JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2
3         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
4         https://bugs.webkit.org/show_bug.cgi?id=167991
5
6         Reviewed by Michael Catanzaro.
7
8         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
9         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
10         no more cases where you might have an invalid locale come back from resolveLocale.
11
12         * runtime/IntlObject.cpp:
13         (JSC::convertICULocaleToBCP47LanguageTag):
14         (JSC::defaultLocale):
15         (JSC::lookupMatcher):
16         * runtime/IntlObject.h:
17         * runtime/JSGlobalObject.cpp:
18         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
19         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
20         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
21         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
22
23 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
24
25         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
26         https://bugs.webkit.org/show_bug.cgi?id=188040
27
28         Unreviewed build fix for AppleWin port.
29
30         * API/tests/testapi.c: Disabled warning C4204.
31         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
32
33 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
34
35         [JSC API] We should support the symbol type in our C/Obj-C API
36         https://bugs.webkit.org/show_bug.cgi?id=175836
37
38         Unreviewed build fix for Windows port.
39
40         r234227 introduced a compilation error, unresolved external symbol
41         "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.
42
43         Windows ports are compiling testapi.c as C++ by using /TP switch.
44
45         * API/tests/testapi.c:
46         (main): Removed `::` prefix of ::SetErrorMode Windows API.
47         (dllLauncherEntryPoint): Converted into C style.
48         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
49
50 2018-07-25  Keith Miller  <keith_miller@apple.com>
51
52         [JSC API] We should support the symbol type in our C/Obj-C API
53         https://bugs.webkit.org/show_bug.cgi?id=175836
54
55         Reviewed by Filip Pizlo.
56
57         This patch makes the following API additions:
58         1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
59         2) Create a symbol on both APIs.
60         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
61         4) Add Get/Set/Delete in the C API.
62
63         We can do 3 because it is both binary and source compatible with
64         the existing API. I added (4) because the current property access
65         APIs only have the ability to get Strings. It was possible to
66         merge symbols into JSStringRef but that felt confusing and exposes
67         implementation details of our engine. The new functions match the
68         same meaning that they have in JS, thus should be forward
69         compatible with any future language extensions.
70
71         Lastly, this patch adds the same availability preprocessing phase
72         in WebCore to JavaScriptCore, which enables TBA features for
73         testing on previous releases.
74
75         * API/APICast.h:
76         * API/JSBasePrivate.h:
77         * API/JSContext.h:
78         * API/JSContextPrivate.h:
79         * API/JSContextRef.h:
80         * API/JSContextRefInternal.h:
81         * API/JSContextRefPrivate.h:
82         * API/JSManagedValue.h:
83         * API/JSObjectRef.cpp:
84         (JSObjectHasPropertyKey):
85         (JSObjectGetPropertyKey):
86         (JSObjectSetPropertyKey):
87         (JSObjectDeletePropertyKey):
88         * API/JSObjectRef.h:
89         * API/JSRemoteInspector.h:
90         * API/JSTypedArray.h:
91         * API/JSValue.h:
92         * API/JSValue.mm:
93         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
94         (performPropertyOperation):
95         (-[JSValue valueForProperty:valueForProperty:]):
96         (-[JSValue setValue:forProperty:setValue:forProperty:]):
97         (-[JSValue deleteProperty:deleteProperty:]):
98         (-[JSValue hasProperty:hasProperty:]):
99         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
100         (-[JSValue isSymbol]):
101         (-[JSValue objectForKeyedSubscript:]):
102         (-[JSValue setObject:forKeyedSubscript:]):
103         (-[JSValue valueForProperty:]): Deleted.
104         (-[JSValue setValue:forProperty:]): Deleted.
105         (-[JSValue deleteProperty:]): Deleted.
106         (-[JSValue hasProperty:]): Deleted.
107         (-[JSValue defineProperty:descriptor:]): Deleted.
108         * API/JSValueRef.cpp:
109         (JSValueGetType):
110         (JSValueIsSymbol):
111         (JSValueMakeSymbol):
112         * API/JSValueRef.h:
113         * API/WebKitAvailability.h:
114         * API/tests/CurrentThisInsideBlockGetterTest.mm:
115         * API/tests/CustomGlobalObjectClassTest.c:
116         * API/tests/DateTests.mm:
117         * API/tests/JSExportTests.mm:
118         * API/tests/JSNode.c:
119         * API/tests/JSNodeList.c:
120         * API/tests/Node.c:
121         * API/tests/NodeList.c:
122         * API/tests/minidom.c:
123         * API/tests/testapi.c:
124         (main):
125         * API/tests/testapi.cpp: Added.
126         (APIString::APIString):
127         (APIString::~APIString):
128         (APIString::operator JSStringRef):
129         (APIContext::APIContext):
130         (APIContext::~APIContext):
131         (APIContext::operator JSGlobalContextRef):
132         (APIVector::APIVector):
133         (APIVector::~APIVector):
134         (APIVector::append):
135         (testCAPIViaCpp):
136         (TestAPI::evaluateScript):
137         (TestAPI::callFunction):
138         (TestAPI::functionReturnsTrue):
139         (TestAPI::check):
140         (TestAPI::checkJSAndAPIMatch):
141         (TestAPI::interestingObjects):
142         (TestAPI::interestingKeys):
143         (TestAPI::run):
144         * API/tests/testapi.mm:
145         (testObjectiveCAPIMain):
146         * JavaScriptCore.xcodeproj/project.pbxproj:
147         * config.h:
148         * postprocess-headers.sh:
149         * shell/CMakeLists.txt:
150         * testmem/testmem.mm:
151
152 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
153
154         [INTL] Call Typed Array elements toLocaleString with locale and options
155         https://bugs.webkit.org/show_bug.cgi?id=185796
156
157         Reviewed by Keith Miller.
158
159         Improve ECMA 402 compliance of typed array toLocaleString, passing along
160         the locale and options to element toLocaleString calls.
161
162         * builtins/TypedArrayPrototype.js:
163         (toLocaleString):
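The behaviour this entry describes, as an added JavaScript example that is not WebKit's builtin (builtins/TypedArrayPrototype.js is not reproduced here): a userland model of the ECMA 402 typed array toLocaleString algorithm. The pre-fix shape, which drops the caller's locales and options, sits beside the compliant shape that forwards them to each element. The function names and the "," list separator are this example's own choices.

```javascript
// Added example: userland model of the ECMA 402 TypedArray.prototype.toLocaleString
// algorithm. Function names are this example's own, not JavaScriptCore's.

// Pre-fix behaviour: every element is formatted with the default locale; the
// locales/options arguments passed by the caller are silently dropped.
function typedArrayToLocaleStringLegacy(typedArray /* locales, options ignored */) {
  let result = "";
  for (let k = 0; k < typedArray.length; k++) {
    if (k > 0) result += ",";
    result += typedArray[k].toLocaleString();
  }
  return result;
}

// ECMA 402 behaviour: locales and options are forwarded to each element's
// toLocaleString, so the array and its elements agree on the formatting.
function typedArrayToLocaleString(typedArray, locales, options) {
  if (!ArrayBuffer.isView(typedArray) || typedArray instanceof DataView) {
    throw new TypeError("receiver is not a typed array");
  }
  const separator = ","; // list separator is implementation-defined; "," here
  let result = "";
  for (let k = 0; k < typedArray.length; k++) {
    if (k > 0) result += separator;
    // Typed array elements are never undefined or null, so no hole check is needed.
    // Number.prototype.toLocaleString (and BigInt's) accept (locales, options).
    result += String(typedArray[k].toLocaleString(locales, options));
  }
  return result;
}

// Reference result: what the spec requires, computed element by element.
function expectedLocaleString(values, locales, options) {
  return Array.from(values, (v) => v.toLocaleString(locales, options)).join(",");
}

// Constructed sample input.
const sample = new Float64Array([1234.5, 2]);
const opts = { minimumFractionDigits: 2 };
console.log(typedArrayToLocaleStringLegacy(sample, "de-DE", opts)); // options lost
console.log(typedArrayToLocaleString(sample, "de-DE", opts));       // options applied
```

The visible difference is in the options: with `minimumFractionDigits: 2` the compliant version renders `2` as `2.00` (or `2,00` under a locale with a comma decimal separator), while the legacy version renders it as plain `2` because the options never reach the element.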
164
165 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
166
167         [INTL] Intl constructor lengths should be configurable
168         https://bugs.webkit.org/show_bug.cgi?id=187960
169
170         Reviewed by Saam Barati.
171
172         Removed DontDelete from Intl constructor lengths.
173         Fixed DateTimeFormat formatToParts length.
174
175         * runtime/IntlCollatorConstructor.cpp:
176         (JSC::IntlCollatorConstructor::finishCreation):
177         * runtime/IntlDateTimeFormatConstructor.cpp:
178         (JSC::IntlDateTimeFormatConstructor::finishCreation):
179         * runtime/IntlDateTimeFormatPrototype.cpp:
180         (JSC::IntlDateTimeFormatPrototype::finishCreation):
181         * runtime/IntlNumberFormatConstructor.cpp:
182         (JSC::IntlNumberFormatConstructor::finishCreation):
183         * runtime/IntlPluralRulesConstructor.cpp:
184         (JSC::IntlPluralRulesConstructor::finishCreation):
185
186 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
187
188         runJITThreadLimitTests is failing
189         https://bugs.webkit.org/show_bug.cgi?id=187886
190         <rdar://problem/42561966>
191
192         Unreviewed build fix for MSVC.
193
194         MSVC doesn't support the ternary operator without a second operand.
195
196         * dfg/DFGWorklist.cpp:
197         (JSC::DFG::getNumberOfDFGCompilerThreads):
198         (JSC::DFG::getNumberOfFTLCompilerThreads):
199
200 2018-07-24  Commit Queue  <commit-queue@webkit.org>
201
202         Unreviewed, rolling out r234183.
203         https://bugs.webkit.org/show_bug.cgi?id=187983
204
205         cause regression in Kraken gaussian blur and desaturate
206         (Requested by yusukesuzuki on #webkit).
207
208         Reverted changeset:
209
210         "[JSC] Record CoW status in ArrayProfile"
211         https://bugs.webkit.org/show_bug.cgi?id=187949
212         https://trac.webkit.org/changeset/234183
213
214 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
215
216         [JSC] Record CoW status in ArrayProfile
217         https://bugs.webkit.org/show_bug.cgi?id=187949
218
219         Reviewed by Saam Barati.
220
221         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
222         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
223         in this code typically record only non-CoW arrays since array profiles hold only one recently seen
224         StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, which soon causes OSR exits
225         due to CoW arrays.
226
227         In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
228         speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.
229
230         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
231
232                                       baseline                  patched
233
234         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
235         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
236
237         * bytecode/ArrayProfile.cpp:
238         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
239         * bytecode/ArrayProfile.h:
240         (JSC::asArrayModes):
241         We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.
242
243         (JSC::ArrayProfile::ArrayProfile):
244         (JSC::ArrayProfile::addressOfObservedIndexingModes):
245         (JSC::ArrayProfile::observedIndexingModes const):
246         Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses.
247         So storing the union of seen IndexingMode in `unsigned` instead.
248
249         * dfg/DFGArrayMode.cpp:
250         (JSC::DFG::ArrayMode::fromObserved):
251         * dfg/DFGArrayMode.h:
252         (JSC::DFG::ArrayMode::withProfile const):
253         * jit/JITCall.cpp:
254         (JSC::JIT::compileOpCall):
255         * jit/JITCall32_64.cpp:
256         (JSC::JIT::compileOpCall):
257         * jit/JITInlines.h:
258         (JSC::JIT::emitArrayProfilingSiteWithCell):
259         * llint/LowLevelInterpreter.asm:
260         * llint/LowLevelInterpreter32_64.asm:
261         * llint/LowLevelInterpreter64.asm:
262
263 2018-07-24  Tim Horton  <timothy_horton@apple.com>
264
265         Enable Web Content Filtering on watchOS
266         https://bugs.webkit.org/show_bug.cgi?id=187979
267         <rdar://problem/42559346>
268
269         Reviewed by Wenson Hsieh.
270
271         * Configurations/FeatureDefines.xcconfig:
272
273 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
274
275         Don't modify Options when setting JIT thread limits
276         https://bugs.webkit.org/show_bug.cgi?id=187886
277
278         Reviewed by Filip Pizlo.
279
280         Previously, when setting the JIT thread limit prior to the worklist
281         initialization, it'd be set via Options, which didn't work if Options
282         hadn't been initialized yet. Change it to use a static variable in the
283         Worklist instead.
284
285         * API/JSVirtualMachine.mm:
286         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
287         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
288         * API/tests/testapi.mm:
289         (testObjectiveCAPIMain):
290         * dfg/DFGWorklist.cpp:
291         (JSC::DFG::getNumberOfDFGCompilerThreads):
292         (JSC::DFG::getNumberOfFTLCompilerThreads):
293         (JSC::DFG::setNumberOfDFGCompilerThreads):
294         (JSC::DFG::setNumberOfFTLCompilerThreads):
295         (JSC::DFG::ensureGlobalDFGWorklist):
296         (JSC::DFG::ensureGlobalFTLWorklist):
297         * dfg/DFGWorklist.h:
298
299 2018-07-24  Mark Lam  <mark.lam@apple.com>
300
301         Refactoring: make DFG::Plan a class.
302         https://bugs.webkit.org/show_bug.cgi?id=187968
303
304         Reviewed by Saam Barati.
305
306         This patch makes all the DFG::Plan fields private, and provides accessor methods
307         for them.  This makes it easier to reason about how these fields are used and
308         modified.
309
310         * dfg/DFGAbstractInterpreterInlines.h:
311         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
312         * dfg/DFGByteCodeParser.cpp:
313         (JSC::DFG::ByteCodeParser::handleCall):
314         (JSC::DFG::ByteCodeParser::handleVarargsCall):
315         (JSC::DFG::ByteCodeParser::handleInlining):
316         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
317         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
318         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
319         (JSC::DFG::ByteCodeParser::handleGetById):
320         (JSC::DFG::ByteCodeParser::handlePutById):
321         (JSC::DFG::ByteCodeParser::parseBlock):
322         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
323         (JSC::DFG::ByteCodeParser::parseCodeBlock):
324         (JSC::DFG::ByteCodeParser::parse):
325         * dfg/DFGCFAPhase.cpp:
326         (JSC::DFG::CFAPhase::run):
327         (JSC::DFG::CFAPhase::injectOSR):
328         * dfg/DFGClobberize.h:
329         (JSC::DFG::clobberize):
330         * dfg/DFGCommonData.cpp:
331         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
332         * dfg/DFGCommonData.h:
333         * dfg/DFGConstantFoldingPhase.cpp:
334         (JSC::DFG::ConstantFoldingPhase::foldConstants):
335         * dfg/DFGDriver.cpp:
336         (JSC::DFG::compileImpl):
337         * dfg/DFGFinalizer.h:
338         * dfg/DFGFixupPhase.cpp:
339         (JSC::DFG::FixupPhase::fixupNode):
340         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
341         * dfg/DFGGraph.cpp:
342         (JSC::DFG::Graph::Graph):
343         (JSC::DFG::Graph::watchCondition):
344         (JSC::DFG::Graph::inferredTypeFor):
345         (JSC::DFG::Graph::requiredRegisterCountForExit):
346         (JSC::DFG::Graph::registerFrozenValues):
347         (JSC::DFG::Graph::registerStructure):
348         (JSC::DFG::Graph::registerAndWatchStructureTransition):
349         (JSC::DFG::Graph::assertIsRegistered):
350         * dfg/DFGGraph.h:
351         (JSC::DFG::Graph::compilation):
352         (JSC::DFG::Graph::identifiers):
353         (JSC::DFG::Graph::watchpoints):
354         * dfg/DFGJITCompiler.cpp:
355         (JSC::DFG::JITCompiler::JITCompiler):
356         (JSC::DFG::JITCompiler::link):
357         (JSC::DFG::JITCompiler::compile):
358         (JSC::DFG::JITCompiler::compileFunction):
359         (JSC::DFG::JITCompiler::disassemble):
360         * dfg/DFGJITCompiler.h:
361         (JSC::DFG::JITCompiler::addWeakReference):
362         * dfg/DFGJITFinalizer.cpp:
363         (JSC::DFG::JITFinalizer::finalize):
364         (JSC::DFG::JITFinalizer::finalizeFunction):
365         (JSC::DFG::JITFinalizer::finalizeCommon):
366         * dfg/DFGOSREntrypointCreationPhase.cpp:
367         (JSC::DFG::OSREntrypointCreationPhase::run):
368         * dfg/DFGPhase.cpp:
369         (JSC::DFG::Phase::beginPhase):
370         * dfg/DFGPhase.h:
371         (JSC::DFG::runAndLog):
372         * dfg/DFGPlan.cpp:
373         (JSC::DFG::Plan::Plan):
374         (JSC::DFG::Plan::computeCompileTimes const):
375         (JSC::DFG::Plan::reportCompileTimes const):
376         (JSC::DFG::Plan::compileInThread):
377         (JSC::DFG::Plan::compileInThreadImpl):
378         (JSC::DFG::Plan::isStillValid):
379         (JSC::DFG::Plan::reallyAdd):
380         (JSC::DFG::Plan::notifyCompiling):
381         (JSC::DFG::Plan::notifyReady):
382         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
383         (JSC::DFG::Plan::finalizeAndNotifyCallback):
384         (JSC::DFG::Plan::key):
385         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
386         (JSC::DFG::Plan::finalizeInGC):
387         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
388         (JSC::DFG::Plan::cancel):
389         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
390         * dfg/DFGPlan.h:
391         (JSC::DFG::Plan::canTierUpAndOSREnter const):
392         (JSC::DFG::Plan::vm const):
393         (JSC::DFG::Plan::codeBlock):
394         (JSC::DFG::Plan::mode const):
395         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
396         (JSC::DFG::Plan::mustHandleValues const):
397         (JSC::DFG::Plan::threadData const):
398         (JSC::DFG::Plan::compilation const):
399         (JSC::DFG::Plan::finalizer const):
400         (JSC::DFG::Plan::setFinalizer):
401         (JSC::DFG::Plan::inlineCallFrames const):
402         (JSC::DFG::Plan::watchpoints):
403         (JSC::DFG::Plan::identifiers):
404         (JSC::DFG::Plan::weakReferences):
405         (JSC::DFG::Plan::transitions):
406         (JSC::DFG::Plan::recordedStatuses):
407         (JSC::DFG::Plan::willTryToTierUp const):
408         (JSC::DFG::Plan::setWillTryToTierUp):
409         (JSC::DFG::Plan::tierUpInLoopHierarchy):
410         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
411         (JSC::DFG::Plan::stage const):
412         (JSC::DFG::Plan::callback const):
413         (JSC::DFG::Plan::setCallback):
414         * dfg/DFGPlanInlines.h:
415         (JSC::DFG::Plan::iterateCodeBlocksForGC):
416         * dfg/DFGPreciseLocalClobberize.h:
417         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
418         * dfg/DFGPredictionInjectionPhase.cpp:
419         (JSC::DFG::PredictionInjectionPhase::run):
420         * dfg/DFGSafepoint.cpp:
421         (JSC::DFG::Safepoint::Safepoint):
422         (JSC::DFG::Safepoint::~Safepoint):
423         (JSC::DFG::Safepoint::begin):
424         * dfg/DFGSafepoint.h:
425         * dfg/DFGSpeculativeJIT.h:
426         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
427         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
428         * dfg/DFGStackLayoutPhase.cpp:
429         (JSC::DFG::StackLayoutPhase::run):
430         * dfg/DFGStrengthReductionPhase.cpp:
431         (JSC::DFG::StrengthReductionPhase::handleNode):
432         * dfg/DFGTierUpCheckInjectionPhase.cpp:
433         (JSC::DFG::TierUpCheckInjectionPhase::run):
434         * dfg/DFGTypeCheckHoistingPhase.cpp:
435         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
436         * dfg/DFGWorklist.cpp:
437         (JSC::DFG::Worklist::isActiveForVM const):
438         (JSC::DFG::Worklist::compilationState):
439         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
440         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
441         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
442         (JSC::DFG::Worklist::visitWeakReferences):
443         (JSC::DFG::Worklist::removeDeadPlans):
444         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
445         * dfg/DFGWorklistInlines.h:
446         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
447         * ftl/FTLCompile.cpp:
448         (JSC::FTL::compile):
449         * ftl/FTLFail.cpp:
450         (JSC::FTL::fail):
451         * ftl/FTLJITFinalizer.cpp:
452         (JSC::FTL::JITFinalizer::finalizeCommon):
453         * ftl/FTLLink.cpp:
454         (JSC::FTL::link):
455         * ftl/FTLLowerDFGToB3.cpp:
456         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
457         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
458         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
459         * ftl/FTLState.cpp:
460         (JSC::FTL::State::State):
461
462 2018-07-24  Saam Barati  <sbarati@apple.com>
463
464         Make VM::canUseJIT an inlined function
465         https://bugs.webkit.org/show_bug.cgi?id=187583
466
467         Reviewed by Mark Lam.
468
469         We know the answer to this query in initializeThreading after initializing
470         the executable allocator. This patch makes it so that we just hold this value
471         in a static variable and have an inlined function that just returns the value
472         of that static variable.
473
474         * runtime/InitializeThreading.cpp:
475         (JSC::initializeThreading):
476         * runtime/VM.cpp:
477         (JSC::VM::computeCanUseJIT):
478         (JSC::VM::canUseJIT): Deleted.
479         * runtime/VM.h:
480         (JSC::VM::canUseJIT):
481
482 2018-07-24  Mark Lam  <mark.lam@apple.com>
483
484         Placate exception check verification after recent changes.
485         https://bugs.webkit.org/show_bug.cgi?id=187961
486         <rdar://problem/42545394>
487
488         Reviewed by Saam Barati.
489
490         * runtime/IntlObject.cpp:
491         (JSC::intlNumberOption):
492
493 2018-07-23  Saam Barati  <sbarati@apple.com>
494
495         need to didFoldClobberWorld when we constant fold GetByVal
496         https://bugs.webkit.org/show_bug.cgi?id=187917
497         <rdar://problem/42505095>
498
499         Reviewed by Yusuke Suzuki.
500
501         * dfg/DFGAbstractInterpreterInlines.h:
502         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
503
504 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
505
506         [INTL] Language tags are not canonicalized
507         https://bugs.webkit.org/show_bug.cgi?id=185836
508
509         Reviewed by Keith Miller.
510
511         Canonicalize language tags, replacing deprecated tag parts with the
512         preferred values. Remove broken support for algorithmic numbering systems,
513         that can cause an error in icu, and are not supported in other engines.
514
515         Generate the lookup functions from the language-subtag-registry.
516
517         Also initialize the UNumberFormat in initializeNumberFormat so any
518         failures are thrown immediately instead of failing to format later.
519
520         * CMakeLists.txt:
521         * DerivedSources.make:
522         * JavaScriptCore.xcodeproj/project.pbxproj:
523         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
524         * runtime/IntlDateTimeFormat.cpp:
525         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
526         * runtime/IntlNumberFormat.cpp:
527         (JSC::IntlNumberFormat::initializeNumberFormat):
528         (JSC::IntlNumberFormat::formatNumber):
529         (JSC::IntlNumberFormat::formatToParts):
530         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
531         * runtime/IntlNumberFormat.h:
532         * runtime/IntlObject.cpp:
533         (JSC::intlNumberOption):
534         (JSC::intlDefaultNumberOption):
535         (JSC::preferredLanguage):
536         (JSC::preferredRegion):
537         (JSC::canonicalLangTag):
538         (JSC::canonicalizeLanguageTag):
539         (JSC::defaultLocale):
540         (JSC::removeUnicodeLocaleExtension):
541         (JSC::numberingSystemsForLocale):
542         (JSC::grandfatheredLangTag): Deleted.
543         * runtime/IntlObject.h:
544         * runtime/IntlPluralRules.cpp:
545         (JSC::IntlPluralRules::initializePluralRules):
546         * runtime/JSGlobalObject.cpp:
547         (JSC::addMissingScriptLocales):
548         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
549         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
550         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
551         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
552         * ucd/language-subtag-registry.txt: Added.
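The two IntlObject.cpp entries on this page (the ISO 15897 locale string arriving via LANG at the top, and the deprecated-subtag canonicalization here), as one added JavaScript example. This is not WebKit's generated code and does not read the real language-subtag-registry: the preferred-value tables are a small constructed subset of the registry, the function names are this example's own, and the handling of the "C"/"POSIX" locale is this example's choice, not JavaScriptCore's.

```javascript
// Added example (not WebKit code): BCP 47 tag handling in the spirit of the
// IntlObject.cpp changes above. Tables are a constructed subset of the IANA
// language-subtag-registry; the real registry has far more entries.
// Map is used rather than a plain object so that a subtag can never resolve
// to an Object.prototype property such as "constructor".
const PREFERRED_LANGUAGE = new Map([["iw", "he"], ["in", "id"], ["ji", "yi"]]);
const PREFERRED_REGION = new Map([["BU", "MM"], ["DD", "DE"]]);
const PREFERRED_GRANDFATHERED = new Map([["i-klingon", "tlh"], ["art-lojban", "jbo"]]);

// Convert an ISO 15897 / POSIX locale string such as "en_US.UTF-8@euro" (the
// shape that arrives via LANG) into a BCP 47 tag. The codeset (".UTF-8") and
// modifier ("@euro") are not part of the language tag and are dropped.
// Returns null for "C"/"POSIX" so the caller can pick its own fallback
// (this example's choice).
function posixLocaleToLanguageTag(posixLocale) {
  const base = posixLocale.split(/[.@]/)[0];
  if (base === "" || base === "C" || base === "POSIX") return null;
  return canonicalizeLanguageTag(base.replace(/_/g, "-"));
}

// Apply BCP 47 case conventions (language lowercase, script Titlecase, region
// UPPERCASE, everything else lowercase) and replace deprecated subtags with
// their preferred values. Throws RangeError on a structurally malformed tag,
// mirroring what Intl constructors do for invalid language tags.
function canonicalizeLanguageTag(tag) {
  const lower = String(tag).toLowerCase();
  if (PREFERRED_GRANDFATHERED.has(lower)) return PREFERRED_GRANDFATHERED.get(lower);

  const subtags = lower.split("-");
  if (!/^([a-z]{2,3}|[a-z]{5,8}|x)$/.test(subtags[0])) {
    throw new RangeError("invalid language subtag: " + tag);
  }
  const out = [];
  let inExtension = false; // after a singleton, subtags stay lowercase
  subtags.forEach((sub, i) => {
    if (!/^[a-z0-9]{1,8}$/.test(sub)) throw new RangeError("invalid subtag in: " + tag);
    if (i === 0) {
      out.push(PREFERRED_LANGUAGE.get(sub) || sub);           // language
    } else if (inExtension) {
      out.push(sub);                                          // extension payload
    } else if (sub.length === 1) {
      inExtension = true;                                     // singleton (u, x, ...)
      out.push(sub);
    } else if (/^[a-z]{4}$/.test(sub)) {
      out.push(sub[0].toUpperCase() + sub.slice(1));          // script
    } else if (/^([a-z]{2}|[0-9]{3})$/.test(sub)) {
      const region = sub.toUpperCase();
      out.push(PREFERRED_REGION.get(region) || region);       // region
    } else {
      out.push(sub);                                          // variant, extlang
    }
  });
  return out.join("-");
}

// Constructed sample inputs.
console.log(posixLocaleToLanguageTag("en_US.UTF-8"));        // en-US
console.log(canonicalizeLanguageTag("IW-latn-bu"));          // he-Latn-MM
console.log(canonicalizeLanguageTag("zh-hans-cn-x-Private")); // zh-Hans-CN-x-private
```

The RangeError path matters for the same reason the entry gives for initializing UNumberFormat eagerly: a malformed or unsupported tag should fail at the point where the caller supplies it, not later when formatting happens.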
553
554 2018-07-23  Mark Lam  <mark.lam@apple.com>
555
556         Add some asserts to help diagnose a crash.
557         https://bugs.webkit.org/show_bug.cgi?id=187915
558         <rdar://problem/42508166>
559
560         Reviewed by Michael Saboff.
561
562         Add some asserts to verify that a CodeBlock alternative should always have a
563         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
564         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
565         so that we'll retain the state of the variables that failed the assertion (again
566         to help with diagnosis).
567
568         * bytecode/CodeBlock.cpp:
569         (JSC::CodeBlock::setAlternative):
570         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
571         * dfg/DFGPlan.cpp:
572         (JSC::DFG::Plan::Plan):
573
574 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
575
576         Unreviewed, fix no-JIT build.
577
578         * bytecode/CallLinkStatus.cpp:
579         (JSC::CallLinkStatus::computeFor):
580         * bytecode/CodeBlock.cpp:
581         (JSC::CodeBlock::finalizeUnconditionally):
582         * bytecode/GetByIdStatus.cpp:
583         (JSC::GetByIdStatus::computeFor):
584         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
585         * bytecode/InByIdStatus.cpp:
586         * bytecode/PutByIdStatus.cpp:
587         (JSC::PutByIdStatus::computeForStubInfo):
588
589 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
590
591         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
592         https://bugs.webkit.org/show_bug.cgi?id=187891
593
594         Reviewed by Saam Barati.
595
596         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
597         two variants are mergeable but they have "Miss" status. We make merging fail if
598         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
599         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
600         a patch which has more chances to merge variants.
601
602         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
603         is not related since it does not use this check in Transition case.
604
605         * bytecode/GetByIdVariant.cpp:
606         (JSC::GetByIdVariant::attemptToMerge):
607         * bytecode/InByIdVariant.cpp:
608         (JSC::InByIdVariant::attemptToMerge):
609
610 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
611
612         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
613         https://bugs.webkit.org/show_bug.cgi?id=186462
614
615         Reviewed by Saam Barati.
616
617         Non-special DontDelete | ReadOnly properties mean that they won't be changed. If DFG AI can retrieve this
618         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
619         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
620
621         This patch attempts to fold such properties into constants in DFG AI. The challenge is that DFG AI runs
622         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
623         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
624         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
625         changed and we can safely use it. We arrange our existing code to use this protocol.
626
627         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled in x86 architecture
628         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.
629
630         This patch improves SixSpeed/template_string_tag.es6.
631
632                                           baseline                  patched
633
634         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
635
636         * dfg/DFGAbstractInterpreterInlines.h:
637         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
638         * runtime/JSArray.cpp:
639         (JSC::JSArray::setLengthWithArrayStorage):
640         * runtime/JSObject.cpp:
641         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
642         (JSC::JSObject::deletePropertyByIndex):
643         (JSC::JSObject::getOwnPropertyNames):
644         (JSC::putIndexedDescriptor):
645         (JSC::JSObject::defineOwnIndexedProperty):
646         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
647         (JSC::JSObject::putIndexedDescriptor): Deleted.
648         * runtime/JSObject.h:
649         * runtime/SparseArrayValueMap.cpp:
650         (JSC::SparseArrayValueMap::SparseArrayValueMap):
651         (JSC::SparseArrayValueMap::add):
652         (JSC::SparseArrayValueMap::putDirect):
653         (JSC::SparseArrayValueMap::getConcurrently):
654         (JSC::SparseArrayEntry::get const):
655         (JSC::SparseArrayEntry::getConcurrently const):
656         (JSC::SparseArrayEntry::put):
657         (JSC::SparseArrayEntry::getNonSparseMode const):
658         (JSC::SparseArrayValueMap::visitChildren):
659         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
660         * runtime/SparseArrayValueMap.h:
661         (JSC::SparseArrayEntry::SparseArrayEntry):
662         (JSC::SparseArrayEntry::attributes const):
663         (JSC::SparseArrayEntry::forceSet):
664         (JSC::SparseArrayEntry::asValue):
665
666 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
667
668         We should support CreateThis in the FTL
669         https://bugs.webkit.org/show_bug.cgi?id=164904
670
671         Reviewed by Yusuke Suzuki.
672         
673         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
674         inference adventure.
675         
676         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
677         benchmark's extremely perverse way of winning at type inference:
678         
679         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
680           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
681           benchmark was falling back to other mechanisms...
682         
683         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
684           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
685           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
686           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
687           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
688           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
689           
690           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
691           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
692           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
693           helper because it had a CreateThis.
694         
695         - Compilations that inlined the construction helper would have gotten super lucky with
696           parse-time constant folding, so they knew what structure the input to the get_by_id would
697           have at parse time. This is only profitable if the get_by_id parsing computed a
698           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
699           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
700           cases, we would indeed get a finite number of cases. The parser would then prune those
701           cases to just one - based on its knowledge of the structure - and that would result in that
702           get_by_id being folded at parse time to a constant.
703         
704         - The subsequent op_call would inline based on parse-time knowledge of that constant.
705         
706         This patch comprehensively fixes these issues, as well as other issues that come up along the
707         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
708         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
709         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
710         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
711         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
712         attack raytrace's problem as a shortcoming of polyvariant profiling.
713         
714         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
715           subset of the inline stack that includes the IC we're profiling. For example, if we have
716           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
717           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
718           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
719           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
720           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
721           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
722           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
723           had inlined bar and then baz. It may not have done that, because those calls could have
724           required polyvariant profiling that was only available in the FTL.
725           
726         - A particularly interesting case is when some IC in foo-baseline is also available in
727           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
728           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
729           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
730           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
731           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
732           because it warns us of historical polymorphism. Historical polymorphism usually means
733           future polymorphism. IC status code already had some merging functionality, but I needed to
734           beef it up a lot to make this work right.
735         
736         - Inlining an inline cache now preserves as much information as profiling. One challenge of
737           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
738           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
739           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
740           say "I don't have such an IC". At this point the DFG compilation that included that IC that
741           gave us the information that we used to inline the IC is no longer alive. To keep us from
742           losing the information we learned about the IC, there is now a RecordedStatuses data
743           structure that preserves the statuses we use for inlining ICs. We also filter those
744           statuses according to things we learn from AI. This further reduces the risk of information
745           about an IC being forgotten.
746         
747         - Exit profiling now considers whether or not an exit happened from inline code. This
748           protects us in the case where the not-inlined version of an IC exited a lot because of
749           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
750           profiling data, we consider only inlined exits.
751         
752         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
753           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
754           surprising that we've had this bug.
755         
756         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
757         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
758         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
759         prototype access folding in the bytecode parser and constant folder. That would require some
760         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
761         have a test that captures raytrace's behavior in the case that the parser cannot fold the
762         get_by_id.
763         
764         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
765         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
766         compile time regression anytime we fill in FTL coverage.
767         
768         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
769         speeds up and that raytrace slows down, but these changes balance out and don't affect the
770         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
771         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
772         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
773         see a significant difference. In all three cases the difference is <0.5% with a high p value,
774         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
775         an insignificant infinitesimal slow-down.
776         
777         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
778         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
779         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
780
781         * CMakeLists.txt:
782         * JavaScriptCore.xcodeproj/project.pbxproj:
783         * Sources.txt:
784         * bytecode/ByValInfo.h:
785         * bytecode/BytecodeDumper.cpp:
786         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
787         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
788         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
789         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
790         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
791         (JSC::BytecodeDumper<Block>::printCallOp):
792         (JSC::BytecodeDumper<Block>::dumpBytecode):
793         (JSC::BytecodeDumper<Block>::dumpBlock):
794         * bytecode/BytecodeDumper.h:
795         * bytecode/CallLinkInfo.h:
796         * bytecode/CallLinkStatus.cpp:
797         (JSC::CallLinkStatus::computeFor):
798         (JSC::CallLinkStatus::computeExitSiteData):
799         (JSC::CallLinkStatus::computeFromCallLinkInfo):
800         (JSC::CallLinkStatus::accountForExits):
801         (JSC::CallLinkStatus::finalize):
802         (JSC::CallLinkStatus::filter):
803         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
804         * bytecode/CallLinkStatus.h:
805         (JSC::CallLinkStatus::operator bool const):
806         (JSC::CallLinkStatus::operator! const): Deleted.
807         * bytecode/CallVariant.cpp:
808         (JSC::CallVariant::finalize):
809         (JSC::CallVariant::filter):
810         * bytecode/CallVariant.h:
811         (JSC::CallVariant::operator bool const):
812         (JSC::CallVariant::operator! const): Deleted.
813         * bytecode/CodeBlock.cpp:
814         (JSC::CodeBlock::dumpBytecode):
815         (JSC::CodeBlock::propagateTransitions):
816         (JSC::CodeBlock::finalizeUnconditionally):
817         (JSC::CodeBlock::getICStatusMap):
818         (JSC::CodeBlock::resetJITData):
819         (JSC::CodeBlock::getStubInfoMap): Deleted.
820         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
821         (JSC::CodeBlock::getByValInfoMap): Deleted.
822         * bytecode/CodeBlock.h:
823         * bytecode/CodeOrigin.cpp:
824         (JSC::CodeOrigin::isApproximatelyEqualTo const):
825         (JSC::CodeOrigin::approximateHash const):
826         * bytecode/CodeOrigin.h:
827         (JSC::CodeOrigin::exitingInlineKind const):
828         * bytecode/DFGExitProfile.cpp:
829         (JSC::DFG::FrequentExitSite::dump const):
830         (JSC::DFG::ExitProfile::add):
831         * bytecode/DFGExitProfile.h:
832         (JSC::DFG::FrequentExitSite::FrequentExitSite):
833         (JSC::DFG::FrequentExitSite::operator== const):
834         (JSC::DFG::FrequentExitSite::subsumes const):
835         (JSC::DFG::FrequentExitSite::hash const):
836         (JSC::DFG::FrequentExitSite::inlineKind const):
837         (JSC::DFG::FrequentExitSite::withInlineKind const):
838         (JSC::DFG::QueryableExitProfile::hasExitSite const):
839         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
840         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
841         * bytecode/ExitFlag.cpp: Added.
842         (JSC::ExitFlag::dump const):
843         * bytecode/ExitFlag.h: Added.
844         (JSC::ExitFlag::ExitFlag):
845         (JSC::ExitFlag::operator| const):
846         (JSC::ExitFlag::operator|=):
847         (JSC::ExitFlag::operator& const):
848         (JSC::ExitFlag::operator&=):
849         (JSC::ExitFlag::operator bool const):
850         (JSC::ExitFlag::isSet const):
851         * bytecode/ExitingInlineKind.cpp: Added.
852         (WTF::printInternal):
853         * bytecode/ExitingInlineKind.h: Added.
854         * bytecode/GetByIdStatus.cpp:
855         (JSC::GetByIdStatus::computeFor):
856         (JSC::GetByIdStatus::computeForStubInfo):
857         (JSC::GetByIdStatus::slowVersion const):
858         (JSC::GetByIdStatus::markIfCheap):
859         (JSC::GetByIdStatus::finalize):
860         (JSC::GetByIdStatus::hasExitSite): Deleted.
861         * bytecode/GetByIdStatus.h:
862         * bytecode/GetByIdVariant.cpp:
863         (JSC::GetByIdVariant::markIfCheap):
864         (JSC::GetByIdVariant::finalize):
865         * bytecode/GetByIdVariant.h:
866         * bytecode/ICStatusMap.cpp: Added.
867         (JSC::ICStatusContext::get const):
868         (JSC::ICStatusContext::isInlined const):
869         (JSC::ICStatusContext::inlineKind const):
870         * bytecode/ICStatusMap.h: Added.
871         * bytecode/ICStatusUtils.cpp: Added.
872         (JSC::hasBadCacheExitSite):
873         * bytecode/ICStatusUtils.h:
874         * bytecode/InstanceOfStatus.cpp:
875         (JSC::InstanceOfStatus::computeFor):
876         * bytecode/InstanceOfStatus.h:
877         * bytecode/PolyProtoAccessChain.h:
878         * bytecode/PutByIdStatus.cpp:
879         (JSC::PutByIdStatus::hasExitSite):
880         (JSC::PutByIdStatus::computeFor):
881         (JSC::PutByIdStatus::slowVersion const):
882         (JSC::PutByIdStatus::markIfCheap):
883         (JSC::PutByIdStatus::finalize):
884         (JSC::PutByIdStatus::filter):
885         * bytecode/PutByIdStatus.h:
886         * bytecode/PutByIdVariant.cpp:
887         (JSC::PutByIdVariant::markIfCheap):
888         (JSC::PutByIdVariant::finalize):
889         * bytecode/PutByIdVariant.h:
890         (JSC::PutByIdVariant::structureSet const):
891         * bytecode/RecordedStatuses.cpp: Added.
892         (JSC::RecordedStatuses::operator=):
893         (JSC::RecordedStatuses::RecordedStatuses):
894         (JSC::RecordedStatuses::addCallLinkStatus):
895         (JSC::RecordedStatuses::addGetByIdStatus):
896         (JSC::RecordedStatuses::addPutByIdStatus):
897         (JSC::RecordedStatuses::markIfCheap):
898         (JSC::RecordedStatuses::finalizeWithoutDeleting):
899         (JSC::RecordedStatuses::finalize):
900         (JSC::RecordedStatuses::shrinkToFit):
901         * bytecode/RecordedStatuses.h: Added.
902         (JSC::RecordedStatuses::RecordedStatuses):
903         (JSC::RecordedStatuses::forEachVector):
904         * bytecode/StructureSet.cpp:
905         (JSC::StructureSet::markIfCheap const):
906         (JSC::StructureSet::isStillAlive const):
907         * bytecode/StructureSet.h:
908         * bytecode/TerminatedCodeOrigin.h: Added.
909         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
910         (JSC::TerminatedCodeOriginHashTranslator::hash):
911         (JSC::TerminatedCodeOriginHashTranslator::equal):
912         * bytecode/Watchpoint.cpp:
913         (WTF::printInternal):
914         * bytecode/Watchpoint.h:
915         * dfg/DFGAbstractInterpreter.h:
916         * dfg/DFGAbstractInterpreterInlines.h:
917         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
918         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
919         * dfg/DFGByteCodeParser.cpp:
920         (JSC::DFG::ByteCodeParser::handleCall):
921         (JSC::DFG::ByteCodeParser::handleVarargsCall):
922         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
923         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
924         (JSC::DFG::ByteCodeParser::handleGetById):
925         (JSC::DFG::ByteCodeParser::handlePutById):
926         (JSC::DFG::ByteCodeParser::parseBlock):
927         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
928         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
929         (JSC::DFG::ByteCodeParser::parse):
930         * dfg/DFGClobberize.h:
931         (JSC::DFG::clobberize):
932         * dfg/DFGClobbersExitState.cpp:
933         (JSC::DFG::clobbersExitState):
934         * dfg/DFGCommonData.h:
935         * dfg/DFGConstantFoldingPhase.cpp:
936         (JSC::DFG::ConstantFoldingPhase::foldConstants):
937         * dfg/DFGDesiredWatchpoints.h:
938         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
939         * dfg/DFGDoesGC.cpp:
940         (JSC::DFG::doesGC):
941         * dfg/DFGFixupPhase.cpp:
942         (JSC::DFG::FixupPhase::fixupNode):
943         * dfg/DFGGraph.cpp:
944         (JSC::DFG::Graph::dump):
945         * dfg/DFGMayExit.cpp:
946         * dfg/DFGNode.h:
947         (JSC::DFG::Node::hasCallLinkStatus):
948         (JSC::DFG::Node::callLinkStatus):
949         (JSC::DFG::Node::hasGetByIdStatus):
950         (JSC::DFG::Node::getByIdStatus):
951         (JSC::DFG::Node::hasPutByIdStatus):
952         (JSC::DFG::Node::putByIdStatus):
953         * dfg/DFGNodeType.h:
954         * dfg/DFGOSRExitBase.cpp:
955         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
956         * dfg/DFGObjectAllocationSinkingPhase.cpp:
957         * dfg/DFGPlan.cpp:
958         (JSC::DFG::Plan::reallyAdd):
959         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
960         (JSC::DFG::Plan::finalizeInGC):
961         * dfg/DFGPlan.h:
962         * dfg/DFGPredictionPropagationPhase.cpp:
963         * dfg/DFGSafeToExecute.h:
964         (JSC::DFG::safeToExecute):
965         * dfg/DFGSpeculativeJIT32_64.cpp:
966         (JSC::DFG::SpeculativeJIT::compile):
967         * dfg/DFGSpeculativeJIT64.cpp:
968         (JSC::DFG::SpeculativeJIT::compile):
969         * dfg/DFGStrengthReductionPhase.cpp:
970         (JSC::DFG::StrengthReductionPhase::handleNode):
971         * dfg/DFGWorklist.cpp:
972         (JSC::DFG::Worklist::removeDeadPlans):
973         * ftl/FTLAbstractHeapRepository.h:
974         * ftl/FTLCapabilities.cpp:
975         (JSC::FTL::canCompile):
976         * ftl/FTLLowerDFGToB3.cpp:
977         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
978         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
979         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
980         * jit/PolymorphicCallStubRoutine.cpp:
981         (JSC::PolymorphicCallStubRoutine::hasEdges const):
982         (JSC::PolymorphicCallStubRoutine::edges const):
983         * jit/PolymorphicCallStubRoutine.h:
984         * profiler/ProfilerBytecodeSequence.cpp:
985         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
986         * runtime/FunctionRareData.cpp:
987         (JSC::FunctionRareData::initializeObjectAllocationProfile):
988         * runtime/Options.h:
989
990 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
991
992         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
993         https://bugs.webkit.org/show_bug.cgi?id=187472
994
995         Reviewed by Mark Lam.
996
997         std::function allocates memory from standard malloc instead of bmalloc. Instead of
998         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
999
1000         This patch attempts to replace std::function with the above WTF function types.
1001         If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
1002         is really efficient. Otherwise, we should use WTF::Function.
1003         For recurring use cases, we can use RecursableLambda.
1004
1005         * assembler/MacroAssembler.cpp:
1006         (JSC::stdFunctionCallback):
1007         (JSC::MacroAssembler::probe):
1008         * assembler/MacroAssembler.h:
1009         * b3/air/AirDisassembler.cpp:
1010         (JSC::B3::Air::Disassembler::dump):
1011         * b3/air/AirDisassembler.h:
1012         * bytecompiler/BytecodeGenerator.cpp:
1013         (JSC::BytecodeGenerator::BytecodeGenerator):
1014         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1015         (JSC::BytecodeGenerator::emitEnumeration):
1016         * bytecompiler/BytecodeGenerator.h:
1017         * bytecompiler/NodesCodegen.cpp:
1018         (JSC::ArrayNode::emitBytecode):
1019         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1020         (JSC::ForOfNode::emitBytecode):
1021         * dfg/DFGSpeculativeJIT.cpp:
1022         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
1023         (JSC::DFG::SpeculativeJIT::compileMathIC):
1024         * dfg/DFGSpeculativeJIT.h:
1025         * dfg/DFGSpeculativeJIT64.cpp:
1026         (JSC::DFG::SpeculativeJIT::compile):
1027         * dfg/DFGValidate.cpp:
1028         * ftl/FTLCompile.cpp:
1029         (JSC::FTL::compile):
1030         * heap/HeapSnapshotBuilder.cpp:
1031         (JSC::HeapSnapshotBuilder::json):
1032         * heap/HeapSnapshotBuilder.h:
1033         * interpreter/StackVisitor.cpp:
1034         (JSC::StackVisitor::Frame::dump const):
1035         * interpreter/StackVisitor.h:
1036         * runtime/PromiseDeferredTimer.h:
1037         * runtime/VM.cpp:
1038         (JSC::VM::whenIdle):
1039         (JSC::enableProfilerWithRespectToCount):
1040         (JSC::disableProfilerWithRespectToCount):
1041         * runtime/VM.h:
1042         * runtime/VMEntryScope.cpp:
1043         (JSC::VMEntryScope::addDidPopListener):
1044         * runtime/VMEntryScope.h:
1045         * tools/HeapVerifier.cpp:
1046         (JSC::HeapVerifier::verifyCellList):
1047         (JSC::HeapVerifier::validateCell):
1048         (JSC::HeapVerifier::validateJSCell):
1049         * tools/HeapVerifier.h:
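
Added example, not WTF or JSC code: ScopedLambdaRef below is a minimal stand-in for the idea behind WTF::ScopedLambda (a non-owning reference to a callable that lives on the caller's stack), placed beside std::function with a replaced global operator new so the allocation difference the entry describes is measured rather than assumed. ScopedLambdaRef, forEachStd, forEachScoped and the slot array are all constructed for this example.

```cpp
// Added example (not JSC or WTF code). ScopedLambdaRef stores only a pointer
// to a callable that lives on the caller's stack, so handing it to a callee
// never touches the heap. std::function, by contrast, heap-allocates any
// target that does not fit its small buffer. A replaced global operator new
// counts allocations so the difference is measurable.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <new>
#include <utility>

static std::size_t g_newCalls = 0;  // number of heap allocations observed

void* operator new(std::size_t size) {
    ++g_newCalls;
    if (void* p = std::malloc(size ? size : 1))
        return p;
    throw std::bad_alloc();
}
void operator delete(void* p) noexcept { std::free(p); }
void operator delete(void* p, std::size_t) noexcept { std::free(p); }

template<typename Signature> class ScopedLambdaRef;

// Non-owning callable reference: two pointers, no allocation, no copy of the
// callable. The referenced callable must outlive every use of the reference,
// which is the "lifetime is the same as the stack's" case from the entry.
template<typename R, typename... Args>
class ScopedLambdaRef<R(Args...)> {
public:
    template<typename F>
    explicit ScopedLambdaRef(F& callable)
        : m_callable(&callable), m_invoke(&invoke<F>) {}

    R operator()(Args... args) const {
        return m_invoke(m_callable, std::forward<Args>(args)...);
    }

private:
    template<typename F>
    static R invoke(void* callable, Args... args) {
        return (*static_cast<F*>(callable))(std::forward<Args>(args)...);
    }

    void* m_callable;
    R (*m_invoke)(void*, Args...);
};

// Two versions of the same traversal; only the callback type differs.
static void forEachStd(const int* slots, std::size_t n,
                       const std::function<void(int)>& visit) {
    for (std::size_t i = 0; i < n; ++i) visit(slots[i]);
}
static void forEachScoped(const int* slots, std::size_t n,
                          const ScopedLambdaRef<void(int)>& visit) {
    for (std::size_t i = 0; i < n; ++i) visit(slots[i]);
}

struct Measurement {
    long sum;                 // traversal result (sanity check)
    std::size_t allocations;  // heap allocations while building and using the callback
};

// Constructed input shared by both measurements.
static const int kSlots[] = {3, 1, 4, 1, 5, 9, 2, 6};
static const std::size_t kSlotCount = sizeof(kSlots) / sizeof(kSlots[0]);

Measurement sumViaStdFunction() {
    long sum = 0;
    char bigCapture[256] = {};  // larger than any std::function small buffer
    std::size_t before = g_newCalls;
    std::function<void(int)> visit = [&sum, bigCapture](int v) { sum += v + bigCapture[0]; };
    forEachStd(kSlots, kSlotCount, visit);
    return {sum, g_newCalls - before};
}

Measurement sumViaScopedLambda() {
    long sum = 0;
    char bigCapture[256] = {};  // same capture size: the payload is not the difference
    std::size_t before = g_newCalls;
    auto visit = [&sum, bigCapture](int v) { sum += v + bigCapture[0]; };
    ScopedLambdaRef<void(int)> ref(visit);  // points at visit; copies nothing
    forEachScoped(kSlots, kSlotCount, ref);
    return {sum, g_newCalls - before};
}

int main() {
    Measurement a = sumViaStdFunction();
    Measurement b = sumViaScopedLambda();
    std::printf("std::function:   sum=%ld allocations=%zu\n", a.sum, a.allocations);
    std::printf("ScopedLambdaRef: sum=%ld allocations=%zu\n", b.sum, b.allocations);
    return 0;
}
```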
1050
1051 2018-07-20  Michael Saboff  <msaboff@apple.com>
1052
1053         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
1054         https://bugs.webkit.org/show_bug.cgi?id=187827
1055         rdar://problem/42146858
1056
1057         Reviewed by Saam Barati.
1058
1059         When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
1060         that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
1061         We can't end up with other shapes (Int32, Double, etc.) because GenericArguments sets
1062         InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
1063         putByIndex() path that doesn't change the shape.
1064
1065         * dfg/DFGArrayMode.h:
1066         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1067
1068 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1069
1070         [DFG] Fold GetByVal if Array is CoW
1071         https://bugs.webkit.org/show_bug.cgi?id=186459
1072
1073         Reviewed by Saam Barati.
1074
1075         CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
1076         fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
1077         is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
1078
1079         This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
1080         to these constant arrays can be folded into an actual constant by this patch.
1081
1082                                            baseline                  patched
1083
1084         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
1085         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
1086
1087         * dfg/DFGAbstractInterpreterInlines.h:
1088         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1089
1090 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1091
1092         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
1093         https://bugs.webkit.org/show_bug.cgi?id=186602
1094
1095         Reviewed by Saam Barati.
1096
1097         JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
1098         change the part of the butterfly, length etc. We prove that our procedure is safe, and
1099         drop the cellLock() here.
1100
1101         * runtime/JSObject.cpp:
1102         (JSC::JSObject::convertContiguousToArrayStorage):
1103
1104 2018-07-20  Saam Barati  <sbarati@apple.com>
1105
1106         CompareEq should be using KnownOtherUse instead of OtherUse
1107         https://bugs.webkit.org/show_bug.cgi?id=186814
1108         <rdar://problem/39720030>
1109
1110         Reviewed by Filip Pizlo.
1111
1112         CompareEq in fixup phase was doing this:
1113         insertCheck(child, OtherUse)
1114         setUseKind(child, OtherUse)
1115         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
1116         lead to edge verification crashing because a phase may optimize the check out
1117         by removing the node. However, AI may not be privy to that optimization, and
1118         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
1119         backend to actually emit a check here, but it does not.
1120         
1121         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
1122         KnownOtherUse and changes the above pattern to be:
1123         insertCheck(child, OtherUse)
1124         setUseKind(child, KnownOtherUse)
1125
1126         * dfg/DFGFixupPhase.cpp:
1127         (JSC::DFG::FixupPhase::fixupNode):
1128         * dfg/DFGSafeToExecute.h:
1129         (JSC::DFG::SafeToExecuteEdge::operator()):
1130         * dfg/DFGSpeculativeJIT.cpp:
1131         (JSC::DFG::SpeculativeJIT::speculate):
1132         * dfg/DFGUseKind.cpp:
1133         (WTF::printInternal):
1134         * dfg/DFGUseKind.h:
1135         (JSC::DFG::typeFilterFor):
1136         (JSC::DFG::shouldNotHaveTypeCheck):
1137         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1138         * dfg/DFGWatchpointCollectionPhase.cpp:
1139         (JSC::DFG::WatchpointCollectionPhase::handle):
1140         * ftl/FTLCapabilities.cpp:
1141         (JSC::FTL::canCompile):
1142         * ftl/FTLLowerDFGToB3.cpp:
1143         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1144         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1145
1146 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1147
1148         [JSC] A bit performance improvement for Object.assign by cleaning up code
1149         https://bugs.webkit.org/show_bug.cgi?id=187852
1150
1151         Reviewed by Saam Barati.
1152
1153         We clean up Object.assign code a bit.
1154
1155         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
1156         2. canDoFastPath is not necessary. Restructuring the code to clean up things.
1157
1158         It improves the performance a bit.
1159
1160                                     baseline                  patched
1161
1162         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
1163
1164         * runtime/ObjectConstructor.cpp:
1165         (JSC::objectConstructorAssign):
1166
1167 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1168
1169         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
1170         https://bugs.webkit.org/show_bug.cgi?id=187798
1171
1172         Reviewed by Michael Catanzaro.
1173
1174         Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
1175         jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
1176         functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
1177         patch adds JSAPIWrapperGlobalObject for that.
1178
1179         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
1180         (jsAPIWrapperGlobalObjectHandleOwner):
1181         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
1182         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
1183         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
1184         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
1185         (JSC::JSAPIWrapperGlobalObject::finishCreation):
1186         (JSC::JSAPIWrapperGlobalObject::visitChildren):
1187         * API/glib/JSAPIWrapperGlobalObject.h: Added.
1188         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
1189         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
1190         * API/glib/JSCClass.cpp:
1191         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
1192         (wrappedObjectClass): Return the class of a wrapped object.
1193         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
1194         scope extension global object is used instead.
1195         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
1196         (setProperty): Ditto.
1197         (hasProperty): Ditto.
1198         (deleteProperty): Ditto.
1199         (getPropertyNames): Ditto.
1200         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
1201         * API/glib/JSCClassPrivate.h:
1202         * API/glib/JSCContext.cpp:
1203         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
1204         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
1205         * API/glib/JSCContext.h:
1206         * API/glib/JSCContextPrivate.h:
1207         * API/glib/JSCWrapperMap.cpp:
1208         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
1209         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
1210         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
1211         * API/glib/JSCWrapperMap.h:
1212         * GLib.cmake:
1213
1214 2018-07-19  Saam Barati  <sbarati@apple.com>
1215
1216         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
1217         https://bugs.webkit.org/show_bug.cgi?id=187836
1218         <rdar://problem/42409527>
1219
1220         Reviewed by Mark Lam.
1221
1222         We have crash reports that we're crashing on source->getDirect in Object.assign's
1223         fast path. Mark investigated this and determined we end up with a nullptr for
1224         butterfly. This is curious, because source's Structure indicated that it has
1225         out of line properties. My leading hypothesis for this at the moment is a bit
1226         handwavy, but it's essentially:
1227         - We end up firing a watchpoint when assigning to the target (this can happen
1228         if a watchpoint was set up for storing to that particular field)
1229         - When we fire that watchpoint, we end up doing some kind work on the source,
1230         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
1231         mutating source.
1232         
1233         I'm not super convinced this is what we're running into, but just by reading
1234         the code, I think it needs to be something similar to this. Seeing if this change
1235         fixes the crasher will give us good data to determine if something like this is
1236         happening or if the bug is something else entirely.
1237
1238         * runtime/ObjectConstructor.cpp:
1239         (JSC::objectConstructorAssign):
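
Added example, not JSC code: a small model of the hazard the entry above hypothesizes, where a store into the target runs code that mutates the source. Object, flattenStructure, putDirect, assignInterleaved and assignTwoPhase are constructed for this example and only mirror the JSC concepts by name; the scenario input is constructed too.

```cpp
// Added example (not JSC code). Storing into the target runs a hook (standing
// in for a watchpoint firing) that does work on the source, here rebuilding
// its out-of-line property storage. A copy loop that caches the source storage
// and interleaves loads with stores then holds a stale pointer; loading
// everything first and only then storing never reads the source after a store.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct Object {
    // Out-of-line property storage ("butterfly" in JSC terms); replaced
    // wholesale when the object's layout is rebuilt.
    std::unique_ptr<std::vector<int>> storage;
    // Runs after every store into this object.
    std::function<void()> onStore;

    explicit Object(std::vector<int> props)
        : storage(std::make_unique<std::vector<int>>(std::move(props))) {}

    // Rebuilds the storage; the previous allocation is freed.
    void flattenStructure() {
        storage = std::make_unique<std::vector<int>>(*storage);
    }

    void putDirect(std::size_t index, int value) {
        if (storage->size() <= index)
            storage->resize(index + 1);
        (*storage)[index] = value;
        if (onStore)
            onStore();
    }
};

// Interleaved copy: caches the source storage once and alternates load/store.
// Returns false if the cached pointer is stale before a load, this model's
// stand-in for the crash (a real loop would read freed memory).
bool assignInterleaved(Object& target, Object& source) {
    const std::vector<int>* cached = source.storage.get();
    const std::size_t count = cached->size();
    for (std::size_t i = 0; i < count; ++i) {
        if (cached != source.storage.get())
            return false;  // storage was rebuilt by a store into target
        target.putDirect(i, (*cached)[i]);
    }
    return true;
}

// Two-phase copy: phase 1 loads every value while nothing has yet run on the
// source; phase 2 stores them and never touches the source again.
bool assignTwoPhase(Object& target, Object& source) {
    std::vector<int> values = *source.storage;
    for (std::size_t i = 0; i < values.size(); ++i)
        target.putDirect(i, values[i]);
    return true;
}

struct Outcome {
    bool completed;           // whether the copy finished without going stale
    std::vector<int> target;  // target's storage contents afterwards
};

// Constructed scenario: every store into target flattens source.
Outcome runScenario(bool (*assign)(Object&, Object&)) {
    Object source(std::vector<int>{10, 20, 30});
    Object target(std::vector<int>{});
    target.onStore = [&source] { source.flattenStructure(); };
    bool completed = assign(target, source);
    return {completed, *target.storage};
}

int main() {
    Outcome a = runScenario(assignInterleaved);
    Outcome b = runScenario(assignTwoPhase);
    std::printf("interleaved: completed=%d copied=%zu\n", (int)a.completed, a.target.size());
    std::printf("two-phase:   completed=%d copied=%zu\n", (int)b.completed, b.target.size());
    return 0;
}
```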
1240
1241 2018-07-19  Commit Queue  <commit-queue@webkit.org>
1242
1243         Unreviewed, rolling out r233998.
1244         https://bugs.webkit.org/show_bug.cgi?id=187815
1245
1246         Not needed. (Requested by mlam|a on #webkit).
1247
1248         Reverted changeset:
1249
1250         "Temporarily mitigate a bug where a source provider is null
1251         when it shouldn't be."
1252         https://bugs.webkit.org/show_bug.cgi?id=187812
1253         https://trac.webkit.org/changeset/233998
1254
1255 2018-07-19  Mark Lam  <mark.lam@apple.com>
1256
1257         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
1258         https://bugs.webkit.org/show_bug.cgi?id=187812
1259         <rdar://problem/41192691>
1260
1261         Reviewed by Michael Saboff.
1262
1263         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
1264
1265         * runtime/Error.cpp:
1266         (JSC::addErrorInfo):
1267
1268 2018-07-19  Keith Rollin  <krollin@apple.com>
1269
1270         Adjust WEBCORE_EXPORT annotations for LTO
1271         https://bugs.webkit.org/show_bug.cgi?id=187781
1272         <rdar://problem/42351124>
1273
1274         Reviewed by Alex Christensen.
1275
1276         Continuation of Bug 186944. This bug addresses issues not caught
1277         during the first pass of adjustments. The initial work focussed on
1278         macOS; this one addresses issues found when building for iOS. From
1279         186944:
1280
1281         Adjust a number of places that result in WebKit's
1282         'check-for-weak-vtables-and-externals' script reporting weak external
1283         symbols:
1284
1285             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
1286             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
1287             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
1288             ...
1289
1290         These cases are caused by inline methods being marked with WTF_EXPORT
1291         (or related macro) or with an inline function being in a class marked
1292         as such, and when enabling LTO builds.
1293
1294         For the most part, address these by removing the WEBCORE_EXPORT
1295         annotation from inline methods. In some cases, move the implementation
1296         out-of-line because it's the class that has the WEBCORE_EXPORT on it
1297         and removing the annotation from the class would be too disruptive.
1298         Finally, in other cases, move the implementation out-of-line because
1299         check-for-weak-vtables-and-externals still complains when keeping the
1300         implementation inline and removing the annotation; this seems to
1301         typically (but not always) happen with destructors.
1302
1303         * inspector/remote/RemoteAutomationTarget.cpp:
1304         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
1305         * inspector/remote/RemoteAutomationTarget.h:
1306         * inspector/remote/RemoteInspector.cpp:
1307         (Inspector::RemoteInspector::Client::~Client):
1308         * inspector/remote/RemoteInspector.h:
1309
1310 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1311
1312         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
1313         https://bugs.webkit.org/show_bug.cgi?id=187807
1314
1315         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
1316         that we know that exception occurrence and handle it well.
1317
1318         * runtime/JSONObject.cpp:
1319         (JSC::Stringifier::Holder::appendNextProperty):
1320
1321 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1322
1323         [JSC] Reduce size of AST nodes
1324         https://bugs.webkit.org/show_bug.cgi?id=187689
1325
1326         Reviewed by Mark Lam.
1327
1328         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
1329         of ParserArena at peak state.
1330
1331         1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
1332         devirtualize a call to the function which is implemented in a final class.
1333
1334         2. Use default member initializers more.
1335
1336         3. And use `nullptr` instead of `0`.
1337
1338         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
1339         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
1340         to 40. This decreases the sizes of all the derived Statement nodes.
1341
1342         * parser/NodeConstructors.h:
1343         (JSC::Node::Node):
1344         (JSC::StatementNode::StatementNode):
1345         (JSC::ElementNode::ElementNode):
1346         (JSC::ArrayNode::ArrayNode):
1347         (JSC::PropertyListNode::PropertyListNode):
1348         (JSC::ObjectLiteralNode::ObjectLiteralNode):
1349         (JSC::ArgumentListNode::ArgumentListNode):
1350         (JSC::ArgumentsNode::ArgumentsNode):
1351         (JSC::NewExprNode::NewExprNode):
1352         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1353         (JSC::BinaryOpNode::BinaryOpNode):
1354         (JSC::LogicalOpNode::LogicalOpNode):
1355         (JSC::CommaNode::CommaNode):
1356         (JSC::SourceElements::SourceElements):
1357         (JSC::ClauseListNode::ClauseListNode):
1358         * parser/Nodes.cpp:
1359         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1360         (JSC::FunctionMetadataNode::operator== const):
1361         (JSC::FunctionMetadataNode::dump const):
1362         * parser/Nodes.h:
1363         (JSC::BooleanNode::value): Deleted.
1364         (JSC::StringNode::value): Deleted.
1365         (JSC::TemplateExpressionListNode::value): Deleted.
1366         (JSC::TemplateExpressionListNode::next): Deleted.
1367         (JSC::TemplateStringNode::cooked): Deleted.
1368         (JSC::TemplateStringNode::raw): Deleted.
1369         (JSC::TemplateStringListNode::value): Deleted.
1370         (JSC::TemplateStringListNode::next): Deleted.
1371         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
1372         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
1373         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
1374         (JSC::ResolveNode::identifier const): Deleted.
1375         (JSC::ElementNode::elision const): Deleted.
1376         (JSC::ElementNode::value): Deleted.
1377         (JSC::ElementNode::next): Deleted.
1378         (JSC::ArrayNode::elements const): Deleted.
1379         (JSC::PropertyNode::expressionName const): Deleted.
1380         (JSC::PropertyNode::name const): Deleted.
1381         (JSC::PropertyNode::type const): Deleted.
1382         (JSC::PropertyNode::needsSuperBinding const): Deleted.
1383         (JSC::PropertyNode::isClassProperty const): Deleted.
1384         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
1385         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
1386         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
1387         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
1388         (JSC::PropertyNode::putType const): Deleted.
1389         (JSC::BracketAccessorNode::base const): Deleted.
1390         (JSC::BracketAccessorNode::subscript const): Deleted.
1391         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
1392         (JSC::DotAccessorNode::base const): Deleted.
1393         (JSC::DotAccessorNode::identifier const): Deleted.
1394         (JSC::SpreadExpressionNode::expression const): Deleted.
1395         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
1396         (JSC::BytecodeIntrinsicNode::type const): Deleted.
1397         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
1398         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
1399         (JSC::TypeOfResolveNode::identifier const): Deleted.
1400         (JSC::BitwiseNotNode::expr): Deleted.
1401         (JSC::BitwiseNotNode::expr const): Deleted.
1402         (JSC::AssignResolveNode::identifier const): Deleted.
1403         (JSC::ExprStatementNode::expr const): Deleted.
1404         (JSC::ForOfNode::isForAwait const): Deleted.
1405         (JSC::ReturnNode::value): Deleted.
1406         (JSC::ProgramNode::startColumn const): Deleted.
1407         (JSC::ProgramNode::endColumn const): Deleted.
1408         (JSC::EvalNode::startColumn const): Deleted.
1409         (JSC::EvalNode::endColumn const): Deleted.
1410         (JSC::ModuleProgramNode::startColumn const): Deleted.
1411         (JSC::ModuleProgramNode::endColumn const): Deleted.
1412         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
1413         (JSC::ModuleNameNode::moduleName): Deleted.
1414         (JSC::ImportSpecifierNode::importedName): Deleted.
1415         (JSC::ImportSpecifierNode::localName): Deleted.
1416         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
1417         (JSC::ImportSpecifierListNode::append): Deleted.
1418         (JSC::ImportDeclarationNode::specifierList const): Deleted.
1419         (JSC::ImportDeclarationNode::moduleName const): Deleted.
1420         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
1421         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
1422         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
1423         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
1424         (JSC::ExportSpecifierNode::exportedName): Deleted.
1425         (JSC::ExportSpecifierNode::localName): Deleted.
1426         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
1427         (JSC::ExportSpecifierListNode::append): Deleted.
1428         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
1429         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
1430         (JSC::ArrayPatternNode::appendIndex): Deleted.
1431         (JSC::ObjectPatternNode::appendEntry): Deleted.
1432         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
1433         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
1434         (JSC::DestructuringAssignmentNode::bindings): Deleted.
1435         (JSC::FunctionParameters::size const): Deleted.
1436         (JSC::FunctionParameters::append): Deleted.
1437         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
1438         (JSC::FuncDeclNode::metadata): Deleted.
1439         (JSC::CaseClauseNode::expr const): Deleted.
1440         (JSC::CaseClauseNode::setStartOffset): Deleted.
1441         (JSC::ClauseListNode::getClause const): Deleted.
1442         (JSC::ClauseListNode::getNext const): Deleted.
1443         * runtime/ExceptionHelpers.cpp:
1444         * runtime/JSObject.cpp:
1445
1446 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1447
1448         JSON.stringify should emit non own properties if second array argument includes
1449         https://bugs.webkit.org/show_bug.cgi?id=187724
1450
1451         Reviewed by Mark Lam.
1452
1453         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
1454         instead of [[GetOwnProperty]]. It means that we would look up properties defined
1455         in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
1456         by using EnumerableOwnPropertyNames typically, we can pass a replacer array including
1457         property names which do not reside in the own properties. Or we can modify the
1458         own properties by deleting properties while JSON.stringify is calling a getter. So,
1459         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
1460
1461         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
1462         The performance of Kraken/json-stringify-tinderbox is neutral.
1463
1464         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
1465
1466         * runtime/JSONObject.cpp:
1467         (JSC::Stringifier::toJSON):
1468         (JSC::Stringifier::toJSONImpl):
1469         (JSC::Stringifier::appendStringifiedValue):
1470         (JSC::Stringifier::Holder::Holder):
1471         (JSC::Stringifier::Holder::appendNextProperty):
1472
1473 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1474
1475         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
1476         https://bugs.webkit.org/show_bug.cgi?id=187755
1477
1478         Reviewed by Mark Lam.
1479
1480         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
1481         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
1482         makes one test262 test fail.
1483
1484         This patch changes the code to use `isArray()`. And we reorder the evaluations of the replacer check and indent space check
1485         to align these checks to the spec's order.
1486
1487         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
1488
1489         * runtime/JSONObject.cpp:
1490         (JSC::Stringifier::Stringifier):
1491
1492 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1493
1494         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
1495         https://bugs.webkit.org/show_bug.cgi?id=187752
1496
1497         Reviewed by Mark Lam.
1498
1499         JSON.stringify has an implicit root wrapper object since we would like to call replacer
1500         with a wrapper object and a property name. While we always create this wrapper object,
1501         it is unnecessary if the given replacer is not callable.
1502
1503         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
1504         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
1505
1506                                            baseline                  patched
1507
1508         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
1509
1510         * runtime/JSONObject.cpp:
1511         (JSC::Stringifier::isCallableReplacer const):
1512         (JSC::Stringifier::Stringifier):
1513         (JSC::Stringifier::stringify):
1514         (JSC::Stringifier::appendStringifiedValue):
1515
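The three JSON.stringify entries above (bugs 187752, 187755 and 187724) describe spec behaviour that is observable from script. The following is an added example, not code from WebKit or from this ChangeLog, that demonstrates each point in plain JavaScript on constructed objects: a callable replacer first sees the implicit {"": root} wrapper as `this`, a Proxy over an array is accepted as an array replacer because the check is IsArray, and property values are read with [[Get]] so inherited properties can appear in the output.

```javascript
// Added example (not WebKit code): script-observable JSON.stringify semantics
// described in the ChangeLog entries for bugs 187724, 187755 and 187752.
// All objects below are constructed for the demonstration.

// Bug 187724: property values are read with [[Get]], so a replacer array may
// name a property that lives on the prototype rather than on the object.
function stringifyInheritedViaReplacerArray() {
  const proto = { inherited: 'from-proto' };
  const obj = Object.create(proto);
  obj.own = 'own';
  return JSON.stringify(obj, ['own', 'inherited']);
  // → {"own":"own","inherited":"from-proto"}
}

// Bug 187724: the key list is taken up front with EnumerableOwnPropertyNames,
// but each value is fetched afterwards with [[Get]]. A getter that deletes a
// sibling own property during serialization therefore exposes the
// prototype's value for that key instead of dropping it.
function stringifyWithDeletingGetter() {
  const proto = { b: 'from-proto' };
  const obj = Object.create(proto);
  Object.defineProperty(obj, 'a', {
    enumerable: true,
    get() { delete obj.b; return 1; },
  });
  obj.b = 'own';
  return JSON.stringify(obj);
  // → {"a":1,"b":"from-proto"}
}

// Bug 187755: the replacer is tested with IsArray, which sees through a Proxy,
// not with an "is this a real Array instance" check.
function stringifyWithProxyReplacer() {
  const replacer = new Proxy(['a'], {});
  return JSON.stringify({ a: 1, b: 2 }, replacer);
  // → {"a":1}
}

// Bug 187752: a callable replacer is first invoked with key "" and with the
// implicit wrapper object {"": root} as `this`; later calls receive the
// object that holds the property being serialized. The wrapper is the only
// place the root holder is observable, which is why it is not needed when
// the replacer is not callable.
function replacerHolders() {
  const root = { x: 1 };
  const seen = [];
  JSON.stringify(root, function (key, value) {
    seen.push({
      key,
      holderIsRoot: this === root,
      holderHasEmptyKey: Object.prototype.hasOwnProperty.call(this, ''),
    });
    return value;
  });
  return seen;
  // → [{ key: '', holderIsRoot: false, holderHasEmptyKey: true },
  //    { key: 'x', holderIsRoot: true, holderHasEmptyKey: false }]
}
```

Run it with any spec-conforming engine (for example `node`); the expected results are noted in the comments. An engine that still used [[GetOwnProperty]] would return {"own":"own"} and {"a":1} for the first two functions, and one that required a real JSArray would ignore the Proxy replacer entirely.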
1516 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1517
1518         [GLIB] Add jsc_context_check_syntax() to GLib API
1519         https://bugs.webkit.org/show_bug.cgi?id=187694
1520
1521         Reviewed by Yusuke Suzuki.
1522
1523         A new function to be able to check for syntax errors without actually evaluating the code.
1524
1525         * API/glib/JSCContext.cpp:
1526         (jsc_context_check_syntax):
1527         * API/glib/JSCContext.h:
1528         * API/glib/docs/jsc-glib-4.0-sections.txt:
1529
1530 2018-07-17  Keith Miller  <keith_miller@apple.com>
1531
1532         Revert r233630 since it broke internal wasm benchmarks
1533         https://bugs.webkit.org/show_bug.cgi?id=187746
1534
1535         Unreviewed revert.
1536
1537         This patch seems to have broken internal Wasm benchmarks. This
1538         issue is likely due to an underlying bug but let's roll out while
1539         we investigate.
1540
1541         * bytecode/CodeType.h:
1542         * bytecode/UnlinkedCodeBlock.cpp:
1543         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1544         * bytecode/UnlinkedCodeBlock.h:
1545         (JSC::UnlinkedCodeBlock::codeType const):
1546         (JSC::UnlinkedCodeBlock::didOptimize const):
1547         (JSC::UnlinkedCodeBlock::setDidOptimize):
1548         * bytecode/VirtualRegister.h:
1549         (JSC::VirtualRegister::VirtualRegister):
1550         (): Deleted.
1551
1552 2018-07-17  Mark Lam  <mark.lam@apple.com>
1553
1554         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
1555         https://bugs.webkit.org/show_bug.cgi?id=187736
1556         <rdar://problem/42114371>
1557
1558         Reviewed by Michael Saboff.
1559
1560         CodeBlock::baselineVersion() currently checks for a null replacement but does not
1561         account for the fact that the replacement can also be null due to the
1562         executable having been purged of its codeBlocks due to a memory event (see
1563         ExecutableBase::clearCode()).  This patch adds code to account for this.
1564
1565         * bytecode/CodeBlock.cpp:
1566         (JSC::CodeBlock::baselineVersion):
1567
1568 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1569
1570         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
1571         https://bugs.webkit.org/show_bug.cgi?id=187709
1572
1573         Reviewed by Mark Lam.
1574
1575         UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
1576
1577         * bytecode/UnlinkedCodeBlock.cpp:
1578         (JSC::UnlinkedCodeBlock::shrinkToFit):
1579
1580 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1581
1582         [JSC] Make SourceParseMode small
1583         https://bugs.webkit.org/show_bug.cgi?id=187705
1584
1585         Reviewed by Mark Lam.
1586
1587         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
1588         Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
1589         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
1590         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
1591
1592         * parser/ParserModes.h:
1593         (JSC::SourceParseModeSet::SourceParseModeSet):
1594         (JSC::SourceParseModeSet::contains):
1595         (JSC::SourceParseModeSet::mergeSourceParseModes):
1596
1597 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1598
1599         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
1600         https://bugs.webkit.org/show_bug.cgi?id=187585
1601
1602         Reviewed by Darin Adler.
1603
1604         This patch fixes Generator and AsyncGenerator's prototype issues.
1605
1606         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
1607         We fix this by changing JSFunction::prototypeForConstruction.
1608
1609         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
1610         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
1611         to fix `prototype` issues for AsyncGeneratorMethod.
1612
1613         * bytecompiler/BytecodeGenerator.cpp:
1614         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1615         (JSC::BytecodeGenerator::emitNewFunction):
1616         * bytecompiler/NodesCodegen.cpp:
1617         (JSC::FunctionNode::emitBytecode):
1618         * parser/ASTBuilder.h:
1619         (JSC::ASTBuilder::createFunctionMetadata):
1620         * parser/Parser.cpp:
1621         (JSC::getAsynFunctionBodyParseMode):
1622         (JSC::Parser<LexerType>::parseInner):
1623         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1624         * parser/ParserModes.h:
1625         (JSC::isAsyncGeneratorParseMode):
1626         (JSC::isAsyncGeneratorWrapperParseMode):
1627         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
1628         * runtime/FunctionExecutable.h:
1629         * runtime/JSFunction.cpp:
1630         (JSC::JSFunction::prototypeForConstruction):
1631         (JSC::JSFunction::getOwnPropertySlot):
1632
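The entry above (bug 187585) concerns which prototype a generator object gets when the generator function's own `prototype` property has been replaced with a non-object. The following is an added example, not WebKit code, that checks the spec behaviour from script on constructed generator functions: the fallback is the intrinsic %GeneratorPrototype% (reachable as Object.getPrototypeOf(function* () {}).prototype) and, for async generator methods, %AsyncGeneratorPrototype%.

```javascript
// Added example (not WebKit code): prototype selection for generator objects,
// the behaviour described in the ChangeLog entry for bug 187585.

// The intrinsics the spec falls back to, obtained without relying on any
// engine-specific global.
const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;

// A plain generator function: normally each generator object inherits from
// the function's own `prototype` object, which in turn inherits from
// %GeneratorPrototype%. Once `prototype` is set to a non-object, the spec's
// OrdinaryCreateFromConstructor uses %GeneratorPrototype% directly.
function generatorPrototypeAfterNulling() {
  function* gen() { yield 1; }
  const normal = Object.getPrototypeOf(gen()) === gen.prototype
    && Object.getPrototypeOf(gen.prototype) === GeneratorPrototype;
  gen.prototype = null; // the case the ChangeLog entry names
  const fallback = Object.getPrototypeOf(gen()) === GeneratorPrototype;
  return { normal, fallback };
}

// An async generator method: same rule, but the fallback is
// %AsyncGeneratorPrototype%. Any non-object value triggers it, not only null.
function asyncGeneratorMethodPrototypeAfterNulling() {
  class C { async *m() { yield 1; } }
  const method = C.prototype.m;
  const normal = Object.getPrototypeOf(new C().m()) === method.prototype
    && Object.getPrototypeOf(method.prototype) === AsyncGeneratorPrototype;
  method.prototype = 42;
  const fallback = Object.getPrototypeOf(new C().m()) === AsyncGeneratorPrototype;
  return { normal, fallback };
}
```

Both functions return { normal: true, fallback: true } on a conforming engine; an engine with the bug described above would instead give the generator object %Object.prototype% (or fail the check) once `prototype` has been nulled.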
1633 2018-07-16  Mark Lam  <mark.lam@apple.com>
1634
1635         jsc shell's noFTL utility test function should be more robust.
1636         https://bugs.webkit.org/show_bug.cgi?id=187704
1637         <rdar://problem/42231988>
1638
1639         Reviewed by Michael Saboff and Keith Miller.
1640
1641         * jsc.cpp:
1642         (functionNoFTL):
1643         - only setNeverFTLOptimize() if the function is actually a JS function.
1644
1645 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
1646
1647         [GLIB] Add API to evaluate code using a given object to store global symbols
1648         https://bugs.webkit.org/show_bug.cgi?id=187639
1649
1650         Reviewed by Michael Catanzaro.
1651
1652         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
1653         evaluated script are added as properties to the new object instead of to the context global object. This is
1654         similar to JS::Evaluate in SpiderMonkey when a scopeChain parameter is passed, but JSC doesn't support using a
1655         scope for assignments, so we have to create a new context and get its global object. This patch also updates
1656         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
1657         jsc_context_evaluate_in_object().
1658
1659         * API/glib/JSCContext.cpp:
1660         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
1661         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
1662         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
1663         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
1664         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
1665         * API/glib/JSCContext.h:
1666         * API/glib/docs/jsc-glib-4.0-sections.txt:
1667
1668 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1669
1670         [32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
1671         https://bugs.webkit.org/show_bug.cgi?id=187561
1672
1673         Reviewed by Darin Adler.
1674
1675         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
1676         We clean up 32bit put_by_val code.
1677
1678         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
1679         aligns 32bit implementation to 64bit implementation.
1680
1681         2. We add CoW array checking, which is done in 64bit implementation.
1682
1683         * jit/JITPropertyAccess.cpp:
1684         (JSC::JIT::emit_op_put_by_val):
1685         * jit/JITPropertyAccess32_64.cpp:
1686         (JSC::JIT::emit_op_put_by_val):
1687         (JSC::JIT::emitSlow_op_put_by_val):
1688
1689 2018-07-12  Mark Lam  <mark.lam@apple.com>
1690
1691         Need to handle CodeBlock::replacement() being null.
1692         https://bugs.webkit.org/show_bug.cgi?id=187569
1693         <rdar://problem/41468692>
1694
1695         Reviewed by Saam Barati.
1696
1697         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
1698         for this while others do not.  We should add null checks in all the places that
1699         need it.
1700
1701         * bytecode/CodeBlock.cpp:
1702         (JSC::CodeBlock::hasOptimizedReplacement):
1703         (JSC::CodeBlock::jettison):
1704         (JSC::CodeBlock::numberOfDFGCompiles):
1705         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1706         * dfg/DFGOperations.cpp:
1707         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1708         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1709         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1710         * jit/JITOperations.cpp:
1711
1712 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1713
1714         [JSC] Thread VM& to JSCell::methodTable(VM&)
1715         https://bugs.webkit.org/show_bug.cgi?id=187548
1716
1717         Reviewed by Saam Barati.
1718
1719         This patch threads VM& to methodTable(VM&) and removes methodTable().
1720         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
1721
1722         * API/APICast.h:
1723         (toJS):
1724         * API/JSCallbackObject.h:
1725         * API/JSCallbackObjectFunctions.h:
1726         (JSC::JSCallbackObject<Parent>::className):
1727         * bytecode/CodeBlock.cpp:
1728         (JSC::CodeBlock::estimatedSize):
1729         * bytecode/CodeBlock.h:
1730         * bytecode/UnlinkedCodeBlock.cpp:
1731         (JSC::UnlinkedCodeBlock::estimatedSize):
1732         * bytecode/UnlinkedCodeBlock.h:
1733         * debugger/DebuggerScope.cpp:
1734         (JSC::DebuggerScope::className):
1735         * debugger/DebuggerScope.h:
1736         * heap/Heap.cpp:
1737         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
1738         (JSC::GatherHeapSnapshotData::operator() const):
1739         (JSC::Heap::gatherExtraHeapSnapshotData):
1740         * heap/HeapSnapshotBuilder.cpp:
1741         (JSC::HeapSnapshotBuilder::json):
1742         * runtime/ArrayPrototype.cpp:
1743         (JSC::arrayProtoFuncToString):
1744         * runtime/ClassInfo.h:
1745         * runtime/DirectArguments.cpp:
1746         (JSC::DirectArguments::estimatedSize):
1747         * runtime/DirectArguments.h:
1748         * runtime/HashMapImpl.cpp:
1749         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1750         * runtime/HashMapImpl.h:
1751         * runtime/JSArrayBuffer.cpp:
1752         (JSC::JSArrayBuffer::estimatedSize):
1753         * runtime/JSArrayBuffer.h:
1754         * runtime/JSBigInt.cpp:
1755         (JSC::JSBigInt::estimatedSize):
1756         * runtime/JSBigInt.h:
1757         * runtime/JSCell.cpp:
1758         (JSC::JSCell::dump const):
1759         (JSC::JSCell::estimatedSizeInBytes const):
1760         (JSC::JSCell::estimatedSize):
1761         (JSC::JSCell::className):
1762         * runtime/JSCell.h:
1763         * runtime/JSCellInlines.h:
1764         * runtime/JSGenericTypedArrayView.h:
1765         * runtime/JSGenericTypedArrayViewInlines.h:
1766         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1767         * runtime/JSObject.cpp:
1768         (JSC::JSObject::estimatedSize):
1769         (JSC::JSObject::className):
1770         (JSC::JSObject::toStringName):
1771         (JSC::JSObject::calculatedClassName):
1772         * runtime/JSObject.h:
1773         * runtime/JSProxy.cpp:
1774         (JSC::JSProxy::className):
1775         * runtime/JSProxy.h:
1776         * runtime/JSString.cpp:
1777         (JSC::JSString::estimatedSize):
1778         * runtime/JSString.h:
1779         * runtime/RegExp.cpp:
1780         (JSC::RegExp::estimatedSize):
1781         * runtime/RegExp.h:
1782         * runtime/WeakMapImpl.cpp:
1783         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1784         * runtime/WeakMapImpl.h:
1785
1786 2018-07-11  Commit Queue  <commit-queue@webkit.org>
1787
1788         Unreviewed, rolling out r233714.
1789         https://bugs.webkit.org/show_bug.cgi?id=187579
1790
1791         it made tests time out (Requested by pizlo on #webkit).
1792
1793         Reverted changeset:
1794
1795         "Change the reoptimization backoff base to 1.3 from 2"
1796         https://bugs.webkit.org/show_bug.cgi?id=187540
1797         https://trac.webkit.org/changeset/233714
1798
1799 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1800
1801         [GLIB] Add API to allow creating variadic functions
1802         https://bugs.webkit.org/show_bug.cgi?id=187517
1803
1804         Reviewed by Michael Catanzaro.
1805
1806         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
1807         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
1808
1809         * API/glib/JSCCallbackFunction.cpp:
1810         (JSC::JSCCallbackFunction::create): Make the parameters optional.
1811         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
1812         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
1813         JSCValue for the arguments.
1814         (JSC::JSCCallbackFunction::construct): Ditto.
1815         * API/glib/JSCCallbackFunction.h:
1816         * API/glib/JSCClass.cpp:
1817         (jscClassCreateConstructor): Make the parameters optional.
1818         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
1819         (jscClassAddMethod): Make the parameters optional.
1820         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
1821         * API/glib/JSCClass.h:
1822         * API/glib/JSCValue.cpp:
1823         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
1824         (jscValueFunctionCreate): Make the parameters optional.
1825         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
1826         * API/glib/JSCValue.h:
1827         * API/glib/docs/jsc-glib-4.0-sections.txt:
1828
1829 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1830
1831         [GLIB] Add jsc_context_get_global_object() to GLib API
1832         https://bugs.webkit.org/show_bug.cgi?id=187515
1833
1834         Reviewed by Michael Catanzaro.
1835
1836         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
1837         object. However, getting the global object could be useful in some cases, for example to give it a well known
1838         name like 'window' in browsers and GJS.
1839
1840         * API/glib/JSCContext.cpp:
1841         (jsc_context_get_global_object):
1842         * API/glib/JSCContext.h:
1843         * API/glib/docs/jsc-glib-4.0-sections.txt:
1844
1845 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1846
1847         [GLIB] Handle G_TYPE_STRV in glib API
1848         https://bugs.webkit.org/show_bug.cgi?id=187512
1849
1850         Reviewed by Michael Catanzaro.
1851
1852         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
1853
1854         * API/glib/JSCContext.cpp:
1855         (jscContextGValueToJSValue):
1856         (jscContextJSValueToGValue):
1857         * API/glib/JSCValue.cpp:
1858         (jsc_value_new_array_from_strv):
1859         * API/glib/JSCValue.h:
1860         * API/glib/docs/jsc-glib-4.0-sections.txt:
1861
1862 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1863
1864         Iterator of Array.keys() returns object in wrong order
1865         https://bugs.webkit.org/show_bug.cgi?id=185197
1866
1867         Reviewed by Keith Miller.
1868
1869         * builtins/ArrayIteratorPrototype.js:
1870         (globalPrivate.arrayIteratorValueNext):
1871         (globalPrivate.arrayIteratorKeyNext):
1872         (globalPrivate.arrayIteratorKeyValueNext):
1873         * builtins/AsyncFromSyncIteratorPrototype.js:
1874         * builtins/AsyncGeneratorPrototype.js:
1875         (globalPrivate.asyncGeneratorResolve):
1876         * builtins/GeneratorPrototype.js:
1877         (globalPrivate.generatorResume):
1878         * builtins/MapIteratorPrototype.js:
1879         (globalPrivate.mapIteratorNext):
1880         * builtins/SetIteratorPrototype.js:
1881         (globalPrivate.setIteratorNext):
1882         * builtins/StringIteratorPrototype.js:
1883         (next):
1884         * runtime/IteratorOperations.cpp:
1885         (JSC::createIteratorResultObjectStructure):
1886         (JSC::createIteratorResultObject):
1887
1888 2018-07-10  Mark Lam  <mark.lam@apple.com>
1889
1890         constructArray() should always allocate the requested length.
1891         https://bugs.webkit.org/show_bug.cgi?id=187543
1892         <rdar://problem/41947884>
1893
1894         Reviewed by Saam Barati.
1895
1896         Currently, it does not when we're having a bad time.  We fix this by switching
1897         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
1898         If we detect that a structure transition is possible before we can initialize
1899         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
1900         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
1901
1902         Also enhanced the DisallowScope and ObjectInitializationScope to support this
1903         eager initialization when needed.
1904
1905         * dfg/DFGOperations.cpp:
1906         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
1907           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
1908           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
1909           generated code, which will appear as a generic null pointer dereference.
1910
1911         * runtime/ArrayPrototype.cpp:
1912         (JSC::concatAppendOne):
1913         - the code here clearly wants to check for an allocation failure.  Switched to
1914           using JSArray::tryCreate() instead of JSArray::create().
1915
1916         * runtime/DisallowScope.h:
1917         (JSC::DisallowScope::disable):
1918         * runtime/JSArray.cpp:
1919         (JSC::JSArray::tryCreateUninitializedRestricted):
1920         (JSC::JSArray::eagerlyInitializeButterfly):
1921         (JSC::constructArray):
1922         * runtime/JSArray.h:
1923         * runtime/ObjectInitializationScope.cpp:
1924         (JSC::ObjectInitializationScope::notifyInitialized):
1925         * runtime/ObjectInitializationScope.h:
1926         (JSC::ObjectInitializationScope::notifyInitialized):
1927
1928 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1929
1930         [JSC] Remove getTypedArrayImpl
1931         https://bugs.webkit.org/show_bug.cgi?id=187338
1932
1933         Reviewed by Mark Lam.
1934
1935         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
1936         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
1937         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
1938
1939         * runtime/ClassInfo.h:
1940         * runtime/GenericTypedArrayView.h:
1941         (JSC::GenericTypedArrayView::data const): Deleted.
1942         (JSC::GenericTypedArrayView::set): Deleted.
1943         (JSC::GenericTypedArrayView::setRange): Deleted.
1944         (JSC::GenericTypedArrayView::zeroRange): Deleted.
1945         (JSC::GenericTypedArrayView::zeroFill): Deleted.
1946         (JSC::GenericTypedArrayView::length const): Deleted.
1947         (JSC::GenericTypedArrayView::item const): Deleted.
1948         (JSC::GenericTypedArrayView::set const): Deleted.
1949         (JSC::GenericTypedArrayView::setNative const): Deleted.
1950         (JSC::GenericTypedArrayView::getRange): Deleted.
1951         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
1952         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
1953         * runtime/JSArrayBufferView.cpp:
1954         (JSC::JSArrayBufferView::possiblySharedImpl):
1955         * runtime/JSArrayBufferView.h:
1956         * runtime/JSArrayBufferViewInlines.h:
1957         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
1958         * runtime/JSCell.cpp:
1959         (JSC::JSCell::getTypedArrayImpl): Deleted.
1960         * runtime/JSCell.h:
1961         * runtime/JSDataView.cpp:
1962         (JSC::JSDataView::getTypedArrayImpl): Deleted.
1963         * runtime/JSDataView.h:
1964         * runtime/JSGenericTypedArrayView.h:
1965         * runtime/JSGenericTypedArrayViewInlines.h:
1966         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
1967
1968 2018-07-10  Keith Miller  <keith_miller@apple.com>
1969
1970         hasOwnProperty returns true for out of bounds property index on TypedArray
1971         https://bugs.webkit.org/show_bug.cgi?id=187520
1972
1973         Reviewed by Saam Barati.
1974
1975         * runtime/JSGenericTypedArrayViewInlines.h:
1976         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
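
Added example, not code from WebKit or from this patch: a JavaScript check of the TypedArray own-property semantics this bug concerns, runnable in any engine. An integer index is an own property of a TypedArray only when it is in bounds, so hasOwnProperty must answer false for an out-of-bounds index, while a non-canonical numeric string such as "01" is an ordinary property key. The function names, array lengths and keys are constructed for the check.

```javascript
// Added example (not WebKit code): checks the integer-indexed exotic object
// semantics behind bug 187520. For a TypedArray, an integer index is an own
// property only when it is in bounds; out-of-bounds indices must not be
// reported by hasOwnProperty, and non-canonical numeric strings such as
// "01" are ordinary property keys that can be added and enumerated.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns the keys whose hasOwnProperty result disagrees with the expected
// value for a fresh Uint8Array of `length`; an empty array means the engine
// behaves correctly for the constructed cases.
function findIndexViolations(length) {
  const ta = new Uint8Array(length);
  const expectations = [
    [0, length > 0],           // first element, present when non-empty
    [length - 1, length > 0],  // last element (or -1 for an empty array)
    [length, false],           // one past the end: out of bounds
    [length + 100, false],     // far out of bounds
    [-1, false],               // negative integer index is never valid
    ["1.5", false],            // canonical numeric string, not an integer
    ["01", false],             // not canonical: ordinary lookup, absent
    ["length", false],         // inherited accessor, not an own property
  ];
  const violations = [];
  for (const [key, expected] of expectations) {
    const actual = hasOwn(ta, key);
    if (actual !== expected) violations.push({ key, expected, actual });
  }
  // A non-canonical numeric string behaves like any ordinary property key.
  ta["01"] = "tag";
  if (!hasOwn(ta, "01")) {
    violations.push({ key: "01 (after assignment)", expected: true, actual: false });
  }
  return violations;
}

// Enumerable own keys of a TypedArray: exactly the in-bounds indices, plus
// any ordinary properties that were added afterwards.
function listOwnKeys(length, extra = []) {
  const ta = new Uint8Array(length);
  for (const key of extra) ta[key] = 1;
  return Object.keys(ta);
}
```

findIndexViolations(4) returns an empty array on a conforming engine; an engine with the bug described above would report the entries for `length` and `length + 100`.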
1977
1978 2018-07-10  Michael Saboff  <msaboff@apple.com>
1979
1980         DFG JIT: compileMathIC produces incorrect machine code
1981         https://bugs.webkit.org/show_bug.cgi?id=187537
1982
1983         Reviewed by Saam Barati.
1984
1985         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
1986         fall back to the fast path generator which handles such cases.
1987
1988         * jit/JITMulGenerator.cpp:
1989         (JSC::JITMulGenerator::generateInline):
1990
1991 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
1992
1993         Change the reoptimization backoff base to 1.3 from 2
1994         https://bugs.webkit.org/show_bug.cgi?id=187540
1995
1996         Reviewed by Saam Barati.
1997         
1998         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
1999         
2000         I also have data that hints that a backoff base of 1 might be even better, but I think that
2001         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
2002
2003         * bytecode/CodeBlock.cpp:
2004         (JSC::CodeBlock::reoptimizationRetryCounter const):
2005         (JSC::CodeBlock::countReoptimization):
2006         (JSC::CodeBlock::adjustedCounterValue):
2007         * runtime/Options.cpp:
2008         (JSC::recomputeDependentOptions):
2009         * runtime/Options.h:
2010
2011 2018-07-10  Mark Lam  <mark.lam@apple.com>
2012
2013         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
2014         https://bugs.webkit.org/show_bug.cgi?id=187362
2015         <rdar://problem/42027210>
2016
2017         Reviewed by Saam Barati.
2018
2019         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
2020         value to use for initializing unused properties.  Updated an assertion to account
2021         for this.
2022
2023         * runtime/ObjectInitializationScope.cpp:
2024         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2025
2026 2018-07-10  Michael Saboff  <msaboff@apple.com>
2027
2028         YARR: . doesn't match non-BMP Unicode characters in some cases
2029         https://bugs.webkit.org/show_bug.cgi?id=187248
2030
2031         Reviewed by Geoffrey Garen.
2032
2033         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
2034         characters did not take into account that the character class is inverted.  In this case, we
2035         represent '.' as "not a newline" using the newline character class with an inverted check.
2036         Clearly that includes non-BMP characters.
2037
2038         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
2039         inverted use of that character class.
2040
2041         * yarr/YarrJIT.cpp:
2042         (JSC::Yarr::YarrGenerator::optimizeAlternative):
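
Added example, not code from WebKit or from this patch: the JavaScript-level behaviour the fix above restores, written so it can be run in any engine. Without the u flag a RegExp works on UTF-16 code units, so an astral character is two units to "."; with the u flag "." consumes a whole code point. "." is "anything except a line terminator", that is an inverted class, which is why a BMP-only shortcut must not apply to it. The sample string and helper names are constructed for this example.

```javascript
// Added example (not WebKit code): the semantics bug 187248 is about.
// U+1F600 is one code point but two UTF-16 code units; '.' under the u flag
// must consume the whole pair, and '.' is the inverted "not a newline"
// class, so it clearly includes non-BMP characters.

const NON_BMP = "\u{1F600}"; // constructed sample input: one astral code point

function dotBehaviour(sample) {
  return {
    codeUnits: sample.length,                       // 2 for a surrogate pair
    codePoints: [...sample].length,                 // 1
    dotUnicode: /^.$/u.test(sample),                // '.' spans the pair
    dotLegacy: /^.$/.test(sample),                  // one code unit only
    twoDotsLegacy: /^..$/.test(sample),             // two units, no u flag
    invertedClassUnicode: /^[^\n]$/u.test(sample),  // explicit inverted class
    dotStillExcludesNewline: /^.$/u.test("\n"),     // '.' never matches \n
    dotAllMatchesNewline: /^.$/su.test("\n"),       // the s flag lifts that
  };
}

// Runs a pattern under the u flag over `text` and returns the matched
// substrings, so a match that split a surrogate pair would be visible.
function unicodeMatches(text, source) {
  return Array.from(text.matchAll(new RegExp(source, "gu")), (m) => m[0]);
}

// True if any code point in `s` is an unpaired surrogate, i.e. a one-unit
// string whose code unit lies in 0xD800..0xDFFF.
function hasLoneSurrogate(s) {
  return [...s].some((ch) => {
    const cu = ch.charCodeAt(0);
    return ch.length === 1 && cu >= 0xd800 && cu <= 0xdfff;
  });
}
```

dotBehaviour(NON_BMP).dotUnicode must be true; an engine affected by the bug would report false here while still reporting true for the explicit inverted class.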
2043
2044 2018-07-09  Mark Lam  <mark.lam@apple.com>
2045
2046         Add --traceLLIntExecution and --traceLLIntSlowPath options.
2047         https://bugs.webkit.org/show_bug.cgi?id=187479
2048
2049         Reviewed by Yusuke Suzuki and Saam Barati.
2050
2051         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
2052
2053         The details:
2054         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
2055         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
2056            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
2057            continually spammed with logging until we rebuild.
2058         3. Fixed slow path LLINT tracing to work with exception check validation.
2059
2060         * llint/LLIntCommon.h:
2061         * llint/LLIntExceptions.cpp:
2062         (JSC::LLInt::returnToThrow):
2063         (JSC::LLInt::callToThrow):
2064         * llint/LLIntOfflineAsmConfig.h:
2065         * llint/LLIntSlowPaths.cpp:
2066         (JSC::LLInt::slowPathLog):
2067         (JSC::LLInt::slowPathLn):
2068         (JSC::LLInt::slowPathLogF):
2069         (JSC::LLInt::slowPathLogLn):
2070         (JSC::LLInt::llint_trace_operand):
2071         (JSC::LLInt::llint_trace_value):
2072         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2073         (JSC::LLInt::traceFunctionPrologue):
2074         (JSC::LLInt::handleHostCall):
2075         (JSC::LLInt::setUpCall):
2076         * llint/LLIntSlowPaths.h:
2077         * llint/LowLevelInterpreter.asm:
2078         * runtime/CommonSlowPathsExceptions.cpp:
2079         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2080         * runtime/Options.cpp:
2081         (JSC::Options::isAvailable):
2082         * runtime/Options.h:
2083
2084 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2085
2086         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
2087         https://bugs.webkit.org/show_bug.cgi?id=187477
2088
2089         Reviewed by Mark Lam.
2090
2091         Before this patch, RegExp* is specially held in the m_regexp buffer, which resides in CodeBlock's RareData.
2092         However, this is not necessary since JSCells can reside in a constant buffer.
2093         This patch embeds RegExp* in the constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
2094         vector from RareData.
2095
2096         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
2097
2098         * bytecode/BytecodeDumper.cpp:
2099         (JSC::BytecodeDumper<Block>::dumpBytecode):
2100         (JSC::BytecodeDumper<Block>::dumpBlock):
2101         (JSC::regexpToSourceString): Deleted.
2102         (JSC::regexpName): Deleted.
2103         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
2104         * bytecode/BytecodeDumper.h:
2105         * bytecode/CodeBlock.h:
2106         (JSC::CodeBlock::regexp const): Deleted.
2107         (JSC::CodeBlock::numberOfRegExps const): Deleted.
2108         * bytecode/UnlinkedCodeBlock.cpp:
2109         (JSC::UnlinkedCodeBlock::visitChildren):
2110         (JSC::UnlinkedCodeBlock::shrinkToFit):
2111         * bytecode/UnlinkedCodeBlock.h:
2112         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2113         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
2114         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
2115         * bytecompiler/BytecodeGenerator.cpp:
2116         (JSC::BytecodeGenerator::emitNewRegExp):
2117         (JSC::BytecodeGenerator::addRegExp): Deleted.
2118         * bytecompiler/BytecodeGenerator.h:
2119         * dfg/DFGByteCodeParser.cpp:
2120         (JSC::DFG::ByteCodeParser::parseBlock):
2121         * jit/JITOpcodes.cpp:
2122         (JSC::JIT::emit_op_new_regexp):
2123         * llint/LLIntSlowPaths.cpp:
2124         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2125         * runtime/JSCJSValue.cpp:
2126         (JSC::JSValue::dumpInContextAssumingStructure const):
2127         * runtime/RegExp.cpp:
2128         (JSC::regexpToSourceString):
2129         (JSC::RegExp::dumpToStream):
2130         * runtime/RegExp.h:
2131
2132 2018-07-09  Brian Burg  <bburg@apple.com>
2133
2134         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
2135         https://bugs.webkit.org/show_bug.cgi?id=187350
2136         <rdar://problem/41728249>
2137
2138         Reviewed by Matt Baker.
2139
2140         Add a new command that toggles whether or not to blackbox internal scripts.
2141         If blackboxed, the scripts will not be shown to the frontend and the debugger will
2142         not pause in source frames from blackboxed scripts. Sometimes we want to break into
2143         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
2144         that injects scripts.
2145
2146         * inspector/agents/InspectorDebuggerAgent.cpp:
2147         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2148         (Inspector::InspectorDebuggerAgent::didParseSource):
2149         * inspector/agents/InspectorDebuggerAgent.h:
2150         * inspector/protocol/Debugger.json:
2151
2152 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2153
2154         [JSC] Make some data members of UnlinkedCodeBlock private
2155         https://bugs.webkit.org/show_bug.cgi?id=187467
2156
2157         Reviewed by Mark Lam.
2158
2159         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
2160         We also remove m_numCapturedVars since it is no longer used.
2161
2162         * bytecode/CodeBlock.cpp:
2163         (JSC::CodeBlock::CodeBlock):
2164         * bytecode/CodeBlock.h:
2165         * bytecode/UnlinkedCodeBlock.cpp:
2166         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2167         * bytecode/UnlinkedCodeBlock.h:
2168
2169 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2170
2171         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
2172         https://bugs.webkit.org/show_bug.cgi?id=187465
2173
2174         Reviewed by Keith Miller.
2175
2176         ProxyableAccessCase is allocated very frequently and persists for a long time. Reducing the size
2177         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
2178
2179         This patch uses a slightly more complicated layout to shrink ProxyableAccessCase. We add an unused bool member
2180         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
2181         of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
2182         from 104 to 96 since it inherits ProxyableAccessCase.
2183
2184         * bytecode/AccessCase.h:
2185         (JSC::AccessCase::viaProxy const):
2186         (JSC::AccessCase::AccessCase):
2187         * bytecode/ProxyableAccessCase.cpp:
2188         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2189         * bytecode/ProxyableAccessCase.h:
2190
2191 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2192
2193         Unreviewed, build fix for debug builds after r233630
2194         https://bugs.webkit.org/show_bug.cgi?id=187441
2195
2196         * jit/JIT.cpp:
2197         (JSC::JIT::frameRegisterCountFor):
2198         * llint/LLIntEntrypoint.cpp:
2199         (JSC::LLInt::frameRegisterCountFor):
2200
2201 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2202
2203         [JSC] Optimize layout of CodeBlock to reduce padding
2204         https://bugs.webkit.org/show_bug.cgi?id=187441
2205
2206         Reviewed by Mark Lam.
2207
2208         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
2209         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
2210         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
2211
2212         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
2213
2214         * bytecode/BytecodeDumper.cpp:
2215         (JSC::BytecodeDumper<Block>::dumpBlock):
2216         * bytecode/BytecodeUseDef.h:
2217         (JSC::computeDefsForBytecodeOffset):
2218         * bytecode/CodeBlock.cpp:
2219         (JSC::CodeBlock::CodeBlock):
2220         * bytecode/CodeBlock.h:
2221         (JSC::CodeBlock::numVars const):
2222         * bytecode/UnlinkedCodeBlock.h:
2223         (JSC::UnlinkedCodeBlock::numVars const):
2224         * dfg/DFGByteCodeParser.cpp:
2225         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2226         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2227         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2228         (JSC::DFG::ByteCodeParser::inlineCall):
2229         (JSC::DFG::ByteCodeParser::handleGetById):
2230         (JSC::DFG::ByteCodeParser::handlePutById):
2231         (JSC::DFG::ByteCodeParser::parseBlock):
2232         * dfg/DFGGraph.h:
2233         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2234         * dfg/DFGOSREntrypointCreationPhase.cpp:
2235         (JSC::DFG::OSREntrypointCreationPhase::run):
2236         * dfg/DFGVariableEventStream.cpp:
2237         (JSC::DFG::VariableEventStream::reconstruct const):
2238         * ftl/FTLOSREntry.cpp:
2239         (JSC::FTL::prepareOSREntry):
2240         * ftl/FTLState.cpp:
2241         (JSC::FTL::State::State):
2242         * interpreter/Interpreter.cpp:
2243         (JSC::Interpreter::dumpRegisters):
2244         * jit/JIT.cpp:
2245         (JSC::JIT::frameRegisterCountFor):
2246         * jit/JITOpcodes.cpp:
2247         (JSC::JIT::emit_op_enter):
2248         * jit/JITOpcodes32_64.cpp:
2249         (JSC::JIT::emit_op_enter):
2250         * jit/JITOperations.cpp:
2251         * llint/LLIntEntrypoint.cpp:
2252         (JSC::LLInt::frameRegisterCountFor):
2253         * llint/LLIntSlowPaths.cpp:
2254         (JSC::LLInt::traceFunctionPrologue):
2255         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2256         * runtime/JSCJSValue.h:
2257
2258 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2259
2260         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
2261         https://bugs.webkit.org/show_bug.cgi?id=187448
2262
2263         Reviewed by Saam Barati.
2264
2265         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
2266         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
2267
2268         * bytecode/CodeType.h:
2269         * bytecode/UnlinkedCodeBlock.cpp:
2270         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2271         * bytecode/UnlinkedCodeBlock.h:
2272         (JSC::UnlinkedCodeBlock::codeType const):
2273         (JSC::UnlinkedCodeBlock::didOptimize const):
2274         (JSC::UnlinkedCodeBlock::setDidOptimize):
2275         * bytecode/VirtualRegister.h:
2276
2277 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2278
2279         [JSC] Optimize padding of InferredTypeTable by using cellLock
2280         https://bugs.webkit.org/show_bug.cgi?id=187447
2281
2282         Reviewed by Mark Lam.
2283
2284         Use cellLock() in InferredTypeTable to guard changes of internal structures.
2285         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
2286         reduce the size of InferredTypeTable from 40 to 32.
2287
2288         * runtime/InferredTypeTable.cpp:
2289         (JSC::InferredTypeTable::visitChildren):
2290         (JSC::InferredTypeTable::get):
2291         (JSC::InferredTypeTable::willStoreValue):
2292         (JSC::InferredTypeTable::makeTop):
2293         * runtime/InferredTypeTable.h:
2294         Use enum class and using declarations. Also remove `isEmpty()` since it is not used.
2295
2296         * runtime/Structure.h:
2297
2298 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2299
2300         [JSC] Optimize layout of SourceProvider to reduce padding
2301         https://bugs.webkit.org/show_bug.cgi?id=187440
2302
2303         Reviewed by Mark Lam.
2304
2305         Arrange members of SourceProvider to reduce the size from 80 to 72.
2306
2307         * parser/SourceProvider.cpp:
2308         (JSC::SourceProvider::SourceProvider):
2309         * parser/SourceProvider.h:
2310
2311 2018-07-08  Mark Lam  <mark.lam@apple.com>
2312
2313         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
2314         https://bugs.webkit.org/show_bug.cgi?id=187444
2315         <rdar://problem/41282849>
2316
2317         Reviewed by Saam Barati.
2318
2319         PropertyTable supports C++ iteration by offering begin() and end() methods, and
2320         an iterator class.  The begin() methods and the iterator operator++() method use
2321         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
2322         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
2323         pointer from being incremented past the end of the table.  As a result, we can
2324         iterate past the end of the table.  Note that the C++ iteration protocol tests
2325         for the iterator not being equal to the end() value.  It does not do a <= test.
2326         If the iterator ever shoots past end, the loop will effectively not terminate.
2327
2328         This issue can manifest if and only if the last entry in the table is a deleted
2329         one, and the key field of the PropertyMapEntry shaped space at the end of the
2330         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
2331         value.
2332
2333         No test because manifesting this issue requires uncontrollable happenstance where
2334         memory just beyond the end of the table looks like a deleted entry.
2335
2336         * runtime/PropertyMapHashTable.h:
2337         (JSC::PropertyTable::begin):
2338         (JSC::PropertyTable::end):
2339         (JSC::PropertyTable::begin const):
2340         (JSC::PropertyTable::end const):
2341         (JSC::PropertyTable::skipDeletedEntries):
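
Added example, not code from WebKit or from this patch: a JavaScript model of the iteration bug described above, so the failure mode can be reproduced without undefined behaviour. A table of `capacity` entry slots sits at the front of a larger buffer, key 1 (DELETED_KEY) marks a deleted entry, and iteration stops only when the cursor is exactly equal to `end`, as a C++ range loop does. The buffer, the key values and the function names are constructed for this example; the "before" skip routine mirrors the unbounded loop the entry describes, and the "after" routine adds the bound.

```javascript
// Added example (not WebKit code): models bug 187444. A skip routine that
// can step past `end` turns a loop written as `cursor !== end` into an
// out-of-bounds walk. The scenario from the entry: the last slot of the
// table is a deleted entry, and the word just beyond the table happens to
// contain DELETED_KEY as well.

const DELETED_KEY = 1;

// Builds a table in a buffer one word larger than the table, and fills the
// word beyond the end with `beyondEnd` to stand in for whatever memory
// follows the real allocation.
function buildTable(keys, capacity, beyondEnd = DELETED_KEY) {
  const memory = new Uint32Array(capacity + 1);
  keys.forEach((k, i) => { memory[i] = k; });
  memory[capacity] = beyondEnd;
  return { memory, end: capacity };
}

// Before: advances while the slot looks deleted, with no bound on the cursor.
function skipDeletedUnbounded(table, cursor) {
  while (table.memory[cursor] === DELETED_KEY) cursor++;
  return cursor;
}

// After: never advances past `end`, so begin() and operator++ land on `end`.
function skipDeletedBounded(table, cursor) {
  while (cursor < table.end && table.memory[cursor] === DELETED_KEY) cursor++;
  return cursor;
}

// Iterates like a range-for loop (cursor !== end) but bails out instead of
// reading outside the table; returns the live keys visited and whether the
// walk would have escaped the table.
function collectLiveKeys(table, skip) {
  const visited = [];
  let cursor = skip(table, 0);
  while (cursor !== table.end) {
    if (cursor > table.end) return { visited, escaped: true };
    visited.push(table.memory[cursor]);
    cursor = skip(table, cursor + 1);
  }
  return { visited, escaped: false };
}
```

With the last entry deleted and DELETED_KEY beyond the end, the unbounded skip returns a cursor past `end`, which a real `!=` loop would never see again; the bounded skip stops exactly at `end`.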
2342
2343 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2344
2345         [JSC] Optimize layout of SymbolTable to reduce padding
2346         https://bugs.webkit.org/show_bug.cgi?id=187437
2347
2348         Reviewed by Mark Lam.
2349
2350         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
2351
2352         * runtime/SymbolTable.h:
2353
2354 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2355
2356         [JSC] Optimize layout of RegExp to reduce padding
2357         https://bugs.webkit.org/show_bug.cgi?id=187438
2358
2359         Reviewed by Mark Lam.
2360
2361         Reduce the size of RegExp from 168 to 144.
2362
2363         * runtime/RegExp.cpp:
2364         (JSC::RegExp::RegExp):
2365         * runtime/RegExp.h:
2366         * runtime/RegExpKey.h:
2367         * yarr/YarrErrorCode.h:
2368
2369 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2370
2371         [JSC] Optimize layout of ValueProfile to reduce padding
2372         https://bugs.webkit.org/show_bug.cgi?id=187439
2373
2374         Reviewed by Mark Lam.
2375
2376         Reduce the size of ValueProfile from 40 to 32 by reordering members.
2377
2378         * bytecode/ValueProfile.h:
2379         (JSC::ValueProfileBase::ValueProfileBase):
2380
2381 2018-07-05  Saam Barati  <sbarati@apple.com>
2382
2383         ProgramExecutable may be collected as we checkSyntax on it
2384         https://bugs.webkit.org/show_bug.cgi?id=187359
2385         <rdar://problem/41832135>
2386
2387         Reviewed by Mark Lam.
2388
2389         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
2390         the ProgramExecutable itself may be collected. The fix here is to make a copy
2391         of the field instead of passing in a reference inside of ParserError::toErrorObject.
2392         
2393         No new tests here as this was already caught by our iOS JSC testers.
2394
2395         * parser/ParserError.h:
2396         (JSC::ParserError::toErrorObject):
2397
2398 2018-07-04  Tim Horton  <timothy_horton@apple.com>
2399
2400         Introduce PLATFORM(IOSMAC)
2401         https://bugs.webkit.org/show_bug.cgi?id=187315
2402
2403         Reviewed by Dan Bernstein.
2404
2405         * Configurations/Base.xcconfig:
2406         * Configurations/FeatureDefines.xcconfig:
2407
2408 2018-07-03  Mark Lam  <mark.lam@apple.com>
2409
2410         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
2411         https://bugs.webkit.org/show_bug.cgi?id=187255
2412         <rdar://problem/41785257>
2413
2414         Reviewed by Saam Barati.
2415
2416         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
2417         too: basically, do what the 64-bit code is doing.  At present, this change only
2418         serves to pacify an assertion.  It is not needed for correctness because the
2419         concurrent GC is not used on 32-bit builds.
2420
2421         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
2422         test.
2423
2424         * jit/JITOpcodes32_64.cpp:
2425         (JSC::JIT::emit_op_create_this):
2426
2427 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2428
2429         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
2430         https://bugs.webkit.org/show_bug.cgi?id=187290
2431
2432         Reviewed by Saam Barati.
2433
2434         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
2435         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
2436         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
2437         easily calculated from JSType.
2438         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
2439
2440         * runtime/ClassInfo.h:
2441         * runtime/JSArrayBufferView.cpp:
2442         (JSC::elementSize):
2443         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2444         * runtime/JSArrayBufferView.h:
2445         * runtime/JSArrayBufferViewInlines.h:
2446         (JSC::JSArrayBufferView::possiblySharedBuffer):
2447         * runtime/JSCell.cpp:
2448         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
2449         * runtime/JSCell.h:
2450         * runtime/JSDataView.cpp:
2451         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
2452         * runtime/JSDataView.h:
2453         * runtime/JSGenericTypedArrayView.h:
2454         * runtime/JSGenericTypedArrayViewInlines.h:
2455         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
2456
2457 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2458
2459         Regular expressions with ".?" expressions at the start and the end match the entire string
2460         https://bugs.webkit.org/show_bug.cgi?id=119191
2461
2462         Reviewed by Michael Saboff.
2463
2464         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
2465         for "abc" first and then processing the leading and trailing dot stars
2466         to find the beginning and the end of the match. However, it erroneously
2467         enabled this optimization for regular expressions whose leading or
2468         trailing dots had quantifiers that were not of arbitrary length, e.g.,
2469         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
2470         match the entire string when it shouldn't. This patch disables the
2471         optimization for those cases.
2472
2473         * yarr/YarrPattern.cpp:
2474         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
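
Added example, not code from WebKit or from this patch: the expected matches for the patterns named above, runnable in any engine, so the difference between an unbounded leading or trailing dot quantifier and a bounded one is concrete. The sample string and the helper names are constructed for this example.

```javascript
// Added example (not WebKit code): the matching semantics behind bug 119191.
// For /.*abc.*/ an engine may locate "abc" first and extend the match
// outward, because both dot quantifiers are unbounded. With .? or .{0,4}
// the match must be limited to what the quantifier allows.

// Constructed sample input: six 'x', the literal, then two 'y'.
const SAMPLE = "xxxxxxabcyy";

function firstMatch(re, text) {
  const m = re.exec(text);
  return m ? { index: m.index, match: m[0] } : null;
}

// Returns what each pattern from the bug report matches against `text`.
function dotWrappedMatches(text = SAMPLE) {
  return {
    unbounded: firstMatch(/.*abc.*/, text),        // whole string is correct
    leadingOpt: firstMatch(/.?abc.*/, text),       // at most one char before
    trailingOpt: firstMatch(/.*abc.?/, text),      // at most one char after
    leadingRange: firstMatch(/.{0,4}abc.*/, text), // at most four before
  };
}

// Reference check: a leading quantifier bounded by `maxBefore` may cover at
// most that many characters before the literal, so the match cannot start
// earlier than (position of literal - maxBefore).
function startIsConsistent(result, text, literal, maxBefore) {
  if (!result) return false;
  const literalAt = text.indexOf(literal);
  return result.index >= literalAt - maxBefore && result.match.includes(literal);
}
```

An engine with the bug would report the whole string for `leadingOpt` and `leadingRange`, which startIsConsistent rejects because the match would start too far before "abc".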
2475
2476 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2477
2478         RegExp.exec returns wrong value with a long integer quantifier
2479         https://bugs.webkit.org/show_bug.cgi?id=187042
2480
2481         Reviewed by Saam Barati.
2482
2483         Prior to this patch, the Yarr parser checked for integer overflow when
2484         parsing quantifiers in regular expressions by adding one digit at a time
2485         to a number and checking if the result got larger. This is wrong;
2486         the parser would fail to detect overflow when parsing, for example,
2487         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
2488
2489         Another issue was that once it detected overflow, it stopped consuming
2490         the remaining digits. Since it didn't find the closing bracket, it
2491         parsed the quantifier as a normal string instead.
2492
2493         This patch fixes these issues by reading all the digits and checking for
2494         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
2495         returns the largest possible value (quantifyInfinite in this case). This
2496         matches Chrome [1], Firefox [2], and Edge [3].
2497
2498         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
2499         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
2500         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
2501
2502         * yarr/YarrParser.h:
2503         (JSC::Yarr::Parser::consumeNumber):
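
Added example, not code from WebKit and not Yarr's parser: the two digit-accumulator checks the entry contrasts, written in JavaScript with `>>> 0` to model a 32-bit unsigned counter. The "before" version only looks for the value shrinking, which misses wraparounds that land above the previous value; the "after" version detects overflow before it happens, keeps consuming digits and saturates to Infinity. The quantifier parser built on top of it, and all names, are constructed for this example.

```javascript
// Added example (not WebKit code): models the overflow check bug 187042
// describes. 10,000,000,003 mod 2^32 is 1,410,065,411, which is larger
// than the 1,000,000,000 accumulated before the last digit, so a
// "did it get smaller" test never fires.

const UINT32_MAX = 0xffffffff;

// Before: wraps modulo 2^32 and flags overflow only if the value shrank,
// then stops consuming digits.
function consumeNumberBuggy(src, pos) {
  let value = 0;
  let overflow = false;
  while (pos < src.length && src[pos] >= "0" && src[pos] <= "9") {
    const next = (value * 10 + (src.charCodeAt(pos) - 48)) >>> 0;
    if (next < value) { overflow = true; break; }
    value = next;
    pos++;
  }
  return { value, overflow, pos };
}

// After: tests "value*10 + digit > UINT32_MAX" in exact arithmetic (doubles
// are exact here), consumes every digit, and reports Infinity on overflow.
function consumeNumberFixed(src, pos) {
  let value = 0;
  let overflow = false;
  while (pos < src.length && src[pos] >= "0" && src[pos] <= "9") {
    const digit = src.charCodeAt(pos) - 48;
    if (!overflow && value > (UINT32_MAX - digit) / 10) overflow = true;
    if (!overflow) value = value * 10 + digit;
    pos++;
  }
  return { value: overflow ? Infinity : value, overflow, pos };
}

// Parses "{min}", "{min,}" or "{min,max}" starting at the '{' at `pos`
// using the fixed accumulator. Returns null if the braces do not form a
// quantifier, in which case a regex parser treats "{" as a literal.
function parseIntervalQuantifier(src, pos) {
  if (src[pos] !== "{") return null;
  const first = consumeNumberFixed(src, pos + 1);
  if (first.pos === pos + 1) return null; // no digits at all
  let min = first.value, max = first.value, p = first.pos;
  if (src[p] === ",") {
    const second = consumeNumberFixed(src, p + 1);
    max = second.pos === p + 1 ? Infinity : second.value;
    p = second.pos;
  }
  if (src[p] !== "}") return null;
  if (max < min) throw new SyntaxError("numbers out of order in {} quantifier");
  return { min, max, end: p + 1 };
}
```

The buggy accumulator does catch 4294967296 (it wraps to 0) but stops one digit short, so the closing brace is never reached and the quantifier degrades to literal text, which is the second issue the entry describes.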
2504
2505 2018-07-02  Keith Miller  <keith_miller@apple.com>
2506
2507         InstanceOf IC should do generic if the prototype is not an object.
2508         https://bugs.webkit.org/show_bug.cgi?id=187250
2509
2510         Reviewed by Mark Lam.
2511
2512         The old code was wrong for two reasons. First, the AccessCase expected that
2513         the prototype value would be non-null. Second, we would end up returning
2514         false instead of throwing an exception.
2515
2516         * jit/Repatch.cpp:
2517         (JSC::tryCacheInstanceOf):
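
Added example, not code from WebKit or from this patch: a JavaScript check of the behaviour this fix concerns. OrdinaryHasInstance throws a TypeError when the constructor's "prototype" is not an object, so an inline cache specialised on a previously seen prototype must fall back to the generic path rather than answer false. The loop repeats the check so that a tiering engine exercises its cached path as well as the first, uncached evaluation; the constructor and helper names are constructed for this example.

```javascript
// Added example (not WebKit code): the semantics behind bug 187250. With a
// non-object prototype, `instanceof` must throw every time, never return
// false, and the answer must not change once the operation is cached.

function Ctor() {}

// Evaluates `obj instanceof Ctor` `iterations` times with Ctor.prototype
// set to `proto` and returns "true", "false" or "threw". "mixed" means the
// answer changed between iterations, the signature of a cache disagreeing
// with the generic path.
function instanceOfOutcome(proto, iterations = 1000) {
  Ctor.prototype = proto;
  const obj = {};
  let outcome = null;
  for (let i = 0; i < iterations; i++) {
    let current;
    try {
      current = String(obj instanceof Ctor);
    } catch (e) {
      current = e instanceof TypeError ? "threw" : "threw:" + e.name;
    }
    if (outcome !== null && outcome !== current) return "mixed";
    outcome = current;
  }
  return outcome;
}

function instanceOfOutcomes() {
  return {
    objectProto: instanceOfOutcome(Object.prototype), // every object inherits it
    unrelatedProto: instanceOfOutcome({}),            // plain object, not in chain
    nullProto: instanceOfOutcome(null),               // non-object: must throw
    numberProto: instanceOfOutcome(1),                // non-object: must throw
  };
}
```

An engine with the bug would report "false" or "mixed" for the `nullProto` and `numberProto` cases after the first iteration.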
2518
2519 2018-07-01  Mark Lam  <mark.lam@apple.com>
2520
2521         Builtins and host functions should get their own structures.
2522         https://bugs.webkit.org/show_bug.cgi?id=187211
2523         <rdar://problem/41646336>
2524
2525         Reviewed by Saam Barati.
2526
2527         JSFunctions do lazy reification of properties, but ordinary functions apply
2528         different rules of property reification than builtin and host functions.  Hence,
2529         we should give builtins and host functions their own structures.
2530
2531         * runtime/JSFunction.cpp:
2532         (JSC::JSFunction::selectStructureForNewFuncExp):
2533         (JSC::JSFunction::create):
2534         (JSC::JSFunction::getOwnPropertySlot):
2535         * runtime/JSGlobalObject.cpp:
2536         (JSC::JSGlobalObject::init):
2537         (JSC::JSGlobalObject::visitChildren):
2538         * runtime/JSGlobalObject.h:
2539         (JSC::JSGlobalObject::hostFunctionStructure const):
2540         (JSC::JSGlobalObject::arrowFunctionStructure const):
2541         (JSC::JSGlobalObject::sloppyFunctionStructure const):
2542         (JSC::JSGlobalObject::strictFunctionStructure const):
2543
2544 2018-07-01  David Kilzer  <ddkilzer@apple.com>
2545
2546         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
2547         <https://webkit.org/b/187233>
2548
2549         Reviewed by Mark Lam.
2550
2551         * b3/air/AirEliminateDeadCode.cpp:
2552         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
2553         * parser/ParserTokens.h:
2554         (JSC::JSTextPosition::JSTextPosition): Add struct member
2555         initialization. Simplify default constructor.
2556         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
2557         union to the beginning to make it easy to zero out all fields.
2558         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
2559         initialization.  Simplify default constructor.  Note that
2560         `endOffset` was not being initialized previously.
2561         (JSC::JSTextPosition::JSToken): Add struct member initialization
2562         where necessary.
2563         * runtime/IntlObject.cpp:
2564         (JSC::MatcherResult): Add struct member initialization.
2565
2566 2018-06-23  Darin Adler  <darin@apple.com>
2567
2568         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
2569         https://bugs.webkit.org/show_bug.cgi?id=186973
2570
2571         Reviewed by Dan Bernstein.
2572
2573         * API/JSContext.mm:
2574         (WeakContextRef::WeakContextRef): Deleted.
2575         (WeakContextRef::~WeakContextRef): Deleted.
2576         (WeakContextRef::get): Deleted.
2577         (WeakContextRef::set): Deleted.
2578
2579         * API/JSContextInternal.h: Removed unneeded header guards since this is
2580         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
2581         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
2582         since neither is used outside the class implementation.
2583
2584         * API/JSManagedValue.mm:
2585         (-[JSManagedValue initWithValue:]): Use a bridging cast.
2586         (-[JSManagedValue dealloc]): Ditto.
2587         (-[JSManagedValue didAddOwner:]): Ditto.
2588         (-[JSManagedValue didRemoveOwner:]): Ditto.
2589         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
2590         (JSManagedValueHandleOwner::finalize): Ditto.
2591         * API/JSValue.mm:
2592         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
2593         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
2594         (-[JSValue valueForProperty:]): Ditto.
2595         (-[JSValue setValue:forProperty:]): Ditto.
2596         (-[JSValue deleteProperty:]): Ditto.
2597         (-[JSValue hasProperty:]): Ditto.
2598         (-[JSValue invokeMethod:withArguments:]): Ditto.
2599         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
2600         (valueToArray): Ditto.
2601         (valueToDictionary): Ditto.
2602         (objectToValueWithoutCopy): Ditto.
2603         (objectToValue): Ditto.
2604         * API/JSVirtualMachine.mm:
2605         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
2606         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
2607         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
2608         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
2609         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
2610         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
2611         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
2612         (scanExternalObjectGraph): Ditto.
2613         (scanExternalRememberedSet): Ditto.
2614         * API/JSWrapperMap.mm:
2615         (makeWrapper): Ditto.
2616         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
2617         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
2618         (tryUnwrapObjcObject): Ditto.
2619         * API/ObjCCallbackFunction.mm:
2620         (blockSignatureContainsClass): Ditto.
2621         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
2622         sure we will be keeping this the same way under ARC.
2623         (objCCallbackFunctionForBlock): Use a bridging cast.
2624
2625         * API/ObjcRuntimeExtras.h:
2626         (protocolImplementsProtocol): Use a more specific type that includes the
2627         explicit __unsafe_unretained for copied protocol lists.
2628         (forEachProtocolImplementingProtocol): Ditto.
2629
2630         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2631         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
2632         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
2633
2634         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
2635         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
2636         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
2637         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
2638         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
2639
2640 2018-06-30  Adam Barth  <abarth@webkit.org>
2641
2642         Port JavaScriptCore to OS(FUCHSIA)
2643         https://bugs.webkit.org/show_bug.cgi?id=187223
2644
2645         Reviewed by Daniel Bates.
2646
2647         * assembler/ARM64Assembler.h:
2648         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
2649         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
2650         (JSC::MachineContext::stackPointerImpl):
2651         (JSC::MachineContext::framePointerImpl):
2652         (JSC::MachineContext::instructionPointerImpl):
2653         (JSC::MachineContext::argumentPointer<1>):
2654         (JSC::MachineContext::llintInstructionPointer):
2655
2656 2018-06-30  David Kilzer  <ddkilzer@apple.com>
2657
2658         Fix clang static analyzer warnings: Garbage return value
2659         <https://webkit.org/b/187224>
2660
2661         Reviewed by Eric Carlson.
2662
2663         * bytecode/UnlinkedCodeBlock.cpp:
2664         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2665         - Use brace initialization for local variables.
2666         * debugger/DebuggerCallFrame.cpp:
2667         (class JSC::LineAndColumnFunctor):
2668         - Use class member initialization for member variables.
2669
2670 2018-06-29  Saam Barati  <sbarati@apple.com>
2671
2672         Unreviewed. Try to fix Windows build after r233377
2673
2674         * builtins/BuiltinExecutables.cpp:
2675         (JSC::BuiltinExecutables::createExecutable):
2676
2677 2018-06-29  Saam Barati  <sbarati@apple.com>
2678
2679         Don't use tracePoints in JS/Wasm entry
2680         https://bugs.webkit.org/show_bug.cgi?id=187196
2681
2682         Reviewed by Mark Lam.
2683
2684         This puts VM entry and Wasm entry tracePoints behind a runtime
2685         option. This is a ~4x speedup on a soon-to-be-released Wasm
2686         benchmark. tracePoints should basically never run more than 50
2687         times a second. Entering the VM and entering Wasm are user controlled,
2688         and can happen hundreds of thousands of times in a second. Depending
2689         on how the Wasm/JS code is structured, this can be disastrous for
2690         performance.
2691
2692         * runtime/Options.h:
2693         * runtime/VMEntryScope.cpp:
2694         (JSC::VMEntryScope::VMEntryScope):
2695         (JSC::VMEntryScope::~VMEntryScope):
2696         * wasm/WasmBBQPlan.cpp:
2697         (JSC::Wasm::BBQPlan::compileFunctions):
2698         * wasm/js/WebAssemblyFunction.cpp:
2699         (JSC::callWebAssemblyFunction):
2700
2701 2018-06-29  Saam Barati  <sbarati@apple.com>
2702
2703         We shouldn't recurse into the parser when gathering metadata about various function offsets
2704         https://bugs.webkit.org/show_bug.cgi?id=184074
2705         <rdar://problem/37165897>
2706
2707         Reviewed by Mark Lam.
2708
2709         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
2710         for that builtin. This required calling into the parser. However, the parser
2711         may throw a stack overflow. We were not able to recover from that. The only
2712         reason we called into the parser here is that we were gathering text offsets
2713         and various metadata for things in the builtin function. This patch writes a
2714         mini parser that figures this information out without calling into the full
2715         parser. (I've also added a debug assert that verifies the mini parser stays in
2716         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
2717         always succeeds.
2718
2719         * builtins/AsyncFromSyncIteratorPrototype.js:
2720         (globalPrivate.createAsyncFromSyncIterator):
2721         (globalPrivate.AsyncFromSyncIteratorConstructor):
2722         * builtins/BuiltinExecutables.cpp:
2723         (JSC::BuiltinExecutables::createExecutable):
2724         * builtins/GlobalOperations.js:
2725         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
2726         (globalPrivate.speciesConstructor):
2727         (globalPrivate.copyDataProperties):
2728         (globalPrivate.copyDataPropertiesNoExclusions):
2729         * builtins/PromiseOperations.js:
2730         (globalPrivate.newHandledRejectedPromise):
2731         * builtins/RegExpPrototype.js:
2732         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
2733         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
2734         * builtins/StringPrototype.js:
2735         (globalPrivate.hasObservableSideEffectsForStringReplace):
2736         (globalPrivate.getDefaultCollator):
2737         * parser/Nodes.cpp:
2738         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2739         (JSC::FunctionMetadataNode::operator== const):
2740         (JSC::FunctionMetadataNode::dump const):
2741         * parser/Nodes.h:
2742         * parser/Parser.h:
2743         (JSC::parse):
2744         * parser/ParserError.h:
2745         (JSC::ParserError::type const):
2746         * parser/ParserTokens.h:
2747         (JSC::JSTextPosition::operator== const):
2748         (JSC::JSTextPosition::operator!= const):
2749         * parser/SourceCode.h:
2750         (JSC::SourceCode::operator== const):
2751         (JSC::SourceCode::operator!= const):
2752         (JSC::SourceCode::subExpression const):
2753         (JSC::SourceCode::subExpression): Deleted.
2754
2755 2018-06-28  Michael Saboff  <msaboff@apple.com>
2756
2757         IsoCellSet::sweepToFreeList() not safe when Full GC in process
2758         https://bugs.webkit.org/show_bug.cgi?id=187157
2759
2760         Reviewed by Mark Lam.
2761
2762         * heap/IsoCellSet.cpp:
2763         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
2764         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
2765         or not we are in the process of marking during a full GC.
2766         * heap/MarkedBlock.h:
2767         * heap/MarkedBlockInlines.h:
2768         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
2769
2770 2018-06-27  Saam Barati  <sbarati@apple.com>
2771
2772         Add some more register state information when we crash in repatchPutById
2773         https://bugs.webkit.org/show_bug.cgi?id=187112
2774
2775         Reviewed by Mark Lam.
2776
2777         This will help us gather info when we end up seeing an ObjectPropertyConditionSet
2778         with an offset that is different than what the put tells us.
2779
2780         * jit/Repatch.cpp:
2781         (JSC::tryCachePutByID):
2782
2783 2018-06-27  Mark Lam  <mark.lam@apple.com>
2784
2785         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
2786         https://bugs.webkit.org/show_bug.cgi?id=187119
2787
2788         Reviewed by Keith Miller.
2789
2790         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
2791         should be checking for codeBlock instead of !codeBlock
2792         before using the codeBlock.
2793
2794         I also renamed some other "print" functions to use "dump" instead
2795         to match the underlying C++ code that they will call, e.g.
2796         CodeBlock::dumpSource().
2797
2798         * tools/JSDollarVM.cpp:
2799         (WTF::JSDollarVMCallFrame::finishCreation):
2800         (JSC::functionDumpSourceFor):
2801         (JSC::functionDumpBytecodeFor):
2802         (JSC::doPrint):
2803         (JSC::functionDataLog):
2804         (JSC::functionPrint):
2805         (JSC::functionDumpCallFrame):
2806         (JSC::functionDumpStack):
2807         (JSC::JSDollarVM::finishCreation):
2808         (JSC::functionPrintSourceFor): Deleted.
2809         (JSC::functionPrintBytecodeFor): Deleted.
2810         (JSC::doPrintln): Deleted.
2811         (JSC::functionPrintln): Deleted.
2812         (JSC::functionPrintCallFrame): Deleted.
2813         (JSC::functionPrintStack): Deleted.
2814         * tools/VMInspector.cpp:
2815         (JSC::DumpFrameFunctor::DumpFrameFunctor):
2816         (JSC::DumpFrameFunctor::operator() const):
2817         (JSC::VMInspector::dumpCallFrame):
2818         (JSC::VMInspector::dumpStack):
2819         (JSC::VMInspector::dumpValue):
2820         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
2821         (JSC::PrintFrameFunctor::operator() const): Deleted.
2822         (JSC::VMInspector::printCallFrame): Deleted.
2823         (JSC::VMInspector::printStack): Deleted.
2824         (JSC::VMInspector::printValue): Deleted.
2825         * tools/VMInspector.h:
2826
2827 2018-06-27  Keith Miller  <keith_miller@apple.com>
2828
2829         Add logging to try to diagnose where we get a null structure.
2830         https://bugs.webkit.org/show_bug.cgi?id=187106
2831
2832         Reviewed by Mark Lam.
2833
2834         Add logging to JSObject::toPrimitive to help diagnose a nullptr
2835         structure crash.
2836
2837         This code should be removed when we fix <rdar://problem/33451840>.
2838
2839         * runtime/JSObject.cpp:
2840         (JSC::callToPrimitiveFunction):
2841         * runtime/JSObject.h:
2842         (JSC::JSObject::getPropertySlot):
2843
2844 2018-06-27  Mark Lam  <mark.lam@apple.com>
2845
2846         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
2847         https://bugs.webkit.org/show_bug.cgi?id=187091
2848         <rdar://problem/41395624>
2849
2850         Reviewed by Yusuke Suzuki.
2851
2852         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
2853         take their slow paths, the slow path would jump back to the fast path right after
2854         the emitted code which clears the unused property values.  As a result, the
2855         unused properties are not initialized.  We've fixed this by adding the slow path
2856         generators before we emit the code to clear the unused properties.
2857
2858         * dfg/DFGSpeculativeJIT.cpp:
2859         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2860         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2861
2862 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2863
2864         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
2865         https://bugs.webkit.org/show_bug.cgi?id=185943
2866
2867         Reviewed by Mark Lam.
2868
2869         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
2870         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
2871         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
2872         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
2873
2874         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
2875         but it should be done in a separate patch since it would be performance sensitive.
2876
2877         * bytecompiler/NodesCodegen.cpp:
2878         (JSC::ArrayPatternNode::emitDirectBinding):
2879
2880 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2881
2882         [JSC] Pass VM& to functions more
2883         https://bugs.webkit.org/show_bug.cgi?id=186241
2884
2885         Reviewed by Mark Lam.
2886
2887         This patch threads VM& to functions requiring VM& more.
2888
2889         * API/JSObjectRef.cpp:
2890         (JSObjectIsConstructor):
2891         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2892         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
2893         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2894         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
2895         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
2896         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2897         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2898         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2899         * bytecode/CodeBlockJettisoningWatchpoint.h:
2900         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2901         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
2902         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2903         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2904         * bytecode/StructureStubClearingWatchpoint.cpp:
2905         (JSC::StructureStubClearingWatchpoint::fireInternal):
2906         * bytecode/StructureStubClearingWatchpoint.h:
2907         * bytecode/Watchpoint.cpp:
2908         (JSC::Watchpoint::fire):
2909         (JSC::WatchpointSet::fireAllWatchpoints):
2910         * bytecode/Watchpoint.h:
2911         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2912         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
2913         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2914         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2915         (JSC::DFG::AdaptiveStructureWatchpoint::install):
2916         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2917         * dfg/DFGAdaptiveStructureWatchpoint.h:
2918         * dfg/DFGDesiredWatchpoints.cpp:
2919         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2920         * llint/LLIntSlowPaths.cpp:
2921         (JSC::LLInt::setupGetByIdPrototypeCache):
2922         * runtime/ArrayPrototype.cpp:
2923         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2924         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2925         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2926         (JSC::esSpecIsConstructor):
2927         * runtime/FunctionRareData.cpp:
2928         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2929         * runtime/FunctionRareData.h:
2930         * runtime/InferredStructureWatchpoint.cpp:
2931         (JSC::InferredStructureWatchpoint::fireInternal):
2932         * runtime/InferredStructureWatchpoint.h:
2933         * runtime/InternalFunction.cpp:
2934         (JSC::InternalFunction::createSubclassStructureSlow):
2935         * runtime/InternalFunction.h:
2936         (JSC::InternalFunction::createSubclassStructure):
2937         * runtime/JSCJSValue.h:
2938         * runtime/JSCJSValueInlines.h:
2939         (JSC::JSValue::isConstructor const):
2940         * runtime/JSCell.h:
2941         * runtime/JSCellInlines.h:
2942         (JSC::JSCell::isConstructor):
2943         (JSC::JSCell::methodTable const):
2944         * runtime/JSGlobalObject.cpp:
2945         (JSC::JSGlobalObject::init):
2946         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2947         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
2948         * runtime/ProxyObject.cpp:
2949         (JSC::ProxyObject::finishCreation):
2950         * runtime/ReflectObject.cpp:
2951         (JSC::reflectObjectConstruct):
2952         * runtime/StructureRareData.cpp:
2953         (JSC::StructureRareData::setObjectToStringValue):
2954         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
2955         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2956         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2957
2958 2018-06-26  Mark Lam  <mark.lam@apple.com>
2959
2960         eval() is wrong about the LiteralParser never throwing any exceptions.
2961         https://bugs.webkit.org/show_bug.cgi?id=187074
2962         <rdar://problem/41461099>
2963
2964         Reviewed by Saam Barati.
2965
2966         Added the missing exception check, and removed an erroneous assertion.
2967
2968         * interpreter/Interpreter.cpp:
2969         (JSC::eval):
2970
2971 2018-06-26  Saam Barati  <sbarati@apple.com>
2972
2973         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
2974         https://bugs.webkit.org/show_bug.cgi?id=186878
2975         <rdar://problem/40568659>
2976
2977         Reviewed by Filip Pizlo.
2978
2979         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
2980         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
2981         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
2982         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
2983         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
2984         conservative scan knows to treat it like a butterfly when we may be
2985         pointing into the middle of it.
2986
2987         The way we were crashing on the stress GC bots is that our conservative marking
2988         won't do cell visiting for things that are Auxiliary. This meant that if the
2989         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
2990         that JSImmutableButterfly would not be visited. This is now fixed.
2991
2992         * bytecompiler/NodesCodegen.cpp:
2993         (JSC::ArrayNode::emitBytecode):
2994         * debugger/Debugger.cpp:
2995         * heap/ConservativeRoots.cpp:
2996         (JSC::ConservativeRoots::genericAddPointer):
2997         * heap/Heap.cpp:
2998         (JSC::GatherHeapSnapshotData::operator() const):
2999         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
3000         (JSC::Heap::globalObjectCount):
3001         (JSC::Heap::objectTypeCounts):
3002         (JSC::Heap::deleteAllCodeBlocks):
3003         * heap/HeapCell.cpp:
3004         (WTF::printInternal):
3005         * heap/HeapCell.h:
3006         (JSC::isJSCellKind):
3007         (JSC::hasInteriorPointers):
3008         * heap/HeapUtil.h:
3009         (JSC::HeapUtil::findGCObjectPointersForMarking):
3010         (JSC::HeapUtil::isPointerGCObjectJSCell):
3011         * heap/MarkedBlock.cpp:
3012         (JSC::MarkedBlock::Handle::didAddToDirectory):
3013         * heap/SlotVisitor.cpp:
3014         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3015         * runtime/JSGlobalObject.cpp:
3016         * runtime/JSImmutableButterfly.h:
3017         (JSC::JSImmutableButterfly::subspaceFor):
3018         * runtime/VM.cpp:
3019         (JSC::VM::VM):
3020         * runtime/VM.h:
3021         * tools/CellProfile.h:
3022         (JSC::CellProfile::CellProfile):
3023         (JSC::CellProfile::isJSCell const):
3024         * tools/HeapVerifier.cpp:
3025         (JSC::HeapVerifier::validateCell):
3026
3027 2018-06-26  Mark Lam  <mark.lam@apple.com>
3028
3029         Skip some unnecessary work in Interpreter::getStackTrace().
3030         https://bugs.webkit.org/show_bug.cgi?id=187070
3031
3032         Reviewed by Michael Saboff.
3033
3034         * interpreter/Interpreter.cpp:
3035         (JSC::Interpreter::getStackTrace):
3036
3037 2018-06-26  Mark Lam  <mark.lam@apple.com>
3038
3039         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
3040         https://bugs.webkit.org/show_bug.cgi?id=187060
3041         <rdar://problem/41452767>
3042
3043         Reviewed by Keith Miller.
3044
3045         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
3046         write conversion.  Hence, we can return early after the conversion if the vector
3047         length is already sufficient to cover the requested length.
3048
3049         * runtime/JSObject.cpp:
3050         (JSC::JSObject::ensureLengthSlow):
3051
3052 2018-06-26  Commit Queue  <commit-queue@webkit.org>
3053
3054         Unreviewed, rolling out r233184.
3055         https://bugs.webkit.org/show_bug.cgi?id=187059
3056
3057         "It regressed JetStream between 5-8%" (Requested by saamyjoon
3058         on #webkit).
3059
3060         Reverted changeset:
3061
3062         "JSImmutableButterfly can't be allocated from a subspace with
3063         HeapCell::Kind::Auxiliary"
3064         https://bugs.webkit.org/show_bug.cgi?id=186878
3065         https://trac.webkit.org/changeset/233184
3066
3067 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3068
3069         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
3070         https://bugs.webkit.org/show_bug.cgi?id=187051
3071
3072         Reviewed by Mark Lam.
3073
3074         Revert the r233065 changes to UnlinkedCodeBlock.h to allow
3075         clang-3.8 to be able to compile this again (with libstdc++5).
3076
3077         * bytecode/UnlinkedCodeBlock.h:
3078         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3079
3080 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
3081
3082         Fix testapi build when DFG_JIT is disabled
3083         https://bugs.webkit.org/show_bug.cgi?id=187038
3084
3085         Reviewed by Mark Lam.
3086
3087         r233158 added a new API and tests for configuring the number of JIT threads, but
3088         the API is only available when DFG_JIT is enabled, and so should the tests be.
3089
3090         * API/tests/testapi.mm:
3091         (runJITThreadLimitTests):
3092
3093 2018-06-25  Saam Barati  <sbarati@apple.com>
3094
3095         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3096         https://bugs.webkit.org/show_bug.cgi?id=186878
3097         <rdar://problem/40568659>
3098
3099         Reviewed by Mark Lam.
3100
3101         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3102         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3103         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
3104         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
3105         bots is that our conservative marking won't do cell marking for things that
3106         are Auxiliary. This means that if the stack is the only thing pointing to a
3107         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
3108         not be visited. This patch fixes this bug. This patch also extends our conservative
3109         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
3110
3111         * bytecompiler/NodesCodegen.cpp:
3112         (JSC::ArrayNode::emitBytecode):
3113         * heap/HeapUtil.h:
3114         (JSC::HeapUtil::findGCObjectPointersForMarking):
3115         * runtime/JSImmutableButterfly.h:
3116         (JSC::JSImmutableButterfly::subspaceFor):
3117
3118 2018-06-25  Mark Lam  <mark.lam@apple.com>
3119
3120         constructArray() should set m_numValuesInVector to the specified length.
3121         https://bugs.webkit.org/show_bug.cgi?id=187010
3122         <rdar://problem/41392167>
3123
3124         Reviewed by Filip Pizlo.
3125
3126         Its client will fill in the storage vector with some values using initializeIndex()
3127         and expects m_numValuesInVector to be set to the length i.e. the number of values
3128         to be initialized.
3129
3130         * runtime/JSArray.cpp:
3131         (JSC::constructArray):
3132
3133 2018-06-25  Mark Lam  <mark.lam@apple.com>
3134
3135         Add missing exception check in RegExpObjectInlines.h's collectMatches.
3136         https://bugs.webkit.org/show_bug.cgi?id=187006
3137         <rdar://problem/41418412>
3138
3139         Reviewed by Keith Miller.
3140
3141         * runtime/RegExpObjectInlines.h:
3142         (JSC::collectMatches):
3143
3144 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
3145
3146         Add API for configuring the number of threads used by DFG and FTL
3147         https://bugs.webkit.org/show_bug.cgi?id=186859
3148         <rdar://problem/41093519>
3149
3150         Reviewed by Filip Pizlo.
3151
3152         Add new private APIs for limiting the number of threads to be used by
3153         the DFG and FTL compilers. It was already possible to configure the
3154         limit through JSC Options, but now it can be changed at runtime, even
3155         in the case when the VM is already running.
3156
3157         Add a test for both cases: when trying to configure the limit before
3158         and after the Worklist has been created, but in order to simulate the
3159         first scenario, we must guarantee that the test runs at the very
3160         beginning, so I also added a check for that.
3161
3162         * API/JSVirtualMachine.mm:
3163         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3164         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3165         * API/JSVirtualMachinePrivate.h:
3166         * API/tests/testapi.mm:
3167         (runJITThreadLimitTests):
3168         (testObjectiveCAPIMain):
3169         * dfg/DFGWorklist.cpp:
3170         (JSC::DFG::Worklist::finishCreation):
3171         (JSC::DFG::Worklist::createNewThread):
3172         (JSC::DFG::Worklist::setNumberOfThreads):
3173         * dfg/DFGWorklist.h:
3174
3175 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3176
3177         [JSC] Remove unnecessary PLATFORM guards
3178         https://bugs.webkit.org/show_bug.cgi?id=186995
3179
3180         Reviewed by Mark Lam.
3181
3182         * assembler/AssemblerCommon.h:
3183         (JSC::isIOS):
3184         Add constexpr.
3185
3186         * inspector/JSGlobalObjectInspectorController.cpp:
3187         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3188         StackFrame works on all platforms. If StackFrame::demangle fails,
3189         it just returns std::nullopt, and that is correctly handled in this code.
3190
3191 2018-06-23  Mark Lam  <mark.lam@apple.com>
3192
3193         Add more debugging features to $vm.
3194         https://bugs.webkit.org/show_bug.cgi?id=186947
3195
3196         Reviewed by Keith Miller.
3197
3198         Adding the following features:
3199
3200             // We now have println in addition to print.
3201             // println automatically adds a '\n' at the end.
3202             $vm.println("Hello");
3203
3204             // We can now capture some info about a stack frame.
3205             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
3206             var callerCallerFrame = $vm.callFrame(2);
3207
3208             // We can inspect the following values associated with the frame:
3209             if (currentFrame.valid) {
3210                 $vm.println("name is ", currentFrame.name);
3211
3212                 // Note: For a WASM frame, all of these will be undefined.
3213                 $vm.println("callee is ", $vm.value(currentFrame.callee));
3214                 $vm.println("codeBlock is ", currentFrame.codeBlock);
3215                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
3216                 $vm.println("executable is ", currentFrame.executable);
3217             }
3218
3219             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
3220             // to dataLog its JSValue instead of its toString() result.
3221
3222             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
3223             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
3224             // toString on a non-object.
3225
3226             // Does what it says about enabling/disabling debugger mode.
3227             $vm.enableDebuggerModeWhenIdle();
3228             $vm.disableDebuggerModeWhenIdle();
3229
3230         * tools/JSDollarVM.cpp:
3231         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
3232         (WTF::JSDollarVMCallFrame::createStructure):
3233         (WTF::JSDollarVMCallFrame::create):
3234         (WTF::JSDollarVMCallFrame::finishCreation):
3235         (WTF::JSDollarVMCallFrame::addProperty):
3236         (JSC::functionCallFrame):
3237         (JSC::functionCodeBlockForFrame):
3238         (JSC::codeBlockFromArg):
3239         (JSC::doPrintln):
3240         (JSC::functionPrint):
3241         (JSC::functionPrintln):
3242         (JSC::changeDebuggerModeWhenIdle):
3243         (JSC::functionEnableDebuggerModeWhenIdle):
3244         (JSC::functionDisableDebuggerModeWhenIdle):
3245         (JSC::JSDollarVM::finishCreation):
3246
3247 2018-06-22  Keith Miller  <keith_miller@apple.com>
3248
3249         We need to have a getDirectConcurrently for use in the compilers
3250         https://bugs.webkit.org/show_bug.cgi?id=186954
3251
3252         Reviewed by Mark Lam.
3253
3254         It used to be that the propertyStorage of an object never shrank,
3255         so if you called getDirect with some offset it would never be an
3256         OOB read. However, this property storage can shrink when calling
3257         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
3258         holds the Structure's ConcurrentJSLock while shrinking. This patch
3259         adds a getDirectConcurrently that will safely try to load from the
3260         butterfly.
3261
3262         * bytecode/ObjectPropertyConditionSet.cpp:
3263         * bytecode/PropertyCondition.cpp:
3264         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3265         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
3266         * dfg/DFGGraph.cpp:
3267         (JSC::DFG::Graph::tryGetConstantProperty):
3268         * runtime/JSObject.h:
3269         (JSC::JSObject::getDirectConcurrently const):
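The following is an added illustration, not WebKit code, of the hazard the entry above describes: a compiler thread holds an offset that was valid when captured, the main thread flattens the object and shrinks its storage, and a reader that takes the same lock and re-validates the offset returns "no value" instead of reading past the end. ModelObject, ConcurrentLock and tryFoldConstantProperty are hypothetical stand-ins for JSObject, ConcurrentJSLock and DFG::Graph::tryGetConstantProperty.

```cpp
// Added example (not WebKit code): model of a concurrent-safe getDirect.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <thread>
#include <utility>
#include <vector>

// Stand-in for ConcurrentJSLock: a try-lockable spinlock.
class ConcurrentLock {
public:
    bool tryLock() { bool expected = false; return m_held.compare_exchange_strong(expected, true); }
    void lock() { while (!tryLock()) std::this_thread::yield(); }
    void unlock() { m_held.store(false); }
private:
    std::atomic<bool> m_held { false };
};

// Hypothetical stand-in for a JSObject whose out-of-line property storage
// (the butterfly) can be reallocated smaller by flattenDictionaryStructure.
class ModelObject {
public:
    explicit ModelObject(std::vector<int64_t> slots) : m_storage(std::move(slots)) { }

    // Main-thread read: only safe because the main thread is the one that
    // shrinks, so storage cannot change underneath it.
    int64_t getDirect(size_t offset) const { return m_storage[offset]; }

    // Compiler-thread read, the idea behind getDirectConcurrently: take the
    // structure's lock (give up rather than block if the shrinking path holds
    // it), then re-validate the offset against the current size before
    // touching memory. A stale offset yields nullopt, never an OOB read.
    std::optional<int64_t> getDirectConcurrently(size_t offset) {
        if (!m_lock.tryLock())
            return std::nullopt;
        std::optional<int64_t> result;
        if (offset < m_storage.size())
            result = m_storage[offset];
        m_lock.unlock();
        return result;
    }

    // Shrinking path: holds the lock for the whole reallocation, the way
    // flattenDictionaryStructure holds the ConcurrentJSLock.
    void flattenDictionaryStructure(size_t liveSlots) {
        m_lock.lock();
        if (liveSlots < m_storage.size()) {
            m_storage.resize(liveSlots);
            m_storage.shrink_to_fit(); // storage really is reallocated smaller
        }
        m_lock.unlock();
    }

    size_t propertyCapacity() const { return m_storage.size(); }
    ConcurrentLock& structureLock() { return m_lock; }

private:
    std::vector<int64_t> m_storage;
    ConcurrentLock m_lock;
};

// Models DFG::Graph::tryGetConstantProperty: the compiler captured `offset`
// earlier; by the time it loads, the main thread may have flattened the
// object. Returns the folded constant, or nullopt when folding must be
// abandoned.
std::optional<int64_t> tryFoldConstantProperty(ModelObject& object, size_t offset) {
    return object.getDirectConcurrently(offset);
}

// Deterministic replay of the race: offset 6 was valid when captured (8
// slots), then the object was flattened down to 4 slots. Constructed input.
bool staleOffsetIsRejected() {
    ModelObject object({ 10, 11, 12, 13, 14, 15, 16, 17 });
    size_t capturedOffset = 6;             // valid now: storage has 8 slots
    object.flattenDictionaryStructure(4);  // main thread shrinks storage
    return !tryFoldConstantProperty(object, capturedOffset).has_value()
        && tryFoldConstantProperty(object, 2).value_or(-1) == 12;
}

int main() {
    return staleOffsetIsRejected() ? 0 : 1;
}
```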
3270
3271 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3272
3273         [WTF] Use Ref<> for the result type of non-failing factory functions
3274         https://bugs.webkit.org/show_bug.cgi?id=186920
3275
3276         Reviewed by Darin Adler.
3277
3278         * dfg/DFGWorklist.cpp:
3279         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
3280         (JSC::DFG::Worklist::finishCreation):
3281         * dfg/DFGWorklist.h:
3282         * heap/Heap.cpp:
3283         (JSC::Heap::Thread::Thread):
3284         * heap/Heap.h:
3285         * jit/JITWorklist.cpp:
3286         (JSC::JITWorklist::Thread::Thread):
3287         * jit/JITWorklist.h:
3288         * runtime/VMTraps.cpp:
3289         * runtime/VMTraps.h:
3290         * wasm/WasmWorklist.cpp:
3291         * wasm/WasmWorklist.h:
3292
3293 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3294
3295         [WTF] Add user-defined literal for ASCIILiteral
3296         https://bugs.webkit.org/show_bug.cgi?id=186839
3297
3298         Reviewed by Darin Adler.
3299
3300         * API/JSCallbackObjectFunctions.h:
3301         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3302         (JSC::JSCallbackObject<Parent>::callbackGetter):
3303         * API/JSObjectRef.cpp:
3304         (JSObjectMakeFunctionWithCallback):
3305         * API/JSTypedArray.cpp:
3306         (JSObjectGetArrayBufferBytesPtr):
3307         * API/JSValue.mm:
3308         (valueToArray):
3309         (valueToDictionary):
3310         * API/ObjCCallbackFunction.mm:
3311         (JSC::objCCallbackFunctionCallAsFunction):
3312         (JSC::objCCallbackFunctionCallAsConstructor):
3313         (JSC::ObjCCallbackFunctionImpl::call):
3314         * API/glib/JSCCallbackFunction.cpp:
3315         (JSC::JSCCallbackFunction::call):
3316         (JSC::JSCCallbackFunction::construct):
3317         * API/glib/JSCContext.cpp:
3318         (jscContextJSValueToGValue):
3319         * API/glib/JSCValue.cpp:
3320         (jsc_value_object_define_property_accessor):
3321         (jscValueFunctionCreate):
3322         * builtins/BuiltinUtils.h:
3323         * bytecode/CodeBlock.cpp:
3324         (JSC::CodeBlock::nameForRegister):
3325         * bytecompiler/BytecodeGenerator.cpp:
3326         (JSC::BytecodeGenerator::emitEnumeration):
3327         (JSC::BytecodeGenerator::emitIteratorNext):
3328         (JSC::BytecodeGenerator::emitIteratorClose):
3329         (JSC::BytecodeGenerator::emitDelegateYield):
3330         * bytecompiler/NodesCodegen.cpp:
3331         (JSC::FunctionCallValueNode::emitBytecode):
3332         (JSC::PostfixNode::emitBytecode):
3333         (JSC::PrefixNode::emitBytecode):
3334         (JSC::AssignErrorNode::emitBytecode):
3335         (JSC::ForInNode::emitBytecode):
3336         (JSC::ForOfNode::emitBytecode):
3337         (JSC::ClassExprNode::emitBytecode):
3338         (JSC::ObjectPatternNode::bindValue const):
3339         * dfg/DFGDriver.cpp:
3340         (JSC::DFG::compileImpl):
3341         * dfg/DFGOperations.cpp:
3342         (JSC::DFG::newTypedArrayWithSize):
3343         * dfg/DFGStrengthReductionPhase.cpp:
3344         (JSC::DFG::StrengthReductionPhase::handleNode):
3345         * inspector/ConsoleMessage.cpp:
3346         (Inspector::ConsoleMessage::addToFrontend):
3347         (Inspector::ConsoleMessage::clear):
3348         * inspector/ContentSearchUtilities.cpp:
3349         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
3350         * inspector/InjectedScript.cpp:
3351         (Inspector::InjectedScript::InjectedScript):
3352         (Inspector::InjectedScript::evaluate):
3353         (Inspector::InjectedScript::callFunctionOn):
3354         (Inspector::InjectedScript::evaluateOnCallFrame):
3355         (Inspector::InjectedScript::getFunctionDetails):
3356         (Inspector::InjectedScript::functionDetails):
3357         (Inspector::InjectedScript::getPreview):
3358         (Inspector::InjectedScript::getProperties):
3359         (Inspector::InjectedScript::getDisplayableProperties):
3360         (Inspector::InjectedScript::getInternalProperties):
3361         (Inspector::InjectedScript::getCollectionEntries):
3362         (Inspector::InjectedScript::saveResult):
3363         (Inspector::InjectedScript::wrapCallFrames const):
3364         (Inspector::InjectedScript::wrapObject const):
3365         (Inspector::InjectedScript::wrapJSONString const):
3366         (Inspector::InjectedScript::wrapTable const):
3367         (Inspector::InjectedScript::previewValue const):
3368         (Inspector::InjectedScript::setExceptionValue):
3369         (Inspector::InjectedScript::clearExceptionValue):
3370         (Inspector::InjectedScript::findObjectById const):
3371         (Inspector::InjectedScript::inspectObject):
3372         (Inspector::InjectedScript::releaseObject):
3373         (Inspector::InjectedScript::releaseObjectGroup):
3374         * inspector/InjectedScriptBase.cpp:
3375         (Inspector::InjectedScriptBase::makeEvalCall):
3376         * inspector/InjectedScriptManager.cpp:
3377         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3378         * inspector/InjectedScriptModule.cpp:
3379         (Inspector::InjectedScriptModule::ensureInjected):
3380         * inspector/InspectorBackendDispatcher.cpp:
3381         (Inspector::BackendDispatcher::dispatch):
3382         (Inspector::BackendDispatcher::sendResponse):
3383         (Inspector::BackendDispatcher::sendPendingErrors):
3384         * inspector/JSGlobalObjectConsoleClient.cpp:
3385         (Inspector::JSGlobalObjectConsoleClient::profile):
3386         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
3387         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3388         * inspector/JSGlobalObjectInspectorController.cpp:
3389         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3390         * inspector/JSInjectedScriptHost.cpp:
3391         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3392         (Inspector::JSInjectedScriptHost::subtype):
3393         (Inspector::JSInjectedScriptHost::getInternalProperties):
3394         * inspector/JSJavaScriptCallFrame.cpp:
3395         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3396         (Inspector::JSJavaScriptCallFrame::type const):
3397         * inspector/ScriptArguments.cpp:
3398         (Inspector::ScriptArguments::getFirstArgumentAsString):
3399         * inspector/ScriptCallStackFactory.cpp:
3400         (Inspector::extractSourceInformationFromException):
3401         * inspector/agents/InspectorAgent.cpp:
3402         (Inspector::InspectorAgent::InspectorAgent):
3403         * inspector/agents/InspectorConsoleAgent.cpp:
3404         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3405         (Inspector::InspectorConsoleAgent::clearMessages):
3406         (Inspector::InspectorConsoleAgent::count):
3407         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
3408         * inspector/agents/InspectorDebuggerAgent.cpp:
3409         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3410         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
3411         (Inspector::buildObjectForBreakpointCookie):
3412         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3413         (Inspector::parseLocation):
3414         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3415         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3416         (Inspector::InspectorDebuggerAgent::continueToLocation):
3417         (Inspector::InspectorDebuggerAgent::searchInContent):
3418         (Inspector::InspectorDebuggerAgent::getScriptSource):
3419         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
3420         (Inspector::InspectorDebuggerAgent::resume):
3421         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
3422         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
3423         (Inspector::InspectorDebuggerAgent::didParseSource):
3424         (Inspector::InspectorDebuggerAgent::assertPaused):
3425         * inspector/agents/InspectorHeapAgent.cpp:
3426         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
3427         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
3428         (Inspector::InspectorHeapAgent::getPreview):
3429         (Inspector::InspectorHeapAgent::getRemoteObject):
3430         * inspector/agents/InspectorRuntimeAgent.cpp:
3431         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
3432         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3433         (Inspector::InspectorRuntimeAgent::getPreview):
3434         (Inspector::InspectorRuntimeAgent::getProperties):
3435         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3436         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3437         (Inspector::InspectorRuntimeAgent::saveResult):
3438         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3439         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3440         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3441         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
3442         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3443         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
3444         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3445         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
3446         * inspector/scripts/codegen/cpp_generator_templates.py:
3447         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3448         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
3449         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3450         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3451         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3452         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3453         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3454         (CppProtocolTypesImplementationGenerator):
3455         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3456         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3457         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
3458         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3459         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3460         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3461         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3462         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
3463         * inspector/scripts/codegen/objc_generator_templates.py:
3464         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3465         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3466         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3467         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3468         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3469         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3470         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3471         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3472         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3473         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3474         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3475         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3476         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3477         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3478         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3479         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3480         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3481         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3482         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3483         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3484         * interpreter/CallFrame.cpp:
3485         (JSC::CallFrame::friendlyFunctionName):
3486         * interpreter/Interpreter.cpp:
3487         (JSC::Interpreter::execute):
3488         * interpreter/StackVisitor.cpp:
3489         (JSC::StackVisitor::Frame::functionName const):
3490         (JSC::StackVisitor::Frame::sourceURL const):
3491         * jit/JIT.cpp:
3492         (JSC::JIT::doMainThreadPreparationBeforeCompile):
3493         * jit/JITOperations.cpp:
3494         * jsc.cpp:
3495         (resolvePath):
3496         (GlobalObject::moduleLoaderImportModule):
3497         (GlobalObject::moduleLoaderResolve):
3498         (functionDescribeArray):
3499         (functionRun):
3500         (functionLoad):
3501         (functionCheckSyntax):
3502         (functionDollarEvalScript):
3503         (functionDollarAgentStart):
3504         (functionDollarAgentReceiveBroadcast):
3505         (functionDollarAgentBroadcast):
3506         (functionTransferArrayBuffer):
3507         (functionLoadModule):
3508         (functionSamplingProfilerStackTraces):
3509         (functionAsyncTestStart):
3510         (functionWebAssemblyMemoryMode):
3511         (runWithOptions):
3512         * parser/Lexer.cpp:
3513         (JSC::Lexer<T>::invalidCharacterMessage const):
3514         (JSC::Lexer<T>::parseString):
3515         (JSC::Lexer<T>::parseComplexEscape):
3516         (JSC::Lexer<T>::parseStringSlowCase):
3517         (JSC::Lexer<T>::parseTemplateLiteral):
3518         (JSC::Lexer<T>::lex):
3519         * parser/Parser.cpp:
3520         (JSC::Parser<LexerType>::parseInner):
3521         * parser/Parser.h:
3522         (JSC::Parser::setErrorMessage):
3523         * runtime/AbstractModuleRecord.cpp:
3524         (JSC::AbstractModuleRecord::finishCreation):
3525         * runtime/ArrayBuffer.cpp:
3526         (JSC::errorMesasgeForTransfer):
3527         * runtime/ArrayBufferSharingMode.h:
3528         (JSC::arrayBufferSharingModeName):
3529         * runtime/ArrayConstructor.cpp:
3530         (JSC::constructArrayWithSizeQuirk):
3531         (JSC::isArraySlowInline):
3532         * runtime/ArrayPrototype.cpp:
3533         (JSC::setLength):
3534         (JSC::shift):
3535         (JSC::unshift):
3536         (JSC::arrayProtoFuncPop):
3537         (JSC::arrayProtoFuncReverse):
3538         (JSC::arrayProtoFuncUnShift):
3539         * runtime/AtomicsObject.cpp:
3540         (JSC::atomicsFuncWait):
3541         (JSC::atomicsFuncWake):
3542         * runtime/BigIntConstructor.cpp:
3543         (JSC::BigIntConstructor::finishCreation):
3544         (JSC::toBigInt):
3545         (JSC::callBigIntConstructor):
3546         * runtime/BigIntObject.cpp:
3547         (JSC::BigIntObject::toStringName):
3548         * runtime/BigIntPrototype.cpp:
3549         (JSC::bigIntProtoFuncToString):
3550         (JSC::bigIntProtoFuncValueOf):
3551         * runtime/CommonSlowPaths.cpp:
3552         (JSC::SLOW_PATH_DECL):
3553         * runtime/ConsoleClient.cpp:
3554         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3555         * runtime/ConsoleObject.cpp:
3556         (JSC::valueOrDefaultLabelString):
3557         (JSC::consoleProtoFuncTime):
3558         (JSC::consoleProtoFuncTimeEnd):
3559         * runtime/DatePrototype.cpp:
3560         (JSC::formatLocaleDate):
3561         (JSC::formateDateInstance):
3562         (JSC::DatePrototype::finishCreation):
3563         (JSC::dateProtoFuncToISOString):
3564         (JSC::dateProtoFuncToJSON):
3565         * runtime/Error.cpp:
3566         (JSC::createNotEnoughArgumentsError):
3567         (JSC::throwSyntaxError):
3568         (JSC::createTypeError):
3569         (JSC::createOutOfMemoryError):
3570         * runtime/Error.h:
3571         (JSC::throwVMError):
3572         * runtime/ErrorConstructor.cpp:
3573         (JSC::ErrorConstructor::finishCreation):
3574         * runtime/ErrorInstance.cpp:
3575         (JSC::ErrorInstance::sanitizedToString):
3576         * runtime/ErrorPrototype.cpp:
3577         (JSC::ErrorPrototype::finishCreation):
3578         (JSC::errorProtoFuncToString):
3579         * runtime/ExceptionFuzz.cpp:
3580         (JSC::doExceptionFuzzing):
3581         * runtime/ExceptionHelpers.cpp:
3582         (JSC::TerminatedExecutionError::defaultValue):
3583         (JSC::createStackOverflowError):
3584         (JSC::createNotAConstructorError):
3585         (JSC::createNotAFunctionError):
3586         (JSC::createNotAnObjectError):
3587         * runtime/GetterSetter.cpp:
3588         (JSC::callSetter):
3589         * runtime/IntlCollator.cpp:
3590         (JSC::sortLocaleData):
3591         (JSC::searchLocaleData):
3592         (JSC::IntlCollator::initializeCollator):
3593         (JSC::IntlCollator::compareStrings):
3594         (JSC::IntlCollator::usageString):
3595         (JSC::IntlCollator::sensitivityString):
3596         (JSC::IntlCollator::caseFirstString):
3597         (JSC::IntlCollator::resolvedOptions):
3598         * runtime/IntlCollator.h:
3599         * runtime/IntlCollatorConstructor.cpp:
3600         (JSC::IntlCollatorConstructor::finishCreation):
3601         * runtime/IntlCollatorPrototype.cpp:
3602         (JSC::IntlCollatorPrototypeGetterCompare):
3603         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
3604         * runtime/IntlDateTimeFormat.cpp:
3605         (JSC::defaultTimeZone):
3606         (JSC::canonicalizeTimeZoneName):
3607         (JSC::IntlDTFInternal::localeData):
3608         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
3609         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3610         (JSC::IntlDateTimeFormat::weekdayString):
3611         (JSC::IntlDateTimeFormat::eraString):
3612         (JSC::IntlDateTimeFormat::yearString):
3613         (JSC::IntlDateTimeFormat::monthString):
3614         (JSC::IntlDateTimeFormat::dayString):
3615         (JSC::IntlDateTimeFormat::hourString):
3616         (JSC::IntlDateTimeFormat::minuteString):
3617         (JSC::IntlDateTimeFormat::secondString):
3618         (JSC::IntlDateTimeFormat::timeZoneNameString):
3619         (JSC::IntlDateTimeFormat::resolvedOptions):
3620         (JSC::IntlDateTimeFormat::format):
3621         (JSC::IntlDateTimeFormat::partTypeString):
3622         (JSC::IntlDateTimeFormat::formatToParts):
3623         * runtime/IntlDateTimeFormat.h:
3624         * runtime/IntlDateTimeFormatConstructor.cpp:
3625         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3626         * runtime/IntlDateTimeFormatPrototype.cpp:
3627         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3628         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
3629         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
3630         * runtime/IntlNumberFormat.cpp:
3631         (JSC::IntlNumberFormat::initializeNumberFormat):
3632         (JSC::IntlNumberFormat::formatNumber):
3633         (JSC::IntlNumberFormat::styleString):
3634         (JSC::IntlNumberFormat::currencyDisplayString):
3635         (JSC::IntlNumberFormat::resolvedOptions):
3636         (JSC::IntlNumberFormat::partTypeString):
3637         (JSC::IntlNumberFormat::formatToParts):
3638         * runtime/IntlNumberFormat.h:
3639         * runtime/IntlNumberFormatConstructor.cpp:
3640         (JSC::IntlNumberFormatConstructor::finishCreation):
3641         * runtime/IntlNumberFormatPrototype.cpp:
3642         (JSC::IntlNumberFormatPrototypeGetterFormat):
3643         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3644         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3645         * runtime/IntlObject.cpp:
3646         (JSC::grandfatheredLangTag):
3647         (JSC::canonicalizeLocaleList):
3648         (JSC::resolveLocale):
3649         (JSC::supportedLocales):
3650         * runtime/IntlPluralRules.cpp:
3651         (JSC::IntlPluralRules::initializePluralRules):
3652         (JSC::IntlPluralRules::resolvedOptions):
3653         (JSC::IntlPluralRules::select):
3654         * runtime/IntlPluralRulesConstructor.cpp:
3655         (JSC::IntlPluralRulesConstructor::finishCreation):
3656         * runtime/IntlPluralRulesPrototype.cpp:
3657         (JSC::IntlPluralRulesPrototypeFuncSelect):
3658         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3659         * runtime/IteratorOperations.cpp:
3660         (JSC::iteratorNext):
3661         (JSC::iteratorClose):
3662         (JSC::hasIteratorMethod):
3663         (JSC::iteratorMethod):
3664         * runtime/JSArray.cpp:
3665         (JSC::JSArray::tryCreateUninitializedRestricted):
3666         (JSC::JSArray::defineOwnProperty):
3667         (JSC::JSArray::put):
3668         (JSC::JSArray::setLengthWithArrayStorage):
3669         (JSC::JSArray::appendMemcpy):
3670         (JSC::JSArray::pop):
3671         * runtime/JSArray.h:
3672         * runtime/JSArrayBufferConstructor.cpp:
3673         (JSC::JSArrayBufferConstructor::finishCreation):
3674         * runtime/JSArrayBufferPrototype.cpp:
3675         (JSC::arrayBufferProtoFuncSlice):
3676         (JSC::arrayBufferProtoGetterFuncByteLength):
3677         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
3678         * runtime/JSArrayBufferView.cpp:
3679         (JSC::JSArrayBufferView::toStringName):
3680         * runtime/JSArrayInlines.h:
3681         (JSC::JSArray::pushInline):
3682         * runtime/JSBigInt.cpp:
3683         (JSC::JSBigInt::divide):
3684         (JSC::JSBigInt::remainder):
3685         (JSC::JSBigInt::toNumber const):
3686         * runtime/JSCJSValue.cpp:
3687         (JSC::JSValue::putToPrimitive):
3688         (JSC::JSValue::putToPrimitiveByIndex):
3689         (JSC::JSValue::toStringSlowCase const):
3690         * runtime/JSCJSValueInlines.h:
3691         (JSC::toPreferredPrimitiveType):
3692         * runtime/JSDataView.cpp:
3693         (JSC::JSDataView::create):
3694         (JSC::JSDataView::put):
3695         (JSC::JSDataView::defineOwnProperty):
3696         * runtime/JSDataViewPrototype.cpp:
3697         (JSC::getData):
3698         (JSC::setData):
3699         * runtime/JSFunction.cpp:
3700         (JSC::JSFunction::callerGetter):
3701         (JSC::JSFunction::put):
3702         (JSC::JSFunction::defineOwnProperty):
3703         * runtime/JSGenericTypedArrayView.h:
3704         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3705         (JSC::constructGenericTypedArrayViewWithArguments):
3706         (JSC::constructGenericTypedArrayView):
3707         * runtime/JSGenericTypedArrayViewInlines.h:
3708         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
3709         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3710         (JSC::speciesConstruct):
3711         (JSC::genericTypedArrayViewProtoFuncSet):
3712         (JSC::genericTypedArrayViewProtoFuncIndexOf):
3713         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
3714         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3715         * runtime/JSGlobalObject.cpp:
3716         (JSC::JSGlobalObject::init):
3717         * runtime/JSGlobalObjectDebuggable.cpp:
3718         (JSC::JSGlobalObjectDebuggable::name const):
3719         * runtime/JSGlobalObjectFunctions.cpp:
3720         (JSC::encode):
3721         (JSC::decode):
3722         (JSC::globalFuncProtoSetter):
3723         * runtime/JSGlobalObjectFunctions.h:
3724         * runtime/JSMap.cpp:
3725         (JSC::JSMap::toStringName):
3726         * runtime/JSModuleEnvironment.cpp:
3727         (JSC::JSModuleEnvironment::put):
3728         * runtime/JSModuleNamespaceObject.cpp:
3729         (JSC::JSModuleNamespaceObject::put):
3730         (JSC::JSModuleNamespaceObject::putByIndex):
3731         (JSC::JSModuleNamespaceObject::defineOwnProperty):
3732         * runtime/JSONObject.cpp:
3733         (JSC::Stringifier::appendStringifiedValue):
3734         (JSC::JSONProtoFuncParse):
3735         (JSC::JSONProtoFuncStringify):
3736         * runtime/JSObject.cpp:
3737         (JSC::getClassPropertyNames):
3738         (JSC::JSObject::calculatedClassName):
3739         (JSC::ordinarySetSlow):
3740         (JSC::JSObject::putInlineSlow):
3741         (JSC::JSObject::setPrototypeWithCycleCheck):
3742         (JSC::callToPrimitiveFunction):
3743         (JSC::JSObject::ordinaryToPrimitive const):
3744         (JSC::JSObject::defaultHasInstance):
3745         (JSC::JSObject::defineOwnIndexedProperty):
3746         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3747         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3748         (JSC::validateAndApplyPropertyDescriptor):
3749         * runtime/JSObject.h:
3750         * runtime/JSObjectInlines.h:
3751         (JSC::JSObject::putInlineForJSObject):
3752         * runtime/JSPromiseConstructor.cpp:
3753         (JSC::JSPromiseConstructor::finishCreation):
3754         * runtime/JSSet.cpp:
3755         (JSC::JSSet::toStringName):
3756         * runtime/JSSymbolTableObject.h:
3757         (JSC::symbolTablePut):
3758         * runtime/JSTypedArrayViewConstructor.cpp:
3759         (JSC::constructTypedArrayView):
3760         * runtime/JSTypedArrayViewPrototype.cpp:
3761         (JSC::typedArrayViewPrivateFuncLength):
3762         (JSC::typedArrayViewProtoFuncSet):
3763         (JSC::typedArrayViewProtoFuncCopyWithin):
3764         (JSC::typedArrayViewProtoFuncLastIndexOf):
3765         (JSC::typedArrayViewProtoFuncIndexOf):
3766         (JSC::typedArrayViewProtoFuncJoin):
3767         (JSC::typedArrayViewProtoGetterFuncBuffer):
3768         (JSC::typedArrayViewProtoGetterFuncLength):
3769         (JSC::typedArrayViewProtoGetterFuncByteLength):
3770         (JSC::typedArrayViewProtoGetterFuncByteOffset):
3771         (JSC::typedArrayViewProtoFuncReverse):
3772         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
3773         (JSC::typedArrayViewProtoFuncSlice):
3774         (JSC::JSTypedArrayViewPrototype::finishCreation):
3775         * runtime/JSWeakMap.cpp:
3776         (JSC::JSWeakMap::toStringName):
3777         * runtime/JSWeakSet.cpp:
3778         (JSC::JSWeakSet::toStringName):
3779         * runtime/LiteralParser.cpp:
3780         (JSC::LiteralParser<CharType>::Lexer::lex):
3781         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3782         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
3783         (JSC::LiteralParser<CharType>::parse):
3784         * runtime/LiteralParser.h:
3785         (JSC::LiteralParser::getErrorMessage):
3786         * runtime/Lookup.cpp:
3787         (JSC::reifyStaticAccessor):
3788         * runtime/Lookup.h:
3789         (JSC::putEntry):
3790         * runtime/MapPrototype.cpp:
3791         (JSC::getMap):
3792         * runtime/NullSetterFunction.cpp:
3793         (JSC::NullSetterFunctionInternal::callReturnUndefined):
3794         * runtime/NumberPrototype.cpp:
3795         (JSC::numberProtoFuncToExponential):
3796         (JSC::numberProtoFuncToFixed):
3797         (JSC::numberProtoFuncToPrecision):
3798         (JSC::extractToStringRadixArgument):
3799         * runtime/ObjectConstructor.cpp:
3800         (JSC::objectConstructorSetPrototypeOf):
3801         (JSC::objectConstructorAssign):
3802         (JSC::objectConstructorValues):
3803         (JSC::toPropertyDescriptor):
3804         (JSC::objectConstructorDefineProperty):
3805         (JSC::objectConstructorDefineProperties):
3806         (JSC::objectConstructorCreate):
3807         (JSC::objectConstructorSeal):
3808         (JSC::objectConstructorFreeze):
3809         * runtime/ObjectPrototype.cpp:
3810         (JSC::objectProtoFuncDefineGetter):
3811         (JSC::objectProtoFuncDefineSetter):
3812         * runtime/Operations.cpp:
3813         (JSC::jsAddSlowCase):
3814         * runtime/Operations.h:
3815         (JSC::jsSub):
3816         (JSC::jsMul):
3817         * runtime/ProgramExecutable.cpp:
3818         (JSC::ProgramExecutable::initializeGlobalProperties):
3819         * runtime/ProxyConstructor.cpp:
3820         (JSC::makeRevocableProxy):
3821         (JSC::proxyRevocableConstructorThrowError):
3822         (JSC::ProxyConstructor::finishCreation):
3823         (JSC::constructProxyObject):
3824         * runtime/ProxyObject.cpp:
3825         (JSC::ProxyObject::toStringName):
3826         (JSC::ProxyObject::finishCreation):
3827         (JSC::performProxyGet):
3828         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3829         (JSC::ProxyObject::performHasProperty):
3830         (JSC::ProxyObject::performPut):
3831         (JSC::performProxyCall):
3832         (JSC::performProxyConstruct):
3833         (JSC::ProxyObject::performDelete):
3834         (JSC::ProxyObject::performPreventExtensions):
3835         (JSC::ProxyObject::performIsExtensible):
3836         (JSC::ProxyObject::performDefineOwnProperty):
3837         (JSC::ProxyObject::performGetOwnPropertyNames):
3838         (JSC::ProxyObject::performSetPrototype):
3839         (JSC::ProxyObject::performGetPrototype):
3840         * runtime/ReflectObject.cpp:
3841         (JSC::reflectObjectConstruct):
3842         (JSC::reflectObjectDefineProperty):
3843         (JSC::reflectObjectGet):
3844         (JSC::reflectObjectGetOwnPropertyDescriptor):
3845         (JSC::reflectObjectGetPrototypeOf):
3846         (JSC::reflectObjectIsExtensible):
3847         (JSC::reflectObjectOwnKeys):
3848         (JSC::reflectObjectPreventExtensions):
3849         (JSC::reflectObjectSet):
3850         (JSC::reflectObjectSetPrototypeOf):
3851         * runtime/RegExpConstructor.cpp:
3852         (JSC::RegExpConstructor::finishCreation):
3853         (JSC::toFlags):
3854         * runtime/RegExpObject.cpp:
3855         (JSC::RegExpObject::defineOwnProperty):
3856         * runtime/RegExpObject.h:
3857         * runtime/RegExpPrototype.cpp:
3858         (JSC::regExpProtoFuncCompile):
3859         (JSC::regExpProtoGetterGlobal):
3860         (JSC::regExpProtoGetterIgnoreCase):
3861         (JSC::regExpProtoGetterMultiline):
3862         (JSC::regExpProtoGetterDotAll):
3863         (JSC::regExpProtoGetterSticky):
3864         (JSC::regExpProtoGetterUnicode):