YARR: . doesn't match non-BMP Unicode characters in some cases
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-10  Michael Saboff  <msaboff@apple.com>

        YARR: . doesn't match non-BMP Unicode characters in some cases
        https://bugs.webkit.org/show_bug.cgi?id=187248

        Reviewed by Geoffrey Garen.

        The safety check in optimizeAlternative() for moving character classes that only consist of BMP
        characters did not take into account that the character class is inverted.  In this case, we
        represent '.' as "not a newline" using the newline character class with an inverted check.
        Clearly that includes non-BMP characters.

        The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
        inverted use of that character class.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):

2018-07-09  Mark Lam  <mark.lam@apple.com>

        Add --traceLLIntExecution and --traceLLIntSlowPath options.
        https://bugs.webkit.org/show_bug.cgi?id=187479

        Reviewed by Yusuke Suzuki and Saam Barati.

        These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.

        The details:
        1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
        2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
           This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
           continually spammed with logging until we rebuild.
        3. Fixed slow path LLINT tracing to work with exception check validation.

        * llint/LLIntCommon.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::slowPathLog):
        (JSC::LLInt::slowPathLn):
        (JSC::LLInt::slowPathLogF):
        (JSC::LLInt::slowPathLogLn):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        * runtime/Options.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=187477

        Reviewed by Mark Lam.

        Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
        However, it is not necessary since JSCells can reside in a constant buffer.
        This patch embeds RegExp* into a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
        vector from RareData.

        We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        (JSC::regexpToSourceString): Deleted.
        (JSC::regexpName): Deleted.
        (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
        * bytecode/BytecodeDumper.h:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::regexp const): Deleted.
        (JSC::CodeBlock::numberOfRegExps const): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
        (JSC::UnlinkedCodeBlock::regexp const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewRegExp):
        (JSC::BytecodeGenerator::addRegExp): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContextAssumingStructure const):
        * runtime/RegExp.cpp:
        (JSC::regexpToSourceString):
        (JSC::RegExp::dumpToStream):
        * runtime/RegExp.h:

2018-07-09  Brian Burg  <bburg@apple.com>

        REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
        https://bugs.webkit.org/show_bug.cgi?id=187350
        <rdar://problem/41728249>

        Reviewed by Matt Baker.

        Add a new command that toggles whether or not to blackbox internal scripts.
        If blackboxed, the scripts will not be shown to the frontend and the debugger will
        not pause in source frames from blackboxed scripts. Sometimes we want to break into
        those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
        that injects scripts.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make some data members of UnlinkedCodeBlock private
        https://bugs.webkit.org/show_bug.cgi?id=187467

        Reviewed by Mark Lam.

        This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
        We also remove m_numCapturedVars since it is no longer used.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:

2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
        https://bugs.webkit.org/show_bug.cgi?id=187465

        Reviewed by Keith Miller.

        ProxyableAccessCase is allocated so frequently and it persists for so long. Reducing the size
        of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.

        This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add an unused bool member
        in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
        of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
        from 104 to 96 since it inherits ProxyableAccessCase.

        * bytecode/AccessCase.h:
        (JSC::AccessCase::viaProxy const):
        (JSC::AccessCase::AccessCase):
        * bytecode/ProxyableAccessCase.cpp:
        (JSC::ProxyableAccessCase::ProxyableAccessCase):
        * bytecode/ProxyableAccessCase.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for debug builds after r233630
        https://bugs.webkit.org/show_bug.cgi?id=187441

        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of CodeBlock to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187441

        Reviewed by Mark Lam.

        Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
        We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
        Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.

        We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numVars const):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::numVars const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSCJSValue.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of UnlinkedCodeBlock to shrink
        https://bugs.webkit.org/show_bug.cgi?id=187448

        Reviewed by Saam Barati.

        We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
        These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.

        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        * bytecode/VirtualRegister.h:

2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize padding of InferredTypeTable by using cellLock
        https://bugs.webkit.org/show_bug.cgi?id=187447

        Reviewed by Mark Lam.

        Use cellLock() in InferredTypeTable to guard changes of internal structures.
        This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
        reduce the size of InferredTypeTable from 40 to 32.

        * runtime/InferredTypeTable.cpp:
        (JSC::InferredTypeTable::visitChildren):
        (JSC::InferredTypeTable::get):
        (JSC::InferredTypeTable::willStoreValue):
        (JSC::InferredTypeTable::makeTop):
        * runtime/InferredTypeTable.h:
        Use enum class and using. And remove `isEmpty()` since it is not used.

        * runtime/Structure.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SourceProvider to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187440

        Reviewed by Mark Lam.

        Arrange members of SourceProvider to reduce the size from 80 to 72.

        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::SourceProvider):
        * parser/SourceProvider.h:

2018-07-08  Mark Lam  <mark.lam@apple.com>

        PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
        https://bugs.webkit.org/show_bug.cgi?id=187444
        <rdar://problem/41282849>

        Reviewed by Saam Barati.

        PropertyTable supports C++ iteration by offering begin() and end() methods, and
        an iterator class.  The begin() methods and the iterator operator++() method use
        PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
        However, PropertyTable::skipDeletedEntries() does not prevent the iteration
        pointer from being incremented past the end of the table.  As a result, we can
        iterate past the end of the table.  Note that the C++ iteration protocol tests
        for the iterator not being equal to the end() value.  It does not do a <= test.
        If the iterator ever shoots past end, the loop will effectively not terminate.

        This issue can manifest if and only if the last entry in the table is a deleted
        one, and the key field of the PropertyMapEntry shaped space at the end of the
        table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
        value.

        No test because manifesting this issue requires uncontrollable happenstance where
        memory just beyond the end of the table looks like a deleted entry.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::end):
        (JSC::PropertyTable::begin const):
        (JSC::PropertyTable::end const):
        (JSC::PropertyTable::skipDeletedEntries):
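
An added illustration of the iteration hazard described in this entry, modelled on a toy entry array; it is constructed for this page and is not WebKit's PropertyTable code. The `Entry` struct, `deletedKey` constant and function names are assumptions that only mirror the description: the unbounded skip steps past `end` when the slot just beyond the table happens to hold the deleted-entry key, while the bounded version stops at `end`.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for PropertyMapEntry: only the key field matters here. The ChangeLog
// describes the deleted marker as a key whose value is 1 (PROPERTY_MAP_DELETED_ENTRY_KEY).
struct Entry {
    uintptr_t key;
};
constexpr uintptr_t deletedKey = 1;

// Pre-fix shape of skipDeletedEntries(): advances while the slot looks deleted, with no bound.
static Entry* skipDeletedEntriesUnguarded(Entry* it)
{
    while (it->key == deletedKey)
        ++it;
    return it;
}

// Post-fix shape: the iterator never advances past `end`, so begin() and operator++() can only
// ever hand back `end` itself, which the C++ `it != end` loop test recognises.
static Entry* skipDeletedEntriesGuarded(Entry* it, Entry* end)
{
    while (it < end && it->key == deletedKey)
        ++it;
    return it;
}

// Builds the precondition from the ChangeLog: the last table entry is deleted and the memory
// just beyond the table happens to contain the deleted-entry key. Returns how many slots past
// `end` the skip landed on; 0 means it stopped at `end`, as an iterator must.
static ptrdiff_t overshootPastEnd(bool guarded)
{
    // Slots 0..2 form the table; slot 3 is "memory beyond the end" that looks deleted; slot 4 is a
    // terminator so the unguarded variant in this demo stops instead of reading unowned memory.
    std::vector<Entry> storage = { { 0x1000 }, { deletedKey }, { deletedKey }, { deletedKey }, { 0 } };
    Entry* begin = storage.data();
    Entry* end = begin + 3;
    // operator++ from the live entry at slot 0 lands on slot 1 and then skips deleted entries.
    Entry* it = guarded ? skipDeletedEntriesGuarded(begin + 1, end) : skipDeletedEntriesUnguarded(begin + 1);
    return it - end;
}

// Counts live entries with the guarded skip using the same begin()/operator++ protocol as the
// real iterator; shows the fix still visits every live entry and terminates at `end`.
static size_t countLiveEntries()
{
    std::vector<Entry> storage = { { 0x1000 }, { deletedKey }, { 0x2000 }, { deletedKey }, { deletedKey }, { 0 } };
    Entry* begin = storage.data();
    Entry* end = begin + 4; // slot 4 is again deleted-looking memory past the table
    size_t live = 0;
    for (Entry* it = skipDeletedEntriesGuarded(begin, end); it != end; it = skipDeletedEntriesGuarded(it + 1, end))
        ++live;
    return live;
}
```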
317
2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of SymbolTable to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187437

        Reviewed by Mark Lam.

        Arrange the layout of SymbolTable to reduce the size from 88 to 72.

        * runtime/SymbolTable.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of RegExp to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187438

        Reviewed by Mark Lam.

        Reduce the size of RegExp from 168 to 144.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * runtime/RegExp.h:
        * runtime/RegExpKey.h:
        * yarr/YarrErrorCode.h:

2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize layout of ValueProfile to reduce padding
        https://bugs.webkit.org/show_bug.cgi?id=187439

        Reviewed by Mark Lam.

        Reduce the size of ValueProfile from 40 to 32 by reordering members.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):

2018-07-05  Saam Barati  <sbarati@apple.com>

        ProgramExecutable may be collected as we checkSyntax on it
        https://bugs.webkit.org/show_bug.cgi?id=187359
        <rdar://problem/41832135>

        Reviewed by Mark Lam.

        The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as
        the ProgramExecutable itself may be collected. The fix here is to make a copy
        of the field instead of passing in a reference inside of ParserError::toErrorObject.

        No new tests here as this was already caught by our iOS JSC testers.

        * parser/ParserError.h:
        (JSC::ParserError::toErrorObject):

2018-07-04  Tim Horton  <timothy_horton@apple.com>

        Introduce PLATFORM(IOSMAC)
        https://bugs.webkit.org/show_bug.cgi?id=187315

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2018-07-03  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
        https://bugs.webkit.org/show_bug.cgi?id=187255
        <rdar://problem/41785257>

        Reviewed by Saam Barati.

        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
        too: basically, do what the 64-bit code is doing.  At present, this change only
        serves to pacify an assertion.  It is not needed for correctness because the
        concurrent GC is not used on 32-bit builds.

        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
        test.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):

2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=187290

        Reviewed by Saam Barati.

        slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
        we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
        is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
        easily calculated from JSType.
        This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::elementSize):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        Regular expressions with ".?" expressions at the start and the end match the entire string
        https://bugs.webkit.org/show_bug.cgi?id=119191

        Reviewed by Michael Saboff.

        r90962 optimized regular expressions in the form of /.*abc.*/ by looking
        for "abc" first and then processing the leading and trailing dot stars
        to find the beginning and the end of the match. However, it erroneously
        enabled this optimization for regular expressions whose leading or
        trailing dots had quantifiers that were not of arbitrary length, e.g.,
        /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
        match the entire string when it shouldn't. This patch disables the
        optimization for those cases.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):

2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>

        RegExp.exec returns wrong value with a long integer quantifier
        https://bugs.webkit.org/show_bug.cgi?id=187042

        Reviewed by Saam Barati.

        Prior to this patch, the Yarr parser checked for integer overflow when
        parsing quantifiers in regular expressions by adding one digit at a time
        to a number and checking if the result got larger. This is wrong;
        the parser would fail to detect overflow when parsing, for example,
        10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.

        Another issue was that once it detected overflow, it stopped consuming
        the remaining digits. Since it didn't find the closing bracket, it
        parsed the quantifier as a normal string instead.

        This patch fixes these issues by reading all the digits and checking for
        overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
        returns the largest possible value (quantifyInfinite in this case). This
        matches Chrome [1], Firefox [2], and Edge [3].

        [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
        [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
        [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::consumeNumber):
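
An added example, not WebKit's YarrParser code, that reproduces the two defects described in this entry in a stand-alone quantifier-digit reader and contrasts them with the fixed approach of reading every digit and saturating on overflow. `quantifyInfinite`, the `NumberResult` struct, `parseExactQuantifier` and the function names are assumptions for this illustration, and the overflow test is written by hand rather than with WTF's Checked<unsigned, RecordOverflow>.

```cpp
#include <climits>
#include <cstddef>
#include <string>

// Assumed sentinel for an unbounded quantifier, mirroring the role Yarr's quantifyInfinite plays.
constexpr unsigned quantifyInfinite = UINT_MAX;

struct NumberResult {
    unsigned value;   // parsed value; quantifyInfinite when the fixed reader saw an overflow
    size_t consumed;  // number of digit characters consumed from the input
};

// Pre-fix logic as the ChangeLog describes it: fold in one digit at a time and treat "the result
// got smaller" as the overflow signal, returning as soon as that fires. Modular wrap-around means
// a product can overflow and still come out larger than the previous value, so the check is unsound.
static NumberResult consumeNumberBuggy(const std::string& s, size_t pos)
{
    unsigned n = 0;
    size_t i = pos;
    while (i < s.size() && s[i] >= '0' && s[i] <= '9') {
        unsigned next = n * 10 + static_cast<unsigned>(s[i] - '0'); // wraps modulo 2^32
        if (next < n)
            return { quantifyInfinite, i - pos }; // stops here; trailing digits are left unconsumed
        n = next;
        ++i;
    }
    return { n, i - pos };
}

// Fixed logic: consume every digit, record overflow explicitly (hand-written here instead of
// WTF's Checked<unsigned, RecordOverflow>) and saturate to quantifyInfinite.
static NumberResult consumeNumberFixed(const std::string& s, size_t pos)
{
    unsigned n = 0;
    bool overflowed = false;
    size_t i = pos;
    for (; i < s.size() && s[i] >= '0' && s[i] <= '9'; ++i) {
        unsigned digit = static_cast<unsigned>(s[i] - '0');
        // n * 10 + digit exceeds UINT_MAX exactly when n > (UINT_MAX - digit) / 10.
        if (overflowed || n > (UINT_MAX - digit) / 10) {
            overflowed = true;
            continue; // keep consuming so the closing brace is still found afterwards
        }
        n = n * 10 + digit;
    }
    return { overflowed ? quantifyInfinite : n, i - pos };
}

// Parses a "{n}" quantifier whose '{' sits at `pos`, using the supplied digit reader. Returns the
// count, or -1 when the closing brace does not directly follow the consumed digits; with the buggy
// reader that is what happens once it stalls mid-number, and the text is then treated as literals.
static long long parseExactQuantifier(const std::string& s, size_t pos, NumberResult (*reader)(const std::string&, size_t))
{
    if (pos >= s.size() || s[pos] != '{')
        return -1;
    NumberResult r = reader(s, pos + 1);
    size_t closePos = pos + 1 + r.consumed;
    if (r.consumed == 0 || closePos >= s.size() || s[closePos] != '}')
        return -1;
    return static_cast<long long>(r.value);
}
```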
479
2018-07-02  Keith Miller  <keith_miller@apple.com>

        InstanceOf IC should do generic if the prototype is not an object.
        https://bugs.webkit.org/show_bug.cgi?id=187250

        Reviewed by Mark Lam.

        The old code was wrong for two reasons. First, the AccessCase expected that
        the prototype value would be non-null. Second, we would end up returning
        false instead of throwing an exception.

        * jit/Repatch.cpp:
        (JSC::tryCacheInstanceOf):

2018-07-01  Mark Lam  <mark.lam@apple.com>

        Builtins and host functions should get their own structures.
        https://bugs.webkit.org/show_bug.cgi?id=187211
        <rdar://problem/41646336>

        Reviewed by Saam Barati.

        JSFunctions do lazy reification of properties, but ordinary functions apply
        different rules of property reification than builtin and host functions.  Hence,
        we should give builtins and host functions their own structures.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hostFunctionStructure const):
        (JSC::JSGlobalObject::arrowFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::strictFunctionStructure const):

2018-07-01  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
        <https://webkit.org/b/187233>

        Reviewed by Mark Lam.

        * b3/air/AirEliminateDeadCode.cpp:
        (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition): Add struct member
        initialization. Simplify default constructor.
        (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
        union to the beginning to make it easy to zero out all fields.
        (JSC::JSTokenLocation::JSTokenLocation): Add struct member
        initialization.  Simplify default constructor.  Note that
        `endOffset` was not being initialized previously.
        (JSC::JSTextPosition::JSToken): Add struct member initialization
        where necessary.
        * runtime/IntlObject.cpp:
        (JSC::MatcherResult): Add struct member initialization.

2018-06-23  Darin Adler  <darin@apple.com>

        [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=186973

        Reviewed by Dan Bernstein.

        * API/JSContext.mm:
        (WeakContextRef::WeakContextRef): Deleted.
        (WeakContextRef::~WeakContextRef): Deleted.
        (WeakContextRef::get): Deleted.
        (WeakContextRef::set): Deleted.

        * API/JSContextInternal.h: Removed unneeded header guards since this is
        an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
        of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
        since neither is used outside the class implementation.

        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]): Use a bridging cast.
        (-[JSManagedValue dealloc]): Ditto.
        (-[JSManagedValue didAddOwner:]): Ditto.
        (-[JSManagedValue didRemoveOwner:]): Ditto.
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
        (JSManagedValueHandleOwner::finalize): Ditto.
        * API/JSValue.mm:
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
        (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
        (-[JSValue valueForProperty:]): Ditto.
        (-[JSValue setValue:forProperty:]): Ditto.
        (-[JSValue deleteProperty:]): Ditto.
        (-[JSValue hasProperty:]): Ditto.
        (-[JSValue invokeMethod:withArguments:]): Ditto.
        (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
        (valueToArray): Ditto.
        (valueToDictionary): Ditto.
        (objectToValueWithoutCopy): Ditto.
        (objectToValue): Ditto.
        * API/JSVirtualMachine.mm:
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
        (-[JSVirtualMachine isOldExternalObject:]): Ditto.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
        (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
        (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
        (scanExternalObjectGraph): Ditto.
        (scanExternalRememberedSet): Ditto.
        * API/JSWrapperMap.mm:
        (makeWrapper): Ditto.
        (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
        (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
        (tryUnwrapObjcObject): Ditto.
        * API/ObjCCallbackFunction.mm:
        (blockSignatureContainsClass): Ditto.
        (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
        sure we will be keeping this the same way under ARC.
        (objCCallbackFunctionForBlock): Use a bridging cast.

        * API/ObjcRuntimeExtras.h:
        (protocolImplementsProtocol): Use a more specific type that includes the
        explicit __unsafe_unretained for copied protocol lists.
        (forEachProtocolImplementingProtocol): Ditto.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
        (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
        CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
        (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
        (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
        (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.

2018-06-30  Adam Barth  <abarth@webkit.org>

        Port JavaScriptCore to OS(FUCHSIA)
        https://bugs.webkit.org/show_bug.cgi?id=187223

        Reviewed by Daniel Bates.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
        * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
        (JSC::MachineContext::stackPointerImpl):
        (JSC::MachineContext::framePointerImpl):
        (JSC::MachineContext::instructionPointerImpl):
        (JSC::MachineContext::argumentPointer<1>):
        (JSC::MachineContext::llintInstructionPointer):

2018-06-30  David Kilzer  <ddkilzer@apple.com>

        Fix clang static analyzer warnings: Garbage return value
        <https://webkit.org/b/187224>

        Reviewed by Eric Carlson.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        - Use brace initialization for local variables.
        * debugger/DebuggerCallFrame.cpp:
        (class JSC::LineAndColumnFunctor):
        - Use class member initialization for member variables.

2018-06-29  Saam Barati  <sbarati@apple.com>

        Unreviewed. Try to fix Windows build after r233377

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):

2018-06-29  Saam Barati  <sbarati@apple.com>

        Don't use tracePoints in JS/Wasm entry
        https://bugs.webkit.org/show_bug.cgi?id=187196

        Reviewed by Mark Lam.

        This puts VM entry and Wasm entry tracePoints behind a runtime
        option. This is a ~4x speedup on a soon to be released Wasm
        benchmark. tracePoints should basically never run more than 50
        times a second. Entering the VM and entering Wasm are user controlled,
        and can happen hundreds of thousands of times in a second. Depending
        on how the Wasm/JS code is structured, this can be disastrous for
        performance.

        * runtime/Options.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

676 2018-06-29  Saam Barati  <sbarati@apple.com>
677
678         We shouldn't recurse into the parser when gathering metadata about various function offsets
679         https://bugs.webkit.org/show_bug.cgi?id=184074
680         <rdar://problem/37165897>
681
682         Reviewed by Mark Lam.
683
684         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
685         for that builtin. This required calling into the parser. However, the parser
686         may throw a stack overflow. We were not able to recover from that. The only
687         reason we called into the parser here is that we were gathering text offsets
688         and various metadata for things in the builtin function. This patch writes a
689         mini parser that figures this information out without calling into the full
690         parser. (I've also added a debug assert that verifies the mini parser stays in
691         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
692         always succeeds.
693
694         * builtins/AsyncFromSyncIteratorPrototype.js:
695         (globalPrivate.createAsyncFromSyncIterator):
696         (globalPrivate.AsyncFromSyncIteratorConstructor):
697         * builtins/BuiltinExecutables.cpp:
698         (JSC::BuiltinExecutables::createExecutable):
699         * builtins/GlobalOperations.js:
700         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
701         (globalPrivate.speciesConstructor):
702         (globalPrivate.copyDataProperties):
703         (globalPrivate.copyDataPropertiesNoExclusions):
704         * builtins/PromiseOperations.js:
705         (globalPrivate.newHandledRejectedPromise):
706         * builtins/RegExpPrototype.js:
707         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
708         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
709         * builtins/StringPrototype.js:
710         (globalPrivate.hasObservableSideEffectsForStringReplace):
711         (globalPrivate.getDefaultCollator):
712         * parser/Nodes.cpp:
713         (JSC::FunctionMetadataNode::FunctionMetadataNode):
714         (JSC::FunctionMetadataNode::operator== const):
715         (JSC::FunctionMetadataNode::dump const):
716         * parser/Nodes.h:
717         * parser/Parser.h:
718         (JSC::parse):
719         * parser/ParserError.h:
720         (JSC::ParserError::type const):
721         * parser/ParserTokens.h:
722         (JSC::JSTextPosition::operator== const):
723         (JSC::JSTextPosition::operator!= const):
724         * parser/SourceCode.h:
725         (JSC::SourceCode::operator== const):
726         (JSC::SourceCode::operator!= const):
727         (JSC::SourceCode::subExpression const):
728         (JSC::SourceCode::subExpression): Deleted.
729
730 2018-06-28  Michael Saboff  <msaboff@apple.com>
731   
732         IsoCellSet::sweepToFreeList() not safe when Full GC in process
733         https://bugs.webkit.org/show_bug.cgi?id=187157
734
735         Reviewed by Mark Lam.
736
737         * heap/IsoCellSet.cpp:
738         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
739         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
740         or not we are in the process of marking during a full GC.
741         * heap/MarkedBlock.h:
742         * heap/MarkedBlockInlines.h:
743         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
744
745 2018-06-27  Saam Barati  <sbarati@apple.com>
746
747         Add some more register state information when we crash in repatchPutById
748         https://bugs.webkit.org/show_bug.cgi?id=187112
749
750         Reviewed by Mark Lam.
751
752         This will help us gather info when we end up seeing an ObjectPropertyConditionSet
753         with an offset that is different than what the put tells us.
754
755         * jit/Repatch.cpp:
756         (JSC::tryCachePutByID):
757
758 2018-06-27  Mark Lam  <mark.lam@apple.com>
759
760         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
761         https://bugs.webkit.org/show_bug.cgi?id=187119
762
763         Reviewed by Keith Miller.
764
765         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
766         should be checking for codeBlock instead of !codeBlock
767         before using the codeBlock.
768
769         I also renamed some other "print" functions to use "dump" instead
770         to match the underlying C++ code that they call, e.g.
771         CodeBlock::dumpSource().
772
773         * tools/JSDollarVM.cpp:
774         (WTF::JSDollarVMCallFrame::finishCreation):
775         (JSC::functionDumpSourceFor):
776         (JSC::functionDumpBytecodeFor):
777         (JSC::doPrint):
778         (JSC::functionDataLog):
779         (JSC::functionPrint):
780         (JSC::functionDumpCallFrame):
781         (JSC::functionDumpStack):
782         (JSC::JSDollarVM::finishCreation):
783         (JSC::functionPrintSourceFor): Deleted.
784         (JSC::functionPrintBytecodeFor): Deleted.
785         (JSC::doPrintln): Deleted.
786         (JSC::functionPrintln): Deleted.
787         (JSC::functionPrintCallFrame): Deleted.
788         (JSC::functionPrintStack): Deleted.
789         * tools/VMInspector.cpp:
790         (JSC::DumpFrameFunctor::DumpFrameFunctor):
791         (JSC::DumpFrameFunctor::operator() const):
792         (JSC::VMInspector::dumpCallFrame):
793         (JSC::VMInspector::dumpStack):
794         (JSC::VMInspector::dumpValue):
795         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
796         (JSC::PrintFrameFunctor::operator() const): Deleted.
797         (JSC::VMInspector::printCallFrame): Deleted.
798         (JSC::VMInspector::printStack): Deleted.
799         (JSC::VMInspector::printValue): Deleted.
800         * tools/VMInspector.h:
801
802 2018-06-27  Keith Miller  <keith_miller@apple.com>
803
804         Add logging to try to diagnose where we get a null structure.
805         https://bugs.webkit.org/show_bug.cgi?id=187106
806
807         Reviewed by Mark Lam.
808
809         Add logging to JSObject::toPrimitive to help diagnose a nullptr
810         structure crash.
811
812         This code should be removed when we fix <rdar://problem/33451840>.
813
814         * runtime/JSObject.cpp:
815         (JSC::callToPrimitiveFunction):
816         * runtime/JSObject.h:
817         (JSC::JSObject::getPropertySlot):
818
819 2018-06-27  Mark Lam  <mark.lam@apple.com>
820
821         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
822         https://bugs.webkit.org/show_bug.cgi?id=187091
823         <rdar://problem/41395624>
824
825         Reviewed by Yusuke Suzuki.
826
827         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
828         took their slow paths, the slow path would jump back to the fast path right after
829         the emitted code which clears the unused property values.  As a result, the
830         unused properties are not initialized.  We've fixed this by adding the slow path
831         generators before we emit the code to clear the unused properties.
832
833         * dfg/DFGSpeculativeJIT.cpp:
834         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
835         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
836
837 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
838
839         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
840         https://bugs.webkit.org/show_bug.cgi?id=185943
841
842         Reviewed by Mark Lam.
843
844         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
845         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
846         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
847         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
848
849         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
850         but it should be done in a separate patch since it would be performance sensitive.
851
852         * bytecompiler/NodesCodegen.cpp:
853         (JSC::ArrayPatternNode::emitDirectBinding):
854
855 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
856
857         [JSC] Pass VM& to functions more
858         https://bugs.webkit.org/show_bug.cgi?id=186241
859
860         Reviewed by Mark Lam.
861
862         This patch threads VM& to functions requiring VM& more.
863
864         * API/JSObjectRef.cpp:
865         (JSObjectIsConstructor):
866         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
867         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
868         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
869         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
870         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
871         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
872         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
873         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
874         * bytecode/CodeBlockJettisoningWatchpoint.h:
875         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
876         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
877         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
878         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
879         * bytecode/StructureStubClearingWatchpoint.cpp:
880         (JSC::StructureStubClearingWatchpoint::fireInternal):
881         * bytecode/StructureStubClearingWatchpoint.h:
882         * bytecode/Watchpoint.cpp:
883         (JSC::Watchpoint::fire):
884         (JSC::WatchpointSet::fireAllWatchpoints):
885         * bytecode/Watchpoint.h:
886         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
887         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
888         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
889         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
890         (JSC::DFG::AdaptiveStructureWatchpoint::install):
891         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
892         * dfg/DFGAdaptiveStructureWatchpoint.h:
893         * dfg/DFGDesiredWatchpoints.cpp:
894         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
895         * llint/LLIntSlowPaths.cpp:
896         (JSC::LLInt::setupGetByIdPrototypeCache):
897         * runtime/ArrayPrototype.cpp:
898         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
899         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
900         * runtime/ECMAScriptSpecInternalFunctions.cpp:
901         (JSC::esSpecIsConstructor):
902         * runtime/FunctionRareData.cpp:
903         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
904         * runtime/FunctionRareData.h:
905         * runtime/InferredStructureWatchpoint.cpp:
906         (JSC::InferredStructureWatchpoint::fireInternal):
907         * runtime/InferredStructureWatchpoint.h:
908         * runtime/InternalFunction.cpp:
909         (JSC::InternalFunction::createSubclassStructureSlow):
910         * runtime/InternalFunction.h:
911         (JSC::InternalFunction::createSubclassStructure):
912         * runtime/JSCJSValue.h:
913         * runtime/JSCJSValueInlines.h:
914         (JSC::JSValue::isConstructor const):
915         * runtime/JSCell.h:
916         * runtime/JSCellInlines.h:
917         (JSC::JSCell::isConstructor):
918         (JSC::JSCell::methodTable const):
919         * runtime/JSGlobalObject.cpp:
920         (JSC::JSGlobalObject::init):
921         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
922         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
923         * runtime/ProxyObject.cpp:
924         (JSC::ProxyObject::finishCreation):
925         * runtime/ReflectObject.cpp:
926         (JSC::reflectObjectConstruct):
927         * runtime/StructureRareData.cpp:
928         (JSC::StructureRareData::setObjectToStringValue):
929         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
930         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
931         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
932
933 2018-06-26  Mark Lam  <mark.lam@apple.com>
934
935         eval() is wrong about the LiteralParser never throwing any exceptions.
936         https://bugs.webkit.org/show_bug.cgi?id=187074
937         <rdar://problem/41461099>
938
939         Reviewed by Saam Barati.
940
941         Added the missing exception check, and removed an erroneous assertion.
942
943         * interpreter/Interpreter.cpp:
944         (JSC::eval):
945
946 2018-06-26  Saam Barati  <sbarati@apple.com>
947
948         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
949         https://bugs.webkit.org/show_bug.cgi?id=186878
950         <rdar://problem/40568659>
951
952         Reviewed by Filip Pizlo.
953
954         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
955         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
956         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
957         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
958         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
959         the conservative scan knows to treat it like a butterfly when we may be
960         pointing into the middle of it.
961         
962         The way we were crashing on the stress GC bots is that our conservative marking
963         won't do cell visiting for things that are Auxiliary. This meant that if the
964         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
965         that JSImmutableButterfly would not be visited. This is now fixed.
966
967         * bytecompiler/NodesCodegen.cpp:
968         (JSC::ArrayNode::emitBytecode):
969         * debugger/Debugger.cpp:
970         * heap/ConservativeRoots.cpp:
971         (JSC::ConservativeRoots::genericAddPointer):
972         * heap/Heap.cpp:
973         (JSC::GatherHeapSnapshotData::operator() const):
974         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
975         (JSC::Heap::globalObjectCount):
976         (JSC::Heap::objectTypeCounts):
977         (JSC::Heap::deleteAllCodeBlocks):
978         * heap/HeapCell.cpp:
979         (WTF::printInternal):
980         * heap/HeapCell.h:
981         (JSC::isJSCellKind):
982         (JSC::hasInteriorPointers):
983         * heap/HeapUtil.h:
984         (JSC::HeapUtil::findGCObjectPointersForMarking):
985         (JSC::HeapUtil::isPointerGCObjectJSCell):
986         * heap/MarkedBlock.cpp:
987         (JSC::MarkedBlock::Handle::didAddToDirectory):
988         * heap/SlotVisitor.cpp:
989         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
990         * runtime/JSGlobalObject.cpp:
991         * runtime/JSImmutableButterfly.h:
992         (JSC::JSImmutableButterfly::subspaceFor):
993         * runtime/VM.cpp:
994         (JSC::VM::VM):
995         * runtime/VM.h:
996         * tools/CellProfile.h:
997         (JSC::CellProfile::CellProfile):
998         (JSC::CellProfile::isJSCell const):
999         * tools/HeapVerifier.cpp:
1000         (JSC::HeapVerifier::validateCell):
1001
1002 2018-06-26  Mark Lam  <mark.lam@apple.com>
1003
1004         Skip some unnecessary work in Interpreter::getStackTrace().
1005         https://bugs.webkit.org/show_bug.cgi?id=187070
1006
1007         Reviewed by Michael Saboff.
1008
1009         * interpreter/Interpreter.cpp:
1010         (JSC::Interpreter::getStackTrace):
1011
1012 2018-06-26  Mark Lam  <mark.lam@apple.com>
1013
1014         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
1015         https://bugs.webkit.org/show_bug.cgi?id=187060
1016         <rdar://problem/41452767>
1017
1018         Reviewed by Keith Miller.
1019
1020         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
1021         write conversion.  Hence, we can return early after the conversion if the vector
1022         length is already sufficient to cover the requested length.
1023
1024         * runtime/JSObject.cpp:
1025         (JSC::JSObject::ensureLengthSlow):
1026
1027 2018-06-26  Commit Queue  <commit-queue@webkit.org>
1028
1029         Unreviewed, rolling out r233184.
1030         https://bugs.webkit.org/show_bug.cgi?id=187059
1031
1032         "It regressed JetStream between 5-8%" (Requested by saamyjoon
1033         on #webkit).
1034
1035         Reverted changeset:
1036
1037         "JSImmutableButterfly can't be allocated from a subspace with
1038         HeapCell::Kind::Auxiliary"
1039         https://bugs.webkit.org/show_bug.cgi?id=186878
1040         https://trac.webkit.org/changeset/233184
1041
1042 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1043
1044         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
1045         https://bugs.webkit.org/show_bug.cgi?id=187051
1046
1047         Reviewed by Mark Lam.
1048
1049         Revert the r233065 changes to UnlinkedCodeBlock.h to allow
1050         clang-3.8 to compile it again (with libstdc++-5).
1051
1052         * bytecode/UnlinkedCodeBlock.h:
1053         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1054
1055 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
1056
1057         Fix testapi build when DFG_JIT is disabled
1058         https://bugs.webkit.org/show_bug.cgi?id=187038
1059
1060         Reviewed by Mark Lam.
1061
1062         r233158 added a new API and tests for configuring the number of JIT threads, but
1063         the API is only available when DFG_JIT is enabled, and so the tests should be too.
1064
1065         * API/tests/testapi.mm:
1066         (runJITThreadLimitTests):
1067
1068 2018-06-25  Saam Barati  <sbarati@apple.com>
1069
1070         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1071         https://bugs.webkit.org/show_bug.cgi?id=186878
1072         <rdar://problem/40568659>
1073
1074         Reviewed by Mark Lam.
1075
1076         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1077         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1078         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
1079         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
1080         bots is that our conservative marking won't do cell marking for things that
1081         are Auxiliary. This means that if the stack is the only thing pointing to a
1082         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
1083         not be visited. This patch fixes this bug. This patch also extends our conservative
1084         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
1085
1086         * bytecompiler/NodesCodegen.cpp:
1087         (JSC::ArrayNode::emitBytecode):
1088         * heap/HeapUtil.h:
1089         (JSC::HeapUtil::findGCObjectPointersForMarking):
1090         * runtime/JSImmutableButterfly.h:
1091         (JSC::JSImmutableButterfly::subspaceFor):
1092
1093 2018-06-25  Mark Lam  <mark.lam@apple.com>
1094
1095         constructArray() should set m_numValuesInVector to the specified length.
1096         https://bugs.webkit.org/show_bug.cgi?id=187010
1097         <rdar://problem/41392167>
1098
1099         Reviewed by Filip Pizlo.
1100
1101         Its client will fill in the storage vector with some values using initializeIndex()
1102         and expects m_numValuesInVector to be set to the length, i.e. the number of values
1103         to be initialized.
1104
1105         * runtime/JSArray.cpp:
1106         (JSC::constructArray):
1107
1108 2018-06-25  Mark Lam  <mark.lam@apple.com>
1109
1110         Add missing exception check in RegExpObjectInlines.h's collectMatches.
1111         https://bugs.webkit.org/show_bug.cgi?id=187006
1112         <rdar://problem/41418412>
1113
1114         Reviewed by Keith Miller.
1115
1116         * runtime/RegExpObjectInlines.h:
1117         (JSC::collectMatches):
1118
1119 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
1120
1121         Add API for configuring the number of threads used by DFG and FTL
1122         https://bugs.webkit.org/show_bug.cgi?id=186859
1123         <rdar://problem/41093519>
1124
1125         Reviewed by Filip Pizlo.
1126
1127         Add new private APIs for limiting the number of threads to be used by
1128         the DFG and FTL compilers. It was already possible to configure the
1129         limit through JSC Options, but now it can be changed at runtime, even
1130         in the case when the VM is already running.
1131
1132         Add a test for both cases: when trying to configure the limit before
1133         and after the Worklist has been created, but in order to simulate the
1134         first scenario, we must guarantee that the test runs at the very
1135         beginning, so I also added a check for that.
1136
1137         * API/JSVirtualMachine.mm:
1138         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
1139         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
1140         * API/JSVirtualMachinePrivate.h:
1141         * API/tests/testapi.mm:
1142         (runJITThreadLimitTests):
1143         (testObjectiveCAPIMain):
1144         * dfg/DFGWorklist.cpp:
1145         (JSC::DFG::Worklist::finishCreation):
1146         (JSC::DFG::Worklist::createNewThread):
1147         (JSC::DFG::Worklist::setNumberOfThreads):
1148         * dfg/DFGWorklist.h:
1149
1150 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1151
1152         [JSC] Remove unnecessary PLATFORM guards
1153         https://bugs.webkit.org/show_bug.cgi?id=186995
1154
1155         Reviewed by Mark Lam.
1156
1157         * assembler/AssemblerCommon.h:
1158         (JSC::isIOS):
1159         Add constexpr.
1160
1161         * inspector/JSGlobalObjectInspectorController.cpp:
1162         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1163         StackFrame works on all platforms. If StackFrame::demangle fails,
1164         it just returns std::nullopt, and that is correctly handled in this code.
1165
1166 2018-06-23  Mark Lam  <mark.lam@apple.com>
1167
1168         Add more debugging features to $vm.
1169         https://bugs.webkit.org/show_bug.cgi?id=186947
1170
1171         Reviewed by Keith Miller.
1172
1173         Adding the following features:
1174
1175             // We now have println in addition to print.
1176             // println automatically adds a '\n' at the end.
1177             $vm.println("Hello");
1178
1179             // We can now capture some info about a stack frame.
1180             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
1181             var callerCallerFrame = $vm.callFrame(2);
1182
1183             // We can inspect the following values associated with the frame:
1184             if (currentFrame.valid) {
1185                 $vm.println("name is ", currentFrame.name);
1186
1187                 // Note: For a WASM frame, all of these will be undefined.
1188                 $vm.println("callee is ", $vm.value(currentFrame.callee));
1189                 $vm.println("codeBlock is ", currentFrame.codeBlock);
1190                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
1191                 $vm.println("executable is ", currentFrame.executable);
1192             }
1193
1194             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
1195             // to dataLog its JSValue instead of its toString() result.
1196
1197             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
1198             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
1199             // toString on a non-object.
1200
1201             // Does what it says about enabling/disabling debugger mode.
1202             $vm.enableDebuggerModeWhenIdle();
1203             $vm.disableDebuggerModeWhenIdle();
1204
1205         * tools/JSDollarVM.cpp:
1206         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
1207         (WTF::JSDollarVMCallFrame::createStructure):
1208         (WTF::JSDollarVMCallFrame::create):
1209         (WTF::JSDollarVMCallFrame::finishCreation):
1210         (WTF::JSDollarVMCallFrame::addProperty):
1211         (JSC::functionCallFrame):
1212         (JSC::functionCodeBlockForFrame):
1213         (JSC::codeBlockFromArg):
1214         (JSC::doPrintln):
1215         (JSC::functionPrint):
1216         (JSC::functionPrintln):
1217         (JSC::changeDebuggerModeWhenIdle):
1218         (JSC::functionEnableDebuggerModeWhenIdle):
1219         (JSC::functionDisableDebuggerModeWhenIdle):
1220         (JSC::JSDollarVM::finishCreation):
1221
1222 2018-06-22  Keith Miller  <keith_miller@apple.com>
1223
1224         We need to have a getDirectConcurrently for use in the compilers
1225         https://bugs.webkit.org/show_bug.cgi?id=186954
1226
1227         Reviewed by Mark Lam.
1228
1229         It used to be that the propertyStorage of an object never shrank,
1230         so if you called getDirect with some offset it would never be an
1231         OOB read. However, this property storage can shrink when calling
1232         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
1233         holds the Structure's ConcurrentJSLock while shrinking. This patch
1234         adds a getDirectConcurrently that will safely try to load from the
1235         butterfly.
1236
1237         * bytecode/ObjectPropertyConditionSet.cpp:
1238         * bytecode/PropertyCondition.cpp:
1239         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1240         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1241         * dfg/DFGGraph.cpp:
1242         (JSC::DFG::Graph::tryGetConstantProperty):
1243         * runtime/JSObject.h:
1244         (JSC::JSObject::getDirectConcurrently const):
1245
1246 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1247
1248         [WTF] Use Ref<> for the result type of non-failing factory functions
1249         https://bugs.webkit.org/show_bug.cgi?id=186920
1250
1251         Reviewed by Darin Adler.
1252
1253         * dfg/DFGWorklist.cpp:
1254         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1255         (JSC::DFG::Worklist::finishCreation):
1256         * dfg/DFGWorklist.h:
1257         * heap/Heap.cpp:
1258         (JSC::Heap::Thread::Thread):
1259         * heap/Heap.h:
1260         * jit/JITWorklist.cpp:
1261         (JSC::JITWorklist::Thread::Thread):
1262         * jit/JITWorklist.h:
1263         * runtime/VMTraps.cpp:
1264         * runtime/VMTraps.h:
1265         * wasm/WasmWorklist.cpp:
1266         * wasm/WasmWorklist.h:
1267
1268 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1269
1270         [WTF] Add user-defined literal for ASCIILiteral
1271         https://bugs.webkit.org/show_bug.cgi?id=186839
1272
1273         Reviewed by Darin Adler.
1274
1275         * API/JSCallbackObjectFunctions.h:
1276         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1277         (JSC::JSCallbackObject<Parent>::callbackGetter):
1278         * API/JSObjectRef.cpp:
1279         (JSObjectMakeFunctionWithCallback):
1280         * API/JSTypedArray.cpp:
1281         (JSObjectGetArrayBufferBytesPtr):
1282         * API/JSValue.mm:
1283         (valueToArray):
1284         (valueToDictionary):
1285         * API/ObjCCallbackFunction.mm:
1286         (JSC::objCCallbackFunctionCallAsFunction):
1287         (JSC::objCCallbackFunctionCallAsConstructor):
1288         (JSC::ObjCCallbackFunctionImpl::call):
1289         * API/glib/JSCCallbackFunction.cpp:
1290         (JSC::JSCCallbackFunction::call):
1291         (JSC::JSCCallbackFunction::construct):
1292         * API/glib/JSCContext.cpp:
1293         (jscContextJSValueToGValue):
1294         * API/glib/JSCValue.cpp:
1295         (jsc_value_object_define_property_accessor):
1296         (jscValueFunctionCreate):
1297         * builtins/BuiltinUtils.h:
1298         * bytecode/CodeBlock.cpp:
1299         (JSC::CodeBlock::nameForRegister):
1300         * bytecompiler/BytecodeGenerator.cpp:
1301         (JSC::BytecodeGenerator::emitEnumeration):
1302         (JSC::BytecodeGenerator::emitIteratorNext):
1303         (JSC::BytecodeGenerator::emitIteratorClose):
1304         (JSC::BytecodeGenerator::emitDelegateYield):
1305         * bytecompiler/NodesCodegen.cpp:
1306         (JSC::FunctionCallValueNode::emitBytecode):
1307         (JSC::PostfixNode::emitBytecode):
1308         (JSC::PrefixNode::emitBytecode):
1309         (JSC::AssignErrorNode::emitBytecode):
1310         (JSC::ForInNode::emitBytecode):
1311         (JSC::ForOfNode::emitBytecode):
1312         (JSC::ClassExprNode::emitBytecode):
1313         (JSC::ObjectPatternNode::bindValue const):
1314         * dfg/DFGDriver.cpp:
1315         (JSC::DFG::compileImpl):
1316         * dfg/DFGOperations.cpp:
1317         (JSC::DFG::newTypedArrayWithSize):
1318         * dfg/DFGStrengthReductionPhase.cpp:
1319         (JSC::DFG::StrengthReductionPhase::handleNode):
1320         * inspector/ConsoleMessage.cpp:
1321         (Inspector::ConsoleMessage::addToFrontend):
1322         (Inspector::ConsoleMessage::clear):
1323         * inspector/ContentSearchUtilities.cpp:
1324         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
1325         * inspector/InjectedScript.cpp:
1326         (Inspector::InjectedScript::InjectedScript):
1327         (Inspector::InjectedScript::evaluate):
1328         (Inspector::InjectedScript::callFunctionOn):
1329         (Inspector::InjectedScript::evaluateOnCallFrame):
1330         (Inspector::InjectedScript::getFunctionDetails):
1331         (Inspector::InjectedScript::functionDetails):
1332         (Inspector::InjectedScript::getPreview):
1333         (Inspector::InjectedScript::getProperties):
1334         (Inspector::InjectedScript::getDisplayableProperties):
1335         (Inspector::InjectedScript::getInternalProperties):
1336         (Inspector::InjectedScript::getCollectionEntries):
1337         (Inspector::InjectedScript::saveResult):
1338         (Inspector::InjectedScript::wrapCallFrames const):
1339         (Inspector::InjectedScript::wrapObject const):
1340         (Inspector::InjectedScript::wrapJSONString const):
1341         (Inspector::InjectedScript::wrapTable const):
1342         (Inspector::InjectedScript::previewValue const):
1343         (Inspector::InjectedScript::setExceptionValue):
1344         (Inspector::InjectedScript::clearExceptionValue):
1345         (Inspector::InjectedScript::findObjectById const):
1346         (Inspector::InjectedScript::inspectObject):
1347         (Inspector::InjectedScript::releaseObject):
1348         (Inspector::InjectedScript::releaseObjectGroup):
1349         * inspector/InjectedScriptBase.cpp:
1350         (Inspector::InjectedScriptBase::makeEvalCall):
1351         * inspector/InjectedScriptManager.cpp:
1352         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1353         * inspector/InjectedScriptModule.cpp:
1354         (Inspector::InjectedScriptModule::ensureInjected):
1355         * inspector/InspectorBackendDispatcher.cpp:
1356         (Inspector::BackendDispatcher::dispatch):
1357         (Inspector::BackendDispatcher::sendResponse):
1358         (Inspector::BackendDispatcher::sendPendingErrors):
1359         * inspector/JSGlobalObjectConsoleClient.cpp:
1360         (Inspector::JSGlobalObjectConsoleClient::profile):
1361         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
1362         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
1363         * inspector/JSGlobalObjectInspectorController.cpp:
1364         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1365         * inspector/JSInjectedScriptHost.cpp:
1366         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1367         (Inspector::JSInjectedScriptHost::subtype):
1368         (Inspector::JSInjectedScriptHost::getInternalProperties):
1369         * inspector/JSJavaScriptCallFrame.cpp:
1370         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1371         (Inspector::JSJavaScriptCallFrame::type const):
1372         * inspector/ScriptArguments.cpp:
1373         (Inspector::ScriptArguments::getFirstArgumentAsString):
1374         * inspector/ScriptCallStackFactory.cpp:
1375         (Inspector::extractSourceInformationFromException):
1376         * inspector/agents/InspectorAgent.cpp:
1377         (Inspector::InspectorAgent::InspectorAgent):
1378         * inspector/agents/InspectorConsoleAgent.cpp:
1379         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
1380         (Inspector::InspectorConsoleAgent::clearMessages):
1381         (Inspector::InspectorConsoleAgent::count):
1382         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
1383         * inspector/agents/InspectorDebuggerAgent.cpp:
1384         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
1385         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1386         (Inspector::buildObjectForBreakpointCookie):
1387         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1388         (Inspector::parseLocation):
1389         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1390         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1391         (Inspector::InspectorDebuggerAgent::continueToLocation):
1392         (Inspector::InspectorDebuggerAgent::searchInContent):
1393         (Inspector::InspectorDebuggerAgent::getScriptSource):
1394         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1395         (Inspector::InspectorDebuggerAgent::resume):
1396         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1397         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1398         (Inspector::InspectorDebuggerAgent::didParseSource):
1399         (Inspector::InspectorDebuggerAgent::assertPaused):
1400         * inspector/agents/InspectorHeapAgent.cpp:
1401         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1402         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
1403         (Inspector::InspectorHeapAgent::getPreview):
1404         (Inspector::InspectorHeapAgent::getRemoteObject):
1405         * inspector/agents/InspectorRuntimeAgent.cpp:
1406         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1407         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1408         (Inspector::InspectorRuntimeAgent::getPreview):
1409         (Inspector::InspectorRuntimeAgent::getProperties):
1410         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1411         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1412         (Inspector::InspectorRuntimeAgent::saveResult):
1413         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1414         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1415         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1416         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1417         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1418         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1419         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1420         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1421         * inspector/scripts/codegen/cpp_generator_templates.py:
1422         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1423         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1424         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1425         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1426         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1427         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1428         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1429         (CppProtocolTypesImplementationGenerator):
1430         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1431         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1432         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1433         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1434         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1435         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1436         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1437         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
1438         * inspector/scripts/codegen/objc_generator_templates.py:
1439         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1440         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1441         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1442         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1443         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1444         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1445         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1446         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1447         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1448         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1449         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1450         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1451         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1452         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1453         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1454         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1455         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1456         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1457         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1458         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1459         * interpreter/CallFrame.cpp:
1460         (JSC::CallFrame::friendlyFunctionName):
1461         * interpreter/Interpreter.cpp:
1462         (JSC::Interpreter::execute):
1463         * interpreter/StackVisitor.cpp:
1464         (JSC::StackVisitor::Frame::functionName const):
1465         (JSC::StackVisitor::Frame::sourceURL const):
1466         * jit/JIT.cpp:
1467         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1468         * jit/JITOperations.cpp:
1469         * jsc.cpp:
1470         (resolvePath):
1471         (GlobalObject::moduleLoaderImportModule):
1472         (GlobalObject::moduleLoaderResolve):
1473         (functionDescribeArray):
1474         (functionRun):
1475         (functionLoad):
1476         (functionCheckSyntax):
1477         (functionDollarEvalScript):
1478         (functionDollarAgentStart):
1479         (functionDollarAgentReceiveBroadcast):
1480         (functionDollarAgentBroadcast):
1481         (functionTransferArrayBuffer):
1482         (functionLoadModule):
1483         (functionSamplingProfilerStackTraces):
1484         (functionAsyncTestStart):
1485         (functionWebAssemblyMemoryMode):
1486         (runWithOptions):
1487         * parser/Lexer.cpp:
1488         (JSC::Lexer<T>::invalidCharacterMessage const):
1489         (JSC::Lexer<T>::parseString):
1490         (JSC::Lexer<T>::parseComplexEscape):
1491         (JSC::Lexer<T>::parseStringSlowCase):
1492         (JSC::Lexer<T>::parseTemplateLiteral):
1493         (JSC::Lexer<T>::lex):
1494         * parser/Parser.cpp:
1495         (JSC::Parser<LexerType>::parseInner):
1496         * parser/Parser.h:
1497         (JSC::Parser::setErrorMessage):
1498         * runtime/AbstractModuleRecord.cpp:
1499         (JSC::AbstractModuleRecord::finishCreation):
1500         * runtime/ArrayBuffer.cpp:
1501         (JSC::errorMesasgeForTransfer):
1502         * runtime/ArrayBufferSharingMode.h:
1503         (JSC::arrayBufferSharingModeName):
1504         * runtime/ArrayConstructor.cpp:
1505         (JSC::constructArrayWithSizeQuirk):
1506         (JSC::isArraySlowInline):
1507         * runtime/ArrayPrototype.cpp:
1508         (JSC::setLength):
1509         (JSC::shift):
1510         (JSC::unshift):
1511         (JSC::arrayProtoFuncPop):
1512         (JSC::arrayProtoFuncReverse):
1513         (JSC::arrayProtoFuncUnShift):
1514         * runtime/AtomicsObject.cpp:
1515         (JSC::atomicsFuncWait):
1516         (JSC::atomicsFuncWake):
1517         * runtime/BigIntConstructor.cpp:
1518         (JSC::BigIntConstructor::finishCreation):
1519         (JSC::toBigInt):
1520         (JSC::callBigIntConstructor):
1521         * runtime/BigIntObject.cpp:
1522         (JSC::BigIntObject::toStringName):
1523         * runtime/BigIntPrototype.cpp:
1524         (JSC::bigIntProtoFuncToString):
1525         (JSC::bigIntProtoFuncValueOf):
1526         * runtime/CommonSlowPaths.cpp:
1527         (JSC::SLOW_PATH_DECL):
1528         * runtime/ConsoleClient.cpp:
1529         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1530         * runtime/ConsoleObject.cpp:
1531         (JSC::valueOrDefaultLabelString):
1532         (JSC::consoleProtoFuncTime):
1533         (JSC::consoleProtoFuncTimeEnd):
1534         * runtime/DatePrototype.cpp:
1535         (JSC::formatLocaleDate):
1536         (JSC::formateDateInstance):
1537         (JSC::DatePrototype::finishCreation):
1538         (JSC::dateProtoFuncToISOString):
1539         (JSC::dateProtoFuncToJSON):
1540         * runtime/Error.cpp:
1541         (JSC::createNotEnoughArgumentsError):
1542         (JSC::throwSyntaxError):
1543         (JSC::createTypeError):
1544         (JSC::createOutOfMemoryError):
1545         * runtime/Error.h:
1546         (JSC::throwVMError):
1547         * runtime/ErrorConstructor.cpp:
1548         (JSC::ErrorConstructor::finishCreation):
1549         * runtime/ErrorInstance.cpp:
1550         (JSC::ErrorInstance::sanitizedToString):
1551         * runtime/ErrorPrototype.cpp:
1552         (JSC::ErrorPrototype::finishCreation):
1553         (JSC::errorProtoFuncToString):
1554         * runtime/ExceptionFuzz.cpp:
1555         (JSC::doExceptionFuzzing):
1556         * runtime/ExceptionHelpers.cpp:
1557         (JSC::TerminatedExecutionError::defaultValue):
1558         (JSC::createStackOverflowError):
1559         (JSC::createNotAConstructorError):
1560         (JSC::createNotAFunctionError):
1561         (JSC::createNotAnObjectError):
1562         * runtime/GetterSetter.cpp:
1563         (JSC::callSetter):
1564         * runtime/IntlCollator.cpp:
1565         (JSC::sortLocaleData):
1566         (JSC::searchLocaleData):
1567         (JSC::IntlCollator::initializeCollator):
1568         (JSC::IntlCollator::compareStrings):
1569         (JSC::IntlCollator::usageString):
1570         (JSC::IntlCollator::sensitivityString):
1571         (JSC::IntlCollator::caseFirstString):
1572         (JSC::IntlCollator::resolvedOptions):
1573         * runtime/IntlCollator.h:
1574         * runtime/IntlCollatorConstructor.cpp:
1575         (JSC::IntlCollatorConstructor::finishCreation):
1576         * runtime/IntlCollatorPrototype.cpp:
1577         (JSC::IntlCollatorPrototypeGetterCompare):
1578         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1579         * runtime/IntlDateTimeFormat.cpp:
1580         (JSC::defaultTimeZone):
1581         (JSC::canonicalizeTimeZoneName):
1582         (JSC::IntlDTFInternal::localeData):
1583         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
1584         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1585         (JSC::IntlDateTimeFormat::weekdayString):
1586         (JSC::IntlDateTimeFormat::eraString):
1587         (JSC::IntlDateTimeFormat::yearString):
1588         (JSC::IntlDateTimeFormat::monthString):
1589         (JSC::IntlDateTimeFormat::dayString):
1590         (JSC::IntlDateTimeFormat::hourString):
1591         (JSC::IntlDateTimeFormat::minuteString):
1592         (JSC::IntlDateTimeFormat::secondString):
1593         (JSC::IntlDateTimeFormat::timeZoneNameString):
1594         (JSC::IntlDateTimeFormat::resolvedOptions):
1595         (JSC::IntlDateTimeFormat::format):
1596         (JSC::IntlDateTimeFormat::partTypeString):
1597         (JSC::IntlDateTimeFormat::formatToParts):
1598         * runtime/IntlDateTimeFormat.h:
1599         * runtime/IntlDateTimeFormatConstructor.cpp:
1600         (JSC::IntlDateTimeFormatConstructor::finishCreation):
1601         * runtime/IntlDateTimeFormatPrototype.cpp:
1602         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
1603         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1604         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1605         * runtime/IntlNumberFormat.cpp:
1606         (JSC::IntlNumberFormat::initializeNumberFormat):
1607         (JSC::IntlNumberFormat::formatNumber):
1608         (JSC::IntlNumberFormat::styleString):
1609         (JSC::IntlNumberFormat::currencyDisplayString):
1610         (JSC::IntlNumberFormat::resolvedOptions):
1611         (JSC::IntlNumberFormat::partTypeString):
1612         (JSC::IntlNumberFormat::formatToParts):
1613         * runtime/IntlNumberFormat.h:
1614         * runtime/IntlNumberFormatConstructor.cpp:
1615         (JSC::IntlNumberFormatConstructor::finishCreation):
1616         * runtime/IntlNumberFormatPrototype.cpp:
1617         (JSC::IntlNumberFormatPrototypeGetterFormat):
1618         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1619         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1620         * runtime/IntlObject.cpp:
1621         (JSC::grandfatheredLangTag):
1622         (JSC::canonicalizeLocaleList):
1623         (JSC::resolveLocale):
1624         (JSC::supportedLocales):
1625         * runtime/IntlPluralRules.cpp:
1626         (JSC::IntlPluralRules::initializePluralRules):
1627         (JSC::IntlPluralRules::resolvedOptions):
1628         (JSC::IntlPluralRules::select):
1629         * runtime/IntlPluralRulesConstructor.cpp:
1630         (JSC::IntlPluralRulesConstructor::finishCreation):
1631         * runtime/IntlPluralRulesPrototype.cpp:
1632         (JSC::IntlPluralRulesPrototypeFuncSelect):
1633         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1634         * runtime/IteratorOperations.cpp:
1635         (JSC::iteratorNext):
1636         (JSC::iteratorClose):
1637         (JSC::hasIteratorMethod):
1638         (JSC::iteratorMethod):
1639         * runtime/JSArray.cpp:
1640         (JSC::JSArray::tryCreateUninitializedRestricted):
1641         (JSC::JSArray::defineOwnProperty):
1642         (JSC::JSArray::put):
1643         (JSC::JSArray::setLengthWithArrayStorage):
1644         (JSC::JSArray::appendMemcpy):
1645         (JSC::JSArray::pop):
1646         * runtime/JSArray.h:
1647         * runtime/JSArrayBufferConstructor.cpp:
1648         (JSC::JSArrayBufferConstructor::finishCreation):
1649         * runtime/JSArrayBufferPrototype.cpp:
1650         (JSC::arrayBufferProtoFuncSlice):
1651         (JSC::arrayBufferProtoGetterFuncByteLength):
1652         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1653         * runtime/JSArrayBufferView.cpp:
1654         (JSC::JSArrayBufferView::toStringName):
1655         * runtime/JSArrayInlines.h:
1656         (JSC::JSArray::pushInline):
1657         * runtime/JSBigInt.cpp:
1658         (JSC::JSBigInt::divide):
1659         (JSC::JSBigInt::remainder):
1660         (JSC::JSBigInt::toNumber const):
1661         * runtime/JSCJSValue.cpp:
1662         (JSC::JSValue::putToPrimitive):
1663         (JSC::JSValue::putToPrimitiveByIndex):
1664         (JSC::JSValue::toStringSlowCase const):
1665         * runtime/JSCJSValueInlines.h:
1666         (JSC::toPreferredPrimitiveType):
1667         * runtime/JSDataView.cpp:
1668         (JSC::JSDataView::create):
1669         (JSC::JSDataView::put):
1670         (JSC::JSDataView::defineOwnProperty):
1671         * runtime/JSDataViewPrototype.cpp:
1672         (JSC::getData):
1673         (JSC::setData):
1674         * runtime/JSFunction.cpp:
1675         (JSC::JSFunction::callerGetter):
1676         (JSC::JSFunction::put):
1677         (JSC::JSFunction::defineOwnProperty):
1678         * runtime/JSGenericTypedArrayView.h:
1679         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1680         (JSC::constructGenericTypedArrayViewWithArguments):
1681         (JSC::constructGenericTypedArrayView):
1682         * runtime/JSGenericTypedArrayViewInlines.h:
1683         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
1684         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1685         (JSC::speciesConstruct):
1686         (JSC::genericTypedArrayViewProtoFuncSet):
1687         (JSC::genericTypedArrayViewProtoFuncIndexOf):
1688         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
1689         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1690         * runtime/JSGlobalObject.cpp:
1691         (JSC::JSGlobalObject::init):
1692         * runtime/JSGlobalObjectDebuggable.cpp:
1693         (JSC::JSGlobalObjectDebuggable::name const):
1694         * runtime/JSGlobalObjectFunctions.cpp:
1695         (JSC::encode):
1696         (JSC::decode):
1697         (JSC::globalFuncProtoSetter):
1698         * runtime/JSGlobalObjectFunctions.h:
1699         * runtime/JSMap.cpp:
1700         (JSC::JSMap::toStringName):
1701         * runtime/JSModuleEnvironment.cpp:
1702         (JSC::JSModuleEnvironment::put):
1703         * runtime/JSModuleNamespaceObject.cpp:
1704         (JSC::JSModuleNamespaceObject::put):
1705         (JSC::JSModuleNamespaceObject::putByIndex):
1706         (JSC::JSModuleNamespaceObject::defineOwnProperty):
1707         * runtime/JSONObject.cpp:
1708         (JSC::Stringifier::appendStringifiedValue):
1709         (JSC::JSONProtoFuncParse):
1710         (JSC::JSONProtoFuncStringify):
1711         * runtime/JSObject.cpp:
1712         (JSC::getClassPropertyNames):
1713         (JSC::JSObject::calculatedClassName):
1714         (JSC::ordinarySetSlow):
1715         (JSC::JSObject::putInlineSlow):
1716         (JSC::JSObject::setPrototypeWithCycleCheck):
1717         (JSC::callToPrimitiveFunction):
1718         (JSC::JSObject::ordinaryToPrimitive const):
1719         (JSC::JSObject::defaultHasInstance):
1720         (JSC::JSObject::defineOwnIndexedProperty):
1721         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1722         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1723         (JSC::validateAndApplyPropertyDescriptor):
1724         * runtime/JSObject.h:
1725         * runtime/JSObjectInlines.h:
1726         (JSC::JSObject::putInlineForJSObject):
1727         * runtime/JSPromiseConstructor.cpp:
1728         (JSC::JSPromiseConstructor::finishCreation):
1729         * runtime/JSSet.cpp:
1730         (JSC::JSSet::toStringName):
1731         * runtime/JSSymbolTableObject.h:
1732         (JSC::symbolTablePut):
1733         * runtime/JSTypedArrayViewConstructor.cpp:
1734         (JSC::constructTypedArrayView):
1735         * runtime/JSTypedArrayViewPrototype.cpp:
1736         (JSC::typedArrayViewPrivateFuncLength):
1737         (JSC::typedArrayViewProtoFuncSet):
1738         (JSC::typedArrayViewProtoFuncCopyWithin):
1739         (JSC::typedArrayViewProtoFuncLastIndexOf):
1740         (JSC::typedArrayViewProtoFuncIndexOf):
1741         (JSC::typedArrayViewProtoFuncJoin):
1742         (JSC::typedArrayViewProtoGetterFuncBuffer):
1743         (JSC::typedArrayViewProtoGetterFuncLength):
1744         (JSC::typedArrayViewProtoGetterFuncByteLength):
1745         (JSC::typedArrayViewProtoGetterFuncByteOffset):
1746         (JSC::typedArrayViewProtoFuncReverse):
1747         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
1748         (JSC::typedArrayViewProtoFuncSlice):
1749         (JSC::JSTypedArrayViewPrototype::finishCreation):
1750         * runtime/JSWeakMap.cpp:
1751         (JSC::JSWeakMap::toStringName):
1752         * runtime/JSWeakSet.cpp:
1753         (JSC::JSWeakSet::toStringName):
1754         * runtime/LiteralParser.cpp:
1755         (JSC::LiteralParser<CharType>::Lexer::lex):
1756         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
1757         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
1758         (JSC::LiteralParser<CharType>::parse):
1759         * runtime/LiteralParser.h:
1760         (JSC::LiteralParser::getErrorMessage):
1761         * runtime/Lookup.cpp:
1762         (JSC::reifyStaticAccessor):
1763         * runtime/Lookup.h:
1764         (JSC::putEntry):
1765         * runtime/MapPrototype.cpp:
1766         (JSC::getMap):
1767         * runtime/NullSetterFunction.cpp:
1768         (JSC::NullSetterFunctionInternal::callReturnUndefined):
1769         * runtime/NumberPrototype.cpp:
1770         (JSC::numberProtoFuncToExponential):
1771         (JSC::numberProtoFuncToFixed):
1772         (JSC::numberProtoFuncToPrecision):
1773         (JSC::extractToStringRadixArgument):
1774         * runtime/ObjectConstructor.cpp:
1775         (JSC::objectConstructorSetPrototypeOf):
1776         (JSC::objectConstructorAssign):
1777         (JSC::objectConstructorValues):
1778         (JSC::toPropertyDescriptor):
1779         (JSC::objectConstructorDefineProperty):
1780         (JSC::objectConstructorDefineProperties):
1781         (JSC::objectConstructorCreate):
1782         (JSC::objectConstructorSeal):
1783         (JSC::objectConstructorFreeze):
1784         * runtime/ObjectPrototype.cpp:
1785         (JSC::objectProtoFuncDefineGetter):
1786         (JSC::objectProtoFuncDefineSetter):
1787         * runtime/Operations.cpp:
1788         (JSC::jsAddSlowCase):
1789         * runtime/Operations.h:
1790         (JSC::jsSub):
1791         (JSC::jsMul):
1792         * runtime/ProgramExecutable.cpp:
1793         (JSC::ProgramExecutable::initializeGlobalProperties):
1794         * runtime/ProxyConstructor.cpp:
1795         (JSC::makeRevocableProxy):
1796         (JSC::proxyRevocableConstructorThrowError):
1797         (JSC::ProxyConstructor::finishCreation):
1798         (JSC::constructProxyObject):
1799         * runtime/ProxyObject.cpp:
1800         (JSC::ProxyObject::toStringName):
1801         (JSC::ProxyObject::finishCreation):
1802         (JSC::performProxyGet):
1803         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1804         (JSC::ProxyObject::performHasProperty):
1805         (JSC::ProxyObject::performPut):
1806         (JSC::performProxyCall):
1807         (JSC::performProxyConstruct):
1808         (JSC::ProxyObject::performDelete):
1809         (JSC::ProxyObject::performPreventExtensions):
1810         (JSC::ProxyObject::performIsExtensible):
1811         (JSC::ProxyObject::performDefineOwnProperty):
1812         (JSC::ProxyObject::performGetOwnPropertyNames):
1813         (JSC::ProxyObject::performSetPrototype):
1814         (JSC::ProxyObject::performGetPrototype):
1815         * runtime/ReflectObject.cpp:
1816         (JSC::reflectObjectConstruct):
1817         (JSC::reflectObjectDefineProperty):
1818         (JSC::reflectObjectGet):
1819         (JSC::reflectObjectGetOwnPropertyDescriptor):
1820         (JSC::reflectObjectGetPrototypeOf):
1821         (JSC::reflectObjectIsExtensible):
1822         (JSC::reflectObjectOwnKeys):
1823         (JSC::reflectObjectPreventExtensions):
1824         (JSC::reflectObjectSet):
1825         (JSC::reflectObjectSetPrototypeOf):
1826         * runtime/RegExpConstructor.cpp:
1827         (JSC::RegExpConstructor::finishCreation):
1828         (JSC::toFlags):
1829         * runtime/RegExpObject.cpp:
1830         (JSC::RegExpObject::defineOwnProperty):
1831         * runtime/RegExpObject.h:
1832         * runtime/RegExpPrototype.cpp:
1833         (JSC::regExpProtoFuncCompile):
1834         (JSC::regExpProtoGetterGlobal):
1835         (JSC::regExpProtoGetterIgnoreCase):
1836         (JSC::regExpProtoGetterMultiline):
1837         (JSC::regExpProtoGetterDotAll):
1838         (JSC::regExpProtoGetterSticky):
1839         (JSC::regExpProtoGetterUnicode):
1840         (JSC::regExpProtoGetterFlags):
1841         (JSC::regExpProtoGetterSourceInternal):
1842         (JSC::regExpProtoGetterSource):
1843         * runtime/RuntimeType.cpp:
1844         (JSC::runtimeTypeAsString):
1845         * runtime/SamplingProfiler.cpp:
1846         (JSC::SamplingProfiler::StackFrame::displayName):
1847         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
1848         * runtime/ScriptExecutable.cpp:
1849         (JSC::ScriptExecutable::prepareForExecutionImpl):
1850         * runtime/SetPrototype.cpp:
1851         (JSC::getSet):
1852         * runtime/SparseArrayValueMap.cpp:
1853         (JSC::SparseArrayValueMap::putEntry):
1854         (JSC::SparseArrayValueMap::putDirect):
1855         (JSC::SparseArrayEntry::put):
1856         * runtime/StackFrame.cpp:
1857         (JSC::StackFrame::sourceURL const):
1858         (JSC::StackFrame::functionName const):
1859         * runtime/StringConstructor.cpp:
1860         (JSC::stringFromCodePoint):
1861         * runtime/StringObject.cpp:
1862         (JSC::StringObject::put):
1863         (JSC::StringObject::putByIndex):
1864         * runtime/StringPrototype.cpp:
1865         (JSC::StringPrototype::finishCreation):
1866         (JSC::toLocaleCase):
1867         (JSC::stringProtoFuncNormalize):
1868         * runtime/Symbol.cpp:
1869         (JSC::Symbol::toNumber const):
1870         * runtime/SymbolConstructor.cpp:
1871         (JSC::symbolConstructorKeyFor):
1872         * runtime/SymbolObject.cpp:
1873         (JSC::SymbolObject::toStringName):
1874         * runtime/SymbolPrototype.cpp:
1875         (JSC::SymbolPrototype::finishCreation):
1876         * runtime/TypeSet.cpp:
1877         (JSC::TypeSet::dumpTypes const):
1878         (JSC::TypeSet::displayName const):
1879         (JSC::StructureShape::leastCommonAncestor):
1880         * runtime/TypeSet.h:
1881         (JSC::StructureShape::setConstructorName):
1882         * runtime/VM.cpp:
1883         (JSC::VM::dumpTypeProfilerData):
1884         * runtime/WeakMapPrototype.cpp:
1885         (JSC::getWeakMap):
1886         (JSC::protoFuncWeakMapSet):
1887         * runtime/WeakSetPrototype.cpp:
1888         (JSC::getWeakSet):
1889         (JSC::protoFuncWeakSetAdd):
1890         * tools/JSDollarVM.cpp:
1891         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1892         (WTF::DOMJITGetterComplex::customGetter):
1893         (JSC::functionSetImpureGetterDelegate):
1894         (JSC::functionCreateElement):
1895         (JSC::functionGetHiddenValue):
1896         (JSC::functionSetHiddenValue):
1897         (JSC::functionFindTypeForExpression):
1898         (JSC::functionReturnTypeFor):
1899         (JSC::functionLoadGetterFromGetterSetter):
1900         * wasm/WasmB3IRGenerator.cpp:
1901         (JSC::Wasm::B3IRGenerator::fail const):
1902         * wasm/WasmIndexOrName.cpp:
1903         (JSC::Wasm::makeString):
1904         * wasm/WasmParser.h:
1905         (JSC::Wasm::FailureHelper::makeString):
1906         (JSC::Wasm::Parser::fail const):
1907         * wasm/WasmPlan.cpp:
1908         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
1909         * wasm/WasmValidate.cpp:
1910         (JSC::Wasm::Validate::fail const):
1911         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1912         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1913         * wasm/js/JSWebAssemblyHelpers.h:
1914         (JSC::toNonWrappingUint32):
1915         (JSC::getWasmBufferFromValue):
1916         * wasm/js/JSWebAssemblyInstance.cpp:
1917         (JSC::JSWebAssemblyInstance::create):
1918         * wasm/js/JSWebAssemblyMemory.cpp:
1919         (JSC::JSWebAssemblyMemory::grow):
1920         * wasm/js/WasmToJS.cpp:
1921         (JSC::Wasm::handleBadI64Use):
1922         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1923         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
1924         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1925         (JSC::constructJSWebAssemblyInstance):
1926         (JSC::WebAssemblyInstanceConstructor::finishCreation):
1927         * wasm/js/WebAssemblyInstancePrototype.cpp:
1928         (JSC::getInstance):
1929         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1930         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
1931         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1932         (JSC::constructJSWebAssemblyMemory):
1933         (JSC::WebAssemblyMemoryConstructor::finishCreation):
1934         * wasm/js/WebAssemblyMemoryPrototype.cpp:
1935         (JSC::getMemory):
1936         * wasm/js/WebAssemblyModuleConstructor.cpp:
1937         (JSC::webAssemblyModuleCustomSections):
1938         (JSC::webAssemblyModuleImports):
1939         (JSC::webAssemblyModuleExports):
1940         (JSC::WebAssemblyModuleConstructor::finishCreation):
1941         * wasm/js/WebAssemblyModuleRecord.cpp:
1942         (JSC::WebAssemblyModuleRecord::link):
1943         (JSC::dataSegmentFail):
1944         (JSC::WebAssemblyModuleRecord::evaluate):
1945         * wasm/js/WebAssemblyPrototype.cpp:
1946         (JSC::resolve):
1947         (JSC::webAssemblyInstantiateFunc):
1948         (JSC::webAssemblyInstantiateStreamingInternal):
1949         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1950         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
1951         * wasm/js/WebAssemblyTableConstructor.cpp:
1952         (JSC::constructJSWebAssemblyTable):
1953         (JSC::WebAssemblyTableConstructor::finishCreation):
1954         * wasm/js/WebAssemblyTablePrototype.cpp:
1955         (JSC::getTable):
1956         (JSC::webAssemblyTableProtoFuncGrow):
1957         (JSC::webAssemblyTableProtoFuncGet):
1958         (JSC::webAssemblyTableProtoFuncSet):
1959
1960 2018-06-22  Keith Miller  <keith_miller@apple.com>
1961
1962         unshift should zero unused property storage
1963         https://bugs.webkit.org/show_bug.cgi?id=186960
1964
1965         Reviewed by Saam Barati.
1966
        Also, this patch adds the zeroed unused property storage assertion
        to one more place where it was missing.
1969
1970         * runtime/JSArray.cpp:
1971         (JSC::JSArray::unshiftCountSlowCase):
1972         * runtime/JSObjectInlines.h:
1973         (JSC::JSObject::putDirectInternal):
1974
1975 2018-06-22  Mark Lam  <mark.lam@apple.com>
1976
1977         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
1978         https://bugs.webkit.org/show_bug.cgi?id=186943
1979         <rdar://problem/41370337>
1980
1981         Reviewed by Saam Barati.
1982
1983         PropertyCondition::isValidValueForAttributes() should check if the passed in value
1984         is a deleted one before it does a jsDynamicCast on it.
1985
1986         * bytecode/PropertyCondition.cpp:
1987         (JSC::PropertyCondition::isValidValueForAttributes):
1988         * runtime/JSCJSValueInlines.h:
1989         - removed an unnecessary #if.
1990
1991 2018-06-22  Keith Miller  <keith_miller@apple.com>
1992
1993         performProxyCall should toThis the value passed to its handler
1994         https://bugs.webkit.org/show_bug.cgi?id=186951
1995
1996         Reviewed by Mark Lam.
1997
1998         * runtime/ProxyObject.cpp:
1999         (JSC::performProxyCall):
2000
2001 2018-06-22  Saam Barati  <sbarati@apple.com>
2002
2003         ensureWritableX should only convert away from CoW when it will succeed
2004         https://bugs.webkit.org/show_bug.cgi?id=186898
2005
2006         Reviewed by Keith Miller.
2007
2008         Otherwise, when we OSR exit, we'll end up profiling the array after
2009         it has been converted away from CoW. It's better for the ArrayProfile
2010         to see the array as it's still in CoW mode.
2011         
2012         This patch also renames ensureWritableX to tryMakeWritableX since these
2013         were never really "ensure" operations -- they may fail and return null.
2014
2015         * dfg/DFGOperations.cpp:
2016         * runtime/JSObject.cpp:
2017         (JSC::JSObject::tryMakeWritableInt32Slow):
2018         (JSC::JSObject::tryMakeWritableDoubleSlow):
2019         (JSC::JSObject::tryMakeWritableContiguousSlow):
2020         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
2021         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
2022         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
2023         * runtime/JSObject.h:
2024         (JSC::JSObject::tryMakeWritableInt32):
2025         (JSC::JSObject::tryMakeWritableDouble):
2026         (JSC::JSObject::tryMakeWritableContiguous):
2027         (JSC::JSObject::ensureWritableInt32): Deleted.
2028         (JSC::JSObject::ensureWritableDouble): Deleted.
2029         (JSC::JSObject::ensureWritableContiguous): Deleted.
2030
2031 2018-06-22  Keith Miller  <keith_miller@apple.com>
2032
2033         We should call visitChildren on Base not the exact typename
2034         https://bugs.webkit.org/show_bug.cgi?id=186928
2035
2036         Reviewed by Mark Lam.
2037
2038         A lot of places were not properly calling visitChildren on their
2039         superclass. For most of them it didn't matter because they had
2040         immortal structures. If code changed in the future, this might
2041         break things, however.
2042
2043         Also, block off more of the MethodTable for GetterSetter objects.
2044
2045         * bytecode/CodeBlock.cpp:
2046         (JSC::CodeBlock::visitChildren):
2047         * bytecode/ExecutableToCodeBlockEdge.cpp:
2048         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2049         * debugger/DebuggerScope.cpp:
2050         (JSC::DebuggerScope::visitChildren):
2051         * runtime/EvalExecutable.cpp:
2052         (JSC::EvalExecutable::visitChildren):
2053         * runtime/FunctionExecutable.cpp:
2054         (JSC::FunctionExecutable::visitChildren):
2055         * runtime/FunctionRareData.cpp:
2056         (JSC::FunctionRareData::visitChildren):
2057         * runtime/GenericArgumentsInlines.h:
2058         (JSC::GenericArguments<Type>::visitChildren):
2059         * runtime/GetterSetter.cpp:
2060         (JSC::GetterSetter::visitChildren):
2061         * runtime/GetterSetter.h:
2062         * runtime/InferredType.cpp:
2063         (JSC::InferredType::visitChildren):
2064         * runtime/InferredTypeTable.cpp:
2065         (JSC::InferredTypeTable::visitChildren):
2066         * runtime/InferredValue.cpp:
2067         (JSC::InferredValue::visitChildren):
2068         * runtime/JSArrayBufferView.cpp:
2069         (JSC::JSArrayBufferView::visitChildren):
2070         * runtime/JSGenericTypedArrayViewInlines.h:
2071         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2072         * runtime/ModuleProgramExecutable.cpp:
2073         (JSC::ModuleProgramExecutable::visitChildren):
2074         * runtime/ProgramExecutable.cpp:
2075         (JSC::ProgramExecutable::visitChildren):
2076         * runtime/ScopedArguments.cpp:
2077         (JSC::ScopedArguments::visitChildren):
2078         * runtime/ScopedArguments.h:
2079         * runtime/Structure.cpp:
2080         (JSC::Structure::visitChildren):
2081         * runtime/StructureRareData.cpp:
2082         (JSC::StructureRareData::visitChildren):
2083         * runtime/SymbolTable.cpp:
2084         (JSC::SymbolTable::visitChildren):
2085
2086 2018-06-20  Darin Adler  <darin@apple.com>
2087
2088         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
2089         https://bugs.webkit.org/show_bug.cgi?id=186875
2090
2091         Reviewed by Anders Carlsson.
2092
2093         * API/tests/testapi.mm:
2094         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
2095
2096 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
2097
2098         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
2099         https://bugs.webkit.org/show_bug.cgi?id=186915
2100
2101         Reviewed by Žan Doberšek.
2102
2103         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
2104
2105         * inspector/remote/glib/RemoteInspectorServer.cpp:
2106         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
2107
2108 2018-06-21  Mark Lam  <mark.lam@apple.com>
2109
2110         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
2111         https://bugs.webkit.org/show_bug.cgi?id=185947
2112         <rdar://problem/40131933>
2113
2114         Reviewed by Saam Barati.
2115
2116         Newer Clang versions (due to C++17 support) are not happy with how I implemented
2117         conversions between CodeLocation types.  We'll fix this by adding a conversion
2118         operator for converting between CodeLocation types.
2119
2120         * assembler/CodeLocation.h:
2121         (JSC::CodeLocationCommon::operator T):
2122
2123 2018-06-21  Saam Barati  <sbarati@apple.com>
2124
2125         Do some CoW cleanup
2126         https://bugs.webkit.org/show_bug.cgi?id=186896
2127
2128         Reviewed by Mark Lam.
2129
2130         * bytecode/UnlinkedCodeBlock.h:
2131         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2132         We don't need to WTFMove() ints.
2133
2134         * dfg/DFGByteCodeParser.cpp:
2135         (JSC::DFG::ByteCodeParser::parseBlock):
2136         remove a TODO.
2137
2138         * runtime/JSObject.cpp:
2139         (JSC::JSObject::putByIndex):
2140         We were checking for isCopyOnWrite even after we converted away
2141         from CoW in above code.
2142         (JSC::JSObject::ensureWritableInt32Slow):
2143         Model this in the same way the other ensureWritableXSlow are modeled.
2144
2145 2018-06-20  Keith Miller  <keith_miller@apple.com>
2146
2147         flattenDictionaryStructure needs to zero inline storage.
2148         https://bugs.webkit.org/show_bug.cgi?id=186869
2149
2150         Reviewed by Saam Barati.
2151
2152         This patch also adds the assertion that unused property storage is
2153         zero or JSValue() to putDirectInternal. Additionally, functions
2154         have been added to $vm that flatten dictionary objects and return
2155         the inline capacity of an object.
2156
2157         * runtime/JSObjectInlines.h:
2158         (JSC::JSObject::putDirectInternal):
2159         * runtime/Structure.cpp:
2160         (JSC::Structure::flattenDictionaryStructure):
2161         * tools/JSDollarVM.cpp:
2162         (JSC::functionInlineCapacity):
2163         (JSC::functionFlattenDictionaryObject):
2164         (JSC::JSDollarVM::finishCreation):
2165
2166 2018-06-21  Mark Lam  <mark.lam@apple.com>
2167
2168         Use IsoCellSets to track Executables with clearable code.
2169         https://bugs.webkit.org/show_bug.cgi?id=186877
2170
2171         Reviewed by Filip Pizlo.
2172
2173         Here’s an example of the results that this fix may yield: 
2174         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
2175         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
2176
2177            Visiting Executables:
2178                                                         Old             New
2179            Number of objects visited:                   70897           14264
2180            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
2181            Number of memory pages visited:              3224            1602
2182            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
2183
2184            Visiting UnlinkedFunctionExecutables:
2185                                                         Old             New
2186            Number of objects visited:                   105454          17231
2187            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
2188            Number of memory pages visited:              4796            1349
2189            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
2190
2191         ** The number of objects differs because the old code only visits unlinked
2192            executables indirectly via linked executables, whereas the new behavior visits
2193            all unlinked executables with deletable code directly.  This means:
2194
2195            a. we used to not visit unlinked executables that have not been linked yet
2196               i.e. deleteAllCode() may not delete all code (especially code that is not
2197               used).
2198            b. we had to visit all linked executables to check if they are of type
2199               FunctionExecutable, before going on to visit their unlinked executable, and
2200               this includes the ones that do not have deletable code.  This means that we
2201               would touch more memory in the process.
2202
2203            Both of these issues are now fixed with the new code.
2204
2205         This code was tested with manually inserted instrumentation to track the above
2206         statistics.  It is not feasible to write an automated test for this without
2207         leaving a lot of invasive instrumentation in the code.
2208
2209         * bytecode/UnlinkedFunctionExecutable.cpp:
2210         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2211         * bytecode/UnlinkedFunctionExecutable.h:
2212         * heap/CodeBlockSetInlines.h:
2213         (JSC::CodeBlockSet::iterateViaSubspaces):
2214         * heap/Heap.cpp:
2215         (JSC::Heap::deleteAllCodeBlocks):
2216         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2217         (JSC::Heap::deleteUnmarkedCompiledCode):
2218         (JSC::Heap::clearUnmarkedExecutables): Deleted.
2219         (JSC::Heap::addExecutable): Deleted.
2220         * heap/Heap.h:
2221         * runtime/DirectEvalExecutable.h:
2222
2223         * runtime/ExecutableBase.cpp:
2224         (JSC::ExecutableBase::hasClearableCode const):
2225         - this is written based on the implementation of ExecutableBase::clearCode().
2226
2227         * runtime/ExecutableBase.h:
2228         * runtime/FunctionExecutable.h:
2229         * runtime/IndirectEvalExecutable.h:
2230         * runtime/ModuleProgramExecutable.h:
2231         * runtime/ProgramExecutable.h:
2232         * runtime/ScriptExecutable.cpp:
2233         (JSC::ScriptExecutable::clearCode):
2234         (JSC::ScriptExecutable::installCode):
2235         * runtime/ScriptExecutable.h:
2236         (JSC::ScriptExecutable::finishCreation):
2237         * runtime/VM.cpp:
2238         (JSC::VM::VM):
2239         * runtime/VM.h:
2240         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
2241         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
2242         (JSC::VM::forEachScriptExecutableSpace):
2243         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
2244         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
2245
2246 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
2247
2248         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
2249         https://bugs.webkit.org/show_bug.cgi?id=186884
2250
2251         Reviewed by Carlos Garcia Campos.
2252
2253         Add a tuple array input parameter to the StartAutomationSession DBus
2254         message, representing a list of host-and-certificate pairs that have to
2255         be allowed for a given session. This array is then unpacked and used to
2256         fill out the certificates Vector object in the SessionCapabilities
2257         struct.
2258
2259         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
2260         String pairs representing hosts and the certificate file paths.
2261         * inspector/remote/glib/RemoteInspectorServer.cpp:
2262
2263 2018-06-20  Keith Miller  <keith_miller@apple.com>
2264
2265         Expand concurrent GC assertion to accept JSValue() or 0
2266         https://bugs.webkit.org/show_bug.cgi?id=186855
2267
2268         Reviewed by Mark Lam.
2269
2270         We tend to set unused property slots to either JSValue() or 0
2271         depending on the context. On 64-bit these are the same but on
2272         32-bit JSValue() has a NaN tag. This patch makes it so we
2273         accept either JSValue() or 0.
2274
2275         * runtime/JSObjectInlines.h:
2276         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2277
2278 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
2279
2280         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
2281         https://bugs.webkit.org/show_bug.cgi?id=186765
2282
2283         Reviewed by Michael Saboff.
2284
2285         This widens the check for 0 so that we handle that case more correctly.
2286
2287         * assembler/LinkBuffer.h:
2288         (JSC::LinkBuffer::executableOffsetFor):
2289
2290 2018-06-19  Keith Miller  <keith_miller@apple.com>
2291
2292         Fix broken assertion on 32-bit
2293         https://bugs.webkit.org/show_bug.cgi?id=186830
2294
2295         Reviewed by Mark Lam.
2296
2297         The assertion was intended to catch concurrent GC issues. We don't
2298         run them on 32-bit so we don't need this assertion there. The
2299         assertion was broken because zero is not JSValue() on 32-bit.
2300
2301         * runtime/JSObjectInlines.h:
2302         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2303
2304 2018-06-19  Keith Miller  <keith_miller@apple.com>
2305
2306         flattenDictionaryStructure needs to zero properties that have been compressed away
2307         https://bugs.webkit.org/show_bug.cgi?id=186828
2308
2309         Reviewed by Mark Lam.
2310
2311         This patch fixes a bunch of crashing Mozilla tests on the bots.
2312
2313         * runtime/Structure.cpp:
2314         (JSC::Structure::flattenDictionaryStructure):
2315
2316 2018-06-19  Saam Barati  <sbarati@apple.com>
2317
2318         DirectArguments::create needs to initialize to undefined instead of the empty value
2319         https://bugs.webkit.org/show_bug.cgi?id=186818
2320         <rdar://problem/38415177>
2321
2322         Reviewed by Filip Pizlo.
2323
2324         The bug here is that we will emit code that just loads from DirectArguments as
2325         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
2326         The arguments object has at least enough capacity to hold the declared parameters.
2327         When we materialized this object in OSR exit, we initialized up to the capacity
2328         with JSValue(). In OSR exit, though, we only filled up to the length of the
2329         object with actual values. So we'd end up with a DirectArguments object with
2330         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
2331         capacity with jsUndefined during construction. The invariant of this object is
2332         that the capacity minus length slots at the end are filled in with jsUndefined.
2333
2334         * runtime/DirectArguments.cpp:
2335         (JSC::DirectArguments::create):
2336
2337 2018-06-19  Michael Saboff  <msaboff@apple.com>
2338
2339         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
2340         https://bugs.webkit.org/show_bug.cgi?id=186827
2341
2342         Reviewed by Saam Barati.
2343
2344         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
2345
2346         * runtime/JSLock.cpp:
2347         (JSC::JSLock::didAcquireLock):
2348
2349 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
2350
2351         ShadowChicken crashes with stack overflow in the LLInt
2352         https://bugs.webkit.org/show_bug.cgi?id=186540
2353         <rdar://problem/39682133>
2354
2355         Reviewed by Saam Barati.
2356
2357         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
2358         with debug opcodes because it was accessing the scope of the incomplete top
2359         frame, which hadn't been set yet. Check that we have moved past the first
2360         opcode (enter) and that the scope is not undefined (enter will
2361         initialize it to undefined).
2362
2363         * interpreter/ShadowChicken.cpp:
2364         (JSC::ShadowChicken::update):
2365
2366 2018-06-19  Keith Miller  <keith_miller@apple.com>
2367
2368         constructArray variants should take the slow path for subclasses of Array
2369         https://bugs.webkit.org/show_bug.cgi?id=186812
2370
2371         Reviewed by Saam Barati and Mark Lam.
2372
2373         This patch fixes a crashing test in ObjectInitializationScope where we would
2374         allocate a new structure for an indexing type change while initializing
2375         a subclass of Array. Since the new array hasn't been fully initialized,
2376         if the GC ran it would see garbage and we might crash.
2377
2378         * runtime/JSArray.cpp:
2379         (JSC::constructArray):
2380         (JSC::constructArrayNegativeIndexed):
2381         * runtime/JSArray.h:
2382         (JSC::constructArray): Deleted.
2383         (JSC::constructArrayNegativeIndexed): Deleted.
2384
2385 2018-06-19  Saam Barati  <sbarati@apple.com>
2386
2387         Wasm: Any function argument of type Void should be a validation error
2388         https://bugs.webkit.org/show_bug.cgi?id=186794
2389         <rdar://problem/41140257>
2390
2391         Reviewed by Keith Miller.
2392
2393         * wasm/WasmModuleParser.cpp:
2394         (JSC::Wasm::ModuleParser::parseType):
2395
2396 2018-06-18  Keith Miller  <keith_miller@apple.com>
2397
2398         JSImmutableButterfly should assert m_header is adjacent to the data
2399         https://bugs.webkit.org/show_bug.cgi?id=186795
2400
2401         Reviewed by Saam Barati.
2402
2403         * runtime/JSImmutableButterfly.cpp:
2404         * runtime/JSImmutableButterfly.h:
2405
2406 2018-06-18  Keith Miller  <keith_miller@apple.com>
2407
2408         Unreviewed, fix the build...
2409
2410         * runtime/JSArray.cpp:
2411         (JSC::JSArray::tryCreateUninitializedRestricted):
2412
2413 2018-06-18  Keith Miller  <keith_miller@apple.com>
2414
2415         Unreviewed, remove bad assertion.
2416
2417         * runtime/JSArray.cpp:
2418         (JSC::JSArray::tryCreateUninitializedRestricted):
2419
2420 2018-06-18  Keith Miller  <keith_miller@apple.com>
2421
2422         Properly zero unused property storage offsets
2423         https://bugs.webkit.org/show_bug.cgi?id=186692
2424
2425         Reviewed by Filip Pizlo.
2426
2427         Since the concurrent GC might see a property slot before the mutator has actually
2428         stored the value there, we need to ensure that slot doesn't have garbage in it.
2429
2430         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
2431         or creating a RegExp matches array, we never cleared the unused
2432         property storage. ObjectInitializationScope has also been upgraded
2433         to look for our invariants around property storage. Additionally,
2434         a new assertion has been added to check for JSValue() when adding
2435         a new property.
2436
2437         We used to put undefined into deleted property offsets. To
2438         make things simpler, this patch causes us to store JSValue() there
2439         instead.
2440
2441         Lastly, this patch fixes an issue where we would initialize the
2442         array storage of RegExpMatchesArray twice. First with 0 and
2443         secondly with the actual result. Now we only zero memory between
2444         vector length and public length.
2445
2446         * runtime/Butterfly.h:
2447         (JSC::Butterfly::offsetOfVectorLength):
2448         * runtime/ButterflyInlines.h:
2449         (JSC::Butterfly::tryCreateUninitialized):
2450         (JSC::Butterfly::createUninitialized):
2451         (JSC::Butterfly::tryCreate):
2452         (JSC::Butterfly::create):
2453         (JSC::Butterfly::createOrGrowPropertyStorage):
2454         (JSC::Butterfly::createOrGrowArrayRight):
2455         (JSC::Butterfly::growArrayRight):
2456         (JSC::Butterfly::resizeArray):
2457         * runtime/JSArray.cpp:
2458         (JSC::JSArray::tryCreateUninitializedRestricted):
2459         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2460         * runtime/JSArray.h:
2461         (JSC::tryCreateArrayButterfly):
2462         * runtime/JSObject.cpp:
2463         (JSC::JSObject::createArrayStorageButterfly):
2464         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2465         (JSC::JSObject::deleteProperty):
2466         (JSC::JSObject::shiftButterflyAfterFlattening):
2467         * runtime/JSObject.h:
2468         * runtime/JSObjectInlines.h:
2469         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2470         * runtime/ObjectInitializationScope.cpp:
2471         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2472         * runtime/ObjectInitializationScope.h:
2473         (JSC::ObjectInitializationScope::release):
2474         * runtime/RegExpMatchesArray.h:
2475         (JSC::tryCreateUninitializedRegExpMatchesArray):
2476         (JSC::createRegExpMatchesArray):
2477
2478         * runtime/Butterfly.h:
2479         (JSC::Butterfly::offsetOfVectorLength):
2480         * runtime/ButterflyInlines.h:
2481         (JSC::Butterfly::tryCreateUninitialized):
2482         (JSC::Butterfly::createUninitialized):
2483         (JSC::Butterfly::tryCreate):
2484         (JSC::Butterfly::create):
2485         (JSC::Butterfly::createOrGrowPropertyStorage):
2486         (JSC::Butterfly::createOrGrowArrayRight):
2487         (JSC::Butterfly::growArrayRight):
2488         (JSC::Butterfly::resizeArray):
2489         * runtime/JSArray.cpp:
2490         (JSC::JSArray::tryCreateUninitializedRestricted):
2491         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2492         * runtime/JSArray.h:
2493         (JSC::tryCreateArrayButterfly):
2494         * runtime/JSObject.cpp:
2495         (JSC::JSObject::createArrayStorageButterfly):
2496         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2497         (JSC::JSObject::deleteProperty):
2498         (JSC::JSObject::shiftButterflyAfterFlattening):
2499         * runtime/JSObject.h:
2500         * runtime/JSObjectInlines.h:
2501         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2502         * runtime/ObjectInitializationScope.cpp:
2503         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2504         * runtime/RegExpMatchesArray.cpp:
2505         (JSC::createEmptyRegExpMatchesArray):
2506         * runtime/RegExpMatchesArray.h:
2507         (JSC::tryCreateUninitializedRegExpMatchesArray):
2508         (JSC::createRegExpMatchesArray):
2509
2510 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2511
2512         Share structure across instances of classes exported through the ObjC API
2513         https://bugs.webkit.org/show_bug.cgi?id=186579
2514         <rdar://problem/40969212>
2515
2516         Reviewed by Saam Barati.
2517
2518         A new structure was being created for each instance of exported ObjC
2519         classes due to setting the prototype in the structure for every object,
2520         since prototype transitions are not cached by the structure. Cache the
2521         Structure in the JSObjcClassInfo to avoid the transition.
2522
2523         * API/JSWrapperMap.mm:
2524         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2525         (-[JSObjCClassInfo structureInContext:]):
2526         * API/tests/JSWrapperMapTests.h: Added.
2527         * API/tests/JSWrapperMapTests.mm: Added.
2528         (+[JSWrapperMapTests testStructureIdentity]):
2529         (runJSWrapperMapTests):
2530         * API/tests/testapi.mm:
2531         (testObjectiveCAPIMain):
2532         * JavaScriptCore.xcodeproj/project.pbxproj:
2533
2534 2018-06-18  Michael Saboff  <msaboff@apple.com>
2535
2536         Support Unicode 11 in RegExp
2537         https://bugs.webkit.org/show_bug.cgi?id=186685
2538
2539         Reviewed by Mark Lam.
2540
2541         Updated the UCD tables used to generate RegExp property tables to version 11.0.
2542
2543         * Scripts/generateYarrUnicodePropertyTables.py:
2544         * ucd/CaseFolding.txt:
2545         * ucd/DerivedBinaryProperties.txt:
2546         * ucd/DerivedCoreProperties.txt:
2547         * ucd/DerivedNormalizationProps.txt:
2548         * ucd/PropList.txt:
2549         * ucd/PropertyAliases.txt:
2550         * ucd/PropertyValueAliases.txt:
2551         * ucd/ScriptExtensions.txt:
2552         * ucd/Scripts.txt:
2553         * ucd/UnicodeData.txt:
2554         * ucd/emoji-data.txt:
2555
2556 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2557
2558         [WTF] Remove workarounds needed to support libstdc++-4
2559         https://bugs.webkit.org/show_bug.cgi?id=186762
2560
2561         Reviewed by Michael Catanzaro.
2562
2563         Revert r226299, r226300, r226301 and r226302.
2564
2565         * API/tests/TypedArrayCTest.cpp:
2566         (assertEqualsAsNumber):
2567
2568 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
2569
2570         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
2571         https://bugs.webkit.org/show_bug.cgi?id=182923
2572
2573         Reviewed by Mark Lam.
2574
2575         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
2576         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
2577
2578         * heap/MarkedBlock.h:
2579
2580 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2581
2582         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
2583         https://bugs.webkit.org/show_bug.cgi?id=186723
2584
2585         Reviewed by Mark Lam.
2586
2587         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
2588         to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
2589
2590         This patch improves SixSpeed/spread-literal.es5.
2591
2592                                      baseline                  patched
2593
2594         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
2595
2596         * runtime/JSArrayInlines.h:
2597         (JSC::JSArray::pushInline):
2598         * runtime/Structure.cpp:
2599         (JSC::Structure::nonPropertyTransitionSlow):
2600         (JSC::Structure::nonPropertyTransition): Deleted.
2601         * runtime/Structure.h:
2602         * runtime/StructureInlines.h:
2603         (JSC::Structure::nonPropertyTransition):
2604
2605 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2606
2607         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
2608         https://bugs.webkit.org/show_bug.cgi?id=186721
2609
2610         Reviewed by Keith Miller.
2611
2612         We still have several other OSRExits, but this patch reduces them.
2613
2614         1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
2615         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
2616
2617         2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
2618         non-appropriate.
2619
2620         These changes fix the Kraken/crypto-aes regression a bit.
2621
2622                                       baseline                  patched
2623
2624         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
2625
2626
2627         * dfg/DFGByteCodeParser.cpp:
2628         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2629         * ftl/FTLOperations.cpp:
2630         (JSC::FTL::operationMaterializeObjectInOSR):
2631         * runtime/CommonSlowPaths.cpp:
2632         (JSC::SLOW_PATH_DECL):
2633
2634 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2635
2636         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
2637         https://bugs.webkit.org/show_bug.cgi?id=186460
2638
2639         Reviewed by Saam Barati.
2640
2641         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
2642         We should return JSFixedArray for Spread. This patch adds code generating
2643         a JSFixedArray from JSImmutableButterfly.
2644
2645         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
2646
2647         * ftl/FTLLowerDFGToB3.cpp:
2648         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
2649         * runtime/JSFixedArray.h:
2650
2651 2018-06-15  Saam Barati  <sbarati@apple.com>
2652
2653         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
2654         https://bugs.webkit.org/show_bug.cgi?id=186687
2655         <rdar://problem/40071332>
2656
2657         Reviewed by Keith Miller.
2658
2659         * API/JSVirtualMachinePrivate.h:
2660
2661 2018-06-15  Saam Barati  <sbarati@apple.com>
2662
2663         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
2664         https://bugs.webkit.org/show_bug.cgi?id=186648
2665
2666         Reviewed by Michael Saboff.
2667
2668         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
2669         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
2670         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
2671         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
2672         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
2673         2 speedup with this change on iOS.
2674
2675         * dfg/DFGByteCodeParser.cpp:
2676         (JSC::DFG::ByteCodeParser::parse):
2677
2678 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
2679
2680         Unreviewed, rolling out r232816.
2681
2682         Suggested by Caitlin:
2683         "this patch clearly does get some things wrong, and it's not
2684         easy to find what those things are"
2685
2686         Reverted changeset:
2687
2688         "[LLInt] use loadp consistently for
2689         get_from_scope/put_to_scope"
2690         https://bugs.webkit.org/show_bug.cgi?id=132333
2691         https://trac.webkit.org/changeset/232816
2692
2693 2018-06-14  Michael Saboff  <msaboff@apple.com>
2694
2695         REGRESSION(232741): Crash running ARES-6
2696         https://bugs.webkit.org/show_bug.cgi?id=186630
2697
2698         Reviewed by Saam Barati.
2699
2700         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
2701         treated edges between identical predecessor->successor pairs independently.
2702         This fixes the issue by handling such edges once, using the added intermediate
2703         pad for all instances of the edges between the same pairs.
2704
2705         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
2706         (JSC::DFG::CriticalEdgeBreakingPhase::run):
2707         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
2708
2709 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2710
2711         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
2712         https://bugs.webkit.org/show_bug.cgi?id=186560
2713
2714         Reviewed by Brian Burg.
2715
2716         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
2717         that always receives the session capabilities.
2718
2719         * inspector/remote/RemoteInspector.h:
2720         * inspector/remote/RemoteInspectorConstants.h:
2721         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2722         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
2723         WebKit here and fill the SessionCapabilities instead.
2724         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2725         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
2726         * inspector/remote/glib/RemoteInspectorServer.cpp:
2727         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
2728         * inspector/remote/glib/RemoteInspectorServer.h:
2729
2730 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
2731
2732         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
2733         https://bugs.webkit.org/show_bug.cgi?id=186588
2734
2735         Reviewed by Carlos Garcia Campos.
2736
2737         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
2738         for resource paths, which avoids needing a switcheroo depending on the port.
2739
2740         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2741
2742 2018-06-13  Caitlin Potter  <caitp@igalia.com>
2743
2744         [LLInt] use loadp consistently for get_from_scope/put_to_scope
2745         https://bugs.webkit.org/show_bug.cgi?id=132333
2746
2747         Reviewed by Mark Lam.
2748
2749         Using `loadis` for register indexes and `loadp` for constant scopes /
2750         symboltables makes sense, but is problematic for big-endian
2751         architectures.
2752
2753         Consistently treating the operand as a pointer simplifies determining
2754         how to access the operand, and helps avoid bad accesses and crashes on
2755         big-endian ports.
2756
2757         * bytecode/CodeBlock.cpp:
2758         (JSC::CodeBlock::finishCreation):
2759         * bytecode/Instruction.h:
2760         * jit/JITOperations.cpp:
2761         * llint/LLIntSlowPaths.cpp:
2762         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2763         * llint/LowLevelInterpreter32_64.asm:
2764         * llint/LowLevelInterpreter64.asm:
2765         * runtime/CommonSlowPaths.h:
2766         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
2767         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
2768
2769 2018-06-13  Keith Miller  <keith_miller@apple.com>
2770
2771         AutomaticThread should have a way to provide a thread name
2772         https://bugs.webkit.org/show_bug.cgi?id=186604
2773
2774         Reviewed by Filip Pizlo.
2775
2776         Add names for JSC's automatic threads.
2777
2778         * dfg/DFGWorklist.cpp:
2779         * heap/Heap.cpp:
2780         * jit/JITWorklist.cpp:
2781         * runtime/VMTraps.cpp:
2782         * wasm/WasmWorklist.cpp:
2783
2784 2018-06-13  Saam Barati  <sbarati@apple.com>
2785
2786         CFGSimplificationPhase should de-dupe jettisonedBlocks
2787         https://bugs.webkit.org/show_bug.cgi?id=186583
2788
2789         Reviewed by Filip Pizlo.
2790
2791         When making the predecessors list unique in r232741, it revealed a bug inside
2792         of CFG simplification, where we try to remove the same predecessor more than
2793         once from a block's predecessors list. We built the list of blocks to remove
2794         from the list of successors, which is not unique, causing us to try to remove
2795         the same predecessor more than once. The solution here is to just add to this
2796         list of blocks to remove only if the block is not already in the list.
2797
2798         * dfg/DFGCFGSimplificationPhase.cpp:
2799         (JSC::DFG::CFGSimplificationPhase::run):
2800
2801 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2802
2803         [JSC] Always use Nuke & Set procedure for x86
2804         https://bugs.webkit.org/show_bug.cgi?id=186592
2805
2806         Reviewed by Keith Miller.
2807
2808         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
2809         By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
2810         threads.
2811
2812         * runtime/JSObject.cpp:
2813         (JSC::JSObject::convertContiguousToArrayStorage):
2814
2815 2018-06-12  Saam Barati  <sbarati@apple.com>
2816
2817         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
2818         https://bugs.webkit.org/show_bug.cgi?id=186071
2819
2820         Reviewed by Mark Lam.
2821
2822         * API/JSVirtualMachine.mm:
2823         (-[JSVirtualMachine shrinkFootprint]): Deleted.
2824         * API/JSVirtualMachinePrivate.h:
2825
2826 2018-06-11  Saam Barati  <sbarati@apple.com>
2827
2828         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
2829         https://bugs.webkit.org/show_bug.cgi?id=181409
2830         <rdar://problem/36383749>
2831
2832         Reviewed by Keith Miller.
2833
2834         This patch is me redoing r226655. This is a patch I wrote when
2835         profiling Speedometer. Fil rolled this change out in r230928. He
2836         showed this slowed down a sunspider test by ~2x. This sunspider
2837         regression revealed a real performance bug in the original change:
2838         we would kill blocks that reached OSR entry targets, sometimes leading
2839         us to not do OSR entry into the DFG, since we could end up deleting
2840         entire loops from the CFG. The reason for this is that code that has run
2841         ~once and that reaches loops often has ForceOSRExits inside of it. The
2842         solution to this is to not perform this optimization on blocks that can
2843         reach OSR entry targets.
2844         
2845         The reason I'm redoing this patch is that it turns out Fil rolling
2846         out the change was a Speedometer 2 regression.
2847         
2848         This is a modified version of the original ChangeLog I wrote in r226655:
2849         
2850         When I was looking at profiler data for Speedometer, I noticed that one of
2851         the hottest functions in Speedometer is around 1100 bytecode operations long.
2852         Only about 100 of those bytecode ops ever execute. However, we ended up
2853         spending a lot of time compiling basic blocks that never executed. We often
2854         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
2855         This is the case when such a node never executes.
2856         
2857         This patch makes it so that anytime a block has a ForceOSRExit, and that block
2858         can not reach an OSR entry target, we replace its terminal node with an Unreachable
2859         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
2860         size since it removes control flow edges from the CFG. This allows us to get
2861         rid of huge chunks of the CFG in certain programs. When doing this transformation,
2862         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
2863         live-in to the ForceOSRExit.
2864         
2865         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
2866         does not get rid of all the CFG that it could. If we decide it's worth
2867         it, we could use additional inputs into this mechanism. For example, we could
2868         profile if a basic block ever executes inside the LLInt/Baseline, and
2869         remove parts of the CFG based on that.
2870         
2871         When running Speedometer with the concurrent JIT turned off, this patch
2872         improves DFG/FTL compile times by around 5%.
2873
2874         * dfg/DFGByteCodeParser.cpp:
2875         (JSC::DFG::ByteCodeParser::addToGraph):
2876         (JSC::DFG::ByteCodeParser::inlineCall):
2877         (JSC::DFG::ByteCodeParser::parse):
2878         * dfg/DFGGraph.cpp:
2879         (JSC::DFG::Graph::blocksInPostOrder):
2880
2881 2018-06-11  Saam Barati  <sbarati@apple.com>
2882
2883         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
2884         https://bugs.webkit.org/show_bug.cgi?id=184829
2885
2886         Reviewed by Michael Saboff.
2887
2888         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
2889         In B3/Air, this just meant writing a validation rule. In DFG, this meant
2890         ensuring this property when building up the predecessors list, and also adding
2891         a validation rule. The NaturalLoops algorithm relies on this property.
2892
2893         * b3/B3Validate.cpp:
2894         * b3/air/AirValidate.cpp:
2895         * b3/testb3.cpp:
2896         (JSC::B3::testLoopWithMultipleHeaderEdges):
2897         (JSC::B3::run):
2898         * dfg/DFGGraph.cpp:
2899         (JSC::DFG::Graph::handleSuccessor):
2900         * dfg/DFGValidate.cpp:
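
        Added example (not WebKit code) for the three entries above that deal with
        de-duplicated predecessor lists and critical edge breaking after r232741: a toy
        CFG in C++ with invented BasicBlock/Graph types that keeps predecessor lists
        unique while successor lists may repeat a target, and inserts one pad for all
        edges between the same predecessor->successor pair instead of one per edge.

```cpp
// Added example, not JavaScriptCore code: a toy CFG that keeps predecessor lists
// unique while successor lists may repeat a target, and breaks critical edges once
// per distinct (predecessor, successor) pair so duplicate edges share one pad.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

struct BasicBlock {
    std::size_t index = 0;
    std::vector<BasicBlock*> successors;   // may name the same block twice (both arms of a branch)
    std::vector<BasicBlock*> predecessors; // kept de-duplicated, as the validation rule requires
};

struct Graph {
    std::vector<std::unique_ptr<BasicBlock>> blocks;

    BasicBlock* addBlock()
    {
        blocks.push_back(std::make_unique<BasicBlock>());
        blocks.back()->index = blocks.size() - 1;
        return blocks.back().get();
    }

    // Rebuild predecessor lists from successor lists. A predecessor is recorded only
    // if it is not already present, even when a block lists a successor twice.
    void resetReachability()
    {
        for (auto& block : blocks)
            block->predecessors.clear();
        for (auto& block : blocks) {
            for (BasicBlock* successor : block->successors) {
                auto& preds = successor->predecessors;
                if (std::find(preds.begin(), preds.end(), block.get()) == preds.end())
                    preds.push_back(block.get());
            }
        }
    }

    // Validation rule: no block appears twice in any predecessor list.
    bool predecessorsAreUnique() const
    {
        for (const auto& block : blocks) {
            std::vector<BasicBlock*> sorted = block->predecessors;
            std::sort(sorted.begin(), sorted.end());
            if (std::adjacent_find(sorted.begin(), sorted.end()) != sorted.end())
                return false;
        }
        return true;
    }

    // An edge pred->succ is critical when pred has several successors and succ has
    // several predecessors. Every occurrence of the same pred->succ edge is redirected
    // to one shared pad, so the pair is handled once. Returns the number of pads.
    std::size_t breakCriticalEdges()
    {
        std::size_t padsInserted = 0;
        const std::size_t originalCount = blocks.size(); // pads appended below are not revisited
        for (std::size_t i = 0; i < originalCount; ++i) {
            BasicBlock* pred = blocks[i].get();
            if (pred->successors.size() < 2)
                continue;
            std::vector<std::pair<BasicBlock*, BasicBlock*>> padFor; // (successor, pad) for this pred
            for (BasicBlock*& successor : pred->successors) {
                if (successor->predecessors.size() < 2)
                    continue; // not a critical edge
                auto known = std::find_if(padFor.begin(), padFor.end(),
                    [&](const std::pair<BasicBlock*, BasicBlock*>& e) { return e.first == successor; });
                BasicBlock* pad = known == padFor.end() ? nullptr : known->second;
                if (!pad) {
                    pad = addBlock();
                    pad->successors.push_back(successor);
                    padFor.emplace_back(successor, pad);
                    ++padsInserted;
                }
                successor = pad; // duplicate edges to the same target now share this pad
            }
        }
        resetReachability();
        return padsInserted;
    }
};

// Constructed sample: entry branches to A and B; A is a two-way switch whose arms
// both jump to S (a duplicate A->S edge); B reaches S too, so A->S is critical.
Graph makeSampleGraph()
{
    Graph g;
    BasicBlock* entry = g.addBlock(); // index 0
    BasicBlock* a = g.addBlock();     // index 1
    BasicBlock* b = g.addBlock();     // index 2
    BasicBlock* s = g.addBlock();     // index 3
    entry->successors = { a, b };
    a->successors = { s, s };
    b->successors = { s };
    g.resetReachability(); // S gets predecessors {A, B}, not {A, A, B}
    return g;
}
```

        With the sample graph, breakCriticalEdges() inserts a single pad for both
        A->S edges and every predecessor list stays unique afterwards.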
2901
2902 2018-06-11  Keith Miller  <keith_miller@apple.com>
2903
2904         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
2905         https://bugs.webkit.org/show_bug.cgi?id=186467
2906
2907         Reviewed by Simon Fraser.
2908
2909         This patch adds a LazyFireDetail that wraps ScopedLambda so that
2910         we don't actually malloc any strings for firing unless those
2911         Strings are actually going to be printed.
2912
2913         * bytecode/Watchpoint.h:
2914         (JSC::LazyFireDetail::LazyFireDetail):
2915         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2916         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
2917         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2918         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2919         * runtime/ArrayPrototype.cpp:
2920         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2921
2922 2018-06-11  Mark Lam  <mark.lam@apple.com>
2923
2924         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
2925         https://bugs.webkit.org/show_bug.cgi?id=186451
2926         <rdar://problem/40875792>
2927
2928         Reviewed by Tim Horton.
2929
2930         Enhance setOptions() to be able to take a comma separated options string in
2931         addition to white space separated options strings.
2932
2933         * runtime/Options.cpp:
2934         (JSC::isSeparator):
2935         (JSC::Options::setOptions):
2936
2937 2018-06-11  Michael Saboff  <msaboff@apple.com>
2938
2939         JavaScriptCore: Disable 32-bit JIT on Windows
2940         https://bugs.webkit.org/show_bug.cgi?id=185989
2941
2942         Reviewed by Mark Lam.
2943
2944         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
2945
2946         * llint/LLIntData.h:
2947         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
2948         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
2949         have a case label because these aren't opcodes.
2950         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
2951         on the JIT being enabled.
2952         (JSC::recomputeDependentOptions):
2953
2954 2018-06-11  Michael Saboff  <msaboff@apple.com>
2955
2956         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
2957         https://bugs.webkit.org/show_bug.cgi?id=186477
2958
2959         Reviewed by Filip Pizlo.
2960
2961         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
2962         YARR interpreter nodes.  This caused us to overwrite other frame information.
2963
2964         Added frame offset debugging code to YARR interpreter.
2965
2966         * yarr/YarrInterpreter.cpp:
2967         (JSC::Yarr::ByteCompiler::emitDisjunction):
2968         (JSC::Yarr::ByteCompiler::dumpDisjunction):
2969
2970 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2971
2972         [JSC] Array.prototype.sort should reject null comparator
2973         https://bugs.webkit.org/show_bug.cgi?id=186458
2974
2975         Reviewed by Keith Miller.
2976
2977         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
2978         the behavior to Chrome and Firefox.
2979
2980         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
2981         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
2982         the spec issue.
2983
2984         * builtins/ArrayPrototype.js:
2985         (sort):
2986
2987 2018-06-09  Dan Bernstein  <mitz@apple.com>
2988
2989         [Xcode] Clean up and modernize some build setting definitions
2990         https://bugs.webkit.org/show_bug.cgi?id=186463
2991
2992         Reviewed by Sam Weinig.
2993
2994         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
2995           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
2996           is true for all supported Xcode versions.
2997         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
2998         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
2999           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
3000         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
3001         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
3002
3003 2018-06-09  Dan Bernstein  <mitz@apple.com>
3004
3005         Added missing file references to the Configuration group.
3006
3007         * JavaScriptCore.xcodeproj/project.pbxproj:
3008
3009 2018-06-08  Darin Adler  <darin@apple.com>
3010
3011         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
3012         https://bugs.webkit.org/show_bug.cgi?id=186436
3013
3014         Reviewed by Anders Carlsson.
3015
3016         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
3017         objc-internal.h and explicitly declaring the alternative.
3018
3019 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
3020
3021         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
3022         https://bugs.webkit.org/show_bug.cgi?id=186442
3023         <rdar://problem/40879364>
3024
3025         Reviewed by Tim Horton.
3026
3027         * Configurations/FeatureDefines.xcconfig:
3028
3029 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
3030
3031         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt 
3032         https://bugs.webkit.org/show_bug.cgi?id=186446
3033         <rdar://problem/40949995>
3034
3035         Reviewed by Mark Lam.
3036
3037         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
3038         boolean literals, but it would only work for false. Change it so that it
3039         takes the fast path for true, false, null and undefined.
3040
3041         * llint/LowLevelInterpreter.asm:
3042         * llint/LowLevelInterpreter64.asm:
3043
3044 2018-06-08  Brian Burg  <bburg@apple.com>
3045
3046         [Cocoa] Web Automation: include browser name and version in listing for automation targets
3047         https://bugs.webkit.org/show_bug.cgi?id=186204
3048         <rdar://problem/36950423>
3049
3050         Reviewed by Darin Adler.
3051
3052         Ask the client what the reported browser name and version should be, then
3053         send this as part of the listing for an automation target.
3054
3055         * inspector/remote/RemoteInspectorConstants.h:
3056         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3057         (Inspector::RemoteInspector::listingForAutomationTarget const):
3058
3059 2018-06-07  Chris Dumez  <cdumez@apple.com>
3060
3061         Add base class to get WeakPtrFactory member and avoid some boilerplate code
3062         https://bugs.webkit.org/show_bug.cgi?id=186407
3063
3064         Reviewed by Brent Fulgham.
3065
3066         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
3067         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
3068         This also gets rid of old-style createWeakPtr() methods in favor of the newer
3069         makeWeakPtr().
3070
3071         * wasm/WasmInstance.h:
3072         * wasm/WasmMemory.cpp:
3073         (JSC::Wasm::Memory::registerInstance):
3074
3075 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
3076
3077         Don't try to allocate JIT memory if we don't have the JIT entitlement
3078         https://bugs.webkit.org/show_bug.cgi?id=182605
3079         <rdar://problem/38271229>
3080
3081         Reviewed by Mark Lam.
3082
3083         Check that the current process has the correct entitlements before
3084         trying to allocate JIT memory to silence warnings.
3085
3086         * jit/ExecutableAllocator.cpp:
3087         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms
3088         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate
3089
3090 2018-06-07  Saam Barati  <sbarati@apple.com>
3091
3092         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
3093         https://bugs.webkit.org/show_bug.cgi?id=186386
3094
3095         Reviewed by Filip Pizlo.
3096
3097         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
3098
3099         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3100         (JSC::DFG::TierUpCheckInjectionPhase::run):
3101
3102 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3103
3104         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
3105         https://bugs.webkit.org/show_bug.cgi?id=186237
3106
3107         Reviewed by Saam Barati.
3108
3109         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
3110         that means that we never notice that it fired if it fires between when the DFG decides to
3111         watch it and when it actually adds the watchpoint.
3112         
3113         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
3114         reason for being initialized blind: that's how we knew to ignore changes to the prototype
3115         before the first allocation. However, that functionality also arose out of the fact that the
3116         rare data is created lazily and usually won't exist until the first allocation.
3117         
3118         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
3119         object allocation profile.
3120         
3121         It's hard to repro this race; however, it started causing spurious test failures for me after
3122         bug 164904.
3123
3124         * runtime/FunctionRareData.cpp:
3125         (JSC::FunctionRareData::FunctionRareData):
3126         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3127
3128 2018-06-07  Saam Barati  <sbarati@apple.com>
3129
3130         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
3131         https://bugs.webkit.org/show_bug.cgi?id=186218
3132         <rdar://problem/38449540>
3133
3134         Reviewed by Filip Pizlo.
3135
3136         This patch makes tierUpCommon a tad bit more sane. There are a few things
3137         that I did:
3138         - There were a few release asserts that were crashing. Those release asserts
3139         were incorrect. They were making assumptions about how the code and data
3140         structures were ordered that were wrong. This patch removes them. The code
3141         was using the loop hierarchy vector to make assumptions about which loop we
3142         were currently executing in, which is incorrect. The only information that
3143         can be used about where we're currently executing is the bytecode index we're
3144         at.
3145         - This makes it so that we go back to trying to compile outer loops before
3146         inner loops. JF accidentally reverted this behavior that Ben implemented.
3147         JF made it so that we just compiled the innermost loop. I make this
3148         functionality work by first triggering a compile for the outermost loop
3149         that the code is currently executing in and that can perform OSR entry.
3150         However, some programs can get stuck in inner loops. The code works by
3151         progressively asking inner loops to compile if program execution has not
3152         yet reached an outer loop.
3153
3154         * dfg/DFGOperations.cpp:
3155
3156 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
3157
3158         ArityFixup should adjust SP first on 32-bit platforms too
3159         https://bugs.webkit.org/show_bug.cgi?id=186351
3160
3161         Reviewed by Yusuke Suzuki.
3162
3163         * jit/ThunkGenerators.cpp:
3164         (JSC::arityFixupGenerator):
3165
3166 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3167
3168         [DFG] Compare operations do not respect negative zeros
3169         https://bugs.webkit.org/show_bug.cgi?id=183729
3170
3171         Reviewed by Saam Barati.
3172
3173         Compare operations do not respect negative zeros. So propagating this can
3174         reduce the size of the produced code for negative zero case. This pattern
3175         can be seen in Kraken stanford-crypto-aes.
3176
3177         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
3178         However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
3179         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
3180
3181         * bytecode/SpeculatedType.cpp:
3182         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
3183         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
3184         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
3185         SpecDoubleReal.
3186
3187         * dfg/DFGBackwardsPropagationPhase.cpp:
3188         (JSC::DFG::BackwardsPropagationPhase::propagate):
3189
3190 2018-06-06  Saam Barati  <sbarati@apple.com>
3191
3192         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
3193         https://bugs.webkit.org/show_bug.cgi?id=186363
3194
3195         Rubber-stamped by Filip Pizlo.
3196
3197         The code was assuming that the object it was creating an OPC for always
3198         had a non-poly-proto structure. However, this assumption was wrong. For
3199         example, an object in the prototype chain could be poly proto. That type 
3200         of object graph would cause a crash in this code. This patch makes it so
3201         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
3202         object as we traverse the prototype chain.
3203
3204         * bytecode/ObjectPropertyConditionSet.cpp:
3205         (JSC::generateConditionsForInstanceOf):
3206
3207 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3208
3209         Adjust compile and runtime flags to match shippable state of features
3210         https://bugs.webkit.org/show_bug.cgi?id=186319
3211         <rdar://problem/40352045>
3212
3213         Reviewed by Maciej Stachowiak, Jon Lee, and others.
3214
3215         This patch revises the compile time and runtime state for various features to match their
3216         suitability for end-user releases.
3217
3218         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
3219         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
3220         Cocoa builds.
3221         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
3222         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
3223         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
3224         at runtime for non-production builds.
3225
3226 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3227
3228         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
3229         https://bugs.webkit.org/show_bug.cgi?id=186286
3230         <rdar://problem/40782992>
3231
3232         Reviewed by Dan Bernstein.
3233
3234         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
3235         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
3236         change this flag when preparing for a production release.
3237
3238         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
3239         whether experimental features should be enabled, and use it to properly define the
3240         feature flag.
3241
3242 2018-06-05  Darin Adler  <darin@apple.com>
3243
3244         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
3245         https://bugs.webkit.org/show_bug.cgi?id=186301
3246
3247         Reviewed by Anders Carlsson.
3248
3249         * API/JSContext.mm:
3250         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
3251         (-[JSContext setName:]): Removed unnecessary call to copy, since the
3252         JSStringCreateWithCFString function already reads the characters out
3253         of the string and does not retain the string, so there is no need to
3254         make an immutable copy. And used __bridge for typecast.
3255         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3256         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3257         Ditto.
3258
3259         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3260         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3261         Use CFBridgingRelease instead of autorelease for a CF dictionary that
3262         we return as an NSDictionary.
3263
3264 2018-06-04  Keith Miller  <keith_miller@apple.com>
3265
3266         Remove missing files from JavaScriptCore Xcode project
3267         https://bugs.webkit.org/show_bug.cgi?id=186297
3268
3269         Reviewed by Saam Barati.
3270
3271         * JavaScriptCore.xcodeproj/project.pbxproj:
3272
3273 2018-06-04  Keith Miller  <keith_miller@apple.com>
3274
3275         Add test for CoW conversions in the DFG/FTL
3276         https://bugs.webkit.org/show_bug.cgi?id=186295
3277
3278         Reviewed by Saam Barati.
3279
3280         Add a function to $vm that returns a JSString containing the
3281         dataLog dump of the indexingMode of an Object.
3282
3283         * tools/JSDollarVM.cpp:
3284         (JSC::functionIndexingMode):
3285         (JSC::JSDollarVM::finishCreation):
3286
3287 2018-06-04  Saam Barati  <sbarati@apple.com>
3288
3289         Set the activeLength of all ScratchBuffers to zero when exiting the VM
3290         https://bugs.webkit.org/show_bug.cgi?id=186284
3291         <rdar://problem/40780738>
3292
3293         Reviewed by Keith Miller.
3294
3295         Simon recently found instances where we leak global objects from the
3296         ScratchBuffer. Yusuke found that we forgot to set the active length
3297         back to zero when doing catch OSR entry in the DFG/FTL. His solution
3298         to this was adding a node that cleared the active length. This is
3299         a good node to have, but it's not a complete solution: the DFG/FTL
3300         could OSR exit before that node executes, which would cause us to leak
3301         the data in it.
3302         
3303         This patch makes it so that we set each scratch buffer's active length
3304         to zero on VM exit. This helps prevent leaks for JS code that eventually
3305         exits the VM (which is essentially all code on the web and all API users).
3306
3307         * runtime/VM.cpp:
3308         (JSC::VM::clearScratchBuffers):
3309         * runtime/VM.h:
3310         * runtime/VMEntryScope.cpp:
3311         (JSC::VMEntryScope::~VMEntryScope):
3312
3313 2018-06-04  Keith Miller  <keith_miller@apple.com>
3314
3315         JSLock should clear last exception when releasing the lock
3316         https://bugs.webkit.org/show_bug.cgi?id=186277
3317
3318         Reviewed by Mark Lam.
3319
3320         If we don't clear the last exception we essentially leak the
3321         object and everything referenced by it until another exception is
3322         thrown.
3323
3324         * runtime/JSLock.cpp:
3325         (JSC::JSLock::willReleaseLock):
3326
3327 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3328
3329         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
3330         https://bugs.webkit.org/show_bug.cgi?id=180248
3331
3332         Reviewed by Sam Weinig.
3333
3334         As a final step, this patch removes ListableHandler from JSC.
3335         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
3336
3337         * CMakeLists.txt:
3338         * JavaScriptCore.xcodeproj/project.pbxproj:
3339         * heap/Heap.h:
3340         * heap/ListableHandler.h: Removed.
3341
3342 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3343
3344         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
3345         https://bugs.webkit.org/show_bug.cgi?id=186223
3346
3347         Reviewed by Keith Miller.
3348
3349         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
3350         It makes this buffer a conservative GC root and allows it to hold GC objects unnecessarily long.
3351
3352         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
3353         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
3354         this ClearCatchLocals valid.
3355
3356         The existing tests for ExtractCatchLocal just pass.
3357
3358         * dfg/DFGAbstractHeap.h:
3359         * dfg/DFGAbstractInterpreterInlines.h:
3360         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3361         * dfg/DFGByteCodeParser.cpp:
3362         (JSC::DFG::ByteCodeParser::parseBlock):
3363         * dfg/DFGClobberize.h:
3364         (JSC::DFG::clobberize):
3365         * dfg/DFGDoesGC.cpp:
3366         (JSC::DFG::doesGC):
3367         * dfg/DFGFixupPhase.cpp:
3368         (JSC::DFG::FixupPhase::fixupNode):
3369         * dfg/DFGMayExit.cpp:
3370         * dfg/DFGNodeType.h:
3371         * dfg/DFGOSREntry.cpp:
3372         (JSC::DFG::prepareCatchOSREntry):
3373         * dfg/DFGPredictionPropagationPhase.cpp:
3374         * dfg/DFGSafeToExecute.h:
3375         (JSC::DFG::safeToExecute):
3376         * dfg/DFGSpeculativeJIT.cpp:
3377         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
3378         * dfg/DFGSpeculativeJIT.h:
3379         * dfg/DFGSpeculativeJIT32_64.cpp:
3380         (JSC::DFG::SpeculativeJIT::compile):
3381         * dfg/DFGSpeculativeJIT64.cpp:
3382         (JSC::DFG::SpeculativeJIT::compile):
3383         * ftl/FTLCapabilities.cpp:
3384         (JSC::FTL::canCompile):
3385         * ftl/FTLLowerDFGToB3.cpp:
3386         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3387         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
3388
3389 2018-06-02  Darin Adler  <darin@apple.com>
3390
3391         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
3392         https://bugs.webkit.org/show_bug.cgi?id=186227
3393
3394         Reviewed by Dan Bernstein.
3395
3396         * API/JSContext.mm:
3397         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
3398         * API/JSValue.mm:
3399         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
3400         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
3401         ARC-compatible, but more efficient.
3402         (valueToString): Use CFBridgingRelease instead of autorelease.
3403
3404 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
3405
3406         [ESNext][BigInt] Implement support for addition operations
3407         https://bugs.webkit.org/show_bug.cgi?id=179002
3408
3409         Reviewed by Yusuke Suzuki.
3410
3411         This patch implements support for BigInt operands in the binary "+"
3412         and binary "-" operators. Right now, we have limited support in the DFG
3413         and FTL JIT layers, but we plan to fix this support in future
3414         patches.
3415
3416         * jit/JITOperations.cpp:
3417         * runtime/CommonSlowPaths.cpp:
3418         (JSC::SLOW_PATH_DECL):
3419         * runtime/JSBigInt.cpp:
3420         (JSC::JSBigInt::parseInt):
3421         (JSC::JSBigInt::stringToBigInt):
3422         (JSC::JSBigInt::toString):
3423         (JSC::JSBigInt::multiply):
3424         (JSC::JSBigInt::divide):
3425         (JSC::JSBigInt::remainder):
3426         (JSC::JSBigInt::add):
3427         (JSC::JSBigInt::sub):
3428         (JSC::JSBigInt::absoluteAdd):
3429         (JSC::JSBigInt::absoluteSub):
3430         (JSC::JSBigInt::toStringGeneric):
3431         (JSC::JSBigInt::allocateFor):
3432         (JSC::JSBigInt::toNumber const):
3433         (JSC::JSBigInt::getPrimitiveNumber const):
3434         * runtime/JSBigInt.h:
3435         * runtime/JSCJSValueInlines.h:
3436         * runtime/Operations.cpp:
3437         (JSC::jsAddSlowCase):
3438         * runtime/Operations.h:
3439         (JSC::jsSub):
3440
3441 2018-06-02  Commit Queue  <commit-queue@webkit.org>
3442
3443         Unreviewed, rolling out r232439.
3444         https://bugs.webkit.org/show_bug.cgi?id=186238
3445
3446         It breaks gtk-linux-32-release (Requested by caiolima on
3447         #webkit).
3448
3449         Reverted changeset:
3450
3451         "[ESNext][BigInt] Implement support for addition operations"
3452         https://bugs.webkit.org/show_bug.cgi?id=179002
3453         https://trac.webkit.org/changeset/232439
3454
3455 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3456
3457         Baseline op_jtrue emits an insane amount of code
3458         https://bugs.webkit.org/show_bug.cgi?id=185708
3459
3460         Reviewed by Filip Pizlo.
3461
3462         op_jtrue / op_jfalse bloat a massive amount of code. This patch attempts to reduce the size of this code by:
3463
3464         1. op_jtrue / op_jfalse immediately jump if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
3465            to jump directly. This tightens the code.
3466
3467         2. Align our emitConvertValueToBoolean implementation with FTL's boolify function. It emits less code.
3468
3469         This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
3470
3471         [  12] jtrue             arg1, 6(->18)
3472               0x7f233170162c: mov 0x30(%rbp), %rax
3473               0x7f2331701630: mov %rax, %rsi
3474               0x7f2331701633: xor $0x6, %rsi
3475               0x7f2331701637: test $0xfffffffffffffffe, %rsi
3476               0x7f233170163e: jnz 0x7f2331701654
3477               0x7f2331701644: cmp $0x7, %eax
3478               0x7f2331701647: setz %sil
3479               0x7f233170164b: movzx %sil, %esi
3480               0x7f233170164f: jmp 0x7f2331701705
3481               0x7f2331701654: test %rax, %r14
3482               0x7f2331701657: jz 0x7f233170169c
3483               0x7f233170165d: cmp %r14, %rax
3484               0x7f2331701660: jb 0x7f2331701675
3485               0x7f2331701666: test %eax, %eax
3486               0x7f2331701668: setnz %sil
3487               0x7f233170166c: movzx %sil, %esi
3488               0x7f2331701670: jmp 0x7f2331701705
3489               0x7f2331701675: lea (%r14,%rax), %rsi
3490               0x7f2331701679: movq %rsi, %xmm0
3491               0x7f233170167e: xorps %xmm1, %xmm1
3492               0x7f2331701681: ucomisd %xmm1, %xmm0
3493               0x7f2331701685: jz 0x7f2331701695
3494               0x7f233170168b: mov $0x1, %esi
3495               0x7f2331701690: jmp 0x7f2331701705
3496               0x7f2331701695: xor %esi, %esi
3497               0x7f2331701697: jmp 0x7f2331701705
3498               0x7f233170169c: test %rax, %r15
3499               0x7f233170169f: jnz 0x7f2331701703
3500               0x7f23317016a5: cmp $0x1, 0x5(%rax)
3501               0x7f23317016a9: jnz 0x7f23317016c1
3502               0x7f23317016af: mov 0x8(%rax), %esi
3503               0x7f23317016b2: test %esi, %esi
3504               0x7f23317016b4: setnz %sil
3505               0x7f23317016b8: movzx %sil, %esi
3506               0x7f23317016bc: jmp 0x7f2331701705
3507               0x7f23317016c1: test $0x1, 0x6(%rax)
3508               0x7f23317016c5: jz 0x7f23317016f9
3509               0x7f23317016cb: mov (%rax), %esi
3510               0x7f23317016cd: mov $0x7f23315000c8, %rdx
3511               0x7f23317016d7: mov (%rdx), %rdx
3512               0x7f23317016da: mov (%rdx,%rsi,8), %rsi
3513               0x7f23317016de: mov $0x7f2330de0000, %rdx
3514               0x7f23317016e8: cmp %rdx, 0x18(%rsi)
3515               0x7f23317016ec: jnz 0x7f23317016f9
3516               0x7f23317016f2: xor %esi, %esi
3517               0x7f23317016f4: jmp 0x7f2331701705
3518               0x7f23317016f9: mov $0x1, %esi
3519               0x7f23317016fe: jmp 0x7f2331701705
3520               0x7f2331701703: xor %esi, %esi
3521               0x7f2331701705: test %esi, %esi
3522               0x7f2331701707: jnz 0x7f233170171b
3523
3524         [  12] jtrue             arg1, 6(->18)
3525               0x7f6c8710156c: mov 0x30(%rbp), %rax
3526               0x7f6c87101570: test %rax, %r15
3527               0x7f6c87101573: jnz 0x7f6c871015c8
3528               0x7f6c87101579: cmp $0x1, 0x5(%rax)
3529               0x7f6c8710157d: jnz 0x7f6c87101592
3530               0x7f6c87101583: cmp $0x0, 0x8(%rax)
3531               0x7f6c87101587: jnz 0x7f6c87101623
3532               0x7f6c8710158d: jmp 0x7f6c87101615
3533               0x7f6c87101592: test $0x1, 0x6(%rax)
3534               0x7f6c87101596: jz 0x7f6c87101623
3535               0x7f6c8710159c: mov (%rax), %esi
3536               0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
3537               0x7f6c871015a8: mov (%rdx), %rdx
3538               0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
3539               0x7f6c871015af: mov $0x7f6c867e0000, %rdx
3540               0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
3541               0x7f6c871015bd: jnz 0x7f6c87101623
3542               0x7f6c871015c3: jmp 0x7f6c87101615
3543               0x7f6c871015c8: cmp %r14, %rax
3544               0x7f6c871015cb: jb 0x7f6c871015de
3545               0x7f6c871015d1: test %eax, %eax
3546               0x7f6c871015d3: jnz 0x7f6c87101623
3547               0x7f6c871015d9: jmp 0x7f6c87101615
3548               0x7f6c871015de: test %rax, %r14
3549               0x7f6c871015e1: jz 0x7f6c87101602
3550               0x7f6c871015e7: lea (%r14,%rax), %rsi
3551               0x7f6c871015eb: movq %rsi, %xmm0
3552               0x7f6c871015f0: xorps %xmm1, %xmm1
3553               0x7f6c871015f3: ucomisd %xmm1, %xmm0
3554               0x7f6c871015f7: jz 0x7f6c87101615
3555               0x7f6c871015fd: jmp 0x7f6c87101623
3556               0x7f6c87101602: mov $0x7, %r11
3557               0x7f6c8710160c: cmp %r11, %rax
3558               0x7f6c8710160f: jz 0x7f6c87101623
3559
3560         * dfg/DFGSpeculativeJIT32_64.cpp:
3561         (JSC::DFG::SpeculativeJIT::emitBranch):
3562         * dfg/DFGSpeculativeJIT64.cpp:
3563         (JSC::DFG::SpeculativeJIT::emitBranch):
3564         * jit/AssemblyHelpers.cpp:
3565         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
3566         (JSC::AssemblyHelpers::branchIfValue):
3567         * jit/AssemblyHelpers.h:
3568         (JSC::AssemblyHelpers::branchIfTruthy):
3569         (JSC::AssemblyHelpers::branchIfFalsey):
3570         * jit/JIT.h:
3571         * jit/JITInlines.h:
3572         (JSC::JIT::addJump):
3573         * jit/JITOpcodes.cpp:
3574         (JSC::JIT::emit_op_jfalse):
3575         (JSC::JIT::emit_op_jtrue):
3576         * jit/JITOpcodes32_64.cpp:
3577         (JSC::JIT::emit_op_jfalse):
3578         (JSC::JIT::emit_op_jtrue):
3579
3580 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3581
3582         [JSC] Remove WeakReferenceHarvester
3583         https://bugs.webkit.org/show_bug.cgi?id=186102
3584
3585         Reviewed by Filip Pizlo.
3586
3587         After several cleanups, JSWeakMap has now become the last user of WeakReferenceHarvester.
3588         Since JSWeakMap is already managed in an IsoSubspace, we can iterate marked JSWeakMaps
3589         by using output constraints & Subspace iteration.
3590
3591         This patch removes WeakReferenceHarvester. Instead of managing this linked list, our
3592         output constraint set iterates marked JSWeakMaps by using Subspace.
3593
3594         We also add locking for JSWeakMap's rehash and output constraint visiting.
3595
3596         The attached microbenchmark does not show any regression.
3597
3598         * API/JSAPIWrapperObject.h:
3599         * CMakeLists.txt:
3600         * JavaScriptCore.xcodeproj/project.pbxproj:
3601         * heap/Heap.cpp:
3602         (JSC::Heap::endMarking):
3603         (JSC::Heap::addCoreConstraints):
3604         * heap/Heap.h:
3605         * heap/SlotVisitor.cpp:
3606         (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
3607         * heap/SlotVisitor.h:
3608         * heap/WeakReferenceHarvester.h: Removed.
3609         * runtime/WeakMapImpl.cpp:
3610         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
3611         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitOutputConstraints):
3612         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitOutputConstraints):
3613         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences): Deleted.
3614         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences): Deleted.
3615         * runtime/WeakMapImpl.h:
3616         (JSC::WeakMapImpl::WeakMapImpl):
3617         (JSC::WeakMapImpl::finishCreation):
3618         (JSC::WeakMapImpl::rehash):
3619         (JSC::WeakMapImpl::makeAndSetNewBuffer):
3620         (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
3621
3622 2018-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3623
3624         [JSC] Object.create should have intrinsic
3625         https://bugs.webkit.org/show_bug.cgi?id=186200
3626
3627         Reviewed by Filip Pizlo.
3628
3629         Object.create is used in various JS code. `Object.create(null)` is particularly used
3630         to create an empty plain object with a null [[Prototype]]. We can find `Object.create(null)`
3631         calls in ARES-6/Babylon code.
3632
3633         This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces an ObjectCreate
3634         DFG node. DFG AI and constant folding attempt to convert it to NewObject when the prototype
3635         object is null. It offers a significant performance boost for `Object.create(null)`.
3636
3637                                                          baseline                  patched
3638
3639         object-create-null                           53.7940+-1.5297     ^     19.8846+-0.6584        ^ definitely 2.7053x faster
3640         object-create-unknown-object-prototype       38.9977+-1.1364     ^     37.2207+-0.6143        ^ definitely 1.0477x faster
3641         object-create-untyped-prototype              22.5632+-0.6917           22.2539+-0.6876          might be 1.0139x faster
3642
3643         * dfg/DFGAbstractInterpreterInlines.h:
3644         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3645         * dfg/DFGByteCodeParser.cpp:
3646         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3647         * dfg/DFGClobberize.h:
3648         (JSC::DFG::clobberize):
3649         * dfg/DFGConstantFoldingPhase.cpp:
3650         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3651         * dfg/DFGDoesGC.cpp:
3652         (JSC::DFG::doesGC):
3653         * dfg/DFGFixupPhase.cpp:
3654         (JSC::DFG::FixupPhase::fixupNode):
3655         * dfg/DFGNode.h:
3656         (JSC::DFG::Node::convertToNewObject):
3657         * dfg/DFGNodeType.h:
3658         * dfg/DFGOperations.cpp:
3659         * dfg/DFGOperations.h:
3660         * dfg/DFGPredictionPropagationPhase.cpp:
3661         * dfg/DFGSafeToExecute.h:
3662         (JSC::DFG::safeToExecute):
3663         * dfg/DFGSpeculativeJIT.cpp:
3664         (JSC::DFG::SpeculativeJIT::compileObjectCreate):
3665         * dfg/DFGSpeculativeJIT.h:
3666         * dfg/DFGSpeculativeJIT32_64.cpp:
3667         (JSC::DFG::SpeculativeJIT::compile):
3668         * dfg/DFGSpeculativeJIT64.cpp:
3669         (JSC::DFG::SpeculativeJIT::compile):
3670         * ftl/FTLCapabilities.cpp:
3671         (JSC::FTL::canCompile):
3672         * ftl/FTLLowerDFGToB3.cpp:
3673         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3674         (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
3675         * runtime/Intrinsic.cpp:
3676         (JSC::intrinsicName):
3677         * runtime/Intrinsic.h:
3678         * runtime/JSGlobalObject.cpp:
3679         (JSC::JSGlobalObject::init):
3680         (JSC::JSGlobalObject::visitChildren):
3681         * runtime/JSGlobalObject.h:
3682         (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
3683         * runtime/ObjectConstructor.cpp:
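As an added example (not code from the WebKit ChangeLog or from the JSC sources), the following JavaScript shows the observable semantics that folding ObjectCreate into NewObject has to preserve, and why a null-prototype object is the usual choice for a dictionary keyed by untrusted strings. The helper names createWith, describe, countWords and nonObjectPrototypeThrows are the example's own, and the word lists are constructed input. It goes slightly beyond the entry by also covering a non-null object prototype and a non-object prototype, which must throw a TypeError and therefore can never take the NewObject fast path.

```javascript
// Added example (not from the WebKit ChangeLog or JSC sources): semantics the
// ObjectCreate -> NewObject fold must preserve, and the dictionary use case
// that motivates Object.create(null).

// Thin wrapper so the three argument classes are visible at the call sites:
// null (the fold's fast-path case), an object prototype, and a non-object.
function createWith(proto) {
  return Object.create(proto);
}

// Summarises what an object inherits; a null-prototype object inherits nothing.
function describe(obj) {
  return {
    proto: Object.getPrototypeOf(obj),
    inheritsToString: "toString" in obj,
    ownKeys: Object.keys(obj),
  };
}

// Word counter keyed by attacker-chosen strings. With a plain {} the keys
// "__proto__" and "constructor" resolve to inherited properties, so the count
// is polluted; with Object.create(null) they are ordinary own data properties.
function countWords(words, useNullProto) {
  const counts = useNullProto ? createWith(null) : {};
  for (const w of words) {
    counts[w] = (counts[w] || 0) + 1; // with {} this reads inherited props first
  }
  return counts;
}

// Object.create requires an object or null; anything else throws a TypeError,
// which is why the fold is only attempted once the prototype is known to be null.
function nonObjectPrototypeThrows(value) {
  try {
    createWith(value);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Running countWords over the constructed list ["__proto__", "constructor", "__proto__"] with a plain object yields a single own key ("constructor", holding a string built from the Object constructor) and leaves "__proto__" pointing at Object.prototype, whereas the null-prototype variant records the expected counts 2 and 1.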
3684
3685 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
3686
3687         [ESNext][BigInt] Implement support for addition operations
3688         https://bugs.webkit.org/show_bug.cgi?id=179002
3689
3690         Reviewed by Yusuke Suzuki.
3691
3692         This patch implements support for BigInt operands in the binary "+"
3693         and binary "-" operators. Right now, we have limited support in the DFG
3694         and FTL JIT layers, but we plan to fix this support in future
3695         patches.
3696
3697         * jit/JITOperations.cpp:
3698         * runtime/CommonSlowPaths.cpp:
3699         (JSC::SLOW_PATH_DECL):
3700         * runtime/JSBigInt.cpp:
3701         (JSC::JSBigInt::parseInt):
3702         (JSC::JSBigInt::stringToBigInt):
3703         (JSC::JSBigInt::toString):
3704         (JSC::JSBigInt::multiply):
3705         (JSC::JSBigInt::divide):
3706         (JSC::JSBigInt::remainder):
3707         (JSC::JSBigInt::add):
3708         (JSC::JSBigInt::sub):
3709         (JSC::JSBigInt::absoluteAdd):
3710         (JSC::JSBigInt::absoluteSub):
3711         (JSC::JSBigInt::toStringGeneric):
3712         (JSC::JSBigInt::allocateFor):
3713         (JSC::JSBigInt::toNumber const):
3714         (JSC::JSBigInt::getPrimitiveNumber const):
3715         * runtime/JSBigInt.h:
3716         * runtime/JSCJSValueInlines.h:
3717         * runtime/Operations.cpp:
3718         (JSC::jsAddSlowCase):
3719         * runtime/Operations.h:
3720         (JSC::jsSub):
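Added example, not from the ChangeLog or the JSC sources, covering this entry and its earlier rolled-out landing above: the JavaScript below enumerates the operand combinations that jsAddSlowCase and jsSub must distinguish once BigInt operands are allowed in binary "+" and "-" (BigInt with BigInt, BigInt with a string, BigInt with a Number, and an object whose valueOf yields a BigInt). The names addValues, subValues, classify, addCases and subCases are the example's own, and the operand values are constructed.

```javascript
// Added example (not from the WebKit ChangeLog or JSC sources): the case table
// for binary "+" and "-" with BigInt operands.

function addValues(a, b) {
  return a + b;
}

function subValues(a, b) {
  return a - b;
}

// Runs one operator on a pair of operands and reports the result type, or the
// error class, so that the TypeError cases sit in the same table as the rest.
function classify(op, a, b) {
  try {
    const result = op(a, b);
    return { type: typeof result, value: result };
  } catch (e) {
    return { type: "throws", value: e.constructor.name };
  }
}

// Constructed operand pairs for "+": the slow path must pick exact BigInt
// arithmetic, string concatenation, or a TypeError depending on the operands.
function addCases() {
  const big = 2n ** 64n; // constructed value beyond the double mantissa
  return {
    bigBig: classify(addValues, big, 1n),                               // exact bigint result
    bigString: classify(addValues, big, "!"),                           // ToPrimitive -> string concat
    bigNumber: classify(addValues, big, 1),                             // mixing types throws TypeError
    bigObject: classify(addValues, big, { valueOf() { return 5n; } }),  // valueOf yields a bigint
    numberNumber: classify(addValues, 2 ** 53, 1),                      // doubles silently lose the +1
  };
}

// Constructed operand pairs for "-": there is no string concatenation path,
// so a string operand goes through ToNumeric and then hits the mixing rule.
function subCases() {
  return {
    bigBig: classify(subValues, 5n, 7n),      // negative bigint result
    bigString: classify(subValues, 5n, "2"),  // "2" -> Number 2 -> TypeError
    bigNumber: classify(subValues, 5n, 2),    // TypeError
  };
}
```

The numberNumber row is the contrast the feature exists for: 2**53 + 1 collapses back to 2**53 as a double, while the BigInt row keeps every digit.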
3721
3722 2018-06-01  Wenson Hsieh  <wenson_hsieh@apple.com>
3723
3724         Fix the watchOS build after r232385
3725         https://bugs.webkit.org/show_bug.cgi?id=186203
3726
3727         Reviewed by Keith Miller.
3728
3729         Add a missing header include for JSImmutableButterfly.
3730
3731         * runtime/ArrayPrototype.cpp:
3732
3733 2018-05-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3734
3735         [JSC] Add Symbol.prototype.description getter
3736         https://bugs.webkit.org/show_bug.cgi?id=186053
3737
3738         Reviewed by Keith Miller.
3739
3740         The Symbol.prototype.description accessor is now stage 3[1].
3741         This adds a getter to retrieve the [[Description]] value from a Symbol.
3742         Previously, Symbol#toString() returned a `Symbol(${description})` value,
3743         so users had to extract the `description` part if they wanted it.
3744
3745         [1]: https://tc39.github.io/proposal-Symbol-description/
3746
3747         * runtime/Symbol.cpp:
3748         (JSC::Symbol::description const):
3749         * runtime/Symbol.h:
3750         * runtime/SymbolPrototype.cpp:
3751         (JSC::tryExtractSymbol):
3752         (JSC::symbolProtoGetterDescription):
3753         (JSC::symbolProtoFuncToString):
3754         (JSC::symbolProtoFuncValueOf):
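As an added example (not code from the WebKit ChangeLog or from JSC itself), the following JavaScript contrasts the pre-getter workaround of parsing Symbol#toString() with the Symbol.prototype.description getter this entry adds. The helper names descriptionFromToString, descriptionFromGetter, compare and getterRejectsNonSymbol are the example's own, and the sample symbols are constructed. It shows the case the workaround cannot express: Symbol() and Symbol("") both stringify as "Symbol()", while the getter returns undefined for the first and "" for the second, and it checks that the getter refuses a non-symbol receiver, which is the role of tryExtractSymbol in the entry.

```javascript
// Added example (not from the WebKit ChangeLog or JSC sources): extracting a
// symbol's description before and after Symbol.prototype.description.

// Workaround used before the getter existed: peel "Symbol(" and ")" off the
// result of toString(). It cannot tell an absent description from an empty one.
function descriptionFromToString(sym) {
  const text = Symbol.prototype.toString.call(sym); // e.g. "Symbol(foo)"
  return text.slice("Symbol(".length, -1);
}

// The getter reads the [[Description]] slot directly.
function descriptionFromGetter(sym) {
  return sym.description;
}

// Constructed sample symbols covering the edge cases the getter handles.
const samples = {
  named: Symbol("foo"),
  empty: Symbol(""),
  absent: Symbol(),
  registered: Symbol.for("shared"),
  wellKnown: Symbol.iterator,
};

// Builds a side-by-side table of both extraction methods for every sample.
function compare() {
  const out = {};
  for (const [name, sym] of Object.entries(samples)) {
    out[name] = {
      viaToString: descriptionFromToString(sym),
      viaGetter: descriptionFromGetter(sym),
    };
  }
  return out;
}

// The getter lives on Symbol.prototype and throws a TypeError for receivers
// that are neither symbols nor Symbol wrapper objects.
function getterRejectsNonSymbol() {
  const get = Object.getOwnPropertyDescriptor(Symbol.prototype, "description").get;
  try {
    get.call("not a symbol");
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

In the compare() table the named, registered and well-known rows agree between the two methods; only the empty and absent rows differ, and that difference is exactly the information toString() discards.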
3755
3756 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3757
3758         [JSC] Correct values and members of JSBigInt appropriately
3759         https://bugs.webkit.org/show_bug.cgi?id=186196
3760
3761         Reviewed by Darin Adler.
3762
3763         This patch cleans up a bit to select more appropriate values and members of JSBigInt.
3764
3765         1. JSBigInt's structure should be StructureIsImmortal.
3766         2. JSBigInt::allocationSize should be annotated with `inline`.
3767         3. Remove JSBigInt::visitChildren since it is completely the same as JSCell::visitChildren.
3768         4. Remove JSBigInt::finishCreation since it is completely the same as JSCell::finishCreation.
3769
3770         * runtime/JSBigInt.cpp:
3771         (JSC::JSBigInt::allocationSize):
3772         (JSC::JSBigInt::allocateFor):
3773         (JSC::JSBigInt::compareToDouble):
3774         (JSC::JSBigInt::visitChildren): Deleted.
3775         (JSC::JSBigInt::finishCreation): Deleted.
3776         * runtime/JSBigInt.h:
3777
3778 2018-05-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3779
3780         [DFG] InById should be converted to MatchStructure
3781         https://bugs.webkit.org/show_bug.cgi?id=185803
3782
3783         Reviewed by Keith Miller.
3784
3785         MatchStructure was introduced for instanceof optimization. But this node
3786         is also useful for the InById node. This patch converts InById to a MatchStructure
3787         node with CheckStructures if possible by using InByIdStatus.
3788
3789         Added microbenchmarks show improvements.
3790
3791                                    baseline                  patched
3792
3793         in-by-id-removed       18.1196+-0.8108     ^     16.1702+-0.9773        ^ definitely 1.1206x faster
3794         in-by-id-match         16.3912+-0.2608     ^     15.2736+-0.8173        ^ definitely 1.0732x faster
3795
3796         * JavaScriptCore.xcodeproj/project.pbxproj:
3797         * Sources.txt:
3798         * bytecode/InByIdStatus.cpp: Added.
3799         (JSC::InByIdStatus::appendVariant):
3800         (JSC::InByIdStatus::computeFor):
3801         (JSC::InByIdStatus::hasExitSite):
3802         (JSC::InByIdStatus::computeForStubInfo):
3803         (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3804         (JSC::InByIdStatus::filter):
3805         (JSC::InByIdStatus::dump const):
3806         * bytecode/InByIdStatus.h: Added.
3807         (JSC::InByIdStatus::InByIdStatus):
3808         (JSC::InByIdStatus::state const):
3809         (JSC::InByIdStatus::isSet const):
3810         (JSC::InByIdStatus::operator bool const):
3811         (JSC::InByIdStatus::isSimple const):
3812         (JSC::InByIdStatus::numVariants const):
3813         (JSC::InByIdStatus::variants const):
3814         (JSC::InByIdStatus::at const):
3815         (JSC::InByIdStatus::operator[] const):
3816         (JSC::InByIdStatus::takesSlowPath const):
3817         * bytecode/InByIdVariant.cpp: Added.
3818         (JSC::InByIdVariant::InByIdVariant):
3819         (JSC::InByIdVariant::attemptToMerge):
3820         (JSC::InByIdVariant::dump const):
3821         (JSC::InByIdVariant::dumpInContext const):
3822         * bytecode/InByIdVariant.h: Added.
3823         (JSC::InByIdVariant::isSet const):
3824         (JSC::InByIdVariant::operator bool const):
3825         (JSC::InByIdVariant::structureSet const):
3826         (JSC::InByIdVariant::structureSet):
3827         (JSC::InByIdVariant::conditionSet const):
3828         (JSC::InByIdVariant::offset const):
3829         (JSC::InByIdVariant::isHit const):
3830         * bytecode/PolyProtoAccessChain.h:
3831         * dfg/DFGByteCodeParser.cpp:
3832         (JSC::DFG::ByteCodeParser::parseBlock):
3833
3834 2018-06-01  Keith Miller  <keith_miller@apple.com>
3835
3836         move should only emit the move if it's actually needed
3837         https://bugs.webkit.org/show_bug.cgi?id=186123
3838
3839         Reviewed by Saam Barati.
3840
3841         This patch replaces move with moveToDestinationIfNeeded. This
3842         will prevent us from emitting moves to the same location. The old
3843         move has been renamed to emitMove and made private.
3844
3845         * bytecompiler/BytecodeGenerator.cpp:
3846         (JSC::BytecodeGenerator::BytecodeGenerator):
3847         (JSC::BytecodeGenerator::emitMove):
3848         (JSC::BytecodeGenerator::emitGetGlobalPrivate):
3849         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3850         (JSC::BytecodeGenerator::move): Deleted.
3851         * bytecompiler/BytecodeGenerator.h:
3852         (JSC::BytecodeGenerator::move):
3853         (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
3854         * bytecompiler/NodesCodegen.cpp:
3855         (JSC::ThisNode::emitBytecode):
3856         (JSC::SuperNode::emitBytecode):
3857         (JSC::NewTargetNode::emitBytecode):
3858         (JSC::ResolveNode::emitBytecode):
3859         (JSC::TaggedTemplateNode::emitBytecode):
3860         (JSC::ArrayNode::emitBytecode):
3861         (JSC::ObjectLiteralNode::emitBytecode):
3862         (JSC::EvalFunctionCallNode::emitBytecode):
3863         (JSC::FunctionCallResolveNode::emitBytecode):
3864         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
3865         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3866         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
3867         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
3868         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
3869         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
3870         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
3871         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
3872         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
3873         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
3874         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
3875         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
3876         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
3877         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
3878         (JSC::CallFunctionCallDotNode::emitBytecode):
3879         (JSC::ApplyFunctionCallDotNode::emitBytecode):
3880         (JSC::emitPostIncOrDec):
3881         (JSC::PostfixNode::emitBracket):
3882         (JSC::PostfixNode::emitDot):
3883         (JSC::PrefixNode::emitResolve):
3884         (JSC::PrefixNode::emitBracket):
3885         (JSC::PrefixNode::emitDot):
3886         (JSC::LogicalOpNode::emitBytecode):
3887         (JSC::ReadModifyResolveNode::emitBytecode):
3888         (JSC::AssignResolveNode::emitBytecode):
3889         (JSC::AssignDotNode::emitBytecode):
3890         (JSC::AssignBracketNode::emitBytecode):
3891         (JSC::FunctionNode::emitBytecode):
3892         (JSC::ClassExprNode::emitBytecode):
3893         (JSC::DestructuringAssignmentNode::emitBytecode):
3894         (JSC::ArrayPatternNode::emitDirectBinding):
3895         (JSC::ObjectPatternNode::bindValue const):
3896         (JSC::AssignmentElementNode::bindValue const):
3897         (JSC::ObjectSpreadExpressionNode::emitBytecode):
3898
3899 2018-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
3900
3901         [Baseline] Store constant directly in emit_op_mov
3902         https://bugs.webkit.org/show_bug.cgi?id=186182
3903
3904         Reviewed by Saam Barati.
3905
3906         In the old code, we first move a constant to a register and store it to the speci