Source/JavaScriptCore:
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-08-02  Saam Barati  <sbarati@apple.com>

        Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
        https://bugs.webkit.org/show_bug.cgi?id=188271
        <rdar://problem/42850884>

        Reviewed by Michael Saboff.

        This patch defends against the instructionPointer containing garbage bits.
        See radar for details.

        * runtime/MachineContext.h:
        (JSC::MachineContext::instructionPointer):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::tryCreate):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::tryCreate):
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-08-02  David Fenton  <david_fenton@apple.com>

        Unreviewed, rolling out r234489.

        Caused 50+ crashes and 60+ API failures on iOS

        Reverted changeset:

        "[WTF] Rename String::format to String::deprecatedFormat"
        https://bugs.webkit.org/show_bug.cgi?id=188191
        https://trac.webkit.org/changeset/234489

2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add self.queueMicrotask(f) on DOMWindow
        https://bugs.webkit.org/show_bug.cgi?id=188212

        Reviewed by Ryosuke Niwa.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
        (JSC::createJSMicrotask):
        Export them to WebCore.

        (JSC::JSMicrotask::run):
        * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
        Add another version of JSMicrotask which does not have arguments.

2018-08-01  Tomas Popela  <tpopela@redhat.com>

        [WTF] Rename String::format to String::deprecatedFormat
        https://bugs.webkit.org/show_bug.cgi?id=188191

        Reviewed by Darin Adler.

        It should be replaced with string concatenation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::getPropertyValue):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::stopTiming):
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator() const):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):

2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Allow "unknown" formatToParts types
        https://bugs.webkit.org/show_bug.cgi?id=188176

        Reviewed by Darin Adler.

        Originally extra unexpected field types were marked as "literal", since
        the spec did not account for these. The ECMA 402 spec has since been updated
        to specify "unknown" should be used in these cases.

        Currently there is no known way to reach these cases, so no tests can
        account for them. Theoretically they shouldn't exist, but they are specified,
        just to be safe. Marking them as "unknown" instead of "literal" hopefully
        will make such cases easy to identify if they ever happen.

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::partTypeString):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::partTypeString):

2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Implement hourCycle in DateTimeFormat
        https://bugs.webkit.org/show_bug.cgi?id=188006

        Reviewed by Darin Adler.

        Implemented hourCycle, updating both the skeleton and the final pattern.
        Changed resolveLocale to assume undefined options are not given and null
        strings actually mean null, which removes the tag extension.

        * runtime/CommonIdentifiers.h:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDTFInternal::localeData):
        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::resolvedOptions):
        * runtime/IntlDateTimeFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::resolveLocale):

2018-08-01  Keith Miller  <keith_miller@apple.com>

        JSArrayBuffer should have its own JSType
        https://bugs.webkit.org/show_bug.cgi?id=188231

        Reviewed by Saam Barati.

        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::createStructure):
        * runtime/JSCast.h:
        * runtime/JSType.h:

2018-07-31  Keith Miller  <keith_miller@apple.com>

        Unreviewed 32-bit build fix...

        * dfg/DFGSpeculativeJIT32_64.cpp:

2018-07-31  Keith Miller  <keith_miller@apple.com>

        Long compiling JSC files should not be unified
        https://bugs.webkit.org/show_bug.cgi?id=188205

        Reviewed by Saam Barati.

        The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
        to compile. Unifying them means touching anything in the same
        bundle as those files takes a long time to incrementally build.
        This patch separates those files so they build standalone.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGSpeculativeJIT64.cpp:

2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
        https://bugs.webkit.org/show_bug.cgi?id=188201

        Reviewed by Keith Miller.

        We do not reuse the existing butterfly with Contiguous shape for a new ArrayStorage butterfly.
        When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
        new one. So this cellLock() is unnecessary for contiguous shape since a contiguous shaped butterfly
        never enters a broken state. This patch removes unnecessary locking.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):

2018-07-31  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings for 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=187803

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printPCRegister):
        (JSC::Printer::printRegisterID):
        (JSC::Printer::printAddress):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::calculatePokeOffset):
        * runtime/Options.cpp:
        (JSC::parse):

2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>

        watchOS engineering build is broken after r234227
        https://bugs.webkit.org/show_bug.cgi?id=188180

        Reviewed by Keith Miller.

        In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
        postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
        `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
        `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.

        To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
        entirely, since there's no relevant version to replace them with.

        * postprocess-headers.sh:

2018-07-30  Keith Miller  <keith_miller@apple.com>

        Clarify conversion rules for JSValue property access API
        https://bugs.webkit.org/show_bug.cgi?id=188179

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:

2018-07-30  Keith Miller  <keith_miller@apple.com>

        Rename some JSC API functions/types.
        https://bugs.webkit.org/show_bug.cgi?id=188173

        Reviewed by Saam Barati.

        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyForKey):
        (JSObjectGetPropertyForKey):
        (JSObjectSetPropertyForKey):
        (JSObjectDeletePropertyForKey):
        (JSObjectHasPropertyKey): Deleted.
        (JSObjectGetPropertyKey): Deleted.
        (JSObjectSetPropertyKey): Deleted.
        (JSObjectDeletePropertyKey): Deleted.
        * API/JSObjectRef.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
        * API/tests/testapi.cpp:
        (TestAPI::run):

2018-07-30  Mark Lam  <mark.lam@apple.com>

        Add a debugging utility to dump the memory layout of a JSCell.
        https://bugs.webkit.org/show_bug.cgi?id=188157

        Reviewed by Yusuke Suzuki.

        This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
        dump the memory contents of a cell and if present, its butterfly for debugging
        purposes.

        Example usage for JS code when JSC_useDollarVM=true:

            $vm.dumpCell(obj);

        Example usage from C++ code or from lldb:

            (lldb) p JSC::VMInspector::dumpCellMemory(obj)

        Some examples of dumps:

            <0x104bc8260, Object>
              [0] 0x104bc8260 : 0x010016000000016c header
                structureID 364 0x16c structure 0x104b721b0
                indexingTypeAndMisc 0 0x0 NonArray
                type 22 0x16
                flags 0 0x0
                cellState 1
              [1] 0x104bc8268 : 0x0000000000000000 butterfly
              [2] 0x104bc8270 : 0xffff000000000007
              [3] 0x104bc8278 : 0xffff000000000008

            <0x104bb4360, Array>
              [0] 0x104bb4360 : 0x0108210b00000171 header
                structureID 369 0x171 structure 0x104b723e0
                indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
                type 33 0x21
                flags 8 0x8
                cellState 1
              [1] 0x104bb4368 : 0x00000008000f4718 butterfly
                base 0x8000f46e0
                hasIndexingHeader YES hasAnyArrayStorage YES
                publicLength 4 vectorLength 7 indexBias 2
                preCapacity 2 propertyCapacity 4
                  <--- preCapacity
                  [0] 0x8000f46e0 : 0x0000000000000000
                  [1] 0x8000f46e8 : 0x0000000000000000
                  <--- propertyCapacity
                  [2] 0x8000f46f0 : 0x0000000000000000
                  [3] 0x8000f46f8 : 0x0000000000000000
                  [4] 0x8000f4700 : 0xffff00000000000d
                  [5] 0x8000f4708 : 0xffff00000000000c
                  <--- indexingHeader
                  [6] 0x8000f4710 : 0x0000000700000004
                  <--- butterfly
                  <--- arrayStorage
                  [7] 0x8000f4718 : 0x0000000000000000
                  [8] 0x8000f4720 : 0x0000000400000002
                  <--- indexedProperties
                  [9] 0x8000f4728 : 0xffff000000000008
                  [10] 0x8000f4730 : 0xffff000000000009
                  [11] 0x8000f4738 : 0xffff000000000005
                  [12] 0x8000f4740 : 0xffff000000000006
                  [13] 0x8000f4748 : 0x0000000000000000
                  [14] 0x8000f4750 : 0x0000000000000000
                  [15] 0x8000f4758 : 0x0000000000000000
                  <--- unallocated capacity
                  [16] 0x8000f4760 : 0x0000000000000000
                  [17] 0x8000f4768 : 0x0000000000000000
                  [18] 0x8000f4770 : 0x0000000000000000
                  [19] 0x8000f4778 : 0x0000000000000000

        * runtime/JSObject.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpCell):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpCellMemory):
        (JSC::IndentationScope::IndentationScope):
        (JSC::IndentationScope::~IndentationScope):
        (JSC::VMInspector::dumpCellMemoryToStream):
        * tools/VMInspector.h:

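Worked example, added here and not part of the original ChangeLog entry or of JSC's own sources: a small C++ decoder for the words that the dumps above print, using the field positions the dumps themselves make visible (structureID in the low 32 bits of the header, then one byte each of indexingTypeAndMisc, type, flags and cellState; publicLength/vectorLength in the two halves of the indexing header; "base" = butterfly minus the pre/property slots and the indexing header). Two things are assumptions rather than facts from the entry: the high half of the second ArrayStorage word is read as numValuesInVector, and the int32 boxing rule (top 16 bits set, as in 0xffff000000000007) is taken from JSC's 64-bit JSValue encoding.

```cpp
// Added example (not JSC code): decode the words printed by $vm.dumpCell() /
// VMInspector::dumpCellMemory(), using the layout visible in the dumps above.
#include <cstdint>
#include <cstdio>

// 64-bit JSCell header as the dump shows it: structureID in the low 32 bits,
// then one byte each for indexingTypeAndMisc, type, flags and cellState
// (0x0108210b00000171 -> structureID 369, indexing 11, type 33, flags 8, cellState 1).
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

CellHeader decodeCellHeader(uint64_t word)
{
    CellHeader h;
    h.structureID = static_cast<uint32_t>(word & 0xffffffffull);
    h.indexingTypeAndMisc = static_cast<uint8_t>((word >> 32) & 0xff);
    h.type = static_cast<uint8_t>((word >> 40) & 0xff);
    h.flags = static_cast<uint8_t>((word >> 48) & 0xff);
    h.cellState = static_cast<uint8_t>((word >> 56) & 0xff);
    return h;
}

// Indexing header: the 8-byte word immediately before the butterfly pointer,
// publicLength in the low half and vectorLength in the high half
// (0x0000000700000004 -> publicLength 4, vectorLength 7).
struct IndexingHeader {
    uint32_t publicLength;
    uint32_t vectorLength;
};

IndexingHeader decodeIndexingHeader(uint64_t word)
{
    IndexingHeader ih;
    ih.publicLength = static_cast<uint32_t>(word & 0xffffffffull);
    ih.vectorLength = static_cast<uint32_t>(word >> 32);
    return ih;
}

// Second ArrayStorage word (the first is the sparse-map pointer): indexBias in
// the low half; the high half is assumed (from JSC's ArrayStorage layout, not
// from the dump, which does not label it) to be numValuesInVector
// (0x0000000400000002 -> indexBias 2, numValuesInVector 4).
struct ArrayStorageCounts {
    uint32_t indexBias;
    uint32_t numValuesInVector;
};

ArrayStorageCounts decodeArrayStorageCounts(uint64_t word)
{
    ArrayStorageCounts c;
    c.indexBias = static_cast<uint32_t>(word & 0xffffffffull);
    c.numValuesInVector = static_cast<uint32_t>(word >> 32);
    return c;
}

// "base" in the dump: preCapacity + propertyCapacity 8-byte slots plus the
// 8-byte indexing header precede the butterfly pointer.
uint64_t butterflyBase(uint64_t butterfly, uint32_t preCapacity, uint32_t propertyCapacity)
{
    return butterfly - 8ull * (preCapacity + propertyCapacity) - 8ull;
}

// Assumption from JSC's 64-bit JSValue encoding: a boxed int32 has its top
// 16 bits set, so 0xffff000000000007 is the integer 7.
bool isBoxedInt32(uint64_t word)
{
    return (word >> 48) == 0xffffull;
}

int32_t unboxInt32(uint64_t word)
{
    return static_cast<int32_t>(word & 0xffffffffull);
}

int main()
{
    CellHeader h = decodeCellHeader(0x0108210b00000171ull); // the Array dump above
    std::printf("structureID %u indexingTypeAndMisc %u type %u flags %u cellState %u\n",
                h.structureID, h.indexingTypeAndMisc, h.type, h.flags, h.cellState);
    std::printf("base 0x%llx\n",
                static_cast<unsigned long long>(butterflyBase(0x8000f4718ull, 2, 4)));
    return 0;
}
```

Feeding the two header words from the dumps into decodeCellHeader() reproduces the structureID/type/flags/cellState lines, and butterflyBase(0x8000f4718, 2, 4) yields the 0x8000f46e0 the dump reports as base, which is a quick way to sanity-check a dump taken from a corrupted or suspicious cell.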
2018-07-27  Mark Lam  <mark.lam@apple.com>

        Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
        https://bugs.webkit.org/show_bug.cgi?id=188123
        <rdar://problem/42672268>

        Reviewed by Keith Miller.

        1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
           padding space in VM and Heap, and should not cost any measurable perf to
           initialize and update.

        2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():

           worldState tells us the value we failed the assertion on.

           m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
           that led us here.

           VM::id(), and VM::numberOfIDs() tell us how many VMs may be in play.

           VM::isEntered() tells us if the current VM is currently executing JS code.

           Some of this data may be redundant, but the redundancy is intentional so that
           we can double check what is really happening at the time of crash.

        * heap/Heap.cpp:
        (JSC::asInt):
        (JSC::Heap::checkConn):
        (JSC::Heap::changePhase):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::nextID):
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::numberOfIDs):
        (JSC::VM::id const):
        (JSC::VM::isEntered const):

2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile correctly
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
        This is important since our OSR exit compiler records m_observedArrayModes by calculating
        ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
        our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
        Array::Generic DFG nodes.

        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        (JSC::ArrayProfile::ArrayProfile):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * runtime/IndexingType.h:

2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Remove INTL sub-feature compile flags
        https://bugs.webkit.org/show_bug.cgi?id=188081

        Reviewed by Michael Catanzaro.

        Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
        The runtime flags are still present, and should be relied on instead.
        The defines for ICU features have also been updated to match HAVE() style.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h:
        * runtime/Options.h:

2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Dump IndexingMode in Structure
        https://bugs.webkit.org/show_bug.cgi?id=188085

        Reviewed by Keith Miller.

        Dump IndexingMode instead of IndexingType.

        * runtime/Structure.cpp:
        (JSC::Structure::dump const):

2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>

        String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
        https://bugs.webkit.org/show_bug.cgi?id=187963

        Reviewed by Alex Christensen.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        * jsc.cpp:
        (ModuleName::ModuleName):
        (resolvePath):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLanguageTag):
        (JSC::removeUnicodeLocaleExtension):
        Update split/splitAllowingEmptyEntries usage.

2018-07-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234181 and r234189.
        https://bugs.webkit.org/show_bug.cgi?id=188075

        These are not needed right now (Requested by thorton on
        #webkit).

        Reverted changesets:

        "Enable Web Content Filtering on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187979
        https://trac.webkit.org/changeset/234181

        "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187985
        https://trac.webkit.org/changeset/234189

2018-07-26  Mark Lam  <mark.lam@apple.com>

        arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
        https://bugs.webkit.org/show_bug.cgi?id=188065
        <rdar://problem/42515726>

        Reviewed by Saam Barati.

        * runtime/ArrayPrototype.cpp:
        (JSC::clearElement):
        (JSC::copyElements):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):

2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
        https://bugs.webkit.org/show_bug.cgi?id=167991

        Reviewed by Michael Catanzaro.

        Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
        Checked locale.isEmpty() before returning it from defaultLocale, so there should be
        no more cases where you might have an invalid locale come back from resolveLocale.

        * runtime/IntlObject.cpp:
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
        https://bugs.webkit.org/show_bug.cgi?id=188040

        Unreviewed build fix for AppleWin port.

        * API/tests/testapi.c: Disabled warning C4204.
        (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Unreviewed build fix for Windows port.

        r234227 introduced a compilation error unresolved external symbol
        "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.

        Windows ports are compiling testapi.c as C++ by using the /TP switch.

        * API/tests/testapi.c:
        (main): Removed `::` prefix of ::SetErrorMode Windows API.
        (dllLauncherEntryPoint): Converted into C style.
        * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c

2018-07-25  Keith Miller  <keith_miller@apple.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Reviewed by Filip Pizlo.

        This patch makes the following API additions:
        1) Test if a JSValue/JSValueRef is a symbol via any of the methods the API uses to test for the types of other JSValues.
        2) Create a symbol on both APIs.
        3) Get/Set/Delete/Define property now take ids in the Obj-C API.
        4) Add Get/Set/Delete in the C API.

        We can do 3 because it is both binary and source compatible with
        the existing API. I added (4) because the current property access
        APIs only have the ability to get Strings. It was possible to
        merge symbols into JSStringRef but that felt confusing and exposes
        implementation details of our engine. The new functions match the
        same meaning that they have in JS, thus should be forward
        compatible with any future language extensions.

        Lastly, this patch adds the same availability preprocessing phase
        in WebCore to JavaScriptCore, which enables TBA features for
        testing on previous releases.

        * API/APICast.h:
        * API/JSBasePrivate.h:
        * API/JSContext.h:
        * API/JSContextPrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefInternal.h:
        * API/JSContextRefPrivate.h:
        * API/JSManagedValue.h:
        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyKey):
        (JSObjectGetPropertyKey):
        (JSObjectSetPropertyKey):
        (JSObjectDeletePropertyKey):
        * API/JSObjectRef.h:
        * API/JSRemoteInspector.h:
        * API/JSTypedArray.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue valueForProperty:valueForProperty:]):
        (-[JSValue setValue:forProperty:setValue:forProperty:]):
        (-[JSValue deleteProperty:deleteProperty:]):
        (-[JSValue hasProperty:hasProperty:]):
        (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
        (-[JSValue isSymbol]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue valueForProperty:]): Deleted.
        (-[JSValue setValue:forProperty:]): Deleted.
        (-[JSValue deleteProperty:]): Deleted.
        (-[JSValue hasProperty:]): Deleted.
        (-[JSValue defineProperty:descriptor:]): Deleted.
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsSymbol):
        (JSValueMakeSymbol):
        * API/JSValueRef.h:
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/CustomGlobalObjectClassTest.c:
        * API/tests/DateTests.mm:
        * API/tests/JSExportTests.mm:
        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/Node.c:
        * API/tests/NodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp: Added.
        (APIString::APIString):
        (APIString::~APIString):
        (APIString::operator JSStringRef):
        (APIContext::APIContext):
        (APIContext::~APIContext):
        (APIContext::operator JSGlobalContextRef):
        (APIVector::APIVector):
        (APIVector::~APIVector):
        (APIVector::append):
        (testCAPIViaCpp):
        (TestAPI::evaluateScript):
        (TestAPI::callFunction):
        (TestAPI::functionReturnsTrue):
        (TestAPI::check):
        (TestAPI::checkJSAndAPIMatch):
        (TestAPI::interestingObjects):
        (TestAPI::interestingKeys):
        (TestAPI::run):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * postprocess-headers.sh:
        * shell/CMakeLists.txt:
        * testmem/testmem.mm:

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Call Typed Array elements toLocaleString with locale and options
        https://bugs.webkit.org/show_bug.cgi?id=185796

        Reviewed by Keith Miller.

        Improve ECMA 402 compliance of typed array toLocaleString, passing along
        the locale and options to element toLocaleString calls.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Intl constructor lengths should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=187960

        Reviewed by Saam Barati.

        Removed DontDelete from Intl constructor lengths.
        Fixed DateTimeFormat formatToParts length.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>

        runJITThreadLimitTests is failing
        https://bugs.webkit.org/show_bug.cgi?id=187886
        <rdar://problem/42561966>

        Unreviewed build fix for MSVC.

        MSVC doesn't support the ternary operator without a second operand.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):

2018-07-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234183.
        https://bugs.webkit.org/show_bug.cgi?id=187983

        cause regression in Kraken gaussian blur and desaturate
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Record CoW status in ArrayProfile"
        https://bugs.webkit.org/show_bug.cgi?id=187949
        https://trac.webkit.org/changeset/234183

2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
        Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
        in this code typically record only non-CoW arrays since array profiles hold only one recently seen
        StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR
        exits due to CoW arrays.

        In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
        speculation. To do so efficiently, we store the union of seen IndexingMode in ArrayProfile.

        This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.

                                      baseline                  patched

        stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
        stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.

        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfObservedIndexingModes):
        (JSC::ArrayProfile::observedIndexingModes const):
        Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation onto addresses.
        So we store the union of seen IndexingMode in an `unsigned` instead.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

743 2018-07-24  Tim Horton  <timothy_horton@apple.com>
744
745         Enable Web Content Filtering on watchOS
746         https://bugs.webkit.org/show_bug.cgi?id=187979
747         <rdar://problem/42559346>
748
749         Reviewed by Wenson Hsieh.
750
751         * Configurations/FeatureDefines.xcconfig:
752
753 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
754
755         Don't modify Options when setting JIT thread limits
756         https://bugs.webkit.org/show_bug.cgi?id=187886
757
758         Reviewed by Filip Pizlo.
759
760         Previously, when setting the JIT thread limit prior to the worklist
761         initialization, it'd be set via Options, which didn't work if Options
762         hadn't been initialized yet. Change it to use a static variable in the
763         Worklist instead.
764
765         * API/JSVirtualMachine.mm:
766         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
767         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
768         * API/tests/testapi.mm:
769         (testObjectiveCAPIMain):
770         * dfg/DFGWorklist.cpp:
771         (JSC::DFG::getNumberOfDFGCompilerThreads):
772         (JSC::DFG::getNumberOfFTLCompilerThreads):
773         (JSC::DFG::setNumberOfDFGCompilerThreads):
774         (JSC::DFG::setNumberOfFTLCompilerThreads):
775         (JSC::DFG::ensureGlobalDFGWorklist):
776         (JSC::DFG::ensureGlobalFTLWorklist):
777         * dfg/DFGWorklist.h:
778
779 2018-07-24  Mark Lam  <mark.lam@apple.com>
780
781         Refactoring: make DFG::Plan a class.
782         https://bugs.webkit.org/show_bug.cgi?id=187968
783
784         Reviewed by Saam Barati.
785
786         This patch makes all the DFG::Plan fields private, and provides accessor methods
787         for them.  This makes it easier to reason about how these fields are used and
788         modified.
789
790         * dfg/DFGAbstractInterpreterInlines.h:
791         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
792         * dfg/DFGByteCodeParser.cpp:
793         (JSC::DFG::ByteCodeParser::handleCall):
794         (JSC::DFG::ByteCodeParser::handleVarargsCall):
795         (JSC::DFG::ByteCodeParser::handleInlining):
796         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
797         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
798         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
799         (JSC::DFG::ByteCodeParser::handleGetById):
800         (JSC::DFG::ByteCodeParser::handlePutById):
801         (JSC::DFG::ByteCodeParser::parseBlock):
802         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
803         (JSC::DFG::ByteCodeParser::parseCodeBlock):
804         (JSC::DFG::ByteCodeParser::parse):
805         * dfg/DFGCFAPhase.cpp:
806         (JSC::DFG::CFAPhase::run):
807         (JSC::DFG::CFAPhase::injectOSR):
808         * dfg/DFGClobberize.h:
809         (JSC::DFG::clobberize):
810         * dfg/DFGCommonData.cpp:
811         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
812         * dfg/DFGCommonData.h:
813         * dfg/DFGConstantFoldingPhase.cpp:
814         (JSC::DFG::ConstantFoldingPhase::foldConstants):
815         * dfg/DFGDriver.cpp:
816         (JSC::DFG::compileImpl):
817         * dfg/DFGFinalizer.h:
818         * dfg/DFGFixupPhase.cpp:
819         (JSC::DFG::FixupPhase::fixupNode):
820         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
821         * dfg/DFGGraph.cpp:
822         (JSC::DFG::Graph::Graph):
823         (JSC::DFG::Graph::watchCondition):
824         (JSC::DFG::Graph::inferredTypeFor):
825         (JSC::DFG::Graph::requiredRegisterCountForExit):
826         (JSC::DFG::Graph::registerFrozenValues):
827         (JSC::DFG::Graph::registerStructure):
828         (JSC::DFG::Graph::registerAndWatchStructureTransition):
829         (JSC::DFG::Graph::assertIsRegistered):
830         * dfg/DFGGraph.h:
831         (JSC::DFG::Graph::compilation):
832         (JSC::DFG::Graph::identifiers):
833         (JSC::DFG::Graph::watchpoints):
834         * dfg/DFGJITCompiler.cpp:
835         (JSC::DFG::JITCompiler::JITCompiler):
836         (JSC::DFG::JITCompiler::link):
837         (JSC::DFG::JITCompiler::compile):
838         (JSC::DFG::JITCompiler::compileFunction):
839         (JSC::DFG::JITCompiler::disassemble):
840         * dfg/DFGJITCompiler.h:
841         (JSC::DFG::JITCompiler::addWeakReference):
842         * dfg/DFGJITFinalizer.cpp:
843         (JSC::DFG::JITFinalizer::finalize):
844         (JSC::DFG::JITFinalizer::finalizeFunction):
845         (JSC::DFG::JITFinalizer::finalizeCommon):
846         * dfg/DFGOSREntrypointCreationPhase.cpp:
847         (JSC::DFG::OSREntrypointCreationPhase::run):
848         * dfg/DFGPhase.cpp:
849         (JSC::DFG::Phase::beginPhase):
850         * dfg/DFGPhase.h:
851         (JSC::DFG::runAndLog):
852         * dfg/DFGPlan.cpp:
853         (JSC::DFG::Plan::Plan):
854         (JSC::DFG::Plan::computeCompileTimes const):
855         (JSC::DFG::Plan::reportCompileTimes const):
856         (JSC::DFG::Plan::compileInThread):
857         (JSC::DFG::Plan::compileInThreadImpl):
858         (JSC::DFG::Plan::isStillValid):
859         (JSC::DFG::Plan::reallyAdd):
860         (JSC::DFG::Plan::notifyCompiling):
861         (JSC::DFG::Plan::notifyReady):
862         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
863         (JSC::DFG::Plan::finalizeAndNotifyCallback):
864         (JSC::DFG::Plan::key):
865         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
866         (JSC::DFG::Plan::finalizeInGC):
867         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
868         (JSC::DFG::Plan::cancel):
869         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
870         * dfg/DFGPlan.h:
871         (JSC::DFG::Plan::canTierUpAndOSREnter const):
872         (JSC::DFG::Plan::vm const):
873         (JSC::DFG::Plan::codeBlock):
874         (JSC::DFG::Plan::mode const):
875         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
876         (JSC::DFG::Plan::mustHandleValues const):
877         (JSC::DFG::Plan::threadData const):
878         (JSC::DFG::Plan::compilation const):
879         (JSC::DFG::Plan::finalizer const):
880         (JSC::DFG::Plan::setFinalizer):
881         (JSC::DFG::Plan::inlineCallFrames const):
882         (JSC::DFG::Plan::watchpoints):
883         (JSC::DFG::Plan::identifiers):
884         (JSC::DFG::Plan::weakReferences):
885         (JSC::DFG::Plan::transitions):
886         (JSC::DFG::Plan::recordedStatuses):
887         (JSC::DFG::Plan::willTryToTierUp const):
888         (JSC::DFG::Plan::setWillTryToTierUp):
889         (JSC::DFG::Plan::tierUpInLoopHierarchy):
890         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
891         (JSC::DFG::Plan::stage const):
892         (JSC::DFG::Plan::callback const):
893         (JSC::DFG::Plan::setCallback):
894         * dfg/DFGPlanInlines.h:
895         (JSC::DFG::Plan::iterateCodeBlocksForGC):
896         * dfg/DFGPreciseLocalClobberize.h:
897         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
898         * dfg/DFGPredictionInjectionPhase.cpp:
899         (JSC::DFG::PredictionInjectionPhase::run):
900         * dfg/DFGSafepoint.cpp:
901         (JSC::DFG::Safepoint::Safepoint):
902         (JSC::DFG::Safepoint::~Safepoint):
903         (JSC::DFG::Safepoint::begin):
904         * dfg/DFGSafepoint.h:
905         * dfg/DFGSpeculativeJIT.h:
906         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
907         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
908         * dfg/DFGStackLayoutPhase.cpp:
909         (JSC::DFG::StackLayoutPhase::run):
910         * dfg/DFGStrengthReductionPhase.cpp:
911         (JSC::DFG::StrengthReductionPhase::handleNode):
912         * dfg/DFGTierUpCheckInjectionPhase.cpp:
913         (JSC::DFG::TierUpCheckInjectionPhase::run):
914         * dfg/DFGTypeCheckHoistingPhase.cpp:
915         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
916         * dfg/DFGWorklist.cpp:
917         (JSC::DFG::Worklist::isActiveForVM const):
918         (JSC::DFG::Worklist::compilationState):
919         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
920         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
921         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
922         (JSC::DFG::Worklist::visitWeakReferences):
923         (JSC::DFG::Worklist::removeDeadPlans):
924         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
925         * dfg/DFGWorklistInlines.h:
926         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
927         * ftl/FTLCompile.cpp:
928         (JSC::FTL::compile):
929         * ftl/FTLFail.cpp:
930         (JSC::FTL::fail):
931         * ftl/FTLJITFinalizer.cpp:
932         (JSC::FTL::JITFinalizer::finalizeCommon):
933         * ftl/FTLLink.cpp:
934         (JSC::FTL::link):
935         * ftl/FTLLowerDFGToB3.cpp:
936         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
937         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
938         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
939         * ftl/FTLState.cpp:
940         (JSC::FTL::State::State):
941
942 2018-07-24  Saam Barati  <sbarati@apple.com>
943
944         Make VM::canUseJIT an inlined function
945         https://bugs.webkit.org/show_bug.cgi?id=187583
946
947         Reviewed by Mark Lam.
948
949         We know the answer to this query in initializeThreading after initializing
950         the executable allocator. This patch makes it so that we just hold this value
951         in a static variable and have an inlined function that just returns the value
952         of that static variable.
953
954         * runtime/InitializeThreading.cpp:
955         (JSC::initializeThreading):
956         * runtime/VM.cpp:
957         (JSC::VM::computeCanUseJIT):
958         (JSC::VM::canUseJIT): Deleted.
959         * runtime/VM.h:
960         (JSC::VM::canUseJIT):
961
962 2018-07-24  Mark Lam  <mark.lam@apple.com>
963
964         Placate exception check verification after recent changes.
965         https://bugs.webkit.org/show_bug.cgi?id=187961
966         <rdar://problem/42545394>
967
968         Reviewed by Saam Barati.
969
970         * runtime/IntlObject.cpp:
971         (JSC::intlNumberOption):
972
973 2018-07-23  Saam Barati  <sbarati@apple.com>
974
975         need to didFoldClobberWorld when we constant fold GetByVal
976         https://bugs.webkit.org/show_bug.cgi?id=187917
977         <rdar://problem/42505095>
978
979         Reviewed by Yusuke Suzuki.
980
981         * dfg/DFGAbstractInterpreterInlines.h:
982         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
983
984 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
985
986         [INTL] Language tags are not canonicalized
987         https://bugs.webkit.org/show_bug.cgi?id=185836
988
989         Reviewed by Keith Miller.
990
991         Canonicalize language tags, replacing deprecated tag parts with the
992         preferred values. Remove broken support for algorithmic numbering systems,
993         which can cause an error in ICU and are not supported in other engines.
994
995         Generate the lookup functions from the language-subtag-registry.
996
997         Also initialize the UNumberFormat in initializeNumberFormat so any
998         failures are thrown immediately instead of failing to format later.
999
1000         * CMakeLists.txt:
1001         * DerivedSources.make:
1002         * JavaScriptCore.xcodeproj/project.pbxproj:
1003         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
1004         * runtime/IntlDateTimeFormat.cpp:
1005         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
1006         * runtime/IntlNumberFormat.cpp:
1007         (JSC::IntlNumberFormat::initializeNumberFormat):
1008         (JSC::IntlNumberFormat::formatNumber):
1009         (JSC::IntlNumberFormat::formatToParts):
1010         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
1011         * runtime/IntlNumberFormat.h:
1012         * runtime/IntlObject.cpp:
1013         (JSC::intlNumberOption):
1014         (JSC::intlDefaultNumberOption):
1015         (JSC::preferredLanguage):
1016         (JSC::preferredRegion):
1017         (JSC::canonicalLangTag):
1018         (JSC::canonicalizeLanguageTag):
1019         (JSC::defaultLocale):
1020         (JSC::removeUnicodeLocaleExtension):
1021         (JSC::numberingSystemsForLocale):
1022         (JSC::grandfatheredLangTag): Deleted.
1023         * runtime/IntlObject.h:
1024         * runtime/IntlPluralRules.cpp:
1025         (JSC::IntlPluralRules::initializePluralRules):
1026         * runtime/JSGlobalObject.cpp:
1027         (JSC::addMissingScriptLocales):
1028         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
1029         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
1030         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
1031         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
1032         * ucd/language-subtag-registry.txt: Added.
1033
1034 2018-07-23  Mark Lam  <mark.lam@apple.com>
1035
1036         Add some asserts to help diagnose a crash.
1037         https://bugs.webkit.org/show_bug.cgi?id=187915
1038         <rdar://problem/42508166>
1039
1040         Reviewed by Michael Saboff.
1041
1042         Add some asserts to verify that a CodeBlock alternative should always have a
1043         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
1044         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
1045         so that we'll retain the state of the variables that failed the assertion (again
1046         to help with diagnosis).
1047
1048         * bytecode/CodeBlock.cpp:
1049         (JSC::CodeBlock::setAlternative):
1050         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1051         * dfg/DFGPlan.cpp:
1052         (JSC::DFG::Plan::Plan):
1053
1054 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
1055
1056         Unreviewed, fix no-JIT build.
1057
1058         * bytecode/CallLinkStatus.cpp:
1059         (JSC::CallLinkStatus::computeFor):
1060         * bytecode/CodeBlock.cpp:
1061         (JSC::CodeBlock::finalizeUnconditionally):
1062         * bytecode/GetByIdStatus.cpp:
1063         (JSC::GetByIdStatus::computeFor):
1064         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1065         * bytecode/InByIdStatus.cpp:
1066         * bytecode/PutByIdStatus.cpp:
1067         (JSC::PutByIdStatus::computeForStubInfo):
1068
1069 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1070
1071         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
1072         https://bugs.webkit.org/show_bug.cgi?id=187891
1073
1074         Reviewed by Saam Barati.
1075
1076         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
1077         two variants are mergeable but they have "Miss" status. We make merging fail if
1078         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
1079         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
1080         which patch has more chances to merge variants.
1081
1082         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
1083         is not related since it does not use this check in Transition case.
1084
1085         * bytecode/GetByIdVariant.cpp:
1086         (JSC::GetByIdVariant::attemptToMerge):
1087         * bytecode/InByIdVariant.cpp:
1088         (JSC::InByIdVariant::attemptToMerge):
1089
1090 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1091
1092         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
1093         https://bugs.webkit.org/show_bug.cgi?id=186462
1094
1095         Reviewed by Saam Barati.
1096
1097         Non-special DontDelete | ReadOnly properties mean that they won't be changed. If DFG AI can retrieve this
1098         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
1099         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
1100
1101         This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
1102         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
1103         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
1104         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
1105         changed and we can safely use it. We arrange our existing code to use this protocol.
1106
1107         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
1108         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.
1109
1110         This patch improves SixSpeed/template_string_tag.es6.
1111
1112                                           baseline                  patched
1113
1114         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
1115
1116         * dfg/DFGAbstractInterpreterInlines.h:
1117         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1118         * runtime/JSArray.cpp:
1119         (JSC::JSArray::setLengthWithArrayStorage):
1120         * runtime/JSObject.cpp:
1121         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
1122         (JSC::JSObject::deletePropertyByIndex):
1123         (JSC::JSObject::getOwnPropertyNames):
1124         (JSC::putIndexedDescriptor):
1125         (JSC::JSObject::defineOwnIndexedProperty):
1126         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
1127         (JSC::JSObject::putIndexedDescriptor): Deleted.
1128         * runtime/JSObject.h:
1129         * runtime/SparseArrayValueMap.cpp:
1130         (JSC::SparseArrayValueMap::SparseArrayValueMap):
1131         (JSC::SparseArrayValueMap::add):
1132         (JSC::SparseArrayValueMap::putDirect):
1133         (JSC::SparseArrayValueMap::getConcurrently):
1134         (JSC::SparseArrayEntry::get const):
1135         (JSC::SparseArrayEntry::getConcurrently const):
1136         (JSC::SparseArrayEntry::put):
1137         (JSC::SparseArrayEntry::getNonSparseMode const):
1138         (JSC::SparseArrayValueMap::visitChildren):
1139         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
1140         * runtime/SparseArrayValueMap.h:
1141         (JSC::SparseArrayEntry::SparseArrayEntry):
1142         (JSC::SparseArrayEntry::attributes const):
1143         (JSC::SparseArrayEntry::forceSet):
1144         (JSC::SparseArrayEntry::asValue):
1145
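The value/attributes publication protocol described in the entry above (value, then storeStoreFence, then attributes on the mutator side; attributes, then loadLoadFence, then value on the compiler thread), as an added example that is not part of JSC or of this patch. `SparseEntry`, `FoldResult` and the attribute bit values are assumed names for illustration; the real SparseArrayEntry uses JSValue and WTF's fence helpers.

```cpp
#include <atomic>
#include <cstdint>

// Property attribute bits, modelled on JSC's PropertyAttribute values
// (the names and bit positions are assumed for this example).
enum Attribute : unsigned {
    NoAttributes = 0,
    ReadOnly     = 1u << 1,
    DontDelete   = 1u << 3,
    Accessor     = 1u << 5,  // getter/setter: a "special" property, never foldable
};

// Result of a concurrent read: value is only meaningful when isConstant is true.
struct FoldResult {
    bool isConstant;
    int64_t value;
};

// Hypothetical stand-in for JSC::SparseArrayEntry, holding one sparse-indexed
// property. The mutator publishes the value before its attributes, and the
// concurrently running DFG AI reads the attributes before the value. A value is
// trusted (and folded to a constant) only once its attributes prove it is a
// non-accessor DontDelete | ReadOnly property, which can never change again.
struct SparseEntry {
    std::atomic<int64_t> value { 0 };                 // stands in for a JSValue
    std::atomic<unsigned> attributes { NoAttributes };

    // Mutator side (cf. SparseArrayEntry::put / putDirect in the patch):
    // 1. store the value, 2. storeStoreFence, 3. store the attributes.
    // Without the fence the attributes could become visible first, and a
    // concurrent reader could pair "immutable" attributes with a stale value.
    void put(int64_t newValue, unsigned newAttributes)
    {
        value.store(newValue, std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_release);   // WTF::storeStoreFence
        attributes.store(newAttributes, std::memory_order_relaxed);
    }

    // Compiler-thread side (cf. SparseArrayEntry::getConcurrently):
    // 1. load the attributes, 2. loadLoadFence, 3. load the value.
    // The acquire fence pairs with the release fence above, so a reader that
    // observes the final attributes is guaranteed to observe the matching value.
    FoldResult getConcurrently() const
    {
        unsigned attrs = attributes.load(std::memory_order_relaxed);
        std::atomic_thread_fence(std::memory_order_acquire);   // WTF::loadLoadFence
        const unsigned immutable = DontDelete | ReadOnly;
        if (attrs & Accessor)
            return { false, 0 };   // a getter may return anything: never fold
        if ((attrs & immutable) != immutable)
            return { false, 0 };   // still deletable or writable: leave the GetByVal alone
        return { true, value.load(std::memory_order_relaxed) };
    }
};
```
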
1146 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
1147
1148         We should support CreateThis in the FTL
1149         https://bugs.webkit.org/show_bug.cgi?id=164904
1150
1151         Reviewed by Yusuke Suzuki.
1152         
1153         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
1154         inference adventure.
1155         
1156         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
1157         benchmark's extremely perverse way of winning at type inference:
1158         
1159         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
1160           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
1161           benchmark was falling back to other mechanisms...
1162         
1163         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
1164           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
1165           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
1166           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
1167           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
1168           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
1169           
1170           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
1171           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
1172           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
1173           helper because it had a CreateThis.
1174         
1175         - Compilations that inlined the construction helper would have gotten super lucky with
1176           parse-time constant folding, so they knew what structure the input to the get_by_id would
1177           have at parse time. This is only profitable if the get_by_id parsing computed a
1178           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
1179           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
1180           cases, we would indeed get a finite number of cases. The parser would then prune those
1181           cases to just one - based on its knowledge of the structure - and that would result in that
1182           get_by_id being folded at parse time to a constant.
1183         
1184         - The subsequent op_call would inline based on parse-time knowledge of that constant.
1185         
1186         This patch comprehensively fixes these issues, as well as other issues that come up along the
1187         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
1188         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
1189         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
1190         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
1191         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
1192         attack raytrace's problem as a shortcoming of polyvariant profiling.
1193         
1194         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
1195           subset of the inline stack that includes the IC we're profiling. For example, if we have
1196           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
1197           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
1198           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
1199           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
1200           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
1201           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
1202           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
1203           had inlined bar and then baz. It may not have done that, because those calls could have
1204           required polyvariant profiling that was only available in the FTL.
1205           
1206         - A particularly interesting case is when some IC in foo-baseline is also available in
1207           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
1208           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
1209           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
1210           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
1211           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
1212           because it warns us of historical polymorphism. Historical polymorphism usually means
1213           future polymorphism. IC status code already had some merging functionality, but I needed to
1214           beef it up a lot to make this work right.
1215         
1216         - Inlining an inline cache now preserves as much information as profiling. One challenge of
1217           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
1218           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
1219           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
1220           say "I don't have such an IC". At this point the DFG compilation that included that IC that
1221           gave us the information that we used to inline the IC is no longer alive. To keep us from
1222           losing the information we learned about the IC, there is now a RecordedStatuses data
1223           structure that preserves the statuses we use for inlining ICs. We also filter those
1224           statuses according to things we learn from AI. This further reduces the risk of information
1225           about an IC being forgotten.
1226         
1227         - Exit profiling now considers whether or not an exit happened from inline code. This
1228           protects us in the case where the not-inlined version of an IC exited a lot because of
1229           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
1230           profiling data, we consider only inlined exits.
1231         
1232         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
1233           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
1234           surprising that we've had this bug.
1235         
1236         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
1237         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
1238         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
1239         prototype access folding in the bytecode parser and constant folder. That would require some
1240         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
1241         have a test that captures raytrace's behavior in the case that the parser cannot fold the
1242         get_by_id.
1243         
1244         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
1245         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
1246         compile time regression anytime we fill in FTL coverage.
1247         
1248         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
1249         speeds up and that raytrace slows down, but these changes balance out and don't affect the
1250         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
1251         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
1252         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
1253         see a significant difference. In all three cases the difference is <0.5% with a high p value,
1254         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
1255         an insignificant infinitesimal slow-down.
1256         
1257         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
1258         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
1259         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
1260
1261         * CMakeLists.txt:
1262         * JavaScriptCore.xcodeproj/project.pbxproj:
1263         * Sources.txt:
1264         * bytecode/ByValInfo.h:
1265         * bytecode/BytecodeDumper.cpp:
1266         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1267         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
1268         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
1269         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
1270         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
1271         (JSC::BytecodeDumper<Block>::printCallOp):
1272         (JSC::BytecodeDumper<Block>::dumpBytecode):
1273         (JSC::BytecodeDumper<Block>::dumpBlock):
1274         * bytecode/BytecodeDumper.h:
1275         * bytecode/CallLinkInfo.h:
1276         * bytecode/CallLinkStatus.cpp:
1277         (JSC::CallLinkStatus::computeFor):
1278         (JSC::CallLinkStatus::computeExitSiteData):
1279         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1280         (JSC::CallLinkStatus::accountForExits):
1281         (JSC::CallLinkStatus::finalize):
1282         (JSC::CallLinkStatus::filter):
1283         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
1284         * bytecode/CallLinkStatus.h:
1285         (JSC::CallLinkStatus::operator bool const):
1286         (JSC::CallLinkStatus::operator! const): Deleted.
1287         * bytecode/CallVariant.cpp:
1288         (JSC::CallVariant::finalize):
1289         (JSC::CallVariant::filter):
1290         * bytecode/CallVariant.h:
1291         (JSC::CallVariant::operator bool const):
1292         (JSC::CallVariant::operator! const): Deleted.
1293         * bytecode/CodeBlock.cpp:
1294         (JSC::CodeBlock::dumpBytecode):
1295         (JSC::CodeBlock::propagateTransitions):
1296         (JSC::CodeBlock::finalizeUnconditionally):
1297         (JSC::CodeBlock::getICStatusMap):
1298         (JSC::CodeBlock::resetJITData):
1299         (JSC::CodeBlock::getStubInfoMap): Deleted.
1300         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
1301         (JSC::CodeBlock::getByValInfoMap): Deleted.
1302         * bytecode/CodeBlock.h:
1303         * bytecode/CodeOrigin.cpp:
1304         (JSC::CodeOrigin::isApproximatelyEqualTo const):
1305         (JSC::CodeOrigin::approximateHash const):
1306         * bytecode/CodeOrigin.h:
1307         (JSC::CodeOrigin::exitingInlineKind const):
1308         * bytecode/DFGExitProfile.cpp:
1309         (JSC::DFG::FrequentExitSite::dump const):
1310         (JSC::DFG::ExitProfile::add):
1311         * bytecode/DFGExitProfile.h:
1312         (JSC::DFG::FrequentExitSite::FrequentExitSite):
1313         (JSC::DFG::FrequentExitSite::operator== const):
1314         (JSC::DFG::FrequentExitSite::subsumes const):
1315         (JSC::DFG::FrequentExitSite::hash const):
1316         (JSC::DFG::FrequentExitSite::inlineKind const):
1317         (JSC::DFG::FrequentExitSite::withInlineKind const):
1318         (JSC::DFG::QueryableExitProfile::hasExitSite const):
1319         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
1320         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
1321         * bytecode/ExitFlag.cpp: Added.
1322         (JSC::ExitFlag::dump const):
1323         * bytecode/ExitFlag.h: Added.
1324         (JSC::ExitFlag::ExitFlag):
1325         (JSC::ExitFlag::operator| const):
1326         (JSC::ExitFlag::operator|=):
1327         (JSC::ExitFlag::operator& const):
1328         (JSC::ExitFlag::operator&=):
1329         (JSC::ExitFlag::operator bool const):
1330         (JSC::ExitFlag::isSet const):
1331         * bytecode/ExitingInlineKind.cpp: Added.
1332         (WTF::printInternal):
1333         * bytecode/ExitingInlineKind.h: Added.
1334         * bytecode/GetByIdStatus.cpp:
1335         (JSC::GetByIdStatus::computeFor):
1336         (JSC::GetByIdStatus::computeForStubInfo):
1337         (JSC::GetByIdStatus::slowVersion const):
1338         (JSC::GetByIdStatus::markIfCheap):
1339         (JSC::GetByIdStatus::finalize):
1340         (JSC::GetByIdStatus::hasExitSite): Deleted.
1341         * bytecode/GetByIdStatus.h:
1342         * bytecode/GetByIdVariant.cpp:
1343         (JSC::GetByIdVariant::markIfCheap):
1344         (JSC::GetByIdVariant::finalize):
1345         * bytecode/GetByIdVariant.h:
1346         * bytecode/ICStatusMap.cpp: Added.
1347         (JSC::ICStatusContext::get const):
1348         (JSC::ICStatusContext::isInlined const):
1349         (JSC::ICStatusContext::inlineKind const):
1350         * bytecode/ICStatusMap.h: Added.
1351         * bytecode/ICStatusUtils.cpp: Added.
1352         (JSC::hasBadCacheExitSite):
1353         * bytecode/ICStatusUtils.h:
1354         * bytecode/InstanceOfStatus.cpp:
1355         (JSC::InstanceOfStatus::computeFor):
1356         * bytecode/InstanceOfStatus.h:
1357         * bytecode/PolyProtoAccessChain.h:
1358         * bytecode/PutByIdStatus.cpp:
1359         (JSC::PutByIdStatus::hasExitSite):
1360         (JSC::PutByIdStatus::computeFor):
1361         (JSC::PutByIdStatus::slowVersion const):
1362         (JSC::PutByIdStatus::markIfCheap):
1363         (JSC::PutByIdStatus::finalize):
1364         (JSC::PutByIdStatus::filter):
1365         * bytecode/PutByIdStatus.h:
1366         * bytecode/PutByIdVariant.cpp:
1367         (JSC::PutByIdVariant::markIfCheap):
1368         (JSC::PutByIdVariant::finalize):
1369         * bytecode/PutByIdVariant.h:
1370         (JSC::PutByIdVariant::structureSet const):
1371         * bytecode/RecordedStatuses.cpp: Added.
1372         (JSC::RecordedStatuses::operator=):
1373         (JSC::RecordedStatuses::RecordedStatuses):
1374         (JSC::RecordedStatuses::addCallLinkStatus):
1375         (JSC::RecordedStatuses::addGetByIdStatus):
1376         (JSC::RecordedStatuses::addPutByIdStatus):
1377         (JSC::RecordedStatuses::markIfCheap):
1378         (JSC::RecordedStatuses::finalizeWithoutDeleting):
1379         (JSC::RecordedStatuses::finalize):
1380         (JSC::RecordedStatuses::shrinkToFit):
1381         * bytecode/RecordedStatuses.h: Added.
1382         (JSC::RecordedStatuses::RecordedStatuses):
1383         (JSC::RecordedStatuses::forEachVector):
1384         * bytecode/StructureSet.cpp:
1385         (JSC::StructureSet::markIfCheap const):
1386         (JSC::StructureSet::isStillAlive const):
1387         * bytecode/StructureSet.h:
1388         * bytecode/TerminatedCodeOrigin.h: Added.
1389         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
1390         (JSC::TerminatedCodeOriginHashTranslator::hash):
1391         (JSC::TerminatedCodeOriginHashTranslator::equal):
1392         * bytecode/Watchpoint.cpp:
1393         (WTF::printInternal):
1394         * bytecode/Watchpoint.h:
1395         * dfg/DFGAbstractInterpreter.h:
1396         * dfg/DFGAbstractInterpreterInlines.h:
1397         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1398         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
1399         * dfg/DFGByteCodeParser.cpp:
1400         (JSC::DFG::ByteCodeParser::handleCall):
1401         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1402         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1403         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
1404         (JSC::DFG::ByteCodeParser::handleGetById):
1405         (JSC::DFG::ByteCodeParser::handlePutById):
1406         (JSC::DFG::ByteCodeParser::parseBlock):
1407         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1408         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
1409         (JSC::DFG::ByteCodeParser::parse):
1410         * dfg/DFGClobberize.h:
1411         (JSC::DFG::clobberize):
1412         * dfg/DFGClobbersExitState.cpp:
1413         (JSC::DFG::clobbersExitState):
1414         * dfg/DFGCommonData.h:
1415         * dfg/DFGConstantFoldingPhase.cpp:
1416         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1417         * dfg/DFGDesiredWatchpoints.h:
1418         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
1419         * dfg/DFGDoesGC.cpp:
1420         (JSC::DFG::doesGC):
1421         * dfg/DFGFixupPhase.cpp:
1422         (JSC::DFG::FixupPhase::fixupNode):
1423         * dfg/DFGGraph.cpp:
1424         (JSC::DFG::Graph::dump):
1425         * dfg/DFGMayExit.cpp:
1426         * dfg/DFGNode.h:
1427         (JSC::DFG::Node::hasCallLinkStatus):
1428         (JSC::DFG::Node::callLinkStatus):
1429         (JSC::DFG::Node::hasGetByIdStatus):
1430         (JSC::DFG::Node::getByIdStatus):
1431         (JSC::DFG::Node::hasPutByIdStatus):
1432         (JSC::DFG::Node::putByIdStatus):
1433         * dfg/DFGNodeType.h:
1434         * dfg/DFGOSRExitBase.cpp:
1435         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1436         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1437         * dfg/DFGPlan.cpp:
1438         (JSC::DFG::Plan::reallyAdd):
1439         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1440         (JSC::DFG::Plan::finalizeInGC):
1441         * dfg/DFGPlan.h:
1442         * dfg/DFGPredictionPropagationPhase.cpp:
1443         * dfg/DFGSafeToExecute.h:
1444         (JSC::DFG::safeToExecute):
1445         * dfg/DFGSpeculativeJIT32_64.cpp:
1446         (JSC::DFG::SpeculativeJIT::compile):
1447         * dfg/DFGSpeculativeJIT64.cpp:
1448         (JSC::DFG::SpeculativeJIT::compile):
1449         * dfg/DFGStrengthReductionPhase.cpp:
1450         (JSC::DFG::StrengthReductionPhase::handleNode):
1451         * dfg/DFGWorklist.cpp:
1452         (JSC::DFG::Worklist::removeDeadPlans):
1453         * ftl/FTLAbstractHeapRepository.h:
1454         * ftl/FTLCapabilities.cpp:
1455         (JSC::FTL::canCompile):
1456         * ftl/FTLLowerDFGToB3.cpp:
1457         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1458         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
1459         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
1460         * jit/PolymorphicCallStubRoutine.cpp:
1461         (JSC::PolymorphicCallStubRoutine::hasEdges const):
1462         (JSC::PolymorphicCallStubRoutine::edges const):
1463         * jit/PolymorphicCallStubRoutine.h:
1464         * profiler/ProfilerBytecodeSequence.cpp:
1465         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1466         * runtime/FunctionRareData.cpp:
1467         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1468         * runtime/Options.h:
1469
1470 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1471
1472         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
1473         https://bugs.webkit.org/show_bug.cgi?id=187472
1474
1475         Reviewed by Mark Lam.
1476
1477         std::function allocates memory from standard malloc instead of bmalloc. Instead of
1478         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
1479
1480         This patch attempts to replace std::function with the above WTF function types.
1481         If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
1482         is really efficient. Otherwise, we should use WTF::Function.
1483         For recurring use cases, we can use RecursableLambda.
1484
1485         * assembler/MacroAssembler.cpp:
1486         (JSC::stdFunctionCallback):
1487         (JSC::MacroAssembler::probe):
1488         * assembler/MacroAssembler.h:
1489         * b3/air/AirDisassembler.cpp:
1490         (JSC::B3::Air::Disassembler::dump):
1491         * b3/air/AirDisassembler.h:
1492         * bytecompiler/BytecodeGenerator.cpp:
1493         (JSC::BytecodeGenerator::BytecodeGenerator):
1494         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1495         (JSC::BytecodeGenerator::emitEnumeration):
1496         * bytecompiler/BytecodeGenerator.h:
1497         * bytecompiler/NodesCodegen.cpp:
1498         (JSC::ArrayNode::emitBytecode):
1499         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1500         (JSC::ForOfNode::emitBytecode):
1501         * dfg/DFGSpeculativeJIT.cpp:
1502         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
1503         (JSC::DFG::SpeculativeJIT::compileMathIC):
1504         * dfg/DFGSpeculativeJIT.h:
1505         * dfg/DFGSpeculativeJIT64.cpp:
1506         (JSC::DFG::SpeculativeJIT::compile):
1507         * dfg/DFGValidate.cpp:
1508         * ftl/FTLCompile.cpp:
1509         (JSC::FTL::compile):
1510         * heap/HeapSnapshotBuilder.cpp:
1511         (JSC::HeapSnapshotBuilder::json):
1512         * heap/HeapSnapshotBuilder.h:
1513         * interpreter/StackVisitor.cpp:
1514         (JSC::StackVisitor::Frame::dump const):
1515         * interpreter/StackVisitor.h:
1516         * runtime/PromiseDeferredTimer.h:
1517         * runtime/VM.cpp:
1518         (JSC::VM::whenIdle):
1519         (JSC::enableProfilerWithRespectToCount):
1520         (JSC::disableProfilerWithRespectToCount):
1521         * runtime/VM.h:
1522         * runtime/VMEntryScope.cpp:
1523         (JSC::VMEntryScope::addDidPopListener):
1524         * runtime/VMEntryScope.h:
1525         * tools/HeapVerifier.cpp:
1526         (JSC::HeapVerifier::verifyCellList):
1527         (JSC::HeapVerifier::validateCell):
1528         (JSC::HeapVerifier::validateJSCell):
1529         * tools/HeapVerifier.h:
1530
1531 2018-07-20  Michael Saboff  <msaboff@apple.com>
1532
1533         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
1534         https://bugs.webkit.org/show_bug.cgi?id=187827
1535         rdar://problem/42146858
1536
1537         Reviewed by Saam Barati.
1538
1539         When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
1540         that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
1541         We can't end up with other shapes, Int32, Double, etc. because GenericArguments sets
1542         InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
1543         putByIndex() path that doesn't change the shape.
1544
1545         * dfg/DFGArrayMode.h:
1546         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1547
1548 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1549
1550         [DFG] Fold GetByVal if Array is CoW
1551         https://bugs.webkit.org/show_bug.cgi?id=186459
1552
1553         Reviewed by Saam Barati.
1554
1555         CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
1556         fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
1557         is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
1558
1559         This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
1560         to these constant arrays can be folded into an actual constant by this patch.
1561
1562                                            baseline                  patched
1563
1564         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
1565         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
1566
1567         * dfg/DFGAbstractInterpreterInlines.h:
1568         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1569
1570 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1571
1572         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
1573         https://bugs.webkit.org/show_bug.cgi?id=186602
1574
1575         Reviewed by Saam Barati.
1576
1577         JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
1578         change the part of the butterfly, length etc. We prove that our procedure is safe, and
1579         drop the cellLock() here.
1580
1581         * runtime/JSObject.cpp:
1582         (JSC::JSObject::convertContiguousToArrayStorage):
1583
1584 2018-07-20  Saam Barati  <sbarati@apple.com>
1585
1586         CompareEq should be using KnownOtherUse instead of OtherUse
1587         https://bugs.webkit.org/show_bug.cgi?id=186814
1588         <rdar://problem/39720030>
1589
1590         Reviewed by Filip Pizlo.
1591
1592         CompareEq in fixup phase was doing this:
1593         insertCheck(child, OtherUse)
1594         setUseKind(child, OtherUse)
1595         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
1596         lead to edge verification crashing because a phase may optimize the check out
1597         by removing the node. However, AI may not be privy to that optimization, and
1598         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
1599         backend to actually emit a check here, but it does not.
1600         
1601         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
1602         KnownOtherUse and changes the above pattern to be:
1603         insertCheck(child, OtherUse)
1604         setUseKind(child, KnownOtherUse)
1605
1606         * dfg/DFGFixupPhase.cpp:
1607         (JSC::DFG::FixupPhase::fixupNode):
1608         * dfg/DFGSafeToExecute.h:
1609         (JSC::DFG::SafeToExecuteEdge::operator()):
1610         * dfg/DFGSpeculativeJIT.cpp:
1611         (JSC::DFG::SpeculativeJIT::speculate):
1612         * dfg/DFGUseKind.cpp:
1613         (WTF::printInternal):
1614         * dfg/DFGUseKind.h:
1615         (JSC::DFG::typeFilterFor):
1616         (JSC::DFG::shouldNotHaveTypeCheck):
1617         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1618         * dfg/DFGWatchpointCollectionPhase.cpp:
1619         (JSC::DFG::WatchpointCollectionPhase::handle):
1620         * ftl/FTLCapabilities.cpp:
1621         (JSC::FTL::canCompile):
1622         * ftl/FTLLowerDFGToB3.cpp:
1623         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1624         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1625
1626 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1627
1628         [JSC] A bit performance improvement for Object.assign by cleaning up code
1629         https://bugs.webkit.org/show_bug.cgi?id=187852
1630
1631         Reviewed by Saam Barati.
1632
1633         We clean up Object.assign code a bit.
1634
1635         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
1636         2. canDoFastPath is not necessary. Restructuring the code to clean up things.
1637
1638         It improves the performance a bit.
1639
1640                                     baseline                  patched
1641
1642         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
1643
1644         * runtime/ObjectConstructor.cpp:
1645         (JSC::objectConstructorAssign):
1646
1647 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1648
1649         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
1650         https://bugs.webkit.org/show_bug.cgi?id=187798
1651
1652         Reviewed by Michael Catanzaro.
1653
1654         Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
1655         jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
1656         functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
1657         patch adds JSAPIWrapperGlobalObject for that.
1658
1659         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
1660         (jsAPIWrapperGlobalObjectHandleOwner):
1661         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
1662         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
1663         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
1664         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
1665         (JSC::JSAPIWrapperGlobalObject::finishCreation):
1666         (JSC::JSAPIWrapperGlobalObject::visitChildren):
1667         * API/glib/JSAPIWrapperGlobalObject.h: Added.
1668         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
1669         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
1670         * API/glib/JSCClass.cpp:
1671         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
1672         (wrappedObjectClass): Return the class of a wrapped object.
1673         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
1674         scope extension global object is used instead.
1675         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
1676         (setProperty): Ditto.
1677         (hasProperty): Ditto.
1678         (deleteProperty): Ditto.
1679         (getPropertyNames): Ditto.
1680         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
1681         * API/glib/JSCClassPrivate.h:
1682         * API/glib/JSCContext.cpp:
1683         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
1684         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
1685         * API/glib/JSCContext.h:
1686         * API/glib/JSCContextPrivate.h:
1687         * API/glib/JSCWrapperMap.cpp:
1688         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
1689         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
1690         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
1691         * API/glib/JSCWrapperMap.h:
1692         * GLib.cmake:
1693
1694 2018-07-19  Saam Barati  <sbarati@apple.com>
1695
1696         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
1697         https://bugs.webkit.org/show_bug.cgi?id=187836
1698         <rdar://problem/42409527>
1699
1700         Reviewed by Mark Lam.
1701
1702         We have crash reports that we're crashing on source->getDirect in Object.assign's
1703         fast path. Mark investigated this and determined we end up with a nullptr for
1704         butterfly. This is curious, because source's Structure indicated that it has
1705         out of line properties. My leading hypothesis for this at the moment is a bit
1706         handwavy, but it's essentially:
1707         - We end up firing a watchpoint when assigning to the target (this can happen
1708         if a watchpoint was set up for storing to that particular field)
1709         - When we fire that watchpoint, we end up doing some kind work on the source,
1710         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
1711         mutating source.
1712         
1713         I'm not super convinced this is what we're running into, but just by reading
1714         the code, I think it needs to be something similar to this. Seeing if this change
1715         fixes the crasher will give us good data to determine if something like this is
1716         happening or if the bug is something else entirely.
1717
1718         * runtime/ObjectConstructor.cpp:
1719         (JSC::objectConstructorAssign):
1720
1721 2018-07-19  Commit Queue  <commit-queue@webkit.org>
1722
1723         Unreviewed, rolling out r233998.
1724         https://bugs.webkit.org/show_bug.cgi?id=187815
1725
1726         Not needed. (Requested by mlam|a on #webkit).
1727
1728         Reverted changeset:
1729
1730         "Temporarily mitigate a bug where a source provider is null
1731         when it shouldn't be."
1732         https://bugs.webkit.org/show_bug.cgi?id=187812
1733         https://trac.webkit.org/changeset/233998
1734
1735 2018-07-19  Mark Lam  <mark.lam@apple.com>
1736
1737         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
1738         https://bugs.webkit.org/show_bug.cgi?id=187812
1739         <rdar://problem/41192691>
1740
1741         Reviewed by Michael Saboff.
1742
1743         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
1744
1745         * runtime/Error.cpp:
1746         (JSC::addErrorInfo):
1747
1748 2018-07-19  Keith Rollin  <krollin@apple.com>
1749
1750         Adjust WEBCORE_EXPORT annotations for LTO
1751         https://bugs.webkit.org/show_bug.cgi?id=187781
1752         <rdar://problem/42351124>
1753
1754         Reviewed by Alex Christensen.
1755
1756         Continuation of Bug 186944. This bug addresses issues not caught
1757         during the first pass of adjustments. The initial work focussed on
1758         macOS; this one addresses issues found when building for iOS. From
1759         186944:
1760
1761         Adjust a number of places that result in WebKit's
1762         'check-for-weak-vtables-and-externals' script reporting weak external
1763         symbols:
1764
1765             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
1766             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
1767             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
1768             ...
1769
1770         These cases are caused by inline methods being marked with WTF_EXPORT
1771         (or related macro) or with an inline function being in a class marked
1772         as such, and when enabling LTO builds.
1773
1774         For the most part, address these by removing the WEBCORE_EXPORT
1775         annotation from inline methods. In some cases, move the implementation
1776         out-of-line because it's the class that has the WEBCORE_EXPORT on it
1777         and removing the annotation from the class would be too disruptive.
1778         Finally, in other cases, move the implementation out-of-line because
1779         check-for-weak-vtables-and-externals still complains when keeping the
1780         implementation inline and removing the annotation; this seems to
1781         typically (but not always) happen with destructors.
1782
1783         * inspector/remote/RemoteAutomationTarget.cpp:
1784         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
1785         * inspector/remote/RemoteAutomationTarget.h:
1786         * inspector/remote/RemoteInspector.cpp:
1787         (Inspector::RemoteInspector::Client::~Client):
1788         * inspector/remote/RemoteInspector.h:
1789
1790 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1791
1792         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
1793         https://bugs.webkit.org/show_bug.cgi?id=187807
1794
1795         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
1796         that we know about that exception occurrence and handle it well.
1797
1798         * runtime/JSONObject.cpp:
1799         (JSC::Stringifier::Holder::appendNextProperty):
1800
1801 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1802
1803         [JSC] Reduce size of AST nodes
1804         https://bugs.webkit.org/show_bug.cgi?id=187689
1805
1806         Reviewed by Mark Lam.
1807
1808         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
1809         of ParserArena at peak state.
1810
1811         1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
1812         devirtualize calls to functions which are implemented in a final class.
1813
1814         2. Use default member initializers more.
1815
1816         3. And use `nullptr` instead of `0`.
1817
1818         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
1819         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
1820         to 40. This decreases the sizes of all the derived Statement nodes.
1821
1822         * parser/NodeConstructors.h:
1823         (JSC::Node::Node):
1824         (JSC::StatementNode::StatementNode):
1825         (JSC::ElementNode::ElementNode):
1826         (JSC::ArrayNode::ArrayNode):
1827         (JSC::PropertyListNode::PropertyListNode):
1828         (JSC::ObjectLiteralNode::ObjectLiteralNode):
1829         (JSC::ArgumentListNode::ArgumentListNode):
1830         (JSC::ArgumentsNode::ArgumentsNode):
1831         (JSC::NewExprNode::NewExprNode):
1832         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1833         (JSC::BinaryOpNode::BinaryOpNode):
1834         (JSC::LogicalOpNode::LogicalOpNode):
1835         (JSC::CommaNode::CommaNode):
1836         (JSC::SourceElements::SourceElements):
1837         (JSC::ClauseListNode::ClauseListNode):
1838         * parser/Nodes.cpp:
1839         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1840         (JSC::FunctionMetadataNode::operator== const):
1841         (JSC::FunctionMetadataNode::dump const):
1842         * parser/Nodes.h:
1843         (JSC::BooleanNode::value): Deleted.
1844         (JSC::StringNode::value): Deleted.
1845         (JSC::TemplateExpressionListNode::value): Deleted.
1846         (JSC::TemplateExpressionListNode::next): Deleted.
1847         (JSC::TemplateStringNode::cooked): Deleted.
1848         (JSC::TemplateStringNode::raw): Deleted.
1849         (JSC::TemplateStringListNode::value): Deleted.
1850         (JSC::TemplateStringListNode::next): Deleted.
1851         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
1852         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
1853         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
1854         (JSC::ResolveNode::identifier const): Deleted.
1855         (JSC::ElementNode::elision const): Deleted.
1856         (JSC::ElementNode::value): Deleted.
1857         (JSC::ElementNode::next): Deleted.
1858         (JSC::ArrayNode::elements const): Deleted.
1859         (JSC::PropertyNode::expressionName const): Deleted.
1860         (JSC::PropertyNode::name const): Deleted.
1861         (JSC::PropertyNode::type const): Deleted.
1862         (JSC::PropertyNode::needsSuperBinding const): Deleted.
1863         (JSC::PropertyNode::isClassProperty const): Deleted.
1864         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
1865         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
1866         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
1867         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
1868         (JSC::PropertyNode::putType const): Deleted.
1869         (JSC::BracketAccessorNode::base const): Deleted.
1870         (JSC::BracketAccessorNode::subscript const): Deleted.
1871         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
1872         (JSC::DotAccessorNode::base const): Deleted.
1873         (JSC::DotAccessorNode::identifier const): Deleted.
1874         (JSC::SpreadExpressionNode::expression const): Deleted.
1875         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
1876         (JSC::BytecodeIntrinsicNode::type const): Deleted.
1877         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
1878         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
1879         (JSC::TypeOfResolveNode::identifier const): Deleted.
1880         (JSC::BitwiseNotNode::expr): Deleted.
1881         (JSC::BitwiseNotNode::expr const): Deleted.
1882         (JSC::AssignResolveNode::identifier const): Deleted.
1883         (JSC::ExprStatementNode::expr const): Deleted.
1884         (JSC::ForOfNode::isForAwait const): Deleted.
1885         (JSC::ReturnNode::value): Deleted.
1886         (JSC::ProgramNode::startColumn const): Deleted.
1887         (JSC::ProgramNode::endColumn const): Deleted.
1888         (JSC::EvalNode::startColumn const): Deleted.
1889         (JSC::EvalNode::endColumn const): Deleted.
1890         (JSC::ModuleProgramNode::startColumn const): Deleted.
1891         (JSC::ModuleProgramNode::endColumn const): Deleted.
1892         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
1893         (JSC::ModuleNameNode::moduleName): Deleted.
1894         (JSC::ImportSpecifierNode::importedName): Deleted.
1895         (JSC::ImportSpecifierNode::localName): Deleted.
1896         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
1897         (JSC::ImportSpecifierListNode::append): Deleted.
1898         (JSC::ImportDeclarationNode::specifierList const): Deleted.
1899         (JSC::ImportDeclarationNode::moduleName const): Deleted.
1900         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
1901         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
1902         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
1903         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
1904         (JSC::ExportSpecifierNode::exportedName): Deleted.
1905         (JSC::ExportSpecifierNode::localName): Deleted.
1906         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
1907         (JSC::ExportSpecifierListNode::append): Deleted.
1908         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
1909         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
1910         (JSC::ArrayPatternNode::appendIndex): Deleted.
1911         (JSC::ObjectPatternNode::appendEntry): Deleted.
1912         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
1913         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
1914         (JSC::DestructuringAssignmentNode::bindings): Deleted.
1915         (JSC::FunctionParameters::size const): Deleted.
1916         (JSC::FunctionParameters::append): Deleted.
1917         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
1918         (JSC::FuncDeclNode::metadata): Deleted.
1919         (JSC::CaseClauseNode::expr const): Deleted.
1920         (JSC::CaseClauseNode::setStartOffset): Deleted.
1921         (JSC::ClauseListNode::getClause const): Deleted.
1922         (JSC::ClauseListNode::getNext const): Deleted.
1923         * runtime/ExceptionHelpers.cpp:
1924         * runtime/JSObject.cpp:
1925
1926 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1927
1928         JSON.stringify should emit non own properties if second array argument includes
1929         https://bugs.webkit.org/show_bug.cgi?id=187724
1930
1931         Reviewed by Mark Lam.
1932
1933         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
1934         instead of [[GetOwnProperty]]. It means that we would look up properties defined
1935         in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
1936         by using EnumerableOwnPropertyNames typically, we can pass a replacer array including
1937         property names which do not reside in the own properties. Or we can modify the
1938         own properties by deleting properties while JSON.stringify is calling a getter. So,
1939         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
1940
1941         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
1942         The performance of Kraken/json-stringify-tinderbox is neutral.
1943
1944         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
1945
1946         * runtime/JSONObject.cpp:
1947         (JSC::Stringifier::toJSON):
1948         (JSC::Stringifier::toJSONImpl):
1949         (JSC::Stringifier::appendStringifiedValue):
1950         (JSC::Stringifier::Holder::Holder):
1951         (JSC::Stringifier::Holder::appendNextProperty):
1952
1953 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1954
1955         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
1956         https://bugs.webkit.org/show_bug.cgi?id=187755
1957
1958         Reviewed by Mark Lam.
1959
1960         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
1961         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
1962         makes one test262 test fail.
1963
1964         This patch changes the code to use `isArray()`, and reorders the evaluation of the replacer check and the indent space check
1965         to align these checks with the spec's order.
1966
1967         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
1968
1969         * runtime/JSONObject.cpp:
1970         (JSC::Stringifier::Stringifier):
1971
1972 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1973
1974         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
1975         https://bugs.webkit.org/show_bug.cgi?id=187752
1976
1977         Reviewed by Mark Lam.
1978
1979         JSON.stringify has an implicit root wrapper object since we would like to call replacer
1980         with a wrapper object and a property name. While we always create this wrapper object,
1981         it is unnecessary if the given replacer is not callable.
1982
1983         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
1984         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
1985
1986                                            baseline                  patched
1987
1988         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
1989
1990         * runtime/JSONObject.cpp:
1991         (JSC::Stringifier::isCallableReplacer const):
1992         (JSC::Stringifier::Stringifier):
1993         (JSC::Stringifier::stringify):
1994         (JSC::Stringifier::appendStringifiedValue):
1995
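The replacer behaviour described in the two entries above (IsArray accepting a Proxy, the replacer being examined before the space argument, and the implicit root wrapper object passed to a callable replacer), as one added example that is not part of this ChangeLog or of WebKit's code. It assumes a spec-conformant engine such as Node.js; all inputs are constructed here.

```javascript
// Added example (not WebKit code): three observable details of how
// JSON.stringify treats its replacer argument.

// (1) IsArray(replacer) is used, so a Proxy wrapping an array is an array
// replacer; an instanceof-style JSArray check would have ignored it.
function stringifyWithProxyReplacer() {
  const list = new Proxy(['a'], {});
  return JSON.stringify({ a: 1, b: 2 }, list);
}

// (2) The replacer is processed before the space argument is coerced. A Proxy
// get trap and an overridden valueOf record which side effect happens first;
// the log is collapsed to the sequence of sources ('replacer', 'space').
function observeReplacerThenSpaceOrder() {
  const log = [];
  const replacer = new Proxy(['a'], {
    get(target, key, receiver) {
      log.push('replacer:' + String(key));
      return Reflect.get(target, key, receiver);
    },
  });
  const space = new Number(2); // a Number wrapper is converted with ToNumber
  space.valueOf = function () { log.push('space'); return 2; };
  JSON.stringify({ a: 1 }, replacer, space);
  const sources = log.map((entry) => entry.split(':')[0]);
  return sources.filter((s, i) => i === 0 || s !== sources[i - 1]);
}

// (3) A callable replacer is first invoked on an implicit wrapper object whose
// only property, named "", holds the value being stringified. Capture `this`
// and the key of that first call.
function captureRootHolder() {
  let first = null;
  JSON.stringify(42, function (key, value) {
    if (first === null) {
      first = {
        key,
        value,
        holderKeys: Object.keys(this),
        holderRootValue: this[''],
      };
    }
    return value;
  });
  return first;
}
```

Case (3) is the allocation the third entry avoids when the replacer is not callable: with an array replacer or no replacer, nothing can observe the wrapper, so it need not exist.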
1996 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1997
1998         [GLIB] Add jsc_context_check_syntax() to GLib API
1999         https://bugs.webkit.org/show_bug.cgi?id=187694
2000
2001         Reviewed by Yusuke Suzuki.
2002
2003         A new function to be able to check for syntax errors without actually evaluating the code.
2004
2005         * API/glib/JSCContext.cpp:
2006         (jsc_context_check_syntax):
2007         * API/glib/JSCContext.h:
2008         * API/glib/docs/jsc-glib-4.0-sections.txt:
2009
2010 2018-07-17  Keith Miller  <keith_miller@apple.com>
2011
2012         Revert r233630 since it broke internal wasm benchmarks
2013         https://bugs.webkit.org/show_bug.cgi?id=187746
2014
2015         Unreviewed revert.
2016
2017         This patch seems to have broken internal Wasm benchmarks. This
2018         issue is likely due to an underlying bug but let's rollout while
2019         we investigate.
2020
2021         * bytecode/CodeType.h:
2022         * bytecode/UnlinkedCodeBlock.cpp:
2023         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2024         * bytecode/UnlinkedCodeBlock.h:
2025         (JSC::UnlinkedCodeBlock::codeType const):
2026         (JSC::UnlinkedCodeBlock::didOptimize const):
2027         (JSC::UnlinkedCodeBlock::setDidOptimize):
2028         * bytecode/VirtualRegister.h:
2029         (JSC::VirtualRegister::VirtualRegister):
2030         (): Deleted.
2031
2032 2018-07-17  Mark Lam  <mark.lam@apple.com>
2033
2034         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
2035         https://bugs.webkit.org/show_bug.cgi?id=187736
2036         <rdar://problem/42114371>
2037
2038         Reviewed by Michael Saboff.
2039
2040         CodeBlock::baselineVersion() currently checks for a null replacement but does not
2041         account for the fact that the replacement can also be null due to the
2042         executable having been purged of its codeBlocks due to a memory event (see
2043         ExecutableBase::clearCode()).  This patch adds code to account for this.
2044
2045         * bytecode/CodeBlock.cpp:
2046         (JSC::CodeBlock::baselineVersion):
2047
2048 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2049
2050         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
2051         https://bugs.webkit.org/show_bug.cgi?id=187709
2052
2053         Reviewed by Mark Lam.
2054
2055         UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
2056
2057         * bytecode/UnlinkedCodeBlock.cpp:
2058         (JSC::UnlinkedCodeBlock::shrinkToFit):
2059
2060 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2061
2062         [JSC] Make SourceParseMode small
2063         https://bugs.webkit.org/show_bug.cgi?id=187705
2064
2065         Reviewed by Mark Lam.
2066
2067         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
2068         Originally, this was done to make SourceParseModeSet faster because it is critical in our parser.
2069         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
2070         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
2071
2072         * parser/ParserModes.h:
2073         (JSC::SourceParseModeSet::SourceParseModeSet):
2074         (JSC::SourceParseModeSet::contains):
2075         (JSC::SourceParseModeSet::mergeSourceParseModes):
2076
2077 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2078
2079         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
2080         https://bugs.webkit.org/show_bug.cgi?id=187585
2081
2082         Reviewed by Darin Adler.
2083
2084         This patch fixes Generator and AsyncGenerator's prototype issues.
2085
2086         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
2087         We fix this by changing JSFunction::prototypeForConstruction.
2088
2089         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
2090         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
2091         to fix `prototype` issues for AsyncGeneratorMethod.
2092
2093         * bytecompiler/BytecodeGenerator.cpp:
2094         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
2095         (JSC::BytecodeGenerator::emitNewFunction):
2096         * bytecompiler/NodesCodegen.cpp:
2097         (JSC::FunctionNode::emitBytecode):
2098         * parser/ASTBuilder.h:
2099         (JSC::ASTBuilder::createFunctionMetadata):
2100         * parser/Parser.cpp:
2101         (JSC::getAsynFunctionBodyParseMode):
2102         (JSC::Parser<LexerType>::parseInner):
2103         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2104         * parser/ParserModes.h:
2105         (JSC::isAsyncGeneratorParseMode):
2106         (JSC::isAsyncGeneratorWrapperParseMode):
2107         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
2108         * runtime/FunctionExecutable.h:
2109         * runtime/JSFunction.cpp:
2110         (JSC::JSFunction::prototypeForConstruction):
2111         (JSC::JSFunction::getOwnPropertySlot):
2112
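The prototype fallback described in the entry above, as an added example that is not part of this ChangeLog or of WebKit's code. It checks, on a spec-conformant engine such as Node.js, that a generator or async generator instance whose function has had its `prototype` property replaced with a non-object inherits from the realm's intrinsic prototype; the async generator method case is the one the entry names.

```javascript
// Added example (not WebKit code): default prototypes of generator objects
// when the function's own `prototype` property is no longer an object.

// The intrinsics, obtained without naming them directly:
// %GeneratorFunction.prototype.prototype% and %AsyncGeneratorFunction.prototype.prototype%.
const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;

// A generator function whose `prototype` is set to a non-object: instances must
// fall back to %GeneratorPrototype%. `replacement` is the non-object to install.
function generatorFallsBackToIntrinsic(replacement = null) {
  function* gen() { yield 1; }
  gen.prototype = replacement;
  const it = gen();
  return Object.getPrototypeOf(it) === GeneratorPrototype;
}

// The same check for an async generator *method*, whose instances must fall
// back to %AsyncGeneratorPrototype%.
function asyncGeneratorMethodFallsBackToIntrinsic(replacement = null) {
  const obj = { async *method() { yield 1; } };
  obj.method.prototype = replacement;
  const it = obj.method(); // body does not run until next() is called
  return Object.getPrototypeOf(it) === AsyncGeneratorPrototype;
}

// Sanity check: with an untouched `prototype`, an instance inherits from the
// method's own prototype object, which in turn inherits from the intrinsic.
function untouchedPrototypeChain() {
  const obj = { async *method() {} };
  const it = obj.method();
  return Object.getPrototypeOf(it) === obj.method.prototype
      && Object.getPrototypeOf(obj.method.prototype) === AsyncGeneratorPrototype;
}
```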
2113 2018-07-16  Mark Lam  <mark.lam@apple.com>
2114
2115         jsc shell's noFTL utility test function should be more robust.
2116         https://bugs.webkit.org/show_bug.cgi?id=187704
2117         <rdar://problem/42231988>
2118
2119         Reviewed by Michael Saboff and Keith Miller.
2120
2121         * jsc.cpp:
2122         (functionNoFTL):
2123         - only setNeverFTLOptimize() if the function is actually a JS function.
2124
2125 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
2126
2127         [GLIB] Add API to evaluate code using a given object to store global symbols
2128         https://bugs.webkit.org/show_bug.cgi?id=187639
2129
2130         Reviewed by Michael Catanzaro.
2131
2132         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
2133         evaluated script are added as properties to the new object instead of to the context global object. This is
2134         similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a
2135         scope for assignments, so we have to create a new context and get its global object. This patch also updates
2136         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
2137         jsc_context_evaluate_in_object().
2138
2139         * API/glib/JSCContext.cpp:
2140         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
2141         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
2142         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
2143         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
2144         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
2145         * API/glib/JSCContext.h:
2146         * API/glib/docs/jsc-glib-4.0-sections.txt:
2147
2148 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2149
2150         [32bit JSC tests]  stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
2151         https://bugs.webkit.org/show_bug.cgi?id=187561
2152
2153         Reviewed by Darin Adler.
2154
2155         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
2156         We clean up 32bit put_by_val code.
2157
2158         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
2159         aligns 32bit implementation to 64bit implementation.
2160
2161         2. We add CoW array checking, which is done in 64bit implementation.
2162
2163         * jit/JITPropertyAccess.cpp:
2164         (JSC::JIT::emit_op_put_by_val):
2165         * jit/JITPropertyAccess32_64.cpp:
2166         (JSC::JIT::emit_op_put_by_val):
2167         (JSC::JIT::emitSlow_op_put_by_val):
2168
2169 2018-07-12  Mark Lam  <mark.lam@apple.com>
2170
2171         Need to handle CodeBlock::replacement() being null.
2172         https://bugs.webkit.org/show_bug.cgi?id=187569
2173         <rdar://problem/41468692>
2174
2175         Reviewed by Saam Barati.
2176
2177         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
2178         for this while others do not.  We should add null checks in all the places that
2179         need it.
2180
2181         * bytecode/CodeBlock.cpp:
2182         (JSC::CodeBlock::hasOptimizedReplacement):
2183         (JSC::CodeBlock::jettison):
2184         (JSC::CodeBlock::numberOfDFGCompiles):
2185         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2186         * dfg/DFGOperations.cpp:
2187         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2188         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
2189         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
2190         * jit/JITOperations.cpp:
2191
2192 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2193
2194         [JSC] Thread VM& to JSCell::methodTable(VM&)
2195         https://bugs.webkit.org/show_bug.cgi?id=187548
2196
2197         Reviewed by Saam Barati.
2198
2199         This patch threads VM& to methodTable(VM&) and removes methodTable().
2200         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
2201
2202         * API/APICast.h:
2203         (toJS):
2204         * API/JSCallbackObject.h:
2205         * API/JSCallbackObjectFunctions.h:
2206         (JSC::JSCallbackObject<Parent>::className):
2207         * bytecode/CodeBlock.cpp:
2208         (JSC::CodeBlock::estimatedSize):
2209         * bytecode/CodeBlock.h:
2210         * bytecode/UnlinkedCodeBlock.cpp:
2211         (JSC::UnlinkedCodeBlock::estimatedSize):
2212         * bytecode/UnlinkedCodeBlock.h:
2213         * debugger/DebuggerScope.cpp:
2214         (JSC::DebuggerScope::className):
2215         * debugger/DebuggerScope.h:
2216         * heap/Heap.cpp:
2217         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
2218         (JSC::GatherHeapSnapshotData::operator() const):
2219         (JSC::Heap::gatherExtraHeapSnapshotData):
2220         * heap/HeapSnapshotBuilder.cpp:
2221         (JSC::HeapSnapshotBuilder::json):
2222         * runtime/ArrayPrototype.cpp:
2223         (JSC::arrayProtoFuncToString):
2224         * runtime/ClassInfo.h:
2225         * runtime/DirectArguments.cpp:
2226         (JSC::DirectArguments::estimatedSize):
2227         * runtime/DirectArguments.h:
2228         * runtime/HashMapImpl.cpp:
2229         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
2230         * runtime/HashMapImpl.h:
2231         * runtime/JSArrayBuffer.cpp:
2232         (JSC::JSArrayBuffer::estimatedSize):
2233         * runtime/JSArrayBuffer.h:
2234         * runtime/JSBigInt.cpp:
2235         (JSC::JSBigInt::estimatedSize):
2236         * runtime/JSBigInt.h:
2237         * runtime/JSCell.cpp:
2238         (JSC::JSCell::dump const):
2239         (JSC::JSCell::estimatedSizeInBytes const):
2240         (JSC::JSCell::estimatedSize):
2241         (JSC::JSCell::className):
2242         * runtime/JSCell.h:
2243         * runtime/JSCellInlines.h:
2244         * runtime/JSGenericTypedArrayView.h:
2245         * runtime/JSGenericTypedArrayViewInlines.h:
2246         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
2247         * runtime/JSObject.cpp:
2248         (JSC::JSObject::estimatedSize):
2249         (JSC::JSObject::className):
2250         (JSC::JSObject::toStringName):
2251         (JSC::JSObject::calculatedClassName):
2252         * runtime/JSObject.h:
2253         * runtime/JSProxy.cpp:
2254         (JSC::JSProxy::className):
2255         * runtime/JSProxy.h:
2256         * runtime/JSString.cpp:
2257         (JSC::JSString::estimatedSize):
2258         * runtime/JSString.h:
2259         * runtime/RegExp.cpp:
2260         (JSC::RegExp::estimatedSize):
2261         * runtime/RegExp.h:
2262         * runtime/WeakMapImpl.cpp:
2263         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
2264         * runtime/WeakMapImpl.h:
2265
2266 2018-07-11  Commit Queue  <commit-queue@webkit.org>
2267
2268         Unreviewed, rolling out r233714.
2269         https://bugs.webkit.org/show_bug.cgi?id=187579
2270
2271         it made tests time out (Requested by pizlo on #webkit).
2272
2273         Reverted changeset:
2274
2275         "Change the reoptimization backoff base to 1.3 from 2"
2276         https://bugs.webkit.org/show_bug.cgi?id=187540
2277         https://trac.webkit.org/changeset/233714
2278
2279 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2280
2281         [GLIB] Add API to allow creating variadic functions
2282         https://bugs.webkit.org/show_bug.cgi?id=187517
2283
2284         Reviewed by Michael Catanzaro.
2285
2286         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
2287         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
2288
2289         * API/glib/JSCCallbackFunction.cpp:
2290         (JSC::JSCCallbackFunction::create): Make the parameters optional.
2291         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
2292         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
2293         JSCValue for the arguments.
2294         (JSC::JSCCallbackFunction::construct): Ditto.
2295         * API/glib/JSCCallbackFunction.h:
2296         * API/glib/JSCClass.cpp:
2297         (jscClassCreateConstructor): Make the parameters optional.
2298         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
2299         (jscClassAddMethod): Make the parameters optional.
2300         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
2301         * API/glib/JSCClass.h:
2302         * API/glib/JSCValue.cpp:
2303         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
2304         (jscValueFunctionCreate): Make the parameters optional.
2305         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
2306         * API/glib/JSCValue.h:
2307         * API/glib/docs/jsc-glib-4.0-sections.txt:
2308
2309 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2310
2311         [GLIB] Add jsc_context_get_global_object() to GLib API
2312         https://bugs.webkit.org/show_bug.cgi?id=187515
2313
2314         Reviewed by Michael Catanzaro.
2315
2316         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
2317         object. However, getting the global object could be useful in some cases, for example to give it a well known
2318         name like 'window' in browsers and GJS.
2319
2320         * API/glib/JSCContext.cpp:
2321         (jsc_context_get_global_object):
2322         * API/glib/JSCContext.h:
2323         * API/glib/docs/jsc-glib-4.0-sections.txt:
2324
2325 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2326
2327         [GLIB] Handle G_TYPE_STRV in glib API
2328         https://bugs.webkit.org/show_bug.cgi?id=187512
2329
2330         Reviewed by Michael Catanzaro.
2331
2332         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
2333
2334         * API/glib/JSCContext.cpp:
2335         (jscContextGValueToJSValue):
2336         (jscContextJSValueToGValue):
2337         * API/glib/JSCValue.cpp:
2338         (jsc_value_new_array_from_strv):
2339         * API/glib/JSCValue.h:
2340         * API/glib/docs/jsc-glib-4.0-sections.txt:
2341
2342 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2343
2344         Iterator of Array.keys() returns object in wrong order
2345         https://bugs.webkit.org/show_bug.cgi?id=185197
2346
2347         Reviewed by Keith Miller.
2348
2349         * builtins/ArrayIteratorPrototype.js:
2350         (globalPrivate.arrayIteratorValueNext):
2351         (globalPrivate.arrayIteratorKeyNext):
2352         (globalPrivate.arrayIteratorKeyValueNext):
2353         * builtins/AsyncFromSyncIteratorPrototype.js:
2354         * builtins/AsyncGeneratorPrototype.js:
2355         (globalPrivate.asyncGeneratorResolve):
2356         * builtins/GeneratorPrototype.js:
2357         (globalPrivate.generatorResume):
2358         * builtins/MapIteratorPrototype.js:
2359         (globalPrivate.mapIteratorNext):
2360         * builtins/SetIteratorPrototype.js:
2361         (globalPrivate.setIteratorNext):
2362         * builtins/StringIteratorPrototype.js:
2363         (next):
2364         * runtime/IteratorOperations.cpp:
2365         (JSC::createIteratorResultObjectStructure):
2366         (JSC::createIteratorResultObject):
2367
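The property order the entry above fixes, as an added example that is not part of this ChangeLog or of WebKit's code. CreateIterResultObject defines `value` before `done`, which is observable through key enumeration and JSON serialization; this probes several built-in iterators on a spec-conformant engine such as Node.js.

```javascript
// Added example (not WebKit code): iterator result objects must carry their
// properties in the order { value, done }.

// Returns, per built-in iterator kind, the key order of its first result object.
function iterResultKeyOrders() {
  const probes = {
    arrayKeys: [10, 20].keys(),
    arrayValues: [10, 20].values(),
    arrayEntries: [10, 20].entries(),
    mapIterator: new Map([[1, 'a']]).entries(),
    setIterator: new Set([1]).values(),
    stringIterator: 'ab'[Symbol.iterator](),
    generator: (function* () { yield 1; })(),
  };
  const orders = {};
  for (const [name, iterator] of Object.entries(probes)) {
    orders[name] = Object.keys(iterator.next()).join(',');
  }
  return orders;
}

// True when every probed iterator produces { value, done } in that order.
function allResultsAreValueThenDone() {
  return Object.values(iterResultKeyOrders()).every((order) => order === 'value,done');
}

// The user-visible consequence: serializing a result object preserves the order.
function serializedArrayKeysResult() {
  return JSON.stringify([10].keys().next());
}
```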
2368 2018-07-10  Mark Lam  <mark.lam@apple.com>
2369
2370         constructArray() should always allocate the requested length.
2371         https://bugs.webkit.org/show_bug.cgi?id=187543
2372         <rdar://problem/41947884>
2373
2374         Reviewed by Saam Barati.
2375
2376         Currently, it does not when we're having a bad time.  We fix this by switching
2377         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
2378         If we detect that a structure transition is possible before we can initialize
2379         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
2380         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
2381
2382         Also enhanced the DisallowScope and ObjectInitializationScope to support this
2383         eager initialization when needed.
2384
2385         * dfg/DFGOperations.cpp:
2386         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
2387           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
2388           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
2389           generated code, which will appear as a generic null pointer dereference.
2390
2391         * runtime/ArrayPrototype.cpp:
2392         (JSC::concatAppendOne):
2393         - the code here clearly wants to check for an allocation failure.  Switched to
2394           using JSArray::tryCreate() instead of JSArray::create().
2395
2396         * runtime/DisallowScope.h:
2397         (JSC::DisallowScope::disable):
2398         * runtime/JSArray.cpp:
2399         (JSC::JSArray::tryCreateUninitializedRestricted):
2400         (JSC::JSArray::eagerlyInitializeButterfly):
2401         (JSC::constructArray):
2402         * runtime/JSArray.h:
2403         * runtime/ObjectInitializationScope.cpp:
2404         (JSC::ObjectInitializationScope::notifyInitialized):
2405         * runtime/ObjectInitializationScope.h:
2406         (JSC::ObjectInitializationScope::notifyInitialized):
2407
2408 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2409
2410         [JSC] Remove getTypedArrayImpl
2411         https://bugs.webkit.org/show_bug.cgi?id=187338
2412
2413         Reviewed by Mark Lam.
2414
2415         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
2416         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
2417         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
2418
2419         * runtime/ClassInfo.h:
2420         * runtime/GenericTypedArrayView.h:
2421         (JSC::GenericTypedArrayView::data const): Deleted.
2422         (JSC::GenericTypedArrayView::set): Deleted.
2423         (JSC::GenericTypedArrayView::setRange): Deleted.
2424         (JSC::GenericTypedArrayView::zeroRange): Deleted.
2425         (JSC::GenericTypedArrayView::zeroFill): Deleted.
2426         (JSC::GenericTypedArrayView::length const): Deleted.
2427         (JSC::GenericTypedArrayView::item const): Deleted.
2428         (JSC::GenericTypedArrayView::set const): Deleted.
2429         (JSC::GenericTypedArrayView::setNative const): Deleted.
2430         (JSC::GenericTypedArrayView::getRange): Deleted.
2431         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
2432         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
2433         * runtime/JSArrayBufferView.cpp:
2434         (JSC::JSArrayBufferView::possiblySharedImpl):
2435         * runtime/JSArrayBufferView.h:
2436         * runtime/JSArrayBufferViewInlines.h:
2437         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
2438         * runtime/JSCell.cpp:
2439         (JSC::JSCell::getTypedArrayImpl): Deleted.
2440         * runtime/JSCell.h:
2441         * runtime/JSDataView.cpp:
2442         (JSC::JSDataView::getTypedArrayImpl): Deleted.
2443         * runtime/JSDataView.h:
2444         * runtime/JSGenericTypedArrayView.h:
2445         * runtime/JSGenericTypedArrayViewInlines.h:
2446         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
2447
2448 2018-07-10  Keith Miller  <keith_miller@apple.com>
2449
2450         hasOwnProperty returns true for out of bounds property index on TypedArray
2451         https://bugs.webkit.org/show_bug.cgi?id=187520
2452
2453         Reviewed by Saam Barati.
2454
2455         * runtime/JSGenericTypedArrayViewInlines.h:
2456         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2457
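The ownership rules the entry above refers to, as an added example that is not part of this ChangeLog or of WebKit's code. On a spec-conformant engine such as Node.js, a typed array owns exactly the valid integer indices, so `hasOwnProperty` must be false for an out-of-bounds index, and also for canonical numeric strings that are not integer indices (such as "-0" or "1.5"); a non-canonical string such as "01" is an ordinary property key.

```javascript
// Added example (not WebKit code): which string keys a TypedArray reports as
// own properties. The array and its extra property are constructed here.
function typedArrayOwnershipProbe() {
  const ta = new Uint8Array(2); // valid integer indices are 0 and 1
  ta['01'] = 7; // not a canonical numeric string: becomes an ordinary own property
  return {
    inBounds: ta.hasOwnProperty('1'),
    outOfBounds: ta.hasOwnProperty('5'),
    outOfBoundsIn: '5' in ta,
    outOfBoundsDescriptor: Object.getOwnPropertyDescriptor(ta, '5') === undefined,
    negativeZero: ta.hasOwnProperty('-0'),  // canonical numeric, not an integer index
    fractional: ta.hasOwnProperty('1.5'),   // canonical numeric, not an integer index
    nonCanonical: ta.hasOwnProperty('01'),  // ordinary property created above
    keys: Object.keys(ta).join(','),        // integer indices first, then '01'
  };
}
```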
2458 2018-07-10  Michael Saboff  <msaboff@apple.com>
2459
2460         DFG JIT: compileMathIC produces incorrect machine code
2461         https://bugs.webkit.org/show_bug.cgi?id=187537
2462
2463         Reviewed by Saam Barati.
2464
2465         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
2466         fall back to the fast path generator which handles such cases.
2467
2468         * jit/JITMulGenerator.cpp:
2469         (JSC::JITMulGenerator::generateInline):
2470
2471 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
2472
2473         Change the reoptimization backoff base to 1.3 from 2
2474         https://bugs.webkit.org/show_bug.cgi?id=187540
2475
2476         Reviewed by Saam Barati.
2477         
2478         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
2479         
2480         I also have data that hints that a backoff base of 1 might be even better, but I think that
2481         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
2482
2483         * bytecode/CodeBlock.cpp:
2484         (JSC::CodeBlock::reoptimizationRetryCounter const):
2485         (JSC::CodeBlock::countReoptimization):
2486         (JSC::CodeBlock::adjustedCounterValue):
2487         * runtime/Options.cpp:
2488         (JSC::recomputeDependentOptions):
2489         * runtime/Options.h:
2490
2491 2018-07-10  Mark Lam  <mark.lam@apple.com>
2492
2493         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
2494         https://bugs.webkit.org/show_bug.cgi?id=187362
2495         <rdar://problem/42027210>
2496
2497         Reviewed by Saam Barati.
2498
2499         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
2500         value to use for initializing unused properties.  Updated an assertion to account
2501         for this.
2502
2503         * runtime/ObjectInitializationScope.cpp:
2504         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2505
2506 2018-07-10  Michael Saboff  <msaboff@apple.com>
2507
2508         YARR: . doesn't match non-BMP Unicode characters in some cases
2509         https://bugs.webkit.org/show_bug.cgi?id=187248
2510
2511         Reviewed by Geoffrey Garen.
2512
2513         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
2514         characters did not take into account that the character class is inverted.  In this case, we
2515         represent '.' as "not a newline" using the newline character class with an inverted check.
2516         Clearly that includes non-BMP characters.
2517
2518         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
2519         inverted use of that character class.
2520
2521         * yarr/YarrJIT.cpp:
2522         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2523
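The expected behaviour of `.` on a non-BMP character, as an added example that is not part of this ChangeLog or of WebKit's code. With the `u` flag, `.` must consume a whole code point (two UTF-16 code units for an astral character) in every position of the pattern; without `u` it consumes a single code unit. The sample string is constructed here; the example assumes a spec-conformant engine such as Node.js and does not reproduce the specific pattern that triggered the YARR bug.

```javascript
// Added example (not WebKit code): '.' against a non-BMP character with and
// without the Unicode flag.
const SMILE = '\u{1F600}'; // U+1F600, an astral character: two UTF-16 code units

function dotProbe() {
  return {
    unicodeWholeChar: /^.$/u.test(SMILE),           // '.' consumes the whole code point
    nonUnicodeWholeChar: /^.$/.test(SMILE),         // two code units, '.' takes only one
    nonUnicodeTwoDots: /^..$/.test(SMILE),          // each '.' takes one surrogate
    unicodeMatchLength: SMILE.match(/./u)[0].length,   // 2 code units in the match
    nonUnicodeMatchLength: SMILE.match(/./)[0].length, // 1 code unit
    afterLiteral: /^a.b$/u.test('a' + SMILE + 'b'),    // '.' between literals
    inAlternation: /^(?:x|.)$/u.test(SMILE),           // '.' inside an alternative
    newlineExcluded: /^.$/u.test('\n'),                // '.' still excludes line terminators
  };
}
```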
2524 2018-07-09  Mark Lam  <mark.lam@apple.com>
2525
2526         Add --traceLLIntExecution and --traceLLIntSlowPath options.
2527         https://bugs.webkit.org/show_bug.cgi?id=187479
2528
2529         Reviewed by Yusuke Suzuki and Saam Barati.
2530
2531         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
2532
2533         The details:
2534         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
2535         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
2536            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
2537            continually spammed with logging until we rebuild.
2538         3. Fixed slow path LLINT tracing to work with exception check validation.
2539
2540         * llint/LLIntCommon.h:
2541         * llint/LLIntExceptions.cpp:
2542         (JSC::LLInt::returnToThrow):
2543         (JSC::LLInt::callToThrow):
2544         * llint/LLIntOfflineAsmConfig.h:
2545         * llint/LLIntSlowPaths.cpp:
2546         (JSC::LLInt::slowPathLog):
2547         (JSC::LLInt::slowPathLn):
2548         (JSC::LLInt::slowPathLogF):
2549         (JSC::LLInt::slowPathLogLn):
2550         (JSC::LLInt::llint_trace_operand):
2551         (JSC::LLInt::llint_trace_value):
2552         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2553         (JSC::LLInt::traceFunctionPrologue):
2554         (JSC::LLInt::handleHostCall):
2555         (JSC::LLInt::setUpCall):
2556         * llint/LLIntSlowPaths.h:
2557         * llint/LowLevelInterpreter.asm:
2558         * runtime/CommonSlowPathsExceptions.cpp:
2559         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2560         * runtime/Options.cpp:
2561         (JSC::Options::isAvailable):
2562         * runtime/Options.h:
2563
2564 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2565
2566         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
2567         https://bugs.webkit.org/show_bug.cgi?id=187477
2568
2569         Reviewed by Mark Lam.
2570
2571         Before this patch, RegExp* is specially held in the m_regexp buffer which resides in CodeBlock's RareData.
2572         However, it is not necessary since JSCells can reside in a constant buffer.
2573         This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
2574         vector from RareData.
2575
2576         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
2577
2578         * bytecode/BytecodeDumper.cpp:
2579         (JSC::BytecodeDumper<Block>::dumpBytecode):
2580         (JSC::BytecodeDumper<Block>::dumpBlock):
2581         (JSC::regexpToSourceString): Deleted.
2582         (JSC::regexpName): Deleted.
2583         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
2584         * bytecode/BytecodeDumper.h:
2585         * bytecode/CodeBlock.h:
2586         (JSC::CodeBlock::regexp const): Deleted.
2587         (JSC::CodeBlock::numberOfRegExps const): Deleted.
2588         * bytecode/UnlinkedCodeBlock.cpp:
2589         (JSC::UnlinkedCodeBlock::visitChildren):
2590         (JSC::UnlinkedCodeBlock::shrinkToFit):
2591         * bytecode/UnlinkedCodeBlock.h:
2592         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2593         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
2594         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
2595         * bytecompiler/BytecodeGenerator.cpp:
2596         (JSC::BytecodeGenerator::emitNewRegExp):
2597         (JSC::BytecodeGenerator::addRegExp): Deleted.
2598         * bytecompiler/BytecodeGenerator.h:
2599         * dfg/DFGByteCodeParser.cpp:
2600         (JSC::DFG::ByteCodeParser::parseBlock):
2601         * jit/JITOpcodes.cpp:
2602         (JSC::JIT::emit_op_new_regexp):
2603         * llint/LLIntSlowPaths.cpp:
2604         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2605         * runtime/JSCJSValue.cpp:
2606         (JSC::JSValue::dumpInContextAssumingStructure const):
2607         * runtime/RegExp.cpp:
2608         (JSC::regexpToSourceString):
2609         (JSC::RegExp::dumpToStream):
2610         * runtime/RegExp.h:
2611
2612 2018-07-09  Brian Burg  <bburg@apple.com>
2613
2614         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
2615         https://bugs.webkit.org/show_bug.cgi?id=187350
2616         <rdar://problem/41728249>
2617
2618         Reviewed by Matt Baker.
2619
2620         Add a new command that toggles whether or not to blackbox internal scripts.
2621         If blackboxed, the scripts will not be shown to the frontend and the debugger will
2622         not pause in source frames from blackboxed scripts. Sometimes we want to break into
2623         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
2624         that injects scripts.
2625
2626         * inspector/agents/InspectorDebuggerAgent.cpp:
2627         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2628         (Inspector::InspectorDebuggerAgent::didParseSource):
2629         * inspector/agents/InspectorDebuggerAgent.h:
2630         * inspector/protocol/Debugger.json:
2631
2632 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2633
2634         [JSC] Make some data members of UnlinkedCodeBlock private
2635         https://bugs.webkit.org/show_bug.cgi?id=187467
2636
2637         Reviewed by Mark Lam.
2638
2639         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
2640         We also remove m_numCapturedVars since it is no longer used.
2641
2642         * bytecode/CodeBlock.cpp:
2643         (JSC::CodeBlock::CodeBlock):
2644         * bytecode/CodeBlock.h:
2645         * bytecode/UnlinkedCodeBlock.cpp:
2646         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2647         * bytecode/UnlinkedCodeBlock.h:
2648
2649 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2650
2651         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
2652         https://bugs.webkit.org/show_bug.cgi?id=187465
2653
2654         Reviewed by Keith Miller.
2655
2656         ProxyableAccessCase is allocated very frequently and persists for a long time. Reducing the size
2657         of ProxyableAccessCase can reduce the footprint of many web sites, including nytimes.com.
2658
2659         This patch uses a slightly more complicated layout to reduce the size of ProxyableAccessCase. We add an
2660         unused bool member in AccessCase's padding and use it in ProxyableAccessCase. By doing so, we reduce the size
2661         of ProxyableAccessCase from 56 to 48. It also reduces the size of GetterSetterAccessCase
2662         from 104 to 96 since it inherits from ProxyableAccessCase.
2663
2664         * bytecode/AccessCase.h:
2665         (JSC::AccessCase::viaProxy const):
2666         (JSC::AccessCase::AccessCase):
2667         * bytecode/ProxyableAccessCase.cpp:
2668         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2669         * bytecode/ProxyableAccessCase.h:
2670
2671 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2672
2673         Unreviewed, build fix for debug builds after r233630
2674         https://bugs.webkit.org/show_bug.cgi?id=187441
2675
2676         * jit/JIT.cpp:
2677         (JSC::JIT::frameRegisterCountFor):
2678         * llint/LLIntEntrypoint.cpp:
2679         (JSC::LLInt::frameRegisterCountFor):
2680
2681 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2682
2683         [JSC] Optimize layout of CodeBlock to reduce padding
2684         https://bugs.webkit.org/show_bug.cgi?id=187441
2685
2686         Reviewed by Mark Lam.
2687
2688         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
2689         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
2690         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
2691
2692         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
2693
2694         * bytecode/BytecodeDumper.cpp:
2695         (JSC::BytecodeDumper<Block>::dumpBlock):
2696         * bytecode/BytecodeUseDef.h:
2697         (JSC::computeDefsForBytecodeOffset):
2698         * bytecode/CodeBlock.cpp:
2699         (JSC::CodeBlock::CodeBlock):
2700         * bytecode/CodeBlock.h:
2701         (JSC::CodeBlock::numVars const):
2702         * bytecode/UnlinkedCodeBlock.h:
2703         (JSC::UnlinkedCodeBlock::numVars const):
2704         * dfg/DFGByteCodeParser.cpp:
2705         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2706         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2707         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2708         (JSC::DFG::ByteCodeParser::inlineCall):
2709         (JSC::DFG::ByteCodeParser::handleGetById):
2710         (JSC::DFG::ByteCodeParser::handlePutById):
2711         (JSC::DFG::ByteCodeParser::parseBlock):
2712         * dfg/DFGGraph.h:
2713         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2714         * dfg/DFGOSREntrypointCreationPhase.cpp:
2715         (JSC::DFG::OSREntrypointCreationPhase::run):
2716         * dfg/DFGVariableEventStream.cpp:
2717         (JSC::DFG::VariableEventStream::reconstruct const):
2718         * ftl/FTLOSREntry.cpp:
2719         (JSC::FTL::prepareOSREntry):
2720         * ftl/FTLState.cpp:
2721         (JSC::FTL::State::State):
2722         * interpreter/Interpreter.cpp:
2723         (JSC::Interpreter::dumpRegisters):
2724         * jit/JIT.cpp:
2725         (JSC::JIT::frameRegisterCountFor):
2726         * jit/JITOpcodes.cpp:
2727         (JSC::JIT::emit_op_enter):
2728         * jit/JITOpcodes32_64.cpp:
2729         (JSC::JIT::emit_op_enter):
2730         * jit/JITOperations.cpp:
2731         * llint/LLIntEntrypoint.cpp:
2732         (JSC::LLInt::frameRegisterCountFor):
2733         * llint/LLIntSlowPaths.cpp:
2734         (JSC::LLInt::traceFunctionPrologue):
2735         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2736         * runtime/JSCJSValue.h:
2737
2738 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2739
2740         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
2741         https://bugs.webkit.org/show_bug.cgi?id=187448
2742
2743         Reviewed by Saam Barati.
2744
2745         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
2746         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
2747
2748         * bytecode/CodeType.h:
2749         * bytecode/UnlinkedCodeBlock.cpp:
2750         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2751         * bytecode/UnlinkedCodeBlock.h:
2752         (JSC::UnlinkedCodeBlock::codeType const):
2753         (JSC::UnlinkedCodeBlock::didOptimize const):
2754         (JSC::UnlinkedCodeBlock::setDidOptimize):
2755         * bytecode/VirtualRegister.h:
2756
2757 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2758
2759         [JSC] Optimize padding of InferredTypeTable by using cellLock
2760         https://bugs.webkit.org/show_bug.cgi?id=187447
2761
2762         Reviewed by Mark Lam.
2763
2764         Use cellLock() in InferredTypeTable to guard changes of internal structures.
2765         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
2766         reduce the size of InferredTypeTable from 40 to 32.
2767
2768         * runtime/InferredTypeTable.cpp:
2769         (JSC::InferredTypeTable::visitChildren):
2770         (JSC::InferredTypeTable::get):
2771         (JSC::InferredTypeTable::willStoreValue):
2772         (JSC::InferredTypeTable::makeTop):
2773         * runtime/InferredTypeTable.h:
2774         Use enum class and `using`, and remove `isEmpty()` since it is not used.
2775
2776         * runtime/Structure.h:
2777
2778 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2779
2780         [JSC] Optimize layout of SourceProvider to reduce padding
2781         https://bugs.webkit.org/show_bug.cgi?id=187440
2782
2783         Reviewed by Mark Lam.
2784
2785         Arrange members of SourceProvider to reduce the size from 80 to 72.
2786
2787         * parser/SourceProvider.cpp:
2788         (JSC::SourceProvider::SourceProvider):
2789         * parser/SourceProvider.h:
2790
2791 2018-07-08  Mark Lam  <mark.lam@apple.com>
2792
2793         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
2794         https://bugs.webkit.org/show_bug.cgi?id=187444
2795         <rdar://problem/41282849>
2796
2797         Reviewed by Saam Barati.
2798
2799         PropertyTable supports C++ iteration by offering begin() and end() methods, and
2800         an iterator class.  The begin() methods and the iterator operator++() method use
2801         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
2802         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
2803         pointer from being incremented past the end of the table.  As a result, we can
2804         iterate past the end of the table.  Note that the C++ iteration protocol tests
2805         for the iterator not being equal to the end() value.  It does not do a <= test.
2806         If the iterator ever shoots past end, the loop will effectively not terminate.
2807
2808         This issue can manifest if and only if the last entry in the table is a deleted
2809         one, and the key field of the PropertyMapEntry-shaped space at the end of the
2810         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
2811         value.
2812
2813         No test because manifesting this issue requires uncontrollable happenstance where
2814         memory just beyond the end of the table looks like a deleted entry.
2815
2816         * runtime/PropertyMapHashTable.h:
2817         (JSC::PropertyTable::begin):
2818         (JSC::PropertyTable::end):
2819         (JSC::PropertyTable::begin const):
2820         (JSC::PropertyTable::end const):
2821         (JSC::PropertyTable::skipDeletedEntries):
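
        The past-the-end walk described in this entry, reduced to a constructed three-entry table whose
        last entry is deleted. This is an added illustration, not WebKit code: the Entry layout, the
        kDeletedKey value standing in for PROPERTY_MAP_DELETED_ENTRY_KEY, and the function names are
        assumptions made for the example; only the shape of the two skipDeletedEntries loops (unbounded
        before, bounded by end() after) follows the fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative entry layout, not JSC's PropertyMapEntry: a key of 1 marks a deleted
// entry (standing in for PROPERTY_MAP_DELETED_ENTRY_KEY), 0 marks an unused slot.
struct Entry { uintptr_t key; };
constexpr uintptr_t kDeletedKey = 1;

// Pre-fix shape: advance over deleted entries with no bound, so a deleted-looking
// slot just past the table end keeps the pointer moving.
Entry* skipDeletedEntriesUnguarded(Entry* valuePtr) {
    while (valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

// Fixed shape: stop at endValuePtr, so the iterator can reach end() but never pass it.
Entry* skipDeletedEntriesGuarded(Entry* valuePtr, Entry* endValuePtr) {
    while (valuePtr < endValuePtr && valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

struct Walk {
    size_t liveEntries;  // entries visited by the it != end loop
    ptrdiff_t overshoot; // slots past end() where the iterator landed (0 when the loop terminated normally)
};

// Runs the C++ iteration protocol (it != end, no <= test) over a constructed table whose LAST
// entry is deleted, the precondition named in the ChangeLog entry. slackLooksDeleted controls
// whether the memory just beyond the table happens to contain a 1.
Walk iterate(bool guarded, bool slackLooksDeleted) {
    constexpr size_t tableSize = 3;
    std::vector<Entry> storage = {
        {42}, {7}, {kDeletedKey},                  // the table proper: two live entries, then a deleted one
        {slackLooksDeleted ? kDeletedKey : 0}, {0} // constructed "memory beyond the end of the table"
    };
    Entry* begin = storage.data();
    Entry* end = begin + tableSize;
    auto skip = [&](Entry* p) {
        return guarded ? skipDeletedEntriesGuarded(p, end) : skipDeletedEntriesUnguarded(p);
    };

    Walk w{0, 0};
    for (Entry* it = skip(begin); it != end; it = skip(it + 1)) {
        if (it > end) {            // the real loop has no such check and would not terminate
            w.overshoot = it - end;
            break;
        }
        ++w.liveEntries;
    }
    return w;
}

int main() {
    Walk bad = iterate(/*guarded=*/false, /*slackLooksDeleted=*/true);
    Walk good = iterate(/*guarded=*/true, /*slackLooksDeleted=*/true);
    std::printf("unguarded: live=%zu overshoot=%td\n", bad.liveEntries, bad.overshoot);
    std::printf("guarded:   live=%zu overshoot=%td\n", good.liveEntries, good.overshoot);
    return 0;
}
```

        With the unguarded skip and a deleted-looking slot after the table, the iterator lands one slot past
        end() and the demo bails out where the real loop would keep running; with the guarded skip it stops
        exactly at end(). When the slack does not look deleted, both versions agree, which is why the bug only
        shows up by happenstance.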
2822
2823 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2824
2825         [JSC] Optimize layout of SymbolTable to reduce padding
2826         https://bugs.webkit.org/show_bug.cgi?id=187437
2827
2828         Reviewed by Mark Lam.
2829
2830         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
2831
2832         * runtime/SymbolTable.h:
2833
2834 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2835
2836         [JSC] Optimize layout of RegExp to reduce padding
2837         https://bugs.webkit.org/show_bug.cgi?id=187438
2838
2839         Reviewed by Mark Lam.
2840
2841         Reduce the size of RegExp from 168 to 144.
2842
2843         * runtime/RegExp.cpp:
2844         (JSC::RegExp::RegExp):
2845         * runtime/RegExp.h:
2846         * runtime/RegExpKey.h:
2847         * yarr/YarrErrorCode.h:
2848
2849 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2850
2851         [JSC] Optimize layout of ValueProfile to reduce padding
2852         https://bugs.webkit.org/show_bug.cgi?id=187439
2853
2854         Reviewed by Mark Lam.
2855
2856         Reduce the size of ValueProfile from 40 to 32 by reordering members.
2857
2858         * bytecode/ValueProfile.h:
2859         (JSC::ValueProfileBase::ValueProfileBase):
2860
2861 2018-07-05  Saam Barati  <sbarati@apple.com>
2862
2863         ProgramExecutable may be collected as we checkSyntax on it
2864         https://bugs.webkit.org/show_bug.cgi?id=187359
2865         <rdar://problem/41832135>
2866
2867         Reviewed by Mark Lam.
2868
2869         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable while
2870         the ProgramExecutable itself may be collected. The fix here is to make a copy
2871         of the field instead of passing in a reference inside of ParserError::toErrorObject.
2872
2873         No new tests here as this was already caught by our iOS JSC testers.
2874
2875         * parser/ParserError.h:
2876         (JSC::ParserError::toErrorObject):
2877
2878 2018-07-04  Tim Horton  <timothy_horton@apple.com>
2879
2880         Introduce PLATFORM(IOSMAC)
2881         https://bugs.webkit.org/show_bug.cgi?id=187315
2882
2883         Reviewed by Dan Bernstein.
2884
2885         * Configurations/Base.xcconfig:
2886         * Configurations/FeatureDefines.xcconfig:
2887
2888 2018-07-03  Mark Lam  <mark.lam@apple.com>
2889
2890         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
2891         https://bugs.webkit.org/show_bug.cgi?id=187255
2892         <rdar://problem/41785257>
2893
2894         Reviewed by Saam Barati.
2895
2896         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
2897         too: basically, do what the 64-bit code is doing.  At present, this change only
2898         serves to pacify an assertion.  It is not needed for correctness because the
2899         concurrent GC is not used on 32-bit builds.
2900
2901         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
2902         test.
2903
2904         * jit/JITOpcodes32_64.cpp:
2905         (JSC::JIT::emit_op_create_this):
2906
2907 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2908
2909         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
2910         https://bugs.webkit.org/show_bug.cgi?id=187290
2911
2912         Reviewed by Saam Barati.
2913
2914         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
2915         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
2916         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
2917         easily calculated from JSType.
2918         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
2919
2920         * runtime/ClassInfo.h:
2921         * runtime/JSArrayBufferView.cpp:
2922         (JSC::elementSize):
2923         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2924         * runtime/JSArrayBufferView.h:
2925         * runtime/JSArrayBufferViewInlines.h:
2926         (JSC::JSArrayBufferView::possiblySharedBuffer):
2927         * runtime/JSCell.cpp:
2928         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
2929         * runtime/JSCell.h:
2930         * runtime/JSDataView.cpp:
2931         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
2932         * runtime/JSDataView.h:
2933         * runtime/JSGenericTypedArrayView.h:
2934         * runtime/JSGenericTypedArrayViewInlines.h:
2935         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
2936
2937 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2938
2939         Regular expressions with ".?" expressions at the start and the end match the entire string
2940         https://bugs.webkit.org/show_bug.cgi?id=119191
2941
2942         Reviewed by Michael Saboff.
2943
2944         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
2945         for "abc" first and then processing the leading and trailing dot stars
2946         to find the beginning and the end of the match. However, it erroneously
2947         enabled this optimization for regular expressions whose leading or
2948         trailing dots had quantifiers that were not of arbitrary length, e.g.,
2949         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
2950         match the entire string when it shouldn't. This patch disables the
2951         optimization for those cases.
2952
2953         * yarr/YarrPattern.cpp:
2954         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2955
2956 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2957
2958         RegExp.exec returns wrong value with a long integer quantifier
2959         https://bugs.webkit.org/show_bug.cgi?id=187042
2960
2961         Reviewed by Saam Barati.
2962
2963         Prior to this patch, the Yarr parser checked for integer overflow when
2964         parsing quantifiers in regular expressions by adding one digit at a time
2965         to a number and checking if the result got larger. This is wrong:
2966         the parser would fail to detect overflow when parsing, for example,
2967         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
2968
2969         Another issue was that once it detected overflow, it stopped consuming
2970         the remaining digits. Since it didn't find the closing bracket, it
2971         parsed the quantifier as a normal string instead.
2972
2973         This patch fixes these issues by reading all the digits and checking for
2974         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
2975         returns the largest possible value (quantifyInfinite in this case). This
2976         matches Chrome [1], Firefox [2], and Edge [3].
2977
2978         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
2979         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
2980         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
2981
2982         * yarr/YarrParser.h:
2983         (JSC::Yarr::Parser::consumeNumber):
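
        Both defects described in this entry, side by side: the "did the value grow" overflow check that
        10,000,000,003 slips past, and the early stop that leaves the closing brace unfound. This is an added
        example, not Yarr's parser: the function names, the QuantifierParse result type, the digit-only "{N}"
        grammar, and the assumption that quantifyInfinite is the largest unsigned value are all made up for
        the illustration. The checked version records overflow with a sticky flag, the way
        Checked<unsigned, RecordOverflow> does, and keeps consuming digits.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string_view>

// Yarr's "unbounded" sentinel; assumed here to be the largest unsigned value.
constexpr uint32_t quantifyInfinite = std::numeric_limits<uint32_t>::max();

struct QuantifierParse {
    bool isQuantifier; // false: the "{" did not form a quantifier and is treated as a literal
    uint32_t value;
    size_t consumed;   // bytes of src consumed when isQuantifier is true
};

static bool isDigit(char c) { return c >= '0' && c <= '9'; }

// Pre-patch approach: accumulate one digit at a time in a 32-bit value, call it overflow
// only when the result did not grow, and stop consuming digits on the first "overflow".
QuantifierParse parseBraceQuantifierNaive(std::string_view src) {
    if (src.empty() || src[0] != '{')
        return {false, 0, 0};
    size_t i = 1;
    uint32_t n = 0;
    bool sawDigit = false;
    while (i < src.size() && isDigit(src[i])) {
        uint32_t next = n * 10 + static_cast<uint32_t>(src[i] - '0'); // wraps modulo 2^32
        if (next < n)
            break; // "overflow detected": the remaining digits are left unconsumed
        n = next;
        sawDigit = true;
        ++i;
    }
    // Without a closing brace right here, the whole thing is parsed as a literal string.
    if (!sawDigit || i >= src.size() || src[i] != '}')
        return {false, 0, 0};
    return {true, n, i + 1};
}

// Patched approach: consume every digit, record overflow with a sticky flag, and clamp
// the result to quantifyInfinite.
QuantifierParse parseBraceQuantifierChecked(std::string_view src) {
    if (src.empty() || src[0] != '{')
        return {false, 0, 0};
    size_t i = 1;
    uint64_t n = 0;
    bool overflow = false, sawDigit = false;
    while (i < src.size() && isDigit(src[i])) {
        sawDigit = true;
        if (!overflow) {
            n = n * 10 + static_cast<uint64_t>(src[i] - '0');
            if (n > std::numeric_limits<uint32_t>::max())
                overflow = true; // keep consuming so the closing brace is still found
        }
        ++i;
    }
    if (!sawDigit || i >= src.size() || src[i] != '}')
        return {false, 0, 0};
    return {true, overflow ? quantifyInfinite : static_cast<uint32_t>(n), i + 1};
}

int main() {
    for (std::string_view src : {"{12}", "{10000000003}", "{4294967296}"}) {
        QuantifierParse naive = parseBraceQuantifierNaive(src);
        QuantifierParse checked = parseBraceQuantifierChecked(src);
        std::printf("%s naive: quantifier=%d value=%u | checked: quantifier=%d value=%u\n",
            src.data(), naive.isQuantifier, naive.value, checked.isQuantifier, checked.value);
    }
    return 0;
}
```

        For "{10000000003}" the naive parser accepts 1410065411 as the count, exactly the wrapped value from
        the entry; for "{4294967296}" it does detect the wrap (the value drops to 0) but then stops on the digit,
        never sees the brace, and falls back to a literal. The checked parser returns quantifyInfinite for both
        and consumes the whole quantifier.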
2984
2985 2018-07-02  Keith Miller  <keith_miller@apple.com>
2986
2987         InstanceOf IC should do generic if the prototype is not an object.
2988         https://bugs.webkit.org/show_bug.cgi?id=187250
2989
2990         Reviewed by Mark Lam.
2991
2992         The old code was wrong for two reasons. First, the AccessCase expected that
2993         the prototype value would be non-null. Second, we would end up returning
2994         false instead of throwing an exception.
2995
2996         * jit/Repatch.cpp:
2997         (JSC::tryCacheInstanceOf):
2998
2999 2018-07-01  Mark Lam  <mark.lam@apple.com>
3000
3001         Builtins and host functions should get their own structures.
3002         https://bugs.webkit.org/show_bug.cgi?id=187211
3003         <rdar://problem/41646336>
3004
3005         Reviewed by Saam Barati.
3006
3007         JSFunctions do lazy reification of properties, but ordinary functions apply
3008         different rules of property reification than builtin and host functions.  Hence,
3009         we should give builtins and host functions their own structures.
3010
3011         * runtime/JSFunction.cpp:
3012         (JSC::JSFunction::selectStructureForNewFuncExp):
3013         (JSC::JSFunction::create):
3014         (JSC::JSFunction::getOwnPropertySlot):
3015         * runtime/JSGlobalObject.cpp:
3016         (JSC::JSGlobalObject::init):
3017         (JSC::JSGlobalObject::visitChildren):
3018         * runtime/JSGlobalObject.h:
3019         (JSC::JSGlobalObject::hostFunctionStructure const):
3020         (JSC::JSGlobalObject::arrowFunctionStructure const):
3021         (JSC::JSGlobalObject::sloppyFunctionStructure const):
3022         (JSC::JSGlobalObject::strictFunctionStructure const):
3023
3024 2018-07-01  David Kilzer  <ddkilzer@apple.com>
3025
3026         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
3027         <https://webkit.org/b/187233>
3028
3029         Reviewed by Mark Lam.
3030
3031         * b3/air/AirEliminateDeadCode.cpp:
3032         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
3033         * parser/ParserTokens.h:
3034         (JSC::JSTextPosition::JSTextPosition): Add struct member
3035         initialization. Simplify default constructor.
3036         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
3037         union to the beginning to make it easy to zero out all fields.
3038         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
3039         initialization.  Simplify default constructor.  Note that
3040         `endOffset` was not being initialized previously.
3041         (JSC::JSTextPosition::JSToken): Add struct member initialization
3042         where necessary.
3043         * runtime/IntlObject.cpp:
3044         (JSC::MatcherResult): Add struct member initialization.
3045
3046 2018-06-23  Darin Adler  <darin@apple.com>
3047
3048         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
3049         https://bugs.webkit.org/show_bug.cgi?id=186973
3050
3051         Reviewed by Dan Bernstein.
3052
3053         * API/JSContext.mm:
3054         (WeakContextRef::WeakContextRef): Deleted.
3055         (WeakContextRef::~WeakContextRef): Deleted.
3056         (WeakContextRef::get): Deleted.
3057         (WeakContextRef::set): Deleted.
3058
3059         * API/JSContextInternal.h: Removed unneeded header guards since this is
3060         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
3061         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
3062         since neither is used outside the class implementation.
3063
3064         * API/JSManagedValue.mm:
3065         (-[JSManagedValue initWithValue:]): Use a bridging cast.
3066         (-[JSManagedValue dealloc]): Ditto.
3067         (-[JSManagedValue didAddOwner:]): Ditto.
3068         (-[JSManagedValue didRemoveOwner:]): Ditto.
3069         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
3070         (JSManagedValueHandleOwner::finalize): Ditto.
3071         * API/JSValue.mm:
3072         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
3073         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
3074         (-[JSValue valueForProperty:]): Ditto.
3075         (-[JSValue setValue:forProperty:]): Ditto.
3076         (-[JSValue deleteProperty:]): Ditto.
3077         (-[JSValue hasProperty:]): Ditto.
3078         (-[JSValue invokeMethod:withArguments:]): Ditto.
3079         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
3080         (valueToArray): Ditto.
3081         (valueToDictionary): Ditto.
3082         (objectToValueWithoutCopy): Ditto.
3083         (objectToValue): Ditto.
3084         * API/JSVirtualMachine.mm:
3085         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
3086         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
3087         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
3088         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
3089         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
3090         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
3091         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
3092         (scanExternalObjectGraph): Ditto.
3093         (scanExternalRememberedSet): Ditto.
3094         * API/JSWrapperMap.mm:
3095         (makeWrapper): Ditto.
3096         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
3097         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
3098         (tryUnwrapObjcObject): Ditto.
3099         * API/ObjCCallbackFunction.mm:
3100         (blockSignatureContainsClass): Ditto.
3101         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
3102         sure we will be keeping this the same way under ARC.
3103         (objCCallbackFunctionForBlock): Use a bridging cast.
3104
3105         * API/ObjcRuntimeExtras.h:
3106         (protocolImplementsProtocol): Use a more specific type that includes the
3107         explicit __unsafe_unretained for copied protocol lists.
3108         (forEachProtocolImplementingProtocol): Ditto.
3109
3110         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3111         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
3112         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
3113
3114         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
3115         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
3116         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
3117         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
3118         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
3119
3120 2018-06-30  Adam Barth  <abarth@webkit.org>
3121
3122         Port JavaScriptCore to OS(FUCHSIA)
3123         https://bugs.webkit.org/show_bug.cgi?id=187223
3124
3125         Reviewed by Daniel Bates.
3126
3127         * assembler/ARM64Assembler.h:
3128         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
3129         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
3130         (JSC::MachineContext::stackPointerImpl):
3131         (JSC::MachineContext::framePointerImpl):
3132         (JSC::MachineContext::instructionPointerImpl):
3133         (JSC::MachineContext::argumentPointer<1>):
3134         (JSC::MachineContext::llintInstructionPointer):
3135
3136 2018-06-30  David Kilzer  <ddkilzer@apple.com>
3137
3138         Fix clang static analyzer warnings: Garbage return value
3139         <https://webkit.org/b/187224>
3140
3141         Reviewed by Eric Carlson.
3142
3143         * bytecode/UnlinkedCodeBlock.cpp:
3144         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
3145         - Use brace initialization for local variables.
3146         * debugger/DebuggerCallFrame.cpp:
3147         (class JSC::LineAndColumnFunctor):
3148         - Use class member initialization for member variables.
3149
3150 2018-06-29  Saam Barati  <sbarati@apple.com>
3151
3152         Unreviewed. Try to fix Windows build after r233377
3153
3154         * builtins/BuiltinExecutables.cpp:
3155         (JSC::BuiltinExecutables::createExecutable):
3156
3157 2018-06-29  Saam Barati  <sbarati@apple.com>
3158
3159         Don't use tracePoints in JS/Wasm entry
3160         https://bugs.webkit.org/show_bug.cgi?id=187196
3161
3162         Reviewed by Mark Lam.
3163
3164         This puts VM entry and Wasm entry tracePoints behind a runtime
3165         option. This is a ~4x speedup on a soon-to-be-released Wasm
3166         benchmark. tracePoints should basically never run more than 50
3167         times a second. Entering the VM and entering Wasm are user controlled,
3168         and can happen hundreds of thousands of times in a second. Depending
3169         on how the Wasm/JS code is structured, this can be disastrous for
3170         performance.
3171
3172         * runtime/Options.h:
3173         * runtime/VMEntryScope.cpp:
3174         (JSC::VMEntryScope::VMEntryScope):
3175         (JSC::VMEntryScope::~VMEntryScope):
3176         * wasm/WasmBBQPlan.cpp:
3177         (JSC::Wasm::BBQPlan::compileFunctions):
3178         * wasm/js/WebAssemblyFunction.cpp:
3179         (JSC::callWebAssemblyFunction):
3180
3181 2018-06-29  Saam Barati  <sbarati@apple.com>
3182
3183         We shouldn't recurse into the parser when gathering metadata about various function offsets
3184         https://bugs.webkit.org/show_bug.cgi?id=184074
3185         <rdar://problem/37165897>
3186
3187         Reviewed by Mark Lam.
3188
3189         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
3190         for that builtin. This required calling into the parser. However, the parser
3191         may throw a stack overflow. We were not able to recover from that. The only
3192         reason we called into the parser here is that we were gathering text offsets
3193         and various metadata for things in the builtin function. This patch writes a
3194         mini parser that figures this information out without calling into the full
3195         parser. (I've also added a debug assert that verifies the mini parser stays in
3196         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
3197         always succeeds.
3198
3199         * builtins/AsyncFromSyncIteratorPrototype.js:
3200         (globalPrivate.createAsyncFromSyncIterator):
3201         (globalPrivate.AsyncFromSyncIteratorConstructor):
3202         * builtins/BuiltinExecutables.cpp:
3203         (JSC::BuiltinExecutables::createExecutable):
3204         * builtins/GlobalOperations.js:
3205         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
3206         (globalPrivate.speciesConstructor):
3207         (globalPrivate.copyDataProperties):
3208         (globalPrivate.copyDataPropertiesNoExclusions):
3209         * builtins/PromiseOperations.js:
3210         (globalPrivate.newHandledRejectedPromise):
3211         * builtins/RegExpPrototype.js:
3212         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
3213         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
3214         * builtins/StringPrototype.js:
3215         (globalPrivate.hasObservableSideEffectsForStringReplace):
3216         (globalPrivate.getDefaultCollator):
3217         * parser/Nodes.cpp:
3218         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3219         (JSC::FunctionMetadataNode::operator== const):
3220         (JSC::FunctionMetadataNode::dump const):
3221         * parser/Nodes.h:
3222         * parser/Parser.h:
3223         (JSC::parse):
3224         * parser/ParserError.h:
3225         (JSC::ParserError::type const):
3226         * parser/ParserTokens.h:
3227         (JSC::JSTextPosition::operator== const):
3228         (JSC::JSTextPosition::operator!= const):
3229         * parser/SourceCode.h:
3230         (JSC::SourceCode::operator== const):
3231         (JSC::SourceCode::operator!= const):
3232         (JSC::SourceCode::subExpression const):
3233         (JSC::SourceCode::subExpression): Deleted.
3234
3235 2018-06-28  Michael Saboff  <msaboff@apple.com>
3236
3237         IsoCellSet::sweepToFreeList() not safe when Full GC in process
3238         https://bugs.webkit.org/show_bug.cgi?id=187157
3239
3240         Reviewed by Mark Lam.
3241
3242         * heap/IsoCellSet.cpp:
3243         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
3244         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
3245         or not we are in the process of marking during a full GC.
3246         * heap/MarkedBlock.h:
3247         * heap/MarkedBlockInlines.h:
3248         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
3249
3250 2018-06-27  Saam Barati  <sbarati@apple.com>
3251
3252         Add some more register state information when we crash in repatchPutById
3253         https://bugs.webkit.org/show_bug.cgi?id=187112
3254
3255         Reviewed by Mark Lam.
3256
3257         This will help us gather info when we end up seeing an ObjectPropertyConditionSet
3258         with an offset that is different than what the put tells us.
3259
3260         * jit/Repatch.cpp:
3261         (JSC::tryCachePutByID):
3262
3263 2018-06-27  Mark Lam  <mark.lam@apple.com>
3264
3265         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
3266         https://bugs.webkit.org/show_bug.cgi?id=187119
3267
3268         Reviewed by Keith Miller.
3269
3270         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
3271         should be checking for codeBlock instead of !codeBlock
3272         before using the codeBlock.
3273
3274         I also renamed some other "print" functions to use "dump" instead
3275         to match their underlying C++ code that they will call e.g.
3276         CodeBlock::dumpSource().
3277
3278         * tools/JSDollarVM.cpp:
3279         (WTF::JSDollarVMCallFrame::finishCreation):
3280         (JSC::functionDumpSourceFor):
3281         (JSC::functionDumpBytecodeFor):
3282         (JSC::doPrint):
3283         (JSC::functionDataLog):
3284         (JSC::functionPrint):
3285         (JSC::functionDumpCallFrame):
3286         (JSC::functionDumpStack):
3287         (JSC::JSDollarVM::finishCreation):
3288         (JSC::functionPrintSourceFor): Deleted.
3289         (JSC::functionPrintBytecodeFor): Deleted.
3290         (JSC::doPrintln): Deleted.
3291         (JSC::functionPrintln): Deleted.
3292         (JSC::functionPrintCallFrame): Deleted.
3293         (JSC::functionPrintStack): Deleted.
3294         * tools/VMInspector.cpp:
3295         (JSC::DumpFrameFunctor::DumpFrameFunctor):
3296         (JSC::DumpFrameFunctor::operator() const):
3297         (JSC::VMInspector::dumpCallFrame):
3298         (JSC::VMInspector::dumpStack):
3299         (JSC::VMInspector::dumpValue):
3300         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
3301         (JSC::PrintFrameFunctor::operator() const): Deleted.
3302         (JSC::VMInspector::printCallFrame): Deleted.
3303         (JSC::VMInspector::printStack): Deleted.
3304         (JSC::VMInspector::printValue): Deleted.
3305         * tools/VMInspector.h:
3306
3307 2018-06-27  Keith Miller  <keith_miller@apple.com>
3308
3309         Add logging to try to diagnose where we get a null structure.
3310         https://bugs.webkit.org/show_bug.cgi?id=187106
3311
3312         Reviewed by Mark Lam.
3313
3314         Add a logging to JSObject::toPrimitive to help diagnose a nullptr
3315         structure crash.
3316
3317         This code should be removed when we fix <rdar://problem/33451840>
3318
3319         * runtime/JSObject.cpp:
3320         (JSC::callToPrimitiveFunction):
3321         * runtime/JSObject.h:
3322         (JSC::JSObject::getPropertySlot):
3323
3324 2018-06-27  Mark Lam  <mark.lam@apple.com>
3325
3326         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
3327         https://bugs.webkit.org/show_bug.cgi?id=187091
3328         <rdar://problem/41395624>
3329
3330         Reviewed by Yusuke Suzuki.
3331
3332         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
3333         took their slow paths, the slow path would jump back to the fast path right after
3334         the emitted code which clears the unused property values.  As a result, the
3335         unused properties were not initialized.  We've fixed this by adding the slow path
3336         generators before we emit the code to clear the unused properties.
3337
3338         * dfg/DFGSpeculativeJIT.cpp:
3339         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3340         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
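
        The following is an added illustration, not JSC code and not part of the
        original ChangeLog entry: a hypothetical C++ model of the fast-path /
        slow-path layout described above. Names such as Allocator, fastAlloc and
        slowAlloc are assumptions made for the example. The "buggy" layout puts
        the slow path's rejoin point after the clearing loop, so storage produced
        by the slow path keeps whatever stale bits the memory held; the "fixed"
        layout clears the unused slots on a path shared by both allocations.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical model (not JSC code) of the allocate/reallocate-property-storage
// sequence: a fast-path allocation with a slow-path fallback, followed by code
// that must clear every property slot that is not yet in use.
using Slot = uint64_t;
constexpr Slot kEmptySlot = 0;                        // stands in for JSValue()
constexpr Slot kStaleBits = 0xDEADBEEFCAFEBABEull;    // whatever the memory held before

struct Allocator {
    std::vector<std::unique_ptr<Slot[]>> live;
    size_t fastCapacityLeft;     // slots the fast allocator can still hand out
    size_t slowPathsTaken;

    // Memory comes back holding stale bits, like a reused heap chunk would.
    Slot* rawAlloc(size_t n) {
        live.emplace_back(new Slot[n]);
        std::fill_n(live.back().get(), n, kStaleBits);
        return live.back().get();
    }
    Slot* fastAlloc(size_t n) { fastCapacityLeft -= n; return rawAlloc(n); }
    Slot* slowAlloc(size_t n) { ++slowPathsTaken; return rawAlloc(n); }
};

// Layout before the fix: the slow-path generator sits *after* the clearing
// loop, so when the fast allocation fails the jump back lands past the
// clearing and the unused slots keep their stale contents.
Slot* allocatePropertyStorageBuggy(Allocator& a, const Slot* oldValues, size_t oldCount, size_t newCapacity) {
    Slot* storage = nullptr;
    if (a.fastCapacityLeft >= newCapacity) {
        storage = a.fastAlloc(newCapacity);
        for (size_t i = oldCount; i < newCapacity; ++i)   // clearing loop (fast path only)
            storage[i] = kEmptySlot;
    } else {
        storage = a.slowAlloc(newCapacity);                // rejoins here: clearing skipped
    }
    std::copy(oldValues, oldValues + oldCount, storage);   // common tail: move live properties
    return storage;
}

// Layout after the fix: the slow path rejoins *before* the clearing code, so
// the unused slots are cleared no matter which path produced the storage.
Slot* allocatePropertyStorageFixed(Allocator& a, const Slot* oldValues, size_t oldCount, size_t newCapacity) {
    Slot* storage = a.fastCapacityLeft >= newCapacity ? a.fastAlloc(newCapacity) : a.slowAlloc(newCapacity);
    for (size_t i = oldCount; i < newCapacity; ++i)
        storage[i] = kEmptySlot;
    std::copy(oldValues, oldValues + oldCount, storage);
    return storage;
}

// True when every slot past the live properties holds the empty value, which
// is what the GC and later property reads assume about fresh storage.
bool unusedSlotsCleared(const Slot* storage, size_t oldCount, size_t newCapacity) {
    for (size_t i = oldCount; i < newCapacity; ++i)
        if (storage[i] != kEmptySlot) return false;
    return true;
}

// Scenario that forces the slow path: only 2 fast slots left, 8 requested.
bool buggySlowPathLeavesStaleSlots() {
    Allocator a{{}, 2, 0};
    const Slot old[2] = {11, 22};
    Slot* s = allocatePropertyStorageBuggy(a, old, 2, 8);
    return a.slowPathsTaken == 1 && s[0] == 11 && s[1] == 22 && !unusedSlotsCleared(s, 2, 8);
}
bool fixedSlowPathClearsSlots() {
    Allocator a{{}, 2, 0};
    const Slot old[2] = {11, 22};
    Slot* s = allocatePropertyStorageFixed(a, old, 2, 8);
    return a.slowPathsTaken == 1 && s[0] == 11 && s[1] == 22 && unusedSlotsCleared(s, 2, 8);
}
// On the fast path both layouts behave the same; only the slow path differed.
bool fastPathClearsEitherWay() {
    Allocator a{{}, 64, 0}, b{{}, 64, 0};
    const Slot old[2] = {11, 22};
    return unusedSlotsCleared(allocatePropertyStorageBuggy(a, old, 2, 8), 2, 8)
        && unusedSlotsCleared(allocatePropertyStorageFixed(b, old, 2, 8), 2, 8)
        && a.slowPathsTaken == 0 && b.slowPathsTaken == 0;
}

int main() {
    std::printf("buggy slow path leaves stale slots: %d\n", buggySlowPathLeavesStaleSlots());
    std::printf("fixed slow path clears slots:       %d\n", fixedSlowPathClearsSlots());
    return 0;
}
```

        The point of the model is the control flow, not the allocator: any
        clearing that lives only on the fast path is skipped by every other
        path that rejoins after it, and the slots then carry stale heap
        contents into the object.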
3341
3342 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3343
3344         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
3345         https://bugs.webkit.org/show_bug.cgi?id=185943
3346
3347         Reviewed by Mark Lam.
3348
3349         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
3350         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
3351         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
3352         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
3353
3354         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
3355         but it should be done in a separate patch since it would be performance sensitive.
3356
3357         * bytecompiler/NodesCodegen.cpp:
3358         (JSC::ArrayPatternNode::emitDirectBinding):
3359
3360 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3361
3362         [JSC] Pass VM& to functions more
3363         https://bugs.webkit.org/show_bug.cgi?id=186241
3364
3365         Reviewed by Mark Lam.
3366
3367         This patch threads VM& to functions requiring VM& more.
3368
3369         * API/JSObjectRef.cpp:
3370         (JSObjectIsConstructor):
3371         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3372         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
3373         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
3374         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
3375         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
3376         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
3377         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
3378         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
3379         * bytecode/CodeBlockJettisoningWatchpoint.h:
3380         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3381         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
3382         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3383         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3384         * bytecode/StructureStubClearingWatchpoint.cpp:
3385         (JSC::StructureStubClearingWatchpoint::fireInternal):
3386         * bytecode/StructureStubClearingWatchpoint.h:
3387         * bytecode/Watchpoint.cpp:
3388         (JSC::Watchpoint::fire):
3389         (JSC::WatchpointSet::fireAllWatchpoints):
3390         * bytecode/Watchpoint.h:
3391         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3392         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
3393         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
3394         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3395         (JSC::DFG::AdaptiveStructureWatchpoint::install):
3396         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3397         * dfg/DFGAdaptiveStructureWatchpoint.h:
3398         * dfg/DFGDesiredWatchpoints.cpp:
3399         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
3400         * llint/LLIntSlowPaths.cpp:
3401         (JSC::LLInt::setupGetByIdPrototypeCache):
3402         * runtime/ArrayPrototype.cpp:
3403         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
3404         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3405         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3406         (JSC::esSpecIsConstructor):
3407         * runtime/FunctionRareData.cpp:
3408         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
3409         * runtime/FunctionRareData.h:
3410         * runtime/InferredStructureWatchpoint.cpp:
3411         (JSC::InferredStructureWatchpoint::fireInternal):
3412         * runtime/InferredStructureWatchpoint.h:
3413         * runtime/InternalFunction.cpp:
3414         (JSC::InternalFunction::createSubclassStructureSlow):
3415         * runtime/InternalFunction.h:
3416         (JSC::InternalFunction::createSubclassStructure):
3417         * runtime/JSCJSValue.h:
3418         * runtime/JSCJSValueInlines.h:
3419         (JSC::JSValue::isConstructor const):
3420         * runtime/JSCell.h:
3421         * runtime/JSCellInlines.h:
3422         (JSC::JSCell::isConstructor):
3423         (JSC::JSCell::methodTable const):
3424         * runtime/JSGlobalObject.cpp:
3425         (JSC::JSGlobalObject::init):
3426         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
3427         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
3428         * runtime/ProxyObject.cpp:
3429         (JSC::ProxyObject::finishCreation):
3430         * runtime/ReflectObject.cpp:
3431         (JSC::reflectObjectConstruct):
3432         * runtime/StructureRareData.cpp:
3433         (JSC::StructureRareData::setObjectToStringValue):
3434         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
3435         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3436         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3437
3438 2018-06-26  Mark Lam  <mark.lam@apple.com>
3439
3440         eval() is wrong about the LiteralParser never throwing any exceptions.
3441         https://bugs.webkit.org/show_bug.cgi?id=187074
3442         <rdar://problem/41461099>
3443
3444         Reviewed by Saam Barati.
3445
3446         Added the missing exception check, and removed an erroneous assertion.
3447
3448         * interpreter/Interpreter.cpp:
3449         (JSC::eval):
3450
3451 2018-06-26  Saam Barati  <sbarati@apple.com>
3452
3453         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3454         https://bugs.webkit.org/show_bug.cgi?id=186878
3455         <rdar://problem/40568659>
3456
3457         Reviewed by Filip Pizlo.
3458
3459         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3460         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3461         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
3462         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
3463         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
3464         the conservative scan knows to treat it like a butterfly when we may be
3465         pointing into the middle of it.
3466         
3467         The way we were crashing on the stress GC bots is that our conservative marking
3468         won't do cell visiting for things that are Auxiliary. This meant that if the
3469         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
3470         that JSImmutableButterfly would not be visited. This is now fixed.
3471
3472         * bytecompiler/NodesCodegen.cpp:
3473         (JSC::ArrayNode::emitBytecode):
3474         * debugger/Debugger.cpp:
3475         * heap/ConservativeRoots.cpp:
3476         (JSC::ConservativeRoots::genericAddPointer):
3477         * heap/Heap.cpp:
3478         (JSC::GatherHeapSnapshotData::operator() const):
3479         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
3480         (JSC::Heap::globalObjectCount):
3481         (JSC::Heap::objectTypeCounts):
3482         (JSC::Heap::deleteAllCodeBlocks):
3483         * heap/HeapCell.cpp:
3484         (WTF::printInternal):
3485         * heap/HeapCell.h:
3486         (JSC::isJSCellKind):
3487         (JSC::hasInteriorPointers):
3488         * heap/HeapUtil.h:
3489         (JSC::HeapUtil::findGCObjectPointersForMarking):
3490         (JSC::HeapUtil::isPointerGCObjectJSCell):
3491         * heap/MarkedBlock.cpp:
3492         (JSC::MarkedBlock::Handle::didAddToDirectory):
3493         * heap/SlotVisitor.cpp:
3494         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3495         * runtime/JSGlobalObject.cpp:
3496         * runtime/JSImmutableButterfly.h:
3497         (JSC::JSImmutableButterfly::subspaceFor):
3498         * runtime/VM.cpp:
3499         (JSC::VM::VM):
3500         * runtime/VM.h:
3501         * tools/CellProfile.h:
3502         (JSC::CellProfile::CellProfile):
3503         (JSC::CellProfile::isJSCell const):
3504         * tools/HeapVerifier.cpp:
3505         (JSC::HeapVerifier::validateCell):
3506
3507 2018-06-26  Mark Lam  <mark.lam@apple.com>
3508
3509         Skip some unnecessary work in Interpreter::getStackTrace().
3510         https://bugs.webkit.org/show_bug.cgi?id=187070
3511
3512         Reviewed by Michael Saboff.
3513
3514         * interpreter/Interpreter.cpp:
3515         (JSC::Interpreter::getStackTrace):
3516
3517 2018-06-26  Mark Lam  <mark.lam@apple.com>
3518
3519         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
3520         https://bugs.webkit.org/show_bug.cgi?id=187060
3521         <rdar://problem/41452767>
3522
3523         Reviewed by Keith Miller.
3524
3525         JSObject::ensureLengthSlow() may be called only because it needs to do a copy-on-write
3526         conversion.  Hence, we can return early after the conversion if the vector
3527         length is already sufficient to cover the requested length.
3528
3529         * runtime/JSObject.cpp:
3530         (JSC::JSObject::ensureLengthSlow):
3531
3532 2018-06-26  Commit Queue  <commit-queue@webkit.org>
3533
3534         Unreviewed, rolling out r233184.
3535         https://bugs.webkit.org/show_bug.cgi?id=187059
3536
3537         "It regressed JetStream between 5-8%" (Requested by saamyjoon
3538         on #webkit).
3539
3540         Reverted changeset:
3541
3542         "JSImmutableButterfly can't be allocated from a subspace with
3543         HeapCell::Kind::Auxiliary"
3544         https://bugs.webkit.org/show_bug.cgi?id=186878
3545         https://trac.webkit.org/changeset/233184
3546
3547 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3548
3549         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
3550         https://bugs.webkit.org/show_bug.cgi?id=187051
3551
3552         Reviewed by Mark Lam.
3553
3554         Revert the r233065 changes to UnlinkedCodeBlock.h to allow
3555         clang-3.8 (with libstdc++-5) to compile it again.
3556
3557         * bytecode/UnlinkedCodeBlock.h:
3558         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3559
3560 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
3561
3562         Fix testapi build when DFG_JIT is disabled
3563         https://bugs.webkit.org/show_bug.cgi?id=187038
3564
3565         Reviewed by Mark Lam.
3566
3567         r233158 added a new API and tests for configuring the number of JIT threads, but
3568         the API is only available when DFG_JIT is enabled and so should the tests be.
3569
3570         * API/tests/testapi.mm:
3571         (runJITThreadLimitTests):
3572
3573 2018-06-25  Saam Barati  <sbarati@apple.com>
3574
3575         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3576         https://bugs.webkit.org/show_bug.cgi?id=186878
3577         <rdar://problem/40568659>
3578
3579         Reviewed by Mark Lam.
3580
3581         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3582         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3583         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
3584         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
3585         bots is that our conservative marking won't do cell marking for things that
3586         are Auxiliary. This means that if the stack is the only thing pointing to a
3587         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
3588         not be visited. This patch fixes this bug. This patch also extends our conservative
3589         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
3590
3591         * bytecompiler/NodesCodegen.cpp:
3592         (JSC::ArrayNode::emitBytecode):
3593         * heap/HeapUtil.h:
3594         (JSC::HeapUtil::findGCObjectPointersForMarking):
3595         * runtime/JSImmutableButterfly.h:
3596         (JSC::JSImmutableButterfly::subspaceFor):
3597
3598 2018-06-25  Mark Lam  <mark.lam@apple.com>
3599
3600         constructArray() should set m_numValuesInVector to the specified length.
3601         https://bugs.webkit.org/show_bug.cgi?id=187010
3602         <rdar://problem/41392167>
3603
3604         Reviewed by Filip Pizlo.
3605
3606         Its client will fill in the storage vector with some values using initializeIndex()
3607         and expects m_numValuesInVector to be set to the length, i.e. the number of values
3608         to be initialized.
3609
3610         * runtime/JSArray.cpp:
3611         (JSC::constructArray):
3612
3613 2018-06-25  Mark Lam  <mark.lam@apple.com>
3614
3615         Add missing exception check in RegExpObjectInlines.h's collectMatches.
3616         https://bugs.webkit.org/show_bug.cgi?id=187006
3617         <rdar://problem/41418412>
3618
3619         Reviewed by Keith Miller.
3620
3621         * runtime/RegExpObjectInlines.h:
3622         (JSC::collectMatches):
3623
3624 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
3625
3626         Add API for configuring the number of threads used by DFG and FTL
3627         https://bugs.webkit.org/show_bug.cgi?id=186859
3628         <rdar://problem/41093519>
3629
3630         Reviewed by Filip Pizlo.
3631
3632         Add new private APIs for limiting the number of threads to be used by
3633         the DFG and FTL compilers. It was already possible to configure the
3634         limit through JSC Options, but now it can be changed at runtime, even
3635         in the case when the VM is already running.
3636
3637         Add a test for both cases: when trying to configure the limit before
3638         and after the Worklist has been created. In order to simulate the
3639         first scenario, we must guarantee that the test runs at the very
3640         beginning, so I also added a check for that.
3641
3642         * API/JSVirtualMachine.mm:
3643         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3644         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3645         * API/JSVirtualMachinePrivate.h:
3646         * API/tests/testapi.mm:
3647         (runJITThreadLimitTests):
3648         (testObjectiveCAPIMain):
3649         * dfg/DFGWorklist.cpp:
3650         (JSC::DFG::Worklist::finishCreation):
3651         (JSC::DFG::Worklist::createNewThread):
3652         (JSC::DFG::Worklist::setNumberOfThreads):
3653         * dfg/DFGWorklist.h:
3654
3655 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3656
3657         [JSC] Remove unnecessary PLATFORM guards
3658         https://bugs.webkit.org/show_bug.cgi?id=186995
3659
3660         Reviewed by Mark Lam.
3661
3662         * assembler/AssemblerCommon.h:
3663         (JSC::isIOS):
3664         Add constexpr.
3665
3666         * inspector/JSGlobalObjectInspectorController.cpp:
3667         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3668         StackFrame works on all platforms. If StackFrame::demangle fails,
3669         it just returns std::nullopt, and that is correctly handled in this code.
3670
3671 2018-06-23  Mark Lam  <mark.lam@apple.com>
3672
3673         Add more debugging features to $vm.
3674         https://bugs.webkit.org/show_bug.cgi?id=186947
3675
3676         Reviewed by Keith Miller.
3677
3678         Adding the following features:
3679
3680             // We now have println in addition to print.
3681             // println automatically adds a '\n' at the end.
3682             $vm.println("Hello");
3683
3684             // We can now capture some info about a stack frame.
3685             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
3686             var callerCallerFrame = $vm.callFrame(2);
3687
3688             // We can inspect the following values associated with the frame:
3689             if (currentFrame.valid) {
3690                 $vm.println("name is ", currentFrame.name);
3691
3692                 // Note: For a WASM frame, all of these will be undefined.
3693                 $vm.println("callee is ", $vm.value(currentFrame.callee));
3694                 $vm.println("codeBlock is ", currentFrame.codeBlock);
3695                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
3696                 $vm.println("executable is ", currentFrame.executable);
3697             }
3698
3699             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
3700             // to dataLog its JSValue instead of its toString() result.
3701
3702             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
3703             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
3704             // toString on a non-object.
3705
3706             // Does what it says about enabling/disabling debugger mode.
3707             $vm.enableDebuggerModeWhenIdle();
3708             $vm.disableDebuggerModeWhenIdle();
3709
3710         * tools/JSDollarVM.cpp:
3711         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
3712         (WTF::JSDollarVMCallFrame::createStructure):
3713         (WTF::JSDollarVMCallFrame::create):
3714         (WTF::JSDollarVMCallFrame::finishCreation):
3715         (WTF::JSDollarVMCallFrame::addProperty):
3716         (JSC::functionCallFrame):
3717         (JSC::functionCodeBlockForFrame):
3718         (JSC::codeBlockFromArg):
3719         (JSC::doPrintln):
3720         (JSC::functionPrint):
3721         (JSC::functionPrintln):
3722         (JSC::changeDebuggerModeWhenIdle):
3723         (JSC::functionEnableDebuggerModeWhenIdle):
3724         (JSC::functionDisableDebuggerModeWhenIdle):
3725         (JSC::JSDollarVM::finishCreation):
3726
3727 2018-06-22  Keith Miller  <keith_miller@apple.com>
3728
3729         We need to have a getDirectConcurrently for use in the compilers
3730         https://bugs.webkit.org/show_bug.cgi?id=186954
3731
3732         Reviewed by Mark Lam.
3733
3734         It used to be that the propertyStorage of an object never shrank,
3735         so if you called getDirect with some offset it would never be an
3736         OOB read. However, this property storage can shrink when calling
3737         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
3738         holds the Structure's ConcurrentJSLock while shrinking. This patch
3739         adds a getDirectConcurrently that will safely try to load from the
3740         butterfly.
3741
3742         * bytecode/ObjectPropertyConditionSet.cpp:
3743         * bytecode/PropertyCondition.cpp:
3744         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3745         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
3746         * dfg/DFGGraph.cpp:
3747         (JSC::DFG::Graph::tryGetConstantProperty):
3748         * runtime/JSObject.h:
3749         (JSC::JSObject::getDirectConcurrently const):
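
        The following is an added illustration, not JSC code and not part of the
        original ChangeLog entry: a hypothetical C++ model of the race described
        above. It assumes (as the entry suggests, but does not spell out) that a
        safe concurrent read takes the same Structure lock that
        flattenDictionaryStructure holds while shrinking, and then bounds-checks
        the offset against the current capacity instead of trusting a capacity
        observed earlier. ConcurrentJSLock is modelled as a spinlock and the
        scenario runs sequentially, so the lock only serializes; the bounds check
        is what turns a stale offset into a failed lookup rather than an
        out-of-bounds load.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using JSValueBits = uint64_t;

// Minimal stand-in for JSC's ConcurrentJSLock (assumption for this example):
// the mutator takes it to shrink storage, a compiler thread takes it to read.
struct ConcurrentJSLock {
    std::atomic<bool> held{false};
    void lock()   { while (held.exchange(true, std::memory_order_acquire)) { } }
    void unlock() { held.store(false, std::memory_order_release); }
};

struct Locker {
    ConcurrentJSLock& lock;
    explicit Locker(ConcurrentJSLock& l) : lock(l) { lock.lock(); }
    ~Locker() { lock.unlock(); }
    Locker(const Locker&) = delete;
    Locker& operator=(const Locker&) = delete;
};

struct Structure {
    ConcurrentJSLock lock;
    bool isDictionary = true;
};

struct JSObject {
    Structure* structure;
    std::vector<JSValueBits> butterfly;   // property storage; size() is the capacity

    // Mutator-thread read: the caller already knows the offset is in bounds,
    // because nothing can shrink the storage out from under the mutator.
    JSValueBits getDirect(size_t offset) const { return butterfly[offset]; }

    // Compiler-thread read. Holding the Structure's lock means the storage
    // cannot shrink while we look; checking against the *current* size means
    // an offset computed before a shrink is rejected instead of read OOB.
    bool getDirectConcurrently(size_t offset, JSValueBits& out) const {
        Locker locker(structure->lock);
        if (offset >= butterfly.size())
            return false;
        out = butterfly[offset];
        return true;
    }

    // Models flattenDictionaryStructure: compacts the live properties and
    // shrinks the storage, under the same lock the concurrent reader takes.
    void flattenDictionaryStructure(const std::vector<size_t>& liveOffsets) {
        Locker locker(structure->lock);
        std::vector<JSValueBits> compacted;
        compacted.reserve(liveOffsets.size());
        for (size_t off : liveOffsets)
            compacted.push_back(butterfly[off]);
        butterfly.swap(compacted);
        structure->isDictionary = false;
    }
};

struct ScenarioResult {
    bool firstReadOk;
    JSValueBits firstValue;
    bool secondReadOk;
    size_t capacityAfter;
};

// Scenario: 8 slots, the compiler reads offset 6, then the mutator flattens
// the structure down to 3 live properties. The same offset, now stale, must
// be refused rather than dereferenced past the end of the smaller storage.
ScenarioResult runShrinkScenario() {
    Structure s;
    JSObject o{&s, std::vector<JSValueBits>(8)};
    for (size_t i = 0; i < 8; ++i)
        o.butterfly[i] = 100 + i;

    ScenarioResult r{};
    r.firstReadOk = o.getDirectConcurrently(6, r.firstValue);   // in bounds: 106
    o.flattenDictionaryStructure({0, 3, 6});                     // capacity 8 -> 3
    JSValueBits ignored = 0;
    r.secondReadOk = o.getDirectConcurrently(6, ignored);        // stale offset: refused
    r.capacityAfter = o.butterfly.size();
    return r;
}

int main() {
    ScenarioResult r = runShrinkScenario();
    std::printf("before flatten: ok=%d value=%llu\n", r.firstReadOk, (unsigned long long)r.firstValue);
    std::printf("after flatten:  ok=%d capacity=%zu\n", r.secondReadOk, r.capacityAfter);
    return 0;
}
```

        An unchecked getDirect(6) after the flatten would index three elements
        past the end of the new storage, which is exactly the read the entry
        says used to be impossible and became possible once storage could
        shrink.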
3750
3751 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3752
3753         [WTF] Use Ref<> for the result type of non-failing factory functions
3754         https://bugs.webkit.org/show_bug.cgi?id=186920
3755
3756         Reviewed by Darin Adler.
3757
3758         * dfg/DFGWorklist.cpp:
3759         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
3760         (JSC::DFG::Worklist::finishCreation):
3761         * dfg/DFGWorklist.h:
3762         * heap/Heap.cpp:
3763         (JSC::Heap::Thread::Thread):
3764         * heap/Heap.h:
3765         * jit/JITWorklist.cpp:
3766         (JSC::JITWorklist::Thread::Thread):
3767         * jit/JITWorklist.h:
3768         * runtime/VMTraps.cpp:
3769         * runtime/VMTraps.h:
3770         * wasm/WasmWorklist.cpp:
3771         * wasm/WasmWorklist.h:
3772
3773 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3774
3775         [WTF] Add user-defined literal for ASCIILiteral
3776         https://bugs.webkit.org/show_bug.cgi?id=186839
3777
3778         Reviewed by Darin Adler.
3779
3780         * API/JSCallbackObjectFunctions.h:
3781         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3782         (JSC::JSCallbackObject<Parent>::callbackGetter):
3783         * API/JSObjectRef.cpp:
3784         (JSObjectMakeFunctionWithCallback):
3785         * API/JSTypedArray.cpp:
3786         (JSObjectGetArrayBufferBytesPtr):
3787         * API/JSValue.mm:
3788         (valueToArray):
3789         (valueToDictionary):
3790         * API/ObjCCallbackFunction.mm:
3791         (JSC::objCCallbackFunctionCallAsFunction):
3792         (JSC::objCCallbackFunctionCallAsConstructor):
3793         (JSC::ObjCCallbackFunctionImpl::call):
3794         * API/glib/JSCCallbackFunction.cpp:
3795         (JSC::JSCCallbackFunction::call):
3796         (JSC::JSCCallbackFunction::construct):
3797         * API/glib/JSCContext.cpp:
3798         (jscContextJSValueToGValue):
3799         * API/glib/JSCValue.cpp:
3800         (jsc_value_object_define_property_accessor):
3801         (jscValueFunctionCreate):
3802         * builtins/BuiltinUtils.h:
3803         * bytecode/CodeBlock.cpp:
3804         (JSC::CodeBlock::nameForRegister):
3805         * bytecompiler/BytecodeGenerator.cpp:
3806         (JSC::BytecodeGenerator::emitEnumeration):
3807         (JSC::BytecodeGenerator::emitIteratorNext):
3808         (JSC::BytecodeGenerator::emitIteratorClose):
3809         (JSC::BytecodeGenerator::emitDelegateYield):
3810         * bytecompiler/NodesCodegen.cpp:
3811         (JSC::FunctionCallValueNode::emitBytecode):
3812         (JSC::PostfixNode::emitBytecode):
3813         (JSC::PrefixNode::emitBytecode):
3814         (JSC::AssignErrorNode::emitBytecode):
3815         (JSC::ForInNode::emitBytecode):
3816         (JSC::ForOfNode::emitBytecode):
3817         (JSC::ClassExprNode::emitBytecode):
3818         (JSC::ObjectPatternNode::bindValue const):
3819         * dfg/DFGDriver.cpp:
3820         (JSC::DFG::compileImpl):
3821         * dfg/DFGOperations.cpp:
3822         (JSC::DFG::newTypedArrayWithSize):
3823         * dfg/DFGStrengthReductionPhase.cpp:
3824         (JSC::DFG::StrengthReductionPhase::handleNode):
3825         * inspector/ConsoleMessage.cpp:
3826         (Inspector::ConsoleMessage::addToFrontend):
3827         (Inspector::ConsoleMessage::clear):
3828         * inspector/ContentSearchUtilities.cpp:
3829         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
3830         * inspector/InjectedScript.cpp:
3831         (Inspector::InjectedScript::InjectedScript):
3832         (Inspector::InjectedScript::evaluate):
3833         (Inspector::InjectedScript::callFunctionOn):
3834         (Inspector::InjectedScript::evaluateOnCallFrame):
3835         (Inspector::InjectedScript::getFunctionDetails):
3836         (Inspector::InjectedScript::functionDetails):
3837         (Inspector::InjectedScript::getPreview):
3838         (Inspector::InjectedScript::getProperties):
3839         (Inspector::InjectedScript::getDisplayableProperties):
3840         (Inspector::InjectedScript::getInternalProperties):
3841         (Inspector::InjectedScript::getCollectionEntries):
3842         (Inspector::InjectedScript::saveResult):
3843         (Inspector::InjectedScript::wrapCallFrames const):
3844         (Inspector::InjectedScript::wrapObject const):
3845         (Inspector::InjectedScript::wrapJSONString const):
3846         (Inspector::InjectedScript::wrapTable const):
3847         (Inspector::InjectedScript::previewValue const):
3848         (Inspector::InjectedScript::setExceptionValue):
3849         (Inspector::InjectedScript::clearExceptionValue):
3850         (Inspector::InjectedScript::findObjectById const):
3851         (Inspector::InjectedScript::inspectObject):
3852         (Inspector::InjectedScript::releaseObject):
3853         (Inspector::InjectedScript::releaseObjectGroup):
3854         * inspector/InjectedScriptBase.cpp:
3855         (Inspector::InjectedScriptBase::makeEvalCall):
3856         * inspector/InjectedScriptManager.cpp:
3857         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3858         * inspector/InjectedScriptModule.cpp:
3859         (Inspector::InjectedScriptModule::ensureInjected):
3860         * inspector/InspectorBackendDispatcher.cpp:
3861         (Inspector::BackendDispatcher::dispatch):
3862         (Inspector::BackendDispatcher::sendResponse):
3863         (Inspector::BackendDispatcher::sendPendingErrors):
3864         * inspector/JSGlobalObjectConsoleClient.cpp:
3865         (Inspector::JSGlobalObjectConsoleClient::profile):
3866         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
3867         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3868         * inspector/JSGlobalObjectInspectorController.cpp:
3869         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3870         * inspector/JSInjectedScriptHost.cpp:
3871         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3872         (Inspector::JSInjectedScriptHost::subtype):
3873         (Inspector::JSInjectedScriptHost::getInternalProperties):
3874         * inspector/JSJavaScriptCallFrame.cpp:
3875         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3876         (Inspector::JSJavaScriptCallFrame::type const):
3877         * inspector/ScriptArguments.cpp:
3878         (Inspector::ScriptArguments::getFirstArgumentAsString):