[JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
        https://bugs.webkit.org/show_bug.cgi?id=187709

        Reviewed by Mark Lam.

        UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):

2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make SourceParseMode small
        https://bugs.webkit.org/show_bug.cgi?id=187705

        Reviewed by Mark Lam.

        Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
        Originally, this was done to make SourceParseModeSet faster because it is critical in our parser.
        But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
        within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.

        * parser/ParserModes.h:
        (JSC::SourceParseModeSet::SourceParseModeSet):
        (JSC::SourceParseModeSet::contains):
        (JSC::SourceParseModeSet::mergeSourceParseModes):

2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=187585

        Reviewed by Darin Adler.

        This patch fixes Generator and AsyncGenerator's prototype issues.

        1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
        We fix this by changing JSFunction::prototypeForConstruction.

        2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
        to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
        to fix `prototype` issues for AsyncGeneratorMethod.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
        (JSC::BytecodeGenerator::emitNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::getAsynFunctionBodyParseMode):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        * parser/ParserModes.h:
        (JSC::isAsyncGeneratorParseMode):
        (JSC::isAsyncGeneratorWrapperParseMode):
        (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
        * runtime/FunctionExecutable.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::prototypeForConstruction):
        (JSC::JSFunction::getOwnPropertySlot):

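The behaviour the entry above restores, as an added JavaScript check that is not part of the ChangeLog or of JSC's own code: a spec-style model of which prototype a new generator or async generator object receives (including the `generator.prototype = null` and async generator method cases), compared against the engine running the script.

```javascript
// Added example (not from the ChangeLog or from JSC): models the prototype a
// generator or async generator object receives on creation, following the
// spec's GetPrototypeFromConstructor step, and compares it with the engine.
// ctor.prototype is used when it is an object; when it has been replaced by a
// non-object such as null, the realm's intrinsic default is used instead
// (%GeneratorPrototype% or %AsyncGeneratorPrototype%).
const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;

function isObject(value) {
  return (typeof value === "object" && value !== null) || typeof value === "function";
}

// Reference model: the prototype a freshly created instance should have.
function expectedPrototype(ctor, intrinsicDefault) {
  return isObject(ctor.prototype) ? ctor.prototype : intrinsicDefault;
}

// Constructed cases, including the two the entry names:
// `generator.prototype = null` and an async generator *method*.
function buildCases() {
  const cases = [];

  const plain = function* () {};
  cases.push({ name: "generator, default prototype", ctor: plain, intrinsic: GeneratorPrototype });

  const nulled = function* () {};
  nulled.prototype = null;
  cases.push({ name: "generator, prototype = null", ctor: nulled, intrinsic: GeneratorPrototype });

  const custom = function* () {};
  custom.prototype = Object.create(GeneratorPrototype);
  cases.push({ name: "generator, custom prototype", ctor: custom, intrinsic: GeneratorPrototype });

  const holder = { async *m() {} };
  cases.push({ name: "async generator method, default prototype", ctor: holder.m, intrinsic: AsyncGeneratorPrototype });

  const nulledHolder = { async *m() {} };
  nulledHolder.m.prototype = null;   // the prototype property of a generator method is writable
  cases.push({ name: "async generator method, prototype = null", ctor: nulledHolder.m, intrinsic: AsyncGeneratorPrototype });

  return cases;
}

// Runs every case; returns the names of the cases where the engine disagrees
// with the model (an empty array means the engine matches the spec here).
function findMismatches() {
  const mismatches = [];
  for (const { name, ctor, intrinsic } of buildCases()) {
    const instance = ctor();   // calling a (async) generator function creates the object
    if (Object.getPrototypeOf(instance) !== expectedPrototype(ctor, intrinsic)) mismatches.push(name);
  }
  return mismatches;
}

// Model self-check, independent of the engine: a null prototype must fall back.
function modelFallsBackOnNull() {
  const g = function* () {};
  g.prototype = null;
  return expectedPrototype(g, GeneratorPrototype) === GeneratorPrototype;
}

if (typeof require !== "undefined" && require.main === module) {
  const bad = findMismatches();
  console.log(bad.length === 0 ? "all cases match the spec" : "mismatches: " + bad.join("; "));
}
```
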
2018-07-16  Mark Lam  <mark.lam@apple.com>

        jsc shell's noFTL utility test function should be more robust.
        https://bugs.webkit.org/show_bug.cgi?id=187704
        <rdar://problem/42231988>

        Reviewed by Michael Saboff and Keith Miller.

        * jsc.cpp:
        (functionNoFTL):
        - only setNeverFTLOptimize() if the function is actually a JS function.

2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to evaluate code using a given object to store global symbols
        https://bugs.webkit.org/show_bug.cgi?id=187639

        Reviewed by Michael Catanzaro.

        Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
        evaluated script are added as properties to the new object instead of to the context global object. This is
        similar to JS::Evaluate in SpiderMonkey when a scopeChain parameter is passed, but JSC doesn't support using a
        scope for assignments, so we have to create a new context and get its global object. This patch also updates
        jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
        jsc_context_evaluate_in_object().

        * API/glib/JSCContext.cpp:
        (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
        (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
        (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
        (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
        scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [32bit JSC tests]  stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
        https://bugs.webkit.org/show_bug.cgi?id=187561

        Reviewed by Darin Adler.

        This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
        We clean up 32bit put_by_val code.

        1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
        aligns 32bit implementation to 64bit implementation.

        2. We add CoW array checking, which is done in 64bit implementation.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):

2018-07-12  Mark Lam  <mark.lam@apple.com>

        Need to handle CodeBlock::replacement() being null.
        https://bugs.webkit.org/show_bug.cgi?id=187569
        <rdar://problem/41468692>

        Reviewed by Saam Barati.

        CodeBlock::replacement() may return a nullptr.  Some of our code already checks
        for this while others do not.  We should add null checks in all the places that
        need it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::numberOfDFGCompiles):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * jit/JITOperations.cpp:

2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Thread VM& to JSCell::methodTable(VM&)
        https://bugs.webkit.org/show_bug.cgi?id=187548

        Reviewed by Saam Barati.

        This patch threads VM& to methodTable(VM&) and removes methodTable().
        We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::className):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::estimatedSize):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::estimatedSize):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::className):
        * debugger/DebuggerScope.h:
        * heap/Heap.cpp:
        (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
        (JSC::GatherHeapSnapshotData::operator() const):
        (JSC::Heap::gatherExtraHeapSnapshotData):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/ClassInfo.h:
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::estimatedSize):
        * runtime/DirectArguments.h:
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
        * runtime/HashMapImpl.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::estimatedSize):
        * runtime/JSArrayBuffer.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::estimatedSize):
        * runtime/JSBigInt.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump const):
        (JSC::JSCell::estimatedSizeInBytes const):
        (JSC::JSCell::estimatedSize):
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        * runtime/JSObject.cpp:
        (JSC::JSObject::estimatedSize):
        (JSC::JSObject::className):
        (JSC::JSObject::toStringName):
        (JSC::JSObject::calculatedClassName):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::className):
        * runtime/JSProxy.h:
        * runtime/JSString.cpp:
        (JSC::JSString::estimatedSize):
        * runtime/JSString.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::estimatedSize):
        * runtime/RegExp.h:
        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
        * runtime/WeakMapImpl.h:

2018-07-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r233714.
        https://bugs.webkit.org/show_bug.cgi?id=187579

        it made tests time out (Requested by pizlo on #webkit).

        Reverted changeset:

        "Change the reoptimization backoff base to 1.3 from 2"
        https://bugs.webkit.org/show_bug.cgi?id=187540
        https://trac.webkit.org/changeset/233714

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to allow creating variadic functions
        https://bugs.webkit.org/show_bug.cgi?id=187517

        Reviewed by Michael Catanzaro.

        Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
        jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.

        * API/glib/JSCCallbackFunction.cpp:
        (JSC::JSCCallbackFunction::create): Make the parameters optional.
        (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
        (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
        JSCValue for the arguments.
        (JSC::JSCCallbackFunction::construct): Ditto.
        * API/glib/JSCCallbackFunction.h:
        * API/glib/JSCClass.cpp:
        (jscClassCreateConstructor): Make the parameters optional.
        (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
        (jscClassAddMethod): Make the parameters optional.
        (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
        * API/glib/JSCClass.h:
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_accessor): Update now that parameters are optional.
        (jscValueFunctionCreate): Make the parameters optional.
        (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add jsc_context_get_global_object() to GLib API
        https://bugs.webkit.org/show_bug.cgi?id=187515

        Reviewed by Michael Catanzaro.

        This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
        object. However, getting the global object could be useful in some cases, for example to give it a well known
        name like 'window' in browsers and GJS.

        * API/glib/JSCContext.cpp:
        (jsc_context_get_global_object):
        * API/glib/JSCContext.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Handle G_TYPE_STRV in glib API
        https://bugs.webkit.org/show_bug.cgi?id=187512

        Reviewed by Michael Catanzaro.

        Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.

        * API/glib/JSCContext.cpp:
        (jscContextGValueToJSValue):
        (jscContextJSValueToGValue):
        * API/glib/JSCValue.cpp:
        (jsc_value_new_array_from_strv):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Iterator of Array.keys() returns object in wrong order
        https://bugs.webkit.org/show_bug.cgi?id=185197

        Reviewed by Keith Miller.

        * builtins/ArrayIteratorPrototype.js:
        (globalPrivate.arrayIteratorValueNext):
        (globalPrivate.arrayIteratorKeyNext):
        (globalPrivate.arrayIteratorKeyValueNext):
        * builtins/AsyncFromSyncIteratorPrototype.js:
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorResolve):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        * builtins/MapIteratorPrototype.js:
        (globalPrivate.mapIteratorNext):
        * builtins/SetIteratorPrototype.js:
        (globalPrivate.setIteratorNext):
        * builtins/StringIteratorPrototype.js:
        (next):
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        (JSC::createIteratorResultObject):

2018-07-10  Mark Lam  <mark.lam@apple.com>

        constructArray() should always allocate the requested length.
        https://bugs.webkit.org/show_bug.cgi?id=187543
        <rdar://problem/41947884>

        Reviewed by Saam Barati.

        Currently, it does not when we're having a bad time.  We fix this by switching
        back to using tryCreateUninitializedRestricted() exclusively in constructArray().
        If we detect that a structure transition is possible before we can initialize
        the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
        We will introduce JSArray::eagerlyInitializeButterfly() to handle this.

        Also enhanced the DisallowScope and ObjectInitializationScope to support this
        eager initialization when needed.

        * dfg/DFGOperations.cpp:
        - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
          the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
          it clearer that we encountered an OutOfMemory condition instead of failing in FTL
          generated code, which will appear as a generic null pointer dereference.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        - the code here clearly wants to check for an allocation failure.  Switched to
          using JSArray::tryCreate() instead of JSArray::create().

        * runtime/DisallowScope.h:
        (JSC::DisallowScope::disable):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::eagerlyInitializeButterfly):
        (JSC::constructArray):
        * runtime/JSArray.h:
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::notifyInitialized):
        * runtime/ObjectInitializationScope.h:
        (JSC::ObjectInitializationScope::notifyInitialized):

2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove getTypedArrayImpl
        https://bugs.webkit.org/show_bug.cgi?id=187338

        Reviewed by Mark Lam.

        getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
        is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
        This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.

        * runtime/ClassInfo.h:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::data const): Deleted.
        (JSC::GenericTypedArrayView::set): Deleted.
        (JSC::GenericTypedArrayView::setRange): Deleted.
        (JSC::GenericTypedArrayView::zeroRange): Deleted.
        (JSC::GenericTypedArrayView::zeroFill): Deleted.
        (JSC::GenericTypedArrayView::length const): Deleted.
        (JSC::GenericTypedArrayView::item const): Deleted.
        (JSC::GenericTypedArrayView::set const): Deleted.
        (JSC::GenericTypedArrayView::setNative const): Deleted.
        (JSC::GenericTypedArrayView::getRange): Deleted.
        (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
        (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::possiblySharedImpl):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
        * runtime/JSCell.cpp:
        (JSC::JSCell::getTypedArrayImpl): Deleted.
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getTypedArrayImpl): Deleted.
        * runtime/JSDataView.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.

2018-07-10  Keith Miller  <keith_miller@apple.com>

        hasOwnProperty returns true for out of bounds property index on TypedArray
        https://bugs.webkit.org/show_bug.cgi?id=187520

        Reviewed by Saam Barati.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):

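The expected semantics behind the hasOwnProperty entry above, as an added JavaScript check that is not part of the ChangeLog or of JSC's own code: a model of the spec's integer-indexed lookup (CanonicalNumericIndexString plus the valid-integer-index test), compared against the engine running the script for in-bounds and out-of-bounds keys.

```javascript
// Added example (not from the ChangeLog or from JSC): a reference model of how a
// TypedArray answers hasOwnProperty for numeric-looking keys, compared with the
// engine it runs in. Per the spec, a key that is a CanonicalNumericIndexString is
// an own property only when it is a valid integer index: an integral number, not
// -0, and within 0 <= index < length. Out-of-bounds indexes must report false.
function canonicalNumericIndex(key) {
  if (key === "-0") return -0;
  const n = Number(key);
  return String(n) === key ? n : undefined;   // "1e0" is not canonical, "1" is
}

function isValidIntegerIndex(index, length) {
  if (!Number.isInteger(index)) return false;   // rejects NaN, Infinity and fractions
  if (Object.is(index, -0)) return false;
  return index >= 0 && index < length;
}

// Returns true/false for numeric-looking keys; null when the key falls through to
// ordinary property lookup, which this model does not cover.
function expectedHasOwn(key, length) {
  const index = canonicalNumericIndex(String(key));
  if (index === undefined) return null;
  return isValidIntegerIndex(index, length);
}

// Constructed keys: in-bounds, out-of-bounds, negative, -0, fractional,
// non-finite and non-canonical spellings, plus an ordinary key.
const SAMPLE_KEYS = ["0", "3", 3, "4", 4, "100", "-1", "-0", "1.5", "Infinity", "NaN", "1e0", "length"];

// Compares the model with the engine for a Uint8Array of the given length.
// Returns the keys on which they disagree (empty array: engine matches the spec).
function findMismatches(length = 4) {
  const ta = new Uint8Array(length);
  const mismatches = [];
  for (const key of SAMPLE_KEYS) {
    const expected = expectedHasOwn(key, length);
    if (expected === null) continue;   // ordinary lookup, not modeled here
    if (Object.prototype.hasOwnProperty.call(ta, key) !== expected) mismatches.push(String(key));
  }
  return mismatches;
}

if (typeof require !== "undefined" && require.main === module) {
  const bad = findMismatches();
  console.log(bad.length === 0 ? "engine matches the spec model" : "mismatches on keys: " + bad.join(", "));
}
```
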
2018-07-10  Michael Saboff  <msaboff@apple.com>

        DFG JIT: compileMathIC produces incorrect machine code
        https://bugs.webkit.org/show_bug.cgi?id=187537

        Reviewed by Saam Barati.

        Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
        fall back to the fast path generator which handles such cases.

        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateInline):

2018-07-10  Filip Pizlo  <fpizlo@apple.com>

        Change the reoptimization backoff base to 1.3 from 2
        https://bugs.webkit.org/show_bug.cgi?id=187540

        Reviewed by Saam Barati.

        I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.

        I also have data that hints that a backoff base of 1 might be even better, but I think that
        we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter const):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::adjustedCounterValue):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2018-07-10  Mark Lam  <mark.lam@apple.com>

        [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
        https://bugs.webkit.org/show_bug.cgi?id=187362
        <rdar://problem/42027210>

        Reviewed by Saam Barati.

        On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
        value to use for initializing unused properties.  Updated an assertion to account
        for this.

        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):

2018-07-10  Michael Saboff  <msaboff@apple.com>

        YARR: . doesn't match non-BMP Unicode characters in some cases
        https://bugs.webkit.org/show_bug.cgi?id=187248

        Reviewed by Geoffrey Garen.

        The safety check in optimizeAlternative() for moving character classes that only consist of BMP
        characters did not take into account that the character class is inverted.  In this case, we
        represent '.' as "not a newline" using the newline character class with an inverted check.
        Clearly that includes non-BMP characters.

        The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
        inverted use of that character class.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::optimizeAlternative):

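The matching rule the YARR entry above relies on, as an added JavaScript check that is not part of the ChangeLog or of JSC's own code: `.` is modeled as the inverted line-terminator class over code units (no `u` flag) or code points (`u` flag), and the model is compared against the engine running the script on BMP, non-BMP and line-terminator inputs.

```javascript
// Added example (not from the ChangeLog or from JSC): a reference model of what
// `.` may match, compared with the engine it runs in. Without the `s` flag, `.`
// is the inverted LineTerminator class (everything except \n, \r, U+2028 and
// U+2029). Without the `u` flag the regexp walks UTF-16 code units, so a non-BMP
// character such as U+1F600 is two elements; with `u` it is one code point, and
// the inverted class must still admit it.
const LINE_TERMINATORS = new Set(["\n", "\r", "\u2028", "\u2029"]);

// Splits the input into the elements the regexp would see for the given flags.
function elements(text, flags) {
  return flags.includes("u") ? Array.from(text) : text.split("");
}

// Model of /^.$/ with the given flags: exactly one element, and it is not a
// line terminator unless dotAll (`s`) is set.
function modelSingleDot(text, flags) {
  const elems = elements(text, flags);
  if (elems.length !== 1) return false;
  return flags.includes("s") || !LINE_TERMINATORS.has(elems[0]);
}

function engineSingleDot(text, flags) {
  return new RegExp("^.$", flags).test(text);
}

// Constructed inputs: ASCII, each line terminator, a non-BMP character, a lone
// surrogate, a two-character string and the empty string.
const SAMPLE_INPUTS = ["a", "\n", "\r", "\u2028", "\u2029", "\u{1F600}", "\uD83D", "ab", ""];
const FLAG_SETS = ["", "u", "s", "us"];

// Returns the (flags, input) pairs on which the engine disagrees with the model
// (empty array: the engine matches the spec on these inputs).
function findMismatches() {
  const mismatches = [];
  for (const flags of FLAG_SETS) {
    for (const text of SAMPLE_INPUTS) {
      if (engineSingleDot(text, flags) !== modelSingleDot(text, flags)) {
        mismatches.push({ flags, text: JSON.stringify(text) });
      }
    }
  }
  return mismatches;
}

if (typeof require !== "undefined" && require.main === module) {
  const bad = findMismatches();
  console.log(bad.length === 0 ? "engine matches the model" : "mismatches: " + JSON.stringify(bad));
}
```
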
477 2018-07-09  Mark Lam  <mark.lam@apple.com>
478
479         Add --traceLLIntExecution and --traceLLIntSlowPath options.
480         https://bugs.webkit.org/show_bug.cgi?id=187479
481
482         Reviewed by Yusuke Suzuki and Saam Barati.
483
484         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
485
486         The details:
487         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
488         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
489            This makes it such that enabling LLINT_TRACING doesn't means that we'll
490            continually spammed with logging until we rebuild.
491         3. Fixed slow path LLINT tracing to work with exception check validation.
492
493         * llint/LLIntCommon.h:
494         * llint/LLIntExceptions.cpp:
495         (JSC::LLInt::returnToThrow):
496         (JSC::LLInt::callToThrow):
497         * llint/LLIntOfflineAsmConfig.h:
498         * llint/LLIntSlowPaths.cpp:
499         (JSC::LLInt::slowPathLog):
500         (JSC::LLInt::slowPathLn):
501         (JSC::LLInt::slowPathLogF):
502         (JSC::LLInt::slowPathLogLn):
503         (JSC::LLInt::llint_trace_operand):
504         (JSC::LLInt::llint_trace_value):
505         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
506         (JSC::LLInt::traceFunctionPrologue):
507         (JSC::LLInt::handleHostCall):
508         (JSC::LLInt::setUpCall):
509         * llint/LLIntSlowPaths.h:
510         * llint/LowLevelInterpreter.asm:
511         * runtime/CommonSlowPathsExceptions.cpp:
512         (JSC::CommonSlowPaths::interpreterThrowInCaller):
513         * runtime/Options.cpp:
514         (JSC::Options::isAvailable):
515         * runtime/Options.h:
516
517 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
518
519         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
520         https://bugs.webkit.org/show_bug.cgi?id=187477
521
522         Reviewed by Mark Lam.
523
524         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
525         However, it is not necessary since JSCells can be reside in a constant buffer.
526         This patch embeds RegExp* to a constant buffer in UnlinkedCodeBlock and CodeBlock. And remove RegExp
527         vector from RareData.
528
529         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
530
531         * bytecode/BytecodeDumper.cpp:
532         (JSC::BytecodeDumper<Block>::dumpBytecode):
533         (JSC::BytecodeDumper<Block>::dumpBlock):
534         (JSC::regexpToSourceString): Deleted.
535         (JSC::regexpName): Deleted.
536         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
537         * bytecode/BytecodeDumper.h:
538         * bytecode/CodeBlock.h:
539         (JSC::CodeBlock::regexp const): Deleted.
540         (JSC::CodeBlock::numberOfRegExps const): Deleted.
541         * bytecode/UnlinkedCodeBlock.cpp:
542         (JSC::UnlinkedCodeBlock::visitChildren):
543         (JSC::UnlinkedCodeBlock::shrinkToFit):
544         * bytecode/UnlinkedCodeBlock.h:
545         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
546         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
547         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
548         * bytecompiler/BytecodeGenerator.cpp:
549         (JSC::BytecodeGenerator::emitNewRegExp):
550         (JSC::BytecodeGenerator::addRegExp): Deleted.
551         * bytecompiler/BytecodeGenerator.h:
552         * dfg/DFGByteCodeParser.cpp:
553         (JSC::DFG::ByteCodeParser::parseBlock):
554         * jit/JITOpcodes.cpp:
555         (JSC::JIT::emit_op_new_regexp):
556         * llint/LLIntSlowPaths.cpp:
557         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
558         * runtime/JSCJSValue.cpp:
559         (JSC::JSValue::dumpInContextAssumingStructure const):
560         * runtime/RegExp.cpp:
561         (JSC::regexpToSourceString):
562         (JSC::RegExp::dumpToStream):
563         * runtime/RegExp.h:
564
565 2018-07-09  Brian Burg  <bburg@apple.com>
566
567         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
568         https://bugs.webkit.org/show_bug.cgi?id=187350
569         <rdar://problem/41728249>
570
571         Reviewed by Matt Baker.
572
573         Add a new command that toggles whether or not to blackbox internal scripts.
574         If blackboxed, the scripts will not be shown to the frontend and the debugger will
575         not pause in source frames from blackboxed scripts. Sometimes we want to break into
576         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
577         that injects scripts.
578
579         * inspector/agents/InspectorDebuggerAgent.cpp:
580         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
581         (Inspector::InspectorDebuggerAgent::didParseSource):
582         * inspector/agents/InspectorDebuggerAgent.h:
583         * inspector/protocol/Debugger.json:
584
585 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
586
587         [JSC] Make some data members of UnlinkedCodeBlock private
588         https://bugs.webkit.org/show_bug.cgi?id=187467
589
590         Reviewed by Mark Lam.
591
592         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
593         We also remove m_numCapturedVars since it is no longer used.
594
595         * bytecode/CodeBlock.cpp:
596         (JSC::CodeBlock::CodeBlock):
597         * bytecode/CodeBlock.h:
598         * bytecode/UnlinkedCodeBlock.cpp:
599         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
600         * bytecode/UnlinkedCodeBlock.h:
601
602 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
603
604         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
605         https://bugs.webkit.org/show_bug.cgi?id=187465
606
607         Reviewed by Keith Miller.
608
609         ProxyableAccessCase is allocated so frequently and it is persisted so long. Reducing the size
610         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
611
612         This patch uses a bit complicated layout to reduce ProxyableAccessCase. We add unused bool member
613         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
614         of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
615         from 104 to 96 since it inherits ProxyableAccessCase.
616
617         * bytecode/AccessCase.h:
618         (JSC::AccessCase::viaProxy const):
619         (JSC::AccessCase::AccessCase):
620         * bytecode/ProxyableAccessCase.cpp:
621         (JSC::ProxyableAccessCase::ProxyableAccessCase):
622         * bytecode/ProxyableAccessCase.h:
623
624 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
625
626         Unreviewed, build fix for debug builds after r233630
627         https://bugs.webkit.org/show_bug.cgi?id=187441
628
629         * jit/JIT.cpp:
630         (JSC::JIT::frameRegisterCountFor):
631         * llint/LLIntEntrypoint.cpp:
632         (JSC::LLInt::frameRegisterCountFor):
633
634 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
635
636         [JSC] Optimize layout of CodeBlock to reduce padding
637         https://bugs.webkit.org/show_bug.cgi?id=187441
638
639         Reviewed by Mark Lam.
640
641         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
642         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
643         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
644
645         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
646
647         * bytecode/BytecodeDumper.cpp:
648         (JSC::BytecodeDumper<Block>::dumpBlock):
649         * bytecode/BytecodeUseDef.h:
650         (JSC::computeDefsForBytecodeOffset):
651         * bytecode/CodeBlock.cpp:
652         (JSC::CodeBlock::CodeBlock):
653         * bytecode/CodeBlock.h:
654         (JSC::CodeBlock::numVars const):
655         * bytecode/UnlinkedCodeBlock.h:
656         (JSC::UnlinkedCodeBlock::numVars const):
657         * dfg/DFGByteCodeParser.cpp:
658         (JSC::DFG::ByteCodeParser::ByteCodeParser):
659         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
660         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
661         (JSC::DFG::ByteCodeParser::inlineCall):
662         (JSC::DFG::ByteCodeParser::handleGetById):
663         (JSC::DFG::ByteCodeParser::handlePutById):
664         (JSC::DFG::ByteCodeParser::parseBlock):
665         * dfg/DFGGraph.h:
666         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
667         * dfg/DFGOSREntrypointCreationPhase.cpp:
668         (JSC::DFG::OSREntrypointCreationPhase::run):
669         * dfg/DFGVariableEventStream.cpp:
670         (JSC::DFG::VariableEventStream::reconstruct const):
671         * ftl/FTLOSREntry.cpp:
672         (JSC::FTL::prepareOSREntry):
673         * ftl/FTLState.cpp:
674         (JSC::FTL::State::State):
675         * interpreter/Interpreter.cpp:
676         (JSC::Interpreter::dumpRegisters):
677         * jit/JIT.cpp:
678         (JSC::JIT::frameRegisterCountFor):
679         * jit/JITOpcodes.cpp:
680         (JSC::JIT::emit_op_enter):
681         * jit/JITOpcodes32_64.cpp:
682         (JSC::JIT::emit_op_enter):
683         * jit/JITOperations.cpp:
684         * llint/LLIntEntrypoint.cpp:
685         (JSC::LLInt::frameRegisterCountFor):
686         * llint/LLIntSlowPaths.cpp:
687         (JSC::LLInt::traceFunctionPrologue):
688         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
689         * runtime/JSCJSValue.h:
690
691 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
692
693         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
694         https://bugs.webkit.org/show_bug.cgi?id=187448
695
696         Reviewed by Saam Barati.
697
698         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
699         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
700
701         * bytecode/CodeType.h:
702         * bytecode/UnlinkedCodeBlock.cpp:
703         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
704         * bytecode/UnlinkedCodeBlock.h:
705         (JSC::UnlinkedCodeBlock::codeType const):
706         (JSC::UnlinkedCodeBlock::didOptimize const):
707         (JSC::UnlinkedCodeBlock::setDidOptimize):
708         * bytecode/VirtualRegister.h:
709
710 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
711
712         [JSC] Optimize padding of InferredTypeTable by using cellLock
713         https://bugs.webkit.org/show_bug.cgi?id=187447
714
715         Reviewed by Mark Lam.
716
717         Use cellLock() in InferredTypeTable to guard changes of internal structures.
718         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
719         reduce the size of InferredTypeTable from 40 to 32.
720
721         * runtime/InferredTypeTable.cpp:
722         (JSC::InferredTypeTable::visitChildren):
723         (JSC::InferredTypeTable::get):
724         (JSC::InferredTypeTable::willStoreValue):
725         (JSC::InferredTypeTable::makeTop):
726         * runtime/InferredTypeTable.h:
727         Using enum class and using. And remove `isEmpty()` since it is not used.
728
729         * runtime/Structure.h:
730
731 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
732
733         [JSC] Optimize layout of SourceProvider to reduce padding
734         https://bugs.webkit.org/show_bug.cgi?id=187440
735
736         Reviewed by Mark Lam.
737
738         Arrange members of SourceProvider to reduce the size from 80 to 72.
739
740         * parser/SourceProvider.cpp:
741         (JSC::SourceProvider::SourceProvider):
742         * parser/SourceProvider.h:
743
744 2018-07-08  Mark Lam  <mark.lam@apple.com>
745
746         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
747         https://bugs.webkit.org/show_bug.cgi?id=187444
748         <rdar://problem/41282849>
749
750         Reviewed by Saam Barati.
751
752         PropertyTable supports C++ iteration by offering begin() and end() methods, and
753         an iterator class.  The begin() methods and the iterator operator++() method use
754         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
755         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
756         pointer from being incremented past the end of the table.  As a result, we can
757         iterate past the end of the table.  Note that the C++ iteration protocol tests
758         for the iterator not being equal to the end() value.  It does not do a <= test.
759         If the iterator ever shoots past end, the loop will effectively not terminate.
760
761         This issue can manifest if and only if the last entry in the table is a deleted
762         one, and the key field of the PropertyMapEntry shaped space at the end of the
763         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
764         value.
765
766         No test because manifesting this issue requires uncontrollable happenstance where
767         memory just beyond the end of the table looks like a deleted entry.
768
769         * runtime/PropertyMapHashTable.h:
770         (JSC::PropertyTable::begin):
771         (JSC::PropertyTable::end):
772         (JSC::PropertyTable::begin const):
773         (JSC::PropertyTable::end const):
774         (JSC::PropertyTable::skipDeletedEntries):
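
        Added example (not JSC's own PropertyTable code) contrasting an unguarded skipDeletedEntries()
        with one bounded by end(); the entry layout, the deleted-key marker value and the "memory beyond
        the table" slots are constructed here to reproduce the happenstance the entry describes.

```cpp
#include <cstddef>
#include <vector>

// Constructed stand-in for PropertyMapEntry: only the key matters for skipping. JSC marks a
// deleted slot by storing PROPERTY_MAP_DELETED_ENTRY_KEY (the value 1) in the key field.
struct Entry { const void* key; };
static const void* const deletedKey = reinterpret_cast<const void*>(1);
static const char keyA = 'a', keyB = 'b', keyBeyond = 'z'; // opaque key identities

// Pre-patch shape: nothing stops the pointer once it reaches `end`, so a trailing deleted
// entry followed by deleted-looking memory walks straight past the table.
Entry* skipDeletedEntriesUnguarded(Entry* p)
{
    while (p->key == deletedKey)
        ++p;
    return p;
}

// Post-patch shape: bounded by `end`, so an iterator compared with `!= end()` always terminates.
Entry* skipDeletedEntries(Entry* p, Entry* end)
{
    while (p != end && p->key == deletedKey)
        ++p;
    return p;
}

// Constructed table of 4 slots [a, deleted, b, deleted]. Two extra slots model the memory
// just beyond the table: one whose key happens to equal the deleted marker (the happenstance
// the entry describes) and one live sentinel so the unguarded walk stays inside the vector.
struct DemoTable {
    std::vector<Entry> storage;
    size_t size;
    DemoTable()
        : storage({ { &keyA }, { deletedKey }, { &keyB }, { deletedKey }, { deletedKey }, { &keyBeyond } })
        , size(4)
    {
    }
    Entry* end() { return storage.data() + size; }
    Entry* begin() { return skipDeletedEntries(storage.data(), end()); }
};

// Iterates the way the fixed begin()/operator++ do and counts live entries; returns 2.
size_t countLiveEntries()
{
    DemoTable table;
    size_t count = 0;
    for (Entry* it = table.begin(); it != table.end(); it = skipDeletedEntries(it + 1, table.end()))
        ++count;
    return count;
}

// Reproduces the bug: from the last (deleted) entry, the unguarded skip lands past end()
// (returns 1 here). The guarded version stops exactly at end(), so the difference is 0.
ptrdiff_t overshootPastEnd(bool guarded)
{
    DemoTable table;
    Entry* last = table.end() - 1;
    Entry* result = guarded ? skipDeletedEntries(last, table.end()) : skipDeletedEntriesUnguarded(last);
    return result - table.end();
}
```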
775
776 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
777
778         [JSC] Optimize layout of SymbolTable to reduce padding
779         https://bugs.webkit.org/show_bug.cgi?id=187437
780
781         Reviewed by Mark Lam.
782
783         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
784
785         * runtime/SymbolTable.h:
786
787 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
788
789         [JSC] Optimize layout of RegExp to reduce padding
790         https://bugs.webkit.org/show_bug.cgi?id=187438
791
792         Reviewed by Mark Lam.
793
794         Reduce the size of RegExp from 168 to 144.
795
796         * runtime/RegExp.cpp:
797         (JSC::RegExp::RegExp):
798         * runtime/RegExp.h:
799         * runtime/RegExpKey.h:
800         * yarr/YarrErrorCode.h:
801
802 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
803
804         [JSC] Optimize layout of ValueProfile to reduce padding
805         https://bugs.webkit.org/show_bug.cgi?id=187439
806
807         Reviewed by Mark Lam.
808
809         Reduce the size of ValueProfile from 40 to 32 by reordering members.
810
811         * bytecode/ValueProfile.h:
812         (JSC::ValueProfileBase::ValueProfileBase):
813
814 2018-07-05  Saam Barati  <sbarati@apple.com>
815
816         ProgramExecutable may be collected as we checkSyntax on it
817         https://bugs.webkit.org/show_bug.cgi?id=187359
818         <rdar://problem/41832135>
819
820         Reviewed by Mark Lam.
821
822         The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as
823         the ProgramExecutable itself may be collected. The fix here is to make a copy
824         of the field instead of passing in a reference inside of ParserError::toErrorObject.
825
826         No new tests here as this was already caught by our iOS JSC testers.
827
828         * parser/ParserError.h:
829         (JSC::ParserError::toErrorObject):
830
831 2018-07-04  Tim Horton  <timothy_horton@apple.com>
832
833         Introduce PLATFORM(IOSMAC)
834         https://bugs.webkit.org/show_bug.cgi?id=187315
835
836         Reviewed by Dan Bernstein.
837
838         * Configurations/Base.xcconfig:
839         * Configurations/FeatureDefines.xcconfig:
840
841 2018-07-03  Mark Lam  <mark.lam@apple.com>
842
843         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
844         https://bugs.webkit.org/show_bug.cgi?id=187255
845         <rdar://problem/41785257>
846
847         Reviewed by Saam Barati.
848
849         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
850         too: basically, do what the 64-bit code is doing.  At present, this change only
851         serves to pacify an assertion.  It is not needed for correctness because the
852         concurrent GC is not used on 32-bit builds.
853
854         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
855         test.
856
857         * jit/JITOpcodes32_64.cpp:
858         (JSC::JIT::emit_op_create_this):
859
860 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
861
862         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
863         https://bugs.webkit.org/show_bug.cgi?id=187290
864
865         Reviewed by Saam Barati.
866
867         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
868         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
869         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
870         easily calculated from JSType.
871         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
872
873         * runtime/ClassInfo.h:
874         * runtime/JSArrayBufferView.cpp:
875         (JSC::elementSize):
876         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
877         * runtime/JSArrayBufferView.h:
878         * runtime/JSArrayBufferViewInlines.h:
879         (JSC::JSArrayBufferView::possiblySharedBuffer):
880         * runtime/JSCell.cpp:
881         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
882         * runtime/JSCell.h:
883         * runtime/JSDataView.cpp:
884         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
885         * runtime/JSDataView.h:
886         * runtime/JSGenericTypedArrayView.h:
887         * runtime/JSGenericTypedArrayViewInlines.h:
888         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
889
890 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
891
892         Regular expressions with ".?" expressions at the start and the end match the entire string
893         https://bugs.webkit.org/show_bug.cgi?id=119191
894
895         Reviewed by Michael Saboff.
896
897         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
898         for "abc" first and then processing the leading and trailing dot stars
899         to find the beginning and the end of the match. However, it erroneously
900         enabled this optimization for regular expressions whose leading or
901         trailing dots had quantifiers that were not of arbitrary length, e.g.,
902         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
903         match the entire string when it shouldn't. This patch disables the
904         optimization for those cases.
905
906         * yarr/YarrPattern.cpp:
907         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
908
909 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
910
911         RegExp.exec returns wrong value with a long integer quantifier
912         https://bugs.webkit.org/show_bug.cgi?id=187042
913
914         Reviewed by Saam Barati.
915
916         Prior to this patch, the Yarr parser checked for integer overflow when
917         parsing quantifiers in regular expressions by adding one digit at a time
918         to a number and checking if the result got larger. This is wrong;
919         the parser would fail to detect overflow when parsing, for example,
920         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
921
922         Another issue was that once it detected overflow, it stopped consuming
923         the remaining digits. Since it didn't find the closing bracket, it
924         parsed the quantifier as a normal string instead.
925
926         This patch fixes these issues by reading all the digits and checking for
927         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
928         returns the largest possible value (quantifyInfinite in this case). This
929         matches Chrome [1], Firefox [2], and Edge [3].
930
931         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
932         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
933         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
934
935         * yarr/YarrParser.h:
936         (JSC::Yarr::Parser::consumeNumber):
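
        Added example (not the Yarr parser's own consumeNumber) putting the pre-patch digit-by-digit
        overflow check beside an exact, saturating one; quantifyInfinite is assumed to be UINT_MAX as
        in YarrPattern.h, the manual range test stands in for Checked<unsigned, RecordOverflow>, and the
        "{n}" recogniser is constructed here to show why an early stop loses the closing brace.

```cpp
#include <climits>
#include <cstddef>
#include <string>

// Assumed to mirror Yarr's sentinel for an unbounded quantifier (UINT_MAX in YarrPattern.h).
constexpr unsigned quantifyInfinite = UINT_MAX;

struct ParsedNumber {
    unsigned value;   // parsed value; quantifyInfinite once an overflow has been seen
    size_t consumed;  // how many characters were consumed starting at `pos`
    bool overflowed;
};

// Pre-patch scheme, as the entry describes it: append one digit at a time and call it an
// overflow only if the wrapped result is smaller than before. It also stops at the first
// "detected" overflow, leaving the remaining digits (and the closing brace) unconsumed.
ParsedNumber consumeNumberNaive(const std::string& s, size_t pos)
{
    unsigned value = 0;
    size_t i = pos;
    while (i < s.size() && s[i] >= '0' && s[i] <= '9') {
        unsigned digit = static_cast<unsigned>(s[i] - '0');
        unsigned next = value * 10 + digit; // wraps modulo 2^32: 1000000000*10 + 3 == 1410065411
        if (next < value)
            return { quantifyInfinite, i - pos, true };
        value = next;
        ++i;
    }
    return { value, i - pos, false };
}

// Post-patch scheme: an exact per-digit overflow test, every digit consumed, and
// saturation to quantifyInfinite once overflow has occurred.
ParsedNumber consumeNumberChecked(const std::string& s, size_t pos)
{
    unsigned value = 0;
    bool overflowed = false;
    size_t i = pos;
    while (i < s.size() && s[i] >= '0' && s[i] <= '9') {
        unsigned digit = static_cast<unsigned>(s[i] - '0');
        // value * 10 + digit fits in 32 bits iff value <= (UINT_MAX - digit) / 10.
        if (!overflowed && value > (UINT_MAX - digit) / 10)
            overflowed = true;
        if (!overflowed)
            value = value * 10 + digit;
        ++i; // keep consuming so the caller still finds the closing brace
    }
    return { overflowed ? quantifyInfinite : value, i - pos, overflowed };
}

struct QuantifierBound {
    bool ok;        // true only if "{<digits>}" was fully recognised
    unsigned value;
};

// Minimal "{n}" recogniser (constructed for this example), parameterised on the number
// reader so both schemes can be compared on the same input.
template <typename Reader>
QuantifierBound parseBracedQuantifier(const std::string& s, Reader reader)
{
    if (s.empty() || s[0] != '{')
        return { false, 0 };
    ParsedNumber n = reader(s, 1);
    size_t close = 1 + n.consumed;
    if (!n.consumed || close >= s.size() || s[close] != '}')
        return { false, 0 }; // the pre-patch parser then fell back to treating the text as a literal
    return { true, n.value };
}
```

On "10000000003" the naive reader returns 1410065411 with no overflow reported, while the checked reader reports overflow and returns quantifyInfinite; on "{100000000000}" the naive reader stops early and never reaches the brace.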
937
938 2018-07-02  Keith Miller  <keith_miller@apple.com>
939
940         InstanceOf IC should do generic if the prototype is not an object.
941         https://bugs.webkit.org/show_bug.cgi?id=187250
942
943         Reviewed by Mark Lam.
944
945         The old code was wrong for two reasons. First, the AccessCase expected that
946         the prototype value would be non-null. Second, we would end up returning
947         false instead of throwing an exception.
948
949         * jit/Repatch.cpp:
950         (JSC::tryCacheInstanceOf):
951
952 2018-07-01  Mark Lam  <mark.lam@apple.com>
953
954         Builtins and host functions should get their own structures.
955         https://bugs.webkit.org/show_bug.cgi?id=187211
956         <rdar://problem/41646336>
957
958         Reviewed by Saam Barati.
959
960         JSFunctions do lazy reification of properties, but ordinary functions apply
961         different rules of property reification than builtin and host functions.  Hence,
962         we should give builtins and host functions their own structures.
963
964         * runtime/JSFunction.cpp:
965         (JSC::JSFunction::selectStructureForNewFuncExp):
966         (JSC::JSFunction::create):
967         (JSC::JSFunction::getOwnPropertySlot):
968         * runtime/JSGlobalObject.cpp:
969         (JSC::JSGlobalObject::init):
970         (JSC::JSGlobalObject::visitChildren):
971         * runtime/JSGlobalObject.h:
972         (JSC::JSGlobalObject::hostFunctionStructure const):
973         (JSC::JSGlobalObject::arrowFunctionStructure const):
974         (JSC::JSGlobalObject::sloppyFunctionStructure const):
975         (JSC::JSGlobalObject::strictFunctionStructure const):
976
977 2018-07-01  David Kilzer  <ddkilzer@apple.com>
978
979         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
980         <https://webkit.org/b/187233>
981
982         Reviewed by Mark Lam.
983
984         * b3/air/AirEliminateDeadCode.cpp:
985         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
986         * parser/ParserTokens.h:
987         (JSC::JSTextPosition::JSTextPosition): Add struct member
988         initialization. Simplify default constructor.
989         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
990         union to the beginning to make it easy to zero out all fields.
991         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
992         initialization.  Simplify default constructor.  Note that
993         `endOffset` was not being initialized previously.
994         (JSC::JSTextPosition::JSToken): Add struct member initialization
995         where necessary.
996         * runtime/IntlObject.cpp:
997         (JSC::MatcherResult): Add struct member initialization.
998
999 2018-06-23  Darin Adler  <darin@apple.com>
1000
1001         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
1002         https://bugs.webkit.org/show_bug.cgi?id=186973
1003
1004         Reviewed by Dan Bernstein.
1005
1006         * API/JSContext.mm:
1007         (WeakContextRef::WeakContextRef): Deleted.
1008         (WeakContextRef::~WeakContextRef): Deleted.
1009         (WeakContextRef::get): Deleted.
1010         (WeakContextRef::set): Deleted.
1011
1012         * API/JSContextInternal.h: Removed unneeded header guards since this is
1013         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
1014         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
1015         since neither is used outside the class implementation.
1016
1017         * API/JSManagedValue.mm:
1018         (-[JSManagedValue initWithValue:]): Use a bridging cast.
1019         (-[JSManagedValue dealloc]): Ditto.
1020         (-[JSManagedValue didAddOwner:]): Ditto.
1021         (-[JSManagedValue didRemoveOwner:]): Ditto.
1022         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
1023         (JSManagedValueHandleOwner::finalize): Ditto.
1024         * API/JSValue.mm:
1025         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
1026         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
1027         (-[JSValue valueForProperty:]): Ditto.
1028         (-[JSValue setValue:forProperty:]): Ditto.
1029         (-[JSValue deleteProperty:]): Ditto.
1030         (-[JSValue hasProperty:]): Ditto.
1031         (-[JSValue invokeMethod:withArguments:]): Ditto.
1032         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
1033         (valueToArray): Ditto.
1034         (valueToDictionary): Ditto.
1035         (objectToValueWithoutCopy): Ditto.
1036         (objectToValue): Ditto.
1037         * API/JSVirtualMachine.mm:
1038         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
1039         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
1040         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
1041         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
1042         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
1043         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
1044         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
1045         (scanExternalObjectGraph): Ditto.
1046         (scanExternalRememberedSet): Ditto.
1047         * API/JSWrapperMap.mm:
1048         (makeWrapper): Ditto.
1049         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
1050         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
1051         (tryUnwrapObjcObject): Ditto.
1052         * API/ObjCCallbackFunction.mm:
1053         (blockSignatureContainsClass): Ditto.
1054         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
1055         sure we will be keeping this the same way under ARC.
1056         (objCCallbackFunctionForBlock): Use a bridging cast.
1057
1058         * API/ObjcRuntimeExtras.h:
1059         (protocolImplementsProtocol): Use a more specific type that includes the
1060         explicit __unsafe_unretained for copied protocol lists.
1061         (forEachProtocolImplementingProtocol): Ditto.
1062
1063         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1064         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
1065         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
1066
1067         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
1068         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
1069         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
1070         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
1071         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
1072
1073 2018-06-30  Adam Barth  <abarth@webkit.org>
1074
1075         Port JavaScriptCore to OS(FUCHSIA)
1076         https://bugs.webkit.org/show_bug.cgi?id=187223
1077
1078         Reviewed by Daniel Bates.
1079
1080         * assembler/ARM64Assembler.h:
1081         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
1082         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
1083         (JSC::MachineContext::stackPointerImpl):
1084         (JSC::MachineContext::framePointerImpl):
1085         (JSC::MachineContext::instructionPointerImpl):
1086         (JSC::MachineContext::argumentPointer<1>):
1087         (JSC::MachineContext::llintInstructionPointer):
1088
1089 2018-06-30  David Kilzer  <ddkilzer@apple.com>
1090
1091         Fix clang static analyzer warnings: Garbage return value
1092         <https://webkit.org/b/187224>
1093
1094         Reviewed by Eric Carlson.
1095
1096         * bytecode/UnlinkedCodeBlock.cpp:
1097         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
1098         - Use brace initialization for local variables.
1099         * debugger/DebuggerCallFrame.cpp:
1100         (class JSC::LineAndColumnFunctor):
1101         - Use class member initialization for member variables.
1102
1103 2018-06-29  Saam Barati  <sbarati@apple.com>
1104
1105         Unreviewed. Try to fix Windows build after r233377
1106
1107         * builtins/BuiltinExecutables.cpp:
1108         (JSC::BuiltinExecutables::createExecutable):
1109
1110 2018-06-29  Saam Barati  <sbarati@apple.com>
1111
1112         Don't use tracePoints in JS/Wasm entry
1113         https://bugs.webkit.org/show_bug.cgi?id=187196
1114
1115         Reviewed by Mark Lam.
1116
1117         This puts VM entry and Wasm entry tracePoints behind a runtime
1118         option. This is a ~4x speedup on a soon to be released Wasm
1119         benchmark. tracePoints should basically never run more than 50
1120         times a second. Entering the VM and entering Wasm are user controlled,
1121         and can happen hundreds of thousands of times in a second. Depending
1122         on how the Wasm/JS code is structured, this can be disastrous for
1123         performance.
1124
1125         * runtime/Options.h:
1126         * runtime/VMEntryScope.cpp:
1127         (JSC::VMEntryScope::VMEntryScope):
1128         (JSC::VMEntryScope::~VMEntryScope):
1129         * wasm/WasmBBQPlan.cpp:
1130         (JSC::Wasm::BBQPlan::compileFunctions):
1131         * wasm/js/WebAssemblyFunction.cpp:
1132         (JSC::callWebAssemblyFunction):
1133
1134 2018-06-29  Saam Barati  <sbarati@apple.com>
1135
1136         We shouldn't recurse into the parser when gathering metadata about various function offsets
1137         https://bugs.webkit.org/show_bug.cgi?id=184074
1138         <rdar://problem/37165897>
1139
1140         Reviewed by Mark Lam.
1141
1142         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
1143         for that builtin. This required calling into the parser. However, the parser
1144         may throw a stack overflow. We were not able to recover from that. The only
1145         reason we called into the parser here is that we were gathering text offsets
1146         and various metadata for things in the builtin function. This patch writes a
1147         mini parser that figures this information out without calling into the full
1148         parser. (I've also added a debug assert that verifies the mini parser stays in
1149         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
1150         always succeeds.
1151
1152         * builtins/AsyncFromSyncIteratorPrototype.js:
1153         (globalPrivate.createAsyncFromSyncIterator):
1154         (globalPrivate.AsyncFromSyncIteratorConstructor):
1155         * builtins/BuiltinExecutables.cpp:
1156         (JSC::BuiltinExecutables::createExecutable):
1157         * builtins/GlobalOperations.js:
1158         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
1159         (globalPrivate.speciesConstructor):
1160         (globalPrivate.copyDataProperties):
1161         (globalPrivate.copyDataPropertiesNoExclusions):
1162         * builtins/PromiseOperations.js:
1163         (globalPrivate.newHandledRejectedPromise):
1164         * builtins/RegExpPrototype.js:
1165         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
1166         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
1167         * builtins/StringPrototype.js:
1168         (globalPrivate.hasObservableSideEffectsForStringReplace):
1169         (globalPrivate.getDefaultCollator):
1170         * parser/Nodes.cpp:
1171         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1172         (JSC::FunctionMetadataNode::operator== const):
1173         (JSC::FunctionMetadataNode::dump const):
1174         * parser/Nodes.h:
1175         * parser/Parser.h:
1176         (JSC::parse):
1177         * parser/ParserError.h:
1178         (JSC::ParserError::type const):
1179         * parser/ParserTokens.h:
1180         (JSC::JSTextPosition::operator== const):
1181         (JSC::JSTextPosition::operator!= const):
1182         * parser/SourceCode.h:
1183         (JSC::SourceCode::operator== const):
1184         (JSC::SourceCode::operator!= const):
1185         (JSC::SourceCode::subExpression const):
1186         (JSC::SourceCode::subExpression): Deleted.
1187
1188 2018-06-28  Michael Saboff  <msaboff@apple.com>
1189
1190         IsoCellSet::sweepToFreeList() not safe when Full GC in process
1191         https://bugs.webkit.org/show_bug.cgi?id=187157
1192
1193         Reviewed by Mark Lam.
1194
1195         * heap/IsoCellSet.cpp:
1196         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
1197         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
1198         or not we are in the process of marking during a full GC.
1199         * heap/MarkedBlock.h:
1200         * heap/MarkedBlockInlines.h:
1201         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
1202
1203 2018-06-27  Saam Barati  <sbarati@apple.com>
1204
1205         Add some more register state information when we crash in repatchPutById
1206         https://bugs.webkit.org/show_bug.cgi?id=187112
1207
1208         Reviewed by Mark Lam.
1209
1210         This will help us gather info when we end up seeing an ObjectPropertyConditionSet
1211         with an offset that is different than what the put tells us.
1212
1213         * jit/Repatch.cpp:
1214         (JSC::tryCachePutByID):
1215
1216 2018-06-27  Mark Lam  <mark.lam@apple.com>
1217
1218         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
1219         https://bugs.webkit.org/show_bug.cgi?id=187119
1220
1221         Reviewed by Keith Miller.
1222
1223         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
1224         should be checking for codeBlock instead of !codeBlock
1225         before using the codeBlock.
1226
1227         I also renamed some other "print" functions to use "dump" instead
1228         to match their underlying C++ code that they will call e.g.
1229         CodeBlock::dumpSource().
1230
1231         * tools/JSDollarVM.cpp:
1232         (WTF::JSDollarVMCallFrame::finishCreation):
1233         (JSC::functionDumpSourceFor):
1234         (JSC::functionDumpBytecodeFor):
1235         (JSC::doPrint):
1236         (JSC::functionDataLog):
1237         (JSC::functionPrint):
1238         (JSC::functionDumpCallFrame):
1239         (JSC::functionDumpStack):
1240         (JSC::JSDollarVM::finishCreation):
1241         (JSC::functionPrintSourceFor): Deleted.
1242         (JSC::functionPrintBytecodeFor): Deleted.
1243         (JSC::doPrintln): Deleted.
1244         (JSC::functionPrintln): Deleted.
1245         (JSC::functionPrintCallFrame): Deleted.
1246         (JSC::functionPrintStack): Deleted.
1247         * tools/VMInspector.cpp:
1248         (JSC::DumpFrameFunctor::DumpFrameFunctor):
1249         (JSC::DumpFrameFunctor::operator() const):
1250         (JSC::VMInspector::dumpCallFrame):
1251         (JSC::VMInspector::dumpStack):
1252         (JSC::VMInspector::dumpValue):
1253         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
1254         (JSC::PrintFrameFunctor::operator() const): Deleted.
1255         (JSC::VMInspector::printCallFrame): Deleted.
1256         (JSC::VMInspector::printStack): Deleted.
1257         (JSC::VMInspector::printValue): Deleted.
1258         * tools/VMInspector.h:
1259
1260 2018-06-27  Keith Miller  <keith_miller@apple.com>
1261
1262         Add logging to try to diagnose where we get a null structure.
1263         https://bugs.webkit.org/show_bug.cgi?id=187106
1264
1265         Reviewed by Mark Lam.
1266
1267         Add logging to JSObject::toPrimitive to help diagnose a nullptr
1268         structure crash.
1269
1270         This code should be removed when we fix <rdar://problem/33451840>.
1271
1272         * runtime/JSObject.cpp:
1273         (JSC::callToPrimitiveFunction):
1274         * runtime/JSObject.h:
1275         (JSC::JSObject::getPropertySlot):
1276
1277 2018-06-27  Mark Lam  <mark.lam@apple.com>
1278
1279         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
1280         https://bugs.webkit.org/show_bug.cgi?id=187091
1281         <rdar://problem/41395624>
1282
1283         Reviewed by Yusuke Suzuki.
1284
1285         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
1286         take their slow paths, the slow path would jump back to the fast path right after
1287         the emitted code which clears the unused property values.  As a result, the
1288         unused properties are not initialized.  We've fixed this by adding the slow path
1289         generators before we emit the code to clear the unused properties.
1290
1291         * dfg/DFGSpeculativeJIT.cpp:
1292         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1293         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1294
1295 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1296
1297         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
1298         https://bugs.webkit.org/show_bug.cgi?id=185943
1299
1300         Reviewed by Mark Lam.
1301
1302         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
1303         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
1304         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
1305         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
1306
1307         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
1308         but it should be done in a separate patch since it would be performance sensitive.
1309
1310         * bytecompiler/NodesCodegen.cpp:
1311         (JSC::ArrayPatternNode::emitDirectBinding):
1312
1313 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1314
1315         [JSC] Pass VM& to functions more
1316         https://bugs.webkit.org/show_bug.cgi?id=186241
1317
1318         Reviewed by Mark Lam.
1319
1320         This patch threads VM& to functions requiring VM& more.
1321
1322         * API/JSObjectRef.cpp:
1323         (JSObjectIsConstructor):
1324         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
1325         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
1326         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
1327         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
1328         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
1329         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
1330         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
1331         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
1332         * bytecode/CodeBlockJettisoningWatchpoint.h:
1333         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1334         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
1335         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1336         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
1337         * bytecode/StructureStubClearingWatchpoint.cpp:
1338         (JSC::StructureStubClearingWatchpoint::fireInternal):
1339         * bytecode/StructureStubClearingWatchpoint.h:
1340         * bytecode/Watchpoint.cpp:
1341         (JSC::Watchpoint::fire):
1342         (JSC::WatchpointSet::fireAllWatchpoints):
1343         * bytecode/Watchpoint.h:
1344         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
1345         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
1346         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
1347         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
1348         (JSC::DFG::AdaptiveStructureWatchpoint::install):
1349         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
1350         * dfg/DFGAdaptiveStructureWatchpoint.h:
1351         * dfg/DFGDesiredWatchpoints.cpp:
1352         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
1353         * llint/LLIntSlowPaths.cpp:
1354         (JSC::LLInt::setupGetByIdPrototypeCache):
1355         * runtime/ArrayPrototype.cpp:
1356         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
1357         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
1358         * runtime/ECMAScriptSpecInternalFunctions.cpp:
1359         (JSC::esSpecIsConstructor):
1360         * runtime/FunctionRareData.cpp:
1361         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1362         * runtime/FunctionRareData.h:
1363         * runtime/InferredStructureWatchpoint.cpp:
1364         (JSC::InferredStructureWatchpoint::fireInternal):
1365         * runtime/InferredStructureWatchpoint.h:
1366         * runtime/InternalFunction.cpp:
1367         (JSC::InternalFunction::createSubclassStructureSlow):
1368         * runtime/InternalFunction.h:
1369         (JSC::InternalFunction::createSubclassStructure):
1370         * runtime/JSCJSValue.h:
1371         * runtime/JSCJSValueInlines.h:
1372         (JSC::JSValue::isConstructor const):
1373         * runtime/JSCell.h:
1374         * runtime/JSCellInlines.h:
1375         (JSC::JSCell::isConstructor):
1376         (JSC::JSCell::methodTable const):
1377         * runtime/JSGlobalObject.cpp:
1378         (JSC::JSGlobalObject::init):
1379         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
1380         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
1381         * runtime/ProxyObject.cpp:
1382         (JSC::ProxyObject::finishCreation):
1383         * runtime/ReflectObject.cpp:
1384         (JSC::reflectObjectConstruct):
1385         * runtime/StructureRareData.cpp:
1386         (JSC::StructureRareData::setObjectToStringValue):
1387         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
1388         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1389         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1390
1391 2018-06-26  Mark Lam  <mark.lam@apple.com>
1392
1393         eval() is wrong about the LiteralParser never throwing any exceptions.
1394         https://bugs.webkit.org/show_bug.cgi?id=187074
1395         <rdar://problem/41461099>
1396
1397         Reviewed by Saam Barati.
1398
1399         Added the missing exception check, and removed an erroneous assertion.
1400
1401         * interpreter/Interpreter.cpp:
1402         (JSC::eval):
1403
1404 2018-06-26  Saam Barati  <sbarati@apple.com>
1405
1406         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1407         https://bugs.webkit.org/show_bug.cgi?id=186878
1408         <rdar://problem/40568659>
1409
1410         Reviewed by Filip Pizlo.
1411
1412         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1413         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1414         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
1415         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
1416         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
1417         conservative scan knows to treat it like a butterfly when we may be
1418         pointing into the middle of it.
1419         
1420         The way we were crashing on the stress GC bots is that our conservative marking
1421         won't do cell visiting for things that are Auxiliary. This meant that if the
1422         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
1423         that JSImmutableButterfly would not be visited. This is now fixed.
1424
1425         * bytecompiler/NodesCodegen.cpp:
1426         (JSC::ArrayNode::emitBytecode):
1427         * debugger/Debugger.cpp:
1428         * heap/ConservativeRoots.cpp:
1429         (JSC::ConservativeRoots::genericAddPointer):
1430         * heap/Heap.cpp:
1431         (JSC::GatherHeapSnapshotData::operator() const):
1432         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
1433         (JSC::Heap::globalObjectCount):
1434         (JSC::Heap::objectTypeCounts):
1435         (JSC::Heap::deleteAllCodeBlocks):
1436         * heap/HeapCell.cpp:
1437         (WTF::printInternal):
1438         * heap/HeapCell.h:
1439         (JSC::isJSCellKind):
1440         (JSC::hasInteriorPointers):
1441         * heap/HeapUtil.h:
1442         (JSC::HeapUtil::findGCObjectPointersForMarking):
1443         (JSC::HeapUtil::isPointerGCObjectJSCell):
1444         * heap/MarkedBlock.cpp:
1445         (JSC::MarkedBlock::Handle::didAddToDirectory):
1446         * heap/SlotVisitor.cpp:
1447         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
1448         * runtime/JSGlobalObject.cpp:
1449         * runtime/JSImmutableButterfly.h:
1450         (JSC::JSImmutableButterfly::subspaceFor):
1451         * runtime/VM.cpp:
1452         (JSC::VM::VM):
1453         * runtime/VM.h:
1454         * tools/CellProfile.h:
1455         (JSC::CellProfile::CellProfile):
1456         (JSC::CellProfile::isJSCell const):
1457         * tools/HeapVerifier.cpp:
1458         (JSC::HeapVerifier::validateCell):
1459
1460 2018-06-26  Mark Lam  <mark.lam@apple.com>
1461
1462         Skip some unnecessary work in Interpreter::getStackTrace().
1463         https://bugs.webkit.org/show_bug.cgi?id=187070
1464
1465         Reviewed by Michael Saboff.
1466
1467         * interpreter/Interpreter.cpp:
1468         (JSC::Interpreter::getStackTrace):
1469
1470 2018-06-26  Mark Lam  <mark.lam@apple.com>
1471
1472         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
1473         https://bugs.webkit.org/show_bug.cgi?id=187060
1474         <rdar://problem/41452767>
1475
1476         Reviewed by Keith Miller.
1477
1478         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
1479         write conversion.  Hence, we can return early after the conversion if the vector
1480         length is already sufficient to cover the requested length.
1481
1482         * runtime/JSObject.cpp:
1483         (JSC::JSObject::ensureLengthSlow):
1484
1485 2018-06-26  Commit Queue  <commit-queue@webkit.org>
1486
1487         Unreviewed, rolling out r233184.
1488         https://bugs.webkit.org/show_bug.cgi?id=187059
1489
1490         "It regressed JetStream between 5-8%" (Requested by saamyjoon
1491         on #webkit).
1492
1493         Reverted changeset:
1494
1495         "JSImmutableButterfly can't be allocated from a subspace with
1496         HeapCell::Kind::Auxiliary"
1497         https://bugs.webkit.org/show_bug.cgi?id=186878
1498         https://trac.webkit.org/changeset/233184
1499
1500 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
1501
1502         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
1503         https://bugs.webkit.org/show_bug.cgi?id=187051
1504
1505         Reviewed by Mark Lam.
1506
1507         Revert the r233065 changes to UnlinkedCodeBlock.h so that clang-3.8
1508         (with libstdc++-5) can compile it again.
1509
1510         * bytecode/UnlinkedCodeBlock.h:
1511         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
1512
1513 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
1514
1515         Fix testapi build when DFG_JIT is disabled
1516         https://bugs.webkit.org/show_bug.cgi?id=187038
1517
1518         Reviewed by Mark Lam.
1519
1520         r233158 added a new API and tests for configuring the number of JIT threads, but
1521         the API is only available when DFG_JIT is enabled, and so should the tests be.
1522
1523         * API/tests/testapi.mm:
1524         (runJITThreadLimitTests):
1525
1526 2018-06-25  Saam Barati  <sbarati@apple.com>
1527
1528         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
1529         https://bugs.webkit.org/show_bug.cgi?id=186878
1530         <rdar://problem/40568659>
1531
1532         Reviewed by Mark Lam.
1533
1534         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
1535         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
1536         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
1537         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
1538         bots is that our conservative marking won't do cell marking for things that
1539         are Auxiliary. This means that if the stack is the only thing pointing to a
1540         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
1541         not be visited. This patch fixes this bug. This patch also extends our conservative
1542         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
1543
1544         * bytecompiler/NodesCodegen.cpp:
1545         (JSC::ArrayNode::emitBytecode):
1546         * heap/HeapUtil.h:
1547         (JSC::HeapUtil::findGCObjectPointersForMarking):
1548         * runtime/JSImmutableButterfly.h:
1549         (JSC::JSImmutableButterfly::subspaceFor):
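
        The two JSImmutableButterfly entries above (the landing rolled out as r233184 and its
        re-land) both turn on what the conservative root scan does with a stack word that points
        into the middle of a cell. The C++ below is an added illustration, not WebKit code: it
        models a heap of cells tagged with a HeapCell::Kind-style enum (the JSCellWithInteriorPointers
        kind follows the re-landed entry), and a conservative scan that honours an exact pointer for
        any JSCell kind, honours an interior pointer only for the interior-pointer kind, and skips
        cell visiting for Auxiliary, so the three kinds can be compared on the same stack snapshot.
        The MiniHeap and Cell types, the addresses and the sizes are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of HeapCell kinds. The names mirror the ChangeLog entries above;
// the layout, addresses and scan logic are illustrative, not JSC's implementation.
enum class CellKind { JSCell, JSCellWithInteriorPointers, Auxiliary };

struct Cell {
    uintptr_t start;  // address of the cell header (constructed, not a real allocation)
    size_t size;      // size of the cell in bytes
    CellKind kind;
    bool marked;
};

struct MiniHeap {
    std::vector<Cell> cells;

    // Decide which cell, if any, a conservatively found word should mark.
    // Auxiliary storage is not visited as a cell in this model: it is reached through its
    // owning object, so a stack word that only points at auxiliary storage keeps nothing alive.
    bool findCellForMarking(uintptr_t candidate, size_t& cellIndex) const {
        for (size_t i = 0; i < cells.size(); ++i) {
            const Cell& c = cells[i];
            if (c.kind == CellKind::Auxiliary)
                continue;
            bool exact = candidate == c.start;                                    // any JSCell kind
            bool interior = candidate > c.start && candidate < c.start + c.size;  // body of the cell
            if (exact || (interior && c.kind == CellKind::JSCellWithInteriorPointers)) {
                cellIndex = i;
                return true;
            }
        }
        return false;
    }

    // Conservative root scan over a snapshot of stack words; returns how many cells got marked.
    size_t conservativeScan(const std::vector<uintptr_t>& stackWords) {
        size_t newlyMarked = 0;
        for (uintptr_t word : stackWords) {
            size_t idx = 0;
            if (findCellForMarking(word, idx) && !cells[idx].marked) {
                cells[idx].marked = true;
                ++newlyMarked;
            }
        }
        return newlyMarked;
    }
};

// The scenario from the ChangeLog: the stack holds the only reference to a 64-byte cell,
// and that reference is `offset` bytes past the cell header. Returns whether the cell survives.
bool stackWordKeepsCellAlive(CellKind kind, size_t offset) {
    MiniHeap heap;
    heap.cells.push_back({0x1000, 64, kind, false});                        // constructed cell
    std::vector<uintptr_t> stack = {static_cast<uintptr_t>(0x1000 + offset)};  // the only pointer
    heap.conservativeScan(stack);
    return heap.cells[0].marked;
}

int main() {
    std::printf("Auxiliary, interior pointer:              %s\n",
                stackWordKeepsCellAlive(CellKind::Auxiliary, 16) ? "kept" : "lost");
    std::printf("JSCell, interior pointer:                 %s\n",
                stackWordKeepsCellAlive(CellKind::JSCell, 16) ? "kept" : "lost");
    std::printf("JSCellWithInteriorPointers, interior ptr: %s\n",
                stackWordKeepsCellAlive(CellKind::JSCellWithInteriorPointers, 16) ? "kept" : "lost");
    return 0;
}
```

        The first printed line is the pre-patch failure mode in miniature: with the cell tagged
        Auxiliary, the stack's interior pointer marks nothing and the cell would be collected.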
1550
1551 2018-06-25  Mark Lam  <mark.lam@apple.com>
1552
1553         constructArray() should set m_numValuesInVector to the specified length.
1554         https://bugs.webkit.org/show_bug.cgi?id=187010
1555         <rdar://problem/41392167>
1556
1557         Reviewed by Filip Pizlo.
1558
1559         Its client will fill in the storage vector with some values using initializeIndex()
1560         and expects m_numValuesInVector to be set to the length, i.e. the number of values
1561         to be initialized.
1562
1563         * runtime/JSArray.cpp:
1564         (JSC::constructArray):
1565
1566 2018-06-25  Mark Lam  <mark.lam@apple.com>
1567
1568         Add missing exception check in RegExpObjectInlines.h's collectMatches.
1569         https://bugs.webkit.org/show_bug.cgi?id=187006
1570         <rdar://problem/41418412>
1571
1572         Reviewed by Keith Miller.
1573
1574         * runtime/RegExpObjectInlines.h:
1575         (JSC::collectMatches):
1576
1577 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
1578
1579         Add API for configuring the number of threads used by DFG and FTL
1580         https://bugs.webkit.org/show_bug.cgi?id=186859
1581         <rdar://problem/41093519>
1582
1583         Reviewed by Filip Pizlo.
1584
1585         Add new private APIs for limiting the number of threads to be used by
1586         the DFG and FTL compilers. It was already possible to configure the
1587         limit through JSC Options, but now it can be changed at runtime, even
1588         in the case when the VM is already running.
1589
1590         Add a test for both cases: when trying to configure the limit before
1591         and after the Worklist has been created, but in order to simulate the
1592         first scenario, we must guarantee that the test runs at the very
1593         beginning, so I also added a check for that.
1594
1595         * API/JSVirtualMachine.mm:
1596         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
1597         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
1598         * API/JSVirtualMachinePrivate.h:
1599         * API/tests/testapi.mm:
1600         (runJITThreadLimitTests):
1601         (testObjectiveCAPIMain):
1602         * dfg/DFGWorklist.cpp:
1603         (JSC::DFG::Worklist::finishCreation):
1604         (JSC::DFG::Worklist::createNewThread):
1605         (JSC::DFG::Worklist::setNumberOfThreads):
1606         * dfg/DFGWorklist.h:
1607
1608 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
1609
1610         [JSC] Remove unnecessary PLATFORM guards
1611         https://bugs.webkit.org/show_bug.cgi?id=186995
1612
1613         Reviewed by Mark Lam.
1614
1615         * assembler/AssemblerCommon.h:
1616         (JSC::isIOS):
1617         Add constexpr.
1618
1619         * inspector/JSGlobalObjectInspectorController.cpp:
1620         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1621         StackFrame works on all platforms. If StackFrame::demangle fails,
1622         it just returns std::nullopt, and that case is correctly handled in this code.
1623
1624 2018-06-23  Mark Lam  <mark.lam@apple.com>
1625
1626         Add more debugging features to $vm.
1627         https://bugs.webkit.org/show_bug.cgi?id=186947
1628
1629         Reviewed by Keith Miller.
1630
1631         Adding the following features:
1632
1633             // We now have println in addition to print.
1634             // println automatically adds a '\n' at the end.
1635             $vm.println("Hello");
1636
1637             // We can now capture some info about a stack frame.
1638             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
1639             var callerCallerFrame = $vm.callFrame(2);
1640
1641             // We can inspect the following values associated with the frame:
1642             if (currentFrame.valid) {
1643                 $vm.println("name is ", currentFrame.name);
1644
1645                 // Note: For a WASM frame, all of these will be undefined.
1646                 $vm.println("callee is ", $vm.value(currentFrame.callee));
1647                 $vm.println("codeBlock is ", currentFrame.codeBlock);
1648                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
1649                 $vm.println("executable is ", currentFrame.executable);
1650             }
1651
1652             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
1653             // to dataLog its JSValue instead of its toString() result.
1654
1655             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
1656             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
1657             // toString on a non-object.
1658
1659             // Does what it says about enabling/disabling debugger mode.
1660             $vm.enableDebuggerModeWhenIdle();
1661             $vm.disableDebuggerModeWhenIdle();
1662
1663         * tools/JSDollarVM.cpp:
1664         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
1665         (WTF::JSDollarVMCallFrame::createStructure):
1666         (WTF::JSDollarVMCallFrame::create):
1667         (WTF::JSDollarVMCallFrame::finishCreation):
1668         (WTF::JSDollarVMCallFrame::addProperty):
1669         (JSC::functionCallFrame):
1670         (JSC::functionCodeBlockForFrame):
1671         (JSC::codeBlockFromArg):
1672         (JSC::doPrintln):
1673         (JSC::functionPrint):
1674         (JSC::functionPrintln):
1675         (JSC::changeDebuggerModeWhenIdle):
1676         (JSC::functionEnableDebuggerModeWhenIdle):
1677         (JSC::functionDisableDebuggerModeWhenIdle):
1678         (JSC::JSDollarVM::finishCreation):
1679
1680 2018-06-22  Keith Miller  <keith_miller@apple.com>
1681
1682         We need to have a getDirectConcurrently for use in the compilers
1683         https://bugs.webkit.org/show_bug.cgi?id=186954
1684
1685         Reviewed by Mark Lam.
1686
1687         It used to be that the propertyStorage of an object never shrank,
1688         so if you called getDirect with some offset it would never be an
1689         OOB read. However, this property storage can shrink when calling
1690         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
1691         holds the Structure's ConcurrentJSLock while shrinking. This patch
1692         adds a getDirectConcurrently that will safely try to load from the
1693         butterfly.
1694
1695         * bytecode/ObjectPropertyConditionSet.cpp:
1696         * bytecode/PropertyCondition.cpp:
1697         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1698         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
1699         * dfg/DFGGraph.cpp:
1700         (JSC::DFG::Graph::tryGetConstantProperty):
1701         * runtime/JSObject.h:
1702         (JSC::JSObject::getDirectConcurrently const):
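
        The getDirectConcurrently entry above describes a read that goes out of bounds when
        property storage shrinks underneath a compiler thread. The C++ below is an added
        illustration, not JSC's implementation: MiniObject, SpinLock and ReadResult are
        constructed stand-ins for the object, the Structure's ConcurrentJSLock and the load
        result, and shrinkTo plays the role of flattenDictionaryStructure. It puts the unchecked
        read beside the lock-and-revalidate read and runs the two situations the checked variant
        has to survive: an offset that was valid when captured but is stale by the time of the
        load, and a read attempted while the mutator holds the lock.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed stand-in for the Structure's ConcurrentJSLock: a try-lockable spin lock.
struct SpinLock {
    std::atomic<bool> held{false};
    bool tryLock() { return !held.exchange(true, std::memory_order_acquire); }
    void lock() { while (!tryLock()) { } }
    void unlock() { held.store(false, std::memory_order_release); }
};

struct ReadResult {
    bool ok;    // false: offset no longer valid, or the mutator holds the lock
    int value;  // meaningful only when ok is true
};

// Constructed model of an object whose out-of-line property storage can shrink.
struct MiniObject {
    std::vector<int> storage;   // plays the role of the butterfly's property slots
    SpinLock structureLock;     // plays the role of the Structure's ConcurrentJSLock

    // Mutator-side shrink, analogous to flattenDictionaryStructure: performed under the lock.
    void shrinkTo(size_t newSize) {
        structureLock.lock();
        if (newSize < storage.size())
            storage.resize(newSize);
        structureLock.unlock();
    }

    // The unchecked read. Fine on the mutator thread, where the offset came from the
    // current Structure; on a compiler thread the storage may have shrunk since then,
    // so this indexes past the end (undefined behaviour) for a stale offset.
    int getDirect(size_t offset) const { return storage[offset]; }

    // Compiler-side read: take the lock so the storage cannot shrink while we look,
    // and re-validate the offset against the current size before touching memory.
    ReadResult getDirectConcurrently(size_t offset) {
        if (!structureLock.tryLock())
            return {false, 0};              // mutator is mid-change; caller treats it as unknown
        ReadResult r{false, 0};
        if (offset < storage.size())
            r = {true, storage[offset]};
        structureLock.unlock();
        return r;
    }
};

// Scenario 1: a compiler thread captured offset 3 while storage had four slots, then the
// mutator flattened the dictionary down to two slots before the load happened.
bool concurrentReadRefusesStaleOffset() {
    MiniObject o;
    o.storage = {10, 20, 30, 40};
    ReadResult before = o.getDirectConcurrently(3);
    o.shrinkTo(2);
    ReadResult after = o.getDirectConcurrently(3);
    return before.ok && before.value == 40 && !after.ok;
}

// Scenario 2: the mutator holds the lock (a shrink is in progress); the concurrent read
// must back off instead of reading, and succeed again once the lock is released.
bool concurrentReadRefusesWhileLocked() {
    MiniObject o;
    o.storage = {1, 2};
    o.structureLock.lock();
    ReadResult duringShrink = o.getDirectConcurrently(0);
    o.structureLock.unlock();
    ReadResult afterShrink = o.getDirectConcurrently(0);
    return !duringShrink.ok && afterShrink.ok && afterShrink.value == 1;
}

int main() {
    std::printf("stale offset refused: %s\n", concurrentReadRefusesStaleOffset() ? "yes" : "no");
    std::printf("locked read refused:  %s\n", concurrentReadRefusesWhileLocked() ? "yes" : "no");
    return 0;
}
```

        The point of the try-lock rather than a blocking lock is the one the entry implies: a
        compiler thread may give up on a constant-folding opportunity, but it must never read
        storage the mutator is in the middle of resizing.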
1703
1704 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1705
1706         [WTF] Use Ref<> for the result type of non-failing factory functions
1707         https://bugs.webkit.org/show_bug.cgi?id=186920
1708
1709         Reviewed by Darin Adler.
1710
1711         * dfg/DFGWorklist.cpp:
1712         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
1713         (JSC::DFG::Worklist::finishCreation):
1714         * dfg/DFGWorklist.h:
1715         * heap/Heap.cpp:
1716         (JSC::Heap::Thread::Thread):
1717         * heap/Heap.h:
1718         * jit/JITWorklist.cpp:
1719         (JSC::JITWorklist::Thread::Thread):
1720         * jit/JITWorklist.h:
1721         * runtime/VMTraps.cpp:
1722         * runtime/VMTraps.h:
1723         * wasm/WasmWorklist.cpp:
1724         * wasm/WasmWorklist.h:
1725
1726 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1727
1728         [WTF] Add user-defined literal for ASCIILiteral
1729         https://bugs.webkit.org/show_bug.cgi?id=186839
1730
1731         Reviewed by Darin Adler.
1732
1733         * API/JSCallbackObjectFunctions.h:
1734         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
1735         (JSC::JSCallbackObject<Parent>::callbackGetter):
1736         * API/JSObjectRef.cpp:
1737         (JSObjectMakeFunctionWithCallback):
1738         * API/JSTypedArray.cpp:
1739         (JSObjectGetArrayBufferBytesPtr):
1740         * API/JSValue.mm:
1741         (valueToArray):
1742         (valueToDictionary):
1743         * API/ObjCCallbackFunction.mm:
1744         (JSC::objCCallbackFunctionCallAsFunction):
1745         (JSC::objCCallbackFunctionCallAsConstructor):
1746         (JSC::ObjCCallbackFunctionImpl::call):
1747         * API/glib/JSCCallbackFunction.cpp:
1748         (JSC::JSCCallbackFunction::call):
1749         (JSC::JSCCallbackFunction::construct):
1750         * API/glib/JSCContext.cpp:
1751         (jscContextJSValueToGValue):
1752         * API/glib/JSCValue.cpp:
1753         (jsc_value_object_define_property_accessor):
1754         (jscValueFunctionCreate):
1755         * builtins/BuiltinUtils.h:
1756         * bytecode/CodeBlock.cpp:
1757         (JSC::CodeBlock::nameForRegister):
1758         * bytecompiler/BytecodeGenerator.cpp:
1759         (JSC::BytecodeGenerator::emitEnumeration):
1760         (JSC::BytecodeGenerator::emitIteratorNext):
1761         (JSC::BytecodeGenerator::emitIteratorClose):
1762         (JSC::BytecodeGenerator::emitDelegateYield):
1763         * bytecompiler/NodesCodegen.cpp:
1764         (JSC::FunctionCallValueNode::emitBytecode):
1765         (JSC::PostfixNode::emitBytecode):
1766         (JSC::PrefixNode::emitBytecode):
1767         (JSC::AssignErrorNode::emitBytecode):
1768         (JSC::ForInNode::emitBytecode):
1769         (JSC::ForOfNode::emitBytecode):
1770         (JSC::ClassExprNode::emitBytecode):
1771         (JSC::ObjectPatternNode::bindValue const):
1772         * dfg/DFGDriver.cpp:
1773         (JSC::DFG::compileImpl):
1774         * dfg/DFGOperations.cpp:
1775         (JSC::DFG::newTypedArrayWithSize):
1776         * dfg/DFGStrengthReductionPhase.cpp:
1777         (JSC::DFG::StrengthReductionPhase::handleNode):
1778         * inspector/ConsoleMessage.cpp:
1779         (Inspector::ConsoleMessage::addToFrontend):
1780         (Inspector::ConsoleMessage::clear):
1781         * inspector/ContentSearchUtilities.cpp:
1782         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
1783         * inspector/InjectedScript.cpp:
1784         (Inspector::InjectedScript::InjectedScript):
1785         (Inspector::InjectedScript::evaluate):
1786         (Inspector::InjectedScript::callFunctionOn):
1787         (Inspector::InjectedScript::evaluateOnCallFrame):
1788         (Inspector::InjectedScript::getFunctionDetails):
1789         (Inspector::InjectedScript::functionDetails):
1790         (Inspector::InjectedScript::getPreview):
1791         (Inspector::InjectedScript::getProperties):
1792         (Inspector::InjectedScript::getDisplayableProperties):
1793         (Inspector::InjectedScript::getInternalProperties):
1794         (Inspector::InjectedScript::getCollectionEntries):
1795         (Inspector::InjectedScript::saveResult):
1796         (Inspector::InjectedScript::wrapCallFrames const):
1797         (Inspector::InjectedScript::wrapObject const):
1798         (Inspector::InjectedScript::wrapJSONString const):
1799         (Inspector::InjectedScript::wrapTable const):
1800         (Inspector::InjectedScript::previewValue const):
1801         (Inspector::InjectedScript::setExceptionValue):
1802         (Inspector::InjectedScript::clearExceptionValue):
1803         (Inspector::InjectedScript::findObjectById const):
1804         (Inspector::InjectedScript::inspectObject):
1805         (Inspector::InjectedScript::releaseObject):
1806         (Inspector::InjectedScript::releaseObjectGroup):
1807         * inspector/InjectedScriptBase.cpp:
1808         (Inspector::InjectedScriptBase::makeEvalCall):
1809         * inspector/InjectedScriptManager.cpp:
1810         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1811         * inspector/InjectedScriptModule.cpp:
1812         (Inspector::InjectedScriptModule::ensureInjected):
1813         * inspector/InspectorBackendDispatcher.cpp:
1814         (Inspector::BackendDispatcher::dispatch):
1815         (Inspector::BackendDispatcher::sendResponse):
1816         (Inspector::BackendDispatcher::sendPendingErrors):
1817         * inspector/JSGlobalObjectConsoleClient.cpp:
1818         (Inspector::JSGlobalObjectConsoleClient::profile):
1819         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
1820         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
1821         * inspector/JSGlobalObjectInspectorController.cpp:
1822         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
1823         * inspector/JSInjectedScriptHost.cpp:
1824         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
1825         (Inspector::JSInjectedScriptHost::subtype):
1826         (Inspector::JSInjectedScriptHost::getInternalProperties):
1827         * inspector/JSJavaScriptCallFrame.cpp:
1828         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
1829         (Inspector::JSJavaScriptCallFrame::type const):
1830         * inspector/ScriptArguments.cpp:
1831         (Inspector::ScriptArguments::getFirstArgumentAsString):
1832         * inspector/ScriptCallStackFactory.cpp:
1833         (Inspector::extractSourceInformationFromException):
1834         * inspector/agents/InspectorAgent.cpp:
1835         (Inspector::InspectorAgent::InspectorAgent):
1836         * inspector/agents/InspectorConsoleAgent.cpp:
1837         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
1838         (Inspector::InspectorConsoleAgent::clearMessages):
1839         (Inspector::InspectorConsoleAgent::count):
1840         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
1841         * inspector/agents/InspectorDebuggerAgent.cpp:
1842         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
1843         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
1844         (Inspector::buildObjectForBreakpointCookie):
1845         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1846         (Inspector::parseLocation):
1847         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1848         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1849         (Inspector::InspectorDebuggerAgent::continueToLocation):
1850         (Inspector::InspectorDebuggerAgent::searchInContent):
1851         (Inspector::InspectorDebuggerAgent::getScriptSource):
1852         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1853         (Inspector::InspectorDebuggerAgent::resume):
1854         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
1855         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1856         (Inspector::InspectorDebuggerAgent::didParseSource):
1857         (Inspector::InspectorDebuggerAgent::assertPaused):
1858         * inspector/agents/InspectorHeapAgent.cpp:
1859         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
1860         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
1861         (Inspector::InspectorHeapAgent::getPreview):
1862         (Inspector::InspectorHeapAgent::getRemoteObject):
1863         * inspector/agents/InspectorRuntimeAgent.cpp:
1864         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
1865         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1866         (Inspector::InspectorRuntimeAgent::getPreview):
1867         (Inspector::InspectorRuntimeAgent::getProperties):
1868         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1869         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1870         (Inspector::InspectorRuntimeAgent::saveResult):
1871         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1872         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
1873         * inspector/agents/InspectorScriptProfilerAgent.cpp:
1874         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
1875         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1876         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
1877         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
1878         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
1879         * inspector/scripts/codegen/cpp_generator_templates.py:
1880         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1881         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
1882         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1883         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1884         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1885         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1886         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1887         (CppProtocolTypesImplementationGenerator):
1888         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1889         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1890         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
1891         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1892         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1893         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1894         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
1895         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
1896         * inspector/scripts/codegen/objc_generator_templates.py:
1897         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1898         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1899         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1900         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1901         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1902         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1903         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1904         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1905         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1906         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1907         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1908         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1909         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1910         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1911         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1912         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1913         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1914         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1915         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1916         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1917         * interpreter/CallFrame.cpp:
1918         (JSC::CallFrame::friendlyFunctionName):
1919         * interpreter/Interpreter.cpp:
1920         (JSC::Interpreter::execute):
1921         * interpreter/StackVisitor.cpp:
1922         (JSC::StackVisitor::Frame::functionName const):
1923         (JSC::StackVisitor::Frame::sourceURL const):
1924         * jit/JIT.cpp:
1925         (JSC::JIT::doMainThreadPreparationBeforeCompile):
1926         * jit/JITOperations.cpp:
1927         * jsc.cpp:
1928         (resolvePath):
1929         (GlobalObject::moduleLoaderImportModule):
1930         (GlobalObject::moduleLoaderResolve):
1931         (functionDescribeArray):
1932         (functionRun):
1933         (functionLoad):
1934         (functionCheckSyntax):
1935         (functionDollarEvalScript):
1936         (functionDollarAgentStart):
1937         (functionDollarAgentReceiveBroadcast):
1938         (functionDollarAgentBroadcast):
1939         (functionTransferArrayBuffer):
1940         (functionLoadModule):
1941         (functionSamplingProfilerStackTraces):
1942         (functionAsyncTestStart):
1943         (functionWebAssemblyMemoryMode):
1944         (runWithOptions):
1945         * parser/Lexer.cpp:
1946         (JSC::Lexer<T>::invalidCharacterMessage const):
1947         (JSC::Lexer<T>::parseString):
1948         (JSC::Lexer<T>::parseComplexEscape):
1949         (JSC::Lexer<T>::parseStringSlowCase):
1950         (JSC::Lexer<T>::parseTemplateLiteral):
1951         (JSC::Lexer<T>::lex):
1952         * parser/Parser.cpp:
1953         (JSC::Parser<LexerType>::parseInner):
1954         * parser/Parser.h:
1955         (JSC::Parser::setErrorMessage):
1956         * runtime/AbstractModuleRecord.cpp:
1957         (JSC::AbstractModuleRecord::finishCreation):
1958         * runtime/ArrayBuffer.cpp:
1959         (JSC::errorMesasgeForTransfer):
1960         * runtime/ArrayBufferSharingMode.h:
1961         (JSC::arrayBufferSharingModeName):
1962         * runtime/ArrayConstructor.cpp:
1963         (JSC::constructArrayWithSizeQuirk):
1964         (JSC::isArraySlowInline):
1965         * runtime/ArrayPrototype.cpp:
1966         (JSC::setLength):
1967         (JSC::shift):
1968         (JSC::unshift):
1969         (JSC::arrayProtoFuncPop):
1970         (JSC::arrayProtoFuncReverse):
1971         (JSC::arrayProtoFuncUnShift):
1972         * runtime/AtomicsObject.cpp:
1973         (JSC::atomicsFuncWait):
1974         (JSC::atomicsFuncWake):
1975         * runtime/BigIntConstructor.cpp:
1976         (JSC::BigIntConstructor::finishCreation):
1977         (JSC::toBigInt):
1978         (JSC::callBigIntConstructor):
1979         * runtime/BigIntObject.cpp:
1980         (JSC::BigIntObject::toStringName):
1981         * runtime/BigIntPrototype.cpp:
1982         (JSC::bigIntProtoFuncToString):
1983         (JSC::bigIntProtoFuncValueOf):
1984         * runtime/CommonSlowPaths.cpp:
1985         (JSC::SLOW_PATH_DECL):
1986         * runtime/ConsoleClient.cpp:
1987         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1988         * runtime/ConsoleObject.cpp:
1989         (JSC::valueOrDefaultLabelString):
1990         (JSC::consoleProtoFuncTime):
1991         (JSC::consoleProtoFuncTimeEnd):
1992         * runtime/DatePrototype.cpp:
1993         (JSC::formatLocaleDate):
1994         (JSC::formateDateInstance):
1995         (JSC::DatePrototype::finishCreation):
1996         (JSC::dateProtoFuncToISOString):
1997         (JSC::dateProtoFuncToJSON):
1998         * runtime/Error.cpp:
1999         (JSC::createNotEnoughArgumentsError):
2000         (JSC::throwSyntaxError):
2001         (JSC::createTypeError):
2002         (JSC::createOutOfMemoryError):
2003         * runtime/Error.h:
2004         (JSC::throwVMError):
2005         * runtime/ErrorConstructor.cpp:
2006         (JSC::ErrorConstructor::finishCreation):
2007         * runtime/ErrorInstance.cpp:
2008         (JSC::ErrorInstance::sanitizedToString):
2009         * runtime/ErrorPrototype.cpp:
2010         (JSC::ErrorPrototype::finishCreation):
2011         (JSC::errorProtoFuncToString):
2012         * runtime/ExceptionFuzz.cpp:
2013         (JSC::doExceptionFuzzing):
2014         * runtime/ExceptionHelpers.cpp:
2015         (JSC::TerminatedExecutionError::defaultValue):
2016         (JSC::createStackOverflowError):
2017         (JSC::createNotAConstructorError):
2018         (JSC::createNotAFunctionError):
2019         (JSC::createNotAnObjectError):
2020         * runtime/GetterSetter.cpp:
2021         (JSC::callSetter):
2022         * runtime/IntlCollator.cpp:
2023         (JSC::sortLocaleData):
2024         (JSC::searchLocaleData):
2025         (JSC::IntlCollator::initializeCollator):
2026         (JSC::IntlCollator::compareStrings):
2027         (JSC::IntlCollator::usageString):
2028         (JSC::IntlCollator::sensitivityString):
2029         (JSC::IntlCollator::caseFirstString):
2030         (JSC::IntlCollator::resolvedOptions):
2031         * runtime/IntlCollator.h:
2032         * runtime/IntlCollatorConstructor.cpp:
2033         (JSC::IntlCollatorConstructor::finishCreation):
2034         * runtime/IntlCollatorPrototype.cpp:
2035         (JSC::IntlCollatorPrototypeGetterCompare):
2036         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2037         * runtime/IntlDateTimeFormat.cpp:
2038         (JSC::defaultTimeZone):
2039         (JSC::canonicalizeTimeZoneName):
2040         (JSC::IntlDTFInternal::localeData):
2041         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
2042         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2043         (JSC::IntlDateTimeFormat::weekdayString):
2044         (JSC::IntlDateTimeFormat::eraString):
2045         (JSC::IntlDateTimeFormat::yearString):
2046         (JSC::IntlDateTimeFormat::monthString):
2047         (JSC::IntlDateTimeFormat::dayString):
2048         (JSC::IntlDateTimeFormat::hourString):
2049         (JSC::IntlDateTimeFormat::minuteString):
2050         (JSC::IntlDateTimeFormat::secondString):
2051         (JSC::IntlDateTimeFormat::timeZoneNameString):
2052         (JSC::IntlDateTimeFormat::resolvedOptions):
2053         (JSC::IntlDateTimeFormat::format):
2054         (JSC::IntlDateTimeFormat::partTypeString):
2055         (JSC::IntlDateTimeFormat::formatToParts):
2056         * runtime/IntlDateTimeFormat.h:
2057         * runtime/IntlDateTimeFormatConstructor.cpp:
2058         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2059         * runtime/IntlDateTimeFormatPrototype.cpp:
2060         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2061         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
2062         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2063         * runtime/IntlNumberFormat.cpp:
2064         (JSC::IntlNumberFormat::initializeNumberFormat):
2065         (JSC::IntlNumberFormat::formatNumber):
2066         (JSC::IntlNumberFormat::styleString):
2067         (JSC::IntlNumberFormat::currencyDisplayString):
2068         (JSC::IntlNumberFormat::resolvedOptions):
2069         (JSC::IntlNumberFormat::partTypeString):
2070         (JSC::IntlNumberFormat::formatToParts):
2071         * runtime/IntlNumberFormat.h:
2072         * runtime/IntlNumberFormatConstructor.cpp:
2073         (JSC::IntlNumberFormatConstructor::finishCreation):
2074         * runtime/IntlNumberFormatPrototype.cpp:
2075         (JSC::IntlNumberFormatPrototypeGetterFormat):
2076         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
2077         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2078         * runtime/IntlObject.cpp:
2079         (JSC::grandfatheredLangTag):
2080         (JSC::canonicalizeLocaleList):
2081         (JSC::resolveLocale):
2082         (JSC::supportedLocales):
2083         * runtime/IntlPluralRules.cpp:
2084         (JSC::IntlPluralRules::initializePluralRules):
2085         (JSC::IntlPluralRules::resolvedOptions):
2086         (JSC::IntlPluralRules::select):
2087         * runtime/IntlPluralRulesConstructor.cpp:
2088         (JSC::IntlPluralRulesConstructor::finishCreation):
2089         * runtime/IntlPluralRulesPrototype.cpp:
2090         (JSC::IntlPluralRulesPrototypeFuncSelect):
2091         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
2092         * runtime/IteratorOperations.cpp:
2093         (JSC::iteratorNext):
2094         (JSC::iteratorClose):
2095         (JSC::hasIteratorMethod):
2096         (JSC::iteratorMethod):
2097         * runtime/JSArray.cpp:
2098         (JSC::JSArray::tryCreateUninitializedRestricted):
2099         (JSC::JSArray::defineOwnProperty):
2100         (JSC::JSArray::put):
2101         (JSC::JSArray::setLengthWithArrayStorage):
2102         (JSC::JSArray::appendMemcpy):
2103         (JSC::JSArray::pop):
2104         * runtime/JSArray.h:
2105         * runtime/JSArrayBufferConstructor.cpp:
2106         (JSC::JSArrayBufferConstructor::finishCreation):
2107         * runtime/JSArrayBufferPrototype.cpp:
2108         (JSC::arrayBufferProtoFuncSlice):
2109         (JSC::arrayBufferProtoGetterFuncByteLength):
2110         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
2111         * runtime/JSArrayBufferView.cpp:
2112         (JSC::JSArrayBufferView::toStringName):
2113         * runtime/JSArrayInlines.h:
2114         (JSC::JSArray::pushInline):
2115         * runtime/JSBigInt.cpp:
2116         (JSC::JSBigInt::divide):
2117         (JSC::JSBigInt::remainder):
2118         (JSC::JSBigInt::toNumber const):
2119         * runtime/JSCJSValue.cpp:
2120         (JSC::JSValue::putToPrimitive):
2121         (JSC::JSValue::putToPrimitiveByIndex):
2122         (JSC::JSValue::toStringSlowCase const):
2123         * runtime/JSCJSValueInlines.h:
2124         (JSC::toPreferredPrimitiveType):
2125         * runtime/JSDataView.cpp:
2126         (JSC::JSDataView::create):
2127         (JSC::JSDataView::put):
2128         (JSC::JSDataView::defineOwnProperty):
2129         * runtime/JSDataViewPrototype.cpp:
2130         (JSC::getData):
2131         (JSC::setData):
2132         * runtime/JSFunction.cpp:
2133         (JSC::JSFunction::callerGetter):
2134         (JSC::JSFunction::put):
2135         (JSC::JSFunction::defineOwnProperty):
2136         * runtime/JSGenericTypedArrayView.h:
2137         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2138         (JSC::constructGenericTypedArrayViewWithArguments):
2139         (JSC::constructGenericTypedArrayView):
2140         * runtime/JSGenericTypedArrayViewInlines.h:
2141         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
2142         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2143         (JSC::speciesConstruct):
2144         (JSC::genericTypedArrayViewProtoFuncSet):
2145         (JSC::genericTypedArrayViewProtoFuncIndexOf):
2146         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
2147         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2148         * runtime/JSGlobalObject.cpp:
2149         (JSC::JSGlobalObject::init):
2150         * runtime/JSGlobalObjectDebuggable.cpp:
2151         (JSC::JSGlobalObjectDebuggable::name const):
2152         * runtime/JSGlobalObjectFunctions.cpp:
2153         (JSC::encode):
2154         (JSC::decode):
2155         (JSC::globalFuncProtoSetter):
2156         * runtime/JSGlobalObjectFunctions.h:
2157         * runtime/JSMap.cpp:
2158         (JSC::JSMap::toStringName):
2159         * runtime/JSModuleEnvironment.cpp:
2160         (JSC::JSModuleEnvironment::put):
2161         * runtime/JSModuleNamespaceObject.cpp:
2162         (JSC::JSModuleNamespaceObject::put):
2163         (JSC::JSModuleNamespaceObject::putByIndex):
2164         (JSC::JSModuleNamespaceObject::defineOwnProperty):
2165         * runtime/JSONObject.cpp:
2166         (JSC::Stringifier::appendStringifiedValue):
2167         (JSC::JSONProtoFuncParse):
2168         (JSC::JSONProtoFuncStringify):
2169         * runtime/JSObject.cpp:
2170         (JSC::getClassPropertyNames):
2171         (JSC::JSObject::calculatedClassName):
2172         (JSC::ordinarySetSlow):
2173         (JSC::JSObject::putInlineSlow):
2174         (JSC::JSObject::setPrototypeWithCycleCheck):
2175         (JSC::callToPrimitiveFunction):
2176         (JSC::JSObject::ordinaryToPrimitive const):
2177         (JSC::JSObject::defaultHasInstance):
2178         (JSC::JSObject::defineOwnIndexedProperty):
2179         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
2180         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
2181         (JSC::validateAndApplyPropertyDescriptor):
2182         * runtime/JSObject.h:
2183         * runtime/JSObjectInlines.h:
2184         (JSC::JSObject::putInlineForJSObject):
2185         * runtime/JSPromiseConstructor.cpp:
2186         (JSC::JSPromiseConstructor::finishCreation):
2187         * runtime/JSSet.cpp:
2188         (JSC::JSSet::toStringName):
2189         * runtime/JSSymbolTableObject.h:
2190         (JSC::symbolTablePut):
2191         * runtime/JSTypedArrayViewConstructor.cpp:
2192         (JSC::constructTypedArrayView):
2193         * runtime/JSTypedArrayViewPrototype.cpp:
2194         (JSC::typedArrayViewPrivateFuncLength):
2195         (JSC::typedArrayViewProtoFuncSet):
2196         (JSC::typedArrayViewProtoFuncCopyWithin):
2197         (JSC::typedArrayViewProtoFuncLastIndexOf):
2198         (JSC::typedArrayViewProtoFuncIndexOf):
2199         (JSC::typedArrayViewProtoFuncJoin):
2200         (JSC::typedArrayViewProtoGetterFuncBuffer):
2201         (JSC::typedArrayViewProtoGetterFuncLength):
2202         (JSC::typedArrayViewProtoGetterFuncByteLength):
2203         (JSC::typedArrayViewProtoGetterFuncByteOffset):
2204         (JSC::typedArrayViewProtoFuncReverse):
2205         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
2206         (JSC::typedArrayViewProtoFuncSlice):
2207         (JSC::JSTypedArrayViewPrototype::finishCreation):
2208         * runtime/JSWeakMap.cpp:
2209         (JSC::JSWeakMap::toStringName):
2210         * runtime/JSWeakSet.cpp:
2211         (JSC::JSWeakSet::toStringName):
2212         * runtime/LiteralParser.cpp:
2213         (JSC::LiteralParser<CharType>::Lexer::lex):
2214         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2215         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
2216         (JSC::LiteralParser<CharType>::parse):
2217         * runtime/LiteralParser.h:
2218         (JSC::LiteralParser::getErrorMessage):
2219         * runtime/Lookup.cpp:
2220         (JSC::reifyStaticAccessor):
2221         * runtime/Lookup.h:
2222         (JSC::putEntry):
2223         * runtime/MapPrototype.cpp:
2224         (JSC::getMap):
2225         * runtime/NullSetterFunction.cpp:
2226         (JSC::NullSetterFunctionInternal::callReturnUndefined):
2227         * runtime/NumberPrototype.cpp:
2228         (JSC::numberProtoFuncToExponential):
2229         (JSC::numberProtoFuncToFixed):
2230         (JSC::numberProtoFuncToPrecision):
2231         (JSC::extractToStringRadixArgument):
2232         * runtime/ObjectConstructor.cpp:
2233         (JSC::objectConstructorSetPrototypeOf):
2234         (JSC::objectConstructorAssign):
2235         (JSC::objectConstructorValues):
2236         (JSC::toPropertyDescriptor):
2237         (JSC::objectConstructorDefineProperty):
2238         (JSC::objectConstructorDefineProperties):
2239         (JSC::objectConstructorCreate):
2240         (JSC::objectConstructorSeal):
2241         (JSC::objectConstructorFreeze):
2242         * runtime/ObjectPrototype.cpp:
2243         (JSC::objectProtoFuncDefineGetter):
2244         (JSC::objectProtoFuncDefineSetter):
2245         * runtime/Operations.cpp:
2246         (JSC::jsAddSlowCase):
2247         * runtime/Operations.h:
2248         (JSC::jsSub):
2249         (JSC::jsMul):
2250         * runtime/ProgramExecutable.cpp:
2251         (JSC::ProgramExecutable::initializeGlobalProperties):
2252         * runtime/ProxyConstructor.cpp:
2253         (JSC::makeRevocableProxy):
2254         (JSC::proxyRevocableConstructorThrowError):
2255         (JSC::ProxyConstructor::finishCreation):
2256         (JSC::constructProxyObject):
2257         * runtime/ProxyObject.cpp:
2258         (JSC::ProxyObject::toStringName):
2259         (JSC::ProxyObject::finishCreation):
2260         (JSC::performProxyGet):
2261         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2262         (JSC::ProxyObject::performHasProperty):
2263         (JSC::ProxyObject::performPut):
2264         (JSC::performProxyCall):
2265         (JSC::performProxyConstruct):
2266         (JSC::ProxyObject::performDelete):
2267         (JSC::ProxyObject::performPreventExtensions):
2268         (JSC::ProxyObject::performIsExtensible):
2269         (JSC::ProxyObject::performDefineOwnProperty):
2270         (JSC::ProxyObject::performGetOwnPropertyNames):
2271         (JSC::ProxyObject::performSetPrototype):
2272         (JSC::ProxyObject::performGetPrototype):
2273         * runtime/ReflectObject.cpp:
2274         (JSC::reflectObjectConstruct):
2275         (JSC::reflectObjectDefineProperty):
2276         (JSC::reflectObjectGet):
2277         (JSC::reflectObjectGetOwnPropertyDescriptor):
2278         (JSC::reflectObjectGetPrototypeOf):
2279         (JSC::reflectObjectIsExtensible):
2280         (JSC::reflectObjectOwnKeys):
2281         (JSC::reflectObjectPreventExtensions):
2282         (JSC::reflectObjectSet):
2283         (JSC::reflectObjectSetPrototypeOf):
2284         * runtime/RegExpConstructor.cpp:
2285         (JSC::RegExpConstructor::finishCreation):
2286         (JSC::toFlags):
2287         * runtime/RegExpObject.cpp:
2288         (JSC::RegExpObject::defineOwnProperty):
2289         * runtime/RegExpObject.h:
2290         * runtime/RegExpPrototype.cpp:
2291         (JSC::regExpProtoFuncCompile):
2292         (JSC::regExpProtoGetterGlobal):
2293         (JSC::regExpProtoGetterIgnoreCase):
2294         (JSC::regExpProtoGetterMultiline):
2295         (JSC::regExpProtoGetterDotAll):
2296         (JSC::regExpProtoGetterSticky):
2297         (JSC::regExpProtoGetterUnicode):
2298         (JSC::regExpProtoGetterFlags):
2299         (JSC::regExpProtoGetterSourceInternal):
2300         (JSC::regExpProtoGetterSource):
2301         * runtime/RuntimeType.cpp:
2302         (JSC::runtimeTypeAsString):
2303         * runtime/SamplingProfiler.cpp:
2304         (JSC::SamplingProfiler::StackFrame::displayName):
2305         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
2306         * runtime/ScriptExecutable.cpp:
2307         (JSC::ScriptExecutable::prepareForExecutionImpl):
2308         * runtime/SetPrototype.cpp:
2309         (JSC::getSet):
2310         * runtime/SparseArrayValueMap.cpp:
2311         (JSC::SparseArrayValueMap::putEntry):
2312         (JSC::SparseArrayValueMap::putDirect):
2313         (JSC::SparseArrayEntry::put):
2314         * runtime/StackFrame.cpp:
2315         (JSC::StackFrame::sourceURL const):
2316         (JSC::StackFrame::functionName const):
2317         * runtime/StringConstructor.cpp:
2318         (JSC::stringFromCodePoint):
2319         * runtime/StringObject.cpp:
2320         (JSC::StringObject::put):
2321         (JSC::StringObject::putByIndex):
2322         * runtime/StringPrototype.cpp:
2323         (JSC::StringPrototype::finishCreation):
2324         (JSC::toLocaleCase):
2325         (JSC::stringProtoFuncNormalize):
2326         * runtime/Symbol.cpp:
2327         (JSC::Symbol::toNumber const):
2328         * runtime/SymbolConstructor.cpp:
2329         (JSC::symbolConstructorKeyFor):
2330         * runtime/SymbolObject.cpp:
2331         (JSC::SymbolObject::toStringName):
2332         * runtime/SymbolPrototype.cpp:
2333         (JSC::SymbolPrototype::finishCreation):
2334         * runtime/TypeSet.cpp:
2335         (JSC::TypeSet::dumpTypes const):
2336         (JSC::TypeSet::displayName const):
2337         (JSC::StructureShape::leastCommonAncestor):
2338         * runtime/TypeSet.h:
2339         (JSC::StructureShape::setConstructorName):
2340         * runtime/VM.cpp:
2341         (JSC::VM::dumpTypeProfilerData):
2342         * runtime/WeakMapPrototype.cpp:
2343         (JSC::getWeakMap):
2344         (JSC::protoFuncWeakMapSet):
2345         * runtime/WeakSetPrototype.cpp:
2346         (JSC::getWeakSet):
2347         (JSC::protoFuncWeakSetAdd):
2348         * tools/JSDollarVM.cpp:
2349         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2350         (WTF::DOMJITGetterComplex::customGetter):
2351         (JSC::functionSetImpureGetterDelegate):
2352         (JSC::functionCreateElement):
2353         (JSC::functionGetHiddenValue):
2354         (JSC::functionSetHiddenValue):
2355         (JSC::functionFindTypeForExpression):
2356         (JSC::functionReturnTypeFor):
2357         (JSC::functionLoadGetterFromGetterSetter):
2358         * wasm/WasmB3IRGenerator.cpp:
2359         (JSC::Wasm::B3IRGenerator::fail const):
2360         * wasm/WasmIndexOrName.cpp:
2361         (JSC::Wasm::makeString):
2362         * wasm/WasmParser.h:
2363         (JSC::Wasm::FailureHelper::makeString):
2364         (JSC::Wasm::Parser::fail const):
2365         * wasm/WasmPlan.cpp:
2366         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2367         * wasm/WasmValidate.cpp:
2368         (JSC::Wasm::Validate::fail const):
2369         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2370         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2371         * wasm/js/JSWebAssemblyHelpers.h:
2372         (JSC::toNonWrappingUint32):
2373         (JSC::getWasmBufferFromValue):
2374         * wasm/js/JSWebAssemblyInstance.cpp:
2375         (JSC::JSWebAssemblyInstance::create):
2376         * wasm/js/JSWebAssemblyMemory.cpp:
2377         (JSC::JSWebAssemblyMemory::grow):
2378         * wasm/js/WasmToJS.cpp:
2379         (JSC::Wasm::handleBadI64Use):
2380         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2381         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
2382         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2383         (JSC::constructJSWebAssemblyInstance):
2384         (JSC::WebAssemblyInstanceConstructor::finishCreation):
2385         * wasm/js/WebAssemblyInstancePrototype.cpp:
2386         (JSC::getInstance):
2387         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2388         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
2389         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2390         (JSC::constructJSWebAssemblyMemory):
2391         (JSC::WebAssemblyMemoryConstructor::finishCreation):
2392         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2393         (JSC::getMemory):
2394         * wasm/js/WebAssemblyModuleConstructor.cpp:
2395         (JSC::webAssemblyModuleCustomSections):
2396         (JSC::webAssemblyModuleImports):
2397         (JSC::webAssemblyModuleExports):
2398         (JSC::WebAssemblyModuleConstructor::finishCreation):
2399         * wasm/js/WebAssemblyModuleRecord.cpp:
2400         (JSC::WebAssemblyModuleRecord::link):
2401         (JSC::dataSegmentFail):
2402         (JSC::WebAssemblyModuleRecord::evaluate):
2403         * wasm/js/WebAssemblyPrototype.cpp:
2404         (JSC::resolve):
2405         (JSC::webAssemblyInstantiateFunc):
2406         (JSC::webAssemblyInstantiateStreamingInternal):
2407         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2408         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
2409         * wasm/js/WebAssemblyTableConstructor.cpp:
2410         (JSC::constructJSWebAssemblyTable):
2411         (JSC::WebAssemblyTableConstructor::finishCreation):
2412         * wasm/js/WebAssemblyTablePrototype.cpp:
2413         (JSC::getTable):
2414         (JSC::webAssemblyTableProtoFuncGrow):
2415         (JSC::webAssemblyTableProtoFuncGet):
2416         (JSC::webAssemblyTableProtoFuncSet):
2417
2418 2018-06-22  Keith Miller  <keith_miller@apple.com>
2419
2420         unshift should zero unused property storage
2421         https://bugs.webkit.org/show_bug.cgi?id=186960
2422
2423         Reviewed by Saam Barati.
2424
2425         Also, this patch adds the zeroed unused property storage assertion
2426         to one more place it was missing.
2427
2428         * runtime/JSArray.cpp:
2429         (JSC::JSArray::unshiftCountSlowCase):
2430         * runtime/JSObjectInlines.h:
2431         (JSC::JSObject::putDirectInternal):
2432
2433 2018-06-22  Mark Lam  <mark.lam@apple.com>
2434
2435         PropertyCondition::isValidValueForAttributes() should also consider deleted values.
2436         https://bugs.webkit.org/show_bug.cgi?id=186943
2437         <rdar://problem/41370337>
2438
2439         Reviewed by Saam Barati.
2440
2441         PropertyCondition::isValidValueForAttributes() should check if the passed in value
2442         is a deleted one before it does a jsDynamicCast on it.
2443
2444         * bytecode/PropertyCondition.cpp:
2445         (JSC::PropertyCondition::isValidValueForAttributes):
2446         * runtime/JSCJSValueInlines.h:
2447         - removed an unnecessary #if.
2448
2449 2018-06-22  Keith Miller  <keith_miller@apple.com>
2450
2451         performProxyCall should toThis the value passed to its handler
2452         https://bugs.webkit.org/show_bug.cgi?id=186951
2453
2454         Reviewed by Mark Lam.
2455
2456         * runtime/ProxyObject.cpp:
2457         (JSC::performProxyCall):
2458
2459 2018-06-22  Saam Barati  <sbarati@apple.com>
2460
2461         ensureWritableX should only convert away from CoW when it will succeed
2462         https://bugs.webkit.org/show_bug.cgi?id=186898
2463
2464         Reviewed by Keith Miller.
2465
2466         Otherwise, when we OSR exit, we'll end up profiling the array after
2467         it has been converted away from CoW. It's better for the ArrayProfile
2468         to see the array as it's still in CoW mode.
2469         
2470         This patch also renames ensureWritableX to tryMakeWritableX since these
2471         were never really "ensure" operations -- they may fail and return null.
2472
2473         * dfg/DFGOperations.cpp:
2474         * runtime/JSObject.cpp:
2475         (JSC::JSObject::tryMakeWritableInt32Slow):
2476         (JSC::JSObject::tryMakeWritableDoubleSlow):
2477         (JSC::JSObject::tryMakeWritableContiguousSlow):
2478         (JSC::JSObject::ensureWritableInt32Slow): Deleted.
2479         (JSC::JSObject::ensureWritableDoubleSlow): Deleted.
2480         (JSC::JSObject::ensureWritableContiguousSlow): Deleted.
2481         * runtime/JSObject.h:
2482         (JSC::JSObject::tryMakeWritableInt32):
2483         (JSC::JSObject::tryMakeWritableDouble):
2484         (JSC::JSObject::tryMakeWritableContiguous):
2485         (JSC::JSObject::ensureWritableInt32): Deleted.
2486         (JSC::JSObject::ensureWritableDouble): Deleted.
2487         (JSC::JSObject::ensureWritableContiguous): Deleted.
2488
2489 2018-06-22  Keith Miller  <keith_miller@apple.com>
2490
2491         We should call visitChildren on Base not the exact typename
2492         https://bugs.webkit.org/show_bug.cgi?id=186928
2493
2494         Reviewed by Mark Lam.
2495
2496         A lot of places were not properly calling visitChildren on their
2497         superclass. For most of them it didn't matter because they had
2498         immortal structures. If code changed in the future this might
2499         break things however.
2500
2501         Also, block off more of the MethodTable for GetterSetter objects.
2502
2503         * bytecode/CodeBlock.cpp:
2504         (JSC::CodeBlock::visitChildren):
2505         * bytecode/ExecutableToCodeBlockEdge.cpp:
2506         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2507         * debugger/DebuggerScope.cpp:
2508         (JSC::DebuggerScope::visitChildren):
2509         * runtime/EvalExecutable.cpp:
2510         (JSC::EvalExecutable::visitChildren):
2511         * runtime/FunctionExecutable.cpp:
2512         (JSC::FunctionExecutable::visitChildren):
2513         * runtime/FunctionRareData.cpp:
2514         (JSC::FunctionRareData::visitChildren):
2515         * runtime/GenericArgumentsInlines.h:
2516         (JSC::GenericArguments<Type>::visitChildren):
2517         * runtime/GetterSetter.cpp:
2518         (JSC::GetterSetter::visitChildren):
2519         * runtime/GetterSetter.h:
2520         * runtime/InferredType.cpp:
2521         (JSC::InferredType::visitChildren):
2522         * runtime/InferredTypeTable.cpp:
2523         (JSC::InferredTypeTable::visitChildren):
2524         * runtime/InferredValue.cpp:
2525         (JSC::InferredValue::visitChildren):
2526         * runtime/JSArrayBufferView.cpp:
2527         (JSC::JSArrayBufferView::visitChildren):
2528         * runtime/JSGenericTypedArrayViewInlines.h:
2529         (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
2530         * runtime/ModuleProgramExecutable.cpp:
2531         (JSC::ModuleProgramExecutable::visitChildren):
2532         * runtime/ProgramExecutable.cpp:
2533         (JSC::ProgramExecutable::visitChildren):
2534         * runtime/ScopedArguments.cpp:
2535         (JSC::ScopedArguments::visitChildren):
2536         * runtime/ScopedArguments.h:
2537         * runtime/Structure.cpp:
2538         (JSC::Structure::visitChildren):
2539         * runtime/StructureRareData.cpp:
2540         (JSC::StructureRareData::visitChildren):
2541         * runtime/SymbolTable.cpp:
2542         (JSC::SymbolTable::visitChildren):
2543
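An added illustration of the visitChildren point in the entry above, written for this page and not taken from JavaScriptCore; the class names, the `Visitor` type and the field names are constructed stand-ins. It shows why naming the concrete root type instead of `Base` silently drops the edges owned by any class in between, which is the kind of missed GC edge that becomes a premature free once the hierarchy changes.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed illustration (not JavaScriptCore code) of the visitChildren
// pattern. A "visitor" records which fields a cell reported as children; a
// field that is never reported is invisible to the collector, so the object
// it points to can be freed while the cell still references it.
struct Visitor {
    std::vector<std::string> marked;
    void append(const std::string& field) { marked.push_back(field); }
};

// Root of the hierarchy: every cell has a structure pointer to report.
struct CellBase {
    static void visitChildren(CellBase*, Visitor& visitor)
    {
        visitor.append("CellBase::m_structure");
    }
};

// Intermediate class that owns its own GC-managed field.
struct MiddleCell : CellBase {
    using Base = CellBase;
    static void visitChildren(CellBase* cell, Visitor& visitor)
    {
        Base::visitChildren(cell, visitor);
        visitor.append("MiddleCell::m_scope");
    }
};

// Buggy shape: names the concrete root type instead of Base, so the
// MiddleCell::visitChildren step (and its m_scope edge) is skipped.
struct LeafBuggy : MiddleCell {
    using Base = MiddleCell;
    static void visitChildren(CellBase* cell, Visitor& visitor)
    {
        CellBase::visitChildren(cell, visitor); // skips MiddleCell entirely
        visitor.append("LeafBuggy::m_value");
    }
};

// Fixed shape: delegates to Base, so every level of the hierarchy runs.
struct LeafFixed : MiddleCell {
    using Base = MiddleCell;
    static void visitChildren(CellBase* cell, Visitor& visitor)
    {
        Base::visitChildren(cell, visitor);
        visitor.append("LeafFixed::m_value");
    }
};

// Run a cell type's visitChildren and return the fields it reported.
template<typename CellType>
std::vector<std::string> collectEdges()
{
    CellType cell;
    Visitor visitor;
    CellType::visitChildren(&cell, visitor);
    return visitor.marked;
}

// True when the intermediate class's field was reported, i.e. no edge was
// left unmarked on the way up the hierarchy.
template<typename CellType>
bool marksIntermediateField()
{
    for (const std::string& field : collectEdges<CellType>()) {
        if (field == "MiddleCell::m_scope")
            return true;
    }
    return false;
}

size_t buggyEdgeCount() { return collectEdges<LeafBuggy>().size(); } // 2
size_t fixedEdgeCount() { return collectEdges<LeafFixed>().size(); } // 3
```
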
2544 2018-06-20  Darin Adler  <darin@apple.com>
2545
2546         [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity
2547         https://bugs.webkit.org/show_bug.cgi?id=186875
2548
2549         Reviewed by Anders Carlsson.
2550
2551         * API/tests/testapi.mm:
2552         (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file.
2553
2554 2018-06-22  Carlos Garcia Campos  <cgarcia@igalia.com>
2555
2556         [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message
2557         https://bugs.webkit.org/show_bug.cgi?id=186915
2558
2559         Reviewed by Žan Doberšek.
2560
2561         Update StartAutomationSession message handling to receive a dictionary of session capabilities.
2562
2563         * inspector/remote/glib/RemoteInspectorServer.cpp:
2564         (Inspector::processSessionCapabilities): Helper method to process the session capabilities.
2565
2566 2018-06-21  Mark Lam  <mark.lam@apple.com>
2567
2568         WebKit (JavaScriptCore) compilation error with Clang ≥ 6.
2569         https://bugs.webkit.org/show_bug.cgi?id=185947
2570         <rdar://problem/40131933>
2571
2572         Reviewed by Saam Barati.
2573
2574         Newer Clang versions (due to C++17 support) are not happy with how I implemented
2575         conversions between CodeLocation types.  We'll fix this by adding a conversion
2576         operator for converting between CodeLocation types.
2577
2578         * assembler/CodeLocation.h:
2579         (JSC::CodeLocationCommon::operator T):
2580
2581 2018-06-21  Saam Barati  <sbarati@apple.com>
2582
2583         Do some CoW cleanup
2584         https://bugs.webkit.org/show_bug.cgi?id=186896
2585
2586         Reviewed by Mark Lam.
2587
2588         * bytecode/UnlinkedCodeBlock.h:
2589         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2590         We don't need to WTFMove() ints
2591
2592         * dfg/DFGByteCodeParser.cpp:
2593         (JSC::DFG::ByteCodeParser::parseBlock):
2594         remove a TODO.
2595
2596         * runtime/JSObject.cpp:
2597         (JSC::JSObject::putByIndex):
2598         We were checking for isCopyOnWrite even after we converted away
2599         from CoW in the above code.
2600         (JSC::JSObject::ensureWritableInt32Slow):
2601         Model this in the same way the other ensureWritableXSlow are modeled.
2602
2603 2018-06-20  Keith Miller  <keith_miller@apple.com>
2604
2605         flattenDictionaryStructure needs to zero inline storage.
2606         https://bugs.webkit.org/show_bug.cgi?id=186869
2607
2608         Reviewed by Saam Barati.
2609
2610         This patch also adds the assertion that unused property storage is
2611         zero or JSValue() to putDirectInternal. Additionally, functions
2612         have been added to $vm that flatten dictionary objects and return
2613         the inline capacity of an object.
2614
2615         * runtime/JSObjectInlines.h:
2616         (JSC::JSObject::putDirectInternal):
2617         * runtime/Structure.cpp:
2618         (JSC::Structure::flattenDictionaryStructure):
2619         * tools/JSDollarVM.cpp:
2620         (JSC::functionInlineCapacity):
2621         (JSC::functionFlattenDictionaryObject):
2622         (JSC::JSDollarVM::finishCreation):
2623
2624 2018-06-21  Mark Lam  <mark.lam@apple.com>
2625
2626         Use IsoCellSets to track Executables with clearable code.
2627         https://bugs.webkit.org/show_bug.cgi?id=186877
2628
2629         Reviewed by Filip Pizlo.
2630
2631         Here’s an example of the results that this fix may yield: 
2632         1. The workload: load cnn.com, wait for it to fully load, scroll down and up.
2633         2. Statistics on memory touched and memory freed by VM::deleteAllCode():
2634
2635            Visiting Executables:
2636                                                         Old             New
2637            Number of objects visited:                   70897           14264
2638            Number of objects with deletable code:       14264 (20.1%)   14264 (100%)
2639            Number of memory pages visited:              3224            1602
2640            Number of memory pages with deletable code:  1602 (49.7%)    1602 (100%)
2641
2642            Visiting UnlinkedFunctionExecutables:
2643                                                         Old             New
2644            Number of objects visited:                   105454          17231
2645            Number of objects with deletable code:       42319 (20.1%)   17231 (100%) **
2646            Number of memory pages visited:              4796            1349
2647            Number of memory pages with deletable code:  4013 (83.7%)    1349 (100%)
2648
2649         ** The number of objects differ because the old code only visit unlinked
2650            executables indirectly via linked executables, whereas the new behavior visit
2651            all unlinked executables with deletable code directly.  This means:
2652
2653            a. we used to not visit unlinked executables that have not been linked yet
2654               i.e. deleteAllCode() may not delete all code (especially code that is not
2655               used).
2656            b. we had to visit all linked executables to check if they of type
2657               FunctionExecutable, before going on to visit their unlinked executable, and
2658               this includes the ones that do not have deletable code.  This means that we
2659               would touch more memory in the process.
2660
2661            Both of these issues are now fixed with the new code.
2662
2663         This code was tested with manually inserted instrumentation to track the above
2664         statistics.  It is not feasible to write an automated test for this without
2665         leaving a lot of invasive instrumentation in the code.
2666
2667         * bytecode/UnlinkedFunctionExecutable.cpp:
2668         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
2669         * bytecode/UnlinkedFunctionExecutable.h:
2670         * heap/CodeBlockSetInlines.h:
2671         (JSC::CodeBlockSet::iterateViaSubspaces):
2672         * heap/Heap.cpp:
2673         (JSC::Heap::deleteAllCodeBlocks):
2674         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
2675         (JSC::Heap::deleteUnmarkedCompiledCode):
2676         (JSC::Heap::clearUnmarkedExecutables): Deleted.
2677         (JSC::Heap::addExecutable): Deleted.
2678         * heap/Heap.h:
2679         * runtime/DirectEvalExecutable.h:
2680
2681         * runtime/ExecutableBase.cpp:
2682         (JSC::ExecutableBase::hasClearableCode const):
2683         - this is written based on the implementation of ExecutableBase::clearCode().
2684
2685         * runtime/ExecutableBase.h:
2686         * runtime/FunctionExecutable.h:
2687         * runtime/IndirectEvalExecutable.h:
2688         * runtime/ModuleProgramExecutable.h:
2689         * runtime/ProgramExecutable.h:
2690         * runtime/ScriptExecutable.cpp:
2691         (JSC::ScriptExecutable::clearCode):
2692         (JSC::ScriptExecutable::installCode):
2693         * runtime/ScriptExecutable.h:
2694         (JSC::ScriptExecutable::finishCreation):
2695         * runtime/VM.cpp:
2696         (JSC::VM::VM):
2697         * runtime/VM.h:
2698         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
2699         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
2700         (JSC::VM::forEachScriptExecutableSpace):
2701         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet):
2702         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor):
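The entry above describes tracking executables that own deletable code in a side set (the `clearableCodeSetFor` sets listed above) so that deleteAllCode() visits only those objects instead of every executable. The following C++ is an added illustration of that idea, not JSC's Heap or VM code: `CodeSpace`, `Executable`, `deleteAllCodeOld`, `deleteAllCodeNew` and `makeSpace` are hypothetical names, and the workload numbers are constructed.

```cpp
#include <cstddef>
#include <unordered_set>
#include <vector>

// Added example, not JSC's Heap/VM code: a model of the "clearable code set"
// approach. Executables register themselves in a per-space set when code is
// installed and drop out when it is cleared, so deleting all code only has to
// touch objects that actually own deletable code.
struct Executable;

struct CodeSpace {
    std::vector<Executable*> all;              // every executable ever allocated
    std::unordered_set<Executable*> clearable; // only those with installed code
};

struct Executable {
    bool hasCode = false;
    void installCode(CodeSpace& space) { hasCode = true; space.clearable.insert(this); }
    void clearCode(CodeSpace& space) { hasCode = false; space.clearable.erase(this); }
};

// Old behaviour: walk every object, test each one, and clear those with code.
// Returns the number of objects visited (and therefore touched in memory).
std::size_t deleteAllCodeOld(CodeSpace& space)
{
    std::size_t visited = 0;
    for (Executable* e : space.all) {
        visited++;
        if (e->hasCode)
            e->clearCode(space);
    }
    return visited;
}

// New behaviour: iterate only the clearable set. The set is snapshotted first
// because clearCode() mutates it while we iterate.
std::size_t deleteAllCodeNew(CodeSpace& space)
{
    std::size_t visited = 0;
    std::vector<Executable*> snapshot(space.clearable.begin(), space.clearable.end());
    for (Executable* e : snapshot) {
        visited++;
        e->clearCode(space);
    }
    return visited;
}

// Constructed workload: `total` executables, of which every `ratio`-th has code.
// `storage` owns the objects; the returned space only holds pointers into it.
CodeSpace makeSpace(std::vector<Executable>& storage, std::size_t total, std::size_t ratio)
{
    storage.assign(total, Executable{});
    CodeSpace space;
    for (std::size_t i = 0; i < total; i++) {
        space.all.push_back(&storage[i]);
        if (i % ratio == 0)
            storage[i].installCode(space);
    }
    return space;
}

// Post-condition both strategies must satisfy: no executable still has code
// and the clearable set is empty.
bool noCodeRemains(const CodeSpace& space)
{
    for (Executable* e : space.all) {
        if (e->hasCode)
            return false;
    }
    return space.clearable.empty();
}
```

With one executable in five owning code, the old walk visits all 1000 objects while the set-based walk visits 200, which is the "100% of visited objects have deletable code" effect shown in the statistics above.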
2703
2704 2018-06-21  Zan Dobersek  <zdobersek@igalia.com>
2705
2706         [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions
2707         https://bugs.webkit.org/show_bug.cgi?id=186884
2708
2709         Reviewed by Carlos Garcia Campos.
2710
2711         Add a tuple array input parameter to the StartAutomationSession DBus
2712         message, representing a list of host-and-certificate pairs that have to
2713         be allowed for a given session. This array is then unpacked and used to
2714         fill out the certificates Vector object in the SessionCapabilities
2715         struct.
2716
2717         * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of
2718         String pairs representing hosts and the certificate file paths.
2719         * inspector/remote/glib/RemoteInspectorServer.cpp:
2720
2721 2018-06-20  Keith Miller  <keith_miller@apple.com>
2722
2723         Expand concurrent GC assertion to accept JSValue() or 0
2724         https://bugs.webkit.org/show_bug.cgi?id=186855
2725
2726         Reviewed by Mark Lam.
2727
2728         We tend to set unused property slots to either JSValue() or 0
2729         depending on the context. On 64-bit these are the same but on
2730         32-bit JSValue() has a NaN tag. This patch makes it so we
2731         accept either JSValue() or 0.
2732
2733         * runtime/JSObjectInlines.h:
2734         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2735
2736 2018-06-20  Guillaume Emont  <guijemont@igalia.com>
2737
2738         [Armv7] Linkbuffer: executableOffsetFor() fails for location 2
2739         https://bugs.webkit.org/show_bug.cgi?id=186765
2740
2741         Reviewed by Michael Saboff.
2742
2743         This widens the check for 0 so that we handle that case more correctly.
2744
2745         * assembler/LinkBuffer.h:
2746         (JSC::LinkBuffer::executableOffsetFor):
2747
2748 2018-06-19  Keith Miller  <keith_miller@apple.com>
2749
2750         Fix broken assertion on 32-bit
2751         https://bugs.webkit.org/show_bug.cgi?id=186830
2752
2753         Reviewed by Mark Lam.
2754
2755         The assertion was intended to catch concurrent GC issues. We don't
2756         run them on 32-bit so we don't need this assertion there. The
2757         assertion was broken because zero is not JSValue() on 32-bit.
2758
2759         * runtime/JSObjectInlines.h:
2760         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2761
2762 2018-06-19  Keith Miller  <keith_miller@apple.com>
2763
2764         flattenDictionaryStructure needs to zero properties that have been compressed away
2765         https://bugs.webkit.org/show_bug.cgi?id=186828
2766
2767         Reviewed by Mark Lam.
2768
2769         This patch fixes a bunch of crashing Mozilla tests on the bots.
2770
2771         * runtime/Structure.cpp:
2772         (JSC::Structure::flattenDictionaryStructure):
2773
2774 2018-06-19  Saam Barati  <sbarati@apple.com>
2775
2776         DirectArguments::create needs to initialize to undefined instead of the empty value
2777         https://bugs.webkit.org/show_bug.cgi?id=186818
2778         <rdar://problem/38415177>
2779
2780         Reviewed by Filip Pizlo.
2781
2782         The bug here is that we will emit code that just loads from DirectArguments as
2783         long as the index is within the known capacity of the arguments object (op_get_from_arguments).
2784         The arguments object has at least enough capacity to hold the declared parameters.
2785         When we materialized this object in OSR exit, we initialized up to the capacity
2786         with JSValue(). In OSR exit, though, we only filled up to the length of the
2787         object with actual values. So we'd end up with a DirectArguments object with
2788         capacity minus length slots of JSValue(). To fix this, we need to initialize up to
2789         capacity with jsUndefined during construction. The invariant of this object is
2790         that the capacity minus length slots at the end are filled in with jsUndefined.
2791
2792         * runtime/DirectArguments.cpp:
2793         (JSC::DirectArguments::create):
2794
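The invariant stated in the entry above (the capacity-minus-length slots at the end of the arguments object hold undefined, never the empty value) can be modelled in a few lines. This is an added example, not JSC's DirectArguments: `Slot`, `Arguments`, `createBuggy`, `createFixed`, `fastRead` and `invariantHolds` are hypothetical names, and `Slot::Empty` stands in for JSValue().

```cpp
#include <cstddef>
#include <vector>

// Added example, not JSC's DirectArguments: JSValue() is modelled as a
// distinct "empty" sentinel that must never become observable to script.
enum class Slot { Empty, Undefined, Value };

struct Arguments {
    std::vector<Slot> slots; // size == capacity (at least the declared parameter count)
    std::size_t length;      // number of arguments actually passed
};

// The construction the entry describes as buggy: every slot starts as the
// empty value and only [0, length) is filled with real values.
Arguments createBuggy(std::size_t capacity, std::size_t length)
{
    Arguments args{std::vector<Slot>(capacity, Slot::Empty), length};
    for (std::size_t i = 0; i < length; i++)
        args.slots[i] = Slot::Value;
    return args;
}

// The fixed construction: slots in [length, capacity) hold undefined.
Arguments createFixed(std::size_t capacity, std::size_t length)
{
    Arguments args{std::vector<Slot>(capacity, Slot::Undefined), length};
    for (std::size_t i = 0; i < length; i++)
        args.slots[i] = Slot::Value;
    return args;
}

// Model of the fast path (op_get_from_arguments): any index below capacity is
// read straight from storage, with no length check, so whatever sits in the
// tail slots is what script observes.
Slot fastRead(const Arguments& args, std::size_t index)
{
    return args.slots[index];
}

// The invariant from the ChangeLog: every slot at or past length is undefined.
bool invariantHolds(const Arguments& args)
{
    for (std::size_t i = args.length; i < args.slots.size(); i++) {
        if (args.slots[i] != Slot::Undefined)
            return false;
    }
    return true;
}
```

For a function declaring three parameters but called with one (capacity 3, length 1), the buggy object hands the empty sentinel to a fast-path read of index 2, while the fixed object returns undefined and satisfies the invariant.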
2795 2018-06-19  Michael Saboff  <msaboff@apple.com>
2796
2797         Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM
2798         https://bugs.webkit.org/show_bug.cgi?id=186827
2799
2800         Reviewed by Saam Barati.
2801
2802         Need to set VM::lastStackTop before any possible calls to sanitizeStack().
2803
2804         * runtime/JSLock.cpp:
2805         (JSC::JSLock::didAcquireLock):
2806
2807 2018-06-19  Tadeu Zagallo  <tzagallo@apple.com>
2808
2809         ShadowChicken crashes with stack overflow in the LLInt
2810         https://bugs.webkit.org/show_bug.cgi?id=186540
2811         <rdar://problem/39682133>
2812
2813         Reviewed by Saam Barati.
2814
2815         Stack overflows in the LLInt were crashing in ShadowChicken when compiling
2816         with debug opcodes because it was accessing the scope of the incomplete top
2817         frame, which hadn't been set yet. Check that we have moved past the first
2818         opcode (enter) and that the scope is not undefined (enter will
2819         initialize it to undefined).
2820
2821         * interpreter/ShadowChicken.cpp:
2822         (JSC::ShadowChicken::update):
2823
2824 2018-06-19  Keith Miller  <keith_miller@apple.com>
2825
2826         constructArray variants should take the slow path for subclasses of Array
2827         https://bugs.webkit.org/show_bug.cgi?id=186812
2828
2829         Reviewed by Saam Barati and Mark Lam.
2830
2831         This patch fixes a crashing test in ObjectInitializationScope where we would
2832         allocate a new structure for an indexing type change while initializing
2833         a subclass of Array. Since the new array hasn't been fully initialized
2834         if the GC ran it would see garbage and we might crash.
2835
2836         * runtime/JSArray.cpp:
2837         (JSC::constructArray):
2838         (JSC::constructArrayNegativeIndexed):
2839         * runtime/JSArray.h:
2840         (JSC::constructArray): Deleted.
2841         (JSC::constructArrayNegativeIndexed): Deleted.
2842
2843 2018-06-19  Saam Barati  <sbarati@apple.com>
2844
2845         Wasm: Any function argument of type Void should be a validation error
2846         https://bugs.webkit.org/show_bug.cgi?id=186794
2847         <rdar://problem/41140257>
2848
2849         Reviewed by Keith Miller.
2850
2851         * wasm/WasmModuleParser.cpp:
2852         (JSC::Wasm::ModuleParser::parseType):
2853
2854 2018-06-18  Keith Miller  <keith_miller@apple.com>
2855
2856         JSImmutableButterfly should assert m_header is adjacent to the data
2857         https://bugs.webkit.org/show_bug.cgi?id=186795
2858
2859         Reviewed by Saam Barati.
2860
2861         * runtime/JSImmutableButterfly.cpp:
2862         * runtime/JSImmutableButterfly.h:
2863
2864 2018-06-18  Keith Miller  <keith_miller@apple.com>
2865
2866         Unreviewed, fix the build...
2867
2868         * runtime/JSArray.cpp:
2869         (JSC::JSArray::tryCreateUninitializedRestricted):
2870
2871 2018-06-18  Keith Miller  <keith_miller@apple.com>
2872
2873         Unreviewed, remove bad assertion.
2874
2875         * runtime/JSArray.cpp:
2876         (JSC::JSArray::tryCreateUninitializedRestricted):
2877
2878 2018-06-18  Keith Miller  <keith_miller@apple.com>
2879
2880         Properly zero unused property storage offsets
2881         https://bugs.webkit.org/show_bug.cgi?id=186692
2882
2883         Reviewed by Filip Pizlo.
2884
2885         Since the concurrent GC might see a property slot before the mutator has actually
2886         stored the value there, we need to ensure that slot doesn't have garbage in it.
2887
2888         Right now when calling constructConvertedArrayStorageWithoutCopyingElements
2889         or creating a RegExp matches array, we never cleared the unused
2890         property storage. ObjectInitializationScope has also been upgraded
2891         to look for our invariants around property storage. Additionally,
2892         a new assertion has been added to check for JSValue() when adding
2893         a new property.
2894
2895         We used to put undefined into deleted property offsets. To
2896         make things simpler, this patch causes us to store JSValue() there
2897         instead.
2898
2899         Lastly, this patch fixes an issue where we would initialize the
2900         array storage of RegExpMatchesArray twice. First with 0 and
2901         secondly with the actual result. Now we only zero memory between
2902         vector length and public length.
2903
2904         * runtime/Butterfly.h:
2905         (JSC::Butterfly::offsetOfVectorLength):
2906         * runtime/ButterflyInlines.h:
2907         (JSC::Butterfly::tryCreateUninitialized):
2908         (JSC::Butterfly::createUninitialized):
2909         (JSC::Butterfly::tryCreate):
2910         (JSC::Butterfly::create):
2911         (JSC::Butterfly::createOrGrowPropertyStorage):
2912         (JSC::Butterfly::createOrGrowArrayRight):
2913         (JSC::Butterfly::growArrayRight):
2914         (JSC::Butterfly::resizeArray):
2915         * runtime/JSArray.cpp:
2916         (JSC::JSArray::tryCreateUninitializedRestricted):
2917         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2918         * runtime/JSArray.h:
2919         (JSC::tryCreateArrayButterfly):
2920         * runtime/JSObject.cpp:
2921         (JSC::JSObject::createArrayStorageButterfly):
2922         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2923         (JSC::JSObject::deleteProperty):
2924         (JSC::JSObject::shiftButterflyAfterFlattening):
2925         * runtime/JSObject.h:
2926         * runtime/JSObjectInlines.h:
2927         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2928         * runtime/ObjectInitializationScope.cpp:
2929         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2930         * runtime/ObjectInitializationScope.h:
2931         (JSC::ObjectInitializationScope::release):
2932         * runtime/RegExpMatchesArray.h:
2933         (JSC::tryCreateUninitializedRegExpMatchesArray):
2934         (JSC::createRegExpMatchesArray):
2935
2936         * runtime/Butterfly.h:
2937         (JSC::Butterfly::offsetOfVectorLength):
2938         * runtime/ButterflyInlines.h:
2939         (JSC::Butterfly::tryCreateUninitialized):
2940         (JSC::Butterfly::createUninitialized):
2941         (JSC::Butterfly::tryCreate):
2942         (JSC::Butterfly::create):
2943         (JSC::Butterfly::createOrGrowPropertyStorage):
2944         (JSC::Butterfly::createOrGrowArrayRight):
2945         (JSC::Butterfly::growArrayRight):
2946         (JSC::Butterfly::resizeArray):
2947         * runtime/JSArray.cpp:
2948         (JSC::JSArray::tryCreateUninitializedRestricted):
2949         (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted.
2950         * runtime/JSArray.h:
2951         (JSC::tryCreateArrayButterfly):
2952         * runtime/JSObject.cpp:
2953         (JSC::JSObject::createArrayStorageButterfly):
2954         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
2955         (JSC::JSObject::deleteProperty):
2956         (JSC::JSObject::shiftButterflyAfterFlattening):
2957         * runtime/JSObject.h:
2958         * runtime/JSObjectInlines.h:
2959         (JSC::JSObject::prepareToPutDirectWithoutTransition):
2960         * runtime/ObjectInitializationScope.cpp:
2961         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2962         * runtime/RegExpMatchesArray.cpp:
2963         (JSC::createEmptyRegExpMatchesArray):
2964         * runtime/RegExpMatchesArray.h:
2965         (JSC::tryCreateUninitializedRegExpMatchesArray):
2966         (JSC::createRegExpMatchesArray):
2967
2968 2018-06-18  Tadeu Zagallo  <tzagallo@apple.com>
2969
2970         Share structure across instances of classes exported through the ObjC API
2971         https://bugs.webkit.org/show_bug.cgi?id=186579
2972         <rdar://problem/40969212>
2973
2974         Reviewed by Saam Barati.
2975
2976         A new structure was being created for each instance of exported ObjC
2977         classes due to setting the prototype in the structure for every object,
2978         since prototype transitions are not cached by the structure. Cache the
2979         Structure in the JSObjcClassInfo to avoid the transition.
2980
2981         * API/JSWrapperMap.mm:
2982         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2983         (-[JSObjCClassInfo structureInContext:]):
2984         * API/tests/JSWrapperMapTests.h: Added.
2985         * API/tests/JSWrapperMapTests.mm: Added.
2986         (+[JSWrapperMapTests testStructureIdentity]):
2987         (runJSWrapperMapTests):
2988         * API/tests/testapi.mm:
2989         (testObjectiveCAPIMain):
2990         * JavaScriptCore.xcodeproj/project.pbxproj:
2991
2992 2018-06-18  Michael Saboff  <msaboff@apple.com>
2993
2994         Support Unicode 11 in RegExp
2995         https://bugs.webkit.org/show_bug.cgi?id=186685
2996
2997         Reviewed by Mark Lam.
2998
2999         Updated the UCD tables used to generate RegExp property tables to version 11.0.
3000
3001         * Scripts/generateYarrUnicodePropertyTables.py:
3002         * ucd/CaseFolding.txt:
3003         * ucd/DerivedBinaryProperties.txt:
3004         * ucd/DerivedCoreProperties.txt:
3005         * ucd/DerivedNormalizationProps.txt:
3006         * ucd/PropList.txt:
3007         * ucd/PropertyAliases.txt:
3008         * ucd/PropertyValueAliases.txt:
3009         * ucd/ScriptExtensions.txt:
3010         * ucd/Scripts.txt:
3011         * ucd/UnicodeData.txt:
3012         * ucd/emoji-data.txt:
3013
3014 2018-06-18  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3015
3016         [WTF] Remove workarounds needed to support libstdc++-4
3017         https://bugs.webkit.org/show_bug.cgi?id=186762
3018
3019         Reviewed by Michael Catanzaro.
3020
3021         Revert r226299, r226300, r226301 and r226302.
3022
3023         * API/tests/TypedArrayCTest.cpp:
3024         (assertEqualsAsNumber):
3025
3026 2018-06-16  Michael Catanzaro  <mcatanzaro@igalia.com>
3027
3028         REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
3029         https://bugs.webkit.org/show_bug.cgi?id=182923
3030
3031         Reviewed by Mark Lam.
3032
3033         The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
3034         Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
3035
3036         * heap/MarkedBlock.h:
3037
3038 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3039
3040         [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
3041         https://bugs.webkit.org/show_bug.cgi?id=186723
3042
3043         Reviewed by Mark Lam.
3044
3045         Now, the CoW -> non-CoW transition is a heavy path. We inline the part of Structure::nonPropertyTransition
3046         to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
3047
3048         This patch improves SixSpeed/spread-literal.es5.
3049
3050                                      baseline                  patched
3051
3052         spread-literal.es5      114.4140+-4.5146     ^    104.5475+-3.6157        ^ definitely 1.0944x faster
3053
3054         * runtime/JSArrayInlines.h:
3055         (JSC::JSArray::pushInline):
3056         * runtime/Structure.cpp:
3057         (JSC::Structure::nonPropertyTransitionSlow):
3058         (JSC::Structure::nonPropertyTransition): Deleted.
3059         * runtime/Structure.h:
3060         * runtime/StructureInlines.h:
3061         (JSC::Structure::nonPropertyTransition):
3062
3063 2018-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3064
3065         [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
3066         https://bugs.webkit.org/show_bug.cgi?id=186721
3067
3068         Reviewed by Keith Miller.
3069
3070         We still have several other OSRExits, but this patch reduces that.
3071
3072         1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
3073         So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
3074
3075         2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
3076         non-appropriate.
3077
3078         These changes fix the Kraken/crypto-aes regression a bit.
3079
3080                                       baseline                  patched
3081
3082         stanford-crypto-aes        63.718+-2.312      ^      56.140+-0.966         ^ definitely 1.1350x faster
3083
3084
3085         * dfg/DFGByteCodeParser.cpp:
3086         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3087         * ftl/FTLOperations.cpp:
3088         (JSC::FTL::operationMaterializeObjectInOSR):
3089         * runtime/CommonSlowPaths.cpp:
3090         (JSC::SLOW_PATH_DECL):
3091
3092 2018-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3093
3094         [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
3095         https://bugs.webkit.org/show_bug.cgi?id=186460
3096
3097         Reviewed by Saam Barati.
3098
3099         Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
3100         We should return JSFixedArray for Spread. This patch adds code generating
3101         a JSFixedArray from JSImmutableButterfly.
3102
3103         Merging JSFixedArray into JSImmutableButterfly is a possible future extension.
3104
3105         * ftl/FTLLowerDFGToB3.cpp:
3106         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3107         * runtime/JSFixedArray.h:
3108
3109 2018-06-15  Saam Barati  <sbarati@apple.com>
3110
3111         Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
3112         https://bugs.webkit.org/show_bug.cgi?id=186687
3113         <rdar://problem/40071332>
3114
3115         Reviewed by Keith Miller.
3116
3117         * API/JSVirtualMachinePrivate.h:
3118
3119 2018-06-15  Saam Barati  <sbarati@apple.com>
3120
3121         Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
3122         https://bugs.webkit.org/show_bug.cgi?id=186648
3123
3124         Reviewed by Michael Saboff.
3125
3126         This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
3127         regressed with my first version of ForceOSRExit CFG pruning. This patch makes
3128         ForceOSRExit CFG pruning more aggressive by not ignoring everything that
3129         can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
3130         if it's the plan's osr entry bytecode target. The goal is to get a speedometer
3131         2 speedup with this change on iOS.
3132
3133         * dfg/DFGByteCodeParser.cpp:
3134         (JSC::DFG::ByteCodeParser::parse):
3135
3136 2018-06-15  Michael Catanzaro  <mcatanzaro@igalia.com>
3137
3138         Unreviewed, rolling out r232816.
3139
3140         Suggested by Caitlin:
3141         "this patch clearly does get some things wrong, and it's not
3142         easy to find what those things are"
3143
3144         Reverted changeset:
3145
3146         "[LLInt] use loadp consistently for
3147         get_from_scope/put_to_scope"
3148         https://bugs.webkit.org/show_bug.cgi?id=132333
3149         https://trac.webkit.org/changeset/232816
3150
3151 2018-06-14  Michael Saboff  <msaboff@apple.com>
3152
3153         REGRESSION(232741): Crash running ARES-6
3154         https://bugs.webkit.org/show_bug.cgi?id=186630
3155
3156         Reviewed by Saam Barati.
3157
3158         The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
3159         treated edges between identical predecessor->successor pairs independently.
3160         This fixes the issue by handling such edges once, using the added intermediate
3161         pad for all instances of the edges between the same pairs.
3162
3163         * dfg/DFGCriticalEdgeBreakingPhase.cpp:
3164         (JSC::DFG::CriticalEdgeBreakingPhase::run):
3165         (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
3166
3167 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
3168
3169         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
3170         https://bugs.webkit.org/show_bug.cgi?id=186560
3171
3172         Reviewed by Brian Burg.
3173
3174         Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
3175         that always receives the session capabilities.
3176
3177         * inspector/remote/RemoteInspector.h:
3178         * inspector/remote/RemoteInspectorConstants.h:
3179         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3180         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
3181         WebKit here and fill the SessionCapabilities instead.
3182         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3183         (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
3184         * inspector/remote/glib/RemoteInspectorServer.cpp:
3185         (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
3186         * inspector/remote/glib/RemoteInspectorServer.h:
3187
3188 2018-06-13  Adrian Perez de Castro  <aperez@igalia.com>
3189
3190         [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
3191         https://bugs.webkit.org/show_bug.cgi?id=186588
3192
3193         Reviewed by Carlos Garcia Campos.
3194
3195         Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
3196         for resource paths, which avoids needing a switcheroo depending on the port.
3197
3198         * inspector/remote/glib/RemoteInspectorUtils.cpp:
3199
3200 2018-06-13  Caitlin Potter  <caitp@igalia.com>
3201
3202         [LLInt] use loadp consistently for get_from_scope/put_to_scope
3203         https://bugs.webkit.org/show_bug.cgi?id=132333
3204
3205         Reviewed by Mark Lam.
3206
3207         Using `loadis` for register indexes and `loadp` for constant scopes /
3208         symboltables makes sense, but is problematic for big-endian
3209         architectures.
3210
3211         Consistently treating the operand as a pointer simplifies determining
3212         how to access the operand, and helps avoid bad accesses and crashes on
3213         big-endian ports.
3214
3215         * bytecode/CodeBlock.cpp:
3216         (JSC::CodeBlock::finishCreation):
3217         * bytecode/Instruction.h:
3218         * jit/JITOperations.cpp:
3219         * llint/LLIntSlowPaths.cpp:
3220         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3221         * llint/LowLevelInterpreter32_64.asm:
3222         * llint/LowLevelInterpreter64.asm:
3223         * runtime/CommonSlowPaths.h:
3224         (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
3225         (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
3226
3227 2018-06-13  Keith Miller  <keith_miller@apple.com>
3228
3229         AutomaticThread should have a way to provide a thread name
3230         https://bugs.webkit.org/show_bug.cgi?id=186604
3231
3232         Reviewed by Filip Pizlo.
3233
3234         Add names for JSC's automatic threads.
3235
3236         * dfg/DFGWorklist.cpp:
3237         * heap/Heap.cpp:
3238         * jit/JITWorklist.cpp:
3239         * runtime/VMTraps.cpp:
3240         * wasm/WasmWorklist.cpp:
3241
3242 2018-06-13  Saam Barati  <sbarati@apple.com>
3243
3244         CFGSimplificationPhase should de-dupe jettisonedBlocks
3245         https://bugs.webkit.org/show_bug.cgi?id=186583
3246
3247         Reviewed by Filip Pizlo.
3248
3249         When making the predecessors list unique in r232741, it revealed a bug inside
3250         of CFG simplification, where we try to remove the same predecessor more than
3251         once from a block's predecessors list. We built the list of blocks to remove
3252         from the list of successors, which is not unique, causing us to try to remove
3253         the same predecessor more than once. The solution here is to just add to this
3254         list of blocks to remove only if the block is not already in the list.
3255
3256         * dfg/DFGCFGSimplificationPhase.cpp:
3257         (JSC::DFG::CFGSimplificationPhase::run):
3258
3259 2018-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3260
3261         [JSC] Always use Nuke & Set procedure for x86
3262         https://bugs.webkit.org/show_bug.cgi?id=186592
3263
3264         Reviewed by Keith Miller.
3265
3266         We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
3267         By doing so, we can concurrently load structure and butterfly at least in an x86 environment even in non-collector
3268         threads.
3269
3270         * runtime/JSObject.cpp:
3271         (JSC::JSObject::convertContiguousToArrayStorage):
3272
3273 2018-06-12  Saam Barati  <sbarati@apple.com>
3274
3275         Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
3276         https://bugs.webkit.org/show_bug.cgi?id=186071
3277
3278         Reviewed by Mark Lam.
3279
3280         * API/JSVirtualMachine.mm:
3281         (-[JSVirtualMachine shrinkFootprint]): Deleted.
3282         * API/JSVirtualMachinePrivate.h:
3283
3284 2018-06-11  Saam Barati  <sbarati@apple.com>
3285
3286         Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
3287         https://bugs.webkit.org/show_bug.cgi?id=181409
3288         <rdar://problem/36383749>
3289
3290         Reviewed by Keith Miller.
3291
3292         This patch is me redoing r226655. This is a patch I wrote when
3293         profiling Speedometer. Fil rolled this change out in r230928. He
3294         showed this slowed down a SunSpider test by ~2x. This SunSpider
3295         regression revealed a real performance bug in the original change:
3296         we would kill blocks that reached OSR entry targets, sometimes leading
3297         us to not do OSR entry into the DFG, since we could end up deleting
3298         entire loops from the CFG. The reason for this is that code that has run
3299         ~once and that reaches loops often has ForceOSRExits inside of it. The
3300         solution to this is to not perform this optimization on blocks that can
3301         reach OSR entry targets.
3302         
3303         The reason I'm redoing this patch is that it turns out Fil rolling
3304         out the change was a Speedometer 2 regression.
3305         
3306         This is a modified version of the original ChangeLog I wrote in r226655:
3307         
3308         When I was looking at profiler data for Speedometer, I noticed that one of
3309         the hottest functions in Speedometer is around 1100 bytecode operations long.
3310         Only about 100 of those bytecode ops ever execute. However, we ended up
3311         spending a lot of time compiling basic blocks that never executed. We often
3312         plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
3313         This is the case when such a node never executes.
3314         
3315         This patch makes it so that anytime a block has a ForceOSRExit, and that block
3316         can not reach an OSR entry target, we replace its terminal node with an Unreachable
3317         node, and remove all nodes after the ForceOSRExit. This cuts down the graph
3318         size since it removes control flow edges from the CFG. This allows us to get
3319         rid of huge chunks of the CFG in certain programs. When doing this transformation,
3320         we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
3321         live-in to the ForceOSRExit.
3322         
3323         Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
3324         does not get rid of all the CFG that it could. If we decide it's worth
3325         it, we could use additional inputs into this mechanism. For example, we could
3326         profile if a basic block ever executes inside the LLInt/Baseline, and
3327         remove parts of the CFG based on that.
3328         
3329         When running Speedometer with the concurrent JIT turned off, this patch
3330         improves DFG/FTL compile times by around 5%.
3331
3332         * dfg/DFGByteCodeParser.cpp:
3333         (JSC::DFG::ByteCodeParser::addToGraph):
3334         (JSC::DFG::ByteCodeParser::inlineCall):
3335         (JSC::DFG::ByteCodeParser::parse):
3336         * dfg/DFGGraph.cpp:
3337         (JSC::DFG::Graph::blocksInPostOrder):
3338
3339 2018-06-11  Saam Barati  <sbarati@apple.com>
3340
3341         The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
3342         https://bugs.webkit.org/show_bug.cgi?id=184829
3343
3344         Reviewed by Michael Saboff.
3345
3346         This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
3347         In B3/Air, this just meant writing a validation rule. In DFG, this meant
3348         ensuring this property when building up the predecessors list, and also adding
3349         a validation rule. The NaturalLoops algorithm relies on this property.
3350
3351         * b3/B3Validate.cpp:
3352         * b3/air/AirValidate.cpp:
3353         * b3/testb3.cpp:
3354         (JSC::B3::testLoopWithMultipleHeaderEdges):
3355         (JSC::B3::run):
3356         * dfg/DFGGraph.cpp:
3357         (JSC::DFG::Graph::handleSuccessor):
3358         * dfg/DFGValidate.cpp:
3359
3360 2018-06-11  Keith Miller  <keith_miller@apple.com>
3361
3362         Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
3363         https://bugs.webkit.org/show_bug.cgi?id=186467
3364
3365         Reviewed by Simon Fraser.
3366
3367         This patch adds a LazyFireDetail that wraps ScopedLambda so that
3368         we don't actually malloc any strings for firing unless those
3369         Strings are actually going to be printed.
3370
3371         * bytecode/Watchpoint.h:
3372         (JSC::LazyFireDetail::LazyFireDetail):
3373         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3374         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
3375         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3376         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3377         * runtime/ArrayPrototype.cpp:
3378         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3379
3380 2018-06-11  Mark Lam  <mark.lam@apple.com>
3381
3382         Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
3383         https://bugs.webkit.org/show_bug.cgi?id=186451
3384         <rdar://problem/40875792>
3385
3386         Reviewed by Tim Horton.
3387
3388         Enhance setOptions() to be able to take a comma separated options string in
3389         addition to white space separated options strings.
3390
3391         * runtime/Options.cpp:
3392         (JSC::isSeparator):
3393         (JSC::Options::setOptions):
3394
3395 2018-06-11  Michael Saboff  <msaboff@apple.com>
3396
3397         JavaScriptCore: Disable 32-bit JIT on Windows
3398         https://bugs.webkit.org/show_bug.cgi?id=185989
3399
3400         Reviewed by Mark Lam.
3401
3402         Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
3403
3404         * llint/LLIntData.h:
3405         (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
3406         * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
3407         have a case label because these aren't opcodes.
3408         * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
3409         on the JIT being enabled.
3410         (JSC::recomputeDependentOptions):
3411
3412 2018-06-11  Michael Saboff  <msaboff@apple.com>
3413
3414         Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
3415         https://bugs.webkit.org/show_bug.cgi?id=186477
3416
3417         Reviewed by Filip Pizlo.
3418
3419         Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
3420         YARR interpreter nodes.  This caused us to overwrite other frame information.
3421
3422         Added frame offset debugging code to YARR interpreter.
3423
3424         * yarr/YarrInterpreter.cpp:
3425         (JSC::Yarr::ByteCompiler::emitDisjunction):
3426         (JSC::Yarr::ByteCompiler::dumpDisjunction):
3427
3428 2018-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3429
3430         [JSC] Array.prototype.sort should reject null comparator
3431         https://bugs.webkit.org/show_bug.cgi?id=186458
3432
3433         Reviewed by Keith Miller.
3434
3435         This relaxed behavior was once introduced in r216169 to fix some pages by aligning
3436         the behavior to Chrome and Firefox.
3437
3438         However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
3439         accepts it. This patch reverts r216169 to align JSC to the other engines and fix
3440         the spec issue.
3441
3442         * builtins/ArrayPrototype.js:
3443         (sort):
3444
3445 2018-06-09  Dan Bernstein  <mitz@apple.com>
3446
3447         [Xcode] Clean up and modernize some build setting definitions
3448         https://bugs.webkit.org/show_bug.cgi?id=186463
3449
3450         Reviewed by Sam Weinig.
3451
3452         * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
3453           definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
3454           is true for all supported Xcode versions.
3455         * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
3456         * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
3457           ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
3458         * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
3459         * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
3460
3461 2018-06-09  Dan Bernstein  <mitz@apple.com>
3462
3463         Added missing file references to the Configuration group.
3464
3465         * JavaScriptCore.xcodeproj/project.pbxproj:
3466
3467 2018-06-08  Darin Adler  <darin@apple.com>
3468
3469         [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
3470         https://bugs.webkit.org/show_bug.cgi?id=186436
3471
3472         Reviewed by Anders Carlsson.
3473
3474         * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
3475         objc-internal.h and explicitly declaring the alternative.
3476
3477 2018-06-08  Wenson Hsieh  <wenson_hsieh@apple.com>
3478
3479         [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
3480         https://bugs.webkit.org/show_bug.cgi?id=186442
3481         <rdar://problem/40879364>
3482
3483         Reviewed by Tim Horton.
3484
3485         * Configurations/FeatureDefines.xcconfig:
3486
3487 2018-06-08  Tadeu Zagallo  <tzagallo@apple.com>
3488
3489         jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
3490         https://bugs.webkit.org/show_bug.cgi?id=186446
3491         <rdar://problem/40949995>
3492
3493         Reviewed by Mark Lam.
3494
3495         On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
3496         boolean literals, but it would only work for false. Change it so that it
3497         takes the fast path for true, false, null and undefined.
3498
3499         * llint/LowLevelInterpreter.asm:
3500         * llint/LowLevelInterpreter64.asm:
3501
3502 2018-06-08  Brian Burg  <bburg@apple.com>
3503
3504         [Cocoa] Web Automation: include browser name and version in listing for automation targets
3505         https://bugs.webkit.org/show_bug.cgi?id=186204
3506         <rdar://problem/36950423>
3507
3508         Reviewed by Darin Adler.
3509
3510         Ask the client what the reported browser name and version should be, then
3511         send this as part of the listing for an automation target.
3512
3513         * inspector/remote/RemoteInspectorConstants.h:
3514         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3515         (Inspector::RemoteInspector::listingForAutomationTarget const):
3516
3517 2018-06-07  Chris Dumez  <cdumez@apple.com>
3518
3519         Add base class to get WeakPtrFactory member and avoid some boilerplate code
3520         https://bugs.webkit.org/show_bug.cgi?id=186407
3521
3522         Reviewed by Brent Fulgham.
3523
3524         Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
3525         order to avoid some boilerplate code in every class needing a WeakPtrFactory.
3526         This also gets rid of old-style createWeakPtr() methods in favor of the newer
3527         makeWeakPtr().
3528
3529         * wasm/WasmInstance.h:
3530         * wasm/WasmMemory.cpp:
3531         (JSC::Wasm::Memory::registerInstance):
3532
3533 2018-06-07  Tadeu Zagallo  <tzagallo@apple.com>
3534
3535         Don't try to allocate JIT memory if we don't have the JIT entitlement
3536         https://bugs.webkit.org/show_bug.cgi?id=182605
3537         <rdar://problem/38271229>
3538
3539         Reviewed by Mark Lam.
3540
3541         Check that the current process has the correct entitlements before
3542         trying to allocate JIT memory to silence warnings.
3543
3544         * jit/ExecutableAllocator.cpp:
3545         (JSC::allowJIT): Helper that checks entitlements on iOS and returns true on other platforms.
3546         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Check allowJIT before trying to allocate.
3547
3548 2018-06-07  Saam Barati  <sbarati@apple.com>
3549
3550         TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
3551         https://bugs.webkit.org/show_bug.cgi?id=186386
3552
3553         Reviewed by Filip Pizlo.
3554
3555         This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
3556
3557         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3558         (JSC::DFG::TierUpCheckInjectionPhase::run):
3559
3560 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3561
3562         FunctionRareData::m_objectAllocationProfileWatchpoint is racy
3563         https://bugs.webkit.org/show_bug.cgi?id=186237
3564
3565         Reviewed by Saam Barati.
3566
3567         We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
3568         that means that we never notice that it fired if it fires between when the DFG decides to
3569         watch it and when it actually adds the watchpoint.
3570         
3571         Most watchpoints are initialized watched for this purpose. This one had a somewhat good
3572         reason for being initialized blind: that's how we knew to ignore changes to the prototype
3573         before the first allocation. However, that functionality also arose out of the fact that the
3574         rare data is created lazily and usually won't exist until the first allocation.
3575         
3576         The fix here is to make the watchpoint go into watched mode as soon as we initialize the
3577         object allocation profile.
3578         
3579         It's hard to repro this race; however, it started causing spurious test failures for me after
3580         bug 164904.
3581
3582         * runtime/FunctionRareData.cpp:
3583         (JSC::FunctionRareData::FunctionRareData):
3584         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3585
3586 2018-06-07  Saam Barati  <sbarati@apple.com>
3587
3588         Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
3589         https://bugs.webkit.org/show_bug.cgi?id=186218
3590         <rdar://problem/38449540>
3591
3592         Reviewed by Filip Pizlo.
3593
3594         This patch makes tierUpCommon a tad bit more sane. There are a few things
3595         that I did:
3596         - There were a few release asserts that were crashing. Those release asserts
3597         were incorrect. They were making assumptions about how the code and data
3598         structures were ordered that were wrong. This patch removes them. The code
3599         was using the loop hierarchy vector to make assumptions about which loop we
3600         were currently executing in, which is incorrect. The only information that
3601         can be used about where we're currently executing is the bytecode index we're
3602         at.
3603         - This makes it so that we go back to trying to compile outer loops before
3604         inner loops. JF accidentally reverted this behavior that Ben implemented.
3605         JF made it so that we just compiled the innermost loop. I make this
3606         functionality work by first triggering a compile for the outermost loop
3607         that the code is currently executing in and that can perform OSR entry.
3608         However, some programs can get stuck in inner loops. The code works by
3609         progressively asking inner loops to compile if program execution has not
3610         yet reached an outer loop.
3611
3612         * dfg/DFGOperations.cpp:
3613
3614 2018-06-06  Guillaume Emont  <guijemont@igalia.com>
3615
3616         ArityFixup should adjust SP first on 32-bit platforms too
3617         https://bugs.webkit.org/show_bug.cgi?id=186351
3618
3619         Reviewed by Yusuke Suzuki.
3620
3621         * jit/ThunkGenerators.cpp:
3622         (JSC::arityFixupGenerator):
3623
3624 2018-06-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3625
3626         [DFG] Compare operations do not respect negative zeros
3627         https://bugs.webkit.org/show_bug.cgi?id=183729
3628
3629         Reviewed by Saam Barati.
3630
3631         Compare operations do not respect negative zeros. So propagating this can
3632         reduce the size of the produced code for negative zero case. This pattern
3633         can be seen in Kraken stanford-crypto-aes.
3634
3635         This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsDouble) to false.
3636         However, NonIntAsDouble includes negative zero, which can be equal to Int32 positive zero.
3637         This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
3638
3639         * bytecode/SpeculatedType.cpp:
3640         (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
3641         SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
3642         To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
3643         SpecDoubleReal.
3644
3645         * dfg/DFGBackwardsPropagationPhase.cpp:
3646         (JSC::DFG::BackwardsPropagationPhase::propagate):
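
The negative-zero hazard described in this entry, as an added illustration that is not JSC's code: a toy speculated-type lattice (the Spec* names follow the entry, the bit values are constructed) with a "before" and an "after" widening function, and a CompareEq fold that is sound only once SpecNonIntAsDouble is treated as possibly equal to an int32 zero. The runtime witness reproduces the shape of fold-based-on-int32-proof-mul-branch.js: an int32 multiply that yields -0.0.

```cpp
#include <cmath>
#include <cstdint>

// Constructed bit values; only the names follow the ChangeLog entry.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecInt32Only      = 1u << 0; // int32 values, including +0
constexpr SpeculatedType SpecAnyIntAsDouble = 1u << 1; // integral doubles such as 0.0 or 3.0
constexpr SpeculatedType SpecNonIntAsDouble = 1u << 2; // non-integral doubles; -0.0 lives here
constexpr SpeculatedType SpecDoubleReal     = SpecAnyIntAsDouble | SpecNonIntAsDouble;

// Widen a speculation to every speculation whose values may compare == to one of its values.
// Modelled "before": only integral doubles are considered equal to int32 values,
// so SpecNonIntAsDouble is never joined with the integer speculations.
SpeculatedType lubStrictlyEquivalentBuggy(SpeculatedType type)
{
    if (type & (SpecInt32Only | SpecAnyIntAsDouble))
        type |= SpecInt32Only | SpecAnyIntAsDouble;
    return type;
}

// Modelled "after": SpecNonIntAsDouble includes -0.0, and -0.0 == 0 and -0.0 == 0.0,
// so it must be joined with the integer speculations as well.
SpeculatedType lubStrictlyEquivalentFixed(SpeculatedType type)
{
    if (type & (SpecInt32Only | SpecAnyIntAsDouble | SpecNonIntAsDouble))
        type |= SpecInt32Only | SpecAnyIntAsDouble | SpecNonIntAsDouble;
    return type;
}

// A CompareEq(a, b) may be folded to false only when no value of a can equal a value of b.
// Returns true when the compiler would constant-fold the comparison to false.
bool canFoldCompareEqToFalse(SpeculatedType a, SpeculatedType b,
                             SpeculatedType (*lub)(SpeculatedType))
{
    return !(lub(a) & b) && !(a & lub(b));
}

// Runtime witness: an int32 multiply whose result is -0.0. The product is not
// representable as int32 (it carries a sign bit), so it falls into NonIntAsDouble,
// yet it compares equal to int32 zero. A fold to false here would be a miscompile.
bool negativeZeroEqualsInt32Zero()
{
    int32_t a = 0;
    int32_t b = -5;
    double product = static_cast<double>(a) * b; // +0 * negative = -0.0 under IEEE 754
    return std::signbit(product) && product == 0;
}
```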
3647
3648 2018-06-06  Saam Barati  <sbarati@apple.com>
3649
3650         generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
3651         https://bugs.webkit.org/show_bug.cgi?id=186363
3652
3653         Rubber-stamped by Filip Pizlo.
3654
3655         The code was assuming that the object it was creating an OPC for always
3656         had a non-poly-proto structure. However, this assumption was wrong. For
3657         example, an object in the prototype chain could be poly proto. That type
3658         of object graph would cause a crash in this code. This patch makes it so
3659         that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
3660         object as we traverse the prototype chain.
3661
3662         * bytecode/ObjectPropertyConditionSet.cpp:
3663         (JSC::generateConditionsForInstanceOf):
3664
3665 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3666
3667         Adjust compile and runtime flags to match shippable state of features
3668         https://bugs.webkit.org/show_bug.cgi?id=186319
3669         <rdar://problem/40352045>
3670
3671         Reviewed by Maciej Stachowiak, Jon Lee, and others.
3672
3673         This patch revises the compile time and runtime state for various features to match their
3674         suitability for end-user releases.
3675
3676         * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
3677         WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
3678         Cocoa builds.
3679         * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
3680         or ENABLE_INPUT_TYPE_COLOR_POPOVER.
3681         * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
3682         at runtime for non-production builds.
3683
3684 2018-06-05  Brent Fulgham  <bfulgham@apple.com>
3685
3686         Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
3687         https://bugs.webkit.org/show_bug.cgi?id=186286
3688         <rdar://problem/40782992>
3689
3690         Reviewed by Dan Bernstein.
3691
3692         Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
3693         to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
3694         change this flag when preparing for a production release.
3695
3696         * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
3697         whether experimental features should be enabled, and use it to properly define the
3698         feature flag.
3699
3700 2018-06-05  Darin Adler  <darin@apple.com>
3701
3702         [Cocoa] Update some JavaScriptCore code to be more ready for ARC
3703         https://bugs.webkit.org/show_bug.cgi?id=186301
3704
3705         Reviewed by Anders Carlsson.
3706
3707         * API/JSContext.mm:
3708         (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
3709         (-[JSContext setName:]): Removed unnecessary call to copy, since the
3710         JSStringCreateWithCFString function already reads the characters out
3711         of the string and does not retain the string, so there is no need to
3712         make an immutable copy. And used __bridge for typecast.
3713         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3714         (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
3715         Ditto.
3716
3717         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3718         (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
3719         Use CFBridgingRelease instead of autorelease for a CF dictionary that
3720         we return as an NSDictionary.
3721
3722 2018-06-04  Keith Miller  <keith_miller@apple.com>
3723
3724         Remove missing files from JavaScriptCore Xcode project
3725         https://bugs.webkit.org/show_bug.cgi?id=186297
3726
3727         Reviewed by Saam Barati.
3728
3729         * JavaScriptCore.xcodeproj/project.pbxproj:
3730
3731 2018-06-04  Keith Miller  <keith_miller@apple.com>
3732
3733         Add test for CoW conversions in the DFG/FTL
3734         https://bugs.webkit.org/show_bug.cgi?id=186295
3735
3736         Reviewed by Saam Barati.
3737
3738         Add a function to $vm that returns a JSString containing the
3739         dataLog dump of the indexingMode of an Object.
3740
3741         * tools/JSDollarVM.cpp:
3742         (JSC::functionIndexingMode):
3743         (JSC::JSDollarVM::finishCreation):
3744
3745 2018-06-04  Saam Barati  <sbarati@apple.com>
3746
3747         Set the activeLength of all ScratchBuffers to zero when exiting the VM
3748         https://bugs.webkit.org/show_bug.cgi?id=186284
3749         <rdar://problem/40780738>
3750
3751         Reviewed by Keith Miller.
3752
3753         Simon recently found instances where we leak global objects from the
3754         ScratchBuffer. Yusuke found that we forgot to set the active length
3755         back to zero when doing catch OSR entry in the DFG/FTL. His solution
3756         to this was adding a node that cleared the active length. This is
3757         a good node to have, but it's not a complete solution: the DFG/FTL
3758         could OSR exit before that node executes, which would cause us to leak
3759         the data in it.
3760         
3761         This patch makes it so that we set each scratch buffer's active length
3762         to zero on VM exit. This helps prevent leaks for JS code that eventually
3763         exits the VM (which is essentially all code on the web and all API users).
3764
3765         * runtime/VM.cpp:
3766         (JSC::VM::clearScratchBuffers):
3767         * runtime/VM.h:
3768         * runtime/VMEntryScope.cpp:
3769         (JSC::VMEntryScope::~VMEntryScope):
3770
3771 2018-06-04  Keith Miller  <keith_miller@apple.com>
3772
3773         JSLock should clear last exception when releasing the lock
3774         https://bugs.webkit.org/show_bug.cgi?id=186277
3775
3776         Reviewed by Mark Lam.
3777
3778         If we don't clear the last exception we essentially leak the
3779         object and everything referenced by it until another exception is
3780         thrown.
3781
3782         * runtime/JSLock.cpp:
3783         (JSC::JSLock::willReleaseLock):
3784
3785 2018-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3786
3787         Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
3788         https://bugs.webkit.org/show_bug.cgi?id=180248
3789
3790         Reviewed by Sam Weinig.
3791
3792         As a final step, this patch removes ListableHandler from JSC.
3793         Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
3794
3795         * CMakeLists.txt:
3796         * JavaScriptCore.xcodeproj/project.pbxproj:
3797         * heap/Heap.h:
3798         * heap/ListableHandler.h: Removed.
3799
3800 2018-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3801
3802         LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
3803         https://bugs.webkit.org/show_bug.cgi?id=186223
3804
3805         Reviewed by Keith Miller.
3806
3807         After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
3808         It makes this buffer a conservative GC root, and allows it to hold GC objects unnecessarily long.
3809
3810         This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
3811         We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
3812         this ClearCatchLocals valid.
3813
3814         The existing tests for ExtractCatchLocal just pass.
3815
3816         * dfg/DFGAbstractHeap.h:
3817         * dfg/DFGAbstractInterpreterInlines.h:
3818         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3819         * dfg/DFGByteCodeParser.cpp:
3820         (JSC::DFG::ByteCodeParser::parseBlock):
3821         * dfg/DFGClobberize.h:
3822         (JSC::DFG::clobberize):
3823         * dfg/DFGDoesGC.cpp:
3824         (JSC::DFG::doesGC):
3825         * dfg/DFGFixupPhase.cpp:
3826         (JSC::DFG::FixupPhase::fixupNode):
3827         * dfg/DFGMayExit.cpp:
3828         * dfg/DFGNodeType.h:
3829         * dfg/DFGOSREntry.cpp:
3830         (JSC::DFG::prepareCatchOSREntry):
3831         * dfg/DFGPredictionPropagationPhase.cpp:
3832         * dfg/DFGSafeToExecute.h:
3833         (JSC::DFG::safeToExecute):
3834         * dfg/DFGSpeculativeJIT.cpp:
3835         (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
3836         * dfg/DFGSpeculativeJIT.h:
3837         * dfg/DFGSpeculativeJIT32_64.cpp:
3838         (JSC::DFG::SpeculativeJIT::compile):
3839         * dfg/DFGSpeculativeJIT64.cpp:
3840         (JSC::DFG::SpeculativeJIT::compile):
3841         * ftl/FTLCapabilities.cpp:
3842         (JSC::FTL::canCompile):
3843         * ftl/FTLLowerDFGToB3.cpp:
3844         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3845         (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
3846
3847 2018-06-02  Darin Adler  <darin@apple.com>
3848
3849         [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
3850         https://bugs.webkit.org/show_bug.cgi?id=186227
3851
3852         Reviewed by Dan Bernstein.
3853
3854         * API/JSContext.mm:
3855         (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
3856         * API/JSValue.mm:
3857         (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
3858         (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
3859         ARC-compatible, but more efficient.
3860         (valueToString): Use CFBridgingRelease instead of autorelease.
3861
3862 2018-06-02  Caio Lima  <ticaiolima@gmail.com>
3863
3864         [ESNext][BigInt] Implement support for addition operations
3865         https://bugs.webkit.org/show_bug.cgi?id=179002
3866
3867         Reviewed by Yusuke Suzuki.
3868
3869         This patch is implementing support for BigInt operands in the binary "+"
3870         and binary "-" operators. Right now, we have limited support in the DFG
3871         and FTL JIT layers, but we plan to fix this support in future
3872         patches.
3873
3874         * jit/JITOperations.cpp:
3875         * runtime/CommonSlowPaths.cpp:
3876         (JSC::SLOW_PATH_DECL):
3877         * runtime/JSBigInt.cpp:
3878         (JSC::JSBigInt::parseInt):
3879         (JSC::JSBigInt::stringToBigInt):
3880         (JSC::JSBigInt::toString):
3881         (JSC::JSBigInt::multiply):
3882         (JSC::JSBigInt::divide):
3883         (JSC::JSBigInt::remainder):
3884         (JSC::JSBigInt::add):
3885         (JSC::JSBigInt::sub):
3886         (JSC::JSBigInt::absoluteAdd):
3887         (JSC::JSBigInt::absoluteSub):
3888         (JSC::JSBigInt::toStringGeneric):
3889         (JSC::JSBigInt::allocateFor):
3890         (JSC::JSBigInt::toNumber const):
3891         (JSC::JSBigInt::getPrimitiveNumber const):
3892         * runtime/JSBigInt.h:
3893         * runtime/JSCJSValueInlines.h:
3894         * runtime/Operations.cpp:
3895         (JSC::jsAddSlowCase):
3896         * runtime/Operations.h:
3897         (JSC::jsSub):
3898
3899 2018-06-02  Commit Queue  <commit-queue@webkit.org>
3900
3901         Unreviewed, rolling out r232439.
3902         https://bugs.webkit.org/show_bug.cgi?id=186238
3903
3904         It breaks gtk-linux-32-release (Requested by caiolima on
3905         #webkit).
3906
3907         Reverted changeset:
3908
3909         "[ESNext][BigInt] Implement support for addition operations"
3910         https://bugs.webkit.org/show_bug.cgi?id=179002
3911         https://trac.webkit.org/changeset/232439
3912
3913 2018-06-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3914
3915         Baseline op_jtrue emits an insane amount of code
3916         https://bugs.webkit.org/show_bug.cgi?id=185708
3917
3918         Reviewed by Filip Pizlo.
3919
3920         op_jtrue / op_jfalse bloat into a massive amount of code. This patch attempts to reduce the size of this code by,
3921
3922         1. op_jtrue / op_jfalse immediately jumps if the condition is met. We add AssemblyHelpers::branchIf{Truthy,Falsey}