[JSC API] We should support the symbol type in our C/Obj-C API
Source/JavaScriptCore/ChangeLog (WebKit-https.git)

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Unreviewed build fix for Windows port.

        r234227 introduced a compilation error unresolved external symbol
        "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.

        Windows ports are compiling testapi.c as C++ by using the /TP switch.

        * API/tests/testapi.c:
        (main): Removed `::` prefix of ::SetErrorMode Windows API.
        (dllLauncherEntryPoint): Converted into C style.
        * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c

2018-07-25  Keith Miller  <keith_miller@apple.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Reviewed by Filip Pizlo.

        This patch makes the following API additions:
        1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
        2) Create a symbol on both APIs.
        3) Get/Set/Delete/Define property now take ids in the Obj-C API.
        4) Add Get/Set/Delete in the C API.

        We can do 3 because it is both binary and source compatible with
        the existing API. I added (4) because the current property access
        APIs only have the ability to get Strings. It was possible to
        merge symbols into JSStringRef but that felt confusing and exposes
        implementation details of our engine. The new functions match the
        same meaning that they have in JS, thus should be forward
        compatible with any future language extensions.

        Lastly, this patch adds the same availability preprocessing phase
        in WebCore to JavaScriptCore, which enables TBA features for
        testing on previous releases.

        * API/APICast.h:
        * API/JSBasePrivate.h:
        * API/JSContext.h:
        * API/JSContextPrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefInternal.h:
        * API/JSContextRefPrivate.h:
        * API/JSManagedValue.h:
        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyKey):
        (JSObjectGetPropertyKey):
        (JSObjectSetPropertyKey):
        (JSObjectDeletePropertyKey):
        * API/JSObjectRef.h:
        * API/JSRemoteInspector.h:
        * API/JSTypedArray.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue valueForProperty:valueForProperty:]):
        (-[JSValue setValue:forProperty:setValue:forProperty:]):
        (-[JSValue deleteProperty:deleteProperty:]):
        (-[JSValue hasProperty:hasProperty:]):
        (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
        (-[JSValue isSymbol]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue valueForProperty:]): Deleted.
        (-[JSValue setValue:forProperty:]): Deleted.
        (-[JSValue deleteProperty:]): Deleted.
        (-[JSValue hasProperty:]): Deleted.
        (-[JSValue defineProperty:descriptor:]): Deleted.
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsSymbol):
        (JSValueMakeSymbol):
        * API/JSValueRef.h:
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/CustomGlobalObjectClassTest.c:
        * API/tests/DateTests.mm:
        * API/tests/JSExportTests.mm:
        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/Node.c:
        * API/tests/NodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp: Added.
        (APIString::APIString):
        (APIString::~APIString):
        (APIString::operator JSStringRef):
        (APIContext::APIContext):
        (APIContext::~APIContext):
        (APIContext::operator JSGlobalContextRef):
        (APIVector::APIVector):
        (APIVector::~APIVector):
        (APIVector::append):
        (testCAPIViaCpp):
        (TestAPI::evaluateScript):
        (TestAPI::callFunction):
        (TestAPI::functionReturnsTrue):
        (TestAPI::check):
        (TestAPI::checkJSAndAPIMatch):
        (TestAPI::interestingObjects):
        (TestAPI::interestingKeys):
        (TestAPI::run):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * postprocess-headers.sh:
        * shell/CMakeLists.txt:
        * testmem/testmem.mm:

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Call Typed Array elements toLocaleString with locale and options
        https://bugs.webkit.org/show_bug.cgi?id=185796

        Reviewed by Keith Miller.

        Improve ECMA 402 compliance of typed array toLocaleString, passing along
        the locale and options to element toLocaleString calls.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Intl constructor lengths should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=187960

        Reviewed by Saam Barati.

        Removed DontDelete from Intl constructor lengths.
        Fixed DateTimeFormat formatToParts length.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>

        runJITThreadLimitTests is failing
        https://bugs.webkit.org/show_bug.cgi?id=187886
        <rdar://problem/42561966>

        Unreviewed build fix for MSVC.

        MSVC doesn't support the ternary operator without a second operand.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):

2018-07-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234183.
        https://bugs.webkit.org/show_bug.cgi?id=187983

        cause regression in Kraken gaussian blur and desaturate
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Record CoW status in ArrayProfile"
        https://bugs.webkit.org/show_bug.cgi?id=187949
        https://trac.webkit.org/changeset/234183

2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
        Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
        in this code typically record only non-CoW arrays since array profiles hold only one recently seen
        StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
        CoW arrays.

        In this patch, we record CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
        speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.

        This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.

                                      baseline                  patched

        stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
        stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.

        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfObservedIndexingModes):
        (JSC::ArrayProfile::observedIndexingModes const):
        Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation onto addresses.
        So we store the union of seen IndexingModes in an `unsigned` instead.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-07-24  Tim Horton  <timothy_horton@apple.com>

        Enable Web Content Filtering on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=187979
        <rdar://problem/42559346>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>

        Don't modify Options when setting JIT thread limits
        https://bugs.webkit.org/show_bug.cgi?id=187886

        Reviewed by Filip Pizlo.

        Previously, when setting the JIT thread limit prior to the worklist
        initialization, it'd be set via Options, which didn't work if Options
        hadn't been initialized yet. Change it to use a static variable in the
        Worklist instead.

        * API/JSVirtualMachine.mm:
        (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
        (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):
        (JSC::DFG::setNumberOfDFGCompilerThreads):
        (JSC::DFG::setNumberOfFTLCompilerThreads):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Refactoring: make DFG::Plan a class.
        https://bugs.webkit.org/show_bug.cgi?id=187968

        Reviewed by Saam Barati.

        This patch makes all the DFG::Plan fields private, and provides accessor methods
        for them.  This makes it easier to reason about how these fields are used and
        modified.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::watchCondition):
        (JSC::DFG::Graph::inferredTypeFor):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::registerAndWatchStructureTransition):
        (JSC::DFG::Graph::assertIsRegistered):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::compilation):
        (JSC::DFG::Graph::identifiers):
        (JSC::DFG::Graph::watchpoints):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::computeCompileTimes const):
        (JSC::DFG::Plan::reportCompileTimes const):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::isStillValid):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter const):
        (JSC::DFG::Plan::vm const):
        (JSC::DFG::Plan::codeBlock):
        (JSC::DFG::Plan::mode const):
        (JSC::DFG::Plan::osrEntryBytecodeIndex const):
        (JSC::DFG::Plan::mustHandleValues const):
        (JSC::DFG::Plan::threadData const):
        (JSC::DFG::Plan::compilation const):
        (JSC::DFG::Plan::finalizer const):
        (JSC::DFG::Plan::setFinalizer):
        (JSC::DFG::Plan::inlineCallFrames const):
        (JSC::DFG::Plan::watchpoints):
        (JSC::DFG::Plan::identifiers):
        (JSC::DFG::Plan::weakReferences):
        (JSC::DFG::Plan::transitions):
        (JSC::DFG::Plan::recordedStatuses):
        (JSC::DFG::Plan::willTryToTierUp const):
        (JSC::DFG::Plan::setWillTryToTierUp):
        (JSC::DFG::Plan::tierUpInLoopHierarchy):
        (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
        (JSC::DFG::Plan::stage const):
        (JSC::DFG::Plan::callback const):
        (JSC::DFG::Plan::setCallback):
        * dfg/DFGPlanInlines.h:
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):
        * dfg/DFGSafepoint.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM const):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
        * dfg/DFGWorklistInlines.h:
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2018-07-24  Saam Barati  <sbarati@apple.com>

        Make VM::canUseJIT an inlined function
        https://bugs.webkit.org/show_bug.cgi?id=187583

        Reviewed by Mark Lam.

        We know the answer to this query in initializeThreading after initializing
        the executable allocator. This patch makes it so that we just hold this value
        in a static variable and have an inlined function that just returns the value
        of that static variable.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::computeCanUseJIT):
        (JSC::VM::canUseJIT): Deleted.
        * runtime/VM.h:
        (JSC::VM::canUseJIT):

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Placate exception check verification after recent changes.
        https://bugs.webkit.org/show_bug.cgi?id=187961
        <rdar://problem/42545394>

        Reviewed by Saam Barati.

        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):

2018-07-23  Saam Barati  <sbarati@apple.com>

        need to didFoldClobberWorld when we constant fold GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=187917
        <rdar://problem/42505095>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Language tags are not canonicalized
        https://bugs.webkit.org/show_bug.cgi?id=185836

        Reviewed by Keith Miller.

        Canonicalize language tags, replacing deprecated tag parts with the
        preferred values. Remove broken support for algorithmic numbering systems,
        that can cause an error in icu, and are not supported in other engines.

        Generate the lookup functions from the language-subtag-registry.

        Also initialize the UNumberFormat in initializeNumberFormat so any
        failures are thrown immediately instead of failing to format later.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/generateIntlCanonicalizeLanguage.py: Added.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::formatToParts):
        (JSC::IntlNumberFormat::createNumberFormat): Deleted.
        * runtime/IntlNumberFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):
        (JSC::intlDefaultNumberOption):
        (JSC::preferredLanguage):
        (JSC::preferredRegion):
        (JSC::canonicalLangTag):
        (JSC::canonicalizeLanguageTag):
        (JSC::defaultLocale):
        (JSC::removeUnicodeLocaleExtension):
        (JSC::numberingSystemsForLocale):
        (JSC::grandfatheredLangTag): Deleted.
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        * runtime/JSGlobalObject.cpp:
        (JSC::addMissingScriptLocales):
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * ucd/language-subtag-registry.txt: Added.

2018-07-23  Mark Lam  <mark.lam@apple.com>

        Add some asserts to help diagnose a crash.
        https://bugs.webkit.org/show_bug.cgi?id=187915
        <rdar://problem/42508166>

        Reviewed by Michael Saboff.

        Add some asserts to verify that a CodeBlock alternative should always have a
        non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
        CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
        so that we'll retain the state of the variables that failed the assertion (again
        to help with diagnosis).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setAlternative):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):

2018-07-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix no-JIT build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/InByIdStatus.cpp:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
        https://bugs.webkit.org/show_bug.cgi?id=187891

        Reviewed by Saam Barati.

        When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
        two variants are mergeable but they have "Miss" status. We make merging fail if
        the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
        if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
        which patch has more chances to merge variants.

        This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
        is not related since it does not use this check in the Transition case.

        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::attemptToMerge):
        * bytecode/InByIdVariant.cpp:
        (JSC::InByIdVariant::attemptToMerge):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if the indexed value is non configurable and non writable
        https://bugs.webkit.org/show_bug.cgi?id=186462

        Reviewed by Saam Barati.

        Non-special DontDelete | ReadOnly properties mean that it won't be changed. If DFG AI can retrieve this
        property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
        Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.

        This patch attempts to fold such properties into constants in DFG AI. The challenge is that DFG AI runs
        concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
        and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
        attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
        changed and we can safely use it. We arrange our existing code to use this protocol.

        Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled in x86 architecture
        since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.

        This patch improves SixSpeed/template_string_tag.es6.

                                          baseline                  patched

        template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putIndexedDescriptor): Deleted.
        * runtime/JSObject.h:
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayValueMap::getConcurrently):
        (JSC::SparseArrayEntry::get const):
        (JSC::SparseArrayEntry::getConcurrently const):
        (JSC::SparseArrayEntry::put):
        (JSC::SparseArrayEntry::getNonSparseMode const):
        (JSC::SparseArrayValueMap::visitChildren):
        (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
        * runtime/SparseArrayValueMap.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
        (JSC::SparseArrayEntry::attributes const):
        (JSC::SparseArrayEntry::forceSet):
        (JSC::SparseArrayEntry::asValue):

633
634 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
635
636         We should support CreateThis in the FTL
637         https://bugs.webkit.org/show_bug.cgi?id=164904
638
639         Reviewed by Yusuke Suzuki.
640         
641         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
642         inference adventure.
643         
644         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
645         benchmark's extremely perverse way of winning at type inference:
646         
647         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
648           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
649           benchmark was falling back to other mechanisms...
650         
651         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
652           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
653           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
654           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
655           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
656           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
657           
658           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
659           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
660           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
661           helper because it had a CreateThis.
662         
663         - Compilations that inlined the construction helper would have gotten super lucky with
664           parse-time constant folding, so they knew what structure the input to the get_by_id would
665           have at parse time. This is only profitable if the get_by_id parsing computed a
666           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
667           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
668           cases, we would indeed get a finite number of cases. The parser would then prune those
669           cases to just one - based on its knowledge of the structure - and that would result in that
670           get_by_id being folded at parse time to a constant.
671         
672         - The subsequent op_call would inline based on parse-time knowledge of that constant.
673         
674         This patch comprehensively fixes these issues, as well as other issues that come up along the
675         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
676         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
677         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
678         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
679         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
680         attack raytrace's problem as a shortcoming of polyvariant profiling.
681         
682         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
683           subset of the inline stack that includes the IC we're profiling. For example, if we have
684           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
685           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
686           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
687           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
688           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
689           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
690           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
691           had inlined bar and then baz. It may not have done that, because those calls could have
692           required polyvariant profiling that was only available in the FTL.
693           
694         - A particularly interesting case is when some IC in foo-baseline is also available in
695           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
696           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
697           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
698           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
699           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
700           because it warns us of historical polymorphism. Historical polymorphism usually means
701           future polymorphism. IC status code already had some merging functionality, but I needed to
702           beef it up a lot to make this work right.
703         
704         - Inlining an inline cache now preserves as much information as profiling. One challenge of
705           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
706           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
707           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
708           say "I don't have such an IC". At this point the DFG compilation that included that IC that
709           gave us the information that we used to inline the IC is no longer alive. To keep us from
710           losing the information we learned about the IC, there is now a RecordedStatuses data
711           structure that preserves the statuses we use for inlining ICs. We also filter those
712           statuses according to things we learn from AI. This further reduces the risk of information
713           about an IC being forgotten.
714         
715         - Exit profiling now considers whether or not an exit happened from inline code. This
716           protects us in the case where the not-inlined version of an IC exited a lot because of
717           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
718           profiling data, we consider only inlined exits.
719         
720         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
721           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
722           surprising that we've had this bug.
723         
724         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
725         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
726         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
727         prototype access folding in the bytecode parser and constant folder. That would require some
728         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
729         have a test that captures raytrace's behavior in the case that the parser cannot fold the
730         get_by_id.
731         
732         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
733         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
734         compile time regression anytime we fill in FTL coverage.
735         
736         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
737         speeds up and that raytrace slows down, but these changes balance out and don't affect the
738         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
739         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
740         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
741         see a significant difference. In all three cases the difference is <0.5% with a high p value,
742         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
743         an insignificant infinitesimal slow-down.
744         
745         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
746         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
747         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
748
749         * CMakeLists.txt:
750         * JavaScriptCore.xcodeproj/project.pbxproj:
751         * Sources.txt:
752         * bytecode/ByValInfo.h:
753         * bytecode/BytecodeDumper.cpp:
754         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
755         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
756         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
757         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
758         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
759         (JSC::BytecodeDumper<Block>::printCallOp):
760         (JSC::BytecodeDumper<Block>::dumpBytecode):
761         (JSC::BytecodeDumper<Block>::dumpBlock):
762         * bytecode/BytecodeDumper.h:
763         * bytecode/CallLinkInfo.h:
764         * bytecode/CallLinkStatus.cpp:
765         (JSC::CallLinkStatus::computeFor):
766         (JSC::CallLinkStatus::computeExitSiteData):
767         (JSC::CallLinkStatus::computeFromCallLinkInfo):
768         (JSC::CallLinkStatus::accountForExits):
769         (JSC::CallLinkStatus::finalize):
770         (JSC::CallLinkStatus::filter):
771         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
772         * bytecode/CallLinkStatus.h:
773         (JSC::CallLinkStatus::operator bool const):
774         (JSC::CallLinkStatus::operator! const): Deleted.
775         * bytecode/CallVariant.cpp:
776         (JSC::CallVariant::finalize):
777         (JSC::CallVariant::filter):
778         * bytecode/CallVariant.h:
779         (JSC::CallVariant::operator bool const):
780         (JSC::CallVariant::operator! const): Deleted.
781         * bytecode/CodeBlock.cpp:
782         (JSC::CodeBlock::dumpBytecode):
783         (JSC::CodeBlock::propagateTransitions):
784         (JSC::CodeBlock::finalizeUnconditionally):
785         (JSC::CodeBlock::getICStatusMap):
786         (JSC::CodeBlock::resetJITData):
787         (JSC::CodeBlock::getStubInfoMap): Deleted.
788         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
789         (JSC::CodeBlock::getByValInfoMap): Deleted.
790         * bytecode/CodeBlock.h:
791         * bytecode/CodeOrigin.cpp:
792         (JSC::CodeOrigin::isApproximatelyEqualTo const):
793         (JSC::CodeOrigin::approximateHash const):
794         * bytecode/CodeOrigin.h:
795         (JSC::CodeOrigin::exitingInlineKind const):
796         * bytecode/DFGExitProfile.cpp:
797         (JSC::DFG::FrequentExitSite::dump const):
798         (JSC::DFG::ExitProfile::add):
799         * bytecode/DFGExitProfile.h:
800         (JSC::DFG::FrequentExitSite::FrequentExitSite):
801         (JSC::DFG::FrequentExitSite::operator== const):
802         (JSC::DFG::FrequentExitSite::subsumes const):
803         (JSC::DFG::FrequentExitSite::hash const):
804         (JSC::DFG::FrequentExitSite::inlineKind const):
805         (JSC::DFG::FrequentExitSite::withInlineKind const):
806         (JSC::DFG::QueryableExitProfile::hasExitSite const):
807         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
808         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
809         * bytecode/ExitFlag.cpp: Added.
810         (JSC::ExitFlag::dump const):
811         * bytecode/ExitFlag.h: Added.
812         (JSC::ExitFlag::ExitFlag):
813         (JSC::ExitFlag::operator| const):
814         (JSC::ExitFlag::operator|=):
815         (JSC::ExitFlag::operator& const):
816         (JSC::ExitFlag::operator&=):
817         (JSC::ExitFlag::operator bool const):
818         (JSC::ExitFlag::isSet const):
819         * bytecode/ExitingInlineKind.cpp: Added.
820         (WTF::printInternal):
821         * bytecode/ExitingInlineKind.h: Added.
822         * bytecode/GetByIdStatus.cpp:
823         (JSC::GetByIdStatus::computeFor):
824         (JSC::GetByIdStatus::computeForStubInfo):
825         (JSC::GetByIdStatus::slowVersion const):
826         (JSC::GetByIdStatus::markIfCheap):
827         (JSC::GetByIdStatus::finalize):
828         (JSC::GetByIdStatus::hasExitSite): Deleted.
829         * bytecode/GetByIdStatus.h:
830         * bytecode/GetByIdVariant.cpp:
831         (JSC::GetByIdVariant::markIfCheap):
832         (JSC::GetByIdVariant::finalize):
833         * bytecode/GetByIdVariant.h:
834         * bytecode/ICStatusMap.cpp: Added.
835         (JSC::ICStatusContext::get const):
836         (JSC::ICStatusContext::isInlined const):
837         (JSC::ICStatusContext::inlineKind const):
838         * bytecode/ICStatusMap.h: Added.
839         * bytecode/ICStatusUtils.cpp: Added.
840         (JSC::hasBadCacheExitSite):
841         * bytecode/ICStatusUtils.h:
842         * bytecode/InstanceOfStatus.cpp:
843         (JSC::InstanceOfStatus::computeFor):
844         * bytecode/InstanceOfStatus.h:
845         * bytecode/PolyProtoAccessChain.h:
846         * bytecode/PutByIdStatus.cpp:
847         (JSC::PutByIdStatus::hasExitSite):
848         (JSC::PutByIdStatus::computeFor):
849         (JSC::PutByIdStatus::slowVersion const):
850         (JSC::PutByIdStatus::markIfCheap):
851         (JSC::PutByIdStatus::finalize):
852         (JSC::PutByIdStatus::filter):
853         * bytecode/PutByIdStatus.h:
854         * bytecode/PutByIdVariant.cpp:
855         (JSC::PutByIdVariant::markIfCheap):
856         (JSC::PutByIdVariant::finalize):
857         * bytecode/PutByIdVariant.h:
858         (JSC::PutByIdVariant::structureSet const):
859         * bytecode/RecordedStatuses.cpp: Added.
860         (JSC::RecordedStatuses::operator=):
861         (JSC::RecordedStatuses::RecordedStatuses):
862         (JSC::RecordedStatuses::addCallLinkStatus):
863         (JSC::RecordedStatuses::addGetByIdStatus):
864         (JSC::RecordedStatuses::addPutByIdStatus):
865         (JSC::RecordedStatuses::markIfCheap):
866         (JSC::RecordedStatuses::finalizeWithoutDeleting):
867         (JSC::RecordedStatuses::finalize):
868         (JSC::RecordedStatuses::shrinkToFit):
869         * bytecode/RecordedStatuses.h: Added.
870         (JSC::RecordedStatuses::RecordedStatuses):
871         (JSC::RecordedStatuses::forEachVector):
872         * bytecode/StructureSet.cpp:
873         (JSC::StructureSet::markIfCheap const):
874         (JSC::StructureSet::isStillAlive const):
875         * bytecode/StructureSet.h:
876         * bytecode/TerminatedCodeOrigin.h: Added.
877         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
878         (JSC::TerminatedCodeOriginHashTranslator::hash):
879         (JSC::TerminatedCodeOriginHashTranslator::equal):
880         * bytecode/Watchpoint.cpp:
881         (WTF::printInternal):
882         * bytecode/Watchpoint.h:
883         * dfg/DFGAbstractInterpreter.h:
884         * dfg/DFGAbstractInterpreterInlines.h:
885         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
886         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
887         * dfg/DFGByteCodeParser.cpp:
888         (JSC::DFG::ByteCodeParser::handleCall):
889         (JSC::DFG::ByteCodeParser::handleVarargsCall):
890         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
891         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
892         (JSC::DFG::ByteCodeParser::handleGetById):
893         (JSC::DFG::ByteCodeParser::handlePutById):
894         (JSC::DFG::ByteCodeParser::parseBlock):
895         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
896         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
897         (JSC::DFG::ByteCodeParser::parse):
898         * dfg/DFGClobberize.h:
899         (JSC::DFG::clobberize):
900         * dfg/DFGClobbersExitState.cpp:
901         (JSC::DFG::clobbersExitState):
902         * dfg/DFGCommonData.h:
903         * dfg/DFGConstantFoldingPhase.cpp:
904         (JSC::DFG::ConstantFoldingPhase::foldConstants):
905         * dfg/DFGDesiredWatchpoints.h:
906         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
907         * dfg/DFGDoesGC.cpp:
908         (JSC::DFG::doesGC):
909         * dfg/DFGFixupPhase.cpp:
910         (JSC::DFG::FixupPhase::fixupNode):
911         * dfg/DFGGraph.cpp:
912         (JSC::DFG::Graph::dump):
913         * dfg/DFGMayExit.cpp:
914         * dfg/DFGNode.h:
915         (JSC::DFG::Node::hasCallLinkStatus):
916         (JSC::DFG::Node::callLinkStatus):
917         (JSC::DFG::Node::hasGetByIdStatus):
918         (JSC::DFG::Node::getByIdStatus):
919         (JSC::DFG::Node::hasPutByIdStatus):
920         (JSC::DFG::Node::putByIdStatus):
921         * dfg/DFGNodeType.h:
922         * dfg/DFGOSRExitBase.cpp:
923         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
924         * dfg/DFGObjectAllocationSinkingPhase.cpp:
925         * dfg/DFGPlan.cpp:
926         (JSC::DFG::Plan::reallyAdd):
927         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
928         (JSC::DFG::Plan::finalizeInGC):
929         * dfg/DFGPlan.h:
930         * dfg/DFGPredictionPropagationPhase.cpp:
931         * dfg/DFGSafeToExecute.h:
932         (JSC::DFG::safeToExecute):
933         * dfg/DFGSpeculativeJIT32_64.cpp:
934         (JSC::DFG::SpeculativeJIT::compile):
935         * dfg/DFGSpeculativeJIT64.cpp:
936         (JSC::DFG::SpeculativeJIT::compile):
937         * dfg/DFGStrengthReductionPhase.cpp:
938         (JSC::DFG::StrengthReductionPhase::handleNode):
939         * dfg/DFGWorklist.cpp:
940         (JSC::DFG::Worklist::removeDeadPlans):
941         * ftl/FTLAbstractHeapRepository.h:
942         * ftl/FTLCapabilities.cpp:
943         (JSC::FTL::canCompile):
944         * ftl/FTLLowerDFGToB3.cpp:
945         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
946         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
947         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
948         * jit/PolymorphicCallStubRoutine.cpp:
949         (JSC::PolymorphicCallStubRoutine::hasEdges const):
950         (JSC::PolymorphicCallStubRoutine::edges const):
951         * jit/PolymorphicCallStubRoutine.h:
952         * profiler/ProfilerBytecodeSequence.cpp:
953         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
954         * runtime/FunctionRareData.cpp:
955         (JSC::FunctionRareData::initializeObjectAllocationProfile):
956         * runtime/Options.h:
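
The polyvariant IC status lookup described in the entry above, as an added example that is not part of this ChangeLog or of JSC's code: CodeBlock, ICStatus and computeStatus here are hypothetical simplifications of the real JSC types, and the 4/13 structure counts are constructed from the numbers the entry quotes.

```cpp
// Added example (not JSC code): toy model of the polyvariant IC status lookup.
// Types and names are hypothetical simplifications; structure ids and the
// 4 / 13 case counts are constructed sample data from the entry's numbers.
#include <cstddef>
#include <map>
#include <set>
#include <string>
#include <vector>

// The polymorphic list limit quoted in the entry (limit = 8).
constexpr std::size_t kPolymorphicLimit = 8;

// What profiling knows about one get_by_id: the structures it has seen, and
// whether there are too many of them for the DFG to specialise on.
struct ICStatus {
    std::set<int> structures;      // structure ids (constructed sample values)
    bool takesSlowPath = false;
    std::size_t numCases() const { return structures.size(); }
};

enum class JITType { Baseline, DFG, FTL };

// One compiled code block of a function. An optimising code block records the
// statuses of the ICs it inlined, keyed by the inline stack rooted at it, e.g.
// "foo->bar->baz"; a baseline code block only knows its own function, "baz".
struct CodeBlock {
    std::string function;
    JITType jitType;
    std::map<std::string, ICStatus> icStatuses;
};

// Join stack[from..] as "a->b->c".
static std::string inlineStackKey(const std::vector<std::string>& stack, std::size_t from) {
    std::string key;
    for (std::size_t i = from; i < stack.size(); ++i) {
        if (i > from) key += "->";
        key += stack[i];
    }
    return key;
}

// Merge profiling from another code block: historical polymorphism usually
// means future polymorphism, so the union of everything seen is kept.
static void merge(ICStatus& into, const ICStatus& other) {
    into.structures.insert(other.structures.begin(), other.structures.end());
    into.takesSlowPath = into.takesSlowPath || other.takesSlowPath
        || into.numCases() > kPolymorphicLimit;
}

// Polyvariant lookup: for inline stack foo->bar->baz, consult every code block
// of foo (looking up "foo->bar->baz"), of bar ("bar->baz") and of baz ("baz"),
// so a DFG GetById can no longer hide cases from the profiling of that IC.
ICStatus computeStatus(const std::vector<std::string>& inlineStack,
                       const std::vector<CodeBlock>& allBlocks) {
    ICStatus result;
    for (std::size_t i = 0; i < inlineStack.size(); ++i) {
        const std::string key = inlineStackKey(inlineStack, i);
        for (const CodeBlock& block : allBlocks) {
            if (block.function != inlineStack[i]) continue;
            auto it = block.icStatuses.find(key);
            if (it != block.icStatuses.end()) merge(result, it->second);
        }
    }
    return result;
}

// The pre-patch behaviour the entry blames: only the baseline IC of the
// innermost function is consulted, so cases seen only by DFG code stay hidden.
ICStatus computeStatusBaselineOnly(const std::vector<std::string>& inlineStack,
                                   const std::vector<CodeBlock>& allBlocks) {
    ICStatus result;
    const std::string& leaf = inlineStack.back();
    for (const CodeBlock& block : allBlocks) {
        if (block.function != leaf || block.jitType != JITType::Baseline) continue;
        auto it = block.icStatuses.find(leaf);
        if (it != block.icStatuses.end()) merge(result, it->second);
    }
    return result;
}

// Constructed raytrace-like history: the construction helper's baseline IC saw
// 4 structures before the helper was DFG-compiled; the DFG GetById then saw 13.
std::vector<CodeBlock> buildRaytraceLikeBlocks() {
    ICStatus baselineSeen, dfgSeen;
    for (int id = 1; id <= 4; ++id) baselineSeen.structures.insert(id);
    for (int id = 1; id <= 13; ++id) dfgSeen.structures.insert(id);
    return {
        { "helper", JITType::Baseline, { { "helper", baselineSeen } } },
        { "helper", JITType::DFG,      { { "helper", dfgSeen } } },
    };
}

// An FTL compile of the constructor that inlines the helper (inline stack
// constructor->helper), under each lookup strategy.
ICStatus raytraceStatusOld() {
    return computeStatusBaselineOnly({ "constructor", "helper" }, buildRaytraceLikeBlocks());
}
ICStatus raytraceStatusNew() {
    return computeStatus({ "constructor", "helper" }, buildRaytraceLikeBlocks());
}
```

With the old lookup the parser sees a finite 4-case status and would fold the get_by_id; the polyvariant lookup sees all 13 cases, exceeds the limit and reports a slow-path status instead.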
957
958 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
959
960         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
961         https://bugs.webkit.org/show_bug.cgi?id=187472
962
963         Reviewed by Mark Lam.
964
965         std::function allocates memory from standard malloc instead of bmalloc. Instead of
966         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
967
968         This patch attempts to replace std::function with the above WTF function types.
969         If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
970         is really efficient. Otherwise, we should use WTF::Function.
971         For recurring use cases, we can use RecursableLambda.
972
973         * assembler/MacroAssembler.cpp:
974         (JSC::stdFunctionCallback):
975         (JSC::MacroAssembler::probe):
976         * assembler/MacroAssembler.h:
977         * b3/air/AirDisassembler.cpp:
978         (JSC::B3::Air::Disassembler::dump):
979         * b3/air/AirDisassembler.h:
980         * bytecompiler/BytecodeGenerator.cpp:
981         (JSC::BytecodeGenerator::BytecodeGenerator):
982         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
983         (JSC::BytecodeGenerator::emitEnumeration):
984         * bytecompiler/BytecodeGenerator.h:
985         * bytecompiler/NodesCodegen.cpp:
986         (JSC::ArrayNode::emitBytecode):
987         (JSC::ApplyFunctionCallDotNode::emitBytecode):
988         (JSC::ForOfNode::emitBytecode):
989         * dfg/DFGSpeculativeJIT.cpp:
990         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
991         (JSC::DFG::SpeculativeJIT::compileMathIC):
992         * dfg/DFGSpeculativeJIT.h:
993         * dfg/DFGSpeculativeJIT64.cpp:
994         (JSC::DFG::SpeculativeJIT::compile):
995         * dfg/DFGValidate.cpp:
996         * ftl/FTLCompile.cpp:
997         (JSC::FTL::compile):
998         * heap/HeapSnapshotBuilder.cpp:
999         (JSC::HeapSnapshotBuilder::json):
1000         * heap/HeapSnapshotBuilder.h:
1001         * interpreter/StackVisitor.cpp:
1002         (JSC::StackVisitor::Frame::dump const):
1003         * interpreter/StackVisitor.h:
1004         * runtime/PromiseDeferredTimer.h:
1005         * runtime/VM.cpp:
1006         (JSC::VM::whenIdle):
1007         (JSC::enableProfilerWithRespectToCount):
1008         (JSC::disableProfilerWithRespectToCount):
1009         * runtime/VM.h:
1010         * runtime/VMEntryScope.cpp:
1011         (JSC::VMEntryScope::addDidPopListener):
1012         * runtime/VMEntryScope.h:
1013         * tools/HeapVerifier.cpp:
1014         (JSC::HeapVerifier::verifyCellList):
1015         (JSC::HeapVerifier::validateCell):
1016         (JSC::HeapVerifier::validateJSCell):
1017         * tools/HeapVerifier.h:
1018
1019 2018-07-20  Michael Saboff  <msaboff@apple.com>
1020
1021         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
1022         https://bugs.webkit.org/show_bug.cgi?id=187827
1023         rdar://problem/42146858
1024
1025         Reviewed by Saam Barati.
1026
1027         When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
1028         that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
1029         We can't end up with other shapes (Int32, Double, etc.) because GenericArguments sets
1030         InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
1031         putByIndex() path that doesn't change the shape.
1032
1033         * dfg/DFGArrayMode.h:
1034         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1035
1036 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1037
1038         [DFG] Fold GetByVal if Array is CoW
1039         https://bugs.webkit.org/show_bug.cgi?id=186459
1040
1041         Reviewed by Saam Barati.
1042
1043         CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
1044         fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
1045         is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
1046
1047         This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
1048         to these constant arrays can be folded into an actual constant by this patch.
1049
1050                                            baseline                  patched
1051
1052         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
1053         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
1054
1055         * dfg/DFGAbstractInterpreterInlines.h:
1056         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1057
1058 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1059
1060         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
1061         https://bugs.webkit.org/show_bug.cgi?id=186602
1062
1063         Reviewed by Saam Barati.
1064
1065         JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
1066         change the part of the butterfly, length etc. We prove that our procedure is safe, and
1067         drop the cellLock() here.
1068
1069         * runtime/JSObject.cpp:
1070         (JSC::JSObject::convertContiguousToArrayStorage):
1071
1072 2018-07-20  Saam Barati  <sbarati@apple.com>
1073
1074         CompareEq should be using KnownOtherUse instead of OtherUse
1075         https://bugs.webkit.org/show_bug.cgi?id=186814
1076         <rdar://problem/39720030>
1077
1078         Reviewed by Filip Pizlo.
1079
1080         CompareEq in fixup phase was doing this:
1081         insertCheck(child, OtherUse)
1082         setUseKind(child, OtherUse)
1083         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
1084         lead to edge verification crashing because a phase may optimize the check out
1085         by removing the node. However, AI may not be privy to that optimization, and
1086         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
1087         backend to actually emit a check here, but it does not.
1088         
1089         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
1090         KnownOtherUse and changes the above pattern to be:
1091         insertCheck(child, OtherUse)
1092         setUseKind(child, KnownOtherUse)
1093
1094         * dfg/DFGFixupPhase.cpp:
1095         (JSC::DFG::FixupPhase::fixupNode):
1096         * dfg/DFGSafeToExecute.h:
1097         (JSC::DFG::SafeToExecuteEdge::operator()):
1098         * dfg/DFGSpeculativeJIT.cpp:
1099         (JSC::DFG::SpeculativeJIT::speculate):
1100         * dfg/DFGUseKind.cpp:
1101         (WTF::printInternal):
1102         * dfg/DFGUseKind.h:
1103         (JSC::DFG::typeFilterFor):
1104         (JSC::DFG::shouldNotHaveTypeCheck):
1105         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1106         * dfg/DFGWatchpointCollectionPhase.cpp:
1107         (JSC::DFG::WatchpointCollectionPhase::handle):
1108         * ftl/FTLCapabilities.cpp:
1109         (JSC::FTL::canCompile):
1110         * ftl/FTLLowerDFGToB3.cpp:
1111         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1112         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1113
1114 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1115
1116         [JSC] A bit performance improvement for Object.assign by cleaning up code
1117         https://bugs.webkit.org/show_bug.cgi?id=187852
1118
1119         Reviewed by Saam Barati.
1120
1121         We clean up Object.assign code a bit.
1122
1123         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
1124         2. canDoFastPath is not necessary. Restructuring the code to clean up things.
1125
1126         It improves the performance a bit.
1127
1128                                     baseline                  patched
1129
1130         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
1131
1132         * runtime/ObjectConstructor.cpp:
1133         (JSC::objectConstructorAssign):
1134
1135 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1136
1137         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
1138         https://bugs.webkit.org/show_bug.cgi?id=187798
1139
1140         Reviewed by Michael Catanzaro.
1141
1142         Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
1143         jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
1144         functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
1145         patch adds JSAPIWrapperGlobalObject for that.
1146
1147         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
1148         (jsAPIWrapperGlobalObjectHandleOwner):
1149         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
1150         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
1151         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
1152         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
1153         (JSC::JSAPIWrapperGlobalObject::finishCreation):
1154         (JSC::JSAPIWrapperGlobalObject::visitChildren):
1155         * API/glib/JSAPIWrapperGlobalObject.h: Added.
1156         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
1157         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
1158         * API/glib/JSCClass.cpp:
1159         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
1160         (wrappedObjectClass): Return the class of a wrapped object.
1161         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
1162         scope extension global object is used instead.
1163         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
1164         (setProperty): Ditto.
1165         (hasProperty): Ditto.
1166         (deleteProperty): Ditto.
1167         (getPropertyNames): Ditto.
1168         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
1169         * API/glib/JSCClassPrivate.h:
1170         * API/glib/JSCContext.cpp:
1171         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
1172         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
1173         * API/glib/JSCContext.h:
1174         * API/glib/JSCContextPrivate.h:
1175         * API/glib/JSCWrapperMap.cpp:
1176         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
1177         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
1178         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
1179         * API/glib/JSCWrapperMap.h:
1180         * GLib.cmake:
1181
1182 2018-07-19  Saam Barati  <sbarati@apple.com>
1183
1184         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
1185         https://bugs.webkit.org/show_bug.cgi?id=187836
1186         <rdar://problem/42409527>
1187
1188         Reviewed by Mark Lam.
1189
1190         We have crash reports that we're crashing on source->getDirect in Object.assign's
1191         fast path. Mark investigated this and determined we end up with a nullptr for
1192         butterfly. This is curious, because source's Structure indicated that it has
1193         out of line properties. My leading hypothesis for this at the moment is a bit
1194         handwavy, but it's essentially:
1195         - We end up firing a watchpoint when assigning to the target (this can happen
1196         if a watchpoint was set up for storing to that particular field)
1197         - When we fire that watchpoint, we end up doing some kind of work on the source,
1198         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
1199         mutating source.
1200         
1201         I'm not super convinced this is what we're running into, but just by reading
1202         the code, I think it needs to be something similar to this. Seeing if this change
1203         fixes the crasher will give us good data to determine if something like this is
1204         happening or if the bug is something else entirely.
1205
1206         * runtime/ObjectConstructor.cpp:
1207         (JSC::objectConstructorAssign):
1208
1209 2018-07-19  Commit Queue  <commit-queue@webkit.org>
1210
1211         Unreviewed, rolling out r233998.
1212         https://bugs.webkit.org/show_bug.cgi?id=187815
1213
1214         Not needed. (Requested by mlam|a on #webkit).
1215
1216         Reverted changeset:
1217
1218         "Temporarily mitigate a bug where a source provider is null
1219         when it shouldn't be."
1220         https://bugs.webkit.org/show_bug.cgi?id=187812
1221         https://trac.webkit.org/changeset/233998
1222
1223 2018-07-19  Mark Lam  <mark.lam@apple.com>
1224
1225         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
1226         https://bugs.webkit.org/show_bug.cgi?id=187812
1227         <rdar://problem/41192691>
1228
1229         Reviewed by Michael Saboff.
1230
1231         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
1232
1233         * runtime/Error.cpp:
1234         (JSC::addErrorInfo):
1235
1236 2018-07-19  Keith Rollin  <krollin@apple.com>
1237
1238         Adjust WEBCORE_EXPORT annotations for LTO
1239         https://bugs.webkit.org/show_bug.cgi?id=187781
1240         <rdar://problem/42351124>
1241
1242         Reviewed by Alex Christensen.
1243
1244         Continuation of Bug 186944. This bug addresses issues not caught
1245         during the first pass of adjustments. The initial work focussed on
1246         macOS; this one addresses issues found when building for iOS. From
1247         186944:
1248
1249         Adjust a number of places that result in WebKit's
1250         'check-for-weak-vtables-and-externals' script reporting weak external
1251         symbols:
1252
1253             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
1254             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
1255             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
1256             ...
1257
1258         These cases are caused by inline methods being marked with WTF_EXPORT
1259         (or related macro) or with an inline function being in a class marked
1260         as such, and when enabling LTO builds.
1261
1262         For the most part, address these by removing the WEBCORE_EXPORT
1263         annotation from inline methods. In some cases, move the implementation
1264         out-of-line because it's the class that has the WEBCORE_EXPORT on it
1265         and removing the annotation from the class would be too disruptive.
1266         Finally, in other cases, move the implementation out-of-line because
1267         check-for-weak-vtables-and-externals still complains when keeping the
1268         implementation inline and removing the annotation; this seems to
1269         typically (but not always) happen with destructors.
1270
1271         * inspector/remote/RemoteAutomationTarget.cpp:
1272         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
1273         * inspector/remote/RemoteAutomationTarget.h:
1274         * inspector/remote/RemoteInspector.cpp:
1275         (Inspector::RemoteInspector::Client::~Client):
1276         * inspector/remote/RemoteInspector.h:
1277
1278 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1279
1280         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
1281         https://bugs.webkit.org/show_bug.cgi?id=187807
1282
1283         Properly put EXCEPTION_ASSERT to tell our exception checker mechanism
1284         that we know about that exception occurrence and handle it well.
1285
1286         * runtime/JSONObject.cpp:
1287         (JSC::Stringifier::Holder::appendNextProperty):
1288
1289 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1290
1291         [JSC] Reduce size of AST nodes
1292         https://bugs.webkit.org/show_bug.cgi?id=187689
1293
1294         Reviewed by Mark Lam.
1295
1296         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
1297         of ParserArena at peak state.
1298
1299         1. Annotate AST nodes with `final` to make them solid. This allows the compiler to
1300         devirtualize calls to functions which are implemented in a final class.
1301
1302         2. Use default member initializers more.
1303
1304         3. And use `nullptr` instead of `0`.
1305
1306         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
1307         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
1308         to 40. This decreases the sizes of all the derived Statement nodes.
1309
1310         * parser/NodeConstructors.h:
1311         (JSC::Node::Node):
1312         (JSC::StatementNode::StatementNode):
1313         (JSC::ElementNode::ElementNode):
1314         (JSC::ArrayNode::ArrayNode):
1315         (JSC::PropertyListNode::PropertyListNode):
1316         (JSC::ObjectLiteralNode::ObjectLiteralNode):
1317         (JSC::ArgumentListNode::ArgumentListNode):
1318         (JSC::ArgumentsNode::ArgumentsNode):
1319         (JSC::NewExprNode::NewExprNode):
1320         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1321         (JSC::BinaryOpNode::BinaryOpNode):
1322         (JSC::LogicalOpNode::LogicalOpNode):
1323         (JSC::CommaNode::CommaNode):
1324         (JSC::SourceElements::SourceElements):
1325         (JSC::ClauseListNode::ClauseListNode):
1326         * parser/Nodes.cpp:
1327         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1328         (JSC::FunctionMetadataNode::operator== const):
1329         (JSC::FunctionMetadataNode::dump const):
1330         * parser/Nodes.h:
1331         (JSC::BooleanNode::value): Deleted.
1332         (JSC::StringNode::value): Deleted.
1333         (JSC::TemplateExpressionListNode::value): Deleted.
1334         (JSC::TemplateExpressionListNode::next): Deleted.
1335         (JSC::TemplateStringNode::cooked): Deleted.
1336         (JSC::TemplateStringNode::raw): Deleted.
1337         (JSC::TemplateStringListNode::value): Deleted.
1338         (JSC::TemplateStringListNode::next): Deleted.
1339         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
1340         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
1341         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
1342         (JSC::ResolveNode::identifier const): Deleted.
1343         (JSC::ElementNode::elision const): Deleted.
1344         (JSC::ElementNode::value): Deleted.
1345         (JSC::ElementNode::next): Deleted.
1346         (JSC::ArrayNode::elements const): Deleted.
1347         (JSC::PropertyNode::expressionName const): Deleted.
1348         (JSC::PropertyNode::name const): Deleted.
1349         (JSC::PropertyNode::type const): Deleted.
1350         (JSC::PropertyNode::needsSuperBinding const): Deleted.
1351         (JSC::PropertyNode::isClassProperty const): Deleted.
1352         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
1353         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
1354         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
1355         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
1356         (JSC::PropertyNode::putType const): Deleted.
1357         (JSC::BracketAccessorNode::base const): Deleted.
1358         (JSC::BracketAccessorNode::subscript const): Deleted.
1359         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
1360         (JSC::DotAccessorNode::base const): Deleted.
1361         (JSC::DotAccessorNode::identifier const): Deleted.
1362         (JSC::SpreadExpressionNode::expression const): Deleted.
1363         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
1364         (JSC::BytecodeIntrinsicNode::type const): Deleted.
1365         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
1366         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
1367         (JSC::TypeOfResolveNode::identifier const): Deleted.
1368         (JSC::BitwiseNotNode::expr): Deleted.
1369         (JSC::BitwiseNotNode::expr const): Deleted.
1370         (JSC::AssignResolveNode::identifier const): Deleted.
1371         (JSC::ExprStatementNode::expr const): Deleted.
1372         (JSC::ForOfNode::isForAwait const): Deleted.
1373         (JSC::ReturnNode::value): Deleted.
1374         (JSC::ProgramNode::startColumn const): Deleted.
1375         (JSC::ProgramNode::endColumn const): Deleted.
1376         (JSC::EvalNode::startColumn const): Deleted.
1377         (JSC::EvalNode::endColumn const): Deleted.
1378         (JSC::ModuleProgramNode::startColumn const): Deleted.
1379         (JSC::ModuleProgramNode::endColumn const): Deleted.
1380         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
1381         (JSC::ModuleNameNode::moduleName): Deleted.
1382         (JSC::ImportSpecifierNode::importedName): Deleted.
1383         (JSC::ImportSpecifierNode::localName): Deleted.
1384         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
1385         (JSC::ImportSpecifierListNode::append): Deleted.
1386         (JSC::ImportDeclarationNode::specifierList const): Deleted.
1387         (JSC::ImportDeclarationNode::moduleName const): Deleted.
1388         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
1389         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
1390         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
1391         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
1392         (JSC::ExportSpecifierNode::exportedName): Deleted.
1393         (JSC::ExportSpecifierNode::localName): Deleted.
1394         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
1395         (JSC::ExportSpecifierListNode::append): Deleted.
1396         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
1397         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
1398         (JSC::ArrayPatternNode::appendIndex): Deleted.
1399         (JSC::ObjectPatternNode::appendEntry): Deleted.
1400         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
1401         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
1402         (JSC::DestructuringAssignmentNode::bindings): Deleted.
1403         (JSC::FunctionParameters::size const): Deleted.
1404         (JSC::FunctionParameters::append): Deleted.
1405         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
1406         (JSC::FuncDeclNode::metadata): Deleted.
1407         (JSC::CaseClauseNode::expr const): Deleted.
1408         (JSC::CaseClauseNode::setStartOffset): Deleted.
1409         (JSC::ClauseListNode::getClause const): Deleted.
1410         (JSC::ClauseListNode::getNext const): Deleted.
1411         * runtime/ExceptionHelpers.cpp:
1412         * runtime/JSObject.cpp:
1413
1414 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1415
1416         JSON.stringify should emit non own properties if second array argument includes
1417         https://bugs.webkit.org/show_bug.cgi?id=187724
1418
1419         Reviewed by Mark Lam.
1420
1421         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
1422         instead of [[GetOwnProperty]]. It means that we would look up properties defined
1423         in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
1424         by using EnumerableOwnPropertyNames typically, we can pass a replacer array including
1425         property names which do not reside in the own properties. Or we can modify the
1426         own properties by deleting properties while JSON.stringify is calling a getter. So,
1427         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
1428
1429         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
1430         The performance of Kraken/json-stringify-tinderbox is neutral.
1431
1432         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
1433
1434         * runtime/JSONObject.cpp:
1435         (JSC::Stringifier::toJSON):
1436         (JSC::Stringifier::toJSONImpl):
1437         (JSC::Stringifier::appendStringifiedValue):
1438         (JSC::Stringifier::Holder::Holder):
1439         (JSC::Stringifier::Holder::appendNextProperty):
1440
1441 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1442
1443         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
1444         https://bugs.webkit.org/show_bug.cgi?id=187755
1445
1446         Reviewed by Mark Lam.
1447
1448         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
1449         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
1450         makes one test262 test fail.
1451
1452         This patch changes the code to use `isArray()`. And we reorder the evaluations of the replacer check and the ident space check
1453         to align these checks to the spec's order.
1454
1455         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
1456
1457         * runtime/JSONObject.cpp:
1458         (JSC::Stringifier::Stringifier):
1459
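As an added example that is not part of this ChangeLog, the following JavaScript exercises the spec behaviours the two JSON.stringify entries above describe: the [[Get]] lookup that reaches the prototype chain, a getter mutating the holder while serialization is running, and a Proxy-wrapped replacer array that IsArray accepts. The objects and replacers are constructed here; the expected strings are what the referenced spec sections require.

```javascript
// Added example, not part of the WebKit ChangeLog: the JSON.stringify
// behaviours described in the two entries above, as SerializeJSONProperty
// ([[Get]] per key) and the IsArray check on the replacer require.

// 1) SerializeJSONProperty fetches each key with [[Get]], so a replacer array
//    may name a property that lives on the prototype, not on the object itself.
function stringifyInheritedViaReplacer() {
  const proto = { inherited: "from-proto" };
  const obj = Object.create(proto);
  obj.own = 1;
  // "inherited" is not an own property, but the replacer array asks for it and
  // [[Get]] walks the prototype chain to find it.
  return JSON.stringify(obj, ["own", "inherited"]);
}

// 2) The key list is computed up front, but each value is read lazily with
//    [[Get]]. A getter that deletes a sibling property during serialization
//    makes that sibling read back as undefined, and undefined values are
//    omitted from the output.
function stringifyWithDeletingGetter() {
  const obj = {
    get first() {
      delete this.second; // mutate the holder while stringify is running
      return "first";
    },
    second: "second",
  };
  return JSON.stringify(obj);
}

// 3) The replacer-is-array check uses IsArray, which sees through a Proxy
//    whose target is an array; a concrete-array-class check would not.
function stringifyWithProxyReplacer() {
  const replacer = new Proxy(["own"], {});
  return JSON.stringify({ own: 1, hidden: 2 }, replacer);
}

// 4) For contrast: a plain object that is neither callable nor an array is
//    ignored as a replacer, so both properties survive.
function stringifyWithObjectReplacer() {
  return JSON.stringify({ own: 1, hidden: 2 }, { own: true });
}
```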
1460 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1461
1462         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
1463         https://bugs.webkit.org/show_bug.cgi?id=187752
1464
1465         Reviewed by Mark Lam.
1466
1467         JSON.stringify has an implicit root wrapper object since we would like to call replacer
1468         with a wrapper object and a property name. While we always create this wrapper object,
1469         it is unnecessary if the given replacer is not callable.
1470
1471         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
1472         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
1473
1474                                            baseline                  patched
1475
1476         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
1477
1478         * runtime/JSONObject.cpp:
1479         (JSC::Stringifier::isCallableReplacer const):
1480         (JSC::Stringifier::Stringifier):
1481         (JSC::Stringifier::stringify):
1482         (JSC::Stringifier::appendStringifiedValue):
1483
1484 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1485
1486         [GLIB] Add jsc_context_check_syntax() to GLib API
1487         https://bugs.webkit.org/show_bug.cgi?id=187694
1488
1489         Reviewed by Yusuke Suzuki.
1490
1491         A new function to be able to check for syntax errors without actually evaluating the code.
1492
1493         * API/glib/JSCContext.cpp:
1494         (jsc_context_check_syntax):
1495         * API/glib/JSCContext.h:
1496         * API/glib/docs/jsc-glib-4.0-sections.txt:
1497
1498 2018-07-17  Keith Miller  <keith_miller@apple.com>
1499
1500         Revert r233630 since it broke internal wasm benchmarks
1501         https://bugs.webkit.org/show_bug.cgi?id=187746
1502
1503         Unreviewed revert.
1504
1505         This patch seems to have broken internal Wasm benchmarks. This
1506         issue is likely due to an underlying bug but let's rollout while
1507         we investigate.
1508
1509         * bytecode/CodeType.h:
1510         * bytecode/UnlinkedCodeBlock.cpp:
1511         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1512         * bytecode/UnlinkedCodeBlock.h:
1513         (JSC::UnlinkedCodeBlock::codeType const):
1514         (JSC::UnlinkedCodeBlock::didOptimize const):
1515         (JSC::UnlinkedCodeBlock::setDidOptimize):
1516         * bytecode/VirtualRegister.h:
1517         (JSC::VirtualRegister::VirtualRegister):
1518         (): Deleted.
1519
1520 2018-07-17  Mark Lam  <mark.lam@apple.com>
1521
1522         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
1523         https://bugs.webkit.org/show_bug.cgi?id=187736
1524         <rdar://problem/42114371>
1525
1526         Reviewed by Michael Saboff.
1527
1528         CodeBlock::baselineVersion() currently checks for a null replacement but does not
1529         account for the fact that the replacement can also be null due to the
1530         executable having been purged of its codeBlocks due to a memory event (see
1531         ExecutableBase::clearCode()).  This patch adds code to account for this.
1532
1533         * bytecode/CodeBlock.cpp:
1534         (JSC::CodeBlock::baselineVersion):
1535
1536 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1537
1538         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
1539         https://bugs.webkit.org/show_bug.cgi?id=187709
1540
1541         Reviewed by Mark Lam.
1542
1543         UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
1544
1545         * bytecode/UnlinkedCodeBlock.cpp:
1546         (JSC::UnlinkedCodeBlock::shrinkToFit):
1547
1548 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1549
1550         [JSC] Make SourceParseMode small
1551         https://bugs.webkit.org/show_bug.cgi?id=187705
1552
1553         Reviewed by Mark Lam.
1554
1555         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
1556         Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
1557         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
1558         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
1559
1560         * parser/ParserModes.h:
1561         (JSC::SourceParseModeSet::SourceParseModeSet):
1562         (JSC::SourceParseModeSet::contains):
1563         (JSC::SourceParseModeSet::mergeSourceParseModes):
1564
1565 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1566
1567         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
1568         https://bugs.webkit.org/show_bug.cgi?id=187585
1569
1570         Reviewed by Darin Adler.
1571
1572         This patch fixes Generator and AsyncGenerator's prototype issues.
1573
1574         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
1575         We fix this by changing JSFunction::prototypeForConstruction.
1576
1577         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
1578         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
1579         to fix `prototype` issues for AsyncGeneratorMethod.
1580
1581         * bytecompiler/BytecodeGenerator.cpp:
1582         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1583         (JSC::BytecodeGenerator::emitNewFunction):
1584         * bytecompiler/NodesCodegen.cpp:
1585         (JSC::FunctionNode::emitBytecode):
1586         * parser/ASTBuilder.h:
1587         (JSC::ASTBuilder::createFunctionMetadata):
1588         * parser/Parser.cpp:
1589         (JSC::getAsynFunctionBodyParseMode):
1590         (JSC::Parser<LexerType>::parseInner):
1591         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1592         * parser/ParserModes.h:
1593         (JSC::isAsyncGeneratorParseMode):
1594         (JSC::isAsyncGeneratorWrapperParseMode):
1595         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
1596         * runtime/FunctionExecutable.h:
1597         * runtime/JSFunction.cpp:
1598         (JSC::JSFunction::prototypeForConstruction):
1599         (JSC::JSFunction::getOwnPropertySlot):
1600
1601 2018-07-16  Mark Lam  <mark.lam@apple.com>
1602
1603         jsc shell's noFTL utility test function should be more robust.
1604         https://bugs.webkit.org/show_bug.cgi?id=187704
1605         <rdar://problem/42231988>
1606
1607         Reviewed by Michael Saboff and Keith Miller.
1608
1609         * jsc.cpp:
1610         (functionNoFTL):
1611         - only setNeverFTLOptimize() if the function is actually a JS function.
1612
1613 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
1614
1615         [GLIB] Add API to evaluate code using a given object to store global symbols
1616         https://bugs.webkit.org/show_bug.cgi?id=187639
1617
1618         Reviewed by Michael Catanzaro.
1619
1620         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
1621         evaluated script are added as properties to the new object instead of to the context global object. This is
1622         similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a
1623         scope for assignments, so we have to create a new context and get its global object. This patch also updates
1624         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
1625         jsc_context_evaluate_in_object().
1626
1627         * API/glib/JSCContext.cpp:
1628         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
1629         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
1630         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
1631         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
1632         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
1633         * API/glib/JSCContext.h:
1634         * API/glib/docs/jsc-glib-4.0-sections.txt:
1635
1636 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1637
1638         [32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
1639         https://bugs.webkit.org/show_bug.cgi?id=187561
1640
1641         Reviewed by Darin Adler.
1642
1643         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
1644         We clean up 32bit put_by_val code.
1645
1646         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
1647         aligns 32bit implementation to 64bit implementation.
1648
1649         2. We add CoW array checking, which is done in 64bit implementation.
1650
1651         * jit/JITPropertyAccess.cpp:
1652         (JSC::JIT::emit_op_put_by_val):
1653         * jit/JITPropertyAccess32_64.cpp:
1654         (JSC::JIT::emit_op_put_by_val):
1655         (JSC::JIT::emitSlow_op_put_by_val):
1656
1657 2018-07-12  Mark Lam  <mark.lam@apple.com>
1658
1659         Need to handle CodeBlock::replacement() being null.
1660         https://bugs.webkit.org/show_bug.cgi?id=187569
1661         <rdar://problem/41468692>
1662
1663         Reviewed by Saam Barati.
1664
1665         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
1666         for this while others do not.  We should add null checks in all the places that
1667         need it.
1668
1669         * bytecode/CodeBlock.cpp:
1670         (JSC::CodeBlock::hasOptimizedReplacement):
1671         (JSC::CodeBlock::jettison):
1672         (JSC::CodeBlock::numberOfDFGCompiles):
1673         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1674         * dfg/DFGOperations.cpp:
1675         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1676         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1677         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1678         * jit/JITOperations.cpp:
1679
1680 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1681
1682         [JSC] Thread VM& to JSCell::methodTable(VM&)
1683         https://bugs.webkit.org/show_bug.cgi?id=187548
1684
1685         Reviewed by Saam Barati.
1686
1687         This patch threads VM& to methodTable(VM&) and removes methodTable().
1688         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
1689
1690         * API/APICast.h:
1691         (toJS):
1692         * API/JSCallbackObject.h:
1693         * API/JSCallbackObjectFunctions.h:
1694         (JSC::JSCallbackObject<Parent>::className):
1695         * bytecode/CodeBlock.cpp:
1696         (JSC::CodeBlock::estimatedSize):
1697         * bytecode/CodeBlock.h:
1698         * bytecode/UnlinkedCodeBlock.cpp:
1699         (JSC::UnlinkedCodeBlock::estimatedSize):
1700         * bytecode/UnlinkedCodeBlock.h:
1701         * debugger/DebuggerScope.cpp:
1702         (JSC::DebuggerScope::className):
1703         * debugger/DebuggerScope.h:
1704         * heap/Heap.cpp:
1705         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
1706         (JSC::GatherHeapSnapshotData::operator() const):
1707         (JSC::Heap::gatherExtraHeapSnapshotData):
1708         * heap/HeapSnapshotBuilder.cpp:
1709         (JSC::HeapSnapshotBuilder::json):
1710         * runtime/ArrayPrototype.cpp:
1711         (JSC::arrayProtoFuncToString):
1712         * runtime/ClassInfo.h:
1713         * runtime/DirectArguments.cpp:
1714         (JSC::DirectArguments::estimatedSize):
1715         * runtime/DirectArguments.h:
1716         * runtime/HashMapImpl.cpp:
1717         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1718         * runtime/HashMapImpl.h:
1719         * runtime/JSArrayBuffer.cpp:
1720         (JSC::JSArrayBuffer::estimatedSize):
1721         * runtime/JSArrayBuffer.h:
1722         * runtime/JSBigInt.cpp:
1723         (JSC::JSBigInt::estimatedSize):
1724         * runtime/JSBigInt.h:
1725         * runtime/JSCell.cpp:
1726         (JSC::JSCell::dump const):
1727         (JSC::JSCell::estimatedSizeInBytes const):
1728         (JSC::JSCell::estimatedSize):
1729         (JSC::JSCell::className):
1730         * runtime/JSCell.h:
1731         * runtime/JSCellInlines.h:
1732         * runtime/JSGenericTypedArrayView.h:
1733         * runtime/JSGenericTypedArrayViewInlines.h:
1734         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1735         * runtime/JSObject.cpp:
1736         (JSC::JSObject::estimatedSize):
1737         (JSC::JSObject::className):
1738         (JSC::JSObject::toStringName):
1739         (JSC::JSObject::calculatedClassName):
1740         * runtime/JSObject.h:
1741         * runtime/JSProxy.cpp:
1742         (JSC::JSProxy::className):
1743         * runtime/JSProxy.h:
1744         * runtime/JSString.cpp:
1745         (JSC::JSString::estimatedSize):
1746         * runtime/JSString.h:
1747         * runtime/RegExp.cpp:
1748         (JSC::RegExp::estimatedSize):
1749         * runtime/RegExp.h:
1750         * runtime/WeakMapImpl.cpp:
1751         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1752         * runtime/WeakMapImpl.h:
1753
1754 2018-07-11  Commit Queue  <commit-queue@webkit.org>
1755
1756         Unreviewed, rolling out r233714.
1757         https://bugs.webkit.org/show_bug.cgi?id=187579
1758
1759         it made tests time out (Requested by pizlo on #webkit).
1760
1761         Reverted changeset:
1762
1763         "Change the reoptimization backoff base to 1.3 from 2"
1764         https://bugs.webkit.org/show_bug.cgi?id=187540
1765         https://trac.webkit.org/changeset/233714
1766
1767 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1768
1769         [GLIB] Add API to allow creating variadic functions
1770         https://bugs.webkit.org/show_bug.cgi?id=187517
1771
1772         Reviewed by Michael Catanzaro.
1773
1774         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
1775         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
1776
1777         * API/glib/JSCCallbackFunction.cpp:
1778         (JSC::JSCCallbackFunction::create): Make the parameters optional.
1779         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
1780         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
1781         JSCValue for the arguments.
1782         (JSC::JSCCallbackFunction::construct): Ditto.
1783         * API/glib/JSCCallbackFunction.h:
1784         * API/glib/JSCClass.cpp:
1785         (jscClassCreateConstructor): Make the parameters optional.
1786         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
1787         (jscClassAddMethod): Make the parameters optional.
1788         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
1789         * API/glib/JSCClass.h:
1790         * API/glib/JSCValue.cpp:
1791         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
1792         (jscValueFunctionCreate): Make the parameters optional.
1793         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
1794         * API/glib/JSCValue.h:
1795         * API/glib/docs/jsc-glib-4.0-sections.txt:
1796
1797 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1798
1799         [GLIB] Add jsc_context_get_global_object() to GLib API
1800         https://bugs.webkit.org/show_bug.cgi?id=187515
1801
1802         Reviewed by Michael Catanzaro.
1803
1804         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
1805         object. However, getting the global object could be useful in some cases, for example to give it a well known
1806         name like 'window' in browsers and GJS.
1807
1808         * API/glib/JSCContext.cpp:
1809         (jsc_context_get_global_object):
1810         * API/glib/JSCContext.h:
1811         * API/glib/docs/jsc-glib-4.0-sections.txt:
1812
1813 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1814
1815         [GLIB] Handle G_TYPE_STRV in glib API
1816         https://bugs.webkit.org/show_bug.cgi?id=187512
1817
1818         Reviewed by Michael Catanzaro.
1819
1820         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
1821
1822         * API/glib/JSCContext.cpp:
1823         (jscContextGValueToJSValue):
1824         (jscContextJSValueToGValue):
1825         * API/glib/JSCValue.cpp:
1826         (jsc_value_new_array_from_strv):
1827         * API/glib/JSCValue.h:
1828         * API/glib/docs/jsc-glib-4.0-sections.txt:
1829
1830 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1831
1832         Iterator of Array.keys() returns object in wrong order
1833         https://bugs.webkit.org/show_bug.cgi?id=185197
1834
1835         Reviewed by Keith Miller.
1836
1837         * builtins/ArrayIteratorPrototype.js:
1838         (globalPrivate.arrayIteratorValueNext):
1839         (globalPrivate.arrayIteratorKeyNext):
1840         (globalPrivate.arrayIteratorKeyValueNext):
1841         * builtins/AsyncFromSyncIteratorPrototype.js:
1842         * builtins/AsyncGeneratorPrototype.js:
1843         (globalPrivate.asyncGeneratorResolve):
1844         * builtins/GeneratorPrototype.js:
1845         (globalPrivate.generatorResume):
1846         * builtins/MapIteratorPrototype.js:
1847         (globalPrivate.mapIteratorNext):
1848         * builtins/SetIteratorPrototype.js:
1849         (globalPrivate.setIteratorNext):
1850         * builtins/StringIteratorPrototype.js:
1851         (next):
1852         * runtime/IteratorOperations.cpp:
1853         (JSC::createIteratorResultObjectStructure):
1854         (JSC::createIteratorResultObject):
1855
1856 2018-07-10  Mark Lam  <mark.lam@apple.com>
1857
1858         constructArray() should always allocate the requested length.
1859         https://bugs.webkit.org/show_bug.cgi?id=187543
1860         <rdar://problem/41947884>
1861
1862         Reviewed by Saam Barati.
1863
1864         Currently, it does not when we're having a bad time.  We fix this by switching
1865         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
1866         If we detect that a structure transition is possible before we can initialize
1867         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
1868         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
1869
1870         Also enhanced the DisallowScope and ObjectInitializationScope to support this
1871         eager initialization when needed.
1872
1873         * dfg/DFGOperations.cpp:
1874         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
1875           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
1876           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
1877           generated code, which will appear as a generic null pointer dereference.
1878
1879         * runtime/ArrayPrototype.cpp:
1880         (JSC::concatAppendOne):
1881         - the code here clearly wants to check for an allocation failure.  Switched to
1882           using JSArray::tryCreate() instead of JSArray::create().
1883
1884         * runtime/DisallowScope.h:
1885         (JSC::DisallowScope::disable):
1886         * runtime/JSArray.cpp:
1887         (JSC::JSArray::tryCreateUninitializedRestricted):
1888         (JSC::JSArray::eagerlyInitializeButterfly):
1889         (JSC::constructArray):
1890         * runtime/JSArray.h:
1891         * runtime/ObjectInitializationScope.cpp:
1892         (JSC::ObjectInitializationScope::notifyInitialized):
1893         * runtime/ObjectInitializationScope.h:
1894         (JSC::ObjectInitializationScope::notifyInitialized):
1895
1896 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1897
1898         [JSC] Remove getTypedArrayImpl
1899         https://bugs.webkit.org/show_bug.cgi?id=187338
1900
1901         Reviewed by Mark Lam.
1902
1903         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
1904         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
1905         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
1906
1907         * runtime/ClassInfo.h:
1908         * runtime/GenericTypedArrayView.h:
1909         (JSC::GenericTypedArrayView::data const): Deleted.
1910         (JSC::GenericTypedArrayView::set): Deleted.
1911         (JSC::GenericTypedArrayView::setRange): Deleted.
1912         (JSC::GenericTypedArrayView::zeroRange): Deleted.
1913         (JSC::GenericTypedArrayView::zeroFill): Deleted.
1914         (JSC::GenericTypedArrayView::length const): Deleted.
1915         (JSC::GenericTypedArrayView::item const): Deleted.
1916         (JSC::GenericTypedArrayView::set const): Deleted.
1917         (JSC::GenericTypedArrayView::setNative const): Deleted.
1918         (JSC::GenericTypedArrayView::getRange): Deleted.
1919         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
1920         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
1921         * runtime/JSArrayBufferView.cpp:
1922         (JSC::JSArrayBufferView::possiblySharedImpl):
1923         * runtime/JSArrayBufferView.h:
1924         * runtime/JSArrayBufferViewInlines.h:
1925         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
1926         * runtime/JSCell.cpp:
1927         (JSC::JSCell::getTypedArrayImpl): Deleted.
1928         * runtime/JSCell.h:
1929         * runtime/JSDataView.cpp:
1930         (JSC::JSDataView::getTypedArrayImpl): Deleted.
1931         * runtime/JSDataView.h:
1932         * runtime/JSGenericTypedArrayView.h:
1933         * runtime/JSGenericTypedArrayViewInlines.h:
1934         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
1935
1936 2018-07-10  Keith Miller  <keith_miller@apple.com>
1937
1938         hasOwnProperty returns true for out of bounds property index on TypedArray
1939         https://bugs.webkit.org/show_bug.cgi?id=187520
1940
1941         Reviewed by Saam Barati.
1942
1943         * runtime/JSGenericTypedArrayViewInlines.h:
1944         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1945
1946 2018-07-10  Michael Saboff  <msaboff@apple.com>
1947
1948         DFG JIT: compileMathIC produces incorrect machine code
1949         https://bugs.webkit.org/show_bug.cgi?id=187537
1950
1951         Reviewed by Saam Barati.
1952
1953         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
1954         fall back to the fast path generator which handles such cases.
1955
1956         * jit/JITMulGenerator.cpp:
1957         (JSC::JITMulGenerator::generateInline):
1958
1959 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
1960
1961         Change the reoptimization backoff base to 1.3 from 2
1962         https://bugs.webkit.org/show_bug.cgi?id=187540
1963
1964         Reviewed by Saam Barati.
1965         
1966         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
1967         
1968         I also have data that hints that a backoff base of 1 might be even better, but I think that
1969         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
1970
1971         * bytecode/CodeBlock.cpp:
1972         (JSC::CodeBlock::reoptimizationRetryCounter const):
1973         (JSC::CodeBlock::countReoptimization):
1974         (JSC::CodeBlock::adjustedCounterValue):
1975         * runtime/Options.cpp:
1976         (JSC::recomputeDependentOptions):
1977         * runtime/Options.h:
1978
1979 2018-07-10  Mark Lam  <mark.lam@apple.com>
1980
1981         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
1982         https://bugs.webkit.org/show_bug.cgi?id=187362
1983         <rdar://problem/42027210>
1984
1985         Reviewed by Saam Barati.
1986
1987         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
1988         value to use for initializing unused properties.  Updated an assertion to account
1989         for this.
1990
1991         * runtime/ObjectInitializationScope.cpp:
1992         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1993
1994 2018-07-10  Michael Saboff  <msaboff@apple.com>
1995
1996         YARR: . doesn't match non-BMP Unicode characters in some cases
1997         https://bugs.webkit.org/show_bug.cgi?id=187248
1998
1999         Reviewed by Geoffrey Garen.
2000
2001         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
2002         characters did not take into account that the character class is inverted.  In this case, we
2003         represent '.' as "not a newline" using the newline character class with an inverted check.
2004         Clearly that includes non-BMP characters.
2005
2006         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
2007         inverted use of that character class.
2008
2009         * yarr/YarrJIT.cpp:
2010         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2011
2012 2018-07-09  Mark Lam  <mark.lam@apple.com>
2013
2014         Add --traceLLIntExecution and --traceLLIntSlowPath options.
2015         https://bugs.webkit.org/show_bug.cgi?id=187479
2016
2017         Reviewed by Yusuke Suzuki and Saam Barati.
2018
2019         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
2020
2021         The details:
2022         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
2023         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
2024            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
2025            continually spammed with logging until we rebuild.
2026         3. Fixed slow path LLINT tracing to work with exception check validation.
2027
2028         * llint/LLIntCommon.h:
2029         * llint/LLIntExceptions.cpp:
2030         (JSC::LLInt::returnToThrow):
2031         (JSC::LLInt::callToThrow):
2032         * llint/LLIntOfflineAsmConfig.h:
2033         * llint/LLIntSlowPaths.cpp:
2034         (JSC::LLInt::slowPathLog):
2035         (JSC::LLInt::slowPathLn):
2036         (JSC::LLInt::slowPathLogF):
2037         (JSC::LLInt::slowPathLogLn):
2038         (JSC::LLInt::llint_trace_operand):
2039         (JSC::LLInt::llint_trace_value):
2040         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2041         (JSC::LLInt::traceFunctionPrologue):
2042         (JSC::LLInt::handleHostCall):
2043         (JSC::LLInt::setUpCall):
2044         * llint/LLIntSlowPaths.h:
2045         * llint/LowLevelInterpreter.asm:
2046         * runtime/CommonSlowPathsExceptions.cpp:
2047         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2048         * runtime/Options.cpp:
2049         (JSC::Options::isAvailable):
2050         * runtime/Options.h:
2051
2052 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2053
2054         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
2055         https://bugs.webkit.org/show_bug.cgi?id=187477
2056
2057         Reviewed by Mark Lam.
2058
2059         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
2060         However, it is not necessary since JSCells can reside in a constant buffer.
2061         This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
2062         vector from RareData.
2063
2064         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
2065
2066         * bytecode/BytecodeDumper.cpp:
2067         (JSC::BytecodeDumper<Block>::dumpBytecode):
2068         (JSC::BytecodeDumper<Block>::dumpBlock):
2069         (JSC::regexpToSourceString): Deleted.
2070         (JSC::regexpName): Deleted.
2071         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
2072         * bytecode/BytecodeDumper.h:
2073         * bytecode/CodeBlock.h:
2074         (JSC::CodeBlock::regexp const): Deleted.
2075         (JSC::CodeBlock::numberOfRegExps const): Deleted.
2076         * bytecode/UnlinkedCodeBlock.cpp:
2077         (JSC::UnlinkedCodeBlock::visitChildren):
2078         (JSC::UnlinkedCodeBlock::shrinkToFit):
2079         * bytecode/UnlinkedCodeBlock.h:
2080         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2081         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
2082         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
2083         * bytecompiler/BytecodeGenerator.cpp:
2084         (JSC::BytecodeGenerator::emitNewRegExp):
2085         (JSC::BytecodeGenerator::addRegExp): Deleted.
2086         * bytecompiler/BytecodeGenerator.h:
2087         * dfg/DFGByteCodeParser.cpp:
2088         (JSC::DFG::ByteCodeParser::parseBlock):
2089         * jit/JITOpcodes.cpp:
2090         (JSC::JIT::emit_op_new_regexp):
2091         * llint/LLIntSlowPaths.cpp:
2092         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2093         * runtime/JSCJSValue.cpp:
2094         (JSC::JSValue::dumpInContextAssumingStructure const):
2095         * runtime/RegExp.cpp:
2096         (JSC::regexpToSourceString):
2097         (JSC::RegExp::dumpToStream):
2098         * runtime/RegExp.h:
2099
2100 2018-07-09  Brian Burg  <bburg@apple.com>
2101
2102         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
2103         https://bugs.webkit.org/show_bug.cgi?id=187350
2104         <rdar://problem/41728249>
2105
2106         Reviewed by Matt Baker.
2107
2108         Add a new command that toggles whether or not to blackbox internal scripts.
2109         If blackboxed, the scripts will not be shown to the frontend and the debugger will
2110         not pause in source frames from blackboxed scripts. Sometimes we want to break into
2111         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
2112         that injects scripts.
2113
2114         * inspector/agents/InspectorDebuggerAgent.cpp:
2115         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2116         (Inspector::InspectorDebuggerAgent::didParseSource):
2117         * inspector/agents/InspectorDebuggerAgent.h:
2118         * inspector/protocol/Debugger.json:
2119
2120 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2121
2122         [JSC] Make some data members of UnlinkedCodeBlock private
2123         https://bugs.webkit.org/show_bug.cgi?id=187467
2124
2125         Reviewed by Mark Lam.
2126
2127         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
2128         We also remove m_numCapturedVars since it is no longer used.
2129
2130         * bytecode/CodeBlock.cpp:
2131         (JSC::CodeBlock::CodeBlock):
2132         * bytecode/CodeBlock.h:
2133         * bytecode/UnlinkedCodeBlock.cpp:
2134         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2135         * bytecode/UnlinkedCodeBlock.h:
2136
2137 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2138
2139         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
2140         https://bugs.webkit.org/show_bug.cgi?id=187465
2141
2142         Reviewed by Keith Miller.
2143
2144         ProxyableAccessCase is allocated very frequently and persists for a long time. Reducing the size
2145         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
2146
2147         This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add an unused bool member
2148         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
2149         of ProxyableAccessCase from 56 to 48. It also reduces the size of GetterSetterAccessCase
2150         from 104 to 96 since it inherits from ProxyableAccessCase.
2151
2152         * bytecode/AccessCase.h:
2153         (JSC::AccessCase::viaProxy const):
2154         (JSC::AccessCase::AccessCase):
2155         * bytecode/ProxyableAccessCase.cpp:
2156         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2157         * bytecode/ProxyableAccessCase.h:
2158
2159 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2160
2161         Unreviewed, build fix for debug builds after r233630
2162         https://bugs.webkit.org/show_bug.cgi?id=187441
2163
2164         * jit/JIT.cpp:
2165         (JSC::JIT::frameRegisterCountFor):
2166         * llint/LLIntEntrypoint.cpp:
2167         (JSC::LLInt::frameRegisterCountFor):
2168
2169 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2170
2171         [JSC] Optimize layout of CodeBlock to reduce padding
2172         https://bugs.webkit.org/show_bug.cgi?id=187441
2173
2174         Reviewed by Mark Lam.
2175
2176         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
2177         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
2178         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
2179
2180         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
2181
2182         * bytecode/BytecodeDumper.cpp:
2183         (JSC::BytecodeDumper<Block>::dumpBlock):
2184         * bytecode/BytecodeUseDef.h:
2185         (JSC::computeDefsForBytecodeOffset):
2186         * bytecode/CodeBlock.cpp:
2187         (JSC::CodeBlock::CodeBlock):
2188         * bytecode/CodeBlock.h:
2189         (JSC::CodeBlock::numVars const):
2190         * bytecode/UnlinkedCodeBlock.h:
2191         (JSC::UnlinkedCodeBlock::numVars const):
2192         * dfg/DFGByteCodeParser.cpp:
2193         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2194         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2195         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2196         (JSC::DFG::ByteCodeParser::inlineCall):
2197         (JSC::DFG::ByteCodeParser::handleGetById):
2198         (JSC::DFG::ByteCodeParser::handlePutById):
2199         (JSC::DFG::ByteCodeParser::parseBlock):
2200         * dfg/DFGGraph.h:
2201         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2202         * dfg/DFGOSREntrypointCreationPhase.cpp:
2203         (JSC::DFG::OSREntrypointCreationPhase::run):
2204         * dfg/DFGVariableEventStream.cpp:
2205         (JSC::DFG::VariableEventStream::reconstruct const):
2206         * ftl/FTLOSREntry.cpp:
2207         (JSC::FTL::prepareOSREntry):
2208         * ftl/FTLState.cpp:
2209         (JSC::FTL::State::State):
2210         * interpreter/Interpreter.cpp:
2211         (JSC::Interpreter::dumpRegisters):
2212         * jit/JIT.cpp:
2213         (JSC::JIT::frameRegisterCountFor):
2214         * jit/JITOpcodes.cpp:
2215         (JSC::JIT::emit_op_enter):
2216         * jit/JITOpcodes32_64.cpp:
2217         (JSC::JIT::emit_op_enter):
2218         * jit/JITOperations.cpp:
2219         * llint/LLIntEntrypoint.cpp:
2220         (JSC::LLInt::frameRegisterCountFor):
2221         * llint/LLIntSlowPaths.cpp:
2222         (JSC::LLInt::traceFunctionPrologue):
2223         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2224         * runtime/JSCJSValue.h:
2225
2226 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2227
2228         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
2229         https://bugs.webkit.org/show_bug.cgi?id=187448
2230
2231         Reviewed by Saam Barati.
2232
2233         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
2234         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
2235
2236         * bytecode/CodeType.h:
2237         * bytecode/UnlinkedCodeBlock.cpp:
2238         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2239         * bytecode/UnlinkedCodeBlock.h:
2240         (JSC::UnlinkedCodeBlock::codeType const):
2241         (JSC::UnlinkedCodeBlock::didOptimize const):
2242         (JSC::UnlinkedCodeBlock::setDidOptimize):
2243         * bytecode/VirtualRegister.h:
2244
2245 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2246
2247         [JSC] Optimize padding of InferredTypeTable by using cellLock
2248         https://bugs.webkit.org/show_bug.cgi?id=187447
2249
2250         Reviewed by Mark Lam.
2251
2252         Use cellLock() in InferredTypeTable to guard changes of internal structures.
2253         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
2254         reduce the size of InferredTypeTable from 40 to 32.
2255
2256         * runtime/InferredTypeTable.cpp:
2257         (JSC::InferredTypeTable::visitChildren):
2258         (JSC::InferredTypeTable::get):
2259         (JSC::InferredTypeTable::willStoreValue):
2260         (JSC::InferredTypeTable::makeTop):
2261         * runtime/InferredTypeTable.h:
2262         Use enum class and `using`. Also remove `isEmpty()` since it is not used.
2263
2264         * runtime/Structure.h:
2265
2266 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2267
2268         [JSC] Optimize layout of SourceProvider to reduce padding
2269         https://bugs.webkit.org/show_bug.cgi?id=187440
2270
2271         Reviewed by Mark Lam.
2272
2273         Arrange members of SourceProvider to reduce the size from 80 to 72.
2274
2275         * parser/SourceProvider.cpp:
2276         (JSC::SourceProvider::SourceProvider):
2277         * parser/SourceProvider.h:
2278
2279 2018-07-08  Mark Lam  <mark.lam@apple.com>
2280
2281         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
2282         https://bugs.webkit.org/show_bug.cgi?id=187444
2283         <rdar://problem/41282849>
2284
2285         Reviewed by Saam Barati.
2286
2287         PropertyTable supports C++ iteration by offering begin() and end() methods, and
2288         an iterator class.  The begin() methods and the iterator operator++() method use
2289         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
2290         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
2291         pointer from being incremented past the end of the table.  As a result, we can
2292         iterate past the end of the table.  Note that the C++ iteration protocol tests
2293         for the iterator not being equal to the end() value.  It does not do a <= test.
2294         If the iterator ever shoots past end, the loop will effectively not terminate.
2295
2296         This issue can manifest if and only if the last entry in the table is a deleted
2297         one, and the key field of the PropertyMapEntry shaped space at the end of the
2298         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
2299         value.
2300
2301         No test because manifesting this issue requires uncontrollable happenstance where
2302         memory just beyond the end of the table looks like a deleted entry.
2303
2304         * runtime/PropertyMapHashTable.h:
2305         (JSC::PropertyTable::begin):
2306         (JSC::PropertyTable::end):
2307         (JSC::PropertyTable::begin const):
2308         (JSC::PropertyTable::end const):
2309         (JSC::PropertyTable::skipDeletedEntries):
2310
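An added illustration of the iteration hazard described above, not JSC's own code: a simplified PropertyTable-style slot array in which a deleted entry carries a key field of 1, with the unbounded skip beside the bounded one. Type and function names are assumptions modelled on the description.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Added illustration (not JSC's code) of the bug fixed in
// PropertyTable::skipDeletedEntries(). Names and layout are simplified
// assumptions modelled on the ChangeLog description.

// Mirrors the convention described above: a deleted entry is recognised
// by a key field holding the value 1 (PROPERTY_MAP_DELETED_ENTRY_KEY).
static const char* const kDeletedKey =
    reinterpret_cast<const char*>(static_cast<std::uintptr_t>(1));

struct Entry {
    const char* key;   // nullptr = never used, kDeletedKey = deleted
    unsigned offset;
};

// Pre-fix behaviour: advances over deleted entries with no bound, so if the
// word just past the table also looks deleted it walks into foreign memory.
static Entry* skipDeletedEntriesUnbounded(Entry* valuePtr)
{
    while (valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

// Fixed behaviour: never advance past endValuePtr, so a deleted last entry
// makes the iterator land exactly on end() and the loop terminates.
static Entry* skipDeletedEntries(Entry* valuePtr, Entry* endValuePtr)
{
    while (valuePtr < endValuePtr && valuePtr->key == kDeletedKey)
        ++valuePtr;
    return valuePtr;
}

// Constructed scenario: a 4-slot table whose last entry is deleted. Two
// spare slots are allocated past the table so that the unbounded walk stays
// inside our own buffer; the first of them is made to look like a deleted
// entry, which is the "uncontrollable happenstance" the entry refers to.
static const std::size_t kTableSize = 4;

static std::vector<Entry> makeStorage()
{
    return {
        { "a", 0 },
        { kDeletedKey, 0 },
        { "b", 1 },
        { kDeletedKey, 0 },   // last real slot: deleted
        { kDeletedKey, 0 },   // one past end: happens to look deleted
        { "stale", 9 },       // unrelated memory beyond that
    };
}

// How many slots past end() the unbounded skip lands when it starts at the
// last (deleted) entry. Anything other than 0 means `it != end` stays true.
static std::ptrdiff_t overrunOfUnboundedSkip()
{
    std::vector<Entry> storage = makeStorage();
    Entry* end = storage.data() + kTableSize;
    return skipDeletedEntriesUnbounded(end - 1) - end;
}

static std::ptrdiff_t overrunOfBoundedSkip()
{
    std::vector<Entry> storage = makeStorage();
    Entry* end = storage.data() + kTableSize;
    return skipDeletedEntries(end - 1, end) - end;
}

// A begin()/operator++ style walk using the bounded skip: yields only the
// live keys and stops at end() even though the table ends with a deleted entry.
static std::vector<std::string> liveKeys()
{
    std::vector<Entry> storage = makeStorage();
    Entry* begin = storage.data();
    Entry* end = begin + kTableSize;
    std::vector<std::string> keys;
    for (Entry* it = skipDeletedEntries(begin, end); it != end;
         it = skipDeletedEntries(it + 1, end))
        keys.push_back(it->key);
    return keys;
}

int main()
{
    std::cout << "unbounded skip overruns end() by " << overrunOfUnboundedSkip()
              << " slot(s); bounded skip by " << overrunOfBoundedSkip() << "\n";
    for (const std::string& key : liveKeys())
        std::cout << "live key: " << key << "\n";
    return 0;
}
```
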
2311 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2312
2313         [JSC] Optimize layout of SymbolTable to reduce padding
2314         https://bugs.webkit.org/show_bug.cgi?id=187437
2315
2316         Reviewed by Mark Lam.
2317
2318         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
2319
2320         * runtime/SymbolTable.h:
2321
2322 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2323
2324         [JSC] Optimize layout of RegExp to reduce padding
2325         https://bugs.webkit.org/show_bug.cgi?id=187438
2326
2327         Reviewed by Mark Lam.
2328
2329         Reduce the size of RegExp from 168 to 144.
2330
2331         * runtime/RegExp.cpp:
2332         (JSC::RegExp::RegExp):
2333         * runtime/RegExp.h:
2334         * runtime/RegExpKey.h:
2335         * yarr/YarrErrorCode.h:
2336
2337 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2338
2339         [JSC] Optimize layout of ValueProfile to reduce padding
2340         https://bugs.webkit.org/show_bug.cgi?id=187439
2341
2342         Reviewed by Mark Lam.
2343
2344         Reduce the size of ValueProfile from 40 to 32 by reordering members.
2345
2346         * bytecode/ValueProfile.h:
2347         (JSC::ValueProfileBase::ValueProfileBase):
2348
2349 2018-07-05  Saam Barati  <sbarati@apple.com>
2350
2351         ProgramExecutable may be collected as we checkSyntax on it
2352         https://bugs.webkit.org/show_bug.cgi?id=187359
2353         <rdar://problem/41832135>
2354
2355         Reviewed by Mark Lam.
2356
2357         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
2358         the ProgramExecutable itself may be collected. The fix here is to make a copy
2359         of the field instead of passing in a reference inside of ParserError::toErrorObject.
2360         
2361         No new tests here as this was already caught by our iOS JSC testers.
2362
2363         * parser/ParserError.h:
2364         (JSC::ParserError::toErrorObject):
2365
2366 2018-07-04  Tim Horton  <timothy_horton@apple.com>
2367
2368         Introduce PLATFORM(IOSMAC)
2369         https://bugs.webkit.org/show_bug.cgi?id=187315
2370
2371         Reviewed by Dan Bernstein.
2372
2373         * Configurations/Base.xcconfig:
2374         * Configurations/FeatureDefines.xcconfig:
2375
2376 2018-07-03  Mark Lam  <mark.lam@apple.com>
2377
2378         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
2379         https://bugs.webkit.org/show_bug.cgi?id=187255
2380         <rdar://problem/41785257>
2381
2382         Reviewed by Saam Barati.
2383
2384         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
2385         too: basically, do what the 64-bit code is doing.  At present, this change only
2386         serves to pacify an assertion.  It is not needed for correctness because the
2387         concurrent GC is not used on 32-bit builds.
2388
2389         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
2390         test.
2391
2392         * jit/JITOpcodes32_64.cpp:
2393         (JSC::JIT::emit_op_create_this):
2394
2395 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2396
2397         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
2398         https://bugs.webkit.org/show_bug.cgi?id=187290
2399
2400         Reviewed by Saam Barati.
2401
2402         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
2403         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
2404         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
2405         easily calculated from JSType.
2406         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
2407
2408         * runtime/ClassInfo.h:
2409         * runtime/JSArrayBufferView.cpp:
2410         (JSC::elementSize):
2411         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2412         * runtime/JSArrayBufferView.h:
2413         * runtime/JSArrayBufferViewInlines.h:
2414         (JSC::JSArrayBufferView::possiblySharedBuffer):
2415         * runtime/JSCell.cpp:
2416         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
2417         * runtime/JSCell.h:
2418         * runtime/JSDataView.cpp:
2419         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
2420         * runtime/JSDataView.h:
2421         * runtime/JSGenericTypedArrayView.h:
2422         * runtime/JSGenericTypedArrayViewInlines.h:
2423         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
2424
2425 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2426
2427         Regular expressions with ".?" expressions at the start and the end match the entire string
2428         https://bugs.webkit.org/show_bug.cgi?id=119191
2429
2430         Reviewed by Michael Saboff.
2431
2432         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
2433         for "abc" first and then processing the leading and trailing dot stars
2434         to find the beginning and the end of the match. However, it erroneously
2435         enabled this optimization for regular expressions whose leading or
2436         trailing dots had quantifiers that were not of arbitrary length, e.g.,
2437         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
2438         match the entire string when it shouldn't. This patch disables the
2439         optimization for those cases.
2440
2441         * yarr/YarrPattern.cpp:
2442         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2443
2444 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2445
2446         RegExp.exec returns wrong value with a long integer quantifier
2447         https://bugs.webkit.org/show_bug.cgi?id=187042
2448
2449         Reviewed by Saam Barati.
2450
2451         Prior to this patch, the Yarr parser checked for integer overflow when
2452         parsing quantifiers in regular expressions by adding one digit at a time
2453         to a number and checking if the result got larger. This is wrong: the
2454         The parser would fail to detect overflow when parsing, for example,
2455         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
2456
2457         Another issue was that once it detected overflow, it stopped consuming
2458         the remaining digits. Since it didn't find the closing bracket, it
2459         parsed the quantifier as a normal string instead.
2460
2461         This patch fixes these issues by reading all the digits and checking for
2462         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
2463         returns the largest possible value (quantifyInfinite in this case). This
2464         matches Chrome [1], Firefox [2], and Edge [3].
2465
2466         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
2467         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
2468         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
2469
2470         * yarr/YarrParser.h:
2471         (JSC::Yarr::Parser::consumeNumber):
2472
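An added, simplified demonstration of the overflow check described above, not Yarr's code: the pre-patch digit-by-digit comparison beside a checked, saturating parse that consumes every digit. Function names are assumptions; quantifyInfinite is assumed to be UINT_MAX, and an explicit 64-bit check stands in for Checked<unsigned, RecordOverflow>.

```cpp
#include <cctype>
#include <climits>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

// Added illustration (not JSC's code) of the quantifier-overflow bug
// described above. Function names are assumptions; quantifyInfinite is
// assumed to be UINT_MAX as in Yarr.
static const unsigned quantifyInfinite = UINT_MAX;

struct ParsedNumber {
    unsigned value;        // the parsed count, or quantifyInfinite on overflow
    std::size_t consumed;  // how many digit characters were consumed
    bool overflowed;
};

// Pre-patch style: add one digit at a time and treat "got smaller" as
// overflow. Wrap-around modulo 2^32 can leave the result larger than the
// previous value, so the check is unreliable; and it stops consuming digits,
// leaving the parser short of the closing brace.
static ParsedNumber consumeNumberNaive(const std::string& pattern, std::size_t pos)
{
    unsigned n = 0;
    std::size_t i = pos;
    while (i < pattern.size() && std::isdigit(static_cast<unsigned char>(pattern[i]))) {
        unsigned next = n * 10 + static_cast<unsigned>(pattern[i] - '0');
        if (next < n)
            return { n, i - pos, true };
        n = next;
        ++i;
    }
    return { n, i - pos, false };
}

// Post-patch style: consume every digit, record overflow explicitly (a
// 64-bit comparison stands in for WTF's Checked<unsigned, RecordOverflow>),
// and saturate to quantifyInfinite so the quantifier still parses.
static ParsedNumber consumeNumberChecked(const std::string& pattern, std::size_t pos)
{
    std::uint64_t acc = 0;
    bool overflowed = false;
    std::size_t i = pos;
    while (i < pattern.size() && std::isdigit(static_cast<unsigned char>(pattern[i]))) {
        if (!overflowed) {
            acc = acc * 10 + static_cast<std::uint64_t>(pattern[i] - '0');
            if (acc > UINT_MAX)
                overflowed = true;   // stop accumulating, keep consuming
        }
        ++i;
    }
    unsigned value = overflowed ? quantifyInfinite : static_cast<unsigned>(acc);
    return { value, i - pos, overflowed };
}

// Whether a "{N}" quantifier at `pos` is recognised as a quantifier, i.e. the
// closing brace is found right after the digits the number parser consumed.
static bool bracedQuantifierParses(const std::string& pattern, std::size_t pos,
                                   ParsedNumber (*consume)(const std::string&, std::size_t))
{
    if (pos >= pattern.size() || pattern[pos] != '{')
        return false;
    ParsedNumber n = consume(pattern, pos + 1);
    std::size_t after = pos + 1 + n.consumed;
    return after < pattern.size() && pattern[after] == '}';
}

int main()
{
    const std::string digits = "10000000003";   // the example from the ChangeLog
    ParsedNumber naive = consumeNumberNaive(digits, 0);
    ParsedNumber checked = consumeNumberChecked(digits, 0);
    std::cout << "naive:   value=" << naive.value << " consumed=" << naive.consumed
              << " overflow=" << naive.overflowed << "\n";
    std::cout << "checked: value=" << checked.value << " consumed=" << checked.consumed
              << " overflow=" << checked.overflowed << "\n";
    std::cout << "a{4294967296} parses as quantifier: naive="
              << bracedQuantifierParses("a{4294967296}", 1, consumeNumberNaive)
              << " checked=" << bracedQuantifierParses("a{4294967296}", 1, consumeNumberChecked)
              << "\n";
    return 0;
}
```
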
2473 2018-07-02  Keith Miller  <keith_miller@apple.com>
2474
2475         InstanceOf IC should do generic if the prototype is not an object.
2476         https://bugs.webkit.org/show_bug.cgi?id=187250
2477
2478         Reviewed by Mark Lam.
2479
2480         The old code was wrong for two reasons. First, the AccessCase expected that
2481         the prototype value would be non-null. Second, we would end up returning
2482         false instead of throwing an exception.
2483
2484         * jit/Repatch.cpp:
2485         (JSC::tryCacheInstanceOf):
2486
2487 2018-07-01  Mark Lam  <mark.lam@apple.com>
2488
2489         Builtins and host functions should get their own structures.
2490         https://bugs.webkit.org/show_bug.cgi?id=187211
2491         <rdar://problem/41646336>
2492
2493         Reviewed by Saam Barati.
2494
2495         JSFunctions do lazy reification of properties, but ordinary functions apply
2496         different rules of property reification than builtin and host functions.  Hence,
2497         we should give builtins and host functions their own structures.
2498
2499         * runtime/JSFunction.cpp:
2500         (JSC::JSFunction::selectStructureForNewFuncExp):
2501         (JSC::JSFunction::create):
2502         (JSC::JSFunction::getOwnPropertySlot):
2503         * runtime/JSGlobalObject.cpp:
2504         (JSC::JSGlobalObject::init):
2505         (JSC::JSGlobalObject::visitChildren):
2506         * runtime/JSGlobalObject.h:
2507         (JSC::JSGlobalObject::hostFunctionStructure const):
2508         (JSC::JSGlobalObject::arrowFunctionStructure const):
2509         (JSC::JSGlobalObject::sloppyFunctionStructure const):
2510         (JSC::JSGlobalObject::strictFunctionStructure const):
2511
2512 2018-07-01  David Kilzer  <ddkilzer@apple.com>
2513
2514         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
2515         <https://webkit.org/b/187233>
2516
2517         Reviewed by Mark Lam.
2518
2519         * b3/air/AirEliminateDeadCode.cpp:
2520         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
2521         * parser/ParserTokens.h:
2522         (JSC::JSTextPosition::JSTextPosition): Add struct member
2523         initialization. Simplify default constructor.
2524         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
2525         union to the beginning to make it easy to zero out all fields.
2526         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
2527         initialization.  Simplify default constructor.  Note that
2528         `endOffset` was not being initialized previously.
2529         (JSC::JSTextPosition::JSToken): Add struct member initialization
2530         where necessary.
2531         * runtime/IntlObject.cpp:
2532         (JSC::MatcherResult): Add struct member initialization.
2533
2534 2018-06-23  Darin Adler  <darin@apple.com>
2535
2536         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
2537         https://bugs.webkit.org/show_bug.cgi?id=186973
2538
2539         Reviewed by Dan Bernstein.
2540
2541         * API/JSContext.mm:
2542         (WeakContextRef::WeakContextRef): Deleted.
2543         (WeakContextRef::~WeakContextRef): Deleted.
2544         (WeakContextRef::get): Deleted.
2545         (WeakContextRef::set): Deleted.
2546
2547         * API/JSContextInternal.h: Removed unneeded header guards since this is
2548         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
2549         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
2550         since neither is used outside the class implementation.
2551
2552         * API/JSManagedValue.mm:
2553         (-[JSManagedValue initWithValue:]): Use a bridging cast.
2554         (-[JSManagedValue dealloc]): Ditto.
2555         (-[JSManagedValue didAddOwner:]): Ditto.
2556         (-[JSManagedValue didRemoveOwner:]): Ditto.
2557         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
2558         (JSManagedValueHandleOwner::finalize): Ditto.
2559         * API/JSValue.mm:
2560         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
2561         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
2562         (-[JSValue valueForProperty:]): Ditto.
2563         (-[JSValue setValue:forProperty:]): Ditto.
2564         (-[JSValue deleteProperty:]): Ditto.
2565         (-[JSValue hasProperty:]): Ditto.
2566         (-[JSValue invokeMethod:withArguments:]): Ditto.
2567         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
2568         (valueToArray): Ditto.
2569         (valueToDictionary): Ditto.
2570         (objectToValueWithoutCopy): Ditto.
2571         (objectToValue): Ditto.
2572         * API/JSVirtualMachine.mm:
2573         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
2574         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
2575         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
2576         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
2577         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
2578         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
2579         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
2580         (scanExternalObjectGraph): Ditto.
2581         (scanExternalRememberedSet): Ditto.
2582         * API/JSWrapperMap.mm:
2583         (makeWrapper): Ditto.
2584         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
2585         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
2586         (tryUnwrapObjcObject): Ditto.
2587         * API/ObjCCallbackFunction.mm:
2588         (blockSignatureContainsClass): Ditto.
2589         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
2590         sure we will be keeping this the same way under ARC.
2591         (objCCallbackFunctionForBlock): Use a bridging cast.
2592
2593         * API/ObjcRuntimeExtras.h:
2594         (protocolImplementsProtocol): Use a more specific type that includes the
2595         explicit __unsafe_unretained for copied protocol lists.
2596         (forEachProtocolImplementingProtocol): Ditto.
2597
2598         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2599         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
2600         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
2601
2602         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
2603         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
2604         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
2605         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
2606         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
2607
2608 2018-06-30  Adam Barth  <abarth@webkit.org>
2609
2610         Port JavaScriptCore to OS(FUCHSIA)
2611         https://bugs.webkit.org/show_bug.cgi?id=187223
2612
2613         Reviewed by Daniel Bates.
2614
2615         * assembler/ARM64Assembler.h:
2616         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
2617         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
2618         (JSC::MachineContext::stackPointerImpl):
2619         (JSC::MachineContext::framePointerImpl):
2620         (JSC::MachineContext::instructionPointerImpl):
2621         (JSC::MachineContext::argumentPointer<1>):
2622         (JSC::MachineContext::llintInstructionPointer):
2623
2624 2018-06-30  David Kilzer  <ddkilzer@apple.com>
2625
2626         Fix clang static analyzer warnings: Garbage return value
2627         <https://webkit.org/b/187224>
2628
2629         Reviewed by Eric Carlson.
2630
2631         * bytecode/UnlinkedCodeBlock.cpp:
2632         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2633         - Use brace initialization for local variables.
2634         * debugger/DebuggerCallFrame.cpp:
2635         (class JSC::LineAndColumnFunctor):
2636         - Use class member initialization for member variables.
2637
2638 2018-06-29  Saam Barati  <sbarati@apple.com>
2639
2640         Unreviewed. Try to fix Windows build after r233377
2641
2642         * builtins/BuiltinExecutables.cpp:
2643         (JSC::BuiltinExecutables::createExecutable):
2644
2645 2018-06-29  Saam Barati  <sbarati@apple.com>
2646
2647         Don't use tracePoints in JS/Wasm entry
2648         https://bugs.webkit.org/show_bug.cgi?id=187196
2649
2650         Reviewed by Mark Lam.
2651
2652         This puts VM entry and Wasm entry tracePoints behind a runtime
2653         option. This is a ~4x speedup on a soon to be released Wasm
2654         benchmark. tracePoints should basically never run more than 50
2655         times a second. Entering the VM and entering Wasm are user controlled,
2656         and can happen hundreds of thousands of times in a second. Depending
2657         on how the Wasm/JS code is structured, this can be disastrous for
2658         performance.
2659
2660         * runtime/Options.h:
2661         * runtime/VMEntryScope.cpp:
2662         (JSC::VMEntryScope::VMEntryScope):
2663         (JSC::VMEntryScope::~VMEntryScope):
2664         * wasm/WasmBBQPlan.cpp:
2665         (JSC::Wasm::BBQPlan::compileFunctions):
2666         * wasm/js/WebAssemblyFunction.cpp:
2667         (JSC::callWebAssemblyFunction):
2668
2669 2018-06-29  Saam Barati  <sbarati@apple.com>
2670
2671         We shouldn't recurse into the parser when gathering metadata about various function offsets
2672         https://bugs.webkit.org/show_bug.cgi?id=184074
2673         <rdar://problem/37165897>
2674
2675         Reviewed by Mark Lam.
2676
2677         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
2678         for that builtin. This required calling into the parser. However, the parser
2679         may throw a stack overflow. We were not able to recover from that. The only
2680         reason we called into the parser here is that we were gathering text offsets
2681         and various metadata for things in the builtin function. This patch writes a
2682         mini parser that figures this information out without calling into the full
2683         parser. (I've also added a debug assert that verifies the mini parser stays in
2684         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
2685         always succeeds.
2686
2687         * builtins/AsyncFromSyncIteratorPrototype.js:
2688         (globalPrivate.createAsyncFromSyncIterator):
2689         (globalPrivate.AsyncFromSyncIteratorConstructor):
2690         * builtins/BuiltinExecutables.cpp:
2691         (JSC::BuiltinExecutables::createExecutable):
2692         * builtins/GlobalOperations.js:
2693         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
2694         (globalPrivate.speciesConstructor):
2695         (globalPrivate.copyDataProperties):
2696         (globalPrivate.copyDataPropertiesNoExclusions):
2697         * builtins/PromiseOperations.js:
2698         (globalPrivate.newHandledRejectedPromise):
2699         * builtins/RegExpPrototype.js:
2700         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
2701         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
2702         * builtins/StringPrototype.js:
2703         (globalPrivate.hasObservableSideEffectsForStringReplace):
2704         (globalPrivate.getDefaultCollator):
2705         * parser/Nodes.cpp:
2706         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2707         (JSC::FunctionMetadataNode::operator== const):
2708         (JSC::FunctionMetadataNode::dump const):
2709         * parser/Nodes.h:
2710         * parser/Parser.h:
2711         (JSC::parse):
2712         * parser/ParserError.h:
2713         (JSC::ParserError::type const):
2714         * parser/ParserTokens.h:
2715         (JSC::JSTextPosition::operator== const):
2716         (JSC::JSTextPosition::operator!= const):
2717         * parser/SourceCode.h:
2718         (JSC::SourceCode::operator== const):
2719         (JSC::SourceCode::operator!= const):
2720         (JSC::SourceCode::subExpression const):
2721         (JSC::SourceCode::subExpression): Deleted.
2722
2723 2018-06-28  Michael Saboff  <msaboff@apple.com>
2724   
2725         IsoCellSet::sweepToFreeList() not safe when Full GC in process
2726         https://bugs.webkit.org/show_bug.cgi?id=187157
2727
2728         Reviewed by Mark Lam.
2729
2730         * heap/IsoCellSet.cpp:
2731         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
2732         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
2733         or not we are in the process of marking during a full GC.
2734         * heap/MarkedBlock.h:
2735         * heap/MarkedBlockInlines.h:
2736         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
2737
2738 2018-06-27  Saam Barati  <sbarati@apple.com>
2739
2740         Add some more register state information when we crash in repatchPutById
2741         https://bugs.webkit.org/show_bug.cgi?id=187112
2742
2743         Reviewed by Mark Lam.
2744
2745         This will help us gather info when we end up seeing a ObjectPropertyConditionSet
2746         with an offset that is different than what the put tells us.
2747
2748         * jit/Repatch.cpp:
2749         (JSC::tryCachePutByID):
2750
2751 2018-06-27  Mark Lam  <mark.lam@apple.com>
2752
2753         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
2754         https://bugs.webkit.org/show_bug.cgi?id=187119
2755
2756         Reviewed by Keith Miller.
2757
2758         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
2759         should be checking for codeBlock instead of !codeBlock
2760         before using the codeBlock.
2761
2762         I also renamed some other "print" functions to use "dump" instead
2763         to match their underlying C++ code that they will call e.g.
2764         CodeBlock::dumpSource().
2765
2766         * tools/JSDollarVM.cpp:
2767         (WTF::JSDollarVMCallFrame::finishCreation):
2768         (JSC::functionDumpSourceFor):
2769         (JSC::functionDumpBytecodeFor):
2770         (JSC::doPrint):
2771         (JSC::functionDataLog):
2772         (JSC::functionPrint):
2773         (JSC::functionDumpCallFrame):
2774         (JSC::functionDumpStack):
2775         (JSC::JSDollarVM::finishCreation):
2776         (JSC::functionPrintSourceFor): Deleted.
2777         (JSC::functionPrintBytecodeFor): Deleted.
2778         (JSC::doPrintln): Deleted.
2779         (JSC::functionPrintln): Deleted.
2780         (JSC::functionPrintCallFrame): Deleted.
2781         (JSC::functionPrintStack): Deleted.
2782         * tools/VMInspector.cpp:
2783         (JSC::DumpFrameFunctor::DumpFrameFunctor):
2784         (JSC::DumpFrameFunctor::operator() const):
2785         (JSC::VMInspector::dumpCallFrame):
2786         (JSC::VMInspector::dumpStack):
2787         (JSC::VMInspector::dumpValue):
2788         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
2789         (JSC::PrintFrameFunctor::operator() const): Deleted.
2790         (JSC::VMInspector::printCallFrame): Deleted.
2791         (JSC::VMInspector::printStack): Deleted.
2792         (JSC::VMInspector::printValue): Deleted.
2793         * tools/VMInspector.h:
2794
2795 2018-06-27  Keith Miller  <keith_miller@apple.com>
2796
2797         Add logging to try to diagnose where we get a null structure.
2798         https://bugs.webkit.org/show_bug.cgi?id=187106
2799
2800         Reviewed by Mark Lam.
2801
2802         Add a logging to JSObject::toPrimitive to help diagnose a nullptr
2803         structure crash.
2804
2805         This code should be removed when we fix <rdar://problem/33451840>
2806
2807         * runtime/JSObject.cpp:
2808         (JSC::callToPrimitiveFunction):
2809         * runtime/JSObject.h:
2810         (JSC::JSObject::getPropertySlot):
2811
2812 2018-06-27  Mark Lam  <mark.lam@apple.com>
2813
2814         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
2815         https://bugs.webkit.org/show_bug.cgi?id=187091
2816         <rdar://problem/41395624>
2817
2818         Reviewed by Yusuke Suzuki.
2819
2820         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
2821         take their slow paths, the slow path would jump back to the fast path right after
2822         the emitted code which clears the unused property values.  As a result, the
2823         unused properties are not initialized.  We've fixed this by adding the slow path
2824         generators before we emit the code to clear the unused properties.
2825
2826         * dfg/DFGSpeculativeJIT.cpp:
2827         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2828         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2829
2830 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2831
2832         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
2833         https://bugs.webkit.org/show_bug.cgi?id=185943
2834
2835         Reviewed by Mark Lam.
2836
2837         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
2838         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
2839         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
2840         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
2841
2842         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
2843         but it should be done in a separate patch since it would be performance sensitive.
2844
2845         * bytecompiler/NodesCodegen.cpp:
2846         (JSC::ArrayPatternNode::emitDirectBinding):
2847
2848 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         [JSC] Pass VM& to functions more
2851         https://bugs.webkit.org/show_bug.cgi?id=186241
2852
2853         Reviewed by Mark Lam.
2854
2855         This patch threads VM& to functions requiring VM& more.
2856
2857         * API/JSObjectRef.cpp:
2858         (JSObjectIsConstructor):
2859         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2860         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
2861         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2862         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
2863         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
2864         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2865         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2866         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2867         * bytecode/CodeBlockJettisoningWatchpoint.h:
2868         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2869         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
2870         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2871         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2872         * bytecode/StructureStubClearingWatchpoint.cpp:
2873         (JSC::StructureStubClearingWatchpoint::fireInternal):
2874         * bytecode/StructureStubClearingWatchpoint.h:
2875         * bytecode/Watchpoint.cpp:
2876         (JSC::Watchpoint::fire):
2877         (JSC::WatchpointSet::fireAllWatchpoints):
2878         * bytecode/Watchpoint.h:
2879         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2880         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
2881         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2882         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2883         (JSC::DFG::AdaptiveStructureWatchpoint::install):
2884         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2885         * dfg/DFGAdaptiveStructureWatchpoint.h:
2886         * dfg/DFGDesiredWatchpoints.cpp:
2887         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2888         * llint/LLIntSlowPaths.cpp:
2889         (JSC::LLInt::setupGetByIdPrototypeCache):
2890         * runtime/ArrayPrototype.cpp:
2891         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2892         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2893         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2894         (JSC::esSpecIsConstructor):
2895         * runtime/FunctionRareData.cpp:
2896         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2897         * runtime/FunctionRareData.h:
2898         * runtime/InferredStructureWatchpoint.cpp:
2899         (JSC::InferredStructureWatchpoint::fireInternal):
2900         * runtime/InferredStructureWatchpoint.h:
2901         * runtime/InternalFunction.cpp:
2902         (JSC::InternalFunction::createSubclassStructureSlow):
2903         * runtime/InternalFunction.h:
2904         (JSC::InternalFunction::createSubclassStructure):
2905         * runtime/JSCJSValue.h:
2906         * runtime/JSCJSValueInlines.h:
2907         (JSC::JSValue::isConstructor const):
2908         * runtime/JSCell.h:
2909         * runtime/JSCellInlines.h:
2910         (JSC::JSCell::isConstructor):
2911         (JSC::JSCell::methodTable const):
2912         * runtime/JSGlobalObject.cpp:
2913         (JSC::JSGlobalObject::init):
2914         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2915         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
2916         * runtime/ProxyObject.cpp:
2917         (JSC::ProxyObject::finishCreation):
2918         * runtime/ReflectObject.cpp:
2919         (JSC::reflectObjectConstruct):
2920         * runtime/StructureRareData.cpp:
2921         (JSC::StructureRareData::setObjectToStringValue):
2922         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
2923         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2924         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2925
2926 2018-06-26  Mark Lam  <mark.lam@apple.com>
2927
2928         eval() is wrong about the LiteralParser never throwing any exceptions.
2929         https://bugs.webkit.org/show_bug.cgi?id=187074
2930         <rdar://problem/41461099>
2931
2932         Reviewed by Saam Barati.
2933
2934         Added the missing exception check, and removed an erroneous assertion.
2935
2936         * interpreter/Interpreter.cpp:
2937         (JSC::eval):
2938
2939 2018-06-26  Saam Barati  <sbarati@apple.com>
2940
2941         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
2942         https://bugs.webkit.org/show_bug.cgi?id=186878
2943         <rdar://problem/40568659>
2944
2945         Reviewed by Filip Pizlo.
2946
2947         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
2948         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
2949         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
2950         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
2951         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
2952         conservative scan knows to treat it like a butterfly when we may be
2953         pointing into the middle of it.
2954         
2955         The way we were crashing on the stress GC bots is that our conservative marking
2956         won't do cell visiting for things that are Auxiliary. This meant that if the
2957         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
2958         that JSImmutableButterfly would not be visited. This is now fixed.
2959
2960         * bytecompiler/NodesCodegen.cpp:
2961         (JSC::ArrayNode::emitBytecode):
2962         * debugger/Debugger.cpp:
2963         * heap/ConservativeRoots.cpp:
2964         (JSC::ConservativeRoots::genericAddPointer):
2965         * heap/Heap.cpp:
2966         (JSC::GatherHeapSnapshotData::operator() const):
2967         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
2968         (JSC::Heap::globalObjectCount):
2969         (JSC::Heap::objectTypeCounts):
2970         (JSC::Heap::deleteAllCodeBlocks):
2971         * heap/HeapCell.cpp:
2972         (WTF::printInternal):
2973         * heap/HeapCell.h:
2974         (JSC::isJSCellKind):
2975         (JSC::hasInteriorPointers):
2976         * heap/HeapUtil.h:
2977         (JSC::HeapUtil::findGCObjectPointersForMarking):
2978         (JSC::HeapUtil::isPointerGCObjectJSCell):
2979         * heap/MarkedBlock.cpp:
2980         (JSC::MarkedBlock::Handle::didAddToDirectory):
2981         * heap/SlotVisitor.cpp:
2982         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2983         * runtime/JSGlobalObject.cpp:
2984         * runtime/JSImmutableButterfly.h:
2985         (JSC::JSImmutableButterfly::subspaceFor):
2986         * runtime/VM.cpp:
2987         (JSC::VM::VM):
2988         * runtime/VM.h:
2989         * tools/CellProfile.h:
2990         (JSC::CellProfile::CellProfile):
2991         (JSC::CellProfile::isJSCell const):
2992         * tools/HeapVerifier.cpp:
2993         (JSC::HeapVerifier::validateCell):
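
        The following is an added illustration, not WebKit code, of the distinction this entry
        (and the original landing of r233184 further down) draws between the cell kinds during
        conservative root scanning. Type and function names (CellKind, Cell, wordMarksCell,
        conservativeScan, makeHeap) and the addresses are hypothetical; the model only encodes what
        the entry states: Auxiliary cells get no cell visiting from the conservative scan, a plain
        JSCell is found through a pointer to its start, and JSCellWithInteriorPointers is also found
        through a pointer into its middle.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model of the three kinds discussed in the entry.
enum class CellKind { JSCell, JSCellWithInteriorPointers, Auxiliary };

struct Cell {
    CellKind kind;
    uintptr_t begin;   // constructed address; no real memory sits behind it
    size_t size;       // bytes
    bool marked = false;
};

// Decide whether a conservatively scanned word keeps `cell` alive.
//  - Auxiliary: conservative marking does no cell visiting, so a cell that was
//    wrongly allocated as Auxiliary is never marked by a stack reference.
//  - JSCell: only a pointer to the cell's first byte counts.
//  - JSCellWithInteriorPointers: any pointer into [begin, begin + size) counts,
//    which is the butterfly-style treatment the entry describes.
bool wordMarksCell(uintptr_t word, const Cell& cell)
{
    switch (cell.kind) {
    case CellKind::Auxiliary:
        return false;
    case CellKind::JSCell:
        return word == cell.begin;
    case CellKind::JSCellWithInteriorPointers:
        return word >= cell.begin && word < cell.begin + cell.size;
    }
    return false;
}

// Scan a constructed "stack" of words and mark every cell they keep alive.
// Returns the number of cells newly marked by this pass.
size_t conservativeScan(const std::vector<uintptr_t>& stackWords, std::vector<Cell>& heap)
{
    size_t newlyMarked = 0;
    for (uintptr_t word : stackWords) {
        for (Cell& cell : heap) {
            if (!cell.marked && wordMarksCell(word, cell)) {
                cell.marked = true;
                ++newlyMarked;
            }
        }
    }
    return newlyMarked;
}

// The scenario from the entry: a butterfly-like cell whose only reference is an
// interior pointer held on the stack, allocated with the kind under test.
std::vector<Cell> makeHeap(CellKind butterflyKind)
{
    return {
        { CellKind::JSCell, 0x1000, 64 },   // an ordinary cell, referenced exactly
        { butterflyKind,    0x2000, 128 },  // the butterfly-like cell under test
    };
}

int main()
{
    // Stack holds an exact pointer to the first cell and a pointer 16 bytes into the second.
    std::vector<uintptr_t> stack = { 0x1000, 0x2010 };

    std::vector<Cell> wrongKind = makeHeap(CellKind::Auxiliary);
    size_t markedWrong = conservativeScan(stack, wrongKind);   // 1: the butterfly-like cell is missed

    std::vector<Cell> rightKind = makeHeap(CellKind::JSCellWithInteriorPointers);
    size_t markedRight = conservativeScan(stack, rightKind);   // 2: interior pointer keeps it alive

    return (markedWrong == 1 && markedRight == 2) ? 0 : 1;
}
```

        With the Auxiliary kind the second cell is never marked and would be swept while the stack
        still points into it; with the interior-pointer kind the same stack word keeps it alive.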
2994
2995 2018-06-26  Mark Lam  <mark.lam@apple.com>
2996
2997         Skip some unnecessary work in Interpreter::getStackTrace().
2998         https://bugs.webkit.org/show_bug.cgi?id=187070
2999
3000         Reviewed by Michael Saboff.
3001
3002         * interpreter/Interpreter.cpp:
3003         (JSC::Interpreter::getStackTrace):
3004
3005 2018-06-26  Mark Lam  <mark.lam@apple.com>
3006
3007         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
3008         https://bugs.webkit.org/show_bug.cgi?id=187060
3009         <rdar://problem/41452767>
3010
3011         Reviewed by Keith Miller.
3012
3013         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
3014         write conversion.  Hence, we can return early after the conversion if the vector
3015         length is already sufficient to cover the requested length.
3016
3017         * runtime/JSObject.cpp:
3018         (JSC::JSObject::ensureLengthSlow):
3019
3020 2018-06-26  Commit Queue  <commit-queue@webkit.org>
3021
3022         Unreviewed, rolling out r233184.
3023         https://bugs.webkit.org/show_bug.cgi?id=187059
3024
3025         "It regressed JetStream between 5-8%" (Requested by saamyjoon
3026         on #webkit).
3027
3028         Reverted changeset:
3029
3030         "JSImmutableButterfly can't be allocated from a subspace with
3031         HeapCell::Kind::Auxiliary"
3032         https://bugs.webkit.org/show_bug.cgi?id=186878
3033         https://trac.webkit.org/changeset/233184
3034
3035 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3036
3037         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
3038         https://bugs.webkit.org/show_bug.cgi?id=187051
3039
3040         Reviewed by Mark Lam.
3041
3042         Revert r233065 changes over UnlinkedCodeBlock.h to allow
3043         clang-3.8 to be able to compile this back (with libstdc++5)
3044
3045         * bytecode/UnlinkedCodeBlock.h:
3046         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3047
3048 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
3049
3050         Fix testapi build when DFG_JIT is disabled
3051         https://bugs.webkit.org/show_bug.cgi?id=187038
3052
3053         Reviewed by Mark Lam.
3054
3055         r233158 added a new API and tests for configuring the number of JIT threads, but
3056         the API is only available when DFG_JIT is enabled and so should the tests.
3057
3058         * API/tests/testapi.mm:
3059         (runJITThreadLimitTests):
3060
3061 2018-06-25  Saam Barati  <sbarati@apple.com>
3062
3063         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3064         https://bugs.webkit.org/show_bug.cgi?id=186878
3065         <rdar://problem/40568659>
3066
3067         Reviewed by Mark Lam.
3068
3069         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3070         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3071         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
3072         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
3073         bots is that our conservative marking won't do cell marking for things that
3074         are Auxiliary. This means that if the stack is the only thing pointing to a
3075         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
3076         not be visited. This patch fixes this bug. This patch also extends our conservative
3077         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
3078
3079         * bytecompiler/NodesCodegen.cpp:
3080         (JSC::ArrayNode::emitBytecode):
3081         * heap/HeapUtil.h:
3082         (JSC::HeapUtil::findGCObjectPointersForMarking):
3083         * runtime/JSImmutableButterfly.h:
3084         (JSC::JSImmutableButterfly::subspaceFor):
3085
3086 2018-06-25  Mark Lam  <mark.lam@apple.com>
3087
3088         constructArray() should set m_numValuesInVector to the specified length.
3089         https://bugs.webkit.org/show_bug.cgi?id=187010
3090         <rdar://problem/41392167>
3091
3092         Reviewed by Filip Pizlo.
3093
3094         Its client will fill in the storage vector with some values using initializeIndex()
3095         and expects m_numValuesInVector to be set to the length i.e. the number of values
3096         to be initialized.
3097
3098         * runtime/JSArray.cpp:
3099         (JSC::constructArray):
3100
3101 2018-06-25  Mark Lam  <mark.lam@apple.com>
3102
3103         Add missing exception check in RegExpObjectInlines.h's collectMatches.
3104         https://bugs.webkit.org/show_bug.cgi?id=187006
3105         <rdar://problem/41418412>
3106
3107         Reviewed by Keith Miller.
3108
3109         * runtime/RegExpObjectInlines.h:
3110         (JSC::collectMatches):
3111
3112 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
3113
3114         Add API for configuring the number of threads used by DFG and FTL
3115         https://bugs.webkit.org/show_bug.cgi?id=186859
3116         <rdar://problem/41093519>
3117
3118         Reviewed by Filip Pizlo.
3119
3120         Add new private APIs for limiting the number of threads to be used by
3121         the DFG and FTL compilers. It was already possible to configure the
3122         limit through JSC Options, but now it can be changed at runtime, even
3123         in the case when the VM is already running.
3124
3125         Add a test for both cases: when trying to configure the limit before
3126         and after the Worklist has been created, but in order to simulate the
3127         first scenario, we must guarantee that the test runs at the very
3128         beginning, so I also added a check for that.
3129
3130         * API/JSVirtualMachine.mm:
3131         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3132         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3133         * API/JSVirtualMachinePrivate.h:
3134         * API/tests/testapi.mm:
3135         (runJITThreadLimitTests):
3136         (testObjectiveCAPIMain):
3137         * dfg/DFGWorklist.cpp:
3138         (JSC::DFG::Worklist::finishCreation):
3139         (JSC::DFG::Worklist::createNewThread):
3140         (JSC::DFG::Worklist::setNumberOfThreads):
3141         * dfg/DFGWorklist.h:
3142
3143 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3144
3145         [JSC] Remove unnecessary PLATFORM guards
3146         https://bugs.webkit.org/show_bug.cgi?id=186995
3147
3148         Reviewed by Mark Lam.
3149
3150         * assembler/AssemblerCommon.h:
3151         (JSC::isIOS):
3152         Add constexpr.
3153
3154         * inspector/JSGlobalObjectInspectorController.cpp:
3155         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3156         StackFrame works in all the platforms. If StackFrame::demangle failed,
3157         it just returns std::nullopt. And it is correctly handled in this code.
3158
3159 2018-06-23  Mark Lam  <mark.lam@apple.com>
3160
3161         Add more debugging features to $vm.
3162         https://bugs.webkit.org/show_bug.cgi?id=186947
3163
3164         Reviewed by Keith Miller.
3165
3166         Adding the following features:
3167
3168             // We now have println in addition to print.
3169             // println automatically adds a '\n' at the end.
3170             $vm.println("Hello");
3171
3172             // We can now capture some info about a stack frame.
3173             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
3174             var callerCallerFrame = $vm.callFrame(2);
3175
3176             // We can inspect the following values associated with the frame:
3177             if (currentFrame.valid) {
3178                 $vm.println("name is ", currentFrame.name);
3179
3180                 // Note: For a WASM frame, all of these will be undefined.
3181                 $vm.println("callee is ", $vm.value(currentFrame.callee));
3182                 $vm.println("codeBlock is ", currentFrame.codeBlock);
3183                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
3184                 $vm.println("executable is ", currentFrame.executable);
3185             }
3186
3187             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
3188             // to dataLog its JSValue instead of its toString() result.
3189
3190             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
3191             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
3192             // toString on a non-object.
3193
3194             // Does what it says about enabling/disabling debugger mode.
3195             $vm.enableDebuggerModeWhenIdle();
3196             $vm.disableDebuggerModeWhenIdle();
3197
3198         * tools/JSDollarVM.cpp:
3199         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
3200         (WTF::JSDollarVMCallFrame::createStructure):
3201         (WTF::JSDollarVMCallFrame::create):
3202         (WTF::JSDollarVMCallFrame::finishCreation):
3203         (WTF::JSDollarVMCallFrame::addProperty):
3204         (JSC::functionCallFrame):
3205         (JSC::functionCodeBlockForFrame):
3206         (JSC::codeBlockFromArg):
3207         (JSC::doPrintln):
3208         (JSC::functionPrint):
3209         (JSC::functionPrintln):
3210         (JSC::changeDebuggerModeWhenIdle):
3211         (JSC::functionEnableDebuggerModeWhenIdle):
3212         (JSC::functionDisableDebuggerModeWhenIdle):
3213         (JSC::JSDollarVM::finishCreation):
3214
3215 2018-06-22  Keith Miller  <keith_miller@apple.com>
3216
3217         We need to have a getDirectConcurrently for use in the compilers
3218         https://bugs.webkit.org/show_bug.cgi?id=186954
3219
3220         Reviewed by Mark Lam.
3221
3222         It used to be that the propertyStorage of an object never shrunk
3223         so if you called getDirect with some offset it would never be an
3224         OOB read. However, this property storage can shrink when calling
3225         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
3226         holds the Structure's ConcurrentJSLock while shrinking. This patch
3227         adds a getDirectConcurrently that will safely try to load from the
3228         butterfly.
3229
3230         * bytecode/ObjectPropertyConditionSet.cpp:
3231         * bytecode/PropertyCondition.cpp:
3232         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3233         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
3234         * dfg/DFGGraph.cpp:
3235         (JSC::DFG::Graph::tryGetConstantProperty):
3236         * runtime/JSObject.h:
3237         (JSC::JSObject::getDirectConcurrently const):
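
        The following is an added model, not WebKit's implementation, of the hazard and the fix this
        entry describes: a reader on another thread holding a stale offset into property storage that
        the owner may shrink under its lock. The Object struct, the std::mutex standing in for the
        Structure's ConcurrentJSLock, the std::vector standing in for the butterfly, and the try-lock
        choice are assumptions of this illustration; only the invariant (shrinking happens under the
        lock, so a concurrent read must re-check bounds under that lock or give up) comes from the entry.

```cpp
#include <cstddef>
#include <mutex>
#include <optional>
#include <vector>

// Hypothetical stand-ins for the JSC types named in the entry.
struct Object {
    std::mutex structureLock;          // plays the role of the Structure's ConcurrentJSLock
    std::vector<int> propertyStorage;  // plays the role of the out-of-line property storage
};

// Mutator side: storage shrinks only while the lock is held. That invariant is
// what makes the concurrent reader below safe.
void flattenDictionaryStructure(Object& obj, size_t newCapacity)
{
    std::lock_guard<std::mutex> locker(obj.structureLock);
    obj.propertyStorage.resize(newCapacity);
}

// Legacy-style reader: trusts the offset. Once storage can shrink, an offset a
// compiler thread computed earlier can point past the end (an out-of-bounds read).
int getDirect(const Object& obj, size_t offset)
{
    return obj.propertyStorage[offset];
}

// Concurrent reader: try to take the lock (this model's choice), re-validate the
// offset under it, and report "no value" instead of reading past the end.
std::optional<int> getDirectConcurrently(Object& obj, size_t offset)
{
    std::unique_lock<std::mutex> locker(obj.structureLock, std::try_to_lock);
    if (!locker.owns_lock())
        return std::nullopt;                      // owner is mutating; do not read
    if (offset >= obj.propertyStorage.size())
        return std::nullopt;                      // offset refers to storage that shrank away
    return obj.propertyStorage[offset];
}

int main()
{
    Object obj;
    obj.propertyStorage = { 10, 20, 30 };          // constructed sample storage
    std::optional<int> before = getDirectConcurrently(obj, 2); // 30
    flattenDictionaryStructure(obj, 1);            // shrink to one slot, as the mutator would
    std::optional<int> after = getDirectConcurrently(obj, 2);  // nullopt: getDirect would read OOB here
    return (before == 30 && !after.has_value()) ? 0 : 1;
}
```

        A caller that receives std::nullopt treats the property as unknown and falls back, which is
        the safe outcome for a compiler thread; the unsafe getDirect is kept only to show the contrast.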
3238
3239 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3240
3241         [WTF] Use Ref<> for the result type of non-failing factory functions
3242         https://bugs.webkit.org/show_bug.cgi?id=186920
3243
3244         Reviewed by Darin Adler.
3245
3246         * dfg/DFGWorklist.cpp:
3247         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
3248         (JSC::DFG::Worklist::finishCreation):
3249         * dfg/DFGWorklist.h:
3250         * heap/Heap.cpp:
3251         (JSC::Heap::Thread::Thread):
3252         * heap/Heap.h:
3253         * jit/JITWorklist.cpp:
3254         (JSC::JITWorklist::Thread::Thread):
3255         * jit/JITWorklist.h:
3256         * runtime/VMTraps.cpp:
3257         * runtime/VMTraps.h:
3258         * wasm/WasmWorklist.cpp:
3259         * wasm/WasmWorklist.h:
3260
3261 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3262
3263         [WTF] Add user-defined literal for ASCIILiteral
3264         https://bugs.webkit.org/show_bug.cgi?id=186839
3265
3266         Reviewed by Darin Adler.
3267
3268         * API/JSCallbackObjectFunctions.h:
3269         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3270         (JSC::JSCallbackObject<Parent>::callbackGetter):
3271         * API/JSObjectRef.cpp:
3272         (JSObjectMakeFunctionWithCallback):
3273         * API/JSTypedArray.cpp:
3274         (JSObjectGetArrayBufferBytesPtr):
3275         * API/JSValue.mm:
3276         (valueToArray):
3277         (valueToDictionary):
3278         * API/ObjCCallbackFunction.mm:
3279         (JSC::objCCallbackFunctionCallAsFunction):
3280         (JSC::objCCallbackFunctionCallAsConstructor):
3281         (JSC::ObjCCallbackFunctionImpl::call):
3282         * API/glib/JSCCallbackFunction.cpp:
3283         (JSC::JSCCallbackFunction::call):
3284         (JSC::JSCCallbackFunction::construct):
3285         * API/glib/JSCContext.cpp:
3286         (jscContextJSValueToGValue):
3287         * API/glib/JSCValue.cpp:
3288         (jsc_value_object_define_property_accessor):
3289         (jscValueFunctionCreate):
3290         * builtins/BuiltinUtils.h:
3291         * bytecode/CodeBlock.cpp:
3292         (JSC::CodeBlock::nameForRegister):
3293         * bytecompiler/BytecodeGenerator.cpp:
3294         (JSC::BytecodeGenerator::emitEnumeration):
3295         (JSC::BytecodeGenerator::emitIteratorNext):
3296         (JSC::BytecodeGenerator::emitIteratorClose):
3297         (JSC::BytecodeGenerator::emitDelegateYield):
3298         * bytecompiler/NodesCodegen.cpp:
3299         (JSC::FunctionCallValueNode::emitBytecode):
3300         (JSC::PostfixNode::emitBytecode):
3301         (JSC::PrefixNode::emitBytecode):
3302         (JSC::AssignErrorNode::emitBytecode):
3303         (JSC::ForInNode::emitBytecode):
3304         (JSC::ForOfNode::emitBytecode):
3305         (JSC::ClassExprNode::emitBytecode):
3306         (JSC::ObjectPatternNode::bindValue const):
3307         * dfg/DFGDriver.cpp:
3308         (JSC::DFG::compileImpl):
3309         * dfg/DFGOperations.cpp:
3310         (JSC::DFG::newTypedArrayWithSize):
3311         * dfg/DFGStrengthReductionPhase.cpp:
3312         (JSC::DFG::StrengthReductionPhase::handleNode):
3313         * inspector/ConsoleMessage.cpp:
3314         (Inspector::ConsoleMessage::addToFrontend):
3315         (Inspector::ConsoleMessage::clear):
3316         * inspector/ContentSearchUtilities.cpp:
3317         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
3318         * inspector/InjectedScript.cpp:
3319         (Inspector::InjectedScript::InjectedScript):
3320         (Inspector::InjectedScript::evaluate):
3321         (Inspector::InjectedScript::callFunctionOn):
3322         (Inspector::InjectedScript::evaluateOnCallFrame):
3323         (Inspector::InjectedScript::getFunctionDetails):
3324         (Inspector::InjectedScript::functionDetails):
3325         (Inspector::InjectedScript::getPreview):
3326         (Inspector::InjectedScript::getProperties):
3327         (Inspector::InjectedScript::getDisplayableProperties):
3328         (Inspector::InjectedScript::getInternalProperties):
3329         (Inspector::InjectedScript::getCollectionEntries):
3330         (Inspector::InjectedScript::saveResult):
3331         (Inspector::InjectedScript::wrapCallFrames const):
3332         (Inspector::InjectedScript::wrapObject const):
3333         (Inspector::InjectedScript::wrapJSONString const):
3334         (Inspector::InjectedScript::wrapTable const):
3335         (Inspector::InjectedScript::previewValue const):
3336         (Inspector::InjectedScript::setExceptionValue):
3337         (Inspector::InjectedScript::clearExceptionValue):
3338         (Inspector::InjectedScript::findObjectById const):
3339         (Inspector::InjectedScript::inspectObject):
3340         (Inspector::InjectedScript::releaseObject):
3341         (Inspector::InjectedScript::releaseObjectGroup):
3342         * inspector/InjectedScriptBase.cpp:
3343         (Inspector::InjectedScriptBase::makeEvalCall):
3344         * inspector/InjectedScriptManager.cpp:
3345         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3346         * inspector/InjectedScriptModule.cpp:
3347         (Inspector::InjectedScriptModule::ensureInjected):
3348         * inspector/InspectorBackendDispatcher.cpp:
3349         (Inspector::BackendDispatcher::dispatch):
3350         (Inspector::BackendDispatcher::sendResponse):
3351         (Inspector::BackendDispatcher::sendPendingErrors):
3352         * inspector/JSGlobalObjectConsoleClient.cpp:
3353         (Inspector::JSGlobalObjectConsoleClient::profile):
3354         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
3355         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3356         * inspector/JSGlobalObjectInspectorController.cpp:
3357         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3358         * inspector/JSInjectedScriptHost.cpp:
3359         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3360         (Inspector::JSInjectedScriptHost::subtype):
3361         (Inspector::JSInjectedScriptHost::getInternalProperties):
3362         * inspector/JSJavaScriptCallFrame.cpp:
3363         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3364         (Inspector::JSJavaScriptCallFrame::type const):
3365         * inspector/ScriptArguments.cpp:
3366         (Inspector::ScriptArguments::getFirstArgumentAsString):
3367         * inspector/ScriptCallStackFactory.cpp:
3368         (Inspector::extractSourceInformationFromException):
3369         * inspector/agents/InspectorAgent.cpp:
3370         (Inspector::InspectorAgent::InspectorAgent):
3371         * inspector/agents/InspectorConsoleAgent.cpp:
3372         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3373         (Inspector::InspectorConsoleAgent::clearMessages):
3374         (Inspector::InspectorConsoleAgent::count):
3375         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
3376         * inspector/agents/InspectorDebuggerAgent.cpp:
3377         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3378         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
3379         (Inspector::buildObjectForBreakpointCookie):
3380         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3381         (Inspector::parseLocation):
3382         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3383         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3384         (Inspector::InspectorDebuggerAgent::continueToLocation):
3385         (Inspector::InspectorDebuggerAgent::searchInContent):
3386         (Inspector::InspectorDebuggerAgent::getScriptSource):
3387         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
3388         (Inspector::InspectorDebuggerAgent::resume):
3389         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
3390         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
3391         (Inspector::InspectorDebuggerAgent::didParseSource):
3392         (Inspector::InspectorDebuggerAgent::assertPaused):
3393         * inspector/agents/InspectorHeapAgent.cpp:
3394         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
3395         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
3396         (Inspector::InspectorHeapAgent::getPreview):
3397         (Inspector::InspectorHeapAgent::getRemoteObject):
3398         * inspector/agents/InspectorRuntimeAgent.cpp:
3399         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
3400         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3401         (Inspector::InspectorRuntimeAgent::getPreview):
3402         (Inspector::InspectorRuntimeAgent::getProperties):
3403         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3404         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3405         (Inspector::InspectorRuntimeAgent::saveResult):
3406         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3407         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3408         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3409         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
3410         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3411         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
3412         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3413         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
3414         * inspector/scripts/codegen/cpp_generator_templates.py:
3415         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3416         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
3417         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3418         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3419         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3420         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3421         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3422         (CppProtocolTypesImplementationGenerator):
3423         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3424         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3425         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
3426         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3427         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3428         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3429         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3430         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
3431         * inspector/scripts/codegen/objc_generator_templates.py:
3432         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3433         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3434         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3435         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3436         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3437         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3438         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3439         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3440         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3441         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3442         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3443         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3444         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3445         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3446         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3447         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3448         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3449         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3450         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3451         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3452         * interpreter/CallFrame.cpp:
3453         (JSC::CallFrame::friendlyFunctionName):
3454         * interpreter/Interpreter.cpp:
3455         (JSC::Interpreter::execute):
3456         * interpreter/StackVisitor.cpp:
3457         (JSC::StackVisitor::Frame::functionName const):
3458         (JSC::StackVisitor::Frame::sourceURL const):
3459         * jit/JIT.cpp:
3460         (JSC::JIT::doMainThreadPreparationBeforeCompile):
3461         * jit/JITOperations.cpp:
3462         * jsc.cpp:
3463         (resolvePath):
3464         (GlobalObject::moduleLoaderImportModule):
3465         (GlobalObject::moduleLoaderResolve):
3466         (functionDescribeArray):
3467         (functionRun):
3468         (functionLoad):
3469         (functionCheckSyntax):
3470         (functionDollarEvalScript):
3471         (functionDollarAgentStart):
3472         (functionDollarAgentReceiveBroadcast):
3473         (functionDollarAgentBroadcast):
3474         (functionTransferArrayBuffer):
3475         (functionLoadModule):
3476         (functionSamplingProfilerStackTraces):
3477         (functionAsyncTestStart):
3478         (functionWebAssemblyMemoryMode):
3479         (runWithOptions):
3480         * parser/Lexer.cpp:
3481         (JSC::Lexer<T>::invalidCharacterMessage const):
3482         (JSC::Lexer<T>::parseString):
3483         (JSC::Lexer<T>::parseComplexEscape):
3484         (JSC::Lexer<T>::parseStringSlowCase):
3485         (JSC::Lexer<T>::parseTemplateLiteral):
3486         (JSC::Lexer<T>::lex):
3487         * parser/Parser.cpp:
3488         (JSC::Parser<LexerType>::parseInner):
3489         * parser/Parser.h:
3490         (JSC::Parser::setErrorMessage):
3491         * runtime/AbstractModuleRecord.cpp:
3492         (JSC::AbstractModuleRecord::finishCreation):
3493         * runtime/ArrayBuffer.cpp:
3494         (JSC::errorMesasgeForTransfer):
3495         * runtime/ArrayBufferSharingMode.h:
3496         (JSC::arrayBufferSharingModeName):
3497         * runtime/ArrayConstructor.cpp:
3498         (JSC::constructArrayWithSizeQuirk):
3499         (JSC::isArraySlowInline):
3500         * runtime/ArrayPrototype.cpp:
3501         (JSC::setLength):
3502         (JSC::shift):
3503         (JSC::unshift):
3504         (JSC::arrayProtoFuncPop):
3505         (JSC::arrayProtoFuncReverse):
3506         (JSC::arrayProtoFuncUnShift):
3507         * runtime/AtomicsObject.cpp:
3508         (JSC::atomicsFuncWait):
3509         (JSC::atomicsFuncWake):
3510         * runtime/BigIntConstructor.cpp:
3511         (JSC::BigIntConstructor::finishCreation):
3512         (JSC::toBigInt):
3513         (JSC::callBigIntConstructor):
3514         * runtime/BigIntObject.cpp:
3515         (JSC::BigIntObject::toStringName):
3516         * runtime/BigIntPrototype.cpp:
3517         (JSC::bigIntProtoFuncToString):
3518         (JSC::bigIntProtoFuncValueOf):
3519         * runtime/CommonSlowPaths.cpp:
3520         (JSC::SLOW_PATH_DECL):
3521         * runtime/ConsoleClient.cpp:
3522         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3523         * runtime/ConsoleObject.cpp:
3524         (JSC::valueOrDefaultLabelString):
3525         (JSC::consoleProtoFuncTime):
3526         (JSC::consoleProtoFuncTimeEnd):
3527         * runtime/DatePrototype.cpp:
3528         (JSC::formatLocaleDate):
3529         (JSC::formateDateInstance):
3530         (JSC::DatePrototype::finishCreation):
3531         (JSC::dateProtoFuncToISOString):
3532         (JSC::dateProtoFuncToJSON):
3533         * runtime/Error.cpp:
3534         (JSC::createNotEnoughArgumentsError):
3535         (JSC::throwSyntaxError):
3536         (JSC::createTypeError):
3537         (JSC::createOutOfMemoryError):
3538         * runtime/Error.h:
3539         (JSC::throwVMError):
3540         * runtime/ErrorConstructor.cpp:
3541         (JSC::ErrorConstructor::finishCreation):
3542         * runtime/ErrorInstance.cpp:
3543         (JSC::ErrorInstance::sanitizedToString):
3544         * runtime/ErrorPrototype.cpp:
3545         (JSC::ErrorPrototype::finishCreation):
3546         (JSC::errorProtoFuncToString):
3547         * runtime/ExceptionFuzz.cpp:
3548         (JSC::doExceptionFuzzing):
3549         * runtime/ExceptionHelpers.cpp:
3550         (JSC::TerminatedExecutionError::defaultValue):
3551         (JSC::createStackOverflowError):
3552         (JSC::createNotAConstructorError):
3553         (JSC::createNotAFunctionError):
3554         (JSC::createNotAnObjectError):
3555         * runtime/GetterSetter.cpp:
3556         (JSC::callSetter):
3557         * runtime/IntlCollator.cpp:
3558         (JSC::sortLocaleData):
3559         (JSC::searchLocaleData):
3560         (JSC::IntlCollator::initializeCollator):
3561         (JSC::IntlCollator::compareStrings):
3562         (JSC::IntlCollator::usageString):
3563         (JSC::IntlCollator::sensitivityString):
3564         (JSC::IntlCollator::caseFirstString):
3565         (JSC::IntlCollator::resolvedOptions):
3566         * runtime/IntlCollator.h:
3567         * runtime/IntlCollatorConstructor.cpp:
3568         (JSC::IntlCollatorConstructor::finishCreation):
3569         * runtime/IntlCollatorPrototype.cpp:
3570         (JSC::IntlCollatorPrototypeGetterCompare):
3571         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
3572         * runtime/IntlDateTimeFormat.cpp:
3573         (JSC::defaultTimeZone):
3574         (JSC::canonicalizeTimeZoneName):
3575         (JSC::IntlDTFInternal::localeData):
3576         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
3577         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3578         (JSC::IntlDateTimeFormat::weekdayString):
3579         (JSC::IntlDateTimeFormat::eraString):
3580         (JSC::IntlDateTimeFormat::yearString):
3581         (JSC::IntlDateTimeFormat::monthString):
3582         (JSC::IntlDateTimeFormat::dayString):
3583         (JSC::IntlDateTimeFormat::hourString):
3584         (JSC::IntlDateTimeFormat::minuteString):
3585         (JSC::IntlDateTimeFormat::secondString):
3586         (JSC::IntlDateTimeFormat::timeZoneNameString):
3587         (JSC::IntlDateTimeFormat::resolvedOptions):
3588         (JSC::IntlDateTimeFormat::format):
3589         (JSC::IntlDateTimeFormat::partTypeString):
3590         (JSC::IntlDateTimeFormat::formatToParts):
3591         * runtime/IntlDateTimeFormat.h:
3592         * runtime/IntlDateTimeFormatConstructor.cpp:
3593         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3594         * runtime/IntlDateTimeFormatPrototype.cpp:
3595         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
3596         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
3597         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
3598         * runtime/IntlNumberFormat.cpp:
3599         (JSC::IntlNumberFormat::initializeNumberFormat):
3600         (JSC::IntlNumberFormat::formatNumber):
3601         (JSC::IntlNumberFormat::styleString):
3602         (JSC::IntlNumberFormat::currencyDisplayString):
3603         (JSC::IntlNumberFormat::resolvedOptions):
3604         (JSC::IntlNumberFormat::partTypeString):
3605         (JSC::IntlNumberFormat::formatToParts):
3606         * runtime/IntlNumberFormat.h:
3607         * runtime/IntlNumberFormatConstructor.cpp:
3608         (JSC::IntlNumberFormatConstructor::finishCreation):
3609         * runtime/IntlNumberFormatPrototype.cpp:
3610         (JSC::IntlNumberFormatPrototypeGetterFormat):
3611         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
3612         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
3613         * runtime/IntlObject.cpp:
3614         (JSC::grandfatheredLangTag):
3615         (JSC::canonicalizeLocaleList):
3616         (JSC::resolveLocale):
3617         (JSC::supportedLocales):
3618         * runtime/IntlPluralRules.cpp:
3619         (JSC::IntlPluralRules::initializePluralRules):
3620         (JSC::IntlPluralRules::resolvedOptions):
3621         (JSC::IntlPluralRules::select):
3622         * runtime/IntlPluralRulesConstructor.cpp:
3623         (JSC::IntlPluralRulesConstructor::finishCreation):
3624         * runtime/IntlPluralRulesPrototype.cpp:
3625         (JSC::IntlPluralRulesPrototypeFuncSelect):
3626         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
3627         * runtime/IteratorOperations.cpp:
3628         (JSC::iteratorNext):
3629         (JSC::iteratorClose):
3630         (JSC::hasIteratorMethod):
3631         (JSC::iteratorMethod):
3632         * runtime/JSArray.cpp:
3633         (JSC::JSArray::tryCreateUninitializedRestricted):
3634         (JSC::JSArray::defineOwnProperty):
3635         (JSC::JSArray::put):
3636         (JSC::JSArray::setLengthWithArrayStorage):
3637         (JSC::JSArray::appendMemcpy):
3638         (JSC::JSArray::pop):
3639         * runtime/JSArray.h:
3640         * runtime/JSArrayBufferConstructor.cpp:
3641         (JSC::JSArrayBufferConstructor::finishCreation):
3642         * runtime/JSArrayBufferPrototype.cpp:
3643         (JSC::arrayBufferProtoFuncSlice):
3644         (JSC::arrayBufferProtoGetterFuncByteLength):
3645         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
3646         * runtime/JSArrayBufferView.cpp:
3647         (JSC::JSArrayBufferView::toStringName):
3648         * runtime/JSArrayInlines.h:
3649         (JSC::JSArray::pushInline):
3650         * runtime/JSBigInt.cpp:
3651         (JSC::JSBigInt::divide):
3652         (JSC::JSBigInt::remainder):
3653         (JSC::JSBigInt::toNumber const):
3654         * runtime/JSCJSValue.cpp:
3655         (JSC::JSValue::putToPrimitive):
3656         (JSC::JSValue::putToPrimitiveByIndex):
3657         (JSC::JSValue::toStringSlowCase const):
3658         * runtime/JSCJSValueInlines.h:
3659         (JSC::toPreferredPrimitiveType):
3660         * runtime/JSDataView.cpp:
3661         (JSC::JSDataView::create):
3662         (JSC::JSDataView::put):
3663         (JSC::JSDataView::defineOwnProperty):
3664         * runtime/JSDataViewPrototype.cpp:
3665         (JSC::getData):
3666         (JSC::setData):
3667         * runtime/JSFunction.cpp:
3668         (JSC::JSFunction::callerGetter):
3669         (JSC::JSFunction::put):
3670         (JSC::JSFunction::defineOwnProperty):
3671         * runtime/JSGenericTypedArrayView.h:
3672         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3673         (JSC::constructGenericTypedArrayViewWithArguments):
3674         (JSC::constructGenericTypedArrayView):
3675         * runtime/JSGenericTypedArrayViewInlines.h:
3676         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
3677         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3678         (JSC::speciesConstruct):
3679         (JSC::genericTypedArrayViewProtoFuncSet):
3680         (JSC::genericTypedArrayViewProtoFuncIndexOf):
3681         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
3682         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3683         * runtime/JSGlobalObject.cpp:
3684         (JSC::JSGlobalObject::init):
3685         * runtime/JSGlobalObjectDebuggable.cpp:
3686         (JSC::JSGlobalObjectDebuggable::name const):
3687         * runtime/JSGlobalObjectFunctions.cpp:
3688         (JSC::encode):
3689         (JSC::decode):
3690         (JSC::globalFuncProtoSetter):
3691         * runtime/JSGlobalObjectFunctions.h:
3692         * runtime/JSMap.cpp:
3693         (JSC::JSMap::toStringName):
3694         * runtime/JSModuleEnvironment.cpp:
3695         (JSC::JSModuleEnvironment::put):
3696         * runtime/JSModuleNamespaceObject.cpp:
3697         (JSC::JSModuleNamespaceObject::put):
3698         (JSC::JSModuleNamespaceObject::putByIndex):
3699         (JSC::JSModuleNamespaceObject::defineOwnProperty):
3700         * runtime/JSONObject.cpp:
3701         (JSC::Stringifier::appendStringifiedValue):
3702         (JSC::JSONProtoFuncParse):
3703         (JSC::JSONProtoFuncStringify):
3704         * runtime/JSObject.cpp:
3705         (JSC::getClassPropertyNames):
3706         (JSC::JSObject::calculatedClassName):
3707         (JSC::ordinarySetSlow):
3708         (JSC::JSObject::putInlineSlow):
3709         (JSC::JSObject::setPrototypeWithCycleCheck):
3710         (JSC::callToPrimitiveFunction):
3711         (JSC::JSObject::ordinaryToPrimitive const):
3712         (JSC::JSObject::defaultHasInstance):
3713         (JSC::JSObject::defineOwnIndexedProperty):
3714         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3715         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3716         (JSC::validateAndApplyPropertyDescriptor):
3717         * runtime/JSObject.h:
3718         * runtime/JSObjectInlines.h:
3719         (JSC::JSObject::putInlineForJSObject):
3720         * runtime/JSPromiseConstructor.cpp:
3721         (JSC::JSPromiseConstructor::finishCreation):
3722         * runtime/JSSet.cpp:
3723         (JSC::JSSet::toStringName):
3724         * runtime/JSSymbolTableObject.h:
3725         (JSC::symbolTablePut):
3726         * runtime/JSTypedArrayViewConstructor.cpp:
3727         (JSC::constructTypedArrayView):
3728         * runtime/JSTypedArrayViewPrototype.cpp:
3729         (JSC::typedArrayViewPrivateFuncLength):
3730         (JSC::typedArrayViewProtoFuncSet):
3731         (JSC::typedArrayViewProtoFuncCopyWithin):
3732         (JSC::typedArrayViewProtoFuncLastIndexOf):
3733         (JSC::typedArrayViewProtoFuncIndexOf):
3734         (JSC::typedArrayViewProtoFuncJoin):
3735         (JSC::typedArrayViewProtoGetterFuncBuffer):
3736         (JSC::typedArrayViewProtoGetterFuncLength):
3737         (JSC::typedArrayViewProtoGetterFuncByteLength):
3738         (JSC::typedArrayViewProtoGetterFuncByteOffset):
3739         (JSC::typedArrayViewProtoFuncReverse):
3740         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
3741         (JSC::typedArrayViewProtoFuncSlice):
3742         (JSC::JSTypedArrayViewPrototype::finishCreation):
3743         * runtime/JSWeakMap.cpp:
3744         (JSC::JSWeakMap::toStringName):
3745         * runtime/JSWeakSet.cpp:
3746         (JSC::JSWeakSet::toStringName):
3747         * runtime/LiteralParser.cpp:
3748         (JSC::LiteralParser<CharType>::Lexer::lex):
3749         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3750         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
3751         (JSC::LiteralParser<CharType>::parse):
3752         * runtime/LiteralParser.h:
3753         (JSC::LiteralParser::getErrorMessage):
3754         * runtime/Lookup.cpp:
3755         (JSC::reifyStaticAccessor):
3756         * runtime/Lookup.h:
3757         (JSC::putEntry):
3758         * runtime/MapPrototype.cpp:
3759         (JSC::getMap):
3760         * runtime/NullSetterFunction.cpp:
3761         (JSC::NullSetterFunctionInternal::callReturnUndefined):
3762         * runtime/NumberPrototype.cpp:
3763         (JSC::numberProtoFuncToExponential):
3764         (JSC::numberProtoFuncToFixed):
3765         (JSC::numberProtoFuncToPrecision):
3766         (JSC::extractToStringRadixArgument):
3767         * runtime/ObjectConstructor.cpp:
3768         (JSC::objectConstructorSetPrototypeOf):
3769         (JSC::objectConstructorAssign):
3770         (JSC::objectConstructorValues):
3771         (JSC::toPropertyDescriptor):
3772         (JSC::objectConstructorDefineProperty):
3773         (JSC::objectConstructorDefineProperties):
3774         (JSC::objectConstructorCreate):
3775         (JSC::objectConstructorSeal):
3776         (JSC::objectConstructorFreeze):
3777         * runtime/ObjectPrototype.cpp:
3778         (JSC::objectProtoFuncDefineGetter):
3779         (JSC::objectProtoFuncDefineSetter):
3780         * runtime/Operations.cpp:
3781         (JSC::jsAddSlowCase):
3782         * runtime/Operations.h:
3783         (JSC::jsSub):
3784         (JSC::jsMul):
3785         * runtime/ProgramExecutable.cpp:
3786         (JSC::ProgramExecutable::initializeGlobalProperties):
3787         * runtime/ProxyConstructor.cpp:
3788         (JSC::makeRevocableProxy):
3789         (JSC::proxyRevocableConstructorThrowError):
3790         (JSC::ProxyConstructor::finishCreation):
3791         (JSC::constructProxyObject):
3792         * runtime/ProxyObject.cpp:
3793         (JSC::ProxyObject::toStringName):
3794         (JSC::ProxyObject::finishCreation):
3795         (JSC::performProxyGet):
3796         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3797         (JSC::ProxyObject::performHasProperty):
3798         (JSC::ProxyObject::performPut):
3799         (JSC::performProxyCall):
3800         (JSC::performProxyConstruct):
3801         (JSC::ProxyObject::performDelete):
3802         (JSC::ProxyObject::performPreventExtensions):
3803         (JSC::ProxyObject::performIsExtensible):
3804         (JSC::ProxyObject::performDefineOwnProperty):
3805         (JSC::ProxyObject::performGetOwnPropertyNames):
3806         (JSC::ProxyObject::performSetPrototype):
3807         (JSC::ProxyObject::performGetPrototype):
3808         * runtime/ReflectObject.cpp:
3809         (JSC::reflectObjectConstruct):
3810         (JSC::reflectObjectDefineProperty):
3811         (JSC::reflectObjectGet):
3812         (JSC::reflectObjectGetOwnPropertyDescriptor):
3813         (JSC::reflectObjectGetPrototypeOf):
3814         (JSC::reflectObjectIsExtensible):
3815         (JSC::reflectObjectOwnKeys):
3816         (JSC::reflectObjectPreventExtensions):
3817         (JSC::reflectObjectSet):
3818         (JSC::reflectObjectSetPrototypeOf):
3819         * runtime/RegExpConstructor.cpp:
3820         (JSC::RegExpConstructor::finishCreation):
3821         (JSC::toFlags):
3822         * runtime/RegExpObject.cpp:
3823         (JSC::RegExpObject::defineOwnProperty):
3824         * runtime/RegExpObject.h:
3825         * runtime/RegExpPrototype.cpp:
3826         (JSC::regExpProtoFuncCompile):
3827         (JSC::regExpProtoGetterGlobal):
3828         (JSC::regExpProtoGetterIgnoreCase):
3829         (JSC::regExpProtoGetterMultiline):
3830         (JSC::regExpProtoGetterDotAll):
3831         (JSC::regExpProtoGetterSticky):
3832         (JSC::regExpProtoGetterUnicode):
3833         (JSC::regExpProtoGetterFlags):
3834         (JSC::regExpProtoGetterSourceInternal):
3835         (JSC::regExpProtoGetterSource):
3836         * runtime/RuntimeType.cpp:
3837         (JSC::runtimeTypeAsString):
3838         * runtime/SamplingProfiler.cpp:
3839         (JSC::SamplingProfiler::StackFrame::displayName):
3840         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
3841         * runtime/ScriptExecutable.cpp:
3842         (JSC::ScriptExecutable::prepareForExecutionImpl):
3843         * runtime/SetPrototype.cpp:
3844         (JSC::getSet):
3845         * runtime/SparseArrayValueMap.cpp:
3846         (JSC::SparseArrayValueMap::putEntry):
3847         (JSC::SparseArrayValueMap::putDirect):
3848         (JSC::SparseArrayEntry::put):
3849         * runtime/StackFrame.cpp:
3850         (JSC::StackFrame::sourceURL const):
3851         (JSC::StackFrame::functionName const):
3852         * runtime/StringConstructor.cpp:
3853         (JSC::stringFromCodePoint):
3854         * runtime/StringObject.cpp:
3855         (JSC::StringObject::put):
3856         (JSC::StringObject::putByIndex):
3857         * runtime/StringPrototype.cpp:
3858         (JSC::StringPrototype::finishCreation):
3859         (JSC::toLocaleCase):
3860         (JSC::stringProtoFuncNormalize):
3861         * runtime/Symbol.cpp:
3862         (JSC::Symbol::toNumber const):
3863         * runtime/SymbolConstructor.cpp:
3864         (JSC::symbolConstructorKeyFor):
3865