Clarify conversion rules for JSValue property access API
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-30  Keith Miller  <keith_miller@apple.com>

        Clarify conversion rules for JSValue property access API
        https://bugs.webkit.org/show_bug.cgi?id=188179

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:
9
2018-07-30  Keith Miller  <keith_miller@apple.com>

        Rename some JSC API functions/types.
        https://bugs.webkit.org/show_bug.cgi?id=188173

        Reviewed by Saam Barati.

        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyForKey):
        (JSObjectGetPropertyForKey):
        (JSObjectSetPropertyForKey):
        (JSObjectDeletePropertyForKey):
        (JSObjectHasPropertyKey): Deleted.
        (JSObjectGetPropertyKey): Deleted.
        (JSObjectSetPropertyKey): Deleted.
        (JSObjectDeletePropertyKey): Deleted.
        * API/JSObjectRef.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
        * API/tests/testapi.cpp:
        (TestAPI::run):
36
2018-07-30  Mark Lam  <mark.lam@apple.com>

        Add a debugging utility to dump the memory layout of a JSCell.
        https://bugs.webkit.org/show_bug.cgi?id=188157

        Reviewed by Yusuke Suzuki.

        This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
        dump the memory contents of a cell and, if present, its butterfly for debugging
        purposes.

        Example usage for JS code when JSC_useDollarVM=true:

            $vm.dumpCell(obj);

        Example usage from C++ code or from lldb:

            (lldb) p JSC::VMInspector::dumpCellMemory(obj)

        Some examples of dumps:

            <0x104bc8260, Object>
              [0] 0x104bc8260 : 0x010016000000016c header
                structureID 364 0x16c structure 0x104b721b0
                indexingTypeAndMisc 0 0x0 NonArray
                type 22 0x16
                flags 0 0x0
                cellState 1
              [1] 0x104bc8268 : 0x0000000000000000 butterfly
              [2] 0x104bc8270 : 0xffff000000000007
              [3] 0x104bc8278 : 0xffff000000000008

            <0x104bb4360, Array>
              [0] 0x104bb4360 : 0x0108210b00000171 header
                structureID 369 0x171 structure 0x104b723e0
                indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
                type 33 0x21
                flags 8 0x8
                cellState 1
              [1] 0x104bb4368 : 0x00000008000f4718 butterfly
                base 0x8000f46e0
                hasIndexingHeader YES hasAnyArrayStorage YES
                publicLength 4 vectorLength 7 indexBias 2
                preCapacity 2 propertyCapacity 4
                  <--- preCapacity
                  [0] 0x8000f46e0 : 0x0000000000000000
                  [1] 0x8000f46e8 : 0x0000000000000000
                  <--- propertyCapacity
                  [2] 0x8000f46f0 : 0x0000000000000000
                  [3] 0x8000f46f8 : 0x0000000000000000
                  [4] 0x8000f4700 : 0xffff00000000000d
                  [5] 0x8000f4708 : 0xffff00000000000c
                  <--- indexingHeader
                  [6] 0x8000f4710 : 0x0000000700000004
                  <--- butterfly
                  <--- arrayStorage
                  [7] 0x8000f4718 : 0x0000000000000000
                  [8] 0x8000f4720 : 0x0000000400000002
                  <--- indexedProperties
                  [9] 0x8000f4728 : 0xffff000000000008
                  [10] 0x8000f4730 : 0xffff000000000009
                  [11] 0x8000f4738 : 0xffff000000000005
                  [12] 0x8000f4740 : 0xffff000000000006
                  [13] 0x8000f4748 : 0x0000000000000000
                  [14] 0x8000f4750 : 0x0000000000000000
                  [15] 0x8000f4758 : 0x0000000000000000
                  <--- unallocated capacity
                  [16] 0x8000f4760 : 0x0000000000000000
                  [17] 0x8000f4768 : 0x0000000000000000
                  [18] 0x8000f4770 : 0x0000000000000000
                  [19] 0x8000f4778 : 0x0000000000000000

        * runtime/JSObject.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpCell):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpCellMemory):
        (JSC::IndentationScope::IndentationScope):
        (JSC::IndentationScope::~IndentationScope):
        (JSC::VMInspector::dumpCellMemoryToStream):
        * tools/VMInspector.h:
119
2018-07-27  Mark Lam  <mark.lam@apple.com>

        Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
        https://bugs.webkit.org/show_bug.cgi?id=188123
        <rdar://problem/42672268>

        Reviewed by Keith Miller.

        1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
           padding space in VM and Heap, and should not cost any measurable perf to
           initialize and update.

        2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():

           worldState tells us the value we failed the assertion on.

           m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
           that led us here.

           VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.

           VM::isEntered() tells us if the current VM is currently executing JS code.

           Some of this data may be redundant, but the redundancy is intentional so that
           we can double check what is really happening at the time of crash.

        * heap/Heap.cpp:
        (JSC::asInt):
        (JSC::Heap::checkConn):
        (JSC::Heap::changePhase):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::nextID):
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::numberOfIDs):
        (JSC::VM::id const):
        (JSC::VM::isEntered const):
158
2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile correctly
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
        This is important since our OSR exit compiler records m_observedArrayModes by calculating
        ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
        our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
        Array::Generic DFG nodes.

        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        (JSC::ArrayProfile::ArrayProfile):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * runtime/IndexingType.h:
180
2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Remove INTL sub-feature compile flags
        https://bugs.webkit.org/show_bug.cgi?id=188081

        Reviewed by Michael Catanzaro.

        Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
        The runtime flags are still present, and should be relied on instead.
        The defines for ICU features have also been updated to match HAVE() style.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h:
        * runtime/Options.h:
198
2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Dump IndexingMode in Structure
        https://bugs.webkit.org/show_bug.cgi?id=188085

        Reviewed by Keith Miller.

        Dump IndexingMode instead of IndexingType.

        * runtime/Structure.cpp:
        (JSC::Structure::dump const):
210
2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>

        String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
        https://bugs.webkit.org/show_bug.cgi?id=187963

        Reviewed by Alex Christensen.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        * jsc.cpp:
        (ModuleName::ModuleName):
        (resolvePath):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLanguageTag):
        (JSC::removeUnicodeLocaleExtension):
        Update split/splitAllowingEmptyEntries usage.
227
2018-07-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234181 and r234189.
        https://bugs.webkit.org/show_bug.cgi?id=188075

        These are not needed right now (Requested by thorton on
        #webkit).

        Reverted changesets:

        "Enable Web Content Filtering on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187979
        https://trac.webkit.org/changeset/234181

        "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187985
        https://trac.webkit.org/changeset/234189
245
2018-07-26  Mark Lam  <mark.lam@apple.com>

        arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
        https://bugs.webkit.org/show_bug.cgi?id=188065
        <rdar://problem/42515726>

        Reviewed by Saam Barati.

        * runtime/ArrayPrototype.cpp:
        (JSC::clearElement):
        (JSC::copyElements):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
258
2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
        https://bugs.webkit.org/show_bug.cgi?id=167991

        Reviewed by Michael Catanzaro.

        Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
        Checked locale.isEmpty() before returning it from defaultLocale, so there should be
        no more cases where you might have an invalid locale come back from resolveLocale.

        * runtime/IntlObject.cpp:
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
280
2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
        https://bugs.webkit.org/show_bug.cgi?id=188040

        Unreviewed build fix for AppleWin port.

        * API/tests/testapi.c: Disabled warning C4204.
        (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
290
2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Unreviewed build fix for Windows port.

        r234227 introduced a compilation error unresolved external symbol
        "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.

        Windows ports are compiling testapi.c as C++ by using /TP switch.

        * API/tests/testapi.c:
        (main): Removed `::` prefix of ::SetErrorMode Windows API.
        (dllLauncherEntryPoint): Converted into C style.
        * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
307
2018-07-25  Keith Miller  <keith_miller@apple.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Reviewed by Filip Pizlo.

        This patch makes the following API additions:
        1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
        2) Create a symbol on both APIs.
        3) Get/Set/Delete/Define property now take ids in the Obj-C API.
        4) Add Get/Set/Delete in the C API.

        We can do 3 because it is both binary and source compatible with
        the existing API. I added (4) because the current property access
        APIs only have the ability to get Strings. It was possible to
        merge symbols into JSStringRef but that felt confusing and exposes
        implementation details of our engine. The new functions match the
        same meaning that they have in JS, thus should be forward
        compatible with any future language extensions.

        Lastly, this patch adds the same availability preprocessing phase
        in WebCore to JavaScriptCore, which enables TBA features for
        testing on previous releases.

        * API/APICast.h:
        * API/JSBasePrivate.h:
        * API/JSContext.h:
        * API/JSContextPrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefInternal.h:
        * API/JSContextRefPrivate.h:
        * API/JSManagedValue.h:
        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyKey):
        (JSObjectGetPropertyKey):
        (JSObjectSetPropertyKey):
        (JSObjectDeletePropertyKey):
        * API/JSObjectRef.h:
        * API/JSRemoteInspector.h:
        * API/JSTypedArray.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue valueForProperty:valueForProperty:]):
        (-[JSValue setValue:forProperty:setValue:forProperty:]):
        (-[JSValue deleteProperty:deleteProperty:]):
        (-[JSValue hasProperty:hasProperty:]):
        (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
        (-[JSValue isSymbol]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue valueForProperty:]): Deleted.
        (-[JSValue setValue:forProperty:]): Deleted.
        (-[JSValue deleteProperty:]): Deleted.
        (-[JSValue hasProperty:]): Deleted.
        (-[JSValue defineProperty:descriptor:]): Deleted.
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsSymbol):
        (JSValueMakeSymbol):
        * API/JSValueRef.h:
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/CustomGlobalObjectClassTest.c:
        * API/tests/DateTests.mm:
        * API/tests/JSExportTests.mm:
        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/Node.c:
        * API/tests/NodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp: Added.
        (APIString::APIString):
        (APIString::~APIString):
        (APIString::operator JSStringRef):
        (APIContext::APIContext):
        (APIContext::~APIContext):
        (APIContext::operator JSGlobalContextRef):
        (APIVector::APIVector):
        (APIVector::~APIVector):
        (APIVector::append):
        (testCAPIViaCpp):
        (TestAPI::evaluateScript):
        (TestAPI::callFunction):
        (TestAPI::functionReturnsTrue):
        (TestAPI::check):
        (TestAPI::checkJSAndAPIMatch):
        (TestAPI::interestingObjects):
        (TestAPI::interestingKeys):
        (TestAPI::run):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * postprocess-headers.sh:
        * shell/CMakeLists.txt:
        * testmem/testmem.mm:
409
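The entry above says the new symbol-keyed property functions "match the same meaning that they have in JS". The following is an added example, not WebKit code, showing that meaning in plain JavaScript: a symbol key never aliases a string key (not even the string returned by the symbol's toString), two symbols with the same description are different keys, and deletion honours configurability exactly as for string keys. Object, symbol and key names are constructed for the example.

```javascript
// Added example, not WebKit code: the JavaScript semantics that the new
// symbol-capable property entry points (JSObject{Has,Get,Set,Delete}PropertyForKey
// in the C API, the id-taking -[JSValue ...forProperty:] methods in Obj-C) mirror.

// A symbol-keyed property next to string keys that merely look similar.
function symbolKeyedAccess() {
  const obj = {};
  const sym = Symbol("secret");          // constructed sample key
  obj[sym] = 42;                         // keyed by the symbol itself
  obj["secret"] = "by description";      // a string key equal to the description
  obj[sym.toString()] = "by toString";   // the string "Symbol(secret)"

  return {
    viaSymbol: obj[sym],                                   // 42
    viaDescription: obj["secret"],                         // not 42
    viaToString: obj["Symbol(secret)"],                    // not 42
    hasSymbol: Object.prototype.hasOwnProperty.call(obj, sym),
    stringKeys: Object.keys(obj),                          // symbols are not listed here...
    symbolKeys: Object.getOwnPropertySymbols(obj).length,  // ...but they are here
  };
}

// Symbols compare by identity: equal descriptions do not alias.
function distinctSymbols() {
  const a = Symbol("k");
  const b = Symbol("k");
  const obj = { [a]: "a", [b]: "b" };
  return { sameKey: a === b, viaA: obj[a], viaB: obj[b] };
}

// Define and delete through a symbol key. Reflect.deleteProperty reports the
// outcome as a boolean instead of throwing in strict code, which is the shape
// a host API (returning a bool plus an exception slot) needs.
function defineAndDelete() {
  const obj = {};
  const locked = Symbol("locked");
  const open = Symbol("open");
  Object.defineProperty(obj, locked, { value: 1, configurable: false });
  Object.defineProperty(obj, open, { value: 2, configurable: true });
  return {
    deletedLocked: Reflect.deleteProperty(obj, locked), // false: non-configurable
    deletedOpen: Reflect.deleteProperty(obj, open),     // true
    stillHasLocked: locked in obj,                      // true
    stillHasOpen: open in obj,                          // false
  };
}
```

The practical consequence for embedders: a symbol-keyed property cannot be reached by a caller who only controls string names, so it will not collide with script-supplied keys. It is not hidden, though; Object.getOwnPropertySymbols and Reflect.ownKeys enumerate it, so symbol keys are a namespacing tool, not a trust boundary.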
2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Call Typed Array elements toLocaleString with locale and options
        https://bugs.webkit.org/show_bug.cgi?id=185796

        Reviewed by Keith Miller.

        Improve ECMA 402 compliance of typed array toLocaleString, passing along
        the locale and options to element toLocaleString calls.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):
422
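As an added illustration of the change described above (example code, not the builtin from TypedArrayPrototype.js), here is the ECMA-402 shape of %TypedArray%.prototype.toLocaleString that forwards locales and options to every element, next to the pre-fix shape that dropped them. The probe object and sample values are constructed for the example; the "," separator is what JavaScriptCore and V8 use.

```javascript
// Added example, not WebKit's builtin: %TypedArray%.prototype.toLocaleString
// per ECMA-402, forwarding locales and options to each element's
// toLocaleString, beside the older behaviour that dropped both arguments.

const LIST_SEPARATOR = ","; // JavaScriptCore (and V8) join elements with ","

// Spec-shaped implementation. It only needs length and indexed access, so an
// array-like probe object can observe exactly what each element receives.
function typedArrayToLocaleString(typedArray, locales, options) {
  const length = typedArray.length;
  let result = "";
  for (let i = 0; i < length; i++) {
    if (i > 0) result += LIST_SEPARATOR;
    result += typedArray[i].toLocaleString(locales, options);
  }
  return result;
}

// Pre-fix shape for contrast: every element is formatted in the default
// locale with no options, whatever the caller passed.
function legacyTypedArrayToLocaleString(typedArray /* locales, options ignored */) {
  const length = typedArray.length;
  let result = "";
  for (let i = 0; i < length; i++) {
    if (i > 0) result += LIST_SEPARATOR;
    result += typedArray[i].toLocaleString();
  }
  return result;
}

// Runs `impl` over a constructed array-like whose elements record the
// arguments their toLocaleString was called with.
function recordForwardedArguments(impl, locales, options) {
  const received = [];
  const element = {
    toLocaleString(l, o) { received.push({ locales: l, options: o }); return "x"; },
  };
  const probe = { length: 2, 0: element, 1: element }; // constructed input
  impl(probe, locales, options);
  return received;
}

// Concrete formatting on a real typed array with a fixed locale and options,
// so the output does not depend on the host's default locale.
function formatExample() {
  const values = new Float64Array([1234.5, 2]); // constructed sample values
  return typedArrayToLocaleString(values, "en-US", { minimumFractionDigits: 2 });
  // "1,234.50,2.00"
}
```

The probe is the useful part for a reviewer: it shows the difference without depending on ICU data, since the legacy shape records `undefined` for both arguments while the compliant one records the caller's locale and the very same options object.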
2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Intl constructor lengths should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=187960

        Reviewed by Saam Barati.

        Removed DontDelete from Intl constructor lengths.
        Fixed DateTimeFormat formatToParts length.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):
443
2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>

        runJITThreadLimitTests is failing
        https://bugs.webkit.org/show_bug.cgi?id=187886
        <rdar://problem/42561966>

        Unreviewed build fix for MSVC.

        MSVC doesn't support ternary operator without second operand.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):
457
2018-07-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234183.
        https://bugs.webkit.org/show_bug.cgi?id=187983

        cause regression in Kraken gaussian blur and desaturate
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Record CoW status in ArrayProfile"
        https://bugs.webkit.org/show_bug.cgi?id=187949
        https://trac.webkit.org/changeset/234183
471
2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        Once a CoW array is converted to a non-CoW array, subsequent operations are done for this non-CoW array.
        Even though these operations are performed onto both CoW and non-CoW arrays in the code, array profiles
        in this code typically record only non-CoW arrays since array profiles hold only one StructureID recently
        seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
        CoW arrays.

        In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
        speculation. To do so efficiently, we store the union of seen IndexingMode in ArrayProfile.

        This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.

                                      baseline                  patched

        stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
        stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.

        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfObservedIndexingModes):
        (JSC::ArrayProfile::observedIndexingModes const):
        Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses.
        So storing the union of seen IndexingMode in `unsigned` instead.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
520
2018-07-24  Tim Horton  <timothy_horton@apple.com>

        Enable Web Content Filtering on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=187979
        <rdar://problem/42559346>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:
530
2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>

        Don't modify Options when setting JIT thread limits
        https://bugs.webkit.org/show_bug.cgi?id=187886

        Reviewed by Filip Pizlo.

        Previously, when setting the JIT thread limit prior to the worklist
        initialization, it'd be set via Options, which didn't work if Options
        hadn't been initialized yet. Change it to use a static variable in the
        Worklist instead.

        * API/JSVirtualMachine.mm:
        (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
        (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):
        (JSC::DFG::setNumberOfDFGCompilerThreads):
        (JSC::DFG::setNumberOfFTLCompilerThreads):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
556
2018-07-24  Mark Lam  <mark.lam@apple.com>

        Refactoring: make DFG::Plan a class.
        https://bugs.webkit.org/show_bug.cgi?id=187968

        Reviewed by Saam Barati.

        This patch makes all the DFG::Plan fields private, and provides accessor methods
        for them.  This makes it easier to reason about how these fields are used and
        modified.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::watchCondition):
        (JSC::DFG::Graph::inferredTypeFor):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::registerAndWatchStructureTransition):
        (JSC::DFG::Graph::assertIsRegistered):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::compilation):
        (JSC::DFG::Graph::identifiers):
        (JSC::DFG::Graph::watchpoints):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::computeCompileTimes const):
        (JSC::DFG::Plan::reportCompileTimes const):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::isStillValid):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter const):
        (JSC::DFG::Plan::vm const):
        (JSC::DFG::Plan::codeBlock):
        (JSC::DFG::Plan::mode const):
        (JSC::DFG::Plan::osrEntryBytecodeIndex const):
        (JSC::DFG::Plan::mustHandleValues const):
        (JSC::DFG::Plan::threadData const):
        (JSC::DFG::Plan::compilation const):
        (JSC::DFG::Plan::finalizer const):
        (JSC::DFG::Plan::setFinalizer):
        (JSC::DFG::Plan::inlineCallFrames const):
        (JSC::DFG::Plan::watchpoints):
        (JSC::DFG::Plan::identifiers):
        (JSC::DFG::Plan::weakReferences):
        (JSC::DFG::Plan::transitions):
        (JSC::DFG::Plan::recordedStatuses):
        (JSC::DFG::Plan::willTryToTierUp const):
        (JSC::DFG::Plan::setWillTryToTierUp):
        (JSC::DFG::Plan::tierUpInLoopHierarchy):
        (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
        (JSC::DFG::Plan::stage const):
        (JSC::DFG::Plan::callback const):
        (JSC::DFG::Plan::setCallback):
        * dfg/DFGPlanInlines.h:
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):
        * dfg/DFGSafepoint.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM const):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
        * dfg/DFGWorklistInlines.h:
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
719
2018-07-24  Saam Barati  <sbarati@apple.com>

        Make VM::canUseJIT an inlined function
        https://bugs.webkit.org/show_bug.cgi?id=187583

        Reviewed by Mark Lam.

        We know the answer to this query in initializeThreading after initializing
        the executable allocator. This patch makes it so that we just hold this value
        in a static variable and have an inlined function that just returns the value
        of that static variable.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::computeCanUseJIT):
        (JSC::VM::canUseJIT): Deleted.
        * runtime/VM.h:
        (JSC::VM::canUseJIT):
739
740 2018-07-24  Mark Lam  <mark.lam@apple.com>
741
742         Placate exception check verification after recent changes.
743         https://bugs.webkit.org/show_bug.cgi?id=187961
744         <rdar://problem/42545394>
745
746         Reviewed by Saam Barati.
747
748         * runtime/IntlObject.cpp:
749         (JSC::intlNumberOption):
750
751 2018-07-23  Saam Barati  <sbarati@apple.com>
752
753         need to didFoldClobberWorld when we constant fold GetByVal
754         https://bugs.webkit.org/show_bug.cgi?id=187917
755         <rdar://problem/42505095>
756
757         Reviewed by Yusuke Suzuki.
758
759         * dfg/DFGAbstractInterpreterInlines.h:
760         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
761
762 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
763
764         [INTL] Language tags are not canonicalized
765         https://bugs.webkit.org/show_bug.cgi?id=185836
766
767         Reviewed by Keith Miller.
768
769         Canonicalize language tags, replacing deprecated tag parts with the
770         preferred values. Remove broken support for algorithmic numbering systems,
771         which can cause an error in ICU and are not supported in other engines.
772
773         Generate the lookup functions from the language-subtag-registry.
774
775         Also initialize the UNumberFormat in initializeNumberFormat so any
776         failures are thrown immediately instead of failing to format later.
777
778         * CMakeLists.txt:
779         * DerivedSources.make:
780         * JavaScriptCore.xcodeproj/project.pbxproj:
781         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
782         * runtime/IntlDateTimeFormat.cpp:
783         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
784         * runtime/IntlNumberFormat.cpp:
785         (JSC::IntlNumberFormat::initializeNumberFormat):
786         (JSC::IntlNumberFormat::formatNumber):
787         (JSC::IntlNumberFormat::formatToParts):
788         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
789         * runtime/IntlNumberFormat.h:
790         * runtime/IntlObject.cpp:
791         (JSC::intlNumberOption):
792         (JSC::intlDefaultNumberOption):
793         (JSC::preferredLanguage):
794         (JSC::preferredRegion):
795         (JSC::canonicalLangTag):
796         (JSC::canonicalizeLanguageTag):
797         (JSC::defaultLocale):
798         (JSC::removeUnicodeLocaleExtension):
799         (JSC::numberingSystemsForLocale):
800         (JSC::grandfatheredLangTag): Deleted.
801         * runtime/IntlObject.h:
802         * runtime/IntlPluralRules.cpp:
803         (JSC::IntlPluralRules::initializePluralRules):
804         * runtime/JSGlobalObject.cpp:
805         (JSC::addMissingScriptLocales):
806         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
807         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
808         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
809         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
810         * ucd/language-subtag-registry.txt: Added.
811
812 2018-07-23  Mark Lam  <mark.lam@apple.com>
813
814         Add some asserts to help diagnose a crash.
815         https://bugs.webkit.org/show_bug.cgi?id=187915
816         <rdar://problem/42508166>
817
818         Reviewed by Michael Saboff.
819
820         Add some asserts to verify that a CodeBlock alternative should always have a
821         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
822         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
823         so that we'll retain the state of the variables that failed the assertion (again
824         to help with diagnosis).
825
826         * bytecode/CodeBlock.cpp:
827         (JSC::CodeBlock::setAlternative):
828         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
829         * dfg/DFGPlan.cpp:
830         (JSC::DFG::Plan::Plan):
831
832 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
833
834         Unreviewed, fix no-JIT build.
835
836         * bytecode/CallLinkStatus.cpp:
837         (JSC::CallLinkStatus::computeFor):
838         * bytecode/CodeBlock.cpp:
839         (JSC::CodeBlock::finalizeUnconditionally):
840         * bytecode/GetByIdStatus.cpp:
841         (JSC::GetByIdStatus::computeFor):
842         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
843         * bytecode/InByIdStatus.cpp:
844         * bytecode/PutByIdStatus.cpp:
845         (JSC::PutByIdStatus::computeForStubInfo):
846
847 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
848
849         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
850         https://bugs.webkit.org/show_bug.cgi?id=187891
851
852         Reviewed by Saam Barati.
853
854         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
855         two variants are mergeable but they have "Miss" status. We make merging fail if
856         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
857         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
858         a patch which has more chances to merge variants.
859
860         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
861         is not related since it does not use this check in the Transition case.
862
863         * bytecode/GetByIdVariant.cpp:
864         (JSC::GetByIdVariant::attemptToMerge):
865         * bytecode/InByIdVariant.cpp:
866         (JSC::InByIdVariant::attemptToMerge):
867
868 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
869
870         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
871         https://bugs.webkit.org/show_bug.cgi?id=186462
872
873         Reviewed by Saam Barati.
874
875         Non-special DontDelete | ReadOnly properties mean that they won't be changed. If DFG AI can retrieve this
876         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
877         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
878
879         This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
880         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
881         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
882         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
883         changed and we can safely use it. We arrange our existing code to use this protocol.
884
885         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
886         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.
887
888         This patch improves SixSpeed/template_string_tag.es6.
889
890                                           baseline                  patched
891
892         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
893
894         * dfg/DFGAbstractInterpreterInlines.h:
895         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
896         * runtime/JSArray.cpp:
897         (JSC::JSArray::setLengthWithArrayStorage):
898         * runtime/JSObject.cpp:
899         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
900         (JSC::JSObject::deletePropertyByIndex):
901         (JSC::JSObject::getOwnPropertyNames):
902         (JSC::putIndexedDescriptor):
903         (JSC::JSObject::defineOwnIndexedProperty):
904         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
905         (JSC::JSObject::putIndexedDescriptor): Deleted.
906         * runtime/JSObject.h:
907         * runtime/SparseArrayValueMap.cpp:
908         (JSC::SparseArrayValueMap::SparseArrayValueMap):
909         (JSC::SparseArrayValueMap::add):
910         (JSC::SparseArrayValueMap::putDirect):
911         (JSC::SparseArrayValueMap::getConcurrently):
912         (JSC::SparseArrayEntry::get const):
913         (JSC::SparseArrayEntry::getConcurrently const):
914         (JSC::SparseArrayEntry::put):
915         (JSC::SparseArrayEntry::getNonSparseMode const):
916         (JSC::SparseArrayValueMap::visitChildren):
917         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
918         * runtime/SparseArrayValueMap.h:
919         (JSC::SparseArrayEntry::SparseArrayEntry):
920         (JSC::SparseArrayEntry::attributes const):
921         (JSC::SparseArrayEntry::forceSet):
922         (JSC::SparseArrayEntry::asValue):
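
        The value-then-attributes publication protocol described in this entry, written out as an added
        example that is not JavaScriptCore code and is not part of this ChangeLog. The attribute bit
        values, `Entry`, `publish`, `tryReadConstant` and `raceOnce` are assumptions chosen for
        illustration (JSC's real PropertyAttribute values and SparseArrayEntry differ); C++ release and
        acquire fences stand in for WTF::storeStoreFence and WTF::loadLoadFence, so the example also
        holds on non-TSO hardware, beyond the x86-only case the entry restricts itself to.

```cpp
#include <atomic>
#include <cstdint>
#include <thread>

// Attribute bits constructed for this example. They only mirror the idea of
// JSC's DontDelete | ReadOnly; the real values live in JSC's PropertyAttribute.
enum : unsigned {
    kReadOnly = 1u << 1,
    kDontDelete = 1u << 3,
};

// One sparse-map entry (hypothetical layout): a value plus its attributes,
// shared between the mutator and a concurrent compiler thread without a lock.
struct Entry {
    std::atomic<int64_t> value { 0 };
    std::atomic<unsigned> attributes { 0 };
};

// Mutator side. The value is stored first, then a store-store fence, then the
// attributes, so any thread that observes the attributes also observes the
// value that preceded them. The release fence plays the role of
// WTF::storeStoreFence (a compiler-only barrier on x86/TSO).
void publish(Entry& entry, int64_t value, unsigned attributes)
{
    entry.value.store(value, std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_release);
    entry.attributes.store(attributes, std::memory_order_relaxed);
}

// Compiler-thread side. Load the attributes, then a load-load fence (here an
// acquire fence, standing in for WTF::loadLoadFence), then the value. Only a
// property that is both DontDelete and ReadOnly can never change, so only
// then is the loaded value safe to fold into a constant; otherwise report
// failure and leave `out` untouched.
bool tryReadConstant(const Entry& entry, int64_t& out)
{
    unsigned attributes = entry.attributes.load(std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_acquire);
    const unsigned frozen = kDontDelete | kReadOnly;
    if ((attributes & frozen) != frozen)
        return false;
    out = entry.value.load(std::memory_order_relaxed);
    return true;
}

// Race the two sides once: a mutator thread publishes while the calling thread
// spins until the attributes say the value is frozen. Returns the value the
// reader observed; with the fences in place it is always the published one.
int64_t raceOnce(int64_t valueToPublish)
{
    Entry entry;
    std::thread mutator([&] { publish(entry, valueToPublish, kDontDelete | kReadOnly); });
    int64_t observed = 0;
    while (!tryReadConstant(entry, observed)) {
        // spin until the frozen attributes become visible
    }
    mutator.join();
    return observed;
}

int main()
{
    // Repeat the race; a reader that saw the frozen attributes must see the value.
    for (int i = 0; i < 1000; ++i) {
        if (raceOnce(42 + i) != 42 + i)
            return 1;
    }
    return 0;
}
```

        The order matters in both directions: dropping the release fence lets a weakly ordered machine
        make the attributes visible before the value, and dropping the acquire fence lets the reader
        hoist the value load above the attribute check; either way a compiler could fold a value that
        was never actually frozen.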
923
924 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
925
926         We should support CreateThis in the FTL
927         https://bugs.webkit.org/show_bug.cgi?id=164904
928
929         Reviewed by Yusuke Suzuki.
930         
931         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
932         inference adventure.
933         
934         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
935         benchmark's extremely perverse way of winning at type inference:
936         
937         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
938           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
939           benchmark was falling back to other mechanisms...
940         
941         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
942           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
943           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
944           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
945           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
946           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
947           
948           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
949           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
950           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
951           helper because it had a CreateThis.
952         
953         - Compilations that inlined the construction helper would have gotten super lucky with
954           parse-time constant folding, so they knew what structure the input to the get_by_id would
955           have at parse time. This is only profitable if the get_by_id parsing computed a
956           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
957           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
958           cases, we would indeed get a finite number of cases. The parser would then prune those
959           cases to just one - based on its knowledge of the structure - and that would result in that
960           get_by_id being folded at parse time to a constant.
961         
962         - The subsequent op_call would inline based on parse-time knowledge of that constant.
963         
964         This patch comprehensively fixes these issues, as well as other issues that come up along the
965         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
966         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
967         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
968         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
969         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
970         attack raytrace's problem as a shortcoming of polyvariant profiling.
971         
972         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
973           subset of the inline stack that includes the IC we're profiling. For example, if we have
974           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
975           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
976           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
977           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
978           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
979           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
980           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
981           had inlined bar and then baz. It may not have done that, because those calls could have
982           required polyvariant profiling that was only available in the FTL.
983           
984         - A particularly interesting case is when some IC in foo-baseline is also available in
985           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
986           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
987           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
988           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
989           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
990           because it warns us of historical polymorphism. Historical polymorphism usually means
991           future polymorphism. IC status code already had some merging functionality, but I needed to
992           beef it up a lot to make this work right.
993         
994         - Inlining an inline cache now preserves as much information as profiling. One challenge of
995           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
996           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
997           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
998           say "I don't have such an IC". At this point the DFG compilation that included that IC that
999           gave us the information that we used to inline the IC is no longer alive. To keep us from
1000           losing the information we learned about the IC, there is now a RecordedStatuses data
1001           structure that preserves the statuses we use for inlining ICs. We also filter those
1002           statuses according to things we learn from AI. This further reduces the risk of information
1003           about an IC being forgotten.
1004         
1005         - Exit profiling now considers whether or not an exit happened from inline code. This
1006           protects us in the case where the not-inlined version of an IC exited a lot because of
1007           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
1008           profiling data, we consider only inlined exits.
1009         
1010         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
1011           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
1012           surprising that we've had this bug.
1013         
1014         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
1015         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
1016         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
1017         prototype access folding in the bytecode parser and constant folder. That would require some
1018         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
1019         have a test that captures raytrace's behavior in the case that the parser cannot fold the
1020         get_by_id.
1021         
1022         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
1023         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
1024         compile time regression anytime we fill in FTL coverage.
1025         
1026         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
1027         speeds up and that raytrace slows down, but these changes balance out and don't affect the
1028         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
1029         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
1030         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
1031         see a significant difference. In all three cases the difference is <0.5% with a high p value,
1032         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
1033         an insignificant infinitesimal slow-down.
1034         
1035         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
1036         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
1037         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
1038
1039         * CMakeLists.txt:
1040         * JavaScriptCore.xcodeproj/project.pbxproj:
1041         * Sources.txt:
1042         * bytecode/ByValInfo.h:
1043         * bytecode/BytecodeDumper.cpp:
1044         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1045         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
1046         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
1047         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
1048         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
1049         (JSC::BytecodeDumper<Block>::printCallOp):
1050         (JSC::BytecodeDumper<Block>::dumpBytecode):
1051         (JSC::BytecodeDumper<Block>::dumpBlock):
1052         * bytecode/BytecodeDumper.h:
1053         * bytecode/CallLinkInfo.h:
1054         * bytecode/CallLinkStatus.cpp:
1055         (JSC::CallLinkStatus::computeFor):
1056         (JSC::CallLinkStatus::computeExitSiteData):
1057         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1058         (JSC::CallLinkStatus::accountForExits):
1059         (JSC::CallLinkStatus::finalize):
1060         (JSC::CallLinkStatus::filter):
1061         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
1062         * bytecode/CallLinkStatus.h:
1063         (JSC::CallLinkStatus::operator bool const):
1064         (JSC::CallLinkStatus::operator! const): Deleted.
1065         * bytecode/CallVariant.cpp:
1066         (JSC::CallVariant::finalize):
1067         (JSC::CallVariant::filter):
1068         * bytecode/CallVariant.h:
1069         (JSC::CallVariant::operator bool const):
1070         (JSC::CallVariant::operator! const): Deleted.
1071         * bytecode/CodeBlock.cpp:
1072         (JSC::CodeBlock::dumpBytecode):
1073         (JSC::CodeBlock::propagateTransitions):
1074         (JSC::CodeBlock::finalizeUnconditionally):
1075         (JSC::CodeBlock::getICStatusMap):
1076         (JSC::CodeBlock::resetJITData):
1077         (JSC::CodeBlock::getStubInfoMap): Deleted.
1078         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
1079         (JSC::CodeBlock::getByValInfoMap): Deleted.
1080         * bytecode/CodeBlock.h:
1081         * bytecode/CodeOrigin.cpp:
1082         (JSC::CodeOrigin::isApproximatelyEqualTo const):
1083         (JSC::CodeOrigin::approximateHash const):
1084         * bytecode/CodeOrigin.h:
1085         (JSC::CodeOrigin::exitingInlineKind const):
1086         * bytecode/DFGExitProfile.cpp:
1087         (JSC::DFG::FrequentExitSite::dump const):
1088         (JSC::DFG::ExitProfile::add):
1089         * bytecode/DFGExitProfile.h:
1090         (JSC::DFG::FrequentExitSite::FrequentExitSite):
1091         (JSC::DFG::FrequentExitSite::operator== const):
1092         (JSC::DFG::FrequentExitSite::subsumes const):
1093         (JSC::DFG::FrequentExitSite::hash const):
1094         (JSC::DFG::FrequentExitSite::inlineKind const):
1095         (JSC::DFG::FrequentExitSite::withInlineKind const):
1096         (JSC::DFG::QueryableExitProfile::hasExitSite const):
1097         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
1098         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
1099         * bytecode/ExitFlag.cpp: Added.
1100         (JSC::ExitFlag::dump const):
1101         * bytecode/ExitFlag.h: Added.
1102         (JSC::ExitFlag::ExitFlag):
1103         (JSC::ExitFlag::operator| const):
1104         (JSC::ExitFlag::operator|=):
1105         (JSC::ExitFlag::operator& const):
1106         (JSC::ExitFlag::operator&=):
1107         (JSC::ExitFlag::operator bool const):
1108         (JSC::ExitFlag::isSet const):
1109         * bytecode/ExitingInlineKind.cpp: Added.
1110         (WTF::printInternal):
1111         * bytecode/ExitingInlineKind.h: Added.
1112         * bytecode/GetByIdStatus.cpp:
1113         (JSC::GetByIdStatus::computeFor):
1114         (JSC::GetByIdStatus::computeForStubInfo):
1115         (JSC::GetByIdStatus::slowVersion const):
1116         (JSC::GetByIdStatus::markIfCheap):
1117         (JSC::GetByIdStatus::finalize):
1118         (JSC::GetByIdStatus::hasExitSite): Deleted.
1119         * bytecode/GetByIdStatus.h:
1120         * bytecode/GetByIdVariant.cpp:
1121         (JSC::GetByIdVariant::markIfCheap):
1122         (JSC::GetByIdVariant::finalize):
1123         * bytecode/GetByIdVariant.h:
1124         * bytecode/ICStatusMap.cpp: Added.
1125         (JSC::ICStatusContext::get const):
1126         (JSC::ICStatusContext::isInlined const):
1127         (JSC::ICStatusContext::inlineKind const):
1128         * bytecode/ICStatusMap.h: Added.
1129         * bytecode/ICStatusUtils.cpp: Added.
1130         (JSC::hasBadCacheExitSite):
1131         * bytecode/ICStatusUtils.h:
1132         * bytecode/InstanceOfStatus.cpp:
1133         (JSC::InstanceOfStatus::computeFor):
1134         * bytecode/InstanceOfStatus.h:
1135         * bytecode/PolyProtoAccessChain.h:
1136         * bytecode/PutByIdStatus.cpp:
1137         (JSC::PutByIdStatus::hasExitSite):
1138         (JSC::PutByIdStatus::computeFor):
1139         (JSC::PutByIdStatus::slowVersion const):
1140         (JSC::PutByIdStatus::markIfCheap):
1141         (JSC::PutByIdStatus::finalize):
1142         (JSC::PutByIdStatus::filter):
1143         * bytecode/PutByIdStatus.h:
1144         * bytecode/PutByIdVariant.cpp:
1145         (JSC::PutByIdVariant::markIfCheap):
1146         (JSC::PutByIdVariant::finalize):
1147         * bytecode/PutByIdVariant.h:
1148         (JSC::PutByIdVariant::structureSet const):
1149         * bytecode/RecordedStatuses.cpp: Added.
1150         (JSC::RecordedStatuses::operator=):
1151         (JSC::RecordedStatuses::RecordedStatuses):
1152         (JSC::RecordedStatuses::addCallLinkStatus):
1153         (JSC::RecordedStatuses::addGetByIdStatus):
1154         (JSC::RecordedStatuses::addPutByIdStatus):
1155         (JSC::RecordedStatuses::markIfCheap):
1156         (JSC::RecordedStatuses::finalizeWithoutDeleting):
1157         (JSC::RecordedStatuses::finalize):
1158         (JSC::RecordedStatuses::shrinkToFit):
1159         * bytecode/RecordedStatuses.h: Added.
1160         (JSC::RecordedStatuses::RecordedStatuses):
1161         (JSC::RecordedStatuses::forEachVector):
1162         * bytecode/StructureSet.cpp:
1163         (JSC::StructureSet::markIfCheap const):
1164         (JSC::StructureSet::isStillAlive const):
1165         * bytecode/StructureSet.h:
1166         * bytecode/TerminatedCodeOrigin.h: Added.
1167         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
1168         (JSC::TerminatedCodeOriginHashTranslator::hash):
1169         (JSC::TerminatedCodeOriginHashTranslator::equal):
1170         * bytecode/Watchpoint.cpp:
1171         (WTF::printInternal):
1172         * bytecode/Watchpoint.h:
1173         * dfg/DFGAbstractInterpreter.h:
1174         * dfg/DFGAbstractInterpreterInlines.h:
1175         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1176         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
1177         * dfg/DFGByteCodeParser.cpp:
1178         (JSC::DFG::ByteCodeParser::handleCall):
1179         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1180         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1181         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
1182         (JSC::DFG::ByteCodeParser::handleGetById):
1183         (JSC::DFG::ByteCodeParser::handlePutById):
1184         (JSC::DFG::ByteCodeParser::parseBlock):
1185         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1186         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
1187         (JSC::DFG::ByteCodeParser::parse):
1188         * dfg/DFGClobberize.h:
1189         (JSC::DFG::clobberize):
1190         * dfg/DFGClobbersExitState.cpp:
1191         (JSC::DFG::clobbersExitState):
1192         * dfg/DFGCommonData.h:
1193         * dfg/DFGConstantFoldingPhase.cpp:
1194         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1195         * dfg/DFGDesiredWatchpoints.h:
1196         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
1197         * dfg/DFGDoesGC.cpp:
1198         (JSC::DFG::doesGC):
1199         * dfg/DFGFixupPhase.cpp:
1200         (JSC::DFG::FixupPhase::fixupNode):
1201         * dfg/DFGGraph.cpp:
1202         (JSC::DFG::Graph::dump):
1203         * dfg/DFGMayExit.cpp:
1204         * dfg/DFGNode.h:
1205         (JSC::DFG::Node::hasCallLinkStatus):
1206         (JSC::DFG::Node::callLinkStatus):
1207         (JSC::DFG::Node::hasGetByIdStatus):
1208         (JSC::DFG::Node::getByIdStatus):
1209         (JSC::DFG::Node::hasPutByIdStatus):
1210         (JSC::DFG::Node::putByIdStatus):
1211         * dfg/DFGNodeType.h:
1212         * dfg/DFGOSRExitBase.cpp:
1213         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1214         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1215         * dfg/DFGPlan.cpp:
1216         (JSC::DFG::Plan::reallyAdd):
1217         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1218         (JSC::DFG::Plan::finalizeInGC):
1219         * dfg/DFGPlan.h:
1220         * dfg/DFGPredictionPropagationPhase.cpp:
1221         * dfg/DFGSafeToExecute.h:
1222         (JSC::DFG::safeToExecute):
1223         * dfg/DFGSpeculativeJIT32_64.cpp:
1224         (JSC::DFG::SpeculativeJIT::compile):
1225         * dfg/DFGSpeculativeJIT64.cpp:
1226         (JSC::DFG::SpeculativeJIT::compile):
1227         * dfg/DFGStrengthReductionPhase.cpp:
1228         (JSC::DFG::StrengthReductionPhase::handleNode):
1229         * dfg/DFGWorklist.cpp:
1230         (JSC::DFG::Worklist::removeDeadPlans):
1231         * ftl/FTLAbstractHeapRepository.h:
1232         * ftl/FTLCapabilities.cpp:
1233         (JSC::FTL::canCompile):
1234         * ftl/FTLLowerDFGToB3.cpp:
1235         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1236         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
1237         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
1238         * jit/PolymorphicCallStubRoutine.cpp:
1239         (JSC::PolymorphicCallStubRoutine::hasEdges const):
1240         (JSC::PolymorphicCallStubRoutine::edges const):
1241         * jit/PolymorphicCallStubRoutine.h:
1242         * profiler/ProfilerBytecodeSequence.cpp:
1243         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1244         * runtime/FunctionRareData.cpp:
1245         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1246         * runtime/Options.h:
1247
1248 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1249
1250         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
1251         https://bugs.webkit.org/show_bug.cgi?id=187472
1252
1253         Reviewed by Mark Lam.
1254
1255         std::function allocates memory from standard malloc instead of bmalloc. Instead of
1256         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
1257
1258         This patch attempts to replace std::function with the above WTF function types.
1259         If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
1260         is really efficient. Otherwise, we should use WTF::Function.
1261         For recurring use cases, we can use RecursableLambda.
1262
1263         * assembler/MacroAssembler.cpp:
1264         (JSC::stdFunctionCallback):
1265         (JSC::MacroAssembler::probe):
1266         * assembler/MacroAssembler.h:
1267         * b3/air/AirDisassembler.cpp:
1268         (JSC::B3::Air::Disassembler::dump):
1269         * b3/air/AirDisassembler.h:
1270         * bytecompiler/BytecodeGenerator.cpp:
1271         (JSC::BytecodeGenerator::BytecodeGenerator):
1272         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1273         (JSC::BytecodeGenerator::emitEnumeration):
1274         * bytecompiler/BytecodeGenerator.h:
1275         * bytecompiler/NodesCodegen.cpp:
1276         (JSC::ArrayNode::emitBytecode):
1277         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1278         (JSC::ForOfNode::emitBytecode):
1279         * dfg/DFGSpeculativeJIT.cpp:
1280         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
1281         (JSC::DFG::SpeculativeJIT::compileMathIC):
1282         * dfg/DFGSpeculativeJIT.h:
1283         * dfg/DFGSpeculativeJIT64.cpp:
1284         (JSC::DFG::SpeculativeJIT::compile):
1285         * dfg/DFGValidate.cpp:
1286         * ftl/FTLCompile.cpp:
1287         (JSC::FTL::compile):
1288         * heap/HeapSnapshotBuilder.cpp:
1289         (JSC::HeapSnapshotBuilder::json):
1290         * heap/HeapSnapshotBuilder.h:
1291         * interpreter/StackVisitor.cpp:
1292         (JSC::StackVisitor::Frame::dump const):
1293         * interpreter/StackVisitor.h:
1294         * runtime/PromiseDeferredTimer.h:
1295         * runtime/VM.cpp:
1296         (JSC::VM::whenIdle):
1297         (JSC::enableProfilerWithRespectToCount):
1298         (JSC::disableProfilerWithRespectToCount):
1299         * runtime/VM.h:
1300         * runtime/VMEntryScope.cpp:
1301         (JSC::VMEntryScope::addDidPopListener):
1302         * runtime/VMEntryScope.h:
1303         * tools/HeapVerifier.cpp:
1304         (JSC::HeapVerifier::verifyCellList):
1305         (JSC::HeapVerifier::validateCell):
1306         (JSC::HeapVerifier::validateJSCell):
1307         * tools/HeapVerifier.h:
1308
1309 2018-07-20  Michael Saboff  <msaboff@apple.com>
1310
1311         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
1312         https://bugs.webkit.org/show_bug.cgi?id=187827
1313         rdar://problem/42146858
1314
1315         Reviewed by Saam Barati.
1316
1317         When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
1318         that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
1319         We can't end up with other shapes, Int32, Double, etc. because GenericArguments sets
1320         InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
1321         putByIndex() path that doesn't change the shape.
1322
1323         * dfg/DFGArrayMode.h:
1324         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1325
1326 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1327
1328         [DFG] Fold GetByVal if Array is CoW
1329         https://bugs.webkit.org/show_bug.cgi?id=186459
1330
1331         Reviewed by Saam Barati.
1332
1333         CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
1334         fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
1335         is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
1336
1337         This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
1338         to these constant arrays can be folded into an actual constant by this patch.
1339
1340                                            baseline                  patched
1341
1342         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
1343         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
1344
1345         * dfg/DFGAbstractInterpreterInlines.h:
1346         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1347
1348 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1349
1350         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
1351         https://bugs.webkit.org/show_bug.cgi?id=186602
1352
1353         Reviewed by Saam Barati.
1354
1355         JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
1356         change the part of the butterfly, length etc. We prove that our procedure is safe, and
1357         drop the cellLock() here.
1358
1359         * runtime/JSObject.cpp:
1360         (JSC::JSObject::convertContiguousToArrayStorage):
1361
1362 2018-07-20  Saam Barati  <sbarati@apple.com>
1363
1364         CompareEq should be using KnownOtherUse instead of OtherUse
1365         https://bugs.webkit.org/show_bug.cgi?id=186814
1366         <rdar://problem/39720030>
1367
1368         Reviewed by Filip Pizlo.
1369
1370         CompareEq in fixup phase was doing this:
1371         insertCheck(child, OtherUse)
1372         setUseKind(child, OtherUse)
1373         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
1374         lead to edge verification crashing because a phase may optimize the check out
1375         by removing the node. However, AI may not be privy to that optimization, and
1376         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
1377         backend to actually emit a check here, but it does not.
1378         
1379         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
1380         KnownOtherUse and changes the above pattern to be:
1381         insertCheck(child, OtherUse)
1382         setUseKind(child, KnownOtherUse)
1383
1384         * dfg/DFGFixupPhase.cpp:
1385         (JSC::DFG::FixupPhase::fixupNode):
1386         * dfg/DFGSafeToExecute.h:
1387         (JSC::DFG::SafeToExecuteEdge::operator()):
1388         * dfg/DFGSpeculativeJIT.cpp:
1389         (JSC::DFG::SpeculativeJIT::speculate):
1390         * dfg/DFGUseKind.cpp:
1391         (WTF::printInternal):
1392         * dfg/DFGUseKind.h:
1393         (JSC::DFG::typeFilterFor):
1394         (JSC::DFG::shouldNotHaveTypeCheck):
1395         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1396         * dfg/DFGWatchpointCollectionPhase.cpp:
1397         (JSC::DFG::WatchpointCollectionPhase::handle):
1398         * ftl/FTLCapabilities.cpp:
1399         (JSC::FTL::canCompile):
1400         * ftl/FTLLowerDFGToB3.cpp:
1401         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1402         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1403
1404 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1405
1406         [JSC] A bit performance improvement for Object.assign by cleaning up code
1407         https://bugs.webkit.org/show_bug.cgi?id=187852
1408
1409         Reviewed by Saam Barati.
1410
1411         We clean up Object.assign code a bit.
1412
1413         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
1414         2. canDoFastPath is not necessary. Restructuring the code to clean up things.
1415
1416         It improves the performance a bit.
1417
1418                                     baseline                  patched
1419
1420         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
1421
1422         * runtime/ObjectConstructor.cpp:
1423         (JSC::objectConstructorAssign):
1424
1425 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1426
1427         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
1428         https://bugs.webkit.org/show_bug.cgi?id=187798
1429
1430         Reviewed by Michael Catanzaro.
1431
1432         Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
1433         jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
1434         functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
1435         patch adds JSAPIWrapperGlobalObject for that.
1436
1437         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
1438         (jsAPIWrapperGlobalObjectHandleOwner):
1439         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
1440         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
1441         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
1442         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
1443         (JSC::JSAPIWrapperGlobalObject::finishCreation):
1444         (JSC::JSAPIWrapperGlobalObject::visitChildren):
1445         * API/glib/JSAPIWrapperGlobalObject.h: Added.
1446         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
1447         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
1448         * API/glib/JSCClass.cpp:
1449         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
1450         (wrappedObjectClass): Return the class of a wrapped object.
1451         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
1452         scope extension global object is used instead.
1453         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
1454         (setProperty): Ditto.
1455         (hasProperty): Ditto.
1456         (deleteProperty): Ditto.
1457         (getPropertyNames): Ditto.
1458         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
1459         * API/glib/JSCClassPrivate.h:
1460         * API/glib/JSCContext.cpp:
1461         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
1462         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
1463         * API/glib/JSCContext.h:
1464         * API/glib/JSCContextPrivate.h:
1465         * API/glib/JSCWrapperMap.cpp:
1466         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
1467         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
1468         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
1469         * API/glib/JSCWrapperMap.h:
1470         * GLib.cmake:
1471
1472 2018-07-19  Saam Barati  <sbarati@apple.com>
1473
1474         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
1475         https://bugs.webkit.org/show_bug.cgi?id=187836
1476         <rdar://problem/42409527>
1477
1478         Reviewed by Mark Lam.
1479
1480         We have crash reports that we're crashing on source->getDirect in Object.assign's
1481         fast path. Mark investigated this and determined we end up with a nullptr for
1482         butterfly. This is curious, because source's Structure indicated that it has
1483         out of line properties. My leading hypothesis for this at the moment is a bit
1484         handwavy, but it's essentially:
1485         - We end up firing a watchpoint when assigning to the target (this can happen
1486         if a watchpoint was set up for storing to that particular field)
1487         - When we fire that watchpoint, we end up doing some kind of work on the source,
1488         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
1489         mutating source.
1490         
1491         I'm not super convinced this is what we're running into, but just by reading
1492         the code, I think it needs to be something similar to this. Seeing if this change
1493         fixes the crasher will give us good data to determine if something like this is
1494         happening or if the bug is something else entirely.
1495
1496         * runtime/ObjectConstructor.cpp:
1497         (JSC::objectConstructorAssign):
1498
1499 2018-07-19  Commit Queue  <commit-queue@webkit.org>
1500
1501         Unreviewed, rolling out r233998.
1502         https://bugs.webkit.org/show_bug.cgi?id=187815
1503
1504         Not needed. (Requested by mlam|a on #webkit).
1505
1506         Reverted changeset:
1507
1508         "Temporarily mitigate a bug where a source provider is null
1509         when it shouldn't be."
1510         https://bugs.webkit.org/show_bug.cgi?id=187812
1511         https://trac.webkit.org/changeset/233998
1512
1513 2018-07-19  Mark Lam  <mark.lam@apple.com>
1514
1515         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
1516         https://bugs.webkit.org/show_bug.cgi?id=187812
1517         <rdar://problem/41192691>
1518
1519         Reviewed by Michael Saboff.
1520
1521         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
1522
1523         * runtime/Error.cpp:
1524         (JSC::addErrorInfo):
1525
1526 2018-07-19  Keith Rollin  <krollin@apple.com>
1527
1528         Adjust WEBCORE_EXPORT annotations for LTO
1529         https://bugs.webkit.org/show_bug.cgi?id=187781
1530         <rdar://problem/42351124>
1531
1532         Reviewed by Alex Christensen.
1533
1534         Continuation of Bug 186944. This bug addresses issues not caught
1535         during the first pass of adjustments. The initial work focussed on
1536         macOS; this one addresses issues found when building for iOS. From
1537         186944:
1538
1539         Adjust a number of places that result in WebKit's
1540         'check-for-weak-vtables-and-externals' script reporting weak external
1541         symbols:
1542
1543             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
1544             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
1545             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
1546             ...
1547
1548         These cases are caused by inline methods being marked with WTF_EXPORT
1549         (or related macro) or with an inline function being in a class marked
1550         as such, and when enabling LTO builds.
1551
1552         For the most part, address these by removing the WEBCORE_EXPORT
1553         annotation from inline methods. In some cases, move the implementation
1554         out-of-line because it's the class that has the WEBCORE_EXPORT on it
1555         and removing the annotation from the class would be too disruptive.
1556         Finally, in other cases, move the implementation out-of-line because
1557         check-for-weak-vtables-and-externals still complains when keeping the
1558         implementation inline and removing the annotation; this seems to
1559         typically (but not always) happen with destructors.
1560
1561         * inspector/remote/RemoteAutomationTarget.cpp:
1562         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
1563         * inspector/remote/RemoteAutomationTarget.h:
1564         * inspector/remote/RemoteInspector.cpp:
1565         (Inspector::RemoteInspector::Client::~Client):
1566         * inspector/remote/RemoteInspector.h:
1567
1568 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1569
1570         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
1571         https://bugs.webkit.org/show_bug.cgi?id=187807
1572
1573         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
1574         that we know about that exception occurrence and handle it well.
1575
1576         * runtime/JSONObject.cpp:
1577         (JSC::Stringifier::Holder::appendNextProperty):
1578
1579 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1580
1581         [JSC] Reduce size of AST nodes
1582         https://bugs.webkit.org/show_bug.cgi?id=187689
1583
1584         Reviewed by Mark Lam.
1585
1586         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
1587         of ParserArena at peak state.
1588
1589         1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
1590         devirtualize calls to functions which are implemented in a final class.
1591
1592         2. Use default member initializers more.
1593
1594         3. And use `nullptr` instead of `0`.
1595
1596         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
1597         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
1598         to 40. This decreases the sizes of all the derived Statement nodes.
1599
1600         * parser/NodeConstructors.h:
1601         (JSC::Node::Node):
1602         (JSC::StatementNode::StatementNode):
1603         (JSC::ElementNode::ElementNode):
1604         (JSC::ArrayNode::ArrayNode):
1605         (JSC::PropertyListNode::PropertyListNode):
1606         (JSC::ObjectLiteralNode::ObjectLiteralNode):
1607         (JSC::ArgumentListNode::ArgumentListNode):
1608         (JSC::ArgumentsNode::ArgumentsNode):
1609         (JSC::NewExprNode::NewExprNode):
1610         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1611         (JSC::BinaryOpNode::BinaryOpNode):
1612         (JSC::LogicalOpNode::LogicalOpNode):
1613         (JSC::CommaNode::CommaNode):
1614         (JSC::SourceElements::SourceElements):
1615         (JSC::ClauseListNode::ClauseListNode):
1616         * parser/Nodes.cpp:
1617         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1618         (JSC::FunctionMetadataNode::operator== const):
1619         (JSC::FunctionMetadataNode::dump const):
1620         * parser/Nodes.h:
1621         (JSC::BooleanNode::value): Deleted.
1622         (JSC::StringNode::value): Deleted.
1623         (JSC::TemplateExpressionListNode::value): Deleted.
1624         (JSC::TemplateExpressionListNode::next): Deleted.
1625         (JSC::TemplateStringNode::cooked): Deleted.
1626         (JSC::TemplateStringNode::raw): Deleted.
1627         (JSC::TemplateStringListNode::value): Deleted.
1628         (JSC::TemplateStringListNode::next): Deleted.
1629         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
1630         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
1631         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
1632         (JSC::ResolveNode::identifier const): Deleted.
1633         (JSC::ElementNode::elision const): Deleted.
1634         (JSC::ElementNode::value): Deleted.
1635         (JSC::ElementNode::next): Deleted.
1636         (JSC::ArrayNode::elements const): Deleted.
1637         (JSC::PropertyNode::expressionName const): Deleted.
1638         (JSC::PropertyNode::name const): Deleted.
1639         (JSC::PropertyNode::type const): Deleted.
1640         (JSC::PropertyNode::needsSuperBinding const): Deleted.
1641         (JSC::PropertyNode::isClassProperty const): Deleted.
1642         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
1643         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
1644         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
1645         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
1646         (JSC::PropertyNode::putType const): Deleted.
1647         (JSC::BracketAccessorNode::base const): Deleted.
1648         (JSC::BracketAccessorNode::subscript const): Deleted.
1649         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
1650         (JSC::DotAccessorNode::base const): Deleted.
1651         (JSC::DotAccessorNode::identifier const): Deleted.
1652         (JSC::SpreadExpressionNode::expression const): Deleted.
1653         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
1654         (JSC::BytecodeIntrinsicNode::type const): Deleted.
1655         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
1656         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
1657         (JSC::TypeOfResolveNode::identifier const): Deleted.
1658         (JSC::BitwiseNotNode::expr): Deleted.
1659         (JSC::BitwiseNotNode::expr const): Deleted.
1660         (JSC::AssignResolveNode::identifier const): Deleted.
1661         (JSC::ExprStatementNode::expr const): Deleted.
1662         (JSC::ForOfNode::isForAwait const): Deleted.
1663         (JSC::ReturnNode::value): Deleted.
1664         (JSC::ProgramNode::startColumn const): Deleted.
1665         (JSC::ProgramNode::endColumn const): Deleted.
1666         (JSC::EvalNode::startColumn const): Deleted.
1667         (JSC::EvalNode::endColumn const): Deleted.
1668         (JSC::ModuleProgramNode::startColumn const): Deleted.
1669         (JSC::ModuleProgramNode::endColumn const): Deleted.
1670         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
1671         (JSC::ModuleNameNode::moduleName): Deleted.
1672         (JSC::ImportSpecifierNode::importedName): Deleted.
1673         (JSC::ImportSpecifierNode::localName): Deleted.
1674         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
1675         (JSC::ImportSpecifierListNode::append): Deleted.
1676         (JSC::ImportDeclarationNode::specifierList const): Deleted.
1677         (JSC::ImportDeclarationNode::moduleName const): Deleted.
1678         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
1679         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
1680         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
1681         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
1682         (JSC::ExportSpecifierNode::exportedName): Deleted.
1683         (JSC::ExportSpecifierNode::localName): Deleted.
1684         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
1685         (JSC::ExportSpecifierListNode::append): Deleted.
1686         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
1687         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
1688         (JSC::ArrayPatternNode::appendIndex): Deleted.
1689         (JSC::ObjectPatternNode::appendEntry): Deleted.
1690         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
1691         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
1692         (JSC::DestructuringAssignmentNode::bindings): Deleted.
1693         (JSC::FunctionParameters::size const): Deleted.
1694         (JSC::FunctionParameters::append): Deleted.
1695         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
1696         (JSC::FuncDeclNode::metadata): Deleted.
1697         (JSC::CaseClauseNode::expr const): Deleted.
1698         (JSC::CaseClauseNode::setStartOffset): Deleted.
1699         (JSC::ClauseListNode::getClause const): Deleted.
1700         (JSC::ClauseListNode::getNext const): Deleted.
1701         * runtime/ExceptionHelpers.cpp:
1702         * runtime/JSObject.cpp:
1703
1704 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1705
1706         JSON.stringify should emit non own properties if second array argument includes
1707         https://bugs.webkit.org/show_bug.cgi?id=187724
1708
1709         Reviewed by Mark Lam.
1710
1711         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
1712         instead of [[GetOwnProperty]]. It means that we would look up properties defined
1713         in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
1714         by using EnumerableOwnPropertyNames typically, we can pass a replacer array including
1715         property names which do not reside in the own properties. Or we can modify the
1716         own properties by deleting properties while JSON.stringify is calling a getter. So,
1717         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
1718
1719         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
1720         The performance of Kraken/json-stringify-tinderbox is neutral.
1721
1722         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
1723
1724         * runtime/JSONObject.cpp:
1725         (JSC::Stringifier::toJSON):
1726         (JSC::Stringifier::toJSONImpl):
1727         (JSC::Stringifier::appendStringifiedValue):
1728         (JSC::Stringifier::Holder::Holder):
1729         (JSC::Stringifier::Holder::appendNextProperty):
1730
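As an added illustration of the [[Get]] semantics described in the entry above (example code written for this page, not part of the WebKit change), the two functions below show the two user-visible cases the entry names: a replacer array naming an inherited property, and a getter that deletes a later own property while serialization is in progress. The object shapes and values are constructed for the example.

```javascript
// Added example (not part of the WebKit change): JSON.stringify reads each
// property with [[Get]], so the prototype chain is consulted.

// Case 1: a replacer array may name a property that is not an own property
// of the holder; SerializeJSONProperty still looks it up with [[Get]].
function stringifyWithInheritedKey() {
  const proto = { b: 2 };
  const obj = Object.create(proto, { a: { value: 1, enumerable: true } });
  // "b" lives on the prototype, but the replacer array asks for it explicitly.
  return JSON.stringify(obj, ["a", "b"]);
}

// Case 2: the key list is fixed (EnumerableOwnPropertyNames) before
// serialization starts, but each value is read with [[Get]] at the moment
// it is serialized. A getter that deletes a later own property therefore
// makes that key fall through to the prototype instead of being skipped.
function stringifyWithGetterDeletingOwnProperty() {
  const proto = { b: "from-prototype" };
  const obj = Object.create(proto, {
    a: {
      enumerable: true,
      get() {
        delete this.b; // remove the own "b" while "a" is being serialized
        return 1;
      },
    },
    b: { value: "own", enumerable: true, writable: true, configurable: true },
  });
  return JSON.stringify(obj);
}

// A [[GetOwnProperty]]-only implementation would omit "b" in case 1 and
// would either skip "b" or emit the stale own value in case 2.
console.log(stringifyWithInheritedKey());              // {"a":1,"b":2}
console.log(stringifyWithGetterDeletingOwnProperty()); // {"a":1,"b":"from-prototype"}
```

Both results follow directly from the spec steps cited in the entry: the property list is computed once, and every value read afterwards goes through the ordinary [[Get]] path.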
1731 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1732
1733         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
1734         https://bugs.webkit.org/show_bug.cgi?id=187755
1735
1736         Reviewed by Mark Lam.
1737
1738         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
1739         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
1740         makes one test262 test fail.
1741
1742         This patch changes the code to use `isArray()`. And we reorder the evaluations of the replacer check and indent space check
1743         to align these checks to the spec's order.
1744
1745         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
1746
1747         * runtime/JSONObject.cpp:
1748         (JSC::Stringifier::Stringifier):
1749
1750 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1751
1752         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
1753         https://bugs.webkit.org/show_bug.cgi?id=187752
1754
1755         Reviewed by Mark Lam.
1756
1757         JSON.stringify has an implicit root wrapper object since we would like to call replacer
1758         with a wrapper object and a property name. While we always create this wrapper object,
1759         it is unnecessary if the given replacer is not callable.
1760
1761         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
1762         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
1763
1764                                            baseline                  patched
1765
1766         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
1767
1768         * runtime/JSONObject.cpp:
1769         (JSC::Stringifier::isCallableReplacer const):
1770         (JSC::Stringifier::Stringifier):
1771         (JSC::Stringifier::stringify):
1772         (JSC::Stringifier::appendStringifiedValue):
1773
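The two entries above (the `isArray` replacer check and the root wrapper object that exists only for callable replacers) are both about how JSON.stringify classifies its second argument. The block below is an added example written for this page, not code from WebKit, and shows the observable behaviour: a Proxy over an array is honoured as a property whitelist, a revoked Proxy makes IsArray throw, and a callable replacer is first invoked with the implicit `{ "": value }` wrapper as its holder. All inputs are constructed for the example.

```javascript
// Added example (not part of the WebKit change): how JSON.stringify
// classifies its replacer argument.

// IsArray(replacer) sees through a Proxy whose target is an array, so a
// proxied array acts as a property-name whitelist rather than being ignored.
function stringifyWithProxiedArrayReplacer() {
  const replacer = new Proxy(["a"], {});
  return JSON.stringify({ a: 1, b: 2 }, replacer);
}

// IsArray on a revoked Proxy throws a TypeError before anything is serialized.
function stringifyWithRevokedProxyReplacer() {
  const { proxy, revoke } = Proxy.revocable([], {});
  revoke();
  try {
    JSON.stringify({}, proxy);
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}

// A callable replacer is first called on an implicit wrapper object
// { "": value } with key "". That wrapper is the only reason the engine
// needs a root holder, which is why it can be skipped for non-callable
// replacers.
function firstReplacerCall() {
  const root = { x: 1 };
  let seen = null;
  JSON.stringify(root, function (key, value) {
    if (seen === null) {
      seen = {
        key,
        holderHasRoot: this[""] === root,
        holderIsPlainObject: Object.getPrototypeOf(this) === Object.prototype,
      };
    }
    return value;
  });
  return seen;
}

console.log(stringifyWithProxiedArrayReplacer()); // {"a":1}
console.log(stringifyWithRevokedProxyReplacer()); // TypeError
console.log(firstReplacerCall());                 // { key: '', holderHasRoot: true, holderIsPlainObject: true }
```

Note that a replacer that is neither callable nor an array (for example a plain object) is simply ignored, so the wrapper allocation saved by the second entry is never observable from script.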
1774 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1775
1776         [GLIB] Add jsc_context_check_syntax() to GLib API
1777         https://bugs.webkit.org/show_bug.cgi?id=187694
1778
1779         Reviewed by Yusuke Suzuki.
1780
1781         A new function to be able to check for syntax errors without actually evaluating the code.
1782
1783         * API/glib/JSCContext.cpp:
1784         (jsc_context_check_syntax):
1785         * API/glib/JSCContext.h:
1786         * API/glib/docs/jsc-glib-4.0-sections.txt:
1787
1788 2018-07-17  Keith Miller  <keith_miller@apple.com>
1789
1790         Revert r233630 since it broke internal wasm benchmarks
1791         https://bugs.webkit.org/show_bug.cgi?id=187746
1792
1793         Unreviewed revert.
1794
1795         This patch seems to have broken internal Wasm benchmarks. This
1796         issue is likely due to an underlying bug but let's rollout while
1797         we investigate.
1798
1799         * bytecode/CodeType.h:
1800         * bytecode/UnlinkedCodeBlock.cpp:
1801         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1802         * bytecode/UnlinkedCodeBlock.h:
1803         (JSC::UnlinkedCodeBlock::codeType const):
1804         (JSC::UnlinkedCodeBlock::didOptimize const):
1805         (JSC::UnlinkedCodeBlock::setDidOptimize):
1806         * bytecode/VirtualRegister.h:
1807         (JSC::VirtualRegister::VirtualRegister):
1808         (): Deleted.
1809
1810 2018-07-17  Mark Lam  <mark.lam@apple.com>
1811
1812         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
1813         https://bugs.webkit.org/show_bug.cgi?id=187736
1814         <rdar://problem/42114371>
1815
1816         Reviewed by Michael Saboff.
1817
1818         CodeBlock::baselineVersion() currently checks for a null replacement but does not
1819         account for the fact that the replacement can also be null due to the
1820         executable having been purged of its codeBlocks due to a memory event (see
1821         ExecutableBase::clearCode()).  This patch adds code to account for this.
1822
1823         * bytecode/CodeBlock.cpp:
1824         (JSC::CodeBlock::baselineVersion):
1825
1826 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1827
1828         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
1829         https://bugs.webkit.org/show_bug.cgi?id=187709
1830
1831         Reviewed by Mark Lam.
1832
1833         UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
1834
1835         * bytecode/UnlinkedCodeBlock.cpp:
1836         (JSC::UnlinkedCodeBlock::shrinkToFit):
1837
1838 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1839
1840         [JSC] Make SourceParseMode small
1841         https://bugs.webkit.org/show_bug.cgi?id=187705
1842
1843         Reviewed by Mark Lam.
1844
1845         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
1846         Originally, this was done to make SourceParseModeSet faster because it is critical in our parser.
1847         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
1848         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
1849
1850         * parser/ParserModes.h:
1851         (JSC::SourceParseModeSet::SourceParseModeSet):
1852         (JSC::SourceParseModeSet::contains):
1853         (JSC::SourceParseModeSet::mergeSourceParseModes):
1854
1855 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1856
1857         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
1858         https://bugs.webkit.org/show_bug.cgi?id=187585
1859
1860         Reviewed by Darin Adler.
1861
1862         This patch fixes Generator and AsyncGenerator's prototype issues.
1863
1864         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
1865         We fix this by changing JSFunction::prototypeForConstruction.
1866
1867         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
1868         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
1869         to fix `prototype` issues for AsyncGeneratorMethod.
1870
1871         * bytecompiler/BytecodeGenerator.cpp:
1872         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1873         (JSC::BytecodeGenerator::emitNewFunction):
1874         * bytecompiler/NodesCodegen.cpp:
1875         (JSC::FunctionNode::emitBytecode):
1876         * parser/ASTBuilder.h:
1877         (JSC::ASTBuilder::createFunctionMetadata):
1878         * parser/Parser.cpp:
1879         (JSC::getAsynFunctionBodyParseMode):
1880         (JSC::Parser<LexerType>::parseInner):
1881         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1882         * parser/ParserModes.h:
1883         (JSC::isAsyncGeneratorParseMode):
1884         (JSC::isAsyncGeneratorWrapperParseMode):
1885         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
1886         * runtime/FunctionExecutable.h:
1887         * runtime/JSFunction.cpp:
1888         (JSC::JSFunction::prototypeForConstruction):
1889         (JSC::JSFunction::getOwnPropertySlot):
1890
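To make the two prototype issues in the entry above concrete, here is an added example written for this page (not WebKit test code). It checks what prototype a generator object receives when the function's own `prototype` property has been set to a non-object such as `null`, for a plain generator function and for an async generator method, and contrasts that with the normal case where `prototype` is an object. The names `GeneratorPrototype` and `AsyncGeneratorPrototype` are local constants derived from the intrinsics, not engine identifiers.

```javascript
// Added example (not part of the WebKit change): prototype selection for
// generator objects when the function's "prototype" is not an object.

// %GeneratorPrototype% and %AsyncGeneratorPrototype%, reached through the
// [[Prototype]] of a generator / async generator function object.
const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;

// Generator functions have a writable "prototype" property. If it is set to
// a non-object, the generator object must fall back to %GeneratorPrototype%
// (the first issue in the entry).
function generatorPrototypeAfterNull() {
  function* gen() {}
  gen.prototype = null;
  return Object.getPrototypeOf(gen()) === GeneratorPrototype;
}

// The same rule applies to async generator methods, which were the second
// case the entry fixes.
function asyncGeneratorMethodPrototypeAfterNull() {
  const obj = { async *method() {} };
  obj.method.prototype = null;
  return Object.getPrototypeOf(obj.method()) === AsyncGeneratorPrototype;
}

// When "prototype" is an object it is used as-is; this is the normal path.
function generatorHonoursObjectPrototype() {
  function* gen() {}
  const custom = Object.create(GeneratorPrototype);
  gen.prototype = custom;
  return Object.getPrototypeOf(gen()) === custom;
}

console.log(generatorPrototypeAfterNull());            // true
console.log(asyncGeneratorMethodPrototypeAfterNull()); // true
console.log(generatorHonoursObjectPrototype());        // true
```

An engine that only consulted the function's `prototype` property would hand out generator objects whose [[Prototype]] is `null`, so `next()` would not even be reachable on them; the fallback to the intrinsic prototype is what keeps such generators usable.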
1891 2018-07-16  Mark Lam  <mark.lam@apple.com>
1892
1893         jsc shell's noFTL utility test function should be more robust.
1894         https://bugs.webkit.org/show_bug.cgi?id=187704
1895         <rdar://problem/42231988>
1896
1897         Reviewed by Michael Saboff and Keith Miller.
1898
1899         * jsc.cpp:
1900         (functionNoFTL):
1901         - only setNeverFTLOptimize() if the function is actually a JS function.
1902
1903 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
1904
1905         [GLIB] Add API to evaluate code using a given object to store global symbols
1906         https://bugs.webkit.org/show_bug.cgi?id=187639
1907
1908         Reviewed by Michael Catanzaro.
1909
1910         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
1911         evaluated script are added as properties to the new object instead of to the context global object. This is
1912         similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a
1913         scope for assignments, so we have to create a new context and get its global object. This patch also updates
1914         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
1915         jsc_context_evaluate_in_object().
1916
1917         * API/glib/JSCContext.cpp:
1918         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
1919         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
1920         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
1921         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
1922         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
1923         * API/glib/JSCContext.h:
1924         * API/glib/docs/jsc-glib-4.0-sections.txt:
1925
1926 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1927
1928         [32bit JSC tests]  stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
1929         https://bugs.webkit.org/show_bug.cgi?id=187561
1930
1931         Reviewed by Darin Adler.
1932
1933         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
1934         We clean up 32bit put_by_val code.
1935
1936         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
1937         aligns 32bit implementation to 64bit implementation.
1938
1939         2. We add CoW array checking, which is done in 64bit implementation.
1940
1941         * jit/JITPropertyAccess.cpp:
1942         (JSC::JIT::emit_op_put_by_val):
1943         * jit/JITPropertyAccess32_64.cpp:
1944         (JSC::JIT::emit_op_put_by_val):
1945         (JSC::JIT::emitSlow_op_put_by_val):
1946
1947 2018-07-12  Mark Lam  <mark.lam@apple.com>
1948
1949         Need to handle CodeBlock::replacement() being null.
1950         https://bugs.webkit.org/show_bug.cgi?id=187569
1951         <rdar://problem/41468692>
1952
1953         Reviewed by Saam Barati.
1954
1955         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
1956         for this while others do not.  We should add null checks in all the places that
1957         need it.
1958
1959         * bytecode/CodeBlock.cpp:
1960         (JSC::CodeBlock::hasOptimizedReplacement):
1961         (JSC::CodeBlock::jettison):
1962         (JSC::CodeBlock::numberOfDFGCompiles):
1963         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1964         * dfg/DFGOperations.cpp:
1965         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1966         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1967         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1968         * jit/JITOperations.cpp:
1969
1970 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1971
1972         [JSC] Thread VM& to JSCell::methodTable(VM&)
1973         https://bugs.webkit.org/show_bug.cgi?id=187548
1974
1975         Reviewed by Saam Barati.
1976
1977         This patch threads VM& to methodTable(VM&) and removes methodTable().
1978         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
1979
1980         * API/APICast.h:
1981         (toJS):
1982         * API/JSCallbackObject.h:
1983         * API/JSCallbackObjectFunctions.h:
1984         (JSC::JSCallbackObject<Parent>::className):
1985         * bytecode/CodeBlock.cpp:
1986         (JSC::CodeBlock::estimatedSize):
1987         * bytecode/CodeBlock.h:
1988         * bytecode/UnlinkedCodeBlock.cpp:
1989         (JSC::UnlinkedCodeBlock::estimatedSize):
1990         * bytecode/UnlinkedCodeBlock.h:
1991         * debugger/DebuggerScope.cpp:
1992         (JSC::DebuggerScope::className):
1993         * debugger/DebuggerScope.h:
1994         * heap/Heap.cpp:
1995         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
1996         (JSC::GatherHeapSnapshotData::operator() const):
1997         (JSC::Heap::gatherExtraHeapSnapshotData):
1998         * heap/HeapSnapshotBuilder.cpp:
1999         (JSC::HeapSnapshotBuilder::json):
2000         * runtime/ArrayPrototype.cpp:
2001         (JSC::arrayProtoFuncToString):
2002         * runtime/ClassInfo.h:
2003         * runtime/DirectArguments.cpp:
2004         (JSC::DirectArguments::estimatedSize):
2005         * runtime/DirectArguments.h:
2006         * runtime/HashMapImpl.cpp:
2007         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
2008         * runtime/HashMapImpl.h:
2009         * runtime/JSArrayBuffer.cpp:
2010         (JSC::JSArrayBuffer::estimatedSize):
2011         * runtime/JSArrayBuffer.h:
2012         * runtime/JSBigInt.cpp:
2013         (JSC::JSBigInt::estimatedSize):
2014         * runtime/JSBigInt.h:
2015         * runtime/JSCell.cpp:
2016         (JSC::JSCell::dump const):
2017         (JSC::JSCell::estimatedSizeInBytes const):
2018         (JSC::JSCell::estimatedSize):
2019         (JSC::JSCell::className):
2020         * runtime/JSCell.h:
2021         * runtime/JSCellInlines.h:
2022         * runtime/JSGenericTypedArrayView.h:
2023         * runtime/JSGenericTypedArrayViewInlines.h:
2024         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
2025         * runtime/JSObject.cpp:
2026         (JSC::JSObject::estimatedSize):
2027         (JSC::JSObject::className):
2028         (JSC::JSObject::toStringName):
2029         (JSC::JSObject::calculatedClassName):
2030         * runtime/JSObject.h:
2031         * runtime/JSProxy.cpp:
2032         (JSC::JSProxy::className):
2033         * runtime/JSProxy.h:
2034         * runtime/JSString.cpp:
2035         (JSC::JSString::estimatedSize):
2036         * runtime/JSString.h:
2037         * runtime/RegExp.cpp:
2038         (JSC::RegExp::estimatedSize):
2039         * runtime/RegExp.h:
2040         * runtime/WeakMapImpl.cpp:
2041         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
2042         * runtime/WeakMapImpl.h:
2043
2044 2018-07-11  Commit Queue  <commit-queue@webkit.org>
2045
2046         Unreviewed, rolling out r233714.
2047         https://bugs.webkit.org/show_bug.cgi?id=187579
2048
2049         it made tests time out (Requested by pizlo on #webkit).
2050
2051         Reverted changeset:
2052
2053         "Change the reoptimization backoff base to 1.3 from 2"
2054         https://bugs.webkit.org/show_bug.cgi?id=187540
2055         https://trac.webkit.org/changeset/233714
2056
2057 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2058
2059         [GLIB] Add API to allow creating variadic functions
2060         https://bugs.webkit.org/show_bug.cgi?id=187517
2061
2062         Reviewed by Michael Catanzaro.
2063
2064         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
2065         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
2066
2067         * API/glib/JSCCallbackFunction.cpp:
2068         (JSC::JSCCallbackFunction::create): Make the parameters optional.
2069         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
2070         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
2071         JSCValue for the arguments.
2072         (JSC::JSCCallbackFunction::construct): Ditto.
2073         * API/glib/JSCCallbackFunction.h:
2074         * API/glib/JSCClass.cpp:
2075         (jscClassCreateConstructor): Make the parameters optional.
2076         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
2077         (jscClassAddMethod): Make the parameters optional.
2078         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
2079         * API/glib/JSCClass.h:
2080         * API/glib/JSCValue.cpp:
2081         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
2082         (jscValueFunctionCreate): Make the parameters optional.
2083         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
2084         * API/glib/JSCValue.h:
2085         * API/glib/docs/jsc-glib-4.0-sections.txt:
2086
2087 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2088
2089         [GLIB] Add jsc_context_get_global_object() to GLib API
2090         https://bugs.webkit.org/show_bug.cgi?id=187515
2091
2092         Reviewed by Michael Catanzaro.
2093
2094         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
2095         object. However, getting the global object could be useful in some cases, for example to give it a well known
2096         name like 'window' in browsers and GJS.
2097
2098         * API/glib/JSCContext.cpp:
2099         (jsc_context_get_global_object):
2100         * API/glib/JSCContext.h:
2101         * API/glib/docs/jsc-glib-4.0-sections.txt:
2102
2103 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2104
2105         [GLIB] Handle G_TYPE_STRV in glib API
2106         https://bugs.webkit.org/show_bug.cgi?id=187512
2107
2108         Reviewed by Michael Catanzaro.
2109
2110         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
2111
2112         * API/glib/JSCContext.cpp:
2113         (jscContextGValueToJSValue):
2114         (jscContextJSValueToGValue):
2115         * API/glib/JSCValue.cpp:
2116         (jsc_value_new_array_from_strv):
2117         * API/glib/JSCValue.h:
2118         * API/glib/docs/jsc-glib-4.0-sections.txt:
2119
2120 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2121
2122         Iterator of Array.keys() returns object in wrong order
2123         https://bugs.webkit.org/show_bug.cgi?id=185197
2124
2125         Reviewed by Keith Miller.
2126
2127         * builtins/ArrayIteratorPrototype.js:
2128         (globalPrivate.arrayIteratorValueNext):
2129         (globalPrivate.arrayIteratorKeyNext):
2130         (globalPrivate.arrayIteratorKeyValueNext):
2131         * builtins/AsyncFromSyncIteratorPrototype.js:
2132         * builtins/AsyncGeneratorPrototype.js:
2133         (globalPrivate.asyncGeneratorResolve):
2134         * builtins/GeneratorPrototype.js:
2135         (globalPrivate.generatorResume):
2136         * builtins/MapIteratorPrototype.js:
2137         (globalPrivate.mapIteratorNext):
2138         * builtins/SetIteratorPrototype.js:
2139         (globalPrivate.setIteratorNext):
2140         * builtins/StringIteratorPrototype.js:
2141         (next):
2142         * runtime/IteratorOperations.cpp:
2143         (JSC::createIteratorResultObjectStructure):
2144         (JSC::createIteratorResultObject):
2145
2146 2018-07-10  Mark Lam  <mark.lam@apple.com>
2147
2148         constructArray() should always allocate the requested length.
2149         https://bugs.webkit.org/show_bug.cgi?id=187543
2150         <rdar://problem/41947884>
2151
2152         Reviewed by Saam Barati.
2153
2154         Currently, it does not when we're having a bad time.  We fix this by switching
2155         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
2156         If we detect that a structure transition is possible before we can initialize
2157         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
2158         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
2159
2160         Also enhanced the DisallowScope and ObjectInitializationScope to support this
2161         eager initialization when needed.
2162
2163         * dfg/DFGOperations.cpp:
2164         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
2165           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
2166           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
2167           generated code, which will appear as a generic null pointer dereference.
2168
2169         * runtime/ArrayPrototype.cpp:
2170         (JSC::concatAppendOne):
2171         - the code here clearly wants to check for an allocation failure.  Switched to
2172           using JSArray::tryCreate() instead of JSArray::create().
2173
2174         * runtime/DisallowScope.h:
2175         (JSC::DisallowScope::disable):
2176         * runtime/JSArray.cpp:
2177         (JSC::JSArray::tryCreateUninitializedRestricted):
2178         (JSC::JSArray::eagerlyInitializeButterfly):
2179         (JSC::constructArray):
2180         * runtime/JSArray.h:
2181         * runtime/ObjectInitializationScope.cpp:
2182         (JSC::ObjectInitializationScope::notifyInitialized):
2183         * runtime/ObjectInitializationScope.h:
2184         (JSC::ObjectInitializationScope::notifyInitialized):
2185
2186 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2187
2188         [JSC] Remove getTypedArrayImpl
2189         https://bugs.webkit.org/show_bug.cgi?id=187338
2190
2191         Reviewed by Mark Lam.
2192
2193         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
2194         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
2195         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
2196
2197         * runtime/ClassInfo.h:
2198         * runtime/GenericTypedArrayView.h:
2199         (JSC::GenericTypedArrayView::data const): Deleted.
2200         (JSC::GenericTypedArrayView::set): Deleted.
2201         (JSC::GenericTypedArrayView::setRange): Deleted.
2202         (JSC::GenericTypedArrayView::zeroRange): Deleted.
2203         (JSC::GenericTypedArrayView::zeroFill): Deleted.
2204         (JSC::GenericTypedArrayView::length const): Deleted.
2205         (JSC::GenericTypedArrayView::item const): Deleted.
2206         (JSC::GenericTypedArrayView::set const): Deleted.
2207         (JSC::GenericTypedArrayView::setNative const): Deleted.
2208         (JSC::GenericTypedArrayView::getRange): Deleted.
2209         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
2210         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
2211         * runtime/JSArrayBufferView.cpp:
2212         (JSC::JSArrayBufferView::possiblySharedImpl):
2213         * runtime/JSArrayBufferView.h:
2214         * runtime/JSArrayBufferViewInlines.h:
2215         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
2216         * runtime/JSCell.cpp:
2217         (JSC::JSCell::getTypedArrayImpl): Deleted.
2218         * runtime/JSCell.h:
2219         * runtime/JSDataView.cpp:
2220         (JSC::JSDataView::getTypedArrayImpl): Deleted.
2221         * runtime/JSDataView.h:
2222         * runtime/JSGenericTypedArrayView.h:
2223         * runtime/JSGenericTypedArrayViewInlines.h:
2224         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
2225
2226 2018-07-10  Keith Miller  <keith_miller@apple.com>
2227
2228         hasOwnProperty returns true for out of bounds property index on TypedArray
2229         https://bugs.webkit.org/show_bug.cgi?id=187520
2230
2231         Reviewed by Saam Barati.
2232
2233         * runtime/JSGenericTypedArrayViewInlines.h:
2234         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
2235
2236 2018-07-10  Michael Saboff  <msaboff@apple.com>
2237
2238         DFG JIT: compileMathIC produces incorrect machine code
2239         https://bugs.webkit.org/show_bug.cgi?id=187537
2240
2241         Reviewed by Saam Barati.
2242
2243         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
2244         fall back to the fast path generator which handles such cases.
2245
2246         * jit/JITMulGenerator.cpp:
2247         (JSC::JITMulGenerator::generateInline):
2248
2249 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
2250
2251         Change the reoptimization backoff base to 1.3 from 2
2252         https://bugs.webkit.org/show_bug.cgi?id=187540
2253
2254         Reviewed by Saam Barati.
2255         
2256         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
2257         
2258         I also have data that hints that a backoff base of 1 might be even better, but I think that
2259         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
2260
2261         * bytecode/CodeBlock.cpp:
2262         (JSC::CodeBlock::reoptimizationRetryCounter const):
2263         (JSC::CodeBlock::countReoptimization):
2264         (JSC::CodeBlock::adjustedCounterValue):
2265         * runtime/Options.cpp:
2266         (JSC::recomputeDependentOptions):
2267         * runtime/Options.h:
2268
2269 2018-07-10  Mark Lam  <mark.lam@apple.com>
2270
2271         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
2272         https://bugs.webkit.org/show_bug.cgi?id=187362
2273         <rdar://problem/42027210>
2274
2275         Reviewed by Saam Barati.
2276
2277         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
2278         value to use for initializing unused properties.  Updated an assertion to account
2279         for this.
2280
2281         * runtime/ObjectInitializationScope.cpp:
2282         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2283
2284 2018-07-10  Michael Saboff  <msaboff@apple.com>
2285
2286         YARR: . doesn't match non-BMP Unicode characters in some cases
2287         https://bugs.webkit.org/show_bug.cgi?id=187248
2288
2289         Reviewed by Geoffrey Garen.
2290
2291         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
2292         characters did not take into account that the character class is inverted.  In this case, we
2293         represent '.' as "not a newline" using the newline character class with an inverted check.
2294         Clearly that includes non-BMP characters.
2295
2296         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
2297         inverted use of that character class.
2298
2299         * yarr/YarrJIT.cpp:
2300         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2301
2302 2018-07-09  Mark Lam  <mark.lam@apple.com>
2303
2304         Add --traceLLIntExecution and --traceLLIntSlowPath options.
2305         https://bugs.webkit.org/show_bug.cgi?id=187479
2306
2307         Reviewed by Yusuke Suzuki and Saam Barati.
2308
2309         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
2310
2311         The details:
2312         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
2313         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
2314            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
2315            continually spammed with logging until we rebuild.
2316         3. Fixed slow path LLINT tracing to work with exception check validation.
2317
2318         * llint/LLIntCommon.h:
2319         * llint/LLIntExceptions.cpp:
2320         (JSC::LLInt::returnToThrow):
2321         (JSC::LLInt::callToThrow):
2322         * llint/LLIntOfflineAsmConfig.h:
2323         * llint/LLIntSlowPaths.cpp:
2324         (JSC::LLInt::slowPathLog):
2325         (JSC::LLInt::slowPathLn):
2326         (JSC::LLInt::slowPathLogF):
2327         (JSC::LLInt::slowPathLogLn):
2328         (JSC::LLInt::llint_trace_operand):
2329         (JSC::LLInt::llint_trace_value):
2330         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2331         (JSC::LLInt::traceFunctionPrologue):
2332         (JSC::LLInt::handleHostCall):
2333         (JSC::LLInt::setUpCall):
2334         * llint/LLIntSlowPaths.h:
2335         * llint/LowLevelInterpreter.asm:
2336         * runtime/CommonSlowPathsExceptions.cpp:
2337         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2338         * runtime/Options.cpp:
2339         (JSC::Options::isAvailable):
2340         * runtime/Options.h:
2341
2342 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2343
2344         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
2345         https://bugs.webkit.org/show_bug.cgi?id=187477
2346
2347         Reviewed by Mark Lam.
2348
2349         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
2350         However, it is not necessary since JSCells can reside in a constant buffer.
2351         This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
2352         vector from RareData.
2353
2354         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
2355
2356         * bytecode/BytecodeDumper.cpp:
2357         (JSC::BytecodeDumper<Block>::dumpBytecode):
2358         (JSC::BytecodeDumper<Block>::dumpBlock):
2359         (JSC::regexpToSourceString): Deleted.
2360         (JSC::regexpName): Deleted.
2361         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
2362         * bytecode/BytecodeDumper.h:
2363         * bytecode/CodeBlock.h:
2364         (JSC::CodeBlock::regexp const): Deleted.
2365         (JSC::CodeBlock::numberOfRegExps const): Deleted.
2366         * bytecode/UnlinkedCodeBlock.cpp:
2367         (JSC::UnlinkedCodeBlock::visitChildren):
2368         (JSC::UnlinkedCodeBlock::shrinkToFit):
2369         * bytecode/UnlinkedCodeBlock.h:
2370         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2371         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
2372         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
2373         * bytecompiler/BytecodeGenerator.cpp:
2374         (JSC::BytecodeGenerator::emitNewRegExp):
2375         (JSC::BytecodeGenerator::addRegExp): Deleted.
2376         * bytecompiler/BytecodeGenerator.h:
2377         * dfg/DFGByteCodeParser.cpp:
2378         (JSC::DFG::ByteCodeParser::parseBlock):
2379         * jit/JITOpcodes.cpp:
2380         (JSC::JIT::emit_op_new_regexp):
2381         * llint/LLIntSlowPaths.cpp:
2382         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2383         * runtime/JSCJSValue.cpp:
2384         (JSC::JSValue::dumpInContextAssumingStructure const):
2385         * runtime/RegExp.cpp:
2386         (JSC::regexpToSourceString):
2387         (JSC::RegExp::dumpToStream):
2388         * runtime/RegExp.h:
2389
2390 2018-07-09  Brian Burg  <bburg@apple.com>
2391
2392         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
2393         https://bugs.webkit.org/show_bug.cgi?id=187350
2394         <rdar://problem/41728249>
2395
2396         Reviewed by Matt Baker.
2397
2398         Add a new command that toggles whether or not to blackbox internal scripts.
2399         If blackboxed, the scripts will not be shown to the frontend and the debugger will
2400         not pause in source frames from blackboxed scripts. Sometimes we want to break into
2401         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
2402         that injects scripts.
2403
2404         * inspector/agents/InspectorDebuggerAgent.cpp:
2405         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2406         (Inspector::InspectorDebuggerAgent::didParseSource):
2407         * inspector/agents/InspectorDebuggerAgent.h:
2408         * inspector/protocol/Debugger.json:
2409
2410 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2411
2412         [JSC] Make some data members of UnlinkedCodeBlock private
2413         https://bugs.webkit.org/show_bug.cgi?id=187467
2414
2415         Reviewed by Mark Lam.
2416
2417         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
2418         We also remove m_numCapturedVars since it is no longer used.
2419
2420         * bytecode/CodeBlock.cpp:
2421         (JSC::CodeBlock::CodeBlock):
2422         * bytecode/CodeBlock.h:
2423         * bytecode/UnlinkedCodeBlock.cpp:
2424         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2425         * bytecode/UnlinkedCodeBlock.h:
2426
2427 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2428
2429         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
2430         https://bugs.webkit.org/show_bug.cgi?id=187465
2431
2432         Reviewed by Keith Miller.
2433
2434         ProxyableAccessCase is allocated frequently and persists for a long time. Reducing the size
2435         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
2436
2437         This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add an unused bool member
2438         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
2439         of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
2440         from 104 to 96 since it inherits ProxyableAccessCase.
2441
2442         * bytecode/AccessCase.h:
2443         (JSC::AccessCase::viaProxy const):
2444         (JSC::AccessCase::AccessCase):
2445         * bytecode/ProxyableAccessCase.cpp:
2446         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2447         * bytecode/ProxyableAccessCase.h:
2448
2449 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2450
2451         Unreviewed, build fix for debug builds after r233630
2452         https://bugs.webkit.org/show_bug.cgi?id=187441
2453
2454         * jit/JIT.cpp:
2455         (JSC::JIT::frameRegisterCountFor):
2456         * llint/LLIntEntrypoint.cpp:
2457         (JSC::LLInt::frameRegisterCountFor):
2458
2459 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2460
2461         [JSC] Optimize layout of CodeBlock to reduce padding
2462         https://bugs.webkit.org/show_bug.cgi?id=187441
2463
2464         Reviewed by Mark Lam.
2465
2466         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
2467         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
2468         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
2469
2470         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
2471
2472         * bytecode/BytecodeDumper.cpp:
2473         (JSC::BytecodeDumper<Block>::dumpBlock):
2474         * bytecode/BytecodeUseDef.h:
2475         (JSC::computeDefsForBytecodeOffset):
2476         * bytecode/CodeBlock.cpp:
2477         (JSC::CodeBlock::CodeBlock):
2478         * bytecode/CodeBlock.h:
2479         (JSC::CodeBlock::numVars const):
2480         * bytecode/UnlinkedCodeBlock.h:
2481         (JSC::UnlinkedCodeBlock::numVars const):
2482         * dfg/DFGByteCodeParser.cpp:
2483         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2484         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2485         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2486         (JSC::DFG::ByteCodeParser::inlineCall):
2487         (JSC::DFG::ByteCodeParser::handleGetById):
2488         (JSC::DFG::ByteCodeParser::handlePutById):
2489         (JSC::DFG::ByteCodeParser::parseBlock):
2490         * dfg/DFGGraph.h:
2491         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2492         * dfg/DFGOSREntrypointCreationPhase.cpp:
2493         (JSC::DFG::OSREntrypointCreationPhase::run):
2494         * dfg/DFGVariableEventStream.cpp:
2495         (JSC::DFG::VariableEventStream::reconstruct const):
2496         * ftl/FTLOSREntry.cpp:
2497         (JSC::FTL::prepareOSREntry):
2498         * ftl/FTLState.cpp:
2499         (JSC::FTL::State::State):
2500         * interpreter/Interpreter.cpp:
2501         (JSC::Interpreter::dumpRegisters):
2502         * jit/JIT.cpp:
2503         (JSC::JIT::frameRegisterCountFor):
2504         * jit/JITOpcodes.cpp:
2505         (JSC::JIT::emit_op_enter):
2506         * jit/JITOpcodes32_64.cpp:
2507         (JSC::JIT::emit_op_enter):
2508         * jit/JITOperations.cpp:
2509         * llint/LLIntEntrypoint.cpp:
2510         (JSC::LLInt::frameRegisterCountFor):
2511         * llint/LLIntSlowPaths.cpp:
2512         (JSC::LLInt::traceFunctionPrologue):
2513         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2514         * runtime/JSCJSValue.h:
2515
2516 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2517
2518         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
2519         https://bugs.webkit.org/show_bug.cgi?id=187448
2520
2521         Reviewed by Saam Barati.
2522
2523         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
2524         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
2525
2526         * bytecode/CodeType.h:
2527         * bytecode/UnlinkedCodeBlock.cpp:
2528         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2529         * bytecode/UnlinkedCodeBlock.h:
2530         (JSC::UnlinkedCodeBlock::codeType const):
2531         (JSC::UnlinkedCodeBlock::didOptimize const):
2532         (JSC::UnlinkedCodeBlock::setDidOptimize):
2533         * bytecode/VirtualRegister.h:
2534
2535 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [JSC] Optimize padding of InferredTypeTable by using cellLock
2538         https://bugs.webkit.org/show_bug.cgi?id=187447
2539
2540         Reviewed by Mark Lam.
2541
2542         Use cellLock() in InferredTypeTable to guard changes of internal structures.
2543         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
2544         reduce the size of InferredTypeTable from 40 to 32.
2545
2546         * runtime/InferredTypeTable.cpp:
2547         (JSC::InferredTypeTable::visitChildren):
2548         (JSC::InferredTypeTable::get):
2549         (JSC::InferredTypeTable::willStoreValue):
2550         (JSC::InferredTypeTable::makeTop):
2551         * runtime/InferredTypeTable.h:
2552         Use enum class and using. Also remove `isEmpty()` since it is not used.
2553
2554         * runtime/Structure.h:
2555
2556 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2557
2558         [JSC] Optimize layout of SourceProvider to reduce padding
2559         https://bugs.webkit.org/show_bug.cgi?id=187440
2560
2561         Reviewed by Mark Lam.
2562
2563         Arrange members of SourceProvider to reduce the size from 80 to 72.
2564
2565         * parser/SourceProvider.cpp:
2566         (JSC::SourceProvider::SourceProvider):
2567         * parser/SourceProvider.h:
2568
2569 2018-07-08  Mark Lam  <mark.lam@apple.com>
2570
2571         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
2572         https://bugs.webkit.org/show_bug.cgi?id=187444
2573         <rdar://problem/41282849>
2574
2575         Reviewed by Saam Barati.
2576
2577         PropertyTable supports C++ iteration by offering begin() and end() methods, and
2578         an iterator class.  The begin() methods and the iterator operator++() method use
2579         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
2580         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
2581         pointer from being incremented past the end of the table.  As a result, we can
2582         iterate past the end of the table.  Note that the C++ iteration protocol tests
2583         for the iterator not being equal to the end() value.  It does not do a <= test.
2584         If the iterator ever shoots past end, the loop will effectively not terminate.
2585
2586         This issue can manifest if and only if the last entry in the table is a deleted
2587         one, and the key field of the PropertyMapEntry shaped space at the end of the
2588         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
2589         value.
2590
2591         No test because manifesting this issue requires uncontrollable happenstance where
2592         memory just beyond the end of the table looks like a deleted entry.
2593
2594         * runtime/PropertyMapHashTable.h:
2595         (JSC::PropertyTable::begin):
2596         (JSC::PropertyTable::end):
2597         (JSC::PropertyTable::begin const):
2598         (JSC::PropertyTable::end const):
2599         (JSC::PropertyTable::skipDeletedEntries):
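
        The following is an added example, not WebKit code: a small C++ model of the iteration hazard
        described in this entry. The deleted-key sentinel value 1 and the names begin(), end() and
        skipDeletedEntries() come from the text above; the Entry struct, the table contents, the extra
        slots placed after the table, and the signature skipDeletedEntries(Entry*, Entry*) are assumptions
        made for the illustration and are not the layout or API of JSC::PropertyTable. The unbounded
        variant models the pre-fix behaviour; the bounded variant models the fix.

```cpp
// Added example: model of PropertyTable iteration skipping deleted entries.
// Not JavaScriptCore code; Entry, Table and the signatures below are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// JSC marks a deleted slot by storing 1 in the key field (value taken from the ChangeLog).
static constexpr uintptr_t PROPERTY_MAP_DELETED_ENTRY_KEY = 1;

struct Entry {
    uintptr_t key;   // 0 = empty, 1 = deleted, anything else = live key (modelled)
    unsigned offset; // stand-in for the rest of a PropertyMapEntry
};

// Pre-fix shape (modelled): advances while the slot is deleted, with no knowledge of
// where the table ends. If the slot one past the end also holds 1, the pointer escapes.
static Entry* skipDeletedEntriesUnbounded(Entry* valuePtr)
{
    while (valuePtr->key == PROPERTY_MAP_DELETED_ENTRY_KEY)
        ++valuePtr;
    return valuePtr;
}

// Post-fix shape (modelled): also receives the end pointer and never steps past it.
static Entry* skipDeletedEntries(Entry* valuePtr, Entry* endValuePtr)
{
    while (valuePtr < endValuePtr && valuePtr->key == PROPERTY_MAP_DELETED_ENTRY_KEY)
        ++valuePtr;
    return valuePtr;
}

struct Table {
    std::vector<Entry> storage; // real entries followed by two "outside the table" slots
    size_t size;                // number of real entries
    Entry* begin() { return storage.data(); }
    Entry* end() { return storage.data() + size; }
};

// Constructed table: the last real entry is deleted, and the memory just beyond end()
// happens to hold the deleted-entry sentinel, which is exactly the condition in the entry.
static Table makeTableWithDeletedTail()
{
    Table t;
    t.storage = {
        { 0x1000, 0 },                          // live entry
        { PROPERTY_MAP_DELETED_ENTRY_KEY, 0 }, // deleted entry, last real slot
        { PROPERTY_MAP_DELETED_ENTRY_KEY, 0 }, // memory just beyond end(): looks deleted
        { 0, 0 },                               // keeps this model's own reads in bounds
    };
    t.size = 2;
    return t;
}

struct IterationResult {
    int liveEntriesSeen;
    bool terminatedAtEnd; // the iterator compared equal to end(), as the C++ protocol expects
    bool escapedTable;    // the iterator moved strictly past end(): the loop would never terminate
};

// Drives the C++ iteration protocol (it != end) over the table with one of the two skip
// variants. The "it > end" check is part of the model only, so that the demonstration
// stops where the real code would start reading memory outside the table.
static IterationResult iterate(Table& t, bool bounded)
{
    Entry* end = t.end();
    IterationResult r{0, false, false};
    Entry* it = bounded ? skipDeletedEntries(t.begin(), end) : skipDeletedEntriesUnbounded(t.begin());
    while (it != end) {
        if (it > end) {
            r.escapedTable = true;
            return r;
        }
        ++r.liveEntriesSeen;
        ++it; // operator++ in the real iterator, followed by the skip
        it = bounded ? skipDeletedEntries(it, end) : skipDeletedEntriesUnbounded(it);
    }
    r.terminatedAtEnd = true;
    return r;
}

static IterationResult runModel(bool bounded)
{
    Table t = makeTableWithDeletedTail();
    return iterate(t, bounded);
}

int main()
{
    IterationResult before = runModel(false);
    IterationResult after = runModel(true);
    std::printf("unbounded skip: escaped table = %d\n", before.escapedTable);
    std::printf("bounded skip:   terminated at end = %d, live entries = %d\n",
                after.terminatedAtEnd, after.liveEntriesSeen);
    return 0;
}
```

        The point the model makes is the one the entry states: an iterator that is compared only with
        `!=` must be prevented from ever being greater than end(), because once it is, equality is
        never reached and the loop keeps reading whatever lies beyond the allocation.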
2600
2601 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2602
2603         [JSC] Optimize layout of SymbolTable to reduce padding
2604         https://bugs.webkit.org/show_bug.cgi?id=187437
2605
2606         Reviewed by Mark Lam.
2607
2608         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
2609
2610         * runtime/SymbolTable.h:
2611
2612 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2613
2614         [JSC] Optimize layout of RegExp to reduce padding
2615         https://bugs.webkit.org/show_bug.cgi?id=187438
2616
2617         Reviewed by Mark Lam.
2618
2619         Reduce the size of RegExp from 168 to 144.
2620
2621         * runtime/RegExp.cpp:
2622         (JSC::RegExp::RegExp):
2623         * runtime/RegExp.h:
2624         * runtime/RegExpKey.h:
2625         * yarr/YarrErrorCode.h:
2626
2627 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2628
2629         [JSC] Optimize layout of ValueProfile to reduce padding
2630         https://bugs.webkit.org/show_bug.cgi?id=187439
2631
2632         Reviewed by Mark Lam.
2633
2634         Reduce the size of ValueProfile from 40 to 32 by reordering members.
2635
2636         * bytecode/ValueProfile.h:
2637         (JSC::ValueProfileBase::ValueProfileBase):
2638
2639 2018-07-05  Saam Barati  <sbarati@apple.com>
2640
2641         ProgramExecutable may be collected as we checkSyntax on it
2642         https://bugs.webkit.org/show_bug.cgi?id=187359
2643         <rdar://problem/41832135>
2644
2645         Reviewed by Mark Lam.
2646
2647         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable,
2648         as the ProgramExecutable itself may be collected. The fix here is to make a copy
2649         of the field instead of passing in a reference inside of ParserError::toErrorObject.
2650         
2651         No new tests here as this was already caught by our iOS JSC testers.
2652
2653         * parser/ParserError.h:
2654         (JSC::ParserError::toErrorObject):
2655
2656 2018-07-04  Tim Horton  <timothy_horton@apple.com>
2657
2658         Introduce PLATFORM(IOSMAC)
2659         https://bugs.webkit.org/show_bug.cgi?id=187315
2660
2661         Reviewed by Dan Bernstein.
2662
2663         * Configurations/Base.xcconfig:
2664         * Configurations/FeatureDefines.xcconfig:
2665
2666 2018-07-03  Mark Lam  <mark.lam@apple.com>
2667
2668         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
2669         https://bugs.webkit.org/show_bug.cgi?id=187255
2670         <rdar://problem/41785257>
2671
2672         Reviewed by Saam Barati.
2673
2674         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
2675         too: basically, do what the 64-bit code is doing.  At present, this change only
2676         serves to pacify an assertion.  It is not needed for correctness because the
2677         concurrent GC is not used on 32-bit builds.
2678
2679         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
2680         test.
2681
2682         * jit/JITOpcodes32_64.cpp:
2683         (JSC::JIT::emit_op_create_this):
2684
2685 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2686
2687         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
2688         https://bugs.webkit.org/show_bug.cgi?id=187290
2689
2690         Reviewed by Saam Barati.
2691
2692         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
2693         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
2694         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
2695         easily calculated from JSType.
2696         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
2697
2698         * runtime/ClassInfo.h:
2699         * runtime/JSArrayBufferView.cpp:
2700         (JSC::elementSize):
2701         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2702         * runtime/JSArrayBufferView.h:
2703         * runtime/JSArrayBufferViewInlines.h:
2704         (JSC::JSArrayBufferView::possiblySharedBuffer):
2705         * runtime/JSCell.cpp:
2706         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
2707         * runtime/JSCell.h:
2708         * runtime/JSDataView.cpp:
2709         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
2710         * runtime/JSDataView.h:
2711         * runtime/JSGenericTypedArrayView.h:
2712         * runtime/JSGenericTypedArrayViewInlines.h:
2713         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
2714
2715 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2716
2717         Regular expressions with ".?" expressions at the start and the end match the entire string
2718         https://bugs.webkit.org/show_bug.cgi?id=119191
2719
2720         Reviewed by Michael Saboff.
2721
2722         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
2723         for "abc" first and then processing the leading and trailing dot stars
2724         to find the beginning and the end of the match. However, it erroneously
2725         enabled this optimization for regular expressions whose leading or
2726         trailing dots had quantifiers that were not of arbitrary length, e.g.,
2727         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
2728         match the entire string when it shouldn't. This patch disables the
2729         optimization for those cases.
2730
2731         * yarr/YarrPattern.cpp:
2732         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2733
2734 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2735
2736         RegExp.exec returns wrong value with a long integer quantifier
2737         https://bugs.webkit.org/show_bug.cgi?id=187042
2738
2739         Reviewed by Saam Barati.
2740
2741         Prior to this patch, the Yarr parser checked for integer overflow when
2742         parsing quantifiers in regular expressions by adding one digit at a time
2743         to a number and checking if the result got larger. This is wrong: the
2744         parser would fail to detect overflow when parsing, for example,
2745         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
2746
2747         Another issue was that once it detected overflow, it stopped consuming
2748         the remaining digits. Since it didn't find the closing bracket, it
2749         parsed the quantifier as a normal string instead.
2750
2751         This patch fixes these issues by reading all the digits and checking for
2752         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
2753         returns the largest possible value (quantifyInfinite in this case). This
2754         matches Chrome [1], Firefox [2], and Edge [3].
2755
2756         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
2757         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
2758         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
2759
2760         * yarr/YarrParser.h:
2761         (JSC::Yarr::Parser::consumeNumber):
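
Added example, not JavaScriptCore's Yarr code: the two quantifier-number parsing strategies described above, run on the digit string from the entry. `kQuantifyInfinite`, `CheckedUnsigned`, the `yarrnum` namespace and the function names are illustrative stand-ins for quantifyInfinite, Checked<unsigned, RecordOverflow> and Parser::consumeNumber, and `uint32_t` is used to pin the 32-bit wraparound the entry describes.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <string_view>

namespace yarrnum {

// Stand-in for Yarr's quantifyInfinite (assumed here to be the largest 32-bit value).
constexpr uint32_t kQuantifyInfinite = std::numeric_limits<uint32_t>::max();

struct ParseResult {
    uint32_t value;  // parsed value, or kQuantifyInfinite on recorded overflow
    size_t consumed; // number of digit characters consumed
    bool overflowed; // whether the parser noticed an overflow
};

static bool isDigit(char c)
{
    return std::isdigit(static_cast<unsigned char>(c)) != 0;
}

// Pre-fix behaviour: append one digit at a time and treat "the value got
// smaller" as the overflow signal, then stop consuming digits. Unsigned
// arithmetic wraps modulo 2^32, so 1000000000 * 10 + 3 becomes 1410065411,
// which is larger than 1000000000 and therefore passes the check unnoticed.
ParseResult consumeNumberByGrowthCheck(std::string_view text)
{
    uint32_t n = 0;
    size_t i = 0;
    for (; i < text.size() && isDigit(text[i]); ++i) {
        uint32_t next = n * 10 + static_cast<uint32_t>(text[i] - '0');
        if (next < n)
            return { n, i, true }; // bails out, leaving the remaining digits unconsumed
        n = next;
    }
    return { n, i, false };
}

// Minimal model of Checked<unsigned, RecordOverflow>: once an operation would
// overflow, the flag is set and stays set, and the value is no longer trusted.
struct CheckedUnsigned {
    uint32_t value = 0;
    bool overflowed = false;

    void mulAdd(uint32_t mul, uint32_t add)
    {
        if (overflowed)
            return;
        constexpr uint32_t limit = std::numeric_limits<uint32_t>::max();
        if (value > limit / mul || value * mul > limit - add) {
            overflowed = true;
            return;
        }
        value = value * mul + add;
    }
};

// Post-fix behaviour: consume every digit regardless, then saturate to
// kQuantifyInfinite if an overflow was recorded along the way.
ParseResult consumeNumberChecked(std::string_view text)
{
    CheckedUnsigned n;
    size_t i = 0;
    for (; i < text.size() && isDigit(text[i]); ++i)
        n.mulAdd(10, static_cast<uint32_t>(text[i] - '0'));
    if (n.overflowed)
        return { kQuantifyInfinite, i, true };
    return { n.value, i, false };
}

using ConsumeFn = ParseResult (*)(std::string_view);

// Simplified `{n}` quantifier check: the character right after the consumed
// digits must be the closing brace. A parser that stops consuming digits early
// lands on a leftover digit instead, so the quantifier is not recognised as one.
bool bracedQuantifierCloses(std::string_view text, ConsumeFn consume)
{
    if (text.empty() || text[0] != '{')
        return false;
    ParseResult number = consume(text.substr(1));
    size_t closeIndex = 1 + number.consumed;
    return number.consumed > 0 && closeIndex < text.size() && text[closeIndex] == '}';
}

} // namespace yarrnum
```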
2762
2763 2018-07-02  Keith Miller  <keith_miller@apple.com>
2764
2765         InstanceOf IC should do generic if the prototype is not an object.
2766         https://bugs.webkit.org/show_bug.cgi?id=187250
2767
2768         Reviewed by Mark Lam.
2769
2770         The old code was wrong for two reasons. First, the AccessCase expected that
2771         the prototype value would be non-null. Second, we would end up returning
2772         false instead of throwing an exception.
2773
2774         * jit/Repatch.cpp:
2775         (JSC::tryCacheInstanceOf):
2776
2777 2018-07-01  Mark Lam  <mark.lam@apple.com>
2778
2779         Builtins and host functions should get their own structures.
2780         https://bugs.webkit.org/show_bug.cgi?id=187211
2781         <rdar://problem/41646336>
2782
2783         Reviewed by Saam Barati.
2784
2785         JSFunctions do lazy reification of properties, but ordinary functions apply
2786         different rules of property reification than builtin and host functions.  Hence,
2787         we should give builtins and host functions their own structures.
2788
2789         * runtime/JSFunction.cpp:
2790         (JSC::JSFunction::selectStructureForNewFuncExp):
2791         (JSC::JSFunction::create):
2792         (JSC::JSFunction::getOwnPropertySlot):
2793         * runtime/JSGlobalObject.cpp:
2794         (JSC::JSGlobalObject::init):
2795         (JSC::JSGlobalObject::visitChildren):
2796         * runtime/JSGlobalObject.h:
2797         (JSC::JSGlobalObject::hostFunctionStructure const):
2798         (JSC::JSGlobalObject::arrowFunctionStructure const):
2799         (JSC::JSGlobalObject::sloppyFunctionStructure const):
2800         (JSC::JSGlobalObject::strictFunctionStructure const):
2801
2802 2018-07-01  David Kilzer  <ddkilzer@apple.com>
2803
2804         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
2805         <https://webkit.org/b/187233>
2806
2807         Reviewed by Mark Lam.
2808
2809         * b3/air/AirEliminateDeadCode.cpp:
2810         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
2811         * parser/ParserTokens.h:
2812         (JSC::JSTextPosition::JSTextPosition): Add struct member
2813         initialization. Simplify default constructor.
2814         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
2815         union to the beginning to make it easy to zero out all fields.
2816         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
2817         initialization.  Simplify default constructor.  Note that
2818         `endOffset` was not being initialized previously.
2819         (JSC::JSTextPosition::JSToken): Add struct member initialization
2820         where necessary.
2821         * runtime/IntlObject.cpp:
2822         (JSC::MatcherResult): Add struct member initialization.
2823
2824 2018-06-23  Darin Adler  <darin@apple.com>
2825
2826         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
2827         https://bugs.webkit.org/show_bug.cgi?id=186973
2828
2829         Reviewed by Dan Bernstein.
2830
2831         * API/JSContext.mm:
2832         (WeakContextRef::WeakContextRef): Deleted.
2833         (WeakContextRef::~WeakContextRef): Deleted.
2834         (WeakContextRef::get): Deleted.
2835         (WeakContextRef::set): Deleted.
2836
2837         * API/JSContextInternal.h: Removed unneeded header guards since this is
2838         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
2839         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
2840         since neither is used outside the class implementation.
2841
2842         * API/JSManagedValue.mm:
2843         (-[JSManagedValue initWithValue:]): Use a bridging cast.
2844         (-[JSManagedValue dealloc]): Ditto.
2845         (-[JSManagedValue didAddOwner:]): Ditto.
2846         (-[JSManagedValue didRemoveOwner:]): Ditto.
2847         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
2848         (JSManagedValueHandleOwner::finalize): Ditto.
2849         * API/JSValue.mm:
2850         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
2851         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
2852         (-[JSValue valueForProperty:]): Ditto.
2853         (-[JSValue setValue:forProperty:]): Ditto.
2854         (-[JSValue deleteProperty:]): Ditto.
2855         (-[JSValue hasProperty:]): Ditto.
2856         (-[JSValue invokeMethod:withArguments:]): Ditto.
2857         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
2858         (valueToArray): Ditto.
2859         (valueToDictionary): Ditto.
2860         (objectToValueWithoutCopy): Ditto.
2861         (objectToValue): Ditto.
2862         * API/JSVirtualMachine.mm:
2863         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
2864         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
2865         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
2866         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
2867         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
2868         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
2869         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
2870         (scanExternalObjectGraph): Ditto.
2871         (scanExternalRememberedSet): Ditto.
2872         * API/JSWrapperMap.mm:
2873         (makeWrapper): Ditto.
2874         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
2875         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
2876         (tryUnwrapObjcObject): Ditto.
2877         * API/ObjCCallbackFunction.mm:
2878         (blockSignatureContainsClass): Ditto.
2879         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
2880         sure we will be keeping this the same way under ARC.
2881         (objCCallbackFunctionForBlock): Use a bridging cast.
2882
2883         * API/ObjcRuntimeExtras.h:
2884         (protocolImplementsProtocol): Use a more specific type that includes the
2885         explicit __unsafe_unretained for copied protocol lists.
2886         (forEachProtocolImplementingProtocol): Ditto.
2887
2888         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2889         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
2890         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
2891
2892         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
2893         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
2894         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
2895         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
2896         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
2897
2898 2018-06-30  Adam Barth  <abarth@webkit.org>
2899
2900         Port JavaScriptCore to OS(FUCHSIA)
2901         https://bugs.webkit.org/show_bug.cgi?id=187223
2902
2903         Reviewed by Daniel Bates.
2904
2905         * assembler/ARM64Assembler.h:
2906         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
2907         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
2908         (JSC::MachineContext::stackPointerImpl):
2909         (JSC::MachineContext::framePointerImpl):
2910         (JSC::MachineContext::instructionPointerImpl):
2911         (JSC::MachineContext::argumentPointer<1>):
2912         (JSC::MachineContext::llintInstructionPointer):
2913
2914 2018-06-30  David Kilzer  <ddkilzer@apple.com>
2915
2916         Fix clang static analyzer warnings: Garbage return value
2917         <https://webkit.org/b/187224>
2918
2919         Reviewed by Eric Carlson.
2920
2921         * bytecode/UnlinkedCodeBlock.cpp:
2922         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2923         - Use brace initialization for local variables.
2924         * debugger/DebuggerCallFrame.cpp:
2925         (class JSC::LineAndColumnFunctor):
2926         - Use class member initialization for member variables.
2927
2928 2018-06-29  Saam Barati  <sbarati@apple.com>
2929
2930         Unreviewed. Try to fix Windows build after r233377
2931
2932         * builtins/BuiltinExecutables.cpp:
2933         (JSC::BuiltinExecutables::createExecutable):
2934
2935 2018-06-29  Saam Barati  <sbarati@apple.com>
2936
2937         Don't use tracePoints in JS/Wasm entry
2938         https://bugs.webkit.org/show_bug.cgi?id=187196
2939
2940         Reviewed by Mark Lam.
2941
2942         This puts VM entry and Wasm entry tracePoints behind a runtime
2943         option. This is a ~4x speedup on a soon to be released Wasm
2944         benchmark. tracePoints should basically never run more than 50
2945         times a second. Entering the VM and entering Wasm are user controlled,
2946         and can happen hundreds of thousands of times in a second. Depending
2947         on how the Wasm/JS code is structured, this can be disastrous for
2948         performance.
2949
2950         * runtime/Options.h:
2951         * runtime/VMEntryScope.cpp:
2952         (JSC::VMEntryScope::VMEntryScope):
2953         (JSC::VMEntryScope::~VMEntryScope):
2954         * wasm/WasmBBQPlan.cpp:
2955         (JSC::Wasm::BBQPlan::compileFunctions):
2956         * wasm/js/WebAssemblyFunction.cpp:
2957         (JSC::callWebAssemblyFunction):
2958
2959 2018-06-29  Saam Barati  <sbarati@apple.com>
2960
2961         We shouldn't recurse into the parser when gathering metadata about various function offsets
2962         https://bugs.webkit.org/show_bug.cgi?id=184074
2963         <rdar://problem/37165897>
2964
2965         Reviewed by Mark Lam.
2966
2967         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
2968         for that builtin. This required calling into the parser. However, the parser
2969         may throw a stack overflow. We were not able to recover from that. The only
2970         reason we called into the parser here is that we were gathering text offsets
2971         and various metadata for things in the builtin function. This patch writes a
2972         mini parser that figures this information out without calling into the full
2973         parser. (I've also added a debug assert that verifies the mini parser stays in
2974         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
2975         always succeeds.
2976
2977         * builtins/AsyncFromSyncIteratorPrototype.js:
2978         (globalPrivate.createAsyncFromSyncIterator):
2979         (globalPrivate.AsyncFromSyncIteratorConstructor):
2980         * builtins/BuiltinExecutables.cpp:
2981         (JSC::BuiltinExecutables::createExecutable):
2982         * builtins/GlobalOperations.js:
2983         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
2984         (globalPrivate.speciesConstructor):
2985         (globalPrivate.copyDataProperties):
2986         (globalPrivate.copyDataPropertiesNoExclusions):
2987         * builtins/PromiseOperations.js:
2988         (globalPrivate.newHandledRejectedPromise):
2989         * builtins/RegExpPrototype.js:
2990         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
2991         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
2992         * builtins/StringPrototype.js:
2993         (globalPrivate.hasObservableSideEffectsForStringReplace):
2994         (globalPrivate.getDefaultCollator):
2995         * parser/Nodes.cpp:
2996         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2997         (JSC::FunctionMetadataNode::operator== const):
2998         (JSC::FunctionMetadataNode::dump const):
2999         * parser/Nodes.h:
3000         * parser/Parser.h:
3001         (JSC::parse):
3002         * parser/ParserError.h:
3003         (JSC::ParserError::type const):
3004         * parser/ParserTokens.h:
3005         (JSC::JSTextPosition::operator== const):
3006         (JSC::JSTextPosition::operator!= const):
3007         * parser/SourceCode.h:
3008         (JSC::SourceCode::operator== const):
3009         (JSC::SourceCode::operator!= const):
3010         (JSC::SourceCode::subExpression const):
3011         (JSC::SourceCode::subExpression): Deleted.
3012
3013 2018-06-28  Michael Saboff  <msaboff@apple.com>
3014   
3015         IsoCellSet::sweepToFreeList() not safe when Full GC in process
3016         https://bugs.webkit.org/show_bug.cgi?id=187157
3017
3018         Reviewed by Mark Lam.
3019
3020         * heap/IsoCellSet.cpp:
3021         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
3022         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
3023         or not we are in the process of marking during a full GC.
3024         * heap/MarkedBlock.h:
3025         * heap/MarkedBlockInlines.h:
3026         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
3027
3028 2018-06-27  Saam Barati  <sbarati@apple.com>
3029
3030         Add some more register state information when we crash in repatchPutById
3031         https://bugs.webkit.org/show_bug.cgi?id=187112
3032
3033         Reviewed by Mark Lam.
3034
3035         This will help us gather info when we end up seeing an ObjectPropertyConditionSet
3036         with an offset that is different than what the put tells us.
3037
3038         * jit/Repatch.cpp:
3039         (JSC::tryCachePutByID):
3040
3041 2018-06-27  Mark Lam  <mark.lam@apple.com>
3042
3043         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
3044         https://bugs.webkit.org/show_bug.cgi?id=187119
3045
3046         Reviewed by Keith Miller.
3047
3048         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
3049         should be checking for codeBlock instead of !codeBlock
3050         before using the codeBlock.
3051
3052         I also renamed some other "print" functions to use "dump" instead
3053         to match their underlying C++ code that they will call, e.g.
3054         CodeBlock::dumpSource().
3055
3056         * tools/JSDollarVM.cpp:
3057         (WTF::JSDollarVMCallFrame::finishCreation):
3058         (JSC::functionDumpSourceFor):
3059         (JSC::functionDumpBytecodeFor):
3060         (JSC::doPrint):
3061         (JSC::functionDataLog):
3062         (JSC::functionPrint):
3063         (JSC::functionDumpCallFrame):
3064         (JSC::functionDumpStack):
3065         (JSC::JSDollarVM::finishCreation):
3066         (JSC::functionPrintSourceFor): Deleted.
3067         (JSC::functionPrintBytecodeFor): Deleted.
3068         (JSC::doPrintln): Deleted.
3069         (JSC::functionPrintln): Deleted.
3070         (JSC::functionPrintCallFrame): Deleted.
3071         (JSC::functionPrintStack): Deleted.
3072         * tools/VMInspector.cpp:
3073         (JSC::DumpFrameFunctor::DumpFrameFunctor):
3074         (JSC::DumpFrameFunctor::operator() const):
3075         (JSC::VMInspector::dumpCallFrame):
3076         (JSC::VMInspector::dumpStack):
3077         (JSC::VMInspector::dumpValue):
3078         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
3079         (JSC::PrintFrameFunctor::operator() const): Deleted.
3080         (JSC::VMInspector::printCallFrame): Deleted.
3081         (JSC::VMInspector::printStack): Deleted.
3082         (JSC::VMInspector::printValue): Deleted.
3083         * tools/VMInspector.h:
3084
3085 2018-06-27  Keith Miller  <keith_miller@apple.com>
3086
3087         Add logging to try to diagnose where we get a null structure.
3088         https://bugs.webkit.org/show_bug.cgi?id=187106
3089
3090         Reviewed by Mark Lam.
3091
3092         Add logging to JSObject::toPrimitive to help diagnose a nullptr
3093         structure crash.
3094
3095         This code should be removed when we fix <rdar://problem/33451840>
3096
3097         * runtime/JSObject.cpp:
3098         (JSC::callToPrimitiveFunction):
3099         * runtime/JSObject.h:
3100         (JSC::JSObject::getPropertySlot):
3101
3102 2018-06-27  Mark Lam  <mark.lam@apple.com>
3103
3104         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
3105         https://bugs.webkit.org/show_bug.cgi?id=187091
3106         <rdar://problem/41395624>
3107
3108         Reviewed by Yusuke Suzuki.
3109
3110         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
3111         take their slow paths, the slow path would jump back to the fast path right after
3112         the emitted code which clears the unused property values.  As a result, the
3113         unused properties are not initialized.  We've fixed this by adding the slow path
3114         generators before we emit the code to clear the unused properties.
3115
3116         * dfg/DFGSpeculativeJIT.cpp:
3117         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3118         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3119
3120 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3121
3122         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
3123         https://bugs.webkit.org/show_bug.cgi?id=185943
3124
3125         Reviewed by Mark Lam.
3126
3127         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
3128         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
3129         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
3130         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
3131
3132         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
3133         but it should be done in a separate patch since it would be performance sensitive.
3134
3135         * bytecompiler/NodesCodegen.cpp:
3136         (JSC::ArrayPatternNode::emitDirectBinding):
3137
3138 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3139
3140         [JSC] Pass VM& to functions more
3141         https://bugs.webkit.org/show_bug.cgi?id=186241
3142
3143         Reviewed by Mark Lam.
3144
3145         This patch threads VM& to functions requiring VM& more.
3146
3147         * API/JSObjectRef.cpp:
3148         (JSObjectIsConstructor):
3149         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3150         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
3151         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
3152         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
3153         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
3154         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
3155         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
3156         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
3157         * bytecode/CodeBlockJettisoningWatchpoint.h:
3158         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3159         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
3160         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3161         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3162         * bytecode/StructureStubClearingWatchpoint.cpp:
3163         (JSC::StructureStubClearingWatchpoint::fireInternal):
3164         * bytecode/StructureStubClearingWatchpoint.h:
3165         * bytecode/Watchpoint.cpp:
3166         (JSC::Watchpoint::fire):
3167         (JSC::WatchpointSet::fireAllWatchpoints):
3168         * bytecode/Watchpoint.h:
3169         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3170         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
3171         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
3172         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3173         (JSC::DFG::AdaptiveStructureWatchpoint::install):
3174         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3175         * dfg/DFGAdaptiveStructureWatchpoint.h:
3176         * dfg/DFGDesiredWatchpoints.cpp:
3177         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
3178         * llint/LLIntSlowPaths.cpp:
3179         (JSC::LLInt::setupGetByIdPrototypeCache):
3180         * runtime/ArrayPrototype.cpp:
3181         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
3182         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3183         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3184         (JSC::esSpecIsConstructor):
3185         * runtime/FunctionRareData.cpp:
3186         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
3187         * runtime/FunctionRareData.h:
3188         * runtime/InferredStructureWatchpoint.cpp:
3189         (JSC::InferredStructureWatchpoint::fireInternal):
3190         * runtime/InferredStructureWatchpoint.h:
3191         * runtime/InternalFunction.cpp:
3192         (JSC::InternalFunction::createSubclassStructureSlow):
3193         * runtime/InternalFunction.h:
3194         (JSC::InternalFunction::createSubclassStructure):
3195         * runtime/JSCJSValue.h:
3196         * runtime/JSCJSValueInlines.h:
3197         (JSC::JSValue::isConstructor const):
3198         * runtime/JSCell.h:
3199         * runtime/JSCellInlines.h:
3200         (JSC::JSCell::isConstructor):
3201         (JSC::JSCell::methodTable const):
3202         * runtime/JSGlobalObject.cpp:
3203         (JSC::JSGlobalObject::init):
3204         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
3205         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
3206         * runtime/ProxyObject.cpp:
3207         (JSC::ProxyObject::finishCreation):
3208         * runtime/ReflectObject.cpp:
3209         (JSC::reflectObjectConstruct):
3210         * runtime/StructureRareData.cpp:
3211         (JSC::StructureRareData::setObjectToStringValue):
3212         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
3213         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3214         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3215
3216 2018-06-26  Mark Lam  <mark.lam@apple.com>
3217
3218         eval() is wrong about the LiteralParser never throwing any exceptions.
3219         https://bugs.webkit.org/show_bug.cgi?id=187074
3220         <rdar://problem/41461099>
3221
3222         Reviewed by Saam Barati.
3223
3224         Added the missing exception check, and removed an erroneous assertion.
3225
3226         * interpreter/Interpreter.cpp:
3227         (JSC::eval):
3228
3229 2018-06-26  Saam Barati  <sbarati@apple.com>
3230
3231         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3232         https://bugs.webkit.org/show_bug.cgi?id=186878
3233         <rdar://problem/40568659>
3234
3235         Reviewed by Filip Pizlo.
3236
3237         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3238         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3239         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
3240         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
3241         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
3242         conservative scan knows to treat it like a butterfly when we may be
3243         pointing into the middle of it.
3244         
3245         The way we were crashing on the stress GC bots is that our conservative marking
3246         won't do cell visiting for things that are Auxiliary. This meant that if the
3247         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
3248         that JSImmutableButterfly would not be visited. This is now fixed.
3249
3250         * bytecompiler/NodesCodegen.cpp:
3251         (JSC::ArrayNode::emitBytecode):
3252         * debugger/Debugger.cpp:
3253         * heap/ConservativeRoots.cpp:
3254         (JSC::ConservativeRoots::genericAddPointer):
3255         * heap/Heap.cpp:
3256         (JSC::GatherHeapSnapshotData::operator() const):
3257         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
3258         (JSC::Heap::globalObjectCount):
3259         (JSC::Heap::objectTypeCounts):
3260         (JSC::Heap::deleteAllCodeBlocks):
3261         * heap/HeapCell.cpp:
3262         (WTF::printInternal):
3263         * heap/HeapCell.h:
3264         (JSC::isJSCellKind):
3265         (JSC::hasInteriorPointers):
3266         * heap/HeapUtil.h:
3267         (JSC::HeapUtil::findGCObjectPointersForMarking):
3268         (JSC::HeapUtil::isPointerGCObjectJSCell):
3269         * heap/MarkedBlock.cpp:
3270         (JSC::MarkedBlock::Handle::didAddToDirectory):
3271         * heap/SlotVisitor.cpp:
3272         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3273         * runtime/JSGlobalObject.cpp:
3274         * runtime/JSImmutableButterfly.h:
3275         (JSC::JSImmutableButterfly::subspaceFor):
3276         * runtime/VM.cpp:
3277         (JSC::VM::VM):
3278         * runtime/VM.h:
3279         * tools/CellProfile.h:
3280         (JSC::CellProfile::CellProfile):
3281         (JSC::CellProfile::isJSCell const):
3282         * tools/HeapVerifier.cpp:
3283         (JSC::HeapVerifier::validateCell):
3284
3285 2018-06-26  Mark Lam  <mark.lam@apple.com>
3286
3287         Skip some unnecessary work in Interpreter::getStackTrace().
3288         https://bugs.webkit.org/show_bug.cgi?id=187070
3289
3290         Reviewed by Michael Saboff.
3291
3292         * interpreter/Interpreter.cpp:
3293         (JSC::Interpreter::getStackTrace):
3294
3295 2018-06-26  Mark Lam  <mark.lam@apple.com>
3296
3297         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
3298         https://bugs.webkit.org/show_bug.cgi?id=187060
3299         <rdar://problem/41452767>
3300
3301         Reviewed by Keith Miller.
3302
3303         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
3304         write conversion.  Hence, we can return early after the conversion if the vector
3305         length is already sufficient to cover the requested length.
3306
3307         * runtime/JSObject.cpp:
3308         (JSC::JSObject::ensureLengthSlow):
3309
3310 2018-06-26  Commit Queue  <commit-queue@webkit.org>
3311
3312         Unreviewed, rolling out r233184.
3313         https://bugs.webkit.org/show_bug.cgi?id=187059
3314
3315         "It regressed JetStream between 5-8%" (Requested by saamyjoon
3316         on #webkit).
3317
3318         Reverted changeset:
3319
3320         "JSImmutableButterfly can't be allocated from a subspace with
3321         HeapCell::Kind::Auxiliary"
3322         https://bugs.webkit.org/show_bug.cgi?id=186878
3323         https://trac.webkit.org/changeset/233184
3324
3325 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3326
3327         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
3328         https://bugs.webkit.org/show_bug.cgi?id=187051
3329
3330         Reviewed by Mark Lam.
3331
3332         Revert the r233065 changes to UnlinkedCodeBlock.h to allow
3333         clang-3.8 to compile this again (with libstdc++5).
3334
3335         * bytecode/UnlinkedCodeBlock.h:
3336         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3337
3338 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
3339
3340         Fix testapi build when DFG_JIT is disabled
3341         https://bugs.webkit.org/show_bug.cgi?id=187038
3342
3343         Reviewed by Mark Lam.
3344
3345         r233158 added a new API and tests for configuring the number of JIT threads, but
3346         the API is only available when DFG_JIT is enabled, so the tests should be too.
3347
3348         * API/tests/testapi.mm:
3349         (runJITThreadLimitTests):
3350
3351 2018-06-25  Saam Barati  <sbarati@apple.com>
3352
3353         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3354         https://bugs.webkit.org/show_bug.cgi?id=186878
3355         <rdar://problem/40568659>
3356
3357         Reviewed by Mark Lam.
3358
3359         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3360         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3361         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
3362         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
3363         bots is that our conservative marking won't do cell marking for things that
3364         are Auxiliary. This means that if the stack is the only thing pointing to a
3365         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
3366         not be visited. This patch fixes this bug. This patch also extends our conservative
3367         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
3368
3369         * bytecompiler/NodesCodegen.cpp:
3370         (JSC::ArrayNode::emitBytecode):
3371         * heap/HeapUtil.h:
3372         (JSC::HeapUtil::findGCObjectPointersForMarking):
3373         * runtime/JSImmutableButterfly.h:
3374         (JSC::JSImmutableButterfly::subspaceFor):
3375
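The conservative-scan rule described by the two JSImmutableButterfly entries above (the 2018-06-25 original and the re-landed version at the top of this section), modelled as an added C example that is not WebKit code: the cell addresses, sizes and the stack contents are constructed, and is_js_cell_kind, has_interior_pointers and find_cell_for_pointer are simplified stand-ins for isJSCellKind, hasInteriorPointers and HeapUtil::findGCObjectPointersForMarking.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the cell kinds named in the entries above. Names
 * mirror HeapCell::Kind; the layout and rules are a simplification of JSC's. */
typedef enum {
    KIND_JS_CELL,                        /* only an exact pointer to the cell start counts */
    KIND_JS_CELL_WITH_INTERIOR_POINTERS, /* a JSCell that code may point into the middle of */
    KIND_AUXILIARY                       /* raw storage such as a butterfly: never cell-visited */
} CellKind;

typedef struct {
    uintptr_t base;   /* constructed address of the cell's first byte */
    size_t size;      /* bytes occupied by the cell */
    CellKind kind;
    bool marked;      /* the scan keeps the allocation alive */
    bool visited;     /* the scan also traces the cell's own fields */
} Cell;

/* Stand-in for isJSCellKind(): kinds whose contents must be traced. */
static bool is_js_cell_kind(CellKind kind)
{
    return kind == KIND_JS_CELL || kind == KIND_JS_CELL_WITH_INTERIOR_POINTERS;
}

/* Stand-in for hasInteriorPointers(): a pointer into the middle of such a
 * cell still counts as a reference to it. */
static bool has_interior_pointers(CellKind kind)
{
    return kind == KIND_AUXILIARY || kind == KIND_JS_CELL_WITH_INTERIOR_POINTERS;
}

/* Resolve one conservatively scanned word to a cell, or NULL if it is not a pointer. */
static Cell *find_cell_for_pointer(Cell *cells, size_t count, uintptr_t word)
{
    for (size_t i = 0; i < count; i++) {
        Cell *c = &cells[i];
        if (word == c->base)
            return c;
        if (has_interior_pointers(c->kind) && word > c->base && word < c->base + c->size)
            return c;
    }
    return NULL;
}

/* Conservative root scan: every stack word is tried as a pointer. A resolved
 * cell is kept alive; only JSCell kinds are additionally visited. */
static void conservative_scan(Cell *cells, size_t count, const uintptr_t *stack, size_t words)
{
    for (size_t i = 0; i < words; i++) {
        Cell *c = find_cell_for_pointer(cells, count, stack[i]);
        if (!c)
            continue;
        c->marked = true;
        if (is_js_cell_kind(c->kind))
            c->visited = true;
    }
}

/* The failing scenario from the entries: the stack holds only an interior
 * pointer (16 bytes past the header) into a JSImmutableButterfly allocated
 * with `kind`. Returns 0 if the cell is not retained at all, 1 if retained
 * but never visited (the bug), 2 if retained and visited (the fix). */
int immutable_butterfly_fate(CellKind kind)
{
    Cell cells[2] = {
        { 0x1000, 64, KIND_JS_CELL, false, false },   /* unrelated object */
        { 0x2000, 128, kind, false, false },          /* the JSImmutableButterfly */
    };
    const uintptr_t stack[] = { 0x2010, 0x7fff0000 }; /* interior pointer, then junk */
    conservative_scan(cells, 2, stack, 2);
    return cells[1].marked + cells[1].visited;
}

int main(void)
{
    printf("Auxiliary: %d  JSCell: %d  JSCellWithInteriorPointers: %d\n",
           immutable_butterfly_fate(KIND_AUXILIARY), immutable_butterfly_fate(KIND_JS_CELL),
           immutable_butterfly_fate(KIND_JS_CELL_WITH_INTERIOR_POINTERS));
    return 0;
}
```

With the Auxiliary kind the cell is retained but its fields are never traced; with the plain JSCell kind the interior pointer does not even resolve, which is why the fix needed a kind that is both a JSCell and interior-pointer aware.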
3376 2018-06-25  Mark Lam  <mark.lam@apple.com>
3377
3378         constructArray() should set m_numValuesInVector to the specified length.
3379         https://bugs.webkit.org/show_bug.cgi?id=187010
3380         <rdar://problem/41392167>
3381
3382         Reviewed by Filip Pizlo.
3383
3384         Its client will fill in the storage vector with some values using initializeIndex()
3385         and expects m_numValuesInVector to be set to the length i.e. the number of values
3386         to be initialized.
3387
3388         * runtime/JSArray.cpp:
3389         (JSC::constructArray):
3390
3391 2018-06-25  Mark Lam  <mark.lam@apple.com>
3392
3393         Add missing exception check in RegExpObjectInlines.h's collectMatches.
3394         https://bugs.webkit.org/show_bug.cgi?id=187006
3395         <rdar://problem/41418412>
3396
3397         Reviewed by Keith Miller.
3398
3399         * runtime/RegExpObjectInlines.h:
3400         (JSC::collectMatches):
3401
3402 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
3403
3404         Add API for configuring the number of threads used by DFG and FTL
3405         https://bugs.webkit.org/show_bug.cgi?id=186859
3406         <rdar://problem/41093519>
3407
3408         Reviewed by Filip Pizlo.
3409
3410         Add new private APIs for limiting the number of threads to be used by
3411         the DFG and FTL compilers. It was already possible to configure the
3412         limit through JSC Options, but now it can be changed at runtime, even
3413         in the case when the VM is already running.
3414
3415         Add a test for both cases: configuring the limit before and after the
3416         Worklist has been created. In order to simulate the first scenario, we
3417         must guarantee that the test runs at the very beginning, so I also added
3418         a check for that.
3419
3420         * API/JSVirtualMachine.mm:
3421         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3422         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3423         * API/JSVirtualMachinePrivate.h:
3424         * API/tests/testapi.mm:
3425         (runJITThreadLimitTests):
3426         (testObjectiveCAPIMain):
3427         * dfg/DFGWorklist.cpp:
3428         (JSC::DFG::Worklist::finishCreation):
3429         (JSC::DFG::Worklist::createNewThread):
3430         (JSC::DFG::Worklist::setNumberOfThreads):
3431         * dfg/DFGWorklist.h:
3432
3433 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3434
3435         [JSC] Remove unnecessary PLATFORM guards
3436         https://bugs.webkit.org/show_bug.cgi?id=186995
3437
3438         Reviewed by Mark Lam.
3439
3440         * assembler/AssemblerCommon.h:
3441         (JSC::isIOS):
3442         Add constexpr.
3443
3444         * inspector/JSGlobalObjectInspectorController.cpp:
3445         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3446         StackFrame works on all platforms. If StackFrame::demangle fails, it
3447         just returns std::nullopt, and that is correctly handled in this code.
3448
3449 2018-06-23  Mark Lam  <mark.lam@apple.com>
3450
3451         Add more debugging features to $vm.
3452         https://bugs.webkit.org/show_bug.cgi?id=186947
3453
3454         Reviewed by Keith Miller.
3455
3456         Adding the following features:
3457
3458             // We now have println in addition to print.
3459             // println automatically adds a '\n' at the end.
3460             $vm.println("Hello");
3461
3462             // We can now capture some info about a stack frame.
3463             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
3464             var callerCallerFrame = $vm.callFrame(2);
3465
3466             // We can inspect the following values associated with the frame:
3467             if (currentFrame.valid) {
3468                 $vm.println("name is ", currentFrame.name);
3469
3470                 // Note: For a WASM frame, all of these will be undefined.
3471                 $vm.println("callee is ", $vm.value(currentFrame.callee));
3472                 $vm.println("codeBlock is ", currentFrame.codeBlock);
3473                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
3474                 $vm.println("executable is ", currentFrame.executable);
3475             }
3476
3477             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
3478             // to dataLog its JSValue instead of its toString() result.
3479
3480             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
3481             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
3482             // toString on a non-object.
3483
3484             // Does what it says about enabling/disabling debugger mode.
3485             $vm.enableDebuggerModeWhenIdle();
3486             $vm.disableDebuggerModeWhenIdle();
3487
3488         * tools/JSDollarVM.cpp:
3489         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
3490         (WTF::JSDollarVMCallFrame::createStructure):
3491         (WTF::JSDollarVMCallFrame::create):
3492         (WTF::JSDollarVMCallFrame::finishCreation):
3493         (WTF::JSDollarVMCallFrame::addProperty):
3494         (JSC::functionCallFrame):
3495         (JSC::functionCodeBlockForFrame):
3496         (JSC::codeBlockFromArg):
3497         (JSC::doPrintln):
3498         (JSC::functionPrint):
3499         (JSC::functionPrintln):
3500         (JSC::changeDebuggerModeWhenIdle):
3501         (JSC::functionEnableDebuggerModeWhenIdle):
3502         (JSC::functionDisableDebuggerModeWhenIdle):
3503         (JSC::JSDollarVM::finishCreation):
3504
3505 2018-06-22  Keith Miller  <keith_miller@apple.com>
3506
3507         We need to have a getDirectConcurrently for use in the compilers
3508         https://bugs.webkit.org/show_bug.cgi?id=186954
3509
3510         Reviewed by Mark Lam.
3511
3512         It used to be that the propertyStorage of an object never shrank,
3513         so if you called getDirect with some offset it would never be an
3514         OOB read. However, this property storage can shrink when calling
3515         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
3516         holds the Structure's ConcurrentJSLock while shrinking. This patch
3517         adds a getDirectConcurrently that will safely try to load from the
3518         butterfly.
3519
3520         * bytecode/ObjectPropertyConditionSet.cpp:
3521         * bytecode/PropertyCondition.cpp:
3522         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3523         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
3524         * dfg/DFGGraph.cpp:
3525         (JSC::DFG::Graph::tryGetConstantProperty):
3526         * runtime/JSObject.h:
3527         (JSC::JSObject::getDirectConcurrently const):
3528
3529 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3530
3531         [WTF] Use Ref<> for the result type of non-failing factory functions
3532         https://bugs.webkit.org/show_bug.cgi?id=186920
3533
3534         Reviewed by Darin Adler.
3535
3536         * dfg/DFGWorklist.cpp:
3537         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
3538         (JSC::DFG::Worklist::finishCreation):
3539         * dfg/DFGWorklist.h:
3540         * heap/Heap.cpp:
3541         (JSC::Heap::Thread::Thread):
3542         * heap/Heap.h:
3543         * jit/JITWorklist.cpp:
3544         (JSC::JITWorklist::Thread::Thread):
3545         * jit/JITWorklist.h:
3546         * runtime/VMTraps.cpp:
3547         * runtime/VMTraps.h:
3548         * wasm/WasmWorklist.cpp:
3549         * wasm/WasmWorklist.h:
3550
3551 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3552
3553         [WTF] Add user-defined literal for ASCIILiteral
3554         https://bugs.webkit.org/show_bug.cgi?id=186839
3555
3556         Reviewed by Darin Adler.
3557
3558         * API/JSCallbackObjectFunctions.h:
3559         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3560         (JSC::JSCallbackObject<Parent>::callbackGetter):
3561         * API/JSObjectRef.cpp:
3562         (JSObjectMakeFunctionWithCallback):
3563         * API/JSTypedArray.cpp:
3564         (JSObjectGetArrayBufferBytesPtr):
3565         * API/JSValue.mm:
3566         (valueToArray):
3567         (valueToDictionary):
3568         * API/ObjCCallbackFunction.mm:
3569         (JSC::objCCallbackFunctionCallAsFunction):
3570         (JSC::objCCallbackFunctionCallAsConstructor):
3571         (JSC::ObjCCallbackFunctionImpl::call):
3572         * API/glib/JSCCallbackFunction.cpp:
3573         (JSC::JSCCallbackFunction::call):
3574         (JSC::JSCCallbackFunction::construct):
3575         * API/glib/JSCContext.cpp:
3576         (jscContextJSValueToGValue):
3577         * API/glib/JSCValue.cpp:
3578         (jsc_value_object_define_property_accessor):
3579         (jscValueFunctionCreate):
3580         * builtins/BuiltinUtils.h:
3581         * bytecode/CodeBlock.cpp:
3582         (JSC::CodeBlock::nameForRegister):
3583         * bytecompiler/BytecodeGenerator.cpp:
3584         (JSC::BytecodeGenerator::emitEnumeration):
3585         (JSC::BytecodeGenerator::emitIteratorNext):
3586         (JSC::BytecodeGenerator::emitIteratorClose):
3587         (JSC::BytecodeGenerator::emitDelegateYield):
3588         * bytecompiler/NodesCodegen.cpp:
3589         (JSC::FunctionCallValueNode::emitBytecode):
3590         (JSC::PostfixNode::emitBytecode):
3591         (JSC::PrefixNode::emitBytecode):
3592         (JSC::AssignErrorNode::emitBytecode):
3593         (JSC::ForInNode::emitBytecode):
3594         (JSC::ForOfNode::emitBytecode):
3595         (JSC::ClassExprNode::emitBytecode):
3596         (JSC::ObjectPatternNode::bindValue const):
3597         * dfg/DFGDriver.cpp:
3598         (JSC::DFG::compileImpl):
3599         * dfg/DFGOperations.cpp:
3600         (JSC::DFG::newTypedArrayWithSize):
3601         * dfg/DFGStrengthReductionPhase.cpp:
3602         (JSC::DFG::StrengthReductionPhase::handleNode):
3603         * inspector/ConsoleMessage.cpp:
3604         (Inspector::ConsoleMessage::addToFrontend):
3605         (Inspector::ConsoleMessage::clear):
3606         * inspector/ContentSearchUtilities.cpp:
3607         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
3608         * inspector/InjectedScript.cpp:
3609         (Inspector::InjectedScript::InjectedScript):
3610         (Inspector::InjectedScript::evaluate):
3611         (Inspector::InjectedScript::callFunctionOn):
3612         (Inspector::InjectedScript::evaluateOnCallFrame):
3613         (Inspector::InjectedScript::getFunctionDetails):
3614         (Inspector::InjectedScript::functionDetails):
3615         (Inspector::InjectedScript::getPreview):
3616         (Inspector::InjectedScript::getProperties):
3617         (Inspector::InjectedScript::getDisplayableProperties):
3618         (Inspector::InjectedScript::getInternalProperties):
3619         (Inspector::InjectedScript::getCollectionEntries):
3620         (Inspector::InjectedScript::saveResult):
3621         (Inspector::InjectedScript::wrapCallFrames const):
3622         (Inspector::InjectedScript::wrapObject const):
3623         (Inspector::InjectedScript::wrapJSONString const):
3624         (Inspector::InjectedScript::wrapTable const):
3625         (Inspector::InjectedScript::previewValue const):
3626         (Inspector::InjectedScript::setExceptionValue):
3627         (Inspector::InjectedScript::clearExceptionValue):
3628         (Inspector::InjectedScript::findObjectById const):
3629         (Inspector::InjectedScript::inspectObject):
3630         (Inspector::InjectedScript::releaseObject):
3631         (Inspector::InjectedScript::releaseObjectGroup):
3632         * inspector/InjectedScriptBase.cpp:
3633         (Inspector::InjectedScriptBase::makeEvalCall):
3634         * inspector/InjectedScriptManager.cpp:
3635         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3636         * inspector/InjectedScriptModule.cpp:
3637         (Inspector::InjectedScriptModule::ensureInjected):
3638         * inspector/InspectorBackendDispatcher.cpp:
3639         (Inspector::BackendDispatcher::dispatch):
3640         (Inspector::BackendDispatcher::sendResponse):
3641         (Inspector::BackendDispatcher::sendPendingErrors):
3642         * inspector/JSGlobalObjectConsoleClient.cpp:
3643         (Inspector::JSGlobalObjectConsoleClient::profile):
3644         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
3645         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3646         * inspector/JSGlobalObjectInspectorController.cpp:
3647         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3648         * inspector/JSInjectedScriptHost.cpp:
3649         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3650         (Inspector::JSInjectedScriptHost::subtype):
3651         (Inspector::JSInjectedScriptHost::getInternalProperties):
3652         * inspector/JSJavaScriptCallFrame.cpp:
3653         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3654         (Inspector::JSJavaScriptCallFrame::type const):
3655         * inspector/ScriptArguments.cpp:
3656         (Inspector::ScriptArguments::getFirstArgumentAsString):
3657         * inspector/ScriptCallStackFactory.cpp:
3658         (Inspector::extractSourceInformationFromException):
3659         * inspector/agents/InspectorAgent.cpp:
3660         (Inspector::InspectorAgent::InspectorAgent):
3661         * inspector/agents/InspectorConsoleAgent.cpp:
3662         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3663         (Inspector::InspectorConsoleAgent::clearMessages):
3664         (Inspector::InspectorConsoleAgent::count):
3665         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
3666         * inspector/agents/InspectorDebuggerAgent.cpp:
3667         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3668         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
3669         (Inspector::buildObjectForBreakpointCookie):
3670         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3671         (Inspector::parseLocation):
3672         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3673         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3674         (Inspector::InspectorDebuggerAgent::continueToLocation):
3675         (Inspector::InspectorDebuggerAgent::searchInContent):
3676         (Inspector::InspectorDebuggerAgent::getScriptSource):
3677         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
3678         (Inspector::InspectorDebuggerAgent::resume):
3679         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
3680         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
3681         (Inspector::InspectorDebuggerAgent::didParseSource):
3682         (Inspector::InspectorDebuggerAgent::assertPaused):
3683         * inspector/agents/InspectorHeapAgent.cpp:
3684         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
3685         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
3686         (Inspector::InspectorHeapAgent::getPreview):
3687         (Inspector::InspectorHeapAgent::getRemoteObject):
3688         * inspector/agents/InspectorRuntimeAgent.cpp:
3689         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
3690         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3691         (Inspector::InspectorRuntimeAgent::getPreview):
3692         (Inspector::InspectorRuntimeAgent::getProperties):
3693         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3694         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3695         (Inspector::InspectorRuntimeAgent::saveResult):
3696         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3697         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3698         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3699         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
3700         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3701         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
3702         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3703         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
3704         * inspector/scripts/codegen/cpp_generator_templates.py:
3705         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3706         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
3707         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3708         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3709         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3710         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3711         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3712         (CppProtocolTypesImplementationGenerator):
3713         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3714         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3715         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
3716         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3717         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3718         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3719         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3720         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
3721         * inspector/scripts/codegen/objc_generator_templates.py:
3722         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3723         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3724         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3725         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3726         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3727         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3728         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3729         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3730         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3731         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3732         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3733         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3734         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3735         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3736         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3737         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3738         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3739         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3740         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3741         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3742         * interpreter/CallFrame.cpp:
3743         (JSC::CallFrame::friendlyFunctionName):
3744         * interpreter/Interpreter.cpp:
3745         (JSC::Interpreter::execute):
3746         * interpreter/StackVisitor.cpp:
3747         (JSC::StackVisitor::Frame::functionName const):
3748         (JSC::StackVisitor::Frame::sourceURL const):
3749         * jit/JIT.cpp:
3750         (JSC::JIT::doMainThreadPreparationBeforeCompile):
3751         * jit/JITOperations.cpp:
3752         * jsc.cpp:
3753         (resolvePath):
3754         (GlobalObject::moduleLoaderImportModule):
3755         (GlobalObject::moduleLoaderResolve):
3756         (functionDescribeArray):
3757         (functionRun):
3758         (functionLoad):
3759         (functionCheckSyntax):
3760         (functionDollarEvalScript):
3761         (functionDollarAgentStart):
3762         (functionDollarAgentReceiveBroadcast):
3763         (functionDollarAgentBroadcast):
3764         (functionTransferArrayBuffer):
3765         (functionLoadModule):
3766         (functionSamplingProfilerStackTraces):
3767         (functionAsyncTestStart):
3768         (functionWebAssemblyMemoryMode):
3769         (runWithOptions):
3770         * parser/Lexer.cpp:
3771         (JSC::Lexer<T>::invalidCharacterMessage const):
3772         (JSC::Lexer<T>::parseString):
3773         (JSC::Lexer<T>::parseComplexEscape):
3774         (JSC::Lexer<T>::parseStringSlowCase):
3775         (JSC::Lexer<T>::parseTemplateLiteral):
3776         (JSC::Lexer<T>::lex):
3777         * parser/Parser.cpp:
3778         (JSC::Parser<LexerType>::parseInner):
3779         * parser/Parser.h:
3780         (JSC::Parser::setErrorMessage):
3781         * runtime/AbstractModuleRecord.cpp:
3782         (JSC::AbstractModuleRecord::finishCreation):
3783         * runtime/ArrayBuffer.cpp:
3784         (JSC::errorMesasgeForTransfer):
3785         * runtime/ArrayBufferSharingMode.h:
3786         (JSC::arrayBufferSharingModeName):
3787         * runtime/ArrayConstructor.cpp:
3788         (JSC::constructArrayWithSizeQuirk):
3789         (JSC::isArraySlowInline):
3790         * runtime/ArrayPrototype.cpp:
3791         (JSC::setLength):
3792         (JSC::shift):
3793         (JSC::unshift):
3794         (JSC::arrayProtoFuncPop):
3795         (JSC::arrayProtoFuncReverse):
3796         (JSC::arrayProtoFuncUnShift):
3797         * runtime/AtomicsObject.cpp:
3798         (JSC::atomicsFuncWait):
3799         (JSC::atomicsFuncWake):
3800         * runtime/BigIntConstructor.cpp:
3801         (JSC::BigIntConstructor::finishCreation):
3802         (JSC::toBigInt):
3803         (JSC::callBigIntConstructor):
3804         * runtime/BigIntObject.cpp:
3805         (JSC::BigIntObject::toStringName):
3806         * runtime/BigIntPrototype.cpp:
3807         (JSC::bigIntProtoFuncToString):
3808         (JSC::bigIntProtoFuncValueOf):
3809         * runtime/CommonSlowPaths.cpp:
3810         (JSC::SLOW_PATH_DECL):
3811         * runtime/ConsoleClient.cpp:
3812         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3813         * runtime/ConsoleObject.cpp:
3814         (JSC::valueOrDefaultLabelString):
3815         (JSC::consoleProtoFuncTime):
3816         (JSC::consoleProtoFuncTimeEnd):
3817         * runtime/DatePrototype.cpp:
3818         (JSC::formatLocaleDate):
3819         (JSC::formateDateInstance):
3820         (JSC::DatePrototype::finishCreation):
3821         (JSC::dateProtoFuncToISOString):
3822         (JSC::dateProtoFuncToJSON):
3823         * runtime/Error.cpp:
3824         (JSC::createNotEnoughArgumentsError):
3825         (JSC::throwSyntaxError):
3826         (JSC::createTypeError):
3827         (JSC::createOutOfMemoryError):
3828         * runtime/Error.h:
3829         (JSC::throwVMError):
3830         * runtime/ErrorConstructor.cpp:
3831         (JSC::ErrorConstructor::finishCreation):
3832         * runtime/ErrorInstance.cpp:
3833         (JSC::ErrorInstance::sanitizedToString):
3834         * runtime/ErrorPrototype.cpp:
3835         (JSC::ErrorPrototype::finishCreation):
3836         (JSC::errorProtoFuncToString):
3837         * runtime/ExceptionFuzz.cpp:
3838         (JSC::doExceptionFuzzing):
3839         * runtime/ExceptionHelpers.cpp:
3840         (JSC::TerminatedExecutionError::defaultValue):
3841         (JSC::createStackOverflowError):
3842         (JSC::createNotAConstructorError):
3843         (JSC::createNotAFunctionError):
3844         (JSC::createNotAnObjectError):
3845         * runtime/GetterSetter.cpp:
3846         (JSC::callSetter):
3847         * runtime/IntlCollator.cpp:
3848         (JSC::sortLocaleData):
3849         (JSC::searchLocaleData):
3850         (JSC::IntlCollator::initializeCollator):
3851         (JSC::IntlCollator::compareStrings):
3852         (JSC::IntlCollator::usageString):
3853         (JSC::IntlCollator::sensitivityString):
3854         (JSC::IntlCollator::caseFirstString):
3855         (JSC::IntlCollator::resolvedOptions):
3856         * runtime/IntlCollator.h:
3857         * runtime/IntlCollatorConstructor.cpp:
3858         (JSC::IntlCollatorConstructor::finishCreation):
3859         * runtime/IntlCollatorPrototype.cpp:
3860         (JSC::IntlCollatorPrototypeGetterCompare):
3861         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
3862         * runtime/IntlDateTimeFormat.cpp:
3863         (JSC::defaultTimeZone):
3864         (JSC::canonic