Disable JIT on IA-32 without SSE2
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
index c20a868..f0d9adb 100644 (file)
@@ -1,3 +1,714 @@
+2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
+
+        Disable JIT on IA-32 without SSE2
+        https://bugs.webkit.org/show_bug.cgi?id=188476
+
+        Reviewed by Yusuke Suzuki.
+
+        On IA-32 CPUs without SSE2 most of the webpages cannot load
+        if the JIT is turned on.
+
+        * runtime/Options.cpp:
+        (JSC::recomputeDependentOptions):
+
+2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: console.log fires getters for deep properties
+        https://bugs.webkit.org/show_bug.cgi?id=187542
+        <rdar://problem/42873158>
+
+        Reviewed by Saam Barati.
+
+        * inspector/InjectedScriptSource.js:
+        (RemoteObject.prototype._isPreviewableObject):
+        Avoid getters/setters when checking for simple properties to preview.
+        Here we avoid invoking `object[property]` if it could be a user getter.
+
+2018-08-10  Keith Miller  <keith_miller@apple.com>
+
+        Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
+        https://bugs.webkit.org/show_bug.cgi?id=185127
+
+        Reviewed by Saam Barati.
+
+        Previously, we would truncate the indicies passed to slice to an
+        int. This meant that the value was not getting properly clamped
+        later.
+
+        This patch also removes a non-spec compliant check that slice was
+        passed at least one argument.
+
+        * runtime/ArrayBuffer.cpp:
+        (JSC::ArrayBuffer::clampValue):
+        (JSC::ArrayBuffer::clampIndex const):
+        (JSC::ArrayBuffer::slice const):
+        * runtime/ArrayBuffer.h:
+        (JSC::ArrayBuffer::clampValue): Deleted.
+        (JSC::ArrayBuffer::clampIndex const): Deleted.
+        * runtime/JSArrayBufferPrototype.cpp:
+        (JSC::arrayBufferProtoFuncSlice):
+
+2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        Date.UTC should not return NaN with only Year param
+        https://bugs.webkit.org/show_bug.cgi?id=188378
+
+        Reviewed by Keith Miller.
+
+        Date.UTC requires one argument for |year|. But the other ones are optional.
+        This patch fix this handling.
+
+        * runtime/DateConstructor.cpp:
+        (JSC::millisecondsFromComponents):
+
+2018-08-08  Keith Miller  <keith_miller@apple.com>
+
+        Array.prototype.sort should call @toLength instead of ">>> 0"
+        https://bugs.webkit.org/show_bug.cgi?id=188430
+
+        Reviewed by Saam Barati.
+
+        Also add a new function to $vm that will fetch a private
+        property. This can be useful for running builtin helper functions.
+
+        * builtins/ArrayPrototype.js:
+        (sort):
+        * tools/JSDollarVM.cpp:
+        (JSC::functionGetPrivateProperty):
+        (JSC::JSDollarVM::finishCreation):
+
+2018-08-08  Keith Miller  <keith_miller@apple.com>
+
+        Array.prototype.sort should throw TypeError if param is a not callable object
+        https://bugs.webkit.org/show_bug.cgi?id=188382
+
+        Reviewed by Saam Barati.
+
+        Improve spec compatability by checking if the Array.prototype.sort comparator is a function
+        before doing anything else.
+
+        Also, refactor the various helper functions to use let instead of var.
+
+        * builtins/ArrayPrototype.js:
+        (sort.stringComparator):
+        (sort.compactSparse):
+        (sort.compactSlow):
+        (sort.compact):
+        (sort.merge):
+        (sort.mergeSort):
+        (sort.bucketSort):
+        (sort.comparatorSort):
+        (sort.stringSort):
+        (sort):
+
+2018-08-08  Michael Saboff  <msaboff@apple.com>
+
+        Yarr JIT should include annotations with dumpDisassembly=true
+        https://bugs.webkit.org/show_bug.cgi?id=188415
+
+        Reviewed by Yusuke Suzuki.
+
+        Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
+        Given that the Yarr creates matching code bu going through the YarrPattern ops forward and
+        then the backtracking code through the YarrPattern ops in reverse order, the disassembler
+        needs to do the same think.
+
+        Restructured some of the logging code in YarrPattern to eliminate redundent code and factor
+        out simple methods for what was needed by the YarrDisassembler.
+
+        Here is abbreviated sample output after this change.
+
+        Generated JIT code for 8-bit regular expression /ab*c/:
+            Code at [0x469561c03720, 0x469561c03840):
+                0x469561c03720: push %rbp
+                0x469561c03721: mov %rsp, %rbp
+                ...
+                0x469561c03762: sub $0x40, %rsp
+             == Matching ==
+           0:OpBodyAlternativeBegin minimum size 2
+                0x469561c03766: add $0x2, %esi
+                0x469561c03769: cmp %edx, %esi
+                0x469561c0376b: ja 0x469561c037fa
+           1:OpTerm TypePatternCharacter 'a'
+                0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
+                0x469561c03776: cmp $0x61, %eax
+                0x469561c03779: jnz 0x469561c037e9
+           2:OpTerm TypePatternCharacter 'b' {0,...} greedy
+                0x469561c0377f: xor %r9d, %r9d
+                0x469561c03782: cmp %edx, %esi
+                0x469561c03784: jz 0x469561c037a2
+                ...
+                0x469561c0379d: jmp 0x469561c03782
+                0x469561c037a2: mov %r9, 0x8(%rsp)
+           3:OpTerm TypePatternCharacter 'c'
+                0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
+                0x469561c037ac: cmp $0x63, %eax
+                0x469561c037af: jnz 0x469561c037d1
+           4:OpBodyAlternativeEnd
+                0x469561c037b5: add $0x40, %rsp
+                ...
+                0x469561c037cf: pop %rbp
+                0x469561c037d0: ret
+             == Backtracking ==
+           4:OpBodyAlternativeEnd
+           3:OpTerm TypePatternCharacter 'c'
+           2:OpTerm TypePatternCharacter 'b' {0,...} greedy
+                0x469561c037d1: mov 0x8(%rsp), %r9
+                ...
+                0x469561c037e4: jmp 0x469561c037a2
+           1:OpTerm TypePatternCharacter 'a'
+           0:OpBodyAlternativeBegin minimum size 2
+                0x469561c037e9: mov %rsi, %rax
+                ...
+                0x469561c0382f: pop %rbp
+                0x469561c03830: ret
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * runtime/RegExp.cpp:
+        (JSC::RegExp::compile):
+        (JSC::RegExp::compileMatchOnly):
+        * yarr/YarrDisassembler.cpp: Added.
+        (JSC::Yarr::YarrDisassembler::indentString):
+        (JSC::Yarr::YarrDisassembler::YarrDisassembler):
+        (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
+        (JSC::Yarr::YarrDisassembler::dump):
+        (JSC::Yarr::YarrDisassembler::dumpHeader):
+        (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
+        (JSC::Yarr::YarrDisassembler::dumpForInstructions):
+        (JSC::Yarr::YarrDisassembler::dumpDisassembly):
+        * yarr/YarrDisassembler.h: Added.
+        (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
+        (JSC::Yarr::YarrDisassembler::setStartOfCode):
+        (JSC::Yarr::YarrDisassembler::setForGenerate):
+        (JSC::Yarr::YarrDisassembler::setForBacktrack):
+        (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
+        (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
+        (JSC::Yarr::YarrDisassembler::setEndOfCode):
+        (JSC::Yarr::YarrDisassembler::indentString):
+        * yarr/YarrJIT.cpp:
+        (JSC::Yarr::YarrGenerator::generate):
+        (JSC::Yarr::YarrGenerator::backtrack):
+        (JSC::Yarr::YarrGenerator::YarrGenerator):
+        (JSC::Yarr::YarrGenerator::compile):
+        (JSC::Yarr::jitCompile):
+        * yarr/YarrJIT.h:
+        * yarr/YarrPattern.cpp:
+        (JSC::Yarr::dumpCharacterClass):
+        (JSC::Yarr::PatternTerm::dump):
+        (JSC::Yarr::YarrPattern::dumpPatternString):
+        (JSC::Yarr::YarrPattern::dumpPattern):
+        * yarr/YarrPattern.h:
+
+2018-08-05  Darin Adler  <darin@apple.com>
+
+        [Cocoa] More tweaks and refactoring to prepare for ARC
+        https://bugs.webkit.org/show_bug.cgi?id=188245
+
+        Reviewed by Dan Bernstein.
+
+        * API/JSValue.mm: Use __unsafe_unretained.
+        (JSContainerConvertor::convert): Use auto for compatibility with the above.
+        * API/JSWrapperMap.mm:
+        (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
+        (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
+
+        * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
+
+2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
+
+        Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
+        https://bugs.webkit.org/show_bug.cgi?id=188328
+
+        Reviewed by Saam Barati.
+
+        Shrinking the size of PropertyCondition can improve memory consumption by a lot.
+        For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
+        and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
+        as a member field.
+
+        This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
+        PropertyCondition::Kind into uint64_t data in 64bit architecture. Since our address
+        are within 48bit, we can put PropertyCondition::Kind in this unused bits.
+        To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
+        folds a pointer and 1byte type into 64bit data.
+
+        This change shrinks PropertyCondition from 24bytes to 16bytes.
+
+        * bytecode/PropertyCondition.cpp:
+        (JSC::PropertyCondition::dumpInContext const):
+        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
+        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
+        (JSC::PropertyCondition::isStillValid const):
+        (JSC::PropertyCondition::isWatchableWhenValid const):
+        * bytecode/PropertyCondition.h:
+        (JSC::PropertyCondition::PropertyCondition):
+        (JSC::PropertyCondition::presenceWithoutBarrier):
+        (JSC::PropertyCondition::absenceWithoutBarrier):
+        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
+        (JSC::PropertyCondition::equivalenceWithoutBarrier):
+        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
+        (JSC::PropertyCondition::operator bool const):
+        (JSC::PropertyCondition::kind const):
+        (JSC::PropertyCondition::uid const):
+        (JSC::PropertyCondition::hasOffset const):
+        (JSC::PropertyCondition::hasAttributes const):
+        (JSC::PropertyCondition::hasPrototype const):
+        (JSC::PropertyCondition::hasRequiredValue const):
+        (JSC::PropertyCondition::hash const):
+        (JSC::PropertyCondition::operator== const):
+        (JSC::PropertyCondition::isHashTableDeletedValue const):
+        (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
+
+2018-08-07  Mark Lam  <mark.lam@apple.com>
+
+        Use a more specific PtrTag for PlatformRegisters PC and LR.
+        https://bugs.webkit.org/show_bug.cgi?id=188366
+        <rdar://problem/42984123>
+
+        Reviewed by Keith Miller.
+
+        Also fixed a bug in linkRegister(), which was previously returning the PC instead
+        of LR.  It now returns LR.
+
+        * runtime/JSCPtrTag.h:
+        * runtime/MachineContext.h:
+        (JSC::MachineContext::instructionPointer):
+        (JSC::MachineContext::linkRegister):
+        * runtime/VMTraps.cpp:
+        (JSC::SignalContext::SignalContext):
+        * tools/SigillCrashAnalyzer.cpp:
+        (JSC::SignalContext::SignalContext):
+
+2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
+
+        Hardcoded LFENCE instruction
+        https://bugs.webkit.org/show_bug.cgi?id=188145
+
+        Reviewed by Filip Pizlo.
+
+        Remove lfence instruction because it is crashing systems without SSE2 and
+        this is not the way how WebKit mitigates Spectre.
+
+        * runtime/JSLock.cpp:
+        (JSC::JSLock::didAcquireLock):
+        (JSC::JSLock::willReleaseLock):
+
+2018-08-04  David Kilzer  <ddkilzer@apple.com>
+
+        REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
+        <https://webkit.org/b/188331>
+
+        Reviewed by Yusuke Suzuki.
+
+        * runtime/TemplateObjectDescriptor.h:
+        (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
+        Use `m_rawstrings` instead of `rawStrings` to calculate hash.
+
+2018-08-03  Saam Barati  <sbarati@apple.com>
+
+        Give the `jsc` shell the JIT entitlement
+        https://bugs.webkit.org/show_bug.cgi?id=188324
+        <rdar://problem/42885806>
+
+        Reviewed by Dan Bernstein.
+
+        This should help us in ensuring the system jsc is able to JIT.
+
+        * Configurations/JSC.xcconfig:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * allow-jit-macOS.entitlements: Added.
+
+2018-08-03  Alex Christensen  <achristensen@webkit.org>
+
+        Fix spelling of "overridden"
+        https://bugs.webkit.org/show_bug.cgi?id=188315
+
+        Reviewed by Darin Adler.
+
+        * API/JSExport.h:
+        * inspector/InjectedScriptSource.js:
+
+2018-08-02  Saam Barati  <sbarati@apple.com>
+
+        Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
+        https://bugs.webkit.org/show_bug.cgi?id=188271
+        <rdar://problem/42850884>
+
+        Reviewed by Michael Saboff.
+
+        This patch defends against the instructionPointer containing garbage bits.
+        See radar for details.
+
+        * runtime/MachineContext.h:
+        (JSC::MachineContext::instructionPointer):
+        * runtime/SamplingProfiler.cpp:
+        (JSC::SamplingProfiler::takeSample):
+        * runtime/VMTraps.cpp:
+        (JSC::SignalContext::SignalContext):
+        (JSC::SignalContext::tryCreate):
+        * tools/CodeProfiling.cpp:
+        (JSC::profilingTimer):
+        * tools/SigillCrashAnalyzer.cpp:
+        (JSC::SignalContext::SignalContext):
+        (JSC::SignalContext::tryCreate):
+        (JSC::SignalContext::dump):
+        (JSC::installCrashHandler):
+        * wasm/WasmFaultSignalHandler.cpp:
+        (JSC::Wasm::trapHandler):
+
+2018-08-02  David Fenton  <david_fenton@apple.com>
+
+        Unreviewed, rolling out r234489.
+
+        Caused 50+ crashes and 60+ API failures on iOS
+
+        Reverted changeset:
+
+        "[WTF] Rename String::format to String::deprecatedFormat"
+        https://bugs.webkit.org/show_bug.cgi?id=188191
+        https://trac.webkit.org/changeset/234489
+
+2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Add self.queueMicrotask(f) on DOMWindow
+        https://bugs.webkit.org/show_bug.cgi?id=188212
+
+        Reviewed by Ryosuke Niwa.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::enqueueJob):
+        * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
+        (JSC::createJSMicrotask):
+        Export them to WebCore.
+
+        (JSC::JSMicrotask::run):
+        * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
+        Add another version of JSMicrotask which does not have arguments.
+
+2018-08-01  Tomas Popela  <tpopela@redhat.com>
+
+        [WTF] Rename String::format to String::deprecatedFormat
+        https://bugs.webkit.org/show_bug.cgi?id=188191
+
+        Reviewed by Darin Adler.
+
+        It should be replaced with string concatenation.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::nameForRegister):
+        * inspector/InjectedScriptBase.cpp:
+        (Inspector::InjectedScriptBase::makeCall):
+        * inspector/InspectorBackendDispatcher.cpp:
+        (Inspector::BackendDispatcher::getPropertyValue):
+        * inspector/agents/InspectorConsoleAgent.cpp:
+        (Inspector::InspectorConsoleAgent::enable):
+        (Inspector::InspectorConsoleAgent::stopTiming):
+        * jsc.cpp:
+        (FunctionJSCStackFunctor::operator() const):
+        * parser/Lexer.cpp:
+        (JSC::Lexer<T>::invalidCharacterMessage const):
+        * runtime/IntlDateTimeFormat.cpp:
+        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+        * runtime/IntlObject.cpp:
+        (JSC::canonicalizeLocaleList):
+        * runtime/LiteralParser.cpp:
+        (JSC::LiteralParser<CharType>::Lexer::lex):
+        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
+        (JSC::LiteralParser<CharType>::parse):
+        * runtime/LiteralParser.h:
+        (JSC::LiteralParser::getErrorMessage):
+
+2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
+
+        [INTL] Allow "unknown" formatToParts types
+        https://bugs.webkit.org/show_bug.cgi?id=188176
+
+        Reviewed by Darin Adler.
+
+        Originally extra unexpected field types were marked as "literal", since
+        the spec did not account for these. The ECMA 402 spec has since been updated
+        to specify "unknown" should be used in these cases.
+
+        Currently there is no known way to reach these cases, so no tests can
+        account for them. Theoretically they shoudn't exist, but they are specified,
+        just to be safe. Marking them as "unknown" instead of "literal" hopefully
+        will make such cases easy to identify if they ever happen.
+
+        * runtime/IntlDateTimeFormat.cpp:
+        (JSC::IntlDateTimeFormat::partTypeString):
+        * runtime/IntlNumberFormat.cpp:
+        (JSC::IntlNumberFormat::partTypeString):
+
+2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
+
+        [INTL] Implement hourCycle in DateTimeFormat
+        https://bugs.webkit.org/show_bug.cgi?id=188006
+
+        Reviewed by Darin Adler.
+
+        Implemented hourCycle, updating both the skeleton and the final pattern.
+        Changed resolveLocale to assume undefined options are not given and null
+        strings actually mean null, which removes the tag extension.
+
+        * runtime/CommonIdentifiers.h:
+        * runtime/IntlCollator.cpp:
+        (JSC::IntlCollator::initializeCollator):
+        * runtime/IntlDateTimeFormat.cpp:
+        (JSC::IntlDTFInternal::localeData):
+        (JSC::IntlDateTimeFormat::setFormatsFromPattern):
+        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+        (JSC::IntlDateTimeFormat::resolvedOptions):
+        * runtime/IntlDateTimeFormat.h:
+        * runtime/IntlObject.cpp:
+        (JSC::resolveLocale):
+
+2018-08-01  Keith Miller  <keith_miller@apple.com>
+
+        JSArrayBuffer should have its own JSType
+        https://bugs.webkit.org/show_bug.cgi?id=188231
+
+        Reviewed by Saam Barati.
+
+        * runtime/JSArrayBuffer.cpp:
+        (JSC::JSArrayBuffer::createStructure):
+        * runtime/JSCast.h:
+        * runtime/JSType.h:
+
+2018-07-31  Keith Miller  <keith_miller@apple.com>
+
+        Unreviewed 32-bit build fix...
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+
+2018-07-31  Keith Miller  <keith_miller@apple.com>
+
+        Long compiling JSC files should not be unified
+        https://bugs.webkit.org/show_bug.cgi?id=188205
+
+        Reviewed by Saam Barati.
+
+        The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
+        to compile. Unifying them means touching anything in the same
+        bundle as those files takes a long time to incrementally build.
+        This patch separates those files so they build standalone.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * dfg/DFGSpeculativeJIT64.cpp:
+
+2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
+        https://bugs.webkit.org/show_bug.cgi?id=188201
+
+        Reviewed by Keith Miller.
+
+        We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
+        When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
+        new one. So this cellLock() is unnecessary for contiguous shape since contigous shaped butterfly
+        never becomes broken state. This patch removes unnecessary locking.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::visitButterflyImpl):
+
+2018-07-31  Guillaume Emont  <guijemont@igalia.com>
+
+        [JSC] Remove gcc warnings for 32-bit platforms
+        https://bugs.webkit.org/show_bug.cgi?id=187803
+
+        Reviewed by Yusuke Suzuki.
+
+        * assembler/MacroAssemblerPrinter.cpp:
+        (JSC::Printer::printPCRegister):
+        (JSC::Printer::printRegisterID):
+        (JSC::Printer::printAddress):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::speculateNumber):
+        (JSC::DFG::SpeculativeJIT::speculateMisc):
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::calculatePokeOffset):
+        * runtime/Options.cpp:
+        (JSC::parse):
+
+2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
+
+        watchOS engineering build is broken after r234227
+        https://bugs.webkit.org/show_bug.cgi?id=188180
+
+        Reviewed by Keith Miller.
+
+        In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
+        postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
+        `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
+        `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
+
+        To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
+        entirely, since there's no relevant version to replace them with.
+
+        * postprocess-headers.sh:
+
+2018-07-30  Keith Miller  <keith_miller@apple.com>
+
+        Clarify conversion rules for JSValue property access API
+        https://bugs.webkit.org/show_bug.cgi?id=188179
+
+        Reviewed by Geoffrey Garen.
+
+        * API/JSValue.h:
+
+2018-07-30  Keith Miller  <keith_miller@apple.com>
+
+        Rename some JSC API functions/types.
+        https://bugs.webkit.org/show_bug.cgi?id=188173
+
+        Reviewed by Saam Barati.
+
+        * API/JSObjectRef.cpp:
+        (JSObjectHasPropertyForKey):
+        (JSObjectGetPropertyForKey):
+        (JSObjectSetPropertyForKey):
+        (JSObjectDeletePropertyForKey):
+        (JSObjectHasPropertyKey): Deleted.
+        (JSObjectGetPropertyKey): Deleted.
+        (JSObjectSetPropertyKey): Deleted.
+        (JSObjectDeletePropertyKey): Deleted.
+        * API/JSObjectRef.h:
+        * API/JSValue.h:
+        * API/JSValue.mm:
+        (-[JSValue valueForProperty:]):
+        (-[JSValue setValue:forProperty:]):
+        (-[JSValue deleteProperty:]):
+        (-[JSValue hasProperty:]):
+        (-[JSValue defineProperty:descriptor:]):
+        * API/tests/testapi.cpp:
+        (TestAPI::run):
+
+2018-07-30  Mark Lam  <mark.lam@apple.com>
+
+        Add a debugging utility to dump the memory layout of a JSCell.
+        https://bugs.webkit.org/show_bug.cgi?id=188157
+
+        Reviewed by Yusuke Suzuki.
+
+        This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
+        dump the memory contents of a cell and if present, its butterfly for debugging
+        purposes.
+
+        Example usage for JS code when JSC_useDollarVM=true:
+
+            $vm.dumpCell(obj);
+
+        Example usage from C++ code or from lldb: 
+
+            (lldb) p JSC::VMInspector::dumpCellMemory(obj)
+
+        Some examples of dumps:
+
+            <0x104bc8260, Object>
+              [0] 0x104bc8260 : 0x010016000000016c header
+                structureID 364 0x16c structure 0x104b721b0
+                indexingTypeAndMisc 0 0x0 NonArray
+                type 22 0x16
+                flags 0 0x0
+                cellState 1
+              [1] 0x104bc8268 : 0x0000000000000000 butterfly
+              [2] 0x104bc8270 : 0xffff000000000007
+              [3] 0x104bc8278 : 0xffff000000000008
+
+            <0x104bb4360, Array>
+              [0] 0x104bb4360 : 0x0108210b00000171 header
+                structureID 369 0x171 structure 0x104b723e0
+                indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
+                type 33 0x21
+                flags 8 0x8
+                cellState 1
+              [1] 0x104bb4368 : 0x00000008000f4718 butterfly
+                base 0x8000f46e0
+                hasIndexingHeader YES hasAnyArrayStorage YES
+                publicLength 4 vectorLength 7 indexBias 2
+                preCapacity 2 propertyCapacity 4
+                  <--- preCapacity
+                  [0] 0x8000f46e0 : 0x0000000000000000
+                  [1] 0x8000f46e8 : 0x0000000000000000
+                  <--- propertyCapacity
+                  [2] 0x8000f46f0 : 0x0000000000000000
+                  [3] 0x8000f46f8 : 0x0000000000000000
+                  [4] 0x8000f4700 : 0xffff00000000000d
+                  [5] 0x8000f4708 : 0xffff00000000000c
+                  <--- indexingHeader
+                  [6] 0x8000f4710 : 0x0000000700000004
+                  <--- butterfly
+                  <--- arrayStorage
+                  [7] 0x8000f4718 : 0x0000000000000000
+                  [8] 0x8000f4720 : 0x0000000400000002
+                  <--- indexedProperties
+                  [9] 0x8000f4728 : 0xffff000000000008
+                  [10] 0x8000f4730 : 0xffff000000000009
+                  [11] 0x8000f4738 : 0xffff000000000005
+                  [12] 0x8000f4740 : 0xffff000000000006
+                  [13] 0x8000f4748 : 0x0000000000000000
+                  [14] 0x8000f4750 : 0x0000000000000000
+                  [15] 0x8000f4758 : 0x0000000000000000
+                  <--- unallocated capacity
+                  [16] 0x8000f4760 : 0x0000000000000000
+                  [17] 0x8000f4768 : 0x0000000000000000
+                  [18] 0x8000f4770 : 0x0000000000000000
+                  [19] 0x8000f4778 : 0x0000000000000000
+
+        * runtime/JSObject.h:
+        * tools/JSDollarVM.cpp:
+        (JSC::functionDumpCell):
+        (JSC::JSDollarVM::finishCreation):
+        * tools/VMInspector.cpp:
+        (JSC::VMInspector::dumpCellMemory):
+        (JSC::IndentationScope::IndentationScope):
+        (JSC::IndentationScope::~IndentationScope):
+        (JSC::VMInspector::dumpCellMemoryToStream):
+        * tools/VMInspector.h:
+
+2018-07-27  Mark Lam  <mark.lam@apple.com>
+
+        Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
+        https://bugs.webkit.org/show_bug.cgi?id=188123
+        <rdar://problem/42672268>
+
+        Reviewed by Keith Miller.
+
+        1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
+           padding space in VM and Heap, and should not cost any measurable perf to
+           initialize and update.
+
+        2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
+
+           worldState tells us the value we failed the assertion on.
+
+           m_lastPhase, m_currentPhase, and m_nextPhase tells us the GC phase transition
+           that led us here.
+
+           VM::id(), and VM::numberOfIDs() tells us how many VMs may be in play.
+
+           VM::isEntered() tells us if the current VM is currently executing JS code.
+
+           Some of this data may be redundant, but the redundancy is intentional so that
+           we can double check what is really happening at the time of crash.
+
+        * heap/Heap.cpp:
+        (JSC::asInt):
+        (JSC::Heap::checkConn):
+        (JSC::Heap::changePhase):
+        * heap/Heap.h:
+        * runtime/VM.cpp:
+        (JSC::VM::nextID):
+        (JSC::VM::VM):
+        * runtime/VM.h:
+        (JSC::VM::numberOfIDs):
+        (JSC::VM::id const):
+        (JSC::VM::isEntered const):
+
 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [JSC] Record CoW status in ArrayProfile correctly
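Review bot: the new top entry ("Disable JIT on IA-32 without SSE2", the lines under `* runtime/Options.cpp: (JSC::recomputeDependentOptions)`) records only the symptom ("most of the webpages cannot load if the JIT is turned on") and not what the change does; since this silently switches affected machines to a different execution tier, the entry should say which option recomputeDependentOptions now forces off, how the absence of SSE2 is detected, and whether the earlier entry "Hardcoded LFENCE instruction" (same author, same SSE2 motivation) is the crash this entry is working around. Two smaller points in the same hunk: the "2018-08-05  Darin Adler" entry is filed between the 2018-08-08 and 2018-08-07 entries and breaks the ChangeLog's reverse-chronological order, and several entries carry typos worth fixing before landing ("indicies", "compatability", "bu going", "same think", "redundent", "shoudn't", "contigous", "This patch fix this handling", "a not callable object").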