0e75b8bbfd6a87278ba8d7ab32827cd8efffcbe6
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-10-16  Fujii Hironori  <Hironori.Fujii@sony.com>

        Unreviewed, rolling out r237188, r237189, and r237197.

        It breaks WinCairo Debug builds and Release LayoutTests

        Reverted changesets:

        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237188

        "Unreviewed, forgot to add untracked files."
        https://trac.webkit.org/changeset/237189

        "isASTErroneous in offlineasm should de-macroify before
        looking for Errors"
        https://bugs.webkit.org/show_bug.cgi?id=190634
        https://trac.webkit.org/changeset/237197

2018-10-16  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: capture previously saved states and add them to the recording payload
        https://bugs.webkit.org/show_bug.cgi?id=190473

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add `states` key to `InitialState` object.

2018-10-16  Keith Miller  <keith_miller@apple.com>

        isASTErroneous in offlineasm should de-macroify before looking for Errors
        https://bugs.webkit.org/show_bug.cgi?id=190634

        Reviewed by Mark Lam.

        If a macro isn't usable in a configuration it might still cause us to
        think the ast is invalid. This change runs the de-macroifier before
        looking for errors.

        Also, it adds a missing include to Printer.h.

        * assembler/Printer.h:
        * offlineasm/settings.rb:

2018-10-16  Justin Michaud  <justin_michaud@apple.com>

        Implement feature flag and bindings for CSS Painting API
        https://bugs.webkit.org/show_bug.cgi?id=190237

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add untracked files.

        * llint/LLIntSettingsExtractor.cpp: Added.
        (main):
        * offlineasm/generate_settings_extractor.rb: Added.

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, reland https://bugs.webkit.org/show_bug.cgi?id=189708 with build fix.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/offsets.rb:
        * offlineasm/settings.rb:

2018-10-16  Keith Miller  <keith_miller@apple.com>

        Unreviewed, add missing include.

        * runtime/BasicBlockLocation.h:

2018-10-15  Keith Miller  <keith_miller@apple.com>

        Support arm64 CPUs with a 32-bit address space
        https://bugs.webkit.org/show_bug.cgi?id=190273

        Reviewed by Michael Saboff.

        This patch adds support for arm64_32 in the LLInt. In order to
        make this work we needed to add a new type that reflects the size
        of a cpu register. This type is called CPURegister or UCPURegister
        for the unsigned version. Most places that used void* or intptr_t
        to refer to a register have been changed to use this new type.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        (JSC::isInt):
        (JSC::is4ByteAligned):
        (JSC::PairPostIndex::PairPostIndex):
        (JSC::PairPreIndex::PairPreIndex):
        (JSC::ARM64Assembler::readPointer):
        (JSC::ARM64Assembler::readCallTarget):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::loadRegisterLiteral):
        (JSC::ARM64Assembler::loadStoreRegisterPairPostIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairPreIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPairOffset):
        (JSC::ARM64Assembler::loadStoreRegisterPairNonTemporal):
        (JSC::isInt7): Deleted.
        (JSC::isInt11): Deleted.
        * assembler/CPU.h:
        (JSC::isAddress64Bit):
        (JSC::isAddress32Bit):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::store):
        (JSC::MacroAssemblerARM64::isInIntRange): Deleted.
        * assembler/Printer.h:
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        * b3/B3ConstPtrValue.h:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::stackSlot const):
        (JSC::B3::Air::Arg::special const):
        * b3/air/testair.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testStoreConstantPtr):
        (JSC::B3::testInterpreter):
        (JSC::B3::testAddShl32):
        (JSC::B3::testLoadBaseIndexShift32):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument):
        * bindings/ScriptFunctionCall.h:
        * bytecode/CodeBlock.cpp:
        (JSC::roundCalleeSaveSpaceAsVirtualRegisters):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
        (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        * heap/MachineStackMarker.cpp:
        (JSC::copyMemory):
        * interpreter/CallFrame.h:
        (JSC::ExecState::returnPC const):
        (JSC::ExecState::hasReturnPC const):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::isGlobalExec const):
        (JSC::ExecState::setReturnPC):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        * interpreter/VMEntryRecord.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::clearStackFrame):
        * jit/RegisterAtOffset.h:
        (JSC::RegisterAtOffset::offsetAsIndex const):
        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::RegisterAtOffsetList):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/parser.rb:
        * offlineasm/x86.rb:
        * runtime/BasicBlockLocation.cpp:
        (JSC::BasicBlockLocation::dumpData const):
        (JSC::BasicBlockLocation::emitExecuteCode const):
        * runtime/BasicBlockLocation.h:
        * runtime/HasOwnPropertyCache.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitDiv):
        * runtime/JSBigInt.h:
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::jitEnabledByDefault):
        * runtime/Options.h:
        * runtime/RegExp.cpp:
        (JSC::RegExp::printTraceData):
        * runtime/SamplingProfiler.cpp:
        (JSC::CFrameWalker::walk):
        * runtime/SlowPathReturnType.h:
        (JSC::encodeResult):
        (JSC::decodeResult):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SigillCrashAnalyzer::dumpCodeBlock):

2018-10-15  Justin Fan  <justin_fan@apple.com>

        Add WebGPU 2018 feature flag and experimental feature flag
        https://bugs.webkit.org/show_bug.cgi?id=190509

        Reviewed by Dean Jackson.

        Re-add ENABLE_WEBGPU, an experimental feature flag, and a RuntimeEnabledFeature
        for the 2018 WebGPU prototype.

        * Configurations/FeatureDefines.xcconfig:

2018-10-15  Timothy Hatcher  <timothy@apple.com>

        Add support for prefers-color-scheme media query
        https://bugs.webkit.org/show_bug.cgi?id=190499
        rdar://problem/45212025

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_DARK_MODE_CSS.

2018-10-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r237084, r237088, r237098, and
        r237114.
        https://bugs.webkit.org/show_bug.cgi?id=190602

        Breaks internal builds. (Requested by ryanhaddad on #webkit).

        Reverted changesets:

        "Separate configuration extraction from offset extraction"
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237084

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237088

        "Gardening: Build fix after r237084."
        https://bugs.webkit.org/show_bug.cgi?id=189708
        https://trac.webkit.org/changeset/237098

        "REGRESSION (r237084): JavaScriptCore fails to build on Linux"
        https://trac.webkit.org/changeset/237114

2018-10-15  Keith Miller  <keith_miller@apple.com>

        BytecodeDumper should print all switch labels
        https://bugs.webkit.org/show_bug.cgi?id=190596

        Reviewed by Saam Barati.

        Right now the bytecode dumper only prints the default target not any of the
        non-default targets.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):

2018-10-15  Saam barati  <sbarati@apple.com>

        Emit fjcvtzs on ARM64E on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=184023

        Reviewed by Yusuke Suzuki and Filip Pizlo.

        ARMv8.3 introduced the fjcvtzs instruction which does double->int32
        conversion using the semantics defined by JavaScript:
        http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0801g/hko1477562192868.html
        This patch teaches JSC to use that instruction when possible.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fjcvtzs):
        (JSC::ARM64Assembler::fjcvtzsInsn):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssemblerARM64::collectCPUFeatures):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::supportsDoubleToInt32ConversionUsingJavaScriptSemantics):
        (JSC::MacroAssemblerARM64::convertDoubleToInt32UsingJavaScriptSemantics):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendInstructionName):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToInt32):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * runtime/MathCommon.h:
        (JSC::toInt32):
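
        The double-to-int32 semantics that fjcvtzs implements in hardware (and
        that JSC::toInt32 provides in software) are those of the ECMAScript
        ToInt32 operation. The block below is an added illustration, not JSC
        code: a step-by-step JavaScript reference implementation of ToInt32,
        compared against the engine's own conversion (`x | 0`). The function
        names are chosen here for illustration.

```javascript
// Added example (not JSC code): reference implementation of ECMAScript
// ToInt32, the conversion fjcvtzs performs in a single instruction.
// Spec steps: https://tc39.github.io/ecma262/#sec-toint32
const TWO_32 = 2 ** 32;
const TWO_31 = 2 ** 31;

function toInt32(x) {
  // Steps 1-2: NaN, +0, -0, +Infinity and -Infinity all map to +0.
  if (!Number.isFinite(x)) return 0;
  // Step 3: truncate toward zero; a result of -0 is normalized to +0.
  const int = Math.trunc(x);
  if (int === 0) return 0;
  // Step 4: reduce modulo 2^32 into [0, 2^32). Every double with
  // |x| >= 2^53 is already an integer and `%` on doubles is exact,
  // so no precision is lost even for inputs such as 1e20.
  let int32bit = int % TWO_32;
  if (int32bit < 0) int32bit += TWO_32;
  // Step 5: values with the top bit set are reinterpreted as negative.
  return int32bit >= TWO_31 ? int32bit - TWO_32 : int32bit;
}

// Cross-check the reference implementation against the engine's ToInt32,
// which `x | 0` performs; Object.is distinguishes -0 from +0.
function agreesWithEngine(values) {
  return values.every((v) => Object.is(toInt32(v), v | 0));
}

// Constructed sample inputs covering the edge cases: fractions, -0,
// the int32 boundaries, multiples of 2^32, huge doubles, non-finite values.
const SAMPLES = [
  0, -0, 0.5, -0.5, 1.9, -1.9,
  2147483647.5, 2147483648, -2147483648, -2147483649,
  4294967295, 4294967296, 4294967297, -4294967297,
  1e20, -1e20, 2 ** 53 + 2, NaN, Infinity, -Infinity,
];
```

        The same wrap-around is what JITRightShiftGenerator relies on when a
        double operand must be coerced before the shift.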
307
308 2018-10-15  Saam Barati  <sbarati@apple.com>
309
310         JSArray::shiftCountWithArrayStorage is wrong when an array has holes
311         https://bugs.webkit.org/show_bug.cgi?id=190262
312         <rdar://problem/44986241>
313
314         Reviewed by Mark Lam.
315
316         We would take the fast path for shiftCountWithArrayStorage when the array
317         hasHoles(). However, the code for this was wrong. It'd incorrectly update
318         ArrayStorage::m_numValuesInVector. Since the hasHoles() for ArrayStorage
319         path is never taken in JetStream 2, this patch just removes that from
320         the fast path. Instead, we just fallback to the slow path when hasHoles().
321         If we find evidence that this matters for real use cases, we can
322         figure out a way to make the fast path work.
323
324         * runtime/JSArray.cpp:
325         (JSC::JSArray::shiftCountWithArrayStorage):
326
327 2018-10-15  Commit Queue  <commit-queue@webkit.org>
328
329         Unreviewed, rolling out r237054.
330         https://bugs.webkit.org/show_bug.cgi?id=190593
331
332         "this regressed JetStream 2 by 6% on iOS" (Requested by
333         saamyjoon on #webkit).
334
335         Reverted changeset:
336
337         "[JSC] JSC should have "parseFunction" to optimize Function
338         constructor"
339         https://bugs.webkit.org/show_bug.cgi?id=190340
340         https://trac.webkit.org/changeset/237054
341
342 2018-10-14  David Kilzer  <ddkilzer@apple.com>
343
344         REGRESSION (r237084): JavaScriptCore fails to build on Linux
345         <https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10949>
346
347         * llint/LLIntSettingsExtractor.cpp: Attempt to fix build by
348         including <stdio.h>.
349
350 2018-10-15  Alex Christensen  <achristensen@webkit.org>
351
352         Shrink more enum classes
353         https://bugs.webkit.org/show_bug.cgi?id=190540
354
355         Reviewed by Chris Dumez.
356
357         * runtime/ConsoleTypes.h:
358
359 2018-10-15  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
360
361         [JSC] Disable DOMJIT on 32bit architecture
362         https://bugs.webkit.org/show_bug.cgi?id=190387
363
364         Reviewed by Mark Lam.
365
366         We disable DOMJIT on 32bit architecture due to exhaustion of registers.
367
368         * runtime/Options.h:
369
370 2018-10-15  Alex Christensen  <achristensen@webkit.org>
371
372         Include EnumTraits.h less
373         https://bugs.webkit.org/show_bug.cgi?id=190535
374
375         Reviewed by Chris Dumez.
376
377         * runtime/ConsoleTypes.h:
378
379 2018-10-14  Mark Lam  <mark.lam@apple.com>
380
381         Gardening: Build fix after r237084.
382         https://bugs.webkit.org/show_bug.cgi?id=189708
383
384         Unreviewd.
385
386         * llint/LLIntOffsetsExtractor.cpp:
387
388 2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
389
390         [JSC] Remove Option::useAsyncIterator
391         https://bugs.webkit.org/show_bug.cgi?id=190567
392
393         Reviewed by Saam Barati.
394
395         Async iterator is enabled by default at 2017-08-09. It is already shipped in several releases,
396         and we can think that it is already mature. Let's drop the option `Option::useAsyncIterator`.
397
398         * Configurations/FeatureDefines.xcconfig:
399         * bytecompiler/BytecodeGenerator.cpp:
400         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
401         (JSC::BytecodeGenerator::emitNewFunction):
402         * parser/ASTBuilder.h:
403         (JSC::ASTBuilder::createFunctionMetadata):
404         * parser/Parser.cpp:
405         (JSC::Parser<LexerType>::parseForStatement):
406         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
407         (JSC::Parser<LexerType>::parseClass):
408         (JSC::Parser<LexerType>::parseProperty):
409         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
410         * runtime/Options.h:
411
412 2018-10-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
413
414         [JSC] Remove Options::useObjectRestSpread
415         https://bugs.webkit.org/show_bug.cgi?id=190568
416
417         Reviewed by Saam Barati.
418
419         Options::useObjectRestSpread is enabled by default at 2017-06-27. It is already shipped in several releases,
420         and we can think that it is mature. Let's drop Options::useObjectRestSpread() flag.
421
422         * parser/Parser.cpp:
423         (JSC::Parser<LexerType>::Parser):
424         (JSC::Parser<LexerType>::parseDestructuringPattern):
425         (JSC::Parser<LexerType>::parseProperty):
426         * parser/Parser.h:
427         * runtime/Options.h:
428
429 2018-10-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
430
431         [JSC] JSON.stringify can accept call-with-no-arguments
432         https://bugs.webkit.org/show_bug.cgi?id=190343
433
434         Reviewed by Mark Lam.
435
436         JSON.stringify can accept `JSON.stringify()` call (call-with-no-arguments) according to the spec[1].
437         Instead of throwing an error, we should take the first argument as `undefined` if it is not given.
438
439         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
440
441         * runtime/JSONObject.cpp:
442         (JSC::JSONProtoFuncStringify):
443
444 2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>
445
446         Gardening: Build fix after r237084.
447         https://bugs.webkit.org/show_bug.cgi?id=189708
448
449         Unreviewd.
450
451         * JavaScriptCore.xcodeproj/project.pbxproj:
452
453 2018-10-12  Tadeu Zagallo  <tzagallo@apple.com>
454
455         Separate configuration extraction from offset extraction
456         https://bugs.webkit.org/show_bug.cgi?id=189708
457
458         Reviewed by Keith Miller.
459
460         Instead of generating a file with all offsets for every combination of
461         configurations, we first generate a file with only the configuration
462         indices and pass that to the offset extractor. The offset extractor then
463         only generates the offsets for valid configurations
464
465         * CMakeLists.txt:
466         * JavaScriptCore.xcodeproj/project.pbxproj:
467         * llint/LLIntOffsetsExtractor.cpp:
468         (JSC::LLIntOffsetsExtractor::dummy):
469         * llint/LLIntSettingsExtractor.cpp: Added.
470         (main):
471         * offlineasm/generate_offset_extractor.rb:
472         * offlineasm/generate_settings_extractor.rb: Added.
473         * offlineasm/offsets.rb:
474         * offlineasm/settings.rb:
475
476 2018-10-12  Ryan Haddad  <ryanhaddad@apple.com>
477
478         Unreviewed, rolling out r237063.
479
480         Caused layout test fast/dom/Window/window-postmessage-clone-
481         deep-array.html to fail on macOS and iOS Debug bots.
482
483         Reverted changeset:
484
485         "[JSC] Remove gcc warnings on mips and armv7"
486         https://bugs.webkit.org/show_bug.cgi?id=188598
487         https://trac.webkit.org/changeset/237063
488
489 2018-10-11  Guillaume Emont  <guijemont@igalia.com>
490
491         [JSC] Remove gcc warnings on mips and armv7
492         https://bugs.webkit.org/show_bug.cgi?id=188598
493
494         Reviewed by Mark Lam.
495
496         Fix many gcc/clang warnings that are false positives, mostly alignment
497         issues.
498
499         * assembler/MacroAssemblerPrinter.cpp:
500         (JSC::Printer::printMemory):
501         Use bitwise_cast instead of reinterpret_cast.
502         * assembler/testmasm.cpp:
503         (JSC::floatOperands):
504         marked as potentially unused as it is not used on all platforms.
505         (JSC::testProbeModifiesStackValues):
506         modifiedFlags is not used on mips, so don't declare it.
507         * bytecode/CodeBlock.h:
508         Make ScriptExecutable::prepareForExecution() return an
509         std::optional<Exception*> instead of a JSObject*.
510         * interpreter/Interpreter.cpp:
511         (JSC::Interpreter::executeProgram):
512         (JSC::Interpreter::executeCall):
513         (JSC::Interpreter::executeConstruct):
514         (JSC::Interpreter::prepareForRepeatCall):
515         (JSC::Interpreter::execute):
516         (JSC::Interpreter::executeModuleProgram):
517         Update calling code for the prototype change of
518         ScriptExecutable::prepareForExecution().
519         * jit/JITOperations.cpp: Same as for Interpreter.cpp.
520         * llint/LLIntSlowPaths.cpp:
521         (JSC::LLInt::setUpCall): Same as for Interpreter.cpp.
522         * runtime/JSBigInt.cpp:
523         (JSC::JSBigInt::dataStorage):
524         Use bitwise_cast instead of reinterpret_cast.
525         * runtime/ScriptExecutable.cpp:
526         * runtime/ScriptExecutable.h:
527         Make ScriptExecutable::prepareForExecution() return an
528         std::optional<Exception*> instead of a JSObject*.
529         * tools/JSDollarVM.cpp:
530         (JSC::codeBlockFromArg): Use bitwise_cast instead of reinterpret_cast.
531
532 2018-10-11  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
533
534         Use currentStackPointer more
535         https://bugs.webkit.org/show_bug.cgi?id=190503
536
537         Reviewed by Saam Barati.
538
539         * runtime/VM.cpp:
540         (JSC::VM::committedStackByteCount):
541
542 2018-10-08  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
543
544         [JSC] JSC should have "parseFunction" to optimize Function constructor
545         https://bugs.webkit.org/show_bug.cgi?id=190340
546
547         Reviewed by Mark Lam.
548
549         The current Function constructor is suboptimal. We parse the piece of the same code three times to meet
550         the spec requirement. (1) check parameters syntax, (2) check body syntax, and (3) parse the entire function.
551         And to parse 1-3 correctly, we create two strings, the parameters and the entire function. This operation
552         is really costly and ideally we should meet the above requirement by the one time parsing.
553
554         To meet the above requirement, we add a special function for Parser, parseSingleFunction. This function
555         takes `std::optional<int> functionConstructorParametersEndPosition` and check this end position is correct in the parser.
556         For example, if we run the code,
557
558             Function('/*', '*/){')
559
560         According to the spec, this should produce '/*' parameter string and '*/){' body string. And parameter
561         string should be syntax-checked by the parser, and raise the error since it is incorrect. Instead of doing
562         that, in our implementation, we first create the entire string.
563
564             function anonymous(/*) {
565                 */){
566             }
567
568         And we parse it. At that time, we also pass the end position of the parameters to the parser. In the above case,
569         the position of the `function anonymous(/*)' <> is passed. And in the parser, we check that the last token
570         offset of the parameters is the given end position. This check allows us to raise the error correctly to the
571         above example while we parse the entire function only once. And we do not need to create two strings too.
572
573         This improves the performance of the Function constructor significantly. And web-tooling-benchmark/uglify-js is
574         significantly sped up (28.2%).
575
576         Before:
577             uglify-js:  2.94 runs/s
578         After:
579             uglify-js:  3.77 runs/s
580
581         * bytecode/UnlinkedFunctionExecutable.cpp:
582         (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
583         * bytecode/UnlinkedFunctionExecutable.h:
584         * parser/Parser.cpp:
585         (JSC::Parser<LexerType>::parseInner):
586         (JSC::Parser<LexerType>::parseSingleFunction):
587         (JSC::Parser<LexerType>::parseFunctionInfo):
588         (JSC::Parser<LexerType>::parseFunctionDeclaration):
589         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
590         (JSC::Parser<LexerType>::parseClass):
591         (JSC::Parser<LexerType>::parsePropertyMethod):
592         (JSC::Parser<LexerType>::parseGetterSetter):
593         (JSC::Parser<LexerType>::parseFunctionExpression):
594         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
595         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
596         * parser/Parser.h:
597         (JSC::Parser<LexerType>::parse):
598         (JSC::parse):
599         (JSC::parseFunctionForFunctionConstructor):
600         * parser/ParserModes.h:
601         * parser/ParserTokens.h:
602         (JSC::JSTextPosition::JSTextPosition):
603         (JSC::JSTokenLocation::JSTokenLocation): Deleted.
604         * parser/SourceCodeKey.h:
605         (JSC::SourceCodeKey::SourceCodeKey):
606         (JSC::SourceCodeKey::operator== const):
607         * runtime/CodeCache.cpp:
608         (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
609         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
610         * runtime/CodeCache.h:
611         * runtime/FunctionConstructor.cpp:
612         (JSC::constructFunctionSkippingEvalEnabledCheck):
613         * runtime/FunctionExecutable.cpp:
614         (JSC::FunctionExecutable::fromGlobalCode):
615         * runtime/FunctionExecutable.h:
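
        The `Function('/*', '*/){')` case above shows why the parameter string
        must be validated on its own: pasting the two strings into one source
        text and parsing once lets a comment opened in the parameter list be
        closed from the body, so the engine sees a different function than the
        caller supplied. The block below is an added example, not WebKit code:
        `naiveFunction` reproduces the single-parse mistake, `checkedFunction`
        applies the spec-style separate syntax checks (the pre-patch "three
        parses"), and both are compared with the native `Function`. The helper
        names are chosen here for illustration.

```javascript
// Added example (not WebKit code). Demonstrates, with the ChangeLog's own
// input, why CreateDynamicFunction must reject a parameter string that is
// not a valid FormalParameters production by itself.
// Spec: https://tc39.github.io/ecma262/#sec-createdynamicfunction
const indirectEval = (0, eval); // global-scope eval; sees no local bindings

// Naive single parse: concatenate and parse once. With params "/*" and body
// "*/){", the comment swallows the ") {" glue and the body's "*/" closes it,
// so the engine silently compiles `function anonymous(){}`.
function naiveFunction(params, body) {
  return indirectEval(`(function anonymous(${params}\n) {\n${body}\n})`);
}

// Spec-style approach: syntax-check the parameter list and the body in
// isolation, then parse the assembled function. Each check throws a
// SyntaxError for the malicious pair above ("/*" is an unterminated
// comment; "*/){" cannot start a statement).
function checkedFunction(params, body) {
  indirectEval(`(function (${params}\n) {})`);
  indirectEval(`(function () {\n${body}\n})`);
  return naiveFunction(params, body);
}

// Classify what a Function-like constructor does with a (params, body) pair.
function outcome(ctor, params, body) {
  try {
    const fn = ctor(params, body);
    return typeof fn === 'function' ? 'accepted' : 'other';
  } catch (e) {
    return e instanceof SyntaxError ? 'SyntaxError' : 'other';
  }
}

// Constructed inputs: the pair from the ChangeLog and a benign pair.
const MALICIOUS = { params: '/*', body: '*/){' };
const BENIGN = { params: 'a, b', body: 'return a + b' };

// Summary table the caller can inspect: only the naive path accepts the
// malicious pair; the checked path and the native constructor reject it.
function compare() {
  return {
    naive: outcome(naiveFunction, MALICIOUS.params, MALICIOUS.body),
    checked: outcome(checkedFunction, MALICIOUS.params, MALICIOUS.body),
    native: outcome(Function, MALICIOUS.params, MALICIOUS.body),
  };
}
```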
616
617 2018-10-11  Ross Kirsling  <ross.kirsling@sony.com>
618
619         Fix non-existent define `CPU(JSVALUE64)`
620         https://bugs.webkit.org/show_bug.cgi?id=190479
621
622         Reviewed by Yusuke Suzuki.
623
624         * jit/CCallHelpers.h:
625         (JSC::CCallHelpers::setupArgumentsImpl):
626         Correct CPU(JSVALUE64) to USE(JSVALUE64).
627
628 2018-10-11  Keith Rollin  <krollin@apple.com>
629
630         CURRENT_ARCH should not be used in Run Script phase.
631         https://bugs.webkit.org/show_bug.cgi?id=190407
632         <rdar://problem/45133556>
633
634         Reviewed by Alexey Proskuryakov.
635
636         CURRENT_ARCH is used in a number of Xcode Run Script phases. However,
637         CURRENT_ARCH is not well-defined during this phase (and may even have
638         the value "undefined") since this phase is run just once per build
639         rather than once per supported architecture. Migrate away from
640         CURRENT_ARCH in favor of ARCHS, either by iterating over ARCHS and
641         performing an operation for each value, or by picking the first entry
642         in ARCHS and using that as a representative value.
643
644         * JavaScriptCore.xcodeproj/project.pbxproj: Store
645         LLIntDesiredOffsets.h into a directory with a name based on ARCHS
646         rather than CURRENT_ARCH.
647
648 2018-10-10  Mark Lam  <mark.lam@apple.com>
649
650         Changes towards allowing use of the ASAN detect_stack_use_after_return option.
651         https://bugs.webkit.org/show_bug.cgi?id=190405
652         <rdar://problem/45131464>
653
654         Reviewed by Michael Saboff.
655
656         The ASAN detect_stack_use_after_return option checks for use of stack variables
657         after they have been freed.  It does this by allocating relevant stack variables
658         in heap memory (instead of on the stack) if the code ever takes the address of
659         those stack variables.  Unfortunately, this is a common idiom that we use to
660         compute the approximate stack pointer value.  As a result, on such ASAN runs, the
661         computed approximate stack pointer value will point into the heap instead of the
662         stack.  This breaks the VM's expectations and wreaks havoc.
663
664         To fix this, we use the newly introduced WTF::currentStackPointer() instead of
665         taking the address of stack variables.
666
667         We also need to enhance ExceptionScopes to be able to work with ASAN
668         detect_stack_use_after_return which will allocated the scope in the heap.  We
669         work around this by passing the current stack pointer of the instantiating calling
670         frame into the scope constructor, and using that for the position check in
671         ~ThrowScope() instead.
672
673         The above is only a start towards enabling ASAN detect_stack_use_after_return on
674         the VM.  There are still other issues to be resolved before we can run with this
675         ASAN option.
676
677         * runtime/CatchScope.h:
678         * runtime/ExceptionEventLocation.h:
679         (JSC::ExceptionEventLocation::ExceptionEventLocation):
680         * runtime/ExceptionScope.h:
681         (JSC::ExceptionScope::stackPosition const):
682         * runtime/JSLock.cpp:
683         (JSC::JSLock::didAcquireLock):
684         * runtime/ThrowScope.cpp:
685         (JSC::ThrowScope::~ThrowScope):
686         * runtime/ThrowScope.h:
687         * runtime/VM.h:
688         (JSC::VM::needExceptionCheck const):
689         (JSC::VM::isSafeToRecurse const):
690         * wasm/js/WebAssemblyFunction.cpp:
691         (JSC::callWebAssemblyFunction):
692         * yarr/YarrPattern.cpp:
693         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
694
695 2018-10-10  Devin Rousso  <drousso@apple.com>
696
697         Web Inspector: create special Network waterfall for media events
698         https://bugs.webkit.org/show_bug.cgi?id=189773
699         <rdar://problem/44626605>
700
701         Reviewed by Joseph Pecoraro.
702
703         * inspector/protocol/DOM.json:
704         Add `didFireEvent` event that is fired when specific event listeners added by
705         `InspectorInstrumentation::addEventListenersToNode` are fired.
706
707 2018-10-10  Michael Saboff  <msaboff@apple.com>
708
709         Increase executable memory pool from 64MB to 128MB for ARM64
710         https://bugs.webkit.org/show_bug.cgi?id=190453
711
712         Reviewed by Saam Barati.
713
714         * jit/ExecutableAllocator.cpp:
715
716 2018-10-10  Devin Rousso  <drousso@apple.com>
717
718         Web Inspector: notify the frontend when a canvas has started recording via console.record
719         https://bugs.webkit.org/show_bug.cgi?id=190306
720
721         Reviewed by Brian Burg.
722
723         * inspector/protocol/Canvas.json:
724         Add `recordingStarted` event.
725
726         * inspector/protocol/Recording.json:
727         Add `Initiator` enum for determining who started the recording.
728
729 2018-10-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
730
731         [JSC] Rename createXXX to tryCreateXXX if it can return RefPtr
732         https://bugs.webkit.org/show_bug.cgi?id=190429
733
734         Reviewed by Saam Barati.
735
736         Some createXXX functions can fail. But sometimes the caller does not perform error checking.
737         To make it explicit that these functions can fail, we rename these functions from createXXX
738         to tryCreateXXX. In this patch, we focus on non-JS-managed factory functions. If the factory
739         function does not fail, it should return Ref<>. Otherwise, it should be named as tryCreateXXX
740         and it should return RefPtr<>.
741
742         This patch mainly focuses on TypedArray factory functions. Previously, these functions are
743         `RefPtr<XXXArray> create(...)`. This patch changes them to `RefPtr<XXXArray> tryCreate(...)`.
744         And we also introduce `Ref<XXXArray> create(...)` function which internally performs
745         RELEASE_ASSERT on the result of `tryCreate(...)`.
746
747         And we also convert OpaqueJSString::create to OpaqueJSString::tryCreate since it can fail.
748
749         This change actually finds one place which does not perform any null checks while it uses
750         `RefPtr<> create(...)` function.
751
752         * API/JSCallbackObjectFunctions.h:
753         (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
754         (JSC::JSCallbackObject<Parent>::put):
755         (JSC::JSCallbackObject<Parent>::putByIndex):
756         (JSC::JSCallbackObject<Parent>::deleteProperty):
757         (JSC::JSCallbackObject<Parent>::callbackGetter):
758         * API/JSClassRef.h:
759         (StaticValueEntry::StaticValueEntry):
760         * API/JSContext.mm:
761         (-[JSContext evaluateScript:withSourceURL:]):
762         (-[JSContext setName:]):
763         * API/JSContextRef.cpp:
764         (JSGlobalContextCopyName):
765         (JSContextCreateBacktrace):
766         * API/JSObjectRef.cpp:
767         (JSObjectCopyPropertyNames):
768         * API/JSScriptRef.cpp:
769         * API/JSStringRef.cpp:
770         (JSStringCreateWithCharactersNoCopy):
771         * API/JSValue.mm:
772         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
773         (+[JSValue valueWithNewErrorFromMessage:inContext:]):
774         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
775         (performPropertyOperation):
776         (-[JSValue invokeMethod:withArguments:]):
777         (containerValueToObject):
778         (objectToValueWithoutCopy):
779         (objectToValue):
780         * API/JSValueRef.cpp:
781         (JSValueCreateJSONString):
782         (JSValueToStringCopy):
783         * API/OpaqueJSString.cpp:
784         (OpaqueJSString::tryCreate):
785         (OpaqueJSString::create): Deleted.
786         * API/OpaqueJSString.h:
787         * API/glib/JSCContext.cpp:
788         (evaluateScriptInContext):
789         * API/glib/JSCValue.cpp:
790         (jsc_value_new_string_from_bytes):
791         * ftl/FTLLazySlowPath.h:
792         (JSC::FTL::LazySlowPath::createGenerator):
793         * ftl/FTLLazySlowPathCall.h:
794         (JSC::FTL::createLazyCallGenerator):
795         * ftl/FTLOSRExit.cpp:
796         (JSC::FTL::OSRExitDescriptor::emitOSRExit):
797         (JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
798         (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
799         * ftl/FTLOSRExit.h:
800         * ftl/FTLPatchpointExceptionHandle.cpp:
801         (JSC::FTL::PatchpointExceptionHandle::create):
802         (JSC::FTL::PatchpointExceptionHandle::createHandle):
803         * ftl/FTLPatchpointExceptionHandle.h:
804         * heap/EdenGCActivityCallback.h:
805         (JSC::GCActivityCallback::tryCreateEdenTimer):
806         (JSC::GCActivityCallback::createEdenTimer): Deleted.
807         * heap/FullGCActivityCallback.h:
808         (JSC::GCActivityCallback::tryCreateFullTimer):
809         (JSC::GCActivityCallback::createFullTimer): Deleted.
810         * heap/GCActivityCallback.h:
811         * heap/Heap.cpp:
812         (JSC::Heap::Heap):
813         * inspector/AsyncStackTrace.cpp:
814         (Inspector::AsyncStackTrace::create):
815         * inspector/AsyncStackTrace.h:
816         * jsc.cpp:
817         (fillBufferWithContentsOfFile):
818         * runtime/ArrayBuffer.h:
819         * runtime/GenericTypedArrayView.h:
820         * runtime/GenericTypedArrayViewInlines.h:
821         (JSC::GenericTypedArrayView<Adaptor>::create):
822         (JSC::GenericTypedArrayView<Adaptor>::tryCreate):
823         (JSC::GenericTypedArrayView<Adaptor>::createUninitialized):
824         (JSC::GenericTypedArrayView<Adaptor>::tryCreateUninitialized):
825         (JSC::GenericTypedArrayView<Adaptor>::subarray const):
826         * runtime/JSArrayBufferView.cpp:
827         (JSC::JSArrayBufferView::possiblySharedImpl):
828         * runtime/JSGenericTypedArrayViewInlines.h:
829         (JSC::JSGenericTypedArrayView<Adaptor>::possiblySharedTypedImpl):
830         (JSC::JSGenericTypedArrayView<Adaptor>::unsharedTypedImpl):
831         * wasm/WasmMemory.cpp:
832         (JSC::Wasm::Memory::create):
833         (JSC::Wasm::Memory::tryCreate):
834         * wasm/WasmMemory.h:
835         * wasm/WasmTable.cpp:
836         (JSC::Wasm::Table::tryCreate):
837         (JSC::Wasm::Table::create): Deleted.
838         * wasm/WasmTable.h:
839         * wasm/js/JSWebAssemblyInstance.cpp:
840         (JSC::JSWebAssemblyInstance::create):
841         * wasm/js/JSWebAssemblyMemory.cpp:
842         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
843         * wasm/js/WebAssemblyMemoryConstructor.cpp:
844         (JSC::constructJSWebAssemblyMemory):
845         * wasm/js/WebAssemblyModuleRecord.cpp:
846         (JSC::WebAssemblyModuleRecord::link):
847         * wasm/js/WebAssemblyTableConstructor.cpp:
848         (JSC::constructJSWebAssemblyTable):
849
850 2018-10-09  Devin Rousso  <drousso@apple.com>
851
852         Web Inspector: show redirect requests in Network and Timelines tabs
853         https://bugs.webkit.org/show_bug.cgi?id=150005
854         <rdar://problem/5378164>
855
856         Reviewed by Joseph Pecoraro.
857
858         * inspector/protocol/Network.json:
859         Add missing fields to `ResourceTiming`.
860
861 2018-10-09  Claudio Saavedra  <csaavedra@igalia.com>
862
863         [WPE] Explicitly link against gmodule where used
864         https://bugs.webkit.org/show_bug.cgi?id=190398
865
866         Reviewed by Michael Catanzaro.
867
868         * PlatformWPE.cmake:
869
870 2018-10-08  Justin Fan  <justin_fan@apple.com>
871
872         WebGPU: Rename old WebGPU prototype to WebMetal
873         https://bugs.webkit.org/show_bug.cgi?id=190325
874         <rdar://problem/44990443>
875
876         Reviewed by Dean Jackson.
877
878         Rename WebGPU prototype files to WebMetal in preparation for implementing the new (Oct 2018) WebGPU interface.
879
880         * Configurations/FeatureDefines.xcconfig:
881         * inspector/protocol/Canvas.json:
882         * inspector/scripts/codegen/generator.py:
883
884 2018-10-08  Aditya Keerthi  <akeerthi@apple.com>
885
886         Make <input type=color> a runtime enabled (on-by-default) feature
887         https://bugs.webkit.org/show_bug.cgi?id=189162
888
889         Reviewed by Wenson Hsieh and Tim Horton.
890
891         * Configurations/FeatureDefines.xcconfig:
892
893 2018-10-08  Devin Rousso  <drousso@apple.com>
894
895         Web Inspector: group media network entries by the node that triggered the request
896         https://bugs.webkit.org/show_bug.cgi?id=189606
897         <rdar://problem/44438527>
898
899         Reviewed by Brian Burg.
900
901         * inspector/protocol/Network.json:
902         Add an optional `nodeId` field to the `Initiator` object that is set if it is possible to
903         determine which ancestor node triggered the load. It may not correspond directly to the node
904         with the href/src, as that url may only be used by an ancestor for loading.
905
906 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
907
908         [JSC][Linux] Use non-truncated name for JIT workers in Linux
909         https://bugs.webkit.org/show_bug.cgi?id=190339
910
911         Reviewed by Mark Lam.
912
913         The current thread names are meaningless in a Linux environment. We do not want to
914         have a truncated name in Linux: we want to have a clear name in Linux. Instead, we
915         should have the name for Linux separately from the name used in the non-Linux
916         environments. This patch adds FTLWorker, DFGWorker, and JITWorker names for
917         the Linux environment.
918
919         * dfg/DFGWorklist.cpp:
920         (JSC::DFG::createWorklistName):
921         (JSC::DFG::Worklist::Worklist):
922         (JSC::DFG::Worklist::create):
923         (JSC::DFG::ensureGlobalDFGWorklist):
924         (JSC::DFG::ensureGlobalFTLWorklist):
925         * dfg/DFGWorklist.h:
926         * jit/JITWorklist.cpp:
927
928 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
929
930         Name Heap threads
931         https://bugs.webkit.org/show_bug.cgi?id=190337
932
933         Reviewed by Mark Lam.
934
935         Name heap threads as "Heap Helper Thread". In Linux, we name it "HeapHelper" since
936         Linux does not accept a name longer than 15. We do not want to use the short name
937         for non-Linux environments. And we want to have a clear name in Linux: a truncated name
938         is not good. So, having the two names is the only way.
939
940         * heap/HeapHelperPool.cpp:
941         (JSC::heapHelperPool):
942
943 2018-10-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
944
945         [JSC] Avoid creating ProgramExecutable in checkSyntax
946         https://bugs.webkit.org/show_bug.cgi?id=190332
947
948         Reviewed by Mark Lam.
949
950         uglify-js in web-tooling-benchmark executes a massive number of Function constructor calls.
951         In Function constructor code, we perform checkSyntax for body and parameters. So fast checkSyntax
952         is important when the performance of Function constructor matters. Current checkSyntax code
953         unnecessarily allocates ProgramExecutable. This patch removes this allocation and improves
954         the benchmark score slightly.
955
956         Before:
957             uglify-js:  2.87 runs/s
958         After:
959             uglify-js:  2.94 runs/s
960
961         * runtime/Completion.cpp:
962         (JSC::checkSyntaxInternal):
963         (JSC::checkSyntax):
964         * runtime/ProgramExecutable.cpp:
965         (JSC::ProgramExecutable::checkSyntax): Deleted.
966         * runtime/ProgramExecutable.h:
967
968 2018-10-06  Caio Lima  <ticaiolima@gmail.com>
969
970         [ESNext][BigInt] Implement support for "|"
971         https://bugs.webkit.org/show_bug.cgi?id=186229
972
973         Reviewed by Yusuke Suzuki.
974
975         This patch is introducing support for BigInt into the bitwise "or" operator.
976         In addition, we are also introducing 2 new DFG nodes, named "ArithBitOr" and
977         "ValueBitOr", to replace "BitOr" node. The idea is to follow the
978         difference that we make on Arith<op> and Value<op>, where ArithBitOr
979         handles cases when the operands are Int32 and ValueBitOr handles
980         the remaining cases.
981
982         We are also changing op_bitor to use ValueProfile. We are using
983         ValueProfile during DFG generation to emit "ArithBitOr" when
984         outcome prediction is Int32.
985
986         * bytecode/CodeBlock.cpp:
987         (JSC::CodeBlock::finishCreation):
988         (JSC::CodeBlock::arithProfileForPC):
989         * bytecompiler/BytecodeGenerator.cpp:
990         (JSC::BytecodeGenerator::emitBinaryOp):
991         * dfg/DFGAbstractInterpreterInlines.h:
992         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
993         * dfg/DFGBackwardsPropagationPhase.cpp:
994         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
995         (JSC::DFG::BackwardsPropagationPhase::propagate):
996         * dfg/DFGByteCodeParser.cpp:
997         (JSC::DFG::ByteCodeParser::parseBlock):
998         * dfg/DFGClobberize.h:
999         (JSC::DFG::clobberize):
1000         * dfg/DFGDoesGC.cpp:
1001         (JSC::DFG::doesGC):
1002         * dfg/DFGFixupPhase.cpp:
1003         (JSC::DFG::FixupPhase::fixupNode):
1004         * dfg/DFGNodeType.h:
1005         * dfg/DFGOperations.cpp:
1006         (JSC::DFG::bitwiseOp):
1007         * dfg/DFGOperations.h:
1008         * dfg/DFGPredictionPropagationPhase.cpp:
1009         * dfg/DFGSafeToExecute.h:
1010         (JSC::DFG::safeToExecute):
1011         * dfg/DFGSpeculativeJIT.cpp:
1012         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1013         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1014         * dfg/DFGSpeculativeJIT.h:
1015         (JSC::DFG::SpeculativeJIT::bitOp):
1016         * dfg/DFGSpeculativeJIT32_64.cpp:
1017         (JSC::DFG::SpeculativeJIT::compile):
1018         * dfg/DFGSpeculativeJIT64.cpp:
1019         (JSC::DFG::SpeculativeJIT::compile):
1020         * dfg/DFGStrengthReductionPhase.cpp:
1021         (JSC::DFG::StrengthReductionPhase::handleNode):
1022         * ftl/FTLCapabilities.cpp:
1023         (JSC::FTL::canCompile):
1024         * ftl/FTLLowerDFGToB3.cpp:
1025         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1026         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
1027         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitOr):
1028         (JSC::FTL::DFG::LowerDFGToB3::compileBitOr): Deleted.
1029         * jit/JITArithmetic.cpp:
1030         (JSC::JIT::emit_op_bitor):
1031         * llint/LowLevelInterpreter32_64.asm:
1032         * llint/LowLevelInterpreter64.asm:
1033         * runtime/CommonSlowPaths.cpp:
1034         (JSC::SLOW_PATH_DECL):
1035         * runtime/JSBigInt.cpp:
1036         (JSC::JSBigInt::bitwiseAnd):
1037         (JSC::JSBigInt::bitwiseOr):
1038         (JSC::JSBigInt::absoluteBitwiseOp):
1039         (JSC::JSBigInt::absoluteAddOne):
1040         * runtime/JSBigInt.h:
1041
1042 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1043
1044         [JSC] Use new extra memory reporting in SparseArrayMap
1045         https://bugs.webkit.org/show_bug.cgi?id=190278
1046
1047         Reviewed by Keith Miller.
1048
1049         This patch switches the extra memory reporting mechanism from deprecatedReportExtraMemory
1050         to reportExtraMemoryAllocated & reportExtraMemoryVisited in SparseArrayMap.
1051
1052         * runtime/SparseArrayValueMap.cpp:
1053         (JSC::SparseArrayValueMap::add):
1054         (JSC::SparseArrayValueMap::visitChildren):
1055
1056 2018-10-05  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1057
1058         [JSC][Linux] Support Perf JITDump logging
1059         https://bugs.webkit.org/show_bug.cgi?id=189893
1060
1061         Reviewed by Mark Lam.
1062
1063         This patch adds Linux `perf` command's JIT Dump support. It allows JSC to tell perf about JIT code information.
1064         We add a command line option, `--logJITCodeForPerf`, which dumps `jit-%pid.dump` in the current directory.
1065         By using this dump and perf.data output, we can annotate JIT code with profiling information.
1066
1067             $ echo "(function f() { var s = 0; for (var i = 0; i < 1000000000; i++) { s += i; } return s; })();" > test.js
1068             $ perf record -k mono ../../WebKitBuild/perf/Release/bin/jsc test.js --logJITCodeForPerf=true
1069             [ perf record: Woken up 1 times to write data ]
1070             [ perf record: Captured and wrote 0.182 MB perf.data (4346 samples) ]
1071             $ perf inject --jit -i perf.data -o perf.jit.data
1072             $ perf report -i perf.jit.data
1073
1074         * Sources.txt:
1075         * assembler/LinkBuffer.cpp:
1076         (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
1077         * assembler/LinkBuffer.h:
1078         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
1079         * assembler/PerfLog.cpp: Added.
1080         (JSC::PerfLog::singleton):
1081         (JSC::generateTimestamp):
1082         (JSC::getCurrentThreadID):
1083         (JSC::PerfLog::PerfLog):
1084         (JSC::PerfLog::write):
1085         (JSC::PerfLog::flush):
1086         (JSC::PerfLog::log):
1087         * assembler/PerfLog.h: Added.
1088         * jit/ExecutableAllocator.cpp:
1089         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1090         * runtime/Options.cpp:
1091         (JSC::Options::isAvailable):
1092         * runtime/Options.h:
1093
1094 2018-10-05  Mark Lam  <mark.lam@apple.com>
1095
1096         Gardening: Build fix after r236880.
1097         https://bugs.webkit.org/show_bug.cgi?id=190317
1098
1099         Unreviewed.
1100
1101         * jit/ExecutableAllocator.h:
1102
1103 2018-10-05  Mark Lam  <mark.lam@apple.com>
1104
1105         performJITMemcpy() should handle the case when the executable allocator is not initialized yet.
1106         https://bugs.webkit.org/show_bug.cgi?id=190317
1107         <rdar://problem/45039398>
1108
1109         Reviewed by Saam Barati.
1110
1111         When SeparatedWXHeaps is in use, jitWriteThunkGenerator() will call performJITMemcpy()
1112         to copy memory before the JIT fixed memory pool is initialized.  Before r236864,
1113         performJITMemcpy() would just do a memcpy in that case.  We need to restore the
1114         equivalent behavior.
1115
1116         * jit/ExecutableAllocator.cpp:
1117         (JSC::isJITPC):
1118         * jit/ExecutableAllocator.h:
1119         (JSC::performJITMemcpy):
1120
1121 2018-10-05  Carlos Eduardo Ramalho  <cadubentzen@gmail.com>
1122
1123         [WPE][JSC] Use Unified Sources for Platform-specific sources
1124         https://bugs.webkit.org/show_bug.cgi?id=190300
1125
1126         Reviewed by Yusuke Suzuki.
1127
1128         Currently the GTK port already uses Unified Sources with the same source files.
1129         As WPE has conditional code using gmodule, we need to add GLIB_GMODULE_LIBRARIES
1130         to the list of libraries to link with.
1131
1132         * PlatformWPE.cmake:
1133         * SourcesWPE.txt: Added.
1134         * shell/PlatformWPE.cmake:
1135
1136 2018-10-05  Mike Gorse  <mgorse@alum.wpi.edu>
1137
1138         [GTK] build fails with python 3 if LANG and LC_TYPE are unset
1139         https://bugs.webkit.org/show_bug.cgi?id=190258
1140
1141         Reviewed by Konstantin Tokarev.
1142
1143         * Scripts/cssmin.py: Set stdout to UTF-8 on python 3.
1144         * Scripts/generateIntlCanonicalizeLanguage.py: Open files with
1145           encoding=UTF-8 on Python 3.
1146         * yarr/generateYarrCanonicalizeUnicode: Ditto.
1147         * yarr/generateYarrUnicodePropertyTables.py: Ditto.
1148
1149 2018-10-04  Mark Lam  <mark.lam@apple.com>
1150
1151         Move start/EndOfFixedExecutableMemoryPool pointers into the FixedVMPoolExecutableAllocator object.
1152         https://bugs.webkit.org/show_bug.cgi?id=190295
1153         <rdar://problem/19197193>
1154
1155         Reviewed by Saam Barati.
1156
1157         This allows us to use the tagging logic already baked into MacroAssemblerCodePtr
1158         instead of needing to use our own custom version here.
1159
1160         * jit/ExecutableAllocator.cpp:
1161         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
1162         (JSC::FixedVMPoolExecutableAllocator::memoryStart):
1163         (JSC::FixedVMPoolExecutableAllocator::memoryEnd):
1164         (JSC::FixedVMPoolExecutableAllocator::isJITPC):
1165         (JSC::ExecutableAllocator::allocate):
1166         (JSC::startOfFixedExecutableMemoryPoolImpl):
1167         (JSC::endOfFixedExecutableMemoryPoolImpl):
1168         (JSC::isJITPC):
1169         * jit/ExecutableAllocator.h:
1170
1171 2018-10-04  Mark Lam  <mark.lam@apple.com>
1172
1173         Disable Options::useWebAssemblyFastMemory() on linux if ASAN signal handling is not disabled.
1174         https://bugs.webkit.org/show_bug.cgi?id=190283
1175         <rdar://problem/45015752>
1176
1177         Reviewed by Keith Miller.
1178
1179         * runtime/Options.cpp:
1180         (JSC::Options::initialize):
1181         * wasm/WasmFaultSignalHandler.cpp:
1182         (JSC::Wasm::enableFastMemory):
1183
1184 2018-10-03  Ross Kirsling  <ross.kirsling@sony.com>
1185
1186         [JSC] print() changes CRLF to CRCRLF on Windows
1187         https://bugs.webkit.org/show_bug.cgi?id=190228
1188
1189         Reviewed by Mark Lam.
1190
1191         * jsc.cpp:
1192         (main):
1193         Ultimately, this is just the normal behavior of printf in text mode on Windows.
1194         Since we're reading in files as binary, we need to be printing out as binary too
1195         (just as we do in DumpRenderTree and ImageDiff.)
1196
1197 2018-10-03  Saam barati  <sbarati@apple.com>
1198
1199         lowXYZ in FTLLower should always filter the type of the incoming edge
1200         https://bugs.webkit.org/show_bug.cgi?id=189939
1201         <rdar://problem/44407030>
1202
1203         Reviewed by Michael Saboff.
1204
1205         For example, the FTL may know more about data flow than AI in certain programs,
1206         and it needs to inform AI of these data flow properties to appease the assertion
1207         we have in AI that a node must perform type checks on its child nodes.
1208         
1209         For example, consider this program:
1210         
1211         ```
1212         bb#1
1213         a: Phi // Let's say it has an Int32 result, so it goes into the int32 hash table in FTLLower
1214         Branch(...,  #2, #3)
1215         
1216         bb#2
1217         ArrayifyToStructure(Cell:@a) // This modifies @a to have its previous type unioned with the type of some structure set.
1218         Jump(#3)
1219         
1220         bb#3
1221         c: Add(Int32:@something, Int32:@a)
1222         ```
1223         
1224         When the Add node does lowInt32() for @a, FTL lower used to just grab it
1225         from the int32 hash table without filtering the AbstractValue. However,
1226         the parent node is asking for a type check to happen, so we must inform
1227         AI of this "type check" if we want to appease the assertion that all nodes
1228         perform type checks for their edges that semantically perform type checks.
1229         This patch makes it so we filter the AbstractValue in the lowXYZ even
1230         if FTLLower proved the value must be XYZ.
1231
1232         * ftl/FTLLowerDFGToB3.cpp:
1233         (JSC::FTL::DFG::LowerDFGToB3::compilePhi):
1234         (JSC::FTL::DFG::LowerDFGToB3::simulatedTypeCheck):
1235         (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
1236         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
1237         (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
1238
1239 2018-10-03  Michael Saboff  <msaboff@apple.com>
1240
1241         Command line jsc should report memory footprint in bytes
1242         https://bugs.webkit.org/show_bug.cgi?id=190267
1243
1244         Reviewed by Mark Lam.
1245
1246         Change to leave the footprint values from the system unmodified.
1247
1248         * jsc.cpp:
1249         (JSCMemoryFootprint::finishCreation):
1250
1251 2018-10-03  Mark Lam  <mark.lam@apple.com>
1252
1253         Suppress unreachable code warning for LLIntAssembly.h code.
1254         https://bugs.webkit.org/show_bug.cgi?id=190263
1255         <rdar://problem/44986532>
1256
1257         Reviewed by Saam Barati.
1258
1259         This is needed because LLIntAssembly.h is template generated from LowLevelInterpreter
1260         asm files, and may contain dead code which is harmless, but will trip up the warning.
1261         We should suppress the warning so that it doesn't break builds.
1262
1263         * llint/LowLevelInterpreter.cpp:
1264         (JSC::CLoop::execute):
1265
1266 2018-10-03  Dan Bernstein  <mitz@apple.com>
1267
1268         JavaScriptCore part of [Xcode] Update some build settings as recommended by Xcode 10
1269         https://bugs.webkit.org/show_bug.cgi?id=190250
1270
1271         Reviewed by Alex Christensen.
1272
1273         * API/tests/Regress141275.mm:
1274         (-[JSTEvaluator _sourcePerform]): Addressed newly-enabled CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF
1275           by making the self-retaining explicit.
1276
1277         * API/tests/testapi.cpp:
1278         (testCAPIViaCpp): Addressed newly-enabled CLANG_WARN_UNREACHABLE_CODE by breaking out of the
1279           loop instead of returning from the lambda.
1280
1281         * Configurations/Base.xcconfig: Enabled CLANG_WARN_COMMA, CLANG_WARN_UNREACHABLE_CODE,
1282           CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS, CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF, and
1283           CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED.
1284
1285         * JavaScriptCore.xcodeproj/project.pbxproj: Removed a duplicate reference to
1286           UnlinkedFunctionExecutable.h, and let Xcode update the project file.
1287
1288         * assembler/MacroAssemblerPrinter.cpp:
1289         (JSC::Printer::printAllRegisters): Addressed newly-enabled CLANG_WARN_COMMA by replacing
1290           some commas with semicolons.
1291
1292 2018-10-03  Mark Lam  <mark.lam@apple.com>
1293
1294         Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.
1295         https://bugs.webkit.org/show_bug.cgi?id=190187
1296         <rdar://problem/42512909>
1297
1298         Reviewed by Michael Saboff.
1299
1300         Allowing different max string lengths at each level opens up opportunities for
1301         bugs to creep in.  With 2 different max length values, it is more difficult to
1302         keep the story straight on how we do overflow / bounds checks at each place in
1303         the code.  It's also difficult to tell if a seemingly valid check at the WTF level
1304         will have bad ramifications at the JSC level.  Also, it's not meaningful to
1305         support a max length > INT_MAX.  To eliminate this class of bugs, we'll
1306         standardize on a MaxLength of INT_MAX at all levels.
1307
1308         We'll also standardize the way we do length overflow checks on using
1309         CheckedArithmetic, and add some asserts to document the assumptions of the code.
1310
1311         * runtime/FunctionConstructor.cpp:
1312         (JSC::constructFunctionSkippingEvalEnabledCheck):
1313         - Fix OOM error handling which crashed a test after the new MaxLength was applied.
1314         * runtime/JSString.h:
1315         (JSC::JSString::finishCreation):
1316         (JSC::JSString::createHasOtherOwner):
1317         (JSC::JSString::setLength):
1318         * runtime/JSStringInlines.h:
1319         (JSC::jsMakeNontrivialString):
1320         * runtime/Operations.h:
1321         (JSC::jsString):
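
The overflow check this entry describes (combined string lengths capped at a single
MaxLength of INT_MAX, computed with checked arithmetic), as an added C++ example that is
not WebKit code: `CheckedLength` is a hypothetical stand-in for WTF's CheckedArithmetic,
and the unchecked variant is shown only to contrast the silent wrap it allows.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <vector>

// Single limit at every level, as the entry standardizes on.
constexpr unsigned MaxLength = INT_MAX;

// Contrast case: summing piece lengths in plain unsigned arithmetic. Three
// INT_MAX-sized pieces wrap to 0x7FFFFFFD, a "valid-looking" length that would
// size a buffer far too small for the data copied into it. Do not use.
unsigned uncheckedTotalLength(const std::vector<unsigned>& lengths)
{
    unsigned total = 0;
    for (unsigned length : lengths)
        total += length;
    return total;
}

// Hypothetical stand-in for WTF's Checked<> arithmetic: accumulate in a wider
// type and latch an overflow flag as soon as MaxLength is exceeded.
class CheckedLength {
public:
    void add(unsigned length)
    {
        if (m_overflowed)
            return;
        // Every input must itself respect MaxLength; anything larger is already
        // a broken invariant, not just an overflow of the sum.
        if (length > MaxLength) {
            m_overflowed = true;
            return;
        }
        m_total += length;
        if (m_total > MaxLength)
            m_overflowed = true;
    }
    bool hasOverflowed() const { return m_overflowed; }
    unsigned value() const { return static_cast<unsigned>(m_total); }

private:
    uint64_t m_total = 0; // wider than unsigned so a single add cannot wrap
    bool m_overflowed = false;
};

struct LengthResult {
    bool overflowed;
    unsigned length; // meaningful only when !overflowed
};

// Combined length of the pieces, or overflowed == true so the caller can raise an
// out-of-memory error instead of allocating a wrong-sized string buffer.
LengthResult checkedTotalLength(const std::vector<unsigned>& lengths)
{
    CheckedLength total;
    for (unsigned length : lengths)
        total.add(length);
    if (total.hasOverflowed())
        return { true, 0 };
    return { false, total.value() };
}

int main()
{
    // Constructed sample: three pieces each at MaxLength.
    std::vector<unsigned> pieces { MaxLength, MaxLength, MaxLength };
    std::printf("unchecked: 0x%x\n", uncheckedTotalLength(pieces));
    LengthResult result = checkedTotalLength(pieces);
    std::printf("checked: %s\n", result.overflowed ? "overflow, OOM error" : "ok");
    return 0;
}
```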
1322
1323 2018-10-03  Koby Boyango  <koby.b@mce-sys.com>
1324
1325         [JSC] Add a C++ callable overload of objectConstructorSeal
1326         https://bugs.webkit.org/show_bug.cgi?id=190137
1327
1328         Reviewed by Yusuke Suzuki.
1329
1330         * runtime/ObjectConstructor.cpp:
1331         * runtime/ObjectConstructor.h:
1332
1333 2018-10-02  Dominik Infuehr  <dinfuehr@igalia.com>
1334
1335         Fix Disassembler-output on ARM Thumb2
1336         https://bugs.webkit.org/show_bug.cgi?id=190203
1337
1338         On ARMv7 with Thumb2, addresses have bit 0 set to 1 to force
1339         execution in thumb mode for jumps and calls. The actual machine
1340         instructions are still aligned to 2 bytes though. Use dataLocation() as
1341         start address for disassembling since it unsets the thumb bit.
1342         Until now the disassembler would start at the wrong address (off by 1),
1343         resulting in the wrong disassembled machine instructions.
1344
1345         Reviewed by Mark Lam.
1346
1347         * disassembler/CapstoneDisassembler.cpp:
1348         (JSC::tryToDisassemble):
1349
1350 2018-10-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1351
1352         [JSC] Add stub of ExecutableAllocator used when JIT is disabled
1353         https://bugs.webkit.org/show_bug.cgi?id=190215
1354
1355         Reviewed by Mark Lam.
1356
1357         When ENABLE(JIT) is disabled, we do not use JIT. But ExecutableAllocator is still available since
1358         it is guarded by ENABLE(ASSEMBLER). ENABLE(ASSEMBLER) is necessary for LLInt ASM interpreter since
1359         our MacroAssembler tells machine architecture information. Eventually, we would like to decouple
1360         this machine architecture information from MacroAssembler. But for now, we use ENABLE(ASSEMBLER)
1361         for LLInt ASM interpreter even if JIT is disabled by ENABLE(JIT).
1362
1363         To ensure any executable memory allocation is not done, we add a stub of ExecutableAllocator for
1364         non-JIT configurations. This does not have any functionality allocating executable memory, thus
1365         any accidental operation cannot attempt to allocate executable memory if ENABLE(JIT) = OFF.
1366
1367         * jit/ExecutableAllocator.cpp:
1368         (JSC::ExecutableAllocator::initializeAllocator):
1369         (JSC::ExecutableAllocator::singleton):
1370         * jit/ExecutableAllocator.h:
1371         (JSC::ExecutableAllocator::isValid const):
1372         (JSC::ExecutableAllocator::underMemoryPressure):
1373         (JSC::ExecutableAllocator::memoryPressureMultiplier):
1374         (JSC::ExecutableAllocator::dumpProfile):
1375         (JSC::ExecutableAllocator::allocate):
1376         (JSC::ExecutableAllocator::isValidExecutableMemory):
1377         (JSC::ExecutableAllocator::committedByteCount):
1378         (JSC::ExecutableAllocator::getLock const):
1379         (JSC::performJITMemcpy):
1380
1381 2018-10-01  Dean Jackson  <dino@apple.com>
1382
1383         Remove CSS Animation Triggers
1384         https://bugs.webkit.org/show_bug.cgi?id=190175
1385         <rdar://problem/44925626>
1386
1387         Reviewed by Simon Fraser.
1388
1389         * Configurations/FeatureDefines.xcconfig:
1390
1391 2018-10-02  Caio Lima  <ticaiolima@gmail.com>
1392
1393         [BigInt] BigInt.prototype.toString is broken when radix is a power of 2
1394         https://bugs.webkit.org/show_bug.cgi?id=190033
1395
1396         Reviewed by Yusuke Suzuki.
1397
1398         The implementation of JSBigInt::toStringToGeneric doesn't handle power
1399         of 2 radix when JSBigInt length is >= 2. To handle such cases, we
1400         implemented JSBigInt::toStringBasePowerOfTwo that follows the
1401         algorithm that groups bits using mask of (2 ^ n) - 1 to extract every
1402         digit.
1403
1404         * runtime/JSBigInt.cpp:
1405         (JSC::JSBigInt::toString):
1406         (JSC::JSBigInt::toStringBasePowerOfTwo):
1407         * runtime/JSBigInt.h:
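
The digit-extraction algorithm this entry describes (mask of (2 ^ n) - 1 applied to the
bits of a multi-digit magnitude), as an added C++ example that is not WebKit's
JSBigInt::toStringBasePowerOfTwo: `Magnitude` is a hypothetical little-endian array of
32-bit limbs standing in for the BigInt's digit storage, and the example handles digits
that straddle a limb boundary (octal over 32-bit limbs, for instance), which is the
length >= 2 case the generic path got wrong.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical magnitude: limbs[0] holds the least significant 32 bits.
struct Magnitude {
    std::vector<uint32_t> limbs;
};

// True for the power-of-two radices a toString call may ask for (2, 4, 8, 16, 32).
bool isPowerOfTwoRadix(unsigned radix)
{
    return radix >= 2 && radix <= 36 && (radix & (radix - 1)) == 0;
}

// Walk the bits from least to most significant, emitting one digit per
// bitsPerDigit bits via the mask (2^n) - 1. Leftover bits at the end of a limb
// are carried in bitBuffer so a digit can be assembled across two limbs.
std::string toStringBasePowerOfTwo(const Magnitude& value, unsigned radix)
{
    assert(isPowerOfTwoRadix(radix));
    static const char digitChars[] = "0123456789abcdefghijklmnopqrstuvwxyz";

    unsigned bitsPerDigit = 0;
    while ((1u << bitsPerDigit) < radix)
        ++bitsPerDigit;
    const uint32_t mask = (1u << bitsPerDigit) - 1;

    // Ignore high zero limbs so the result carries no leading zeros.
    size_t length = value.limbs.size();
    while (length && !value.limbs[length - 1])
        --length;
    if (!length)
        return "0";

    std::string reversed; // least significant digit first
    uint64_t bitBuffer = 0; // at most bitsPerDigit-1 carried bits plus one limb
    unsigned bitsInBuffer = 0;
    for (size_t i = 0; i < length; ++i) {
        bitBuffer |= static_cast<uint64_t>(value.limbs[i]) << bitsInBuffer;
        bitsInBuffer += 32;
        while (bitsInBuffer >= bitsPerDigit) {
            reversed.push_back(digitChars[bitBuffer & mask]);
            bitBuffer >>= bitsPerDigit;
            bitsInBuffer -= bitsPerDigit;
        }
    }
    // Flush the partial digit left over from the most significant limb.
    if (bitsInBuffer)
        reversed.push_back(digitChars[bitBuffer & mask]);
    // The top limb's unused high bits produce zero digits; drop them.
    while (reversed.size() > 1 && reversed.back() == '0')
        reversed.pop_back();
    return std::string(reversed.rbegin(), reversed.rend());
}

int main()
{
    // Constructed sample: 2^32 + 0xFFFFFFFF, i.e. two limbs, rendered in hex and octal.
    Magnitude sample { { 0xFFFFFFFFu, 1u } };
    std::printf("radix 16: %s\n", toStringBasePowerOfTwo(sample, 16).c_str());
    std::printf("radix 8:  %s\n", toStringBasePowerOfTwo(sample, 8).c_str());
    return 0;
}
```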
1408
1409 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1410
1411         [JSC] Add branchIfNaN and branchIfNotNaN
1412         https://bugs.webkit.org/show_bug.cgi?id=190122
1413
1414         Reviewed by Mark Lam.
1415
1416         Add AssemblyHelpers::{branchIfNaN, branchIfNotNaN} to make code more readable.
1417
1418         * dfg/DFGSpeculativeJIT.cpp:
1419         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1420         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
1421         (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
1422         (JSC::DFG::SpeculativeJIT::compileSpread):
1423         (JSC::DFG::SpeculativeJIT::compileNewArray):
1424         (JSC::DFG::SpeculativeJIT::speculateRealNumber):
1425         (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal):
1426         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1427         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1428         * dfg/DFGSpeculativeJIT32_64.cpp:
1429         (JSC::DFG::SpeculativeJIT::compile):
1430         * dfg/DFGSpeculativeJIT64.cpp:
1431         (JSC::DFG::SpeculativeJIT::compile):
1432         * jit/AssemblyHelpers.cpp:
1433         (JSC::AssemblyHelpers::purifyNaN):
1434         * jit/AssemblyHelpers.h:
1435         (JSC::AssemblyHelpers::branchIfNaN):
1436         (JSC::AssemblyHelpers::branchIfNotNaN):
1437         * jit/JITPropertyAccess.cpp:
1438         (JSC::JIT::emitGenericContiguousPutByVal):
1439         (JSC::JIT::emitDoubleLoad):
1440         (JSC::JIT::emitFloatTypedArrayGetByVal):
1441         * jit/JITPropertyAccess32_64.cpp:
1442         (JSC::JIT::emitGenericContiguousPutByVal):
1443         * wasm/js/JSToWasm.cpp:
1444         (JSC::Wasm::createJSToWasmWrapper):
1445
1446 2018-10-01  Mark Lam  <mark.lam@apple.com>
1447
1448         Function.toString() should also copy the source code of Functions that are class definitions.
1449         https://bugs.webkit.org/show_bug.cgi?id=190186
1450         <rdar://problem/44733360>
1451
1452         Reviewed by Saam Barati.
1453
1454         Previously, if the Function was a class definition, functionProtoFuncToString()
1455         would create a String using StringView::toStringWithoutCopying(), and use that
1456         String to make a JSString.  This is not a problem if the underlying SourceProvider
1457         (that backs the characters in that StringView) is immortal.  However, this is
1458         not always the case in practice.
1459
1460         This patch fixes this issue by changing functionProtoFuncToString() to create the
1461         String using StringView::toString() instead, which makes a copy of the underlying
1462         characters buffer.  This detaches the resultant JSString from the SourceProvider
1463         characters buffer that it was created from, and ensures that the underlying
1464         characters buffer of the string will be alive for the entire lifetime of the
1465         JSString.
1466
1467         * runtime/FunctionPrototype.cpp:
1468         (JSC::functionProtoFuncToString):
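
Added illustration of the lifetime hazard and the fix described in this entry (example code, not WebKit's). SourceProvider and ClassSourceRange are constructed stand-ins; toStringWithoutCopying() returns a view that aliases the provider's buffer like the pre-fix code, while toString() returns an owning copy like the fix, so the result survives the provider's destruction. The script text and offsets are constructed sample input.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <string_view>
#include <utility>

// Constructed stand-in for JSC's SourceProvider: the object that owns a script's characters.
struct SourceProvider {
    explicit SourceProvider(std::string source) : text(std::move(source)) {}
    std::string text;
    const char* characters() const { return text.data(); }
    size_t size() const { return text.size(); }
};

// Constructed stand-in for the source range that a class-definition Function points at.
struct ClassSourceRange {
    std::shared_ptr<SourceProvider> provider;
    size_t start;
    size_t length;
};

// Pre-fix behaviour: like StringView::toStringWithoutCopying(), the result aliases the
// provider's character buffer and is only valid for as long as the provider lives.
std::string_view toStringWithoutCopying(const ClassSourceRange& range) {
    return std::string_view(range.provider->characters() + range.start, range.length);
}

// Post-fix behaviour: like StringView::toString(), the result owns a copy of the characters.
std::string toString(const ClassSourceRange& range) {
    return std::string(range.provider->characters() + range.start, range.length);
}

// True if [data, data + length) lies inside the provider's character buffer.
bool aliasesProvider(const char* data, size_t length, const SourceProvider& provider) {
    const auto lo = reinterpret_cast<uintptr_t>(provider.characters());
    const auto hi = lo + provider.size();
    const auto p = reinterpret_cast<uintptr_t>(data);
    return p >= lo && p + length <= hi;
}

// Constructed sample script: a class definition preceded by 11 characters of other code.
static const char kScript[] = "var x = 1;\nclass Widget { constructor(n) { this.n = n; } }\n";
static const size_t kClassStart = 11;
static const size_t kClassLength = 47;

// The uncopied result points into the provider's buffer: that aliasing is the hazard,
// because nothing about the view keeps the provider alive.
bool uncopiedResultAliasesProvider() {
    auto provider = std::make_shared<SourceProvider>(kScript);
    ClassSourceRange range { provider, kClassStart, kClassLength };
    std::string_view view = toStringWithoutCopying(range);
    return aliasesProvider(view.data(), view.size(), *provider);
}

// The copied result is detached from the provider and stays valid after the
// last owner of the SourceProvider releases it.
std::string copiedResultOutlivesProvider() {
    auto provider = std::make_shared<SourceProvider>(kScript);
    ClassSourceRange range { provider, kClassStart, kClassLength };
    std::string copy = toString(range);
    const bool detached = !aliasesProvider(copy.data(), copy.size(), *provider);
    range.provider.reset();
    provider.reset();   // last owner gone: the SourceProvider is destroyed here
    return detached ? copy : std::string();
}
```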
1469
1470 2018-10-01  Keith Miller  <keith_miller@apple.com>
1471
1472         Create a RELEASE_AND_RETURN macro for ExceptionScopes
1473         https://bugs.webkit.org/show_bug.cgi?id=190163
1474
1475         Reviewed by Mark Lam.
1476
1477         The new RELEASE_AND_RETURN does all the work for cases
1478         where you want to return the result of some expression
1479         without explicitly checking for an exception. This is
1480         much like the existing RETURN_IF_EXCEPTION macro.
1481
1482         * dfg/DFGOperations.cpp:
1483         (JSC::DFG::newTypedArrayWithSize):
1484         * interpreter/Interpreter.cpp:
1485         (JSC::eval):
1486         * jit/JITOperations.cpp:
1487         (JSC::getByVal):
1488         * jsc.cpp:
1489         (functionDollarAgentReceiveBroadcast):
1490         * llint/LLIntSlowPaths.cpp:
1491         (JSC::LLInt::setUpCall):
1492         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1493         (JSC::LLInt::varargsSetup):
1494         * profiler/ProfilerDatabase.cpp:
1495         (JSC::Profiler::Database::toJSON const):
1496         * runtime/AbstractModuleRecord.cpp:
1497         (JSC::AbstractModuleRecord::hostResolveImportedModule):
1498         * runtime/ArrayConstructor.cpp:
1499         (JSC::constructArrayWithSizeQuirk):
1500         * runtime/ArrayPrototype.cpp:
1501         (JSC::getProperty):
1502         (JSC::fastJoin):
1503         (JSC::arrayProtoFuncToString):
1504         (JSC::arrayProtoFuncToLocaleString):
1505         (JSC::arrayProtoFuncJoin):
1506         (JSC::arrayProtoFuncPop):
1507         (JSC::arrayProtoPrivateFuncConcatMemcpy):
1508         * runtime/BigIntConstructor.cpp:
1509         (JSC::toBigInt):
1510         * runtime/CommonSlowPaths.h:
1511         (JSC::CommonSlowPaths::opInByVal):
1512         * runtime/ConstructData.cpp:
1513         (JSC::construct):
1514         * runtime/DateConstructor.cpp:
1515         (JSC::dateParse):
1516         * runtime/DatePrototype.cpp:
1517         (JSC::dateProtoFuncToPrimitiveSymbol):
1518         * runtime/DirectArguments.h:
1519         * runtime/ErrorConstructor.cpp:
1520         (JSC::Interpreter::constructWithErrorConstructor):
1521         * runtime/ErrorPrototype.cpp:
1522         (JSC::errorProtoFuncToString):
1523         * runtime/ExceptionScope.h:
1524         * runtime/FunctionConstructor.cpp:
1525         (JSC::constructFunction):
1526         * runtime/FunctionPrototype.cpp:
1527         (JSC::functionProtoFuncToString):
1528         * runtime/GenericArgumentsInlines.h:
1529         (JSC::GenericArguments<Type>::defineOwnProperty):
1530         * runtime/GetterSetter.cpp:
1531         (JSC::callGetter):
1532         * runtime/IntlCollatorConstructor.cpp:
1533         (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
1534         * runtime/IntlCollatorPrototype.cpp:
1535         (JSC::IntlCollatorFuncCompare):
1536         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
1537         * runtime/IntlDateTimeFormatConstructor.cpp:
1538         (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
1539         * runtime/IntlDateTimeFormatPrototype.cpp:
1540         (JSC::IntlDateTimeFormatFuncFormatDateTime):
1541         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
1542         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
1543         * runtime/IntlNumberFormatConstructor.cpp:
1544         (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
1545         * runtime/IntlNumberFormatPrototype.cpp:
1546         (JSC::IntlNumberFormatFuncFormatNumber):
1547         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
1548         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
1549         * runtime/IntlObject.cpp:
1550         (JSC::intlNumberOption):
1551         * runtime/IntlObjectInlines.h:
1552         (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
1553         * runtime/IntlPluralRules.cpp:
1554         (JSC::IntlPluralRules::resolvedOptions):
1555         * runtime/IntlPluralRulesConstructor.cpp:
1556         (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
1557         * runtime/IntlPluralRulesPrototype.cpp:
1558         (JSC::IntlPluralRulesPrototypeFuncSelect):
1559         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
1560         * runtime/JSArray.cpp:
1561         (JSC::JSArray::defineOwnProperty):
1562         (JSC::JSArray::put):
1563         (JSC::JSArray::setLength):
1564         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1565         * runtime/JSArrayBufferPrototype.cpp:
1566         (JSC::arrayBufferProtoGetterFuncByteLength):
1567         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
1568         * runtime/JSArrayInlines.h:
1569         (JSC::toLength):
1570         * runtime/JSBoundFunction.cpp:
1571         (JSC::boundFunctionCall):
1572         (JSC::boundFunctionConstruct):
1573         * runtime/JSCJSValue.cpp:
1574         (JSC::JSValue::putToPrimitive):
1575         * runtime/JSCJSValueInlines.h:
1576         (JSC::JSValue::toIndex const):
1577         (JSC::JSValue::toPropertyKey const):
1578         (JSC::JSValue::get const):
1579         (JSC::JSValue::getPropertySlot const):
1580         (JSC::JSValue::getOwnPropertySlot const):
1581         (JSC::JSValue::equalSlowCaseInline):
1582         * runtime/JSDataView.cpp:
1583         (JSC::JSDataView::put):
1584         (JSC::JSDataView::defineOwnProperty):
1585         * runtime/JSFunction.cpp:
1586         (JSC::JSFunction::put):
1587         (JSC::JSFunction::defineOwnProperty):
1588         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1589         (JSC::constructGenericTypedArrayViewWithArguments):
1590         (JSC::constructGenericTypedArrayView):
1591         * runtime/JSGenericTypedArrayViewInlines.h:
1592         (JSC::JSGenericTypedArrayView<Adaptor>::set):
1593         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
1594         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1595         (JSC::speciesConstruct):
1596         (JSC::genericTypedArrayViewProtoFuncJoin):
1597         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1598         * runtime/JSGlobalObject.cpp:
1599         (JSC::JSGlobalObject::put):
1600         * runtime/JSGlobalObjectFunctions.cpp:
1601         (JSC::decode):
1602         (JSC::globalFuncEval):
1603         (JSC::globalFuncProtoGetter):
1604         * runtime/JSInternalPromise.cpp:
1605         (JSC::JSInternalPromise::then):
1606         * runtime/JSModuleEnvironment.cpp:
1607         (JSC::JSModuleEnvironment::put):
1608         * runtime/JSModuleLoader.cpp:
1609         (JSC::JSModuleLoader::provideFetch):
1610         (JSC::JSModuleLoader::loadAndEvaluateModule):
1611         (JSC::JSModuleLoader::loadModule):
1612         (JSC::JSModuleLoader::linkAndEvaluateModule):
1613         (JSC::JSModuleLoader::requestImportModule):
1614         (JSC::JSModuleLoader::getModuleNamespaceObject):
1615         (JSC::moduleLoaderRequestedModules):
1616         * runtime/JSONObject.cpp:
1617         (JSC::Stringifier::stringify):
1618         (JSC::Stringifier::toJSON):
1619         (JSC::Walker::walk):
1620         (JSC::JSONProtoFuncStringify):
1621         * runtime/JSObject.cpp:
1622         (JSC::ordinarySetSlow):
1623         (JSC::JSObject::putInlineSlow):
1624         (JSC::JSObject::toPrimitive const):
1625         (JSC::JSObject::hasInstance):
1626         (JSC::JSObject::toNumber const):
1627         (JSC::JSObject::defineOwnIndexedProperty):
1628         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
1629         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
1630         (JSC::JSObject::defineOwnNonIndexProperty):
1631         * runtime/JSObject.h:
1632         (JSC::JSObject::get const):
1633         * runtime/JSObjectInlines.h:
1634         (JSC::JSObject::getPropertySlot const):
1635         (JSC::JSObject::putInlineForJSObject):
1636         * runtime/MapConstructor.cpp:
1637         (JSC::constructMap):
1638         * runtime/NativeErrorConstructor.cpp:
1639         (JSC::Interpreter::constructWithNativeErrorConstructor):
1640         * runtime/ObjectConstructor.cpp:
1641         (JSC::constructObject):
1642         (JSC::objectConstructorGetPrototypeOf):
1643         (JSC::objectConstructorGetOwnPropertyDescriptor):
1644         (JSC::objectConstructorGetOwnPropertyDescriptors):
1645         (JSC::objectConstructorGetOwnPropertyNames):
1646         (JSC::objectConstructorGetOwnPropertySymbols):
1647         (JSC::objectConstructorKeys):
1648         (JSC::objectConstructorDefineProperty):
1649         (JSC::objectConstructorDefineProperties):
1650         (JSC::objectConstructorCreate):
1651         * runtime/ObjectPrototype.cpp:
1652         (JSC::objectProtoFuncToLocaleString):
1653         (JSC::objectProtoFuncToString):
1654         * runtime/Operations.cpp:
1655         (JSC::jsAddSlowCase):
1656         * runtime/Operations.h:
1657         (JSC::jsString):
1658         (JSC::jsLess):
1659         (JSC::jsLessEq):
1660         * runtime/ParseInt.h:
1661         (JSC::toStringView):
1662         * runtime/ProxyConstructor.cpp:
1663         (JSC::constructProxyObject):
1664         * runtime/ProxyObject.cpp:
1665         (JSC::ProxyObject::toStringName):
1666         (JSC::performProxyGet):
1667         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1668         (JSC::ProxyObject::performHasProperty):
1669         (JSC::ProxyObject::getOwnPropertySlotCommon):
1670         (JSC::ProxyObject::performPut):
1671         (JSC::ProxyObject::putByIndexCommon):
1672         (JSC::performProxyCall):
1673         (JSC::performProxyConstruct):
1674         (JSC::ProxyObject::performDelete):
1675         (JSC::ProxyObject::performPreventExtensions):
1676         (JSC::ProxyObject::performIsExtensible):
1677         (JSC::ProxyObject::performDefineOwnProperty):
1678         (JSC::ProxyObject::performSetPrototype):
1679         (JSC::ProxyObject::performGetPrototype):
1680         * runtime/ReflectObject.cpp:
1681         (JSC::reflectObjectConstruct):
1682         (JSC::reflectObjectDefineProperty):
1683         (JSC::reflectObjectGet):
1684         (JSC::reflectObjectGetOwnPropertyDescriptor):
1685         (JSC::reflectObjectGetPrototypeOf):
1686         (JSC::reflectObjectOwnKeys):
1687         (JSC::reflectObjectSet):
1688         * runtime/RegExpConstructor.cpp:
1689         (JSC::constructRegExp):
1690         * runtime/RegExpObject.cpp:
1691         (JSC::RegExpObject::defineOwnProperty):
1692         (JSC::RegExpObject::matchGlobal):
1693         * runtime/RegExpPrototype.cpp:
1694         (JSC::regExpProtoFuncTestFast):
1695         (JSC::regExpProtoFuncExec):
1696         (JSC::regExpProtoFuncToString):
1697         * runtime/ScriptExecutable.cpp:
1698         (JSC::ScriptExecutable::newCodeBlockFor):
1699         * runtime/SetConstructor.cpp:
1700         (JSC::constructSet):
1701         * runtime/SparseArrayValueMap.cpp:
1702         (JSC::SparseArrayValueMap::putEntry):
1703         (JSC::SparseArrayEntry::put):
1704         * runtime/StringConstructor.cpp:
1705         (JSC::stringFromCharCode):
1706         (JSC::stringFromCodePoint):
1707         * runtime/StringObject.cpp:
1708         (JSC::StringObject::put):
1709         (JSC::StringObject::putByIndex):
1710         (JSC::StringObject::defineOwnProperty):
1711         * runtime/StringPrototype.cpp:
1712         (JSC::jsSpliceSubstrings):
1713         (JSC::jsSpliceSubstringsWithSeparators):
1714         (JSC::removeUsingRegExpSearch):
1715         (JSC::replaceUsingRegExpSearch):
1716         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
1717         (JSC::replaceUsingStringSearch):
1718         (JSC::repeatCharacter):
1719         (JSC::replace):
1720         (JSC::stringProtoFuncReplaceUsingRegExp):
1721         (JSC::stringProtoFuncReplaceUsingStringSearch):
1722         (JSC::stringProtoFuncSplitFast):
1723         (JSC::stringProtoFuncToLowerCase):
1724         (JSC::stringProtoFuncToUpperCase):
1725         (JSC::toLocaleCase):
1726         (JSC::trimString):
1727         (JSC::stringProtoFuncIncludes):
1728         (JSC::builtinStringIncludesInternal):
1729         (JSC::normalize):
1730         (JSC::stringProtoFuncNormalize):
1731         * runtime/SymbolPrototype.cpp:
1732         (JSC::symbolProtoFuncToString):
1733         (JSC::symbolProtoFuncValueOf):
1734         * tools/JSDollarVM.cpp:
1735         (WTF::functionWasmStreamingParserAddBytes):
1736         (JSC::functionGetPrivateProperty):
1737         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1738         (JSC::constructJSWebAssemblyCompileError):
1739         * wasm/js/WebAssemblyModuleConstructor.cpp:
1740         (JSC::constructJSWebAssemblyModule):
1741         (JSC::WebAssemblyModuleConstructor::createModule):
1742         * wasm/js/WebAssemblyTableConstructor.cpp:
1743         (JSC::constructJSWebAssemblyTable):
1744         * wasm/js/WebAssemblyWrapperFunction.cpp:
1745         (JSC::callWebAssemblyWrapperFunction):
1746
1747 2018-10-01  Koby Boyango  <koby.b@mce-sys.com>
1748
1749         [JSC] Add a JSONStringify overload that receives a JSValue space
1750         https://bugs.webkit.org/show_bug.cgi?id=190131
1751
1752         Reviewed by Yusuke Suzuki.
1753
1754         * runtime/JSONObject.cpp:
1755         * runtime/JSONObject.h:
1756
1757 2018-10-01  Commit Queue  <commit-queue@webkit.org>
1758
1759         Unreviewed, rolling out r236647.
1760         https://bugs.webkit.org/show_bug.cgi?id=190124
1761
1762         Breaking test stress/big-int-to-string.js (Requested by
1763         caiolima_ on #webkit).
1764
1765         Reverted changeset:
1766
1767         "[BigInt] BigInt.prototype.toString is broken when radix is a
1768         power of 2"
1769         https://bugs.webkit.org/show_bug.cgi?id=190033
1770         https://trac.webkit.org/changeset/236647
1771
1772 2018-10-01  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1773
1774         [WebAssembly] Move type conversion code of JSToWasm return type to JS wasm wrapper
1775         https://bugs.webkit.org/show_bug.cgi?id=189498
1776
1777         Reviewed by Saam Barati.
1778
1779         To call JS-to-Wasm code we need to convert the result value from the wasm function to
1780         the JS type. Previously this was done by callWebAssemblyFunction using a switch
1781         over signature.returnType(). But since we know the value of `signature.returnType()`
1782         at compile time, we can emit a small piece of conversion code directly into the
1783         JSToWasm glue and remove this switch from callWebAssemblyFunction.
1784
1785         In JSToWasm glue code, we do not have tag registers. So we use DoNotHaveTagRegisters
1786         in boxInt32 and boxDouble. Since boxDouble does not have a DoNotHaveTagRegisters version,
1787         we add an implementation for that.
1788
1789         * jit/AssemblyHelpers.h:
1790         (JSC::AssemblyHelpers::boxDouble):
1791         * wasm/js/JSToWasm.cpp:
1792         (JSC::Wasm::createJSToWasmWrapper):
1793         * wasm/js/WebAssemblyFunction.cpp:
1794         (JSC::callWebAssemblyFunction):
1795
1796 2018-09-30  Caio Lima  <ticaiolima@gmail.com>
1797
1798         [BigInt] BigInt.prototype.toString is broken when radix is a power of 2
1799         https://bugs.webkit.org/show_bug.cgi?id=190033
1800
1801         Reviewed by Yusuke Suzuki.
1802
1803         The implementation of JSBigInt::toStringToGeneric doesn't handle a power
1804         of 2 radix when the JSBigInt length is >= 2. To handle such cases, we
1805         implemented JSBigInt::toStringBasePowerOfTwo, which follows the
1806         algorithm that groups bits using a mask of (2 ^ n) - 1 to extract every
1807         digit.
1808
1809         * runtime/JSBigInt.cpp:
1810         (JSC::JSBigInt::toString):
1811         (JSC::JSBigInt::toStringBasePowerOfTwo):
1812         * runtime/JSBigInt.h:
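
Added example (not JSC's code) of the power-of-two radix conversion this entry describes: a minimal BigInt with 32-bit digits, a conversion that streams bits across digit boundaries and masks off (2 ^ n) - 1 per character (the length >= 2 case), and a long-division path standing in for toStringToGeneric as an independent reference. The BigInt struct, the 32-bit digit width and the function names are constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Constructed minimal BigInt: sign plus magnitude as little-endian 32-bit digits
// (digits[0] is least significant; no leading zero digits; empty means zero).
struct BigInt {
    std::vector<uint32_t> digits;
    bool negative = false;
};

static const char kRadixChars[] = "0123456789abcdefghijklmnopqrstuvwxyz";

// Power-of-two radix path: each output character is exactly bitsPerChar bits of the
// magnitude, so the digits are streamed through an accumulator and masked with
// (2 ^ bitsPerChar) - 1 one character at a time. Bits left over at the end of one
// 32-bit digit are carried into the next; that carry is what a per-digit conversion
// misses once the BigInt has two or more digits.
std::string toStringBasePowerOfTwo(const BigInt& x, unsigned radix) {
    if (radix < 2 || radix > 32 || (radix & (radix - 1)) != 0)
        return "";  // not a supported power-of-two radix
    if (x.digits.empty())
        return "0";
    unsigned bitsPerChar = 0;
    while ((1u << bitsPerChar) < radix)
        ++bitsPerChar;
    const uint32_t charMask = radix - 1;

    std::string out;        // built least-significant character first
    uint64_t acc = 0;       // bits not yet emitted
    unsigned accBits = 0;   // valid bits in acc (always < bitsPerChar between digits)
    for (uint32_t digit : x.digits) {
        acc |= static_cast<uint64_t>(digit) << accBits;
        accBits += 32;
        while (accBits >= bitsPerChar) {
            out.push_back(kRadixChars[acc & charMask]);
            acc >>= bitsPerChar;
            accBits -= bitsPerChar;
        }
    }
    if (accBits > 0)
        out.push_back(kRadixChars[acc & charMask]);  // bits left over from the top digit
    while (out.size() > 1 && out.back() == '0')
        out.pop_back();                               // strip the number's leading zeros
    if (x.negative)
        out.push_back('-');
    std::reverse(out.begin(), out.end());
    return out;
}

// Generic path for any radix (2..36): repeated long division of the magnitude by the
// radix. Used here as an independent reference to cross-check the power-of-two path.
std::string toStringGeneric(const BigInt& x, unsigned radix) {
    if (radix < 2 || radix > 36)
        return "";
    std::vector<uint32_t> mag = x.digits;
    std::string out;
    while (!mag.empty()) {
        uint64_t rem = 0;
        for (size_t i = mag.size(); i-- > 0;) {
            uint64_t cur = (rem << 32) | mag[i];
            mag[i] = static_cast<uint32_t>(cur / radix);
            rem = cur % radix;
        }
        out.push_back(kRadixChars[rem]);
        while (!mag.empty() && mag.back() == 0)
            mag.pop_back();   // drop digits that have become zero
    }
    if (out.empty())
        out = "0";
    if (x.negative)
        out.push_back('-');
    std::reverse(out.begin(), out.end());
    return out;
}
```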
1813
1814 2018-09-28  Caio Lima  <ticaiolima@gmail.com>
1815
1816         [ESNext][BigInt] Implement support for "&"
1817         https://bugs.webkit.org/show_bug.cgi?id=186228
1818
1819         Reviewed by Yusuke Suzuki.
1820
1821         This patch introduces support for BigInt in the bitwise "&" operation.
1822         We are also introducing the ValueBitAnd DFG node, which is responsible
1823         for handling the JIT for non-Int32 operands. With the introduction of this
1824         new node, we renamed the BitAnd node to ArithBitAnd. ArithBitAnd
1825         follows the behavior of ArithAdd and other arithmetic nodes, where
1826         the Arith<op> version always results in a Number (in the case of
1827         ArithBitAnd, it is always an Int32).
1828
1829         * bytecode/CodeBlock.cpp:
1830         (JSC::CodeBlock::finishCreation):
1831         * bytecompiler/BytecodeGenerator.cpp:
1832         (JSC::BytecodeGenerator::emitBinaryOp):
1833         * dfg/DFGAbstractInterpreterInlines.h:
1834         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1835         * dfg/DFGBackwardsPropagationPhase.cpp:
1836         (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
1837         (JSC::DFG::BackwardsPropagationPhase::propagate):
1838         * dfg/DFGByteCodeParser.cpp:
1839         (JSC::DFG::ByteCodeParser::parseBlock):
1840         * dfg/DFGClobberize.h:
1841         (JSC::DFG::clobberize):
1842         * dfg/DFGDoesGC.cpp:
1843         (JSC::DFG::doesGC):
1844         * dfg/DFGFixupPhase.cpp:
1845         (JSC::DFG::FixupPhase::fixupNode):
1846         * dfg/DFGNodeType.h:
1847         * dfg/DFGOperations.cpp:
1848         * dfg/DFGOperations.h:
1849         * dfg/DFGPredictionPropagationPhase.cpp:
1850         * dfg/DFGSafeToExecute.h:
1851         (JSC::DFG::safeToExecute):
1852         * dfg/DFGSpeculativeJIT.cpp:
1853         (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp):
1854         (JSC::DFG::SpeculativeJIT::compileBitwiseOp):
1855         * dfg/DFGSpeculativeJIT.h:
1856         (JSC::DFG::SpeculativeJIT::bitOp):
1857         * dfg/DFGSpeculativeJIT32_64.cpp:
1858         (JSC::DFG::SpeculativeJIT::compile):
1859         * dfg/DFGSpeculativeJIT64.cpp:
1860         (JSC::DFG::SpeculativeJIT::compile):
1861         * dfg/DFGStrengthReductionPhase.cpp:
1862         (JSC::DFG::StrengthReductionPhase::handleNode):
1863         * ftl/FTLCapabilities.cpp:
1864         (JSC::FTL::canCompile):
1865         * ftl/FTLLowerDFGToB3.cpp:
1866         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1867         (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
1868         (JSC::FTL::DFG::LowerDFGToB3::compileArithBitAnd):
1869         (JSC::FTL::DFG::LowerDFGToB3::compileBitAnd): Deleted.
1870         * jit/JIT.h:
1871         * jit/JITArithmetic.cpp:
1872         (JSC::JIT::emitBitBinaryOpFastPath):
1873         (JSC::JIT::emit_op_bitand):
1874         * llint/LowLevelInterpreter32_64.asm:
1875         * llint/LowLevelInterpreter64.asm:
1876         * runtime/CommonSlowPaths.cpp:
1877         (JSC::SLOW_PATH_DECL):
1878         * runtime/JSBigInt.cpp:
1879         (JSC::JSBigInt::JSBigInt):
1880         (JSC::JSBigInt::initialize):
1881         (JSC::JSBigInt::createZero):
1882         (JSC::JSBigInt::createFrom):
1883         (JSC::JSBigInt::bitwiseAnd):
1884         (JSC::JSBigInt::absoluteBitwiseOp):
1885         (JSC::JSBigInt::absoluteAnd):
1886         (JSC::JSBigInt::absoluteOr):
1887         (JSC::JSBigInt::absoluteAndNot):
1888         (JSC::JSBigInt::absoluteAddOne):
1889         (JSC::JSBigInt::absoluteSubOne):
1890         * runtime/JSBigInt.h:
1891         * runtime/JSCJSValue.h:
1892         * runtime/JSCJSValueInlines.h:
1893         (JSC::JSValue::toBigIntOrInt32 const):
1894
1895 2018-09-28  Mark Lam  <mark.lam@apple.com>
1896
1897         Gardening: speculative build fix.
1898         <rdar://problem/44869924>
1899
1900         Not reviewed.
1901
1902         * assembler/LinkBuffer.cpp:
1903         (JSC::LinkBuffer::copyCompactAndLinkCode):
1904
1905 2018-09-28  Guillaume Emont  <guijemont@igalia.com>
1906
1907         [JSC] [Armv7] Add a copy function argument to MacroAssemblerARMv7::link() and pass it down to the assembler's linking functions.
1908         https://bugs.webkit.org/show_bug.cgi?id=190080
1909
1910         Reviewed by Mark Lam.
1911
1912         * assembler/ARMv7Assembler.h:
1913         (JSC::ARMv7Assembler::link):
1914         (JSC::ARMv7Assembler::linkJumpT1):
1915         (JSC::ARMv7Assembler::linkJumpT2):
1916         (JSC::ARMv7Assembler::linkJumpT3):
1917         (JSC::ARMv7Assembler::linkJumpT4):
1918         (JSC::ARMv7Assembler::linkConditionalJumpT4):
1919         (JSC::ARMv7Assembler::linkBX):
1920         (JSC::ARMv7Assembler::linkConditionalBX):
1921         * assembler/MacroAssemblerARMv7.h:
1922         (JSC::MacroAssemblerARMv7::link):
1923
1924 2018-09-27  Saam barati  <sbarati@apple.com>
1925
1926         Verify the contents of AssemblerBuffer on arm64e
1927         https://bugs.webkit.org/show_bug.cgi?id=190057
1928         <rdar://problem/38916630>
1929
1930         Reviewed by Mark Lam.
1931
1932         * assembler/ARM64Assembler.h:
1933         (JSC::ARM64Assembler::ARM64Assembler):
1934         (JSC::ARM64Assembler::fillNops):
1935         (JSC::ARM64Assembler::link):
1936         (JSC::ARM64Assembler::linkJumpOrCall):
1937         (JSC::ARM64Assembler::linkCompareAndBranch):
1938         (JSC::ARM64Assembler::linkConditionalBranch):
1939         (JSC::ARM64Assembler::linkTestAndBranch):
1940         (JSC::ARM64Assembler::unlinkedCode): Deleted.
1941         * assembler/ARMAssembler.h:
1942         (JSC::ARMAssembler::fillNops):
1943         * assembler/ARMv7Assembler.h:
1944         (JSC::ARMv7Assembler::unlinkedCode): Deleted.
1945         * assembler/AbstractMacroAssembler.h:
1946         (JSC::AbstractMacroAssembler::emitNops):
1947         (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
1948         * assembler/AssemblerBuffer.h:
1949         (JSC::ARM64EHash::ARM64EHash):
1950         (JSC::ARM64EHash::update):
1951         (JSC::ARM64EHash::hash const):
1952         (JSC::ARM64EHash::randomSeed const):
1953         (JSC::AssemblerBuffer::AssemblerBuffer):
1954         (JSC::AssemblerBuffer::putShort):
1955         (JSC::AssemblerBuffer::putIntUnchecked):
1956         (JSC::AssemblerBuffer::putInt):
1957         (JSC::AssemblerBuffer::hash const):
1958         (JSC::AssemblerBuffer::data const):
1959         (JSC::AssemblerBuffer::putIntegralUnchecked):
1960         (JSC::AssemblerBuffer::append): Deleted.
1961         * assembler/LinkBuffer.cpp:
1962         (JSC::LinkBuffer::copyCompactAndLinkCode):
1963         * assembler/MIPSAssembler.h:
1964         (JSC::MIPSAssembler::fillNops):
1965         * assembler/MacroAssemblerARM64.h:
1966         (JSC::MacroAssemblerARM64::jumpsToLink):
1967         (JSC::MacroAssemblerARM64::link):
1968         (JSC::MacroAssemblerARM64::unlinkedCode): Deleted.
1969         * assembler/MacroAssemblerARMv7.h:
1970         (JSC::MacroAssemblerARMv7::jumpsToLink):
1971         (JSC::MacroAssemblerARMv7::unlinkedCode): Deleted.
1972         * assembler/X86Assembler.h:
1973         (JSC::X86Assembler::fillNops):
1974
1975 2018-09-27  Mark Lam  <mark.lam@apple.com>
1976
1977         ByValInfo should not use integer offsets.
1978         https://bugs.webkit.org/show_bug.cgi?id=190070
1979         <rdar://problem/44803430>
1980
1981         Reviewed by Saam Barati.
1982
1983         Also moved some fields around to allow the ByValInfo struct to be more densely packed.
1984
1985         * bytecode/ByValInfo.h:
1986         (JSC::ByValInfo::ByValInfo):
1987         * jit/JIT.cpp:
1988         (JSC::JIT::link):
1989         * jit/JITOpcodes.cpp:
1990         (JSC::JIT::privateCompileHasIndexedProperty):
1991         * jit/JITOpcodes32_64.cpp:
1992         (JSC::JIT::privateCompileHasIndexedProperty):
1993         * jit/JITPropertyAccess.cpp:
1994         (JSC::JIT::privateCompileGetByVal):
1995         (JSC::JIT::privateCompileGetByValWithCachedId):
1996         (JSC::JIT::privateCompilePutByVal):
1997         (JSC::JIT::privateCompilePutByValWithCachedId):
1998
1999 2018-09-27  Saam barati  <sbarati@apple.com>
2000
2001         DFG::OSRExit::m_patchableCodeOffset should not be an int
2002         https://bugs.webkit.org/show_bug.cgi?id=190066
2003         <rdar://problem/39498244>
2004
2005         Reviewed by Mark Lam.
2006
2007         * dfg/DFGJITCompiler.cpp:
2008         (JSC::DFG::JITCompiler::linkOSRExits):
2009         (JSC::DFG::JITCompiler::link):
2010         * dfg/DFGOSRExit.cpp:
2011         (JSC::DFG::OSRExit::codeLocationForRepatch const):
2012         (JSC::DFG::OSRExit::compileOSRExit):
2013         (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
2014         (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
2015         (JSC::DFG::OSRExit::correctJump): Deleted.
2016         * dfg/DFGOSRExit.h:
2017         * dfg/DFGOSRExitCompilationInfo.h:
2018
2019 2018-09-27  Saam barati  <sbarati@apple.com>
2020
2021         Don't use int offsets in StructureStubInfo
2022         https://bugs.webkit.org/show_bug.cgi?id=190064
2023         <rdar://problem/44784719>
2024
2025         Reviewed by Mark Lam.
2026
2027         * bytecode/InlineAccess.cpp:
2028         (JSC::linkCodeInline):
2029         * bytecode/StructureStubInfo.h:
2030         (JSC::StructureStubInfo::slowPathCallLocation):
2031         (JSC::StructureStubInfo::doneLocation):
2032         (JSC::StructureStubInfo::slowPathStartLocation):
2033         * jit/JITInlineCacheGenerator.cpp:
2034         (JSC::JITInlineCacheGenerator::finalize):
2035
2036 2018-09-27  Mark Lam  <mark.lam@apple.com>
2037
2038         DFG::OSREntry::m_machineCodeOffset should be a CodeLocation.
2039         https://bugs.webkit.org/show_bug.cgi?id=190054
2040         <rdar://problem/44803543>
2041
2042         Reviewed by Saam Barati.
2043
2044         * dfg/DFGJITCode.h:
2045         (JSC::DFG::JITCode::appendOSREntryData):
2046         * dfg/DFGJITCompiler.cpp:
2047         (JSC::DFG::JITCompiler::noticeOSREntry):
2048         * dfg/DFGOSREntry.cpp:
2049         (JSC::DFG::OSREntryData::dumpInContext const):
2050         (JSC::DFG::prepareOSREntry):
2051         * dfg/DFGOSREntry.h:
2052         * runtime/JSCPtrTag.h:
2053
2054 2018-09-27  Mark Lam  <mark.lam@apple.com>
2055
2056         JITMathIC should not use integer offsets into machine code.
2057         https://bugs.webkit.org/show_bug.cgi?id=190030
2058         <rdar://problem/44803307>
2059
2060         Reviewed by Saam Barati.
2061
2062         We'll replace them with CodeLocation smart pointers instead.
2063
2064         * jit/JITMathIC.h:
2065         (JSC::isProfileEmpty):
2066
2067 2018-09-26  Mark Lam  <mark.lam@apple.com>
2068
2069         Options::useSeparatedWXHeap() should always be false when ENABLE(FAST_JIT_PERMISSIONS) && CPU(ARM64E).
2070         https://bugs.webkit.org/show_bug.cgi?id=190022
2071         <rdar://problem/44800928>
2072
2073         Reviewed by Saam Barati.
2074
2075         * jit/ExecutableAllocator.cpp:
2076         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2077         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2078         * jit/ExecutableAllocator.h:
2079         (JSC::performJITMemcpy):
2080         * runtime/Options.cpp:
2081         (JSC::recomputeDependentOptions):
2082
2083 2018-09-26  Mark Lam  <mark.lam@apple.com>
2084
2085         Assert that performJITMemcpy() is always called with instruction size aligned addresses on ARM64.
2086         https://bugs.webkit.org/show_bug.cgi?id=190016
2087         <rdar://problem/44802875>
2088
2089         Reviewed by Saam Barati.
2090
2091         Also assert in performJITMemcpy() that the entire buffer to be copied will fit in
2092         JIT memory.
2093
2094         * assembler/ARM64Assembler.h:
2095         (JSC::ARM64Assembler::fillNops):
2096         (JSC::ARM64Assembler::replaceWithVMHalt):
2097         (JSC::ARM64Assembler::replaceWithJump):
2098         (JSC::ARM64Assembler::replaceWithLoad):
2099         (JSC::ARM64Assembler::replaceWithAddressComputation):
2100         (JSC::ARM64Assembler::setPointer):
2101         (JSC::ARM64Assembler::repatchInt32):
2102         (JSC::ARM64Assembler::repatchCompact):
2103         (JSC::ARM64Assembler::linkJumpOrCall):
2104         (JSC::ARM64Assembler::linkCompareAndBranch):
2105         (JSC::ARM64Assembler::linkConditionalBranch):
2106         (JSC::ARM64Assembler::linkTestAndBranch):
2107         * assembler/LinkBuffer.cpp:
2108         (JSC::LinkBuffer::copyCompactAndLinkCode):
2109         (JSC::LinkBuffer::linkCode):
2110         * jit/ExecutableAllocator.h:
2111         (JSC::performJITMemcpy):
2112
2113 2018-09-25  Keith Miller  <keith_miller@apple.com>
2114
2115         Move Symbol API to SPI
2116         https://bugs.webkit.org/show_bug.cgi?id=189946
2117
2118         Reviewed by Michael Saboff.
2119
2120         Some of the property access methods on JSValue needed to be moved
2121         to a category so that SPI overloads don't result in a compiler
2122         error for internal users.
2123
2124         Additionally, this patch does not move the new enum entry for
2125         Symbols in the JSType enumeration.
2126
2127         * API/JSObjectRef.h:
2128         * API/JSObjectRefPrivate.h:
2129         * API/JSValue.h:
2130         * API/JSValuePrivate.h:
2131         * API/JSValueRef.h:
2132
2133 2018-09-26  Keith Miller  <keith_miller@apple.com>
2134
2135         We should zero unused property storage when rebalancing array storage.
2136         https://bugs.webkit.org/show_bug.cgi?id=188151
2137
2138         Reviewed by Michael Saboff.
2139
2140         In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
2141         This can happen because we "balance" the pre/post-capacity in that code so we need to zero the unused
2142         property storage.
2143
2144         * runtime/JSArray.cpp:
2145         (JSC::JSArray::unshiftCountSlowCase):
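
Added example (not JSC's code) modelling the re-balance this entry describes. A single cell array stands in for the butterfly's storage, and the constructed unshiftCountSlowCase() below exposes the pre-fix behaviour (vacated cells left as they were) and the fixed behaviour (vacated cells zeroed) side by side, so the stale cells the move strands can be counted. Cell value 0 plays the role of the empty value; the sample store contents are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model of a backing store with slack on both sides of the elements
// (JSC's butterfly has pre-capacity before the vector and unused capacity after it).
// Cell value 0 stands for the empty value; anything else is an element.
struct Storage {
    std::vector<uint64_t> cells;
    size_t preCapacity;   // index of the first live element
    size_t length;        // number of live elements
};

// Makes room for `count` new elements at the front by re-balancing the slack so that
// about half of what remains sits before the elements. That can move the existing
// elements to the right even though we are net adding, leaving copies of them in
// cells that are now unused. zeroVacated=true is the behaviour this entry adds;
// false is the pre-fix behaviour. Returns false if the store would have to grow
// instead (growth is not modelled here).
bool unshiftCountSlowCase(Storage& s, size_t count, bool zeroVacated) {
    const size_t total = s.cells.size();
    const size_t slack = total - s.length;
    if (count > slack)
        return false;
    const size_t newPreCapacity = (slack - count) / 2;
    const size_t newLength = s.length + count;
    const size_t oldBegin = s.preCapacity;
    const size_t newBegin = newPreCapacity + count;   // where the existing elements land
    uint64_t* cells = s.cells.data();
    std::memmove(cells + newBegin, cells + oldBegin, s.length * sizeof(uint64_t));
    if (zeroVacated) {
        // Everything outside [newPreCapacity, newPreCapacity + newLength) is unused now.
        for (size_t i = 0; i < newPreCapacity; ++i)
            cells[i] = 0;
        for (size_t i = newPreCapacity + newLength; i < total; ++i)
            cells[i] = 0;
    }
    // The `count` fresh front slots are holes until the caller stores into them.
    for (size_t i = newPreCapacity; i < newBegin; ++i)
        cells[i] = 0;
    s.preCapacity = newPreCapacity;
    s.length = newLength;
    return true;
}

// Counts unused cells that still hold a non-empty value: stale copies that anything
// walking the whole storage could mistake for live elements.
size_t staleUnusedCells(const Storage& s) {
    size_t stale = 0;
    for (size_t i = 0; i < s.cells.size(); ++i) {
        const bool live = i >= s.preCapacity && i < s.preCapacity + s.length;
        if (!live && s.cells[i] != 0)
            ++stale;
    }
    return stale;
}

std::vector<uint64_t> liveElements(const Storage& s) {
    return std::vector<uint64_t>(s.cells.begin() + s.preCapacity,
                                 s.cells.begin() + s.preCapacity + s.length);
}

// Constructed sample: four elements at the very front of an 8-cell store.
Storage makeSample() {
    return Storage{ {1, 2, 3, 4, 0, 0, 0, 0}, 0, 4 };
}

// Unshift two elements into the sample and report how many stale cells remain.
size_t staleCellsAfterUnshift(bool zeroVacated) {
    Storage s = makeSample();
    unshiftCountSlowCase(s, 2, zeroVacated);
    return staleUnusedCells(s);
}

// The live elements after the fixed unshift: two holes followed by the originals.
std::vector<uint64_t> liveElementsAfterUnshift() {
    Storage s = makeSample();
    unshiftCountSlowCase(s, 2, true);
    return liveElements(s);
}

bool unshiftRejectsOverflow() {
    Storage s = makeSample();
    return !unshiftCountSlowCase(s, 5, true);   // only 4 cells of slack are available
}
```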
2146
2147 2018-09-26  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2148
2149         Unreviewed, add scope verification handling
2150         https://bugs.webkit.org/show_bug.cgi?id=189780
2151
2152         * runtime/ArrayPrototype.cpp:
2153         (JSC::arrayProtoFuncIndexOf):
2154         (JSC::arrayProtoFuncLastIndexOf):
2155
2156 2018-09-26  Koby Boyango  <koby.b@mce.systems>
2157
2158         [JSC] offlineasm parser should handle CRLF in asm files
2159         https://bugs.webkit.org/show_bug.cgi?id=189949
2160
2161         Reviewed by Mark Lam.
2162
2163         * offlineasm/parser.rb:
2164
2165 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2166
2167         [JSC] Optimize Array#lastIndexOf
2168         https://bugs.webkit.org/show_bug.cgi?id=189780
2169
2170         Reviewed by Saam Barati.
2171
2172         Optimize Array#lastIndexOf in the same way as Array#indexOf. We add a fast path
2173         for JSArray with contiguous storage.
2174
2175         * runtime/ArrayPrototype.cpp:
2176         (JSC::arrayProtoFuncLastIndexOf):
2177
2178 2018-09-25  Saam Barati  <sbarati@apple.com>
2179
2180         Calls to baselineCodeBlockForOriginAndBaselineCodeBlock in operationMaterializeObjectInOSR should actually pass in the baseline CodeBlock
2181         https://bugs.webkit.org/show_bug.cgi?id=189940
2182         <rdar://problem/43640987>
2183
2184         Reviewed by Mark Lam.
2185
2186         We were calling baselineCodeBlockForOriginAndBaselineCodeBlock with the FTL
2187         CodeBlock. There is nothing semantically wrong with doing that (except for
2188         poor naming), however, the poor naming here led us to make a real semantic
2189         mistake. We wanted the baseline CodeBlock's constant pool, but we were
2190         accessing the FTL CodeBlock's constant pool accidentally. We need to
2191         access the baseline CodeBlock's constant pool when we update the NewArrayBuffer
2192         constant value.
2193
2194         * bytecode/InlineCallFrame.h:
2195         (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
2196         * ftl/FTLOperations.cpp:
2197         (JSC::FTL::operationMaterializeObjectInOSR):
2198
2199 2018-09-25  Joseph Pecoraro  <pecoraro@apple.com>
2200
2201         Web Inspector: Stricter block syntax in generated ObjC protocol interfaces
2202         https://bugs.webkit.org/show_bug.cgi?id=189962
2203         <rdar://problem/44648287>
2204
2205         Reviewed by Brian Burg.
2206
2207         * inspector/scripts/codegen/generate_objc_header.py:
2208         (ObjCHeaderGenerator._callback_block_for_command):
2209         If there are no return parameters include "void" in the block signature.
2210
2211         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2212         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2213         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2214         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2215         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2216         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2217         Rebaseline test results.
2218
2219 2018-09-24  Joseph Pecoraro  <pecoraro@apple.com>
2220
2221         Remove AUTHORS and THANKS files which are stale
2222         https://bugs.webkit.org/show_bug.cgi?id=189941
2223
2224         Reviewed by Darin Adler.
2225
2226         Included mentions below so their names are still in ChangeLogs.
2227
2228         * AUTHORS: Removed.
2229         Harri Porten (porten@kde.org) and Peter Kelly (pmk@post.com).
2230         These authors remain mentioned in copyrights in source files.
2231
2232         * THANKS: Removed.
2233         Richard Moore <rich@kde.org> - for filling the Math object with some life
2234         Daegeun Lee <realking@mizi.com> - for pointing out some bugs and providing much code for the String and Date object.
2235         Marco Pinelli <pinmc@libero.it> - for his patches
2236         Christian Kirsch <ck@held.mind.de> - for his contribution to the Date object
2237         
2238 2018-09-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2239
2240         Rename WTF_COMPILER_GCC_OR_CLANG to WTF_COMPILER_GCC_COMPATIBLE
2241         https://bugs.webkit.org/show_bug.cgi?id=189733
2242
2243         Reviewed by Michael Catanzaro.
2244
2245         * assembler/ARM64Assembler.h:
2246         * assembler/ARMAssembler.h:
2247         (JSC::ARMAssembler::cacheFlush):
2248         * assembler/MacroAssemblerARM.cpp:
2249         (JSC::isVFPPresent):
2250         * assembler/MacroAssemblerARM64.cpp:
2251         * assembler/MacroAssemblerARMv7.cpp:
2252         * assembler/MacroAssemblerMIPS.cpp:
2253         * assembler/MacroAssemblerX86Common.cpp:
2254         * heap/HeapCell.cpp:
2255         * heap/HeapCell.h:
2256         * jit/HostCallReturnValue.h:
2257         * jit/JIT.h:
2258         * jit/JITOperations.cpp:
2259         * jit/ThunkGenerators.cpp:
2260         * runtime/ArrayConventions.cpp:
2261         (JSC::clearArrayMemset):
2262         * runtime/JSBigInt.cpp:
2263         (JSC::JSBigInt::digitDiv):
2264
2265 2018-09-24  Saam Barati  <sbarati@apple.com>
2266
2267         Array.prototype.indexOf fast path needs to ensure the length is still valid after performing effects
2268         https://bugs.webkit.org/show_bug.cgi?id=189922
2269         <rdar://problem/44651275>
2270
2271         Reviewed by Mark Lam.
2272
2273         The implementation was first getting the length to iterate up to,
2274         then getting the starting index. However, getting the starting
2275         index may perform effects. e.g., it could change the length of the
2276         array. This changes it so we verify the length is still valid.
2277
2278         * runtime/ArrayPrototype.cpp:
2279         (JSC::arrayProtoFuncIndexOf):
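
The hazard described in this entry, as an added example that is not JSC's code: a spec-faithful Array.prototype.indexOf beside a naive contiguous-storage fast path that caches the length before coercing `fromIndex`, and a checked fast path that re-validates the length after that coercion. Function names and the shape of the fallback are assumptions, not the JSC implementation.

```javascript
// Added example (not JSC's code). All function names are assumptions.

// ToIntegerOrInfinity: Number() on an object calls its valueOf/toString,
// which is where user code can run and mutate the array.
function toIntegerOrInfinity(value) {
  const n = Number(value);
  return Number.isNaN(n) ? 0 : Math.trunc(n);
}

// Spec steps 6-7: turn n into the first index to examine, given `len`.
function startIndex(n, len) {
  if (n === Infinity) return len;      // nothing to examine
  if (n === -Infinity) return 0;
  return n >= 0 ? n : Math.max(len + n, 0);
}

// Spec step 8: HasProperty is checked per index, so indices that no longer
// exist (because the array shrank) are skipped rather than compared.
function genericSearch(array, searchElement, k, len) {
  for (; k < len; k++) {
    if (k in array && array[k] === searchElement) return k;
  }
  return -1;
}

function specIndexOf(array, searchElement, fromIndex) {
  const len = array.length;
  if (len === 0) return -1;
  const k = startIndex(toIntegerOrInfinity(fromIndex), len); // may run user code
  return genericSearch(array, searchElement, k, len);
}

// The bug pattern: `len` is read, then fromIndex is coerced (effects!), then
// the stale `len` drives a loop that indexes the storage directly.
function naiveFastIndexOf(array, searchElement, fromIndex) {
  const len = array.length;
  if (len === 0) return -1;
  const k0 = startIndex(toIntegerOrInfinity(fromIndex), len);
  for (let k = k0; k < len; k++) {
    // With native storage, indices past the new length are no longer
    // guaranteed to be valid; here in JS they just read `undefined`.
    if (array[k] === searchElement) return k;
  }
  return -1;
}

// The fix pattern: after the effectful coercion, confirm the length is still
// the one the loop was planned around; if not, take the generic path.
function checkedFastIndexOf(array, searchElement, fromIndex) {
  const len = array.length;
  if (len === 0) return -1;
  const k0 = startIndex(toIntegerOrInfinity(fromIndex), len);
  if (array.length !== len) return genericSearch(array, searchElement, k0, len);
  for (let k = k0; k < len; k++) {
    if (array[k] === searchElement) return k;
  }
  return -1;
}

// Constructed input: a fromIndex whose coercion empties the array.
function shrinkingFromIndex(array) {
  return { valueOf() { array.length = 0; return 0; } };
}

// Run all three on a fresh two-element array each; only the naive fast path
// "finds" undefined at index 0 after the array has already been emptied.
function demo() {
  const fresh = () => [undefined, undefined];
  const results = {};
  let a = fresh(); results.spec = specIndexOf(a, undefined, shrinkingFromIndex(a));
  a = fresh(); results.naive = naiveFastIndexOf(a, undefined, shrinkingFromIndex(a));
  a = fresh(); results.checked = checkedFastIndexOf(a, undefined, shrinkingFromIndex(a));
  a = fresh(); results.native = a.indexOf(undefined, shrinkingFromIndex(a)); // engine under test
  return results; // spec: -1, naive: 0 (wrong), checked: -1, native: whatever your engine does
}
```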
2280
2281 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2282
2283         offlineasm: fix macro scoping
2284         https://bugs.webkit.org/show_bug.cgi?id=189902
2285
2286         Reviewed by Mark Lam.
2287
2288         In the code below, the reference to `f` in `g`, which should refer to
2289         the outer macro definition, will instead refer to the `f` argument of the
2290         anonymous macro passed to `g`. That leads to this code failing to
2291         compile (f expected 0 args but got 1).
2292         
2293         ```
2294         macro f(x)
2295             move x, t0
2296         end
2297         
2298         macro g(fn)
2299             fn(macro () f(42) end)
2300         end
2301         
2302         g(macro(f) f() end)
2303         ```
2304
2305         * offlineasm/ast.rb:
2306         * offlineasm/transform.rb:
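
The scoping mistake above, as an added example that is not offlineasm's ast.rb or transform.rb: a toy macro expander over a hand-built AST for the snippet in this entry. A macro is a closure over the environment it was written in; expanding its body in a child of the call-site environment instead (the bug) lets the caller's parameter `f` shadow the outer macro `f` and produces the arity error quoted above. All node shapes and helper names are assumptions.

```javascript
// Added example (not offlineasm's code). Node shapes and names are assumptions.

const macroDef = (name, params, body) => ({ kind: 'macroDef', name, params, body });
const macroLit = (params, body) => ({ kind: 'macroLit', params, body });
const call = (name, args) => ({ kind: 'call', name, args });
const move = (src, dst) => ({ kind: 'move', src, dst });

class Env {
  constructor(parent = null) { this.parent = parent; this.vars = new Map(); }
  define(name, value) { this.vars.set(name, value); }
  lookup(name) {                      // undefined when unbound (e.g. register t0)
    for (let e = this; e; e = e.parent) if (e.vars.has(name)) return e.vars.get(name);
    return undefined;
  }
}

// A macro value remembers the environment in which it was written.
const closure = (params, body, env) => ({ params, body, env });

function expandStmt(stmt, env, out, lexical) {
  switch (stmt.kind) {
    case 'macroDef':
      env.define(stmt.name, closure(stmt.params, stmt.body, env));
      return;
    case 'move': {
      // Substitute parameters bound to plain operands; leave registers alone.
      const resolve = (operand) => {
        const v = env.lookup(operand);
        return typeof v === 'number' || typeof v === 'string' ? String(v) : operand;
      };
      out.push(`move ${resolve(stmt.src)}, ${resolve(stmt.dst)}`);
      return;
    }
    case 'call': {
      const m = env.lookup(stmt.name);
      if (!m || !m.params) throw new Error(`${stmt.name} is not a macro`);
      if (m.params.length !== stmt.args.length)
        throw new Error(`${stmt.name} expected ${m.params.length} args but got ${stmt.args.length}`);
      // Correct: bind parameters in a child of the definition-site env.
      // Bug:     bind them in a child of the call-site env (dynamic scoping).
      const scope = new Env(lexical ? m.env : env);
      m.params.forEach((p, i) => {
        const a = stmt.args[i];
        // A macro literal passed as an argument closes over the call site,
        // because that is where it was written.
        scope.define(p, a && a.kind === 'macroLit' ? closure(a.params, a.body, env) : a);
      });
      for (const s of m.body) expandStmt(s, scope, out, lexical);
      return;
    }
    default:
      throw new Error(`unknown node ${stmt.kind}`);
  }
}

// Expand a whole program and return the emitted instruction lines.
function expandProgram(stmts, { lexical }) {
  const out = [];
  const global = new Env();
  for (const s of stmts) expandStmt(s, global, out, lexical);
  return out;
}

// The ChangeLog snippet as an AST:
//   macro f(x) move x, t0 end
//   macro g(fn) fn(macro () f(42) end) end
//   g(macro(f) f() end)
const program = [
  macroDef('f', ['x'], [move('x', 't0')]),
  macroDef('g', ['fn'], [call('fn', [macroLit([], [call('f', [42])])])]),
  call('g', [macroLit(['f'], [call('f', [])])]),
];
```

With lexical scoping the program expands to `move 42, t0`; with call-site scoping the inner `f(42)` resolves to the zero-argument parameter and expansion fails with "f expected 0 args but got 1".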
2307
2308 2018-09-24  Tadeu Zagallo  <tzagallo@apple.com>
2309
2310         Add forEach method for iterating CodeBlock's ValueProfiles
2311         https://bugs.webkit.org/show_bug.cgi?id=189897
2312
2313         Reviewed by Mark Lam.
2314
2315         Add method to abstract how we find ValueProfiles in a CodeBlock in
2316         preparation for https://bugs.webkit.org/show_bug.cgi?id=189785, when
2317         ValueProfiles will be stored in the MetadataTable.
2318
2319         * bytecode/CodeBlock.cpp:
2320         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2321         (JSC::CodeBlock::updateAllValueProfilePredictions):
2322         (JSC::CodeBlock::shouldOptimizeNow):
2323         (JSC::CodeBlock::dumpValueProfiles):
2324         * bytecode/CodeBlock.h:
2325         (JSC::CodeBlock::forEachValueProfile):
2326         (JSC::CodeBlock::numberOfArgumentValueProfiles):
2327         (JSC::CodeBlock::valueProfileForArgument):
2328         (JSC::CodeBlock::numberOfValueProfiles):
2329         (JSC::CodeBlock::valueProfile):
2330         (JSC::CodeBlock::totalNumberOfValueProfiles): Deleted.
2331         (JSC::CodeBlock::getFromAllValueProfiles): Deleted.
2332         * tools/HeapVerifier.cpp:
2333         (JSC::HeapVerifier::validateJSCell):
2334
2335 2018-09-24  Saam barati  <sbarati@apple.com>
2336
2337         ArgumentsEliminationPhase should snip basic blocks after proven OSR exits
2338         https://bugs.webkit.org/show_bug.cgi?id=189682
2339         <rdar://problem/43557315>
2340
2341         Reviewed by Mark Lam.
2342
2343         Otherwise, if we have code like this:
2344         ```
2345         a: Arguments
2346         b: GetButterfly(@a)
2347         c: ForceExit
2348         d: GetArrayLength(@a, @b)
2349         ```
2350         it will get transformed into this invalid DFG IR:
2351         ```
2352         a: PhantomArguments
2353         b: Check(@a)
2354         c: ForceExit
2355         d: GetArrayLength(@a, @b)
2356         ```
2357         
2358         And we will fail DFG validation since @b does not have a result.
2359         
2360         The fix is to just remove all nodes after the ForceExit and plant an
2361         Unreachable after it. So the above program will now turn into this:
2362         ```
2363         a: PhantomArguments
2364         b: Check(@a)
2365         c: ForceExit
2366         e: Unreachable
2367         ```
2368
2369         * dfg/DFGArgumentsEliminationPhase.cpp:
2370
2371 2018-09-22  Saam barati  <sbarati@apple.com>
2372
2373         The sampling should not use Strong<CodeBlock> in its machineLocation field
2374         https://bugs.webkit.org/show_bug.cgi?id=189319
2375
2376         Reviewed by Filip Pizlo.
2377
2378         The sampling profiler has a CLI mode where we gather information about inline
2379         call frames. That data structure was using a Strong<CodeBlock>. We were
2380         constructing this Strong<CodeBlock> during GC concurrently to processing all
2381         the Strong handles. This is a bug since we end up corrupting that data
2382         structure. This patch fixes this by just making this data structure use the
2383         sampling profiler's mechanism for holding onto and properly visiting heap pointers.
2384
2385         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2386         (Inspector::InspectorScriptProfilerAgent::trackingComplete):
2387         * runtime/SamplingProfiler.cpp:
2388         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2389
2390         (JSC::SamplingProfiler::reportTopFunctions):
2391         (JSC::SamplingProfiler::reportTopBytecodes):
2392         These CLI helpers needed a DeferGC otherwise we may end up deadlocking when we
2393         cause a GC to happen while already holding the sampling profiler's
2394         lock.
2395
2396 2018-09-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2397
2398         [JSC] Enable LLInt ASM interpreter on X64 and ARM64 in non JIT configuration
2399         https://bugs.webkit.org/show_bug.cgi?id=189778
2400
2401         Reviewed by Keith Miller.
2402
2403         LLInt ASM interpreter is 2x and 15% faster than CLoop interpreter on
2404         Linux and macOS respectively. We would like to enable it for non JIT
2405         configurations in X86_64 and ARM64.
2406
2407         This patch enables LLInt for non JIT builds in X86_64 and ARM64 architectures.
2408         Previously, we switched between the LLInt ASM interpreter and CLoop by using the ENABLE(JIT)
2409         configuration. But it is wrong in the new scenario since we have a build
2410         configuration that uses LLInt ASM interpreter and JIT is disabled. We introduce
2411         ENABLE(C_LOOP) option, which represents that we use CLoop. And we replace
2412         ENABLE(JIT) with ENABLE(C_LOOP) if the previous ENABLE(JIT) is essentially just
2413         related to LLInt ASM interpreter and not related to JIT.
2414
2415         We also replace some ENABLE(JIT) configurations with ENABLE(ASSEMBLER).
2416         ENABLE(ASSEMBLER) is now enabled even if we disable JIT since MacroAssembler
2417         has machine register information that is used in LLInt ASM interpreter.
2418
2419         * API/tests/PingPongStackOverflowTest.cpp:
2420         (testPingPongStackOverflow):
2421         * CMakeLists.txt:
2422         * JavaScriptCore.xcodeproj/project.pbxproj:
2423         * assembler/MaxFrameExtentForSlowPathCall.h:
2424         * bytecode/CallReturnOffsetToBytecodeOffset.h: Removed. It is no longer used.
2425         * bytecode/CodeBlock.cpp:
2426         (JSC::CodeBlock::finishCreation):
2427         * bytecode/CodeBlock.h:
2428         (JSC::CodeBlock::calleeSaveRegisters const):
2429         (JSC::CodeBlock::numberOfLLIntBaselineCalleeSaveRegisters):
2430         (JSC::CodeBlock::llintBaselineCalleeSaveSpaceAsVirtualRegisters):
2431         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2432         * bytecode/Opcode.h:
2433         (JSC::padOpcodeName):
2434         * heap/Heap.cpp:
2435         (JSC::Heap::gatherJSStackRoots):
2436         (JSC::Heap::stopThePeriphery):
2437         * interpreter/CLoopStack.cpp:
2438         * interpreter/CLoopStack.h:
2439         * interpreter/CLoopStackInlines.h:
2440         * interpreter/EntryFrame.h:
2441         * interpreter/Interpreter.cpp:
2442         (JSC::Interpreter::Interpreter):
2443         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2444         * interpreter/Interpreter.h:
2445         * interpreter/StackVisitor.cpp:
2446         (JSC::StackVisitor::Frame::calleeSaveRegisters):
2447         * interpreter/VMEntryRecord.h:
2448         * jit/ExecutableAllocator.h:
2449         * jit/FPRInfo.h:
2450         (WTF::printInternal):
2451         * jit/GPRInfo.cpp:
2452         * jit/GPRInfo.h:
2453         (WTF::printInternal):
2454         * jit/HostCallReturnValue.cpp:
2455         (JSC::getHostCallReturnValueWithExecState): Moved. They are used in LLInt ASM interpreter too.
2456         * jit/HostCallReturnValue.h:
2457         * jit/JITOperations.cpp:
2458         (JSC::getHostCallReturnValueWithExecState): Deleted.
2459         * jit/JITOperationsMSVC64.cpp:
2460         * jit/Reg.cpp:
2461         * jit/Reg.h:
2462         * jit/RegisterAtOffset.cpp:
2463         * jit/RegisterAtOffset.h:
2464         * jit/RegisterAtOffsetList.cpp:
2465         * jit/RegisterAtOffsetList.h:
2466         * jit/RegisterMap.h:
2467         * jit/RegisterSet.cpp:
2468         * jit/RegisterSet.h:
2469         * jit/TempRegisterSet.cpp:
2470         * jit/TempRegisterSet.h:
2471         * llint/LLIntCLoop.cpp:
2472         * llint/LLIntCLoop.h:
2473         * llint/LLIntData.cpp:
2474         (JSC::LLInt::initialize):
2475         (JSC::LLInt::Data::performAssertions):
2476         * llint/LLIntData.h:
2477         * llint/LLIntOfflineAsmConfig.h:
2478         * llint/LLIntOpcode.h:
2479         * llint/LLIntPCRanges.h:
2480         * llint/LLIntSlowPaths.cpp:
2481         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2482         * llint/LLIntSlowPaths.h:
2483         * llint/LLIntThunks.cpp:
2484         * llint/LowLevelInterpreter.cpp:
2485         * llint/LowLevelInterpreter.h:
2486         * runtime/JSCJSValue.h:
2487         * runtime/MachineContext.h:
2488         * runtime/SamplingProfiler.cpp:
2489         (JSC::SamplingProfiler::processUnverifiedStackTraces): Enable SamplingProfiler
2490         for LLInt ASM interpreter with non JIT configuration.
2491         * runtime/TestRunnerUtils.cpp:
2492         (JSC::optimizeNextInvocation):
2493         * runtime/VM.cpp:
2494         (JSC::VM::VM):
2495         (JSC::VM::getHostFunction):
2496         (JSC::VM::updateSoftReservedZoneSize):
2497         (JSC::sanitizeStackForVM):
2498         (JSC::VM::committedStackByteCount):
2499         * runtime/VM.h:
2500         * runtime/VMInlines.h:
2501         (JSC::VM::ensureStackCapacityFor):
2502         (JSC::VM::isSafeToRecurseSoft const):
2503
2504 2018-09-21  Keith Miller  <keith_miller@apple.com>
2505
2506         Add Promise SPI
2507         https://bugs.webkit.org/show_bug.cgi?id=189809
2508
2509         Reviewed by Saam Barati.
2510
2511         The patch adds new SPI to create promises. It's mostly SPI because
2512         I want to see how internal users react to it before we make it
2513         public.
2514
2515         This patch adds a couple of new Obj-C SPI methods. The first
2516         creates a new promise using the same API that JS does where the
2517         user provides an executor callback. If an exception is raised
2518         in/to that callback the promise is automagically rejected. The
2519         other methods create a pre-resolved or rejected promise as this
2520         appears to be a common way to initialize a promise.
2521
2522         I was also considering adding a second version of executor API
2523         where it would catch specific Obj-C exceptions. This would work by
2524         taking a Class parameter and checking isKindOfClass: on the
2525         exception. I decided against this as nothing else in our API
2526         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2527         corrupt state if an Obj-C exception unwinds through JS frames.
2528
2529         This patch adds a new C function that will create a "deferred"
2530         promise. A deferred promise is a style of creating promise/futures
2531         where the resolve and reject functions are passed as outputs of a
2532         function. I went with this style for the C SPI because we don't have
2533         any concept of forwarding exceptions in the C API.
2534
2535         In order to make the C API work I refactored a bit of the promise code
2536         so that we can call a static method on JSDeferredPromise and just get
2537         the components without allocating an extra cell wrapper.
2538
2539         * API/JSContext.mm:
2540         (+[JSContext currentCallee]):
2541         * API/JSObjectRef.cpp:
2542         (JSObjectMakeDeferredPromise):
2543         * API/JSObjectRefPrivate.h:
2544         * API/JSValue.mm:
2545         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2546         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2547         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2548         * API/JSValuePrivate.h: Added.
2549         * API/JSVirtualMachine.mm:
2550         * API/JSVirtualMachinePrivate.h:
2551         * API/tests/testapi.c:
2552         (main):
2553         * API/tests/testapi.cpp:
2554         (APIContext::operator JSC::ExecState*):
2555         (TestAPI::failed const):
2556         (TestAPI::check):
2557         (TestAPI::basicSymbol):
2558         (TestAPI::symbolsTypeof):
2559         (TestAPI::symbolsGetPropertyForKey):
2560         (TestAPI::symbolsSetPropertyForKey):
2561         (TestAPI::symbolsHasPropertyForKey):
2562         (TestAPI::symbolsDeletePropertyForKey):
2563         (TestAPI::promiseResolveTrue):
2564         (TestAPI::promiseRejectTrue):
2565         (testCAPIViaCpp):
2566         (TestAPI::run): Deleted.
2567         * API/tests/testapi.mm:
2568         (testObjectiveCAPIMain):
2569         (promiseWithExecutor):
2570         (promiseRejectOnJSException):
2571         (promiseCreateResolved):
2572         (promiseCreateRejected):
2573         (parallelPromiseResolveTest):
2574         (testObjectiveCAPI):
2575         * JavaScriptCore.xcodeproj/project.pbxproj:
2576         * runtime/JSInternalPromiseDeferred.cpp:
2577         (JSC::JSInternalPromiseDeferred::create):
2578         * runtime/JSPromise.h:
2579         * runtime/JSPromiseConstructor.cpp:
2580         (JSC::constructPromise):
2581         * runtime/JSPromiseDeferred.cpp:
2582         (JSC::JSPromiseDeferred::createDeferredData):
2583         (JSC::JSPromiseDeferred::create):
2584         (JSC::JSPromiseDeferred::finishCreation):
2585         (JSC::newPromiseCapability): Deleted.
2586         * runtime/JSPromiseDeferred.h:
2587         (JSC::JSPromiseDeferred::promise const):
2588         (JSC::JSPromiseDeferred::resolve const):
2589         (JSC::JSPromiseDeferred::reject const):
2590
2591 2018-09-21  Ryan Haddad  <ryanhaddad@apple.com>
2592
2593         Unreviewed, rolling out r236359.
2594
2595         Broke the Windows build.
2596
2597         Reverted changeset:
2598
2599         "Add Promise SPI"
2600         https://bugs.webkit.org/show_bug.cgi?id=189809
2601         https://trac.webkit.org/changeset/236359
2602
2603 2018-09-21  Mark Lam  <mark.lam@apple.com>
2604
2605         JSRopeString::resolveRope() wrongly assumes that tryGetValue() passes it a valid ExecState.
2606         https://bugs.webkit.org/show_bug.cgi?id=189855
2607         <rdar://problem/44680181>
2608
2609         Reviewed by Filip Pizlo.
2610
2611         tryGetValue() always passes a nullptr to JSRopeString::resolveRope() for the
2612         ExecState* argument.  This is intentional so that resolveRope() does not throw
2613         in the event of an OutOfMemory error.  Hence, JSRopeString::resolveRope() should
2614         get the VM from the cell instead of via the ExecState.
2615
2616         Also removed an obsolete and unused field in JSString.
2617
2618         * runtime/JSString.cpp:
2619         (JSC::JSRopeString::resolveRope const):
2620         (JSC::JSRopeString::outOfMemory const):
2621         * runtime/JSString.h:
2622         (JSC::JSString::tryGetValue const):
2623
2624 2018-09-21  Michael Saboff  <msaboff@apple.com>
2625
2626         Add functions to measure memory footprint to JSC
2627         https://bugs.webkit.org/show_bug.cgi?id=189768
2628
2629         Reviewed by Saam Barati.
2630
2631         Rolling this back in again.
2632
2633         Provide system memory metrics for the current process to aid in memory reduction measurement and
2634         tuning using native JS tests.
2635
2636         * jsc.cpp:
2637         (MemoryFootprint::now):
2638         (MemoryFootprint::resetPeak):
2639         (GlobalObject::finishCreation):
2640         (JSCMemoryFootprint::JSCMemoryFootprint):
2641         (JSCMemoryFootprint::createStructure):
2642         (JSCMemoryFootprint::create):
2643         (JSCMemoryFootprint::finishCreation):
2644         (JSCMemoryFootprint::addProperty):
2645         (functionResetMemoryPeak):
2646
2647 2018-09-21  Keith Miller  <keith_miller@apple.com>
2648
2649         Add Promise SPI
2650         https://bugs.webkit.org/show_bug.cgi?id=189809
2651
2652         Reviewed by Saam Barati.
2653
2654         The patch adds new SPI to create promises. It's mostly SPI because
2655         I want to see how internal users react to it before we make it
2656         public.
2657
2658         This patch adds a couple of new Obj-C SPI methods. The first
2659         creates a new promise using the same API that JS does where the
2660         user provides an executor callback. If an exception is raised
2661         in/to that callback the promise is automagically rejected. The
2662         other methods create a pre-resolved or rejected promise as this
2663         appears to be a common way to initialize a promise.
2664
2665         I was also considering adding a second version of executor API
2666         where it would catch specific Obj-C exceptions. This would work by
2667         taking a Class parameter and checking isKindOfClass: on the
2668         exception. I decided against this as nothing else in our API
2669         handles Obj-C exceptions. I'm pretty sure the VM will end up in a
2670         corrupt state if an Obj-C exception unwinds through JS frames.
2671
2672         This patch adds a new C function that will create a "deferred"
2673         promise. A deferred promise is a style of creating promise/futures
2674         where the resolve and reject functions are passed as outputs of a
2675         function. I went with this style for the C SPI because we don't have
2676         any concept of forwarding exceptions in the C API.
2677
2678         In order to make the C API work I refactored a bit of the promise code
2679         so that we can call a static method on JSDeferredPromise and just get
2680         the components without allocating an extra cell wrapper.
2681
2682         * API/JSContext.mm:
2683         (+[JSContext currentCallee]):
2684         * API/JSObjectRef.cpp:
2685         (JSObjectMakeDeferredPromise):
2686         * API/JSObjectRefPrivate.h:
2687         * API/JSValue.mm:
2688         (+[JSValue valueWithNewPromiseInContext:fromExecutor:]):
2689         (+[JSValue valueWithNewPromiseResolvedWithResult:inContext:]):
2690         (+[JSValue valueWithNewPromiseRejectedWithReason:inContext:]):
2691         * API/JSValuePrivate.h: Added.
2692         * API/JSVirtualMachine.mm:
2693         * API/JSVirtualMachinePrivate.h:
2694         * API/tests/testapi.c:
2695         (main):
2696         * API/tests/testapi.cpp:
2697         (APIContext::operator JSC::ExecState*):
2698         (TestAPI::failed const):
2699         (TestAPI::check):
2700         (TestAPI::basicSymbol):
2701         (TestAPI::symbolsTypeof):
2702         (TestAPI::symbolsGetPropertyForKey):
2703         (TestAPI::symbolsSetPropertyForKey):
2704         (TestAPI::symbolsHasPropertyForKey):
2705         (TestAPI::symbolsDeletePropertyForKey):
2706         (TestAPI::promiseResolveTrue):
2707         (TestAPI::promiseRejectTrue):
2708         (testCAPIViaCpp):
2709         (TestAPI::run): Deleted.
2710         * API/tests/testapi.mm:
2711         (testObjectiveCAPIMain):
2712         (promiseWithExecutor):
2713         (promiseRejectOnJSException):
2714         (promiseCreateResolved):
2715         (promiseCreateRejected):
2716         (parallelPromiseResolveTest):
2717         (testObjectiveCAPI):
2718         * JavaScriptCore.xcodeproj/project.pbxproj:
2719         * runtime/JSInternalPromiseDeferred.cpp:
2720         (JSC::JSInternalPromiseDeferred::create):
2721         * runtime/JSPromise.h:
2722         * runtime/JSPromiseConstructor.cpp:
2723         (JSC::constructPromise):
2724         * runtime/JSPromiseDeferred.cpp:
2725         (JSC::JSPromiseDeferred::createDeferredData):
2726         (JSC::JSPromiseDeferred::create):
2727         (JSC::JSPromiseDeferred::finishCreation):
2728         (JSC::newPromiseCapability): Deleted.
2729         * runtime/JSPromiseDeferred.h:
2730         (JSC::JSPromiseDeferred::promise const):
2731         (JSC::JSPromiseDeferred::resolve const):
2732         (JSC::JSPromiseDeferred::reject const):
2733
2734 2018-09-21  Truitt Savell  <tsavell@apple.com>
2735
2736         Rebaseline tests after changes in https://trac.webkit.org/changeset/236321/webkit
2737         https://bugs.webkit.org/show_bug.cgi?id=156674
2738
2739         Unreviewed Test Gardening
2740
2741         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2742         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2743
2744 2018-09-21  Mike Gorse  <mgorse@suse.com>
2745
2746         Build tools should work when the /usr/bin/python is python3
2747         https://bugs.webkit.org/show_bug.cgi?id=156674
2748
2749         Reviewed by Michael Catanzaro.
2750
2751         * Scripts/cssmin.py:
2752         * Scripts/generate-js-builtins.py:
2753         (do_open):
2754         (generate_bindings_for_builtins_files):
2755         * Scripts/generateIntlCanonicalizeLanguage.py:
2756         * Scripts/jsmin.py:
2757         (JavascriptMinify.minify.write):
2758         (JavascriptMinify):
2759         (JavascriptMinify.minify):
2760         * Scripts/make-js-file-arrays.py:
2761         (chunk):
2762         (main):
2763         * Scripts/wkbuiltins/__init__.py:
2764         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2765         (generate_section_for_global_private_code_name_macro):
2766         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_header.py:
2767         (BuiltinsInternalsWrapperHeaderGenerator.__init__):
2768         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py:
2769         (BuiltinsInternalsWrapperImplementationGenerator.__init__):
2770         * Scripts/wkbuiltins/builtins_model.py:
2771         (BuiltinFunction.__lt__):
2772         (BuiltinsCollection.copyrights):
2773         (BuiltinsCollection._parse_functions):
2774         * disassembler/udis86/ud_opcode.py:
2775         (UdOpcodeTables.pprint.printWalk):
2776         * generate-bytecode-files:
2777         * inspector/scripts/codegen/__init__.py:
2778         * inspector/scripts/codegen/cpp_generator.py:
2779         * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
2780         (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
2781         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
2782         (CppBackendDispatcherHeaderGenerator.domains_to_generate):
2783         (CppBackendDispatcherHeaderGenerator.generate_output):
2784         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
2785         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2786         (CppBackendDispatcherImplementationGenerator.domains_to_generate):
2787         (CppBackendDispatcherImplementationGenerator.generate_output):
2788         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
2789         (CppFrontendDispatcherHeaderGenerator.domains_to_generate):
2790         (CppFrontendDispatcherHeaderGenerator.generate_output):
2791         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2792         (CppFrontendDispatcherImplementationGenerator.domains_to_generate):
2793         (CppFrontendDispatcherImplementationGenerator.generate_output):
2794         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2795         (CppProtocolTypesHeaderGenerator.generate_output):
2796         (CppProtocolTypesHeaderGenerator._generate_forward_declarations):
2797         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2798         (CppProtocolTypesImplementationGenerator.generate_output):
2799         (CppProtocolTypesImplementationGenerator._generate_enum_conversion_methods_for_domain):
2800         (CppProtocolTypesImplementationGenerator._generate_enum_mapping_and_conversion_methods):
2801         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2802         (CppProtocolTypesImplementationGenerator._generate_builders_for_domain):
2803         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2804         * inspector/scripts/codegen/generate_js_backend_commands.py:
2805         (JSBackendCommandsGenerator.should_generate_domain):
2806         (JSBackendCommandsGenerator.domains_to_generate):
2807         (JSBackendCommandsGenerator.generate_output):
2808         (JSBackendCommandsGenerator.generate_domain):
2809         * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
2810         (ObjCBackendDispatcherHeaderGenerator.domains_to_generate):
2811         (ObjCBackendDispatcherHeaderGenerator.generate_output):
2812         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2813         (ObjCBackendDispatcherImplementationGenerator.domains_to_generate):
2814         (ObjCBackendDispatcherImplementationGenerator.generate_output):
2815         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2816         * inspector/scripts/codegen/generate_objc_configuration_header.py:
2817         * inspector/scripts/codegen/generate_objc_configuration_implementation.py:
2818         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2819         (ObjCFrontendDispatcherImplementationGenerator.domains_to_generate):
2820         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
2821         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2822         * inspector/scripts/codegen/generate_objc_header.py:
2823         (ObjCHeaderGenerator.generate_output):
2824         (ObjCHeaderGenerator._generate_type_interface):
2825         * inspector/scripts/codegen/generate_objc_internal_header.py:
2826         (ObjCInternalHeaderGenerator.generate_output):
2827         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2828         (ObjCProtocolTypeConversionsHeaderGenerator.domains_to_generate):
2829         (ObjCProtocolTypeConversionsHeaderGenerator.generate_output):
2830         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_implementation.py:
2831         (ObjCProtocolTypeConversionsImplementationGenerator.domains_to_generate):
2832         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
2833         (ObjCProtocolTypesImplementationGenerator.domains_to_generate):
2834         (ObjCProtocolTypesImplementationGenerator.generate_output):
2835         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
2836         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_required_members):
2837         * inspector/scripts/codegen/generator.py:
2838         (Generator.non_supplemental_domains):
2839         (Generator.open_fields):
2840         (Generator.calculate_types_requiring_shape_assertions):
2841         (Generator._traverse_and_assign_enum_values):
2842         (Generator.stylized_name_for_enum_value):
2843         * inspector/scripts/codegen/models.py:
2844         (find_duplicates):
2845         * inspector/scripts/codegen/objc_generator.py:
2846         * wasm/generateWasm.py:
2847         (opcodeIterator):
2848         * yarr/generateYarrCanonicalizeUnicode:
2849         * yarr/generateYarrUnicodePropertyTables.py:
2850         * yarr/hasher.py:
2851         (stringHash):
2852
2853 2018-09-21  Tomas Popela  <tpopela@redhat.com>
2854
2855         [ARM] Build broken on armv7hl after r235517
2856         https://bugs.webkit.org/show_bug.cgi?id=189831
2857
2858         Reviewed by Yusuke Suzuki.
2859
2860         Add missing implementation of patchableBranch8() for traditional ARM.
2861
2862         * assembler/MacroAssemblerARM.h:
2863         (JSC::MacroAssemblerARM::patchableBranch8):
2864
2865 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2866
2867         Unreviewed, rolling out r236293.
2868
2869         Internal build still broken.
2870
2871         Reverted changeset:
2872
2873         "Add functions to measure memory footprint to JSC"
2874         https://bugs.webkit.org/show_bug.cgi?id=189768
2875         https://trac.webkit.org/changeset/236293
2876
2877 2018-09-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2878
2879         [JSC] Heap::reportExtraMemoryVisited shows contention if we have many JSString
2880         https://bugs.webkit.org/show_bug.cgi?id=189558
2881
2882         Reviewed by Mark Lam.
2883
2884         When running web-tooling-benchmark postcss test on Linux JSCOnly port, we get the following result in `perf report`.
2885
2886             10.95%  AutomaticThread  libJavaScriptCore.so.1.0.0  [.] JSC::Heap::reportExtraMemoryVisited
2887
2888         This is because postcss produces a bunch of JSStrings, which require reportExtraMemoryVisited calls in JSString::visitChildren.
2889         And since reportExtraMemoryVisited attempts to update an atomic counter, if we have a bunch of marking threads, it becomes super contended.
2890
2891         This patch reduces the frequency of updating the atomic counter. Each SlotVisitor has a per-SlotVisitor m_extraMemorySize counter.
2892         And we propagate this value to the global atomic counter when rebalance happens.
2893
2894         We also reduce HeapCell::heap() access by using `vm.heap`.
2895
2896         * heap/SlotVisitor.cpp:
2897         (JSC::SlotVisitor::didStartMarking):
2898         (JSC::SlotVisitor::propagateExternalMemoryVisitedIfNecessary):
2899         (JSC::SlotVisitor::drain):
2900         (JSC::SlotVisitor::performIncrementOfDraining):
2901         * heap/SlotVisitor.h:
2902         * heap/SlotVisitorInlines.h:
2903         (JSC::SlotVisitor::reportExtraMemoryVisited):
2904         * runtime/JSString.cpp:
2905         (JSC::JSRopeString::resolveRopeToAtomicString const):
2906         (JSC::JSRopeString::resolveRope const):
2907         * runtime/JSString.h:
2908         (JSC::JSString::finishCreation):
2909         * wasm/js/JSWebAssemblyInstance.cpp:
2910         (JSC::JSWebAssemblyInstance::finishCreation):
2911         * wasm/js/JSWebAssemblyMemory.cpp:
2912         (JSC::JSWebAssemblyMemory::finishCreation):
2913
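The entry above describes moving the "extra memory visited" bookkeeping from one atomic update per JSString to a per-visitor counter that is folded into the shared atomic only at a synchronisation point. The following is an added illustration of that batching pattern, not JavaScriptCore code: the Heap, SlotVisitor, DrainStats and drainBatched/drainUnbatched names are this example's own stand-ins that only mirror the names in the entry. Visitors run one after another here rather than on separate marking threads, so the example shows the reduction in atomic read-modify-write operations (which is what contends when the visitors are real threads) rather than the timing itself.

```cpp
// Added illustration (not JavaScriptCore code) of per-visitor batching of
// "extra memory visited" counts before touching a shared atomic counter.
// Names mirror the ChangeLog entry but are this example's own.
#include <atomic>
#include <cstddef>
#include <iostream>
#include <vector>

struct Heap {
    // The shared counter that every marking thread used to update directly.
    std::atomic<std::size_t> extraMemoryVisited{0};
    // Instrumentation for the example: how many atomic RMW updates hit the shared counter.
    std::atomic<std::size_t> atomicUpdates{0};

    void reportExtraMemoryVisited(std::size_t bytes) {
        extraMemoryVisited.fetch_add(bytes, std::memory_order_relaxed);
        atomicUpdates.fetch_add(1, std::memory_order_relaxed);
    }
};

class SlotVisitor {
public:
    explicit SlotVisitor(Heap& heap) : m_heap(heap) {}

    // Called once per visited cell that owns out-of-line memory (e.g. a string's
    // character buffer). Only the visitor-local counter is touched here.
    void reportExtraMemoryVisited(std::size_t bytes) { m_extraMemorySize += bytes; }

    // Called at a synchronisation point (the entry uses the rebalance between
    // draining visitors): one atomic update moves the whole local count over.
    void propagateExternalMemoryVisitedIfNecessary() {
        if (!m_extraMemorySize)
            return;
        m_heap.reportExtraMemoryVisited(m_extraMemorySize);
        m_extraMemorySize = 0;
    }

    // A draining step: visit a batch of cells, then propagate once.
    void drain(const std::vector<std::size_t>& cellExtraSizes) {
        for (std::size_t bytes : cellExtraSizes)
            reportExtraMemoryVisited(bytes);
        propagateExternalMemoryVisitedIfNecessary();
    }

private:
    Heap& m_heap;
    std::size_t m_extraMemorySize{0};
};

struct DrainStats { std::size_t bytes; std::size_t atomicUpdates; };

// Constructed workload: `visitors` visitors each visiting `cellsPerVisitor` cells
// with `bytesPerCell` of extra memory. Batched: one atomic update per visitor drain.
DrainStats drainBatched(std::size_t visitors, std::size_t cellsPerVisitor, std::size_t bytesPerCell) {
    Heap heap;
    std::vector<std::size_t> work(cellsPerVisitor, bytesPerCell);
    for (std::size_t i = 0; i < visitors; ++i) {
        SlotVisitor visitor(heap);
        visitor.drain(work);
    }
    return { heap.extraMemoryVisited.load(), heap.atomicUpdates.load() };
}

// The old shape: every cell reports straight to the shared atomic counter.
DrainStats drainUnbatched(std::size_t visitors, std::size_t cellsPerVisitor, std::size_t bytesPerCell) {
    Heap heap;
    for (std::size_t i = 0; i < visitors; ++i)
        for (std::size_t j = 0; j < cellsPerVisitor; ++j)
            heap.reportExtraMemoryVisited(bytesPerCell);
    return { heap.extraMemoryVisited.load(), heap.atomicUpdates.load() };
}

int main() {
    DrainStats batched = drainBatched(4, 1000, 16);
    DrainStats unbatched = drainUnbatched(4, 1000, 16);
    std::cout << "same total bytes: " << (batched.bytes == unbatched.bytes) << "\n"
              << "atomic updates, batched: " << batched.atomicUpdates
              << " unbatched: " << unbatched.atomicUpdates << "\n";
    return 0;
}
```

Both variants report the same total; only the number of contended atomic updates differs (one per visitor drain instead of one per cell). The trade-off is that the shared counter lags the local ones until the next propagation, which is acceptable for a statistic read at the end of a collection cycle.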
2914 2018-09-20  Michael Saboff  <msaboff@apple.com>
2915
2916         Add functions to measure memory footprint to JSC
2917         https://bugs.webkit.org/show_bug.cgi?id=189768
2918
2919         Reviewed by Saam Barati.
2920
2921         Rolling this back in.
2922
2923         Provide system memory metrics for the current process to aid in memory reduction measurement and
2924         tuning using native JS tests.
2925
2926         * jsc.cpp:
2927         (MemoryFootprint::now):
2928         (MemoryFootprint::resetPeak):
2929         (GlobalObject::finishCreation):
2930         (JSCMemoryFootprint::JSCMemoryFootprint):
2931         (JSCMemoryFootprint::createStructure):
2932         (JSCMemoryFootprint::create):
2933         (JSCMemoryFootprint::finishCreation):
2934         (JSCMemoryFootprint::addProperty):
2935         (functionResetMemoryPeak):
2936
2937 2018-09-20  Ryan Haddad  <ryanhaddad@apple.com>
2938
2939         Unreviewed, rolling out r236235.
2940
2941         Breaks internal builds.
2942
2943         Reverted changeset:
2944
2945         "Add functions to measure memory footprint to JSC"
2946         https://bugs.webkit.org/show_bug.cgi?id=189768
2947         https://trac.webkit.org/changeset/236235
2948
2949 2018-09-20  Fujii Hironori  <Hironori.Fujii@sony.com>
2950
2951         [Win][Clang] JITMathIC.h: error: missing 'template' keyword prior to dependent template name 'retagged'
2952         https://bugs.webkit.org/show_bug.cgi?id=189730
2953
2954         Reviewed by Saam Barati.
2955
2956         Clang for Windows can't compile the workaround for the MSVC quirk in generateOutOfLine.
2957
2958         * jit/JITMathIC.h:
2959         (generateOutOfLine): Append "&& !COMPILER(CLANG)" to "#if COMPILER(MSVC)".
2960
2961 2018-09-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2962
2963         [JSC] Optimize Array#indexOf in C++ runtime
2964         https://bugs.webkit.org/show_bug.cgi?id=189507
2965
2966         Reviewed by Saam Barati.
2967
2968         The C++ Array#indexOf runtime function takes so much time in the babylon benchmark in
2969         web-tooling-benchmark. While our DFG and FTL have Array#indexOf optimization
2970         and it is actually working well, C++ Array#indexOf is called a significant number
2971         of times before tiering up, and it takes 6.74% of jsc main thread samples according
2972         to the perf command on Linux. This is because C++ Array#indexOf is too generic and
2973         misses the chance to optimize JSArray cases.
2974
2975         This patch adds a JSArray fast path for Array#indexOf. If we know that indexed
2976         access to the given JSArray is non-observable and the indexing type is good for the fast
2977         path, we go to the fast path. This makes the sampling of Array#indexOf 3.83% in the
2978         babylon web-tooling-benchmark.
2979
2980         * runtime/ArrayPrototype.cpp:
2981         (JSC::arrayProtoFuncIndexOf):
2982         * runtime/JSArray.h:
2983         * runtime/JSArrayInlines.h:
2984         (JSC::JSArray::canDoFastIndexedAccess):
2985         (JSC::toLength):
2986         * runtime/JSCJSValueInlines.h:
2987         (JSC::JSValue::JSValue):
2988         * runtime/JSGlobalObject.h:
2989         * runtime/JSGlobalObjectInlines.h:
2990         (JSC::JSGlobalObject::isArrayPrototypeIndexedAccessFastAndNonObservable):
2991         (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
2992         * runtime/MathCommon.h:
2993         (JSC::canBeStrictInt32):
2994         (JSC::canBeInt32):
2995
2996 2018-09-19  Michael Saboff  <msaboff@apple.com>
2997
2998         Add functions to measure memory footprint to JSC
2999         https://bugs.webkit.org/show_bug.cgi?id=189768
3000
3001         Reviewed by Saam Barati.
3002
3003         Provide system memory metrics for the current process to aid in memory reduction measurement and
3004         tuning using native JS tests.
3005
3006         * jsc.cpp:
3007         (MemoryFootprint::now):
3008         (MemoryFootprint::resetPeak):
3009         (GlobalObject::finishCreation):
3010         (JSCMemoryFootprint::JSCMemoryFootprint):
3011         (JSCMemoryFootprint::createStructure):
3012         (JSCMemoryFootprint::create):
3013         (JSCMemoryFootprint::finishCreation):
3014         (JSCMemoryFootprint::addProperty):
3015         (functionResetMemoryPeak):
3016
3017 2018-09-19  Saam barati  <sbarati@apple.com>
3018
3019         CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
3020         https://bugs.webkit.org/show_bug.cgi?id=189703
3021
3022         Reviewed by Mark Lam.
3023
3024         This fixes a crash that a TypeProfiler change revealed.
3025
3026         * dfg/DFGSpeculativeJIT64.cpp:
3027         (JSC::DFG::SpeculativeJIT::compile):
3028
3029 2018-09-19  Saam barati  <sbarati@apple.com>
3030
3031         AI rule for MultiPutByOffset executes its effects in the wrong order
3032         https://bugs.webkit.org/show_bug.cgi?id=189757
3033         <rdar://problem/43535257>
3034
3035         Reviewed by Michael Saboff.
3036
3037         The AI rule for MultiPutByOffset was executing effects in the wrong order.
3038         It first executed the transition effects and the effects on the base, and
3039         then executed the filtering effects on the value being stored. However, you
3040         can end up with the wrong type when the base and the value being stored
3041         are the same. E.g., in a program like `o.f = o`. These effects need to happen
3042         in the opposite order, modeling what happens in the runtime execution of
3043         MultiPutByOffset.
3044
3045         * dfg/DFGAbstractInterpreterInlines.h:
3046         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3047
3048 2018-09-18  Mark Lam  <mark.lam@apple.com>
3049
3050         Ensure that ForInContexts are invalidated if their loop local is over-written.
3051         https://bugs.webkit.org/show_bug.cgi?id=189571
3052         <rdar://problem/44402277>
3053
3054         Reviewed by Saam Barati.
3055
3056         Instead of hunting down every place in the BytecodeGenerator that potentially
3057         needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
3058         the bytecode range of the loop body when the ForInContext is popped, and
3059         invalidate the context if we ever find the loop temp variable over-written.
3060
3061         This has 2 benefits:
3062         1. It ensures that every type of opcode that can write to the loop temp will be
3063            handled appropriately, not just the op_mov that we've hunted down.
3064         2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
3065            every time we emit an op_mov (or other opcodes that can write to a local)
3066            even when we're not inside a for-in loop.
3067
3068         JSC benchmarks show that this change is performance neutral.
3069
3070         * bytecompiler/BytecodeGenerator.cpp:
3071         (JSC::BytecodeGenerator::pushIndexedForInScope):
3072         (JSC::BytecodeGenerator::popIndexedForInScope):
3073         (JSC::BytecodeGenerator::pushStructureForInScope):
3074         (JSC::BytecodeGenerator::popStructureForInScope):
3075         (JSC::ForInContext::finalize):
3076         (JSC::StructureForInContext::finalize):
3077         (JSC::IndexedForInContext::finalize):
3078         (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
3079         * bytecompiler/BytecodeGenerator.h:
3080         (JSC::ForInContext::ForInContext):
3081         (JSC::ForInContext::bodyBytecodeStartOffset const):
3082         (JSC::StructureForInContext::StructureForInContext):
3083         (JSC::IndexedForInContext::IndexedForInContext):
3084         * bytecompiler/NodesCodegen.cpp:
3085         (JSC::PostfixNode::emitResolve):
3086         (JSC::PrefixNode::emitResolve):
3087         (JSC::ReadModifyResolveNode::emitBytecode):
3088         (JSC::AssignResolveNode::emitBytecode):
3089         (JSC::EmptyLetExpression::emitBytecode):
3090         (JSC::ForInNode::emitLoopHeader):
3091         (JSC::ForOfNode::emitBytecode):
3092         (JSC::BindingNode::bindValue const):
3093         (JSC::AssignmentElementNode::bindValue const):
3094         * runtime/CommonSlowPaths.cpp:
3095         (JSC::SLOW_PATH_DECL):
3096
3097 2018-09-17  Devin Rousso  <drousso@apple.com>
3098
3099         Web Inspector: generate CSSKeywordCompletions from backend values
3100         https://bugs.webkit.org/show_bug.cgi?id=189041
3101
3102         Reviewed by Joseph Pecoraro.
3103
3104         * inspector/protocol/CSS.json:
3105         Include an optional `aliases` array and `inherited` boolean for `CSSPropertyInfo`.
3106
3107 2018-09-17  Saam barati  <sbarati@apple.com>
3108
3109         We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
3110         https://bugs.webkit.org/show_bug.cgi?id=189676
3111         <rdar://problem/39682897>
3112
3113         Reviewed by Michael Saboff.
3114
3115         Because the incoming value may be TDZ, CheckStructure may end up crashing.
3116         Since the Type Profile does not currently record TDZ values in any of its
3117         data structures, this is not a semantic change in how it will show you data.
3118         It just fixes crashes when we emit a CheckStructure and the incoming value
3119         is TDZ.
3120
3121         * dfg/DFGFixupPhase.cpp:
3122         (JSC::DFG::FixupPhase::fixupNode):
3123         * dfg/DFGNode.h:
3124         (JSC::DFG::Node::convertToCheckStructureOrEmpty):
3125
3126 2018-09-17  Darin Adler  <darin@apple.com>
3127
3128         Use OpaqueJSString rather than JSRetainPtr inside WebKit
3129         https://bugs.webkit.org/show_bug.cgi?id=189652
3130
3131         Reviewed by Saam Barati.
3132
3133         * API/JSCallbackObjectFunctions.h: Removed an unneeded include of
3134         JSStringRef.h.
3135
3136         * API/JSContext.mm:
3137         (-[JSContext evaluateScript:withSourceURL:]): Use OpaqueJSString::create rather
3138         than JSStringCreateWithCFString, simplifying the code and also obviating the
3139         need for explicit JSStringRelease.
3140         (-[JSContext setName:]): Ditto.
3141
3142         * API/JSStringRef.cpp:
3143         (JSStringIsEqualToUTF8CString): Use adoptRef rather than explicit JSStringRelease.
3144         It seems that additional optimization is possible, obviating the need to allocate
3145         an OpaqueJSString, but that's true almost everywhere else in this patch, too.
3146
3147         * API/JSValue.mm:
3148         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Use
3149         OpaqueJSString::create and adoptRef as appropriate.
3150         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
3151         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Ditto.
3152         (performPropertyOperation): Ditto.
3153         (-[JSValue invokeMethod:withArguments:]): Ditto.
3154         (valueToObjectWithoutCopy): Ditto.
3155         (containerValueToObject): Ditto.
3156         (valueToString): Ditto.
3157         (objectToValueWithoutCopy): Ditto.
3158         (objectToValue): Ditto.
3159
3160 2018-09-08  Darin Adler  <darin@apple.com>
3161
3162         Streamline JSRetainPtr, fix leaks of JSString and JSGlobalContext
3163         https://bugs.webkit.org/show_bug.cgi?id=189455
3164
3165         Reviewed by Keith Miller.
3166
3167         * API/JSObjectRef.cpp:
3168         (OpaqueJSPropertyNameArray): Use Ref<OpaqueJSString> instead of
3169         JSRetainPtr<JSStringRef>.
3170         (JSObjectCopyPropertyNames): Remove now-unneeded use of leakRef and
3171         adopt constructor.
3172         (JSPropertyNameArrayGetNameAtIndex): Use ptr() instead of get() since
3173         the array elements are now Ref.
3174
3175         * API/JSRetainPtr.h: While JSRetainPtr is written as a template,
3176         it only works for two specific unrelated types, JSStringRef and
3177         JSGlobalContextRef. Simplified the default constructor using data
3178         member initialization. Prepared to make the adopt constructor private
3179         (got everything compiling that way, then made it public again so that
3180         Apple internal software will still build). Got rid of the unneeded
3181         templated constructor and assignment operator, which are not relevant
3182         since there is no inheritance between JSRetainPtr template types.
3183         Added WARN_UNUSED_RETURN to leakRef as in RefPtr and RetainPtr.
3184         Added move constructor and move assignment operator for slightly better
3185         performance. Simplified implementations of various member functions
3186         so they are more obviously correct, by using leakPtr in more of them
3187         and using std::exchange to make the flow of values more obvious.
3188
3189         * API/JSValue.mm:
3190         (+[JSValue valueWithNewSymbolFromDescription:inContext:]): Added a
3191         missing JSStringRelease to fix a leak.
3192
3193         * API/tests/CustomGlobalObjectClassTest.c:
3194         (customGlobalObjectClassTest): Added a JSGlobalContextRelease to fix a leak.
3195         (globalObjectSetPrototypeTest): Ditto.
3196         (globalObjectPrivatePropertyTest): Ditto.
3197
3198         * API/tests/ExecutionTimeLimitTest.cpp:
3199         (testResetAfterTimeout): Added a call to JSStringRelease to fix a leak.
3200         (testExecutionTimeLimit): Ditto, lots more.
3201
3202         * API/tests/FunctionOverridesTest.cpp:
3203         (testFunctionOverrides): Added a call to JSStringRelease to fix a leak.
3204
3205         * API/tests/JSObjectGetProxyTargetTest.cpp:
3206         (testJSObjectGetProxyTarget): Added a call to JSGlobalContextRelease to fix
3207         a leak.
3208
3209         * API/tests/PingPongStackOverflowTest.cpp:
3210         (testPingPongStackOverflow): Added calls to JSGlobalContextRelease and
3211         JSStringRelease to fix leaks.
3212
3213         * API/tests/testapi.c:
3214         (throwException): Added. Helper function for repeated idiom where we want
3215         to throw an exception, but with additional JSStringRelease calls so we don't
3216         have to leak just to keep the code simpler to read.
3217         (MyObject_getProperty): Use throwException.
3218         (MyObject_setProperty): Ditto.
3219         (MyObject_deleteProperty): Ditto.
3220         (isValueEqualToString): Added. Helper function for an idiom where we check
3221         if something is a string and then if it's equal to a particular string
3222         constant, but a version that has an additional JSStringRelease call so we
3223         don't have to leak just to keep the code simpler to read.
3224         (MyObject_callAsFunction): Use isValueEqualToString and throwException.
3225         (MyObject_callAsConstructor): Ditto.
3226         (MyObject_hasInstance): Ditto.
3227         (globalContextNameTest): Added a JSGlobalContextRelease to fix a leak.
3228         (testMarkingConstraintsAndHeapFinalizers): Ditto.
3229
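The entry above describes two things at once: the shape of a retain pointer (default constructor via data-member initialisation, an adopt constructor, a nodiscard leakRef, move operations built on std::exchange) and the leak pattern it fixes in the tests, where a Create call's +1 reference was never paired with a Release. The following is an added illustration of both, not JavaScriptCore's JSRetainPtr or its API: FakeString, FakeStringCreate/Retain/Release, RetainPtr and adopt are this example's own stand-ins for an opaque refcounted C API and its C++ wrapper, and g_liveObjects is instrumentation so the leak is observable.

```cpp
// Added illustration (not JavaScriptCore code): a minimal retain pointer in the
// shape the ChangeLog entry describes, plus the Create-without-Release leak it
// fixes. All names here are this example's own.
#include <cstddef>
#include <utility>

// Stand-in for an opaque refcounted C API object (think of a string handle).
struct FakeString { std::size_t refCount = 1; };

static std::size_t g_liveObjects = 0;   // instrumentation: objects not yet freed

// C-style API: Create returns a +1 reference that the caller owns.
FakeString* FakeStringCreate() { ++g_liveObjects; return new FakeString; }
FakeString* FakeStringRetain(FakeString* s) { if (s) ++s->refCount; return s; }
void FakeStringRelease(FakeString* s) {
    if (s && --s->refCount == 0) { delete s; --g_liveObjects; }
}

struct AdoptTag {};

class RetainPtr {
public:
    RetainPtr() = default;                                   // data-member initialisation does the work
    RetainPtr(FakeString* p) : m_ptr(FakeStringRetain(p)) {} // wrapping a borrowed pointer retains it
    RetainPtr(AdoptTag, FakeString* p) : m_ptr(p) {}         // adopt: take over an existing +1
    RetainPtr(const RetainPtr& o) : m_ptr(FakeStringRetain(o.m_ptr)) {}
    RetainPtr(RetainPtr&& o) noexcept : m_ptr(o.leakRef()) {} // move: no retain/release traffic
    ~RetainPtr() { FakeStringRelease(m_ptr); }

    RetainPtr& operator=(const RetainPtr& o) { RetainPtr copy(o); std::swap(m_ptr, copy.m_ptr); return *this; }
    RetainPtr& operator=(RetainPtr&& o) noexcept { RetainPtr moved(std::move(o)); std::swap(m_ptr, moved.m_ptr); return *this; }

    // Gives the +1 back to the caller; ignoring the result would leak, hence nodiscard.
    [[nodiscard]] FakeString* leakRef() { return std::exchange(m_ptr, nullptr); }
    FakeString* get() const { return m_ptr; }

private:
    FakeString* m_ptr = nullptr;
};

RetainPtr adopt(FakeString* p) { return RetainPtr(AdoptTag{}, p); }

// Correct use: the +1 from Create is adopted and released when the pointer dies.
std::size_t adoptedUse() {
    {
        RetainPtr s = adopt(FakeStringCreate());
        (void)s;
    }
    return g_liveObjects;   // 0: nothing leaked
}

// The leak the entry fixes: a Create result wrapped without adopt is retained
// again, so the wrapper's release only brings the count back to 1.
std::size_t doubleRetainUse() {
    FakeString* raw = FakeStringCreate();   // +1, owned by this function
    {
        RetainPtr s(raw);                   // retains: refCount 2
    }                                       // releases: refCount 1, object still alive
    std::size_t leaked = g_liveObjects;     // 1: the leak
    FakeStringRelease(raw);                 // the missing Release the entry adds
    return leaked;
}

// Move transfers ownership without touching the refcount.
std::size_t moveUse() {
    RetainPtr a = adopt(FakeStringCreate());
    RetainPtr b = std::move(a);
    if (a.get() != nullptr || b.get()->refCount != 1)
        return 99;
    return g_liveObjects;   // 1 while b is alive; b releases on return
}

// leakRef hands the +1 out to a C-API caller, who is now responsible for Release.
std::size_t leakRefUse() {
    RetainPtr s = adopt(FakeStringCreate());
    FakeString* raw = s.leakRef();          // s is now null; its destructor releases nothing
    std::size_t liveBefore = g_liveObjects; // 1
    FakeStringRelease(raw);
    return liveBefore + g_liveObjects;      // 1 + 0
}
```

The rule of thumb the tests in the entry enforce is the same as here: a Create or Copy call's reference must be either adopted into the wrapper or paired with an explicit Release; wrapping it in the retaining constructor is a leak that no tool catches until the refcount is instrumented.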
3230 2018-09-14  Saam barati  <sbarati@apple.com>
3231
3232         Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
3233         https://bugs.webkit.org/show_bug.cgi?id=189628
3234         <rdar://problem/39481690>
3235
3236         Reviewed by Mark Lam.
3237
3238         An Availability may point to a Node. And that Node may be removed from
3239         the graph, e.g., it's freed and its memory is no longer owned by Graph.
3240         This patch makes it so we no longer dump this metadata by default. If
3241         this metadata is interesting to you, you'll need to go in and change
3242         Graph::dump to dump the needed metadata.
3243
3244         * dfg/DFGGraph.cpp:
3245         (JSC::DFG::Graph::dump):
3246
3247 2018-09-14  Mark Lam  <mark.lam@apple.com>
3248
3249         Refactor some ForInContext code for better encapsulation.
3250         https://bugs.webkit.org/show_bug.cgi?id=189626
3251         <rdar://problem/44466415>
3252
3253         Reviewed by Keith Miller.
3254
3255         1. Add a ForInContext::m_type field to store the context type.  This does not
3256            increase the class size, but eliminates the need for a virtual call to get the
3257            type.
3258
3259            Note: we still need a virtual destructor because we'll be mingling
3260            IndexedForInContexts and StructureForInContexts in the BytecodeGenerator::m_forInContextStack.
3261
3262         2. Add ForInContext::isIndexedForInContext() and ForInContext::isStructureForInContext()
3263            convenience methods.
3264
3265         3. Add ForInContext::asIndexedForInContext() and ForInContext::asStructureForInContext()
3266            to do the casting to the subclass types.  This ensures that we'll properly
3267            assert that the casting is legal.
3268
3269         * bytecompiler/BytecodeGenerator.cpp:
3270         (JSC::BytecodeGenerator::emitGetByVal):
3271         (JSC::BytecodeGenerator::popIndexedForInScope):
3272         (JSC::BytecodeGenerator::popStructureForInScope):
3273         * bytecompiler/BytecodeGenerator.h:
3274         (JSC::ForInContext::type const):
3275         (JSC::ForInContext::isIndexedForInContext const):
3276         (JSC::ForInContext::isStructureForInContext const):
3277         (JSC::ForInContext::asIndexedForInContext):
3278         (JSC::ForInContext::asStructureForInContext):
3279         (JSC::ForInContext::ForInContext):
3280         (JSC::StructureForInContext::StructureForInContext):
3281         (JSC::IndexedForInContext::IndexedForInContext):
3282         (JSC::ForInContext::~ForInContext): Deleted.
3283
3284 2018-09-14  Devin Rousso  <webkit@devinrousso.com>
3285
3286         Web Inspector: Record actions performed on ImageBitmapRenderingContext
3287         https://bugs.webkit.org/show_bug.cgi?id=181341
3288
3289         Reviewed by Joseph Pecoraro.
3290
3291         * inspector/protocol/Recording.json:
3292         * inspector/scripts/codegen/generator.py:
3293
3294 2018-09-14  Mike Gorse  <mgorse@suse.com>
3295
3296         builtins directory causes name conflict on Python 3
3297         https://bugs.webkit.org/show_bug.cgi?id=189552
3298
3299         Reviewed by Michael Catanzaro.
3300
3301         * CMakeLists.txt: builtins -> wkbuiltins.
3302         * DerivedSources.make: builtins -> wkbuiltins.
3303         * Scripts/generate-js-builtins.py: import wkbuiltins, rather than
3304           builtins.
3305         * Scripts/wkbuiltins/__init__.py: Renamed from Source/JavaScriptCore/Scripts/builtins/__init__.py.
3306         * Scripts/wkbuiltins/builtins_generate_combined_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_combined_header.py.
3307         * Scripts/wkbuiltins/builtins_generate_internals_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_internals_wrapper_implementation.py.
3308         * Scripts/wkbuiltins/builtins_generate_separate_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_header.py.
3309         * Scripts/wkbuiltins/builtins_generate_separate_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_separate_implementation.py.
3310         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_header.py.
3311         * Scripts/wkbuiltins/builtins_generate_wrapper_implementation.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generate_wrapper_implementation.py.
3312         * Scripts/wkbuiltins/builtins_generator.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_generator.py.
3313         * Scripts/wkbuiltins/builtins_model.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_model.py.
3314         * Scripts/wkbuiltins/builtins_templates.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins_templates.py.
3315         * Scripts/wkbuiltins/wkbuiltins.py: Renamed from Source/JavaScriptCore/Scripts/builtins/builtins.py.
3316         * JavaScriptCore.xcodeproj/project.pbxproj: Update for the renaming.
3317
3318 2018-09-13  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
3319
3320         [WebAssembly] Inline WasmContext accessor functions
3321         https://bugs.webkit.org/show_bug.cgi?id=189416
3322
3323         Reviewed by Saam Barati.
3324
3325         WasmContext accessor functions are very small while they reside in the critical path of
3326         JS to Wasm function calls. This patch makes them inline to improve performance.
3327         This change improves a small benchmark (calling JS to Wasm function 1e7 times) from 320ms to 270ms.
3328
3329         * JavaScriptCore.xcodeproj/project.pbxproj:
3330         * Sources.txt:
3331         * interpreter/CallFrame.cpp:
3332         * jit/AssemblyHelpers.cpp:
3333         * wasm/WasmB3IRGenerator.cpp:
3334         * wasm/WasmContextInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmContext.cpp.
3335         (JSC::Wasm::Context::useFastTLS):
3336         (JSC::Wasm::Context::load const):
3337         (JSC::Wasm::Context::store):
3338         * wasm/WasmMemoryInformation.cpp:
3339         * wasm/WasmModuleParser.cpp: Include <wtf/SHA1.h> due to changes of unified source combinations.
3340         * wasm/js/JSToWasm.cpp:
3341         * wasm/js/WebAssemblyFunction.cpp:
3342
3343 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3344
3345         Move JavaScriptCore files to match Xcode project hierarchy
3346         <https://webkit.org/b/189574>
3347
3348         Reviewed by Filip Pizlo.
3349
3350         * API/JSAPIValueWrapper.cpp: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.cpp.
3351         * API/JSAPIValueWrapper.h: Rename from Source/JavaScriptCore/runtime/JSAPIValueWrapper.h.
3352         * CMakeLists.txt: Update for new path to
3353         generateYarrUnicodePropertyTables.py, hasher.py and
3354         JSAPIValueWrapper.h.
3355         * DerivedSources.make: Ditto. Add missing dependency on
3356         hasher.py captured by CMakeLists.txt.
3357         * JavaScriptCore.xcodeproj/project.pbxproj: Update for new file
3358         reference paths. Add hasher.py library to project.
3359         * Sources.txt: Update for new path to
3360         JSAPIValueWrapper.cpp.
3361         * runtime/JSImmutableButterfly.h: Add missing includes
3362         after changes to Sources.txt and regenerating unified
3363         sources.
3364         * runtime/RuntimeType.h: Ditto.
3365         * yarr/generateYarrUnicodePropertyTables.py: Rename from Source/JavaScriptCore/Scripts/generateYarrUnicodePropertyTables.py.
3366         * yarr/hasher.py: Rename from Source/JavaScriptCore/Scripts/hasher.py.
3367
3368 2018-09-12  David Kilzer  <ddkilzer@apple.com>
3369
3370         Let Xcode have its way with the JavaScriptCore project
3371
3372         * JavaScriptCore.xcodeproj/project.pbxproj:
3373
3374 2018-09-12  Guillaume Emont  <guijemont@igalia.com>
3375
3376         Add IGNORE_WARNING_.* macros
3377         https://bugs.webkit.org/show_bug.cgi?id=188996
3378
3379         Reviewed by Michael Catanzaro.
3380
3381         * API/JSCallbackObject.h:
3382         * API/tests/testapi.c:
3383         * assembler/LinkBuffer.h:
3384         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
3385         * b3/B3LowerToAir.cpp:
3386         * b3/B3Opcode.cpp:
3387         * b3/B3Type.h:
3388         * b3/B3TypeMap.h:
3389         * b3/B3Width.h:
3390         * b3/air/AirArg.cpp:
3391         * b3/air/AirArg.h:
3392         * b3/air/AirCode.h:
3393         * bytecode/Opcode.h:
3394         (JSC::padOpcodeName):
3395         * dfg/DFGSpeculativeJIT.cpp:
3396         (JSC::DFG::SpeculativeJIT::speculateNumber):
3397         (JSC::DFG::SpeculativeJIT::speculateMisc):
3398         * dfg/DFGSpeculativeJIT64.cpp:
3399         * ftl/FTLOutput.h:
3400         * jit/CCallHelpers.h:
3401         (JSC::CCallHelpers::calculatePokeOffset):
3402         * llint/LLIntData.cpp:
3403         * llint/LLIntSlowPaths.cpp:
3404         (JSC::LLInt::slowPathLogF):
3405         * runtime/ConfigFile.cpp:
3406         (JSC::ConfigFile::canonicalizePaths):
3407         * runtime/JSDataViewPrototype.cpp:
3408         * runtime/JSGenericTypedArrayViewConstructor.h:
3409         * runtime/JSGenericTypedArrayViewPrototype.h:
3410         * runtime/Options.cpp:
3411         (JSC::Options::setAliasedOption):
3412         * tools/CodeProfiling.cpp:
3413         * wasm/WasmSections.h:
3414         * wasm/generateWasmValidateInlinesHeader.py:
3415
3416 == Rolled over to ChangeLog-2018-09-11 ==