0e811c4c14d036830517799867114553a970dff6
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-07-31  Keith Miller  <keith_miller@apple.com>

        Unreviewed 32-bit build fix...

        * dfg/DFGSpeculativeJIT32_64.cpp:

2018-07-31  Keith Miller  <keith_miller@apple.com>

        Long compiling JSC files should not be unified
        https://bugs.webkit.org/show_bug.cgi?id=188205

        Reviewed by Saam Barati.

        The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
        to compile. Unifying them means touching anything in the same
        bundle as those files takes a long time to incrementally build.
        This patch separates those files so they build standalone.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGSpeculativeJIT64.cpp:

2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
        https://bugs.webkit.org/show_bug.cgi?id=188201

        Reviewed by Keith Miller.

        We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
        When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
        new one. So this cellLock() is unnecessary for contiguous shape since contiguous shaped butterfly
        never becomes broken state. This patch removes unnecessary locking.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):

2018-07-31  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove gcc warnings for 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=187803

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printPCRegister):
        (JSC::Printer::printRegisterID):
        (JSC::Printer::printAddress):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::calculatePokeOffset):
        * runtime/Options.cpp:
        (JSC::parse):

2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>

        watchOS engineering build is broken after r234227
        https://bugs.webkit.org/show_bug.cgi?id=188180

        Reviewed by Keith Miller.

        In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
        postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
        `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
        `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.

        To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
        entirely, since there's no relevant version to replace them with.

        * postprocess-headers.sh:

2018-07-30  Keith Miller  <keith_miller@apple.com>

        Clarify conversion rules for JSValue property access API
        https://bugs.webkit.org/show_bug.cgi?id=188179

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:

2018-07-30  Keith Miller  <keith_miller@apple.com>

        Rename some JSC API functions/types.
        https://bugs.webkit.org/show_bug.cgi?id=188173

        Reviewed by Saam Barati.

        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyForKey):
        (JSObjectGetPropertyForKey):
        (JSObjectSetPropertyForKey):
        (JSObjectDeletePropertyForKey):
        (JSObjectHasPropertyKey): Deleted.
        (JSObjectGetPropertyKey): Deleted.
        (JSObjectSetPropertyKey): Deleted.
        (JSObjectDeletePropertyKey): Deleted.
        * API/JSObjectRef.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue defineProperty:descriptor:]):
        * API/tests/testapi.cpp:
        (TestAPI::run):

2018-07-30  Mark Lam  <mark.lam@apple.com>

        Add a debugging utility to dump the memory layout of a JSCell.
        https://bugs.webkit.org/show_bug.cgi?id=188157

        Reviewed by Yusuke Suzuki.

        This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
        dump the memory contents of a cell and if present, its butterfly for debugging
        purposes.

        Example usage for JS code when JSC_useDollarVM=true:

            $vm.dumpCell(obj);

        Example usage from C++ code or from lldb:

            (lldb) p JSC::VMInspector::dumpCellMemory(obj)

        Some examples of dumps:

            <0x104bc8260, Object>
              [0] 0x104bc8260 : 0x010016000000016c header
                structureID 364 0x16c structure 0x104b721b0
                indexingTypeAndMisc 0 0x0 NonArray
                type 22 0x16
                flags 0 0x0
                cellState 1
              [1] 0x104bc8268 : 0x0000000000000000 butterfly
              [2] 0x104bc8270 : 0xffff000000000007
              [3] 0x104bc8278 : 0xffff000000000008

            <0x104bb4360, Array>
              [0] 0x104bb4360 : 0x0108210b00000171 header
                structureID 369 0x171 structure 0x104b723e0
                indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
                type 33 0x21
                flags 8 0x8
                cellState 1
              [1] 0x104bb4368 : 0x00000008000f4718 butterfly
                base 0x8000f46e0
                hasIndexingHeader YES hasAnyArrayStorage YES
                publicLength 4 vectorLength 7 indexBias 2
                preCapacity 2 propertyCapacity 4
                  <--- preCapacity
                  [0] 0x8000f46e0 : 0x0000000000000000
                  [1] 0x8000f46e8 : 0x0000000000000000
                  <--- propertyCapacity
                  [2] 0x8000f46f0 : 0x0000000000000000
                  [3] 0x8000f46f8 : 0x0000000000000000
                  [4] 0x8000f4700 : 0xffff00000000000d
                  [5] 0x8000f4708 : 0xffff00000000000c
                  <--- indexingHeader
                  [6] 0x8000f4710 : 0x0000000700000004
                  <--- butterfly
                  <--- arrayStorage
                  [7] 0x8000f4718 : 0x0000000000000000
                  [8] 0x8000f4720 : 0x0000000400000002
                  <--- indexedProperties
                  [9] 0x8000f4728 : 0xffff000000000008
                  [10] 0x8000f4730 : 0xffff000000000009
                  [11] 0x8000f4738 : 0xffff000000000005
                  [12] 0x8000f4740 : 0xffff000000000006
                  [13] 0x8000f4748 : 0x0000000000000000
                  [14] 0x8000f4750 : 0x0000000000000000
                  [15] 0x8000f4758 : 0x0000000000000000
                  <--- unallocated capacity
                  [16] 0x8000f4760 : 0x0000000000000000
                  [17] 0x8000f4768 : 0x0000000000000000
                  [18] 0x8000f4770 : 0x0000000000000000
                  [19] 0x8000f4778 : 0x0000000000000000

        * runtime/JSObject.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpCell):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpCellMemory):
        (JSC::IndentationScope::IndentationScope):
        (JSC::IndentationScope::~IndentationScope):
        (JSC::VMInspector::dumpCellMemoryToStream):
        * tools/VMInspector.h:

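Reading the raw words in a dump like the one above by hand is error-prone, so here is an added example (not part of the WebKit change, not VMInspector code) that decodes the 64-bit JSCell header word and the butterfly IndexingHeader word into the fields the dump prints, and runs the sanity check a reader of a dump wants: a cell whose indexing type claims array storage must have a non-null butterfly and a vectorLength that is at least its publicLength. The field order (32-bit StructureID, then one byte each for indexingTypeAndMisc, type, flags, cellState, little-endian) and the IndexingType bit values are this example's assumptions, taken from the JSCell and IndexingType.h layout of that era and cross-checked against the two dumps; the sample words are those shown in the dump.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Assumed JSCell header layout (little-endian, matching the dump above):
// bits 0-31 StructureID, byte 4 indexingTypeAndMisc, byte 5 type,
// byte 6 flags, byte 7 cellState.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

CellHeader decodeCellHeader(uint64_t word)
{
    CellHeader h;
    h.structureID = static_cast<uint32_t>(word & 0xffffffffu);
    h.indexingTypeAndMisc = static_cast<uint8_t>(word >> 32); // truncates to the low byte
    h.type = static_cast<uint8_t>(word >> 40);
    h.flags = static_cast<uint8_t>(word >> 48);
    h.cellState = static_cast<uint8_t>(word >> 56);
    return h;
}

// Assumed IndexingType encoding (IndexingType.h): bit 0 = IsArray, bits 1-3 = shape.
// 0 -> "NonArray" and 11 -> "ArrayWithArrayStorage" agree with the dump.
enum : uint8_t {
    IsArray = 0x01, ShapeMask = 0x0E,
    NoIndexingShape = 0x00, UndecidedShape = 0x02, Int32Shape = 0x04, DoubleShape = 0x06,
    ContiguousShape = 0x08, ArrayStorageShape = 0x0A, SlowPutArrayStorageShape = 0x0C
};

const char* indexingTypeName(uint8_t indexingType)
{
    bool isArray = indexingType & IsArray;
    switch (indexingType & ShapeMask) {
    case NoIndexingShape: return isArray ? "ArrayClass" : "NonArray";
    case UndecidedShape: return isArray ? "ArrayWithUndecided" : "NonArrayWithUndecided";
    case Int32Shape: return isArray ? "ArrayWithInt32" : "NonArrayWithInt32";
    case DoubleShape: return isArray ? "ArrayWithDouble" : "NonArrayWithDouble";
    case ContiguousShape: return isArray ? "ArrayWithContiguous" : "NonArrayWithContiguous";
    case ArrayStorageShape: return isArray ? "ArrayWithArrayStorage" : "NonArrayWithArrayStorage";
    case SlowPutArrayStorageShape: return isArray ? "ArrayWithSlowPutArrayStorage" : "NonArrayWithSlowPutArrayStorage";
    default: return "Unknown";
    }
}

// A butterfly carries an IndexingHeader whenever the object has indexed storage of any shape.
bool hasIndexingHeader(uint8_t indexingType) { return (indexingType & ShapeMask) != NoIndexingShape; }
bool hasAnyArrayStorage(uint8_t indexingType) { return (indexingType & ShapeMask) >= ArrayStorageShape; }

// The IndexingHeader word packs publicLength (low 32 bits) and vectorLength (high 32 bits).
struct IndexingHeaderFields {
    uint32_t publicLength;
    uint32_t vectorLength;
};

IndexingHeaderFields decodeIndexingHeader(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffu), static_cast<uint32_t>(word >> 32) };
}

// Invariants a reader checks when a dump looks suspicious: indexed storage implies a
// non-null butterfly, and publicLength can never exceed the allocated vectorLength.
bool arrayCellLooksConsistent(uint64_t headerWord, uint64_t butterflyPtr, uint64_t indexingHeaderWord)
{
    CellHeader h = decodeCellHeader(headerWord);
    if (!hasIndexingHeader(h.indexingTypeAndMisc))
        return true; // no indexing header to validate
    if (!butterflyPtr)
        return false;
    IndexingHeaderFields ih = decodeIndexingHeader(indexingHeaderWord);
    return ih.publicLength <= ih.vectorLength;
}

int main()
{
    // Words copied from the Array dump above.
    const uint64_t header = 0x0108210b00000171ULL;
    const uint64_t butterfly = 0x00000008000f4718ULL;
    const uint64_t indexingHeader = 0x0000000700000004ULL;
    CellHeader h = decodeCellHeader(header);
    IndexingHeaderFields ih = decodeIndexingHeader(indexingHeader);
    printf("structureID %u indexingType %u (%s) type %u flags %u cellState %u\n",
        h.structureID, h.indexingTypeAndMisc, indexingTypeName(h.indexingTypeAndMisc), h.type, h.flags, h.cellState);
    printf("publicLength %u vectorLength %u consistent %s\n",
        ih.publicLength, ih.vectorLength, arrayCellLooksConsistent(header, butterfly, indexingHeader) ? "yes" : "no");
    return 0;
}
```

The decoder deliberately masks the shape bits rather than comparing the whole byte, so a header whose upper indexing bits carry unrelated state (the dump calls the byte indexingTypeAndMisc for that reason) still classifies correctly; an unknown shape is reported rather than guessed.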
2018-07-27  Mark Lam  <mark.lam@apple.com>

        Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
        https://bugs.webkit.org/show_bug.cgi?id=188123
        <rdar://problem/42672268>

        Reviewed by Keith Miller.

        1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
           padding space in VM and Heap, and should not cost any measurable perf to
           initialize and update.

        2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():

           worldState tells us the value we failed the assertion on.

           m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
           that led us here.

           VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.

           VM::isEntered() tells us if the current VM is currently executing JS code.

           Some of this data may be redundant, but the redundancy is intentional so that
           we can double check what is really happening at the time of crash.

        * heap/Heap.cpp:
        (JSC::asInt):
        (JSC::Heap::checkConn):
        (JSC::Heap::changePhase):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::nextID):
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::numberOfIDs):
        (JSC::VM::id const):
        (JSC::VM::isEntered const):

2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile correctly
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
        This is important since our OSR exit compiler records m_observedArrayModes by calculating
        ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
        our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
        Array::Generic DFG nodes.

        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        (JSC::ArrayProfile::ArrayProfile):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * runtime/IndexingType.h:

2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Remove INTL sub-feature compile flags
        https://bugs.webkit.org/show_bug.cgi?id=188081

        Reviewed by Michael Catanzaro.

        Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
        The runtime flags are still present, and should be relied on instead.
        The defines for ICU features have also been updated to match HAVE() style.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRules.h:
        * runtime/Options.h:

2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Dump IndexingMode in Structure
        https://bugs.webkit.org/show_bug.cgi?id=188085

        Reviewed by Keith Miller.

        Dump IndexingMode instead of IndexingType.

        * runtime/Structure.cpp:
        (JSC::Structure::dump const):

2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>

        String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
        https://bugs.webkit.org/show_bug.cgi?id=187963

        Reviewed by Alex Christensen.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        * jsc.cpp:
        (ModuleName::ModuleName):
        (resolvePath):
        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLanguageTag):
        (JSC::removeUnicodeLocaleExtension):
        Update split/splitAllowingEmptyEntries usage.

2018-07-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234181 and r234189.
        https://bugs.webkit.org/show_bug.cgi?id=188075

        These are not needed right now (Requested by thorton on
        #webkit).

        Reverted changesets:

        "Enable Web Content Filtering on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187979
        https://trac.webkit.org/changeset/234181

        "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
        https://bugs.webkit.org/show_bug.cgi?id=187985
        https://trac.webkit.org/changeset/234189

2018-07-26  Mark Lam  <mark.lam@apple.com>

        arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
        https://bugs.webkit.org/show_bug.cgi?id=188065
        <rdar://problem/42515726>

        Reviewed by Saam Barati.

        * runtime/ArrayPrototype.cpp:
        (JSC::clearElement):
        (JSC::copyElements):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):

2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>

        JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
        https://bugs.webkit.org/show_bug.cgi?id=167991

        Reviewed by Michael Catanzaro.

        Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
        Checked locale.isEmpty() before returning it from defaultLocale, so there should be
        no more cases where you might have an invalid locale come back from resolveLocale.

        * runtime/IntlObject.cpp:
        (JSC::convertICULocaleToBCP47LanguageTag):
        (JSC::defaultLocale):
        (JSC::lookupMatcher):
        * runtime/IntlObject.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
        https://bugs.webkit.org/show_bug.cgi?id=188040

        Unreviewed build fix for AppleWin port.

        * API/tests/testapi.c: Disabled warning C4204.
        (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.

2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Unreviewed build fix for Windows port.

        r234227 introduced a compilation error unresolved external symbol
        "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.

        Windows ports are compiling testapi.c as C++ by using /TP switch.

        * API/tests/testapi.c:
        (main): Removed `::` prefix of ::SetErrorMode Windows API.
        (dllLauncherEntryPoint): Converted into C style.
        * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c

2018-07-25  Keith Miller  <keith_miller@apple.com>

        [JSC API] We should support the symbol type in our C/Obj-C API
        https://bugs.webkit.org/show_bug.cgi?id=175836

        Reviewed by Filip Pizlo.

        This patch makes the following API additions:
        1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
        2) Create a symbol on both APIs.
        3) Get/Set/Delete/Define property now take ids in the Obj-C API.
        4) Add Get/Set/Delete in the C API.

        We can do 3 because it is both binary and source compatible with
        the existing API. I added (4) because the current property access
        APIs only have the ability to get Strings. It was possible to
        merge symbols into JSStringRef but that felt confusing and exposes
        implementation details of our engine. The new functions match the
        same meaning that they have in JS, thus should be forward
        compatible with any future language extensions.

        Lastly, this patch adds the same availability preprocessing phase
        in WebCore to JavaScriptCore, which enables TBA features for
        testing on previous releases.

        * API/APICast.h:
        * API/JSBasePrivate.h:
        * API/JSContext.h:
        * API/JSContextPrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefInternal.h:
        * API/JSContextRefPrivate.h:
        * API/JSManagedValue.h:
        * API/JSObjectRef.cpp:
        (JSObjectHasPropertyKey):
        (JSObjectGetPropertyKey):
        (JSObjectSetPropertyKey):
        (JSObjectDeletePropertyKey):
        * API/JSObjectRef.h:
        * API/JSRemoteInspector.h:
        * API/JSTypedArray.h:
        * API/JSValue.h:
        * API/JSValue.mm:
        (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
        (performPropertyOperation):
        (-[JSValue valueForProperty:valueForProperty:]):
        (-[JSValue setValue:forProperty:setValue:forProperty:]):
        (-[JSValue deleteProperty:deleteProperty:]):
        (-[JSValue hasProperty:hasProperty:]):
        (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
        (-[JSValue isSymbol]):
        (-[JSValue objectForKeyedSubscript:]):
        (-[JSValue setObject:forKeyedSubscript:]):
        (-[JSValue valueForProperty:]): Deleted.
        (-[JSValue setValue:forProperty:]): Deleted.
        (-[JSValue deleteProperty:]): Deleted.
        (-[JSValue hasProperty:]): Deleted.
        (-[JSValue defineProperty:descriptor:]): Deleted.
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsSymbol):
        (JSValueMakeSymbol):
        * API/JSValueRef.h:
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/CustomGlobalObjectClassTest.c:
        * API/tests/DateTests.mm:
        * API/tests/JSExportTests.mm:
        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/Node.c:
        * API/tests/NodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp: Added.
        (APIString::APIString):
        (APIString::~APIString):
        (APIString::operator JSStringRef):
        (APIContext::APIContext):
        (APIContext::~APIContext):
        (APIContext::operator JSGlobalContextRef):
        (APIVector::APIVector):
        (APIVector::~APIVector):
        (APIVector::append):
        (testCAPIViaCpp):
        (TestAPI::evaluateScript):
        (TestAPI::callFunction):
        (TestAPI::functionReturnsTrue):
        (TestAPI::check):
        (TestAPI::checkJSAndAPIMatch):
        (TestAPI::interestingObjects):
        (TestAPI::interestingKeys):
        (TestAPI::run):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * postprocess-headers.sh:
        * shell/CMakeLists.txt:
        * testmem/testmem.mm:

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Call Typed Array elements toLocaleString with locale and options
        https://bugs.webkit.org/show_bug.cgi?id=185796

        Reviewed by Keith Miller.

        Improve ECMA 402 compliance of typed array toLocaleString, passing along
        the locale and options to element toLocaleString calls.

        * builtins/TypedArrayPrototype.js:
        (toLocaleString):

2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Intl constructor lengths should be configurable
        https://bugs.webkit.org/show_bug.cgi?id=187960

        Reviewed by Saam Barati.

        Removed DontDelete from Intl constructor lengths.
        Fixed DateTimeFormat formatToParts length.

        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::finishCreation):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::finishCreation):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::IntlPluralRulesConstructor::finishCreation):

2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>

        runJITThreadLimitTests is failing
        https://bugs.webkit.org/show_bug.cgi?id=187886
        <rdar://problem/42561966>

        Unreviewed build fix for MSVC.

        MSVC doesn't support ternary operator without second operand.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):

2018-07-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234183.
        https://bugs.webkit.org/show_bug.cgi?id=187983

        cause regression in Kraken gaussian blur and desaturate
        (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "[JSC] Record CoW status in ArrayProfile"
        https://bugs.webkit.org/show_bug.cgi?id=187949
        https://trac.webkit.org/changeset/234183

2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Record CoW status in ArrayProfile
        https://bugs.webkit.org/show_bug.cgi?id=187949

        Reviewed by Saam Barati.

        Once CoW array is converted to non-CoW array, subsequent operations are done for this non-CoW array.
        Even though these operations are performed onto both CoW and non-CoW arrays in the code, array profiles
        in this code typically record only non-CoW arrays since array profiles hold only one StructureID recently
        seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
        CoW arrays.

        In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
        speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.

        This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.

                                      baseline                  patched

        stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
        stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::asArrayModes):
        We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.

        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfObservedIndexingModes):
        (JSC::ArrayProfile::observedIndexingModes const):
        Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses.
        So we store the union of seen IndexingMode in `unsigned` instead.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withProfile const):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-07-24  Tim Horton  <timothy_horton@apple.com>

        Enable Web Content Filtering on watchOS
        https://bugs.webkit.org/show_bug.cgi?id=187979
        <rdar://problem/42559346>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:

2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>

        Don't modify Options when setting JIT thread limits
        https://bugs.webkit.org/show_bug.cgi?id=187886

        Reviewed by Filip Pizlo.

        Previously, when setting the JIT thread limit prior to the worklist
        initialization, it'd be set via Options, which didn't work if Options
        hadn't been initialized yet. Change it to use a static variable in the
        Worklist instead.

        * API/JSVirtualMachine.mm:
        (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
        (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::getNumberOfDFGCompilerThreads):
        (JSC::DFG::getNumberOfFTLCompilerThreads):
        (JSC::DFG::setNumberOfDFGCompilerThreads):
        (JSC::DFG::setNumberOfFTLCompilerThreads):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Refactoring: make DFG::Plan a class.
        https://bugs.webkit.org/show_bug.cgi?id=187968

        Reviewed by Saam Barati.

        This patch makes all the DFG::Plan fields private, and provides accessor methods
        for them.  This makes it easier to reason about how these fields are used and
        modified.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::injectOSR):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::watchCondition):
        (JSC::DFG::Graph::inferredTypeFor):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::registerAndWatchStructureTransition):
        (JSC::DFG::Graph::assertIsRegistered):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::compilation):
        (JSC::DFG::Graph::identifiers):
        (JSC::DFG::Graph::watchpoints):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::computeCompileTimes const):
        (JSC::DFG::Plan::reportCompileTimes const):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::isStillValid):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter const):
        (JSC::DFG::Plan::vm const):
        (JSC::DFG::Plan::codeBlock):
        (JSC::DFG::Plan::mode const):
        (JSC::DFG::Plan::osrEntryBytecodeIndex const):
        (JSC::DFG::Plan::mustHandleValues const):
        (JSC::DFG::Plan::threadData const):
        (JSC::DFG::Plan::compilation const):
        (JSC::DFG::Plan::finalizer const):
        (JSC::DFG::Plan::setFinalizer):
        (JSC::DFG::Plan::inlineCallFrames const):
        (JSC::DFG::Plan::watchpoints):
        (JSC::DFG::Plan::identifiers):
        (JSC::DFG::Plan::weakReferences):
        (JSC::DFG::Plan::transitions):
        (JSC::DFG::Plan::recordedStatuses):
        (JSC::DFG::Plan::willTryToTierUp const):
        (JSC::DFG::Plan::setWillTryToTierUp):
        (JSC::DFG::Plan::tierUpInLoopHierarchy):
        (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
        (JSC::DFG::Plan::stage const):
        (JSC::DFG::Plan::callback const):
        (JSC::DFG::Plan::setCallback):
        * dfg/DFGPlanInlines.h:
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):
        * dfg/DFGSafepoint.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM const):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
        * dfg/DFGWorklistInlines.h:
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
784         * ftl/FTLLink.cpp:
785         (JSC::FTL::link):
786         * ftl/FTLLowerDFGToB3.cpp:
787         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
788         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
789         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
790         * ftl/FTLState.cpp:
791         (JSC::FTL::State::State):
792
793 2018-07-24  Saam Barati  <sbarati@apple.com>
794
795         Make VM::canUseJIT an inlined function
796         https://bugs.webkit.org/show_bug.cgi?id=187583
797
798         Reviewed by Mark Lam.
799
800         We know the answer to this query in initializeThreading after initializing
801         the executable allocator. This patch makes it so that we just hold this value
802         in a static variable and have an inlined function that just returns the value
803         of that static variable.
804
805         * runtime/InitializeThreading.cpp:
806         (JSC::initializeThreading):
807         * runtime/VM.cpp:
808         (JSC::VM::computeCanUseJIT):
809         (JSC::VM::canUseJIT): Deleted.
810         * runtime/VM.h:
811         (JSC::VM::canUseJIT):
812
813 2018-07-24  Mark Lam  <mark.lam@apple.com>
814
815         Placate exception check verification after recent changes.
816         https://bugs.webkit.org/show_bug.cgi?id=187961
817         <rdar://problem/42545394>
818
819         Reviewed by Saam Barati.
820
821         * runtime/IntlObject.cpp:
822         (JSC::intlNumberOption):
823
824 2018-07-23  Saam Barati  <sbarati@apple.com>
825
826         need to didFoldClobberWorld when we constant fold GetByVal
827         https://bugs.webkit.org/show_bug.cgi?id=187917
828         <rdar://problem/42505095>
829
830         Reviewed by Yusuke Suzuki.
831
832         * dfg/DFGAbstractInterpreterInlines.h:
833         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
834
835 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
836
837         [INTL] Language tags are not canonicalized
838         https://bugs.webkit.org/show_bug.cgi?id=185836
839
840         Reviewed by Keith Miller.
841
842         Canonicalize language tags, replacing deprecated tag parts with the
843         preferred values. Remove broken support for algorithmic numbering systems,
844         that can cause an error in icu, and are not supported in other engines.
845
846         Generate the lookup functions from the language-subtag-registry.
847
848         Also initialize the UNumberFormat in initializeNumberFormat so any
849         failures are thrown immediately instead of failing to format later.
850
851         * CMakeLists.txt:
852         * DerivedSources.make:
853         * JavaScriptCore.xcodeproj/project.pbxproj:
854         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
855         * runtime/IntlDateTimeFormat.cpp:
856         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
857         * runtime/IntlNumberFormat.cpp:
858         (JSC::IntlNumberFormat::initializeNumberFormat):
859         (JSC::IntlNumberFormat::formatNumber):
860         (JSC::IntlNumberFormat::formatToParts):
861         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
862         * runtime/IntlNumberFormat.h:
863         * runtime/IntlObject.cpp:
864         (JSC::intlNumberOption):
865         (JSC::intlDefaultNumberOption):
866         (JSC::preferredLanguage):
867         (JSC::preferredRegion):
868         (JSC::canonicalLangTag):
869         (JSC::canonicalizeLanguageTag):
870         (JSC::defaultLocale):
871         (JSC::removeUnicodeLocaleExtension):
872         (JSC::numberingSystemsForLocale):
873         (JSC::grandfatheredLangTag): Deleted.
874         * runtime/IntlObject.h:
875         * runtime/IntlPluralRules.cpp:
876         (JSC::IntlPluralRules::initializePluralRules):
877         * runtime/JSGlobalObject.cpp:
878         (JSC::addMissingScriptLocales):
879         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
880         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
881         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
882         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
883         * ucd/language-subtag-registry.txt: Added.
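
A parser for the language-subtag-registry.txt record-jar format and a canonicalizer driven by it, as an added example and not the code that Scripts/generateIntlCanonicalizeLanguage.py generates. The registry excerpt is constructed: iw -> he, BU -> MM and i-klingon -> tlh are real deprecations listed in the registry, while the File-Date and the record set are illustrative. Registry, parseRegistry and canonicalizeLanguageTag are this example's own names; extlang and variant rules from BCP 47 are not modelled.

```cpp
#include <cctype>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Constructed excerpt in the registry's record-jar layout. iw -> he, BU -> MM and
// i-klingon -> tlh are real deprecations; the File-Date is illustrative.
const std::string kRegistryExcerpt = R"(File-Date: 2018-07-20
%%
Type: language
Subtag: iw
Description: Hebrew
Preferred-Value: he
%%
Type: region
Subtag: BU
Description: Burma
Preferred-Value: MM
%%
Type: grandfathered
Tag: i-klingon
Description: Klingon
Preferred-Value: tlh
%%)";

// Deprecated subtag -> preferred value, all keys and values lowercase.
struct Registry { std::map<std::string, std::string> language, region, grandfathered; };

static std::string lower(std::string s) { for (char& c : s) c = (char)std::tolower((unsigned char)c); return s; }
static std::string upper(std::string s) { for (char& c : s) c = (char)std::toupper((unsigned char)c); return s; }
static bool alpha(const std::string& s) { for (char c : s) if (!std::isalpha((unsigned char)c)) return false; return !s.empty(); }
static bool digit(const std::string& s) { for (char c : s) if (!std::isdigit((unsigned char)c)) return false; return !s.empty(); }

// Record-jar parser: records end at a "%%" line, fields are "Key: value", and a
// line starting with two spaces continues the previous field. Only records that
// carry a Preferred-Value are kept, since only those change a tag.
Registry parseRegistry(const std::string& text)
{
    Registry reg;
    std::map<std::string, std::string> rec;
    std::string line, key;
    auto flush = [&] {
        if (rec.count("Preferred-Value")) {
            std::string pref = lower(rec["Preferred-Value"]), type = rec["Type"];
            if (type == "language") reg.language[lower(rec["Subtag"])] = pref;
            else if (type == "region") reg.region[lower(rec["Subtag"])] = pref;
            else if (type == "grandfathered" || type == "redundant") reg.grandfathered[lower(rec["Tag"])] = pref;
        }
        rec.clear();
    };
    std::istringstream in(text);
    while (std::getline(in, line)) {
        if (line == "%%") { flush(); continue; }
        if (line.compare(0, 2, "  ") == 0 && !key.empty()) { rec[key] += " " + line.substr(2); continue; }
        size_t colon = line.find(": ");
        if (colon == std::string::npos) continue;
        key = line.substr(0, colon);
        rec[key] = line.substr(colon + 2);
    }
    flush();
    return reg;
}

// Canonical form: a grandfathered tag maps as a whole; otherwise the language
// subtag is replaced by its preferred value, a 4-letter script is title-cased,
// a 2-letter or 3-digit region is upper-cased (and replaced), and everything
// after a singleton (extension or private use) is left untouched.
std::string canonicalizeLanguageTag(const std::string& tag, const Registry& reg)
{
    std::string t = lower(tag);
    auto g = reg.grandfathered.find(t);
    if (g != reg.grandfathered.end()) return g->second;
    std::vector<std::string> parts;
    std::istringstream in(t);
    for (std::string p; std::getline(in, p, '-');) parts.push_back(p);
    if (parts.empty()) return "";
    auto l = reg.language.find(parts[0]);
    std::string out = l != reg.language.end() ? l->second : parts[0];
    bool afterSingleton = false;
    for (size_t i = 1; i < parts.size(); ++i) {
        std::string s = parts[i];
        if (s.size() == 1) afterSingleton = true;
        if (!afterSingleton) {
            if (s.size() == 4 && alpha(s)) s[0] = (char)std::toupper((unsigned char)s[0]);
            else if ((s.size() == 2 && alpha(s)) || (s.size() == 3 && digit(s))) {
                auto r = reg.region.find(s);
                s = upper(r != reg.region.end() ? r->second : s);
            }
        }
        out += "-" + s;
    }
    return out;
}

int main()
{
    Registry reg = parseRegistry(kRegistryExcerpt);
    return canonicalizeLanguageTag("IW-latn-bu", reg) == "he-Latn-MM" ? 0 : 1;
}
```

Tracking the singleton matters: in "de-DE-u-co-phonebk" the "co" after the "u" extension is a collation key, not the region Colombia, and must not be upper-cased or looked up.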
884
885 2018-07-23  Mark Lam  <mark.lam@apple.com>
886
887         Add some asserts to help diagnose a crash.
888         https://bugs.webkit.org/show_bug.cgi?id=187915
889         <rdar://problem/42508166>
890
891         Reviewed by Michael Saboff.
892
        Add some asserts to verify that a CodeBlock alternative should always have a
894         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
895         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
896         so that we'll retain the state of the variables that failed the assertion (again
897         to help with diagnosis).
898
899         * bytecode/CodeBlock.cpp:
900         (JSC::CodeBlock::setAlternative):
901         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
902         * dfg/DFGPlan.cpp:
903         (JSC::DFG::Plan::Plan):
904
905 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
906
907         Unreviewed, fix no-JIT build.
908
909         * bytecode/CallLinkStatus.cpp:
910         (JSC::CallLinkStatus::computeFor):
911         * bytecode/CodeBlock.cpp:
912         (JSC::CodeBlock::finalizeUnconditionally):
913         * bytecode/GetByIdStatus.cpp:
914         (JSC::GetByIdStatus::computeFor):
915         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
916         * bytecode/InByIdStatus.cpp:
917         * bytecode/PutByIdStatus.cpp:
918         (JSC::PutByIdStatus::computeForStubInfo):
919
920 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
921
922         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
923         https://bugs.webkit.org/show_bug.cgi?id=187891
924
925         Reviewed by Saam Barati.
926
        When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
        two variants are mergeable but they have "Miss" status. We make merging fail if
        the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
        if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
        a patch which has more chances to merge variants.
932
933         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
934         is not related since it does not use this check in Transition case.
935
936         * bytecode/GetByIdVariant.cpp:
937         (JSC::GetByIdVariant::attemptToMerge):
938         * bytecode/InByIdVariant.cpp:
939         (JSC::InByIdVariant::attemptToMerge):
940
941 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
942
943         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
944         https://bugs.webkit.org/show_bug.cgi?id=186462
945
946         Reviewed by Saam Barati.
947
        Non-special DontDelete | ReadOnly properties mean that the value won't be changed. If DFG AI can retrieve this
949         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
950         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
951
952         This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
953         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
954         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
955         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
956         changed and we can safely use it. We arrange our existing code to use this protocol.
957
        Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture,
        since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.
960
961         This patch improves SixSpeed/template_string_tag.es6.
962
963                                           baseline                  patched
964
965         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
966
967         * dfg/DFGAbstractInterpreterInlines.h:
968         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
969         * runtime/JSArray.cpp:
970         (JSC::JSArray::setLengthWithArrayStorage):
971         * runtime/JSObject.cpp:
972         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
973         (JSC::JSObject::deletePropertyByIndex):
974         (JSC::JSObject::getOwnPropertyNames):
975         (JSC::putIndexedDescriptor):
976         (JSC::JSObject::defineOwnIndexedProperty):
977         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
978         (JSC::JSObject::putIndexedDescriptor): Deleted.
979         * runtime/JSObject.h:
980         * runtime/SparseArrayValueMap.cpp:
981         (JSC::SparseArrayValueMap::SparseArrayValueMap):
982         (JSC::SparseArrayValueMap::add):
983         (JSC::SparseArrayValueMap::putDirect):
984         (JSC::SparseArrayValueMap::getConcurrently):
985         (JSC::SparseArrayEntry::get const):
986         (JSC::SparseArrayEntry::getConcurrently const):
987         (JSC::SparseArrayEntry::put):
988         (JSC::SparseArrayEntry::getNonSparseMode const):
989         (JSC::SparseArrayValueMap::visitChildren):
990         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
991         * runtime/SparseArrayValueMap.h:
992         (JSC::SparseArrayEntry::SparseArrayEntry):
993         (JSC::SparseArrayEntry::attributes const):
994         (JSC::SparseArrayEntry::forceSet):
995         (JSC::SparseArrayEntry::asValue):
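
The value-then-attributes publication protocol described in the entry above, as an added example that is not JavaScriptCore's own code. It uses standard C++ fences in place of WTF::storeStoreFence and WTF::loadLoadFence, stands an int64_t in for the JSValue, and the Entry, publish, overwriteIfMutable and getConcurrently names are this example's assumptions. Unlike the patch, which emits its fence only on x86, the portable fences here are emitted on every architecture.

```cpp
#include <atomic>
#include <cstdint>

// Attribute bits standing in for JSC's DontDelete | ReadOnly (example's own values).
enum : unsigned { ReadOnly = 1u << 0, DontDelete = 1u << 1 };
constexpr unsigned kFrozen = ReadOnly | DontDelete;

// One sparse-map entry; an int64_t stands in for the JSValue.
struct Entry {
    std::atomic<int64_t> value { 0 };
    std::atomic<unsigned> attributes { 0 };
};

// Mutator side: store the value, fence, then store the attributes. The order is
// the whole protocol: anyone who observes "frozen" attributes must also observe
// the value that was stored before them.
void publish(Entry& e, int64_t v, unsigned attrs)
{
    e.value.store(v, std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_release); // WTF::storeStoreFence()
    e.attributes.store(attrs, std::memory_order_relaxed);
}

// Mutator side, later: an entry that is not frozen may still be rewritten in place.
void overwriteIfMutable(Entry& e, int64_t v)
{
    if ((e.attributes.load(std::memory_order_relaxed) & kFrozen) != kFrozen)
        e.value.store(v, std::memory_order_relaxed);
}

// Compiler-thread side: load attributes, fence, then load the value. Returns true
// and fills `out` only when the attributes prove the value can never change again;
// otherwise the abstract interpreter must not fold the GetByVal.
bool getConcurrently(const Entry& e, int64_t& out)
{
    unsigned attrs = e.attributes.load(std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_acquire); // WTF::loadLoadFence()
    if ((attrs & kFrozen) != kFrozen)
        return false;
    out = e.value.load(std::memory_order_relaxed);
    return true;
}

// The interleavings a concurrent reader can see, replayed deterministically.
struct Observation { bool foldable; int64_t value; };

// Reader runs between the value store and the attribute store: the value is
// there, but nothing vouches for it yet, so it is not foldable.
Observation observeAfterValueStore()
{
    Entry e;
    e.value.store(42, std::memory_order_relaxed);
    Observation o { false, -1 };
    o.foldable = getConcurrently(e, o.value);
    return o;
}

// Reader runs after a full publish followed by a later put: a frozen entry keeps
// 42 and is foldable; anything less than DontDelete | ReadOnly is not.
Observation observeAfterPublish(unsigned attrs)
{
    Entry e;
    publish(e, 42, attrs);
    overwriteIfMutable(e, 7);
    Observation o { false, -1 };
    o.foldable = getConcurrently(e, o.value);
    return o;
}

int main()
{
    Observation a = observeAfterValueStore();
    Observation b = observeAfterPublish(ReadOnly | DontDelete);
    Observation c = observeAfterPublish(ReadOnly);
    return (!a.foldable && b.foldable && b.value == 42 && !c.foldable) ? 0 : 1;
}
```

The reader's decision is the only thing the folder needs: once the attributes it loaded say DontDelete | ReadOnly, the value loaded after the fence is the final one, because the writer stored the value before its fence and the attributes after it. Dropping either fence reopens the window in which a reader sees frozen attributes paired with a stale value.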
996
997 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
998
999         We should support CreateThis in the FTL
1000         https://bugs.webkit.org/show_bug.cgi?id=164904
1001
1002         Reviewed by Yusuke Suzuki.
1003         
1004         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
1005         inference adventure.
1006         
1007         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
1008         benchmark's extremely perverse way of winning at type inference:
1009         
1010         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
1011           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
1012           benchmark was falling back to other mechanisms...
1013         
1014         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
1015           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
1016           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
1017           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
1018           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
1019           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
1020           
1021           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
1022           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
1023           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
1024           helper because it had a CreateThis.
1025         
1026         - Compilations that inlined the construction helper would have gotten super lucky with
1027           parse-time constant folding, so they knew what structure the input to the get_by_id would
1028           have at parse time. This is only profitable if the get_by_id parsing computed a
1029           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
1030           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
1031           cases, we would indeed get a finite number of cases. The parser would then prune those
1032           cases to just one - based on its knowledge of the structure - and that would result in that
1033           get_by_id being folded at parse time to a constant.
1034         
1035         - The subsequent op_call would inline based on parse-time knowledge of that constant.
1036         
1037         This patch comprehensively fixes these issues, as well as other issues that come up along the
1038         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
1039         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
1040         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
1041         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
1042         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
1043         attack raytrace's problem as a shortcoming of polyvariant profiling.
1044         
1045         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
1046           subset of the inline stack that includes the IC we're profiling. For example, if we have
1047           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
1048           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
1049           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
1050           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
1051           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
1052           from polyvariant profling. Previously, the polyvariant profiler would only look at the
1053           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
1054           had inlined bar and then baz. It may not have done that, because those calls could have
1055           required polyvariant profiling that was only available in the FTL.
1056           
1057         - A particularly interesting case is when some IC in foo-baseline is also available in
1058           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
1059           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
1060           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
1061           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
1062           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
1063           because it warns us of historical polymorphism. Historical polymorphism usually means
1064           future polymorphism. IC status code already had some merging functionality, but I needed to
1065           beef it up a lot to make this work right.
1066         
1067         - Inlining an inline cache now preserves as much information as profiling. One challenge of
1068           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
1069           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
1070           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
1071           say "I don't have such an IC". At this point the DFG compilation that included that IC that
1072           gave us the information that we used to inline the IC is no longer alive. To keep us from
1073           losing the information we learned about the IC, there is now a RecordedStatuses data
1074           structure that preserves the statuses we use for inlining ICs. We also filter those
1075           statuses according to things we learn from AI. This further reduces the risk of information
1076           about an IC being forgotten.
1077         
1078         - Exit profiling now considers whether or not an exit happened from inline code. This
1079           protects us in the case where the not-inlined version of an IC exited a lot because of
1080           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
1081           profiling data, we consider only inlined exits.
1082         
1083         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
1084           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
1085           surprising that we've had this bug.
1086         
1087         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
1088         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
1089         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
1090         prototype access folding in the bytecode parser and constant folder. That would require some
1091         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
1092         have a test that captures raytrace's behavior in the case that the parser cannot fold the
1093         get_by_id.
1094         
1095         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
1096         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
1097         compile time regression anytime we fill in FTL coverage.
1098         
1099         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
1100         speeds up and that raytrace slows down, but these changes balance out and don't affect the
1101         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
1102         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
1103         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
1104         see a significant difference. In all three cases the difference is <0.5% with a high p value,
1105         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
1106         an insignificant infinitesimal slow-down.
1107         
1108         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
1109         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
1110         flow in a polymorphic constructor while having a bad time, and we'll still compile it.
1111
1112         * CMakeLists.txt:
1113         * JavaScriptCore.xcodeproj/project.pbxproj:
1114         * Sources.txt:
1115         * bytecode/ByValInfo.h:
1116         * bytecode/BytecodeDumper.cpp:
1117         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1118         (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
1119         (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
1120         (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
1121         (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
1122         (JSC::BytecodeDumper<Block>::printCallOp):
1123         (JSC::BytecodeDumper<Block>::dumpBytecode):
1124         (JSC::BytecodeDumper<Block>::dumpBlock):
1125         * bytecode/BytecodeDumper.h:
1126         * bytecode/CallLinkInfo.h:
1127         * bytecode/CallLinkStatus.cpp:
1128         (JSC::CallLinkStatus::computeFor):
1129         (JSC::CallLinkStatus::computeExitSiteData):
1130         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1131         (JSC::CallLinkStatus::accountForExits):
1132         (JSC::CallLinkStatus::finalize):
1133         (JSC::CallLinkStatus::filter):
1134         (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
1135         * bytecode/CallLinkStatus.h:
1136         (JSC::CallLinkStatus::operator bool const):
1137         (JSC::CallLinkStatus::operator! const): Deleted.
1138         * bytecode/CallVariant.cpp:
1139         (JSC::CallVariant::finalize):
1140         (JSC::CallVariant::filter):
1141         * bytecode/CallVariant.h:
1142         (JSC::CallVariant::operator bool const):
1143         (JSC::CallVariant::operator! const): Deleted.
1144         * bytecode/CodeBlock.cpp:
1145         (JSC::CodeBlock::dumpBytecode):
1146         (JSC::CodeBlock::propagateTransitions):
1147         (JSC::CodeBlock::finalizeUnconditionally):
1148         (JSC::CodeBlock::getICStatusMap):
1149         (JSC::CodeBlock::resetJITData):
1150         (JSC::CodeBlock::getStubInfoMap): Deleted.
1151         (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
1152         (JSC::CodeBlock::getByValInfoMap): Deleted.
1153         * bytecode/CodeBlock.h:
1154         * bytecode/CodeOrigin.cpp:
1155         (JSC::CodeOrigin::isApproximatelyEqualTo const):
1156         (JSC::CodeOrigin::approximateHash const):
1157         * bytecode/CodeOrigin.h:
1158         (JSC::CodeOrigin::exitingInlineKind const):
1159         * bytecode/DFGExitProfile.cpp:
1160         (JSC::DFG::FrequentExitSite::dump const):
1161         (JSC::DFG::ExitProfile::add):
1162         * bytecode/DFGExitProfile.h:
1163         (JSC::DFG::FrequentExitSite::FrequentExitSite):
1164         (JSC::DFG::FrequentExitSite::operator== const):
1165         (JSC::DFG::FrequentExitSite::subsumes const):
1166         (JSC::DFG::FrequentExitSite::hash const):
1167         (JSC::DFG::FrequentExitSite::inlineKind const):
1168         (JSC::DFG::FrequentExitSite::withInlineKind const):
1169         (JSC::DFG::QueryableExitProfile::hasExitSite const):
1170         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
1171         (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
1172         * bytecode/ExitFlag.cpp: Added.
1173         (JSC::ExitFlag::dump const):
1174         * bytecode/ExitFlag.h: Added.
1175         (JSC::ExitFlag::ExitFlag):
1176         (JSC::ExitFlag::operator| const):
1177         (JSC::ExitFlag::operator|=):
1178         (JSC::ExitFlag::operator& const):
1179         (JSC::ExitFlag::operator&=):
1180         (JSC::ExitFlag::operator bool const):
1181         (JSC::ExitFlag::isSet const):
1182         * bytecode/ExitingInlineKind.cpp: Added.
1183         (WTF::printInternal):
1184         * bytecode/ExitingInlineKind.h: Added.
1185         * bytecode/GetByIdStatus.cpp:
1186         (JSC::GetByIdStatus::computeFor):
1187         (JSC::GetByIdStatus::computeForStubInfo):
1188         (JSC::GetByIdStatus::slowVersion const):
1189         (JSC::GetByIdStatus::markIfCheap):
1190         (JSC::GetByIdStatus::finalize):
1191         (JSC::GetByIdStatus::hasExitSite): Deleted.
1192         * bytecode/GetByIdStatus.h:
1193         * bytecode/GetByIdVariant.cpp:
1194         (JSC::GetByIdVariant::markIfCheap):
1195         (JSC::GetByIdVariant::finalize):
1196         * bytecode/GetByIdVariant.h:
1197         * bytecode/ICStatusMap.cpp: Added.
1198         (JSC::ICStatusContext::get const):
1199         (JSC::ICStatusContext::isInlined const):
1200         (JSC::ICStatusContext::inlineKind const):
1201         * bytecode/ICStatusMap.h: Added.
1202         * bytecode/ICStatusUtils.cpp: Added.
1203         (JSC::hasBadCacheExitSite):
1204         * bytecode/ICStatusUtils.h:
1205         * bytecode/InstanceOfStatus.cpp:
1206         (JSC::InstanceOfStatus::computeFor):
1207         * bytecode/InstanceOfStatus.h:
1208         * bytecode/PolyProtoAccessChain.h:
1209         * bytecode/PutByIdStatus.cpp:
1210         (JSC::PutByIdStatus::hasExitSite):
1211         (JSC::PutByIdStatus::computeFor):
1212         (JSC::PutByIdStatus::slowVersion const):
1213         (JSC::PutByIdStatus::markIfCheap):
1214         (JSC::PutByIdStatus::finalize):
1215         (JSC::PutByIdStatus::filter):
1216         * bytecode/PutByIdStatus.h:
1217         * bytecode/PutByIdVariant.cpp:
1218         (JSC::PutByIdVariant::markIfCheap):
1219         (JSC::PutByIdVariant::finalize):
1220         * bytecode/PutByIdVariant.h:
1221         (JSC::PutByIdVariant::structureSet const):
1222         * bytecode/RecordedStatuses.cpp: Added.
1223         (JSC::RecordedStatuses::operator=):
1224         (JSC::RecordedStatuses::RecordedStatuses):
1225         (JSC::RecordedStatuses::addCallLinkStatus):
1226         (JSC::RecordedStatuses::addGetByIdStatus):
1227         (JSC::RecordedStatuses::addPutByIdStatus):
1228         (JSC::RecordedStatuses::markIfCheap):
1229         (JSC::RecordedStatuses::finalizeWithoutDeleting):
1230         (JSC::RecordedStatuses::finalize):
1231         (JSC::RecordedStatuses::shrinkToFit):
1232         * bytecode/RecordedStatuses.h: Added.
1233         (JSC::RecordedStatuses::RecordedStatuses):
1234         (JSC::RecordedStatuses::forEachVector):
1235         * bytecode/StructureSet.cpp:
1236         (JSC::StructureSet::markIfCheap const):
1237         (JSC::StructureSet::isStillAlive const):
1238         * bytecode/StructureSet.h:
1239         * bytecode/TerminatedCodeOrigin.h: Added.
1240         (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
1241         (JSC::TerminatedCodeOriginHashTranslator::hash):
1242         (JSC::TerminatedCodeOriginHashTranslator::equal):
1243         * bytecode/Watchpoint.cpp:
1244         (WTF::printInternal):
1245         * bytecode/Watchpoint.h:
1246         * dfg/DFGAbstractInterpreter.h:
1247         * dfg/DFGAbstractInterpreterInlines.h:
1248         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1249         (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
1250         * dfg/DFGByteCodeParser.cpp:
1251         (JSC::DFG::ByteCodeParser::handleCall):
1252         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1253         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1254         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
1255         (JSC::DFG::ByteCodeParser::handleGetById):
1256         (JSC::DFG::ByteCodeParser::handlePutById):
1257         (JSC::DFG::ByteCodeParser::parseBlock):
1258         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1259         (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
1260         (JSC::DFG::ByteCodeParser::parse):
1261         * dfg/DFGClobberize.h:
1262         (JSC::DFG::clobberize):
1263         * dfg/DFGClobbersExitState.cpp:
1264         (JSC::DFG::clobbersExitState):
1265         * dfg/DFGCommonData.h:
1266         * dfg/DFGConstantFoldingPhase.cpp:
1267         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1268         * dfg/DFGDesiredWatchpoints.h:
1269         (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
1270         * dfg/DFGDoesGC.cpp:
1271         (JSC::DFG::doesGC):
1272         * dfg/DFGFixupPhase.cpp:
1273         (JSC::DFG::FixupPhase::fixupNode):
1274         * dfg/DFGGraph.cpp:
1275         (JSC::DFG::Graph::dump):
1276         * dfg/DFGMayExit.cpp:
1277         * dfg/DFGNode.h:
1278         (JSC::DFG::Node::hasCallLinkStatus):
1279         (JSC::DFG::Node::callLinkStatus):
1280         (JSC::DFG::Node::hasGetByIdStatus):
1281         (JSC::DFG::Node::getByIdStatus):
1282         (JSC::DFG::Node::hasPutByIdStatus):
1283         (JSC::DFG::Node::putByIdStatus):
1284         * dfg/DFGNodeType.h:
1285         * dfg/DFGOSRExitBase.cpp:
1286         (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
1287         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1288         * dfg/DFGPlan.cpp:
1289         (JSC::DFG::Plan::reallyAdd):
1290         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
1291         (JSC::DFG::Plan::finalizeInGC):
1292         * dfg/DFGPlan.h:
1293         * dfg/DFGPredictionPropagationPhase.cpp:
1294         * dfg/DFGSafeToExecute.h:
1295         (JSC::DFG::safeToExecute):
1296         * dfg/DFGSpeculativeJIT32_64.cpp:
1297         (JSC::DFG::SpeculativeJIT::compile):
1298         * dfg/DFGSpeculativeJIT64.cpp:
1299         (JSC::DFG::SpeculativeJIT::compile):
1300         * dfg/DFGStrengthReductionPhase.cpp:
1301         (JSC::DFG::StrengthReductionPhase::handleNode):
1302         * dfg/DFGWorklist.cpp:
1303         (JSC::DFG::Worklist::removeDeadPlans):
1304         * ftl/FTLAbstractHeapRepository.h:
1305         * ftl/FTLCapabilities.cpp:
1306         (JSC::FTL::canCompile):
1307         * ftl/FTLLowerDFGToB3.cpp:
1308         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1309         (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
1310         (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
1311         * jit/PolymorphicCallStubRoutine.cpp:
1312         (JSC::PolymorphicCallStubRoutine::hasEdges const):
1313         (JSC::PolymorphicCallStubRoutine::edges const):
1314         * jit/PolymorphicCallStubRoutine.h:
1315         * profiler/ProfilerBytecodeSequence.cpp:
1316         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1317         * runtime/FunctionRareData.cpp:
1318         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1319         * runtime/Options.h:
1320
1321 2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1322
1323         [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
1324         https://bugs.webkit.org/show_bug.cgi?id=187472
1325
1326         Reviewed by Mark Lam.
1327
1328         std::function allocates memory from standard malloc instead of bmalloc. Instead of
1329         using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.
1330
1331         This patch attempts to replace std::function with the above WTF function types.
1332         If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
1333         is really efficient. Otherwise, we should use WTF::Function.
1334         For recurring use cases, we can use RecursableLambda.
1335
1336         * assembler/MacroAssembler.cpp:
1337         (JSC::stdFunctionCallback):
1338         (JSC::MacroAssembler::probe):
1339         * assembler/MacroAssembler.h:
1340         * b3/air/AirDisassembler.cpp:
1341         (JSC::B3::Air::Disassembler::dump):
1342         * b3/air/AirDisassembler.h:
1343         * bytecompiler/BytecodeGenerator.cpp:
1344         (JSC::BytecodeGenerator::BytecodeGenerator):
1345         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
1346         (JSC::BytecodeGenerator::emitEnumeration):
1347         * bytecompiler/BytecodeGenerator.h:
1348         * bytecompiler/NodesCodegen.cpp:
1349         (JSC::ArrayNode::emitBytecode):
1350         (JSC::ApplyFunctionCallDotNode::emitBytecode):
1351         (JSC::ForOfNode::emitBytecode):
1352         * dfg/DFGSpeculativeJIT.cpp:
1353         (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
1354         (JSC::DFG::SpeculativeJIT::compileMathIC):
1355         * dfg/DFGSpeculativeJIT.h:
1356         * dfg/DFGSpeculativeJIT64.cpp:
1357         (JSC::DFG::SpeculativeJIT::compile):
1358         * dfg/DFGValidate.cpp:
1359         * ftl/FTLCompile.cpp:
1360         (JSC::FTL::compile):
1361         * heap/HeapSnapshotBuilder.cpp:
1362         (JSC::HeapSnapshotBuilder::json):
1363         * heap/HeapSnapshotBuilder.h:
1364         * interpreter/StackVisitor.cpp:
1365         (JSC::StackVisitor::Frame::dump const):
1366         * interpreter/StackVisitor.h:
1367         * runtime/PromiseDeferredTimer.h:
1368         * runtime/VM.cpp:
1369         (JSC::VM::whenIdle):
1370         (JSC::enableProfilerWithRespectToCount):
1371         (JSC::disableProfilerWithRespectToCount):
1372         * runtime/VM.h:
1373         * runtime/VMEntryScope.cpp:
1374         (JSC::VMEntryScope::addDidPopListener):
1375         * runtime/VMEntryScope.h:
1376         * tools/HeapVerifier.cpp:
1377         (JSC::HeapVerifier::verifyCellList):
1378         (JSC::HeapVerifier::validateCell):
1379         (JSC::HeapVerifier::validateJSCell):
1380         * tools/HeapVerifier.h:
1381
1382 2018-07-20  Michael Saboff  <msaboff@apple.com>
1383
1384         DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
1385         https://bugs.webkit.org/show_bug.cgi?id=187827
1386         rdar://problem/42146858
1387
1388         Reviewed by Saam Barati.
1389
1390         When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
1391         that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
1392         We can't end up with other shapes, Int32, Double, etc. because GenericArguments sets
1393         InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
1394         putByIndex() path that doesn't change the shape.
1395
1396         * dfg/DFGArrayMode.h:
1397         (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
1398
1399 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1400
1401         [DFG] Fold GetByVal if Array is CoW
1402         https://bugs.webkit.org/show_bug.cgi?id=186459
1403
1404         Reviewed by Saam Barati.
1405
1406         CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
1407         fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
1408         is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.
1409
1410         This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
1411         to these constant arrays can be folded into an actual constant by this patch.
1412
1413                                            baseline                  patched
1414
1415         template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
1416         template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster
1417
1418         * dfg/DFGAbstractInterpreterInlines.h:
1419         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1420
1421 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1422
1423         [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
1424         https://bugs.webkit.org/show_bug.cgi?id=186602
1425
1426         Reviewed by Saam Barati.
1427
1428         JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
1429         change the part of the butterfly, length etc. We prove that our procedure is safe, and
1430         drop the cellLock() here.
1431
1432         * runtime/JSObject.cpp:
1433         (JSC::JSObject::convertContiguousToArrayStorage):
1434
1435 2018-07-20  Saam Barati  <sbarati@apple.com>
1436
1437         CompareEq should be using KnownOtherUse instead of OtherUse
1438         https://bugs.webkit.org/show_bug.cgi?id=186814
1439         <rdar://problem/39720030>
1440
1441         Reviewed by Filip Pizlo.
1442
1443         CompareEq in fixup phase was doing this:
1444         insertCheck(child, OtherUse)
1445         setUseKind(child, OtherUse)
1446         And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
1447         lead to edge verification crashing because a phase may optimize the check out
1448         by removing the node. However, AI may not be privy to that optimization, and
1449         AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
1450         backend to actually emit a check here, but it does not.
1451         
1452         This exact pattern is why we have KnownXYZ use kinds. This patch introduces
1453         KnownOtherUse and changes the above pattern to be:
1454         insertCheck(child, OtherUse)
1455         setUseKind(child, KnownOtherUse)
1456
1457         * dfg/DFGFixupPhase.cpp:
1458         (JSC::DFG::FixupPhase::fixupNode):
1459         * dfg/DFGSafeToExecute.h:
1460         (JSC::DFG::SafeToExecuteEdge::operator()):
1461         * dfg/DFGSpeculativeJIT.cpp:
1462         (JSC::DFG::SpeculativeJIT::speculate):
1463         * dfg/DFGUseKind.cpp:
1464         (WTF::printInternal):
1465         * dfg/DFGUseKind.h:
1466         (JSC::DFG::typeFilterFor):
1467         (JSC::DFG::shouldNotHaveTypeCheck):
1468         (JSC::DFG::checkMayCrashIfInputIsEmpty):
1469         * dfg/DFGWatchpointCollectionPhase.cpp:
1470         (JSC::DFG::WatchpointCollectionPhase::handle):
1471         * ftl/FTLCapabilities.cpp:
1472         (JSC::FTL::canCompile):
1473         * ftl/FTLLowerDFGToB3.cpp:
1474         (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
1475         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1476
1477 2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1478
1479         [JSC] A bit performance improvement for Object.assign by cleaning up code
1480         https://bugs.webkit.org/show_bug.cgi?id=187852
1481
1482         Reviewed by Saam Barati.
1483
1484         We clean up Object.assign code a bit.
1485
1486         1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
1487         2. canDoFastPath is not necessary. Restructuring the code to clean up things.
1488
1489         It improves the performance a bit.
1490
1491                                     baseline                  patched
1492
1493         object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster
1494
1495         * runtime/ObjectConstructor.cpp:
1496         (JSC::objectConstructorAssign):
1497
1498 2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1499
1500         [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
1501         https://bugs.webkit.org/show_bug.cgi?id=187798
1502
1503         Reviewed by Michael Catanzaro.
1504
1505         Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
1506         jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
1507         functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
1508         patch adds JSAPIWrapperGlobalObject for that.
1509
1510         * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
1511         (jsAPIWrapperGlobalObjectHandleOwner):
1512         (JSAPIWrapperGlobalObjectHandleOwner::finalize):
1513         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
1514         (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
1515         (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
1516         (JSC::JSAPIWrapperGlobalObject::finishCreation):
1517         (JSC::JSAPIWrapperGlobalObject::visitChildren):
1518         * API/glib/JSAPIWrapperGlobalObject.h: Added.
1519         (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
1520         (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
1521         * API/glib/JSCClass.cpp:
1522         (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
1523         (wrappedObjectClass): Return the class of a wrapped object.
1524         (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
1525         scope extension global object is used instead.
1526         (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
1527         (setProperty): Ditto.
1528         (hasProperty): Ditto.
1529         (deleteProperty): Ditto.
1530         (getPropertyNames): Ditto.
1531         (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
1532         * API/glib/JSCClassPrivate.h:
1533         * API/glib/JSCContext.cpp:
1534         (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
1535         (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
1536         * API/glib/JSCContext.h:
1537         * API/glib/JSCContextPrivate.h:
1538         * API/glib/JSCWrapperMap.cpp:
1539         (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
1540         when a JSCClass is used to create the JSAPIWrapperGlobalObject.
1541         (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
1542         * API/glib/JSCWrapperMap.h:
1543         * GLib.cmake:
1544
1545 2018-07-19  Saam Barati  <sbarati@apple.com>
1546
1547         Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
1548         https://bugs.webkit.org/show_bug.cgi?id=187836
1549         <rdar://problem/42409527>
1550
1551         Reviewed by Mark Lam.
1552
1553         We have crash reports that we're crashing on source->getDirect in Object.assign's
1554         fast path. Mark investigated this and determined we end up with a nullptr for
1555         butterfly. This is curious, because source's Structure indicated that it has
1556         out of line properties. My leading hypothesis for this at the moment is a bit
1557         handwavy, but it's essentially:
1558         - We end up firing a watchpoint when assigning to the target (this can happen
1559         if a watchpoint was set up for storing to that particular field)
1560         - When we fire that watchpoint, we end up doing some kind of work on the source,
1561         perhaps causing it to flattenDictionaryStructure. Therefore, we end up
1562         mutating source.
1563         
1564         I'm not super convinced this is what we're running into, but just by reading
1565         the code, I think it needs to be something similar to this. Seeing if this change
1566         fixes the crasher will give us good data to determine if something like this is
1567         happening or if the bug is something else entirely.
1568
1569         * runtime/ObjectConstructor.cpp:
1570         (JSC::objectConstructorAssign):
1571
1572 2018-07-19  Commit Queue  <commit-queue@webkit.org>
1573
1574         Unreviewed, rolling out r233998.
1575         https://bugs.webkit.org/show_bug.cgi?id=187815
1576
1577         Not needed. (Requested by mlam|a on #webkit).
1578
1579         Reverted changeset:
1580
1581         "Temporarily mitigate a bug where a source provider is null
1582         when it shouldn't be."
1583         https://bugs.webkit.org/show_bug.cgi?id=187812
1584         https://trac.webkit.org/changeset/233998
1585
1586 2018-07-19  Mark Lam  <mark.lam@apple.com>
1587
1588         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
1589         https://bugs.webkit.org/show_bug.cgi?id=187812
1590         <rdar://problem/41192691>
1591
1592         Reviewed by Michael Saboff.
1593
1594         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
1595
1596         * runtime/Error.cpp:
1597         (JSC::addErrorInfo):
1598
1599 2018-07-19  Keith Rollin  <krollin@apple.com>
1600
1601         Adjust WEBCORE_EXPORT annotations for LTO
1602         https://bugs.webkit.org/show_bug.cgi?id=187781
1603         <rdar://problem/42351124>
1604
1605         Reviewed by Alex Christensen.
1606
1607         Continuation of Bug 186944. This bug addresses issues not caught
1608         during the first pass of adjustments. The initial work focussed on
1609         macOS; this one addresses issues found when building for iOS. From
1610         186944:
1611
1612         Adjust a number of places that result in WebKit's
1613         'check-for-weak-vtables-and-externals' script reporting weak external
1614         symbols:
1615
1616             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
1617             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
1618             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
1619             ...
1620
1621         These cases are caused by inline methods being marked with WTF_EXPORT
1622         (or related macro) or with an inline function being in a class marked
1623         as such, and when enabling LTO builds.
1624
1625         For the most part, address these by removing the WEBCORE_EXPORT
1626         annotation from inline methods. In some cases, move the implementation
1627         out-of-line because it's the class that has the WEBCORE_EXPORT on it
1628         and removing the annotation from the class would be too disruptive.
1629         Finally, in other cases, move the implementation out-of-line because
1630         check-for-weak-vtables-and-externals still complains when keeping the
1631         implementation inline and removing the annotation; this seems to
1632         typically (but not always) happen with destructors.
1633
1634         * inspector/remote/RemoteAutomationTarget.cpp:
1635         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
1636         * inspector/remote/RemoteAutomationTarget.h:
1637         * inspector/remote/RemoteInspector.cpp:
1638         (Inspector::RemoteInspector::Client::~Client):
1639         * inspector/remote/RemoteInspector.h:
1640
1641 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1642
1643         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
1644         https://bugs.webkit.org/show_bug.cgi?id=187807
1645
1646         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
1647         that we know that exception occurrence and handle it well.
1648
1649         * runtime/JSONObject.cpp:
1650         (JSC::Stringifier::Holder::appendNextProperty):
1651
1652 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1653
1654         [JSC] Reduce size of AST nodes
1655         https://bugs.webkit.org/show_bug.cgi?id=187689
1656
1657         Reviewed by Mark Lam.
1658
1659         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
1660         of ParserArena at peak state.
1661
1662         1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to
1663         devirtualize calls to functions which are implemented in a final class.
1664
1665         2. Use default member initializers more.
1666
1667         3. And use `nullptr` instead of `0`.
1668
1669         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
1670         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
1671         to 40. This decreases the sizes of all the derived Statement nodes.
1672
1673         * parser/NodeConstructors.h:
1674         (JSC::Node::Node):
1675         (JSC::StatementNode::StatementNode):
1676         (JSC::ElementNode::ElementNode):
1677         (JSC::ArrayNode::ArrayNode):
1678         (JSC::PropertyListNode::PropertyListNode):
1679         (JSC::ObjectLiteralNode::ObjectLiteralNode):
1680         (JSC::ArgumentListNode::ArgumentListNode):
1681         (JSC::ArgumentsNode::ArgumentsNode):
1682         (JSC::NewExprNode::NewExprNode):
1683         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
1684         (JSC::BinaryOpNode::BinaryOpNode):
1685         (JSC::LogicalOpNode::LogicalOpNode):
1686         (JSC::CommaNode::CommaNode):
1687         (JSC::SourceElements::SourceElements):
1688         (JSC::ClauseListNode::ClauseListNode):
1689         * parser/Nodes.cpp:
1690         (JSC::FunctionMetadataNode::FunctionMetadataNode):
1691         (JSC::FunctionMetadataNode::operator== const):
1692         (JSC::FunctionMetadataNode::dump const):
1693         * parser/Nodes.h:
1694         (JSC::BooleanNode::value): Deleted.
1695         (JSC::StringNode::value): Deleted.
1696         (JSC::TemplateExpressionListNode::value): Deleted.
1697         (JSC::TemplateExpressionListNode::next): Deleted.
1698         (JSC::TemplateStringNode::cooked): Deleted.
1699         (JSC::TemplateStringNode::raw): Deleted.
1700         (JSC::TemplateStringListNode::value): Deleted.
1701         (JSC::TemplateStringListNode::next): Deleted.
1702         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
1703         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
1704         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
1705         (JSC::ResolveNode::identifier const): Deleted.
1706         (JSC::ElementNode::elision const): Deleted.
1707         (JSC::ElementNode::value): Deleted.
1708         (JSC::ElementNode::next): Deleted.
1709         (JSC::ArrayNode::elements const): Deleted.
1710         (JSC::PropertyNode::expressionName const): Deleted.
1711         (JSC::PropertyNode::name const): Deleted.
1712         (JSC::PropertyNode::type const): Deleted.
1713         (JSC::PropertyNode::needsSuperBinding const): Deleted.
1714         (JSC::PropertyNode::isClassProperty const): Deleted.
1715         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
1716         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
1717         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
1718         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
1719         (JSC::PropertyNode::putType const): Deleted.
1720         (JSC::BracketAccessorNode::base const): Deleted.
1721         (JSC::BracketAccessorNode::subscript const): Deleted.
1722         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
1723         (JSC::DotAccessorNode::base const): Deleted.
1724         (JSC::DotAccessorNode::identifier const): Deleted.
1725         (JSC::SpreadExpressionNode::expression const): Deleted.
1726         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
1727         (JSC::BytecodeIntrinsicNode::type const): Deleted.
1728         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
1729         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
1730         (JSC::TypeOfResolveNode::identifier const): Deleted.
1731         (JSC::BitwiseNotNode::expr): Deleted.
1732         (JSC::BitwiseNotNode::expr const): Deleted.
1733         (JSC::AssignResolveNode::identifier const): Deleted.
1734         (JSC::ExprStatementNode::expr const): Deleted.
1735         (JSC::ForOfNode::isForAwait const): Deleted.
1736         (JSC::ReturnNode::value): Deleted.
1737         (JSC::ProgramNode::startColumn const): Deleted.
1738         (JSC::ProgramNode::endColumn const): Deleted.
1739         (JSC::EvalNode::startColumn const): Deleted.
1740         (JSC::EvalNode::endColumn const): Deleted.
1741         (JSC::ModuleProgramNode::startColumn const): Deleted.
1742         (JSC::ModuleProgramNode::endColumn const): Deleted.
1743         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
1744         (JSC::ModuleNameNode::moduleName): Deleted.
1745         (JSC::ImportSpecifierNode::importedName): Deleted.
1746         (JSC::ImportSpecifierNode::localName): Deleted.
1747         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
1748         (JSC::ImportSpecifierListNode::append): Deleted.
1749         (JSC::ImportDeclarationNode::specifierList const): Deleted.
1750         (JSC::ImportDeclarationNode::moduleName const): Deleted.
1751         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
1752         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
1753         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
1754         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
1755         (JSC::ExportSpecifierNode::exportedName): Deleted.
1756         (JSC::ExportSpecifierNode::localName): Deleted.
1757         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
1758         (JSC::ExportSpecifierListNode::append): Deleted.
1759         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
1760         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
1761         (JSC::ArrayPatternNode::appendIndex): Deleted.
1762         (JSC::ObjectPatternNode::appendEntry): Deleted.
1763         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
1764         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
1765         (JSC::DestructuringAssignmentNode::bindings): Deleted.
1766         (JSC::FunctionParameters::size const): Deleted.
1767         (JSC::FunctionParameters::append): Deleted.
1768         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
1769         (JSC::FuncDeclNode::metadata): Deleted.
1770         (JSC::CaseClauseNode::expr const): Deleted.
1771         (JSC::CaseClauseNode::setStartOffset): Deleted.
1772         (JSC::ClauseListNode::getClause const): Deleted.
1773         (JSC::ClauseListNode::getNext const): Deleted.
1774         * runtime/ExceptionHelpers.cpp:
1775         * runtime/JSObject.cpp:
1776
1777 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1778
1779         JSON.stringify should emit non own properties if second array argument includes
1780         https://bugs.webkit.org/show_bug.cgi?id=187724
1781
1782         Reviewed by Mark Lam.
1783
1784         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
1785         instead of [[GetOwnProperty]]. It means that we would look up properties defined
1786         in [[Prototype]] or upper objects in the prototype chain. While enumeration is done
1787         by using EnumerableOwnPropertyNames typically, we can pass replacer array including
1788         property names which do not reside in the own properties. Or we can modify the
1789         own properties by deleting properties while JSON.stringify is calling a getter. So,
1790         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
1791
1792         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
1793         The performance of Kraken/json-stringify-tinderbox is neutral.
1794
1795         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
1796
1797         * runtime/JSONObject.cpp:
1798         (JSC::Stringifier::toJSON):
1799         (JSC::Stringifier::toJSONImpl):
1800         (JSC::Stringifier::appendStringifiedValue):
1801         (JSC::Stringifier::Holder::Holder):
1802         (JSC::Stringifier::Holder::appendNextProperty):
1803
1804 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1805
1806         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
1807         https://bugs.webkit.org/show_bug.cgi?id=187755
1808
1809         Reviewed by Mark Lam.
1810
1811         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
1812         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
1813         makes one test262 test fail.
1814
1815         This patch changes the code to use `isArray()`. And we reorder the evaluations of the replacer check and indent space check
1816         to align these checks to the spec's order.
1817
1818         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
1819
1820         * runtime/JSONObject.cpp:
1821         (JSC::Stringifier::Stringifier):
1822
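The two JSON.stringify behaviours described in the entries above ([[Get]] lookup of replacer-listed and getter-mutated properties, and `isArray` accepting a Proxy replacer), as an added JavaScript example that is not part of the WebKit ChangeLog or of the JSC source; the functions and their inputs are constructed here and assume a spec-conforming engine:

```javascript
// Added example (not WebKit code): observable consequences of the
// JSON.stringify spec semantics discussed in the ChangeLog entries above.

// 1. A replacer array lists property names; each is looked up with [[Get]],
//    so an inherited property named in the replacer is serialized even
//    though it is not an own property of the object.
function stringifyWithInheritedKey() {
  const proto = { inherited: 1 };
  const obj = Object.create(proto);
  obj.own = 2;
  // "inherited" lives on proto; [[GetOwnProperty]] would miss it.
  return JSON.stringify(obj, ["own", "inherited"]);
}

// 2. A getter that deletes a sibling own property while stringify is
//    running: the key list was computed up front from own enumerable
//    properties, but the later [[Get]] for "b" now falls through to the
//    prototype instead of yielding undefined (which would omit the key).
function stringifyWithMutatingGetter() {
  const proto = { b: "fromProto" };
  const obj = Object.create(proto);
  Object.defineProperty(obj, "a", {
    enumerable: true,
    get() {
      delete obj.b; // mutate the object mid-serialization
      return "a";
    },
  });
  obj.b = "own";
  return JSON.stringify(obj);
}

// 3. The replacer check uses IsArray, which sees through a Proxy whose
//    target is an array, so a proxied array still acts as a property list.
function stringifyWithProxyReplacer() {
  const replacer = new Proxy(["x"], {});
  return JSON.stringify({ x: 1, y: 2 }, replacer);
}
```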
1823 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1824
1825         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
1826         https://bugs.webkit.org/show_bug.cgi?id=187752
1827
1828         Reviewed by Mark Lam.
1829
1830         JSON.stringify has an implicit root wrapper object since we would like to call replacer
1831         with a wrapper object and a property name. While we always create this wrapper object,
1832         it is unnecessary if the given replacer is not callable.
1833
1834         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
1835         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
1836
1837                                            baseline                  patched
1838
1839         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
1840
1841         * runtime/JSONObject.cpp:
1842         (JSC::Stringifier::isCallableReplacer const):
1843         (JSC::Stringifier::Stringifier):
1844         (JSC::Stringifier::stringify):
1845         (JSC::Stringifier::appendStringifiedValue):
1846
1847 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
1848
1849         [GLIB] Add jsc_context_check_syntax() to GLib API
1850         https://bugs.webkit.org/show_bug.cgi?id=187694
1851
1852         Reviewed by Yusuke Suzuki.
1853
1854         A new function to be able to check for syntax errors without actually evaluating the code.
1855
1856         * API/glib/JSCContext.cpp:
1857         (jsc_context_check_syntax):
1858         * API/glib/JSCContext.h:
1859         * API/glib/docs/jsc-glib-4.0-sections.txt:
1860
1861 2018-07-17  Keith Miller  <keith_miller@apple.com>
1862
1863         Revert r233630 since it broke internal wasm benchmarks
1864         https://bugs.webkit.org/show_bug.cgi?id=187746
1865
1866         Unreviewed revert.
1867
1868         This patch seems to have broken internal Wasm benchmarks. This
1869         issue is likely due to an underlying bug but let's rollout while
1870         we investigate.
1871
1872         * bytecode/CodeType.h:
1873         * bytecode/UnlinkedCodeBlock.cpp:
1874         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1875         * bytecode/UnlinkedCodeBlock.h:
1876         (JSC::UnlinkedCodeBlock::codeType const):
1877         (JSC::UnlinkedCodeBlock::didOptimize const):
1878         (JSC::UnlinkedCodeBlock::setDidOptimize):
1879         * bytecode/VirtualRegister.h:
1880         (JSC::VirtualRegister::VirtualRegister):
1881         (): Deleted.
1882
1883 2018-07-17  Mark Lam  <mark.lam@apple.com>
1884
1885         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
1886         https://bugs.webkit.org/show_bug.cgi?id=187736
1887         <rdar://problem/42114371>
1888
1889         Reviewed by Michael Saboff.
1890
1891         CodeBlock::baselineVersion() currently checks for a null replacement but does not
1892         account for the fact that the replacement can also be null due to the
1893         executable having been purged of its codeBlocks due to a memory event (see
1894         ExecutableBase::clearCode()).  This patch adds code to account for this.
1895
1896         * bytecode/CodeBlock.cpp:
1897         (JSC::CodeBlock::baselineVersion):
1898
1899 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1900
1901         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
1902         https://bugs.webkit.org/show_bug.cgi?id=187709
1903
1904         Reviewed by Mark Lam.
1905
1906         UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
1907
1908         * bytecode/UnlinkedCodeBlock.cpp:
1909         (JSC::UnlinkedCodeBlock::shrinkToFit):
1910
1911 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1912
1913         [JSC] Make SourceParseMode small
1914         https://bugs.webkit.org/show_bug.cgi?id=187705
1915
1916         Reviewed by Mark Lam.
1917
1918         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
1919         Originally, this is done to make SourceParseModeSet faster because it is critical in our parser.
1920         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
1921         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
1922
1923         * parser/ParserModes.h:
1924         (JSC::SourceParseModeSet::SourceParseModeSet):
1925         (JSC::SourceParseModeSet::contains):
1926         (JSC::SourceParseModeSet::mergeSourceParseModes):
1927
1928 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1929
1930         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
1931         https://bugs.webkit.org/show_bug.cgi?id=187585
1932
1933         Reviewed by Darin Adler.
1934
1935         This patch fixes Generator and AsyncGenerator's prototype issues.
1936
1937         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
1938         We fix this by changing JSFunction::prototypeForConstruction.
1939
1940         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
1941         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
1942         to fix `prototype` issues for AsyncGeneratorMethod.
1943
1944         * bytecompiler/BytecodeGenerator.cpp:
1945         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1946         (JSC::BytecodeGenerator::emitNewFunction):
1947         * bytecompiler/NodesCodegen.cpp:
1948         (JSC::FunctionNode::emitBytecode):
1949         * parser/ASTBuilder.h:
1950         (JSC::ASTBuilder::createFunctionMetadata):
1951         * parser/Parser.cpp:
1952         (JSC::getAsynFunctionBodyParseMode):
1953         (JSC::Parser<LexerType>::parseInner):
1954         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1955         * parser/ParserModes.h:
1956         (JSC::isAsyncGeneratorParseMode):
1957         (JSC::isAsyncGeneratorWrapperParseMode):
1958         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
1959         * runtime/FunctionExecutable.h:
1960         * runtime/JSFunction.cpp:
1961         (JSC::JSFunction::prototypeForConstruction):
1962         (JSC::JSFunction::getOwnPropertySlot):
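
        The observable behaviour this entry fixes, as an added example that is not part of WebKit's
        code: when a generator's (or async generator method's) "prototype" property is replaced by a
        non-object, instances must fall back to the realm's intrinsic %GeneratorPrototype% or
        %AsyncGeneratorPrototype%, which is what the spec's GetPrototypeFromConstructor step says.
        The helper expectedInstancePrototype() is a hypothetical reference predicate, not a JSC API.

```javascript
// Added example (not WebKit code): generator instance prototype fallback.
// The intrinsic defaults are reachable from any generator function's constructor.
const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;

// Reference predicate (hypothetical helper): mirrors GetPrototypeFromConstructor.
// Use fn.prototype if it is an object (functions included), else the intrinsic default.
function expectedInstancePrototype(fn, intrinsicDefault) {
  const p = fn.prototype;
  const isObject = (typeof p === 'object' && p !== null) || typeof p === 'function';
  return isObject ? p : intrinsicDefault;
}

function checkGeneratorPrototypeFallback() {
  function* g() {}
  const obj = { async *m() {} }; // an AsyncGeneratorMethod, the case named in the entry
  const results = {};

  // Normal case: an instance inherits from the function's own prototype object.
  results.normalGen = Object.getPrototypeOf(g()) === g.prototype;
  results.normalAsync = Object.getPrototypeOf(obj.m()) === obj.m.prototype;

  // Edge case from the entry: "prototype" is writable, so null can be stored there.
  // Instances must then inherit from the intrinsic default, not from null.
  g.prototype = null;
  obj.m.prototype = null;
  results.nullGen = Object.getPrototypeOf(g()) === GeneratorPrototype;
  results.nullAsync = Object.getPrototypeOf(obj.m()) === AsyncGeneratorPrototype;

  // The reference predicate agrees with the engine in both null cases.
  results.predicted =
    expectedInstancePrototype(g, GeneratorPrototype) === GeneratorPrototype &&
    expectedInstancePrototype(obj.m, AsyncGeneratorPrototype) === AsyncGeneratorPrototype;
  return results;
}
```

        Every field of the returned object is true on a conforming engine; an engine with the bug
        described above would produce an instance whose prototype is null for the nullGen case.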
1963
1964 2018-07-16  Mark Lam  <mark.lam@apple.com>
1965
1966         jsc shell's noFTL utility test function should be more robust.
1967         https://bugs.webkit.org/show_bug.cgi?id=187704
1968         <rdar://problem/42231988>
1969
1970         Reviewed by Michael Saboff and Keith Miller.
1971
1972         * jsc.cpp:
1973         (functionNoFTL):
1974         - only setNeverFTLOptimize() if the function is actually a JS function.
1975
1976 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
1977
1978         [GLIB] Add API to evaluate code using a given object to store global symbols
1979         https://bugs.webkit.org/show_bug.cgi?id=187639
1980
1981         Reviewed by Michael Catanzaro.
1982
1983         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
1984         evaluated script are added as properties to the new object instead of to the context global object. This is
1985         similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a
1986         scope for assignments, so we have to create a new context and get its global object. This patch also updates
1987         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
1988         jsc_context_evaluate_in_object().
1989
1990         * API/glib/JSCContext.cpp:
1991         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
1992         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
1993         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
1994         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
1995         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
1996         * API/glib/JSCContext.h:
1997         * API/glib/docs/jsc-glib-4.0-sections.txt:
1998
1999 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2000
2001         [32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
2002         https://bugs.webkit.org/show_bug.cgi?id=187561
2003
2004         Reviewed by Darin Adler.
2005
2006         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
2007         We clean up 32bit put_by_val code.
2008
2009         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
2010         aligns 32bit implementation to 64bit implementation.
2011
2012         2. We add CoW array checking, which is done in 64bit implementation.
2013
2014         * jit/JITPropertyAccess.cpp:
2015         (JSC::JIT::emit_op_put_by_val):
2016         * jit/JITPropertyAccess32_64.cpp:
2017         (JSC::JIT::emit_op_put_by_val):
2018         (JSC::JIT::emitSlow_op_put_by_val):
2019
2020 2018-07-12  Mark Lam  <mark.lam@apple.com>
2021
2022         Need to handle CodeBlock::replacement() being null.
2023         https://bugs.webkit.org/show_bug.cgi?id=187569
2024         <rdar://problem/41468692>
2025
2026         Reviewed by Saam Barati.
2027
2028         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
2029         for this while others do not.  We should add null checks in all the places that
2030         need it.
2031
2032         * bytecode/CodeBlock.cpp:
2033         (JSC::CodeBlock::hasOptimizedReplacement):
2034         (JSC::CodeBlock::jettison):
2035         (JSC::CodeBlock::numberOfDFGCompiles):
2036         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
2037         * dfg/DFGOperations.cpp:
2038         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
2039         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
2040         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
2041         * jit/JITOperations.cpp:
2042
2043 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2044
2045         [JSC] Thread VM& to JSCell::methodTable(VM&)
2046         https://bugs.webkit.org/show_bug.cgi?id=187548
2047
2048         Reviewed by Saam Barati.
2049
2050         This patch threads VM& to methodTable(VM&) and removes methodTable().
2051         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
2052
2053         * API/APICast.h:
2054         (toJS):
2055         * API/JSCallbackObject.h:
2056         * API/JSCallbackObjectFunctions.h:
2057         (JSC::JSCallbackObject<Parent>::className):
2058         * bytecode/CodeBlock.cpp:
2059         (JSC::CodeBlock::estimatedSize):
2060         * bytecode/CodeBlock.h:
2061         * bytecode/UnlinkedCodeBlock.cpp:
2062         (JSC::UnlinkedCodeBlock::estimatedSize):
2063         * bytecode/UnlinkedCodeBlock.h:
2064         * debugger/DebuggerScope.cpp:
2065         (JSC::DebuggerScope::className):
2066         * debugger/DebuggerScope.h:
2067         * heap/Heap.cpp:
2068         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
2069         (JSC::GatherHeapSnapshotData::operator() const):
2070         (JSC::Heap::gatherExtraHeapSnapshotData):
2071         * heap/HeapSnapshotBuilder.cpp:
2072         (JSC::HeapSnapshotBuilder::json):
2073         * runtime/ArrayPrototype.cpp:
2074         (JSC::arrayProtoFuncToString):
2075         * runtime/ClassInfo.h:
2076         * runtime/DirectArguments.cpp:
2077         (JSC::DirectArguments::estimatedSize):
2078         * runtime/DirectArguments.h:
2079         * runtime/HashMapImpl.cpp:
2080         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
2081         * runtime/HashMapImpl.h:
2082         * runtime/JSArrayBuffer.cpp:
2083         (JSC::JSArrayBuffer::estimatedSize):
2084         * runtime/JSArrayBuffer.h:
2085         * runtime/JSBigInt.cpp:
2086         (JSC::JSBigInt::estimatedSize):
2087         * runtime/JSBigInt.h:
2088         * runtime/JSCell.cpp:
2089         (JSC::JSCell::dump const):
2090         (JSC::JSCell::estimatedSizeInBytes const):
2091         (JSC::JSCell::estimatedSize):
2092         (JSC::JSCell::className):
2093         * runtime/JSCell.h:
2094         * runtime/JSCellInlines.h:
2095         * runtime/JSGenericTypedArrayView.h:
2096         * runtime/JSGenericTypedArrayViewInlines.h:
2097         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
2098         * runtime/JSObject.cpp:
2099         (JSC::JSObject::estimatedSize):
2100         (JSC::JSObject::className):
2101         (JSC::JSObject::toStringName):
2102         (JSC::JSObject::calculatedClassName):
2103         * runtime/JSObject.h:
2104         * runtime/JSProxy.cpp:
2105         (JSC::JSProxy::className):
2106         * runtime/JSProxy.h:
2107         * runtime/JSString.cpp:
2108         (JSC::JSString::estimatedSize):
2109         * runtime/JSString.h:
2110         * runtime/RegExp.cpp:
2111         (JSC::RegExp::estimatedSize):
2112         * runtime/RegExp.h:
2113         * runtime/WeakMapImpl.cpp:
2114         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
2115         * runtime/WeakMapImpl.h:
2116
2117 2018-07-11  Commit Queue  <commit-queue@webkit.org>
2118
2119         Unreviewed, rolling out r233714.
2120         https://bugs.webkit.org/show_bug.cgi?id=187579
2121
2122         it made tests time out (Requested by pizlo on #webkit).
2123
2124         Reverted changeset:
2125
2126         "Change the reoptimization backoff base to 1.3 from 2"
2127         https://bugs.webkit.org/show_bug.cgi?id=187540
2128         https://trac.webkit.org/changeset/233714
2129
2130 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2131
2132         [GLIB] Add API to allow creating variadic functions
2133         https://bugs.webkit.org/show_bug.cgi?id=187517
2134
2135         Reviewed by Michael Catanzaro.
2136
2137         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
2138         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
2139
2140         * API/glib/JSCCallbackFunction.cpp:
2141         (JSC::JSCCallbackFunction::create): Make the parameters optional.
2142         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
2143         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
2144         JSCValue for the arguments.
2145         (JSC::JSCCallbackFunction::construct): Ditto.
2146         * API/glib/JSCCallbackFunction.h:
2147         * API/glib/JSCClass.cpp:
2148         (jscClassCreateConstructor): Make the parameters optional.
2149         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
2150         (jscClassAddMethod): Make the parameters optional.
2151         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
2152         * API/glib/JSCClass.h:
2153         * API/glib/JSCValue.cpp:
2154         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
2155         (jscValueFunctionCreate): Make the parameters optional.
2156         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
2157         * API/glib/JSCValue.h:
2158         * API/glib/docs/jsc-glib-4.0-sections.txt:
2159
2160 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2161
2162         [GLIB] Add jsc_context_get_global_object() to GLib API
2163         https://bugs.webkit.org/show_bug.cgi?id=187515
2164
2165         Reviewed by Michael Catanzaro.
2166
2167         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
2168         object. However, getting the global object could be useful in some cases, for example to give it a well known
2169         name like 'window' in browsers and GJS.
2170
2171         * API/glib/JSCContext.cpp:
2172         (jsc_context_get_global_object):
2173         * API/glib/JSCContext.h:
2174         * API/glib/docs/jsc-glib-4.0-sections.txt:
2175
2176 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
2177
2178         [GLIB] Handle G_TYPE_STRV in glib API
2179         https://bugs.webkit.org/show_bug.cgi?id=187512
2180
2181         Reviewed by Michael Catanzaro.
2182
2183         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
2184
2185         * API/glib/JSCContext.cpp:
2186         (jscContextGValueToJSValue):
2187         (jscContextJSValueToGValue):
2188         * API/glib/JSCValue.cpp:
2189         (jsc_value_new_array_from_strv):
2190         * API/glib/JSCValue.h:
2191         * API/glib/docs/jsc-glib-4.0-sections.txt:
2192
2193 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2194
2195         Iterator of Array.keys() returns object in wrong order
2196         https://bugs.webkit.org/show_bug.cgi?id=185197
2197
2198         Reviewed by Keith Miller.
2199
2200         * builtins/ArrayIteratorPrototype.js:
2201         (globalPrivate.arrayIteratorValueNext):
2202         (globalPrivate.arrayIteratorKeyNext):
2203         (globalPrivate.arrayIteratorKeyValueNext):
2204         * builtins/AsyncFromSyncIteratorPrototype.js:
2205         * builtins/AsyncGeneratorPrototype.js:
2206         (globalPrivate.asyncGeneratorResolve):
2207         * builtins/GeneratorPrototype.js:
2208         (globalPrivate.generatorResume):
2209         * builtins/MapIteratorPrototype.js:
2210         (globalPrivate.mapIteratorNext):
2211         * builtins/SetIteratorPrototype.js:
2212         (globalPrivate.setIteratorNext):
2213         * builtins/StringIteratorPrototype.js:
2214         (next):
2215         * runtime/IteratorOperations.cpp:
2216         (JSC::createIteratorResultObjectStructure):
2217         (JSC::createIteratorResultObject):
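
        What "wrong order" means here, as an added example that is not part of WebKit's code: the
        spec's CreateIterResultObject defines "value" before "done", and that order is observable
        through Object.keys, for...in and JSON.stringify. The check below runs the synchronous
        iterator kinds named in the file list (array, map, set, string, generator); the async
        variants are omitted because their results arrive through promises. createIterResultObject()
        is a reference implementation written for this example, not JSC's.

```javascript
// Added example (not WebKit code): property order of iterator result objects.
function iteratorResultKeyOrder(iterator) {
  return Object.keys(iterator.next());
}

// Reference implementation of the spec's CreateIterResultObject: the two
// data properties are created in this exact order, which fixes the key order.
function createIterResultObject(value, done) {
  const obj = {};
  obj.value = value; // defined first
  obj.done = done;   // defined second
  return obj;
}

// Compare every built-in synchronous iterator kind against the reference order.
function checkAllIteratorKinds() {
  function* gen() { yield 1; }
  const iterators = {
    arrayKeys: [1].keys(),
    arrayValues: [1].values(),
    arrayEntries: [1].entries(),
    mapEntries: new Map([[1, 2]]).entries(),
    setValues: new Set([1]).values(),
    stringIterator: 'a'[Symbol.iterator](),
    generator: gen(),
  };
  const expected = Object.keys(createIterResultObject(1, false)).join(',');
  const wrongOrder = [];
  for (const [name, it] of Object.entries(iterators)) {
    if (iteratorResultKeyOrder(it).join(',') !== expected) wrongOrder.push(name);
  }
  return { expected, wrongOrder };
}
```

        On a conforming engine wrongOrder is empty; the bug in this entry would have listed the
        array iterator kinds there, since the property written first ends up first in the key order.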
2218
2219 2018-07-10  Mark Lam  <mark.lam@apple.com>
2220
2221         constructArray() should always allocate the requested length.
2222         https://bugs.webkit.org/show_bug.cgi?id=187543
2223         <rdar://problem/41947884>
2224
2225         Reviewed by Saam Barati.
2226
2227         Currently, it does not when we're having a bad time.  We fix this by switching
2228         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
2229         If we detect that a structure transition is possible before we can initialize
2230         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
2231         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
2232
2233         Also enhanced the DisallowScope and ObjectInitializationScope to support this
2234         eager initialization when needed.
2235
2236         * dfg/DFGOperations.cpp:
2237         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
2238           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
2239           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
2240           generated code, which will appear as a generic null pointer dereference.
2241
2242         * runtime/ArrayPrototype.cpp:
2243         (JSC::concatAppendOne):
2244         - the code here clearly wants to check for an allocation failure.  Switched to
2245           using JSArray::tryCreate() instead of JSArray::create().
2246
2247         * runtime/DisallowScope.h:
2248         (JSC::DisallowScope::disable):
2249         * runtime/JSArray.cpp:
2250         (JSC::JSArray::tryCreateUninitializedRestricted):
2251         (JSC::JSArray::eagerlyInitializeButterfly):
2252         (JSC::constructArray):
2253         * runtime/JSArray.h:
2254         * runtime/ObjectInitializationScope.cpp:
2255         (JSC::ObjectInitializationScope::notifyInitialized):
2256         * runtime/ObjectInitializationScope.h:
2257         (JSC::ObjectInitializationScope::notifyInitialized):
2258
2259 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2260
2261         [JSC] Remove getTypedArrayImpl
2262         https://bugs.webkit.org/show_bug.cgi?id=187338
2263
2264         Reviewed by Mark Lam.
2265
2266         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
2267         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
2268         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
2269
2270         * runtime/ClassInfo.h:
2271         * runtime/GenericTypedArrayView.h:
2272         (JSC::GenericTypedArrayView::data const): Deleted.
2273         (JSC::GenericTypedArrayView::set): Deleted.
2274         (JSC::GenericTypedArrayView::setRange): Deleted.
2275         (JSC::GenericTypedArrayView::zeroRange): Deleted.
2276         (JSC::GenericTypedArrayView::zeroFill): Deleted.
2277         (JSC::GenericTypedArrayView::length const): Deleted.
2278         (JSC::GenericTypedArrayView::item const): Deleted.
2279         (JSC::GenericTypedArrayView::set const): Deleted.
2280         (JSC::GenericTypedArrayView::setNative const): Deleted.
2281         (JSC::GenericTypedArrayView::getRange): Deleted.
2282         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
2283         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
2284         * runtime/JSArrayBufferView.cpp:
2285         (JSC::JSArrayBufferView::possiblySharedImpl):
2286         * runtime/JSArrayBufferView.h:
2287         * runtime/JSArrayBufferViewInlines.h:
2288         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
2289         * runtime/JSCell.cpp:
2290         (JSC::JSCell::getTypedArrayImpl): Deleted.
2291         * runtime/JSCell.h:
2292         * runtime/JSDataView.cpp:
2293         (JSC::JSDataView::getTypedArrayImpl): Deleted.
2294         * runtime/JSDataView.h:
2295         * runtime/JSGenericTypedArrayView.h:
2296         * runtime/JSGenericTypedArrayViewInlines.h:
2297         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
2298
2299 2018-07-10  Keith Miller  <keith_miller@apple.com>
2300
2301         hasOwnProperty returns true for out of bounds property index on TypedArray
2302         https://bugs.webkit.org/show_bug.cgi?id=187520
2303
2304         Reviewed by Saam Barati.
2305
2306         * runtime/JSGenericTypedArrayViewInlines.h:
2307         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
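
        The property-lookup contract this entry restores, as an added example that is not part of
        WebKit's code: a TypedArray is an integer-indexed exotic object, so for a canonical numeric
        key [[GetOwnProperty]] answers purely from the index range and never falls through to an
        ordinary property lookup. An out-of-bounds index must therefore report false, and an
        out-of-bounds write must not create an expando property. The probe keys are constructed
        for this example.

```javascript
// Added example (not WebKit code): own-property reporting on a TypedArray.
// Returns, for a few constructed probe keys, what hasOwnProperty reports.
function typedArrayOwnPropertyReport(ta) {
  const probes = [
    '0',                      // first valid index
    String(ta.length - 1),    // last valid index
    String(ta.length),        // one past the end: must be false
    String(ta.length + 1),    // further out of bounds: must be false
    '-1',                     // canonical numeric key that is not a valid index
    'length',                 // accessor on the prototype, so not an own property
  ];
  const report = {};
  for (const key of probes) {
    report[key] = Object.prototype.hasOwnProperty.call(ta, key);
  }
  return report;
}

// Writing past the end of a TypedArray is dropped rather than stored, so the
// key still is not an own property afterwards and reads back as undefined.
function outOfBoundsWriteCreatesNoProperty(ta) {
  ta[ta.length] = 7;
  return !Object.prototype.hasOwnProperty.call(ta, ta.length) && ta[ta.length] === undefined;
}
```

        The report for new Uint8Array(4) is true only for "0" and "3"; every other probe, including
        "length", is false. Code that trusts hasOwnProperty to decide whether an index is readable
        would, under the bug this entry fixes, have been told that an out-of-range element exists.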
2308
2309 2018-07-10  Michael Saboff  <msaboff@apple.com>
2310
2311         DFG JIT: compileMathIC produces incorrect machine code
2312         https://bugs.webkit.org/show_bug.cgi?id=187537
2313
2314         Reviewed by Saam Barati.
2315
2316         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
2317         fall back to the fast path generator which handles such cases.
2318
2319         * jit/JITMulGenerator.cpp:
2320         (JSC::JITMulGenerator::generateInline):
2321
2322 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
2323
2324         Change the reoptimization backoff base to 1.3 from 2
2325         https://bugs.webkit.org/show_bug.cgi?id=187540
2326
2327         Reviewed by Saam Barati.
2328         
2329         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
2330         
2331         I also have data that hints that a backoff base of 1 might be even better, but I think that
2332         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
2333
2334         * bytecode/CodeBlock.cpp:
2335         (JSC::CodeBlock::reoptimizationRetryCounter const):
2336         (JSC::CodeBlock::countReoptimization):
2337         (JSC::CodeBlock::adjustedCounterValue):
2338         * runtime/Options.cpp:
2339         (JSC::recomputeDependentOptions):
2340         * runtime/Options.h:
2341
2342 2018-07-10  Mark Lam  <mark.lam@apple.com>
2343
2344         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
2345         https://bugs.webkit.org/show_bug.cgi?id=187362
2346         <rdar://problem/42027210>
2347
2348         Reviewed by Saam Barati.
2349
2350         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
2351         value to use for initializing unused properties.  Updated an assertion to account
2352         for this.
2353
2354         * runtime/ObjectInitializationScope.cpp:
2355         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
2356
2357 2018-07-10  Michael Saboff  <msaboff@apple.com>
2358
2359         YARR: . doesn't match non-BMP Unicode characters in some cases
2360         https://bugs.webkit.org/show_bug.cgi?id=187248
2361
2362         Reviewed by Geoffrey Garen.
2363
2364         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
2365         characters did not take into account that the character class is inverted.  In this case, we
2366         represent '.' as "not a newline" using the newline character class with an inverted check.
2367         Clearly that includes non-BMP characters.
2368
2369         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
2370         inverted use of that character class.
2371
2372         * yarr/YarrJIT.cpp:
2373         (JSC::Yarr::YarrGenerator::optimizeAlternative):
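
        What "." is required to match, as an added example that is not part of WebKit's code: the
        entry describes "." as the inverted newline class, and in unicode mode that class covers
        every code point including non-BMP ones. The report below compares the unicode-mode dot
        against an explicit negated line-terminator class, and against non-unicode mode, which
        operates on UTF-16 code units and therefore cannot match a surrogate pair with a single dot.
        The sample strings are constructed for this example.

```javascript
// Added example (not WebKit code): "." versus an explicit negated newline class.
const LINE_TERMINATORS = ['\n', '\r', '\u2028', '\u2029'];

// For one sample string, report whether the whole string is a single "." match
// in unicode mode, under the equivalent explicit class, and in legacy mode.
function dotMatchReport(sample) {
  return {
    sample,
    codeUnits: sample.length,                               // 2 for a non-BMP character
    unicodeDot: /^.$/u.test(sample),                        // "." in /u mode: one code point
    explicitClass: /^[^\n\r\u2028\u2029]$/u.test(sample),   // "not a newline", spelled out
    legacyDot: /^.$/.test(sample),                          // no /u: one code unit only
  };
}

// The unicode-mode dot and the explicit inverted class must agree on every sample.
function checkDotAgainstExplicitClass(samples) {
  return samples.every((s) => {
    const r = dotMatchReport(s);
    return r.unicodeDot === r.explicitClass;
  });
}

// Constructed samples: ASCII, Latin-1, BMP CJK, two non-BMP code points, and the terminators.
const SAMPLES = ['a', '\u00e9', '\u4e2d', '\u{1F600}', '\u{10FFFF}', ...LINE_TERMINATORS];
```

        For '\u{1F600}' the report shows unicodeDot and explicitClass true but legacyDot false,
        because without /u the dot consumes only the high surrogate. An engine with the bug this
        entry fixes would have returned false for unicodeDot on the non-BMP samples while the
        explicit class still matched, which is exactly the disagreement checkDotAgainstExplicitClass
        detects.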
2374
2375 2018-07-09  Mark Lam  <mark.lam@apple.com>
2376
2377         Add --traceLLIntExecution and --traceLLIntSlowPath options.
2378         https://bugs.webkit.org/show_bug.cgi?id=187479
2379
2380         Reviewed by Yusuke Suzuki and Saam Barati.
2381
2382         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
2383
2384         The details:
2385         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
2386         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
2387            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
2388            continually spammed with logging until we rebuild.
2389         3. Fixed slow path LLINT tracing to work with exception check validation.
2390
2391         * llint/LLIntCommon.h:
2392         * llint/LLIntExceptions.cpp:
2393         (JSC::LLInt::returnToThrow):
2394         (JSC::LLInt::callToThrow):
2395         * llint/LLIntOfflineAsmConfig.h:
2396         * llint/LLIntSlowPaths.cpp:
2397         (JSC::LLInt::slowPathLog):
2398         (JSC::LLInt::slowPathLn):
2399         (JSC::LLInt::slowPathLogF):
2400         (JSC::LLInt::slowPathLogLn):
2401         (JSC::LLInt::llint_trace_operand):
2402         (JSC::LLInt::llint_trace_value):
2403         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2404         (JSC::LLInt::traceFunctionPrologue):
2405         (JSC::LLInt::handleHostCall):
2406         (JSC::LLInt::setUpCall):
2407         * llint/LLIntSlowPaths.h:
2408         * llint/LowLevelInterpreter.asm:
2409         * runtime/CommonSlowPathsExceptions.cpp:
2410         (JSC::CommonSlowPaths::interpreterThrowInCaller):
2411         * runtime/Options.cpp:
2412         (JSC::Options::isAvailable):
2413         * runtime/Options.h:
2414
2415 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2416
2417         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
2418         https://bugs.webkit.org/show_bug.cgi?id=187477
2419
2420         Reviewed by Mark Lam.
2421
2422         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
2423         However, it is not necessary since JSCells can reside in a constant buffer.
2424         This patch embeds RegExp* to a constant buffer in UnlinkedCodeBlock and CodeBlock. And removes RegExp
2425         vector from RareData.
2426
2427         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
2428
2429         * bytecode/BytecodeDumper.cpp:
2430         (JSC::BytecodeDumper<Block>::dumpBytecode):
2431         (JSC::BytecodeDumper<Block>::dumpBlock):
2432         (JSC::regexpToSourceString): Deleted.
2433         (JSC::regexpName): Deleted.
2434         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
2435         * bytecode/BytecodeDumper.h:
2436         * bytecode/CodeBlock.h:
2437         (JSC::CodeBlock::regexp const): Deleted.
2438         (JSC::CodeBlock::numberOfRegExps const): Deleted.
2439         * bytecode/UnlinkedCodeBlock.cpp:
2440         (JSC::UnlinkedCodeBlock::visitChildren):
2441         (JSC::UnlinkedCodeBlock::shrinkToFit):
2442         * bytecode/UnlinkedCodeBlock.h:
2443         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
2444         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
2445         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
2446         * bytecompiler/BytecodeGenerator.cpp:
2447         (JSC::BytecodeGenerator::emitNewRegExp):
2448         (JSC::BytecodeGenerator::addRegExp): Deleted.
2449         * bytecompiler/BytecodeGenerator.h:
2450         * dfg/DFGByteCodeParser.cpp:
2451         (JSC::DFG::ByteCodeParser::parseBlock):
2452         * jit/JITOpcodes.cpp:
2453         (JSC::JIT::emit_op_new_regexp):
2454         * llint/LLIntSlowPaths.cpp:
2455         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2456         * runtime/JSCJSValue.cpp:
2457         (JSC::JSValue::dumpInContextAssumingStructure const):
2458         * runtime/RegExp.cpp:
2459         (JSC::regexpToSourceString):
2460         (JSC::RegExp::dumpToStream):
2461         * runtime/RegExp.h:
2462
2463 2018-07-09  Brian Burg  <bburg@apple.com>
2464
2465         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
2466         https://bugs.webkit.org/show_bug.cgi?id=187350
2467         <rdar://problem/41728249>
2468
2469         Reviewed by Matt Baker.
2470
2471         Add a new command that toggles whether or not to blackbox internal scripts.
2472         If blackboxed, the scripts will not be shown to the frontend and the debugger will
2473         not pause in source frames from blackboxed scripts. Sometimes we want to break into
2474         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
2475         that injects scripts.
2476
2477         * inspector/agents/InspectorDebuggerAgent.cpp:
2478         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2479         (Inspector::InspectorDebuggerAgent::didParseSource):
2480         * inspector/agents/InspectorDebuggerAgent.h:
2481         * inspector/protocol/Debugger.json:
2482
2483 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2484
2485         [JSC] Make some data members of UnlinkedCodeBlock private
2486         https://bugs.webkit.org/show_bug.cgi?id=187467
2487
2488         Reviewed by Mark Lam.
2489
2490         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
2491         We also remove m_numCapturedVars since it is no longer used.
2492
2493         * bytecode/CodeBlock.cpp:
2494         (JSC::CodeBlock::CodeBlock):
2495         * bytecode/CodeBlock.h:
2496         * bytecode/UnlinkedCodeBlock.cpp:
2497         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2498         * bytecode/UnlinkedCodeBlock.h:
2499
2500 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2501
2502         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
2503         https://bugs.webkit.org/show_bug.cgi?id=187465
2504
2505         Reviewed by Keith Miller.
2506
2507         ProxyableAccessCase is allocated so frequently and it is persisted so long. Reducing the size
2508         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
2509
2510         This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add unused bool member
2511         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
2512         of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
2513         from 104 to 96 since it inherits ProxyableAccessCase.
2514
2515         * bytecode/AccessCase.h:
2516         (JSC::AccessCase::viaProxy const):
2517         (JSC::AccessCase::AccessCase):
2518         * bytecode/ProxyableAccessCase.cpp:
2519         (JSC::ProxyableAccessCase::ProxyableAccessCase):
2520         * bytecode/ProxyableAccessCase.h:
2521
2522 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2523
2524         Unreviewed, build fix for debug builds after r233630
2525         https://bugs.webkit.org/show_bug.cgi?id=187441
2526
2527         * jit/JIT.cpp:
2528         (JSC::JIT::frameRegisterCountFor):
2529         * llint/LLIntEntrypoint.cpp:
2530         (JSC::LLInt::frameRegisterCountFor):
2531
2532 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2533
2534         [JSC] Optimize layout of CodeBlock to reduce padding
2535         https://bugs.webkit.org/show_bug.cgi?id=187441
2536
2537         Reviewed by Mark Lam.
2538
2539         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
2540         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
2541         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
2542
2543         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
2544
2545         * bytecode/BytecodeDumper.cpp:
2546         (JSC::BytecodeDumper<Block>::dumpBlock):
2547         * bytecode/BytecodeUseDef.h:
2548         (JSC::computeDefsForBytecodeOffset):
2549         * bytecode/CodeBlock.cpp:
2550         (JSC::CodeBlock::CodeBlock):
2551         * bytecode/CodeBlock.h:
2552         (JSC::CodeBlock::numVars const):
2553         * bytecode/UnlinkedCodeBlock.h:
2554         (JSC::UnlinkedCodeBlock::numVars const):
2555         * dfg/DFGByteCodeParser.cpp:
2556         (JSC::DFG::ByteCodeParser::ByteCodeParser):
2557         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
2558         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2559         (JSC::DFG::ByteCodeParser::inlineCall):
2560         (JSC::DFG::ByteCodeParser::handleGetById):
2561         (JSC::DFG::ByteCodeParser::handlePutById):
2562         (JSC::DFG::ByteCodeParser::parseBlock):
2563         * dfg/DFGGraph.h:
2564         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
2565         * dfg/DFGOSREntrypointCreationPhase.cpp:
2566         (JSC::DFG::OSREntrypointCreationPhase::run):
2567         * dfg/DFGVariableEventStream.cpp:
2568         (JSC::DFG::VariableEventStream::reconstruct const):
2569         * ftl/FTLOSREntry.cpp:
2570         (JSC::FTL::prepareOSREntry):
2571         * ftl/FTLState.cpp:
2572         (JSC::FTL::State::State):
2573         * interpreter/Interpreter.cpp:
2574         (JSC::Interpreter::dumpRegisters):
2575         * jit/JIT.cpp:
2576         (JSC::JIT::frameRegisterCountFor):
2577         * jit/JITOpcodes.cpp:
2578         (JSC::JIT::emit_op_enter):
2579         * jit/JITOpcodes32_64.cpp:
2580         (JSC::JIT::emit_op_enter):
2581         * jit/JITOperations.cpp:
2582         * llint/LLIntEntrypoint.cpp:
2583         (JSC::LLInt::frameRegisterCountFor):
2584         * llint/LLIntSlowPaths.cpp:
2585         (JSC::LLInt::traceFunctionPrologue):
2586         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2587         * runtime/JSCJSValue.h:
2588
2589 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2590
2591         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
2592         https://bugs.webkit.org/show_bug.cgi?id=187448
2593
2594         Reviewed by Saam Barati.
2595
2596         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
2597         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
2598
2599         * bytecode/CodeType.h:
2600         * bytecode/UnlinkedCodeBlock.cpp:
2601         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2602         * bytecode/UnlinkedCodeBlock.h:
2603         (JSC::UnlinkedCodeBlock::codeType const):
2604         (JSC::UnlinkedCodeBlock::didOptimize const):
2605         (JSC::UnlinkedCodeBlock::setDidOptimize):
2606         * bytecode/VirtualRegister.h:
2607
2608 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2609
2610         [JSC] Optimize padding of InferredTypeTable by using cellLock
2611         https://bugs.webkit.org/show_bug.cgi?id=187447
2612
2613         Reviewed by Mark Lam.
2614
2615         Use cellLock() in InferredTypeTable to guard changes of internal structures.
2616         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
2617         reduce the size of InferredTypeTable from 40 to 32.
2618
2619         * runtime/InferredTypeTable.cpp:
2620         (JSC::InferredTypeTable::visitChildren):
2621         (JSC::InferredTypeTable::get):
2622         (JSC::InferredTypeTable::willStoreValue):
2623         (JSC::InferredTypeTable::makeTop):
2624         * runtime/InferredTypeTable.h:
2625         Use enum class and using, and remove `isEmpty()` since it is not used.
2626
2627         * runtime/Structure.h:
2628
2629 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2630
2631         [JSC] Optimize layout of SourceProvider to reduce padding
2632         https://bugs.webkit.org/show_bug.cgi?id=187440
2633
2634         Reviewed by Mark Lam.
2635
2636         Arrange members of SourceProvider to reduce the size from 80 to 72.
2637
2638         * parser/SourceProvider.cpp:
2639         (JSC::SourceProvider::SourceProvider):
2640         * parser/SourceProvider.h:
2641
2642 2018-07-08  Mark Lam  <mark.lam@apple.com>
2643
2644         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
2645         https://bugs.webkit.org/show_bug.cgi?id=187444
2646         <rdar://problem/41282849>
2647
2648         Reviewed by Saam Barati.
2649
2650         PropertyTable supports C++ iteration by offering begin() and end() methods, and
2651         an iterator class.  The begin() methods and the iterator operator++() method use
2652         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
2653         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
2654         pointer from being incremented past the end of the table.  As a result, we can
2655         iterate past the end of the table.  Note that the C++ iteration protocol tests
2656         for the iterator not being equal to the end() value.  It does not do a <= test.
2657         If the iterator ever shoots past end, the loop will effectively not terminate.
2658
2659         This issue can manifest if and only if the last entry in the table is a deleted
2660         one, and the key field of the PropertyMapEntry shaped space at the end of the
2661         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
2662         value.
2663
2664         No test because manifesting this issue requires uncontrollable happenstance where
2665         memory just beyond the end of the table looks like a deleted entry.
2666
2667         * runtime/PropertyMapHashTable.h:
2668         (JSC::PropertyTable::begin):
2669         (JSC::PropertyTable::end):
2670         (JSC::PropertyTable::begin const):
2671         (JSC::PropertyTable::end const):
2672         (JSC::PropertyTable::skipDeletedEntries):
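
The iteration hazard described in this entry, as an added example that is not JSC's own code: a constructed, simplified model of a PropertyMapEntry table in which a deleted slot is marked by the key value 1 (standing in for PROPERTY_MAP_DELETED_ENTRY_KEY). The unbounded skip reproduces the pre-patch behaviour, the bounded skip the fix. The table is built with one extra slot past `end` that happens to read as "deleted", plus a terminator, purely so the unbounded variant can be shown overshooting without reading outside the vector; the names `Entry`, `skipDeletedEntriesUnbounded`, `skipDeletedEntriesBounded` and `countLiveEntries` are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for PROPERTY_MAP_DELETED_ENTRY_KEY.
static const uintptr_t kDeletedEntryKey = 1;

// Constructed, simplified PropertyMapEntry: only the key matters for skipping.
struct Entry {
    uintptr_t key;   // 0: unused/terminator in this example, 1: deleted, otherwise live
    unsigned offset;
};

// Pre-patch shape of the skip: no bound, so if the slot just past `end`
// contains 1 the pointer walks beyond the table.
Entry* skipDeletedEntriesUnbounded(Entry* valuePtr)
{
    while (valuePtr->key == kDeletedEntryKey)
        ++valuePtr;
    return valuePtr;
}

// Post-patch shape: never advance past `end`, so begin() and operator++()
// land exactly on end when the tail of the table consists of deleted entries.
Entry* skipDeletedEntriesBounded(Entry* valuePtr, Entry* endValuePtr)
{
    while (valuePtr < endValuePtr && valuePtr->key == kDeletedEntryKey)
        ++valuePtr;
    return valuePtr;
}

// C++-style iteration (it != end) over the live entries using the bounded skip.
size_t countLiveEntries(Entry* begin, Entry* end)
{
    size_t count = 0;
    for (Entry* it = skipDeletedEntriesBounded(begin, end); it != end;
         it = skipDeletedEntriesBounded(it + 1, end))
        ++count;
    return count;
}

// Constructed table: four real entries, the last one deleted, followed by an
// out-of-table slot that looks deleted and a terminator (key 0). Only the first
// four slots are "the table"; the rest model the memory beyond it.
std::vector<Entry> makeTableWithDeletedTail()
{
    return {
        { 42, 0 },                 // live
        { kDeletedEntryKey, 1 },   // deleted
        { 77, 2 },                 // live
        { kDeletedEntryKey, 3 },   // deleted; last real entry
        { kDeletedEntryKey, 0 },   // beyond end: happens to read as "deleted"
        { 0, 0 },                  // terminator so the unbounded loop halts
    };
}

// How many slots past `end` the unbounded skip lands when started at the last
// real entry: 1 for this table (it steps through the look-alike slot).
ptrdiff_t overshootOfUnboundedSkip()
{
    std::vector<Entry> table = makeTableWithDeletedTail();
    Entry* begin = table.data();
    Entry* end = begin + 4;
    return skipDeletedEntriesUnbounded(begin + 3) - end;
}

// The bounded skip started at the same position returns exactly end.
bool boundedSkipStopsAtEnd()
{
    std::vector<Entry> table = makeTableWithDeletedTail();
    Entry* begin = table.data();
    Entry* end = begin + 4;
    return skipDeletedEntriesBounded(begin + 3, end) == end;
}

// Live entries in the constructed table: 2.
size_t liveEntriesInExampleTable()
{
    std::vector<Entry> table = makeTableWithDeletedTail();
    return countLiveEntries(table.data(), table.data() + 4);
}

int main()
{
    std::printf("unbounded overshoot: %td slot(s)\n", overshootOfUnboundedSkip());
    std::printf("bounded stops at end: %s\n", boundedSkipStopsAtEnd() ? "yes" : "no");
    std::printf("live entries: %zu\n", liveEntriesInExampleTable());
    return 0;
}
```

The point the bounded variant makes is the one the entry relies on: because the loop condition is `it != end` rather than `it <= end`, the skip helper is the only place that can keep the iterator from overshooting, so the bound has to live there.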
2673
2674 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2675
2676         [JSC] Optimize layout of SymbolTable to reduce padding
2677         https://bugs.webkit.org/show_bug.cgi?id=187437
2678
2679         Reviewed by Mark Lam.
2680
2681         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
2682
2683         * runtime/SymbolTable.h:
2684
2685 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2686
2687         [JSC] Optimize layout of RegExp to reduce padding
2688         https://bugs.webkit.org/show_bug.cgi?id=187438
2689
2690         Reviewed by Mark Lam.
2691
2692         Reduce the size of RegExp from 168 to 144.
2693
2694         * runtime/RegExp.cpp:
2695         (JSC::RegExp::RegExp):
2696         * runtime/RegExp.h:
2697         * runtime/RegExpKey.h:
2698         * yarr/YarrErrorCode.h:
2699
2700 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2701
2702         [JSC] Optimize layout of ValueProfile to reduce padding
2703         https://bugs.webkit.org/show_bug.cgi?id=187439
2704
2705         Reviewed by Mark Lam.
2706
2707         Reduce the size of ValueProfile from 40 to 32 by reordering members.
2708
2709         * bytecode/ValueProfile.h:
2710         (JSC::ValueProfileBase::ValueProfileBase):
2711
2712 2018-07-05  Saam Barati  <sbarati@apple.com>
2713
2714         ProgramExecutable may be collected as we checkSyntax on it
2715         https://bugs.webkit.org/show_bug.cgi?id=187359
2716         <rdar://problem/41832135>
2717
2718         Reviewed by Mark Lam.
2719
2720         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable
2721         while the ProgramExecutable itself may be collected. The fix here is to make a copy
2722         of the field instead of passing in a reference inside of ParserError::toErrorObject.
2723         
2724         No new tests here as this was already caught by our iOS JSC testers.
2725
2726         * parser/ParserError.h:
2727         (JSC::ParserError::toErrorObject):
2728
2729 2018-07-04  Tim Horton  <timothy_horton@apple.com>
2730
2731         Introduce PLATFORM(IOSMAC)
2732         https://bugs.webkit.org/show_bug.cgi?id=187315
2733
2734         Reviewed by Dan Bernstein.
2735
2736         * Configurations/Base.xcconfig:
2737         * Configurations/FeatureDefines.xcconfig:
2738
2739 2018-07-03  Mark Lam  <mark.lam@apple.com>
2740
2741         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
2742         https://bugs.webkit.org/show_bug.cgi?id=187255
2743         <rdar://problem/41785257>
2744
2745         Reviewed by Saam Barati.
2746
2747         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
2748         too: basically, do what the 64-bit code is doing.  At present, this change only
2749         serves to pacify an assertion.  It is not needed for correctness because the
2750         concurrent GC is not used on 32-bit builds.
2751
2752         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
2753         test.
2754
2755         * jit/JITOpcodes32_64.cpp:
2756         (JSC::JIT::emit_op_create_this):
2757
2758 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2759
2760         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
2761         https://bugs.webkit.org/show_bug.cgi?id=187290
2762
2763         Reviewed by Saam Barati.
2764
2765         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
2766         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
2767         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
2768         easily calculated from JSType.
2769         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
2770
2771         * runtime/ClassInfo.h:
2772         * runtime/JSArrayBufferView.cpp:
2773         (JSC::elementSize):
2774         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
2775         * runtime/JSArrayBufferView.h:
2776         * runtime/JSArrayBufferViewInlines.h:
2777         (JSC::JSArrayBufferView::possiblySharedBuffer):
2778         * runtime/JSCell.cpp:
2779         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
2780         * runtime/JSCell.h:
2781         * runtime/JSDataView.cpp:
2782         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
2783         * runtime/JSDataView.h:
2784         * runtime/JSGenericTypedArrayView.h:
2785         * runtime/JSGenericTypedArrayViewInlines.h:
2786         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
2787
2788 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2789
2790         Regular expressions with ".?" expressions at the start and the end match the entire string
2791         https://bugs.webkit.org/show_bug.cgi?id=119191
2792
2793         Reviewed by Michael Saboff.
2794
2795         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
2796         for "abc" first and then processing the leading and trailing dot stars
2797         to find the beginning and the end of the match. However, it erroneously
2798         enabled this optimization for regular expressions whose leading or
2799         trailing dots had quantifiers that were not of arbitrary length, e.g.,
2800         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
2801         match the entire string when it shouldn't. This patch disables the
2802         optimization for those cases.
2803
2804         * yarr/YarrPattern.cpp:
2805         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
2806
2807 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
2808
2809         RegExp.exec returns wrong value with a long integer quantifier
2810         https://bugs.webkit.org/show_bug.cgi?id=187042
2811
2812         Reviewed by Saam Barati.
2813
2814         Prior to this patch, the Yarr parser checked for integer overflow when
2815         parsing quantifiers in regular expressions by adding one digit at a time
2816         to a number and checking if the result got larger. This is wrong:
2817         the parser would fail to detect overflow when parsing, for example,
2818         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
2819
2820         Another issue was that once it detected overflow, it stopped consuming
2821         the remaining digits. Since it didn't find the closing bracket, it
2822         parsed the quantifier as a normal string instead.
2823
2824         This patch fixes these issues by reading all the digits and checking for
2825         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
2826         returns the largest possible value (quantifyInfinite in this case). This
2827         matches Chrome [1], Firefox [2], and Edge [3].
2828
2829         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
2830         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
2831         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
2832
2833         * yarr/YarrParser.h:
2834         (JSC::Yarr::Parser::consumeNumber):
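
The two parsing strategies contrasted in this entry, as an added example that is not the Yarr parser's code: `consumeNumberCompareWithPrevious` follows the pre-patch idea (accumulate a digit, treat a result that did not grow as overflow, stop consuming), and `consumeNumberChecked` follows the fix (consume every digit, detect overflow with a check that cannot wrap, saturate). WTF's Checked<unsigned, RecordOverflow> is not available stand-alone, so the checked variant uses a portable pre-multiplication bound instead; `quantifyInfinite` is modelled as the largest unsigned value, and `parseBraceQuantifier` is this example's own helper showing why stopping early makes the `{n}` quantifier fall back to literal text.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>
#include <string>

// Constructed stand-in for quantifyInfinite: the largest value a quantifier can hold.
static const unsigned quantifyInfinite = std::numeric_limits<unsigned>::max();

struct NumberParse {
    unsigned value;     // parsed value (saturated to quantifyInfinite by the checked variant)
    bool overflowed;    // whether the digits exceeded an unsigned
    size_t consumed;    // number of digit characters consumed
};

static bool isDigit(char c) { return c >= '0' && c <= '9'; }

// Pre-patch idea: detect overflow by checking whether the result stopped growing,
// and stop consuming as soon as overflow is detected. Unsigned wrap-around means
// a wrapped result can still be larger than the previous one, so this misses cases.
NumberParse consumeNumberCompareWithPrevious(const std::string& s, size_t pos)
{
    unsigned n = 0;
    bool overflowed = false;
    size_t i = pos;
    while (i < s.size() && isDigit(s[i])) {
        unsigned next = n * 10 + static_cast<unsigned>(s[i] - '0'); // wraps mod 2^32
        if (next < n) {
            overflowed = true;
            break;                // remaining digits are left unconsumed
        }
        n = next;
        ++i;
    }
    return { n, overflowed, i - pos };
}

// Post-patch approach: check before multiplying so nothing can wrap, keep
// consuming every digit so the closing brace is still found, then saturate.
NumberParse consumeNumberChecked(const std::string& s, size_t pos)
{
    unsigned n = 0;
    bool overflowed = false;
    size_t i = pos;
    while (i < s.size() && isDigit(s[i])) {
        unsigned digit = static_cast<unsigned>(s[i] - '0');
        // n * 10 + digit fits in an unsigned iff n <= (UINT_MAX - digit) / 10.
        if (n > (std::numeric_limits<unsigned>::max() - digit) / 10)
            overflowed = true;
        else
            n = n * 10 + digit;
        ++i;
    }
    if (overflowed)
        n = quantifyInfinite;
    return { n, overflowed, i - pos };
}

// Constructed helper: parse "{digits}" starting at pos. Returns false when the
// closing brace is not found right after the consumed digits, which is the case
// in which a regular-expression parser treats the text as a literal instead.
bool parseBraceQuantifier(const std::string& s, size_t pos, bool useChecked, unsigned& count)
{
    if (pos >= s.size() || s[pos] != '{')
        return false;
    NumberParse p = useChecked ? consumeNumberChecked(s, pos + 1)
                               : consumeNumberCompareWithPrevious(s, pos + 1);
    if (p.consumed == 0)
        return false;
    size_t after = pos + 1 + p.consumed;
    if (after >= s.size() || s[after] != '}')
        return false;
    count = p.value;
    return true;
}

int main()
{
    NumberParse a = consumeNumberCompareWithPrevious("10000000003", 0);
    NumberParse b = consumeNumberChecked("10000000003", 0);
    std::printf("compare-with-previous: value=%u overflowed=%d consumed=%zu\n", a.value, a.overflowed, a.consumed);
    std::printf("checked:               value=%u overflowed=%d consumed=%zu\n", b.value, b.overflowed, b.consumed);
    unsigned c = 0;
    std::printf("{4294967296} old parse finds brace: %d\n", parseBraceQuantifier("a{4294967296}", 1, false, c));
    std::printf("{4294967296} new parse finds brace: %d\n", parseBraceQuantifier("a{4294967296}", 1, true, c));
    return 0;
}
```

On the entry's own input, 10000000003, the compare-with-previous check accepts 1410065411 as a valid count; on 4294967296 it detects the wrap but stops one digit early, so the `}` is never reached. The checked variant handles both and agrees with the saturating behaviour the entry describes.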
2835
2836 2018-07-02  Keith Miller  <keith_miller@apple.com>
2837
2838         InstanceOf IC should do generic if the prototype is not an object.
2839         https://bugs.webkit.org/show_bug.cgi?id=187250
2840
2841         Reviewed by Mark Lam.
2842
2843         The old code was wrong for two reasons. First, the AccessCase expected that
2844         the prototype value would be non-null. Second, we would end up returning
2845         false instead of throwing an exception.
2846
2847         * jit/Repatch.cpp:
2848         (JSC::tryCacheInstanceOf):
2849
2850 2018-07-01  Mark Lam  <mark.lam@apple.com>
2851
2852         Builtins and host functions should get their own structures.
2853         https://bugs.webkit.org/show_bug.cgi?id=187211
2854         <rdar://problem/41646336>
2855
2856         Reviewed by Saam Barati.
2857
2858         JSFunctions do lazy reification of properties, but ordinary functions apply
2859         different rules of property reification than builtin and host functions.  Hence,
2860         we should give builtins and host functions their own structures.
2861
2862         * runtime/JSFunction.cpp:
2863         (JSC::JSFunction::selectStructureForNewFuncExp):
2864         (JSC::JSFunction::create):
2865         (JSC::JSFunction::getOwnPropertySlot):
2866         * runtime/JSGlobalObject.cpp:
2867         (JSC::JSGlobalObject::init):
2868         (JSC::JSGlobalObject::visitChildren):
2869         * runtime/JSGlobalObject.h:
2870         (JSC::JSGlobalObject::hostFunctionStructure const):
2871         (JSC::JSGlobalObject::arrowFunctionStructure const):
2872         (JSC::JSGlobalObject::sloppyFunctionStructure const):
2873         (JSC::JSGlobalObject::strictFunctionStructure const):
2874
2875 2018-07-01  David Kilzer  <ddkilzer@apple.com>
2876
2877         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
2878         <https://webkit.org/b/187233>
2879
2880         Reviewed by Mark Lam.
2881
2882         * b3/air/AirEliminateDeadCode.cpp:
2883         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
2884         * parser/ParserTokens.h:
2885         (JSC::JSTextPosition::JSTextPosition): Add struct member
2886         initialization. Simplify default constructor.
2887         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
2888         union to the beginning to make it easy to zero out all fields.
2889         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
2890         initialization.  Simplify default constructor.  Note that
2891         `endOffset` was not being initialized previously.
2892         (JSC::JSTextPosition::JSToken): Add struct member initialization
2893         where necessary.
2894         * runtime/IntlObject.cpp:
2895         (JSC::MatcherResult): Add struct member initialization.
2896
2897 2018-06-23  Darin Adler  <darin@apple.com>
2898
2899         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
2900         https://bugs.webkit.org/show_bug.cgi?id=186973
2901
2902         Reviewed by Dan Bernstein.
2903
2904         * API/JSContext.mm:
2905         (WeakContextRef::WeakContextRef): Deleted.
2906         (WeakContextRef::~WeakContextRef): Deleted.
2907         (WeakContextRef::get): Deleted.
2908         (WeakContextRef::set): Deleted.
2909
2910         * API/JSContextInternal.h: Removed unneeded header guards since this is
2911         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
2912         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
2913         since neither is used outside the class implementation.
2914
2915         * API/JSManagedValue.mm:
2916         (-[JSManagedValue initWithValue:]): Use a bridging cast.
2917         (-[JSManagedValue dealloc]): Ditto.
2918         (-[JSManagedValue didAddOwner:]): Ditto.
2919         (-[JSManagedValue didRemoveOwner:]): Ditto.
2920         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
2921         (JSManagedValueHandleOwner::finalize): Ditto.
2922         * API/JSValue.mm:
2923         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
2924         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
2925         (-[JSValue valueForProperty:]): Ditto.
2926         (-[JSValue setValue:forProperty:]): Ditto.
2927         (-[JSValue deleteProperty:]): Ditto.
2928         (-[JSValue hasProperty:]): Ditto.
2929         (-[JSValue invokeMethod:withArguments:]): Ditto.
2930         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
2931         (valueToArray): Ditto.
2932         (valueToDictionary): Ditto.
2933         (objectToValueWithoutCopy): Ditto.
2934         (objectToValue): Ditto.
2935         * API/JSVirtualMachine.mm:
2936         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
2937         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
2938         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
2939         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
2940         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
2941         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
2942         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
2943         (scanExternalObjectGraph): Ditto.
2944         (scanExternalRememberedSet): Ditto.
2945         * API/JSWrapperMap.mm:
2946         (makeWrapper): Ditto.
2947         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
2948         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
2949         (tryUnwrapObjcObject): Ditto.
2950         * API/ObjCCallbackFunction.mm:
2951         (blockSignatureContainsClass): Ditto.
2952         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
2953         sure we will be keeping this the same way under ARC.
2954         (objCCallbackFunctionForBlock): Use a bridging cast.
2955
2956         * API/ObjcRuntimeExtras.h:
2957         (protocolImplementsProtocol): Use a more specific type that includes the
2958         explicit __unsafe_unretained for copied protocol lists.
2959         (forEachProtocolImplementingProtocol): Ditto.
2960
2961         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2962         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
2963         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
2964
2965         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
2966         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
2967         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
2968         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
2969         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
2970
2971 2018-06-30  Adam Barth  <abarth@webkit.org>
2972
2973         Port JavaScriptCore to OS(FUCHSIA)
2974         https://bugs.webkit.org/show_bug.cgi?id=187223
2975
2976         Reviewed by Daniel Bates.
2977
2978         * assembler/ARM64Assembler.h:
2979         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
2980         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
2981         (JSC::MachineContext::stackPointerImpl):
2982         (JSC::MachineContext::framePointerImpl):
2983         (JSC::MachineContext::instructionPointerImpl):
2984         (JSC::MachineContext::argumentPointer<1>):
2985         (JSC::MachineContext::llintInstructionPointer):
2986
2987 2018-06-30  David Kilzer  <ddkilzer@apple.com>
2988
2989         Fix clang static analyzer warnings: Garbage return value
2990         <https://webkit.org/b/187224>
2991
2992         Reviewed by Eric Carlson.
2993
2994         * bytecode/UnlinkedCodeBlock.cpp:
2995         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2996         - Use brace initialization for local variables.
2997         * debugger/DebuggerCallFrame.cpp:
2998         (class JSC::LineAndColumnFunctor):
2999         - Use class member initialization for member variables.
3000
3001 2018-06-29  Saam Barati  <sbarati@apple.com>
3002
3003         Unreviewed. Try to fix Windows build after r233377
3004
3005         * builtins/BuiltinExecutables.cpp:
3006         (JSC::BuiltinExecutables::createExecutable):
3007
3008 2018-06-29  Saam Barati  <sbarati@apple.com>
3009
3010         Don't use tracePoints in JS/Wasm entry
3011         https://bugs.webkit.org/show_bug.cgi?id=187196
3012
3013         Reviewed by Mark Lam.
3014
3015         This puts VM entry and Wasm entry tracePoints behind a runtime
3016         option. This is a ~4x speedup on a soon to be released Wasm
3017         benchmark. tracePoints should basically never run more than 50
3018         times a second. Entering the VM and entering Wasm are user controlled,
3019         and can happen hundreds of thousands of times in a second. Depending
3020         on how the Wasm/JS code is structured, this can be disastrous for
3021         performance.
3022
3023         * runtime/Options.h:
3024         * runtime/VMEntryScope.cpp:
3025         (JSC::VMEntryScope::VMEntryScope):
3026         (JSC::VMEntryScope::~VMEntryScope):
3027         * wasm/WasmBBQPlan.cpp:
3028         (JSC::Wasm::BBQPlan::compileFunctions):
3029         * wasm/js/WebAssemblyFunction.cpp:
3030         (JSC::callWebAssemblyFunction):
3031
3032 2018-06-29  Saam Barati  <sbarati@apple.com>
3033
3034         We shouldn't recurse into the parser when gathering metadata about various function offsets
3035         https://bugs.webkit.org/show_bug.cgi?id=184074
3036         <rdar://problem/37165897>
3037
3038         Reviewed by Mark Lam.
3039
3040         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
3041         for that builtin. This required calling into the parser. However, the parser
3042         may throw a stack overflow. We were not able to recover from that. The only
3043         reason we called into the parser here is that we were gathering text offsets
3044         and various metadata for things in the builtin function. This patch writes a
3045         mini parser that figures this information out without calling into the full
3046         parser. (I've also added a debug assert that verifies the mini parser stays in
3047         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
3048         always succeeds.
3049
3050         * builtins/AsyncFromSyncIteratorPrototype.js:
3051         (globalPrivate.createAsyncFromSyncIterator):
3052         (globalPrivate.AsyncFromSyncIteratorConstructor):
3053         * builtins/BuiltinExecutables.cpp:
3054         (JSC::BuiltinExecutables::createExecutable):
3055         * builtins/GlobalOperations.js:
3056         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
3057         (globalPrivate.speciesConstructor):
3058         (globalPrivate.copyDataProperties):
3059         (globalPrivate.copyDataPropertiesNoExclusions):
3060         * builtins/PromiseOperations.js:
3061         (globalPrivate.newHandledRejectedPromise):
3062         * builtins/RegExpPrototype.js:
3063         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
3064         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
3065         * builtins/StringPrototype.js:
3066         (globalPrivate.hasObservableSideEffectsForStringReplace):
3067         (globalPrivate.getDefaultCollator):
3068         * parser/Nodes.cpp:
3069         (JSC::FunctionMetadataNode::FunctionMetadataNode):
3070         (JSC::FunctionMetadataNode::operator== const):
3071         (JSC::FunctionMetadataNode::dump const):
3072         * parser/Nodes.h:
3073         * parser/Parser.h:
3074         (JSC::parse):
3075         * parser/ParserError.h:
3076         (JSC::ParserError::type const):
3077         * parser/ParserTokens.h:
3078         (JSC::JSTextPosition::operator== const):
3079         (JSC::JSTextPosition::operator!= const):
3080         * parser/SourceCode.h:
3081         (JSC::SourceCode::operator== const):
3082         (JSC::SourceCode::operator!= const):
3083         (JSC::SourceCode::subExpression const):
3084         (JSC::SourceCode::subExpression): Deleted.
3085
3086 2018-06-28  Michael Saboff  <msaboff@apple.com>
3087   
3088         IsoCellSet::sweepToFreeList() not safe when Full GC in process
3089         https://bugs.webkit.org/show_bug.cgi?id=187157
3090
3091         Reviewed by Mark Lam.
3092
3093         * heap/IsoCellSet.cpp:
3094         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
3095         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
3096         or not we are in the process of marking during a full GC.
3097         * heap/MarkedBlock.h:
3098         * heap/MarkedBlockInlines.h:
3099         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
3100
3101 2018-06-27  Saam Barati  <sbarati@apple.com>
3102
3103         Add some more register state information when we crash in repatchPutById
3104         https://bugs.webkit.org/show_bug.cgi?id=187112
3105
3106         Reviewed by Mark Lam.
3107
3108         This will help us gather info when we end up seeing an ObjectPropertyConditionSet
3109         with an offset that is different than what the put tells us.
3110
3111         * jit/Repatch.cpp:
3112         (JSC::tryCachePutByID):
3113
3114 2018-06-27  Mark Lam  <mark.lam@apple.com>
3115
3116         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
3117         https://bugs.webkit.org/show_bug.cgi?id=187119
3118
3119         Reviewed by Keith Miller.
3120
3121         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
3122         should be checking for codeBlock instead of !codeBlock
3123         before using the codeBlock.
3124
3125         I also renamed some other "print" functions to use "dump" instead
3126         to match the underlying C++ code that they call, e.g.
3127         CodeBlock::dumpSource().
3128
3129         * tools/JSDollarVM.cpp:
3130         (WTF::JSDollarVMCallFrame::finishCreation):
3131         (JSC::functionDumpSourceFor):
3132         (JSC::functionDumpBytecodeFor):
3133         (JSC::doPrint):
3134         (JSC::functionDataLog):
3135         (JSC::functionPrint):
3136         (JSC::functionDumpCallFrame):
3137         (JSC::functionDumpStack):
3138         (JSC::JSDollarVM::finishCreation):
3139         (JSC::functionPrintSourceFor): Deleted.
3140         (JSC::functionPrintBytecodeFor): Deleted.
3141         (JSC::doPrintln): Deleted.
3142         (JSC::functionPrintln): Deleted.
3143         (JSC::functionPrintCallFrame): Deleted.
3144         (JSC::functionPrintStack): Deleted.
3145         * tools/VMInspector.cpp:
3146         (JSC::DumpFrameFunctor::DumpFrameFunctor):
3147         (JSC::DumpFrameFunctor::operator() const):
3148         (JSC::VMInspector::dumpCallFrame):
3149         (JSC::VMInspector::dumpStack):
3150         (JSC::VMInspector::dumpValue):
3151         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
3152         (JSC::PrintFrameFunctor::operator() const): Deleted.
3153         (JSC::VMInspector::printCallFrame): Deleted.
3154         (JSC::VMInspector::printStack): Deleted.
3155         (JSC::VMInspector::printValue): Deleted.
3156         * tools/VMInspector.h:
3157
3158 2018-06-27  Keith Miller  <keith_miller@apple.com>
3159
3160         Add logging to try to diagnose where we get a null structure.
3161         https://bugs.webkit.org/show_bug.cgi?id=187106
3162
3163         Reviewed by Mark Lam.
3164
3165         Add logging to JSObject::toPrimitive to help diagnose a nullptr
3166         structure crash.
3167
3168         This code should be removed when we fix <rdar://problem/33451840>
3169
3170         * runtime/JSObject.cpp:
3171         (JSC::callToPrimitiveFunction):
3172         * runtime/JSObject.h:
3173         (JSC::JSObject::getPropertySlot):
3174
3175 2018-06-27  Mark Lam  <mark.lam@apple.com>
3176
3177         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
3178         https://bugs.webkit.org/show_bug.cgi?id=187091
3179         <rdar://problem/41395624>
3180
3181         Reviewed by Yusuke Suzuki.
3182
3183         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
3184         took their slow paths, the slow path would jump back to the fast path right after
3185         the emitted code which clears the unused property values.  As a result, the
3186         unused properties are not initialized.  We've fixed this by adding the slow path
3187         generators before we emit the code to clear the unused properties.
3188
3189         * dfg/DFGSpeculativeJIT.cpp:
3190         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3191         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3192
3193 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3194
3195         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
3196         https://bugs.webkit.org/show_bug.cgi?id=185943
3197
3198         Reviewed by Mark Lam.
3199
3200         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
3201         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
3202         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
3203         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
3204
3205         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
3206         but it should be done in a separate patch since it would be performance sensitive.
3207
3208         * bytecompiler/NodesCodegen.cpp:
3209         (JSC::ArrayPatternNode::emitDirectBinding):
3210
3211 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3212
3213         [JSC] Pass VM& to functions more
3214         https://bugs.webkit.org/show_bug.cgi?id=186241
3215
3216         Reviewed by Mark Lam.
3217
3218         This patch threads VM& through to more of the functions that require it.
3219
3220         * API/JSObjectRef.cpp:
3221         (JSObjectIsConstructor):
3222         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
3223         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
3224         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
3225         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
3226         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
3227         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
3228         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
3229         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
3230         * bytecode/CodeBlockJettisoningWatchpoint.h:
3231         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3232         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
3233         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3234         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
3235         * bytecode/StructureStubClearingWatchpoint.cpp:
3236         (JSC::StructureStubClearingWatchpoint::fireInternal):
3237         * bytecode/StructureStubClearingWatchpoint.h:
3238         * bytecode/Watchpoint.cpp:
3239         (JSC::Watchpoint::fire):
3240         (JSC::WatchpointSet::fireAllWatchpoints):
3241         * bytecode/Watchpoint.h:
3242         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
3243         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
3244         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
3245         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
3246         (JSC::DFG::AdaptiveStructureWatchpoint::install):
3247         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
3248         * dfg/DFGAdaptiveStructureWatchpoint.h:
3249         * dfg/DFGDesiredWatchpoints.cpp:
3250         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
3251         * llint/LLIntSlowPaths.cpp:
3252         (JSC::LLInt::setupGetByIdPrototypeCache):
3253         * runtime/ArrayPrototype.cpp:
3254         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
3255         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
3256         * runtime/ECMAScriptSpecInternalFunctions.cpp:
3257         (JSC::esSpecIsConstructor):
3258         * runtime/FunctionRareData.cpp:
3259         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
3260         * runtime/FunctionRareData.h:
3261         * runtime/InferredStructureWatchpoint.cpp:
3262         (JSC::InferredStructureWatchpoint::fireInternal):
3263         * runtime/InferredStructureWatchpoint.h:
3264         * runtime/InternalFunction.cpp:
3265         (JSC::InternalFunction::createSubclassStructureSlow):
3266         * runtime/InternalFunction.h:
3267         (JSC::InternalFunction::createSubclassStructure):
3268         * runtime/JSCJSValue.h:
3269         * runtime/JSCJSValueInlines.h:
3270         (JSC::JSValue::isConstructor const):
3271         * runtime/JSCell.h:
3272         * runtime/JSCellInlines.h:
3273         (JSC::JSCell::isConstructor):
3274         (JSC::JSCell::methodTable const):
3275         * runtime/JSGlobalObject.cpp:
3276         (JSC::JSGlobalObject::init):
3277         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
3278         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
3279         * runtime/ProxyObject.cpp:
3280         (JSC::ProxyObject::finishCreation):
3281         * runtime/ReflectObject.cpp:
3282         (JSC::reflectObjectConstruct):
3283         * runtime/StructureRareData.cpp:
3284         (JSC::StructureRareData::setObjectToStringValue):
3285         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
3286         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3287         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3288
3289 2018-06-26  Mark Lam  <mark.lam@apple.com>
3290
3291         eval() is wrong about the LiteralParser never throwing any exceptions.
3292         https://bugs.webkit.org/show_bug.cgi?id=187074
3293         <rdar://problem/41461099>
3294
3295         Reviewed by Saam Barati.
3296
3297         Added the missing exception check, and removed an erroneous assertion.
3298
3299         * interpreter/Interpreter.cpp:
3300         (JSC::eval):
3301
3302 2018-06-26  Saam Barati  <sbarati@apple.com>
3303
3304         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3305         https://bugs.webkit.org/show_bug.cgi?id=186878
3306         <rdar://problem/40568659>
3307
3308         Reviewed by Filip Pizlo.
3309
3310         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3311         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3312         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
3313         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
3314         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
3315         conservative scan knows to treat it like a butterfly when we may be
3316         pointing into the middle of it.
3317         
3318         The way we were crashing on the stress GC bots is that our conservative marking
3319         won't do cell visiting for things that are Auxiliary. This meant that if the
3320         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
3321         that JSImmutableButterfly would not be visited. This is now fixed.
3322
3323         * bytecompiler/NodesCodegen.cpp:
3324         (JSC::ArrayNode::emitBytecode):
3325         * debugger/Debugger.cpp:
3326         * heap/ConservativeRoots.cpp:
3327         (JSC::ConservativeRoots::genericAddPointer):
3328         * heap/Heap.cpp:
3329         (JSC::GatherHeapSnapshotData::operator() const):
3330         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
3331         (JSC::Heap::globalObjectCount):
3332         (JSC::Heap::objectTypeCounts):
3333         (JSC::Heap::deleteAllCodeBlocks):
3334         * heap/HeapCell.cpp:
3335         (WTF::printInternal):
3336         * heap/HeapCell.h:
3337         (JSC::isJSCellKind):
3338         (JSC::hasInteriorPointers):
3339         * heap/HeapUtil.h:
3340         (JSC::HeapUtil::findGCObjectPointersForMarking):
3341         (JSC::HeapUtil::isPointerGCObjectJSCell):
3342         * heap/MarkedBlock.cpp:
3343         (JSC::MarkedBlock::Handle::didAddToDirectory):
3344         * heap/SlotVisitor.cpp:
3345         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
3346         * runtime/JSGlobalObject.cpp:
3347         * runtime/JSImmutableButterfly.h:
3348         (JSC::JSImmutableButterfly::subspaceFor):
3349         * runtime/VM.cpp:
3350         (JSC::VM::VM):
3351         * runtime/VM.h:
3352         * tools/CellProfile.h:
3353         (JSC::CellProfile::CellProfile):
3354         (JSC::CellProfile::isJSCell const):
3355         * tools/HeapVerifier.cpp:
3356         (JSC::HeapVerifier::validateCell):
3357
3358 2018-06-26  Mark Lam  <mark.lam@apple.com>
3359
3360         Skip some unnecessary work in Interpreter::getStackTrace().
3361         https://bugs.webkit.org/show_bug.cgi?id=187070
3362
3363         Reviewed by Michael Saboff.
3364
3365         * interpreter/Interpreter.cpp:
3366         (JSC::Interpreter::getStackTrace):
3367
3368 2018-06-26  Mark Lam  <mark.lam@apple.com>
3369
3370         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
3371         https://bugs.webkit.org/show_bug.cgi?id=187060
3372         <rdar://problem/41452767>
3373
3374         Reviewed by Keith Miller.
3375
3376         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
3377         write conversion.  Hence, we can return early after the conversion if the vector
3378         length is already sufficient to cover the requested length.
3379
3380         * runtime/JSObject.cpp:
3381         (JSC::JSObject::ensureLengthSlow):
3382
3383 2018-06-26  Commit Queue  <commit-queue@webkit.org>
3384
3385         Unreviewed, rolling out r233184.
3386         https://bugs.webkit.org/show_bug.cgi?id=187059
3387
3388         "It regressed JetStream between 5-8%" (Requested by saamyjoon
3389         on #webkit).
3390
3391         Reverted changeset:
3392
3393         "JSImmutableButterfly can't be allocated from a subspace with
3394         HeapCell::Kind::Auxiliary"
3395         https://bugs.webkit.org/show_bug.cgi?id=186878
3396         https://trac.webkit.org/changeset/233184
3397
3398 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
3399
3400         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
3401         https://bugs.webkit.org/show_bug.cgi?id=187051
3402
3403         Reviewed by Mark Lam.
3404
3405         Revert r233065 changes over UnlinkedCodeBlock.h to allow
3406         clang-3.8 to compile this again (with libstdc++-5).
3407
3408         * bytecode/UnlinkedCodeBlock.h:
3409         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
3410
3411 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
3412
3413         Fix testapi build when DFG_JIT is disabled
3414         https://bugs.webkit.org/show_bug.cgi?id=187038
3415
3416         Reviewed by Mark Lam.
3417
3418         r233158 added a new API and tests for configuring the number of JIT threads, but
3419         the API is only available when DFG_JIT is enabled, and so the tests should be too.
3420
3421         * API/tests/testapi.mm:
3422         (runJITThreadLimitTests):
3423
3424 2018-06-25  Saam Barati  <sbarati@apple.com>
3425
3426         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
3427         https://bugs.webkit.org/show_bug.cgi?id=186878
3428         <rdar://problem/40568659>
3429
3430         Reviewed by Mark Lam.
3431
3432         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
3433         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
3434         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
3435         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
3436         bots is that our conservative marking won't do cell marking for things that
3437         are Auxiliary. This means that if the stack is the only thing pointing to a
3438         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
3439         not be visited. This patch fixes this bug. This patch also extends our conservative
3440         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
3441
3442         * bytecompiler/NodesCodegen.cpp:
3443         (JSC::ArrayNode::emitBytecode):
3444         * heap/HeapUtil.h:
3445         (JSC::HeapUtil::findGCObjectPointersForMarking):
3446         * runtime/JSImmutableButterfly.h:
3447         (JSC::JSImmutableButterfly::subspaceFor):
3448
3449 2018-06-25  Mark Lam  <mark.lam@apple.com>
3450
3451         constructArray() should set m_numValuesInVector to the specified length.
3452         https://bugs.webkit.org/show_bug.cgi?id=187010
3453         <rdar://problem/41392167>
3454
3455         Reviewed by Filip Pizlo.
3456
3457         Its client will fill in the storage vector with some values using initializeIndex()
3458         and expects m_numValuesInVector to be set to the length i.e. the number of values
3459         to be initialized.
3460
3461         * runtime/JSArray.cpp:
3462         (JSC::constructArray):
3463
3464 2018-06-25  Mark Lam  <mark.lam@apple.com>
3465
3466         Add missing exception check in RegExpObjectInlines.h's collectMatches.
3467         https://bugs.webkit.org/show_bug.cgi?id=187006
3468         <rdar://problem/41418412>
3469
3470         Reviewed by Keith Miller.
3471
3472         * runtime/RegExpObjectInlines.h:
3473         (JSC::collectMatches):
3474
3475 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
3476
3477         Add API for configuring the number of threads used by DFG and FTL
3478         https://bugs.webkit.org/show_bug.cgi?id=186859
3479         <rdar://problem/41093519>
3480
3481         Reviewed by Filip Pizlo.
3482
3483         Add new private APIs for limiting the number of threads to be used by
3484         the DFG and FTL compilers. It was already possible to configure the
3485         limit through JSC Options, but now it can be changed at runtime, even
3486         in the case when the VM is already running.
3487
3488         Add a test for both cases: when trying to configure the limit before
3489         and after the Worklist has been created, but in order to simulate the
3490         first scenario, we must guarantee that the test runs at the very
3491         beginning, so I also added a check for that.
3492
3493         * API/JSVirtualMachine.mm:
3494         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3495         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3496         * API/JSVirtualMachinePrivate.h:
3497         * API/tests/testapi.mm:
3498         (runJITThreadLimitTests):
3499         (testObjectiveCAPIMain):
3500         * dfg/DFGWorklist.cpp:
3501         (JSC::DFG::Worklist::finishCreation):
3502         (JSC::DFG::Worklist::createNewThread):
3503         (JSC::DFG::Worklist::setNumberOfThreads):
3504         * dfg/DFGWorklist.h:
3505
3506 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
3507
3508         [JSC] Remove unnecessary PLATFORM guards
3509         https://bugs.webkit.org/show_bug.cgi?id=186995
3510
3511         Reviewed by Mark Lam.
3512
3513         * assembler/AssemblerCommon.h:
3514         (JSC::isIOS):
3515         Add constexpr.
3516
3517         * inspector/JSGlobalObjectInspectorController.cpp:
3518         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3519         StackFrame works on all platforms. If StackFrame::demangle fails,
3520         it just returns std::nullopt, and that is correctly handled in this code.
3521
3522 2018-06-23  Mark Lam  <mark.lam@apple.com>
3523
3524         Add more debugging features to $vm.
3525         https://bugs.webkit.org/show_bug.cgi?id=186947
3526
3527         Reviewed by Keith Miller.
3528
3529         Adding the following features:
3530
3531             // We now have println in addition to print.
3532             // println automatically adds a '\n' at the end.
3533             $vm.println("Hello");
3534
3535             // We can now capture some info about a stack frame.
3536             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
3537             var callerCallerFrame = $vm.callFrame(2);
3538
3539             // We can inspect the following values associated with the frame:
3540             if (currentFrame.valid) {
3541                 $vm.println("name is ", currentFrame.name);
3542
3543                 // Note: For a WASM frame, all of these will be undefined.
3544                 $vm.println("callee is ", $vm.value(currentFrame.callee));
3545                 $vm.println("codeBlock is ", currentFrame.codeBlock);
3546                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
3547                 $vm.println("executable is ", currentFrame.executable);
3548             }
3549
3550             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
3551             // to dataLog its JSValue instead of its toString() result.
3552
3553             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
3554             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
3555             // toString on a non-object.
3556
3557             // Does what it says about enabling/disabling debugger mode.
3558             $vm.enableDebuggerModeWhenIdle();
3559             $vm.disableDebuggerModeWhenIdle();
3560
3561         * tools/JSDollarVM.cpp:
3562         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
3563         (WTF::JSDollarVMCallFrame::createStructure):
3564         (WTF::JSDollarVMCallFrame::create):
3565         (WTF::JSDollarVMCallFrame::finishCreation):
3566         (WTF::JSDollarVMCallFrame::addProperty):
3567         (JSC::functionCallFrame):
3568         (JSC::functionCodeBlockForFrame):
3569         (JSC::codeBlockFromArg):
3570         (JSC::doPrintln):
3571         (JSC::functionPrint):
3572         (JSC::functionPrintln):
3573         (JSC::changeDebuggerModeWhenIdle):
3574         (JSC::functionEnableDebuggerModeWhenIdle):
3575         (JSC::functionDisableDebuggerModeWhenIdle):
3576         (JSC::JSDollarVM::finishCreation):
3577
3578 2018-06-22  Keith Miller  <keith_miller@apple.com>
3579
3580         We need to have a getDirectConcurrently for use in the compilers
3581         https://bugs.webkit.org/show_bug.cgi?id=186954
3582
3583         Reviewed by Mark Lam.
3584
3585         It used to be that the propertyStorage of an object never shrank,
3586         so if you called getDirect with some offset it would never be an
3587         OOB read. However, this property storage can shrink when calling
3588         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
3589         holds the Structure's ConcurrentJSLock while shrinking. This patch
3590         adds a getDirectConcurrently that will safely try to load from the
3591         butterfly.
3592
3593         * bytecode/ObjectPropertyConditionSet.cpp:
3594         * bytecode/PropertyCondition.cpp:
3595         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
3596         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
3597         * dfg/DFGGraph.cpp:
3598         (JSC::DFG::Graph::tryGetConstantProperty):
3599         * runtime/JSObject.h:
3600         (JSC::JSObject::getDirectConcurrently const):
3601
3602 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3603
3604         [WTF] Use Ref<> for the result type of non-failing factory functions
3605         https://bugs.webkit.org/show_bug.cgi?id=186920
3606
3607         Reviewed by Darin Adler.
3608
3609         * dfg/DFGWorklist.cpp:
3610         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
3611         (JSC::DFG::Worklist::finishCreation):
3612         * dfg/DFGWorklist.h:
3613         * heap/Heap.cpp:
3614         (JSC::Heap::Thread::Thread):
3615         * heap/Heap.h:
3616         * jit/JITWorklist.cpp:
3617         (JSC::JITWorklist::Thread::Thread):
3618         * jit/JITWorklist.h:
3619         * runtime/VMTraps.cpp:
3620         * runtime/VMTraps.h:
3621         * wasm/WasmWorklist.cpp:
3622         * wasm/WasmWorklist.h:
3623
3624 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3625
3626         [WTF] Add user-defined literal for ASCIILiteral
3627         https://bugs.webkit.org/show_bug.cgi?id=186839
3628
3629         Reviewed by Darin Adler.
3630
3631         * API/JSCallbackObjectFunctions.h:
3632         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
3633         (JSC::JSCallbackObject<Parent>::callbackGetter):
3634         * API/JSObjectRef.cpp:
3635         (JSObjectMakeFunctionWithCallback):
3636         * API/JSTypedArray.cpp:
3637         (JSObjectGetArrayBufferBytesPtr):
3638         * API/JSValue.mm:
3639         (valueToArray):
3640         (valueToDictionary):
3641         * API/ObjCCallbackFunction.mm:
3642         (JSC::objCCallbackFunctionCallAsFunction):
3643         (JSC::objCCallbackFunctionCallAsConstructor):
3644         (JSC::ObjCCallbackFunctionImpl::call):
3645         * API/glib/JSCCallbackFunction.cpp:
3646         (JSC::JSCCallbackFunction::call):
3647         (JSC::JSCCallbackFunction::construct):
3648         * API/glib/JSCContext.cpp:
3649         (jscContextJSValueToGValue):
3650         * API/glib/JSCValue.cpp:
3651         (jsc_value_object_define_property_accessor):
3652         (jscValueFunctionCreate):
3653         * builtins/BuiltinUtils.h:
3654         * bytecode/CodeBlock.cpp:
3655         (JSC::CodeBlock::nameForRegister):
3656         * bytecompiler/BytecodeGenerator.cpp:
3657         (JSC::BytecodeGenerator::emitEnumeration):
3658         (JSC::BytecodeGenerator::emitIteratorNext):
3659         (JSC::BytecodeGenerator::emitIteratorClose):
3660         (JSC::BytecodeGenerator::emitDelegateYield):
3661         * bytecompiler/NodesCodegen.cpp:
3662         (JSC::FunctionCallValueNode::emitBytecode):
3663         (JSC::PostfixNode::emitBytecode):
3664         (JSC::PrefixNode::emitBytecode):
3665         (JSC::AssignErrorNode::emitBytecode):
3666         (JSC::ForInNode::emitBytecode):
3667         (JSC::ForOfNode::emitBytecode):
3668         (JSC::ClassExprNode::emitBytecode):
3669         (JSC::ObjectPatternNode::bindValue const):
3670         * dfg/DFGDriver.cpp:
3671         (JSC::DFG::compileImpl):
3672         * dfg/DFGOperations.cpp:
3673         (JSC::DFG::newTypedArrayWithSize):
3674         * dfg/DFGStrengthReductionPhase.cpp:
3675         (JSC::DFG::StrengthReductionPhase::handleNode):
3676         * inspector/ConsoleMessage.cpp:
3677         (Inspector::ConsoleMessage::addToFrontend):
3678         (Inspector::ConsoleMessage::clear):
3679         * inspector/ContentSearchUtilities.cpp:
3680         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
3681         * inspector/InjectedScript.cpp:
3682         (Inspector::InjectedScript::InjectedScript):
3683         (Inspector::InjectedScript::evaluate):
3684         (Inspector::InjectedScript::callFunctionOn):
3685         (Inspector::InjectedScript::evaluateOnCallFrame):
3686         (Inspector::InjectedScript::getFunctionDetails):
3687         (Inspector::InjectedScript::functionDetails):
3688         (Inspector::InjectedScript::getPreview):
3689         (Inspector::InjectedScript::getProperties):
3690         (Inspector::InjectedScript::getDisplayableProperties):
3691         (Inspector::InjectedScript::getInternalProperties):
3692         (Inspector::InjectedScript::getCollectionEntries):
3693         (Inspector::InjectedScript::saveResult):
3694         (Inspector::InjectedScript::wrapCallFrames const):
3695         (Inspector::InjectedScript::wrapObject const):
3696         (Inspector::InjectedScript::wrapJSONString const):
3697         (Inspector::InjectedScript::wrapTable const):
3698         (Inspector::InjectedScript::previewValue const):
3699         (Inspector::InjectedScript::setExceptionValue):
3700         (Inspector::InjectedScript::clearExceptionValue):
3701         (Inspector::InjectedScript::findObjectById const):
3702         (Inspector::InjectedScript::inspectObject):
3703         (Inspector::InjectedScript::releaseObject):
3704         (Inspector::InjectedScript::releaseObjectGroup):
3705         * inspector/InjectedScriptBase.cpp:
3706         (Inspector::InjectedScriptBase::makeEvalCall):
3707         * inspector/InjectedScriptManager.cpp:
3708         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3709         * inspector/InjectedScriptModule.cpp:
3710         (Inspector::InjectedScriptModule::ensureInjected):
3711         * inspector/InspectorBackendDispatcher.cpp:
3712         (Inspector::BackendDispatcher::dispatch):
3713         (Inspector::BackendDispatcher::sendResponse):
3714         (Inspector::BackendDispatcher::sendPendingErrors):
3715         * inspector/JSGlobalObjectConsoleClient.cpp:
3716         (Inspector::JSGlobalObjectConsoleClient::profile):
3717         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
3718         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
3719         * inspector/JSGlobalObjectInspectorController.cpp:
3720         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
3721         * inspector/JSInjectedScriptHost.cpp:
3722         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
3723         (Inspector::JSInjectedScriptHost::subtype):
3724         (Inspector::JSInjectedScriptHost::getInternalProperties):
3725         * inspector/JSJavaScriptCallFrame.cpp:
3726         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
3727         (Inspector::JSJavaScriptCallFrame::type const):
3728         * inspector/ScriptArguments.cpp:
3729         (Inspector::ScriptArguments::getFirstArgumentAsString):
3730         * inspector/ScriptCallStackFactory.cpp:
3731         (Inspector::extractSourceInformationFromException):
3732         * inspector/agents/InspectorAgent.cpp:
3733         (Inspector::InspectorAgent::InspectorAgent):
3734         * inspector/agents/InspectorConsoleAgent.cpp:
3735         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
3736         (Inspector::InspectorConsoleAgent::clearMessages):
3737         (Inspector::InspectorConsoleAgent::count):
3738         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
3739         * inspector/agents/InspectorDebuggerAgent.cpp:
3740         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
3741         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
3742         (Inspector::buildObjectForBreakpointCookie):
3743         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3744         (Inspector::parseLocation):
3745         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3746         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3747         (Inspector::InspectorDebuggerAgent::continueToLocation):
3748         (Inspector::InspectorDebuggerAgent::searchInContent):
3749         (Inspector::InspectorDebuggerAgent::getScriptSource):
3750         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
3751         (Inspector::InspectorDebuggerAgent::resume):
3752         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
3753         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
3754         (Inspector::InspectorDebuggerAgent::didParseSource):
3755         (Inspector::InspectorDebuggerAgent::assertPaused):
3756         * inspector/agents/InspectorHeapAgent.cpp:
3757         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
3758         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
3759         (Inspector::InspectorHeapAgent::getPreview):
3760         (Inspector::InspectorHeapAgent::getRemoteObject):
3761         * inspector/agents/InspectorRuntimeAgent.cpp:
3762         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
3763         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3764         (Inspector::InspectorRuntimeAgent::getPreview):
3765         (Inspector::InspectorRuntimeAgent::getProperties):
3766         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3767         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3768         (Inspector::InspectorRuntimeAgent::saveResult):
3769         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3770         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3771         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3772         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
3773         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3774         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
3775         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
3776         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
3777         * inspector/scripts/codegen/cpp_generator_templates.py:
3778         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3779         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
3780         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3781         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3782         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3783         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3784         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3785         (CppProtocolTypesImplementationGenerator):
3786         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3787         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3788         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
3789         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3790         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3791         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3792         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
3793         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
3794         * inspector/scripts/codegen/objc_generator_templates.py:
3795         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3796         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3797         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3798         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3799         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3800         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3801         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3802         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3803         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3804         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3805         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3806         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3807         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3808         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3809         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3810         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3811         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3812         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3813         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3814         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3815         * interpreter/CallFrame.cpp:
3816         (JSC::CallFrame::friendlyFunctionName):
3817         * interpreter/Interpreter.cpp:
3818         (JSC::Interpreter::execute):
3819         * interpreter/StackVisitor.cpp:
3820         (JSC::StackVisitor::Frame::functionName const):
3821         (JSC::StackVisitor::Frame::sourceURL const):
3822         * jit/JIT.cpp:
3823         (JSC::JIT::doMainThreadPreparationBeforeCompile):
3824         * jit/JITOperations.cpp:
3825         * jsc.cpp:
3826         (resolvePath):
3827         (GlobalObject::moduleLoaderImportModule):
3828         (GlobalObject::moduleLoaderResolve):
3829         (functionDescribeArray):
3830         (functionRun):
3831         (functionLoad):
3832         (functionCheckSyntax):
3833         (functionDollarEvalScript):
3834         (functionDollarAgentStart):
3835         (functionDollarAgentReceiveBroadcast):
3836         (functionDollarAgentBroadcast):
3837         (functionTransferArrayBuffer):
3838         (functionLoadModule):
3839         (functionSamplingProfilerStackTraces):
3840         (functionAsyncTestStart):
3841         (functionWebAssemblyMemoryMode):
3842         (runWithOptions):
3843         * parser/Lexer.cpp:
3844         (JSC::Lexer<T>::invalidCharacterMessage const):
3845         (JSC::Lexer<T>::parseString):
3846         (JSC::Lexer<T>::parseComplexEscape):
3847         (JSC::Lexer<T>::parseStringSlowCase):
3848         (JSC::Lexer<T>::parseTemplateLiteral):
3849         (JSC::Lexer<T>::lex):
3850         * parser/Parser.cpp:
3851         (JSC::Parser<LexerType>::parseInner):
3852         * parser/Parser.h:
3853         (JSC::Parser::setErrorMessage):
3854         * runtime/AbstractModuleRecord.cpp:
3855         (JSC::AbstractModuleRecord::finishCreation):
3856         * runtime/ArrayBuffer.cpp:
3857         (JSC::errorMesasgeForTransfer):
3858         * runtime/ArrayBufferSharingMode.h:
3859         (JSC::arrayBufferSharingModeName):
3860         * runtime/ArrayConstructor.cpp:
3861         (JSC::constructArrayWithSizeQuirk):
3862         (JSC::isArraySlowInline):
3863         * runtime/ArrayPrototype.cpp:
3864         (JSC::setLength):
3865         (JSC::shift):
3866         (JSC::unshift):
3867         (JSC::arrayProtoFuncPop):
3868         (JSC::arrayProtoFuncReverse):
3869         (JSC::arrayProtoFuncUnShift):
3870         * runtime/AtomicsObject.cpp:
3871         (JSC::atomicsFuncWait):
3872         (JSC::atomicsFuncWake):
3873         * runtime/BigIntConstructor.cpp:
3874         (JSC::BigIntConstructor::finishCreation):
3875         (JSC::toBigInt):
3876         (JSC::callBigIntConstructor):
3877         * runtime/BigIntObject.cpp:
3878         (JSC::BigIntObject::toStringName):
3879         * runtime/BigIntPrototype.cpp:
3880         (JSC::bigIntProtoFuncToString):
3881         (JSC::bigIntProtoFuncValueOf):
3882         * runtime/CommonSlowPaths.cpp:
3883         (JSC::SLOW_PATH_DECL):