Function object should convert params to string before throwing a parsing error
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Function object should convert params to string before throwing a parsing error
        https://bugs.webkit.org/show_bug.cgi?id=188874

        Reviewed by Darin Adler.

        The ToString operation on the `body` of the Function constructor should be performed
        before checking the syntax correctness of the parameters.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
13
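The ordering described in the entry above, as an added JavaScript example that is not part of WebKit's ChangeLog or source: it records which arguments `new Function` converts with ToString, and in what order, before any SyntaxError for a malformed parameter list surfaces. The helper names (`observeFunctionConstructor`, `bodyToStringThrows`) and the logging argument objects are this example's own.

```javascript
// Added example; not WebKit code. Observes the argument-conversion order of
// the Function constructor: every argument is converted with ToString (the
// body included) before the parameter list is syntax-checked.

// Records the sequence of ToString calls made by `new Function(params, body)`
// and the name of the error thrown, if any. The argument objects are
// constructed so that their toString() logs when the engine invokes it.
function observeFunctionConstructor(paramText, bodyText) {
  const events = [];
  const params = { toString() { events.push("params"); return paramText; } };
  const body = { toString() { events.push("body"); return bodyText; } };
  let errorName = null;
  try {
    new Function(params, body);
  } catch (e) {
    errorName = e.name;
  }
  return { events, errorName };
}

// A body whose toString() throws, paired with a malformed parameter list:
// the error from ToString(body) must surface, not the SyntaxError, because
// the body is converted before the parameters are parsed.
function bodyToStringThrows(paramText) {
  const params = { toString() { return paramText; } };
  const body = { toString() { throw new RangeError("body conversion"); } };
  try {
    new Function(params, body);
    return null;
  } catch (e) {
    return e.name;
  }
}

// Stand-alone demo: "a b" is not a valid parameter list.
console.log(observeFunctionConstructor("a b", "return 1;"));
console.log(bodyToStringThrows("a b"));
console.log(observeFunctionConstructor("x", "return x + 1;"));
```

Run it with a JavaScript engine that follows the specified order: the first call reports the events `params` then `body` and then a `SyntaxError`; the second reports `RangeError` rather than `SyntaxError`; the third parses cleanly. An engine that checked the parameter syntax before converting the body would report `SyntaxError` in the second case and would never run the body's `toString()` at all.
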
2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in constructJSWebAssemblyCompileError().
        https://bugs.webkit.org/show_bug.cgi?id=189185
        <rdar://problem/39786007>

        Reviewed by Michael Saboff.

        Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
        inadvertently overwrite a pre-existing exception (if present).

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Gardening: ARMv7 build fix.
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Not reviewed.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableBranch8):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in JSDataView::defineOwnProperty().
        https://bugs.webkit.org/show_bug.cgi?id=189186
        <rdar://problem/39786049>

        Reviewed by Michael Saboff.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::defineOwnProperty):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in arrayProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=189184
        <rdar://problem/39785959>

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-08-31  Saam barati  <sbarati@apple.com>

        convertToRegExpMatchFastGlobal must use KnownString as the child use kind
        https://bugs.webkit.org/show_bug.cgi?id=189173
        <rdar://problem/43501645>

        Reviewed by Michael Saboff.

        We were crashing during validation because mayExit returned true
        at a point in the program when we weren't allowed to exit.

        The issue is in StrengthReduction: we end up emitting code that
        had a StringUse on an edge after a node that had side effects and before
        an ExitOK/bytecode number transition. However, StrengthReduction did the
        right thing here and also emitted the type checks before the node with
        side effects. It just did bad bookkeeping. The node we convert to needs
        to use KnownStringUse instead of StringUse for the child edge.

        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
        (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
        * dfg/DFGNode.h:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        Reviewed by Mark Lam.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation.  Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generator and async generator.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
189
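A conformance check for the behaviour the entry above fixes, as an added JavaScript example that is not part of WebKit's ChangeLog or source: for each function kind it verifies that `Function.prototype.toString` keeps the kind's keyword prefix and that the returned source text re-evaluates to a function of the same kind. The sample functions, the `expectedPrefix` table and the `checkToStringRoundTrip` helper are this example's own.

```javascript
// Added example; not WebKit code. Checks Function.prototype.toString for every
// function kind: the result must keep the kind's keyword prefix and must parse
// back (via indirect eval) to a function of the same kind.

// Kind tag via Symbol.toStringTag, e.g. "[object AsyncGeneratorFunction]".
const kindOf = (fn) => Object.prototype.toString.call(fn);

// Sample functions of each kind (constructed for this example).
const samples = {
  plain: function () { return 1; },
  generator: function* () { yield 1; },
  async: async function () { return 1; },
  asyncGenerator: async function* () { yield 1; },
  arrow: () => 1,
};

// Leading token(s) that toString() output must start with, per kind.
const expectedPrefix = {
  plain: "function",
  generator: "function*",
  async: "async function",
  asyncGenerator: "async function*",
  arrow: "(",
};

// Returns, per kind: its tag, whether the prefix is right, and whether the
// source text re-evaluates to a function with the same tag.
function checkToStringRoundTrip() {
  const results = {};
  for (const [name, fn] of Object.entries(samples)) {
    const src = Function.prototype.toString.call(fn);
    const prefixOk = src.startsWith(expectedPrefix[name]);
    const reparsed = (0, eval)("(" + src + ")"); // indirect eval: global scope
    results[name] = { kind: kindOf(fn), prefixOk, kindPreserved: kindOf(reparsed) === kindOf(fn) };
  }
  return results;
}

console.log(checkToStringRoundTrip());
```

An engine with the bug described above would report `prefixOk: false` for the generator and async generator entries (the `*` or `async` marker missing from the returned text), and the re-parsed function would then carry a different kind tag.
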
2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        Is a Swift source breaking change. (Requested by keith_miller
        on #webkit).

        Reverted changesets:

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullability attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

            Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
            Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

                Register frame:

                -----------------------------------------------------------------------------
                            use            |   address  |                value
                -----------------------------------------------------------------------------
                [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
                [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
                [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
                [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
                [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
                [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
                [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
                [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
                -----------------------------------------------------------------------------
                [ArgumentCount]            | 0x7ffeefbfd2f0 | 7
                [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
                [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
                [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
                [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c
                [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
                -----------------------------------------------------------------------------
                [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
                [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
                [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608
                [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
                -----------------------------------------------------------------------------
                [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
                [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
                [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
                [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
                [r-12]                     | 0x7ffeefbfd270 | 0x100000001
                [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-14]                     | 0x7ffeefbfd260 | 0x0
                [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c
                [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0
                [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
                [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250
                -----------------------------------------------------------------------------

281
282         3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
283            we can use in its place:
284
285             $vm.dumpCallFrame()
286             $vm.dumpBytecodeFor()
287             $vm.dumpRegisters()     // Just added in this patch.
288
289         4. Also fixed a bug in BytecodeDumper: it should only access
290            CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false.
291
292         * bytecode/BytecodeDumper.cpp:
293         (JSC::BytecodeDumper<Block>::printCallOp):
294         * interpreter/Interpreter.cpp:
295         (JSC::Interpreter::dumpCallFrame): Deleted.
296         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
297         (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
298         (JSC::Interpreter::dumpRegisters): Deleted.
299         * interpreter/Interpreter.h:
300         * jsc.cpp:
301         (GlobalObject::finishCreation):
302         (functionDumpCallFrame): Deleted.
303         * tools/JSDollarVM.cpp:
304         (JSC::functionDumpRegisters):
305         (JSC::JSDollarVM::finishCreation):
306         * tools/VMInspector.cpp:
307         (JSC::VMInspector::dumpRegisters):
308         * tools/VMInspector.h:
309
2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullability attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Dan Bernstein.

        Switch to using NS_ASSUME_NONNULL_BEGIN/END.

        * API/JSValue.h:

2018-08-28  Keith Miller  <keith_miller@apple.com>

        Add nullability attributes to JSValue
        https://bugs.webkit.org/show_bug.cgi?id=189047

        Reviewed by Geoffrey Garen.

        * API/JSValue.h:

2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Parse wasm modules in a streaming fashion
        https://bugs.webkit.org/show_bug.cgi?id=188943

        Reviewed by Mark Lam.

        This patch adds Wasm::StreamingParser, which parses a wasm binary in a streaming fashion.
        Currently, this StreamingParser is not enabled or integrated. In subsequent patches,
        we will start integrating it into BBQPlan and dropping the old ModuleParser.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * tools/JSDollarVM.cpp:
        (WTF::WasmStreamingParser::WasmStreamingParser):
        (WTF::WasmStreamingParser::create):
        (WTF::WasmStreamingParser::createStructure):
        (WTF::WasmStreamingParser::streamingParser):
        (WTF::WasmStreamingParser::finishCreation):
        (WTF::functionWasmStreamingParserAddBytes):
        (WTF::functionWasmStreamingParserFinalize):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::JSDollarVM::finishCreation):
        The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test
        uses this interface to test the streaming parser in the JSC shell.

        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        (JSC::Wasm::BBQPlan::work):
        * wasm/WasmBBQPlan.h:
        BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
        In subsequent patches, we will remove this, and stream the data into the BBQPlan.

        * wasm/WasmFormat.h:
        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        One of the largest changes in this patch is that ModuleInformation no longer holds the source bytes,
        since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
        in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have a
        Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
        a function with this data can be done concurrently with StreamingParser.

        (JSC::Wasm::ModuleInformation::create):
        (JSC::Wasm::ModuleInformation::memoryCount const):
        (JSC::Wasm::ModuleInformation::tableCount const):
        memoryCount and tableCount should be recorded in ModuleInformation.

        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parse):
        (JSC::Wasm::makeI32InitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseType): Deleted.
        (JSC::Wasm::ModuleParser::parseImport): Deleted.
        (JSC::Wasm::ModuleParser::parseFunction): Deleted.
        (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
        (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseTable): Deleted.
        (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
        (JSC::Wasm::ModuleParser::parseMemory): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
        (JSC::Wasm::ModuleParser::parseExport): Deleted.
        (JSC::Wasm::ModuleParser::parseStart): Deleted.
        (JSC::Wasm::ModuleParser::parseElement): Deleted.
        (JSC::Wasm::ModuleParser::parseCode): Deleted.
        (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
        (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
        (JSC::Wasm::ModuleParser::parseData): Deleted.
        (JSC::Wasm::ModuleParser::parseCustom): Deleted.
        Extract the section parsing code out of ModuleParser. We create SectionParser, and ModuleParser uses it.
        SectionParser is also used by StreamingParser.

        * wasm/WasmModuleParser.h:
        (): Deleted.
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::create):
        (JSC::Wasm::NameSection::setHash):
        Hash calculation is deferred since the whole source is not available during streaming parsing.

        * wasm/WasmNameSectionParser.cpp:
        (JSC::Wasm::NameSectionParser::parse):
        * wasm/WasmNameSectionParser.h:
        Use Ref<NameSection>.

        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        Wasm::Plan no longer has m_source since data will eventually be filled in a streaming fashion.
        OMGPlan can get the data of the function by using ModuleInformation::functions.

        * wasm/WasmParser.h:
        (JSC::Wasm::Parser::source const):
        (JSC::Wasm::Parser::length const):
        (JSC::Wasm::Parser::offset const):
        (JSC::Wasm::Parser::fail const):
        (JSC::Wasm::makeI32InitExpr):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):
        Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.

        * wasm/WasmPlan.h:
        * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
        SectionParser is extracted from ModuleParser, and it is used by both the old (currently working)
        ModuleParser and the new StreamingParser.

        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseImport):
        (JSC::Wasm::SectionParser::parseFunction):
        (JSC::Wasm::SectionParser::parseResizableLimits):
        (JSC::Wasm::SectionParser::parseTableHelper):
        (JSC::Wasm::SectionParser::parseTable):
        (JSC::Wasm::SectionParser::parseMemoryHelper):
        (JSC::Wasm::SectionParser::parseMemory):
        (JSC::Wasm::SectionParser::parseGlobal):
        (JSC::Wasm::SectionParser::parseExport):
        (JSC::Wasm::SectionParser::parseStart):
        (JSC::Wasm::SectionParser::parseElement):
        (JSC::Wasm::SectionParser::parseCode):
        (JSC::Wasm::SectionParser::parseInitExpr):
        (JSC::Wasm::SectionParser::parseGlobalType):
        (JSC::Wasm::SectionParser::parseData):
        (JSC::Wasm::SectionParser::parseCustom):
        * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
        * wasm/WasmStreamingParser.cpp: Added.
        (JSC::Wasm::parseUInt7):
        (JSC::Wasm::StreamingParser::fail):
        (JSC::Wasm::StreamingParser::StreamingParser):
        (JSC::Wasm::StreamingParser::parseModuleHeader):
        (JSC::Wasm::StreamingParser::parseSectionID):
        (JSC::Wasm::StreamingParser::parseSectionSize):
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        The code section in a Wasm binary is handled specially compared with the other sections since it includes
        a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
        streaming validation / compilation of Wasm functions.

        (JSC::Wasm::StreamingParser::parseFunctionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        (JSC::Wasm::StreamingParser::consume):
        (JSC::Wasm::StreamingParser::consumeVarUInt32):
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::failOnState):
        (JSC::Wasm::StreamingParser::finalize):
        * wasm/WasmStreamingParser.h: Added.
        (JSC::Wasm::StreamingParser::addBytes):
        (JSC::Wasm::StreamingParser::errorMessage const):
        This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
        StreamingParser::parseXXX functions parse the consumed data. The user of StreamingParser calls
        StreamingParser::addBytes() to pump the byte stream into the parser, and once all the data is pumped,
        the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
        incoming byte stream.

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::source const): Deleted.
        The whole source should not be held.

        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):
492
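The state machine described in the entry above (addBytes pumping chunks in, consume* helpers fetching data, parse steps acting on it, finalize closing the stream, and the code section split into per-function payloads), as an added JavaScript example that is not WebKit's Wasm::StreamingParser and not part of this ChangeLog. The state names, the `StreamingParser` class, `parseInChunks`, and the constructed `SAMPLE_MODULE` bytes are this example's own assumptions; it recognises only the module header, the section id/size framing and the code section's per-function framing, and skips the payloads of other sections rather than parsing them.

```javascript
// Added example; not WebKit's Wasm::StreamingParser. A JavaScript state machine in the
// same spirit: addBytes() pumps chunks in, consume* helpers pull data or wait for more,
// step() parses what was consumed, finalize() checks the stream ended between sections.
const WASM_MAGIC = [0x00, 0x61, 0x73, 0x6d];   // "\0asm"
const WASM_VERSION = [0x01, 0x00, 0x00, 0x00];
const CODE_SECTION_ID = 10;                     // standard wasm section id
class StreamingParser {
  constructor() {
    this.state = "ModuleHeader"; this.buffer = []; this.error = null;
    this.sections = [];  // { id, size } for every section seen
    this.functions = []; // code-section bodies, one Uint8Array each
    this.sectionId = 0; this.sectionSize = 0; this.remainingInSection = 0;
    this.functionsLeft = 0; this.functionSize = 0;
  }
  fail(message) { this.error = message; this.state = "FatalError"; return false; }
  // Pump a chunk in; chunk boundaries may fall anywhere, even inside a LEB128 value.
  addBytes(bytes) {
    if (this.state === "FatalError") return false;
    if (this.state === "Finished") return this.fail("bytes after finalize");
    for (const b of bytes) this.buffer.push(b);
    while (this.step()) { /* advance until more input is needed */ }
    return this.state !== "FatalError";
  }
  // End of stream is only acceptable between sections, with nothing left unconsumed.
  finalize() {
    if (this.state === "FatalError") return false;
    if (this.state !== "SectionID" || this.buffer.length) return this.fail(`unexpected end of input in state ${this.state}`);
    this.state = "Finished";
    return true;
  }
  // consume* return undefined when more bytes are needed and commit nothing in that case.
  consume(n) { return this.buffer.length < n ? undefined : this.buffer.splice(0, n); }
  consumeVarUInt32() {
    let result = 0, shift = 0;
    for (let i = 0; i < this.buffer.length; i++) {
      const byte = this.buffer[i];
      result += (byte & 0x7f) * 2 ** shift; shift += 7;
      if (byte & 0x80) { if (shift >= 35) { this.fail("varuint32 too long"); return undefined; } continue; }
      if (result > 0xffffffff) { this.fail("varuint32 out of range"); return undefined; }
      this.buffer.splice(0, i + 1);
      return result;
    }
    return undefined;
  }
  // One transition; returns false when the state needs more input or the parser failed.
  step() {
    let v; const before = this.buffer.length;
    switch (this.state) {
      case "ModuleHeader":
        if (!(v = this.consume(8))) return false;
        if (!WASM_MAGIC.every((b, i) => v[i] === b)) return this.fail("bad magic");
        if (!WASM_VERSION.every((b, i) => v[4 + i] === b)) return this.fail("unsupported version");
        this.state = "SectionID"; return true;
      case "SectionID":
        if (!(v = this.consume(1))) return false;
        this.sectionId = v[0];
        if (this.sectionId > 12) return this.fail(`unknown section id ${this.sectionId}`);
        this.state = "SectionSize"; return true;
      case "SectionSize":
        if ((v = this.consumeVarUInt32()) === undefined) return false;
        this.sectionSize = v; this.sections.push({ id: this.sectionId, size: v });
        if (this.sectionId === CODE_SECTION_ID) { this.remainingInSection = v; this.state = "CodeSectionSize"; }
        else this.state = "SectionPayload"; // a full parser hands this payload to a section parser
        return true;
      case "SectionPayload":
        if (!this.consume(this.sectionSize)) return false;
        this.state = "SectionID"; return true;
      case "CodeSectionSize": // function count; each body is then framed by its own size
        if ((v = this.consumeVarUInt32()) === undefined) return false;
        this.remainingInSection -= before - this.buffer.length;
        this.functionsLeft = v; this.state = v ? "FunctionSize" : "CodeSectionEnd"; return true;
      case "FunctionSize":
        if ((v = this.consumeVarUInt32()) === undefined) return false;
        this.remainingInSection -= before - this.buffer.length;
        if (v > this.remainingInSection) return this.fail("function body exceeds code section");
        this.functionSize = v; this.state = "FunctionPayload"; return true;
      case "FunctionPayload": // an engine could validate/compile this body while later bytes arrive
        if (!(v = this.consume(this.functionSize))) return false;
        this.remainingInSection -= v.length; this.functions.push(Uint8Array.from(v));
        this.state = --this.functionsLeft ? "FunctionSize" : "CodeSectionEnd"; return true;
      case "CodeSectionEnd":
        if (this.remainingInSection !== 0) return this.fail("code section size mismatch");
        this.state = "SectionID"; return true;
      default: return false;
    }
  }
}
// Constructed sample: a minimal valid module with a single () -> () function.
const SAMPLE_MODULE = Uint8Array.from([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: one func type () -> ()
  0x03, 0x02, 0x01, 0x00,                         // function section: one function of type 0
  0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b,             // code section: one body (no locals, end)
]);
// Feed `bytes` to a fresh parser in chunks of `chunkSize`, then finalize; returns the parser.
function parseInChunks(bytes, chunkSize) {
  const parser = new StreamingParser();
  for (let i = 0; i < bytes.length; i += chunkSize) parser.addBytes(bytes.subarray(i, i + chunkSize));
  parser.finalize();
  return parser;
}
```

The property that matters for a streaming parser, and the one to test first, is that the result does not depend on where the chunk boundaries fall: feeding `SAMPLE_MODULE` one byte at a time, three bytes at a time, or all at once yields the same three sections and the same single function body. Every size read from the stream is checked against the enclosing section before any payload is accepted, so a function body that claims more bytes than its code section has left is rejected as soon as its size arrives, and a stream that ends mid-section is rejected by `finalize()` rather than silently accepted.
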
2018-08-27  Mark Lam  <mark.lam@apple.com>

        Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
        https://bugs.webkit.org/show_bug.cgi?id=188577
        <rdar://problem/42985684>

        Reviewed by Saam Barati.

        1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
           (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.

           The StackOverflowFrame is a sentinel frame that the low level code (exception
           throwing code, stack visitor, and stack unwinding code) will know to skip
           over.  The StackOverflowFrame will also have a valid JSCallee so that client
           code can compute the globalObject or VM from this frame.

           As a result, client code that throws StackOverflowErrors no longer needs to
           compute the caller frame to throw from: it just converts the top frame into
           a StackOverflowFrame and everything should *Just Work*.

        2. NativeCallFrameTracerWithRestore is now obsolete.

           Instead, client code should always call convertToStackOverflowFrame() on the
           frame before instantiating a NativeCallFrameTracer with it.

           This means that topCallFrame will always point to the top CallFrame (which
           may be a StackOverflowFrame), and topEntryFrame will always point to the top
           EntryFrame.  We'll never temporarily point them to the previous EntryFrame
           (which we used to do with NativeCallFrameTracerWithRestore).

        3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
           CallFrame, and will know how to handle a StackOverflowFrame if they see one.

           This obsoletes the UnwindStart flag.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerFrame const):
        (JSC::CallFrame::unsafeCallerFrame const):
        (JSC::CallFrame::convertToStackOverflowFrame):
        (JSC::CallFrame::callerFrame): Deleted.
        (JSC::CallFrame::unsafeCallerFrame): Deleted.
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/CallFrameInlines.h: Added.
        (JSC::CallFrame::isStackOverflowFrame const):
        (JSC::CallFrame::isWasmFrame const):
        * interpreter/EntryFrame.h: Added.
        (JSC::EntryFrame::vmEntryRecordOffset):
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
        * interpreter/FrameTracers.h:
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::visit):
        (JSC::StackVisitor::topEntryFrameIsEmpty const):
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::callee const):
        (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
        (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITOperations.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CallData.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::throwArityCheckStackOverflowError):
576         (JSC::SLOW_PATH_DECL):
577         * runtime/CommonSlowPathsExceptions.cpp: Removed.
578         * runtime/CommonSlowPathsExceptions.h: Removed.
579         * runtime/Completion.cpp:
580         (JSC::evaluateWithScopeExtension):
581         * runtime/JSGeneratorFunction.h:
582         * runtime/JSGlobalObject.cpp:
583         (JSC::JSGlobalObject::init):
584         (JSC::JSGlobalObject::visitChildren):
585         * runtime/JSGlobalObject.h:
586         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
587         * runtime/VM.cpp:
588         (JSC::VM::throwException):
589         * runtime/VM.h:
590         * runtime/VMInlines.h:
591         (JSC::VM::topJSCallFrame const):
592
593 2018-08-27  Keith Rollin  <krollin@apple.com>
594
595         Unreviewed build fix -- disable LTO for production builds
596
597         * Configurations/Base.xcconfig:
598
599 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
600
601         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
602         https://bugs.webkit.org/show_bug.cgi?id=188931
603
604         Reviewed by Wenson Hsieh.
605
606         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
607
608 2018-08-27  Devin Rousso  <drousso@apple.com>
609
610         Web Inspector: provide autocompletion for event breakpoints
611         https://bugs.webkit.org/show_bug.cgi?id=188717
612
613         Reviewed by Brian Burg.
614
615         * inspector/protocol/DOM.json:
616         Add `getSupportedEventNames` command.
617
618 2018-08-27  Keith Rollin  <krollin@apple.com>
619
620         Build system support for LTO
621         https://bugs.webkit.org/show_bug.cgi?id=187785
622         <rdar://problem/42353132>
623
624         Reviewed by Dan Bernstein.
625
626         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
627         LTO.
628
629         * Configurations/Base.xcconfig:
630         * Configurations/DebugRelease.xcconfig:
631
632 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
633
634         [GTK][JSC] Add warn_unused_result attribute to some APIs
635         https://bugs.webkit.org/show_bug.cgi?id=188983
636
637         Reviewed by Michael Catanzaro.
638
639         * API/glib/JSCValue.h:
640
641 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
642
643         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
644         https://bugs.webkit.org/show_bug.cgi?id=188794
645
646         Reviewed by Saam Barati.
647
648         While Array.prototype.reverse modifies the butterfly of the given Array,
649         it does not account for the JSImmutableButterfly case. So it accidentally modifies
650         the content of JSImmutableButterfly.
651         This patch converts CoW arrays to writable arrays before reversing.
652
653         * runtime/ArrayPrototype.cpp:
654         (JSC::arrayProtoFuncReverse):
655         * runtime/JSObject.h:
656         (JSC::JSObject::ensureWritable):
657
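The copy-on-write bug above, reduced to a stand-alone sketch (added example, not JavaScriptCore code): two arrays share one immutable butterfly, and reversing one of them in place without first making it writable silently rewrites the other. The `Butterfly`, `ArrayObject` and `ensureWritable` names here are constructed stand-ins for the JSC types named in the entry.

```cpp
// Added example, not JavaScriptCore code: a miniature of the CoW-array bug described
// in the ChangeLog entry. Arrays created from the same literal share one immutable
// (copy-on-write) butterfly; reversing in place without first making the array
// writable corrupts every array that shares that storage.
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for JSImmutableButterfly / a writable butterfly (constructed for this example).
struct Butterfly {
    std::vector<int> elements;
    bool isImmutable; // true: shared CoW storage that must never be written to
};

// Stand-in for a JSArray holding a butterfly.
struct ArrayObject {
    std::shared_ptr<Butterfly> butterfly;

    // Stand-in for JSObject::ensureWritable(): a CoW array gets its own private,
    // writable copy of the elements before any in-place mutation.
    void ensureWritable() {
        if (!butterfly->isImmutable)
            return;
        butterfly = std::make_shared<Butterfly>(Butterfly{butterfly->elements, false});
    }
};

// Two arrays "created from the same literal": both point at one immutable butterfly.
std::pair<ArrayObject, ArrayObject> makeSiblingArrays() {
    auto shared = std::make_shared<Butterfly>(Butterfly{{1, 2, 3, 4}, true});
    return {ArrayObject{shared}, ArrayObject{shared}};
}

// Pre-fix behaviour: reverse writes straight through to the shared storage.
void reverseWithoutEnsureWritable(ArrayObject& array) {
    std::reverse(array.butterfly->elements.begin(), array.butterfly->elements.end());
}

// Post-fix behaviour: convert to a writable butterfly first, then reverse.
void reverseWithEnsureWritable(ArrayObject& array) {
    array.ensureWritable();
    std::reverse(array.butterfly->elements.begin(), array.butterfly->elements.end());
}

// Sibling's elements after reversing only the first array with the buggy routine.
std::vector<int> siblingAfterBuggyReverse() {
    auto arrays = makeSiblingArrays();
    reverseWithoutEnsureWritable(arrays.first);
    return arrays.second.butterfly->elements; // {4, 3, 2, 1}: the sibling was corrupted
}

// Sibling's elements after reversing only the first array with the fixed routine.
std::vector<int> siblingAfterFixedReverse() {
    auto arrays = makeSiblingArrays();
    reverseWithEnsureWritable(arrays.first);
    return arrays.second.butterfly->elements; // {1, 2, 3, 4}: the sibling is untouched
}

// The reversed array itself still observes the reversed order after the fix.
std::vector<int> reversedAfterFixedReverse() {
    auto arrays = makeSiblingArrays();
    reverseWithEnsureWritable(arrays.first);
    return arrays.first.butterfly->elements; // {4, 3, 2, 1}
}
```
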
658 2018-08-24  Michael Saboff  <msaboff@apple.com>
659
660         YARR: Update UCS canonicalization tables for Unicode 11
661         https://bugs.webkit.org/show_bug.cgi?id=188928
662
663         Reviewed by Mark Lam.
664
665         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
666
667         This passes JavaScriptCore and test262 tests.
668
669         * yarr/YarrCanonicalizeUCS2.cpp:
670         * yarr/YarrCanonicalizeUCS2.js:
671         (printHeader):
672
673 2018-08-24  Michael Saboff  <msaboff@apple.com>
674
675         YARR: JIT RegExps with non-greedy parenthesized sub patterns
676         https://bugs.webkit.org/show_bug.cgi?id=180876
677
678         Reviewed by Filip Pizlo.
679
680         Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
681         For the matching code, the greedy path was correct except that we don't try matching for the
682         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
683         first / next match when we backtrack.  The backtracking code needs to check to see if we have
684         tried the first match or if we can do another match.
685
686         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
687         count.  Did other minor cleanup as well.
688
689         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
690
691         Updated the text in some comments, both for this change as well as accuracy for existing code.
692
693         * yarr/YarrJIT.cpp:
694         (JSC::Yarr::YarrGenerator::generate):
695         (JSC::Yarr::YarrGenerator::backtrack):
696         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
697         (JSC::Yarr::YarrGenerator::compile):
698         (JSC::Yarr::dumpCompileFailure):
699         (JSC::Yarr::jitCompile):
700         * yarr/YarrJIT.h:
701         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
702         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
703
704 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
705
706         Add support for dumping GC heap snapshots, and a viewer
707         https://bugs.webkit.org/show_bug.cgi?id=186416
708
709         Reviewed by Joseph Pecoraro.
710
711         Make a way to dump information about the GC heap that is useful for looking for leaked
712         or abandoned objects. This dump is obtained (on Apple platforms) via:
713             notifyutil -p com.apple.WebKit.dumpGCHeap
714         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
715         
716         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
717         the snapshot JSON that adds additional data about objects and why they are GC roots.
718
719         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
720         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
721         objects visited via opaque roots, we record the reason why via a new out param to
722         isReachableFromOpaqueRoots().
723
724         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
725         additional information including the address of the JSCell* and the wrapped object (for
726         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
727         be the document URL.
728
729         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
730
731         * API/JSAPIWrapperObject.mm:
732         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
733         * API/JSManagedValue.mm:
734         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
735         * API/glib/JSAPIWrapperObjectGLib.cpp:
736         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
737         * CMakeLists.txt:
738         * heap/ConservativeRoots.h:
739         (JSC::ConservativeRoots::size const):
740         (JSC::ConservativeRoots::size): Deleted.
741         * heap/Heap.cpp:
742         (JSC::Heap::addCoreConstraints):
743         * heap/HeapSnapshotBuilder.cpp:
744         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
745         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
746         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
747         (JSC::HeapSnapshotBuilder::buildSnapshot):
748         (JSC::HeapSnapshotBuilder::appendNode):
749         (JSC::HeapSnapshotBuilder::appendEdge):
750         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
751         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
752         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
753         (JSC::snapshotTypeToString):
754         (JSC::rootTypeToString):
755         (JSC::HeapSnapshotBuilder::setLabelForCell):
756         (JSC::HeapSnapshotBuilder::descriptionForCell const):
757         (JSC::HeapSnapshotBuilder::json):
758         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
759         * heap/HeapSnapshotBuilder.h:
760         * heap/SlotVisitor.cpp:
761         (JSC::SlotVisitor::appendSlow):
762         * heap/SlotVisitor.h:
763         (JSC::SlotVisitor::heapSnapshotBuilder const):
764         (JSC::SlotVisitor::rootMarkReason const):
765         (JSC::SlotVisitor::setRootMarkReason):
766         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
767         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
768         * heap/WeakBlock.cpp:
769         (JSC::WeakBlock::specializedVisit):
770         * heap/WeakHandleOwner.cpp:
771         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
772         * heap/WeakHandleOwner.h:
773         * runtime/SimpleTypedArrayController.cpp:
774         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
775         * runtime/SimpleTypedArrayController.h:
776         * tools/JSDollarVM.cpp:
777
778 2018-08-23  Saam barati  <sbarati@apple.com>
779
780         JSRunLoopTimer may run part of a member function after it's destroyed
781         https://bugs.webkit.org/show_bug.cgi?id=188426
782
783         Reviewed by Mark Lam.
784
785         When I was reading the JSRunLoopTimer code, I noticed that it is possible
786         to end up running timer code after the class had been destroyed.
787         
788         The issue I spotted was in this function:
789         ```
790         void JSRunLoopTimer::timerDidFire()
791         {
792             JSLock* apiLock = m_apiLock.get();
793             if (!apiLock) {
794                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
795                 return;
796             }
797             // HERE
798             std::lock_guard<JSLock> lock(*apiLock);
799             RefPtr<VM> vm = apiLock->vm();
800             if (!vm) {
801                 // The VM has been destroyed, so we should just give up.
802                 return;
803             }
804         
805             doWork();
806         }
807         ```
808         
809         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
810         switched before grabbing the API lock. Then, some other thread destroys the VM.
811         And let's say that the VM owns (perhaps transitively) this timer. Then, the
812         timer would run code and access member variables after it was destroyed.
813         
814         This patch fixes this issue by introducing a new timer manager class. 
815         This class manages timers on a per VM basis. When a timer is scheduled,
816         this class refs the timer. It also calls the timer callback while actively
817         maintaining a +1 ref to it. So, it's no longer possible to call the timer
818         callback after the timer has been destroyed. However, calling a timer callback
819         can still race with the VM being destroyed. We continue to detect this case and
820         bail out of the callback early.
821         
822         This patch also removes a lot of duplicate code between GCActivityCallback
823         and JSRunLoopTimer.
824
825         * heap/EdenGCActivityCallback.cpp:
826         (JSC::EdenGCActivityCallback::doCollection):
827         (JSC::EdenGCActivityCallback::lastGCLength):
828         (JSC::EdenGCActivityCallback::deathRate):
829         * heap/EdenGCActivityCallback.h:
830         * heap/FullGCActivityCallback.cpp:
831         (JSC::FullGCActivityCallback::doCollection):
832         (JSC::FullGCActivityCallback::lastGCLength):
833         (JSC::FullGCActivityCallback::deathRate):
834         * heap/FullGCActivityCallback.h:
835         * heap/GCActivityCallback.cpp:
836         (JSC::GCActivityCallback::doWork):
837         (JSC::GCActivityCallback::scheduleTimer):
838         (JSC::GCActivityCallback::didAllocate):
839         (JSC::GCActivityCallback::willCollect):
840         (JSC::GCActivityCallback::cancel):
841         (JSC::GCActivityCallback::cancelTimer): Deleted.
842         (JSC::GCActivityCallback::nextFireTime): Deleted.
843         * heap/GCActivityCallback.h:
844         * heap/Heap.cpp:
845         (JSC::Heap::reportAbandonedObjectGraph):
846         (JSC::Heap::notifyIncrementalSweeper):
847         (JSC::Heap::updateAllocationLimits):
848         (JSC::Heap::didAllocate):
849         * heap/IncrementalSweeper.cpp:
850         (JSC::IncrementalSweeper::scheduleTimer):
851         (JSC::IncrementalSweeper::doWork):
852         (JSC::IncrementalSweeper::doSweep):
853         (JSC::IncrementalSweeper::sweepNextBlock):
854         (JSC::IncrementalSweeper::startSweeping):
855         (JSC::IncrementalSweeper::stopSweeping):
856         * heap/IncrementalSweeper.h:
857         * heap/StopIfNecessaryTimer.cpp:
858         (JSC::StopIfNecessaryTimer::doWork):
859         (JSC::StopIfNecessaryTimer::scheduleSoon):
860         * heap/StopIfNecessaryTimer.h:
861         * runtime/JSRunLoopTimer.cpp:
862         (JSC::epochTime):
863         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
864         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
865         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
866         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
867         (JSC::JSRunLoopTimer::Manager::timerDidFire):
868         (JSC::JSRunLoopTimer::Manager::shared):
869         (JSC::JSRunLoopTimer::Manager::registerVM):
870         (JSC::JSRunLoopTimer::Manager::unregisterVM):
871         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
872         (JSC::JSRunLoopTimer::Manager::cancelTimer):
873         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
874         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
875         (JSC::JSRunLoopTimer::timerDidFire):
876         (JSC::JSRunLoopTimer::JSRunLoopTimer):
877         (JSC::JSRunLoopTimer::timeUntilFire):
878         (JSC::JSRunLoopTimer::setTimeUntilFire):
879         (JSC::JSRunLoopTimer::cancelTimer):
880         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
881         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
882         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
883         * runtime/JSRunLoopTimer.h:
884         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
885         * runtime/PromiseDeferredTimer.cpp:
886         (JSC::PromiseDeferredTimer::doWork):
887         (JSC::PromiseDeferredTimer::runRunLoop):
888         (JSC::PromiseDeferredTimer::addPendingPromise):
889         (JSC::PromiseDeferredTimer::hasPendingPromise):
890         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
891         (JSC::PromiseDeferredTimer::cancelPendingPromise):
892         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
893         * runtime/PromiseDeferredTimer.h:
894         * runtime/VM.cpp:
895         (JSC::VM::VM):
896         (JSC::VM::~VM):
897         (JSC::VM::setRunLoop):
898         (JSC::VM::registerRunLoopTimer): Deleted.
899         (JSC::VM::unregisterRunLoopTimer): Deleted.
900         * runtime/VM.h:
901         (JSC::VM::runLoop const):
902         * wasm/js/WebAssemblyPrototype.cpp:
903         (JSC::webAssemblyModuleValidateAsyncInternal):
904         (JSC::instantiate):
905         (JSC::compileAndInstantiate):
906         (JSC::webAssemblyModuleInstantinateAsyncInternal):
907         (JSC::webAssemblyCompileStreamingInternal):
908         (JSC::webAssemblyInstantiateStreamingInternal):
909
910 2018-08-23  Mark Lam  <mark.lam@apple.com>
911
912         Move vmEntryGlobalObject() to VM from CallFrame.
913         https://bugs.webkit.org/show_bug.cgi?id=188900
914         <rdar://problem/43655753>
915
916         Reviewed by Michael Saboff.
917
918         Also introduced CallFrame::isGlobalExec() which makes use of one property of
919         GlobalExecs to identify them, i.e., GlobalExecs have null callerFrame and returnPCs.
920         CallFrame::initGlobalExec() ensures this.
921
922         In contrast, normal CallFrames always have a callerFrame (because they must at
923         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
924         VM entry glue).
925
926         * API/APIUtils.h:
927         (handleExceptionIfNeeded):
928         (setException):
929         * API/JSBase.cpp:
930         (JSEvaluateScript):
931         (JSCheckScriptSyntax):
932         * API/JSContextRef.cpp:
933         (JSGlobalContextRetain):
934         (JSGlobalContextRelease):
935         (JSGlobalContextCopyName):
936         (JSGlobalContextSetName):
937         (JSGlobalContextGetRemoteInspectionEnabled):
938         (JSGlobalContextSetRemoteInspectionEnabled):
939         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
940         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
941         (JSGlobalContextGetDebuggerRunLoop):
942         (JSGlobalContextSetDebuggerRunLoop):
943         (JSGlobalContextGetAugmentableInspectorController):
944         * API/JSValue.mm:
945         (reportExceptionToInspector):
946         * API/glib/JSCClass.cpp:
947         (jscContextForObject):
948         * API/glib/JSCContext.cpp:
949         (jsc_context_evaluate_in_object):
950         * debugger/Debugger.cpp:
951         (JSC::Debugger::pauseIfNeeded):
952         * debugger/DebuggerCallFrame.cpp:
953         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
954         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
955         * interpreter/CallFrame.cpp:
956         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
957         * interpreter/CallFrame.h:
958         (JSC::ExecState::scope const):
959         (JSC::ExecState::noCaller):
960         (JSC::ExecState::isGlobalExec const):
961         * interpreter/Interpreter.cpp:
962         (JSC::notifyDebuggerOfUnwinding):
963         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
964         (JSC::Interpreter::debug):
965         * runtime/CallData.cpp:
966         (JSC::profiledCall):
967         * runtime/Completion.cpp:
968         (JSC::evaluate):
969         (JSC::profiledEvaluate):
970         (JSC::evaluateWithScopeExtension):
971         (JSC::loadAndEvaluateModule):
972         (JSC::loadModule):
973         (JSC::linkAndEvaluateModule):
974         (JSC::importModule):
975         * runtime/ConstructData.cpp:
976         (JSC::profiledConstruct):
977         * runtime/Error.cpp:
978         (JSC::getStackTrace):
979         * runtime/VM.cpp:
980         (JSC::VM::throwException):
981         (JSC::VM::vmEntryGlobalObject const):
982         * runtime/VM.h:
983
984 2018-08-23  Andy Estes  <aestes@apple.com>
985
986         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
987         https://bugs.webkit.org/show_bug.cgi?id=188829
988
989         Reviewed by Tim Horton.
990
991         * Configurations/FeatureDefines.xcconfig:
992
993 2018-08-23  Devin Rousso  <drousso@apple.com>
994
995         Web Inspector: support breakpoints for timers and animation-frame events
996         https://bugs.webkit.org/show_bug.cgi?id=188778
997
998         Reviewed by Brian Burg.
999
1000         * inspector/protocol/Debugger.json:
1001         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
1002
1003         * inspector/protocol/DOMDebugger.json:
1004         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
1005          - `setEventListenerBreakpoint`
1006          - `removeEventListenerBreakpoint`
1007          - `setInstrumentationBreakpoint`
1008          - `removeInstrumentationBreakpoint`
1009         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
1010
1011         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1012         (CppProtocolTypesHeaderGenerator.generate_output):
1013         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
1014         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
1015         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
1016         Generate `DefaultHash` for all `enum class` used by inspector protocols.
1017
1018         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1019         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1020         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1021         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1022         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1023         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1024         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1025
1026 2018-08-23  Michael Saboff  <msaboff@apple.com>
1027
1028         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
1029         https://bugs.webkit.org/show_bug.cgi?id=188895
1030
1031         Reviewed by Mark Lam.
1032
1033         Found while working on another change.  This will allow processing of nested
1034         parentheses that require saved ParenContext structures.
1035
1036         * yarr/YarrJIT.cpp:
1037         (JSC::Yarr::YarrGenerator::compile):
1038
1039 2018-08-22  Michael Saboff  <msaboff@apple.com>
1040
1041         https://bugs.webkit.org/show_bug.cgi?id=188859
1042         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1043
1044         Rubber-stamped by Saam Barati.
1045
1046         Deleted these two functions.
1047
1048         * jit/JITOperations.cpp:
1049         * jit/JITOperations.h:
1050
1051 2018-08-22  Mark Lam  <mark.lam@apple.com>
1052
1053         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1054         https://bugs.webkit.org/show_bug.cgi?id=188298
1055         <rdar://problem/42888427>
1056
1057         Reviewed by Saam Barati.
1058
1059         In the event that both targets of a Branch are the same block, then even if we'll
1060         always take one path of the branch, the other target is not unreachable because
1061         it is the same target as the one in the taken path.  Hence, it should not be
1062         jettisoned.
1063
1064         * JavaScriptCore.xcodeproj/project.pbxproj:
1065         - Added DFGCFG.h which is in use and should have been added to the project.
1066         * dfg/DFGCFGSimplificationPhase.cpp:
1067         (JSC::DFG::CFGSimplificationPhase::run):
1068
1069 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1070
1071         [JSC] HeapUtil should care about pointer overflow
1072         https://bugs.webkit.org/show_bug.cgi?id=188740
1073
1074         Reviewed by Saam Barati.
1075
1076         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if a pointer overflows.
1077         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1078         with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan.
1079
1080         * heap/HeapUtil.h:
1081         (JSC::HeapUtil::findGCObjectPointersForMarking):
1082
1083 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1084
1085         [JSC] Should not rotate constant with 64
1086         https://bugs.webkit.org/show_bug.cgi?id=188556
1087
1088         Reviewed by Saam Barati.
1089
1090         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1091         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1092         where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits
1093         the seed to the range [1, 63] so as not to generate code causing UBs. This is found by UBSan.
1094
1095         * assembler/MacroAssembler.h:
1096         (JSC::MacroAssembler::generateRotationSeed):
1097         (JSC::MacroAssembler::rotationBlindConstant):
1098
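Constant blinding with a rotation seed, as an added example rather than the MacroAssembler's own code: the seed generator is restricted to [1, 63], and the rotate helpers are only valid in that range because a shift by 64 on a `uint64_t` is undefined behaviour and a rotation by 0 would leave the constant unblinded. The rotate-left-to-blind, rotate-right-to-unblind direction and the helper names are assumptions.

```cpp
// Added example, not JavaScriptCore code: constant blinding with a rotation seed,
// sketched to show why the seed must lie in [1, 63]. Shifting a uint64_t by 64 is
// undefined behaviour, and rotating by 0 would emit the constant unchanged (no
// blinding at all). The direction of rotation used here is an assumption.
#include <cstdint>
#include <random>

static const unsigned kWordBits = 64;

// Fixed seed generator: uniformly in [1, 63], never 0 and never 64.
unsigned generateRotationSeed(std::mt19937_64& rng) {
    return 1 + static_cast<unsigned>(rng() % (kWordBits - 1));
}

// Both helpers require 1 <= seed <= 63 so that neither shift amount reaches 64.
uint64_t rotateLeft64(uint64_t value, unsigned seed) {
    return (value << seed) | (value >> (kWordBits - seed));
}
uint64_t rotateRight64(uint64_t value, unsigned seed) {
    return (value >> seed) | (value << (kWordBits - seed));
}

// The value the JIT would embed as an immediate instead of the raw constant.
uint64_t rotationBlindConstant(uint64_t value, unsigned seed) {
    return rotateLeft64(value, seed);
}

// The rotate instruction emitted right after it recovers the original at run time.
uint64_t unblindConstant(uint64_t blinded, unsigned seed) {
    return rotateRight64(blinded, seed);
}

// Deterministic check (fixed RNG seed) that the generator never yields 0 or 64.
bool seedAlwaysInRange(unsigned iterations) {
    std::mt19937_64 rng(12345);
    for (unsigned i = 0; i < iterations; ++i) {
        unsigned seed = generateRotationSeed(rng);
        if (seed < 1 || seed > kWordBits - 1)
            return false;
    }
    return true;
}

// Blinding followed by unblinding must be the identity for every legal seed.
bool blindingRoundTripsForEverySeed(uint64_t value) {
    for (unsigned seed = 1; seed < kWordBits; ++seed) {
        if (unblindConstant(rotationBlindConstant(value, seed), seed) != value)
            return false;
    }
    return true;
}

// For a constant with no rotational symmetry, every legal seed changes its bit pattern,
// so the raw constant never appears as an immediate in the emitted code.
bool blindedDiffersForEverySeed(uint64_t value) {
    for (unsigned seed = 1; seed < kWordBits; ++seed) {
        if (rotationBlindConstant(value, seed) == value)
            return false;
    }
    return true;
}
```
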
1099 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1100
1101         Unreviewed, rolling out r235107.
1102         https://bugs.webkit.org/show_bug.cgi?id=188832
1103
1104         "It revealed bugs in Blob code as well as regressed JS
1105         performance tests" (Requested by saamyjoon on #webkit).
1106
1107         Reverted changeset:
1108
1109         "JSRunLoopTimer may run part of a member function after it's
1110         destroyed"
1111         https://bugs.webkit.org/show_bug.cgi?id=188426
1112         https://trac.webkit.org/changeset/235107
1113
1114 2018-08-21  Saam barati  <sbarati@apple.com>
1115
1116         JSRunLoopTimer may run part of a member function after it's destroyed
1117         https://bugs.webkit.org/show_bug.cgi?id=188426
1118
1119         Reviewed by Mark Lam.
1120
1121         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1122         to end up running timer code after the class had been destroyed.
1123         
1124         The issue I spotted was in this function:
1125         ```
1126         void JSRunLoopTimer::timerDidFire()
1127         {
1128             JSLock* apiLock = m_apiLock.get();
1129             if (!apiLock) {
1130                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1131                 return;
1132             }
1133             // HERE
1134             std::lock_guard<JSLock> lock(*apiLock);
1135             RefPtr<VM> vm = apiLock->vm();
1136             if (!vm) {
1137                 // The VM has been destroyed, so we should just give up.
1138                 return;
1139             }
1140         
1141             doWork();
1142         }
1143         ```
1144         
1145         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1146         switched before grabbing the API lock. Then, some other thread destroys the VM.
1147         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1148         timer would run code and access member variables after it was destroyed.
1149         
1150         This patch fixes this issue by introducing a new timer manager class. 
1151         This class manages timers on a per VM basis. When a timer is scheduled,
1152         this class refs the timer. It also calls the timer callback while actively
1153         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1154         callback after the timer has been destroyed. However, calling a timer callback
1155         can still race with the VM being destroyed. We continue to detect this case and
1156         bail out of the callback early.
1157         
1158         This patch also removes a lot of duplicate code between GCActivityCallback
1159         and JSRunLoopTimer.
1160
1161         * heap/EdenGCActivityCallback.cpp:
1162         (JSC::EdenGCActivityCallback::doCollection):
1163         (JSC::EdenGCActivityCallback::lastGCLength):
1164         (JSC::EdenGCActivityCallback::deathRate):
1165         * heap/EdenGCActivityCallback.h:
1166         * heap/FullGCActivityCallback.cpp:
1167         (JSC::FullGCActivityCallback::doCollection):
1168         (JSC::FullGCActivityCallback::lastGCLength):
1169         (JSC::FullGCActivityCallback::deathRate):
1170         * heap/FullGCActivityCallback.h:
1171         * heap/GCActivityCallback.cpp:
1172         (JSC::GCActivityCallback::doWork):
1173         (JSC::GCActivityCallback::scheduleTimer):
1174         (JSC::GCActivityCallback::didAllocate):
1175         (JSC::GCActivityCallback::willCollect):
1176         (JSC::GCActivityCallback::cancel):
1177         (JSC::GCActivityCallback::cancelTimer): Deleted.
1178         (JSC::GCActivityCallback::nextFireTime): Deleted.
1179         * heap/GCActivityCallback.h:
1180         * heap/Heap.cpp:
1181         (JSC::Heap::reportAbandonedObjectGraph):
1182         (JSC::Heap::notifyIncrementalSweeper):
1183         (JSC::Heap::updateAllocationLimits):
1184         (JSC::Heap::didAllocate):
1185         * heap/IncrementalSweeper.cpp:
1186         (JSC::IncrementalSweeper::scheduleTimer):
1187         (JSC::IncrementalSweeper::doWork):
1188         (JSC::IncrementalSweeper::doSweep):
1189         (JSC::IncrementalSweeper::sweepNextBlock):
1190         (JSC::IncrementalSweeper::startSweeping):
1191         (JSC::IncrementalSweeper::stopSweeping):
1192         * heap/IncrementalSweeper.h:
1193         * heap/StopIfNecessaryTimer.cpp:
1194         (JSC::StopIfNecessaryTimer::doWork):
1195         (JSC::StopIfNecessaryTimer::scheduleSoon):
1196         * heap/StopIfNecessaryTimer.h:
1197         * runtime/JSRunLoopTimer.cpp:
1198         (JSC::epochTime):
1199         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1200         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1201         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1202         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1203         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1204         (JSC::JSRunLoopTimer::Manager::shared):
1205         (JSC::JSRunLoopTimer::Manager::registerVM):
1206         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1207         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1208         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1209         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1210         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1211         (JSC::JSRunLoopTimer::timerDidFire):
1212         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1213         (JSC::JSRunLoopTimer::timeUntilFire):
1214         (JSC::JSRunLoopTimer::setTimeUntilFire):
1215         (JSC::JSRunLoopTimer::cancelTimer):
1216         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1217         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1218         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1219         * runtime/JSRunLoopTimer.h:
1220         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1221         * runtime/PromiseDeferredTimer.cpp:
1222         (JSC::PromiseDeferredTimer::doWork):
1223         (JSC::PromiseDeferredTimer::runRunLoop):
1224         (JSC::PromiseDeferredTimer::addPendingPromise):
1225         (JSC::PromiseDeferredTimer::hasPendingPromise):
1226         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1227         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1228         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1229         * runtime/PromiseDeferredTimer.h:
1230         * runtime/VM.cpp:
1231         (JSC::VM::VM):
1232         (JSC::VM::~VM):
1233         (JSC::VM::setRunLoop):
1234         (JSC::VM::registerRunLoopTimer): Deleted.
1235         (JSC::VM::unregisterRunLoopTimer): Deleted.
1236         * runtime/VM.h:
1237         (JSC::VM::runLoop const):
1238         * wasm/js/WebAssemblyPrototype.cpp:
1239         (JSC::webAssemblyModuleValidateAsyncInternal):
1240         (JSC::instantiate):
1241         (JSC::compileAndInstantiate):
1242         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1243         (JSC::webAssemblyCompileStreamingInternal):
1244         (JSC::webAssemblyInstantiateStreamingInternal):
1245
1246 2018-08-20  Saam barati  <sbarati@apple.com>
1247
1248         Inline DataView accesses into DFG/FTL
1249         https://bugs.webkit.org/show_bug.cgi?id=188573
1250         <rdar://problem/43286746>
1251
1252         Reviewed by Michael Saboff.
1253
1254         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1255         straightforward. We inline the various get*/set* operations as intrinsics.
1256         
1257         This patch takes the most obvious approach for now. We OSR exit when:
1258         - An isLittleEndian argument is provided, and is not a boolean.
1259         - The index isn't an integer.
1260         - The |this| isn't a DataView.
1261         - We do an OOB access (or see a neutered array)
1262         
1263         To implement this change in a performant way, this patch teaches the macro
1264         assembler how to emit byte swap operations. The semantics of the added functions
1265         are byteSwap + zero extend. This means for the 16-bit byte swaps, we need
1266         to actually emit zero extend instructions. For the 32/64-bit byte swaps,
1267         the instructions already have these semantics.
1268         
1269         This patch is just a lightweight initial implementation. There are some easy
1270         extensions we can do in future changes:
1271         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1272         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1273
1274         * assembler/MacroAssemblerARM64.h:
1275         (JSC::MacroAssemblerARM64::byteSwap16):
1276         (JSC::MacroAssemblerARM64::byteSwap32):
1277         (JSC::MacroAssemblerARM64::byteSwap64):
1278         * assembler/MacroAssemblerX86Common.h:
1279         (JSC::MacroAssemblerX86Common::byteSwap32):
1280         (JSC::MacroAssemblerX86Common::byteSwap16):
1281         (JSC::MacroAssemblerX86Common::byteSwap64):
1282         * assembler/X86Assembler.h:
1283         (JSC::X86Assembler::bswapl_r):
1284         (JSC::X86Assembler::bswapq_r):
1285         (JSC::X86Assembler::shiftInstruction16):
1286         (JSC::X86Assembler::rolw_i8r):
1287         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1288         * assembler/testmasm.cpp:
1289         (JSC::testByteSwap):
1290         (JSC::run):
1291         * bytecode/DataFormat.h:
1292         * bytecode/SpeculatedType.cpp:
1293         (JSC::dumpSpeculation):
1294         (JSC::speculationFromClassInfo):
1295         (JSC::speculationFromJSType):
1296         (JSC::speculationFromString):
1297         * bytecode/SpeculatedType.h:
1298         * dfg/DFGAbstractInterpreterInlines.h:
1299         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1300         * dfg/DFGByteCodeParser.cpp:
1301         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1302         * dfg/DFGClobberize.h:
1303         (JSC::DFG::clobberize):
1304         * dfg/DFGDoesGC.cpp:
1305         (JSC::DFG::doesGC):
1306         * dfg/DFGFixupPhase.cpp:
1307         (JSC::DFG::FixupPhase::fixupNode):
1308         * dfg/DFGNode.h:
1309         (JSC::DFG::Node::hasHeapPrediction):
1310         (JSC::DFG::Node::dataViewData):
1311         * dfg/DFGNodeType.h:
1312         * dfg/DFGPredictionPropagationPhase.cpp:
1313         * dfg/DFGSafeToExecute.h:
1314         (JSC::DFG::SafeToExecuteEdge::operator()):
1315         (JSC::DFG::safeToExecute):
1316         * dfg/DFGSpeculativeJIT.cpp:
1317         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1318         (JSC::DFG::SpeculativeJIT::speculate):
1319         * dfg/DFGSpeculativeJIT.h:
1320         * dfg/DFGSpeculativeJIT32_64.cpp:
1321         (JSC::DFG::SpeculativeJIT::compile):
1322         * dfg/DFGSpeculativeJIT64.cpp:
1323         (JSC::DFG::SpeculativeJIT::compile):
1324         * dfg/DFGUseKind.cpp:
1325         (WTF::printInternal):
1326         * dfg/DFGUseKind.h:
1327         (JSC::DFG::typeFilterFor):
1328         (JSC::DFG::isCell):
1329         * ftl/FTLCapabilities.cpp:
1330         (JSC::FTL::canCompile):
1331         * ftl/FTLLowerDFGToB3.cpp:
1332         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1333         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1334         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1335         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1336         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1337         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1338         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1339         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1340         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1341         * runtime/Intrinsic.cpp:
1342         (JSC::intrinsicName):
1343         * runtime/Intrinsic.h:
1344         * runtime/JSDataViewPrototype.cpp:
1345
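        As an added illustration of the byte-swap and bounds-check semantics this entry describes (example code written for this page, not JavaScriptCore's own; byteSwap16/32/64, rotateLowHalfOnly, getUint16/getUint32 and sampleBytes are assumed stand-in names, the sample bytes are constructed, and a detached buffer is modelled as an empty one):

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Stand-ins for the byteSwap16/32/64 helpers the entry describes (names assumed,
// bodies are plain C++ rather than JSC's assembler code). Each returns the swapped
// value zero-extended to the full width of the register it lives in.
inline uint32_t byteSwap16(uint32_t value)
{
    // Only the low 16 bits are input; bits 16..31 of the result are always clear.
    return ((value & 0x00FFu) << 8) | ((value >> 8) & 0x00FFu);
}

// What a bare 16-bit rotate (x86 `rolw $8` on the low half of a 32-bit register)
// leaves behind: the low half is swapped but bits 16..31 keep their old contents.
// This is why the 16-bit case needs an explicit zero-extension afterwards, while
// the 32/64-bit bswap instructions already write the whole register.
inline uint32_t rotateLowHalfOnly(uint32_t value)
{
    return (value & 0xFFFF0000u) | byteSwap16(value);
}

inline uint32_t byteSwap32(uint32_t value)
{
    return ((value & 0x000000FFu) << 24) | ((value & 0x0000FF00u) << 8)
         | ((value & 0x00FF0000u) >> 8) | ((value & 0xFF000000u) >> 24);
}

inline uint64_t byteSwap64(uint64_t value)
{
    return (static_cast<uint64_t>(byteSwap32(static_cast<uint32_t>(value))) << 32)
         | byteSwap32(static_cast<uint32_t>(value >> 32));
}

// Host byte order, decided at run time so the example is portable.
inline bool hostIsLittleEndian()
{
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// Result of a DataView-style read. ok == false marks the cases where the inlined
// fast path would OSR exit: an out-of-bounds access, or a detached (neutered)
// buffer, which this demo models as an empty buffer.
struct ReadResult {
    bool ok;
    uint32_t value;
};

inline ReadResult getUint16(const std::vector<uint8_t>& buffer, size_t byteOffset, bool littleEndian)
{
    if (buffer.size() < 2 || byteOffset > buffer.size() - 2)
        return { false, 0 };
    uint16_t raw;
    std::memcpy(&raw, buffer.data() + byteOffset, 2); // host-order load of the two bytes
    uint32_t value = raw;                              // zero-extended into a 32-bit "register"
    if (littleEndian != hostIsLittleEndian())
        value = byteSwap16(value);                     // swap only when the requested order differs
    return { true, value };
}

inline ReadResult getUint32(const std::vector<uint8_t>& buffer, size_t byteOffset, bool littleEndian)
{
    if (buffer.size() < 4 || byteOffset > buffer.size() - 4)
        return { false, 0 };
    uint32_t value;
    std::memcpy(&value, buffer.data() + byteOffset, 4);
    if (littleEndian != hostIsLittleEndian())
        value = byteSwap32(value);
    return { true, value };
}

// Constructed sample buffer: the bytes 12 34 56 78.
inline std::vector<uint8_t> sampleBytes()
{
    return { 0x12, 0x34, 0x56, 0x78 };
}
```

        Comparing rotateLowHalfOnly against byteSwap16 shows why a 16-bit swap has to be followed by a zero extension while the 32- and 64-bit swaps do not. The ok flag covers exactly the out-of-bounds and detached-buffer cases on which the entry says the inlined code must exit to the slow path.
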
1346 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1347
1348         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1349         https://bugs.webkit.org/show_bug.cgi?id=181989
1350
1351         Reviewed by Michael Saboff.
1352
1353         This patch extends bulk matching style for fixed-sized characters.
1354         In 64bit environment, the GPR can hold up to 8 characters. This change
1355         reduces the code size since we can fuse multiple `mov` operations into one.
1356
1357         * assembler/LinkBuffer.h:
1358         * runtime/Options.h:
1359         * yarr/YarrJIT.cpp:
1360         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1361         (JSC::Yarr::YarrGenerator::compile):
1362
1363 2018-08-20  Devin Rousso  <drousso@apple.com>
1364
1365         Web Inspector: allow breakpoints to be set for specific event listeners
1366         https://bugs.webkit.org/show_bug.cgi?id=183138
1367
1368         Reviewed by Joseph Pecoraro.
1369
1370         * inspector/protocol/DOM.json:
1371         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1372         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1373         should have a breakpoint and pause before running.
1374
1375 2018-08-20  Mark Lam  <mark.lam@apple.com>
1376
1377         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1378         https://bugs.webkit.org/show_bug.cgi?id=188769
1379
1380         Reviewed by Michael Saboff.
1381
1382         * llint/LowLevelInterpreter.asm:
1383         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1384           so that libunwind doesn't get confused by the 2 labels pointing to the same
1385           code address.
1386
1387 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1388
1389         [GLIB] Add API to throw exceptions using printf formatted strings
1390         https://bugs.webkit.org/show_bug.cgi?id=188698
1391
1392         Reviewed by Michael Catanzaro.
1393
1394         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1395         JSCException using printf formatted string.
1396
1397         * API/glib/JSCContext.cpp:
1398         (jsc_context_throw_printf):
1399         (jsc_context_throw_with_name_printf):
1400         * API/glib/JSCContext.h:
1401         * API/glib/JSCException.cpp:
1402         (jsc_exception_new_printf):
1403         (jsc_exception_new_vprintf):
1404         (jsc_exception_new_with_name_printf):
1405         (jsc_exception_new_with_name_vprintf):
1406         * API/glib/JSCException.h:
1407         * API/glib/docs/jsc-glib-4.0-sections.txt:
1408
1409 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1410
1411         [GLIB] Complete the JSCException API
1412         https://bugs.webkit.org/show_bug.cgi?id=188695
1413
1414         Reviewed by Michael Catanzaro.
1415
1416         Add more API to JSCException:
1417          - New function to get the column number
1418          - New function to get the exception as a string (toString())
1419          - Add the possibility to create exceptions with a custom error name.
1420          - New function to get the exception error name
1421          - New function to get the exception backtrace.
1422          - New convenience function to report an exception by returning a formatted string with all the exception
1423            details, to be shown as a user error message.
1424
1425         * API/glib/JSCContext.cpp:
1426         (jsc_context_throw_with_name):
1427         * API/glib/JSCContext.h:
1428         * API/glib/JSCException.cpp:
1429         (jscExceptionEnsureProperties):
1430         (jsc_exception_new):
1431         (jsc_exception_new_with_name):
1432         (jsc_exception_get_name):
1433         (jsc_exception_get_column_number):
1434         (jsc_exception_get_back_trace_string):
1435         (jsc_exception_to_string):
1436         (jsc_exception_report):
1437         * API/glib/JSCException.h:
1438         * API/glib/docs/jsc-glib-4.0-sections.txt:
1439
1440 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1441
1442         Unreviewed, rolling out r234852.
1443         https://bugs.webkit.org/show_bug.cgi?id=188736
1444
1445         Workaround is not correct (Requested by yusukesuzuki on
1446         #webkit).
1447
1448         Reverted changeset:
1449
1450         "[JSC] Should not rotate constant with 64"
1451         https://bugs.webkit.org/show_bug.cgi?id=188556
1452         https://trac.webkit.org/changeset/234852
1453
1454 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1455
1456         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1457         https://bugs.webkit.org/show_bug.cgi?id=188716
1458
1459         Reviewed by Darin Adler.
1460
1461         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1462         The compiler can emit appropriate mov operations in x86 even if we use these
1463         helper functions.
1464
1465         * assembler/AssemblerBuffer.h:
1466         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1467         (JSC::AssemblerBuffer::putIntegral):
1468         (JSC::AssemblerBuffer::putIntegralUnchecked):
1469         * assembler/MacroAssemblerX86.h:
1470         (JSC::MacroAssemblerX86::readCallTarget):
1471         * assembler/X86Assembler.h:
1472         (JSC::X86Assembler::linkJump):
1473         (JSC::X86Assembler::readPointer):
1474         (JSC::X86Assembler::replaceWithHlt):
1475         (JSC::X86Assembler::replaceWithJump):
1476         (JSC::X86Assembler::setPointer):
1477         (JSC::X86Assembler::setInt32):
1478         (JSC::X86Assembler::setInt8):
1479         * interpreter/InterpreterInlines.h:
1480         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
1481
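        An added example (written for this page, not WTF's own code) of the memcpy-based unaligned access pattern this entry refers to. unalignedLoad/unalignedStore here are stand-ins with assumed signatures, and the five-byte opcode-plus-immediate buffer is constructed for the demo to mirror the misaligned embedded values mentioned above:

```cpp
#include <cstdint>
#include <cstring>
#include <type_traits>
#include <vector>

// Stand-ins for WTF::unalignedLoad / WTF::unalignedStore (names and signatures
// assumed, not copied from WTF). A fixed-size memcpy is the portable, well-defined
// way to touch memory that may not be aligned for T; x86 compilers lower it to a
// single mov, so there is no runtime cost compared with the UB-prone pointer cast.
template<typename T>
T unalignedLoad(const void* pointer)
{
    static_assert(std::is_trivially_copyable<T>::value, "unalignedLoad requires a trivially copyable type");
    T value;
    std::memcpy(&value, pointer, sizeof(T));
    return value;
}

template<typename T>
void unalignedStore(void* pointer, T value)
{
    static_assert(std::is_trivially_copyable<T>::value, "unalignedStore requires a trivially copyable type");
    std::memcpy(pointer, &value, sizeof(T));
}

// Constructed sample: one opcode byte followed by a 32-bit immediate. The immediate
// sits at offset 1, which is never 4-byte aligned, so reading it through
// `*reinterpret_cast<const uint32_t*>(buffer + 1)` would be the misaligned access
// that UBSan flags.
inline std::vector<uint8_t> encodeOpcodeWithImm32(uint8_t opcode, uint32_t immediate)
{
    std::vector<uint8_t> buffer(1 + sizeof(uint32_t), 0);
    buffer[0] = opcode;
    unalignedStore<uint32_t>(buffer.data() + 1, immediate);
    return buffer;
}

inline uint32_t readImm32(const std::vector<uint8_t>& buffer)
{
    return unalignedLoad<uint32_t>(buffer.data() + 1);
}

// Patching an immediate in place, the way a linker-style setInt32 helper does.
inline void patchImm32(std::vector<uint8_t>& buffer, uint32_t newImmediate)
{
    unalignedStore<uint32_t>(buffer.data() + 1, newImmediate);
}

// Encode with `first`, patch to `second`, and read back what is now in the buffer.
inline uint32_t roundTripAfterPatch(uint32_t first, uint32_t second)
{
    std::vector<uint8_t> buffer = encodeOpcodeWithImm32(0xE8, first);
    patchImm32(buffer, second);
    return readImm32(buffer);
}
```

        The store and load go through memcpy only, so the example is free of alignment assumptions on every target; the round trip works whatever the host byte order because the same helper writes and reads the value.
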
1482 2018-08-17  Saam barati  <sbarati@apple.com>
1483
1484         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1485         https://bugs.webkit.org/show_bug.cgi?id=188707
1486         <rdar://problem/43015442>
1487
1488         Reviewed by Mark Lam.
1489
1490         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1491         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1492         that each incoming value is compatible with its corresponding AbstractValue.
1493         
1494         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1495         with abstract values that were clobbered. This meant that the value we're
1496         verifying with at OSR entry effectively has an infinite structure set because
1497         it's clobbered. So, imagine we have code like this:
1498         ```
1499         ---> We OSR enter here, and we're clobbered here
1500         InvalidationPoint
1501         GetByOffset(@base)
1502         ```
1503         
1504         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1505         clobbered structure set, so we'd allow an incoming object with any
1506         structure. However, this is wrong because the invalidation point is no
1507         longer fulfilling its promise that it filters the structure that @base has.
1508         
1509         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1510         as if the incoming value may be live past an InvalidationPoint.
1511         This places a stricter requirement that to safely OSR enter at any basic
1512         block, all incoming values must be compatible as if they lived past
1513         the execution of an invalidation point.
1514
1515         * dfg/DFGCFAPhase.cpp:
1516         (JSC::DFG::CFAPhase::run):
1517
1518 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1519
1520         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1521         https://bugs.webkit.org/show_bug.cgi?id=188589
1522
1523         Reviewed by Mark Lam.
1524         And reviewed by Yusuke Suzuki for Hironori's change.
1525
1526         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1527         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1528
1529         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1530         - We make GPRReg and FPRReg int8_t enums.
1531         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1532         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1533           if `enum : int8_t` is used instead of `enum`.
1534
1535         * assembler/ARM64Assembler.h:
1536         * assembler/ARMAssembler.h:
1537         * assembler/ARMv7Assembler.h:
1538         * assembler/MIPSAssembler.h:
1539         * assembler/MacroAssembler.h:
1540         * assembler/X86Assembler.h:
1541         * jit/CCallHelpers.h:
1542         (JSC::CCallHelpers::clampArrayToSize):
1543         * jit/FPRInfo.h:
1544         * jit/GPRInfo.h:
1545         (JSC::JSValueRegs::JSValueRegs):
1546         (JSC::JSValueRegs::tagGPR const):
1547         (JSC::JSValueRegs::payloadGPR const):
1548         (JSC::JSValueSource::JSValueSource):
1549         (JSC::JSValueSource::unboxedCell):
1550         (JSC::JSValueSource::operator bool const):
1551         (JSC::JSValueSource::base const):
1552         (JSC::JSValueSource::tagGPR const):
1553         (JSC::JSValueSource::payloadGPR const):
1554         (JSC::JSValueSource::hasKnownTag const):
1555
1556 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1557
1558         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1559         https://bugs.webkit.org/show_bug.cgi?id=188686
1560
1561         Reviewed by Saam Barati.
1562
1563         RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
1564         for `alignof` for RegisterState.
1565
1566         * heap/RegisterState.h:
1567
1568 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1569
1570         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1571         https://bugs.webkit.org/show_bug.cgi?id=188571
1572
1573         Reviewed by Saam Barati.
1574
1575         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1576         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1577         without considering their alignment. This patch adds DisjunctionContext::allocationSize
1578         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1579         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1580         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1581         than or equal to `sizeof(void*)` by `static_assert`.
1582
1583         * yarr/YarrInterpreter.cpp:
1584         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1585         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1586         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1587         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1588         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1589         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1590         (JSC::Yarr::Interpreter::Interpreter):
1591         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
1592
1593 2018-08-15  Keith Miller  <keith_miller@apple.com>
1594
1595         Remove evernote hacks
1596         https://bugs.webkit.org/show_bug.cgi?id=188591
1597
1598         Reviewed by Joseph Pecoraro.
1599
1600         The hack was added in 2012 and the Evernote app seems to work now.
1601         It's probably not needed anymore.
1602
1603         * API/JSValueRef.cpp:
1604         (JSValueUnprotect):
1605         (evernoteHackNeeded): Deleted.
1606
1607 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
1608
1609         Unreviewed, rolling out r234874 and r234876.
1610
1611         WinCairo port can't compile
1612
1613         Reverted changesets:
1614
1615         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
1616         https://bugs.webkit.org/show_bug.cgi?id=188589
1617         https://trac.webkit.org/changeset/234874
1618
1619         "Unreviewed, attempt to fix CLoop build"
1620         https://bugs.webkit.org/show_bug.cgi?id=188589
1621         https://trac.webkit.org/changeset/234876
1622
1623 2018-08-14  Saam barati  <sbarati@apple.com>
1624
1625         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
1626         https://bugs.webkit.org/show_bug.cgi?id=188582
1627
1628         Reviewed by Sam Weinig.
1629
1630         * runtime/SparseArrayValueMap.h:
1631
1632 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1633
1634         Unreviewed, attempt to fix CLoop build
1635         https://bugs.webkit.org/show_bug.cgi?id=188589
1636
1637         * assembler/MacroAssembler.h:
1638
1639 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1640
1641         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1642         https://bugs.webkit.org/show_bug.cgi?id=188589
1643
1644         Reviewed by Mark Lam.
1645
1646         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1647         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1648
1649         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1650         2. We make GPRReg and FPRReg int8_t enums.
1651         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1652
1653         * assembler/ARM64Assembler.h:
1654         * assembler/ARMAssembler.h:
1655         * assembler/ARMv7Assembler.h:
1656         * assembler/MIPSAssembler.h:
1657         * assembler/X86Assembler.h:
1658         * jit/FPRInfo.h:
1659         * jit/GPRInfo.h:
1660         (JSC::JSValueRegs::JSValueRegs):
1661         (JSC::JSValueRegs::tagGPR const):
1662         (JSC::JSValueRegs::payloadGPR const):
1663         (JSC::JSValueSource::JSValueSource):
1664         (JSC::JSValueSource::unboxedCell):
1665         (JSC::JSValueSource::operator bool const):
1666         (JSC::JSValueSource::base const):
1667         (JSC::JSValueSource::tagGPR const):
1668         (JSC::JSValueSource::payloadGPR const):
1669         (JSC::JSValueSource::hasKnownTag const):
1670
1671 2018-08-14  Keith Miller  <keith_miller@apple.com>
1672
1673         Add missing availability macro.
1674         https://bugs.webkit.org/show_bug.cgi?id=188563
1675
1676         Reviewed by Mark Lam.
1677
1678         * API/JSValueRef.h:
1679
1680 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1681
1682         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
1683         https://bugs.webkit.org/show_bug.cgi?id=188560
1684
1685         Reviewed by Keith Miller.
1686
1687         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
1688         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
1689         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
1690         `m_wasSeenInJIT { false }`.
1691
1692         * bytecode/GetByIdStatus.h:
1693
1694 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1695
1696         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
1697         https://bugs.webkit.org/show_bug.cgi?id=188557
1698
1699         Reviewed by Mark Lam.
1700
1701         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
1702         processing for ArithRound etc.'s invariants requires loading `m_pass`. This issue was
1703         found by UBSan.
1704
1705         * dfg/DFGPredictionPropagationPhase.cpp:
1706
1707 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1708
1709         [JSC] Should not rotate constant with 64
1710         https://bugs.webkit.org/show_bug.cgi?id=188556
1711
1712         Reviewed by Mark Lam.
1713
1714         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1715         But if a seed becomes 64, the following code performs `value << 64` where value's type
1716         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed to the
1717         range [0, 64) so that it does not generate code causing UBs. This is found by UBSan.
1718
1719         * assembler/MacroAssembler.h:
1720         (JSC::MacroAssembler::generateRotationSeed):
1721         (JSC::MacroAssembler::rotationBlindConstant):
1722
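        Added example, not JSC's code: rotation-based constant blinding with the seed restricted to [0, 64) as this entry describes. rotateRight64/rotateLeft64, generateRotationSeed, rotationBlindConstant, BlindedConstant, unblind and the two checking helpers are assumed names written for this page; JSC's functions of the same name are not reproduced here.

```cpp
#include <cstdint>
#include <random>

// Rotation helpers that are well defined for every count in [0, 64). Masking the
// count and returning early for 0 means neither shift ever uses an amount of 64,
// which would be undefined behaviour for a 64-bit operand (the defect above).
inline uint64_t rotateRight64(uint64_t value, unsigned count)
{
    count &= 63;
    if (!count)
        return value;
    return (value >> count) | (value << (64 - count));
}

inline uint64_t rotateLeft64(uint64_t value, unsigned count)
{
    count &= 63;
    if (!count)
        return value;
    return (value << count) | (value >> (64 - count));
}

// Stand-in seed generator: the fix in the entry is that the seed must lie in
// [0, 64), never 64 itself. Note that uniform_int_distribution's bounds are inclusive.
inline unsigned generateRotationSeed(std::mt19937_64& rng)
{
    return std::uniform_int_distribution<unsigned>(0, 63)(rng);
}

inline bool isValidRotationSeed(unsigned seed)
{
    return seed < 64;
}

// A blinded constant: what gets embedded in the generated code is `rotated`, and
// the emitted code un-rotates it at run time, so the original bit pattern never
// appears verbatim in executable memory.
struct BlindedConstant {
    uint64_t rotated;
    unsigned seed;
};

inline BlindedConstant rotationBlindConstant(uint64_t constant, unsigned seed)
{
    return { rotateRight64(constant, seed), seed };
}

inline uint64_t unblind(const BlindedConstant& blinded)
{
    return rotateLeft64(blinded.rotated, blinded.seed);
}

// Property every seed in range must satisfy: blinding is invertible.
inline bool blindingRoundTripsForAllSeeds(uint64_t constant)
{
    for (unsigned seed = 0; seed < 64; ++seed) {
        if (unblind(rotationBlindConstant(constant, seed)) != constant)
            return false;
    }
    return true;
}

// Property the seed generator must satisfy: it never yields 64 (fixed RNG seed for reproducibility).
inline bool seedsAlwaysInRange(unsigned iterations)
{
    std::mt19937_64 rng(0x5EEDu);
    for (unsigned i = 0; i < iterations; ++i) {
        if (!isValidRotationSeed(generateRotationSeed(rng)))
            return false;
    }
    return true;
}
```

        The two property checks are the ones worth keeping as regression tests once a UB finding like this is fixed: every seed the generator can produce must be accepted by the rotation helpers, and blinding followed by un-rotation must return the original constant for all of them.
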
1723 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1724
1725         Disable JIT on IA-32 without SSE2
1726         https://bugs.webkit.org/show_bug.cgi?id=188476
1727
1728         Reviewed by Michael Catanzaro.
1729
1730         Include the missing header (MacroAssembler.h) on operating systems
1731         other than Windows too.
1732
1733         * runtime/Options.cpp:
1734
1735 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1736
1737         Disable JIT on IA-32 without SSE2
1738         https://bugs.webkit.org/show_bug.cgi?id=188476
1739
1740         Reviewed by Yusuke Suzuki.
1741
1742         On IA-32 CPUs without SSE2 most of the webpages cannot load
1743         if the JIT is turned on.
1744
1745         * runtime/Options.cpp:
1746         (JSC::recomputeDependentOptions):
1747
1748 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
1749
1750         Web Inspector: console.log fires getters for deep properties
1751         https://bugs.webkit.org/show_bug.cgi?id=187542
1752         <rdar://problem/42873158>
1753
1754         Reviewed by Saam Barati.
1755
1756         * inspector/InjectedScriptSource.js:
1757         (RemoteObject.prototype._isPreviewableObject):
1758         Avoid getters/setters when checking for simple properties to preview.
1759         Here we avoid invoking `object[property]` if it could be a user getter.
1760
1761 2018-08-10  Keith Miller  <keith_miller@apple.com>
1762
1763         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
1764         https://bugs.webkit.org/show_bug.cgi?id=185127
1765
1766         Reviewed by Saam Barati.
1767
1768         Previously, we would truncate the indices passed to slice to an
1769         int. This meant that the value was not getting properly clamped
1770         later.
1771
1772         This patch also removes a non-spec compliant check that slice was
1773         passed at least one argument.
1774
1775         * runtime/ArrayBuffer.cpp:
1776         (JSC::ArrayBuffer::clampValue):
1777         (JSC::ArrayBuffer::clampIndex const):
1778         (JSC::ArrayBuffer::slice const):
1779         * runtime/ArrayBuffer.h:
1780         (JSC::ArrayBuffer::clampValue): Deleted.
1781         (JSC::ArrayBuffer::clampIndex const): Deleted.
1782         * runtime/JSArrayBufferPrototype.cpp:
1783         (JSC::arrayBufferProtoFuncSlice):
1784
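        Added example, not JSC's code: the clamp-in-double-precision approach this entry describes, beside a reconstruction of the truncate-to-int-first defect. clampIndex, sliceLength and sliceLengthTruncatingFirst are assumed names, and the 16-byte buffer length is a constructed input.

```cpp
#include <algorithm>
#include <cmath>
#include <cstddef>
#include <cstdint>

// Spec-style index clamp for ArrayBuffer.prototype.slice (assumed names, not JSC's):
// integer-convert in double precision, resolve negative offsets against the length,
// and only then narrow to size_t. Every step stays in a range where the final
// conversion is defined, so values such as 2^32 or 1e300 simply clamp to the length.
inline size_t clampIndex(double value, size_t byteLength)
{
    const double length = static_cast<double>(byteLength);
    if (std::isnan(value))
        value = 0;                                   // ToInteger(NaN) is 0
    value = std::trunc(value);                       // +/-Infinity survive trunc unchanged
    if (value < 0)
        value = std::max(length + value, 0.0);       // length + (-Infinity) clamps to 0
    else
        value = std::min(value, length);
    return static_cast<size_t>(value);               // now within [0, byteLength]
}

// Length of the slice [begin, end) of a buffer holding byteLength bytes.
inline size_t sliceLength(double begin, double end, size_t byteLength)
{
    size_t first = clampIndex(begin, byteLength);
    size_t last = clampIndex(end, byteLength);
    return last > first ? last - first : 0;
}

// The defect the entry describes, reconstructed: narrow to a 32-bit int *before*
// clamping. Any value whose low 32 bits are zero (such as 2^32) becomes 0, and the
// slice comes out empty. The narrowing goes through uint32_t so it is modular and
// defined; NaN, infinities and huge magnitudes are pinned first purely to keep the
// double-to-int64 conversion defined in this demo.
inline size_t sliceLengthTruncatingFirst(double begin, double end, size_t byteLength)
{
    auto truncateToInt32 = [](double v) -> int64_t {
        if (std::isnan(v))
            v = 0;
        v = std::trunc(v);
        if (v > 9.0e18)
            v = 9.0e18;
        if (v < -9.0e18)
            v = -9.0e18;
        uint32_t low32 = static_cast<uint32_t>(static_cast<int64_t>(v)); // keep the low 32 bits
        return static_cast<int32_t>(low32);                               // reinterpret as signed
    };
    auto clamp = [byteLength](int64_t v) -> size_t {
        const int64_t length = static_cast<int64_t>(byteLength);
        if (v < 0)
            v = std::max<int64_t>(length + v, 0);
        else
            v = std::min<int64_t>(v, length);
        return static_cast<size_t>(v);
    };
    size_t first = clamp(truncateToInt32(begin));
    size_t last = clamp(truncateToInt32(end));
    return last > first ? last - first : 0;
}
```

        For small, ordinary arguments both versions agree; the difference only shows for arguments outside the 32-bit range, which is why the bug title speaks of "a long number". The general lesson for any index-taking API is to clamp in the widest type the input can arrive in and narrow last.
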
1785 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1786
1787         Date.UTC should not return NaN with only Year param
1788         https://bugs.webkit.org/show_bug.cgi?id=188378
1789
1790         Reviewed by Keith Miller.
1791
1792         Date.UTC requires one argument for |year|. But the other ones are optional.
1793         This patch fixes this handling.
1794
1795         * runtime/DateConstructor.cpp:
1796         (JSC::millisecondsFromComponents):
1797
1798 2018-08-08  Keith Miller  <keith_miller@apple.com>
1799
1800         Array.prototype.sort should call @toLength instead of ">>> 0"
1801         https://bugs.webkit.org/show_bug.cgi?id=188430
1802
1803         Reviewed by Saam Barati.
1804
1805         Also add a new function to $vm that will fetch a private
1806         property. This can be useful for running builtin helper functions.
1807
1808         * builtins/ArrayPrototype.js:
1809         (sort):
1810         * tools/JSDollarVM.cpp:
1811         (JSC::functionGetPrivateProperty):
1812         (JSC::JSDollarVM::finishCreation):
1813
1814 2018-08-08  Keith Miller  <keith_miller@apple.com>
1815
1816         Array.prototype.sort should throw TypeError if param is a not callable object
1817         https://bugs.webkit.org/show_bug.cgi?id=188382
1818
1819         Reviewed by Saam Barati.
1820
1821         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
1822         before doing anything else.
1823
1824         Also, refactor the various helper functions to use let instead of var.
1825
1826         * builtins/ArrayPrototype.js:
1827         (sort.stringComparator):
1828         (sort.compactSparse):
1829         (sort.compactSlow):
1830         (sort.compact):
1831         (sort.merge):
1832         (sort.mergeSort):
1833         (sort.bucketSort):
1834         (sort.comparatorSort):
1835         (sort.stringSort):
1836         (sort):
1837
1838 2018-08-08  Michael Saboff  <msaboff@apple.com>
1839
1840         Yarr JIT should include annotations with dumpDisassembly=true
1841         https://bugs.webkit.org/show_bug.cgi?id=188415
1842
1843         Reviewed by Yusuke Suzuki.
1844
1845         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
1846         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
1847         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
1848         needs to do the same thing.
1849
1850         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
1851         out simple methods for what was needed by the YarrDisassembler.
1852
1853         Here is an abbreviated sample of the output after this change.
1854
1855         Generated JIT code for 8-bit regular expression /ab*c/:
1856             Code at [0x469561c03720, 0x469561c03840):
1857                 0x469561c03720: push %rbp
1858                 0x469561c03721: mov %rsp, %rbp
1859                 ...
1860                 0x469561c03762: sub $0x40, %rsp
1861              == Matching ==
1862            0:OpBodyAlternativeBegin minimum size 2
1863                 0x469561c03766: add $0x2, %esi
1864                 0x469561c03769: cmp %edx, %esi
1865                 0x469561c0376b: ja 0x469561c037fa
1866            1:OpTerm TypePatternCharacter 'a'
1867                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
1868                 0x469561c03776: cmp $0x61, %eax
1869                 0x469561c03779: jnz 0x469561c037e9
1870            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1871                 0x469561c0377f: xor %r9d, %r9d
1872                 0x469561c03782: cmp %edx, %esi
1873                 0x469561c03784: jz 0x469561c037a2
1874                 ...
1875                 0x469561c0379d: jmp 0x469561c03782
1876                 0x469561c037a2: mov %r9, 0x8(%rsp)
1877            3:OpTerm TypePatternCharacter 'c'
1878                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
1879                 0x469561c037ac: cmp $0x63, %eax
1880                 0x469561c037af: jnz 0x469561c037d1
1881            4:OpBodyAlternativeEnd
1882                 0x469561c037b5: add $0x40, %rsp
1883                 ...
1884                 0x469561c037cf: pop %rbp
1885                 0x469561c037d0: ret
1886              == Backtracking ==
1887            4:OpBodyAlternativeEnd
1888            3:OpTerm TypePatternCharacter 'c'
1889            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1890                 0x469561c037d1: mov 0x8(%rsp), %r9
1891                 ...
1892                 0x469561c037e4: jmp 0x469561c037a2
1893            1:OpTerm TypePatternCharacter 'a'
1894            0:OpBodyAlternativeBegin minimum size 2
1895                 0x469561c037e9: mov %rsi, %rax
1896                 ...
1897                 0x469561c0382f: pop %rbp
1898                 0x469561c03830: ret
1899
1900         * JavaScriptCore.xcodeproj/project.pbxproj:
1901         * Sources.txt:
1902         * runtime/RegExp.cpp:
1903         (JSC::RegExp::compile):
1904         (JSC::RegExp::compileMatchOnly):
1905         * yarr/YarrDisassembler.cpp: Added.
1906         (JSC::Yarr::YarrDisassembler::indentString):
1907         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
1908         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
1909         (JSC::Yarr::YarrDisassembler::dump):
1910         (JSC::Yarr::YarrDisassembler::dumpHeader):
1911         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
1912         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
1913         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
1914         * yarr/YarrDisassembler.h: Added.
1915         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
1916         (JSC::Yarr::YarrDisassembler::setStartOfCode):
1917         (JSC::Yarr::YarrDisassembler::setForGenerate):
1918         (JSC::Yarr::YarrDisassembler::setForBacktrack):
1919         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
1920         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
1921         (JSC::Yarr::YarrDisassembler::setEndOfCode):
1922         (JSC::Yarr::YarrDisassembler::indentString):
1923         * yarr/YarrJIT.cpp:
1924         (JSC::Yarr::YarrGenerator::generate):
1925         (JSC::Yarr::YarrGenerator::backtrack):
1926         (JSC::Yarr::YarrGenerator::YarrGenerator):
1927         (JSC::Yarr::YarrGenerator::compile):
1928         (JSC::Yarr::jitCompile):
1929         * yarr/YarrJIT.h:
1930         * yarr/YarrPattern.cpp:
1931         (JSC::Yarr::dumpCharacterClass):
1932         (JSC::Yarr::PatternTerm::dump):
1933         (JSC::Yarr::YarrPattern::dumpPatternString):
1934         (JSC::Yarr::YarrPattern::dumpPattern):
1935         * yarr/YarrPattern.h:
1936
1937 2018-08-05  Darin Adler  <darin@apple.com>
1938
1939         [Cocoa] More tweaks and refactoring to prepare for ARC
1940         https://bugs.webkit.org/show_bug.cgi?id=188245
1941
1942         Reviewed by Dan Bernstein.
1943
1944         * API/JSValue.mm: Use __unsafe_unretained.
1945         (JSContainerConvertor::convert): Use auto for compatibility with the above.
1946         * API/JSWrapperMap.mm:
1947         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
1948         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
1949
1950         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
1951
1952 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1953
1954         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
1955         https://bugs.webkit.org/show_bug.cgi?id=188328
1956
1957         Reviewed by Saam Barati.
1958
1959         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
1960         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
1961         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
1962         as a member field.
1963
        This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
        PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
        are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
        To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
        folds a pointer and a 1-byte type into 64-bit data.

        This change shrinks PropertyCondition from 24 bytes to 16 bytes.
1971
1972         * bytecode/PropertyCondition.cpp:
1973         (JSC::PropertyCondition::dumpInContext const):
1974         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1975         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1976         (JSC::PropertyCondition::isStillValid const):
1977         (JSC::PropertyCondition::isWatchableWhenValid const):
1978         * bytecode/PropertyCondition.h:
1979         (JSC::PropertyCondition::PropertyCondition):
1980         (JSC::PropertyCondition::presenceWithoutBarrier):
1981         (JSC::PropertyCondition::absenceWithoutBarrier):
1982         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1983         (JSC::PropertyCondition::equivalenceWithoutBarrier):
1984         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1985         (JSC::PropertyCondition::operator bool const):
1986         (JSC::PropertyCondition::kind const):
1987         (JSC::PropertyCondition::uid const):
1988         (JSC::PropertyCondition::hasOffset const):
1989         (JSC::PropertyCondition::hasAttributes const):
1990         (JSC::PropertyCondition::hasPrototype const):
1991         (JSC::PropertyCondition::hasRequiredValue const):
1992         (JSC::PropertyCondition::hash const):
1993         (JSC::PropertyCondition::operator== const):
1994         (JSC::PropertyCondition::isHashTableDeletedValue const):
1995         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
1996
1997 2018-08-07  Mark Lam  <mark.lam@apple.com>
1998
1999         Use a more specific PtrTag for PlatformRegisters PC and LR.
2000         https://bugs.webkit.org/show_bug.cgi?id=188366
2001         <rdar://problem/42984123>
2002
2003         Reviewed by Keith Miller.
2004
2005         Also fixed a bug in linkRegister(), which was previously returning the PC instead
2006         of LR.  It now returns LR.
2007
2008         * runtime/JSCPtrTag.h:
2009         * runtime/MachineContext.h:
2010         (JSC::MachineContext::instructionPointer):
2011         (JSC::MachineContext::linkRegister):
2012         * runtime/VMTraps.cpp:
2013         (JSC::SignalContext::SignalContext):
2014         * tools/SigillCrashAnalyzer.cpp:
2015         (JSC::SignalContext::SignalContext):
2016
2017 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2018
2019         Hardcoded LFENCE instruction
2020         https://bugs.webkit.org/show_bug.cgi?id=188145
2021
2022         Reviewed by Filip Pizlo.
2023
        Remove the lfence instruction because it crashes systems without SSE2 and
        this is not how WebKit mitigates Spectre.
2026
2027         * runtime/JSLock.cpp:
2028         (JSC::JSLock::didAcquireLock):
2029         (JSC::JSLock::willReleaseLock):
2030
2031 2018-08-04  David Kilzer  <ddkilzer@apple.com>
2032
2033         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
2034         <https://webkit.org/b/188331>
2035
2036         Reviewed by Yusuke Suzuki.
2037
2038         * runtime/TemplateObjectDescriptor.h:
2039         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
2040         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
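
        The bug shape in this entry, as an added example that is not WebKit's
        TemplateObjectDescriptor code: a hypothetical BuggyDescriptor moves its parameter into a
        member and then hashes the moved-from parameter, next to a FixedDescriptor that hashes the
        member. The hasher, class names and sample inputs are assumptions. The consequence a
        practitioner cares about is that every buggy descriptor ends up with the hash of an empty
        list, so unrelated descriptors collide; hashIsConsistent() is the check that catches it.

```cpp
// Added example, not WebKit code: the use-after-move shape behind the entry
// above, next to the fixed version. Class and helper names are hypothetical.
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// FNV-1a over a list of strings; stands in for the real hasher.
inline uint32_t hashStrings(const std::vector<std::string>& strings)
{
    uint32_t h = 2166136261u;
    for (const std::string& s : strings) {
        for (unsigned char c : s) {
            h ^= c;
            h *= 16777619u;
        }
        h ^= 0xffu; // terminator so {"ab"} and {"a","b"} hash differently
        h *= 16777619u;
    }
    return h;
}

// Bug: m_rawStrings is initialised first (declaration order), which moves the
// buffer out of the parameter; m_hash is then computed from the moved-from
// parameter. With libstdc++, libc++ and MSVC a moved-from vector is empty, so
// every descriptor gets the hash of an empty list and all of them collide.
class BuggyDescriptor {
public:
    explicit BuggyDescriptor(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(rawStrings)) // use-after-move
    { }
    const std::vector<std::string>& rawStrings() const { return m_rawStrings; }
    uint32_t hash() const { return m_hash; }
private:
    std::vector<std::string> m_rawStrings;
    uint32_t m_hash;
};

// Fix: hash the member that now owns the data.
class FixedDescriptor {
public:
    explicit FixedDescriptor(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(m_rawStrings))
    { }
    const std::vector<std::string>& rawStrings() const { return m_rawStrings; }
    uint32_t hash() const { return m_hash; }
private:
    std::vector<std::string> m_rawStrings;
    uint32_t m_hash;
};

// Check that works against either class: the stored hash must match a fresh
// hash of the stored strings.
template <typename Descriptor>
bool hashIsConsistent(const Descriptor& d)
{
    return d.hash() == hashStrings(d.rawStrings());
}

// Constructed sample inputs (template-literal raw strings).
inline std::vector<std::string> sampleA() { return { "Hello, ", "!" }; }
inline std::vector<std::string> sampleB() { return { "<p>", "</p>" }; }

int main()
{
    bool fixedOk = hashIsConsistent(FixedDescriptor(sampleA()));
    bool buggyBroken = !hashIsConsistent(BuggyDescriptor(sampleA()));
    return (fixedOk && buggyBroken) ? 0 : 1;
}
```

        The compiler accepts both classes without complaint; only a use-after-move checker
        (clang-tidy's bugprone-use-after-move) or a consistency check like the one above flags the
        first.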
2041
2042 2018-08-03  Saam Barati  <sbarati@apple.com>
2043
2044         Give the `jsc` shell the JIT entitlement
2045         https://bugs.webkit.org/show_bug.cgi?id=188324
2046         <rdar://problem/42885806>
2047
2048         Reviewed by Dan Bernstein.
2049
2050         This should help us in ensuring the system jsc is able to JIT.
2051
2052         * Configurations/JSC.xcconfig:
2053         * JavaScriptCore.xcodeproj/project.pbxproj:
2054         * allow-jit-macOS.entitlements: Added.
2055
2056 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2057
2058         Fix spelling of "overridden"
2059         https://bugs.webkit.org/show_bug.cgi?id=188315
2060
2061         Reviewed by Darin Adler.
2062
2063         * API/JSExport.h:
2064         * inspector/InjectedScriptSource.js:
2065
2066 2018-08-02  Saam Barati  <sbarati@apple.com>
2067
2068         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2069         https://bugs.webkit.org/show_bug.cgi?id=188271
2070         <rdar://problem/42850884>
2071
2072         Reviewed by Michael Saboff.
2073
2074         This patch defends against the instructionPointer containing garbage bits.
2075         See radar for details.
2076
2077         * runtime/MachineContext.h:
2078         (JSC::MachineContext::instructionPointer):
2079         * runtime/SamplingProfiler.cpp:
2080         (JSC::SamplingProfiler::takeSample):
2081         * runtime/VMTraps.cpp:
2082         (JSC::SignalContext::SignalContext):
2083         (JSC::SignalContext::tryCreate):
2084         * tools/CodeProfiling.cpp:
2085         (JSC::profilingTimer):
2086         * tools/SigillCrashAnalyzer.cpp:
2087         (JSC::SignalContext::SignalContext):
2088         (JSC::SignalContext::tryCreate):
2089         (JSC::SignalContext::dump):
2090         (JSC::installCrashHandler):
2091         * wasm/WasmFaultSignalHandler.cpp:
2092         (JSC::Wasm::trapHandler):
2093
2094 2018-08-02  David Fenton  <david_fenton@apple.com>
2095
2096         Unreviewed, rolling out r234489.
2097
2098         Caused 50+ crashes and 60+ API failures on iOS
2099
2100         Reverted changeset:
2101
2102         "[WTF] Rename String::format to String::deprecatedFormat"
2103         https://bugs.webkit.org/show_bug.cgi?id=188191
2104         https://trac.webkit.org/changeset/234489
2105
2106 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2107
2108         Add self.queueMicrotask(f) on DOMWindow
2109         https://bugs.webkit.org/show_bug.cgi?id=188212
2110
2111         Reviewed by Ryosuke Niwa.
2112
2113         * CMakeLists.txt:
2114         * JavaScriptCore.xcodeproj/project.pbxproj:
2115         * Sources.txt:
2116         * runtime/JSGlobalObject.cpp:
2117         (JSC::enqueueJob):
2118         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2119         (JSC::createJSMicrotask):
2120         Export them to WebCore.
2121
2122         (JSC::JSMicrotask::run):
2123         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2124         Add another version of JSMicrotask which does not have arguments.
2125
2126 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2127
2128         [WTF] Rename String::format to String::deprecatedFormat
2129         https://bugs.webkit.org/show_bug.cgi?id=188191
2130
2131         Reviewed by Darin Adler.
2132
2133         It should be replaced with string concatenation.
2134
2135         * bytecode/CodeBlock.cpp:
2136         (JSC::CodeBlock::nameForRegister):
2137         * inspector/InjectedScriptBase.cpp:
2138         (Inspector::InjectedScriptBase::makeCall):
2139         * inspector/InspectorBackendDispatcher.cpp:
2140         (Inspector::BackendDispatcher::getPropertyValue):
2141         * inspector/agents/InspectorConsoleAgent.cpp:
2142         (Inspector::InspectorConsoleAgent::enable):
2143         (Inspector::InspectorConsoleAgent::stopTiming):
2144         * jsc.cpp:
2145         (FunctionJSCStackFunctor::operator() const):
2146         * parser/Lexer.cpp:
2147         (JSC::Lexer<T>::invalidCharacterMessage const):
2148         * runtime/IntlDateTimeFormat.cpp:
2149         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2150         * runtime/IntlObject.cpp:
2151         (JSC::canonicalizeLocaleList):
2152         * runtime/LiteralParser.cpp:
2153         (JSC::LiteralParser<CharType>::Lexer::lex):
2154         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2155         (JSC::LiteralParser<CharType>::parse):
2156         * runtime/LiteralParser.h:
2157         (JSC::LiteralParser::getErrorMessage):
2158
2159 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2160
2161         [INTL] Allow "unknown" formatToParts types
2162         https://bugs.webkit.org/show_bug.cgi?id=188176
2163
2164         Reviewed by Darin Adler.
2165
2166         Originally extra unexpected field types were marked as "literal", since
2167         the spec did not account for these. The ECMA 402 spec has since been updated
2168         to specify "unknown" should be used in these cases.
2169
2170         Currently there is no known way to reach these cases, so no tests can
        account for them. Theoretically they shouldn't exist, but they are specified,
2172         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2173         will make such cases easy to identify if they ever happen.
2174
2175         * runtime/IntlDateTimeFormat.cpp:
2176         (JSC::IntlDateTimeFormat::partTypeString):
2177         * runtime/IntlNumberFormat.cpp:
2178         (JSC::IntlNumberFormat::partTypeString):
2179
2180 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2181
2182         [INTL] Implement hourCycle in DateTimeFormat
2183         https://bugs.webkit.org/show_bug.cgi?id=188006
2184
2185         Reviewed by Darin Adler.
2186
2187         Implemented hourCycle, updating both the skeleton and the final pattern.
2188         Changed resolveLocale to assume undefined options are not given and null
2189         strings actually mean null, which removes the tag extension.
2190
2191         * runtime/CommonIdentifiers.h:
2192         * runtime/IntlCollator.cpp:
2193         (JSC::IntlCollator::initializeCollator):
2194         * runtime/IntlDateTimeFormat.cpp:
2195         (JSC::IntlDTFInternal::localeData):
2196         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2197         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2198         (JSC::IntlDateTimeFormat::resolvedOptions):
2199         * runtime/IntlDateTimeFormat.h:
2200         * runtime/IntlObject.cpp:
2201         (JSC::resolveLocale):
2202
2203 2018-08-01  Keith Miller  <keith_miller@apple.com>
2204
2205         JSArrayBuffer should have its own JSType
2206         https://bugs.webkit.org/show_bug.cgi?id=188231
2207
2208         Reviewed by Saam Barati.
2209
2210         * runtime/JSArrayBuffer.cpp:
2211         (JSC::JSArrayBuffer::createStructure):
2212         * runtime/JSCast.h:
2213         * runtime/JSType.h:
2214
2215 2018-07-31  Keith Miller  <keith_miller@apple.com>
2216
2217         Unreviewed 32-bit build fix...
2218
2219         * dfg/DFGSpeculativeJIT32_64.cpp:
2220
2221 2018-07-31  Keith Miller  <keith_miller@apple.com>
2222
2223         Long compiling JSC files should not be unified
2224         https://bugs.webkit.org/show_bug.cgi?id=188205
2225
2226         Reviewed by Saam Barati.
2227
2228         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2229         to compile. Unifying them means touching anything in the same
2230         bundle as those files takes a long time to incrementally build.
2231         This patch separates those files so they build standalone.
2232
2233         * JavaScriptCore.xcodeproj/project.pbxproj:
2234         * Sources.txt:
2235         * dfg/DFGSpeculativeJIT64.cpp:
2236
2237 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2238
2239         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2240         https://bugs.webkit.org/show_bug.cgi?id=188201
2241
2242         Reviewed by Keith Miller.
2243
        We do not reuse the existing butterfly with Contiguous shape for a new ArrayStorage butterfly.
        When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
        new one. So this cellLock() is unnecessary for the contiguous shape since a contiguous-shaped butterfly
        never enters a broken state. This patch removes the unnecessary locking.
2248
2249         * runtime/JSObject.cpp:
2250         (JSC::JSObject::visitButterflyImpl):
2251
2252 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2253
2254         [JSC] Remove gcc warnings for 32-bit platforms
2255         https://bugs.webkit.org/show_bug.cgi?id=187803
2256
2257         Reviewed by Yusuke Suzuki.
2258
2259         * assembler/MacroAssemblerPrinter.cpp:
2260         (JSC::Printer::printPCRegister):
2261         (JSC::Printer::printRegisterID):
2262         (JSC::Printer::printAddress):
2263         * dfg/DFGSpeculativeJIT.cpp:
2264         (JSC::DFG::SpeculativeJIT::speculateNumber):
2265         (JSC::DFG::SpeculativeJIT::speculateMisc):
2266         * jit/CCallHelpers.h:
2267         (JSC::CCallHelpers::calculatePokeOffset):
2268         * runtime/Options.cpp:
2269         (JSC::parse):
2270
2271 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2272
2273         watchOS engineering build is broken after r234227
2274         https://bugs.webkit.org/show_bug.cgi?id=188180
2275
2276         Reviewed by Keith Miller.
2277
2278         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2279         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2280         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2281         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2282
2283         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2284         entirely, since there's no relevant version to replace them with.
2285
2286         * postprocess-headers.sh:
2287
2288 2018-07-30  Keith Miller  <keith_miller@apple.com>
2289
2290         Clarify conversion rules for JSValue property access API
2291         https://bugs.webkit.org/show_bug.cgi?id=188179
2292
2293         Reviewed by Geoffrey Garen.
2294
2295         * API/JSValue.h:
2296
2297 2018-07-30  Keith Miller  <keith_miller@apple.com>
2298
2299         Rename some JSC API functions/types.
2300         https://bugs.webkit.org/show_bug.cgi?id=188173
2301
2302         Reviewed by Saam Barati.
2303
2304         * API/JSObjectRef.cpp:
2305         (JSObjectHasPropertyForKey):
2306         (JSObjectGetPropertyForKey):
2307         (JSObjectSetPropertyForKey):
2308         (JSObjectDeletePropertyForKey):
2309         (JSObjectHasPropertyKey): Deleted.
2310         (JSObjectGetPropertyKey): Deleted.
2311         (JSObjectSetPropertyKey): Deleted.
2312         (JSObjectDeletePropertyKey): Deleted.
2313         * API/JSObjectRef.h:
2314         * API/JSValue.h:
2315         * API/JSValue.mm:
2316         (-[JSValue valueForProperty:]):
2317         (-[JSValue setValue:forProperty:]):
2318         (-[JSValue deleteProperty:]):
2319         (-[JSValue hasProperty:]):
2320         (-[JSValue defineProperty:descriptor:]):
2321         * API/tests/testapi.cpp:
2322         (TestAPI::run):
2323
2324 2018-07-30  Mark Lam  <mark.lam@apple.com>
2325
2326         Add a debugging utility to dump the memory layout of a JSCell.
2327         https://bugs.webkit.org/show_bug.cgi?id=188157
2328
2329         Reviewed by Yusuke Suzuki.
2330
2331         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2332         dump the memory contents of a cell and if present, its butterfly for debugging
2333         purposes.
2334
2335         Example usage for JS code when JSC_useDollarVM=true:
2336
2337             $vm.dumpCell(obj);
2338
        Example usage from C++ code or from lldb:
2340
2341             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2342
2343         Some examples of dumps:
2344
2345             <0x104bc8260, Object>
2346               [0] 0x104bc8260 : 0x010016000000016c header
2347                 structureID 364 0x16c structure 0x104b721b0
2348                 indexingTypeAndMisc 0 0x0 NonArray
2349                 type 22 0x16
2350                 flags 0 0x0
2351                 cellState 1
2352               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2353               [2] 0x104bc8270 : 0xffff000000000007
2354               [3] 0x104bc8278 : 0xffff000000000008
2355
2356             <0x104bb4360, Array>
2357               [0] 0x104bb4360 : 0x0108210b00000171 header
2358                 structureID 369 0x171 structure 0x104b723e0
2359                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2360                 type 33 0x21
2361                 flags 8 0x8
2362                 cellState 1
2363               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2364                 base 0x8000f46e0
2365                 hasIndexingHeader YES hasAnyArrayStorage YES
2366                 publicLength 4 vectorLength 7 indexBias 2
2367                 preCapacity 2 propertyCapacity 4
2368                   <--- preCapacity
2369                   [0] 0x8000f46e0 : 0x0000000000000000
2370                   [1] 0x8000f46e8 : 0x0000000000000000
2371                   <--- propertyCapacity
2372                   [2] 0x8000f46f0 : 0x0000000000000000
2373                   [3] 0x8000f46f8 : 0x0000000000000000
2374                   [4] 0x8000f4700 : 0xffff00000000000d
2375                   [5] 0x8000f4708 : 0xffff00000000000c
2376                   <--- indexingHeader
2377                   [6] 0x8000f4710 : 0x0000000700000004
2378                   <--- butterfly
2379                   <--- arrayStorage
2380                   [7] 0x8000f4718 : 0x0000000000000000
2381                   [8] 0x8000f4720 : 0x0000000400000002
2382                   <--- indexedProperties
2383                   [9] 0x8000f4728 : 0xffff000000000008
2384                   [10] 0x8000f4730 : 0xffff000000000009
2385                   [11] 0x8000f4738 : 0xffff000000000005
2386                   [12] 0x8000f4740 : 0xffff000000000006
2387                   [13] 0x8000f4748 : 0x0000000000000000
2388                   [14] 0x8000f4750 : 0x0000000000000000
2389                   [15] 0x8000f4758 : 0x0000000000000000
2390                   <--- unallocated capacity
2391                   [16] 0x8000f4760 : 0x0000000000000000
2392                   [17] 0x8000f4768 : 0x0000000000000000
2393                   [18] 0x8000f4770 : 0x0000000000000000
2394                   [19] 0x8000f4778 : 0x0000000000000000
2395
2396         * runtime/JSObject.h:
2397         * tools/JSDollarVM.cpp:
2398         (JSC::functionDumpCell):
2399         (JSC::JSDollarVM::finishCreation):
2400         * tools/VMInspector.cpp:
2401         (JSC::VMInspector::dumpCellMemory):
2402         (JSC::IndentationScope::IndentationScope):
2403         (JSC::IndentationScope::~IndentationScope):
2404         (JSC::VMInspector::dumpCellMemoryToStream):
2405         * tools/VMInspector.h:
2406
2407 2018-07-27  Mark Lam  <mark.lam@apple.com>
2408
2409         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2410         https://bugs.webkit.org/show_bug.cgi?id=188123
2411         <rdar://problem/42672268>
2412
2413         Reviewed by Keith Miller.
2414
2415         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2416            padding space in VM and Heap, and should not cost any measurable perf to
2417            initialize and update.
2418
2419         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2420
2421            worldState tells us the value we failed the assertion on.
2422
2423            m_lastPhase, m_currentPhase, and m_nextPhase tells us the GC phase transition
2424            that led us here.
2425
2426            VM::id(), and VM::numberOfIDs() tells us how many VMs may be in play.
2427
2428            VM::isEntered() tells us if the current VM is currently executing JS code.
2429
2430            Some of this data may be redundant, but the redundancy is intentional so that
2431            we can double check what is really happening at the time of crash.
2432
2433         * heap/Heap.cpp:
2434         (JSC::asInt):
2435         (JSC::Heap::checkConn):
2436         (JSC::Heap::changePhase):
2437         * heap/Heap.h:
2438         * runtime/VM.cpp:
2439         (JSC::VM::nextID):
2440         (JSC::VM::VM):
2441         * runtime/VM.h:
2442         (JSC::VM::numberOfIDs):
2443         (JSC::VM::id const):
2444         (JSC::VM::isEntered const):
2445
2446 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2447
2448         [JSC] Record CoW status in ArrayProfile correctly
2449         https://bugs.webkit.org/show_bug.cgi?id=187949
2450
2451         Reviewed by Saam Barati.
2452
2453         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2454         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2455         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2456         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2457         Array::Generic DFG nodes.
2458
2459         * bytecode/ArrayProfile.h:
2460         (JSC::asArrayModes):
2461         (JSC::ArrayProfile::ArrayProfile):
2462         * dfg/DFGOSRExit.cpp:
2463         (JSC::DFG::OSRExit::compileExit):
2464         * ftl/FTLOSRExitCompiler.cpp:
2465         (JSC::FTL::compileStub):
2466         * runtime/IndexingType.h:
2467
2468 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2469
2470         [INTL] Remove INTL sub-feature compile flags
2471         https://bugs.webkit.org/show_bug.cgi?id=188081
2472
2473         Reviewed by Michael Catanzaro.
2474
2475         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2476         The runtime flags are still present, and should be relied on instead.
2477         The defines for ICU features have also been updated to match HAVE() style.
2478
2479         * Configurations/FeatureDefines.xcconfig:
2480         * runtime/IntlPluralRules.cpp:
2481         (JSC::IntlPluralRules::resolvedOptions):
2482         (JSC::IntlPluralRules::select):
2483         * runtime/IntlPluralRules.h:
2484         * runtime/Options.h:
2485
2486 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2487
2488         [JSC] Dump IndexingMode in Structure
2489         https://bugs.webkit.org/show_bug.cgi?id=188085
2490
2491         Reviewed by Keith Miller.
2492
2493         Dump IndexingMode instead of IndexingType.
2494
2495         * runtime/Structure.cpp:
2496         (JSC::Structure::dump const):
2497
2498 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2499
2500         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2501         https://bugs.webkit.org/show_bug.cgi?id=187963
2502
2503         Reviewed by Alex Christensen.
2504
2505         * inspector/InspectorBackendDispatcher.cpp:
2506         (Inspector::BackendDispatcher::dispatch):
2507         * jsc.cpp:
2508         (ModuleName::ModuleName):
2509         (resolvePath):
2510         * runtime/IntlObject.cpp:
2511         (JSC::canonicalizeLanguageTag):
2512         (JSC::removeUnicodeLocaleExtension):
2513         Update split/splitAllowingEmptyEntries usage.
2514
2515 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2516
2517         Unreviewed, rolling out r234181 and r234189.
2518         https://bugs.webkit.org/show_bug.cgi?id=188075
2519
2520         These are not needed right now (Requested by thorton on
2521         #webkit).
2522
2523         Reverted changesets:
2524
2525         "Enable Web Content Filtering on watchOS"
2526         https://bugs.webkit.org/show_bug.cgi?id=187979
2527         https://trac.webkit.org/changeset/234181
2528
2529         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2530         https://bugs.webkit.org/show_bug.cgi?id=187985
2531         https://trac.webkit.org/changeset/234189
2532
2533 2018-07-26  Mark Lam  <mark.lam@apple.com>
2534
2535         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2536         https://bugs.webkit.org/show_bug.cgi?id=188065
2537         <rdar://problem/42515726>
2538
2539         Reviewed by Saam Barati.
2540
2541         * runtime/ArrayPrototype.cpp:
2542         (JSC::clearElement):
2543         (JSC::copyElements):
2544         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2545
2546 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2547
2548         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2549         https://bugs.webkit.org/show_bug.cgi?id=167991
2550
2551         Reviewed by Michael Catanzaro.
2552
2553         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2554         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2555         no more cases where you might have an invalid locale come back from resolveLocale.
2556
2557         * runtime/IntlObject.cpp:
2558         (JSC::convertICULocaleToBCP47LanguageTag):
2559         (JSC::defaultLocale):
2560         (JSC::lookupMatcher):
2561         * runtime/IntlObject.h:
2562         * runtime/JSGlobalObject.cpp:
2563         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2564         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2565         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2566         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2567
2568 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2569
2570         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2571         https://bugs.webkit.org/show_bug.cgi?id=188040
2572
2573         Unreviewed build fix for AppleWin port.
2574
2575         * API/tests/testapi.c: Disabled warning C4204.
2576         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2577
2578 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2579
2580         [JSC API] We should support the symbol type in our C/Obj-C API
2581         https://bugs.webkit.org/show_bug.cgi?id=175836
2582
2583         Unreviewed build fix for Windows port.
2584
        r234227 introduced a compilation error, unresolved external symbol
        "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.
2587
2588         Windows ports are compiling testapi.c as C++ by using /TP switch.
2589
2590         * API/tests/testapi.c:
2591         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2592         (dllLauncherEntryPoint): Converted into C style.
2593         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2594
2595 2018-07-25  Keith Miller  <keith_miller@apple.com>
2596
2597         [JSC API] We should support the symbol type in our C/Obj-C API
2598         https://bugs.webkit.org/show_bug.cgi?id=175836
2599
2600         Reviewed by Filip Pizlo.
2601
2602         This patch makes the following API additions:
        1) Test if a JSValue/JSValueRef is a symbol via any of the methods by which the API is able to test for the types of other JSValues.
2604         2) Create a symbol on both APIs.
2605         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2606         4) Add Get/Set/Delete in the C API.
2607
        We can do 3 because it is both binary and source compatible with
2609         the existing API. I added (4) because the current property access
2610         APIs only have the ability to get Strings. It was possible to
2611         merge symbols into JSStringRef but that felt confusing and exposes
2612         implementation details of our engine. The new functions match the
2613         same meaning that they have in JS, thus should be forward
2614         compatible with any future language extensions.
2615
        Lastly, this patch adds the same availability preprocessing phase
2617         in WebCore to JavaScriptCore, which enables TBA features for
2618         testing on previous releases.
2619
2620         * API/APICast.h:
2621         * API/JSBasePrivate.h:
2622         * API/JSContext.h:
2623         * API/JSContextPrivate.h:
2624         * API/JSContextRef.h:
2625         * API/JSContextRefInternal.h:
2626         * API/JSContextRefPrivate.h:
2627         * API/JSManagedValue.h:
2628         * API/JSObjectRef.cpp:
2629         (JSObjectHasPropertyKey):
2630         (JSObjectGetPropertyKey):
2631         (JSObjectSetPropertyKey):
2632         (JSObjectDeletePropertyKey):
2633         * API/JSObjectRef.h:
2634         * API/JSRemoteInspector.h:
2635         * API/JSTypedArray.h:
2636         * API/JSValue.h:
2637         * API/JSValue.mm:
2638         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
2639         (performPropertyOperation):
2640         (-[JSValue valueForProperty:valueForProperty:]):
2641         (-[JSValue setValue:forProperty:setValue:forProperty:]):
2642         (-[JSValue deleteProperty:deleteProperty:]):
2643         (-[JSValue hasProperty:hasProperty:]):
2644         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
2645         (-[JSValue isSymbol]):
2646         (-[JSValue objectForKeyedSubscript:]):
2647         (-[JSValue setObject:forKeyedSubscript:]):
2648         (-[JSValue valueForProperty:]): Deleted.
2649         (-[JSValue setValue:forProperty:]): Deleted.
2650         (-[JSValue deleteProperty:]): Deleted.
2651         (-[JSValue hasProperty:]): Deleted.
2652         (-[JSValue defineProperty:descriptor:]): Deleted.
2653         * API/JSValueRef.cpp:
2654         (JSValueGetType):
2655         (JSValueIsSymbol):
2656         (JSValueMakeSymbol):
2657         * API/JSValueRef.h:
2658         * API/WebKitAvailability.h:
2659         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2660         * API/tests/CustomGlobalObjectClassTest.c:
2661         * API/tests/DateTests.mm:
2662         * API/tests/JSExportTests.mm:
2663         * API/tests/JSNode.c:
2664         * API/tests/JSNodeList.c:
2665         * API/tests/Node.c:
2666         * API/tests/NodeList.c:
2667         * API/tests/minidom.c:
2668         * API/tests/testapi.c:
2669         (main):
2670         * API/tests/testapi.cpp: Added.
2671         (APIString::APIString):
2672         (APIString::~APIString):
2673         (APIString::operator JSStringRef):
2674         (APIContext::APIContext):
2675         (APIContext::~APIContext):
2676         (APIContext::operator JSGlobalContextRef):
2677         (APIVector::APIVector):
2678         (APIVector::~APIVector):
2679         (APIVector::append):
2680         (testCAPIViaCpp):
2681         (TestAPI::evaluateScript):
2682         (TestAPI::callFunction):
2683         (TestAPI::functionReturnsTrue):
2684         (TestAPI::check):
2685         (TestAPI::checkJSAndAPIMatch):
2686         (TestAPI::interestingObjects):
2687         (TestAPI::interestingKeys):
2688         (TestAPI::run):
2689         * API/tests/testapi.mm:
2690         (testObjectiveCAPIMain):
2691         * JavaScriptCore.xcodeproj/project.pbxproj:
2692         * config.h:
2693         * postprocess-headers.sh:
2694         * shell/CMakeLists.txt:
2695         * testmem/testmem.mm:
2696
2697 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2698
2699         [INTL] Call Typed Array elements toLocaleString with locale and options
2700         https://bugs.webkit.org/show_bug.cgi?id=185796
2701
2702         Reviewed by Keith Miller.
2703
2704         Improve ECMA 402 compliance of typed array toLocaleString, passing along
2705         the locale and options to element toLocaleString calls.
2706
2707         * builtins/TypedArrayPrototype.js:
2708         (toLocaleString):
2709
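The algorithm this entry brings JSC into line with, as an added example that is not JavaScriptCore's builtin code: a self-hosted version of the ECMA-402 TypedArray.prototype.toLocaleString that forwards `locales` and `options` to each element's toLocaleString. The function names are ours.

```javascript
// Added example, not JavaScriptCore's builtin: a self-hosted version of the
// ECMA-402 TypedArray.prototype.toLocaleString algorithm. The behaviour the
// change above fixes is the forwarding of `locales` and `options` to each
// element's toLocaleString call. The function names are ours.
function typedArrayToLocaleString(typedArray, locales, options) {
  // ValidateTypedArray: a DataView is an ArrayBuffer view but not a typed array.
  if (!ArrayBuffer.isView(typedArray) || typedArray instanceof DataView) {
    throw new TypeError('receiver is not a typed array');
  }
  // The list separator is implementation-defined; JSC uses ",".
  const separator = ',';
  const len = typedArray.length;
  let result = '';
  for (let k = 0; k < len; k++) {
    if (k > 0) result += separator;
    // Elements are always Number or BigInt, never undefined or null, so the
    // per-element toLocaleString is invoked unconditionally, with the
    // caller's locales and options (the pre-fix code dropped both).
    result += typedArray[k].toLocaleString(locales, options);
  }
  return result;
}

// The behaviour before the fix: arguments were not forwarded, so every
// element was formatted with the default locale and default options.
function typedArrayToLocaleStringWithoutForwarding(typedArray) {
  return typedArrayToLocaleString(typedArray);
}
```

Note that the separator is not escaped: in en-US, `new Float64Array([1234.5, 2])` with `minimumFractionDigits: 2` yields `1,234.50,2.00`, where the grouping comma and the list comma are indistinguishable. Never parse this output back; use Intl.NumberFormat.prototype.formatToParts when structure matters.
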
2710 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2711
2712         [INTL] Intl constructor lengths should be configurable
2713         https://bugs.webkit.org/show_bug.cgi?id=187960
2714
2715         Reviewed by Saam Barati.
2716
2717         Removed DontDelete from Intl constructor lengths.
2718         Fixed DateTimeFormat formatToParts length.
2719
2720         * runtime/IntlCollatorConstructor.cpp:
2721         (JSC::IntlCollatorConstructor::finishCreation):
2722         * runtime/IntlDateTimeFormatConstructor.cpp:
2723         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2724         * runtime/IntlDateTimeFormatPrototype.cpp:
2725         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2726         * runtime/IntlNumberFormatConstructor.cpp:
2727         (JSC::IntlNumberFormatConstructor::finishCreation):
2728         * runtime/IntlPluralRulesConstructor.cpp:
2729         (JSC::IntlPluralRulesConstructor::finishCreation):
2730
2731 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2732
2733         runJITThreadLimitTests is failing
2734         https://bugs.webkit.org/show_bug.cgi?id=187886
2735         <rdar://problem/42561966>
2736
2737         Unreviewed build fix for MSVC.
2738
2739         MSVC doesn't support the ternary operator without a second operand.
2740
2741         * dfg/DFGWorklist.cpp:
2742         (JSC::DFG::getNumberOfDFGCompilerThreads):
2743         (JSC::DFG::getNumberOfFTLCompilerThreads):
2744
2745 2018-07-24  Commit Queue  <commit-queue@webkit.org>
2746
2747         Unreviewed, rolling out r234183.
2748         https://bugs.webkit.org/show_bug.cgi?id=187983
2749
2750         Causes a regression in Kraken gaussian blur and desaturate
2751         (Requested by yusukesuzuki on #webkit).
2752
2753         Reverted changeset:
2754
2755         "[JSC] Record CoW status in ArrayProfile"
2756         https://bugs.webkit.org/show_bug.cgi?id=187949
2757         https://trac.webkit.org/changeset/234183
2758
2759 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2760
2761         [JSC] Record CoW status in ArrayProfile
2762         https://bugs.webkit.org/show_bug.cgi?id=187949
2763
2764         Reviewed by Saam Barati.
2765
2766         Once CoW array is converted to non-CoW array, subsequent operations are done for this non-CoW array.
2767         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
2768         in this code typically record only non-CoW arrays since array profiles hold only one StructureID recently
2769         seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
2770         CoW arrays.
2771
2772         In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
2773         speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile.
2774
2775         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
2776
2777                                       baseline                  patched
2778
2779         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
2780         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
2781
2782         * bytecode/ArrayProfile.cpp:
2783         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2784         * bytecode/ArrayProfile.h:
2785         (JSC::asArrayModes):
2786         We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.
2787
2788         (JSC::ArrayProfile::ArrayProfile):
2789         (JSC::ArrayProfile::addressOfObservedIndexingModes):
2790         (JSC::ArrayProfile::observedIndexingModes const):
2791         Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses.
2792         So we store the union of seen IndexingMode in `unsigned` instead.
2793
2794         * dfg/DFGArrayMode.cpp:
2795         (JSC::DFG::ArrayMode::fromObserved):
2796         * dfg/DFGArrayMode.h:
2797         (JSC::DFG::ArrayMode::withProfile const):
2798         * jit/JITCall.cpp:
2799         (JSC::JIT::compileOpCall):
2800         * jit/JITCall32_64.cpp:
2801         (JSC::JIT::compileOpCall):
2802         * jit/JITInlines.h:
2803         (JSC::JIT::emitArrayProfilingSiteWithCell):
2804         * llint/LowLevelInterpreter.asm:
2805         * llint/LowLevelInterpreter32_64.asm:
2806         * llint/LowLevelInterpreter64.asm:
2807
2808 2018-07-24  Tim Horton  <timothy_horton@apple.com>
2809
2810         Enable Web Content Filtering on watchOS
2811         https://bugs.webkit.org/show_bug.cgi?id=187979
2812         <rdar://problem/42559346>
2813
2814         Reviewed by Wenson Hsieh.
2815
2816         * Configurations/FeatureDefines.xcconfig:
2817
2818 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
2819
2820         Don't modify Options when setting JIT thread limits
2821         https://bugs.webkit.org/show_bug.cgi?id=187886
2822
2823         Reviewed by Filip Pizlo.
2824
2825         Previously, when setting the JIT thread limit prior to the worklist
2826         initialization, it'd be set via Options, which didn't work if Options
2827         hadn't been initialized yet. Change it to use a static variable in the
2828         Worklist instead.
2829
2830         * API/JSVirtualMachine.mm:
2831         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2832         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2833         * API/tests/testapi.mm:
2834         (testObjectiveCAPIMain):
2835         * dfg/DFGWorklist.cpp:
2836         (JSC::DFG::getNumberOfDFGCompilerThreads):
2837         (JSC::DFG::getNumberOfFTLCompilerThreads):
2838         (JSC::DFG::setNumberOfDFGCompilerThreads):
2839         (JSC::DFG::setNumberOfFTLCompilerThreads):
2840         (JSC::DFG::ensureGlobalDFGWorklist):
2841         (JSC::DFG::ensureGlobalFTLWorklist):
2842         * dfg/DFGWorklist.h:
2843
2844 2018-07-24  Mark Lam  <mark.lam@apple.com>
2845
2846         Refactoring: make DFG::Plan a class.
2847         https://bugs.webkit.org/show_bug.cgi?id=187968
2848
2849         Reviewed by Saam Barati.
2850
2851         This patch makes all the DFG::Plan fields private, and provides accessor methods
2852         for them.  This makes it easier to reason about how these fields are used and
2853         modified.
2854
2855         * dfg/DFGAbstractInterpreterInlines.h:
2856         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2857         * dfg/DFGByteCodeParser.cpp:
2858         (JSC::DFG::ByteCodeParser::handleCall):
2859         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2860         (JSC::DFG::ByteCodeParser::handleInlining):
2861         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2862         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2863         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2864         (JSC::DFG::ByteCodeParser::handleGetById):
2865         (JSC::DFG::ByteCodeParser::handlePutById):
2866         (JSC::DFG::ByteCodeParser::parseBlock):
2867         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2868         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2869         (JSC::DFG::ByteCodeParser::parse):
2870         * dfg/DFGCFAPhase.cpp:
2871         (JSC::DFG::CFAPhase::run):
2872         (JSC::DFG::CFAPhase::injectOSR):
2873         * dfg/DFGClobberize.h:
2874         (JSC::DFG::clobberize):
2875         * dfg/DFGCommonData.cpp:
2876         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2877         * dfg/DFGCommonData.h:
2878         * dfg/DFGConstantFoldingPhase.cpp:
2879         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2880         * dfg/DFGDriver.cpp:
2881         (JSC::DFG::compileImpl):
2882         * dfg/DFGFinalizer.h:
2883         * dfg/DFGFixupPhase.cpp:
2884         (JSC::DFG::FixupPhase::fixupNode):
2885         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2886         * dfg/DFGGraph.cpp:
2887         (JSC::DFG::Graph::Graph):
2888         (JSC::DFG::Graph::watchCondition):
2889         (JSC::DFG::Graph::inferredTypeFor):
2890         (JSC::DFG::Graph::requiredRegisterCountForExit):
2891         (JSC::DFG::Graph::registerFrozenValues):
2892         (JSC::DFG::Graph::registerStructure):
2893         (JSC::DFG::Graph::registerAndWatchStructureTransition):
2894         (JSC::DFG::Graph::assertIsRegistered):
2895         * dfg/DFGGraph.h:
2896         (JSC::DFG::Graph::compilation):
2897         (JSC::DFG::Graph::identifiers):
2898         (JSC::DFG::Graph::watchpoints):
2899         * dfg/DFGJITCompiler.cpp:
2900         (JSC::DFG::JITCompiler::JITCompiler):
2901         (JSC::DFG::JITCompiler::link):
2902         (JSC::DFG::JITCompiler::compile):
2903         (JSC::DFG::JITCompiler::compileFunction):
2904         (JSC::DFG::JITCompiler::disassemble):
2905         * dfg/DFGJITCompiler.h:
2906         (JSC::DFG::JITCompiler::addWeakReference):
2907         * dfg/DFGJITFinalizer.cpp:
2908         (JSC::DFG::JITFinalizer::finalize):
2909         (JSC::DFG::JITFinalizer::finalizeFunction):
2910         (JSC::DFG::JITFinalizer::finalizeCommon):
2911         * dfg/DFGOSREntrypointCreationPhase.cpp:
2912         (JSC::DFG::OSREntrypointCreationPhase::run):
2913         * dfg/DFGPhase.cpp:
2914         (JSC::DFG::Phase::beginPhase):
2915         * dfg/DFGPhase.h:
2916         (JSC::DFG::runAndLog):
2917         * dfg/DFGPlan.cpp:
2918         (JSC::DFG::Plan::Plan):
2919         (JSC::DFG::Plan::computeCompileTimes const):
2920         (JSC::DFG::Plan::reportCompileTimes const):
2921         (JSC::DFG::Plan::compileInThread):
2922         (JSC::DFG::Plan::compileInThreadImpl):
2923         (JSC::DFG::Plan::isStillValid):
2924         (JSC::DFG::Plan::reallyAdd):
2925         (JSC::DFG::Plan::notifyCompiling):
2926         (JSC::DFG::Plan::notifyReady):
2927         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2928         (JSC::DFG::Plan::finalizeAndNotifyCallback):
2929         (JSC::DFG::Plan::key):
2930         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2931         (JSC::DFG::Plan::finalizeInGC):
2932         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2933         (JSC::DFG::Plan::cancel):
2934         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2935         * dfg/DFGPlan.h:
2936         (JSC::DFG::Plan::canTierUpAndOSREnter const):
2937         (JSC::DFG::Plan::vm const):
2938         (JSC::DFG::Plan::codeBlock):
2939         (JSC::DFG::Plan::mode const):
2940         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
2941         (JSC::DFG::Plan::mustHandleValues const):
2942         (JSC::DFG::Plan::threadData const):
2943         (JSC::DFG::Plan::compilation const):
2944         (JSC::DFG::Plan::finalizer const):
2945         (JSC::DFG::Plan::setFinalizer):
2946         (JSC::DFG::Plan::inlineCallFrames const):
2947         (JSC::DFG::Plan::watchpoints):
2948         (JSC::DFG::Plan::identifiers):
2949         (JSC::DFG::Plan::weakReferences):
2950         (JSC::DFG::Plan::transitions):
2951         (JSC::DFG::Plan::recordedStatuses):
2952         (JSC::DFG::Plan::willTryToTierUp const):
2953         (JSC::DFG::Plan::setWillTryToTierUp):
2954         (JSC::DFG::Plan::tierUpInLoopHierarchy):
2955         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
2956         (JSC::DFG::Plan::stage const):
2957         (JSC::DFG::Plan::callback const):
2958         (JSC::DFG::Plan::setCallback):
2959         * dfg/DFGPlanInlines.h:
2960         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2961         * dfg/DFGPreciseLocalClobberize.h:
2962         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2963         * dfg/DFGPredictionInjectionPhase.cpp:
2964         (JSC::DFG::PredictionInjectionPhase::run):
2965         * dfg/DFGSafepoint.cpp:
2966         (JSC::DFG::Safepoint::Safepoint):
2967         (JSC::DFG::Safepoint::~Safepoint):
2968         (JSC::DFG::Safepoint::begin):
2969         * dfg/DFGSafepoint.h:
2970         * dfg/DFGSpeculativeJIT.h:
2971         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
2972         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
2973         * dfg/DFGStackLayoutPhase.cpp:
2974         (JSC::DFG::StackLayoutPhase::run):
2975         * dfg/DFGStrengthReductionPhase.cpp:
2976         (JSC::DFG::StrengthReductionPhase::handleNode):
2977         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2978         (JSC::DFG::TierUpCheckInjectionPhase::run):
2979         * dfg/DFGTypeCheckHoistingPhase.cpp:
2980         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2981         * dfg/DFGWorklist.cpp:
2982         (JSC::DFG::Worklist::isActiveForVM const):
2983         (JSC::DFG::Worklist::compilationState):
2984         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2985         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2986         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2987         (JSC::DFG::Worklist::visitWeakReferences):
2988         (JSC::DFG::Worklist::removeDeadPlans):
2989         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2990         * dfg/DFGWorklistInlines.h:
2991         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2992         * ftl/FTLCompile.cpp:
2993         (JSC::FTL::compile):
2994         * ftl/FTLFail.cpp:
2995         (JSC::FTL::fail):
2996         * ftl/FTLJITFinalizer.cpp:
2997         (JSC::FTL::JITFinalizer::finalizeCommon):
2998         * ftl/FTLLink.cpp:
2999         (JSC::FTL::link):
3000         * ftl/FTLLowerDFGToB3.cpp:
3001         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
3002         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
3003         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
3004         * ftl/FTLState.cpp:
3005         (JSC::FTL::State::State):
3006
3007 2018-07-24  Saam Barati  <sbarati@apple.com>
3008
3009         Make VM::canUseJIT an inlined function
3010         https://bugs.webkit.org/show_bug.cgi?id=187583
3011
3012         Reviewed by Mark Lam.
3013
3014         We know the answer to this query in initializeThreading after initializing
3015         the executable allocator. This patch makes it so that we just hold this value
3016         in a static variable and have an inlined function that just returns the value
3017         of that static variable.
3018
3019         * runtime/InitializeThreading.cpp:
3020         (JSC::initializeThreading):
3021         * runtime/VM.cpp:
3022         (JSC::VM::computeCanUseJIT):
3023         (JSC::VM::canUseJIT): Deleted.
3024         * runtime/VM.h:
3025         (JSC::VM::canUseJIT):
3026
3027 2018-07-24  Mark Lam  <mark.lam@apple.com>
3028
3029         Placate exception check verification after recent changes.
3030         https://bugs.webkit.org/show_bug.cgi?id=187961
3031         <rdar://problem/42545394>
3032
3033         Reviewed by Saam Barati.
3034
3035         * runtime/IntlObject.cpp:
3036         (JSC::intlNumberOption):
3037
3038 2018-07-23  Saam Barati  <sbarati@apple.com>
3039
3040         need to didFoldClobberWorld when we constant fold GetByVal
3041         https://bugs.webkit.org/show_bug.cgi?id=187917
3042         <rdar://problem/42505095>
3043
3044         Reviewed by Yusuke Suzuki.
3045
3046         * dfg/DFGAbstractInterpreterInlines.h:
3047         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3048
3049 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
3050
3051         [INTL] Language tags are not canonicalized
3052         https://bugs.webkit.org/show_bug.cgi?id=185836
3053
3054         Reviewed by Keith Miller.
3055
3056         Canonicalize language tags, replacing deprecated tag parts with the
3057         preferred values. Remove broken support for algorithmic numbering systems,
3058         which can cause an error in ICU and are not supported in other engines.
3059
3060         Generate the lookup functions from the language-subtag-registry.
3061
3062         Also initialize the UNumberFormat in initializeNumberFormat so any
3063         failures are thrown immediately instead of failing to format later.
3064
3065         * CMakeLists.txt:
3066         * DerivedSources.make:
3067         * JavaScriptCore.xcodeproj/project.pbxproj:
3068         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
3069         * runtime/IntlDateTimeFormat.cpp:
3070         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3071         * runtime/IntlNumberFormat.cpp:
3072         (JSC::IntlNumberFormat::initializeNumberFormat):
3073         (JSC::IntlNumberFormat::formatNumber):
3074         (JSC::IntlNumberFormat::formatToParts):
3075         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
3076         * runtime/IntlNumberFormat.h:
3077         * runtime/IntlObject.cpp:
3078         (JSC::intlNumberOption):
3079         (JSC::intlDefaultNumberOption):
3080         (JSC::preferredLanguage):
3081         (JSC::preferredRegion):
3082         (JSC::canonicalLangTag):
3083         (JSC::canonicalizeLanguageTag):
3084         (JSC::defaultLocale):
3085         (JSC::removeUnicodeLocaleExtension):
3086         (JSC::numberingSystemsForLocale):
3087         (JSC::grandfatheredLangTag): Deleted.
3088         * runtime/IntlObject.h:
3089         * runtime/IntlPluralRules.cpp:
3090         (JSC::IntlPluralRules::initializePluralRules):
3091         * runtime/JSGlobalObject.cpp:
3092         (JSC::addMissingScriptLocales):
3093         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3094         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3095         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3096         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3097         * ucd/language-subtag-registry.txt: Added.
3098
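The canonicalization described in this entry, as an added example that is not JSC's generated IntlObject code: a minimal BCP 47 canonicalizer whose replacement tables are a small constructed subset of the IANA language-subtag-registry's Deprecated / Preferred-Value records. Extlang, extension and private-use subtags are rejected rather than handled, and all names are ours.

```javascript
// Added example, not JSC's IntlObject code: a minimal BCP 47 canonicalizer in
// the style of what the change above generates from the IANA
// language-subtag-registry. The tables are a small constructed subset of the
// registry's Deprecated / Preferred-Value records; extlang, extension and
// private-use subtags are rejected rather than handled. Names are ours.
const DEPRECATED_LANGUAGE = { iw: 'he', in: 'id', ji: 'yi', mo: 'ro' };
const DEPRECATED_REGION = { BU: 'MM', DD: 'DE', ZR: 'CD', TP: 'TL' };
const GRANDFATHERED = { 'i-klingon': 'tlh', 'art-lojban': 'jbo', 'zh-hakka': 'hak' };

function preferred(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : key;
}

function canonicalizeLanguageTag(tag) {
  if (typeof tag !== 'string' || tag.length === 0) {
    throw new RangeError('language tag must be a non-empty string');
  }
  const lower = tag.toLowerCase();
  // Grandfathered tags are matched whole and mapped to their preferred value.
  if (Object.prototype.hasOwnProperty.call(GRANDFATHERED, lower)) {
    return GRANDFATHERED[lower];
  }
  const parts = lower.split('-');
  let i = 0;
  // language subtag: 2-3 letters, lower case, deprecated codes replaced
  if (!/^[a-z]{2,3}$/.test(parts[i])) {
    throw new RangeError('invalid language subtag in ' + JSON.stringify(tag));
  }
  const out = [preferred(DEPRECATED_LANGUAGE, parts[i++])];
  if (i < parts.length && /^[a-z]{4}$/.test(parts[i])) {
    // script subtag: Title case
    out.push(parts[i][0].toUpperCase() + parts[i].slice(1));
    i++;
  }
  if (i < parts.length && /^([a-z]{2}|[0-9]{3})$/.test(parts[i])) {
    // region subtag: upper case, deprecated codes replaced
    out.push(preferred(DEPRECATED_REGION, parts[i].toUpperCase()));
    i++;
  }
  const seenVariants = new Set();
  while (i < parts.length && /^([a-z0-9]{5,8}|[0-9][a-z0-9]{3})$/.test(parts[i])) {
    // variant subtags: a tag that repeats a variant is not well-formed
    if (seenVariants.has(parts[i])) {
      throw new RangeError('duplicate variant subtag in ' + JSON.stringify(tag));
    }
    seenVariants.add(parts[i]);
    out.push(parts[i]);
    i++;
  }
  if (i !== parts.length) {
    throw new RangeError('unsupported or malformed subtag in ' + JSON.stringify(tag));
  }
  return out.join('-');
}

// Two tags denote the same locale only if their canonical forms are equal.
function sameLocale(a, b) {
  return canonicalizeLanguageTag(a) === canonicalizeLanguageTag(b);
}
```

Compare locale identifiers only after canonicalizing both sides: `in-ID` and `id-id` are the same locale, and a raw string comparison would miss that. Engines expose the same operation as Intl.getCanonicalLocales, backed by the full registry.
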
3099 2018-07-23  Mark Lam  <mark.lam@apple.com>
3100
3101         Add some asserts to help diagnose a crash.
3102         https://bugs.webkit.org/show_bug.cgi?id=187915
3103         <rdar://problem/42508166>
3104
3105         Reviewed by Michael Saboff.
3106
3107         Add some asserts to verify that a CodeBlock alternative should always have a
3108         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
3109         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
3110         so that we'll retain the state of the variables that failed the assertion (again
3111         to help with diagnosis).
3112
3113         * bytecode/CodeBlock.cpp:
3114         (JSC::CodeBlock::setAlternative):
3115         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3116         * dfg/DFGPlan.cpp:
3117         (JSC::DFG::Plan::Plan):
3118
3119 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
3120
3121         Unreviewed, fix no-JIT build.
3122
3123         * bytecode/CallLinkStatus.cpp:
3124         (JSC::CallLinkStatus::computeFor):
3125         * bytecode/CodeBlock.cpp:
3126         (JSC::CodeBlock::finalizeUnconditionally):
3127         * bytecode/GetByIdStatus.cpp:
3128         (JSC::GetByIdStatus::computeFor):
3129         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3130         * bytecode/InByIdStatus.cpp:
3131         * bytecode/PutByIdStatus.cpp:
3132         (JSC::PutByIdStatus::computeForStubInfo):
3133
3134 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3135
3136         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
3137         https://bugs.webkit.org/show_bug.cgi?id=187891
3138
3139         Reviewed by Saam Barati.
3140
3141         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
3142         two variants are mergeable but they have "Miss" status. We make merging fail if
3143         the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
3144         if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
3145         a patch which has more chances to merge variants.
3146
3147         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
3148         is not related since it does not use this check in Transition case.
3149
3150         * bytecode/GetByIdVariant.cpp:
3151         (JSC::GetByIdVariant::attemptToMerge):
3152         * bytecode/InByIdVariant.cpp:
3153         (JSC::InByIdVariant::attemptToMerge):
3154
3155 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3156
3157         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
3158         https://bugs.webkit.org/show_bug.cgi?id=186462
3159
3160         Reviewed by Saam Barati.
3161
3162         Non-special DontDelete | ReadOnly properties mean that the value won't be changed. If DFG AI can retrieve this
3163         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
3164         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
3165
3166         This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
3167         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
3168         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
3169         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
3170         changed and we can safely use it. We arrange our existing code to use this protocol.
3171
3172         Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
3173         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86.
3174
3175         This patch improves SixSpeed/template_string_tag.es6.
3176
3177                                           baseline                  patched
3178
3179         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
3180
3181         * dfg/DFGAbstractInterpreterInlines.h:
3182         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3183         * runtime/JSArray.cpp:
3184         (JSC::JSArray::setLengthWithArrayStorage):
3185         * runtime/JSObject.cpp:
3186         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3187         (JSC::JSObject::deletePropertyByIndex):
3188         (JSC::JSObject::getOwnPropertyNames):
3189         (JSC::putIndexedDescriptor):
3190         (JSC::JSObject::defineOwnIndexedProperty):
3191         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3192         (JSC::JSObject::putIndexedDescriptor): Deleted.
3193         * runtime/JSObject.h:
3194         * runtime/SparseArrayValueMap.cpp:
3195         (JSC::SparseArrayValueMap::SparseArrayValueMap):
3196         (JSC::SparseArrayValueMap::add):
3197         (JSC::SparseArrayValueMap::putDirect):
3198         (JSC::SparseArrayValueMap::getConcurrently):
3199         (JSC::SparseArrayEntry::get const):
3200         (JSC::SparseArrayEntry::getConcurrently const):
3201         (JSC::SparseArrayEntry::put):
3202         (JSC::SparseArrayEntry::getNonSparseMode const):
3203         (JSC::SparseArrayValueMap::visitChildren):
3204         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
3205         * runtime/SparseArrayValueMap.h:
3206         (JSC::SparseArrayEntry::SparseArrayEntry):
3207         (JSC::SparseArrayEntry::attributes const):
3208         (JSC::SparseArrayEntry::forceSet):
3209         (JSC::SparseArrayEntry::asValue):
3210
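The JS-visible side of the DontDelete | ReadOnly indexed properties this entry folds, as an added example that is not JavaScriptCore code: a tagged template's call-site array is frozen and is the same object on every evaluation of that call site, so an HTML-escaping tag can trust the literal parts and cache per-call-site work keyed on that array. The engine-side folding and fences are not observable from script; the tag, cache and helper names below are ours.

```javascript
// Added example, not JavaScriptCore code: what the DontDelete | ReadOnly
// indexed properties described above look like from JavaScript. The tag,
// cache and helper names are ours.

function describeCallSiteArray(strings) {
  const desc = Object.getOwnPropertyDescriptor(strings, 0);
  return {
    frozen: Object.isFrozen(strings),
    writable: desc.writable,         // false: ReadOnly
    configurable: desc.configurable, // false: DontDelete
    rawFrozen: Object.isFrozen(strings.raw),
  };
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Per-call-site cache: the frozen strings array is a stable identity key.
const siteCache = new WeakMap();
let prepareCount = 0;

function html(strings, ...values) {
  let site = siteCache.get(strings);
  if (!site) {
    prepareCount++;
    // Literal parts are developer-authored and immutable; only the
    // interpolated values are untrusted and need escaping.
    site = { literals: Array.from(strings) };
    siteCache.set(strings, site);
  }
  let out = '';
  for (let i = 0; i < site.literals.length; i++) {
    out += site.literals[i];
    if (i < values.length) out += escapeHtml(values[i]);
  }
  return out;
}

function renderGreeting(name) {
  return html`<p>Hello, ${name}!</p>`;
}

// Every evaluation of one call site receives the same array object.
function sameCallSiteArray() {
  const seen = [];
  const tag = strings => { seen.push(strings); return strings; };
  for (let i = 0; i < 2; i++) tag`x${i}y`;
  return seen[0] === seen[1];
}

// In strict mode, writing to the non-writable indexed property throws.
function tryMutateCallSite() {
  'use strict';
  const strings = (s => s)`a${1}b`;
  try {
    strings[0] = 'tampered';
    return 'mutated';
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// Rendering the same call site n times prepares it once.
function prepareCountAfterRenders(n) {
  for (let i = 0; i < n; i++) renderGreeting('user' + i);
  return prepareCount;
}
```

The same invariant is what makes the fold safe: a value behind a non-writable, non-configurable index cannot change, whether the reader is a concurrent compiler thread or a WeakMap keyed on the array.
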
3211 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3212
3213         We should support CreateThis in the FTL
3214         https://bugs.webkit.org/show_bug.cgi?id=164904
3215
3216         Reviewed by Yusuke Suzuki.
3217         
3218         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
3219         inference adventure.
3220         
3221         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
3222         benchmark's extremely perverse way of winning at type inference:
3223         
3224         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
3225           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
3226           benchmark was falling back to other mechanisms...
3227         
3228         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
3229           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
3230           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
3231           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
3232           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
3233           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
3234           
3235           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
3236           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
3237           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
3238           helper because it had a CreateThis.
3239         
3240         - Compilations that inlined the construction helper would have gotten super lucky with
3241           parse-time constant folding, so they knew what structure the input to the get_by_id would
3242           have at parse time. This is only profitable if the get_by_id parsing computed a
3243           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
3244           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
3245           cases, we would indeed get a finite number of cases. The parser would then prune those
3246           cases to just one - based on its knowledge of the structure - and that would result in that
3247           get_by_id being folded at parse time to a constant.
3248         
3249         - The subsequent op_call would inline based on parse-time knowledge of that constant.
3250         
3251         This patch comprehensively fixes these issues, as well as other issues that come up along the
3252         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
3253         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
3254         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
3255         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
3256         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
3257         attack raytrace's problem as a shortcoming of polyvariant profiling.
3258         
3259         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
3260           subset of the inline stack that includes the IC we're profiling. For example, if we have
3261           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
3262           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
3263           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
3264           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
3265           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
3266           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
3267           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
3268           had inlined bar and then baz. It may not have done that, because those calls could have
3269           required polyvariant profiling that was only available in the FTL.
3270           
3271         - A particularly interesting case is when some IC in foo-baseline is also available in
3272           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
3273           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
3274           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
3275           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
3276           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
3277           because it warns us of historical polymorphism. Historical polymorphism usually means
3278           future polymorphism. IC status code already had some merging functionality, but I needed to
3279           beef it up a lot to make this work right.
3280         
3281         - Inlining an inline cache now preserves as much information as profiling. One challenge of
3282           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
3283           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
3284           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
3285           say "I don't have such an IC". At this point the DFG compilation that included that IC that
3286           gave us the information that we used to inline the IC is no longer alive. To keep us from
3287           losing the information we learned about the IC, there is now a RecordedStatuses data
3288           structure that preserves the statuses we use for inlining ICs. We also filter those
3289           statuses according to things we learn from AI. This further reduces the risk of information
3290           about an IC being forgotten.
3291         
3292         - Exit profiling now considers whether or not an exit happened from inline code. This
3293           protects us in the case where the not-inlined version of an IC exited a lot because of
3294           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
3295           profiling data, we consider only inlined exits.
3296         
3297         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
3298           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
3299           surprising that we've had this bug.
3300         
3301         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
3302         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
3303         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
3304         prototype access folding in the bytecode parser and constant folder. That would require some
3305         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
3306         have a test that captures raytrace's behavior in the case that the parser cannot fold the
3307         get_by_id.
3308         
3309         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
3310         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
3311         compile time regression anytime we fill in FTL coverage.
3312         
3313         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
3314         speeds up and that raytrace slows down, but these changes balance out and don't affect the