Add support for USDZ to webkit.org for a sample file
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-08-31  Mark Lam  <mark.lam@apple.com>
2
3         Fix exception check accounting in constructJSWebAssemblyCompileError().
4         https://bugs.webkit.org/show_bug.cgi?id=189185
5         <rdar://problem/39786007>
6
7         Reviewed by Michael Saboff.
8
9         Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
10         inadvertently overwrite a pre-existing exception (if present).
11
12         * wasm/js/JSWebAssemblyModule.cpp:
13         (JSC::JSWebAssemblyModule::createStub):
14         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
15         (JSC::constructJSWebAssemblyCompileError):
16
17 2018-08-31  Mark Lam  <mark.lam@apple.com>
18
19         Gardening: ARMv7 build fix.
20         https://bugs.webkit.org/show_bug.cgi?id=158911
21
22         Not reviewed.
23
24         * assembler/MacroAssemblerARMv7.h:
25         (JSC::MacroAssemblerARMv7::patchableBranch8):
26
27 2018-08-31  Mark Lam  <mark.lam@apple.com>
28
29         Fix exception check accounting in JSDataView::defineOwnProperty().
30         https://bugs.webkit.org/show_bug.cgi?id=189186
31         <rdar://problem/39786049>
32
33         Reviewed by Michael Saboff.
34
35         * runtime/JSDataView.cpp:
36         (JSC::JSDataView::defineOwnProperty):
37
38 2018-08-31  Mark Lam  <mark.lam@apple.com>
39
40         Add missing exception check in arrayProtoFuncLastIndexOf().
41         https://bugs.webkit.org/show_bug.cgi?id=189184
42         <rdar://problem/39785959>
43
44         Reviewed by Yusuke Suzuki.
45
46         * runtime/ArrayPrototype.cpp:
47         (JSC::arrayProtoFuncLastIndexOf):
48
49 2018-08-31  Saam barati  <sbarati@apple.com>
50
51         convertToRegExpMatchFastGlobal must use KnownString as the child use kind
52         https://bugs.webkit.org/show_bug.cgi?id=189173
53         <rdar://problem/43501645>
54
55         Reviewed by Michael Saboff.
56
57         We were crashing during validation because mayExit returned true
58         at a point in the program when we weren't allowed to exit.
59         
60         The issue is in StrengthReduction: we end up emitting code that
61         had a StringUse on an edge after a node that did side effects and before
62         an ExitOK/bytecode number transition. However, StrengthReduction did the
63         right thing here and also emitted the type checks before the node with
64         side effects. It just did bad bookkeeping. The node we convert to needs
65         to use KnownStringUse instead of StringUse for the child edge.
66
67         * dfg/DFGNode.cpp:
68         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
69         (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
70         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
71         (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
72         * dfg/DFGNode.h:
73         * dfg/DFGStrengthReductionPhase.cpp:
74         (JSC::DFG::StrengthReductionPhase::handleNode):
75
76 2018-08-30  Saam barati  <sbarati@apple.com>
77
78         Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
79         https://bugs.webkit.org/show_bug.cgi?id=189166
80
81         Reviewed by Mark Lam.
82
83         * bytecode/AccessCase.cpp:
84         (JSC::AccessCase::generateImpl):
85         * bytecode/GetterSetterAccessCase.cpp:
86         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
87         * bytecode/InlineAccess.cpp:
88         (JSC::getScratchRegister):
89         * bytecode/PolymorphicAccess.cpp:
90         (JSC::PolymorphicAccess::regenerate):
91         * bytecode/StructureStubInfo.h:
92         (JSC::StructureStubInfo::valueRegs const):
93         * jit/JITInlineCacheGenerator.cpp:
94         (JSC::JITByIdGenerator::JITByIdGenerator):
95         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
96         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
97
98 2018-08-30  Saam barati  <sbarati@apple.com>
99
100         InlineAccess should do StringLength
101         https://bugs.webkit.org/show_bug.cgi?id=158911
102
103         Reviewed by Yusuke Suzuki.
104
105         This patch extends InlineAccess to support StringLength. This patch also
106         fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
107         I forgot to implement this for ArrayLength in the initial InlineAccess
108         implementation.  Supporting StringLength is a natural extension of the
109         InlineAccess machinery.
110
111         * assembler/MacroAssembler.h:
112         (JSC::MacroAssembler::patchableBranch8):
113         * assembler/MacroAssemblerARM64.h:
114         (JSC::MacroAssemblerARM64::patchableBranch8):
115         * bytecode/AccessCase.cpp:
116         (JSC::AccessCase::fromStructureStubInfo):
117         * bytecode/BytecodeDumper.cpp:
118         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
119         * bytecode/InlineAccess.cpp:
120         (JSC::InlineAccess::dumpCacheSizesAndCrash):
121         (JSC::InlineAccess::generateSelfPropertyAccess):
122         (JSC::getScratchRegister):
123         (JSC::InlineAccess::generateSelfPropertyReplace):
124         (JSC::InlineAccess::generateArrayLength):
125         (JSC::InlineAccess::generateSelfInAccess):
126         (JSC::InlineAccess::generateStringLength):
127         * bytecode/InlineAccess.h:
128         * bytecode/PolymorphicAccess.cpp:
129         (JSC::PolymorphicAccess::regenerate):
130         * bytecode/StructureStubInfo.cpp:
131         (JSC::StructureStubInfo::initStringLength):
132         (JSC::StructureStubInfo::deref):
133         (JSC::StructureStubInfo::aboutToDie):
134         (JSC::StructureStubInfo::propagateTransitions):
135         * bytecode/StructureStubInfo.h:
136         (JSC::StructureStubInfo::baseGPR const):
137         * jit/Repatch.cpp:
138         (JSC::tryCacheGetByID):
139
140 2018-08-30  Saam barati  <sbarati@apple.com>
141
142         CSE DataViewGet* DFG nodes
143         https://bugs.webkit.org/show_bug.cgi?id=188768
144
145         Reviewed by Yusuke Suzuki.
146
147         This patch makes it so that we CSE DataViewGet* accesses. To do this,
148         I needed to add a third descriptor to HeapLocation to represent the
149         isLittleEndian child. This patch is neutral on compile time benchmarks,
150         and is a 50% speedup on a trivial CSE microbenchmark that I added.
151
152         * dfg/DFGClobberize.h:
153         (JSC::DFG::clobberize):
154         * dfg/DFGFixupPhase.cpp:
155         (JSC::DFG::FixupPhase::fixupNode):
156         * dfg/DFGHeapLocation.cpp:
157         (WTF::printInternal):
158         * dfg/DFGHeapLocation.h:
159         (JSC::DFG::HeapLocation::HeapLocation):
160         (JSC::DFG::HeapLocation::hash const):
161         (JSC::DFG::HeapLocation::operator== const):
162         (JSC::DFG::indexedPropertyLocForResultType):
163
164 2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
165
166         output of toString() of Generator is wrong
167         https://bugs.webkit.org/show_bug.cgi?id=188952
168
169         Reviewed by Saam Barati.
170
171         Function#toString does not respect generators and async generators.
172         This patch fixes them and supports all the function types.
173
174         * runtime/FunctionPrototype.cpp:
175         (JSC::functionProtoFuncToString):
176
177 2018-08-29  Mark Lam  <mark.lam@apple.com>
178
179         Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
180         https://bugs.webkit.org/show_bug.cgi?id=189132
181         <rdar://problem/42513068>
182
183         Reviewed by Saam Barati.
184
185         * runtime/JSCJSValueInlines.h:
186         (JSC::JSValue::toPropertyKey const):
187         * runtime/JSString.cpp:
188         (JSC::JSRopeString::resolveRopeToAtomicString const):
189
190 2018-08-29  Commit Queue  <commit-queue@webkit.org>
191
192         Unreviewed, rolling out r235432 and r235436.
193         https://bugs.webkit.org/show_bug.cgi?id=189086
194
195         Is a Swift source breaking change. (Requested by keith_miller
196         on #webkit).
197
198         Reverted changesets:
199
200         "Add nullability attributes to JSValue"
201         https://bugs.webkit.org/show_bug.cgi?id=189047
202         https://trac.webkit.org/changeset/235432
203
204         "Add nullability attributes to JSValue"
205         https://bugs.webkit.org/show_bug.cgi?id=189047
206         https://trac.webkit.org/changeset/235436
207
208 2018-08-28  Mark Lam  <mark.lam@apple.com>
209
210         Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
211         https://bugs.webkit.org/show_bug.cgi?id=189059
212         <rdar://problem/40335354>
213
214         Reviewed by Saam Barati.
215
216         1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
217         2. Added $vm.dumpRegisters().
218
219             Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
220             Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.
221
222            Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
223            It will treat inlined frames' content as registers in the bounding physical frame.
224
225            Here's an example of such a dump on a DFG frame:
226
227                 Register frame: 
228
229                 -----------------------------------------------------------------------------
230                             use            |   address  |                value               
231                 -----------------------------------------------------------------------------
232                 [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
233                 [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
234                 [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
235                 [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
236                 [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
237                 [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
238                 [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
239                 [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
240                 -----------------------------------------------------------------------------
241                 [ArgumentCount]            | 0x7ffeefbfd2f0 | 7 
242                 [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
243                 [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
244                 [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
245                 [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c 
246                 [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380 
247                 -----------------------------------------------------------------------------
248                 [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
249                 [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
250                 [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608        
251                 [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
252                 [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
253                 [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
254                 -----------------------------------------------------------------------------
255                 [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
256                 [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
257                 [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
258                 [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
259                 [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
260                 [r-12]                     | 0x7ffeefbfd270 | 0x100000001        
261                 [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
262                 [r-14]                     | 0x7ffeefbfd260 | 0x0                
263                 [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c        
264                 [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0     
265                 [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
266                 [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250     
267                 -----------------------------------------------------------------------------
268
269         3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
270            we can use in its place:
271
272             $vm.dumpCallFrame()
273             $vm.dumpBytecodeFor()
274             $vm.dumpRegisters()     // Just added in this patch.
275
276         4. Also fixed a bug in BytecodeDumper: it should only access
277            CallLinkInfo::haveLastSeenCallee() if CallLinkInfo::isDirect() is false.
278
279         * bytecode/BytecodeDumper.cpp:
280         (JSC::BytecodeDumper<Block>::printCallOp):
281         * interpreter/Interpreter.cpp:
282         (JSC::Interpreter::dumpCallFrame): Deleted.
283         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
284         (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
285         (JSC::Interpreter::dumpRegisters): Deleted.
286         * interpreter/Interpreter.h:
287         * jsc.cpp:
288         (GlobalObject::finishCreation):
289         (functionDumpCallFrame): Deleted.
290         * tools/JSDollarVM.cpp:
291         (JSC::functionDumpRegisters):
292         (JSC::JSDollarVM::finishCreation):
293         * tools/VMInspector.cpp:
294         (JSC::VMInspector::dumpRegisters):
295         * tools/VMInspector.h:
296
297 2018-08-28  Keith Miller  <keith_miller@apple.com>
298
299         Add nullability attributes to JSValue
300         https://bugs.webkit.org/show_bug.cgi?id=189047
301
302         Reviewed by Dan Bernstein.
303
304         Switch to using NS_ASSUME_NONNULL_BEGIN/END.
305
306         * API/JSValue.h:
307
308 2018-08-28  Keith Miller  <keith_miller@apple.com>
309
310         Add nullability attributes to JSValue
311         https://bugs.webkit.org/show_bug.cgi?id=189047
312
313         Reviewed by Geoffrey Garen.
314
315         * API/JSValue.h:
316
317 2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
318
319         [WebAssembly] Parse wasm modules in a streaming fashion
320         https://bugs.webkit.org/show_bug.cgi?id=188943
321
322         Reviewed by Mark Lam.
323
324         This patch adds Wasm::StreamingParser, which parses a wasm binary in a streaming fashion.
325         Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
326         we start integrating it into BBQPlan and dropping the old ModuleParser.
327
328         * JavaScriptCore.xcodeproj/project.pbxproj:
329         * Sources.txt:
330         * tools/JSDollarVM.cpp:
331         (WTF::WasmStreamingParser::WasmStreamingParser):
332         (WTF::WasmStreamingParser::create):
333         (WTF::WasmStreamingParser::createStructure):
334         (WTF::WasmStreamingParser::streamingParser):
335         (WTF::WasmStreamingParser::finishCreation):
336         (WTF::functionWasmStreamingParserAddBytes):
337         (WTF::functionWasmStreamingParserFinalize):
338         (JSC::functionCreateWasmStreamingParser):
339         (JSC::JSDollarVM::finishCreation):
340         The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test uses
341         this interface to test the streaming parser in the JSC shell.
342
343         * wasm/WasmBBQPlan.cpp:
344         (JSC::Wasm::BBQPlan::BBQPlan):
345         (JSC::Wasm::BBQPlan::parseAndValidateModule):
346         (JSC::Wasm::BBQPlan::prepare):
347         (JSC::Wasm::BBQPlan::compileFunctions):
348         (JSC::Wasm::BBQPlan::complete):
349         (JSC::Wasm::BBQPlan::work):
350         * wasm/WasmBBQPlan.h:
351         BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
352         In subsequent patches, we will remove this, and stream the data into the BBQPlan.
353
354         * wasm/WasmFormat.h:
355         * wasm/WasmModuleInformation.cpp:
356         (JSC::Wasm::ModuleInformation::ModuleInformation):
357         * wasm/WasmModuleInformation.h:
358         One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
359         since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
360         in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
361         Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
362         a function with this data can be done concurrently with StreamingParser.
363
364         (JSC::Wasm::ModuleInformation::create):
365         (JSC::Wasm::ModuleInformation::memoryCount const):
366         (JSC::Wasm::ModuleInformation::tableCount const):
367         memoryCount and tableCount should be recorded in ModuleInformation.
368
369         * wasm/WasmModuleParser.cpp:
370         (JSC::Wasm::ModuleParser::parse):
371         (JSC::Wasm::makeI32InitExpr): Deleted.
372         (JSC::Wasm::ModuleParser::parseType): Deleted.
373         (JSC::Wasm::ModuleParser::parseImport): Deleted.
374         (JSC::Wasm::ModuleParser::parseFunction): Deleted.
375         (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
376         (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
377         (JSC::Wasm::ModuleParser::parseTable): Deleted.
378         (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
379         (JSC::Wasm::ModuleParser::parseMemory): Deleted.
380         (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
381         (JSC::Wasm::ModuleParser::parseExport): Deleted.
382         (JSC::Wasm::ModuleParser::parseStart): Deleted.
383         (JSC::Wasm::ModuleParser::parseElement): Deleted.
384         (JSC::Wasm::ModuleParser::parseCode): Deleted.
385         (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
386         (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
387         (JSC::Wasm::ModuleParser::parseData): Deleted.
388         (JSC::Wasm::ModuleParser::parseCustom): Deleted.
389         Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
390         SectionParser is also used by StreamingParser.
391
392         * wasm/WasmModuleParser.h:
393         (): Deleted.
394         * wasm/WasmNameSection.h:
395         (JSC::Wasm::NameSection::NameSection):
396         (JSC::Wasm::NameSection::create):
397         (JSC::Wasm::NameSection::setHash):
398         Hash calculation is deferred since not all of the source is available in streaming parsing.
399
400         * wasm/WasmNameSectionParser.cpp:
401         (JSC::Wasm::NameSectionParser::parse):
402         * wasm/WasmNameSectionParser.h:
403         Use Ref<NameSection>.
404
405         * wasm/WasmOMGPlan.cpp:
406         (JSC::Wasm::OMGPlan::work):
407         Wasm::Plan no longer has m_source since data will be eventually filled in a streaming fashion.
408         OMGPlan can get data of the function by using ModuleInformation::functions.
409
410         * wasm/WasmParser.h:
411         (JSC::Wasm::Parser::source const):
412         (JSC::Wasm::Parser::length const):
413         (JSC::Wasm::Parser::offset const):
414         (JSC::Wasm::Parser::fail const):
415         (JSC::Wasm::makeI32InitExpr):
416         * wasm/WasmPlan.cpp:
417         (JSC::Wasm::Plan::Plan):
418         Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.
419
420         * wasm/WasmPlan.h:
421         * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
422         SectionParser is extracted from ModuleParser. And it is used by both the old (currently working)
423         ModuleParser and the new StreamingParser.
424
425         (JSC::Wasm::SectionParser::parseType):
426         (JSC::Wasm::SectionParser::parseImport):
427         (JSC::Wasm::SectionParser::parseFunction):
428         (JSC::Wasm::SectionParser::parseResizableLimits):
429         (JSC::Wasm::SectionParser::parseTableHelper):
430         (JSC::Wasm::SectionParser::parseTable):
431         (JSC::Wasm::SectionParser::parseMemoryHelper):
432         (JSC::Wasm::SectionParser::parseMemory):
433         (JSC::Wasm::SectionParser::parseGlobal):
434         (JSC::Wasm::SectionParser::parseExport):
435         (JSC::Wasm::SectionParser::parseStart):
436         (JSC::Wasm::SectionParser::parseElement):
437         (JSC::Wasm::SectionParser::parseCode):
438         (JSC::Wasm::SectionParser::parseInitExpr):
439         (JSC::Wasm::SectionParser::parseGlobalType):
440         (JSC::Wasm::SectionParser::parseData):
441         (JSC::Wasm::SectionParser::parseCustom):
442         * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
443         * wasm/WasmStreamingParser.cpp: Added.
444         (JSC::Wasm::parseUInt7):
445         (JSC::Wasm::StreamingParser::fail):
446         (JSC::Wasm::StreamingParser::StreamingParser):
447         (JSC::Wasm::StreamingParser::parseModuleHeader):
448         (JSC::Wasm::StreamingParser::parseSectionID):
449         (JSC::Wasm::StreamingParser::parseSectionSize):
450         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
451         The code section in a Wasm binary is handled specially compared with the other sections since it includes
452         a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
453         streaming validation / compilation of Wasm functions.
454
455         (JSC::Wasm::StreamingParser::parseFunctionSize):
456         (JSC::Wasm::StreamingParser::parseFunctionPayload):
457         (JSC::Wasm::StreamingParser::parseSectionPayload):
458         (JSC::Wasm::StreamingParser::consume):
459         (JSC::Wasm::StreamingParser::consumeVarUInt32):
460         (JSC::Wasm::StreamingParser::addBytes):
461         (JSC::Wasm::StreamingParser::failOnState):
462         (JSC::Wasm::StreamingParser::finalize):
463         * wasm/WasmStreamingParser.h: Added.
464         (JSC::Wasm::StreamingParser::addBytes):
465         (JSC::Wasm::StreamingParser::errorMessage const):
466         This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
467         StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
468         StreamingParser::addBytes() to pump the bytes stream into the parser. And once all the data is pumped,
469         the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
470         incoming byte stream.
471
472         * wasm/js/JSWebAssemblyModule.cpp:
473         (JSC::JSWebAssemblyModule::source const): Deleted.
474         All the source should not be held.
475
476         * wasm/js/JSWebAssemblyModule.h:
477         * wasm/js/WebAssemblyPrototype.cpp:
478         (JSC::webAssemblyValidateFunc):
479
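The streaming state machine described in the entry above, as an added example that is not JSC's code: a self-contained C++ parser that accepts a wasm binary through addBytes() in arbitrary chunks, parses the header and the (id, size, payload) sections, extracts each code-section function body as soon as it is complete, and rejects a stream that ends mid-section or whose declared code section size does not match its contents. The names addBytes, finalize and errorMessage mirror the entry; the implementation, kSampleModule and parseInChunks are constructed here.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed example: a state machine that parses the outer layout of a wasm binary from bytes pumped
// in through addBytes(), handing out each code-section function body as soon as it is complete.
class StreamingParser {
public:
    enum class State { ModuleHeader, SectionID, SectionSize, SectionPayload, FunctionCount,
                       FunctionSize, FunctionPayload, Finished, FatalError };
    // Pump one chunk in; chunk boundaries may fall anywhere, even inside a LEB128.
    State addBytes(const uint8_t* bytes, size_t length) {
        m_buffer.insert(m_buffer.end(), bytes, bytes + length);
        while (m_state != State::Finished && step()) { }
        return m_state;
    }
    // End of stream: only valid between sections, with no bytes left over.
    State finalize() {
        if (m_state == State::SectionID && m_buffer.empty()) m_state = State::Finished;
        else if (m_state != State::FatalError) fail("stream ended in the middle of a section");
        return m_state;
    }
    State state() const { return m_state; }
    const char* errorMessage() const { return m_error; }
    const std::vector<std::vector<uint8_t>>& functions() const { return m_functions; }
private:
    static constexpr uint8_t codeSectionID = 10;
    bool fail(const char* message) { m_error = message; m_state = State::FatalError; return false; }
    bool go(State next) { m_state = next; return true; }
    void drop(size_t n) { m_buffer.erase(m_buffer.begin(), m_buffer.begin() + n); m_consumed += n; }
    // Unsigned LEB128 (at most 5 bytes): consumes nothing until the whole value is buffered.
    bool consumeVarUInt32(uint32_t& out) {
        uint32_t value = 0;
        for (size_t i = 0; i < m_buffer.size() && i < 5; ++i) {
            uint8_t byte = m_buffer[i];
            if (i == 4 && (byte & 0x70)) return fail("LEB128 exceeds 32 bits");
            value |= static_cast<uint32_t>(byte & 0x7f) << (7 * i);
            if (!(byte & 0x80)) { drop(i + 1); out = value; return true; }
        }
        return m_buffer.size() >= 5 ? fail("LEB128 longer than 5 bytes") : false;
    }
    // After the count or a body: the declared code section size must be matched exactly.
    bool nextFunctionOrEnd() {
        if (m_functionsLeft) return go(State::FunctionSize);
        if (m_consumed != m_sectionEnd) return fail("code section size does not match its contents");
        return go(State::SectionID);
    }
    // One transition; false means "need more bytes" or that a fatal error was recorded.
    bool step() {
        static const uint8_t magic[8] = { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00 }; // "\0asm", v1
        uint32_t size = 0;
        switch (m_state) {
        case State::ModuleHeader:
            if (m_buffer.size() < 8) return false;
            if (!std::equal(magic, magic + 8, m_buffer.begin())) return fail("bad magic or version");
            drop(8); return go(State::SectionID);
        case State::SectionID:
            if (m_buffer.empty()) return false;
            m_sectionID = m_buffer[0]; drop(1); return go(State::SectionSize);
        case State::SectionSize:
            if (!consumeVarUInt32(size)) return false;
            m_sectionEnd = m_consumed + size;
            if (m_sectionID == codeSectionID) return go(State::FunctionCount);
            return go(size ? State::SectionPayload : State::SectionID);
        case State::SectionPayload: // non-code sections are skipped whole in this example
            if (m_consumed + m_buffer.size() < m_sectionEnd) return false;
            drop(static_cast<size_t>(m_sectionEnd - m_consumed)); return go(State::SectionID);
        case State::FunctionCount:
            return consumeVarUInt32(m_functionsLeft) && nextFunctionOrEnd();
        case State::FunctionSize:
            if (!consumeVarUInt32(m_functionSize)) return false;
            if (m_consumed + m_functionSize > m_sectionEnd) return fail("function body overruns code section");
            return go(State::FunctionPayload);
        case State::FunctionPayload: // a whole body is available; it could be validated or compiled now
            if (m_buffer.size() < m_functionSize) return false;
            m_functions.emplace_back(m_buffer.begin(), m_buffer.begin() + m_functionSize);
            drop(m_functionSize); --m_functionsLeft;
            return nextFunctionOrEnd();
        default: return false;
        }
    }
    State m_state { State::ModuleHeader };
    std::vector<uint8_t> m_buffer;                  // received but not yet consumed
    std::vector<std::vector<uint8_t>> m_functions;  // completed function bodies, in order
    const char* m_error { "" };
    uint64_t m_consumed { 0 }, m_sectionEnd { 0 };  // stream offsets of m_buffer[0] and of the section end
    uint32_t m_functionsLeft { 0 }, m_functionSize { 0 };
    uint8_t m_sectionID { 0 };
};

// Constructed sample: type, function and code sections; two functions returning i32 constants.
const std::vector<uint8_t> kSampleModule = {
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                                 // header
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x03, 0x02, 0x00, 0x00,         // type () -> i32; two funcs
    0x0a, 0x0b, 0x02, 0x04, 0x00, 0x41, 0x2a, 0x0b, 0x04, 0x00, 0x41, 0x07, 0x0b }; // code: i32.const 42 / 7

// Feed a module to a fresh parser in fixed-size chunks, then finalize.
StreamingParser parseInChunks(const std::vector<uint8_t>& module, size_t chunkSize) {
    StreamingParser parser;
    for (size_t offset = 0; offset < module.size(); offset += chunkSize)
        parser.addBytes(module.data() + offset, std::min(chunkSize, module.size() - offset));
    parser.finalize(); return parser;
}
```

Feeding the same module one byte at a time and all at once must yield identical function bodies; a declared code section size that does not match, or a stream cut short, ends in FatalError.
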
480 2018-08-27  Mark Lam  <mark.lam@apple.com>
481
482         Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
483         https://bugs.webkit.org/show_bug.cgi?id=188577
484         <rdar://problem/42985684>
485
486         Reviewed by Saam Barati.
487
488         1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
489            (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
490
491            The StackOverflowFrame is a sentinel frame that the low level code (exception
492            throwing code, stack visitor, and stack unwinding code) will know to skip
493            over.  The StackOverflowFrame will also have a valid JSCallee so that client
494            code can compute the globalObject or VM from this frame.
495
496            As a result, client code that throws StackOverflowErrors no longer needs to
497            compute the caller frame to throw from: it just converts the top frame into
498            a StackOverflowFrame and everything should *Just Work*.
499
500         2. NativeCallFrameTracerWithRestore is now obsolete.
501
502            Instead, client code should always call convertToStackOverflowFrame() on the
503            frame before instantiating a NativeCallFrameTracer with it.
504
505            This means that topCallFrame will always point to the top CallFrame (which
506            may be a StackOverflowFrame), and topEntryFrame will always point to the top
507            EntryFrame.  We'll never temporarily point them to the previous EntryFrame
508            (which we used to do with NativeCallFrameTracerWithRestore).
509
510         3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
511            CallFrame, and will know how to handle a StackOverflowFrame if they see one.
512
513            This obsoletes the UnwindStart flag.
514
515         * CMakeLists.txt:
516         * JavaScriptCore.xcodeproj/project.pbxproj:
517         * Sources.txt:
518         * debugger/Debugger.cpp:
519         (JSC::Debugger::pauseIfNeeded):
520         * interpreter/CallFrame.cpp:
521         (JSC::CallFrame::callerFrame const):
522         (JSC::CallFrame::unsafeCallerFrame const):
523         (JSC::CallFrame::convertToStackOverflowFrame):
524         (JSC::CallFrame::callerFrame): Deleted.
525         (JSC::CallFrame::unsafeCallerFrame): Deleted.
526         * interpreter/CallFrame.h:
527         (JSC::ExecState::iterate):
528         * interpreter/CallFrameInlines.h: Added.
529         (JSC::CallFrame::isStackOverflowFrame const):
530         (JSC::CallFrame::isWasmFrame const):
531         * interpreter/EntryFrame.h: Added.
532         (JSC::EntryFrame::vmEntryRecordOffset):
533         (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
534         * interpreter/FrameTracers.h:
535         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
536         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
537         * interpreter/Interpreter.cpp:
538         (JSC::Interpreter::unwind):
539         * interpreter/Interpreter.h:
540         * interpreter/StackVisitor.cpp:
541         (JSC::StackVisitor::StackVisitor):
542         * interpreter/StackVisitor.h:
543         (JSC::StackVisitor::visit):
544         (JSC::StackVisitor::topEntryFrameIsEmpty const):
545         * interpreter/VMEntryRecord.h:
546         (JSC::VMEntryRecord::callee const):
547         (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
548         (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
549         * jit/AssemblyHelpers.h:
550         * jit/JITExceptions.cpp:
551         (JSC::genericUnwind):
552         * jit/JITExceptions.h:
553         * jit/JITOperations.cpp:
554         * llint/LLIntOffsetsExtractor.cpp:
555         * llint/LLIntSlowPaths.cpp:
556         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
557         * llint/LowLevelInterpreter.asm:
558         * llint/LowLevelInterpreter32_64.asm:
559         * llint/LowLevelInterpreter64.asm:
560         * runtime/CallData.cpp:
561         * runtime/CommonSlowPaths.cpp:
562         (JSC::throwArityCheckStackOverflowError):
563         (JSC::SLOW_PATH_DECL):
564         * runtime/CommonSlowPathsExceptions.cpp: Removed.
565         * runtime/CommonSlowPathsExceptions.h: Removed.
566         * runtime/Completion.cpp:
567         (JSC::evaluateWithScopeExtension):
568         * runtime/JSGeneratorFunction.h:
569         * runtime/JSGlobalObject.cpp:
570         (JSC::JSGlobalObject::init):
571         (JSC::JSGlobalObject::visitChildren):
572         * runtime/JSGlobalObject.h:
573         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
574         * runtime/VM.cpp:
575         (JSC::VM::throwException):
576         * runtime/VM.h:
577         * runtime/VMInlines.h:
578         (JSC::VM::topJSCallFrame const):
579
580 2018-08-27  Keith Rollin  <krollin@apple.com>
581
582         Unreviewed build fix -- disable LTO for production builds
583
584         * Configurations/Base.xcconfig:
585
586 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
587
588         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
589         https://bugs.webkit.org/show_bug.cgi?id=188931
590
591         Reviewed by Wenson Hsieh.
592
593         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
594
595 2018-08-27  Devin Rousso  <drousso@apple.com>
596
597         Web Inspector: provide autocompletion for event breakpoints
598         https://bugs.webkit.org/show_bug.cgi?id=188717
599
600         Reviewed by Brian Burg.
601
602         * inspector/protocol/DOM.json:
603         Add `getSupportedEventNames` command.
604
605 2018-08-27  Keith Rollin  <krollin@apple.com>
606
607         Build system support for LTO
608         https://bugs.webkit.org/show_bug.cgi?id=187785
609         <rdar://problem/42353132>
610
611         Reviewed by Dan Bernstein.
612
613         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
614         LTO.
615
616         * Configurations/Base.xcconfig:
617         * Configurations/DebugRelease.xcconfig:
618
619 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
620
621         [GTK][JSC] Add warn_unused_result attribute to some APIs
622         https://bugs.webkit.org/show_bug.cgi?id=188983
623
624         Reviewed by Michael Catanzaro.
625
626         * API/glib/JSCValue.h:
627
628 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
629
630         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
631         https://bugs.webkit.org/show_bug.cgi?id=188794
632
633         Reviewed by Saam Barati.
634
635         While Array.prototype.reverse modifies the butterfly of the given Array,
636         it does not account for the JSImmutableButterfly case. So it accidentally modifies
637         the content of JSImmutableButterfly.
638         This patch converts CoW arrays to writable arrays before reversing.
639
640         * runtime/ArrayPrototype.cpp:
641         (JSC::arrayProtoFuncReverse):
642         * runtime/JSObject.h:
643         (JSC::JSObject::ensureWritable):
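
The copy-on-write rule this patch applies, as an added example that is not WebKit's code: a CowArray whose storage may be the immutable buffer shared by every evaluation of an array literal (the role JSImmutableButterfly plays), with an ensureWritable() step before the in-place reverse. CowArray and its members are hypothetical stand-ins for JSArray/JSObject.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Stand-in for a JSArray whose butterfly may be a shared, immutable buffer.
class CowArray {
public:
    explicit CowArray(std::shared_ptr<const std::vector<int>> shared)
        : m_shared(std::move(shared)) { }

    // Counterpart of JSObject::ensureWritable(): if the storage is the shared
    // immutable buffer, copy it into private, writable storage first.
    // Returns true when a copy was actually made.
    bool ensureWritable()
    {
        if (m_writable)
            return false;
        m_writable = std::make_shared<std::vector<int>>(*m_shared);
        m_shared.reset();
        return true;
    }

    // Counterpart of arrayProtoFuncReverse(): mutate in place, but only after
    // making sure the storage belongs to this array alone.
    void reverse()
    {
        ensureWritable();
        std::reverse(m_writable->begin(), m_writable->end());
    }

    const std::vector<int>& values() const { return m_writable ? *m_writable : *m_shared; }
    bool sharesStorageWith(const CowArray& other) const { return m_shared && m_shared == other.m_shared; }

private:
    std::shared_ptr<const std::vector<int>> m_shared; // shared immutable storage, or null once copied
    std::shared_ptr<std::vector<int>> m_writable;     // private storage after ensureWritable()
};

// Two evaluations of one array literal share a single immutable buffer (constructed sample).
// Reversing one of them must change neither the other array nor the buffer itself.
bool reverseLeavesSharedBufferIntact()
{
    std::shared_ptr<const std::vector<int>> literal = std::make_shared<std::vector<int>>(std::vector<int>{1, 2, 3});
    CowArray a(literal), b(literal);
    bool sharedBefore = a.sharesStorageWith(b);
    a.reverse();
    return sharedBefore
        && !a.sharesStorageWith(b)
        && a.values() == std::vector<int>{3, 2, 1}
        && b.values() == std::vector<int>{1, 2, 3}
        && *literal == std::vector<int>{1, 2, 3};
}

// ensureWritable() copies at most once; later mutations reuse the private storage.
int copiesMadeBy(int mutationCount)
{
    std::shared_ptr<const std::vector<int>> literal = std::make_shared<std::vector<int>>(std::vector<int>{7, 8, 9});
    CowArray a(literal);
    int copies = 0;
    for (int i = 0; i < mutationCount; ++i)
        copies += a.ensureWritable() ? 1 : 0;
    return copies;
}
```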
644
645 2018-08-24  Michael Saboff  <msaboff@apple.com>
646
647         YARR: Update UCS canonicalization tables for Unicode 11
648         https://bugs.webkit.org/show_bug.cgi?id=188928
649
650         Reviewed by Mark Lam.
651
652         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
653
654         This passes JavaScriptCore and test262 tests.
655
656         * yarr/YarrCanonicalizeUCS2.cpp:
657         * yarr/YarrCanonicalizeUCS2.js:
658         (printHeader):
659
660 2018-08-24  Michael Saboff  <msaboff@apple.com>
661
662         YARR: JIT RegExps with non-greedy parenthesized sub patterns
663         https://bugs.webkit.org/show_bug.cgi?id=180876
664
665         Reviewed by Filip Pizlo.
666
667         Implemented the non-greedy nested parentheses based on the prior greedy nested parentheses work.
668         For the matching code, the greedy path was correct except that we don't try matching for the
669         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
670         first / next match when we backtrack.  The backtracking code needs to check to see if we have
671         tried the first match or if we can do another match.
672
673         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
674         count.  Did other minor cleanup as well.
675
676         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
677
678         Updated the text in some comments, both for this change as well as accuracy for existing code.
679
680         * yarr/YarrJIT.cpp:
681         (JSC::Yarr::YarrGenerator::generate):
682         (JSC::Yarr::YarrGenerator::backtrack):
683         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
684         (JSC::Yarr::YarrGenerator::compile):
685         (JSC::Yarr::dumpCompileFailure):
686         (JSC::Yarr::jitCompile):
687         * yarr/YarrJIT.h:
688         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
689         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
690
691 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
692
693         Add support for dumping GC heap snapshots, and a viewer
694         https://bugs.webkit.org/show_bug.cgi?id=186416
695
696         Reviewed by Joseph Pecoraro.
697
698         Make a way to dump information about the GC heap that is useful for looking for leaked
699         or abandoned objects. This dump is obtained (on Apple platforms) via:
700             notifyutil -p com.apple.WebKit.dumpGCHeap
701         which writes a JSON file to /tmp that can then be loaded into the viewer in Tools/GCHeapInspector.
702         
703         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
704         the snapshot JSON that adds additional data about objects and why they are GC roots.
705
706         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
707         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
708         objects visited via opaque roots, we record the reason why via a new out param to
709         isReachableFromOpaqueRoots().
710
711         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
712         additional information including the address of the JSCell* and the wrapped object (for
713         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
714         be the document URL.
715
716         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
717
718         * API/JSAPIWrapperObject.mm:
719         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
720         * API/JSManagedValue.mm:
721         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
722         * API/glib/JSAPIWrapperObjectGLib.cpp:
723         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
724         * CMakeLists.txt:
725         * heap/ConservativeRoots.h:
726         (JSC::ConservativeRoots::size const):
727         (JSC::ConservativeRoots::size): Deleted.
728         * heap/Heap.cpp:
729         (JSC::Heap::addCoreConstraints):
730         * heap/HeapSnapshotBuilder.cpp:
731         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
732         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
733         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
734         (JSC::HeapSnapshotBuilder::buildSnapshot):
735         (JSC::HeapSnapshotBuilder::appendNode):
736         (JSC::HeapSnapshotBuilder::appendEdge):
737         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
738         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
739         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
740         (JSC::snapshotTypeToString):
741         (JSC::rootTypeToString):
742         (JSC::HeapSnapshotBuilder::setLabelForCell):
743         (JSC::HeapSnapshotBuilder::descriptionForCell const):
744         (JSC::HeapSnapshotBuilder::json):
745         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
746         * heap/HeapSnapshotBuilder.h:
747         * heap/SlotVisitor.cpp:
748         (JSC::SlotVisitor::appendSlow):
749         * heap/SlotVisitor.h:
750         (JSC::SlotVisitor::heapSnapshotBuilder const):
751         (JSC::SlotVisitor::rootMarkReason const):
752         (JSC::SlotVisitor::setRootMarkReason):
753         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
754         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
755         * heap/WeakBlock.cpp:
756         (JSC::WeakBlock::specializedVisit):
757         * heap/WeakHandleOwner.cpp:
758         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
759         * heap/WeakHandleOwner.h:
760         * runtime/SimpleTypedArrayController.cpp:
761         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
762         * runtime/SimpleTypedArrayController.h:
763         * tools/JSDollarVM.cpp:
764
765 2018-08-23  Saam barati  <sbarati@apple.com>
766
767         JSRunLoopTimer may run part of a member function after it's destroyed
768         https://bugs.webkit.org/show_bug.cgi?id=188426
769
770         Reviewed by Mark Lam.
771
772         When I was reading the JSRunLoopTimer code, I noticed that it is possible
773         to end up running timer code after the class has been destroyed.
774         
775         The issue I spotted was in this function:
776         ```
777         void JSRunLoopTimer::timerDidFire()
778         {
779             JSLock* apiLock = m_apiLock.get();
780             if (!apiLock) {
781                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
782                 return;
783             }
784             // HERE
785             std::lock_guard<JSLock> lock(*apiLock);
786             RefPtr<VM> vm = apiLock->vm();
787             if (!vm) {
788                 // The VM has been destroyed, so we should just give up.
789                 return;
790             }
791         
792             doWork();
793         }
794         ```
795         
796         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
797         switched before grabbing the API lock. Then, some other thread destroys the VM.
798         And let's say that the VM owns (perhaps transitively) this timer. Then, the
799         timer would run code and access member variables after it was destroyed.
800         
801         This patch fixes this issue by introducing a new timer manager class. 
802         This class manages timers on a per VM basis. When a timer is scheduled,
803         this class refs the timer. It also calls the timer callback while actively
804         maintaining a +1 ref to it. So, it's no longer possible to call the timer
805         callback after the timer has been destroyed. However, calling a timer callback
806         can still race with the VM being destroyed. We continue to detect this case and
807         bail out of the callback early.
808         
809         This patch also removes a lot of duplicate code between GCActivityCallback
810         and JSRunLoopTimer.
811
812         * heap/EdenGCActivityCallback.cpp:
813         (JSC::EdenGCActivityCallback::doCollection):
814         (JSC::EdenGCActivityCallback::lastGCLength):
815         (JSC::EdenGCActivityCallback::deathRate):
816         * heap/EdenGCActivityCallback.h:
817         * heap/FullGCActivityCallback.cpp:
818         (JSC::FullGCActivityCallback::doCollection):
819         (JSC::FullGCActivityCallback::lastGCLength):
820         (JSC::FullGCActivityCallback::deathRate):
821         * heap/FullGCActivityCallback.h:
822         * heap/GCActivityCallback.cpp:
823         (JSC::GCActivityCallback::doWork):
824         (JSC::GCActivityCallback::scheduleTimer):
825         (JSC::GCActivityCallback::didAllocate):
826         (JSC::GCActivityCallback::willCollect):
827         (JSC::GCActivityCallback::cancel):
828         (JSC::GCActivityCallback::cancelTimer): Deleted.
829         (JSC::GCActivityCallback::nextFireTime): Deleted.
830         * heap/GCActivityCallback.h:
831         * heap/Heap.cpp:
832         (JSC::Heap::reportAbandonedObjectGraph):
833         (JSC::Heap::notifyIncrementalSweeper):
834         (JSC::Heap::updateAllocationLimits):
835         (JSC::Heap::didAllocate):
836         * heap/IncrementalSweeper.cpp:
837         (JSC::IncrementalSweeper::scheduleTimer):
838         (JSC::IncrementalSweeper::doWork):
839         (JSC::IncrementalSweeper::doSweep):
840         (JSC::IncrementalSweeper::sweepNextBlock):
841         (JSC::IncrementalSweeper::startSweeping):
842         (JSC::IncrementalSweeper::stopSweeping):
843         * heap/IncrementalSweeper.h:
844         * heap/StopIfNecessaryTimer.cpp:
845         (JSC::StopIfNecessaryTimer::doWork):
846         (JSC::StopIfNecessaryTimer::scheduleSoon):
847         * heap/StopIfNecessaryTimer.h:
848         * runtime/JSRunLoopTimer.cpp:
849         (JSC::epochTime):
850         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
851         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
852         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
853         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
854         (JSC::JSRunLoopTimer::Manager::timerDidFire):
855         (JSC::JSRunLoopTimer::Manager::shared):
856         (JSC::JSRunLoopTimer::Manager::registerVM):
857         (JSC::JSRunLoopTimer::Manager::unregisterVM):
858         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
859         (JSC::JSRunLoopTimer::Manager::cancelTimer):
860         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
861         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
862         (JSC::JSRunLoopTimer::timerDidFire):
863         (JSC::JSRunLoopTimer::JSRunLoopTimer):
864         (JSC::JSRunLoopTimer::timeUntilFire):
865         (JSC::JSRunLoopTimer::setTimeUntilFire):
866         (JSC::JSRunLoopTimer::cancelTimer):
867         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
868         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
869         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
870         * runtime/JSRunLoopTimer.h:
871         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
872         * runtime/PromiseDeferredTimer.cpp:
873         (JSC::PromiseDeferredTimer::doWork):
874         (JSC::PromiseDeferredTimer::runRunLoop):
875         (JSC::PromiseDeferredTimer::addPendingPromise):
876         (JSC::PromiseDeferredTimer::hasPendingPromise):
877         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
878         (JSC::PromiseDeferredTimer::cancelPendingPromise):
879         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
880         * runtime/PromiseDeferredTimer.h:
881         * runtime/VM.cpp:
882         (JSC::VM::VM):
883         (JSC::VM::~VM):
884         (JSC::VM::setRunLoop):
885         (JSC::VM::registerRunLoopTimer): Deleted.
886         (JSC::VM::unregisterRunLoopTimer): Deleted.
887         * runtime/VM.h:
888         (JSC::VM::runLoop const):
889         * wasm/js/WebAssemblyPrototype.cpp:
890         (JSC::webAssemblyModuleValidateAsyncInternal):
891         (JSC::instantiate):
892         (JSC::compileAndInstantiate):
893         (JSC::webAssemblyModuleInstantinateAsyncInternal):
894         (JSC::webAssemblyCompileStreamingInternal):
895         (JSC::webAssemblyInstantiateStreamingInternal):
896
897 2018-08-23  Mark Lam  <mark.lam@apple.com>
898
899         Move vmEntryGlobalObject() to VM from CallFrame.
900         https://bugs.webkit.org/show_bug.cgi?id=188900
901         <rdar://problem/43655753>
902
903         Reviewed by Michael Saboff.
904
905         Also introduced CallFrame::isGlobalExec() which makes use of one property of
906         GlobalExecs to identify them, i.e. GlobalExecs have null callerFrames and returnPCs.
907         CallFrame::initGlobalExec() ensures this.
908
909         In contrast, normal CallFrames always have a callerFrame (because they must at
910         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
911         VM entry glue).
912
913         * API/APIUtils.h:
914         (handleExceptionIfNeeded):
915         (setException):
916         * API/JSBase.cpp:
917         (JSEvaluateScript):
918         (JSCheckScriptSyntax):
919         * API/JSContextRef.cpp:
920         (JSGlobalContextRetain):
921         (JSGlobalContextRelease):
922         (JSGlobalContextCopyName):
923         (JSGlobalContextSetName):
924         (JSGlobalContextGetRemoteInspectionEnabled):
925         (JSGlobalContextSetRemoteInspectionEnabled):
926         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
927         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
928         (JSGlobalContextGetDebuggerRunLoop):
929         (JSGlobalContextSetDebuggerRunLoop):
930         (JSGlobalContextGetAugmentableInspectorController):
931         * API/JSValue.mm:
932         (reportExceptionToInspector):
933         * API/glib/JSCClass.cpp:
934         (jscContextForObject):
935         * API/glib/JSCContext.cpp:
936         (jsc_context_evaluate_in_object):
937         * debugger/Debugger.cpp:
938         (JSC::Debugger::pauseIfNeeded):
939         * debugger/DebuggerCallFrame.cpp:
940         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
941         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
942         * interpreter/CallFrame.cpp:
943         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
944         * interpreter/CallFrame.h:
945         (JSC::ExecState::scope const):
946         (JSC::ExecState::noCaller):
947         (JSC::ExecState::isGlobalExec const):
948         * interpreter/Interpreter.cpp:
949         (JSC::notifyDebuggerOfUnwinding):
950         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
951         (JSC::Interpreter::debug):
952         * runtime/CallData.cpp:
953         (JSC::profiledCall):
954         * runtime/Completion.cpp:
955         (JSC::evaluate):
956         (JSC::profiledEvaluate):
957         (JSC::evaluateWithScopeExtension):
958         (JSC::loadAndEvaluateModule):
959         (JSC::loadModule):
960         (JSC::linkAndEvaluateModule):
961         (JSC::importModule):
962         * runtime/ConstructData.cpp:
963         (JSC::profiledConstruct):
964         * runtime/Error.cpp:
965         (JSC::getStackTrace):
966         * runtime/VM.cpp:
967         (JSC::VM::throwException):
968         (JSC::VM::vmEntryGlobalObject const):
969         * runtime/VM.h:
970
971 2018-08-23  Andy Estes  <aestes@apple.com>
972
973         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
974         https://bugs.webkit.org/show_bug.cgi?id=188829
975
976         Reviewed by Tim Horton.
977
978         * Configurations/FeatureDefines.xcconfig:
979
980 2018-08-23  Devin Rousso  <drousso@apple.com>
981
982         Web Inspector: support breakpoints for timers and animation-frame events
983         https://bugs.webkit.org/show_bug.cgi?id=188778
984
985         Reviewed by Brian Burg.
986
987         * inspector/protocol/Debugger.json:
988         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
989
990         * inspector/protocol/DOMDebugger.json:
991         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
992          - `setEventListenerBreakpoint`
993          - `removeEventListenerBreakpoint`
994          - `setInstrumentationBreakpoint`
995          - `removeInstrumentationBreakpoint`
996         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
997
998         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
999         (CppProtocolTypesHeaderGenerator.generate_output):
1000         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
1001         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
1002         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
1003         Generate `DefaultHash` for all `enum class` used by inspector protocols.
1004
1005         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1006         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1007         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1008         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1009         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1010         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1011         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1012
1013 2018-08-23  Michael Saboff  <msaboff@apple.com>
1014
1015         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
1016         https://bugs.webkit.org/show_bug.cgi?id=188895
1017
1018         Reviewed by Mark Lam.
1019
1020         Found while working on another change.  This will allow processing of nested
1021         parentheses that require saved ParenContext structures.
1022
1023         * yarr/YarrJIT.cpp:
1024         (JSC::Yarr::YarrGenerator::compile):
1025
1026 2018-08-22  Michael Saboff  <msaboff@apple.com>
1027
1028         https://bugs.webkit.org/show_bug.cgi?id=188859
1029         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1030
1031         Rubber-stamped by Saam Barati.
1032
1033         Deleted these two functions.
1034
1035         * jit/JITOperations.cpp:
1036         * jit/JITOperations.h:
1037
1038 2018-08-22  Mark Lam  <mark.lam@apple.com>
1039
1040         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1041         https://bugs.webkit.org/show_bug.cgi?id=188298
1042         <rdar://problem/42888427>
1043
1044         Reviewed by Saam Barati.
1045
1046         In the event that both targets of a Branch are the same block, then even if we'll
1047         always take one path of the branch, the other target is not unreachable because
1048         it is the same target as the one in the taken path.  Hence, it should not be
1049         jettisoned.
1050
1051         * JavaScriptCore.xcodeproj/project.pbxproj:
1052         - Added DFGCFG.h which is in use and should have been added to the project.
1053         * dfg/DFGCFGSimplificationPhase.cpp:
1054         (JSC::DFG::CFGSimplificationPhase::run):
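
The reachability check this entry describes, as an added example that is not WebKit's code: a tiny CFG in which a branch with a statically known condition is folded, and the untaken target is jettisoned only when it is a different block from the taken one. Block, Branch and foldBranch are hypothetical stand-ins for the DFG's structures.

```cpp
#include <algorithm>
#include <vector>

struct Block {
    int id;
    std::vector<Block*> successors;
    std::vector<Block*> predecessors;
    bool jettisoned; // value-initialized to false by aggregate init below
};

// A Branch with two targets; taken == notTaken is legal and is the case the fix concerns.
struct Branch {
    Block* source;
    Block* taken;
    Block* notTaken;
};

static void link(Block* from, Block* to)
{
    from->successors.push_back(to);
    to->predecessors.push_back(from);
}

// Removes one edge from -> to. A block may appear twice in a successor list when both
// branch directions target it, so only a single occurrence is erased.
static void unlinkOne(Block* from, Block* to)
{
    auto s = std::find(from->successors.begin(), from->successors.end(), to);
    if (s != from->successors.end())
        from->successors.erase(s);
    auto p = std::find(to->predecessors.begin(), to->predecessors.end(), from);
    if (p != to->predecessors.end())
        to->predecessors.erase(p);
}

// Folds a branch whose condition is statically known. The untaken direction is only
// dead if it is a different block: when both directions target the same block, that
// block is still reached through the kept edge and must not be jettisoned.
// Returns the jettisoned block, or nullptr if nothing was jettisoned.
Block* foldBranch(Branch& branch, bool conditionIsTrue)
{
    Block* kept = conditionIsTrue ? branch.taken : branch.notTaken;
    Block* dropped = conditionIsTrue ? branch.notTaken : branch.taken;
    if (dropped == kept)
        return nullptr; // the check this patch adds: same block on both edges
    unlinkOne(branch.source, dropped);
    if (!dropped->predecessors.empty())
        return nullptr; // still reachable from elsewhere
    dropped->jettisoned = true;
    return dropped;
}

// Scenario from the bug: A branches to B in both directions; folding must keep A -> B.
bool sameTargetBlockSurvives()
{
    Block a{0}, b{1};
    link(&a, &b);
    link(&a, &b);
    Branch branch{&a, &b, &b};
    Block* dropped = foldBranch(branch, true);
    return dropped == nullptr && !b.jettisoned && !b.predecessors.empty() && !a.successors.empty();
}

// Ordinary case: A branches to B (taken) or C (not taken); the condition is true, so C dies.
bool distinctUntakenTargetIsJettisoned()
{
    Block a{0}, b{1}, c{2};
    link(&a, &b);
    link(&a, &c);
    Branch branch{&a, &b, &c};
    Block* dropped = foldBranch(branch, true);
    return dropped == &c && c.jettisoned && !b.jettisoned
        && a.successors.size() == 1 && a.successors[0] == &b;
}
```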
1055
1056 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1057
1058         [JSC] HeapUtil should care about pointer overflow
1059         https://bugs.webkit.org/show_bug.cgi?id=188740
1060
1061         Reviewed by Saam Barati.
1062
1063         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
1064         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1065         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1066
1067         * heap/HeapUtil.h:
1068         (JSC::HeapUtil::findGCObjectPointersForMarking):
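
The integer-arithmetic approach this entry describes, as an added example that is not WebKit's code: the candidate address is computed on uintptr_t, where wrap-around is well-defined, and then range-checked against a block before anything is treated as a pointer. kIndexingHeaderSize, candidateBeforeHeader and the constructed stack words are hypothetical; the real header size is a JSC layout detail.

```cpp
#include <cstdint>

// Stand-in for sizeof(IndexingHeader).
constexpr uintptr_t kIndexingHeaderSize = 8;

// Compute "pointer - sizeof(IndexingHeader) - 1" as an integer. Forming that value as a
// char* is undefined once it leaves the object (e.g. pointer == nullptr); as uintptr_t
// arithmetic it merely wraps, which is well-defined and can be range-checked afterwards.
uintptr_t candidateBeforeHeader(const void* pointer)
{
    uintptr_t p = reinterpret_cast<uintptr_t>(pointer);
    return p - kIndexingHeaderSize - 1;
}

// Conservative scanning only needs to know whether the candidate lands inside a known
// block; a wrapped value for a tiny `pointer` is rejected here and never turned back
// into a pointer.
bool candidateLiesInBlock(const void* pointer, uintptr_t blockStart, uintptr_t blockEnd)
{
    uintptr_t candidate = candidateBeforeHeader(pointer);
    return candidate >= blockStart && candidate < blockEnd;
}

// Conservative scan over a list of stack words: every word is treated as a possible
// interior pointer and the cell that would precede its indexing header is range-checked.
// Returns how many words resolved to a cell inside [blockStart, blockEnd).
int countCandidatesInBlock(const uintptr_t* words, int count, uintptr_t blockStart, uintptr_t blockEnd)
{
    int hits = 0;
    for (int i = 0; i < count; ++i) {
        if (candidateLiesInBlock(reinterpret_cast<const void*>(words[i]), blockStart, blockEnd))
            ++hits;
    }
    return hits;
}

// Constructed sample words: null, a small integer, two in-block candidates, one just past the block.
const uintptr_t kSampleWords[] = { 0, 5, 0x1009, 0x2008, 0x2009 };
const int kSampleWordCount = 5;
```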
1069
1070 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1071
1072         [JSC] Should not rotate constant with 64
1073         https://bugs.webkit.org/show_bug.cgi?id=188556
1074
1075         Reviewed by Saam Barati.
1076
1077         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1078         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1079         where value's type is uint64_t, and they cause undefined behavior (UB). This patch limits
1080         the seed to the range [1, 63] so as not to generate code causing UB. This was found by UBSan.
1081
1082         * assembler/MacroAssembler.h:
1083         (JSC::MacroAssembler::generateRotationSeed):
1084         (JSC::MacroAssembler::rotationBlindConstant):
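
Constant blinding by rotation with the seed held to [1, 63], as an added example that is not WebKit's code: the blinded form is what a code generator would embed, and the un-rotation is what the emitted code would perform, so neither shift amount can reach 0 or 64. generateRotationSeed, blind and unblind are hypothetical stand-ins for the MacroAssembler helpers named above; the generator is seeded deterministically so the checks are repeatable.

```cpp
#include <cstdint>
#include <random>

// With seed in [1, 63] both shift amounts are in [1, 63]; a seed of 0 or 64 would make one of
// them `x << 64` / `x >> 64`, which is undefined for a 64-bit value.
inline uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    return (value << seed) | (value >> (64 - seed));
}

inline uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    return (value >> seed) | (value << (64 - seed));
}

// Draws a seed in [1, 63]: 1 + [0, 62].
unsigned generateRotationSeed(std::mt19937_64& rng)
{
    return 1 + static_cast<unsigned>(rng() % 63);
}

struct BlindedConstant {
    uint64_t rotated; // the value that appears in generated code
    unsigned seed;    // the rotation the generated code undoes at run time
};

// The raw constant never appears verbatim in executable memory; only its rotated form does.
BlindedConstant blind(uint64_t value, unsigned seed)
{
    return { rotateLeft64(value, seed), seed };
}

uint64_t unblind(const BlindedConstant& c)
{
    return rotateRight64(c.rotated, c.seed);
}

// Every seed the generator produces stays inside [1, 63].
bool seedAlwaysInRange(int samples)
{
    std::mt19937_64 rng(0x1234); // fixed seed for repeatability
    for (int i = 0; i < samples; ++i) {
        unsigned s = generateRotationSeed(rng);
        if (s < 1 || s > 63)
            return false;
    }
    return true;
}

// Blinding followed by unblinding is the identity for every permitted seed.
bool roundTripsForAllSeeds(uint64_t value)
{
    for (unsigned seed = 1; seed <= 63; ++seed) {
        if (unblind(blind(value, seed)) != value)
            return false;
    }
    return true;
}
```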
1085
1086 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1087
1088         Unreviewed, rolling out r235107.
1089         https://bugs.webkit.org/show_bug.cgi?id=188832
1090
1091         "It revealed bugs in Blob code as well as regressed JS
1092         performance tests" (Requested by saamyjoon on #webkit).
1093
1094         Reverted changeset:
1095
1096         "JSRunLoopTimer may run part of a member function after it's
1097         destroyed"
1098         https://bugs.webkit.org/show_bug.cgi?id=188426
1099         https://trac.webkit.org/changeset/235107
1100
1101 2018-08-21  Saam barati  <sbarati@apple.com>
1102
1103         JSRunLoopTimer may run part of a member function after it's destroyed
1104         https://bugs.webkit.org/show_bug.cgi?id=188426
1105
1106         Reviewed by Mark Lam.
1107
1108         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1109         to end up running timer code after the class has been destroyed.
1110         
1111         The issue I spotted was in this function:
1112         ```
1113         void JSRunLoopTimer::timerDidFire()
1114         {
1115             JSLock* apiLock = m_apiLock.get();
1116             if (!apiLock) {
1117                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1118                 return;
1119             }
1120             // HERE
1121             std::lock_guard<JSLock> lock(*apiLock);
1122             RefPtr<VM> vm = apiLock->vm();
1123             if (!vm) {
1124                 // The VM has been destroyed, so we should just give up.
1125                 return;
1126             }
1127         
1128             doWork();
1129         }
1130         ```
1131         
1132         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1133         switched before grabbing the API lock. Then, some other thread destroys the VM.
1134         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1135         timer would run code and access member variables after it was destroyed.
1136         
1137         This patch fixes this issue by introducing a new timer manager class. 
1138         This class manages timers on a per VM basis. When a timer is scheduled,
1139         this class refs the timer. It also calls the timer callback while actively
1140         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1141         callback after the timer has been destroyed. However, calling a timer callback
1142         can still race with the VM being destroyed. We continue to detect this case and
1143         bail out of the callback early.
1144         
1145         This patch also removes a lot of duplicate code between GCActivityCallback
1146         and JSRunLoopTimer.
1147
1148         * heap/EdenGCActivityCallback.cpp:
1149         (JSC::EdenGCActivityCallback::doCollection):
1150         (JSC::EdenGCActivityCallback::lastGCLength):
1151         (JSC::EdenGCActivityCallback::deathRate):
1152         * heap/EdenGCActivityCallback.h:
1153         * heap/FullGCActivityCallback.cpp:
1154         (JSC::FullGCActivityCallback::doCollection):
1155         (JSC::FullGCActivityCallback::lastGCLength):
1156         (JSC::FullGCActivityCallback::deathRate):
1157         * heap/FullGCActivityCallback.h:
1158         * heap/GCActivityCallback.cpp:
1159         (JSC::GCActivityCallback::doWork):
1160         (JSC::GCActivityCallback::scheduleTimer):
1161         (JSC::GCActivityCallback::didAllocate):
1162         (JSC::GCActivityCallback::willCollect):
1163         (JSC::GCActivityCallback::cancel):
1164         (JSC::GCActivityCallback::cancelTimer): Deleted.
1165         (JSC::GCActivityCallback::nextFireTime): Deleted.
1166         * heap/GCActivityCallback.h:
1167         * heap/Heap.cpp:
1168         (JSC::Heap::reportAbandonedObjectGraph):
1169         (JSC::Heap::notifyIncrementalSweeper):
1170         (JSC::Heap::updateAllocationLimits):
1171         (JSC::Heap::didAllocate):
1172         * heap/IncrementalSweeper.cpp:
1173         (JSC::IncrementalSweeper::scheduleTimer):
1174         (JSC::IncrementalSweeper::doWork):
1175         (JSC::IncrementalSweeper::doSweep):
1176         (JSC::IncrementalSweeper::sweepNextBlock):
1177         (JSC::IncrementalSweeper::startSweeping):
1178         (JSC::IncrementalSweeper::stopSweeping):
1179         * heap/IncrementalSweeper.h:
1180         * heap/StopIfNecessaryTimer.cpp:
1181         (JSC::StopIfNecessaryTimer::doWork):
1182         (JSC::StopIfNecessaryTimer::scheduleSoon):
1183         * heap/StopIfNecessaryTimer.h:
1184         * runtime/JSRunLoopTimer.cpp:
1185         (JSC::epochTime):
1186         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1187         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1188         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1189         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1190         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1191         (JSC::JSRunLoopTimer::Manager::shared):
1192         (JSC::JSRunLoopTimer::Manager::registerVM):
1193         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1194         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1195         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1196         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1197         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1198         (JSC::JSRunLoopTimer::timerDidFire):
1199         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1200         (JSC::JSRunLoopTimer::timeUntilFire):
1201         (JSC::JSRunLoopTimer::setTimeUntilFire):
1202         (JSC::JSRunLoopTimer::cancelTimer):
1203         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1204         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1205         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1206         * runtime/JSRunLoopTimer.h:
1207         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1208         * runtime/PromiseDeferredTimer.cpp:
1209         (JSC::PromiseDeferredTimer::doWork):
1210         (JSC::PromiseDeferredTimer::runRunLoop):
1211         (JSC::PromiseDeferredTimer::addPendingPromise):
1212         (JSC::PromiseDeferredTimer::hasPendingPromise):
1213         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1214         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1215         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1216         * runtime/PromiseDeferredTimer.h:
1217         * runtime/VM.cpp:
1218         (JSC::VM::VM):
1219         (JSC::VM::~VM):
1220         (JSC::VM::setRunLoop):
1221         (JSC::VM::registerRunLoopTimer): Deleted.
1222         (JSC::VM::unregisterRunLoopTimer): Deleted.
1223         * runtime/VM.h:
1224         (JSC::VM::runLoop const):
1225         * wasm/js/WebAssemblyPrototype.cpp:
1226         (JSC::webAssemblyModuleValidateAsyncInternal):
1227         (JSC::instantiate):
1228         (JSC::compileAndInstantiate):
1229         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1230         (JSC::webAssemblyCompileStreamingInternal):
1231         (JSC::webAssemblyInstantiateStreamingInternal):
1232
1233 2018-08-20  Saam barati  <sbarati@apple.com>
1234
1235         Inline DataView accesses into DFG/FTL
1236         https://bugs.webkit.org/show_bug.cgi?id=188573
1237         <rdar://problem/43286746>
1238
1239         Reviewed by Michael Saboff.
1240
1241         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1242         straightforward. We inline the various get*/set* operations as intrinsics.
1243         
1244         This patch takes the most obvious approach for now. We OSR exit when:
1245         - An isLittleEndian argument is provided, and is not a boolean.
1246         - The index isn't an integer.
1247         - The |this| isn't a DataView.
1248         - We do an OOB access (or see a neutered array)
1249         
1250         To implement this change in a performant way, this patch teaches the macro
1251         assembler how to emit byte swap operations. The semantics of the added functions
1252         are byteSwap + zero extend. This means for the 16bit byte swaps, we need
1253         to actually emit zero extend instructions. For the 32/64bit byte swaps,
1254         the instructions already have these semantics.
1255         
1256         This patch is just a lightweight initial implementation. There are some easy
1257         extensions we can do in future changes:
1258         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1259         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1260
1261         * assembler/MacroAssemblerARM64.h:
1262         (JSC::MacroAssemblerARM64::byteSwap16):
1263         (JSC::MacroAssemblerARM64::byteSwap32):
1264         (JSC::MacroAssemblerARM64::byteSwap64):
1265         * assembler/MacroAssemblerX86Common.h:
1266         (JSC::MacroAssemblerX86Common::byteSwap32):
1267         (JSC::MacroAssemblerX86Common::byteSwap16):
1268         (JSC::MacroAssemblerX86Common::byteSwap64):
1269         * assembler/X86Assembler.h:
1270         (JSC::X86Assembler::bswapl_r):
1271         (JSC::X86Assembler::bswapq_r):
1272         (JSC::X86Assembler::shiftInstruction16):
1273         (JSC::X86Assembler::rolw_i8r):
1274         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1275         * assembler/testmasm.cpp:
1276         (JSC::testByteSwap):
1277         (JSC::run):
1278         * bytecode/DataFormat.h:
1279         * bytecode/SpeculatedType.cpp:
1280         (JSC::dumpSpeculation):
1281         (JSC::speculationFromClassInfo):
1282         (JSC::speculationFromJSType):
1283         (JSC::speculationFromString):
1284         * bytecode/SpeculatedType.h:
1285         * dfg/DFGAbstractInterpreterInlines.h:
1286         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1287         * dfg/DFGByteCodeParser.cpp:
1288         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1289         * dfg/DFGClobberize.h:
1290         (JSC::DFG::clobberize):
1291         * dfg/DFGDoesGC.cpp:
1292         (JSC::DFG::doesGC):
1293         * dfg/DFGFixupPhase.cpp:
1294         (JSC::DFG::FixupPhase::fixupNode):
1295         * dfg/DFGNode.h:
1296         (JSC::DFG::Node::hasHeapPrediction):
1297         (JSC::DFG::Node::dataViewData):
1298         * dfg/DFGNodeType.h:
1299         * dfg/DFGPredictionPropagationPhase.cpp:
1300         * dfg/DFGSafeToExecute.h:
1301         (JSC::DFG::SafeToExecuteEdge::operator()):
1302         (JSC::DFG::safeToExecute):
1303         * dfg/DFGSpeculativeJIT.cpp:
1304         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1305         (JSC::DFG::SpeculativeJIT::speculate):
1306         * dfg/DFGSpeculativeJIT.h:
1307         * dfg/DFGSpeculativeJIT32_64.cpp:
1308         (JSC::DFG::SpeculativeJIT::compile):
1309         * dfg/DFGSpeculativeJIT64.cpp:
1310         (JSC::DFG::SpeculativeJIT::compile):
1311         * dfg/DFGUseKind.cpp:
1312         (WTF::printInternal):
1313         * dfg/DFGUseKind.h:
1314         (JSC::DFG::typeFilterFor):
1315         (JSC::DFG::isCell):
1316         * ftl/FTLCapabilities.cpp:
1317         (JSC::FTL::canCompile):
1318         * ftl/FTLLowerDFGToB3.cpp:
1319         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1320         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1321         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1322         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1323         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1324         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1325         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1326         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1327         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1328         * runtime/Intrinsic.cpp:
1329         (JSC::intrinsicName):
1330         * runtime/Intrinsic.h:
1331         * runtime/JSDataViewPrototype.cpp:
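
The semantics the inlined DataView intrinsics above must preserve, written out in plain C as an added example (this is not JavaScriptCore code; the names data_view, byte_swap16_zext and sample_get_* are this example's own): byte swap with explicit zero extension for the 16-bit case, host-endianness detection, an overflow-safe bounds check, and the detached-buffer case. The failure paths return false where the JIT would OSR exit and the runtime would throw. The 4-byte sample buffer is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte swap with zero-extension semantics. A 32/64-bit bswap leaves a clean
 * register on its own; a 16-bit rotate (rolw on x86) leaves bits 16..31 as they
 * were, which is what the final mask models. */
static uint32_t byte_swap16_zext(uint32_t v)
{
    uint32_t upper = v & 0xffff0000u;
    uint32_t low = v & 0xffffu;
    uint32_t rolled = upper | (((low << 8) | (low >> 8)) & 0xffffu); /* rolw-like: upper half untouched */
    return rolled & 0xffffu;                                          /* explicit zero extension */
}

typedef struct {
    const uint8_t *data;
    size_t byte_length;
    bool neutered;      /* true once the backing ArrayBuffer was detached */
} data_view;

static bool host_is_little_endian(void)
{
    const uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Reads the 16-bit value at byte offset `index`. Returns false in the cases the
 * entry lists as OSR exits, which the runtime reports as exceptions: a detached
 * buffer or an access that does not fit. The bounds check is phrased so that
 * `index + 2` can never overflow. */
static bool data_view_get_uint16(const data_view *view, size_t index,
                                 bool little_endian, uint32_t *out)
{
    if (view->neutered)
        return false;
    if (index > view->byte_length || view->byte_length - index < 2)
        return false;
    uint16_t raw;
    memcpy(&raw, view->data + index, sizeof raw);   /* host order, alignment-safe */
    uint32_t value = raw;
    if (little_endian != host_is_little_endian())
        value = byte_swap16_zext(value);
    *out = value;
    return true;
}

static bool data_view_get_int16(const data_view *view, size_t index,
                                bool little_endian, int32_t *out)
{
    uint32_t u;
    if (!data_view_get_uint16(view, index, little_endian, &u))
        return false;
    *out = u >= 0x8000u ? (int32_t)u - 0x10000 : (int32_t)u;   /* sign-extend 16 -> 32 */
    return true;
}

/* Constructed sample buffer so the wrappers below run without any setup. */
static const uint8_t sample_bytes[4] = { 0x12, 0x34, 0xff, 0xfe };

/* Wrappers returning -1 (resp. INT64_MIN) on the failure path. */
static int64_t sample_get_uint16(size_t index, bool little_endian, bool neutered)
{
    data_view view = { sample_bytes, sizeof sample_bytes, neutered };
    uint32_t v;
    return data_view_get_uint16(&view, index, little_endian, &v) ? (int64_t)v : -1;
}

static int64_t sample_get_int16(size_t index, bool little_endian)
{
    data_view view = { sample_bytes, sizeof sample_bytes, false };
    int32_t v;
    return data_view_get_int16(&view, index, little_endian, &v) ? (int64_t)v : INT64_MIN;
}
```

The `view->byte_length - index < 2` form matters: writing the check as `index + 2 > byte_length` lets a huge index wrap around and pass.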
1332
1333 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1334
1335         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1336         https://bugs.webkit.org/show_bug.cgi?id=181989
1337
1338         Reviewed by Michael Saboff.
1339
1340         This patch extends bulk matching style for fixed-sized characters.
1341         In a 64-bit environment, the GPR can hold up to 8 characters. This change
1342         reduces the code size since we can fuse multiple `mov` operations into one.
1343
1344         * assembler/LinkBuffer.h:
1345         * runtime/Options.h:
1346         * yarr/YarrJIT.cpp:
1347         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1348         (JSC::Yarr::YarrGenerator::compile):
1349
1350 2018-08-20  Devin Rousso  <drousso@apple.com>
1351
1352         Web Inspector: allow breakpoints to be set for specific event listeners
1353         https://bugs.webkit.org/show_bug.cgi?id=183138
1354
1355         Reviewed by Joseph Pecoraro.
1356
1357         * inspector/protocol/DOM.json:
1358         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1359         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1360         should have a breakpoint and pause before running.
1361
1362 2018-08-20  Mark Lam  <mark.lam@apple.com>
1363
1364         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1365         https://bugs.webkit.org/show_bug.cgi?id=188769
1366
1367         Reviewed by Michael Saboff.
1368
1369         * llint/LowLevelInterpreter.asm:
1370         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1371           so that libunwind doesn't get confused by the 2 labels pointing to the same
1372           code address.
1373
1374 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1375
1376         [GLIB] Add API to throw exceptions using printf formatted strings
1377         https://bugs.webkit.org/show_bug.cgi?id=188698
1378
1379         Reviewed by Michael Catanzaro.
1380
1381         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1382         JSCException using printf formatted string.
1383
1384         * API/glib/JSCContext.cpp:
1385         (jsc_context_throw_printf):
1386         (jsc_context_throw_with_name_printf):
1387         * API/glib/JSCContext.h:
1388         * API/glib/JSCException.cpp:
1389         (jsc_exception_new_printf):
1390         (jsc_exception_new_vprintf):
1391         (jsc_exception_new_with_name_printf):
1392         (jsc_exception_new_with_name_vprintf):
1393         * API/glib/JSCException.h:
1394         * API/glib/docs/jsc-glib-4.0-sections.txt:
1395
1396 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1397
1398         [GLIB] Complete the JSCException API
1399         https://bugs.webkit.org/show_bug.cgi?id=188695
1400
1401         Reviewed by Michael Catanzaro.
1402
1403         Add more API to JSCException:
1404          - New function to get the column number
1405          - New function to get the exception as a string (toString())
1406          - Add the possibility to create exceptions with a custom error name.
1407          - New function to get the exception error name
1408          - New function to get the exception backtrace.
1409          - New convenience function to report an exception by returning a formatted string with all the exception
1410            details, to be shown as a user error message.
1411
1412         * API/glib/JSCContext.cpp:
1413         (jsc_context_throw_with_name):
1414         * API/glib/JSCContext.h:
1415         * API/glib/JSCException.cpp:
1416         (jscExceptionEnsureProperties):
1417         (jsc_exception_new):
1418         (jsc_exception_new_with_name):
1419         (jsc_exception_get_name):
1420         (jsc_exception_get_column_number):
1421         (jsc_exception_get_back_trace_string):
1422         (jsc_exception_to_string):
1423         (jsc_exception_report):
1424         * API/glib/JSCException.h:
1425         * API/glib/docs/jsc-glib-4.0-sections.txt:
1426
1427 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1428
1429         Unreviewed, rolling out r234852.
1430         https://bugs.webkit.org/show_bug.cgi?id=188736
1431
1432         Workaround is not correct (Requested by yusukesuzuki on
1433         #webkit).
1434
1435         Reverted changeset:
1436
1437         "[JSC] Should not rotate constant with 64"
1438         https://bugs.webkit.org/show_bug.cgi?id=188556
1439         https://trac.webkit.org/changeset/234852
1440
1441 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1442
1443         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1444         https://bugs.webkit.org/show_bug.cgi?id=188716
1445
1446         Reviewed by Darin Adler.
1447
1448         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1449         The compiler can emit appropriate mov operations in x86 even if we use these
1450         helper functions.
1451
1452         * assembler/AssemblerBuffer.h:
1453         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1454         (JSC::AssemblerBuffer::putIntegral):
1455         (JSC::AssemblerBuffer::putIntegralUnchecked):
1456         * assembler/MacroAssemblerX86.h:
1457         (JSC::MacroAssemblerX86::readCallTarget):
1458         * assembler/X86Assembler.h:
1459         (JSC::X86Assembler::linkJump):
1460         (JSC::X86Assembler::readPointer):
1461         (JSC::X86Assembler::replaceWithHlt):
1462         (JSC::X86Assembler::replaceWithJump):
1463         (JSC::X86Assembler::setPointer):
1464         (JSC::X86Assembler::setInt32):
1465         (JSC::X86Assembler::setInt8):
1466         * interpreter/InterpreterInlines.h:
1467         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
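
An added example in C covering both the WTF::unalignedLoad/unalignedStore entry above and the earlier YARR bulk-matching entry (up to 8 fixed characters compared through one GPR-sized load). It is not WebKit code: unaligned_load64, unaligned_store64, low_bytes_mask and bulk_find are this example's own names. The memcpy idiom is the well-defined way to read a possibly misaligned value; the cast-and-dereference it replaces is what UBSan reports. bulk_find only issues the 8-byte load when 8 bytes remain, so the wide read never runs past the subject.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Alignment-agnostic access; compilers lower the memcpy to a single mov/ldr. */
static uint64_t unaligned_load64(const void *p)
{
    uint64_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

static void unaligned_store64(void *p, uint64_t v)
{
    memcpy(p, &v, sizeof v);
}

/* Round-trips a value through a deliberately misaligned address (offset 1 in a
 * byte array) and checks the neighbours were not touched. */
static bool unaligned_roundtrip_ok(void)
{
    uint8_t buf[16] = { 0 };
    unaligned_store64(buf + 1, 0x0102030405060708ull);
    return unaligned_load64(buf + 1) == 0x0102030405060708ull && buf[0] == 0 && buf[9] == 0;
}

/* Mask covering the first n bytes in memory order, on any endianness. */
static uint64_t low_bytes_mask(size_t n)
{
    uint8_t ones[8] = { 0 };
    memset(ones, 0xff, n);
    uint64_t m;
    memcpy(&m, ones, sizeof m);
    return m;
}

/* Packs up to 8 pattern bytes in memory order, so the constant compares equal
 * to a load taken at a matching subject position. */
static uint64_t pack_pattern(const char *pattern, size_t n)
{
    uint64_t v = 0;
    memcpy(&v, pattern, n);
    return v;
}

/* Index of the first occurrence of a fixed 1..8 byte pattern in subject, or -1.
 * One load plus one compare checks all n characters at once. */
static long bulk_find(const char *subject, size_t len, const char *pattern, size_t n)
{
    if (n == 0 || n > 8 || n > len)
        return -1;
    uint64_t want = pack_pattern(pattern, n);
    uint64_t mask = low_bytes_mask(n);
    for (size_t i = 0; i + n <= len; i++) {
        uint64_t got = 0;
        if (len - i >= 8)
            got = unaligned_load64(subject + i);   /* full-width read is in bounds */
        else
            memcpy(&got, subject + i, len - i);    /* near the end: read only what exists */
        if ((got & mask) == want)
            return (long)i;
    }
    return -1;
}
```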
1468
1469 2018-08-17  Saam barati  <sbarati@apple.com>
1470
1471         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1472         https://bugs.webkit.org/show_bug.cgi?id=188707
1473         <rdar://problem/43015442>
1474
1475         Reviewed by Mark Lam.
1476
1477         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1478         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1479         that each incoming value is compatible with its corresponding AbstractValue.
1480         
1481         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1482         with abstract values that were clobbered. This meant that the value we're
1483         verifying with at OSR entry effectively has an infinite structure set because
1484         it's clobbered. So, imagine we have code like this:
1485         ```
1486         ---> We OSR enter here, and we're clobbered here
1487         InvalidationPoint
1488         GetByOffset(@base)
1489         ```
1490         
1491         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1492         clobbered structure set, so we'd allow an incoming object with any
1493         structure. However, this is wrong because the invalidation point is no
1494         longer fulfilling its promise that it filters the structure that @base has.
1495         
1496         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1497         as if the incoming value may be live past an InvalidationPoint.
1498         This places a stricter requirement that to safely OSR enter at any basic
1499         block, all incoming values must be compatible as if they lived past
1500         the execution of an invalidation point.
1501
1502         * dfg/DFGCFAPhase.cpp:
1503         (JSC::DFG::CFAPhase::run):
1504
1505 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1506
1507         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1508         https://bugs.webkit.org/show_bug.cgi?id=188589
1509
1510         Reviewed by Mark Lam.
1511         And reviewed by Yusuke Suzuki for Hironori's change.
1512
1513         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1514         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1515
1516         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1517         - We make GPRReg and FPRReg int8_t enums.
1518         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1519         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1520           if `enum : int8_t` is used instead of `enum`.
1521
1522         * assembler/ARM64Assembler.h:
1523         * assembler/ARMAssembler.h:
1524         * assembler/ARMv7Assembler.h:
1525         * assembler/MIPSAssembler.h:
1526         * assembler/MacroAssembler.h:
1527         * assembler/X86Assembler.h:
1528         * jit/CCallHelpers.h:
1529         (JSC::CCallHelpers::clampArrayToSize):
1530         * jit/FPRInfo.h:
1531         * jit/GPRInfo.h:
1532         (JSC::JSValueRegs::JSValueRegs):
1533         (JSC::JSValueRegs::tagGPR const):
1534         (JSC::JSValueRegs::payloadGPR const):
1535         (JSC::JSValueSource::JSValueSource):
1536         (JSC::JSValueSource::unboxedCell):
1537         (JSC::JSValueSource::operator bool const):
1538         (JSC::JSValueSource::base const):
1539         (JSC::JSValueSource::tagGPR const):
1540         (JSC::JSValueSource::payloadGPR const):
1541         (JSC::JSValueSource::hasKnownTag const):
1542
1543 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1544
1545         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1546         https://bugs.webkit.org/show_bug.cgi?id=188686
1547
1548         Reviewed by Saam Barati.
1549
1550         RegisterState could have a larger alignment than `alignof(void*)`. We use the larger alignment value
1551         for `alignof` for RegisterState.
1552
1553         * heap/RegisterState.h:
1554
1555 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1556
1557         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1558         https://bugs.webkit.org/show_bug.cgi?id=188571
1559
1560         Reviewed by Saam Barati.
1561
1562         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1563         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1564         without considering their alignment. This patch adds DisjunctionContext::allocationSize
1565         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1566         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1567         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1568         than or equal to `sizeof(void*)` by `static_assert`.
1569
1570         * yarr/YarrInterpreter.cpp:
1571         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1572         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1573         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1574         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1575         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1576         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1577         (JSC::Yarr::Interpreter::Interpreter):
1578         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
1579
1580 2018-08-15  Keith Miller  <keith_miller@apple.com>
1581
1582         Remove evernote hacks
1583         https://bugs.webkit.org/show_bug.cgi?id=188591
1584
1585         Reviewed by Joseph Pecoraro.
1586
1587         The hack was added in 2012 and the evernote app seems to work now.
1588         It's probably not needed anymore.
1589
1590         * API/JSValueRef.cpp:
1591         (JSValueUnprotect):
1592         (evernoteHackNeeded): Deleted.
1593
1594 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
1595
1596         Unreviewed, rolling out r234874 and r234876.
1597
1598         WinCairo port can't compile
1599
1600         Reverted changesets:
1601
1602         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
1603         https://bugs.webkit.org/show_bug.cgi?id=188589
1604         https://trac.webkit.org/changeset/234874
1605
1606         "Unreviewed, attempt to fix CLoop build"
1607         https://bugs.webkit.org/show_bug.cgi?id=188589
1608         https://trac.webkit.org/changeset/234876
1609
1610 2018-08-14  Saam barati  <sbarati@apple.com>
1611
1612         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
1613         https://bugs.webkit.org/show_bug.cgi?id=188582
1614
1615         Reviewed by Sam Weinig.
1616
1617         * runtime/SparseArrayValueMap.h:
1618
1619 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1620
1621         Unreviewed, attempt to fix CLoop build
1622         https://bugs.webkit.org/show_bug.cgi?id=188589
1623
1624         * assembler/MacroAssembler.h:
1625
1626 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1627
1628         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1629         https://bugs.webkit.org/show_bug.cgi?id=188589
1630
1631         Reviewed by Mark Lam.
1632
1633         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1634         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1635
1636         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1637         2. We make GPRReg and FPRReg int8_t enums.
1638         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1639
1640         * assembler/ARM64Assembler.h:
1641         * assembler/ARMAssembler.h:
1642         * assembler/ARMv7Assembler.h:
1643         * assembler/MIPSAssembler.h:
1644         * assembler/X86Assembler.h:
1645         * jit/FPRInfo.h:
1646         * jit/GPRInfo.h:
1647         (JSC::JSValueRegs::JSValueRegs):
1648         (JSC::JSValueRegs::tagGPR const):
1649         (JSC::JSValueRegs::payloadGPR const):
1650         (JSC::JSValueSource::JSValueSource):
1651         (JSC::JSValueSource::unboxedCell):
1652         (JSC::JSValueSource::operator bool const):
1653         (JSC::JSValueSource::base const):
1654         (JSC::JSValueSource::tagGPR const):
1655         (JSC::JSValueSource::payloadGPR const):
1656         (JSC::JSValueSource::hasKnownTag const):
1657
1658 2018-08-14  Keith Miller  <keith_miller@apple.com>
1659
1660         Add missing availability macro.
1661         https://bugs.webkit.org/show_bug.cgi?id=188563
1662
1663         Reviewed by Mark Lam.
1664
1665         * API/JSValueRef.h:
1666
1667 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1668
1669         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
1670         https://bugs.webkit.org/show_bug.cgi?id=188560
1671
1672         Reviewed by Keith Miller.
1673
1674         While the GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
1675         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
1676         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
1677         `m_wasSeenInJIT { false }`.
1678
1679         * bytecode/GetByIdStatus.h:
1680
1681 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1682
1683         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
1684         https://bugs.webkit.org/show_bug.cgi?id=188557
1685
1686         Reviewed by Mark Lam.
1687
1688         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
1689         processing the invariants of ArithRound etc. requires loading `m_pass`. This issue was found
1690         in UBSan's result.
1691
1692         * dfg/DFGPredictionPropagationPhase.cpp:
1693
1694 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1695
1696         [JSC] Should not rotate constant with 64
1697         https://bugs.webkit.org/show_bug.cgi?id=188556
1698
1699         Reviewed by Mark Lam.
1700
1701         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1702         But if a seed becomes 64, the following code performs `value << 64` where value's type
1703         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
1704         range of [0, 64) not to generate code causing UBs. This is found by UBSan.
1705
1706         * assembler/MacroAssembler.h:
1707         (JSC::MacroAssembler::generateRotationSeed):
1708         (JSC::MacroAssembler::rotationBlindConstant):
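
The constant-blinding rotation described above, as an added example in C rather than the patch itself (the earlier entry in this log records that this particular workaround was rolled out in r234852, so the block shows only the general idiom, not JSC's implementation; rotl64, rotr64, blind_constant and blinded_constant are this example's names, and random_bits stands in for the JIT's random source). Both shift counts are masked to [0, 63], so neither `value << 64` nor the `x >> (64 - 0)` a naive rotate performs for a zero seed can occur, and the seed is reduced to [0, 64) before use.

```c
#include <stdbool.h>
#include <stdint.h>

/* Rotate by any amount without ever shifting by the full width: r is masked to
 * [0, 63] and (64 - r) & 63 is 0 when r is 0, so the right shift is x >> 0. */
static uint64_t rotl64(uint64_t x, unsigned r)
{
    r &= 63;
    return (x << r) | (x >> ((64 - r) & 63));
}

static uint64_t rotr64(uint64_t x, unsigned r)
{
    r &= 63;
    return (x >> r) | (x << ((64 - r) & 63));
}

typedef struct {
    uint64_t rotated;   /* the immediate that actually lands in the code stream */
    unsigned seed;      /* rotate-back amount, always in [0, 64) */
} blinded_constant;

/* The attacker-chosen value never appears verbatim in JIT output: the emitted
 * immediate is the rotated form, followed by a rotate-back by `seed`. */
static blinded_constant blind_constant(uint64_t value, uint64_t random_bits)
{
    blinded_constant c;
    c.seed = (unsigned)(random_bits & 63);   /* [0, 64): 64 itself cannot be produced */
    c.rotated = rotr64(value, c.seed);
    return c;
}

static uint64_t unblind_constant(blinded_constant c)
{
    return rotl64(c.rotated, c.seed);
}

/* Exercises every seed several times over and checks the value comes back. */
static bool blinding_roundtrips(uint64_t value)
{
    for (uint64_t bits = 0; bits < 256; bits++) {
        blinded_constant c = blind_constant(value, bits);
        if (c.seed >= 64 || unblind_constant(c) != value)
            return false;
    }
    return true;
}
```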
1709
1710 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1711
1712         Disable JIT on IA-32 without SSE2
1713         https://bugs.webkit.org/show_bug.cgi?id=188476
1714
1715         Reviewed by Michael Catanzaro.
1716
1717         Include the missing header (MacroAssembler.h) on operating systems
1718         other than Windows too.
1719
1720         * runtime/Options.cpp:
1721
1722 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
1723
1724         Disable JIT on IA-32 without SSE2
1725         https://bugs.webkit.org/show_bug.cgi?id=188476
1726
1727         Reviewed by Yusuke Suzuki.
1728
1729         On IA-32 CPUs without SSE2 most of the webpages cannot load
1730         if the JIT is turned on.
1731
1732         * runtime/Options.cpp:
1733         (JSC::recomputeDependentOptions):
1734
1735 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
1736
1737         Web Inspector: console.log fires getters for deep properties
1738         https://bugs.webkit.org/show_bug.cgi?id=187542
1739         <rdar://problem/42873158>
1740
1741         Reviewed by Saam Barati.
1742
1743         * inspector/InjectedScriptSource.js:
1744         (RemoteObject.prototype._isPreviewableObject):
1745         Avoid getters/setters when checking for simple properties to preview.
1746         Here we avoid invoking `object[property]` if it could be a user getter.
1747
1748 2018-08-10  Keith Miller  <keith_miller@apple.com>
1749
1750         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
1751         https://bugs.webkit.org/show_bug.cgi?id=185127
1752
1753         Reviewed by Saam Barati.
1754
1755         Previously, we would truncate the indices passed to slice to an
1756         int. This meant that the value was not getting properly clamped
1757         later.
1758
1759         This patch also removes a non-spec compliant check that slice was
1760         passed at least one argument.
1761
1762         * runtime/ArrayBuffer.cpp:
1763         (JSC::ArrayBuffer::clampValue):
1764         (JSC::ArrayBuffer::clampIndex const):
1765         (JSC::ArrayBuffer::slice const):
1766         * runtime/ArrayBuffer.h:
1767         (JSC::ArrayBuffer::clampValue): Deleted.
1768         (JSC::ArrayBuffer::clampIndex const): Deleted.
1769         * runtime/JSArrayBufferPrototype.cpp:
1770         (JSC::arrayBufferProtoFuncSlice):
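
The index handling this entry describes, as an added example in C (not the JSC implementation; to_int32, clamp_index_truncating, clamp_index and slice_byte_length_* are this example's names). The defective shape narrows the double to a 32-bit int before clamping, so an end of 2^32 + 4 wraps to 4 and a start of 2^31 wraps to INT32_MIN; the spec-shaped version truncates toward zero and clamps in the double domain first, so an out-of-range index can only ever become 0 or the buffer length. The ToInt32 emulation covers finite inputs below 2^63, which is all the demonstration needs.

```c
#include <stddef.h>
#include <stdint.h>

/* ECMAScript ToInt32 (wrap modulo 2^32) for finite |d| < 2^63; larger or
 * non-finite inputs are not modelled and yield 0. */
static int32_t to_int32(double d)
{
    if (d != d || d >= 9223372036854775808.0 || d <= -9223372036854775808.0)
        return 0;
    int64_t t = (int64_t)d;                     /* truncate toward zero, in range */
    uint32_t u = (uint32_t)(uint64_t)t;         /* modulo 2^32 */
    return u < 0x80000000u ? (int32_t)u : (int32_t)((int64_t)u - 4294967296LL);
}

/* Defective shape: narrow to int first, clamp afterwards. */
static size_t clamp_index_truncating(double value, size_t length)
{
    int32_t v = to_int32(value);
    if (v < 0) {
        int64_t r = (int64_t)length + v;
        return r < 0 ? 0 : (size_t)r;
    }
    return (uint32_t)v > length ? length : (size_t)v;
}

/* Spec-shaped clamp: truncate toward zero and clamp while still a double. */
static size_t clamp_index(double value, size_t length)
{
    double len = (double)length;
    if (value != value)                 /* NaN: ToInteger gives 0 */
        return 0;
    if (value >= len)
        return length;
    if (value > -1.0)                   /* (-1, len): plain truncation; (-1, 0) is -0, i.e. 0 */
        return value < 0 ? 0 : (size_t)value;
    if (value <= -len)
        return 0;
    return length - (size_t)(-(int64_t)value);   /* -len < value <= -1: offset from the end */
}

/* byteLength of slice(start, end) for a buffer of `length` bytes. */
static size_t slice_byte_length(size_t length, double start, double end,
                                size_t (*clamp)(double, size_t))
{
    size_t first = clamp(start, length);
    size_t final = clamp(end, length);
    return final > first ? final - first : 0;
}

static size_t slice_byte_length_fixed(size_t length, double start, double end)
{
    return slice_byte_length(length, start, end, clamp_index);
}

static size_t slice_byte_length_truncating(size_t length, double start, double end)
{
    return slice_byte_length(length, start, end, clamp_index_truncating);
}
```

With an 8-byte buffer, `slice(0, 2**32 + 4)` yields 8 bytes under the fixed clamp and 4 under the truncating one, and `slice(2**31, 8)` yields 0 bytes under the fixed clamp but the whole buffer under the truncating one.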
1771
1772 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1773
1774         Date.UTC should not return NaN with only Year param
1775         https://bugs.webkit.org/show_bug.cgi?id=188378
1776
1777         Reviewed by Keith Miller.
1778
1779         Date.UTC requires one argument for |year|. But the other ones are optional.
1780         This patch fixes this handling.
1781
1782         * runtime/DateConstructor.cpp:
1783         (JSC::millisecondsFromComponents):
1784
1785 2018-08-08  Keith Miller  <keith_miller@apple.com>
1786
1787         Array.prototype.sort should call @toLength instead of ">>> 0"
1788         https://bugs.webkit.org/show_bug.cgi?id=188430
1789
1790         Reviewed by Saam Barati.
1791
1792         Also add a new function to $vm that will fetch a private
1793         property. This can be useful for running builtin helper functions.
1794
1795         * builtins/ArrayPrototype.js:
1796         (sort):
1797         * tools/JSDollarVM.cpp:
1798         (JSC::functionGetPrivateProperty):
1799         (JSC::JSDollarVM::finishCreation):
1800
1801 2018-08-08  Keith Miller  <keith_miller@apple.com>
1802
1803         Array.prototype.sort should throw TypeError if param is not a callable object
1804         https://bugs.webkit.org/show_bug.cgi?id=188382
1805
1806         Reviewed by Saam Barati.
1807
1808         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
1809         before doing anything else.
1810
1811         Also, refactor the various helper functions to use let instead of var.
1812
1813         * builtins/ArrayPrototype.js:
1814         (sort.stringComparator):
1815         (sort.compactSparse):
1816         (sort.compactSlow):
1817         (sort.compact):
1818         (sort.merge):
1819         (sort.mergeSort):
1820         (sort.bucketSort):
1821         (sort.comparatorSort):
1822         (sort.stringSort):
1823         (sort):
1824
1825 2018-08-08  Michael Saboff  <msaboff@apple.com>
1826
1827         Yarr JIT should include annotations with dumpDisassembly=true
1828         https://bugs.webkit.org/show_bug.cgi?id=188415
1829
1830         Reviewed by Yusuke Suzuki.
1831
1832         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
1833         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
1834         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
1835         needs to do the same thing.
1836
1837         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
1838         out simple methods for what was needed by the YarrDisassembler.
1839
1840         Here is abbreviated sample output after this change.
1841
1842         Generated JIT code for 8-bit regular expression /ab*c/:
1843             Code at [0x469561c03720, 0x469561c03840):
1844                 0x469561c03720: push %rbp
1845                 0x469561c03721: mov %rsp, %rbp
1846                 ...
1847                 0x469561c03762: sub $0x40, %rsp
1848              == Matching ==
1849            0:OpBodyAlternativeBegin minimum size 2
1850                 0x469561c03766: add $0x2, %esi
1851                 0x469561c03769: cmp %edx, %esi
1852                 0x469561c0376b: ja 0x469561c037fa
1853            1:OpTerm TypePatternCharacter 'a'
1854                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
1855                 0x469561c03776: cmp $0x61, %eax
1856                 0x469561c03779: jnz 0x469561c037e9
1857            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1858                 0x469561c0377f: xor %r9d, %r9d
1859                 0x469561c03782: cmp %edx, %esi
1860                 0x469561c03784: jz 0x469561c037a2
1861                 ...
1862                 0x469561c0379d: jmp 0x469561c03782
1863                 0x469561c037a2: mov %r9, 0x8(%rsp)
1864            3:OpTerm TypePatternCharacter 'c'
1865                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
1866                 0x469561c037ac: cmp $0x63, %eax
1867                 0x469561c037af: jnz 0x469561c037d1
1868            4:OpBodyAlternativeEnd
1869                 0x469561c037b5: add $0x40, %rsp
1870                 ...
1871                 0x469561c037cf: pop %rbp
1872                 0x469561c037d0: ret
1873              == Backtracking ==
1874            4:OpBodyAlternativeEnd
1875            3:OpTerm TypePatternCharacter 'c'
1876            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
1877                 0x469561c037d1: mov 0x8(%rsp), %r9
1878                 ...
1879                 0x469561c037e4: jmp 0x469561c037a2
1880            1:OpTerm TypePatternCharacter 'a'
1881            0:OpBodyAlternativeBegin minimum size 2
1882                 0x469561c037e9: mov %rsi, %rax
1883                 ...
1884                 0x469561c0382f: pop %rbp
1885                 0x469561c03830: ret
1886
1887         * JavaScriptCore.xcodeproj/project.pbxproj:
1888         * Sources.txt:
1889         * runtime/RegExp.cpp:
1890         (JSC::RegExp::compile):
1891         (JSC::RegExp::compileMatchOnly):
1892         * yarr/YarrDisassembler.cpp: Added.
1893         (JSC::Yarr::YarrDisassembler::indentString):
1894         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
1895         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
1896         (JSC::Yarr::YarrDisassembler::dump):
1897         (JSC::Yarr::YarrDisassembler::dumpHeader):
1898         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
1899         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
1900         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
1901         * yarr/YarrDisassembler.h: Added.
1902         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
1903         (JSC::Yarr::YarrDisassembler::setStartOfCode):
1904         (JSC::Yarr::YarrDisassembler::setForGenerate):
1905         (JSC::Yarr::YarrDisassembler::setForBacktrack):
1906         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
1907         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
1908         (JSC::Yarr::YarrDisassembler::setEndOfCode):
1909         (JSC::Yarr::YarrDisassembler::indentString):
1910         * yarr/YarrJIT.cpp:
1911         (JSC::Yarr::YarrGenerator::generate):
1912         (JSC::Yarr::YarrGenerator::backtrack):
1913         (JSC::Yarr::YarrGenerator::YarrGenerator):
1914         (JSC::Yarr::YarrGenerator::compile):
1915         (JSC::Yarr::jitCompile):
1916         * yarr/YarrJIT.h:
1917         * yarr/YarrPattern.cpp:
1918         (JSC::Yarr::dumpCharacterClass):
1919         (JSC::Yarr::PatternTerm::dump):
1920         (JSC::Yarr::YarrPattern::dumpPatternString):
1921         (JSC::Yarr::YarrPattern::dumpPattern):
1922         * yarr/YarrPattern.h:
1923
1924 2018-08-05  Darin Adler  <darin@apple.com>
1925
1926         [Cocoa] More tweaks and refactoring to prepare for ARC
1927         https://bugs.webkit.org/show_bug.cgi?id=188245
1928
1929         Reviewed by Dan Bernstein.
1930
1931         * API/JSValue.mm: Use __unsafe_unretained.
1932         (JSContainerConvertor::convert): Use auto for compatibility with the above.
1933         * API/JSWrapperMap.mm:
1934         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
1935         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
1936
1937         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
1938
1939 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1940
1941         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
1942         https://bugs.webkit.org/show_bug.cgi?id=188328
1943
1944         Reviewed by Saam Barati.
1945
1946         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
1947         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
1948         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
1949         as a member field.
1950
1951         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
1952         PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
1953         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
1954         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
1955         folds a pointer and a 1-byte type into 64-bit data.
1956
1957         This change shrinks PropertyCondition from 24 bytes to 16 bytes.
1958
1959         * bytecode/PropertyCondition.cpp:
1960         (JSC::PropertyCondition::dumpInContext const):
1961         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
1962         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
1963         (JSC::PropertyCondition::isStillValid const):
1964         (JSC::PropertyCondition::isWatchableWhenValid const):
1965         * bytecode/PropertyCondition.h:
1966         (JSC::PropertyCondition::PropertyCondition):
1967         (JSC::PropertyCondition::presenceWithoutBarrier):
1968         (JSC::PropertyCondition::absenceWithoutBarrier):
1969         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
1970         (JSC::PropertyCondition::equivalenceWithoutBarrier):
1971         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
1972         (JSC::PropertyCondition::operator bool const):
1973         (JSC::PropertyCondition::kind const):
1974         (JSC::PropertyCondition::uid const):
1975         (JSC::PropertyCondition::hasOffset const):
1976         (JSC::PropertyCondition::hasAttributes const):
1977         (JSC::PropertyCondition::hasPrototype const):
1978         (JSC::PropertyCondition::hasRequiredValue const):
1979         (JSC::PropertyCondition::hash const):
1980         (JSC::PropertyCondition::operator== const):
1981         (JSC::PropertyCondition::isHashTableDeletedValue const):
1982         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
1983
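An added illustration of the packing described in the entry above. It is modelled on the idea of WTF::CompactPointerTuple but is not WebKit's implementation; the class name, the bit layout (pointer in bits 0..47, tag in bits 48..55), and the ConditionKind / UnpackedCondition / PackedCondition stand-ins are assumptions made for this example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed layout: bits 0..47 hold the pointer (user-space addresses fit in
// 48 bits on x86-64 and arm64), bits 48..55 hold the one-byte tag, bits
// 56..63 stay zero. Not WebKit's code.
template<typename PointerType, typename Type>
class CompactPointerTupleDemo {
    static_assert(sizeof(Type) == 1, "tag type must be one byte");
    static_assert(sizeof(PointerType) == 8, "64-bit pointers only");
    static constexpr uint64_t pointerMask = (uint64_t(1) << 48) - 1;
    static constexpr unsigned typeShift = 48;

public:
    CompactPointerTupleDemo() = default;
    CompactPointerTupleDemo(PointerType pointer, Type type) { set(pointer, type); }

    void set(PointerType pointer, Type type)
    {
        uint64_t raw = reinterpret_cast<uint64_t>(pointer);
        // A pointer using bits above 47 cannot be stored losslessly; refuse
        // rather than silently truncate it (that would be a memory-safety bug).
        assert((raw & ~pointerMask) == 0);
        m_data = raw | (uint64_t(static_cast<uint8_t>(type)) << typeShift);
    }

    PointerType pointer() const { return reinterpret_cast<PointerType>(m_data & pointerMask); }
    Type type() const { return static_cast<Type>(static_cast<uint8_t>(m_data >> typeShift)); }
    void setPointer(PointerType pointer) { set(pointer, type()); }
    void setType(Type type) { set(pointer(), type); }

private:
    uint64_t m_data { 0 };
};

// Stand-ins for PropertyCondition's fields: a uid pointer, a kind, and an
// 8-byte payload (offset / attributes / prototype / required value).
enum class ConditionKind : uint8_t { Presence, Absence, Equivalence };

struct UnpackedCondition {     // pointer + kind + payload: 24 bytes with padding
    const char* uid;
    ConditionKind kind;
    uint64_t payload;
};

struct PackedCondition {       // packed tuple + payload: 16 bytes
    CompactPointerTupleDemo<const char*, ConditionKind> header;
    uint64_t payload;
};

static size_t unpackedSize() { return sizeof(UnpackedCondition); }
static size_t packedSize() { return sizeof(PackedCondition); }

// Store, retag and repoint a tuple and check that every field survives.
static bool roundTrips()
{
    static const char uidA[] = "foo";   // constructed sample identifiers
    static const char uidB[] = "bar";
    CompactPointerTupleDemo<const char*, ConditionKind> t(uidA, ConditionKind::Equivalence);
    bool ok = t.pointer() == uidA && t.type() == ConditionKind::Equivalence;
    t.setType(ConditionKind::Absence);
    ok = ok && t.pointer() == uidA && t.type() == ConditionKind::Absence;
    t.setPointer(uidB);
    ok = ok && t.pointer() == uidB && t.type() == ConditionKind::Absence;
    return ok;
}

int main()
{
    std::printf("unpacked %zu bytes, packed %zu bytes, round trip %s\n",
        unpackedSize(), packedSize(), roundTrips() ? "ok" : "FAILED");
    return 0;
}
```

The assert in set() is the check that matters when reusing address bits for metadata: if a platform ever hands back a pointer with bits above 47 set (for example with larger virtual address spaces or pointer authentication bits in place), silently masking it would return a different pointer later, so the packing must refuse rather than truncate.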
1984 2018-08-07  Mark Lam  <mark.lam@apple.com>
1985
1986         Use a more specific PtrTag for PlatformRegisters PC and LR.
1987         https://bugs.webkit.org/show_bug.cgi?id=188366
1988         <rdar://problem/42984123>
1989
1990         Reviewed by Keith Miller.
1991
1992         Also fixed a bug in linkRegister(), which was previously returning the PC instead
1993         of LR.  It now returns LR.
1994
1995         * runtime/JSCPtrTag.h:
1996         * runtime/MachineContext.h:
1997         (JSC::MachineContext::instructionPointer):
1998         (JSC::MachineContext::linkRegister):
1999         * runtime/VMTraps.cpp:
2000         (JSC::SignalContext::SignalContext):
2001         * tools/SigillCrashAnalyzer.cpp:
2002         (JSC::SignalContext::SignalContext):
2003
2004 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2005
2006         Hardcoded LFENCE instruction
2007         https://bugs.webkit.org/show_bug.cgi?id=188145
2008
2009         Reviewed by Filip Pizlo.
2010
2011         Remove the lfence instruction because it crashes systems without SSE2 and
2012         this is not how WebKit mitigates Spectre.
2013
2014         * runtime/JSLock.cpp:
2015         (JSC::JSLock::didAcquireLock):
2016         (JSC::JSLock::willReleaseLock):
2017
2018 2018-08-04  David Kilzer  <ddkilzer@apple.com>
2019
2020         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
2021         <https://webkit.org/b/188331>
2022
2023         Reviewed by Yusuke Suzuki.
2024
2025         * runtime/TemplateObjectDescriptor.h:
2026         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
2027         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
2028
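An added illustration of the use-after-move defect fixed in the entry above. It is not WebKit's TemplateObjectDescriptor; the descriptor classes, the hash function and the sample strings are constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Stand-in hash over the raw strings (the real hash function is not shown in
// the entry; any content-dependent hash exhibits the same problem).
static size_t hashStrings(const std::vector<std::string>& strings)
{
    size_t h = 0x9e3779b9u;
    for (const std::string& s : strings)
        h = h * 31u + std::hash<std::string>()(s);
    return h;
}

// 'Before': m_rawStrings is declared first, so it is initialized first and
// steals rawStrings' buffer; the hash is then computed over the moved-from
// parameter, which no longer holds the strings.
class BuggyDescriptor {
public:
    explicit BuggyDescriptor(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(rawStrings))      // use-after-move
    { }
    size_t hash() const { return m_hash; }
private:
    std::vector<std::string> m_rawStrings;
    size_t m_hash;
};

// 'After': hash the member that now owns the data.
class FixedDescriptor {
public:
    explicit FixedDescriptor(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(m_rawStrings))
    { }
    size_t hash() const { return m_hash; }
private:
    std::vector<std::string> m_rawStrings;
    size_t m_hash;
};

static std::vector<std::string> sampleStrings()
{
    return { "hello ", " world" };   // constructed sample raw strings
}

static size_t expectedHash() { return hashStrings(sampleStrings()); }
static size_t buggyHash() { return BuggyDescriptor(sampleStrings()).hash(); }
static size_t fixedHash() { return FixedDescriptor(sampleStrings()).hash(); }

int main()
{
    std::printf("expected %zu buggy %zu fixed %zu\n", expectedHash(), buggyHash(), fixedHash());
    return 0;
}
```

With std::vector the moved-from parameter is empty in practice, so every BuggyDescriptor hashes to the same value whatever its strings contain; a hash table keyed on the descriptor then sees unrelated descriptors collide. The fix is mechanical, but the bug is invisible at compile time, which is why member-initializer order and moved-from parameters deserve a second look in review.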
2029 2018-08-03  Saam Barati  <sbarati@apple.com>
2030
2031         Give the `jsc` shell the JIT entitlement
2032         https://bugs.webkit.org/show_bug.cgi?id=188324
2033         <rdar://problem/42885806>
2034
2035         Reviewed by Dan Bernstein.
2036
2037         This should help us in ensuring the system jsc is able to JIT.
2038
2039         * Configurations/JSC.xcconfig:
2040         * JavaScriptCore.xcodeproj/project.pbxproj:
2041         * allow-jit-macOS.entitlements: Added.
2042
2043 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2044
2045         Fix spelling of "overridden"
2046         https://bugs.webkit.org/show_bug.cgi?id=188315
2047
2048         Reviewed by Darin Adler.
2049
2050         * API/JSExport.h:
2051         * inspector/InjectedScriptSource.js:
2052
2053 2018-08-02  Saam Barati  <sbarati@apple.com>
2054
2055         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2056         https://bugs.webkit.org/show_bug.cgi?id=188271
2057         <rdar://problem/42850884>
2058
2059         Reviewed by Michael Saboff.
2060
2061         This patch defends against the instructionPointer containing garbage bits.
2062         See radar for details.
2063
2064         * runtime/MachineContext.h:
2065         (JSC::MachineContext::instructionPointer):
2066         * runtime/SamplingProfiler.cpp:
2067         (JSC::SamplingProfiler::takeSample):
2068         * runtime/VMTraps.cpp:
2069         (JSC::SignalContext::SignalContext):
2070         (JSC::SignalContext::tryCreate):
2071         * tools/CodeProfiling.cpp:
2072         (JSC::profilingTimer):
2073         * tools/SigillCrashAnalyzer.cpp:
2074         (JSC::SignalContext::SignalContext):
2075         (JSC::SignalContext::tryCreate):
2076         (JSC::SignalContext::dump):
2077         (JSC::installCrashHandler):
2078         * wasm/WasmFaultSignalHandler.cpp:
2079         (JSC::Wasm::trapHandler):
2080
2081 2018-08-02  David Fenton  <david_fenton@apple.com>
2082
2083         Unreviewed, rolling out r234489.
2084
2085         Caused 50+ crashes and 60+ API failures on iOS
2086
2087         Reverted changeset:
2088
2089         "[WTF] Rename String::format to String::deprecatedFormat"
2090         https://bugs.webkit.org/show_bug.cgi?id=188191
2091         https://trac.webkit.org/changeset/234489
2092
2093 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2094
2095         Add self.queueMicrotask(f) on DOMWindow
2096         https://bugs.webkit.org/show_bug.cgi?id=188212
2097
2098         Reviewed by Ryosuke Niwa.
2099
2100         * CMakeLists.txt:
2101         * JavaScriptCore.xcodeproj/project.pbxproj:
2102         * Sources.txt:
2103         * runtime/JSGlobalObject.cpp:
2104         (JSC::enqueueJob):
2105         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2106         (JSC::createJSMicrotask):
2107         Export them to WebCore.
2108
2109         (JSC::JSMicrotask::run):
2110         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2111         Add another version of JSMicrotask which does not have arguments.
2112
2113 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2114
2115         [WTF] Rename String::format to String::deprecatedFormat
2116         https://bugs.webkit.org/show_bug.cgi?id=188191
2117
2118         Reviewed by Darin Adler.
2119
2120         It should be replaced with string concatenation.
2121
2122         * bytecode/CodeBlock.cpp:
2123         (JSC::CodeBlock::nameForRegister):
2124         * inspector/InjectedScriptBase.cpp:
2125         (Inspector::InjectedScriptBase::makeCall):
2126         * inspector/InspectorBackendDispatcher.cpp:
2127         (Inspector::BackendDispatcher::getPropertyValue):
2128         * inspector/agents/InspectorConsoleAgent.cpp:
2129         (Inspector::InspectorConsoleAgent::enable):
2130         (Inspector::InspectorConsoleAgent::stopTiming):
2131         * jsc.cpp:
2132         (FunctionJSCStackFunctor::operator() const):
2133         * parser/Lexer.cpp:
2134         (JSC::Lexer<T>::invalidCharacterMessage const):
2135         * runtime/IntlDateTimeFormat.cpp:
2136         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2137         * runtime/IntlObject.cpp:
2138         (JSC::canonicalizeLocaleList):
2139         * runtime/LiteralParser.cpp:
2140         (JSC::LiteralParser<CharType>::Lexer::lex):
2141         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2142         (JSC::LiteralParser<CharType>::parse):
2143         * runtime/LiteralParser.h:
2144         (JSC::LiteralParser::getErrorMessage):
2145
2146 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2147
2148         [INTL] Allow "unknown" formatToParts types
2149         https://bugs.webkit.org/show_bug.cgi?id=188176
2150
2151         Reviewed by Darin Adler.
2152
2153         Originally extra unexpected field types were marked as "literal", since
2154         the spec did not account for these. The ECMA 402 spec has since been updated
2155         to specify "unknown" should be used in these cases.
2156
2157         Currently there is no known way to reach these cases, so no tests can
2158         account for them. Theoretically they shouldn't exist, but they are specified,
2159         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2160         will make such cases easy to identify if they ever happen.
2161
2162         * runtime/IntlDateTimeFormat.cpp:
2163         (JSC::IntlDateTimeFormat::partTypeString):
2164         * runtime/IntlNumberFormat.cpp:
2165         (JSC::IntlNumberFormat::partTypeString):
2166
2167 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2168
2169         [INTL] Implement hourCycle in DateTimeFormat
2170         https://bugs.webkit.org/show_bug.cgi?id=188006
2171
2172         Reviewed by Darin Adler.
2173
2174         Implemented hourCycle, updating both the skeleton and the final pattern.
2175         Changed resolveLocale to assume undefined options are not given and null
2176         strings actually mean null, which removes the tag extension.
2177
2178         * runtime/CommonIdentifiers.h:
2179         * runtime/IntlCollator.cpp:
2180         (JSC::IntlCollator::initializeCollator):
2181         * runtime/IntlDateTimeFormat.cpp:
2182         (JSC::IntlDTFInternal::localeData):
2183         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2184         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2185         (JSC::IntlDateTimeFormat::resolvedOptions):
2186         * runtime/IntlDateTimeFormat.h:
2187         * runtime/IntlObject.cpp:
2188         (JSC::resolveLocale):
2189
2190 2018-08-01  Keith Miller  <keith_miller@apple.com>
2191
2192         JSArrayBuffer should have its own JSType
2193         https://bugs.webkit.org/show_bug.cgi?id=188231
2194
2195         Reviewed by Saam Barati.
2196
2197         * runtime/JSArrayBuffer.cpp:
2198         (JSC::JSArrayBuffer::createStructure):
2199         * runtime/JSCast.h:
2200         * runtime/JSType.h:
2201
2202 2018-07-31  Keith Miller  <keith_miller@apple.com>
2203
2204         Unreviewed 32-bit build fix...
2205
2206         * dfg/DFGSpeculativeJIT32_64.cpp:
2207
2208 2018-07-31  Keith Miller  <keith_miller@apple.com>
2209
2210         Long compiling JSC files should not be unified
2211         https://bugs.webkit.org/show_bug.cgi?id=188205
2212
2213         Reviewed by Saam Barati.
2214
2215         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2216         to compile. Unifying them means touching anything in the same
2217         bundle as those files takes a long time to incrementally build.
2218         This patch separates those files so they build standalone.
2219
2220         * JavaScriptCore.xcodeproj/project.pbxproj:
2221         * Sources.txt:
2222         * dfg/DFGSpeculativeJIT64.cpp:
2223
2224 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2225
2226         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2227         https://bugs.webkit.org/show_bug.cgi?id=188201
2228
2229         Reviewed by Keith Miller.
2230
2231         We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
2232         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2233         new one. So this cellLock() is unnecessary for contiguous shape since a contiguous shaped butterfly
2234         never ends up in a broken state. This patch removes unnecessary locking.
2235
2236         * runtime/JSObject.cpp:
2237         (JSC::JSObject::visitButterflyImpl):
2238
2239 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2240
2241         [JSC] Remove gcc warnings for 32-bit platforms
2242         https://bugs.webkit.org/show_bug.cgi?id=187803
2243
2244         Reviewed by Yusuke Suzuki.
2245
2246         * assembler/MacroAssemblerPrinter.cpp:
2247         (JSC::Printer::printPCRegister):
2248         (JSC::Printer::printRegisterID):
2249         (JSC::Printer::printAddress):
2250         * dfg/DFGSpeculativeJIT.cpp:
2251         (JSC::DFG::SpeculativeJIT::speculateNumber):
2252         (JSC::DFG::SpeculativeJIT::speculateMisc):
2253         * jit/CCallHelpers.h:
2254         (JSC::CCallHelpers::calculatePokeOffset):
2255         * runtime/Options.cpp:
2256         (JSC::parse):
2257
2258 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2259
2260         watchOS engineering build is broken after r234227
2261         https://bugs.webkit.org/show_bug.cgi?id=188180
2262
2263         Reviewed by Keith Miller.
2264
2265         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2266         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2267         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2268         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2269
2270         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2271         entirely, since there's no relevant version to replace them with.
2272
2273         * postprocess-headers.sh:
2274
2275 2018-07-30  Keith Miller  <keith_miller@apple.com>
2276
2277         Clarify conversion rules for JSValue property access API
2278         https://bugs.webkit.org/show_bug.cgi?id=188179
2279
2280         Reviewed by Geoffrey Garen.
2281
2282         * API/JSValue.h:
2283
2284 2018-07-30  Keith Miller  <keith_miller@apple.com>
2285
2286         Rename some JSC API functions/types.
2287         https://bugs.webkit.org/show_bug.cgi?id=188173
2288
2289         Reviewed by Saam Barati.
2290
2291         * API/JSObjectRef.cpp:
2292         (JSObjectHasPropertyForKey):
2293         (JSObjectGetPropertyForKey):
2294         (JSObjectSetPropertyForKey):
2295         (JSObjectDeletePropertyForKey):
2296         (JSObjectHasPropertyKey): Deleted.
2297         (JSObjectGetPropertyKey): Deleted.
2298         (JSObjectSetPropertyKey): Deleted.
2299         (JSObjectDeletePropertyKey): Deleted.
2300         * API/JSObjectRef.h:
2301         * API/JSValue.h:
2302         * API/JSValue.mm:
2303         (-[JSValue valueForProperty:]):
2304         (-[JSValue setValue:forProperty:]):
2305         (-[JSValue deleteProperty:]):
2306         (-[JSValue hasProperty:]):
2307         (-[JSValue defineProperty:descriptor:]):
2308         * API/tests/testapi.cpp:
2309         (TestAPI::run):
2310
2311 2018-07-30  Mark Lam  <mark.lam@apple.com>
2312
2313         Add a debugging utility to dump the memory layout of a JSCell.
2314         https://bugs.webkit.org/show_bug.cgi?id=188157
2315
2316         Reviewed by Yusuke Suzuki.
2317
2318         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2319         dump the memory contents of a cell and if present, its butterfly for debugging
2320         purposes.
2321
2322         Example usage for JS code when JSC_useDollarVM=true:
2323
2324             $vm.dumpCell(obj);
2325
2326         Example usage from C++ code or from lldb: 
2327
2328             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2329
2330         Some examples of dumps:
2331
2332             <0x104bc8260, Object>
2333               [0] 0x104bc8260 : 0x010016000000016c header
2334                 structureID 364 0x16c structure 0x104b721b0
2335                 indexingTypeAndMisc 0 0x0 NonArray
2336                 type 22 0x16
2337                 flags 0 0x0
2338                 cellState 1
2339               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2340               [2] 0x104bc8270 : 0xffff000000000007
2341               [3] 0x104bc8278 : 0xffff000000000008
2342
2343             <0x104bb4360, Array>
2344               [0] 0x104bb4360 : 0x0108210b00000171 header
2345                 structureID 369 0x171 structure 0x104b723e0
2346                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2347                 type 33 0x21
2348                 flags 8 0x8
2349                 cellState 1
2350               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2351                 base 0x8000f46e0
2352                 hasIndexingHeader YES hasAnyArrayStorage YES
2353                 publicLength 4 vectorLength 7 indexBias 2
2354                 preCapacity 2 propertyCapacity 4
2355                   <--- preCapacity
2356                   [0] 0x8000f46e0 : 0x0000000000000000
2357                   [1] 0x8000f46e8 : 0x0000000000000000
2358                   <--- propertyCapacity
2359                   [2] 0x8000f46f0 : 0x0000000000000000
2360                   [3] 0x8000f46f8 : 0x0000000000000000
2361                   [4] 0x8000f4700 : 0xffff00000000000d
2362                   [5] 0x8000f4708 : 0xffff00000000000c
2363                   <--- indexingHeader
2364                   [6] 0x8000f4710 : 0x0000000700000004
2365                   <--- butterfly
2366                   <--- arrayStorage
2367                   [7] 0x8000f4718 : 0x0000000000000000
2368                   [8] 0x8000f4720 : 0x0000000400000002
2369                   <--- indexedProperties
2370                   [9] 0x8000f4728 : 0xffff000000000008
2371                   [10] 0x8000f4730 : 0xffff000000000009
2372                   [11] 0x8000f4738 : 0xffff000000000005
2373                   [12] 0x8000f4740 : 0xffff000000000006
2374                   [13] 0x8000f4748 : 0x0000000000000000
2375                   [14] 0x8000f4750 : 0x0000000000000000
2376                   [15] 0x8000f4758 : 0x0000000000000000
2377                   <--- unallocated capacity
2378                   [16] 0x8000f4760 : 0x0000000000000000
2379                   [17] 0x8000f4768 : 0x0000000000000000
2380                   [18] 0x8000f4770 : 0x0000000000000000
2381                   [19] 0x8000f4778 : 0x0000000000000000
2382
2383         * runtime/JSObject.h:
2384         * tools/JSDollarVM.cpp:
2385         (JSC::functionDumpCell):
2386         (JSC::JSDollarVM::finishCreation):
2387         * tools/VMInspector.cpp:
2388         (JSC::VMInspector::dumpCellMemory):
2389         (JSC::IndentationScope::IndentationScope):
2390         (JSC::IndentationScope::~IndentationScope):
2391         (JSC::VMInspector::dumpCellMemoryToStream):
2392         * tools/VMInspector.h:
2393
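The words in the dumps above can be decoded by hand, which is what you end up doing when triaging a crash where a cell or butterfly is suspected to be corrupted. The following added example (not VMInspector's code) does that decoding for the header word, the IndexingHeader, the ArrayStorage counts and the Int32 JSValue slots. The byte layout is assumed from the JSCell and Butterfly definitions in the source and checked against the dumps above; the struct and function names are made up for this example.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed layout (from JSCell.h, as the dumps above show): a 4-byte
// StructureID followed by one byte each of IndexingType, JSType, TypeInfo
// flags and CellState, read as one little-endian 64-bit word.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

static CellHeader decodeCellHeader(uint64_t word)
{
    CellHeader h;
    h.structureID = static_cast<uint32_t>(word & 0xffffffffULL);
    h.indexingTypeAndMisc = static_cast<uint8_t>(word >> 32);
    h.type = static_cast<uint8_t>(word >> 40);
    h.flags = static_cast<uint8_t>(word >> 48);
    h.cellState = static_cast<uint8_t>(word >> 56);
    return h;
}

// IndexingHeader word (the one just before the butterfly pointer target):
// publicLength in the low 32 bits, vectorLength in the high 32 bits.
struct IndexingHeader {
    uint32_t publicLength;
    uint32_t vectorLength;
};

static IndexingHeader decodeIndexingHeader(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffULL), static_cast<uint32_t>(word >> 32) };
}

// Second ArrayStorage word (after the sparse-map pointer): indexBias in the
// low 32 bits, numValuesInVector in the high 32 bits (inferred from the dump).
struct ArrayStorageCounts {
    uint32_t indexBias;
    uint32_t numValuesInVector;
};

static ArrayStorageCounts decodeArrayStorageCounts(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffULL), static_cast<uint32_t>(word >> 32) };
}

// 64-bit JSValue boxing: an Int32 is stored as 0xffff0000'xxxxxxxx, so the
// 0xffff00000000000N slots in the dumps are the small integers 7, 8, 13, ...
static bool isInt32Value(uint64_t value) { return (value >> 32) == 0xffff0000ULL; }
static int32_t int32Value(uint64_t value) { return static_cast<int32_t>(value & 0xffffffffULL); }

int main()
{
    // Header word of the Object dump above.
    CellHeader h = decodeCellHeader(0x010016000000016cULL);
    std::printf("structureID %u indexingTypeAndMisc %u type %u flags %u cellState %u\n",
        h.structureID, unsigned(h.indexingTypeAndMisc), unsigned(h.type),
        unsigned(h.flags), unsigned(h.cellState));
    // IndexingHeader and ArrayStorage words of the Array dump above.
    IndexingHeader ih = decodeIndexingHeader(0x0000000700000004ULL);
    ArrayStorageCounts as = decodeArrayStorageCounts(0x0000000400000002ULL);
    std::printf("publicLength %u vectorLength %u indexBias %u numValuesInVector %u\n",
        ih.publicLength, ih.vectorLength, as.indexBias, as.numValuesInVector);
    std::printf("slot 0xffff000000000008 is int32 %d\n", int32Value(0xffff000000000008ULL));
    return 0;
}
```

Run against the two headers printed above, the decoder reproduces structureID 364 / type 22 for the Object and structureID 369 / indexingTypeAndMisc 11 / type 33 / flags 8 for the Array, and the butterfly words give publicLength 4, vectorLength 7 and indexBias 2, matching the dump's own annotations. A header whose type byte does not correspond to any JSType, or whose structureID is out of range, is the first sign of an overwritten cell.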
2394 2018-07-27  Mark Lam  <mark.lam@apple.com>
2395
2396         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2397         https://bugs.webkit.org/show_bug.cgi?id=188123
2398         <rdar://problem/42672268>
2399
2400         Reviewed by Keith Miller.
2401
2402         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2403            padding space in VM and Heap, and should not cost any measurable perf to
2404            initialize and update.
2405
2406         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2407
2408            worldState tells us the value we failed the assertion on.
2409
2410            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2411            that led us here.
2412
2413            VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
2414
2415            VM::isEntered() tells us if the current VM is currently executing JS code.
2416
2417            Some of this data may be redundant, but the redundancy is intentional so that
2418            we can double check what is really happening at the time of crash.
2419
2420         * heap/Heap.cpp:
2421         (JSC::asInt):
2422         (JSC::Heap::checkConn):
2423         (JSC::Heap::changePhase):
2424         * heap/Heap.h:
2425         * runtime/VM.cpp:
2426         (JSC::VM::nextID):
2427         (JSC::VM::VM):
2428         * runtime/VM.h:
2429         (JSC::VM::numberOfIDs):
2430         (JSC::VM::id const):
2431         (JSC::VM::isEntered const):
2432
2433 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2434
2435         [JSC] Record CoW status in ArrayProfile correctly
2436         https://bugs.webkit.org/show_bug.cgi?id=187949
2437
2438         Reviewed by Saam Barati.
2439
2440         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2441         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2442         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2443         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2444         Array::Generic DFG nodes.
2445
2446         * bytecode/ArrayProfile.h:
2447         (JSC::asArrayModes):
2448         (JSC::ArrayProfile::ArrayProfile):
2449         * dfg/DFGOSRExit.cpp:
2450         (JSC::DFG::OSRExit::compileExit):
2451         * ftl/FTLOSRExitCompiler.cpp:
2452         (JSC::FTL::compileStub):
2453         * runtime/IndexingType.h:
2454
2455 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2456
2457         [INTL] Remove INTL sub-feature compile flags
2458         https://bugs.webkit.org/show_bug.cgi?id=188081
2459
2460         Reviewed by Michael Catanzaro.
2461
2462         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2463         The runtime flags are still present, and should be relied on instead.
2464         The defines for ICU features have also been updated to match HAVE() style.
2465
2466         * Configurations/FeatureDefines.xcconfig:
2467         * runtime/IntlPluralRules.cpp:
2468         (JSC::IntlPluralRules::resolvedOptions):
2469         (JSC::IntlPluralRules::select):
2470         * runtime/IntlPluralRules.h:
2471         * runtime/Options.h:
2472
2473 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2474
2475         [JSC] Dump IndexingMode in Structure
2476         https://bugs.webkit.org/show_bug.cgi?id=188085
2477
2478         Reviewed by Keith Miller.
2479
2480         Dump IndexingMode instead of IndexingType.
2481
2482         * runtime/Structure.cpp:
2483         (JSC::Structure::dump const):
2484
2485 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2486
2487         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2488         https://bugs.webkit.org/show_bug.cgi?id=187963
2489
2490         Reviewed by Alex Christensen.
2491
2492         * inspector/InspectorBackendDispatcher.cpp:
2493         (Inspector::BackendDispatcher::dispatch):
2494         * jsc.cpp:
2495         (ModuleName::ModuleName):
2496         (resolvePath):
2497         * runtime/IntlObject.cpp:
2498         (JSC::canonicalizeLanguageTag):
2499         (JSC::removeUnicodeLocaleExtension):
2500         Update split/splitAllowingEmptyEntries usage.
2501
2502 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2503
2504         Unreviewed, rolling out r234181 and r234189.
2505         https://bugs.webkit.org/show_bug.cgi?id=188075
2506
2507         These are not needed right now (Requested by thorton on
2508         #webkit).
2509
2510         Reverted changesets:
2511
2512         "Enable Web Content Filtering on watchOS"
2513         https://bugs.webkit.org/show_bug.cgi?id=187979
2514         https://trac.webkit.org/changeset/234181
2515
2516         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2517         https://bugs.webkit.org/show_bug.cgi?id=187985
2518         https://trac.webkit.org/changeset/234189
2519
2520 2018-07-26  Mark Lam  <mark.lam@apple.com>
2521
2522         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2523         https://bugs.webkit.org/show_bug.cgi?id=188065
2524         <rdar://problem/42515726>
2525
2526         Reviewed by Saam Barati.
2527
2528         * runtime/ArrayPrototype.cpp:
2529         (JSC::clearElement):
2530         (JSC::copyElements):
2531         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2532
2533 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2534
2535         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2536         https://bugs.webkit.org/show_bug.cgi?id=167991
2537
2538         Reviewed by Michael Catanzaro.
2539
2540         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2541         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2542         no more cases where you might have an invalid locale come back from resolveLocale.
2543
2544         * runtime/IntlObject.cpp:
2545         (JSC::convertICULocaleToBCP47LanguageTag):
2546         (JSC::defaultLocale):
2547         (JSC::lookupMatcher):
2548         * runtime/IntlObject.h:
2549         * runtime/JSGlobalObject.cpp:
2550         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2551         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2552         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2553         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2554
2555 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2556
2557         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2558         https://bugs.webkit.org/show_bug.cgi?id=188040
2559
2560         Unreviewed build fix for AppleWin port.
2561
2562         * API/tests/testapi.c: Disabled warning C4204.
2563         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2564
2565 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2566
2567         [JSC API] We should support the symbol type in our C/Obj-C API
2568         https://bugs.webkit.org/show_bug.cgi?id=175836
2569
2570         Unreviewed build fix for Windows port.
2571
2572         r234227 introduced a compilation error, unresolved external symbol
2573         "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.
2574
2575         Windows ports are compiling testapi.c as C++ by using the /TP switch.
2576
2577         * API/tests/testapi.c:
2578         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2579         (dllLauncherEntryPoint): Converted into C style.
2580         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2581
2582 2018-07-25  Keith Miller  <keith_miller@apple.com>
2583
2584         [JSC API] We should support the symbol type in our C/Obj-C API
2585         https://bugs.webkit.org/show_bug.cgi?id=175836
2586
2587         Reviewed by Filip Pizlo.
2588
2589         This patch makes the following API additions:
2590         1) Test if a JSValue/JSValueRef is a symbol via any of the methods the API provides to test for the types of other JSValues.
2591         2) Create a symbol on both APIs.
2592         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2593         4) Add Get/Set/Delete in the C API.
2594
2595         We can do 3 because it is both binary and source compatible with
2596         the existing API. I added (4) because the current property access
2597         APIs only have the ability to get Strings. It was possible to
2598         merge symbols into JSStringRef but that felt confusing and exposes
2599         implementation details of our engine. The new functions match the
2600         same meaning that they have in JS, thus should be forward
2601         compatible with any future language extensions.
2602
2603         Lastly, this patch adds the same availability preprocessing phase
2604         in WebCore to JavaScriptCore, which enables TBA features for
2605         testing on previous releases.
2606
2607         * API/APICast.h:
2608         * API/JSBasePrivate.h:
2609         * API/JSContext.h:
2610         * API/JSContextPrivate.h:
2611         * API/JSContextRef.h:
2612         * API/JSContextRefInternal.h:
2613         * API/JSContextRefPrivate.h:
2614         * API/JSManagedValue.h:
2615         * API/JSObjectRef.cpp:
2616         (JSObjectHasPropertyKey):
2617         (JSObjectGetPropertyKey):
2618         (JSObjectSetPropertyKey):
2619         (JSObjectDeletePropertyKey):
2620         * API/JSObjectRef.h:
2621         * API/JSRemoteInspector.h:
2622         * API/JSTypedArray.h:
2623         * API/JSValue.h:
2624         * API/JSValue.mm:
2625         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
2626         (performPropertyOperation):
2627         (-[JSValue valueForProperty:valueForProperty:]):
2628         (-[JSValue setValue:forProperty:setValue:forProperty:]):
2629         (-[JSValue deleteProperty:deleteProperty:]):
2630         (-[JSValue hasProperty:hasProperty:]):
2631         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
2632         (-[JSValue isSymbol]):
2633         (-[JSValue objectForKeyedSubscript:]):
2634         (-[JSValue setObject:forKeyedSubscript:]):
2635         (-[JSValue valueForProperty:]): Deleted.
2636         (-[JSValue setValue:forProperty:]): Deleted.
2637         (-[JSValue deleteProperty:]): Deleted.
2638         (-[JSValue hasProperty:]): Deleted.
2639         (-[JSValue defineProperty:descriptor:]): Deleted.
2640         * API/JSValueRef.cpp:
2641         (JSValueGetType):
2642         (JSValueIsSymbol):
2643         (JSValueMakeSymbol):
2644         * API/JSValueRef.h:
2645         * API/WebKitAvailability.h:
2646         * API/tests/CurrentThisInsideBlockGetterTest.mm:
2647         * API/tests/CustomGlobalObjectClassTest.c:
2648         * API/tests/DateTests.mm:
2649         * API/tests/JSExportTests.mm:
2650         * API/tests/JSNode.c:
2651         * API/tests/JSNodeList.c:
2652         * API/tests/Node.c:
2653         * API/tests/NodeList.c:
2654         * API/tests/minidom.c:
2655         * API/tests/testapi.c:
2656         (main):
2657         * API/tests/testapi.cpp: Added.
2658         (APIString::APIString):
2659         (APIString::~APIString):
2660         (APIString::operator JSStringRef):
2661         (APIContext::APIContext):
2662         (APIContext::~APIContext):
2663         (APIContext::operator JSGlobalContextRef):
2664         (APIVector::APIVector):
2665         (APIVector::~APIVector):
2666         (APIVector::append):
2667         (testCAPIViaCpp):
2668         (TestAPI::evaluateScript):
2669         (TestAPI::callFunction):
2670         (TestAPI::functionReturnsTrue):
2671         (TestAPI::check):
2672         (TestAPI::checkJSAndAPIMatch):
2673         (TestAPI::interestingObjects):
2674         (TestAPI::interestingKeys):
2675         (TestAPI::run):
2676         * API/tests/testapi.mm:
2677         (testObjectiveCAPIMain):
2678         * JavaScriptCore.xcodeproj/project.pbxproj:
2679         * config.h:
2680         * postprocess-headers.sh:
2681         * shell/CMakeLists.txt:
2682         * testmem/testmem.mm:
2683
2684 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2685
2686         [INTL] Call Typed Array elements toLocaleString with locale and options
2687         https://bugs.webkit.org/show_bug.cgi?id=185796
2688
2689         Reviewed by Keith Miller.
2690
2691         Improve ECMA 402 compliance of typed array toLocaleString, passing along
2692         the locale and options to element toLocaleString calls.
2693
2694         * builtins/TypedArrayPrototype.js:
2695         (toLocaleString):
2696
2697 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
2698
2699         [INTL] Intl constructor lengths should be configurable
2700         https://bugs.webkit.org/show_bug.cgi?id=187960
2701
2702         Reviewed by Saam Barati.
2703
2704         Removed DontDelete from Intl constructor lengths.
2705         Fixed DateTimeFormat formatToParts length.
2706
2707         * runtime/IntlCollatorConstructor.cpp:
2708         (JSC::IntlCollatorConstructor::finishCreation):
2709         * runtime/IntlDateTimeFormatConstructor.cpp:
2710         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2711         * runtime/IntlDateTimeFormatPrototype.cpp:
2712         (JSC::IntlDateTimeFormatPrototype::finishCreation):
2713         * runtime/IntlNumberFormatConstructor.cpp:
2714         (JSC::IntlNumberFormatConstructor::finishCreation):
2715         * runtime/IntlPluralRulesConstructor.cpp:
2716         (JSC::IntlPluralRulesConstructor::finishCreation):
2717
2718 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
2719
2720         runJITThreadLimitTests is failing
2721         https://bugs.webkit.org/show_bug.cgi?id=187886
2722         <rdar://problem/42561966>
2723
2724         Unreviewed build fix for MSVC.
2725
2726         MSVC doesn't support the ternary operator without a second operand.
2727
2728         * dfg/DFGWorklist.cpp:
2729         (JSC::DFG::getNumberOfDFGCompilerThreads):
2730         (JSC::DFG::getNumberOfFTLCompilerThreads):
2731
2732 2018-07-24  Commit Queue  <commit-queue@webkit.org>
2733
2734         Unreviewed, rolling out r234183.
2735         https://bugs.webkit.org/show_bug.cgi?id=187983
2736
2737         cause regression in Kraken gaussian blur and desaturate
2738         (Requested by yusukesuzuki on #webkit).
2739
2740         Reverted changeset:
2741
2742         "[JSC] Record CoW status in ArrayProfile"
2743         https://bugs.webkit.org/show_bug.cgi?id=187949
2744         https://trac.webkit.org/changeset/234183
2745
2746 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2747
2748         [JSC] Record CoW status in ArrayProfile
2749         https://bugs.webkit.org/show_bug.cgi?id=187949
2750
2751         Reviewed by Saam Barati.
2752
2753         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
2754         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
2755         in this code typically record only non-CoW arrays since array profiles hold only one recently seen
2756         StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits
2757         due to CoW arrays.
2758
2759         In this patch, we record CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
2760         speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.
2761
2762         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
2763
2764                                       baseline                  patched
2765
2766         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
2767         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
2768
2769         * bytecode/ArrayProfile.cpp:
2770         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2771         * bytecode/ArrayProfile.h:
2772         (JSC::asArrayModes):
2773         We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.
2774
2775         (JSC::ArrayProfile::ArrayProfile):
2776         (JSC::ArrayProfile::addressOfObservedIndexingModes):
2777         (JSC::ArrayProfile::observedIndexingModes const):
2778         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
2779         So we store the union of seen IndexingModes in an `unsigned` instead.
2780
2781         * dfg/DFGArrayMode.cpp:
2782         (JSC::DFG::ArrayMode::fromObserved):
2783         * dfg/DFGArrayMode.h:
2784         (JSC::DFG::ArrayMode::withProfile const):
2785         * jit/JITCall.cpp:
2786         (JSC::JIT::compileOpCall):
2787         * jit/JITCall32_64.cpp:
2788         (JSC::JIT::compileOpCall):
2789         * jit/JITInlines.h:
2790         (JSC::JIT::emitArrayProfilingSiteWithCell):
2791         * llint/LowLevelInterpreter.asm:
2792         * llint/LowLevelInterpreter32_64.asm:
2793         * llint/LowLevelInterpreter64.asm:
2794
2795 2018-07-24  Tim Horton  <timothy_horton@apple.com>
2796
2797         Enable Web Content Filtering on watchOS
2798         https://bugs.webkit.org/show_bug.cgi?id=187979
2799         <rdar://problem/42559346>
2800
2801         Reviewed by Wenson Hsieh.
2802
2803         * Configurations/FeatureDefines.xcconfig:
2804
2805 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
2806
2807         Don't modify Options when setting JIT thread limits
2808         https://bugs.webkit.org/show_bug.cgi?id=187886
2809
2810         Reviewed by Filip Pizlo.
2811
2812         Previously, when setting the JIT thread limit prior to the worklist
2813         initialization, it'd be set via Options, which didn't work if Options
2814         hadn't been initialized yet. Change it to use a static variable in the
2815         Worklist instead.
2816
2817         * API/JSVirtualMachine.mm:
2818         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2819         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2820         * API/tests/testapi.mm:
2821         (testObjectiveCAPIMain):
2822         * dfg/DFGWorklist.cpp:
2823         (JSC::DFG::getNumberOfDFGCompilerThreads):
2824         (JSC::DFG::getNumberOfFTLCompilerThreads):
2825         (JSC::DFG::setNumberOfDFGCompilerThreads):
2826         (JSC::DFG::setNumberOfFTLCompilerThreads):
2827         (JSC::DFG::ensureGlobalDFGWorklist):
2828         (JSC::DFG::ensureGlobalFTLWorklist):
2829         * dfg/DFGWorklist.h:
2830
2831 2018-07-24  Mark Lam  <mark.lam@apple.com>
2832
2833         Refactoring: make DFG::Plan a class.
2834         https://bugs.webkit.org/show_bug.cgi?id=187968
2835
2836         Reviewed by Saam Barati.
2837
2838         This patch makes all the DFG::Plan fields private, and provides accessor methods
2839         for them.  This makes it easier to reason about how these fields are used and
2840         modified.
2841
2842         * dfg/DFGAbstractInterpreterInlines.h:
2843         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2844         * dfg/DFGByteCodeParser.cpp:
2845         (JSC::DFG::ByteCodeParser::handleCall):
2846         (JSC::DFG::ByteCodeParser::handleVarargsCall):
2847         (JSC::DFG::ByteCodeParser::handleInlining):
2848         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2849         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2850         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
2851         (JSC::DFG::ByteCodeParser::handleGetById):
2852         (JSC::DFG::ByteCodeParser::handlePutById):
2853         (JSC::DFG::ByteCodeParser::parseBlock):
2854         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2855         (JSC::DFG::ByteCodeParser::parseCodeBlock):
2856         (JSC::DFG::ByteCodeParser::parse):
2857         * dfg/DFGCFAPhase.cpp:
2858         (JSC::DFG::CFAPhase::run):
2859         (JSC::DFG::CFAPhase::injectOSR):
2860         * dfg/DFGClobberize.h:
2861         (JSC::DFG::clobberize):
2862         * dfg/DFGCommonData.cpp:
2863         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
2864         * dfg/DFGCommonData.h:
2865         * dfg/DFGConstantFoldingPhase.cpp:
2866         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2867         * dfg/DFGDriver.cpp:
2868         (JSC::DFG::compileImpl):
2869         * dfg/DFGFinalizer.h:
2870         * dfg/DFGFixupPhase.cpp:
2871         (JSC::DFG::FixupPhase::fixupNode):
2872         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
2873         * dfg/DFGGraph.cpp:
2874         (JSC::DFG::Graph::Graph):
2875         (JSC::DFG::Graph::watchCondition):
2876         (JSC::DFG::Graph::inferredTypeFor):
2877         (JSC::DFG::Graph::requiredRegisterCountForExit):
2878         (JSC::DFG::Graph::registerFrozenValues):
2879         (JSC::DFG::Graph::registerStructure):
2880         (JSC::DFG::Graph::registerAndWatchStructureTransition):
2881         (JSC::DFG::Graph::assertIsRegistered):
2882         * dfg/DFGGraph.h:
2883         (JSC::DFG::Graph::compilation):
2884         (JSC::DFG::Graph::identifiers):
2885         (JSC::DFG::Graph::watchpoints):
2886         * dfg/DFGJITCompiler.cpp:
2887         (JSC::DFG::JITCompiler::JITCompiler):
2888         (JSC::DFG::JITCompiler::link):
2889         (JSC::DFG::JITCompiler::compile):
2890         (JSC::DFG::JITCompiler::compileFunction):
2891         (JSC::DFG::JITCompiler::disassemble):
2892         * dfg/DFGJITCompiler.h:
2893         (JSC::DFG::JITCompiler::addWeakReference):
2894         * dfg/DFGJITFinalizer.cpp:
2895         (JSC::DFG::JITFinalizer::finalize):
2896         (JSC::DFG::JITFinalizer::finalizeFunction):
2897         (JSC::DFG::JITFinalizer::finalizeCommon):
2898         * dfg/DFGOSREntrypointCreationPhase.cpp:
2899         (JSC::DFG::OSREntrypointCreationPhase::run):
2900         * dfg/DFGPhase.cpp:
2901         (JSC::DFG::Phase::beginPhase):
2902         * dfg/DFGPhase.h:
2903         (JSC::DFG::runAndLog):
2904         * dfg/DFGPlan.cpp:
2905         (JSC::DFG::Plan::Plan):
2906         (JSC::DFG::Plan::computeCompileTimes const):
2907         (JSC::DFG::Plan::reportCompileTimes const):
2908         (JSC::DFG::Plan::compileInThread):
2909         (JSC::DFG::Plan::compileInThreadImpl):
2910         (JSC::DFG::Plan::isStillValid):
2911         (JSC::DFG::Plan::reallyAdd):
2912         (JSC::DFG::Plan::notifyCompiling):
2913         (JSC::DFG::Plan::notifyReady):
2914         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
2915         (JSC::DFG::Plan::finalizeAndNotifyCallback):
2916         (JSC::DFG::Plan::key):
2917         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
2918         (JSC::DFG::Plan::finalizeInGC):
2919         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
2920         (JSC::DFG::Plan::cancel):
2921         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2922         * dfg/DFGPlan.h:
2923         (JSC::DFG::Plan::canTierUpAndOSREnter const):
2924         (JSC::DFG::Plan::vm const):
2925         (JSC::DFG::Plan::codeBlock):
2926         (JSC::DFG::Plan::mode const):
2927         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
2928         (JSC::DFG::Plan::mustHandleValues const):
2929         (JSC::DFG::Plan::threadData const):
2930         (JSC::DFG::Plan::compilation const):
2931         (JSC::DFG::Plan::finalizer const):
2932         (JSC::DFG::Plan::setFinalizer):
2933         (JSC::DFG::Plan::inlineCallFrames const):
2934         (JSC::DFG::Plan::watchpoints):
2935         (JSC::DFG::Plan::identifiers):
2936         (JSC::DFG::Plan::weakReferences):
2937         (JSC::DFG::Plan::transitions):
2938         (JSC::DFG::Plan::recordedStatuses):
2939         (JSC::DFG::Plan::willTryToTierUp const):
2940         (JSC::DFG::Plan::setWillTryToTierUp):
2941         (JSC::DFG::Plan::tierUpInLoopHierarchy):
2942         (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
2943         (JSC::DFG::Plan::stage const):
2944         (JSC::DFG::Plan::callback const):
2945         (JSC::DFG::Plan::setCallback):
2946         * dfg/DFGPlanInlines.h:
2947         (JSC::DFG::Plan::iterateCodeBlocksForGC):
2948         * dfg/DFGPreciseLocalClobberize.h:
2949         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
2950         * dfg/DFGPredictionInjectionPhase.cpp:
2951         (JSC::DFG::PredictionInjectionPhase::run):
2952         * dfg/DFGSafepoint.cpp:
2953         (JSC::DFG::Safepoint::Safepoint):
2954         (JSC::DFG::Safepoint::~Safepoint):
2955         (JSC::DFG::Safepoint::begin):
2956         * dfg/DFGSafepoint.h:
2957         * dfg/DFGSpeculativeJIT.h:
2958         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
2959         (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
2960         * dfg/DFGStackLayoutPhase.cpp:
2961         (JSC::DFG::StackLayoutPhase::run):
2962         * dfg/DFGStrengthReductionPhase.cpp:
2963         (JSC::DFG::StrengthReductionPhase::handleNode):
2964         * dfg/DFGTierUpCheckInjectionPhase.cpp:
2965         (JSC::DFG::TierUpCheckInjectionPhase::run):
2966         * dfg/DFGTypeCheckHoistingPhase.cpp:
2967         (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
2968         * dfg/DFGWorklist.cpp:
2969         (JSC::DFG::Worklist::isActiveForVM const):
2970         (JSC::DFG::Worklist::compilationState):
2971         (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
2972         (JSC::DFG::Worklist::removeAllReadyPlansForVM):
2973         (JSC::DFG::Worklist::completeAllReadyPlansForVM):
2974         (JSC::DFG::Worklist::visitWeakReferences):
2975         (JSC::DFG::Worklist::removeDeadPlans):
2976         (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
2977         * dfg/DFGWorklistInlines.h:
2978         (JSC::DFG::Worklist::iterateCodeBlocksForGC):
2979         * ftl/FTLCompile.cpp:
2980         (JSC::FTL::compile):
2981         * ftl/FTLFail.cpp:
2982         (JSC::FTL::fail):
2983         * ftl/FTLJITFinalizer.cpp:
2984         (JSC::FTL::JITFinalizer::finalizeCommon):
2985         * ftl/FTLLink.cpp:
2986         (JSC::FTL::link):
2987         * ftl/FTLLowerDFGToB3.cpp:
2988         (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
2989         (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
2990         (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
2991         * ftl/FTLState.cpp:
2992         (JSC::FTL::State::State):
2993
2994 2018-07-24  Saam Barati  <sbarati@apple.com>
2995
2996         Make VM::canUseJIT an inlined function
2997         https://bugs.webkit.org/show_bug.cgi?id=187583
2998
2999         Reviewed by Mark Lam.
3000
3001         We know the answer to this query in initializeThreading after initializing
3002         the executable allocator. This patch makes it so that we just hold this value
3003         in a static variable and have an inlined function that just returns the value
3004         of that static variable.
3005
3006         * runtime/InitializeThreading.cpp:
3007         (JSC::initializeThreading):
3008         * runtime/VM.cpp:
3009         (JSC::VM::computeCanUseJIT):
3010         (JSC::VM::canUseJIT): Deleted.
3011         * runtime/VM.h:
3012         (JSC::VM::canUseJIT):
3013
3014 2018-07-24  Mark Lam  <mark.lam@apple.com>
3015
3016         Placate exception check verification after recent changes.
3017         https://bugs.webkit.org/show_bug.cgi?id=187961
3018         <rdar://problem/42545394>
3019
3020         Reviewed by Saam Barati.
3021
3022         * runtime/IntlObject.cpp:
3023         (JSC::intlNumberOption):
3024
3025 2018-07-23  Saam Barati  <sbarati@apple.com>
3026
3027         need to didFoldClobberWorld when we constant fold GetByVal
3028         https://bugs.webkit.org/show_bug.cgi?id=187917
3029         <rdar://problem/42505095>
3030
3031         Reviewed by Yusuke Suzuki.
3032
3033         * dfg/DFGAbstractInterpreterInlines.h:
3034         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3035
3036 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
3037
3038         [INTL] Language tags are not canonicalized
3039         https://bugs.webkit.org/show_bug.cgi?id=185836
3040
3041         Reviewed by Keith Miller.
3042
3043         Canonicalize language tags, replacing deprecated tag parts with the
3044         preferred values. Remove broken support for algorithmic numbering systems,
3045         which can cause an error in ICU and are not supported in other engines.
3046
3047         Generate the lookup functions from the language-subtag-registry.
3048
3049         Also initialize the UNumberFormat in initializeNumberFormat so any
3050         failures are thrown immediately instead of failing to format later.
3051
3052         * CMakeLists.txt:
3053         * DerivedSources.make:
3054         * JavaScriptCore.xcodeproj/project.pbxproj:
3055         * Scripts/generateIntlCanonicalizeLanguage.py: Added.
3056         * runtime/IntlDateTimeFormat.cpp:
3057         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
3058         * runtime/IntlNumberFormat.cpp:
3059         (JSC::IntlNumberFormat::initializeNumberFormat):
3060         (JSC::IntlNumberFormat::formatNumber):
3061         (JSC::IntlNumberFormat::formatToParts):
3062         (JSC::IntlNumberFormat::createNumberFormat): Deleted.
3063         * runtime/IntlNumberFormat.h:
3064         * runtime/IntlObject.cpp:
3065         (JSC::intlNumberOption):
3066         (JSC::intlDefaultNumberOption):
3067         (JSC::preferredLanguage):
3068         (JSC::preferredRegion):
3069         (JSC::canonicalLangTag):
3070         (JSC::canonicalizeLanguageTag):
3071         (JSC::defaultLocale):
3072         (JSC::removeUnicodeLocaleExtension):
3073         (JSC::numberingSystemsForLocale):
3074         (JSC::grandfatheredLangTag): Deleted.
3075         * runtime/IntlObject.h:
3076         * runtime/IntlPluralRules.cpp:
3077         (JSC::IntlPluralRules::initializePluralRules):
3078         * runtime/JSGlobalObject.cpp:
3079         (JSC::addMissingScriptLocales):
3080         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3081         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3082         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3083         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3084         * ucd/language-subtag-registry.txt: Added.
3085
3086 2018-07-23  Mark Lam  <mark.lam@apple.com>
3087
3088         Add some asserts to help diagnose a crash.
3089         https://bugs.webkit.org/show_bug.cgi?id=187915
3090         <rdar://problem/42508166>
3091
3092         Reviewed by Michael Saboff.
3093
3094         Add some asserts to verify that a CodeBlock alternative should always have a
3095         non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
3096         CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
3097         so that we'll retain the state of the variables that failed the assertion (again
3098         to help with diagnosis).
3099
3100         * bytecode/CodeBlock.cpp:
3101         (JSC::CodeBlock::setAlternative):
3102         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
3103         * dfg/DFGPlan.cpp:
3104         (JSC::DFG::Plan::Plan):
3105
3106 2018-07-23  Filip Pizlo  <fpizlo@apple.com>
3107
3108         Unreviewed, fix no-JIT build.
3109
3110         * bytecode/CallLinkStatus.cpp:
3111         (JSC::CallLinkStatus::computeFor):
3112         * bytecode/CodeBlock.cpp:
3113         (JSC::CodeBlock::finalizeUnconditionally):
3114         * bytecode/GetByIdStatus.cpp:
3115         (JSC::GetByIdStatus::computeFor):
3116         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3117         * bytecode/InByIdStatus.cpp:
3118         * bytecode/PutByIdStatus.cpp:
3119         (JSC::PutByIdStatus::computeForStubInfo):
3120
3121 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3122
3123         [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
3124         https://bugs.webkit.org/show_bug.cgi?id=187891
3125
3126         Reviewed by Saam Barati.
3127
3128         When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
3129         two variants are mergeable but have "Miss" status. We make merging fail if
3130         the merged OPCSet says hasOneSlotBaseCondition() is false. But that is only reasonable
3131         if the variant has "Hit" status. This bug was revealed when we introduced CreateThis in the FTL,
3132         a patch which has more chances to merge variants.
3133
3134         This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
3135         is not related since it does not use this check in Transition case.
3136
3137         * bytecode/GetByIdVariant.cpp:
3138         (JSC::GetByIdVariant::attemptToMerge):
3139         * bytecode/InByIdVariant.cpp:
3140         (JSC::InByIdVariant::attemptToMerge):
3141
3142 2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3143
3144         [DFG] Fold GetByVal if the indexed value is non configurable and non writable
3145         https://bugs.webkit.org/show_bug.cgi?id=186462
3146
3147         Reviewed by Saam Barati.
3148
3149         Non-special DontDelete | ReadOnly properties mean that the value won't be changed. If DFG AI can retrieve this
3150         property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
3151         Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.
3152
3153         This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs
3154         concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
3155         and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
3156         attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
3157         changed and we can safely use it. We arrange our existing code to use this protocol.
3158
3159         Since GetByVal folding requires correct Structure & Butterfly pairs, it is only enabled on the x86 architecture
3160         since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.
3161
3162         This patch improves SixSpeed/template_string_tag.es6.
3163
3164                                           baseline                  patched
3165
3166         template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster
3167
3168         * dfg/DFGAbstractInterpreterInlines.h:
3169         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3170         * runtime/JSArray.cpp:
3171         (JSC::JSArray::setLengthWithArrayStorage):
3172         * runtime/JSObject.cpp:
3173         (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
3174         (JSC::JSObject::deletePropertyByIndex):
3175         (JSC::JSObject::getOwnPropertyNames):
3176         (JSC::putIndexedDescriptor):
3177         (JSC::JSObject::defineOwnIndexedProperty):
3178         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3179         (JSC::JSObject::putIndexedDescriptor): Deleted.
3180         * runtime/JSObject.h:
3181         * runtime/SparseArrayValueMap.cpp:
3182         (JSC::SparseArrayValueMap::SparseArrayValueMap):
3183         (JSC::SparseArrayValueMap::add):
3184         (JSC::SparseArrayValueMap::putDirect):
3185         (JSC::SparseArrayValueMap::getConcurrently):
3186         (JSC::SparseArrayEntry::get const):
3187         (JSC::SparseArrayEntry::getConcurrently const):
3188         (JSC::SparseArrayEntry::put):
3189         (JSC::SparseArrayEntry::getNonSparseMode const):
3190         (JSC::SparseArrayValueMap::visitChildren):
3191         (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
3192         * runtime/SparseArrayValueMap.h:
3193         (JSC::SparseArrayEntry::SparseArrayEntry):
3194         (JSC::SparseArrayEntry::attributes const):
3195         (JSC::SparseArrayEntry::forceSet):
3196         (JSC::SparseArrayEntry::asValue):
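
The value/attributes publication protocol described in this entry, as an added illustration that is not JSC's own code: the attribute bits and the Entry model are constructed stand-ins, the function names mirror the ones listed above only for orientation, and the fences are portable std::atomic equivalents of WTF::storeStoreFence / WTF::loadLoadFence.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>

// Attribute bits: constructed stand-ins for JSC's property attributes, not its real values.
enum : unsigned {
    None       = 0,
    ReadOnly   = 1u << 1,
    DontDelete = 1u << 3,
};

// Returned by getConcurrently() when the entry cannot be treated as an immutable constant.
// (0 is reserved as "not set" in this constructed model.)
constexpr std::uintptr_t kNoValue = 0;

// Constructed model of a SparseArrayEntry: a value slot plus attribute bits.
// The attributes double as the publication flag for the value.
struct Entry {
    std::atomic<std::uintptr_t> value{0};
    std::atomic<unsigned> attributes{None};
};

// Mutator side (cf. SparseArrayEntry::put): write the value first, then a
// store-store fence, then the attributes. A reader that observes the attributes
// is therefore guaranteed to observe the value written before them.
void putEntry(Entry& e, std::uintptr_t value, unsigned attributes)
{
    e.value.store(value, std::memory_order_relaxed);
    // JSC emits WTF::storeStoreFence() here (only on x86, as the ChangeLog notes);
    // a release fence is the portable equivalent.
    std::atomic_thread_fence(std::memory_order_release);
    e.attributes.store(attributes, std::memory_order_relaxed);
}

// Compiler-thread side (cf. SparseArrayEntry::getConcurrently): load the
// attributes, load-load fence, then the value. Only DontDelete | ReadOnly
// entries are immutable, so only those may be folded to a constant by DFG AI.
std::uintptr_t getConcurrently(const Entry& e)
{
    unsigned attrs = e.attributes.load(std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_acquire); // WTF::loadLoadFence()
    if ((attrs & (DontDelete | ReadOnly)) != (DontDelete | ReadOnly))
        return kNoValue;
    return e.value.load(std::memory_order_relaxed);
}

// Abstract-interpreter view of GetByVal on this entry: fold only when the
// protocol says the value is stable; otherwise leave the access as a runtime load.
// Returns true and sets `folded` when folding is allowed.
bool tryFoldGetByVal(const Entry& e, std::uintptr_t& folded)
{
    std::uintptr_t v = getConcurrently(e);
    if (v == kNoValue)
        return false;
    folded = v;
    return true;
}

int main()
{
    Entry templateStrings;   // models an indexed slot of a tagged-template callsite object
    Entry ordinary;          // models a plain writable indexed slot

    putEntry(templateStrings, 0x1234, DontDelete | ReadOnly);
    putEntry(ordinary, 0x5678, None);

    std::uintptr_t folded = 0;
    std::printf("tagged template slot folds: %s (0x%lx)\n",
                tryFoldGetByVal(templateStrings, folded) ? "yes" : "no",
                static_cast<unsigned long>(folded));
    std::printf("ordinary slot folds: %s\n",
                tryFoldGetByVal(ordinary, folded) ? "yes" : "no");
    return 0;
}
```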
3197
3198 2018-06-02  Filip Pizlo  <fpizlo@apple.com>
3199
3200         We should support CreateThis in the FTL
3201         https://bugs.webkit.org/show_bug.cgi?id=164904
3202
3203         Reviewed by Yusuke Suzuki.
3204         
3205         This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
3206         inference adventure.
3207         
3208         CreateThis in the FTL was a massive regression in raytrace because it disturbed that
3209         benchmark's extremely perverse way of winning at type inference:
3210         
3211         - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
3212           the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
3213           benchmark was falling back to other mechanisms...
3214         
3215         - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
3216           see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
3217           GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
3218           that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
3219           The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
3220           is larger than our polymorphic list limit (limit = 8, case count = 13, I think).
3221           
3222           Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
3223           into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
3224           baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
3225           helper because it had a CreateThis.
3226         
3227         - Compilations that inlined the construction helper would have gotten super lucky with
3228           parse-time constant folding, so they knew what structure the input to the get_by_id would
3229           have at parse time. This is only profitable if the get_by_id parsing computed a
3230           GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
3231           the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
3232           cases, we would indeed get a finite number of cases. The parser would then prune those
3233           cases to just one - based on its knowledge of the structure - and that would result in that
3234           get_by_id being folded at parse time to a constant.
3235         
3236         - The subsequent op_call would inline based on parse-time knowledge of that constant.
3237         
3238         This patch comprehensively fixes these issues, as well as other issues that come up along the
3239         way. The short version is that raytrace was revealing sloppiness in our use of profiling for
3240         type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
3241         i.e. the profiling that considers call context. I was encouraged to do this by the fact that
3242         even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
3243         Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
3244         attack raytrace's problem as a shortcoming of polyvariant profiling.
3245         
3246         - Polyvariant profiling now consults every DFG or FTL code block that participated in any
3247           subset of the inline stack that includes the IC we're profiling. For example, if we have
3248           an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
3249           compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
3250           up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
3251           a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
3252           polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
3253           from polyvariant profiling. Previously, the polyvariant profiler would only look at the
3254           previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
3255           had inlined bar and then baz. It may not have done that, because those calls could have
3256           required polyvariant profiling that was only available in the FTL.
3257           
3258         - A particularly interesting case is when some IC in foo-baseline is also available in
3259           foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
3260           In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
3261           the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
3262           find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
3263           merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
3264           because it warns us of historical polymorphism. Historical polymorphism usually means
3265           future polymorphism. IC status code already had some merging functionality, but I needed to
3266           beef it up a lot to make this work right.
3267         
3268         - Inlining an inline cache now preserves as much information as profiling. One challenge of
3269           polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
3270           inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
3271           (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
3272           say "I don't have such an IC". At this point the DFG compilation that included that IC that
3273           gave us the information that we used to inline the IC is no longer alive. To keep us from
3274           losing the information we learned about the IC, there is now a RecordedStatuses data
3275           structure that preserves the statuses we use for inlining ICs. We also filter those
3276           statuses according to things we learn from AI. This further reduces the risk of information
3277           about an IC being forgotten.
3278         
3279         - Exit profiling now considers whether or not an exit happened from inline code. This
3280           protects us in the case where the not-inlined version of an IC exited a lot because of
3281           polymorphism that doesn't exist in the inlined version. So, when using polyvariant
3282           profiling data, we consider only inlined exits.
3283         
3284         - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
3285           would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
3286           surprising that we've had this bug.
3287         
3288         Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
3289         microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
3290         Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
3291         prototype access folding in the bytecode parser and constant folder. That would require some
3292         significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
3293         have a test that captures raytrace's behavior in the case that the parser cannot fold the
3294         get_by_id.
3295         
3296         This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
3297         recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
3298         compile time regression anytime we fill in FTL coverage.
3299         
3300         This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
3301         speeds up and that raytrace slows down, but these changes balance out and don't affect the
3302         overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
3303         or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
3304         0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
3305         see a significant difference. In all three cases the difference is <0.5% with a high p value,
3306         with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
3307         an insignificant infinitesimal slow-down.
3308         
3309         Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
3310         eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
3311         flow in a polymorphic constructor while h