1 2019-09-15  David Kilzer  <ddkilzer@apple.com>
2
3         Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
4         <https://webkit.org/b/201803>
5
6         Reviewed by Dan Bernstein.
7
8         * API/JSVirtualMachine.mm:
9         (-[JSVirtualMachine addManagedReference:withOwner:]): Use
10         RetainPtr<> to fix the leak.
11
12 2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>
13
14         Retire x86 32bit JIT support
15         https://bugs.webkit.org/show_bug.cgi?id=201790
16
17         Reviewed by Mark Lam.
18
19         Now, Xcode no longer has the ability to build 32-bit binaries, so we cannot even test it on macOS.
20         Fedora has stopped shipping an x86 32-bit kernel. Our x86/x86_64 JIT requires SSE2, so any CPU modern enough
21         to use the JIT can do so by switching from x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
22         WebKit already disabled the x86 JIT by default even though the implementation exists. So, literally, it is not tested.
23
24         While x86 32-bit becomes less useful, the x86 32-bit JIT backend is very complicated and has become a major maintenance burden.
25         This is due to its very small number of registers, which scatters a lot of isX86 / CPU(X86) special cases across Baseline, DFG, and Yarr.
26
27         This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler and GPRInfo / FPRInfo,
28         MachineContext information since they are useful even though JIT is not supported.
29
30         * dfg/DFGArrayMode.cpp:
31         (JSC::DFG::ArrayMode::refine const):
32         * dfg/DFGByteCodeParser.cpp:
33         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
34         (JSC::DFG::ByteCodeParser::parseBlock):
35         * dfg/DFGFixupPhase.cpp:
36         (JSC::DFG::FixupPhase::fixupNode):
37         * dfg/DFGJITCompiler.cpp:
38         (JSC::DFG::JITCompiler::compileExceptionHandlers):
39         * dfg/DFGOSRExitCompilerCommon.cpp:
40         (JSC::DFG::osrWriteBarrier):
41         * dfg/DFGSpeculativeJIT.cpp:
42         (JSC::DFG::SpeculativeJIT::compileArithDiv):
43         (JSC::DFG::SpeculativeJIT::compileArithMod):
44         (JSC::DFG::SpeculativeJIT::compileCreateRest):
45         (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
46         * dfg/DFGSpeculativeJIT.h:
47         * dfg/DFGSpeculativeJIT32_64.cpp:
48         (JSC::DFG::SpeculativeJIT::emitCall):
49         (JSC::DFG::SpeculativeJIT::compile):
50         * dfg/DFGThunks.cpp:
51         (JSC::DFG::osrExitGenerationThunkGenerator):
52         * ftl/FTLThunks.cpp:
53         (JSC::FTL::slowPathCallThunkGenerator):
54         * jit/AssemblyHelpers.cpp:
55         (JSC::AssemblyHelpers::callExceptionFuzz):
56         (JSC::AssemblyHelpers::debugCall):
57         * jit/AssemblyHelpers.h:
58         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
59         * jit/CCallHelpers.h:
60         (JSC::CCallHelpers::setupArgumentsImpl):
61         (JSC::CCallHelpers::prepareForTailCallSlow):
62         * jit/CallFrameShuffler.cpp:
63         (JSC::CallFrameShuffler::prepareForTailCall):
64         * jit/JIT.cpp:
65         (JSC::JIT::privateCompileExceptionHandlers):
66         * jit/JITArithmetic32_64.cpp:
67         (JSC::JIT::emit_op_mod):
68         (JSC::JIT::emitSlow_op_mod):
69         * jit/SlowPathCall.h:
70         (JSC::JITSlowPathCall::call):
71         * jit/ThunkGenerators.cpp:
72         (JSC::nativeForGenerator):
73         (JSC::arityFixupGenerator):
74         * wasm/WasmAirIRGenerator.cpp:
75         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
76         * yarr/YarrJIT.cpp:
77         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
78         (JSC::Yarr::YarrGenerator::generateEnter):
79         (JSC::Yarr::YarrGenerator::generateReturn):
80         (JSC::Yarr::YarrGenerator::compile):
81         * yarr/YarrJIT.h:
82
83 2019-09-13  Mark Lam  <mark.lam@apple.com>
84
85         jsc -d stopped working.
86         https://bugs.webkit.org/show_bug.cgi?id=201787
87
88         Reviewed by Joseph Pecoraro.
89
90         The reason is that, in this case, the jsc shell is trying to set an option after the VM has
91         been instantiated, which the runtime-options hardening (see the 2019-09-12 "Harden JSC against
92         the abuse of runtime options" entry below) no longer allows. The fix is simply to move all options initialization before the VM is instantiated.
93
94         * jsc.cpp:
95         (runWithOptions):
96         (jscmain):
97
98 2019-09-13  Mark Lam  <mark.lam@apple.com>
99
100         watchOS requires PageSize alignment of 16K for JSC::Config.
101         https://bugs.webkit.org/show_bug.cgi?id=201786
102         <rdar://problem/55357890>
103
104         Reviewed by Yusuke Suzuki.
105
106         * runtime/JSCConfig.h:
107
108 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
109
110         Unreviewed, follow-up fix after r249842
111         https://bugs.webkit.org/show_bug.cgi?id=201750
112
113         Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.
114
115         * assembler/MacroAssemblerARM64.h:
116         (JSC::MacroAssemblerARM64::nearCall):
117         (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
118
119 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
120
121         Date.prototype.toJSON does not execute steps 1-2
122         https://bugs.webkit.org/show_bug.cgi?id=105282
123
124         Reviewed by Ross Kirsling.
125
126         According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
127         strict mode functions. Before this change, the `this` value in Date.prototype.toJSON was resolved
128         using sloppy mode semantics, resulting in `toISOString` being called on the global object if the `this`
129         value was `null` or `undefined`.
130
131         * runtime/DatePrototype.cpp:
132         (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.
133
134 2019-09-13  Mark Lam  <mark.lam@apple.com>
135
136         performJITMemcpy() should do its !Gigacage assertion on exit.
137         https://bugs.webkit.org/show_bug.cgi?id=201780
138         <rdar://problem/55354867>
139
140         Reviewed by Robin Morisset.
141
142         Re-doing previous fix.
143
144         * jit/ExecutableAllocator.h:
145         (JSC::performJITMemcpy):
146         (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
147         (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.
148
149 2019-09-13  Mark Lam  <mark.lam@apple.com>
150
151         performJITMemcpy() should do its !Gigacage assertion on exit.
152         https://bugs.webkit.org/show_bug.cgi?id=201780
153         <rdar://problem/55354867>
154
155         Reviewed by Robin Morisset.
156
157         * jit/ExecutableAllocator.h:
158         (JSC::GigacageAssertScope::GigacageAssertScope):
159         (JSC::GigacageAssertScope::~GigacageAssertScope):
160         (JSC::performJITMemcpy):
161
162 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
163
164         [JSC] Micro-optimize YarrJIT's surrogate pair handling
165         https://bugs.webkit.org/show_bug.cgi?id=201750
166
167         Reviewed by Michael Saboff.
168
169         Optimize sequence of machine code used to get code-point with unicode flag.
170
171         * yarr/YarrJIT.cpp:
172         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
173
174 2019-09-13  Mark Lam  <mark.lam@apple.com>
175
176         We should assert $vm is enabled on entry and exit in its functions.
177         https://bugs.webkit.org/show_bug.cgi?id=201762
178         <rdar://problem/55338742>
179
180         Rubber-stamped by Michael Saboff.
181
182         1. Also do the same for FunctionOverrides.
183         2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
184         3. Also added assertions to lambda functions in $vm.
185
186         * tools/FunctionOverrides.cpp:
187         (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
188         (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
189         (JSC::FunctionOverrides::overrides):
190         (JSC::FunctionOverrides::FunctionOverrides):
191         (JSC::FunctionOverrides::reinstallOverrides):
192         (JSC::initializeOverrideInfo):
193         (JSC::FunctionOverrides::initializeOverrideFor):
194         (JSC::parseClause):
195         (JSC::FunctionOverrides::parseOverridesInFile):
196         * tools/JSDollarVM.cpp:
197         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
198         (JSC::JSDollarVMCallFrame::createStructure):
199         (JSC::JSDollarVMCallFrame::create):
200         (JSC::JSDollarVMCallFrame::finishCreation):
201         (JSC::JSDollarVMCallFrame::addProperty):
202         (JSC::Element::Element):
203         (JSC::Element::create):
204         (JSC::Element::visitChildren):
205         (JSC::Element::createStructure):
206         (JSC::Root::Root):
207         (JSC::Root::setElement):
208         (JSC::Root::create):
209         (JSC::Root::createStructure):
210         (JSC::Root::visitChildren):
211         (JSC::SimpleObject::SimpleObject):
212         (JSC::SimpleObject::create):
213         (JSC::SimpleObject::visitChildren):
214         (JSC::SimpleObject::createStructure):
215         (JSC::ImpureGetter::ImpureGetter):
216         (JSC::ImpureGetter::createStructure):
217         (JSC::ImpureGetter::create):
218         (JSC::ImpureGetter::finishCreation):
219         (JSC::ImpureGetter::getOwnPropertySlot):
220         (JSC::ImpureGetter::visitChildren):
221         (JSC::CustomGetter::CustomGetter):
222         (JSC::CustomGetter::createStructure):
223         (JSC::CustomGetter::create):
224         (JSC::CustomGetter::getOwnPropertySlot):
225         (JSC::CustomGetter::customGetter):
226         (JSC::CustomGetter::customGetterAcessor):
227         (JSC::RuntimeArray::create):
228         (JSC::RuntimeArray::destroy):
229         (JSC::RuntimeArray::getOwnPropertySlot):
230         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
231         (JSC::RuntimeArray::createPrototype):
232         (JSC::RuntimeArray::createStructure):
233         (JSC::RuntimeArray::finishCreation):
234         (JSC::RuntimeArray::RuntimeArray):
235         (JSC::RuntimeArray::lengthGetter):
236         (JSC::DOMJITNode::DOMJITNode):
237         (JSC::DOMJITNode::createStructure):
238         (JSC::DOMJITNode::checkSubClassSnippet):
239         (JSC::DOMJITNode::create):
240         (JSC::DOMJITGetter::DOMJITGetter):
241         (JSC::DOMJITGetter::createStructure):
242         (JSC::DOMJITGetter::create):
243         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
244         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
245         (JSC::DOMJITGetter::customGetter):
246         (JSC::DOMJITGetter::finishCreation):
247         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
248         (JSC::DOMJITGetterComplex::createStructure):
249         (JSC::DOMJITGetterComplex::create):
250         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
251         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
252         (JSC::DOMJITGetterComplex::functionEnableException):
253         (JSC::DOMJITGetterComplex::customGetter):
254         (JSC::DOMJITGetterComplex::finishCreation):
255         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
256         (JSC::DOMJITFunctionObject::createStructure):
257         (JSC::DOMJITFunctionObject::create):
258         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
259         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
260         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
261         (JSC::DOMJITFunctionObject::finishCreation):
262         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
263         (JSC::DOMJITCheckSubClassObject::createStructure):
264         (JSC::DOMJITCheckSubClassObject::create):
265         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
266         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
267         (JSC::DOMJITCheckSubClassObject::finishCreation):
268         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
269         (JSC::DOMJITGetterBaseJSObject::createStructure):
270         (JSC::DOMJITGetterBaseJSObject::create):
271         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
272         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
273         (JSC::DOMJITGetterBaseJSObject::customGetter):
274         (JSC::DOMJITGetterBaseJSObject::finishCreation):
275         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
276         (JSC::JSTestCustomGetterSetter::create):
277         (JSC::JSTestCustomGetterSetter::createStructure):
278         (JSC::customSetAccessor):
279         (JSC::customSetValue):
280         (JSC::JSTestCustomGetterSetter::finishCreation):
281         (JSC::Element::handleOwner):
282         (JSC::Element::finishCreation):
283         (JSC::WasmStreamingParser::WasmStreamingParser):
284         (JSC::WasmStreamingParser::create):
285         (JSC::WasmStreamingParser::createStructure):
286         (JSC::WasmStreamingParser::finishCreation):
287         (JSC::functionWasmStreamingParserAddBytes):
288         (JSC::functionWasmStreamingParserFinalize):
289         (JSC::functionCrash):
290         (JSC::functionBreakpoint):
291         (JSC::functionDFGTrue):
292         (JSC::functionFTLTrue):
293         (JSC::functionCpuMfence):
294         (JSC::functionCpuRdtsc):
295         (JSC::functionCpuCpuid):
296         (JSC::functionCpuPause):
297         (JSC::functionCpuClflush):
298         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
299         (JSC::getExecutableForFunction):
300         (JSC::functionLLintTrue):
301         (JSC::functionJITTrue):
302         (JSC::functionNoInline):
303         (JSC::functionGC):
304         (JSC::functionEdenGC):
305         (JSC::functionDumpSubspaceHashes):
306         (JSC::functionCallFrame):
307         (JSC::functionCodeBlockForFrame):
308         (JSC::codeBlockFromArg):
309         (JSC::functionCodeBlockFor):
310         (JSC::functionDumpSourceFor):
311         (JSC::functionDumpBytecodeFor):
312         (JSC::doPrint):
313         (JSC::functionDataLog):
314         (JSC::functionPrint):
315         (JSC::functionDumpCallFrame):
316         (JSC::functionDumpStack):
317         (JSC::functionDumpRegisters):
318         (JSC::functionDumpCell):
319         (JSC::functionIndexingMode):
320         (JSC::functionInlineCapacity):
321         (JSC::functionValue):
322         (JSC::functionGetPID):
323         (JSC::functionHaveABadTime):
324         (JSC::functionIsHavingABadTime):
325         (JSC::functionCreateGlobalObject):
326         (JSC::functionCreateProxy):
327         (JSC::functionCreateRuntimeArray):
328         (JSC::functionCreateNullRopeString):
329         (JSC::functionCreateImpureGetter):
330         (JSC::functionCreateCustomGetterObject):
331         (JSC::functionCreateDOMJITNodeObject):
332         (JSC::functionCreateDOMJITGetterObject):
333         (JSC::functionCreateDOMJITGetterComplexObject):
334         (JSC::functionCreateDOMJITFunctionObject):
335         (JSC::functionCreateDOMJITCheckSubClassObject):
336         (JSC::functionCreateDOMJITGetterBaseJSObject):
337         (JSC::functionCreateWasmStreamingParser):
338         (JSC::functionSetImpureGetterDelegate):
339         (JSC::functionCreateBuiltin):
340         (JSC::functionGetPrivateProperty):
341         (JSC::functionCreateRoot):
342         (JSC::functionCreateElement):
343         (JSC::functionGetElement):
344         (JSC::functionCreateSimpleObject):
345         (JSC::functionGetHiddenValue):
346         (JSC::functionSetHiddenValue):
347         (JSC::functionShadowChickenFunctionsOnStack):
348         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
349         (JSC::functionFindTypeForExpression):
350         (JSC::functionReturnTypeFor):
351         (JSC::functionFlattenDictionaryObject):
352         (JSC::functionDumpBasicBlockExecutionRanges):
353         (JSC::functionHasBasicBlockExecuted):
354         (JSC::functionBasicBlockExecutionCount):
355         (JSC::functionEnableExceptionFuzz):
356         (JSC::changeDebuggerModeWhenIdle):
357         (JSC::functionEnableDebuggerModeWhenIdle):
358         (JSC::functionDisableDebuggerModeWhenIdle):
359         (JSC::functionDeleteAllCodeWhenIdle):
360         (JSC::functionGlobalObjectCount):
361         (JSC::functionGlobalObjectForObject):
362         (JSC::functionGetGetterSetter):
363         (JSC::functionLoadGetterFromGetterSetter):
364         (JSC::functionCreateCustomTestGetterSetter):
365         (JSC::functionDeltaBetweenButterflies):
366         (JSC::functionTotalGCTime):
367         (JSC::functionParseCount):
368         (JSC::functionIsWasmSupported):
369         (JSC::JSDollarVM::finishCreation):
370         (JSC::JSDollarVM::addFunction):
371         (JSC::JSDollarVM::addConstructibleFunction):
372         * tools/JSDollarVM.h:
373         (JSC::DollarVMAssertScope::DollarVMAssertScope):
374         (JSC::DollarVMAssertScope::~DollarVMAssertScope):
375
376 2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>
377
378         Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
379         https://bugs.webkit.org/show_bug.cgi?id=201535
380         <rdar://problem/29119232>
381
382         Reviewed by Devin Rousso.
383
384         * debugger/Debugger.cpp:
385         (JSC::Debugger::resolveBreakpoint):
386         When resolving a breakpoint inside of an inline <script> we need to adjust
387         based on the starting position of the <script> in the HTML resource.
388
389 2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>
390
391         [JSC] X86Registers.h callee-save register definition is wrong
392         https://bugs.webkit.org/show_bug.cgi?id=201756
393
394         Reviewed by Mark Lam.
395
396         I think nobody is using the X86 JIT backend, but the definition is simply wrong:
397         edi and esi should be callee-save.
398
399         * assembler/X86Registers.h:
400
401 2019-09-12  Mark Lam  <mark.lam@apple.com>
402
403         Harden JSC against the abuse of runtime options.
404         https://bugs.webkit.org/show_bug.cgi?id=201597
405         <rdar://problem/55167068>
406
407         Reviewed by Filip Pizlo.
408
409         Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.
410
411         1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
412            first VM instance is constructed.  The end of the VM constructor calls
413            Config::permanentlyFreeze() which will make the Config ReadOnly.
414
415            Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
416            OS(WINDOWS) will need to implement some missing pieces before it can enable
417            this hardening (see FIXME in JSCConfig.cpp); until then, the Config remains writable there.
418
419            The hardening strategy here is to put immutable global values into the Config.
420            Any modifications that need to be made to these values must be done before the
421            first VM instance finishes instantiating.  This ensures that no script will
422            ever run while the Config is still writable (on platforms where freezing is supported).
423
424            Also, the policy for this hardening is that a process is opted in by default.
425            If there's a valid need to disable this hardening (e.g. for some test
426            environments), the relevant process will need to opt itself out by calling
427            Config::configureForTesting().
428
429            The jsc shell, WK2 UI and WebContent processes are opted in by default.
430            Only test processes may opt out.
431
432         2. Put all JSC::Options in the Config.  This enforces the invariant that options
433            can only be changed before we instantiate a VM.  Once a VM is instantiated,
434            the options are immutable.
435
436         3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
437            Options::forceGCSlowPaths this way is no longer allowed.
438
439         4. Re-factored the Options code (Options.h) into:
440            - OptionEntry.h: the data structure that stores the option values.
441            - OptionsList.h: the list of options.
442            - Options.h: the Options singleton object which is the interface for accessing options.
443
444            Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
445            "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
446            "JSC_OPTIONS(FOR_EACH_OPTION)".
447
448         5. Change testapi to call Config::configureForTesting().  Parts of testapi make
449            use of setting options in their tests.  Hence, this hardening is disabled for
450            testapi.
451
452            Note: the jsc shell does enable this hardening.
453
454         6. Put ExecutableAllocator's immutable globals in the Config.
455
456         7. RELEASE_ASSERT that restrictedOptionsEnabled is true before the
457            FunctionOverrides test utility can be used.
458
459         8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.
460
461            We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
462            that are non-trivial at a glance.  This includes (but is not limited to):
463                constructors
464                create() factory
465                createStructure() factory
466                finishCreation()
467                HOST_CALL or operation functions
468                Constructors and methods of utility and test classes
469
470            The only exceptions are some constexpr constructors used for instantiating
471            globals (since these must have trivial constructors), e.g. DOMJITAttribute.
472            Such constructors should instead always be ALWAYS_INLINE.
473
474         * API/glib/JSCOptions.cpp:
475         (jscOptionsSetValue):
476         (jscOptionsGetValue):
477         (jsc_options_foreach):
478         (jsc_options_get_option_group):
479         * API/tests/testapi.c:
480         (main):
481         * API/tests/testapi.cpp:
482         (configureJSCForTesting):
483         * CMakeLists.txt:
484         * JavaScriptCore.xcodeproj/project.pbxproj:
485         * Sources.txt:
486         * jit/ExecutableAllocator.cpp:
487         (JSC::isJITEnabled):
488         (JSC::ExecutableAllocator::setJITEnabled):
489         (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
490         (JSC::ExecutableAllocator::isValid const):
491         (JSC::ExecutableAllocator::underMemoryPressure):
492         (JSC::ExecutableAllocator::memoryPressureMultiplier):
493         (JSC::ExecutableAllocator::allocate):
494         (JSC::ExecutableAllocator::isValidExecutableMemory):
495         (JSC::ExecutableAllocator::getLock const):
496         (JSC::ExecutableAllocator::committedByteCount):
497         (JSC::ExecutableAllocator::dumpProfile):
498         (JSC::startOfFixedExecutableMemoryPoolImpl):
499         (JSC::endOfFixedExecutableMemoryPoolImpl):
500         (JSC::isJITPC):
501         (JSC::dumpJITMemory):
502         (JSC::ExecutableAllocator::initialize):
503         (JSC::ExecutableAllocator::singleton):
504         * jit/ExecutableAllocator.h:
505         (JSC::performJITMemcpy):
506         * jsc.cpp:
507         (GlobalObject::finishCreation):
508         (functionJSCOptions):
509         (jscmain):
510         (functionForceGCSlowPaths): Deleted.
511         * runtime/ConfigFile.cpp:
512         (JSC::ConfigFile::parse):
513         * runtime/InitializeThreading.cpp:
514         (JSC::initializeThreading):
515         * runtime/JSCConfig.cpp: Added.
516         (JSC::Config::disableFreezingForTesting):
517         (JSC::Config::enableRestrictedOptions):
518         (JSC::Config::permanentlyFreeze):
519         * runtime/JSCConfig.h: Added.
520         (JSC::Config::configureForTesting):
521         * runtime/JSGlobalObject.cpp:
522         (JSC::JSGlobalObject::exposeDollarVM):
523         * runtime/OptionEntry.h: Added.
524         (JSC::OptionRange::operator= ):
525         (JSC::OptionRange::rangeString const):
526         * runtime/Options.cpp:
527         (JSC::Options::isAvailable):
528         (JSC::scaleJITPolicy):
529         (JSC::Options::initialize):
530         (JSC::Options::setOptions):
531         (JSC::Options::setOptionWithoutAlias):
532         (JSC::Options::setAliasedOption):
533         (JSC::Option::dump const):
534         (JSC::Option::operator== const):
535         (): Deleted.
536         (JSC::Options::enableRestrictedOptions): Deleted.
537         * runtime/Options.h:
538         (JSC::Option::Option):
539         (JSC::Option::defaultOption const):
540         (JSC::Option::boolVal):
541         (JSC::Option::unsignedVal):
542         (JSC::Option::doubleVal):
543         (JSC::Option::int32Val):
544         (JSC::Option::optionRangeVal):
545         (JSC::Option::optionStringVal):
546         (JSC::Option::gcLogLevelVal):
547         (JSC::OptionRange::operator= ): Deleted.
548         (JSC::OptionRange::rangeString const): Deleted.
549         * runtime/OptionsList.h: Added.
550         (JSC::countNumberOfJSCOptions):
551         * runtime/VM.cpp:
552         (JSC::VM::VM):
553         * tools/FunctionOverrides.cpp:
554         (JSC::FunctionOverrides::FunctionOverrides):
555         (JSC::FunctionOverrides::reinstallOverrides):
556         (JSC::FunctionOverrides::initializeOverrideFor):
557         (JSC::FunctionOverrides::parseOverridesInFile):
558         * tools/JSDollarVM.cpp:
559         (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
560         (JSC::JSDollarVMCallFrame::createStructure):
561         (JSC::JSDollarVMCallFrame::create):
562         (JSC::JSDollarVMCallFrame::finishCreation):
563         (JSC::JSDollarVMCallFrame::addProperty):
564         (JSC::Element::Element):
565         (JSC::Element::create):
566         (JSC::Element::createStructure):
567         (JSC::Root::Root):
568         (JSC::Root::create):
569         (JSC::Root::createStructure):
570         (JSC::SimpleObject::SimpleObject):
571         (JSC::SimpleObject::create):
572         (JSC::SimpleObject::createStructure):
573         (JSC::ImpureGetter::ImpureGetter):
574         (JSC::ImpureGetter::createStructure):
575         (JSC::ImpureGetter::create):
576         (JSC::ImpureGetter::finishCreation):
577         (JSC::ImpureGetter::getOwnPropertySlot):
578         (JSC::CustomGetter::CustomGetter):
579         (JSC::CustomGetter::createStructure):
580         (JSC::CustomGetter::create):
581         (JSC::CustomGetter::getOwnPropertySlot):
582         (JSC::CustomGetter::customGetter):
583         (JSC::CustomGetter::customGetterAcessor):
584         (JSC::RuntimeArray::create):
585         (JSC::RuntimeArray::destroy):
586         (JSC::RuntimeArray::getOwnPropertySlot):
587         (JSC::RuntimeArray::getOwnPropertySlotByIndex):
588         (JSC::RuntimeArray::createPrototype):
589         (JSC::RuntimeArray::createStructure):
590         (JSC::RuntimeArray::finishCreation):
591         (JSC::RuntimeArray::RuntimeArray):
592         (JSC::RuntimeArray::lengthGetter):
593         (JSC::DOMJITNode::DOMJITNode):
594         (JSC::DOMJITNode::createStructure):
595         (JSC::DOMJITNode::checkSubClassSnippet):
596         (JSC::DOMJITNode::create):
597         (JSC::DOMJITGetter::DOMJITGetter):
598         (JSC::DOMJITGetter::createStructure):
599         (JSC::DOMJITGetter::create):
600         (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
601         (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
602         (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
603         (JSC::DOMJITGetter::customGetter):
604         (JSC::DOMJITGetter::finishCreation):
605         (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
606         (JSC::DOMJITGetterComplex::createStructure):
607         (JSC::DOMJITGetterComplex::create):
608         (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
609         (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
610         (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
611         (JSC::DOMJITGetterComplex::functionEnableException):
612         (JSC::DOMJITGetterComplex::customGetter):
613         (JSC::DOMJITGetterComplex::finishCreation):
614         (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
615         (JSC::DOMJITFunctionObject::createStructure):
616         (JSC::DOMJITFunctionObject::create):
617         (JSC::DOMJITFunctionObject::functionWithTypeCheck):
618         (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
619         (JSC::DOMJITFunctionObject::checkSubClassSnippet):
620         (JSC::DOMJITFunctionObject::finishCreation):
621         (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
622         (JSC::DOMJITCheckSubClassObject::createStructure):
623         (JSC::DOMJITCheckSubClassObject::create):
624         (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
625         (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
626         (JSC::DOMJITCheckSubClassObject::finishCreation):
627         (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
628         (JSC::DOMJITGetterBaseJSObject::createStructure):
629         (JSC::DOMJITGetterBaseJSObject::create):
630         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
631         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
632         (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
633         (JSC::DOMJITGetterBaseJSObject::customGetter):
634         (JSC::DOMJITGetterBaseJSObject::finishCreation):
635         (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
636         (JSC::JSTestCustomGetterSetter::create):
637         (JSC::JSTestCustomGetterSetter::createStructure):
638         (JSC::customSetAccessor):
639         (JSC::customSetValue):
640         (JSC::JSTestCustomGetterSetter::finishCreation):
641         (JSC::Element::handleOwner):
642         (JSC::Element::finishCreation):
643         (JSC::WasmStreamingParser::WasmStreamingParser):
644         (JSC::WasmStreamingParser::create):
645         (JSC::WasmStreamingParser::createStructure):
646         (JSC::WasmStreamingParser::finishCreation):
647         (JSC::functionWasmStreamingParserAddBytes):
648         (JSC::functionWasmStreamingParserFinalize):
649         (JSC::functionCrash):
650         (JSC::functionBreakpoint):
651         (JSC::functionDFGTrue):
652         (JSC::functionFTLTrue):
653         (JSC::functionCpuMfence):
654         (JSC::functionCpuRdtsc):
655         (JSC::functionCpuCpuid):
656         (JSC::functionCpuPause):
657         (JSC::functionCpuClflush):
658         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
659         (JSC::getExecutableForFunction):
660         (JSC::functionLLintTrue):
661         (JSC::functionJITTrue):
662         (JSC::functionNoInline):
663         (JSC::functionGC):
664         (JSC::functionEdenGC):
665         (JSC::functionDumpSubspaceHashes):
666         (JSC::functionCallFrame):
667         (JSC::functionCodeBlockForFrame):
668         (JSC::codeBlockFromArg):
669         (JSC::functionCodeBlockFor):
670         (JSC::functionDumpSourceFor):
671         (JSC::functionDumpBytecodeFor):
672         (JSC::doPrint):
673         (JSC::functionDataLog):
674         (JSC::functionPrint):
675         (JSC::functionDumpCallFrame):
676         (JSC::functionDumpStack):
677         (JSC::functionDumpRegisters):
678         (JSC::functionDumpCell):
679         (JSC::functionIndexingMode):
680         (JSC::functionInlineCapacity):
681         (JSC::functionValue):
682         (JSC::functionGetPID):
683         (JSC::functionHaveABadTime):
684         (JSC::functionIsHavingABadTime):
685         (JSC::functionCreateGlobalObject):
686         (JSC::functionCreateProxy):
687         (JSC::functionCreateRuntimeArray):
688         (JSC::functionCreateNullRopeString):
689         (JSC::functionCreateImpureGetter):
690         (JSC::functionCreateCustomGetterObject):
691         (JSC::functionCreateDOMJITNodeObject):
692         (JSC::functionCreateDOMJITGetterObject):
693         (JSC::functionCreateDOMJITGetterComplexObject):
694         (JSC::functionCreateDOMJITFunctionObject):
695         (JSC::functionCreateDOMJITCheckSubClassObject):
696         (JSC::functionCreateDOMJITGetterBaseJSObject):
697         (JSC::functionCreateWasmStreamingParser):
698         (JSC::functionSetImpureGetterDelegate):
699         (JSC::functionCreateBuiltin):
700         (JSC::functionGetPrivateProperty):
701         (JSC::functionCreateRoot):
702         (JSC::functionCreateElement):
703         (JSC::functionGetElement):
704         (JSC::functionCreateSimpleObject):
705         (JSC::functionGetHiddenValue):
706         (JSC::functionSetHiddenValue):
707         (JSC::functionShadowChickenFunctionsOnStack):
708         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
709         (JSC::functionFindTypeForExpression):
710         (JSC::functionReturnTypeFor):
711         (JSC::functionFlattenDictionaryObject):
712         (JSC::functionDumpBasicBlockExecutionRanges):
713         (JSC::functionHasBasicBlockExecuted):
714         (JSC::functionBasicBlockExecutionCount):
715         (JSC::functionEnableExceptionFuzz):
716         (JSC::changeDebuggerModeWhenIdle):
717         (JSC::functionEnableDebuggerModeWhenIdle):
718         (JSC::functionDisableDebuggerModeWhenIdle):
719         (JSC::functionDeleteAllCodeWhenIdle):
720         (JSC::functionGlobalObjectCount):
721         (JSC::functionGlobalObjectForObject):
722         (JSC::functionGetGetterSetter):
723         (JSC::functionLoadGetterFromGetterSetter):
724         (JSC::functionCreateCustomTestGetterSetter):
725         (JSC::functionDeltaBetweenButterflies):
726         (JSC::functionTotalGCTime):
727         (JSC::functionParseCount):
728         (JSC::functionIsWasmSupported):
729         (JSC::JSDollarVM::finishCreation):
730         (JSC::JSDollarVM::addFunction):
731         (JSC::JSDollarVM::addConstructibleFunction):
732         * tools/JSDollarVM.h:
733
734 2019-09-11  Devin Rousso  <drousso@apple.com>
735
736         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
737         https://bugs.webkit.org/show_bug.cgi?id=201650
738
739         Reviewed by Joseph Pecoraro.
740
741         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
742
743         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
744         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
745         `-webkit-canvas` client of a `WebGPUDevice`.
746
747         * inspector/protocol/Canvas.json:
748          - Add `powerPreference` key to `ContextAttributes` type.
749          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
750          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
751          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
752            really a "canvas".
753
754 2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>
755
756         [JSC] Add StringCodePointAt intrinsic
757         https://bugs.webkit.org/show_bug.cgi?id=201673
758
759         Reviewed by Michael Saboff.
760
761         JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL, as we already do for String#charCodeAt.
762         This patch adds this support for String#codePointAt to get a ~10% score improvement in JetStream2/UniPoker.
763
764         In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as a StringCodePointAt node, and emit
765         inlined code in DFG and FTL. The characteristics of the StringCodePointAt node are basically the same as StringCharAt. It has String array-mode, so it emits a
766         preceding CheckArray. This ensures that (1) the StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
767         check. This is the same as the existing StringCharCodeAt mechanism.
768
769         * dfg/DFGAbstractInterpreterInlines.h:
770         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
771         * dfg/DFGBackwardsPropagationPhase.cpp:
772         (JSC::DFG::BackwardsPropagationPhase::propagate):
773         * dfg/DFGByteCodeParser.cpp:
774         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
775         * dfg/DFGClobberize.h:
776         (JSC::DFG::clobberize):
777         * dfg/DFGDoesGC.cpp:
778         (JSC::DFG::doesGC):
779         * dfg/DFGFixupPhase.cpp:
780         (JSC::DFG::FixupPhase::fixupNode):
781         * dfg/DFGNode.h:
782         (JSC::DFG::Node::hasArrayMode):
783         * dfg/DFGNodeType.h:
784         * dfg/DFGPredictionPropagationPhase.cpp:
785         * dfg/DFGSafeToExecute.h:
786         (JSC::DFG::safeToExecute):
787         * dfg/DFGSpeculativeJIT.h:
788         * dfg/DFGSpeculativeJIT32_64.cpp:
789         (JSC::DFG::SpeculativeJIT::compile):
790         * dfg/DFGSpeculativeJIT64.cpp:
791         (JSC::DFG::SpeculativeJIT::compile):
792         (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
793         * ftl/FTLCapabilities.cpp:
794         (JSC::FTL::canCompile):
795         * ftl/FTLLowerDFGToB3.cpp:
796         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
797         (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
798         * jit/JITInlines.h:
799         (JSC::JIT::emitLoadCharacterString):
800         * jit/ThunkGenerators.cpp:
801         (JSC::stringGetByValGenerator):
802         (JSC::stringCharLoad):
803         (JSC::stringPrototypeCodePointAtThunkGenerator):
804         * jit/ThunkGenerators.h:
805         * runtime/Intrinsic.cpp:
806         (JSC::intrinsicName):
807         * runtime/Intrinsic.h:
808         * runtime/StringPrototype.cpp:
809         (JSC::StringPrototype::finishCreation):
810         * runtime/VM.cpp:
811         (JSC::thunkGeneratorForIntrinsic):
812
813 2019-09-11  Michael Saboff  <msaboff@apple.com>
814
815         JSC crashes due to stack overflow while building RegExp
816         https://bugs.webkit.org/show_bug.cgi?id=201649
817
818         Reviewed by Yusuke Suzuki.
819
820         Check for running out of stack when we are optimizing RegExp containing BOL terms or
821         other deep copying of disjunctions.
822
823         * yarr/YarrPattern.cpp:
824         (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
825         (JSC::Yarr::YarrPatternConstructor::copyTerm):
826         (JSC::Yarr::YarrPatternConstructor::error):
827         (JSC::Yarr::YarrPattern::compile):
828
829 2019-09-11  Truitt Savell  <tsavell@apple.com>
830
831         Unreviewed, rolling out r249753.
832
833         caused inspector/canvas/shaderProgram-add-remove-webgl.html to
834         crash on all Mac platforms.
835
836         Reverted changeset:
837
838         "Web Inspector: Canvas: instrument WebGPUDevice instead of
839         GPUCanvasContext"
840         https://bugs.webkit.org/show_bug.cgi?id=201650
841         https://trac.webkit.org/changeset/249753
842
843 2019-09-10  Devin Rousso  <drousso@apple.com>
844
845         Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
846         https://bugs.webkit.org/show_bug.cgi?id=201650
847
848         Reviewed by Joseph Pecoraro.
849
850         Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.
851
852         A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
853         required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
854         `-webkit-canvas` client of a `WebGPUDevice`.
855
856         * inspector/protocol/Canvas.json:
857          - Add `powerPreference` key to `ContextAttributes` type.
858          - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
859          - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
860          - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
861            really a "canvas".
862
863 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
864
865         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
866         https://bugs.webkit.org/show_bug.cgi?id=201634
867
868         Reviewed by Mark Lam and Robin Morisset.
869
870         This patch includes two things. One is fixing 32bit bitwise operations with allOne constants. The other is fixing an existing bug in BitAnd strength reduction.
871
872         1. 32bit bitwise operation with allOne constants
873
874             Unexpectedly, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
875             For example, in BitAnd strength reduction,
876
877                 1034             // Turn this: BitAnd(value, all-ones)
878                 1035             // Into this: value.
879                 1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
880                 1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
881                 1038                 replaceWithIdentity(m_value->child(0));
882                 1039                 break;
883                 1040             }
884
885             We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
886
887                 262 inline bool Value::isInt(int64_t value) const
888                 263 {
889                 264     return hasInt() && asInt() == value;
890                 265 }
891
892             So, UINT32_MAX is widened to int64_t, but the result is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
893
894                 257 inline int64_t Value::asInt() const
895                 258 {
896                 259     return hasInt32() ? asInt32() : asInt64();
897                 260 }
898
899             So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
900             We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
901
902         2. BitAnd and BitOr strength reduction bug
903
904             We also fix the following optimization.
905
906                 // Turn this: BitAnd(Op(value, constant1), constant2)
907                 //     where !(constant1 & constant2)
908                 //       and Op is BitOr or BitXor
909                 // into this: BitAnd(value, constant2)
910
911             Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
912
913                 // Turn this: BitAnd(BitXor(x, allOnes), c)
914                 // Into this: BitXor(BitOr(x, ~c), allOnes)
915
916             We also found that this unused optimization has a bug: it does not insert the newly produced constant B3::Value. This patch also fixes it.
917
918         For both, this patch adds tests. The fix for (2) is verified by testb3 not crashing with the validate-graph option.
919
920         * b3/B3LowerToAir.cpp:
921         * b3/B3ReduceStrength.cpp:
922         * b3/testb3.h:
923         * b3/testb3_2.cpp:
924         (testBitAndNotNot32):
925         (testBitAndNotImm):
926         (testBitAndNotImm32):
927         (testBitOrAndAndArgs32):
928         (testBitOrAndSameArgs32):
929         (testBitOrNotNot32):
930         (testBitOrNotImm32):
931         (addBitTests):
932         * b3/testb3_3.cpp:
933         (testBitXorAndAndArgs32):
934         (testBitXorAndSameArgs32):
935
936 2019-09-10  Commit Queue  <commit-queue@webkit.org>
937
938         Unreviewed, rolling out r249721.
939         https://bugs.webkit.org/show_bug.cgi?id=201667
940
941         Discovering existing bug (Requested by yusukesuzuki on
942         #webkit).
943
944         Reverted changeset:
945
946         "[JSC] 32bit bitwide operation with all-one (-1) is wrong in
947         B3"
948         https://bugs.webkit.org/show_bug.cgi?id=201634
949         https://trac.webkit.org/changeset/249721
950
951 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
952
953         [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
954         https://bugs.webkit.org/show_bug.cgi?id=201664
955         <rdar://problem/52126927>
956
957         Reviewed by Tadeu Zagallo.
958
959         We are hitting a crash accessing an invalid pointer returned by CodeBlock::calleeSaveRegisters.
960         This is because the concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
961         Since m_jitData can be initialized on the main thread while CodeBlock::calleeSaveRegisters is being called from the concurrent Baseline JIT compiler thread,
962         we can see a half-baked JITData structure which holds garbage pointers.
963
964         But we do not want CodeBlock::calleeSaveRegisters() to take CodeBlock::m_lock, for several reasons.
965
966         1. This function is a very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
967            called while holding this exact same lock, so a deadlock can happen.
968         2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlocks, and DFG and FTL code accesses this field only after initializing it properly. For the Baseline JIT
969            compiler case, the only thing we need is for JITData to report m_calleeSaveRegisters as nullptr, since it won't be filled for this CodeBlock.
970
971         Instead of guarding the CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts a WTF::storeStoreFence when filling m_jitData. This ensures that
972         JITData::m_calleeSaveRegisters is already initialized to nullptr when this JITData pointer is exposed to the concurrent Baseline JIT compiler thread.
973
974         * bytecode/CodeBlock.cpp:
975         (JSC::CodeBlock::ensureJITDataSlow):
976
977 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
978
979         [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
980         https://bugs.webkit.org/show_bug.cgi?id=198253
981
982         Reviewed by Mark Lam.
983
984         The ResultType of a bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like an int32.
985         When it is specified, TypeMaybeNumber must exist too. This issue causes op_div in JetStream2/async-fs to be compiled on the slow path. Eventually, the DFG first mis-compiles
986         it as an Int32 ArithDiv even though that div always produces a double, and an unnecessary OSR exit happens.
987
988         In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
989
990         * parser/ResultType.h:
991         (JSC::ResultType::bigIntOrInt32Type):
992
993 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
994
995         [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
996         https://bugs.webkit.org/show_bug.cgi?id=201634
997
998         Reviewed by Mark Lam.
999
1000         Unexpectedly, when the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
1001         For example, in BitAnd strength reduction,
1002
1003             1034             // Turn this: BitAnd(value, all-ones)
1004             1035             // Into this: value.
1005             1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
1006             1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
1007             1038                 replaceWithIdentity(m_value->child(0));
1008             1039                 break;
1009             1040             }
1010
1011         We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,
1012
1013             262 inline bool Value::isInt(int64_t value) const
1014             263 {
1015             264     return hasInt() && asInt() == value;
1016             265 }
1017
1018         So, UINT32_MAX is widened to int64_t, but the result is not -1 since UINT32_MAX is representable in int64_t. And the Value::asInt implementation is,
1019
1020             257 inline int64_t Value::asInt() const
1021             258 {
1022             259     return hasInt32() ? asInt32() : asInt64();
1023             260 }
1024
1025         So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
1026         We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).
1027
1028         We also fix the following optimization.
1029
1030             // Turn this: BitAnd(Op(value, constant1), constant2)
1031             //     where !(constant1 & constant2)
1032             //       and Op is BitOr or BitXor
1033             // into this: BitAnd(value, constant2)
1034
1035         Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.
1036
1037             // Turn this: BitAnd(BitXor(x, allOnes), c)
1038             // Into this: BitXor(BitOr(x, ~c), allOnes)
1039
1040         We add 32bit version of B3 tests for these optimizations.
1041
1042         * b3/B3LowerToAir.cpp:
1043         * b3/B3ReduceStrength.cpp:
1044         * b3/testb3.h:
1045         * b3/testb3_2.cpp:
1046         (testBitAndNotNot32):
1047         (testBitAndNotImm):
1048         (testBitAndNotImm32):
1049         (testBitOrAndAndArgs32):
1050         (testBitOrAndSameArgs32):
1051         (testBitOrNotNot32):
1052         (testBitOrNotImm32):
1053         (addBitTests):
1054         * b3/testb3_3.cpp:
1055         (testBitXorAndAndArgs32):
1056         (testBitXorAndSameArgs32):
1057
1058 2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
1059
1060         [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
1061         https://bugs.webkit.org/show_bug.cgi?id=189043
1062
1063         Reviewed by Keith Miller.
1064
1065         This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan
1066         and removes Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
1067         using Wasm::StreamingParser.
1068
1069         Currently, we are not using the streaming feature of StreamingParser. In a subsequent patch, we will
1070         create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
1071         and instantiateStreaming.
1072
1073         * JavaScriptCore.xcodeproj/project.pbxproj:
1074         * Sources.txt:
1075         * tools/JSDollarVM.cpp:
1076         (JSC::WasmStreamingParser::WasmStreamingParser):
1077         * wasm/WasmAirIRGenerator.cpp:
1078         (JSC::Wasm::parseAndCompileAir):
1079         * wasm/WasmAirIRGenerator.h:
1080         * wasm/WasmB3IRGenerator.cpp:
1081         (JSC::Wasm::parseAndCompile): Use FunctionData, which is better since it is more strongly typed.
1082         * wasm/WasmB3IRGenerator.h:
1083         * wasm/WasmBBQPlan.cpp:
1084         (JSC::Wasm::BBQPlan::BBQPlan):
1085         (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
1086         (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
1087         (JSC::Wasm::BBQPlan::compileFunctions):
1088         (JSC::Wasm::BBQPlan::complete):
1089         * wasm/WasmBBQPlan.h:
1090         * wasm/WasmModuleParser.cpp: Removed.
1091         * wasm/WasmModuleParser.h: Removed.
1092         * wasm/WasmOMGForOSREntryPlan.cpp:
1093         (JSC::Wasm::OMGForOSREntryPlan::work):
1094         * wasm/WasmOMGPlan.cpp:
1095         (JSC::Wasm::OMGPlan::work):
1096         * wasm/WasmPlan.cpp:
1097         (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
1098         * wasm/WasmSectionParser.cpp:
1099         (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
1100         * wasm/WasmStreamingParser.cpp:
1101         (JSC::Wasm::StreamingParser::StreamingParser):
1102         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
1103         (JSC::Wasm::StreamingParser::parseFunctionPayload):
1104         (JSC::Wasm::StreamingParser::parseSectionPayload):
1105         (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
1106         * wasm/WasmStreamingParser.h:
1107         (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
1108         (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
1109         (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
1110         which has 3 callbacks right now. StreamingParser is given this client and calls these callbacks
1111         at the appropriate times.
1112         * wasm/WasmValidate.cpp:
1113         (JSC::Wasm::validateFunction):
1114         * wasm/WasmValidate.h: Use FunctionData, which is better since it is more strongly typed.
1115
1116 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
1117
1118         [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
1119         https://bugs.webkit.org/show_bug.cgi?id=201622
1120
1121         Reviewed by Mark Lam.
1122
1123         CodeBlock::visitChildren takes the ConcurrentJSLock while iterating m_constantRegisters, but some places reallocate
1124         this Vector without taking the lock. If the Vector's memory is reallocated while the concurrent collector is iterating it,
1125         the concurrent collector can see garbage. This patch guards m_constantRegisters reallocation with the ConcurrentJSLock.
1126
1127         * bytecode/CodeBlock.cpp:
1128         (JSC::CodeBlock::finishCreation):
1129         (JSC::CodeBlock::setConstantRegisters):
1130         * bytecode/CodeBlock.h:
1131         (JSC::CodeBlock::addConstant):
1132         (JSC::CodeBlock::addConstantLazily):
1133         * dfg/DFGDesiredWatchpoints.cpp:
1134         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
1135         (JSC::DFG::SymbolTableAdaptor::add):
1136         (JSC::DFG::FunctionExecutableAdaptor::add):
1137         * dfg/DFGGraph.cpp:
1138         (JSC::DFG::Graph::registerFrozenValues):
1139         * dfg/DFGJITFinalizer.cpp:
1140         (JSC::DFG::JITFinalizer::finalizeCommon):
1141         * dfg/DFGLazyJSValue.cpp:
1142         (JSC::DFG::LazyJSValue::emit const):
1143
1144 2019-09-09  Robin Morisset  <rmorisset@apple.com>
1145
1146         [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
1147         https://bugs.webkit.org/show_bug.cgi?id=197305
1148
1149         Reviewed by Keith Miller.
1150
1151         Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
1152         Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).
1153
1154         This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
1155         Apart from that, the patch includes some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (which, for example, was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).
1156
1157         The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
1158         So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.
1159
1160         No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.
1161
1162         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1163
1164 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
1165
1166         [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
1167         https://bugs.webkit.org/show_bug.cgi?id=201613
1168
1169         Reviewed by Mark Lam.
1170
1171         We do not need to maintain the propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
1172         since we have the MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
1173         issue that `op_create_promise` was missing its propertyAccessInstructions registration (the name "propertyAccessInstructions" is
1174         misleading; it means something like "instructions-requires-llint-finalize").
1175
1176         * bytecode/CodeBlock.cpp:
1177         (JSC::CodeBlock::propagateTransitions):
1178         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1179         * bytecode/UnlinkedCodeBlock.cpp:
1180         (JSC::UnlinkedCodeBlock::applyModification):
1181         (JSC::UnlinkedCodeBlock::shrinkToFit):
1182         * bytecode/UnlinkedCodeBlock.h:
1183         (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
1184         (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
1185         (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
1186         * bytecompiler/BytecodeGenerator.cpp:
1187         (JSC::BytecodeGenerator::emitResolveScope):
1188         (JSC::BytecodeGenerator::emitGetFromScope):
1189         (JSC::BytecodeGenerator::emitPutToScope):
1190         (JSC::BytecodeGenerator::emitGetById):
1191         (JSC::BytecodeGenerator::emitDirectGetById):
1192         (JSC::BytecodeGenerator::emitPutById):
1193         (JSC::BytecodeGenerator::emitDirectPutById):
1194         (JSC::BytecodeGenerator::emitCreateThis):
1195         (JSC::BytecodeGenerator::emitToThis):
1196         * runtime/CachedTypes.cpp:
1197         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1198         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1199
1200 2019-09-07  Keith Miller  <keith_miller@apple.com>
1201
1202         OSR entry into wasm misses some contexts
1203         https://bugs.webkit.org/show_bug.cgi?id=201569
1204
1205         Reviewed by Yusuke Suzuki.
1206
1207         This patch fixes an issue where we could fail to capture some of
1208         our contexts when OSR entering into wasm code. Before we would
1209         only capture the state of the block immediately surrounding the
1210         entrance loop block header. We actually need to capture all
1211         enclosed stacks.
1212
1213         Additionally, we don't need to use variables for all the captured
1214         values. We can use a Phi and insert an upsilon just below the
1215         captured value.
1216
1217         * interpreter/CallFrame.h:
1218         * jsc.cpp:
1219         (GlobalObject::finishCreation):
1220         (functionCallerIsOMGCompiled):
1221         * wasm/WasmAirIRGenerator.cpp:
1222         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
1223         (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
1224         (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
1225         (JSC::Wasm::AirIRGenerator::addLoop):
1226         * wasm/WasmB3IRGenerator.cpp:
1227         (JSC::Wasm::B3IRGenerator::createStack):
1228         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1229         (JSC::Wasm::B3IRGenerator::addConstant):
1230         (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
1231         (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
1232         (JSC::Wasm::B3IRGenerator::addLoop):
1233         (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
1234         (JSC::Wasm::dumpExpressionStack):
1235         (JSC::Wasm::B3IRGenerator::dump):
1236         (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
1237         (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
1238         (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
1239         (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
1240         (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
1241         (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
1242         (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
1243         (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
1244         (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
1245         (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
1246         (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
1247         (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
1248         * wasm/WasmFunctionParser.h:
1249         (JSC::Wasm::FunctionParser::controlStack):
1250
1251 2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>
1252
1253         [JSC] Promise resolve/reject functions should be created more efficiently
1254         https://bugs.webkit.org/show_bug.cgi?id=201488
1255
1256         Reviewed by Mark Lam.
1257
1258         While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it forces FunctionRareData allocations.
1259         Unfortunately, anonymous builtin functions can be created frequently since this type of function is used
1260         for the `resolve` and `reject` arguments of a Promise's executor (e.g. the resolve and reject of `new Promise((resolve, reject) => ...)`).
1261         Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.
1262
1263         In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
1264         to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
1265         anonymous-builtin-function creation faster.
1266
1267         We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
1268         The simple microbenchmark shows 1.7x improvement.
1269
1270                                               ToT                     Patched
1271
1272             promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster
1273
1274         * dfg/DFGSpeculativeJIT.cpp:
1275         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1276         * ftl/FTLLowerDFGToB3.cpp:
1277         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1278         * runtime/FunctionRareData.cpp:
1279         (JSC::FunctionRareData::create):
1280         (JSC::FunctionRareData::FunctionRareData):
1281         * runtime/FunctionRareData.h:
1282         * runtime/JSFunction.cpp:
1283         (JSC::JSFunction::finishCreation):
1284         (JSC::JSFunction::allocateRareData):
1285         (JSC::JSFunction::allocateAndInitializeRareData):
1286         * runtime/JSFunctionInlines.h:
1287         (JSC::JSFunction::hasReifiedName const):
1288
1289 2019-09-07  Mark Lam  <mark.lam@apple.com>
1290
1291         performJITMemcpy() source buffer should not be in the Gigacage.
1292         https://bugs.webkit.org/show_bug.cgi?id=201577
1293         <rdar://problem/55142606>
1294
1295         Reviewed by Michael Saboff.
1296
1297         Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
1298         buffer is not in the Gigacage.
1299
1300         * jit/ExecutableAllocator.h:
1301         (JSC::performJITMemcpy):
1302
1303 2019-09-07  Mark Lam  <mark.lam@apple.com>
1304
1305         The jsc shell should allow disabling of the Gigacage for testing purposes.
1306         https://bugs.webkit.org/show_bug.cgi?id=201579
1307
1308         Reviewed by Michael Saboff.
1309
1310         Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
1311         this env var is present and it has a falsy value, then do not
1312         forbidDisablingPrimitiveGigacage() in the jsc shell.
1313
1314         * jsc.cpp:
1315         (jscmain):
1316
1317 2019-09-06  Mark Lam  <mark.lam@apple.com>
1318
1319         Harden protection of the Gigacage Config parameters.
1320         https://bugs.webkit.org/show_bug.cgi?id=201570
1321         <rdar://problem/55134229>
1322
1323         Reviewed by Saam Barati.
1324
1325         Just renaming some function names here.
1326
1327         * assembler/testmasm.cpp:
1328         (JSC::testCagePreservesPACFailureBit):
1329         * jit/AssemblyHelpers.h:
1330         (JSC::AssemblyHelpers::cageConditionally):
1331         * jsc.cpp:
1332         (jscmain):
1333
1334 2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>
1335
1336         Math.round() produces wrong result for value prior to 0.5
1337         https://bugs.webkit.org/show_bug.cgi?id=185115
1338
1339         Reviewed by Saam Barati.
1340
1341         Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
1342         This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.
1343
1344         Specifically:
1345           - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
1346             so taking the difference between `ceil(value)` and `value` is problematic.
1347           - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
1348             (by falling back to jsRound). This patch gives baseline a legitimate implementation too.
1349
1350         * dfg/DFGSpeculativeJIT.cpp:
1351         (JSC::DFG::SpeculativeJIT::compileArithRounding):
1352         * ftl/FTLLowerDFGToB3.cpp:
1353         (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
1354         * jit/ThunkGenerators.cpp:
1355         (JSC::roundThunkGenerator):
1356         * runtime/MathCommon.cpp:
1357
1358 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
1359
1360         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
1361         https://bugs.webkit.org/show_bug.cgi?id=201366
1362
1363         Reviewed by Saam Barati.
1364
1365         It is possible for the log buffer to be full right as someone is trying to
1366         log a function prologue. In such a case the machine stack has already been
1367         updated to include the new JavaScript call frame, but the prologue packet
1368         cannot be included in the update because the log is full. This would mean
1369         that the update fails to rationalize the machine stack with the shadow
1370         log / stack. Namely, the current JavaScript call frame is unable to
1371         find a matching prologue (the one we are holding to include after the update)
1372         and inserts a questionable value into the stack; and in the process
1373         missing and removing real potential tail calls.
1374
1375         For example:
1376         
1377             "use strict";
1378             function third() { return 1; }
1379             function second() { return third(); }
1380             function first() { return second(); }
1381             function start() { return first(); }
1382
1383         If the log fills up just as we are entering `b`, then we may have a
1384         full log of packets looking like:
1385
1386           Shadow Log:
1387             ...
1388             { prologue-packet: entering `start` ... }
1389             { prologue-packet: entering `first` ... }
1390             { tail-packet: leaving `first` with a tail call }
1391
1392           Incoming Packet:
1393             { prologue-packet: entering `second` ... }
1394
1395           Current JS Stack:
1396             second
1397             start
1398
1399         Since the Current JavaScript stack already has `second`, if we process the
1400         log without the prologue for `second` then we push a confused entry on the
1401         shadow stack and clear the log such that we eventually lose the tail-call
1402         information for `first` to `second`.
1403
1404         This patch solves this issue by providing enough extra space in the log
1405         to always process the incoming packet when that forces an update. This way
1406         clients can continue to behave exactly as they are.
1407
1408         --
1409
1410         We also document a corner case in some circumstances where the shadow
1411         log may currently be insufficient to know how to reconcile:
1412         
1413         For example:
1414
1415             "use strict";
1416             function third() { return 1; }
1417             function second() { return third(); }
1418             function first() { return second(); }
1419             function doNothingTail() { return Math.random() }
1420             function start() {
1421                 for (i=0;i<1000;++i) doNothingTail();
1422                 return first();
1423             }
1424
1425         In this case the ShadowChicken log may be processed multiple times due
1426         to the many calls to `doNothingTail` / `Math.random()`. When calling the
1427         Native function no prologue packet is emitted, so it is unclear that we
1428         temporarily go deeper and come back out on the stack, so the log appears
1429         to have lots of doNothingTail calls reusing the same frame:
1430
1431           Shadow Log:
1432             ...
1433             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
1434             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1435             , [125] tail-packet:{frame = 0x7ffeef8971f0}
1436             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1437             , [127] tail-packet:{frame = 0x7ffeef8971f0}
1438             ...
1439             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1440             , [141] tail-packet:{frame = 0x7ffeef8971f0}
1441             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1442             , [143] tail-packet:{frame = 0x7ffeef8971f0}
1443             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
1444             , [145] tail-packet:{frame = 0x7ffeef8971f0}
1445             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
1446             ...
1447
1448         This log would seem to be indistinguishable from real tail recursion, such as:
1449
1450             "use strict";
1451             function third() { return 1; }
1452             function second() { return third(); }
1453             function first() { return second(); }
1454             function doNothingTail(n) {
1455                 return n ? doNothingTail(n-1) : first();
1456             }
1457             function start() {
1458                 return doNothingTail(1000);
1459             }
1460
1461         Likewise there are more cases where the shadow log appears to be ambiguous with determining
1462         the appropriate parent call frame with intermediate function calls. In practice this may
1463         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
1464         It seems likely we would only show additional frames that did in fact happen serially
1465         between JavaScript call frames, but may not actually be the proper parent frames
1466         hierarchy in the stack.
1467
1468         * interpreter/ShadowChicken.cpp:
1469         (JSC::ShadowChicken::Packet::dump const):
1470         (JSC::ShadowChicken::Frame::dump const):
1471         (JSC::ShadowChicken::dump const):
1472         Improved debugging output. Especially for functions.
1473
1474         (JSC::ShadowChicken::ShadowChicken):
1475         Make space in the log for 1 additional packet to process when we slow log.
1476
1477         (JSC::ShadowChicken::log):
1478         Include this packet in our update.
1479
1480         (JSC::ShadowChicken::update):
1481         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
1482
1483 2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>
1484
1485         Unreviewed, rolling out r249566.
1486
1487         Causes inspector layout test crashes under GuardMalloc
1488
1489         Reverted changeset:
1490
1491         "Tail Deleted Frames shown in Web Inspector are sometimes
1492         incorrect (Shadow Chicken)"
1493         https://bugs.webkit.org/show_bug.cgi?id=201366
1494         https://trac.webkit.org/changeset/249566
1495
1496 2019-09-06  Guillaume Emont  <guijemont@igalia.com>
1497
1498         testmasm: save r6 in JIT'ed code on ARM_THUMB2
1499         https://bugs.webkit.org/show_bug.cgi?id=201138
1500
1501         Reviewed by Mark Lam.
1502
1503         MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
1504         callee-saved register. The JITs use
1505         AssemblyHelpers::emitSaveCalleeSaves() and friends to save
1506         callee-saved registers, but there is no such mechanism in testmasm,
1507         which seems to make the assumption that the macroassembler does not
1508         use callee-saved registers (which I guess is true for all other
1509         architectures, but not for Armv7).
1510
1511         This issue means that testmasm crashes on Armv7 since code generated
1512         by gcc uses r6, and it gets modified by JIT'ed code.
1513
1514         This change makes sure that we save and restore r6 for all code
1515         compiled by testmasm on Armv7.
1516
1517         * assembler/testmasm.cpp:
1518         (JSC::emitFunctionPrologue):
1519         (JSC::emitFunctionEpilogue):
1520         (JSC::testSimple):
1521         (JSC::testGetEffectiveAddress):
1522         (JSC::testBranchTruncateDoubleToInt32):
1523         (JSC::testBranchTestBit32RegReg):
1524         (JSC::testBranchTestBit32RegImm):
1525         (JSC::testBranchTestBit32AddrImm):
1526         (JSC::testBranchTestBit64RegReg):
1527         (JSC::testBranchTestBit64RegImm):
1528         (JSC::testBranchTestBit64AddrImm):
1529         (JSC::testCompareDouble):
1530         (JSC::testMul32WithImmediates):
1531         (JSC::testMul32SignExtend):
1532         (JSC::testCompareFloat):
1533         (JSC::testProbeReadsArgumentRegisters):
1534         (JSC::testProbeWritesArgumentRegisters):
1535         (JSC::testProbePreservesGPRS):
1536         (JSC::testProbeModifiesStackPointer):
1537         (JSC::testProbeModifiesProgramCounter):
1538         (JSC::testProbeModifiesStackValues):
1539         (JSC::testByteSwap):
1540         (JSC::testMoveDoubleConditionally32):
1541         (JSC::testMoveDoubleConditionally64):
1542         (JSC::testCagePreservesPACFailureBit):
1543
1544 2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>
1545
1546         Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
1547         https://bugs.webkit.org/show_bug.cgi?id=201366
1548
1549         Reviewed by Saam Barati.
1550
1551         It is possible for the log buffer to be full right as someone is trying to
1552         log a function prologue. In such a case the machine stack has already been
1553         updated to include the new JavaScript call frame, but the prologue packet
1554         cannot be included in the update because the log is full. This would mean
1555         that the update fails to rationalize the machine stack with the shadow
1556         log / stack. Namely, the current JavaScript call frame is unable to
1557         find a matching prologue (the one we are holding to include after the update)
1558         and inserts a questionable value into the stack; and in the process
1559         missing and removing real potential tail calls.
1560
1561         For example:
1562         
1563             "use strict";
1564             function third() { return 1; }
1565             function second() { return third(); }
1566             function first() { return second(); }
1567             function start() { return first(); }
1568
1569         If the log fills up just as we are entering `b`, then we may have a
1570         full log of packets looking like:
1571
1572           Shadow Log:
1573             ...
1574             { prologue-packet: entering `start` ... }
1575             { prologue-packet: entering `first` ... }
1576             { tail-packet: leaving `first` with a tail call }
1577
1578           Incoming Packet:
1579             { prologue-packet: entering `second` ... }
1580
1581           Current JS Stack:
1582             second
1583             start
1584
1585         Since the Current JavaScript stack already has `second`, if we process the
1586         log without the prologue for `second` then we push a confused entry on the
1587         shadow stack and clear the log such that we eventually lose the tail-call
1588         information for `first` to `second`.
1589
1590         This patch solves this issue by providing enough extra space in the log
1591         to always process the incoming packet when that forces an update. This way
1592         clients can continue to behave exactly as they are.
1593
1594         --
1595
1596         We also document a corner case in some circumstances where the shadow
1597         log may currently be insufficient to know how to reconcile:
1598         
1599         For example:
1600
1601             "use strict";
1602             function third() { return 1; }
1603             function second() { return third(); }
1604             function first() { return second(); }
1605             function doNothingTail() { return Math.random() }
1606             function start() {
1607                 for (i=0;i<1000;++i) doNothingTail();
1608                 return first();
1609             }
1610
1611         In this case the ShadowChicken log may be processed multiple times due
1612         to the many calls to `doNothingTail` / `Math.random()`. When calling the
1613         Native function no prologue packet is emitted, so it is unclear that we
1614         temporarily go deeper and come back out on the stack, so the log appears
1615         to have lots of doNothingTail calls reusing the same frame:
1616
1617           Shadow Log:
1618             ...
1619             , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
1620             , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1621             , [125] tail-packet:{frame = 0x7ffeef8971f0}
1622             , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1623             , [127] tail-packet:{frame = 0x7ffeef8971f0}
1624             ...
1625             , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1626             , [141] tail-packet:{frame = 0x7ffeef8971f0}
1627             , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
1628             , [143] tail-packet:{frame = 0x7ffeef8971f0}
1629             , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
1630             , [145] tail-packet:{frame = 0x7ffeef8971f0}
1631             , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
1632             ...
1633
1634         This log would seem to be indistinguishable from real tail recursion, such as:
1635
1636             "use strict";
1637             function third() { return 1; }
1638             function second() { return third(); }
1639             function first() { return second(); }
1640             function doNothingTail(n) {
1641                 return n ? doNothingTail(n-1) : first();
1642             }
1643             function start() {
1644                 return doNothingTail(1000);
1645             }
1646
1647         Likewise there are more cases where the shadow log appears to be ambiguous with determining
1648         the appropriate parent call frame with intermediate function calls. In practice this may
1649         not be too problematic, as this is a best effort reconstruction of tail deleted frames.
1650         It seems likely we would only show additional frames that did in fact happen serially
1651         between JavaScript call frames, but may not actually be the proper parent frames
1652         hierarchy in the stack.
1653
1654         * interpreter/ShadowChicken.cpp:
1655         (JSC::ShadowChicken::Packet::dump const):
1656         (JSC::ShadowChicken::Frame::dump const):
1657         (JSC::ShadowChicken::dump const):
1658         Improved debugging output. Especially for functions.
1659
1660         (JSC::ShadowChicken::ShadowChicken):
1661         Make space in the log for 1 additional packet to process when we slow log.
1662
1663         (JSC::ShadowChicken::log):
1664         Include this packet in our update.
1665
1666         (JSC::ShadowChicken::update):
1667         Address an edge case where we can eliminate tail-deleted frames that don't make sense.
1668
1669 2019-09-05  Mark Lam  <mark.lam@apple.com>
1670
1671         Refactor the Gigacage code to require less pointer casting.
1672         https://bugs.webkit.org/show_bug.cgi?id=201521
1673
1674         Reviewed by Saam Barati.
1675
1676         Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
1677         in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.
1678
1679         * jit/AssemblyHelpers.h:
1680         (JSC::AssemblyHelpers::cageConditionally):
1681         * llint/LowLevelInterpreter.asm:
1682         * llint/LowLevelInterpreter64.asm:
1683         * runtime/VM.h:
1684         (JSC::VM::gigacageAuxiliarySpace):
1685
1686 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1687
1688         Unreviewed, follow-up after r249530 and r249509
1689         https://bugs.webkit.org/show_bug.cgi?id=201495
1690
1691         Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.
1692
1693         * builtins/PromiseConstructor.js:
1694         (nakedConstructor.Promise.resolve):
1695         (nakedConstructor.Promise.reject):
1696         (nakedConstructor.Promise):
1697         (nakedConstructor.InternalPromise.resolve):
1698         (nakedConstructor.InternalPromise.reject):
1699         (nakedConstructor.InternalPromise):
1700         * ftl/FTLLowerDFGToB3.cpp:
1701         (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
1702         (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
1703         (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
1704         * ftl/FTLOutput.h:
1705         (JSC::FTL::Output::alreadyRegisteredWeakPointer):
1706         (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
1707         (JSC::FTL::Output::weakPointer): Deleted.
1708
1709 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1710
1711         [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
1712         https://bugs.webkit.org/show_bug.cgi?id=201513
1713
1714         Reviewed by Ross Kirsling.
1715
1716         This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and makes it reusable for other objects.
1717         It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.
1718
1719         The profiler reports many recompilations of Generator's resume function (including the async generator's). We are using properties
1720         with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
1721         has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
1722         different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
1723         And every time a new Structure for a new generator pops up, DFG/FTL code for the generator resume function hits an OSR exit, or eventually this function
1724         emits super generic code. By using internal fields to store this state, we can avoid this performance problem.
1725
1726         Bytecodes and corresponding DFG nodes are just renamed. JSPromise now inherits from JSInternalFieldsObjectImpl, which can hold a specified
1727         number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.
1728
1729         * CMakeLists.txt:
1730         * JavaScriptCore.xcodeproj/project.pbxproj:
1731         * bytecode/BytecodeList.rb:
1732         * bytecode/BytecodeUseDef.h:
1733         (JSC::computeUsesForBytecodeOffset):
1734         (JSC::computeDefsForBytecodeOffset):
1735         * bytecode/CodeBlock.cpp:
1736         (JSC::CodeBlock::finishCreation):
1737         * bytecode/Opcode.h:
1738         * bytecompiler/BytecodeGenerator.cpp:
1739         (JSC::BytecodeGenerator::emitGetInternalField):
1740         (JSC::BytecodeGenerator::emitPutInternalField):
1741         (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
1742         (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
1743         * bytecompiler/BytecodeGenerator.h:
1744         * bytecompiler/NodesCodegen.cpp:
1745         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
1746         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
1747         * dfg/DFGAbstractInterpreterInlines.h:
1748         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1749         * dfg/DFGByteCodeParser.cpp:
1750         (JSC::DFG::ByteCodeParser::parseBlock):
1751         * dfg/DFGCapabilities.cpp:
1752         (JSC::DFG::capabilityLevel):
1753         * dfg/DFGClobberize.h:
1754         (JSC::DFG::clobberize):
1755         * dfg/DFGDoesGC.cpp:
1756         (JSC::DFG::doesGC):
1757         * dfg/DFGFixupPhase.cpp:
1758         (JSC::DFG::FixupPhase::fixupNode):
1759         * dfg/DFGMayExit.cpp:
1760         * dfg/DFGNode.h:
1761         (JSC::DFG::Node::hasInternalFieldIndex):
1762         (JSC::DFG::Node::hasHeapPrediction):
1763         * dfg/DFGNodeType.h:
1764         * dfg/DFGPredictionPropagationPhase.cpp:
1765         * dfg/DFGSafeToExecute.h:
1766         (JSC::DFG::safeToExecute):
1767         * dfg/DFGSpeculativeJIT.cpp:
1768         (JSC::DFG::SpeculativeJIT::compileGetInternalField):
1769         (JSC::DFG::SpeculativeJIT::compilePutInternalField):
1770         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
1771         (JSC::DFG::SpeculativeJIT::compileNewPromise):
1772         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
1773         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
1774         * dfg/DFGSpeculativeJIT.h:
1775         * dfg/DFGSpeculativeJIT32_64.cpp:
1776         (JSC::DFG::SpeculativeJIT::compile):
1777         * dfg/DFGSpeculativeJIT64.cpp:
1778         (JSC::DFG::SpeculativeJIT::compile):
1779         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1780         * ftl/FTLAbstractHeapRepository.h:
1781         * ftl/FTLCapabilities.cpp:
1782         (JSC::FTL::canCompile):
1783         * ftl/FTLLowerDFGToB3.cpp:
1784         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1785         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
1786         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1787         (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
1788         (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
1789         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
1790         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
1791         * jit/JIT.cpp:
1792         (JSC::JIT::privateCompileMainPass):
1793         * jit/JIT.h:
1794         * jit/JITPropertyAccess.cpp:
1795         (JSC::JIT::emit_op_get_internal_field):
1796         (JSC::JIT::emit_op_put_internal_field):
1797         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
1798         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
1799         * jit/JITPropertyAccess32_64.cpp:
1800         (JSC::JIT::emit_op_get_internal_field):
1801         (JSC::JIT::emit_op_put_internal_field):
1802         (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
1803         (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
1804         * llint/LLIntOffsetsExtractor.cpp:
1805         * llint/LowLevelInterpreter.asm:
1806         * llint/LowLevelInterpreter32_64.asm:
1807         * llint/LowLevelInterpreter64.asm:
1808         * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
1809         (JSC::JSInternalFieldObjectImpl::allocationSize):
1810         (JSC::JSInternalFieldObjectImpl::internalField const):
1811         (JSC::JSInternalFieldObjectImpl::internalField):
1812         (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
1813         (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
1814         (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
1815         * runtime/JSInternalFieldObjectImplInlines.h: Added.
1816         (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
1817         * runtime/JSPromise.cpp:
1818         (JSC::JSPromise::finishCreation):
1819         (JSC::JSPromise::visitChildren):
1820         (JSC::JSPromise::status const):
1821         (JSC::JSPromise::result const):
1822         (JSC::JSPromise::isHandled const):
1823         * runtime/JSPromise.h:
1824         (JSC::JSPromise::allocationSize): Deleted.
1825         (JSC::JSPromise::offsetOfInternalFields): Deleted.
1826         (JSC::JSPromise::offsetOfInternalField): Deleted.
1827         (): Deleted.
1828
1829 2019-09-05  Commit Queue  <commit-queue@webkit.org>
1830
1831         Unreviewed, rolling out r247463.
1832         https://bugs.webkit.org/show_bug.cgi?id=201515
1833
1834         JetStream2 code-load related regression (Requested by
1835         yusukesuzuki on #webkit).
1836
1837         Reverted changeset:
1838
1839         "Keyword lookup can use memcmp to get around unaligned load
1840         undefined behavior"
1841         https://bugs.webkit.org/show_bug.cgi?id=199650
1842         https://trac.webkit.org/changeset/247463
1843
1844 2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>
1845
1846         LazyClassStructure::setConstructor should not store the constructor to the global object
1847         https://bugs.webkit.org/show_bug.cgi?id=201484
1848         <rdar://problem/50400451>
1849
1850         Reviewed by Yusuke Suzuki.
1851
1852         LazyClassStructure::setConstructor sets the constructor as a property of the global object.
1853         This became a problem when it started being used for WebAssembly constructors, such as Module
1854         and Instance, since they are properties of the WebAssembly object, not the global object. That
1855         resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
1856         was first accessed. e.g.
1857
1858         globalThis.Module = x;
1859         WebAssembly.Module;
1860         globalThis.Module === WebAssembly.Module;
1861
1862         * runtime/LazyClassStructure.cpp:
1863         (JSC::LazyClassStructure::Initializer::setConstructor):
1864         * runtime/LazyClassStructure.h:
1865         * runtime/Lookup.h:
1866         (JSC::reifyStaticProperty):
1867
1868 2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>
1869
1870         [JSC] Do not use FTLOutput::weakPointer directly
1871         https://bugs.webkit.org/show_bug.cgi?id=201495
1872
1873         Reviewed by Filip Pizlo.
1874
1875         FTLOutput::weakPointer does not register the cell as a weak pointer.
1876         CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
1877         While the current implementation does not pose a correctness issue, since these cells are live as long as JSGlobalObject is live,
1878         and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
1879         For FrozenValue, we should use frozenPointer helper function.
1880
1881         * ftl/FTLLowerDFGToB3.cpp:
1882         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
1883         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
1884
1885 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1886
1887         Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
1888         https://bugs.webkit.org/show_bug.cgi?id=201373
1889
1890         * bytecode/BytecodeList.rb:
1891         * bytecode/BytecodeUseDef.h:
1892         (JSC::computeUsesForBytecodeOffset):
1893         (JSC::computeDefsForBytecodeOffset):
1894         * bytecompiler/BytecodeGenerator.cpp:
1895         (JSC::BytecodeGenerator::BytecodeGenerator):
1896         (JSC::BytecodeGenerator::emitLoopHint):
1897         (JSC::BytecodeGenerator::emitCheckTraps):
1898         * bytecompiler/BytecodeGenerator.h:
1899         * dfg/DFGByteCodeParser.cpp:
1900         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1901         (JSC::DFG::ByteCodeParser::parseBlock):
1902         * dfg/DFGCapabilities.cpp:
1903         (JSC::DFG::capabilityLevel):
1904         * jit/JIT.cpp:
1905         (JSC::JIT::emitEnterOptimizationCheck):
1906         (JSC::JIT::privateCompileMainPass):
1907         (JSC::JIT::privateCompileSlowCases):
1908         * jit/JIT.h:
1909         * jit/JITOpcodes.cpp:
1910         (JSC::JIT::emit_op_enter):
1911         (JSC::JIT::emit_op_loop_hint):
1912         (JSC::JIT::emitSlow_op_loop_hint):
1913         (JSC::JIT::emit_op_check_traps):
1914         (JSC::JIT::emitSlow_op_check_traps):
1915         (JSC::JIT::emitSlow_op_enter): Deleted.
1916         * jit/JITOpcodes32_64.cpp:
1917         (JSC::JIT::emit_op_enter):
1918         * llint/LowLevelInterpreter.asm:
1919         * llint/LowLevelInterpreter32_64.asm:
1920         * llint/LowLevelInterpreter64.asm:
1921         * runtime/CommonSlowPaths.cpp:
1922         (JSC::SLOW_PATH_DECL):
1923         * runtime/CommonSlowPaths.h:
1924
1925 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1926
1927         Unreviewed, rebaseline builtin generator test results
1928         https://bugs.webkit.org/show_bug.cgi?id=200898
1929
1930         Rebaseline the result files.
1931
1932         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
1933         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
1934         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
1935         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
1936         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
1937         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
1938         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
1939         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
1940         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
1941         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
1942         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
1943         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
1944         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
1945
1946 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1947
1948         [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
1949         https://bugs.webkit.org/show_bug.cgi?id=201485
1950
1951         Reviewed by Tadeu Zagallo.
1952
1953         FunctionOverrides is a per-process singleton for registering override information, but it was accessed
1954         without taking a lock. If multiple threads with multiple VMs access it concurrently, we have a data race
1955         on the underlying hash table, for example:
1956
1957         1. One thread is adding override information, while
1958         2. Another thread is looking up an entry in the same hash table.
1959
1960         Concurrent mutation and lookup of an unsynchronized hash table is undefined behavior, so this patch adds a lock to make sure that only one thread at a time can access the registry.
1961
1962         * tools/FunctionOverrides.cpp:
1963         (JSC::FunctionOverrides::FunctionOverrides):
1964         (JSC::FunctionOverrides::reinstallOverrides):
1965         (JSC::FunctionOverrides::initializeOverrideFor):
1966         (JSC::FunctionOverrides::parseOverridesInFile):
1967         * tools/FunctionOverrides.h:
1968         (JSC::FunctionOverrides::clear):
1969
1970 2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>
1971
1972         [JSC] Make Promise implementation faster
1973         https://bugs.webkit.org/show_bug.cgi?id=200898
1974
1975         Reviewed by Saam Barati.
1976
1977         This is a major change to the Promise implementation; it improves JetStream2/async-fs by 62%.
1978
1979         1. Make JSPromise C++ friendly
1980
1981             Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
1982             This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
1983             fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
1984             fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
1985             supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
1986             this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].
1987
1988             We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
1989             This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.
1990
1991             Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
1992             is filed in [2].
1993
1994         2. Make JSPromise constructor JS friendly
1995
1996             The old JSPromise constructor was very inefficient: the JSPromise constructor was an InternalFunction in C++, and in it, it
1997             called the `initializePromise` JS function, which in turn invoked the `executor` function passed by the user program.
1998             If we implement the JSPromise constructor fully in JS, we can recognize `executor` and have a chance to fully inline it.
1999             Unfortunately, we cannot inline the JSPromise constructor for now since it has a bytecode cost of 120 while our inlining threshold for
2000             construct is 100. We might want to investigate getting it inlined in the future[3].
2001
2002             We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
2003             annotation to builtin JS, which is propagated as `ConstructorKind::Naked`. When this kind is attached, the bytecode generator
2004             does not emit `op_create_this` implicitly and the constructor does not return the `this` object implicitly. The naked constructor allows
2005             us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
2006             which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
2007             JSPromise constructor fully in JS.
2008             With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].
2009
2010         3. DFG supports for JSPromise operations
2011
2012             This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
2013             and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
2014             promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
2015             When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
2016             used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
2017             can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
2018             in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
2019             structure is invalidated: `callee.prototype` is replaced.
2020
2021         4. Avoid creating unnecessary promises
2022
2023             Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. Some promise creations can therefore be avoided.
2024             For example, when resolving a value with `Promise.resolve`, if the value is a promise and its `then` method is the builtin `then`, we can avoid creating an
2025             intermediate promise. To handle these cases well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
2026             take `onFulfilled` and `onRejected` handlers and do not need an intermediate promise for resolving. This removes internal promise allocations
2027             in the major cases and makes promises / async functions efficient. We also expose the builtin `then` function as `@then`, and insert an
2028             `@isPromise(xxx) && then === @then` check to take the fast path; a promise whose `then` has been overridden fails that check and still goes through the generic path. We introduced four types of promise reactions to avoid some object allocations, and the microtask reaction handles all four types.
2029
2030         5. Avoid creating resolving-functions and promise capabilities
2031
2032             Resolving functions have an `alreadyResolved` flag to prevent `resolve` and `reject` from being called multiple times. For the first resolving-function creation, this
2033             patch embeds a one-bit flag into JSPromise itself which indicates `alreadyResolved` for the first created resolving functions (resolving functions can later be
2034             created again for the same promise; in that case, we just create the usual resolving functions). By doing so, we avoid unnecessary resolving-function
2035             and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
2036             The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
2037             `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
2038             This mechanism will be used to drop JSPromiseDeferred in a separate patch.
2039
2040         JetStream2/async-fs results.
2041             ToT:
2042                 Running async-fs:
2043                     Startup: 116.279
2044                     Worst Case: 151.515
2045                     Average: 176.630
2046                     Score: 145.996
2047                     Wall time: 0:01.149
2048
2049             Patched:
2050                 Running async-fs:
2051                     Startup: 166.667
2052                     Worst Case: 267.857
2053                     Average: 299.080
2054                     Score: 237.235
2055                     Wall time: 0:00.683
2056
2057         [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
2058         [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
2059         [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
2060         [4]: https://bugs.webkit.org/show_bug.cgi?id=201158
2061
2062         * CMakeLists.txt:
2063         * JavaScriptCore.xcodeproj/project.pbxproj:
2064         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2065         (ConstructAbility):
2066         (ConstructorKind):
2067         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2068         * Scripts/wkbuiltins/builtins_generator.py:
2069         (BuiltinsGenerator.generate_embedded_code_data_for_function):
2070         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2071         * Scripts/wkbuiltins/builtins_model.py:
2072         (BuiltinFunction.__init__):
2073         (BuiltinFunction.fromString):
2074         * Scripts/wkbuiltins/builtins_templates.py:
2075         * builtins/AsyncFromSyncIteratorPrototype.js:
2076         (next.try):
2077         (next):
2078         (return.try):
2079         (return):
2080         (throw.try):
2081         (throw):
2082         * builtins/AsyncFunctionPrototype.js:
2083         (globalPrivate.asyncFunctionResume):
2084         * builtins/AsyncGeneratorPrototype.js:
2085         (globalPrivate.asyncGeneratorQueueIsEmpty):
2086         (globalPrivate.asyncGeneratorQueueEnqueue):
2087         (globalPrivate.asyncGeneratorQueueDequeue):
2088         (globalPrivate.asyncGeneratorReject):
2089         (globalPrivate.asyncGeneratorResolve):
2090         (globalPrivate.asyncGeneratorYield):
2091         (onRejected):
2092         (globalPrivate.awaitValue):
2093         (onFulfilled):
2094         (globalPrivate.doAsyncGeneratorBodyCall):
2095         (globalPrivate.asyncGeneratorResumeNext):
2096         (globalPrivate.asyncGeneratorEnqueue):
2097         (globalPrivate.asyncGeneratorDequeue): Deleted.
2098         (const.onRejected): Deleted.
2099         (const.onFulfilled): Deleted.
2100         (globalPrivate.asyncGeneratorResumeNext.): Deleted.
2101         * builtins/BuiltinExecutableCreator.h:
2102         * builtins/BuiltinExecutables.cpp:
2103         (JSC::BuiltinExecutables::defaultConstructorSourceCode):
2104         (JSC::BuiltinExecutables::createDefaultConstructor):
2105         (JSC::BuiltinExecutables::createBuiltinExecutable):
2106         (JSC::BuiltinExecutables::createExecutable):
2107         (JSC::createBuiltinExecutable): Deleted.
2108         * builtins/BuiltinExecutables.h:
2109         * builtins/BuiltinNames.h:
2110         * builtins/BuiltinUtils.h:
2111         * builtins/ModuleLoader.js:
2112         (forceFulfillPromise):
2113         * builtins/PromiseConstructor.js:
2114         (nakedConstructor.Promise.resolve):
2115         (nakedConstructor.Promise.reject):
2116         (nakedConstructor.Promise):
2117         (nakedConstructor.InternalPromise.resolve):
2118         (nakedConstructor.InternalPromise.reject):
2119         (nakedConstructor.InternalPromise):
2120         * builtins/PromiseOperations.js:
2121         (globalPrivate.newPromiseReaction):
2122         (globalPrivate.newPromiseCapability):
2123         (globalPrivate.newHandledRejectedPromise):
2124         (globalPrivate.triggerPromiseReactions):
2125         (globalPrivate.resolvePromise):
2126         (globalPrivate.rejectPromise):
2127         (globalPrivate.fulfillPromise):
2128         (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
2129         (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
2130         (globalPrivate.createResolvingFunctions.resolve):
2131         (globalPrivate.createResolvingFunctions.reject):
2132         (globalPrivate.createResolvingFunctions):
2133         (globalPrivate.promiseReactionJobWithoutPromise):
2134         (globalPrivate.resolveWithoutPromise):
2135         (globalPrivate.rejectWithoutPromise):
2136         (globalPrivate.fulfillWithoutPromise):
2137         (resolve):
2138         (reject):
2139         (globalPrivate.createResolvingFunctionsWithoutPromise):
2140         (globalPrivate.promiseReactionJob):
2141         (globalPrivate.promiseResolveThenableJobFast):
2142         (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
2143         (globalPrivate.promiseResolveThenableJob):
2144         (globalPrivate.isPromise): Deleted.
2145         (globalPrivate.newPromiseCapability.executor): Deleted.
2146         (globalPrivate.initializePromise): Deleted.
2147         * builtins/PromisePrototype.js:
2148         (then):
2149         * bytecode/BytecodeIntrinsicRegistry.cpp:
2150         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
2151         * bytecode/BytecodeIntrinsicRegistry.h:
2152         * bytecode/BytecodeList.rb:
2153         * bytecode/BytecodeUseDef.h:
2154         (JSC::computeUsesForBytecodeOffset):
2155         (JSC::computeDefsForBytecodeOffset):
2156         * bytecode/CodeBlock.cpp:
2157         (JSC::CodeBlock::finishCreation):
2158         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2159         * bytecode/Opcode.h:
2160         * bytecode/SpeculatedType.cpp:
2161         (JSC::dumpSpeculation):
2162         (JSC::speculationFromClassInfo):
2163         (JSC::speculationFromJSType):
2164         (JSC::speculationFromString):
2165         * bytecode/SpeculatedType.h:
2166         * bytecode/UnlinkedFunctionExecutable.h:
2167         * bytecompiler/BytecodeGenerator.cpp:
2168         (JSC::BytecodeGenerator::generate):
2169         (JSC::BytecodeGenerator::BytecodeGenerator):
2170         (JSC::BytecodeGenerator::emitGetPromiseInternalField):
2171         (JSC::BytecodeGenerator::emitPutPromiseInternalField):
2172         (JSC::BytecodeGenerator::emitCreatePromise):
2173         (JSC::BytecodeGenerator::emitNewPromise):
2174         (JSC::BytecodeGenerator::emitReturn):
2175         * bytecompiler/BytecodeGenerator.h:
2176         (JSC::BytecodeGenerator::promiseRegister):
2177         (JSC::BytecodeGenerator::emitIsPromise):
2178         (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
2179         * bytecompiler/NodesCodegen.cpp:
2180         (JSC::promiseInternalFieldIndex):
2181         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
2182         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
2183         (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
2184         (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
2185         (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
2186         (JSC::FunctionNode::emitBytecode):
2187         * dfg/DFGAbstractHeap.h:
2188         * dfg/DFGAbstractInterpreterInlines.h:
2189         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2190         * dfg/DFGByteCodeParser.cpp:
2191         (JSC::DFG::ByteCodeParser::parseBlock):
2192         * dfg/DFGCapabilities.cpp:
2193         (JSC::DFG::capabilityLevel):
2194         * dfg/DFGClobberize.h:
2195         (JSC::DFG::clobberize):
2196         * dfg/DFGClobbersExitState.cpp:
2197         (JSC::DFG::clobbersExitState):
2198         * dfg/DFGConstantFoldingPhase.cpp:
2199         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2200         * dfg/DFGDoesGC.cpp:
2201         (JSC::DFG::doesGC):
2202         * dfg/DFGFixupPhase.cpp:
2203         (JSC::DFG::FixupPhase::fixupNode):
2204         * dfg/DFGGraph.cpp:
2205         (JSC::DFG::Graph::dump):
2206         * dfg/DFGHeapLocation.cpp:
2207         (WTF::printInternal):
2208         * dfg/DFGHeapLocation.h:
2209         * dfg/DFGMayExit.cpp:
2210         * dfg/DFGNode.h:
2211         (JSC::DFG::Node::convertToNewPromise):
2212         (JSC::DFG::Node::hasIsInternalPromise):
2213         (JSC::DFG::Node::isInternalPromise):
2214         (JSC::DFG::Node::hasInternalFieldIndex):
2215         (JSC::DFG::Node::internalFieldIndex):
2216         (JSC::DFG::Node::hasHeapPrediction):
2217         (JSC::DFG::Node::hasStructure):
2218         * dfg/DFGNodeType.h:
2219         * dfg/DFGOperations.cpp:
2220         * dfg/DFGOperations.h:
2221         * dfg/DFGPredictionPropagationPhase.cpp:
2222         * dfg/DFGPromotedHeapLocation.cpp:
2223         (WTF::printInternal):
2224         * dfg/DFGPromotedHeapLocation.h:
2225         * dfg/DFGSafeToExecute.h:
2226         (JSC::DFG::SafeToExecuteEdge::operator()):
2227         (JSC::DFG::safeToExecute):
2228         * dfg/DFGSpeculativeJIT.cpp:
2229         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
2230         (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
2231         (JSC::DFG::SpeculativeJIT::speculate):
2232         (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
2233         (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
2234         (JSC::DFG::SpeculativeJIT::compileCreatePromise):
2235         (JSC::DFG::SpeculativeJIT::compileNewPromise):
2236         * dfg/DFGSpeculativeJIT.h:
2237         * dfg/DFGSpeculativeJIT32_64.cpp:
2238         (JSC::DFG::SpeculativeJIT::compile):
2239         * dfg/DFGSpeculativeJIT64.cpp:
2240         (JSC::DFG::SpeculativeJIT::compile):
2241         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2242         * dfg/DFGUseKind.cpp:
2243         (WTF::printInternal):
2244         * dfg/DFGUseKind.h:
2245         (JSC::DFG::typeFilterFor):
2246         (JSC::DFG::isCell):
2247         * ftl/FTLAbstractHeapRepository.h:
2248         * ftl/FTLCapabilities.cpp:
2249         (JSC::FTL::canCompile):
2250         * ftl/FTLLowerDFGToB3.cpp:
2251         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2252         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2253         (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
2254         (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
2255         (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
2256         (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
2257         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2258         (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
2259         * jit/JIT.cpp:
2260         (JSC::JIT::privateCompileMainPass):
2261         (JSC::JIT::privateCompileSlowCases):
2262         * jit/JIT.h:
2263         * jit/JITOperations.cpp:
2264         * jit/JITOperations.h:
2265         * jit/JITPropertyAccess.cpp:
2266         (JSC::JIT::emit_op_get_promise_internal_field):
2267         (JSC::JIT::emit_op_put_promise_internal_field):
2268         * jit/JITPropertyAccess32_64.cpp:
2269         (JSC::JIT::emit_op_get_promise_internal_field):
2270         (JSC::JIT::emit_op_put_promise_internal_field):
2271         * llint/LowLevelInterpreter.asm:
2272         * llint/LowLevelInterpreter32_64.asm:
2273         * llint/LowLevelInterpreter64.asm:
2274         * parser/Parser.cpp:
2275         (JSC::Parser<LexerType>::Parser):
2276         (JSC::Parser<LexerType>::parseFunctionInfo):
2277         * parser/Parser.h:
2278         (JSC::parse):
2279         * parser/ParserModes.h:
2280         * runtime/CommonSlowPaths.cpp:
2281         (JSC::SLOW_PATH_DECL):
2282         * runtime/CommonSlowPaths.h:
2283         * runtime/ConstructAbility.h:
2284         * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
2285         * runtime/FunctionRareData.cpp:
2286         (JSC::FunctionRareData::FunctionRareData):
2287         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2288         (JSC::FunctionRareData::clear):
2289         * runtime/FunctionRareData.h:
2290         * runtime/InternalFunction.cpp:
2291         (JSC::InternalFunction::createSubclassStructureSlow):
2292         * runtime/InternalFunction.h:
2293         (JSC::InternalFunction::createSubclassStructure):
2294         * runtime/JSCast.h:
2295         * runtime/JSGlobalObject.cpp:
2296         (JSC::enqueueJob):
2297         (JSC::JSGlobalObject::init):
2298         (JSC::JSGlobalObject::visitChildren):
2299         * runtime/JSGlobalObject.h:
2300         (JSC::JSGlobalObject::arrayProtoValuesFunction const):
2301         (JSC::JSGlobalObject::promiseProtoThenFunction const):
2302         (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
2303         * runtime/JSInternalPromise.cpp:
2304         (JSC::JSInternalPromise::createStructure):
2305         * runtime/JSInternalPromiseConstructor.cpp:
2306         (JSC::JSInternalPromiseConstructor::create):
2307         (JSC::JSInternalPromiseConstructor::createStructure):
2308         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2309         (JSC::constructPromise): Deleted.
2310         * runtime/JSInternalPromiseConstructor.h:
2311         * runtime/JSInternalPromisePrototype.cpp:
2312         (JSC::JSInternalPromisePrototype::create):
2313         * runtime/JSMicrotask.cpp:
2314         (JSC::createJSMicrotask):
2315         (JSC::JSMicrotask::run):
2316         * runtime/JSMicrotask.h:
2317         * runtime/JSPromise.cpp:
2318         (JSC::JSPromise::createStructure):
2319         (JSC::JSPromise::finishCreation):
2320         (JSC::JSPromise::visitChildren):
2321         (JSC::JSPromise::status const):
2322         (JSC::JSPromise::result const):
2323         (JSC::JSPromise::isHandled const):
2324         (JSC::JSPromise::initialize): Deleted.
2325         * runtime/JSPromise.h:
2326         (JSC::JSPromise::allocationSize):
2327         (JSC::JSPromise::offsetOfInternalFields):
2328         (JSC::JSPromise::offsetOfInternalField):
2329         * runtime/JSPromiseConstructor.cpp:
2330         (JSC::JSPromiseConstructor::create):
2331         (JSC::JSPromiseConstructor::createStructure):
2332         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2333         (JSC::JSPromiseConstructor::finishCreation):
2334         (JSC::constructPromise): Deleted.
2335         (JSC::callPromise): Deleted.
2336         * runtime/JSPromiseConstructor.h:
2337         * runtime/JSPromisePrototype.cpp:
2338         (JSC::JSPromisePrototype::create):
2339         (JSC::JSPromisePrototype::finishCreation):
2340         (JSC::JSPromisePrototype::addOwnInternalSlots):
2341         * runtime/JSPromisePrototype.h:
2342         * runtime/JSType.cpp:
2343         (WTF::printInternal):
2344         * runtime/JSType.h:
2345
2346 2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>
2347
2348         Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
2349         https://bugs.webkit.org/show_bug.cgi?id=201262
2350         <rdar://problem/13108764>
2351
2352         Reviewed by Devin Rousso.
2353
2354         When interception is enabled, Network requests that match any of the configured
2355         interception patterns will be paused on the backend and allowed to be modified
2356         by the frontend.
2357
2358         Currently the only time a network request can be intercepted is during the
2359         HTTP response. However, this interception interface is meant to be extended to
2360         HTTP requests as well.
2361
2362         When a response is to be intercepted a new event is sent to the frontend:
2363
2364           `Network.responseIntercepted` event
2365
2366         With a `requestId` to identify that network request. The frontend
2367         must respond with one of the following commands to continue:
2368
2369           `Network.interceptContinue`     - proceed with the response unmodified
2370           `Network.interceptWithResponse` - provide a response
2371
2372         The response is paused in the meantime.
2373
2374         * inspector/protocol/Network.json:
2375         New interfaces for intercepting network responses and supplying override content.
2376
2377         * Scripts/generate-combined-inspector-json.py:
2378         * inspector/scripts/generate-inspector-protocol-bindings.py:
2379         (generate_from_specification.load_specification):
2380         Complete allowing comments in JSON protocol files.
2381
2382         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2383         (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
2384         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2385         Allow optional enums in ObjC interfaces.
2386
2387 2019-09-03  Mark Lam  <mark.lam@apple.com>
2388
2389         Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
2390         https://bugs.webkit.org/show_bug.cgi?id=201449
2391
2392         Reviewed by Yusuke Suzuki.
2393
2394         Using !isMainThread() in the assertion also disables the assertion for the mutator thread of
2395         workers, whose VMs run off the main thread. This is not what we intended.
2396
2397         * runtime/StructureInlines.h:
2398         (JSC::Structure::storedPrototype const):
2399         (JSC::Structure::storedPrototypeObject const):
2400
2401 2019-09-04  Mark Lam  <mark.lam@apple.com>
2402
2403         Disambiguate a symbol used in JSDollarVM.
2404         https://bugs.webkit.org/show_bug.cgi?id=201466
2405         <rdar://problem/51826672>
2406
2407         Reviewed by Tadeu Zagallo.
2408
2409         This was causing a build issue in some internal builds.
2410
2411         * tools/JSDollarVM.cpp:
2412
2413 2019-09-03  Mark Lam  <mark.lam@apple.com>
2414
2415         Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
2416         https://bugs.webkit.org/show_bug.cgi?id=201309
2417         <rdar://problem/54832121>
2418
2419         Reviewed by Yusuke Suzuki.
2420
2421         * dfg/DFGAbstractInterpreterInlines.h:
2422         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2423         * runtime/JSArrayBufferView.h:
2424         * runtime/JSArrayBufferViewInlines.h:
2425         (JSC::JSArrayBufferView::possiblySharedBufferImpl):
2426         (JSC::JSArrayBufferView::possiblySharedBuffer):
2427         (JSC::JSArrayBufferView::byteOffsetImpl):
2428         (JSC::JSArrayBufferView::byteOffset):
2429         (JSC::JSArrayBufferView::byteOffsetConcurrently):
2430
2431 2019-09-03  Devin Rousso  <drousso@apple.com>
2432
2433         Web Inspector: implement blackboxing of script resources
2434         https://bugs.webkit.org/show_bug.cgi?id=17240
2435         <rdar://problem/5732847>
2436
2437         Reviewed by Joseph Pecoraro.
2438
2439         When a script is blackboxed and the debugger attempts to pause in that script, the pause
2440         reason/data will be saved and execution will continue until it has left the blackboxed
2441         script. Once outside, execution is paused with the saved reason/data.
2442
2443         This is especially useful when debugging issues using libraries/frameworks, as it allows the
2444         developer to "skip" the internal logic of the library/framework and instead focus only on
2445         how they're using it.
2446
2447         * inspector/protocol/Debugger.json:
2448         Add `setShouldBlackboxURL` command.
2449
2450         * inspector/agents/InspectorDebuggerAgent.h:
2451         * inspector/agents/InspectorDebuggerAgent.cpp:
2452         (Inspector::InspectorDebuggerAgent):
2453         (Inspector::InspectorDebuggerAgent::enable):
2454         (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
2455         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
2456         (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
2457         (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
2458         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
2459         (Inspector::InspectorDebuggerAgent::didParseSource):
2460         (Inspector::InspectorDebuggerAgent::didPause):
2461         (Inspector::InspectorDebuggerAgent::didContinue):
2462         (Inspector::InspectorDebuggerAgent::breakProgram):
2463         (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
2464         (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
2465         (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
2466         Renamed "break" to "pause" to match `Debugger` naming.
2467
2468         * debugger/Debugger.h:
2469         * debugger/Debugger.cpp:
2470         (JSC::Debugger::pauseIfNeeded):
2471         (JSC::Debugger::setBlackboxType): Added.
2472         (JSC::Debugger::clearBlackbox): Added.
2473         (JSC::Debugger::isBlacklisted const): Deleted.
2474         (JSC::Debugger::addToBlacklist): Deleted.
2475         (JSC::Debugger::clearBlacklist): Deleted.
2476
2477 2019-09-03  Mark Lam  <mark.lam@apple.com>
2478
2479         Remove the need to pass performJITMemcpy as a pointer.
2480         https://bugs.webkit.org/show_bug.cgi?id=201413
2481
2482         Reviewed by Michael Saboff.
2483
2484         We want performJITMemcpy to always be inlined.  In this patch, we also clean up
2485         some template parameters to use enums instead of booleans to better document the
2486         intent of the code.
2487
2488         * assembler/ARM64Assembler.h:
2489         (JSC::ARM64Assembler::fillNops):
2490         (JSC::ARM64Assembler::linkJump):
2491         (JSC::ARM64Assembler::linkCall):
2492         (JSC::ARM64Assembler::relinkJump):
2493         (JSC::ARM64Assembler::relinkCall):
2494         (JSC::ARM64Assembler::link):
2495         (JSC::ARM64Assembler::linkJumpOrCall):
2496         (JSC::ARM64Assembler::linkCompareAndBranch):
2497         (JSC::ARM64Assembler::linkConditionalBranch):
2498         (JSC::ARM64Assembler::linkTestAndBranch):
2499         (JSC::ARM64Assembler::relinkJumpOrCall):
2500         (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
2501         (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
2502         * assembler/ARMv7Assembler.h:
2503         (JSC::ARMv7Assembler::fillNops):
2504         (JSC::ARMv7Assembler::link):
2505         (JSC::ARMv7Assembler::linkJumpT1):
2506         (JSC::ARMv7Assembler::linkJumpT2):
2507         (JSC::ARMv7Assembler::linkJumpT3):
2508         (JSC::ARMv7Assembler::linkJumpT4):
2509         (JSC::ARMv7Assembler::linkConditionalJumpT4):
2510         (JSC::ARMv7Assembler::linkBX):
2511         (JSC::ARMv7Assembler::linkConditionalBX):
2512         * assembler/AbstractMacroAssembler.h:
2513         (JSC::AbstractMacroAssembler::emitNops):
2514         * assembler/LinkBuffer.cpp:
2515         (JSC::LinkBuffer::copyCompactAndLinkCode):
2516         * assembler/MIPSAssembler.h:
2517         (JSC::MIPSAssembler::fillNops):
2518         * assembler/MacroAssemblerARM64.h:
2519         (JSC::MacroAssemblerARM64::link):
2520         * assembler/MacroAssemblerARMv7.h:
2521         (JSC::MacroAssemblerARMv7::link):
2522         * assembler/X86Assembler.h:
2523         (JSC::X86Assembler::fillNops):
2524         * jit/ExecutableAllocator.h:
2525         (JSC::performJITMemcpy):
2526         * runtime/JSCPtrTag.h:
2527
2528 2019-09-03  Devin Rousso  <drousso@apple.com>
2529
2530         REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
2531         https://bugs.webkit.org/show_bug.cgi?id=201201
2532         <rdar://problem/54771560>
2533
2534         Reviewed by Joseph Pecoraro.
2535
2536         * inspector/InjectedScriptSource.js:
2537         (let.InjectedScript.prototype.injectModule):
2538         (let.InjectedScript.prototype._evaluateOn):
2539         (CommandLineAPI):
2540         (let.InjectedScript.prototype.setInspectObject): Deleted.
2541         (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
2542         (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
2543         (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
2544         (InjectedScript.CommandLineAPI): Deleted.
2545         Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
2546         directly, instead of having them call functions.
2547
2548         * inspector/InjectedScriptModule.cpp:
2549         (Inspector::InjectedScriptModule::ensureInjected):
2550         Make sure to reset `hadException` to `false` before making another call.
2551
2552 2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>
2553
2554         [JSC] Remove BytecodeGenerator::emitPopScope
2555         https://bugs.webkit.org/show_bug.cgi?id=201395
2556
2557         Reviewed by Saam Barati.
2558
2559         Use emitGetParentScope instead. This patch also removes several unnecessary mov bytecode emissions.
2560
2561         * bytecompiler/BytecodeGenerator.cpp:
2562         (JSC::BytecodeGenerator::popLexicalScopeInternal):
2563         (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
2564         (JSC::BytecodeGenerator::emitPopWithScope):
2565         (JSC::BytecodeGenerator::emitPopScope): Deleted.
2566         * bytecompiler/BytecodeGenerator.h:
2567
2568 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2569
2570         [JSC] Merge op_check_traps into op_enter and op_loop_hint
2571         https://bugs.webkit.org/show_bug.cgi?id=201373
2572
2573         Reviewed by Mark Lam.
2574
2575         This patch removes op_check_traps. Previously we emitted op_check_traps conditionally, based on Options and platform configuration,
2576         but now we always emit it, so a separate op_check_traps bytecode is no longer necessary. The check can be done directly in
2577         op_enter and op_loop_hint.
2578
2579         While this patch moves the check_traps implementation into op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
2580         since the inserted nodes differ based on configuration and options, and emitting multiple DFG nodes from one bytecode is easy.
2581
2582         We also inline op_enter's slow path's write-barrier emission in LLInt.
2583
2584         * bytecode/BytecodeList.rb:
2585         * bytecode/BytecodeUseDef.h:
2586         (JSC::computeUsesForBytecodeOffset):
2587         (JSC::computeDefsForBytecodeOffset):
2588         * bytecompiler/BytecodeGenerator.cpp:
2589         (JSC::BytecodeGenerator::BytecodeGenerator):
2590         (JSC::BytecodeGenerator::emitLoopHint):
2591         (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
2592         * bytecompiler/BytecodeGenerator.h:
2593         * dfg/DFGByteCodeParser.cpp:
2594         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2595         (JSC::DFG::ByteCodeParser::parseBlock):
2596         * dfg/DFGCapabilities.cpp:
2597         (JSC::DFG::capabilityLevel):
2598         * jit/JIT.cpp:
2599         (JSC::JIT::privateCompileMainPass):
2600         (JSC::JIT::privateCompileSlowCases):
2601         (JSC::JIT::emitEnterOptimizationCheck): Deleted.
2602         * jit/JIT.h:
2603         * jit/JITOpcodes.cpp:
2604         (JSC::JIT::emit_op_loop_hint):
2605         (JSC::JIT::emitSlow_op_loop_hint):
2606         (JSC::JIT::emit_op_enter):
2607         (JSC::JIT::emitSlow_op_enter):
2608         (JSC::JIT::emit_op_check_traps): Deleted.
2609         (JSC::JIT::emitSlow_op_check_traps): Deleted.
2610         * jit/JITOpcodes32_64.cpp:
2611         (JSC::JIT::emit_op_enter): Deleted.
2612         * llint/LowLevelInterpreter.asm:
2613         * llint/LowLevelInterpreter32_64.asm:
2614         * llint/LowLevelInterpreter64.asm:
2615         * runtime/CommonSlowPaths.cpp:
2616         * runtime/CommonSlowPaths.h:
2617
2618 2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>
2619
2620         [JSC] Fix testb3 debug failures
2621         https://bugs.webkit.org/show_bug.cgi?id=201382
2622
2623         Reviewed by Mark Lam.
2624
2625         Fix testb3 debug failures due to incorrect types of operations like pointer + int32.
2626
2627         * b3/testb3_8.cpp:
2628         (testByteCopyLoop):
2629         (testByteCopyLoopStartIsLoopDependent):
2630         (testByteCopyLoopBoundIsLoopDependent):
2631
2632 2019-09-01  Mark Lam  <mark.lam@apple.com>
2633
2634         Speculative build fix for ARMv7 and MIPS.
2635         https://bugs.webkit.org/show_bug.cgi?id=201389
2636
2637         Not reviewed.
2638
2639         * bytecode/CodeBlock.cpp:
2640         (JSC::CodeBlock::jettison):
2641
2642 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2643
2644         [JSC] LLInt op should not emit the same code three times
2645         https://bugs.webkit.org/show_bug.cgi?id=201370
2646
2647         Reviewed by Mark Lam.
2648
2649         LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
2650         But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.
2651
2652         * llint/LowLevelInterpreter.asm:
2653
2654 2019-08-30  Mark Lam  <mark.lam@apple.com>
2655
2656         Remove some obsolete statements that have no effect.
2657         https://bugs.webkit.org/show_bug.cgi?id=201357
2658
2659         Reviewed by Saam Barati.
2660
2661         This patch removes 3 statements that look like this:
2662
2663             result->butterfly(); // Ensure that the butterfly is in to-space.
2664
2665         The statement just reads a field and does nothing with it.  This is a no-op
2666         logic-wise, and the comment that accompanies it is obsolete.
2667
2668         * dfg/DFGOperations.cpp:
2669
2670 2019-08-30  Mark Lam  <mark.lam@apple.com>
2671
2672         Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
2673         https://bugs.webkit.org/show_bug.cgi?id=201345
2674
2675         Reviewed by Yusuke Suzuki.
2676
2677         This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
2678         the wrong pointer for capturing the cell headerWord and zapReason.  As a result,
2679         we get junk for those 2 values.
2680
2681         Previously, we were only capturing the upper 32-bits of the cell header slot,
2682         and the lower 32-bit of the next slot in the zapped cell.  We now capture the
2683         full 64-bits of both slots.  If the second slot did not contain a zapReason as we
2684         expect, the upper 32-bits might give us a clue as to what type of value the slot
2685         contains.
2686
2687         This patch also adds capturing of the found MarkedBlock address for the zapped
2688         cell, as well as some state bit values.
2689
2690         * heap/SlotVisitor.cpp:
2691         (JSC::SlotVisitor::reportZappedCellAndCrash):
2692
2693 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2694
2695         [JSC] Generate new.target register only when it is used
2696         https://bugs.webkit.org/show_bug.cgi?id=201335
2697
2698         Reviewed by Mark Lam.
2699
2700         Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register
2701         only when it is actually required.
2702
2703         * bytecompiler/BytecodeGenerator.cpp:
2704         (JSC::BytecodeGenerator::BytecodeGenerator):
2705         * bytecompiler/BytecodeGenerator.h:
2706         (JSC::BytecodeGenerator::newTarget):
2707         * parser/Nodes.h:
2708         (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):
2709
2710 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2711
2712         [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
2713         https://bugs.webkit.org/show_bug.cgi?id=201331
2714
2715         Reviewed by Mark Lam.
2716
2717         SimpleJumpTable's non-JIT part does not change once the CodeBlock is finalized. On the other hand, the JIT-related part is allocated on demand:
2718         for example, ctiOffsets can be grown by the Baseline JIT compiler. This leads to the following race condition.
2719
2720             1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
2721             2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable
2722
2723         Then (1) reads the Vector while (2) is reallocating it — an unsynchronized read of storage that is being resized — and crashes. Since the JIT-related part is unnecessary in (1), we should not clone it.
2724         This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which copies only the non-JIT-related part of the SimpleJumpTable offered
2725         by the profiled CodeBlock.
2726
2727         * bytecode/CodeBlock.h:
2728         (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
2729         * bytecode/JumpTable.h:
2730         (JSC::SimpleJumpTable::cloneNonJITPart const):
2731         (JSC::SimpleJumpTable::clear):
2732         * dfg/DFGByteCodeParser.cpp:
2733         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2734
2735 2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
2736
2737         [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
2738         https://bugs.webkit.org/show_bug.cgi?id=201332
2739
2740         Reviewed by Mark Lam.
2741
2742         When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
2743         that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
2744         does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.
2745
2746         * dfg/DFGByteCodeParser.cpp:
2747         (JSC::DFG::ByteCodeParser::handleInlining):
2748
2749 2019-08-29  Devin Rousso  <drousso@apple.com>
2750
2751         Web Inspector: Debugger: async event listener stack traces should be available in Workers
2752         https://bugs.webkit.org/show_bug.cgi?id=200903
2753
2754         Reviewed by Joseph Pecoraro.
2755
2756         * inspector/agents/InspectorDebuggerAgent.h:
2757         (Inspector::InspectorDebuggerAgent::enabled): Added.
2758         * inspector/agents/InspectorDebuggerAgent.cpp:
2759         (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
2760         (Inspector::InspectorDebuggerAgent::enable):
2761         (Inspector::InspectorDebuggerAgent::disable):
2762         Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.
2763
2764 2019-08-29  Keith Rollin  <krollin@apple.com>
2765
2766         Update .xcconfig symbols to reflect the current set of past and future product versions.
2767         https://bugs.webkit.org/show_bug.cgi?id=200720
2768         <rdar://problem/54305032>
2769
2770         Reviewed by Alex Christensen.
2771
2772         Remove version symbols related to old OS's we no longer support,
2773         ensure that version symbols are defined for OS's we do support.
2774
2775         * Configurations/Base.xcconfig:
2776         * Configurations/DebugRelease.xcconfig:
2777         * Configurations/Version.xcconfig:
2778
2779 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2780
2781         [JSC] Repatch should construct CallCases and CasesValue at the same time
2782         https://bugs.webkit.org/show_bug.cgi?id=201325
2783
2784         Reviewed by Saam Barati.
2785
2786         In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
2787         If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases either.
2788
2789         * jit/Repatch.cpp:
2790         (JSC::linkPolymorphicCall):
2791
2792 2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>
2793
2794         [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
2795         https://bugs.webkit.org/show_bug.cgi?id=198650
2796
2797         Reviewed by Saam Barati.
2798
2799         Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
2800         This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. As a result, it can
2801         interpret a control-flow edge that AI has proved is never taken.
2802         AI already knows that some control-flow edges are never taken, and based on this information AI can remove CheckStructure nodes. But
2803         the ObjectAllocationSinking phase can still trace these never-taken edges and propagate structure information that contradicts what
2804         AI has already proved.
2805
2806         Let's see the example.
2807
2808             BB#0
2809                 35: NewObject([%AM:Object])
2810                 ...
2811                 47: Branch(ConstantTrue, T:#1, F:#2)
2812
2813             BB#1 // This basic block is never taken due to @47's jump.
2814                 ...
2815                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
2816                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
2817                 ...
2818                 XX: Jump(#2)
2819
2820             BB#2
2821                 ...
2822                 92: CheckStructure(@35, [%Dx:Object])
2823                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
2824                 ...
2825
2826         AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
2827         AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
2828         After AI removes @92, ObjectAllocationSinking starts looking into this graph.
2829
2830             BB#0
2831                 35: NewObject([%AM:Object])
2832                 ...
2833                 47: Branch(ConstantTrue, T:#1, F:#2)
2834
2835             BB#1 // This basic block is never taken due to @47's jump.
2836                 ...
2837                 71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
2838                 72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
2839                 ...
2840                 XX: Jump(#2)
2841
2842             BB#2
2843                 ...
2844                 93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
2845                 ...
2846                 YY: Jump(#3)
2847
2848             BB#3
2849                 ...
2850                 ZZ: <HERE> want to materialize @35's sunk object.
2851
2852         Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
2853         BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
2854         inserts MaterializeNewObject at @ZZ. At this point, ObjectAllocationSinking's lightweight interpreter sees two structures while AI sees only one: @35's original
2855         one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
2856         phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes
2857         conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
2858         So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
2859         assertion.
2860
2861             187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)
2862
2863         This bug is harmless since the %AM structure case never matches at runtime. But we were not accounting for a `-1` offset property in MultiPutByOffset data.
2864         In this patch, we simply filter out such impossible structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since that case never arises at runtime.
2865
2866         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2867
2868 2019-08-29  Devin Rousso  <drousso@apple.com>
2869
2870         Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
2871         https://bugs.webkit.org/show_bug.cgi?id=200651
2872
2873         Reviewed by Joseph Pecoraro.
2874
2875         * inspector/protocol/DOMDebugger.json:
2876         Make the domain available in "worker" contexts as well.
2877
2878 2019-08-29  Keith Rollin  <krollin@apple.com>
2879
2880         Remove 32-bit macOS support
2881         https://bugs.webkit.org/show_bug.cgi?id=201282
2882         <rdar://problem/54821667>
2883
2884         Reviewed by Anders Carlsson.
2885
2886         WebKit doesn’t support 32-bit Mac any more, so remove checks and code
2887         for that platform.
2888
2889         * API/JSBase.h:
2890         * runtime/VM.h:
2891
2892 2019-08-29  Keith Rollin  <krollin@apple.com>
2893
2894         Remove support for macOS < 10.13 (part 3)
2895         https://bugs.webkit.org/show_bug.cgi?id=201224
2896         <rdar://problem/54795934>
2897
2898         Reviewed by Darin Adler.
2899
2900         Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
2901         10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
2902         like _MACOS_SINCE_1013.
2903
2904         * Configurations/WebKitTargetConditionals.xcconfig:
2905
2906 2019-08-29  Mark Lam  <mark.lam@apple.com>
2907
2908         Remove a bad assertion in ByteCodeParser::inlineCall().
2909         https://bugs.webkit.org/show_bug.cgi?id=201292
2910         <rdar://problem/54121659>
2911
2912         Reviewed by Michael Saboff.
2913
2914         In the DFG bytecode parser, we've already computed the inlining cost of a candidate
2915         inlining target, and determine that it is worth inlining before invoking
2916         ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
2917         recomputes the inlining cost again only for the purpose of asserting that it isn't
2918         too high.
2919
2920         Now consider a badly written test that does the following:
2921
2922             function bar() {
2923                 ...
2924                 foo(); // Call in a hot loop here.
2925                 ...
2926             }
2927
2928             bar(); // <===== foo is inlineable into bar here.
2929             noInline(foo); // <===== Change mind, and make foo not inlineable.
2930             bar();
2931
2932         With this bad test, the following racy scenario can occur:
2933
2934         1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
2935         2. the compiler thread computes foo()'s inliningCost() and determines that it is
2936            worthy to be inlined, and will imminently call inlineCall().
2937         3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
2938            inlineable.
2939         4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
2940            inliningCost for foo() and now finds that it is not inlineable.  An assertion
2941            failure follows.
2942
2943         Technically, the test is in error because noInline() shouldn't be used that way.
2944         However, fuzzers that are not clued into noInline()'s proper usage may generate
2945         code like this.
2946
2947         On the other hand, ByteCodeParser::inlineCall() should not be recomputing the
2948         inlining cost and asserting on it.  The only reason inlineCall() is invoked is
2949         because it was already previously determined that a target function is inlineable
2950         based on its inlining cost.  Today, in practice, I don't think we have any real
2951         world condition where the mutator can affect the inlining cost of a target
2952         function midway through execution.  So, this assertion isn't a problem if no one
2953         writes a test that abuses noInline().  However, should things change such that the
2954         mutator is able to affect the inlining cost of a target function, then it is
2955         incorrect for the compiler to assume that the inlining cost is immutable.  Once
2956         the compiler decides to inline a function, it should just follow through.
2957
2958         This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
2959         annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
2960         ability to affect the inlining cost of a target function.
2961
2962         * dfg/DFGByteCodeParser.cpp:
2963         (JSC::DFG::ByteCodeParser::inlineCall):
2964
2965 2019-08-28  Mark Lam  <mark.lam@apple.com>
2966
2967         DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
2968         https://bugs.webkit.org/show_bug.cgi?id=201281
2969         <rdar://problem/54028228>
2970
2971         Reviewed by Yusuke Suzuki and Saam Barati.
2972
2973         This (see title above) is already the preferred idiom used in most places in our
2974         compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
2975         compileStringCharAt().  Consider the following:
2976
2977             bool prototypeChainIsSane = false;
2978             if (globalObject->stringPrototypeChainIsSane()) {
2979                 ...
2980                 m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
2981                 m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));
2982
2983                 prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
2984             }
2985
2986         What's essential for correctness here is that the stringPrototype and objectPrototype
2987         structures be loaded before the loads in the second stringPrototypeChainIsSane()
2988         check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
2989         check, those loads may be reordered and we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
2990         for doing this right is to pre-load the structures first, do a loadLoadFence, and
2991         then do the IsSane check just once after e.g.
2992
2993             Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
2994             Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);
2995
2996             if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2997                 && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
2998                 && globalObject->arrayPrototypeChainIsSane()) {
2999
3000                 m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
3001                 m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
3002                 ...
3003             }
3004
3005         This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
3006         compileStringCharAt() to follow the same idiom.
3007
3008         We also fix a bad assertion in Structure::storedPrototype() and
3009         Structure::storedPrototypeObject().  The assertion is only correct when those
3010         methods are called from the mutator thread.  The assertion has been updated to
3011         only check its test condition if the current thread is the mutator thread.
3012
3013         * dfg/DFGSpeculativeJIT.cpp:
3014         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3015         * ftl/FTLLowerDFGToB3.cpp:
3016         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3017         * runtime/StructureInlines.h:
3018         (JSC::Structure::storedPrototype const):
3019         (JSC::Structure::storedPrototypeObject const):
3020
3021 2019-08-28  Mark Lam  <mark.lam@apple.com>
3022
3023         Placate exception check validation in DFG's operationHasGenericProperty().
3024         https://bugs.webkit.org/show_bug.cgi?id=201245
3025         <rdar://problem/54777512>
3026
3027         Reviewed by Robin Morisset.
3028
3029         * dfg/DFGOperations.cpp:
3030
3031 2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>
3032
3033         Unreviewed. Restabilize non-unified build.
3034
3035         * runtime/PropertySlot.h:
3036
3037 2019-08-28  Mark Lam  <mark.lam@apple.com>
3038
3039         Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
3040         https://bugs.webkit.org/show_bug.cgi?id=201006
3041         <rdar://problem/52053991>
3042
3043         Reviewed by Yusuke Suzuki.
3044
3045         We already ensure in Wasm::FunctionParser's parse() that the local count cannot
3046         overflow.  It is unnecessary and misleading to repeat those overflow checks in
3047         AirIRGenerator and B3IRGenerator.  The only check that remains necessary is that
3048         m_locals.tryReserveCapacity() succeeds; otherwise, we are in an out-of-memory
3049         situation.
3050
3051         This patch changes these unnecessary checks to assertions instead.  Note that the bound enforced in FunctionParser::parse() is now the only real guard on the local count, so that check must remain ahead of every path that reaches addLocal().
3052
3053         * wasm/WasmAirIRGenerator.cpp:
3054         (JSC::Wasm::AirIRGenerator::addLocal):
3055         * wasm/WasmB3IRGenerator.cpp:
3056         (JSC::Wasm::B3IRGenerator::addLocal):
3057         * wasm/WasmValidate.cpp:
3058         (JSC::Wasm::Validate::addLocal):
3059
3060 2019-08-28  Keith Rollin  <krollin@apple.com>
3061
3062         Remove support for macOS < 10.13 (part 2)
3063         https://bugs.webkit.org/show_bug.cgi?id=201197
3064         <rdar://problem/54759985>
3065
3066         Update conditionals that reference WK_MACOS_1013 and suffixes like
3067         _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
3068         later and that these conditionals are always True or False.
3069
3070         See Bug 200694 for earlier changes in this area.
3071
3072         Reviewed by Darin Adler.
3073
3074         * Configurations/FeatureDefines.xcconfig:
3075
3076 2019-08-28  Mark Lam  <mark.lam@apple.com>
3077
3078         Gardening: Rebase test results after r249175.
3079         https://bugs.webkit.org/show_bug.cgi?id=201172
3080
3081         Not reviewed.
3082
3083         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
3084         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
3085         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
3086         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
3087         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
3088         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
3089         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
3090
3091 2019-08-27  Michael Saboff  <msaboff@apple.com>
3092
3093         Update PACCage changes for builds without Gigacage, but with signed pointers
3094         https://bugs.webkit.org/show_bug.cgi?id=201202
3095
3096         Reviewed by Saam Barati.
3097
3098         Factored out the untagging of pointers and added that to both the Gigacage enabled
3099         and disabled code paths.  Did this for the LLInt as well as the JITs.
3100
3101         * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
3102         * dfg/DFGSpeculativeJIT.cpp:
3103         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3104         * ftl/FTLLowerDFGToB3.cpp:
3105         (JSC::FTL::DFG::LowerDFGToB3::caged):
3106         * llint/LowLevelInterpreter64.asm:
3107
3108 2019-08-27  Mark Lam  <mark.lam@apple.com>
3109
3110         Refactor to use VM& instead of VM* at as many places as possible.
3111         https://bugs.webkit.org/show_bug.cgi?id=201172
3112
3113         Reviewed by Yusuke Suzuki.
3114
3115         Using VM& documents more clearly that the VM pointer is expected to never be null
3116         in most cases.  There are a few places where it can be null (e.g JSLock, and
3117         DFG::Plan).  Those will be left using a VM*.
3118
3119         Also converted some uses of ExecState* to using VM& instead since the ExecState*
3120         is only there to fetch the VM pointer.  Doing this also reduces the number of
3121         times we have to compute VM* from ExecState*.
3122
3123         This patch is not exhaustive in converting to use VM&, but applies the change to
3124         many commonly used pieces of code for a start.
3125
3126         Also fixed a missing exception check in JSString::toIdentifier() and
3127         JSValue::toPropertyKey() exposed by this patch.
3128
3129         * API/APICast.h:
3130         (toJS):
3131         * API/JSAPIGlobalObject.mm:
3132         (JSC::JSAPIGlobalObject::moduleLoaderResolve):
3133         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
3134         (JSC::JSAPIGlobalObject::moduleLoaderFetch):
3135         (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
3136         (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
3137         * API/JSCallbackConstructor.cpp:
3138         (JSC::JSCallbackConstructor::finishCreation):
3139         * API/JSCallbackObjectFunctions.h:
3140         (JSC::JSCallbackObject<Parent>::asCallbackObject):
3141         (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
3142         (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
3143         (JSC::JSCallbackObject<Parent>::putByIndex):
3144         (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
3145         (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
3146         * API/JSContext.mm:
3147         (-[JSContext dependencyIdentifiersForModuleJSScript:]):
3148         * API/JSObjectRef.cpp:
3149         (JSObjectMakeFunction):
3150         (classInfoPrivate):
3151         (JSObjectGetPrivate):
3152         (JSObjectSetPrivate):
3153         (JSObjectCopyPropertyNames):
3154         (JSPropertyNameAccumulatorAddName):
3155         (JSObjectGetProxyTarget):
3156         * API/JSScriptRef.cpp:
3157         (parseScript):
3158         * API/JSValueRef.cpp:
3159         (JSValueMakeString):
3160         * API/OpaqueJSString.cpp:
3161         (OpaqueJSString::identifier const):
3162         * API/glib/JSCContext.cpp:
3163         (jsc_context_check_syntax):
3164         * KeywordLookupGenerator.py:
3165         (Trie.printSubTreeAsC):
3166         * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
3167         (BuiltinsWrapperHeaderGenerator.generate_constructor):
3168         * Scripts/wkbuiltins/builtins_templates.py:
3169         * bindings/ScriptFunctionCall.cpp:
3170         (Deprecated::ScriptCallArgumentHandler::appendArgument):
3171         (Deprecated::ScriptFunctionCall::call):
3172         * bindings/ScriptValue.cpp:
3173         (Inspector::jsToInspectorValue):
3174         * builtins/BuiltinExecutables.cpp:
3175         (JSC::BuiltinExecutables::createExecutable):
3176         * builtins/BuiltinNames.cpp:
3177         (JSC::BuiltinNames::BuiltinNames):
3178         * builtins/BuiltinNames.h:
3179         (JSC::BuiltinNames::getPublicName const):
3180         * bytecode/BytecodeDumper.cpp:
3181         (JSC::BytecodeDumper<Block>::vm const):
3182         * bytecode/BytecodeDumper.h:
3183         * bytecode/BytecodeGeneratorification.cpp:
3184         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3185         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3186         (JSC::BytecodeGeneratorification::run):
3187         * bytecode/BytecodeIntrinsicRegistry.cpp:
3188         (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
3189         (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
3190         * bytecode/CallVariant.h:
3191         (JSC::CallVariant::internalFunction const):
3192         (JSC::CallVariant::function const):
3193         (JSC::CallVariant::isClosureCall const):
3194         (JSC::CallVariant::executable const):
3195         (JSC::CallVariant::functionExecutable const):
3196         (JSC::CallVariant::nativeExecutable const):
3197         * bytecode/CodeBlock.cpp:
3198         (JSC::CodeBlock::dumpSource):
3199         (JSC::CodeBlock::CodeBlock):
3200         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3201         (JSC::CodeBlock::setNumParameters):
3202         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
3203         (JSC::CodeBlock::unlinkIncomingCalls):
3204         (JSC::CodeBlock::replacement):
3205         (JSC::CodeBlock::computeCapabilityLevel):
3206         (JSC::CodeBlock::noticeIncomingCall):
3207         (JSC::CodeBlock::nameForRegister):
3208         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3209         * bytecode/CodeBlock.h:
3210         (JSC::CodeBlock::vm const):
3211         (JSC::CodeBlock::numberOfArgumentValueProfiles):
3212         (JSC::CodeBlock::valueProfileForArgument):
3213         * bytecode/DeferredSourceDump.cpp:
3214         (JSC::DeferredSourceDump::DeferredSourceDump):
3215         * bytecode/EvalCodeBlock.h:
3216         * bytecode/FunctionCodeBlock.h:
3217         * bytecode/GetByIdStatus.cpp:
3218         (JSC::GetByIdStatus::computeFromLLInt):
3219         * bytecode/GlobalCodeBlock.h:
3220         (JSC::GlobalCodeBlock::GlobalCodeBlock):
3221         * bytecode/ModuleProgramCodeBlock.h:
3222         * bytecode/ObjectAllocationProfileInlines.h:
3223         (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
3224         * bytecode/PolyProtoAccessChain.cpp:
3225         (JSC::PolyProtoAccessChain::create):
3226         * bytecode/ProgramCodeBlock.h:
3227         * bytecode/PropertyCondition.cpp:
3228         (JSC::PropertyCondition::isWatchableWhenValid const):
3229         * bytecode/PutByIdStatus.cpp:
3230         (JSC::PutByIdStatus::computeFromLLInt):
3231         * bytecode/StructureStubInfo.cpp:
3232         (JSC::StructureStubInfo::initGetByIdSelf):
3233         (JSC::StructureStubInfo::initPutByIdReplace):
3234         (JSC::StructureStubInfo::initInByIdSelf):
3235         (JSC::StructureStubInfo::addAccessCase):
3236         (JSC::StructureStubInfo::visitWeakReferences):
3237         * bytecode/UnlinkedCodeBlock.cpp:
3238         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3239         * bytecode/UnlinkedCodeBlock.h:
3240         (JSC::UnlinkedCodeBlock::addSetConstant):
3241         (JSC::UnlinkedCodeBlock::addConstant):
3242         (JSC::UnlinkedCodeBlock::addFunctionDecl):
3243         (JSC::UnlinkedCodeBlock::addFunctionExpr):
3244         * bytecode/UnlinkedEvalCodeBlock.h:
3245         * bytecode/UnlinkedFunctionCodeBlock.h:
3246         * bytecode/UnlinkedFunctionExecutable.cpp:
3247         (JSC::generateUnlinkedFunctionCodeBlock):
3248         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
3249         * bytecode/UnlinkedFunctionExecutable.h:
3250         * bytecode/UnlinkedGlobalCodeBlock.h:
3251         (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
3252         * bytecode/UnlinkedModuleProgramCodeBlock.h:
3253         * bytecode/UnlinkedProgramCodeBlock.h:
3254         * bytecompiler/BytecodeGenerator.cpp:
3255         (JSC::BytecodeGenerator::BytecodeGenerator):
3256         (JSC::BytecodeGenerator::pushLexicalScopeInternal):
3257         (JSC::BytecodeGenerator::emitDirectPutById):
3258         (JSC::BytecodeGenerator::getVariablesUnderTDZ):
3259         (JSC::BytecodeGenerator::addBigIntConstant):
3260         (JSC::BytecodeGenerator::addTemplateObjectConstant):
3261         (JSC::BytecodeGenerator::emitNewDefaultConstructor):
3262         (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
3263         * bytecompiler/BytecodeGenerator.h:
3264         (JSC::BytecodeGenerator::vm const):
3265         (JSC::BytecodeGenerator::propertyNames const):
3266         (JSC::BytecodeGenerator::emitNodeInTailPosition):
3267         (JSC::BytecodeGenerator::emitDefineClassElements):
3268         (JSC::BytecodeGenerator::emitNodeInConditionContext):
3269         * bytecompiler/NodesCodegen.cpp:
3270         (JSC::RegExpNode::emitBytecode):
3271         (JSC::ArrayNode::emitBytecode):
3272         (JSC::FunctionCallResolveNode::emitBytecode):
3273         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
3274         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
3275         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
3276         (JSC::InstanceOfNode::emitBytecode):
3277         * debugger/Debugger.cpp:
3278         * debugger/DebuggerParseData.cpp:
3279         (JSC::gatherDebuggerParseData):
3280         * debugger/DebuggerScope.cpp:
3281         (JSC::DebuggerScope::next):
3282         (JSC::DebuggerScope::name const):
3283         (JSC::DebuggerScope::location const):
3284         * dfg/DFGDesiredIdentifiers.cpp:
3285         (JSC::DFG::DesiredIdentifiers::reallyAdd):
3286         * dfg/DFGDesiredWatchpoints.cpp:
3287         (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
3288         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
3289         * dfg/DFGFrozenValue.h:
3290         (JSC::DFG::FrozenValue::FrozenValue):
3291         * dfg/DFGGraph.cpp:
3292         (JSC::DFG::Graph::canOptimizeStringObjectAccess):
3293         * dfg/DFGJITCompiler.cpp:
3294         (JSC::DFG::JITCompiler::linkOSRExits):
3295         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3296         (JSC::DFG::JITCompiler::link):
3297         (JSC::DFG::emitStackOverflowCheck):
3298         (JSC::DFG::JITCompiler::compileFunction):
3299         (JSC::DFG::JITCompiler::exceptionCheck):
3300         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
3301         * dfg/DFGJITCompiler.h:
3302         (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
3303         (JSC::DFG::JITCompiler::fastExceptionCheck):
3304         (JSC::DFG::JITCompiler::vm):
3305         * dfg/DFGLazyJSValue.cpp:
3306         (JSC::DFG::LazyJSValue::getValue const):
3307         (JSC::DFG::LazyJSValue::emit const):
3308         * dfg/DFGOSREntry.cpp:
3309         (JSC::DFG::prepareOSREntry):
3310         * dfg/DFGOSRExit.cpp:
3311         (JSC::DFG::OSRExit::compileOSRExit):
3312         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
3313         * dfg/DFGOSRExitCompilerCommon.h:
3314         (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
3315         * dfg/DFGOperations.cpp:
3316         (JSC::DFG::newTypedArrayWithSize):
3317         (JSC::DFG::binaryOp):
3318         (JSC::DFG::bitwiseBinaryOp):
3319         * dfg/DFGPlan.cpp:
3320         (JSC::DFG::Plan::Plan):
3321         * dfg/DFGSpeculativeJIT.cpp:
3322         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3323         (JSC::DFG::SpeculativeJIT::compileStringSlice):
3324         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3325         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
3326         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3327         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
3328         (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
3329         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
3330         (JSC::DFG::SpeculativeJIT::emitStringBranch):
3331         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
3332         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3333         (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
3334         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
3335         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
3336         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
3337         (JSC::DFG::SpeculativeJIT::compileSpread):
3338         (JSC::DFG::SpeculativeJIT::compileNewArray):
3339         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3340         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3341         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3342         (JSC::DFG::SpeculativeJIT::compileTypeOf):
3343         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3344         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3345         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
3346         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3347         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3348         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3349         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
3350         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
3351         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3352         (JSC::DFG::SpeculativeJIT::compileStringReplace):
3353         (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
3354         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3355         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
3356         (JSC::DFG::SpeculativeJIT::compileObjectKeys):
3357         (JSC::DFG::SpeculativeJIT::compileCreateThis):
3358         (JSC::DFG::SpeculativeJIT::compileNewObject):
3359         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
3360         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
3361         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3362         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
3363         (JSC::DFG::SpeculativeJIT::compileProfileType):
3364         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3365         * dfg/DFGSpeculativeJIT.h:
3366         (JSC::DFG::SpeculativeJIT::vm):
3367         (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
3368         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
3369         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
3370         (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
3371         (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
3372         * dfg/DFGSpeculativeJIT32_64.cpp:
3373         (JSC::DFG::SpeculativeJIT::emitCall):
3374         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3375         (JSC::DFG::SpeculativeJIT::emitBranch):
3376         (JSC::DFG::SpeculativeJIT::compile):
3377         * dfg/DFGSpeculativeJIT64.cpp:
3378         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
3379         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
3380         (JSC::DFG::SpeculativeJIT::emitCall):
3381         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
3382         (JSC::DFG::SpeculativeJIT::compileLogicalNot):
3383         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
3384         (JSC::DFG::SpeculativeJIT::emitBranch):
3385         (JSC::DFG::SpeculativeJIT::compile):
3386         * dfg/DFGThunks.cpp:
3387         (JSC::DFG::osrExitThunkGenerator):
3388         (JSC::DFG::osrExitGenerationThunkGenerator):
3389         (JSC::DFG::osrEntryThunkGenerator):
3390         * dfg/DFGThunks.h:
3391         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
3392         (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
3393         * dfg/DFGWorklist.cpp:
3394         (JSC::DFG::Worklist::visitWeakReferences):
3395         * dynbench.cpp:
3396         (main):
3397         * ftl/FTLLowerDFGToB3.cpp:
3398         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3399         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3400         (JSC::FTL::DFG::LowerDFGToB3::boolify):
3401         * ftl/FTLThunks.cpp:
3402         (JSC::FTL::genericGenerationThunkGenerator):
3403         (JSC::FTL::osrExitGenerationThunkGenerator):
3404         (JSC::FTL::lazySlowPathGenerationThunkGenerator):
3405         * ftl/FTLThunks.h:
3406         * heap/CellContainer.h:
3407         * heap/CellContainerInlines.h:
3408         (JSC::CellContainer::vm const):
3409         (JSC::CellContainer::heap const):
3410         * heap/CompleteSubspace.cpp:
3411         (JSC::CompleteSubspace::tryAllocateSlow):
3412         (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
3413         * heap/GCActivityCallback.h:
3414         * heap/GCAssertions.h:
3415         * heap/HandleSet.cpp:
3416         (JSC::HandleSet::HandleSet):
3417         * heap/HandleSet.h:
3418         (JSC::HandleSet::vm):
3419         * heap/Heap.cpp:
3420         (JSC::Heap::Heap):
3421         (JSC::Heap::lastChanceToFinalize):
3422         (JSC::Heap::releaseDelayedReleasedObjects):
3423         (JSC::Heap::protect):
3424         (JSC::Heap::unprotect):
3425         (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
3426         (JSC::Heap::finalizeUnconditionalFinalizers):
3427         (JSC::Heap::completeAllJITPlans):
3428         (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
3429         (JSC::Heap::gatherJSStackRoots):
3430         (JSC::Heap::gatherScratchBufferRoots):
3431         (JSC::Heap::removeDeadCompilerWorklistEntries):
3432         (JSC::Heap::isAnalyzingHeap const):
3433         (JSC::Heap::gatherExtraHeapData):
3434         (JSC::Heap::protectedObjectTypeCounts):
3435         (JSC::Heap::objectTypeCounts):
3436         (JSC::Heap::deleteAllCodeBlocks):
3437         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
3438         (JSC::Heap::deleteUnmarkedCompiledCode):
3439         (JSC::Heap::checkConn):
3440         (JSC::Heap::runEndPhase):
3441         (JSC::Heap::stopThePeriphery):
3442         (JSC::Heap::finalize):
3443         (JSC::Heap::requestCollection):
3444         (JSC::Heap::sweepInFinalize):
3445         (JSC::Heap::sweepArrayBuffers):
3446         (JSC::Heap::deleteSourceProviderCaches):
3447         (JSC::Heap::didFinishCollection):
3448         (JSC::Heap::addCoreConstraints):
3449         * heap/Heap.h:
3450         * heap/HeapCell.h:
3451         * heap/HeapCellInlines.h:
3452         (JSC::HeapCell::heap const):
3453         (JSC::HeapCell::vm const):
3454         * heap/HeapInlines.h:
3455         (JSC::Heap::vm const):
3456         * heap/IsoSubspacePerVM.cpp:
3457         (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
3458         * heap/LargeAllocation.cpp:
3459         (JSC::LargeAllocation::sweep):
3460         (JSC::LargeAllocation::assertValidCell const):
3461         * heap/LargeAllocation.h:
3462         (JSC::LargeAllocation::vm const):
3463         * heap/LocalAllocator.cpp:
3464         (JSC::LocalAllocator::allocateSlowCase):
3465         * heap/MarkedBlock.cpp:
3466         (JSC::MarkedBlock::Handle::Handle):
3467         (JSC::MarkedBlock::aboutToMarkSlow):
3468         (JSC::MarkedBlock::assertMarksNotStale):
3469         (JSC::MarkedBlock::areMarksStale):
3470         (JSC::MarkedBlock::isMarked):
3471         (JSC::MarkedBlock::assertValidCell const):
3472         * heap/MarkedBlock.h:
3473         (JSC::MarkedBlock::Handle::vm const):
3474         (JSC::MarkedBlock::vm const):
3475         * heap/MarkedBlockInlines.h:
3476         (JSC::MarkedBlock::heap const):
3477         (JSC::MarkedBlock::Handle::specializedSweep):
3478         * heap/SlotVisitor.cpp:
3479         (JSC::validate):
3480         * heap/SlotVisitorInlines.h:
3481         (JSC::SlotVisitor::vm):
3482         (JSC::SlotVisitor::vm const):
3483         * heap/StopIfNecessaryTimer.cpp:
3484         (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
3485         * heap/StopIfNecessaryTimer.h:
3486         * heap/Strong.h:
3487         (JSC::Strong::operator=):
3488         * heap/WeakSet.h:
3489         (JSC::WeakSet::WeakSet):
3490         (JSC::WeakSet::vm const):
3491         * inspector/JSInjectedScriptHost.cpp:
3492         (Inspector::JSInjectedScriptHost::savedResultAlias const):
3493         (Inspector::JSInjectedScriptHost::internalConstructorName):
3494         (Inspector::JSInjectedScriptHost::subtype):
3495         (Inspector::JSInjectedScriptHost::functionDetails):
3496         (Inspector::constructInternalProperty):
3497         (Inspector::JSInjectedScriptHost::getInternalProperties):
3498         (Inspector::JSInjectedScriptHost::weakMapEntries):
3499         (Inspector::JSInjectedScriptHost::weakSetEntries):
3500         (Inspector::JSInjectedScriptHost::iteratorEntries):
3501         (Inspector::JSInjectedScriptHost::queryInstances):
3502         (Inspector::JSInjectedScriptHost::queryHolders):
3503         * inspector/JSJavaScriptCallFrame.cpp:
3504         (Inspector::valueForScopeLocation):
3505         (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
3506         (Inspector::JSJavaScriptCallFrame::functionName const):
3507         (Inspector::JSJavaScriptCallFrame::type const):
3508         * inspector/ScriptCallStackFactory.cpp:
3509         (Inspector::extractSourceInformationFromException):
3510         * inspector/agents/InspectorAuditAgent.cpp:
3511         (Inspector::InspectorAuditAgent::populateAuditObject):
3512         * inspector/agents/InspectorHeapAgent.cpp:
3513         (Inspector::InspectorHeapAgent::gc):
3514         * interpreter/FrameTracers.h:
3515         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3516         * interpreter/Interpreter.cpp:
3517         (JSC::Interpreter::executeProgram):
3518         (JSC::Interpreter::prepareForRepeatCall):
3519         (JSC::Interpreter::execute):
3520         (JSC::Interpreter::executeModuleProgram):
3521         * interpreter/StackVisitor.cpp:
3522         (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
3523         (JSC::StackVisitor::Frame::computeLineAndColumn const):
3524         * jit/AssemblyHelpers.cpp:
3525         (JSC::AssemblyHelpers::emitDumbVirtualCall):
3526         (JSC::AssemblyHelpers::emitConvertValueToBoolean):
3527         (JSC::AssemblyHelpers::branchIfValue):
3528         * jit/AssemblyHelpers.h:
3529         (JSC::AssemblyHelpers::vm):
3530         * jit/JIT.cpp:
3531         (JSC::JIT::JIT):
3532         (JSC::JIT::emitEnterOptimizationCheck):
3533         (JSC::JIT::privateCompileMainPass):
3534         (JSC::JIT::privateCompileExceptionHandlers):
3535         * jit/JIT.h:
3536         * jit/JITCall.cpp:
3537         (JSC::JIT::compileCallEvalSlowCase):
3538         * jit/JITCall32_64.cpp:
3539         (JSC::JIT::compileCallEvalSlowCase):
3540         * jit/JITExceptions.cpp:
3541         (JSC::genericUnwind):
3542         * jit/JITExceptions.h:
3543         * jit/JITInlineCacheGenerator.cpp:
3544         (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
3545         * jit/JITOpcodes.cpp:
3546         (JSC::JIT::emit_op_is_undefined):
3547         (JSC::JIT::emit_op_jfalse):
3548         (JSC::JIT::emit_op_jeq_null):
3549         (JSC::JIT::emit_op_jneq_null):
3550         (JSC::JIT::emit_op_jtrue):
3551         (JSC::JIT::emit_op_throw):
3552         (JSC::JIT::emit_op_catch):
3553         (JSC::JIT::emit_op_eq_null):
3554         (JSC::JIT::emit_op_neq_null):
3555         (JSC::JIT::emitSlow_op_loop_hint):
3556         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3557         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3558         * jit/JITOpcodes32_64.cpp:
3559         (JSC::JIT::emit_op_jfalse):
3560         (JSC::JIT::emit_op_jtrue):
3561         (JSC::JIT::emit_op_throw):
3562         (JSC::JIT::emit_op_catch):
3563         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3564         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3565         * jit/JITOperations.cpp:
3566         (JSC::operationNewFunctionCommon):
3567         (JSC::tryGetByValOptimize):
3568         * jit/JITPropertyAccess.cpp:
3569         (JSC::JIT::emitWriteBarrier):
3570         * jit/JITThunks.cpp:
3571         (JSC::JITThunks::ctiNativeCall):
3572         (JSC::JITThunks::ctiNativeConstruct):
3573         (JSC::JITThunks::ctiNativeTailCall):
3574         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
3575         (JSC::JITThunks::ctiInternalFunctionCall):
3576         (JSC::JITThunks::ctiInternalFunctionConstruct):
3577         (JSC::JITThunks::ctiStub):
3578         (JSC::JITThunks::hostFunctionStub):
3579         * jit/JITThunks.h:
3580         * jit/JITWorklist.cpp:
3581         (JSC::JITWorklist::Plan::vm):
3582         (JSC::JITWorklist::completeAllForVM):
3583         (JSC::JITWorklist::poll):
3584         (JSC::JITWorklist::compileLater):
3585         (JSC::JITWorklist::compileNow):
3586         * jit/Repatch.cpp:
3587         (JSC::readPutICCallTarget):
3588         (JSC::ftlThunkAwareRepatchCall):
3589         (JSC::linkSlowFor):
3590         (JSC::linkFor):
3591         (JSC::linkDirectFor):
3592         (JSC::revertCall):
3593         (JSC::unlinkFor):
3594         (JSC::linkVirtualFor):
3595         (JSC::linkPolymorphicCall):
3596         * jit/SpecializedThunkJIT.h:
3597         (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
3598         * jit/ThunkGenerator.h:
3599         * jit/ThunkGenerators.cpp:
3600         (JSC::throwExceptionFromCallSlowPathGenerator):
3601         (JSC::slowPathFor):
3602         (JSC::linkCallThunkGenerator):
3603         (JSC::linkPolymorphicCallThunkGenerator):
3604         (JSC::virtualThunkFor):
3605         (JSC::nativeForGenerator):
3606         (JSC::nativeCallGenerator):
3607         (JSC::nativeTailCallGenerator):
3608         (JSC::nativeTailCallWithoutSavedTagsGenerator):
3609         (JSC::nativeConstructGenerator):
3610         (JSC::internalFunctionCallGenerator):
3611         (JSC::internalFunctionConstructGenerator):
3612         (JSC::arityFixupGenerator):
3613         (JSC::unreachableGenerator):
3614         (JSC::stringGetByValGenerator):
3615         (JSC::charToString):
3616         (JSC::charCodeAtThunkGenerator):
3617         (JSC::charAtThunkGenerator):
3618         (JSC::fromCharCodeThunkGenerator):
3619         (JSC::clz32ThunkGenerator):
3620         (JSC::sqrtThunkGenerator):
3621         (JSC::floorThunkGenerator):
3622         (JSC::ceilThunkGenerator):
3623         (JSC::truncThunkGenerator):
3624         (JSC::roundThunkGenerator):
3625         (JSC::expThunkGenerator):
3626         (JSC::logThunkGenerator):
3627         (JSC::absThunkGenerator):
3628         (JSC::imulThunkGenerator):
3629         (JSC::randomThunkGenerator):
3630         (JSC::boundThisNoArgsFunctionCallGenerator):
3631         * jit/ThunkGenerators.h:
3632         * jsc.cpp:
3633         (GlobalObject::finishCreation):
3634         (GlobalObject::addFunction):
3635         (GlobalObject::moduleLoaderImportModule):
3636         (GlobalObject::moduleLoaderResolve):
3637         (GlobalObject::moduleLoaderCreateImportMetaProperties):
3638         (functionDescribe):
3639         (functionDescribeArray):
3640         (JSCMemoryFootprint::addProperty):
3641         (functionRun):
3642         (functionRunString):
3643         (functionReadFile):
3644         (functionCallerSourceOrigin):
3645         (functionReadline):
3646         (functionDollarCreateRealm):
3647         (functionDollarEvalScript):
3648         (functionDollarAgentGetReport):
3649         (functionWaitForReport):
3650         (functionJSCOptions):
3651         (functionCheckModuleSyntax):
3652         (functionGenerateHeapSnapshotForGCDebugging):
3653         (functionWebAssemblyMemoryMode):
3654         (dumpException):
3655         (checkUncaughtException):
3656         * llint/LLIntSlowPaths.cpp:
3657         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3658         (JSC::LLInt::handleHostCall):
3659         * parser/ASTBuilder.h:
3660         (JSC::ASTBuilder::ASTBuilder):
3661         (JSC::ASTBuilder::createResolve):
3662         (JSC::ASTBuilder::createGetterOrSetterProperty):
3663         (JSC::ASTBuilder::createProperty):
3664         (JSC::ASTBuilder::createFuncDeclStatement):
3665         (JSC::ASTBuilder::makeFunctionCallNode):
3666         * parser/Lexer.cpp:
3667         (JSC::Lexer<T>::Lexer):
3668         (JSC::Lexer<LChar>::parseIdentifier):
3669         (JSC::Lexer<UChar>::parseIdentifier):
3670         * parser/Lexer.h:
3671         (JSC::Lexer<T>::lexExpectIdentifier):
3672         * parser/ModuleAnalyzer.cpp:
3673         (JSC::ModuleAnalyzer::ModuleAnalyzer):
3674         * parser/ModuleAnalyzer.h:
3675         (JSC::ModuleAnalyzer::vm):
3676         * parser/Parser.cpp:
3677         (JSC::Parser<LexerType>::Parser):
3678         (JSC::Parser<LexerType>::parseInner):
3679         (JSC::Parser<LexerType>::isArrowFunctionParameters):
3680         (JSC::Parser<LexerType>::parseSourceElements):
3681         (JSC::Parser<LexerType>::parseModuleSourceElements):
3682         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
3683         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
3684         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
3685         (JSC::Parser<LexerType>::parseSingleFunction):
3686         (JSC::Parser<LexerType>::parseStatementListItem):
3687         (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
3688         (JSC::Parser<LexerType>::parseAssignmentElement):
3689         (JSC::Parser<LexerType>::parseDestructuringPattern):
3690         (JSC::Parser<LexerType>::parseForStatement):
3691         (JSC::Parser<LexerType>::parseBreakStatement):
3692         (JSC::Parser<LexerType>::parseContinueStatement):
3693         (JSC::Parser<LexerType>::parseStatement):
3694         (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
3695         (JSC::Parser<LexerType>::createGeneratorParameters):
3696         (JSC::Parser<LexerType>::parseFunctionInfo):
3697         (JSC::Parser<LexerType>::parseFunctionDeclaration):
3698         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
3699         (JSC::Parser<LexerType>::parseClassDeclaration):
3700         (JSC::Parser<LexerType>::parseClass):
3701         (JSC::Parser<LexerType>::parseImportClauseItem):
3702         (JSC::Parser<LexerType>::parseImportDeclaration):
3703         (JSC::Parser<LexerType>::parseExportSpecifier):
3704         (JSC::Parser<LexerType>::parseExportDeclaration):
3705         (JSC::Parser<LexerType>::parseAssignmentExpression):
3706         (JSC::Parser<LexerType>::parseProperty):
3707         (JSC::Parser<LexerType>::parseGetterSetter):
3708         (JSC::Parser<LexerType>::parseObjectLiteral):
3709         (JSC::Parser<LexerType>::parseStrictObjectLiteral):
3710         (JSC::Parser<LexerType>::parseClassExpression):
3711         (JSC::Parser<LexerType>::parseFunctionExpression):
3712         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
3713         (JSC::Parser<LexerType>::parsePrimaryExpression):
3714         (JSC::Parser<LexerType>::parseMemberExpression):
3715         (JSC::Parser<LexerType>::parseArrowFunctionExpression):
3716         (JSC::Parser<LexerType>::parseUnaryExpression):
3717         * parser/Parser.h:
3718         (JSC::isArguments):
3719         (JSC::isEval):
3720         (JSC::isEvalOrArgumentsIdentifier):
3721         (JSC::Scope::Scope):
3722         (JSC::Scope::declareParameter):
3723         (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
3724         (JSC::Scope::collectFreeVariables):
3725         (JSC::Parser::canRecurse):
3726         (JSC::parse):
3727         (JSC::parseFunctionForFunctionConstructor):
3728         * parser/ParserArena.h:
3729         (JSC::IdentifierArena::makeIdentifier):
3730         (JSC::IdentifierArena::makeEmptyIdentifier):
3731         (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
3732         (JSC::IdentifierArena::makeNumericIdentifier):
3733         * parser/SyntaxChecker.h:
3734         (JSC::SyntaxChecker::SyntaxChecker):
3735         (JSC::SyntaxChecker::createProperty):
3736         (JSC::SyntaxChecker::createGetterOrSetterProperty):
3737         * profiler/ProfilerBytecode.cpp:
3738         (JSC::Profiler::Bytecode::toJS const):
3739         * profiler/ProfilerBytecodeSequence.cpp:
3740         (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
3741         * profiler/ProfilerBytecodes.cpp:
3742         (JSC::Profiler::Bytecodes::toJS const):
3743         * profiler/ProfilerCompilation.cpp:
3744         (JSC::Profiler::Compilation::toJS const):
3745         * profiler/ProfilerCompiledBytecode.cpp:
3746         (JSC::Profiler::CompiledBytecode::toJS const):
3747         * profiler/ProfilerEvent.cpp:
3748         (JSC::Profiler::Event::toJS const):
3749         * profiler/ProfilerOSRExit.cpp:
3750         (JSC::Profiler::OSRExit::toJS const):
3751         * profiler/ProfilerOSRExitSite.cpp:
3752         (JSC::Profiler::OSRExitSite::toJS const):
3753         * profiler/ProfilerUID.cpp:
3754         (JSC::Profiler::UID::toJS const):
3755         * runtime/AbstractModuleRecord.cpp:
3756         (JSC::AbstractModuleRecord::finishCreation):
3757         (JSC::AbstractModuleRecord::hostResolveImportedModule):
3758         (JSC::AbstractModuleRecord::resolveExportImpl):
3759         (JSC::getExportedNames):
3760         (JSC::AbstractModuleRecord::getModuleNamespace):
3761         * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
3762         (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
3763         * runtime/ArrayIteratorPrototype.cpp:
3764         (JSC::ArrayIteratorPrototype::finishCreation):
3765         * runtime/ArrayPrototype.cpp:
3766         (JSC::fastJoin):
3767         (JSC::arrayProtoFuncToLocaleString):
3768         (JSC::slowJoin):
3769         (JSC::arrayProtoFuncJoin):
3770         (JSC::arrayProtoFuncPush):
3771         * runtime/AsyncFunctionPrototype.cpp:
3772         (JSC::AsyncFunctionPrototype::finishCreation):
3773         * runtime/AsyncGeneratorFunctionPrototype.cpp:
3774         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
3775         * runtime/AsyncGeneratorPrototype.cpp:
3776         (JSC::AsyncGeneratorPrototype::finishCreation):
3777         * runtime/AtomicsObject.cpp:
3778         (JSC::AtomicsObject::finishCreation):
3779         (JSC::atomicsFuncWait):
3780         (JSC::operationAtomicsAdd):
3781         (JSC::operationAtomicsAnd):
3782         (JSC::operationAtomicsCompareExchange):
3783         (JSC::operationAtomicsExchange):
3784         (JSC::operationAtomicsIsLockFree):
3785         (JSC::operationAtomicsLoad):
3786         (JSC::operationAtomicsOr):
3787         (JSC::operationAtomicsStore):
3788         (JSC::operationAtomicsSub):
3789         (JSC::operationAtomicsXor):
3790         * runtime/BigIntPrototype.cpp:
3791         (JSC::BigIntPrototype::finishCreation):
3792         (JSC::bigIntProtoFuncToString):
3793         * runtime/CachedTypes.cpp:
3794         (JSC::CachedUniquedStringImplBase::decode const):
3795         (JSC::CachedIdentifier::decode const):
3796         (JSC::CachedJSValue::decode const):
3797         * runtime/CodeCache.cpp:
3798         (JSC::CodeCacheMap::pruneSlowCase):
3799         (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
3800         * runtime/CodeCache.h:
3801         (JSC::generateUnlinkedCodeBlockImpl):
3802         * runtime/CommonIdentifiers.cpp:
3803         (JSC::CommonIdentifiers::CommonIdentifiers):
3804         * runtime/CommonIdentifiers.h:
3805         * runtime/CommonSlowPaths.cpp:
3806         (JSC::SLOW_PATH_DECL):
3807         * runtime/Completion.cpp:
3808         (JSC::checkSyntaxInternal):
3809         (JSC::checkModuleSyntax):
3810         (JSC::loadAndEvaluateModule):
3811         (JSC::loadModule):
3812         * runtime/DateConstructor.cpp:
3813         (JSC::callDate):
3814         * runtime/DatePrototype.cpp:
3815         (JSC::formatLocaleDate):
3816         (JSC::formateDateInstance):
3817         (JSC::DatePrototype::finishCreation):
3818         (JSC::dateProtoFuncToISOString):
3819         * runtime/Error.cpp:
3820         (JSC::addErrorInfo):
3821         * runtime/ErrorInstance.cpp:
3822         (JSC::appendSourceToError):
3823         (JSC::ErrorInstance::finishCreation):
3824         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
3825         * runtime/ErrorPrototype.cpp:
3826         (JSC::ErrorPrototype::finishCreation):
3827         (JSC::errorProtoFuncToString):
3828         * runtime/ExceptionHelpers.cpp:
3829         (JSC::TerminatedExecutionError::defaultValue):
3830         * runtime/FunctionPrototype.cpp:
3831         (JSC::functionProtoFuncToString):
3832         * runtime/FunctionRareData.cpp:
3833         (JSC::FunctionRareData::clear):
3834         * runtime/GeneratorFunctionPrototype.cpp:
3835         (JSC::GeneratorFunctionPrototype::finishCreation):
3836         * runtime/GeneratorPrototype.cpp:
3837         (JSC::GeneratorPrototype::finishCreation):