[DFG] DFG should handle String#toString
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2018-09-06  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2
3         [DFG] DFG should handle String#toString
4         https://bugs.webkit.org/show_bug.cgi?id=189151
5
6         Reviewed by Saam Barati.
7
8         We handle String#toString and String#valueOf in DFG by introducing StringValueOf node.
9         In the fixup phase, we attempt to lower StringValueOf to the existing ToString or Identity
10         nodes. If we fail to lower it, we have StringValueOf(UntypedUse), which may raise an error
11         if an argument is neither String nor StringObject. The error message in String#toString and
12         String#valueOf is poor, which will be handled in a separate bug[1].
13
14         It improves simple microbenchmarks by 53.4 - 67.6%.
15
16                                               baseline                  patched
17
18             string-object-to-string       21.7308+-3.3147     ^     12.9655+-0.0527        ^ definitely 1.6760x faster
19             string-object-value-of        20.1122+-0.0691     ^     13.1134+-0.2482        ^ definitely 1.5337x faster
20
21         [1]: https://bugs.webkit.org/show_bug.cgi?id=189357
22
23         * dfg/DFGAbstractInterpreterInlines.h:
24         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
25         * dfg/DFGByteCodeParser.cpp:
26         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
27         * dfg/DFGClobberize.h:
28         (JSC::DFG::clobberize):
29         * dfg/DFGDoesGC.cpp:
30         (JSC::DFG::doesGC):
31         * dfg/DFGFixupPhase.cpp:
32         (JSC::DFG::FixupPhase::fixupNode):
33         (JSC::DFG::FixupPhase::fixupStringValueOf):
34         * dfg/DFGNode.h:
35         (JSC::DFG::Node::convertToToString):
36         * dfg/DFGNodeType.h:
37         * dfg/DFGOperations.cpp:
38         * dfg/DFGOperations.h:
39         * dfg/DFGPredictionPropagationPhase.cpp:
40         * dfg/DFGSafeToExecute.h:
41         (JSC::DFG::safeToExecute):
42         * dfg/DFGSpeculativeJIT.cpp:
43         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
44         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor): Deleted.
45         * dfg/DFGSpeculativeJIT.h:
46         * dfg/DFGSpeculativeJIT32_64.cpp:
47         (JSC::DFG::SpeculativeJIT::compile):
48         * dfg/DFGSpeculativeJIT64.cpp:
49         (JSC::DFG::SpeculativeJIT::compile):
50         * ftl/FTLCapabilities.cpp:
51         (JSC::FTL::canCompile):
52         * ftl/FTLLowerDFGToB3.cpp:
53         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
54         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
55         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor): Deleted.
56
57 2018-09-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
58
59         [WebAssembly] Optimize JS to Wasm call by using pointer of Signature as SignatureIndex
60         https://bugs.webkit.org/show_bug.cgi?id=189401
61
62         Reviewed by Mark Lam.
63
64         SignatureInformation is a global repository for Signature to make Signature atomic.
65         It takes Ref<Signature>&& and generates SignatureIndex. And we get const Signature&
66         by using this SignatureIndex. However, converting SignatureIndex to const Signature&
67         always looks up a hash table. This is costly since JS to Wasm calls always use
68         Signature& to check types of arguments.
69
70         Instead of using this hash table, this patch uses a pointer of Signature as SignatureIndex.
71         This allows us to convert SignatureIndex to Signature by just casting it.
72
73         We also optimize SignatureInformation::singleton by making an accessor function inlined.
74         And we move ProtoCallFrame::init to the header since it's just setting values.
75
76         This change significantly optimizes JS to wasm calls (1e7 times) from 600ms to 320ms.
77
78         In the future, we can remove SignatureIndex by directly handling Ref<Signature>: adding
79         deref() of Signature which unregisters itself from SignatureInformation carefully. Or we can
80         make SignatureIndex uint32_t by introducing a mechanism similar to StructureID.
81
82         * JavaScriptCore.xcodeproj/project.pbxproj:
83         * Sources.txt:
84         * interpreter/ProtoCallFrame.h:
85         (JSC::ProtoCallFrame::init):
86         * wasm/WasmB3IRGenerator.cpp:
87         (JSC::Wasm::B3IRGenerator::addCallIndirect):
88         * wasm/WasmBBQPlan.cpp:
89         * wasm/WasmFormat.h:
90         (JSC::Wasm::WasmToWasmImportableFunction::offsetOfSignatureIndex):
91         * wasm/WasmFunctionParser.h:
92         * wasm/WasmModule.h:
93         * wasm/WasmOMGPlan.cpp:
94         * wasm/WasmSectionParser.cpp:
95         (JSC::Wasm::SectionParser::parseType):
96         * wasm/WasmSignature.cpp:
97         (JSC::Wasm::SignatureInformation::adopt):
98         (JSC::Wasm::SignatureInformation::tryCleanup):
99         (JSC::Wasm::SignatureInformation::singleton): Deleted.
100         (JSC::Wasm::SignatureInformation::get): Deleted.
101         * wasm/WasmSignature.h:
102         (JSC::Wasm::Signature::index const):
103         (JSC::Wasm::SignatureHash::SignatureHash):
104         (JSC::Wasm::SignatureHash::hash):
105         (JSC::Wasm::SignatureHash::isHashTableDeletedValue const):
106         (JSC::Wasm::SignatureHash::empty): Deleted.
107         (JSC::Wasm::SignatureHash::deleted): Deleted.
108         * wasm/WasmSignatureInlines.h: Renamed from Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp.
109         (JSC::Wasm::SignatureInformation::singleton):
110         (JSC::Wasm::SignatureInformation::get):
111         * wasm/js/JSToWasm.cpp:
112         * wasm/js/JSWebAssemblyModule.h:
113         * wasm/js/WasmToJS.cpp:
114         (JSC::Wasm::wasmToJS):
115         * wasm/js/WebAssemblyFunction.cpp:
116         * wasm/js/WebAssemblyModuleRecord.cpp:
117         * wasm/js/WebAssemblyWrapperFunction.cpp:
118
119 2018-09-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
120
121         [JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry
122         https://bugs.webkit.org/show_bug.cgi?id=189410
123
124         Reviewed by Mark Lam.
125
126         Put .throwStackOverflow code after the fast path in LLInt doVMEntry to
127         make doVMEntry code tight.
128
129         * llint/LLIntThunks.cpp:
130         (JSC::vmEntryToWasm): Deleted.
131         * llint/LLIntThunks.h:
132         (JSC::vmEntryToWasm):
133         * llint/LowLevelInterpreter32_64.asm:
134         * llint/LowLevelInterpreter64.asm:
135
136 2018-09-06  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
137
138         [WebAssembly] Optimize JS to Wasm call by removing Vector allocation
139         https://bugs.webkit.org/show_bug.cgi?id=189353
140
141         Reviewed by Mark Lam.
142
143         A JS to Wasm call always allocates a Vector for the arguments. This is really costly if the wasm function is small.
144         This patch adds an initial size parameter to the Vector to avoid allocations for small sized arguments.
145
146         * runtime/ArgList.h:
147         * wasm/js/WebAssemblyFunction.cpp:
148         (JSC::callWebAssemblyFunction):
149
150 2018-08-31  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
151
152         [JSC] Clean up StructureStubClearingWatchpoint
153         https://bugs.webkit.org/show_bug.cgi?id=189156
154
155         Reviewed by Saam Barati.
156
157         Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in Bag
158         in WatchpointsOnStructureStubInfo. This removes hacky linked list code for StructureStubClearingWatchpoint.
159
160         * bytecode/StructureStubClearingWatchpoint.cpp:
161         (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
162         (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted.
163         (JSC::StructureStubClearingWatchpoint::push): Deleted.
164         (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted.
165         * bytecode/StructureStubClearingWatchpoint.h:
166         (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
167
168 2018-09-06  Michael Saboff  <msaboff@apple.com>
169
170         Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
171         https://bugs.webkit.org/show_bug.cgi?id=189380
172
173         Reviewed by Saam Barati.
174
175         Account for the case where in Math.pow(NaN, y) where y could be 0.
176
177         * bytecode/SpeculatedType.cpp:
178         (JSC::typeOfDoublePow):
179
180 2018-09-06  Mark Lam  <mark.lam@apple.com>
181
182         Gardening: only visit m_cachedStructureID if it's not null.
183         https://bugs.webkit.org/show_bug.cgi?id=189124
184         <rdar://problem/43863605>
185
186         Not reviewed.
187
188         * runtime/JSPropertyNameEnumerator.cpp:
189         (JSC::JSPropertyNameEnumerator::visitChildren):
190
191 2018-09-06  Tomas Popela  <tpopela@redhat.com>
192
193         [JSC] Build broken after r234975 on s390x, ppc64le, armv7hl
194         https://bugs.webkit.org/show_bug.cgi?id=189078
195
196         Reviewed by Mark Lam.
197
198         Caused by the GCC bug - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70124.
199         Using the ternary operator instead of std::max() fixes it.
200
201         * heap/RegisterState.h:
202
203 2018-09-05  Mark Lam  <mark.lam@apple.com>
204
205         JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
206         https://bugs.webkit.org/show_bug.cgi?id=189124
207         <rdar://problem/43863605>
208
209         Reviewed by Filip Pizlo.
210
211         It is assumed that the Structure for the m_cachedStructureID will remain alive
212         while the m_cachedStructureID is in use.  This prevents the structureID from being
213         re-used for a different Structure.
214
215         * runtime/JSPropertyNameEnumerator.cpp:
216         (JSC::JSPropertyNameEnumerator::visitChildren):
217
218 2018-09-05  Ross Kirsling  <ross.kirsling@sony.com>
219
220         [ESNext] Symbol.prototype.description
221         https://bugs.webkit.org/show_bug.cgi?id=186686
222
223         Reviewed by Keith Miller.
224
225         Symbol.prototype.description was implemented in r232404, but has one small bug:
226         It should return undefined for a null symbol.
227
228         * runtime/Symbol.cpp:
229         (JSC::Symbol::description const):
230         * runtime/SymbolPrototype.cpp:
231         (JSC::symbolProtoGetterDescription):
232         Address the null symbol case.
233
234 2018-09-04  Keith Miller  <keith_miller@apple.com>
235
236         RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
237         https://bugs.webkit.org/show_bug.cgi?id=188917
238
239         Reviewed by Mark Lam.
240
241         Our allocators should be able to handle allocating a zero-sized object.
242         Zero-sized objects will be allocated into the smallest size class.
243
244         * dfg/DFGSpeculativeJIT.cpp:
245         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
246         * ftl/FTLLowerDFGToB3.cpp:
247         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
248         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
249         * heap/MarkedSpace.h:
250         (JSC::MarkedSpace::sizeClassToIndex):
251         (JSC::MarkedSpace::indexToSizeClass):
252         * jit/AssemblyHelpers.cpp:
253         (JSC::AssemblyHelpers::emitAllocateVariableSized):
254         * runtime/JSArrayBufferView.cpp:
255         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
256
257 2018-09-05  Mark Lam  <mark.lam@apple.com>
258
259         Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
260         https://bugs.webkit.org/show_bug.cgi?id=189300
261         <rdar://problem/39681779>
262
263         Reviewed by Saam Barati.
264
265         At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
266         which points to a InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The
267         DeferredSourceDump is later used to dump source even if the compilation fails.
268         This is intentional so that we can use this tool to see what source fails to
269         compile as well.
270
271         The DFG::Plan may have been destructed by then, and since the compilation failed,
272         the InlineCallFrame is also destructed.  This means DeferredSourceDump::dump()
273         may end up accessing freed memory.
274
275         DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller
276         bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue
277         by changing DeferredSourceDump to capture the caller bytecodeIndex instead.
278
279         In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
280         to be Strong references to ensure that the CodeBlocks are kept alive until they
281         can be dumped.
282
283         * bytecode/DeferredCompilationCallback.cpp:
284         (JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
285         * bytecode/DeferredSourceDump.cpp:
286         (JSC::DeferredSourceDump::DeferredSourceDump):
287         (JSC::DeferredSourceDump::dump):
288         * bytecode/DeferredSourceDump.h:
289         * dfg/DFGByteCodeParser.cpp:
290         (JSC::DFG::ByteCodeParser::parseCodeBlock):
291
292 2018-09-05  David Kilzer  <ddkilzer@apple.com>
293
294         REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project
295
296         Found using `tidy-Xcode-project-file --missing` (see Bug
297         188754).  Fix was made manually.
298
299         * JavaScriptCore.xcodeproj/project.pbxproj:
300         (dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
301         `name` and `path` values to file reference.
302
303 2018-09-05  Mark Lam  <mark.lam@apple.com>
304
305         isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode.
306         https://bugs.webkit.org/show_bug.cgi?id=189292
307         <rdar://problem/38907433>
308
309         Reviewed by Saam Barati.
310
311         Previously, isAsyncGeneratorMethodParseMode() was checking for AsyncGeneratorWrapperFunctionMode
312         instead of AsyncGeneratorWrapperMethodMode.  This patch fixes it
313         to check for AsyncGeneratorWrapperMethodMode (to match what is expected as indicated
314         in the name isAsyncGeneratorMethodParseMode).
315
316         * parser/ParserModes.h:
317         (JSC::isAsyncGeneratorMethodParseMode):
318
319 2018-09-04  Michael Saboff  <msaboff@apple.com>
320
321         Unreviewed indentations change.
322
323         * yarr/YarrJIT.cpp:
324         (JSC::Yarr::YarrGenerator::matchBackreference):
325
326 2018-09-04  Michael Saboff  <msaboff@apple.com>
327
328         JSC Build error when changing CPU type: offlineasm: No magic values found. Skipping assembly file generation
329         https://bugs.webkit.org/show_bug.cgi?id=189274
330
331         Reviewed by Saam Barati.
332
333         Put the derived file LLIntDesiredOffsets.h in an architecture specific subdirectory to make them unique.
334
335         Somehow I got this change mixed up with the change for r235636.  The changes to JavaScriptCore.xcodeproj/project.pbxproj
336         were landed there.
337
338         * JavaScriptCore.xcodeproj/project.pbxproj:
339
340 2018-09-04  Michael Saboff  <msaboff@apple.com>
341
342         YARR: JIT RegExps with back references
343         https://bugs.webkit.org/show_bug.cgi?id=180874
344
345         Reviewed by Filip Pizlo.
346
347         Implemented JIT'ed back references for all counted types.  The only type of back references
348         not handled in the JIT are 16bit matches that ignore case.  Such support would require the
349         canonicalization that is currently handled in the Yarr interpreter via a C function call.
350         The back reference processing for surrogate pairs is implemented by individually comparing
351         each surrogate ala memcmp.
352
353         Added a generated canonicalization table for the LChar (8bit) domain to process case
354         ignored back references.
355
356         Added macro assembler load16(ExtendedAddress) for indexed access to the canonicalization table.
357
358         Added a new JIT failure reason for forward references as the check to JIT expressions with
359         forward references was handled synonymously with those containing back references.
360
361         This change is only enabled for 64 bit platforms.
362
363         * assembler/MacroAssemblerARM64.h:
364         (JSC::MacroAssemblerARM64::load16):
365         * assembler/MacroAssemblerX86_64.h:
366         (JSC::MacroAssemblerX86_64::load16):
367         * runtime/RegExp.cpp:
368         (JSC::RegExp::compile):
369         (JSC::RegExp::compileMatchOnly):
370         * yarr/YarrCanonicalize.h:
371         * yarr/YarrCanonicalizeUCS2.cpp:
372         * yarr/YarrCanonicalizeUCS2.js:
373         (set characters.hex.set string_appeared_here):
374         * yarr/YarrJIT.cpp:
375         (JSC::Yarr::YarrGenerator::checkNotEnoughInput):
376         (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates):
377         (JSC::Yarr::YarrGenerator::matchBackreference):
378         (JSC::Yarr::YarrGenerator::generateBackReference):
379         (JSC::Yarr::YarrGenerator::backtrackBackReference):
380         (JSC::Yarr::YarrGenerator::generateTerm):
381         (JSC::Yarr::YarrGenerator::backtrackTerm):
382         (JSC::Yarr::YarrGenerator::compile):
383         (JSC::Yarr::dumpCompileFailure):
384         * yarr/YarrJIT.h:
385         * yarr/YarrPattern.h:
386         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
387         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
388
389 2018-09-04  Mark Lam  <mark.lam@apple.com>
390
391         Make the jsc shell print, printErr, and debug functions more robust.
392         https://bugs.webkit.org/show_bug.cgi?id=189268
393         <rdar://problem/41192690>
394
395         Reviewed by Keith Miller.
396
397         We'll now check for UTF8 conversion errors.
398
399         * jsc.cpp:
400         (cStringFromViewWithString):
401         (printInternal):
402         (functionDebug):
403
404 2018-09-04  Michael Catanzaro  <mcatanzaro@igalia.com>
405
406         [WPE][GTK] Add more unused result warnings to JSC API
407         https://bugs.webkit.org/show_bug.cgi?id=189243
408
409         Reviewed by Carlos Garcia Campos.
410
411         The jsc_context_evaluate() family of functions has a (transfer full) return value, but the
412         caller may be tempted to not inspect it if uninterested in the return value. This would be
413         an error, because it must be freed.
414
415         * API/glib/JSCContext.h:
416
417 2018-09-03  Mark Lam  <mark.lam@apple.com>
418
419         The watchdog sometimes fails to terminate a script.
420         https://bugs.webkit.org/show_bug.cgi?id=189227
421         <rdar://problem/39932857>
422
423         Reviewed by Saam Barati.
424
425         Consider the following scenario:
426
427         1. We have an infinite loop bytecode sequence as follows:
428
429             [  13] loop_hint
430             [  14] check_traps
431             [  15] jmp               -2(->13)
432
433         2. The VM tiers up from LLInt -> BaselineJIT -> DFG -> FTL.
434
435            Note that op_check_traps is represented as a CheckTraps node in the DFG and FTL.
436            When we're not using pollingTraps (JSC_usePollingTraps is false by default),
437            we emit no code for CheckTraps, but only record an InvalidationPoint there.
438
439         3. The watchdog fires, and invalidates all InvalidationPoints in the FTL CodeBlock.
440
441            InvalidationPoints OSR exits to the next instruction by design.  In this case,
442         that means the VM will resume executing at the op_jmp, which jumps to the
443            op_loop_hint opcode.  At the loop_hint, the VM discovers that the function is
444            already hot, and attempts to tier up.  It immediately discovers that a replacement
445            CodeBlock is available because we still haven't jettisoned the DFG CodeBlock
446            nor the FTL CodeBlock that was previously compiled for this function.
447
448            Note that jettisoning a CodeBlock necessarily means the VM will invalidate
449            its InvalidationPoints (if the CodeBlock is DFG/FTL).  However, the reverse
450            is not true: merely invalidating the InvalidationPoints does not necessarily
451            mean that the CodeBlock is jettisoned.
452
453            VMTraps::tryInstallTrapBreakpoints() runs from a separate thread.  Hence,
454            it is only safe for it to invalidate a CodeBlock's InvalidationPoints.  It
455            is not safe for the CodeBlock to be jettisoned from another thread.  Instead,
456            the VMTraps mechanism relies on the script thread running to an op_check_traps
457            in the baseline JIT code where it will do the necessary jettisoning of optimized
458            CodeBlocks.
459
460         Since the op_check_traps never get executed, the VM will perpetually tier up in
461         the op_loop_hint, OSR exit to the op_jmp, jump to the op_loop_hint, and repeat.
462         Consequently, the watchdog fails to terminate this script.
463
464         In this patch, we fix this by making the DFG BytecodeParser emit an InvalidationPoint
465         node directly (when the VM is not configured to use polling traps).  This ensures
466         that the check traps invalidation point will OSR exit to the op_check_traps opcode
467         in the baseline JIT.
468
469         In this patch, we also change VMTraps::tryInstallTrapBreakpoints() to use
470         CallFrame::unsafeCodeBlock() instead of CallFrame::codeBlock().  This is because
471         we don't really know if the frame is properly set up.  We're just conservatively
472         probing the stack.  ASAN does not like this probing.  Using unsafeCodeBlock() here
473         will suppress the false positive ASAN complaint.
474
475         * dfg/DFGByteCodeParser.cpp:
476         (JSC::DFG::ByteCodeParser::parseBlock):
477         * dfg/DFGClobberize.h:
478         (JSC::DFG::clobberize):
479         * dfg/DFGFixupPhase.cpp:
480         (JSC::DFG::FixupPhase::fixupNode):
481         * dfg/DFGPredictionPropagationPhase.cpp:
482         * dfg/DFGSpeculativeJIT.cpp:
483         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
484         * dfg/DFGSpeculativeJIT32_64.cpp:
485         (JSC::DFG::SpeculativeJIT::compile):
486         * dfg/DFGSpeculativeJIT64.cpp:
487         (JSC::DFG::SpeculativeJIT::compile):
488         * ftl/FTLLowerDFGToB3.cpp:
489         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
490         * runtime/VMTraps.cpp:
491         (JSC::VMTraps::tryInstallTrapBreakpoints):
492
493 2018-09-03  Mark Lam  <mark.lam@apple.com>
494
495         CallFrame::unsafeCallee() should use an ASAN suppressed Register::asanUnsafePointer().
496         https://bugs.webkit.org/show_bug.cgi?id=189247
497
498         Reviewed by Saam Barati.
499
500         * interpreter/CallFrame.h:
501         (JSC::ExecState::unsafeCallee const):
502         * interpreter/Register.h:
503         (JSC::Register::asanUnsafePointer const):
504         (JSC::Register::unsafePayload const):
505
506 2018-09-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
507
508         Implement Object.fromEntries
509         https://bugs.webkit.org/show_bug.cgi?id=188481
510
511         Reviewed by Darin Adler.
512
513         Object.fromEntries becomes stage 3[1]. This patch implements it by using builtin JS.
514
515         [1]: https://tc39.github.io/proposal-object-from-entries/
516
517         * builtins/ObjectConstructor.js:
518         (fromEntries):
519         * runtime/ObjectConstructor.cpp:
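
        As an added example (not the builtin from builtins/ObjectConstructor.js, which is not shown on this page), here is a plain JavaScript implementation of Object.fromEntries that walks the same spec steps a builtin must: reject null and undefined, fetch the iterator, require every entry to be an object, read index 0 and 1, and define an own data property on the result. Defining the property (rather than assigning it) is the security-relevant detail: a "__proto__" key becomes an own property instead of changing the result's prototype. A malformed entry closes the source iterator before the TypeError is rethrown. The name fromEntriesPolyfill and the generator used in closesIteratorOnBadEntry are my own, constructed for this demonstration.

```javascript
'use strict';

// Added example: a spec-shaped Object.fromEntries written in plain JavaScript.
// fromEntriesPolyfill is a name chosen here; it is not the JSC builtin.
function fromEntriesPolyfill(iterable) {
  // RequireObjectCoercible(iterable)
  if (iterable === null || iterable === undefined) {
    throw new TypeError('Object.fromEntries requires an iterable');
  }
  // GetIterator(iterable): @@iterator must be callable
  const method = iterable[Symbol.iterator];
  if (typeof method !== 'function') {
    throw new TypeError('argument is not iterable');
  }
  const iterator = method.call(iterable);
  const obj = {};

  for (;;) {
    const step = iterator.next();
    if (step.done) {
      return obj;
    }
    const entry = step.value;
    try {
      // Every iterator value must be an object; primitives are a TypeError.
      if (Object(entry) !== entry) {
        throw new TypeError('iterator value ' + String(entry) + ' is not an entry object');
      }
      const key = entry[0];    // Get(entry, "0")
      const value = entry[1];  // Get(entry, "1")
      // CreateDataPropertyOrThrow: an own, writable, enumerable, configurable
      // property. defineProperty applies ToPropertyKey to key and never walks
      // the prototype chain, so a "__proto__" key yields an own property
      // instead of a prototype change.
      Object.defineProperty(obj, key, {
        value: value,
        writable: true,
        enumerable: true,
        configurable: true,
      });
    } catch (e) {
      // IteratorClose with a throw completion: call return() if present, but
      // the original error wins even if return() itself throws.
      if (typeof iterator.return === 'function') {
        try { iterator.return(); } catch (_) { /* ignored by design */ }
      }
      throw e;
    }
  }
}

// Check that a malformed entry both throws and closes the source iterator.
// The generator's finally block is the observable "closed" signal.
function closesIteratorOnBadEntry() {
  let closed = false;
  function* entries() {
    try {
      yield ['ok', 1];
      yield 'bad';          // not an object: must raise TypeError
      yield ['never', 2];   // must not be reached
    } finally {
      closed = true;        // runs when fromEntriesPolyfill calls return()
    }
  }
  let errorName = null;
  try {
    fromEntriesPolyfill(entries());
  } catch (e) {
    errorName = e.constructor.name;
  }
  return { closed: closed, errorName: errorName };
}
```

        The duplicate-key case is worth knowing: later entries overwrite earlier ones, because CreateDataProperty on an existing configurable property simply redefines it.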
520
521 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
522
523         Function object should convert params to string before throw a parsing error
524         https://bugs.webkit.org/show_bug.cgi?id=188874
525
526         Reviewed by Darin Adler.
527
528         ToString operation onto the `body` of the Function constructor should be performed
529         before checking syntax correctness of the parameters.
530
531         * runtime/FunctionConstructor.cpp:
532         (JSC::constructFunctionSkippingEvalEnabledCheck):
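
        The ordering this entry describes is observable from script, because ToString on an argument object calls its toString method. The following is an added example (mine, not the patch's code) that records which Function constructor arguments are converted before the SyntaxError for the malformed parameter list "a a" is raised; the function names observedOrder and bodyConversionErrorWins and the logging objects are constructed for this demonstration. In the spec order the patch implements, every argument is converted before any parsing happens, so the log reads params, body, SyntaxError, and an exception thrown while converting the body surfaces instead of the SyntaxError; an engine with the old behaviour would stop after params.

```javascript
'use strict';

// Added example: observe the argument-conversion order of the Function
// constructor. Each argument logs when its toString is invoked.
function observedOrder() {
  const log = [];
  const params = {
    toString() { log.push('params'); return 'a a'; },   // not a valid parameter list
  };
  const body = {
    toString() { log.push('body'); return 'return 1;'; },
  };
  try {
    new Function(params, body);
  } catch (e) {
    log.push(e.constructor.name);   // 'SyntaxError' from the bad parameter list
  }
  return log;
}

// A body whose ToString throws must surface that exception, because the
// conversion runs before the parameter syntax check.
function bodyConversionErrorWins() {
  const params = { toString() { return 'a a'; } };
  const body = { toString() { throw new RangeError('body conversion failed'); } };
  try {
    new Function(params, body);
    return 'no error';
  } catch (e) {
    return e.constructor.name;   // 'RangeError', not 'SyntaxError'
  }
}
```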
533
534 2018-08-31  Mark Lam  <mark.lam@apple.com>
535
536         Fix exception check accounting in constructJSWebAssemblyCompileError().
537         https://bugs.webkit.org/show_bug.cgi?id=189185
538         <rdar://problem/39786007>
539
540         Reviewed by Michael Saboff.
541
542         Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
543         inadvertently overwrite a pre-existing exception (if present).
544
545         * wasm/js/JSWebAssemblyModule.cpp:
546         (JSC::JSWebAssemblyModule::createStub):
547         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
548         (JSC::constructJSWebAssemblyCompileError):
549
550 2018-08-31  Mark Lam  <mark.lam@apple.com>
551
552         Gardening: ARMv7 build fix.
553         https://bugs.webkit.org/show_bug.cgi?id=158911
554
555         Not reviewed.
556
557         * assembler/MacroAssemblerARMv7.h:
558         (JSC::MacroAssemblerARMv7::patchableBranch8):
559
560 2018-08-31  Mark Lam  <mark.lam@apple.com>
561
562         Fix exception check accounting in JSDataView::defineOwnProperty().
563         https://bugs.webkit.org/show_bug.cgi?id=189186
564         <rdar://problem/39786049>
565
566         Reviewed by Michael Saboff.
567
568         * runtime/JSDataView.cpp:
569         (JSC::JSDataView::defineOwnProperty):
570
571 2018-08-31  Mark Lam  <mark.lam@apple.com>
572
573         Add missing exception check in arrayProtoFuncLastIndexOf().
574         https://bugs.webkit.org/show_bug.cgi?id=189184
575         <rdar://problem/39785959>
576
577         Reviewed by Yusuke Suzuki.
578
579         * runtime/ArrayPrototype.cpp:
580         (JSC::arrayProtoFuncLastIndexOf):
581
582 2018-08-31  Saam barati  <sbarati@apple.com>
583
584         convertToRegExpMatchFastGlobal must use KnownString as the child use kind
585         https://bugs.webkit.org/show_bug.cgi?id=189173
586         <rdar://problem/43501645>
587
588         Reviewed by Michael Saboff.
589
590         We were crashing during validation because mayExit returned true
591         at a point in the program when we weren't allowed to exit.
592
593         The issue is in StrengthReduction: we end up emitting code that
594         had a StringUse on an edge after a node that did side effects and before
595         an ExitOK/bytecode number transition. However, StrengthReduction did the
596         right thing here and also emitted the type checks before the node with
597         side effects. It just did bad bookkeeping. The node we convert to needs
598         to use KnownStringUse instead of StringUse for the child edge.
599
600         * dfg/DFGNode.cpp:
601         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
602         (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
603         (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
604         (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
605         * dfg/DFGNode.h:
606         * dfg/DFGStrengthReductionPhase.cpp:
607         (JSC::DFG::StrengthReductionPhase::handleNode):
608
609 2018-08-30  Saam barati  <sbarati@apple.com>
610
611         Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
612         https://bugs.webkit.org/show_bug.cgi?id=189166
613
614         Reviewed by Mark Lam.
615
616         * bytecode/AccessCase.cpp:
617         (JSC::AccessCase::generateImpl):
618         * bytecode/GetterSetterAccessCase.cpp:
619         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
620         * bytecode/InlineAccess.cpp:
621         (JSC::getScratchRegister):
622         * bytecode/PolymorphicAccess.cpp:
623         (JSC::PolymorphicAccess::regenerate):
624         * bytecode/StructureStubInfo.h:
625         (JSC::StructureStubInfo::valueRegs const):
626         * jit/JITInlineCacheGenerator.cpp:
627         (JSC::JITByIdGenerator::JITByIdGenerator):
628         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
629         (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
630
631 2018-08-30  Saam barati  <sbarati@apple.com>
632
633         InlineAccess should do StringLength
634         https://bugs.webkit.org/show_bug.cgi?id=158911
635
636         Reviewed by Yusuke Suzuki.
637
638         This patch extends InlineAccess to support StringLength. This patch also
639         fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
640         I forgot to implement this for ArrayLength in the initial InlineAccess
641         implementation.  Supporting StringLength is a natural extension of the
642         InlineAccess machinery.
643
644         * assembler/MacroAssembler.h:
645         (JSC::MacroAssembler::patchableBranch8):
646         * assembler/MacroAssemblerARM64.h:
647         (JSC::MacroAssemblerARM64::patchableBranch8):
648         * bytecode/AccessCase.cpp:
649         (JSC::AccessCase::fromStructureStubInfo):
650         * bytecode/BytecodeDumper.cpp:
651         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
652         * bytecode/InlineAccess.cpp:
653         (JSC::InlineAccess::dumpCacheSizesAndCrash):
654         (JSC::InlineAccess::generateSelfPropertyAccess):
655         (JSC::getScratchRegister):
656         (JSC::InlineAccess::generateSelfPropertyReplace):
657         (JSC::InlineAccess::generateArrayLength):
658         (JSC::InlineAccess::generateSelfInAccess):
659         (JSC::InlineAccess::generateStringLength):
660         * bytecode/InlineAccess.h:
661         * bytecode/PolymorphicAccess.cpp:
662         (JSC::PolymorphicAccess::regenerate):
663         * bytecode/StructureStubInfo.cpp:
664         (JSC::StructureStubInfo::initStringLength):
665         (JSC::StructureStubInfo::deref):
666         (JSC::StructureStubInfo::aboutToDie):
667         (JSC::StructureStubInfo::propagateTransitions):
668         * bytecode/StructureStubInfo.h:
669         (JSC::StructureStubInfo::baseGPR const):
670         * jit/Repatch.cpp:
671         (JSC::tryCacheGetByID):
672
673 2018-08-30  Saam barati  <sbarati@apple.com>
674
675         CSE DataViewGet* DFG nodes
676         https://bugs.webkit.org/show_bug.cgi?id=188768
677
678         Reviewed by Yusuke Suzuki.
679
680         This patch makes it so that we CSE DataViewGet* accesses. To do this,
681         I needed to add a third descriptor to HeapLocation to represent the
682         isLittleEndian child. This patch is neutral on compile time benchmarks,
683         and is a 50% speedup on a trivial CSE microbenchmark that I added.
684
685         * dfg/DFGClobberize.h:
686         (JSC::DFG::clobberize):
687         * dfg/DFGFixupPhase.cpp:
688         (JSC::DFG::FixupPhase::fixupNode):
689         * dfg/DFGHeapLocation.cpp:
690         (WTF::printInternal):
691         * dfg/DFGHeapLocation.h:
692         (JSC::DFG::HeapLocation::HeapLocation):
693         (JSC::DFG::HeapLocation::hash const):
694         (JSC::DFG::HeapLocation::operator== const):
695         (JSC::DFG::indexedPropertyLocForResultType):
696
697 2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
698
699         output of toString() of Generator is wrong
700         https://bugs.webkit.org/show_bug.cgi?id=188952
701
702         Reviewed by Saam Barati.
703
704         Function#toString does not respect generator and async generator.
705         This patch fixes them and supports all the function types.
706
707         * runtime/FunctionPrototype.cpp:
708         (JSC::functionProtoFuncToString):
709
710 2018-08-29  Mark Lam  <mark.lam@apple.com>
711
712         Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
713         https://bugs.webkit.org/show_bug.cgi?id=189132
714         <rdar://problem/42513068>
715
716         Reviewed by Saam Barati.
717
718         * runtime/JSCJSValueInlines.h:
719         (JSC::JSValue::toPropertyKey const):
720         * runtime/JSString.cpp:
721         (JSC::JSRopeString::resolveRopeToAtomicString const):
722
723 2018-08-29  Commit Queue  <commit-queue@webkit.org>
724
725         Unreviewed, rolling out r235432 and r235436.
726         https://bugs.webkit.org/show_bug.cgi?id=189086
727
728         Is a Swift source breaking change. (Requested by keith_miller
729         on #webkit).
730
731         Reverted changesets:
732
733         "Add nullability attributes to JSValue"
734         https://bugs.webkit.org/show_bug.cgi?id=189047
735         https://trac.webkit.org/changeset/235432
736
737         "Add nullability attributes to JSValue"
738         https://bugs.webkit.org/show_bug.cgi?id=189047
739         https://trac.webkit.org/changeset/235436
740
741 2018-08-28  Mark Lam  <mark.lam@apple.com>
742
743         Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
744         https://bugs.webkit.org/show_bug.cgi?id=189059
745         <rdar://problem/40335354>
746
747         Reviewed by Saam Barati.
748
749         1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
750         2. Added $vm.dumpRegisters().
751
752             Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
753             Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.
754
755            Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
756            It will treat inlined frames' content as registers in the bounding physical frame.
757
758            Here's an example of such a dump on a DFG frame:
759
760                 Register frame: 
761
762                 -----------------------------------------------------------------------------
763                             use            |   address  |                value               
764                 -----------------------------------------------------------------------------
765                 [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
766                 [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
767                 [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
768                 [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
769                 [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
770                 [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
771                 [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
772                 [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, 
encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
773                 -----------------------------------------------------------------------------
774                 [ArgumentCount]            | 0x7ffeefbfd2f0 | 7 
775                 [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
776                 [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
777                 [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
778                 [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c 
779                 [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380 
780                 -----------------------------------------------------------------------------
781                 [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
782                 [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
783                 [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608        
784                 [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
785                 [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
786                 [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
787                 -----------------------------------------------------------------------------
788                 [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
789                 [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
790                 [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
791                 [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
792                 [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
793                 [r-12]                     | 0x7ffeefbfd270 | 0x100000001        
794                 [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
795                 [r-14]                     | 0x7ffeefbfd260 | 0x0                
796                 [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c        
797                 [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0     
798                 [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
799                 [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250     
800                 -----------------------------------------------------------------------------
801
802         3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
803            we can use in its place:
804
805             $vm.dumpCallFrame()
806             $vm.dumpBytecodeFor()
807             $vm.dumpRegisters()     // Just added in this patch.
808
809         4. Also fixed a bug in BytecodeDumper: it should only access
810            CallLinkInfo::haveLastSeenCallee() if CallLinkInfo::isDirect() is false.
811
812         * bytecode/BytecodeDumper.cpp:
813         (JSC::BytecodeDumper<Block>::printCallOp):
814         * interpreter/Interpreter.cpp:
815         (JSC::Interpreter::dumpCallFrame): Deleted.
816         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
817         (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
818         (JSC::Interpreter::dumpRegisters): Deleted.
819         * interpreter/Interpreter.h:
820         * jsc.cpp:
821         (GlobalObject::finishCreation):
822         (functionDumpCallFrame): Deleted.
823         * tools/JSDollarVM.cpp:
824         (JSC::functionDumpRegisters):
825         (JSC::JSDollarVM::finishCreation):
826         * tools/VMInspector.cpp:
827         (JSC::VMInspector::dumpRegisters):
828         * tools/VMInspector.h:
829
830 2018-08-28  Keith Miller  <keith_miller@apple.com>
831
832         Add nullability attributes to JSValue
833         https://bugs.webkit.org/show_bug.cgi?id=189047
834
835         Reviewed by Dan Bernstein.
836
837         Switch to using NS_ASSUME_NONNULL_BEGIN/END.
838
839         * API/JSValue.h:
840
841 2018-08-28  Keith Miller  <keith_miller@apple.com>
842
843         Add nullability attributes to JSValue
844         https://bugs.webkit.org/show_bug.cgi?id=189047
845
846         Reviewed by Geoffrey Garen.
847
848         * API/JSValue.h:
849
850 2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
851
852         [WebAssembly] Parse wasm modules in a streaming fashion
853         https://bugs.webkit.org/show_bug.cgi?id=188943
854
855         Reviewed by Mark Lam.
856
857         This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
858         Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
859         we start integrating it into BBQPlan and dropping the old ModuleParser.
860
861         * JavaScriptCore.xcodeproj/project.pbxproj:
862         * Sources.txt:
863         * tools/JSDollarVM.cpp:
864         (WTF::WasmStreamingParser::WasmStreamingParser):
865         (WTF::WasmStreamingParser::create):
866         (WTF::WasmStreamingParser::createStructure):
867         (WTF::WasmStreamingParser::streamingParser):
868         (WTF::WasmStreamingParser::finishCreation):
869         (WTF::functionWasmStreamingParserAddBytes):
870         (WTF::functionWasmStreamingParserFinalize):
871         (JSC::functionCreateWasmStreamingParser):
872         (JSC::JSDollarVM::finishCreation):
873         The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test uses
874         this interface to test the streaming parser in the JSC shell.
875
876         * wasm/WasmBBQPlan.cpp:
877         (JSC::Wasm::BBQPlan::BBQPlan):
878         (JSC::Wasm::BBQPlan::parseAndValidateModule):
879         (JSC::Wasm::BBQPlan::prepare):
880         (JSC::Wasm::BBQPlan::compileFunctions):
881         (JSC::Wasm::BBQPlan::complete):
882         (JSC::Wasm::BBQPlan::work):
883         * wasm/WasmBBQPlan.h:
884         BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
885         In subsequent patches, we will remove this, and stream the data into the BBQPlan.
886
887         * wasm/WasmFormat.h:
888         * wasm/WasmModuleInformation.cpp:
889         (JSC::Wasm::ModuleInformation::ModuleInformation):
890         * wasm/WasmModuleInformation.h:
891         One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
892         since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
893         in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
894         Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
895         a function with this data can be done concurrently with StreamingParser.
896
897         (JSC::Wasm::ModuleInformation::create):
898         (JSC::Wasm::ModuleInformation::memoryCount const):
899         (JSC::Wasm::ModuleInformation::tableCount const):
900         memoryCount and tableCount should be recorded in ModuleInformation.
901
902         * wasm/WasmModuleParser.cpp:
903         (JSC::Wasm::ModuleParser::parse):
904         (JSC::Wasm::makeI32InitExpr): Deleted.
905         (JSC::Wasm::ModuleParser::parseType): Deleted.
906         (JSC::Wasm::ModuleParser::parseImport): Deleted.
907         (JSC::Wasm::ModuleParser::parseFunction): Deleted.
908         (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
909         (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
910         (JSC::Wasm::ModuleParser::parseTable): Deleted.
911         (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
912         (JSC::Wasm::ModuleParser::parseMemory): Deleted.
913         (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
914         (JSC::Wasm::ModuleParser::parseExport): Deleted.
915         (JSC::Wasm::ModuleParser::parseStart): Deleted.
916         (JSC::Wasm::ModuleParser::parseElement): Deleted.
917         (JSC::Wasm::ModuleParser::parseCode): Deleted.
918         (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
919         (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
920         (JSC::Wasm::ModuleParser::parseData): Deleted.
921         (JSC::Wasm::ModuleParser::parseCustom): Deleted.
922         Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
923         SectionParser is also used by StreamingParser.
924
925         * wasm/WasmModuleParser.h:
926         (): Deleted.
927         * wasm/WasmNameSection.h:
928         (JSC::Wasm::NameSection::NameSection):
929         (JSC::Wasm::NameSection::create):
930         (JSC::Wasm::NameSection::setHash):
931         Hash calculation is deferred since not all the source is available during streaming parsing.
932
933         * wasm/WasmNameSectionParser.cpp:
934         (JSC::Wasm::NameSectionParser::parse):
935         * wasm/WasmNameSectionParser.h:
936         Use Ref<NameSection>.
937
938         * wasm/WasmOMGPlan.cpp:
939         (JSC::Wasm::OMGPlan::work):
940         Wasm::Plan no longer has m_source since data will eventually be filled in a streaming fashion.
941         OMGPlan can get the function's data by using ModuleInformation::functions.
942
943         * wasm/WasmParser.h:
944         (JSC::Wasm::Parser::source const):
945         (JSC::Wasm::Parser::length const):
946         (JSC::Wasm::Parser::offset const):
947         (JSC::Wasm::Parser::fail const):
948         (JSC::Wasm::makeI32InitExpr):
949         * wasm/WasmPlan.cpp:
950         (JSC::Wasm::Plan::Plan):
951         Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.
952
953         * wasm/WasmPlan.h:
954         * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
955         SectionParser is extracted from ModuleParser. And it is used by both the old (currently working)
956         ModuleParser and the new StreamingParser.
957
958         (JSC::Wasm::SectionParser::parseType):
959         (JSC::Wasm::SectionParser::parseImport):
960         (JSC::Wasm::SectionParser::parseFunction):
961         (JSC::Wasm::SectionParser::parseResizableLimits):
962         (JSC::Wasm::SectionParser::parseTableHelper):
963         (JSC::Wasm::SectionParser::parseTable):
964         (JSC::Wasm::SectionParser::parseMemoryHelper):
965         (JSC::Wasm::SectionParser::parseMemory):
966         (JSC::Wasm::SectionParser::parseGlobal):
967         (JSC::Wasm::SectionParser::parseExport):
968         (JSC::Wasm::SectionParser::parseStart):
969         (JSC::Wasm::SectionParser::parseElement):
970         (JSC::Wasm::SectionParser::parseCode):
971         (JSC::Wasm::SectionParser::parseInitExpr):
972         (JSC::Wasm::SectionParser::parseGlobalType):
973         (JSC::Wasm::SectionParser::parseData):
974         (JSC::Wasm::SectionParser::parseCustom):
975         * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
976         * wasm/WasmStreamingParser.cpp: Added.
977         (JSC::Wasm::parseUInt7):
978         (JSC::Wasm::StreamingParser::fail):
979         (JSC::Wasm::StreamingParser::StreamingParser):
980         (JSC::Wasm::StreamingParser::parseModuleHeader):
981         (JSC::Wasm::StreamingParser::parseSectionID):
982         (JSC::Wasm::StreamingParser::parseSectionSize):
983         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
984         The code section in a Wasm binary is specially handled compared with the other sections since it includes
985         a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
986         streaming validation / compilation of Wasm functions.
987
988         (JSC::Wasm::StreamingParser::parseFunctionSize):
989         (JSC::Wasm::StreamingParser::parseFunctionPayload):
990         (JSC::Wasm::StreamingParser::parseSectionPayload):
991         (JSC::Wasm::StreamingParser::consume):
992         (JSC::Wasm::StreamingParser::consumeVarUInt32):
993         (JSC::Wasm::StreamingParser::addBytes):
994         (JSC::Wasm::StreamingParser::failOnState):
995         (JSC::Wasm::StreamingParser::finalize):
996         * wasm/WasmStreamingParser.h: Added.
997         (JSC::Wasm::StreamingParser::addBytes):
998         (JSC::Wasm::StreamingParser::errorMessage const):
999         This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
1000         StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
1001         StreamingParser::addBytes() to pump the byte stream into the parser. Once all the data is pumped,
1002         the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
1003         incoming byte stream.
1004
1005         * wasm/js/JSWebAssemblyModule.cpp:
1006         (JSC::JSWebAssemblyModule::source const): Deleted.
1007         All the source should not be held.
1008
1009         * wasm/js/JSWebAssemblyModule.h:
1010         * wasm/js/WebAssemblyPrototype.cpp:
1011         (JSC::webAssemblyValidateFunc):
1012
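The consume/parse state machine described in the StreamingParser entry above, modelled as an added JavaScript example (this is not code from the patch or from JSC's wasm/WasmStreamingParser.cpp). It walks the module header and section headers as bytes arrive in arbitrary chunks, consumes ordinary sections whole, and splits the code section into per-function payloads so each body can be handed off as soon as it is complete; the state names, the `parseStreaming` helper and the sample module bytes are this example's own constructions.

```javascript
const MAGIC_AND_VERSION = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm" + version 1
const CODE_SECTION_ID = 10; // section id of the code section in the wasm binary format

// LEB128 varuint32 encoder, used only to build the constructed sample module below.
function varUInt32(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

class StreamingParser {
  constructor() {
    this.buf = [];               // received but not yet consumed bytes
    this.state = 'ModuleHeader'; // current state of the machine
    this.sectionID = 0;
    this.sectionSize = 0;        // declared size of the section being parsed
    this.sectionBytesLeft = 0;   // unconsumed bytes of the current code section
    this.remainingFunctions = 0;
    this.functionSize = 0;
    this.functions = [];         // extracted function bodies (Uint8Array each)
    this.error = null;
  }

  fail(message) { this.error = message; this.state = 'Failed'; return false; }

  // consumeXXX: take data from the buffer. Returns null while bytes are still missing.
  consume(n) {
    if (this.buf.length < n) return null;
    return new Uint8Array(this.buf.splice(0, n));
  }

  // Decode a LEB128 varuint32; null means "need more bytes" unless state is Failed.
  consumeVarUInt32() {
    let result = 0;
    for (let i = 0; i < 5; i++) {
      if (i >= this.buf.length) return null;
      const byte = this.buf[i];
      result |= (byte & 0x7f) << (7 * i);
      if ((byte & 0x80) === 0) {
        if (i === 4 && (byte & 0x70) !== 0) { this.fail('varuint32 overflow'); return null; }
        this.buf.splice(0, i + 1);
        return result >>> 0;
      }
    }
    this.fail('varuint32 too long');
    return null;
  }

  // Pump a chunk of the stream in and advance the machine as far as the bytes allow.
  addBytes(bytes) {
    if (this.state === 'Failed' || this.state === 'Finished') return this.state;
    for (const b of bytes) this.buf.push(b);
    while (this.step()) { /* each true step consumed input; keep going */ }
    return this.state;
  }

  // parseXXX equivalent: one transition of the state machine. Returns false when blocked.
  step() {
    switch (this.state) {
      case 'ModuleHeader': {
        const header = this.consume(8);
        if (!header) return false;
        if (!header.every((b, i) => b === MAGIC_AND_VERSION[i])) return this.fail('bad magic or version');
        this.state = 'SectionID'; return true;
      }
      case 'SectionID': {
        const id = this.consume(1);
        if (!id) return false;
        this.sectionID = id[0]; this.state = 'SectionSize'; return true;
      }
      case 'SectionSize': {
        const size = this.consumeVarUInt32();
        if (size === null) return false;
        this.sectionSize = size;
        // Only the code section is taken apart function by function.
        this.state = this.sectionID === CODE_SECTION_ID ? 'CodeSectionSize' : 'SectionPayload';
        return true;
      }
      case 'SectionPayload': {
        if (!this.consume(this.sectionSize)) return false; // payload skipped in this model
        this.state = 'SectionID'; return true;
      }
      case 'CodeSectionSize': {
        const before = this.buf.length;
        const count = this.consumeVarUInt32();
        if (count === null) return false;
        this.sectionBytesLeft = this.sectionSize - (before - this.buf.length);
        this.remainingFunctions = count;
        if (count === 0 && this.sectionBytesLeft !== 0) return this.fail('code section size mismatch');
        this.state = count === 0 ? 'SectionID' : 'FunctionSize'; return true;
      }
      case 'FunctionSize': {
        const before = this.buf.length;
        const size = this.consumeVarUInt32();
        if (size === null) return false;
        this.sectionBytesLeft -= before - this.buf.length;
        this.functionSize = size; this.state = 'FunctionPayload'; return true;
      }
      case 'FunctionPayload': {
        if (this.functionSize > this.sectionBytesLeft) return this.fail('function body exceeds code section');
        const body = this.consume(this.functionSize);
        if (!body) return false;
        this.functions.push(body); // here a real engine would hand the body to validation/compilation
        this.sectionBytesLeft -= this.functionSize;
        if (--this.remainingFunctions > 0) { this.state = 'FunctionSize'; return true; }
        if (this.sectionBytesLeft !== 0) return this.fail('code section size mismatch');
        this.state = 'SectionID'; return true;
      }
      default: return false;
    }
  }

  // Called once the whole stream has arrived: must sit at a section boundary with nothing buffered.
  finalize() {
    if (this.state === 'Failed') return false;
    if (this.state !== 'SectionID' || this.buf.length !== 0) return this.fail('unexpected end of stream');
    this.state = 'Finished'; return true;
  }
}

// Constructed sample module: one type () -> i32, two functions, two code bodies.
function sampleModule() {
  const typeSection = [0x01, 0x60, 0x00, 0x01, 0x7f];
  const functionSection = [0x02, 0x00, 0x00];
  const body0 = [0x00, 0x41, 0x2a, 0x0b];       // no locals; i32.const 42; end
  const body1 = [0x00, 0x41, 0x80, 0x01, 0x0b]; // no locals; i32.const 128; end
  const codeSection = [0x02, ...varUInt32(body0.length), ...body0, ...varUInt32(body1.length), ...body1];
  return Uint8Array.from([...MAGIC_AND_VERSION,
    1, ...varUInt32(typeSection.length), ...typeSection,
    3, ...varUInt32(functionSection.length), ...functionSection,
    CODE_SECTION_ID, ...varUInt32(codeSection.length), ...codeSection]);
}

// Feed `bytes` to a fresh parser in chunks of `chunkSize` and report the outcome.
function parseStreaming(bytes, chunkSize) {
  const parser = new StreamingParser();
  for (let i = 0; i < bytes.length; i += chunkSize) parser.addBytes(bytes.subarray(i, i + chunkSize));
  const ok = parser.finalize();
  return { ok, functions: parser.functions.map(f => Array.from(f)), error: parser.error };
}
```

Chunk size does not change the result: the same two bodies come out whether the module arrives one byte at a time or in larger pieces, while a truncated stream is rejected at finalize().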
1013 2018-08-27  Mark Lam  <mark.lam@apple.com>
1014
1015         Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
1016         https://bugs.webkit.org/show_bug.cgi?id=188577
1017         <rdar://problem/42985684>
1018
1019         Reviewed by Saam Barati.
1020
1021         1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
1022            (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
1023
1024            The StackOverflowFrame is a sentinel frame that the low level code (exception
1025            throwing code, stack visitor, and stack unwinding code) will know to skip
1026            over.  The StackOverflowFrame will also have a valid JSCallee so that client
1027            code can compute the globalObject or VM from this frame.
1028
1029            As a result, client code that throws StackOverflowErrors no longer needs to
1030            compute the caller frame to throw from: it just converts the top frame into
1031            a StackOverflowFrame and everything should *Just Work*.
1032
1033         2. NativeCallFrameTracerWithRestore is now obsolete.
1034
1035            Instead, client code should always call convertToStackOverflowFrame() on the
1036            frame before instantiating a NativeCallFrameTracer with it.
1037
1038            This means that topCallFrame will always point to the top CallFrame (which
1039            may be a StackOverflowFrame), and topEntryFrame will always point to the top
1040            EntryFrame.  We'll never temporarily point them to the previous EntryFrame
1041            (which we used to do with NativeCallFrameTracerWithRestore).
1042
1043         3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
1044            CallFrame, and will know how to handle a StackOverflowFrame if they see one.
1045
1046            This obsoletes the UnwindStart flag.
1047
1048         * CMakeLists.txt:
1049         * JavaScriptCore.xcodeproj/project.pbxproj:
1050         * Sources.txt:
1051         * debugger/Debugger.cpp:
1052         (JSC::Debugger::pauseIfNeeded):
1053         * interpreter/CallFrame.cpp:
1054         (JSC::CallFrame::callerFrame const):
1055         (JSC::CallFrame::unsafeCallerFrame const):
1056         (JSC::CallFrame::convertToStackOverflowFrame):
1057         (JSC::CallFrame::callerFrame): Deleted.
1058         (JSC::CallFrame::unsafeCallerFrame): Deleted.
1059         * interpreter/CallFrame.h:
1060         (JSC::ExecState::iterate):
1061         * interpreter/CallFrameInlines.h: Added.
1062         (JSC::CallFrame::isStackOverflowFrame const):
1063         (JSC::CallFrame::isWasmFrame const):
1064         * interpreter/EntryFrame.h: Added.
1065         (JSC::EntryFrame::vmEntryRecordOffset):
1066         (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
1067         * interpreter/FrameTracers.h:
1068         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
1069         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
1070         * interpreter/Interpreter.cpp:
1071         (JSC::Interpreter::unwind):
1072         * interpreter/Interpreter.h:
1073         * interpreter/StackVisitor.cpp:
1074         (JSC::StackVisitor::StackVisitor):
1075         * interpreter/StackVisitor.h:
1076         (JSC::StackVisitor::visit):
1077         (JSC::StackVisitor::topEntryFrameIsEmpty const):
1078         * interpreter/VMEntryRecord.h:
1079         (JSC::VMEntryRecord::callee const):
1080         (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
1081         (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
1082         * jit/AssemblyHelpers.h:
1083         * jit/JITExceptions.cpp:
1084         (JSC::genericUnwind):
1085         * jit/JITExceptions.h:
1086         * jit/JITOperations.cpp:
1087         * llint/LLIntOffsetsExtractor.cpp:
1088         * llint/LLIntSlowPaths.cpp:
1089         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1090         * llint/LowLevelInterpreter.asm:
1091         * llint/LowLevelInterpreter32_64.asm:
1092         * llint/LowLevelInterpreter64.asm:
1093         * runtime/CallData.cpp:
1094         * runtime/CommonSlowPaths.cpp:
1095         (JSC::throwArityCheckStackOverflowError):
1096         (JSC::SLOW_PATH_DECL):
1097         * runtime/CommonSlowPathsExceptions.cpp: Removed.
1098         * runtime/CommonSlowPathsExceptions.h: Removed.
1099         * runtime/Completion.cpp:
1100         (JSC::evaluateWithScopeExtension):
1101         * runtime/JSGeneratorFunction.h:
1102         * runtime/JSGlobalObject.cpp:
1103         (JSC::JSGlobalObject::init):
1104         (JSC::JSGlobalObject::visitChildren):
1105         * runtime/JSGlobalObject.h:
1106         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
1107         * runtime/VM.cpp:
1108         (JSC::VM::throwException):
1109         * runtime/VM.h:
1110         * runtime/VMInlines.h:
1111         (JSC::VM::topJSCallFrame const):
1112
1113 2018-08-27  Keith Rollin  <krollin@apple.com>
1114
1115         Unreviewed build fix -- disable LTO for production builds
1116
1117         * Configurations/Base.xcconfig:
1118
1119 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
1120
1121         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
1122         https://bugs.webkit.org/show_bug.cgi?id=188931
1123
1124         Reviewed by Wenson Hsieh.
1125
1126         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
1127
1128 2018-08-27  Devin Rousso  <drousso@apple.com>
1129
1130         Web Inspector: provide autocompletion for event breakpoints
1131         https://bugs.webkit.org/show_bug.cgi?id=188717
1132
1133         Reviewed by Brian Burg.
1134
1135         * inspector/protocol/DOM.json:
1136         Add `getSupportedEventNames` command.
1137
1138 2018-08-27  Keith Rollin  <krollin@apple.com>
1139
1140         Build system support for LTO
1141         https://bugs.webkit.org/show_bug.cgi?id=187785
1142         <rdar://problem/42353132>
1143
1144         Reviewed by Dan Bernstein.
1145
1146         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
1147         LTO.
1148
1149         * Configurations/Base.xcconfig:
1150         * Configurations/DebugRelease.xcconfig:
1151
1152 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
1153
1154         [GTK][JSC] Add warn_unused_result attribute to some APIs
1155         https://bugs.webkit.org/show_bug.cgi?id=188983
1156
1157         Reviewed by Michael Catanzaro.
1158
1159         * API/glib/JSCValue.h:
1160
1161 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1162
1163         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
1164         https://bugs.webkit.org/show_bug.cgi?id=188794
1165
1166         Reviewed by Saam Barati.
1167
1168         While Array.prototype.reverse modifies the butterfly of the given Array,
1169         it does not account for the JSImmutableButterfly case. So it accidentally modifies
1170         the content of JSImmutableButterfly.
1171         This patch converts CoW arrays to writable arrays before reversing.
1172
1173         * runtime/ArrayPrototype.cpp:
1174         (JSC::arrayProtoFuncReverse):
1175         * runtime/JSObject.h:
1176         (JSC::JSObject::ensureWritable):
1177
1178 2018-08-24  Michael Saboff  <msaboff@apple.com>
1179
1180         YARR: Update UCS canonicalization tables for Unicode 11
1181         https://bugs.webkit.org/show_bug.cgi?id=188928
1182
1183         Reviewed by Mark Lam.
1184
1185         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
1186
1187         This passes JavaScriptCore and test262 tests.
1188
1189         * yarr/YarrCanonicalizeUCS2.cpp:
1190         * yarr/YarrCanonicalizeUCS2.js:
1191         (printHeader):
1192
1193 2018-08-24  Michael Saboff  <msaboff@apple.com>
1194
1195         YARR: JIT RegExps with non-greedy parenthesized sub patterns
1196         https://bugs.webkit.org/show_bug.cgi?id=180876
1197
1198         Reviewed by Filip Pizlo.
1199
1200         Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
1201         For the matching code, the greedy path was correct except that we don't try matching for the
1202         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
1203         first / next match when we backtrack.  The backtracking code needs to check to see if we have
1204         tried the first match or if we can do another match.
1205
1206         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
1207         count.  Did other minor cleanup as well.
1208
1209         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
1210
1211         Updated the text in some comments, both for this change as well as accuracy for existing code.
1212
1213         * yarr/YarrJIT.cpp:
1214         (JSC::Yarr::YarrGenerator::generate):
1215         (JSC::Yarr::YarrGenerator::backtrack):
1216         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1217         (JSC::Yarr::YarrGenerator::compile):
1218         (JSC::Yarr::dumpCompileFailure):
1219         (JSC::Yarr::jitCompile):
1220         * yarr/YarrJIT.h:
1221         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
1222         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
1223
1224 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
1225
1226         Add support for dumping GC heap snapshots, and a viewer
1227         https://bugs.webkit.org/show_bug.cgi?id=186416
1228
1229         Reviewed by Joseph Pecoraro.
1230
1231         Make a way to dump information about the GC heap that is useful for looking for leaked
1232         or abandoned objects. This dump is obtained (on Apple platforms) via:
1233             notifyutil -p com.apple.WebKit.dumpGCHeap
1234         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
1235         
1236         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
1237         the snapshot JSON that adds additional data about objects and why they are GC roots.
1238
1239         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
1240         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
1241         objects visited via opaque roots, we record the reason why via a new out param to
1242         isReachableFromOpaqueRoots().
1243
1244         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
1245         additional information including the address of the JSCell* and the wrapped object (for
1246         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
1247         be the document URL.
1248
1249         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
1250
1251         * API/JSAPIWrapperObject.mm:
1252         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1253         * API/JSManagedValue.mm:
1254         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
1255         * API/glib/JSAPIWrapperObjectGLib.cpp:
1256         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1257         * CMakeLists.txt:
1258         * heap/ConservativeRoots.h:
1259         (JSC::ConservativeRoots::size const):
1260         (JSC::ConservativeRoots::size): Deleted.
1261         * heap/Heap.cpp:
1262         (JSC::Heap::addCoreConstraints):
1263         * heap/HeapSnapshotBuilder.cpp:
1264         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
1265         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
1266         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
1267         (JSC::HeapSnapshotBuilder::buildSnapshot):
1268         (JSC::HeapSnapshotBuilder::appendNode):
1269         (JSC::HeapSnapshotBuilder::appendEdge):
1270         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
1271         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
1272         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
1273         (JSC::snapshotTypeToString):
1274         (JSC::rootTypeToString):
1275         (JSC::HeapSnapshotBuilder::setLabelForCell):
1276         (JSC::HeapSnapshotBuilder::descriptionForCell const):
1277         (JSC::HeapSnapshotBuilder::json):
1278         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
1279         * heap/HeapSnapshotBuilder.h:
1280         * heap/SlotVisitor.cpp:
1281         (JSC::SlotVisitor::appendSlow):
1282         * heap/SlotVisitor.h:
1283         (JSC::SlotVisitor::heapSnapshotBuilder const):
1284         (JSC::SlotVisitor::rootMarkReason const):
1285         (JSC::SlotVisitor::setRootMarkReason):
1286         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
1287         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
1288         * heap/WeakBlock.cpp:
1289         (JSC::WeakBlock::specializedVisit):
1290         * heap/WeakHandleOwner.cpp:
1291         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
1292         * heap/WeakHandleOwner.h:
1293         * runtime/SimpleTypedArrayController.cpp:
1294         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
1295         * runtime/SimpleTypedArrayController.h:
1296         * tools/JSDollarVM.cpp:
1297
1298 2018-08-23  Saam barati  <sbarati@apple.com>
1299
1300         JSRunLoopTimer may run part of a member function after it's destroyed
1301         https://bugs.webkit.org/show_bug.cgi?id=188426
1302
1303         Reviewed by Mark Lam.
1304
1305         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1306         to end up running timer code after the class had been destroyed.
1307         
1308         The issue I spotted was in this function:
1309         ```
1310         void JSRunLoopTimer::timerDidFire()
1311         {
1312             JSLock* apiLock = m_apiLock.get();
1313             if (!apiLock) {
1314                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1315                 return;
1316             }
1317             // HERE
1318             std::lock_guard<JSLock> lock(*apiLock);
1319             RefPtr<VM> vm = apiLock->vm();
1320             if (!vm) {
1321                 // The VM has been destroyed, so we should just give up.
1322                 return;
1323             }
1324         
1325             doWork();
1326         }
1327         ```
1328         
1329         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1330         switched before grabbing the API lock. Then, some other thread destroys the VM.
1331         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1332         timer would run code and access member variables after it was destroyed.
1333         
1334         This patch fixes this issue by introducing a new timer manager class. 
1335         This class manages timers on a per VM basis. When a timer is scheduled,
1336         this class refs the timer. It also calls the timer callback while actively
1337         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1338         callback after the timer has been destroyed. However, calling a timer callback
1339         can still race with the VM being destroyed. We continue to detect this case and
1340         bail out of the callback early.
1341         
1342         This patch also removes a lot of duplicate code between GCActivityCallback
1343         and JSRunLoopTimer.
1344
1345         * heap/EdenGCActivityCallback.cpp:
1346         (JSC::EdenGCActivityCallback::doCollection):
1347         (JSC::EdenGCActivityCallback::lastGCLength):
1348         (JSC::EdenGCActivityCallback::deathRate):
1349         * heap/EdenGCActivityCallback.h:
1350         * heap/FullGCActivityCallback.cpp:
1351         (JSC::FullGCActivityCallback::doCollection):
1352         (JSC::FullGCActivityCallback::lastGCLength):
1353         (JSC::FullGCActivityCallback::deathRate):
1354         * heap/FullGCActivityCallback.h:
1355         * heap/GCActivityCallback.cpp:
1356         (JSC::GCActivityCallback::doWork):
1357         (JSC::GCActivityCallback::scheduleTimer):
1358         (JSC::GCActivityCallback::didAllocate):
1359         (JSC::GCActivityCallback::willCollect):
1360         (JSC::GCActivityCallback::cancel):
1361         (JSC::GCActivityCallback::cancelTimer): Deleted.
1362         (JSC::GCActivityCallback::nextFireTime): Deleted.
1363         * heap/GCActivityCallback.h:
1364         * heap/Heap.cpp:
1365         (JSC::Heap::reportAbandonedObjectGraph):
1366         (JSC::Heap::notifyIncrementalSweeper):
1367         (JSC::Heap::updateAllocationLimits):
1368         (JSC::Heap::didAllocate):
1369         * heap/IncrementalSweeper.cpp:
1370         (JSC::IncrementalSweeper::scheduleTimer):
1371         (JSC::IncrementalSweeper::doWork):
1372         (JSC::IncrementalSweeper::doSweep):
1373         (JSC::IncrementalSweeper::sweepNextBlock):
1374         (JSC::IncrementalSweeper::startSweeping):
1375         (JSC::IncrementalSweeper::stopSweeping):
1376         * heap/IncrementalSweeper.h:
1377         * heap/StopIfNecessaryTimer.cpp:
1378         (JSC::StopIfNecessaryTimer::doWork):
1379         (JSC::StopIfNecessaryTimer::scheduleSoon):
1380         * heap/StopIfNecessaryTimer.h:
1381         * runtime/JSRunLoopTimer.cpp:
1382         (JSC::epochTime):
1383         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1384         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1385         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1386         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1387         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1388         (JSC::JSRunLoopTimer::Manager::shared):
1389         (JSC::JSRunLoopTimer::Manager::registerVM):
1390         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1391         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1392         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1393         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1394         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1395         (JSC::JSRunLoopTimer::timerDidFire):
1396         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1397         (JSC::JSRunLoopTimer::timeUntilFire):
1398         (JSC::JSRunLoopTimer::setTimeUntilFire):
1399         (JSC::JSRunLoopTimer::cancelTimer):
1400         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1401         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1402         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1403         * runtime/JSRunLoopTimer.h:
1404         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1405         * runtime/PromiseDeferredTimer.cpp:
1406         (JSC::PromiseDeferredTimer::doWork):
1407         (JSC::PromiseDeferredTimer::runRunLoop):
1408         (JSC::PromiseDeferredTimer::addPendingPromise):
1409         (JSC::PromiseDeferredTimer::hasPendingPromise):
1410         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1411         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1412         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1413         * runtime/PromiseDeferredTimer.h:
1414         * runtime/VM.cpp:
1415         (JSC::VM::VM):
1416         (JSC::VM::~VM):
1417         (JSC::VM::setRunLoop):
1418         (JSC::VM::registerRunLoopTimer): Deleted.
1419         (JSC::VM::unregisterRunLoopTimer): Deleted.
1420         * runtime/VM.h:
1421         (JSC::VM::runLoop const):
1422         * wasm/js/WebAssemblyPrototype.cpp:
1423         (JSC::webAssemblyModuleValidateAsyncInternal):
1424         (JSC::instantiate):
1425         (JSC::compileAndInstantiate):
1426         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1427         (JSC::webAssemblyCompileStreamingInternal):
1428         (JSC::webAssemblyInstantiateStreamingInternal):
1429
1430 2018-08-23  Mark Lam  <mark.lam@apple.com>
1431
1432         Move vmEntryGlobalObject() to VM from CallFrame.
1433         https://bugs.webkit.org/show_bug.cgi?id=188900
1434         <rdar://problem/43655753>
1435
1436         Reviewed by Michael Saboff.
1437
1438         Also introduced CallFrame::isGlobalExec() which makes use of one property of
1439         GlobalExecs to identify them, i.e., GlobalExecs have null callerFrame and returnPCs.
1440         CallFrame::initGlobalExec() ensures this.
1441
1442         In contrast, normal CallFrames always have a callerFrame (because they must at
1443         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
1444         VM entry glue).
1445
1446         * API/APIUtils.h:
1447         (handleExceptionIfNeeded):
1448         (setException):
1449         * API/JSBase.cpp:
1450         (JSEvaluateScript):
1451         (JSCheckScriptSyntax):
1452         * API/JSContextRef.cpp:
1453         (JSGlobalContextRetain):
1454         (JSGlobalContextRelease):
1455         (JSGlobalContextCopyName):
1456         (JSGlobalContextSetName):
1457         (JSGlobalContextGetRemoteInspectionEnabled):
1458         (JSGlobalContextSetRemoteInspectionEnabled):
1459         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
1460         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
1461         (JSGlobalContextGetDebuggerRunLoop):
1462         (JSGlobalContextSetDebuggerRunLoop):
1463         (JSGlobalContextGetAugmentableInspectorController):
1464         * API/JSValue.mm:
1465         (reportExceptionToInspector):
1466         * API/glib/JSCClass.cpp:
1467         (jscContextForObject):
1468         * API/glib/JSCContext.cpp:
1469         (jsc_context_evaluate_in_object):
1470         * debugger/Debugger.cpp:
1471         (JSC::Debugger::pauseIfNeeded):
1472         * debugger/DebuggerCallFrame.cpp:
1473         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
1474         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1475         * interpreter/CallFrame.cpp:
1476         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
1477         * interpreter/CallFrame.h:
1478         (JSC::ExecState::scope const):
1479         (JSC::ExecState::noCaller):
1480         (JSC::ExecState::isGlobalExec const):
1481         * interpreter/Interpreter.cpp:
1482         (JSC::notifyDebuggerOfUnwinding):
1483         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
1484         (JSC::Interpreter::debug):
1485         * runtime/CallData.cpp:
1486         (JSC::profiledCall):
1487         * runtime/Completion.cpp:
1488         (JSC::evaluate):
1489         (JSC::profiledEvaluate):
1490         (JSC::evaluateWithScopeExtension):
1491         (JSC::loadAndEvaluateModule):
1492         (JSC::loadModule):
1493         (JSC::linkAndEvaluateModule):
1494         (JSC::importModule):
1495         * runtime/ConstructData.cpp:
1496         (JSC::profiledConstruct):
1497         * runtime/Error.cpp:
1498         (JSC::getStackTrace):
1499         * runtime/VM.cpp:
1500         (JSC::VM::throwException):
1501         (JSC::VM::vmEntryGlobalObject const):
1502         * runtime/VM.h:
1503
1504 2018-08-23  Andy Estes  <aestes@apple.com>
1505
1506         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
1507         https://bugs.webkit.org/show_bug.cgi?id=188829
1508
1509         Reviewed by Tim Horton.
1510
1511         * Configurations/FeatureDefines.xcconfig:
1512
1513 2018-08-23  Devin Rousso  <drousso@apple.com>
1514
1515         Web Inspector: support breakpoints for timers and animation-frame events
1516         https://bugs.webkit.org/show_bug.cgi?id=188778
1517
1518         Reviewed by Brian Burg.
1519
1520         * inspector/protocol/Debugger.json:
1521         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
1522
1523         * inspector/protocol/DOMDebugger.json:
1524         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
1525          - `setEventListenerBreakpoint`
1526          - `removeEventListenerBreakpoint`
1527          - `setInstrumentationBreakpoint`
1528          - `removeInstrumentationBreakpoint`
1529         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
1530
1531         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1532         (CppProtocolTypesHeaderGenerator.generate_output):
1533         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
1534         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
1535         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
1536         Generate `DefaultHash` for all `enum class` used by inspector protocols.
1537
1538         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1539         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1540         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1541         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1542         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1543         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1544         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1545
1546 2018-08-23  Michael Saboff  <msaboff@apple.com>
1547
1548         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
1549         https://bugs.webkit.org/show_bug.cgi?id=188895
1550
1551         Reviewed by Mark Lam.
1552
1553         Found while working on another change.  This will allow processing of nested
1554         parenthesis that require saved ParenContext structures.
1555
1556         * yarr/YarrJIT.cpp:
1557         (JSC::Yarr::YarrGenerator::compile):
1558
1559 2018-08-22  Michael Saboff  <msaboff@apple.com>
1560
1561         https://bugs.webkit.org/show_bug.cgi?id=188859
1562         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1563
1564         Rubber-stamped by Saam Barati.
1565
1566         Deleted these two functions.
1567
1568         * jit/JITOperations.cpp:
1569         * jit/JITOperations.h:
1570
1571 2018-08-22  Mark Lam  <mark.lam@apple.com>
1572
1573         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1574         https://bugs.webkit.org/show_bug.cgi?id=188298
1575         <rdar://problem/42888427>
1576
1577         Reviewed by Saam Barati.
1578
1579         In the event that both targets of a Branch are the same block, then even if we'll
1580         always take one path of the branch, the other target is not unreachable because
1581         it is the same target as the one in the taken path.  Hence, it should not be
1582         jettisoned.
1583
1584         * JavaScriptCore.xcodeproj/project.pbxproj:
1585         - Added DFGCFG.h which is in use and should have been added to the project.
1586         * dfg/DFGCFGSimplificationPhase.cpp:
1587         (JSC::DFG::CFGSimplificationPhase::run):
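
The reasoning above in code, as an added example that is not the DFG's code: a toy control-flow graph and the constant-branch folding step, showing why the "other" successor may only be jettisoned when it is a different block from the surviving one. Block, Graph, foldConstantBranch and makeGraph are hypothetical stand-ins for the DFG's BasicBlock and CFGSimplificationPhase.

```cpp
#include <cstddef>
#include <set>
#include <vector>

// Added example, not JSC's code: a toy control-flow graph whose blocks end in
// either a Jump (one successor) or a Branch (taken / notTaken successors), plus
// the constant-branch folding step the ChangeLog entry describes. All names
// here are hypothetical stand-ins for the DFG's BasicBlock / CFGSimplificationPhase.

enum class Terminator { Jump, Branch };

struct Block {
    Terminator terminator = Terminator::Jump;
    int constantCondition = -1;   // -1: unknown, 0: always false, 1: always true
    size_t taken = 0;             // Branch: taken successor; Jump: the single successor
    size_t notTaken = 0;          // Branch only
};

struct Graph {
    std::vector<Block> blocks;
    std::set<size_t> jettisoned;  // blocks removed from the graph
};

// Does any live block other than 'target' itself still jump or branch to it?
inline bool hasPredecessor(const Graph& g, size_t target)
{
    for (size_t i = 0; i < g.blocks.size(); ++i) {
        if (i == target || g.jettisoned.count(i))
            continue;
        const Block& b = g.blocks[i];
        if (b.taken == target)
            return true;
        if (b.terminator == Terminator::Branch && b.notTaken == target)
            return true;
    }
    return false;
}

// Turn a Branch with a known condition into a Jump to the surviving target.
// Returns the index of the block jettisoned as a result, or -1 if none.
inline long foldConstantBranch(Graph& g, size_t blockIndex)
{
    Block& block = g.blocks[blockIndex];
    if (block.terminator != Terminator::Branch || block.constantCondition < 0)
        return -1;

    size_t survivor = block.constantCondition ? block.taken : block.notTaken;
    size_t other = block.constantCondition ? block.notTaken : block.taken;

    block.terminator = Terminator::Jump;
    block.taken = survivor;

    // The check the ChangeLog entry adds: when both edges led to the same block,
    // the untaken edge was not that block's only route in, so it stays reachable.
    if (other == survivor)
        return -1;

    // Otherwise the other target is dead only if nobody else reaches it.
    if (hasPredecessor(g, other))
        return -1;
    g.jettisoned.insert(other);
    return static_cast<long>(other);
}

// Block 0 branches (condition always true) to block 1 and to 'notTakenTarget';
// blocks 1 and 2 just jump back to block 0.
inline Graph makeGraph(size_t notTakenTarget)
{
    Graph g;
    g.blocks.resize(3);
    g.blocks[0].terminator = Terminator::Branch;
    g.blocks[0].constantCondition = 1;
    g.blocks[0].taken = 1;
    g.blocks[0].notTaken = notTakenTarget;
    g.blocks[1].taken = 0;
    g.blocks[2].taken = 0;
    return g;
}

// Fold block 0 of a fresh graph and report which block got jettisoned (-1: none).
inline long foldEntryBranch(size_t notTakenTarget)
{
    Graph g = makeGraph(notTakenTarget);
    return foldConstantBranch(g, 0);
}

// Is block 'index' still part of the graph after folding the entry branch?
inline bool survivesEntryFold(size_t notTakenTarget, size_t index)
{
    Graph g = makeGraph(notTakenTarget);
    foldConstantBranch(g, 0);
    return g.jettisoned.count(index) == 0;
}
```

With distinct targets (makeGraph(2)) the fold turns block 0 into a Jump to block 1 and block 2 loses its only predecessor, so it is jettisoned; with both edges pointing at block 1 (makeGraph(1)) the same fold leaves the graph intact. Dropping the `other == survivor` test is exactly what would remove a block that the new Jump still targets.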
1588
1589 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1590
1591         [JSC] HeapUtil should care about pointer overflow
1592         https://bugs.webkit.org/show_bug.cgi?id=188740
1593
1594         Reviewed by Saam Barati.
1595
1596         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
1597         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1598         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1599
1600         * heap/HeapUtil.h:
1601         (JSC::HeapUtil::findGCObjectPointersForMarking):
1602
1603 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1604
1605         [JSC] Should not rotate constant with 64
1606         https://bugs.webkit.org/show_bug.cgi?id=188556
1607
1608         Reviewed by Saam Barati.
1609
1610         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1611         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1612         where value's type is uint64_t, and they cause undefined behavior (UB). This patch limits
1613         the seed to the range [1, 63] so as not to generate code causing UB. This was found by UBSan.
1614
1615         * assembler/MacroAssembler.h:
1616         (JSC::MacroAssembler::generateRotationSeed):
1617         (JSC::MacroAssembler::rotationBlindConstant):
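
What the seed range buys, as an added example that is not JSC's code: a minimal rotation-based constant blinder in the shape the entry describes. The names (rotateLeft64, rotationSeedFromRandom, blindConstant and so on) are hypothetical; the one fact taken from the entry is that the rotate count must stay in [1, 63] because shifting a uint64_t by 0 or by 64 bits is undefined behavior.

```cpp
#include <cstdint>

// Added example, not JSC's own code: constant blinding by rotation, with the
// seed kept in [1, 63] so that no shift below is ever by 0 or by 64 bits.
// Names are hypothetical; JSC's implementation lives in
// assembler/MacroAssembler.h (generateRotationSeed / rotationBlindConstant).

// Rotate a 64-bit value left by 'seed' bits. With seed == 0 the expression
// evaluates value >> 64, with seed == 64 it evaluates value << 64; both are
// undefined behavior in C++, so callers must only pass 1..63.
inline uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    return (value << seed) | (value >> (64 - seed));
}

inline uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    return (value >> seed) | (value << (64 - seed));
}

// Map an arbitrary random word onto the safe range: '% 63' gives 0..62,
// '+ 1' gives 1..63. The two UB-triggering counts, 0 and 64, cannot occur.
inline unsigned rotationSeedFromRandom(uint64_t random)
{
    return static_cast<unsigned>(random % 63) + 1;
}

struct BlindedConstant {
    uint64_t blinded;   // the immediate that actually lands in the JIT'd code
    unsigned seed;      // the rotate-right count emitted right after it
};

// Blinding: the instruction stream carries 'blinded', never the attacker-
// controlled constant; a rotate-right by 'seed' restores it in a register.
inline BlindedConstant blindConstant(uint64_t value, uint64_t random)
{
    unsigned seed = rotationSeedFromRandom(random);
    BlindedConstant result = { rotateLeft64(value, seed), seed };
    return result;
}

// What the generated code computes at run time.
inline uint64_t unblindConstant(const BlindedConstant& c)
{
    return rotateRight64(c.blinded, c.seed);
}

// Round-trip 'value' through every seed the generator can produce.
inline bool roundTripsForAllSeeds(uint64_t value)
{
    for (uint64_t random = 0; random < 63; ++random) {
        BlindedConstant c = blindConstant(value, random);
        if (c.seed < 1 || c.seed > 63)
            return false;
        if (unblindConstant(c) != value)
            return false;
    }
    return true;
}

// Does blinding actually change the bytes that reach the code page?
// Rotation is the identity on a bit pattern whose period divides the seed,
// so a repeated-byte constant rotated by a multiple of 8 is left intact.
inline bool blindingChangesImmediate(uint64_t value, uint64_t random)
{
    return blindConstant(value, random).blinded != value;
}
```

Run `roundTripsForAllSeeds` under UBSan with the `+ 1` removed from rotationSeedFromRandom and the sanitizer reports the `>> 64` on the very first seed, which is the failure mode the entry describes. The last helper illustrates a separate caveat worth keeping in mind when reviewing rotation-only blinding: a constant made of one repeated byte, the usual shape of a JIT-spray payload, is unchanged by any rotate count that is a multiple of 8, so the seed range alone does not guarantee that the emitted immediate differs from the attacker's value. C++20's std::rotl is defined for every count and removes the shift-width hazard at the source.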
1618
1619 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1620
1621         Unreviewed, rolling out r235107.
1622         https://bugs.webkit.org/show_bug.cgi?id=188832
1623
1624         "It revealed bugs in Blob code as well as regressed JS
1625         performance tests" (Requested by saamyjoon on #webkit).
1626
1627         Reverted changeset:
1628
1629         "JSRunLoopTimer may run part of a member function after it's
1630         destroyed"
1631         https://bugs.webkit.org/show_bug.cgi?id=188426
1632         https://trac.webkit.org/changeset/235107
1633
1634 2018-08-21  Saam barati  <sbarati@apple.com>
1635
1636         JSRunLoopTimer may run part of a member function after it's destroyed
1637         https://bugs.webkit.org/show_bug.cgi?id=188426
1638
1639         Reviewed by Mark Lam.
1640
1641         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1642         to end up running timer code after the class had been destroyed.
1643         
1644         The issue I spotted was in this function:
1645         ```
1646         void JSRunLoopTimer::timerDidFire()
1647         {
1648             JSLock* apiLock = m_apiLock.get();
1649             if (!apiLock) {
1650                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1651                 return;
1652             }
1653             // HERE
1654             std::lock_guard<JSLock> lock(*apiLock);
1655             RefPtr<VM> vm = apiLock->vm();
1656             if (!vm) {
1657                 // The VM has been destroyed, so we should just give up.
1658                 return;
1659             }
1660         
1661             doWork();
1662         }
1663         ```
1664         
1665         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1666         switched before grabbing the API lock. Then, some other thread destroys the VM.
1667         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1668         timer would run code and access member variables after it was destroyed.
1669         
1670         This patch fixes this issue by introducing a new timer manager class. 
1671         This class manages timers on a per VM basis. When a timer is scheduled,
1672         this class refs the timer. It also calls the timer callback while actively
1673         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1674         callback after the timer has been destroyed. However, calling a timer callback
1675         can still race with the VM being destroyed. We continue to detect this case and
1676         bail out of the callback early.
1677         
1678         This patch also removes a lot of duplicate code between GCActivityCallback
1679         and JSRunLoopTimer.
1680
1681         * heap/EdenGCActivityCallback.cpp:
1682         (JSC::EdenGCActivityCallback::doCollection):
1683         (JSC::EdenGCActivityCallback::lastGCLength):
1684         (JSC::EdenGCActivityCallback::deathRate):
1685         * heap/EdenGCActivityCallback.h:
1686         * heap/FullGCActivityCallback.cpp:
1687         (JSC::FullGCActivityCallback::doCollection):
1688         (JSC::FullGCActivityCallback::lastGCLength):
1689         (JSC::FullGCActivityCallback::deathRate):
1690         * heap/FullGCActivityCallback.h:
1691         * heap/GCActivityCallback.cpp:
1692         (JSC::GCActivityCallback::doWork):
1693         (JSC::GCActivityCallback::scheduleTimer):
1694         (JSC::GCActivityCallback::didAllocate):
1695         (JSC::GCActivityCallback::willCollect):
1696         (JSC::GCActivityCallback::cancel):
1697         (JSC::GCActivityCallback::cancelTimer): Deleted.
1698         (JSC::GCActivityCallback::nextFireTime): Deleted.
1699         * heap/GCActivityCallback.h:
1700         * heap/Heap.cpp:
1701         (JSC::Heap::reportAbandonedObjectGraph):
1702         (JSC::Heap::notifyIncrementalSweeper):
1703         (JSC::Heap::updateAllocationLimits):
1704         (JSC::Heap::didAllocate):
1705         * heap/IncrementalSweeper.cpp:
1706         (JSC::IncrementalSweeper::scheduleTimer):
1707         (JSC::IncrementalSweeper::doWork):
1708         (JSC::IncrementalSweeper::doSweep):
1709         (JSC::IncrementalSweeper::sweepNextBlock):
1710         (JSC::IncrementalSweeper::startSweeping):
1711         (JSC::IncrementalSweeper::stopSweeping):
1712         * heap/IncrementalSweeper.h:
1713         * heap/StopIfNecessaryTimer.cpp:
1714         (JSC::StopIfNecessaryTimer::doWork):
1715         (JSC::StopIfNecessaryTimer::scheduleSoon):
1716         * heap/StopIfNecessaryTimer.h:
1717         * runtime/JSRunLoopTimer.cpp:
1718         (JSC::epochTime):
1719         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1720         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1721         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1722         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1723         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1724         (JSC::JSRunLoopTimer::Manager::shared):
1725         (JSC::JSRunLoopTimer::Manager::registerVM):
1726         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1727         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1728         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1729         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1730         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1731         (JSC::JSRunLoopTimer::timerDidFire):
1732         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1733         (JSC::JSRunLoopTimer::timeUntilFire):
1734         (JSC::JSRunLoopTimer::setTimeUntilFire):
1735         (JSC::JSRunLoopTimer::cancelTimer):
1736         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1737         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1738         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1739         * runtime/JSRunLoopTimer.h:
1740         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1741         * runtime/PromiseDeferredTimer.cpp:
1742         (JSC::PromiseDeferredTimer::doWork):
1743         (JSC::PromiseDeferredTimer::runRunLoop):
1744         (JSC::PromiseDeferredTimer::addPendingPromise):
1745         (JSC::PromiseDeferredTimer::hasPendingPromise):
1746         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1747         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1748         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1749         * runtime/PromiseDeferredTimer.h:
1750         * runtime/VM.cpp:
1751         (JSC::VM::VM):
1752         (JSC::VM::~VM):
1753         (JSC::VM::setRunLoop):
1754         (JSC::VM::registerRunLoopTimer): Deleted.
1755         (JSC::VM::unregisterRunLoopTimer): Deleted.
1756         * runtime/VM.h:
1757         (JSC::VM::runLoop const):
1758         * wasm/js/WebAssemblyPrototype.cpp:
1759         (JSC::webAssemblyModuleValidateAsyncInternal):
1760         (JSC::instantiate):
1761         (JSC::compileAndInstantiate):
1762         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1763         (JSC::webAssemblyCompileStreamingInternal):
1764         (JSC::webAssemblyInstantiateStreamingInternal):
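
Both copies of this entry (the original landing here and the 2018-08-23 re-landing above) describe the same ownership fix: the manager holds its own reference to the timer while it is scheduled and while its callback runs. As an added example that is not WebKit's code, here is a deterministic, single-threaded replay of the interleaving the entry walks through; VM, Timer, TimerManager and runRace are hypothetical stand-ins for JSC's VM, JSRunLoopTimer and JSRunLoopTimer::Manager, and the JSLock and run loop are left out.

```cpp
#include <memory>
#include <utility>
#include <vector>

// Added example, not WebKit's code: a deterministic, single-threaded replay of
// the interleaving described in the ChangeLog entry. VM, Timer and TimerManager
// are hypothetical stand-ins for JSC's VM, JSRunLoopTimer and
// JSRunLoopTimer::Manager; the JSLock and the run loop are omitted.

struct Outcome {
    bool timerAliveWhenFired = false;   // was the Timer object still allocated when fired?
    bool bailedOut = false;             // did the callback notice the VM was gone?
    bool didWork = false;               // did the callback reach the doWork() step?
    int timersAliveAfterFire = -1;      // Timer objects still allocated afterwards
};

struct Timer;

struct VM {
    std::vector<std::shared_ptr<Timer>> timers;   // the VM (transitively) owns its timers
};

struct Timer {
    static int liveCount;               // number of Timer objects currently allocated
    std::weak_ptr<VM> vm;               // observed, never owned, by the timer
    Outcome* report;                    // where the callback records what happened

    Timer(std::weak_ptr<VM> owner, Outcome* r) : vm(std::move(owner)), report(r) { ++liveCount; }
    ~Timer() { --liveCount; }

    // Same check-then-work shape as the timerDidFire() quoted above: if the VM
    // has been destroyed, give up; otherwise do the work. Touching 'this' here
    // is only sound because the caller holds its own reference to the Timer.
    void timerDidFire()
    {
        std::shared_ptr<VM> owner = vm.lock();
        if (!owner) {
            report->bailedOut = true;
            return;
        }
        report->didWork = true;         // stands in for doWork()
    }
};
int Timer::liveCount = 0;

// The fix: the manager takes its own reference when a timer is scheduled and
// keeps one across the callback, so the callback can never run on freed memory.
class TimerManager {
public:
    void scheduleTimer(std::shared_ptr<Timer> timer) { m_scheduled.push_back(std::move(timer)); }

    void fireAll()
    {
        std::vector<std::shared_ptr<Timer>> due;
        due.swap(m_scheduled);
        for (std::shared_ptr<Timer>& keepAlive : due)
            keepAlive->timerDidFire();  // 'keepAlive' is the +1 ref for the duration
        // 'due' dies here: references are dropped only after every callback returned
    }

private:
    std::vector<std::shared_ptr<Timer>> m_scheduled;
};

// Schedule a timer owned by a VM, optionally destroy the VM before the timer
// fires (the window marked 'HERE' above), then fire and report what happened.
inline Outcome runRace(bool destroyVMBeforeFire)
{
    Outcome out;
    {
        TimerManager manager;
        std::shared_ptr<VM> vm = std::make_shared<VM>();
        vm->timers.push_back(std::make_shared<Timer>(vm, &out));
        manager.scheduleTimer(vm->timers.back());

        if (destroyVMBeforeFire)
            vm.reset();                 // VM and its 'timers' vector are destroyed now

        out.timerAliveWhenFired = (Timer::liveCount == 1);
        manager.fireAll();
        out.timersAliveAfterFire = Timer::liveCount;
    }
    return out;
}
```

With the VM torn down before the callback, the Timer is still allocated when fireAll() runs (only the manager's reference is keeping it), the callback sees the dead VM and bails, and the object is released once the callback returns. The pre-fix shape, in which nothing but the VM owned the timer, cannot be executed safely here because timerDidFire would be invoked on freed memory; that is the use-after-free the entry closes. The example is single-threaded on purpose: it shows the ownership argument, not the locking, and the real code still has to serialize the callback against VM destruction with the JSLock.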
1765
1766 2018-08-20  Saam barati  <sbarati@apple.com>
1767
1768         Inline DataView accesses into DFG/FTL
1769         https://bugs.webkit.org/show_bug.cgi?id=188573
1770         <rdar://problem/43286746>
1771
1772         Reviewed by Michael Saboff.
1773
1774         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1775         straightforward. We inline the various get*/set* operations as intrinsics.
1776         
1777         This patch takes the most obvious approach for now. We OSR exit when:
1778         - An isLittleEndian argument is provided, and is not a boolean.
1779         - The index isn't an integer.
1780         - The |this| isn't a DataView.
1781         - We do an OOB access (or see a neutered array)
1782         
1783         To implement this change in a performant way, this patch teaches the macro
1784         assembler how to emit byte swap operations. The semantics of the added functions
1785         are byteSwap + zero extend. This means for the 16bit byte swaps, we need
1786         to actually emit zero extend instructions. For the 32/64bit byte swaps,
1787         the instructions already have these semantics.
1788         
1789         This patch is just a lightweight initial implementation. There are some easy
1790         extensions we can do in future changes:
1791         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1792         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1793
1794         * assembler/MacroAssemblerARM64.h:
1795         (JSC::MacroAssemblerARM64::byteSwap16):
1796         (JSC::MacroAssemblerARM64::byteSwap32):
1797         (JSC::MacroAssemblerARM64::byteSwap64):
1798         * assembler/MacroAssemblerX86Common.h:
1799         (JSC::MacroAssemblerX86Common::byteSwap32):
1800         (JSC::MacroAssemblerX86Common::byteSwap16):
1801         (JSC::MacroAssemblerX86Common::byteSwap64):
1802         * assembler/X86Assembler.h:
1803         (JSC::X86Assembler::bswapl_r):
1804         (JSC::X86Assembler::bswapq_r):
1805         (JSC::X86Assembler::shiftInstruction16):
1806         (JSC::X86Assembler::rolw_i8r):
1807         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1808         * assembler/testmasm.cpp:
1809         (JSC::testByteSwap):
1810         (JSC::run):
1811         * bytecode/DataFormat.h:
1812         * bytecode/SpeculatedType.cpp:
1813         (JSC::dumpSpeculation):
1814         (JSC::speculationFromClassInfo):
1815         (JSC::speculationFromJSType):
1816         (JSC::speculationFromString):
1817         * bytecode/SpeculatedType.h:
1818         * dfg/DFGAbstractInterpreterInlines.h:
1819         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1820         * dfg/DFGByteCodeParser.cpp:
1821         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1822         * dfg/DFGClobberize.h:
1823         (JSC::DFG::clobberize):
1824         * dfg/DFGDoesGC.cpp:
1825         (JSC::DFG::doesGC):
1826         * dfg/DFGFixupPhase.cpp:
1827         (JSC::DFG::FixupPhase::fixupNode):
1828         * dfg/DFGNode.h:
1829         (JSC::DFG::Node::hasHeapPrediction):
1830         (JSC::DFG::Node::dataViewData):
1831         * dfg/DFGNodeType.h:
1832         * dfg/DFGPredictionPropagationPhase.cpp:
1833         * dfg/DFGSafeToExecute.h:
1834         (JSC::DFG::SafeToExecuteEdge::operator()):
1835         (JSC::DFG::safeToExecute):
1836         * dfg/DFGSpeculativeJIT.cpp:
1837         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1838         (JSC::DFG::SpeculativeJIT::speculate):
1839         * dfg/DFGSpeculativeJIT.h:
1840         * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
        (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
        (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
        (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSDataViewPrototype.cpp:

2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [YARR] Extend size of fixed characters bulk matching in 64bit platform
        https://bugs.webkit.org/show_bug.cgi?id=181989

        Reviewed by Michael Saboff.

        This patch extends bulk matching style for fixed-sized characters.
        In 64bit environment, the GPR can hold up to 8 characters. This change
        reduces the code size since we can fuse multiple `mov` operations into one.

        * assembler/LinkBuffer.h:
        * runtime/Options.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::compile):

2018-08-20  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow breakpoints to be set for specific event listeners
        https://bugs.webkit.org/show_bug.cgi?id=183138

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
        takes an `eventListenerId` and toggles whether that specific usage of that event listener
        should have a breakpoint and pause before running.

2018-08-20  Mark Lam  <mark.lam@apple.com>

        Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
        https://bugs.webkit.org/show_bug.cgi?id=188769

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm:
        - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
          so that libunwind doesn't get confused by the 2 labels pointing to the same
          code address.

2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Add API to throw exceptions using printf formatted strings
        https://bugs.webkit.org/show_bug.cgi?id=188698

        Reviewed by Michael Catanzaro.

        Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
        JSCException using printf formatted string.

        * API/glib/JSCContext.cpp:
        (jsc_context_throw_printf):
        (jsc_context_throw_with_name_printf):
        * API/glib/JSCContext.h:
        * API/glib/JSCException.cpp:
        (jsc_exception_new_printf):
        (jsc_exception_new_vprintf):
        (jsc_exception_new_with_name_printf):
        (jsc_exception_new_with_name_vprintf):
        * API/glib/JSCException.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] Complete the JSCException API
        https://bugs.webkit.org/show_bug.cgi?id=188695

        Reviewed by Michael Catanzaro.

        Add more API to JSCException:
         - New function to get the column number
         - New function to get the exception as a string (toString())
         - Add the possibility to create exceptions with a custom error name.
         - New function to get the exception error name
         - New function to get the exception backtrace.
         - New convenience function to report an exception by returning a formatted string with all the exception
           details, to be shown as a user error message.

        * API/glib/JSCContext.cpp:
        (jsc_context_throw_with_name):
        * API/glib/JSCContext.h:
        * API/glib/JSCException.cpp:
        (jscExceptionEnsureProperties):
        (jsc_exception_new):
        (jsc_exception_new_with_name):
        (jsc_exception_get_name):
        (jsc_exception_get_column_number):
        (jsc_exception_get_back_trace_string):
        (jsc_exception_to_string):
        (jsc_exception_report):
        * API/glib/JSCException.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2018-08-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r234852.
        https://bugs.webkit.org/show_bug.cgi?id=188736

        Workaround is not correct (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[JSC] Should not rotate constant with 64"
        https://bugs.webkit.org/show_bug.cgi?id=188556
        https://trac.webkit.org/changeset/234852

2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
        https://bugs.webkit.org/show_bug.cgi?id=188716

        Reviewed by Darin Adler.

        Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
        The compiler can emit appropriate mov operations in x86 even if we use these
        helper functions.

        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::linkJump):
        (JSC::X86Assembler::readPointer):
        (JSC::X86Assembler::replaceWithHlt):
        (JSC::X86Assembler::replaceWithJump):
        (JSC::X86Assembler::setPointer):
        (JSC::X86Assembler::setInt32):
        (JSC::X86Assembler::setInt8):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
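
Added example, not WTF's unalignedLoad/unalignedStore (whose exact signatures are not shown in this entry): the memcpy-based approach the entry describes, applied to the kind of misaligned embedded immediate that the getOpcodeID note refers to. The `unaligned` namespace, `EncodedInstruction` and the one-byte-opcode-plus-32-bit-immediate layout are constructed for illustration.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <type_traits>

// Added example, not WTF's code: memcpy-based access to a scalar at an address
// that need not satisfy alignof(T). Dereferencing a misaligned T* is undefined
// behaviour (UBSan reports it as a misaligned access); memcpy is defined for
// any address and x86 compilers lower a fixed-size memcpy to a plain mov.
namespace unaligned {

template<typename T>
T load(const void* address)
{
    static_assert(std::is_trivially_copyable<T>::value, "load needs a trivially copyable type");
    T value;
    std::memcpy(&value, address, sizeof(T));
    return value;
}

template<typename T>
void store(void* address, T value)
{
    static_assert(std::is_trivially_copyable<T>::value, "store needs a trivially copyable type");
    std::memcpy(address, &value, sizeof(T));
}

// Constructed sample: a one-byte opcode followed by a 32-bit immediate, so the
// immediate sits at offset 1 and is never 4-byte aligned. This is the shape of
// the "embedded opcode may be misaligned" case the entry mentions.
struct EncodedInstruction {
    std::array<uint8_t, 5> bytes;
};

inline EncodedInstruction encode(uint8_t opcode, uint32_t immediate)
{
    EncodedInstruction instruction {};
    instruction.bytes[0] = opcode;
    store<uint32_t>(instruction.bytes.data() + 1, immediate);
    return instruction;
}

inline uint32_t immediateOf(const EncodedInstruction& instruction)
{
    return load<uint32_t>(instruction.bytes.data() + 1);
}

// Rewriting an already-emitted immediate in place, as a linker does when it
// patches a jump target or a pointer.
inline void patchImmediate(EncodedInstruction& instruction, uint32_t immediate)
{
    store<uint32_t>(instruction.bytes.data() + 1, immediate);
}

} // namespace unaligned
```

Under optimisation both `load<uint32_t>` and `store<uint32_t>` become a single `mov` on x86, as the entry says, so the defined-behaviour form costs nothing against a raw pointer dereference; what changes is that UBSan's alignment checker no longer has anything to report.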

2018-08-17  Saam barati  <sbarati@apple.com>

        intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
        https://bugs.webkit.org/show_bug.cgi?id=188707
        <rdar://problem/43015442>

        Reviewed by Mark Lam.

        We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
        OSR enter at the head of a block. We verify it's safe to OSR enter by checking
        that each incoming value is compatible with its corresponding AbstractValue.

        The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
        with abstract values that were clobbered. This meant that the value we're
        verifying with at OSR entry effectively has an infinite structure set because
        it's clobbered. So, imagine we have code like this:
        ```
        ---> We OSR enter here, and we're clobbered here
        InvalidationPoint
        GetByOffset(@base)
        ```

        The abstract value for @base inside intersectionOfPastValuesAtHead has a
        clobbered structure set, so we'd allow an incoming object with any
        structure. However, this is wrong because the invalidation point is no
        longer fulfilling its promise that it filters the structure that @base has.

        We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
        as if the incoming value may be live past an InvalidationPoint.
        This places a stricter requirement that to safely OSR enter at any basic
        block, all incoming values must be compatible as if they lived past
        the execution of an invalidation point.

        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):

2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>

        [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
        https://bugs.webkit.org/show_bug.cgi?id=188589

        Reviewed by Mark Lam.
        And reviewed by Yusuke Suzuki for Hironori's change.

        Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
        UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".

        - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
        - We make GPRReg and FPRReg int8_t enums.
        - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
        - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
          if `enum : int8_t` is used instead of `enum`.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MIPSAssembler.h:
        * assembler/MacroAssembler.h:
        * assembler/X86Assembler.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::clampArrayToSize):
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::JSValueRegs):
        (JSC::JSValueRegs::tagGPR const):
        (JSC::JSValueRegs::payloadGPR const):
        (JSC::JSValueSource::JSValueSource):
        (JSC::JSValueSource::unboxedCell):
        (JSC::JSValueSource::operator bool const):
        (JSC::JSValueSource::base const):
        (JSC::JSValueSource::tagGPR const):
        (JSC::JSValueSource::payloadGPR const):
        (JSC::JSValueSource::hasKnownTag const):

2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] alignas for RegisterState should respect alignof(RegisterState) too
        https://bugs.webkit.org/show_bug.cgi?id=188686

        Reviewed by Saam Barati.

        RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
        for `alignof` for RegisterState.

        * heap/RegisterState.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
        https://bugs.webkit.org/show_bug.cgi?id=188571

        Reviewed by Saam Barati.

        UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
        allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
        without considering their alignment. This patch adds DisjunctionContext::allocationSize
        and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
        The size is always rounded to `sizeof(void*)` so that these classes are always allocated
        with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
        than or equal to `sizeof(void*)` by `static_assert`.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
        (JSC::Yarr::Interpreter::allocDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
        (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
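
Added example, not JSC's YarrInterpreter or WTF's BumpPointerAllocator: a minimal bump allocator that does no alignment of its own, and a variable-size context type whose allocationSize() rounds the byte count up to sizeof(void*) so that whatever is allocated next starts pointer-aligned. The static_assert on alignof mirrors the check the entry adds. `bump::Allocator`, `Context` and its slot layout are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not JSC's code. A bump allocator hands out consecutive byte
// ranges; if one object's size is not a multiple of sizeof(void*), the object
// allocated after it lands on a misaligned address, which is what UBSan flagged.
namespace bump {

constexpr size_t roundUpToPointerSize(size_t size)
{
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

inline bool isPointerAligned(const void* pointer)
{
    return reinterpret_cast<uintptr_t>(pointer) % sizeof(void*) == 0;
}

// A context with a trailing array of 32-bit slots allocated inline. For an odd
// number of slots the raw size is not a multiple of 8 on 64-bit platforms,
// which is exactly the case the rounding fixes.
struct Context {
    uint32_t matchBegin;
    uint32_t slots[1]; // really slotCount entries

    static size_t allocationSize(unsigned slotCount)
    {
        size_t extraSlots = slotCount > 1 ? slotCount - 1 : 0;
        return roundUpToPointerSize(sizeof(Context) + sizeof(uint32_t) * extraSlots);
    }
};
// Rounding the size to sizeof(void*) only produces correctly aligned objects
// if the type does not demand more than pointer alignment.
static_assert(alignof(Context) <= sizeof(void*), "Context must not require more than pointer alignment");

class Allocator {
public:
    explicit Allocator(size_t capacityBytes)
        : m_storage((capacityBytes + sizeof(void*) - 1) / sizeof(void*)) { }

    // Hands out `size` bytes at the current offset; the caller is responsible
    // for passing sizes that keep the next allocation aligned.
    void* allocate(size_t size)
    {
        size_t capacity = m_storage.size() * sizeof(void*);
        if (size > capacity - m_offset)
            return nullptr;
        void* result = reinterpret_cast<uint8_t*>(m_storage.data()) + m_offset;
        m_offset += size;
        return result;
    }

private:
    std::vector<void*> m_storage; // void* elements so the base address is pointer-aligned
    size_t m_offset { 0 };
};

// Allocates a first chunk of `firstSize` bytes and reports whether the chunk
// that follows it is pointer-aligned: false for a raw 12-byte Context on a
// 64-bit platform, true once the size has gone through Context::allocationSize().
inline bool nextChunkIsAlignedAfter(size_t firstSize)
{
    Allocator allocator(256);
    allocator.allocate(firstSize);
    return isPointerAligned(allocator.allocate(sizeof(void*)));
}

} // namespace bump
```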

2018-08-15  Keith Miller  <keith_miller@apple.com>

        Remove evernote hacks
        https://bugs.webkit.org/show_bug.cgi?id=188591

        Reviewed by Joseph Pecoraro.

        The hack was added in 2012 and the evernote app seems to work now.
        It's probably not needed anymore.

        * API/JSValueRef.cpp:
        (JSValueUnprotect):
        (evernoteHackNeeded): Deleted.

2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>

        Unreviewed, rolling out r234874 and r234876.

        WinCairo port can't compile

        Reverted changesets:

        "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
        https://bugs.webkit.org/show_bug.cgi?id=188589
        https://trac.webkit.org/changeset/234874

        "Unreviewed, attempt to fix CLoop build"
        https://bugs.webkit.org/show_bug.cgi?id=188589
        https://trac.webkit.org/changeset/234876

2018-08-14  Saam barati  <sbarati@apple.com>

        HashMap<Ref<P>, V> asserts when V is not zero for its empty value
        https://bugs.webkit.org/show_bug.cgi?id=188582

        Reviewed by Sam Weinig.

        * runtime/SparseArrayValueMap.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Unreviewed, attempt to fix CLoop build
        https://bugs.webkit.org/show_bug.cgi?id=188589

        * assembler/MacroAssembler.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
        https://bugs.webkit.org/show_bug.cgi?id=188589

        Reviewed by Mark Lam.

        Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
        UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".

        1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
        2. We make GPRReg and FPRReg int8_t enums.
        3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.

        * assembler/ARM64Assembler.h:
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MIPSAssembler.h:
        * assembler/X86Assembler.h:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::JSValueRegs):
        (JSC::JSValueRegs::tagGPR const):
        (JSC::JSValueRegs::payloadGPR const):
        (JSC::JSValueSource::JSValueSource):
        (JSC::JSValueSource::unboxedCell):
        (JSC::JSValueSource::operator bool const):
        (JSC::JSValueSource::base const):
        (JSC::JSValueSource::tagGPR const):
        (JSC::JSValueSource::payloadGPR const):
        (JSC::JSValueSource::hasKnownTag const):

2018-08-14  Keith Miller  <keith_miller@apple.com>

        Add missing availability macro.
        https://bugs.webkit.org/show_bug.cgi?id=188563

        Reviewed by Mark Lam.

        * API/JSValueRef.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
        https://bugs.webkit.org/show_bug.cgi?id=188560

        Reviewed by Keith Miller.

        While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
        it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
        uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
        `m_wasSeenInJIT { false }`.

        * bytecode/GetByIdStatus.h:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
        https://bugs.webkit.org/show_bug.cgi?id=188557

        Reviewed by Mark Lam.

        DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
        processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
        in UBSan's result.

        * dfg/DFGPredictionPropagationPhase.cpp:

2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Should not rotate constant with 64
        https://bugs.webkit.org/show_bug.cgi?id=188556

        Reviewed by Mark Lam.

        To defend against JIT spraying, we rotate a constant with a randomly generated seed.
        But if a seed becomes 64, the following code performs `value << 64` where value's type
        is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed to the
        range [0, 64) so as not to generate code causing UBs. This is found by UBSan.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::generateRotationSeed):
        (JSC::MacroAssembler::rotationBlindConstant):
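
Added example, not JSC's MacroAssembler: the rotation-blinding scheme the entry describes, with the seed limited to [0, 64) and rotate helpers that never shift by 64. The names `blinding::generateRotationSeed`, `BlindedConstant`, `blind` and `unblind`, and the use of std::mt19937_64 as the seed source, are assumptions for illustration.

```cpp
#include <cstdint>
#include <random>

// Added example, not JSC's code. A rotation built from two shifts is only
// defined for counts in [0, 64); `value << 64` on a uint64_t is undefined
// behaviour, which is the bug the entry fixes by keeping the seed below 64.
namespace blinding {

// Both helpers mask the count to [0, 64) and special-case 0 so that neither
// of the two shifts can ever be by 64.
inline uint64_t rotateLeft(uint64_t value, unsigned count)
{
    count &= 63;
    if (!count)
        return value;
    return (value << count) | (value >> (64 - count));
}

inline uint64_t rotateRight(uint64_t value, unsigned count)
{
    count &= 63;
    if (!count)
        return value;
    return (value >> count) | (value << (64 - count));
}

// The seed must be in [0, 64). Masking with 63 is the range limit the entry
// describes; a seed of exactly 64 would have produced a 64-bit shift.
inline unsigned generateRotationSeed(std::mt19937_64& rng)
{
    return static_cast<unsigned>(rng() & 63);
}

// The rotated form is what would be embedded in emitted code; the seed is
// the count the emitted code rotates by to recover the real constant, so the
// attacker-chosen byte pattern never appears verbatim in executable memory.
struct BlindedConstant {
    uint64_t rotated;
    unsigned seed;
};

inline BlindedConstant blind(uint64_t constant, std::mt19937_64& rng)
{
    unsigned seed = generateRotationSeed(rng);
    return { rotateRight(constant, seed), seed };
}

inline uint64_t unblind(const BlindedConstant& blinded)
{
    return rotateLeft(blinded.rotated, blinded.seed);
}

// Exercises every legal seed, including the edge values 0 and 63.
inline bool roundTripsForAllSeeds(uint64_t constant)
{
    for (unsigned seed = 0; seed < 64; ++seed) {
        if (rotateLeft(rotateRight(constant, seed), seed) != constant)
            return false;
    }
    return true;
}

} // namespace blinding
```

roundTripsForAllSeeds walks every seed including 0 and 63, the two values where a naive `(v << n) | (v >> (64 - n))` reaches a shift by 64; building this with -fsanitize=undefined reproduces the check UBSan performed on the real code.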

2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>

        Disable JIT on IA-32 without SSE2
        https://bugs.webkit.org/show_bug.cgi?id=188476

        Reviewed by Michael Catanzaro.

        Including the missing header (MacroAssembler.h) on operating systems
        other than Windows too.

        * runtime/Options.cpp:

2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>

        Disable JIT on IA-32 without SSE2
        https://bugs.webkit.org/show_bug.cgi?id=188476

        Reviewed by Yusuke Suzuki.

        On IA-32 CPUs without SSE2 most of the webpages cannot load
        if the JIT is turned on.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.log fires getters for deep properties
        https://bugs.webkit.org/show_bug.cgi?id=187542
        <rdar://problem/42873158>

        Reviewed by Saam Barati.

        * inspector/InjectedScriptSource.js:
        (RemoteObject.prototype._isPreviewableObject):
        Avoid getters/setters when checking for simple properties to preview.
        Here we avoid invoking `object[property]` if it could be a user getter.

2018-08-10  Keith Miller  <keith_miller@apple.com>

        Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
        https://bugs.webkit.org/show_bug.cgi?id=185127

        Reviewed by Saam Barati.

        Previously, we would truncate the indices passed to slice to an
        int. This meant that the value was not getting properly clamped
        later.

        This patch also removes a non-spec compliant check that slice was
        passed at least one argument.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::clampValue):
        (JSC::ArrayBuffer::clampIndex const):
        (JSC::ArrayBuffer::slice const):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::clampValue): Deleted.
        (JSC::ArrayBuffer::clampIndex const): Deleted.
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
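
Added example, not JSC's ArrayBuffer::slice: the index handling the entry describes, done in the double domain before any narrowing to an integer, so that an end index such as 2^40 clamps to the buffer length instead of being truncated first. `slicing::clampIndex`, `sliceRange` and the `hasEnd` flag (standing in for an omitted end argument, which is the case the removed argument-count check used to reject) are assumptions for illustration.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>

// Added example, not JSC's code. ECMAScript's ArrayBuffer.prototype.slice
// resolves start/end as mathematical values: NaN becomes 0, negatives count
// from the end, and the result is clamped into [0, byteLength]. Converting a
// huge or negative double to int before clamping (the behaviour the entry
// fixes) loses the information the clamp needs, and for out-of-range doubles
// the conversion itself is undefined behaviour in C++.
namespace slicing {

inline uint32_t clampIndex(double index, uint32_t length)
{
    if (std::isnan(index))
        index = 0;
    index = std::trunc(index); // ToIntegerOrInfinity: +/-inf survive, fractions are dropped
    double end = static_cast<double>(length);
    if (index < 0)
        return static_cast<uint32_t>(std::max(end + index, 0.0));
    return static_cast<uint32_t>(std::min(index, end));
}

struct SliceRange {
    uint32_t begin;
    uint32_t end;
    // An end before the begin yields an empty buffer, never a negative length.
    uint32_t byteLength() const { return end > begin ? end - begin : 0; }
};

// `hasEnd == false` models an omitted end argument, which means "to the end".
inline SliceRange sliceRange(uint32_t length, double begin, double end, bool hasEnd)
{
    SliceRange range;
    range.begin = clampIndex(begin, length);
    range.end = hasEnd ? clampIndex(end, length) : length;
    return range;
}

} // namespace slicing
```

Every conversion to uint32_t happens only after the value has been clamped into [0, length], so no double outside the representable range ever reaches a static_cast; that ordering, not the clamp itself, is the point of the fix.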

2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Date.UTC should not return NaN with only Year param
        https://bugs.webkit.org/show_bug.cgi?id=188378

        Reviewed by Keith Miller.

        Date.UTC requires one argument for |year|. But the other ones are optional.
        This patch fixes this handling.

        * runtime/DateConstructor.cpp:
        (JSC::millisecondsFromComponents):

2018-08-08  Keith Miller  <keith_miller@apple.com>

        Array.prototype.sort should call @toLength instead of ">>> 0"
        https://bugs.webkit.org/show_bug.cgi?id=188430

        Reviewed by Saam Barati.

        Also add a new function to $vm that will fetch a private
        property. This can be useful for running builtin helper functions.

        * builtins/ArrayPrototype.js:
        (sort):
        * tools/JSDollarVM.cpp:
        (JSC::functionGetPrivateProperty):
        (JSC::JSDollarVM::finishCreation):

2018-08-08  Keith Miller  <keith_miller@apple.com>

        Array.prototype.sort should throw TypeError if param is not a callable object
        https://bugs.webkit.org/show_bug.cgi?id=188382

        Reviewed by Saam Barati.

        Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
        before doing anything else.

        Also, refactor the various helper functions to use let instead of var.

        * builtins/ArrayPrototype.js:
        (sort.stringComparator):
        (sort.compactSparse):
        (sort.compactSlow):
        (sort.compact):
        (sort.merge):
        (sort.mergeSort):
        (sort.bucketSort):
        (sort.comparatorSort):
        (sort.stringSort):
        (sort):

2018-08-08  Michael Saboff  <msaboff@apple.com>

        Yarr JIT should include annotations with dumpDisassembly=true
        https://bugs.webkit.org/show_bug.cgi?id=188415

        Reviewed by Yusuke Suzuki.

        Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
        Given that the Yarr creates matching code by going through the YarrPattern ops forward and
        then the backtracking code through the YarrPattern ops in reverse order, the disassembler
        needs to do the same thing.

        Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
        out simple methods for what was needed by the YarrDisassembler.

        Here is abbreviated sample output after this change.

        Generated JIT code for 8-bit regular expression /ab*c/:
            Code at [0x469561c03720, 0x469561c03840):
                0x469561c03720: push %rbp
                0x469561c03721: mov %rsp, %rbp
                ...
                0x469561c03762: sub $0x40, %rsp
             == Matching ==
           0:OpBodyAlternativeBegin minimum size 2
                0x469561c03766: add $0x2, %esi
                0x469561c03769: cmp %edx, %esi
                0x469561c0376b: ja 0x469561c037fa
           1:OpTerm TypePatternCharacter 'a'
                0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
                0x469561c03776: cmp $0x61, %eax
                0x469561c03779: jnz 0x469561c037e9
           2:OpTerm TypePatternCharacter 'b' {0,...} greedy
                0x469561c0377f: xor %r9d, %r9d
                0x469561c03782: cmp %edx, %esi
                0x469561c03784: jz 0x469561c037a2
                ...
                0x469561c0379d: jmp 0x469561c03782
                0x469561c037a2: mov %r9, 0x8(%rsp)
           3:OpTerm TypePatternCharacter 'c'
                0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
                0x469561c037ac: cmp $0x63, %eax
                0x469561c037af: jnz 0x469561c037d1
           4:OpBodyAlternativeEnd
                0x469561c037b5: add $0x40, %rsp
                ...
                0x469561c037cf: pop %rbp
                0x469561c037d0: ret
             == Backtracking ==
           4:OpBodyAlternativeEnd
           3:OpTerm TypePatternCharacter 'c'
           2:OpTerm TypePatternCharacter 'b' {0,...} greedy
                0x469561c037d1: mov 0x8(%rsp), %r9
                ...
                0x469561c037e4: jmp 0x469561c037a2
           1:OpTerm TypePatternCharacter 'a'
           0:OpBodyAlternativeBegin minimum size 2
                0x469561c037e9: mov %rsi, %rax
                ...
                0x469561c0382f: pop %rbp
                0x469561c03830: ret

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrDisassembler.cpp: Added.
        (JSC::Yarr::YarrDisassembler::indentString):
        (JSC::Yarr::YarrDisassembler::YarrDisassembler):
        (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
        (JSC::Yarr::YarrDisassembler::dump):
        (JSC::Yarr::YarrDisassembler::dumpHeader):
        (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
        (JSC::Yarr::YarrDisassembler::dumpForInstructions):
        (JSC::Yarr::YarrDisassembler::dumpDisassembly):
        * yarr/YarrDisassembler.h: Added.
        (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
        (JSC::Yarr::YarrDisassembler::setStartOfCode):
        (JSC::Yarr::YarrDisassembler::setForGenerate):
        (JSC::Yarr::YarrDisassembler::setForBacktrack):
        (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
        (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
        (JSC::Yarr::YarrDisassembler::setEndOfCode):
        (JSC::Yarr::YarrDisassembler::indentString):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        * yarr/YarrJIT.h:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPatternString):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:

2018-08-05  Darin Adler  <darin@apple.com>

        [Cocoa] More tweaks and refactoring to prepare for ARC
        https://bugs.webkit.org/show_bug.cgi?id=188245

        Reviewed by Dan Bernstein.

        * API/JSValue.mm: Use __unsafe_unretained.
        (JSContainerConvertor::convert): Use auto for compatibility with the above.
        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
        (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.

        * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.

2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
        https://bugs.webkit.org/show_bug.cgi?id=188328

        Reviewed by Saam Barati.

        Shrinking the size of PropertyCondition can improve memory consumption by a lot.
        For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
        and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
        as a member field.

        This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
        PropertyCondition::Kind into uint64_t data in 64bit architecture. Since our addresses
        are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
        To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
        folds a pointer and 1byte type into 64bit data.

        This change shrinks PropertyCondition from 24bytes to 16bytes.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isStillValid const):
        (JSC::PropertyCondition::isWatchableWhenValid const):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::PropertyCondition):
        (JSC::PropertyCondition::presenceWithoutBarrier):
        (JSC::PropertyCondition::absenceWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::equivalenceWithoutBarrier):
        (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
        (JSC::PropertyCondition::operator bool const):
        (JSC::PropertyCondition::kind const):
        (JSC::PropertyCondition::uid const):
        (JSC::PropertyCondition::hasOffset const):
        (JSC::PropertyCondition::hasAttributes const):
        (JSC::PropertyCondition::hasPrototype const):
        (JSC::PropertyCondition::hasRequiredValue const):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        (JSC::PropertyCondition::isHashTableDeletedValue const):
        (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
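
Added example, not WTF's CompactPointerTuple or JSC's PropertyCondition: a pointer and a one-byte kind packed into one 64-bit word, with the 48-bit-address assumption the entry relies on checked at store time rather than trusted. The class name follows the entry; the `Kind` enum, the `UniquedStringImpl` stand-in and the `PropertyCondition` layout are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstdlib>

// Added example, not WTF's code. On the 64-bit platforms the entry targets,
// user-space addresses fit in the low 48 bits, so the top byte of the word is
// free to carry a one-byte type. The assumption is enforced in set(): a
// pointer with high bits set would otherwise be silently truncated, and a
// truncated pointer is a memory-safety bug, not a cosmetic one.
template<typename PointerType, typename Type>
class CompactPointerTuple {
    static_assert(sizeof(void*) == 8, "packing relies on a 64-bit pointer");
    static_assert(sizeof(Type) == 1, "the packed type must fit in one byte");

public:
    CompactPointerTuple() = default;
    CompactPointerTuple(PointerType pointer, Type type) { set(pointer, type); }

    PointerType pointer() const { return reinterpret_cast<PointerType>(m_data & pointerMask); }
    Type type() const { return static_cast<Type>(static_cast<uint8_t>(m_data >> typeShift)); }
    void setPointer(PointerType pointer) { set(pointer, type()); }
    void setType(Type type) { set(pointer(), type); }
    uint64_t rawBits() const { return m_data; }

private:
    static constexpr uint64_t pointerMask = (uint64_t(1) << 48) - 1;
    static constexpr unsigned typeShift = 56; // the top byte holds the type

    void set(PointerType pointer, Type type)
    {
        uint64_t address = reinterpret_cast<uint64_t>(pointer);
        if (address & ~pointerMask)
            std::abort(); // the 48-bit assumption no longer holds; fail loudly
        m_data = address | (uint64_t(static_cast<uint8_t>(type)) << typeShift);
    }

    uint64_t m_data { 0 };
};

// Stand-ins for the real types (assumptions for this example).
struct UniquedStringImpl { const char* characters; };
enum class Kind : uint8_t { Presence, Absence, AbsenceOfSetEffect, Equivalence, HasPrototype };

struct PropertyCondition {
    CompactPointerTuple<UniquedStringImpl*, Kind> header; // uid and kind in one word
    uint64_t payload;                                      // offset, attributes or value
};
// The pointer and the kind no longer occupy two words of their own.
static_assert(sizeof(PropertyCondition) == 16, "pointer and kind share one word");

inline PropertyCondition presence(UniquedStringImpl* uid, uint64_t offset)
{
    return { CompactPointerTuple<UniquedStringImpl*, Kind>(uid, Kind::Presence), offset };
}
```

The `static_assert(sizeof(PropertyCondition) == 16)` is the 24-to-16-byte shrink the entry reports, expressed as a compile-time check; the abort in set() turns a silently corrupted pointer into a visible failure if the 48-bit assumption ever stops holding on some platform.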

2018-08-07  Mark Lam  <mark.lam@apple.com>

        Use a more specific PtrTag for PlatformRegisters PC and LR.
        https://bugs.webkit.org/show_bug.cgi?id=188366
        <rdar://problem/42984123>

        Reviewed by Keith Miller.

        Also fixed a bug in linkRegister(), which was previously returning the PC instead
        of LR.  It now returns LR.

        * runtime/JSCPtrTag.h:
        * runtime/MachineContext.h:
        (JSC::MachineContext::instructionPointer):
        (JSC::MachineContext::linkRegister):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):

2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>

        Hardcoded LFENCE instruction
        https://bugs.webkit.org/show_bug.cgi?id=188145

        Reviewed by Filip Pizlo.

        Remove the lfence instruction because it is crashing systems without SSE2 and
        this is not the way WebKit mitigates Spectre.

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):

2018-08-04  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
        <https://webkit.org/b/188331>

        Reviewed by Yusuke Suzuki.

        * runtime/TemplateObjectDescriptor.h:
        (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
        Use `m_rawstrings` instead of `rawStrings` to calculate hash.

2018-08-03  Saam Barati  <sbarati@apple.com>

        Give the `jsc` shell the JIT entitlement
        https://bugs.webkit.org/show_bug.cgi?id=188324
        <rdar://problem/42885806>

        Reviewed by Dan Bernstein.

        This should help us in ensuring the system jsc is able to JIT.

        * Configurations/JSC.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * allow-jit-macOS.entitlements: Added.

2018-08-03  Alex Christensen  <achristensen@webkit.org>

        Fix spelling of "overridden"
        https://bugs.webkit.org/show_bug.cgi?id=188315

        Reviewed by Darin Adler.

        * API/JSExport.h:
        * inspector/InjectedScriptSource.js:

2018-08-02  Saam Barati  <sbarati@apple.com>

        Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
        https://bugs.webkit.org/show_bug.cgi?id=188271
        <rdar://problem/42850884>

        Reviewed by Michael Saboff.

        This patch defends against the instructionPointer containing garbage bits.
        See radar for details.

        * runtime/MachineContext.h:
        (JSC::MachineContext::instructionPointer):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::takeSample):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::tryCreate):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::SignalContext::tryCreate):
        (JSC::SignalContext::dump):
        (JSC::installCrashHandler):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):

2018-08-02  David Fenton  <david_fenton@apple.com>

        Unreviewed, rolling out r234489.

        Caused 50+ crashes and 60+ API failures on iOS

        Reverted changeset:

        "[WTF] Rename String::format to String::deprecatedFormat"
        https://bugs.webkit.org/show_bug.cgi?id=188191
        https://trac.webkit.org/changeset/234489

2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add self.queueMicrotask(f) on DOMWindow
        https://bugs.webkit.org/show_bug.cgi?id=188212

        Reviewed by Ryosuke Niwa.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
        (JSC::createJSMicrotask):
        Export them to WebCore.

        (JSC::JSMicrotask::run):
        * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
        Add another version of JSMicrotask which does not have arguments.

2018-08-01  Tomas Popela  <tpopela@redhat.com>
2647
2648         [WTF] Rename String::format to String::deprecatedFormat
2649         https://bugs.webkit.org/show_bug.cgi?id=188191
2650
2651         Reviewed by Darin Adler.
2652
2653         It should be replaced with string concatenation.
2654
2655         * bytecode/CodeBlock.cpp:
2656         (JSC::CodeBlock::nameForRegister):
2657         * inspector/InjectedScriptBase.cpp:
2658         (Inspector::InjectedScriptBase::makeCall):
2659         * inspector/InspectorBackendDispatcher.cpp:
2660         (Inspector::BackendDispatcher::getPropertyValue):
2661         * inspector/agents/InspectorConsoleAgent.cpp:
2662         (Inspector::InspectorConsoleAgent::enable):
2663         (Inspector::InspectorConsoleAgent::stopTiming):
2664         * jsc.cpp:
2665         (FunctionJSCStackFunctor::operator() const):
2666         * parser/Lexer.cpp:
2667         (JSC::Lexer<T>::invalidCharacterMessage const):
2668         * runtime/IntlDateTimeFormat.cpp:
2669         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2670         * runtime/IntlObject.cpp:
2671         (JSC::canonicalizeLocaleList):
2672         * runtime/LiteralParser.cpp:
2673         (JSC::LiteralParser<CharType>::Lexer::lex):
2674         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2675         (JSC::LiteralParser<CharType>::parse):
2676         * runtime/LiteralParser.h:
2677         (JSC::LiteralParser::getErrorMessage):
2678
2679 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2680
2681         [INTL] Allow "unknown" formatToParts types
2682         https://bugs.webkit.org/show_bug.cgi?id=188176
2683
2684         Reviewed by Darin Adler.
2685
2686         Originally extra unexpected field types were marked as "literal", since
2687         the spec did not account for these. The ECMA 402 spec has since been updated
2688         to specify "unknown" should be used in these cases.
2689
2690         Currently there is no known way to reach these cases, so no tests can
2691         account for them. Theoretically they shouldn't exist, but they are specified,
2692         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2693         will make such cases easy to identify if they ever happen.
2694
2695         * runtime/IntlDateTimeFormat.cpp:
2696         (JSC::IntlDateTimeFormat::partTypeString):
2697         * runtime/IntlNumberFormat.cpp:
2698         (JSC::IntlNumberFormat::partTypeString):
2699
2700 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2701
2702         [INTL] Implement hourCycle in DateTimeFormat
2703         https://bugs.webkit.org/show_bug.cgi?id=188006
2704
2705         Reviewed by Darin Adler.
2706
2707         Implemented hourCycle, updating both the skeleton and the final pattern.
2708         Changed resolveLocale to assume undefined options are not given and null
2709         strings actually mean null, which removes the tag extension.
2710
2711         * runtime/CommonIdentifiers.h:
2712         * runtime/IntlCollator.cpp:
2713         (JSC::IntlCollator::initializeCollator):
2714         * runtime/IntlDateTimeFormat.cpp:
2715         (JSC::IntlDTFInternal::localeData):
2716         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2717         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2718         (JSC::IntlDateTimeFormat::resolvedOptions):
2719         * runtime/IntlDateTimeFormat.h:
2720         * runtime/IntlObject.cpp:
2721         (JSC::resolveLocale):
2722
2723 2018-08-01  Keith Miller  <keith_miller@apple.com>
2724
2725         JSArrayBuffer should have its own JSType
2726         https://bugs.webkit.org/show_bug.cgi?id=188231
2727
2728         Reviewed by Saam Barati.
2729
2730         * runtime/JSArrayBuffer.cpp:
2731         (JSC::JSArrayBuffer::createStructure):
2732         * runtime/JSCast.h:
2733         * runtime/JSType.h:
2734
2735 2018-07-31  Keith Miller  <keith_miller@apple.com>
2736
2737         Unreviewed 32-bit build fix...
2738
2739         * dfg/DFGSpeculativeJIT32_64.cpp:
2740
2741 2018-07-31  Keith Miller  <keith_miller@apple.com>
2742
2743         Long compiling JSC files should not be unified
2744         https://bugs.webkit.org/show_bug.cgi?id=188205
2745
2746         Reviewed by Saam Barati.
2747
2748         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2749         to compile. Unifying them means touching anything in the same
2750         bundle as those files takes a long time to incrementally build.
2751         This patch separates those files so they build standalone.
2752
2753         * JavaScriptCore.xcodeproj/project.pbxproj:
2754         * Sources.txt:
2755         * dfg/DFGSpeculativeJIT64.cpp:
2756
2757 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2758
2759         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2760         https://bugs.webkit.org/show_bug.cgi?id=188201
2761
2762         Reviewed by Keith Miller.
2763
2764         We do not reuse the existing butterfly with Contiguous shape for a new ArrayStorage butterfly.
2765         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2766         new one. So this cellLock() is unnecessary for contiguous shape, since a contiguous-shaped butterfly
2767         never enters a broken state. This patch removes the unnecessary locking.
2768
2769         * runtime/JSObject.cpp:
2770         (JSC::JSObject::visitButterflyImpl):
2771
2772 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2773
2774         [JSC] Remove gcc warnings for 32-bit platforms
2775         https://bugs.webkit.org/show_bug.cgi?id=187803
2776
2777         Reviewed by Yusuke Suzuki.
2778
2779         * assembler/MacroAssemblerPrinter.cpp:
2780         (JSC::Printer::printPCRegister):
2781         (JSC::Printer::printRegisterID):
2782         (JSC::Printer::printAddress):
2783         * dfg/DFGSpeculativeJIT.cpp:
2784         (JSC::DFG::SpeculativeJIT::speculateNumber):
2785         (JSC::DFG::SpeculativeJIT::speculateMisc):
2786         * jit/CCallHelpers.h:
2787         (JSC::CCallHelpers::calculatePokeOffset):
2788         * runtime/Options.cpp:
2789         (JSC::parse):
2790
2791 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2792
2793         watchOS engineering build is broken after r234227
2794         https://bugs.webkit.org/show_bug.cgi?id=188180
2795
2796         Reviewed by Keith Miller.
2797
2798         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2799         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2800         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2801         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2802
2803         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2804         entirely, since there's no relevant version to replace them with.
2805
2806         * postprocess-headers.sh:
2807
2808 2018-07-30  Keith Miller  <keith_miller@apple.com>
2809
2810         Clarify conversion rules for JSValue property access API
2811         https://bugs.webkit.org/show_bug.cgi?id=188179
2812
2813         Reviewed by Geoffrey Garen.
2814
2815         * API/JSValue.h:
2816
2817 2018-07-30  Keith Miller  <keith_miller@apple.com>
2818
2819         Rename some JSC API functions/types.
2820         https://bugs.webkit.org/show_bug.cgi?id=188173
2821
2822         Reviewed by Saam Barati.
2823
2824         * API/JSObjectRef.cpp:
2825         (JSObjectHasPropertyForKey):
2826         (JSObjectGetPropertyForKey):
2827         (JSObjectSetPropertyForKey):
2828         (JSObjectDeletePropertyForKey):
2829         (JSObjectHasPropertyKey): Deleted.
2830         (JSObjectGetPropertyKey): Deleted.
2831         (JSObjectSetPropertyKey): Deleted.
2832         (JSObjectDeletePropertyKey): Deleted.
2833         * API/JSObjectRef.h:
2834         * API/JSValue.h:
2835         * API/JSValue.mm:
2836         (-[JSValue valueForProperty:]):
2837         (-[JSValue setValue:forProperty:]):
2838         (-[JSValue deleteProperty:]):
2839         (-[JSValue hasProperty:]):
2840         (-[JSValue defineProperty:descriptor:]):
2841         * API/tests/testapi.cpp:
2842         (TestAPI::run):
2843
2844 2018-07-30  Mark Lam  <mark.lam@apple.com>
2845
2846         Add a debugging utility to dump the memory layout of a JSCell.
2847         https://bugs.webkit.org/show_bug.cgi?id=188157
2848
2849         Reviewed by Yusuke Suzuki.
2850
2851         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2852         dump the memory contents of a cell and if present, its butterfly for debugging
2853         purposes.
2854
2855         Example usage for JS code when JSC_useDollarVM=true:
2856
2857             $vm.dumpCell(obj);
2858
2859         Example usage from C++ code or from lldb:
2860
2861             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2862
2863         Some examples of dumps:
2864
2865             <0x104bc8260, Object>
2866               [0] 0x104bc8260 : 0x010016000000016c header
2867                 structureID 364 0x16c structure 0x104b721b0
2868                 indexingTypeAndMisc 0 0x0 NonArray
2869                 type 22 0x16
2870                 flags 0 0x0
2871                 cellState 1
2872               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2873               [2] 0x104bc8270 : 0xffff000000000007
2874               [3] 0x104bc8278 : 0xffff000000000008
2875
2876             <0x104bb4360, Array>
2877               [0] 0x104bb4360 : 0x0108210b00000171 header
2878                 structureID 369 0x171 structure 0x104b723e0
2879                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2880                 type 33 0x21
2881                 flags 8 0x8
2882                 cellState 1
2883               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2884                 base 0x8000f46e0
2885                 hasIndexingHeader YES hasAnyArrayStorage YES
2886                 publicLength 4 vectorLength 7 indexBias 2
2887                 preCapacity 2 propertyCapacity 4
2888                   <--- preCapacity
2889                   [0] 0x8000f46e0 : 0x0000000000000000
2890                   [1] 0x8000f46e8 : 0x0000000000000000
2891                   <--- propertyCapacity
2892                   [2] 0x8000f46f0 : 0x0000000000000000
2893                   [3] 0x8000f46f8 : 0x0000000000000000
2894                   [4] 0x8000f4700 : 0xffff00000000000d
2895                   [5] 0x8000f4708 : 0xffff00000000000c
2896                   <--- indexingHeader
2897                   [6] 0x8000f4710 : 0x0000000700000004
2898                   <--- butterfly
2899                   <--- arrayStorage
2900                   [7] 0x8000f4718 : 0x0000000000000000
2901                   [8] 0x8000f4720 : 0x0000000400000002
2902                   <--- indexedProperties
2903                   [9] 0x8000f4728 : 0xffff000000000008
2904                   [10] 0x8000f4730 : 0xffff000000000009
2905                   [11] 0x8000f4738 : 0xffff000000000005
2906                   [12] 0x8000f4740 : 0xffff000000000006
2907                   [13] 0x8000f4748 : 0x0000000000000000
2908                   [14] 0x8000f4750 : 0x0000000000000000
2909                   [15] 0x8000f4758 : 0x0000000000000000
2910                   <--- unallocated capacity
2911                   [16] 0x8000f4760 : 0x0000000000000000
2912                   [17] 0x8000f4768 : 0x0000000000000000
2913                   [18] 0x8000f4770 : 0x0000000000000000
2914                   [19] 0x8000f4778 : 0x0000000000000000
2915
2916         * runtime/JSObject.h:
2917         * tools/JSDollarVM.cpp:
2918         (JSC::functionDumpCell):
2919         (JSC::JSDollarVM::finishCreation):
2920         * tools/VMInspector.cpp:
2921         (JSC::VMInspector::dumpCellMemory):
2922         (JSC::IndentationScope::IndentationScope):
2923         (JSC::IndentationScope::~IndentationScope):
2924         (JSC::VMInspector::dumpCellMemoryToStream):
2925         * tools/VMInspector.h:
2926
2927 2018-07-27  Mark Lam  <mark.lam@apple.com>
2928
2929         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2930         https://bugs.webkit.org/show_bug.cgi?id=188123
2931         <rdar://problem/42672268>
2932
2933         Reviewed by Keith Miller.
2934
2935         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2936            padding space in VM and Heap, and should not cost any measurable perf to
2937            initialize and update.
2938
2939         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2940
2941            worldState tells us the value we failed the assertion on.
2942
2943            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2944            that led us here.
2945
2946            VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
2947
2948            VM::isEntered() tells us if the current VM is currently executing JS code.
2949
2950            Some of this data may be redundant, but the redundancy is intentional so that
2951            we can double check what is really happening at the time of crash.
2952
2953         * heap/Heap.cpp:
2954         (JSC::asInt):
2955         (JSC::Heap::checkConn):
2956         (JSC::Heap::changePhase):
2957         * heap/Heap.h:
2958         * runtime/VM.cpp:
2959         (JSC::VM::nextID):
2960         (JSC::VM::VM):
2961         * runtime/VM.h:
2962         (JSC::VM::numberOfIDs):
2963         (JSC::VM::id const):
2964         (JSC::VM::isEntered const):
2965
2966 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2967
2968         [JSC] Record CoW status in ArrayProfile correctly
2969         https://bugs.webkit.org/show_bug.cgi?id=187949
2970
2971         Reviewed by Saam Barati.
2972
2973         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2974         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2975         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2976         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2977         Array::Generic DFG nodes.
2978
2979         * bytecode/ArrayProfile.h:
2980         (JSC::asArrayModes):
2981         (JSC::ArrayProfile::ArrayProfile):
2982         * dfg/DFGOSRExit.cpp:
2983         (JSC::DFG::OSRExit::compileExit):
2984         * ftl/FTLOSRExitCompiler.cpp:
2985         (JSC::FTL::compileStub):
2986         * runtime/IndexingType.h:
2987
2988 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2989
2990         [INTL] Remove INTL sub-feature compile flags
2991         https://bugs.webkit.org/show_bug.cgi?id=188081
2992
2993         Reviewed by Michael Catanzaro.
2994
2995         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2996         The runtime flags are still present, and should be relied on instead.
2997         The defines for ICU features have also been updated to match HAVE() style.
2998
2999         * Configurations/FeatureDefines.xcconfig:
3000         * runtime/IntlPluralRules.cpp:
3001         (JSC::IntlPluralRules::resolvedOptions):
3002         (JSC::IntlPluralRules::select):
3003         * runtime/IntlPluralRules.h:
3004         * runtime/Options.h:
3005
3006 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3007
3008         [JSC] Dump IndexingMode in Structure
3009         https://bugs.webkit.org/show_bug.cgi?id=188085
3010
3011         Reviewed by Keith Miller.
3012
3013         Dump IndexingMode instead of IndexingType.
3014
3015         * runtime/Structure.cpp:
3016         (JSC::Structure::dump const):
3017
3018 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
3019
3020         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
3021         https://bugs.webkit.org/show_bug.cgi?id=187963
3022
3023         Reviewed by Alex Christensen.
3024
3025         * inspector/InspectorBackendDispatcher.cpp:
3026         (Inspector::BackendDispatcher::dispatch):
3027         * jsc.cpp:
3028         (ModuleName::ModuleName):
3029         (resolvePath):
3030         * runtime/IntlObject.cpp:
3031         (JSC::canonicalizeLanguageTag):
3032         (JSC::removeUnicodeLocaleExtension):
3033         Update split/splitAllowingEmptyEntries usage.
3034
3035 2018-07-26  Commit Queue  <commit-queue@webkit.org>
3036
3037         Unreviewed, rolling out r234181 and r234189.
3038         https://bugs.webkit.org/show_bug.cgi?id=188075
3039
3040         These are not needed right now (Requested by thorton on
3041         #webkit).
3042
3043         Reverted changesets:
3044
3045         "Enable Web Content Filtering on watchOS"
3046         https://bugs.webkit.org/show_bug.cgi?id=187979
3047         https://trac.webkit.org/changeset/234181
3048
3049         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
3050         https://bugs.webkit.org/show_bug.cgi?id=187985
3051         https://trac.webkit.org/changeset/234189
3052
3053 2018-07-26  Mark Lam  <mark.lam@apple.com>
3054
3055         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
3056         https://bugs.webkit.org/show_bug.cgi?id=188065
3057         <rdar://problem/42515726>
3058
3059         Reviewed by Saam Barati.
3060
3061         * runtime/ArrayPrototype.cpp:
3062         (JSC::clearElement):
3063         (JSC::copyElements):
3064         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3065
3066 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
3067
3068         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
3069         https://bugs.webkit.org/show_bug.cgi?id=167991
3070
3071         Reviewed by Michael Catanzaro.
3072
3073         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
3074         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
3075         no more cases where you might have an invalid locale come back from resolveLocale.
3076
3077         * runtime/IntlObject.cpp:
3078         (JSC::convertICULocaleToBCP47LanguageTag):
3079         (JSC::defaultLocale):
3080         (JSC::lookupMatcher):
3081         * runtime/IntlObject.h:
3082         * runtime/JSGlobalObject.cpp:
3083         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
3084         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
3085         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
3086         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
3087
3088 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
3089
3090         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
3091         https://bugs.webkit.org/show_bug.cgi?id=188040
3092
3093         Unreviewed build fix for AppleWin port.
3094
3095         * API/tests/testapi.c: Disabled warning C4204.
3096         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
3097
3098 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
3099
3100         [JSC API] We should support the symbol type in our C/Obj-C API
3101         https://bugs.webkit.org/show_bug.cgi?id=175836
3102
3103         Unreviewed build fix for Windows port.
3104
3105         r234227 introduced a compilation error, unresolved external symbol
3106         "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.
3107
3108         Windows ports are compiling testapi.c as C++ by using the /TP switch.
3109
3110         * API/tests/testapi.c:
3111         (main): Removed `::` prefix of ::SetErrorMode Windows API.
3112         (dllLauncherEntryPoint): Converted into C style.
3113         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
3114
3115 2018-07-25  Keith Miller  <keith_miller@apple.com>
3116
3117         [JSC API] We should support the symbol type in our C/Obj-C API
3118         https://bugs.webkit.org/show_bug.cgi?id=175836
3119
3120         Reviewed by Filip Pizlo.
3121
3122         This patch makes the following API additions:
3123         1) Test if a JSValue/JSValueRef is a symbol via any of the methods by which the API is able to test for the types of other JSValues.
3124         2) Create a symbol on both APIs.
3125         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
3126         4) Add Get/Set/Delete in the C API.
3127
3128         We can do 3 because it is both binary and source compatible with
3129         the existing API. I added (4) because the current property access
3130         APIs only have the ability to get Strings. It was possible to
3131         merge symbols into JSStringRef but that felt confusing and exposes
3132         implementation details of our engine. The new functions match the
3133         same meaning that they have in JS, thus should be forward
3134         compatible with any future language extensions.
3135
3136         Lastly, this patch adds the same availability preprocessing phase
3137         in WebCore to JavaScriptCore, which enables TBA features for
3138         testing on previous releases.
3139
3140         * API/APICast.h:
3141         * API/JSBasePrivate.h:
3142         * API/JSContext.h:
3143         * API/JSContextPrivate.h:
3144         * API/JSContextRef.h:
3145         * API/JSContextRefInternal.h:
3146         * API/JSContextRefPrivate.h:
3147         * API/JSManagedValue.h:
3148         * API/JSObjectRef.cpp:
3149         (JSObjectHasPropertyKey):
3150         (JSObjectGetPropertyKey):
3151         (JSObjectSetPropertyKey):
3152         (JSObjectDeletePropertyKey):
3153         * API/JSObjectRef.h:
3154         * API/JSRemoteInspector.h:
3155         * API/JSTypedArray.h:
3156         * API/JSValue.h:
3157         * API/JSValue.mm:
3158         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
3159         (performPropertyOperation):
3160         (-[JSValue valueForProperty:valueForProperty:]):
3161         (-[JSValue setValue:forProperty:setValue:forProperty:]):
3162         (-[JSValue deleteProperty:deleteProperty:]):
3163         (-[JSValue hasProperty:hasProperty:]):
3164         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
3165         (-[JSValue isSymbol]):
3166         (-[JSValue objectForKeyedSubscript:]):
3167         (-[JSValue setObject:forKeyedSubscript:]):
3168         (-[JSValue valueForProperty:]): Deleted.
3169         (-[JSValue setValue:forProperty:]): Deleted.
3170         (-[JSValue deleteProperty:]): Deleted.
3171         (-[JSValue hasProperty:]): Deleted.
3172         (-[JSValue defineProperty:descriptor:]): Deleted.
3173         * API/JSValueRef.cpp:
3174         (JSValueGetType):
3175         (JSValueIsSymbol):
3176         (JSValueMakeSymbol):
3177         * API/JSValueRef.h:
3178         * API/WebKitAvailability.h:
3179         * API/tests/CurrentThisInsideBlockGetterTest.mm:
3180         * API/tests/CustomGlobalObjectClassTest.c:
3181         * API/tests/DateTests.mm:
3182         * API/tests/JSExportTests.mm:
3183         * API/tests/JSNode.c:
3184         * API/tests/JSNodeList.c:
3185         * API/tests/Node.c:
3186         * API/tests/NodeList.c:
3187         * API/tests/minidom.c:
3188         * API/tests/testapi.c:
3189         (main):
3190         * API/tests/testapi.cpp: Added.
3191         (APIString::APIString):
3192         (APIString::~APIString):
3193         (APIString::operator JSStringRef):
3194         (APIContext::APIContext):
3195         (APIContext::~APIContext):
3196         (APIContext::operator JSGlobalContextRef):
3197         (APIVector::APIVector):
3198         (APIVector::~APIVector):
3199         (APIVector::append):
3200         (testCAPIViaCpp):
3201         (TestAPI::evaluateScript):
3202         (TestAPI::callFunction):
3203         (TestAPI::functionReturnsTrue):
3204         (TestAPI::check):
3205         (TestAPI::checkJSAndAPIMatch):
3206         (TestAPI::interestingObjects):
3207         (TestAPI::interestingKeys):
3208         (TestAPI::run):
3209         * API/tests/testapi.mm:
3210         (testObjectiveCAPIMain):
3211         * JavaScriptCore.xcodeproj/project.pbxproj:
3212         * config.h:
3213         * postprocess-headers.sh:
3214         * shell/CMakeLists.txt:
3215         * testmem/testmem.mm:
3216
3217 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3218
3219         [INTL] Call Typed Array elements toLocaleString with locale and options
3220         https://bugs.webkit.org/show_bug.cgi?id=185796
3221
3222         Reviewed by Keith Miller.
3223
3224         Improve ECMA 402 compliance of typed array toLocaleString, passing along
3225         the locale and options to element toLocaleString calls.
3226
3227         * builtins/TypedArrayPrototype.js:
3228         (toLocaleString):
3229
3230 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3231
3232         [INTL] Intl constructor lengths should be configurable
3233         https://bugs.webkit.org/show_bug.cgi?id=187960
3234
3235         Reviewed by Saam Barati.
3236
3237         Removed DontDelete from Intl constructor lengths.
3238         Fixed DateTimeFormat formatToParts length.
3239
3240         * runtime/IntlCollatorConstructor.cpp:
3241         (JSC::IntlCollatorConstructor::finishCreation):
3242         * runtime/IntlDateTimeFormatConstructor.cpp:
3243         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3244         * runtime/IntlDateTimeFormatPrototype.cpp:
3245         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3246         * runtime/IntlNumberFormatConstructor.cpp:
3247         (JSC::IntlNumberFormatConstructor::finishCreation):
3248         * runtime/IntlPluralRulesConstructor.cpp:
3249         (JSC::IntlPluralRulesConstructor::finishCreation):
3250
3251 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
3252
3253         runJITThreadLimitTests is failing
3254         https://bugs.webkit.org/show_bug.cgi?id=187886
3255         <rdar://problem/42561966>
3256
3257         Unreviewed build fix for MSVC.
3258
3259         MSVC doesn't support the ternary operator without a second operand.
3260
3261         * dfg/DFGWorklist.cpp:
3262         (JSC::DFG::getNumberOfDFGCompilerThreads):
3263         (JSC::DFG::getNumberOfFTLCompilerThreads):
3264
3265 2018-07-24  Commit Queue  <commit-queue@webkit.org>
3266
3267         Unreviewed, rolling out r234183.
3268         https://bugs.webkit.org/show_bug.cgi?id=187983
3269
3270         cause regression in Kraken gaussian blur and desaturate
3271         (Requested by yusukesuzuki on #webkit).
3272
3273         Reverted changeset:
3274
3275         "[JSC] Record CoW status in ArrayProfile"
3276         https://bugs.webkit.org/show_bug.cgi?id=187949
3277         https://trac.webkit.org/changeset/234183
3278
3279 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3280
3281         [JSC] Record CoW status in ArrayProfile
3282         https://bugs.webkit.org/show_bug.cgi?id=187949
3283
3284         Reviewed by Saam Barati.
3285
3286         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
3287         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
3288         in this code typically record only non-CoW arrays, since array profiles hold only one recently
3289         seen StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
3290         CoW arrays.
3291
3292         In this patch, we record CoW status in ArrayProfile separately to construct a more appropriate DFG::ArrayMode
3293         speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.
3294
3295         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.
3296
3297                                       baseline                  patched
3298
3299         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
3300         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
3301
3302         * bytecode/ArrayProfile.cpp:
3303         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3304         * bytecode/ArrayProfile.h:
3305         (JSC::asArrayModes):
3306         We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.
3307
3308         (JSC::ArrayProfile::ArrayProfile):
3309         (JSC::ArrayProfile::addressOfObservedIndexingModes):
3310         (JSC::ArrayProfile::observedIndexingModes const):
3311         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
3312         So we store the union of seen IndexingModes in an `unsigned` instead.
3313
3314         * dfg/DFGArrayMode.cpp:
3315         (JSC::DFG::ArrayMode::fromObserved):
3316         * dfg/DFGArrayMode.h:
3317         (JSC::DFG::ArrayMode::withProfile const):
3318         * jit/JITCall.cpp:
3319         (JSC::JIT::compileOpCall):
3320         * jit/JITCall32_64.cpp:
3321         (JSC::JIT::compileOpCall):
3322         * jit/JITInlines.h:
3323         (JSC::JIT::emitArrayProfilingSiteWithCell):
3324         * llint/LowLevelInterpreter.asm:
3325         * llint/LowLevelInterpreter32_64.asm:
3326         * llint/LowLevelInterpreter64.asm:
3327
3328 2018-07-24  Tim Horton  <timothy_horton@apple.com>
3329
3330         Enable Web Content Filtering on watchOS
3331         https://bugs.webkit.org/show_bug.cgi?id=187979
3332         <rdar://problem/42559346>
3333
3334         Reviewed by Wenson Hsieh.
3335
3336         * Configurations/FeatureDefines.xcconfig:
3337
3338 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
3339
3340         Don't modify Options when setting JIT thread limits