[JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry
2018-09-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry
        https://bugs.webkit.org/show_bug.cgi?id=189410

        Reviewed by Mark Lam.

        Put .throwStackOverflow code after the fast path in LLInt doVMEntry to
        make doVMEntry code tight.

        * llint/LLIntThunks.cpp:
        (JSC::vmEntryToWasm): Deleted.
        * llint/LLIntThunks.h:
        (JSC::vmEntryToWasm):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2018-09-06  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Optimize JS to Wasm call by removing Vector allocation
        https://bugs.webkit.org/show_bug.cgi?id=189353

        Reviewed by Mark Lam.

        A JS to Wasm call always allocates a Vector for the arguments. This is really costly if the wasm function is small.
        This patch adds an initial size parameter to the Vector to avoid allocations for small sized arguments.

        * runtime/ArgList.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-08-31  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Clean up StructureStubClearingWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=189156

        Reviewed by Saam Barati.

        Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in Bag
        in WatchpointsOnStructureStubInfo. This removes hacky linked list code for StructureStubClearingWatchpoint.

        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
        (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted.
        (JSC::StructureStubClearingWatchpoint::push): Deleted.
        (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted.
        * bytecode/StructureStubClearingWatchpoint.h:
        (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):

2018-09-06  Michael Saboff  <msaboff@apple.com>

        Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
        https://bugs.webkit.org/show_bug.cgi?id=189380

        Reviewed by Saam Barati.

        Account for the case in Math.pow(NaN, y) where y could be 0.

        * bytecode/SpeculatedType.cpp:
        (JSC::typeOfDoublePow):

2018-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: only visit m_cachedStructureID if it's not null.
        https://bugs.webkit.org/show_bug.cgi?id=189124
        <rdar://problem/43863605>

        Not reviewed.

        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-06  Tomas Popela  <tpopela@redhat.com>

        [JSC] Build broken after r234975 on s390x, ppc64le, armv7hl
        https://bugs.webkit.org/show_bug.cgi?id=189078

        Reviewed by Mark Lam.

        Caused by the GCC bug - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70124.
        Using the ternary operator instead of std::max() fixes it.

        * heap/RegisterState.h:

2018-09-05  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
        https://bugs.webkit.org/show_bug.cgi?id=189124
        <rdar://problem/43863605>

        Reviewed by Filip Pizlo.

        It is assumed that the Structure for the m_cachedStructureID will remain alive
        while the m_cachedStructureID is in use.  This prevents the structureID from being
        re-used for a different Structure.

        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-05  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Symbol.prototype.description
        https://bugs.webkit.org/show_bug.cgi?id=186686

        Reviewed by Keith Miller.

        Symbol.prototype.description was implemented in r232404, but has one small bug:
        It should return undefined for a null symbol.

        * runtime/Symbol.cpp:
        (JSC::Symbol::description const):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoGetterDescription):
        Address the null symbol case.

2018-09-04  Keith Miller  <keith_miller@apple.com>

        RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
        https://bugs.webkit.org/show_bug.cgi?id=188917

        Reviewed by Mark Lam.

        Our allocators should be able to handle allocating a zero-sized object.
        Zero-sized objects will be allocated into the smallest size class.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassToIndex):
        (JSC::MarkedSpace::indexToSizeClass):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):

2018-09-05  Mark Lam  <mark.lam@apple.com>

        Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
        https://bugs.webkit.org/show_bug.cgi?id=189300
        <rdar://problem/39681779>

        Reviewed by Saam Barati.

        At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
        which points to an InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The
        DeferredSourceDump is later used to dump source even if the compilation fails.
        This is intentional so that we can use this tool to see what source fails to
        compile as well.

        The DFG::Plan may have been destructed by then, and since the compilation failed,
        the InlineCallFrame is also destructed.  This means DeferredSourceDump::dump()
        may end up accessing freed memory.

        DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller
        bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue
        by changing DeferredSourceDump to capture the caller bytecodeIndex instead.

        In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
        to be Strong references to ensure that the CodeBlocks are kept alive until they
        can be dumped.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
        * bytecode/DeferredSourceDump.cpp:
        (JSC::DeferredSourceDump::DeferredSourceDump):
        (JSC::DeferredSourceDump::dump):
        * bytecode/DeferredSourceDump.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2018-09-05  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project

        Found using `tidy-Xcode-project-file --missing` (see Bug
        188754).  Fix was made manually.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
        `name` and `path` values to file reference.

2018-09-05  Mark Lam  <mark.lam@apple.com>

        isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode.
        https://bugs.webkit.org/show_bug.cgi?id=189292
        <rdar://problem/38907433>

        Reviewed by Saam Barati.

        Previously, isAsyncGeneratorMethodParseMode() was checking for AsyncGeneratorWrapperFunctionMode
        instead of AsyncGeneratorWrapperMethodMode.  This patch fixes it
        to check for AsyncGeneratorWrapperMethodMode (to match what is expected as indicated
        in the name isAsyncGeneratorMethodParseMode).

        * parser/ParserModes.h:
        (JSC::isAsyncGeneratorMethodParseMode):

2018-09-04  Michael Saboff  <msaboff@apple.com>

        Unreviewed indentation change.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchBackreference):

2018-09-04  Michael Saboff  <msaboff@apple.com>

        JSC Build error when changing CPU type: offlineasm: No magic values found. Skipping assembly file generation
        https://bugs.webkit.org/show_bug.cgi?id=189274

        Reviewed by Saam Barati.

        Put the derived file LLIntDesiredOffsets.h in an architecture specific subdirectory to make them unique.

        Somehow I got this change mixed up with the change for r235636.  The changes to JavaScriptCore.xcodeproj/project.pbxproj
        were landed there.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-09-04  Michael Saboff  <msaboff@apple.com>

        YARR: JIT RegExps with back references
        https://bugs.webkit.org/show_bug.cgi?id=180874

        Reviewed by Filip Pizlo.

        Implemented JIT'ed back references for all counted types.  The only type of back references
        not handled in the JIT are 16bit matches that ignore case.  Such support would require the
        canonicalization that is currently handled in the Yarr interpreter via a C function call.
        The back reference processing for surrogate pairs is implemented by individually comparing
        each surrogate a la memcmp.

        Added a generated canonicalization table for the LChar (8bit) domain to process case
        ignored back references.

        Added macro assembler load16(ExtendedAddress) for indexed access to the canonicalization table.

        Added a new JIT failure reason for forward references as the check to JIT expressions with
        forward references was handled synonymously with those containing back references.

        This change is only enabled for 64 bit platforms.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load16):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrCanonicalize.h:
        * yarr/YarrCanonicalizeUCS2.cpp:
        * yarr/YarrCanonicalizeUCS2.js:
        (set characters.hex.set string_appeared_here):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::checkNotEnoughInput):
        (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates):
        (JSC::Yarr::YarrGenerator::matchBackreference):
        (JSC::Yarr::YarrGenerator::generateBackReference):
        (JSC::Yarr::YarrGenerator::backtrackBackReference):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::dumpCompileFailure):
        * yarr/YarrJIT.h:
        * yarr/YarrPattern.h:
        (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
        (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):

2018-09-04  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell print, printErr, and debug functions more robust.
        https://bugs.webkit.org/show_bug.cgi?id=189268
        <rdar://problem/41192690>

        Reviewed by Keith Miller.

        We'll now check for UTF8 conversion errors.

        * jsc.cpp:
        (cStringFromViewWithString):
        (printInternal):
        (functionDebug):

2018-09-04  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE][GTK] Add more unused result warnings to JSC API
        https://bugs.webkit.org/show_bug.cgi?id=189243

        Reviewed by Carlos Garcia Campos.

        The jsc_context_evaluate() family of functions has a (transfer full) return value, but the
        caller may be tempted to not inspect it if uninterested in the return value. This would be
        an error, because it must be freed.

        * API/glib/JSCContext.h:

2018-09-03  Mark Lam  <mark.lam@apple.com>

        The watchdog sometimes fails to terminate a script.
        https://bugs.webkit.org/show_bug.cgi?id=189227
        <rdar://problem/39932857>

        Reviewed by Saam Barati.

        Consider the following scenario:

        1. We have an infinite loop bytecode sequence as follows:

            [  13] loop_hint
            [  14] check_traps
            [  15] jmp               -2(->13)

        2. The VM tiers up from LLInt -> BaselineJIT -> DFG -> FTL.

           Note that op_check_traps is represented as a CheckTraps node in the DFG and FTL.
           When we're not using pollingTraps (JSC_usePollingTraps is false by default),
           we emit no code for CheckTraps, but only record an InvalidationPoint there.

        3. The watchdog fires, and invalidates all InvalidationPoints in the FTL CodeBlock.

           InvalidationPoints OSR exit to the next instruction by design.  In this case,
           that means the VM will resume executing at the op_jmp, which jumps to the
           op_loop_hint opcode.  At the loop_hint, the VM discovers that the function is
           already hot, and attempts to tier up.  It immediately discovers that a replacement
           CodeBlock is available because we still haven't jettisoned the DFG CodeBlock
           nor the FTL CodeBlock that was previously compiled for this function.

           Note that jettisoning a CodeBlock necessarily means the VM will invalidate
           its InvalidationPoints (if the CodeBlock is DFG/FTL).  However, the reverse
           is not true: merely invalidating the InvalidationPoints does not necessarily
           mean that the CodeBlock is jettisoned.

           VMTraps::tryInstallTrapBreakpoints() runs from a separate thread.  Hence,
           it is only safe for it to invalidate a CodeBlock's InvalidationPoints.  It
           is not safe for the CodeBlock to be jettisoned from another thread.  Instead,
           the VMTraps mechanism relies on the script thread running to an op_check_traps
           in the baseline JIT code where it will do the necessary jettisoning of optimized
           CodeBlocks.

        Since the op_check_traps never gets executed, the VM will perpetually tier up in
        the op_loop_hint, OSR exit to the op_jmp, jump to the op_loop_hint, and repeat.
        Consequently, the watchdog fails to terminate this script.

        In this patch, we fix this by making the DFG BytecodeParser emit an InvalidationPoint
        node directly (when the VM is not configured to use polling traps).  This ensures
        that the check traps invalidation point will OSR exit to the op_check_traps opcode
        in the baseline JIT.

        In this patch, we also change VMTraps::tryInstallTrapBreakpoints() to use
        CallFrame::unsafeCodeBlock() instead of CallFrame::codeBlock().  This is because
        we don't really know if the frame is properly set up.  We're just conservatively
        probing the stack.  ASAN does not like this probing.  Using unsafeCodeBlock() here
        will suppress the false positive ASAN complaint.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):

2018-09-03  Mark Lam  <mark.lam@apple.com>

        CallFrame::unsafeCallee() should use an ASAN suppressed Register::asanUnsafePointer().
        https://bugs.webkit.org/show_bug.cgi?id=189247

        Reviewed by Saam Barati.

        * interpreter/CallFrame.h:
        (JSC::ExecState::unsafeCallee const):
        * interpreter/Register.h:
        (JSC::Register::asanUnsafePointer const):
        (JSC::Register::unsafePayload const):

2018-09-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Implement Object.fromEntries
        https://bugs.webkit.org/show_bug.cgi?id=188481

        Reviewed by Darin Adler.

        Object.fromEntries becomes stage 3[1]. This patch implements it by using builtin JS.

        [1]: https://tc39.github.io/proposal-object-from-entries/

        * builtins/ObjectConstructor.js:
        (fromEntries):
        * runtime/ObjectConstructor.cpp:

2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Function object should convert params to string before throwing a parsing error
        https://bugs.webkit.org/show_bug.cgi?id=188874

        Reviewed by Darin Adler.

        The ToString operation on the `body` of the Function constructor should be performed
        before checking syntax correctness of the parameters.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
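
An added example (not WebKit code) that makes the required ordering observable: each argument is an object whose toString records a label, the parameter list is syntactically invalid, and a spec-conformant engine still converts the parameters and the body to strings before it reports the SyntaxError. The labels and helper names are constructed for this example.

```javascript
// Added example, not JavaScriptCore code: observe the order in which the
// Function constructor performs ToString on its arguments relative to the
// syntax check of the parameter list. Per the spec (CreateDynamicFunction),
// every parameter and then the body are converted to strings first; only
// afterwards are the parameters and body parsed. Labels are constructed.

function stringifier(label, text, events) {
  // An object whose ToString conversion is observable through `events`.
  return {
    toString() {
      events.push(label);
      return text;
    },
  };
}

function probeInvalidParameterOrder() {
  const events = [];
  // "a b" is not a valid parameter list, so construction must throw.
  const param = stringifier("param", "a b", events);
  const body = stringifier("body", "return a;", events);
  let error = null;
  try {
    Function(param, body);
  } catch (e) {
    error = e;
  }
  return {
    order: events.join(","), // expected "param,body"
    threwSyntaxError: error instanceof SyntaxError,
    bodyConvertedBeforeError: events.includes("body"),
  };
}

function probeValidFunction() {
  // Control case: the same conversion order, and the resulting function runs.
  const events = [];
  const param = stringifier("param", "x", events);
  const body = stringifier("body", "return x * 2;", events);
  const fn = Function(param, body);
  return { order: events.join(","), result: fn(21) };
}
```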

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in constructJSWebAssemblyCompileError().
        https://bugs.webkit.org/show_bug.cgi?id=189185
        <rdar://problem/39786007>

        Reviewed by Michael Saboff.

        Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
        inadvertently overwrite a pre-existing exception (if present).

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Gardening: ARMv7 build fix.
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Not reviewed.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableBranch8):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in JSDataView::defineOwnProperty().
        https://bugs.webkit.org/show_bug.cgi?id=189186
        <rdar://problem/39786049>

        Reviewed by Michael Saboff.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::defineOwnProperty):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in arrayProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=189184
        <rdar://problem/39785959>

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-08-31  Saam barati  <sbarati@apple.com>

        convertToRegExpMatchFastGlobal must use KnownString as the child use kind
        https://bugs.webkit.org/show_bug.cgi?id=189173
        <rdar://problem/43501645>

        Reviewed by Michael Saboff.

        We were crashing during validation because mayExit returned true
        at a point in the program when we weren't allowed to exit.

        The issue is in StrengthReduction: we end up emitting code that
        had a StringUse on an edge after a node that did side effects and before
        an ExitOK/bytecode number transition. However, StrengthReduction did the
        right thing here and also emitted the type checks before the node with
        side effects. It just did bad bookkeeping. The node we convert to needs
        to use KnownStringUse instead of StringUse for the child edge.

        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
        (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
        * dfg/DFGNode.h:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        Reviewed by Mark Lam.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation.  Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generator and async generator.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        Is a Swift source breaking change. (Requested by keith_miller
        on #webkit).

        Reverted changesets:

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

            Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
            Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

                Register frame:

                -----------------------------------------------------------------------------
                            use            |   address  |                value
                -----------------------------------------------------------------------------
                [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
                [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
                [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
                [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
                [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
                [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
                [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
                [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
                -----------------------------------------------------------------------------
                [ArgumentCount]            | 0x7ffeefbfd2f0 | 7
                [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
                [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
                [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
                [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c
                [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
                -----------------------------------------------------------------------------
                [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
                [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
                [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608
                [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
                -----------------------------------------------------------------------------
                [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
                [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
672                 [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
673                 [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
674                 [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
675                 [r-12]                     | 0x7ffeefbfd270 | 0x100000001        
676                 [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
677                 [r-14]                     | 0x7ffeefbfd260 | 0x0                
678                 [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c        
679                 [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0     
680                 [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
681                 [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250     
682                 -----------------------------------------------------------------------------
683
684         3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
685            we can use in its place:
686
687             $vm.dumpCallFrame()
688             $vm.dumpBytecodeFor()
689             $vm.dumpRegisters()     // Just added in this patch.
690
691         4. Also fixed a bug in BytecodeDumper: it should only access
692            CallLinkInfo::haveLastSeenCallee() if CallLinkInfo::isDirect() is false.
693
694         * bytecode/BytecodeDumper.cpp:
695         (JSC::BytecodeDumper<Block>::printCallOp):
696         * interpreter/Interpreter.cpp:
697         (JSC::Interpreter::dumpCallFrame): Deleted.
698         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
699         (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
700         (JSC::Interpreter::dumpRegisters): Deleted.
701         * interpreter/Interpreter.h:
702         * jsc.cpp:
703         (GlobalObject::finishCreation):
704         (functionDumpCallFrame): Deleted.
705         * tools/JSDollarVM.cpp:
706         (JSC::functionDumpRegisters):
707         (JSC::JSDollarVM::finishCreation):
708         * tools/VMInspector.cpp:
709         (JSC::VMInspector::dumpRegisters):
710         * tools/VMInspector.h:
711
712 2018-08-28  Keith Miller  <keith_miller@apple.com>
713
714         Add nullability attributes to JSValue
715         https://bugs.webkit.org/show_bug.cgi?id=189047
716
717         Reviewed by Dan Bernstein.
718
719         Switch to using NS_ASSUME_NONNULL_BEGIN/END.
720
721         * API/JSValue.h:
722
723 2018-08-28  Keith Miller  <keith_miller@apple.com>
724
725         Add nullability attributes to JSValue
726         https://bugs.webkit.org/show_bug.cgi?id=189047
727
728         Reviewed by Geoffrey Garen.
729
730         * API/JSValue.h:
731
732 2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
733
734         [WebAssembly] Parse wasm modules in a streaming fashion
735         https://bugs.webkit.org/show_bug.cgi?id=188943
736
737         Reviewed by Mark Lam.
738
739         This patch adds Wasm::StreamingParser, which parses a wasm binary in a streaming fashion.
740         Currently, this StreamingParser is not enabled or integrated. In subsequent patches,
741         we start integrating it into BBQPlan and dropping the old ModuleParser.
742
743         * JavaScriptCore.xcodeproj/project.pbxproj:
744         * Sources.txt:
745         * tools/JSDollarVM.cpp:
746         (WTF::WasmStreamingParser::WasmStreamingParser):
747         (WTF::WasmStreamingParser::create):
748         (WTF::WasmStreamingParser::createStructure):
749         (WTF::WasmStreamingParser::streamingParser):
750         (WTF::WasmStreamingParser::finishCreation):
751         (WTF::functionWasmStreamingParserAddBytes):
752         (WTF::functionWasmStreamingParserFinalize):
753         (JSC::functionCreateWasmStreamingParser):
754         (JSC::JSDollarVM::finishCreation):
755         The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test uses
756         this interface to test the streaming parser in the JSC shell.
757
758         * wasm/WasmBBQPlan.cpp:
759         (JSC::Wasm::BBQPlan::BBQPlan):
760         (JSC::Wasm::BBQPlan::parseAndValidateModule):
761         (JSC::Wasm::BBQPlan::prepare):
762         (JSC::Wasm::BBQPlan::compileFunctions):
763         (JSC::Wasm::BBQPlan::complete):
764         (JSC::Wasm::BBQPlan::work):
765         * wasm/WasmBBQPlan.h:
766         BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
767         In subsequent patches, we will remove this, and stream the data into the BBQPlan.
768
769         * wasm/WasmFormat.h:
770         * wasm/WasmModuleInformation.cpp:
771         (JSC::Wasm::ModuleInformation::ModuleInformation):
772         * wasm/WasmModuleInformation.h:
773         One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
774         since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
775         in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have a
776         Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
777         a function with this data can be done concurrently with StreamingParser.
778
779         (JSC::Wasm::ModuleInformation::create):
780         (JSC::Wasm::ModuleInformation::memoryCount const):
781         (JSC::Wasm::ModuleInformation::tableCount const):
782         memoryCount and tableCount should be recorded in ModuleInformation.
783
784         * wasm/WasmModuleParser.cpp:
785         (JSC::Wasm::ModuleParser::parse):
786         (JSC::Wasm::makeI32InitExpr): Deleted.
787         (JSC::Wasm::ModuleParser::parseType): Deleted.
788         (JSC::Wasm::ModuleParser::parseImport): Deleted.
789         (JSC::Wasm::ModuleParser::parseFunction): Deleted.
790         (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
791         (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
792         (JSC::Wasm::ModuleParser::parseTable): Deleted.
793         (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
794         (JSC::Wasm::ModuleParser::parseMemory): Deleted.
795         (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
796         (JSC::Wasm::ModuleParser::parseExport): Deleted.
797         (JSC::Wasm::ModuleParser::parseStart): Deleted.
798         (JSC::Wasm::ModuleParser::parseElement): Deleted.
799         (JSC::Wasm::ModuleParser::parseCode): Deleted.
800         (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
801         (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
802         (JSC::Wasm::ModuleParser::parseData): Deleted.
803         (JSC::Wasm::ModuleParser::parseCustom): Deleted.
804         Extract section parsing code out of ModuleParser. We create SectionParser, and ModuleParser uses it.
805         SectionParser is also used by StreamingParser.
806
807         * wasm/WasmModuleParser.h:
808         (): Deleted.
809         * wasm/WasmNameSection.h:
810         (JSC::Wasm::NameSection::NameSection):
811         (JSC::Wasm::NameSection::create):
812         (JSC::Wasm::NameSection::setHash):
813         Hash calculation is deferred since the whole source is not available in streaming parsing.
814
815         * wasm/WasmNameSectionParser.cpp:
816         (JSC::Wasm::NameSectionParser::parse):
817         * wasm/WasmNameSectionParser.h:
818         Use Ref<NameSection>.
819
820         * wasm/WasmOMGPlan.cpp:
821         (JSC::Wasm::OMGPlan::work):
822         Wasm::Plan no longer has m_source since data will eventually be filled in a streaming fashion.
823         OMGPlan can get the function's data by using ModuleInformation::functions.
824
825         * wasm/WasmParser.h:
826         (JSC::Wasm::Parser::source const):
827         (JSC::Wasm::Parser::length const):
828         (JSC::Wasm::Parser::offset const):
829         (JSC::Wasm::Parser::fail const):
830         (JSC::Wasm::makeI32InitExpr):
831         * wasm/WasmPlan.cpp:
832         (JSC::Wasm::Plan::Plan):
833         Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.
834
835         * wasm/WasmPlan.h:
836         * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
837         SectionParser is extracted from ModuleParser, and it is used by both the old (currently working)
838         ModuleParser and the new StreamingParser.
839
840         (JSC::Wasm::SectionParser::parseType):
841         (JSC::Wasm::SectionParser::parseImport):
842         (JSC::Wasm::SectionParser::parseFunction):
843         (JSC::Wasm::SectionParser::parseResizableLimits):
844         (JSC::Wasm::SectionParser::parseTableHelper):
845         (JSC::Wasm::SectionParser::parseTable):
846         (JSC::Wasm::SectionParser::parseMemoryHelper):
847         (JSC::Wasm::SectionParser::parseMemory):
848         (JSC::Wasm::SectionParser::parseGlobal):
849         (JSC::Wasm::SectionParser::parseExport):
850         (JSC::Wasm::SectionParser::parseStart):
851         (JSC::Wasm::SectionParser::parseElement):
852         (JSC::Wasm::SectionParser::parseCode):
853         (JSC::Wasm::SectionParser::parseInitExpr):
854         (JSC::Wasm::SectionParser::parseGlobalType):
855         (JSC::Wasm::SectionParser::parseData):
856         (JSC::Wasm::SectionParser::parseCustom):
857         * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
858         * wasm/WasmStreamingParser.cpp: Added.
859         (JSC::Wasm::parseUInt7):
860         (JSC::Wasm::StreamingParser::fail):
861         (JSC::Wasm::StreamingParser::StreamingParser):
862         (JSC::Wasm::StreamingParser::parseModuleHeader):
863         (JSC::Wasm::StreamingParser::parseSectionID):
864         (JSC::Wasm::StreamingParser::parseSectionSize):
865         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
866         The code section in a Wasm binary is handled specially compared with the other sections since it includes
867         a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
868         streaming validation / compilation of Wasm functions.
869
870         (JSC::Wasm::StreamingParser::parseFunctionSize):
871         (JSC::Wasm::StreamingParser::parseFunctionPayload):
872         (JSC::Wasm::StreamingParser::parseSectionPayload):
873         (JSC::Wasm::StreamingParser::consume):
874         (JSC::Wasm::StreamingParser::consumeVarUInt32):
875         (JSC::Wasm::StreamingParser::addBytes):
876         (JSC::Wasm::StreamingParser::failOnState):
877         (JSC::Wasm::StreamingParser::finalize):
878         * wasm/WasmStreamingParser.h: Added.
879         (JSC::Wasm::StreamingParser::addBytes):
880         (JSC::Wasm::StreamingParser::errorMessage const):
881         This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
882         StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
883         StreamingParser::addBytes() to pump the byte stream into the parser. Once all the data is pumped,
884         the user calls StreamingParser::finalize(). StreamingParser is a state machine which feeds on the
885         incoming byte stream.
886
887         * wasm/js/JSWebAssemblyModule.cpp:
888         (JSC::JSWebAssemblyModule::source const): Deleted.
889         The entire source should not be held.
890
891         * wasm/js/JSWebAssemblyModule.h:
892         * wasm/js/WebAssemblyPrototype.cpp:
893         (JSC::webAssemblyValidateFunc):
894
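        The addBytes()/finalize() state machine described above, as an added example that is not WebKit's code: a
        hypothetical StreamingWasmParser consumes the module header, section ids and sizes, skips non-code sections
        whole, and hands each code-section function body off as soon as it is complete, with size accounting so that
        a truncated stream or a body that overruns its section is rejected instead of buffered. StreamingWasmParser,
        sampleModule and parseInChunks are constructed names, and the section size cap is an assumed value.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
// Hypothetical streaming parser (added example, not WebKit's Wasm::StreamingParser): consume helpers pull
// bytes from the pending buffer, parseStep() acts on them, addBytes() pumps chunks in and finalize() closes
// the stream. Non-code sections are skipped whole; each code-section body is handed off once it is complete.
class StreamingWasmParser {
public:
    enum class State { ModuleHeader, SectionID, SectionSize, SectionPayload, FunctionCount, FunctionSize, FunctionPayload, Finished, Failed };
    State addBytes(const uint8_t* data, size_t size) { // chunk boundaries are arbitrary
        if (m_state == State::Failed) return m_state; // failure is sticky: later chunks are ignored
        m_buffer.insert(m_buffer.end(), data, data + size);
        while (m_state != State::Failed && parseStep()) { }
        m_buffer.erase(m_buffer.begin(), m_buffer.begin() + m_offset); m_offset = 0; // drop consumed bytes
        return m_state;
    }
    State finalize() { // complete only if we stopped between sections with nothing left pending
        if (m_state == State::Failed) return m_state;
        if (m_state != State::SectionID || !m_buffer.empty()) return fail("truncated module");
        return m_state = State::Finished;
    }
    const std::string& errorMessage() const { return m_error; }
    const std::vector<std::vector<uint8_t>>& functions() const { return m_functions; }
private:
    static constexpr uint8_t kCodeSectionID = 10;
    static constexpr uint32_t kMaxSectionSize = 64u << 20; // assumed cap: bounds what an untrusted stream makes us buffer
    State fail(const char* message) { m_error = message; return m_state = State::Failed; }
    bool consume(size_t count, const uint8_t** out) { // true once `count` bytes have arrived
        if (m_buffer.size() - m_offset < count) return false;
        *out = m_buffer.data() + m_offset; m_offset += count; return true;
    }
    bool consumeVarUInt32(uint32_t& result, bool charged = false) { // unsigned LEB128; `charged` bills its bytes to the open code section
        uint32_t value = 0;
        for (size_t i = 0;; ++i) {
            if (m_offset + i >= m_buffer.size()) return false; // need more bytes
            uint8_t b = m_buffer[m_offset + i];
            if (i == 4 && (b & 0xf0)) { fail("varuint32 too long"); return false; }
            value |= uint32_t(b & 0x7f) << (7 * i);
            if (!(b & 0x80)) { m_offset += i + 1; result = value; return !charged || chargeSection(i + 1); }
        }
    }
    bool chargeSection(size_t n) { // counts, sizes and bodies must fit the declared section size
        if (n > m_sectionRemaining) { fail("code section size mismatch"); return false; }
        m_sectionRemaining -= n; return true;
    }
    bool nextFunctionOrEndSection() {
        if (m_functionsRemaining) { m_state = State::FunctionSize; return true; }
        if (m_sectionRemaining) { fail("code section size mismatch"); return false; }
        m_state = State::SectionID; return true;
    }
    bool parseStep() { // one step: true if the state advanced, false if more bytes are needed
        const uint8_t* bytes = nullptr; uint32_t value = 0;
        switch (m_state) {
        case State::ModuleHeader: {
            static const uint8_t expected[8] = { 0x00, 'a', 's', 'm', 1, 0, 0, 0 }; // "\0asm" + version 1
            if (!consume(8, &bytes)) return false;
            if (!std::equal(expected, expected + 8, bytes)) { fail("bad module header"); return false; }
            m_state = State::SectionID; return true;
        }
        case State::SectionID:
            if (!consume(1, &bytes)) return false;
            m_sectionID = bytes[0]; m_state = State::SectionSize; return true;
        case State::SectionSize:
            if (!consumeVarUInt32(value)) return false;
            if (value > kMaxSectionSize) { fail("section too large"); return false; }
            m_sectionRemaining = value;
            m_state = m_sectionID == kCodeSectionID ? State::FunctionCount : State::SectionPayload; return true;
        case State::SectionPayload: // non-code section: skip it whole
            if (!consume(m_sectionRemaining, &bytes)) return false;
            m_state = State::SectionID; return true;
        case State::FunctionCount:
            if (!consumeVarUInt32(m_functionsRemaining, true)) return false;
            return nextFunctionOrEndSection();
        case State::FunctionSize: // the body is charged before it is buffered, so it cannot overrun its section
            if (!consumeVarUInt32(m_functionSize, true) || !chargeSection(m_functionSize)) return false;
            m_state = State::FunctionPayload; return true;
        case State::FunctionPayload: // a complete body: hand it to validation/compilation (here, keep it)
            if (!consume(m_functionSize, &bytes)) return false;
            m_functions.emplace_back(bytes, bytes + m_functionSize); --m_functionsRemaining;
            return nextFunctionOrEndSection();
        default: return false;
        }
    }
    State m_state = State::ModuleHeader; uint8_t m_sectionID = 0; std::string m_error;
    std::vector<uint8_t> m_buffer; size_t m_offset = 0, m_sectionRemaining = 0;
    uint32_t m_functionsRemaining = 0, m_functionSize = 0; std::vector<std::vector<uint8_t>> m_functions;
};
std::vector<uint8_t> sampleModule() { // constructed sample: one type () -> (), one function, one body "no locals, end"
    return { 0x00, 'a', 's', 'm', 1, 0, 0, 0,                           // header
             0x01, 0x04, 0x01, 0x60, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00, // type section, function section
             0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b };                       // code section: count 1, body size 2
}
StreamingWasmParser::State parseInChunks(StreamingWasmParser& parser, const std::vector<uint8_t>& bytes, size_t chunkSize) {
    for (size_t i = 0; i < bytes.size(); i += chunkSize) // feed the stream piecewise, as a client would
        parser.addBytes(bytes.data() + i, std::min(chunkSize, bytes.size() - i));
    return parser.finalize();
}
```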
895 2018-08-27  Mark Lam  <mark.lam@apple.com>
896
897         Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
898         https://bugs.webkit.org/show_bug.cgi?id=188577
899         <rdar://problem/42985684>
900
901         Reviewed by Saam Barati.
902
903         1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
904            (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
905
906            The StackOverflowFrame is a sentinel frame that the low level code (exception
907            throwing code, stack visitor, and stack unwinding code) will know to skip
908            over.  The StackOverflowFrame will also have a valid JSCallee so that client
909            code can compute the globalObject or VM from this frame.
910
911            As a result, client code that throws StackOverflowErrors no longer needs to
912            compute the caller frame to throw from: it just converts the top frame into
913            a StackOverflowFrame and everything should *Just Work*.
914
915         2. NativeCallFrameTracerWithRestore is now obsolete.
916
917            Instead, client code should always call convertToStackOverflowFrame() on the
918            frame before instantiating a NativeCallFrameTracer with it.
919
920            This means that topCallFrame will always point to the top CallFrame (which
921            may be a StackOverflowFrame), and topEntryFrame will always point to the top
922            EntryFrame.  We'll never temporarily point them to the previous EntryFrame
923            (which we used to do with NativeCallFrameTracerWithRestore).
924
925         3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
926            CallFrame, and will know how to handle a StackOverflowFrame if they see one.
927
928            This obsoletes the UnwindStart flag.
929
930         * CMakeLists.txt:
931         * JavaScriptCore.xcodeproj/project.pbxproj:
932         * Sources.txt:
933         * debugger/Debugger.cpp:
934         (JSC::Debugger::pauseIfNeeded):
935         * interpreter/CallFrame.cpp:
936         (JSC::CallFrame::callerFrame const):
937         (JSC::CallFrame::unsafeCallerFrame const):
938         (JSC::CallFrame::convertToStackOverflowFrame):
939         (JSC::CallFrame::callerFrame): Deleted.
940         (JSC::CallFrame::unsafeCallerFrame): Deleted.
941         * interpreter/CallFrame.h:
942         (JSC::ExecState::iterate):
943         * interpreter/CallFrameInlines.h: Added.
944         (JSC::CallFrame::isStackOverflowFrame const):
945         (JSC::CallFrame::isWasmFrame const):
946         * interpreter/EntryFrame.h: Added.
947         (JSC::EntryFrame::vmEntryRecordOffset):
948         (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
949         * interpreter/FrameTracers.h:
950         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
951         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
952         * interpreter/Interpreter.cpp:
953         (JSC::Interpreter::unwind):
954         * interpreter/Interpreter.h:
955         * interpreter/StackVisitor.cpp:
956         (JSC::StackVisitor::StackVisitor):
957         * interpreter/StackVisitor.h:
958         (JSC::StackVisitor::visit):
959         (JSC::StackVisitor::topEntryFrameIsEmpty const):
960         * interpreter/VMEntryRecord.h:
961         (JSC::VMEntryRecord::callee const):
962         (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
963         (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
964         * jit/AssemblyHelpers.h:
965         * jit/JITExceptions.cpp:
966         (JSC::genericUnwind):
967         * jit/JITExceptions.h:
968         * jit/JITOperations.cpp:
969         * llint/LLIntOffsetsExtractor.cpp:
970         * llint/LLIntSlowPaths.cpp:
971         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
972         * llint/LowLevelInterpreter.asm:
973         * llint/LowLevelInterpreter32_64.asm:
974         * llint/LowLevelInterpreter64.asm:
975         * runtime/CallData.cpp:
976         * runtime/CommonSlowPaths.cpp:
977         (JSC::throwArityCheckStackOverflowError):
978         (JSC::SLOW_PATH_DECL):
979         * runtime/CommonSlowPathsExceptions.cpp: Removed.
980         * runtime/CommonSlowPathsExceptions.h: Removed.
981         * runtime/Completion.cpp:
982         (JSC::evaluateWithScopeExtension):
983         * runtime/JSGeneratorFunction.h:
984         * runtime/JSGlobalObject.cpp:
985         (JSC::JSGlobalObject::init):
986         (JSC::JSGlobalObject::visitChildren):
987         * runtime/JSGlobalObject.h:
988         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
989         * runtime/VM.cpp:
990         (JSC::VM::throwException):
991         * runtime/VM.h:
992         * runtime/VMInlines.h:
993         (JSC::VM::topJSCallFrame const):
994
995 2018-08-27  Keith Rollin  <krollin@apple.com>
996
997         Unreviewed build fix -- disable LTO for production builds
998
999         * Configurations/Base.xcconfig:
1000
1001 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
1002
1003         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
1004         https://bugs.webkit.org/show_bug.cgi?id=188931
1005
1006         Reviewed by Wenson Hsieh.
1007
1008         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
1009
1010 2018-08-27  Devin Rousso  <drousso@apple.com>
1011
1012         Web Inspector: provide autocompletion for event breakpoints
1013         https://bugs.webkit.org/show_bug.cgi?id=188717
1014
1015         Reviewed by Brian Burg.
1016
1017         * inspector/protocol/DOM.json:
1018         Add `getSupportedEventNames` command.
1019
1020 2018-08-27  Keith Rollin  <krollin@apple.com>
1021
1022         Build system support for LTO
1023         https://bugs.webkit.org/show_bug.cgi?id=187785
1024         <rdar://problem/42353132>
1025
1026         Reviewed by Dan Bernstein.
1027
1028         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
1029         LTO.
1030
1031         * Configurations/Base.xcconfig:
1032         * Configurations/DebugRelease.xcconfig:
1033
1034 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
1035
1036         [GTK][JSC] Add warn_unused_result attribute to some APIs
1037         https://bugs.webkit.org/show_bug.cgi?id=188983
1038
1039         Reviewed by Michael Catanzaro.
1040
1041         * API/glib/JSCValue.h:
1042
1043 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1044
1045         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
1046         https://bugs.webkit.org/show_bug.cgi?id=188794
1047
1048         Reviewed by Saam Barati.
1049
1050         While Array.prototype.reverse modifies the butterfly of the given Array,
1051         it does not account for the JSImmutableButterfly case. So it accidentally modifies
1052         the content of the JSImmutableButterfly.
1053         This patch converts CoW arrays to writable arrays before reversing.
1054
1055         * runtime/ArrayPrototype.cpp:
1056         (JSC::arrayProtoFuncReverse):
1057         * runtime/JSObject.h:
1058         (JSC::JSObject::ensureWritable):
1059
1060 2018-08-24  Michael Saboff  <msaboff@apple.com>
1061
1062         YARR: Update UCS canonicalization tables for Unicode 11
1063         https://bugs.webkit.org/show_bug.cgi?id=188928
1064
1065         Reviewed by Mark Lam.
1066
1067         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
1068
1069         This passes JavaScriptCore and test262 tests.
1070
1071         * yarr/YarrCanonicalizeUCS2.cpp:
1072         * yarr/YarrCanonicalizeUCS2.js:
1073         (printHeader):
1074
1075 2018-08-24  Michael Saboff  <msaboff@apple.com>
1076
1077         YARR: JIT RegExps with non-greedy parenthesized sub patterns
1078         https://bugs.webkit.org/show_bug.cgi?id=180876
1079
1080         Reviewed by Filip Pizlo.
1081
1082         Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
1083         For the matching code, the greedy path was correct except that we don't try matching for the
1084         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
1085         first / next match when we backtrack.  The backtracking code needs to check to see if we have
1086         tried the first match or if we can do another match.
1087
1088         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
1089         count.  Did other minor cleanup as well.
1090
1091         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
1092
1093         Updated the text in some comments, both for this change as well as accuracy for existing code.
1094
1095         * yarr/YarrJIT.cpp:
1096         (JSC::Yarr::YarrGenerator::generate):
1097         (JSC::Yarr::YarrGenerator::backtrack):
1098         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1099         (JSC::Yarr::YarrGenerator::compile):
1100         (JSC::Yarr::dumpCompileFailure):
1101         (JSC::Yarr::jitCompile):
1102         * yarr/YarrJIT.h:
1103         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
1104         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
1105
1106 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
1107
1108         Add support for dumping GC heap snapshots, and a viewer
1109         https://bugs.webkit.org/show_bug.cgi?id=186416
1110
1111         Reviewed by Joseph Pecoraro.
1112
1113         Make a way to dump information about the GC heap that is useful for looking for leaked
1114         or abandoned objects. This dump is obtained (on Apple platforms) via:
1115             notifyutil -p com.apple.WebKit.dumpGCHeap
1116         which writes a JSON file to /tmp that can then be loaded into the viewer in Tools/GCHeapInspector.
1117         
1118         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
1119         the snapshot JSON that adds additional data about objects and why they are GC roots.
1120
1121         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
1122         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
1123         objects visited via opaque roots, we record the reason why via a new out param to
1124         isReachableFromOpaqueRoots().
1125
1126         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
1127         additional information including the address of the JSCell* and the wrapped object (for
1128         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
1129         be the document URL.
1130
1131         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
1132
1133         * API/JSAPIWrapperObject.mm:
1134         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1135         * API/JSManagedValue.mm:
1136         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
1137         * API/glib/JSAPIWrapperObjectGLib.cpp:
1138         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1139         * CMakeLists.txt:
1140         * heap/ConservativeRoots.h:
1141         (JSC::ConservativeRoots::size const):
1142         (JSC::ConservativeRoots::size): Deleted.
1143         * heap/Heap.cpp:
1144         (JSC::Heap::addCoreConstraints):
1145         * heap/HeapSnapshotBuilder.cpp:
1146         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
1147         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
1148         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
1149         (JSC::HeapSnapshotBuilder::buildSnapshot):
1150         (JSC::HeapSnapshotBuilder::appendNode):
1151         (JSC::HeapSnapshotBuilder::appendEdge):
1152         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
1153         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
1154         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
1155         (JSC::snapshotTypeToString):
1156         (JSC::rootTypeToString):
1157         (JSC::HeapSnapshotBuilder::setLabelForCell):
1158         (JSC::HeapSnapshotBuilder::descriptionForCell const):
1159         (JSC::HeapSnapshotBuilder::json):
1160         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
1161         * heap/HeapSnapshotBuilder.h:
1162         * heap/SlotVisitor.cpp:
1163         (JSC::SlotVisitor::appendSlow):
1164         * heap/SlotVisitor.h:
1165         (JSC::SlotVisitor::heapSnapshotBuilder const):
1166         (JSC::SlotVisitor::rootMarkReason const):
1167         (JSC::SlotVisitor::setRootMarkReason):
1168         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
1169         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
1170         * heap/WeakBlock.cpp:
1171         (JSC::WeakBlock::specializedVisit):
1172         * heap/WeakHandleOwner.cpp:
1173         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
1174         * heap/WeakHandleOwner.h:
1175         * runtime/SimpleTypedArrayController.cpp:
1176         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
1177         * runtime/SimpleTypedArrayController.h:
1178         * tools/JSDollarVM.cpp:
1179
1180 2018-08-23  Saam barati  <sbarati@apple.com>
1181
1182         JSRunLoopTimer may run part of a member function after it's destroyed
1183         https://bugs.webkit.org/show_bug.cgi?id=188426
1184
1185         Reviewed by Mark Lam.
1186
1187         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1188         to end up running timer code after the class had been destroyed.
1189         
1190         The issue I spotted was in this function:
1191         ```
1192         void JSRunLoopTimer::timerDidFire()
1193         {
1194             JSLock* apiLock = m_apiLock.get();
1195             if (!apiLock) {
1196                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1197                 return;
1198             }
1199             // HERE
1200             std::lock_guard<JSLock> lock(*apiLock);
1201             RefPtr<VM> vm = apiLock->vm();
1202             if (!vm) {
1203                 // The VM has been destroyed, so we should just give up.
1204                 return;
1205             }
1206         
1207             doWork();
1208         }
1209         ```
1210         
1211         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1212         switched before grabbing the API lock. Then, some other thread destroys the VM.
1213         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1214         timer would run code and access member variables after it was destroyed.
1215         
1216         This patch fixes this issue by introducing a new timer manager class. 
1217         This class manages timers on a per VM basis. When a timer is scheduled,
1218         this class refs the timer. It also calls the timer callback while actively
1219         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1220         callback after the timer has been destroyed. However, calling a timer callback
1221         can still race with the VM being destroyed. We continue to detect this case and
1222         bail out of the callback early.
1223         
1224         This patch also removes a lot of duplicate code between GCActivityCallback
1225         and JSRunLoopTimer.
1226
1227         * heap/EdenGCActivityCallback.cpp:
1228         (JSC::EdenGCActivityCallback::doCollection):
1229         (JSC::EdenGCActivityCallback::lastGCLength):
1230         (JSC::EdenGCActivityCallback::deathRate):
1231         * heap/EdenGCActivityCallback.h:
1232         * heap/FullGCActivityCallback.cpp:
1233         (JSC::FullGCActivityCallback::doCollection):
1234         (JSC::FullGCActivityCallback::lastGCLength):
1235         (JSC::FullGCActivityCallback::deathRate):
1236         * heap/FullGCActivityCallback.h:
1237         * heap/GCActivityCallback.cpp:
1238         (JSC::GCActivityCallback::doWork):
1239         (JSC::GCActivityCallback::scheduleTimer):
1240         (JSC::GCActivityCallback::didAllocate):
1241         (JSC::GCActivityCallback::willCollect):
1242         (JSC::GCActivityCallback::cancel):
1243         (JSC::GCActivityCallback::cancelTimer): Deleted.
1244         (JSC::GCActivityCallback::nextFireTime): Deleted.
1245         * heap/GCActivityCallback.h:
1246         * heap/Heap.cpp:
1247         (JSC::Heap::reportAbandonedObjectGraph):
1248         (JSC::Heap::notifyIncrementalSweeper):
1249         (JSC::Heap::updateAllocationLimits):
1250         (JSC::Heap::didAllocate):
1251         * heap/IncrementalSweeper.cpp:
1252         (JSC::IncrementalSweeper::scheduleTimer):
1253         (JSC::IncrementalSweeper::doWork):
1254         (JSC::IncrementalSweeper::doSweep):
1255         (JSC::IncrementalSweeper::sweepNextBlock):
1256         (JSC::IncrementalSweeper::startSweeping):
1257         (JSC::IncrementalSweeper::stopSweeping):
1258         * heap/IncrementalSweeper.h:
1259         * heap/StopIfNecessaryTimer.cpp:
1260         (JSC::StopIfNecessaryTimer::doWork):
1261         (JSC::StopIfNecessaryTimer::scheduleSoon):
1262         * heap/StopIfNecessaryTimer.h:
1263         * runtime/JSRunLoopTimer.cpp:
1264         (JSC::epochTime):
1265         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1266         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1267         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1268         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1269         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1270         (JSC::JSRunLoopTimer::Manager::shared):
1271         (JSC::JSRunLoopTimer::Manager::registerVM):
1272         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1273         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1274         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1275         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1276         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1277         (JSC::JSRunLoopTimer::timerDidFire):
1278         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1279         (JSC::JSRunLoopTimer::timeUntilFire):
1280         (JSC::JSRunLoopTimer::setTimeUntilFire):
1281         (JSC::JSRunLoopTimer::cancelTimer):
1282         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1283         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1284         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1285         * runtime/JSRunLoopTimer.h:
1286         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1287         * runtime/PromiseDeferredTimer.cpp:
1288         (JSC::PromiseDeferredTimer::doWork):
1289         (JSC::PromiseDeferredTimer::runRunLoop):
1290         (JSC::PromiseDeferredTimer::addPendingPromise):
1291         (JSC::PromiseDeferredTimer::hasPendingPromise):
1292         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1293         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1294         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1295         * runtime/PromiseDeferredTimer.h:
1296         * runtime/VM.cpp:
1297         (JSC::VM::VM):
1298         (JSC::VM::~VM):
1299         (JSC::VM::setRunLoop):
1300         (JSC::VM::registerRunLoopTimer): Deleted.
1301         (JSC::VM::unregisterRunLoopTimer): Deleted.
1302         * runtime/VM.h:
1303         (JSC::VM::runLoop const):
1304         * wasm/js/WebAssemblyPrototype.cpp:
1305         (JSC::webAssemblyModuleValidateAsyncInternal):
1306         (JSC::instantiate):
1307         (JSC::compileAndInstantiate):
1308         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1309         (JSC::webAssemblyCompileStreamingInternal):
1310         (JSC::webAssemblyInstantiateStreamingInternal):
1311
1312 2018-08-23  Mark Lam  <mark.lam@apple.com>
1313
1314         Move vmEntryGlobalObject() to VM from CallFrame.
1315         https://bugs.webkit.org/show_bug.cgi?id=188900
1316         <rdar://problem/43655753>
1317
1318         Reviewed by Michael Saboff.
1319
1320         Also introduced CallFrame::isGlobalExec() which makes use of one property of
1321         GlobalExecs to identify them, i.e. GlobalExecs have null callerFrame and returnPCs.
1322         CallFrame::initGlobalExec() ensures this.
1323
1324         In contrast, normal CallFrames always have a callerFrame (because they must at
1325         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
1326         VM entry glue).
1327
1328         * API/APIUtils.h:
1329         (handleExceptionIfNeeded):
1330         (setException):
1331         * API/JSBase.cpp:
1332         (JSEvaluateScript):
1333         (JSCheckScriptSyntax):
1334         * API/JSContextRef.cpp:
1335         (JSGlobalContextRetain):
1336         (JSGlobalContextRelease):
1337         (JSGlobalContextCopyName):
1338         (JSGlobalContextSetName):
1339         (JSGlobalContextGetRemoteInspectionEnabled):
1340         (JSGlobalContextSetRemoteInspectionEnabled):
1341         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
1342         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
1343         (JSGlobalContextGetDebuggerRunLoop):
1344         (JSGlobalContextSetDebuggerRunLoop):
1345         (JSGlobalContextGetAugmentableInspectorController):
1346         * API/JSValue.mm:
1347         (reportExceptionToInspector):
1348         * API/glib/JSCClass.cpp:
1349         (jscContextForObject):
1350         * API/glib/JSCContext.cpp:
1351         (jsc_context_evaluate_in_object):
1352         * debugger/Debugger.cpp:
1353         (JSC::Debugger::pauseIfNeeded):
1354         * debugger/DebuggerCallFrame.cpp:
1355         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
1356         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1357         * interpreter/CallFrame.cpp:
1358         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
1359         * interpreter/CallFrame.h:
1360         (JSC::ExecState::scope const):
1361         (JSC::ExecState::noCaller):
1362         (JSC::ExecState::isGlobalExec const):
1363         * interpreter/Interpreter.cpp:
1364         (JSC::notifyDebuggerOfUnwinding):
1365         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
1366         (JSC::Interpreter::debug):
1367         * runtime/CallData.cpp:
1368         (JSC::profiledCall):
1369         * runtime/Completion.cpp:
1370         (JSC::evaluate):
1371         (JSC::profiledEvaluate):
1372         (JSC::evaluateWithScopeExtension):
1373         (JSC::loadAndEvaluateModule):
1374         (JSC::loadModule):
1375         (JSC::linkAndEvaluateModule):
1376         (JSC::importModule):
1377         * runtime/ConstructData.cpp:
1378         (JSC::profiledConstruct):
1379         * runtime/Error.cpp:
1380         (JSC::getStackTrace):
1381         * runtime/VM.cpp:
1382         (JSC::VM::throwException):
1383         (JSC::VM::vmEntryGlobalObject const):
1384         * runtime/VM.h:
1385
1386 2018-08-23  Andy Estes  <aestes@apple.com>
1387
1388         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
1389         https://bugs.webkit.org/show_bug.cgi?id=188829
1390
1391         Reviewed by Tim Horton.
1392
1393         * Configurations/FeatureDefines.xcconfig:
1394
1395 2018-08-23  Devin Rousso  <drousso@apple.com>
1396
1397         Web Inspector: support breakpoints for timers and animation-frame events
1398         https://bugs.webkit.org/show_bug.cgi?id=188778
1399
1400         Reviewed by Brian Burg.
1401
1402         * inspector/protocol/Debugger.json:
1403         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
1404
1405         * inspector/protocol/DOMDebugger.json:
1406         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
1407          - `setEventListenerBreakpoint`
1408          - `removeEventListenerBreakpoint`
1409          - `setInstrumentationBreakpoint`
1410          - `removeInstrumentationBreakpoint`
1411         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
1412
1413         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1414         (CppProtocolTypesHeaderGenerator.generate_output):
1415         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
1416         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
1417         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
1418         Generate `DefaultHash` for all `enum class` used by inspector protocols.
1419
1420         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1421         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1422         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1423         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1424         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1425         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1426         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1427
1428 2018-08-23  Michael Saboff  <msaboff@apple.com>
1429
1430         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
1431         https://bugs.webkit.org/show_bug.cgi?id=188895
1432
1433         Reviewed by Mark Lam.
1434
1435         Found while working on another change.  This will allow processing of nested
1436         parentheses that require saved ParenContext structures.
1437
1438         * yarr/YarrJIT.cpp:
1439         (JSC::Yarr::YarrGenerator::compile):
1440
1441 2018-08-22  Michael Saboff  <msaboff@apple.com>
1442
1443         https://bugs.webkit.org/show_bug.cgi?id=188859
1444         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1445
1446         Rubber-stamped by Saam Barati.
1447
1448         Deleted these two functions.
1449
1450         * jit/JITOperations.cpp:
1451         * jit/JITOperations.h:
1452
1453 2018-08-22  Mark Lam  <mark.lam@apple.com>
1454
1455         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1456         https://bugs.webkit.org/show_bug.cgi?id=188298
1457         <rdar://problem/42888427>
1458
1459         Reviewed by Saam Barati.
1460
1461         In the event that both targets of a Branch are the same block, then even if we'll
1462         always take one path of the branch, the other target is not unreachable because
1463         it is the same target as the one in the taken path.  Hence, it should not be
1464         jettisoned.
1465
1466         * JavaScriptCore.xcodeproj/project.pbxproj:
1467         - Added DFGCFG.h which is in use and should have been added to the project.
1468         * dfg/DFGCFGSimplificationPhase.cpp:
1469         (JSC::DFG::CFGSimplificationPhase::run):
1470
1471 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1472
1473         [JSC] HeapUtil should care about pointer overflow
1474         https://bugs.webkit.org/show_bug.cgi?id=188740
1475
1476         Reviewed by Saam Barati.
1477
1478         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if the pointer overflows.
1479         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1480         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1481
1482         * heap/HeapUtil.h:
1483         (JSC::HeapUtil::findGCObjectPointersForMarking):
1484
1485 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1486
1487         [JSC] Should not rotate constant with 64
1488         https://bugs.webkit.org/show_bug.cgi?id=188556
1489
1490         Reviewed by Saam Barati.
1491
1492         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1493         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1494         where value's type is uint64_t, and they cause undefined behavior (UB). This patch limits
1495         the seed to the range [1, 63] so as not to generate code causing UB. This was found by UBSan.
1496
1497         * assembler/MacroAssembler.h:
1498         (JSC::MacroAssembler::generateRotationSeed):
1499         (JSC::MacroAssembler::rotationBlindConstant):
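The seed restriction described in the entry above, as an added example that is not JSC's own code: a rotate-based constant blinding scheme where every seed is drawn from [1, 63], so neither shift in the rotation is ever by the full 64-bit width. The function and struct names are hypothetical.

```cpp
#include <cstdint>
#include <random>

// Added example, not JSC's own code: constant blinding by rotation with the
// seed kept in [1, 63]. A seed of 0 or 64 would turn one of the two shifts
// below into a shift by the full operand width, which is undefined behavior.

static inline uint64_t rotateLeft64(uint64_t value, unsigned count)
{
    // Only defined for count in [1, 63]: both shift amounts then stay in [1, 63].
    return (value << count) | (value >> (64 - count));
}

static inline uint64_t rotateRight64(uint64_t value, unsigned count)
{
    return (value >> count) | (value << (64 - count));
}

static inline bool isValidRotationSeed(unsigned seed)
{
    return seed >= 1 && seed <= 63;
}

// The fix: draw the seed from [1, 63] instead of allowing 0 or 64.
unsigned generateRotationSeed(std::mt19937_64& rng)
{
    return static_cast<unsigned>(rng() % 63) + 1;
}

// Sanity check that `draws` consecutive seeds all stay inside [1, 63].
bool seedsAlwaysValid(unsigned draws, uint64_t rngSeed)
{
    std::mt19937_64 rng(rngSeed);
    for (unsigned i = 0; i < draws; ++i) {
        if (!isValidRotationSeed(generateRotationSeed(rng)))
            return false;
    }
    return true;
}

// What ends up in the code stream: the rotated value plus the seed needed to
// undo the rotation, so a script-controlled constant never appears verbatim
// in executable memory. (A value that is symmetric under rotation, such as
// all zeros or all ones, is unchanged by this; rotation alone does not hide it.)
struct BlindedConstant {
    uint64_t rotated;
    unsigned seed;
};

BlindedConstant rotationBlindConstant(uint64_t value, unsigned seed)
{
    // The caller guarantees a valid seed; 0 or 64 would be UB in rotateRight64.
    return { rotateRight64(value, seed), seed };
}

// The instruction sequence emitted at the use site rotates back by the same seed.
uint64_t unblindConstant(const BlindedConstant& blinded)
{
    return rotateLeft64(blinded.rotated, blinded.seed);
}
```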
1500
1501 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1502
1503         Unreviewed, rolling out r235107.
1504         https://bugs.webkit.org/show_bug.cgi?id=188832
1505
1506         "It revealed bugs in Blob code as well as regressed JS
1507         performance tests" (Requested by saamyjoon on #webkit).
1508
1509         Reverted changeset:
1510
1511         "JSRunLoopTimer may run part of a member function after it's
1512         destroyed"
1513         https://bugs.webkit.org/show_bug.cgi?id=188426
1514         https://trac.webkit.org/changeset/235107
1515
1516 2018-08-21  Saam barati  <sbarati@apple.com>
1517
1518         JSRunLoopTimer may run part of a member function after it's destroyed
1519         https://bugs.webkit.org/show_bug.cgi?id=188426
1520
1521         Reviewed by Mark Lam.
1522
1523         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1524         to end up running timer code after the class had been destroyed.
1525         
1526         The issue I spotted was in this function:
1527         ```
1528         void JSRunLoopTimer::timerDidFire()
1529         {
1530             JSLock* apiLock = m_apiLock.get();
1531             if (!apiLock) {
1532                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1533                 return;
1534             }
1535             // HERE
1536             std::lock_guard<JSLock> lock(*apiLock);
1537             RefPtr<VM> vm = apiLock->vm();
1538             if (!vm) {
1539                 // The VM has been destroyed, so we should just give up.
1540                 return;
1541             }
1542         
1543             doWork();
1544         }
1545         ```
1546         
1547         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1548         switched before grabbing the API lock. Then, some other thread destroys the VM.
1549         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1550         timer would run code and access member variables after it was destroyed.
1551         
1552         This patch fixes this issue by introducing a new timer manager class. 
1553         This class manages timers on a per VM basis. When a timer is scheduled,
1554         this class refs the timer. It also calls the timer callback while actively
1555         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1556         callback after the timer has been destroyed. However, calling a timer callback
1557         can still race with the VM being destroyed. We continue to detect this case and
1558         bail out of the callback early.
1559         
1560         This patch also removes a lot of duplicate code between GCActivityCallback
1561         and JSRunLoopTimer.
1562
1563         * heap/EdenGCActivityCallback.cpp:
1564         (JSC::EdenGCActivityCallback::doCollection):
1565         (JSC::EdenGCActivityCallback::lastGCLength):
1566         (JSC::EdenGCActivityCallback::deathRate):
1567         * heap/EdenGCActivityCallback.h:
1568         * heap/FullGCActivityCallback.cpp:
1569         (JSC::FullGCActivityCallback::doCollection):
1570         (JSC::FullGCActivityCallback::lastGCLength):
1571         (JSC::FullGCActivityCallback::deathRate):
1572         * heap/FullGCActivityCallback.h:
1573         * heap/GCActivityCallback.cpp:
1574         (JSC::GCActivityCallback::doWork):
1575         (JSC::GCActivityCallback::scheduleTimer):
1576         (JSC::GCActivityCallback::didAllocate):
1577         (JSC::GCActivityCallback::willCollect):
1578         (JSC::GCActivityCallback::cancel):
1579         (JSC::GCActivityCallback::cancelTimer): Deleted.
1580         (JSC::GCActivityCallback::nextFireTime): Deleted.
1581         * heap/GCActivityCallback.h:
1582         * heap/Heap.cpp:
1583         (JSC::Heap::reportAbandonedObjectGraph):
1584         (JSC::Heap::notifyIncrementalSweeper):
1585         (JSC::Heap::updateAllocationLimits):
1586         (JSC::Heap::didAllocate):
1587         * heap/IncrementalSweeper.cpp:
1588         (JSC::IncrementalSweeper::scheduleTimer):
1589         (JSC::IncrementalSweeper::doWork):
1590         (JSC::IncrementalSweeper::doSweep):
1591         (JSC::IncrementalSweeper::sweepNextBlock):
1592         (JSC::IncrementalSweeper::startSweeping):
1593         (JSC::IncrementalSweeper::stopSweeping):
1594         * heap/IncrementalSweeper.h:
1595         * heap/StopIfNecessaryTimer.cpp:
1596         (JSC::StopIfNecessaryTimer::doWork):
1597         (JSC::StopIfNecessaryTimer::scheduleSoon):
1598         * heap/StopIfNecessaryTimer.h:
1599         * runtime/JSRunLoopTimer.cpp:
1600         (JSC::epochTime):
1601         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1602         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1603         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1604         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1605         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1606         (JSC::JSRunLoopTimer::Manager::shared):
1607         (JSC::JSRunLoopTimer::Manager::registerVM):
1608         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1609         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1610         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1611         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1612         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1613         (JSC::JSRunLoopTimer::timerDidFire):
1614         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1615         (JSC::JSRunLoopTimer::timeUntilFire):
1616         (JSC::JSRunLoopTimer::setTimeUntilFire):
1617         (JSC::JSRunLoopTimer::cancelTimer):
1618         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1619         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1620         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1621         * runtime/JSRunLoopTimer.h:
1622         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1623         * runtime/PromiseDeferredTimer.cpp:
1624         (JSC::PromiseDeferredTimer::doWork):
1625         (JSC::PromiseDeferredTimer::runRunLoop):
1626         (JSC::PromiseDeferredTimer::addPendingPromise):
1627         (JSC::PromiseDeferredTimer::hasPendingPromise):
1628         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1629         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1630         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1631         * runtime/PromiseDeferredTimer.h:
1632         * runtime/VM.cpp:
1633         (JSC::VM::VM):
1634         (JSC::VM::~VM):
1635         (JSC::VM::setRunLoop):
1636         (JSC::VM::registerRunLoopTimer): Deleted.
1637         (JSC::VM::unregisterRunLoopTimer): Deleted.
1638         * runtime/VM.h:
1639         (JSC::VM::runLoop const):
1640         * wasm/js/WebAssemblyPrototype.cpp:
1641         (JSC::webAssemblyModuleValidateAsyncInternal):
1642         (JSC::instantiate):
1643         (JSC::compileAndInstantiate):
1644         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1645         (JSC::webAssemblyCompileStreamingInternal):
1646         (JSC::webAssemblyInstantiateStreamingInternal):
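The ownership rule this entry describes (the manager refs a scheduled timer, holds a +1 ref while running its callback, and detects VM destruction under the same lock), as an added example that is not JavaScriptCore's code. The class and function names are hypothetical, and real threads are replaced by the three interleavings the entry discusses, written out as sequential scenarios.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <mutex>
#include <unordered_map>

// Added example, not JavaScriptCore's code: a reduced model of a per-VM timer
// manager. The manager refs a scheduled timer and takes its own +1 ref under
// the lock before invoking the callback, so the callback can never run on a
// timer that has already been destroyed.

struct RunLoopTimer {
    explicit RunLoopTimer(std::function<void(RunLoopTimer&)> work) : doWork(std::move(work)) { }
    std::function<void(RunLoopTimer&)> doWork;
    int firedCount = 0;
};

class TimerManager {
public:
    static TimerManager& shared() { static TimerManager manager; return manager; }

    void registerVM(uint64_t vmID) { std::lock_guard<std::mutex> lock(m_lock); m_perVM[vmID]; }
    // Called from the VM destructor: drops the manager's ref to any scheduled timer.
    void unregisterVM(uint64_t vmID) { std::lock_guard<std::mutex> lock(m_lock); m_perVM.erase(vmID); }

    void scheduleTimer(uint64_t vmID, std::shared_ptr<RunLoopTimer> timer)
    {
        std::lock_guard<std::mutex> lock(m_lock);
        auto it = m_perVM.find(vmID);
        if (it != m_perVM.end())
            it->second.scheduled = std::move(timer); // the manager now refs the timer
    }

    // What the run-loop thread does when the timer fires; returns whether the callback ran.
    bool timerDidFire(uint64_t vmID)
    {
        std::shared_ptr<RunLoopTimer> timer;
        {
            std::lock_guard<std::mutex> lock(m_lock);
            auto it = m_perVM.find(vmID);
            if (it == m_perVM.end())
                return false; // the VM was destroyed before we got the lock: give up
            timer = std::move(it->second.scheduled); // take our +1 ref under the lock
        }
        if (!timer)
            return false;
        // From here on only our +1 ref is needed: even if the owner drops the
        // timer inside doWork, the object lives until `timer` goes out of scope.
        timer->firedCount++;
        timer->doWork(*timer);
        return true;
    }

private:
    struct PerVMData { std::shared_ptr<RunLoopTimer> scheduled; };
    std::mutex m_lock;
    std::unordered_map<uint64_t, PerVMData> m_perVM;
};

struct VM {
    static uint64_t nextID() { static uint64_t counter = 0; return ++counter; }
    VM() : id(nextID()) { TimerManager::shared().registerVM(id); }
    ~VM() { TimerManager::shared().unregisterVM(id); }
    uint64_t id;
    std::shared_ptr<RunLoopTimer> timer; // the VM owns its timer, as in JSC
};

// Scenario 1: the timer fires while the VM is alive; the callback runs once.
int fireWhileVMAlive()
{
    VM vm;
    vm.timer = std::make_shared<RunLoopTimer>([](RunLoopTimer&) { });
    TimerManager::shared().scheduleTimer(vm.id, vm.timer);
    TimerManager::shared().timerDidFire(vm.id);
    return vm.timer->firedCount;
}

// Scenario 2: the race from the entry. The VM (and the timer it owns) is destroyed
// after scheduling but before the run-loop thread takes the lock; the manager no
// longer knows the VM, so the callback is never invoked on freed memory.
bool fireAfterVMDestroyed()
{
    uint64_t vmID;
    {
        VM vm;
        vmID = vm.id;
        vm.timer = std::make_shared<RunLoopTimer>([](RunLoopTimer&) { });
        TimerManager::shared().scheduleTimer(vm.id, vm.timer);
    } // ~VM unregisters; the timer is freed here, not under a running callback
    return TimerManager::shared().timerDidFire(vmID);
}

// Scenario 3: the owner lets go of the timer in the middle of the callback; the
// manager's +1 ref keeps the object alive until the callback has returned.
bool timerOutlivesOwnerDuringCallback()
{
    VM vm;
    vm.timer = std::make_shared<RunLoopTimer>([&vm](RunLoopTimer& self) {
        vm.timer.reset();      // owner drops its ref mid-callback
        self.firedCount += 10; // still valid: kept alive by the manager's ref
    });
    std::weak_ptr<RunLoopTimer> observer = vm.timer;
    TimerManager::shared().scheduleTimer(vm.id, vm.timer);
    bool ran = TimerManager::shared().timerDidFire(vm.id);
    return ran && observer.expired(); // freed only after the callback finished
}
```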
1647
1648 2018-08-20  Saam barati  <sbarati@apple.com>
1649
1650         Inline DataView accesses into DFG/FTL
1651         https://bugs.webkit.org/show_bug.cgi?id=188573
1652         <rdar://problem/43286746>
1653
1654         Reviewed by Michael Saboff.
1655
1656         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1657         straightforward. We inline the various get*/set* operations as intrinsics.
1658         
1659         This patch takes the most obvious approach for now. We OSR exit when:
1660         - An isLittleEndian argument is provided, and is not a boolean.
1661         - The index isn't an integer.
1662         - The |this| isn't a DataView.
1663         - We do an OOB access (or see a neutered array).
1664         
1665         To implement this change in a performant way, this patch teaches the macro
1666         assembler how to emit byte swap operations. The semantics of the added functions
1667         are byteSwap + zero extend. This means for the 16-bit byte swaps, we need
1668         to actually emit zero extend instructions. For the 32/64-bit byte swaps,
1669         the instructions already have these semantics.
1670         
1671         This patch is just a lightweight initial implementation. There are some easy
1672         extensions we can do in future changes:
1673         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1674         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1675
1676         * assembler/MacroAssemblerARM64.h:
1677         (JSC::MacroAssemblerARM64::byteSwap16):
1678         (JSC::MacroAssemblerARM64::byteSwap32):
1679         (JSC::MacroAssemblerARM64::byteSwap64):
1680         * assembler/MacroAssemblerX86Common.h:
1681         (JSC::MacroAssemblerX86Common::byteSwap32):
1682         (JSC::MacroAssemblerX86Common::byteSwap16):
1683         (JSC::MacroAssemblerX86Common::byteSwap64):
1684         * assembler/X86Assembler.h:
1685         (JSC::X86Assembler::bswapl_r):
1686         (JSC::X86Assembler::bswapq_r):
1687         (JSC::X86Assembler::shiftInstruction16):
1688         (JSC::X86Assembler::rolw_i8r):
1689         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1690         * assembler/testmasm.cpp:
1691         (JSC::testByteSwap):
1692         (JSC::run):
1693         * bytecode/DataFormat.h:
1694         * bytecode/SpeculatedType.cpp:
1695         (JSC::dumpSpeculation):
1696         (JSC::speculationFromClassInfo):
1697         (JSC::speculationFromJSType):
1698         (JSC::speculationFromString):
1699         * bytecode/SpeculatedType.h:
1700         * dfg/DFGAbstractInterpreterInlines.h:
1701         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1702         * dfg/DFGByteCodeParser.cpp:
1703         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1704         * dfg/DFGClobberize.h:
1705         (JSC::DFG::clobberize):
1706         * dfg/DFGDoesGC.cpp:
1707         (JSC::DFG::doesGC):
1708         * dfg/DFGFixupPhase.cpp:
1709         (JSC::DFG::FixupPhase::fixupNode):
1710         * dfg/DFGNode.h:
1711         (JSC::DFG::Node::hasHeapPrediction):
1712         (JSC::DFG::Node::dataViewData):
1713         * dfg/DFGNodeType.h:
1714         * dfg/DFGPredictionPropagationPhase.cpp:
1715         * dfg/DFGSafeToExecute.h:
1716         (JSC::DFG::SafeToExecuteEdge::operator()):
1717         (JSC::DFG::safeToExecute):
1718         * dfg/DFGSpeculativeJIT.cpp:
1719         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1720         (JSC::DFG::SpeculativeJIT::speculate):
1721         * dfg/DFGSpeculativeJIT.h:
1722         * dfg/DFGSpeculativeJIT32_64.cpp:
1723         (JSC::DFG::SpeculativeJIT::compile):
1724         * dfg/DFGSpeculativeJIT64.cpp:
1725         (JSC::DFG::SpeculativeJIT::compile):
1726         * dfg/DFGUseKind.cpp:
1727         (WTF::printInternal):
1728         * dfg/DFGUseKind.h:
1729         (JSC::DFG::typeFilterFor):
1730         (JSC::DFG::isCell):
1731         * ftl/FTLCapabilities.cpp:
1732         (JSC::FTL::canCompile):
1733         * ftl/FTLLowerDFGToB3.cpp:
1734         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1735         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1736         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1737         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1738         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1739         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1740         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1741         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1742         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1743         * runtime/Intrinsic.cpp:
1744         (JSC::intrinsicName):
1745         * runtime/Intrinsic.h:
1746         * runtime/JSDataViewPrototype.cpp:
1747
1748 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1749
1750         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1751         https://bugs.webkit.org/show_bug.cgi?id=181989
1752
1753         Reviewed by Michael Saboff.
1754
1755         This patch extends bulk matching style for fixed-sized characters.
1756         In a 64-bit environment, the GPR can hold up to 8 characters. This change
1757         reduces the code size since we can fuse multiple `mov` operations into one.
1758
1759         * assembler/LinkBuffer.h:
1760         * runtime/Options.h:
1761         * yarr/YarrJIT.cpp:
1762         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1763         (JSC::Yarr::YarrGenerator::compile):
1764
1765 2018-08-20  Devin Rousso  <drousso@apple.com>
1766
1767         Web Inspector: allow breakpoints to be set for specific event listeners
1768         https://bugs.webkit.org/show_bug.cgi?id=183138
1769
1770         Reviewed by Joseph Pecoraro.
1771
1772         * inspector/protocol/DOM.json:
1773         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1774         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1775         should have a breakpoint and pause before running.
1776
1777 2018-08-20  Mark Lam  <mark.lam@apple.com>
1778
1779         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1780         https://bugs.webkit.org/show_bug.cgi?id=188769
1781
1782         Reviewed by Michael Saboff.
1783
1784         * llint/LowLevelInterpreter.asm:
1785         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1786           so that libunwind doesn't get confused by the 2 labels pointing to the same
1787           code address.
1788
1789 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1790
1791         [GLIB] Add API to throw exceptions using printf formatted strings
1792         https://bugs.webkit.org/show_bug.cgi?id=188698
1793
1794         Reviewed by Michael Catanzaro.
1795
1796         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1797         JSCException using printf-formatted strings.
1798
1799         * API/glib/JSCContext.cpp:
1800         (jsc_context_throw_printf):
1801         (jsc_context_throw_with_name_printf):
1802         * API/glib/JSCContext.h:
1803         * API/glib/JSCException.cpp:
1804         (jsc_exception_new_printf):
1805         (jsc_exception_new_vprintf):
1806         (jsc_exception_new_with_name_printf):
1807         (jsc_exception_new_with_name_vprintf):
1808         * API/glib/JSCException.h:
1809         * API/glib/docs/jsc-glib-4.0-sections.txt:
1810
1811 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1812
1813         [GLIB] Complete the JSCException API
1814         https://bugs.webkit.org/show_bug.cgi?id=188695
1815
1816         Reviewed by Michael Catanzaro.
1817
1818         Add more API to JSCException:
1819          - New function to get the column number
1820          - New function to get the exception as a string (toString())
1821          - Add the possibility to create exceptions with a custom error name.
1822          - New function to get the exception error name
1823          - New function to get the exception backtrace.
1824          - New convenience function to report an exception by returning a formatted string with all the exception
1825            details, to be shown as a user error message.
1826
1827         * API/glib/JSCContext.cpp:
1828         (jsc_context_throw_with_name):
1829         * API/glib/JSCContext.h:
1830         * API/glib/JSCException.cpp:
1831         (jscExceptionEnsureProperties):
1832         (jsc_exception_new):
1833         (jsc_exception_new_with_name):
1834         (jsc_exception_get_name):
1835         (jsc_exception_get_column_number):
1836         (jsc_exception_get_back_trace_string):
1837         (jsc_exception_to_string):
1838         (jsc_exception_report):
1839         * API/glib/JSCException.h:
1840         * API/glib/docs/jsc-glib-4.0-sections.txt:
1841
1842 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1843
1844         Unreviewed, rolling out r234852.
1845         https://bugs.webkit.org/show_bug.cgi?id=188736
1846
1847         Workaround is not correct (Requested by yusukesuzuki on
1848         #webkit).
1849
1850         Reverted changeset:
1851
1852         "[JSC] Should not rotate constant with 64"
1853         https://bugs.webkit.org/show_bug.cgi?id=188556
1854         https://trac.webkit.org/changeset/234852
1855
1856 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1857
1858         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1859         https://bugs.webkit.org/show_bug.cgi?id=188716
1860
1861         Reviewed by Darin Adler.
1862
1863         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1864         The compiler can emit appropriate mov operations on x86 even if we use these
1865         helper functions.
1866
1867         * assembler/AssemblerBuffer.h:
1868         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1869         (JSC::AssemblerBuffer::putIntegral):
1870         (JSC::AssemblerBuffer::putIntegralUnchecked):
1871         * assembler/MacroAssemblerX86.h:
1872         (JSC::MacroAssemblerX86::readCallTarget):
1873         * assembler/X86Assembler.h:
1874         (JSC::X86Assembler::linkJump):
1875         (JSC::X86Assembler::readPointer):
1876         (JSC::X86Assembler::replaceWithHlt):
1877         (JSC::X86Assembler::replaceWithJump):
1878         (JSC::X86Assembler::setPointer):
1879         (JSC::X86Assembler::setInt32):
1880         (JSC::X86Assembler::setInt8):
1881         * interpreter/InterpreterInlines.h:
1882         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
1883
1884 2018-08-17  Saam barati  <sbarati@apple.com>
1885
1886         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1887         https://bugs.webkit.org/show_bug.cgi?id=188707
1888         <rdar://problem/43015442>
1889
1890         Reviewed by Mark Lam.
1891
1892         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1893         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1894         that each incoming value is compatible with its corresponding AbstractValue.
1895         
1896         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1897         with abstract values that were clobbered. This meant that the value we're
1898         verifying with at OSR entry effectively has an infinite structure set because
1899         it's clobbered. So, imagine we have code like this:
1900         ```
1901         ---> We OSR enter here, and we're clobbered here
1902         InvalidationPoint
1903         GetByOffset(@base)
1904         ```
1905         
1906         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1907         clobbered structure set, so we'd allow an incoming object with any
1908         structure. However, this is wrong because the invalidation point is no
1909         longer fulfilling its promise that it filters the structure that @base has.
1910         
1911         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1912         as if the incoming value may be live past an InvalidationPoint.
1913         This places a stricter requirement that to safely OSR enter at any basic
1914         block, all incoming values must be compatible as if they lived past
1915         the execution of an invalidation point.
1916
1917         * dfg/DFGCFAPhase.cpp:
1918         (JSC::DFG::CFAPhase::run):
1919
1920 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1921
1922         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1923         https://bugs.webkit.org/show_bug.cgi?id=188589
1924
1925         Reviewed by Mark Lam.
1926         And reviewed by Yusuke Suzuki for Hironori's change.
1927
1928         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1929         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1930
1931         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1932         - We make GPRReg and FPRReg int8_t enums.
1933         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1934         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1935           if `enum : int8_t` is used instead of `enum`.
1936
1937         * assembler/ARM64Assembler.h:
1938         * assembler/ARMAssembler.h:
1939         * assembler/ARMv7Assembler.h:
1940         * assembler/MIPSAssembler.h:
1941         * assembler/MacroAssembler.h:
1942         * assembler/X86Assembler.h:
1943         * jit/CCallHelpers.h:
1944         (JSC::CCallHelpers::clampArrayToSize):
1945         * jit/FPRInfo.h:
1946         * jit/GPRInfo.h:
1947         (JSC::JSValueRegs::JSValueRegs):
1948         (JSC::JSValueRegs::tagGPR const):
1949         (JSC::JSValueRegs::payloadGPR const):
1950         (JSC::JSValueSource::JSValueSource):
1951         (JSC::JSValueSource::unboxedCell):
1952         (JSC::JSValueSource::operator bool const):
1953         (JSC::JSValueSource::base const):
1954         (JSC::JSValueSource::tagGPR const):
1955         (JSC::JSValueSource::payloadGPR const):
1956         (JSC::JSValueSource::hasKnownTag const):
1957
1958 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1959
1960         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1961         https://bugs.webkit.org/show_bug.cgi?id=188686
1962
1963         Reviewed by Saam Barati.
1964
1965         RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
1966         for `alignof` for RegisterState.
1967
1968         * heap/RegisterState.h:
1969
1970 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1971
1972         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1973         https://bugs.webkit.org/show_bug.cgi?id=188571
1974
1975         Reviewed by Saam Barati.
1976
1977         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1978         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1979         without considering alignment of them. This patch adds DisjunctionContext::allocationSize
1980         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1981         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1982         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1983         than or equal to `sizeof(void*)` by `static_assert`.
1984
1985         * yarr/YarrInterpreter.cpp:
1986         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1987         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1988         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1989         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1990         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1991         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1992         (JSC::Yarr::Interpreter::Interpreter):
1993         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
1994
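The misalignment the entry above describes, as an added example that is not part of the ChangeLog or of JSC's code. A bump-pointer arena hands out consecutive byte ranges; if a context whose size is not a multiple of sizeof(void*) is carved out of it, the next context starts at an odd offset and every pointer-sized field in it is misaligned (which UBSan flags and which some architectures fault on). The names roundUpToPointerSize, BumpArena and MatchContext are assumed stand-ins, and the static_assert is the same check the entry adds: rounding to sizeof(void*) only helps when the type's alignment is no stricter than that.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Round a byte count up to a multiple of sizeof(void*). Assumed helper name.
static constexpr size_t roundUpToPointerSize(size_t size)
{
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

static inline bool isPointerAligned(const void* p)
{
    return reinterpret_cast<uintptr_t>(p) % sizeof(void*) == 0;
}

// Minimal bump-pointer arena (assumed; not WTF's BumpPointerAllocator). It
// hands out consecutive byte ranges from one pointer-aligned block and does
// not align requests itself, so callers must round their sizes.
class BumpArena {
public:
    explicit BumpArena(size_t capacityBytes)
        : m_storage((capacityBytes + sizeof(void*) - 1) / sizeof(void*))
        , m_offset(0)
    { }

    // Returns nullptr when exhausted rather than running past the block.
    void* alloc(size_t size)
    {
        size_t capacity = m_storage.size() * sizeof(void*);
        if (size > capacity - m_offset)
            return nullptr;
        void* result = reinterpret_cast<char*>(m_storage.data()) + m_offset;
        m_offset += size;
        return result;
    }

private:
    std::vector<void*> m_storage; // element type keeps data() pointer-aligned
    size_t m_offset;
};

// A context with a fixed header followed by a variable number of 16-bit
// slots, in the spirit of DisjunctionContext's trailing frame. Constructed
// for this example.
struct MatchContext {
    uint32_t term;
    uint32_t matchBegin;
    uint16_t slots[1]; // really `slotCount` entries, allocated past the struct

    // Size the old code would have requested: header plus payload, unrounded.
    static size_t unalignedAllocationSize(size_t slotCount)
    {
        return offsetof(MatchContext, slots) + slotCount * sizeof(uint16_t);
    }
    // Size rounded so the *next* allocation from the arena stays aligned.
    static size_t allocationSize(size_t slotCount)
    {
        return roundUpToPointerSize(unalignedAllocationSize(slotCount));
    }
};
static_assert(alignof(MatchContext) <= sizeof(void*),
    "pointer-size rounding cannot satisfy a stricter alignment");

// Allocate two contexts back to back and report whether the second one is
// aligned. With unrounded sizes the second lands at an odd offset.
static bool secondContextAligned(bool roundSizes)
{
    BumpArena arena(256);
    size_t size = roundSizes ? MatchContext::allocationSize(3)
                             : MatchContext::unalignedAllocationSize(3);
    void* first = arena.alloc(size);
    void* second = arena.alloc(size);
    return first && second && isPointerAligned(second);
}

int main()
{
    return (!secondContextAligned(false) && secondContextAligned(true)) ? 0 : 1;
}
```

Three slots give an unrounded size of 14 bytes, so without rounding the second context starts at offset 14 and its 32-bit fields are misaligned; with rounding it starts at 16.
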
1995 2018-08-15  Keith Miller  <keith_miller@apple.com>
1996
1997         Remove evernote hacks
1998         https://bugs.webkit.org/show_bug.cgi?id=188591
1999
2000         Reviewed by Joseph Pecoraro.
2001
2002         The hack was added in 2012 and the evernote app seems to work now.
2003         It's probably not needed anymore.
2004
2005         * API/JSValueRef.cpp:
2006         (JSValueUnprotect):
2007         (evernoteHackNeeded): Deleted.
2008
2009 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
2010
2011         Unreviewed, rolling out r234874 and r234876.
2012
2013         WinCairo port can't compile
2014
2015         Reverted changesets:
2016
2017         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
2018         https://bugs.webkit.org/show_bug.cgi?id=188589
2019         https://trac.webkit.org/changeset/234874
2020
2021         "Unreviewed, attempt to fix CLoop build"
2022         https://bugs.webkit.org/show_bug.cgi?id=188589
2023         https://trac.webkit.org/changeset/234876
2024
2025 2018-08-14  Saam barati  <sbarati@apple.com>
2026
2027         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
2028         https://bugs.webkit.org/show_bug.cgi?id=188582
2029
2030         Reviewed by Sam Weinig.
2031
2032         * runtime/SparseArrayValueMap.h:
2033
2034 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2035
2036         Unreviewed, attempt to fix CLoop build
2037         https://bugs.webkit.org/show_bug.cgi?id=188589
2038
2039         * assembler/MacroAssembler.h:
2040
2041 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2042
2043         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
2044         https://bugs.webkit.org/show_bug.cgi?id=188589
2045
2046         Reviewed by Mark Lam.
2047
2048         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
2049         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
2050
2051         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
2052         2. We make GPRReg and FPRReg int8_t enums.
2053         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
2054
2055         * assembler/ARM64Assembler.h:
2056         * assembler/ARMAssembler.h:
2057         * assembler/ARMv7Assembler.h:
2058         * assembler/MIPSAssembler.h:
2059         * assembler/X86Assembler.h:
2060         * jit/FPRInfo.h:
2061         * jit/GPRInfo.h:
2062         (JSC::JSValueRegs::JSValueRegs):
2063         (JSC::JSValueRegs::tagGPR const):
2064         (JSC::JSValueRegs::payloadGPR const):
2065         (JSC::JSValueSource::JSValueSource):
2066         (JSC::JSValueSource::unboxedCell):
2067         (JSC::JSValueSource::operator bool const):
2068         (JSC::JSValueSource::base const):
2069         (JSC::JSValueSource::tagGPR const):
2070         (JSC::JSValueSource::payloadGPR const):
2071         (JSC::JSValueSource::hasKnownTag const):
2072
2073 2018-08-14  Keith Miller  <keith_miller@apple.com>
2074
2075         Add missing availability macro.
2076         https://bugs.webkit.org/show_bug.cgi?id=188563
2077
2078         Reviewed by Mark Lam.
2079
2080         * API/JSValueRef.h:
2081
2082 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2083
2084         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
2085         https://bugs.webkit.org/show_bug.cgi?id=188560
2086
2087         Reviewed by Keith Miller.
2088
2089         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
2090         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
2091         uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
2092         `m_wasSeenInJIT { false }`.
2093
2094         * bytecode/GetByIdStatus.h:
2095
2096 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2097
2098         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
2099         https://bugs.webkit.org/show_bug.cgi?id=188557
2100
2101         Reviewed by Mark Lam.
2102
2103         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
2104         processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
2105         in UBSan's result.
2106
2107         * dfg/DFGPredictionPropagationPhase.cpp:
2108
2109 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2110
2111         [JSC] Should not rotate constant with 64
2112         https://bugs.webkit.org/show_bug.cgi?id=188556
2113
2114         Reviewed by Mark Lam.
2115
2116         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
2117         But if a seed becomes 64, the following code performs `value << 64` where value's type
2118         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed to the
2119         range [0, 64) so as not to generate code causing UBs. This is found by UBSan.
2120
2121         * assembler/MacroAssembler.h:
2122         (JSC::MacroAssembler::generateRotationSeed):
2123         (JSC::MacroAssembler::rotationBlindConstant):
2124
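Constant rotation blinding in the shape the entry above describes, as an added example that is not part of the ChangeLog or of JSC's MacroAssembler. The point of the defence is that an attacker-chosen 64-bit immediate (which could encode instruction bytes) never appears verbatim in JIT memory: the JIT emits the rotated value and code that rotates it back by a secret seed. A shift count of 64 is undefined behaviour for a 64-bit operand, so both the seed generator and the rotate helpers keep counts in [0, 64); rotationSeedFromRandom, rotateLeft64 and RotationBlindedConstant are assumed names and the hostile constant is constructed for the example.

```cpp
#include <cstdint>
#include <random>

// Rotate helpers. The counts are masked so that s == 0 never turns into
// `v >> 64`, which is undefined behaviour for uint64_t just as `v << 64` is.
static inline uint64_t rotateLeft64(uint64_t v, unsigned s)
{
    s &= 63;
    return (v << s) | (v >> ((64 - s) & 63));
}

static inline uint64_t rotateRight64(uint64_t v, unsigned s)
{
    s &= 63;
    return (v >> s) | (v << ((64 - s) & 63));
}

// Seed selection (assumed shape; the entry only requires the result to stay
// in [0, 64)). Reducing modulo 64 guarantees a valid shift count whatever
// the random source returns.
static inline unsigned rotationSeedFromRandom(uint64_t random)
{
    return static_cast<unsigned>(random % 64);
}

// What the JIT emits is `rotated`, never the attacker-chosen `value` itself;
// the emitted code rotates right by `seed` before using the constant, so the
// chosen byte pattern never appears verbatim in executable memory.
struct RotationBlindedConstant {
    uint64_t rotated;
    unsigned seed;
};

static inline RotationBlindedConstant blindConstant(uint64_t value, unsigned seed)
{
    return { rotateLeft64(value, seed), seed };
}

static inline uint64_t unblindConstant(const RotationBlindedConstant& c)
{
    return rotateRight64(c.rotated, c.seed);
}

int main()
{
    std::mt19937_64 rng(0x5eed);
    // Constructed example: an immediate that encodes x86 NOP/INT3 bytes an
    // attacker could aim to land in JIT memory.
    const uint64_t hostile = 0x90909090CCCCCCCCull;
    RotationBlindedConstant blinded = blindConstant(hostile, rotationSeedFromRandom(rng()));
    return unblindConstant(blinded) == hostile ? 0 : 1;
}
```

Note that a seed of 0 is legal but gives no blinding; the round trip still has to hold for it, which is why the helpers mask the complementary count instead of computing `v >> (64 - 0)`.
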
2125 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2126
2127         Disable JIT on IA-32 without SSE2
2128         https://bugs.webkit.org/show_bug.cgi?id=188476
2129
2130         Reviewed by Michael Catanzaro.
2131
2132         Including the missing header (MacroAssembler.h) on operating systems other
2133         than Windows too.
2134
2135         * runtime/Options.cpp:
2136
2137 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2138
2139         Disable JIT on IA-32 without SSE2
2140         https://bugs.webkit.org/show_bug.cgi?id=188476
2141
2142         Reviewed by Yusuke Suzuki.
2143
2144         On IA-32 CPUs without SSE2 most of the webpages cannot load
2145         if the JIT is turned on.
2146
2147         * runtime/Options.cpp:
2148         (JSC::recomputeDependentOptions):
2149
2150 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
2151
2152         Web Inspector: console.log fires getters for deep properties
2153         https://bugs.webkit.org/show_bug.cgi?id=187542
2154         <rdar://problem/42873158>
2155
2156         Reviewed by Saam Barati.
2157
2158         * inspector/InjectedScriptSource.js:
2159         (RemoteObject.prototype._isPreviewableObject):
2160         Avoid getters/setters when checking for simple properties to preview.
2161         Here we avoid invoking `object[property]` if it could be a user getter.
2162
2163 2018-08-10  Keith Miller  <keith_miller@apple.com>
2164
2165         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
2166         https://bugs.webkit.org/show_bug.cgi?id=185127
2167
2168         Reviewed by Saam Barati.
2169
2170         Previously, we would truncate the indices passed to slice to an
2171         int. This meant that the value was not getting properly clamped
2172         later.
2173
2174         This patch also removes a non-spec compliant check that slice was
2175         passed at least one argument.
2176
2177         * runtime/ArrayBuffer.cpp:
2178         (JSC::ArrayBuffer::clampValue):
2179         (JSC::ArrayBuffer::clampIndex const):
2180         (JSC::ArrayBuffer::slice const):
2181         * runtime/ArrayBuffer.h:
2182         (JSC::ArrayBuffer::clampValue): Deleted.
2183         (JSC::ArrayBuffer::clampIndex const): Deleted.
2184         * runtime/JSArrayBufferPrototype.cpp:
2185         (JSC::arrayBufferProtoFuncSlice):
2186
2187 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2188
2189         Date.UTC should not return NaN with only Year param
2190         https://bugs.webkit.org/show_bug.cgi?id=188378
2191
2192         Reviewed by Keith Miller.
2193
2194         Date.UTC requires one argument for |year|. But the other ones are optional.
2195         This patch fixes this handling.
2196
2197         * runtime/DateConstructor.cpp:
2198         (JSC::millisecondsFromComponents):
2199
2200 2018-08-08  Keith Miller  <keith_miller@apple.com>
2201
2202         Array.prototype.sort should call @toLength instead of ">>> 0"
2203         https://bugs.webkit.org/show_bug.cgi?id=188430
2204
2205         Reviewed by Saam Barati.
2206
2207         Also add a new function to $vm that will fetch a private
2208         property. This can be useful for running builtin helper functions.
2209
2210         * builtins/ArrayPrototype.js:
2211         (sort):
2212         * tools/JSDollarVM.cpp:
2213         (JSC::functionGetPrivateProperty):
2214         (JSC::JSDollarVM::finishCreation):
2215
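The two integer conversions behind the ArrayBuffer slice entry (2018-08-10) and the sort entry above, as one added example that is not part of the ChangeLog or of JSC. ToInt32/ToUint32 wrap modulo 2^32, so 2^32 becomes 0 and 2^32 + 5 becomes 5; ToLength clamps instead. Truncating a slice index to int before clamping is exactly the wrong order: the wrap happens first and the clamp then sees a harmless small number. The helper names are assumed, the conversions are written from the ECMAScript spec rather than copied from JSC, and clampIndexBuggy models the old behaviour as the entry describes it, not the old code itself.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>

// ECMAScript ToInt32 / ToUint32 / ToLength, written here from the spec text.
// Assumed helper names; these are not JSC's implementations.
static int32_t toInt32(double d)
{
    if (std::isnan(d) || std::isinf(d) || d == 0)
        return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0); // modulo 2^32
    if (m < 0)
        m += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(m)); // wraps on the top bit
}

static uint32_t toUint32(double d)
{
    return static_cast<uint32_t>(toInt32(d));
}

// ToLength never wraps: negatives clamp to 0, large values to 2^53 - 1.
static double toLength(double d)
{
    if (std::isnan(d))
        return 0;
    double len = std::trunc(d);
    if (len <= 0)
        return 0;
    const double maxSafeInteger = 9007199254740991.0;
    return std::min(len, maxSafeInteger);
}

// Relative index handling as ArrayBuffer.prototype.slice performs it:
// negative indices count from the end, and the result stays within [0, length].
// clampIndexBuggy models the behaviour the entry describes (truncate to int
// before clamping); clampIndex clamps the double first and converts last.
static unsigned clampIndexBuggy(double index, unsigned length)
{
    int32_t i = toInt32(index); // 2^32 becomes 0 here, before any clamping
    if (i < 0) {
        int64_t fromEnd = static_cast<int64_t>(i) + length;
        return fromEnd < 0 ? 0u : static_cast<unsigned>(fromEnd);
    }
    return static_cast<uint32_t>(i) > length ? length : static_cast<unsigned>(i);
}

static unsigned clampIndex(double index, unsigned length)
{
    double i = std::isnan(index) ? 0.0 : std::trunc(index);
    if (i < 0)
        i = std::max(0.0, i + length);
    else
        i = std::min(i, static_cast<double>(length));
    return static_cast<unsigned>(i);
}

// byteLength of buffer.slice(begin, end) for a buffer of `length` bytes.
static unsigned sliceByteLength(unsigned length, double begin, double end, bool fixed)
{
    unsigned first = fixed ? clampIndex(begin, length) : clampIndexBuggy(begin, length);
    unsigned last = fixed ? clampIndex(end, length) : clampIndexBuggy(end, length);
    return last > first ? last - first : 0;
}
```

For a 10-byte buffer, slice(0, 2**32) yields byteLength 0 with the truncate-first order and 10 with clamp-first; for sort, `length >>> 0` on an array-like of length 2**32 + 5 sorts 5 elements, while ToLength keeps the full length.
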
2216 2018-08-08  Keith Miller  <keith_miller@apple.com>
2217
2218         Array.prototype.sort should throw TypeError if param is a not callable object
2219         https://bugs.webkit.org/show_bug.cgi?id=188382
2220
2221         Reviewed by Saam Barati.
2222
2223         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
2224         before doing anything else.
2225
2226         Also, refactor the various helper functions to use let instead of var.
2227
2228         * builtins/ArrayPrototype.js:
2229         (sort.stringComparator):
2230         (sort.compactSparse):
2231         (sort.compactSlow):
2232         (sort.compact):
2233         (sort.merge):
2234         (sort.mergeSort):
2235         (sort.bucketSort):
2236         (sort.comparatorSort):
2237         (sort.stringSort):
2238         (sort):
2239
2240 2018-08-08  Michael Saboff  <msaboff@apple.com>
2241
2242         Yarr JIT should include annotations with dumpDisassembly=true
2243         https://bugs.webkit.org/show_bug.cgi?id=188415
2244
2245         Reviewed by Yusuke Suzuki.
2246
2247         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
2248         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
2249         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
2250         needs to do the same thing.
2251
2252         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
2253         out simple methods for what was needed by the YarrDisassembler.
2254
2255         Here is abbreviated sample output after this change.
2256
2257         Generated JIT code for 8-bit regular expression /ab*c/:
2258             Code at [0x469561c03720, 0x469561c03840):
2259                 0x469561c03720: push %rbp
2260                 0x469561c03721: mov %rsp, %rbp
2261                 ...
2262                 0x469561c03762: sub $0x40, %rsp
2263              == Matching ==
2264            0:OpBodyAlternativeBegin minimum size 2
2265                 0x469561c03766: add $0x2, %esi
2266                 0x469561c03769: cmp %edx, %esi
2267                 0x469561c0376b: ja 0x469561c037fa
2268            1:OpTerm TypePatternCharacter 'a'
2269                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
2270                 0x469561c03776: cmp $0x61, %eax
2271                 0x469561c03779: jnz 0x469561c037e9
2272            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2273                 0x469561c0377f: xor %r9d, %r9d
2274                 0x469561c03782: cmp %edx, %esi
2275                 0x469561c03784: jz 0x469561c037a2
2276                 ...
2277                 0x469561c0379d: jmp 0x469561c03782
2278                 0x469561c037a2: mov %r9, 0x8(%rsp)
2279            3:OpTerm TypePatternCharacter 'c'
2280                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
2281                 0x469561c037ac: cmp $0x63, %eax
2282                 0x469561c037af: jnz 0x469561c037d1
2283            4:OpBodyAlternativeEnd
2284                 0x469561c037b5: add $0x40, %rsp
2285                 ...
2286                 0x469561c037cf: pop %rbp
2287                 0x469561c037d0: ret
2288              == Backtracking ==
2289            4:OpBodyAlternativeEnd
2290            3:OpTerm TypePatternCharacter 'c'
2291            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2292                 0x469561c037d1: mov 0x8(%rsp), %r9
2293                 ...
2294                 0x469561c037e4: jmp 0x469561c037a2
2295            1:OpTerm TypePatternCharacter 'a'
2296            0:OpBodyAlternativeBegin minimum size 2
2297                 0x469561c037e9: mov %rsi, %rax
2298                 ...
2299                 0x469561c0382f: pop %rbp
2300                 0x469561c03830: ret
2301
2302         * JavaScriptCore.xcodeproj/project.pbxproj:
2303         * Sources.txt:
2304         * runtime/RegExp.cpp:
2305         (JSC::RegExp::compile):
2306         (JSC::RegExp::compileMatchOnly):
2307         * yarr/YarrDisassembler.cpp: Added.
2308         (JSC::Yarr::YarrDisassembler::indentString):
2309         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
2310         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
2311         (JSC::Yarr::YarrDisassembler::dump):
2312         (JSC::Yarr::YarrDisassembler::dumpHeader):
2313         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
2314         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
2315         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
2316         * yarr/YarrDisassembler.h: Added.
2317         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
2318         (JSC::Yarr::YarrDisassembler::setStartOfCode):
2319         (JSC::Yarr::YarrDisassembler::setForGenerate):
2320         (JSC::Yarr::YarrDisassembler::setForBacktrack):
2321         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
2322         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
2323         (JSC::Yarr::YarrDisassembler::setEndOfCode):
2324         (JSC::Yarr::YarrDisassembler::indentString):
2325         * yarr/YarrJIT.cpp:
2326         (JSC::Yarr::YarrGenerator::generate):
2327         (JSC::Yarr::YarrGenerator::backtrack):
2328         (JSC::Yarr::YarrGenerator::YarrGenerator):
2329         (JSC::Yarr::YarrGenerator::compile):
2330         (JSC::Yarr::jitCompile):
2331         * yarr/YarrJIT.h:
2332         * yarr/YarrPattern.cpp:
2333         (JSC::Yarr::dumpCharacterClass):
2334         (JSC::Yarr::PatternTerm::dump):
2335         (JSC::Yarr::YarrPattern::dumpPatternString):
2336         (JSC::Yarr::YarrPattern::dumpPattern):
2337         * yarr/YarrPattern.h:
2338
2339 2018-08-05  Darin Adler  <darin@apple.com>
2340
2341         [Cocoa] More tweaks and refactoring to prepare for ARC
2342         https://bugs.webkit.org/show_bug.cgi?id=188245
2343
2344         Reviewed by Dan Bernstein.
2345
2346         * API/JSValue.mm: Use __unsafe_unretained.
2347         (JSContainerConvertor::convert): Use auto for compatibility with the above.
2348         * API/JSWrapperMap.mm:
2349         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
2350         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
2351
2352         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
2353
2354 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2355
2356         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
2357         https://bugs.webkit.org/show_bug.cgi?id=188328
2358
2359         Reviewed by Saam Barati.
2360
2361         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
2362         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
2363         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
2364         as a member field.
2365
2366         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
2367         PropertyCondition::Kind into uint64_t data in 64bit architecture. Since our addresses
2368         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
2369         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
2370         folds a pointer and 1byte type into 64bit data.
2371
2372         This change shrinks PropertyCondition from 24bytes to 16bytes.
2373
2374         * bytecode/PropertyCondition.cpp:
2375         (JSC::PropertyCondition::dumpInContext const):
2376         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2377         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2378         (JSC::PropertyCondition::isStillValid const):
2379         (JSC::PropertyCondition::isWatchableWhenValid const):
2380         * bytecode/PropertyCondition.h:
2381         (JSC::PropertyCondition::PropertyCondition):
2382         (JSC::PropertyCondition::presenceWithoutBarrier):
2383         (JSC::PropertyCondition::absenceWithoutBarrier):
2384         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2385         (JSC::PropertyCondition::equivalenceWithoutBarrier):
2386         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2387         (JSC::PropertyCondition::operator bool const):
2388         (JSC::PropertyCondition::kind const):
2389         (JSC::PropertyCondition::uid const):
2390         (JSC::PropertyCondition::hasOffset const):
2391         (JSC::PropertyCondition::hasAttributes const):
2392         (JSC::PropertyCondition::hasPrototype const):
2393         (JSC::PropertyCondition::hasRequiredValue const):
2394         (JSC::PropertyCondition::hash const):
2395         (JSC::PropertyCondition::operator== const):
2396         (JSC::PropertyCondition::isHashTableDeletedValue const):
2397         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
2398
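The pointer/kind packing the entry above describes, as an added example that is not part of the ChangeLog or of WTF::CompactPointerTuple. It folds a pointer and a one-byte tag into one 64-bit word and shows the 24-to-16-byte shrink on a PropertyCondition-like struct. The caveat a practitioner wants is the check the packing rests on: it is only lossless while addresses really fit in 48 bits, so isPackablePointer refuses anything with high bits set (57-bit linear addresses, or pointers carrying ARM TBI/PAC tag bits, would otherwise corrupt the kind silently). PackedPointerAndType, Kind and the condition structs are assumed names; the Kind values are illustrative.

```cpp
#include <cassert>
#include <cstdint>

// Stand-in for PropertyCondition::Kind; the values are illustrative.
enum class Kind : uint8_t { Presence, Absence, AbsenceOfSetEffect, Equivalence, HasPrototype };

static constexpr uint64_t kPointerMask = (uint64_t(1) << 48) - 1;
static constexpr unsigned kTypeShift = 56; // the tag lives in the top byte

// True iff the address uses only its low 48 bits, so the packing is lossless.
// Keep this check: 57-bit linear addresses (5-level paging) or tagged
// pointers (ARM TBI, PAC) would otherwise overwrite the tag unnoticed.
static inline bool isPackablePointer(const void* p)
{
    return (reinterpret_cast<uintptr_t>(p) & ~kPointerMask) == 0;
}

// Assumed name; not WTF::CompactPointerTuple. Folds a 64-bit pointer and a
// one-byte type into a single 64-bit word.
template<typename PointerType, typename TypeType>
class PackedPointerAndType {
    static_assert(sizeof(PointerType) == 8, "64-bit pointers only");
    static_assert(sizeof(TypeType) == 1, "type must fit in one byte");
public:
    PackedPointerAndType() : m_data(0) { }
    PackedPointerAndType(PointerType pointer, TypeType type)
    {
        assert(isPackablePointer(pointer));
        m_data = (reinterpret_cast<uintptr_t>(pointer) & kPointerMask)
            | (uint64_t(static_cast<uint8_t>(type)) << kTypeShift);
    }
    PointerType pointer() const { return reinterpret_cast<PointerType>(m_data & kPointerMask); }
    TypeType type() const { return static_cast<TypeType>(static_cast<uint8_t>(m_data >> kTypeShift)); }
    uint64_t rawBits() const { return m_data; }
private:
    uint64_t m_data;
};

// The layout win the entry describes: uid pointer + kind + one word of payload.
struct UnpackedCondition {
    const char* uid;
    Kind kind;        // padded out to a full word
    uint64_t payload;
};
struct PackedCondition {
    PackedPointerAndType<const char*, Kind> uidAndKind;
    uint64_t payload;
};
static_assert(sizeof(PackedCondition) == 16, "pointer and kind share one word");

static PackedCondition makeCondition(const char* uid, Kind kind, uint64_t payload)
{
    return { PackedPointerAndType<const char*, Kind>(uid, kind), payload };
}
```

In release builds the assert disappears, so a caller that can receive foreign pointers should test isPackablePointer explicitly and fail loudly rather than store a corrupted tuple.
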
2399 2018-08-07  Mark Lam  <mark.lam@apple.com>
2400
2401         Use a more specific PtrTag for PlatformRegisters PC and LR.
2402         https://bugs.webkit.org/show_bug.cgi?id=188366
2403         <rdar://problem/42984123>
2404
2405         Reviewed by Keith Miller.
2406
2407         Also fixed a bug in linkRegister(), which was previously returning the PC instead
2408         of LR.  It now returns LR.
2409
2410         * runtime/JSCPtrTag.h:
2411         * runtime/MachineContext.h:
2412         (JSC::MachineContext::instructionPointer):
2413         (JSC::MachineContext::linkRegister):
2414         * runtime/VMTraps.cpp:
2415         (JSC::SignalContext::SignalContext):
2416         * tools/SigillCrashAnalyzer.cpp:
2417         (JSC::SignalContext::SignalContext):
2418
2419 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2420
2421         Hardcoded LFENCE instruction
2422         https://bugs.webkit.org/show_bug.cgi?id=188145
2423
2424         Reviewed by Filip Pizlo.
2425
2426         Remove lfence instruction because it is crashing systems without SSE2 and
2427         this is not how WebKit mitigates Spectre.
2428
2429         * runtime/JSLock.cpp:
2430         (JSC::JSLock::didAcquireLock):
2431         (JSC::JSLock::willReleaseLock):
2432
2433 2018-08-04  David Kilzer  <ddkilzer@apple.com>
2434
2435         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
2436         <https://webkit.org/b/188331>
2437
2438         Reviewed by Yusuke Suzuki.
2439
2440         * runtime/TemplateObjectDescriptor.h:
2441         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
2442         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
2443
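The use-after-move pattern behind the entry above, as an added example that is not part of the ChangeLog or of JSC's TemplateObjectDescriptor. The constructor moves the argument into the member and then hashes the argument, which after the move is valid but unspecified (empty with libstdc++, libc++ and MSVC), so every descriptor hashes like the empty list. The fixed constructor hashes the member that now owns the data. hashStrings and the two class names are assumed stand-ins; the strings in the usage are constructed.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Order-sensitive hash over a list of strings (assumed helper; not WTF's).
// Seeding with the count keeps the empty list distinct from most others.
static size_t hashStrings(const std::vector<std::string>& strings)
{
    size_t h = strings.size();
    for (const std::string& s : strings)
        h ^= std::hash<std::string>{}(s) + 0x9e3779b9u + (h << 6) + (h >> 2);
    return h;
}

// The regression pattern: the member is initialised by moving from
// `rawStrings`, and the hash is then taken from `rawStrings`, which after the
// move is valid but unspecified (empty with the major standard libraries).
// Every descriptor then hashes like the empty list, so a table keyed on the
// hash treats unrelated template objects as candidates for the same bucket.
class BuggyTemplateObjectDescriptor {
public:
    explicit BuggyTemplateObjectDescriptor(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(rawStrings)) // use-after-move: reads the moved-from argument
    { }
    size_t hash() const { return m_hash; }
private:
    std::vector<std::string> m_rawStrings; // declared first, so initialised first
    size_t m_hash;
};

// The fix: hash the member that now owns the strings.
class TemplateObjectDescriptor {
public:
    explicit TemplateObjectDescriptor(std::vector<std::string>&& rawStrings)
        : m_rawStrings(std::move(rawStrings))
        , m_hash(hashStrings(m_rawStrings))
    { }
    size_t hash() const { return m_hash; }
    const std::vector<std::string>& rawStrings() const { return m_rawStrings; }
private:
    std::vector<std::string> m_rawStrings;
    size_t m_hash;
};
```

The bug is invisible to the compiler because reading a moved-from object is not undefined behaviour; clang-tidy's bugprone-use-after-move check does flag the first constructor, and a unit test that compares the stored hash against a fresh hashStrings of the same input catches it at once.
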
2444 2018-08-03  Saam Barati  <sbarati@apple.com>
2445
2446         Give the `jsc` shell the JIT entitlement
2447         https://bugs.webkit.org/show_bug.cgi?id=188324
2448         <rdar://problem/42885806>
2449
2450         Reviewed by Dan Bernstein.
2451
2452         This should help us in ensuring the system jsc is able to JIT.
2453
2454         * Configurations/JSC.xcconfig:
2455         * JavaScriptCore.xcodeproj/project.pbxproj:
2456         * allow-jit-macOS.entitlements: Added.
2457
2458 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2459
2460         Fix spelling of "overridden"
2461         https://bugs.webkit.org/show_bug.cgi?id=188315
2462
2463         Reviewed by Darin Adler.
2464
2465         * API/JSExport.h:
2466         * inspector/InjectedScriptSource.js:
2467
2468 2018-08-02  Saam Barati  <sbarati@apple.com>
2469
2470         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2471         https://bugs.webkit.org/show_bug.cgi?id=188271
2472         <rdar://problem/42850884>
2473
2474         Reviewed by Michael Saboff.
2475
2476         This patch defends against the instructionPointer containing garbage bits.
2477         See radar for details.
2478
2479         * runtime/MachineContext.h:
2480         (JSC::MachineContext::instructionPointer):
2481         * runtime/SamplingProfiler.cpp:
2482         (JSC::SamplingProfiler::takeSample):
2483         * runtime/VMTraps.cpp:
2484         (JSC::SignalContext::SignalContext):
2485         (JSC::SignalContext::tryCreate):
2486         * tools/CodeProfiling.cpp:
2487         (JSC::profilingTimer):
2488         * tools/SigillCrashAnalyzer.cpp:
2489         (JSC::SignalContext::SignalContext):
2490         (JSC::SignalContext::tryCreate):
2491         (JSC::SignalContext::dump):
2492         (JSC::installCrashHandler):
2493         * wasm/WasmFaultSignalHandler.cpp:
2494         (JSC::Wasm::trapHandler):
2495
2496 2018-08-02  David Fenton  <david_fenton@apple.com>
2497
2498         Unreviewed, rolling out r234489.
2499
2500         Caused 50+ crashes and 60+ API failures on iOS
2501
2502         Reverted changeset:
2503
2504         "[WTF] Rename String::format to String::deprecatedFormat"
2505         https://bugs.webkit.org/show_bug.cgi?id=188191
2506         https://trac.webkit.org/changeset/234489
2507
2508 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2509
2510         Add self.queueMicrotask(f) on DOMWindow
2511         https://bugs.webkit.org/show_bug.cgi?id=188212
2512
2513         Reviewed by Ryosuke Niwa.
2514
2515         * CMakeLists.txt:
2516         * JavaScriptCore.xcodeproj/project.pbxproj:
2517         * Sources.txt:
2518         * runtime/JSGlobalObject.cpp:
2519         (JSC::enqueueJob):
2520         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2521         (JSC::createJSMicrotask):
2522         Export them to WebCore.
2523
2524         (JSC::JSMicrotask::run):
2525         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2526         Add another version of JSMicrotask which does not have arguments.
2527
2528 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2529
2530         [WTF] Rename String::format to String::deprecatedFormat
2531         https://bugs.webkit.org/show_bug.cgi?id=188191
2532
2533         Reviewed by Darin Adler.
2534
2535         It should be replaced with string concatenation.
2536
2537         * bytecode/CodeBlock.cpp:
2538         (JSC::CodeBlock::nameForRegister):
2539         * inspector/InjectedScriptBase.cpp:
2540         (Inspector::InjectedScriptBase::makeCall):
2541         * inspector/InspectorBackendDispatcher.cpp:
2542         (Inspector::BackendDispatcher::getPropertyValue):
2543         * inspector/agents/InspectorConsoleAgent.cpp:
2544         (Inspector::InspectorConsoleAgent::enable):
2545         (Inspector::InspectorConsoleAgent::stopTiming):
2546         * jsc.cpp:
2547         (FunctionJSCStackFunctor::operator() const):
2548         * parser/Lexer.cpp:
2549         (JSC::Lexer<T>::invalidCharacterMessage const):
2550         * runtime/IntlDateTimeFormat.cpp:
2551         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2552         * runtime/IntlObject.cpp:
2553         (JSC::canonicalizeLocaleList):
2554         * runtime/LiteralParser.cpp:
2555         (JSC::LiteralParser<CharType>::Lexer::lex):
2556         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2557         (JSC::LiteralParser<CharType>::parse):
2558         * runtime/LiteralParser.h:
2559         (JSC::LiteralParser::getErrorMessage):
2560
2561 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2562
2563         [INTL] Allow "unknown" formatToParts types
2564         https://bugs.webkit.org/show_bug.cgi?id=188176
2565
2566         Reviewed by Darin Adler.
2567
2568         Originally extra unexpected field types were marked as "literal", since
2569         the spec did not account for these. The ECMA 402 spec has since been updated
2570         to specify "unknown" should be used in these cases.
2571
2572         Currently there is no known way to reach these cases, so no tests can
2573         account for them. Theoretically they shouldn't exist, but they are specified,
2574         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2575         will make such cases easy to identify if they ever happen.
2576
2577         * runtime/IntlDateTimeFormat.cpp:
2578         (JSC::IntlDateTimeFormat::partTypeString):
2579         * runtime/IntlNumberFormat.cpp:
2580         (JSC::IntlNumberFormat::partTypeString):
2581
2582 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2583
2584         [INTL] Implement hourCycle in DateTimeFormat
2585         https://bugs.webkit.org/show_bug.cgi?id=188006
2586
2587         Reviewed by Darin Adler.
2588
2589         Implemented hourCycle, updating both the skeleton and the final pattern.
2590         Changed resolveLocale to assume undefined options are not given and null
2591         strings actually mean null, which removes the tag extension.
2592
2593         * runtime/CommonIdentifiers.h:
2594         * runtime/IntlCollator.cpp:
2595         (JSC::IntlCollator::initializeCollator):
2596         * runtime/IntlDateTimeFormat.cpp:
2597         (JSC::IntlDTFInternal::localeData):
2598         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2599         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2600         (JSC::IntlDateTimeFormat::resolvedOptions):
2601         * runtime/IntlDateTimeFormat.h:
2602         * runtime/IntlObject.cpp:
2603         (JSC::resolveLocale):
2604
2605 2018-08-01  Keith Miller  <keith_miller@apple.com>
2606
2607         JSArrayBuffer should have its own JSType
2608         https://bugs.webkit.org/show_bug.cgi?id=188231
2609
2610         Reviewed by Saam Barati.
2611
2612         * runtime/JSArrayBuffer.cpp:
2613         (JSC::JSArrayBuffer::createStructure):
2614         * runtime/JSCast.h:
2615         * runtime/JSType.h:
2616
2617 2018-07-31  Keith Miller  <keith_miller@apple.com>
2618
2619         Unreviewed 32-bit build fix...
2620
2621         * dfg/DFGSpeculativeJIT32_64.cpp:
2622
2623 2018-07-31  Keith Miller  <keith_miller@apple.com>
2624
2625         Long compiling JSC files should not be unified
2626         https://bugs.webkit.org/show_bug.cgi?id=188205
2627
2628         Reviewed by Saam Barati.
2629
2630         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2631         to compile. Unifying them means touching anything in the same
2632         bundle as those files takes a long time to incrementally build.
2633         This patch separates those files so they build standalone.
2634
2635         * JavaScriptCore.xcodeproj/project.pbxproj:
2636         * Sources.txt:
2637         * dfg/DFGSpeculativeJIT64.cpp:
2638
2639 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2640
2641         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2642         https://bugs.webkit.org/show_bug.cgi?id=188201
2643
2644         Reviewed by Keith Miller.
2645
2646         We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
2647         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2648         new one. So this cellLock() is unnecessary for contiguous shape since contiguous shaped butterfly
2649         never becomes broken state. This patch removes unnecessary locking.
2650
2651         * runtime/JSObject.cpp:
2652         (JSC::JSObject::visitButterflyImpl):
2653
2654 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2655
2656         [JSC] Remove gcc warnings for 32-bit platforms
2657         https://bugs.webkit.org/show_bug.cgi?id=187803
2658
2659         Reviewed by Yusuke Suzuki.
2660
2661         * assembler/MacroAssemblerPrinter.cpp:
2662         (JSC::Printer::printPCRegister):
2663         (JSC::Printer::printRegisterID):
2664         (JSC::Printer::printAddress):
2665         * dfg/DFGSpeculativeJIT.cpp:
2666         (JSC::DFG::SpeculativeJIT::speculateNumber):
2667         (JSC::DFG::SpeculativeJIT::speculateMisc):
2668         * jit/CCallHelpers.h:
2669         (JSC::CCallHelpers::calculatePokeOffset):
2670         * runtime/Options.cpp:
2671         (JSC::parse):
2672
2673 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2674
2675         watchOS engineering build is broken after r234227
2676         https://bugs.webkit.org/show_bug.cgi?id=188180
2677
2678         Reviewed by Keith Miller.
2679
2680         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2681         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2682         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2683         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2684
2685         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2686         entirely, since there's no relevant version to replace them with.
2687
2688         * postprocess-headers.sh:
2689
2690 2018-07-30  Keith Miller  <keith_miller@apple.com>
2691
2692         Clarify conversion rules for JSValue property access API
2693         https://bugs.webkit.org/show_bug.cgi?id=188179
2694
2695         Reviewed by Geoffrey Garen.
2696
2697         * API/JSValue.h:
2698
2699 2018-07-30  Keith Miller  <keith_miller@apple.com>
2700
2701         Rename some JSC API functions/types.
2702         https://bugs.webkit.org/show_bug.cgi?id=188173
2703
2704         Reviewed by Saam Barati.
2705
2706         * API/JSObjectRef.cpp:
2707         (JSObjectHasPropertyForKey):
2708         (JSObjectGetPropertyForKey):
2709         (JSObjectSetPropertyForKey):
2710         (JSObjectDeletePropertyForKey):
2711         (JSObjectHasPropertyKey): Deleted.
2712         (JSObjectGetPropertyKey): Deleted.
2713         (JSObjectSetPropertyKey): Deleted.
2714         (JSObjectDeletePropertyKey): Deleted.
2715         * API/JSObjectRef.h:
2716         * API/JSValue.h:
2717         * API/JSValue.mm:
2718         (-[JSValue valueForProperty:]):
2719         (-[JSValue setValue:forProperty:]):
2720         (-[JSValue deleteProperty:]):
2721         (-[JSValue hasProperty:]):
2722         (-[JSValue defineProperty:descriptor:]):
2723         * API/tests/testapi.cpp:
2724         (TestAPI::run):
2725
2726 2018-07-30  Mark Lam  <mark.lam@apple.com>
2727
2728         Add a debugging utility to dump the memory layout of a JSCell.
2729         https://bugs.webkit.org/show_bug.cgi?id=188157
2730
2731         Reviewed by Yusuke Suzuki.
2732
2733         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2734         dump the memory contents of a cell and if present, its butterfly for debugging
2735         purposes.
2736
2737         Example usage for JS code when JSC_useDollarVM=true:
2738
2739             $vm.dumpCell(obj);
2740
2741         Example usage from C++ code or from lldb: 
2742
2743             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2744
2745         Some examples of dumps:
2746
2747             <0x104bc8260, Object>
2748               [0] 0x104bc8260 : 0x010016000000016c header
2749                 structureID 364 0x16c structure 0x104b721b0
2750                 indexingTypeAndMisc 0 0x0 NonArray
2751                 type 22 0x16
2752                 flags 0 0x0
2753                 cellState 1
2754               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2755               [2] 0x104bc8270 : 0xffff000000000007
2756               [3] 0x104bc8278 : 0xffff000000000008
2757
2758             <0x104bb4360, Array>
2759               [0] 0x104bb4360 : 0x0108210b00000171 header
2760                 structureID 369 0x171 structure 0x104b723e0
2761                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2762                 type 33 0x21
2763                 flags 8 0x8
2764                 cellState 1
2765               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2766                 base 0x8000f46e0
2767                 hasIndexingHeader YES hasAnyArrayStorage YES
2768                 publicLength 4 vectorLength 7 indexBias 2
2769                 preCapacity 2 propertyCapacity 4
2770                   <--- preCapacity
2771                   [0] 0x8000f46e0 : 0x0000000000000000
2772                   [1] 0x8000f46e8 : 0x0000000000000000
2773                   <--- propertyCapacity
2774                   [2] 0x8000f46f0 : 0x0000000000000000
2775                   [3] 0x8000f46f8 : 0x0000000000000000
2776                   [4] 0x8000f4700 : 0xffff00000000000d
2777                   [5] 0x8000f4708 : 0xffff00000000000c
2778                   <--- indexingHeader
2779                   [6] 0x8000f4710 : 0x0000000700000004
2780                   <--- butterfly
2781                   <--- arrayStorage
2782                   [7] 0x8000f4718 : 0x0000000000000000
2783                   [8] 0x8000f4720 : 0x0000000400000002
2784                   <--- indexedProperties
2785                   [9] 0x8000f4728 : 0xffff000000000008
2786                   [10] 0x8000f4730 : 0xffff000000000009
2787                   [11] 0x8000f4738 : 0xffff000000000005
2788                   [12] 0x8000f4740 : 0xffff000000000006
2789                   [13] 0x8000f4748 : 0x0000000000000000
2790                   [14] 0x8000f4750 : 0x0000000000000000
2791                   [15] 0x8000f4758 : 0x0000000000000000
2792                   <--- unallocated capacity
2793                   [16] 0x8000f4760 : 0x0000000000000000
2794                   [17] 0x8000f4768 : 0x0000000000000000
2795                   [18] 0x8000f4770 : 0x0000000000000000
2796                   [19] 0x8000f4778 : 0x0000000000000000
2797
2798         * runtime/JSObject.h:
2799         * tools/JSDollarVM.cpp:
2800         (JSC::functionDumpCell):
2801         (JSC::JSDollarVM::finishCreation):
2802         * tools/VMInspector.cpp:
2803         (JSC::VMInspector::dumpCellMemory):
2804         (JSC::IndentationScope::IndentationScope):
2805         (JSC::IndentationScope::~IndentationScope):
2806         (JSC::VMInspector::dumpCellMemoryToStream):
2807         * tools/VMInspector.h:
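
The decoder below is an added example, not JSC's own code, that turns the raw words printed in the dumps above back into the fields the dump labels; the JSCell byte layout, the IndexingMode bit values and the int32 JSValue tag are assumed from the JSC source of this period rather than stated in the entry.

```cpp
// Added example (not JSC's own code): decode the 64-bit words printed by
// $vm.dumpCell() / VMInspector::dumpCellMemory(). Layout assumed from JSCell
// on 64-bit little-endian builds: bytes 0-3 structureID, byte 4
// indexingTypeAndMisc, byte 5 type, byte 6 flags, byte 7 cellState.
#include <cstdint>
#include <cstdio>
#include <string>

struct CellHeader {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

// Split the first word of a cell (labelled "header" in the dump) into fields.
CellHeader decodeCellHeader(uint64_t word)
{
    CellHeader h;
    h.structureID = static_cast<uint32_t>(word & 0xffffffffULL);
    h.indexingTypeAndMisc = static_cast<uint8_t>((word >> 32) & 0xff);
    h.type = static_cast<uint8_t>((word >> 40) & 0xff);
    h.flags = static_cast<uint8_t>((word >> 48) & 0xff);
    h.cellState = static_cast<uint8_t>((word >> 56) & 0xff);
    return h;
}

// IndexingMode bit values, assumed from runtime/IndexingType.h.
enum : uint8_t {
    IsArray = 0x01,
    IndexingShapeMask = 0x0E,
    UndecidedShape = 0x02,
    Int32Shape = 0x04,
    DoubleShape = 0x06,
    ContiguousShape = 0x08,
    ArrayStorageShape = 0x0A,
    SlowPutArrayStorageShape = 0x0C,
    CopyOnWrite = 0x10,
    IndexingModeMask = 0x1F,
};

// Name the mode the way the dump does ("NonArray", "ArrayWithArrayStorage").
// Bits above IndexingModeMask are the "misc" part of the byte and are ignored.
std::string indexingModeName(uint8_t indexingTypeAndMisc)
{
    uint8_t mode = indexingTypeAndMisc & IndexingModeMask;
    std::string name = (mode & CopyOnWrite) ? "CopyOnWrite" : "";
    name += (mode & IsArray) ? "Array" : "NonArray";
    switch (mode & IndexingShapeMask) {
    case UndecidedShape: return name + "WithUndecided";
    case Int32Shape: return name + "WithInt32";
    case DoubleShape: return name + "WithDouble";
    case ContiguousShape: return name + "WithContiguous";
    case ArrayStorageShape: return name + "WithArrayStorage";
    case SlowPutArrayStorageShape: return name + "WithSlowPutArrayStorage";
    default: return name; // NoIndexingShape
    }
}

struct IndexingHeader {
    uint32_t publicLength;
    uint32_t vectorLength;
};

// The word just before the butterfly pointer ("<--- indexingHeader"):
// publicLength in the low 32 bits, vectorLength in the high 32 bits.
IndexingHeader decodeIndexingHeader(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffULL),
             static_cast<uint32_t>(word >> 32) };
}

// 64-bit JSValue boxing (assumed from JSCJSValue.h): a word whose top 16 bits
// are 0xffff carries an int32 in its low 32 bits. Returns false otherwise.
bool decodeInt32Value(uint64_t word, int32_t& out)
{
    if ((word >> 48) != 0xffff)
        return false;
    out = static_cast<int32_t>(word & 0xffffffffULL);
    return true;
}

int main()
{
    // Words copied from the Array dump in the entry above.
    CellHeader h = decodeCellHeader(0x0108210b00000171ULL);
    std::printf("structureID %u indexingTypeAndMisc %u (%s) type %u flags %u cellState %u\n",
        h.structureID, unsigned(h.indexingTypeAndMisc),
        indexingModeName(h.indexingTypeAndMisc).c_str(),
        unsigned(h.type), unsigned(h.flags), unsigned(h.cellState));
    IndexingHeader ih = decodeIndexingHeader(0x0000000700000004ULL);
    std::printf("publicLength %u vectorLength %u\n", ih.publicLength, ih.vectorLength);
    int32_t v = 0;
    if (decodeInt32Value(0xffff000000000008ULL, v))
        std::printf("indexedProperties[0] = %d\n", v);
    return 0;
}
```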
2808
2809 2018-07-27  Mark Lam  <mark.lam@apple.com>
2810
2811         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2812         https://bugs.webkit.org/show_bug.cgi?id=188123
2813         <rdar://problem/42672268>
2814
2815         Reviewed by Keith Miller.
2816
2817         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2818            padding space in VM and Heap, and should not cost any measurable perf to
2819            initialize and update.
2820
2821         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2822
2823            worldState tells us the value we failed the assertion on.
2824
2825            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2826            that led us here.
2827
2828            VM::id(), and VM::numberOfIDs() tell us how many VMs may be in play.
2829
2830            VM::isEntered() tells us if the current VM is currently executing JS code.
2831
2832            Some of this data may be redundant, but the redundancy is intentional so that
2833            we can double check what is really happening at the time of crash.
2834
2835         * heap/Heap.cpp:
2836         (JSC::asInt):
2837         (JSC::Heap::checkConn):
2838         (JSC::Heap::changePhase):
2839         * heap/Heap.h:
2840         * runtime/VM.cpp:
2841         (JSC::VM::nextID):
2842         (JSC::VM::VM):
2843         * runtime/VM.h:
2844         (JSC::VM::numberOfIDs):
2845         (JSC::VM::id const):
2846         (JSC::VM::isEntered const):
2847
2848 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         [JSC] Record CoW status in ArrayProfile correctly
2851         https://bugs.webkit.org/show_bug.cgi?id=187949
2852
2853         Reviewed by Saam Barati.
2854
2855         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2856         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2857         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2858         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2859         Array::Generic DFG nodes.
2860
2861         * bytecode/ArrayProfile.h:
2862         (JSC::asArrayModes):
2863         (JSC::ArrayProfile::ArrayProfile):
2864         * dfg/DFGOSRExit.cpp:
2865         (JSC::DFG::OSRExit::compileExit):
2866         * ftl/FTLOSRExitCompiler.cpp:
2867         (JSC::FTL::compileStub):
2868         * runtime/IndexingType.h:
2869
2870 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2871
2872         [INTL] Remove INTL sub-feature compile flags
2873         https://bugs.webkit.org/show_bug.cgi?id=188081
2874
2875         Reviewed by Michael Catanzaro.
2876
2877         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2878         The runtime flags are still present, and should be relied on instead.
2879         The defines for ICU features have also been updated to match HAVE() style.
2880
2881         * Configurations/FeatureDefines.xcconfig:
2882         * runtime/IntlPluralRules.cpp:
2883         (JSC::IntlPluralRules::resolvedOptions):
2884         (JSC::IntlPluralRules::select):
2885         * runtime/IntlPluralRules.h:
2886         * runtime/Options.h:
2887
2888 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2889
2890         [JSC] Dump IndexingMode in Structure
2891         https://bugs.webkit.org/show_bug.cgi?id=188085
2892
2893         Reviewed by Keith Miller.
2894
2895         Dump IndexingMode instead of IndexingType.
2896
2897         * runtime/Structure.cpp:
2898         (JSC::Structure::dump const):
2899
2900 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2901
2902         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2903         https://bugs.webkit.org/show_bug.cgi?id=187963
2904
2905         Reviewed by Alex Christensen.
2906
2907         * inspector/InspectorBackendDispatcher.cpp:
2908         (Inspector::BackendDispatcher::dispatch):
2909         * jsc.cpp:
2910         (ModuleName::ModuleName):
2911         (resolvePath):
2912         * runtime/IntlObject.cpp:
2913         (JSC::canonicalizeLanguageTag):
2914         (JSC::removeUnicodeLocaleExtension):
2915         Update split/splitAllowingEmptyEntries usage.
2916
2917 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2918
2919         Unreviewed, rolling out r234181 and r234189.
2920         https://bugs.webkit.org/show_bug.cgi?id=188075
2921
2922         These are not needed right now (Requested by thorton on
2923         #webkit).
2924
2925         Reverted changesets:
2926
2927         "Enable Web Content Filtering on watchOS"
2928         https://bugs.webkit.org/show_bug.cgi?id=187979
2929         https://trac.webkit.org/changeset/234181
2930
2931         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2932         https://bugs.webkit.org/show_bug.cgi?id=187985
2933         https://trac.webkit.org/changeset/234189
2934
2935 2018-07-26  Mark Lam  <mark.lam@apple.com>
2936
2937         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2938         https://bugs.webkit.org/show_bug.cgi?id=188065
2939         <rdar://problem/42515726>
2940
2941         Reviewed by Saam Barati.
2942
2943         * runtime/ArrayPrototype.cpp:
2944         (JSC::clearElement):
2945         (JSC::copyElements):
2946         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2947
2948 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2949
2950         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2951         https://bugs.webkit.org/show_bug.cgi?id=167991
2952
2953         Reviewed by Michael Catanzaro.
2954
2955         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2956         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2957         no more cases where you might have an invalid locale come back from resolveLocale.
2958
2959         * runtime/IntlObject.cpp:
2960         (JSC::convertICULocaleToBCP47LanguageTag):
2961         (JSC::defaultLocale):
2962         (JSC::lookupMatcher):
2963         * runtime/IntlObject.h:
2964         * runtime/JSGlobalObject.cpp:
2965         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2966         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2967         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2968         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2969
2970 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2971
2972         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2973         https://bugs.webkit.org/show_bug.cgi?id=188040
2974
2975         Unreviewed build fix for AppleWin port.
2976
2977         * API/tests/testapi.c: Disabled warning C4204.
2978         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2979
2980 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2981
2982         [JSC API] We should support the symbol type in our C/Obj-C API
2983         https://bugs.webkit.org/show_bug.cgi?id=175836
2984
2985         Unreviewed build fix for Windows port.
2986
2987         r234227 introduced a compilation error, unresolved external symbol
2988         "int __cdecl testCAPIViaCpp(void)", in testapi for Windows ports.
2989
2990         Windows ports are compiling testapi.c as C++ by using the /TP switch.
2991
2992         * API/tests/testapi.c:
2993         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2994         (dllLauncherEntryPoint): Converted into C style.
2995         * shell/PlatformWin.cmake: Do not use the /TP switch for testapi.c
2996
2997 2018-07-25  Keith Miller  <keith_miller@apple.com>
2998
2999         [JSC API] We should support the symbol type in our C/Obj-C API
3000         https://bugs.webkit.org/show_bug.cgi?id=175836
3001
3002         Reviewed by Filip Pizlo.
3003
3004         This patch makes the following API additions:
3005         1) Test if a JSValue/JSValueRef is a symbol via any of the methods the API provides to test for the types of other JSValues.
3006         2) Create a symbol on both APIs.
3007         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
3008         4) Add Get/Set/Delete in the C API.
3009
3010         We can do 3 because it is both binary and source compatible with
3011         the existing API. I added (4) because the current property access
3012         APIs only have the ability to get Strings. It was possible to
3013         merge symbols into JSStringRef but that felt confusing and exposes
3014         implementation details of our engine. The new functions match the
3015         same meaning that they have in JS, thus should be forward
3016         compatible with any future language extensions.
3017
3018         Lastly, this patch adds the same availability preprocessing phase
3019         in WebCore to JavaScriptCore, which enables TBA features for
3020         testing on previous releases.
3021
3022         * API/APICast.h:
3023         * API/JSBasePrivate.h:
3024         * API/JSContext.h:
3025         * API/JSContextPrivate.h:
3026         * API/JSContextRef.h:
3027         * API/JSContextRefInternal.h:
3028         * API/JSContextRefPrivate.h:
3029         * API/JSManagedValue.h:
3030         * API/JSObjectRef.cpp:
3031         (JSObjectHasPropertyKey):
3032         (JSObjectGetPropertyKey):
3033         (JSObjectSetPropertyKey):
3034         (JSObjectDeletePropertyKey):
3035         * API/JSObjectRef.h:
3036         * API/JSRemoteInspector.h:
3037         * API/JSTypedArray.h:
3038         * API/JSValue.h:
3039         * API/JSValue.mm:
3040         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
3041         (performPropertyOperation):
3042         (-[JSValue valueForProperty:valueForProperty:]):
3043         (-[JSValue setValue:forProperty:setValue:forProperty:]):
3044         (-[JSValue deleteProperty:deleteProperty:]):
3045         (-[JSValue hasProperty:hasProperty:]):
3046         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
3047         (-[JSValue isSymbol]):
3048         (-[JSValue objectForKeyedSubscript:]):
3049         (-[JSValue setObject:forKeyedSubscript:]):
3050         (-[JSValue valueForProperty:]): Deleted.
3051         (-[JSValue setValue:forProperty:]): Deleted.
3052         (-[JSValue deleteProperty:]): Deleted.
3053         (-[JSValue hasProperty:]): Deleted.
3054         (-[JSValue defineProperty:descriptor:]): Deleted.
3055         * API/JSValueRef.cpp:
3056         (JSValueGetType):
3057         (JSValueIsSymbol):
3058         (JSValueMakeSymbol):
3059         * API/JSValueRef.h:
3060         * API/WebKitAvailability.h:
3061         * API/tests/CurrentThisInsideBlockGetterTest.mm:
3062         * API/tests/CustomGlobalObjectClassTest.c:
3063         * API/tests/DateTests.mm:
3064         * API/tests/JSExportTests.mm:
3065         * API/tests/JSNode.c:
3066         * API/tests/JSNodeList.c:
3067         * API/tests/Node.c:
3068         * API/tests/NodeList.c:
3069         * API/tests/minidom.c:
3070         * API/tests/testapi.c:
3071         (main):
3072         * API/tests/testapi.cpp: Added.
3073         (APIString::APIString):
3074         (APIString::~APIString):
3075         (APIString::operator JSStringRef):
3076         (APIContext::APIContext):
3077         (APIContext::~APIContext):
3078         (APIContext::operator JSGlobalContextRef):
3079         (APIVector::APIVector):
3080         (APIVector::~APIVector):
3081         (APIVector::append):
3082         (testCAPIViaCpp):
3083         (TestAPI::evaluateScript):
3084         (TestAPI::callFunction):
3085         (TestAPI::functionReturnsTrue):
3086         (TestAPI::check):
3087         (TestAPI::checkJSAndAPIMatch):
3088         (TestAPI::interestingObjects):
3089         (TestAPI::interestingKeys):
3090         (TestAPI::run):
3091         * API/tests/testapi.mm:
3092         (testObjectiveCAPIMain):
3093         * JavaScriptCore.xcodeproj/project.pbxproj:
3094         * config.h:
3095         * postprocess-headers.sh:
3096         * shell/CMakeLists.txt:
3097         * testmem/testmem.mm:
3098
3099 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3100
3101         [INTL] Call Typed Array elements toLocaleString with locale and options
3102         https://bugs.webkit.org/show_bug.cgi?id=185796
3103
3104         Reviewed by Keith Miller.
3105
3106         Improve ECMA 402 compliance of typed array toLocaleString, passing along
3107         the locale and options to element toLocaleString calls.
3108
3109         * builtins/TypedArrayPrototype.js:
3110         (toLocaleString):
3111
3112 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3113
3114         [INTL] Intl constructor lengths should be configurable
3115         https://bugs.webkit.org/show_bug.cgi?id=187960
3116
3117         Reviewed by Saam Barati.
3118
3119         Removed DontDelete from Intl constructor lengths.
3120         Fixed DateTimeFormat formatToParts length.
3121
3122         * runtime/IntlCollatorConstructor.cpp:
3123         (JSC::IntlCollatorConstructor::finishCreation):
3124         * runtime/IntlDateTimeFormatConstructor.cpp:
3125         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3126         * runtime/IntlDateTimeFormatPrototype.cpp:
3127         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3128         * runtime/IntlNumberFormatConstructor.cpp:
3129         (JSC::IntlNumberFormatConstructor::finishCreation):
3130         * runtime/IntlPluralRulesConstructor.cpp:
3131         (JSC::IntlPluralRulesConstructor::finishCreation):
3132
3133 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
3134
3135         runJITThreadLimitTests is failing
3136         https://bugs.webkit.org/show_bug.cgi?id=187886
3137         <rdar://problem/42561966>
3138
3139         Unreviewed build fix for MSVC.
3140
3141         MSVC doesn't support ternary operator without second operand.
3142
3143         * dfg/DFGWorklist.cpp:
3144         (JSC::DFG::getNumberOfDFGCompilerThreads):
3145         (JSC::DFG::getNumberOfFTLCompilerThreads):
3146
3147 2018-07-24  Commit Queue  <commit-queue@webkit.org>
3148
3149         Unreviewed, rolling out r234183.
3150         https://bugs.webkit.org/show_bug.cgi?id=187983
3151
3152         cause regression in Kraken gaussian blur and desaturate
3153         (Requested by yusukesuzuki on #webkit).
3154
3155         Reverted changeset:
3156
3157         "[JSC] Record CoW status in ArrayProfile"
3158         https://bugs.webkit.org/show_bug.cgi?id=187949
3159         https://trac.webkit.org/changeset/234183
3160
3161 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3162
3163         [JSC] Record CoW status in ArrayProfile
3164         https://bugs.webkit.org/show_bug.cgi?id=187949
3165
3166         Reviewed by Saam Barati.
3167
3168         Once a CoW array is converted to a non-CoW array, subsequent operations are done for this non-CoW array.
3169         Even though these operations are performed onto both CoW and non-CoW arrays in the code, array profiles
3170         in this code typically record only non-CoW arrays since array profiles hold only one StructureID recently
3171         seen. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
3172         CoW arrays.
3173
3174         In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
3175         speculation. To do so efficiently, we store the union of seen IndexingMode in ArrayProfile.
3176
3177         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reasons, and improves the performance by 6-7%.
3178
3179                                       baseline                  patched
3180
3181         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
3182         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
3183
3184         * bytecode/ArrayProfile.cpp:
3185         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3186         * bytecode/ArrayProfile.h:
3187         (JSC::asArrayModes):
3188         We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence.
3189
3190         (JSC::ArrayProfile::ArrayProfile):
3191         (JSC::ArrayProfile::addressOfObservedIndexingModes):
3192         (JSC::ArrayProfile::observedIndexingModes const):
3193         Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses.
3194         So we store the union of seen IndexingMode in an `unsigned` instead.
3195
3196         * dfg/DFGArrayMode.cpp:
3197         (JSC::DFG::ArrayMode::fromObserved):
3198         * dfg/DFGArrayMode.h:
3199         (JSC::DFG::ArrayMode::withProfile const):
3200         * jit/JITCall.cpp:
3201         (JSC::JIT::compileOpCall):
3202         * jit/JITCall32_64.cpp:
3203         (JSC::JIT::compileOpCall):
3204         * jit/JITInlines.h:
3205         (JSC::JIT::emitArrayProfilingSiteWithCell):
3206         * llint/LowLevelInterpreter.asm:
3207         * llint/LowLevelInterpreter32_64.asm:
3208         * llint/LowLevelInterpreter64.asm:
3209
3210 2018-07-24  Tim Horton  <timothy_horton@apple.com>
3211
3212         Enable Web Content Filtering on watchOS
3213         https://bugs.webkit.org/show_bug.cgi?id=187979
3214         <rdar://problem/42559346>
3215
3216         Reviewed by Wenson Hsieh.
3217
3218         * Configurations/FeatureDefines.xcconfig:
3219
3220 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
3221
3222         Don't modify Options when setting JIT thread limits
3223         https://bugs.webkit.org/show_bug.cgi?id=187886
3224
3225         Reviewed by Filip Pizlo.
3226
3227         Previously, when setting the JIT thread limit prior to the worklist
3228         initialization, it'd be set via Options, which didn't work if Options
3229         hadn't been initialized yet. Change it to use a static variable in the
3230         Worklist instead.
3231
3232         * API/JSVirtualMachine.mm:
3233         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3234         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3235         * API/tests/testapi.mm:
3236         (testObjectiveCAPIMain):
3237         * dfg/DFGWorklist.cpp:
3238         (JSC::DFG::getNumberOfDFGCompilerThreads):
3239         (JSC::DFG::getNumberOfFTLCompilerThreads):
3240         (JSC::DFG::setNumberOfDFGCompilerThreads):
3241         (JSC::DFG::setNumberOfFTLCompilerThreads):
3242         (JSC::DFG::ensureGlobalDFGWorklist):
3243         (JSC::DFG::ensureGlobalFTLWorklist):
3244         * dfg/DFGWorklist.h:
3245
3246 2018-07-24  Mark Lam  <mark.lam@apple.com>
3247
3248         Refactoring: make DFG::Plan a class.
3249         https://bugs.webkit.org/show_bug.cgi?id=187968
3250
3251         Reviewed by Saam Barati.
3252
3253         This patch makes all the DFG::Plan fields private, and provides accessor methods
3254         for them.  This makes it easier to reason about how these fields are used and
3255         modified.
3256
3257         * dfg/DFGAbstractInterpreterInlines.h:
3258         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3259         * dfg/DFGByteCodeParser.cpp:
3260         (JSC::DFG::ByteCodeParser::handleCall):
3261         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3262         (JSC::DFG::ByteCodeParser::handleInlining):
3263         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3264         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3265         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3266         (JSC::DFG::ByteCodeParser::handleGetById):
3267         (JSC::DFG::ByteCodeParser::handlePutById):
3268         (JSC::DFG::ByteCodeParser::parseBlock):
3269         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3270         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3271         (JSC::DFG::ByteCodeParser::parse):
3272         * dfg/DFGCFAPhase.cpp:
3273         (JSC::DFG::CFAPhase::run):
3274         (JSC::DFG::CFAPhase::injectOSR):
3275         * dfg/DFGClobberize.h:
3276         (JSC::DFG::clobberize):
3277         * dfg/DFGCommonData.cpp:
3278         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
3279         * dfg/DFGCommonData.h:
3280         * dfg/DFGConstantFoldingPhase.cpp:
3281         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3282         * dfg/DFGDriver.cpp:
3283         (JSC::DFG::compileImpl):
3284         * dfg/DFGFinalizer.h:
3285         * dfg/DFGFixupPhase.cpp:
3286         (JSC::DFG::FixupPhase::fixupNode):
3287         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
3288         * dfg/DFGGraph.cpp:
3289         (JSC::DFG::Graph::Graph):
3290         (JSC::DFG::Graph::watchCondition):
3291         (JSC::DFG::Graph::inferredTypeFor):
3292         (JSC::DFG::Graph::requiredRegisterCountForExit):
3293         (JSC::DFG::Graph::registerFrozenValues):
3294         (JSC::DFG::Graph::registerStructure):
3295         (JSC::DFG::Graph::registerAndWatchStructureTransition):
3296         (JSC::DFG::Graph::assertIsRegistered):
3297         * dfg/DFGGraph.h:
3298         (JSC::DFG::Graph::compilation):
3299         (JSC::DFG::Graph::identifiers):
3300         (JSC::DFG::Graph::watchpoints):
3301         * dfg/DFGJITCompiler.cpp:
3302         (JSC::DFG::JITCompiler::JITCompiler):
3303         (JSC::DFG::JITCompiler::link):
3304         (JSC::DFG::JITCompiler::compile):
3305         (JSC::DFG::JITCompiler::compileFunction):
3306         (JSC::DFG::JITCompiler::disassemble):
3307         * dfg/DFGJITCompiler.h:
3308         (JSC::DFG::JITCompiler::addWeakReference):
3309         * dfg/DFGJITFinalizer.cpp:
3310         (JSC::DFG::JITFinalizer::finalize):
3311         (JSC::DFG::JITFinalizer::finalizeFunction):
3312         (JSC::DFG::JITFinalizer::finalizeCommon):
3313         * dfg/DFGOSREntrypointCreationPhase.cpp:
3314         (JSC::DFG::OSREntrypointCreationPhase::run):
3315         * dfg/DFGPhase.cpp:
3316         (JSC::DFG::Phase::beginPhase):
3317         * dfg/DFGPhase.h:
3318         (JSC::DFG::runAndLog):
3319         * dfg/DFGPlan.cpp:
3320         (JSC::DFG::Plan::Plan):
3321         (JSC::DFG::Plan::computeCompileTimes const):
3322         (JSC::DFG::Plan::reportCompileTimes const):
3323         (JSC::DFG::Plan::compileInThread):
3324         (JSC::DFG::Plan::compileInThreadImpl):
3325         (JSC::DFG::Plan::isStillValid):
3326         (JSC::DFG::Plan::reallyAdd):
3327         (JSC::DFG::Plan::notifyCompiling):
3328         (JSC::DFG::Plan::notifyReady):
3329         (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
3330         (JSC::DFG::Plan::finalizeAndNotifyCallback):
3331         (JSC::DFG::Plan::key):
3332         (JSC::DFG::Plan::checkLivenessAndVisitChildren):
3333         (JSC::DFG::Plan::finalizeInGC):
3334         (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
3335         (JSC::DFG::Plan::cancel):
3336         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
3337         * dfg/DFGPlan.h:
3338         (JSC::DFG::Plan::canTierUpAndOSREnter const):
3339         (JSC::DFG::Plan::vm const):
3340         (JSC::DFG::Plan::codeBlock):
3341         (JSC::DFG::Plan::mode const):
3342         (JSC::DFG::Plan::osrEntryBytecodeIndex const):
3343         (JSC::DFG::Plan::mustHandleValues const):
3344         (JSC::DFG::Plan::threadData const):
3345         (JSC::DFG::Plan::compilation const):
3346         (JSC::DFG::Pl