99460871fe6907d271a4d0086f2354a858998bbd
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-09-06  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [WebAssembly] Optimize JS to Wasm call by removing Vector allocation
        https://bugs.webkit.org/show_bug.cgi?id=189353

        Reviewed by Mark Lam.

        A JS to Wasm call always allocates a Vector for the arguments. This is really costly if the wasm function is small.
        This patch adds an initial size parameter to the Vector to avoid allocations for small-sized arguments.

        * runtime/ArgList.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2018-08-31  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        [JSC] Clean up StructureStubClearingWatchpoint
        https://bugs.webkit.org/show_bug.cgi?id=189156

        Reviewed by Saam Barati.

        Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in a Bag
        in WatchpointsOnStructureStubInfo. This removes the hacky linked list code for StructureStubClearingWatchpoint.

        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
        (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted.
        (JSC::StructureStubClearingWatchpoint::push): Deleted.
        (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted.
        * bytecode/StructureStubClearingWatchpoint.h:
        (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):

2018-09-06  Michael Saboff  <msaboff@apple.com>

        Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
        https://bugs.webkit.org/show_bug.cgi?id=189380

        Reviewed by Saam Barati.

        Account for the case in Math.pow(NaN, y) where y could be 0.

        * bytecode/SpeculatedType.cpp:
        (JSC::typeOfDoublePow):

2018-09-06  Mark Lam  <mark.lam@apple.com>

        Gardening: only visit m_cachedStructureID if it's not null.
        https://bugs.webkit.org/show_bug.cgi?id=189124
        <rdar://problem/43863605>

        Not reviewed.

        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-06  Tomas Popela  <tpopela@redhat.com>

        [JSC] Build broken after r234975 on s390x, ppc64le, armv7hl
        https://bugs.webkit.org/show_bug.cgi?id=189078

        Reviewed by Mark Lam.

        Caused by the GCC bug - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70124.
        Using the ternary operator instead of std::max() fixes it.

        * heap/RegisterState.h:

2018-09-05  Mark Lam  <mark.lam@apple.com>

        JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
        https://bugs.webkit.org/show_bug.cgi?id=189124
        <rdar://problem/43863605>

        Reviewed by Filip Pizlo.

        It is assumed that the Structure for the m_cachedStructureID will remain alive
        while the m_cachedStructureID is in use.  This prevents the structureID from being
        re-used for a different Structure.

        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):

2018-09-05  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Symbol.prototype.description
        https://bugs.webkit.org/show_bug.cgi?id=186686

        Reviewed by Keith Miller.

        Symbol.prototype.description was implemented in r232404, but has one small bug:
        It should return undefined for a null symbol.

        * runtime/Symbol.cpp:
        (JSC::Symbol::description const):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoGetterDescription):
        Address the null symbol case.

2018-09-04  Keith Miller  <keith_miller@apple.com>

        RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
        https://bugs.webkit.org/show_bug.cgi?id=188917

        Reviewed by Mark Lam.

        Our allocators should be able to handle allocating a zero-sized object.
        Zero-sized objects will be allocated into the smallest size class.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassToIndex):
        (JSC::MarkedSpace::indexToSizeClass):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):

2018-09-05  Mark Lam  <mark.lam@apple.com>

        Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
        https://bugs.webkit.org/show_bug.cgi?id=189300
        <rdar://problem/39681779>

        Reviewed by Saam Barati.

        At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
        which points to an InlineCallFrame in the DFG::Plan's m_inlineCallFrames set.  The
        DeferredSourceDump is later used to dump source even if the compilation fails.
        This is intentional so that we can use this tool to see what source fails to
        compile as well.

        The DFG::Plan may have been destructed by then, and since the compilation failed,
        the InlineCallFrame is also destructed.  This means DeferredSourceDump::dump()
        may end up accessing freed memory.

        DeferredSourceDump doesn't really need a CodeOrigin.  All it wants is the caller
        bytecodeIndex for the call to an inlined function.  Hence, we can fix this issue
        by changing DeferredSourceDump to capture the caller bytecodeIndex instead.

        In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
        to be Strong references to ensure that the CodeBlocks are kept alive until they
        can be dumped.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
        * bytecode/DeferredSourceDump.cpp:
        (JSC::DeferredSourceDump::DeferredSourceDump):
        (JSC::DeferredSourceDump::dump):
        * bytecode/DeferredSourceDump.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2018-09-05  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project

        Found using `tidy-Xcode-project-file --missing` (see Bug
        188754).  Fix was made manually.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
        `name` and `path` values to file reference.

2018-09-05  Mark Lam  <mark.lam@apple.com>

        isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode.
        https://bugs.webkit.org/show_bug.cgi?id=189292
        <rdar://problem/38907433>

        Reviewed by Saam Barati.

        Previously, isAsyncGeneratorMethodParseMode() was checking for AsyncGeneratorWrapperFunctionMode
        instead of AsyncGeneratorWrapperMethodMode.  This patch fixes it
        to check for AsyncGeneratorWrapperMethodMode (to match what is expected as indicated
        in the name isAsyncGeneratorMethodParseMode).

        * parser/ParserModes.h:
        (JSC::isAsyncGeneratorMethodParseMode):

2018-09-04  Michael Saboff  <msaboff@apple.com>

        Unreviewed indentation change.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchBackreference):

2018-09-04  Michael Saboff  <msaboff@apple.com>

        JSC Build error when changing CPU type: offlineasm: No magic values found. Skipping assembly file generation
        https://bugs.webkit.org/show_bug.cgi?id=189274

        Reviewed by Saam Barati.

        Put the derived file LLIntDesiredOffsets.h in an architecture-specific subdirectory to make them unique.

        Somehow I got this change mixed up with the change for r235636.  The changes to JavaScriptCore.xcodeproj/project.pbxproj
        were landed there.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2018-09-04  Michael Saboff  <msaboff@apple.com>

        YARR: JIT RegExps with back references
        https://bugs.webkit.org/show_bug.cgi?id=180874

        Reviewed by Filip Pizlo.

        Implemented JIT'ed back references for all counted types.  The only type of back references
        not handled in the JIT are 16bit matches that ignore case.  Such support would require the
        canonicalization that is currently handled in the Yarr interpreter via a C function call.
        The back reference processing for surrogate pairs is implemented by individually comparing
        each surrogate a la memcmp.

        Added a generated canonicalization table for the LChar (8bit) domain to process case
        ignored back references.

        Added macro assembler load16(ExtendedAddress) for indexed access to the canonicalization table.

        Added a new JIT failure reason for forward references, as the check to JIT expressions with
        forward references was handled synonymously with those containing back references.

        This change is only enabled for 64 bit platforms.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load16):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load16):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * yarr/YarrCanonicalize.h:
        * yarr/YarrCanonicalizeUCS2.cpp:
        * yarr/YarrCanonicalizeUCS2.js:
        (set characters.hex.set string_appeared_here):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::checkNotEnoughInput):
        (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates):
        (JSC::Yarr::YarrGenerator::matchBackreference):
        (JSC::Yarr::YarrGenerator::generateBackReference):
        (JSC::Yarr::YarrGenerator::backtrackBackReference):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::dumpCompileFailure):
        * yarr/YarrJIT.h:
        * yarr/YarrPattern.h:
        (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
        (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):

2018-09-04  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell print, printErr, and debug functions more robust.
        https://bugs.webkit.org/show_bug.cgi?id=189268
        <rdar://problem/41192690>

        Reviewed by Keith Miller.

        We'll now check for UTF8 conversion errors.

        * jsc.cpp:
        (cStringFromViewWithString):
        (printInternal):
        (functionDebug):

2018-09-04  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE][GTK] Add more unused result warnings to JSC API
        https://bugs.webkit.org/show_bug.cgi?id=189243

        Reviewed by Carlos Garcia Campos.

        The jsc_context_evaluate() family of functions has a (transfer full) return value, but the
        caller may be tempted to not inspect it if uninterested in the return value. This would be
        an error, because it must be freed.

        * API/glib/JSCContext.h:

2018-09-03  Mark Lam  <mark.lam@apple.com>

        The watchdog sometimes fails to terminate a script.
        https://bugs.webkit.org/show_bug.cgi?id=189227
        <rdar://problem/39932857>

        Reviewed by Saam Barati.

        Consider the following scenario:

        1. We have an infinite loop bytecode sequence as follows:

            [  13] loop_hint
            [  14] check_traps
            [  15] jmp               -2(->13)

        2. The VM tiers up from LLInt -> BaselineJIT -> DFG -> FTL.

           Note that op_check_traps is represented as a CheckTraps node in the DFG and FTL.
           When we're not using pollingTraps (JSC_usePollingTraps is false by default),
           we emit no code for CheckTraps, but only record an InvalidationPoint there.

        3. The watchdog fires, and invalidates all InvalidationPoints in the FTL CodeBlock.

           InvalidationPoints OSR exit to the next instruction by design.  In this case,
           that means the VM will resume executing at the op_jmp, which jumps to the
           op_loop_hint opcode.  At the loop_hint, the VM discovers that the function is
           already hot, and attempts to tier up.  It immediately discovers that a replacement
           CodeBlock is available because we still haven't jettisoned the DFG CodeBlock
           nor the FTL CodeBlock that was previously compiled for this function.

           Note that jettisoning a CodeBlock necessarily means the VM will invalidate
           its InvalidationPoints (if the CodeBlock is DFG/FTL).  However, the reverse
           is not true: merely invalidating the InvalidationPoints does not necessarily
           mean that the CodeBlock is jettisoned.

           VMTraps::tryInstallTrapBreakpoints() runs from a separate thread.  Hence,
           it is only safe for it to invalidate a CodeBlock's InvalidationPoints.  It
           is not safe for the CodeBlock to be jettisoned from another thread.  Instead,
           the VMTraps mechanism relies on the script thread running to an op_check_traps
           in the baseline JIT code where it will do the necessary jettisoning of optimized
           CodeBlocks.

        Since the op_check_traps never gets executed, the VM will perpetually tier up in
        the op_loop_hint, OSR exit to the op_jmp, jump to the op_loop_hint, and repeat.
        Consequently, the watchdog fails to terminate this script.

        In this patch, we fix this by making the DFG BytecodeParser emit an InvalidationPoint
        node directly (when the VM is not configured to use polling traps).  This ensures
        that the check traps invalidation point will OSR exit to the op_check_traps opcode
        in the baseline JIT.

        In this patch, we also change VMTraps::tryInstallTrapBreakpoints() to use
        CallFrame::unsafeCodeBlock() instead of CallFrame::codeBlock().  This is because
        we don't really know if the frame is properly set up.  We're just conservatively
        probing the stack.  ASAN does not like this probing.  Using unsafeCodeBlock() here
        will suppress the false positive ASAN complaint.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):

2018-09-03  Mark Lam  <mark.lam@apple.com>

        CallFrame::unsafeCallee() should use an ASAN suppressed Register::asanUnsafePointer().
        https://bugs.webkit.org/show_bug.cgi?id=189247

        Reviewed by Saam Barati.

        * interpreter/CallFrame.h:
        (JSC::ExecState::unsafeCallee const):
        * interpreter/Register.h:
        (JSC::Register::asanUnsafePointer const):
        (JSC::Register::unsafePayload const):

2018-09-02  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Implement Object.fromEntries
        https://bugs.webkit.org/show_bug.cgi?id=188481

        Reviewed by Darin Adler.

        Object.fromEntries becomes stage 3 [1]. This patch implements it by using builtin JS.

        [1]: https://tc39.github.io/proposal-object-from-entries/

        * builtins/ObjectConstructor.js:
        (fromEntries):
        * runtime/ObjectConstructor.cpp:

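The Object.fromEntries entry above says the feature is implemented as a builtin written in JS. The following is an added, self-contained sketch of the same algorithm as the proposal specifies it (not JSC's builtins/ObjectConstructor.js): iterate the argument, require each entry to be an object, read slots "0" and "1", and define an own data property on a fresh object. Two details matter for anyone auditing object-construction paths: a "__proto__" entry becomes an own property instead of rewriting the prototype, and a malformed entry closes the iterator before the error propagates.

```javascript
// Added example, not JSC's builtin: a spec-shaped Object.fromEntries.
function fromEntries(iterable) {
  if (iterable === undefined || iterable === null) {
    throw new TypeError("Object.fromEntries requires an iterable");
  }
  const iteratorMethod = iterable[Symbol.iterator];
  if (typeof iteratorMethod !== "function") {
    throw new TypeError("argument is not iterable");
  }
  const iterator = iteratorMethod.call(iterable);
  const obj = {};
  for (;;) {
    // IteratorStep: the result must itself be an object.
    const next = iterator.next();
    if (Object(next) !== next) {
      throw new TypeError("iterator result is not an object");
    }
    if (next.done) return obj;
    const entry = next.value;
    try {
      if (Object(entry) !== entry) {
        throw new TypeError("iterator value is not an entry object");
      }
      const key = entry[0];
      const value = entry[1];
      // CreateDataPropertyOrThrow: an own, writable, enumerable, configurable
      // data property. defineProperty performs ToPropertyKey on `key` and
      // bypasses inherited setters, so "__proto__" never reaches the
      // Object.prototype.__proto__ accessor.
      Object.defineProperty(obj, key, {
        value, writable: true, enumerable: true, configurable: true,
      });
    } catch (e) {
      // IteratorClose: let the iterator release resources; the original
      // error still wins over anything return() throws.
      const ret = iterator.return;
      if (typeof ret === "function") {
        try { ret.call(iterator); } catch (_) { /* ignored by spec */ }
      }
      throw e;
    }
  }
}
```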
2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        Function object should convert params to string before throwing a parsing error
        https://bugs.webkit.org/show_bug.cgi?id=188874

        Reviewed by Darin Adler.

        The ToString operation on the `body` of the Function constructor should be performed
        before checking the syntax correctness of the parameters.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

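The ordering described in the entry above is observable from script, which is how a conformance test for it would be written. This added probe (not part of the WebKit patch) gives the Function constructor a parameter list that cannot parse together with a body whose toString throws; under the spec's CreateDynamicFunction every argument is stringified before anything is parsed, so the body's TypeError is what surfaces, never a SyntaxError.

```javascript
// Added example, not from the WebKit patch: record the order in which the
// Function constructor converts its arguments and reports errors.
function probeFunctionConstructorOrder() {
  const events = [];
  const param = {
    toString() {
      events.push("param ToString");
      return "}"; // not a valid parameter list
    },
  };
  const body = {
    toString() {
      events.push("body ToString");
      throw new TypeError("body refused to stringify");
    },
  };
  try {
    Function(param, body);
    events.push("no error");
  } catch (e) {
    // Spec order: param ToString, body ToString, then parsing. The body's
    // TypeError is thrown before the parser ever sees the bad parameter list.
    events.push(e.constructor.name);
  }
  return events;
}
```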
2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in constructJSWebAssemblyCompileError().
        https://bugs.webkit.org/show_bug.cgi?id=189185
        <rdar://problem/39786007>

        Reviewed by Michael Saboff.

        Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
        inadvertently overwrite a pre-existing exception (if present).

        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Gardening: ARMv7 build fix.
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Not reviewed.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::patchableBranch8):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Fix exception check accounting in JSDataView::defineOwnProperty().
        https://bugs.webkit.org/show_bug.cgi?id=189186
        <rdar://problem/39786049>

        Reviewed by Michael Saboff.

        * runtime/JSDataView.cpp:
        (JSC::JSDataView::defineOwnProperty):

2018-08-31  Mark Lam  <mark.lam@apple.com>

        Add missing exception check in arrayProtoFuncLastIndexOf().
        https://bugs.webkit.org/show_bug.cgi?id=189184
        <rdar://problem/39785959>

        Reviewed by Yusuke Suzuki.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):

2018-08-31  Saam barati  <sbarati@apple.com>

        convertToRegExpMatchFastGlobal must use KnownString as the child use kind
        https://bugs.webkit.org/show_bug.cgi?id=189173
        <rdar://problem/43501645>

        Reviewed by Michael Saboff.

        We were crashing during validation because mayExit returned true
        at a point in the program when we weren't allowed to exit.

        The issue is in StrengthReduction: we end up emitting code that
        had a StringUse on an edge after a node that did side effects and before
        an ExitOK/bytecode number transition. However, StrengthReduction did the
        right thing here and also emitted the type checks before the node with
        side effects. It just did bad bookkeeping. The node we convert to needs
        to use KnownStringUse instead of StringUse for the child edge.

        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
        (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
        (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
        (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
        * dfg/DFGNode.h:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2018-08-30  Saam barati  <sbarati@apple.com>

        Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
        https://bugs.webkit.org/show_bug.cgi?id=189166

        Reviewed by Mark Lam.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/GetterSetterAccessCase.cpp:
        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
        * bytecode/InlineAccess.cpp:
        (JSC::getScratchRegister):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::valueRegs const):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):

2018-08-30  Saam barati  <sbarati@apple.com>

        InlineAccess should do StringLength
        https://bugs.webkit.org/show_bug.cgi?id=158911

        Reviewed by Yusuke Suzuki.

        This patch extends InlineAccess to support StringLength. This patch also
        fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
        I forgot to implement this for ArrayLength in the initial InlineAccess
        implementation.  Supporting StringLength is a natural extension of the
        InlineAccess machinery.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::patchableBranch8):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::getScratchRegister):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        (JSC::InlineAccess::generateSelfInAccess):
        (JSC::InlineAccess::generateStringLength):
        * bytecode/InlineAccess.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initStringLength):
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::aboutToDie):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::baseGPR const):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2018-08-30  Saam barati  <sbarati@apple.com>

        CSE DataViewGet* DFG nodes
        https://bugs.webkit.org/show_bug.cgi?id=188768

        Reviewed by Yusuke Suzuki.

        This patch makes it so that we CSE DataViewGet* accesses. To do this,
        I needed to add a third descriptor to HeapLocation to represent the
        isLittleEndian child. This patch is neutral on compile time benchmarks,
        and is a 50% speedup on a trivial CSE microbenchmark that I added.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        (JSC::DFG::HeapLocation::HeapLocation):
        (JSC::DFG::HeapLocation::hash const):
        (JSC::DFG::HeapLocation::operator== const):
        (JSC::DFG::indexedPropertyLocForResultType):

2018-08-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>

        output of toString() of Generator is wrong
        https://bugs.webkit.org/show_bug.cgi?id=188952

        Reviewed by Saam Barati.

        Function#toString does not respect generator and async generator.
        This patch fixes them and supports all the function types.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):

2018-08-29  Mark Lam  <mark.lam@apple.com>

        Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
        https://bugs.webkit.org/show_bug.cgi?id=189132
        <rdar://problem/42513068>

        Reviewed by Saam Barati.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):

2018-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r235432 and r235436.
        https://bugs.webkit.org/show_bug.cgi?id=189086

        Is a Swift source breaking change. (Requested by keith_miller
        on #webkit).

        Reverted changesets:

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235432

        "Add nullablity attributes to JSValue"
        https://bugs.webkit.org/show_bug.cgi?id=189047
        https://trac.webkit.org/changeset/235436

2018-08-28  Mark Lam  <mark.lam@apple.com>

        Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
        https://bugs.webkit.org/show_bug.cgi?id=189059
        <rdar://problem/40335354>

        Reviewed by Saam Barati.

        1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
        2. Added $vm.dumpRegisters().

            Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame.
            Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame.

           Note: Currently, $vm.dumpRegisters() only dumps registers in the physical frame.
           It will treat inlined frames' content as registers in the bounding physical frame.

           Here's an example of such a dump on a DFG frame:

                Register frame:

                -----------------------------------------------------------------------------
                            use            |   address  |                value
                -----------------------------------------------------------------------------
                [r 12 arguments[  7]]      | 0x7ffeefbfd330 | 0xa                Undefined
                [r 11 arguments[  6]]      | 0x7ffeefbfd328 | 0x10bbb3e80        Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76
                [r 10 arguments[  5]]      | 0x7ffeefbfd320 | 0xa                Undefined
                [r  9 arguments[  4]]      | 0x7ffeefbfd318 | 0xa                Undefined
                [r  8 arguments[  3]]      | 0x7ffeefbfd310 | 0xa                Undefined
                [r  7 arguments[  2]]      | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594
                [r  6 arguments[  1]]      | 0x7ffeefbfd300 | 0x10bbd00f0        Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160
                [r  5           this]      | 0x7ffeefbfd2f8 | 0x10bbe0000        Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474
                -----------------------------------------------------------------------------
                [ArgumentCount]            | 0x7ffeefbfd2f0 | 7
                [ReturnVPC]                | 0x7ffeefbfd2f0 | 164 (line 57)
                [Callee]                   | 0x7ffeefbfd2e8 | 0x10bb68db0        Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65
                [CodeBlock]                | 0x7ffeefbfd2e0 | 0x10bb2f8e0        __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253]
                [ReturnPC]                 | 0x7ffeefbfd2d8 | 0x10064d14c
                [CallerFrame]              | 0x7ffeefbfd2d0 | 0x7ffeefbfd380
                -----------------------------------------------------------------------------
                [r -1  CalleeSaveReg]      | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2
                [r -2  CalleeSaveReg]      | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0
                [r -3  CalleeSaveReg]      | 0x7ffeefbfd2b8 | 0x10baf1608
                [r -4               ]      | 0x7ffeefbfd2b0 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -5               ]      | 0x7ffeefbfd2a8 | 0x10bbcc000        Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59
                [r -6               ]      | 0x7ffeefbfd2a0 | 0xa                Undefined
                -----------------------------------------------------------------------------
                [r -7]                     | 0x7ffeefbfd298 | 0x10bb6fdc0        String (atomic) (identifier): length, StructureID: 4
                [r -8]                     | 0x7ffeefbfd290 | 0x10bbb7ec0        Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99
                [r -9]                     | 0x7ffeefbfd288 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
                [r-10]                     | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4
657                 [r-11]                     | 0x7ffeefbfd278 | 0x10bbb4290        Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306
658                 [r-12]                     | 0x7ffeefbfd270 | 0x100000001        
659                 [r-13]                     | 0x7ffeefbfd268 | 0x10bbc33f0        Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69
660                 [r-14]                     | 0x7ffeefbfd260 | 0x0                
661                 [r-15]                     | 0x7ffeefbfd258 | 0x10064d14c        
662                 [r-16]                     | 0x7ffeefbfd250 | 0x7ffeefbfd2d0     
663                 [r-17]                     | 0x7ffeefbfd248 | 0x67ec87ee177      INVALID
664                 [r-18]                     | 0x7ffeefbfd240 | 0x7ffeefbfd250     
665                 -----------------------------------------------------------------------------
666
667         3. Removed dumpCallFrame() from the jsc shell.  We have the following tools that
668            we can use in its place:
669
670             $vm.dumpCallFrame()
671             $vm.dumpBytecodeFor()
672             $vm.dumpRegisters()     // Just added in this patch.
673
674         4. Also fixed a bug in BytecodeDumper: it should access
675            CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false.
676
677         * bytecode/BytecodeDumper.cpp:
678         (JSC::BytecodeDumper<Block>::printCallOp):
679         * interpreter/Interpreter.cpp:
680         (JSC::Interpreter::dumpCallFrame): Deleted.
681         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted.
682         (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted.
683         (JSC::Interpreter::dumpRegisters): Deleted.
684         * interpreter/Interpreter.h:
685         * jsc.cpp:
686         (GlobalObject::finishCreation):
687         (functionDumpCallFrame): Deleted.
688         * tools/JSDollarVM.cpp:
689         (JSC::functionDumpRegisters):
690         (JSC::JSDollarVM::finishCreation):
691         * tools/VMInspector.cpp:
692         (JSC::VMInspector::dumpRegisters):
693         * tools/VMInspector.h:
694
695 2018-08-28  Keith Miller  <keith_miller@apple.com>
696
697         Add nullability attributes to JSValue
698         https://bugs.webkit.org/show_bug.cgi?id=189047
699
700         Reviewed by Dan Bernstein.
701
702         Switch to using NS_ASSUME_NONNULL_BEGIN/END.
703
704         * API/JSValue.h:
705
706 2018-08-28  Keith Miller  <keith_miller@apple.com>
707
708         Add nullability attributes to JSValue
709         https://bugs.webkit.org/show_bug.cgi?id=189047
710
711         Reviewed by Geoffrey Garen.
712
713         * API/JSValue.h:
714
715 2018-08-27  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
716
717         [WebAssembly] Parse wasm modules in a streaming fashion
718         https://bugs.webkit.org/show_bug.cgi?id=188943
719
720         Reviewed by Mark Lam.
721
722         This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion.
723         Currently, this StreamingParser is not enabled and integrated. In subsequent patches,
724         we start integrating it into BBQPlan and dropping the old ModuleParser.
725
726         * JavaScriptCore.xcodeproj/project.pbxproj:
727         * Sources.txt:
728         * tools/JSDollarVM.cpp:
729         (WTF::WasmStreamingParser::WasmStreamingParser):
730         (WTF::WasmStreamingParser::create):
731         (WTF::WasmStreamingParser::createStructure):
732         (WTF::WasmStreamingParser::streamingParser):
733         (WTF::WasmStreamingParser::finishCreation):
734         (WTF::functionWasmStreamingParserAddBytes):
735         (WTF::functionWasmStreamingParserFinalize):
736         (JSC::functionCreateWasmStreamingParser):
737         (JSC::JSDollarVM::finishCreation):
738         The $vm Wasm::StreamingParser object is introduced for testing purposes. The added stress test uses
739         this interface to test the streaming parser in the JSC shell.
740
741         * wasm/WasmBBQPlan.cpp:
742         (JSC::Wasm::BBQPlan::BBQPlan):
743         (JSC::Wasm::BBQPlan::parseAndValidateModule):
744         (JSC::Wasm::BBQPlan::prepare):
745         (JSC::Wasm::BBQPlan::compileFunctions):
746         (JSC::Wasm::BBQPlan::complete):
747         (JSC::Wasm::BBQPlan::work):
748         * wasm/WasmBBQPlan.h:
749         BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary.
750         In subsequent patches, we will remove this, and stream the data into the BBQPlan.
751
752         * wasm/WasmFormat.h:
753         * wasm/WasmModuleInformation.cpp:
754         (JSC::Wasm::ModuleInformation::ModuleInformation):
755         * wasm/WasmModuleInformation.h:
756         One of the largest changes in this patch is that ModuleInformation no longer holds source bytes,
757         since source bytes can be added in a streaming fashion. Instead of holding all the source bytes
758         in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have
759         Vector<uint8_t> for its data. This data is eventually filled by StreamingParser, and compiling
760         a function with this data can be done concurrently with StreamingParser.
761
762         (JSC::Wasm::ModuleInformation::create):
763         (JSC::Wasm::ModuleInformation::memoryCount const):
764         (JSC::Wasm::ModuleInformation::tableCount const):
765         memoryCount and tableCount should be recorded in ModuleInformation.
766
767         * wasm/WasmModuleParser.cpp:
768         (JSC::Wasm::ModuleParser::parse):
769         (JSC::Wasm::makeI32InitExpr): Deleted.
770         (JSC::Wasm::ModuleParser::parseType): Deleted.
771         (JSC::Wasm::ModuleParser::parseImport): Deleted.
772         (JSC::Wasm::ModuleParser::parseFunction): Deleted.
773         (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted.
774         (JSC::Wasm::ModuleParser::parseTableHelper): Deleted.
775         (JSC::Wasm::ModuleParser::parseTable): Deleted.
776         (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted.
777         (JSC::Wasm::ModuleParser::parseMemory): Deleted.
778         (JSC::Wasm::ModuleParser::parseGlobal): Deleted.
779         (JSC::Wasm::ModuleParser::parseExport): Deleted.
780         (JSC::Wasm::ModuleParser::parseStart): Deleted.
781         (JSC::Wasm::ModuleParser::parseElement): Deleted.
782         (JSC::Wasm::ModuleParser::parseCode): Deleted.
783         (JSC::Wasm::ModuleParser::parseInitExpr): Deleted.
784         (JSC::Wasm::ModuleParser::parseGlobalType): Deleted.
785         (JSC::Wasm::ModuleParser::parseData): Deleted.
786         (JSC::Wasm::ModuleParser::parseCustom): Deleted.
787         Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it.
788         SectionParser is also used by StreamingParser.
789
790         * wasm/WasmModuleParser.h:
791         (): Deleted.
792         * wasm/WasmNameSection.h:
793         (JSC::Wasm::NameSection::NameSection):
794         (JSC::Wasm::NameSection::create):
795         (JSC::Wasm::NameSection::setHash):
796         Hash calculation is deferred since all the source is not available in streaming parsing.
797
798         * wasm/WasmNameSectionParser.cpp:
799         (JSC::Wasm::NameSectionParser::parse):
800         * wasm/WasmNameSectionParser.h:
801         Use Ref<NameSection>.
802
803         * wasm/WasmOMGPlan.cpp:
804         (JSC::Wasm::OMGPlan::work):
805         Wasm::Plan no longer has m_source since data will be eventually filled in a streaming fashion.
806         OMGPlan can get data of the function by using ModuleInformation::functions.
807
808         * wasm/WasmParser.h:
809         (JSC::Wasm::Parser::source const):
810         (JSC::Wasm::Parser::length const):
811         (JSC::Wasm::Parser::offset const):
812         (JSC::Wasm::Parser::fail const):
813         (JSC::Wasm::makeI32InitExpr):
814         * wasm/WasmPlan.cpp:
815         (JSC::Wasm::Plan::Plan):
816         Wasm::Plan should not have all the source a priori. Streamed data will be pumped from the provider.
817
818         * wasm/WasmPlan.h:
819         * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp.
820         SectionParser is extracted from ModuleParser, and it is used by both the old (currently working)
821         ModuleParser and the new StreamingParser.
822
823         (JSC::Wasm::SectionParser::parseType):
824         (JSC::Wasm::SectionParser::parseImport):
825         (JSC::Wasm::SectionParser::parseFunction):
826         (JSC::Wasm::SectionParser::parseResizableLimits):
827         (JSC::Wasm::SectionParser::parseTableHelper):
828         (JSC::Wasm::SectionParser::parseTable):
829         (JSC::Wasm::SectionParser::parseMemoryHelper):
830         (JSC::Wasm::SectionParser::parseMemory):
831         (JSC::Wasm::SectionParser::parseGlobal):
832         (JSC::Wasm::SectionParser::parseExport):
833         (JSC::Wasm::SectionParser::parseStart):
834         (JSC::Wasm::SectionParser::parseElement):
835         (JSC::Wasm::SectionParser::parseCode):
836         (JSC::Wasm::SectionParser::parseInitExpr):
837         (JSC::Wasm::SectionParser::parseGlobalType):
838         (JSC::Wasm::SectionParser::parseData):
839         (JSC::Wasm::SectionParser::parseCustom):
840         * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h.
841         * wasm/WasmStreamingParser.cpp: Added.
842         (JSC::Wasm::parseUInt7):
843         (JSC::Wasm::StreamingParser::fail):
844         (JSC::Wasm::StreamingParser::StreamingParser):
845         (JSC::Wasm::StreamingParser::parseModuleHeader):
846         (JSC::Wasm::StreamingParser::parseSectionID):
847         (JSC::Wasm::StreamingParser::parseSectionSize):
848         (JSC::Wasm::StreamingParser::parseCodeSectionSize):
849         Code section in Wasm binary is specially handled compared with the other sections since it includes
850         a bunch of functions. StreamingParser extracts each function in a streaming fashion and enables
851         streaming validation / compilation of Wasm functions.
852
853         (JSC::Wasm::StreamingParser::parseFunctionSize):
854         (JSC::Wasm::StreamingParser::parseFunctionPayload):
855         (JSC::Wasm::StreamingParser::parseSectionPayload):
856         (JSC::Wasm::StreamingParser::consume):
857         (JSC::Wasm::StreamingParser::consumeVarUInt32):
858         (JSC::Wasm::StreamingParser::addBytes):
859         (JSC::Wasm::StreamingParser::failOnState):
860         (JSC::Wasm::StreamingParser::finalize):
861         * wasm/WasmStreamingParser.h: Added.
862         (JSC::Wasm::StreamingParser::addBytes):
863         (JSC::Wasm::StreamingParser::errorMessage const):
864         This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and
865         StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls
866         StreamingParser::addBytes() to pump the bytes stream into the parser. And once all the data is pumped,
867         the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the
868         incoming byte stream.
869
870         * wasm/js/JSWebAssemblyModule.cpp:
871         (JSC::JSWebAssemblyModule::source const): Deleted.
872         All the source should not be held.
873
874         * wasm/js/JSWebAssemblyModule.h:
875         * wasm/js/WebAssemblyPrototype.cpp:
876         (JSC::webAssemblyValidateFunc):
877
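An added example of the streaming design this entry describes; it is not JavaScriptCore's StreamingParser, and the class, function and state names (WasmStreamingParser, WasmSection, parseInChunks, sampleModule) are this example's own. It parses the outer structure of a wasm binary one byte at a time: the 8-byte module header, then for each section a uint7 id, a LEB128 varuint32 payload size and the payload, with the stream delivered in arbitrarily sized chunks through addBytes() and completeness checked in finalize(). The sample module bytes are constructed for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct WasmSection { // one parsed section: id byte plus raw payload
    uint8_t id;
    std::vector<uint8_t> payload;
};

class WasmStreamingParser {
public:
    enum class State { ModuleHeader, SectionID, SectionSize, SectionPayload, Finished, Failed };
    // Pump one chunk of the stream in. Returns false once the stream is rejected; failure is sticky.
    bool addBytes(const uint8_t* data, size_t length)
    {
        for (size_t i = 0; i < length; ++i)
            if (!consume(data[i]))
                return false;
        return true;
    }
    // End of stream: legal only after the header and on a section boundary.
    bool finalize()
    {
        if (m_state != State::SectionID)
            return m_state == State::Failed ? false : fail("stream ended inside the header or a section");
        m_state = State::Finished;
        return true;
    }
    const std::vector<WasmSection>& sections() const { return m_sections; }
    const std::string& errorMessage() const { return m_error; } // empty unless the stream was rejected

private:
    bool fail(const char* message) { m_state = State::Failed; m_error = message; return false; }

    bool consume(uint8_t byte) // the state machine proper: one byte per call
    {
        switch (m_state) {
        case State::ModuleHeader: {
            static const uint8_t expected[8] = { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00 }; // "\0asm", version 1
            if (byte != expected[m_headerBytes])
                return fail("bad magic number or unsupported version");
            if (++m_headerBytes == 8)
                m_state = State::SectionID;
            return true;
        }
        case State::SectionID:
            if (byte & 0x80)
                return fail("section id is not a uint7");
            m_current = WasmSection { byte, {} };
            m_sizeValue = m_sizeShift = 0;
            m_state = State::SectionSize;
            return true;
        case State::SectionSize: // LEB128 varuint32: at most 5 bytes, and the 5th may carry only 4 bits
            if (m_sizeShift == 28 && (byte & 0x70))
                return fail("section size does not fit in 32 bits");
            m_sizeValue |= static_cast<uint32_t>(byte & 0x7f) << m_sizeShift;
            m_sizeShift += 7;
            if (byte & 0x80)
                return m_sizeShift < 35 || fail("varuint32 longer than 5 bytes");
            m_remaining = m_sizeValue;
            m_state = m_remaining ? State::SectionPayload : State::SectionID;
            if (!m_remaining)
                m_sections.push_back(m_current); // an empty section is complete already
            return true;
        case State::SectionPayload:
            m_current.payload.push_back(byte);
            if (--m_remaining == 0) {
                m_sections.push_back(m_current);
                m_state = State::SectionID;
            }
            return true;
        default: // Finished or Failed: nothing more is accepted, and a failure keeps its first message
            return m_state == State::Failed ? false : fail("bytes added after finalize()");
        }
    }

    State m_state { State::ModuleHeader };
    size_t m_headerBytes { 0 };
    WasmSection m_current {};
    uint32_t m_sizeValue { 0 }, m_remaining { 0 };
    unsigned m_sizeShift { 0 };
    std::vector<WasmSection> m_sections;
    std::string m_error;
};

// Deliver a whole module in fixed-size chunks, as a network stream would, then finalize.
bool parseInChunks(WasmStreamingParser& parser, const std::vector<uint8_t>& bytes, size_t chunkSize)
{
    for (size_t offset = 0; offset < bytes.size(); offset += chunkSize)
        if (!parser.addBytes(bytes.data() + offset, std::min(chunkSize, bytes.size() - offset)))
            return false;
    return parser.finalize();
}

// Constructed sample (not a real module from anywhere): one () -> () function with an empty body.
std::vector<uint8_t> sampleModule()
{
    return { 0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // header
             0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: id 1, 4 bytes
             0x03, 0x02, 0x01, 0x00,                         // function section: id 3, 2 bytes
             0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b };           // code section: id 10, 4 bytes
}
```

The size decoder rejects a sixth continuation byte and any bits above 32 in the fifth byte before the value is used as a byte count, which is the check a parser fed from the network needs before a decoded size drives a loop or an allocation. Failure is sticky: once addBytes() has rejected a chunk, later chunks cannot move the parser back into a good state, and finalize() rejects a stream that stops inside the header or a section instead of treating the partial section as complete.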
878 2018-08-27  Mark Lam  <mark.lam@apple.com>
879
880         Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names.
881         https://bugs.webkit.org/show_bug.cgi?id=188577
882         <rdar://problem/42985684>
883
884         Reviewed by Saam Barati.
885
886         1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current
887            (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame.
888
889            The StackOverflowFrame is a sentinel frame that the low level code (exception
890            throwing code, stack visitor, and stack unwinding code) will know to skip
891            over.  The StackOverflowFrame will also have a valid JSCallee so that client
892            code can compute the globalObject or VM from this frame.
893
894            As a result, client code that throws StackOverflowErrors no longer needs to
895            compute the caller frame to throw from: it just converts the top frame into
896            a StackOverflowFrame and everything should *Just Work*.
897
898         2. NativeCallFrameTracerWithRestore is now obsolete.
899
900            Instead, client code should always call convertToStackOverflowFrame() on the
901            frame before instantiating a NativeCallFrameTracer with it.
902
903            This means that topCallFrame will always point to the top CallFrame (which
904            may be a StackOverflowFrame), and topEntryFrame will always point to the top
905            EntryFrame.  We'll never temporarily point them to the previous EntryFrame
906            (which we used to do with NativeCallFrameTracerWithRestore).
907
908         3. genericUnwind() and Interpreter::unwind() will now always unwind from the top
909            CallFrame, and will know how to handle a StackOverflowFrame if they see one.
910
911            This obsoletes the UnwindStart flag.
912
913         * CMakeLists.txt:
914         * JavaScriptCore.xcodeproj/project.pbxproj:
915         * Sources.txt:
916         * debugger/Debugger.cpp:
917         (JSC::Debugger::pauseIfNeeded):
918         * interpreter/CallFrame.cpp:
919         (JSC::CallFrame::callerFrame const):
920         (JSC::CallFrame::unsafeCallerFrame const):
921         (JSC::CallFrame::convertToStackOverflowFrame):
922         (JSC::CallFrame::callerFrame): Deleted.
923         (JSC::CallFrame::unsafeCallerFrame): Deleted.
924         * interpreter/CallFrame.h:
925         (JSC::ExecState::iterate):
926         * interpreter/CallFrameInlines.h: Added.
927         (JSC::CallFrame::isStackOverflowFrame const):
928         (JSC::CallFrame::isWasmFrame const):
929         * interpreter/EntryFrame.h: Added.
930         (JSC::EntryFrame::vmEntryRecordOffset):
931         (JSC::EntryFrame::calleeSaveRegistersBufferOffset):
932         * interpreter/FrameTracers.h:
933         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted.
934         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted.
935         * interpreter/Interpreter.cpp:
936         (JSC::Interpreter::unwind):
937         * interpreter/Interpreter.h:
938         * interpreter/StackVisitor.cpp:
939         (JSC::StackVisitor::StackVisitor):
940         * interpreter/StackVisitor.h:
941         (JSC::StackVisitor::visit):
942         (JSC::StackVisitor::topEntryFrameIsEmpty const):
943         * interpreter/VMEntryRecord.h:
944         (JSC::VMEntryRecord::callee const):
945         (JSC::EntryFrame::vmEntryRecordOffset): Deleted.
946         (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted.
947         * jit/AssemblyHelpers.h:
948         * jit/JITExceptions.cpp:
949         (JSC::genericUnwind):
950         * jit/JITExceptions.h:
951         * jit/JITOperations.cpp:
952         * llint/LLIntOffsetsExtractor.cpp:
953         * llint/LLIntSlowPaths.cpp:
954         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
955         * llint/LowLevelInterpreter.asm:
956         * llint/LowLevelInterpreter32_64.asm:
957         * llint/LowLevelInterpreter64.asm:
958         * runtime/CallData.cpp:
959         * runtime/CommonSlowPaths.cpp:
960         (JSC::throwArityCheckStackOverflowError):
961         (JSC::SLOW_PATH_DECL):
962         * runtime/CommonSlowPathsExceptions.cpp: Removed.
963         * runtime/CommonSlowPathsExceptions.h: Removed.
964         * runtime/Completion.cpp:
965         (JSC::evaluateWithScopeExtension):
966         * runtime/JSGeneratorFunction.h:
967         * runtime/JSGlobalObject.cpp:
968         (JSC::JSGlobalObject::init):
969         (JSC::JSGlobalObject::visitChildren):
970         * runtime/JSGlobalObject.h:
971         (JSC::JSGlobalObject::stackOverflowFrameCallee const):
972         * runtime/VM.cpp:
973         (JSC::VM::throwException):
974         * runtime/VM.h:
975         * runtime/VMInlines.h:
976         (JSC::VM::topJSCallFrame const):
977
978 2018-08-27  Keith Rollin  <krollin@apple.com>
979
980         Unreviewed build fix -- disable LTO for production builds
981
982         * Configurations/Base.xcconfig:
983
984 2018-08-27  Aditya Keerthi  <akeerthi@apple.com>
985
986         Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER
987         https://bugs.webkit.org/show_bug.cgi?id=188931
988
989         Reviewed by Wenson Hsieh.
990
991         * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER.
992
993 2018-08-27  Devin Rousso  <drousso@apple.com>
994
995         Web Inspector: provide autocompletion for event breakpoints
996         https://bugs.webkit.org/show_bug.cgi?id=188717
997
998         Reviewed by Brian Burg.
999
1000         * inspector/protocol/DOM.json:
1001         Add `getSupportedEventNames` command.
1002
1003 2018-08-27  Keith Rollin  <krollin@apple.com>
1004
1005         Build system support for LTO
1006         https://bugs.webkit.org/show_bug.cgi?id=187785
1007         <rdar://problem/42353132>
1008
1009         Reviewed by Dan Bernstein.
1010
1011         Update Base.xcconfig and DebugRelease.xcconfig to optionally enable
1012         LTO.
1013
1014         * Configurations/Base.xcconfig:
1015         * Configurations/DebugRelease.xcconfig:
1016
1017 2018-08-27  Patrick Griffis  <pgriffis@igalia.com>
1018
1019         [GTK][JSC] Add warn_unused_result attribute to some APIs
1020         https://bugs.webkit.org/show_bug.cgi?id=188983
1021
1022         Reviewed by Michael Catanzaro.
1023
1024         * API/glib/JSCValue.h:
1025
1026 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1027
1028         [JSC] Array.prototype.reverse modifies JSImmutableButterfly
1029         https://bugs.webkit.org/show_bug.cgi?id=188794
1030
1031         Reviewed by Saam Barati.
1032
1033         While Array.prototype.reverse modifies the butterfly of the given Array,
1034         it does not account for the JSImmutableButterfly case. So it accidentally modifies
1035         the content of JSImmutableButterfly.
1036         This patch converts CoW arrays to writable arrays before reversing.
1037
1038         * runtime/ArrayPrototype.cpp:
1039         (JSC::arrayProtoFuncReverse):
1040         * runtime/JSObject.h:
1041         (JSC::JSObject::ensureWritable):
1042
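The hazard this entry fixes, as an added example in C++ that is not JavaScriptCore's code: Array, ImmutableButterfly, ensureWritable(), reverseOneOfTwoSiblings() and the other names are this example's own model of a copy-on-write array whose backing store is shared by every evaluation of the same literal. The buggy reverse mutates the shared store and so changes a second array that was never touched; the fixed reverse detaches onto private storage first, as the patch does for CoW arrays.

```cpp
#include <algorithm>
#include <memory>
#include <utility>
#include <vector>

// Shared, supposedly immutable backing store: stands in for JSImmutableButterfly.
struct ImmutableButterfly {
    std::vector<int> storage;
};

class Array {
public:
    // Every evaluation of the same array literal starts out sharing one immutable store.
    explicit Array(std::shared_ptr<ImmutableButterfly> cow) : m_cow(std::move(cow)) { }

    bool isCopyOnWrite() const { return m_cow != nullptr; }
    const std::vector<int>& elements() const { return m_cow ? m_cow->storage : m_private; }

    // Detach onto private, writable storage; a no-op for arrays that already own theirs.
    void ensureWritable()
    {
        if (!m_cow)
            return;
        m_private = m_cow->storage;
        m_cow.reset();
    }

    // The hazard: reversing whatever storage the array points at, shared or not.
    void reverseWithoutEnsureWritable()
    {
        std::vector<int>& store = m_cow ? m_cow->storage : m_private;
        std::reverse(store.begin(), store.end());
    }

    // The fix: make the array writable before mutating in place.
    void reverse()
    {
        ensureWritable();
        std::reverse(m_private.begin(), m_private.end());
    }

private:
    std::shared_ptr<ImmutableButterfly> m_cow; // non-null while sharing the literal's store
    std::vector<int> m_private;                // owned storage once detached
};

struct ReverseOutcome {
    std::vector<int> reversed;  // the array reverse was called on
    std::vector<int> sibling;   // a second array built from the same literal
    bool reversedIsStillCoW;
};

// Build two arrays from one constructed literal {1, 2, 3}, reverse the first, report both.
ReverseOutcome reverseOneOfTwoSiblings(bool useFix)
{
    auto literal = std::make_shared<ImmutableButterfly>(ImmutableButterfly { { 1, 2, 3 } });
    Array a(literal), b(literal);
    if (useFix)
        a.reverse();
    else
        a.reverseWithoutEnsureWritable();
    return { a.elements(), b.elements(), a.isCopyOnWrite() };
}
```

reverseOneOfTwoSiblings(false) reports the sibling as {3, 2, 1} with the mutated array still marked copy-on-write, which is the corruption; with true the sibling keeps {1, 2, 3} and the reversed array owns its storage. The same discipline applies to any in-place mutator of a CoW array: detach before writing, not after.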
1043 2018-08-24  Michael Saboff  <msaboff@apple.com>
1044
1045         YARR: Update UCS canonicalization tables for Unicode 11
1046         https://bugs.webkit.org/show_bug.cgi?id=188928
1047
1048         Reviewed by Mark Lam.
1049
1050         Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js.
1051
1052         This passes JavaScriptCore and test262 tests.
1053
1054         * yarr/YarrCanonicalizeUCS2.cpp:
1055         * yarr/YarrCanonicalizeUCS2.js:
1056         (printHeader):
1057
1058 2018-08-24  Michael Saboff  <msaboff@apple.com>
1059
1060         YARR: JIT RegExps with non-greedy parenthesized sub patterns
1061         https://bugs.webkit.org/show_bug.cgi?id=180876
1062
1063         Reviewed by Filip Pizlo.
1064
1065         Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work.
1066         For the matching code, the greedy path was correct except that we don't try matching for the
1067         non-greedy case.  Added a jump out to the term after the parenthesis and a label to perform the
1068         first / next match when we backtrack.  The backtracking code needs to check to see if we have
1069         tried the first match or if we can do another match.
1070
1071         Updated the disassembly annotations to include parenthesis capturing info, quantifier type and
1072         count.  Did other minor cleanup as well.
1073
1074         Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()".
1075
1076         Updated the text in some comments, both for this change as well as accuracy for existing code.
1077
1078         * yarr/YarrJIT.cpp:
1079         (JSC::Yarr::YarrGenerator::generate):
1080         (JSC::Yarr::YarrGenerator::backtrack):
1081         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1082         (JSC::Yarr::YarrGenerator::compile):
1083         (JSC::Yarr::dumpCompileFailure):
1084         (JSC::Yarr::jitCompile):
1085         * yarr/YarrJIT.h:
1086         (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer):
1087         (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted.
1088
1089 2018-08-23  Simon Fraser  <simon.fraser@apple.com>
1090
1091         Add support for dumping GC heap snapshots, and a viewer
1092         https://bugs.webkit.org/show_bug.cgi?id=186416
1093
1094         Reviewed by Joseph Pecoraro.
1095
1096         Make a way to dump information about the GC heap that is useful for looking for leaked
1097         or abandoned objects. This dump is obtained (on Apple platforms) via:
1098             notifyutil -p com.apple.WebKit.dumpGCHeap
1099         which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector.
1100         
1101         This leverages the heap snapshot used by Web Inspector, adding an alternate format for
1102         the snapshot JSON that adds additional data about objects and why they are GC roots.
1103
1104         SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows
1105         the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. For
1106         objects visited via opaque roots, we record the reason why via a new out param to
1107         isReachableFromOpaqueRoots().
1108
1109         HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains
1110         additional information including the address of the JSCell* and the wrapped object (for
1111         JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can
1112         be the document URL.
1113
1114         GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around).
1115
1116         * API/JSAPIWrapperObject.mm:
1117         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1118         * API/JSManagedValue.mm:
1119         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots):
1120         * API/glib/JSAPIWrapperObjectGLib.cpp:
1121         (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots):
1122         * CMakeLists.txt:
1123         * heap/ConservativeRoots.h:
1124         (JSC::ConservativeRoots::size const):
1125         (JSC::ConservativeRoots::size): Deleted.
1126         * heap/Heap.cpp:
1127         (JSC::Heap::addCoreConstraints):
1128         * heap/HeapSnapshotBuilder.cpp:
1129         (JSC::HeapSnapshotBuilder::getNextObjectIdentifier):
1130         (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
1131         (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder):
1132         (JSC::HeapSnapshotBuilder::buildSnapshot):
1133         (JSC::HeapSnapshotBuilder::appendNode):
1134         (JSC::HeapSnapshotBuilder::appendEdge):
1135         (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):
1136         (JSC::HeapSnapshotBuilder::setWrappedObjectForCell):
1137         (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell):
1138         (JSC::snapshotTypeToString):
1139         (JSC::rootTypeToString):
1140         (JSC::HeapSnapshotBuilder::setLabelForCell):
1141         (JSC::HeapSnapshotBuilder::descriptionForCell const):
1142         (JSC::HeapSnapshotBuilder::json):
1143         (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted.
1144         * heap/HeapSnapshotBuilder.h:
1145         * heap/SlotVisitor.cpp:
1146         (JSC::SlotVisitor::appendSlow):
1147         * heap/SlotVisitor.h:
1148         (JSC::SlotVisitor::heapSnapshotBuilder const):
1149         (JSC::SlotVisitor::rootMarkReason const):
1150         (JSC::SlotVisitor::setRootMarkReason):
1151         (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope):
1152         (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope):
1153         * heap/WeakBlock.cpp:
1154         (JSC::WeakBlock::specializedVisit):
1155         * heap/WeakHandleOwner.cpp:
1156         (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
1157         * heap/WeakHandleOwner.h:
1158         * runtime/SimpleTypedArrayController.cpp:
1159         (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots):
1160         * runtime/SimpleTypedArrayController.h:
1161         * tools/JSDollarVM.cpp:
1162
1163 2018-08-23  Saam barati  <sbarati@apple.com>
1164
1165         JSRunLoopTimer may run part of a member function after it's destroyed
1166         https://bugs.webkit.org/show_bug.cgi?id=188426
1167
1168         Reviewed by Mark Lam.
1169
1170         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1171         to end up running timer code after the class had been destroyed.
1172         
1173         The issue I spotted was in this function:
1174         ```
1175         void JSRunLoopTimer::timerDidFire()
1176         {
1177             JSLock* apiLock = m_apiLock.get();
1178             if (!apiLock) {
1179                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1180                 return;
1181             }
1182             // HERE
1183             std::lock_guard<JSLock> lock(*apiLock);
1184             RefPtr<VM> vm = apiLock->vm();
1185             if (!vm) {
1186                 // The VM has been destroyed, so we should just give up.
1187                 return;
1188             }
1189         
1190             doWork();
1191         }
1192         ```
1193         
1194         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1195         switched before grabbing the API lock. Then, some other thread destroys the VM.
1196         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1197         timer would run code and access member variables after it was destroyed.
1198         
1199         This patch fixes this issue by introducing a new timer manager class. 
1200         This class manages timers on a per VM basis. When a timer is scheduled,
1201         this class refs the timer. It also calls the timer callback while actively
1202         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1203         callback after the timer has been destroyed. However, calling a timer callback
1204         can still race with the VM being destroyed. We continue to detect this case and
1205         bail out of the callback early.
1206         
1207         This patch also removes a lot of duplicate code between GCActivityCallback
1208         and JSRunLoopTimer.
1209
1210         * heap/EdenGCActivityCallback.cpp:
1211         (JSC::EdenGCActivityCallback::doCollection):
1212         (JSC::EdenGCActivityCallback::lastGCLength):
1213         (JSC::EdenGCActivityCallback::deathRate):
1214         * heap/EdenGCActivityCallback.h:
1215         * heap/FullGCActivityCallback.cpp:
1216         (JSC::FullGCActivityCallback::doCollection):
1217         (JSC::FullGCActivityCallback::lastGCLength):
1218         (JSC::FullGCActivityCallback::deathRate):
1219         * heap/FullGCActivityCallback.h:
1220         * heap/GCActivityCallback.cpp:
1221         (JSC::GCActivityCallback::doWork):
1222         (JSC::GCActivityCallback::scheduleTimer):
1223         (JSC::GCActivityCallback::didAllocate):
1224         (JSC::GCActivityCallback::willCollect):
1225         (JSC::GCActivityCallback::cancel):
1226         (JSC::GCActivityCallback::cancelTimer): Deleted.
1227         (JSC::GCActivityCallback::nextFireTime): Deleted.
1228         * heap/GCActivityCallback.h:
1229         * heap/Heap.cpp:
1230         (JSC::Heap::reportAbandonedObjectGraph):
1231         (JSC::Heap::notifyIncrementalSweeper):
1232         (JSC::Heap::updateAllocationLimits):
1233         (JSC::Heap::didAllocate):
1234         * heap/IncrementalSweeper.cpp:
1235         (JSC::IncrementalSweeper::scheduleTimer):
1236         (JSC::IncrementalSweeper::doWork):
1237         (JSC::IncrementalSweeper::doSweep):
1238         (JSC::IncrementalSweeper::sweepNextBlock):
1239         (JSC::IncrementalSweeper::startSweeping):
1240         (JSC::IncrementalSweeper::stopSweeping):
1241         * heap/IncrementalSweeper.h:
1242         * heap/StopIfNecessaryTimer.cpp:
1243         (JSC::StopIfNecessaryTimer::doWork):
1244         (JSC::StopIfNecessaryTimer::scheduleSoon):
1245         * heap/StopIfNecessaryTimer.h:
1246         * runtime/JSRunLoopTimer.cpp:
1247         (JSC::epochTime):
1248         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1249         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1250         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1251         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1252         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1253         (JSC::JSRunLoopTimer::Manager::shared):
1254         (JSC::JSRunLoopTimer::Manager::registerVM):
1255         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1256         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1257         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1258         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1259         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1260         (JSC::JSRunLoopTimer::timerDidFire):
1261         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1262         (JSC::JSRunLoopTimer::timeUntilFire):
1263         (JSC::JSRunLoopTimer::setTimeUntilFire):
1264         (JSC::JSRunLoopTimer::cancelTimer):
1265         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1266         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1267         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1268         * runtime/JSRunLoopTimer.h:
1269         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1270         * runtime/PromiseDeferredTimer.cpp:
1271         (JSC::PromiseDeferredTimer::doWork):
1272         (JSC::PromiseDeferredTimer::runRunLoop):
1273         (JSC::PromiseDeferredTimer::addPendingPromise):
1274         (JSC::PromiseDeferredTimer::hasPendingPromise):
1275         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1276         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1277         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1278         * runtime/PromiseDeferredTimer.h:
1279         * runtime/VM.cpp:
1280         (JSC::VM::VM):
1281         (JSC::VM::~VM):
1282         (JSC::VM::setRunLoop):
1283         (JSC::VM::registerRunLoopTimer): Deleted.
1284         (JSC::VM::unregisterRunLoopTimer): Deleted.
1285         * runtime/VM.h:
1286         (JSC::VM::runLoop const):
1287         * wasm/js/WebAssemblyPrototype.cpp:
1288         (JSC::webAssemblyModuleValidateAsyncInternal):
1289         (JSC::instantiate):
1290         (JSC::compileAndInstantiate):
1291         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1292         (JSC::webAssemblyCompileStreamingInternal):
1293         (JSC::webAssemblyInstantiateStreamingInternal):
1294
1295 2018-08-23  Mark Lam  <mark.lam@apple.com>
1296
1297         Move vmEntryGlobalObject() to VM from CallFrame.
1298         https://bugs.webkit.org/show_bug.cgi?id=188900
1299         <rdar://problem/43655753>
1300
1301         Reviewed by Michael Saboff.
1302
1303         Also introduced CallFrame::isGlobalExec() which makes use of one property of
1304         GlobalExecs to identify them, i.e. GlobalExecs have null callerFrames and returnPCs.
1305         CallFrame::initGlobalExec() ensures this.
1306
1307         In contrast, normal CallFrames always have a callerFrame (because they must at
1308         least be preceded by a VM EntryFrame) and a returnPC (at least return to the
1309         VM entry glue).
1310
1311         * API/APIUtils.h:
1312         (handleExceptionIfNeeded):
1313         (setException):
1314         * API/JSBase.cpp:
1315         (JSEvaluateScript):
1316         (JSCheckScriptSyntax):
1317         * API/JSContextRef.cpp:
1318         (JSGlobalContextRetain):
1319         (JSGlobalContextRelease):
1320         (JSGlobalContextCopyName):
1321         (JSGlobalContextSetName):
1322         (JSGlobalContextGetRemoteInspectionEnabled):
1323         (JSGlobalContextSetRemoteInspectionEnabled):
1324         (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
1325         (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
1326         (JSGlobalContextGetDebuggerRunLoop):
1327         (JSGlobalContextSetDebuggerRunLoop):
1328         (JSGlobalContextGetAugmentableInspectorController):
1329         * API/JSValue.mm:
1330         (reportExceptionToInspector):
1331         * API/glib/JSCClass.cpp:
1332         (jscContextForObject):
1333         * API/glib/JSCContext.cpp:
1334         (jsc_context_evaluate_in_object):
1335         * debugger/Debugger.cpp:
1336         (JSC::Debugger::pauseIfNeeded):
1337         * debugger/DebuggerCallFrame.cpp:
1338         (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
1339         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
1340         * interpreter/CallFrame.cpp:
1341         (JSC::CallFrame::vmEntryGlobalObject): Deleted.
1342         * interpreter/CallFrame.h:
1343         (JSC::ExecState::scope const):
1344         (JSC::ExecState::noCaller):
1345         (JSC::ExecState::isGlobalExec const):
1346         * interpreter/Interpreter.cpp:
1347         (JSC::notifyDebuggerOfUnwinding):
1348         (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
1349         (JSC::Interpreter::debug):
1350         * runtime/CallData.cpp:
1351         (JSC::profiledCall):
1352         * runtime/Completion.cpp:
1353         (JSC::evaluate):
1354         (JSC::profiledEvaluate):
1355         (JSC::evaluateWithScopeExtension):
1356         (JSC::loadAndEvaluateModule):
1357         (JSC::loadModule):
1358         (JSC::linkAndEvaluateModule):
1359         (JSC::importModule):
1360         * runtime/ConstructData.cpp:
1361         (JSC::profiledConstruct):
1362         * runtime/Error.cpp:
1363         (JSC::getStackTrace):
1364         * runtime/VM.cpp:
1365         (JSC::VM::throwException):
1366         (JSC::VM::vmEntryGlobalObject const):
1367         * runtime/VM.h:
1368
1369 2018-08-23  Andy Estes  <aestes@apple.com>
1370
1371         [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
1372         https://bugs.webkit.org/show_bug.cgi?id=188829
1373
1374         Reviewed by Tim Horton.
1375
1376         * Configurations/FeatureDefines.xcconfig:
1377
1378 2018-08-23  Devin Rousso  <drousso@apple.com>
1379
1380         Web Inspector: support breakpoints for timers and animation-frame events
1381         https://bugs.webkit.org/show_bug.cgi?id=188778
1382
1383         Reviewed by Brian Burg.
1384
1385         * inspector/protocol/Debugger.json:
1386         Add `AnimationFrame` and `Timer` types to the list of pause reasons.
1387
1388         * inspector/protocol/DOMDebugger.json:
1389         Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
1390          - `setEventListenerBreakpoint`
1391          - `removeEventListenerBreakpoint`
1392          - `setInstrumentationBreakpoint`
1393          - `removeInstrumentationBreakpoint`
1394         Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
1395
1396         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1397         (CppProtocolTypesHeaderGenerator.generate_output):
1398         (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
1399         (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
1400         (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
1401         Generate `DefaultHash` for all `enum class` used by inspector protocols.
1402
1403         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1404         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1405         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1406         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1407         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1408         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1409         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1410
1411 2018-08-23  Michael Saboff  <msaboff@apple.com>
1412
1413         YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
1414         https://bugs.webkit.org/show_bug.cgi?id=188895
1415
1416         Reviewed by Mark Lam.
1417
1418         Found while working on another change.  This will allow processing of nested
1419         parentheses that require saved ParenContext structures.
1420
1421         * yarr/YarrJIT.cpp:
1422         (JSC::Yarr::YarrGenerator::compile):
1423
1424 2018-08-22  Michael Saboff  <msaboff@apple.com>
1425
1426         https://bugs.webkit.org/show_bug.cgi?id=188859
1427         Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
1428
1429         Rubber-stamped by Saam Barati.
1430
1431         Deleted these two functions.
1432
1433         * jit/JITOperations.cpp:
1434         * jit/JITOperations.h:
1435
1436 2018-08-22  Mark Lam  <mark.lam@apple.com>
1437
1438         The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
1439         https://bugs.webkit.org/show_bug.cgi?id=188298
1440         <rdar://problem/42888427>
1441
1442         Reviewed by Saam Barati.
1443
1444         In the event that both targets of a Branch are the same block, then even if we'll
1445         always take one path of the branch, the other target is not unreachable because
1446         it is the same target as the one in the taken path.  Hence, it should not be
1447         jettisoned.
1448
1449         * JavaScriptCore.xcodeproj/project.pbxproj:
1450         - Added DFGCFG.h which is in use and should have been added to the project.
1451         * dfg/DFGCFGSimplificationPhase.cpp:
1452         (JSC::DFG::CFGSimplificationPhase::run):
1453
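The branch-target rule the entry above describes, as an added example that is not WebKit's or the DFG's code: a toy CFG in which folding a Branch whose condition is known removes the not-taken edge, except when both targets are the same block. `Block`, `CFG`, `foldBranch` and the other names are this example's own, and predecessor lists hold one entry per distinct edge (a modelling choice, not a claim about DFG's data structures).

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Toy CFG (added example, not the DFG's own data structures). Block 0 is the
// entry block; every block ends in a Branch with two targets or, once folded,
// in a Jump to a single target.
struct Block {
    bool isBranch = false;
    int taken = -1;      // successor when the condition is true (or the Jump target)
    int notTaken = -1;   // successor when the condition is false
    std::vector<int> predecessors;
};

struct CFG {
    std::vector<Block> blocks;

    // Predecessor lists hold one entry per distinct edge.
    void addEdge(int from, int to) { blocks[to].predecessors.push_back(from); }

    void removeEdge(int from, int to) {
        std::vector<int>& preds = blocks[to].predecessors;
        for (std::size_t i = 0; i < preds.size(); ++i) {
            if (preds[i] == from) {
                preds.erase(preds.begin() + i);
                return;
            }
        }
    }
};

// Block 0 branches to `taken` / `notTaken`; blocks 1 and 2 are leaves.
CFG makeCFG(int taken, int notTaken) {
    CFG cfg;
    cfg.blocks.resize(3);
    cfg.blocks[0].isBranch = true;
    cfg.blocks[0].taken = taken;
    cfg.blocks[0].notTaken = notTaken;
    cfg.addEdge(0, taken);
    if (notTaken != taken)
        cfg.addEdge(0, notTaken);
    return cfg;
}

// Fold the Branch in `blockIndex`, whose condition is known to be `conditionValue`,
// into a Jump. Returns the block that lost its edge from `blockIndex`, or -1.
// The other side is jettisoned only when it is a different block: if both
// targets are the same block, that block is still reached through the taken
// path, and removing its predecessor edge would wrongly make it unreachable.
int foldBranch(CFG& cfg, int blockIndex, bool conditionValue) {
    Block& block = cfg.blocks[blockIndex];
    assert(block.isBranch);
    const int kept = conditionValue ? block.taken : block.notTaken;
    const int other = conditionValue ? block.notTaken : block.taken;

    block.isBranch = false;
    block.taken = kept;
    block.notTaken = -1;

    if (other == kept)
        return -1;
    cfg.removeEdge(blockIndex, other);
    return other;
}

// A non-entry block with no predecessors left is unreachable and may be removed.
bool isUnreachable(const CFG& cfg, int blockIndex) {
    return blockIndex != 0 && cfg.blocks[blockIndex].predecessors.empty();
}

// Distinct targets: the not-taken block becomes unreachable.
bool foldingDistinctTargetsJettisonsOther() {
    CFG cfg = makeCFG(1, 2);
    return foldBranch(cfg, 0, true) == 2 && isUnreachable(cfg, 2) && !isUnreachable(cfg, 1);
}

// Both targets the same block: nothing is jettisoned and the block stays reachable.
bool foldingSameTargetKeepsBlock() {
    CFG cfg = makeCFG(1, 1);
    return foldBranch(cfg, 0, true) == -1 && !isUnreachable(cfg, 1) && cfg.blocks[0].taken == 1;
}
```

The `other == kept` test is the whole fix in miniature: without it, a Branch with identical targets would drop the only edge into its successor and a later reachability pass would delete live code.
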
1454 2018-08-20  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1455
1456         [JSC] HeapUtil should care about pointer overflow
1457         https://bugs.webkit.org/show_bug.cgi?id=188740
1458
1459         Reviewed by Saam Barati.
1460
1461         `pointer - sizeof(IndexingHeader) - 1` causes undefined behavior if a pointer overflows.
1462         For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
1463         with a `char*` pointer, we cast it to `uintptr_t` temporarily. This issue was found by UBSan.
1464
1465         * heap/HeapUtil.h:
1466         (JSC::HeapUtil::findGCObjectPointersForMarking):
1467
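The `uintptr_t` fix the entry above describes, as an added example that is not the HeapUtil code: the same subtraction done on an unsigned integer instead of a `char*`, with the underflow clamped rather than left to wrap. The header size, `lowestPossibleObjectStart`, `mayPointIntoBlock` and the arena are this example's own assumptions and illustration of how such a bound is then used.

```cpp
#include <cstddef>
#include <cstdint>

// Added example, not the HeapUtil code itself. The header size is an assumption
// standing in for sizeof(IndexingHeader) in the entry.
constexpr uintptr_t kIndexingHeaderSize = 8;
constexpr uintptr_t kReach = kIndexingHeaderSize + 1;   // the "- sizeof(IndexingHeader) - 1"

// Conservative marking asks, for a word `candidate` found on the stack: what is
// the lowest address at which an object could start and still own that word?
//
// Written with pointer arithmetic,
//     char* lowest = static_cast<char*>(candidate) - sizeof(IndexingHeader) - 1;
// the subtraction is undefined behaviour as soon as it leaves the object the
// pointer belongs to, and a nullptr candidate (a common stack word) is the
// obvious case. Unsigned integer arithmetic is fully defined, so convert to
// uintptr_t first, and clamp instead of letting the value wrap around.
constexpr uintptr_t lowestPossibleObjectStart(uintptr_t candidate) {
    return candidate < kReach ? 0 : candidate - kReach;
}

// Could `candidatePtr` point into an object allocated in [blockStart, blockEnd)?
// True when some object start in [lowest, candidate] falls inside the block.
inline bool mayPointIntoBlock(const void* candidatePtr, const void* blockStart, const void* blockEnd) {
    const uintptr_t candidate = reinterpret_cast<uintptr_t>(candidatePtr);
    const uintptr_t start = reinterpret_cast<uintptr_t>(blockStart);
    const uintptr_t end = reinterpret_cast<uintptr_t>(blockEnd);
    const uintptr_t lowest = lowestPossibleObjectStart(candidate);
    return lowest < end && candidate >= start;
}

// Constructed arena for a stand-alone run: a 64-byte "block" at the start of a
// larger buffer, so every candidate address below stays inside a real object
// and the only integer wrap-around exercised is the nullptr case.
inline bool scanArena() {
    static unsigned char arena[128];
    const unsigned char* blockStart = arena;
    const unsigned char* blockEnd = arena + 64;
    return mayPointIntoBlock(arena + 16, blockStart, blockEnd)                // inside the block
        && mayPointIntoBlock(arena + 64 + 4, blockStart, blockEnd)            // just past it, within header reach
        && !mayPointIntoBlock(arena + 64 + kReach, blockStart, blockEnd)      // beyond header reach
        && !mayPointIntoBlock(nullptr, blockStart, blockEnd);                 // nullptr: no UB, no match
}
```

The point for a reviewer is the type of the subtraction, not its value: `uintptr_t` arithmetic that underflows is defined (and here clamped), while the equivalent `char*` arithmetic lets the optimiser assume it never happens.
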
1468 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1469
1470         [JSC] Should not rotate constant with 64
1471         https://bugs.webkit.org/show_bug.cgi?id=188556
1472
1473         Reviewed by Saam Barati.
1474
1475         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
1476         But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
1477         where value's type is uint64_t, and they cause undefined behavior (UB). This patch limits
1478         the seed to the range [1, 63] so as not to generate code causing UB. This was found by UBSan.
1479
1480         * assembler/MacroAssembler.h:
1481         (JSC::MacroAssembler::generateRotationSeed):
1482         (JSC::MacroAssembler::rotationBlindConstant):
1483
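The constant-blinding pattern the entry above describes, as an added example that is not the MacroAssembler code: a seed generator that only ever yields [1, 63], rotations whose shift counts never reach 64, and the blind/unblind round trip the emitted code performs. The function and struct names are this example's own.

```cpp
#include <cstdint>

// Added example of the constant-blinding pattern the entry describes; it is not
// the MacroAssembler code. The JIT emits a rotated copy of a constant plus the
// rotation amount and un-rotates at run time, so an attacker-chosen immediate
// never appears verbatim in executable memory (the JIT-spraying defence).

// Rotations whose shift counts always stay in [0, 63]: shifting a 64-bit value
// by 64 (`value << 64`, `value >> 64`) is undefined behaviour in C++.
constexpr uint64_t rotateLeft64(uint64_t value, unsigned count) {
    return (count & 63) == 0 ? value : (value << (count & 63)) | (value >> (64 - (count & 63)));
}

constexpr uint64_t rotateRight64(uint64_t value, unsigned count) {
    return (count & 63) == 0 ? value : (value >> (count & 63)) | (value << (64 - (count & 63)));
}

// Map a raw random word onto a seed in [1, 63]. 0 is excluded because it would
// leave the constant unblinded; 64 is excluded because it is exactly the
// `value << 64` / `value >> 64` case the entry calls out.
constexpr unsigned generateRotationSeed(uint64_t randomWord) {
    return static_cast<unsigned>(randomWord % 63) + 1;
}

constexpr bool isSafeRotationSeed(unsigned seed) {
    return seed >= 1 && seed <= 63;
}

struct BlindedConstant {
    uint64_t rotated;  // the immediate actually baked into the code
    unsigned seed;     // the rotation amount, emitted separately
};

constexpr BlindedConstant blind(uint64_t value, uint64_t randomWord) {
    return { rotateLeft64(value, generateRotationSeed(randomWord)), generateRotationSeed(randomWord) };
}

// What the emitted code does at run time to recover the original value.
constexpr uint64_t unblind(BlindedConstant constant) {
    return rotateRight64(constant.rotated, constant.seed);
}

// Round-trip check over every legal seed for one value.
inline bool roundTripsForAllSeeds(uint64_t value) {
    for (unsigned seed = 1; seed <= 63; ++seed) {
        if (rotateRight64(rotateLeft64(value, seed), seed) != value)
            return false;
    }
    return true;
}
```

Two things matter here: the seed range is enforced where the seed is produced, not where it is consumed, and the rotation helpers are safe for any count anyway, so a future caller cannot reintroduce the UB by passing 0 or 64.
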
1484 2018-08-21  Commit Queue  <commit-queue@webkit.org>
1485
1486         Unreviewed, rolling out r235107.
1487         https://bugs.webkit.org/show_bug.cgi?id=188832
1488
1489         "It revealed bugs in Blob code as well as regressed JS
1490         performance tests" (Requested by saamyjoon on #webkit).
1491
1492         Reverted changeset:
1493
1494         "JSRunLoopTimer may run part of a member function after it's
1495         destroyed"
1496         https://bugs.webkit.org/show_bug.cgi?id=188426
1497         https://trac.webkit.org/changeset/235107
1498
1499 2018-08-21  Saam barati  <sbarati@apple.com>
1500
1501         JSRunLoopTimer may run part of a member function after it's destroyed
1502         https://bugs.webkit.org/show_bug.cgi?id=188426
1503
1504         Reviewed by Mark Lam.
1505
1506         When I was reading the JSRunLoopTimer code, I noticed that it is possible
1507         to end up running timer code after the class had been destroyed.
1508         
1509         The issue I spotted was in this function:
1510         ```
1511         void JSRunLoopTimer::timerDidFire()
1512         {
1513             JSLock* apiLock = m_apiLock.get();
1514             if (!apiLock) {
1515                 // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
1516                 return;
1517             }
1518             // HERE
1519             std::lock_guard<JSLock> lock(*apiLock);
1520             RefPtr<VM> vm = apiLock->vm();
1521             if (!vm) {
1522                 // The VM has been destroyed, so we should just give up.
1523                 return;
1524             }
1525         
1526             doWork();
1527         }
1528         ```
1529         
1530         Look at the comment 'HERE'. Let's say that the timer callback thread gets context
1531         switched before grabbing the API lock. Then, some other thread destroys the VM.
1532         And let's say that the VM owns (perhaps transitively) this timer. Then, the
1533         timer would run code and access member variables after it was destroyed.
1534         
1535         This patch fixes this issue by introducing a new timer manager class. 
1536         This class manages timers on a per VM basis. When a timer is scheduled,
1537         this class refs the timer. It also calls the timer callback while actively
1538         maintaining a +1 ref to it. So, it's no longer possible to call the timer
1539         callback after the timer has been destroyed. However, calling a timer callback
1540         can still race with the VM being destroyed. We continue to detect this case and
1541         bail out of the callback early.
1542         
1543         This patch also removes a lot of duplicate code between GCActivityCallback
1544         and JSRunLoopTimer.
1545
1546         * heap/EdenGCActivityCallback.cpp:
1547         (JSC::EdenGCActivityCallback::doCollection):
1548         (JSC::EdenGCActivityCallback::lastGCLength):
1549         (JSC::EdenGCActivityCallback::deathRate):
1550         * heap/EdenGCActivityCallback.h:
1551         * heap/FullGCActivityCallback.cpp:
1552         (JSC::FullGCActivityCallback::doCollection):
1553         (JSC::FullGCActivityCallback::lastGCLength):
1554         (JSC::FullGCActivityCallback::deathRate):
1555         * heap/FullGCActivityCallback.h:
1556         * heap/GCActivityCallback.cpp:
1557         (JSC::GCActivityCallback::doWork):
1558         (JSC::GCActivityCallback::scheduleTimer):
1559         (JSC::GCActivityCallback::didAllocate):
1560         (JSC::GCActivityCallback::willCollect):
1561         (JSC::GCActivityCallback::cancel):
1562         (JSC::GCActivityCallback::cancelTimer): Deleted.
1563         (JSC::GCActivityCallback::nextFireTime): Deleted.
1564         * heap/GCActivityCallback.h:
1565         * heap/Heap.cpp:
1566         (JSC::Heap::reportAbandonedObjectGraph):
1567         (JSC::Heap::notifyIncrementalSweeper):
1568         (JSC::Heap::updateAllocationLimits):
1569         (JSC::Heap::didAllocate):
1570         * heap/IncrementalSweeper.cpp:
1571         (JSC::IncrementalSweeper::scheduleTimer):
1572         (JSC::IncrementalSweeper::doWork):
1573         (JSC::IncrementalSweeper::doSweep):
1574         (JSC::IncrementalSweeper::sweepNextBlock):
1575         (JSC::IncrementalSweeper::startSweeping):
1576         (JSC::IncrementalSweeper::stopSweeping):
1577         * heap/IncrementalSweeper.h:
1578         * heap/StopIfNecessaryTimer.cpp:
1579         (JSC::StopIfNecessaryTimer::doWork):
1580         (JSC::StopIfNecessaryTimer::scheduleSoon):
1581         * heap/StopIfNecessaryTimer.h:
1582         * runtime/JSRunLoopTimer.cpp:
1583         (JSC::epochTime):
1584         (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
1585         (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
1586         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1587         (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
1588         (JSC::JSRunLoopTimer::Manager::timerDidFire):
1589         (JSC::JSRunLoopTimer::Manager::shared):
1590         (JSC::JSRunLoopTimer::Manager::registerVM):
1591         (JSC::JSRunLoopTimer::Manager::unregisterVM):
1592         (JSC::JSRunLoopTimer::Manager::scheduleTimer):
1593         (JSC::JSRunLoopTimer::Manager::cancelTimer):
1594         (JSC::JSRunLoopTimer::Manager::timeUntilFire):
1595         (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
1596         (JSC::JSRunLoopTimer::timerDidFire):
1597         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1598         (JSC::JSRunLoopTimer::timeUntilFire):
1599         (JSC::JSRunLoopTimer::setTimeUntilFire):
1600         (JSC::JSRunLoopTimer::cancelTimer):
1601         (JSC::JSRunLoopTimer::setRunLoop): Deleted.
1602         (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
1603         (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
1604         * runtime/JSRunLoopTimer.h:
1605         (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
1606         * runtime/PromiseDeferredTimer.cpp:
1607         (JSC::PromiseDeferredTimer::doWork):
1608         (JSC::PromiseDeferredTimer::runRunLoop):
1609         (JSC::PromiseDeferredTimer::addPendingPromise):
1610         (JSC::PromiseDeferredTimer::hasPendingPromise):
1611         (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
1612         (JSC::PromiseDeferredTimer::cancelPendingPromise):
1613         (JSC::PromiseDeferredTimer::scheduleWorkSoon):
1614         * runtime/PromiseDeferredTimer.h:
1615         * runtime/VM.cpp:
1616         (JSC::VM::VM):
1617         (JSC::VM::~VM):
1618         (JSC::VM::setRunLoop):
1619         (JSC::VM::registerRunLoopTimer): Deleted.
1620         (JSC::VM::unregisterRunLoopTimer): Deleted.
1621         * runtime/VM.h:
1622         (JSC::VM::runLoop const):
1623         * wasm/js/WebAssemblyPrototype.cpp:
1624         (JSC::webAssemblyModuleValidateAsyncInternal):
1625         (JSC::instantiate):
1626         (JSC::compileAndInstantiate):
1627         (JSC::webAssemblyModuleInstantinateAsyncInternal):
1628         (JSC::webAssemblyCompileStreamingInternal):
1629         (JSC::webAssemblyInstantiateStreamingInternal):
1630
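The ownership fix this entry describes (the same change, re-landed, is described again in the copy of this entry higher up in the log), as an added example that is not JavaScriptCore's code: a manager that holds a +1 ref on every timer it is about to run, and a fire path that bails out when the VM is already gone. `std::shared_ptr` stands in for `Ref`/`RefPtr`, `std::weak_ptr<VM>` for the API lock's pointer to a possibly destroyed VM, and the thread interleaving from the entry is replayed sequentially; `Timer`, `VM`, `Manager` and the scenario functions are this example's own.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

// Added example modelling the fix in this entry; it is not JavaScriptCore's code.
// The race is replayed in one thread: schedule, destroy the owner, then fire.

class Timer {
public:
    virtual ~Timer() { ++s_destroyed; }
    // The callback. After the fix the Manager only ever calls this while it
    // holds its own +1 ref, so `this` is guaranteed to be alive.
    virtual void doWork() { ++m_fired; }
    int fired() const { return m_fired; }
    static int destroyedCount() { return s_destroyed; }
private:
    int m_fired = 0;
    static int s_destroyed;
};
int Timer::s_destroyed = 0;

// Per-VM timer state owned by the VM. A scheduled timer is held at +1 here.
struct VM {
    std::vector<std::shared_ptr<Timer>> scheduledTimers;
};

class Manager {
public:
    // Scheduling refs the timer: it cannot be freed while it is scheduled.
    void scheduleTimer(VM& vm, std::shared_ptr<Timer> timer) {
        vm.scheduledTimers.push_back(std::move(timer));
    }

    // The platform timer fired. Returns how many callbacks actually ran.
    int timerDidFire(const std::weak_ptr<VM>& weakVM) {
        // Equivalent of `apiLock->vm()`: if the VM died between the fire and
        // this point, bail out without touching anything it owned.
        std::shared_ptr<VM> vm = weakVM.lock();
        if (!vm)
            return 0;
        // Take our own +1 refs before running anything. doWork() is free to
        // cancel its timer or drop other references; our refs keep each Timer
        // alive until the loop has finished with it.
        std::vector<std::shared_ptr<Timer>> toRun = std::move(vm->scheduledTimers);
        vm->scheduledTimers.clear();
        for (const std::shared_ptr<Timer>& timer : toRun)
            timer->doWork();
        return static_cast<int>(toRun.size());
    }
};

// The race from the entry: the VM (and, transitively, the timer) is destroyed
// before the callback gets in. The callback must not run, and the Timer must
// have been freed exactly once, with no work executed afterwards.
bool destroyedVMIsDetected() {
    Manager manager;
    auto vm = std::make_shared<VM>();
    std::weak_ptr<VM> weakVM = vm;
    manager.scheduleTimer(*vm, std::make_shared<Timer>());
    const int before = Timer::destroyedCount();
    vm.reset();                                     // another thread destroys the VM
    return manager.timerDidFire(weakVM) == 0 && Timer::destroyedCount() == before + 1;
}

// A callback that drops the last outside reference to its own timer while
// running. With the Manager's +1 ref this is safe; without it, the call to
// Timer::doWork() after owner->reset() would be a use-after-free.
struct SelfReleasingTimer : Timer {
    std::shared_ptr<Timer>* owner;
    explicit SelfReleasingTimer(std::shared_ptr<Timer>* o) : owner(o) {}
    void doWork() override {
        owner->reset();
        Timer::doWork();                            // still alive: Manager holds +1
    }
};

bool callbackSurvivesOwnerDroppingRef() {
    Manager manager;
    auto vm = std::make_shared<VM>();
    std::shared_ptr<Timer> owner;
    owner = std::make_shared<SelfReleasingTimer>(&owner);
    manager.scheduleTimer(*vm, owner);
    const int before = Timer::destroyedCount();
    const int ran = manager.timerDidFire(vm);
    // The work ran, the owner's ref is gone, and the Timer was freed only once
    // the Manager released its own ref at the end of timerDidFire().
    return ran == 1 && !owner && Timer::destroyedCount() == before + 1;
}
```

The two scenarios separate the two guarantees the entry states: the weak VM lookup still detects and bails on a destroyed VM, and the strong ref taken before the loop is what makes "callback after the timer is destroyed" impossible rather than merely unlikely.
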
1631 2018-08-20  Saam barati  <sbarati@apple.com>
1632
1633         Inline DataView accesses into DFG/FTL
1634         https://bugs.webkit.org/show_bug.cgi?id=188573
1635         <rdar://problem/43286746>
1636
1637         Reviewed by Michael Saboff.
1638
1639         This patch teaches the DFG/FTL to inline DataView accesses. The approach is
1640         straightforward. We inline the various get*/set* operations as intrinsics.
1641         
1642         This patch takes the most obvious approach for now. We OSR exit when:
1643         - An isLittleEndian argument is provided, and is not a boolean.
1644         - The index isn't an integer.
1645         - The |this| isn't a DataView.
1646         - We do an OOB access (or see a neutered array)
1647         
1648         To implement this change in a performant way, this patch teaches the macro
1649         assembler how to emit byte swap operations. The semantics of the added functions
1650         are byteSwap + zero extend. This means for the 16bit byte swaps, we need
1651         to actually emit zero extend instructions. For the 32/64bit byte swaps,
1652         the instructions already have these semantics.
1653         
1654         This patch is just a lightweight initial implementation. There are some easy
1655         extensions we can do in future changes:
1656         - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
1657         - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
1658
1659         * assembler/MacroAssemblerARM64.h:
1660         (JSC::MacroAssemblerARM64::byteSwap16):
1661         (JSC::MacroAssemblerARM64::byteSwap32):
1662         (JSC::MacroAssemblerARM64::byteSwap64):
1663         * assembler/MacroAssemblerX86Common.h:
1664         (JSC::MacroAssemblerX86Common::byteSwap32):
1665         (JSC::MacroAssemblerX86Common::byteSwap16):
1666         (JSC::MacroAssemblerX86Common::byteSwap64):
1667         * assembler/X86Assembler.h:
1668         (JSC::X86Assembler::bswapl_r):
1669         (JSC::X86Assembler::bswapq_r):
1670         (JSC::X86Assembler::shiftInstruction16):
1671         (JSC::X86Assembler::rolw_i8r):
1672         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1673         * assembler/testmasm.cpp:
1674         (JSC::testByteSwap):
1675         (JSC::run):
1676         * bytecode/DataFormat.h:
1677         * bytecode/SpeculatedType.cpp:
1678         (JSC::dumpSpeculation):
1679         (JSC::speculationFromClassInfo):
1680         (JSC::speculationFromJSType):
1681         (JSC::speculationFromString):
1682         * bytecode/SpeculatedType.h:
1683         * dfg/DFGAbstractInterpreterInlines.h:
1684         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1685         * dfg/DFGByteCodeParser.cpp:
1686         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1687         * dfg/DFGClobberize.h:
1688         (JSC::DFG::clobberize):
1689         * dfg/DFGDoesGC.cpp:
1690         (JSC::DFG::doesGC):
1691         * dfg/DFGFixupPhase.cpp:
1692         (JSC::DFG::FixupPhase::fixupNode):
1693         * dfg/DFGNode.h:
1694         (JSC::DFG::Node::hasHeapPrediction):
1695         (JSC::DFG::Node::dataViewData):
1696         * dfg/DFGNodeType.h:
1697         * dfg/DFGPredictionPropagationPhase.cpp:
1698         * dfg/DFGSafeToExecute.h:
1699         (JSC::DFG::SafeToExecuteEdge::operator()):
1700         (JSC::DFG::safeToExecute):
1701         * dfg/DFGSpeculativeJIT.cpp:
1702         (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
1703         (JSC::DFG::SpeculativeJIT::speculate):
1704         * dfg/DFGSpeculativeJIT.h:
1705         * dfg/DFGSpeculativeJIT32_64.cpp:
1706         (JSC::DFG::SpeculativeJIT::compile):
1707         * dfg/DFGSpeculativeJIT64.cpp:
1708         (JSC::DFG::SpeculativeJIT::compile):
1709         * dfg/DFGUseKind.cpp:
1710         (WTF::printInternal):
1711         * dfg/DFGUseKind.h:
1712         (JSC::DFG::typeFilterFor):
1713         (JSC::DFG::isCell):
1714         * ftl/FTLCapabilities.cpp:
1715         (JSC::FTL::canCompile):
1716         * ftl/FTLLowerDFGToB3.cpp:
1717         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1718         (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
1719         (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
1720         (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
1721         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
1722         (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
1723         (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
1724         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1725         (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
1726         * runtime/Intrinsic.cpp:
1727         (JSC::intrinsicName):
1728         * runtime/Intrinsic.h:
1729         * runtime/JSDataViewPrototype.cpp:
1730
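The byte-swap semantics and the memory-related exit conditions from the entry above, as an added example that is not the DFG/FTL or macro assembler code: helpers that swap and zero-extend (showing why the 16-bit case needs the explicit zero-extension), and a DataView read that refuses neutered buffers and out-of-bounds indices before touching memory. `DataView`, `dataViewGet`, the helper names and the sample bytes are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not the DFG/FTL code: the byte-swap semantics the entry gives
// (swap + zero-extend) and the guards the inlined DataView access performs
// before reading memory.

// A 16-bit swap done with a 16-bit rotate on a 32-bit register leaves the upper
// half of the register untouched, so the JIT must zero-extend explicitly.
// This is what a bare 16-bit `rol $8` would leave behind:
constexpr uint32_t rotateLow16Only(uint32_t value) {
    return (value & 0xffff0000u) | ((value & 0xffu) << 8) | ((value >> 8) & 0xffu);
}

// The helper semantics from the entry: swap, and the result is zero-extended.
constexpr uint32_t byteSwap16(uint32_t value) {
    return ((value & 0xffu) << 8) | ((value >> 8) & 0xffu);
}
constexpr uint32_t byteSwap32(uint32_t value) {
    return (value >> 24) | ((value >> 8) & 0x0000ff00u) | ((value << 8) & 0x00ff0000u) | (value << 24);
}
constexpr uint64_t byteSwap64(uint64_t value) {
    return (static_cast<uint64_t>(byteSwap32(static_cast<uint32_t>(value))) << 32)
         | byteSwap32(static_cast<uint32_t>(value >> 32));
}

inline uint16_t swapBytes(uint16_t v) { return static_cast<uint16_t>(byteSwap16(v)); }
inline uint32_t swapBytes(uint32_t v) { return byteSwap32(v); }
inline uint64_t swapBytes(uint64_t v) { return byteSwap64(v); }

inline bool hostIsLittleEndian() {
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// A view over a buffer that may have been neutered (detached): buffer == nullptr.
struct DataView {
    const std::vector<uint8_t>* buffer;
    size_t byteOffset;
    size_t byteLength;
};

// Mirrors the exit conditions in the entry that concern memory: a neutered
// buffer or an out-of-bounds index returns false (where the JIT would OSR exit
// to the generic path, which throws) and reads nothing.
template <typename T>
bool dataViewGet(const DataView& view, size_t index, bool littleEndian, T& out) {
    if (!view.buffer)
        return false;
    if (index > view.byteLength || view.byteLength - index < sizeof(T))
        return false;                                   // overflow-safe bounds check
    T raw;
    std::memcpy(&raw, view.buffer->data() + view.byteOffset + index, sizeof(T));
    out = (littleEndian == hostIsLittleEndian()) ? raw : swapBytes(raw);
    return true;
}

// Constructed sample: nine bytes 0x01..0x09; a view over it below skips the first.
inline std::vector<uint8_t> sampleBytes() {
    return {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09};
}
```

The bounds check is written as `byteLength - index < sizeof(T)` after rejecting `index > byteLength`, so a huge index cannot wrap `index + sizeof(T)` around and slip past the test; the neutered check comes first because a detached buffer has no data pointer to read from at all.
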
1731 2018-08-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1732
1733         [YARR] Extend size of fixed characters bulk matching in 64bit platform
1734         https://bugs.webkit.org/show_bug.cgi?id=181989
1735
1736         Reviewed by Michael Saboff.
1737
1738         This patch extends bulk matching style for fixed-sized characters.
1739         In a 64-bit environment, the GPR can hold up to 8 characters. This change
1740         reduces the code size since we can fuse multiple `mov` operations into one.
1741
1742         * assembler/LinkBuffer.h:
1743         * runtime/Options.h:
1744         * yarr/YarrJIT.cpp:
1745         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1746         (JSC::Yarr::YarrGenerator::compile):
1747
1748 2018-08-20  Devin Rousso  <drousso@apple.com>
1749
1750         Web Inspector: allow breakpoints to be set for specific event listeners
1751         https://bugs.webkit.org/show_bug.cgi?id=183138
1752
1753         Reviewed by Joseph Pecoraro.
1754
1755         * inspector/protocol/DOM.json:
1756         Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
1757         takes an `eventListenerId` and toggles whether that specific usage of that event listener
1758         should have a breakpoint and pause before running.
1759
1760 2018-08-20  Mark Lam  <mark.lam@apple.com>
1761
1762         Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
1763         https://bugs.webkit.org/show_bug.cgi?id=188769
1764
1765         Reviewed by Michael Saboff.
1766
1767         * llint/LowLevelInterpreter.asm:
1768         - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
1769           so that libunwind doesn't get confused by the 2 labels pointing to the same
1770           code address.
1771
1772 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1773
1774         [GLIB] Add API to throw exceptions using printf formatted strings
1775         https://bugs.webkit.org/show_bug.cgi?id=188698
1776
1777         Reviewed by Michael Catanzaro.
1778
1779         Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
1780         JSCException using printf formatted string.
1781
1782         * API/glib/JSCContext.cpp:
1783         (jsc_context_throw_printf):
1784         (jsc_context_throw_with_name_printf):
1785         * API/glib/JSCContext.h:
1786         * API/glib/JSCException.cpp:
1787         (jsc_exception_new_printf):
1788         (jsc_exception_new_vprintf):
1789         (jsc_exception_new_with_name_printf):
1790         (jsc_exception_new_with_name_vprintf):
1791         * API/glib/JSCException.h:
1792         * API/glib/docs/jsc-glib-4.0-sections.txt:
1793
1794 2018-08-19  Carlos Garcia Campos  <cgarcia@igalia.com>
1795
1796         [GLIB] Complete the JSCException API
1797         https://bugs.webkit.org/show_bug.cgi?id=188695
1798
1799         Reviewed by Michael Catanzaro.
1800
1801         Add more API to JSCException:
1802          - New function to get the column number
1803          - New function to get the exception as a string (toString())
1804          - Add the possibility to create exceptions with a custom error name.
1805          - New function to get the exception error name
1806          - New function to get the exception backtrace.
1807          - New convenience function to report an exception by returning a formatted string with all the exception
1808            details, to be shown as a user error message.
1809
1810         * API/glib/JSCContext.cpp:
1811         (jsc_context_throw_with_name):
1812         * API/glib/JSCContext.h:
1813         * API/glib/JSCException.cpp:
1814         (jscExceptionEnsureProperties):
1815         (jsc_exception_new):
1816         (jsc_exception_new_with_name):
1817         (jsc_exception_get_name):
1818         (jsc_exception_get_column_number):
1819         (jsc_exception_get_back_trace_string):
1820         (jsc_exception_to_string):
1821         (jsc_exception_report):
1822         * API/glib/JSCException.h:
1823         * API/glib/docs/jsc-glib-4.0-sections.txt:
1824
1825 2018-08-19  Commit Queue  <commit-queue@webkit.org>
1826
1827         Unreviewed, rolling out r234852.
1828         https://bugs.webkit.org/show_bug.cgi?id=188736
1829
1830         Workaround is not correct (Requested by yusukesuzuki on
1831         #webkit).
1832
1833         Reverted changeset:
1834
1835         "[JSC] Should not rotate constant with 64"
1836         https://bugs.webkit.org/show_bug.cgi?id=188556
1837         https://trac.webkit.org/changeset/234852
1838
1839 2018-08-19  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1840
1841         [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
1842         https://bugs.webkit.org/show_bug.cgi?id=188716
1843
1844         Reviewed by Darin Adler.
1845
1846         Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
1847         The compiler can emit appropriate mov operations on x86 even if we use these
1848         helper functions.
1849
1850         * assembler/AssemblerBuffer.h:
1851         (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
1852         (JSC::AssemblerBuffer::putIntegral):
1853         (JSC::AssemblerBuffer::putIntegralUnchecked):
1854         * assembler/MacroAssemblerX86.h:
1855         (JSC::MacroAssemblerX86::readCallTarget):
1856         * assembler/X86Assembler.h:
1857         (JSC::X86Assembler::linkJump):
1858         (JSC::X86Assembler::readPointer):
1859         (JSC::X86Assembler::replaceWithHlt):
1860         (JSC::X86Assembler::replaceWithJump):
1861         (JSC::X86Assembler::setPointer):
1862         (JSC::X86Assembler::setInt32):
1863         (JSC::X86Assembler::setInt8):
1864         * interpreter/InterpreterInlines.h:
1865         (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
1866
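Unaligned access without undefined behaviour, as an added example that is not WTF's implementation: `memcpy` into a local of the target type, used to patch a 32-bit immediate at an odd code offset the way the assembler call sites in this entry do. The same helper then carries a sketch of the YARR idea from the entry further up (several single-character compares fused into one register-wide load and compare); that part is an illustration, not the YarrJIT code. All names here, and the sample strings, are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <type_traits>

// Added example, not WTF's or YarrJIT's implementation. memcpy into a local of
// the target type is the standard way to express an unaligned access without
// undefined behaviour; compilers fold it into a single (unaligned) mov on x86,
// which is what the entry relies on.

template <typename T>
inline T unalignedLoad(const void* pointer) {
    static_assert(std::is_trivially_copyable<T>::value, "unalignedLoad needs a trivially copyable type");
    T value;
    std::memcpy(&value, pointer, sizeof(T));
    return value;
}

template <typename T>
inline void unalignedStore(void* pointer, T value) {
    static_assert(std::is_trivially_copyable<T>::value, "unalignedStore needs a trivially copyable type");
    std::memcpy(pointer, &value, sizeof(T));
}

// Patch / read a 32-bit immediate at an arbitrary (typically odd) code offset,
// the way an assembler repairs a jump target or embedded constant. Casting the
// byte pointer to int32_t* and dereferencing it is the misaligned access UBSan reports.
inline void setInt32At(uint8_t* code, size_t offset, int32_t value) {
    unalignedStore<int32_t>(code + offset, value);
}
inline int32_t readInt32At(const uint8_t* code, size_t offset) {
    return unalignedLoad<int32_t>(code + offset);
}

// Up to 8 Latin-1 characters packed in memory order, plus a mask selecting the
// bytes that are present. Longer fixed runs would take a second compare.
struct PackedChars {
    uint64_t value;
    uint64_t mask;
    size_t length;
};

inline PackedChars packChars(const std::string& pattern) {
    PackedChars packed{0, 0, pattern.size() < 8 ? pattern.size() : 8};
    uint8_t valueBytes[8] = {0};
    uint8_t maskBytes[8] = {0};
    std::memcpy(valueBytes, pattern.data(), packed.length);
    std::memset(maskBytes, 0xff, packed.length);
    // Building value and mask in memory order keeps this independent of host endianness.
    packed.value = unalignedLoad<uint64_t>(valueBytes);
    packed.mask = unalignedLoad<uint64_t>(maskBytes);
    return packed;
}

// Does `subject` contain the packed run at `position`? One 8-byte load and one
// masked compare replace up to 8 byte compares. Near the end of the subject the
// load is taken from a zero-padded copy so it never reads past the buffer.
inline bool matchFixedChars(const std::string& subject, size_t position, const PackedChars& packed) {
    if (position > subject.size() || subject.size() - position < packed.length)
        return false;
    const size_t available = subject.size() - position;
    uint64_t window;
    if (available >= 8) {
        window = unalignedLoad<uint64_t>(subject.data() + position);   // the fused fast path
    } else {
        uint8_t padded[8] = {0};
        std::memcpy(padded, subject.data() + position, available);
        window = unalignedLoad<uint64_t>(padded);
    }
    return (window & packed.mask) == packed.value;
}
```

`subject.data() + position` is almost never 8-byte aligned, which is exactly why the fused compare has to go through `unalignedLoad` rather than a `uint64_t*` cast; the JIT gets the same effect for free because x86 `mov` tolerates misalignment, but the C++ that emits and patches that code does not.
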
1867 2018-08-17  Saam barati  <sbarati@apple.com>
1868
1869         intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
1870         https://bugs.webkit.org/show_bug.cgi?id=188707
1871         <rdar://problem/43015442>
1872
1873         Reviewed by Mark Lam.
1874
1875         We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
1876         OSR enter at the head of a block. We verify it's safe to OSR enter by checking
1877         that each incoming value is compatible with its corresponding AbstractValue.
1878         
1879         The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
1880         with abstract values that were clobbered. This meant that the value we're
1881         verifying with at OSR entry effectively has an infinite structure set because
1882         it's clobbered. So, imagine we have code like this:
1883         ```
1884         ---> We OSR enter here, and we're clobbered here
1885         InvalidationPoint
1886         GetByOffset(@base)
1887         ```
1888         
1889         The abstract value for @base inside intersectionOfPastValuesAtHead has a
1890         clobbered structure set, so we'd allow an incoming object with any
1891         structure. However, this is wrong because the invalidation point is no
1892         longer fulfilling its promise that it filters the structure that @base has.
1893         
1894         We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
1895         as if the incoming value may be live past an InvalidationPoint.
1896         This places a stricter requirement that to safely OSR enter at any basic
1897         block, all incoming values must be compatible as if they lived past
1898         the execution of an invalidation point.
1899
1900         * dfg/DFGCFAPhase.cpp:
1901         (JSC::DFG::CFAPhase::run):
1902
1903 2018-08-17  Yusuke Suzuki  <yusukesuzuki@slowstart.org> and Fujii Hironori  <Hironori.Fujii@sony.com>
1904
1905         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
1906         https://bugs.webkit.org/show_bug.cgi?id=188589
1907
1908         Reviewed by Mark Lam.
1909         And reviewed by Yusuke Suzuki for Hironori's change.
1910
1911         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
1912         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
1913
1914         - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
1915         - We make GPRReg and FPRReg int8_t enums.
1916         - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
1917         - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
1918           if `enum : int8_t` is used instead of `enum`.
1919
1920         * assembler/ARM64Assembler.h:
1921         * assembler/ARMAssembler.h:
1922         * assembler/ARMv7Assembler.h:
1923         * assembler/MIPSAssembler.h:
1924         * assembler/MacroAssembler.h:
1925         * assembler/X86Assembler.h:
1926         * jit/CCallHelpers.h:
1927         (JSC::CCallHelpers::clampArrayToSize):
1928         * jit/FPRInfo.h:
1929         * jit/GPRInfo.h:
1930         (JSC::JSValueRegs::JSValueRegs):
1931         (JSC::JSValueRegs::tagGPR const):
1932         (JSC::JSValueRegs::payloadGPR const):
1933         (JSC::JSValueSource::JSValueSource):
1934         (JSC::JSValueSource::unboxedCell):
1935         (JSC::JSValueSource::operator bool const):
1936         (JSC::JSValueSource::base const):
1937         (JSC::JSValueSource::tagGPR const):
1938         (JSC::JSValueSource::payloadGPR const):
1939         (JSC::JSValueSource::hasKnownTag const):
1940
1941 2018-08-16  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1942
1943         [JSC] alignas for RegisterState should respect alignof(RegisterState) too
1944         https://bugs.webkit.org/show_bug.cgi?id=188686
1945
1946         Reviewed by Saam Barati.
1947
1948         RegisterState would have a larger alignment than `alignof(void*)`. We use the larger alignment value
1949         as the `alignof` for RegisterState.
1950
1951         * heap/RegisterState.h:
1952
1953 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
1954
1955         [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
1956         https://bugs.webkit.org/show_bug.cgi?id=188571
1957
1958         Reviewed by Saam Barati.
1959
1960         UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
1961         allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
1962         without considering their alignment. This patch adds DisjunctionContext::allocationSize
1963         and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
1964         The size is always rounded to `sizeof(void*)` so that these classes are always allocated
1965         with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
1966         than or equal to `sizeof(void*)` by `static_assert`.
1967
1968         * yarr/YarrInterpreter.cpp:
1969         (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
1970         (JSC::Yarr::Interpreter::allocDisjunctionContext):
1971         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
1972         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
1973         (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
1974         (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
1975         (JSC::Yarr::Interpreter::Interpreter):
1976         (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
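
        As an added illustration of the alignment problem this entry describes (example code, not JSC's YarrInterpreter or BumpPointerAllocator): a toy bump allocator hands out blocks back to back, so a context whose raw size is not a multiple of sizeof(void*) leaves the next allocation misaligned unless allocationSize rounds up. The two struct layouts are illustrative stand-ins, and a 64-bit target is assumed.

```cpp
#include <cstddef>
#include <cstdint>

// Toy bump allocator (not JSC's): blocks are carved out of one buffer back to
// back, so each block's size decides where, and how aligned, the next one is.
class BumpPointerAllocator {
public:
    void* alloc(size_t size)
    {
        if (m_offset + size > sizeof(m_storage))
            return nullptr;
        void* block = m_storage + m_offset;
        m_offset += size;
        return block;
    }
private:
    alignas(sizeof(void*)) uint8_t m_storage[1024];
    size_t m_offset { 0 };
};

// Round a byte count up to the next multiple of sizeof(void*).
constexpr size_t roundUpToPointerSize(size_t size)
{
    return (size + sizeof(void*) - 1) & ~(sizeof(void*) - 1);
}

// Stand-in for DisjunctionContext: a small header plus a variable number of
// 4-byte frame slots, so its raw size is frequently not a multiple of 8.
struct DisjunctionContext {
    unsigned term;
    unsigned matchBegin;
    unsigned matchEnd;
    unsigned frames[1]; // variable-length tail, sized via allocationSize()

    static size_t rawSize(unsigned numberOfFrames)
    {
        return offsetof(DisjunctionContext, frames) + sizeof(unsigned) * numberOfFrames;
    }
    // The fix from the entry above: round so the *next* block stays pointer-aligned.
    static size_t allocationSize(unsigned numberOfFrames)
    {
        return roundUpToPointerSize(rawSize(numberOfFrames));
    }
};
static_assert(alignof(DisjunctionContext) <= sizeof(void*), "rounding to sizeof(void*) would not suffice");

// Stand-in for ParenthesesDisjunctionContext: it holds a pointer, so placing it
// at an offset that is not a multiple of sizeof(void*) is a misaligned access.
struct ParenthesesDisjunctionContext {
    unsigned* subpatternBackup;
    unsigned lastNestedBacktrack;
};
static_assert(alignof(ParenthesesDisjunctionContext) <= sizeof(void*), "rounding to sizeof(void*) would not suffice");

static bool isAligned(const void* pointer, size_t alignment)
{
    return reinterpret_cast<uintptr_t>(pointer) % alignment == 0;
}

// Allocate a DisjunctionContext of `firstBlockSize` bytes, then a
// ParenthesesDisjunctionContext right behind it, and report whether the
// second block is correctly aligned for its type.
static bool secondBlockIsAligned(size_t firstBlockSize)
{
    BumpPointerAllocator allocator;
    void* first = allocator.alloc(firstBlockSize);
    void* second = allocator.alloc(sizeof(ParenthesesDisjunctionContext));
    return first && second && isAligned(second, alignof(ParenthesesDisjunctionContext));
}
```

        With two frame slots the raw size is 20 bytes, so the next block lands at offset 20; the rounded size of 24 keeps it at a pointer-aligned offset.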
1977
1978 2018-08-15  Keith Miller  <keith_miller@apple.com>
1979
1980         Remove evernote hacks
1981         https://bugs.webkit.org/show_bug.cgi?id=188591
1982
1983         Reviewed by Joseph Pecoraro.
1984
1985         The hack was added in 2012 and the evernote app seems to work now.
1986         It's probably not needed anymore.
1987
1988         * API/JSValueRef.cpp:
1989         (JSValueUnprotect):
1990         (evernoteHackNeeded): Deleted.
1991
1992 2018-08-14  Fujii Hironori  <Hironori.Fujii@sony.com>
1993
1994         Unreviewed, rolling out r234874 and r234876.
1995
1996         WinCairo port can't compile
1997
1998         Reverted changesets:
1999
2000         "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
2001         https://bugs.webkit.org/show_bug.cgi?id=188589
2002         https://trac.webkit.org/changeset/234874
2003
2004         "Unreviewed, attempt to fix CLoop build"
2005         https://bugs.webkit.org/show_bug.cgi?id=188589
2006         https://trac.webkit.org/changeset/234876
2007
2008 2018-08-14  Saam barati  <sbarati@apple.com>
2009
2010         HashMap<Ref<P>, V> asserts when V is not zero for its empty value
2011         https://bugs.webkit.org/show_bug.cgi?id=188582
2012
2013         Reviewed by Sam Weinig.
2014
2015         * runtime/SparseArrayValueMap.h:
2016
2017 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2018
2019         Unreviewed, attempt to fix CLoop build
2020         https://bugs.webkit.org/show_bug.cgi?id=188589
2021
2022         * assembler/MacroAssembler.h:
2023
2024 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2025
2026         [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
2027         https://bugs.webkit.org/show_bug.cgi?id=188589
2028
2029         Reviewed by Mark Lam.
2030
2031         Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
2032         UBSan dumps a bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
2033
2034         1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
2035         2. We make GPRReg and FPRReg int8_t enums.
2036         3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` with `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
2037
2038         * assembler/ARM64Assembler.h:
2039         * assembler/ARMAssembler.h:
2040         * assembler/ARMv7Assembler.h:
2041         * assembler/MIPSAssembler.h:
2042         * assembler/X86Assembler.h:
2043         * jit/FPRInfo.h:
2044         * jit/GPRInfo.h:
2045         (JSC::JSValueRegs::JSValueRegs):
2046         (JSC::JSValueRegs::tagGPR const):
2047         (JSC::JSValueRegs::payloadGPR const):
2048         (JSC::JSValueSource::JSValueSource):
2049         (JSC::JSValueSource::unboxedCell):
2050         (JSC::JSValueSource::operator bool const):
2051         (JSC::JSValueSource::base const):
2052         (JSC::JSValueSource::tagGPR const):
2053         (JSC::JSValueSource::payloadGPR const):
2054         (JSC::JSValueSource::hasKnownTag const):
2055
2056 2018-08-14  Keith Miller  <keith_miller@apple.com>
2057
2058         Add missing availability macro.
2059         https://bugs.webkit.org/show_bug.cgi?id=188563
2060
2061         Reviewed by Mark Lam.
2062
2063         * API/JSValueRef.h:
2064
2065 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2066
2067         [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
2068         https://bugs.webkit.org/show_bug.cgi?id=188560
2069
2070         Reviewed by Keith Miller.
2071
2072         While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
2073         it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
2074         uninitialized member field is caught by UBSan. This patch fixes it by adding an initializer
2075         `m_wasSeenInJIT { false }`.
2076
2077         * bytecode/GetByIdStatus.h:
2078
2079 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2080
2081         [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
2082         https://bugs.webkit.org/show_bug.cgi?id=188557
2083
2084         Reviewed by Mark Lam.
2085
2086         DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
2087         processing the invariants of ArithRound etc. requires loading `m_pass`. This issue was found
2088         in UBSan's results.
2089
2090         * dfg/DFGPredictionPropagationPhase.cpp:
2091
2092 2018-08-14  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2093
2094         [JSC] Should not rotate constant with 64
2095         https://bugs.webkit.org/show_bug.cgi?id=188556
2096
2097         Reviewed by Mark Lam.
2098
2099         To defend against JIT spraying, we rotate a constant with a randomly generated seed.
2100         But if a seed becomes 64, the following code performs `value << 64` where value's type
2101         is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
2102         range of [0, 64) not to generate code causing UBs. This is found by UBSan.
2103
2104         * assembler/MacroAssembler.h:
2105         (JSC::MacroAssembler::generateRotationSeed):
2106         (JSC::MacroAssembler::rotationBlindConstant):
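
        An added example of the rotation-based constant blinding this entry describes, with the seed kept in [0, 64) (example code, not JSC's MacroAssembler; the function names, the BlindedConstant struct and the idea of passing the random bits in as a parameter are mine):

```cpp
#include <cstdint>

// Derive a rotation seed from a random word. Masking keeps it in [0, 64):
// a seed of exactly 64 would make the shifts below undefined behaviour.
static unsigned generateRotationSeed(uint64_t randomBits)
{
    return static_cast<unsigned>(randomBits & 63);
}

// Rotate-left that is defined for every seed in [0, 64). Without the early
// return, seed 0 would evaluate `value >> 64`, which is UB just like `value << 64`.
static uint64_t rotateLeft64(uint64_t value, unsigned seed)
{
    if (!seed)
        return value;
    return (value << seed) | (value >> (64 - seed));
}

static uint64_t rotateRight64(uint64_t value, unsigned seed)
{
    if (!seed)
        return value;
    return (value >> seed) | (value << (64 - seed));
}

// What ends up in the emitted code: the rotated constant plus the seed, so the
// attacker-chosen bit pattern never appears verbatim in executable memory.
struct BlindedConstant {
    uint64_t blinded;
    unsigned seed;
};

static BlindedConstant blindConstant(uint64_t value, uint64_t randomBits)
{
    unsigned seed = generateRotationSeed(randomBits);
    return { rotateLeft64(value, seed), seed };
}

// The consuming side undoes the rotation; a real JIT does this with a rotate
// instruction at run time rather than a C++ call.
static uint64_t unblindConstant(const BlindedConstant& constant)
{
    return rotateRight64(constant.blinded, constant.seed);
}

// Exhaustive check over every seed the generator can produce.
static bool allSeedsRoundTrip(uint64_t value)
{
    for (uint64_t randomBits = 0; randomBits < 64; ++randomBits) {
        if (unblindConstant(blindConstant(value, randomBits)) != value)
            return false;
    }
    return true;
}
```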
2107
2108 2018-08-12  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2109
2110         Disable JIT on IA-32 without SSE2
2111         https://bugs.webkit.org/show_bug.cgi?id=188476
2112
2113         Reviewed by Michael Catanzaro.
2114
2115         Including the missing header (MacroAssembler.h) for operating systems other
2116         than Windows too.
2117
2118         * runtime/Options.cpp:
2119
2120 2018-08-11  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2121
2122         Disable JIT on IA-32 without SSE2
2123         https://bugs.webkit.org/show_bug.cgi?id=188476
2124
2125         Reviewed by Yusuke Suzuki.
2126
2127         On IA-32 CPUs without SSE2 most of the webpages cannot load
2128         if the JIT is turned on.
2129
2130         * runtime/Options.cpp:
2131         (JSC::recomputeDependentOptions):
2132
2133 2018-08-10  Joseph Pecoraro  <pecoraro@apple.com>
2134
2135         Web Inspector: console.log fires getters for deep properties
2136         https://bugs.webkit.org/show_bug.cgi?id=187542
2137         <rdar://problem/42873158>
2138
2139         Reviewed by Saam Barati.
2140
2141         * inspector/InjectedScriptSource.js:
2142         (RemoteObject.prototype._isPreviewableObject):
2143         Avoid getters/setters when checking for simple properties to preview.
2144         Here we avoid invoking `object[property]` if it could be a user getter.
2145
2146 2018-08-10  Keith Miller  <keith_miller@apple.com>
2147
2148         Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
2149         https://bugs.webkit.org/show_bug.cgi?id=185127
2150
2151         Reviewed by Saam Barati.
2152
2153         Previously, we would truncate the indices passed to slice to an
2154         int. This meant that the value was not getting properly clamped
2155         later.
2156
2157         This patch also removes a non-spec compliant check that slice was
2158         passed at least one argument.
2159
2160         * runtime/ArrayBuffer.cpp:
2161         (JSC::ArrayBuffer::clampValue):
2162         (JSC::ArrayBuffer::clampIndex const):
2163         (JSC::ArrayBuffer::slice const):
2164         * runtime/ArrayBuffer.h:
2165         (JSC::ArrayBuffer::clampValue): Deleted.
2166         (JSC::ArrayBuffer::clampIndex const): Deleted.
2167         * runtime/JSArrayBufferPrototype.cpp:
2168         (JSC::arrayBufferProtoFuncSlice):
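
        An added example of the truncation bug this entry describes, in C++ (not JSC's ArrayBuffer code; the names clampIndexBuggy, clampIndexFixed and sliceLength, and the JS-style ToInt32 stand-in, are mine): narrowing the index before clamping lets a value like 2^32 wrap to 0, so the clamp never sees the real index.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>

// JS ToInt32: truncate, then wrap modulo 2^32. Done via fmod so it is well
// defined, unlike a raw double-to-int cast of an out-of-range value (UB).
static int32_t toInt32(double value)
{
    if (std::isnan(value) || std::isinf(value))
        return 0;
    double wrapped = std::fmod(std::trunc(value), 4294967296.0);
    if (wrapped < 0)
        wrapped += 4294967296.0;
    return static_cast<int32_t>(static_cast<uint32_t>(wrapped));
}

// Before the fix (as described above): the index is narrowed to an int first,
// so 2^32 becomes 0 and the clamp below clamps the wrong value.
// Assumes byteLength <= INT_MAX, as ArrayBuffer lengths are here.
static unsigned clampIndexBuggy(double index, unsigned byteLength)
{
    int i = toInt32(index);
    if (i < 0)
        return static_cast<unsigned>(std::max(static_cast<int>(byteLength) + i, 0));
    return static_cast<unsigned>(std::min(i, static_cast<int>(byteLength)));
}

// After the fix: clamp while the value is still a double, then narrow.
// Mirrors the spec's relativeStart/relativeEnd handling, including NaN -> 0.
static unsigned clampIndexFixed(double index, unsigned byteLength)
{
    double length = byteLength;
    double i = std::isnan(index) ? 0 : std::trunc(index); // ToIntegerOrInfinity
    if (i < 0)
        i = std::max(length + i, 0.0);
    else
        i = std::min(i, length);
    return static_cast<unsigned>(i); // now guaranteed to be in [0, byteLength]
}

// byteLength of buffer.slice(begin, end) under either clamping policy.
using ClampIndex = unsigned (*)(double, unsigned);
static unsigned sliceLength(double begin, double end, unsigned byteLength, ClampIndex clamp)
{
    unsigned first = clamp(begin, byteLength);
    unsigned last = clamp(end, byteLength);
    return last > first ? last - first : 0;
}
```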
2169
2170 2018-08-10  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2171
2172         Date.UTC should not return NaN with only Year param
2173         https://bugs.webkit.org/show_bug.cgi?id=188378
2174
2175         Reviewed by Keith Miller.
2176
2177         Date.UTC requires one argument for |year|. But the other ones are optional.
2178         This patch fixes this handling.
2179
2180         * runtime/DateConstructor.cpp:
2181         (JSC::millisecondsFromComponents):
2182
2183 2018-08-08  Keith Miller  <keith_miller@apple.com>
2184
2185         Array.prototype.sort should call @toLength instead of ">>> 0"
2186         https://bugs.webkit.org/show_bug.cgi?id=188430
2187
2188         Reviewed by Saam Barati.
2189
2190         Also add a new function to $vm that will fetch a private
2191         property. This can be useful for running builtin helper functions.
2192
2193         * builtins/ArrayPrototype.js:
2194         (sort):
2195         * tools/JSDollarVM.cpp:
2196         (JSC::functionGetPrivateProperty):
2197         (JSC::JSDollarVM::finishCreation):
2198
2199 2018-08-08  Keith Miller  <keith_miller@apple.com>
2200
2201         Array.prototype.sort should throw TypeError if param is a not callable object
2202         https://bugs.webkit.org/show_bug.cgi?id=188382
2203
2204         Reviewed by Saam Barati.
2205
2206         Improve spec compatibility by checking if the Array.prototype.sort comparator is a function
2207         before doing anything else.
2208
2209         Also, refactor the various helper functions to use let instead of var.
2210
2211         * builtins/ArrayPrototype.js:
2212         (sort.stringComparator):
2213         (sort.compactSparse):
2214         (sort.compactSlow):
2215         (sort.compact):
2216         (sort.merge):
2217         (sort.mergeSort):
2218         (sort.bucketSort):
2219         (sort.comparatorSort):
2220         (sort.stringSort):
2221         (sort):
2222
2223 2018-08-08  Michael Saboff  <msaboff@apple.com>
2224
2225         Yarr JIT should include annotations with dumpDisassembly=true
2226         https://bugs.webkit.org/show_bug.cgi?id=188415
2227
2228         Reviewed by Yusuke Suzuki.
2229
2230         Created a YarrDisassembler class that handles annotations similar to the baseline JIT.
2231         Given that the Yarr creates matching code by going through the YarrPattern ops forward and
2232         then the backtracking code through the YarrPattern ops in reverse order, the disassembler
2233         needs to do the same thing.
2234
2235         Restructured some of the logging code in YarrPattern to eliminate redundant code and factor
2236         out simple methods for what was needed by the YarrDisassembler.
2237
2238         Here is an abbreviated sample of the output after this change.
2239
2240         Generated JIT code for 8-bit regular expression /ab*c/:
2241             Code at [0x469561c03720, 0x469561c03840):
2242                 0x469561c03720: push %rbp
2243                 0x469561c03721: mov %rsp, %rbp
2244                 ...
2245                 0x469561c03762: sub $0x40, %rsp
2246              == Matching ==
2247            0:OpBodyAlternativeBegin minimum size 2
2248                 0x469561c03766: add $0x2, %esi
2249                 0x469561c03769: cmp %edx, %esi
2250                 0x469561c0376b: ja 0x469561c037fa
2251            1:OpTerm TypePatternCharacter 'a'
2252                 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax
2253                 0x469561c03776: cmp $0x61, %eax
2254                 0x469561c03779: jnz 0x469561c037e9
2255            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2256                 0x469561c0377f: xor %r9d, %r9d
2257                 0x469561c03782: cmp %edx, %esi
2258                 0x469561c03784: jz 0x469561c037a2
2259                 ...
2260                 0x469561c0379d: jmp 0x469561c03782
2261                 0x469561c037a2: mov %r9, 0x8(%rsp)
2262            3:OpTerm TypePatternCharacter 'c'
2263                 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax
2264                 0x469561c037ac: cmp $0x63, %eax
2265                 0x469561c037af: jnz 0x469561c037d1
2266            4:OpBodyAlternativeEnd
2267                 0x469561c037b5: add $0x40, %rsp
2268                 ...
2269                 0x469561c037cf: pop %rbp
2270                 0x469561c037d0: ret
2271              == Backtracking ==
2272            4:OpBodyAlternativeEnd
2273            3:OpTerm TypePatternCharacter 'c'
2274            2:OpTerm TypePatternCharacter 'b' {0,...} greedy
2275                 0x469561c037d1: mov 0x8(%rsp), %r9
2276                 ...
2277                 0x469561c037e4: jmp 0x469561c037a2
2278            1:OpTerm TypePatternCharacter 'a'
2279            0:OpBodyAlternativeBegin minimum size 2
2280                 0x469561c037e9: mov %rsi, %rax
2281                 ...
2282                 0x469561c0382f: pop %rbp
2283                 0x469561c03830: ret
2284
2285         * JavaScriptCore.xcodeproj/project.pbxproj:
2286         * Sources.txt:
2287         * runtime/RegExp.cpp:
2288         (JSC::RegExp::compile):
2289         (JSC::RegExp::compileMatchOnly):
2290         * yarr/YarrDisassembler.cpp: Added.
2291         (JSC::Yarr::YarrDisassembler::indentString):
2292         (JSC::Yarr::YarrDisassembler::YarrDisassembler):
2293         (JSC::Yarr::YarrDisassembler::~YarrDisassembler):
2294         (JSC::Yarr::YarrDisassembler::dump):
2295         (JSC::Yarr::YarrDisassembler::dumpHeader):
2296         (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions):
2297         (JSC::Yarr::YarrDisassembler::dumpForInstructions):
2298         (JSC::Yarr::YarrDisassembler::dumpDisassembly):
2299         * yarr/YarrDisassembler.h: Added.
2300         (JSC::Yarr::YarrJITInfo::~YarrJITInfo):
2301         (JSC::Yarr::YarrDisassembler::setStartOfCode):
2302         (JSC::Yarr::YarrDisassembler::setForGenerate):
2303         (JSC::Yarr::YarrDisassembler::setForBacktrack):
2304         (JSC::Yarr::YarrDisassembler::setEndOfGenerate):
2305         (JSC::Yarr::YarrDisassembler::setEndOfBacktrack):
2306         (JSC::Yarr::YarrDisassembler::setEndOfCode):
2307         (JSC::Yarr::YarrDisassembler::indentString):
2308         * yarr/YarrJIT.cpp:
2309         (JSC::Yarr::YarrGenerator::generate):
2310         (JSC::Yarr::YarrGenerator::backtrack):
2311         (JSC::Yarr::YarrGenerator::YarrGenerator):
2312         (JSC::Yarr::YarrGenerator::compile):
2313         (JSC::Yarr::jitCompile):
2314         * yarr/YarrJIT.h:
2315         * yarr/YarrPattern.cpp:
2316         (JSC::Yarr::dumpCharacterClass):
2317         (JSC::Yarr::PatternTerm::dump):
2318         (JSC::Yarr::YarrPattern::dumpPatternString):
2319         (JSC::Yarr::YarrPattern::dumpPattern):
2320         * yarr/YarrPattern.h:
2321
2322 2018-08-05  Darin Adler  <darin@apple.com>
2323
2324         [Cocoa] More tweaks and refactoring to prepare for ARC
2325         https://bugs.webkit.org/show_bug.cgi?id=188245
2326
2327         Reviewed by Dan Bernstein.
2328
2329         * API/JSValue.mm: Use __unsafe_unretained.
2330         (JSContainerConvertor::convert): Use auto for compatibility with the above.
2331         * API/JSWrapperMap.mm:
2332         (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *.
2333         (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained.
2334
2335         * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h.
2336
2337 2018-08-07  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2338
2339         Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind
2340         https://bugs.webkit.org/show_bug.cgi?id=188328
2341
2342         Reviewed by Saam Barati.
2343
2344         Shrinking the size of PropertyCondition can improve memory consumption by a lot.
2345         For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint
2346         and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition
2347         as a member field.
2348
2349         This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and
2350         PropertyCondition::Kind into uint64_t data on 64-bit architectures. Since our addresses
2351         are within 48 bits, we can put PropertyCondition::Kind in these unused bits.
2352         To make it easy, we add WTF::CompactPointerTuple<PointerType, Type>, which automatically
2353         folds a pointer and a one-byte type into 64-bit data.
2354
2355         This change shrinks PropertyCondition from 24 bytes to 16 bytes.
2356
2357         * bytecode/PropertyCondition.cpp:
2358         (JSC::PropertyCondition::dumpInContext const):
2359         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2360         (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
2361         (JSC::PropertyCondition::isStillValid const):
2362         (JSC::PropertyCondition::isWatchableWhenValid const):
2363         * bytecode/PropertyCondition.h:
2364         (JSC::PropertyCondition::PropertyCondition):
2365         (JSC::PropertyCondition::presenceWithoutBarrier):
2366         (JSC::PropertyCondition::absenceWithoutBarrier):
2367         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2368         (JSC::PropertyCondition::equivalenceWithoutBarrier):
2369         (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
2370         (JSC::PropertyCondition::operator bool const):
2371         (JSC::PropertyCondition::kind const):
2372         (JSC::PropertyCondition::uid const):
2373         (JSC::PropertyCondition::hasOffset const):
2374         (JSC::PropertyCondition::hasAttributes const):
2375         (JSC::PropertyCondition::hasPrototype const):
2376         (JSC::PropertyCondition::hasRequiredValue const):
2377         (JSC::PropertyCondition::hash const):
2378         (JSC::PropertyCondition::operator== const):
2379         (JSC::PropertyCondition::isHashTableDeletedValue const):
2380         (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const):
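
        The pointer-and-byte packing this entry describes, as an added example (not WTF's CompactPointerTuple and not JSC's PropertyCondition; the two condition structs are illustrative stand-ins whose sizes happen to match the 24-to-16 byte shrink). It assumes an LP64 target whose user-space addresses fit in 48 bits.

```cpp
#include <cassert>
#include <cstdint>

// Packs a pointer and a one-byte type into one 64-bit word: the type lives in
// the top byte, the pointer must fit in the low 48 bits. Caveat: pointer
// tagging schemes such as arm64 pointer authentication also use the top bits,
// so such pointers would have to be stripped before being stored this way.
template<typename PointerType, typename Type>
class CompactPointerTuple {
    static_assert(sizeof(PointerType) == 8, "needs a 64-bit pointer");
    static_assert(sizeof(Type) == 1, "type must fit in one byte");
    static constexpr uint64_t pointerMask = (1ULL << 48) - 1;
    static constexpr unsigned typeShift = 56;
public:
    CompactPointerTuple() = default;
    CompactPointerTuple(PointerType pointer, Type type) { set(pointer, type); }

    PointerType pointer() const { return reinterpret_cast<PointerType>(m_data & pointerMask); }
    Type type() const { return static_cast<Type>(static_cast<uint8_t>(m_data >> typeShift)); }
    void setPointer(PointerType pointer) { set(pointer, type()); }
    void setType(Type type) { set(pointer(), type); }

private:
    void set(PointerType pointer, Type type)
    {
        uint64_t bits = reinterpret_cast<uint64_t>(pointer);
        assert(!(bits & ~pointerMask)); // the 48-bit address assumption must hold
        m_data = bits | (static_cast<uint64_t>(static_cast<uint8_t>(type)) << typeShift);
    }
    uint64_t m_data { 0 };
};

// Stand-ins for the members the entry talks about.
struct UniquedStringImpl { const char* characters; };
enum class Kind : uint8_t { Presence, Absence, AbsenceOfSetEffect, Equivalence, HasPrototype };

// Before: the pointer and a separately stored one-byte kind, padded to 24 bytes.
struct UnpackedCondition {
    UniquedStringImpl* uid;
    Kind kind;
    unsigned offset;
    unsigned attributes;
};

// After: the kind rides in the unused high byte of the pointer word, 16 bytes.
struct PackedCondition {
    CompactPointerTuple<UniquedStringImpl*, Kind> header;
    unsigned offset;
    unsigned attributes;
};

// Pointer and type must survive packing, a type update and a pointer update.
static bool roundTripWorks()
{
    static UniquedStringImpl foo { "foo" };
    static UniquedStringImpl bar { "bar" };
    CompactPointerTuple<UniquedStringImpl*, Kind> tuple(&foo, Kind::Equivalence);
    if (tuple.pointer() != &foo || tuple.type() != Kind::Equivalence)
        return false;
    tuple.setType(Kind::Absence);
    if (tuple.pointer() != &foo || tuple.type() != Kind::Absence)
        return false;
    tuple.setPointer(&bar);
    return tuple.pointer() == &bar && tuple.type() == Kind::Absence;
}
```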
2381
2382 2018-08-07  Mark Lam  <mark.lam@apple.com>
2383
2384         Use a more specific PtrTag for PlatformRegisters PC and LR.
2385         https://bugs.webkit.org/show_bug.cgi?id=188366
2386         <rdar://problem/42984123>
2387
2388         Reviewed by Keith Miller.
2389
2390         Also fixed a bug in linkRegister(), which was previously returning the PC instead
2391         of LR.  It now returns LR.
2392
2393         * runtime/JSCPtrTag.h:
2394         * runtime/MachineContext.h:
2395         (JSC::MachineContext::instructionPointer):
2396         (JSC::MachineContext::linkRegister):
2397         * runtime/VMTraps.cpp:
2398         (JSC::SignalContext::SignalContext):
2399         * tools/SigillCrashAnalyzer.cpp:
2400         (JSC::SignalContext::SignalContext):
2401
2402 2018-08-07  Karo Gyoker  <karogyoker2+webkit@gmail.com>
2403
2404         Hardcoded LFENCE instruction
2405         https://bugs.webkit.org/show_bug.cgi?id=188145
2406
2407         Reviewed by Filip Pizlo.
2408
2409         Remove the lfence instruction because it is crashing systems without SSE2 and
2410         this is not how WebKit mitigates Spectre.
2411
2412         * runtime/JSLock.cpp:
2413         (JSC::JSLock::didAcquireLock):
2414         (JSC::JSLock::willReleaseLock):
2415
2416 2018-08-04  David Kilzer  <ddkilzer@apple.com>
2417
2418         REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable
2419         <https://webkit.org/b/188331>
2420
2421         Reviewed by Yusuke Suzuki.
2422
2423         * runtime/TemplateObjectDescriptor.h:
2424         (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
2425         Use `m_rawstrings` instead of `rawStrings` to calculate hash.
2426
2427 2018-08-03  Saam Barati  <sbarati@apple.com>
2428
2429         Give the `jsc` shell the JIT entitlement
2430         https://bugs.webkit.org/show_bug.cgi?id=188324
2431         <rdar://problem/42885806>
2432
2433         Reviewed by Dan Bernstein.
2434
2435         This should help us in ensuring the system jsc is able to JIT.
2436
2437         * Configurations/JSC.xcconfig:
2438         * JavaScriptCore.xcodeproj/project.pbxproj:
2439         * allow-jit-macOS.entitlements: Added.
2440
2441 2018-08-03  Alex Christensen  <achristensen@webkit.org>
2442
2443         Fix spelling of "overridden"
2444         https://bugs.webkit.org/show_bug.cgi?id=188315
2445
2446         Reviewed by Darin Adler.
2447
2448         * API/JSExport.h:
2449         * inspector/InjectedScriptSource.js:
2450
2451 2018-08-02  Saam Barati  <sbarati@apple.com>
2452
2453         Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
2454         https://bugs.webkit.org/show_bug.cgi?id=188271
2455         <rdar://problem/42850884>
2456
2457         Reviewed by Michael Saboff.
2458
2459         This patch defends against the instructionPointer containing garbage bits.
2460         See radar for details.
2461
2462         * runtime/MachineContext.h:
2463         (JSC::MachineContext::instructionPointer):
2464         * runtime/SamplingProfiler.cpp:
2465         (JSC::SamplingProfiler::takeSample):
2466         * runtime/VMTraps.cpp:
2467         (JSC::SignalContext::SignalContext):
2468         (JSC::SignalContext::tryCreate):
2469         * tools/CodeProfiling.cpp:
2470         (JSC::profilingTimer):
2471         * tools/SigillCrashAnalyzer.cpp:
2472         (JSC::SignalContext::SignalContext):
2473         (JSC::SignalContext::tryCreate):
2474         (JSC::SignalContext::dump):
2475         (JSC::installCrashHandler):
2476         * wasm/WasmFaultSignalHandler.cpp:
2477         (JSC::Wasm::trapHandler):
2478
2479 2018-08-02  David Fenton  <david_fenton@apple.com>
2480
2481         Unreviewed, rolling out r234489.
2482
2483         Caused 50+ crashes and 60+ API failures on iOS
2484
2485         Reverted changeset:
2486
2487         "[WTF] Rename String::format to String::deprecatedFormat"
2488         https://bugs.webkit.org/show_bug.cgi?id=188191
2489         https://trac.webkit.org/changeset/234489
2490
2491 2018-08-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2492
2493         Add self.queueMicrotask(f) on DOMWindow
2494         https://bugs.webkit.org/show_bug.cgi?id=188212
2495
2496         Reviewed by Ryosuke Niwa.
2497
2498         * CMakeLists.txt:
2499         * JavaScriptCore.xcodeproj/project.pbxproj:
2500         * Sources.txt:
2501         * runtime/JSGlobalObject.cpp:
2502         (JSC::enqueueJob):
2503         * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp.
2504         (JSC::createJSMicrotask):
2505         Export them to WebCore.
2506
2507         (JSC::JSMicrotask::run):
2508         * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h.
2509         Add another version of JSMicrotask which does not have arguments.
2510
2511 2018-08-01  Tomas Popela  <tpopela@redhat.com>
2512
2513         [WTF] Rename String::format to String::deprecatedFormat
2514         https://bugs.webkit.org/show_bug.cgi?id=188191
2515
2516         Reviewed by Darin Adler.
2517
2518         It should be replaced with string concatenation.
2519
2520         * bytecode/CodeBlock.cpp:
2521         (JSC::CodeBlock::nameForRegister):
2522         * inspector/InjectedScriptBase.cpp:
2523         (Inspector::InjectedScriptBase::makeCall):
2524         * inspector/InspectorBackendDispatcher.cpp:
2525         (Inspector::BackendDispatcher::getPropertyValue):
2526         * inspector/agents/InspectorConsoleAgent.cpp:
2527         (Inspector::InspectorConsoleAgent::enable):
2528         (Inspector::InspectorConsoleAgent::stopTiming):
2529         * jsc.cpp:
2530         (FunctionJSCStackFunctor::operator() const):
2531         * parser/Lexer.cpp:
2532         (JSC::Lexer<T>::invalidCharacterMessage const):
2533         * runtime/IntlDateTimeFormat.cpp:
2534         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2535         * runtime/IntlObject.cpp:
2536         (JSC::canonicalizeLocaleList):
2537         * runtime/LiteralParser.cpp:
2538         (JSC::LiteralParser<CharType>::Lexer::lex):
2539         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
2540         (JSC::LiteralParser<CharType>::parse):
2541         * runtime/LiteralParser.h:
2542         (JSC::LiteralParser::getErrorMessage):
2543
2544 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2545
2546         [INTL] Allow "unknown" formatToParts types
2547         https://bugs.webkit.org/show_bug.cgi?id=188176
2548
2549         Reviewed by Darin Adler.
2550
2551         Originally extra unexpected field types were marked as "literal", since
2552         the spec did not account for these. The ECMA 402 spec has since been updated
2553         to specify "unknown" should be used in these cases.
2554
2555         Currently there is no known way to reach these cases, so no tests can
2556         account for them. Theoretically they shouldn't exist, but they are specified,
2557         just to be safe. Marking them as "unknown" instead of "literal" hopefully
2558         will make such cases easy to identify if they ever happen.
2559
2560         * runtime/IntlDateTimeFormat.cpp:
2561         (JSC::IntlDateTimeFormat::partTypeString):
2562         * runtime/IntlNumberFormat.cpp:
2563         (JSC::IntlNumberFormat::partTypeString):
2564
2565 2018-08-01  Andy VanWagoner  <andy@vanwagoner.family>
2566
2567         [INTL] Implement hourCycle in DateTimeFormat
2568         https://bugs.webkit.org/show_bug.cgi?id=188006
2569
2570         Reviewed by Darin Adler.
2571
2572         Implemented hourCycle, updating both the skeleton and the final pattern.
2573         Changed resolveLocale to assume undefined options are not given and null
2574         strings actually mean null, which removes the tag extension.
2575
2576         * runtime/CommonIdentifiers.h:
2577         * runtime/IntlCollator.cpp:
2578         (JSC::IntlCollator::initializeCollator):
2579         * runtime/IntlDateTimeFormat.cpp:
2580         (JSC::IntlDTFInternal::localeData):
2581         (JSC::IntlDateTimeFormat::setFormatsFromPattern):
2582         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2583         (JSC::IntlDateTimeFormat::resolvedOptions):
2584         * runtime/IntlDateTimeFormat.h:
2585         * runtime/IntlObject.cpp:
2586         (JSC::resolveLocale):
2587
2588 2018-08-01  Keith Miller  <keith_miller@apple.com>
2589
2590         JSArrayBuffer should have its own JSType
2591         https://bugs.webkit.org/show_bug.cgi?id=188231
2592
2593         Reviewed by Saam Barati.
2594
2595         * runtime/JSArrayBuffer.cpp:
2596         (JSC::JSArrayBuffer::createStructure):
2597         * runtime/JSCast.h:
2598         * runtime/JSType.h:
2599
2600 2018-07-31  Keith Miller  <keith_miller@apple.com>
2601
2602         Unreviewed 32-bit build fix...
2603
2604         * dfg/DFGSpeculativeJIT32_64.cpp:
2605
2606 2018-07-31  Keith Miller  <keith_miller@apple.com>
2607
2608         Long compiling JSC files should not be unified
2609         https://bugs.webkit.org/show_bug.cgi?id=188205
2610
2611         Reviewed by Saam Barati.
2612
2613         The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time
2614         to compile. Unifying them means touching anything in the same
2615         bundle as those files takes a long time to incrementally build.
2616         This patch separates those files so they build standalone.
2617
2618         * JavaScriptCore.xcodeproj/project.pbxproj:
2619         * Sources.txt:
2620         * dfg/DFGSpeculativeJIT64.cpp:
2621
2622 2018-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2623
2624         [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous
2625         https://bugs.webkit.org/show_bug.cgi?id=188201
2626
2627         Reviewed by Keith Miller.
2628
2629         We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly.
2630         When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a
2631         new one. So this cellLock() is unnecessary for contiguous shape since contiguous shaped butterfly
2632         never becomes broken state. This patch removes unnecessary locking.
2633
2634         * runtime/JSObject.cpp:
2635         (JSC::JSObject::visitButterflyImpl):
2636
2637 2018-07-31  Guillaume Emont  <guijemont@igalia.com>
2638
2639         [JSC] Remove gcc warnings for 32-bit platforms
2640         https://bugs.webkit.org/show_bug.cgi?id=187803
2641
2642         Reviewed by Yusuke Suzuki.
2643
2644         * assembler/MacroAssemblerPrinter.cpp:
2645         (JSC::Printer::printPCRegister):
2646         (JSC::Printer::printRegisterID):
2647         (JSC::Printer::printAddress):
2648         * dfg/DFGSpeculativeJIT.cpp:
2649         (JSC::DFG::SpeculativeJIT::speculateNumber):
2650         (JSC::DFG::SpeculativeJIT::speculateMisc):
2651         * jit/CCallHelpers.h:
2652         (JSC::CCallHelpers::calculatePokeOffset):
2653         * runtime/Options.cpp:
2654         (JSC::parse):
2655
2656 2018-07-30  Wenson Hsieh  <wenson_hsieh@apple.com>
2657
2658         watchOS engineering build is broken after r234227
2659         https://bugs.webkit.org/show_bug.cgi?id=188180
2660
2661         Reviewed by Keith Miller.
2662
2663         In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*",
2664         postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However,
2665         `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of
2666         `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail.
2667
2668         To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers
2669         entirely, since there's no relevant version to replace them with.
2670
2671         * postprocess-headers.sh:
2672
2673 2018-07-30  Keith Miller  <keith_miller@apple.com>
2674
2675         Clarify conversion rules for JSValue property access API
2676         https://bugs.webkit.org/show_bug.cgi?id=188179
2677
2678         Reviewed by Geoffrey Garen.
2679
2680         * API/JSValue.h:
2681
2682 2018-07-30  Keith Miller  <keith_miller@apple.com>
2683
2684         Rename some JSC API functions/types.
2685         https://bugs.webkit.org/show_bug.cgi?id=188173
2686
2687         Reviewed by Saam Barati.
2688
2689         * API/JSObjectRef.cpp:
2690         (JSObjectHasPropertyForKey):
2691         (JSObjectGetPropertyForKey):
2692         (JSObjectSetPropertyForKey):
2693         (JSObjectDeletePropertyForKey):
2694         (JSObjectHasPropertyKey): Deleted.
2695         (JSObjectGetPropertyKey): Deleted.
2696         (JSObjectSetPropertyKey): Deleted.
2697         (JSObjectDeletePropertyKey): Deleted.
2698         * API/JSObjectRef.h:
2699         * API/JSValue.h:
2700         * API/JSValue.mm:
2701         (-[JSValue valueForProperty:]):
2702         (-[JSValue setValue:forProperty:]):
2703         (-[JSValue deleteProperty:]):
2704         (-[JSValue hasProperty:]):
2705         (-[JSValue defineProperty:descriptor:]):
2706         * API/tests/testapi.cpp:
2707         (TestAPI::run):
2708
2709 2018-07-30  Mark Lam  <mark.lam@apple.com>
2710
2711         Add a debugging utility to dump the memory layout of a JSCell.
2712         https://bugs.webkit.org/show_bug.cgi?id=188157
2713
2714         Reviewed by Yusuke Suzuki.
2715
2716         This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to
2717         dump the memory contents of a cell and if present, its butterfly for debugging
2718         purposes.
2719
2720         Example usage for JS code when JSC_useDollarVM=true:
2721
2722             $vm.dumpCell(obj);
2723
2724         Example usage from C++ code or from lldb:
2725
2726             (lldb) p JSC::VMInspector::dumpCellMemory(obj)
2727
2728         Some examples of dumps:
2729
2730             <0x104bc8260, Object>
2731               [0] 0x104bc8260 : 0x010016000000016c header
2732                 structureID 364 0x16c structure 0x104b721b0
2733                 indexingTypeAndMisc 0 0x0 NonArray
2734                 type 22 0x16
2735                 flags 0 0x0
2736                 cellState 1
2737               [1] 0x104bc8268 : 0x0000000000000000 butterfly
2738               [2] 0x104bc8270 : 0xffff000000000007
2739               [3] 0x104bc8278 : 0xffff000000000008
2740
2741             <0x104bb4360, Array>
2742               [0] 0x104bb4360 : 0x0108210b00000171 header
2743                 structureID 369 0x171 structure 0x104b723e0
2744                 indexingTypeAndMisc 11 0xb ArrayWithArrayStorage
2745                 type 33 0x21
2746                 flags 8 0x8
2747                 cellState 1
2748               [1] 0x104bb4368 : 0x00000008000f4718 butterfly
2749                 base 0x8000f46e0
2750                 hasIndexingHeader YES hasAnyArrayStorage YES
2751                 publicLength 4 vectorLength 7 indexBias 2
2752                 preCapacity 2 propertyCapacity 4
2753                   <--- preCapacity
2754                   [0] 0x8000f46e0 : 0x0000000000000000
2755                   [1] 0x8000f46e8 : 0x0000000000000000
2756                   <--- propertyCapacity
2757                   [2] 0x8000f46f0 : 0x0000000000000000
2758                   [3] 0x8000f46f8 : 0x0000000000000000
2759                   [4] 0x8000f4700 : 0xffff00000000000d
2760                   [5] 0x8000f4708 : 0xffff00000000000c
2761                   <--- indexingHeader
2762                   [6] 0x8000f4710 : 0x0000000700000004
2763                   <--- butterfly
2764                   <--- arrayStorage
2765                   [7] 0x8000f4718 : 0x0000000000000000
2766                   [8] 0x8000f4720 : 0x0000000400000002
2767                   <--- indexedProperties
2768                   [9] 0x8000f4728 : 0xffff000000000008
2769                   [10] 0x8000f4730 : 0xffff000000000009
2770                   [11] 0x8000f4738 : 0xffff000000000005
2771                   [12] 0x8000f4740 : 0xffff000000000006
2772                   [13] 0x8000f4748 : 0x0000000000000000
2773                   [14] 0x8000f4750 : 0x0000000000000000
2774                   [15] 0x8000f4758 : 0x0000000000000000
2775                   <--- unallocated capacity
2776                   [16] 0x8000f4760 : 0x0000000000000000
2777                   [17] 0x8000f4768 : 0x0000000000000000
2778                   [18] 0x8000f4770 : 0x0000000000000000
2779                   [19] 0x8000f4778 : 0x0000000000000000
2780
2781         * runtime/JSObject.h:
2782         * tools/JSDollarVM.cpp:
2783         (JSC::functionDumpCell):
2784         (JSC::JSDollarVM::finishCreation):
2785         * tools/VMInspector.cpp:
2786         (JSC::VMInspector::dumpCellMemory):
2787         (JSC::IndentationScope::IndentationScope):
2788         (JSC::IndentationScope::~IndentationScope):
2789         (JSC::VMInspector::dumpCellMemoryToStream):
2790         * tools/VMInspector.h:
2791
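The dumps above are raw memory words annotated by the tool. The decoder below is an added example and not part of the WebKit change or of JSC's own source: it unpacks the JSCell header word, the butterfly IndexingHeader, the ArrayStorage length word and NaN-boxed JSValues the way the dump's annotations do, following JSC's 64-bit field order (StructureID, IndexingType plus misc bits, JSType, inline flags, CellState) and 64-bit JSValue encoding. Every struct and function name is the example's own; the 5-bit IndexingMode mask and the "tiny raw value is an immediate" rule are assumptions and are marked as such in the comments.

```cpp
// Added example, not code from WebKit: decode the raw 64-bit words that
// $vm.dumpCell() / VMInspector::dumpCellMemory() print, following the field
// order of JSC's 64-bit JSCell header, butterfly IndexingHeader, ArrayStorage
// and NaN-boxed JSValue encoding. Struct and function names are this example's own.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

namespace CellDump {

// JSCell header word, low to high byte on a little-endian 64-bit build:
//   bytes 0-3 StructureID, byte 4 IndexingType + misc bits, byte 5 JSType,
//   byte 6 TypeInfo inline flags, byte 7 CellState.
struct Header {
    uint32_t structureID;
    uint8_t indexingTypeAndMisc;
    uint8_t type;
    uint8_t flags;
    uint8_t cellState;
};

inline Header decodeHeader(uint64_t word)
{
    Header h;
    h.structureID = static_cast<uint32_t>(word & 0xffffffffu);
    h.indexingTypeAndMisc = static_cast<uint8_t>(word >> 32);
    h.type = static_cast<uint8_t>(word >> 40);
    h.flags = static_cast<uint8_t>(word >> 48);
    h.cellState = static_cast<uint8_t>(word >> 56);
    return h;
}

// The IndexingMode lives in the low bits of indexingTypeAndMisc; the upper bits
// are misc GC state. Masking the low 5 bits is this example's assumption, and
// only the two modes that appear in the dumps above are named.
inline std::string indexingModeName(uint8_t indexingTypeAndMisc)
{
    switch (indexingTypeAndMisc & 0x1f) {
    case 0x00: return "NonArray";
    case 0x0b: return "ArrayWithArrayStorage";
    default: return "Other";
    }
}

// Butterfly IndexingHeader word: publicLength in the low half, vectorLength in the high half.
struct IndexingHeaderWord {
    uint32_t publicLength;
    uint32_t vectorLength;
};

inline IndexingHeaderWord decodeIndexingHeader(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffu), static_cast<uint32_t>(word >> 32) };
}

// ArrayStorage: the word after m_sparseMap packs m_indexBias (low half) and
// m_numValuesInVector (high half); the indexed values follow it.
struct ArrayStorageLengths {
    uint32_t indexBias;
    uint32_t numValuesInVector;
};

inline ArrayStorageLengths decodeArrayStorageLengths(uint64_t word)
{
    return { static_cast<uint32_t>(word & 0xffffffffu), static_cast<uint32_t>(word >> 32) };
}

// 64-bit JSValue NaN-boxing: top 16 bits 0xffff = int32; any other bit set in
// the top 15 bits = double whose bit pattern was shifted up by 2^49; top 16
// bits clear = cell pointer or a small immediate (undefined/null/true/false/empty).
enum class ValueKind { Int32, Double, Cell, Immediate };

struct Value {
    ValueKind kind;
    int32_t int32;
    double number;
    uint64_t raw;
};

inline Value classifyValue(uint64_t raw)
{
    const uint64_t numberTag = 0xfffe000000000000ull;
    const uint64_t doubleEncodeOffset = 1ull << 49;
    if ((raw & 0xffff000000000000ull) == 0xffff000000000000ull)
        return { ValueKind::Int32, static_cast<int32_t>(raw & 0xffffffffu), 0.0, raw };
    if (raw & numberTag) {
        uint64_t bits = raw - doubleEncodeOffset;
        double d;
        std::memcpy(&d, &bits, sizeof d);
        return { ValueKind::Double, 0, d, raw };
    }
    // Assumption: cells are aligned pointers, so anything that fits in 4 bits is an immediate tag.
    if (raw > 0xf)
        return { ValueKind::Cell, 0, 0.0, raw };
    return { ValueKind::Immediate, 0, 0.0, raw };
}

} // namespace CellDump

int main()
{
    // Constructed inputs: the Array header word and array words copied from the dump above.
    CellDump::Header h = CellDump::decodeHeader(0x0108210b00000171ull);
    std::printf("structureID %u indexingMode %s type %u flags %u cellState %u\n",
        h.structureID, CellDump::indexingModeName(h.indexingTypeAndMisc).c_str(),
        unsigned(h.type), unsigned(h.flags), unsigned(h.cellState));
    CellDump::IndexingHeaderWord ih = CellDump::decodeIndexingHeader(0x0000000700000004ull);
    std::printf("publicLength %u vectorLength %u\n", ih.publicLength, ih.vectorLength);
    CellDump::Value v = CellDump::classifyValue(0xffff000000000008ull);
    std::printf("first indexed value is int32 %d\n", v.int32);
    return 0;
}
```

Cross-checked against the dumps: 0x0108210b00000171 decodes to structureID 369, ArrayWithArrayStorage, type 33, flags 8, cellState 1; 0x0000000700000004 to publicLength 4 and vectorLength 7; 0x0000000400000002 to indexBias 2; and the 0xffff00000000000N words in the indexed storage are int32s. This is useful when all you have is a crash log or an lldb `memory read` on a build without $vm enabled.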
2792 2018-07-27  Mark Lam  <mark.lam@apple.com>
2793
2794         Add some crash info to Heap::checkConn() RELEASE_ASSERTs.
2795         https://bugs.webkit.org/show_bug.cgi?id=188123
2796         <rdar://problem/42672268>
2797
2798         Reviewed by Keith Miller.
2799
2800         1. Add VM::m_id and Heap::m_lastPhase fields.  Both of these fit within existing
2801            padding space in VM and Heap, and should not cost any measurable perf to
2802            initialize and update.
2803
2804         2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn():
2805
2806            worldState tells us the value we failed the assertion on.
2807
2808            m_lastPhase, m_currentPhase, and m_nextPhase tell us the GC phase transition
2809            that led us here.
2810
2811            VM::id() and VM::numberOfIDs() tell us how many VMs may be in play.
2812
2813            VM::isEntered() tells us if the current VM is currently executing JS code.
2814
2815            Some of this data may be redundant, but the redundancy is intentional so that
2816            we can double check what is really happening at the time of crash.
2817
2818         * heap/Heap.cpp:
2819         (JSC::asInt):
2820         (JSC::Heap::checkConn):
2821         (JSC::Heap::changePhase):
2822         * heap/Heap.h:
2823         * runtime/VM.cpp:
2824         (JSC::VM::nextID):
2825         (JSC::VM::VM):
2826         * runtime/VM.h:
2827         (JSC::VM::numberOfIDs):
2828         (JSC::VM::id const):
2829         (JSC::VM::isEntered const):
2830
2831 2018-07-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2832
2833         [JSC] Record CoW status in ArrayProfile correctly
2834         https://bugs.webkit.org/show_bug.cgi?id=187949
2835
2836         Reviewed by Saam Barati.
2837
2838         In this patch, we simplify asArrayModes: just shifting the value with IndexingMode.
2839         This is important since our OSR exit compiler records m_observedArrayModes by calculating
2840         ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated,
2841         our OSR exit compiler records incorrect results in ArrayProfile. And it leads to
2842         Array::Generic DFG nodes.
2843
2844         * bytecode/ArrayProfile.h:
2845         (JSC::asArrayModes):
2846         (JSC::ArrayProfile::ArrayProfile):
2847         * dfg/DFGOSRExit.cpp:
2848         (JSC::DFG::OSRExit::compileExit):
2849         * ftl/FTLOSRExitCompiler.cpp:
2850         (JSC::FTL::compileStub):
2851         * runtime/IndexingType.h:
2852
2853 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2854
2855         [INTL] Remove INTL sub-feature compile flags
2856         https://bugs.webkit.org/show_bug.cgi?id=188081
2857
2858         Reviewed by Michael Catanzaro.
2859
2860         Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags.
2861         The runtime flags are still present, and should be relied on instead.
2862         The defines for ICU features have also been updated to match HAVE() style.
2863
2864         * Configurations/FeatureDefines.xcconfig:
2865         * runtime/IntlPluralRules.cpp:
2866         (JSC::IntlPluralRules::resolvedOptions):
2867         (JSC::IntlPluralRules::select):
2868         * runtime/IntlPluralRules.h:
2869         * runtime/Options.h:
2870
2871 2018-07-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2872
2873         [JSC] Dump IndexingMode in Structure
2874         https://bugs.webkit.org/show_bug.cgi?id=188085
2875
2876         Reviewed by Keith Miller.
2877
2878         Dump IndexingMode instead of IndexingType.
2879
2880         * runtime/Structure.cpp:
2881         (JSC::Structure::dump const):
2882
2883 2018-07-26  Ross Kirsling  <ross.kirsling@sony.com>
2884
2885         String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter
2886         https://bugs.webkit.org/show_bug.cgi?id=187963
2887
2888         Reviewed by Alex Christensen.
2889
2890         * inspector/InspectorBackendDispatcher.cpp:
2891         (Inspector::BackendDispatcher::dispatch):
2892         * jsc.cpp:
2893         (ModuleName::ModuleName):
2894         (resolvePath):
2895         * runtime/IntlObject.cpp:
2896         (JSC::canonicalizeLanguageTag):
2897         (JSC::removeUnicodeLocaleExtension):
2898         Update split/splitAllowingEmptyEntries usage.
2899
2900 2018-07-26  Commit Queue  <commit-queue@webkit.org>
2901
2902         Unreviewed, rolling out r234181 and r234189.
2903         https://bugs.webkit.org/show_bug.cgi?id=188075
2904
2905         These are not needed right now (Requested by thorton on
2906         #webkit).
2907
2908         Reverted changesets:
2909
2910         "Enable Web Content Filtering on watchOS"
2911         https://bugs.webkit.org/show_bug.cgi?id=187979
2912         https://trac.webkit.org/changeset/234181
2913
2914         "HAVE(PARENTAL_CONTROLS) should be true on watchOS"
2915         https://bugs.webkit.org/show_bug.cgi?id=187985
2916         https://trac.webkit.org/changeset/234189
2917
2918 2018-07-26  Mark Lam  <mark.lam@apple.com>
2919
2920         arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array.
2921         https://bugs.webkit.org/show_bug.cgi?id=188065
2922         <rdar://problem/42515726>
2923
2924         Reviewed by Saam Barati.
2925
2926         * runtime/ArrayPrototype.cpp:
2927         (JSC::clearElement):
2928         (JSC::copyElements):
2929         (JSC::arrayProtoPrivateFuncConcatMemcpy):
2930
2931 2018-07-26  Andy VanWagoner  <andy@vanwagoner.family>
2932
2933         JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG)
2934         https://bugs.webkit.org/show_bug.cgi?id=167991
2935
2936         Reviewed by Michael Catanzaro.
2937
2938         Improved the conversion of ICU locales to BCP47 tags, using their preferred method.
2939         Checked locale.isEmpty() before returning it from defaultLocale, so there should be
2940         no more cases where you might have an invalid locale come back from resolveLocale.
2941
2942         * runtime/IntlObject.cpp:
2943         (JSC::convertICULocaleToBCP47LanguageTag):
2944         (JSC::defaultLocale):
2945         (JSC::lookupMatcher):
2946         * runtime/IntlObject.h:
2947         * runtime/JSGlobalObject.cpp:
2948         (JSC::JSGlobalObject::intlCollatorAvailableLocales):
2949         (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
2950         (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
2951         (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
2952
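The failure the entry above fixes comes from feeding an ISO 15897 locale string such as `en_US.UTF-8` (language[_territory][.codeset][@modifier]) straight into BCP 47 handling. The converter below is an added example, not WebKit code: JSC delegates the conversion to ICU, whereas this stand-alone version, with names of its own, strips the codeset and modifier, normalizes subtag case, and applies the same kind of empty-result guard so an invalid tag never reaches locale resolution. Treating the `C` and `POSIX` locales as "no locale" and the `en-US` fallback are this example's assumptions.

```cpp
// Added example, not WebKit code: a minimal ISO 15897 / POSIX locale string
// (language[_territory][.codeset][@modifier]) to BCP 47 tag converter, with an
// empty-result guard like the isEmpty() check the entry above describes.
// JSC itself delegates to ICU; this version drops the codeset and modifier and
// treats "C"/"POSIX" as "no locale" (an assumption).
#include <cctype>
#include <cstdio>
#include <string>

namespace LocaleTag {

inline std::string posixLocaleToBCP47(const std::string& posix)
{
    // The codeset (".UTF-8") and the modifier ("@euro") both end the tag proper.
    std::string core = posix.substr(0, posix.find_first_of(".@"));
    if (core.empty() || core == "C" || core == "POSIX")
        return std::string();

    std::string language = core;
    std::string territory;
    size_t underscore = core.find('_');
    if (underscore != std::string::npos) {
        language = core.substr(0, underscore);
        territory = core.substr(underscore + 1);
    }

    // Subtags must be ASCII letters/digits of a sane length; anything else is rejected
    // rather than passed on, since LANG is attacker-influenced environment input.
    auto validSubtag = [](const std::string& s, size_t minLen, size_t maxLen) {
        if (s.size() < minLen || s.size() > maxLen)
            return false;
        for (unsigned char c : s) {
            if (!std::isalnum(c))
                return false;
        }
        return true;
    };
    if (!validSubtag(language, 2, 8))
        return std::string();
    for (char& c : language)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (territory.empty())
        return language;
    if (!validSubtag(territory, 2, 3))
        return std::string();
    for (char& c : territory)
        c = static_cast<char>(std::toupper(static_cast<unsigned char>(c)));
    return language + "-" + territory;
}

// Mirrors the empty check: fall back to a known-good default instead of handing
// an invalid or empty tag to locale resolution. The "en-US" default is an assumption.
inline std::string defaultLocaleFromLANG(const char* lang, const std::string& fallback = "en-US")
{
    std::string tag = lang ? posixLocaleToBCP47(lang) : std::string();
    return tag.empty() ? fallback : tag;
}

} // namespace LocaleTag

int main()
{
    // Constructed inputs representative of LANG values seen on Unix systems.
    const char* samples[] = { "en_US.UTF-8", "de_DE@euro", "ja_JP.eucJP", "C.UTF-8", "POSIX", "fr" };
    for (const char* s : samples)
        std::printf("%-12s -> %s\n", s, LocaleTag::defaultLocaleFromLANG(s).c_str());
    return 0;
}
```

With this in place `LANG=C.UTF-8` yields the fallback instead of an empty or malformed tag, which is the case the original resolveLocale path could mishandle.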
2953 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2954
2955         REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer
2956         https://bugs.webkit.org/show_bug.cgi?id=188040
2957
2958         Unreviewed build fix for AppleWin port.
2959
2960         * API/tests/testapi.c: Disabled warning C4204.
2961         (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs.
2962
2963 2018-07-26  Fujii Hironori  <Hironori.Fujii@sony.com>
2964
2965         [JSC API] We should support the symbol type in our C/Obj-C API
2966         https://bugs.webkit.org/show_bug.cgi?id=175836
2967
2968         Unreviewed build fix for Windows port.
2969
2970         r234227 introduced a compilation error, unresolved external symbol
2971         "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports.
2972
2973         Windows ports are compiling testapi.c as C++ by using the /TP switch.
2974
2975         * API/tests/testapi.c:
2976         (main): Removed `::` prefix of ::SetErrorMode Windows API.
2977         (dllLauncherEntryPoint): Converted into C style.
2978         * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c
2979
2980 2018-07-25  Keith Miller  <keith_miller@apple.com>
2981
2982         [JSC API] We should support the symbol type in our C/Obj-C API
2983         https://bugs.webkit.org/show_bug.cgi?id=175836
2984
2985         Reviewed by Filip Pizlo.
2986
2987         This patch makes the following API additions:
2988         1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues.
2989         2) Create a symbol on both APIs.
2990         3) Get/Set/Delete/Define property now take ids in the Obj-C API.
2991         4) Add Get/Set/Delete in the C API.
2992
2993         We can do 3 because it is both binary and source compatible with
2994         the existing API. I added (4) because the current property access
2995         APIs only have the ability to get Strings. It was possible to
2996         merge symbols into JSStringRef but that felt confusing and exposes
2997         implementation details of our engine. The new functions match the
2998         same meaning that they have in JS, thus should be forward
2999         compatible with any future language extensions.
3000
3001         Lastly, this patch adds the same availability preprocessing phase
3002         in WebCore to JavaScriptCore, which enables TBA features for
3003         testing on previous releases.
3004
3005         * API/APICast.h:
3006         * API/JSBasePrivate.h:
3007         * API/JSContext.h:
3008         * API/JSContextPrivate.h:
3009         * API/JSContextRef.h:
3010         * API/JSContextRefInternal.h:
3011         * API/JSContextRefPrivate.h:
3012         * API/JSManagedValue.h:
3013         * API/JSObjectRef.cpp:
3014         (JSObjectHasPropertyKey):
3015         (JSObjectGetPropertyKey):
3016         (JSObjectSetPropertyKey):
3017         (JSObjectDeletePropertyKey):
3018         * API/JSObjectRef.h:
3019         * API/JSRemoteInspector.h:
3020         * API/JSTypedArray.h:
3021         * API/JSValue.h:
3022         * API/JSValue.mm:
3023         (+[JSValue valueWithNewSymbolFromDescription:inContext:]):
3024         (performPropertyOperation):
3025         (-[JSValue valueForProperty:valueForProperty:]):
3026         (-[JSValue setValue:forProperty:setValue:forProperty:]):
3027         (-[JSValue deleteProperty:deleteProperty:]):
3028         (-[JSValue hasProperty:hasProperty:]):
3029         (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]):
3030         (-[JSValue isSymbol]):
3031         (-[JSValue objectForKeyedSubscript:]):
3032         (-[JSValue setObject:forKeyedSubscript:]):
3033         (-[JSValue valueForProperty:]): Deleted.
3034         (-[JSValue setValue:forProperty:]): Deleted.
3035         (-[JSValue deleteProperty:]): Deleted.
3036         (-[JSValue hasProperty:]): Deleted.
3037         (-[JSValue defineProperty:descriptor:]): Deleted.
3038         * API/JSValueRef.cpp:
3039         (JSValueGetType):
3040         (JSValueIsSymbol):
3041         (JSValueMakeSymbol):
3042         * API/JSValueRef.h:
3043         * API/WebKitAvailability.h:
3044         * API/tests/CurrentThisInsideBlockGetterTest.mm:
3045         * API/tests/CustomGlobalObjectClassTest.c:
3046         * API/tests/DateTests.mm:
3047         * API/tests/JSExportTests.mm:
3048         * API/tests/JSNode.c:
3049         * API/tests/JSNodeList.c:
3050         * API/tests/Node.c:
3051         * API/tests/NodeList.c:
3052         * API/tests/minidom.c:
3053         * API/tests/testapi.c:
3054         (main):
3055         * API/tests/testapi.cpp: Added.
3056         (APIString::APIString):
3057         (APIString::~APIString):
3058         (APIString::operator JSStringRef):
3059         (APIContext::APIContext):
3060         (APIContext::~APIContext):
3061         (APIContext::operator JSGlobalContextRef):
3062         (APIVector::APIVector):
3063         (APIVector::~APIVector):
3064         (APIVector::append):
3065         (testCAPIViaCpp):
3066         (TestAPI::evaluateScript):
3067         (TestAPI::callFunction):
3068         (TestAPI::functionReturnsTrue):
3069         (TestAPI::check):
3070         (TestAPI::checkJSAndAPIMatch):
3071         (TestAPI::interestingObjects):
3072         (TestAPI::interestingKeys):
3073         (TestAPI::run):
3074         * API/tests/testapi.mm:
3075         (testObjectiveCAPIMain):
3076         * JavaScriptCore.xcodeproj/project.pbxproj:
3077         * config.h:
3078         * postprocess-headers.sh:
3079         * shell/CMakeLists.txt:
3080         * testmem/testmem.mm:
3081
3082 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3083
3084         [INTL] Call Typed Array elements toLocaleString with locale and options
3085         https://bugs.webkit.org/show_bug.cgi?id=185796
3086
3087         Reviewed by Keith Miller.
3088
3089         Improve ECMA 402 compliance of typed array toLocaleString, passing along
3090         the locale and options to element toLocaleString calls.
3091
3092         * builtins/TypedArrayPrototype.js:
3093         (toLocaleString):
3094
3095 2018-07-25  Andy VanWagoner  <andy@vanwagoner.family>
3096
3097         [INTL] Intl constructor lengths should be configurable
3098         https://bugs.webkit.org/show_bug.cgi?id=187960
3099
3100         Reviewed by Saam Barati.
3101
3102         Removed DontDelete from Intl constructor lengths.
3103         Fixed DateTimeFormat formatToParts length.
3104
3105         * runtime/IntlCollatorConstructor.cpp:
3106         (JSC::IntlCollatorConstructor::finishCreation):
3107         * runtime/IntlDateTimeFormatConstructor.cpp:
3108         (JSC::IntlDateTimeFormatConstructor::finishCreation):
3109         * runtime/IntlDateTimeFormatPrototype.cpp:
3110         (JSC::IntlDateTimeFormatPrototype::finishCreation):
3111         * runtime/IntlNumberFormatConstructor.cpp:
3112         (JSC::IntlNumberFormatConstructor::finishCreation):
3113         * runtime/IntlPluralRulesConstructor.cpp:
3114         (JSC::IntlPluralRulesConstructor::finishCreation):
3115
3116 2018-07-24  Fujii Hironori  <Hironori.Fujii@sony.com>
3117
3118         runJITThreadLimitTests is failing
3119         https://bugs.webkit.org/show_bug.cgi?id=187886
3120         <rdar://problem/42561966>
3121
3122         Unreviewed build fix for MSVC.
3123
3124         MSVC doesn't support the ternary operator without a second operand.
3125
3126         * dfg/DFGWorklist.cpp:
3127         (JSC::DFG::getNumberOfDFGCompilerThreads):
3128         (JSC::DFG::getNumberOfFTLCompilerThreads):
3129
3130 2018-07-24  Commit Queue  <commit-queue@webkit.org>
3131
3132         Unreviewed, rolling out r234183.
3133         https://bugs.webkit.org/show_bug.cgi?id=187983
3134
3135         cause regression in Kraken gaussian blur and desaturate
3136         (Requested by yusukesuzuki on #webkit).
3137
3138         Reverted changeset:
3139
3140         "[JSC] Record CoW status in ArrayProfile"
3141         https://bugs.webkit.org/show_bug.cgi?id=187949
3142         https://trac.webkit.org/changeset/234183
3143
3144 2018-07-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3145
3146         [JSC] Record CoW status in ArrayProfile
3147         https://bugs.webkit.org/show_bug.cgi?id=187949
3148
3149         Reviewed by Saam Barati.
3150
3151         Once a CoW array is converted to a non-CoW array, subsequent operations are done on this non-CoW array.
3152         Even though these operations are performed on both CoW and non-CoW arrays in the code, array profiles
3153         in this code typically record only non-CoW arrays since array profiles hold only one recently
3154         seen StructureID. This results in emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to
3155         CoW arrays.
3156
3157         In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode
3158         speculation. To do so efficiently, we store the union of seen IndexingModes in ArrayProfile.
3159
3160         This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%.
3161
3162                                       baseline                  patched
3163
3164         stanford-crypto-aes        60.893+-1.346      ^      57.412+-1.298         ^ definitely 1.0606x faster
3165         stanford-crypto-ccm        62.124+-1.992             58.921+-1.844           might be 1.0544x faster
3166
3167         * bytecode/ArrayProfile.cpp:
3168         (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
3169         * bytecode/ArrayProfile.h:
3170         (JSC::asArrayModes):
3171         We simplify asArrayModes instead of giving up the Int8ArrayMode - Float64ArrayMode contiguous sequence.
3172
3173         (JSC::ArrayProfile::ArrayProfile):
3174         (JSC::ArrayProfile::addressOfObservedIndexingModes):
3175         (JSC::ArrayProfile::observedIndexingModes const):
3176         Currently, our macro assembler and offlineasm only support the `or32` / `ori` operation on addresses.
3177         So we store the union of seen IndexingModes in an `unsigned` instead.
3178
3179         * dfg/DFGArrayMode.cpp:
3180         (JSC::DFG::ArrayMode::fromObserved):
3181         * dfg/DFGArrayMode.h:
3182         (JSC::DFG::ArrayMode::withProfile const):
3183         * jit/JITCall.cpp:
3184         (JSC::JIT::compileOpCall):
3185         * jit/JITCall32_64.cpp:
3186         (JSC::JIT::compileOpCall):
3187         * jit/JITInlines.h:
3188         (JSC::JIT::emitArrayProfilingSiteWithCell):
3189         * llint/LowLevelInterpreter.asm:
3190         * llint/LowLevelInterpreter32_64.asm:
3191         * llint/LowLevelInterpreter64.asm:
3192
3193 2018-07-24  Tim Horton  <timothy_horton@apple.com>
3194
3195         Enable Web Content Filtering on watchOS
3196         https://bugs.webkit.org/show_bug.cgi?id=187979
3197         <rdar://problem/42559346>
3198
3199         Reviewed by Wenson Hsieh.
3200
3201         * Configurations/FeatureDefines.xcconfig:
3202
3203 2018-07-24  Tadeu Zagallo  <tzagallo@apple.com>
3204
3205         Don't modify Options when setting JIT thread limits
3206         https://bugs.webkit.org/show_bug.cgi?id=187886
3207
3208         Reviewed by Filip Pizlo.
3209
3210         Previously, when setting the JIT thread limit prior to the worklist
3211         initialization, it'd be set via Options, which didn't work if Options
3212         hadn't been initialized yet. Change it to use a static variable in the
3213         Worklist instead.
3214
3215         * API/JSVirtualMachine.mm:
3216         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
3217         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
3218         * API/tests/testapi.mm:
3219         (testObjectiveCAPIMain):
3220         * dfg/DFGWorklist.cpp:
3221         (JSC::DFG::getNumberOfDFGCompilerThreads):
3222         (JSC::DFG::getNumberOfFTLCompilerThreads):
3223         (JSC::DFG::setNumberOfDFGCompilerThreads):
3224         (JSC::DFG::setNumberOfFTLCompilerThreads):
3225         (JSC::DFG::ensureGlobalDFGWorklist):
3226         (JSC::DFG::ensureGlobalFTLWorklist):
3227         * dfg/DFGWorklist.h:
3228
3229 2018-07-24  Mark Lam  <mark.lam@apple.com>
3230
3231         Refactoring: make DFG::Plan a class.
3232         https://bugs.webkit.org/show_bug.cgi?id=187968
3233
3234         Reviewed by Saam Barati.
3235
3236         This patch makes all the DFG::Plan fields private, and provides accessor methods
3237         for them.  This makes it easier to reason about how these fields are used and
3238         modified.
3239
3240         * dfg/DFGAbstractInterpreterInlines.h:
3241         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3242         * dfg/DFGByteCodeParser.cpp:
3243         (JSC::DFG::ByteCodeParser::handleCall):
3244         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3245         (JSC::DFG::ByteCodeParser::handleInlining):
3246         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3247         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3248         (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
3249         (JSC::DFG::ByteCodeParser::handleGetById):
3250         (JSC::DFG::ByteCodeParser::handlePutById):
3251         (JSC::DFG::ByteCodeParser::parseBlock):
3252         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3253         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3254         (JSC::DFG::ByteCodeParser::parse):
3255         * dfg/DFGCFAPhase.cpp:
3256         (JSC::DFG::CFAPhase::run):
3257         (JSC::DFG::CFAPhase::injectOSR):
3258         * dfg/DFGClobberize.h:
3259         (JSC::DFG::clobberize):
3260         * dfg/DFGCommonData.cpp:
3261         (JSC::DFG::CommonData::notifyCompilingStructureTransition):
3262         * dfg/DFGCommonData.h:
3263         * dfg/DFGConstantFoldingPhase.cpp:
3264         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3265         * dfg/DFGDriver.cpp:
3266         (JSC::DFG::compileImpl):
3267         * dfg/DFGFinalizer.h:
3268         * dfg/DFGFixupPhase.cpp:
3269         (JSC::DFG::FixupPhase::fixupNode):
3270         (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
3271         * dfg/DFGGraph.cpp:
3272         (JSC::DFG::Graph::Graph):
3273         (JSC::DFG::Graph::watchCondition):
3274         (JSC::DFG::Graph::inferredTypeFor):
3275         (JSC::DFG::Graph::requiredRegisterCountForExit):
3276         (JSC::DFG::Graph::registerFrozenValues):
3277         (JSC::DFG::Graph::registerStructure):
3278         (JSC::DFG::Graph::registerAndWatchStructureTransition):
3279         (JSC::DFG::Graph::assertIsRegistered):
3280         * dfg/DFGGraph.h:
3281         (JSC::DFG::Graph::compilation):
3282         (JSC::DFG::Graph::identifiers):
3283         (JSC::DFG::Graph::watchpoints):
3284         * dfg/DFGJITCompiler.cpp:
3285         (JSC::DFG::JITCompiler::JITCompiler):
3286         (JSC::DFG::JITCompiler::link):
3287         (JSC::DFG::JITCompiler::compile):
3288         (JSC::DFG::JITCompiler::compileFunction):
3289         (JSC::DFG::JITCompiler::disassemble):
3290         * dfg/DFGJITCompiler.h:
3291         (JSC::DFG::JITCompiler::addWeakReference):
3292         * dfg/DFGJITFinalizer.cpp:
3293         (JSC::DFG::JITFinalizer::finalize):
3294         (JSC::DFG::JITFinalizer::finalizeFunction):
3295         (JSC::DFG::JITFinalizer::finalizeCommon):
3296         * dfg/DFGOSREntrypointCreationPhase.cpp:
3297         (JSC::DFG::OSREntrypointCreationPhase::run):
3298         * dfg/DFGPhase.cpp:
3299         (JSC::DFG::Phase::beginPhase):
3300         * dfg/DFGPhase.h:
3301         (JSC::DFG::runAndLog):
3302         * dfg/DFGPlan.cpp:
3303         (JSC::DFG::Plan::Plan):
3304         (JSC::DFG::Plan::computeCompileTimes const):
3305         (JSC::DFG::Plan::reportCompileTimes const):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::isStillValid):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        (JSC::DFG::Plan::key):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
        * dfg/DFGPlan.h:
        (JSC::DFG::Plan::canTierUpAndOSREnter const):
        (JSC::DFG::Plan::vm const):
        (JSC::DFG::Plan::codeBlock):
        (JSC::DFG::Plan::mode const):
        (JSC::DFG::Plan::osrEntryBytecodeIndex const):
        (JSC::DFG::Plan::mustHandleValues const):
        (JSC::DFG::Plan::threadData const):
        (JSC::DFG::Plan::compilation const):
        (JSC::DFG::Plan::finalizer const):
        (JSC::DFG::Plan::setFinalizer):
        (JSC::DFG::Plan::inlineCallFrames const):
        (JSC::DFG::Plan::watchpoints):
        (JSC::DFG::Plan::identifiers):
        (JSC::DFG::Plan::weakReferences):
        (JSC::DFG::Plan::transitions):
        (JSC::DFG::Plan::recordedStatuses):
        (JSC::DFG::Plan::willTryToTierUp const):
        (JSC::DFG::Plan::setWillTryToTierUp):
        (JSC::DFG::Plan::tierUpInLoopHierarchy):
        (JSC::DFG::Plan::tierUpAndOSREnterBytecodes):
        (JSC::DFG::Plan::stage const):
        (JSC::DFG::Plan::callback const):
        (JSC::DFG::Plan::setCallback):
        * dfg/DFGPlanInlines.h:
        (JSC::DFG::Plan::iterateCodeBlocksForGC):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):
        * dfg/DFGSafepoint.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM const):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::removeNonCompilingPlansForVM):
        * dfg/DFGWorklistInlines.h:
        (JSC::DFG::Worklist::iterateCodeBlocksForGC):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
        (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments):
        (JSC::FTL::DFG::LowerDFGToB3::addWeakReference):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):

2018-07-24  Saam Barati  <sbarati@apple.com>

        Make VM::canUseJIT an inlined function
        https://bugs.webkit.org/show_bug.cgi?id=187583

        Reviewed by Mark Lam.

        We know the answer to this query in initializeThreading after initializing
        the executable allocator. This patch makes it so that we just hold this value
        in a static variable and have an inlined function that just returns the value
        of that static variable.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::computeCanUseJIT):
        (JSC::VM::canUseJIT): Deleted.
        * runtime/VM.h:
        (JSC::VM::canUseJIT):

2018-07-24  Mark Lam  <mark.lam@apple.com>

        Placate exception check verification after recent changes.
        https://bugs.webkit.org/show_bug.cgi?id=187961
        <rdar://problem/42545394>

        Reviewed by Saam Barati.

        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):

2018-07-23  Saam Barati  <sbarati@apple.com>

        need to didFoldClobberWorld when we constant fold GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=187917
        <rdar://problem/42505095>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] Language tags are not canonicalized
        https://bugs.webkit.org/show_bug.cgi?id=185836

        Reviewed by Keith Miller.

        Canonicalize language tags, replacing deprecated tag parts with the
        preferred values. Remove broken support for algorithmic numbering systems,
        which can cause an error in icu and are not supported in other engines.

        Generate the lookup functions from the language-subtag-registry.

        Also initialize the UNumberFormat in initializeNumberFormat so any
        failures are thrown immediately instead of failing to format later.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/generateIntlCanonicalizeLanguage.py: Added.
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::formatToParts):
        (JSC::IntlNumberFormat::createNumberFormat): Deleted.
        * runtime/IntlNumberFormat.h:
        * runtime/IntlObject.cpp:
        (JSC::intlNumberOption):
        (JSC::intlDefaultNumberOption):
        (JSC::preferredLanguage):
        (JSC::preferredRegion):
        (JSC::canonicalLangTag):
        (JSC::canonicalizeLanguageTag):
        (JSC::defaultLocale):
        (JSC::removeUnicodeLocaleExtension):
        (JSC::numberingSystemsForLocale):
        (JSC::grandfatheredLangTag): Deleted.
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        * runtime/JSGlobalObject.cpp:
        (JSC::addMissingScriptLocales):
        (JSC::JSGlobalObject::intlCollatorAvailableLocales):
        (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales):
        (JSC::JSGlobalObject::intlNumberFormatAvailableLocales):
        (JSC::JSGlobalObject::intlPluralRulesAvailableLocales):
        * ucd/language-subtag-registry.txt: Added.

2018-07-23  Mark Lam  <mark.lam@apple.com>

        Add some asserts to help diagnose a crash.
        https://bugs.webkit.org/show_bug.cgi?id=187915
        <rdar://problem/42508166>

        Reviewed by Michael Saboff.

        Add some asserts to verify that a CodeBlock alternative should always have a
        non-null jitCode.  Also change a RELEASE_ASSERT_NOT_REACHED() in
        CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT()
        so that we'll retain the state of the variables that failed the assertion (again
        to help with diagnosis).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setAlternative):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):

2018-07-23  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix no-JIT build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/InByIdStatus.cpp:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
        https://bugs.webkit.org/show_bug.cgi?id=187891

        Reviewed by Saam Barati.

        When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
        two variants are mergeable but have "Miss" status. We make merging fail if
        the merged OPCSet says hasOneSlotBaseCondition() is false. But that is only reasonable
        if the variant has "Hit" status. This bug was revealed when we introduced CreateThis in the FTL,
        which patch has more chances to merge variants.

        This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
        is not affected since it does not use this check in the Transition case.

        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::attemptToMerge):
        * bytecode/InByIdVariant.cpp:
        (JSC::InByIdVariant::attemptToMerge):

2018-07-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if the indexed value is non configurable and non writable
        https://bugs.webkit.org/show_bug.cgi?id=186462

        Reviewed by Saam Barati.

        Non-special DontDelete | ReadOnly properties mean that they won't be changed. If DFG AI can retrieve this
        property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates.
        Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly.

        This patch attempts to fold such properties into constants in DFG AI. The challenge is that DFG AI runs
        concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting
        and attributes setting. The attributes must be set after the corresponding value is set. If the loaded
        attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be
        changed and we can safely use it. We arrange our existing code to use this protocol.

        Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled on the x86 architecture,
        since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only on x86.

        This patch improves SixSpeed/template_string_tag.es6.

                                          baseline                  patched

        template_string_tag.es6      237.0301+-4.8374     ^      9.8779+-0.3628        ^ definitely 23.9960x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLengthWithArrayStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
        (JSC::JSObject::putIndexedDescriptor): Deleted.
        * runtime/JSObject.h:
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::SparseArrayValueMap::getConcurrently):
        (JSC::SparseArrayEntry::get const):
        (JSC::SparseArrayEntry::getConcurrently const):
        (JSC::SparseArrayEntry::put):
        (JSC::SparseArrayEntry::getNonSparseMode const):
        (JSC::SparseArrayValueMap::visitChildren):
        (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted.
        * runtime/SparseArrayValueMap.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
        (JSC::SparseArrayEntry::attributes const):
        (JSC::SparseArrayEntry::forceSet):
        (JSC::SparseArrayEntry::asValue):
3595
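The entry above describes a publication protocol between the mutator and the concurrent DFG AI thread: store the value, fence, then store the attributes; on the reading side, load the attributes, fence, and only then trust the value. The following is an added example (editor's illustration, not JavaScriptCore code) that models that protocol in portable C++. Every name in it (Slot, Attribute, publish, readForFolding, countUnsafeInterleavings) is hypothetical; std::atomic_thread_fence with release/acquire ordering stands in for WTF::storeStoreFence and WTF::loadLoadFence, and the interleaving enumerator shows why the value must be written before the attributes, which is the ordering those fences enforce on hardware weaker than x86 TSO.

```cpp
// Added example, not JavaScriptCore code: a model of the "value first, then
// attributes" publication protocol. All names here are hypothetical.
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Stand-ins for the DontDelete | ReadOnly property attributes.
enum Attribute : unsigned { None = 0, ReadOnly = 1u << 1, DontDelete = 1u << 3 };
constexpr unsigned Frozen = ReadOnly | DontDelete;

struct Slot {
    std::atomic<uint64_t> value { 0 };        // stand-in for the stored JSValue
    std::atomic<unsigned> attributes { None };
};

// Mutator side: store the value, then a store-store fence (release fence here),
// then publish the attributes. Same placement as the storeStoreFence in the entry.
void publish(Slot& s, uint64_t v, unsigned attrs)
{
    s.value.store(v, std::memory_order_relaxed);
    std::atomic_thread_fence(std::memory_order_release);   // WTF::storeStoreFence
    s.attributes.store(attrs, std::memory_order_relaxed);
}

// Compiler-thread side: read the attributes first; only if they say the slot can
// never change, fence (load-load) and read the value. Otherwise refuse to fold.
std::optional<uint64_t> readForFolding(const Slot& s)
{
    unsigned attrs = s.attributes.load(std::memory_order_relaxed);
    if ((attrs & Frozen) != Frozen)
        return std::nullopt;
    std::atomic_thread_fence(std::memory_order_acquire);   // WTF::loadLoadFence
    return s.value.load(std::memory_order_relaxed);
}

// Why the order matters: enumerate every interleaving of the writer's two stores
// and the reader's two loads on a plain, fence-free slot, and count the cases where
// the reader sees Frozen attributes but a value other than the published one.
// valueFirst == true is the protocol above; false is the broken order.
int countUnsafeInterleavings(bool valueFirst)
{
    enum Op { WriteA, WriteB, ReadAttrs, ReadValue };
    const uint64_t published = 42;
    // All 6 ways to interleave two ordered writer ops with two ordered reader ops.
    std::vector<std::vector<Op>> schedules = {
        { WriteA, WriteB, ReadAttrs, ReadValue }, { WriteA, ReadAttrs, WriteB, ReadValue },
        { WriteA, ReadAttrs, ReadValue, WriteB }, { ReadAttrs, WriteA, WriteB, ReadValue },
        { ReadAttrs, WriteA, ReadValue, WriteB }, { ReadAttrs, ReadValue, WriteA, WriteB },
    };
    int unsafe = 0;
    for (const auto& sched : schedules) {
        uint64_t value = 0; unsigned attrs = None;          // slot starts empty
        unsigned seenAttrs = None; uint64_t seenValue = 0;
        for (Op op : sched) {
            switch (op) {
            case WriteA: if (valueFirst) value = published; else attrs = Frozen; break;
            case WriteB: if (valueFirst) attrs = Frozen; else value = published; break;
            case ReadAttrs: seenAttrs = attrs; break;
            case ReadValue: seenValue = value; break;
            }
        }
        if ((seenAttrs & Frozen) == Frozen && seenValue != published)
            ++unsafe;
    }
    return unsafe;
}

// Sequential check of the fenced pair: nothing is folded until both attributes are set.
bool demoSequential()
{
    Slot s;
    if (readForFolding(s)) return false;   // empty slot: must not fold
    publish(s, 7, ReadOnly);               // ReadOnly alone: still deletable, must not fold
    if (readForFolding(s)) return false;
    publish(s, 7, Frozen);
    return readForFolding(s).value_or(0) == 7;
}

int main()
{
    std::printf("unsafe interleavings, value-then-attributes: %d\n", countUnsafeInterleavings(true));
    std::printf("unsafe interleavings, attributes-then-value: %d\n", countUnsafeInterleavings(false));
    std::printf("sequential demo: %s\n", demoSequential() ? "ok" : "FAILED");
    return 0;
}
```

The enumerator finds no unsafe schedule for value-then-attributes and exactly one for the reversed order (attributes published, then the reader loads both, then the value lands). The fences do not change the program order; they stop the compiler and the CPU from reordering the two stores or the two loads, which is what makes the sequential reasoning above valid on a weakly ordered machine. The entry restricts the folding itself to x86 for a separate reason (the Structure/Butterfly pairing), so the fence is only one of the two conditions.
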
2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        We should support CreateThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=164904

        Reviewed by Yusuke Suzuki.

        This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
        inference adventure.

        CreateThis in the FTL was a massive regression in raytrace because it disturbed that
        benchmark's extremely perverse way of winning at type inference:

        - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
          the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
          benchmark was falling back to other mechanisms...

        - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
          see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
          GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
          that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
          The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
          is larger than our polymorphic list limit (limit = 8, case count = 13, I think).

          Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
          into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
          baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
          helper because it had a CreateThis.

        - Compilations that inlined the construction helper would have gotten super lucky with
          parse-time constant folding, so they knew what structure the input to the get_by_id would
          have at parse time. This is only profitable if the get_by_id parsing computed a
          GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
          the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
          cases, we would indeed get a finite number of cases. The parser would then prune those
          cases to just one - based on its knowledge of the structure - and that would result in that
          get_by_id being folded at parse time to a constant.

        - The subsequent op_call would inline based on parse-time knowledge of that constant.

        This patch comprehensively fixes these issues, as well as other issues that come up along the
        way. The short version is that raytrace was revealing sloppiness in our use of profiling for
        type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
        i.e. the profiling that considers call context. I was encouraged to do this by the fact that
        even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
        Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
        attack raytrace's problem as a shortcoming of polyvariant profiling.

        - Polyvariant profiling now consults every DFG or FTL code block that participated in any
          subset of the inline stack that includes the IC we're profiling. For example, if we have
          an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
          compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
          up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
          a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
          polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
          from polyvariant profiling. Previously, the polyvariant profiler would only look at the
          previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
          had inlined bar and then baz. It may not have done that, because those calls could have
          required polyvariant profiling that was only available in the FTL.

        - A particularly interesting case is when some IC in foo-baseline is also available in
          foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
          In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
          the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
          find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
          merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
          because it warns us of historical polymorphism. Historical polymorphism usually means
          future polymorphism. IC status code already had some merging functionality, but I needed to
          beef it up a lot to make this work right.

        - Inlining an inline cache now preserves as much information as profiling. One challenge of
          polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
          inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
          (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
          say "I don't have such an IC". At this point the DFG compilation that included that IC that
          gave us the information that we used to inline the IC is no longer alive. To keep us from
          losing the information we learned about the IC, there is now a RecordedStatuses data
          structure that preserves the statuses we use for inlining ICs. We also filter those
          statuses according to things we learn from AI. This further reduces the risk of information
          about an IC being forgotten.

        - Exit profiling now considers whether or not an exit happened from inline code. This
          protects us in the case where the not-inlined version of an IC exited a lot because of
          polymorphism that doesn't exist in the inlined version. So, when using polyvariant
          profiling data, we consider only inlined exits.

        - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
          would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
          surprising that we've had this bug.

        Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
        microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
        Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
        prototype access folding in the bytecode parser and constant folder. That would require some
        significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
        have a test that captures raytrace's behavior in the case that the parser cannot fold the
        get_by_id.

        This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
        recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
        compile time regression anytime we fill in FTL coverage.

        This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
        speeds up and that raytrace slows down, but these changes balance out and don't affect the
        overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
        or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
        0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
        see a significant difference. In all three cases the difference is <0.5% with a high p value,
        with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
        an insignificant infinitesimal slow-down.

        Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
        eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
        flow in a polymorphic constructor while having a bad time, and we'll still compile it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ByValInfo.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<Block>::printCallOp):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::accountForExits):
        (JSC::CallLinkStatus::finalize):
        (JSC::CallLinkStatus::filter):
        (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::operator bool const):
        (JSC::CallLinkStatus::operator! const): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::CallVariant::finalize):
        (JSC::CallVariant::filter):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::operator bool const):
        (JSC::CallVariant::operator! const): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getICStatusMap):
        (JSC::CodeBlock::resetJITData):
        (JSC::CodeBlock::getStubInfoMap): Deleted.
        (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
        (JSC::CodeBlock::getByValInfoMap): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::isApproximatelyEqualTo const):
        (JSC::CodeOrigin::approximateHash const):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::exitingInlineKind const):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump const):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator== const):
        (JSC::DFG::FrequentExitSite::subsumes const):
        (JSC::DFG::FrequentExitSite::hash const):
        (JSC::DFG::FrequentExitSite::inlineKind const):
        (JSC::DFG::FrequentExitSite::withInlineKind const):
        (JSC::DFG::QueryableExitProfile::hasExitSite const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
        * bytecode/ExitFlag.cpp: Added.
        (JSC::ExitFlag::dump const):
        * bytecode/ExitFlag.h: Added.
        (JSC::ExitFlag::ExitFlag):
        (JSC::ExitFlag::operator| const):
        (JSC::ExitFlag::operator|=):
        (JSC::ExitFlag::operator& const):
        (JSC::ExitFlag::operator&=):
        (JSC::ExitFlag::operator bool const):
        (JSC::ExitFlag::isSet const):
        * bytecode/ExitingInlineKind.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingInlineKind.h: Added.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::slowVersion const):
        (JSC::GetByIdStatus::markIfCheap):
        (JSC::GetByIdStatus::finalize):
        (JSC::GetByIdStatus::hasExitSite): Deleted.
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::markIfCheap):
        (JSC::GetByIdVariant::finalize):
        * bytecode/GetByIdVariant.h:
        * bytecode/ICStatusMap.cpp: Added.
        (JSC::ICStatusContext::get const):
        (JSC::ICStatusContext::isInlined const):
        (JSC::ICStatusContext::inlineKind const):
        * bytecode/ICStatusMap.h: Added.
        * bytecode/ICStatusUtils.cpp: Added.
        (JSC::hasBadCacheExitSite):
        * bytecode/ICStatusUtils.h:
        * bytecode/InstanceOfStatus.cpp:
        (JSC::InstanceOfStatus::computeFor):
        * bytecode/InstanceOfStatus.h:
        * bytecode/PolyProtoAccessChain.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::hasExitSite):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::slowVersion const):
        (JSC::PutByIdStatus::markIfCheap):
        (JSC::PutByIdStatus::finalize):
        (JSC::PutByIdStatus::filter):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::markIfCheap):
        (JSC::PutByIdVariant::finalize):
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::structureSet const):
        * bytecode/RecordedStatuses.cpp: Added.
        (JSC::RecordedStatuses::operator=):
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::addCallLinkStatus):
        (JSC::RecordedStatuses::addGetByIdStatus):
        (JSC::RecordedStatuses::addPutByIdStatus):
        (JSC::RecordedStatuses::markIfCheap):
        (JSC::RecordedStatuses::finalizeWithoutDeleting):
        (JSC::RecordedStatuses::finalize):
        (JSC::RecordedStatuses::shrinkToFit):
        * bytecode/RecordedStatuses.h: Added.
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::forEachVector):
        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::markIfCheap const):
        (JSC::StructureSet::isStillAlive const):
        * bytecode/StructureSet.h:
        * bytecode/TerminatedCodeOrigin.h: Added.
        (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
        (JSC::TerminatedCodeOriginHashTranslator::hash):
        (JSC::TerminatedCodeOriginHashTranslator::equal):
        * bytecode/Watchpoint.cpp:
        (WTF::printInternal):
        * bytecode/Watchpoint.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGCommonData.h:
3862         * dfg/DFGClobbersExitState.cpp:
3863         (JSC::DFG::clobbersExitState):
3864         * dfg/DFGCommonData.h: