2019-10-09  Adrian Perez de Castro  <aperez@igalia.com>

        Unreviewed build fix for non-unified builds.

        * dfg/DFGByteCodeParser.cpp: Add missing inclusion of the GetterSetter.h header.

2019-10-09  Fujii Hironori  <Hironori.Fujii@sony.com>

        [Win] error LNK2019: unresolved external symbol "public: __cdecl JSC::Strong<enum JSC::Unknown>::Strong<enum JSC::Unknown>(class JSC::VM &,class JSC::JSValue)"
        https://bugs.webkit.org/show_bug.cgi?id=202722

        Unreviewed flaky build fix for Windows ports.

        JSC::Strong is used without including "StrongInlines.h".

        * runtime/JSCInlines.h: Added #include "StrongInlines.h".

2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FTL vmCall should check # of arguments
        https://bugs.webkit.org/show_bug.cgi?id=202683

        Reviewed by Saam Barati.

        This patch inserts static_assert for # of arguments when using FTL vmCall.
        It turned out that such check is useful when converting ExecState* to JSGlobalObject*.
        Like, first, adding JSGlobalObject* parameter, making it compiled and removing ExecState* and m_callFrame parameter later.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
        (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayify):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
        (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFast):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
        (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::vmCall):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::callWithoutSideEffects):

2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, roll out r250848
        https://bugs.webkit.org/show_bug.cgi?id=202683

        Causing JSTests failures.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
        (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayify):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
        (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFast):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
        (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::vmCall):

2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] GetterSetter should be JSCell, not JSObject
        https://bugs.webkit.org/show_bug.cgi?id=202656

        Reviewed by Tadeu Zagallo and Saam Barati.

        Essentially, GetterSetter is not a JSObject. It is like a JSCell. But we made GetterSetter JSObject
        to leverage existing strict-eq implementations for JSObject: pointer-comparison. But given the following
        conditions,

        1. GetterSetter strict-eq comparison only happens in builtin code when using @tryGetById.
        2. RHS of that comparison is always folded into constant in DFG.
        3. We already use pointer-comparison for cells that are neither JSString nor JSBigInt.
        4. DFG strength reduction already has a rule which makes `CompareStrictEq(Cell-not-JSString/JSBigInt, Constant)` `ComparePtrEq`.

        So we already support non-JSString/JSBigInt cell comparison in JSC JS code. We should use it instead of making GetterSetter JSObject.
        This patch makes GetterSetter JSCell, and makes getterSetterStructure per-VM structure.

        The attached test reported AI validation failure. AI assumed that GetterSetter's realm should be the same to the base object. But
        this is incorrect in our runtime code: we are creating GetterSetter with lexical realm (JSGlobalObject). But the fundamental problem
        is that GetterSetter is JSObject and tied to JSGlobalObject while it is not necessary.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::getGetterById):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::regExpProtoGlobalGetter const):
        (JSC::JSGlobalObject::regExpProtoUnicodeGetter const):
        (JSC::JSGlobalObject::customGetterSetterFunctionStructure const):
        (JSC::JSGlobalObject::getterSetterStructure const): Deleted.
        * runtime/JSType.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-10-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: modifications to shader modules can be shared between vertex/fragment shaders
        https://bugs.webkit.org/show_bug.cgi?id=202031

        Reviewed by Dean Jackson.

        * inspector/protocol/Canvas.json:
        Create a distinct `ShaderProgram` type so that additional data can be bundled and sent to
        the frontend as part of the `programCreated` event without having to worry about having too
        many arguments.

2019-10-08  Alexey Shvayka  <shvaikalesh@gmail.com>

        JSON.parse incorrectly handles array proxies
        https://bugs.webkit.org/show_bug.cgi?id=199292

        Reviewed by Saam Barati.

        1. Use isArray to correctly detect proxied arrays.
        2. Make "length" lookup observable to array proxies and handle exceptions.

        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):

2019-10-08  Adrian Perez de Castro  <aperez@igalia.com>

        [GTK][WPE] Fix non-unified builds after r250486
        https://bugs.webkit.org/show_bug.cgi?id=202636

        Reviewed by Youenn Fablet.

        * runtime/JSLock.h: Add missing inclusion of wtf/ForbidHeapAllocation.h
        * wasm/WasmSignature.cpp: Add missing inclusions of wtf/CommaPrinter.h and
        wtf/StringPrintStream.h (needed by debug builds).
        * wasm/WasmStreamingParser.cpp: Add missing inclusion of WasmSignatureInlines.h to
        avoid missing symbols during linking.

2019-10-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FTL vmCall should check # of arguments
        https://bugs.webkit.org/show_bug.cgi?id=202683

        Reviewed by Saam Barati.

        This patch inserts static_assert for # of arguments when using FTL vmCall.
        It turned out that such check is useful when converting ExecState* to JSGlobalObject*.
        Like, first, adding JSGlobalObject* parameter, making it compiled and removing ExecState* and m_callFrame parameter later.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileToThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMul):
        (JSC::FTL::DFG::LowerDFGToB3::compileStrCat):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueDiv):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary):
        (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithSqrt):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithFRound):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitAnd):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitOr):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitXor):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayify):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineDataProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileDefineAccessorProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutGetterSetterById):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutAccessorByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop):
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateScopedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateClonedArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeys):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewSymbol):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileToPrimitive):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        (JSC::FTL::DFG::LowerDFGToB3::compileSameValue):
        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileSwitch):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
        (JSC::FTL::DFG::LowerDFGToB3::mapHashString):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet):
        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileParseInt):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileToIndexString):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExec):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpTest):
        (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFast):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetFunctionName):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compare):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveScope):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutDynamicVar):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::nonSpeculativeCompare):
        (JSC::FTL::DFG::LowerDFGToB3::stringsEqual):
        (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
        (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds):
        (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
        (JSC::FTL::DFG::LowerDFGToB3::emitStoreBarrier):
        (JSC::FTL::DFG::LowerDFGToB3::vmCall):

2019-10-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Clean up ThunkGenerator's nativeCallTrampoline generator code
        https://bugs.webkit.org/show_bug.cgi?id=202657

        Reviewed by Saam Barati.

        ThunkGenerator has per-architecture JIT code for nativeForGenerator, but this is unnecessary.
        This patch cleans up it and unifies the implementations.

        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2019-10-07  Saam Barati  <sbarati@apple.com>

        Allow OSR exit to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=197993

        Reviewed by Tadeu Zagallo.

        This patch makes it so we can OSR exit to the LLInt.
        Here are the interesting implementation details:
        
        1. We no longer baseline compile everything in the inline stack.
        
        2. When the top frame is a LLInt frame, we exit to the corresponding
        LLInt bytecode. However, we need to materialize the LLInt registers
        for PC, PB, and metadata.
        
        3. When dealing with inline call frames where the caller is LLInt, we
        need to return to the appropriate place. Let's consider we're exiting
        at a place A->B (A calls B), where A is LLInt. If A is a normal call,
        we place the return PC in the frame we materialize to B to be right
        after the LLInt's inline cache for calls. If A is a varargs call, we place
        it at the return location for vararg calls. The interesting scenario here
        is where A is a getter/setter. This means that A might be get_by_id,
        get_by_val, put_by_id, or put_by_val. Since the LLInt does not have any
        form of IC for getters/setters, we make this work by creating new LLInt
        "return location" stubs for these opcodes.
        
        4. We need to update what callee saves we store in the callee if the caller frame
        is a LLInt frame. Let's consider an inline stack A->B->C, where A is a LLInt frame.
        When we materialize the stack frame for B, we need to ensure that the LLInt callee
        saves that A uses is stored into B's preserved callee saves. Specifically, this
        is just the PB/metadata registers.
        
        This patch also fixes offlineasm's macro expansion to allow us to
        use computed label names for global labels.
        
        In a future bug, I'm going to investigate some kind of control system for
        throwing away baseline code when we tier up:
        https://bugs.webkit.org/show_bug.cgi?id=202503

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::metadataTable):
        (JSC::CodeBlock::instructionsRawPointer):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::callerReturnPC):
        (JSC::DFG::calleeSaveSlot):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit): Deleted.
        * dfg/DFGOSRExitPreparation.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/asm.rb:
        * offlineasm/transform.rb:
        * runtime/OptionsList.h:

2019-10-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Change signature of HostFunction to (JSGlobalObject*, CallFrame*)
        https://bugs.webkit.org/show_bug.cgi?id=202569

        Reviewed by Saam Barati.

        This patch changes JSC host-functions's signature from `CallFrame*` to `JSGlobalObject*, CallFrame*`.
        We would like to replace the current `ExecState*` use with `JSGlobalObject*` to fix many issues, remove
        globalExec() hack, and remove `ExecState::vm()` hack. This is important since this hack prevents us from
        implementing scalable IsoSubspace optimization, which leads to putting all JS cells in each IsoSubspace.

        To get lexical JSGlobalObject in a super fast way, we put it in JSFunction/InternalFunction's field.
        And trampoline gets JSGlobalObject from callee, and passes it as its argument. Since this trampoline already
        accesses to the field of callee to get executable address, getting another field is fairly cheap.
        The memory increase does not matter in this case. The sizeof(JSFunction) is 40. Since our allocation size of
        JSCells are rounded by 16, increasing one field does not change the actual allocation size. And # of InternalFunction
        is very limited since it is only used for constructors in JSC.

        This patch changes the signature. And for the ExecState* -> JSGlobalObject* preparation, we use `CallFrame*` name
        instead of `ExecState*` in the host-functions. And use `callFrame` variable name instead of `state` or `exec`.
        And we also get VM& from `JSGlobalObject*` instead of `CallFrame*` since it is faster.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/APICast.h:
        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        * API/JSBaseInternal.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::call):
        * bytecode/InlineCallFrame.h:
        * debugger/Debugger.h:
        * dfg/DFGArithMode.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGGraph.h:
        * dfg/DFGOSREntry.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * ftl/FTLOSREntry.h:
        * inspector/ConsoleMessage.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeAsyncCall):
        * inspector/InjectedScriptManager.h:
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsPromiseRejectedWithNativeGetterTypeError):
        (Inspector::jsInjectedScriptHostPrototypeFunctionProxyTargetValue):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakMapEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize):
        (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIteratorEntries):
        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances):
        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders):
        (Inspector::jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsInjectedScriptHostPrototypeFunctionSubtype):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluateWithScopeExtension):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeDescriptions):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameIsTailDeleted):
        * inspector/ScriptArguments.h:
        * inspector/ScriptCallStackFactory.h:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorConsoleAgent.h:
        * interpreter/AbstractPC.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::guaranteedJSValueCallee const): Deleted.
        (JSC::ExecState::jsCallee const): Deleted.
        (JSC::ExecState::callee const): Deleted.
        (JSC::ExecState::unsafeCallee const): Deleted.
        (JSC::ExecState::codeBlock const): Deleted.
        (JSC::ExecState::addressOfCodeBlock const): Deleted.
        (JSC::ExecState::unsafeCodeBlock const): Deleted.
        (JSC::ExecState::scope const): Deleted.
        (JSC::ExecState::create): Deleted.
        (JSC::ExecState::registers): Deleted.
        (JSC::ExecState::registers const): Deleted.
        (JSC::ExecState::operator=): Deleted.
        (JSC::ExecState::callerFrame const): Deleted.
        (JSC::ExecState::callerFrameOrEntryFrame const): Deleted.
        (JSC::ExecState::unsafeCallerFrameOrEntryFrame const): Deleted.
        (JSC::ExecState::callerFrameOffset): Deleted.
        (JSC::ExecState::returnPC const): Deleted.
        (JSC::ExecState::hasReturnPC const): Deleted.
        (JSC::ExecState::clearReturnPC): Deleted.
        (JSC::ExecState::returnPCOffset): Deleted.
        (JSC::ExecState::abstractReturnPC): Deleted.
        (JSC::ExecState::topOfFrame): Deleted.
        (JSC::ExecState::setCallerFrame): Deleted.
        (JSC::ExecState::setScope): Deleted.
        (JSC::ExecState::argumentCount const): Deleted.
        (JSC::ExecState::argumentCountIncludingThis const): Deleted.
        (JSC::ExecState::argumentOffset): Deleted.
        (JSC::ExecState::argumentOffsetIncludingThis): Deleted.
        (JSC::ExecState::addressOfArgumentsStart const): Deleted.
        (JSC::ExecState::argument): Deleted.
        (JSC::ExecState::uncheckedArgument): Deleted.
        (JSC::ExecState::setArgument): Deleted.
        (JSC::ExecState::getArgumentUnsafe): Deleted.
        (JSC::ExecState::thisArgumentOffset): Deleted.
        (JSC::ExecState::thisValue): Deleted.
        (JSC::ExecState::setThisValue): Deleted.
        (JSC::ExecState::newTarget): Deleted.
        (JSC::ExecState::offsetFor): Deleted.
        (JSC::ExecState::noCaller): Deleted.
        (JSC::ExecState::isGlobalExec const): Deleted.
        (JSC::ExecState::setArgumentCountIncludingThis): Deleted.
        (JSC::ExecState::setCallee): Deleted.
        (JSC::ExecState::setCodeBlock): Deleted.
        (JSC::ExecState::setReturnPC): Deleted.
        (JSC::ExecState::iterate): Deleted.
        (JSC::ExecState::argIndexForRegister): Deleted.
        (JSC::ExecState::callerFrameAndPC): Deleted.
        (JSC::ExecState::callerFrameAndPC const): Deleted.
        (JSC::ExecState::unsafeCallerFrameAndPC const): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::init):
        * interpreter/Register.h:
        * interpreter/ShadowChicken.h:
        * interpreter/StackVisitor.h:
        * interpreter/VMEntryRecord.h:
        (JSC::VMEntryRecord::prevTopCallFrame):
        (JSC::VMEntryRecord::unsafePrevTopCallFrame):
        * jit/CCallHelpers.h:
        * jit/JITExceptions.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionPrintStdOut):
        (functionPrintStdErr):
        (functionDebug):
        (functionDescribe):
        (functionDescribeArray):
        (functionSleepSeconds):
        (functionJSCStack):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):
        (functionHeapSize):
        (functionResetMemoryPeak):
        (functionAddressOf):
        (functionVersion):
        (functionRun):
        (functionRunString):
        (functionLoad):
        (functionLoadString):
        (functionReadFile):
        (functionCheckSyntax):
        (functionSetSamplingFlags):
        (functionClearSamplingFlags):
        (functionGetRandomSeed):
        (functionSetRandomSeed):
        (functionIsRope):
        (functionCallerSourceOrigin):
        (functionReadline):
        (functionPreciseTime):
        (functionNeverInlineFunction):
        (functionNoDFG):
        (functionNoFTL):
        (functionNoOSRExitFuzzing):
        (functionOptimizeNextInvocation):
        (functionNumberOfDFGCompiles):
        (functionCallerIsOMGCompiled):
        (functionDollarCreateRealm):
        (functionDollarEvalScript):
        (functionDollarAgentStart):
        (functionDollarAgentReceiveBroadcast):
        (functionDollarAgentReport):
        (functionDollarAgentSleep):
        (functionDollarAgentBroadcast):
        (functionDollarAgentGetReport):
        (functionDollarAgentLeaving):
        (functionDollarAgentMonotonicNow):
        (functionWaitForReport):
        (functionHeapCapacity):
        (functionFlashHeapAccess):
        (functionDisableRichSourceInfo):
        (functionMallocInALoop):
        (functionTotalCompileTime):
        (functionJSCOptions):
        (functionReoptimizationRetryCount):
        (functionTransferArrayBuffer):
        (functionFailNextNewCodeBlock):
        (functionQuit):
        (functionFalse):
        (functionUndefined1):
        (functionUndefined2):
        (functionIsInt32):
        (functionIsPureNaN):
        (functionIdentity):
        (functionEffectful42):
        (functionMakeMasquerader):
        (functionHasCustomProperties):
        (functionDumpTypesForAllVariables):
        (functionDrainMicrotasks):
        (functionReleaseWeakRefs):
        (functionIs32BitPlatform):
        (functionCreateGlobalObject):
        (functionCheckModuleSyntax):
        (functionPlatformSupportsSamplingProfiler):
        (functionGenerateHeapSnapshot):
        (functionGenerateHeapSnapshotForGCDebugging):
        (functionResetSuperSamplerState):
        (functionEnsureArrayStorage):
        (functionStartSamplingProfiler):
        (functionSamplingProfilerStackTraces):
        (functionMaxArguments):
        (functionAsyncTestStart):
        (functionAsyncTestPassed):
        (functionWebAssemblyMemoryMode):
        (functionSetUnhandledRejectionCallback):
        (runWithOptions):
        (functionDollarDetachArrayBuffer): Deleted.
        * llint/LLIntExceptions.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::callFrame const):
        (JSC::CLoopRegister::execState const): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * runtime/ArrayBufferView.h:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        (JSC::constructWithArrayConstructor):
        (JSC::callArrayConstructor):
        (JSC::arrayConstructorPrivateFuncIsArraySlow):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSpeciesCreate):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):
        (JSC::arrayProtoPrivateFuncAppendMemcpy):
        * runtime/ArrayPrototype.h:
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::callAsyncFunctionConstructor):
        (JSC::constructAsyncFunctionConstructor):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::callAsyncGeneratorFunctionConstructor):
        (JSC::constructAsyncGeneratorFunctionConstructor):
        * runtime/AtomicsObject.cpp:
        (JSC::atomicsFuncAdd):
        (JSC::atomicsFuncAnd):
        (JSC::atomicsFuncCompareExchange):
        (JSC::atomicsFuncExchange):
        (JSC::atomicsFuncIsLockFree):
        (JSC::atomicsFuncLoad):
        (JSC::atomicsFuncOr):
        (JSC::atomicsFuncStore):
        (JSC::atomicsFuncSub):
        (JSC::atomicsFuncWait):
        (JSC::atomicsFuncWake):
        (JSC::atomicsFuncXor):
        * runtime/BigIntConstructor.cpp:
        (JSC::callBigIntConstructor):
        (JSC::bigIntConstructorFuncAsUintN):
        (JSC::bigIntConstructorFuncAsIntN):
        * runtime/BigIntPrototype.cpp:
        (JSC::bigIntProtoFuncToStringImpl):
        (JSC::bigIntProtoFuncToString):
        (JSC::bigIntProtoFuncToLocaleString):
        (JSC::bigIntProtoFuncValueOf):
        * runtime/BooleanConstructor.cpp:
        (JSC::callBooleanConstructor):
        (JSC::constructWithBooleanConstructor):
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/CallData.h:
        * runtime/CommonSlowPaths.h:
        * runtime/Completion.h:
        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncInfo):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncCountReset):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTakeHeapSnapshot):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeLog):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        (JSC::consoleProtoFuncRecord):
        (JSC::consoleProtoFuncRecordEnd):
        (JSC::consoleProtoFuncScreenshot):
        * runtime/ConstructData.h:
        * runtime/DateConstructor.cpp:
        (JSC::constructWithDateConstructor):
        (JSC::callDate):
        (JSC::dateParse):
        (JSC::dateNowImpl):
        (JSC::dateNow):
        (JSC::dateUTC):
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToString):
        (JSC::dateProtoFuncToUTCString):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToDateString):
        (JSC::dateProtoFuncToTimeString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncToPrimitiveSymbol):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::dateProtoFuncSetMilliSeconds):
        (JSC::dateProtoFuncSetUTCMilliseconds):
        (JSC::dateProtoFuncSetSeconds):
        (JSC::dateProtoFuncSetUTCSeconds):
        (JSC::dateProtoFuncSetMinutes):
        (JSC::dateProtoFuncSetUTCMinutes):
        (JSC::dateProtoFuncSetHours):
        (JSC::dateProtoFuncSetUTCHours):
        (JSC::dateProtoFuncSetDate):
        (JSC::dateProtoFuncSetUTCDate):
        (JSC::dateProtoFuncSetMonth):
        (JSC::dateProtoFuncSetUTCMonth):
        (JSC::dateProtoFuncSetFullYear):
        (JSC::dateProtoFuncSetUTCFullYear):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/DatePrototype.h:
        * runtime/ECMAScriptSpecInternalFunctions.cpp:
        (JSC::esSpecIsConstructor):
        * runtime/ECMAScriptSpecInternalFunctions.h:
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        (JSC::constructErrorConstructor):
        (JSC::callErrorConstructor):
        (JSC::ErrorConstructor::put):
        (JSC::ErrorConstructor::deleteProperty):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionFuzz.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        (JSC::constructFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::callFunctionPrototype):
        (JSC::functionProtoFuncToString):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::callGeneratorFunctionConstructor):
        (JSC::constructGeneratorFunctionConstructor):
        * runtime/Identifier.h:
        * runtime/InspectorInstrumentationObject.cpp:
        (JSC::inspectorInstrumentationObjectLog):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::offsetOfGlobalObject):
        (JSC::InternalFunction::globalObject const):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::constructIntlCollator):
        (JSC::callIntlCollator):
        (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorFuncCompare):
        (JSC::IntlCollatorPrototypeGetterCompare):
        (JSC::IntlCollatorPrototypeFuncResolvedOptions):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::constructIntlDateTimeFormat):
        (JSC::callIntlDateTimeFormat):
        (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatFuncFormatDateTime):
        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
        (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
        (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::constructIntlNumberFormat):
        (JSC::callIntlNumberFormat):
        (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatFuncFormatNumber):
        (JSC::IntlNumberFormatPrototypeGetterFormat):
        (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
        (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
        * runtime/IntlObject.cpp:
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRulesConstructor.cpp:
        (JSC::constructIntlPluralRules):
        (JSC::callIntlPluralRules):
        (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
        * runtime/IntlPluralRulesConstructor.h:
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototypeFuncSelect):
        (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
        (JSC::JSGenericArrayBufferConstructor<sharingMode>::constructArrayBuffer):
        (JSC::callArrayBuffer):
        (JSC::arrayBufferFuncIsView):
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::arrayBufferProtoGetterFuncByteLength):
        (JSC::sharedArrayBufferProtoGetterFuncByteLength):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        (JSC::isBoundFunction):
        (JSC::hasInstanceBoundFunction):
        (JSC::JSBoundFunction::boundArgsCopy):
        * runtime/JSBoundFunction.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCell.h:
        * runtime/JSCustomGetterSetterFunction.cpp:
        (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
        * runtime/JSCustomGetterSetterFunction.h:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoGetterBuffer):
        (JSC::dataViewProtoGetterByteLength):
        (JSC::dataViewProtoGetterByteOffset):
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSDateMath.h:
        * runtime/JSFunction.cpp:
        (JSC::callHostFunctionAsConstructor):
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::prototypeForConstruction):
        (JSC::JSFunction::allocateAndInitializeRareData):
        (JSC::JSFunction::initializeRareData):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        (JSC::JSFunction::offsetOfGlobalObject):
        (JSC::JSFunction::globalObject const):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        (JSC::callGenericTypedArrayView):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::makeBoundFunction):
        (JSC::hasOwnLengthProperty):
        (JSC::assertCall):
        (JSC::enqueueJob):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        (JSC::globalFuncParseInt):
        (JSC::globalFuncParseFloat):
        (JSC::globalFuncDecodeURI):
        (JSC::globalFuncDecodeURIComponent):
        (JSC::globalFuncEncodeURI):
        (JSC::globalFuncEncodeURIComponent):
        (JSC::globalFuncEscape):
        (JSC::globalFuncUnescape):
        (JSC::globalFuncThrowTypeError):
        (JSC::globalFuncThrowTypeErrorArgumentsCalleeAndCaller):
        (JSC::globalFuncMakeTypeError):
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        (JSC::globalFuncHostPromiseRejectionTracker):
        (JSC::globalFuncBuiltinLog):
        (JSC::globalFuncBuiltinDescribe):
        (JSC::globalFuncImportModule):
        (JSC::globalFuncPropertyIsEnumerable):
        (JSC::globalFuncOwnKeys):
        (JSC::globalFuncDateTimeFormat):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSLock.h:
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        (JSC::moduleLoaderRequestedModules):
        (JSC::moduleLoaderModuleDeclarationInstantiation):
        (JSC::moduleLoaderResolve):
        (JSC::moduleLoaderResolveSync):
        (JSC::moduleLoaderFetch):
        (JSC::moduleLoaderGetModuleNamespaceObject):
        (JSC::moduleLoaderEvaluate):
        * runtime/JSNativeStdFunction.cpp:
        (JSC::runStdFunction):
        * runtime/JSNativeStdFunction.h:
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSObject.cpp:
        (JSC::objectPrivateFuncInstanceOf):
        * runtime/JSObject.h:
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::constructTypedArrayView):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewPrivateFuncIsTypedArrayView):
        (JSC::typedArrayViewPrivateFuncLength):
        (JSC::typedArrayViewPrivateFuncGetOriginalConstructor):
        (JSC::typedArrayViewPrivateFuncSort):
        (JSC::typedArrayViewProtoFuncSet):
        (JSC::typedArrayViewProtoFuncCopyWithin):
        (JSC::typedArrayViewProtoFuncIncludes):
        (JSC::typedArrayViewProtoFuncLastIndexOf):
        (JSC::typedArrayViewProtoFuncIndexOf):
        (JSC::typedArrayViewProtoFuncJoin):
        (JSC::typedArrayViewProtoGetterFuncBuffer):
        (JSC::typedArrayViewProtoGetterFuncLength):
        (JSC::typedArrayViewProtoGetterFuncByteLength):
        (JSC::typedArrayViewProtoGetterFuncByteOffset):
        (JSC::typedArrayViewProtoFuncReverse):
        (JSC::typedArrayViewPrivateFuncSubarrayCreate):
        (JSC::typedArrayViewProtoFuncSlice):
        (JSC::typedArrayViewProtoGetterFuncToStringTag):
        * runtime/JSTypedArrayViewPrototype.h:
        * runtime/MapConstructor.cpp:
        (JSC::callMap):
        (JSC::constructMap):
        (JSC::mapPrivateFuncMapBucketHead):
        (JSC::mapPrivateFuncMapBucketNext):
        (JSC::mapPrivateFuncMapBucketKey):
        (JSC::mapPrivateFuncMapBucketValue):
        * runtime/MapConstructor.h:
        * runtime/MapPrototype.cpp:
        (JSC::getMap):
        (JSC::mapProtoFuncClear):
        (JSC::mapProtoFuncDelete):
        (JSC::mapProtoFuncGet):
        (JSC::mapProtoFuncHas):
        (JSC::mapProtoFuncSet):
        (JSC::mapProtoFuncSize):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncAbs):
        (JSC::mathProtoFuncACos):
        (JSC::mathProtoFuncASin):
        (JSC::mathProtoFuncATan):
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncCeil):
        (JSC::mathProtoFuncClz32):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncExp):
        (JSC::mathProtoFuncFloor):
        (JSC::mathProtoFuncHypot):
        (JSC::mathProtoFuncLog):
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):
        (JSC::mathProtoFuncRandom):
        (JSC::mathProtoFuncRound):
        (JSC::mathProtoFuncSign):
        (JSC::mathProtoFuncSin):
        (JSC::mathProtoFuncSqrt):
        (JSC::mathProtoFuncTan):
        (JSC::mathProtoFuncIMul):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):
        * runtime/MathObject.h:
        * runtime/Microtask.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor<errorType>::constructNativeErrorConstructor):
        (JSC::NativeErrorConstructor<errorType>::callNativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        * runtime/NativeFunction.h:
        (JSC::NativeFunction::operator()):
        (JSC::TaggedNativeFunction::operator()):
        * runtime/NullGetterFunction.cpp:
        (JSC::NullGetterFunctionInternal::callReturnUndefined):
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunctionInternal::callReturnUndefined):
        * runtime/NumberConstructor.cpp:
        (JSC::constructNumberConstructor):
        (JSC::callNumberConstructor):
        (JSC::numberConstructorFuncIsInteger):
        (JSC::numberConstructorFuncIsSafeInteger):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObjectWithNewTarget):
        (JSC::constructWithObjectConstructor):
        (JSC::callObjectConstructor):
        (JSC::objectConstructorGetPrototypeOf):
        (JSC::objectConstructorSetPrototypeOf):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorGetOwnPropertySymbols):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::objectConstructorDefineProperty):
        (JSC::objectConstructorDefineProperties):
        (JSC::objectConstructorCreate):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
        (JSC::objectConstructorIs):
        (JSC::constructObject): Deleted.
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/ObjectPrototype.h:
        * runtime/ProxyConstructor.cpp:
        (JSC::makeRevocableProxy):
        (JSC::proxyRevocableConstructorThrowError):
        (JSC::constructProxyObject):
        (JSC::callProxy):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        * runtime/ProxyRevoke.cpp:
        (JSC::performProxyRevoke):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        (JSC::reflectObjectDefineProperty):
        (JSC::reflectObjectGet):
        (JSC::reflectObjectGetOwnPropertyDescriptor):
        (JSC::reflectObjectGetPrototypeOf):
        (JSC::reflectObjectIsExtensible):
        (JSC::reflectObjectOwnKeys):
        (JSC::reflectObjectPreventExtensions):
        (JSC::reflectObjectSet):
        (JSC::reflectObjectSetPrototypeOf):
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):
        (JSC::esSpecRegExpCreate):
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTestFast):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncMatchFast):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        (JSC::regExpProtoGetterGlobal):
        (JSC::regExpProtoGetterIgnoreCase):
        (JSC::regExpProtoGetterMultiline):
        (JSC::regExpProtoGetterDotAll):
        (JSC::regExpProtoGetterSticky):
        (JSC::regExpProtoGetterUnicode):
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSource):
        (JSC::regExpProtoFuncSearchFast):
        (JSC::regExpProtoFuncSplitFast):
        * runtime/RegExpPrototype.h:
        * runtime/SetConstructor.cpp:
        (JSC::callSet):
        (JSC::constructSet):
        (JSC::setPrivateFuncSetBucketHead):
        (JSC::setPrivateFuncSetBucketNext):
        (JSC::setPrivateFuncSetBucketKey):
        * runtime/SetConstructor.h:
        * runtime/SetPrototype.cpp:
        (JSC::getSet):
        (JSC::setProtoFuncAdd):
        (JSC::setProtoFuncClear):
        (JSC::setProtoFuncDelete):
        (JSC::setProtoFuncHas):
        (JSC::setProtoFuncSize):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCodePoint):
        (JSC::constructWithStringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncRepeatCharacter):
        (JSC::stringProtoFuncReplaceUsingRegExp):
        (JSC::stringProtoFuncReplaceUsingStringSearch):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncCodePointAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstrImpl):
        (JSC::stringProtoFuncSubstr):
        (JSC::builtinStringSubstrInternal):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncToLocaleLowerCase):
        (JSC::stringProtoFuncToLocaleUpperCase):
        (JSC::stringProtoFuncTrim):
        (JSC::stringProtoFuncTrimStart):
        (JSC::stringProtoFuncTrimEnd):
        (JSC::stringProtoFuncStartsWith):
        (JSC::stringProtoFuncEndsWith):
        (JSC::stringIncludesImpl):
        (JSC::stringProtoFuncIncludes):
        (JSC::builtinStringIncludesInternal):
        (JSC::stringProtoFuncIterator):
        (JSC::stringProtoFuncNormalize):
        * runtime/StringPrototype.h:
        * runtime/SymbolConstructor.cpp:
        (JSC::callSymbol):
        (JSC::symbolConstructorFor):
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolPrototype.cpp:
        (JSC::symbolProtoGetterDescription):
        (JSC::symbolProtoFuncToString):
        (JSC::symbolProtoFuncValueOf):
        * runtime/ThrowScope.h:
        * runtime/TypedArrayController.h:
        * runtime/VM.h:
        * runtime/VMTraps.h:
        * runtime/Watchdog.h:
        * runtime/WeakMapConstructor.cpp:
        (JSC::callWeakMap):
        (JSC::constructWeakMap):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakObjectRefConstructor.cpp:
        (JSC::callWeakRef):
        (JSC::constructWeakRef):
        * runtime/WeakObjectRefPrototype.cpp:
        (JSC::getWeakRef):
        (JSC::protoFuncWeakRefDeref):
        * runtime/WeakSetConstructor.cpp:
        (JSC::callWeakSet):
        (JSC::constructWeakSet):
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):
        (JSC::protoFuncWeakSetDelete):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):
        * tools/JSDollarVM.cpp:
        (JSC::DOMJITGetterComplex::functionEnableException):
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::functionWasmStreamingParserAddBytes):
        (JSC::functionWasmStreamingParserFinalize):
        (JSC::functionCrash):
        (JSC::functionBreakpoint):
        (JSC::functionDFGTrue):
        (JSC::functionFTLTrue):
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionNoInline):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionDumpSubspaceHashes):
        (JSC::functionCallFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::functionDumpRegisters):
        (JSC::functionDumpCell):
        (JSC::functionIndexingMode):
        (JSC::functionInlineCapacity):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::functionHaveABadTime):
        (JSC::functionIsHavingABadTime):
        (JSC::functionCreateGlobalObject):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateNullRopeString):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::functionCreateStaticCustomAccessor):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionGetPrivateProperty):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionFlattenDictionaryObject):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::functionEnableDebuggerModeWhenIdle):
        (JSC::functionDisableDebuggerModeWhenIdle):
        (JSC::functionDeleteAllCodeWhenIdle):
        (JSC::functionGlobalObjectCount):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::functionDeltaBetweenButterflies):
        (JSC::functionTotalGCTime):
        (JSC::functionParseCount):
        (JSC::functionIsWasmSupported):
        * wasm/WasmEmbedder.h:
        * wasm/js/JSWebAssembly.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/JSWebAssembly.h:
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        (JSC::callJSWebAssemblyInstance):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::webAssemblyInstanceProtoFuncExports):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        (JSC::callJSWebAssemblyMemory):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::webAssemblyMemoryProtoFuncGrow):
        (JSC::webAssemblyMemoryProtoFuncBuffer):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::webAssemblyModuleImports):
        (JSC::webAssemblyModuleExports):
        (JSC::constructJSWebAssemblyModule):
        (JSC::callJSWebAssemblyModule):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        (JSC::callJSWebAssemblyTable):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncLength):
        (JSC::webAssemblyTableProtoFuncGrow):
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::callWebAssemblyWrapperFunction):
        * yarr/YarrErrorCode.h:

2019-10-07  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r250750.

        Reverting change as this broke interal test over the weekend.

        Reverted changeset:

        "Allow OSR exit to the LLInt"
        https://bugs.webkit.org/show_bug.cgi?id=197993
        https://trac.webkit.org/changeset/250750

2019-10-04  Ross Kirsling  <ross.kirsling@sony.com>

        Socket-based RWI should base64-encode backend commands on client, not server
        https://bugs.webkit.org/show_bug.cgi?id=202605

        Reviewed by Don Olmstead.

        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::setupInspectorClient):

2019-10-04  Saam Barati  <sbarati@apple.com>

        Allow OSR exit to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=197993

        Reviewed by Tadeu Zagallo.

        This patch makes it so we can OSR exit to the LLInt.
        Here are the interesting implementation details:
        
        1. We no longer baseline compile everything in the inline stack.
        
        2. When the top frame is a LLInt frame, we exit to the corresponding
        LLInt bytecode. However, we need to materialize the LLInt registers
        for PC, PB, and metadata.
        
        3. When dealing with inline call frames where the caller is LLInt, we
        need to return to the appropriate place. Let's consider we're exiting
        at a place A->B (A calls B), where A is LLInt. If A is a normal call,
        we place the return PC in the frame we materialize to B to be right
        after the LLInt's inline cache for calls. If A is a varargs call, we place
        it at the return location for vararg calls. The interesting scenario here
        is where A is a getter/setter. This means that A might be get_by_id,
        get_by_val, put_by_id, or put_by_val. Since the LLInt does not have any
        form of IC for getters/setters, we make this work by creating new LLInt
        "return location" stubs for these opcodes.
        
        4. We need to update what callee saves we store in the callee if the caller frame
        is a LLInt frame. Let's consider an inline stack A->B->C, where A is a LLInt frame.
        When we materialize the stack frame for B, we need to ensure that the LLInt callee
        saves that A uses is stored into B's preserved callee saves. Specifically, this
        is just the PB/metadata registers.
        
        This patch also fixes offlineasm's macro expansion to allow us to
        use computed label names for global labels.
        
        In a future bug, I'm going to investigate some kind of control system for
        throwing away baseline code when we tier up:
        https://bugs.webkit.org/show_bug.cgi?id=202503

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::metadataTable):
        (JSC::CodeBlock::instructionsRawPointer):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExitState::OSRExitState):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::callerReturnPC):
        (JSC::DFG::calleeSaveSlot):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit): Deleted.
        * dfg/DFGOSRExitPreparation.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodePtr):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/asm.rb:
        * offlineasm/transform.rb:
        * runtime/OptionsList.h:

2019-10-04  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r250583.

        Broke multiple internal API tests

        Reverted changeset:

        "[JSC] Place VM* in TLS"
        https://bugs.webkit.org/show_bug.cgi?id=202391
        https://trac.webkit.org/changeset/250583

2019-10-04  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r250594.

        Broke multiple internal API tests

        Reverted changeset:

        "Unreviewed, fix incorrect assertion"
        https://bugs.webkit.org/show_bug.cgi?id=202391
        https://trac.webkit.org/changeset/250594

2019-10-04  Alex Christensen  <achristensen@webkit.org>

        Simplify sandbox enabling macros
        https://bugs.webkit.org/show_bug.cgi?id=202536

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2019-10-03  Christopher Reid  <chris.reid@sony.com>

        [WinCairo] Remote Inspector doesn't gracefully shutdown
        https://bugs.webkit.org/show_bug.cgi?id=202546

        Reviewed by Ross Kirsling.

        Call shutdown before closesocket in windows to close the connection gracefully.

        This also fixes some potential threading issues where m_clientConnection 
        is set on a worker thread but cleared on the main thread.
        Remove callOnMainThread in the server too since execution gets paused during JS breakpoints.

        * inspector/remote/socket/RemoteInspectorServer.cpp:
        * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp:

2019-10-03  Mark Lam  <mark.lam@apple.com>

        Fix testmasm failure on ASan builds.
        https://bugs.webkit.org/show_bug.cgi?id=202554

        Reviewed by Yusuke Suzuki.

        Gigacage is disabled on ASan builds.  So testmasm is sad.  Make the relevant test
        bail gracefully if Gigacage should be disabled.

        Also converted some ASSERTs into RELEASE_ASSERTs.  This is a test.  No reason to
        not assert always.

        * assembler/testmasm.cpp:
        (JSC::testCagePreservesPACFailureBit):

2019-10-03  Ross Kirsling  <ross.kirsling@sony.com>

        Socket RWI client should acquire backend commands from server
        https://bugs.webkit.org/show_bug.cgi?id=202421

        Reviewed by Devin Rousso.

        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::setupInspectorClient):
        (Inspector::RemoteInspectorServer::backendCommands const):
        * inspector/remote/socket/RemoteInspectorServer.h:
        (Inspector::RemoteInspectorServer::setBackendCommandsPath):
        Assuming a path to InspectorBackendCommands.js has been provided,
        read the file and send off its base64-encoded contents in a "BackendCommands" message when setting up a client.

2019-10-03  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: tests under LayoutTests/inspector/debugger are flaky
        https://bugs.webkit.org/show_bug.cgi?id=137131
        <rdar://problem/18461335>

        Reviewed by Devin Rousso.

        Changed breakpoint resolution logic to make it consistent across platforms and
        better handle the case when there are several DebuggerPausePositions at the same
        offset (but with different types).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        * bytecode/CodeBlock.h:
        * debugger/Breakpoint.h: Removed Breakpoint::unspecifiedColumn, Optional<unsigned>
        is used instead where needed. It allows to avoid code that relies on (int)UINT_MAX => -1
        conversion.

        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint): clarified that in the map columns are 0-based.
        * debugger/DebuggerParseData.cpp:
        (JSC::DebuggerPausePositions::breakpointLocationForLineColumn): replaced custom
        binary search with std::lower_bound. If there are several pause positions at the
        same offset they will be sorted by the type and the algorithm is guaranteed to see
        leftmost one first.

        (JSC::DebuggerPausePositions::sort): use type as secondary ordering component.
        * debugger/DebuggerParseData.h: Rearranged type constants so that Enter < Pause < Leave
        this change along with sorting by type should guarantee that in case of several pause
        positions at the same line Enter goes before Pause before Leave and the breakpoint
        resolution will yield result similar to that when each pause locations has different
        position.

        * inspector/protocol/Debugger.json: clarified that positions are 0-based.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::column const): added helper method for computing column.

2019-10-03  Keith Miller  <keith_miller@apple.com>

        Fix assembler on ARM64E
        https://bugs.webkit.org/show_bug.cgi?id=202528

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::callOperation):
        * assembler/MacroAssemblerARM64E.h:
        (JSC::MacroAssemblerARM64E::callOperation):

2019-10-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AsyncGenerator should have internal fields
        https://bugs.webkit.org/show_bug.cgi?id=201498

        Reviewed by Saam Barati.

        This patch introduces JSAsyncGenerator. We did this already for JSGenerator. This patch does the same thing for JSAsyncGenerator
        This patch cleans up JSGenerator's code to share it with JSAsyncGenerator, e.g. JSGenerator::initialValues etc.
        It improves JetStream2/async-fs by ~10%.

        We also fixed the pre-existing bug. We are using OpcodeID for the key of hashmap. And using op_add code as a part of key.
        By adding a new bytecode, it suddenly becomes 0. And 0 is not valid key in WTF::HashMap. This patch adds 1 to opcodeID when using
        for HashMap's key to fix this issue.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.isExecutionState):
        (globalPrivate.isSuspendYieldState):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (asyncGeneratorYieldAwaited):
        (globalPrivate.asyncGeneratorYield):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        (globalPrivate.asyncGeneratorEnqueue):
        * builtins/BuiltinNames.h:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
        (JSC::BytecodeGenerator::emitCreateAsyncGenerator):
        (JSC::BytecodeGenerator::emitYieldPoint):
        (JSC::BytecodeGenerator::emitYield):
        (JSC::BytecodeGenerator::emitAwait):
        (JSC::BytecodeGenerator::emitDelegateYield):
        (JSC::BytecodeGenerator::emitGeneratorStateChange):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitIsAsyncGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::asyncGeneratorInternalFieldIndex):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getAsyncGeneratorInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putAsyncGeneratorInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isAsyncGenerator):
        (JSC::YieldExprNode::emitBytecode):
        (JSC::AwaitExprNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewInternalFieldObject):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::convertToNewGenerator): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject):
        (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
        (JSC::DFG::SpeculativeJIT::compileCreateAsyncGenerator):
        (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject):
        (JSC::DFG::SpeculativeJIT::compileNewGenerator):
        (JSC::DFG::SpeculativeJIT::compileNewAsyncGenerator):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewAsyncGenerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateAsyncGenerator):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITInlines.h:
        (JSC::JIT::copiedArithProfile):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::createInternalFieldObject):
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSAsyncGenerator.cpp: Copied from Source/JavaScriptCore/runtime/JSGenerator.cpp.
        (JSC::JSAsyncGenerator::create):
        (JSC::JSAsyncGenerator::createStructure):
        (JSC::JSAsyncGenerator::JSAsyncGenerator):
        (JSC::JSAsyncGenerator::finishCreation):
        (JSC::JSAsyncGenerator::visitChildren):
        * runtime/JSAsyncGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGenerator.h.
        * runtime/JSAsyncGeneratorFunction.h:
        * runtime/JSGenerator.cpp:
        (JSC::JSGenerator::finishCreation):
        * runtime/JSGenerator.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncGeneratorStructure const):
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:

2019-10-02  Keith Miller  <keith_miller@apple.com>

        FTL OSR exit shouldn't bother updating get_by_id array profiles that have changed modes
        https://bugs.webkit.org/show_bug.cgi?id=202493

        Reviewed by Saam Barati.

        I added this optimization for DFG but forgot to do it for the FTL
        at the same time. This patch rectifies that.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2019-10-02  Paulo Matos  <pmatos@igalia.com>

        Gardening build fix: Hide store64/load64 functions from 32bit
        https://bugs.webkit.org/show_bug.cgi?id=202453

        Unreviewed.

        Prior patch for bug 202250 breaks 32bit builds because functions
        store64 and load64 do not exist. ifdef these functions away from 32bits since
        they are not used in 32bit code path.

        * jit/AssemblyHelpers.h:

2019-10-01  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix incorrect assertion
        https://bugs.webkit.org/show_bug.cgi?id=202391

        * runtime/JSLock.cpp:
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

2019-10-01  Saam Barati  <sbarati@apple.com>

        ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid
        https://bugs.webkit.org/show_bug.cgi?id=199361
        <rdar://problem/52454940>

        Reviewed by Yusuke Suzuki.

        In a prior fix to the object allocation sinking phase, I added code where we
        made sure to insert PutHints over Phis for fields of an object at control flow
        merge points. However, that code didn't consider that the base of the PutHint
        may no longer be a valid heap location. This could cause us to emit invalid
        SSA code by referring to a node which does not dominate the PutHint location.
        This patch fixes the bug to only emit the PutHints when valid.

        This patch also makes it so that DFGValidate actually validates that the graph
        is in valid SSA form. E.g, any use of a node N must be dominated by N.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGValidate.cpp:

2019-10-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Place VM* in TLS
        https://bugs.webkit.org/show_bug.cgi?id=202391

        Reviewed by Mark Lam.

        This patch puts VM* in TLS mainly for debugging purpose. In JSLockHolder, we put VM* and save the old VM* in TLS.
        And JSLockHolder's destructor restores it. It is possible that we have two VMs A and B. After locking A, we enter
        B. In this case, when B's lock is released, we should restore TLS to A. We put the old VM* in JSLockHolder::m_previousVMInTLS
        so that we can restore it in JSLockHolder's destructor.

        This patch also cleans up Lock<JSLock> / std::lock_guard<JSLock> usage in JSRunLoopTimer and JSManagedValue by introducing
        JSLockHolder with LockIfVMIsLive tag. Previously, we are intentionally use `std::lock_guard<JSLock>` since VM* can be dead
        at these places. JSLockHolder with LockIfVMIsLive handles this case carefully: it locks JSLock when VM* is live.

        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/glib/JSCWeakValue.cpp:
        (jsc_weak_value_get_value):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLockHolder::vm):
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::timerDidFire):
        * runtime/VM.cpp:
        (JSC::VM::initializeTLS):
        * runtime/VM.h:
        (JSC::VM::exchange):
        (JSC::VM::current):

2019-10-01  Michael Saboff  <msaboff@apple.com> and Paulo Matos  <pmatos@igalia.com>

        [YARR] Properly handle surrogates when matching back references
        https://bugs.webkit.org/show_bug.cgi?id=202041

        Reviewed by Keith Miller.

        This patch is based on a work in progress patch by Paulo Matos <pmatos@igalia.com>.

        When handling back references in Unicode patterns, we can't match un-decoded surrogate characters,
        instead we need to read and process surrogate pairs.  Changed matchBackreference() to do this,
        including properly incrementing the back reference pattern and search indexes.

        In support of this change, on X86_64 we needed to free up r10 to be used exclusively for
        "patternIndex".  It was also used as a temp in tryReadUnicodeCharImpl().  Made a new named
        temp register, called unicodeTemp, to take the place of regT2(r10) in tryReadUnicodeCharImpl.
        This new temp is r14 on X86_64 and X5 on ARM64.  To free up r14 on X86_64, changed the
        old leadingSurrogateTag to be a literal.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::matchBackreference):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates): Deleted.

2019-10-01  Keith Miller  <keith_miller@apple.com>

        Add support for the Wasm multi-value proposal
        https://bugs.webkit.org/show_bug.cgi?id=202250

        Reviewed by Saam Barati.

        The wasm multi-value proposal makes two major changes to the
        spec. The first is that functions may now return more than one
        value across calls. When calling to/from JS, if there is more than
        one return type we return/receive a JSArray/Iterable,
        respectively. In the Wasm calls JS case, if the iteratable object
        does not vend the exact number of objects expected by the
        signature an error is thrown.

        The second major change in the multi-value proposal allows blocks
        to have any signature type. This works in a backwards compatible
        way by exploiting the fact that the old value-type thunk signatures
        (where the block takes no arguments and returns just the value
        type i.e. [] -> [type]) were always encoded as a negative
        number. If a block has a function signature, it is encoded as a
        positive index into the type section. When a block has a function
        signature type then the values from the enclosing stack are popped
        off that stack and added to the new block's stack. In the case of
        a br/br_if to a Loop block the "argument" values should be on the
        brancher's stack.

        The biggest change in this patch is stripping down the
        WasmCallingConventions file into one simpler API that just tells
        you where the each argument should be located. It also now handles
        adding or subtracting sizeof(CallerFrameAndPC) depending on
        whether you are caller or callee. Additionally, when computing
        locations for the callee it returns a B3::ValueRep that has the
        offsetFromFP rather than offsetFromSP. Since the code has been
        cleaned up I tried to also reduce code duplication in the various
        stubs for wasm code. This patch also removes the Air specific
        calling convention code and moves that logic into the Air IR
        generator.

        Since blocks can now have arbitrary signatures the control entries
        now use a const signature* rather than just the return
        type. Additionally, what used to be the result phi is now the phis
        for all the results for non-loop blocks and the arguments for a
        loop block. Due to the control flow restrictions of wasm
        conveniently we don't have to worry about generating non-optimal
        SSA, thus we can just use phis directly rather than using a
        variable.

        Lastly, to help clean up some code in the IR generators new helper
        methods were added to create call Patchpoints. These helpers do
        most of the boiler-plate initialization.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::ImplicitAddress::ImplicitAddress):
        * assembler/LinkBuffer.cpp:
        (JSC::shouldDumpDisassemblyFor):
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::callOperation):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callOperation):
        * b3/B3LowerToAir.cpp:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        (JSC::B3::PatchpointSpecial::isValid):
        (JSC::B3::PatchpointSpecial::admitsStack):
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::resultCount const):
        (JSC::B3::Procedure::typeAtOffset const):
        (JSC::B3::Procedure::returnCount const): Deleted.
        * b3/B3StackmapGenerationParams.cpp:
        (JSC::B3::StackmapGenerationParams::code const):
        * b3/B3StackmapGenerationParams.h:
        * b3/B3ValueRep.h:
        * b3/air/AirHelpers.h: Added.
        (JSC::B3::Air::moveForType):
        (JSC::B3::Air::relaxedMoveForType):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::store64FromReg):
        (JSC::AssemblyHelpers::store32FromReg):
        (JSC::AssemblyHelpers::load64ToReg):
        (JSC::AssemblyHelpers::load32ToReg):
        * runtime/JSCConfig.h:
        * runtime/OptionsList.h:
        * tools/JSDollarVM.cpp:
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpValue):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::ConstrainedTmp::operator bool const):
        (JSC::Wasm::TypedTmp::dump const):
        (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
        (JSC::Wasm::AirIRGenerator::ControlData::dump const):
        (JSC::Wasm::AirIRGenerator::ControlData::blockType const):
        (JSC::Wasm::AirIRGenerator::ControlData::signature const):
        (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
        (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
        (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
        (JSC::Wasm::AirIRGenerator::emitCallPatchpoint):
        (JSC::Wasm::AirIRGenerator::validateInst):
        (JSC::Wasm::AirIRGenerator::tmpsForSignature):
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::toB3ResultType):
        (JSC::Wasm::AirIRGenerator::addBottom):
        (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
        (JSC::Wasm::AirIRGenerator::addTopLevel):
        (JSC::Wasm::AirIRGenerator::addLoop):
        (JSC::Wasm::AirIRGenerator::addBlock):
        (JSC::Wasm::AirIRGenerator::addIf):
        (JSC::Wasm::AirIRGenerator::addElse):
        (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
        (JSC::Wasm::AirIRGenerator::addReturn):
        (JSC::Wasm::AirIRGenerator::addBranch):
        (JSC::Wasm::AirIRGenerator::addSwitch):
        (JSC::Wasm::AirIRGenerator::endBlock):
        (JSC::Wasm::AirIRGenerator::addCall):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        (JSC::Wasm::dumpExpressionStack):
        (JSC::Wasm::AirIRGenerator::dump):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        (JSC::Wasm::AirIRGenerator::ControlData::type const): Deleted.
        (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const): Deleted.
        (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::ControlData::ControlData):
        (JSC::Wasm::B3IRGenerator::ControlData::dump const):
        (JSC::Wasm::B3IRGenerator::ControlData::blockType const):
        (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const):
        (JSC::Wasm::B3IRGenerator::ControlData::targetBlockForBranch):
        (JSC::Wasm::B3IRGenerator::ControlData::convertIfToBlock):
        (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::framePointer):
        (JSC::Wasm::B3IRGenerator::toB3ResultType):
        (JSC::Wasm::B3IRGenerator::addArguments):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addLoop):
        (JSC::Wasm::B3IRGenerator::addTopLevel):
        (JSC::Wasm::B3IRGenerator::addBlock):
        (JSC::Wasm::B3IRGenerator::addIf):
        (JSC::Wasm::B3IRGenerator::addElse):
        (JSC::Wasm::B3IRGenerator::addElseToUnreachable):
        (JSC::Wasm::B3IRGenerator::addReturn):
        (JSC::Wasm::B3IRGenerator::addBranch):
        (JSC::Wasm::B3IRGenerator::addSwitch):
        (JSC::Wasm::B3IRGenerator::endBlock):
        (JSC::Wasm::B3IRGenerator::createCallPatchpoint):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::B3IRGenerator::ControlData::type const): Deleted.
        (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidSignature const): Deleted.
        (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch const): Deleted.
        (JSC::Wasm::B3IRGenerator::createStack): Deleted.
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::didReceiveFunctionData):
        (JSC::Wasm::BBQPlan::parseAndValidateModule):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCallingConvention.cpp:
        (JSC::Wasm::jsCallingConvention):
        (JSC::Wasm::wasmCallingConvention):
        (JSC::Wasm::jscCallingConvention): Deleted.
        (JSC::Wasm::jscCallingConventionAir): Deleted.
        (JSC::Wasm::wasmCallingConventionAir): Deleted.
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallInformation::CallInformation):
        (JSC::Wasm::CallInformation::computeResultsOffsetList):
        (JSC::Wasm::WasmCallingConvention::WasmCallingConvention):
        (JSC::Wasm::WasmCallingConvention::marshallLocationImpl const):
        (JSC::Wasm::WasmCallingConvention::marshallLocation const):
        (JSC::Wasm::WasmCallingConvention::callInformationFor const):
        (JSC::Wasm::JSCallingConvention::JSCallingConvention):
        (JSC::Wasm::JSCallingConvention::marshallLocationImpl const):
        (JSC::Wasm::JSCallingConvention::marshallLocation const):
        (JSC::Wasm::JSCallingConvention::callInformationFor const):
        (JSC::Wasm::CallingConvention::CallingConvention): Deleted.
        (JSC::Wasm::CallingConvention::marshallArgumentImpl const): Deleted.
        (JSC::Wasm::CallingConvention::marshallArgument const): Deleted.
        (JSC::Wasm::CallingConvention::headerSizeInBytes): Deleted.
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const): Deleted.
        (JSC::Wasm::CallingConvention::loadArguments const): Deleted.
        (JSC::Wasm::CallingConvention::setupCall const): Deleted.
        (JSC::Wasm::CallingConventionAir::CallingConventionAir): Deleted.
        (JSC::Wasm::CallingConventionAir::prologueScratch const): Deleted.
        (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const): Deleted.
        (JSC::Wasm::CallingConventionAir::marshallArgument const): Deleted.
        (JSC::Wasm::CallingConventionAir::headerSizeInBytes): Deleted.
        (JSC::Wasm::CallingConventionAir::loadArguments const): Deleted.
        (JSC::Wasm::CallingConventionAir::setupCall const): Deleted.
        (JSC::Wasm::nextJSCOffset): Deleted.
        * wasm/WasmFormat.h:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::splitStack):
        (JSC::Wasm::FunctionParser::signature const):
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmInstance.h:
        * wasm/WasmMemoryInformation.cpp:
        (JSC::Wasm::getPinnedRegisters):
        * wasm/WasmOMGForOSREntryPlan.cpp:
        (JSC::Wasm::OMGForOSREntryPlan::work):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmParser.h:
        (JSC::Wasm::FailureHelper::makeString):
        (JSC::Wasm::Parser<SuccessType>::Parser):
        (JSC::Wasm::Parser<SuccessType>::peekInt7):
        (JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
        (JSC::Wasm::Parser<SuccessType>::parseValueType):
        (JSC::Wasm::Parser<SuccessType>::parseResultType): Deleted.
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseStart):
        * wasm/WasmSectionParser.h:
        * wasm/WasmSignature.cpp:
        (JSC::Wasm::Signature::toString const):
        (JSC::Wasm::Signature::dump const):
        (JSC::Wasm::computeHash):
        (JSC::Wasm::Signature::hash const):
        (JSC::Wasm::Signature::tryCreate):
        (JSC::Wasm::SignatureInformation::SignatureInformation):
        (JSC::Wasm::ParameterTypes::hash):
        (JSC::Wasm::ParameterTypes::equal):
        (JSC::Wasm::ParameterTypes::translate):
        (JSC::Wasm::SignatureInformation::signatureFor):
        (JSC::Wasm::SignatureInformation::adopt): Deleted.
        * wasm/WasmSignature.h:
        (JSC::Wasm::Signature::Signature):
        (JSC::Wasm::Signature::allocatedSize):
        (JSC::Wasm::Signature::returnCount const):
        (JSC::Wasm::Signature::returnType const):
        (JSC::Wasm::Signature::returnsVoid const):
        (JSC::Wasm::Signature::argument const):
        (JSC::Wasm::Signature::operator== const):
        (JSC::Wasm::Signature::getReturnType):
        (JSC::Wasm::Signature::getArgument):
        (JSC::Wasm::SignatureHash::SignatureHash):
        (JSC::Wasm::SignatureHash::equal):
        (JSC::Wasm::SignatureInformation::thunkFor const):
        (JSC::Wasm::Signature::returnType): Deleted.
        (JSC::Wasm::Signature::argument): Deleted.
        * wasm/WasmStreamingParser.cpp:
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        * wasm/WasmStreamingParser.h:
        (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
        (JSC::Wasm::StreamingParser::reportError):
        (JSC::Wasm::StreamingParserClient::didReceiveFunctionData): Deleted.
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
        (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::ControlData::ControlData):
        (JSC::Wasm::Validate::ControlData::dump const):
        (JSC::Wasm::Validate::ControlData::blockType const):
        (JSC::Wasm::Validate::ControlData::signature const):
        (JSC::Wasm::Validate::ControlData::branchTargetArity const):
        (JSC::Wasm::Validate::ControlData::branchTargetType const):
        (JSC::Wasm::Validate::fail const):
        (JSC::Wasm::Validate::addTableGet):
        (JSC::Wasm::Validate::addTableGrow):
        (JSC::Wasm::Validate::addTableFill):
        (JSC::Wasm::Validate::addRefIsNull):
        (JSC::Wasm::Validate::addTopLevel):
        (JSC::Wasm::splitStack):
        (JSC::Wasm::Validate::addBlock):
        (JSC::Wasm::Validate::addLoop):
        (JSC::Wasm::Validate::addIf):
        (JSC::Wasm::Validate::addElseToUnreachable):
        (JSC::Wasm::Validate::addReturn):
        (JSC::Wasm::Validate::checkBranchTarget):
        (JSC::Wasm::Validate::addSwitch):
        (JSC::Wasm::Validate::addGrowMemory):
        (JSC::Wasm::Validate::addEndToUnreachable):
        (JSC::Wasm::Validate::addCall):
        (JSC::Wasm::Validate::addCallIndirect):
        (JSC::Wasm::Validate::unify):
        (JSC::Wasm::Validate::ControlData::hasNonVoidSignature const): Deleted.
        (JSC::Wasm::Validate::ControlData::type const): Deleted.
        (JSC::Wasm::Validate::ControlData::branchTargetSignature const): Deleted.
        * wasm/generateWasmOpsHeader.py:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::boxWasmResult):
        (JSC::Wasm::allocateResultsArray):
        (JSC::Wasm::marshallJSResult):
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSToWasm.h:
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        * wasm/js/WasmToJS.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::useTagRegisters const):
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):

2019-09-30  Alex Christensen  <achristensen@webkit.org>

        Resurrect Mac CMake build
        https://bugs.webkit.org/show_bug.cgi?id=202384

        Rubber-stamped by Tim Horton.

        * PlatformMac.cmake:

2019-09-30  Alex Christensen  <achristensen@webkit.org>

        Rename JSTokenType::EXPORT to EXPORT_ to avoid naming conflict with internal header
        https://bugs.webkit.org/show_bug.cgi?id=202385

        * parser/Keywords.table:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        * parser/ParserTokens.h:

2019-09-30  Tadeu Zagallo  <tzagallo@apple.com>

        Make assertion in JSObject::putOwnDataProperty more precise
        https://bugs.webkit.org/show_bug.cgi?id=202379
        <rdar://problem/49515980>

        Reviewed by Yusuke Suzuki.

        Currently, we assert that the structure has no accessors/custom accessors, but that assertion is
        too conservative. All we need to prove is that the property being inserted either does not exist
        in the target object or is neither an accessor nor read-only.

        * runtime/JSObject.h:
        (JSC::JSObject::putOwnDataProperty): Deleted.
        (JSC::JSObject::putOwnDataPropertyMayBeIndex): Deleted.
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::validatePutOwnDataProperty):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putOwnDataPropertyMayBeIndex):

2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] HeapSnapshotBuilder m_rootData should be protected with a lock too
        https://bugs.webkit.org/show_bug.cgi?id=202389
        <rdar://problem/50717564>

        Reviewed by Mark Lam.

        While we are protecting HeapSnapshotBuilder::m_edges with a lock, we are not protecting m_rootData, which is also concurrently modified.
        This patch protects it.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell):

2019-09-30  Saam Barati  <sbarati@apple.com>

        Inline caching is wrong for custom accessors and custom values
        https://bugs.webkit.org/show_bug.cgi?id=201994
        <rdar://problem/50850326>

        Reviewed by Yusuke Suzuki.

        There was an oversight in our inline caching code for custom accessors and
        custom values. We used to assume that if an object O had a custom function for
        property P, then O will forever respond to the same custom function for
        property P.
        
        This assumption was very wrong. These custom accessors/values might be
        properties in JS which are configurable, so they can be rewritten to be
        other properties. Our inline caching code would be wrong in the scenarios
        where these property descriptors got redefined.
        
        This patch makes it so that we now properly watchpoint for custom functions
        being changed. If the custom accessor has been materialized, we place an
        Equivalence watchpoint on the custom accessor. This patch also teaches
        StructureStubInfo how to watchpoint on property value equivalence. Before,
        we just watchpointed on structure transitions.
        
        This patch also adds a new property condition kind for when the custom function
        exists inside the static property table. This case is really easy to test for
        because we just need to see if the structure still has static properties and
        the static property table has the entry for a particular property. This
        property condition kind just needs to watch for structure transitions because
        an entry in the static property table can't be mutated.
        
        This patch is neutral on the microbenchmarks I've added.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::AccessCase):
        (JSC::AccessCase::couldStillSucceed const):
        (JSC::AccessCase::generateImpl):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::customFunctionEquivalence):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::hasOneSlotBaseCondition const):
        (JSC::ObjectPropertyConditionSet::slotBaseCondition const):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PolyProtoAccessChain.cpp:
        (JSC::PolyProtoAccessChain::create):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::installWatchpoint):
        (JSC::PolymorphicAccess::commit):
        (JSC::AccessGenerationState::addWatchpoint): Deleted.
        * bytecode/PolymorphicAccess.h:
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext const):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isStillValid const):
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::customFunctionEquivalence):
        (JSC::PropertyCondition::hash const):
        (JSC::PropertyCondition::operator== const):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal):
        (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndInstallWatchpoint):
        (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
        (JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire):
        (JSC::StructureStubClearingWatchpoint::fireInternal): Deleted.
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        * runtime/ClassInfo.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::findPropertyHashEntry const):
        * runtime/JSObject.h:
        * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
        * runtime/Structure.cpp:
        (JSC::Structure::findPropertyHashEntry const):
        * runtime/Structure.h:
        * tools/JSDollarVM.cpp:
        (JSC::testStaticAccessorGetter):
        (JSC::testStaticAccessorPutter):
        (JSC::StaticCustomAccessor::StaticCustomAccessor):
        (JSC::StaticCustomAccessor::createStructure):
        (JSC::StaticCustomAccessor::create):
        (JSC::StaticCustomAccessor::getOwnPropertySlot):
        (JSC::functionCreateStaticCustomAccessor):
        (JSC::JSDollarVM::finishCreation):

2019-09-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
        https://bugs.webkit.org/show_bug.cgi?id=202382
        <rdar://problem/52669112>

        Reviewed by Saam Barati.

        If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments,
        we fold it to constant False. But this is wrong since `false == 0` is true in JS.
        This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types
        if one of them are seen.

        * bytecode/SpeculatedType.cpp:
        (JSC::leastUpperBoundOfEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):

2019-09-28  Adrian Perez de Castro  <aperez@igalia.com>

        [GTK][WPE] Fix non-unified build issue caused by r250440
        https://bugs.webkit.org/show_bug.cgi?id=202349

        Reviewed by Mark Lam.

        * dfg/DFGOSRExit.cpp: Add missing inclusion of the BytecodeUseDef.h header.

2019-09-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
        https://bugs.webkit.org/show_bug.cgi?id=202330

        Reviewed by Saam Barati.

        In toLocaleLowerCase and toLocaleUpperCase, we get `const String&` from JSString* and use it.
        But if this string is newly created one in toLocaleLowerCase and toLocaleUpperCase (like, passing a number, and number.toString() is called
        in C++), after getting `const String&`, our C++ code potentially does not have any reference to the owner of this `const String&`. So, this
        JSString* can be collected by GC, while `const String&` is used. This makes `const String&` destroyed, and causes crash.

        In this patch, we receive it as `String` instead of `const String&` to ref it. This ensures that this string is live even if the owner is collected.
        I grepped the source code and make this changes conservatively to places which looks dangerous. And I added error checks more after calling `value(exec)`.

        In this patch, I didn't introduce the change like that: `JSString::value(ExecState*)` returns `String` instead of `const String&`. Some of places are
        really performance sensitive and we want to use the current behavior when we can ensure the owners are alive. We could figure out these points, and we
        can change the default behavior of `JSString::value` function to returning `String`. But for now, I plan it as a future work.

        * dfg/DFGOperations.cpp:
        * jsc.cpp:
        (GlobalObject::moduleLoaderImportModule):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/StringPrototype.cpp:
        (JSC::toLocaleCase):
        (JSC::stringProtoFuncToLocaleLowerCase):
        (JSC::stringProtoFuncToLocaleUpperCase):
        * tools/JSDollarVM.cpp:
        (JSC::functionCreateBuiltin):

2019-09-27  Keith Miller  <keith_miller@apple.com>

        OSR exit shouldn't bother updating get_by_id array profiles that have changed modes
        https://bugs.webkit.org/show_bug.cgi?id=202324
        <rdar://problem/52669110>

        Reviewed by Yusuke Suzuki.

        This is an optimization that avoids polluting the array profile.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::OSRExit::compileExit):

2019-09-27  Alexey Shvayka  <shvaikalesh@gmail.com>

        Non-standard Error properties should not be enumerable
        https://bugs.webkit.org/show_bug.cgi?id=198975

        Reviewed by Ross Kirsling.

        Define non-standard Error properties "line", "column", and "sourceURL" as non-enumerable to match other engines.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):

2019-09-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG recursive-tail-call optimization should not emit jump to call-frame with varargs
        https://bugs.webkit.org/show_bug.cgi?id=202299
        <rdar://problem/52669116>

        Reviewed by Saam Barati.

        When converting recursive-tail-call to jump to the upper call frame, we picked call-frame which is spread by LoadVarargs.
        This is wrong since this call-frame does not know the exact number of arguments. We are using InlineCallFrame::argumentCountIncludingThis,
        but this is maximal argumentCountIncludingThis when InlineCallFrame is Varargs call-frame. Let's see the simple example.

            'use strict';
            var count = 0;
            function foo() {
                count--;
                if (count === 0)
                    return 30;
                return foo(42, 42); // HERE
            }

            function test() {
                count = 100;
                return foo(...[42, 42]); // THERE
            }
            noInline(test);

        In the above case, currently, we convert HERE's foo call to the jump to the prologue of the foo function inlined by "test". But since foo is called
        in a varargs form, "test" emits LoadVarargs, and it also emits `SetArgumentMaybe` for 1st and 2nd arguments. Since HERE's foo call is actually passing
        two arguments, we emit a Phi node which Upsilon is from SetArgumentMaybe and 42 Constant. This is wrong since SetArgumentMaybe should not be used. Later,
        SSA conversion phase emits Upsilon with SetArgumentMaybe, and since SetArgumentMaybe is simply removed in SSA conversion phase, it ends up emitting
        Upsilon without a child.

        We are currently only performing recursive-tail-call optimization when argument count matches. Given this condition, we should not pick varargs CallFrame
        as a jump target.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):

2019-09-26  Alexey Shvayka  <shvaikalesh@gmail.com>

        toExponential, toFixed, and toPrecision should allow arguments up to 100
        https://bugs.webkit.org/show_bug.cgi?id=199163

        Reviewed by Ross Kirsling.

        Previously, the spec gave fixed range of [0,20] for Number.prototype.{toExponential,toFixed} argument and
        range of [1,21] for Number.prototype.toPrecision argument, but allowed implementations to permit a larger range.
        Historically, only SpiderMonkey accepted a larger range, and other implementations threw a RangeError outside the range.
        Later the spec was changed (see https://github.com/tc39/ecma262/pull/857) to specify the SpiderMonkey behavior.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential): Accept arguments between 0 and 100.
        (JSC::numberProtoFuncToFixed): Accept arguments between 0 and 100.
        (JSC::numberProtoFuncToPrecision): Accept arguments between 1 and 100.
        (JSC::getIntegerArgumentInRange): Inline to improve readability.

2019-09-26  Mark Lam  <mark.lam@apple.com>

        We need to initialize the Gigacage first in setJITEnabled() when disabling the JIT.
        https://bugs.webkit.org/show_bug.cgi?id=202257

        Reviewed by Saam Barati.

        Because of an OS quirk, even after the JIT region has been unmapped, the OS thinks
        that region is reserved, and as such, can cause Gigacage allocation to fail.  We
        work around this by initializing the Gigacage first.

        Note: when called, setJITEnabled() is always called extra early in the process
        bootstrap.  Under normal operation (when setJITEnabled() isn't called at all), we
        will naturally initialize the Gigacage before we allocate the JIT region. 
        Hence, this workaround is merely ensuring the same behavior of allocation ordering.

        This patch only applies to iOS.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::setJITEnabled):

2019-09-25  Guillaume Emont  <guijemont@igalia.com>

        testapi: slow devices need more time before watchdog fires
        https://bugs.webkit.org/show_bug.cgi?id=202149

        Reviewed by Mark Lam.

        In testExecutionTimeLimit(), the time that we leave for the watchdog
        to fire is often not enough on (slower) arm and mips devices, creating
        a testapi failure.
        This change also skips FTL-specific testing when FTL is disabled.

        * API/tests/ExecutionTimeLimitTest.cpp:
        (testExecutionTimeLimit):

2019-09-24  Christopher Reid  <chris.reid@sony.com>

        [WinCairo] Start RemoteInspectorServer
        https://bugs.webkit.org/show_bug.cgi?id=199938
        <rdar://problem/53323048>

        Reviewed by Fujii Hironori.

        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp:
          - Fixed some network byte order issues
          - Need to check for POLLHUP in isReadable as closed windows sockets don't have POLLIN set

2019-09-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        [ES6] Come up with a test for Proxy.[[GetOwnProperty]] that tests the isExtensible error when the  result of the trap is undefined
        https://bugs.webkit.org/show_bug.cgi?id=154376

        Reviewed by Ross Kirsling.

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty): Remove resolved FIXME comments.

2019-09-24  Alexey Proskuryakov  <ap@apple.com>

        JavaScriptCore (still) doesn't unlock the engineering keychain
        https://bugs.webkit.org/show_bug.cgi?id=202123

        Reviewed by Dan Bernstein.

        Unlike WebKit, JavaScriptCore only defines CODE_SIGN_IDENTITY in ToolExecutable
        configuration, not in DebugRelease. As a result, it's not defined when running
        the script for Unlock Keychain phase.

        Fix this by moving CODE_SIGN_IDENTITY to DebugRelease configuration, matching
        WebKit. As a result, we are now using consistent signing options in all targets.

        * Configurations/DebugRelease.xcconfig:
        * Configurations/ToolExecutable.xcconfig:
        When moving, removed a special case for Production, as that's never used with
        DebugRelease (also, the Profile case was incorrect).

2019-09-24  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueBitRShift into DFG
        https://bugs.webkit.org/show_bug.cgi?id=192663

        Reviewed by Robin Morisset.

        We are introducing a new node called ValueBitRShift that is
        responsible to handle speculation of `UntypedUse` and `BigIntUse` during
        DFG. Following the approach of other bitwise operations, we
        now have 2 nodes to handle ">>" operator during JIT, mainly because
        of the introduction of BigInt, that makes this operator result into
        Int32 or BigInt. We renamed `BitRShift` to `ArithBitRShift` and such
        node handles Integers and Numbers speculation and can only return
        Int32 values.

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Opcode.h:

        Adding support to ValueProfile to `op_rshift` to be used during
        prediction propagation.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

        Adding support to still do constant propagation of ValueBitRShift when
        it is `UntypedUse`.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

        `ValueBitRshift` can trigger GC when it is `BigIntUse` because the
        operation `JSBigInt::signedRightShift` potentially allocates new
        JSBigInts. It also can trigger GC when it is `UntypedUse` because it
        can execute arbitrary code.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        The fixup rule of `ValueBitRShift` checks if it should fixup for
        `BigIntUse` or `UntypedUse`. If those checks fail, we fallback to
        `ArithBitRShift`.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNumericResult):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:

        We are using the same rule used by `ValueBitLShift` to propagate
        types. We try to propagate the type based on operation's input, but
        fallback to `getHeapPrediction()` if this is not possible.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
        (JSC::DFG::SpeculativeJIT::compileValueBitRShift):
        (JSC::DFG::SpeculativeJIT::compileShiftOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shiftOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitRShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitRShift): Deleted.
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2019-09-24  Mark Lam  <mark.lam@apple.com>

        Refactor cellSize() out of VMInspector::verifyCellSize().
        https://bugs.webkit.org/show_bug.cgi?id=202132

        Reviewed by Saam Barati.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CellSize.h: Added.
        (JSC::isDynamicallySizedType):
        (JSC::cellSize):
        * runtime/DirectArguments.h:
        * runtime/JSBigInt.h:
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSType.h:
        (JSC::isDynamicallySizedType): Deleted.
        * tools/VMInspectorInlines.h:
        (JSC::VMInspector::verifyCellSize):

2019-09-23  Mark Lam  <mark.lam@apple.com>

        Introducing Integrity audit functions.
        https://bugs.webkit.org/show_bug.cgi?id=202085

        Reviewed by Saam Barati.

        This patch's main goal is to introduce the Integrity audit functions.  They can
        be used wherever we want to audit a cell to probabilistically ensure it is not
        corrupted.  However, to keep this patch small, we will only introduce the audit
        tool here with one example use in SlotVisitor.  We'll follow up later with more
        patches to deploy this tool throughout the VM.

        1. Introduced Integrity audit functions that can be configured at several
           AuditLevels:
               None - don't do any audits.
               Minimal - do a minimal quick audit (minimize perf impact).
               Full - do a full audit of the many aspects of a cell.
               Random - randomly do a full audit with a probability dictated by
                    Options::randomIntegrityAuditRate() between 0.0 (never audit) and
                    1.0 (audit at every chance).

           The default AuditLevel for Debug builds is Random.
           The default AuditLevel for Release builds is None.
           The default Options::randomIntegrityAuditRate() is 0.05.

           How full audits work?
           ====================
           The full audit uses the VMInspector::verifyCell() template function to do its
           job.  The reason for keeping this separate is to allow the template function
           to be used later for debug checks that want to take some custom action on
           verification failure instead of crashing with a RELEASE_ASSERT.

           Full audit of a cell pointer includes:
           a. Verify that a cell designated as a LargeAllocation is in the heap's
              set of LargeAllocations.

           b. Verify that a cell not designated as a LargeAllocation is actually in its
              MarkedBlock's bounds.

           c. Verify that the cell's container (LargeAllocation / MarkedBlock) actually
              belongs to the current VM.

           d. Verify that a cell in a MarkedBlock is properly aligned on the block's
              allocation unit size.

           e. If the cell is not an ImmutableButterfly, verify that it is not located in
              the Gigacage.

           f. Verify that the cell's JSType matches its StructureBlob's JSType.

           g. Verify that the cell size as dictated by the cell ClassInfo does not exceed
              the size of the allocation unit size (as expected by the container
              MarkedBlock or LargeAllocation).

              Some cells are dynamically size (see isDynamicallySizedType()).  For these
              cells, we compute their sizes and verify that the size does not exceed the
              allocation unit size.  Their sizes should also be greater or equal to the
              static cell size as dictated by their ClassInfo.

           h. If a cell has a butterfly, verify that the butterfly is in its the JSValue
              Gigacage.

           We can add more verifications later, or make some these more robust, but this
           is a start for now.

           How random audits work?
           ======================
           Random audits are triggered by the m_triggerBits bits in VM::m_integrityRandom.
           m_triggerBits is a 64-bit bitfield.

           If Options::randomIntegrityAuditRate() is 0, m_triggerBits will always be 0,
           and no audits will be done.

           If Options::randomIntegrityAuditRate() is non-zero, m_triggerBits will be
           initialized as follows:

                | 1 reload bit | ... 63 trigger bits ... |

           The reload bit is always set (more details below).
           Each of the 63 trigger bits are randomly set depending if the following is true
           for the bit:

                VM::random() <= Options::randomIntegrityAuditRate() * UINT_MAX

           When Integrity::auditCell() is called, we take the bottom bit as the trigger
           bit for the current cell, and shifts the rest down by 1.

           If m_triggerBits is non-null after the shift, the taken trigger bit will dictate
           whether we do a full audit on the current cell or not.

           Once the reload bit reaches the bottom, we call a reload function to
           re-initialize m_triggerBits.  The reload function also returns a bool
           indicating whether to trigger a full audit of the current cell.

           With this scheme, we only need to call the reload function once every 64 calls
           to Integrity::auditCell(), and can efficiently determine whether to trigger
           the audit the other 63 times with the probability specified in
           Options::randomIntegrityAuditRate().

        2. Embedded the C++ class size of JSCells into their ClassInfo.  This is used in
           the full audits to verify cell sizes.

        3. Added isDynamicallySizedType() to check if a JSType has a dynamic size allocation
           i.e. the size of instances of this type is not determined by the static C++
           size of its class, but rather, depends on some runtime variable.

        4. Made the VMInspector a friend of several classes so that it can access their
           private methods and fields.

        5. Moved the inline function JSBigInt::allocationSize() from BigInt.cpp to its
           header file so that we can use it in VMInspector::verifyCellSize().

        6. Gave the JSModuleNamespaceObject() its own JSType so that we can identify it
           as a dynamically sized object.

        7. Increased the randomness of VM::random() (which is implemented with WeakRandom)
           by re-seeding it with a cryptographically random number each GC.

        8. Called Integrity::auditCell() on SlotVisitor::appendJSCellOrAuxiliary()'s cell
           as an example use of auditCell().  More uses will be added in later patches to
           follow.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/Heap.cpp:
        (JSC::Heap::runBeginPhase):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendJSCellOrAuxiliary):
        * runtime/ClassInfo.h:
        * runtime/DirectArguments.h:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocationSize): Deleted.
        * runtime/JSBigInt.h:
        (JSC::JSBigInt::allocationSize):
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:
        (JSC::isDynamicallySizedType):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/OptionsList.h:
        * runtime/Structure.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::random):
        (JSC::VM::integrityRandom):
        * tools/Integrity.cpp: Added.
        (JSC::Integrity::Random::Random):
        (JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
        (JSC::Integrity::auditCellFully):
        (JSC::Integrity::auditCellMinimallySlow):
        * tools/Integrity.h: Added.
        (JSC::Integrity::auditCell):
        * tools/IntegrityInlines.h: Added.
        (JSC::Integrity::Random::shouldAudit):
        (JSC::Integrity::auditCellMinimally):
        (JSC::Integrity::auditCellRandomly):
        * tools/VMInspector.h:
        (JSC::VMInspector::unusedVerifier):
        (JSC::VMInspector::verifyCellSize):
        * tools/VMInspectorInlines.h: Added.
        (JSC::VMInspector::verifyCellSize):
        (JSC::VMInspector::verifyCell):

2019-09-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r250262.
        https://bugs.webkit.org/show_bug.cgi?id=202126

        "Breaks Win64 builds because of MSVC bug" (Requested by mlam|a
        on #webkit).

        Reverted changeset:

        "Reduce the amount of memory needed to store Options."
        https://bugs.webkit.org/show_bug.cgi?id=202105
        https://trac.webkit.org/changeset/250262

2019-09-23  Ross Kirsling  <ross.kirsling@sony.com>

        Array methods should throw TypeError upon attempting to modify a string
        https://bugs.webkit.org/show_bug.cgi?id=201910

        Reviewed by Keith Miller.

        We currently allow Array prototype methods to modify strings that they are called upon in certain cases.
        (In particular, we're inconsistent about permitting writes to the length property.)

        According to section 22.1.3 of the ES spec, this should result in a TypeError.
        https://tc39.es/ecma262/#sec-properties-of-the-array-prototype-object
        (Test262 cases are needed, but the key is that all such methods use Set(..., true) which throws on failure.)

        * runtime/ArrayPrototype.cpp:
        (JSC::putLength):
        (JSC::setLength):
        Never update the length property of a non-JSArray without checking whether we're actually allowed to.

2019-09-23  Mark Lam  <mark.lam@apple.com>

        Lazy JSGlobalObject property materialization should not use putDirectWithoutTransition.
        https://bugs.webkit.org/show_bug.cgi?id=202122
        <rdar://problem/55535249>

        Reviewed by Yusuke Suzuki.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-09-23  Mark Lam  <mark.lam@apple.com>

        Reduce the amount of memory needed to store Options.
        https://bugs.webkit.org/show_bug.cgi?id=202105

        Reviewed by Yusuke Suzuki.

        The size of the JSC::Config needed to store the Options is now reduced to 4K
        instead of 16K, enabled by constexpr template magic.

        1. Instead of all options in a large array of OptionEntry (which is a union of
           all the option types), we now have separate arrays for each of the types of
           options.  For example,

                Removed g_jscConfig.options[].
                Added g_jscConfig.typeBoolOptions[].
                Added g_jscConfig.typeInt32Options[].
                Added g_jscConfig.typeDoubleOptions[].
                ...

           We used to find the storage for the option using g_jscConfig.options[Options::ID].
           We now find the storage for each type of option using
           g_jscConfig.options[optionTypeSpecificIndex<OptionTypeID, OptionID>()].  For
           example, Options::useJIT() used to be implemented as:

               inline bool& Options::useJIT()
               {
                    return g_jscConfig.options[Options::useJITID];
               }

           ... which is now replaced with:

               inline bool& Options::useJIT()
               {
                    return g_jscConfig.typeBoolOptions[optionTypeSpecificIndex<OptionTypeID::Bool, OptionID::useJIT>()];
               }

        2. Introduce the optionTypeSpecificIndex() constexpr template function for
           computing the index of each option in their respective type specific options
           array.

        3. Introduce OptionTypes, OptionTypeID, and OptionID.

           The OptionTypes namespace replaces OptionEntry as the container of option types.
           The OptionID enum class replaces Options::ID.
           The OptionTypeID enum class is new and is used together with OptionID in
               constexpr templates to compute the typeSpecificIndex of options.

        4. Removed the OptionEntry struct and OptionEntry.h.  After (1), this struct is
           only used in the Option class.  We just moved the union of option types (that
           OptionEntry embeds) into the Option class.

           Moved class OptionRange into OptionsList.h.

        5. Removed the large OptionEntry arrays from JSC::Config.
           Added type specific options arrays.
           Also ordered these arrays to maximize compactness and minimize internal fragmentation.

        6. Changed scaleJITPolicy() to go directly to g_jscConfig.typeInt32Options[]
           instead of going through the Option wrapper object.  This allows us to simplify
           things and make the Option class a read only interface of options.

        7. Changed Options::initialize() to only compute the option default value once.
           The default value specified in the OptionsList may not always be a constant.
           Sometimes, it is a function call.

        8. The Option class now only gives read only access to the options.

           The Option class' role is to provide an interface for reading an option at any
           given OptionID without first knowing about the type of the specific option.
           It is useful for iterating options, and is currently only used by
           Options::dumpOption().

           Technically, we could merge all the Option class code into its single client.
           We opted not to do this because the amount of code is non-trivial, and the
           Option class does a good job of encapsulating this functionality.

        * API/glib/JSCOptions.cpp:
        (jscOptionsSetValue):
        (jscOptionsGetValue):
        (jsc_options_foreach):
        (jsc_options_get_option_group):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSCConfig.h:
        * runtime/OptionEntry.h: Removed.
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::overrideOptionWithHeuristic):
        (JSC::scaleJITPolicy):
        (JSC::recomputeDependentOptions):
        (JSC::Options::initialize):
        (JSC::Options::setOptionWithoutAlias):
        (JSC::Options::dumpAllOptions):
        (JSC::Options::dumpOption):
        (JSC::Option::Option):
        (JSC::Option::defaultOption const):
        (JSC::Option::dump const):
        (JSC::Option::operator== const):
        * runtime/Options.h:
        (JSC::Option::id const):
        (JSC::Option::name const):
        (JSC::Option::description const):
        (JSC::Option::type const):
        (JSC::Option::availability const):
        (JSC::Option::isOverridden const):
        (JSC::Option::Option):
        (JSC::Option::idIndex const):
        (JSC::Option::defaultOption const): Deleted.
        (JSC::Option::boolVal): Deleted.
        (JSC::Option::unsignedVal): Deleted.
        (JSC::Option::doubleVal): Deleted.
        (JSC::Option::int32Val): Deleted.
        (JSC::Option::optionRangeVal): Deleted.
        (JSC::Option::optionStringVal): Deleted.
        (JSC::Option::gcLogLevelVal): Deleted.
        * runtime/OptionsList.h:
        (JSC::OptionRange::operator= ):
        (JSC::OptionRange::rangeString const):
        (JSC::optionTypeSpecificIndex):
        (JSC::countNumberOfJSCOptionsOfType):

2019-09-23  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: show WebGPU shader pipelines
        https://bugs.webkit.org/show_bug.cgi?id=201675
        <rdar://problem/55543450>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
        frontend of a new program

2019-09-23  Zan Dobersek  <zdobersek@igalia.com>

        testmasm: integer operands loaded as unsigned values
        https://bugs.webkit.org/show_bug.cgi?id=202099

        Reviewed by Mark Lam.

        Suppress GCC warnings about comparing signed and unsigned values in
        test cases introduced in r247913 by using signed integer types for
        loading 32-bit and 64-bit integer operand values.

        * assembler/testmasm.cpp:
        (JSC::testBranchTestBit32RegReg):
        (JSC::testBranchTestBit32RegImm):
        (JSC::testBranchTestBit32AddrImm):
        (JSC::testBranchTestBit64RegReg):
        (JSC::testBranchTestBit64RegImm):
        (JSC::testBranchTestBit64AddrImm):

2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Int52Rep(DoubleRepAnyIntUse) should not call operation function
        https://bugs.webkit.org/show_bug.cgi?id=202072

        Reviewed by Mark Lam.

        Inline doubleToStrictInt52 in FTL since it is very simple function.
        This change improves JetStream2/stanford-crypto-sha256 by ~5%.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::doubleToStrictInt52):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::doubleToInt64):
        * ftl/FTLOutput.h:

2019-09-22  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up change after r250198
        https://bugs.webkit.org/show_bug.cgi?id=201633

        * b3/testb3_5.cpp:
        (testCheckAddRemoveCheckWithSExt16):

2019-09-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove CheckAdd in JetStream2/async-fs's Math.random function
        https://bugs.webkit.org/show_bug.cgi?id=201633

        Reviewed by Mark Lam.

        Int52Rep is used in DFG and FTL to calculate Int52 things faster. This is typically used when user code see uint32_t type.
        In JS, we handles Int32 well, but if the value exceeds Int32 range (like, using 0xffffffff), we use Int52 instead not to fallback to Double.

        The problem is that we do not have optimizations for Int52's overflow checks. This emits many ArithAdd(Int52Rep x 2, CheckOverflow). Each
        of them emits OSR exit, which prevents dead-store-elimination in B3, and makes ValueToInt32(Int52) alive if it is referenced from some variable which
        can be seen if OSR exit occurs.

        In this patch, we perform strength-reduction for CheckAdd, converting to Add. We already have such a thing. But the existing one does not handle instructions
        well emitted when Int52 is used.

        When Int52 is used, we typically have the sequence like,

            Int64 @78 = SExt32(@73, DFG:@67<Int52>) // Widen Int32 to Int64
            Int64 @81 = Shl(@78, $12(@80), DFG:@162<Int52>) // Convert Int32 to Int52

        While we have Shl handling for integer-range optimization in B3ReduceStrength, we lack handling of SExt32 while it is very easy.
        This patch adds SExt8, SExt16, SExt32, and ZExt32 handling to B3ReduceStrength's integer range analysis.
        This converts many CheckAdd in JetStream2/async-fs's hot function to simple Add, and removes a bunch of unnecessary instructions which exist because of this OSR exit.
        We can see ~5% improvement in JetStream2/async-fs.

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.h:
        (int16Operands):
        (int8Operands):
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_5.cpp:
        (testCheckAddRemoveCheckWithSExt8):
        (testCheckAddRemoveCheckWithSExt16):
        (testCheckAddRemoveCheckWithSExt32):
        (testCheckAddRemoveCheckWithZExt32):

2019-09-21  Mark Lam  <mark.lam@apple.com>

        Move JSLexicalEnvironment, DirectArguments, and ScopedArguments cells out of the Gigacage.
        https://bugs.webkit.org/show_bug.cgi?id=202082

        Reviewed by Tadeu Zagallo.

        They are not being caged anyway.

        * runtime/DirectArguments.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/ScopedArguments.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-09-21  Tadeu Zagallo  <tzagallo@apple.com>

        AccessCase should strongly visit its dependencies while on stack
        https://bugs.webkit.org/show_bug.cgi?id=201986
        <rdar://problem/55521953>

        Reviewed by Saam Barati and Yusuke Suzuki.

        AccessCase::doesCalls is responsible for specifying the cells it depends on, so that
        MarkingGCAwareJITStubRoutine can strongly visit them while the stub is on stack. However,
        it was missing most of its dependencies, which led to it being collected while on stack.
        This manifested in the flaky test stress/ftl-put-by-id-setter-exception-interesting-live-state.js
        as the PolymorphicAccess being collected and removing its exception handler from the code
        block, which led to exception propagating past the try/catch.

        In order to fix this, we abstract the dependency gathering logic from AccessCase into
        forEachDependentCell and use it to implement visitWeak as well as doesCalls in order to
        guarantee that their implementation is consistent.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::forEachDependentCell const):
        (JSC::AccessCase::doesCalls const):
        (JSC::AccessCase::visitWeak const):
        * bytecode/AccessCase.h:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::lastSeenCallee const):
        (JSC::CallLinkInfo::haveLastSeenCallee const):
        (JSC::CallLinkInfo::lastSeenCallee): Deleted.
        (JSC::CallLinkInfo::haveLastSeenCallee): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::isDirect const):
        (JSC::CallLinkInfo::isLinked const):
        (JSC::CallLinkInfo::stub const):
        (JSC::CallLinkInfo::forEachDependentCell const):
        (JSC::CallLinkInfo::isLinked): Deleted.
        (JSC::CallLinkInfo::stub): Deleted.
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::isStillLive const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::forEachDependentCell const):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::areStillLive const):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::forEachDependentCell const):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillLive const):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::forEachDependentCell const):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::visitWeak):
        * jit/PolymorphicCallStubRoutine.h:
        (JSC::PolymorphicCallStubRoutine::forEachDependentCell):

2019-09-21  David Kilzer  <ddkilzer@apple.com>

        clang-tidy: Fix unnecessary copy/ref churn of for loop variables in WTF/JavaScriptCore
        <https://webkit.org/b/202069>

        Reviewed by Mark Lam.

        Fix unwanted copying/ref churn of loop variables by making them
        const references.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingsNow):
        * parser/Parser.h:
        (JSC::Scope::computeLexicallyCapturedVariablesAndPurgeCandidates):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::registerForReportAtExit):
        (JSC::SamplingProfiler::reportTopFunctions):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::merge):

2019-09-20  Keith Miller  <keith_miller@apple.com>

        eliding a move in Air O0 needs to mark the dest's old reg as available
        https://bugs.webkit.org/show_bug.cgi?id=202066

        Reviewed by Saam Barati.

        Also adds a new release method that handles all the invariants of
        returning a register to the available register pool.

        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
        (JSC::B3::Air::GenerateAndAllocateRegisters::release):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:

2019-09-20  Mark Lam  <mark.lam@apple.com>

        Harden assertion in StructureIDTable::get().
        https://bugs.webkit.org/show_bug.cgi?id=202067
        <rdar://problem/55577923>

        Reviewed by Keith Miller.

        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2019-09-20  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r250114.

        Broke ~16 webgpu/ tests on Mojave wk2

        Reverted changeset:

        "Web Inspector: Canvas: show WebGPU shader pipelines"
        https://bugs.webkit.org/show_bug.cgi?id=201675
        https://trac.webkit.org/changeset/250114

2019-09-20  Paulo Matos  <pmatos@igalia.com>

        Implement memory monitoring functions for Linux OS
        https://bugs.webkit.org/show_bug.cgi?id=200391

        Reviewed by Žan Doberšek.

        * jsc.cpp:

2019-09-20  Devin Rousso  <drousso@apple.com>

        ASSERT NOT REACHED in Inspector::InjectedScriptModule::ensureInjected() seen with inspector/heap/getRemoteObject.html
        https://bugs.webkit.org/show_bug.cgi?id=201713
        <rdar://problem/55290349>

        Reviewed by Joseph Pecoraro.

        Expose the `Exception` object by leveraging an `Expected` of `JSValue` as the return value
        instead of using a referenced `bool` (which wouldn't include any of the exception's info).

        * bindings/ScriptFunctionCall.h:
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapJSONString const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::findObjectById const):
        (Inspector::InjectedScript::releaseObjectGroup):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled const):
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeAsyncCall):

        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        (Inspector::InjectedScriptManager::injectedScriptFor):

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):

2019-09-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
        https://bugs.webkit.org/show_bug.cgi?id=202014

        Reviewed by Saam Barati.

        Let's look into the bytecode generated by the test.

            [   0] enter
            [   1] get_scope          loc4
            [   3] mov                loc5, loc4
            [   6] check_traps
            [   7] mov                loc6, callee
            [  10] create_direct_arguments loc7
            [  12] to_this            this
            [  15] mov                loc8, loc7
            [  18] mov                loc9, loc6
            [  21] mov                loc12, Undefined(const0)
            [  24] get_by_id          loc11, loc6, 0
            [  29] jneq_ptr           loc11, ApplyFunction, 18(->47)
            [  34] mov                loc11, loc6
            [  37] call_varargs       loc11, loc11, this, loc8, loc13, 0
            [  45] jmp                17(->62)
            [  47] mov                loc16, loc6
            [  50] mov                loc15, this
            [  53] mov                loc14, loc8
            [  56] call               loc11, loc11, 3, 22
            ...

        call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this).
        This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13.
        And it is not in the previous place to loc13 (|this| is not loc12).

        On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments.
        But this is wrong. loc12 in the above bytecode is used for `[  56] call               loc11, loc11, 3, 22`'s argument later, and this call assumes
        that loc12 is not clobbered by call_varargs. But DFG and FTL clobbers it.

        The test is recursively calling the same function, and we inline the same function one-level. And stack-overflow error happens when inlined
        CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, outer function's loc12 is recovered to garbage since
        LoadVarargs clobbers it. And we eventually use it and crash.

            60:<!0:-> LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)

        This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used.

        In all the tiers, op_call_varargs first allocates enough region to hold varargs including |this|. And we store |this| value to a correct place.
        DFG should not assume that the previous register to firstFreeReg is used for |this|.

        This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to
        represent that `maxArgumentCountIncludingThis` includes |this| count.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
        (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
        (JSC::CallLinkInfo::maxNumArguments): Deleted.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::dump const):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
        (JSC::CallLinkStatus::maxNumArguments const): Deleted.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        * jit/JITCall.cpp:
        (JSC::JIT::compileSetupFrame):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileSetupFrame):
        * jit/JITOperations.cpp:

2019-09-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: show WebGPU shader pipelines
        https://bugs.webkit.org/show_bug.cgi?id=201675

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        Add a `ProgramType` enum that conveys the type of shader program/pipeline when notifying the
        frontend of a new program

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Rename VMInspector::m_list to m_vmList.
        https://bugs.webkit.org/show_bug.cgi?id=202015

        Reviewed by Yusuke Suzuki.

        m_vmList is more descriptive, and this rename helps grep-ability by disambiguating
        it from other m_lists in the code base.

        * tools/VMInspector.cpp:
        (JSC::VMInspector::add):
        (JSC::VMInspector::remove):
        * tools/VMInspector.h:
        (JSC::VMInspector::iterate):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Reduce the number of required tag bits for the JSValue.
        https://bugs.webkit.org/show_bug.cgi?id=201990

        Reviewed by Yusuke Suzuki.

        We're reducing the number of tag bits to 15.  It should just work.

        How did we arrive at 15 bits?
        ============================
        Currently, the minimum number of top bits used by doubles is 13-bits.  The
        highest double bit encoding are:

            "negative" pureNaN: starts with 0xfff8
            negative infinity:  starts with 0xfff0
            highest number:     starts with 0xffe*
            lowest number:      starts with 0x0000

        Requirements:
        1. We need tags for 2 range of numbers: pointers (all 0s at the top), and ints
           (all 1s at the top).

        2. We want to be able to add an offset to double bits and ensure that they never
           end up in the ranges for pointers and ints.

        3. The int tag must be higher than whatever value is produced in the top bits
           when boxing a double.  We have code that relies on this relationship being
           true and checks if a JSValue is an int by checking if the tag bits are above
           or equal to the int tag.

        4. We don't want to burn more than 2 CPU registers for tag / mask registers.

        Based on the bit encoding of doubles, the full number range of the top 13 bits
        are used in valid double numbers.  This means the minimum tag bits must be greater
        than 13.

        Consider a 14-bit tag.  The DoubleEncodeOffset will be 1 << 50 i.e. starts with
        0x0004.  With this encoding,
            "negative" pureNaN: maps to 0xfff8 + 0x0004 => 0xfffc

        i.e. the top 14 bits are all set.  This conflicts with the int number range.

        Next, consider a 15-bit tag.  The DoubleEncodeOffset will be 1 << 49 i.e. starts
        with 0x0002.  With this encoding:
            "negative" pureNaN: maps to 0xfff8 + 0x0002 => 0xfffa
            negative infinity:  maps to 0xfff0 + 0x0002 => 0xfff2

        i.e. 0xfffe (top 5 bits set) is available to represent ints.  This is the encoding
        that we'll adopt in this patch.

        Alternate encodings schemes to consider in the future:
        =====================================================
        1. If we're willing and able to purifyNaN at all the places that can produce a
           "negative" pureNaN, e.g. after a division, then we can remove the "negative"
           pureNaN as a valid double bit encoding.  With this, we can now box doubles
           with just a 14-bit tag, and DoubleEncodeOffset will be 1 << 50 i.e. starts with
           0x0004.

           With this encoding, the top double, negative infinity, is encoded as follows:

                negative infinity:  maps to 0xfff0 + 0x0004 => 0xfff4

           i.e. leaving 0xfffc as the tag for ints.

           We didn't adopt this scheme at this time because it adds complexity, and may
           have performance impact from the extra purifyNaN checks.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202002

        2. If we're willing to use 3 tag registers or always materialize one of them, we
           can also adopt a 14-bit tag as follows:

               Pointer {  0000:PPPP:PPPP:PPPP
                        / 0002:****:****:****
               Double  {         ...
                        \ FFFC:****:****:****
               Integer {  FFFF:0000:IIII:IIII

           where ...
               NumberMask is 0xfffc: any bits set in the top 14 bits is a number.
               IntMask is 0xffff: value is int if value & IntMask == IntMask.
               NotCellMask is NumberMask | OtherTag.

           Since the highest double is "negative" pureNaN i.e. starts with 0xfff8, adding
           a DoubleEncodeOffset of 1<<50 (starts with 0x0004) produces 0xfffc which is
           still less than 0xffff.

           We didn't adopt this scheme at this time because it adds complexity and may
           have a performance impact from either burning another register, or materializing
           the 3rd mask.

           Ref: https://bugs.webkit.org/show_bug.cgi?id=202005

        * runtime/JSCJSValue.h:

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Refactoring: fix broken indentation in JSNonDestructibleProxy.h.
        https://bugs.webkit.org/show_bug.cgi?id=201989

        Reviewed by Saam Barati.

        This patch only unindent the code to get it back to compliant formatting.
        There is no actual code change.

        * runtime/JSNonDestructibleProxy.h:
        (JSC::JSNonDestructibleProxy::subspaceFor):
        (JSC::JSNonDestructibleProxy::create):
        (JSC::JSNonDestructibleProxy::createStructure):
        (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):

2019-09-19  Tadeu Zagallo  <tzagallo@apple.com>

        Syntax checker should report duplicate __proto__ properties
        https://bugs.webkit.org/show_bug.cgi?id=201897
        <rdar://problem/53201788>

        Reviewed by Mark Lam.

        Currently we have two ways of parsing object literals:
        - parseObjectLiteral: this is called in sloppy mode, and as an optimization for syntax checking,
          it doesn't allocate string literals while parsing properties. It does still allocate identifiers,
          but it won't store them in the Property object that it creates for each parsed property. This
          method backtracks and calls parseObjectStrictLiteral if it finds any getters or setters.
        - parseObjectStrictLiteral: this is called in strict mode, or when the object contains getters/setters
          as stated above. This will always allocate string literals as well as identifiers and store them in
          the Property object, even during syntax checking.

        From looking at the history, it seems that there was a distinction between these two methods:
        parseStrictObjectLiteral was introduced in r62848 and contained an extra check for duplicate
        getters/setters or properties defined as both getters/setters and constants. That distinction
        was removed and the only distinction that remained was whether we build strings and store the
        strings and properties as part of the Property object created by SyntaxChecker::createProperty.
        However, this optimization is no longer valid, since we need to throw a SyntaxError for duplicate
        __proto__ properties in object literals even in sloppy mode, which means that we do need to build
        the strings and identifiers and store them as part of the Property objects.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral): Deleted.
        * parser/Parser.h:

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Remove a now unnecessary hack to work around static const needing external linkage.
        https://bugs.webkit.org/show_bug.cgi?id=201988

        Reviewed by Saam Barati.

        MacroAssembler::dataTempRegister is now a constexpr, thereby ensuring that it's
        inlinable.

        * b3/B3Common.cpp:
        (JSC::B3::pinnedExtendedOffsetAddrRegister):

2019-09-19  Mark Lam  <mark.lam@apple.com>

        Replace JSValue #defines with static constexpr values.
        https://bugs.webkit.org/show_bug.cgi?id=201966

        Reviewed by Yusuke Suzuki.

        static constexpr is the modern C++ way to define these constants.

        Some of the values are typed int64_t and some are int32_t.  The original #define
        values are int64_t.  Hence, we adopt int64_t as the default type to use here.

        However, some of these constants are being used as 32-bit values, and the code
        was static_cast'ing them into int32_t.  This set of constants are all the small
        values that fit in an int32_t anyway.  So, we're putting these in int32_t instead
        so that we don't have to keep casting them.  In the few places where they are
        used as int64_t, they will automatically get up-casted anyway.

        In this patch, we also did the following:

        1. Renamed TagMask to NotCellMask, because everywhere in the code, we're
           basically using it to filter out cells like this:

              if (value & NotCellMask) then goto handleNotCellCase;

        2. Renamed TagTypeNumber to NumberTag for a shorter name.

           Ditto for TagBitTypeOther, TagBitBool, TagBitUndefined, TagBitsWasm, and TagWasmMask.
           They are now OtherTag, BoolTag, UndefinedTag, WasmTag, and WasmMask.

        3. Introduced DoubleEncodeOffsetBit so that client code do not embed this value
           as a literal constant.  We now define DoubleEncodeOffset based on
           DoubleEncodeOffsetBit ensuring consistency.

        4. Introduced MiscTag so that clients don't have to put this set of tags together
           themselves.

        5. Removed static asserts for tags in LLIntData.cpp because the offlineasm now
           captures these values correctly with constexpr statements.  These static
           asserts were holdovers from the old days back when we had to define LLInt
           constant values manually, and we needed a mechanism to detect when the values
           have changed in the source.

        6. Replaced some runtime asserts in RegisterSet.cpp with static_asserts.

        7. In Wasm::wasmToJS(), we were constructing the value of JSValue::DoubleEncodeOffset
           constant by left shifting 1 by JSValue::DoubleEncodeOffsetBit.  There's no need
           to do this for ARM64 because the constant can be loaded efficiently with a single
           MOVZ instruction.  So, we add a CPU(ARM64) case to just move the constant into
           the target register.

        * assembler/AbortReason.h:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateWithGuard):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::executeOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileInt52Compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::compileBooleanToNumber):
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetArgument):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorStructurePname):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetEnumeratorGenericPname):
        (JSC::FTL::DFG::LowerDFGToB3::getById):
        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
        (JSC::FTL::DFG::LowerDFGToB3::isInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isNotInt32):
        (JSC::FTL::DFG::LowerDFGToB3::boxInt32):
        (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::unboxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::boxDouble):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCell):
        (JSC::FTL::DFG::LowerDFGToB3::isNotMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::boxBoolean):
        (JSC::FTL::DFG::LowerDFGToB3::isNotOther):
        (JSC::FTL::DFG::LowerDFGToB3::isOther):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        (JSC::FTL::compileStub):
        * interpreter/CalleeBits.h:
        (JSC::CalleeBits::boxWasm):
        (JSC::CalleeBits::isWasm const):
        (JSC::CalleeBits::asWasmCallee const):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveThenMaterializeTagRegisters):
        (JSC::AssemblyHelpers::emitRestoreSavedTagRegisters):
        (JSC::AssemblyHelpers::emitMaterializeTagCheckRegisters):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfCell):
        (JSC::AssemblyHelpers::branchIfOther):
        (JSC::AssemblyHelpers::branchIfNotOther):
        (JSC::AssemblyHelpers::branchIfInt32):
        (JSC::AssemblyHelpers::branchIfNotInt32):
        (JSC::AssemblyHelpers::branchIfNumber):
        (JSC::AssemblyHelpers::branchIfNotNumber):
        (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32):
        (JSC::AssemblyHelpers::branchIfBoolean):
        (JSC::AssemblyHelpers::branchIfNotBoolean):
        (JSC::AssemblyHelpers::boxDouble):
        (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
        (JSC::AssemblyHelpers::boxInt52):
        (JSC::AssemblyHelpers::boxBooleanPayload):
        (JSC::AssemblyHelpers::boxInt32):
        * jit/CallFrameShuffleData.h:
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::CallFrameShuffler):
        (JSC::CallFrameShuffler::dump const):
        (JSC::CallFrameShuffler::prepareAny):
        * jit/CallFrameShuffler.h:
        (JSC::CallFrameShuffler::getFreeRegister const):
        * jit/CallFrameShuffler64.cpp:
        (JSC::CallFrameShuffler::emitBox):
        (JSC::CallFrameShuffler::tryAcquireNumberTagRegister):
        (JSC::CallFrameShuffler::tryAcquireTagTypeNumber): Deleted.
        * jit/GPRInfo.h:
        (JSC::GPRInfo::reservedRegisters):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITBitAndGenerator.cpp:
        (JSC::JITBitAndGenerator::generateFastPath):
        * jit/JITBitOrGenerator.cpp:
        (JSC::JITBitOrGenerator::generateFastPath):
        * jit/JITBitXorGenerator.cpp:
        (JSC::JITBitXorGenerator::generateFastPath):
        * jit/JITCall.cpp:
        (JSC::JIT::compileTailCall):
        * jit/JITDivGenerator.cpp:
        (JSC::JITDivGenerator::generateFastPath):
        * jit/JITInlines.h:
        (JSC::JIT::emitPatchableJumpIfNotInt):
        * jit/JITLeftShiftGenerator.cpp:
        (JSC::JITLeftShiftGenerator::generateFastPath):
        * jit/JITMulGenerator.cpp:
        (JSC::JITMulGenerator::generateFastPath):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_undefined_or_null):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jundefined_or_null):
        (JSC::JIT::emit_op_jnundefined_or_null):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITRightShiftGenerator.cpp:
        (JSC::JITRightShiftGenerator::generateFastPath):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::runtimeTagRegisters):
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        (JSC::RegisterSet::dfgCalleeSaveRegisters):
        (JSC::RegisterSet::ftlCalleeSaveRegisters):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        (JSC::absThunkGenerator):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/cloop.rb:
        * offlineasm/x86.rb:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isUndefinedOrNull const):
        (JSC::JSValue::isCell const):
        (JSC::JSValue::isInt32 const):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::asDouble const):
        (JSC::JSValue::isNumber const):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-09-18  Devin Rousso  <drousso@apple.com>

        Web Inspector: Better handling for large arrays and collections in Object Trees
        https://bugs.webkit.org/show_bug.cgi?id=143589
        <rdar://problem/16135388>

        Reviewed by Joseph Pecoraro.

        Adds two buttons before the "Prototype" item in expanded object/collection previews:
         - Show %d More
         - Show All (%d More)

        The default `fetchCount` increment is `100`. The first button will only be shown if there
        are more than `100` items remaining (haven't been shown).

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.getProperties):
        (InjectedScript.prototype.getDisplayableProperties):
        (InjectedScript.prototype.getCollectionEntries):
        (InjectedScript.prototype._getProperties):
        (InjectedScript.prototype._internalPropertyDescriptors):
        (InjectedScript.prototype._propertyDescriptors):
        (InjectedScript.prototype._propertyDescriptors.createFakeValueDescriptor):
        (InjectedScript.prototype._propertyDescriptors.processProperties):
        (InjectedScript.prototype._getSetEntries):
        (InjectedScript.prototype._getMapEntries):
        (InjectedScript.prototype._getWeakMapEntries):
        (InjectedScript.prototype._getWeakSetEntries):
        (InjectedScript.prototype._getIteratorEntries):
        (InjectedScript.prototype._entries):
        (RemoteObject.prototype._generatePreview):
        (InjectedScript.prototype._propertyDescriptors.arrayIndexPropertyNames): Deleted.
        Don't include boolean property descriptor values if they are `false.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getCollectionEntries):

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::asInt): Added.
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):

        * inspector/protocol/Runtime.json:
        Add `fetchStart`/`fetchCount` to `getProperties`/`getDisplayableProperties`/`getCollectionEntries`.
        Mark boolean properties as optional so they can be omitted if `false`.

2019-09-18  Joonghun Park  <pjh0718@gmail.com>

        Unreviewed. Remove build warning since r249976.

        No new tests, no behavioral changes.

        This patch removes the build warning below.
        warning: control reaches end of non-void function [-Wreturn-type]

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked const):

2019-09-18  Saam Barati  <sbarati@apple.com>

        TOCTOU bug in havingABadTime related assertion in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=201953
        <rdar://problem/53803524>

        Reviewed by Yusuke Suzuki.

        We had code in DFGSpeculativeJIT like:
        
        if (!globalObject->isHavingABadTime()) {
            <-- here -->
            Structure* s = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
            assert 's' has expected indexing type
        }
        
        The problem is, we may have a bad time before we actually load the structure
        inside the if. We may have a bad time while we're at the "<-- here -->" in the
        above program. The fix is to first load the structure, then check if we're
        having a bad time. If we're still not having a bad time, it's valid to assert
        things about the structure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArray):

2019-09-18  Chris Dumez  <cdumez@apple.com>

        Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*()
        https://bugs.webkit.org/show_bug.cgi?id=201947
        <rdar://problem/55453612>

        Reviewed by Mark Lam.

        Stop calling WTF::initializeMainThread() in JSGlobalContextCreate*(). I started doing so in <https://trac.webkit.org/changeset/248533>
        but it is causing crashes for apps using this JS API on background threads. It is also no longer necessary as of
        <https://trac.webkit.org/changeset/249064>.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreate):
        (JSGlobalContextCreateInGroup):

2019-09-18  Saam Barati  <sbarati@apple.com>

        Phantom insertion phase may disagree with arguments forwarding about live ranges
        https://bugs.webkit.org/show_bug.cgi?id=200715
        <rdar://problem/54301717>

        Reviewed by Yusuke Suzuki.

        The issue is that Phantom insertion phase was disagreeing about live ranges
        from the arguments forwarding phase. The effect is that Phantom insertion
        would insert a Phantom creating a longer live range than what arguments
        forwarding was analyzing. Arguments forwarding will look for the last DFG
        use or the last bytecode use of a variable it wants to eliminate. It then
        does an interference analysis to ensure that nothing clobbers other variables
        it needs to recover the sunken allocation during OSR exit.
        
        Phantom insertion works by ordering the program into OSR exit epochs. If a value was used
        in the current epoch, there is no need to insert a phantom for it. We
        determine where we might need a Phantom by looking at bytecode kills. In this
        analysis, we have a mapping from bytecode local to DFG node. However, we
        sometimes forgot to remove the entry when a local is killed. So, if the first
        kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design.
        However, if the variable gets killed again, we might errantly insert a Phantom
        for the prior variable which should've already been killed. The solution is to
        clear the entry in our mapping when a variable is killed.
        
        The program in question was like this:
        
        1: DirectArguments
        ...
        2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
        ...
        clobber things needed for recovery
        ...
        
        Arguments elimination would transform the program since between @1 and
        @2, nothing clobbers values needed for exit and nothing escapes @1. The
        program becomes:
        
        1: PhantomDirectArguments
        ...
        2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
        ...
        clobber things needed for recovery of @1
        ...
        
        
        Phantom insertion would then transform the program into:
        
        1: PhantomDirectArguments
        ...
        2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1
        ...
        clobber things needed for recovery of @1
        ...
        3: Phantom(@1)
        ...
        
        This is wrong because Phantom insertion and arguments forwarding must agree on live
        ranges, otherwise the interference analysis performed by arguments forwarding will
        not correctly analyze up until where the value might be recovered.

        * dfg/DFGPhantomInsertionPhase.cpp:

2019-09-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r250002.
        https://bugs.webkit.org/show_bug.cgi?id=201943

        Patching of the callee and call is not atomic (Requested by
        tadeuzagallo on #webkit).

        Reverted changeset:

        "Change WebAssembly calling conventions"
        https://bugs.webkit.org/show_bug.cgi?id=201799
        https://trac.webkit.org/changeset/250002

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generator should have internal fields
        https://bugs.webkit.org/show_bug.cgi?id=201159

        Reviewed by Keith Miller.

        This patch makes generator's internal states InternalField instead of private properties.
        Each generator function produces a generator with different [[Prototype]], which makes generators have different Structures.
        As a result, Generator.prototype.next etc.'s implementation becomes megamorphic even if it is not necessary.

        If we make these structures adaptively poly-proto, some generators get poly-proto structures while others are not, resulting
        in megamorphic lookup in Generator.prototype.next. If we make all the generator's structure poly-proto, it makes Generator.prototype.next
        lookup suboptimal for now.

        In this patch, we start with a relatively simple solution. This patch introduces JSGenerator class, and it has internal fields for generator's internal
        states. We extend promise-internal-field access bytecodes to access to these fields from bytecode so that Generator.prototype.next can access
        these fields without using megamorphic get_by_id_direct.

        And we attach JSGeneratorType to JSGenerator so that we can efficiently implement `@isGenerator()` check in bytecode.

        We reserve the offset = 0 slot for the future poly-proto extension for JSGenerator. By reserving this slot, non-poly-proto JSGenerator and poly-proto
        JSGenerator still can offer the way to access to the same Generator internal fields with the same offset while poly-proto JSGenerator can get offset = 0
        inline-storage slot for PolyProto implementation.

        This patch adds op_create_generator since it is distinct from op_create_promise once we add PolyProto support.
        In the future when we introduce some kind of op_create_async_generator we will probably share only one bytecode for both generator and async generator.

        This patch offers around 10% improvement in JetStream2/Basic. And this patch is the basis of optimization of JetStream2/async-fs which leverages async generators significantly.

        This patch includes several design decisions.

            1. We add a new JSGenerator instead of leveraging JSFinalObject. The main reason is that we would like to have JSGeneratorType to quickly query `@isGenerator`.
            2. This patch currently does not include object-allocation-sinking support for JSGenerator, but it is trivial, and will be added. And this patch also does not include poly-proto
               support for JSGenerator. The main reason is simply because this patch is already large enough, and I do not want to make this patch larger and larger.
            3. We can support arbitrary sized inline-storage: Reserving 0-5 offsets for internal fields, and start putting all the other things to the subsequent internal fields. But for now,
               we are not taking this approach just because I'm not sure this is necessary. If we found such a pattern, we can easily extend the current one but for now, I would like to keep
               this patch simple.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/GeneratorPrototype.js:
        (globalPrivate.generatorResume):
        (next):
        (return):
        (throw):
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::run):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromJSType):
        * bytecode/SpeculatedType.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitPutGeneratorFields):
        (JSC::BytecodeGenerator::emitCreateGenerator):
        (JSC::BytecodeGenerator::emitNewGenerator):
        (JSC::BytecodeGenerator::emitYield):
        (JSC::BytecodeGenerator::emitDelegateYield):
        (JSC::BytecodeGenerator::emitGeneratorStateChange):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitIsGenerator):
        (JSC::BytecodeGenerator::generatorStateRegister):
        (JSC::BytecodeGenerator::generatorValueRegister):
        (JSC::BytecodeGenerator::generatorResumeModeRegister):
        (JSC::BytecodeGenerator::generatorFrameRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::generatorInternalFieldIndex):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getGeneratorInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putGeneratorInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isGenerator):
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupIsCellWithType):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewGenerator):
        (JSC::DFG::Node::speculatedTypeForQuery):
        (JSC::DFG::Node::hasStructure):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreatePromise):
        (JSC::DFG::SpeculativeJIT::compileCreateGenerator):
        (JSC::DFG::SpeculativeJIT::compileNewGenerator):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewGenerator):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateGenerator):
        (JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_internal_field):
        (JSC::JIT::emit_op_put_internal_field):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSGenerator.cpp: Added.
        (JSC::JSGenerator::create):
        (JSC::JSGenerator::createStructure):
        (JSC::JSGenerator::JSGenerator):
        (JSC::JSGenerator::finishCreation):
        (JSC::JSGenerator::visitChildren):
        * runtime/JSGenerator.h: Copied from Source/JavaScriptCore/runtime/JSGeneratorFunction.h.
        * runtime/JSGeneratorFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::generatorStructure const):
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:

2019-09-17  Keith Miller  <keith_miller@apple.com>

        Move comment explaining our Options to OptionsList.h
        https://bugs.webkit.org/show_bug.cgi?id=201891

        Rubber-stamped by Mark Lam.

        We moved the list so we should move the comment.

        * runtime/Options.h:
        * runtime/OptionsList.h:

2019-09-17  Keith Miller  <keith_miller@apple.com>

        Elide unnecessary moves in Air O0
        https://bugs.webkit.org/show_bug.cgi?id=201703

        Reviewed by Saam Barati.

        This patch also removes the code that would try to reuse temps in
        WasmAirIRGenerator. That code makes it hard to accurately
        determine where a temp dies as it could be reused again
        later. Thus every temp, may appear to live for a long time in the
        global ordering.

        This appears to be a minor progression on the overall score of
        wasm subtests in JS2 and a 10% wasm-JIT memory usage reduction.

        This patch also fixes an issue where we didn't ask Patchpoints
        for early clobber registers when determining what callee saves
        were used by the program.

        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirBasicBlock.h:
        * b3/air/AirCode.h:
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/testair.cpp:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill): Deleted.

2019-09-17  Mark Lam  <mark.lam@apple.com>

        Use constexpr instead of const in symbol definitions that are obviously constexpr.
        https://bugs.webkit.org/show_bug.cgi?id=201879

        Rubber-stamped by Joseph Pecoraro.

        const may require external storage  (at the compiler's whim) though these
        currently do not.  constexpr makes it clear that the value is a literal constant
        that can be inlined.  In most cases in the code, when we say static const, we
        actually mean static constexpr.  I'm changing the code to reflect this.

        * API/JSAPIValueWrapper.h:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * API/JSContextRef.cpp:
        * API/JSWrapperMap.mm:
        * API/tests/CompareAndSwapTest.cpp:
        * API/tests/TypedArrayCTest.cpp:
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):
        * KeywordLookupGenerator.py:
        (Trie.printAsC):
        * assembler/ARMv7Assembler.h:
        * assembler/AssemblerBuffer.h:
        * assembler/AssemblerCommon.h:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARM64E.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerCodeRef.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerX86.h:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        * assembler/MacroAssemblerX86_64.h:
        * assembler/X86Assembler.h:
        * b3/B3Bank.h:
        * b3/B3CheckSpecial.h:
        * b3/B3DuplicateTails.cpp:
        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/B3FixSSA.cpp:
        * b3/B3FoldPathConstants.cpp:
        * b3/B3InferSwitches.cpp:
        * b3/B3Kind.h:
        * b3/B3LowerToAir.cpp:
        * b3/B3NativeTraits.h:
        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/B3ReduceLoopStrength.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/B3ValueKey.h:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * b3/air/AirAllocateStackByGraphColoring.cpp:
        * b3/air/AirArg.h:
        * b3/air/AirCCallSpecial.h:
        * b3/air/AirEmitShuffle.cpp:
        * b3/air/AirFixObviousSpills.cpp:
        * b3/air/AirFormTable.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        * b3/air/AirPrintSpecial.h:
        * b3/air/AirStackAllocation.cpp:
        * b3/air/AirTmp.h:
        * b3/testb3_6.cpp:
        (testInterpreter):
        * bytecode/AccessCase.cpp:
        * bytecode/CallLinkStatus.cpp:
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.h:
        * bytecode/DFGExitProfile.h:
        * bytecode/DirectEvalCodeCache.h:
        * bytecode/ExecutableToCodeBlockEdge.h:
        * bytecode/GetterSetterAccessCase.cpp:
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/ObjectPropertyCondition.h:
        * bytecode/ObjectPropertyConditionSet.cpp:
        * bytecode/PolymorphicAccess.cpp:
        * bytecode/PropertyCondition.h:
        * bytecode/SpeculatedType.h:
        * bytecode/StructureStubInfo.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedEvalCodeBlock.h:
        * bytecode/UnlinkedFunctionCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.h:
        * bytecode/ValueProfile.h:
        * bytecode/VirtualRegister.h:
        * bytecode/Watchpoint.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        * bytecompiler/RegisterID.h:
        * debugger/Breakpoint.h:
        * debugger/DebuggerParseData.cpp:
        * debugger/DebuggerPrimitives.h:
        * debugger/DebuggerScope.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCommon.h:
        * dfg/DFGCompilationKey.h:
        * dfg/DFGDesiredGlobalProperty.h:
        * dfg/DFGEdgeDominates.h:
        * dfg/DFGEpoch.h:
        * dfg/DFGForAllKills.h:
        (JSC::DFG::forAllKilledNodesAtNodeIndex):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyNode.h:
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMovHintRemovalPhase.cpp:
        * dfg/DFGNodeFlowProjection.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPhantomInsertionPhase.cpp:
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGPropertyTypeKey.h:
        * dfg/DFGPureValue.h:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGRegisterBank.h:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::compileClampDoubleToByte):
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        (JSC::DFG::compileArithPowIntegerFastPath):
        (JSC::DFG::SpeculativeJIT::compileArithPow):
        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGStructureAbstractValue.h:
        * dfg/DFGVarargsForwardingPhase.cpp:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct const):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * disassembler/ARM64/A64DOpcode.h:
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRandom):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.h:
        * heap/CellContainer.h:
        * heap/CellState.h:
        * heap/ConservativeRoots.h:
        * heap/GCSegmentedArray.h:
        * heap/HandleBlock.h:
        * heap/Heap.cpp:
        (JSC::Heap::updateAllocationLimits):
        * heap/Heap.h:
        * heap/HeapSnapshot.h:
        * heap/HeapUtil.h:
        (JSC::HeapUtil::findGCObjectPointersForMarking):
        * heap/IncrementalSweeper.cpp:
        * heap/LargeAllocation.h:
        * heap/MarkedBlock.cpp:
        * heap/Strong.h:
        * heap/VisitRaceKey.h:
        * heap/Weak.h:
        * heap/WeakBlock.h:
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.h:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (CppProtocolTypesHeaderGenerator._generate_versions):
        * inspector/scripts/tests/generic/expected/version.json-result:
        * interpreter/Interpreter.h:
        * interpreter/ShadowChicken.cpp:
        * jit/BinarySwitch.cpp:
        * jit/CallFrameShuffler.h:
        * jit/ExecutableAllocator.h:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        * jit/ICStats.h:
        * jit/JITThunks.h:
        * jit/Reg.h:
        * jit/RegisterSet.h:
        * jit/TempRegisterSet.h:
        * jsc.cpp:
        * parser/ASTBuilder.h:
        * parser/Nodes.h:
        * parser/SourceCodeKey.h:
        * parser/SyntaxChecker.h:
        * parser/VariableEnvironment.h:
        * profiler/ProfilerOrigin.h:
        * profiler/ProfilerOriginStack.h:
        * profiler/ProfilerUID.h:
        * runtime/AbstractModuleRecord.cpp:
        * runtime/ArrayBufferNeuteringWatchpointSet.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayConventions.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::setLength):
        * runtime/AsyncFromSyncIteratorPrototype.h:
        * runtime/AsyncGeneratorFunctionPrototype.h:
        * runtime/AsyncGeneratorPrototype.h:
        * runtime/AsyncIteratorPrototype.h:
        * runtime/AtomicsObject.cpp:
        * runtime/BigIntConstructor.h:
        * runtime/BigIntPrototype.h:
        * runtime/BooleanPrototype.h:
        * runtime/ClonedArguments.h:
        * runtime/CodeCache.h:
        * runtime/ControlFlowProfiler.h:
        * runtime/CustomGetterSetter.h:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.h:
        * runtime/DefinePropertyAttributes.h:
        * runtime/ErrorPrototype.h:
        * runtime/EvalExecutable.h:
        * runtime/Exception.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        * runtime/ExceptionHelpers.h:
        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.h:
        * runtime/FunctionRareData.h:
        * runtime/GeneratorPrototype.h:
        * runtime/GenericArguments.h:
        * runtime/GenericOffset.h:
        * runtime/GetPutInfo.h:
        * runtime/GetterSetter.h:
        * runtime/GlobalExecutable.h:
        * runtime/Identifier.h:
        * runtime/InspectorInstrumentationObject.h:
        * runtime/InternalFunction.h:
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IntlObject.h:
        * runtime/IntlPluralRulesConstructor.h:
        * runtime/IntlPluralRulesPrototype.h:
        * runtime/IteratorPrototype.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.h:
        * runtime/JSBigInt.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCell.h:
        * runtime/JSCustomGetterSetterFunction.h:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSDestructibleObject.h:
        * runtime/JSFixedArray.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGlobalLexicalEnvironment.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSImmutableButterfly.h:
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromiseDeferred.h:
        * runtime/JSInternalPromisePrototype.h:
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSModuleEnvironment.h:
        * runtime/JSModuleLoader.h:
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSNonDestructibleProxy.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/JSProxy.h:
        * runtime/JSScope.h:
        * runtime/JSScriptFetchParameters.h:
        * runtime/JSScriptFetcher.h:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSourceCode.h:
        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTemplateObjectDescriptor.h:
        * runtime/JSTypeInfo.h:
        * runtime/MapPrototype.h:
        * runtime/MinimumReservedZoneSize.h:
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/NativeFunction.h:
        * runtime/NativeStdFunctionCell.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.h:
        * runtime/ProgramExecutable.h:
        * runtime/PromiseDeferredTimer.cpp:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::add):
        * runtime/PrototypeKey.h:
        * runtime/ProxyConstructor.h:
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/ProxyRevoke.h:
        * runtime/ReflectObject.h:
        * runtime/RegExp.h:
        * runtime/RegExpCache.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpKey.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/RegExpStringIteratorPrototype.h:
        * runtime/SamplingProfiler.cpp:
        * runtime/ScopedArgumentsTable.h:
        * runtime/ScriptExecutable.h:
        * runtime/SetPrototype.h:
        * runtime/SmallStrings.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/StringConstructor.h:
        * runtime/StringIteratorPrototype.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * runtime/StructureRareData.h:
        * runtime/StructureTransitionTable.h:
        * runtime/Symbol.h:
        * runtime/SymbolConstructor.h:
        * runtime/SymbolPrototype.h:
        * runtime/SymbolTable.h:
        * runtime/TemplateObjectDescriptor.h:
        * runtime/TypeProfiler.cpp:
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.cpp:
        * runtime/VarOffset.h:
        * testRegExp.cpp:
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::checkIfRecorded):
        * tools/JSDollarVM.cpp:
        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmBBQPlan.cpp:
        * wasm/WasmFaultSignalHandler.cpp:
        * wasm/WasmFunctionParser.h:
        * wasm/WasmOMGForOSREntryPlan.cpp:
        * wasm/WasmOMGPlan.cpp:
        * wasm/WasmPlan.cpp:
        * wasm/WasmSignature.cpp:
        * wasm/WasmSignature.h:
        * wasm/WasmWorklist.cpp:
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/WebAssemblyCompileErrorConstructor.h:
        * wasm/js/WebAssemblyCompileErrorPrototype.h:
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyInstancePrototype.h:
        * wasm/js/WebAssemblyLinkErrorConstructor.h:
        * wasm/js/WebAssemblyLinkErrorPrototype.h:
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyMemoryPrototype.h:
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyModulePrototype.h:
        * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
        * wasm/js/WebAssemblyRuntimeErrorPrototype.h:
        * wasm/js/WebAssemblyTableConstructor.h:
        * wasm/js/WebAssemblyTablePrototype.h:
        * wasm/js/WebAssemblyToJSCallee.h:
        * yarr/Yarr.h:
        * yarr/YarrParser.h:
        * yarr/generateYarrCanonicalizeUnicode:

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        Follow-up after String.codePointAt optimization
        https://bugs.webkit.org/show_bug.cgi?id=201889

        Reviewed by Saam Barati.

        Follow-up after string.codePointAt DFG / FTL optimizations,

        1. Gracefully accept arguments more than expected for intrinsics
        2. Check BadType in String.codePointAt, String.charAt, and String.charCodeAt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):

2019-09-17  Tadeu Zagallo  <tzagallo@apple.com>

        Change WebAssembly calling conventions
        https://bugs.webkit.org/show_bug.cgi?id=201799

        Reviewed by Saam Barati.

        Currently, the Wasm::Callee writes itself to CallFrameSlot::callee. However, this won't work when
        we have the Wasm interpreter, since we need the callee in order to know which function are we executing.
        This patch changes the calling conventions in preparation for the interpreter, so that the caller
        becomes responsible for writing the callee into the call frame.
        However, there are exceptions to this rule: stubs can still write to the callee slot, since they are individually
        generated and will still be present in the interpreter. We keep this design to avoid emitting unnecessary
        code when we know statically who is the callee:
        - Caller writes to call frame: intra-module direct wasm calls, indirect wasm calls, JS-to-wasm stub (new frame), JS-to-wasm IC.
        - Callee writes to call frame: inter-module wasm-to-wasm stub, JS-to-wasm stub (callee frame), wasm-to-JS stub, OMG osr entry

        Additionally, this patch also changes it so that the callee keeps track of its callers, instead of having a global mapping
        of calls in the Wasm::CodeBlock. This makes it easier to repatch all callers of a given Callee when it tiers up.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::addCall):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        (JSC::Wasm::parseAndCompileAir):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        (JSC::Wasm::repatchMove):
        (JSC::Wasm::repatchCall):
        (JSC::Wasm::BBQCallee::addCaller):
        (JSC::Wasm::BBQCallee::addAndLinkCaller):
        (JSC::Wasm::BBQCallee::repatchCallers):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::entrypoint):
        (JSC::Wasm::Callee::code const):
        (JSC::Wasm::Callee::calleeSaveRegisters):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::boxedCalleeLoadLocationFromFunctionIndexSpace):
        * wasm/WasmEmbedder.h:
        * wasm/WasmFormat.h:
        (JSC::Wasm::WasmToWasmImportableFunction::offsetOfBoxedCalleeLoadLocation):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfBoxedCalleeLoadLocation):
        * wasm/WasmOMGForOSREntryPlan.cpp:
        (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
        (JSC::Wasm::OMGForOSREntryPlan::work):
        * wasm/WasmOMGForOSREntryPlan.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::OMGPlan):
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmOMGPlan.h:
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::triggerOMGReplacementCompile):
        (JSC::Wasm::doOSREntry):
        (JSC::Wasm::triggerOSREntryNow):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSToWasm.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):

2019-09-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CheckArray+NonArray is not filtering out Array in AI
        https://bugs.webkit.org/show_bug.cgi?id=201857
        <rdar://problem/54194820>

        Reviewed by Keith Miller.

        The code of DFG::ArrayMode::alreadyChecked is different from SpeculativeJIT's CheckArray / CheckStructure.
        While we assume CheckArray+NonArray ensures it only passes non-array inputs, DFG::ArrayMode::alreadyChecked
        accepts arrays too. So CheckArray+NonArray is removed in AI if the input is proven that it is an array.
        This patch aligns DFG::ArrayMode::alreadyChecked to the checks done at runtime.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked const):

2019-09-17  Saam Barati  <sbarati@apple.com>

        CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
        https://bugs.webkit.org/show_bug.cgi?id=201853
        <rdar://problem/53805461>

        Reviewed by Yusuke Suzuki.

        We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
        out SlowPutArrayStorage. It does no such thing. We just check that the object
        is either ScopedArguments/DirectArguments.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.

2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>

        Wasm StreamingParser should validate that number of functions matches number of declarations
        https://bugs.webkit.org/show_bug.cgi?id=201850
        <rdar://problem/55290186>

        Reviewed by Yusuke Suzuki.

        Currently, when parsing the code section, we check that the number of functions matches the number
        of declarations in the function section. However, that check is never performed if the module does
        not have a code section. To fix that, we perform the check again in StreamingParser::finalize.

        * wasm/WasmStreamingParser.cpp:
        (JSC::Wasm::StreamingParser::finalize):

2019-09-16  Michael Saboff  <msaboff@apple.com>

        [JSC] Perform check again when we found non-BMP characters
        https://bugs.webkit.org/show_bug.cgi?id=201647

        Reviewed by Yusuke Suzuki.

        We need to check for end of input for non-BMP characters when matching a character class that contains
        both BMP and non-BMP characters.  In advanceIndexAfterCharacterClassTermMatch() we were checking for
        end of input for both BMP and non-BMP characters.  For BMP characters, this check is redundant.
        After moving the check to after the "is BMP check", we need to decrement index after reaching the failure
        label to back out the index++ for the first surrogate of the non-BMP character.

        Added the same kind of check in generateCharacterClassOnce().  In that case, we have pre-checked the
        first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before
        we increment for the second surrogate.

        While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the
        loop to check the count at loop top instead of loop bottom.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

2019-09-16  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add missing syntax errors for await in function parameter default expressions
        https://bugs.webkit.org/show_bug.cgi?id=201615

        Reviewed by Darin Adler.

        This patch rectifies two oversights:
          1. We were prohibiting `async function f(x = (await) => {}) {}` but not `async function f(x = await => {}) {}`
             (and likewise for async arrow functions).
          2. We were not prohibiting `(x = await => {}) => {}` in an async context
             (regardless of parentheses, but note that this one *only* applies to arrow functions).

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::isArrowFunctionParameters): Fix case (1).
        (JSC::Parser<LexerType>::parseFunctionInfo): Fix case (2).
        (JSC::Parser<LexerType>::parseAwaitExpression): Convert unfailing check into an ASSERT.
        (JSC::Parser<LexerType>::parsePrimaryExpression): Adjust error message for case (2).

2019-09-16  Tadeu Zagallo  <tzagallo@apple.com>

        SamplingProfiler should hold API lock before reporting results
        https://bugs.webkit.org/show_bug.cgi?id=201829

        Reviewed by Yusuke Suzuki.

        Right now, the SamplingProfiler crashes in debug builds when trying
        report results if it finds a JSFunction on the stack that doesn't have
        RareData. It tries to allocate the function's rare data when we call
        getOwnPropertySlot in order to get the function's name, but that fails
        because we are not holding the VM's API lock. We fix it by just holding
        the lock before reporting the results.

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportDataToOptionFile):

2019-09-16  David Kilzer  <ddkilzer@apple.com>

        [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
        <https://webkit.org/b/201804>

        Reviewed by Saam Barati.

        * b3/testb3_8.cpp:
        (testFastForwardCopy32): Allocate arrays using
        WTF::makeUniqueArray<uint32_t> to fix leaks caused by continue
        statements.

2019-09-16  Saam Barati  <sbarati@apple.com>

        JSObject::putInlineSlow should not ignore "__proto__" for Proxy
        https://bugs.webkit.org/show_bug.cgi?id=200386
        <rdar://problem/53854946>

        Reviewed by Yusuke Suzuki.

        We used to ignore '__proto__' in putInlineSlow when the object in question
        was Proxy. There is no reason for this, and it goes against the spec. So
        I've removed that condition. This also has the effect that it fixes an
        assertion firing inside our inline caching code which dictates that for a
        property replace that the base value's structure must be equal to the
        structure when we grabbed the structure prior to the put operation.
        The old code caused a weird edge case where we broke this invariant.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):

2019-09-15  David Kilzer  <ddkilzer@apple.com>

        Leak of NSMapTable in -[JSVirtualMachine addManagedReference:withOwner:]
        <https://webkit.org/b/201803>

        Reviewed by Dan Bernstein.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]): Use
        RetainPtr<> to fix the leak.

2019-09-14  Yusuke Suzuki  <ysuzuki@apple.com>

        Retire x86 32bit JIT support
        https://bugs.webkit.org/show_bug.cgi?id=201790

        Reviewed by Mark Lam.

        Now, Xcode no longer has ability to build 32bit binary, so we cannot even test it on macOS.
        Fedora stops shipping x86 32bit kernel. Our x86/x86_64 JIT requires SSE2, and so such relatively modern CPUs
        can use JIT by switching x86 to x86_64. And these CPUs are modern enough to run CLoop at high speed.
        WebKit already disabled x86 JIT by default while the implementation exists. So literary, it is not tested.

        While x86 32bit becomes less useful, x86 32bit JIT backend is very complicated and is being a major maintenance burden.
        This is due to very few # of registers. Which scatters a lot of isX86 / CPU(X86) in Baseline, DFG, and Yarr.

        This patch retires x86 JIT support from JavaScriptCore and CSS JIT. We still keep MacroAssembler and GPRInfo / FPRInfo,
        MachineContext information since they are useful even though JIT is not supported.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileGetDirectPname):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::debugCall):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareForTailCall):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        (JSC::arityFixupGenerator):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::emitModOrDiv):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:

2019-09-13  Mark Lam  <mark.lam@apple.com>

        jsc -d stopped working.
        https://bugs.webkit.org/show_bug.cgi?id=201787

        Reviewed by Joseph Pecoraro.

        The reason is because, in this case, the jsc shell is trying to set an option
        after the VM has been instantiated.  The fix is simply to move all options
        initialization before the VM is instantiated.

        * jsc.cpp:
        (runWithOptions):
        (jscmain):

2019-09-13  Mark Lam  <mark.lam@apple.com>

        watchOS requires PageSize alignment of 16K for JSC::Config.
        https://bugs.webkit.org/show_bug.cgi?id=201786
        <rdar://problem/55357890>

        Reviewed by Yusuke Suzuki.

        * runtime/JSCConfig.h:

2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up fix after r249842
        https://bugs.webkit.org/show_bug.cgi?id=201750

        Michael reviewed this offline. When performing nearCall, we need to invalidate cache registers.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::nearCall):
        (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):

2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON does not execute steps 1-2
        https://bugs.webkit.org/show_bug.cgi?id=105282

        Reviewed by Ross Kirsling.

        According to https://tc39.es/ecma262/#sec-built-in-function-objects, built-in methods must be
        strict mode functions. Before this change, `this` value in Date.prototype.toJSON was resolved
        using sloppy mode semantics, resulting in `toISOString` being called on global object if `this`
        value equals `null` or `undefined`.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON): Resolve thisValue using strict semantics and simplify std::isfinite check.

2019-09-13  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should do its !Gigacage assertion on exit.
        https://bugs.webkit.org/show_bug.cgi?id=201780
        <rdar://problem/55354867>

        Reviewed by Robin Morisset.

        Re-doing previous fix.

        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        (JSC::GigacageAssertScope::GigacageAssertScope): Deleted.
        (JSC::GigacageAssertScope::~GigacageAssertScope): Deleted.

2019-09-13  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() should do its !Gigacage assertion on exit.
        https://bugs.webkit.org/show_bug.cgi?id=201780
        <rdar://problem/55354867>

        Reviewed by Robin Morisset.

        * jit/ExecutableAllocator.h:
        (JSC::GigacageAssertScope::GigacageAssertScope):
        (JSC::GigacageAssertScope::~GigacageAssertScope):
        (JSC::performJITMemcpy):

2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Micro-optimize YarrJIT's surrogate pair handling
        https://bugs.webkit.org/show_bug.cgi?id=201750

        Reviewed by Michael Saboff.

        Optimize sequence of machine code used to get code-point with unicode flag.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):

2019-09-13  Mark Lam  <mark.lam@apple.com>

        We should assert $vm is enabled on entry and exit in its functions.
        https://bugs.webkit.org/show_bug.cgi?id=201762
        <rdar://problem/55338742>

        Rubber-stamped by Michael Saboff.

        1. Also do the same for FunctionOverrides.
        2. Added the DollarVMAssertScope and FunctionOverridesAssertScope to achieve this.
        3. Also added assertions to lambda functions in $vm.

        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverridesAssertScope::FunctionOverridesAssertScope):
        (JSC::FunctionOverridesAssertScope::~FunctionOverridesAssertScope):
        (JSC::FunctionOverrides::overrides):
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::initializeOverrideInfo):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::parseClause):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
        (JSC::JSDollarVMCallFrame::createStructure):
        (JSC::JSDollarVMCallFrame::create):
        (JSC::JSDollarVMCallFrame::finishCreation):
        (JSC::JSDollarVMCallFrame::addProperty):
        (JSC::Element::Element):
        (JSC::Element::create):
        (JSC::Element::visitChildren):
        (JSC::Element::createStructure):
        (JSC::Root::Root):
        (JSC::Root::setElement):
        (JSC::Root::create):
        (JSC::Root::createStructure):
        (JSC::Root::visitChildren):
        (JSC::SimpleObject::SimpleObject):
        (JSC::SimpleObject::create):
        (JSC::SimpleObject::visitChildren):
        (JSC::SimpleObject::createStructure):
        (JSC::ImpureGetter::ImpureGetter):
        (JSC::ImpureGetter::createStructure):
        (JSC::ImpureGetter::create):
        (JSC::ImpureGetter::finishCreation):
        (JSC::ImpureGetter::getOwnPropertySlot):
        (JSC::ImpureGetter::visitChildren):
        (JSC::CustomGetter::CustomGetter):
        (JSC::CustomGetter::createStructure):
        (JSC::CustomGetter::create):
        (JSC::CustomGetter::getOwnPropertySlot):
        (JSC::CustomGetter::customGetter):
        (JSC::CustomGetter::customGetterAcessor):
        (JSC::RuntimeArray::create):
        (JSC::RuntimeArray::destroy):
        (JSC::RuntimeArray::getOwnPropertySlot):
        (JSC::RuntimeArray::getOwnPropertySlotByIndex):
        (JSC::RuntimeArray::createPrototype):
        (JSC::RuntimeArray::createStructure):
        (JSC::RuntimeArray::finishCreation):
        (JSC::RuntimeArray::RuntimeArray):
        (JSC::RuntimeArray::lengthGetter):
        (JSC::DOMJITNode::DOMJITNode):
        (JSC::DOMJITNode::createStructure):
        (JSC::DOMJITNode::checkSubClassSnippet):
        (JSC::DOMJITNode::create):
        (JSC::DOMJITGetter::DOMJITGetter):
        (JSC::DOMJITGetter::createStructure):
        (JSC::DOMJITGetter::create):
        (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetter::customGetter):
        (JSC::DOMJITGetter::finishCreation):
        (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
        (JSC::DOMJITGetterComplex::createStructure):
        (JSC::DOMJITGetterComplex::create):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterComplex::functionEnableException):
        (JSC::DOMJITGetterComplex::customGetter):
        (JSC::DOMJITGetterComplex::finishCreation):
        (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
        (JSC::DOMJITFunctionObject::createStructure):
        (JSC::DOMJITFunctionObject::create):
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::checkSubClassSnippet):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
        (JSC::DOMJITCheckSubClassObject::createStructure):
        (JSC::DOMJITCheckSubClassObject::create):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (JSC::DOMJITGetterBaseJSObject::createStructure):
        (JSC::DOMJITGetterBaseJSObject::create):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterBaseJSObject::customGetter):
        (JSC::DOMJITGetterBaseJSObject::finishCreation):
        (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
        (JSC::JSTestCustomGetterSetter::create):
        (JSC::JSTestCustomGetterSetter::createStructure):
        (JSC::customSetAccessor):
        (JSC::customSetValue):
        (JSC::JSTestCustomGetterSetter::finishCreation):
        (JSC::Element::handleOwner):
        (JSC::Element::finishCreation):
        (JSC::WasmStreamingParser::WasmStreamingParser):
        (JSC::WasmStreamingParser::create):
        (JSC::WasmStreamingParser::createStructure):
        (JSC::WasmStreamingParser::finishCreation):
        (JSC::functionWasmStreamingParserAddBytes):
        (JSC::functionWasmStreamingParserFinalize):
        (JSC::functionCrash):
        (JSC::functionBreakpoint):
        (JSC::functionDFGTrue):
        (JSC::functionFTLTrue):
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::getExecutableForFunction):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionNoInline):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionDumpSubspaceHashes):
        (JSC::functionCallFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::functionDumpRegisters):
        (JSC::functionDumpCell):
        (JSC::functionIndexingMode):
        (JSC::functionInlineCapacity):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::functionHaveABadTime):
        (JSC::functionIsHavingABadTime):
        (JSC::functionCreateGlobalObject):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateNullRopeString):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionGetPrivateProperty):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionFlattenDictionaryObject):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::changeDebuggerModeWhenIdle):
        (JSC::functionEnableDebuggerModeWhenIdle):
        (JSC::functionDisableDebuggerModeWhenIdle):
        (JSC::functionDeleteAllCodeWhenIdle):
        (JSC::functionGlobalObjectCount):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::functionDeltaBetweenButterflies):
        (JSC::functionTotalGCTime):
        (JSC::functionParseCount):
        (JSC::functionIsWasmSupported):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:
        (JSC::DollarVMAssertScope::DollarVMAssertScope):
        (JSC::DollarVMAssertScope::~DollarVMAssertScope):

2019-09-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Formatter: Pretty Print HTML resources (including inline <script>/<style>)
        https://bugs.webkit.org/show_bug.cgi?id=201535
        <rdar://problem/29119232>

        Reviewed by Devin Rousso.

        * debugger/Debugger.cpp:
        (JSC::Debugger::resolveBreakpoint):
        When resolving a breakpoint inside of an inline <script> we need to adjust
        based on the starting position of the <script> in the HTML resource.

2019-09-13  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] X86Registers.h callee-save register definition is wrong
        https://bugs.webkit.org/show_bug.cgi?id=201756

        Reviewed by Mark Lam.

        I think nobody is using X86 JIT backend, but it is simply wrong.
        edi and esi should be callee-save.

        * assembler/X86Registers.h:

2019-09-12  Mark Lam  <mark.lam@apple.com>

        Harden JSC against the abuse of runtime options.
        https://bugs.webkit.org/show_bug.cgi?id=201597
        <rdar://problem/55167068>

        Reviewed by Filip Pizlo.

        Linux parts contributed by Carlos Garcia Campos <cgarcia@igalia.com>.

        1. Introduce a JSC::Config struct that will be protected as ReadOnly once the
           first VM instance is constructed.  The end of the VM constructor calls
           Config::permanentlyFreeze() which will make the Config ReadOnly.

           Note: this is currently only supported for OS(DARWIN) and OS(LINUX).
           OS(WINDOWS) will need to implement some missing pieces before it can enable
           this hardening (see FIXME in JSCConfig.cpp).

           The hardening strategy here is to put immutable global values into the Config.
           Any modifications that need to be made to these values must be done before the
           first VM instance is done instantiating.  This ensures that no script will
           ever run while the Config is still writable.

           Also, the policy for this hardening is that a process is opted in by default.
           If there's a valid need to disable this hardening (e.g. for some test
           environments), the relevant process will need to opt itself out by calling
           Config::configureForTesting().

           The jsc shell, WK2 UI and WebContent processes are opted in by default.
           Only test processes may be opt out.

        2. Put all JSC::Options in the Config.  This enforces the invariant that options
           can only be changed before we instantiate a VM.  Once a VM is instantiated,
           the options are immutable.

        3. Remove functionForceGCSlowPaths() from the jsc shell.  Setting
           Options::forceGCSlowPaths this way is no longer allowed.

        4. Re-factored the Options code (Options.h) into:
           - OptionEntry.h: the data structure that stores the option values.
           - OptionsList.h: the list of options.
           - Options.h: the Options singleton object which is the interface for accessing options.

           Renamed the JSC_OPTIONS macro to FOR_EACH_JSC_OPTION, because
           "FOR_EACH_JSC_OPTION(SET_OPTION_VALUE)" reads a lot better than
           "JSC_OPTIONS(FOR_EACH_OPTION)".

        5. Change testapi to call Config::configureForTesting().  Parts of testapi makes
           use of setting options in its tests.  Hence, this hardening is disabled for
           testapi.

           Note: the jsc shell does enable this hardening.

        6. Put ExecutableAllocator's immutable globals in the Config.

        7. RELEASE_ASSERT that restrictedOptionsEnabled in order to use the
           FunctionOverrides test utility.

        8. RELEASE_ASSERT that Options::useDollarVM() is enabled in order to use the $vm.

           We must RELEASE_ASSERT(Options::useDollarVM()) in all JSDollarVM functions
           that are non-trivial at an eye's glance.  This includes (but is not limited to):
               constructors
               create() factory
               createStructure() factory
               finishCreation()
               HOST_CALL or operation functions
               Constructors and methods of utility and test classes

           The only exception are some constexpr constructors used for instantiating
           globals (since these must have trivial constructors) e.g. DOMJITAttribute.
           Instead, these constructors should always be ALWAYS_INLINE.

        * API/glib/JSCOptions.cpp:
        (jscOptionsSetValue):
        (jscOptionsGetValue):
        (jsc_options_foreach):
        (jsc_options_get_option_group):
        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.cpp:
        (configureJSCForTesting):
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jit/ExecutableAllocator.cpp:
        (JSC::isJITEnabled):
        (JSC::ExecutableAllocator::setJITEnabled):
        (JSC::ExecutableAllocator::initializeUnderlyingAllocator):
        (JSC::ExecutableAllocator::isValid const):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::isValidExecutableMemory):
        (JSC::ExecutableAllocator::getLock const):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        (JSC::startOfFixedExecutableMemoryPoolImpl):
        (JSC::endOfFixedExecutableMemoryPoolImpl):
        (JSC::isJITPC):
        (JSC::dumpJITMemory):
        (JSC::ExecutableAllocator::initialize):
        (JSC::ExecutableAllocator::singleton):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCOptions):
        (jscmain):
        (functionForceGCSlowPaths): Deleted.
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCConfig.cpp: Added.
        (JSC::Config::disableFreezingForTesting):
        (JSC::Config::enableRestrictedOptions):
        (JSC::Config::permanentlyFreeze):
        * runtime/JSCConfig.h: Added.
        (JSC::Config::configureForTesting):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::exposeDollarVM):
        * runtime/OptionEntry.h: Added.
        (JSC::OptionRange::operator= ):
        (JSC::OptionRange::rangeString const):
        * runtime/Options.cpp:
        (JSC::Options::isAvailable):
        (JSC::scaleJITPolicy):
        (JSC::Options::initialize):
        (JSC::Options::setOptions):
        (JSC::Options::setOptionWithoutAlias):
        (JSC::Options::setAliasedOption):
        (JSC::Option::dump const):
        (JSC::Option::operator== const):
        (): Deleted.
        (JSC::Options::enableRestrictedOptions): Deleted.
        * runtime/Options.h:
        (JSC::Option::Option):
        (JSC::Option::defaultOption const):
        (JSC::Option::boolVal):
        (JSC::Option::unsignedVal):
        (JSC::Option::doubleVal):
        (JSC::Option::int32Val):
        (JSC::Option::optionRangeVal):
        (JSC::Option::optionStringVal):
        (JSC::Option::gcLogLevelVal):
        (JSC::OptionRange::operator= ): Deleted.
        (JSC::OptionRange::rangeString const): Deleted.
        * runtime/OptionsList.h: Added.
        (JSC::countNumberOfJSCOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMCallFrame::JSDollarVMCallFrame):
        (JSC::JSDollarVMCallFrame::createStructure):
        (JSC::JSDollarVMCallFrame::create):
        (JSC::JSDollarVMCallFrame::finishCreation):
        (JSC::JSDollarVMCallFrame::addProperty):
        (JSC::Element::Element):
        (JSC::Element::create):
        (JSC::Element::createStructure):
        (JSC::Root::Root):
        (JSC::Root::create):
        (JSC::Root::createStructure):
        (JSC::SimpleObject::SimpleObject):
        (JSC::SimpleObject::create):
        (JSC::SimpleObject::createStructure):
        (JSC::ImpureGetter::ImpureGetter):
        (JSC::ImpureGetter::createStructure):
        (JSC::ImpureGetter::create):
        (JSC::ImpureGetter::finishCreation):
        (JSC::ImpureGetter::getOwnPropertySlot):
        (JSC::CustomGetter::CustomGetter):
        (JSC::CustomGetter::createStructure):
        (JSC::CustomGetter::create):
        (JSC::CustomGetter::getOwnPropertySlot):
        (JSC::CustomGetter::customGetter):
        (JSC::CustomGetter::customGetterAcessor):
        (JSC::RuntimeArray::create):
        (JSC::RuntimeArray::destroy):
        (JSC::RuntimeArray::getOwnPropertySlot):
        (JSC::RuntimeArray::getOwnPropertySlotByIndex):
        (JSC::RuntimeArray::createPrototype):
        (JSC::RuntimeArray::createStructure):
        (JSC::RuntimeArray::finishCreation):
        (JSC::RuntimeArray::RuntimeArray):
        (JSC::RuntimeArray::lengthGetter):
        (JSC::DOMJITNode::DOMJITNode):
        (JSC::DOMJITNode::createStructure):
        (JSC::DOMJITNode::checkSubClassSnippet):
        (JSC::DOMJITNode::create):
        (JSC::DOMJITGetter::DOMJITGetter):
        (JSC::DOMJITGetter::createStructure):
        (JSC::DOMJITGetter::create):
        (JSC::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
        (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetter::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetter::customGetter):
        (JSC::DOMJITGetter::finishCreation):
        (JSC::DOMJITGetterComplex::DOMJITGetterComplex):
        (JSC::DOMJITGetterComplex::createStructure):
        (JSC::DOMJITGetterComplex::create):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterComplex::functionEnableException):
        (JSC::DOMJITGetterComplex::customGetter):
        (JSC::DOMJITGetterComplex::finishCreation):
        (JSC::DOMJITFunctionObject::DOMJITFunctionObject):
        (JSC::DOMJITFunctionObject::createStructure):
        (JSC::DOMJITFunctionObject::create):
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::checkSubClassSnippet):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
        (JSC::DOMJITCheckSubClassObject::createStructure):
        (JSC::DOMJITCheckSubClassObject::create):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (JSC::DOMJITGetterBaseJSObject::createStructure):
        (JSC::DOMJITGetterBaseJSObject::create):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (JSC::DOMJITGetterBaseJSObject::customGetter):
        (JSC::DOMJITGetterBaseJSObject::finishCreation):
        (JSC::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
        (JSC::JSTestCustomGetterSetter::create):
        (JSC::JSTestCustomGetterSetter::createStructure):
        (JSC::customSetAccessor):
        (JSC::customSetValue):
        (JSC::JSTestCustomGetterSetter::finishCreation):
        (JSC::Element::handleOwner):
        (JSC::Element::finishCreation):
        (JSC::WasmStreamingParser::WasmStreamingParser):
        (JSC::WasmStreamingParser::create):
        (JSC::WasmStreamingParser::createStructure):
        (JSC::WasmStreamingParser::finishCreation):
        (JSC::functionWasmStreamingParserAddBytes):
        (JSC::functionWasmStreamingParserFinalize):
        (JSC::functionCrash):
        (JSC::functionBreakpoint):
        (JSC::functionDFGTrue):
        (JSC::functionFTLTrue):
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::getExecutableForFunction):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionNoInline):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionDumpSubspaceHashes):
        (JSC::functionCallFrame):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionDumpSourceFor):
        (JSC::functionDumpBytecodeFor):
        (JSC::doPrint):
        (JSC::functionDataLog):
        (JSC::functionPrint):
        (JSC::functionDumpCallFrame):
        (JSC::functionDumpStack):
        (JSC::functionDumpRegisters):
        (JSC::functionDumpCell):
        (JSC::functionIndexingMode):
        (JSC::functionInlineCapacity):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::functionHaveABadTime):
        (JSC::functionIsHavingABadTime):
        (JSC::functionCreateGlobalObject):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateNullRopeString):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionCreateWasmStreamingParser):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionGetPrivateProperty):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionFlattenDictionaryObject):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::changeDebuggerModeWhenIdle):
        (JSC::functionEnableDebuggerModeWhenIdle):
        (JSC::functionDisableDebuggerModeWhenIdle):
        (JSC::functionDeleteAllCodeWhenIdle):
        (JSC::functionGlobalObjectCount):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::functionDeltaBetweenButterflies):
        (JSC::functionTotalGCTime):
        (JSC::functionParseCount):
        (JSC::functionIsWasmSupported):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:

2019-09-11  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
        https://bugs.webkit.org/show_bug.cgi?id=201650

        Reviewed by Joseph Pecoraro.

        Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.

        A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
        required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
        `-webkit-canvas` client of a `WebGPUDevice`.

        * inspector/protocol/Canvas.json:
         - Add `powerPreference` key to `ContextAttributes` type.
         - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
         - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
         - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
           really a "canvas".

2019-09-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add StringCodePointAt intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=201673

        Reviewed by Michael Saboff.

        JetStream2/UniPoker executes String#codePointAt frequently. We should handle it in ThunkGenerator, DFG, and FTL like we are doing so for String#charCodeAt.
        This patch adds these supports for String#codePointAt to get ~10% score improvement in JetStream2/UniPoker.

        In ThunkGenerator, we add a thunk for String#codePointAt, which accelerates LLInt and Baseline. In DFG, we handle this as StringCodePointAt node, and emit
        inlined code in DFG and FTL. The characteristics of StringCodePointAt node is basically the same to StringCharAt. It has String array-mode, so it emits
        preceding CheckArray. This ensures that (1) StringCodePointAt node itself does not do GC since the string is always resolved, and (2) we can skip the rope
        check. This thing is just the same to the existing StringCharCodeAt mechanism.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        * jit/ThunkGenerators.cpp:
        (JSC::stringGetByValGenerator):
        (JSC::stringCharLoad):
        (JSC::stringPrototypeCodePointAtThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2019-09-11  Michael Saboff  <msaboff@apple.com>

        JSC crashes due to stack overflow while building RegExp
        https://bugs.webkit.org/show_bug.cgi?id=201649

        Reviewed by Yusuke Suzuki.

        Check for running out of stack when we are optimizing RegExp containing BOL terms or
        other deep copying of disjunctions.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
        (JSC::Yarr::YarrPatternConstructor::copyTerm):
        (JSC::Yarr::YarrPatternConstructor::error):
        (JSC::Yarr::YarrPattern::compile):

2019-09-11  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r249753.

        caused inspector/canvas/shaderProgram-add-remove-webgl.html to
        crash on all Mac platforms.

        Reverted changeset:

        "Web Inspector: Canvas: instrument WebGPUDevice instead of
        GPUCanvasContext"
        https://bugs.webkit.org/show_bug.cgi?id=201650
        https://trac.webkit.org/changeset/249753

2019-09-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: instrument WebGPUDevice instead of GPUCanvasContext
        https://bugs.webkit.org/show_bug.cgi?id=201650

        Reviewed by Joseph Pecoraro.

        Most of the actual "work" done with Web GPU actually uses a `WebGPUDevice`.

        A `GPUCanvasContext` is basically just a display "client" of the device, and isn't even
        required (e.g. compute pipeline).  We should treat the `GPUCanvasContext` almost like a
        `-webkit-canvas` client of a `WebGPUDevice`.

        * inspector/protocol/Canvas.json:
         - Add `powerPreference` key to `ContextAttributes` type.
         - Rename `requestCSSCanvasClientNodes` command to `requestClientNodes` for the above reason.
         - Rename `cssCanvasClientNodesChanged` event to `clientNodesChanged` for the above reason.
         - Rename `resolveCanvasContext` command to `resolveContext` since a `WebGPUDevice` isn't
           really a "canvas".

2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
        https://bugs.webkit.org/show_bug.cgi?id=201634

        Reviewed by Mark Lam and Robin Morisset.

        This patch includes two things. One is fixing 32bit bitwise operation with allOne constants. Another is fixing the existing bug in BitAnd strength reduction.

        1. 32bit bitwise operation with allOne constants

            Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
            For example, in BitAnd strength reduction,

                1034             // Turn this: BitAnd(value, all-ones)
                1035             // Into this: value.
                1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
                1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
                1038                 replaceWithIdentity(m_value->child(0));
                1039                 break;
                1040             }

            We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,

                262 inline bool Value::isInt(int64_t value) const
                263 {
                264     return hasInt() && asInt() == value;
                265 }

            So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,

                257 inline int64_t Value::asInt() const
                258 {
                259     return hasInt32() ? asInt32() : asInt64();
                260 }

            So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
            We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).

        2. BitAnd and BitOr strength reduction bug

            We also fix the following optimization.

                // Turn this: BitAnd(Op(value, constant1), constant2)
                //     where !(constant1 & constant2)
                //       and Op is BitOr or BitXor
                // into this: BitAnd(value, constant2)

            Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.

                // Turn this: BitAnd(BitXor(x, allOnes), c)
                // Into this: BitXor(BitOr(x, ~c), allOnes)

            And we also found that this not-used optimization has a bug not inserting a newly produced constant B3::Value. This patch also fixes it.

        For both, this patch adds tests. And (2) fix can be ensured that the testb3 does not crash with validate-graph option.

        * b3/B3LowerToAir.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/testb3.h:
        * b3/testb3_2.cpp:
        (testBitAndNotNot32):
        (testBitAndNotImm):
        (testBitAndNotImm32):
        (testBitOrAndAndArgs32):
        (testBitOrAndSameArgs32):
        (testBitOrNotNot32):
        (testBitOrNotImm32):
        (addBitTests):
        * b3/testb3_3.cpp:
        (testBitXorAndAndArgs32):
        (testBitXorAndSameArgs32):

2019-09-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r249721.
        https://bugs.webkit.org/show_bug.cgi?id=201667

        Discovering existing bug (Requested by yusukesuzuki on
        #webkit).

        Reverted changeset:

        "[JSC] 32bit bitwide operation with all-one (-1) is wrong in
        B3"
        https://bugs.webkit.org/show_bug.cgi?id=201634
        https://trac.webkit.org/changeset/249721

2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
        https://bugs.webkit.org/show_bug.cgi?id=201664
        <rdar://problem/52126927>

        Reviewed by Tadeu Zagallo.

        We are hitting the crash accessing invalid-pointer as CodeBlock::calleeSaveRegisters result.
        This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters.
        Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread,
        we can see half-baked JITData structure which holds garbage pointers.

        But we do not want to make CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock due to several reasons.

        1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are
           called while taking this exact same lock, so dead-lock can happen.
        2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses these field after initializing properly. For Baseline JIT
           compiler case, only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock.

        Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that
        JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::ensureJITDataSlow):

2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
        https://bugs.webkit.org/show_bug.cgi?id=198253

        Reviewed by Mark Lam.

        ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
        When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
        it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.

        In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.

        * parser/ResultType.h:
        (JSC::ResultType::bigIntOrInt32Type):

2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3
        https://bugs.webkit.org/show_bug.cgi?id=201634

        Reviewed by Mark Lam.

        Accidentally, the B3::Value is ConstInt32(-1), `value->isInt(std::numeric_limits<uint32_t>::max())` returns `false`!
        For example, in BitAnd strength reduction,

            1034             // Turn this: BitAnd(value, all-ones)
            1035             // Into this: value.
            1036             if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
            1037                 || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
            1038                 replaceWithIdentity(m_value->child(0));
            1039                 break;
            1040             }

        We use `m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max())`. However, Value::isInt is,

            262 inline bool Value::isInt(int64_t value) const
            263 {
            264     return hasInt() && asInt() == value;
            265 }

        So, UINT32_MAX is expanded to int64_t, but it is not -1 since UINT32_MAX can be representable in int64_t. And Value::asInt implementation is,

            257 inline int64_t Value::asInt() const
            258 {
            259     return hasInt32() ? asInt32() : asInt64();
            260 }

        So, we perform `static_cast<int64_t>(-1) == static_cast<int64_t>(UINT32_MAX)`. This is false, but this comparison is not what we want!
        We should use `isInt32` and `isInt64` for bit patterns (like, operands for Bitwise opcodes).

        We also fix the following optimization.

            // Turn this: BitAnd(Op(value, constant1), constant2)
            //     where !(constant1 & constant2)
            //       and Op is BitOr or BitXor
            // into this: BitAnd(value, constant2)

        Since we stop further optimization when we match `if (m_value->child(1)->hasInt())`, the following optimization is never taken.

            // Turn this: BitAnd(BitXor(x, allOnes), c)
            // Into this: BitXor(BitOr(x, ~c), allOnes)

        We add 32bit version of B3 tests for these optimizations.

        * b3/B3LowerToAir.cpp:
        * b3/B3ReduceStrength.cpp:
        * b3/testb3.h:
        * b3/testb3_2.cpp:
        (testBitAndNotNot32):
        (testBitAndNotImm):
        (testBitAndNotImm32):
        (testBitOrAndAndArgs32):
        (testBitOrAndSameArgs32):
        (testBitOrNotNot32):
        (testBitOrNotImm32):
        (addBitTests):
        * b3/testb3_3.cpp:
        (testBitXorAndAndArgs32):
        (testBitXorAndSameArgs32):

2019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [WebAssembly] Use StreamingParser in existing Wasm::BBQPlan
        https://bugs.webkit.org/show_bug.cgi?id=189043

        Reviewed by Keith Miller.

        This patch integrates Wasm::StreamingParser into the existing Wasm::BBQPlan.
        And remove Wasm::ModuleParser. This patch paves the way to implementing Wasm streaming features by
        using Wasm::StreamingParser.

        Currently, we are not using streaming feature of StreamingParser. In a subsequent patch, we will
        create a mechanism to pipe a chunk of data to streaming parser to enable WebAssembly.compileStreaming
        and instantiateStreaming.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * tools/JSDollarVM.cpp:
        (JSC::WasmStreamingParser::WasmStreamingParser):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::parseAndCompileAir):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile): Use FunctionData, it is good since it is more strongly typed.
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        (JSC::Wasm::BBQPlan::didReceiveFunctionData): Add a callback, which invokes validation.
        (JSC::Wasm::BBQPlan::parseAndValidateModule): Use StreamingParser instead of old ModuleParser.
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmModuleParser.cpp: Removed.
        * wasm/WasmModuleParser.h: Removed.
        * wasm/WasmOMGForOSREntryPlan.cpp:
        (JSC::Wasm::OMGForOSREntryPlan::work):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::fail): Make fail function callable multiple times. The first error will be used.
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseCode): Since the Code section is specially handled in StreamingParser, this code is never used.
        * wasm/WasmStreamingParser.cpp:
        (JSC::Wasm::StreamingParser::StreamingParser):
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):
        (JSC::Wasm::StreamingParser::parseFunctionPayload):
        (JSC::Wasm::StreamingParser::parseSectionPayload):
        (JSC::Wasm::StreamingParser::finalize): Call client's callbacks at appropriate timings.
        * wasm/WasmStreamingParser.h:
        (JSC::Wasm::StreamingParserClient::didReceiveSectionData):
        (JSC::Wasm::StreamingParserClient::didReceiveFunctionData):
        (JSC::Wasm::StreamingParserClient::didFinishParsing): Add StreamingParserClient,
        which has 3 callbacks right now. StreamingParser gets this client and call these callbacks
        at appropriate timings.
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::validateFunction):
        * wasm/WasmValidate.h: Use FunctionData, it is good since it is more strongly typed.

2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
        https://bugs.webkit.org/show_bug.cgi?id=201622

        Reviewed by Mark Lam.

        CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate
        this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector,
        the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        (JSC::DFG::SymbolTableAdaptor::add):
        (JSC::DFG::FunctionExecutableAdaptor::add):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::emit const):

2019-09-09  Robin Morisset  <rmorisset@apple.com>

        [Air] highOrderAdjacents in AbstractColoringAllocator::conservativeHeuristic should be some kind of array
        https://bugs.webkit.org/show_bug.cgi?id=197305

        Reviewed by Keith Miller.

        Currently it is a HashSet, but it only ever holds at most registerCount() items. And linear search tends to be faster on such a small collection than hashing + searching in a HashSet.
        Further benefits include avoiding the allocation of the HashSet, not actually adding the nodes adjacent to V (since there are no duplicates in the adjacency lists).

        This patch also contains a trivial optimization: if the remaining number of nodes to consider + the number of highOrderAdjacents already seen is smaller than registerCount() we can return true directly.
        Apart from that, the patch got some trivial cleanup of GraphColoringRegisterAllocation::allocateOnBank() (that for example was only logging the number of iterations for FP registers, and not the more interesting number for GP registers).

        The time spent in the register allocator throughout JetStream2 on this MacBook Pro moves from 3767 / 3710 / 3785 ms to 3551 / 3454 / 3503 ms.
        So about a 6% speedup for that phase, and between 1 and 1.5% speedup for FTL/OMG compilation overall.

        No new tests as there is no intended change to the code being generated, and this was already tested by running testb3 + JetStream2.

        * b3/air/AirAllocateRegistersByGraphColoring.cpp:

2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use metadata table to iterate specific bytecode metadata instead of propertyAccessInstructions vector
        https://bugs.webkit.org/show_bug.cgi?id=201613

        Reviewed by Mark Lam.

        We do not need to maintain propertyAccessInstructions vector to access metadata tied to a specific bytecode opcode
        since we have MetadataTable::forEach<Op> feature. This removes propertyAccessInstructions entirely, and fixes the
        issue that `op_create_promise` missed propertyAccessInstructions registration (a name "propertyAccessInstructions" is
        misleading, it is like "instructions-requires-llint-finalize").

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::applyModification):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addPropertyAccessInstruction): Deleted.
        (JSC::UnlinkedCodeBlock::numberOfPropertyAccessInstructions const): Deleted.
        (JSC::UnlinkedCodeBlock::propertyAccessInstructions const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitDirectGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitCreateThis):
        (JSC::BytecodeGenerator::emitToThis):
        * runtime/CachedTypes.cpp:
        (JSC::CachedCodeBlock<CodeBlockType>::decode const):
        (JSC::CachedCodeBlock<CodeBlockType>::encode):

2019-09-07  Keith Miller  <keith_miller@apple.com>

        OSR entry into wasm misses some contexts
        https://bugs.webkit.org/show_bug.cgi?id=201569

        Reviewed by Yusuke Suzuki.

        This patch fixes an issue where we could fail to capture some of
        our contexts when OSR entering into wasm code. Before we would
        only capture the state of the block immediately surrounding the
        entrance loop block header. We actually need to capture all
        enclosed stacks.

        Additionally, we don't need to use variables for all the captured
        values. We can use a Phi and insert an upsilon just below the
        captured value.

        * interpreter/CallFrame.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCallerIsOMGCompiled):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
        (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
        (JSC::Wasm::AirIRGenerator::addLoop):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::createStack):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::addConstant):
        (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
        (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addLoop):
        (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
        (JSC::Wasm::dumpExpressionStack):
        (JSC::Wasm::B3IRGenerator::dump):
        (JSC::Wasm::B3IRGenerator::Stack::Stack): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::append): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::takeLast): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::last): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::size const): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::isEmpty const): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::at const): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::variableAt const): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::shrink): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::swap): Deleted.
        (JSC::Wasm::B3IRGenerator::Stack::dump const): Deleted.
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser::controlStack):

2019-09-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Promise resolve/reject functions should be created more efficiently
        https://bugs.webkit.org/show_bug.cgi?id=201488

        Reviewed by Mark Lam.

        While r246553 fixed an important issue, it makes anonymous-builtin-function creation costly since it enforces FunctionRareData allocations.
        Unfortunately, anonymous-builtin-function function can be created frequently since this type of function is used
        for `resolve` and `reject` arguments of Promise's executor (e.g. `new Promise((resolve, reject) => ...)`'s resolve and reject).
        Since we are now always creating FunctionRareData for these functions, this additional allocation makes promise creation slower.

        In this patch, we use `isAnonymousBuiltinFunction` information for `hasReifiedName` correctly. And we propagate `isAnonymousBuiltinFunction` information
        to FunctionRareData to initialize `m_hasReifiedName` correctly. Then we can avoid unnecessary FunctionRareData allocation, which makes
        anonymous-builtin-function creation faster.

        We can ensure that this patch does not revert r246553's fix by running JSTests/stress/builtin-private-function-name.js test.
        The simple microbenchmark shows 1.7x improvement.

                                              ToT                     Patched

            promise-creation-many       45.6701+-0.1488     ^     26.8663+-1.8336        ^ definitely 1.6999x faster

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::create):
        (JSC::FunctionRareData::FunctionRareData):
        * runtime/FunctionRareData.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::allocateRareData):
        (JSC::JSFunction::allocateAndInitializeRareData):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::hasReifiedName const):

2019-09-07  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy() source buffer should not be in the Gigacage.
        https://bugs.webkit.org/show_bug.cgi?id=201577
        <rdar://problem/55142606>

        Reviewed by Michael Saboff.

        Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
        buffer is not in the Gigacage.

        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):

2019-09-07  Mark Lam  <mark.lam@apple.com>

        The jsc shell should allow disabling of the Gigacage for testing purposes.
        https://bugs.webkit.org/show_bug.cgi?id=201579

        Reviewed by Michael Saboff.

        Check for the same GIGACAGE_ENABLED env var that is checked by Gigacage code.  If
        this env var is present and it has a falsy value, then do not
        forbidDisablingPrimitiveGigacage() in the jsc shell.

        * jsc.cpp:
        (jscmain):

2019-09-06  Mark Lam  <mark.lam@apple.com>

        Harden protection of the Gigacage Config parameters.
        https://bugs.webkit.org/show_bug.cgi?id=201570
        <rdar://problem/55134229>

        Reviewed by Saam Barati.

        Just renaming some function names here.

        * assembler/testmasm.cpp:
        (JSC::testCagePreservesPACFailureBit):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageConditionally):
        * jsc.cpp:
        (jscmain):

2019-09-06  Ross Kirsling  <ross.kirsling@sony.com>

        Math.round() produces wrong result for value prior to 0.5
        https://bugs.webkit.org/show_bug.cgi?id=185115

        Reviewed by Saam Barati.

        Our Math.round implementation goes in the wrong direction for double values like 0.49999999999999994.
        This requires just a subtle adjustment for three of our four versions; only baseline JIT needed a full rewrite.

        Specifically:
          - While 0.49999999999999994 is representable, 1 - 0.49999999999999994 is not (it turns into 0.5),
            so taking the difference between ceil(value)` and `value` is problematic.
          - The baseline implementation was doing `floor(x + 0.5)` for positive doubles and slowpathing negative ones
            (by falling back to jsRound). This patch gives baseline a legitimate implementation too.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithRounding):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
        * jit/ThunkGenerators.cpp:
        (JSC::roundThunkGenerator):
        * runtime/MathCommon.cpp:

2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>

        Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
        https://bugs.webkit.org/show_bug.cgi?id=201366

        Reviewed by Saam Barati.

        It is possible for the log buffer to be full right as someone is trying to
        log a function prologue. In such a case the machine stack has already been
        updated to include the new JavaScript call frame, but the prologue packet
        cannot be included in the update because the log is full. This would mean
        that the update fails to rationalize the machine stack with the shadow
        log / stack. Namely, the current JavaScript call frame is unable to
        find a matching prologue (the one we are holding to include after the update)
        and inserts a questionable value into the stack; and in the process
        missing and removing real potential tail calls.

        For example:
        
            "use strict";
            function third() { return 1; }
            function second() { return third(); }
            function first() { return second(); }
            function start() { return first(); }

        If the the log fills up just as we are entering `b` then we may have a list
        full log of packets looking like:

          Shadow Log:
            ...
            { prologue-packet: entering `start` ... }
            { prologue-packet: entering `first` ... }
            { tail-packet: leaving `first` with a tail call }

          Incoming Packet:
            { prologue-packet: entering `second` ... }

          Current JS Stack:
            second
            start

        Since the Current JavaScript stack already has `second`, if we process the
        log without the prologue for `second` then we push a confused entry on the
        shadow stack and clear the log such that we eventually lose the tail-call
        information for `first` to `second`.

        This patch solves this issue by providing enough extra space in the log
        to always process the incoming packet when that forces an update. This way
        clients can continue to behave exactly as they are.

        --

        We also document a corner case in some circumstances where the shadow
        log may currently be insufficient to know how to reconcile:
        
        For example:

            "use strict";
            function third() { return 1; }
            function second() { return third(); }
            function first() { return second(); }
            function doNothingTail() { return Math.random() }
            function start() {
                for (i=0;i<1000;++i) doNothingTail();
                return first();
            }

        In this case the ShadowChicken log may be processed multiple times due
        to the many calls to `doNothingTail` / `Math.random()`. When calling the
        Native function no prologue packet is emitted, so it is unclear that we
        temporarly go deeper and come back out on the stack, so the log appears
        to have lots of doNothingTail calls reusing the same frame:

          Shadow Log:
            ...
            , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
            , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [125] tail-packet:{frame = 0x7ffeef8971f0}
            , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [127] tail-packet:{frame = 0x7ffeef8971f0}
            ...
            , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [141] tail-packet:{frame = 0x7ffeef8971f0}
            , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [143] tail-packet:{frame = 0x7ffeef8971f0}
            , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
            , [145] tail-packet:{frame = 0x7ffeef8971f0}
            , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
            ...

        This log would seem to be indistinguishable from real tail recursion, such as:

            "use strict";
            function third() { return 1; }
            function second() { return third(); }
            function first() { return second(); }
            function doNothingTail(n) {
                return n ? doNothingTail(n-1) : first();
            }
            function start() {
                return doNothingTail(1000);
            }

        Likewise there are more cases where the shadow log appears to be ambiguous with determining
        the appropriate parent call frame with intermediate function calls. In practice this may
        not be too problematic, as this is a best effort reconstruction of tail deleted frames.
        It seems likely we would only show additional frames that did in fact happen serially
        between JavaScript call frames, but may not actually be the proper parent frames
        heirachy in the stack.

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::Packet::dump const):
        (JSC::ShadowChicken::Frame::dump const):
        (JSC::ShadowChicken::dump const):
        Improved debugging output. Especially for functions.

        (JSC::ShadowChicken::ShadowChicken):
        Make space in the log for 1 additional packet to process when we slow log.

        (JSC::ShadowChicken::log):
        Include this packet in our update.

        (JSC::ShadowChicken::update):
        Address an edge case where we can eliminate tail-deleted frames that don't make sense.

2019-09-06  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r249566.

        Causes inspector layout test crashes under GuardMalloc

        Reverted changeset:

        "Tail Deleted Frames shown in Web Inspector are sometimes
        incorrect (Shadow Chicken)"
        https://bugs.webkit.org/show_bug.cgi?id=201366
        https://trac.webkit.org/changeset/249566

2019-09-06  Guillaume Emont  <guijemont@igalia.com>

        testmasm: save r6 in JIT'ed code on ARM_THUMB2
        https://bugs.webkit.org/show_bug.cgi?id=201138

        Reviewed by Mark Lam.

        MacroAssemblerArmv7 uses r6 as a temporary register, and it is a
        callee-saved register. The JITs use
        AssemblyHelpers::emitSaveCalleeSaves() and friends to save
        callee-saved registers, but there is no such mechanism in testmasm,
        which seems to make the assumption that the macroassembler does not
        use callee-saved registers (which I guess is true for all other
        architectures, but not for Armv7).

        This issue means that testmasm crashes on Armv7 since code generated
        by gcc uses r6, and it gets modified by JIT'ed code.

        This change makes sure that we save and restore r6 for all code
        compiled by testmasm on Armv7.

        * assembler/testmasm.cpp:
        (JSC::emitFunctionPrologue):
        (JSC::emitFunctionEpilogue):
        (JSC::testSimple):
        (JSC::testGetEffectiveAddress):
        (JSC::testBranchTruncateDoubleToInt32):
        (JSC::testBranchTestBit32RegReg):
        (JSC::testBranchTestBit32RegImm):
        (JSC::testBranchTestBit32AddrImm):
        (JSC::testBranchTestBit64RegReg):
        (JSC::testBranchTestBit64RegImm):
        (JSC::testBranchTestBit64AddrImm):
        (JSC::testCompareDouble):
        (JSC::testMul32WithImmediates):
        (JSC::testMul32SignExtend):
        (JSC::testCompareFloat):
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::testByteSwap):
        (JSC::testMoveDoubleConditionally32):
        (JSC::testMoveDoubleConditionally64):
        (JSC::testCagePreservesPACFailureBit):

2019-09-05  Joseph Pecoraro  <pecoraro@apple.com>

        Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
        https://bugs.webkit.org/show_bug.cgi?id=201366

        Reviewed by Saam Barati.

        It is possible for the log buffer to be full right as someone is trying to
        log a function prologue. In such a case the machine stack has already been
        updated to include the new JavaScript call frame, but the prologue packet
        cannot be included in the update because the log is full. This would mean
        that the update fails to rationalize the machine stack with the shadow
        log / stack. Namely, the current JavaScript call frame is unable to
        find a matching prologue (the one we are holding to include after the update)
        and inserts a questionable value into the stack; and in the process
        missing and removing real potential tail calls.

        For example:
        
            "use strict";
            function third() { return 1; }
            function second() { return third(); }
            function first() { return second(); }
            function start() { return first(); }

        If the the log fills up just as we are entering `b` then we may have a list
        full log of packets looking like:

          Shadow Log:
            ...
            { prologue-packet: entering `start` ... }
            { prologue-packet: entering `first` ... }
            { tail-packet: leaving `first` with a tail call }

          Incoming Packet:
            { prologue-packet: entering `second` ... }

          Current JS Stack:
            second
            start

        Since the Current JavaScript stack already has `second`, if we process the
        log without the prologue for `second` then we push a confused entry on the
        shadow stack and clear the log such that we eventually lose the tail-call
        information for `first` to `second`.

        This patch solves this issue by providing enough extra space in the log
        to always process the incoming packet when that forces an update. This way
        clients can continue to behave exactly as they are.

        --

        We also document a corner case in some circumstances where the shadow
        log may currently be insufficient to know how to reconcile:
        
        For example:

            "use strict";
            function third() { return 1; }
            function second() { return third(); }
            function first() { return second(); }
            function doNothingTail() { return Math.random() }
            function start() {
                for (i=0;i<1000;++i) doNothingTail();
                return first();
            }

        In this case the ShadowChicken log may be processed multiple times due
        to the many calls to `doNothingTail` / `Math.random()`. When calling the
        Native function no prologue packet is emitted, so it is unclear that we
        temporarly go deeper and come back out on the stack, so the log appears
        to have lots of doNothingTail calls reusing the same frame:

          Shadow Log:
            ...
            , [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
            , [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [125] tail-packet:{frame = 0x7ffeef8971f0}
            , [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [127] tail-packet:{frame = 0x7ffeef8971f0}
            ...
            , [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [141] tail-packet:{frame = 0x7ffeef8971f0}
            , [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
            , [143] tail-packet:{frame = 0x7ffeef8971f0}
            , [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
            , [145] tail-packet:{frame = 0x7ffeef8971f0}
            , [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
            ...

        This log would seem to be indistinguishable from real tail recursion, such as:

            "use strict";
            function third() { return 1; }
            function second() { return third(); }
            function first() { return second(); }
            function doNothingTail(n) {
                return n ? doNothingTail(n-1) : first();
            }
            function start() {
                return doNothingTail(1000);
            }

        Likewise there are more cases where the shadow log appears to be ambiguous with determining
        the appropriate parent call frame with intermediate function calls. In practice this may
        not be too problematic, as this is a best effort reconstruction of tail deleted frames.
        It seems likely we would only show additional frames that did in fact happen serially
        between JavaScript call frames, but may not actually be the proper parent frames
        heirachy in the stack.

        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::Packet::dump const):
        (JSC::ShadowChicken::Frame::dump const):
        (JSC::ShadowChicken::dump const):
        Improved debugging output. Especially for functions.

        (JSC::ShadowChicken::ShadowChicken):
        Make space in the log for 1 additional packet to process when we slow log.

        (JSC::ShadowChicken::log):
        Include this packet in our update.

        (JSC::ShadowChicken::update):
        Address an edge case where we can eliminate tail-deleted frames that don't make sense.

2019-09-05  Mark Lam  <mark.lam@apple.com>

        Refactor the Gigacage code to require less pointer casting.
        https://bugs.webkit.org/show_bug.cgi?id=201521

        Reviewed by Saam Barati.

        Change LLInt's loadCagedJSValue() to skip the caging if Gigacage is not enabled
        in the build.  This allows us to remove the unneeded stubs in WTF Gigacage.h.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageConditionally):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up after r249530 and r249509
        https://bugs.webkit.org/show_bug.cgi?id=201495

        Rename FTLOutput::weakPointer to alreadyRegisteredWeakPointer and alreadyRegisteredFrozenPointer.

        * builtins/PromiseConstructor.js:
        (nakedConstructor.Promise.resolve):
        (nakedConstructor.Promise.reject):
        (nakedConstructor.Promise):
        (nakedConstructor.InternalPromise.resolve):
        (nakedConstructor.InternalPromise.reject):
        (nakedConstructor.InternalPromise):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
        (JSC::FTL::DFG::LowerDFGToB3::frozenPointer):
        (JSC::FTL::DFG::LowerDFGToB3::weakStructure):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::alreadyRegisteredWeakPointer):
        (JSC::FTL::Output::alreadyRegisteredFrozenPointer):
        (JSC::FTL::Output::weakPointer): Deleted.

2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generalize Get/PutPromiseInternalField for InternalFieldObjectImpl
        https://bugs.webkit.org/show_bug.cgi?id=201513

        Reviewed by Ross Kirsling.

        This patch extracts JSPromise's internal fields mechanism as JSInternalFieldsObjectImpl, and make it reusable for the other objects.
        It is preparation for using this internal fields mechanism for generators, async functions, async generators, array iterators and so on.

        The profiler is telling many recompilation of Generator's resume function (including async generator's one). We are using properties
        with private-symbols as a storage for internal state of generators. However, the spec defines that each generator from different generator-functions
        has different [[Prototype]]. While we need to share one Generator.prototype.next function, generators tend to have different Structures due to
        different [[Prototype]] and accessing internal fields with `get_by_id_direct` sadly becomes super megamorphic while it is not necessary.
        And every time new Structure for new generator pops up, DFG/FTL code for generator resume function gets OSR exit or eventually this function gets
        emits super generic code unfortunately. By using internal fields for storing these state, we can avoid this performance problem.

        Bytecodes and corresponding DFG nodes are just renamed. JSPromise is now inheriting JSInternalFieldsObjectImpl, which can holds specified
        number of internal fields. And op_get_internal_field / op_put_internal_field can access these internal fields.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetInternalField):
        (JSC::BytecodeGenerator::emitPutInternalField):
        (JSC::BytecodeGenerator::emitGetPromiseInternalField): Deleted.
        (JSC::BytecodeGenerator::emitPutPromiseInternalField): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasInternalFieldIndex):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetInternalField):
        (JSC::DFG::SpeculativeJIT::compilePutInternalField):
        (JSC::DFG::SpeculativeJIT::compileCreatePromise):
        (JSC::DFG::SpeculativeJIT::compileNewPromise):
        (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField): Deleted.
        (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_internal_field):
        (JSC::JIT::emit_op_put_internal_field):
        (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
        (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_internal_field):
        (JSC::JIT::emit_op_put_internal_field):
        (JSC::JIT::emit_op_get_promise_internal_field): Deleted.
        (JSC::JIT::emit_op_put_promise_internal_field): Deleted.
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSInternalFieldObjectImpl.h: Copied from Source/JavaScriptCore/runtime/JSPromise.h.
        (JSC::JSInternalFieldObjectImpl::allocationSize):
        (JSC::JSInternalFieldObjectImpl::internalField const):
        (JSC::JSInternalFieldObjectImpl::internalField):
        (JSC::JSInternalFieldObjectImpl::offsetOfInternalFields):
        (JSC::JSInternalFieldObjectImpl::offsetOfInternalField):
        (JSC::JSInternalFieldObjectImpl::JSInternalFieldObjectImpl):
        * runtime/JSInternalFieldObjectImplInlines.h: Added.
        (JSC::JSInternalFieldObjectImpl<passedNumberOfInternalFields>::visitChildren):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::status const):
        (JSC::JSPromise::result const):
        (JSC::JSPromise::isHandled const):
        * runtime/JSPromise.h:
        (JSC::JSPromise::allocationSize): Deleted.
        (JSC::JSPromise::offsetOfInternalFields): Deleted.
        (JSC::JSPromise::offsetOfInternalField): Deleted.
        (): Deleted.

2019-09-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r247463.
        https://bugs.webkit.org/show_bug.cgi?id=201515

        JetStream2 code-load related regression (Requested by
        yusukesuzuki on #webkit).

        Reverted changeset:

        "Keyword lookup can use memcmp to get around unaligned load
        undefined behavior"
        https://bugs.webkit.org/show_bug.cgi?id=199650
        https://trac.webkit.org/changeset/247463

2019-09-05  Tadeu Zagallo  <tzagallo@apple.com>

        LazyClassStructure::setConstructor should not store the constructor to the global object
        https://bugs.webkit.org/show_bug.cgi?id=201484
        <rdar://problem/50400451>

        Reviewed by Yusuke Suzuki.

        LazyClassStructure::setConstructor sets the constructor as a property of the global object.
        This became a problem when it started being used for WebAssembly constructors, such as Module
        and Instance, since they are properties of the WebAssembly object, not the global object. That
        resulted in properties of the global object replaced whenever a lazy WebAssembly constructor
        was first accessed. e.g.

        globalThis.Module = x;
        WebAssembly.Module;
        globalThis.Module === WebAssembly.Module;

        * runtime/LazyClassStructure.cpp:
        (JSC::LazyClassStructure::Initializer::setConstructor):
        * runtime/LazyClassStructure.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperty):

2019-09-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not use FTLOutput::weakPointer directly
        https://bugs.webkit.org/show_bug.cgi?id=201495

        Reviewed by Filip Pizlo.

        FTLOutput::weakPointer does not register the cell as a weak pointer.
        CreatePromise's implementation is accidentally using m_out.weakPointer and hits the debug assertion.
        While the current implementation is not posing correctness issue since these cells are live so long as JSGlobalObject is live,
        and we register JSGlobalObject as a weakPointer, we should always use FTLLowerDFGToB3's helper function.
        For FrozenValue, we should use frozenPointer helper function.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, partial roll out r249372 due to JetStream2/Basic ~10% regression
        https://bugs.webkit.org/show_bug.cgi?id=201373

        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoopHint):
        (JSC::BytecodeGenerator::emitCheckTraps):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_check_traps):
        (JSC::JIT::emitSlow_op_check_traps):
        (JSC::JIT::emitSlow_op_enter): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rebaseline builtin generator test results
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Rebaseline the result files.

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] FunctionOverrides should have a lock to ensure concurrent access to hash table does not happen
        https://bugs.webkit.org/show_bug.cgi?id=201485

        Reviewed by Tadeu Zagallo.

        FunctionOverrides is a per-process singleton for registering overrides information. But we are accessing
        it without taking a lock. If multiple threads with multiple VMs are accessing this concurrently, we have
        a race issue like,

        1. While one thread is adding overrides information,
        2. Another thread is accessing this hash table.

        This patch adds a lock to make sure that only one thread can access this registry.

        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverrides::FunctionOverrides):
        (JSC::FunctionOverrides::reinstallOverrides):
        (JSC::FunctionOverrides::initializeOverrideFor):
        (JSC::FunctionOverrides::parseOverridesInFile):
        * tools/FunctionOverrides.h:
        (JSC::FunctionOverrides::clear):

2019-09-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make Promise implementation faster
        https://bugs.webkit.org/show_bug.cgi?id=200898

        Reviewed by Saam Barati.

        This is the major change of the Promise implementation and it improves JetStream2/async-fs by 62%.

        1. Make JSPromise C++ friendly

            Instead of using objects with private properties (properties with private symbols), we put internal fields in JSPromise.
            This avoids allocating unnecessary butterflies for these private fields, and makes allocating JSPromise and accessing these
            fields from C++ easy. Moreover, this patch reduces # of fields of JSPromise from 4 to 2 to make JSPromise compact. To access these internal
            fields efficiently from JS, we add `op_get_promise_internal_field` and `op_put_promise_internal_field` bytecodes, and corresponding DFG/FTL
            supports. They are similar to GetClosureVar / PutClosureVar implementation. These two bytecodes are intentionally generic to later expand
            this support to generator and async-generator by renaming them to `op_get_internal_field` and `op_put_internal_field`. It is filed in [1].

            We also add JSPromiseType as JSType. And structures for JSPromise should have that. So that now `@isPromise` is efficiently implemented.
            This also requires adding SpecPromiseObject and PromiseObjectUse to DFG.

            Further, by introducing another bit flag representing `alreadyResolved` to JSPromise's flags, we can remove JSPromiseDeferred. This extension
            is filed in [2].

        2. Make JSPromise constructor JS friendly

            The old JSPromise constructor was very inefficient: JSPromise constructor is InternalFunction in C++, and in it, it
            calls `initializePromise` JS function. And this `initializePromise` function invokes `executor` function passed by user program.
            If we can implement JSPromise constructor fully in JS, we can recognize `executor` and we have a chance to fully inline them.
            Unfortunately, we cannot inline JSPromise constructor for now since it takes 120 bytecode cost while our inlining threshold for
            construct is 100. We might want to investigate getting it inlined in the future[3].

            We can avoid C++ <-> JS dance in such an important operation, allocating JSPromise. This patch introduces @nakedConstructor
            annotation to builtin JS. And this is propagated as `ConstructorKind::Naked`. If this kind is attached, the bytecode generator
            do not emit `op_create_this` implicitly and the constructor does not return `this` object implicitly. The naked constructor allows
            us to emit bare-metal bytecode, specifically necessary to allocate non-final JSObject from JS constructor. We introduce op_create_promise,
            which is similar to op_create_this, but it allocates JSPromise. And by using @createPromise bytecode intrinsic, we implement
            JSPromise constructor fully in JS.
            With this, we can start introducing object-allocation-sinking for JSPromise too. It is filed in [4].

        3. DFG supports for JSPromise operations

            This patch adds four DFG nodes, CreatePromise, NewPromise, GetPromiseInternalField, and PutPromiseInternalField. CreatePromise mimics CreateThis,
            and NewPromise mimics NewObject. CreatePromise can be converted to NewPromise with some condition checks and NewPromise can efficiently allocate
            promises. CreatePromise and NewPromise have `isInternalPromise` flag so that InternalPromise is also correctly handled in DFG.
            When converting CreatePromise to NewPromise, we need to get the correct structure with a specified `callee.prototype`. We mimic the mechanism
            used in CreateThis, but we use InternalFunctionAllocationProfile instead of ObjectAllocationProfile because (1) InternalFunctionAllocationProfile
            can handle non-final JSObjects and (2) we do not need to handle inline-capacity for promises. To make InternalFunctionAllocationProfile usable
            in DFG, we connect watchpoint to InternalFunctionAllocationProfile's invalidation so that DFG code can notice when InternalFunctionAllocationProfile's
            structure is invalidated: `callee.prototype` is replaced.

        4. Avoid creating unnecessary promises

            Some promises are never shown to users, and they are never rejected. One example is `await`'s promise. And some of promise creation can be avoided.
            For example, when resolving a value with `Promise.resolve`, if a value is promise and if it's `then` method is the builtin `then`, we can avoid creating
            intermediate promise. To handle these things well, we introduce `@resolveWithoutPromise`, `@rejectWithoutPromise`, and `@fulfillWithoutPromise`. They
            take `onFulfilled` and `onRejected` handlers and they do not need an intermediate promise for resolving. This removes internal promise allocations
            in major cases and makes promise / async-functions efficient. And we also expose builtin `then` function as `@then`, and insert `@isPromise(xxx) && then === @then`
            check to take a fast path. We introduced four types of promise reactions to avoid some of object allocations. And microtask reaction is handling these four types.

        5. Avoid creating resolving-functions and promise capabilities

            Resolving functions have `alreadyResolved` flag to prevent calling `resolve` and `reject` multiple times. For the first resolving function creation, this
            patch embeds one bit flag to JSPromise itself which indicates `alreadyResolved` in the first created resolving functions (resolving functions can be later
            created again for the same promise. In that case, we just create a usual resolving functions). By doing so, we avoid unnecessary resolving functions
            and promise capability allocations. We introduce a wrapper function `@resolvePromiseWithFirstResolvingFunctionCallCheck` and `@rejectPromiseWithFirstResolvingFunctionCallCheck`.
            The resolving functions which are first created with `@newPromiseCapability` can be mechanically replaced with the calls to these functions, e.g. replacing
            `promiseCapability.@resolve.@call(@undefined, value)` with `@resolvePromiseWithFirstResolvingFunctionCallCheck(promise, value)`.
            This mechanism will be used to drop JSPromiseDeferred in a separate patch.

        JetStream2/async-fs results.
            ToT:
                Running async-fs:
                    Startup: 116.279
                    Worst Case: 151.515
                    Average: 176.630
                    Score: 145.996
                    Wall time: 0:01.149

            Patched:
                Running async-fs:
                    Startup: 166.667
                    Worst Case: 267.857
                    Average: 299.080
                    Score: 237.235
                    Wall time: 0:00.683

        [1]: https://bugs.webkit.org/show_bug.cgi?id=201159
        [2]: https://bugs.webkit.org/show_bug.cgi?id=201160
        [3]: https://bugs.webkit.org/show_bug.cgi?id=201452
        [4]: https://bugs.webkit.org/show_bug.cgi?id=201158

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/wkbuiltins/builtins_generate_combined_header.py:
        (ConstructAbility):
        (ConstructorKind):
        * Scripts/wkbuiltins/builtins_generate_separate_header.py:
        * Scripts/wkbuiltins/builtins_generator.py:
        (BuiltinsGenerator.generate_embedded_code_data_for_function):
        (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/wkbuiltins/builtins_templates.py:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (next.try):
        (next):
        (return.try):
        (return):
        (throw.try):
        (throw):
        * builtins/AsyncFunctionPrototype.js:
        (globalPrivate.asyncFunctionResume):
        * builtins/AsyncGeneratorPrototype.js:
        (globalPrivate.asyncGeneratorQueueIsEmpty):
        (globalPrivate.asyncGeneratorQueueEnqueue):
        (globalPrivate.asyncGeneratorQueueDequeue):
        (globalPrivate.asyncGeneratorReject):
        (globalPrivate.asyncGeneratorResolve):
        (globalPrivate.asyncGeneratorYield):
        (onRejected):
        (globalPrivate.awaitValue):
        (onFulfilled):
        (globalPrivate.doAsyncGeneratorBodyCall):
        (globalPrivate.asyncGeneratorResumeNext):
        (globalPrivate.asyncGeneratorEnqueue):
        (globalPrivate.asyncGeneratorDequeue): Deleted.
        (const.onRejected): Deleted.
        (const.onFulfilled): Deleted.
        (globalPrivate.asyncGeneratorResumeNext.): Deleted.
        * builtins/BuiltinExecutableCreator.h:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
        (JSC::BuiltinExecutables::createDefaultConstructor):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        (JSC::BuiltinExecutables::createExecutable):
        (JSC::createBuiltinExecutable): Deleted.
        * builtins/BuiltinExecutables.h:
        * builtins/BuiltinNames.h:
        * builtins/BuiltinUtils.h:
        * builtins/ModuleLoader.js:
        (forceFulfillPromise):
        * builtins/PromiseConstructor.js:
        (nakedConstructor.Promise.resolve):
        (nakedConstructor.Promise.reject):
        (nakedConstructor.Promise):
        (nakedConstructor.InternalPromise.resolve):
        (nakedConstructor.InternalPromise.reject):
        (nakedConstructor.InternalPromise):
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseReaction):
        (globalPrivate.newPromiseCapability):
        (globalPrivate.newHandledRejectedPromise):
        (globalPrivate.triggerPromiseReactions):
        (globalPrivate.resolvePromise):
        (globalPrivate.rejectPromise):
        (globalPrivate.fulfillPromise):
        (globalPrivate.resolvePromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.rejectPromiseWithFirstResolvingFunctionCallCheck):
        (globalPrivate.createResolvingFunctions.resolve):
        (globalPrivate.createResolvingFunctions.reject):
        (globalPrivate.createResolvingFunctions):
        (globalPrivate.promiseReactionJobWithoutPromise):
        (globalPrivate.resolveWithoutPromise):
        (globalPrivate.rejectWithoutPromise):
        (globalPrivate.fulfillWithoutPromise):
        (resolve):
        (reject):
        (globalPrivate.createResolvingFunctionsWithoutPromise):
        (globalPrivate.promiseReactionJob):
        (globalPrivate.promiseResolveThenableJobFast):
        (globalPrivate.promiseResolveThenableJobWithoutPromiseFast):
        (globalPrivate.promiseResolveThenableJob):
        (globalPrivate.isPromise): Deleted.
        (globalPrivate.newPromiseCapability.executor): Deleted.
        (globalPrivate.initializePromise): Deleted.
        * builtins/PromisePrototype.js:
        (then):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        * bytecode/Opcode.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromClassInfo):
        (JSC::speculationFromJSType):
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitGetPromiseInternalField):
        (JSC::BytecodeGenerator::emitPutPromiseInternalField):
        (JSC::BytecodeGenerator::emitCreatePromise):
        (JSC::BytecodeGenerator::emitNewPromise):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::promiseRegister):
        (JSC::BytecodeGenerator::emitIsPromise):
        (JSC::BytecodeGenerator::promiseCapabilityRegister): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::promiseInternalFieldIndex):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putPromiseInternalField):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_isPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_createPromise):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_newPromise):
        (JSC::FunctionNode::emitBytecode):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToNewPromise):
        (JSC::DFG::Node::hasIsInternalPromise):
        (JSC::DFG::Node::isInternalPromise):
        (JSC::DFG::Node::hasInternalFieldIndex):
        (JSC::DFG::Node::internalFieldIndex):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasStructure):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPromotedHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::speculatePromiseObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileGetPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compilePutPromiseInternalField):
        (JSC::DFG::SpeculativeJIT::compileCreatePromise):
        (JSC::DFG::SpeculativeJIT::compileNewPromise):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewPromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreatePromise):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPromiseInternalField):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculatePromiseObject):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_promise_internal_field):
        (JSC::JIT::emit_op_put_promise_internal_field):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstructAbility.h:
        * runtime/ConstructorKind.h: Copied from Source/JavaScriptCore/runtime/ConstructAbility.h.
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::FunctionRareData):
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::clear):
        * runtime/FunctionRareData.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructureSlow):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/JSCast.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::enqueueJob):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayProtoValuesFunction const):
        (JSC::JSGlobalObject::promiseProtoThenFunction const):
        (JSC::JSGlobalObject::initializePromiseFunction const): Deleted.
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::createStructure):
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::create):
        (JSC::JSInternalPromiseConstructor::createStructure):
        (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
        (JSC::constructPromise): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSInternalPromisePrototype.cpp:
        (JSC::JSInternalPromisePrototype::create):
        * runtime/JSMicrotask.cpp:
        (JSC::createJSMicrotask):
        (JSC::JSMicrotask::run):
        * runtime/JSMicrotask.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::createStructure):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::status const):
        (JSC::JSPromise::result const):
        (JSC::JSPromise::isHandled const):
        (JSC::JSPromise::initialize): Deleted.
        * runtime/JSPromise.h:
        (JSC::JSPromise::allocationSize):
        (JSC::JSPromise::offsetOfInternalFields):
        (JSC::JSPromise::offsetOfInternalField):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::create):
        (JSC::JSPromiseConstructor::createStructure):
        (JSC::JSPromiseConstructor::JSPromiseConstructor):
        (JSC::JSPromiseConstructor::finishCreation):
        (JSC::constructPromise): Deleted.
        (JSC::callPromise): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::create):
        (JSC::JSPromisePrototype::finishCreation):
        (JSC::JSPromisePrototype::addOwnInternalSlots):
        * runtime/JSPromisePrototype.h:
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:

2019-09-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Local Overrides - Provide substitution content for resource loads (URL based)
        https://bugs.webkit.org/show_bug.cgi?id=201262
        <rdar://problem/13108764>

        Reviewed by Devin Rousso.

        When interception is enabled, Network requests that match any of the configured
        interception patterns will be paused on the backend and allowed to be modified
        by the frontend.

        Currently the only time a network request can be intercepted is during the
        HTTP response. However, this intercepting interface is mean to extend to
        HTTP requests as well.

        When a response is to be intercepted a new event is sent to the frontend:

          `Network.responseIntercepted` event

        With a `requestId` to identify that network request. The frontend
        must respond with one of the following commands to continue:

          `Network.interceptContinue`     - proceed with the response unmodified
          `Network.interceptWithResponse` - provide a response

        The response is paused in the meantime.

        * inspector/protocol/Network.json:
        New interfaces for intercepting network responses and suppling override content.

        * Scripts/generate-combined-inspector-json.py:
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification.load_specification):
        Complete allowing comments in JSON protocol files.

        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator._generate_invocation_for_command):
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        Allow optional enums in ObjC interfaces.

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Structure::storedPrototype() and storedPrototypeObject() should assert with isCompilationThread(), not !isMainThread().
        https://bugs.webkit.org/show_bug.cgi?id=201449

        Reviewed by Yusuke Suzuki.

        Using !isMainThread() in the assertion also disables the assertion for the mutator
        of worker threads.  This is not what we intended.

        * runtime/StructureInlines.h:
        (JSC::Structure::storedPrototype const):
        (JSC::Structure::storedPrototypeObject const):

2019-09-04  Mark Lam  <mark.lam@apple.com>

        Disambiguate a symbol used in JSDollarVM.
        https://bugs.webkit.org/show_bug.cgi?id=201466
        <rdar://problem/51826672>

        Reviewed by Tadeu Zagallo.

        This was causing a build issue on some internal build.

        * tools/JSDollarVM.cpp:

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
        https://bugs.webkit.org/show_bug.cgi?id=201309
        <rdar://problem/54832121>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * runtime/JSArrayBufferView.h:
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::possiblySharedBufferImpl):
        (JSC::JSArrayBufferView::possiblySharedBuffer):
        (JSC::JSArrayBufferView::byteOffsetImpl):
        (JSC::JSArrayBufferView::byteOffset):
        (JSC::JSArrayBufferView::byteOffsetConcurrently):

2019-09-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: implement blackboxing of script resources
        https://bugs.webkit.org/show_bug.cgi?id=17240
        <rdar://problem/5732847>

        Reviewed by Joseph Pecoraro.

        When a script is blackboxed and the debugger attempts to pause in that script, the pause
        reason/data will be saved and execution will continue until it has left the blackboxed
        script. Once outside, execution is paused with the saved reason/data.

        This is especially useful when debugging issues using libraries/frameworks, as it allows the
        developer to "skip" the internal logic of the library/framework and instead focus only on
        how they're using it.

        * inspector/protocol/Debugger.json:
        Add `setShouldBlackboxURL` command.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::enable):
        (Inspector::InspectorDebuggerAgent::updatePauseReasonAndData): Added.
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::cancelPauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::setShouldBlackboxURL): Added.
        (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::didPause):
        (Inspector::InspectorDebuggerAgent::didContinue):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearPauseDetails): Added.
        (Inspector::InspectorDebuggerAgent::clearBreakDetails): Deleted.
        Renamed "break" to "pause" to match `Debugger` naming.

        * debugger/Debugger.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::setBlackboxType): Added.
        (JSC::Debugger::clearBlackbox): Added.
        (JSC::Debugger::isBlacklisted const): Deleted.
        (JSC::Debugger::addToBlacklist): Deleted.
        (JSC::Debugger::clearBlacklist): Deleted.

2019-09-03  Mark Lam  <mark.lam@apple.com>

        Remove the need to pass performJITMemcpy as a pointer.
        https://bugs.webkit.org/show_bug.cgi?id=201413

        Reviewed by Michael Saboff.

        We want performJITMemcpy to always be inlined.  In this patch, we also clean up
        some template parameters to use enums instead of booleans to better document the
        intent of the code.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::fillNops):
        (JSC::ARM64Assembler::linkJump):
        (JSC::ARM64Assembler::linkCall):
        (JSC::ARM64Assembler::relinkJump):
        (JSC::ARM64Assembler::relinkCall):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::relinkJumpOrCall):
        (JSC::ARM64Assembler::CopyFunction::CopyFunction): Deleted.
        (JSC::ARM64Assembler::CopyFunction::operator()): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::fillNops):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT2):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkJumpT4):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkBX):
        (JSC::ARMv7Assembler::linkConditionalBX):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::emitNops):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::fillNops):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::link):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::link):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        * jit/ExecutableAllocator.h:
        (JSC::performJITMemcpy):
        * runtime/JSCPtrTag.h:

2019-09-03  Devin Rousso  <drousso@apple.com>

        REGRESSION (r249078): Flaky crash in com.apple.JavaScriptCore: Inspector::InjectedScriptModule::ensureInjected
        https://bugs.webkit.org/show_bug.cgi?id=201201
        <rdar://problem/54771560>

        Reviewed by Joseph Pecoraro.

        * inspector/InjectedScriptSource.js:
        (let.InjectedScript.prototype.injectModule):
        (let.InjectedScript.prototype._evaluateOn):
        (CommandLineAPI):
        (let.InjectedScript.prototype.setInspectObject): Deleted.
        (let.InjectedScript.prototype.addCommandLineAPIGetter): Deleted.
        (let.InjectedScript.prototype.addCommandLineAPIMethod.func.toString): Deleted.
        (let.InjectedScript.prototype.addCommandLineAPIMethod): Deleted.
        (InjectedScript.CommandLineAPI): Deleted.
        Allow injected script "extensions" (e.g. CommandLineAPIModuleSource.js) to modify objects
        directly, instead of having them call functions.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        Make sure to reset `hadException` to `false` before making another call.

2019-09-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove BytecodeGenerator::emitPopScope
        https://bugs.webkit.org/show_bug.cgi?id=201395

        Reviewed by Saam Barati.

        Use emitGetParentScope. And this patch also removes several unnecessary mov bytecode emissions.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration):
        (JSC::BytecodeGenerator::emitPopWithScope):
        (JSC::BytecodeGenerator::emitPopScope): Deleted.
        * bytecompiler/BytecodeGenerator.h:

2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Merge op_check_traps into op_enter and op_loop_hint
        https://bugs.webkit.org/show_bug.cgi?id=201373

        Reviewed by Mark Lam.

        This patch removes op_check_traps. Previously we were conditionally emitting op_check_traps based on Options and Platform configurations.
        But now we are always emitting op_check_traps. So it is not necessary to have separate bytecode as op_check_traps. We can do checking in
        op_enter and op_loop_hint.

        While this patch moves check_traps implementation to op_enter and op_loop_hint, we keep separate DFG nodes (CheckTraps or InvalidationPoint),
        since inserted nodes are different based on configurations and options. And emitting multiple DFG nodes from one bytecode is easy.

        We also inline op_enter's slow path's write-barrier emission in LLInt.

        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoopHint):
        (JSC::BytecodeGenerator::emitCheckTraps): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::emitEnterOptimizationCheck): Deleted.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emitSlow_op_enter):
        (JSC::JIT::emit_op_check_traps): Deleted.
        (JSC::JIT::emitSlow_op_check_traps): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter): Deleted.
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:

2019-09-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Fix testb3 debug failures
        https://bugs.webkit.org/show_bug.cgi?id=201382

        Reviewed by Mark Lam.

        Fix testb3 debug failures due to incorrect types of operations like pointer + int32.

        * b3/testb3_8.cpp:
        (testByteCopyLoop):
        (testByteCopyLoopStartIsLoopDependent):
        (testByteCopyLoopBoundIsLoopDependent):

2019-09-01  Mark Lam  <mark.lam@apple.com>

        Speculative build fix for ARMv7 and MIPS.
        https://bugs.webkit.org/show_bug.cgi?id=201389

        Not reviewed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] LLInt op should not emit the same code three times
        https://bugs.webkit.org/show_bug.cgi?id=201370

        Reviewed by Mark Lam.

        LLInt op macro (not llintOp macro) is used to generate some stub code like llint_program_prologue.
        But now it generates the same code three times for narrow, wide16, and wide32. We should emit code only once.

        * llint/LowLevelInterpreter.asm:

2019-08-30  Mark Lam  <mark.lam@apple.com>

        Remove some obsolete statements that have no effect.
        https://bugs.webkit.org/show_bug.cgi?id=201357

        Reviewed by Saam Barati.

        This patch removes 3 statements that look like this:

            result->butterfly(); // Ensure that the butterfly is in to-space.

        The statement just reads a field and does nothing with it.  This is a no-op
        logic-wise, and the comment that accompanies it is obsolete.

        * dfg/DFGOperations.cpp:

2019-08-30  Mark Lam  <mark.lam@apple.com>

        Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
        https://bugs.webkit.org/show_bug.cgi?id=201345

        Reviewed by Yusuke Suzuki.

        This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
        the wrong pointer for capture the cell headerWord and zapReason.  As a result,
        we get junk for those 2 values.

        Previously, we were only capturing the upper 32-bits of the cell header slot,
        and the lower 32-bit of the next slot in the zapped cell.  We now capture the
        full 64-bits of both slots.  If the second slot did not contain a zapReason as we
        expect, the upper 32-bits might give us a clue as to what type of value the slot
        contains.

        This patch also adds capturing of the found MarkedBlock address for the zapped
        cell, as well as some state bit values.

        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::reportZappedCellAndCrash):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Generate new.target register only when it is used
        https://bugs.webkit.org/show_bug.cgi?id=201335

        Reviewed by Mark Lam.

        Since bytecode generator knows whether new.target register can be used, we should emit and use new.target register
        only when it is actually required.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::newTarget):
        * parser/Nodes.h:
        (JSC::ScopeNode::needsNewTargetRegisterForThisScope const):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
        https://bugs.webkit.org/show_bug.cgi?id=201331

        Reviewed by Mark Lam.

        SimpleJumpTable's non-JIT part is not changed after CodeBlock is finalized well. On the other hand, JIT related part is allocated on-demand.
        For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.

            1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
            2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable

        Then, (1) reads the broken Vector, and crashes. Since JIT-related part is unnecessary in (1), we should not clone that.
        This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies non JIT-related part of the given SimpleJumpTable offered
        by profiled CodeBlock.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
        * bytecode/JumpTable.h:
        (JSC::SimpleJumpTable::cloneNonJITPart const):
        (JSC::SimpleJumpTable::clear):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

2019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
        https://bugs.webkit.org/show_bug.cgi?id=201332

        Reviewed by Mark Lam.

        When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
        that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
        does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):

2019-08-29  Devin Rousso  <drousso@apple.com>

        Web Inspector: Debugger: async event listener stack traces should be available in Workers
        https://bugs.webkit.org/show_bug.cgi?id=200903

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorDebuggerAgent.h:
        (Inspector::InspectorDebuggerAgent::enabled): Added.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorDebuggerAgent::enable):
        (Inspector::InspectorDebuggerAgent::disable):
        Allow subclasses to extend what it means for the `InspectorDebuggerAgent` to be `enabled`.

2019-08-29  Keith Rollin  <krollin@apple.com>

        Update .xcconfig symbols to reflect the current set of past and future product versions.
        https://bugs.webkit.org/show_bug.cgi?id=200720
        <rdar://problem/54305032>

        Reviewed by Alex Christensen.

        Remove version symbols related to old OS's we no longer support,
        ensure that version symbols are defined for OS's we do support.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/Version.xcconfig:

2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Repatch should construct CallCases and CasesValue at the same time
        https://bugs.webkit.org/show_bug.cgi?id=201325

        Reviewed by Saam Barati.

        In linkPolymorphicCall, we should create callCases and casesValue at the same time to assert `callCases.size() == casesValue.size()`.
        If the call variant is isClosureCall and InternalFunction, we skip adding it to casesValue. So we should not add this variant to callCases too.

        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2019-08-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ObjectAllocationSinkingPhase wrongly deals with always-taken branches during interpretation
        https://bugs.webkit.org/show_bug.cgi?id=198650

        Reviewed by Saam Barati.

        Object Allocation Sinking phase has a lightweight abstract interpreter which interprets DFG nodes related to allocations and properties.
        This interpreter is lightweight since it does not track abstract values and conditions as deeply as AI does. It can happen that this
        interpreter interpret the control-flow edge that AI proved that is never taken.
        AI already knows some control-flow edges are never taken, and based on this information, AI can remove CheckStructure nodes. But
        ObjectAllocationSinking phase can trace this never-taken edges and propagate structure information that contradicts to the analysis
        done in ObjectAllocationSinking.

        Let's see the example.

            BB#0
                35: NewObject([%AM:Object])
                ...
                47: Branch(ConstantTrue, T:#1, F:#2)

            BB#1 // This basic block is never taken due to @47's jump.
                ...
                71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
                72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
                ...
                XX: Jump(#2)

            BB#2
                ...
                92: CheckStructure(@35, [%Dx:Object])
                93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
                ...

        AI removes @92 because AI knows BB#0 only takes BB#1 branch. @35's Structure is always %Dx so @92 is redundant.
        AI proved that @71 and @72 are always executed while BB#0 -> BB#2 edge is never taken so that @35 object's structure is proven at @92.
        After AI removes @92, ObjectAllocationSinking starts looking into this graph.

            BB#0
                35: NewObject([%AM:Object])
                ...
                47: Branch(ConstantTrue, T:#1, F:#2)

            BB#1 // This basic block is never taken due to @47's jump.
                ...
                71: PutByOffset(@35, @66, id2{a}, 0, W:NamedProperties(2))
                72: PutStructure(@35, %AM:Object -> %Dx:Object, ID:60066)
                ...
                XX: Jump(#2)

            BB#2
                ...
                93: PutByOffset(@35, @35, id2{a}, 0, W:NamedProperties(2))
                ...
                YY: Jump(#3)

            BB#3
                ...
                ZZ: <HERE> want to materialize @35's sunk object.

        Since AI does not change the @47 Branch to Jump (it is OK anyway), BB#0 -> BB#2 edge remains and ObjectAllocationSinking phase propagates information in
        BB#0's %AM structure information to BB#2. ObjectAllocationSinking phase converts @35 to PhantomNewObject, removes PutByOffset and PutStructure, and
        insert MaterializeNewObject in @ZZ. At this point, ObjectAllocationSinking lightweight interpreter gets two structures while AI gets one: @35's original
        one (%AM) and @72's replaced one (%Dx). Since AI already proved @ZZ only gets %Dx, AI removed @92 CheckStructure. But this is not known to ObjectAllocationSinking
        phase's interpretation. So when creating recovery data, MultiPutByOffset includes two structures, %AM and %Dx. This is OK since MultiPutByOffset takes
        conservative set of structures and performs switching. But the problem here is that %AM's id2{a} offset is -1 since %AM does not have such a property.
        So when creating MultiPutByOffset in ObjectAllocationSinking, we accidentally create MultiPutByOffset with -1 offset data, and lowering phase hits the debug
        assertion.

            187: MultiPutByOffset(@138, @138, id2{a}, <Replace: [%AM:Object], offset = -1, >, <Replace: [%Dx:Object], offset = 0, >)

        This bug is harmless since %AM structure comparison never meets at runtime. But we are not considering the case including `-1` offset property in MultiPutByOffset data.
        In this patch, we just filter out apparently wrong structures when creating MultiPutByOffset in ObjectAllocationSinking. This is OK since it never comes at runtime.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2019-08-29  Devin Rousso  <drousso@apple.com>

        Web Inspector: DOMDebugger: support event breakpoints in Worker contexts
        https://bugs.webkit.org/show_bug.cgi?id=200651

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOMDebugger.json:
        Make the domain available in "worker" contexts as well.

2019-08-29  Keith Rollin  <krollin@apple.com>

        Remove 32-bit macOS support
        https://bugs.webkit.org/show_bug.cgi?id=201282
        <rdar://problem/54821667>

        Reviewed by Anders Carlsson.

        WebKit doesn’t support 32-bit Mac any more, so remove checks and code
        for that platform.

        * API/JSBase.h:
        * runtime/VM.h:

2019-08-29  Keith Rollin  <krollin@apple.com>

        Remove support for macOS < 10.13 (part 3)
        https://bugs.webkit.org/show_bug.cgi?id=201224
        <rdar://problem/54795934>

        Reviewed by Darin Adler.

        Remove symbols in WebKitTargetConditionals.xcconfig related to macOS
        10.13, including WK_MACOS_1013 and WK_MACOS_BEFORE_1013, and suffixes
        like _MACOS_SINCE_1013.

        * Configurations/WebKitTargetConditionals.xcconfig:

2019-08-29  Mark Lam  <mark.lam@apple.com>

        Remove a bad assertion in ByteCodeParser::inlineCall().
        https://bugs.webkit.org/show_bug.cgi?id=201292
        <rdar://problem/54121659>

        Reviewed by Michael Saboff.

        In the DFG bytecode parser, we've already computed the inlining cost of a candidate
        inlining target, and determine that it is worth inlining before invoking
        ByteCodeParser::inlineCall().  However, in ByteCodeParser::inlineCall(), it
        recomputes the inlining cost again only for the purpose of asserting that it isn't
        too high.

        Not consider a badly written test that does the following:

            function bar() {
                ...
                foo(); // Call in a hot loop here.
                ...
            }

            bar(); // <===== foo is inlineable into bar here.
            noInline(foo); // <===== Change mind, and make foo not inlineable.
            bar();

        With this bad test, the following racy scenario can occur:

        1. the first invocation of bar() gets hot, and a concurrent compile is kicked off.
        2. the compiler thread computes foo()'s inliningCost() and determines that it is
           worthy to be inlined, and will imminently call inlineCall().
        3. the mutator calls the noInline() test utility on foo(), thereby making it NOT
           inlineable.
        4. the compiler thread calls inlineCall().  In inlineCall(), it re-computes the
           inliningCost for foo() and now finds that it is not inlineable.  An assertion
           failure follows.

        Technically, the test is in error because noInline() shouldn't be used that way.
        However, fuzzers that are not clued into noInline()'s proper usage may generate
        code like this.

        On the other hand, ByteCodeParser::inlineCall() should not be recomputing that the
        inlining cost and asserting on it.  The only reason inlineCall() is invoked is
        because it was already previously determined that a target function is inlineable
        based on its inlining cost.  Today, in practice, I don't think we have any real
        world condition where the mutator can affect the inlining cost of a target
        function midway through execution.  So, this assertion isn't a problem if no one
        writes a test that abuses noInline().  However, should things change such that the
        mutator is able to affect the inlining cost of a target function, then it is
        incorrect for the compiler to assume that the inlining cost is immutable.  Once
        the compiler decides to inline a function, it should just follow through.

        This patch removes this assertion in ByteCodeParser::inlineCall().  It is an
        annoyance at best (for fuzzers), and at worst, incorrect if the mutator gains the
        ability to affect the inlining cost of a target function.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inlineCall):

2019-08-28  Mark Lam  <mark.lam@apple.com>

        DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.
        https://bugs.webkit.org/show_bug.cgi?id=201281
        <rdar://problem/54028228>

        Reviewed by Yusuke Suzuki and Saam Barati.

        This (see title above) is already the preferred idiom used in most places in our
        compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
        compileStringCharAt().  Consider the following:

            bool prototypeChainIsSane = false;
            if (globalObject->stringPrototypeChainIsSane()) {
                ...
                m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
                m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));

                prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
            }

        What's essential for correctness here is that the stringPrototype and objectPrototype
        structures be loaded before the loads in the second stringPrototypeChainIsSane()
        check.  Without a loadLoadFence before the second stringPrototypeChainIsSane()
        check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom
        for doing this right is to pre-load the structures first, do a loadLoadFence, and
        then do the IsSane check just once after e.g.

            Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
            Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);

            if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
                && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
                && globalObject->arrayPrototypeChainIsSane()) {

                m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
                m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
                ...
            }

        This patch changes DFG's SpeculativeJIT::compileGetByValOnString() and FTL's
        compileStringCharAt() to follow the same idiom.

        We also fix a bad assertion in Structure::storedPrototype() and
        Structure::storedPrototypeObject().  The assertion is only correct when those
        methods are called from the mutator thread.  The assertion has been updated to
        only check its test condition if the current thread is the mutator thread.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        * runtime/StructureInlines.h:
        (JSC::Structure::storedPrototype const):
        (JSC::Structure::storedPrototypeObject const):

2019-08-28  Mark Lam  <mark.lam@apple.com>

        Placate exception check validation in DFG's operationHasGenericProperty().
        https://bugs.webkit.org/show_bug.cgi?id=201245
        <rdar://problem/54777512>

        Reviewed by Robin Morisset.

        * dfg/DFGOperations.cpp:

2019-08-28  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed. Restabilize non-unified build.

        * runtime/PropertySlot.h:

2019-08-28  Mark Lam  <mark.lam@apple.com>

        Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.
        https://bugs.webkit.org/show_bug.cgi?id=201006
        <rdar://problem/52053991>

        Reviewed by Yusuke Suzuki.

        We already ensured that it is not possible to overflow in Wasm::FunctionParser's
        parse().  It is unnecessary and misleading to do those overflow checks in
        AirIRGenerator and B3IRGenerator.  The only check that is necessary is that
        m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory
        situation.

        This patch changes these unnecessary checks to assertions instead.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addLocal):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addLocal):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addLocal):

2019-08-28  Keith Rollin  <krollin@apple.com>

        Remove support for macOS < 10.13 (part 2)
        https://bugs.webkit.org/show_bug.cgi?id=201197
        <rdar://problem/54759985>

        Update conditionals that reference WK_MACOS_1013 and suffixes like
        _MACOS_SINCE_1013, assuming that we're always building on 10.13 or
        later and that these conditionals are always True or False.

        See Bug 200694 for earlier changes in this area.

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2019-08-28  Mark Lam  <mark.lam@apple.com>

        Gardening: Rebase test results after r249175.
        https://bugs.webkit.org/show_bug.cgi?id=201172

        Not reviewed.

        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:

2019-08-27  Michael Saboff  <msaboff@apple.com>

        Update PACCage changes for builds without Gigacage, but with signed pointers
        https://bugs.webkit.org/show_bug.cgi?id=201202

        Reviewed by Saam Barati.

        Factored out the untagging of pointers and added that to both the Gigacage enabled
        and disabled code paths.  Did this for the LLInt as well as the JITs.

        * JavaScriptCore.xcodeproj/project.pbxproj: Added arm64e.rb to offlineasm file list.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * llint/LowLevelInterpreter64.asm:

2019-08-27  Mark Lam  <mark.lam@apple.com>

        Refactor to use VM& instead of VM* at as many places as possible.
        https://bugs.webkit.org/show_bug.cgi?id=201172

        Reviewed by Yusuke Suzuki.

        Using VM& documents more clearly that the VM pointer is expected to never be null
        in most cases.  There are a few places where it can be null (e.g JSLock, and
        DFG::Plan).  Those will be left using a VM*.

        Also converted some uses of ExecState* to using VM& instead since the ExecState*
        is only there to fetch the VM pointer.  Doing this also reduces the number of
        times we have to compute VM* from ExecState*.

        This patch is not exhaustive in converting to use VM&, but applies the change to
        many commonly used pieces of code for a start.

        Also fixed a missing exception check in JSString::toIdentifier() and
        JSValue::toPropertyKey() exposed by this patch.

        * API/APICast.h:
        (toJS):
        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderResolve):
        (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
        (JSC::JSAPIGlobalObject::loadAndEvaluateJSScriptModule):
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::asCallbackObject):
        (JSC::JSCallbackObject<Parent>::~JSCallbackObject):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deletePropertyByIndex):
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        * API/JSContext.mm:
        (-[JSContext dependencyIdentifiersForModuleJSScript:]):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (classInfoPrivate):
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameAccumulatorAddName):
        (JSObjectGetProxyTarget):
        * API/JSScriptRef.cpp:
        (parseScript):
        * API/JSValueRef.cpp:
        (JSValueMakeString):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier const):
        * API/glib/JSCContext.cpp:
        (jsc_context_check_syntax):
        * KeywordLookupGenerator.py:
        (Trie.printSubTreeAsC):
        * Scripts/wkbuiltins/builtins_generate_wrapper_header.py:
        (BuiltinsWrapperHeaderGenerator.generate_constructor):
        * Scripts/wkbuiltins/builtins_templates.py:
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument):
        (Deprecated::ScriptFunctionCall::call):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::getPublicName const):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::vm const):
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
        (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
        (JSC::BytecodeGeneratorification::run):
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::sentinelMapBucketValue):
        (JSC::BytecodeIntrinsicRegistry::sentinelSetBucketValue):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::internalFunction const):
        (JSC::CallVariant::function const):
        (JSC::CallVariant::isClosureCall const):
        (JSC::CallVariant::executable const):
        (JSC::CallVariant::functionExecutable const):
        (JSC::CallVariant::nativeExecutable const):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        (JSC::CodeBlock::setNumParameters):
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::replacement):
        (JSC::CodeBlock::computeCapabilityLevel):
        (JSC::CodeBlock::noticeIncomingCall):
        (JSC::CodeBlock::nameForRegister):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm const):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        * bytecode/DeferredSourceDump.cpp:
        (JSC::DeferredSourceDump::DeferredSourceDump):
        * bytecode/EvalCodeBlock.h:
        * bytecode/FunctionCodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/GlobalCodeBlock.h:
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        * bytecode/ModuleProgramCodeBlock.h:
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
        * bytecode/PolyProtoAccessChain.cpp:
        (JSC::PolyProtoAccessChain::create):
        * bytecode/ProgramCodeBlock.h:
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isWatchableWhenValid const):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initGetByIdSelf):
        (JSC::StructureStubInfo::initPutByIdReplace):
        (JSC::StructureStubInfo::initInByIdSelf):
        (JSC::StructureStubInfo::addAccessCase):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addSetConstant):
        (JSC::UnlinkedCodeBlock::addConstant):
        (JSC::UnlinkedCodeBlock::addFunctionDecl):
        (JSC::UnlinkedCodeBlock::addFunctionExpr):
        * bytecode/UnlinkedEvalCodeBlock.h:
        * bytecode/UnlinkedFunctionCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::generateUnlinkedFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/UnlinkedGlobalCodeBlock.h:
        (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock):
        * bytecode/UnlinkedModuleProgramCodeBlock.h:
        * bytecode/UnlinkedProgramCodeBlock.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::pushLexicalScopeInternal):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::addBigIntConstant):
        (JSC::BytecodeGenerator::addTemplateObjectConstant):
        (JSC::BytecodeGenerator::emitNewDefaultConstructor):
        (JSC::BytecodeGenerator::emitSetFunctionNameIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::vm const):
        (JSC::BytecodeGenerator::propertyNames const):
        (JSC::BytecodeGenerator::emitNodeInTailPosition):
        (JSC::BytecodeGenerator::emitDefineClassElements):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        (JSC::ArrayNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
        (JSC::InstanceOfNode::emitBytecode):
        * debugger/Debugger.cpp:
        * debugger/DebuggerParseData.cpp:
        (JSC::gatherDebuggerParseData):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::next):
        (JSC::DebuggerScope::name const):
        (JSC::DebuggerScope::location const):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
        * dfg/DFGFrozenValue.h:
        (JSC::DFG::FrozenValue::FrozenValue):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::emitStackOverflowCheck):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::exceptionCheck):
        (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
        (JSC::DFG::JITCompiler::fastExceptionCheck):
        (JSC::DFG::JITCompiler::vm):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue const):
        (JSC::DFG::LazyJSValue::emit const):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        * dfg/DFGOSRExitCompilerCommon.h:
        (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::binaryOp):
        (JSC::DFG::bitwiseBinaryOp):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileStringSlice):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
        (JSC::DFG::SpeculativeJIT::emitStringBranch):
        (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArray):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        (JSC::DFG::SpeculativeJIT::compileTypeOf):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileNewRegexp):
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        (JSC::DFG::SpeculativeJIT::compileStringReplace):
        (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
        (JSC::DFG::SpeculativeJIT::compileObjectKeys):
        (JSC::DFG::SpeculativeJIT::compileCreateThis):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
        (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        (JSC::DFG::SpeculativeJIT::compileProfileType):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::vm):
        (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitThunkGenerator):
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::visitWeakReferences):
        * dynbench.cpp:
        (main):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
        * ftl/FTLThunks.h:
        * heap/CellContainer.h:
        * heap/CellContainerInlines.h:
        (JSC::CellContainer::vm const):
        (JSC::CellContainer::heap const):
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::tryAllocateSlow):
        (JSC::CompleteSubspace::reallocateLargeAllocationNonVirtual):
        * heap/GCActivityCallback.h:
        * heap/GCAssertions.h:
        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        * heap/HandleSet.h:
        (JSC::HandleSet::vm):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::releaseDelayedReleasedObjects):
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::finalizeMarkedUnconditionalFinalizers):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::isAnalyzingHeap const):
        (JSC::Heap::gatherExtraHeapData):
        (JSC::Heap::protectedObjectTypeCounts):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::checkConn):
        (JSC::Heap::runEndPhase):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::finalize):
        (JSC::Heap::requestCollection):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        * heap/HeapCell.h:
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::heap const):
        (JSC::HeapCell::vm const):
        * heap/HeapInlines.h:
        (JSC::Heap::vm const):
        * heap/IsoSubspacePerVM.cpp:
        (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace):
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::sweep):
        (JSC::LargeAllocation::assertValidCell const):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::vm const):
        * heap/LocalAllocator.cpp:
        (JSC::LocalAllocator::allocateSlowCase):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::aboutToMarkSlow):
        (JSC::MarkedBlock::assertMarksNotStale):
        (JSC::MarkedBlock::areMarksStale):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::assertValidCell const):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::vm const):
        (JSC::MarkedBlock::vm const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::heap const):
        (JSC::MarkedBlock::Handle::specializedSweep):
        * heap/SlotVisitor.cpp:
        (JSC::validate):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::vm):
        (JSC::SlotVisitor::vm const):
        * heap/StopIfNecessaryTimer.cpp:
        (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer):
        * heap/StopIfNecessaryTimer.h:
        * heap/Strong.h:
        (JSC::Strong::operator=):
        * heap/WeakSet.h:
        (JSC::WeakSet::WeakSet):
        (JSC::WeakSet::vm const):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::savedResultAlias const):
        (Inspector::JSInjectedScriptHost::internalConstructorName):
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        (Inspector::JSInjectedScriptHost::queryInstances):
        (Inspector::JSInjectedScriptHost::queryHolders):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::valueForScopeLocation):
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
        (Inspector::JSJavaScriptCallFrame::functionName const):
        (Inspector::JSJavaScriptCallFrame::type const):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/agents/InspectorAuditAgent.cpp:
        (Inspector::InspectorAuditAgent::populateAuditObject):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::gc):
        * interpreter/FrameTracers.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
        (JSC::StackVisitor::Frame::computeLineAndColumn const):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitDumbVirtualCall):
        (JSC::AssemblyHelpers::emitConvertValueToBoolean):
        (JSC::AssemblyHelpers::branchIfValue):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::vm):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        * jit/JITOperations.cpp:
        (JSC::operationNewFunctionCommon):
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        (JSC::JITThunks::ctiNativeTailCall):
        (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Plan::vm):
        (JSC::JITWorklist::completeAllForVM):
        (JSC::JITWorklist::poll):
        (JSC::JITWorklist::compileLater):
        (JSC::JITWorklist::compileNow):
        * jit/Repatch.cpp:
        (JSC::readPutICCallTarget):
        (JSC::ftlThunkAwareRepatchCall):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkDirectFor):
        (JSC::revertCall):
        (JSC::unlinkFor):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        * jit/ThunkGenerator.h:
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkCallThunkGenerator):
        (JSC::linkPolymorphicCallThunkGenerator):
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        (JSC::arityFixupGenerator):
        (JSC::unreachableGenerator):
        (JSC::stringGetByValGenerator):
        (JSC::charToString):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::clz32ThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::truncThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::imulThunkGenerator):
        (JSC::randomThunkGenerator):
        (JSC::boundThisNoArgsFunctionCallGenerator):
        * jit/ThunkGenerators.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        (GlobalObject::moduleLoaderImportModule):
        (GlobalObject::moduleLoaderResolve):
        (GlobalObject::moduleLoaderCreateImportMetaProperties):
        (functionDescribe):
        (functionDescribeArray):
        (JSCMemoryFootprint::addProperty):
        (functionRun):
        (functionRunString):
        (functionReadFile):
        (functionCallerSourceOrigin):
        (functionReadline):
        (functionDollarCreateRealm):
        (functionDollarEvalScript):
        (functionDollarAgentGetReport):
        (functionWaitForReport):
        (functionJSCOptions):
        (functionCheckModuleSyntax):
        (functionGenerateHeapSnapshotForGCDebugging):
        (functionWebAssemblyMemoryMode):
        (dumpException):
        (checkUncaughtException):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/ModuleAnalyzer.cpp:
        (JSC::ModuleAnalyzer::ModuleAnalyzer):
        * parser/ModuleAnalyzer.h:
        (JSC::ModuleAnalyzer::vm):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::isArrowFunctionParameters):
        (JSC::Parser<LexerType>::parseSourceElements):
        (JSC::Parser<LexerType>::parseModuleSourceElements):
        (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseSingleFunction):
        (JSC::Parser<LexerType>::parseStatementListItem):
        (JSC::Parser<LexerType>::parseObjectRestAssignmentElement):
        (JSC::Parser<LexerType>::parseAssignmentElement):
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseForStatement):
        (JSC::Parser<LexerType>::parseBreakStatement):
        (JSC::Parser<LexerType>::parseContinueStatement):
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::maybeParseAsyncFunctionDeclarationStatement):
        (JSC::Parser<LexerType>::createGeneratorParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClassDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseImportClauseItem):
        (JSC::Parser<LexerType>::parseImportDeclaration):
        (JSC::Parser<LexerType>::parseExportSpecifier):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseAssignmentExpression):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseObjectLiteral):
        (JSC::Parser<LexerType>::parseStrictObjectLiteral):
        (JSC::Parser<LexerType>::parseClassExpression):
        (JSC::Parser<LexerType>::parseFunctionExpression):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        (JSC::Parser<LexerType>::parseMemberExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):
        (JSC::Parser<LexerType>::parseUnaryExpression):
        * parser/Parser.h:
        (JSC::isArguments):
        (JSC::isEval):
        (JSC::isEvalOrArgumentsIdentifier):
        (JSC::Scope::Scope):
        (JSC::Scope::declareParameter):
        (JSC::Scope::setInnerArrowFunctionUsesEvalAndUseArgumentsIfNeeded):
        (JSC::Scope::collectFreeVariables):
        (JSC::Parser::canRecurse):
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeEmptyIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        (JSC::IdentifierArena::makeNumericIdentifier):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::SyntaxChecker):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):
        * profiler/ProfilerBytecode.cpp:
        (JSC::Profiler::Bytecode::toJS const):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::addSequenceProperties const):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::toJS const):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::toJS const):
        * profiler/ProfilerCompiledBytecode.cpp:
        (JSC::Profiler::CompiledBytecode::toJS const):
        * profiler/ProfilerEvent.cpp:
        (JSC::Profiler::Event::toJS const):
        * profiler/ProfilerOSRExit.cpp:
        (JSC::Profiler::OSRExit::toJS const):
        * profiler/ProfilerOSRExitSite.cpp:
        (JSC::Profiler::OSRExitSite::toJS const):
        * profiler/ProfilerUID.cpp:
        (JSC::Profiler::UID::toJS const):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        (JSC::AbstractModuleRecord::resolveExportImpl):
        (JSC::getExportedNames):
        (JSC::AbstractModuleRecord::getModuleNamespace):
        * runtime/ArrayBufferNeuteringWatchpointSet.cpp:
        (JSC::ArrayBufferNeuteringWatchpointSet::fireAll):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::fastJoin):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::slowJoin):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPush):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/AtomicsObject.cpp:
        (JSC::AtomicsObject::finishCreation):
        (JSC::atomicsFuncWait):
        (JSC::operationAtomicsAdd):
        (JSC::operationAtomicsAnd):
        (JSC::operationAtomicsCompareExchange):
        (JSC::operationAtomicsExchange):
        (JSC::operationAtomicsIsLockFree):
        (JSC::operationAtomicsLoad):
        (JSC::operationAtomicsOr):
        (JSC::operationAtomicsStore):
        (JSC::operationAtomicsSub):
        (JSC::operationAtomicsXor):
        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        (JSC::bigIntProtoFuncToString):
        * runtime/CachedTypes.cpp:
        (JSC::CachedUniquedStringImplBase::decode const):
        (JSC::CachedIdentifier::decode const):
        (JSC::CachedJSValue::decode const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Completion.cpp:
        (JSC::checkSyntaxInternal):
        (JSC::checkModuleSyntax):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        * runtime/DateConstructor.cpp:
        (JSC::callDate):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToError):
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionHelpers.cpp:
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::clear):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertyNames):
        * runtime/GetterSetter.h:
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::from):
        (JSC::Identifier::checkCurrentAtomStringTable):
        * runtime/Identifier.h:
        (JSC::Identifier::fromString):
        (JSC::Identifier::createLCharFromUChar):
        (JSC::Identifier::Identifier):
        (JSC::Identifier::add):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::add):
        (JSC::Identifier::fromUid):
        (JSC::Identifier::fromString):
        (JSC::identifierToJSValue):
        (JSC::identifierToSafePublicJSValue):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::resolvedOptions):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
        (JSC::IntlDateTimeFormat::resolvedOptions):
        (JSC::IntlDateTimeFormat::format):
        (JSC::IntlDateTimeFormat::formatToParts):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::formatNumber):
        (JSC::IntlNumberFormat::resolvedOptions):
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::lookupSupportedLocales):
        (JSC::supportedLocales):
        (JSC::intlObjectFuncGetCanonicalLocales):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::initializePluralRules):
        (JSC::IntlPluralRules::resolvedOptions):
        (JSC::IntlPluralRules::select):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        * runtime/JSArray.h:
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        (JSC::JSValue::dumpForBacktrace const):
        (JSC::JSValue::toStringSlowCase const):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toPropertyKey const):
        (JSC::JSValue::get const):
        * runtime/JSCast.h:
        (JSC::jsCast):
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump const):
        (JSC::JSCell::dumpToStream):
        (JSC::JSCell::putByIndex):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::structure const):
        (JSC::ExecState::vm const):
        (JSC::tryAllocateCellHelper):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSFixedArray.cpp:
        (JSC::JSFixedArray::dumpToStream):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::RetrieveCallerFunctionFunctor::operator() const):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::deletePropertyByIndex):
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertyNames):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::exposeDollarVM):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncEscape):
        (JSC::globalFuncUnescape):
        (JSC::globalFuncBuiltinDescribe):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnPropertySlot):
        (JSC::JSModuleEnvironment::put):
        (JSC::JSModuleEnvironment::deleteProperty):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::finishCreation):
        (JSC::JSModuleLoader::requestImportModule):
        (JSC::moduleLoaderParseModule):
        (JSC::moduleLoaderRequestedModules):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::PropertyNameForFunctionCall::value const):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::toString const):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        (JSC::makeIdentifier):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::finishCreation):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::JSRunLoopTimer):
        * runtime/JSRunLoopTimer.h:
        * runtime/JSString.cpp:
        (JSC::JSString::dumpToStream):
        (JSC::JSRopeString::resolveRopeWithFunction const):
        (JSC::jsStringWithCacheSlowCase):
        * runtime/JSString.h:
        (JSC::jsEmptyString):
        (JSC::jsSingleCharacterString):
        (JSC::jsNontrivialString):
        (JSC::JSString::toIdentifier const):
        (JSC::JSString::toAtomString const):
        (JSC::JSString::toExistingAtomString const):
        (JSC::JSString::value const):
        (JSC::JSString::tryGetValue const):
        (JSC::JSString::getIndex):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        (JSC::jsStringWithCache):
        (JSC::JSRopeString::unsafeView const):
        (JSC::JSRopeString::viewWithUnderlyingString const):
        (JSC::JSString::unsafeView const):
        * runtime/JSStringInlines.h:
        (JSC::jsMakeNontrivialString):
        (JSC::repeatCharacter):
        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSTemplateObjectDescriptor.cpp:
        (JSC::JSTemplateObjectDescriptor::createTemplateObject):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::typedArrayViewProtoGetterFuncToStringTag):
        * runtime/LazyClassStructure.cpp:
        (JSC::LazyClassStructure::Initializer::setConstructor):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::Initializer::Initializer):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::tryJSONPParse):
        (JSC::LiteralParser<CharType>::makeIdentifier):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::int32ToStringInternal):
        (JSC::numberToStringInternal):
        (JSC::int52ToString):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectConstructorAssign):
        (JSC::objectConstructorValues):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::PromiseDeferredTimer):
        (JSC::PromiseDeferredTimer::hasPendingPromise):
        (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
        (JSC::PromiseDeferredTimer::cancelPendingPromise):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (JSC::PropertyNameArray::vm):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue const):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::getOwnPropertySlotByIndex):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::putByIndexCommon):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::deletePropertyByIndex):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/RegExpGlobalData.cpp:
        (JSC::RegExpGlobalData::getBackref):
        (JSC::RegExpGlobalData::getLastParen):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::createEmptyRegExpMatchesArray):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoGetterFlags):
        (JSC::regExpProtoGetterSourceInternal):
        (JSC::regExpProtoGetterSource):
        * runtime/RegExpStringIteratorPrototype.cpp:
        (JSC::RegExpStringIteratorPrototype::finishCreation):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::setupJIT):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::computeLineAndColumn const):
        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):
        (JSC::stringFromCodePoint):
        (JSC::stringConstructor):
        (JSC::callStringConstructor):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlotByIndex):
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        (JSC::jsStringWithReuse):
        (JSC::jsSubstring):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::StringPrototype::create):
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        (JSC::replaceUsingStringSearch):
        (JSC::operationStringProtoFuncReplaceGeneric):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncSplitFast):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::toLocaleCase):
        (JSC::trimString):
        (JSC::normalize):
        * runtime/StringPrototypeInlines.h:
        (JSC::stringSlice):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::emptyString):
        * runtime/Structure.cpp:
        (JSC::Structure::didTransitionFromThisStructure const):
        * runtime/StructureInlines.h:
        (JSC::Structure::didReplaceProperty):
        (JSC::Structure::shouldConvertToPolyProto):
        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        (JSC::symbolProtoGetterDescription):
        (JSC::symbolProtoFuncToString):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::setRareDataCodeBlock):
        * runtime/TestRunnerUtils.cpp:
        (JSC::getExecutableForFunction):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getHostFunction):
        (JSC::VM::getCTIInternalFunctionTrampolineFor):
        (JSC::VM::shrinkFootprintWhenIdle):
        (JSC::logSanitizeStack):
        (JSC::sanitizeStackForVM):
        (JSC::VM::emptyPropertyNameEnumeratorSlow):
        * runtime/VM.h:
        (JSC::VM::getCTIStub):
        (JSC::WeakSet::heap const):
        * runtime/VMTraps.cpp:
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakObjectRefPrototype.cpp:
        (JSC::WeakObjectRefPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::printVerificationHeader):
        (JSC::HeapVerifier::verifyCellList):
        (JSC::HeapVerifier::validateJSCell):
        (JSC::HeapVerifier::reportCell):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMCallFrame::finishCreation):
        (JSC::JSDollarVMCallFrame::addProperty):
        (JSC::CustomGetter::getOwnPropertySlot):
        (JSC::CustomGetter::customGetter):
        (JSC::CustomGetter::customGetterAcessor):
        (JSC::DOMJITGetter::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetter::finishCreation):
        (JSC::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterComplex::finishCreation):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (JSC::DOMJITGetterBaseJSObject::finishCreation):
        (JSC::customSetAccessor):
        (JSC::customSetValue):
        (JSC::JSTestCustomGetterSetter::finishCreation):
        (JSC::WasmStreamingParser::finishCreation):
        (JSC::getExecutableForFunction):
        (JSC::functionCodeBlockFor):
        (JSC::functionIndexingMode):
        (JSC::functionValue):
        (JSC::functionCreateBuiltin):
        (JSC::functionGetPrivateProperty):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpRegisters):
        (JSC::VMInspector::dumpCellMemoryToStream):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::setGlobal):
        (JSC::Wasm::Instance::setFunctionWrapper):
        (JSC::Wasm::setWasmTableElement):
        (JSC::Wasm::doWasmRefFunc):
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::set):
        (JSC::Wasm::FuncRefTable::setFunction):
        * wasm/js/JSWebAssembly.cpp:
        (JSC::resolve):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleImports):
        (JSC::webAssemblyModuleExports):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::finishCreation):
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):

2019-08-27  Devin Rousso  <drousso@apple.com>

        Web Inspector: don't attach properties to `injectedScript` for the CommandLineAPI
        https://bugs.webkit.org/show_bug.cgi?id=201193

        Reviewed by Joseph Pecoraro.

        For some reason, adding `injectedScript._inspectObject` inside CommandLineAPIModuleSource.js
        causes inspector/debugger/tail-deleted-frames-this-value.html to fail.

        We should have a similar approach to adding command line api getters and functions, in that
        the CommandLineAPIModuleSource.js calls a function with a callback.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.inspectObject):
        (InjectedScript.prototype.setInspectObject): Added.
        (InjectedScript.prototype._evaluateOn):

2019-08-27  Mark Lam  <mark.lam@apple.com>

        constructFunctionSkippingEvalEnabledCheck() should use tryMakeString() and check for OOM.
        https://bugs.webkit.org/show_bug.cgi?id=201196
        <rdar://problem/54703775>

        Reviewed by Yusuke Suzuki.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2019-08-27  Keith Miller  <keith_miller@apple.com>

        When dumping Air Graphs BBQ should dump patchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=201167

        Reviewed by Filip Pizlo.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator:: const):
        (JSC::Wasm::AirIRGenerator::addPatchpoint):
        (JSC::Wasm::parseAndCompileAir):

2019-08-27  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [RemoteInspector][Socket] Restructuring the components of Socket implementation
        https://bugs.webkit.org/show_bug.cgi?id=201079

        Reviewed by Ross Kirsling.

        Since the change for WeakPtr on r248386, our port start assertion failure on the usage of
        RemoteInspectorSocketEndpoint. We have to send a message to connection client, but if that
        has to be done in the same thread which weakPtr generated, it's a little bit stronger
        restriction for us to handle. In this restructure, we are stopping to use weakPtr to
        resolve circular dependency, but using a reference with invalidation method because
        everything is under our control.

        - Make SocketEndpoint a singleton. This class represents a central place to handle socket
          connections and there's no need to instantiate more than one in a process. Once every
          connection goes away, it just start sleeping until next connection is created. Very low
          resource usage when it is idle.
        - Move Socket::Connection structure from global definition to SocketEndpoint local
          structure. It is directly used in SocketEndpoint privately.
        - Move responsibility to handle message encoding/decoding task from SocketEndpoint to
          ConnectionClient. Make SocketEndpoint as plain socket handling as possible to keep it
          simple to exist long span.
        - Extract an interface from ConnectionClient as SocketEndpoint::Client which is required
          to work with SocketEndpoint. Now SocketEndpoint is very independent from others.
          SocketEndpoint::Client is the required parameter to create a connection.

        Many responsibilities are moved into ConnectionClient which was a thin interface for
        communication between RemoteInspector, RemoteInspectorServer and RemoteInspectorClient.
        It now handles followings:
        - life cycle of connection: create, listen and close or invalidation
        - sending and receiving data packed in a message.

        RemoteInspector and RemoteInspectorServer are now free from creation of SocketEndpoint.
        All communication to SocketEndpoint id now the duty of super class.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
        (Inspector::RemoteInspectorConnectionClient::~RemoteInspectorConnectionClient): Make all connection invalidated.
        (Inspector::RemoteInspectorConnectionClient::connectInet): Add itself as a listener of socket.
        (Inspector::RemoteInspectorConnectionClient::listenInet): Ditto.
        (Inspector::RemoteInspectorConnectionClient::createClient): Ditto.
        (Inspector::RemoteInspectorConnectionClient::send): Add message processing.
        (Inspector::RemoteInspectorConnectionClient::didReceive): Ditto.
        (Inspector::RemoteInspectorConnectionClient::extractEvent): Extracted from send.
        * inspector/remote/socket/RemoteInspectorConnectionClient.h:
        * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
        (Inspector::MessageParser::MessageParser):
        (Inspector::MessageParser::pushReceivedData):
        (Inspector::MessageParser::parse):
        * inspector/remote/socket/RemoteInspectorMessageParser.h:
        (Inspector::MessageParser::MessageParser):
        (Inspector::MessageParser::Function<void):
        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::connect): Remove direct communication to Socket Endpoint.
        (Inspector::RemoteInspectorServer::listenForTargets): Ditto.
        (Inspector::RemoteInspectorServer::sendWebInspectorEvent): Ditto.
        (Inspector::RemoteInspectorServer::start): Ditto.
        * inspector/remote/socket/RemoteInspectorServer.h:
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::sendWebInspectorEvent): Remove direct communication to Socket Endpoint.
        (Inspector::RemoteInspector::start): Ditto.
        (Inspector::RemoteInspector::stopInternal): Ditto.
        (Inspector::RemoteInspector::pushListingsNow): Change the target of validity check to ID.
        (Inspector::RemoteInspector::pushListingsSoon): Ditto.
        (Inspector::RemoteInspector::sendMessageToRemote): Ditto.
        * inspector/remote/socket/RemoteInspectorSocket.h: Move Connection structure to RemoteInspectorSocketEndpoint.
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
        (Inspector::RemoteInspectorSocketEndpoint::singleton): Added.
        (Inspector::RemoteInspectorSocketEndpoint::RemoteInspectorSocketEndpoint): Use hard-coded thread name.
        (Inspector::RemoteInspectorSocketEndpoint::connectInet): Accept RemoteInspectorSocketEndpoint::Client as listener.
        (Inspector::RemoteInspectorSocketEndpoint::listenInet): Ditto.
        (Inspector::RemoteInspectorSocketEndpoint::createClient): Ditto.
        (Inspector::RemoteInspectorSocketEndpoint::invalidateClient): Added. Invalidate all connection from the client.
        (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled): Remove message parser handling.
        (Inspector::RemoteInspectorSocketEndpoint::send): Remove message packing.
        (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
        (Inspector::RemoteInspectorSocketEndpoint::Connection::Connection):

2019-08-26  Devin Rousso  <drousso@apple.com>

        Web Inspector: use more C++ keywords for defining agents
        https://bugs.webkit.org/show_bug.cgi?id=200959

        Reviewed by Joseph Pecoraro.

         - make constructors `protected` when the agent isn't meant to be constructed directly
         - add `virtual` destructors that are defined in the *.cpp so forward-declarations work
         - use `final` wherever possible
         - add comments to indicate where any virtual functions come from

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAuditAgent.h:
        * inspector/agents/InspectorAuditAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/InspectorTargetAgent.h:
        * inspector/agents/InspectorTargetAgent.cpp:
        * inspector/agents/JSGlobalObjectAuditAgent.h:
        * inspector/agents/JSGlobalObjectAuditAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:

2019-08-26  Devin Rousso  <drousso@apple.com>

        Web Inspector: unify agent command error messages
        https://bugs.webkit.org/show_bug.cgi?id=200950

        Reviewed by Joseph Pecoraro.

        Different agents can sometimes have different error messages for commands that have a
        similar intended effect.  We should make our error messages more similar.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAuditAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorHeapAgent.cpp:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        * inspector/agents/InspectorTargetAgent.cpp:
        * inspector/agents/JSGlobalObjectAuditAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        Elide function lists to avoid an extremely large ChangeLog entry.

2019-08-26  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Ensure x?.y ?? z is fast
        https://bugs.webkit.org/show_bug.cgi?id=200875

        Reviewed by Yusuke Suzuki.

        We anticipate `x?.y ?? z` to quickly become a common idiom in JS. With a little bytecode rearrangement,
        we can avoid the "load undefined and check it" dance in the middle and just turn this into two jumps.

        Before:
                (get x)
          ----- jundefined_or_null
          |     (get y)
          | --- jmp
          > |   (load undefined)
            > - jnundefined_or_null
              | (get z)
              > end

        After:
                (get x)
            --- jundefined_or_null
            |   (get y)
            | - jnundefined_or_null
            > | (get z)
              > end

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popOptionalChainTarget): Added specialization.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CoalesceNode::emitBytecode):
        (JSC::OptionalChainNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeCoalesceNode): Added.
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/NodeConstructors.h:
        (JSC::CoalesceNode::CoalesceNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isDeleteNode const): Added. (Replaces OptionalChainNode::m_isDelete.)

2019-08-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        Missing media controls when WebKit is built with Python3
        https://bugs.webkit.org/show_bug.cgi?id=194367

        Reviewed by Carlos Garcia Campos.

        The JavaScript minifier script jsmin.py expects a text stream
        with text type as input, but the script make-js-file-arrays.py
        was passing to it a FileIO() object. So, when the jsmin script
        called read() over this object, python3 was returning a type of
        bytes, but for python2 it returns type str.

        This caused two problems: first that jsmin failed to do any minifying
        because it was comparing strings with a variable of type bytes.
        The second major problem was in the write() function, when the
        jsmin script tried to convert a byte character to text by calling
        str() on it. Because what this does is not to convert from byte
        type to string, but to simply generate a string with the format b'c'.
        So the jsmin script was returning back as minified JS complete
        garbage in the form of "b't'b'h'b'h'b'i" for python3.

        Therefore, when WebKit was built with python3 this broke everything
        that depended on the embedded JS code that make-js-file-arrays.py
        was supposed to generate, like the media controls and the WebDriver
        atoms.

        Fix this by reworking the code in make-js-file-arrays script to
        read the data from the file using a TextIOWrapper in python 3
        with decoding for 'utf-8'. This ensures that the jsmin receives
        a text type. For python2 keep using the same FileIO class.

        On the jsmin.py script remove the problematic call to str() inside
        the write() function when running with python3.
        On top of that, add an extra check in jsmin.py script to make it
        fail if the character type read is not the one expected. This
        will cause the build to fail instead of failing silently like
        now. I did some tests and the runtime cost of this extra check
        is almost zero.

        * Scripts/jsmin.py:
        (JavascriptMinify.minify.write):
        (JavascriptMinify):
        * Scripts/make-js-file-arrays.py:
        (main):

2019-08-23  Devin Rousso  <drousso@apple.com>

        Web Inspector: create additional command line api functions for other console methods
        https://bugs.webkit.org/show_bug.cgi?id=200971

        Reviewed by Joseph Pecoraro.

        Expose all `console.*` functions in the command line API, since they're all already able to
        be referenced via the `console` object.

        Provide a simpler interface for other injected scripts to modify the command line API.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.inspectObject):
        (InjectedScript.prototype.addCommandLineAPIGetter): Added.
        (InjectedScript.prototype.addCommandLineAPIMethod): Added.
        (InjectedScript.prototype.hasInjectedModule): Added.
        (InjectedScript.prototype.injectModule):
        (InjectedScript.prototype._evaluateOn):
        (InjectedScript.CommandLineAPI): Added.
        (InjectedScript.prototype.module): Deleted.
        (InjectedScript.prototype._savedResult): Deleted.
        (bind): Deleted.
        (BasicCommandLineAPI): Deleted.
        (clear): Deleted.
        (table): Deleted.
        (profile): Deleted.
        (profileEnd): Deleted.
        (keys): Deleted.
        (values): Deleted.
        (queryInstances): Deleted.
        (queryObjects): Deleted.
        (queryHolders): Deleted.

2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>

        Remove MaximalFlushInsertionPhase
        https://bugs.webkit.org/show_bug.cgi?id=201036

        Reviewed by Saam Barati.

        Maximal flush has found too many false positives recently, so we decided it's finally time
        to remove it instead of hacking it to fix the most recent false positive.

        The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
        for the argument count that was being flushed in a much later block. Now, since that block was
        the head of a loop, and there was a SetLocal in the same block to the same variable, this
        generated a Phi of both values, which then led to the unification of their VariableAccessData
        in the unification phase. This caused AI to assign the Int52 type to argument count, which
        broke the AI’s assumption that it should always be an Int32.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
        * dfg/DFGMaximalFlushInsertionPhase.h: Removed.
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed WinCairo build fix following r249058.

        * API/tests/testapi.cpp:
        (TestAPI::callFunction):
        WinCairo chokes on `JSValueRef args[sizeof...(arguments)]` when there are no arguments, but AppleWin does not...
        MSVC must have changed somehow.

2019-08-23  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Do not overwrite argument registers in jsCallEntrypoint
        https://bugs.webkit.org/show_bug.cgi?id=200952

        Reviewed by Saam Barati.

        The c call that we emitted was incorrect. If we had an int argument that was supposed to be placed in GPR0 by this loop,
        we would clobber it while making the call (among many other possible registers). To fix this, we just inline the call 
        to isWebassemblyHostFunction.

        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>

        JSC should have public API for unhandled promise rejections
        https://bugs.webkit.org/show_bug.cgi?id=197172

        Reviewed by Keith Miller.

        This patch makes it possible to register a unhandled promise rejection callback via the JSC API.
        Since there is no event loop in such an environment, this callback fires off of the microtask queue.
        The callback receives the promise and rejection reason as arguments and its return value is ignored.

        * API/JSContextRef.cpp:
        (JSGlobalContextSetUnhandledRejectionCallback): Added.
        * API/JSContextRefPrivate.h:
        Add new C++ API call.

        * API/tests/testapi.cpp:
        (TestAPI::promiseResolveTrue): Clean up test output.
        (TestAPI::promiseRejectTrue): Clean up test output.
        (TestAPI::promiseUnhandledRejection): Added.
        (TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback): Added.
        (TestAPI::promiseEarlyHandledRejections): Added.
        (testCAPIViaCpp):
        Add new C++ API test.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionSetUnhandledRejectionCallback): Added.
        Add corresponding global to JSC shell.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setUnhandledRejectionCallback): Added.
        (JSC::JSGlobalObject::unhandledRejectionCallback const): Added.
        Keep a strong reference to the callback.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncHostPromiseRejectionTracker):
        Add default behavior.

        * runtime/VM.cpp:
        (JSC::VM::callPromiseRejectionCallback): Added.
        (JSC::VM::didExhaustMicrotaskQueue): Added.
        (JSC::VM::promiseRejected): Added.
        (JSC::VM::drainMicrotasks):
        When microtask queue is exhausted, deal with any pending unhandled rejections
        (in a manner based on RejectedPromiseTracker's reportUnhandledRejections),
        then make sure this didn't cause any new microtasks to be added to the queue.

        * runtime/VM.h:
        Store unhandled rejections.
        (This collection will always be empty in the presence of WebCore.)

2019-08-22  Mark Lam  <mark.lam@apple.com>

        VirtualRegister::dump() can use more informative CallFrame header slot names.
        https://bugs.webkit.org/show_bug.cgi?id=201062

        Reviewed by Tadeu Zagallo.

        For example, it currently dumps head3 instead of callee.  This patch changes the
        dump as follows (for 64-bit addressing):
            head0 => callerFrame
            head1 => returnPC
            head2 => codeBlock
            head3 => callee
            head4 => argumentCount

        Now, one might be wondering when would bytecode ever access callerFrame and
        returnPC?  The answer is never.  However, I don't think its the role of the
        dumper to catch a bug where these header slots are being used.  The dumper's role
        is to clearly report them so that we can see that these unexpected values are
        being used.

        * bytecode/VirtualRegister.cpp:
        (JSC::VirtualRegister::dump const):

2019-08-22  Andy Estes  <aestes@apple.com>

        [watchOS] Disable Content Filtering in the simulator build
        https://bugs.webkit.org/show_bug.cgi?id=201047

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2019-08-22  Adrian Perez de Castro  <aperez@igalia.com>

        [GTK][WPE] Fixes for non-unified builds after r248547
        https://bugs.webkit.org/show_bug.cgi?id=201044

        Reviewed by Philippe Normand.

        * b3/B3ReduceLoopStrength.cpp: Add missing inclusions of B3BasicBlockInlines.h,
        B3InsertionSet.h, and B3NaturalLoops.h
        * wasm/WasmOMGForOSREntryPlan.h: Include WasmCallee.h instead of forward-declaring
        BBQCallee in order to avoid build failure due to incomplete definition on template
        expansions.

2019-08-22  Justin Michaud  <justin_michaud@apple.com>

        Add missing exception check in canonicalizeLocaleList
        https://bugs.webkit.org/show_bug.cgi?id=201021

        Reviewed by Mark Lam.

        * runtime/IntlObject.cpp:
        (JSC::canonicalizeLocaleList):

2019-08-17  Darin Adler  <darin@apple.com>

        Use makeString and multi-argument StringBuilder::append instead of less efficient multiple appends
        https://bugs.webkit.org/show_bug.cgi?id=200862

        Reviewed by Ryosuke Niwa.

        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError): Got rid of unnecessary local variable.
        (JSC::notAFunctionSourceAppender): Use single append instead of multiple.
        Eliminate unneeded and unconventional use of makeString on a single string literal.
        (JSC::invalidParameterInstanceofNotFunctionSourceAppender): Ditto.
        (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender): Ditto.
        (JSC::createInvalidFunctionApplyParameterError): Ditto.
        (JSC::createInvalidInParameterError): Ditto.
        (JSC::createInvalidInstanceofParameterErrorNotFunction): Ditto.
        (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): Ditto.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck): Use single append instead of multiple.
        * runtime/Options.cpp:
        (JSC::Options::dumpOption): Ditto.
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset): Ditto.
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::stringRepresentation): Ditto. Also use a modern for loop.

2019-08-21  Mark Lam  <mark.lam@apple.com>

        Wasm::FunctionParser is failing to enforce maxFunctionLocals.
        https://bugs.webkit.org/show_bug.cgi?id=201016
        <rdar://problem/54579911>

        Reviewed by Yusuke Suzuki.

        Currently, Wasm::FunctionParser is allowing

            maxFunctionParams + maxFunctionLocals * maxFunctionLocals

        ... locals, which is 0x9502FCE8.  It should be enforcing max locals of
        maxFunctionLocals instead.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parse):

2019-08-21  Michael Saboff  <msaboff@apple.com>

        [JSC] incorrent JIT lead to StackOverflow
        https://bugs.webkit.org/show_bug.cgi?id=197823

        Reviewed by Tadeu Zagallo.

        Added stack overflow check to the bound function thunk generator.  Added a new C++ operation
        throwStackOverflowErrorFromThunk() to throw the error.
        
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/ThunkGenerators.cpp:
        (JSC::boundThisNoArgsFunctionCallGenerator):

2019-08-21  Devin Rousso  <drousso@apple.com>

        Web Inspector: Page: re-add enable/disable after r248454
        https://bugs.webkit.org/show_bug.cgi?id=200947

        Reviewed by Joseph Pecoraro.

        We shouldn't design the agent system with only Web Inspector in mind. Other clients may want
        to have different functionality, not being told about frames creation/updates/destruction.
        In these cases, we should have graceful error message failures for other agents that rely on
        the Page agent.

        * inspector/protocol/Page.json:

2019-08-20  Justin Michaud  <justin_michaud@apple.com>

        Identify memcpy loops in b3
        https://bugs.webkit.org/show_bug.cgi?id=200181

        Reviewed by Saam Barati.

        Add a new pass in B3 to identify one type of forward byte copy loop and replace it with a call to a custom version of memcpy
        that will not cause GC tearing and have the correct behaviour when overlapping regions are passed in. 

        Microbenchmarks show memcpy-typed-loop-large is about 6x faster, and everything else is neutral. The optimization is disabled
        on arm for now, until we add a memcpy implementation for it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3ReduceLoopStrength.cpp: Added.
        (JSC::B3::fastForwardCopy32):
        (JSC::B3::ReduceLoopStrength::AddrInfo::appendAddr):
        (JSC::B3::ReduceLoopStrength::ReduceLoopStrength):
        (JSC::B3::ReduceLoopStrength::reduceByteCopyLoopsToMemcpy):
        (JSC::B3::ReduceLoopStrength::hoistValue):
        (JSC::B3::ReduceLoopStrength::run):
        (JSC::B3::reduceLoopStrength):
        * b3/B3ReduceLoopStrength.h: Added.
        * b3/testb3.h:
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_8.cpp:
        (testFastForwardCopy32):
        (testByteCopyLoop):
        (testByteCopyLoopStartIsLoopDependent):
        (testByteCopyLoopBoundIsLoopDependent):
        (addCopyTests):

2019-08-20  Devin Rousso  <drousso@apple.com>

        Unreviewed, speculative build fix for High Sierra after r248925

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::HeapHolderFinder::dump):

2019-08-20  Mark Lam  <mark.lam@apple.com>

        Remove superfluous size argument to allocateCell() for fixed size objects.
        https://bugs.webkit.org/show_bug.cgi?id=200958

        Reviewed by Yusuke Suzuki.

        The size is already automatically computed by the allocateCell() template's default
        arguments.  Removing these superfluous arguments will make it easier for us to
        grep for cases where we do allocate variable size cells (for later analysis work).

        * jsc.cpp:
        (JSC::Masquerader::create):
        (JSCMemoryFootprint::create):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVMCallFrame::create):
        (JSC::Element::create):
        (JSC::Root::create):
        (JSC::SimpleObject::create):
        (JSC::ImpureGetter::create):
        (JSC::CustomGetter::create):
        (JSC::DOMJITNode::create):
        (JSC::DOMJITGetter::create):
        (JSC::DOMJITGetterComplex::create):
        (JSC::DOMJITFunctionObject::create):
        (JSC::DOMJITCheckSubClassObject::create):
        (JSC::DOMJITGetterBaseJSObject::create):
        (JSC::JSTestCustomGetterSetter::create):
        (JSC::WasmStreamingParser::create):

2019-08-20  Mark Lam  <mark.lam@apple.com>

        JSBigInt::m_length should be immutable.
        https://bugs.webkit.org/show_bug.cgi?id=200956

        Reviewed by Yusuke Suzuki.

        This is because the JSBigInt cell size is allocated with that length.  Changing
        the length after construction does not change the size of the cell, and hence,
        makes no sense.

        This patch removes the setLength() method, and decorates the m_length field with
        const to enforce that it is immutable after construction.

        * runtime/JSBigInt.h:

2019-08-20  Devin Rousso  <drousso@apple.com>

        Web Inspector: Implement `queryHolders` Command Line API
        https://bugs.webkit.org/show_bug.cgi?id=200458

        Reviewed by Joseph Pecoraro.

        Call `queryHolders(object)` from the Console to return an array of objects that strongly
        reference the given `object`. This could be very useful for finding JavaScript "leaks".

        * inspector/InjectedScriptSource.js:
        (queryHolders): Added.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::HeapHolderFinder::HeapHolderFinder): Added.
        (Inspector::HeapHolderFinder::holders): Added.
        (Inspector::HeapHolderFinder::analyzeEdge): Added.
        (Inspector::HeapHolderFinder::analyzePropertyNameEdge): Added.
        (Inspector::HeapHolderFinder::analyzeVariableNameEdge): Added.
        (Inspector::HeapHolderFinder::analyzeIndexEdge): Added.
        (Inspector::HeapHolderFinder::analyzeNode): Added.
        (Inspector::HeapHolderFinder::setOpaqueRootReachabilityReasonForCell): Added.
        (Inspector::HeapHolderFinder::setWrappedObjectForCell): Added.
        (Inspector::HeapHolderFinder::setLabelForCell): Added.
        (Inspector::HeapHolderFinder::dump): Added.
        (Inspector::JSInjectedScriptHost::queryHolders): Added.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryHolders): Added.

        * heap/HeapAnalyzer.h: Added.
        Create an abstract base class for analyzing the Heap during a GC. Rather than create an
        entire `HeapSnapshot` for `queryHolders`, the `HeapHolderFinder` can just walk the Heap and
        only save the information it needs to determine the holders of the given `object`.

        * heap/Heap.h:
        * heap/Heap.cpp:
        (JSC::Heap::isAnalyzingHeap const): Added.
        (JSC::GatherExtraHeapData::GatherExtraHeapData): Added.
        (JSC::GatherExtraHeapData::operator() const): Added.
        (JSC::Heap::gatherExtraHeapData): Added.
        (JSC::Heap::didFinishCollection): Added.
        (JSC::Heap::isHeapSnapshotting const): Deleted.
        (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData): Deleted.
        (JSC::GatherHeapSnapshotData::operator() const): Deleted.
        (JSC::Heap::gatherExtraHeapSnapshotData): Deleted.
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::isAnalyzingHeap const): Added.
        (JSC::SlotVisitor::heapAnalyzer const): Added.
        (JSC::SlotVisitor::isBuildingHeapSnapshot const): Deleted.
        (JSC::SlotVisitor::heapSnapshotBuilder const): Deleted.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::appendSlow):
        (JSC::SlotVisitor::visitChildren):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::appendUnbarriered):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        Rename `HeapAnalyzer` functions to be less specific to building a `HeapSnapshot`.

        * heap/HeapProfiler.h:
        (JSC::HeapProfiler::activeHeapAnalyzer const): Added.
        (JSC::HeapProfiler::activeSnapshotBuilder const): Deleted.
        * heap/HeapProfiler.cpp:
        (JSC::HeapProfiler::setActiveHeapAnalyzer): Added.
        (JSC::HeapProfiler::setActiveSnapshotBuilder): Deleted.
        * heap/HeapSnapshotBuilder.h:
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder):
        (JSC::HeapSnapshotBuilder::buildSnapshot):
        (JSC::HeapSnapshotBuilder::analyzeNode): Added.
        (JSC::HeapSnapshotBuilder::analyzeEdge): Added.
        (JSC::HeapSnapshotBuilder::analyzePropertyNameEdge): Added.
        (JSC::HeapSnapshotBuilder::analyzeVariableNameEdge): Added.
        (JSC::HeapSnapshotBuilder::analyzeIndexEdge): Added.
        (JSC::HeapSnapshotBuilder::appendNode): Deleted.
        (JSC::HeapSnapshotBuilder::appendEdge): Deleted.
        (JSC::HeapSnapshotBuilder::appendPropertyNameEdge): Deleted.
        (JSC::HeapSnapshotBuilder::appendVariableNameEdge): Deleted.
        (JSC::HeapSnapshotBuilder::appendIndexEdge): Deleted.

        * inspector/InjectedScriptManager.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:

        * runtime/ClassInfo.h:
        * runtime/JSCell.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::analyzeHeap): Added.
        (JSC::JSCell::heapSnapshot): Deleted.
        * runtime/JSLexicalEnvironment.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::analyzeHeap): Added.
        (JSC::JSLexicalEnvironment::heapSnapshot): Deleted.
        * runtime/JSObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::analyzeHeap): Added.
        (JSC::JSObject::heapSnapshot): Deleted.
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::analyzeHeap): Added.
        (JSC::JSSegmentedVariableObject::heapSnapshot): Deleted.
        Rename `heapSnapshot` to `analyzeHeap`.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-08-20  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Enable by default
        https://bugs.webkit.org/show_bug.cgi?id=200931

        Reviewed by Saam Barati.

        * runtime/Options.h:

2019-08-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Array.prototype.toString should not get "join" function each time
        https://bugs.webkit.org/show_bug.cgi?id=200905

        Reviewed by Mark Lam.

        We avoid looking up `join` every time Array#toString is called. This patch implements the most profitable and easy
        case first as we are doing optimization for Array#slice: non-modified original Array. Configuring watchpoint for
        Array.prototype.join change and use this information and structure information to determine whether `join` lookup
        in Array.prototype.toString is unnecessary. This improves JetStream2/3d-raytrace-SP score by 1.6%

            ToT:     363.56
            Patched: 369.26

        This patch also renames InlineWatchpointSet fields from Watchpoint to WatchpointSet since they are not Watchpoint.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
        (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
        * runtime/ArrayPrototype.cpp:
        (JSC::speciesWatchpointIsValid):
        (JSC::canUseDefaultArrayJoinForToString):
        (JSC::arrayProtoFuncToString):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayIteratorProtocolWatchpointSet):
        (JSC::JSGlobalObject::mapIteratorProtocolWatchpointSet):
        (JSC::JSGlobalObject::setIteratorProtocolWatchpointSet):
        (JSC::JSGlobalObject::stringIteratorProtocolWatchpointSet):
        (JSC::JSGlobalObject::mapSetWatchpointSet):
        (JSC::JSGlobalObject::setAddWatchpointSet):
        (JSC::JSGlobalObject::arraySpeciesWatchpointSet):
        (JSC::JSGlobalObject::arrayJoinWatchpointSet):
        (JSC::JSGlobalObject::numberToStringWatchpointSet):
        (JSC::JSGlobalObject::arrayIteratorProtocolWatchpoint): Deleted.
        (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint): Deleted.
        (JSC::JSGlobalObject::setIteratorProtocolWatchpoint): Deleted.
        (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): Deleted.
        (JSC::JSGlobalObject::mapSetWatchpoint): Deleted.
        (JSC::JSGlobalObject::setAddWatchpoint): Deleted.
        (JSC::JSGlobalObject::arraySpeciesWatchpoint): Deleted.
        (JSC::JSGlobalObject::numberToStringWatchpoint): Deleted.
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
        (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
        (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
        (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
        (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
        (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):

2019-08-20  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Support for JavaScript BigInt
        https://bugs.webkit.org/show_bug.cgi?id=180731
        <rdar://problem/36298748>

        Reviewed by Devin Rousso.        
        
        * inspector/InjectedScriptSource.js:
        (toStringDescription):
        (isSymbol):
        (isBigInt):
        (let.InjectedScript.prototype._fallbackWrapper):
        (let.RemoteObject):
        (let.RemoteObject.subtype):
        (let.RemoteObject.describe):
        (let.RemoteObject.prototype._appendPropertyPreviews):
        (let.RemoteObject.set _isPreviewableObjectInternal):
        (let.RemoteObject.prototype._isPreviewableObject.set add):
        * inspector/protocol/Runtime.json:
        New RemoteObject type and preview support.

        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        (JSC::runtimeTypeAsString):
        * runtime/RuntimeType.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::displayName const):
        (JSC::TypeSet::inspectorTypeSet const):
        New type for the type profiler.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::getPreview):
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::tryGetString):
        (JSC::JSBigInt::toStringBasePowerOfTwo):
        (JSC::JSBigInt::toStringGeneric):
        * runtime/JSBigInt.h:
        BigInts are not tied to a GlobalObject, so provide a way to get a
        String for HeapSnapshot previews that are not tied to an ExecState.

2019-08-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: Debugger: add a global breakpoint for pausing in the next microtask
        https://bugs.webkit.org/show_bug.cgi?id=200652

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Debugger.json:
        Add `setPauseOnMicrotasks` command.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::setPauseOnMicrotasks): Added.
        (Inspector::InspectorDebuggerAgent::willRunMicrotask): Added.
        (Inspector::InspectorDebuggerAgent::didRunMicrotask): Added.

        * debugger/Debugger.h:
        (JSC::Debugger::willRunMicrotask): Added.
        (JSC::Debugger::didRunMicrotask): Added.
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::sourceParsed):
        (Inspector::ScriptDebugServer::willRunMicrotask): Added.
        (Inspector::ScriptDebugServer::didRunMicrotask): Added.
        (Inspector::ScriptDebugServer::canDispatchFunctionToListeners const): ADded.
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners): ADded.
        (Inspector::ScriptDebugServer::handlePause):
        (Inspector::ScriptDebugServer::dispatchDidPause): Deleted.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Deleted.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Deleted.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Deleted.
        (Inspector::ScriptDebugServer::dispatchDidContinue): Deleted.
        (Inspector::ScriptDebugServer::dispatchDidParseSource): Deleted.
        (Inspector::ScriptDebugServer::dispatchFailedToParseSource): Deleted.
        Unify the various `dispatch*` functions to use lambdas so state management is centralized.

        * runtime/JSMicrotask.cpp:
        (JSC::JSMicrotask::run):

        * inspector/agents/JSGlobalObjectDebuggerAgent.h:

2019-08-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: Debugger: pause on assertion failures breakpoint doesn't work when inspecting a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=200874

        Reviewed by Joseph Pecoraro.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):

2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Proxy constructor should throw if handler is revoked Proxy
        https://bugs.webkit.org/show_bug.cgi?id=198755

        Reviewed by Saam Barati.

        Reword error message and check if handler is revoked Proxy.
        (step 4 of https://tc39.es/ecma262/#sec-proxycreate)

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::finishCreation): Add isRevoked check.

2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] OSR entry to Wasm OMG
        https://bugs.webkit.org/show_bug.cgi?id=200362

        Reviewed by Michael Saboff.

        This patch implements Wasm OSR entry mechanism from BBQ tier to OMG tier.
        We found that one of JetStream2 test heavily relies on OSR entry feature. gcc-loops-wasm consumes
        most of time in BBQ tier since one of the function takes significantly long time. And since we did
        not have OSR entry feature, we cannot use OMG function until that BBQ function finishes.

        To implement Wasm OSR feature, we first capture all locals and stacks in the patchpoint to generate
        the stackmap. Once the threshold is crossed, the patchpoint calls `MacroAssembler::probe` feature to
        capture whole register context, and C++ runtime function reads stackmap and Probe::Context to perform
        OSR entry. This patch intentionally makes OSR entry written in C++ runtime side as much as possible
        to make it easily reusable for the other tiers. For example, we are planning to introduce Wasm interpreter,
        and it can easily use this tier-up function. Because of this simplicity, this generic implementation can
        cover both BBQ Air and BBQ B3 tier-up features. So, in the feature, it is possible that we revive BBQ B3,
        and construct the wasm pipeline like, interpreter->BBQ B3->OMG B3.

        To generate OMG code for OSR entry, we add a new mode OMGForOSREntry, which mimics the FTLForOSREntry.
        In FTLForOSREntry, we cut unrelated blocks including the usual entry point in DFG tier and later convert
        graph to SSA. This is possible because DFG is not SSA. On the other hand, B3 is SSA and we cannot take the
        same thing without a hack.

        This patch introduce a hack: making all wasm locals and stack values B3::Variable for OMGForOSREntry mode.
        Then, we can cut blocks easily and we can generate the B3 graph without doing reachability analysis from the
        OSR entry point. B3 will remove unreachable blocks later.

        Tier-up function mimics DFG->FTL OSR entry heuristics and threshold as much as possible. And this patch adjusts
        the tier-up count threshold to make it close to DFG->FTL ones. Wasm tier-up is now using ExecutionCounter, which
        is inherited from Wasm::TierUpCount. Since wasm can execute concurrently, the tier-up counter can be racily updated.
        But this is OK in practice. Even if we see some more tier-up function calls or tier-up function calls are delayed,
        the critical part is guarded by a lock in tier-up function.

        In iMac Pro, it shows ~4x runtime improvement for gcc-loops-wasm. On iOS device (iPhone XR), we saw ~2x improvement.

            ToT:
                HashSet-wasm:Score: 24.6pt stdev=4.6%
                            :Time:Geometric: 204ms stdev=4.4%
                            Runtime:Time: 689ms stdev=1.0%
                            Startup:Time: 60.3ms stdev=8.4%
                gcc-loops-wasm:Score: 8.41pt stdev=6.7%
                              :Time:Geometric: 597ms stdev=6.5%
                              Runtime:Time: 8.509s stdev=0.7%
                              Startup:Time: 42ms stdev=12.4%
                quicksort-wasm:Score: 347pt stdev=20.9%
                              :Time:Geometric: 15ms stdev=18.6%
                              Runtime:Time: 28.2ms stdev=7.9%
                              Startup:Time: 8.2ms stdev=35.0%
                richards-wasm:Score: 77.6pt stdev=4.5%
                             :Time:Geometric: 64.6ms stdev=4.4%
                             Runtime:Time: 544ms stdev=3.3%
                             Startup:Time: 7.67ms stdev=6.7%
                tsf-wasm:Score: 47.9pt stdev=4.5%
                        :Time:Geometric: 104ms stdev=4.8%
                        Runtime:Time: 259ms stdev=4.4%
                        Startup:Time: 42.2ms stdev=8.5%

            Patched:
                HashSet-wasm:Score: 24.1pt stdev=4.1%
                            :Time:Geometric: 208ms stdev=4.1%
                            Runtime:Time: 684ms stdev=1.1%
                            Startup:Time: 63.2ms stdev=8.1%
                gcc-loops-wasm:Score: 15.7pt stdev=5.1%
                              :Time:Geometric: 319ms stdev=5.3%
                              Runtime:Time: 2.491s stdev=0.7%
                              Startup:Time: 41ms stdev=11.0%
                quicksort-wasm:Score: 353pt stdev=13.7%
                              :Time:Geometric: 14ms stdev=12.7%
                              Runtime:Time: 26.2ms stdev=2.9%
                              Startup:Time: 8.0ms stdev=23.7%
                richards-wasm:Score: 77.4pt stdev=5.3%
                             :Time:Geometric: 64.7ms stdev=5.3%
                             Runtime:Time: 536ms stdev=1.5%
                             Startup:Time: 7.83ms stdev=9.6%
                tsf-wasm:Score: 47.3pt stdev=5.7%
                        :Time:Geometric: 106ms stdev=6.1%
                        Runtime:Time: 250ms stdev=3.5%
                        Startup:Time: 45ms stdev=13.8%

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchAdd32):
        * b3/B3ValueRep.h:
        * bytecode/CodeBlock.h:
        * bytecode/ExecutionCounter.cpp:
        (JSC::applyMemoryUsageHeuristics):
        (JSC::ExecutionCounter<countingVariant>::setThreshold):
        * bytecode/ExecutionCounter.h:
        (JSC::ExecutionCounter::clippedThreshold):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::prologueStackPointerDelta):
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::createStack):
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        (JSC::Wasm::AirIRGenerator::outerLoopIndex const):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::emitEntryTierUpCheck):
        (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
        (JSC::Wasm::AirIRGenerator::addLoop):
        (JSC::Wasm::AirIRGenerator::addElse):
        (JSC::Wasm::AirIRGenerator::addBranch):
        (JSC::Wasm::AirIRGenerator::addSwitch):
        (JSC::Wasm::AirIRGenerator::endBlock):
        (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
        (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
        (JSC::Wasm::AirIRGenerator::dump):
        (JSC::Wasm::AirIRGenerator::emitTierUpCheck): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::Stack::Stack):
        (JSC::Wasm::B3IRGenerator::Stack::append):
        (JSC::Wasm::B3IRGenerator::Stack::takeLast):
        (JSC::Wasm::B3IRGenerator::Stack::last):
        (JSC::Wasm::B3IRGenerator::Stack::size const):
        (JSC::Wasm::B3IRGenerator::Stack::isEmpty const):
        (JSC::Wasm::B3IRGenerator::Stack::convertToExpressionList):
        (JSC::Wasm::B3IRGenerator::Stack::at const):
        (JSC::Wasm::B3IRGenerator::Stack::variableAt const):
        (JSC::Wasm::B3IRGenerator::Stack::shrink):
        (JSC::Wasm::B3IRGenerator::Stack::swap):
        (JSC::Wasm::B3IRGenerator::Stack::dump const):
        (JSC::Wasm::B3IRGenerator::createStack):
        (JSC::Wasm::B3IRGenerator::outerLoopIndex const):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitEntryTierUpCheck):
        (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
        (JSC::Wasm::B3IRGenerator::addLoop):
        (JSC::Wasm::B3IRGenerator::addElse):
        (JSC::Wasm::B3IRGenerator::addBranch):
        (JSC::Wasm::B3IRGenerator::addSwitch):
        (JSC::Wasm::B3IRGenerator::endBlock):
        (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
        (JSC::Wasm::B3IRGenerator::unifyValuesWithBlock):
        (JSC::Wasm::B3IRGenerator::dump):
        (JSC::Wasm::parseAndCompile):
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck): Deleted.
        (JSC::Wasm::dumpExpressionStack): Deleted.
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmCallee.h:
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::wasmBBQCalleeFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace):
        (JSC::Wasm::CodeBlock::tierUpCount): Deleted.
        * wasm/WasmCompilationMode.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmCompilationMode.h:
        * wasm/WasmContext.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp.
        (JSC::Wasm::Context::scratchBufferForSize):
        * wasm/WasmContext.h:
        * wasm/WasmContextInlines.h:
        (JSC::Wasm::Context::tryLoadInstanceFromTLS):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmOMGForOSREntryPlan.cpp: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.cpp.
        (JSC::Wasm::OMGForOSREntryPlan::OMGForOSREntryPlan):
        (JSC::Wasm::OMGForOSREntryPlan::work):
        * wasm/WasmOMGForOSREntryPlan.h: Copied from Source/JavaScriptCore/wasm/WasmOMGPlan.h.
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        (JSC::Wasm::OMGPlan::runForIndex): Deleted.
        * wasm/WasmOMGPlan.h:
        * wasm/WasmOSREntryData.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
        (JSC::Wasm::OSREntryValue::OSREntryValue):
        (JSC::Wasm::OSREntryValue::type const):
        (JSC::Wasm::OSREntryData::OSREntryData):
        (JSC::Wasm::OSREntryData::functionIndex const):
        (JSC::Wasm::OSREntryData::loopIndex const):
        (JSC::Wasm::OSREntryData::values):
        * wasm/WasmOperations.cpp: Added.
        (JSC::Wasm::shouldTriggerOMGCompile):
        (JSC::Wasm::triggerOMGReplacementCompile):
        (JSC::Wasm::doOSREntry):
        (JSC::Wasm::triggerOSREntryNow):
        (JSC::Wasm::triggerTierUpNow):
        * wasm/WasmOperations.h: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.h.
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::triggerOMGEntryTierUpThunkGenerator):
        (JSC::Wasm::triggerOMGTierUpThunkGenerator): Deleted.
        * wasm/WasmThunks.h:
        * wasm/WasmTierUpCount.cpp: Copied from Source/JavaScriptCore/wasm/WasmCompilationMode.cpp.
        (JSC::Wasm::TierUpCount::TierUpCount):
        (JSC::Wasm::TierUpCount::addOSREntryData):
        * wasm/WasmTierUpCount.h:
        (JSC::Wasm::TierUpCount::loopIncrement):
        (JSC::Wasm::TierUpCount::functionEntryIncrement):
        (JSC::Wasm::TierUpCount::osrEntryTriggers):
        (JSC::Wasm::TierUpCount::outerLoops):
        (JSC::Wasm::TierUpCount::getLock):
        (JSC::Wasm::TierUpCount::optimizeAfterWarmUp):
        (JSC::Wasm::TierUpCount::checkIfOptimizationThresholdReached):
        (JSC::Wasm::TierUpCount::dontOptimizeAnytimeSoon):
        (JSC::Wasm::TierUpCount::optimizeNextInvocation):
        (JSC::Wasm::TierUpCount::optimizeSoon):
        (JSC::Wasm::TierUpCount::setOptimizationThresholdBasedOnCompilationResult):
        (JSC::Wasm::TierUpCount::TierUpCount): Deleted.
        (JSC::Wasm::TierUpCount::loopDecrement): Deleted.
        (JSC::Wasm::TierUpCount::functionEntryDecrement): Deleted.
        (JSC::Wasm::TierUpCount::shouldStartTierUp): Deleted.
        (JSC::Wasm::TierUpCount::count): Deleted.
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::createStack):
        (JSC::Wasm::Validate::addLoop):
        (JSC::Wasm::Validate::addElse):
        (JSC::Wasm::Validate::checkBranchTarget):
        (JSC::Wasm::Validate::addBranch):
        (JSC::Wasm::Validate::addSwitch):
        (JSC::Wasm::Validate::endBlock):
        (JSC::Wasm::Validate::unify):
        (JSC::Wasm::dumpExpressionStack):
        (JSC::Wasm::Validate::dump):

2019-08-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Date.prototype.toJSON throws if toISOString returns an object
        https://bugs.webkit.org/show_bug.cgi?id=198495

        Reviewed by Ross Kirsling.

        Don't throw TypeError if result of toISOString call is not a primitive.
        (step 4 of https://tc39.es/ecma262/#sec-date.prototype.tojson)

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON): Remove isObject check.

2019-08-19  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG DataView get/set optimization should take care of the case little-endian flag is JSEmpty
        https://bugs.webkit.org/show_bug.cgi?id=200899
        <rdar://problem/54073341>

        Reviewed by Mark Lam.

        DFGByteCodeParser attempt to get constant flag for isLittleEndian for DataView get/set.
        When getting a constant in DFG, we first need to check whether it is JSEmpty. But we are missing
        this check for DataView get/set optimization.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):

2019-08-19  Tadeu Zagallo  <tzagallo@apple.com>

        JSC tool targets should unlock the keychain before codesigning
        https://bugs.webkit.org/show_bug.cgi?id=200733
        <rdar://problem/54223095>

        Reviewed by Alexey Proskuryakov.

        In r245564, we started codesigning JSC tool targets to run the datavault tests
        in testapi, but we should unlock the keychain first so that it doesn't require
        the password during builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-08-19  Michael Saboff  <msaboff@apple.com>

        Webkit jsc Crash in RegExp::matchInline (this=<optimized out>
        https://bugs.webkit.org/show_bug.cgi?id=197090

        Reviewed by Yusuke Suzuki.

        Turned the debug JIT assert into falling back to the interpreter.  In release builds, that is effectively what we do
        after exhausting the loop try count.  No sense of looping until we exceed the count, as we can exit immediately.

        * assembler/AbortReason.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2019-08-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF] Add makeUnique<T>, which ensures T is fast-allocated, makeUnique / makeUniqueWithoutFastMallocCheck part
        https://bugs.webkit.org/show_bug.cgi?id=200620

        Reviewed by Geoff Garen.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::setPrivateProperty):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::JSCallbackObject):
        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::contextData):
        * API/JSMarkingConstraintPrivate.cpp:
        (JSContextGroupAddMarkingConstraint):
        * API/JSWrapperMap.mm:
        (-[JSWrapperMap initWithGlobalContextRef:]):
        * API/ObjCCallbackFunction.mm:
        (ArgumentTypeDelegate::typeInteger):
        (ArgumentTypeDelegate::typeDouble):
        (ArgumentTypeDelegate::typeBool):
        (ArgumentTypeDelegate::typeId):
        (ArgumentTypeDelegate::typeOfClass):
        (ArgumentTypeDelegate::typeStruct):
        (ResultTypeDelegate::typeInteger):
        (ResultTypeDelegate::typeDouble):
        (ResultTypeDelegate::typeBool):
        (ResultTypeDelegate::typeVoid):
        (ResultTypeDelegate::typeId):
        (ResultTypeDelegate::typeOfClass):
        (ResultTypeDelegate::typeBlock):
        (ResultTypeDelegate::typeStruct):
        (objCCallbackFunctionForInvocation):
        * API/glib/JSCContext.cpp:
        (jscContextSetVirtualMachine):
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::WrapperMap):
        * assembler/ProbeStack.cpp:
        (JSC::Probe::Stack::ensurePageFor):
        * b3/B3LowerToAir.cpp:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::Procedure):
        (JSC::B3::Procedure::dominators):
        (JSC::B3::Procedure::naturalLoops):
        (JSC::B3::Procedure::backwardsCFG):
        (JSC::B3::Procedure::backwardsDominators):
        (JSC::B3::Procedure::addDataSection):
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::cCallSpecial):
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        * b3/air/testair.cpp:
        * b3/testb3.h:
        (compileProc):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/AccessCaseSnippetParams.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::BytecodeBasicBlock::computeImpl):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setFrameShuffleData):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::ensureJITDataSlow):
        (JSC::CodeBlock::setCalleeSaveRegisters):
        (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::createRareDataIfNecessary):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::ensureDeferredSourceDump):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::operator=):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::CompressedLazyOperandValueProfileHolder::add):
        * bytecode/PolyProtoAccessChain.h:
        (JSC::PolyProtoAccessChain::clone):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::operator=):
        * bytecode/RecordedStatuses.cpp:
        (JSC::RecordedStatuses::addCallLinkStatus):
        (JSC::RecordedStatuses::addGetByIdStatus):
        (JSC::RecordedStatuses::addPutByIdStatus):
        (JSC::RecordedStatuses::addInByIdStatus):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::WatchpointsOnStructureStubInfo::ensureReferenceAndAddWatchpoint):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::createRareDataIfNecessary):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::killsFor):
        (JSC::DFG::Graph::ensureCPSCFG):
        (JSC::DFG::Graph::ensureCPSDominators):
        (JSC::DFG::Graph::ensureSSADominators):
        (JSC::DFG::Graph::ensureCPSNaturalLoops):
        (JSC::DFG::Graph::ensureSSANaturalLoops):
        (JSC::DFG::Graph::ensureBackwardsCFG):
        (JSC::DFG::Graph::ensureBackwardsDominators):
        (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::slowPathCall):
        (JSC::DFG::slowPathMove):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::emitStructureCheck):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGStoreBarrierInsertionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::createNewThread):
        * disassembler/Disassembler.cpp:
        (JSC::disassembleAsynchronously):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::atSlow):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * heap/CompleteSubspace.cpp:
        (JSC::CompleteSubspace::allocatorForSlow):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::protectedObjectTypeCounts):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::addCoreConstraints):
        * heap/HeapInlines.h:
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::buildSnapshot):
        * heap/IsoCellSet.cpp:
        (JSC::IsoCellSet::addSlow):
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::IsoSubspace):
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::add):
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
        (Inspector::JSGlobalObjectConsoleClient::profile):
        (Inspector::JSGlobalObjectConsoleClient::profileEnd):
        (Inspector::JSGlobalObjectConsoleClient::warnUnimplemented):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        (Inspector::JSGlobalObjectInspectorController::ensureInspectorAgent):
        (Inspector::JSGlobalObjectInspectorController::ensureDebuggerAgent):
        (Inspector::JSGlobalObjectInspectorController::createLazyAgents):
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::logTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::countReset):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::InspectorHeapAgent):
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
        * inspector/agents/InspectorTargetAgent.cpp:
        (Inspector::InspectorTargetAgent::InspectorTargetAgent):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
        (Inspector::RemoteInspectorSocketEndpoint::createClient):
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * jit/JITThunks.cpp:
        (JSC::JITThunks::JITThunks):
        * jit/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jsc.cpp:
        (runJSC):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        * parser/Parser.h:
        (JSC::Scope::pushLabel):
        (JSC::Parser<LexerType>::parse):
        * parser/ParserArena.h:
        (JSC::ParserArena::identifierArena):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::executionCounterFor):
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::ensureRareDataSlow):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createRareDataIfNeeded):
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
        (JSC::JSRunLoopTimer::Manager::registerVM):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::addDeletedOffset):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/RegExp.cpp:
        (JSC::RegExp::finishCreation):
        * runtime/RegExp.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::ensureTemplateObjectMapImpl):
        * runtime/Structure.cpp:
        (JSC::Structure::ensurePropertyReplacementWatchpointSet):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::localToEntry):
        (JSC::SymbolTable::cloneScopePart):
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::setRareDataCodeBlock):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::propertyHash):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::ensureHeapProfiler):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::enableControlFlowProfiler):
        (JSC::VM::queueMicrotask):
        (JSC::VM::ensureShadowChicken):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        (JSC::Wasm::AirIRGenerator::emitCheck):
        (JSC::Wasm::parseAndCompileAir):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::Worklist::Worklist):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::regexBegin):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPatternConstructor::resetForReparsing):
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
        (JSC::Yarr::YarrPatternConstructor::atomParentheticalAssertionBegin):
        (JSC::Yarr::YarrPatternConstructor::copyDisjunction):
        (JSC::Yarr::anycharCreate):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternDisjunction::addNewAlternative):
        * yarr/create_regex_tables:
        * yarr/generateYarrUnicodePropertyTables.py:

2019-08-18  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Correct a->an in error messages and API docblocks
        https://bugs.webkit.org/show_bug.cgi?id=200833

        Reviewed by Don Olmstead.

        * API/JSObjectRef.h:
        * builtins/PromiseConstructor.js:
        (race):
        (reject):
        (resolve):
        * builtins/PromisePrototype.js:
        (finally):
        * jsc.cpp:
        (functionAsyncTestStart):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseResizableLimits):

2019-08-17  Darin Adler  <darin@apple.com>

        Tidy up checks to see if a character is in the Latin-1 range by using isLatin1 consistently
        https://bugs.webkit.org/show_bug.cgi?id=200861

        Reviewed by Ross Kirsling.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::record8): Use isLatin1.
        (JSC::assertCharIsIn8BitRange): Deleted. Can just assert isLatin1 directly.
        (JSC::Lexer<T>::append8): Assert isLatin1 directly.
        (JSC::characterRequiresParseStringSlowCase): Use isLatin1.
        * parser/Lexer.h:
        (JSC::Lexer<UChar>::isWhiteSpace): Ditto.
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex): Ditto.
        (JSC::isSafeStringCharacter): Ditto.
        * runtime/Identifier.cpp:
        (JSC::Identifier::add8): Ditto.
        * runtime/LiteralParser.cpp:
        (JSC::isSafeStringCharacter): Ditto.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncRepeatCharacter): Ditto.
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce): Ditto.
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy): Ditto.
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy): Ditto.

2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement optional chaining
        https://bugs.webkit.org/show_bug.cgi?id=200199

        Reviewed by Yusuke Suzuki.

        Implement the optional chaining proposal, which has now reached Stage 3 at TC39.

        This introduces a ?. operator which:
         - guards member access when the LHS is nullish, i.e. `null?.foo` and `null?.['foo']` are undefined
         - guards function calls when the LHS is nullish, i.e. `null?.()` is undefined
         - short-circuits over a whole access/call chain, i.e. `null?.a['b'](c++)` is undefined and does not increment c

        This feature can be naively viewed as a ternary in disguise, i.e. `a?.b` is like `a == null ? undefined : a.b`.
        However, since we must be sure not to double-evaluate the LHS, it's actually rather akin to a try block --
        namely, we have the bytecode generator keep an early-out label for use throughout the access and call chain.

        (Also note that document.all behaves as an object, so "nullish" means *strictly* equal to null or undefined.)

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushOptionalChainTarget): Added.
        (JSC::BytecodeGenerator::popOptionalChainTarget): Added.
        (JSC::BytecodeGenerator::emitOptionalCheck): Added.
        * bytecompiler/BytecodeGenerator.h:
        Implement early-out logic.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode): Refactor so we can emitOptionalCheck in a single location.
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode): Refactor so we can emitOptionalCheck in a single location.
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::DeleteBracketNode::emitBytecode):
        (JSC::DeleteDotNode::emitBytecode):
        (JSC::CoalesceNode::emitBytecode): Clean up.
        (JSC::OptionalChainNode::emitBytecode): Added.
        Implement ?. node and emit checks where needed.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Have OpIsUndefinedOrNull support constant registers.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createOptionalChain): Added.
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
        * parser/NodeConstructors.h:
        (JSC::OptionalChainNode::OptionalChainNode): Added.
        * parser/Nodes.h:
        (JSC::ExpressionNode::isOptionalChain const): Added.
        (JSC::ExpressionNode::isOptionalChainBase const): Added.
        (JSC::ExpressionNode::setIsOptionalChainBase): Added.
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::makeFunctionCallNode):
        (JSC::SyntaxChecker::createOptionalChain): Added.
        Introduce new token and AST node, as well as an ExpressionNode field to mark LHSes with.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):
        Parse optional chains by wrapping the access/call parse loop.

        * runtime/ExceptionHelpers.cpp:
        (JSC::functionCallBase):
        Ensure that TypeError messages don't include the '?.'.

        * runtime/Options.h:
        Update feature flag, as ?. and ?? are a double feature of "nullish-aware" operators.

2019-08-17  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Support hashbang.
        https://bugs.webkit.org/show_bug.cgi?id=200865

        Reviewed by Mark Lam.

        Hashbang (a.k.a. shebang) support is at Stage 3 in TC39:
        https://github.com/tc39/proposal-hashbang

        This allows `#!` to be treated like `//`, but only at the very start of the source text.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<T>::lexWithoutClearingLineTerminator):

2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG ToNumber should support Boolean in fixup
        https://bugs.webkit.org/show_bug.cgi?id=200864

        Reviewed by Mark Lam.

        ToNumber should speculate on Boolean, or BooleanOrInt32 in fixup phase to optimize it.

                                          ToT                     Patched

            to-number-boolean      897.6430+-26.8843    ^     87.4802+-5.2831        ^ definitely 10.2611x faster

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupToNumber):

2019-08-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] WebAssembly BBQ should switch compile mode for size of modules
        https://bugs.webkit.org/show_bug.cgi?id=200807

        Reviewed by Mark Lam.

        Some webpages use very large Wasm module, and it exhausts all executable memory in ARM64 devices since the size of executable memory region is 128MB.
        The long term solution should be introducing Wasm interpreter. But as a short term solution, we introduce heuristics switching back to BBQ B3 at
        the sacrifice of start-up time, since BBQ Air bloats such lengthy code, and thereby consumes a large amount of executable memory.

        Currently, I picked 10MB since the reported website is using 11MB wasm module.

        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::parseAndCompileAir):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmModuleInformation.h:
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseCode):
        * wasm/WasmStreamingParser.cpp:
        (JSC::Wasm::StreamingParser::parseCodeSectionSize):

2019-08-16  Mark Lam  <mark.lam@apple.com>

        More missing exception checks in string comparison operators.
        https://bugs.webkit.org/show_bug.cgi?id=200844
        <rdar://problem/54378684>

        Reviewed by Saam Barati.

        * runtime/Operations.h:
        (JSC::jsLess):
        (JSC::jsLessEq):

2019-08-16  Mark Lam  <mark.lam@apple.com>

        CodeBlock destructor should clear all of its watchpoints.
        https://bugs.webkit.org/show_bug.cgi?id=200792
        <rdar://problem/53947800>

        Reviewed by Yusuke Suzuki.

        We need to clear the watchpoints explicitly (just like we do in CodeBlock::jettison())
        because the JITCode may outlive the CodeBlock for a while.  For example, the JITCode
        is ref'd in Interpreter::execute(JSC::CallFrameClosure&) like so:

            JSValue result = closure.functionExecutable->generatedJITCodeForCall()->execute(&vm, closure.protoCallFrame);

        The call to generatedJITCodeForCall() returns a Ref<JITCode> with the underlying
        JITCode ref'd.  Hence, while the interpreter frame is still on the stack, the
        executing JITCode instance will have a non-zero refCount, and be kept alive even
        though its CodeBlock may have already been destructed.

        Note: the Interpreter execute() methods aren't the only ones who would ref the JITCode:
        ExecutableBase also holds a RefPtr<JITCode> m_jitCodeForCall and RefPtr<JITCode>
        m_jitCodeForConstruct.  But a CodeBlock will be uninstalled before it gets destructed.
        Hence, the uninstallation will deref the JITCode before we get to the CodeBlock
        destructor.  That said, we should be aware that a JITCode's refCount is not always
        1 after the JIT installs it into the CodeBlock, and it should not be assumed to be so.

        For this patch, I also audited all Watchpoint subclasses to ensure that we are
        clearing all the relevant watchpoints in the CodeBlock destructor.  Here is the
        list of audited Watchpoints:

            CodeBlockJettisoningWatchpoint
            AdaptiveStructureWatchpoint
            AdaptiveInferredPropertyValueWatchpoint
                - these are held in the DFG::CommonData, and is tied to JITCode's life cycle.
                - they need to be cleared eagerly in CodeBlock's destructor.

            LLIntPrototypeLoadAdaptiveStructureWatchpoint
                - stored in m_llintGetByIdWatchpointMap in the CodeBlock.
                - this will be automatically cleared on CodeBlock destruction.

        The following does not reference CodeBlock:

            FunctionRareData::AllocationProfileClearingWatchpoint
                - stored in FunctionRareData and will be cleared automatically on
                  FunctionRareData destruction.
                - only references the owner FunctionRareData.

            ObjectToStringAdaptiveStructureWatchpoint
            ObjectToStringAdaptiveInferredPropertyValueWatchpoint
                - stored in StructureRareData and will be cleared automatically on
                  StructureRareData destruction.

            ObjectPropertyChangeAdaptiveWatchpoint
                - stored in JSGlobalObject, and will be cleared automatically on
                  JSGlobalObject destruction.
                - only references the owner JSGlobalObject.

            StructureStubClearingWatchpoint
                - stored in WatchpointsOnStructureStubInfo and will be cleared automatically
                  on WatchpointsOnStructureStubInfo destruction.

            PropertyWatchpoint
            StructureWatchpoint
                - embedded in AdaptiveInferredPropertyValueWatchpointBase, which is extended
                  as AdaptiveInferredPropertyValueWatchpoint, ObjectPropertyChangeAdaptiveWatchpoint,
                  and ObjectToStringAdaptiveInferredPropertyValueWatchpoint.
                - life cycle is handled by those 3 subclasses.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):

2019-08-16  Justin Michaud  <justin_michaud@apple.com>

        Fix InBounds speculation of typed array PutByVal and add extra step to integer range optimization to search for equality relationships on the RHS value
        https://bugs.webkit.org/show_bug.cgi?id=200782

        Reviewed by Saam Barati.

        Speculate that putByVals on typed arrays are in bounds initially, and add an extra rule to integer range optimization to 
        remove CheckInBounds when we are looping over two arrays. We do this by fixing a bug in the llint slow paths that marked 
        typed array accesses as out of bounds, and we also add an extra step to integer range optimization to search for equality
        relationships on the RHS value.

        Microbenchmarks give a 40% improvement on the memcpy loop test, and neutral on the out-of-bounds typed array test.

        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSObject.h:
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::canGetIndexQuickly const):
        (JSC::JSObject::getIndexQuickly const):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canGetIndexQuicklyForTypedArray const):
        (JSC::JSObject::canSetIndexQuicklyForTypedArray const):
        (JSC::JSObject::getIndexQuicklyForTypedArray const):
        (JSC::JSObject::setIndexQuicklyForTypedArray):

2019-08-16  Mark Lam  <mark.lam@apple.com>

        [Re-land] ProxyObject should not be allow to access its target's private properties.
        https://bugs.webkit.org/show_bug.cgi?id=200739
        <rdar://problem/53972768>

        Reviewed by Yusuke Suzuki.

        Re-landing this after r200829 which resolves the test262 failure uncovered by this patch.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performDefineOwnProperty):

2019-08-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Promise.prototype.finally should accept non-promise objects
        https://bugs.webkit.org/show_bug.cgi?id=200829

        Reviewed by Mark Lam.

        According to the Promise.prototype.finally spec step 2[1], we should check @isObject instead of @isPromise,
        since Promise.prototype.finally should accept thenable objects that are defined by user libraries (like, bluebird for example).
        This patch changes this check to the specified one.

        [1]: https://tc39.es/proposal-promise-finally/

        * builtins/PromisePrototype.js:
        (finally):

2019-08-16  Alexey Shvayka  <shvaikalesh@gmail.com>

        Promise constructor should check argument before [[Construct]]
        https://bugs.webkit.org/show_bug.cgi?id=198976

        Reviewed by Ross Kirsling.

        Check if argument is a function before invoking `createSubclassStructure`.
        (step 2 of https://tc39.es/ecma262/#sec-promise-executor)

        * builtins/PromiseOperations.js:
        (globalPrivate.initializePromise): Remove typeof check.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise): Add isFunction check.

2019-08-16  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r248709.

        Caused test/built-ins/Promise/prototype/finally/this-value-
        non-promise.js to fail on test262 bot

        Reverted changeset:

        "ProxyObject should not be allow to access its target's
        private properties."
        https://bugs.webkit.org/show_bug.cgi?id=200739
        https://trac.webkit.org/changeset/248709

2019-08-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF] Add makeUnique<T>, which ensures T is fast-allocated, WTF_MAKE_FAST_ALLOCATED annotation part
        https://bugs.webkit.org/show_bug.cgi?id=200620

        Reviewed by Geoffrey Garen.

        Three patches including this one were originally one patch. I split it into three pieces to make roll-out easy.
        This part, we annotate classes / structs with WTF_MAKE_FAST_ALLOCATED and WTF_MAKE_STRUCT_FAST_ALLOCATED if
        they are allocated from std::make_unique. The second patch will switch `std::make_unique` to `WTF::makeUnique` and
        the third patch will insert a static_assert that makeUnique-allocated class T is FastMalloc-ed.
        One insight from this patch is that we tend to forget adding WTF_MAKE_STRUCT_FAST_ALLOCATED if it is just a data struct.

        * debugger/Debugger.h:
        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/should-strip-comments.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/version.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2019-08-15  Brent Fulgham  <bfulgham@apple.com>

        [FTW] Enable CoreFoundation use if building for Apple target
        https://bugs.webkit.org/show_bug.cgi?id=200799

        Reviewed by Alex Christensen.

        * PlatformFTW.cmake: Add missing files.

2019-08-15  Alexey Shvayka  <shvaikalesh@gmail.com>

        DateConversion::formatDateTime incorrectly formats negative years
        https://bugs.webkit.org/show_bug.cgi?id=199964

        Reviewed by Ross Kirsling.

        Currently, year is always padded to max length of 4, including the minus sign "-".
        With this change, only absolute value of year is padded to max length of 4 and
        preceded by minus sign "-" if the year is negative.
        (steps 6-10 of https://tc39.es/ecma262/#sec-datestring)

        * runtime/DateConversion.cpp:
        (JSC::appendNumber):

2019-08-15  Mark Lam  <mark.lam@apple.com>

        More missing exception checks in String.prototype.
        https://bugs.webkit.org/show_bug.cgi?id=200762
        <rdar://problem/54333896>

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::operationStringProtoFuncReplaceRegExpString):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):

2019-08-15  Joseph Pecoraro  <pecoraro@apple.com>

        for-await-of has bad error message if used in non-async function
        https://bugs.webkit.org/show_bug.cgi?id=200758

        Reviewed by Ross Kirsling.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        Improve error message.

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Air does not appropriately propagate ConstFloatValue to stackmap
        https://bugs.webkit.org/show_bug.cgi?id=200759

        Reviewed by Saam Barati.

        In B3MoveConstant phase, we convert ConstFloatValue and ConstDoubleValue to memory access to the table
        to avoid large immediates *except for* stackmap argument case. This is because materializing constant doubles
        and floats as memory-access before passing it to stackmap is wasteful: the stackmap may not use it actually, or
        stackmap can do better job if it knows the parameter is constant.

        Based on the above operation, B3LowerToAir phase strongly assumes that all ConstFloatValue and ConstDoubleValue
        are removed except for the case used for parameter of stackmap. With r192377, B3LowerToAir catch this case, and
        propagate constant double value as ValueRep in stackmap. While B3LowerToAir does this correctly for ConstDoubleValue,
        we missed adding this support for ConstFloatValue.

        This patch adds r192377's support for ConstFloatValue to propagate ConstFloatValue correctly to the stackmap.
        This issue starts appearing since Wasm BBQ-B3 OSR starts putting ConstFloatValue to OSR-tier-up patchpoint.

        * b3/B3LowerToAir.cpp:
        * b3/B3ValueKey.h:
        (JSC::B3::ValueKey::ValueKey):
        (JSC::B3::ValueKey::floatValue const):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::constantFloat):
        (JSC::B3::ValueRep::floatValue const):
        * b3/testb3.h:
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_5.cpp:
        (testPatchpointManyWarmAnyImms):
        (testPatchpointManyColdAnyImms):
        (testPatchpointManyImms): Deleted.

2019-08-14  Keith Rollin  <krollin@apple.com>

        Remove support for macOS < 10.13
        https://bugs.webkit.org/show_bug.cgi?id=200694
        <rdar://problem/54278851>

        Reviewed by Youenn Fablet.

        Update conditionals that reference __MAC_OS_X_VERSION_MIN_REQUIRED and
        __MAC_OS_X_VERSION_MAX_ALLOWED, assuming that they both have values >=
        101300. This means that expressions like
        "__MAC_OS_X_VERSION_MIN_REQUIRED < 101300" are always False and
        "__MAC_OS_X_VERSION_MIN_REQUIRED >= 101300" are always True.

        * API/WebKitAvailability.h:

2019-08-14  Mark Lam  <mark.lam@apple.com>

        ProxyObject should not be allow to access its target's private properties.
        https://bugs.webkit.org/show_bug.cgi?id=200739
        <rdar://problem/53972768>

        Reviewed by Yusuke Suzuki.

        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performDefineOwnProperty):

2019-08-14  Mark Lam  <mark.lam@apple.com>

        Missing exception check in string compare.
        https://bugs.webkit.org/show_bug.cgi?id=200743
        <rdar://problem/53975356>

        Reviewed by Michael Saboff.

        * runtime/JSString.cpp:
        (JSC::JSString::equalSlowCase const):

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, build fix for MacroAssemblerARM64E change
        https://bugs.webkit.org/show_bug.cgi?id=200703

        * assembler/MacroAssemblerARM64E.h:
        (JSC::MacroAssemblerARM64E::farJump):

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Less contended MetaAllocator
        https://bugs.webkit.org/show_bug.cgi?id=200278

        Reviewed by Mark Lam.

        The profiler result of JetStream2/bomb-workers shows that we are having contention under MetaAllocator::currentStatistics.
        This function is called in ExecutableAllocator::memoryPressureMultiplier, and it is called from ExecutableCounter's threshold
        calculation. But MetaAllocator::currentStatistics takes a global lock inside MetaAllocator and causes contention. However,
        we do not need to have a lock actually: clients of MetaAllocator::currentStatistics typically use bytesReserved and bytesAllocated
        information. However, since our executable allocator is fixed-sized, bytesReserved is always the fixed size. So just reading bytesAllocated
        racily is enough.

        This patch attempts to reduce the contention by the following two things.

        1. Read bytesAllocated racily instead of calling MetaAllocator::currentStatistics. Then ExecutableCounter does not need to take a lock.
        2. page lifetime management APIs of MetaAllocator should take a second `count` parameter to batch the system calls.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::memoryStart): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::memoryEnd): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::isJITPC): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator): Deleted.
        (JSC::FixedVMPoolExecutableAllocator::genericWriteToJITRegion): Deleted.

2019-08-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make PAC jump and return more explicit
        https://bugs.webkit.org/show_bug.cgi?id=200703

        Reviewed by Mark Lam.

        This patch refactors our macro assembler, mainly related to PAC.

        1. Make far-jump explicit by renaming `jump` to `farJump`.
        2. Remove unused makeTailRecursiveCall and tailRecursiveCall.
        3. Do not make `ARM64EAssembler::ret` as `retab`. MacroAssemblerARM64E should call `retab` explicitly instead.

        * assembler/ARM64EAssembler.h:
        (JSC::ARM64EAssembler::ret): Deleted.
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::farJump):
        (JSC::MacroAssemblerARM64::makeTailRecursiveCall): Deleted.
        (JSC::MacroAssemblerARM64::tailRecursiveCall): Deleted.
        * assembler/MacroAssemblerARM64E.h:
        (JSC::MacroAssemblerARM64E::farJump):
        (JSC::MacroAssemblerARM64E::ret):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::farJump):
        (JSC::MacroAssemblerARMv7::relativeTableJump):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerARMv7::makeTailRecursiveCall): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::farJump):
        (JSC::MacroAssemblerMIPS::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerMIPS::makeTailRecursiveCall): Deleted.
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::farJump):
        (JSC::MacroAssemblerX86::jump): Deleted.
        (JSC::MacroAssemblerX86::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerX86::makeTailRecursiveCall): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::farJump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::farJump):
        (JSC::MacroAssemblerX86_64::jump): Deleted.
        (JSC::MacroAssemblerX86_64::tailRecursiveCall): Deleted.
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall): Deleted.
        * b3/B3LowerMacros.cpp:
        * b3/testb3_6.cpp:
        (testInterpreter):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualThunkFor):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmThunks.cpp:
        (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::emitThrowWasmToJSException):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::loadFromFrameAndJump):

2019-08-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove bad semicolon in generation of ObjC methods
        https://bugs.webkit.org/show_bug.cgi?id=200655

        Reviewed by Devin Rousso.

        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_dispatcher_implementations):
        Do not include a semicolon in the method implementation.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
        Updated results.

2019-08-13  Saam Barati  <sbarati@apple.com>

        Add a way to opt out of kern TCSM for layout tests
        https://bugs.webkit.org/show_bug.cgi?id=200649
        <rdar://problem/51304923>

        Reviewed by Alexey Proskuryakov.

        * assembler/CPU.cpp:
        (JSC::isKernTCSMAvailable):
        * runtime/Options.h:

2019-08-13  Sam Weinig  <weinig@apple.com>

        Rename StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32) to avoid accidental change in behavior when replacing append with flexibleAppend
        https://bugs.webkit.org/show_bug.cgi?id=200675

        Reviewed by Darin Adler.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::tryConsumeGroupName):
        (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
        Update for rename from StringBuilder::append(UChar32) to StringBuilder::appendCharacter(UChar32).

2019-08-13  Mark Lam  <mark.lam@apple.com>

        Add phase, block, and node numbers to left margin of DFG graph dumps.
        https://bugs.webkit.org/show_bug.cgi?id=200693

        Reviewed by Saam Barati.

        When scrolling through the DFG graph dumps, it's easy to get lost as to which phase
        or block one is looking at, especially if the blocks are long.  This patch adds
        node index, block number, and phase number on the left margin of the dumps.
        Here's a sample:

               53:     %Bd:Function                   = 0x1079fd960:[Function, {}, NonArray, Proto:0x1079d8000, Leaf]
               53:     %Bf:Function                   = 0x1079b0700:[Function, {name:100, prototype:101, length:102, stackTraceLimit:103}, NonArray, Proto:0x1079d8000, Leaf]
               53:     %Bj:Function                   = 0x1079fd5e0:[Function, {name:100, length:101, toString:102, apply:103, call:104, bind:105, Symbol.hasInstance:106, caller:107, arguments:108, constructor:109}, NonArray, Proto:0x1079c0000, Leaf]
               53:     %CV:JSGlobalLexicalEnvironment = 0x1079fd6c0:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]

               53: Phase liveness analysis changed the IR.

               54: Beginning DFG phase OSR availability analysis.
               54: Before OSR availability analysis:

               54: DFG for foo#DXMNag:[0x1079a4850->0x1079a4130->0x1079c7600, DFGFunctionCall, 204 (NeverInline)]:
               54:   Fixpoint state: FixpointConverged; Form: SSA; Unification state: GloballyUnified; Ref count state: ExactRefCount
               54:   Argument formats for entrypoint index: 0 : FlushedJSValue, FlushedCell, FlushedJSValue

             0 54: Block #0 (bc#0): (OSR target)
             0 54:   Execution count: 1.000000
             0 54:   Predecessors:
             0 54:   Successors:
             0 54:   Dominated by: #0
             0 54:   Dominates: #0
             0 54:   Dominance Frontier: 
             0 54:   Iterated Dominance Frontier: 
             0 54:   Backwards dominates by: #root #0
             0 54:   Backwards dominates: #0
             0 54:   Control equivalent to: #0
             0 54:   States: StructuresAreWatched
             0 54:   Live:
             0 54:   Values 
          0  0 54:   53:< 1:-> JSConstant(JS|UseAsOther, Other, Null, bc#0, ExitValid)
          1  0 54:   64:< 2:-> JSConstant(JS|UseAsOther, NonBoolInt32, Int32: 10, bc#0, ExitValid)
          2  0 54:    3:< 5:-> JSConstant(JS|PureInt, Other, Undefined, bc#0, ExitValid)
          3  0 54:   32:< 1:-> JSConstant(JS|UseAsOther, Bool, False, bc#0, ExitValid)
          4  0 54:   19:< 2:-> JSConstant(JS|UseAsOther, OtherObj, Weak:Object: 0x1079d4000 with butterfly 0x0 (Structure %CV:JSGlobalLexicalEnvironment), StructureID: 31423, bc#0, ExitValid)

        The numbers in the left margin before the ':' are node index (i.e. the index of the
        node in the block, not to be confused with node->index() which is the node ID), block
        number, and phase number respectively.  Now, we can scroll thru the dumps quickly
        and tell at a glance when we've scrolled passed the end of a phase, or block.
        These sets of numbers can also serve as a positional marker that we can search for
        to return to a node in the dump after scrolling away.

        Currently, these numbers are only added to the DFG part.  The FTL (from lowering
        to B3 onwards) does not have this feature yet.

        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::dumpInContext const):
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Prefix::dump const):
        * dfg/DFGGraph.h:
        (JSC::DFG::Prefix::Prefix):
        (JSC::DFG::Prefix::clearBlockIndex):
        (JSC::DFG::Prefix::clearNodeIndex):
        (JSC::DFG::Prefix::enable):
        (JSC::DFG::Prefix::disable):
        (JSC::DFG::Graph::prefix):
        (JSC::DFG::Graph::nextPhase):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGValueRepReductionPhase.cpp:
        (JSC::DFG::ValueRepReductionPhase::convertValueRepsToDouble):

2019-08-13  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r248533): JSC Command - Need to initializeMainThread() before processing config file
        https://bugs.webkit.org/show_bug.cgi?id=200677

        Reviewed by Mark Lam.

        We need to initialize the main thread before calling processConfigFile() since it uses RefCounted objects
        which have "is main thread" ASSERTS.

        * jsc.cpp:
        (jscmain):

2019-08-13  Devin Rousso  <drousso@apple.com>

        Web Inspector: Styles: show @supports CSS groupings
        https://bugs.webkit.org/show_bug.cgi?id=200419
        <rdar://problem/53971948>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/CSS.json:
        Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated
        and wasn't used by Web Inspector.

        * inspector/scripts/codegen/objc_generator_templates.py:
        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator.generate_output):
        Add support for including files at the end of <WebInspector/RWIProtocol.h> for compatibility
        statements so that changes to the Web Inspector protocol don't break other clients.

2019-08-13  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: Basic CommandLineAPI doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=200659
        <rdar://problem/54245476>

        Reviewed by Brian Burg.

        * inspector/InjectedScriptSource.js:
        (BasicCommandLineAPI):
        Use `method` directly since it already has been setup nicely and doesn't
        need to be bound. Technically this allows someone to add properties to
        the CommandLineAPI methods in basic mode (`dir.property = 1`) but that
        seems harmless.

2019-08-12  Sam Weinig  <weinig@apple.com>

        Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizinging on the flexibleAppend() implementation
        https://bugs.webkit.org/show_bug.cgi?id=200614

        Reviewed by Darin Adler.

        Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and 
        StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...).
        
        Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to 
        StringBuilder::appendSubstring(...).

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
        * tools/FunctionOverrides.cpp:
        (JSC::parseClause):
        Update for renames.

2019-08-12  Adrian Perez de Castro  <aperez@igalia.com>

        [WPE][GTK] Fix building without unified sources
        https://bugs.webkit.org/show_bug.cgi?id=200641

        Reviewed by Žan Doberšek.

        * b3/B3PatchpointSpecial.cpp: Add missing inclusion of the B3ProcedureInlines.h header.
        * heap/SlotVisitor.cpp: Add missing inclusion of the BlockDirectoryInlines.h header.

2019-08-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF][JSC] Make JSC and WTF aggressively-fast-malloced
        https://bugs.webkit.org/show_bug.cgi?id=200611

        Reviewed by Saam Barati.

        This patch aggressively puts many classes into FastMalloc. In JSC side, we grep `std::make_unique` etc. to find potentially system-malloc-allocated classes.
        After this patch, all the JSC related allocations in JetStream2 cli is done from bmalloc. In the future, it would be nice that we add `WTF::makeUnique<T>` helper
        function and throw a compile error if `T` is not FastMalloc annotated[1].

        Putting WebKit classes in FastMalloc has many benefits.

        1. Simply, it is fast.
        2. vmmap can tell the amount of memory used for WebKit.
        3. bmalloc can isolate WebKit memory allocation from the rest of the world. This is useful since we can know more about what component is corrupting the memory
           from the memory corruption crash.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=200620

        * API/ObjCCallbackFunction.mm:
        * assembler/AbstractMacroAssembler.h:
        * b3/B3PhiChildren.h:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
        * b3/air/AirDisassembler.h:
        * bytecode/AccessCaseSnippetParams.h:
        * bytecode/CallVariant.h:
        * bytecode/DeferredSourceDump.h:
        * bytecode/ExecutionCounter.h:
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.h:
        * bytecode/InByIdStatus.h:
        * bytecode/InByIdVariant.h:
        * bytecode/InstanceOfStatus.h:
        * bytecode/InstanceOfVariant.h:
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.h:
        * bytecode/ValueProfile.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        * dfg/DFGFlowIndexing.h:
        * dfg/DFGFlowMap.h:
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::newVariableAccessData):
        * dfg/DFGOSRExit.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGVariableAccessData.h:
        * disassembler/ARM64/A64DOpcode.h:
        * inspector/remote/socket/RemoteInspectorMessageParser.h:
        * inspector/remote/socket/RemoteInspectorSocket.h:
        * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
        * jit/PCToCodeOriginMap.h:
        * runtime/BasicBlockLocation.h:
        * runtime/DoublePredictionFuzzerAgent.h:
        * runtime/JSRunLoopTimer.h:
        * runtime/PromiseDeferredTimer.h:
        (JSC::PromiseDeferredTimer::create): PromiseDeferredTimer should be allocated as `Ref<>` instead of `std::unique_ptr` since it is inheriting ThreadSafeRefCounted<>.
        Holding such a class with std::unique_ptr could lead to potentially dangerous operations (like, someone holds it with Ref<> while it is deleted by std::unique_ptr<>).
        * runtime/RandomizingFuzzerAgent.h:
        * runtime/SymbolTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * tools/JSDollarVM.cpp:
        * tools/SigillCrashAnalyzer.cpp:
        * wasm/WasmFormat.h:
        * wasm/WasmMemory.cpp:
        * wasm/WasmSignature.h:
        * yarr/YarrJIT.h:

2019-08-12  Chris Dumez  <cdumez@apple.com>

        Add threading assertions to RefCounted
        https://bugs.webkit.org/show_bug.cgi?id=200507

        Reviewed by Ryosuke Niwa.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team
        investigates.

2019-08-12  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r248525.

        Revert new threading assertions while I work on fixing the
        issues they exposed

        Reverted changeset:

        "Add threading assertions to RefCounted"
        https://bugs.webkit.org/show_bug.cgi?id=200507
        https://trac.webkit.org/changeset/248525

2019-08-11  Chris Dumez  <cdumez@apple.com>

        Add threading assertions to RefCounted
        https://bugs.webkit.org/show_bug.cgi?id=200507

        Reviewed by Ryosuke Niwa.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        Disable threading assertions for DFG::Plan::m_inlineCallFrames while the JSC team
        investigates.

2019-08-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=199864

        Reviewed by Saam Barati.

        Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this.

            JSObject::put(object):
                if (can-do-fast-path(object))
                    return fast-path(object);
                // slow-path
                do {
                    object-put-check-and-setter-calls(object); // (1)
                    object = object->prototype;
                } while (is-object(object));
                return do-put(object);

        Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding
        extra checks to this put.

            Derived::put(object):
                if (do-extra-check(object))
                    fail
                return JSObject::put(object)

        The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in
        JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that
        we skip the check.

        Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to
        perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot
        does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and
        Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves
        large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot.

        To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects
        that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject.
        When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks.

        Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=200562

        * runtime/ClassInfo.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCell.cpp:
        (JSC::JSCell::doPutPropertySecurityCheck):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::doPutPropertySecurityCheck):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::hasPutPropertySecurityCheck const):

2019-08-08  Per Arne Vollan  <pvollan@apple.com>

        [Win] Fix internal build
        https://bugs.webkit.org/show_bug.cgi?id=200519

        Reviewed by Alex Christensen.

        The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts
        folder after building JSC.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2019-08-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: Page: don't allow the domain to be disabled
        https://bugs.webkit.org/show_bug.cgi?id=200109

        Reviewed by Brian Burg.

        The `PageAgent` is relied on by many of the other agents, so much so that it doesn't make
        sense to support the ability to "disable" (as well as "enable") the agent.

        When the first frontend connects, we should treat the `PageAgent` as active and available.

        * inspector/protocol/Page.json:
        Remove `enable`/`disable`.

2019-08-08  Michael Saboff  <msaboff@apple.com>

        OpenSource MemoryFootprint API for JSC command line tool
        https://bugs.webkit.org/show_bug.cgi?id=200541

        Reviewed by Saam Barati.

        Use wtf/spi/darwin/ProcessMemoryFootprint.h instead of WebKitAdditions/MemoryFootprint.h
        for process memory stats.

        * jsc.cpp:
        (MemoryFootprint::MemoryFootprint):

2019-08-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: rename `queryObjects` to `queryInstances` for clarity
        https://bugs.webkit.org/show_bug.cgi?id=200520

        Reviewed by Brian Burg.

        * inspector/InjectedScriptSource.js:
        (queryInstances): Added.
        (queryObjects):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::queryInstances): Added.
        (Inspector::JSInjectedScriptHost::queryObjects): Deleted.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryInstances): Added.
        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryObjects): Deleted.

2019-08-08  Ross Kirsling  <ross.kirsling@sony.com>

        [JSC] Add "jump if (not) undefined or null" bytecode ops
        https://bugs.webkit.org/show_bug.cgi?id=200480

        Reviewed by Saam Barati.

        This patch introduces fused jumps for op_is_undefined_or_null, which ignores "masquerade as undefined" behavior.

        This lets us fix a edge-case bug in RequireObjectCoercible (where `({ length } = document.all)` was a TypeError)
        and moreover provides a very useful optimization for the new ?. and ?? operators, which have semantics centered
        around op_jundefined_or_null and op_jnundefined_or_null, respectively.

        * bytecode/BytecodeList.rb:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/Opcode.h:
        (JSC::isBranch):
        * bytecode/PreciseJumpTargetsInlines.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        (JSC::BytecodeGenerator::emitRequireObjectCoercible):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jundefined_or_null): Added.
        (JSC::JIT::emit_op_jnundefined_or_null): Added.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jundefined_or_null): Added.
        (JSC::JIT::emit_op_jnundefined_or_null): Added.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2019-08-07  Devin Rousso  <drousso@apple.com>

        Rebase inspector generator tests.

        Rubber-stamped by Brian Burg.

        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2019-08-07  Caio Lima  <ticaiolima@gmail.com>

        High number of cache miss on localTimeOffset
        https://bugs.webkit.org/show_bug.cgi?id=200444

        Reviewed by Darin Adler.

        This patch is separating the `LocalTimeOffsetCache` for each
        `WTF::TimeType` to avoid constant cache miss on pathological cases
        where `gregorianDateTimeToMS` and `msToGregorianDateTime` are
        intercaleted with `inputTimeType ==  WTF::LocalTime`. Such case
        happens during execution of Facebook Messenger
        (https://www.messenger.com).

        * runtime/JSDateMath.cpp:
        (JSC::localTimeOffset):
        (JSC::gregorianDateTimeToMS):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache):
        * runtime/VM.h:
        (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache):
        (JSC::LocalTimeOffsetCache::reset):

2019-08-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values
        https://bugs.webkit.org/show_bug.cgi?id=200494

        Reviewed by Saam Barati.

        The sampling-profiler can see a garbage pointer which is like Wasm::Callee*. This can be filtered by HashSet<Callee*>.
        But this is safe only when the garbage pointer is not deleted / empty values. We saw occasional crash with JetStream2/tsf-wasm.
        This patch filters out these values with `HashSet<Callee*>::isValidValue`.

        * wasm/WasmCalleeRegistry.h:
        (JSC::Wasm::CalleeRegistry::isValidCallee):

2019-08-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r248289.
        https://bugs.webkit.org/show_bug.cgi?id=200488

        Broke internal builds (Requested by drousso on #webkit).

        Reverted changeset:

        "Web Inspector: Styles: show @supports CSS groupings"
        https://bugs.webkit.org/show_bug.cgi?id=200419
        https://trac.webkit.org/changeset/248289

2019-08-06  Devin Rousso  <drousso@apple.com>

        Web Inspector: allow comments in protocol JSON
        https://bugs.webkit.org/show_bug.cgi?id=200104

        Reviewed by Brian Burg.

        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification.load_specification):

        * inspector/scripts/tests/generic/should-strip-comments.json: Added.
        * inspector/scripts/tests/generic/expected/should-strip-comments.json-result: Added.

2019-08-06  Per Arne Vollan  <pvollan@apple.com>

        [Win] Fix AppleWin build
        https://bugs.webkit.org/show_bug.cgi?id=200455

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2019-08-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: Styles: show @supports CSS groupings
        https://bugs.webkit.org/show_bug.cgi?id=200419

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/CSS.json:
        Rename `CSSMedia` to `Grouping` and remove the `sourceLine` value, as it was never populated
        and wasn't used by Web Inspector.

2019-08-05  Devin Rousso  <drousso@apple.com>

        Can't use $0, $1 etc when inspecting Google Docs pages because the content uses these for function names
        https://bugs.webkit.org/show_bug.cgi?id=195834

        Reviewed by Joseph Pecoraro.

        Allow the user to alias saved results by providing a different prefix (e.g. "$") from within
        Web Inspector. When changing the alias, all existing saved results will update to be
        reference-able from the new alias.

        * inspector/protocol/Runtime.json:
        Add `setSavedResultAlias` command.

        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::setSavedResultAlias): Added.

        * inspector/InjectedScriptHost.h:
        (Inspector::InjectedScriptHost::setSavedResultAlias): Added.
        (Inspector::InjectedScriptHost::savedResultAlias const): Added.
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::savedResultAlias const): Added.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::jsInjectedScriptHostPrototypeAttributeSavedResultAlias): Added.
        Store the saved result alias on the `InjectedScriptHost` since it is a shared object among
        all `InjectedScript`.

        * inspector/InjectedScriptSource.js:
        (BasicCommandLineAPI):

2019-08-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: Timelines: disable related agents when the tab is closed
        https://bugs.webkit.org/show_bug.cgi?id=200118

        Reviewed by Joseph Pecoraro.

        Rework how `enable`/`disable` is used for timeline-related agents so that events are not sent
        and data isn't kept alive when the Timelines tab isn't enabled.

        * inspector/protocol/Timeline.json:
        Add `enable`/`disable` commands.

        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorHeapAgent::enable):
        (Inspector::InspectorHeapAgent::disable):

2019-08-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: rename "Stylesheet" to "Style Sheet" to match spec text
        https://bugs.webkit.org/show_bug.cgi?id=200422

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Page.json:

2019-08-05  Michael Saboff  <msaboff@apple.com>

        JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
        https://bugs.webkit.org/show_bug.cgi?id=199997

        Reviewed by Saam Barati.

        No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
        and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
        CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
        and not for SpecEmpty.  If we added a check for the SpecEmpty in the ASSERT, there are cases where
        it won't be set.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

2019-08-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: DOM: add a special breakpoint for "All Events"
        https://bugs.webkit.org/show_bug.cgi?id=200285

        Reviewed by Joseph Pecoraro.

        Similar to the existing "All Requests" breakpoint, there should be a way to set a breakpoint
        that would pause for any DOM event, regardless of the event's name. This is useful for
        situations where the event name isn't known, or where one simply wants to pause on the next
        entry to the event loop.

        Along these lines, make the "requestAnimationFrame", "setTimeout", and "setInterval"
        event breakpoints into special breakpoints that can be added/removed via the create
        breakpoint context menu. This simplifies the process for setting these breakpoints, and also
        makes them more discoverable (most people wouldn't consider them to be "events").

        * inspector/protocol/Debugger.json:
         - Rename the `EventListener` pause reason to `Listener`.
         - Split the `Timer` pause reason into `Interval` and `Timeout`.

        * inspector/protocol/DOMDebugger.json:
         - Split the `timer` type into `interval` and `timeout`.
         - Make `eventName` optional for `addEventBreakpoint`/`removeEventBreakpoint`. When omitted,
           the corresponding breakpoint that is added/removed is treated as a global breakpoint that
           applies to all events of that type (e.g. a global `listener` breakpoint would pause for
           any event that is fired).

2019-08-02  Keith Miller  <keith_miller@apple.com>

        Address comments on r248178
        https://bugs.webkit.org/show_bug.cgi?id=200411

        Reviewed by Saam Barati.

        * b3/B3Opcode.h:
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::tuples const):
        * b3/B3Validate.cpp:
        * b3/testb3_1.cpp:
        (main):

2019-08-02  Mark Lam  <mark.lam@apple.com>

        [ARM64E] Harden the diversity of the DOMJIT::Signature::unsafeFunction pointer.
        https://bugs.webkit.org/show_bug.cgi?id=200292
        <rdar://problem/53706881>

        Reviewed by Geoffrey Garen.

        Previously, DOMJIT::Signature::functionWithoutTypeCheck was signed as a C function
        pointer.  We can do better by signing it like a vtbl function pointer.

        No new tests needed.  The DOMJIT mechanism is covered by existing tests.

        I also manually confirmed that DOMJIT::Signature::functionWithoutTypeCheck is signed
        exactly as expected by reading its bits out of memory (not letting Clang have a
        chance to resign it into a C function pointer) and comparing it against manually
        signed bits with the expected diversifier.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::CFunctionPtr::CFunctionPtr):
        (JSC::CFunctionPtr::get const):
        (JSC::CFunctionPtr::address const):
        (JSC::CFunctionPtr::operator bool const):
        (JSC::CFunctionPtr::operator! const):
        (JSC::CFunctionPtr::operator== const):
        (JSC::CFunctionPtr::operator!= const):

        - Introduce a CFunctionPtr abstraction that is used to hold pointers to C functions.
          It can instantiated in 4 ways:

          1. The default constructor.
          2. A constructor that takes a nullptr_t.

             These 2 forms will instantiate a CFunctionPtr with a nullptr.

          3. A constructor that takes the name of a function.
          4. A constructor that takes a function pointer.

              Form 3 already knows that we're initializing with a real function, and
              that Clang will give it to use signed as a C function pointer.  So, it
              doesn't do any assertions.  This form is useful for initializing CFunctionPtrs
              embedded in const data structures.

              Form 4 is an explicit constructor that takes an arbitrary function
              pointer, but does not know if that pointer is already signed as a C function
              pointer.  Hence, this form will do a RELEASE_ASSERT that the given function
              pointer is actually signed as a C function pointer.

          Once instantiated, we are guaranteed that a C function pointer is either null
          or contains a signed C function pointer.

        * domjit/DOMJITSignature.h:
        (JSC::DOMJIT::Signature::Signature):
        - Sign functionWithoutTypeCheck as WTF_VTBL_FUNCPTR_PTRAUTH(DOMJITFunctionPtrTag).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        - Use the new CFunctionPtr to document that the retrieved signature->functionWithoutTypeCheck
          is signed as a C function pointer.

        * runtime/ClassInfo.h:
        - Update MethodTable to sign its function pointers using the new WTF_VTBL_FUNCPTR_PTRAUTH_STR
          to be consistent.  No longer need to roll its own PTRAUTH macro.

        * runtime/JSCPtrTag.h:
        - Add DOMJITFunctionPtrTag.

        * tools/JSDollarVM.cpp:
        - Update to work with the new DOMJIT::Signature constructor.

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Support WebAssembly in SamplingProfiler
        https://bugs.webkit.org/show_bug.cgi?id=200329

        Reviewed by Saam Barati.

        The sampling profiler support is critical to investigate what is actually time-consuming. This patch adds the sampling profiler support for Wasm functions
        to list up hot Wasm functions with compilation mode (BBQ or OMG). This allows us to investigate the hot functions in JetStream2 wasm tests.

        In order to retrieve wasm function information from the sampling profiler safely, we need to know whether the given Wasm CalleeBits is valid in the call frame.
        To achieve this, we start collecting valid Wasm::Callee pointers in a global hash set. Previously, each Wasm::Callee registered its code region to a hash set
        for wasm fault signal handler to know whether the faulted program-counter is in wasm region. We reuse and change this mechanism. Instead of registering code region,
        we register Wasm::Callee* to a hash set. The sampling profiler reuses this hash set to determine whether the given bits is a valid Wasm::Callee.

        The sampling profiler retrieves the information safely from valid Wasm::Callee* pointer. It is possible that this Wasm::Callee is about to be dead: ref-count is 0,
        now in the middle of the destructor of Wasm::Callee. Even in that case, fields of Wasm::Callee are still valid and can be accessed since destroying these fields happens
        after we unregister Wasm::Callee from the global hash set.

        We retrieve Wasm::IndexOrName and Wasm::CompilationMode. Copying them does not involve any allocations, locking etc. So we can safely copy them while some of threads are suspended.

        This patch also fixes the issue that we never called `unregisterCode` while every Wasm::Calllee registers its code region through `registerCode`.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::FrameWalker):
        (JSC::FrameWalker::recordJSFrame):
        (JSC::CFrameWalker::CFrameWalker):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::displayName):
        (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
        (JSC::SamplingProfiler::StackFrame::functionStartLine):
        (JSC::SamplingProfiler::StackFrame::functionStartColumn):
        (JSC::SamplingProfiler::StackFrame::sourceID):
        (JSC::SamplingProfiler::StackFrame::url):
        (JSC::SamplingProfiler::reportTopBytecodes):
        (WTF::printInternal):
        * runtime/SamplingProfiler.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionIsWasmSupported):
        (JSC::JSDollarVM::finishCreation):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        (JSC::Wasm::Callee::~Callee):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::create): Deleted.
        (JSC::Wasm::Callee::entrypoint const): Deleted.
        (JSC::Wasm::Callee::calleeSaveRegisters): Deleted.
        (JSC::Wasm::Callee::indexOrName const): Deleted.
        * wasm/WasmCalleeRegistry.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        (JSC::Wasm::CalleeRegistry::initialize):
        (JSC::Wasm::CalleeRegistry::singleton):
        * wasm/WasmCalleeRegistry.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
        (JSC::Wasm::CalleeRegistry::getLock):
        (JSC::Wasm::CalleeRegistry::registerCallee):
        (JSC::Wasm::CalleeRegistry::unregisterCallee):
        (JSC::Wasm::CalleeRegistry::isValidCallee):
        * wasm/WasmCompilationMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        (JSC::Wasm::makeString):
        * wasm/WasmCompilationMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        (JSC::Wasm::enableFastMemory):
        (JSC::Wasm::registerCode): Deleted.
        (JSC::Wasm::unregisterCode): Deleted.
        * wasm/WasmFaultSignalHandler.h:
        * wasm/WasmIndexOrName.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] LazyJSValue should be robust for empty JSValue
        https://bugs.webkit.org/show_bug.cgi?id=200388

        Reviewed by Saam Barati.

        If the Switch DFG node is preceded by ForceOSRExit or something that invalidates the basic block,
        it can take a FrozenValue as a child which includes empty value instead of string, number etc.
        If this Switch node is kept and we reached to DFGCFGSimplificationPhase, it will use this FrozenValue.
        However, LazyJSValue using this FrozenValue strongly assumes that FrozenValue is never holding empty value.
        But this assumption is wrong. This patch makes LazyJSValue robust for empty value.

        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetStringImpl const):
        (JSC::DFG::LazyJSValue::tryGetString const):
        (JSC::DFG::LazyJSValue::strictEqual const):
        (JSC::DFG::LazyJSValue::switchLookupValue const):

2019-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: Storage: disable related agents when the tab is closed
        https://bugs.webkit.org/show_bug.cgi?id=200117

        Reviewed by Joseph Pecoraro.

        Rework how `enable`/`disable` is used for storage-related agents so that events are not sent
        and data isn't kept alive when the Storage tab isn't enabled.

        * inspector/protocol/ApplicationCache.json:
        Add `disable` command.

2019-08-01  Keith Miller  <keith_miller@apple.com>

        B3 should support tuple types
        https://bugs.webkit.org/show_bug.cgi?id=200327

        Reviewed by Filip Pizlo.

        As part of the Wasm multi-value proposal, we need to teach B3 that
        patchpoints can return more than one value.  This is done by
        adding a new B3::Type called Tuple. Unlike, other B3 types Tuple
        is actually an encoded index into a numeric B3::Type vector on the
        procedure. This lets us distinguish any two tuples from each
        other, moreover, it's possible to get the vector of types with
        just the B3::Tuple type and the procedure.

        Since most B3 operations only expect to see a single numeric child
        there is a new Opcode, Extract, that takes yields the some, fixed,
        entry from a tuple value. Extract would be the only other change
        needed to make tuples work in B3 except that some optimizations
        expect to be able to take any non-Void value and stick it into a
        Variable of the same type. This means both Get/Set from a variable
        have to support Tuples as well. For simplicity and consistency,
        the ability to accept tuples is also applied to Phi and Upsilon.

        In order to lower a Tuple, B3Lowering needs to have a Tmp for each
        nested type in a Tuple. While we could reuse the existing
        IndexedTables to hold the extra information we need to lower
        Tuples, we instead use a two new HashTables for Value->Tmp(s) and
        Phi->Tmp(s). It's expected that Tuples will be sufficiently
        uncommon the overhead of tracking everything together would be
        prohibitive. On the other hand, we don't worry about this for
        Variables because we don't expect those to make it to lowering.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3Bank.h:
        (JSC::B3::bankForType):
        * b3/B3CheckValue.cpp:
        (JSC::B3::CheckValue::CheckValue):
        * b3/B3ExtractValue.cpp: Copied from Source/JavaScriptCore/b3/B3ProcedureInlines.h.
        (JSC::B3::ExtractValue::~ExtractValue):
        (JSC::B3::ExtractValue::dumpMeta const):
        * b3/B3ExtractValue.h: Copied from Source/JavaScriptCore/b3/B3FixSSA.h.
        * b3/B3FixSSA.h:
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3LowerToAir.cpp:
        * b3/B3NativeTraits.h:
        * b3/B3Opcode.cpp:
        (JSC::B3::invertedCompare):
        (WTF::printInternal):
        * b3/B3Opcode.h:
        (JSC::B3::opcodeForConstant):
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::forEachArg):
        (JSC::B3::PatchpointSpecial::isValid):
        (JSC::B3::PatchpointSpecial::admitsStack):
        (JSC::B3::PatchpointSpecial::generate):
        * b3/B3PatchpointValue.cpp:
        (JSC::B3::PatchpointValue::dumpMeta const):
        (JSC::B3::PatchpointValue::PatchpointValue):
        * b3/B3PatchpointValue.h:
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::addTuple):
        (JSC::B3::Procedure::isValidTuple const):
        (JSC::B3::Procedure::tupleForType const):
        (JSC::B3::Procedure::addIntConstant):
        (JSC::B3::Procedure::addConstant):
        * b3/B3Procedure.h:
        (JSC::B3::Procedure::returnCount const):
        * b3/B3ProcedureInlines.h:
        (JSC::B3::Procedure::extractFromTuple const):
        * b3/B3ReduceStrength.cpp:
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::isValidImpl):
        (JSC::B3::StackmapSpecial::isArgValidForType):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        (JSC::B3::StackmapSpecial::isArgValidForValue): Deleted.
        * b3/B3StackmapSpecial.h:
        * b3/B3StackmapValue.h:
        * b3/B3Type.cpp:
        (WTF::printInternal):
        * b3/B3Type.h:
        (JSC::B3::Type::Type):
        (JSC::B3::Type::tupleFromIndex):
        (JSC::B3::Type::kind const):
        (JSC::B3::Type::tupleIndex const):
        (JSC::B3::Type::hash const):
        (JSC::B3::Type::operator== const):
        (JSC::B3::Type::operator!= const):
        (JSC::B3::Type::isInt const):
        (JSC::B3::Type::isFloat const):
        (JSC::B3::Type::isNumeric const):
        (JSC::B3::Type::isTuple const):
        (JSC::B3::sizeofType):
        (JSC::B3::isInt): Deleted.
        (JSC::B3::isFloat): Deleted.
        * b3/B3TypeMap.h:
        (JSC::B3::TypeMap::at):
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::isRounded const):
        (JSC::B3::Value::effects const):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueInlines.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::intConstant):
        * b3/B3ValueKey.h:
        (JSC::B3::ValueKey::hash const):
        * b3/B3ValueRep.h:
        * b3/B3Width.h:
        (JSC::B3::widthForType):
        * b3/air/AirArg.cpp:
        (JSC::B3::Air::Arg::canRepresent const):
        * b3/air/AirArg.h:
        * b3/air/AirCCallingConvention.cpp:
        (JSC::B3::Air::cCallResult):
        * b3/air/AirLowerMacros.cpp:
        (JSC::B3::Air::lowerMacros):
        * b3/testb3.h:
        (populateWithInterestingValues):
        * b3/testb3_1.cpp:
        (run):
        * b3/testb3_3.cpp:
        (testStorePartial8BitRegisterOnX86):
        * b3/testb3_5.cpp:
        (testPatchpointWithRegisterResult):
        (testPatchpointWithStackArgumentResult):
        (testPatchpointWithAnyResult):
        * b3/testb3_6.cpp:
        (testPatchpointDoubleRegs):
        (testSomeEarlyRegister):
        * b3/testb3_7.cpp:
        (testShuffleDoesntTrashCalleeSaves):
        (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead):
        (testSimpleTuplePair):
        (testSimpleTuplePairUnused):
        (testSimpleTuplePairStack):
        (tailDupedTuplePair):
        (tuplePairVariableLoop):
        (tupleNestedLoop):
        (addTupleTests):
        * b3/testb3_8.cpp:
        (testLoad):
        (addLoadTests):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::marshallArgument const):
        (JSC::Wasm::CallingConvention::setupFrameInPrologue const):
        (JSC::Wasm::CallingConvention::setupCall const):
        (JSC::Wasm::CallingConventionAir::setupCall const):

2019-08-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use "destroy" function directly for JSWebAssemblyCodeBlock and WebAssemblyFunction
        https://bugs.webkit.org/show_bug.cgi?id=200385

        Reviewed by Mark Lam.

        These CellTypes are not using classInfo stored in the cells, so we can just call JSWebAssemblyCodeBlock::destroy
        and WebAssemblyFunction::destroy directly.

        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockDestroyFunc::operator() const):
        * wasm/js/WebAssemblyFunctionHeapCellType.cpp:
        (JSC::WebAssemblyFunctionDestroyFunc::operator() const):

2019-08-02  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix.
        https://bugs.webkit.org/show_bug.cgi?id=200149
        <rdar://problem/53570112>

        Not reviewed.

        * assembler/CPU.cpp:
        (JSC::hwPhysicalCPUMax):

2019-08-01  Yusuke Suzuki  <ysuzuki@apple.com>

        GetterSetter type confusion during DFG compilation
        https://bugs.webkit.org/show_bug.cgi?id=199903

        Reviewed by Mark Lam.

        In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists.
        However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding
        CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable.

        Let's consider the following graph.

            129:<!0:->     PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid)
            130:<!0:->     PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid)
            ...
            158:<!0:->     GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R<Final>/FlushedCell), R:Stack(-8), bc#187, ExitValid)  predicting Final
            210:< 1:->     DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid)
            ...
            162:<!0:->     CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid)
            163:< 1:->     GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid)
            164:< 1:->     GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)

        At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells @158 is a cell. But we do not invalidate graph status as "Invalid" even if edge filters out all possible value.
        This is because the result of edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it
        does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now.

        But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime,
        @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value.

            124:< 2:->     JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid)
            ...
            126:< 2:->     GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)

        AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following.


            JSValue base = forNode(node->child1()).m_value;
            if (base) {
                GetterSetter* getterSetter = jsCast<GetterSetter*>(base);
                ...

        Then, jsCast casts the above object with GetterSetter accidentally.

        In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge
        filters already filter out all the possible execution. DFG AI already considered about this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one.
        But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope.

        In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met.
        We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::castConstant): Deleted.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):

2019-08-01  Mark Lam  <mark.lam@apple.com>

        Add crash diagnostics for debugging unexpected zapped cells.
        https://bugs.webkit.org/show_bug.cgi?id=200149
        <rdar://problem/53570112>

        Reviewed by Yusuke Suzuki.

        Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
        SlotVisitor::visitChildren().  If a zapped cell is detected, we will crash with
        some diagnostic info.

        To facilitate this, we've made the following changes:
        1. Changed FreeCell to preserve the 1st 8 bytes.  This is fine to do because all
           cells are at least 16 bytes long.
        2. Changed HeapCell::zap() to only zap the structureID.  Leave the rest of the
           cell header info intact (including the cell JSType).
        3. Changed HeapCell::zap() to record the reason for zapping the cell.  We stash
           the reason immediately after the first 8 bytes.  This is the same location as
           FreeCell::scrambledNext.  However, since a cell is not expected to be zapped
           and on the free list at the same time, it is also fine to do this.
        4. Added a few utility functions to MarkedBlock for checking if a cell points
           into the block.
        5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
        6. Added some comments to document the hashes of known subspaces.
        7. Added Options::dumpZappedCellCrashData() to make this check conditional.
           We use this option to disable this check for slower machines so that their
           PLT5 performance is not impacted.

        * assembler/CPU.cpp:
        (JSC::hwL3CacheSize):
        (JSC::hwPhysicalCPUMax):
        * assembler/CPU.h:
        (JSC::hwL3CacheSize):
        (JSC::hwPhysicalCPUMax):
        * heap/FreeList.h:
        (JSC::FreeCell::offsetOfScrambledNext):
        * heap/HeapCell.h:
        (JSC::HeapCell::zap):
        (JSC::HeapCell::isZapped const):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::stopAllocating):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::start const):
        (JSC::MarkedBlock::Handle::end const):
        (JSC::MarkedBlock::Handle::contains const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachSubspace):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::reportZappedCellAndCrash):
        * heap/SlotVisitor.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpSubspaceHashes):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpSubspaceHashes):
        * tools/VMInspector.h:

2019-08-01  Keith Miller  <keith_miller@apple.com>

        Fix bug in testMulImm32SignExtend
        https://bugs.webkit.org/show_bug.cgi?id=200358

        Reviewed by Mark Lam.

        Also, have it run in more configurations.

        * b3/testb3_2.cpp:
        (testMulImm32SignExtend):
        * b3/testb3_3.cpp:
        (addArgTests):

2019-07-31  Mark Lam  <mark.lam@apple.com>

        Rename DOMJIT safe/unsafeFunction to functionWithTypeChecks and functionWithoutTypeChecks.
        https://bugs.webkit.org/show_bug.cgi?id=200323

        Reviewed by Yusuke Suzuki.

        The DOMJIT has a notion of a safeFunction and an unsafeFunction.  The safeFunction
        is effectively the same as the unsafeFunction with added type check.  The DFG/FTL
        will emit code to call the unsafeFunction if it has already emitted the needed
        type check or proven that it isn't needed.  Otherwise, the DFG/FTL will emit
        code to call the safeFunction (which does its own type check) instead.

        This patch renames these functions to better describe their difference.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCallDOM):
        * domjit/DOMJITSignature.h:
        (JSC::DOMJIT::Signature::Signature):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
        * tools/JSDollarVM.cpp:
        (JSC::DOMJITFunctionObject::functionWithTypeCheck):
        (JSC::DOMJITFunctionObject::functionWithoutTypeCheck):
        (JSC::DOMJITFunctionObject::finishCreation):
        (JSC::DOMJITCheckSubClassObject::functionWithTypeCheck):
        (JSC::DOMJITCheckSubClassObject::functionWithoutTypeCheck):
        (JSC::DOMJITCheckSubClassObject::finishCreation):
        (JSC::DOMJITFunctionObject::safeFunction): Deleted.
        (JSC::DOMJITFunctionObject::unsafeFunction): Deleted.
        (JSC::DOMJITCheckSubClassObject::safeFunction): Deleted.
        (JSC::DOMJITCheckSubClassObject::unsafeFunction): Deleted.

2019-07-31  Alex Christensen  <achristensen@webkit.org>

        Begin organizing b3 tests
        https://bugs.webkit.org/show_bug.cgi?id=200330

        Reviewed by Keith Miller.

        * b3/testb3.h:
        * b3/testb3_1.cpp:
        (run):
        (zero): Deleted.
        (negativeZero): Deleted.
        * b3/testb3_2.cpp:
        (testBitXorTreeArgs):
        (testBitXorTreeArgsEven):
        (testBitXorTreeArgImm):
        (testBitAndTreeArg32):
        (testBitOrTreeArg32):
        (testBitAndArgs):
        (testBitAndSameArg):
        (testBitAndNotNot):
        (testBitAndNotImm):
        (testBitAndImms):
        (testBitAndArgImm):
        (testBitAndImmArg):
        (testBitAndBitAndArgImmImm):
        (testBitAndImmBitAndArgImm):
        (testBitAndArgs32):
        (testBitAndSameArg32):
        (testBitAndImms32):
        (testBitAndArgImm32):
        (testBitAndImmArg32):
        (testBitAndBitAndArgImmImm32):
        (testBitAndImmBitAndArgImm32):
        (testBitAndWithMaskReturnsBooleans):
        (testBitAndArgDouble):
        (testBitAndArgsDouble):
        (testBitAndArgImmDouble):
        (testBitAndImmsDouble):
        (testBitAndArgFloat):
        (testBitAndArgsFloat):
        (testBitAndArgImmFloat):
        (testBitAndImmsFloat):
        (testBitAndArgsFloatWithUselessDoubleConversion):
        (testBitOrArgs):
        (testBitOrSameArg):
        (testBitOrAndAndArgs):
        (testBitOrAndSameArgs):
        (testBitOrNotNot):
        (testBitOrNotImm):
        (testBitOrImms):
        (testBitOrArgImm):
        (testBitOrImmArg):
        (testBitOrBitOrArgImmImm):
        (testBitOrImmBitOrArgImm):
        (testBitOrArgs32):
        (testBitOrSameArg32):
        (testBitOrImms32):
        (testBitOrArgImm32):
        (testBitOrImmArg32):
        (addBitTests):
        * b3/testb3_3.cpp:
        (testSShrArgs):
        (testSShrImms):
        (testSShrArgImm):
        (testSShrArg32):
        (testSShrArgs32):
        (testSShrImms32):
        (testSShrArgImm32):
        (testZShrArgs):
        (testZShrImms):
        (testZShrArgImm):
        (testZShrArg32):
        (testZShrArgs32):
        (testZShrImms32):
        (testZShrArgImm32):
        (zero):
        (negativeZero):
        (addArgTests):
        (addCallTests):
        (addShrTests):
        * b3/testb3_4.cpp:
        (addSExtTests):
        * b3/testb3_6.cpp:
        (testSShrShl32):
        (testSShrShl64):
        (addSShrShTests):

2019-07-31  Devin Rousso  <drousso@apple.com>

        Web Inspector: Debugger: support emulateUserGesture parameter in Debugger.evaluateOnCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=200272

        Reviewed by Joseph Pecoraro.

        When paused, evaluating in the console should still respect the "Emulate User Gesture" checkbox.

        * inspector/protocol/Debugger.json:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):

2019-07-31  Alex Christensen  <achristensen@webkit.org>

        Split testb3 into multiple files
        https://bugs.webkit.org/show_bug.cgi?id=200326

        Reviewed by Keith Miller.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/testb3.cpp: Removed.
        * b3/testb3.h: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (shouldBeVerbose):
        (compileProc):
        (invoke):
        (compileAndRun):
        (lowerToAirForTesting):
        (checkDisassembly):
        (checkUsesInstruction):
        (checkDoesNotUseInstruction):
        (populateWithInterestingValues):
        (floatingPointOperands):
        (int64Operands):
        (int32Operands):
        (add32):
        (modelLoad):
        (float>):
        (double>):
        * b3/testb3_1.cpp: Added.
        (zero):
        (negativeZero):
        (shouldRun):
        (testRotR):
        (testRotL):
        (testRotRWithImmShift):
        (testRotLWithImmShift):
        (testComputeDivisionMagic):
        (run):
        (main):
        (dllLauncherEntryPoint):
        * b3/testb3_2.cpp: Added.
        (test42):
        (testLoad42):
        (testLoadAcq42):
        (testLoadWithOffsetImpl):
        (testLoadOffsetImm9Max):
        (testLoadOffsetImm9MaxPlusOne):
        (testLoadOffsetImm9MaxPlusTwo):
        (testLoadOffsetImm9Min):
        (testLoadOffsetImm9MinMinusOne):
        (testLoadOffsetScaledUnsignedImm12Max):
        (testLoadOffsetScaledUnsignedOverImm12Max):
        (testBitXorTreeArgs):
        (testBitXorTreeArgsEven):
        (testBitXorTreeArgImm):
        (testAddTreeArg32):
        (testMulTreeArg32):
        (testBitAndTreeArg32):
        (testBitOrTreeArg32):
        (testArg):
        (testReturnConst64):
        (testReturnVoid):
        (testAddArg):
        (testAddArgs):
        (testAddArgImm):
        (testAddImmArg):
        (testAddArgMem):
        (testAddMemArg):
        (testAddImmMem):
        (testAddArg32):
        (testAddArgs32):
        (testAddArgMem32):
        (testAddMemArg32):
        (testAddImmMem32):
        (testAddNeg1):
        (testAddNeg2):
        (testAddArgZeroImmZDef):
        (testAddLoadTwice):
        (testAddArgDouble):
        (testAddArgsDouble):
        (testAddArgImmDouble):
        (testAddImmArgDouble):
        (testAddImmsDouble):
        (testAddArgFloat):
        (testAddArgsFloat):
        (testAddFPRArgsFloat):
        (testAddArgImmFloat):
        (testAddImmArgFloat):
        (testAddImmsFloat):
        (testAddArgFloatWithUselessDoubleConversion):
        (testAddArgsFloatWithUselessDoubleConversion):
        (testAddArgsFloatWithEffectfulDoubleConversion):
        (testAddMulMulArgs):
        (testMulArg):
        (testMulArgStore):
        (testMulAddArg):
        (testMulArgs):
        (testMulArgNegArg):
        (testMulNegArgArg):
        (testMulArgImm):
        (testMulImmArg):
        (testMulArgs32):
        (testMulArgs32SignExtend):
        (testMulImm32SignExtend):
        (testMulLoadTwice):
        (testMulAddArgsLeft):
        (testMulAddArgsRight):
        (testMulAddArgsLeft32):
        (testMulAddArgsRight32):
        (testMulSubArgsLeft):
        (testMulSubArgsRight):
        (testMulSubArgsLeft32):
        (testMulSubArgsRight32):
        (testMulNegArgs):
        (testMulNegArgs32):
        (testMulArgDouble):
        (testMulArgsDouble):
        (testMulArgImmDouble):
        (testMulImmArgDouble):
        (testMulImmsDouble):
        (testMulArgFloat):
        (testMulArgsFloat):
        (testMulArgImmFloat):
        (testMulImmArgFloat):
        (testMulImmsFloat):
        (testMulArgFloatWithUselessDoubleConversion):
        (testMulArgsFloatWithUselessDoubleConversion):
        (testMulArgsFloatWithEffectfulDoubleConversion):
        (testDivArgDouble):
        (testDivArgsDouble):
        (testDivArgImmDouble):
        (testDivImmArgDouble):
        (testDivImmsDouble):
        (testDivArgFloat):
        (testDivArgsFloat):
        (testDivArgImmFloat):
        (testDivImmArgFloat):
        (testDivImmsFloat):
        (testModArgDouble):
        (testModArgsDouble):
        (testModArgImmDouble):
        (testModImmArgDouble):
        (testModImmsDouble):
        (testModArgFloat):
        (testModArgsFloat):
        (testModArgImmFloat):
        (testModImmArgFloat):
        (testModImmsFloat):
        (testDivArgFloatWithUselessDoubleConversion):
        (testDivArgsFloatWithUselessDoubleConversion):
        (testDivArgsFloatWithEffectfulDoubleConversion):
        (testUDivArgsInt32):
        (testUDivArgsInt64):
        (testUModArgsInt32):
        (testUModArgsInt64):
        (testSubArg):
        (testSubArgs):
        (testSubArgImm):
        (testSubNeg):
        (testNegSub):
        (testNegValueSubOne):
        (testSubSub):
        (testSubSub2):
        (testSubAdd):
        (testSubFirstNeg):
        (testSubImmArg):
        (testSubArgMem):
        (testSubMemArg):
        (testSubImmMem):
        (testSubMemImm):
        (testSubArgs32):
        (testSubArgImm32):
        (testSubImmArg32):
        (testSubMemArg32):
        (testSubArgMem32):
        (testSubImmMem32):
        (testSubMemImm32):
        (testNegValueSubOne32):
        (testNegMulArgImm):
        (testSubMulMulArgs):
        (testSubArgDouble):
        (testSubArgsDouble):
        (testSubArgImmDouble):
        (testSubImmArgDouble):
        (testSubImmsDouble):
        (testSubArgFloat):
        (testSubArgsFloat):
        (testSubArgImmFloat):
        (testSubImmArgFloat):
        (testSubImmsFloat):
        (testSubArgFloatWithUselessDoubleConversion):
        (testSubArgsFloatWithUselessDoubleConversion):
        (testSubArgsFloatWithEffectfulDoubleConversion):
        (testTernarySubInstructionSelection):
        (testNegDouble):
        (testNegFloat):
        (testNegFloatWithUselessDoubleConversion):
        (testBitAndArgs):
        (testBitAndSameArg):
        (testBitAndNotNot):
        (testBitAndNotImm):
        (testBitAndImms):
        (testBitAndArgImm):
        (testBitAndImmArg):
        (testBitAndBitAndArgImmImm):
        (testBitAndImmBitAndArgImm):
        (testBitAndArgs32):
        (testBitAndSameArg32):
        (testBitAndImms32):
        (testBitAndArgImm32):
        (testBitAndImmArg32):
        (testBitAndBitAndArgImmImm32):
        (testBitAndImmBitAndArgImm32):
        (testBitAndWithMaskReturnsBooleans):
        (bitAndDouble):
        (testBitAndArgDouble):
        (testBitAndArgsDouble):
        (testBitAndArgImmDouble):
        (testBitAndImmsDouble):
        (bitAndFloat):
        (testBitAndArgFloat):
        (testBitAndArgsFloat):
        (testBitAndArgImmFloat):
        (testBitAndImmsFloat):
        (testBitAndArgsFloatWithUselessDoubleConversion):
        (testBitOrArgs):
        (testBitOrSameArg):
        (testBitOrAndAndArgs):
        (testBitOrAndSameArgs):
        (testBitOrNotNot):
        (testBitOrNotImm):
        (testBitOrImms):
        (testBitOrArgImm):
        (testBitOrImmArg):
        (testBitOrBitOrArgImmImm):
        (testBitOrImmBitOrArgImm):
        (testBitOrArgs32):
        (testBitOrSameArg32):
        (testBitOrImms32):
        (testBitOrArgImm32):
        (testBitOrImmArg32):
        * b3/testb3_3.cpp: Added.
        (testBitOrBitOrArgImmImm32):
        (testBitOrImmBitOrArgImm32):
        (bitOrDouble):
        (testBitOrArgDouble):
        (testBitOrArgsDouble):
        (testBitOrArgImmDouble):
        (testBitOrImmsDouble):
        (bitOrFloat):
        (testBitOrArgFloat):
        (testBitOrArgsFloat):
        (testBitOrArgImmFloat):
        (testBitOrImmsFloat):
        (testBitOrArgsFloatWithUselessDoubleConversion):
        (testBitXorArgs):
        (testBitXorSameArg):
        (testBitXorAndAndArgs):
        (testBitXorAndSameArgs):
        (testBitXorImms):
        (testBitXorArgImm):
        (testBitXorImmArg):
        (testBitXorBitXorArgImmImm):
        (testBitXorImmBitXorArgImm):
        (testBitXorArgs32):
        (testBitXorSameArg32):
        (testBitXorImms32):
        (testBitXorArgImm32):
        (testBitXorImmArg32):
        (testBitXorBitXorArgImmImm32):
        (testBitXorImmBitXorArgImm32):
        (testBitNotArg):
        (testBitNotImm):
        (testBitNotMem):
        (testBitNotArg32):
        (testBitNotImm32):
        (testBitNotMem32):
        (testNotOnBooleanAndBranch32):
        (testBitNotOnBooleanAndBranch32):
        (testShlArgs):
        (testShlImms):
        (testShlArgImm):
        (testShlSShrArgImm):
        (testShlArg32):
        (testShlArgs32):
        (testShlImms32):
        (testShlArgImm32):
        (testShlZShrArgImm32):
        (testSShrArgs):
        (testSShrImms):
        (testSShrArgImm):
        (testSShrArg32):
        (testSShrArgs32):
        (testSShrImms32):
        (testSShrArgImm32):
        (testZShrArgs):
        (testZShrImms):
        (testZShrArgImm):
        (testZShrArg32):
        (testZShrArgs32):
        (testZShrImms32):
        (testZShrArgImm32):
        (countLeadingZero):
        (testClzArg64):
        (testClzMem64):
        (testClzArg32):
        (testClzMem32):
        (testAbsArg):
        (testAbsImm):
        (testAbsMem):
        (testAbsAbsArg):
        (testAbsNegArg):
        (testAbsBitwiseCastArg):
        (testBitwiseCastAbsBitwiseCastArg):
        (testAbsArgWithUselessDoubleConversion):
        (testAbsArgWithEffectfulDoubleConversion):
        (testCeilArg):
        (testCeilImm):
        (testCeilMem):
        (testCeilCeilArg):
        (testFloorCeilArg):
        (testCeilIToD64):
        (testCeilIToD32):
        (testCeilArgWithUselessDoubleConversion):
        (testCeilArgWithEffectfulDoubleConversion):
        (testFloorArg):
        (testFloorImm):
        (testFloorMem):
        (testFloorFloorArg):
        (testCeilFloorArg):
        (testFloorIToD64):
        (testFloorIToD32):
        (testFloorArgWithUselessDoubleConversion):
        (testFloorArgWithEffectfulDoubleConversion):
        (correctSqrt):
        (testSqrtArg):
        (testSqrtImm):
        (testSqrtMem):
        (testSqrtArgWithUselessDoubleConversion):
        (testSqrtArgWithEffectfulDoubleConversion):
        (testCompareTwoFloatToDouble):
        (testCompareOneFloatToDouble):
        (testCompareFloatToDoubleThroughPhi):
        (testDoubleToFloatThroughPhi):
        (testReduceFloatToDoubleValidates):
        (testDoubleProducerPhiToFloatConversion):
        (testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
        (testDoubleProducerPhiWithNonFloatConst):
        (testDoubleArgToInt64BitwiseCast):
        (testDoubleImmToInt64BitwiseCast):
        (testTwoBitwiseCastOnDouble):
        (testBitwiseCastOnDoubleInMemory):
        (testBitwiseCastOnDoubleInMemoryIndexed):
        (testInt64BArgToDoubleBitwiseCast):
        (testInt64BImmToDoubleBitwiseCast):
        (testTwoBitwiseCastOnInt64):
        (testBitwiseCastOnInt64InMemory):
        (testBitwiseCastOnInt64InMemoryIndexed):
        (testFloatImmToInt32BitwiseCast):
        (testBitwiseCastOnFloatInMemory):
        (testInt32BArgToFloatBitwiseCast):
        (testInt32BImmToFloatBitwiseCast):
        (testTwoBitwiseCastOnInt32):
        (testBitwiseCastOnInt32InMemory):
        (testConvertDoubleToFloatArg):
        (testConvertDoubleToFloatImm):
        (testConvertDoubleToFloatMem):
        (testConvertFloatToDoubleArg):
        (testConvertFloatToDoubleImm):
        (testConvertFloatToDoubleMem):
        (testConvertDoubleToFloatToDoubleToFloat):
        (testLoadFloatConvertDoubleConvertFloatStoreFloat):
        (testFroundArg):
        (testFroundMem):
        (testIToD64Arg):
        (testIToF64Arg):
        (testIToD32Arg):
        (testIToF32Arg):
        (testIToD64Mem):
        (testIToF64Mem):
        (testIToD32Mem):
        (testIToF32Mem):
        (testIToD64Imm):
        (testIToF64Imm):
        (testIToD32Imm):
        (testIToF32Imm):
        (testIToDReducedToIToF64Arg):
        (testIToDReducedToIToF32Arg):
        (testStore32):
        (testStoreConstant):
        (testStoreConstantPtr):
        (testStore8Arg):
        (testStore8Imm):
        (testStorePartial8BitRegisterOnX86):
        (testStore16Arg):
        (testStore16Imm):
        (testTrunc):
        (testAdd1):
        (testAdd1Ptr):
        (testNeg32):
        (testNegPtr):
        (testStoreAddLoad32):
        * b3/testb3_4.cpp: Added.
        (testStoreRelAddLoadAcq32):
        (testStoreAddLoadImm32):
        (testStoreAddLoad8):
        (testStoreRelAddLoadAcq8):
        (testStoreRelAddFenceLoadAcq8):
        (testStoreAddLoadImm8):
        (testStoreAddLoad16):
        (testStoreRelAddLoadAcq16):
        (testStoreAddLoadImm16):
        (testStoreAddLoad64):
        (testStoreRelAddLoadAcq64):
        (testStoreAddLoadImm64):
        (testStoreAddLoad32Index):
        (testStoreAddLoadImm32Index):
        (testStoreAddLoad8Index):
        (testStoreAddLoadImm8Index):
        (testStoreAddLoad16Index):
        (testStoreAddLoadImm16Index):
        (testStoreAddLoad64Index):
        (testStoreAddLoadImm64Index):
        (testStoreSubLoad):
        (testStoreAddLoadInterference):
        (testStoreAddAndLoad):
        (testStoreNegLoad32):
        (testStoreNegLoadPtr):
        (testAdd1Uncommuted):
        (testLoadOffset):
        (testLoadOffsetNotConstant):
        (testLoadOffsetUsingAdd):
        (testLoadOffsetUsingAddInterference):
        (testLoadOffsetUsingAddNotConstant):
        (testLoadAddrShift):
        (testFramePointer):
        (testOverrideFramePointer):
        (testStackSlot):
        (testLoadFromFramePointer):
        (testStoreLoadStackSlot):
        (testStoreFloat):
        (testStoreDoubleConstantAsFloat):
        (testSpillGP):
        (testSpillFP):
        (testInt32ToDoublePartialRegisterStall):
        (testInt32ToDoublePartialRegisterWithoutStall):
        (testBranch):
        (testBranchPtr):
        (testDiamond):
        (testBranchNotEqual):
        (testBranchNotEqualCommute):
        (testBranchNotEqualNotEqual):
        (testBranchEqual):
        (testBranchEqualEqual):
        (testBranchEqualCommute):
        (testBranchEqualEqual1):
        (testBranchEqualOrUnorderedArgs):
        (testBranchNotEqualAndOrderedArgs):
        (testBranchEqualOrUnorderedDoubleArgImm):
        (testBranchEqualOrUnorderedFloatArgImm):
        (testBranchEqualOrUnorderedDoubleImms):
        (testBranchEqualOrUnorderedFloatImms):
        (testBranchEqualOrUnorderedFloatWithUselessDoubleConversion):
        (testBranchFold):
        (testDiamondFold):
        (testBranchNotEqualFoldPtr):
        (testBranchEqualFoldPtr):
        (testBranchLoadPtr):
        (testBranchLoad32):
        (testBranchLoad8S):
        (testBranchLoad8Z):
        (testBranchLoad16S):
        (testBranchLoad16Z):
        (testBranch8WithLoad8ZIndex):
        (testComplex):
        (testBranchBitTest32TmpImm):
        (testBranchBitTest32AddrImm):
        (testBranchBitTest32TmpTmp):
        (testBranchBitTest64TmpTmp):
        (testBranchBitTest64AddrTmp):
        (testBranchBitTestNegation):
        (testBranchBitTestNegation2):
        (testSimplePatchpoint):
        (testSimplePatchpointWithoutOuputClobbersGPArgs):
        (testSimplePatchpointWithOuputClobbersGPArgs):
        (testSimplePatchpointWithoutOuputClobbersFPArgs):
        (testSimplePatchpointWithOuputClobbersFPArgs):
        (testPatchpointWithEarlyClobber):
        (testPatchpointCallArg):
        (testPatchpointFixedRegister):
        (testPatchpointAny):
        (testPatchpointGPScratch):
        (testPatchpointFPScratch):
        (testPatchpointLotsOfLateAnys):
        (testPatchpointAnyImm):
        * b3/testb3_5.cpp: Added.
        (testPatchpointManyImms):
        (testPatchpointWithRegisterResult):
        (testPatchpointWithStackArgumentResult):
        (testPatchpointWithAnyResult):
        (testSimpleCheck):
        (testCheckFalse):
        (testCheckTrue):
        (testCheckLessThan):
        (testCheckMegaCombo):
        (testCheckTrickyMegaCombo):
        (testCheckTwoMegaCombos):
        (testCheckTwoNonRedundantMegaCombos):
        (testCheckAddImm):
        (testCheckAddImmCommute):
        (testCheckAddImmSomeRegister):
        (testCheckAdd):
        (testCheckAdd64):
        (testCheckAddFold):
        (testCheckAddFoldFail):
        (testCheckAddArgumentAliasing64):
        (testCheckAddArgumentAliasing32):
        (testCheckAddSelfOverflow64):
        (testCheckAddSelfOverflow32):
        (testCheckSubImm):
        (testCheckSubBadImm):
        (testCheckSub):
        (doubleSub):
        (testCheckSub64):
        (testCheckSubFold):
        (testCheckSubFoldFail):
        (testCheckNeg):
        (testCheckNeg64):
        (testCheckMul):
        (testCheckMulMemory):
        (testCheckMul2):
        (testCheckMul64):
        (testCheckMulFold):
        (testCheckMulFoldFail):
        (testCheckMulArgumentAliasing64):
        (testCheckMulArgumentAliasing32):
        (testCheckMul64SShr):
        (genericTestCompare):
        (modelCompare):
        (testCompareLoad):
        (testCompareImpl):
        (testCompare):
        (testEqualDouble):
        (simpleFunction):
        (testCallSimple):
        (testCallRare):
        (testCallRareLive):
        (testCallSimplePure):
        (functionWithHellaArguments):
        (testCallFunctionWithHellaArguments):
        (functionWithHellaArguments2):
        (testCallFunctionWithHellaArguments2):
        (functionWithHellaArguments3):
        (testCallFunctionWithHellaArguments3):
        (testReturnDouble):
        (testReturnFloat):
        (simpleFunctionDouble):
        (testCallSimpleDouble):
        (simpleFunctionFloat):
        (testCallSimpleFloat):
        (functionWithHellaDoubleArguments):
        (testCallFunctionWithHellaDoubleArguments):
        (functionWithHellaFloatArguments):
        (testCallFunctionWithHellaFloatArguments):
        (testLinearScanWithCalleeOnStack):
        (testChillDiv):
        (testChillDivTwice):
        (testChillDiv64):
        (testModArg):
        (testModArgs):
        (testModImms):
        (testModArg32):
        (testModArgs32):
        (testModImms32):
        (testChillModArg):
        (testChillModArgs):
        (testChillModImms):
        (testChillModArg32):
        (testChillModArgs32):
        (testChillModImms32):
        (testLoopWithMultipleHeaderEdges):
        (testSwitch):
        (testSwitchSameCaseAsDefault):
        (testSwitchChillDiv):
        (testSwitchTargettingSameBlock):
        (testSwitchTargettingSameBlockFoldPathConstant):
        (testTruncFold):
        (testZExt32):
        (testZExt32Fold):
        (testSExt32):
        (testSExt32Fold):
        (testTruncZExt32):
        (testTruncSExt32):
        (testSExt8):
        (testSExt8Fold):
        (testSExt8SExt8):
        (testSExt8SExt16):
        (testSExt8BitAnd):
        (testBitAndSExt8):
        (testSExt16):
        (testSExt16Fold):
        (testSExt16SExt16):
        (testSExt16SExt8):
        (testSExt16BitAnd):
        (testBitAndSExt16):
        (testSExt32BitAnd):
        * b3/testb3_6.cpp: Added.
        (testBitAndSExt32):
        (testBasicSelect):
        (testSelectTest):
        (testSelectCompareDouble):
        (testSelectCompareFloat):
        (testSelectCompareFloatToDouble):
        (testSelectDouble):
        (testSelectDoubleTest):
        (testSelectDoubleCompareDouble):
        (testSelectDoubleCompareFloat):
        (testSelectFloatCompareFloat):
        (testSelectDoubleCompareDoubleWithAliasing):
        (testSelectFloatCompareFloatWithAliasing):
        (testSelectFold):
        (testSelectInvert):
        (testCheckSelect):
        (testCheckSelectCheckSelect):
        (testCheckSelectAndCSE):
        (b3Pow):
        (testPowDoubleByIntegerLoop):
        (testTruncOrHigh):
        (testTruncOrLow):
        (testBitAndOrHigh):
        (testBitAndOrLow):
        (testBranch64Equal):
        (testBranch64EqualImm):
        (testBranch64EqualMem):
        (testBranch64EqualMemImm):
        (testStore8Load8Z):
        (testStore16Load16Z):
        (testSShrShl32):
        (testSShrShl64):
        (testTrivialInfiniteLoop):
        (testFoldPathEqual):
        (testLShiftSelf32):
        (testRShiftSelf32):
        (testURShiftSelf32):
        (testLShiftSelf64):
        (testRShiftSelf64):
        (testURShiftSelf64):
        (testPatchpointDoubleRegs):
        (testSpillDefSmallerThanUse):
        (testSpillUseLargerThanDef):
        (testLateRegister):
        (interpreterPrint):
        (testInterpreter):
        (testReduceStrengthCheckBottomUseInAnotherBlock):
        (testResetReachabilityDanglingReference):
        (testEntrySwitchSimple):
        (testEntrySwitchNoEntrySwitch):
        (testEntrySwitchWithCommonPaths):
        (testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
        (testEntrySwitchLoop):
        (testSomeEarlyRegister):
        (testBranchBitAndImmFusion):
        (testTerminalPatchpointThatNeedsToBeSpilled):
        (testTerminalPatchpointThatNeedsToBeSpilled2):
        (testPatchpointTerminalReturnValue):
        (testMemoryFence):
        (testStoreFence):
        (testLoadFence):
        (testTrappingLoad):
        (testTrappingStore):
        (testTrappingLoadAddStore):
        (testTrappingLoadDCE):
        (testTrappingStoreElimination):
        (testMoveConstants):
        (testPCOriginMapDoesntInsertNops):
        * b3/testb3_7.cpp: Added.
        (testPinRegisters):
        (testX86LeaAddAddShlLeft):
        (testX86LeaAddAddShlRight):
        (testX86LeaAddAdd):
        (testX86LeaAddShlRight):
        (testX86LeaAddShlLeftScale1):
        (testX86LeaAddShlLeftScale2):
        (testX86LeaAddShlLeftScale4):
        (testX86LeaAddShlLeftScale8):
        (testAddShl32):
        (testAddShl64):
        (testAddShl65):
        (testReduceStrengthReassociation):
        (testLoadBaseIndexShift2):
        (testLoadBaseIndexShift32):
        (testOptimizeMaterialization):
        (generateLoop):
        (makeArrayForLoops):
        (generateLoopNotBackwardsDominant):
        (oneFunction):
        (noOpFunction):
        (testLICMPure):
        (testLICMPureSideExits):
        (testLICMPureWritesPinned):
        (testLICMPureWrites):
        (testLICMReadsLocalState):
        (testLICMReadsPinned):
        (testLICMReads):
        (testLICMPureNotBackwardsDominant):
        (testLICMPureFoiledByChild):
        (testLICMPureNotBackwardsDominantFoiledByChild):
        (testLICMExitsSideways):
        (testLICMWritesLocalState):
        (testLICMWrites):
        (testLICMFence):
        (testLICMWritesPinned):
        (testLICMControlDependent):
        (testLICMControlDependentNotBackwardsDominant):
        (testLICMControlDependentSideExits):
        (testLICMReadsPinnedWritesPinned):
        (testLICMReadsWritesDifferentHeaps):
        (testLICMReadsWritesOverlappingHeaps):
        (testLICMDefaultCall):
        (testDepend32):
        (testDepend64):
        (testWasmBoundsCheck):
        (testWasmAddress):
        (testFastTLSLoad):
        (testFastTLSStore):
        (doubleEq):
        (doubleNeq):
        (doubleGt):
        (doubleGte):
        (doubleLt):
        (doubleLte):
        (testDoubleLiteralComparison):
        (testFloatEqualOrUnorderedFolding):
        (testFloatEqualOrUnorderedFoldingNaN):
        (testFloatEqualOrUnorderedDontFold):
        (functionNineArgs):
        (testShuffleDoesntTrashCalleeSaves):
        (testDemotePatchpointTerminal):
        (testReportUsedRegistersLateUseFollowedByEarlyDefDoesNotMarkUseAsDead):
        (testInfiniteLoopDoesntCauseBadHoisting):
        * b3/testb3_8.cpp: Added.
        (testAtomicWeakCAS):
        (testAtomicStrongCAS):
        (testAtomicXchg):
        (addAtomicTests):
        (testLoad):
        (addLoadTests):

2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Emit write barrier after storing instead of before storing
        https://bugs.webkit.org/show_bug.cgi?id=200193

        Reviewed by Saam Barati.

        I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers.

        1. Some write-barriers are emitted before stores happen

            Some code like LazyProperty emits write-barrier before we store the value. This is wrong since JSC has concurrent collector. Let's consider the situation like this.

                1. Cell "A" is not marked yet
                2. Write-barrier is emitted onto "A"
                3. Concurrent collector scans "A"
                4. Store to "A"'s field happens
                5. (4)'s field is not rescaned

            We should emit write-barrier after stores. This patch places write-barriers after stores happen.

        2. Should emit write-barrier after the stored fields are reachable from the owner.

            We have code that is logically the same to the following.

                ```
                auto data = std::make_unique<XXX>();
                data->m_field.set(vm, owner, value);

                storeStoreBarrier();
                owner->m_data = WTFMove(data);
                ```

            This is not correct. When write-barrier is emitted, the owner cannot reach to the field that is stored.
            The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not
            effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock.

            I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock.
            But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called.

        Speculative GC fix, it was hard to reproduce the crash since we need to control concurrent collector and main thread's scheduling in an instruction-level.

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::considerCaching):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/LazyPropertyInlines.h:
        (JSC::ElementType>::setMayBeNull):
        * runtime/RegExpCachedResult.h:
        (JSC::RegExpCachedResult::record):

2019-07-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make StructureChain less-tricky by using Auxiliary Buffer
        https://bugs.webkit.org/show_bug.cgi?id=200192

        Reviewed by Saam Barati.

        StructureChain has a bit tricky write barrier / mutator fence to use UniqueArray for its underlying storage.
        But, since the size of StructureChain is fixed at initialization, we should allocate an underlying storage from auxiliary memory and
        set it in its constructor instead of finishCreation. We can store values in the finishCreation so that we do not need to have
        a hacky write-barrier and mutator fence. Furthermore, we can make StructureChain non-destructible.

        This patch leverages auxiliary buffer for the implementation of StructureChain. And it also adds a test that stresses StructureChain creation.

        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        (JSC::StructureChain::create):
        (JSC::StructureChain::finishCreation):
        (JSC::StructureChain::visitChildren):
        (JSC::StructureChain::destroy): Deleted.
        * runtime/StructureChain.h:

2019-07-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Increment bytecode age only when SlotVisitor is first-visit
        https://bugs.webkit.org/show_bug.cgi?id=200196

        Reviewed by Robin Morisset.

        WriteBarrier can cause multiple visits for the same UnlinkedCodeBlock. But this does not mean that we are having multiple cycles of GC.
        We should increment the age of the UnlinkedCodeBlock only when the SlotVisitor is saying that this is the first visit.

        In practice,this almost never happens. Multiple visits can happen only when the marked UnlinkedCodeBlock gets a write-barrier. But, mutation
        of UnlinkedCodeBlock is rare or none after it is initialized. I ran all the JSTests and I cannot find any tests that get re-visiting of UnlinkedCodeBlock.
        This patch extends JSTests/stress/reparsing-unlinked-codeblock.js to ensure that UnlinkedCodeBlockJettisoning feature is working after this change.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::visitChildren):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::isFirstVisit const):
        * parser/Parser.cpp:
        * parser/Parser.h:
        (JSC::parse):
        (JSC::parseFunctionForFunctionConstructor):
        * runtime/Options.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionParseCount):
        (JSC::JSDollarVM::finishCreation):

2019-07-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r247886.
        https://bugs.webkit.org/show_bug.cgi?id=200214

        "Causes PLT5 regression on some machines" (Requested by mlam|a
        on #webkit).

        Reverted changeset:

        "Add crash diagnostics for debugging unexpected zapped cells."
        https://bugs.webkit.org/show_bug.cgi?id=200149
        https://trac.webkit.org/changeset/247886

2019-07-27  Justin Michaud  <justin_michaud@apple.com>

        [X86] Emit BT instruction for shift + mask in B3
        https://bugs.webkit.org/show_bug.cgi?id=199891

        Reviewed by Keith Miller.

        - Add a new BranchTestBit air opcode, matching the intel bt instruction
        - Select this instruction for the following patterns:
          if (a & (1<<b))
          if ((a>>b)&1)
          if ((~a>>b)&1)
          if (~a & (1<<b))
        - 15% perf progression on the nonconstant microbenchmark, neutral otherwise.
        - Note: we cannot fuse loads when we have bitBase=Load, bitOffset=Tmp, since the X86 instruction has 
          different behaviour in this mode. It will read past the current dword/qword instead of wrapping around.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTestBit32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchTestBit64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_ir):
        (JSC::X86Assembler::bt_im):
        (JSC::X86Assembler::btw_ir):
        (JSC::X86Assembler::btw_im):
        * assembler/testmasm.cpp:
        (JSC::int64Operands):
        (JSC::testBranchTestBit32RegReg):
        (JSC::testBranchTestBit32RegImm):
        (JSC::testBranchTestBit32AddrImm):
        (JSC::testBranchTestBit64RegReg):
        (JSC::testBranchTestBit64RegImm):
        (JSC::testBranchTestBit64AddrImm):
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testBranchBitTest32TmpImm):
        (JSC::B3::testBranchBitTest32AddrImm):
        (JSC::B3::testBranchBitTest32TmpTmp):
        (JSC::B3::testBranchBitTest64TmpTmp):
        (JSC::B3::testBranchBitTest64AddrTmp):
        (JSC::B3::run):

2019-07-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Potential GC fix for JSPropertyNameEnumerator
        https://bugs.webkit.org/show_bug.cgi?id=200151

        Reviewed by Mark Lam.

        We have been seeing some JSPropertyNameEnumerator::visitChildren crashes for a long time. The crash frequency itself is not high, but it has existed for a long time.
        The crash happens when visiting m_propertyNames. It is also possible that this crash is caused by random corruption somewhere, but JSPropertyNameEnumerator
        has some tricky (and potentially dangerous) implementations anyway.

        1. JSPropertyNameEnumerator have Vector<WriteBarrier<JSString>> and it is extended in finishCreation with a lock.
           We should use Auxiliary memory for this use case. And we should set this memory in the constructor so that
           we do not extend it in finishCreation, and we do not need a lock.
        2. JSPropertyNameEnumerator gets StructureID before allocating JSPropertyNameEnumerator. This is potentially dangerous because the conservative scan
           cannot find the Structure* since we could only have StructureID. Since allocation code happens after StructureID is retrieved, it is possible that
           the allocation causes GC and Structure* is collected.

        In this patch, we align JSPropertyNameEnumerator implementation to the modern one to avoid using Vector<WriteBarrier<JSString>>. And we can make JSPropertyNameEnumerator
        a non-destructible cell. Since JSCell's destructor is one of the cause of various issues, we should avoid it if we can.

        No behavior change. This patch adds a test stressing JSPropertyNameEnumerator.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::create):
        (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
        (JSC::JSPropertyNameEnumerator::finishCreation):
        (JSC::JSPropertyNameEnumerator::visitChildren):
        (JSC::JSPropertyNameEnumerator::destroy): Deleted.
        * runtime/JSPropertyNameEnumerator.h:
        * runtime/VM.cpp:
        (JSC::VM::emptyPropertyNameEnumeratorSlow):
        * runtime/VM.h:
        (JSC::VM::emptyPropertyNameEnumerator):

2019-07-26  Mark Lam  <mark.lam@apple.com>

        Add crash diagnostics for debugging unexpected zapped cells.
        https://bugs.webkit.org/show_bug.cgi?id=200149
        <rdar://problem/53570112>

        Reviewed by Yusuke Suzuki, Saam Barati, and Michael Saboff.

        Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
        SlotVisitor::visitChildren().  If a zapped cell is detected, we will crash with
        some diagnostic info.

        To facilitate this, we've made the following changes:
        1. Changed FreeCell to preserve the 1st 8 bytes.  This is fine to do because all
           cells are at least 16 bytes long.
        2. Changed HeapCell::zap() to only zap the structureID.  Leave the rest of the
           cell header info intact (including the cell JSType).
        3. Changed HeapCell::zap() to record the reason for zapping the cell.  We stash
           the reason immediately after the first 8 bytes.  This is the same location as
           FreeCell::scrambledNext.  However, since a cell is not expected to be zapped
           and on the free list at the same time, it is also fine to do this.
        4. Added a few utility functions to MarkedBlock for checking if a cell points
           into the block.
        5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
        6. Added some comments to document the hashes of known subspaces.

        * heap/FreeList.h:
        (JSC::FreeCell::offsetOfScrambledNext):
        * heap/HeapCell.h:
        (JSC::HeapCell::zap):
        (JSC::HeapCell::isZapped const):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::stopAllocating):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::start const):
        (JSC::MarkedBlock::Handle::end const):
        (JSC::MarkedBlock::Handle::contains const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachSubspace):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::reportZappedCellAndCrash):
        * heap/SlotVisitor.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * tools/JSDollarVM.cpp:
        (JSC::functionDumpSubspaceHashes):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpSubspaceHashes):
        * tools/VMInspector.h:

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use unalignedLoad for JSRopeString fiber accesses
        https://bugs.webkit.org/show_bug.cgi?id=200148

        Reviewed by Mark Lam.

        JSRopeString always have some subsequent bytes that can be accessible because MarkedBlock has Footer.
        We use WTF::unalignedLoad to get fibers. And it will be converted to one load CPU instruction.

        * heap/MarkedBlock.h:
        * runtime/JSString.h:

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        Legacy numeric literals should not permit separators or BigInt
        https://bugs.webkit.org/show_bug.cgi?id=199984

        Reviewed by Keith Miller.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseOctal):
        (JSC::Lexer<T>::parseDecimal):

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, build fix due to C++17's std::invoke_result_t
        https://bugs.webkit.org/show_bug.cgi?id=200139

        Use std::result_of for now until all the supported environments implement it.

        * heap/IsoSubspace.h:

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Ensure PackedCellPtr only takes non-large-allocation pointers
        https://bugs.webkit.org/show_bug.cgi?id=200139

        Reviewed by Mark Lam.

        PackedCellPtr will compact a pointer by leveraging the fact that JSCell pointers are 16byte aligned.
        But this fact only holds when the JSCell is not large allocation. Currently, we are using PackedCellPtr
        only for the cell types which meets the above requirement. But we would like to ensure that statically.

        In this patch, we add additional static/runtime assertions to ensure this invariant. We accept a cell
        type of either (1) it is "final" annotated and sizeof(T) is <= MarkedSpace::largeCutoff or (2) it
        is allocated from IsoSubspace.

        This patch does not change any behaviors. It just adds extra static/runtime assertions.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::subspaceFor):
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
        * dfg/DFGAdaptiveStructureWatchpoint.h:
        * heap/IsoSubspace.h:
        * heap/PackedCellPtr.h:
        (JSC::PackedCellPtr::PackedCellPtr):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
        * runtime/ObjectToStringAdaptiveStructureWatchpoint.h:

2019-07-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make visitChildren implementation more idiomatic
        https://bugs.webkit.org/show_bug.cgi?id=200121

        Reviewed by Mark Lam.

        This patch makes visitChildren implementations more idiomatic: cast, assert, and calling Base::visitChildren.
        While this does not find interesting issues, it is still nice to have consistent implementations.
        StructureChain::visitChildren missed Base::visitChildren, but it does not have much effect since StructureChain
        is immortal cell.

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::visitChildren):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::visitChildren):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::visitChildren):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/JSImmutableButterfly.cpp:
        (JSC::JSImmutableButterfly::visitChildren):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::visitChildren):
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::visitChildren):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::visitChildren):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::visitChildren):
        * tools/JSDollarVM.cpp:
        (JSC::Root::visitChildren):
        (JSC::ImpureGetter::visitChildren):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::visitChildren):

2019-07-25  Ross Kirsling  <ross.kirsling@sony.com>

        [ESNext] Implement nullish coalescing
        https://bugs.webkit.org/show_bug.cgi?id=200072

        Reviewed by Darin Adler.

        Implement the nullish coalescing proposal, which has now reached Stage 3 at TC39.

        This introduces a ?? operator which:
          - acts like || but checks for nullishness instead of truthiness
          - has a precedence lower than || (or any other binary operator)
          - must be disambiguated with parentheses when combined with || or &&

        * bytecompiler/NodesCodegen.cpp:
        (JSC::CoalesceNode::emitBytecode): Added.
        Bytecode must use OpIsUndefinedOrNull and not OpNeqNull because of document.all.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
        * parser/NodeConstructors.h:
        (JSC::CoalesceNode::CoalesceNode): Added.
        * parser/Nodes.h:
        Introduce new token and AST node.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseBinaryExpression):
        Implement early error.

        * parser/ParserTokens.h:
        Since this patch needs to shift the value of every binary operator token anyway,
        let's only bother to increment their LSBs when we actually have a precedence conflict.

        * parser/ResultType.h:
        (JSC::ResultType::definitelyIsNull const): Added.
        (JSC::ResultType::mightBeUndefinedOrNull const): Added.
        (JSC::ResultType::forCoalesce): Added.
        We can do better than forLogicalOp here; let's be as accurate as possible.

        * runtime/Options.h:
        Add runtime feature flag.

2019-07-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        Three checks are missing in Proxy internal methods
        https://bugs.webkit.org/show_bug.cgi?id=198630

        Reviewed by Darin Adler.

        Add three missing checks in Proxy internal methods.
        These checks are necessary to maintain the invariants of the essential internal methods.
        (https://github.com/tc39/ecma262/pull/666)

        1. [[GetOwnProperty]] shouldn't return non-configurable and non-writable descriptor when the target's property is writable.
        2. [[Delete]] should return `false` when the target has property and is not extensible.
        3. [[DefineOwnProperty]] should return `true` for a non-writable input descriptor when the target's property is non-configurable and writable.

        Shipping in SpiderMonkey since https://hg.mozilla.org/integration/autoland/rev/3a06bc818bc4 (version 69)
        Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/e846ad9fa5109428be50b1989314e0e4e7267919

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty): Add writability check.
        (JSC::ProxyObject::performDelete): Add extensibility check.
        (JSC::ProxyObject::performDefineOwnProperty): Add writability check.

2019-07-24  Mark Lam  <mark.lam@apple.com>

        Remove some unused code.
        https://bugs.webkit.org/show_bug.cgi?id=200101

        Reviewed by Yusuke Suzuki.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::zap): Deleted.
        * heap/MarkedBlock.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::appendToMutatorMarkStack): Deleted.
        * heap/SlotVisitor.h:

2019-07-24  Mark Lam  <mark.lam@apple.com>

        performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer.
        https://bugs.webkit.org/show_bug.cgi?id=200100
        <rdar://problem/53474939>

        Reviewed by Yusuke Suzuki.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::CopyFunction::CopyFunction):
        (JSC::ARM64Assembler::CopyFunction::operator()):
        - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because
          retagCodePtr() would auth, assert, and re-pac the pointer.  This is needed in
          general because retagCodePtr() doesn't know that you will consume the pointer
          immediately (and therefore crash imminently if a failed auth is encountered).
          Since we know here that we will call with the auth'ed pointer immediately, we
          can skip the assert.

          This also has the benefit of letting Clang do a peephole optimization to emit
          a blrab instruction with the intended diversifier, instead of emitting multiple
          instructions to auth the pointer into a C function, and then using a blraaz to
          do a C function call.

        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * runtime/JSCPtrTag.h:

2019-07-24  Devin Rousso  <drousso@apple.com>

        Web Inspector: print the target of `console.screenshot` last so the target is the closest item to the image
        https://bugs.webkit.org/show_bug.cgi?id=199308

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.h:
        (Inspector::ConsoleMessage::arguments const):

        * inspector/ScriptArguments.h:
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getFirstArgumentAsString const): Added.
        (Inspector::ScriptArguments::getFirstArgumentAsString): Deleted.

2019-07-23  Justin Michaud  <justin_michaud@apple.com>

        Sometimes we miss removable CheckInBounds
        https://bugs.webkit.org/show_bug.cgi?id=200018

        Reviewed by Saam Barati.

        We failed to remove the CheckInBounds bounds because we did not see that the index was nonnegative. This is because we do not see the relationship between the two
        separate zero constants that appear in the IR for the given test case. This patch re-adds the hack to de-duplicate m_zero that was removed in 
        <https://trac.webkit.org/changeset/241228/webkit>.

        * dfg/DFGIntegerRangeOptimizationPhase.cpp:

2019-07-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up
        https://bugs.webkit.org/show_bug.cgi?id=200024

        Reviewed by Saam Barati.

        Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):

2019-07-22  Saam Barati  <sbarati@apple.com>

        Turn off Wasm fast memory on iOS
        https://bugs.webkit.org/show_bug.cgi?id=200016
        <rdar://problem/53417726>

        Reviewed by Yusuke Suzuki.

        We turned them on when we disabled Gigacage on iOS. However, we re-enabled
        Gigacage on iOS, but forgot to turn wasm fast memories back off.

        * runtime/Options.h:

2019-07-22  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed non-unified build fix.

        * runtime/CachedTypes.h:

2019-07-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make DFG Local CSE and AI conservative for huge basic block
        https://bugs.webkit.org/show_bug.cgi?id=199929
        <rdar://problem/49309924>

        Reviewed by Filip Pizlo.

        In CNN page, the main thread hangs several seconds. On less-powerful devices (like iPhone7), it hangs for ~11 seconds. This is not an acceptable behavior.
        The reason of this is that the DFG compiler takes too long time in the compilation for a particular function. It takes 8765 ms even in powerful x64 machine!
        DFG compiler is concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler's stop.
        DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some of DFG phases take very long time, the main thread is blocked during that.
        As a result, the main thread is blocked due to this pathological compilation.

        By measuring the time taken in each DFG phase, we found that our AI and CSE phase have a problem having quadratic complexity for # of DFG nodes in a basic block.
        In this patch, we add a threshold for # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use conservative but O(1) algorithm for AI and Local CSE phase.
        We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand,
        DFG should compile them because DFG is intended to be a fast compiler even for a bit larger CodeBlock.

        We first attempted to reduce the threshold for DFG compilation. We are using 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost
        is not the problem in CNN page. The problematic function has 67904 cost, and it takes 8765 ms in x64 machine. However, JetStream2/octane-zlib has 61949 function and it only takes
        ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block and it makes AI and Local CSE super time-consuming.
        Rather than relying on the bytecode cost which a bit indirectly related to this pathological compile-time, we should look into # of DFG nodes in a basic block which is more directly
        related to this problem. And we also found that 61949's Octane-zlib function is very critical for performance. This fact makes a bit hard to pick a right threshold: 67904 causes the problem,
        and 61949 must be compiled. This is why this patch is introducing conservative analysis instead of adjusting the threshold for DFG.

        This patch has two changes.

        1. DFG AI has structure transition tracking which has quadratic complexity

        Structure transition tracking takes very long time since its complexity is O(N^2) where N is # of DFG nodes in a basic block.
        CNN has very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm.
        For now, we just say "structures are clobbered" if # of DFG nodes in a basic block exceeds the threshold (20000).
        We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1].

        2. DFG Local CSE has quadratic complexity

        Local CSE's clobbering iterates all the impure heap values to remove the clobbered one. Since # of impure heap values tend to be proportional to # of DFG nodes we visited,
        each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface to LargeMap and SmallMap in CSE, but its clobbering
        implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such a huge basic block in
        JetStream2 and Speedometer2 so I'll track it in a separate bug[2].

        This patch reduces the compilation time from ~11 seconds to ~200 ms.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=199959
        [2]: https://bugs.webkit.org/show_bug.cgi?id=200014

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        * dfg/DFGCSEPhase.cpp:
        * runtime/Options.h:

2019-07-22  Zhifei Fang  <zhifei_fang@apple.com>

        Need to skip test cache directory data vault for non internal build
        https://bugs.webkit.org/show_bug.cgi?id=199951

        Reviewed by Alexey Proskuryakov.

        * API/tests/testapi.mm:
        (testBytecodeCacheValidation): "Cache directory `/private/tmp` is not a data vault" this error message will only be created for internal build see JSScript.mm:97

2019-07-17  Antoine Quint  <graouts@apple.com>

        Disable Pointer Events prior to watchOS 6
        https://bugs.webkit.org/show_bug.cgi?id=199890
        <rdar://problem/53206113>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2019-07-17  Keith Miller  <keith_miller@apple.com>

        Force useLLInt to true on arm64_32
        https://bugs.webkit.org/show_bug.cgi?id=199882
        <rdar://problem/53207586>

        Reviewed by Yusuke Suzuki.

        Some jsc tests set useLLInt=false but on arm64_32 we don't support the JIT.
        This causes the option coherency checker to get angry. We should force
        useLLInt=true on arm64_32 unless useJIT=true.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2019-07-17  Christopher Reid  <chris.reid@sony.com>

        Bytecode cache should use FileSystem
        https://bugs.webkit.org/show_bug.cgi?id=199759

        Reviewed by Yusuke Suzuki.

        Update bytecode cache to use platform generic FileSystem calls.

        * API/JSScript.mm:
        * CMakeLists.txt:
        * jsc.cpp:
        * runtime/CachePayload.cpp:
        * runtime/CachePayload.h:
        * runtime/CachedBytecode.h:
        * runtime/CachedTypes.cpp:
        * runtime/CachedTypes.h:
        * runtime/CodeCache.cpp:
        * runtime/CodeCache.h:
        * runtime/Completion.cpp:
        * runtime/Completion.h:

2019-07-17  Mark Lam  <mark.lam@apple.com>

        ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
        https://bugs.webkit.org/show_bug.cgi?id=199821
        <rdar://problem/52452328>

        Reviewed by Filip Pizlo.

        Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal
        nodes in the SSAConversionPhase.  SetLocal nodes are always preceded by MovHint nodes,
        and the SSAConversionPhase always inserts a KillStack node before a MovHint node.
        Hence, a PutStack node is always preceded by a KillStack node.

        However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series
        of one or more PutStacks nodes, and it prepends MovHint nodes before the PutStack
        nodes.  However, it neglects to prepend KillStack nodes as well.  Since the
        ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes
        added during ArgumentsElimination will not be preceded by KillStack nodes.

        This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase
        before it inserts a MovHint and a PutStack node.

        Consider this test case which can manifest the above issue as a crash:

            function inlinee(value) {
                ...
                let tmp = value + 1;
            }

            function reflect() {
                return inlinee.apply(undefined, arguments);
            }

            function test(arr) {
                let object = inlinee.apply(undefined, arr);   // Uses a lot of SetArgumentMaybe nodes.
                reflect();    // Calls with a LoadVararg, which gets converted into a PutStack of a constant.
            }

        In this test case, we have a scenario where a SetArgumentMaybe's stack
        slot is reused as the stack slot for a PutStack later.  Here, the PutStack will
        put a constant undefined value.  Coincidentally, the SetArgumentMaybe may also
        initialize that stack slot to a constant undefined value.  Note that by the time
        the PutStack executes, the SetArgumentMaybe's stack slot is dead.  The liveness of
        these 2 values are distinct.

        However, because we were missing a KillStack before the PutStack, OSR availability
        analysis gets misled into thinking that the PutStack constant value is still in the
        stack slot because the value left there by the SetArgumentMaybe hasn't been killed
        off yet.  As a result, OSR exit code will attempt to recover the PutStack's undefined
        constant by loading from the stack slot instead of materializing it.  Since
        SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR
        exit when we try to recover the PutStack constant value from the stack slot, and
        end up using what ever junk value we read from there.

        Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack
        removes this conflation of the PutStack's constant value with the SetArgumentMaybe's
        constant value in the same stack slot.  And, OSR availability analysis will no
        longer be misled to load the PutStack's constant value from the stack, but will
        materialize the constant instead.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2019-07-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r247505.
        https://bugs.webkit.org/show_bug.cgi?id=199871

        "Caused failed ASSERT in stress test" (Requested by creid on
        #webkit).

        Reverted changeset:

        "Bytecode cache should use FileSystem"
        https://bugs.webkit.org/show_bug.cgi?id=199759
        https://trac.webkit.org/changeset/247505

2019-07-16  Christopher Reid  <chris.reid@sony.com>

        Bytecode cache should use FileSystem
        https://bugs.webkit.org/show_bug.cgi?id=199759

        Reviewed by Yusuke Suzuki.

        Update bytecode cache to use platform generic FileSystem calls.

        * API/JSScript.mm:
        * CMakeLists.txt:
        * jsc.cpp:
        * runtime/CachePayload.cpp:
        * runtime/CachePayload.h:
        * runtime/CachedBytecode.h:
        * runtime/CachedTypes.cpp:
        * runtime/CachedTypes.h:
        * runtime/CodeCache.cpp:
        * runtime/CodeCache.h:
        * runtime/Completion.cpp:
        * runtime/Completion.h:

2019-07-16  Joonghun Park  <pjh0718@gmail.com>

        [GTK] Fix a build warning in JavaScriptCore/API/tests/testapi.c
        https://bugs.webkit.org/show_bug.cgi?id=199824

        Reviewed by Alex Christensen.

        * API/tests/testapi.c:
        (main):

2019-07-15  Keith Miller  <keith_miller@apple.com>

        JSGlobalObject type macros should support feature flags and WeakRef should have one
        https://bugs.webkit.org/show_bug.cgi?id=199601

        Reviewed by Mark Lam.

        This patch refactors the various builtin type macros to have a
        parameter, which is the feature flag enabling it.  Since most
        builtin types are enabled by default this patch adds a new global
        bool typeExposedByDefault for clarity. Note, because static hash
        tables have no concept of feature flags we can't use feature flags
        with lazy properties. This is probably not a big deal as features
        that are off by default won't be allocated anywhere we care about
        memory usage anyway.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stringObjectStructure const):
        (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted.
        * runtime/Options.h:
        * wasm/js/JSWebAssembly.cpp:

2019-07-15  Keith Miller  <keith_miller@apple.com>

        A Possible Issue of Object.create method
        https://bugs.webkit.org/show_bug.cgi?id=199744

        Reviewed by Yusuke Suzuki.

        We should call toObject on the properties argument if it was not undefined.
        See: https://tc39.es/ecma262/#sec-object.create

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):

2019-07-15  Saagar Jha  <saagarjha@apple.com>

        Keyword lookup can use memcmp to get around unaligned load undefined behavior
        https://bugs.webkit.org/show_bug.cgi?id=199650

        Reviewed by Yusuke Suzuki.

        Replace KeywordLookup's hand-rolled "memcmp" with the standard version, which reduces the need to deal with
        endianness and unaligned loads.

        * KeywordLookupGenerator.py:
        (Trie.printSubTreeAsC): Use memcmp instead of macros to test for matches.
        (Trie.printAsC): Unspecialize Lexer::parseKeyword as templating over the character type reduces the amount of
        code we need to generate and moves this task out of the Python script and into the C++ compiler.

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score.
        I picked trivial ones in this patch to make this easily reviewable.

        1. Remove WebAssemblyPrototype. It does not exist in the spec. Merging WebAssemblyPrototype into JSWebAssembly.
        2. Fix various attributes. It does not match to the usual JSC builtin's convention. But this change
           is correct because they are changed to be matched against WebIDL definition, and WebAssembly implementation
           follows WebIDL. In the future, we could move WebCore WebIDL things into WTF layer and even use (or leverage
           some of utility functions) in our WebAssembly JS API implementation.
        3. Fix how we interpret "present" in WebAssembly spec. This does not mean [[HasProperty]] result. It follows to
           WebIDL spec, and it means that [[Get]] result is not undefined.
        4. Add argument count check to Module.customSections, which is required because the method is defined in WebIDL.
        5. Fix toNonWrappingUint32 to match it to WebIDL's conversion rule.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js.
        * jit/Repatch.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        * wasm/js/JSWebAssembly.cpp:
        (JSC::JSWebAssembly::create):
        (JSC::JSWebAssembly::finishCreation):
        (JSC::reject):
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::JSWebAssembly::webAssemblyModuleValidateAsync):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::JSWebAssembly::instantiate):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toNonWrappingUint32):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        * wasm/js/WebAssemblyPrototype.cpp: Removed.
        * wasm/js/WebAssemblyPrototype.h: Removed.
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        (JSC::WebAssemblyTableConstructor::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:

2019-07-15  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r247440.

        Broke builds

        Reverted changeset:

        "[JSC] Improve wasm wpt test results by fixing miscellaneous
        issues"
        https://bugs.webkit.org/show_bug.cgi?id=199783
        https://trac.webkit.org/changeset/247440

2019-07-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Improve wasm wpt test results by fixing miscellaneous issues
        https://bugs.webkit.org/show_bug.cgi?id=199783

        Reviewed by Mark Lam.

        This patch fixes miscellaneous issues in our Wasm JS API implementation to improve WPT score.
        I picked trivial ones in this patch to make this easily reviewable.

        1. Remove WebAssemblyPrototype. It does not exist in the spec. Merging WebAssemblyPrototype into JSWebAssembly.
        2. Fix various attributes. It does not match to the usual JSC builtin's convention. But this change
           is correct because they are changed to be matched against WebIDL definition, and WebAssembly implementation
           follows WebIDL. In the future, we could move WebCore WebIDL things into WTF layer and even use (or leverage
           some of utility functions) in our WebAssembly JS API implementation.
        3. Fix how we interpret "present" in WebAssembly spec. This does not mean [[HasProperty]] result. It follows to
           WebIDL spec, and it means that [[Get]] result is not undefined.
        4. Add argument count check to Module.customSections, which is required because the method is defined in WebIDL.
        5. Fix toNonWrappingUint32 to match it to WebIDL's conversion rule.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * builtins/WebAssembly.js: Renamed from Source/JavaScriptCore/builtins/WebAssemblyPrototype.js.
        * jit/Repatch.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSModuleLoader.cpp:
        (JSC::moduleLoaderParseModule):
        * wasm/js/JSWebAssembly.cpp:
        (JSC::JSWebAssembly::create):
        (JSC::JSWebAssembly::finishCreation):
        (JSC::reject):
        (JSC::webAssemblyModuleValidateAsyncInternal):
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::JSWebAssembly::webAssemblyModuleValidateAsync):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::JSWebAssembly::instantiate):
        (JSC::webAssemblyModuleInstantinateAsyncInternal):
        (JSC::JSWebAssembly::webAssemblyModuleInstantinateAsync):
        (JSC::webAssemblyInstantiateFunc):
        (JSC::webAssemblyValidateFunc):
        (JSC::webAssemblyCompileStreamingInternal):
        (JSC::webAssemblyInstantiateStreamingInternal):
        * wasm/js/JSWebAssembly.h:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toNonWrappingUint32):
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):
        (JSC::WebAssemblyMemoryConstructor::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::webAssemblyModuleCustomSections):
        (JSC::WebAssemblyModuleConstructor::finishCreation):
        * wasm/js/WebAssemblyPrototype.cpp: Removed.
        * wasm/js/WebAssemblyPrototype.h: Removed.
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        (JSC::WebAssemblyTableConstructor::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:

2019-07-15  Youenn Fablet  <youenn@apple.com>

        Enable a debug WebRTC mode without any encryption
        https://bugs.webkit.org/show_bug.cgi?id=199177
        <rdar://problem/52074986>

        Reviewed by Eric Carlson.

        * inspector/protocol/Page.json:

2019-07-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, attempt to fix production builds after r247403.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2019-07-15  Tadeu Zagallo  <tzagallo@apple.com>

        Concurrent GC should not rely on current phase to determine if it's safe to steal conn
        https://bugs.webkit.org/show_bug.cgi?id=199786
        <rdar://problem/52505197>

        Reviewed by Saam Barati.

        In r246507, we fixed a race condition in the concurrent GC where the mutator might steal
        the conn from the collector thread while it transitions from the End phase to NotRunning.
        However, that fix was not sufficient. In the case that the mutator steals the conn, and the
        execution interleaves long enough for the mutator to progress to a different collection phase,
        the collector will resume in a phase other than NotRunning, and hence the check added to
        NotRunning will not suffice. To fix that, we add a new variable to track whether the collector
        thread is running (m_collectorThreadIsRunning) and use it to determine whether it's safe to
        steal the conn, rather than relying on m_currentPhase.

        * heap/Heap.cpp:
        (JSC::Heap::runNotRunningPhase):
        (JSC::Heap::requestCollection):
        * heap/Heap.h:

2019-07-12  Keith Miller  <keith_miller@apple.com>

        Add API to get all the dependencies of a given JSScript
        https://bugs.webkit.org/show_bug.cgi?id=199746

        Reviewed by Saam Barati.

        The method only returns the dependencies if the module was
        actually evaluated. Technically, we know what the dependencies are
        at the satisfy phase but for API simplicity we only provide that
        information if the module graph was complete enough to at least
        run.

        This patch also fixes an issue where we would allow import
        specifiers that didn't start "./" or "/". For reference, We have
        this restriction to be consistent with the web/node. The
        restriction exists in order to preserve namespace for
        builtin-modules.

        Lastly, this patch makes it so that we copy all scripts in the
        API/tests/testapiScripts directory so they don't have to be
        individually added to the xcode project.

        * API/JSAPIGlobalObject.mm:
        (JSC::computeValidImportSpecifier):
        (JSC::JSAPIGlobalObject::moduleLoaderResolve):
        (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
        * API/JSContext.mm:
        (-[JSContext dependencyIdentifiersForModuleJSScript:]):
        * API/JSContextPrivate.h:
        * API/JSScript.h:
        * API/tests/testapi.mm:
        (testFetchWithTwoCycle):
        (testFetchWithThreeCycle):
        (testModuleBytecodeCache):
        (+[JSContextFileLoaderDelegate newContext]):
        (-[JSContextFileLoaderDelegate fetchModuleScript:]):
        (-[JSContextFileLoaderDelegate findScriptForKey:]):
        (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
        (testDependenciesArray):
        (testDependenciesEvaluationError):
        (testDependenciesSyntaxError):
        (testDependenciesBadImportId):
        (testDependenciesMissingImport):
        (testObjectiveCAPI):
        * API/tests/testapiScripts/dependencyListTests/badModuleImportId.js: Added.
        * API/tests/testapiScripts/dependencyListTests/bar.js: Added.
        * API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js: Added.
        * API/tests/testapiScripts/dependencyListTests/foo.js: Added.
        * API/tests/testapiScripts/dependencyListTests/missingImport.js: Added.
        * API/tests/testapiScripts/dependencyListTests/referenceError.js: Added.
        * API/tests/testapiScripts/dependencyListTests/syntaxError.js: Added.
        * API/tests/testapiScripts/testapi-function-overrides.js: Renamed from Source/JavaScriptCore/API/tests/testapi-function-overrides.js.
        * API/tests/testapiScripts/testapi.js: Renamed from Source/JavaScriptCore/API/tests/testapi.js.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/ModuleLoader.js:
        (dependencyKeysIfEvaluated):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::dependencyKeysIfEvaluated):
        * runtime/JSModuleLoader.h:
        * shell/CMakeLists.txt:

2019-07-12  Justin Michaud  <justin_michaud@apple.com>

        B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
        https://bugs.webkit.org/show_bug.cgi?id=196371

        Reviewed by Keith Miller.

        Adding these strength reductions gives 2x a (x86) and 3x (arm64) performance improvement
        on the microbenchmark.

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testSubSub):
        (JSC::B3::testSubSub2):
        (JSC::B3::testSubAdd):
        (JSC::B3::testSubFirstNeg):
        (JSC::B3::run):

2019-07-12  Caio Lima  <ticaiolima@gmail.com>

        [BigInt] Add ValueBitLShift into DFG
        https://bugs.webkit.org/show_bug.cgi?id=192664

        Reviewed by Saam Barati.

        This patch is splitting the `BitLShift` into `ArithBitLShift` and
        `ValueBitLShift` to handle BigInt speculation more efficiently during
        DFG and FTL layers. Following the same approach of other `ValueBitOps`,
        `ValueBitLShift` handles Untyped and BigInt speculations, while
        `ArithBitLShift` handles number and boolean operands and always results into
        Int32. 

        * bytecode/BytecodeList.rb:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Opcode.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantBinaryBitwiseOp):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

        We moved `BitLShift` constant fold rules to a new method
        `handleConstantBinaryBitwiseOp` to be reused by `ArithBitLShift` and
        `ValueBitLShift`. This also enables support of constant folding on other
        bitwise operations like `ValueBitAnd`, `ValueBitOr` and `ValueBitXor`, when
        their binary use kind is UntypedUse. Such cases can happen on those
        nodes because fixup phase is conservative.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
        (JSC::DFG::ByteCodeParser::parseBlock):

        We parse `op_lshift` as `ArithBitLShift` when its operands are numbers.
        Otherwise, we fallback to `ValueBitLShift` and rely on fixup phase to
        convert `ValueBitLShift` into `ArithBitLShift` when possible.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

        `ArithBitLShift` has the same clobberize rules as former `BitLShift`.
        `ValueBitLShift` only clobberize world when it is UntypedUse.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

        `ValueBitLShift` can GC when `BigIntUse` because it allocates new
        JSBigInts to perform this operation. It also can GC on UntypedUse
        because of observable user code.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

        `ValueBitLShift` and `ArithBitLShift` has the same fixup rules of
        other binary bitwise operations. In the case of `ValueBitLShift`
        We check if we should speculate on BigInt or Untyped and fallback to
        `ArithBitLShift` when both cheks fail.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:

        We updated `operationValueBitLShift` to handle BigInt cases. Also, we
        added `operationBitLShiftBigInt` that is used when we compile
        `ValueBitLValueBitLShift(BigIntUse)`.

        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:

        `ValueBitLShift`'s prediction propagation rules differs from other
        bitwise operations, because using only heap prediction for this node causes
        significant performance regression on Octane's zlib and mandreel.
        The reason is because of cases where a function is compiled but the
        instruction `op_lshift` was never executed before. If we use
        `getPrediction()` we will emit a `ForceOSRExit`, resulting in more OSR
        than desired. To solve such issue, we are then using
        `getPredictionWithoutOSR()` and falling back to `getHeapPrediction()`
        only on cases where we can't rely on node's input types.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueLShiftOp):
        (JSC::DFG::SpeculativeJIT::compileShiftOp):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shiftOp):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift):
        (JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2019-07-12  Keith Miller  <keith_miller@apple.com>

        getIndexQuickly should be const
        https://bugs.webkit.org/show_bug.cgi?id=199747

        Reviewed by Yusuke Suzuki.

        * runtime/Butterfly.h:
        (JSC::Butterfly::indexingPayload const):
        (JSC::Butterfly::arrayStorage const):
        (JSC::Butterfly::contiguousInt32 const):
        (JSC::Butterfly::contiguousDouble const):
        (JSC::Butterfly::contiguous const):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly const):
        (JSC::JSObject::getIndexQuickly const):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canGetIndexQuickly): Deleted.
        (JSC::JSObject::getIndexQuickly): Deleted.

2019-07-11  Justin Michaud  <justin_michaud@apple.com>

        Add b3 macro lowering for CheckMul on arm64
        https://bugs.webkit.org/show_bug.cgi?id=199251

        Reviewed by Robin Morisset.

        - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check.
        - Add a new opcode to air on arm64 for smull (multiplySignExtend32).
        - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). 
        - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, 
          and no change on the no-constant benchmark.
        Also, skip some of the b3 tests that were failing before this patch so that the new tests can run
        to completion.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::multiplySignExtend32):
        * assembler/testmasm.cpp:
        (JSC::testMul32SignExtend):
        (JSC::run):
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerToAir.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testMulArgs32SignExtend):
        (JSC::B3::testMulImm32SignExtend):
        (JSC::B3::testMemoryFence):
        (JSC::B3::testStoreFence):
        (JSC::B3::testLoadFence):
        (JSC::B3::testPinRegisters):
        (JSC::B3::run):

2019-07-11  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, revert r243617.
        https://bugs.webkit.org/show_bug.cgi?id=196341

        Mark pointed out that JSVirtualMachine can be gone in the other thread while we are executing GC constraint-solving.
        This patch does not account that JavaScriptCore.framework is multi-thread safe: JSVirtualMachine wrapper can be destroyed,
        and [JSVirtualMachine dealloc] can be executed in any threads while the VM is retained and used in the other thread (e.g.
        destroyed from AutoReleasePool in some thread).

        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]):
        (-[JSContext dealloc]):
        (-[JSContext initWithGlobalContextRef:]):
        (-[JSContext wrapperMap]):
        (+[JSContext contextWithJSGlobalContextRef:]):
        * API/JSVirtualMachine.mm:
        (initWrapperCache):
        (wrapperCache):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        (-[JSVirtualMachine contextForGlobalContextRef:]):
        (-[JSVirtualMachine addContext:forGlobalContextRef:]):
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * API/JSVirtualMachineInternal.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setWrapperMap):
        (JSC::JSGlobalObject::setAPIWrapper): Deleted.
        (JSC::JSGlobalObject::apiWrapper const): Deleted.
        * runtime/VM.h:

2019-07-10  Tadeu Zagallo  <tzagallo@apple.com>

        Optimize join of large empty arrays
        https://bugs.webkit.org/show_bug.cgi?id=199636

        Reviewed by Mark Lam.

        Replicate the behavior of `str.repeat(count)` when performing `new Array(count + 1).join(str)`.
        I added two new microbenchmarks:
        - large-empty-array-join, which does not use the result of the join and runs ~44x faster and uses ~18x less memory.
        - large-empty-array-join-resolve-rope, which uses the result of the join and runs 2x faster.

                                                    baseline                    diff
        large-empty-array-join                2713.9698+-72.7621    ^     61.2335+-10.4836       ^ definitely 44.3217x faster
        large-empty-array-join-resolve-string   26.5517+-0.3995     ^     12.9309+-0.5516        ^ definitely 2.0533x faster

        large-empty-array-join memory usage with baseline (dirty):
            733012 kB current_mem
            756824 kB lifetime_peak

        large-empty-array-join memory usage with diff (dirty):
            41904 kB current_mem
            41972 kB lifetime_peak

        Additionally, I ran JetStream2, sunspider and v8-spider and all were neutral.

        * runtime/ArrayPrototype.cpp:
        (JSC::fastJoin):

2019-07-08  Keith Miller  <keith_miller@apple.com>

        Enable Intl.PluralRules and Intl.NumberFormatToParts by default
        https://bugs.webkit.org/show_bug.cgi?id=199288

        Reviewed by Yusuke Suzuki.

        These features have been around for a while. We should turn them on by default.

        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation): Deleted.
        * runtime/IntlObject.h:
        * runtime/Options.h:

2019-07-08  Antoine Quint  <graouts@apple.com>

        [Pointer Events] Enable only on the most recent version of the supported iOS family
        https://bugs.webkit.org/show_bug.cgi?id=199562
        <rdar://problem/52766511>

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2019-07-06  Michael Saboff  <msaboff@apple.com>

        switch(String) needs to check for exceptions when resolving the string
        https://bugs.webkit.org/show_bug.cgi?id=199541

        Reviewed by Mark Lam.

        Added exception checks for resolved Strings in switch processing for all tiers.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2019-07-05  Mark Lam  <mark.lam@apple.com>

        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
        https://bugs.webkit.org/show_bug.cgi?id=199533
        <rdar://problem/52669111>

        Reviewed by Filip Pizlo.

        * dfg/DFGArgumentsEliminationPhase.cpp:

2019-07-05  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix build failure on ARM64_32
        https://bugs.webkit.org/show_bug.cgi?id=182434

        Implicit narrowing from uint64_t to uint32_t happens. We should explicitly narrow it because we already checked
        the `length` is <= UINT32_MAX.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSpeciesCreate):

2019-07-05  Alexey Shvayka  <shvaikalesh@gmail.com>

        [JSC] Clean up ArraySpeciesCreate
        https://bugs.webkit.org/show_bug.cgi?id=182434

        Reviewed by Yusuke Suzuki.

        We have duplicate code in arraySpeciesCreate, filter, map, concatSlowPath of ArrayPrototype.js
        and speciesConstructArray of ArrayPrototype.cpp. This patch fixes cross-realm Array constructor
        detection in native speciesConstructArray, upgrades `length` type to correctly handle large integers,
        and exposes it as @arraySpeciesCreate. Also removes now unused @isArrayConstructor private function.
        Native speciesConstructArray is preferred because it has fast path via speciesWatchpointIsValid.

        Thoroughly benchmarked: this change progresses ARES-6 by 0-1%.

        * builtins/ArrayPrototype.js:
        (filter):
        (map):
        (globalPrivate.concatSlowPath):
        (globalPrivate.arraySpeciesCreate): Deleted.
        * builtins/BuiltinNames.h:
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorPrivateFuncIsArrayConstructor): Deleted.
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSpeciesCreate):
        * runtime/ArrayPrototype.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-07-05  Tadeu Zagallo  <tzagallo@apple.com>

        Unreviewed, change the value used to scribble Heap::m_worldState
        https://bugs.webkit.org/show_bug.cgi?id=199498

        Follow-up after r247160. The value used to scribble should have the
        conn bit set.

        * heap/Heap.cpp:
        (JSC::Heap::~Heap):

2019-07-05  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r247115.

        Breaks lldbWebKitTester (and by extension, test-webkitpy)

        Reverted changeset:

        "[WHLSL] Standard library is too big to directly include in
        WebCore"
        https://bugs.webkit.org/show_bug.cgi?id=198186
        https://trac.webkit.org/changeset/247115

2019-07-05  Tadeu Zagallo  <tzagallo@apple.com>

        Scribble Heap::m_worldState on destructor
        https://bugs.webkit.org/show_bug.cgi?id=199498

        Reviewed by Sam Weinig.

        The worldState is dumped when we crash due to a failed checkConn, and
        this will make it clear if the heap has already been destroyed.

        * heap/Heap.cpp:
        (JSC::Heap::~Heap):

2019-07-03  Sam Weinig  <weinig@apple.com>

        Adopt simple structured bindings in more places
        https://bugs.webkit.org/show_bug.cgi?id=199247

        Reviewed by Alex Christensen.

        Replaces simple uses of std::tie() with structured bindings. Does not touch
        uses of std::tie() that are not initial declarations, use std::ignore or in
        case where the binding is captured by a lambda, as structured bindings don't
        work for those cases yet.

        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::doWork):
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::trapHandler):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::createSourceBufferFromValue):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyValidateFunc):

2019-07-03  Keith Miller  <keith_miller@apple.com>

        PACCage should first cage leaving PAC bits intact then authenticate
        https://bugs.webkit.org/show_bug.cgi?id=199372

        Reviewed by Saam Barati.

        This ordering prevents someone from taking a signed pointer from
        outside the gigacage and using it in a struct that expects a caged
        pointer. Previously, the PACCaging just double checked that the PAC
        bits were valid for the original pointer.


               +---------------------------+
               |       |        |          |
               | "PAC" | "base" | "offset" +----+
               |       |        |          |    |
               +---------------------------+    | Caging
                |                               |
                |                               |
                |                               v
                |                +---------------------------+
                |                |       |        |          |
                | Bit Merge      | 00000 |  base  | "offset" |
                |                |       |        |          |
                |                +---------------------------+
                |                               |
                |                               |
                v                               |  Bit Merge
          +---------------------------+         |
          |       |        |          |         |
          | "PAC" |  base  | "offset" +<--------+
          |       |        |          |
          +---------------------------+
                      |
                      |
                      | Authenticate
                      |
                      v
          +---------------------------+
          |       |        |          |
          | Auth  |  base  | "offset" |
          |       |        |          |
          +---------------------------+

        The above ascii art graph shows how the PACCage system works. The
        key take away is that even if someone passes in a valid, signed
        pointer outside the cage it will still fail to authenticate as the
        "base" bits will change before authentication.


        * assembler/MacroAssemblerARM64E.h:
        * assembler/testmasm.cpp:
        (JSC::testCagePreservesPACFailureBit):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageConditionally):
        * llint/LowLevelInterpreter64.asm:

2019-07-03  Paulo Matos  <pmatos@igalia.com>

        Refactoring of architectural Register Information
        https://bugs.webkit.org/show_bug.cgi?id=198604

        Reviewed by Keith Miller.

        The goal of this patch is to centralize the register information per platform
        but access it in a platform independent way. The patch as been implemented for all
        known platforms: ARM64, ARMv7, MIPS, X86 and X86_64. Register information has
        been centralized in an architecture per-file: each file is called assembler/<arch>Registers.h.

        RegisterInfo.h is used as a forwarding header to choose which register information to load.
        assembler/<arch>Assembler.h and jit/RegisterSet.cpp use this information in a platform
        independent way.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::gprName): Use register names from register info file.
        (JSC::ARM64Assembler::sprName): likewise.
        (JSC::ARM64Assembler::fprName): likewise.
        * assembler/ARM64Registers.h: Added.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::gprName): Use register names from register info file.
        (JSC::ARMv7Assembler::sprName): likewise.
        (JSC::ARMv7Assembler::fprName): likewise.
        * assembler/ARMv7Registers.h: Added.
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::gprName): Use register names from register info file.
        (JSC::MIPSAssembler::sprName): likewise.
        (JSC::MIPSAssembler::fprName): likewise.
        * assembler/MIPSRegisters.h: Added.
        * assembler/RegisterInfo.h: Added.
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::gprName): Use register names from register info file.
        (JSC::X86Assembler::sprName): likewise.
        (JSC::X86Assembler::fprName): likewise.
        * assembler/X86Registers.h: Added.
        * assembler/X86_64Registers.h: Added.
        * jit/GPRInfo.h: Fix typo in comment (s/basline/baseline).
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters): Use register properties from register info file.
        (JSC::RegisterSet::calleeSaveRegisters): likewise.

2019-07-02  Michael Saboff  <msaboff@apple.com>

        Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code
        https://bugs.webkit.org/show_bug.cgi?id=199395

        Reviewed by Filip Pizlo.

        For destructuring assignmests, the assignment might throw a reference error if
        the RHS cannot be coerced.  The current bytecode generated for such assignments
        optimizes out the TDZ check after the coercible check.

        By saving the current state of the TDZ stack before processing the setting of 
        target destructured values and then restoring afterwards, we won't optimize out
        later TDZ check(s).

        A similar change of saving / restoring the TDZ stack where exceptions might
        happen was done for for..in loops in change set r232219.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue const):

2019-07-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r247041.
        https://bugs.webkit.org/show_bug.cgi?id=199425

        broke some iOS arm64e tests (Requested by keith_miller on
        #webkit).

        Reverted changeset:

        "PACCage should first cage leaving PAC bits intact then
        authenticate"
        https://bugs.webkit.org/show_bug.cgi?id=199372
        https://trac.webkit.org/changeset/247041

2019-07-02  Keith Miller  <keith_miller@apple.com>

        Frozen Arrays length assignment should throw in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=199365

        Reviewed by Yusuke Suzuki.

        * runtime/JSArray.cpp:
        (JSC::JSArray::put):

2019-07-02  Paulo Matos  <pmatos@linki.tools>

        Fix typo in if/else block and remove dead assignment
        https://bugs.webkit.org/show_bug.cgi?id=199352

        Reviewed by Alexey Proskuryakov.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::dumpPattern): Fix typo in if/else block and remove dead assignment

2019-07-02  Keith Miller  <keith_miller@apple.com>

        PACCage should first cage leaving PAC bits intact then authenticate
        https://bugs.webkit.org/show_bug.cgi?id=199372

        Reviewed by Saam Barati.

        This ordering prevents someone from taking a signed pointer from
        outside the gigacage and using it in a struct that expects a caged
        pointer. Previously, the PACCaging just double checked that the PAC
        bits were valid for the original pointer.


               +---------------------------+
               |       |        |          |
               | "PAC" | "base" | "offset" +----+
               |       |        |          |    |
               +---------------------------+    | Caging
                |                               |
                |                               |
                |                               v
                |                +---------------------------+
                |                |       |        |          |
                | Bit Merge      | 00000 |  base  | "offset" |
                |                |       |        |          |
                |                +---------------------------+
                |                               |
                |                               |
                v                               |  Bit Merge
          +---------------------------+         |
          |       |        |          |         |
          | "PAC" |  base  | "offset" +<--------+
          |       |        |          |
          +---------------------------+
                      |
                      |
                      | Authenticate
                      |
                      v
          +---------------------------+
          |       |        |          |
          | Auth  |  base  | "offset" |
          |       |        |          |
          +---------------------------+

        The above ascii art graph shows how the PACCage system works. The
        key take away is that even if someone passes in a valid, signed
        pointer outside the cage it will still fail to authenticate as the
        "base" bits will change before authentication.


        * assembler/MacroAssemblerARM64E.h:
        * assembler/testmasm.cpp:
        (JSC::testCagePreservesPACFailureBit):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageConditionally):
        * llint/LowLevelInterpreter64.asm:

2019-07-01  Justin Michaud  <justin_michaud@apple.com>

        [Wasm-References] Disable references by default
        https://bugs.webkit.org/show_bug.cgi?id=199390

        Reviewed by Saam Barati.

        * runtime/Options.h:

2019-07-01  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r246946.

        Caused JSC test crashes on arm64

        Reverted changeset:

        "Add b3 macro lowering for CheckMul on arm64"
        https://bugs.webkit.org/show_bug.cgi?id=199251
        https://trac.webkit.org/changeset/246946

2019-06-28  Justin Michaud  <justin_michaud@apple.com>

        Add b3 macro lowering for CheckMul on arm64
        https://bugs.webkit.org/show_bug.cgi?id=199251

        Reviewed by Robin Morisset.

        - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check.
        - Add a new opcode to air on arm64 for smull (multiplySignExtend32).
        - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). 
        - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, 
          and no change on the no-constant benchmark.
        Also, skip some of the b3 tests that were failing before this patch so that the new tests can run
        to completion.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::multiplySignExtend32):
        * assembler/testmasm.cpp:
        (JSC::testMul32SignExtend):
        (JSC::run):
        * b3/B3LowerMacros.cpp:
        * b3/B3LowerToAir.cpp:
        * b3/air/AirOpcode.opcodes:
        * b3/testb3.cpp:
        (JSC::B3::testMulArgs32SignExtend):
        (JSC::B3::testMulImm32SignExtend):
        (JSC::B3::testMemoryFence):
        (JSC::B3::testStoreFence):
        (JSC::B3::testLoadFence):
        (JSC::B3::testPinRegisters):
        (JSC::B3::run):

2019-06-28  Konstantin Tokarev  <annulen@yandex.ru>

        Remove traces of ENABLE_ICONDATABASE remaining after its removal in 219733
        https://bugs.webkit.org/show_bug.cgi?id=199317

        Reviewed by Michael Catanzaro.

        While IconDatabase and all code using it was removed,
        ENABLE_ICONDATABASE still exists as build option and C++ macro.

        * Configurations/FeatureDefines.xcconfig:

2019-06-27  Mark Lam  <mark.lam@apple.com>

        FTL keepAlive()'s patchpoint should also declare that it reads HeapRange::top().
        https://bugs.webkit.org/show_bug.cgi?id=199291

        Reviewed by Yusuke Suzuki and Filip Pizlo.

        The sole purpose of keepAlive() is to communicate to B3 that an LValue
        needs to be kept alive past the last opportunity for a GC.  The only way
        we can get a GC is via a function call.  Hence, what keepAlive() really
        needs to communicate is that the LValue needs to be kept alive past the
        last function call.  Function calls read and write HeapRange::top().
        Currently, B3 does not shuffle writes.  Hence, simply inserting the
        keepAlive() after the calls that can GC is sufficient.

        But to be strictly correct, keepAlive() should also declare that it reads
        HeapRange::top().  This will guarantee that the keepAlive patchpoint won't
        ever be moved before the function call should B3 gain the ability to shuffle
        writes in the future.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::keepAlive):

2019-06-27  Beth Dakin  <bdakin@apple.com>

        Upstream use of MACCATALYST
        https://bugs.webkit.org/show_bug.cgi?id=199245
        rdar://problem/51687723

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/SDKVariant.xcconfig:

2019-06-27  Saam Barati  <sbarati@apple.com>

        Make WEBGPU enabled only on Mojave and later.

        Rubber-stamped by Myles C. Maxfield.

        * Configurations/FeatureDefines.xcconfig:

2019-06-27  Don Olmstead  <don.olmstead@sony.com>

        [FTW] Build JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=199254

        Reviewed by Brent Fulgham.

        * PlatformFTW.cmake: Added.

2019-06-27  Konstantin Tokarev  <annulen@yandex.ru>

        Use JSC_GLIB_API_ENABLED instead of USE(GLIB) as a compile-time check for GLib JSC API
        https://bugs.webkit.org/show_bug.cgi?id=199270

        Reviewed by Michael Catanzaro.

        This change allows building code with enabled USE(GLIB) but without
        GLib JSC API.

        * heap/Heap.cpp:
        (JSC::Heap::releaseDelayedReleasedObjects):
        * heap/Heap.h:
        * heap/HeapInlines.h:

2019-06-27  Devin Rousso  <drousso@apple.com>

        Web Inspector: throw an error if console.count/console.countReset is called with an object that throws an error from toString
        https://bugs.webkit.org/show_bug.cgi?id=199252

        Reviewed by Joseph Pecoraro.

        Parse the arguments passed to `console.count` and `console.countReset` before sending it to
        the `ConsoleClient` so that an error can be thrown if the first argument doesn't `toString`
        nicely (e.g. without throwing an error).

        Generate call stacks for `console.countReset` to match other `console` methods. Also do this
        for `console.time`, `console.timeLog`, and `console.timeEnd`. Limit the call stack to only
        have the top frame, so no unnecessary/extra data is sent to the frontend (right now, only
        the call location is displayed).

        Rename `title` to `label` for `console.time`, `console.timeLog`, and `console.timeEnd` to
        better match the spec.

        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::valueOrDefaultLabelString):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncCountReset):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeLog):
        (JSC::consoleProtoFuncTimeEnd):

        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::count):
        (Inspector::JSGlobalObjectConsoleClient::countReset):
        (Inspector::JSGlobalObjectConsoleClient::time):
        (Inspector::JSGlobalObjectConsoleClient::timeLog):
        (Inspector::JSGlobalObjectConsoleClient::timeEnd):

        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::startTiming):
        (Inspector::InspectorConsoleAgent::logTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::countReset):
        (Inspector::InspectorConsoleAgent::getCounterLabel): Deleted.

        * inspector/ConsoleMessage.h:
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        Allow `ConsoleMessage`s to be created with both `ScriptArguments` and a `ScriptCallStack`.

2019-06-27  Fujii Hironori  <Hironori.Fujii@sony.com>

        [CMake] Bump cmake_minimum_required version to 3.10
        https://bugs.webkit.org/show_bug.cgi?id=199181

        Reviewed by Don Olmstead.

        * CMakeLists.txt:

2019-06-26  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [RemoteInspector] Add address argument to listen for RemoteInspectorServer Socket implementation.
        https://bugs.webkit.org/show_bug.cgi?id=199035

        Reviewed by Ross Kirsling.

        Added new argument `address` to start listening. 

        * inspector/remote/socket/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start):
        * inspector/remote/socket/RemoteInspectorServer.h:
        * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
        (Inspector::Socket::listen):
        * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp:
        (Inspector::Socket::listen):

2019-06-26  Keith Miller  <keith_miller@apple.com>

        speciesConstruct needs to throw if the result is a DataView
        https://bugs.webkit.org/show_bug.cgi?id=199231

        Reviewed by Mark Lam.

        Previously, we only checked that the result was a
        JSArrayBufferView, which can include DataViews. This is incorrect
        as the result should be only be a TypedArray.

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):

2019-06-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Implement console.countReset
        https://bugs.webkit.org/show_bug.cgi?id=199200

        Reviewed by Devin Rousso.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::countReset):
        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::getCounterLabel):
        (Inspector::InspectorConsoleAgent::count):
        (Inspector::InspectorConsoleAgent::countReset):
        * inspector/agents/InspectorConsoleAgent.h:
        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        (JSC::consoleProtoFuncCountReset):

2019-06-26  Keith Miller  <keith_miller@apple.com>

        remove unneeded didBecomePrototype() calls
        https://bugs.webkit.org/show_bug.cgi?id=199221

        Reviewed by Saam Barati.

        Since we now set didBecomePrototype in Structure::create we don't
        need to set it expliticly in most of our finishCreation
        methods. The only exception to this is object prototype, which we
        set as the prototype of function prototype late (via
        setPrototypeWithoutTransition).

        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/RegExpStringIteratorPrototype.cpp:
        (JSC::RegExpStringIteratorPrototype::finishCreation):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakObjectRefPrototype.cpp:
        (JSC::WeakObjectRefPrototype::finishCreation):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):

2019-06-25  Keith Miller  <keith_miller@apple.com>

        Structure::create should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Filip Pizlo.

        Structure::create should also assert that the indexing type makes sense
        for the prototype being used.

        * runtime/JSObject.h:
        * runtime/Structure.cpp:
        (JSC::Structure::isValidPrototype):
        (JSC::Structure::changePrototypeTransition):
        * runtime/Structure.h:
        (JSC::Structure::create): Deleted.
        * runtime/StructureInlines.h:
        (JSC::Structure::create):
        (JSC::Structure::setPrototypeWithoutTransition):

2019-06-25  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Implement console.timeLog
        https://bugs.webkit.org/show_bug.cgi?id=199184

        Reviewed by Devin Rousso.

        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::timeLog):
        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::logTiming):
        (Inspector::InspectorConsoleAgent::stopTiming):
        * inspector/agents/InspectorConsoleAgent.h:
        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        (JSC::consoleProtoFuncTimeLog):

2019-06-25  Michael Catanzaro  <mcatanzaro@igalia.com>

        REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size
        https://bugs.webkit.org/show_bug.cgi?id=198518

        Reviewed by Keith Miller.

        r245586 made some bad assumptions about the size of size_t, which we can solve using the
        CPU(ADDRESS32) guard that I didn't know about.

        This solution was developed by Mark Lam and Keith Miller. I'm just preparing the patch.

        * runtime/MatchResult.h:

2019-06-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r246714.
        https://bugs.webkit.org/show_bug.cgi?id=199179

        revert to do patch in a different way. (Requested by keith_mi_
        on #webkit).

        Reverted changeset:

        "All prototypes should call didBecomePrototype()"
        https://bugs.webkit.org/show_bug.cgi?id=196315
        https://trac.webkit.org/changeset/246714

2019-06-24  Alexey Shvayka  <shvaikalesh@gmail.com>

        Add Array.prototype.{flat,flatMap} to unscopables
        https://bugs.webkit.org/show_bug.cgi?id=194322

        Reviewed by Keith Miller.

        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):

2019-06-24  Mark Lam  <mark.lam@apple.com>

        ArraySlice needs to keep the source array alive.
        https://bugs.webkit.org/show_bug.cgi?id=197374
        <rdar://problem/50304429>

        Reviewed by Michael Saboff and Filip Pizlo.

        The implementation of the FTL ArraySlice intrinsics may GC while allocating the
        result array and its butterfly.  Previously, ArraySlice already keeps the source
        butterfly alive in order to copy from it to the new butterfly after the allocation.
        Unfortunately, this is not enough.  We also need to keep the source array alive
        so that GC will scan the values in the butterfly as well.  Note: the butterfly
        does not have a visitChildren() method to do this scan.  It's the parent object's
        responsibility to do the scanning.

        This patch fixes this by introducing a keepAlive() utility method, and we use it
        to keep the source array alive while allocating the result array and butterfly.

        keepAlive() works by using a patchpoint to communicate to B3 that a value (the
        source array in this case) is still in use.  It also uses a fence to keep B3 from
        relocating the patchpoint, which may defeat the fix.

        For the DFG's SpeculativeJIT::compileArraySlice(), we may have lucked out and the
        source array cell is kept alive.  This patch makes it explicit that we should
        keep its cell alive till after the result array has been allocated.

        For the Baseline JIT and LLInt, we use the arrayProtoFuncSlice() runtime function
        and there is no issue because the source array (in "thisObj") is in the element
        copying loop that follows the allocation of the result array.  However, for
        documentation purposes, this patch adds a call to HeapCell::use() to indicate that
        the source array need to kept alive at least until after the allocation of the
        result array.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::keepAlive):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSlice):

2019-06-22  Robin Morisset  <rmorisset@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        All prototypes should call didBecomePrototype()
        https://bugs.webkit.org/show_bug.cgi?id=196315

        Reviewed by Saam Barati.

        Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor.

        I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
        create structures with invalid prototypes.
        It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
        Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.

        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::createConsoleProperty):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::finishCreation):
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/Structure.cpp:
        (JSC::Structure::isValidPrototype):
        (JSC::Structure::changePrototypeTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setPrototypeWithoutTransition):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
        (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::WebAssemblyInstancePrototype::finishCreation):
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
        (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::WebAssemblyModulePrototype::finishCreation):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::WebAssemblyPrototype::finishCreation):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
        (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::WebAssemblyTablePrototype::finishCreation):

2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Strict, Sloppy and Arrow functions should have different classInfo
        https://bugs.webkit.org/show_bug.cgi?id=197631

        Reviewed by Saam Barati.

        If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class.
        This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we
        cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked
        by comparing classInfo of the cached structure and the given base structure. This implicitly assume that
        each builtin class's InternalFunction creates an instance based on one structure.

        However, Function constructor is an exception: Function constructor creates an instance which has different
        structures based on a parameter. If a strict code is given (e.g. "'use strict'"), it creates a function
        instance with strict function structure.

        As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code.

            class A extends Function { };
            let a = new A("'use strict'");
            let b = new A("");

        While `a` and `b` should have different structures, `A` caches the structure for `a`, and reuse it even the given
        code is not a strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions
        because they have different properties. However, in the above case, a and b have the same structure while they have
        different properties. So it causes incorrect structure-based caching in JSC. One of the example is HasOwnPropertyCache.

        In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design
        works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each
        structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the
        cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL
        optimizations are based on JSFunctionType (not classInfo), introducing these three classInfo do not break the optimization.

        Note that structures on ArrayConstructor does not cause the same problem. It only uses Undecided indexing typed array
        structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile.

        * runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that
        sizeof(JSAsyncFunction) == sizeof(JSFunction).
        * runtime/JSAsyncGeneratorFunction.cpp:
        * runtime/JSAsyncGeneratorFunction.h: Ditto.
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGeneratorFunction.h: Ditto.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-06-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ClassExpr should not store result in the middle of evaluation
        https://bugs.webkit.org/show_bug.cgi?id=199106

        Reviewed by Tadeu Zagallo.

        Let's consider the case,

            let a = class A {
                static get[a=0x12345678]() {
                }
            };

        When evaluating `class A` expression, we should not use the local register for `let a`
        until we finally store it to that register. Otherwise, `a=0x12345678` will override it.
        Out BytecodeGenerator does that this by using tempDestination and finalDestination, but
        we did not do that in ClassExprNode.

        This patch leverages tempDestination and finalDestination to store `class A` result finally,
        while we attempt to reduce mov.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

2019-06-21  Sihui Liu  <sihui_liu@apple.com>

        openDatabase should return an empty object when WebSQL is disabled
        https://bugs.webkit.org/show_bug.cgi?id=198805

        Reviewed by Geoffrey Garen.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined):
        * runtime/JSFunction.h:

2019-06-21  Alexey Shvayka  <shvaikalesh@gmail.com>

        Remove extra check in RegExp @matchSlow
        https://bugs.webkit.org/show_bug.cgi?id=198846

        Reviewed by Joseph Pecoraro.

        Type of RegExp `exec` result is already asserted in @regExpExec.

        * builtins/RegExpPrototype.js:
        (globalPrivate.matchSlow): Remove isObject check.

2019-06-20  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs
        https://bugs.webkit.org/show_bug.cgi?id=199044

        Reviewed by Saam Barati.

        Fix parsing table indices from the element section. The byte that we previously read as the table index actually tells us how to parse the table index.
        Fix some areas where we got the isSubtype check wrong, causing funcrefs to not be considred anyrefs.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::unify):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseElement):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::unify):

2019-06-18  Darin Adler  <darin@apple.com>

        Tidy up the remaining bits of the AtomicString to AtomString rename
        https://bugs.webkit.org/show_bug.cgi?id=198990

        Reviewed by Michael Catanzaro.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Use flagIsAtom.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): Ditto.
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent): Ditto.

2019-06-19  Alexey Shvayka  <shvaikalesh@gmail.com>

        Optimize `resolve` method lookup in Promise static methods
        https://bugs.webkit.org/show_bug.cgi?id=198864

        Reviewed by Yusuke Suzuki.

        Lookup `resolve` method only once in Promise.{all,allSettled,race}.
        (https://github.com/tc39/ecma262/pull/1506)

        Already implemented in V8.

        * builtins/PromiseConstructor.js:

2019-06-19  Tadeu Zagallo  <tzagallo@apple.com>

        Some of the ASSERTs in CachedTypes.cpp should be RELEASE_ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=199030

        Reviewed by Mark Lam.

        These assertions represent strong assumptions that the cache makes so
        it's not safe to keep executing if they fail.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::Encoder::Page::alignEnd):
        (JSC::Decoder::ptrForOffsetFromBase):
        (JSC::Decoder::handleForEnvironment const):
        (JSC::Decoder::setHandleForEnvironment):
        (JSC::CachedPtr::get const):
        (JSC::CachedOptional::encode):
        (JSC::CachedOptional::decodeAsPtr const): Deleted.

2019-06-19  Adrian Perez de Castro  <aperez@igalia.com>

        [WPE][GTK] Fix build with unified sources disabled
        https://bugs.webkit.org/show_bug.cgi?id=198752

        Reviewed by Michael Catanzaro.

        * runtime/WeakObjectRefConstructor.h: Add missing inclusion of InternalFunction.h
        and forward declaration of WeakObjectRefPrototype.
        * wasm/js/WebAssemblyFunction.cpp: Add missing inclusion of JSWebAssemblyHelpers.h

2019-06-19  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Rename anyfunc to funcref
        https://bugs.webkit.org/show_bug.cgi?id=198983

        Reviewed by Yusuke Suzuki.

        Anyfunc should become funcref since it was renamed in the spec. We should also support the string 'anyfunc' in the table constructor since this is 
        the only non-binary-format place where it is exposed to users.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::gFuncref):
        (JSC::Wasm::AirIRGenerator::tmpForType):
        (JSC::Wasm::AirIRGenerator::emitCCall):
        (JSC::Wasm::AirIRGenerator::moveOpForValueType):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::addLocal):
        (JSC::Wasm::AirIRGenerator::addConstant):
        (JSC::Wasm::AirIRGenerator::addRefFunc):
        (JSC::Wasm::AirIRGenerator::addReturn):
        (JSC::Wasm::AirIRGenerator::gAnyfunc): Deleted.
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConventionAir::marshallArgument const):
        (JSC::Wasm::CallingConventionAir::setupCall const):
        * wasm/WasmExceptionType.h:
        * wasm/WasmFormat.h:
        (JSC::Wasm::isValueType):
        (JSC::Wasm::isSubtype):
        (JSC::Wasm::TableInformation::wasmType const):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseTableHelper):
        (JSC::Wasm::SectionParser::parseElement):
        (JSC::Wasm::SectionParser::parseInitExpr):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addRefFunc):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        * wasm/wasm.json:

2019-06-19  Fujii Hironori  <Hironori.Fujii@sony.com>

        [CMake][Win] CombinedDomains.json is generated twice in JavaScriptCore_CopyPrivateHeaders and JavaScriptCore projects
        https://bugs.webkit.org/show_bug.cgi?id=198853

        Reviewed by Don Olmstead.

        JavaScriptCore_CopyPrivateHeaders target needs to have a direct or
        indirect dependency of JavaScriptCore target for CMake Visual
        Studio generator to eliminate duplicated custom commands.

        * CMakeLists.txt: Added JavaScriptCore as a dependency of JavaScriptCore_CopyPrivateHeaders.

2019-06-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSLock should be WebThread aware
        https://bugs.webkit.org/show_bug.cgi?id=198911

        Reviewed by Geoffrey Garen.

        Since WebKitLegacy content rendering is done in WebThread instead of the main thread in iOS, user of WebKitLegacy (e.g. UIWebView) needs
        to grab the WebThread lock (which is a recursive lock) in the main thread when touching the WebKitLegacy content.
        But, WebKitLegacy can expose JSContext for the web view. And we can interact with the JS content through JavaScriptCore APIs. However,
        since WebThread is a concept in WebCore, JavaScriptCore APIs do not grab the WebThread lock. As a result, WebKitLegacy web content can be
        modified from the main thread without grabbing the WebThread lock through JavaScriptCore APIs.

        This patch makes JSC aware of WebThread: JSLock grabs the WebThread lock before grabbing JS's lock. While this seems layering violation,
        we already have many USE(WEB_THREAD) and WebThread aware code in WTF. Eventually, we should move WebThread code from WebCore to WTF since
        JSC and WTF need to be aware of WebThread. But, for now, we just use the function pointer exposed by WebCore.

        Since both JSLock and the WebThread lock are recursive locks, nested locking is totally OK. The possible problem is the order of locking.
        We ensure that we always grab locks in (1) the WebThread lock and (2) JSLock order.

        In JSLock, we take the WebThread lock, but we do not unlock it. This is how we use the WebThread lock: the WebThread lock is released
        automatically when RunLoop finishes the current cycle, and in WebKitLegacy, we do not call unlocking function of the WebThread lock except
        for some edge cases.

        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine isWebThreadAware]):
        * API/JSVirtualMachineInternal.h:
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLock::lock):
        (JSC::JSLockHolder::init): Deleted.
        * runtime/JSLock.h:
        (JSC::JSLock::makeWebThreadAware):
        (JSC::JSLock::isWebThreadAware const):

2019-06-18  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for Table.size, grow and fill instructions
        https://bugs.webkit.org/show_bug.cgi?id=198761

        Reviewed by Yusuke Suzuki.

        Add support for Table.size, grow and fill instructions. This also required
        adding support for two-byte opcodes to the ops generator.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::gAnyref):
        (JSC::Wasm::AirIRGenerator::tmpForType):
        (JSC::Wasm::AirIRGenerator::addTableSize):
        (JSC::Wasm::AirIRGenerator::addTableGrow):
        (JSC::Wasm::AirIRGenerator::addTableFill):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addTableSize):
        (JSC::Wasm::B3IRGenerator::addTableGrow):
        (JSC::Wasm::B3IRGenerator::addTableFill):
        * wasm/WasmExceptionType.h:
        * wasm/WasmFormat.h:
        (JSC::Wasm::TableInformation::wasmType const):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::doWasmTableGrow):
        (JSC::Wasm::doWasmTableFill):
        * wasm/WasmInstance.h:
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::grow):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addTableSize):
        (JSC::Wasm::Validate::addTableGrow):
        (JSC::Wasm::Validate::addTableFill):
        * wasm/generateWasmOpsHeader.py:
        (opcodeMacroizer):
        (ExtTableOpType):
        * wasm/wasm.json:

2019-06-18  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix signature of currentWeakRefVersion to return an uintptr_t.

        * runtime/VM.h:
        (JSC::VM::currentWeakRefVersion const):

2019-06-18  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for multiple tables
        https://bugs.webkit.org/show_bug.cgi?id=198760

        Reviewed by Saam Barati.

        Support multiple wasm tables. We turn tableInformation into a tables array, and update all of the
        existing users to give a table index. The array of Tables in Wasm::Instance is hung off the tail
        to make it easier to use from jit code. 

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::addTableGet):
        (JSC::Wasm::AirIRGenerator::addTableSet):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::addTableGet):
        (JSC::Wasm::B3IRGenerator::addTableSet):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmExceptionType.h:
        * wasm/WasmFormat.h:
        (JSC::Wasm::Element::Element):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        (JSC::Wasm::Instance::extraMemoryAllocated const):
        (JSC::Wasm::Instance::table):
        (JSC::Wasm::Instance::setTable):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::updateCachedMemory):
        (JSC::Wasm::Instance::offsetOfGlobals):
        (JSC::Wasm::Instance::offsetOfTablePtr):
        (JSC::Wasm::Instance::allocationSize):
        (JSC::Wasm::Instance::table): Deleted.
        (JSC::Wasm::Instance::setTable): Deleted.
        (JSC::Wasm::Instance::offsetOfTable): Deleted.
        * wasm/WasmModuleInformation.h:
        (JSC::Wasm::ModuleInformation::tableCount const):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseImport):
        (JSC::Wasm::SectionParser::parseTableHelper):
        (JSC::Wasm::SectionParser::parseTable):
        (JSC::Wasm::SectionParser::parseElement):
        * wasm/WasmTable.h:
        (JSC::Wasm::Table::owner const):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addTableGet):
        (JSC::Wasm::Validate::addTableSet):
        (JSC::Wasm::Validate::addCallIndirect):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
        (JSC::JSWebAssemblyInstance::visitChildren):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/wasm.json:

2019-06-18  Alexey Shvayka  <shvaikalesh@gmail.com>

        [ESNExt] String.prototype.matchAll
        https://bugs.webkit.org/show_bug.cgi?id=186694

        Reviewed by Yusuke Suzuki.

        Implement String.prototype.matchAll.
        (https://tc39.es/ecma262/#sec-string.prototype.matchall)

        Also rename @globalPrivate @constructor functions and C++ variables holding them.

        Shipping in Chrome since version 73.
        Shipping in Firefox since version 67.

        * CMakeLists.txt:
        * DerivedSources-input.xcfilelist:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/wkbuiltins/builtins_generate_combined_header.py:
        (get_var_name):
        (generate_section_for_global_private_code_name_macro):
        * Sources.txt:
        * builtins/ArrayPrototype.js:
        (globalPrivate.ArrayIterator):
        (values):
        (keys):
        (entries):
        (globalPrivate.createArrayIterator): Deleted.
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor): Deleted.
        * builtins/BuiltinNames.h:
        * builtins/MapPrototype.js:
        (globalPrivate.MapIterator):
        (values):
        (keys):
        (entries):
        (globalPrivate.createMapIterator): Deleted.
        * builtins/RegExpPrototype.js:
        (globalPrivate.RegExpStringIterator):
        (overriddenName.string_appeared_here.matchAll):
        * builtins/RegExpStringIteratorPrototype.js: Added.
        (next):
        * builtins/SetPrototype.js:
        (globalPrivate.SetIterator):
        (values):
        (entries):
        (globalPrivate.createSetIterator): Deleted.
        * builtins/StringPrototype.js:
        (matchAll):
        * builtins/TypedArrayPrototype.js:
        (values):
        (keys):
        (entries):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/RegExpStringIteratorPrototype.cpp: Added.
        (JSC::RegExpStringIteratorPrototype::finishCreation):
        * runtime/RegExpStringIteratorPrototype.h: Added.
        * runtime/StringPrototype.cpp:

2019-06-18  Keith Miller  <keith_miller@apple.com>

        Add support for WeakRef
        https://bugs.webkit.org/show_bug.cgi?id=198710

        Reviewed by Yusuke Suzuki.

        Add support for WeakRefs which are now at stage 3
        (https://tc39.es/proposal-weakrefs). This patch doesn't add
        support for FinalizationGroups, which I'll add in another patch.

        Some other things of interest. Per the spec, we cannot collect a
        weak refs target unless it has not been dereffed (or created) in
        the current microtask turn. i.e. WeakRefs are only allowed to be
        collected at the end of a drain of the Microtask queue. My
        understanding for this behavior is to reduce implementation
        dependence on specific GC behavior in a given browser.

        We track if a WeakRef is retaining its target by using a version
        number on each WeakRef as well as on the VM. Whenever a WeakRef is
        derefed we update its version number to match the VM's then
        WriteBarrier ourselves. During marking if the VM and the WeakRef
        have the same version number, the target is visited.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionReleaseWeakRefs):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSWeakObjectRef.cpp: Added.
        (JSC::JSWeakObjectRef::finishCreation):
        (JSC::JSWeakObjectRef::visitChildren):
        (JSC::JSWeakObjectRef::finalizeUnconditionally):
        (JSC::JSWeakObjectRef::toStringName):
        * runtime/JSWeakObjectRef.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::drainMicrotasks):
        * runtime/VM.h:
        (JSC::VM::setOnEachMicrotaskTick):
        (JSC::VM::finalizeSynchronousJSExecution):
        (JSC::VM::currentWeakRefVersion const):
        * runtime/WeakObjectRefConstructor.cpp: Added.
        (JSC::WeakObjectRefConstructor::finishCreation):
        (JSC::WeakObjectRefConstructor::WeakObjectRefConstructor):
        (JSC::callWeakRef):
        (JSC::constructWeakRef):
        * runtime/WeakObjectRefConstructor.h: Added.
        (JSC::WeakObjectRefConstructor::create):
        (JSC::WeakObjectRefConstructor::createStructure):
        * runtime/WeakObjectRefPrototype.cpp: Added.
        (JSC::WeakObjectRefPrototype::finishCreation):
        (JSC::getWeakRef):
        (JSC::protoFuncWeakRefDeref):
        * runtime/WeakObjectRefPrototype.h: Added.

2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add missing mutator fence in compileNewFunction
        https://bugs.webkit.org/show_bug.cgi?id=198849
        <rdar://problem/51733890>

        Reviewed by Saam Barati.

        Follow-up after r246553. Saam pointed out that we still need a mutator
        fence before allocating the FunctionRareData, since the allocation
        might trigger a slow path call.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):

2019-06-18  Tadeu Zagallo  <tzagallo@apple.com>

        DFG code should not reify the names of builtin functions with private names
        https://bugs.webkit.org/show_bug.cgi?id=198849
        <rdar://problem/51733890>

        Reviewed by Filip Pizlo.

        Builtin functions that have a private name call setHasReifiedName from finishCreation.
        When compiled with DFG and FTL, that does not get called and the function ends up reifying
        its name. In order to fix that, we initialize FunctionRareData and set m_hasReifiedName to
        true from compileNewFunction in both DFG and FTL.

        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::offsetOfStructure):
        * bytecode/ObjectAllocationProfile.h:
        (JSC::ObjectAllocationProfileWithPrototype::offsetOfPrototype):
        * bytecode/UnlinkedFunctionExecutable.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionExecutable.h:
        * runtime/FunctionRareData.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::isAnonymousBuiltinFunction const):

2019-06-18  Keith Miller  <keith_miller@apple.com>

        MaybeParseAsGeneratorForScope sometimes loses track of its scope ref
        https://bugs.webkit.org/show_bug.cgi?id=198969
        <rdar://problem/51620714>

        Reviewed by Tadeu Zagallo.

        Sometimes if the parser has enough nested scopes
        MaybeParseAsGeneratorForScope can lose track of the ScopeRef it
        should be tracking. This is because the parser sometimes relocates
        its ScopeRefs. To fix this MaybeParseAsGeneratorForScope should
        hold the scope ref it's watching.

        * parser/Parser.cpp:
        (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope):
        (JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope):

2019-06-17  Justin Michaud  <justin_michaud@apple.com>

        Validate that table element type is funcref if using an element section
        https://bugs.webkit.org/show_bug.cgi?id=198910

        Reviewed by Yusuke Suzuki.

        Add missing validation when attempting to add an element section to an anyref table.

        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseElement):

2019-06-17  Tadeu Zagallo  <tzagallo@apple.com>

        Concurrent GC should check the conn before starting a new collection cycle
        https://bugs.webkit.org/show_bug.cgi?id=198913
        <rdar://problem/49515149>

        Reviewed by Filip Pizlo.

        Heap::requestCollection tries to steal the conn as an optimization to avoid waking up the collector
        thread if it's idle. We determine if the collector is idle by ensuring that there are no pending collections
        and that the current GC phase is NotRunning. However, that's not safe immediately after the concurrent
        GC has finished processing the last pending request. The collector thread will runEndPhase and immediately
        start runNotRunningPhase, without checking if it still has the conn. If the mutator has stolen the conn in
        the mean time, this will lead to both threads collecting concurrently, and eventually we'll crash in checkConn,
        since the collector is running but doesn't have the conn anymore.

        To solve this, we check if we still have the conn after holding the lock in runNotRunningPhase, in case the mutator
        has stolen the conn. Ideally, we wouldn't let the mutator steal the conn in the first place, but that doesn't seem
        trivial to determine.

        * heap/Heap.cpp:
        (JSC::Heap::runNotRunningPhase):

2019-06-17  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce DisposableCallSiteIndex to enforce type-safety
        https://bugs.webkit.org/show_bug.cgi?id=197378

        Reviewed by Saam Barati.

        Some of CallSiteIndex are disposable. This is because some of CallSiteIndex are allocated and freed at runtime (not DFG/FTL compile time).
        The example is CallSiteIndex for exception handler in GCAwareJITStubRoutineWithExceptionHandler. If we do not allocate and free CallSiteIndex,
        we will create a new CallSiteIndex continuously and leak memory.

        The other CallSiteIndex are not simply disposable because the ownership model is not unique one. They can be shared between multiple clients.
        But not disposing them is OK because they are static one: they are allocated when compiling DFG/FTL, and we do not allocate such CallSiteIndex
        at runtime.

        To make this difference explicit and avoid disposing non-disposable CallSiteIndex accidentally, we introduce DisposableCallSiteIndex type, and
        enforce type-safety to some degree.

        We also correctly update the DisposableCallSiteIndex => CodeOrigin table when we are reusing the previously used DisposableCallSiteIndex.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::newExceptionHandlingCallSiteIndex):
        (JSC::CodeBlock::removeExceptionHandlerForCallSite):
        * bytecode/CodeBlock.h:
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::callSiteIndexForExceptionHandling):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): Deleted.
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::addUniqueCallSiteIndex):
        (JSC::DFG::CommonData::addDisposableCallSiteIndex):
        (JSC::DFG::CommonData::removeDisposableCallSiteIndex):
        (JSC::DFG::CommonData::removeCallSiteIndex): Deleted.
        * dfg/DFGCommonData.h:
        * interpreter/CallFrame.h:
        (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex):
        (JSC::DisposableCallSiteIndex::fromCallSiteIndex):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
        (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h:
        * jit/JITInlineCacheGenerator.h:

2019-06-17  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for Funcref in parameters and return types
        https://bugs.webkit.org/show_bug.cgi?id=198157

        Reviewed by Yusuke Suzuki.

        Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to 
        a funcref (nee anyfunc), we first make sure it is an exported wasm function or null. 

        We also add support for Ref.func. Anywhere a Ref.func is used, (statically) we construct a JS wrapper
        for it so that we never need to construct JSValues when handling references. This should make threads
        easier to implement.

        Finally, we add some missing bounds checks for table.get/set.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::tmpForType):
        (JSC::Wasm::AirIRGenerator::moveOpForValueType):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::addLocal):
        (JSC::Wasm::AirIRGenerator::addConstant):
        (JSC::Wasm::AirIRGenerator::addRefFunc):
        (JSC::Wasm::AirIRGenerator::addTableSet):
        (JSC::Wasm::AirIRGenerator::setGlobal):
        (JSC::Wasm::AirIRGenerator::addReturn):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addLocal):
        (JSC::Wasm::B3IRGenerator::addTableSet):
        (JSC::Wasm::B3IRGenerator::addRefFunc):
        (JSC::Wasm::B3IRGenerator::setGlobal):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConventionAir::marshallArgument const):
        (JSC::Wasm::CallingConventionAir::setupCall const):
        * wasm/WasmExceptionType.h:
        * wasm/WasmFormat.h:
        (JSC::Wasm::isValueType):
        (JSC::Wasm::isSubtype):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::getFunctionWrapper const):
        (JSC::Wasm::Instance::setFunctionWrapper):
        * wasm/WasmInstance.h:
        * wasm/WasmModuleInformation.h:
        (JSC::Wasm::ModuleInformation::referencedFunctions const):
        (JSC::Wasm::ModuleInformation::addReferencedFunction const):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseGlobal):
        (JSC::Wasm::SectionParser::parseInitExpr):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addTableGet):
        (JSC::Wasm::Validate::addTableSet):
        (JSC::Wasm::Validate::addRefIsNull):
        (JSC::Wasm::Validate::addRefFunc):
        (JSC::Wasm::Validate::setLocal):
        (JSC::Wasm::Validate::addCall):
        (JSC::Wasm::Validate::addCallIndirect):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::isWebAssemblyHostFunction):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::visitChildren):
        * wasm/js/JSWebAssemblyRuntimeError.cpp:
        (JSC::createJSWebAssemblyRuntimeError):
        * wasm/js/JSWebAssemblyRuntimeError.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::handleBadI64Use):
        (JSC::Wasm::wasmToJS):
        (JSC::Wasm::emitWasmToJSException):
        * wasm/js/WasmToJS.h:
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        * wasm/wasm.json:

2019-06-16  Darin Adler  <darin@apple.com>

        Rename AtomicString to AtomString
        https://bugs.webkit.org/show_bug.cgi?id=195276

        Reviewed by Michael Catanzaro.

        * many files: Let do-webcore-rename do the renaming.

2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Grown region of WasmTable should be initialized with null
        https://bugs.webkit.org/show_bug.cgi?id=198903

        Reviewed by Saam Barati.

        Grown region of Wasmtable is now empty. We should initialize it with null.
        We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to
        align to the naming convention.

        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::grow):
        (JSC::Wasm::Table::visitAggregate):
        (JSC::Wasm::Table::visitChildren): Deleted.
        * wasm/WasmTable.h:
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::visitChildren):

2019-06-14  Keith Miller  <keith_miller@apple.com>

        Restore PAC based cage.
        https://bugs.webkit.org/show_bug.cgi?id=198872

        Rubber-stamped by Saam Barati.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::bitFieldInsert64):
        * assembler/MacroAssemblerARM64E.h:
        * assembler/testmasm.cpp:
        (JSC::testCagePreservesPACFailureBit):
        (JSC::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageWithoutUntagging):
        (JSC::AssemblyHelpers::cageConditionally):
        (JSC::AssemblyHelpers::cage): Deleted.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/registers.rb:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>

        Yarr bytecode compilation failure should be gracefully handled
        https://bugs.webkit.org/show_bug.cgi?id=198700

        Reviewed by Michael Saboff.

        Currently, we assume that Yarr bytecode compilation does not fail. But in fact it can fail.
        We should gracefully handle this failure as a runtime error, as we did for parse errors in [1].
        We also harden Yarr's consumed character calculation by using Checked.

        [1]: https://bugs.webkit.org/show_bug.cgi?id=185755

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * runtime/RegExp.cpp:
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorMessage):
        (JSC::Yarr::errorToThrow):
        * yarr/YarrErrorCode.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::ByteCompiler):
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::atomCharacterClass):
        (JSC::Yarr::ByteCompiler::atomBackReference):
        (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin):
        (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin):
        (JSC::Yarr::ByteCompiler::atomParentheticalAssertionBegin):
        (JSC::Yarr::ByteCompiler::popParenthesesStack):
        (JSC::Yarr::ByteCompiler::closeAlternative):
        (JSC::Yarr::ByteCompiler::closeBodyAlternative):
        (JSC::Yarr::ByteCompiler::alternativeBodyDisjunction):
        (JSC::Yarr::ByteCompiler::alternativeDisjunction):
        (JSC::Yarr::ByteCompiler::emitDisjunction):

2019-06-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call
        https://bugs.webkit.org/show_bug.cgi?id=198770

        Reviewed by Saam Barati.

        Polymorphic call stub is a bit specially patched in JS call site. Typical JS call site for tail calls
        are the following.

            if (callee == patchableCallee) {
                restore callee saves for tail call
                prepare for tail call
                jump to the target function
            }
            restore callee saves for slow path
            call the slow path function

        And linking patches patchableCallee, target function, and slow path function. But polymorphic call stub
        patches the above `if` statement with the jump to the stub.

            jump to the polymorphic call stub

        This is because polymorphic call stub wants to use CallFrameShuffler to get scratch registers. As a result,
        "restore callee saves for tail call" thing needs to be done in the polymorphic call stubs. While it is
        correctly done for the major cases, we have `slowPath` skips, and that path missed restoring callee saves.
        This skip happens if the callee is non JSCell or non JS function, so typically, InternalFunction is handled
        in that path.

        This patch does that skips after restoring callee saves.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::CallLinkInfo):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::setUpCall):
        (JSC::CallLinkInfo::calleeGPR):
        (JSC::CallLinkInfo::setCalleeGPR): Deleted.
        * jit/Repatch.cpp:
        (JSC::revertCall):
        (JSC::linkVirtualFor):
        (JSC::linkPolymorphicCall):
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):

2019-06-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r246322.
        https://bugs.webkit.org/show_bug.cgi?id=198796

        "It's a huge page load regression on iOS" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Roll out PAC cage"
        https://bugs.webkit.org/show_bug.cgi?id=198726
        https://trac.webkit.org/changeset/246322

2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>

        JSC should throw if proxy set returns falsish in strict mode context
        https://bugs.webkit.org/show_bug.cgi?id=177398

        Reviewed by Yusuke Suzuki.

        Throw TypeError exception if Proxy's `set` trap returns falsy value.
        (step 6.c of https://tc39.es/ecma262/#sec-putvalue)

        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::put):
        (JSC::ProxyObject::putByIndexCommon):
        * runtime/ProxyObject.h:

2019-06-11  Alexey Shvayka  <shvaikalesh@gmail.com>

        Error message for non-callable Proxy `construct` trap is misleading
        https://bugs.webkit.org/show_bug.cgi?id=198637

        Reviewed by Saam Barati.

        Just like other traps, Proxy `construct` trap is invoked with [[Call]], not [[Construct]].

        * runtime/ProxyObject.cpp:
        (JSC::performProxyConstruct): Tweak error message.

2019-06-10  Tadeu Zagallo  <tzagallo@apple.com>

        AI BitURShift's result should not be unsigned
        https://bugs.webkit.org/show_bug.cgi?id=198689
        <rdar://problem/51550063>

        Reviewed by Saam Barati.

        Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it.
        This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but
        get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber,
        all we have to do is store the result as a signed int32.

        * dfg/DFGAbstractInterpreterInlines.h:

2019-06-11  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed build warning fixes

        Silence -Wreturn-type warning

        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::tryCreate):

2019-06-11  Saam Barati  <sbarati@apple.com>

        Roll out PAC cage
        https://bugs.webkit.org/show_bug.cgi?id=198726

        Reviewed by Keith Miller.

        This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622.
        
        The resulting state we're in is we have Gigacage enabled on arm64.
        There is no more PAC caging.

        We're doing this because there are performance issues with PAC caging
        that we haven't resolved yet.

        * assembler/CPU.h:
        (JSC::isARM64E): Deleted.
        * assembler/MacroAssemblerARM64E.h:
        (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted.
        (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted.
        (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted.
        * b3/B3LowerToAir.cpp:
        * b3/B3PatchpointSpecial.cpp:
        (JSC::B3::PatchpointSpecial::admitsStack):
        * b3/B3StackmapSpecial.cpp:
        (JSC::B3::StackmapSpecial::forEachArgImpl):
        (JSC::B3::StackmapSpecial::isArgValidForRep):
        * b3/B3Validate.cpp:
        * b3/B3ValueRep.cpp:
        (JSC::B3::ValueRep::addUsedRegistersTo const):
        (JSC::B3::ValueRep::dump const):
        (WTF::printInternal):
        * b3/B3ValueRep.h:
        (JSC::B3::ValueRep::ValueRep):
        (JSC::B3::ValueRep::isReg const):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
        (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted.
        (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted.
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageConditionally):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallNode::clearCallLinkInfo):
        * jit/RegisterSet.h:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::SharedArrayBufferContents::SharedArrayBufferContents):
        (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
        (JSC::ArrayBufferContents::ArrayBufferContents):
        (JSC::ArrayBufferContents::destroy):
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::makeShared):
        (JSC::ArrayBufferContents::copyTo):
        * runtime/ArrayBuffer.h:
        (JSC::SharedArrayBufferContents::data const):
        (JSC::ArrayBufferContents::data const):
        (JSC::ArrayBuffer::data):
        (JSC::ArrayBuffer::data const):
        (JSC::ArrayBuffer::byteLength const):
        * runtime/ArrayBufferView.cpp:
        (JSC::ArrayBufferView::ArrayBufferView):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::baseAddress const):
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::getRangeImpl):
        (JSC::ArrayBufferView::byteLength const): Deleted.
        * runtime/CachedTypes.cpp:
        (JSC::CachedScopedArgumentsTable::encode):
        (JSC::CachedScopedArgumentsTable::decode const):
        * runtime/CagedBarrierPtr.h:
        (JSC::CagedBarrierPtr::CagedBarrierPtr):
        (JSC::CagedBarrierPtr::set):
        (JSC::CagedBarrierPtr::get const):
        (JSC::CagedBarrierPtr::getMayBeNull const):
        (JSC::CagedBarrierPtr::operator== const):
        (JSC::CagedBarrierPtr::operator!= const):
        (JSC::CagedBarrierPtr::operator bool const):
        (JSC::CagedBarrierPtr::setWithoutBarrier):
        (JSC::CagedBarrierPtr::operator* const):
        (JSC::CagedBarrierPtr::operator-> const):
        (JSC::CagedBarrierPtr::operator[] const):
        (JSC::CagedBarrierPtr::getUnsafe const): Deleted.
        (JSC::CagedBarrierPtr::at const): Deleted.
        * runtime/DataView.cpp:
        (JSC::DataView::DataView):
        * runtime/DataView.h:
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::visitChildren):
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::unmapArgument):
        * runtime/DirectArguments.h:
        * runtime/GenericArguments.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::visitChildren):
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
        (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
        * runtime/GenericTypedArrayView.h:
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finalize):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::ConstructionContext::vector const):
        (JSC::JSArrayBufferView::isNeutered):
        (JSC::JSArrayBufferView::vector const):
        (JSC::JSArrayBufferView::hasVector const): Deleted.
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/Options.h:
        * runtime/ScopedArgumentsTable.cpp:
        (JSC::ScopedArgumentsTable::clone):
        (JSC::ScopedArgumentsTable::setLength):
        * runtime/ScopedArgumentsTable.h:
        * runtime/SymbolTable.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::cachedMemory const):
        (JSC::Wasm::Instance::updateCachedMemory):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::Memory):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::dump const):
        * wasm/WasmMemory.h:
        (JSC::Wasm::Memory::memory const):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-06-10  Basuke Suzuki  <Basuke.Suzuki@sony.com>

        [WinCairo] Remove build warning from RemoteInspector.
        https://bugs.webkit.org/show_bug.cgi?id=198724

        Reviewed by Joseph Pecoraro.

        In `RemoteInspectorConnectionClient.h`, an interface was defined with empty implementation.
        This method is to be overwritten by sub classes so that parameter name is important
        so they are commented out rather than just removing from the definition.

        * inspector/remote/RemoteInspector.h:

2019-06-10  Sam Weinig  <weinig@apple.com>

        Remove Dashboard support
        https://bugs.webkit.org/show_bug.cgi?id=198615

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2019-06-10  Devin Rousso  <drousso@apple.com>

        Web Automation: add notifications for when remote automation is enabled/disabled
        https://bugs.webkit.org/show_bug.cgi?id=198703
        <rdar://problem/50588975>

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspectorConstants.h:

2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, build fix for non-DFG configurations, part 2
        https://bugs.webkit.org/show_bug.cgi?id=198023

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, build fix for non-DFG configurations
        https://bugs.webkit.org/show_bug.cgi?id=198023

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2019-06-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode
        https://bugs.webkit.org/show_bug.cgi?id=198023

        Reviewed by Saam Barati.

        While CodeBlock is periodically jettisoned, UnlinkedCodeBlock and UnlinkedFunctionExecutable can be retained almost forever in certain type of applications.
        When we execute a program, which has UnlinkedProgramCodeBlock retained in CodeCache. And UnlinkedProgramCodeBlock holds array of UnlinkedFunctionExecutable.
        And UnlinkedFunctionExecutables hold UnlinkedFunctionCodeBlocks once it is generated. So eventually, this tree gets larger and larger until we purge
        UnlinkedProgramCodeBlock from CodeCache. This is OK in the browser case. We navigate to various other pages, and UnlinkedProgramCodeBlocks should eventually
        be pruned from CodeCache with the new ones. So this tree won't be retained forever. But the behavior is different in the other applications that do not have
        navigations. If they only have one program which holds all, we basically retain this tree during executing this application. The same thing can happen in
        web applications which does not have navigation and keeps alive for a long time. Once we hit CodeCache limit by periodically executing a new script, we will
        hit the uppermost of memory footprint. But until that, we increase our memory footprint.

        However, destroying these UnlinkedCodeBlocks and UnlinkedFunctionExecutables causes a tricky problem. In the browser environment, navigation can happen at any
        time. So even if the given UnlinkedCodeBlock seems unused in the current page, it can be used when navigating to a new page which is under the same domain.
        One example is initializing function in a script. It is only executed once per page. So once it is executed, it seems that this UnlinkedCodeBlock is unused.
        But this will be used when we navigate to a new page. Pruning code blocks based on usage could cause performance regression.

        But if our VM is mini VM mode, the story is different. In mini VM mode, we focus on memory footprint rather than performance e.g. daemons. The daemon never
        reuse these CodeCache since we do not have the navigation.

        This patch logically makes UnlinkedFunctionExecutable -> UnlinkedCodeBlock reference weak when VM is mini mode. If UnlinkedCodeBlock is used in previous GC
        cycle, we retain it. But if it is not used, and if UnlinkedFunctionExecutable is only the cell keeping UnlinkedCodeBlock alive, we destroy it. It is a
        heuristic. In a super pathological case, it could increase memory footprint. Consider the following example.

            UnlinkedFunctionExecutable(A1) -> UnlinkedCodeBlock(B1) -> UnlinkedFunctionExecutable(C1) -> UnlinkedCodeBlock(D1)
                                                                                                             ^
                                                                                                         CodeBlock(E1)

        We could delete A1, B1, and C1 while keeping D1. But if we eventually re-execute the same code corresponding to A1, B1, C1, they will be newly created, and
        we will create duplicate UnlinkedCodeBlock and instructions stream for D1.

                                                                                                         UnlinkedCodeBlock(D1)
                                                                                                             ^
                                                                                                         CodeBlock(E1)

            UnlinkedFunctionExecutable(A2) -> UnlinkedCodeBlock(B2) -> UnlinkedFunctionExecutable(C2) -> UnlinkedCodeBlock(D2)

        But this does not happen in practice and even it happens, we eventually discard D1 and D2 since CodeBlock E1 will be jettisoned anyway. So in practice, we do
        not see memory footprint increase. We tested it in Gmail and the target application, but both said memory footprint reduction (30 MB / 400 MB and 1 MB /6 MB).
        While this affects on performance much on tests which has navigation (1-3 % regression in Speedometer2, note that JetStream2 does not show regression in x64,
        while it is not enabling mini mode), we do not apply this to non mini mode VM until we come up with a good strategy to fasten performance of re-generation.
        Personally I think flushing destroyed UnlinkedCodeBlock to the disk sounds promising.

        If UnlinkedCodeBlock is generated from bytecode cache, we do not make UnlinkedFunctionExecutable -> UnlinkedCodeBlock link weak because the decoder of the bytecode
        cache assumes that generated JSCells won't be destroyed while the parent cells of that cell are live. This is true in the current implementation, and this assumption
        will be broken with this patch. So, for now, we do not make this link weak. Currently, our target application does not use bytecode cache so it is OK.

        This patch also introduce simple heuristic. We are counting UnlinkedCodeBlock's age. And once the age becomes maximum size, we make UnlinkedFunctionExecutable ->
        UnlinkedCodeBlock link weak. We also use execution counter information to reset this age: CodeBlock will reset undelying UnlinkedCodeBlock's age if it has executed
        While this heuristic is quite simple, it has some effect in practice. Basically what happens with this heuristic is that UnlinkedFunctionExecutable ->
        UnlinkedCodeBlock link strong. When GC happens, we are executing some CodeBlocks, which become live. And ScriptExecutables -> UnlinkedFunctionExecutables held
        by this CodeBlock become also live. Then UnlinkedFunctionExecutables can mark the child UnlinkedCodeBlocks if it is not so old.
        If some of parent UnlinkedFunctionExecutable becomes dead, child UnlinkedCodeBlocks tends to be dead unless some live CodeBlock holds it. But it is OK for a first
        heuristics since this means that parent code block is now considered old, reachable UnlinkedCodeBlock will be used when the parent is executed again. So destroying
        the tree is OK even if the tree may include some new UnlinkedCodeBlock. While we could make more sophisticated mechanism to manage these lifetime, I think this is a
        good starting point.

        Based on measurement, we pick 7 as a maximum age. If we pick 0, we can get more memory reduction (1 - 1.5 MB!), while we ends up reparsing codes so many times.
        It seems that 7 can reduce fair amount of memory while doing small # of reparsing on average (usually, 1, 2. Sometimes, 100. But not 300, which is the case in 0).
        If we want to get more memory reduction for the sake of performance, we could decrease this age limit.

        Since we do not have an automated script right now so it is a bit difficult to measure memory footprint precisely. But manual testing shows that this patch improves
        memory footprint of our target application from about 6.5 MB to about 5.9 MB.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::age const):
        (JSC::UnlinkedCodeBlock::resetAge):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        (JSC::UnlinkedFunctionExecutable::decodeCachedCodeBlocks):
        (JSC::UnlinkedFunctionExecutable::finalizeUnconditionally):
        * bytecode/UnlinkedFunctionExecutable.h:
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * runtime/CachedTypes.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeSpecializationKind.h:
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::isInMiniMode): Deleted.
        * runtime/VM.h:
        (JSC::VM::isInMiniMode):
        (JSC::VM::useUnlinkedCodeBlockJettisoning):

2019-06-10  Timothy Hatcher  <timothy@apple.com>

        Integrate dark mode support for iOS.
        https://bugs.webkit.org/show_bug.cgi?id=198687
        rdar://problem/51545643

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2019-06-10  Adrian Perez de Castro  <aperez@igalia.com>

        [JSC] Linker fails when unified sources are not in use
        https://bugs.webkit.org/show_bug.cgi?id=198722

        Reviewed by Keith Miller.

        Added missing inclusions of headers in several files which make use of inline functions.

        * b3/B3AtomicValue.cpp:
        * b3/B3BlockInsertionSet.cpp:
        * b3/B3FenceValue.cpp:
        * b3/B3LowerMacrosAfterOptimizations.cpp:
        * b3/B3PureCSE.cpp:
        * b3/B3StackmapValue.cpp:
        * b3/B3SwitchValue.cpp:
        * b3/B3UseCounts.cpp:
        * b3/B3VariableValue.cpp:
        * b3/B3WasmAddressValue.cpp:
        * b3/B3WasmBoundsCheckValue.cpp:
        * ftl/FTLCompile.cpp:
        * wasm/WasmSectionParser.cpp:
        * wasm/WasmTable.cpp:
        * wasm/WasmValidate.cpp:

2019-06-10  Keith Miller  <keith_miller@apple.com>

        Make new Symbol/Promise API public
        https://bugs.webkit.org/show_bug.cgi?id=198709

        Reviewed by Saam Barati.

        We also need to #ifdef some tests when building for older
        platforms because the signatures for some methods are outdated on
        those platforms.

        * API/JSObjectRef.h:
        * API/JSObjectRefPrivate.h:
        * API/JSValue.h:
        * API/JSValuePrivate.h:
        * API/JSValueRef.h:
        * API/tests/testapi.mm:
        (testObjectiveCAPIMain):

2019-06-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r246150, r246160, and r246166.
        https://bugs.webkit.org/show_bug.cgi?id=198698

        Regresses page loading time on iOS 13 (Requested by keith_m__
        on #webkit).

        Reverted changesets:

        "Reenable Gigacage on ARM64."
        https://bugs.webkit.org/show_bug.cgi?id=198453
        https://trac.webkit.org/changeset/246150

        "Unrevied build fix for FTL without Gigacage."
        https://trac.webkit.org/changeset/246160

        "Fix typo in cageWithoutUntagging"
        https://bugs.webkit.org/show_bug.cgi?id=198617
        https://trac.webkit.org/changeset/246166

2019-06-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use mergePrediction in ValuePow prediction propagation
        https://bugs.webkit.org/show_bug.cgi?id=198648

        Reviewed by Saam Barati.

        We are accidentally using setPrediction. This is wrong since prediction propagation (not processInvariant)
        must extend the speculation types to ensure we eventually reach to the fixed point. setPrediction can discard
        previously configured predictions, can lead to oscillation potentially. Use mergePrediction instead.

        * dfg/DFGPredictionPropagationPhase.cpp:

2019-06-07  Tadeu Zagallo  <tzagallo@apple.com>

        AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
        https://bugs.webkit.org/show_bug.cgi?id=198581
        <rdar://problem/51099753>

        Reviewed by Saam Barati.

        For GetGetterSetterByOffset, when the abstract interpreter fails to read the property
        from the object, it gets the GetterSetter structure from the CodeBlock's global object.
        However, that's not correct, since the global object for the base object might differ
        from the CodeBlock's. Instead, we try to get the global object from the base, when it's
        a constant object. Otherwise, we can't infer the value and only set the type.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2019-06-06  Devin Rousso  <drousso@apple.com>

        Web Inspector: create CommandLineAPIHost lazily like the other agents
        https://bugs.webkit.org/show_bug.cgi?id=196047
        <rdar://problem/49087835>

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::connect): Added.

2019-06-06  Keith Miller  <keith_miller@apple.com>

        Fix typo in cageWithoutUntagging
        https://bugs.webkit.org/show_bug.cgi?id=198617

        Reviewed by Saam Barati.

        * assembler/testmasm.cpp:
        (JSC::testCagePreservesPACFailureBit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageWithoutUntagging):
        (JSC::AssemblyHelpers::cageConditionally):
        (JSC::AssemblyHelpers::cageWithoutUntaging): Deleted.

2019-06-06  Alexey Shvayka  <shvaikalesh@gmail.com>

        JSON.parse throws incorrect exception when called w/o arguments
        https://bugs.webkit.org/show_bug.cgi?id=198574

        Reviewed by Yusuke Suzuki.

        Always coerce first argument to string and attempt to parse it.
        (steps 1-2 of https://tc39.github.io/ecma262/#sec-json.parse)

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse): Remove argumentCount check.

2019-06-06  Keith Miller  <keith_miller@apple.com>

        Unrevied build fix for FTL without Gigacage.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):

2019-06-06  Michael Catanzaro  <mcatanzaro@igalia.com>

        aarch64: ‘JSC::ARM64Assembler::LinkRecord::<unnamed union>::RealTypes::m_compareRegister’ is too small to hold all values of ‘JSC::ARM64Assembler::RegisterID’ {aka ‘enum JSC::ARM64Registers::RegisterID’}
        https://bugs.webkit.org/show_bug.cgi?id=198014

        Reviewed by Yusuke Suzuki.

        When building for aarch64, there is a huge warning spam here. It's impossible to see any
        other warnings. This has been ongoing for so long I've begun to suspect that nobody works
        on this architecture.

        Anyway, the problem is because we need eight bits to store all possible RegisterID values,
        but the bitfield is only six bits wide. Fix it. The COMPILE_ASSERT checking the size of this
        struct is still happy, so I presume the change is OK.

        * assembler/ARM64Assembler.h:

2019-06-06  Keith Miller  <keith_miller@apple.com>

        Reenable Gigacage on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=198453

        Reviewed by Michael Saboff.

        This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the
        old Gigacage however, arm64e uses both Gigacaging and PAC. In
        order to ensure the PAC bits are not stripped in the caging
        process we use the bit field insert instruction to take the low
        bits from caging and the high bits from the PAC authentication.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::bitFieldInsert64):
        * assembler/MacroAssemblerARM64E.h:
        * assembler/testmasm.cpp:
        (JSC::testCagePreservesPACFailureBit):
        (JSC::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cageWithoutUntaging):
        (JSC::AssemblyHelpers::cageConditionally):
        (JSC::AssemblyHelpers::cage): Deleted.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/registers.rb:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToWasm):
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

2019-06-06  Michael Saboff  <msaboff@apple.com>

        [ARM64E]: Add disassembler support for authenticated instructions
        https://bugs.webkit.org/show_bug.cgi?id=198562

        Reviewed by Keith Miller.

        Added support for all the instructions supported in ARM64EAssembler.h.

        * disassembler/ARM64/A64DOpcode.cpp:
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeHint::format):
        (JSC::ARM64Disassembler::A64DOpcodeHint::opName):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::format):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpName):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::format):
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opName):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opNum):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::mBit):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::sBit):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::wBit):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::immediate10):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpCode):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op2):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op3):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op4):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::mBit):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::rm):
        (JSC::ARM64Disassembler::A64DOpcodeHint::opName): Deleted.

2019-06-05  Justin Michaud  <justin_michaud@apple.com>

        [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
        https://bugs.webkit.org/show_bug.cgi?id=198398

        Reviewed by Saam Barati.

        Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec).
        Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to
        support calling from wasm. A JSWebAssemblyTable is required to set an anyref element, but this is only because
        we need to write barrier it (so it should not restrict how we implement threads). This patch does, however,
        restrict the implementation of function references to require every Ref.func to have an associated wrapper. This
        can be done statically, so this too should not restrict our threads implementation. 

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addTableGet):
        (JSC::Wasm::AirIRGenerator::addTableSet):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addLocal):
        (JSC::Wasm::B3IRGenerator::addTableGet):
        (JSC::Wasm::B3IRGenerator::addTableSet):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmFormat.h:
        (JSC::Wasm::TableInformation::TableInformation):
        (JSC::Wasm::TableInformation::type const):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseTableHelper):
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::Table):
        (JSC::Wasm::Table::tryCreate):
        (JSC::Wasm::Table::grow):
        (JSC::Wasm::Table::clear):
        (JSC::Wasm::Table::set):
        (JSC::Wasm::Table::get):
        (JSC::Wasm::Table::visitChildren):
        (JSC::Wasm::FuncRefTable::FuncRefTable):
        (JSC::Wasm::FuncRefTable::setFunction):
        (JSC::Wasm::Table::~Table): Deleted.
        (JSC::Wasm::Table::clearFunction): Deleted.
        (JSC::Wasm::Table::setFunction): Deleted.
        * wasm/WasmTable.h:
        (JSC::Wasm::Table::length const):
        (JSC::Wasm::Table::type const):
        (JSC::Wasm::Table::setOwner):
        (JSC::Wasm::FuncRefTable::offsetOfFunctions):
        (JSC::Wasm::FuncRefTable::offsetOfInstances):
        (JSC::Wasm::Table::offsetOfFunctions): Deleted.
        (JSC::Wasm::Table::offsetOfInstances): Deleted.
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::addTableGet):
        (JSC::Wasm::Validate::addTableSet):
        (JSC::Wasm::Validate::addCallIndirect):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
        (JSC::JSWebAssemblyTable::finishCreation):
        (JSC::JSWebAssemblyTable::visitChildren):
        (JSC::JSWebAssemblyTable::grow):
        (JSC::JSWebAssemblyTable::get):
        (JSC::JSWebAssemblyTable::set):
        (JSC::JSWebAssemblyTable::clear):
        (JSC::JSWebAssemblyTable::getFunction): Deleted.
        (JSC::JSWebAssemblyTable::clearFunction): Deleted.
        (JSC::JSWebAssemblyTable::setFunction): Deleted.
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::constructJSWebAssemblyTable):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncGet):
        (JSC::webAssemblyTableProtoFuncSet):
        * wasm/wasm.json:

2019-06-05  Justin Michaud  <justin_michaud@apple.com>

        WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
        https://bugs.webkit.org/show_bug.cgi?id=198106

        Reviewed by Saam Barati.

        Fix bug caused by using fcsel sX instead of fcsel dX on an f64 value in moveDoubleConditionally32.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveDoubleConditionally32):

2019-06-05  Alex Christensen  <achristensen@webkit.org>

        Progress towards resurrecting Mac CMake build
        https://bugs.webkit.org/show_bug.cgi?id=197132

        Reviewed by Don Olmstead.

        * API/JSScript.mm:
        (-[JSScript readCache]):
        (-[JSScript sourceCode]):
        (-[JSScript jsSourceCode]):
        (-[JSScript writeCache:]):
        * CMakeLists.txt:

== Rolled over to ChangeLog-2019-06-05 ==
