Source/JavaScriptCore/ChangeLog

2022-05-13  Ross Kirsling  <ross.kirsling@sony.com>

        TemporalPlainTime::toTemporalTimeRecord shouldn't require all properties to be provided
        https://bugs.webkit.org/show_bug.cgi?id=240394

        Reviewed by Yusuke Suzuki and Darin Adler.

        Following the spec correction of https://github.com/tc39/proposal-temporal/pull/1862, this patch
        fixes our Temporal.PlainTime implementation to require that *one* property be provided, not *all* of them.

        * runtime/TemporalDuration.cpp:
        (JSC::TemporalDuration::fromDurationLike):
        * runtime/TemporalPlainTime.cpp:
        (JSC::toTemporalTimeRecord):

2022-05-13  Anjali Kumar  <anjalik_22@apple.com>

        Web Inspector: [Meta] Implement Timelines Film Strip
        https://bugs.webkit.org/show_bug.cgi?id=239350

        Reviewed by Devin Rousso and Patrick Angle.

        * inspector/protocol/Timeline.json:

2022-05-13  Lauro Moura  <lmoura@igalia.com>

        Unreviewed, non-unified build fixes
        https://bugs.webkit.org/show_bug.cgi?id=240369

        * runtime/DateConversion.cpp:

2022-05-08  Saam Barati  <sbarati@apple.com>

        Better handle clobbered registers in O0 register allocation
        https://bugs.webkit.org/show_bug.cgi?id=240205
        <rdar://87220688>

        Reviewed by Yusuke Suzuki.

        This patch makes Air's O0 register allocator better handle clobbered
        registers. We now model both early and late clobber directly, and use
        this to perform a basic interference analysis when allocating a register
        to a Tmp. An early clobber interferes with any Use in an instruction, and
        any early Defs. A late clobber interferes with any Defs in an instruction,
        and any late Uses. What this enables is an early Use can be allocated
        to a register that is only late clobbered. And a result can be allocated 
        to a register that is only early clobbered.
        
        Prior to this, the algorithm had a bug where a Use may be allocated to
        a register that is early clobbered.

        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h:
        * b3/air/testair.cpp:
        * jit/RegisterSet.h:

2022-05-11  Patrick Angle  <pangle@apple.com>

        Web Inspector: Parse InjectedScriptSource as a built-in to get guaranteed non-user-overriden JSC built-ins
        https://bugs.webkit.org/show_bug.cgi?id=152294

        Reviewed by Devin Rousso.

        Covered by existing tests, and new test cases in `LayoutTests/inspector/injected-script/observable.html`

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Build InjectedScriptSource.js as a builtin, not as a plain header file containing its source code.

        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.fromString):
        (BuiltinsCollection._parse_functions):
        - InspectorInjectedScript contains unbalanced curly brackets inside quotes. The generation of builtins is now
        hardened against this. Previously all curly brackets were counted, which meant that the source code would be cut
        off earlier than the actual end of the function.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        - CommandLineAPIModuleSource.js uses destructuring to get the `RemoteObject` and `CommandLineAPI` classes at
        instantiation. We need to treat this destructure as a single parameter, otherwise debug assertions will catch
        the discrepancy between parameter counts.

        * builtins/BuiltinNames.h:
        * bytecode/LinkTimeConstant.h:
        - Add symbols that we need to have a private version of, and for some of those symbols make them link-time constants.

        * builtins/IteratorHelpers.js:
        (globalPrivate.builtinSetIterable):
        (globalPrivate.builtinMapIterable):
        - Add reusable helpers for getting builtin iterators for Maps and Sets. This is done with private symbols that
        represent the same function that the iterator would have returned. We create a new wrapper object to allow usage
        to follow the same pattern at dealing with an unwrapped iterable object.
        
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        (Inspector::InjectedScriptManager::injectedScriptFor):
        (Inspector::InjectedScriptManager::injectedScriptSource): Deleted.
        * inspector/InjectedScriptManager.h:
        - Use the new link-time constant for the Injected Script creation function.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * inspector/InjectedScriptModule.h:
        - Injected modules are now provided as a JSFunction, not raw source code.

        * inspector/InjectedScriptSource.js:
        - Use private symbols throughout to ensure we get non-observable, non-overridden versions of functions and values.
        - In many cases, this is a 1:1 mapping where the new symbol is just prefixed with an `@`.
        - For pushing values to arrays, use `@arrayPush`, the builtin way of pushing a value into an array.
        - For the `Symbol` constructor, just use the existing `@createPrivateSymbol` instead of exposing a private
        version of the `Symbol` constructor..
        - `Symbol.toStringTag` is converted to `@@toStringTag`, the private version of that symbol.
        - `Math.max` in `RemoteObject.prototype._generatePreview` now uses a helper function that performs a comparison
        instead of exposing both Math and Math.max as private builtins.
        - Create objects as prototype-less using the new builtin helper @createPrototypelessObject, which can also take
        arguments that are key value pairs for near-parity with normal Object creation via `{}`.
        - Create arrays as prototype-less using the new builtin helper @createPrototypelessArray, which can also take
        arguments which are entries to put into the array.
        - For spreading arguments (for the console commandline functions) we should create a new prototypeless array to
        spread instead of spreading the raw arguments to avoid interacting with a potentially modified iterator.

        * parser/Parser.h:
        (JSC::parse):
        - Add the line number to builtin compilation logging to help identify where sometimes ambiguous errors occurred.

        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/StringPrototype.cpp:
        - Expose necessary functions/constructors via their private name for use in InjectedScriptSource.js and
        CommandLineAPIModuleSource.js

        * runtime/JSGlobalObject.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        - Add a link-time constant for the String constructor.
        - Add helpers for JSON parsing/serialization.

2022-05-10  Ross Kirsling  <ross.kirsling@sony.com>

        [Temporal] Years 0-999 should be canonically represented with 4 digits, not 6
        https://bugs.webkit.org/show_bug.cgi?id=240294

        Reviewed by Yusuke Suzuki.

        This patch implements the spec change of https://github.com/tc39/proposal-temporal/issues/2082:
        The range for 4-digit years in ISO8601 date strings should be 0-9999, not 1000-9999.

        * runtime/TemporalInstant.cpp:

2022-05-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Upstream TypedArray.prototype.fill speedup from bun
        https://bugs.webkit.org/show_bug.cgi?id=239891

        Reviewed by Saam Barati.

        This patch imports bun's improvement in TypedArray#fill[1], bun is MIT licensed.
        We use memset and its variant to fill TypedArray if possible.
        Microbenchmarks show 5x improvement.

                                         ToT                     Patched

            typed-array-fill     1092.0348+-6.2496     ^    221.3430+-9.1261        ^ definitely 4.9337x faster

        [1]: https://github.com/Jarred-Sumner/WebKit/commit/b06577c1f1de19d2ef3d4a87d14ea41909ddf5fc

        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncCopyWithin):
        (JSC::genericTypedArrayViewProtoFuncIncludes):
        (JSC::genericTypedArrayViewProtoFuncIndexOf):
        (JSC::genericTypedArrayViewProtoFuncJoin):
        (JSC::genericTypedArrayViewProtoFuncFill):
        (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
        (JSC::genericTypedArrayViewProtoFuncReverse):
        (JSC::genericTypedArrayViewPrivateFuncSort):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):

2022-05-10  Mark Lam  <mark.lam@apple.com>

        Add optional Integrity checks at JSC API boundaries.
        https://bugs.webkit.org/show_bug.cgi?id=240264

        Reviewed by Yusuke Suzuki.

        1. Defined ENABLE_EXTRA_INTEGRITY_CHECKS in Integrity.h.  JSC developers can enable
           this for their local build if they want to enable more prolific Integrity audits.
           This is disabled by default.

           This feature is currently only supported for USE(JSVALUE64) targets.

        The following changes only take effect if ENABLE(EXTRA_INTEGRITY_CHECKS) is enabled.
        Otherwise, these are no-ops.

        2. Added Integrity audits to all toJS and toRef conversion functions in APICast.h.
           This will help us detect if bad values are passed across the API boundary.

        3. Added some Integrity audits in JSValue.mm where the APICast ones were insufficient.

        The following changes are in effect even when ENABLE(EXTRA_INTEGRITY_CHECKS) is
        disabled.  Some of these were made to support ENABLE(EXTRA_INTEGRITY_CHECKS), and
        some are just clean up in related code that I had to touch along the way.

        4. Moved isSanePointer() to Integrity.h so that it can be used in more places.

        5. Changed VM registration with the VMInspector so that it's registered earlier
           and removed later.  Integrity audits may need to audit VM pointers while the
           VM is being constructed and destructed.

        6. Added VM::m_isInService to track when the VM is fully constructed or about to
           be destructed since the VM is now registered with the VMInspector differently
           (see (4) above).  Applied this check in places that need it.

        7. Fixed VMInspector::isValidExecutableMemory() to check the ExecutableAllocator
           directly without iterating VMs (which is completely unnecessary).

        8. Fixed VMInspector::isValidExecutableMemory() and VMInspector::codeBlockForMachinePC()
           to use AdoptLock.  This fixes a race condition where the lock can be contended
           after ensureIsSafeToLock() succeeds.

        9. Added VMInspector::isValidVM() to check if a VM pointer is registered or not.
           VMInspector caches the most recently added or found VM so that isValidVM()
           can just check the cache for its fast path.

        10. Moved the implementation of VMInspector::verifyCell() to Integrity::analyzeCell()
            and add more checks to it.  VMInspector::verifyCell() now calls Integrity::verifyCell()
            which uses Integrity::analyzeCell() to do the real cell analysis.

        11. Also strengten Integrity::auditStructureID() so that it will check if a
            Structure's memory has been released.  This change is enabled on Debug builds
            by default as well as when ENABLE(EXTRA_INTEGRITY_CHECKS).  It is disabled
            on Release builds.

        * API/APICast.h:
        (toJS):
        (toJSForGC):
        (uncheckedToJS):
        (toRef):
        (toGlobalRef):
        * API/JSContext.mm:
        * API/JSContextRef.cpp:
        * API/JSScript.mm:
        * API/JSValue.mm:
        (ObjcContainerConvertor::convert):
        (objectToValueWithoutCopy):
        (objectToValue):
        * API/JSVirtualMachine.mm:
        * API/JSWeakPrivate.cpp:
        * API/glib/JSCContext.cpp:
        * API/glib/JSCWrapperMap.cpp:
        * API/tests/JSObjectGetProxyTargetTest.cpp:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        (JSC::isSanePointer): Deleted.
        * heap/HeapFinalizerCallback.cpp:
        * heap/WeakSet.h:
        * runtime/Structure.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::isInService const):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::checkIfRecorded):
        * tools/Integrity.cpp:
        (JSC::Integrity::Random::reloadAndCheckShouldAuditSlow):
        (JSC::Integrity::auditCellMinimallySlow):
        (JSC::Integrity::doAudit):
        (JSC::Integrity::Analyzer::analyzeVM):
        (JSC::Integrity::Analyzer::analyzeCell):
        (JSC::Integrity::doAuditSlow):
        (JSC::Integrity::verifyCell):
        (): Deleted.
        (JSC::Integrity::auditCellFully): Deleted.
        * tools/Integrity.h:
        (JSC::isSanePointer):
        (JSC::Integrity::auditCell):
        (JSC::Integrity::audit):
        * tools/IntegrityInlines.h:
        (JSC::Integrity::auditCell):
        (JSC::Integrity::auditCellFully):
        (JSC::Integrity::auditStructureID):
        (JSC::Integrity::doAudit):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::add):
        (JSC::VMInspector::remove):
        (JSC::VMInspector::isValidVMSlow):
        (JSC::VMInspector::dumpVMs):
        (JSC::VMInspector::isValidExecutableMemory):
        (JSC::VMInspector::codeBlockForMachinePC):
        (JSC::ensureIsSafeToLock): Deleted.
        * tools/VMInspector.h:
        (JSC::VMInspector::isValidVM):
        (): Deleted.
        (JSC::VMInspector::unusedVerifier): Deleted.
        * tools/VMInspectorInlines.h:
        (JSC::VMInspector::verifyCell):
        (JSC::VMInspector::verifyCellSize): Deleted.

2022-05-09  Ross Kirsling  <ross.kirsling@sony.com>

        Unreviewed, address Darin's feedback on r250361.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toIntegerWithoutRounding const):
        Normalize away -0 by unconditionally adding positive 0 (instead of making a separate zero check).

2022-05-09  Ross Kirsling  <ross.kirsling@sony.com>

        Temporal round and total methods should accept string param
        https://bugs.webkit.org/show_bug.cgi?id=240249

        Reviewed by Yusuke Suzuki.

        This patch implements https://github.com/tc39/proposal-temporal/pull/1875,
        which allows certain required string options to be passed directly instead of as part of an options object.

        Namely:
        - `{Duration, Instant, PlainTime}::round` now accept `smallestUnit` as a string param
        - `Duration::total` now accepts `unit` as a string param

        * runtime/TemporalDuration.cpp:
        (JSC::TemporalDuration::round const):
        (JSC::TemporalDuration::total const):
        * runtime/TemporalInstant.cpp:
        * runtime/TemporalPlainTime.cpp:
        (JSC::TemporalPlainTime::round const):

2022-05-09  Ross Kirsling  <ross.kirsling@sony.com>

        Temporal and Date must reject expanded year -000000
        https://bugs.webkit.org/show_bug.cgi?id=240263

        Reviewed by Yusuke Suzuki.

        As of the following two PRs, -000000 is officially disallowed as a representation of the year zero in ISO date strings.
        https://github.com/tc39/ecma262/pull/2550
        https://github.com/tc39/proposal-temporal/pull/1992

        This patch implements the change for Temporal and Date alike.

        * runtime/ISO8601.cpp:
        (JSC::ISO8601::parseDate):

2022-05-06  Ross Kirsling  <ross.kirsling@sony.com>

        Temporal.Duration#toString should never ignore fractionalSecondDigits
        https://bugs.webkit.org/show_bug.cgi?id=240193

        Reviewed by Yusuke Suzuki.

        This patch implements the spec correction of https://github.com/tc39/proposal-temporal/pull/1956:
        `new Temporal.Duration(1).toString({ fractionalSecondDigits: 2 })` should be P1Y0.00S, not just P1Y.

        * runtime/TemporalDuration.cpp:
        (JSC::TemporalDuration::toString):

2022-05-06  Ross Kirsling  <ross.kirsling@sony.com>

        ISO8601::Duration should guard against -0
        https://bugs.webkit.org/show_bug.cgi?id=240185

        Reviewed by Yusuke Suzuki.

        Currently, when we parse a negative ISO duration string or negate a positive Duration object,
        we end up storing -0 for the zero fields. This patch ensures that we always store +0 instead.

        * runtime/ISO8601.h:
        (JSC::ISO8601::Duration::operator- const):

2022-05-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add more information about MarkedBlock assertion
        https://bugs.webkit.org/show_bug.cgi?id=240176

        Reviewed by Mark Lam and Saam Barati.

        Collect more information about assertion via CRASH_WITH_INFO.

        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):

2022-05-05  Ross Kirsling  <ross.kirsling@sony.com>

        Temporal.Duration constructor should handle -0 properly
        https://bugs.webkit.org/show_bug.cgi?id=240145

        Reviewed by Yusuke Suzuki.

        r250284 broke a new test262 test which verifies that -0 is normalized to 0 in cases like
        `new Temporal.Duration(-0)` and `Temporal.Duration.from({years: -0 })`.
        This patch properly aligns these paths with the spec.

        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toIntegerWithoutRounding const): Added.
        (JSC::JSValue::toIntegerOrInfinity const):
        * runtime/TemporalDuration.cpp:
        (JSC::TemporalDuration::fromDurationLike):
        * runtime/TemporalDurationConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):

2022-05-06  Fujii Hironori  <Hironori.Fujii@sony.com>

        builtins-generator-tests are failing after 250242@main
        https://bugs.webkit.org/show_bug.cgi?id=239792
        <rdar://problem/92532725>

        Unreviewed resetting the results.
        Tools/Scripts/run-builtins-generator-tests --reset-results

        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:

2022-05-05  Chris Dumez  <cdumez@apple.com>

        Identifier::string() should return an AtomString
        https://bugs.webkit.org/show_bug.cgi?id=240122

        Reviewed by Yusuke Suzuki.

        Identifier::string() should return an AtomString instead of a String, since
        it holds an AtomString internally.
    
        Also add some overloads to jsString() to resolve ambiguity for some callers.

        * API/JSContext.mm:
        (-[JSContext dependencyIdentifiersForModuleJSScript:]):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::processClauseList):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        * jsc.cpp:
        (JSC_DEFINE_HOST_FUNCTION):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::toStringSlow):
        * runtime/Identifier.h:
        (JSC::Identifier::string const):
        (JSC::Identifier::atomString const): Deleted.
        * runtime/IdentifierInlines.h:
        (JSC::identifierToJSValue):
        (JSC::identifierToSafePublicJSValue):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::format const):
        (JSC::IntlDateTimeFormat::formatRange):
        * runtime/IntlDisplayNames.cpp:
        (JSC::IntlDisplayNames::of const):
        * runtime/IntlListFormat.cpp:
        (JSC::IntlListFormat::format const):
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::format const):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::reifyName):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSString.h:
        (JSC::jsString):
        * runtime/JSStringInlines.h:
        (JSC::repeatCharacter):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::toLocaleCase):
        (JSC::normalize):
        * runtime/SymbolPrototype.cpp:
        (JSC::JSC_DEFINE_CUSTOM_GETTER):

2022-05-05  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, partial revert of r293813 because of proposal's issue.
        https://bugs.webkit.org/show_bug.cgi?id=240102

        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):

2022-05-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Clean up StructureID related data
        https://bugs.webkit.org/show_bug.cgi?id=240114

        Reviewed by Mark Lam.

        This patch moves structureHeapAddressSize to StructureID. And define it only when we use it.
        We also use decontaminate() in ADDRESS32 tryDecode. Strictly speaking, it is not necessary
        for now since 32bit environment does not have concurrent GC & concurrent JIT compiler, but
        it can have that.

        * runtime/JSCConfig.h:
        * runtime/StructureID.h:
        (JSC::StructureID::tryDecode const):

2022-05-05  Diego Pino Garcia  <dpino@igalia.com>

        [GCC] REGRESSION(r293605): error: cannot convert ‘<brace-enclosed initializer list>’ to ‘unsigned char:3’ in initialization
        https://bugs.webkit.org/show_bug.cgi?id=239897

        Reviewed by Yusuke Suzuki.

        * bytecode/MethodOfGettingAValueProfile.h: Move initialization of 'm_kind' to class constructor.

2022-05-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Intl.NumberFormat lacks some validation for rounding-increment
        https://bugs.webkit.org/show_bug.cgi?id=240102

        Reviewed by Ross Kirsling.

        This patch adds some validations added in Intl.NumberFormat v3[1].
        Important thing is one is TypeError and one is RangeError.
        Both are tested in test262.

        [1]: https://tc39.es/proposal-intl-numberformat-v3/out/numberformat/proposed.html#sec-initializenumberformat

        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):

2022-05-04  Ross Kirsling  <ross.kirsling@sony.com>

        Temporal.Duration constructor should throw on non-integers
        https://bugs.webkit.org/show_bug.cgi?id=240094

        Reviewed by Yusuke Suzuki.

        Belated implementation for https://github.com/tc39/proposal-temporal/pull/1872 --
        this patch makes `new Temporal.Duration(1.1)` throw just as `Temporal.Duration.from({ years: 1.1 })` does.

        * runtime/TemporalDurationConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):

2022-05-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Temporal.Instant since/until should not accept year / month / day / week units
        https://bugs.webkit.org/show_bug.cgi?id=240097

        Reviewed by Ross Kirsling.

        Temporal.Instant.{since,until} should not accept year / month / day / week units as smallestUnit / largestUnit
        according to the spec [1,2]. But we missed that and crashing with the attached test. This patch fixes it.

        [1]: https://tc39.es/proposal-temporal/#sec-temporal.instant.prototype.until
        [2]: https://tc39.es/proposal-temporal/#sec-temporal.instant.prototype.since

        * runtime/TemporalInstant.cpp:

2022-05-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use decontaminate in StructureID::decode
        https://bugs.webkit.org/show_bug.cgi?id=240088

        Reviewed by Saam Barati and Mark Lam.

        We have a bug that ENABLE(STRUCTURE_ID_WITH_SHIFT) and CPU(ADDRESS32) version of StructureID::decode
        does not have decontaminate() call. It is wrong since these ID can be decoded concurrently. This patch fixes it.

        * runtime/StructureID.h:
        (JSC::StructureID::decode const):

2022-05-04  Mark Lam  <mark.lam@apple.com>

        Use IterationStatus in more places.
        https://bugs.webkit.org/show_bug.cgi?id=239864

        Reviewed by Saam Barati.

        There's no need for a StackVisitor::Status and a VMInspector::FunctorStatus which
        represent the same idea.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::operator() const):
        * bytecode/CodeBlock.cpp:
        (JSC::RecursionCheckFunctor::operator() const):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::LineAndColumnFunctor::operator() const):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::CreateScriptCallStackFunctor::operator() const):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerSourceOrigin):
        (JSC::CallFrame::globalObjectOfClosestCodeBlock):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator() const):
        (JSC::Interpreter::getStackTrace):
        (JSC::GetCatchHandlerFunctor::operator() const):
        (JSC::UnwindFunctor::operator() const):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::visit):
        (JSC::CallerFunctor::operator() const):
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator() const):
        (startTimeoutTimer):
        * runtime/Error.cpp:
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator() const):
        * runtime/FunctionPrototype.cpp:
        (JSC::RetrieveArgumentsFunctor::operator() const):
        (JSC::RetrieveCallerFunctionFunctor::operator() const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/NullSetterFunction.cpp:
        (JSC::GetCallerStrictnessFunctor::operator() const):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::checkIfRecorded):
        * tools/JSDollarVM.cpp:
        (JSC::CallerFrameJITTypeFunctor::operator() const):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::forEachVM):
        (JSC::VMInspector::isValidExecutableMemory):
        (JSC::VMInspector::codeBlockForMachinePC):
        (JSC::VMInspector::codeBlockForFrame):
        (JSC::DumpFrameFunctor::operator() const):
        (JSC::VMInspector::dumpRegisters):
        * tools/VMInspector.h:
        (JSC::VMInspector::WTF_REQUIRES_LOCK):

2022-04-30  Philippe Normand  <philn@igalia.com>

        Web Inspector: Update jsmin to 3.0.1
        https://bugs.webkit.org/show_bug.cgi?id=239924

        Reviewed by Yusuke Suzuki.

        Updated jsmin from upstream version, applying a few style changes suggested by
        check-webkit-style. This new version is Python3-only and also much faster. Old:

        time python3 /app/webkit/Source/JavaScriptCore/Scripts/jsmin.py < /app/webkit/WebKitBuild/Release/WebInspectorUI/DerivedSources/Main.js > foo.js

        real 1m21.234s
        user 0m59.580s
        sys  0m21.253s

        New:

        time python3 /app/webkit/Source/JavaScriptCore/Scripts/jsmin.py < /app/webkit/WebKitBuild/Release/WebInspectorUI/DerivedSources/Main.js > foo.js

        real 0m3.933s
        user 0m3.899s
        sys  0m0.018s

        * Scripts/jsmin.py:
        (jsmin):
        (JavascriptMinify.__init__):
        (JavascriptMinify.minify.write):
        (JavascriptMinify.minify):
        (JavascriptMinify):
        (JavascriptMinify.regex_literal):
        (JavascriptMinify.regex_literal.cannot):
        (JavascriptMinify.line_comment):
        (JavascriptMinify.block_comment):
        (JavascriptMinify.newline):
        (JavascriptMinify.minify.read): Deleted.

2022-05-03  Zan Dobersek  <zdobersek@igalia.com>

        [RISCV64] Implement MacroAssemblerRISCV64 move-conditionally methods
        https://bugs.webkit.org/show_bug.cgi?id=239998

        Reviewed by Yusuke Suzuki.

        Provide implementations for the variants of the move-conditionally
        operation in MacroAssemblerRISCV64. These are true macro operations,
        often requiring scratch registers and branches to implement the
        behavior since the RISC-V ISA doesn't provide appropriate instructions
        out-of-the-box.

        Test cases in testmasm are also enabled, including some additional
        guards to avoid unused-variable warnings at build-time.

        * assembler/MacroAssemblerRISCV64.h:
        (JSC::MacroAssemblerRISCV64::moveConditionally32):
        (JSC::MacroAssemblerRISCV64::moveConditionally64):
        (JSC::MacroAssemblerRISCV64::moveConditionallyFloat):
        (JSC::MacroAssemblerRISCV64::moveConditionallyDouble):
        (JSC::MacroAssemblerRISCV64::moveConditionallyTest32):
        (JSC::MacroAssemblerRISCV64::moveConditionallyTest64):
        (JSC::MacroAssemblerRISCV64::moveDoubleConditionally32):
        (JSC::MacroAssemblerRISCV64::moveDoubleConditionally64):
        (JSC::MacroAssemblerRISCV64::moveDoubleConditionallyFloat):
        (JSC::MacroAssemblerRISCV64::moveDoubleConditionallyDouble):
        (JSC::MacroAssemblerRISCV64::moveDoubleConditionallyTest32):
        (JSC::MacroAssemblerRISCV64::moveDoubleConditionallyTest64):
        (JSC::MacroAssemblerRISCV64::branchForMoveConditionally):
        * assembler/testmasm.cpp:
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2022-05-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Extend Structure heap size from 1GB to 4GB
        https://bugs.webkit.org/show_bug.cgi?id=240028

        Reviewed by Saam Barati.

        1GB was much smaller compared to StructureIDTable (which allowed 7GB).
        This patch extends 1GB to 4GB, that's maximum limit of the current encoding scheme (we can
        extend it further to 64GB if we introduce shift based on alignment, but currently not used).
        We use this 4GB on platforms which has enough virtual address space.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitNonNullDecodeStructureID):
        * runtime/JSCConfig.h:

2022-05-03  Philippe Normand  <pnormand@igalia.com> and Pavel Feldman <pavel.feldman@gmail.com> and Yury Semikhatsky <yurys@chromium.org>

        [WK2] Add API to allow embedder to set a timezone override
        https://bugs.webkit.org/show_bug.cgi?id=213884

        Reviewed by Yusuke Suzuki.

        * runtime/DateConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/DateConversion.cpp:
        (JSC::formatDateTime): Format the overridden timezone if it's enabled.
        * runtime/DateConversion.h:
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        * runtime/JSDateMath.cpp:
        (JSC::toICUTimeZone):
        (JSC::toOpaqueICUTimeZone):
        (JSC::OpaqueICUTimeZoneDeleter::operator()):
        (JSC::DateCache::calculateLocalTimeOffset):
        (JSC::DateCache::defaultTimeZone):
        (JSC::DateCache::timeZoneDisplayNameOverride):
        (JSC::DateCache::timeZoneCacheSlow): Apply timezone override if it is set.
        (JSC::DateCache::resetIfNecessary):
        * runtime/JSDateMath.h:


2022-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce unlinked version of invalidation
        https://bugs.webkit.org/show_bug.cgi?id=239887

        Reviewed by Saam Barati.

        This patch makes invalidation mechanism unlinked for unlinked DFG.

        1. We always use CheckTraps instead of InvalidationPoint with VMTraps so that we do not need
           to repatch existing code.
        2. We introduce load-and-branch based InvalidationPoint for unlinked DFG so that we do not need
           to repatch it to jump to OSR exit when watchpoint fires. We store this condition in DFG::JITData
           so that code can quickly access to that.
        3. We make isStillValid conditions in DFG::CommonData always true for unlinked DFG code. Instead,
           we check isJettisoned() condition of CodeBlock since it will become eventually per CodeBlock
           information (while this CodeBlock gets invalidated, unlinked DFG code itself can be used for
           the other CodeBlock).

        After this change, now, jumpReplacements for unlinked DFG becomes empty. We no longer repatch these invalidation points.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::hasInstalledVMTrapsBreakpoints const):
        (JSC::CodeBlock::canInstallVMTrapBreakpoints const):
        (JSC::CodeBlock::installVMTrapBreakpoints):
        (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::isJettisoned const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidateLinkedCode):
        (JSC::DFG::CommonData::~CommonData):
        (JSC::DFG::CommonData::installVMTrapBreakpoints):
        (JSC::DFG::CommonData::invalidate): Deleted.
        (JSC::DFG::CommonData::isVMTrapBreakpoint): Deleted.
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        (JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints const):
        (JSC::DFG::CommonData::isUnlinked const):
        (JSC::DFG::CommonData::isStillValid const):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::JITCode):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::isUnlinked const):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * jit/JITCode.cpp:
        (JSC::JITCode::isUnlinked const):
        * jit/JITCode.h:
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        (JSC::VMTraps::handleTraps):

2022-05-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce shifting Structure encoding
        https://bugs.webkit.org/show_bug.cgi?id=239957

        Reviewed by Mark Lam.

        For platforms which have limited amount of virtual address space (<= 36 bits), this patch introduces
        shifting Structure encoding. We align Structure on a 32-bytes boundary instead of 16 bytes so that
        we can ensure that lower 5 bits are zero. Then, we can use 1 bit for nuke, and shifting 4 bits to
        convert 36 bit address to 32 bit StructureID. By using this mechanism, we do not need to allocate
        large virtual address space for these platforms. If we an address can have more than 36 bits, then
        we should just reserve a larger address region since we have enough address space. Current Structure
        size is 112 bytes, which is 3.5 atoms at 32 bytes / atom. Hence, this alignment costs us 16 bytes per
        Structure.
        Relanding with debug build failure & crash on static atomSize assumption in IsoSubspace.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * heap/Heap.cpp:
        * heap/IsoSubspace.h:
        (JSC::GCClient::IsoSubspace::allocatorFor):
        * heap/IsoSubspaceInlines.h:
        (JSC::GCClient::IsoSubspace::allocate):
        * heap/StructureAlignedMemoryAllocator.cpp:
        (JSC::StructureMemoryManager::StructureMemoryManager):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitNonNullDecodeStructureID):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        * runtime/StructureID.h:
        (JSC::StructureID::decode const):
        (JSC::StructureID::tryDecode const):
        (JSC::StructureID::encode):
        * tools/IntegrityInlines.h:
        (JSC::Integrity::auditStructureID):

2022-05-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add ISO8601 based Temporal.PlainDate getters
        https://bugs.webkit.org/show_bug.cgi?id=239949

        Reviewed by Ross Kirsling and Dean Jackson.

        This patch adds missing getters of Temporal.PlainDate. Currently, we are not querying to Calendar.
        It will be wired once we bake Calendar completely.

        * runtime/ISO8601.cpp:
        (JSC::ISO8601::dayOfWeek):
        (JSC::ISO8601::dayOfYear):
        (JSC::ISO8601::weekOfYear):
        (JSC::ISO8601::daysInMonth):
        (JSC::ISO8601::monthCode):
        * runtime/ISO8601.h:
        * runtime/TemporalPlainDate.cpp:
        (JSC::TemporalPlainDate::from):
        (JSC::TemporalPlainDate::monthCode const):
        (JSC::TemporalPlainDate::dayOfWeek const):
        (JSC::TemporalPlainDate::dayOfYear const):
        (JSC::TemporalPlainDate::weekOfYear const):
        * runtime/TemporalPlainDate.h:
        * runtime/TemporalPlainDatePrototype.cpp:
        (JSC::JSC_DEFINE_CUSTOM_GETTER):

2022-05-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Fix ASan crash due to CString ownership
        https://bugs.webkit.org/show_bug.cgi?id=239981

        Reviewed by Darin Adler and Mark Lam.

        We need to ensure that CString is kept alive.

        * runtime/JSDateMath.cpp:
        (JSC::DateCache::timeZoneDisplayName):

2022-05-02  Justin Michaud  <justin_michaud@apple.com>

        Add option to JSC shell to wait for a USR2 signal before exiting to aid in collection of vmmaps
        https://bugs.webkit.org/show_bug.cgi?id=239919

        Reviewed by Yusuke Suzuki.

        * jsc.cpp:
        (main):

2022-05-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, reverting r293680.
        https://bugs.webkit.org/show_bug.cgi?id=239983

        crash on iOS

        Reverted changeset:

        "[JSC] Introduce shifting Structure encoding"
        https://bugs.webkit.org/show_bug.cgi?id=239957
        https://commits.webkit.org/r293680

2022-05-02  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce shifting Structure encoding
        https://bugs.webkit.org/show_bug.cgi?id=239957

        Reviewed by Mark Lam.

        For platforms which have limited amount of virtual address space (<= 36 bits), this patch introduces
        shifting Structure encoding. We align Structure on a 32-bytes boundary instead of 16 bytes so that
        we can ensure that lower 5 bits are zero. Then, we can use 1 bit for nuke, and shifting 4 bits to
        convert 36 bit address to 32 bit StructureID. By using this mechanism, we do not need to allocate
        large virtual address space for these platforms. If we an address can have more than 36 bits, then
        we should just reserve a larger address region since we have enough address space. Current Structure
        size is 112 bytes, which is 3.5 atoms at 32 bytes / atom. Hence, this alignment costs us 16 bytes per
        Structure.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * heap/Heap.cpp:
        * heap/StructureAlignedMemoryAllocator.cpp:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::emitNonNullDecodeStructureID):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCConfig.h:
        * runtime/JSCell.h:
        (JSC::JSCell::atomSize):
        * runtime/Structure.h:
        (JSC::Structure::atomSize):
        * runtime/StructureID.h:
        (JSC::StructureID::decode const):
        (JSC::StructureID::tryDecode const):
        (JSC::StructureID::encode):
        * tools/IntegrityInlines.h:
        (JSC::Integrity::auditStructureID):

2022-05-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Revive JSC's guard against speculation collection
        https://bugs.webkit.org/show_bug.cgi?id=239939

        Reviewed by Mark Lam.

        r288815 dropped JSC's guard against structures in speculation collection, but this is wrong.
        This patch reverts it back.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * heap/StructureAlignedMemoryAllocator.cpp:
        (JSC::StructureMemoryManager::StructureMemoryManager):
        (JSC::StructureMemoryManager::tryMallocStructureBlock):
        (JSC::StructureMemoryManager::freeStructureBlock):
        (JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace):
        * runtime/JSCConfig.h:
        * runtime/StructureID.h:
        (JSC::StructureID::tryDecode const):

2022-05-01  Zan Dobersek  <zdobersek@igalia.com>

        [RISCV64] Implement MacroAssembler::probe(), ctiMasmProbeTrampoline
        https://bugs.webkit.org/show_bug.cgi?id=239938

        Reviewed by Yusuke Suzuki.

        Implement MacroAssembler::probe() for RISCV64, along with the
        ctiMasmProbeTrampoline operation. The implementation follows the process
        of implementations for other platforms, with incoming, outgoing and
        return-address-restoration records used to store register values during
        setup and breakdown of the probe.

        Going into the probe and back out of it, the general-purpose and
        floating-point registers are stored, with the exception of global and
        thread registers (x3 and x4). After the probe, if the probe state on the
        stack is broken, the complete state is re-established before the
        registers are reloaded, with the stack pointer and return address
        registers set up last.

        Covered by probing-related unit tests in testmasm.

        * assembler/MacroAssemblerRISCV64.cpp:
        (JSC::MacroAssembler::probe):

2022-05-01  Zan Dobersek  <zdobersek@igalia.com>

        [RISCV64] Enable testmasm execution
        https://bugs.webkit.org/show_bug.cgi?id=239937

        Reviewed by Yusuke Suzuki.

        In testmasm, enable some additional sets of tests for RISCV64 that cover
        already-functioning behavior. In isSpecialGPR(), the function returns
        true under CPU(RISCV64) for the appropriate registers.

        In invoke(), when targeting RISCV64 and invoking JIT-produced code whose
        return type is a 32-bit integer, the resulting value is manually
        sign-extended to paper over the mismatch between zero-extended 32-bit
        values that are used and produced in JSC JIT and the sign-extended
        32-bit values that are expected in the RV64 calling convention.

        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::invoke):
        (JSC::testProbePreservesGPRS):
        (JSC::testLoadBaseIndex):
        (JSC::testStoreBaseIndex):

2022-04-29  Chris Dumez  <cdumez@apple.com>

        Unreviewed, reverting r293621.

        Reverting patch while we fix internal EWS issues, will reland
        after.

        Reverted changeset:

        https://commits.webkit.org/r293621

2022-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use FixedVector in JumpReplacements and VariableEventStream
        https://bugs.webkit.org/show_bug.cgi?id=239892

        Reviewed by Mark Lam.

        1. Introduce DFG::VariableEventStreamBuilder. And construct DFG::VariableEventStream from that
           builder when finailizing code generation. We also make it FixedVector.
        2. Use FixedVector for JumpReplacements.

        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::shrinkToFit):
        * dfg/DFGCommonData.h:
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::noticeOSRBirth):
        (JSC::DFG::GenerationInfo::use):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::setSpilled):
        (JSC::DFG::GenerationInfo::fillGPR):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillInt32):
        (JSC::DFG::GenerationInfo::fillInt52):
        (JSC::DFG::GenerationInfo::fillStrictInt52):
        (JSC::DFG::GenerationInfo::fillBoolean):
        (JSC::DFG::GenerationInfo::fillDouble):
        (JSC::DFG::GenerationInfo::fillStorage):
        (JSC::DFG::GenerationInfo::appendBirth):
        (JSC::DFG::GenerationInfo::appendFill):
        (JSC::DFG::GenerationInfo::appendSpill):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::shrinkToFit):
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::exceptionCheck):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileHasPrivate):
        (JSC::DFG::SpeculativeJIT::noticeOSRBirth):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compilePutByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::finalizeEventStream):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::recordSetLocal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileGetByVal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32):
        (JSC::DFG::SpeculativeJIT::compileGetByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStreamBuilder::logEvent):
        (JSC::DFG::VariableEventStream::reconstruct const):
        (JSC::DFG::VariableEventStream::logEvent): Deleted.
        * dfg/DFGVariableEventStream.h:
        (JSC::DFG::VariableEventStream::VariableEventStream):
        (JSC::DFG::VariableEventStreamBuilder::appendAndLog):
        (JSC::DFG::VariableEventStreamBuilder::size const):
        (JSC::DFG::VariableEventStreamBuilder::finalize):
        (JSC::DFG::VariableEventStream::appendAndLog): Deleted.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * ftl/FTLState.h:

2022-04-29  Yury Semikhatsky  <yurys@chromium.org>

        Format time zone name using ICU instead of platform calls
        https://bugs.webkit.org/show_bug.cgi?id=239865

        Reviewed by Yusuke Suzuki.

        formatDateTime now uses cached display name of the timezone.

        * runtime/DateConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/DateConversion.cpp:
        (JSC::formatDateTime):
        * runtime/DateConversion.h:
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        * runtime/JSDateMath.cpp:
        (JSC::toICUTimeZone): Encapsulate bitwise_cast into typesafe functions.
        (JSC::toOpaqueICUTimeZone):
        (JSC::OpaqueICUTimeZoneDeleter::operator()):
        (JSC::DateCache::calculateLocalTimeOffset):
        (JSC::DateCache::defaultTimeZone):
        (JSC::DateCache::timeZoneDisplayName): Both standard and daylight names are computed
        once on the first access as ICU methods internally acquire locks.
        (JSC::DateCache::timeZoneCacheSlow):
        (JSC::DateCache::resetIfNecessary):
        * runtime/JSDateMath.h:

2022-04-29  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, remove unused variable
        https://bugs.webkit.org/show_bug.cgi?id=239828

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2022-04-27  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make DFG::OSRExit data unlinked
        https://bugs.webkit.org/show_bug.cgi?id=239828

        Reviewed by Saam Barati.

        This patch makes DFG::OSRExit unlinked. While generated OSR exit code is linked version,
        we no longer put linked data to DFG::OSRExit so that unlinked DFG can use DFG::OSRExit.
        Key changes are two things.

        1. Now, we always store compiled MacroAssemblerCodeRef in DFG::JITData regardless of whether
           we have linked / unlinked DFG. While linked DFG uses repatching to jump to this code,
           unlinked DFG looks into this vector in JITData and jump to that.
        2. MethodOfGettingAValueProfile was including CodeBlock*, ValueProfile* in CodeBlock* etc.,
           so it was linked data structure which unlinked DFG cannot use. Instead, we encode how to
           retrieve these pointers when generating OSR exit code actually, and just storing CodeOrigin,
           type, and Operand to make MethodOfGettingAValueProfile unlinked data structure. While
           CodeOrigin can include InlineCallFrame, but our first version of unlinked DFG will not perform
           inlining thus we will not include it. It also makes sizeof(MethodOfGettingAValueProfile) smaller
           from 32 bytes to 16 bytes (50% reduction).

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::offsetOfCodePtr):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::emitReportValue const):
        (JSC::MethodOfGettingAValueProfile::fromLazyOperand): Deleted.
        (JSC::MethodOfGettingAValueProfile::reportValue): Deleted.
        * bytecode/MethodOfGettingAValueProfile.h:
        (JSC::MethodOfGettingAValueProfile::unaryArithProfile):
        (JSC::MethodOfGettingAValueProfile::binaryArithProfile):
        (JSC::MethodOfGettingAValueProfile::argumentValueProfile):
        (JSC::MethodOfGettingAValueProfile::bytecodeValueProfile):
        (JSC::MethodOfGettingAValueProfile::lazyOperandValueProfile):
        (JSC::MethodOfGettingAValueProfile::operator bool const):
        (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile): Deleted.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        (JSC::DFG::JITCode::findPC):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::codeLocationForRepatch const):
        (JSC::DFG::OSRExitState::OSRExitState): Deleted.
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeJITData):
        * dfg/DFGPlan.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2022-04-28  Yusuke Suzuki  <ysuzuki@apple.com>

        Support C files in Unified Builds
        https://bugs.webkit.org/show_bug.cgi?id=239873

        Reviewed by Mark Lam.

        This patch adds support for C (not CPP) files in Unified Builds
        so that we do not need to build Zydis in non-unified way.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/generate-unified-sources.sh:
        * Sources.txt:
        * UnifiedSources-output.xcfilelist:

2022-04-28  Zan Dobersek  <zdobersek@igalia.com>

        [RISCV64] Implement MacroAssemblerRISCV64 branchAtomicWeakCAS{8,16,32,64} methods
        https://bugs.webkit.org/show_bug.cgi?id=239806

        Reviewed by Yusuke Suzuki.

        Provide MacroAssemblerRISCV64 method implementations for the different
        branchAtomicWeakCAS variants. The 32-bit and 64-bit versions are
        straightforward, leveraging the load-reserved and store-conditional
        instructions of the corresponding sizes. For 8-bit and 16-bit versions,
        a method template is provided, loading and storing 32-bit words and
        performing additional operations to validate and change the desired
        value.

        * assembler/MacroAssemblerRISCV64.h:
        (JSC::MacroAssemblerRISCV64::branchAtomicWeakCASImpl):
        (JSC::MacroAssemblerRISCV64::branchAtomicWeakCAS8):
        (JSC::MacroAssemblerRISCV64::branchAtomicWeakCAS16):
        (JSC::MacroAssemblerRISCV64::branchAtomicWeakCAS32):
        (JSC::MacroAssemblerRISCV64::branchAtomicWeakCAS64):

2022-04-27  Dmitry Bezhetskov  <dbezhetskov@igalia.com>

        [WASM-GC] Introduce rtt types
        https://bugs.webkit.org/show_bug.cgi?id=239493

        Reviewed by Keith Miller.
        
        Add a basic support through runtime call for rtt.canon and rtt types.
        It is a prototype implementation of rtt types needed to move forward
        with wasm gc proposal (https://github.com/WebAssembly/gc/blob/main/proposals/gc/MVP.md).
        For example, we don't need to use rtt values for struct.new,
        but we do need them for the future js api.
        So, rtt.canon returns jsNull for now, but we can replace it with
        properly defined values when the spec will be ready.

        * bytecode/BytecodeList.rb:
        * llint/WebAssembly.asm:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::tmpForType):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::addRttCanon):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addRttCanon):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::WasmCallingConvention::marshallLocation const):
        * wasm/WasmFormat.h:
        (JSC::Wasm::isValueType):
        (JSC::Wasm::isValidHeapTypeKind):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmLLIntGenerator.cpp:
        (JSC::Wasm::LLIntGenerator::callInformationForCaller):
        (JSC::Wasm::LLIntGenerator::callInformationForCallee):
        (JSC::Wasm::LLIntGenerator::addArguments):
        (JSC::Wasm::LLIntGenerator::addRttCanon):
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
        * wasm/WasmOperations.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::parseValueType):
        * wasm/WasmSlowPaths.cpp:
        (JSC::LLInt::WASM_SLOW_PATH_DECL):
        * wasm/WasmSlowPaths.h:
        * wasm/generateWasmOpsHeader.py:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/wasm.json:

2022-04-26  Dmitry Bezhetskov  <dbezhetskov@igalia.com>

        [WASM] Fix warning: cast from ‘char*’ to ‘JSC::Wasm::Type*’ increases required alignment of target type [-Wcast-align]
        https://bugs.webkit.org/show_bug.cgi?id=239698

        Reviewed by Darin Adler.
        
        There is a warning inside TypeDefinition on some platforms so this
        patch fixes it.

        * wasm/WasmTypeDefinition.h:
        (JSC::Wasm::FunctionSignature::FunctionSignature):
        (JSC::Wasm::FunctionSignature::storage):
        (JSC::Wasm::FunctionSignature::storage const):
        (JSC::Wasm::StructType::StructType):
        (JSC::Wasm::StructType::storage):
        (JSC::Wasm::StructType::storage const):
        (JSC::Wasm::TypeDefinition::payload):

2022-04-26  Elliott Williams  <emw@apple.com>

        Unreviewed, reverting "[Xcode] Compute PGO profdata paths instead of searching for them at build time"
        https://bugs.webkit.org/show_bug.cgi?id=239681

        This reverts commit 433f73bc052d7c978c619e28b2574df8faf6cb72.

        * Configurations/JavaScriptCore.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2022-04-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add forceUnlinkedDFG option
        https://bugs.webkit.org/show_bug.cgi?id=239751

        Reviewed by Saam Barati.

        This patch adds forceUnlinkedDFG option to start running tests with unlinked DFG (while it is not truly unlinked yet).

        * jit/JITOperations.cpp:
        (JSC::JSC_DEFINE_JIT_OPERATION):
        * runtime/Options.cpp:
        (JSC::Options::recomputeDependentOptions):
        * runtime/OptionsList.h:

2022-04-26  Elliott Williams  <emw@apple.com>

        Fix build error: "cp: JavaScriptCore.profdata is not a directory"
        https://bugs.webkit.org/show_bug.cgi?id=239681

        Unreviewed build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2022-04-22  Elliott Williams  <emw@apple.com>

        [Xcode] Compute PGO profdata paths instead of searching for them at build time
        https://bugs.webkit.org/show_bug.cgi?id=239681

        Reviewed by Alexey Proskuryakov.

        Production builds should always use profdata from the SDK, internal
        release builds should use profdata from the local WebKitAdditions, and
        everyone else should use the stub profdata. Add a PROFILE_DATA_PATH
        build setting which implements these rules and replace the script
        phases that checked those paths dynamically.

        This fixes XCBuild validation issues in the open-source build, and
        should prevent production builders from using stale profdata in
        BUILT_PRODUCTS_DIR. Additionally, engineers can now build with custom
        profile data by overriding PROFILE_DATA_PATH.

        If PROFILE_DATA_PATH does not appear to be raw LLVM profiling data, it
        is decoded using compression_tool(1).

        * Configurations/JavaScriptCore.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2022-04-25  Keith Miller  <keith_miller@apple.com>

        structureIDToStructureWithScratch should only do things if ADDRESS64
        https://bugs.webkit.org/show_bug.cgi?id=239749

        Reviewed by Saam Barati.

        * llint/LowLevelInterpreter64.asm:

2022-04-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Enable change-array-by-copy
        https://bugs.webkit.org/show_bug.cgi?id=239678

        Reviewed by Saam Barati.

        * runtime/OptionsList.h:

2022-04-25  Claudio Saavedra  <csaavedra@igalia.com>

        [GLIB] Remove leftover unused variable from r292929
        https://bugs.webkit.org/show_bug.cgi?id=239715

        Reviewed by Philippe Normand.

        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::wrappedObject const): VM& vm is unused,
        remove.

2022-04-24  Zan Dobersek  <zdobersek@igalia.com>

        [RISCV64] Enable Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=239708

        Reviewed by Yusuke Suzuki.

        * runtime/Options.cpp:
        (JSC::Options::recomputeDependentOptions):
        Disable FTL JIT at runtime under CPU(RISCV64) since the support is still
        incomplete. This is necessary due to Baseline JIT and FTL JIT still
        being enabled at build-time on this platform for pure convenience.

2022-04-24  Diego Pino Garcia  <dpino@igalia.com>

        [GCC] Unreviewed, build fix for Ubuntu LTS/Debian after r293265

        * wasm/WasmTypeDefinition.h:
        (JSC::Wasm::FunctionSignature::operator!= const):

2022-04-24  Dmitry Bezhetskov  <dbezhetskov@igalia.com>

        [Wasm] Remove confusing isFuncref and isExternref
        https://bugs.webkit.org/show_bug.cgi?id=239699

        Reviewed by Yusuke Suzuki.

        There are two functions with the same name Wasm::Type::isFuncref and
        Wasm::isFuncref but with different behaviour, and so,
        this brings confusion into the codebase.
        The first function checks that .kind == funcref and the second one checks
        for the same but with respect to typed function references proposal.
        The second one should be used when we want to check that type is funcref, 
        so the first one is not needed and actually not used, so this patch removes it.

        The same situation is for isExternref.

        * wasm/generateWasmOpsHeader.py:
        (typeMacroizer):
        (typeMacroizerFiltered):

2022-04-24  Zan Dobersek  <zdobersek@igalia.com>

        [RISCV64] Implement MacroAssemblerRISCV64 fencing methods
        https://bugs.webkit.org/show_bug.cgi?id=239706

        Reviewed by Yusuke Suzuki.

        Provide MacroAssemblerRISCV64 implementations for the tree fencing
        methods, using the `fence` instruction but with different corresponding
        combinations of the predecessor and successor operation sets.

        * assembler/MacroAssemblerRISCV64.h:
        (JSC::MacroAssemblerRISCV64::memoryFence):
        (JSC::MacroAssemblerRISCV64::storeFence):
        (JSC::MacroAssemblerRISCV64::loadFence):

2022-04-22  Diego Pino Garcia  <dpino@igalia.com>

        Unreviewed, non-unified build fixes after r293203

        * jit/ScratchRegisterAllocator.h:

2022-04-22  Dmitry Bezhetskov  <dbezhetskov@igalia.com>

        [Refactoring] Reduce number of const and reinterpret casts
        https://bugs.webkit.org/show_bug.cgi?id=239648

        Reviewed by Yusuke Suzuki.
        
        The statement
        "reinterpret_cast<TypeDefinition*>(const_cast<char*>(functionType.m_payload)
        - sizeof(TypeDefinition))"
        is dangerous and it produces warning on some platfroms.
        There is way to avoid it and this patch is doint that.

        * wasm/WasmSlowPaths.cpp:
        (JSC::LLInt::doWasmCallIndirect):
        (JSC::LLInt::doWasmCallRef):
        * wasm/WasmTypeDefinition.h:
        (JSC::Wasm::FunctionSignature::operator== const):
        * wasm/WasmTypeDefinitionInlines.h:

2022-04-22  Geza Lore  <glore@igalia.com>

        [JSC]Throw consistent exceptions for memory.init and memory.copy
        https://bugs.webkit.org/show_bug.cgi?id=239592

        Reviewed by Yusuke Suzuki.

        For a trapping Wasm memory.init and memory.copy instruction, the LLInt
        used to throw OutOfBoundsMemoryAccess, but BBQ/OMG used to throw
        OutOfBoundsTableAccess.

        Changed BBQ/OMG to throw OutOfBoundsMemoryAccess as well.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addMemoryCopy):
        (JSC::Wasm::AirIRGenerator::addMemoryInit):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addMemoryInit):
        (JSC::Wasm::B3IRGenerator::addMemoryCopy):

2022-04-22  Mark Lam  <mark.lam@apple.com>

        Apply purifyNaN in more places.
        https://bugs.webkit.org/show_bug.cgi?id=239619
        <rdar://problem/91924480>

        Reviewed by Yusuke Suzuki.

        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toJSValue):

2022-04-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PropertyTable should have compact mode
        https://bugs.webkit.org/show_bug.cgi?id=239451

        Reviewed by Saam Barati.

        This patch introduces "compact" version of PropertyTable. PropertyTable needs to hold two kind of integers: index and property offset.
        But for most of objects, both are pretty small and they can fit in uint8_t. If we can use uint8_t for both, we can significantly reduce
        size of allocated memory for PropertyTable (only 40% of memory is required!). This is good for memory, but also good for performance.
        Now each CompactPropertyTableEntry is 8bytes while original PropertyMapEntry was 16bytes, so CompactPropertyTableEntry can fit in CPU cache well.
        Also, not allocating large amount of memory can reduce memory allocation / deallocation cost. One of costly destruction of GC-managed objects is
        PropertyTable (and CodeBlock), and we can reduce that cost by not allocating much memory.

        The approach is following.

        1. For index vector, we use uint8_t if index can fit within uint8_t.
        2. For proprety offset, we use uint8_t and CompactPropertyTableEntry if it is suitable.
        3. Once the table gets non-compact, we keep it non-compact since we could have deleted index which has larger than uint8_t. We could improve this
           strategy when deleted indexes are cleared, but for now, we are taking simple approach.
        4. We store isCompactFlag 1 bit in the pointer to the table.
        5. We encapsulate functions modifying property table entry in PropertyTable itself, so we do not leak internal compact / non-compact mode to the user
           of PropertyTable. We remove begin() / end() iterators and instead use forEachproperty, which can implement iteration for each mode more efficiently.

        We have a further opportunity to improve this further: we can deploy 75% load factor only for compact table. Then we can increase threshold of
        compact table further and keep more and more tables compact mode. Plus, for small sized tables, small backing memory is better in terms of
        CPU cache hit (and that's measured in WTF::HashTable, and that's why WTF::Hashtable deploys 75% load factor only for small tables). This is left
        for the subsequent change.

        This change is neutral in JetStream2, 0.3% improvement in Speedometer2 with 80% confidence, and 0.41% improvement in RAMification with 95% confidence.

        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfileBase<Derived>::initializeProfile):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        * dfg/DFGSpeculativeJIT.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::JSC_DEFINE_JIT_OPERATION):
        * runtime/ClonedArguments.h:
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        * runtime/JSObject.cpp:
        (JSC::JSObject::analyzeHeap):
        * runtime/JSObject.h:
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        (JSC::createDataPropertyDescriptorObjectStructure):
        (JSC::createAccessorPropertyDescriptorObjectStructure):
        * runtime/ObjectConstructorInlines.h:
        (JSC::objectAssignFast):
        * runtime/PropertyOffset.h:
        * runtime/PropertySlot.h:
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::finishCreation):
        (JSC::PropertyTable::visitChildrenImpl):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::seal):
        (JSC::PropertyTable::freeze):
        (JSC::PropertyTable::isSealed const):
        (JSC::PropertyTable::isFrozen const):
        (JSC::PropertyTable::renumberPropertyOffsets):
        (JSC::PropertyTable::forEachPropertyMutable):
        * runtime/PropertyTable.h:
        (JSC::isPowerOf2):
        (JSC::nextPowerOf2):
        (JSC::PropertyTable::findImpl):
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::take):
        (JSC::PropertyTable::updateAttributeIfExists):
        (JSC::PropertyTable::sizeInMemory):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        (JSC::PropertyTable::skipDeletedEntries):
        (JSC::PropertyTable::usedCount const):
        (JSC::PropertyTable::dataSize):
        (JSC::PropertyTable::allocateIndexVector):
        (JSC::PropertyTable::allocateZeroedIndexVector):
        (JSC::PropertyTable::destroyIndexVector):
        (JSC::PropertyTable::canInsert):
        (JSC::PropertyTable::forEachProperty const):
        (JSC::PropertyTable::begin): Deleted.
        (JSC::PropertyTable::end): Deleted.
        (JSC::PropertyTable::begin const): Deleted.
        (JSC::PropertyTable::end const): Deleted.
        (JSC::PropertyTable::table): Deleted.
        (JSC::PropertyTable::table const): Deleted.
        * runtime/RegExpMatchesArray.h:
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::nonPropertyTransitionSlow):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::PropertyTableStatisticsExitLogger::~PropertyTableStatisticsExitLogger):
        (JSC::Structure::getConcurrently):
        (JSC::Structure::getPropertiesConcurrently):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::toStructureShape):
        (JSC::Structure::dump const):
        * runtime/Structure.h:
        (JSC::CompactPropertyTableEntry::CompactPropertyTableEntry):
        (JSC::CompactPropertyTableEntry::key const):
        (JSC::CompactPropertyTableEntry::setKey):
        (JSC::CompactPropertyTableEntry::offset const):
        (JSC::CompactPropertyTableEntry::setOffset):
        (JSC::CompactPropertyTableEntry::attributes const):
        (JSC::CompactPropertyTableEntry::setAttributes):
        (JSC::PropertyTableEntry::PropertyTableEntry):
        (JSC::PropertyTableEntry::key const):
        (JSC::PropertyTableEntry::setKey):
        (JSC::PropertyTableEntry::offset const):
        (JSC::PropertyTableEntry::setOffset):
        (JSC::PropertyTableEntry::attributes const):
        (JSC::PropertyTableEntry::setAttributes):
        (JSC::PropertyMapEntry::PropertyMapEntry): Deleted.
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        (JSC::Structure::forEachPropertyConcurrently):
        (JSC::Structure::forEachProperty):
        (JSC::Structure::add):
        (JSC::Structure::remove):
        (JSC::Structure::attributeChange):

2022-04-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove TempRegisterSet
        https://bugs.webkit.org/show_bug.cgi?id=239578

        Reviewed by Mark Lam.

        We can always use RegisterSet. TempRegisterSet can save several bytes, but we have no code using TempRegisterSet in
        heap-allocated classes. So, this does not make sense anymore. Instead of TempRegisterSet, we will consistently use
        RegisterSet to pass register info and ScratchRegisterAllocator to manage allocation of temp / scratch registers.

        We also remove the copyCalleeSavesToEntryFrameCalleeSavesBuffer function which takes no scratch register. It was
        using TempRegisterSet to allocate a scratch register, but the caller of this function was making assumptions on how
        TempRegisterSet will allocate that scratch. This is very fragile and dangerous. We should explicitly pass a scratch
        register instead in that case.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): Deleted.
        * jit/RegisterSet.h:
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * jit/ScratchRegisterAllocator.h:
        * jit/TempRegisterSet.cpp: Removed.
        * jit/TempRegisterSet.h: Removed.
        * jit/ThunkGenerators.cpp:
        (JSC::handleExceptionGenerator):
        (JSC::handleExceptionWithCallFrameRollbackGenerator):
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        (JSC::boundFunctionCallGenerator):
        (JSC::remoteFunctionCallGenerator):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2022-04-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, reverting r293146.
        https://bugs.webkit.org/show_bug.cgi?id=239613

        Broke JSC tests. Looks like EWS was blocked by  label
        <https://bugs.webkit.org/show_bug.cgi?id=239411>

        Reverted changeset:

        "[JSC] Remove TempRegisterSet"
        https://bugs.webkit.org/show_bug.cgi?id=239578
        https://commits.webkit.org/r293146

2022-04-20  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove TempRegisterSet
        https://bugs.webkit.org/show_bug.cgi?id=239578

        Reviewed by Mark Lam.

        We can always use RegisterSet. TempRegisterSet can save several bytes, but we have no code using TempRegisterSet in
        heap-allocated class, so this does not make sense anymore. Instead of TempRegisterSet, we should consistently use
        ScratchRegisterAllocator.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
        (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): Deleted.
        * jit/RegisterSet.h:
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * jit/ScratchRegisterAllocator.h:
        * jit/TempRegisterSet.cpp: Removed.
        * jit/TempRegisterSet.h: Removed.

2022-04-20  Yusuke Suzuki  <ysuzuki@apple.com>

        Fix GPRInfo inconsistency in unlinked DFG bringup
        https://bugs.webkit.org/show_bug.cgi?id=239573

        Reviewed by Mark Lam.

        Previously, we forgot changing GPRInfo::toIndex of x64 so that we got assertion in ScratchRegisterAllocator.
        This patch fixes it and test this consistency in testmasm.
        It allows unlinked DFG style register usage in x64, so we reenabled it again.

        * assembler/testmasm.cpp:
        (JSC::testGPRInfoConsistency):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toArgumentRegister):
        (JSC::GPRInfo::toIndex):

2022-04-20  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, RISC-V build fix.

        * assembler/MacroAssemblerRISCV64.h:
        (JSC::MacroAssemblerRISCV64::store64):
        Add the store64(TrustedImmPtr, Address) overload required after 249798@main.
        It constructs a 32-bit or 64-bit TrustedImm value, based on the detected
        pointer size, and relays it to the appropriate store64() method.

2022-04-20  Zan Dobersek  <zdobersek@igalia.com>

        [JSC] Accommodate the RISCV64 C calling convention
        https://bugs.webkit.org/show_bug.cgi?id=236367
        <rdar://problem/89026012>

        Reviewed by Yusuke Suzuki.

        The 64-bit RISC-V (RV64) calling convention requires 32-bit arguments
        to be sign-extended to fill out the whole 64-bit register, fitting
        nicely with different instructions in this ISA that operate on 32-bit
        values, and differring from other 64-bit ISAs that provide partial-sized
        registers (which are aliased to the whole register).

        JSC JIT is tailored to the other ISAs, often taking shortcuts to pack
        non-sign-extended values into registers that are then accessed for those
        32-bit values through the partial-sized aliases. This can trip up RISC-V
        execution when constructing calls that pass 32-bit values to native code
        using the C calling convention.

        To avoid this, arguments setup done through the CCallHelpers class is
        enhanced to, after packing up arguments either into argument registers
        or onto the stack, another pass of the argument types for the desired
        operation is done, detecting whether the argument was supposed to be
        packed into an GPR or an FPR destination. On RV64, when packed into a
        GPR argument register that matches a 32-bit argument in the operation,
        the additional sign extension is performed on that argument register.

        GPR and FPR distinction for a given argument's register type is based
        on whether or not the double type is used as the argument's type. All
        non-double-typed arguments are passed as GPRs. Additional compile-time
        validation is provided to ensure that's the case for every operation
        that's having its arguments set up. This is relied upon when traversing
        the operation's arguments and indexing every GPR argument along the way.

        This approach only accommodates the RV64 calling convention for the
        Baseline JIT level. For higher levels, similar but probably different
        solutions will have to be crafted.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::finalizeGPRArguments):
        (JSC::CCallHelpers::gprArgsCount):
        (JSC::CCallHelpers::fprArgsCount):
        (JSC::CCallHelpers::setupArgumentsImpl):
        (JSC::CCallHelpers::setupArgumentsEntryImpl):

2022-04-20  Mikhail R. Gadelha  <mikhail@igalia.com>

        Unify calls and checks for CellTag
        https://bugs.webkit.org/show_bug.cgi?id=238025

        Reviewed by Yusuke Suzuki.

        This patch moves all the places where cell tags are written and checked
        when branching: this will be needed when implementing the concurrency on
        32 bits archs, so we can focus on changing storeCell, branchIfNotCell and
        branchIfCell to implement the mutex locks/unlocks.

        It also reduces the code size in JetStream2 by ~1% on average on 32
        bits platforms.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::storePair32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::storePair32):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsCell):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        (JSC::AssemblyHelpers::storeTrustedValue):
        (JSC::AssemblyHelpers::branchIfNotCell):
        (JSC::AssemblyHelpers::branchIfCell):
        * jit/CallFrameShuffler32_64.cpp:
        (JSC::CallFrameShuffler::emitStore):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadJSCell):

2022-04-19  Michael Saboff  <msaboff@apple.com>

        Various WebKit tools need to be told about the system content path
        https://bugs.webkit.org/show_bug.cgi?id=239516

        Reviewed by Ryan Haddad.

        Added the INSTALL_PATH_PREFIX to the INSTALL_PATH for TestAPI and the JSC tools.
        This will contain the system content path prefix when enabled.

        * Configurations/TestAPI.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2022-04-19  Yusuke Suzuki  <ysuzuki@apple.com>

        REGRESSION(r292372): cloop crashes on s390x
        https://bugs.webkit.org/show_bug.cgi?id=238956

        Reviewed by Mark Lam.

        CodeBlock* is stored without tags. So we should just put it as a pointer without PayloadOffset.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeCall):
        (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeTailCall):
        * jit/ThunkGenerators.cpp:
        (JSC::boundFunctionCallGenerator):
        (JSC::remoteFunctionCallGenerator):
        * llint/LowLevelInterpreter.asm:

2022-04-19  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, disable UnlinkedDFG code in x64
        https://bugs.webkit.org/show_bug.cgi?id=237863

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):

2022-04-19  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, do not use RELEASE_ASSERT_NOT_REACHED in super hot path to suppress warnings
        https://bugs.webkit.org/show_bug.cgi?id=239290

        * bytecode/PropertyCondition.cpp:
        (JSC::watchabilityToConcurrency):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect const):
        * runtime/Structure.h:
        (JSC::Structure::get):

2022-04-19  Martin Robinson  <mrobinson@webkit.org>

        Fix the address sanitizer build when building with gcc
        https://bugs.webkit.org/show_bug.cgi?id=238869

        Reviewed by Philippe Normand.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::ConfigFile):

2022-04-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use constants buffer in DFG
        https://bugs.webkit.org/show_bug.cgi?id=237863

        Reviewed by Saam Barati.

        This patch newly introduces LinkableConstant concept. We replace TrustedImmPtr::weakPointer with
        that, and it can be switched between two modes: (1) just embedding a constant pointer in machine code
        or (2) emitting a load from specific callee-save register. We use (2) for unlinked DFG code so that
        we can start decoupling constants from machine code, which will be separately allocated as DFG constant buffer.
        To introduce this mechanism, we introduce CCallHelpers::ConstantMaterializer concept, which can be used
        to materialize constant in a specified way in CCallHelpers. And we use this to implement DFG LinkableConstant.

        We also avoid embedding global object pointer in the tail call by modifying CallFrameShuffler to save it.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::transfer64):
        (JSC::MacroAssemblerARM64::transferPtr):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branchPtr):
        * assembler/MacroAssemblerRISCV64.h:
        (JSC::MacroAssemblerRISCV64::transfer64):
        (JSC::MacroAssemblerRISCV64::transferPtr):
        (JSC::MacroAssemblerRISCV64::branch64):
        (JSC::MacroAssemblerRISCV64::branchPtr):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::transfer64):
        (JSC::MacroAssemblerX86_64::transferPtr):
        (JSC::MacroAssemblerX86_64::branch64):
        (JSC::MacroAssemblerX86_64::branchPtr):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setupWithUnlinkedBaselineCode):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeJITInlineCaches):
        (JSC::CodeBlock::getICStatusMap):
        (JSC::CodeBlock::findStubInfo):
        (JSC::CodeBlock::resetBaselineJITData):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::findPC):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::offsetOfJITData):
        (JSC::CodeBlock::baselineJITData):
        (JSC::CodeBlock::setDFGJITData):
        (JSC::CodeBlock::dfgJITData):
        (JSC::CodeBlock::offsetOfBaselineJITData): Deleted.
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileSetupRegistersForEntry):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::loadLinkableConstant):
        (JSC::DFG::JITCompiler::storeLinkableConstant):
        (JSC::DFG::JITCompiler::LinkableConstant::LinkableConstant):
        (JSC::DFG::JITCompiler::LinkableConstant::materialize):
        (JSC::DFG::JITCompiler::LinkableConstant::store):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchLinkableConstant):
        (JSC::DFG::JITCompiler::branchWeakPtr): Deleted.
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::addLinkableConstant):
        (JSC::DFG::Plan::finalizeJITData):
        * dfg/DFGPlan.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitGetCallee):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileHasPrivate):
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        (JSC::DFG::SpeculativeJIT::compileStringSlice):
        (JSC::DFG::SpeculativeJIT::compileToLowerCase):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compilePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
        (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::branchLinkableConstant):
        (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compileGetByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
        (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitUntypedBranch):
        (JSC::DFG::SpeculativeJIT::compileGetByVal):
        (JSC::DFG::SpeculativeJIT::compileRegExpTestInline):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::executableFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::globalObjectFor): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::pokeForArgument):
        (JSC::CCallHelpers::setupArgumentsImpl):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::emitMaterializeMetadataAndConstantPoolRegisters):
        (JSC::JIT::consistencyCheckGenerator):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        (JSC::JSC_DEFINE_JIT_OPERATION):
        * jit/JITOperations.h:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        (JSC::RegisterSet::dfgCalleeSaveRegisters):
        (JSC::RegisterSet::ftlCalleeSaveRegisters):
        * llint/LLIntData.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::offsetOfGlobalThis):

2022-04-18  Mark Lam  <mark.lam@apple.com>

        The VMTraps signal handler should no return SignalAction::NotHandled on codeBlockSet lock contention.
        https://bugs.webkit.org/show_bug.cgi?id=239457

        Reviewed by Yusuke Suzuki.

        The signal handler is triggered by the mutator thread due to the installed halt
        instructions in JIT code (which we already confirmed higher up in the signal handler).
        Hence, the mutator cannot be in C++ code, and therefore, cannot be already holding
        the codeBlockSet lock.  The only time the codeBlockSet lock could be in contention
        is if the Sampling Profiler thread is holding it.  In that case, we'll simply wait
        till the Sampling Profiler is done with it.  There are no lock ordering issues w.r.t.
        the Sampling Profiler on this code path.

        Note that it is not ok to return SignalAction::NotHandled here if we see contention.
        Doing so will cause the fault to be handled by the default handler, which will crash.
        It is also not productive to return SignalAction::Handled on contention.  Doing so
        will simply trigger this fault handler over and over again.  We might as well wait
        for the Sampling Profiler to release the lock, which is what we should do.

        This issue was detected by the stress/get-array-length-concurrently-change-mode.js.ftl-no-cjit-validate-sampling-profiler
        test, resulting in intermittent crashes.

        * runtime/VMTraps.cpp:

2022-04-18  Elliott Williams  <emw@apple.com>

        [XCBuild] Use XCBuild for all command-line and project builds
        https://bugs.webkit.org/show_bug.cgi?id=238916

        Reviewed by Alexey Proskuryakov.

        Switch to the new build system, without changing anything about our
        build order. Make will still build projects one-at-a-time, but this
        drops our dependency on the legacy build system.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2022-04-16  Mark Lam  <mark.lam@apple.com>

        Harden JSObject::setPrototypeOf.
        https://bugs.webkit.org/show_bug.cgi?id=239440

        Reviewed by Yusuke Suzuki.

        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        * runtime/JSObject.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSetPrototypeOf):

2022-04-16  Mark Lam  <mark.lam@apple.com>

        Fix a deadlock in VMTraps.
        https://bugs.webkit.org/show_bug.cgi?id=239421
        <rdar://problem/91851592>

        Reviewed by Michael Saboff.

        The sampling profiler first acquires the codeBlockSet lock followed by the ThreadSuspendLocker.
        VMTraps, on the other hand, first acquires the ThreadSuspendLocker followed by the
        codeBlockSet lock.  As a result, VMTraps can deadlock with the Sampling Profiler
        thread, and leave the mutator in a suspended state, or forever blocked on the
        codeBlockSet lock.

        This was discovered while running the stress/has-indexed-property-with-worsening-array-mode.js.ftl-no-cjit-validate-sampling-profiler
        test on a Debug build of jsc on an M1 MBP.  Since it requires a race condition to
        reproduce, reproducibility is not always reliable.

        * runtime/VMTraps.cpp:
        (JSC::VMTraps::tryInstallTrapBreakpoints):

2022-04-15  Chris Dumez  <cdumez@apple.com>

        Leverage StringView in more places to avoid some String allocations
        https://bugs.webkit.org/show_bug.cgi?id=239356

        Reviewed by Darin Adler.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines):
        (Inspector::ContentSearchUtilities::findMagicComment):
        * runtime/ExceptionHelpers.cpp:
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::formatToParts const):
        (JSC::IntlDateTimeFormat::formatRangeToParts):
        * runtime/IntlListFormat.cpp:
        (JSC::IntlListFormat::formatToParts const):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::formatRangeToPartsInternal):
        * tools/FunctionOverrides.cpp:
        (JSC::initializeOverrideInfo):

2022-04-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove VM& parameter from structure related code including jsDyamicCast
        https://bugs.webkit.org/show_bug.cgi?id=239362

        Reviewed by Darin Adler.

        As structure lookup no longer requires VM&, we can remove bunch of VM& parameter from various methods: classInfo, structure, methodTable etc.
        And it leads to removing VM& from jsDynamicCast. This is important since this makes it possible to incorporate the underlying mechanism of
        WebCore downcast + jsDynamicCast. I like keeping jsDynamicCast name since it is clear that this is JSCell, but we can (1) unify the underlying
        implementations and (2) add `static_assert(std::base_v<T, JSCell>)` in jsDynamicCast so that we can keep jsDynamicCast interface.
        It also has a chance to avoid unnecessary load of VM& in various places.

        We still keep JSXXX::toWrapped's VM& parameter since it is possible that we need VM& for querying wrapped one. Once we are confident that we no
        longer need it even in the future, we will remove that too in a separate patch.

        We also rename Structure::classInfo to Structure::classInfoForCells, and hiding Structure::classInfo function since JSCell::classInfo and
        Structure::classInfoForCellsare different.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::constructImpl):
        * API/APICast.h:
        (toJS):
        (toJSForGC):
        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderResolve):
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::asCallbackObject):
        (JSC::JSCallbackObject<Parent>::finishCreation):
        (JSC::JSCallbackObject<Parent>::init):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlotByIndex):
        (JSC::JSCallbackObject<Parent>::customToPrimitive):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetterImpl):
        * API/JSContext.mm:
        (-[JSContext evaluateJSScript:]):
        * API/JSContextRef.cpp:
        (JSContextGetGlobalObject):
        (JSGlobalContextSetUnhandledRejectionCallback):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrototype):
        (JSObjectSetProperty):
        (JSObjectSetPropertyForKey):
        (JSObjectSetPropertyAtIndex):
        (classInfoPrivate):
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectIsConstructor):
        (JSObjectCallAsConstructor):
        (JSObjectGetProxyTarget):
        * API/JSTypedArray.cpp:
        (JSValueGetTypedArrayType):
        (JSObjectMakeTypedArrayWithArrayBuffer):
        (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
        (JSObjectGetTypedArrayBytesPtr):
        (JSObjectGetTypedArrayLength):
        (JSObjectGetTypedArrayByteLength):
        (JSObjectGetTypedArrayByteOffset):
        (JSObjectGetTypedArrayBuffer):
        (JSObjectGetArrayBufferBytesPtr):
        (JSObjectGetArrayBufferByteLength):
        * API/JSValue.mm:
        (isDate):
        (isArray):
        (valueToObjectWithoutCopy):
        * API/JSValueRef.cpp:
        (JSValueIsArray):
        (JSValueIsDate):
        (JSValueIsObjectOfClass):
        (JSValueIsInstanceOfConstructor):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (putNonEnumerable):
        (copyMethodsToObject):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapConstructor):
        * API/glib/JSCClass.cpp:
        (isWrappedObject):
        * API/glib/JSCValue.cpp:
        (jsc_value_object_define_property_data):
        (jscValueObjectDefinePropertyAccessor):
        (jsc_value_is_array_buffer):
        (jsc_value_typed_array_get_type):
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::wrappedObject const):
        * API/tests/JSWrapperMapTests.mm:
        (+[JSWrapperMapTests testStructureIdentity]):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::fromStructureStubInfo):
        (JSC::AccessCase::generateImpl):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::observeIndexedRead):
        * bytecode/ArrayProfile.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::filter):
        * bytecode/CallLinkStatus.h:
        * bytecode/CallVariant.cpp:
        (JSC::CallVariant::filter):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::internalFunction const):
        (JSC::CallVariant::function const):
        (JSC::CallVariant::isClosureCall const):
        (JSC::CallVariant::executable const):
        (JSC::CallVariant::functionExecutable const):
        (JSC::CallVariant::nativeExecutable const):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::isConstantOwnedByUnlinkedCodeBlock const):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::replacement):
        (JSC::CodeBlock::computeCapabilityLevel):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/GetByStatus.cpp:
        (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/GetByVariant.cpp:
        (JSC::GetByVariant::canMergeIntrinsicStructures const):
        * bytecode/InByStatus.cpp:
        (JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfileBase<Derived>::possibleDefaultPropertyCount):
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::isValidValueForPresence const):
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPropertyMiss):
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPrototypePropertyHit):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        (JSC::generateConditionsForInstanceOf):
        (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
        (JSC::generateConditionsForPropertyMissConcurrently):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        (JSC::prepareChainForCaching):
        * bytecode/PolyProtoAccessChain.cpp:
        (JSC::PolyProtoAccessChain::tryCreate):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isValidValueForAttributes):
        (JSC::PropertyCondition::isValidValueForPresence const):
        (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
        * bytecode/PropertyCondition.h:
        * bytecode/PutByStatus.cpp:
        (JSC::PutByStatus::computeForStubInfo):
        * bytecode/Repatch.cpp:
        (JSC::jsToWasmICCodePtr):
        (JSC::actionForCell):
        (JSC::tryCacheGetBy):
        (JSC::tryCacheArrayGetByVal):
        (JSC::tryCachePutBy):
        (JSC::tryCacheArrayPutByVal):
        (JSC::tryCacheDeleteBy):
        (JSC::repatchDeleteBy):
        (JSC::tryCacheInBy):
        (JSC::repatchInBy):
        (JSC::tryCacheHasPrivateBrand):
        (JSC::tryCacheCheckPrivateBrand):
        (JSC::tryCacheSetPrivateBrand):
        (JSC::tryCacheInstanceOf):
        (JSC::linkPolymorphicCall):
        * bytecode/Repatch.h:
        * bytecode/RepatchInlines.h:
        (JSC::handleHostCall):
        (JSC::linkFor):
        (JSC::virtualForWithFunction):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromStructure):
        * bytecode/StructureStubClearingWatchpoint.cpp:
        (JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitWeakReferences):
        (JSC::StructureStubInfo::propagateTransitions):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::inlineAccessBaseStructure const):
        (JSC::StructureStubInfo::inlineAccessBaseStructure): Deleted.
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::classInfo const):
        * debugger/Debugger.cpp:
        (JSC::Debugger::attach):
        (JSC::Debugger::exception):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName const):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type const):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerScope::name const):
        (JSC::DebuggerScope::location const):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::mergeOSREntryValue):
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::install):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::planLoad):
        (JSC::DFG::ByteCodeParser::checkPresenceForReplace):
        (JSC::DFG::ByteCodeParser::load):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::handlePutByVal):
        (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupMakeRope):
        (JSC::DFG::FixupPhase::setSaneChainIfPossible):
        * dfg/DFGFrozenValue.h:
        (JSC::DFG::FrozenValue::FrozenValue):
        (JSC::DFG::FrozenValue::dynamicCast):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::tryGetConstantProperty):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::freeze):
        (JSC::DFG::Graph::getRegExpPrototypeProperty):
        (JSC::DFG::Graph::isStringPrototypeMethodSane):
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.h:
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::tryGetStringImpl const):
        (JSC::DFG::LazyJSValue::tryGetString const):
        * dfg/DFGLazyJSValue.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::dynamicCastConstant):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::getByValObject):
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        (JSC::DFG::defineDataProperty):
        (JSC::DFG::defineAccessorProperty):
        (JSC::DFG::putDynamicVar):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::filterClassInfoSlow):
        (JSC::DFG::StructureAbstractValue::isSubClassOf const):
        (JSC::DFG::StructureAbstractValue::isNotSubClassOf const):
        * dfg/DFGValidate.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewInternalFieldObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::JSC_DEFINE_JIT_OPERATION):
        * heap/GCAssertions.h:
        * heap/Heap.cpp:
        (JSC::GatherExtraHeapData::GatherExtraHeapData):
        (JSC::GatherExtraHeapData::operator() const):
        (JSC::Heap::gatherExtraHeapData):
        (JSC::Heap::protectedObjectTypeCounts):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::addCoreConstraints):
        * heap/HeapCellType.cpp:
        (JSC::DefaultDestroyFunc::operator() const):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::descriptionForCell const):
        (JSC::HeapSnapshotBuilder::json):
        * heap/SlotVisitor.cpp:
        (JSC::validate):
        (JSC::SlotVisitor::visitChildren):
        * heap/VerifierSlotVisitor.cpp:
        (JSC::VerifierSlotVisitor::visitChildren):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::finishCreation):
        (Inspector::JSInjectedScriptHost::isPromiseRejectedWithNativeGetterTypeError):
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::proxyTargetValue):
        (Inspector::JSInjectedScriptHost::weakMapSize):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetSize):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        (Inspector::JSInjectedScriptHost::queryInstances):
        * inspector/JSInjectedScriptHost.h:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        (Inspector::JSC_DEFINE_HOST_FUNCTION):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::finishCreation):
        (Inspector::JSJavaScriptCallFrame::caller const):
        (Inspector::JSJavaScriptCallFrame::scopeChain const):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::JSC_DEFINE_HOST_FUNCTION):
        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getArgumentAtIndexAsString const):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::snapshot):
        (Inspector::InspectorHeapAgent::getPreview):
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::convertToStackOverflowFrame):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator() const):
        (JSC::UnwindFunctor::notifyDebuggerOfUnwinding):
        (JSC::sanitizeRemoteFunctionException):
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::Packet::dump const):
        (JSC::ShadowChicken::Frame::dump const):
        (JSC::ShadowChicken::update):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::calleeSaveRegistersForUnwinding):
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/JITOperations.cpp:
        (JSC::getWrappedValue):
        (JSC::JSC_DEFINE_JIT_OPERATION):
        (JSC::setPrivateField):
        (JSC::definePrivateField):
        (JSC::putByVal):
        (JSC::putByValOptimize):
        (JSC::directPutByValOptimize):
        (JSC::putPrivateNameOptimize):
        (JSC::newFunctionCommon):
        (JSC::getByVal):
        (JSC::deleteById):
        (JSC::deleteByVal):
        * jsc.cpp:
        (JSC_DEFINE_CUSTOM_SETTER):
        (JSC_DEFINE_HOST_FUNCTION):
        (checkException):
        (runJSC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::performLLIntGetByID):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::llint_throw_stack_overflow_error):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::finishCreation):
        (JSC::AbstractModuleRecord::link):
        (JSC::AbstractModuleRecord::evaluate):
        * runtime/AggregateErrorConstructor.cpp:
        (JSC::AggregateErrorConstructor::finishCreation):
        * runtime/AggregateErrorPrototype.cpp:
        (JSC::AggregateErrorPrototype::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::notifyDetaching):
        * runtime/ArrayConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::setLength):
        (JSC::speciesWatchpointIsValid):
        (JSC::holesMustForwardToPrototype):
        (JSC::fastJoin):
        (JSC::canUseDefaultArrayJoinForToString):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::toLocaleString):
        (JSC::fastIndexOf):
        (JSC::moveElements):
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
        * runtime/AsyncFunctionPrototype.cpp:
        (JSC::AsyncFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
        * runtime/AsyncGeneratorPrototype.cpp:
        (JSC::AsyncGeneratorPrototype::finishCreation):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/AtomicsObject.cpp:
        (JSC::AtomicsObject::finishCreation):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/BigIntConstructor.cpp:
        (JSC::BigIntConstructor::finishCreation):
        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::finishCreation):
        * runtime/BigIntPrototype.cpp:
        (JSC::BigIntPrototype::finishCreation):
        (JSC::toThisBigIntValue):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp:
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
        * runtime/CachedTypes.cpp:
        (JSC::CachedJSValue::encode):
        (JSC::encodeCodeBlock):
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CellSize.h:
        (JSC::cellSize):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        (JSC::ClonedArguments::createWithInlineFrame):
        (JSC::ClonedArguments::createWithMachineFrame):
        (JSC::ClonedArguments::createByCopyingFrom):
        (JSC::ClonedArguments::getOwnPropertySlot):
        (JSC::ClonedArguments::materializeSpecials):
        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase):
        (JSC::CodeCache::write):
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        * runtime/CommonSlowPaths.cpp:
        (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
        (JSC::createInternalFieldObject):
        (JSC::iteratorNextTryFastImpl):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opInByVal):
        (JSC::CommonSlowPaths::originalStructureBeforePut):
        (JSC::CommonSlowPaths::putDirectWithReify):
        (JSC::CommonSlowPaths::putDirectAccessorWithReify):
        * runtime/CommonSlowPathsInlines.h:
        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
        (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        * runtime/DeferredWorkTimer.cpp:
        (JSC::DeferredWorkTimer::doWork):
        * runtime/DirectArguments.h:
        * runtime/Error.cpp:
        (JSC::getStackTrace):
        (JSC::addErrorInfo):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        (JSC::ErrorInstance::sanitizedNameString):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototypeBase::finishCreation):
        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):
        (JSC::createError):
        (JSC::createInvalidFunctionApplyParameterError):
        * runtime/FinalizationRegistryConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/FinalizationRegistryPrototype.cpp:
        (JSC::FinalizationRegistryPrototype::finishCreation):
        (JSC::getFinalizationRegistry):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        (JSC::RetrieveCallerFunctionFunctor::operator() const):
        (JSC::JSC_DEFINE_CUSTOM_SETTER):
        * runtime/GeneratorFunctionPrototype.cpp:
        (JSC::GeneratorFunctionPrototype::finishCreation):
        * runtime/GeneratorPrototype.cpp:
        (JSC::GeneratorPrototype::finishCreation):
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::callGetter):
        (JSC::GetterSetter::callSetter):
        * runtime/GetterSetter.h:
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::tryAdd):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::createSubclassStructure):
        (JSC::getFunctionRealm):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::finishCreation):
        * runtime/IntlCollatorPrototype.cpp:
        (JSC::IntlCollatorPrototype::finishCreation):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::finishCreation):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        (JSC::IntlDateTimeFormat::handleDateTimeValue):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlDisplayNames.cpp:
        (JSC::IntlDisplayNames::finishCreation):
        * runtime/IntlDisplayNamesPrototype.cpp:
        (JSC::IntlDisplayNamesPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlListFormat.cpp:
        (JSC::IntlListFormat::finishCreation):
        * runtime/IntlListFormatPrototype.cpp:
        (JSC::IntlListFormatPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlLocale.cpp:
        (JSC::IntlLocale::finishCreation):
        (JSC::IntlLocale::initializeLocale):
        * runtime/IntlLocalePrototype.cpp:
        (JSC::IntlLocalePrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlObject.cpp:
        (JSC::createCollatorConstructor):
        (JSC::createDateTimeFormatConstructor):
        (JSC::createDisplayNamesConstructor):
        (JSC::createListFormatConstructor):
        (JSC::createLocaleConstructor):
        (JSC::createNumberFormatConstructor):
        (JSC::createPluralRulesConstructor):
        (JSC::createRelativeTimeFormatConstructor):
        (JSC::createSegmenterConstructor):
        (JSC::IntlObject::finishCreation):
        (JSC::canonicalizeLocaleList):
        * runtime/IntlObjectInlines.h:
        (JSC::constructIntlInstanceWithWorkaroundForLegacyIntlConstructor):
        (JSC::unwrapForLegacyIntlConstructor):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::finishCreation):
        * runtime/IntlPluralRulesPrototype.cpp:
        (JSC::IntlPluralRulesPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::finishCreation):
        * runtime/IntlRelativeTimeFormatPrototype.cpp:
        (JSC::IntlRelativeTimeFormatPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlSegmentIterator.cpp:
        (JSC::IntlSegmentIterator::finishCreation):
        * runtime/IntlSegmentIteratorPrototype.cpp:
        (JSC::IntlSegmentIteratorPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlSegmenter.cpp:
        (JSC::IntlSegmenter::finishCreation):
        * runtime/IntlSegmenterPrototype.cpp:
        (JSC::IntlSegmenterPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IntlSegments.cpp:
        (JSC::IntlSegments::finishCreation):
        * runtime/IntlSegmentsPrototype.cpp:
        (JSC::IntlSegmentsPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        (JSC::iteratorForIterable):
        (JSC::getIterationMode):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::eagerlyInitializeButterfly):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
        * runtime/JSArray.h:
        (JSC::JSArray::finishCreation):
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSArrayBuffer.h:
        (JSC::toPossiblySharedArrayBuffer):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferSpeciesConstructorSlow):
        (JSC::arrayBufferSlice):
        (JSC::arrayBufferByteLength):
        * runtime/JSArrayBufferPrototypeInlines.h:
        (JSC::speciesWatchpointIsValid):
        (JSC::arrayBufferSpeciesConstructor):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::finishCreation):
        (JSC::JSArrayBufferView::unsharedJSBuffer):
        (JSC::JSArrayBufferView::possiblySharedJSBuffer):
        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
        (JSC::validateTypedArray):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::toWrapped):
        (JSC::JSArrayBufferView::toWrappedAllowShared):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::canFastCopy):
        (JSC::JSArray::canDoFastIndexedAccess):
        (JSC::JSArray::pushInline):
        * runtime/JSAsyncFunction.cpp:
        (JSC::JSAsyncFunction::createImpl):
        (JSC::JSAsyncFunction::create):
        (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSAsyncGeneratorFunction.cpp:
        (JSC::JSAsyncGeneratorFunction::createImpl):
        (JSC::JSAsyncGeneratorFunction::create):
        (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::getBoundFunctionStructure):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        (JSC::JSValue::dumpInContextAssumingStructure const):
        (JSC::JSValue::dumpForBacktrace const):
        (JSC::JSValue::toWTFStringForConsole const):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCallable const):
        (JSC::JSValue::isCallableWithConcurrency const):
        (JSC::JSValue::isConstructor const):
        (JSC::JSValue::isConstructorWithConcurrency const):
        (JSC::JSValue::inherits const):
        (JSC::JSValue::classInfoOrNull const):
        (JSC::JSValue::toThis const):
        (JSC::JSValue::put):
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::structureOrNull const):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSCallee.cpp:
        (JSC::JSCallee::finishCreation):
        * runtime/JSCast.h:
        (JSC::jsCast):
        (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
        (JSC::JSCastingHelpers::inheritsJSTypeImpl):
        (JSC::JSCastingHelpers::InheritsTraits::inherits):
        (JSC::JSCastingHelpers::inherits):
        (JSC::jsDynamicCast):
        (JSC::jsSecureCast):
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump const):
        (JSC::JSCell::dumpToStream):
        (JSC::JSCell::estimatedSizeInBytes const):
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::deletePropertyByIndex):
        (JSC::JSCell::className const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::visitChildrenImpl):
        (JSC::JSCell::isCallableWithConcurrency):
        (JSC::JSCell::isConstructorWithConcurrency):
        (JSC::JSCell::isCallable):
        (JSC::JSCell::isConstructor):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable const):
        (JSC::JSCell::inherits const):
        (JSC::JSCell::classInfo const):
        (JSC::JSCell::toBoolean const):
        (JSC::JSCell::putInline):
        * runtime/JSCustomGetterFunction.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::finishCreation):
        (JSC::getData):
        (JSC::setData):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::JSDestructibleObject):
        * runtime/JSFinalizationRegistry.cpp:
        (JSC::JSFinalizationRegistry::finishCreation):
        (JSC::JSFinalizationRegistry::registerTarget):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::name):
        (JSC::JSFunction::toString):
        (JSC::getCalculatedDisplayName):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::assertTypeInfoFlagInvariants):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createImpl):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        (JSC::JSFunction::isRemoteFunction const):
        (JSC::isRemoteFunction):
        (JSC::JSFunction::asStringConcurrently const):
        * runtime/JSGeneratorFunction.cpp:
        (JSC::JSGeneratorFunction::createImpl):
        (JSC::JSGeneratorFunction::create):
        (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::toPossiblySharedNativeTypedView):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructCustomArrayBufferIfNeeded):
        (JSC::constructGenericTypedArrayViewWithArguments):
        (JSC::constructGenericTypedArrayViewImpl):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::setupAdaptiveWatchpoint):
        (JSC::JSGlobalObject::init):
        (JSC::lastInPrototypeChain):
        (JSC::JSGlobalObject::haveABadTime):
        (JSC::JSGlobalObject::fixupPrototypeChainWithObjectPrototype):
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        * runtime/JSMicrotask.cpp:
        (JSC::JSMicrotask::run):
        * runtime/JSModuleEnvironment.cpp:
        (JSC::JSModuleEnvironment::getOwnPropertySlot):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::finishCreation):
        (JSC::JSModuleLoader::dependencyKeysIfEvaluated):
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        (JSC::JSModuleLoader::evaluateNonVirtual):
        (JSC::JSModuleLoader::getModuleNamespaceObject):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSModuleNamespaceObject.cpp:
        (JSC::JSModuleNamespaceObject::finishCreation):
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::finishCreation):
        * runtime/JSNativeStdFunction.cpp:
        (JSC::JSNativeStdFunction::finishCreation):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterflyImpl):
        (JSC::JSObject::estimatedSize):
        (JSC::JSObject::calculatedClassName):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::ordinarySetSlow):
        (JSC::JSObject::putInlineSlow):
        (JSC::definePropertyOnReceiverSlow):
        (JSC::JSObject::definePropertyOnReceiver):
        (JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::createInitialArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::convertFromCopyOnWrite):
        (JSC::JSObject::tryMakeWritableInt32Slow):
        (JSC::JSObject::tryMakeWritableDoubleSlow):
        (JSC::JSObject::tryMakeWritableContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototypeDirect):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::getPrototype):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::hasEnumerableProperty const):
        (JSC::JSObject::deleteProperty):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::ordinaryToPrimitive const):
        (JSC::JSObject::getOwnStaticPropertySlot):
        (JSC::JSObject::findPropertyHashEntry const):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::reifyAllStaticProperties):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::canDoFastPutDirectIndex):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::convertToUncacheableDictionary):
        (JSC::JSObject::shiftButterflyAfterFlattening):
        (JSC::JSObject::getEnumerableLength):
        (JSC::JSObject::getMethod):
        (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
        (JSC::JSObject::needsSlowPutIndexing const):
        (JSC::JSObject::suggestedArrayStorageTransition const):
        * runtime/JSObject.h:
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::hasIndexingHeader const):
        (JSC::JSObject::getDirectIndex):
        (JSC::JSObject::getDirect const):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::hasNonReifiedStaticProperties):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isStructureExtensible):
        (JSC::JSObject::indexingShouldBeSparse):
        (JSC::JSObject::staticPropertiesReified):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSObject::getPrototypeDirect const):
        (JSC::JSObject::getPrototype):
        (JSC::JSObject::getOwnNonIndexPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotImpl):
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::canPerformFastPutInlineExcludingProto):
        (JSC::JSObject::canPerformFastPutInline):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getNonIndexPropertySlot):
        (JSC::JSObject::getOwnPropertySlotInline):
        (JSC::JSObject::mayInterceptIndexedAccesses):
        (JSC::JSObject::putInlineForJSObject):
        (JSC::JSObject::createDataProperty):
        (JSC::JSObject::hasOwnProperty const):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::validatePutOwnDataProperty):
        (JSC::getCallData):
        (JSC::getConstructData):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::getPrivateFieldSlot):
        (JSC::JSObject::hasPrivateField):
        (JSC::JSObject::getNonReifiedStaticPropertyNames):
        (JSC::JSObject::hasPrivateBrand):
        (JSC::JSObject::checkPrivateBrand):
        (JSC::JSObject::setPrivateBrand):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::createNewPromiseCapability):
        (JSC::JSPromise::resolvedPromise):
        (JSC::callFunction):
        (JSC::JSPromise::resolve):
        (JSC::JSPromise::reject):
        (JSC::JSPromise::performPromiseThen):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::getEnumerablePropertyNames):
        * runtime/JSPropertyNameEnumerator.h:
        (JSC::propertyNameEnumerator):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setTarget):
        (JSC::JSProxy::getOwnPropertySlot):
        (JSC::JSProxy::getOwnPropertySlotByIndex):
        (JSC::JSProxy::put):
        (JSC::JSProxy::putByIndex):
        (JSC::JSProxy::defineOwnProperty):
        (JSC::JSProxy::deleteProperty):
        (JSC::JSProxy::isExtensible):
        (JSC::JSProxy::preventExtensions):
        (JSC::JSProxy::deletePropertyByIndex):
        (JSC::JSProxy::getOwnPropertyNames):
        (JSC::JSProxy::setPrototype):
        (JSC::JSProxy::getPrototype):
        * runtime/JSRemoteFunction.cpp:
        (JSC::wrapValue):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSRemoteFunction::tryCreate):
        (JSC::JSRemoteFunction::finishCreation):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::resolve):
        (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
        (JSC::JSScope::symbolTable):
        * runtime/JSScope.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        * runtime/JSString.cpp:
        (JSC::JSString::dumpToStream):
        * runtime/JSStringIterator.cpp:
        (JSC::JSStringIterator::finishCreation):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlotFromTable):
        (JSC::reifyStaticProperty):
        * runtime/MapConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototype::finishCreation):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::getMap):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructorBase::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        (JSC::toThisNumber):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptors):
        (JSC::objectAssignGeneric):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::toPropertyDescriptor):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::ownPropertyKeys):
        * runtime/ObjectConstructorInlines.h:
        (JSC::objectAssignFast):
        * runtime/ObjectInitializationScope.cpp:
        (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        (JSC::objectPrototypeHasOwnProperty):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::inferBuiltinTag):
        (JSC::objectPrototypeToString):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValueWithConcurrency):
        (JSC::normalizePrototypeChain):
        * runtime/Operations.h:
        (JSC::jsTypeofIsObjectWithConcurrency):
        (JSC::jsTypeofIsFunctionWithConcurrency):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::customGetter const):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::structureForTarget):
        (JSC::ProxyObject::finishCreation):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::put):
        (JSC::ProxyObject::putByIndexCommon):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::ProxyObject::deleteProperty):
        (JSC::ProxyObject::deletePropertyByIndex):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        * runtime/ReflectObject.cpp:
        (JSC::ReflectObject::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::isRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/RegExpStringIteratorPrototype.cpp:
        (JSC::RegExpStringIteratorPrototype::finishCreation):
        * runtime/RuntimeType.cpp:
        (JSC::runtimeTypeForValue):
        * runtime/RuntimeType.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::processUnverifiedStackTraces):
        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
        (JSC::SamplingProfiler::reportTopBytecodes):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::hasClearableCode const):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        (JSC::ScriptExecutable::overrideLineNumber const):
        (JSC::ScriptExecutable::typeProfilingStartOffset const):
        (JSC::ScriptExecutable::typeProfilingEndOffset const):
        * runtime/ScriptExecutable.h:
        * runtime/SetConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::getSet):
        * runtime/ShadowRealmObject.cpp:
        (JSC::ShadowRealmObject::finishCreation):
        * runtime/ShadowRealmPrototype.cpp:
        (JSC::ShadowRealmPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::putEntry):
        (JSC::SparseArrayValueMap::putDirect):
        * runtime/StringIteratorPrototype.cpp:
        (JSC::StringIteratorPrototype::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::replace):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyTable):
        (JSC::Structure::holesMustForwardToPrototype const):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::toStructureShape):
        (JSC::Structure::dump const):
        (JSC::Structure::dumpBrief const):
        (JSC::Structure::findPropertyHashEntry const):
        * runtime/Structure.h:
        (JSC::Structure::classInfoForCells const):
        (JSC::Structure::previousID const):
        (JSC::Structure::totalStorageCapacity const):
        (JSC::Structure::classInfo const): Deleted.
        * runtime/StructureCache.cpp:
        (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::create):
        (JSC::StructureChain::finishCreation):
        * runtime/StructureInlines.h:
        (JSC::Structure::create):
        (JSC::Structure::get):
        (JSC::Structure::prototypeChain const):
        (JSC::Structure::isValid const):
        (JSC::Structure::shouldConvertToPolyProto):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::cacheSpecialPropertySlow):
        * runtime/Symbol.cpp:
        (JSC::Symbol::finishCreation):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::finishCreation):
        * runtime/SymbolPrototype.cpp:
        (JSC::SymbolPrototype::finishCreation):
        (JSC::tryExtractSymbol):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/TemporalCalendarPrototype.cpp:
        (JSC::TemporalCalendarPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::defaultMergeFields):
        * runtime/TemporalDuration.cpp:
        (JSC::TemporalDuration::finishCreation):
        (JSC::TemporalDuration::fromDurationLike):
        (JSC::TemporalDuration::toTemporalDuration):
        (JSC::TemporalDuration::from):
        * runtime/TemporalDurationPrototype.cpp:
        (JSC::TemporalDurationPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        * runtime/TemporalInstant.cpp:
        * runtime/TemporalInstantPrototype.cpp:
        (JSC::TemporalInstantPrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        * runtime/TemporalNow.cpp:
        (JSC::TemporalNow::finishCreation):
        * runtime/TemporalObject.cpp:
        (JSC::createCalendarConstructor):
        (JSC::createNowObject):
        (JSC::createDurationConstructor):
        (JSC::createInstantConstructor):
        (JSC::createPlainDateConstructor):
        (JSC::createPlainTimeConstructor):
        (JSC::createTimeZoneConstructor):
        (JSC::TemporalObject::finishCreation):
        * runtime/TemporalPlainDate.cpp:
        (JSC::TemporalPlainDate::finishCreation):
        * runtime/TemporalPlainDateConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/TemporalPlainDatePrototype.cpp:
        (JSC::TemporalPlainDatePrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        * runtime/TemporalPlainTime.cpp:
        (JSC::TemporalPlainTime::finishCreation):
        (JSC::getTemporalCalendarWithISODefault):
        (JSC::TemporalPlainTime::from):
        (JSC::TemporalPlainTime::with const):
        * runtime/TemporalPlainTimeConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/TemporalPlainTimePrototype.cpp:
        (JSC::TemporalPlainTimePrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        * runtime/TemporalTimeZonePrototype.cpp:
        (JSC::TemporalTimeZonePrototype::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/TestRunnerUtils.cpp:
        (JSC::getExecutableForFunction):
        * runtime/ThrowScope.cpp:
        (JSC::ThrowScope::throwException):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        (JSC::VM::callPromiseRejectionCallback):
        * runtime/WeakMapConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::getWeakMap):
        * runtime/WeakObjectRefPrototype.cpp:
        (JSC::WeakObjectRefPrototype::finishCreation):
        (JSC::getWeakRef):
        * runtime/WeakSetConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        (JSC::getWeakSet):
        * tools/CellProfile.h:
        (JSC::CellProfile::CellProfile):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateJSCell):
        (JSC::HeapVerifier::reportCell):
        * tools/JSDollarVM.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::getExecutableForFunction):
        (JSC::codeBlockFromArg):
        (JSC::callWithStackSizeProbeFunction):
        (JSC::JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES):
        (JSC::JSDollarVM::finishCreation):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpCellMemoryToStream):
        * tools/VMInspector.h:
        * tools/VMInspectorInlines.h:
        (JSC::VMInspector::verifyCellSize):
        (JSC::VMInspector::verifyCell):
        * wasm/WasmGlobal.cpp:
        (JSC::Wasm::Global::set):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::setFunctionWrapper):
        (JSC::Wasm::Instance::initElementSegment):
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
        (JSC::Wasm::setWasmTableElement):
        * wasm/WasmSlowPaths.cpp:
        (JSC::LLInt::doWasmCallRef):
        (JSC::LLInt::WASM_SLOW_PATH_DECL):
        * wasm/js/JSWebAssembly.cpp:
        (JSC::JSWebAssembly::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/JSWebAssemblyException.cpp:
        (JSC::JSWebAssemblyException::finishCreation):
        * wasm/js/JSWebAssemblyGlobal.cpp:
        (JSC::JSWebAssemblyGlobal::finishCreation):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):
        (JSC::isWebAssemblyHostFunction):
        (JSC::fromJSValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finishCreation):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::finishCreation):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::finishCreation):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::finishCreation):
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
        (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyExceptionConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyExceptionPrototype.cpp:
        (JSC::WebAssemblyExceptionPrototype::finishCreation):
        (JSC::getException):
        (JSC::getTag):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyFunctionBase.cpp:
        (JSC::WebAssemblyFunctionBase::finishCreation):
        * wasm/js/WebAssemblyGlobalConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyGlobalPrototype.cpp:
        (JSC::getGlobal):
        (JSC::WebAssemblyGlobalPrototype::finishCreation):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        (JSC::getInstance):
        (JSC::WebAssemblyInstancePrototype::finishCreation):
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
        (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        (JSC::getMemory):
        (JSC::WebAssemblyMemoryPrototype::finishCreation):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyModulePrototype.cpp:
        (JSC::WebAssemblyModulePrototype::finishCreation):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::finishCreation):
        (JSC::WebAssemblyModuleRecord::initializeImports):
        (JSC::WebAssemblyModuleRecord::initializeExports):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
        (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::getTable):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::WebAssemblyTablePrototype::finishCreation):
        * wasm/js/WebAssemblyTagPrototype.cpp:
        (JSC::WebAssemblyTagPrototype::finishCreation):
        (JSC::getTag):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):
        (JSC::WebAssemblyWrapperFunction::finishCreation):
        (JSC::JSC_DEFINE_HOST_FUNCTION):

2022-04-15  Mark Lam  <mark.lam@apple.com>

        Apply purifyNaN in more places.
        https://bugs.webkit.org/show_bug.cgi?id=239393

        Reviewed by Saam Barati.

        Also removed some unused functions.

        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::loadI64Global const):
        (JSC::Wasm::Instance::loadF32Global const): Deleted.
        (JSC::Wasm::Instance::loadF64Global const): Deleted.
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::toJSValue):

2022-04-14  Caitlin Potter  <caitp@igalia.com>

        [JSC] ShadowRealm global object has a mutable prototype
        https://bugs.webkit.org/show_bug.cgi?id=239332

        Reviewed by Yusuke Suzuki.

        This patch circumvents the `ASSERT(toThis() == this)` in JSObject::setPrototypeWithCycleCheck()
        when `this` is a GlobalObject. Ordinarily, GlobalObjects have the IsImmutablePrototypeExoticObject
        bit set and miss this pathway, however this is not the case for ShadowRealm Global Objects. 

        In addition, the JSC internal version is also modified to have a mutable prototype in the same way
        as in WebCore.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::deriveShadowRealmGlobalObject):
        (JSC::JSGlobalObject::createStructureForShadowRealm):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):

2022-04-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Reduce use of CallFrame::deprecatedVM
        https://bugs.webkit.org/show_bug.cgi?id=239326

        Reviewed by Devin Rousso.

        Reduce use of CallFrame::deprecatedVM, mainly in inspector related code to eventually remove CallFrame::deprecatedVM.

        * debugger/Debugger.cpp:
        (JSC::Debugger::evaluateBreakpointCondition):
        (JSC::Debugger::evaluateBreakpointActions):
        (JSC::Debugger::exceptionOrCaughtValue):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::globalObject):
        (JSC::DebuggerCallFrame::functionName const):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type const):
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        (JSC::DebuggerCallFrame::deprecatedVMEntryGlobalObject const): Deleted.
        * debugger/DebuggerCallFrame.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
        (Inspector::JSJavaScriptCallFrame::functionName const):
        (Inspector::JSJavaScriptCallFrame::scopeChain const):
        (Inspector::JSJavaScriptCallFrame::type const):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::functionName const):
        (Inspector::JavaScriptCallFrame::type const):
        (Inspector::JavaScriptCallFrame::scopeChain const):
        (Inspector::JavaScriptCallFrame::evaluateWithScopeExtension const):
        (Inspector::JavaScriptCallFrame::deprecatedVMEntryGlobalObject const): Deleted.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::debuggerScopeExtensionObject):
        (Inspector::InspectorDebuggerAgent::didPause):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):

2022-04-14  Alexey Shvayka  <ashvayka@apple.com>

        InternalFunction::createSubclassStructure() should use base object's global object
        https://bugs.webkit.org/show_bug.cgi?id=239346

        Unreviewed, account for offline feedback by Yusuke Suzuki.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):

2022-04-14  Alexey Shvayka  <ashvayka@apple.com>

        InternalFunction::createSubclassStructure() should use base object's global object
        https://bugs.webkit.org/show_bug.cgi?id=239346

        Reviewed by Darin Adler.

        Chrome and Firefox don't agree on interoperable behavior in case of cross-realm
        NewTarget's "prototype", so this patch aligns WebKit with Chrome to fix a web-compat issue.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):

2022-04-14  Chris Dumez  <cdumez@apple.com>

        Drop inefficient String::append() overloads
        https://bugs.webkit.org/show_bug.cgi?id=239289

        Reviewed by Sam Weinig.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * runtime/IntlObject.cpp:
        (JSC::resolveLocale):
        * runtime/TemporalObject.cpp:
        (JSC::ellipsizeAt):
        * tools/FunctionOverrides.cpp:
        (JSC::initializeOverrideInfo):
        (JSC::parseClause):

2022-04-14  Justin Michaud  <justin_michaud@apple.com>

        [PGO] We should be able to build WebKit to collect PGO profiles easily
        https://bugs.webkit.org/show_bug.cgi?id=238776

        Reviewed by Wenson Hsieh.

        * Configurations/JavaScriptCore.xcconfig:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2022-04-13  Chris Dumez  <cdumez@apple.com>

        Replace calls to substring(0, x) with the more concise left(x)
        https://bugs.webkit.org/show_bug.cgi?id=239306

        Reviewed by Darin Adler.

        * inspector/ScriptArguments.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::clampErrorMessage):
        * runtime/IntlNumberFormat.cpp:
        (JSC::wellFormedUnitIdentifier):
        * runtime/IntlObject.cpp:
        (JSC::resolveLocale):
        * runtime/IntlObjectInlines.h:
        (JSC::bestAvailableLocale):

2022-04-13  Michael Catanzaro  <mcatanzaro@redhat.com>

        GCC 12 -Wdangling-pointer warning spam from AbstractSlotVisitorInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=239299

        Reviewed by Mark Lam.
        
        Suppress this warning, so we can see other warnings.

        * heap/AbstractSlotVisitorInlines.h:
        (JSC::AbstractSlotVisitor::ReferrerContext::ReferrerContext):

2022-04-13  Michael Catanzaro  <mcatanzaro@redhat.com>

        Misc compiler warnings, April 2022 edition
        https://bugs.webkit.org/show_bug.cgi?id=239290

        Reviewed by Adrian Perez de Castro.

        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::watchabilityToConcurrency):
        (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect const):
        * runtime/Structure.h:
        (JSC::Structure::get):

2022-04-13  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove DeprecatedCallFrameForDebugger
        https://bugs.webkit.org/show_bug.cgi?id=239045

        Reviewed by Devin Rousso.

        We should not enlarge sizeof(JSGlobalObject) by having DeprecatedCallFrameForDebugger which is only used for Debugger, and it is used
        only when we have an error when evaluating top-level SyntaxError. This patch removes it: we introduce EmptyTopLevelCallFrameForDebugger
        which can be constructed on stack and we use it instead of DeprecatedCallFrameForDebugger.

        * debugger/Debugger.cpp:
        (JSC::Debugger::updateCallFrame):
        (JSC::EmptyTopLevelCallFrameForDebugger::EmptyTopLevelCallFrameForDebugger):
        (JSC::EmptyTopLevelCallFrameForDebugger::asCallFrame):
        (JSC::Debugger::exception):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::create):
        (JSC::DebuggerCallFrame::positionForCallFrame):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::convertToStackOverflowFrame):
        (JSC::CallFrame::initDeprecatedCallFrameForDebugger): Deleted.
        * interpreter/CallFrame.h:
        (JSC::CallFrame::isEmptyTopLevelCallFrameForDebugger const):
        (JSC::CallFrame::isDeprecatedCallFrameForDebugger const): Deleted.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::deprecatedCallFrameForDebugger): Deleted.
        * runtime/JSGlobalObject.h:
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2022-04-13  Chris Dumez  <cdumez@apple.com>

        Replace AtomString(const char*) with AtomString::fromLatin1(const char*)
        https://bugs.webkit.org/show_bug.cgi?id=239127

        Reviewed by Darin Adler.

        * API/JSBase.cpp:
        (JSGetMemoryUsageStatistics):
        * runtime/Identifier.h:
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::fromLatin1):
        (JSC::Identifier::fromCString): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::reifyAllStaticProperties):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getNonReifiedStaticPropertyNames):

2022-04-12  Elliott Williams  <emw@apple.com>

        [Xcode] In open-source builds, disable bitcode in xcconfigs instead of build-webkit
        https://bugs.webkit.org/show_bug.cgi?id=239262

        Reviewed by Alexey Proskuryakov.

        Disable bitcode in open-source builds, as WebKit never part of an App
        Store submission. This improves support for building WebKit directly
        from the workspace.

        * Configurations/Base.xcconfig:

2022-04-12  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Move StructureCache from VM to JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=239044

        Reviewed by Saam Barati.

        We should have StructureCache per JSGlobalObject since cached structures are tied to some of JSGlobalObject.
        This can (1) reduce size of each StructureCache, (2) destroy StructureCache timely at the destruction of
        JSGlobalObject, and (3) simplifies JSGlobalObject::haveABadTime handling in the compiler.

        * bytecode/InternalFunctionAllocationProfile.h:
        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfileBase<Derived>::initializeProfile):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::createSubclassStructure):
        * runtime/IteratorOperations.cpp:
        (JSC::createIteratorResultObjectStructure):
        * runtime/JSBoundFunction.cpp:
        (JSC::getBoundFunctionStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut):
        (JSC::JSGlobalObject::haveABadTime):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::structureCache):
        * runtime/ObjectConstructor.h:
        (JSC::constructEmptyObject):
        (JSC::createDataPropertyDescriptorObjectStructure):
        (JSC::createAccessorPropertyDescriptorObjectStructure):
        * runtime/PrototypeKey.h:
        (JSC::PrototypeKey::PrototypeKey):
        (JSC::PrototypeKey::classInfo const):
        (JSC::PrototypeKey::operator== const):
        (JSC::PrototypeKey::hash const):
        (JSC::PrototypeKey::globalObject const): Deleted.
        * runtime/StructureCache.cpp:
        (JSC::StructureCache::createEmptyStructure):
        (JSC::StructureCache::emptyObjectStructureConcurrently):
        * runtime/StructureCache.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2022-04-12  Tim Horton  <timothy_horton@apple.com>

        Adopt "version set"-based linked-on-or-after checks instead of platform-specific ones
        https://bugs.webkit.org/show_bug.cgi?id=239054
        <rdar://problem/83436715>

        Reviewed by Wenson Hsieh.

        * API/JSTypedArray.cpp:
        (isLinkedBeforeTypedArrayLengthQuirk):
        * API/JSWrapperMap.mm:
        (supportsInitMethodConstructors):
        * API/tests/testapi.cpp:
        (TestAPI::promiseDrainDoesNotEatExceptions):
        * API/tests/testapi.mm:
        (testMicrotaskWithFunction):
        * runtime/JSLock.cpp:
        (JSC::JSLock::willReleaseLock):
        * runtime/ObjectPrototype.cpp:
        (JSC::isPokerBros):
        Adopt the new naming.

2022-04-12  Elliott Williams  <emw@apple.com>

        Reland "[XCBuild] Enable dependency validation by default"
        https://bugs.webkit.org/show_bug.cgi?id=238901
        <rdar://problem/91379968>

        Reviewed by Alexey Proskuryakov.

        * Configurations/DebugRelease.xcconfig: In open-source builds, disable
        VALIDATE_DEPENDENCIES when there is no PRODUCT_TYPE (i.e. not building
        a native target).

2022-04-12  Aditi Singh  <asingh@igalia.com>

        Implement Change Array by copy proposal
        https://bugs.webkit.org/show_bug.cgi?id=234604

        Reviewed by Alexey Shvayka.

        This patch implements proposal Change Array By Copy. The proposal provides additional 
        methods on Array.prototype and TypedArray.prototype to enable changes on the array by 
        returning a new copy of it with the change.
        Since, a call to intrinsic functions: Array.prototype.sort(comparefn) and 
        %TypedArray%.prototype.sort(comparefn) was needed, LinkTimeConstants have
        been added for the same.
        LinkTimeConstants were added instead of:
        function sort(comparefn) { return @arraySort.@call(this, cmp); }
        because this introduces an extra function call, which is slower.
        %%TypedArray%%.prototype.sort(comparefn) and Array.prototype.sort(comparefn) are
        implemented differently to avoid eager initialisation for TypedArrayPrototype
        because it is quite large and not commonly used on the web. 
        
        The proposal details can be found here:
        https://github.com/tc39/proposal-change-array-by-copy

        * builtins/ArrayPrototype.js:
        (toReversed):
        (toSorted):
        (toSpliced):
        (with):
        * builtins/BuiltinNames.h:
        * builtins/TypedArrayPrototype.js:
        (toReversed):
        (toSorted):
        (toSpliced):
        (with):
        (sort):
        * bytecode/LinkTimeConstant.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildrenImpl):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::typedArrayProtoSort const):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/OptionsList.h:

2022-04-12  Dmitry Bezhetskov  <dbezhetskov@igalia.com>

        [WASM-GC] Introduce structs types
        https://bugs.webkit.org/show_bug.cgi?id=237029

        Reviewed by Keith Miller.

        Introduce struct types via extending existing Signature infrastructure.
        Signature is a unique representation of Wasm function types and we use them
        to compare signatures from different wasm modules. Signatures are held globally
        in a hash set and have one point of access.

        With GC proposal and new struct types we want to represent new types uniformly with existing
        Signature infrastructure. So, in this patch we extend Signature class with two options -
        FunctionSignature and StructType. FunctionSignature (can be named as FunctionType) is a
        representation of signatures as it was before the patch and StructType is a new option which
        is representing struct types from GC proposal. Generally speaking we replace Signature class
        with new algebraic type TypeDefinition = Signature | StructType.

        This representation of struct types allows us not to change WasmType representation and 
        uniformly store FunctionType (aka FunctionSignature) or StructType. New options for types,
        for example arrays, also can be easily added. Also, we save memory because we reuse existing
        uniqueness of signatures. Additionally we can compare different struct types as fast as we do it for 
        signatures.

        As Signature class now doesn't only holds Signature it has been renamed into TypeDefinition.
        All corresponding signature related things also have been renamed.

        To access specific option two classes was introduced StructType and FunctionSignature, so TypeDefinition
        can be casted to specific option and only via it option methods of that option can be called.
        This is done with preserving the cache-locality optimization for allocation signatures.

        * CMakeLists.txt:
        * Sources.txt:
        * bytecode/BytecodeDumper.cpp:
        (JSC::Wasm::BytecodeDumper::dumpBlock):
        * bytecode/BytecodeList.rb:
        * runtime/OptionsList.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::ControlData::branchTargetArity const):
        (JSC::Wasm::AirIRGenerator::ControlData::branchTargetType const):
        (JSC::Wasm::AirIRGenerator::emitCallPatchpoint):
        (JSC::Wasm::AirIRGenerator::tmpsForSignature):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::toB3ResultType):
        (JSC::Wasm::AirIRGenerator::addArguments):
        (JSC::Wasm::AirIRGenerator::addRefFunc):
        (JSC::Wasm::AirIRGenerator::getGlobal):
        (JSC::Wasm::AirIRGenerator::setGlobal):
        (JSC::Wasm::AirIRGenerator::addCatch):
        (JSC::Wasm::AirIRGenerator::addCatchToUnreachable):
        (JSC::Wasm::AirIRGenerator::addReturn):
        (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
        (JSC::Wasm::AirIRGenerator::addCall):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        (JSC::Wasm::AirIRGenerator::addCallRef):
        (JSC::Wasm::AirIRGenerator::emitIndirectCall):
        (JSC::Wasm::parseAndCompileAir):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::ControlData::ControlData):
        (JSC::Wasm::B3IRGenerator::ControlData::hasNonVoidresult const):
        (JSC::Wasm::B3IRGenerator::ControlData::branchTargetArity const):
        (JSC::Wasm::B3IRGenerator::ControlData::branchTargetType const):
        (JSC::Wasm::B3IRGenerator::toB3ResultType):
        (JSC::Wasm::B3IRGenerator::addArguments):
        (JSC::Wasm::B3IRGenerator::emitIndirectCall):
        (JSC::Wasm::B3IRGenerator::getGlobal):
        (JSC::Wasm::B3IRGenerator::setGlobal):
        (JSC::Wasm::B3IRGenerator::addLoop):
        (JSC::Wasm::B3IRGenerator::addElseToUnreachable):
        (JSC::Wasm::B3IRGenerator::addCatch):
        (JSC::Wasm::B3IRGenerator::addCatchToUnreachable):
        (JSC::Wasm::B3IRGenerator::endBlock):
        (JSC::Wasm::B3IRGenerator::addEndToUnreachable):
        (JSC::Wasm::B3IRGenerator::createCallPatchpoint):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        (JSC::Wasm::B3IRGenerator::addCallRef):
        (JSC::Wasm::parseAndCompileB3):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::work):
        (JSC::Wasm::BBQPlan::compileFunction):
        (JSC::Wasm::BBQPlan::didCompleteCompilation):
        * wasm/WasmCallee.h:
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::WasmCallingConvention::callInformationFor const):
        (JSC::Wasm::JSCallingConvention::callInformationFor const):
        * wasm/WasmEmbedder.h:
        * wasm/WasmEntryPlan.cpp:
        (JSC::Wasm::EntryPlan::prepare):
        * wasm/WasmFormat.h:
        (JSC::Wasm::isExternref):
        (JSC::Wasm::isFuncref):
        (JSC::Wasm::funcrefType):
        (JSC::Wasm::externrefType):
        (JSC::Wasm::WasmToWasmImportableFunction::offsetOfSignatureIndex):
        * wasm/WasmFunctionCodeBlockGenerator.cpp:
        (JSC::Wasm::FunctionCodeBlockGenerator::addSignature):
        * wasm/WasmFunctionCodeBlockGenerator.h:
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::splitStack):
        (JSC::Wasm::FunctionParser::signature const):
        (JSC::Wasm::FunctionParser<Context>::FunctionParser):
        (JSC::Wasm::FunctionParser<Context>::parse):
        (JSC::Wasm::FunctionParser<Context>::unify):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
        * wasm/WasmGlobal.cpp:
        (JSC::Wasm::Global::set):
        * wasm/WasmGlobal.h:
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::initElementSegment):
        * wasm/WasmLLIntGenerator.cpp:
        (JSC::Wasm::LLIntGenerator::ControlType::loop):
        (JSC::Wasm::LLIntGenerator::ControlType::block):
        (JSC::Wasm::LLIntGenerator::ControlType::if_):
        (JSC::Wasm::LLIntGenerator::ControlType::createTry):
        (JSC::Wasm::LLIntGenerator::ControlType::createCatch):
        (JSC::Wasm::LLIntGenerator::ControlType::branchTargetArity const):
        (JSC::Wasm::LLIntGenerator::ControlType::branchTargetType const):
        (JSC::Wasm::parseAndCompileBytecode):
        (JSC::Wasm::LLIntGenerator::LLIntGenerator):
        (JSC::Wasm::LLIntGenerator::callInformationForCaller):
        (JSC::Wasm::LLIntGenerator::callInformationForCallee):
        (JSC::Wasm::LLIntGenerator::addArguments):
        (JSC::Wasm::LLIntGenerator::addElseToUnreachable):
        (JSC::Wasm::LLIntGenerator::addCatch):
        (JSC::Wasm::LLIntGenerator::addCatchToUnreachable):
        (JSC::Wasm::LLIntGenerator::addReturn):
        (JSC::Wasm::LLIntGenerator::addEndToUnreachable):
        (JSC::Wasm::LLIntGenerator::endTopLevel):
        (JSC::Wasm::LLIntGenerator::addCall):
        (JSC::Wasm::LLIntGenerator::addCallIndirect):
        (JSC::Wasm::LLIntGenerator::addCallRef):
        * wasm/WasmLLIntGenerator.h:
        * wasm/WasmLLIntPlan.cpp:
        (JSC::Wasm::LLIntPlan::compileFunction):
        (JSC::Wasm::LLIntPlan::didCompleteCompilation):
        * wasm/WasmLimits.h:
        * wasm/WasmModule.cpp:
        (JSC::Wasm::Module::typeIndexFromFunctionIndexSpace const):
        (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace const): Deleted.
        * wasm/WasmModule.h:
        * wasm/WasmModuleInformation.h:
        (JSC::Wasm::ModuleInformation::functionIndexSpaceSize const):
        (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace const):
        (JSC::Wasm::ModuleInformation::typeIndexFromFunctionIndexSpace const):
        (JSC::Wasm::ModuleInformation::exceptionIndexSpaceSize const):
        (JSC::Wasm::ModuleInformation::isImportedExceptionFromExceptionIndexSpace const):
        (JSC::Wasm::ModuleInformation::typeIndexFromExceptionIndexSpace const):
        (JSC::Wasm::ModuleInformation::importFunctionCount const):
        (JSC::Wasm::ModuleInformation::internalFunctionCount const):
        (JSC::Wasm::ModuleInformation::importExceptionCount const):
        (JSC::Wasm::ModuleInformation::internalExceptionCount const):
        (JSC::Wasm::ModuleInformation::typeCount const):
        (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace const): Deleted.
        (JSC::Wasm::ModuleInformation::signatureIndexFromExceptionIndexSpace const): Deleted.
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/WasmOSREntryPlan.cpp:
        (JSC::Wasm::OSREntryPlan::work):
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
        * wasm/WasmOperations.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::Parser):
        (JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
        (JSC::Wasm::Parser<SuccessType>::parseHeapType):
        (JSC::Wasm::Parser<SuccessType>::parseValueType):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseType):
        (JSC::Wasm::SectionParser::parseImport):
        (JSC::Wasm::SectionParser::parseFunction):
        (JSC::Wasm::SectionParser::parseExport):
        (JSC::Wasm::SectionParser::parseStart):
        (JSC::Wasm::SectionParser::parseInitExpr):
        (JSC::Wasm::SectionParser::parseFunctionType):
        (JSC::Wasm::SectionParser::parseStructType):
        (JSC::Wasm::SectionParser::parseGlobalType):
        (JSC::Wasm::SectionParser::parseException):
        * wasm/WasmSectionParser.h:
        * wasm/WasmSignature.cpp: Removed.
        * wasm/WasmSignature.h: Removed.
        * wasm/WasmSlowPaths.cpp:
        (JSC::LLInt::doWasmCallIndirect):
        (JSC::LLInt::WASM_SLOW_PATH_DECL):
        (JSC::LLInt::doWasmCallRef):
        * wasm/WasmStreamingParser.cpp:
        * wasm/WasmStreamingPlan.cpp:
        * wasm/WasmTable.cpp:
        (JSC::Wasm::Table::clear):
        (JSC::Wasm::FuncRefTable::FuncRefTable):
        * wasm/WasmTag.h:
        * wasm/WasmTypeDefinition.cpp: Added.
        (JSC::Wasm::TypeDefinition::toString const):
        (JSC::Wasm::TypeDefinition::dump const):
        (JSC::Wasm::FunctionSignature::toString const):
        (JSC::Wasm::FunctionSignature::dump const):
        (JSC::Wasm::StructType::toString const):
        (JSC::Wasm::StructType::dump const):
        (JSC::Wasm::computeSignatureHash):
        (JSC::Wasm::computeStructTypeHash):
        (JSC::Wasm::TypeDefinition::hash const):
        (JSC::Wasm::TypeDefinition::tryCreateFunctionSignature):
        (JSC::Wasm::TypeDefinition::tryCreateStructType):
        (JSC::Wasm::TypeInformation::TypeInformation):
        (JSC::Wasm::FunctionParameterTypes::hash):
        (JSC::Wasm::FunctionParameterTypes::equal):
        (JSC::Wasm::FunctionParameterTypes::translate):
        (JSC::Wasm::StructParameterTypes::hash):
        (JSC::Wasm::StructParameterTypes::equal):
        (JSC::Wasm::StructParameterTypes::translate):
        (JSC::Wasm::TypeInformation::typeDefinitionForFunction):
        (JSC::Wasm::TypeInformation::typeDefinitionForStruct):
        (JSC::Wasm::TypeInformation::tryCleanup):
        * wasm/WasmTypeDefinition.h: Added.
        (JSC::Wasm::FunctionSignature::FunctionSignature):
        (JSC::Wasm::FunctionSignature::argumentCount const):
        (JSC::Wasm::FunctionSignature::returnCount const):
        (JSC::Wasm::FunctionSignature::returnType const):
        (JSC::Wasm::FunctionSignature::returnsVoid const):
        (JSC::Wasm::FunctionSignature::argumentType const):
        (JSC::Wasm::FunctionSignature::getReturnType):
        (JSC::Wasm::FunctionSignature::getArgumentType):
        (JSC::Wasm::FunctionSignature::storage):
        (JSC::Wasm::FunctionSignature::storage const):
        (JSC::Wasm::StructField::operator== const):
        (JSC::Wasm::StructField::operator!= const):
        (JSC::Wasm::StructType::StructType):
        (JSC::Wasm::StructType::fieldCount const):
        (JSC::Wasm::StructType::field const):
        (JSC::Wasm::StructType::getField):
        (JSC::Wasm::StructType::storage):
        (JSC::Wasm::StructType::storage const):
        (JSC::Wasm::TypeDefinition::TypeDefinition):
        (JSC::Wasm::TypeDefinition::payload):
        (JSC::Wasm::TypeDefinition::allocatedFunctionSize):
        (JSC::Wasm::TypeDefinition::allocatedStructSize):
        (JSC::Wasm::TypeDefinition::is const):
        (JSC::Wasm::TypeDefinition::as):
        (JSC::Wasm::TypeDefinition::as const):
        (JSC::Wasm::TypeDefinition::index const):
        (JSC::Wasm::TypeDefinition::operator== const):
        (JSC::Wasm::TypeHash::TypeHash):
        (JSC::Wasm::TypeHash::operator== const):
        (JSC::Wasm::TypeHash::equal):
        (JSC::Wasm::TypeHash::hash):
        (JSC::Wasm::TypeHash::isHashTableDeletedValue const):
        (JSC::Wasm::TypeInformation::thunkFor const):
        * wasm/WasmTypeDefinitionInlines.h: Renamed from Source/JavaScriptCore/wasm/WasmSignatureInlines.h.
        (JSC::Wasm::TypeInformation::singleton):
        (JSC::Wasm::TypeInformation::get):
        (JSC::Wasm::TypeInformation::getFunctionSignature):
        * wasm/generateWasmOpsHeader.py:
        * wasm/js/JSToWasm.cpp:
        (JSC::Wasm::marshallJSResult):
        (JSC::Wasm::createJSToWasmWrapper):
        * wasm/js/JSToWasm.h:
        * wasm/js/JSWebAssemblyException.cpp:
        (JSC::JSWebAssemblyException::visitChildrenImpl):
        (JSC::JSWebAssemblyException::getArg const):
        * wasm/js/JSWebAssemblyGlobal.cpp:
        (JSC::JSWebAssemblyGlobal::type):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::fromJSValue):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::destroy):
        (JSC::JSWebAssemblyModule::typeIndexFromFunctionIndexSpace const):
        (JSC::JSWebAssemblyModule::generateWasmToJSStubs):
        (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const): Deleted.
        * wasm/js/JSWebAssemblyModule.h:
        * wasm/js/JSWebAssemblyTag.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):
        * wasm/js/WasmToJS.h:
        * wasm/js/WebAssemblyExceptionConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::WebAssemblyFunction::usesTagRegisters const):
        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
        (JSC::WebAssemblyFunction::create):
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyFunctionBase.h:
        (JSC::WebAssemblyFunctionBase::typeIndex const):
        (JSC::WebAssemblyFunctionBase::signatureIndex const): Deleted.
        * wasm/js/WebAssemblyGlobalConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyGlobalPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::initializeImports):
        (JSC::WebAssemblyModuleRecord::initializeExports):
        * wasm/js/WebAssemblyTagConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):
        * wasm/js/WebAssemblyWrapperFunction.h:
        * wasm/wasm.json:

2022-04-12  Geza Lore  <glore@igalia.com>

        [JSC] Reduce Baseline JIT code size in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=238928

        Reviewed by Saam Barati.

        The Baseline JIT used to emit a substantial but identical sequence to
        check pinned registers and the SP at the beginning of every bytecode.
        This caused large code bloat and made it somewhat difficult to use
        debug builds on resource constrained platforms. Trying to alleviate
        this by emitting a small dispatcher after the slow path section (but
        before the stack overflow check), which then tail-calls a shared
        thunk. The opcodes then call this very small dispatcher. The source op
        of a faulting bytecode is easily visible in the link register (or on
        the stack on x86).

        This saves 34% Baseline JIT code size (and 14% overall) on a debug
        build with JetStream2. Also fixes all code-size related test failures
        on the ARMv7 debug build.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::emitConsistencyCheck):
        (JSC::JIT::compileAndLinkWithoutFinalizing):
        (JSC::JIT::link):
        * jit/JIT.h:

2022-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Reduce use of unnecessary cryptographicallyRandom numbers
        https://bugs.webkit.org/show_bug.cgi?id=239026

        Reviewed by Saam Barati.

        This patch removes cryptographically random calls in some of super hot critical path.
        MarkedBlock's use is very hot and it appears on Speedometer2 artrace. But this is just
        a random shuffling of freelist, and WeakRandom is enough for that. This patch replaces
        them with WeakRandom. It offers 0.3% improvement in Speedometer2.

        * assembler/AbstractMacroAssembler.cpp:
        (JSC::AbstractMacroAssemblerBase::initializeRandom):
        (WTF::printInternal):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssemblerBase::random):
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::random): Deleted.
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::Code):
        * b3/air/AirCode.h:
        (JSC::B3::Air::Code::weakRandom): Deleted.
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::heapRandom):

2022-04-11  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, use std::forward instead of WTFMove since it becomes template typename Vector&&
        https://bugs.webkit.org/show_bug.cgi?id=239025

        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::create):

2022-04-10  Chris Dumez  <cdumez@apple.com>

        Unreviewed WatchOS build fix.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):

2022-04-10  Chris Dumez  <cdumez@apple.com>

        Unreviewed WatchOS build fix.

        * runtime/MathCommon.cpp:
        (JSC::fdlibmPow):

2022-04-10  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG / FTL should be aware of JSString's String replacement
        https://bugs.webkit.org/show_bug.cgi?id=238918

        Reviewed by Saam Barati.

        After r289359, String in JSString* can be replaced even after it is resolved. When atomizing String inside JSString*,
        we may replace the existing one to new AtomStringImpl if different AtomStringImpl is already registered in the
        AtomStringTable. However, DFG / FTL GetIndexedPropertyStorage assumes that StringImpl* in JSString* never changes after
        resolving. And this is wrong.

        This patch decouples String handling in GetIndexedPropertyStorage as ResolveRope DFG node. GetIndexedPropertyStorage no
        longer handles JSString and it is now tailored to object cases. ResolveRope does not expose StringImpl::m_data pointer,
        and instead it keeps resolved JSString*. After this change,

            GetByVal(String:@0, Untyped:@1, GetIndexedProperty(String:@0))

        is changed to

            GetByVal(ResolveRope(String:@0), Untyped:@1)

        Also, we revisit all the value(...) callsites (by changing function name) and ensure that we have no code assuming String
        cannot be changed after resolving.

        A/B test ensured that this is perf-neutral.

        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOpImpl):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasStorageChild const):
        (JSC::DFG::Node::storageChildIndex):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileStringCodePointAt):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileResolveRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCodePointAt):
        * jsc.cpp:
        (JSC_DEFINE_HOST_FUNCTION):
        * runtime/HashMapImplInlines.h:
        (JSC::jsMapHashImpl):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::displayName):
        (JSC::InternalFunction::calculatedDisplayName):
        * runtime/InternalFunction.h:
        * runtime/JSBoundFunction.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::toPreferredPrimitiveType):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::importModule):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSPropertyNameEnumerator.cpp:
        (JSC::JSPropertyNameEnumerator::computeNext):
        * runtime/JSRemoteFunction.h:
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::compareBigIntToOtherPrimitive):
        (JSC::compareBigInt32ToOtherPrimitive):
        * runtime/RegExpMatchesArray.h:
        (JSC::createRegExpMatchesArray):
        * runtime/StringPrototype.cpp:
        (JSC::JSC_DEFINE_JIT_OPERATION):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/SymbolConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * tools/JSDollarVM.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):

2022-04-09  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use Vector with inline capacity in ObjectPropertyConditionSet creation
        https://bugs.webkit.org/show_bug.cgi?id=239025

        Reviewed by Keith Miller.

        Since we anyway allocate ThreadSafeRefCountedFixedVector<ObjectPropertyCondition> in ObjectPropertyConditionSet, which has exact size,
        generateXXX and mergeWith should not allocate heap Vector just for temporarily collecting ObjectPropertyCondition.
        We pick 8 in generateXXX function and 16 for mergeWith function. This looks reasonable number and at least covers all cases in Speedometer2.

        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::mergedWith const):
        (JSC::generateConditionsForPropertyMiss):
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPrototypePropertyHit):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        (JSC::generateConditionsForInstanceOf):
        (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
        (JSC::generateConditionsForPropertyMissConcurrently):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        * bytecode/ObjectPropertyConditionSet.h:
        (JSC::ObjectPropertyConditionSet::create):

2022-04-09  Adrian Perez de Castro  <aperez@igalia.com>

        [GTK][WPE] Missing inter-module documentation links
        https://bugs.webkit.org/show_bug.cgi?id=239016

        Reviewed by Michael Catanzaro.

        Add JS snippets to be used in the gi-docgen output to setup links to
        other modules. Take advantage of being able to compute the documentation
        API version suffix from the currently loaded page URL, which avoids having
        a number of templates depending on the API version and having to deal with
        the documentation API version being sometimes different than the actual API
        version of the library. The URLs for GTK3 vs. GTK4 documentation cannot be
        handled in the same way, and instead the JS snippet is also a template
        expanded by CMake to allows using the ${GTK_API_VERSION} variable there.

        * API/glib/docs/jsc.toml.in: Use added urlmap.js file.
        * API/glib/docs/urlmap.js: Added.

2022-04-08  Elliott Williams  <emw@apple.com>

        [Xcode] Avoid targeting 32-bit iOS and Mac architectures
        https://bugs.webkit.org/show_bug.cgi?id=238971

        Reviewed by Alexey Proskuryakov.

        Modern Xcode supports building armv7 iOS and i386 macOS, but only when targeting older OSes.
        We do not support these targets, but our ARCHS override implies we do. Remove our setting
        and use the default.

        This improves support for building directly from WebKit.xcworkspace to a `generic/*`
        destination.

        * Configurations/DebugRelease.xcconfig:

2022-04-08  Brent Fulgham  <bfulgham@apple.com>

        Move WebGPU to WebCore/features.json and add <model> element
        https://bugs.webkit.org/show_bug.cgi?id=238981

        Reviewed by Myles C. Maxfield

        Move WebGPU stuff to the WebCore features.json file.

        * features.json:

2022-04-08  Elliott Williams  <emw@apple.com>

        Unreviewed, reverting r292591.

        Causing spurious EWS errors

        Reverted changeset:

        "[XCBuild] Enable dependency validation by default"
        https://bugs.webkit.org/show_bug.cgi?id=238901
        https://commits.webkit.org/r292591

2022-04-08  Chris Dumez  <cdumez@apple.com>

        Reduce number of StringView to String conversions in JSC
        https://bugs.webkit.org/show_bug.cgi?id=238911

        Reviewed by Darin Adler.

        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue const):
        Resolve ambiguity by explicitly converting the StringImpl to a String before
        calling jsString(). [1]

        * jsc.cpp:
        Avoid constructing a String from the StringView, just to compute a hash.
        Instead, rely on the StringViewHashTranslator for this.

        * profiler/ProfilerOSRExit.cpp:
        (JSC::Profiler::OSRExit::toJS const):
        exitKindToString() returns an ASCIILiteral whose length is always greater
        than 1 so we can call the more efficient jsNontrivialString() instead of
        jsString(). Calling jsString() here had become ambiguous because an
        ASCIILiteral can be implicitely converted to both a String and a
        StringView [2].

        * runtime/ArrayPrototype.cpp:
        (JSC::fastJoin):
        Call the new jsString() overload that takes a StringView, to avoid
        unnecessarily constructing a String in the case where the length is <= 1 [3].

        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToErrorMessage):
        * runtime/ErrorInstance.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::defaultApproximateSourceError):
        (JSC::defaultSourceAppender):
        (JSC::functionCallBase):
        (JSC::notAFunctionSourceAppender):
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
        (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
        (JSC::invalidPrototypeSourceAppender):
        * runtime/ExceptionHelpers.h:
        Call SourceAppender with a StringView since this is what we have. In most
        cases, these appenders end up calling makeString() and it is thus beneficial
        to avoid temporary/intermediate String constructions. 

        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::toStringSlow):
        Same as [3].

        * runtime/IdentifierInlines.h:
        (JSC::identifierToJSValue):
        (JSC::identifierToSafePublicJSValue):
        Same as [1].

        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::formatToParts const):
        (JSC::IntlDateTimeFormat::formatRangeToParts):
        * runtime/IntlLocale.cpp:
        (JSC::IntlLocale::textInfo):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::formatRangeToPartsInternal):
        (JSC::IntlNumberFormat::formatToPartsInternal):
        Same as [2].

        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::formatToParts const):
        Same as [3].

        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::JSArrayBufferPrototype::finishCreation):
        Same as [2].

        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::requestImportModule):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        Same as [1].

        * runtime/JSString.h:
        (JSC::jsString):
        Add a jsString() overload that takes in a StringView instead of a String.
        This avoids construction of a String for call sites having a StringView
        in the event where the view's length is <= 1.

        * runtime/SymbolConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        Same as [1].


2022-04-08  Keith Miller  <keith_miller@apple.com>

        Broaden TypedArray API fix to all apps not just Bleacher Report
        https://bugs.webkit.org/show_bug.cgi?id=238955

        Reviewed by Saam Barati.

        * API/JSTypedArray.cpp:
        (isLinkedBeforeTypedArrayLengthQuirk):
        (JSObjectGetArrayBufferByteLength):
        (isBleecherReport): Deleted.

2022-04-07  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Fire structure transition watchpoint in Structure::finishCreation instead of Structure constructor
        https://bugs.webkit.org/show_bug.cgi?id=238980

        Reviewed by Saam Barati.

        After https://github.com/WebKit/WebKit/commit/dc3a347474a183891f8e07966dc09e684d7a1d13 change,
        we start using Structure::get in the main thread. However one of the difference between Structure::get and
        Structure::getConcurrently is that it can allocate GC memory: PropertyTable can be materialized.

        Structure constructor was firing structure transition watchpoint. And some of watchpoints were using
        Structure::getConcurrently. That's fine before, but now, it becomes Structure::get. It is not OK since
        we cannot allocate GC memory inside constructor of GC managed objects.

        This patch split didTransitionFromThisStructure into didTransitionFromThisStructureWithoutFiringWatchpoint and
        fireStructureTransitionWatchpoint. And firing watchpoints in Structure::finishCreation instead of Structure
        constructor so that we can allocate GC memory while firing watchpoints.

        * runtime/BrandedStructure.cpp:
        (JSC::BrandedStructure::BrandedStructure):
        (JSC::BrandedStructure::create):
        * runtime/BrandedStructure.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::didTransitionFromThisStructureWithoutFiringWatchpoint const):
        (JSC::Structure::fireStructureTransitionWatchpoint const):
        (JSC::Structure::didTransitionFromThisStructure const):
        * runtime/Structure.h:
        (JSC::Structure::finishCreation):
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2022-04-07  Elliott Williams  <emw@apple.com>

        [XCBuild] Enable dependency validation by default
        https://bugs.webkit.org/show_bug.cgi?id=238901
        <rdar://problem/91379968>

        Reviewed by Alexey Proskuryakov.

        * Configurations/DebugRelease.xcconfig:

2022-04-07  Geza Lore  <glore@igalia.com>

        [JSC][ARMv7] Support proper near calls and JUMP_ISLANDS
        https://bugs.webkit.org/show_bug.cgi?id=238143

        Reviewed by Yusuke Suzuki.

        Implement nearCall and nearTailCall as single instruction direct
        branches on ARMv7/Thumb-2. (Will need to support these for Wasm JITs,
        to implement threadSafePatchableNearcall.) To make this possible while
        also having an executable pool size larger than the branch range, I
        also ported JUMP_ISLANDS.

        To port JUMP_ISLANDS, a reformulation of the region allocations was
        necessary, which is now done in terms of the range of the
        nearCall/nearTailCall macroassembler macros. For ARM64, the behaviour
        should be identical.

        The jump islad reservation on ARMv7 is set to 5% of executable memory
        size, which is approximately the same as the baseline JIT code size
        saving provided by using short branches for near calls, so the change
        should be neutral overall with respect to executable memory
        consumption.

        Also made it possible for the --jitMemoryReservationSize option to
        request JIT memory that is larger than the default hardcoded size
        while using JUMP_ISLANDS (we need this for testing on ARMv7, which has
        a smaller default executable pool size). To do this the region
        allocators are no longer statically allocated but are held in a
        FixedVector.

        Also removed the unused repatchCompact methods from assemblers.

        * assembler/ARM64Assembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::isEven):
        (JSC::ARMv7Assembler::makeEven):
        (JSC::ARMv7Assembler::bl):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkTailCall):
        (JSC::ARMv7Assembler::linkCall):
        (JSC::ARMv7Assembler::relinkCall):
        (JSC::ARMv7Assembler::relinkTailCall):
        (JSC::ARMv7Assembler::prepareForAtomicRelinkJumpConcurrently):
        (JSC::ARMv7Assembler::prepareForAtomicRelinkCallConcurrently):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::canEmitJump):
        (JSC::ARMv7Assembler::isBL):
        (JSC::ARMv7Assembler::linkJumpT4):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkJumpAbsolute):
        (JSC::ARMv7Assembler::linkBranch):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::repatchNearCall):
        * assembler/AssemblerCommon.h:
        (JSC::isInt):
        * assembler/MIPSAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::nearTailCall):
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerRISCV64.h:
        * assembler/MacroAssemblerX86Common.h:
        * assembler/X86Assembler.h:
        * bytecode/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * jit/ExecutableAllocator.cpp:
        (JSC::initializeJITPageReservation):

2022-04-07  Geza Lore  <glore@igalia.com>

        [JSC][32bit] Use constexpr tags instead of enums
        https://bugs.webkit.org/show_bug.cgi?id=238926

        Reviewed by Yusuke Suzuki.

        The *Tag values are just 32-bit constants, so define them as
        constexpr. This reduces compiler nuisance warnings about enum
        comparisons.

        * dfg/DFGSpeculativeJIT.cpp:
        * runtime/JSCJSValue.h:

2022-04-07  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] RemoteInspector add support for IPv6
        https://bugs.webkit.org/show_bug.cgi?id=238797

        Reviewed by Adrian Perez de Castro.

        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start): Receive a GSocketAddress instead of address and port parameters.
        * inspector/remote/glib/RemoteInspectorServer.h:

2022-04-06  Saam Barati  <sbarati@apple.com>

        Call Structure::get instead of Structure::getConcurrently on the mutator thread
        https://bugs.webkit.org/show_bug.cgi?id=238823

        Reviewed by Yusuke Suzuki.

        We try to call Structure::get instead of Structure::getConcurrently when
        we know for sure we're on the main thread. This is because getConcurrently
        is slower than get.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::couldStillSucceed const):
        (JSC::AccessCase::generateImpl):
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
        (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
        * bytecode/ObjectPropertyCondition.cpp:
        (JSC::ObjectPropertyCondition::structureEnsuresValidityAssumingImpurePropertyWatchpoint const):
        (JSC::ObjectPropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::ObjectPropertyCondition::isStillValid const):
        (JSC::ObjectPropertyCondition::structureEnsuresValidity const):
        * bytecode/ObjectPropertyCondition.h:
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidity const):
        (JSC::generateConditionsForPropertyMiss):
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPrototypePropertyHit):
        (JSC::generateConditionsForPrototypePropertyHitCustom):
        (JSC::generateConditionsForPrototypeEquivalenceConcurrently):
        (JSC::generateConditionsForPropertyMissConcurrently):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        (JSC::generateConditionForSelfEquivalence):
        (JSC::ObjectPropertyConditionSet::structuresEnsureValidityAssumingImpurePropertyWatchpoint const): Deleted.
        (JSC::ObjectPropertyConditionSet::isValidAndWatchable const): Deleted.
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
        (JSC::watchabilityToConcurrency):
        (JSC::PropertyCondition::isStillValid const):
        (JSC::PropertyCondition::isWatchableWhenValid const):
        (JSC::PropertyCondition::isWatchableAssumingImpurePropertyWatchpoint const):
        (JSC::PropertyCondition::isWatchable const):
        * bytecode/PropertyCondition.h:
        * dfg/DFGAdaptiveStructureWatchpoint.cpp:
        (JSC::DFG::AdaptiveStructureWatchpoint::install):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::planLoad):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::AdaptiveStructureWatchpointAdaptor::hasBeenInvalidated):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::watchCondition):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setupGetByIdPrototypeCache):
        * runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp:
        (JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::install):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect const):
        * runtime/Structure.h:
        (JSC::Structure::get):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::cacheSpecialPropertySlow):

2022-04-06  Chris Dumez  <cdumez@apple.com>

        Start replacing String(const char*) constructor with a String::fromLatin1(const char*) function
        https://bugs.webkit.org/show_bug.cgi?id=238701

        Reviewed by Geoffrey Garen.

        * API/JSValue.mm:
        (createStructHandlerMap):
        (handerForStructTag):
        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::name):
        * API/glib/JSCContext.cpp:
        (jsc_context_check_syntax):
        * b3/air/testair.cpp:
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName const):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::sendMessageToBackend):
        * jit/ExecutableAllocator.cpp:
        (JSC::dumpJITMemory):
        * jsc.cpp:
        (JSC_DEFINE_HOST_FUNCTION):
        (runWithOptions):
        (CommandLine::parseArguments):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/Parser.h:
        (JSC::Parser::updateErrorMessage):
        * parser/SourceProvider.h:
        * runtime/BytecodeCacheError.cpp:
        (JSC::BytecodeCacheError::StandardError::message const):
        * runtime/IntlLocale.cpp:
        (JSC::IntlLocale::keywordValue const):
        (JSC::IntlLocale::numberingSystems):
        * runtime/IntlObject.cpp:
        (JSC::numberingSystemsForLocale):
        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadix):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::numberToStringInternal):
        (JSC::int52ToString):
        * runtime/Options.cpp:
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::setAliasedOption):
        * runtime/RegExpPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::displayName):
        * runtime/StringPrototype.cpp:
        (JSC::toLocaleCase):
        * testRegExp.cpp:
        (parseArguments):
        * tools/CompilerTimingScope.cpp:
        * tools/FunctionAllowlist.cpp:
        (JSC::FunctionAllowlist::FunctionAllowlist):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):

2022-04-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Substring resolving should check 8bit / 16bit again
        https://bugs.webkit.org/show_bug.cgi?id=236775
        <rdar://problem/89253391>

        Reviewed by Saam Barati.

        Substring JSString is wrapping JSString. Thus it is possible that underlying JSString's 8Bit / 16Bit status
        becomes different from substring JSString wrapper's bit. We should not assume they are the same.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal const):
        (JSC::JSRopeString::resolveRopeToAtomString const):
        (JSC::JSRopeString::resolveRopeToExistingAtomString const):
        (JSC::JSRopeString::resolveRopeInternal8 const): Deleted.
        (JSC::JSRopeString::resolveRopeInternal16 const): Deleted.
        * runtime/JSString.h:

2022-04-06  Chris Dumez  <cdumez@apple.com>

        Reduce number of conversions from StringView to String
        https://bugs.webkit.org/show_bug.cgi?id=238841

        Reviewed by Geoffrey Garen.

        * runtime/RegExp.h:
        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):

2022-04-06  Justin Michaud  <justin_michaud@apple.com>

        CSE should be more careful with values that have WritesPinned, ExitsSideways, or are of different sizes
        https://bugs.webkit.org/show_bug.cgi?id=238302

        Reviewed by Saam Barati.

        1) CSE for WasmAddressValue searches for any nodes marked with WritesPinned between all paths from the redundant
        WasmAddressValue to the replacement that dominates it. For a switch construct, we might miss some paths while
        performing this DFS of predecessor blocks because the termination condition was a break instead of a continue.

        2) The CSE phase looks for a pattern it calls a store after clobber. That is, two stores to the same location where 
        the first store is not observable. It searches for reads and writes that overlap with the store and its clobber, and
        bails if it finds them. When we add in CSE for WasmAddressValue, we expose the fact that WasmBoundsCheck has ExitSideways
        but does not claim to read top, even though the code it exits to totally can. This can cause us to eliminate an observable store.

        3) The store after clobber phase does not check that the size of the clobber is the same as the size of the store. Again,
        this is usually hidden by JavaScript because the sizes are usually the same. Also, when WASM fast memory is enabled, this
        bug is hidden because the loads/stores say that they may trap. That is why the unity test case only failed on iOS (although
        it does fail on mac with __XPC_JSC_useWebAssemblyFastMemory=0).

        * b3/B3EliminateCommonSubexpressions.cpp:
        * b3/testb3.h:
        * b3/testb3_8.cpp:
        (testWasmAddressDoesNotCSE):
        (addCopyTests):

2022-04-06  Xan Lopez  <xan@igalia.com>

        [JSC] Add DoNotHaveTagRegisters mode to unboxDouble
        https://bugs.webkit.org/show_bug.cgi?id=238018

        Reviewed by Yusuke Suzuki.

        Wasm cannot use unboxDouble as-is because
        GPRInfo::numberTagRegister is not available. Add a
        DoNotHaveTagRegister mode so we can get rid of some duplicated
        code.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
        (JSC::AssemblyHelpers::unboxDouble):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2022-04-06  Adrian Perez de Castro  <aperez@igalia.com>

        [JSC] Nested includes do not change offlineasm hash output
        https://bugs.webkit.org/show_bug.cgi?id=237779

        Reviewed by Mark Lam.

        The Ruby tooling around offlineasm can produce on their output a line containing a
        checksum which depends on the input files processed. This is used to avoid redoing
        in case the source files have not been changed since the last run. While there is
        code to scan the "include" directives in the main input file and take the included
        files into account for checksum calculation, included files themselves were not being
        further processed for the second or additional levels of "include:. This adds the
        missing recursive processing of "include" directives in order to take nested includes
        into account.

        * offlineasm/parser.rb: Process nested includes recursively for checksum calculation.

2022-04-06  Geza Lore  <glore@igalia.com>

        [JSC]Squash alignment warning
        https://bugs.webkit.org/show_bug.cgi?id=238670

        Unreviewed gardening.

        Squash a "cast increases required alignment of target type" due to
        poiner arithmetic via char*

        * wasm/WasmSignature.h:
        (JSC::Wasm::Signature::storage):

2022-04-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use inlined assertion for CodeBlock type
        https://bugs.webkit.org/show_bug.cgi?id=238849

        Reviewed by Michael Saboff.

        We introduced probeDebug-based CodeBlock assertion, but it is too slow and causing timeout on Debug JSC tests.
        Instead, we use inlined assertion which is much faster to prevent these Debug build timeout.

        * assembler/AbortReason.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameWithType):
        (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameIsOptimizingJIT):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameWithType):
        (JSC::AssemblyHelpers::jitAssertCodeBlockOnCallFrameIsOptimizingJIT):
        * jit/JIT.cpp:
        (JSC::JIT::compileAndLinkWithoutFinalizing):
        * jit/JITCode.h:
        (JSC::JITCode::offsetOfJITType):

2022-04-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Strictly annotate pointers with TrustedImmPtr in CCallHelpers
        https://bugs.webkit.org/show_bug.cgi?id=238827

        Reviewed by Mark Lam.

        This allows us to detect pointer use in DFG easy. This is important in unlinked DFG development.
        We also consistently use m_graph instead of m_jit.graph() in DFG::SpeculativeJIT.

        We also purge CodeBlock* embedding in DFG code completely. Now we load it from the cfr
        instead (compileLogShadowChickenTail and callOperationWithCallFrameRollbackOnException).

        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitGetCallee):
        (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::compileGetById):
        (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
        (JSC::DFG::SpeculativeJIT::compileDeleteById):
        (JSC::DFG::SpeculativeJIT::compileDeleteByVal):
        (JSC::DFG::SpeculativeJIT::compileInById):
        (JSC::DFG::SpeculativeJIT::compileInByVal):
        (JSC::DFG::SpeculativeJIT::compileHasPrivate):
        (JSC::DFG::SpeculativeJIT::compileStringSlice):
        (JSC::DFG::SpeculativeJIT::compileLoopHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        (JSC::DFG::SpeculativeJIT::compileCheckTraps):
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compilePutByVal):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::compileClampDoubleToByte):
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::nextBlock):
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::identifierUID):
        (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
        (JSC::DFG::SpeculativeJIT::compileToBoolean):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compileGetByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBigInt32):
        (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
        (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
        (JSC::DFG::SpeculativeJIT::compileToBoolean):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitUntypedBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compileGetByVal):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithInt52Size):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithRandom):
        (JSC::DFG::SpeculativeJIT::compileDateGet):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
        (JSC::FTL::DFG::LowerDFGToB3::getPrivateName):
        (JSC::FTL::DFG::LowerDFGToB3::compilePrivateBrandAccess):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
        (JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByValImpl):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileObjectKeysOrObjectGetOwnPropertyNames):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::emitNewTypedArrayWithSize):
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/CCallHelpers.cpp:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::std::is_pointer<CURRENT_ARGUMENT_TYPE>::value): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::op_enter_handlerGenerator):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_new_regexp):
        (JSC::JIT::emitNewFuncCommon):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_profile_type):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_getter_by_id):
        (JSC::JIT::emit_op_put_setter_by_id):
        (JSC::JIT::emit_op_put_getter_setter_by_id):
        (JSC::JIT::emitWriteBarrier):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2022-04-05  Chris Dumez  <cdumez@apple.com>

        Avoid unnecessary String constructions in IdentifiersFactory.cpp
        https://bugs.webkit.org/show_bug.cgi?id=238819

        Reviewed by Geoffrey Garen.

        * inspector/IdentifiersFactory.cpp:
        (Inspector::addPrefixToIdentifier):
        (Inspector::IdentifiersFactory::createIdentifier):
        (Inspector::IdentifiersFactory::requestId):

2022-04-05  Chris Dumez  <cdumez@apple.com>

        Mark String(const char*) constructor as explicit
        https://bugs.webkit.org/show_bug.cgi?id=238693

        Reviewed by Geoffrey Garen.

        * API/glib/JSCContext.cpp:
        (jsc_context_check_syntax):
        * inspector/remote/socket/RemoteInspectorSocket.cpp:
        (Inspector::RemoteInspector::startAutomationSession):
        * tools/JSDollarVM.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES):

2022-04-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Reduce sizeof(BaselineCallLinkInfo) to make bug 238535 good
        https://bugs.webkit.org/show_bug.cgi?id=238777

        Reviewed by Mark Lam.

        https://bugs.webkit.org/show_bug.cgi?id=238535 adds one pointer to CallLinkInfo.
        To make BaselineCallLinkInfo small, this patch removes std::unique_ptr<CallFrameShuffleData>
        in BaselineCallLinkInfo since it can be computed in repatching code.

        * bytecode/CallLinkInfo.cpp:
        (JSC::BaselineCallLinkInfo::initialize):
        (JSC::OptimizingCallLinkInfo::setFrameShuffleData):
        (JSC::CallLinkInfo::setFrameShuffleData): Deleted.
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::frameShuffleData): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2022-04-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Store CodeBlock in caller side
        https://bugs.webkit.org/show_bug.cgi?id=238535

        Reviewed by Saam Barati.

        This patch changes the calling convention of JS functions. Now, we need to store CodeBlock to the stack in the caller side instead.
        This helps LLInt, unlinked Baseline, and DFG since we no longer need to load CodeBlock from callee via costly dependent loads: unlinked
        ones cannot embed CodeBlock raw pointer into the machine code itself. So we needed to load it from callee. But now, caller puts the
        right CodeBlock pointer into the stack so we do not need that code. And in most cases, caller already knows CodeBlock since it is tied
        to actually used machine code pointer.
        OSR entry also materializes CodeBlock in the stack in the OSR entry side instead of doing it in the callee side.

        This contributes to 0.3% progression in Speedometer2.

        * assembler/CPU.h:
        (JSC::prologueStackPointerDelta):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setMonomorphicCallee):
        (JSC::CallLinkInfo::clearCallee):
        (JSC::CallLinkInfo::revertCallToStub):
        (JSC::CallLinkInfo::emitFastPathImpl):
        (JSC::CallLinkInfo::setStub):
        (JSC::OptimizingCallLinkInfo::emitDirectFastPath):
        (JSC::OptimizingCallLinkInfo::emitDirectTailCallFastPath):
        (JSC::OptimizingCallLinkInfo::initializeDirectCall):
        (JSC::OptimizingCallLinkInfo::setDirectCallTarget):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::offsetOfCodeBlock):
        * bytecode/Repatch.cpp:
        (JSC::linkMonomorphicCall):
        (JSC::linkDirectCall):
        (JSC::linkPolymorphicCall):
        * bytecode/RepatchInlines.h:
        (JSC::virtualForWithFunction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * interpreter/CallFrame.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeCall):
        (JSC::AssemblyHelpers::calleeFrameCodeBlockBeforeTailCall):
        (JSC::AssemblyHelpers::prologueStackPointerDelta): Deleted.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * jit/JIT.cpp:
        (JSC::JIT::compileAndLinkWithoutFinalizing):
        (JSC::JIT::emitPutCodeBlockToFrameInPrologue): Deleted.
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        (JSC::JSC_DEFINE_JIT_OPERATION):
        * jit/JITOperations.h:
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::boundFunctionCallGenerator):
        (JSC::remoteFunctionCallGenerator):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * llint/WebAssembly.asm:
        * runtime/FunctionExecutable.h:
        * runtime/JSCast.h:
        * runtime/VM.cpp:
        (JSC::VM::getRemoteFunction):
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::doOSREntry):

2022-04-04  Saam Barati  <sbarati@apple.com>

        Turn off LLInt ICs in captive portal mode
        https://bugs.webkit.org/show_bug.cgi?id=238778
        <rdar://84830873>

        Reviewed by Yusuke Suzuki.

        * bytecode/CallLinkInfo.cpp:
        (JSC::BaselineCallLinkInfo::initialize):
        * bytecode/Repatch.cpp:
        (JSC::unlinkCall):
        * llint/LLIntCommon.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::performLLIntGetByID):
        * runtime/OptionsList.h:

2022-04-04  Geoffrey Garen  <ggaren@apple.com>

        Only check isPagedOut() under memory pressure
        https://bugs.webkit.org/show_bug.cgi?id=238742

        Reviewed by Cameron McCormack.

        Worth about 0.4% on Speedometer.

        In theory, if we're not under memory pressure, we're either (a) not
        paged out because we were not recently under memory pressure or (b)
        paged out but OK to page in again because memory is available.

        This could increase swap if a system frequently oscillated between
        yes-memory-pressure and no-memory-pressure; but in practice the systems
        we see under significant memory pressure tend to stay that way.

        * heap/FullGCActivityCallback.cpp:
        (JSC::FullGCActivityCallback::doCollection):

2022-04-02  Chris Dumez  <cdumez@apple.com>

        Add default constructor to ASCIILiteral
        https://bugs.webkit.org/show_bug.cgi?id=238700

        Reviewed by Geoffrey Garen.

        Add default constructor to ASCIILiteral, to replace the more verbose ASCIILiteral::null().

        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.fromString):
        * runtime/ArrayBufferSharingMode.h:
        (JSC::arrayBufferSharingModeName):
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        (JSC::IntlCollator::usageString):
        (JSC::IntlCollator::sensitivityString):
        (JSC::IntlCollator::caseFirstString):
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        (JSC::IntlDateTimeFormat::hourCycleString):
        (JSC::IntlDateTimeFormat::weekdayString):
        (JSC::IntlDateTimeFormat::eraString):
        (JSC::IntlDateTimeFormat::yearString):
        (JSC::IntlDateTimeFormat::monthString):
        (JSC::IntlDateTimeFormat::dayString):
        (JSC::IntlDateTimeFormat::dayPeriodString):
        (JSC::IntlDateTimeFormat::hourString):
        (JSC::IntlDateTimeFormat::minuteString):
        (JSC::IntlDateTimeFormat::secondString):
        (JSC::IntlDateTimeFormat::timeZoneNameString):
        (JSC::IntlDateTimeFormat::formatStyleString):
        * runtime/IntlDisplayNames.cpp:
        (JSC::IntlDisplayNames::styleString):
        (JSC::IntlDisplayNames::typeString):
        (JSC::IntlDisplayNames::fallbackString):
        (JSC::IntlDisplayNames::languageDisplayString):
        * runtime/IntlListFormat.cpp:
        (JSC::IntlListFormat::styleString):
        (JSC::IntlListFormat::typeString):
        * runtime/IntlLocale.cpp:
        (JSC::IntlLocale::initializeLocale):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::styleString):
        (JSC::IntlNumberFormat::currencyDisplayString):
        (JSC::IntlNumberFormat::notationString):
        (JSC::IntlNumberFormat::currencySignString):
        (JSC::IntlNumberFormat::unitDisplayString):
        (JSC::IntlNumberFormat::compactDisplayString):
        (JSC::IntlNumberFormat::signDisplayString):
        (JSC::IntlNumberFormat::roundingModeString):
        (JSC::IntlNumberFormat::trailingZeroDisplayString):
        (JSC::IntlNumberFormat::roundingPriorityString):
        * runtime/IntlObject.cpp:
        (JSC::relevantExtensionKeyString):
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
        (JSC::IntlRelativeTimeFormat::styleString):
        * runtime/IntlSegmenter.cpp:
        (JSC::IntlSegmenter::granularityString):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/TemporalDuration.cpp:
        (JSC::TemporalDuration::total const):
        * runtime/TemporalObject.cpp:
        (JSC::temporalLargestUnit):
        (JSC::temporalSmallestUnit):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorMessage):

2022-04-02  Keith Miller  <keith_miller@apple.com>

        AI should do int32 optimization in ValueRep
        https://bugs.webkit.org/show_bug.cgi?id=238699

        Reviewed by Saam Barati.

        When constant folding an int52 into a ValueRep AI doesn't
        do our normal int32 boxing optimization. I'm not sure if
        it matters since I couldn't find a test but it probably
        doesn't hurt.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2022-04-02  Adrian Perez de Castro  <aperez@igalia.com>

        [GTK] Replace gtk-doc with gi-docgen
        https://bugs.webkit.org/show_bug.cgi?id=226662

        Reviewed by Michael Catanzaro.

        Import two new CMake modules which define commands to easy setup of GObject-Introspection
        and gi-docgen. These in turn allow to remove a bunch of duplicated CMake code, reuse
        the same for both the WPE and GTK ports, and remove the gnarly DocBook templates and
        other auxiliary files previously used by gtk-doc (which amount to a sizeable amount of
        code).

        While at it, do a quick pass to fix the most egregious issues reported by gi-docgen's
        linting mode and that all public symbols end up with at least some documentation in
        the generated output. Follow-up patches will be needed to keep adapting to the style
        encouraged by gi-docgen, fix linking between documented entities, make code examples
        display properly, and a few other things.

        * API/glib/JSCClass.cpp: Fix documentation comments.
        * API/glib/JSCContext.cpp: Ditto.
        * API/glib/JSCDefines.h: Ditto.
        * API/glib/JSCException.cpp: Ditto.
        * API/glib/JSCValue.cpp: Ditto.
        * API/glib/JSCVersion.cpp: Ditto.
        * API/glib/JSCVersion.h.in: Ditto.
        * API/glib/JSCVirtualMachine.cpp: Ditto.
        * API/glib/JSCWeakValue.cpp: Ditto.
        * API/glib/docs/jsc-glib-4.0-sections.txt: Removed.
        * API/glib/docs/jsc-glib-4.0.types: Removed.
        * API/glib/docs/jsc-glib-docs.sgml: Removed.
        * API/glib/docs/jsc.toml.in: Added.
        * PlatformGTK.cmake: Adapt to use the new CMake modules.

2022-04-01  Michael Saboff  <msaboff@apple.com>

        Stop copying StagedFrameworks to the secondary path by default
        https://bugs.webkit.org/show_bug.cgi?id=238688

        Reviewed by Saam Barati.

        Decoupled COPY_STAGED_FRAMEWORKS_TO_SECONDARY_PATH from USE_SYSTEM_CONTENT_PATH so we won't
        always copy frameworks to the secondary path on macOS.  Instead, the build configuration can set
        COPY_STAGED_FRAMEWORKS_TO_SECONDARY_PATH as appropriate.

        * Configurations/Base.xcconfig:

2022-04-01  Jeff Miller  <jeffm@apple.com>

        WKBundlePageUIClient console message support should include source URL, column number, and console messages with arguments
        https://bugs.webkit.org/show_bug.cgi?id=238032

        Reviewed by Alex Christensen.

        Add a function to ScriptArguments to get a vector of argument strings. As we do in
        ScriptArguments::getFirstArgumentAsString(), avoid triggering Proxy traps on a Proxy object when
        generating the vector.

        * inspector/ScriptArguments.cpp:
        (Inspector::ScriptArguments::getArgumentAtIndexAsString const):
        Refactored from getFirstArgumentAsString().
        
        (Inspector::ScriptArguments::getFirstArgumentAsString const):
        Use getArgumentAtIndexAsString().
        
        (Inspector::ScriptArguments::getArgumentsAsStrings const):
        * inspector/ScriptArguments.h:

2022-04-01  Diego Pino Garcia  <dpino@igalia.com>

        Unreviewed, fix non-unified build after r292191

        * runtime/ScriptExecutableInlines.h:

2022-03-31  Chris Dumez  <cdumez@apple.com>

        Adopt Identifier::fromString(ASCIILiteral) more broadly
        https://bugs.webkit.org/show_bug.cgi?id=238574

        Reviewed by Darin Adler.

        Adopt Identifier::fromString(ASCIILiteral) more broadly, now that it is very efficient.

        * API/JSBase.cpp:
        (JSGetMemoryUsageStatistics):
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * Scripts/wkbuiltins/builtins_model.py:
        (BuiltinFunction.fromString):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitThrowReferenceError):
        (JSC::BytecodeGenerator::emitThrowTypeError):
        (JSC::BytecodeGenerator::emitRequireObjectCoercible):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThrowableExpressionData::emitThrowReferenceError):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        * jsc.cpp:
        (JSC_DEFINE_CUSTOM_SETTER):
        (JSCMemoryFootprint::finishCreation):
        (JSCMemoryFootprint::addProperty):
        (JSC_DEFINE_HOST_FUNCTION):
        * parser/Nodes.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        * runtime/Identifier.cpp:
        (JSC::Identifier::add): Deleted.
        * runtime/Identifier.h:
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::fromCString):
        * runtime/IntlDateTimeFormatPrototype.cpp:
        (JSC::IntlDateTimeFormatPrototype::finishCreation):
        * runtime/IntlNumberFormatPrototype.cpp:
        (JSC::IntlNumberFormatPrototype::finishCreation):
        * runtime/IntlObject.cpp:
        (JSC::IntlObject::finishCreation):
        * runtime/JSObject.cpp:
        (JSC::JSObject::reifyAllStaticProperties):
        * runtime/JSObject.h:
        (JSC::makeIdentifier):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::getNonReifiedStaticPropertyNames):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/ProxyConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::ProxyConstructor::finishCreation):
        * runtime/ProxyObject.cpp:
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:
        * wasm/js/JSWebAssembly.cpp:
        (JSC::JSWebAssembly::finishCreation):

2022-03-31  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove ExecutableToCodeBlockEdge
        https://bugs.webkit.org/show_bug.cgi?id=238485

        Reviewed by Keith Miller.

        It turned out that getting CodeBlock from JSFunction is critical. As we start using unlinked Baseline, we are loading
        CodeBlock from JSFunction instead of embedding it, and it roughly contributes to 0.5% regression in Speedometer2.
        It is also crucial to some other places: bound function thunk, remote function thunk, and virtual function calls.
        While the subsequent patch will embed CodeBlock into CallLinkInfo to make it fast, we also would like to keep loading
        CodeBlock from JSFunction faster since this is still used in bound function thunk etc.

        In this patch, we remove ExecutableToCodeBlockEdge to remove one-level indirection between Executable to CodeBlock.
        We can delegate ExecutableToCodeBlockEdge's job to existing Executables so that we can keep the current weak-edge
        feature without introducing ExecutableToCodeBlockEdge. It also removes ExecutableToCodeBlockEdge allocations and
        shrinks sizeof(CodeBlock) by 8 byte.

        We move key functions from ExecutableToCodeBlockEdge to ScriptExecutable, and we maintain Executable-to-CodeBlock edge
        in Executable side.

        Local testing showed that 0.3% progression in Speedometer2.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::visitChildrenImpl):
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::finishCreationCommon): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ownerEdge const): Deleted.
        * bytecode/ExecutableToCodeBlockEdge.cpp: Removed.
        * bytecode/ExecutableToCodeBlockEdge.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::addCoreConstraints):
        * heap/Heap.h:
        (JSC::Heap::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet):
        (JSC::Heap::ScriptExecutableSpaceAndSet::setAndSpaceFor):
        (JSC::Heap::ScriptExecutableSpaceAndSet::clearableCodeSetFor):
        (JSC::Heap::ScriptExecutableSpaceAndSet::outputConstraintsSetFor):
        (JSC::Heap::ScriptExecutableSpaceAndSet::finalizerSetFor):
        * heap/IsoCellSet.h:
        * jit/JIT.cpp:
        (JSC::JIT::emitPutCodeBlockToFrameInPrologue):
        * llint/LowLevelInterpreter.asm:
        * runtime/DirectEvalExecutable.cpp:
        (JSC::DirectEvalExecutable::create):
        * runtime/EvalExecutable.cpp:
        (JSC::EvalExecutable::visitChildrenImpl):
        * runtime/EvalExecutable.h:
        (JSC::EvalExecutable::codeBlock const):
        (JSC::EvalExecutable::unlinkedCodeBlock const):
        (JSC::EvalExecutable::numVariables):
        (JSC::EvalExecutable::numFunctionHoistingCandidates):
        (JSC::EvalExecutable::numTopLevelFunctionDecls):
        (JSC::EvalExecutable::allowDirectEvalCache const):
        (JSC::EvalExecutable::codeBlock): Deleted.
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::shouldKeepInConstraintSet):
        (JSC::FunctionExecutable::visitChildrenImpl):
        (JSC::FunctionExecutable::visitOutputConstraintsImpl):
        * runtime/FunctionExecutable.h:
        * runtime/FunctionExecutableInlines.h:
        (JSC::FunctionExecutable::finalizeUnconditionally):
        (JSC::FunctionExecutable::replaceCodeBlockWith):
        (JSC::FunctionExecutable::toString):
        * runtime/GlobalExecutable.cpp:
        (JSC::GlobalExecutable::visitChildrenImpl):
        (JSC::GlobalExecutable::visitOutputConstraintsImpl):
        (JSC::GlobalExecutable::replaceCodeBlockWith):
        (JSC::GlobalExecutable::finalizeUnconditionally):
        * runtime/GlobalExecutable.h:
        (JSC::GlobalExecutable::codeBlock const):
        (JSC::GlobalExecutable::unlinkedCodeBlock const):
        * runtime/IndirectEvalExecutable.cpp:
        (JSC::IndirectEvalExecutable::createImpl):
        * runtime/JSFunction.cpp:
        * runtime/JSModuleRecord.cpp:
        (JSC::JSModuleRecord::link):
        (JSC::JSModuleRecord::instantiateDeclarations):
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::create):
        (JSC::ModuleProgramExecutable::visitChildrenImpl):
        * runtime/ModuleProgramExecutable.h:
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::ProgramExecutable::visitChildrenImpl):
        * runtime/ProgramExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::clearCode):
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::hasClearableCode const):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::runConstraint):
        (JSC::ScriptExecutable::visitCodeBlockEdge):
        * runtime/ScriptExecutable.h:
        * runtime/ScriptExecutableInlines.h: Copied from Source/JavaScriptCore/runtime/FunctionExecutableInlines.h.
        (JSC::ScriptExecutable::finalizeCodeBlockEdge):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::executableToCodeBlockEdgesWithConstraints): Deleted.
        (JSC::VM::executableToCodeBlockEdgesWithFinalizers): Deleted.

2022-03-31  Patrick Angle  <pangle@apple.com>

        Web Inspector: Support Container Queries in the Styles sidebar
        https://bugs.webkit.org/show_bug.cgi?id=238346

        Reviewed by Devin Rousso.

        Add new `container-rule` type for `CSS::Grouping::Type`.

        * inspector/protocol/CSS.json:

2022-03-30  Chris Dumez  <cdumez@apple.com>

        Optimize the construction of a JSC::Identifier from an ASCIILiteral
        https://bugs.webkit.org/show_bug.cgi?id=238552

        Reviewed by Geoffrey Garen.

        There are two ways to construct a JSC::Identifier from a string literal and both
        were sub-optimal:
        - template<unsigned charactersCount> static Identifier fromString(VM&, const char (&characters)[charactersCount]):
          Even though it knows the charactersCount at compile time, it doesn't leverage this information
          at all. Also, it ends up calling AtomStringImpl::add() instead of AtomStringImpl::addLiteral()
          which means we lose the knowledge that it was a string literal and the optimization that come
          with it (e.g. not copying the characters over). In this patch, I am deprecating this function
          in favor of fromString(ASCIILiteral) which is now more efficient. I'll remove it in a follow up.
        - static Identifier fromString(VM&, ASCIILiteral):
          It ended up calling the Identifier(VM&, String) constructor which meant that we were potentially constructing
          a String/StringImpl unnecessarily before atomizing it since the string may already be in the
          AtomString table. We also failed to use the smallStrings cache for literals whose length is 1,
          which would happen when calling `fromString(VM&, const char (&characters)[charactersCount])`.

        In this patch, I optimized `fromString(VM&, ASCIILiteral)` to leverage the smallStrings cache
        when necessary and call AtomStringImpl::addLiteral() instead of AtomStringImpl::add(). I also
        made sure to mark `fromString(VM&, ASCIILiteral)` and `Identifier(VM&, ASCIILiteral)` as
        ALWAYS_INLINE to make sure the compiler can optimize out the strlen() calls.

        According to A/B bots, this is a 1-1.5% progression on Speedometer and and a 1.3% progression on
        JetStream on iMac 20,1 (Intel). Sadly, this is perf-neutral on those two benchmarks on Apple
        Silicon.

        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties):
        * API/JSBase.cpp:
        (JSGetMemoryUsageStatistics):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinUtils.h:
        * dynbench.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):
        (Inspector::constructInternalProperty):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::valueForScopeLocation):
        (Inspector::JSJavaScriptCallFrame::scopeDescriptions):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/agents/InspectorAuditAgent.cpp:
        (Inspector::InspectorAuditAgent::populateAuditObject):
        * jsc.cpp:
        (GlobalObject::moduleLoaderCreateImportMetaProperties):
        (JSC_DEFINE_HOST_FUNCTION):
        (dumpException):
        * runtime/AbstractModuleRecord.cpp:
        (JSC::AbstractModuleRecord::hostResolveImportedModule):
        * runtime/AtomicsObject.cpp:
        (JSC::AtomicsObject::finishCreation):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/FinalizationRegistryPrototype.cpp:
        (JSC::FinalizationRegistryPrototype::finishCreation):
        * runtime/Identifier.cpp:
        (JSC::Identifier::addLiteral):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::fromString):
        * runtime/IntlLocale.cpp:
        (JSC::IntlLocale::textInfo):
        (JSC::IntlLocale::weekInfo):
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        (JSC::IntlNumberFormat::resolvedOptions const):
        (JSC::IntlNumberFormat::formatToPartsInternal):
        * runtime/IntlPluralRules.cpp:
        (JSC::IntlPluralRules::resolvedOptions const):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::exposeDollarVM):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::finishCreation):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        * runtime/SymbolConstructor.cpp:
        * tools/JSDollarVM.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSDollarVM::finishCreation):
        * wasm/js/JSWebAssemblyGlobal.cpp:
        (JSC::JSWebAssemblyGlobal::type):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::type):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::type):
        * wasm/js/WebAssemblyGlobalConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyTagPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):

2022-03-30  Mark Lam  <mark.lam@apple.com>

        Remove obsolete --useProbeOSRExit option.
        https://bugs.webkit.org/show_bug.cgi?id=238534

        Reviewed by Saam Barati.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * runtime/Options.cpp:
        (JSC::Options::recomputeDependentOptions):
        * runtime/OptionsList.h:

2022-03-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use constants buffer to load JSGlobalObject in BaselineJIT thunks
        https://bugs.webkit.org/show_bug.cgi?id=238414

        Reviewed by Saam Barati.

        Since these thunks are only called from BaselineJIT, we can assume constants
        buffer register. And since we are always using 0 index for JSGlobalObject,
        we can encode this into these shared thunks directly instead of loading
        CodeBlock pointer from the stack.

        We also fix using OBJECT_OFFSETOF for JSGlobalObject directly. We should use
        it as JSGlobalObject::offsetOfXXX to make it clean and make it annotated that
        these fields are accessed by JIT.

        This patch also removes UnusedPointer.h since it is no longer used.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::emitVarReadOnlyCheck):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::loadConstant):
        (JSC::JIT::loadGlobalObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::valueIsFalseyGenerator):
        (JSC::JIT::valueIsTruthyGenerator):
        (JSC::JIT::op_throw_handlerGenerator):
        (JSC::JIT::op_check_traps_handlerGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::slow_op_get_by_val_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_get_private_name_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_put_by_val_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_put_private_name_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_del_by_id_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_del_by_val_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_get_by_id_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_get_by_id_with_this_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::slow_op_put_by_id_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::generateOpResolveScopeThunk):
        (JSC::JIT::generateOpGetFromScopeThunk):
        (JSC::JIT::emitVarInjectionCheck):
        * jit/UnusedPointer.h: Removed.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::offsetOfVarInjectionWatchpoint):
        (JSC::JSGlobalObject::offsetOfVarReadOnlyWatchpoint):
        (JSC::JSGlobalObject::offsetOfFunctionProtoHasInstanceSymbolFunction):

2022-03-29  Geza Lore  <glore@igalia.com>

        [JSC][ARMv7] Cleanup GPR numbering
        https://bugs.webkit.org/show_bug.cgi?id=235027

        Reviewed by Yusuke Suzuki.

        - Make the the lower order callee save register be regCS0/llint csr0.
        Some of the CSR store/restore code relies on this and using a
        numbering scheme consistent with other targets (that is: regCS<N> maps
        to a lower number machine register than regCS<N+1>) eliminates some
        ifdefs in LLInt, and hopefully will prevent hard to find issues due to
        the mismatch from other targets that all follow this rule.

        - In the Thumb-2 instruction set, use of r0-r7 can often be encoded
        using a shorter, 16-bit instruction. Swap regT4/regT5 with
        regT7/regT6, so lower order temporaries (which are usually used first)
        map to the lower order registers that can yield denser code. This
        then simplifies BaselineJITRegisters.h, and also saves about ~1% DFG
        code size.

        - In offlineasm, prefer low order registers for temporaries.

        - Also clean up baseline instanceof op implementation.

        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initializeFromUnlinkedStructureStubInfo):
        * jit/BaselineJITRegisters.h:
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        (JSC::PreferredArgumentImpl::preferredArgumentJSR):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::slow_op_put_by_val_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_put_private_name):
        (JSC::JIT::emitSlow_op_put_private_name):
        (JSC::JIT::slow_op_put_private_name_callSlowOperationThenCheckExceptionGenerator):
        * llint/LowLevelInterpreter.asm:
        * offlineasm/arm.rb:

2022-03-29  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use spoolers in FTL OSR exit thunk
        https://bugs.webkit.org/show_bug.cgi?id=238444

        Reviewed by Mark Lam.

        We deploy spoolers in FTL OSR exit thunk to reduce generated code size.
        This change reduces FTLOSRExit code size in JetStream2 by 35%.

        Before:
            FTLOSRExit: 803564 (784.730469 KB) count 363 avg size 2213
        After:
            FTLOSRExit: 516432 (504.328125 KB) count 362 avg size 1426

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2022-03-29  Patrick Angle  <pangle@apple.com>

        Web Inspector: Add check for null `entryScope` in JSC::Debugger::detach
        https://bugs.webkit.org/show_bug.cgi?id=238518

        Reviewed by Devin Rousso.

        A virtual machine may not always have an `entryScope`, which can occur if a `JSGlobalObject` is being destructed
        (which will call into `JSC::Debugger::Detach`) before a `VMEntryScope` is created or after a `VMEntryScope` has
        fallen out of scope, causing the VM's `entryScope` to be null again. In the original internal issue that led to
        finding this, this most commonly occurred in conjunction with page refresh while the debugger was paused.

        Because it is possible that we were previously paused in the VM that now has no `entryScope`, we should go ahead
        and unpause.

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):

2022-03-29  Patrick Angle  <pangle@apple.com>

        Web Inspector: [Cocoa] Indicate a request was sent through proxy/private relay in Network tab
        https://bugs.webkit.org/show_bug.cgi?id=233202

        Reviewed by Devin Rousso.

        Add new `isProxyConnection` property to network metrics protocol object.

        * inspector/protocol/Network.json:

2022-03-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Clean up some 32bit load/store with 64bit load/store
        https://bugs.webkit.org/show_bug.cgi?id=238440

        Reviewed by Mark Lam.

        1. On OSR entry, we should copy values from scratch to stack via loadValue / storeValue instead of 32bit load/store.
        2. We should initialize tail-call's argumentCountIncludingThis slot via store64.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/CallFrameShuffler.cpp:
        (JSC::CallFrameShuffler::prepareAny):

2022-03-28  Mark Lam  <mark.lam@apple.com>

        The lazy symbolObjectStructure should be realized before we allocate a SymbolObject.
        https://bugs.webkit.org/show_bug.cgi?id=238474
        <rdar://problem/90918765>

        Reviewed by Yusuke Suzuki and Saam Barati.

        We should not be allocating the symbolObjectStructure while in the middle of
        initializing a SymbolObject.

        * runtime/Symbol.cpp:
        (JSC::Symbol::toObject const):
        (JSC::SymbolObject::create): Deleted.
        * runtime/SymbolObject.h:

2022-03-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, address post-landing review comment from Darin after r291972.

        * yarr/YarrJIT.cpp:

2022-03-28  Chris Dumez  <cdumez@apple.com>

        Use StringView for Yarr / RegularExpression parsing
        https://bugs.webkit.org/show_bug.cgi?id=238420

        Reviewed by Sam Weinig.

        Use StringView for Yarr / RegularExpression parsing, to avoid unnecessary String construction
        in some cases. It is not uncommon for the pattern to be a string literal.

        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::create):
        (JSC::Yarr::RegularExpression::Private::Private):
        (JSC::Yarr::RegularExpression::Private::compile):
        (JSC::Yarr::RegularExpression::RegularExpression):
        (JSC::Yarr::RegularExpression::match const):
        (JSC::Yarr::RegularExpression::searchRev const):
        (JSC::Yarr::replace):
        * yarr/RegularExpression.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::interpret):
        * yarr/YarrInterpreter.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::jitCompile):
        (JSC::Yarr::jitCompileInlinedTest):
        * yarr/YarrJIT.h:
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):
        (JSC::Yarr::parse):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        (JSC::Yarr::YarrPattern::dumpPatternString):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        * yarr/YarrSyntaxChecker.cpp:
        (JSC::Yarr::checkSyntax):
        * yarr/YarrSyntaxChecker.h:

2022-03-27  Lauro Moura  <lmoura@igalia.com>

        Unreviewed, non-unified buildfix
        https://bugs.webkit.org/show_bug.cgi?id=238436

        * dfg/DFGStrengthReductionPhase.cpp:

2022-03-26  Yusuke Suzuki  <ysuzuki@apple.com>

        Use static_assert instead of COMPILE_ASSERT
        https://bugs.webkit.org/show_bug.cgi?id=238417

        Reviewed by Mark Lam.

        * assembler/ARM64Assembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MacroAssemblerX86Common.h:
        * bytecode/Opcode.h:
        * bytecode/VirtualRegister.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
        (JSC::DFG::SpeculativeJIT::compileToBooleanObjectOrOther):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/expected/type-with-open-parameters.json-result:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        * parser/Parser.h:
        * runtime/JSCell.cpp:
        * runtime/JSObject.h:
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        * runtime/Structure.h:
        (JSC::Structure::outOfLineCapacity):
        * yarr/YarrInterpreter.cpp:

2022-03-26  Yusuke Suzuki  <ysuzuki@apple.com>

        Use unary static_assert
        https://bugs.webkit.org/show_bug.cgi?id=238412

        Reviewed by Mark Lam.

        Replace `static_assert(..., "");` with `static_assert(...);`

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::relinkJumpOrCall):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        * assembler/MacroAssemblerCodeRef.h:
        * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
        * bytecode/ArrayProfile.h:
        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):
        * bytecode/ParseHash.cpp:
        (JSC::ParseHash::ParseHash):
        * bytecode/Watchpoint.h:
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::llintBaselineCalleeSaveRegisters):
        (JSC::RegisterSet::dfgCalleeSaveRegisters):
        (JSC::RegisterSet::ftlCalleeSaveRegisters):
        * runtime/CachedBytecode.cpp:
        (JSC::CachedBytecode::commitUpdates const):
        * runtime/ClonedArguments.h:
        * runtime/DirectArguments.h:
        * runtime/DirectEvalExecutable.h:
        * runtime/ErrorConstructor.h:
        * runtime/IndirectEvalExecutable.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSBoundFunction.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
        * runtime/JSString.h:
        * runtime/NativeFunction.h:
        * runtime/Operations.h:
        (JSC::jsString):
        * runtime/RegExpObject.h:
        * runtime/ScopedArguments.h:
        * runtime/ScopedArgumentsTable.cpp:
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        * runtime/TypedArrayType.h:
        * runtime/WeakMapImpl.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
        (JSC::Wasm::AirIRGenerator::emitModOrDiv):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):

2022-03-26  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Include argumentRegisters in identity of SlowPathCallKey when clobberAllRegsInFTLICSlowPath is enabled
        https://bugs.webkit.org/show_bug.cgi?id=238411

        Reviewed by Mark Lam.

        While SlowPathCallKey includes argumentRegisters, it is not used for its identity check. But this argumentRegisters
        is effectual on the resulting code in FTLThunks if Options::clobberAllRegsInFTLICSlowPath is set. This causes
        x64 Debug JSC test failures after enabling DataIC because the same FTLThunks should not be picked for different
        argument registers when Options::clobberAllRegsInFTLICSlowPath is true.

        However, always including argumentRegisters in the identity check will cause a code size regression since we will
        lose a chance to duplicate thunks when argumentRegisters is ineffectual. Note that Options::clobberAllRegsInFTLICSlowPath
        is only set for debugging use cases. Hence, argumentRegisters is normally not effectual.

        In this patch, we include argumentRegisters in SlowPathCallKey's identity check only when Options::clobberAllRegsInFTLICSlowPath
        is set.  And we also refactor SlowPathCallKey to reduce size of it from 40 to 24.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::CFunctionPtr::CFunctionPtr):
        (JSC::FunctionPtr::FunctionPtr):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::SlowPathCallContext::keyWithTarget const):
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump const):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::callTarget const):
        (JSC::FTL::SlowPathCallKey::usedRegisters const):
        (JSC::FTL::SlowPathCallKey::argumentRegistersIfClobberingCheckIsEnabled const):
        (JSC::FTL::SlowPathCallKey::indirectOffset const):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        (JSC::FTL::SlowPathCallKey::isEmptyValue const):
        (JSC::FTL::SlowPathCallKey::isDeletedValue const):
        (JSC::FTL::SlowPathCallKey::operator== const):
        (JSC::FTL::SlowPathCallKey::hash const):
        (JSC::FTL::SlowPathCallKey::argumentRegisters const): Deleted.
        * ftl/FTLThunks.cpp:
        (JSC::FTL::registerClobberCheck):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/HashableRegisterSet.h: Removed.
        * jit/RegisterSet.h:
        (JSC::RegisterSetHash::hash):
        (JSC::RegisterSetHash::equal):

2022-03-25  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Clean up DataIC polymorphic call code for OptimizingCallLinkInfo
        https://bugs.webkit.org/show_bug.cgi?id=238395

        Reviewed by Saam Barati.

        When using DataIC, return address is already appropriate in non-tail call case
        in polymorphic call stub code. This patch cleans up the code to align it to
        DataIC BaselineCallLinkInfo.

        * bytecode/Repatch.cpp:
        (JSC::linkPolymorphicCall):

2022-03-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, reverting r291745.
        https://bugs.webkit.org/show_bug.cgi?id=238399

        JSC debug test failures

        Reverted changeset:

        "[JSC] Add DoNotHaveTagRegisters mode to unboxDouble"
        https://bugs.webkit.org/show_bug.cgi?id=238018
        https://commits.webkit.org/r291745

2022-03-24  Justin Michaud  <justin_michaud@apple.com>

        AI should not set the structure for ObjectCreate
        https://bugs.webkit.org/show_bug.cgi?id=238349

        Reviewed by Saam Barati and Yusuke Suzuki.

        The AbstractInterpreter should not set the structure for ObjectCreate because it might change by
        the time the constant folding phase runs if the structure cache is cleared.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2022-03-25  Wenson Hsieh  <wenson_hsieh@apple.com>

        Enable PGO when building for release and production
        https://bugs.webkit.org/show_bug.cgi?id=238119
        rdar://90182309

        Reviewed by Alexey Proskuryakov and Geoff Garen.

        See WebCore/ChangeLog for more information.

        * Configurations/Base.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2022-03-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use Data CallIC in unlinked DFG
        https://bugs.webkit.org/show_bug.cgi?id=238176

        Reviewed by Saam Barati.

        This patch enables Data CallIC when Options::useDataICInOptimizingJIT() is true
        to pave the way to introducing unlinked DFG.

        The most complicated part is DFG tail call handling. We load CallLinkInfo in one
        non-callee-save register, and we set up CallFrameShuffleData to keep this value
        in the same register even after call frame shuffling for the tail call. This must
        be non-callee-save register since callee-save registers are restored to values
        of the one-level upper caller for the tail-call.

        We also clean up CallLinkInfo code so that many functions work well with DataIC.
        Currently, direct calls are not supported, and we will not emit direct calls when
        unlinked DFG is used.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/CallLinkInfo.cpp:
        (JSC::BaselineCallLinkInfo::initialize):
        (JSC::OptimizingCallLinkInfo::emitFastPath):
        (JSC::OptimizingCallLinkInfo::emitTailCallFastPath):
        (JSC::OptimizingCallLinkInfo::slowPathStart):
        (JSC::OptimizingCallLinkInfo::emitDirectFastPath):
        (JSC::OptimizingCallLinkInfo::emitDirectTailCallFastPath):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::isDataIC const):
        (JSC::CallLinkInfo::useDataIC const):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::setUsesDataICs): Deleted.
        * bytecode/Repatch.cpp:
        (JSC::linkPolymorphicCall):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::addCallLinkInfo):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::prepareForTailCallSlow):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2022-03-25  Keith Miller  <keith_miller@apple.com>

        Remove unused JITOperation, operationTryOSREnterAtCatch.
        https://bugs.webkit.org/show_bug.cgi?id=238379

        Reviewed by Mark Lam.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2022-03-25  Chris Dumez  <cdumez@apple.com>

        Start preparing WebCore for making the String(const char*) constructor explicit
        https://bugs.webkit.org/show_bug.cgi?id=238336

        Reviewed by Geoffrey Garen.

        Start preparing WebCore for making the String(const char*) constructor explicit.
        Making this constructor explicit helps catch at compile time cases where the ""_s
        prefix is missing on String literals.

        * API/JSValue.mm:
        (createStructHandlerMap):
        (handerForStructTag):
        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass):
        * inspector/agents/InspectorAuditAgent.cpp:
        (Inspector::InspectorAuditAgent::run):

2022-03-25  Diego Pino Garcia  <dpino@igalia.com>

        Unreviewed, fix non-unified build after r291779

        * wasm/WasmExceptionType.h:

2022-03-24  Don Olmstead  <don.olmstead@sony.com>

        Non-unified build fixes, late March 2022 edition
        https://bugs.webkit.org/show_bug.cgi?id=238358

        Unreviewed non-unified build fixes.

        * bytecode/ExitKind.cpp:
        * bytecode/ExitKind.h:
        * heap/RootMarkReason.cpp:
        * heap/RootMarkReason.h:
        * runtime/CallData.h:

2022-03-24  Chris Dumez  <cdumez@apple.com>

        FileSystem::pathByAppendingComponent() should take in StringViews instead of Strings
        https://bugs.webkit.org/show_bug.cgi?id=238344

        Reviewed by Geoff Garen.

        * jsc.cpp:

2022-03-24  Chris Dumez  <cdumez@apple.com>

        String's startsWith() / endsWith() / replace() should take in a StringView instead of a String
        https://bugs.webkit.org/show_bug.cgi?id=238333

        Reviewed by Geoff Garen.

        * runtime/FileBasedFuzzerAgent.cpp:
        (JSC::FileBasedFuzzerAgent::getPredictionInternal):
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::singularUnit):
        * runtime/TemporalObject.cpp:
        (JSC::singularUnit):

2022-03-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSRemoteFunction thunk should materialize code-pointer
        https://bugs.webkit.org/show_bug.cgi?id=238313

        Reviewed by Mark Lam.

        When invoking a JSRemoteFunction, we must first wrap the arguments passed to it.
        The wrapping operation may trigger a GC, and GC can jettison JIT code. As a result,
        even though we know that the target JSFunction has JIT code that we want to execute,
        the JIT code may be jettisoned (while wrapping the arguments for it) before we get
        to the call. This resulted in occasional crashes on the JSTests/stress/shadow-realm-evaluate.js test.

        This patch fixes this by doing a null check on the JIT code just before calling it,
        and if null (i.e. the JIT code has been jettisoned), re-materializing the JIT code
        first before making the call.

        * jit/JITOperations.cpp:
        (JSC::JSC_DEFINE_JIT_OPERATION):
        * jit/JITOperations.h:
        * jit/ThunkGenerators.cpp:
        (JSC::remoteFunctionCallGenerator):

2022-03-23  Geza Lore  <glore@igalia.com>

        [JSC] Fix remoteFunctionCallGenerator on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=238274

        Reviewed by Yusuke Suzuki.

        Eliminate register conflict (nonArgGPR0 == regT4, which is used in
        valueRegs)

        * jit/ThunkGenerators.cpp:
        (JSC::remoteFunctionCallGenerator):

2022-03-23  Chris Dumez  <cdumez@apple.com>

        Prepare JSC for making the String(const char*) constructor explicit
        https://bugs.webkit.org/show_bug.cgi?id=238264

        Reviewed by Geoff Garen.

        Prepare JSC for making the String(const char*) constructor explicit. Making this constructor
        explicit helps catch many instances where we're constructing a String from a literal but we
        are missing the ""_s suffix.

        * API/JSAPIGlobalObject.cpp:
        * API/JSAPIGlobalObject.mm:
        (JSC::computeValidImportSpecifier):
        (JSC::JSAPIGlobalObject::moduleLoaderFetch):
        * API/JSAPIValueWrapper.cpp:
        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        * API/JSScript.mm:
        (-[JSScript readCache]):
        * API/JSTypedArray.cpp:
        (JSObjectMakeTypedArrayWithArrayBuffer):
        (JSObjectMakeTypedArrayWithArrayBufferAndOffset):
        * API/JSValue.mm:
        (createStructHandlerMap):
        (handerForStructTag):
        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::name):
        * API/glib/JSAPIWrapperGlobalObject.cpp:
        * API/glib/JSAPIWrapperObjectGLib.cpp:
        * API/glib/JSCCallbackFunction.cpp:
        * API/tests/JSONParseTest.cpp:
        (testJSONParse):
        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptCallArgumentHandler::appendArgument):
        * bytecode/CodeBlock.cpp:
        * bytecode/EvalCodeBlock.cpp:
        * bytecode/ExecutableToCodeBlockEdge.cpp:
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/FunctionCodeBlock.cpp:
        * bytecode/ModuleProgramCodeBlock.cpp:
        * bytecode/ProgramCodeBlock.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecode/UnlinkedEvalCodeBlock.cpp:
        * bytecode/UnlinkedFunctionCodeBlock.cpp:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
        * bytecode/UnlinkedProgramCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitHasPrivateBrand):
        (JSC::BytecodeGenerator::emitCheckPrivateBrand):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitSaveComputedFieldName):
        (JSC::BaseDotNode::emitGetPropertyValue):
        (JSC::BaseDotNode::emitPutProperty):
        (JSC::PostfixNode::emitDot):
        (JSC::DeleteBracketNode::emitBytecode):
        (JSC::DeleteDotNode::emitBytecode):
        (JSC::PrefixNode::emitDot):
        (JSC::InstanceOfNode::emitBytecode):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName const):
        * debugger/DebuggerScope.cpp:
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * heap/RootMarkReason.cpp:
        (JSC::rootMarkReasonDescription):
        * heap/RootMarkReason.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/agents/InspectorAuditAgent.cpp:
        (Inspector::InspectorAuditAgent::run):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::getScriptSource):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::getRemoteObject):
        * jit/ExecutableAllocator.cpp:
        (JSC::dumpJITMemory):
        * jit/JITCode.cpp:
        (JSC::JITCode::typeName):
        * jit/JITCode.h:
        * jit/JITOperations.cpp:
        (JSC::getWrappedValue):
        * jsc.cpp:
        (toCString):
        (JSC_DEFINE_HOST_FUNCTION):
        (runWithOptions):
        (CommandLine::parseArguments):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleVarargsCheckpoint):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::scanRegExp):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * runtime/AbstractModuleRecord.cpp:
        * runtime/AggregateErrorConstructor.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        * runtime/AsyncFunctionConstructor.cpp:
        * runtime/AsyncFunctionPrototype.cpp:
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        * runtime/AsyncGeneratorPrototype.cpp:
        * runtime/AsyncIteratorPrototype.cpp:
        * runtime/AtomicsObject.cpp:
        * runtime/BigIntConstructor.cpp:
        * runtime/BigIntObject.cpp:
        * runtime/BigIntPrototype.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/BytecodeCacheError.cpp:
        (JSC::BytecodeCacheError::StandardError::message const):
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CallData.h:
        * runtime/ClassInfo.h:
        * runtime/ClonedArguments.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/Completion.cpp:
        (JSC::checkModuleSyntax):
        (JSC::createSymbolForEntryPointModule):
        * runtime/ConsoleObject.cpp:
        * runtime/ConstructData.cpp:
        (JSC::construct):
        * runtime/ConstructData.h:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DOMAttributeGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/DirectArguments.cpp:
        * runtime/Error.h:
        (JSC::throwVMError):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/EvalExecutable.cpp:
        * runtime/Exception.cpp:
        * runtime/ExceptionHelpers.cpp:
        (JSC::notAFunctionSourceAppender):
        (JSC::invalidParameterInSourceAppender):
        (JSC::invalidParameterInstanceofSourceAppender):
        (JSC::invalidPrototypeSourceAppender):
        (JSC::createTDZError):
        (JSC::createInvalidPrivateNameError):
        (JSC::createRedefinedPrivateNameError):
        (JSC::createPrivateMethodAccessError):
        (JSC::createReinstallPrivateMethodError):
        * runtime/ExecutableBase.cpp:
        * runtime/FinalizationRegistryConstructor.cpp:
        * runtime/FinalizationRegistryPrototype.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::toStringSlow):
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionRareData.cpp:
        * runtime/GeneratorFunctionConstructor.cpp:
        * runtime/GeneratorFunctionPrototype.cpp:
        * runtime/GeneratorPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/GlobalExecutable.cpp:
        * runtime/HashMapImpl.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/IntlCollator.cpp:
        (JSC::IntlCollator::initializeCollator):
        * runtime/IntlCollatorConstructor.cpp:
        * runtime/IntlCollatorPrototype.cpp:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
        * runtime/IntlDateTimeFormatConstructor.cpp:
        * runtime/IntlDateTimeFormatPrototype.cpp:
        * runtime/IntlDisplayNames.cpp:
        * runtime/IntlDisplayNamesConstructor.cpp:
        * runtime/IntlDisplayNamesPrototype.cpp:
        * runtime/IntlListFormat.cpp:
        * runtime/IntlListFormatConstructor.cpp:
        * runtime/IntlListFormatPrototype.cpp:
        * runtime/IntlLocale.cpp:
        (JSC::IntlLocale::initializeLocale):
        * runtime/IntlLocaleConstructor.cpp:
        * runtime/IntlLocalePrototype.cpp:
        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::initializeNumberFormat):
        * runtime/IntlNumberFormatConstructor.cpp:
        * runtime/IntlNumberFormatPrototype.cpp:
        * runtime/IntlObject.cpp:
        (JSC::intlStringOption):
        * runtime/IntlObject.h:
        * runtime/IntlPluralRules.cpp:
        * runtime/IntlPluralRulesConstructor.cpp:
        * runtime/IntlPluralRulesPrototype.cpp:
        * runtime/IntlRelativeTimeFormat.cpp:
        (JSC::IntlRelativeTimeFormat::initializeRelativeTimeFormat):
        * runtime/IntlRelativeTimeFormatConstructor.cpp:
        * runtime/IntlRelativeTimeFormatPrototype.cpp:
        * runtime/IntlSegmentIterator.cpp:
        * runtime/IntlSegmentIteratorPrototype.cpp:
        * runtime/IntlSegmenter.cpp:
        * runtime/IntlSegmenterConstructor.cpp:
        * runtime/IntlSegmenterPrototype.cpp:
        * runtime/IntlSegments.cpp:
        * runtime/IntlSegmentsPrototype.cpp:
        * runtime/IteratorPrototype.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSAsyncFunction.cpp:
        * runtime/JSAsyncGenerator.cpp:
        * runtime/JSAsyncGeneratorFunction.cpp:
        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::parseInt):
        * runtime/JSBoundFunction.cpp:
        * runtime/JSCallee.cpp:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dumpToStream):
        (JSC::JSCell::className const):
        * runtime/JSCell.h:
        * runtime/JSCustomGetterFunction.cpp:
        * runtime/JSCustomSetterFunction.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSC_DEFINE_CUSTOM_GETTER):
        * runtime/JSFinalizationRegistry.cpp:
        (JSC::JSFinalizationRegistry::runFinalizationCleanup):
        * runtime/JSFunction.cpp:
        * runtime/JSGenerator.cpp:
        * runtime/JSGeneratorFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):
        (JSC::JSGenericTypedArrayView<Adaptor>::validateRange):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::speciesConstruct):
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalLexicalEnvironment.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSImmutableButterfly.cpp:
        * runtime/JSInternalPromise.cpp:
        * runtime/JSInternalPromiseConstructor.cpp:
        * runtime/JSInternalPromisePrototype.cpp:
        * runtime/JSLexicalEnvironment.cpp:
        * runtime/JSMap.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSModuleEnvironment.cpp:
        * runtime/JSModuleLoader.cpp:
        * runtime/JSModuleNamespaceObject.cpp:
        * runtime/JSModuleRecord.cpp:
        * runtime/JSNativeStdFunction.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties):
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPropertyNameEnumerator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSRemoteFunction.cpp:
        (JSC::wrapArgument):
        (JSC::wrapReturnValue):
        (JSC::JSRemoteFunction::finishCreation):
        * runtime/JSScope.cpp:
        * runtime/JSScriptFetchParameters.cpp:
        * runtime/JSScriptFetcher.cpp:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSSourceCode.cpp:
        * runtime/JSString.cpp:
        (JSC::JSString::dumpToStream):
        * runtime/JSStringIterator.cpp:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSTemplateObjectDescriptor.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrayViewConstructor.cpp:
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSTypedArrays.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWeakObjectRef.cpp:
        * runtime/JSWeakSet.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parsePrimitiveValue):
        * runtime/MapConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/ModuleProgramExecutable.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeExecutable.cpp:
        * runtime/NullGetterFunction.cpp:
        * runtime/NullSetterFunction.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::toStringWithRadix):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::numberToStringInternal):
        (JSC::int52ToString):
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/Operations.h:
        (JSC::arithmeticBinaryOp):
        (JSC::shift):
        (JSC::bitwiseBinaryOp):
        * runtime/ProgramExecutable.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/ProxyConstructor.cpp:
        (JSC::ProxyConstructor::finishCreation):
        * runtime/ProxyObject.cpp:
        * runtime/ProxyRevoke.cpp:
        * runtime/ReflectObject.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/RegExpStringIteratorPrototype.cpp:
        * runtime/ScopedArguments.cpp:
        * runtime/ScopedArgumentsTable.cpp:
        * runtime/ScriptExecutable.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/ShadowRealmConstructor.cpp:
        * runtime/ShadowRealmObject.cpp:
        * runtime/ShadowRealmPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringIteratorPrototype.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        (JSC::toLocaleCase):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/Symbol.cpp:
        * runtime/SymbolConstructor.cpp:
        * runtime/SymbolObject.cpp:
        * runtime/SymbolPrototype.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/TemporalCalendar.cpp:
        * runtime/TemporalCalendarConstructor.cpp:
        * runtime/TemporalCalendarPrototype.cpp:
        * runtime/TemporalDuration.cpp:
        (JSC::TemporalDuration::total const):
        * runtime/TemporalDurationConstructor.cpp:
        * runtime/TemporalDurationPrototype.cpp:
        * runtime/TemporalInstant.cpp:
        * runtime/TemporalInstantConstructor.cpp:
        * runtime/TemporalInstantPrototype.cpp:
        * runtime/TemporalNow.cpp:
        * runtime/TemporalObject.cpp:
        (JSC::temporalLargestUnit):
        (JSC::temporalSmallestUnit):
        * runtime/TemporalPlainDate.cpp:
        * runtime/TemporalPlainDateConstructor.cpp:
        * runtime/TemporalPlainDatePrototype.cpp:
        * runtime/TemporalPlainTime.cpp:
        * runtime/TemporalPlainTimeConstructor.cpp:
        * runtime/TemporalPlainTimePrototype.cpp:
        * runtime/TemporalTimeZone.cpp:
        * runtime/TemporalTimeZoneConstructor.cpp:
        * runtime/TemporalTimeZonePrototype.cpp:
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::logTypesForTypeLocation):
        * runtime/TypeSet.cpp:
        (JSC::StructureShape::propertyHash):
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapPrototype.cpp:
        (JSC::WeakMapPrototype::finishCreation):
        * runtime/WeakObjectRefConstructor.cpp:
        * runtime/WeakObjectRefPrototype.cpp:
        * runtime/WeakSetConstructor.cpp:
        * runtime/WeakSetPrototype.cpp:
        (JSC::WeakSetPrototype::finishCreation):
        * testRegExp.cpp:
        * tools/FunctionAllowlist.cpp:
        (JSC::FunctionAllowlist::FunctionAllowlist):
        * tools/FunctionOverrides.cpp:
        (JSC::initializeOverrideInfo):
        * tools/JSDollarVM.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSC_DEFINE_HOST_FUNCTION_WITH_ATTRIBUTES):
        * tools/SigillCrashAnalyzer.cpp:
        (JSC::SigillCrashAnalyzer::analyze):
        * tools/VMInspector.cpp:
        (JSC::VMInspector::dumpRegisters):
        (JSC::VMInspector::dumpCellMemoryToStream):
        * wasm/WasmExceptionType.h:
        (JSC::Wasm::errorMessageForExceptionType):
        * wasm/WasmFormat.h:
        (JSC::Wasm::typeToString):
        * wasm/WasmGlobal.cpp:
        (JSC::Wasm::Global::set):
        * wasm/WasmLLIntPlan.cpp:
        (JSC::Wasm::LLIntPlan::didCompleteCompilation):
        * wasm/WasmOperations.cpp:
        (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
        * wasm/js/JSToWasmICCallee.cpp:
        * wasm/js/JSWebAssembly.cpp:
        * wasm/js/JSWebAssemblyException.cpp:
        * wasm/js/JSWebAssemblyGlobal.cpp:
        (JSC::JSWebAssemblyGlobal::type):
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::fromJSValue):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::createPrivateModuleKey):
        (JSC::JSWebAssemblyInstance::tryCreate):
        * wasm/js/JSWebAssemblyMemory.cpp:
        * wasm/js/JSWebAssemblyModule.cpp:
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::type):
        * wasm/js/JSWebAssemblyTag.cpp:
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
        * wasm/js/WebAssemblyExceptionConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyExceptionPrototype.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyFunction.cpp:
        * wasm/js/WebAssemblyFunctionBase.cpp:
        * wasm/js/WebAssemblyGlobalConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyGlobalPrototype.cpp:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        * wasm/js/WebAssemblyModulePrototype.cpp:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::initializeExports):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        * wasm/js/WebAssemblyTablePrototype.cpp:
        * wasm/js/WebAssemblyTagConstructor.cpp:
        * wasm/js/WebAssemblyTagPrototype.cpp:
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::Private::compile):
        * yarr/YarrErrorCode.cpp:
        (JSC::Yarr::errorMessage):
        * yarr/YarrErrorCode.h:

2022-03-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC][MSVC] custom getter creation needs to include classInfo since MSVC ICF is not "safe" variant
        https://bugs.webkit.org/show_bug.cgi?id=238030

        Reviewed by Alexey Shvayka.

        MSVC performs very aggressive ICF (identical code folding) and it even merges the identical two functions
        into one even though a pointer to this function is used. This means MSVC's ICF is not "safe"[1], and custom
        function weakmap is broken on MSVC since it is assuming function pointers are different for different functions.
        Unfortunately, it seems that there is no attribute / annotation to prevent this behavior, so we need to workaround it.
        Since JSCustomGetterFunction does separate thing based on attached DOMAttribute, we need to include const ClassInfo*
        into a key of JSCustomGetterFunction weakmap to ensure that two identical functions with different const ClassInfo*
        do not get the same JSCustomGetterFunction.

        [1]: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/36912.pdf

        * runtime/JSCustomGetterFunction.h:
        * runtime/JSCustomSetterFunction.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::WeakCustomGetterOrSetterHash<T>::hash):
        * runtime/JSObject.cpp:
        (JSC::WeakCustomGetterOrSetterHashTranslator::hash):
        (JSC::WeakCustomGetterOrSetterHashTranslator::equal):
        (JSC::createCustomGetterFunction):
        (JSC::createCustomSetterFunction):

2022-03-23  Chris Dumez  <cdumez@apple.com>

        Avoid unnecessary String constructor under FunctionExecutable::toStringSlow()
        https://bugs.webkit.org/show_bug.cgi?id=238263

        Reviewed by Darin Adler.

        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::toStringSlow):

2022-03-23  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, fix DataIC's slowPathJump handling
        https://bugs.webkit.org/show_bug.cgi?id=231224

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInById):

2022-03-23  Patrick Angle  <pangle@apple.com>

        No breakpoints hit on github.com, and some are invalid
        https://bugs.webkit.org/show_bug.cgi?id=235607

        Reviewed by Yusuke Suzuki.

        New test: JSTests/stress/regress-88440831.js
        Added test case in: inspector/debugger/breakpoints/resolved-dump-all-pause-locations.html

        Previously not all line terminations resulted in setting the `m_lineStart` to the current m_code, which meant
        that the location for pause-able locations and stack traces were inaccurate when they were on a line that
        terminated multi-line comments, strings, or template strings. We now always update m_lineStart when shifting for
        a line terminator, instead of only when the terminator appears outside a string or comment.

        * debugger/Breakpoint.cpp:
        (JSC::Breakpoint::resolve):
        - The existing assertions were somewhat in conflict with each other. If we permit the line number to increase,
        there is no guarantee that the column number will remain the same or increase, which can now more easily occur
        with multi-line strings. Instead, we should make sure that the overall offset has increased.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::shiftLineTerminator):
        (JSC::Lexer<T>::lexWithoutClearingLineTerminator):
        (JSC::Lexer<T>::scanTemplateString):

2022-03-23  Xan Lopez  <xan@igalia.com>

        [JSC] Add DoNotHaveTagRegisters mode to unboxDouble
        https://bugs.webkit.org/show_bug.cgi?id=238018

        Reviewed by Yusuke Suzuki.

        Wasm cannot use unboxDouble as-is because
        GPRInfo::numberTagRegister is not available. Add a
        DoNotHaveTagRegister mode so we can get rid of some duplicated
        code.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::add64):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::unboxDoubleWithoutAssertions):
        (JSC::AssemblyHelpers::unboxDouble):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2022-03-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Test DFG / FTL DataIC
        https://bugs.webkit.org/show_bug.cgi?id=231224

        Reviewed by Saam Barati.

        This patch revives DataIC in DFG and FTL, and re-enable testing to make it usable
        for unlinked DFG. Currently, only x64 / ARM64 are supported.

        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::isCacheableArrayLength):
        (JSC::InlineAccess::isCacheableStringLength):
        (JSC::InlineAccess::rewireStubAsJumpInAccess):
        (JSC::InlineAccess::resetStubAsJumpInAccess):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetById):
        (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
        (JSC::DFG::SpeculativeJIT::compileInById):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * jit/JITCode.h:
        (JSC::JITCode::useDataIC):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastCommon):
        (JSC::generateGetByIdInlineAccess):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITGetByIdWithThisGenerator::generateFastPath):
        (JSC::generatePutByIdInlineAccess):
        (JSC::JITPutByIdGenerator::generateBaselineDataICFastPath):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITDelByValGenerator::generateFastPath):
        (JSC::JITDelByIdGenerator::generateFastPath):
        (JSC::JITInByValGenerator::generateFastPath):
        (JSC::generateInByIdInlineAccess):
        (JSC::JITInByIdGenerator::generateFastPath):
        (JSC::JITInByIdGenerator::generateBaselineDataICFastPath):
        (JSC::JITInstanceOfGenerator::generateFastPath):
        (JSC::JITGetByValGenerator::generateFastPath):
        (JSC::JITPutByValGenerator::generateFastPath):
        (JSC::JITPrivateBrandAccessGenerator::generateFastPath):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITInlineCacheGenerator::reportSlowPathCall):
        (JSC::JITInlineCacheGenerator::slowPathBegin const):
        (JSC::JITByIdGenerator::slowPathJump const):
        (JSC::JITInByValGenerator::slowPathJump const):
        * runtime/Options.cpp:
        (JSC::Options::recomputeDependentOptions):
        * runtime/OptionsList.h:

2022-03-22  Chris Dumez  <cdumez@apple.com>

        Use ASCIILiteral in a few more places where it is useful
        https://bugs.webkit.org/show_bug.cgi?id=238235

        Reviewed by Geoffrey Garen.

        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::toStringSlow):

2022-03-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Change Date.parse to stop returning numbers with fractional part
        https://bugs.webkit.org/show_bug.cgi?id=238050

        Reviewed by Saam Barati.

        Date.parse should return NaN or integer numbers[1,2]. This patch applies timeClip
        to the result of Date.parse to ensure that the returned value is time value.

        [1]: https://tc39.es/ecma262/multipage/numbers-and-dates.html#sec-date.parse
        [2]: https://tc39.es/ecma262/multipage/numbers-and-dates.html#sec-time-values-and-time-range

        * runtime/DateConstructor.cpp:
        (JSC::JSC_DEFINE_HOST_FUNCTION):

2022-03-21  Saam Barati  <sbarati@apple.com>

        Fix bug in Relationship::mergeImpl
        https://bugs.webkit.org/show_bug.cgi?id=238183
        <rdar://89822922>

        Reviewed by Yusuke Suzuki.

        * dfg/DFGIntegerRangeOptimizationPhase.cpp:

2022-03-21  Saam Barati  <sbarati@apple.com>

        AirFixObviousSpills needs to consider a PreIndex and PostIndex as clobbering the Reg used for indexing
        https://bugs.webkit.org/show_bug.cgi?id=238178
        <rdar://87345895>

        Reviewed by Mark Lam.

        Inside AirFixObviousSpills, we run a basic alias analysis for StackSlots and
        registers. For example, when we overwrite a register, we clear anything
        it's aliased with. However, the way we were doing this was by looking at
        each Arg that was Defd. However, this iteration was missing that
        PostIndex/PreIndex mutate the register that feeds into the address Arg.
        This patch fixes the issue by walking the instruction in such a way that
        we visit all the Defs we care about, both Regs and StackSlots.

        * b3/air/AirFixObviousSpills.cpp:

2022-03-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ReferenceError when using extra parens in class fields
        https://bugs.webkit.org/show_bug.cgi?id=236843

        Reviewed by Saam Barati.

        class field initializer should create its own used-variables set
        to capture used variables separately from the other variables since
        it becomes independent CodeBlock internally later. The current code
        was wrong since,

            1. Incorrectly using the current set of class-scope.
            2. Incorrectly marking only the last set while parseAssignmentExpression can create a new set inside it.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseClass):
        * parser/Parser.h:
        (JSC::Scope::markLastUsedVariablesSetAsCaptured):

2022-03-21  Jonathan Bedard  <jbedard@apple.com>

        Unreviewed, reverting r291558.

        Exceeded GitHub file size limit

        Reverted changeset:

        "Enable PGO when building for release and production"
        https://bugs.webkit.org/show_bug.cgi?id=238119
        https://commits.webkit.org/r291558

2022-03-21  Wenson Hsieh  <wenson_hsieh@apple.com>

        Enable PGO when building for release and production
        https://bugs.webkit.org/show_bug.cgi?id=238119
        rdar://90182309

        Reviewed by Saam Barati.

        See WebCore/ChangeLog for more details.

        * Configurations/Base.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Profiling/JavaScriptCore.profdata: Added.

2022-03-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Further reduce # of registers used in RegExpTestInline
        https://bugs.webkit.org/show_bug.cgi?id=238105

        Reviewed by Saam Barati.

        This patch further reduces # of registers used in RegExpTestInline.
        After flushRegisters(), we can use baseGPR for any purpose.
        We also remove x64 hack since we have enough registers for x64 even
        if we use one callee-save register in unlinked DFG.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpTestInline):

2022-03-18  Devin Rousso  <drousso@apple.com>

        Web Inspector: REGRESSION(?): Emulate User Gesture doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=232584
        <rdar://problem/84899576>

        Reviewed by Patrick Angle.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        Create overloads for these (protocol) methods so that we can avoid having to fetch the same
        `InjectedScript` more than once (i.e. if the subclass fetches the `InjectedScript` and then
        called into the baseclass, which also fetches the same `InjectedScript`).

        * debugger/Debugger.h:
        (JSC::Debugger::Client::debuggerWillEvaluate):
        (JSC::Debugger::Client::debuggerDidEvaluate):
        * debugger/Debugger.cpp:
        (JSC::Debugger::evaluateBreakpointActions):
        Pass along the current `JSGlobalObject` to eventually derive a relevant `WebCore::Document`.

2022-03-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Reduce # of registers used in RegExpTestInline to allow using unlinked DFG in x64
        https://bugs.webkit.org/show_bug.cgi?id=238092

        Reviewed by Michael Saboff.

        This patch reduces # of registers used in RegExpTestInline implementation to make it work
        well for x64 unlinked DFG since it can reduce # of registers to use one callee-save register
        for constants buffer.

        We also add YarrJITRegisters::validate to ensure that used registers meet the invariants in YarrJIT.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpTestInline):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::jitCompileInlinedTest):
        * yarr/YarrJITRegisters.h:
        (JSC::Yarr::YarrJITRegisters::validate):
        (JSC::Yarr::YarrJITRegisters::YarrJITRegisters): Deleted.

2022-03-17  Keith Miller  <keith_miller@apple.com>

        Fix crash in Bleacher Report due to bad JSObjectRef passed to API
        https://bugs.webkit.org/show_bug.cgi?id=238048
        <rdar://88766464>

        Reviewed by Yusuke Suzuki.

        Prior to the StructureID overhaul the JSObjectGetArrayBufferByteLength would
        automatically check if the JSObjectRef passed to that function was null before
        short circuiting to the non-typed array return value, 0. While technically valid
        since derefencing null is UB, this meant the Clang was covering up this crash.
        To fix this I'm adding an app specific workaround for the time being so Bleacher
        Report can fix their code to no longer pass this nullptr.

        * API/JSTypedArray.cpp:
        (isBleecherReport):
        (JSObjectGetArrayBufferByteLength):

2022-03-17  Mikhail R. Gadelha  <mikhail@igalia.com>

        Unreviewed, non-unified build fix
        https://bugs.webkit.org/show_bug.cgi?id=237929

        * dfg/DFGCapabilities.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITPlan.cpp:
        * llint/LLIntEntrypoint.cpp:
        * runtime/FileBasedFuzzerAgentBase.cpp:
        * runtime/ShadowRealmObject.cpp:
        * runtime/ShadowRealmPrototype.cpp:

2022-03-16  Devin Rousso  <drousso@apple.com>

        Web Inspector: REGRESSION(r290720): Debugger: Step next should not behave the same as Step into
        https://bugs.webkit.org/show_bug.cgi?id=237936

        Reviewed by Joseph Pecoraro.

        Covered by existing tests (not sure why they don't fail on EWS, but they fail locally).

        * debugger/Debugger.cpp:
        (JSC::Debugger::pauseIfNeeded):
        Checking that the desired `CallFrame` matches the current `CallFrame` is enough to determine
        whether the `Debugger` should pause for Step next and Step out, as both of those actions set
        a desired `CallFrame`. We explicitly do not want to check for the `bool` flags that indicate
        those actions because they have different behaviors regarding the current `CallFrame` (the
        former desires the same `CallFrame` and the latter desires the parent `CallFrame`). This
        patch partially reverts r290720.

2022-03-16  Angelos Oikonomopoulos  <angelos@igalia.com>

        MacroAssemblerARMv7: Be friendlier to DisallowMacroScratchRegisterUsage
        https://bugs.webkit.org/show_bug.cgi?id=237888

        Reviewed by Žan Doberšek.

        Only check that we're allowed to use the scratch register at sites
        where we're using it implicitly. When it's explicitly passed in by the
        caller, use invalidateCachedAddressTempRegister to invalidate it
        without asserting anything about m_allowScratchRegister.

        Since helpers can explictly make use of addressTempRegister, an
        argument can be made that this is still fragile (i.e. future changes
        could run into this). The alternative would be to have the topmost caller
        do fine-grained management of DisallowMacroScratchRegisterUsage,
        allowing it around explicit calls to MacroAssemblerARMv7 with
        scratchRegister() in the arguments and disallowing it for helpers.

        As there are currently no helpers that would trip this, this patch opts
        for the former approach, to make DisallowMacroScratchRegisterUsage
        easier to work with (there'll be more usage of the API in an upcoming
        wasm32 patch).

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::scratchRegister):
        (JSC::MacroAssemblerARMv7::load32):
        (JSC::MacroAssemblerARMv7::load16):
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::loadPair32):
        (JSC::MacroAssemblerARMv7::move):
        (JSC::MacroAssemblerARMv7::farJump):
        (JSC::MacroAssemblerARMv7::setupArmAddress):
        (JSC::MacroAssemblerARMv7::invalidateCachedAddressTempRegister):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::emitFastPathImpl):
        * jit/BaselineJITRegisters.h:

2022-03-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add UnlinkedDFG compilation mode enum
        https://bugs.webkit.org/show_bug.cgi?id=237934

        Reviewed by Mark Lam.

        This patch adds UnlinkedDFG compilation mode to prepare new unlinked DFG.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::inliningCost):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::watchCondition):
        (JSC::DFG::Graph::watchConditions):
        (JSC::DFG::Graph::watchGlobalProperty):
        (JSC::DFG::Graph::tryGetConstantProperty):
        (JSC::DFG::Graph::tryGetConstantClosureVar):
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::getRegExpPrototypeProperty):
        (JSC::DFG::Graph::canOptimizeStringObjectAccess):
        (JSC::DFG::Graph::canDoFastSpread):
        * dfg/DFGGraph.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * jit/JITCompilationMode.cpp:
        (WTF::printInternal):
        * jit/JITCompilationMode.h:
        (JSC::isDFG):
        (JSC::isUnlinked):
        * jit/JITPlan.cpp:
        (JSC::JITPlan::tier const):
        (JSC::JITPlan::reportCompileTimes const):
        * jit/JITPlan.h:
        (JSC::JITPlan::isDFG const):
        (JSC::JITPlan::isUnlinked const):
        * profiler/ProfilerCompilationKind.cpp:
        (WTF::printInternal):
        * profiler/ProfilerCompilationKind.h:

2022-03-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Concurrent byteOffsetImpl should not assume non-detached array-buffer
        https://bugs.webkit.org/show_bug.cgi?id=237935

        Reviewed by Saam Barati.

        r279707 is not enough to fix the issue since underlying ArrayBuffer can be also detached concurrently to
        the compiler thread too. This patch fixes it by using dataWithoutPACValidation in the concurrent compiler
        thread.

        * runtime/ArrayBuffer.h:
        (JSC::ArrayBufferContents::dataWithoutPACValidation const):
        (JSC::ArrayBuffer::dataWithoutPACValidation):
        (JSC::ArrayBuffer::dataWithoutPACValidation const):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::byteOffsetImpl):

2022-03-14  Adrian Perez de Castro  <aperez@igalia.com>

        [GLib] Expose typed arrays in the public API
        https://bugs.webkit.org/show_bug.cgi?id=197535

        Reviewed by Carlos Garcia Campos.

        This adds a set of new functions to operate on JSCValue objects which refer to typed
        arrays in the JavaScript side of the world. Typed array values can be created with an
        existing ArrayBuffer to hold the contents, in which case custom allocations are possible;
        or letting JSC handle allocation. Operating on typed arrays is expected to be done on an
        element-by-element basis, and in general it is recommended to use the functions dealing
        with the "length" (number of elements) of typed arrays; nevertheless it is also possible
        to retrieve their "size" and "offset" over the underlying ArrayBuffer, and/or retrieving
        said ArrayBuffer.

        * API/glib/JSCValue.cpp:
        (toTypedArrayType):
        (toJSCTypedArrayType):
        (jsc_value_new_typed_array):
        (jsc_value_new_typed_array_with_buffer):
        (jsc_value_is_typed_array):
        (jsc_value_typed_array_get_buffer):
        (jsc_value_typed_array_get_data):
        (jsc_value_typed_array_get_length):
        (jsc_value_typed_array_get_offset):
        (jsc_value_typed_array_get_size):
        (jsc_value_typed_array_get_type):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2022-03-13  Angelos Oikonomopoulos  <angelos@igalia.com>

        [JSC] Use addressTempRegister in loadValue(void *) on 32 bits
        https://bugs.webkit.org/show_bug.cgi?id=237773

        Reviewed by Žan Doberšek.

        Instead of using one of the destination registers as an address
        temporary, use addressTempRegister instead. This allows reusing
        the value in addressTempRegister (with an appropriate offset) if
        possible, which results in a >25% size reduction for DFGOSRExit
        (JS2) on ARMv7 (though not a significant size reduction overall).
        Technically, this change could be killing some address reuse that
        was previously possible because loadValue was not clobbering
        addressTempRegister but, if so, this seems to be balanced out for
        JS2.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::BoundsNonDoubleWordOffset::within):
        (JSC::MacroAssemblerARMv7::BoundsDoubleWordOffset::within):
        (JSC::MacroAssemblerARMv7::loadPair32):
        (JSC::MacroAssemblerARMv7::setupArmAddress):
        (JSC::MacroAssemblerARMv7::absoluteAddressWithinShortOffset):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadPair32):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::loadValue):

2022-03-12  Tim Horton  <timothy_horton@apple.com>

        Adopt FALLBACK_PLATFORM_NAME in place of FALLBACK_PLATFORM
        https://bugs.webkit.org/show_bug.cgi?id=237809

        Reviewed by Per Arne Vollan.

        * Configurations/SDKVariant.xcconfig:

2022-03-11  Adrian Perez de Castro  <aperez@igalia.com>

        [GLib] Expose ArrayBuffer in the public API
        https://bugs.webkit.org/show_bug.cgi?id=237088

        Reviewed by Carlos Garcia Campos.

        This adds a set of new functions to operate on JSCValue objects which refer to array
        buffers in the JS side of the world. This allows sharing chunks of memory buffers
        efficiently with native code, without needing to copy nor encode data back and forth.

        * API/glib/JSCValue.cpp:
        (jscArrayBufferDeallocate):
        (jsc_value_new_array_buffer):
        (jsc_value_is_array_buffer):
        (jsc_value_array_buffer_get_data):
        (jsc_value_array_buffer_get_length):
        * API/glib/JSCValue.h:
        * API/glib/docs/jsc-glib-4.0-sections.txt:

2022-03-11  Mikhail R. Gadelha  <mikhail@igalia.com>

        Debug build failure after r246172: ASSERT_UNDER_CONSTEXPR_CONTEXT should work in constexpr contexts
        https://bugs.webkit.org/show_bug.cgi?id=236728

        Reviewed by Michael Catanzaro.

        ASSERT_UNDER_CONSTEXPR_CONTEXT is calling a non-constexpr function (WTFReportAssertionFailure)
        when it fails, so it cannot be used for an assert not reached.

        This patch adds a new RELEASE_ASSERT_NOT_REACHED_UNDER_CONSTEXPR_CONTEXT() macro
        that calls CRASH_UNDER_CONSTEXPR_CONTEXT() instead of WTFReportAssertionFailure.

        No functional change.

        * wasm/WasmCompilationMode.h:
        (JSC::Wasm::isOSREntry):
        (JSC::Wasm::isAnyBBQ):
        (JSC::Wasm::isAnyOMG):

2022-03-10  Elliott Williams  <emw@apple.com>

        [XCBuild] Emit a discovered dependency file from offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=237329

        Reviewed by Alexey Proskuryakov.

        Xcode needs to know what files offlineasm uses and produces in order to schedule it
        correctly in incremental builds. Rather than use generated xcfilelists like WebKit does
        elsewhere in the project, emit a depfile from offlineasm based on the parse tree's source
        files.

        Discovered dependency files ("depfiles") are Makefile-formatted files which list the inputs
        used to produce an output. They are emitting during the build to a temporary directory, and
        ensure that subsequent incremental builds will re-run offlineasm when any of the included
        sources change. This is the same mechanism clang uses to track header dependencies.

        Unfortunately, the legacy build system will refuse to execute a script phase or rule that
        emits a depfile. To work around this, convert the offlineasm pipeline to be based on build
        rules, to be used by XCBuild only. The idea is that LowLevelInterpreter.asm is listed as a
        source build file in JSCLLIntSettingsExtractor, JSCLLIntOffsetsExtractor, and
        JavaScriptCore. Each target uses a build rule to generate its respective header from
        LowLevelInterpreter.asm. Xcode schedules these rule executions before any clang tasks.

        The legacy build system avoids executing the rules via EXCLUDED_SOURCE_FILE_NAMES, and
        instead uses the existing build phases, which have "(Legacy)" in their names and are now
        no-ops under XCBuild.

        Aside from working around the legacy build system's limitations, using build rules is
        probably a superior way to express what we're doing, as it gives Xcode the opportunity to
        compile other objects in parallel, and could be easily extended to compile multiple discrete
        asm files should the need arise.

        * Configurations/ToolExecutable.xcconfig: Build rules are XCBuild-only.
        * JavaScriptCore.xcodeproj/project.pbxproj: Add build rules, rename legacy scripts.
        * offlineasm/asm.rb: Add --depfile flag.
        * offlineasm/generate_offset_extractor.rb: Add --depfile flag.
        * offlineasm/generate_settings_extractor.rb: Add --depfile flag.

2022-03-10  Michael Saboff  <msaboff@apple.com>

        Catalyst JavaScriptCore, WebCore, WebKitLegacy, and WebKit shouldn't be copied to the Secondary Path
        https://bugs.webkit.org/show_bug.cgi?id=237748

        Reviewed by Mark Lam.

        Updated the configuration to exclude copying Catalyst build products to the secondary path.

        * Configurations/Base.xcconfig:

2022-03-10  Elliott Williams  <emw@apple.com>

        [XCBuild] Fix GeneratedSources dependency validation errors
        https://bugs.webkit.org/show_bug.cgi?id=237490

        Reviewed by Alexey Proskuryakov.
        
        Declare JSCBuiltins.cpp in DerivedSources.make. It's created by generate-js-builtins.py but
        was never declared as an output.

        * DerivedSources-output.xcfilelist: Autogenerated changes.
        * DerivedSources.make:

2022-03-10  Chris Dumez  <cdumez@apple.com>

        Optimize further the passing of data across threads
        https://bugs.webkit.org/show_bug.cgi?id=237695

        Reviewed by Geoffrey Garen.

        Optimize further the passing of data across threads by leveraging the optimized
        version of isolatedCopy() on r-value references whenever possible.

        * inspector/remote/RemoteConnectionToTarget.cpp:
        (Inspector::RemoteConnectionToTarget::sendMessageToTarget):
        * inspector/remote/RemoteConnectionToTarget.h:
        * inspector/remote/RemoteControllableTarget.h:
        * jsc.cpp:
        (JSC_DEFINE_HOST_FUNCTION):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemote):
        * runtime/JSGlobalObjectDebuggable.h:
        * tools/FunctionOverrides.cpp:
        (JSC::FunctionOverrides::initializeOverrideFor):

2022-03-08  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] Web Inspector: make it possible to use the remote inspector from other browsers
        https://bugs.webkit.org/show_bug.cgi?id=237601

        Reviewed by Michael Catanzaro.

        Make it possible to start the inspector server with 0 port, meaning any free one will be used.

        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start): Pass the effective address to g_socket_listener_add_address and get the port.
        * inspector/remote/glib/RemoteInspectorServer.h:
        (Inspector::RemoteInspectorServer::port const): Return the port the server is listening to.

2022-03-09  Saam Barati  <sbarati@apple.com>

        Limit WK_XCODE_SUPPORTS_LTO in JavaScriptCore based on target OS
        https://bugs.webkit.org/show_bug.cgi?id=237682

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:
        * Configurations/WebKitTargetConditionals.xcconfig:

2022-03-09  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] Stop using the env var WEBKIT_INSPECTOR_SERVER to connect to the inspector
        https://bugs.webkit.org/show_bug.cgi?id=237646

        Reviewed by Adrian Perez de Castro.

        Add RemoteInspector::s_inspectorServerAddress to keep the remote inspector server address instead of the
        environment variable used to start the server.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector): Only call start if s_inspectorServerAddress is not null.
        (Inspector::RemoteInspector::start): Use s_inspectorServerAddress instead of querying the environment.

2022-03-08  Robin Morisset  <rmorisset@apple.com>

        [WTF] LikelyDenseUnsignedIntegerSet::add can cause a reindexing of the entire bit vector with every call in the worst case
        https://bugs.webkit.org/show_bug.cgi?id=236997

        Reviewed by Saam Barati.

        Just make it a little bit easier to change the number of stack slots in testZDefOfSpillSlotWithOffsetNeedingToBeMaterializedInARegister.

        * b3/air/testair.cpp:

2022-03-08   Robin Morisset  <rmorisset@apple.com>

        Enable tier-up in loops created by recursive tail call optimizations.
        https://bugs.webkit.org/show_bug.cgi?id=178389

        Reviewed by Saam Barati.

        Made the recursive tail call optimization only run in FTL mode, since it is a significant progression on TailBench.
        Also some trivial refactoring of handleRecursiveTailCall.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

2022-03-08  Saam Barati  <sbarati@apple.com>

        [JSC] Enable ThinLTO
        https://bugs.webkit.org/show_bug.cgi?id=229019
        <rdar://problem/82107543>

        Reviewed by Mark Lam.

        It's a 1% speedup on Speedometer2 across x86 and arm64, and 0.5-1% speedup on
        JetStream2 depending on the device.

        * Configurations/Base.xcconfig:

2022-03-08  Chris Dumez  <cdumez@apple.com>

        Unreviewed, reverting r290975.

        Broke the build for some configurations

        Reverted changeset:

        "[XCBuild] Emit a discovered dependency file from offlineasm"
        https://bugs.webkit.org/show_bug.cgi?id=237329
        https://commits.webkit.org/r290975

2022-03-08  Mark Lam  <mark.lam@apple.com>

        Remove invalid ASSERT in LocaleIDBuilder::overrideLanguageScriptRegion().
        https://bugs.webkit.org/show_bug.cgi?id=237573
        <rdar://problem/83326232>

        Reviewed by Yusuke Suzuki.

        The ASSERT(length) in LocaleIDBuilder::overrideLanguageScriptRegion() is simply
        incorrect.  The length can be 0 if uloc_forLanguageTag returns a 0 length in
        localeIDBufferForLanguageTagWithNullTerminator().  LocaleIDBuilder::overrideLanguageScriptRegion()
        already handles this scenario correctly.  We just need to remove this incorrect ASSERT.

        Also verified that we're producing the same result on the attached test case as
        Chrome and Firefox produces.

        * runtime/IntlObject.cpp:
        (JSC::localeIDBufferForLanguageTagWithNullTerminator):

2022-03-07  Elliott Williams  <emw@apple.com>

        [XCBuild] Emit a discovered dependency file from offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=237329

        Reviewed by Keith Miller.

        Xcode needs to know what files offlineasm uses and produces in order to schedule it
        correctly in incremental builds. Rather than use generated xcfilelists like WebKit does
        elsewhere in the project, emit a depfile from offlineasm based on the parse tree's source
        files.

        Discovered dependency files ("depfiles") are Makefile-formatted files which list the inputs
        used to produce an output. They are emitting during the build to a temporary directory, and
        ensure that subsequent incremental builds will re-run offlineasm when any of the included
        sources change. This is the same mechanism clang uses to track header dependencies.

        Unfortunately, the legacy build system will refuse to execute a script phase or rule that
        emits a depfile. To work around this, convert the offlineasm pipeline to be based on build
        rules, to be used by XCBuild only. The idea is that LowLevelInterpreter.asm is listed as a
        source build file in JSCLLIntSettingsExtractor, JSCLLIntOffsetsExtractor, and
        JavaScriptCore. Each target uses a build rule to generate its respective header from
        LowLevelInterpreter.asm. Xcode schedules these rule executions before any clang tasks.

        The legacy build system avoids executing the rules via EXCLUDED_SOURCE_FILE_NAMES, and
        instead uses the existing build phases, which have "(Legacy)" in their names and are now
        no-ops under XCBuild.

        Aside from working around the legacy build system's limitations, using build rules is
        probably a superior way to express what we're doing, as it gives Xcode the opportunity to
        compile other objects in parallel, and could be easily extended to compile multiple discrete
        asm files should the need arise.

        * Configurations/ToolExecutable.xcconfig: Build rules are XCBuild-only.
        * JavaScriptCore.xcodeproj/project.pbxproj: Add build rules, rename legacy scripts.
        * offlineasm/asm.rb: Add --depfile flag.
        * offlineasm/generate_offset_extractor.rb: Add --depfile flag.
        * offlineasm/generate_settings_extractor.rb: Add --depfile flag.

2022-03-07  Angelos Oikonomopoulos  <angelos@igalia.com>

        AssemblyHelpersSpoolers: use load/store pair on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=235112

        Reviewed by Žan Doberšek.

        Save ~1% code size for baseline JIT on JS2 by emitting load/store pair
        instructions on 32-bit ARM.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv6Assembler::vldmia):
        (JSC::ARMv7Assembler::vstmia):
        * assembler/CPU.h:
        (JSC::isARM):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadPair64):
        (JSC::MacroAssemblerARMv7::storePair64):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::copyLLIntBaselineCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
        * jit/AssemblyHelpersSpoolers.h:
        (JSC::AssemblyHelpers::LoadRegSpooler::executePair):
        (JSC::AssemblyHelpers::StoreRegSpooler::executePair):
        (JSC::AssemblyHelpers::CopySpooler::CopySpooler):
        (JSC::AssemblyHelpers::CopySpooler::loadPair):
        (JSC::AssemblyHelpers::CopySpooler::storePair):

2022-03-07  Zan Dobersek  <zdobersek@igalia.com>

        [JSC] Add missing CPU(RISCV64) guards in CTI thunk prologue, epilogue generators
        https://bugs.webkit.org/show_bug.cgi?id=237517

        Unreviewed, adding missing CPU(RISCV64) guards to the CTI thunk prologue
        and epilogue generators in CCallHelpers, reusing the ARM variants of the
        pair push/pop calls.

        * jit/CCallHelpers.cpp:
        (JSC::CCallHelpers::emitCTIThunkPrologue):
        (JSC::CCallHelpers::emitCTIThunkEpilogue):

2022-03-05  Mark Lam  <mark.lam@apple.com>

        Fix JITOperationList::addPointers() to support JIT_OPERATION_VALIDATION_ASSERT_ENABLED.
        https://bugs.webkit.org/show_bug.cgi?id=237504
        <rdar://problem/89770507>

        Reviewed by Saam Barati.

        According to tagJSCCodePtrImpl(), we will only use an operation's validation entry
        if Options::useJITCage().  Make JITOperationList::addPointers() conform to this.

        * assembler/JITOperationList.cpp:
        (JSC::JITOperationList::addPointers):

2022-03-05  Mark Lam  <mark.lam@apple.com>

        Optimize VMTraps::maybeNeedHandling().
        https://bugs.webkit.org/show_bug.cgi?id=237503

        Reviewed by Saam Barati.

        There's no need for VMTraps::maybeNeedHandling() to mask the VMTraps bits for
        events.  Under normal circumstances, there are no traps firing and the traps bits
        are 0 anyway.  We should optimize for this and do away with the masking.  Clients
        who use VMTraps::maybeNeedHandling() should and current do call VMTraps::needHandling()
        to get the real story on whether there are actually traps to handle or not.  Hence,
        the masking in VMTraps::maybeNeedHandling() is also not needed for correctness.

        We know from experience that changes in RETURN_IN_EXCEPTION can have an impact on
        performance.  Perhaps this change can also help performance.

        * runtime/ExceptionScope.h:
        * runtime/VMTraps.h:
        (JSC::VMTraps::maybeNeedHandling const):

2022-03-05  Mark Lam  <mark.lam@apple.com>

        Fix broken SuspendExceptionScope and remove redundant VM::DeferExceptionScope.
        https://bugs.webkit.org/show_bug.cgi?id=237441
        <rdar://problem/89769627>

        Reviewed by Yusuke Suzuki.

        SuspendExceptionScope was meant to do exactly the same thing that VM::DeferExceptionScope
        does, except that SuspendExceptionScope hasn't been updated to handle exception
        handling via VMTraps bits.

        This patch will fix SuspendExceptionScope to work like VM::DeferExceptionScope,
        and remove the now redundant VM::DeferExceptionScope.  SuspendExceptionScope is
        the better name here because the scope actually suspends any pending exception.
        This is different from other Defer scopes where we prevent some new event from
        arising and defer the event to a later time.

        * interpreter/FrameTracers.h:
        (JSC::SuspendExceptionScope::SuspendExceptionScope):
        (JSC::SuspendExceptionScope::~SuspendExceptionScope):
        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::notifyDebuggerOfUnwinding):
        * runtime/TypeProfilerLog.cpp:
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/VM.h:
        (JSC::VM::restorePreviousException): Deleted.
        (JSC::VM::DeferExceptionScope::DeferExceptionScope): Deleted.
        (JSC::VM::DeferExceptionScope::~DeferExceptionScope): Deleted.

2022-03-04  Angelos Oikonomopoulos  <angelos@igalia.com>

        [JSC] Improve reuse of known register values on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=237424

        Reviewed by Žan Doberšek.

        Reduce the generated code size by introducing and pervasively using
        setupArmAddress(AbsoluteAddress address, ...). This effectively
        replaces sequences of e.g.

            movw r6, cst1
            movt r6, cst2
            strd r0, r1, [r6]

        with

            strd r0, r1, [r6, offset]

        when a close enough address is already available in r6.

        While here, change short_move to only emit an add/sub if this results in an
        actual reduction in code size. When the add/sub would be neutral,
        prefer loading an immediate as that doesn't introduce a data dependency
        between the instructions.

        This results in a measurable but small (< 1%) reduction in the
        generated code size on JS2.

        Hat tip to Geza Lore for the suggestions.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):
        (JSC::MacroAssemblerARMv7::add64):
        (JSC::MacroAssemblerARMv7::or8):
        (JSC::MacroAssemblerARMv7::or16):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::sub32):
        (JSC::MacroAssemblerARMv7::load32):
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::load16):
        (JSC::MacroAssemblerARMv7::store32):
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::store16):
        (JSC::MacroAssemblerARMv7::storePair32):
        (JSC::MacroAssemblerARMv7::short_move):
        (JSC::MacroAssemblerARMv7::add32Impl):
        (JSC::MacroAssemblerARMv7::branch8):
        (JSC::MacroAssemblerARMv7::branchTest32):
        (JSC::MacroAssemblerARMv7::branchTest8):
        (JSC::MacroAssemblerARMv7::branchTest16):
        (JSC::MacroAssemblerARMv7::farJump):
        (JSC::MacroAssemblerARMv7::absoluteAddressWithinShortOffset):
        (JSC::MacroAssemblerARMv7::setupArmAddress):

2022-03-03  Michael Saboff  <msaboff@apple.com>

        Copy WebKit frameworks and XPC processes to Secondary Path
        https://bugs.webkit.org/show_bug.cgi?id=237394

        Reviewed by Saam Barati.

        Added build configuration variables and scripts to copy the built Framework to the SYSTEM_SECONDARY_CONTENT_PATH
        when it is set.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/copy-frameworks-to-secondary-path.sh: Added.

2022-03-03  Tom Tartarin  <tom@leaningtech.com>

        [JSC] Update wasm branch hinting
        https://bugs.webkit.org/show_bug.cgi?id=237411

        Reviewed by Yusuke Suzuki.

        Change the section's name.
        Clarify semantics in the parser.

        * wasm/WasmBranchHintsSectionParser.cpp:
        (JSC::Wasm::BranchHintsSectionParser::parse):
        * wasm/WasmSectionParser.cpp:
        (JSC::Wasm::SectionParser::parseCustom):

2022-03-03  Saam Barati  <sbarati@apple.com>

        Add a DeferTraps scope
        https://bugs.webkit.org/show_bug.cgi?id=237306
        <rdar://83494949>

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        * bytecode/RepatchInlines.h:
        (JSC::linkFor):
        (JSC::virtualForWithFunction):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::execute):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/ExceptionScope.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::handleTraps):
        (JSC::VMTraps::takeTopPriorityTrap):
        * runtime/VMTraps.h:
        (JSC::VMTraps::needHandling const):
        (JSC::VMTraps::maybeNeedHandling const):
        (JSC::VMTraps::hasTrapBit):
        (JSC::VMTraps::setTrapBit):
        * runtime/VMTrapsInlines.h:
        (JSC::DeferTraps::DeferTraps):
        (JSC::DeferTraps::~DeferTraps):

2022-03-03  Adrian Perez de Castro  <aperez@igalia.com>

        Non-unified build fixes, early March 2022 edition
        https://bugs.webkit.org/show_bug.cgi?id=237420

        Unreviewed non-unified build fixes.

        * llint/LLIntExceptions.h: Add forward declaration for WasmInstruction.

2022-03-02  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, reverting r290717.
        https://bugs.webkit.org/show_bug.cgi?id=237409

        Speedometer2

        Reverted changeset:

        "Add a DeferTraps scope"
        https://bugs.webkit.org/show_bug.cgi?id=237306
        https://commits.webkit.org/r290717

2022-03-02  Justin Michaud  <justin_michaud@apple.com>

        Refactor OpcodeTraits to support the possibility of having 2-byte WASM opcode ids in bytecode streams
        https://bugs.webkit.org/show_bug.cgi?id=237347

        The number of WASM opcodes will increase beyond 255 when WASM SIMD is implemented, and so this patch
        changes OpcodeTraits to allow for the possibility of having two-byte WASM opcodes without regressing
        JS. We have to thread these OpcodeTraits everywhere that they are used so that code can read the
        correct value when decoding an instruction stream. This patch does not change the size of WASM opcodes
        yet, although I have tested that the test suite still passes if we do increase the opcode size.

        Reviewed by Keith Miller.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::BytecodeBasicBlock<OpcodeTraits>::BytecodeBasicBlock):
        (JSC::BytecodeBasicBlock<OpcodeTraits>::addLength):
        (JSC::BytecodeBasicBlock<OpcodeTraits>::shrinkToFit):
        (JSC::isJumpTarget):
        (JSC::BytecodeBasicBlock<OpcodeTraits>::computeImpl):
        (JSC::BytecodeBasicBlock<JSOpcodeTraits>::compute):
        (JSC::BytecodeBasicBlock::BytecodeBasicBlock): Deleted.
        (JSC::BytecodeBasicBlock::addLength): Deleted.
        (JSC::BytecodeBasicBlock::shrinkToFit): Deleted.
        (JSC::BytecodeBasicBlock::computeImpl): Deleted.
        (JSC::BytecodeBasicBlock::compute): Deleted.
        * bytecode/BytecodeBasicBlock.h:
        (JSC::BytecodeBasicBlock::addSuccessor):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumperBase<InstructionStreamType>::printLocationAndOp):
        (JSC::BytecodeDumperBase<InstructionStreamType>::dumpValue):
        (JSC::BytecodeDumper<Block>::outOfLineJumpOffset const):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::dumpHeader):
        (JSC::CodeBlockBytecodeDumper<Block>::dumpBlock):
        (JSC::CodeBlockBytecodeDumper<Block>::dumpGraph):
        (JSC::Wasm::BytecodeDumper::dumpBlock):
        (JSC::Wasm::BytecodeDumper::registerName const):
        (JSC::Wasm::BytecodeDumper::outOfLineJumpOffset const):
        (JSC::BytecodeDumperBase::printLocationAndOp): Deleted.
        (JSC::BytecodeDumperBase::dumpValue): Deleted.
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
        (JSC::BytecodeGeneratorification::enterPoint const):
        (JSC::BytecodeGeneratorification::instructions const):
        (JSC::GeneratorLivenessAnalysis::run):
        (JSC::performGeneratorification):
        * bytecode/BytecodeGeneratorification.h:
        * bytecode/BytecodeGraph.h:
        (JSC::BytecodeGraph::blockContainsBytecodeOffset):
        (JSC::BytecodeGraph::findBasicBlockForBytecodeOffset):
        (JSC::BytecodeGraph::findBasicBlockWithLeaderOffset):
        (JSC::BytecodeGraph::at const):
        (JSC::BytecodeGraph::operator[] const):
        (JSC::BytecodeGraph::first):
        (JSC::BytecodeGraph::last):
        (JSC::BytecodeGraph::dump):
        (JSC::BytecodeGraph::BytecodeGraph):
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexDef):
        (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexUse):
        (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndexUseInExceptionHandler):
        (JSC::BytecodeLivenessPropagation::stepOverBytecodeIndex):
        (JSC::BytecodeLivenessPropagation::stepOverInstruction):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForInstruction):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
        (JSC::BytecodeLivenessPropagation::getLivenessInfoAtInstruction):
        (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
        * bytecode/BytecodeRewriter.cpp:
        (JSC::BytecodeRewriter::insertImpl):
        (JSC::BytecodeRewriter::adjustJumpTargets):
        * bytecode/BytecodeRewriter.h:
        (JSC::BytecodeRewriter::InsertionPoint::InsertionPoint):
        (JSC::BytecodeRewriter::Fragment::Fragment):
        (JSC::BytecodeRewriter::BytecodeRewriter):
        (JSC::BytecodeRewriter::insertFragmentBefore):
        (JSC::BytecodeRewriter::insertFragmentAfter):
        (JSC::BytecodeRewriter::replaceBytecodeWithFragment):
        (JSC::BytecodeRewriter::adjustAbsoluteOffset):
        (JSC::BytecodeRewriter::adjustJumpTarget):
        * bytecode/BytecodeUseDef.cpp:
        (JSC::computeUsesForBytecodeIndexImpl):
        (JSC::computeDefsForBytecodeIndexImpl):
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeIndex):
        (JSC::computeDefsForBytecodeIndex):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::notifyLexicalBindingUpdate):
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::outOfLineJumpOffset):
        (JSC::CodeBlock::outOfLineJumpTarget):
        (JSC::CodeBlock::binaryArithProfileForPC):
        (JSC::CodeBlock::unaryArithProfileForPC):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::outOfLineJumpOffset):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::bytecodeIndex):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::instructionAt const):
        * bytecode/Instruction.h:
        (JSC::BaseInstruction::opcodeID const):
        (JSC::BaseInstruction::name const):
        (JSC::BaseInstruction::isWide16 const):
        (JSC::BaseInstruction::isWide32 const):
        (JSC::BaseInstruction::width const):
        (JSC::BaseInstruction::hasMetadata const):
        (JSC::BaseInstruction::hasCheckpoints const):
        (JSC::BaseInstruction::numberOfCheckpoints const):
        (JSC::BaseInstruction::sizeShiftAmount const):
        (JSC::BaseInstruction::opcodeIDWidth const):
        (JSC::BaseInstruction::opcodeIDBytes const):
        (JSC::BaseInstruction::size const):
        (JSC::BaseInstruction::is const):
        (JSC::BaseInstruction::as const):
        (JSC::BaseInstruction::asKnownWidth const):
        (JSC::BaseInstruction::cast):
        (JSC::BaseInstruction::cast const):
        (JSC::BaseInstruction::wide16 const):
        (JSC::BaseInstruction::wide32 const):
        * bytecode/InstructionStream.cpp:
        (JSC::InstructionStream::InstructionStream): Deleted.
        (JSC::InstructionStream::sizeInBytes const): Deleted.
        (JSC::InstructionStream::contains const): Deleted.
        * bytecode/InstructionStream.h:
        (JSC::InstructionStream::sizeInBytes const):
        (JSC::InstructionStream::BaseRef::operator-> const):
        (JSC::InstructionStream::BaseRef::ptr const):
        (JSC::InstructionStream::BaseRef::unwrap const):
        (JSC::InstructionStream::MutableRef::operator->):
        (JSC::InstructionStream::MutableRef::operator-> const):
        (JSC::InstructionStream::MutableRef::ptr):
        (JSC::InstructionStream::MutableRef::ptr const):
        (JSC::InstructionStream::MutableRef::unwrap):
        (JSC::InstructionStream::MutableRef::unwrap const):
        (JSC::InstructionStream::iterator::operator++):
        (JSC::InstructionStream::contains const):
        (JSC::InstructionStream::InstructionStream):
        (JSC::InstructionStreamWriter::InstructionStreamWriter):
        (JSC::InstructionStreamWriter::finalize):
        (JSC::InstructionStreamWriter::swap):
        (JSC::InstructionStreamWriter::iterator::operator++):
        * bytecode/Opcode.h:
        * bytecode/OpcodeInlines.h:
        (JSC::isOpcodeShape):
        * bytecode/OpcodeSize.h:
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForInstruction):
        (JSC::computePreciseJumpTargetsInternal):
        (JSC::computePreciseJumpTargets):
        (JSC::recomputePreciseJumpTargets):
        (JSC::findJumpTargetsForInstruction):
        * bytecode/PreciseJumpTargets.h:
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::jumpTargetForInstruction):
        (JSC::extractStoredJumpTargetsForInstruction):
        (JSC::updateStoredJumpTargetsForInstruction):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::dumpLineColumnEntry):
        (JSC::UnlinkedCodeBlock::instructions const):
        (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::instructionAt const):
        (JSC::UnlinkedCodeBlock::bytecodeOffset):
        (JSC::UnlinkedCodeBlock::opProfileControlFlowBytecodeOffsets const):
        (JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
        * bytecode/UnlinkedCodeBlockGenerator.cpp:
        (JSC::UnlinkedCodeBlockGenerator::finalize):
        (JSC::UnlinkedCodeBlockGenerator::applyModification):
        (JSC::UnlinkedCodeBlockGenerator::addOutOfLineJumpTarget):
        (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset):
        * bytecode/UnlinkedCodeBlockGenerator.h:
        (JSC::UnlinkedCodeBlockGenerator::addOpProfileControlFlowBytecodeOffset):
        (JSC::UnlinkedCodeBlockGenerator::outOfLineJumpOffset):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::instructions const):
        (JSC::BytecodeGenerator::withWriter):
        * bytecompiler/BytecodeGeneratorBase.h:
        * bytecompiler/BytecodeGeneratorBaseInlines.h:
        (JSC::BytecodeGeneratorBase<Traits>::recordOpcode):
        (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode16):
        (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32):
        * bytecompiler/StaticPropertyAnalysis.h:
        (JSC::StaticPropertyAnalysis::create):
        (JSC::StaticPropertyAnalysis::StaticPropertyAnalysis):
        * bytecompiler/StaticPropertyAnalyzer.h:
        (JSC::StaticPropertyAnalyzer::createThis):
        (JSC::StaticPropertyAnalyzer::newObject):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::parseGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::callerReturnPC):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileLoopHint):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::JSC_DEFINE_JIT_OPERATION):
        * generator/Argument.rb:
        * generator/DSL.rb:
        * generator/Opcode.rb:
        * interpreter/AbstractPC.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::currentVPC const):
        (JSC::CallFrame::setCurrentVPC):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::CatchInfo::CatchInfo):
        * interpreter/Interpreter.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_jless):
        (JSC::JIT::emit_op_jlesseq):
        (JSC::JIT::emit_op_jgreater):
        (JSC::JIT::emit_op_jgreatereq):
        (JSC::JIT::emit_op_jnless):
        (JSC::JIT::emit_op_jnlesseq):
        (JSC::JIT::emit_op_jngreater):
        (JSC::JIT::emit_op_jngreatereq):
        (JSC::JIT::emitSlow_op_jless):
        (JSC::JIT::emitSlow_op_jlesseq):
        (JSC::JIT::emitSlow_op_jgreater):
        (JSC::JIT::emitSlow_op_jgreatereq):
        (JSC::JIT::emitSlow_op_jnless):
        (JSC::JIT::emitSlow_op_jnlesseq):
        (JSC::JIT::emitSlow_op_jngreater):
        (JSC::JIT::emitSlow_op_jngreatereq):
        (JSC::JIT::emit_op_below):
        (JSC::JIT::emit_op_beloweq):
        (JSC::JIT::emit_op_jbelow):
        (JSC::JIT::emit_op_jbeloweq):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareUnsignedAndJump):
        (JSC::JIT::emit_compareUnsigned):
        (JSC::JIT::emit_compareAndJumpSlow):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emit_op_pow):
        (JSC::JIT::emitSlow_op_pow):
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitBitBinaryOpFastPath):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShiftFastPath):
        (JSC::JIT::emit_op_rshift):
        (JSC::JIT::emit_op_urshift):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitMathICFast):
        (JSC::JIT::emitMathICSlow):
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_sub):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_call):
        (JSC::JIT::emit_op_tail_call):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_tail_call_varargs):
        (JSC::JIT::emit_op_tail_call_forward_arguments):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emit_op_construct):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_tail_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_varargs):
        (JSC::JIT::emitSlow_op_tail_call_forward_arguments):
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct):
        (JSC::JIT::emit_op_iterator_open):
        (JSC::JIT::emitSlow_op_iterator_open):
        (JSC::JIT::emit_op_iterator_next):
        (JSC::JIT::emitSlow_op_iterator_next):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITInlines.h:
        (JSC::JIT::fastPathResumePoint const):
        (JSC::JIT::jumpTarget):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_jmp):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emit_op_is_empty):
        (JSC::JIT::emit_op_typeof_is_undefined):
        (JSC::JIT::emit_op_is_undefined_or_null):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_big_int):
        (JSC::JIT::emit_op_is_cell_with_type):
        (JSC::JIT::emit_op_is_object):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_to_property_key):
        (JSC::JIT::emit_op_set_function_name):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jundefined_or_null):
        (JSC::JIT::emit_op_jnundefined_or_null):
        (JSC::JIT::emit_op_jeq_ptr):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_stricteq):
        (JSC::JIT::emit_op_nstricteq):
        (JSC::JIT::compileOpStrictEqJump):
        (JSC::JIT::emit_op_jstricteq):
        (JSC::JIT::emit_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jstricteq):
        (JSC::JIT::emitSlow_op_jnstricteq):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_to_numeric):
        (JSC::JIT::emit_op_to_string):
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_identity_with_profile):
        (JSC::JIT::emit_op_get_parent_scope):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emit_op_get_scope):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emit_op_check_tdz):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_jeq):
        (JSC::JIT::emitSlow_op_jneq):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        (JSC::JIT::emit_op_check_traps):
        (JSC::JIT::emit_op_nop):
        (JSC::JIT::emit_op_super_sampler_begin):
        (JSC::JIT::emit_op_super_sampler_end):
        (JSC::JIT::emitSlow_op_check_traps):
        (JSC::JIT::emit_op_new_regexp):
        (JSC::JIT::emitNewFuncCommon):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_new_generator_func):
        (JSC::JIT::emit_op_new_async_generator_func):
        (JSC::JIT::emit_op_new_async_func):
        (JSC::JIT::emitNewFuncExprCommon):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emit_op_new_generator_func_exp):
        (JSC::JIT::emit_op_new_async_func_exp):
        (JSC::JIT::emit_op_new_async_generator_func_exp):
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_log_shadow_chicken_prologue):
        (JSC::JIT::emit_op_log_shadow_chicken_tail):
        (JSC::JIT::emit_op_profile_control_flow):
        (JSC::JIT::emit_op_argument_count):
        (JSC::JIT::emit_op_get_rest_length):
        (JSC::JIT::emit_op_get_argument):
        (JSC::JIT::emit_op_get_prototype_of):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emit_op_jeq):
        (JSC::JIT::emit_op_jneq):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_jeq):
        (JSC::JIT::emitSlow_op_jneq):
        (JSC::JIT::emit_op_stricteq):
        (JSC::JIT::emit_op_nstricteq):
        (JSC::JIT::emit_op_jstricteq):
        (JSC::JIT::emit_op_jnstricteq):
        (JSC::JIT::emitSlow_op_jstricteq):
        (JSC::JIT::emitSlow_op_jnstricteq):
        * jit/JITOperations.cpp:
        (JSC::JSC_DEFINE_JIT_OPERATION):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_private_name):
        (JSC::JIT::emitSlow_op_get_private_name):
        (JSC::JIT::emit_op_set_private_brand):
        (JSC::JIT::emitSlow_op_set_private_brand):
        (JSC::JIT::emit_op_check_private_brand):
        (JSC::JIT::emitSlow_op_check_private_brand):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_val_direct):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emit_op_put_private_name):
        (JSC::JIT::emitSlow_op_put_private_name):
        (JSC::JIT::emit_op_put_getter_by_id):
        (JSC::JIT::emit_op_put_setter_by_id):
        (JSC::JIT::emit_op_put_getter_setter_by_id):
        (JSC::JIT::emit_op_put_getter_by_val):
        (JSC::JIT::emit_op_put_setter_by_val):
        (JSC::JIT::emit_op_del_by_id):
        (JSC::JIT::emitSlow_op_del_by_id):
        (JSC::JIT::emit_op_del_by_val):
        (JSC::JIT::emitSlow_op_del_by_val):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emit_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_id):
        (JSC::JIT::emit_op_in_by_val):
        (JSC::JIT::emitSlow_op_in_by_val):
        (JSC::JIT::emit_op_has_private_name):
        (JSC::JIT::emitSlow_op_has_private_name):
        (JSC::JIT::emit_op_has_private_brand):
        (JSC::JIT::emitSlow_op_has_private_brand):
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::emit_op_get_from_arguments):
        (JSC::JIT::emit_op_put_to_arguments):
        (JSC::JIT::emit_op_get_internal_field):
        (JSC::JIT::emit_op_put_internal_field):
        (JSC::JIT::emit_op_get_property_enumerator):
        (JSC::JIT::emit_op_enumerator_next):
        (JSC::JIT::emit_op_enumerator_get_by_val):
        (JSC::JIT::emitSlow_op_enumerator_get_by_val):
        (JSC::JIT::emit_op_enumerator_in_by_val):
        (JSC::JIT::emit_op_enumerator_has_own_property):
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::exceptionInstructions):
        (JSC::LLInt::wasmExceptionInstructions):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::wasmReturnToThrow):
        * llint/LLIntExceptions.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::setupGetByIdPrototypeCache):
        (JSC::LLInt::performLLIntGetByID):
        (JSC::LLInt::varargsSetup):
        (JSC::LLInt::commonCallEval):
        (JSC::LLInt::dispatchToNextInstructionDuringExit):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::operator const JSInstruction*):
        (JSC::CLoop::execute):
        (JSC::CLoopRegister::operator const Instruction*): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * llint/WebAssembly.asm:
        * runtime/CachedTypes.cpp:
        (JSC::CachedInstructionStream::encode):
        (JSC::CachedInstructionStream::decode const):
        (JSC::CachedCodeBlock::instructions const):
        * runtime/CommonSlowPaths.cpp:
        (JSC::updateArithProfileForBinaryArithOp):
        (JSC::iteratorOpenTryFastImpl):
        (JSC::iteratorNextTryFastImpl):
        * runtime/CommonSlowPaths.h:
        * runtime/JSCConfig.h:
        * runtime/JSCJSValue.h:
        * runtime/SlowPathFunction.h:
        * runtime/VM.cpp:
        (JSC::VM::addLoopHintExecutionCounter):
        (JSC::VM::getLoopHintExecutionCounter):
        (JSC::VM::removeLoopHintExecutionCounter):
        * runtime/VM.h:
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::LLIntCallee::LLIntCallee):
        (JSC::Wasm::LLIntCallee::outOfLineJumpOffset):
        (JSC::Wasm::LLIntCallee::outOfLineJumpTarget):
        * wasm/WasmCallee.h:
        * wasm/WasmFunctionCodeBlockGenerator.cpp:
        (JSC::Wasm::FunctionCodeBlockGenerator::setInstructions):
        (JSC::Wasm::FunctionCodeBlockGenerator::addOutOfLineJumpTarget):
        (JSC::Wasm::FunctionCodeBlockGenerator::outOfLineJumpOffset):
        * wasm/WasmFunctionCodeBlockGenerator.h:
        (JSC::Wasm::FunctionCodeBlockGenerator::constantRegisters const):
        (JSC::Wasm::FunctionCodeBlockGenerator::instructions const):
        (JSC::Wasm::FunctionCodeBlockGenerator::addJumpTarget):
        (JSC::Wasm::FunctionCodeBlockGenerator::numberOfJumpTargets):
        (JSC::Wasm::FunctionCodeBlockGenerator::lastJumpTarget):
        (JSC::Wasm::FunctionCodeBlockGenerator::outOfLineJumpOffset):
        (JSC::Wasm::FunctionCodeBlockGenerator::bytecodeOffset):
        (JSC::Wasm::FunctionCodeBlockGenerator::tierUpCounter):
        * wasm/WasmGeneratorTraits.h:
        * wasm/WasmLLIntGenerator.cpp:
        (JSC::Wasm::LLIntGenerator::addSwitch):
        (JSC::GenericLabel<Wasm::GeneratorTraits>::setLocation):
        * wasm/WasmLLIntTierUpCounter.cpp:
        (JSC::Wasm::LLIntTierUpCounter::addOSREntryDataForLoop):
        (JSC::Wasm::LLIntTierUpCounter::osrEntryDataForLoop const const):
        * wasm/WasmLLIntTierUpCounter.h:
        (JSC::Wasm::LLIntTierUpCounter::LLIntTierUpCounter):
        * wasm/WasmSlowPaths.cpp:
        (JSC::LLInt::WASM_SLOW_PATH_DECL):
        (JSC::LLInt::slow_path_wasm_throw_exception):
        (JSC::LLInt::slow_path_wasm_popcount):
        (JSC::LLInt::slow_path_wasm_popcountll):
        * wasm/WasmSlowPaths.h:

2022-03-01  Devin Rousso  <drousso@apple.com>

        Web Inspector: add a switch to control whether breakpoint evaluations (condition, ignore count, actions) are also affected by script blackboxing
        https://bugs.webkit.org/show_bug.cgi?id=235274

        Reviewed by Patrick Angle.

        Being able to defer breakpoint evaluations until the next actual pause can sometimes be far
        more useful than doing the breakpoint evaluations at the breakpoint's original location.

        As an example, configuring the All Events breakpoint with a `console.trace()` action and
        auto-continue enabled would not provide much useful information without also blackboxing
        breakpoint evaluations as the original pause location of the All Events breakpoint is on the
        first line of the event handler, meaning that if the script containing the event handler is
        blackboxed then the `console.trace()` would still only show that location even though the
        Sources Tab would show the first line of code outside of that script (due to the blackbox).
        Being able to also blackbox breakpoint evaluations would instead cause the `console.trace()`
        action to have the same output as the Sources Tab, since it's evaluation would be deferred
        until execution actually paused, which is further inside the event handler.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::didHitBreakpoint):
        (JSC::Debugger::evaluateBreakpointCondition):
        (JSC::Debugger::continueProgram):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::setBlackboxBreakpointEvaluations): Added.
        Keep track of every `Breakpoint` wants to pause but is deferred due to blackboxing.
        Depending on whether breakpoint evaluations are also blackboxed (based on the flag set via
        the piping code/logic below), check if the script attempting to be paused in is blackboxed
        before or after handling breakpoint evaluations.
        Side effects of this change are:
        - breakpoint conditions are now evaluated right before that breakpoint's actions, instead of
          evaluating all breakpoint conditions before all breakpoint actions
        - if breakpoint evaluations are blackboxed, more than two breakpoints can now be evaluated
        during a single pause attempt depending on how may deferrals (with breakpoints) happened

        * debugger/Debugger.h:
        (JSC::Debugger::Observer::didDeferBreakpointPause): Added.
        Add a way to notify `InspectorDebuggerAgent` of deferred breakpoint pauses so that the
        correct `originalReason` will be used after a deferred pause.

        * inspector/protocol/Debugger.json:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBlackboxBreakpointEvaluations): Added.
        (Inspector::InspectorDebuggerAgent::didDeferBreakpointPause): Added.
        Add a `setBlackboxBreakpointEvaluations` command that passes directly to `Debugger`.

2022-03-01  Saam Barati  <sbarati@apple.com>

        Add a DeferTraps scope
        https://bugs.webkit.org/show_bug.cgi?id=237306
        <rdar://83494949>

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        * bytecode/RepatchInlines.h:
        (JSC::linkFor):
        (JSC::virtualForWithFunction):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeModuleProgram):
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::execute):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VMTraps.cpp:
        (JSC::VMTraps::handleTraps):
        (JSC::VMTraps::takeTopPriorityTrap):
        * runtime/VMTraps.h:
        (JSC::VMTraps::needHandling const):
        (JSC::VMTraps::hasTrapBit):
        (JSC::VMTraps::setTrapBit):
        * runtime/VMTrapsInlines.h:
        (JSC::DeferTraps::DeferTraps):
        (JSC::DeferTraps::~DeferTraps):

2022-03-01  Fujii Hironori  <Hironori.Fujii@sony.com>

        WTF::SentinelLinkedList::iterator should have operator++ for range-for loop
        https://bugs.webkit.org/show_bug.cgi?id=237265

        Reviewed by Yusuke Suzuki.

        SentinelLinkedList::iterator isn't a pointer of node now, it
        should be deferenced before comparing with a pointer.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::fireAllWatchpoints):
        * heap/HandleSet.cpp:
        (JSC::HandleSet::visitStrongHandles):
        (JSC::HandleSet::protectedGlobalObjectCount):
        * heap/HandleSet.h:
        (JSC::HandleSet::forEachStrongHandle):
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::tryAllocateFromLowerTier):
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachPreciseAllocation):
        * jsc.cpp:
        (Workers::broadcast):

2022-03-01  Michael Catanzaro  <mcatanzaro@gnome.org>

        Misc compiler warnings, late Feb 2022 edition
        https://bugs.webkit.org/show_bug.cgi?id=237275

        Reviewed by Adrian Perez de Castro.

        Suppress suspected false-positive -Wstringop-overflow and -Wformat-overflow warnings. Also,
        remove an unused variable.

        * API/tests/MultithreadedMultiVMExecutionTest.cpp:
        (startMultithreadedMultiVMExecutionTest):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
        * yarr/YarrJIT.cpp:

2022-03-01  Alex Christensen  <achristensen@webkit.org>

        [AppleWin] Start using Visual Studio 2022
        https://bugs.webkit.org/show_bug.cgi?id=234933

        Reviewed by Maciej Stachowiak.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2022-03-01  Geza Lore  <glore@igalia.com>

        [JSC] Port EXTRA_CTI_THUNKS to all platforms
        https://bugs.webkit.org/show_bug.cgi?id=233822

        Reviewed by Saam Barati.

        Port and enable all code paths under #ifdef ENABLE(EXTRA_CTI_THUNKS)
        on all platforms, and remove the now unused code paths.

        To port the extra thunks to all platforms, it was necessary to enable
        them to do function calls to C++ slow path operations, which on some
        platforms require passing arguments on the stack. To enable this,
        CCallHelpers::emitCTIThunkPrologue and
        CCallHelpers::emitCTIThunkEpilogue are introduced that allocate some
        additional stack space on platforms where this is necessary.

        Additionally, the thunks that require subsequent exception checking
        now tail call directly to the exception check thunk, rather than
        returning to the baseline code and do a separate call to the exception
        check thunk. This saves an extra call site in the generated baseline
        ops and reduces code size on all platforms (~1.5% reduction on x86_64).

        Also factored out the statically allocated register definitions for
        baseline ops into BaselineJITRegisters.h, as there are now quite a lot
        of them and some are somewhat elaborate. This necessitates moving the
        noOverlap and preferredArgumentGPR/preferredArgumentJSR constexpr
        functions out from their previous place, so these now live in
        GPRInfo.h

        Enabling the extra CTI thunks on ARMv7/Thumb-2 saves about 25%
        baseline code size, according to --dumpLinkBufferStats.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::subPtr):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::scratchRegister):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::sub64):
        * bytecode/PolymorphicAccess.cpp:
        (JSC::AccessGenerationState::emitExplicitExceptionHandler):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::initializeFromUnlinkedStructureStubInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::emitCTIThunkPrologue):
        (JSC::CCallHelpers::emitCTIThunkEpilogue):
        * jit/JIT.cpp:
        (JSC::JIT::emitSlowCaseCall):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::compileAndLinkWithoutFinalizing):
        (JSC::JIT::link):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emit_op_div):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_iterator_open):
        (JSC::JIT::emit_op_iterator_next):
        (JSC::JIT::emitSlow_op_iterator_next):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::generateBaselineDataICFastPath):
        (JSC::JITGetByIdWithThisGenerator::generateBaselineDataICFastPath):
        (JSC::JITPutByIdGenerator::generateBaselineDataICFastPath):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::valueIsFalseyGenerator):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::valueIsTruthyGenerator):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::op_throw_handlerGenerator):
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::op_enter_handlerGenerator):
        (JSC::JIT::emitSlow_op_check_traps):
        (JSC::JIT::op_check_traps_handlerGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::generateGetByValSlowCase):
        (JSC::JIT::slow_op_get_by_val_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_get_private_name):
        (JSC::JIT::emitSlow_op_get_private_name):
        (JSC::JIT::slow_op_get_private_name_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_set_private_brand):
        (JSC::JIT::emitSlow_op_set_private_brand):
        (JSC::JIT::emit_op_check_private_brand):
        (JSC::JIT::emitSlow_op_check_private_brand):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::slow_op_put_by_val_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_put_private_name):
        (JSC::JIT::emitSlow_op_put_private_name):
        (JSC::JIT::slow_op_put_private_name_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_del_by_id):
        (JSC::JIT::emitSlow_op_del_by_id):
        (JSC::JIT::slow_op_del_by_id_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_del_by_val):
        (JSC::JIT::emitSlow_op_del_by_val):
        (JSC::JIT::slow_op_del_by_val_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_try_get_by_id):
        (JSC::JIT::emitSlow_op_try_get_by_id):
        (JSC::JIT::emit_op_get_by_id_direct):
        (JSC::JIT::emitSlow_op_get_by_id_direct):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::slow_op_get_by_id_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_get_by_id_with_this):
        (JSC::JIT::emitSlow_op_get_by_id_with_this):
        (JSC::JIT::slow_op_get_by_id_with_this_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::slow_op_put_by_id_callSlowOperationThenCheckExceptionGenerator):
        (JSC::JIT::emitSlow_op_in_by_id):
        (JSC::JIT::emitSlow_op_in_by_val):
        (JSC::JIT::emitHasPrivateSlow):
        (JSC::JIT::emitSlow_op_has_private_name):
        (JSC::JIT::emitSlow_op_has_private_brand):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::slow_op_put_to_scopeGenerator):
        (JSC::JIT::emit_op_get_property_enumerator):
        (JSC::JIT::emit_op_enumerator_next):
        (JSC::JIT::emit_enumerator_has_propertyImpl):
        (JSC::JIT::emit_op_enumerator_get_by_val):
        (JSC::JIT::emit_op_enumerator_in_by_val):
        (JSC::JIT::emit_op_enumerator_has_own_property):
        * jit/JITThunks.cpp:
        * jit/JITThunks.h:
        * jit/SlowPathCall.cpp:
        (JSC::JITSlowPathCall::call):
        (JSC::JITSlowPathCall::generateThunk):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::JITSlowPathCall):
        * jit/ThunkGenerators.cpp:
        (JSC::handleExceptionGenerator):
        (JSC::checkExceptionGenerator):
        * jit/ThunkGenerators.h:

2022-02-28  Devin Rousso  <drousso@apple.com>

        Web Inspector: [Flexbox] Add options to show each area's CSS `order` and/or DOM index in the parent flex container
        https://bugs.webkit.org/show_bug.cgi?id=237215

        Reviewed by Patrick Angle.

        This will help developers better understand how CSS `order` and the DOM index of each flex
        item interact and result in what's eventually rendered.

        * inspector/protocol/DOM.json:
        Add an optional boolean parameter to `DOM.showFlexOverlay`:
        - `showOrderNumbers` controls whether labels with the computed CSS `order` value are shown
          over each flex item's area.

2022-02-28  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use DeferTerminationForAWhile in Interpreter::unwind
        https://bugs.webkit.org/show_bug.cgi?id=237176

        Reviewed by Mark Lam.

        If we're unwinding the stack due to a regular exception (not a TerminationException), then
        we want to use a DeferTerminationForAWhile scope. This is because we want to avoid a
        TerminationException being raised (due to a concurrent termination request) in the middle
        of unwinding. The unwinding code only checks if we're handling a TerminationException before
        it starts unwinding and is not expecting this status to change in the middle. Without the
        DeferTerminationForAWhile scope, control flow may end up in an exception handler, and effectively
        "catch" the newly raised TerminationException, which should not be catchable.

        On the other hand, if we're unwinding the stack due to a TerminationException, we do not need
        nor want the DeferTerminationForAWhile scope. This is because on exit, DeferTerminationForAWhile
        will set the VMTraps NeedTermination bit if termination is in progress. The system expects the
        NeedTermination bit to be have been cleared by VMTraps::handleTraps() once the TerminationException
        has been raised. Some legacy client apps relies on this and expects to be able to re-enter the
        VM after it exits due to termination. If the NeedTermination bit is set, upon re-entry, the
        VM will behave as if a termination request is pending and terminate almost immediately, thereby
        breaking the legacy client apps.

        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::notifyDebuggerOfUnwinding):
        (JSC::sanitizeRemoteFunctionException):
        (JSC::Interpreter::unwind):
        (JSC::notifyDebuggerOfUnwinding): Deleted.

2022-02-28  Angelos Oikonomopoulos  <angelos@igalia.com>

        [JSC] Reuse known register values on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=237207

        Reviewed by Žan Doberšek.

        Set up a CachedTempRegister for each of addressTempRegister,
        dataTempRegister on ARMv7 and use them to generate shorter instruction
        sequences when possible.

        Saves 1.5-2% of code size on JS2 with no measurable difference in
        performance.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::CachedTempRegister::value):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::add32):
        (JSC::MacroAssemblerARMv7::getEffectiveAddress):
        (JSC::MacroAssemblerARMv7::add64):
        (JSC::MacroAssemblerARMv7::lshift32):
        (JSC::MacroAssemblerARMv7::mul32):
        (JSC::MacroAssemblerARMv7::rshift32):
        (JSC::MacroAssemblerARMv7::urshift32):
        (JSC::MacroAssemblerARMv7::load32):
        (JSC::MacroAssemblerARMv7::load16):
        (JSC::MacroAssemblerARMv7::load16SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::load8SignedExtendTo32):
        (JSC::MacroAssemblerARMv7::loadPair32):
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::storePair32):
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::loadFloat):
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::storeFloat):
        (JSC::MacroAssemblerARMv7::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARMv7::long_move):
        (JSC::MacroAssemblerARMv7::short_move):
        (JSC::MacroAssemblerARMv7::move):
        (JSC::MacroAssemblerARMv7::compare32AndSetFlags):
        (JSC::MacroAssemblerARMv7::branch8):
        (JSC::MacroAssemblerARMv7::branchTest8):
        (JSC::MacroAssemblerARMv7::branchTest16):
        (JSC::MacroAssemblerARMv7::farJump):
        (JSC::MacroAssemblerARMv7::branchMul32):
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::nearTailCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::compare8):
        (JSC::MacroAssemblerARMv7::test8):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):
        (JSC::MacroAssemblerARMv7::setupArmAddress):
        (JSC::MacroAssemblerARMv7::makeBaseIndexBase):
        (JSC::MacroAssemblerARMv7::moveFixedWidthEncoding):
        (JSC::MacroAssemblerARMv7::cachedDataTempRegister):
        (JSC::MacroAssemblerARMv7::cachedAddressTempRegister):
        (JSC::MacroAssemblerARMv7::getCachedDataTempRegisterIDAndInvalidate):
        (JSC::MacroAssemblerARMv7::getCachedAddressTempRegisterIDAndInvalidate):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::emitFastPathImpl):

2022-02-27  Chris Dumez  <cdumez@apple.com>

        Omit template parameter for SetForScope<> variables
        https://bugs.webkit.org/show_bug.cgi?id=237258

        Reviewed by Darin Adler.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::dispatchFunctionToObservers):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocalOrTmp):
        (JSC::DFG::ByteCodeParser::setArgument):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::dispatch):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::Parser<LexerType>::parseFunctionBody):
        (JSC::Parser<LexerType>::parseFunctionParameters):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parseGetterSetter):
        (JSC::Parser<LexerType>::parseFunctionExpression):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        (JSC::Parser<LexerType>::parseArrowFunctionExpression):

2022-02-26  Basuke Suzuki  <basuke.suzuki@sony.com>

        Remove UNUSED warnings for non-Cocoa platform after r290449
        https://bugs.webkit.org/show_bug.cgi?id=237233

        Reviewed by Darin Adler.

        * runtime/JSDateMath.cpp:

2022-02-24  Mark Lam  <mark.lam@apple.com>

        Remove incorrect ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=237185
        <rdar://problem/83902782>

        Reviewed by Yusuke Suzuki.

        These debug ASSERTs were added in http://trac.webkit.org/r283632 back when we
        weren't sure that the StringImpl pointer can be null or not.  We're now certain
        that the StringImpl pointer can be null because:

        The site of the ASSERT looks like this:
        ```
            auto* impl = string->tryGetValueImpl();
            ASSERT(impl); // FIXME: rdar://83902782
            if (impl && impl->isAtom() && 
                ...
        ```
        ... where string is a JSString, which can also be a JSRopeString.

        JSString::tryGetValueImpl() is:
        ```
        inline const StringImpl* JSString::tryGetValueImpl() const
        {
            uintptr_t pointer = fiberConcurrently();
            if (pointer & isRopeInPointer)
                return nullptr;
            return bitwise_cast<StringImpl*>(pointer);
        }
        ```

        If string is a JSRopeString, the returned impl will be null.  Hence, the ASSERT is
        invalid and should be removed.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::handlePutByVal):

2022-02-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, reverting r290516.
        https://bugs.webkit.org/show_bug.cgi?id=237222

        broke debug tests

        Reverted changeset:

        "[JSC] Use DeferTerminationForAWhile in Interpreter::unwind"
        https://bugs.webkit.org/show_bug.cgi?id=237176
        https://commits.webkit.org/r290516

2022-02-25  Mark Lam  <mark.lam@apple.com>

        operationMaterializeObjectInOSR should DeferTerminationForAWhile instead of just DeferTermination.
        https://bugs.webkit.org/show_bug.cgi?id=237173
        rdar://problem/89450245

        Reviewed by Yusuke Suzuki.

        DeferTermination can throw the TerminationException on destruction of the scope
        object.  operationMaterializeObjectInOSR() was using DeferTermination, resulting
        in the TerminationException being thrown on exit.  This trips up
        validateDFGExceptionHandling testing (which is enabled on Debug builds) because the
        TerminationException is unexpected.  The solution is simply to use
        DeferTerminationForAWhile instead, and let a more natural trap checkpoint throw
        the TerminationException later.

        Also refactored notifyDebuggerOfUnwinding() to return early if a debugger is not
        present.  This avoids unnecessarily entering and exiting a DeferTermination scope
        in notifyDebuggerOfUnwinding().  This was observed while testing this change on
        the attached test case.

        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * interpreter/Interpreter.cpp:
        (JSC::notifyDebuggerOfUnwinding):

2022-02-24  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use DeferTerminationForAWhile in Interpreter::unwind
        https://bugs.webkit.org/show_bug.cgi?id=237176

        Reviewed by Mark Lam.

        Interpreter::unwind calls sanitizeRemoteFunctionException, which would like to create scope (but it
        does not have user observable behavior). Problem is that, since it is creating a scope, it can throw
        a termination exception. We were using DeferTermination, but destructor of this scope can still set
        termination exception, which results in throwing a termination exception for the error handler.

        We use DeferTerminationForAWhile in the prologue of the Interpreter::unwind to ensure that this function
        will not accept termination exception coming concurrently.

        * interpreter/Interpreter.cpp:
        (JSC::sanitizeRemoteFunctionException):
        (JSC::Interpreter::unwind):

2022-02-25  Patrick Angle  <pangle@apple.com>

        Web Inspector: [Cocoa] Split remote inspector message data into smaller chunks for large messages
        https://bugs.webkit.org/show_bug.cgi?id=237110
        <rdar://89364487>

        Reviewed by Devin Rousso.

        Messages over 2 MiB will now be split into multiple chunks, which allows us to not exceed any receiving daemon
        process' memory limit under otherwise normal conditions. 2 MiB was chosen as a balance between not having to
        split most messages at all and making sure that the messages (and any copies made during the relaying of the
        messages) do not exceed the memory limits of the receiving daemon process.

        In order to prevent us from sending chunked messages to a process that doesn't support them we check for a flag
        to enable this functionality during connection setup.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::sendMessageToRemote):
        (Inspector::RemoteInspector::receivedSetupMessage):

2022-02-24  Chris Dumez  <cdumez@apple.com>

        [Cocoa] Only clear ICU cache when time zone is changed
        https://bugs.webkit.org/show_bug.cgi?id=236996

        Reviewed by Yusuke Suzuki.

        We used to unconditionally invalidate the VM's DateCache in VMEntryScope in order to
        make sure we always used the latest time zone from the host machine (in case it changed).
        This overly aggressive invalidation was causing us to repeatedly go to the disk in order
        to determine the host time zone. On Cocoa ports, we now listen to the
        kCFTimeZoneSystemTimeZoneDidChangeNotification notification and only invalidate the
        VM's DateCache in VMEntryScope if the host time zone has actually changed since the
        last time.

        * runtime/JSDateMath.cpp:
        (JSC::timeZoneChangeNotification):
        (JSC::DateCache::DateCache):
        (JSC::DateCache::resetIfNecessary):
        (JSC::DateCache::reset): Deleted.
        * runtime/JSDateMath.h:
        * runtime/VM.h:
        (JSC::VM::resetDateCacheIfNecessary):
        (JSC::VM::resetDateCache): Deleted.
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):

2022-02-24  Geza Lore  <glore@igalia.com>

        [JSC] Respect bytecode alignment in BytecodeRewriter
        https://bugs.webkit.org/show_bug.cgi?id=237092

        Reviewed by Yusuke Suzuki.

        Note: This patch only affects bytecode generation on platforms which
        set CPU(NEEDS_ALIGNED_ACCESS), which are ARMv7 and MIPS. On all other
        platforms the generated bytecode is identical.

        The previous BytecodeRewriter::removeBytecode method unconditionally
        removed the given instruction, which could then break the required
        alignment of subsequent wide ops. While this could be fixed by
        inserting padding after the removal, all current uses of
        removeBytecode are such that they constitute one half of a replace.
        Instead of adding unnecessary padding, added an explicit
        replaceBytecodeWithFragment method that removes the old instruction
        and replaces it with the given fragment, while maintaining alignment
        of the subsequent bytecode. This yields fewer nops. If removeBytecode
        turns out to be necessary later, use replaceBytecodeWithFragment with
        an empty fragment.

        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::BytecodeGeneratorification::run):
        * bytecode/BytecodeRewriter.h:
        (JSC::BytecodeRewriter::Fragment::align):
        (JSC::BytecodeRewriter::insertFragmentAfter):
        (JSC::BytecodeRewriter::replaceBytecodeWithFragment):
        * bytecompiler/BytecodeGeneratorBaseInlines.h:
        (JSC::BytecodeGeneratorBase<Traits>::alignWideOpcode32):

2022-02-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] WeakMapImpl do not need to take cellLock in visitOutputConstraints and main thread
        https://bugs.webkit.org/show_bug.cgi?id=200195

        Reviewed by Mark Lam.

        WeakMapImpl::visitOutputConstraints is called in the constraint solver, so the main thread is stopped.
        WeakMapImpl::rehash can destroy the buffer, but it is only called on either the main thread or GC finalizer. As a result,
        it never happens that destroying the buffer while touching it in visitOutputConstraints. We can remove the lock guarding
        this buffer.

        * runtime/WeakMapImpl.cpp:
        (JSC::WeakMapImpl<BucketType>::visitOutputConstraints):
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::WeakMapImpl):
        (JSC::WeakMapImpl::makeAndSetNewBuffer):
        (JSC::WeakMapImpl::finishCreation): Deleted.
        * runtime/WeakMapImplInlines.h:
        (JSC::WeakMapImpl<WeakMapBucket>::rehash):

2022-02-23  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Adjust thread number for GC throughput
        https://bugs.webkit.org/show_bug.cgi?id=237122

        Reviewed by Mark Lam.

        Adjust numberOfGCMarkers from 4 to 3 to make GC and main thread througput better on M1 macOS.
        3 makes sense since there is also a main thread when they are running concurrently to the
        main thread.

        It offers 1.2% improvement in Speedometer2 in M1Max MBP and 0.4% improvement in M1 MBP.

        ----------------------------------------------------------------------------------------------------------------------------------
        |               subtest                |     ms      |     ms      |  b / a   | pValue (significance using False Discovery Rate) |
        ----------------------------------------------------------------------------------------------------------------------------------
        | Elm-TodoMVC                          |107.445000   |102.856667   |0.957296  | 0.000000 (significant)                           |
        | VueJS-TodoMVC                        |21.571667    |21.805000    |1.010817  | 0.403054                                         |
        | EmberJS-TodoMVC                      |113.320000   |111.300000   |0.982174  | 0.000027 (significant)                           |
        | BackboneJS-TodoMVC                   |39.981667    |39.318333    |0.983409  | 0.002346 (significant)                           |
        | Preact-TodoMVC                       |15.516667    |15.648333    |1.008485  | 0.544754                                         |
        | AngularJS-TodoMVC                    |117.010000   |115.346667   |0.985785  | 0.000495 (significant)                           |
        | Vanilla-ES2015-TodoMVC               |57.790000    |57.176667    |0.989387  | 0.000270 (significant)                           |
        | Inferno-TodoMVC                      |55.275000    |53.755000    |0.972501  | 0.000000 (significant)                           |
        | Flight-TodoMVC                       |53.875000    |53.941667    |1.001237  | 0.739556                                         |
        | Angular2-TypeScript-TodoMVC          |36.600000    |36.471667    |0.996494  | 0.743761                                         |
        | VanillaJS-TodoMVC                    |48.058333    |47.671667    |0.991954  | 0.158193                                         |
        | jQuery-TodoMVC                       |203.433333   |201.878333   |0.992356  | 0.009271 (significant)                           |
        | EmberJS-Debug-TodoMVC                |325.058333   |319.848333   |0.983972  | 0.000003 (significant)                           |
        | React-TodoMVC                        |80.533333    |79.281667    |0.984458  | 0.000011 (significant)                           |
        | React-Redux-TodoMVC                  |134.738333   |131.801667   |0.978205  | 0.000000 (significant)                           |
        | Vanilla-ES2015-Babel-Webpack-TodoMVC |56.780000    |56.168333    |0.989227  | 0.000514 (significant)                           |
        ----------------------------------------------------------------------------------------------------------------------------------
        a mean = 293.86568
        b mean = 297.52900
        pValue = 0.0266899465
        (Bigger means are better.)
        1.012 times better
        Results ARE significant

        * runtime/Options.cpp:
        (JSC::overrideDefaults):

2022-02-23  Adrian Perez de Castro  <aperez@igalia.com>

        Ensure generated inline assembler that setups segments returns to previous state
        https://bugs.webkit.org/show_bug.cgi?id=236976

        Reviewed by Yusuke Suzuki.

        Use .previous in inline assembler in order to ensure that mixed emission of assembler
        functions and other definitions correctly puts each of them in their rightful sections
        in the output object code.

        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerMIPS.cpp:
        * assembler/MacroAssemblerX86Common.cpp:

2022-02-22  Chris Dumez  <cdumez@apple.com>

        Add a URL constructor that takes a String
        https://bugs.webkit.org/show_bug.cgi?id=237068

        Reviewed by Darin Adler.

        Adopt the new `URL(const String&)` constructor.

        * API/JSAPIGlobalObject.mm:
        (JSC::computeValidImportSpecifier):

2022-02-22  Alexander Kanavin  <alex@linutronix.de>

        When building introspection files, add CMAKE_C_FLAGS to the compiler flags.
        https://bugs.webkit.org/show_bug.cgi?id=232936

        Reviewed by Michael Catanzaro.

        g-ir-compiler is using a C compiler internally, so it needs to set
        the proper flags for it.

        * PlatformGTK.cmake:

2022-02-22  Asumu Takikawa  <asumu@igalia.com>

        Initial support for Wasm/ESM-integration in the WebCore module loader
        https://bugs.webkit.org/show_bug.cgi?id=236268

        Reviewed by Yusuke Suzuki.

        Adjust WebAssemblySourceProvider to inherit from a new abstract base
        class that exposes the data as a pointer and size, to allow
        implementations other than a Vector. Also add initialization
        and cleanup methods managed by RAII class.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * parser/SourceProvider.cpp:
        (JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider):
        * parser/SourceProvider.h:
        (JSC::BaseWebAssemblySourceProvider::lockUnderlyingBuffer):
        (JSC::BaseWebAssemblySourceProvider::unlockUnderlyingBuffer):
        (JSC::WebAssemblySourceProviderBufferGuard::WebAssemblySourceProviderBufferGuard):
        (JSC::WebAssemblySourceProviderBufferGuard::~WebAssemblySourceProviderBufferGuard):
        * runtime/CachedTypes.cpp:
        (JSC::CachedWebAssemblySourceProvider::encode):
        * tools/JSDollarVM.cpp:
        * wasm/js/JSWebAssemblyHelpers.h:
        (JSC::getWasmBufferFromValue):
        (JSC::createSourceBufferFromValue):

2022-02-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ShadowRealm JSRemoteFunction creation should convert CopyNameAndLength errors to TypeError
        https://bugs.webkit.org/show_bug.cgi?id=237007

        Reviewed by Alexey Shvayka.

        1. Rename JSRemoteFunction::create to tryCreate since it can throw an error.
        2. Passing JSGlobalObject* as a first parameter to JSRemoteFunction::tryCreate since it can throw an error.
        3. Extract CopyNameAndLength part and convert errors to TypeError as specified.

        * jit/JITOperations.cpp:
        (JSC::getWrappedValue):
        (JSC::JSC_DEFINE_JIT_OPERATION):
        * runtime/JSRemoteFunction.cpp:
        (JSC::wrapValue):
        (JSC::JSC_DEFINE_HOST_FUNCTION):
        (JSC::JSRemoteFunction::tryCreate):
        (JSC::JSRemoteFunction::copyNameAndLength):
        (JSC::JSRemoteFunction::finishCreation):
        (JSC::JSRemoteFunction::create): Deleted.
        * runtime/JSRemoteFunction.h:

2022-02-22  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] TypeError from JSRemoteFunction should be generated by JSRemoteFunction's JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=237013

        Reviewed by Saam Barati.

        Our unwinding converts any errors inside JSRemoteFunction to TypeError. At that time, we should
        use JSRemoteFunction's JSGlobalObject for this type error.

        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator() const):
        (JSC::sanitizeRemoteFunctionException):
        (JSC::Interpreter::unwind):

2022-02-21  Robin Morisset  <rmorisset@apple.com>

        [JSC] Format the output of --reportTotalPhaseTimes=1 more nicely
        https://bugs.webkit.org/show_bug.cgi?id=237005

        Reviewed by Saam Barati.

        Before this patch:
        [B3] moveConstants total ms: 64.307583 max ms: 1.703167
        [B3] lowerToAir total ms: 151.297782 max ms: 5.426375
        [B3] generateToAir total ms: 1623.987166 max ms: 92.826750
        [B3] simplifyCFG total ms: 11.760463 max ms: 1.088083
        [B3] Air::lowerMacros total ms: 5.975679 max ms: 0.382000

        After this patch:
        total ms:   66.328 max ms:   2.283 [B3] moveConstants
        total ms:  148.097 max ms:   5.361 [B3] lowerToAir
        total ms: 1619.115 max ms:  96.307 [Total B3] generateToAir
        total ms:   11.959 max ms:   1.185 [Air] simplifyCFG
        total ms:    6.519 max ms:   0.697 [Air] Air::lowerMacros

        Concretely there are two changes:
        - use FixedWidthDouble (also introduced to WTF in this patch) to line-up the total times.
          This makes it possible to see at a glance which phases are worth optimizing and which aren't.
        - Tag phases more precisely, and in particular replace [B3] by [Air] where relevant,
          and give different tags to measurements that correspond to groups of phases instead of a single phase (e.g. generateToAir).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3Compile.cpp:
        (JSC::B3::compile):
        * b3/B3FixSSA.cpp:
        * b3/B3Generate.cpp:
        (JSC::B3::prepareForGeneration):
        (JSC::B3::generateToAir):
        * b3/B3PhaseScope.cpp:
        (JSC::B3::PhaseScope::PhaseScope):
        * b3/B3PhaseScope.h:
        * b3/B3TimingScope.h: Removed.
        (JSC::B3::TimingScope::TimingScope): Deleted.
        * b3/B3VariableLiveness.cpp:
        (JSC::B3::VariableLiveness::VariableLiveness):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp:
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        * b3/air/AirLiveness.h:
        (JSC::B3::Air::Liveness::Liveness):
        * b3/air/AirPhaseScope.cpp:
        (JSC::B3::Air::PhaseScope::PhaseScope):
        * b3/air/AirPhaseScope.h:
        * tools/CompilerTimingScope.cpp:

2022-02-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Fix ShadowRealm unwinding
        https://bugs.webkit.org/show_bug.cgi?id=237001

        Reviewed by Saam Barati.

        This patch fixes a crash bug found by test262. Regardless of it is RemoteFunction,
        we should handle it as the same way to the other normal host functions except
        for setting m_seenRemoteFunction = true flag. Previously, we are early returning,
        this is wrong since we should stop unwinding if the caller is entry frame.

        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator() const):

2022-02-21  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Temporal.PlainDate should validate input range
        https://bugs.webkit.org/show_bug.cgi?id=236936

        Reviewed by Darin Adler.

        Implement https://tc39.es/proposal-temporal/#sec-temporal-isodatetimewithinlimits check in
        PlainDate to validate input range. For example, 0x7fffffff year should be rejected since
        it is larger than ECMAScript datetime representation value. This is checked via ISODateTimeWithinLimits
        in the spec.

        We also remove isValid assertions in ExactTime. This should not be checked in these accessors, rather,
        we should call that function when we would like to check, since PlainDate can represent a bit smaller
        value than ExactTime's minValue (minValue - nsPerDay).

        We also extend ExactTime::fromISOPartsAndOffset to handle values via Int128 to accept int32_t range years.
        By using Int128 for nanoseconds, we can even represent int32_t max / min years. And we remove
        `ASSERT(y >= -999999 && y <= 999999)` check since this is not necessary.

        * runtime/ISO8601.cpp:
        (JSC::ISO8601::ExactTime::fromISOPartsAndOffset):
        (JSC::ISO8601::isDateTimeWithinLimits):
        * runtime/ISO8601.h:
        (JSC::ISO8601::ExactTime::ExactTime): Deleted.
        (JSC::ISO8601::ExactTime::fromEpochSeconds): Deleted.
        (JSC::ISO8601::ExactTime::fromEpochMilliseconds): Deleted.
        (JSC::ISO8601::ExactTime::fromEpochMicroseconds): Deleted.
        (JSC::ISO8601::ExactTime::epochSeconds const): Deleted.
        (JSC::ISO8601::ExactTime::epochMilliseconds const): Deleted.
        (JSC::ISO8601::ExactTime::epochMicroseconds const): Deleted.
        (JSC::ISO8601::ExactTime::epochNanoseconds const): Deleted.
        (JSC::ISO8601::ExactTime::nanosecondsFraction const): Deleted.
        (JSC::ISO8601::ExactTime::asString const): Deleted.
        (JSC::ISO8601::ExactTime::isValid const): Deleted.
        (JSC::ISO8601::ExactTime::operator< const): Deleted.
        (JSC::ISO8601::ExactTime::operator<= const): Deleted.
        (JSC::ISO8601::ExactTime::operator== const): Deleted.
        (JSC::ISO8601::ExactTime::operator!= const): Deleted.
        (JSC::ISO8601::ExactTime::operator>= const): Deleted.
        (JSC::ISO8601::ExactTime::operator> const): Deleted.
        * runtime/TemporalPlainDate.cpp:
        (JSC::toPlainDate):

== Rolled over to ChangeLog-2022-02-22 ==