diff --git a/API/APICast.h b/API/APICast.h index 21f3a7d..ae9bc07 100644 --- a/API/APICast.h +++ b/API/APICast.h @@ -30,6 +30,7 @@ #include "JSCJSValue.h" #include "JSCJSValueInlines.h" #include "JSGlobalObject.h" +#include "HeapCellInlines.h" namespace JSC { class ExecState; @@ -68,7 +69,7 @@ inline JSC::JSGlobalObject* toJSGlobalObject(JSGlobalContextRef context) inline JSC::JSValue toJS(JSC::ExecState* exec, JSValueRef v) { ASSERT_UNUSED(exec, exec); -#if USE(JSVALUE32_64) +#if !CPU(ADDRESS64) JSC::JSCell* jsCell = reinterpret_cast(const_cast(v)); if (!jsCell) return JSC::jsNull(); @@ -78,28 +79,28 @@ inline JSC::JSValue toJS(JSC::ExecState* exec, JSValueRef v) else result = jsCell; #else - JSC::JSValue result = JSC::JSValue::decode(reinterpret_cast(const_cast(v))); + JSC::JSValue result = bitwise_cast(v); #endif if (!result) return JSC::jsNull(); if (result.isCell()) - RELEASE_ASSERT(result.asCell()->methodTable()); + RELEASE_ASSERT(result.asCell()->methodTable(exec->vm())); return result; } inline JSC::JSValue toJSForGC(JSC::ExecState* exec, JSValueRef v) { ASSERT_UNUSED(exec, exec); -#if USE(JSVALUE32_64) +#if !CPU(ADDRESS64) JSC::JSCell* jsCell = reinterpret_cast(const_cast(v)); if (!jsCell) return JSC::JSValue(); JSC::JSValue result = jsCell; #else - JSC::JSValue result = JSC::JSValue::decode(reinterpret_cast(const_cast(v))); + JSC::JSValue result = bitwise_cast(v); #endif if (result && result.isCell()) - RELEASE_ASSERT(result.asCell()->methodTable()); + RELEASE_ASSERT(result.asCell()->methodTable(exec->vm())); return result; } @@ -113,7 +114,7 @@ inline JSC::JSObject* toJS(JSObjectRef o) { JSC::JSObject* object = uncheckedToJS(o); if (object) - RELEASE_ASSERT(object->methodTable()); + RELEASE_ASSERT(object->methodTable(*object->vm())); return object; } 
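Review bot: The predicate that selects the JSValueRef encoding changes from `USE(JSVALUE32_64)` to `!CPU(ADDRESS64)` in `toJS`, `toJSForGC` and (next hunk) `toRef`; if any other encoder or decoder of JSValueRef elsewhere in the API directory still keys on `USE(JSVALUE32_64)`, the two sides would disagree on a configuration where the predicates differ, so that is worth a grep before landing. The choice also deserves a comment at the top of `toJS`, e.g. `// On 64-bit-address targets a JSValueRef carries the raw JSValue encoding (bitwise_cast); elsewhere it is a JSCell* and toRef boxes non-cell values in a JSAPIValueWrapper.` The new `RELEASE_ASSERT(result.asCell()->methodTable(exec->vm()))` dereferences `exec` on both preprocessor paths, so the `ASSERT_UNUSED(exec, exec)` at the top of `toJS` and `toJSForGC` no longer describes reality; plain `ASSERT(exec)` reads better.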
@@ -127,21 +128,26 @@ inline JSC::VM* toJS(JSContextGroupRef g) return reinterpret_cast(const_cast(g)); } -inline JSValueRef toRef(JSC::ExecState* exec, JSC::JSValue v) +inline JSValueRef toRef(JSC::VM& vm, JSC::JSValue v) { - ASSERT(exec->vm().currentThreadIsHoldingAPILock()); -#if USE(JSVALUE32_64) + ASSERT(vm.currentThreadIsHoldingAPILock()); +#if !CPU(ADDRESS64) if (!v) return 0; if (!v.isCell()) - return reinterpret_cast(JSC::jsAPIValueWrapper(exec, v).asCell()); + return reinterpret_cast(JSC::JSAPIValueWrapper::create(vm, v)); return reinterpret_cast(v.asCell()); #else - UNUSED_PARAM(exec); - return reinterpret_cast(JSC::JSValue::encode(v)); + UNUSED_PARAM(vm); + return bitwise_cast(v); #endif } +inline JSValueRef toRef(JSC::ExecState* exec, JSC::JSValue v) +{ + return toRef(exec->vm(), v); +} + inline JSObjectRef toRef(JSC::JSObject* o) { return reinterpret_cast(o); diff --git a/API/APIUtils.h b/API/APIUtils.h index 782a915..7a5e8ba 100644 --- a/API/APIUtils.h +++ b/API/APIUtils.h @@ -37,17 +37,15 @@ enum class ExceptionStatus { DidNotThrow }; -inline ExceptionStatus handleExceptionIfNeeded(JSC::ExecState* exec, JSValueRef* returnedExceptionRef) +inline ExceptionStatus handleExceptionIfNeeded(JSC::CatchScope& scope, JSC::ExecState* exec, JSValueRef* returnedExceptionRef) { - JSC::VM& vm = exec->vm(); - auto scope = DECLARE_CATCH_SCOPE(vm); if (UNLIKELY(scope.exception())) { JSC::Exception* exception = scope.exception(); if (returnedExceptionRef) *returnedExceptionRef = toRef(exec, exception->value()); scope.clearException(); #if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exception); + scope.vm().vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, exception); #endif return ExceptionStatus::DidThrow; } 
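Review bot: `toRef(JSC::VM&, JSC::JSValue)` has two quite different costs and lifetimes depending on the target and nothing at the declaration says so: on `!CPU(ADDRESS64)` a non-cell value is boxed in a freshly allocated `JSAPIValueWrapper`, so the returned ref is a GC cell pointer that stays valid only while that wrapper is reachable, whereas on ADDRESS64 it is the `bitwise_cast` of the value itself. A short comment above the function stating that, and that the API lock must be held (the `ASSERT(vm.currentThreadIsHoldingAPILock())` only fires in debug builds), would save the next reader a trip through both branches. The `return 0;` context line on the null-value path could become `return nullptr;` to match the `return nullptr` cleanups this same commit makes in JSBase.cpp.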
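Review bot: `handleExceptionIfNeeded` now takes the caller's `CatchScope` instead of declaring its own, which changes its contract (the scope must belong to `exec`'s VM and be the innermost catch scope, and a pending exception is consumed whether or not `returnedExceptionRef` is non-null), but the hunk adds no comment saying so. I would document it above the signature, e.g. `// Consumes any exception pending on scope: it is handed to *returnedExceptionRef when provided, reported to the inspector, and cleared either way.` Silently dropping the exception when `returnedExceptionRef` is null is pre-existing behaviour, but the new parameter is the right moment to state it.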
@@ -59,7 +57,8 @@ inline void setException(JSC::ExecState* exec, JSValueRef* returnedExceptionRef, if (returnedExceptionRef) *returnedExceptionRef = toRef(exec, exception); #if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, JSC::Exception::create(exec->vm(), exception)); + JSC::VM& vm = exec->vm(); + vm.vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, JSC::Exception::create(vm, exception)); #endif } diff --git a/API/JSAPIGlobalObject.cpp b/API/JSAPIGlobalObject.cpp new file mode 100644 index 0000000..d75c58d --- /dev/null +++ b/API/JSAPIGlobalObject.cpp 
@@ -0,0 +1,54 @@ +/* + * Copyright (C) 2019 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" +#include "JSAPIGlobalObject.h" + +#if !JSC_OBJC_API_ENABLED + +namespace JSC { + +const ClassInfo JSAPIGlobalObject::s_info = { "GlobalObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSAPIGlobalObject) }; + +const GlobalObjectMethodTable JSAPIGlobalObject::s_globalObjectMethodTable = { + &supportsRichSourceInfo, + &shouldInterruptScript, + &javaScriptRuntimeFlags, + nullptr, // queueTaskToEventLoop + &shouldInterruptScriptBeforeTimeout, + nullptr, // moduleLoaderImportModule + nullptr, // moduleLoaderResolve + nullptr, // moduleLoaderFetch + nullptr, // moduleLoaderCreateImportMetaProperties + nullptr, // moduleLoaderEvaluate + nullptr, // promiseRejectionTracker + nullptr, // defaultLanguage + nullptr, // compileStreaming + nullptr, // instantiateStreaming +}; + +} + +#endif diff --git a/API/JSAPIGlobalObject.h b/API/JSAPIGlobalObject.h new file mode 100644 index 0000000..339e5e2 --- /dev/null +++ b/API/JSAPIGlobalObject.h 
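Review bot: This non-ObjC `s_globalObjectMethodTable` and its twin in JSAPIGlobalObject.mm differ only in the five module-loader slots, and nothing ties the two definitions together; a comment such as `// Keep in sync with JSAPIGlobalObject.mm, which fills the moduleLoader* slots.` above the table would make a later change to one of them harder to miss. The header declares the `moduleLoader*` statics unconditionally, so in this configuration they are declared but never defined; that is harmless only as long as nothing takes their address, which this file does not.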
@@ -0,0 +1,69 @@ +/* + * Copyright (C) 2019 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#pragma once + +#include "JSGlobalObject.h" + +OBJC_CLASS JSScript; + +namespace JSC { + +class JSAPIGlobalObject : public JSGlobalObject { +public: + using Base = JSGlobalObject; + + DECLARE_EXPORT_INFO; + static const GlobalObjectMethodTable s_globalObjectMethodTable; + + static JSAPIGlobalObject* create(VM& vm, Structure* structure) + { + auto* object = new (NotNull, allocateCell(vm.heap)) JSAPIGlobalObject(vm, structure); + object->finishCreation(vm); + return object; + } + + static Structure* createStructure(VM& vm, JSValue prototype) + { + auto* result = Structure::create(vm, 0, prototype, TypeInfo(GlobalObjectType, StructureFlags), info()); + result->setTransitionWatchpointIsLikelyToBeFired(true); + return result; + } + + static JSInternalPromise* moduleLoaderImportModule(JSGlobalObject*, ExecState*, JSModuleLoader*, JSString* moduleNameValue, JSValue parameters, const SourceOrigin&); + static Identifier moduleLoaderResolve(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue keyValue, JSValue referrerValue, JSValue); + static JSInternalPromise* moduleLoaderFetch(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue, JSValue, JSValue); + static JSObject* moduleLoaderCreateImportMetaProperties(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue, JSModuleRecord*, JSValue); + static JSValue moduleLoaderEvaluate(JSGlobalObject*, ExecState*, JSModuleLoader*, JSValue, JSValue, JSValue); + + JSValue loadAndEvaluateJSScriptModule(const JSLockHolder&, JSScript *); + +private: + JSAPIGlobalObject(VM& vm, Structure* structure) + : Base(vm, structure, &s_globalObjectMethodTable) + { } +}; + +} diff --git a/API/JSAPIGlobalObject.mm b/API/JSAPIGlobalObject.mm new file mode 100644 index 0000000..116109b --- /dev/null +++ b/API/JSAPIGlobalObject.mm 
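Review bot: `moduleLoaderImportModule` through `moduleLoaderEvaluate` and `loadAndEvaluateJSScriptModule` are declared for every build, but the only definitions visible in this commit live in JSAPIGlobalObject.mm under `JSC_OBJC_API_ENABLED`; either guard the declarations the same way or add a comment noting that they are ObjC-API-only. In `createStructure`, `Structure::create(vm, 0, prototype, ...)` passes a literal `0` for the global-object pointer where `nullptr` would match the rest of the new code. `loadAndEvaluateJSScriptModule(const JSLockHolder&, JSScript *)` also deserves a one-line comment that the otherwise unused lock-holder parameter is presumably there to prove the caller holds the API lock — confirm and state it.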
@@ -0,0 +1,288 @@ +/* + * Copyright (C) 2019 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#import "config.h" +#import "JSAPIGlobalObject.h" + +#if JSC_OBJC_API_ENABLED + +#import "APICast.h" +#import "CatchScope.h" +#import "Completion.h" +#import "Error.h" +#import "Exception.h" +#import "JSContextInternal.h" +#import "JSInternalPromise.h" +#import "JSInternalPromiseDeferred.h" +#import "JSModuleLoader.h" +#import "JSNativeStdFunction.h" +#import "JSPromiseDeferred.h" +#import "JSScriptInternal.h" +#import "JSSourceCode.h" +#import "JSValueInternal.h" +#import "JSVirtualMachineInternal.h" +#import "JavaScriptCore.h" +#import "ObjectConstructor.h" +#import "SourceOrigin.h" +#import + +namespace JSC { + +const ClassInfo JSAPIGlobalObject::s_info = { "GlobalObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSAPIGlobalObject) }; + +const GlobalObjectMethodTable JSAPIGlobalObject::s_globalObjectMethodTable = { + &supportsRichSourceInfo, + &shouldInterruptScript, + &javaScriptRuntimeFlags, + nullptr, // queueTaskToEventLoop + &shouldInterruptScriptBeforeTimeout, + &moduleLoaderImportModule, // moduleLoaderImportModule + &moduleLoaderResolve, // moduleLoaderResolve + &moduleLoaderFetch, // moduleLoaderFetch + &moduleLoaderCreateImportMetaProperties, // moduleLoaderCreateImportMetaProperties + moduleLoaderEvaluate, // moduleLoaderEvaluate + nullptr, // promiseRejectionTracker + nullptr, // defaultLanguage + nullptr, // compileStreaming + nullptr, // instantiateStreaming +}; + +static Expected computeValidImportSpecifier(const URL& base, const String& specifier) +{ + URL absoluteURL(URL(), specifier); + if (absoluteURL.isValid()) + return absoluteURL; + + if (!specifier.startsWith('/') && !specifier.startsWith("./") && !specifier.startsWith("../")) + return makeUnexpected(makeString("Module specifier: "_s, specifier, " does not start with \"/\", \"./\", or \"../\"."_s)); + + if (specifier.startsWith('/')) { + absoluteURL = URL(URL({ }, "file://"), specifier); + if (absoluteURL.isValid()) + return absoluteURL; + } + + if (base == URL()) + 
return makeUnexpected("Could not determine the base URL for loading."_s); + + if (!base.isValid()) + return makeUnexpected(makeString("Referrering script's url is not valid: "_s, base.string())); + + absoluteURL = URL(base, specifier); + if (absoluteURL.isValid()) + return absoluteURL; + return makeUnexpected(makeString("Could not form valid URL from identifier and base. Tried:"_s, absoluteURL.string())); +} + +Identifier JSAPIGlobalObject::moduleLoaderResolve(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSValue key, JSValue referrer, JSValue) +{ + VM& vm = exec->vm(); + auto scope = DECLARE_THROW_SCOPE(vm); + ASSERT_UNUSED(globalObject, globalObject == exec->lexicalGlobalObject()); + ASSERT(key.isString() || key.isSymbol()); + String name = key.toWTFString(exec); + RETURN_IF_EXCEPTION(scope, { }); + + URL base; + if (JSString* referrerString = jsDynamicCast(vm, referrer)) { + String value = referrerString->value(exec); + RETURN_IF_EXCEPTION(scope, { }); + URL referrerURL({ }, value); + RELEASE_ASSERT(referrerURL.isValid()); + base = WTFMove(referrerURL); + } + + auto result = computeValidImportSpecifier(base, name); + if (result) + return Identifier::fromString(&vm, result.value()); + + throwVMError(exec, scope, createError(exec, result.error())); + return { }; +} + +JSInternalPromise* JSAPIGlobalObject::moduleLoaderImportModule(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSString* specifierValue, JSValue, const SourceOrigin& sourceOrigin) +{ + VM& vm = globalObject->vm(); + auto scope = DECLARE_CATCH_SCOPE(vm); + auto reject = [&] (JSValue exception) -> JSInternalPromise* { + scope.clearException(); + auto* promise = JSInternalPromiseDeferred::tryCreate(exec, globalObject); + scope.clearException(); + return promise->reject(exec, exception); + }; + + auto import = [&] (URL& url) { + auto result = importModule(exec, Identifier::fromString(&vm, url), jsUndefined(), jsUndefined()); + if (UNLIKELY(scope.exception())) + return 
reject(scope.exception()); + return result; + }; + + auto specifier = specifierValue->value(exec); + if (UNLIKELY(scope.exception())) { + JSValue exception = scope.exception(); + scope.clearException(); + return reject(exception); + } + + String referrer = !sourceOrigin.isNull() ? sourceOrigin.string() : String(); + URL baseURL(URL(), referrer); + auto result = computeValidImportSpecifier(baseURL, specifier); + if (result) + return import(result.value()); + return reject(createError(exec, result.error())); +} + +JSInternalPromise* JSAPIGlobalObject::moduleLoaderFetch(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSValue key, JSValue, JSValue) +{ + VM& vm = globalObject->vm(); + auto scope = DECLARE_CATCH_SCOPE(vm); + + ASSERT(globalObject == exec->lexicalGlobalObject()); + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject->globalExec())]; + + JSInternalPromiseDeferred* deferred = JSInternalPromiseDeferred::tryCreate(exec, globalObject); + RETURN_IF_EXCEPTION(scope, nullptr); + + Identifier moduleKey = key.toPropertyKey(exec); + if (UNLIKELY(scope.exception())) { + JSValue exception = scope.exception(); + scope.clearException(); + return deferred->reject(exec, exception); + } + + if (UNLIKELY(![context moduleLoaderDelegate])) + return deferred->reject(exec, createError(exec, "No module loader provided.")); + + auto deferredPromise = Strong(vm, deferred); + auto* resolve = JSNativeStdFunction::create(vm, globalObject, 1, "resolve", [=] (ExecState* exec) { + // This captures the globalObject but that's ok because our structure keeps it alive anyway. 
+ VM& vm = exec->vm(); + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject->globalExec())]; + id script = valueToObject(context, toRef(exec, exec->argument(0))); + + MarkedArgumentBuffer args; + + auto rejectPromise = [&] (String message) { + args.append(createTypeError(exec, message)); + call(exec, deferredPromise->JSPromiseDeferred::reject(), args, "This should never be seen..."); + return encodedJSUndefined(); + }; + + if (UNLIKELY(![script isKindOfClass:[JSScript class]])) + return rejectPromise("First argument of resolution callback is not a JSScript"_s); + + JSScript* jsScript = static_cast(script); + + JSSourceCode* source = [jsScript jsSourceCode]; + if (UNLIKELY([jsScript type] != kJSScriptTypeModule)) + return rejectPromise("The JSScript that was provided did not have expected type of kJSScriptTypeModule."_s); + + NSURL *sourceURL = [jsScript sourceURL]; + String oldModuleKey { [sourceURL absoluteString] }; + if (UNLIKELY(Identifier::fromString(&vm, oldModuleKey) != moduleKey)) + return rejectPromise(makeString("The same JSScript was provided for two different identifiers, previously: ", oldModuleKey, " and now: ", moduleKey.string())); + + args.append(source); + call(exec, deferredPromise->JSPromiseDeferred::resolve(), args, "This should never be seen..."); + return encodedJSUndefined(); + }); + + auto* reject = JSNativeStdFunction::create(vm, globalObject, 1, "reject", [=] (ExecState* exec) { + MarkedArgumentBuffer args; + args.append(exec->argument(0)); + + call(exec, deferredPromise->JSPromiseDeferred::reject(), args, "This should never be seen..."); + return encodedJSUndefined(); + }); + + [[context moduleLoaderDelegate] context:context fetchModuleForIdentifier:[::JSValue valueWithJSValueRef:toRef(exec, key) inContext:context] withResolveHandler:[::JSValue valueWithJSValueRef:toRef(exec, resolve) inContext:context] andRejectHandler:[::JSValue valueWithJSValueRef:toRef(exec, reject) inContext:context]]; + if 
(context.exception) { + deferred->reject(exec, toJS(exec, [context.exception JSValueRef])); + context.exception = nil; + } + return deferred->promise(); +} + +JSObject* JSAPIGlobalObject::moduleLoaderCreateImportMetaProperties(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader*, JSValue key, JSModuleRecord*, JSValue) +{ + VM& vm = exec->vm(); + auto scope = DECLARE_THROW_SCOPE(vm); + + JSObject* metaProperties = constructEmptyObject(exec, globalObject->nullPrototypeObjectStructure()); + RETURN_IF_EXCEPTION(scope, nullptr); + + metaProperties->putDirect(vm, Identifier::fromString(&vm, "filename"), key); + RETURN_IF_EXCEPTION(scope, nullptr); + + return metaProperties; +} + +JSValue JSAPIGlobalObject::moduleLoaderEvaluate(JSGlobalObject* globalObject, ExecState* exec, JSModuleLoader* moduleLoader, JSValue key, JSValue moduleRecordValue, JSValue scriptFetcher) +{ + VM& vm = exec->vm(); + auto scope = DECLARE_THROW_SCOPE(vm); + + JSContext *context = [JSContext contextWithJSGlobalContextRef:toGlobalRef(globalObject->globalExec())]; + id moduleLoaderDelegate = [context moduleLoaderDelegate]; + NSURL *url = nil; + + if ([moduleLoaderDelegate respondsToSelector:@selector(willEvaluateModule:)] || [moduleLoaderDelegate respondsToSelector:@selector(didEvaluateModule:)]) { + String moduleKey = key.toWTFString(exec); + RETURN_IF_EXCEPTION(scope, { }); + url = [NSURL URLWithString:static_cast(moduleKey)]; + } + + if ([moduleLoaderDelegate respondsToSelector:@selector(willEvaluateModule:)]) + [moduleLoaderDelegate willEvaluateModule:url]; + + scope.release(); + JSValue result = moduleLoader->evaluateNonVirtual(exec, key, moduleRecordValue, scriptFetcher); + + if ([moduleLoaderDelegate respondsToSelector:@selector(didEvaluateModule:)]) + [moduleLoaderDelegate didEvaluateModule:url]; + + return result; +} + +JSValue JSAPIGlobalObject::loadAndEvaluateJSScriptModule(const JSLockHolder&, JSScript *script) +{ + ASSERT(script.type == kJSScriptTypeModule); + VM& vm = 
this->vm(); + ExecState* exec = globalExec(); + auto scope = DECLARE_THROW_SCOPE(vm); + + Identifier key = Identifier::fromString(exec, String { [[script sourceURL] absoluteString] }); + JSInternalPromise* promise = importModule(exec, key, jsUndefined(), jsUndefined()); + RETURN_IF_EXCEPTION(scope, { }); + auto result = JSPromiseDeferred::tryCreate(exec, this); + RETURN_IF_EXCEPTION(scope, { }); + result->resolve(exec, promise); + return result->promise(); +} + +} + +#endif // JSC_OBJC_API_ENABLED diff --git a/runtime/JSAPIValueWrapper.cpp b/API/JSAPIValueWrapper.cpp similarity index 100% rename from runtime/JSAPIValueWrapper.cpp rename to API/JSAPIValueWrapper.cpp diff --git a/runtime/JSAPIValueWrapper.h b/API/JSAPIValueWrapper.h similarity index 78% rename from runtime/JSAPIValueWrapper.h rename to API/JSAPIValueWrapper.h index 8c7c845..aa26082 100644 --- a/runtime/JSAPIValueWrapper.h +++ b/API/JSAPIValueWrapper.h @@ -1,7 +1,7 @@ /* * Copyright (C) 1999-2001 Harri Porten (porten@kde.org) * Copyright (C) 2001 Peter Kelly (pmk@post.com) - * Copyright (C) 2003, 2004, 2005, 2007, 2008 Apple Inc. All rights reserved. + * Copyright (C) 2003-2019 Apple Inc. All rights reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Library General Public @@ -22,14 +22,14 @@ #pragma once -#include "JSCJSValue.h" -#include "JSCell.h" #include "CallFrame.h" +#include "JSCJSValue.h" +#include "JSCast.h" #include "Structure.h" namespace JSC { -class JSAPIValueWrapper : public JSCell { +class JSAPIValueWrapper final : public JSCell { friend JSValue jsAPIValueWrapper(ExecState*, JSValue); public: typedef JSCell Base; 
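Review bot: In `moduleLoaderImportModule` the `reject` lambda calls `JSInternalPromiseDeferred::tryCreate(exec, globalObject)`, clears the scope, and then dereferences the result (`return promise->reject(exec, exception);`) without checking it, while `moduleLoaderFetch` in the same hunk treats `tryCreate` as fallible (`RETURN_IF_EXCEPTION(scope, nullptr)`), so a failed creation here is a null dereference; adding `if (UNLIKELY(!promise)) return nullptr;` before that `return` keeps the lambda consistent with the fetch path, which already returns nullptr on failure. Separately, `computeValidImportSpecifier` accepts any already-absolute URL unchanged and turns a leading-`/` specifier into a `file://` URL, so the only place that decides whether a given URL may actually be fetched is the delegate's `fetchModuleForIdentifier:`; a comment above the function saying exactly that would help anyone implementing a delegate. The same function has two message typos: `"Referrering script's url is not valid: "_s` → `"Referring script's URL is not valid: "_s`, and `"... Tried:"_s` lacks a space before the URL that follows. In `moduleLoaderEvaluate`, `didEvaluateModule:` is sent even when `evaluateNonVirtual` threw (the scope is released just before the call), which deserves either a comment that the delegate sees "did evaluate" for failed modules too, or a pending-exception check before the callback.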
@@ -44,10 +44,9 @@ public: DECLARE_EXPORT_INFO; - static JSAPIValueWrapper* create(ExecState* exec, JSValue value) + static JSAPIValueWrapper* create(VM& vm, JSValue value) { - VM& vm = exec->vm(); - JSAPIValueWrapper* wrapper = new (NotNull, allocateCell(vm.heap)) JSAPIValueWrapper(exec); + JSAPIValueWrapper* wrapper = new (NotNull, allocateCell(vm.heap)) JSAPIValueWrapper(vm); wrapper->finishCreation(vm, value); return wrapper; } @@ -61,17 +60,12 @@ protected: } private: - JSAPIValueWrapper(ExecState* exec) - : JSCell(exec->vm(), exec->vm().apiWrapperStructure.get()) + JSAPIValueWrapper(VM& vm) + : JSCell(vm, vm.apiWrapperStructure.get()) { } WriteBarrier m_value; }; -inline JSValue jsAPIValueWrapper(ExecState* exec, JSValue value) -{ - return JSAPIValueWrapper::create(exec, value); -} - } // namespace JSC diff --git a/API/JSAPIWrapperObject.h b/API/JSAPIWrapperObject.h index 14194b6..dd874dc 100644 --- a/API/JSAPIWrapperObject.h +++ b/API/JSAPIWrapperObject.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Apple Inc. All rights reserved. + * Copyright (C) 2013-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -28,9 +28,8 @@ #include "JSBase.h" #include "JSDestructibleObject.h" -#include "WeakReferenceHarvester.h" -#if JSC_OBJC_API_ENABLED +#if JSC_OBJC_API_ENABLED || defined(JSC_GLIB_API_ENABLED) namespace JSC { @@ -48,11 +47,11 @@ protected: JSAPIWrapperObject(VM&, Structure*); private: - void* m_wrappedObject; + void* m_wrappedObject { nullptr }; }; } // namespace JSC -#endif // JSC_OBJC_API_ENABLED +#endif // JSC_OBJC_API_ENABLED || defined(JSC_GLIB_API_ENABLED) #endif // JSAPIWrapperObject_h diff --git a/API/JSAPIWrapperObject.mm b/API/JSAPIWrapperObject.mm index 46dc2a7..58b74e7 100644 --- a/API/JSAPIWrapperObject.mm +++ b/API/JSAPIWrapperObject.mm 
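Review bot: The inline `jsAPIValueWrapper(ExecState*, JSValue)` helper is removed here, but the class body in the previous hunk still carries `friend JSValue jsAPIValueWrapper(ExecState*, JSValue);`, which now names a function that no longer exists anywhere in this diff; drop the friend declaration, since the public `create(VM&, JSValue)` is what APICast.h calls. With construction moved to `VM&`, the single-argument constructor `JSAPIValueWrapper(VM& vm)` would also read better as `explicit JSAPIValueWrapper(VM& vm)`.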
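Review bot: `#if JSC_OBJC_API_ENABLED || defined(JSC_GLIB_API_ENABLED)` tests one macro by value and the other by definedness, so a build that defines `JSC_GLIB_API_ENABLED` as 0 would still compile the class in; if the GLib macro is meant to be a 0/1 flag like the ObjC one, `#if JSC_OBJC_API_ENABLED || JSC_GLIB_API_ENABLED` is the consistent form, otherwise a comment explaining why the two are tested differently is warranted. Whether `JSC_GLIB_API_ENABLED` is ever defined to 0 is not visible here, so treat this as a question rather than a defect.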
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Apple Inc. All rights reserved. + * Copyright (C) 2013-2018 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -37,7 +37,7 @@ class JSAPIWrapperObjectHandleOwner : public JSC::WeakHandleOwner { public: void finalize(JSC::Handle, void*) override; - bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&) override; + bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) override; }; static JSAPIWrapperObjectHandleOwner* jsAPIWrapperObjectHandleOwner() @@ -56,14 +56,14 @@ void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle handle, v JSC::WeakSet::deallocate(JSC::WeakImpl::asWeakImpl(handle.slot())); } -bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::Handle handle, void*, JSC::SlotVisitor& visitor) +bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::Handle handle, void*, JSC::SlotVisitor& visitor, const char**) { JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast(handle.get().asCell()); // We use the JSGlobalObject when processing weak handles to prevent the situation where using // the same Objective-C object in multiple global objects keeps all of the global objects alive. if (!wrapperObject->wrappedObject()) return false; - return JSC::Heap::isMarked(wrapperObject->structure()->globalObject()) && visitor.containsOpaqueRoot(wrapperObject->wrappedObject()); + return visitor.vm().heap.isMarked(wrapperObject->structure()->globalObject()) && visitor.containsOpaqueRoot(wrapperObject->wrappedObject()); } namespace JSC { @@ -80,7 +80,6 @@ Structure* JSCallbackObject::createStructure(VM& vm, JSGloba JSAPIWrapperObject::JSAPIWrapperObject(VM& vm, Structure* structure) : Base(vm, structure) - , m_wrappedObject(0) { } diff --git a/API/JSBase.cpp b/API/JSBase.cpp index d8917a3..44ed498 100644 --- a/API/JSBase.cpp 
+++ b/API/JSBase.cpp @@ -25,6 +25,7 @@ #include "config.h" #include "JSBase.h" +#include "JSBaseInternal.h" #include "JSBasePrivate.h" #include "APICast.h" @@ -47,24 +48,15 @@ using namespace JSC; -JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef thisObject, JSStringRef sourceURL, int startingLineNumber, JSValueRef* exception) +JSValueRef JSEvaluateScriptInternal(const JSLockHolder&, ExecState* exec, JSContextRef ctx, JSObjectRef thisObject, const SourceCode& source, JSValueRef* exception) { - if (!ctx) { - ASSERT_NOT_REACHED(); - return 0; - } - ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + UNUSED_PARAM(ctx); JSObject* jsThisObject = toJS(thisObject); - startingLineNumber = std::max(1, startingLineNumber); - // evaluate sets "this" to the global object if it is NULL - JSGlobalObject* globalObject = exec->vmEntryGlobalObject(); - auto sourceURLString = sourceURL ? sourceURL->string() : String(); - SourceCode source = makeSource(script->string(), SourceOrigin { sourceURLString }, sourceURLString, TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); - + VM& vm = exec->vm(); + JSGlobalObject* globalObject = vm.vmEntryGlobalObject(exec); NakedPtr evaluationException; JSValue returnValue = profiledEvaluate(globalObject->globalExec(), ProfilingReason::API, source, jsThisObject, evaluationException); @@ -79,7 +71,7 @@ JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef th // We could stash it in the inspector in case an inspector is ever opened. globalObject->inspectorController().reportAPIException(exec, evaluationException); #endif - return 0; + return nullptr; } if (returnValue) 
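Review bot: The removed comment `// evaluate sets "this" to the global object if it is NULL` still describes what `JSEvaluateScriptInternal` does — `jsThisObject` may be null and is passed straight to `profiledEvaluate` — so it should survive on the new side. The unused `const JSLockHolder&` and `ctx` parameters are presumably there so callers must prove they hold the API lock and for symmetry with the public entry point; a one-line comment stating that intent (`// The JSLockHolder parameter is a compile-time witness that the caller holds the API lock.`) would stop the next reviewer from "cleaning" them out. The function's tail, including the exception reporting, continues past the end of this hunk.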
@@ -89,6 +81,24 @@ JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef th return toRef(exec, jsUndefined()); } +JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef thisObject, JSStringRef sourceURL, int startingLineNumber, JSValueRef* exception) +{ + if (!ctx) { + ASSERT_NOT_REACHED(); + return nullptr; + } + ExecState* exec = toJS(ctx); + VM& vm = exec->vm(); + JSLockHolder locker(vm); + + startingLineNumber = std::max(1, startingLineNumber); + + auto sourceURLString = sourceURL ? sourceURL->string() : String(); + SourceCode source = makeSource(script->string(), SourceOrigin { sourceURLString }, URL({ }, sourceURLString), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); + + return JSEvaluateScriptInternal(locker, exec, ctx, thisObject, source, exception); +} + bool JSCheckScriptSyntax(JSContextRef ctx, JSStringRef script, JSStringRef sourceURL, int startingLineNumber, JSValueRef* exception) { if (!ctx) { 
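Review bot: `makeSource` now receives `URL({ }, sourceURLString)` instead of the raw string, here and in `JSCheckScriptSyntax` in the next hunk, so a caller that passes a non-URL `sourceURL` (a bare file name, say) now produces an invalid `URL` where it previously produced a plain string; whether everything downstream of `SourceCode` tolerates an invalid URL is not visible in this diff and is worth confirming. A short comment at the `makeSource` call noting that `sourceURL` is parsed as an absolute URL and that an unparsable value yields an invalid URL would document the new behaviour for API users.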
@@ -96,22 +106,23 @@ bool JSCheckScriptSyntax(JSContextRef ctx, JSStringRef script, JSStringRef sourc return false; } ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + VM& vm = exec->vm(); + JSLockHolder locker(vm); startingLineNumber = std::max(1, startingLineNumber); auto sourceURLString = sourceURL ? sourceURL->string() : String(); - SourceCode source = makeSource(script->string(), SourceOrigin { sourceURLString }, sourceURLString, TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); + SourceCode source = makeSource(script->string(), SourceOrigin { sourceURLString }, URL({ }, sourceURLString), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber())); JSValue syntaxException; - bool isValidSyntax = checkSyntax(exec->vmEntryGlobalObject()->globalExec(), source, &syntaxException); + bool isValidSyntax = checkSyntax(vm.vmEntryGlobalObject(exec)->globalExec(), source, &syntaxException); if (!isValidSyntax) { if (exception) *exception = toRef(exec, syntaxException); #if ENABLE(REMOTE_INSPECTOR) - Exception* exception = Exception::create(exec->vm(), syntaxException); - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exception); + Exception* exception = Exception::create(vm, syntaxException); + vm.vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, exception); #endif return false; } @@ -130,9 +141,10 @@ void JSGarbageCollect(JSContextRef ctx) return; ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + VM& vm = exec->vm(); + JSLockHolder locker(vm); - exec->vm().heap.reportAbandonedObjectGraph(); + vm.heap.reportAbandonedObjectGraph(); } void JSReportExtraMemoryCost(JSContextRef ctx, size_t size) 
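Review bot: Inside the `ENABLE(REMOTE_INSPECTOR)` block of `JSCheckScriptSyntax`, `Exception* exception = Exception::create(vm, syntaxException);` shadows the function's `JSValueRef* exception` parameter; since the line is rewritten here anyway, renaming it (`Exception* exceptionObject = Exception::create(vm, syntaxException);` and `vm.vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, exceptionObject);`) removes the shadowing warning and the chance of the wrong `exception` being touched a few lines later. The shadowing predates this commit, but the rewrite is the cheap moment to fix it.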
@@ -142,9 +154,10 @@ void JSReportExtraMemoryCost(JSContextRef ctx, size_t size) return; } ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + VM& vm = exec->vm(); + JSLockHolder locker(vm); - exec->vm().heap.deprecatedReportExtraMemory(size); + vm.heap.deprecatedReportExtraMemory(size); } extern "C" JS_EXPORT void JSSynchronousGarbageCollectForDebugging(JSContextRef); @@ -156,8 +169,9 @@ void JSSynchronousGarbageCollectForDebugging(JSContextRef ctx) return; ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - exec->vm().heap.collectNow(Sync, CollectionScope::Full); + VM& vm = exec->vm(); + JSLockHolder locker(vm); + vm.heap.collectNow(Sync, CollectionScope::Full); } void JSSynchronousEdenCollectForDebugging(JSContextRef ctx) @@ -166,8 +180,9 @@ void JSSynchronousEdenCollectForDebugging(JSContextRef ctx) return; ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - exec->vm().heap.collectSync(CollectionScope::Eden); + VM& vm = exec->vm(); + JSLockHolder locker(vm); + vm.heap.collectSync(CollectionScope::Eden); } void JSDisableGCTimer(void) @@ -175,7 +190,7 @@ void JSDisableGCTimer(void) GCActivityCallback::s_shouldCreateGCTimer = false; } -#if PLATFORM(IOS) +#if PLATFORM(IOS_FAMILY) && TARGET_OS_IOS // FIXME: Expose symbols to tell dyld where to find JavaScriptCore on older versions of // iOS (< 7.0). We should remove these symbols once we no longer need to support such // versions of iOS. See for more details. diff --git a/API/JSBase.h b/API/JSBase.h index 677dff1..01c1b28 100644 --- a/API/JSBase.h +++ b/API/JSBase.h 
@@ -68,20 +68,27 @@ typedef const struct OpaqueJSValue* JSValueRef; /*! @typedef JSObjectRef A JavaScript object. A JSObject is a JSValue. */ typedef struct OpaqueJSValue* JSObjectRef; +/* Clang's __has_declspec_attribute emulation */ +/* https://clang.llvm.org/docs/LanguageExtensions.html#has-declspec-attribute */ + +#ifndef __has_declspec_attribute +#define __has_declspec_attribute(x) 0 +#endif + /* JavaScript symbol exports */ -/* These rules should stay the same as in WebKit2/Shared/API/c/WKBase.h */ +/* These rules should stay the same as in WebKit/Shared/API/c/WKDeclarationSpecifiers.h */ #undef JS_EXPORT #if defined(JS_NO_EXPORT) #define JS_EXPORT -#elif defined(__GNUC__) && !defined(__CC_ARM) && !defined(__ARMCC__) -#define JS_EXPORT __attribute__((visibility("default"))) -#elif defined(WIN32) || defined(_WIN32) || defined(_WIN32_WCE) || defined(__CC_ARM) || defined(__ARMCC__) +#elif defined(WIN32) || defined(_WIN32) || defined(__CC_ARM) || defined(__ARMCC__) || (__has_declspec_attribute(dllimport) && __has_declspec_attribute(dllexport)) #if defined(BUILDING_JavaScriptCore) || defined(STATICALLY_LINKED_WITH_JavaScriptCore) #define JS_EXPORT __declspec(dllexport) #else #define JS_EXPORT __declspec(dllimport) #endif +#elif defined(__GNUC__) +#define JS_EXPORT __attribute__((visibility("default"))) #else /* !defined(JS_NO_EXPORT) */ #define JS_EXPORT #endif /* defined(JS_NO_EXPORT) */ @@ -136,7 +143,7 @@ JS_EXPORT void JSGarbageCollect(JSContextRef ctx); } #endif -/* Enable the Objective-C API for platforms with a modern runtime. */ +/* Enable the Objective-C API for platforms with a modern runtime. NOTE: This is duplicated in VM.h. */ #if !defined(JSC_OBJC_API_ENABLED) #if (defined(__clang__) && defined(__APPLE__) && ((defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && !defined(__i386__)) || (defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE))) #define JSC_OBJC_API_ENABLED 1 
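Review bot: The `JS_EXPORT` selection now tests the `__declspec` branch before `defined(__GNUC__)`, reversing the previous order, but the comment above it only says the rules must match WKDeclarationSpecifiers.h and does not record why the order matters. Given that the `__has_declspec_attribute` emulation yields 0 wherever the builtin is absent, the new order presumably exists so that a compiler defining `__GNUC__` while also supporting `__declspec` picks dllexport/dllimport rather than the visibility attribute; a one-line comment would preserve that intent, e.g. `/* Test __declspec support before __GNUC__: a compiler that defines both must use dllexport/dllimport. */`. That comment could also note that the `#define __has_declspec_attribute(x) 0` fallback stays defined for every includer of this public header, since nothing undefines it.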
diff --git a/include/JavaScriptCore/JavaScript.h b/API/JSBaseInternal.h similarity index 77% rename from include/JavaScriptCore/JavaScript.h rename to API/JSBaseInternal.h index 251e393..a274af9 100644 --- a/include/JavaScriptCore/JavaScript.h +++ b/API/JSBaseInternal.h @@ -1,6 +1,5 @@ /* - * Copyright (C) 2006 Apple Inc. All rights reserved. - * Copyright (C) 2008 Alp Toker + * Copyright (C) 2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -24,14 +23,15 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifndef JavaScript_h -#define JavaScript_h +#pragma once #include -#include -#include -#include -#include -#include +#include -#endif /* JavaScript_h */ +namespace JSC { +class JSLockHolder; +class ExecState; +class SourceCode; +} + +extern "C" JSValueRef JSEvaluateScriptInternal(const JSC::JSLockHolder&, JSC::ExecState*, JSContextRef, JSObjectRef thisObject, const JSC::SourceCode&, JSValueRef* exception); diff --git a/API/JSBasePrivate.h b/API/JSBasePrivate.h index 1375949..2fc916b 100644 --- a/API/JSBasePrivate.h +++ b/API/JSBasePrivate.h @@ -43,7 +43,7 @@ owns a large non-GC memory region. Calling this function will encourage the garbage collector to collect soon, hoping to reclaim that large non-GC memory region. */ -JS_EXPORT void JSReportExtraMemoryCost(JSContextRef ctx, size_t size) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT void JSReportExtraMemoryCost(JSContextRef ctx, size_t size) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); JS_EXPORT void JSDisableGCTimer(void); diff --git a/API/JSCallbackConstructor.h b/API/JSCallbackConstructor.h index d730ad7..3c31e07 100644 --- a/API/JSCallbackConstructor.h +++ b/API/JSCallbackConstructor.h 
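Review bot: `JSEvaluateScriptInternal` in the new JSBaseInternal.h is declared `extern "C"` yet takes C++ reference parameters (`const JSC::JSLockHolder&`, `const JSC::SourceCode&`), so no C caller can use it and the linkage only gives it an unmangled name; if that is intended a comment should say so, otherwise a plain `JSValueRef JSEvaluateScriptInternal(...)` declared inside `namespace JSC` would be the conventional form. The `const JSC::JSLockHolder&` argument looks like a proof-of-lock token rather than something the function reads, which is worth stating in the header: `// The JSLockHolder parameter is evidence that the caller already holds the API lock for this context; it is not otherwise used.` I have not seen the definition, so please confirm both readings against it.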
@@ -26,19 +26,20 @@ #ifndef JSCallbackConstructor_h #define JSCallbackConstructor_h +#include "JSDestructibleObject.h" #include "JSObjectRef.h" -#include "runtime/JSDestructibleObject.h" namespace JSC { -class JSCallbackConstructor : public JSDestructibleObject { +class JSCallbackConstructor final : public JSDestructibleObject { public: typedef JSDestructibleObject Base; static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance | ImplementsDefaultHasInstance; static JSCallbackConstructor* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, JSObjectCallAsConstructorCallback callback) { - JSCallbackConstructor* constructor = new (NotNull, allocateCell(*exec->heap())) JSCallbackConstructor(globalObject, structure, classRef, callback); + VM& vm = exec->vm(); + JSCallbackConstructor* constructor = new (NotNull, allocateCell(vm.heap)) JSCallbackConstructor(globalObject, structure, classRef, callback); constructor->finishCreation(globalObject, classRef); return constructor; } diff --git a/API/JSCallbackFunction.cpp b/API/JSCallbackFunction.cpp index 684ece6..78ca55b 100644 --- a/API/JSCallbackFunction.cpp +++ b/API/JSCallbackFunction.cpp @@ -44,7 +44,7 @@ STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSCallbackFunction); const ClassInfo JSCallbackFunction::s_info = { "CallbackFunction", &InternalFunction::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackFunction) }; JSCallbackFunction::JSCallbackFunction(VM& vm, Structure* structure, JSObjectCallAsFunctionCallback callback) - : InternalFunction(vm, structure) + : InternalFunction(vm, structure, APICallbackFunction::call, nullptr) , m_callback(callback) { } @@ -63,10 +63,4 @@ JSCallbackFunction* JSCallbackFunction::create(VM& vm, JSGlobalObject* globalObj return function; } -CallType JSCallbackFunction::getCallData(JSCell*, CallData& callData) -{ - callData.native.function = APICallbackFunction::call; - return CallType::Host; -} - } // namespace JSC 
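Review bot: The constructor now passes `APICallbackFunction::call, nullptr` to `InternalFunction` and the `getCallData` override is deleted, but nothing here says what the `nullptr` stands for, whereas the removed override made the call-only nature explicit by setting just `callData.native.function`. A comment on the initializer would keep that knowledge, e.g. `// call = APICallbackFunction::call, construct = nullptr: API callback functions are callable but not constructible`. That reading is inferred from the removed code, so adjust it if InternalFunction treats a null construct callback differently.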
diff --git a/API/JSCallbackFunction.h b/API/JSCallbackFunction.h index a4fdd06..f9e4f96 100644 --- a/API/JSCallbackFunction.h +++ b/API/JSCallbackFunction.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2008 Apple Inc. All rights reserved. + * Copyright (C) 2006-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -31,11 +31,17 @@ namespace JSC { -class JSCallbackFunction : public InternalFunction { +class JSCallbackFunction final : public InternalFunction { friend struct APICallbackFunction; public: typedef InternalFunction Base; + template + static IsoSubspace* subspaceFor(VM& vm) + { + return vm.callbackFunctionSpace(); + } + static JSCallbackFunction* create(VM&, JSGlobalObject*, JSObjectCallAsFunctionCallback, const String& name); DECLARE_INFO; @@ -44,18 +50,16 @@ public: // refactor the code so this override isn't necessary static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) { - return Structure::create(vm, globalObject, proto, TypeInfo(ObjectType, StructureFlags), info()); + return Structure::create(vm, globalObject, proto, TypeInfo(InternalFunctionType, StructureFlags), info()); } private: JSCallbackFunction(VM&, Structure*, JSObjectCallAsFunctionCallback); void finishCreation(VM&, const String& name); - static CallType getCallData(JSCell*, CallData&); - JSObjectCallAsFunctionCallback functionCallback() { return m_callback; } - JSObjectCallAsFunctionCallback m_callback; + JSObjectCallAsFunctionCallback m_callback { nullptr }; }; } // namespace JSC diff --git a/API/JSCallbackObject.h b/API/JSCallbackObject.h index 43749e2..07d709b 100644 --- a/API/JSCallbackObject.h +++ b/API/JSCallbackObject.h 
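Review bot: The new `subspaceFor` returning `vm.callbackFunctionSpace()` carries no comment explaining why JSCallbackFunction gets its own IsoSubspace, and the memory-safety motivation is not obvious from the three-line body. As I understand IsoSubspace, it segregates allocations by type so a freed cell's storage is only ever reused for the same type, which turns a use-after-free into type-safe reuse rather than type confusion; a line above the template such as `// Give API callback functions their own IsoSubspace so freed cells are only reused for the same type.` would record that for the next reader. Please confirm against the VM-side definition of callbackFunctionSpace() before wording it as fact. The `m_callback { nullptr }` default initializer and the `InternalFunctionType` change look fine.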
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2016 Apple Inc. All rights reserved. + * Copyright (C) 2006-2019 Apple Inc. All rights reserved. * Copyright (C) 2007 Eric Seidel * * Redistribution and use in source and binary forms, with or without @@ -122,7 +122,7 @@ public: template -class JSCallbackObject : public Parent { +class JSCallbackObject final : public Parent { protected: JSCallbackObject(ExecState*, Structure*, JSClassRef, void* data); JSCallbackObject(VM&, JSClassRef, Structure*); @@ -132,14 +132,16 @@ protected: public: typedef Parent Base; - static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | TypeOfShouldCallGetCallData; + static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | OverridesGetCallData; + static_assert(!(StructureFlags & ImplementsDefaultHasInstance), "using customHasInstance"); ~JSCallbackObject(); static JSCallbackObject* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, void* data) { + VM& vm = exec->vm(); ASSERT_UNUSED(globalObject, !structure->globalObject() || structure->globalObject() == globalObject); - JSCallbackObject* callbackObject = new (NotNull, allocateCell(*exec->heap())) JSCallbackObject(exec, structure, classRef, data); + JSCallbackObject* callbackObject = new (NotNull, allocateCell(vm.heap)) JSCallbackObject(exec, structure, classRef, data); callbackObject->finishCreation(exec); return callbackObject; } 
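Review bot: The new `static_assert(!(StructureFlags & ImplementsDefaultHasInstance), "using customHasInstance");` has a message that names a reason but not the rule, so a failure reads as a bare fragment; `static_assert(!(StructureFlags & ImplementsDefaultHasInstance), "JSCallbackObject implements customHasInstance, so ImplementsDefaultHasInstance must not be set");` tells the reader what to change. In `create`, the added `VM& vm = exec->vm();` is placed above the `ASSERT_UNUSED` that validates `structure`; it is harmless there but reads more naturally directly before the `allocateCell(vm.heap)` line it serves.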
@@ -155,18 +157,9 @@ public: void* getPrivate(); // FIXME: We should fix the warnings for extern-template in JSObject template classes: https://bugs.webkit.org/show_bug.cgi?id=161979 -#if COMPILER(CLANG) -#if __has_warning("-Wundefined-var-template") -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wundefined-var-template" -#endif -#endif + IGNORE_CLANG_WARNINGS_BEGIN("undefined-var-template") DECLARE_INFO; -#if COMPILER(CLANG) -#if __has_warning("-Wundefined-var-template") -#pragma clang diagnostic pop -#endif -#endif + IGNORE_CLANG_WARNINGS_END JSClassRef classRef() const { return m_callbackObjectData->jsClass; } bool inherits(JSClassRef) const; @@ -191,7 +184,8 @@ public: using Parent::methodTable; private: - static String className(const JSObject*); + static String className(const JSObject*, VM&); + static String toStringName(const JSObject*, ExecState*); static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType); @@ -232,7 +226,7 @@ private: static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName); std::unique_ptr m_callbackObjectData; - const ClassInfo* m_classInfo; + const ClassInfo* m_classInfo { nullptr }; }; } // namespace JSC diff --git a/API/JSCallbackObjectFunctions.h b/API/JSCallbackObjectFunctions.h index ee3ee2f..ae3a6fe 100644 --- a/API/JSCallbackObjectFunctions.h +++ b/API/JSCallbackObjectFunctions.h @@ -34,7 +34,6 @@ #include "JSLock.h" #include "JSObjectRef.h" #include "JSString.h" -#include "JSStringRef.h" #include "OpaqueJSString.h" #include "PropertyNameArray.h" #include 
@@ -130,14 +129,23 @@ void JSCallbackObject::init(ExecState* exec) } template -String JSCallbackObject::className(const JSObject* object) +String JSCallbackObject::className(const JSObject* object, VM& vm) { const JSCallbackObject* thisObject = jsCast(object); String thisClassName = thisObject->classRef()->className(); if (!thisClassName.isEmpty()) return thisClassName; - return Parent::className(object); + return Parent::className(object, vm); +} + +template +String JSCallbackObject::toStringName(const JSObject* object, ExecState* exec) +{ + VM& vm = exec->vm(); + const ClassInfo* info = object->classInfo(vm); + ASSERT(info); + return info->methodTable.className(object, vm); } template @@ -156,15 +164,15 @@ bool JSCallbackObject::getOwnPropertySlot(JSObject* object, ExecState* e // optional optimization to bypass getProperty in cases when we only need to know if the property exists if (JSObjectHasPropertyCallback hasProperty = jsClass->hasProperty) { if (!propertyNameRef) - propertyNameRef = OpaqueJSString::create(name); + propertyNameRef = OpaqueJSString::tryCreate(name); JSLock::DropAllLocks dropAllLocks(exec); if (hasProperty(ctx, thisRef, propertyNameRef.get())) { - slot.setCustom(thisObject, ReadOnly | DontEnum, callbackGetter); + slot.setCustom(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, callbackGetter); return true; } } else if (JSObjectGetPropertyCallback getProperty = jsClass->getProperty) { if (!propertyNameRef) - propertyNameRef = OpaqueJSString::create(name); + propertyNameRef = OpaqueJSString::tryCreate(name); JSValueRef exception = 0; JSValueRef value; { 
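Review bot: The new `toStringName` dereferences `info` immediately after `ASSERT(info)`, which is compiled out in release builds, so it silently relies on `object->classInfo(vm)` never returning null for a live JSCallbackObject; a short comment would make that contract visible, e.g. `// classInfo() is never null for a constructed cell; the ASSERT documents the invariant rather than guarding it.` The method also lacks a one-line description: it appears to resolve the class name through the ClassInfo method table so that `JSCallbackObject::className` (or any Parent override) is what Object.prototype.toString reports, but that is inferred from the name and call and should be confirmed before being written down.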
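Review bot: `OpaqueJSString::create(name)` becomes `OpaqueJSString::tryCreate(name)` in both branches of `getOwnPropertySlot`, but the result is handed straight to the client callback via `propertyNameRef.get()` with no null check, so if `tryCreate` can return a null RefPtr (its name suggests that is what distinguishes it from `create`) the host callback would receive a null `JSStringRef`, and the `if (!propertyNameRef)` retry would re-run on every iteration of the class-chain loop. If `name` is guaranteed non-null here, an `ASSERT(propertyNameRef);` right after the assignment, or a comment stating that `tryCreate` only fails for a null string that `name` never is, would settle it. The same pattern recurs in `put`, `putByIndex`, `deleteProperty` and `callbackGetter` further down this file and in the `StaticValueEntry` initializer in JSClassRef.h; the rest of `getOwnPropertySlot` continues beyond this hunk.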
@@ -173,11 +181,11 @@ bool JSCallbackObject::getOwnPropertySlot(JSObject* object, ExecState* e } if (exception) { throwException(exec, scope, toJS(exec, exception)); - slot.setValue(thisObject, ReadOnly | DontEnum, jsUndefined()); + slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, jsUndefined()); return true; } if (value) { - slot.setValue(thisObject, ReadOnly | DontEnum, toJS(exec, value)); + slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, toJS(exec, value)); return true; } } @@ -186,7 +194,7 @@ bool JSCallbackObject::getOwnPropertySlot(JSObject* object, ExecState* e if (staticValues->contains(name)) { JSValue value = thisObject->getStaticValue(exec, propertyName); if (value) { - slot.setValue(thisObject, ReadOnly | DontEnum, value); + slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, value); return true; } } @@ -194,7 +202,7 @@ bool JSCallbackObject::getOwnPropertySlot(JSObject* object, ExecState* e if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { if (staticFunctions->contains(name)) { - slot.setCustom(thisObject, ReadOnly | DontEnum, staticFunctionGetter); + slot.setCustom(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, staticFunctionGetter); return true; } } @@ -207,7 +215,7 @@ bool JSCallbackObject::getOwnPropertySlot(JSObject* object, ExecState* e template bool JSCallbackObject::getOwnPropertySlotByIndex(JSObject* object, ExecState* exec, unsigned propertyName, PropertySlot& slot) { - return object->methodTable()->getOwnPropertySlot(object, exec, Identifier::from(exec, propertyName), slot); + return object->methodTable(exec->vm())->getOwnPropertySlot(object, exec, Identifier::from(exec, propertyName), slot); } template 
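Review bot: `PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum` is now spelled out on every `setValue`/`setCustom` call in `getOwnPropertySlot` (six times across these hunks and the one above), so the intent "API-backed properties are read-only and non-enumerable" is never named once. A file-local constant such as `static constexpr unsigned callbackPropertyAttributes = PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum;` used as `slot.setValue(thisObject, callbackPropertyAttributes, jsUndefined());` would carry that meaning and make a future attribute change a one-line edit. The result type of `operator|` on PropertyAttribute is not visible here, so check what `setValue`/`setCustom` accept before choosing `unsigned`. `getOwnPropertySlot` starts before this hunk.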
@@ -253,7 +261,7 @@ bool JSCallbackObject::put(JSCell* cell, ExecState* exec, PropertyName p for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectSetPropertyCallback setProperty = jsClass->setProperty) { if (!propertyNameRef) - propertyNameRef = OpaqueJSString::create(name); + propertyNameRef = OpaqueJSString::tryCreate(name); JSValueRef exception = 0; bool result; { @@ -317,7 +325,7 @@ bool JSCallbackObject::putByIndex(JSCell* cell, ExecState* exec, unsigne for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectSetPropertyCallback setProperty = jsClass->setProperty) { if (!propertyNameRef) - propertyNameRef = OpaqueJSString::create(propertyName.impl()); + propertyNameRef = OpaqueJSString::tryCreate(propertyName.impl()); JSValueRef exception = 0; bool result; { @@ -376,7 +384,7 @@ bool JSCallbackObject::deleteProperty(JSCell* cell, ExecState* exec, Pro for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectDeletePropertyCallback deleteProperty = jsClass->deleteProperty) { if (!propertyNameRef) - propertyNameRef = OpaqueJSString::create(name); + propertyNameRef = OpaqueJSString::tryCreate(name); JSValueRef exception = 0; bool result; { @@ -414,7 +422,7 @@ template bool JSCallbackObject::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName) { JSCallbackObject* thisObject = jsCast(cell); - return thisObject->methodTable()->deleteProperty(thisObject, exec, Identifier::from(exec, propertyName)); + return thisObject->methodTable(exec->vm())->deleteProperty(thisObject, exec, Identifier::from(exec, propertyName)); } template 
@@ -653,7 +661,7 @@ EncodedJSValue JSCallbackObject::staticFunctionGetter(ExecState* exec, E if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { if (StaticFunctionEntry* entry = staticFunctions->get(name)) { if (JSObjectCallAsFunctionCallback callAsFunction = entry->callAsFunction) { - JSObject* o = JSCallbackFunction::create(vm, thisObj->globalObject(), callAsFunction, name); + JSObject* o = JSCallbackFunction::create(vm, thisObj->globalObject(vm), callAsFunction, name); thisObj->putDirect(vm, propertyName, o, entry->attributes); return JSValue::encode(o); } @@ -662,7 +670,7 @@ EncodedJSValue JSCallbackObject::staticFunctionGetter(ExecState* exec, E } } - return JSValue::encode(throwException(exec, scope, createReferenceError(exec, ASCIILiteral("Static function property defined with NULL callAsFunction callback.")))); + return JSValue::encode(throwException(exec, scope, createReferenceError(exec, "Static function property defined with NULL callAsFunction callback."_s))); } template @@ -680,7 +688,7 @@ EncodedJSValue JSCallbackObject::callbackGetter(ExecState* exec, Encoded for (JSClassRef jsClass = thisObj->classRef(); jsClass; jsClass = jsClass->parentClass) { if (JSObjectGetPropertyCallback getProperty = jsClass->getProperty) { if (!propertyNameRef) - propertyNameRef = OpaqueJSString::create(name); + propertyNameRef = OpaqueJSString::tryCreate(name); JSValueRef exception = 0; JSValueRef value; { @@ -697,7 +705,7 @@ EncodedJSValue JSCallbackObject::callbackGetter(ExecState* exec, Encoded } } - return JSValue::encode(throwException(exec, scope, createReferenceError(exec, ASCIILiteral("hasProperty callback returned true for a property that doesn't exist.")))); + return JSValue::encode(throwException(exec, scope, createReferenceError(exec, "hasProperty callback returned true for a property that doesn't exist."_s))); } } // namespace JSC diff --git a/API/JSClassRef.cpp b/API/JSClassRef.cpp index eb525f1..f1c9d57 100644 
--- a/API/JSClassRef.cpp +++ b/API/JSClassRef.cpp @@ -35,11 +35,8 @@ #include "ObjectPrototype.h" #include "JSCInlines.h" #include -#include -using namespace std; using namespace JSC; -using namespace WTF::Unicode; const JSClassDefinition kJSClassDefinitionEmpty = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; @@ -88,19 +85,19 @@ OpaqueJSClass::OpaqueJSClass(const JSClassDefinition* definition, OpaqueJSClass* OpaqueJSClass::~OpaqueJSClass() { // The empty string is shared across threads & is an identifier, in all other cases we should have done a deep copy in className(), below. - ASSERT(!m_className.length() || !m_className.impl()->isAtomic()); + ASSERT(!m_className.length() || !m_className.impl()->isAtom()); #ifndef NDEBUG if (m_staticValues) { OpaqueJSClassStaticValuesTable::const_iterator end = m_staticValues->end(); for (OpaqueJSClassStaticValuesTable::const_iterator it = m_staticValues->begin(); it != end; ++it) - ASSERT(!it->key->isAtomic()); + ASSERT(!it->key->isAtom()); } if (m_staticFunctions) { OpaqueJSClassStaticFunctionsTable::const_iterator end = m_staticFunctions->end(); for (OpaqueJSClassStaticFunctionsTable::const_iterator it = m_staticFunctions->begin(); it != end; ++it) - ASSERT(!it->key->isAtomic()); + ASSERT(!it->key->isAtom()); } #endif @@ -119,7 +116,7 @@ Ref OpaqueJSClass::create(const JSClassDefinition* clientDefiniti JSClassDefinition protoDefinition = kJSClassDefinitionEmpty; protoDefinition.finalize = 0; - swap(definition.staticFunctions, protoDefinition.staticFunctions); // Move static functions to the prototype. + std::swap(definition.staticFunctions, protoDefinition.staticFunctions); // Move static functions to the prototype. // We are supposed to use JSClassRetain/Release but since we know that we currently have // the only reference to this class object we cheat and use a RefPtr instead. 
@@ -134,7 +131,7 @@ OpaqueJSClassContextData::OpaqueJSClassContextData(JSC::VM&, OpaqueJSClass* jsCl staticValues = std::make_unique(); OpaqueJSClassStaticValuesTable::const_iterator end = jsClass->m_staticValues->end(); for (OpaqueJSClassStaticValuesTable::const_iterator it = jsClass->m_staticValues->begin(); it != end; ++it) { - ASSERT(!it->key->isAtomic()); + ASSERT(!it->key->isAtom()); String valueName = it->key->isolatedCopy(); staticValues->add(valueName.impl(), std::make_unique(it->value->getProperty, it->value->setProperty, it->value->attributes, valueName)); } @@ -144,7 +141,7 @@ OpaqueJSClassContextData::OpaqueJSClassContextData(JSC::VM&, OpaqueJSClass* jsCl staticFunctions = std::make_unique(); OpaqueJSClassStaticFunctionsTable::const_iterator end = jsClass->m_staticFunctions->end(); for (OpaqueJSClassStaticFunctionsTable::const_iterator it = jsClass->m_staticFunctions->begin(); it != end; ++it) { - ASSERT(!it->key->isAtomic()); + ASSERT(!it->key->isAtom()); staticFunctions->add(it->key->isolatedCopy(), std::make_unique(it->value->callAsFunction, it->value->attributes)); } } @@ -160,7 +157,7 @@ OpaqueJSClassContextData& OpaqueJSClass::contextData(ExecState* exec) String OpaqueJSClass::className() { - // Make a deep copy, so that the caller has no chance to put the original into AtomicStringTable. + // Make a deep copy, so that the caller has no chance to put the original into AtomStringTable. return m_className.isolatedCopy(); } diff --git a/API/JSClassRef.h b/API/JSClassRef.h index fa024d3..0dd0dca 100644 --- a/API/JSClassRef.h +++ b/API/JSClassRef.h 
@@ -37,7 +37,10 @@ struct StaticValueEntry { WTF_MAKE_FAST_ALLOCATED; public: StaticValueEntry(JSObjectGetPropertyCallback _getProperty, JSObjectSetPropertyCallback _setProperty, JSPropertyAttributes _attributes, String& propertyName) - : getProperty(_getProperty), setProperty(_setProperty), attributes(_attributes), propertyNameRef(OpaqueJSString::create(propertyName)) + : getProperty(_getProperty) + , setProperty(_setProperty) + , attributes(_attributes) + , propertyNameRef(OpaqueJSString::tryCreate(propertyName)) { } @@ -118,7 +121,7 @@ private: OpaqueJSClassContextData& contextData(JSC::ExecState*); - // Strings in these data members should not be put into any AtomicStringTable. + // Strings in these data members should not be put into any AtomStringTable. String m_className; std::unique_ptr m_staticValues; std::unique_ptr m_staticFunctions; diff --git a/API/JSContext.h b/API/JSContext.h index 194e352..6b9c5d4 100644 --- a/API/JSContext.h +++ b/API/JSContext.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Apple Inc. All rights reserved. + * Copyright (C) 2013-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -31,7 +31,7 @@ #if JSC_OBJC_API_ENABLED -@class JSVirtualMachine, JSValue; +@class JSScript, JSVirtualMachine, JSValue, JSContext; /*! @interface @@ -39,7 +39,7 @@ JavaScript execution takes place within a context, and all JavaScript values are tied to a context. */ -NS_CLASS_AVAILABLE(10_9, 7_0) +JSC_CLASS_AVAILABLE(macos(10.9), ios(7.0)) @interface JSContext : NSObject /*! 
@@ -78,7 +78,7 @@ NS_CLASS_AVAILABLE(10_9, 7_0) @param sourceURL A URL for the script's source file. Used by debuggers and when reporting exceptions. This parameter is informative only: it does not change the behavior of the script. @result The last value generated by the script. */ -- (JSValue *)evaluateScript:(NSString *)script withSourceURL:(NSURL *)sourceURL NS_AVAILABLE(10_10, 8_0); +- (JSValue *)evaluateScript:(NSString *)script withSourceURL:(NSURL *)sourceURL JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @methodgroup Callback Accessors @@ -101,7 +101,7 @@ NS_CLASS_AVAILABLE(10_9, 7_0) a callback from JavaScript this method will return nil. @result The currently executing JavaScript function or nil if there isn't one. */ -+ (JSValue *)currentCallee NS_AVAILABLE(10_10, 8_0); ++ (JSValue *)currentCallee JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @method @@ -176,8 +176,7 @@ NS_CLASS_AVAILABLE(10_9, 7_0) @property @discussion Name of the JSContext. Exposed when remote debugging the context. */ -@property (copy) NSString *name NS_AVAILABLE(10_10, 8_0); - +@property (copy) NSString *name JSC_API_AVAILABLE(macos(10.10), ios(8.0)); @end /*! @@ -231,6 +230,7 @@ NS_CLASS_AVAILABLE(10_9, 7_0) @result The C API equivalent of this JSContext. */ @property (readonly) JSGlobalContextRef JSGlobalContextRef; + @end #endif diff --git a/API/JSContext.mm b/API/JSContext.mm index 5b100c7..05de4f3 100644 --- a/API/JSContext.mm +++ b/API/JSContext.mm @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Apple Inc. All rights reserved. + * Copyright (C) 2013-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -26,11 +26,15 @@ #include "config.h" #import "APICast.h" +#import "Completion.h" +#import "JSBaseInternal.h" #import "JSCInlines.h" #import "JSContextInternal.h" #import "JSContextPrivate.h" #import "JSContextRefInternal.h" #import "JSGlobalObject.h" +#import "JSInternalPromise.h" +#import "JSModuleLoader.h" #import "JSValueInternal.h" #import "JSVirtualMachineInternal.h" #import "JSWrapperMap.h" @@ -38,12 +42,15 @@ #import "ObjcRuntimeExtras.h" #import "StrongInlines.h" +#import + #if JSC_OBJC_API_ENABLED @implementation JSContext { JSVirtualMachine *m_virtualMachine; JSGlobalContextRef m_context; JSC::Strong m_exception; + WeakObjCPtr> m_moduleLoaderDelegate; } - (JSGlobalContextRef)JSGlobalContextRef 
@@ -100,24 +107,78 @@ - (JSValue *)evaluateScript:(NSString *)script withSourceURL:(NSURL *)sourceURL { JSValueRef exceptionValue = nullptr; - JSStringRef scriptJS = JSStringCreateWithCFString((CFStringRef)script); - JSStringRef sourceURLJS = sourceURL ? JSStringCreateWithCFString((CFStringRef)[sourceURL absoluteString]) : nullptr; - JSValueRef result = JSEvaluateScript(m_context, scriptJS, nullptr, sourceURLJS, 0, &exceptionValue); - if (sourceURLJS) - JSStringRelease(sourceURLJS); - JSStringRelease(scriptJS); + auto scriptJS = OpaqueJSString::tryCreate(script); + auto sourceURLJS = OpaqueJSString::tryCreate([sourceURL absoluteString]); + JSValueRef result = JSEvaluateScript(m_context, scriptJS.get(), nullptr, sourceURLJS.get(), 0, &exceptionValue); if (exceptionValue) return [self valueFromNotifyException:exceptionValue]; - return [JSValue valueWithJSValueRef:result inContext:self]; } +- (JSValue *)evaluateJSScript:(JSScript *)script +{ + JSC::ExecState* exec = toJS(m_context); + JSC::VM& vm = exec->vm(); + JSC::JSLockHolder locker(vm); + + if (script.type == kJSScriptTypeProgram) { + JSValueRef exceptionValue = nullptr; + JSC::SourceCode sourceCode = [script sourceCode]; + JSValueRef result = JSEvaluateScriptInternal(locker, exec, m_context, nullptr, sourceCode, &exceptionValue); + + if (exceptionValue) + return [self valueFromNotifyException:exceptionValue]; + return [JSValue valueWithJSValueRef:result inContext:self]; + } + + auto* globalObject = JSC::jsDynamicCast(vm, exec->lexicalGlobalObject()); + if (!globalObject) + return [JSValue valueWithNewPromiseRejectedWithReason:[JSValue valueWithNewErrorFromMessage:@"Context does not support module loading" inContext:self] inContext:self]; + + auto scope = DECLARE_CATCH_SCOPE(vm); + JSC::JSValue result = globalObject->loadAndEvaluateJSScriptModule(locker, script); + if (scope.exception()) { + JSValueRef exceptionValue = toRef(exec, scope.exception()->value()); + scope.clearException(); + return [JSValue 
valueWithNewPromiseRejectedWithReason:[JSValue valueWithJSValueRef:exceptionValue inContext:self] inContext:self]; + } + return [JSValue valueWithJSValueRef:toRef(vm, result) inContext:self]; +} + +- (JSValue *)dependencyIdentifiersForModuleJSScript:(JSScript *)script +{ + JSC::ExecState* exec = toJS(m_context); + JSC::VM& vm = exec->vm(); + JSC::JSLockHolder locker(vm); + + if (script.type != kJSScriptTypeModule) { + self.exceptionHandler(self, [JSValue valueWithNewErrorFromMessage:@"script is not a module" inContext:self]); + return [JSValue valueWithUndefinedInContext:self]; + } + + auto scope = DECLARE_CATCH_SCOPE(vm); + JSC::JSArray* result = exec->lexicalGlobalObject()->moduleLoader()->dependencyKeysIfEvaluated(exec, JSC::jsString(&vm, [[script sourceURL] absoluteString])); + if (scope.exception()) { + JSValueRef exceptionValue = toRef(exec, scope.exception()->value()); + scope.clearException(); + return [self valueFromNotifyException:exceptionValue]; + } + + if (!result) { + self.exceptionHandler(self, [JSValue valueWithNewErrorFromMessage:@"script has not run in context or was not evaluated successfully" inContext:self]); + return [JSValue valueWithUndefinedInContext:self]; + } + return [JSValue valueWithJSValueRef:toRef(vm, result) inContext:self]; +} + - (void)setException:(JSValue *)value { - JSC::JSLockHolder locker(toJS(m_context)); + JSC::ExecState* exec = toJS(m_context); + JSC::VM& vm = exec->vm(); + JSC::JSLockHolder locker(vm); if (value) - m_exception.set(toJS(m_context)->vm(), toJS(JSValueToObject(m_context, valueInternalValue(value), 0))); + m_exception.set(vm, toJS(JSValueToObject(m_context, valueInternalValue(value), 0))); else m_exception.clear(); } 
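Review bot: `dependencyIdentifiersForModuleJSScript:` reports its two validation failures by invoking `self.exceptionHandler(self, …)` directly, while every other error path in this hunk goes through `[self valueFromNotifyException:]` or returns a rejected promise, so error reporting is now spread across three mechanisms within one method group; if `exceptionHandler` can ever be nil, the direct block call also crashes where the notify path would not. Routing both cases through the existing helper, e.g. `return [self valueFromNotifyException:[JSValue valueWithNewErrorFromMessage:@"script is not a module" inContext:self].JSValueRef];`, keeps a single path (adjust the accessor if JSValue exposes its ref differently, as I cannot see its interface). `evaluateJSScript:` also deserves a header comment stating that a module script always yields a promise — rejected when the global object does not support module loading or when loading/evaluation throws — whereas a program script returns its completion value and reports exceptions through the exception handler, since callers cannot tell this from the signature. That `result` from `loadAndEvaluateJSScriptModule` is itself a promise is my inference from the rejected-promise fallbacks; please confirm.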
@@ -129,11 +190,6 @@ return [JSValue valueWithJSValueRef:toRef(m_exception.get()) inContext:self]; } -- (JSWrapperMap *)wrapperMap -{ - return toJS(m_context)->lexicalGlobalObject()->wrapperMap(); -} - - (JSValue *)globalObject { return [JSValue valueWithJSValueRef:JSContextGetGlobalObject(m_context) inContext:self]; @@ -141,15 +197,15 @@ + (JSContext *)currentContext { - WTFThreadData& threadData = wtfThreadData(); - CallbackData *entry = (CallbackData *)threadData.m_apiData; + Thread& thread = Thread::current(); + CallbackData *entry = (CallbackData *)thread.m_apiData; return entry ? entry->context : nil; } + (JSValue *)currentThis { - WTFThreadData& threadData = wtfThreadData(); - CallbackData *entry = (CallbackData *)threadData.m_apiData; + Thread& thread = Thread::current(); + CallbackData *entry = (CallbackData *)thread.m_apiData; if (!entry) return nil; return [JSValue valueWithJSValueRef:entry->thisValue inContext:[JSContext currentContext]]; @@ -157,17 +213,18 @@ + (JSValue *)currentCallee { - WTFThreadData& threadData = wtfThreadData(); - CallbackData *entry = (CallbackData *)threadData.m_apiData; - if (!entry) + Thread& thread = Thread::current(); + CallbackData *entry = (CallbackData *)thread.m_apiData; + // calleeValue may be null if we are initializing a promise. + if (!entry || !entry->calleeValue) return nil; return [JSValue valueWithJSValueRef:entry->calleeValue inContext:[JSContext currentContext]]; } + (NSArray *)currentArguments { - WTFThreadData& threadData = wtfThreadData(); - CallbackData *entry = (CallbackData *)threadData.m_apiData; + Thread& thread = Thread::current(); + CallbackData *entry = (CallbackData *)thread.m_apiData; if (!entry) return nil; 
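Review bot: The `Thread::current()` migration repeats `CallbackData *entry = (CallbackData *)thread.m_apiData;` with a C-style cast in `currentContext`, `currentThis`, `currentCallee` and `currentArguments`, and the same cast appears again in `beginCallbackWithData:` in the next hunk. A single file-local helper removes both the duplication and the C-style cast, e.g. `static CallbackData* currentCallbackData() { return static_cast<CallbackData*>(Thread::current().m_apiData); }` (assuming `m_apiData` is `void*`, as the cast suggests; otherwise use the matching named cast). The added `!entry->calleeValue` guard in `currentCallee` is a good addition; its comment would read better as a statement of the contract, e.g. `// calleeValue is null when the callback runs during promise initialization; return nil rather than wrapping a null ref.`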
@@ -195,15 +252,12 @@ if (!name) return nil; - return (NSString *)adoptCF(JSStringCopyCFString(kCFAllocatorDefault, name)).autorelease(); + return CFBridgingRelease(JSStringCopyCFString(kCFAllocatorDefault, name)); } - (void)setName:(NSString *)name { - JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[[name copy] autorelease]) : nullptr; - JSGlobalContextSetName(m_context, nameJS); - if (nameJS) - JSStringRelease(nameJS); + JSGlobalContextSetName(m_context, OpaqueJSString::tryCreate(name).get()); } - (BOOL)_remoteInspectionEnabled @@ -236,6 +290,16 @@ JSGlobalContextSetDebuggerRunLoop(m_context, runLoop); } +- (id)moduleLoaderDelegate +{ + return m_moduleLoaderDelegate.getAutoreleased(); +} + +- (void)setModuleLoaderDelegate:(id)moduleLoaderDelegate +{ + m_moduleLoaderDelegate = moduleLoaderDelegate; +} + @end @implementation JSContext(SubscriptSupport) @@ -294,21 +358,21 @@ - (void)beginCallbackWithData:(CallbackData *)callbackData calleeValue:(JSValueRef)calleeValue thisValue:(JSValueRef)thisValue argumentCount:(size_t)argumentCount arguments:(const JSValueRef *)arguments { - WTFThreadData& threadData = wtfThreadData(); + Thread& thread = Thread::current(); [self retain]; - CallbackData *prevStack = (CallbackData *)threadData.m_apiData; + CallbackData *prevStack = (CallbackData *)thread.m_apiData; *callbackData = (CallbackData){ prevStack, self, [self.exception retain], calleeValue, thisValue, argumentCount, arguments, nil }; - threadData.m_apiData = callbackData; + thread.m_apiData = callbackData; self.exception = nil; } - (void)endCallbackWithData:(CallbackData *)callbackData { - WTFThreadData& threadData = wtfThreadData(); + Thread& thread = Thread::current(); self.exception = callbackData->preservedException; [callbackData->preservedException release]; [callbackData->currentArguments release]; - threadData.m_apiData = callbackData->next; + thread.m_apiData = callbackData->next; [self release]; } 
@@ -318,6 +382,11 @@ return [[self wrapperMap] jsWrapperForObject:object inContext:self]; } +- (JSWrapperMap *)wrapperMap +{ + return toJS(m_context)->lexicalGlobalObject()->wrapperMap(); +} + - (JSValue *)wrapperForJSObject:(JSValueRef)value { JSC::JSLockHolder locker(toJS(m_context)); @@ -335,24 +404,4 @@ @end -WeakContextRef::WeakContextRef(JSContext *context) -{ - objc_initWeak(&m_weakContext, context); -} - -WeakContextRef::~WeakContextRef() -{ - objc_destroyWeak(&m_weakContext); -} - -JSContext * WeakContextRef::get() -{ - return objc_loadWeak(&m_weakContext); -} - -void WeakContextRef::set(JSContext *context) -{ - objc_storeWeak(&m_weakContext, context); -} - #endif diff --git a/API/JSContextInternal.h b/API/JSContextInternal.h index b37cfa4..958c479 100644 --- a/API/JSContextInternal.h +++ b/API/JSContextInternal.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Apple Inc. All rights reserved. + * Copyright (C) 2013-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,17 +23,14 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifndef JSContextInternal_h -#define JSContextInternal_h - #import #if JSC_OBJC_API_ENABLED -#import +#import struct CallbackData { - CallbackData *next; + CallbackData* next; JSContext *context; JSValue *preservedException; JSValueRef calleeValue; @@ -43,24 +40,10 @@ struct CallbackData { NSArray *currentArguments; }; -class WeakContextRef { -public: - WeakContextRef(JSContext * = nil); - ~WeakContextRef(); - - JSContext * get(); - void set(JSContext *); - -private: - JSContext *m_weakContext; -}; - @class JSWrapperMap; @interface JSContext(Internal) -- (instancetype)initWithGlobalContextRef:(JSGlobalContextRef)context; - - (void)notifyException:(JSValueRef)exception; - (JSValue *)valueFromNotifyException:(JSValueRef)exception; - (BOOL)boolFromNotifyException:(JSValueRef)exception; 
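Review bot: The JSContextInternal.h hunk `@@ -23,17 +23,14 @@` removes the `#ifndef JSContextInternal_h`/`#define` guard (and the following hunk the matching `#endif`) without adding `#pragma once`, so the header is now protected against double inclusion only when every includer uses `#import`. That is the norm for the .mm files in this API, but the header defines `struct CallbackData`, and a C++ translation unit that reaches it via `#include` twice would hit a redefinition. Adding `#pragma once` as the first directive after the license costs nothing and removes the dependency on the include mechanism. The `#import` targets themselves are not legible in this view, so I cannot tell whether the include that replaced the old one changes that picture.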
@@ -68,13 +51,10 @@ private: - (void)beginCallbackWithData:(CallbackData *)callbackData calleeValue:(JSValueRef)calleeValue thisValue:(JSValueRef)thisValue argumentCount:(size_t)argumentCount arguments:(const JSValueRef *)arguments; - (void)endCallbackWithData:(CallbackData *)callbackData; +- (JSWrapperMap *)wrapperMap; - (JSValue *)wrapperForObjCObject:(id)object; - (JSValue *)wrapperForJSObject:(JSValueRef)value; -@property (readonly, retain) JSWrapperMap *wrapperMap; - @end #endif - -#endif // JSContextInternal_h diff --git a/API/JSContextPrivate.h b/API/JSContextPrivate.h index 7d1d0cb..75f526b 100644 --- a/API/JSContextPrivate.h +++ b/API/JSContextPrivate.h 
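Review bot: Replacing `@property (readonly, retain) JSWrapperMap *wrapperMap` with a bare `- (JSWrapperMap *)wrapperMap;` drops the only ownership hint the internal header gave, and the new implementation in JSContext.mm fetches the map from `toJS(m_context)->lexicalGlobalObject()->wrapperMap()`, i.e. it is owned by the global object and nothing is retained on the caller's behalf. A one-line comment on the declaration would keep that explicit for callers outside this file: `// Owned by the context's JSGlobalObject; do not retain, and use only while the context is alive.` Whether callers must also hold the API lock is inferred from the sibling `wrapperForJSObject:` taking a `JSLockHolder`, so confirm before stating it.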
@@ -30,25 +30,81 @@ #import +@protocol JSModuleLoaderDelegate + +@required + +/*! @abstract Provides source code for any JS module that is actively imported. + @param context The context for which the module is being requested. + @param identifier The resolved identifier for the requested module. + @param resolve A JS function to call with the desired script for identifier. + @param reject A JS function to call when identifier cannot be fetched. + @discussion Currently, identifier will always be an absolute file URL computed from specifier of the requested module relative to the URL of the requesting script. If the requesting script does not have a URL and the module specifier is not an absolute path the module loader will fail to load the module. + + The first argument to resolve sholud always be a JSScript, otherwise the module loader will reject the module. + + Once an identifier has been resolved or rejected in a given context it will never be requested again. If a script is successfully evaluated it will not be re-evaluated on any subsequent import. + + The VM will retain all evaluated modules for the lifetime of the context. + */ +- (void)context:(JSContext *)context fetchModuleForIdentifier:(JSValue *)identifier withResolveHandler:(JSValue *)resolve andRejectHandler:(JSValue *)reject; + +@optional + +/*! @abstract This is called before the module with "key" is evaluated. + @param key The module key for the module that is about to be evaluated. + */ +- (void)willEvaluateModule:(NSURL *)key; + +/*! @abstract This is called after the module with "key" is evaluated. + @param key The module key for the module that was just evaluated. + */ +- (void)didEvaluateModule:(NSURL *)key; + +@end + @interface JSContext(Private) /*! @property @discussion Remote inspection setting of the JSContext. Default value is YES. 
*/ -@property (setter=_setRemoteInspectionEnabled:) BOOL _remoteInspectionEnabled NS_AVAILABLE(10_10, 8_0); +@property (setter=_setRemoteInspectionEnabled:) BOOL _remoteInspectionEnabled JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @property @discussion Set whether or not the native call stack is included when reporting exceptions. Default value is YES. */ -@property (setter=_setIncludesNativeCallStackWhenReportingExceptions:) BOOL _includesNativeCallStackWhenReportingExceptions NS_AVAILABLE(10_10, 8_0); +@property (setter=_setIncludesNativeCallStackWhenReportingExceptions:) BOOL _includesNativeCallStackWhenReportingExceptions JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @property @discussion Set the run loop the Web Inspector debugger should use when evaluating JavaScript in the JSContext. */ -@property (setter=_setDebuggerRunLoop:) CFRunLoopRef _debuggerRunLoop NS_AVAILABLE(10_10, 8_0); +@property (setter=_setDebuggerRunLoop:) CFRunLoopRef _debuggerRunLoop JSC_API_AVAILABLE(macos(10.10), ios(8.0)); + +/*! @abstract The delegate the context will use when trying to load a module. Note, this delegate will be ignored for contexts returned by UIWebView. */ +@property (nonatomic, weak) id moduleLoaderDelegate JSC_API_AVAILABLE(macos(10.15), ios(13.0)); + +/*! + @method + @abstract Run a JSScript. + @param script the JSScript to evaluate. + @discussion If the provided JSScript was created with kJSScriptTypeProgram, the script will run synchronously and return the result of evaluation. + + Otherwise, if the script was created with kJSScriptTypeModule, the module will be run asynchronously and will return a promise resolved when the module and any transitive dependencies are loaded. The module loader will treat the script as if it had been returned from a delegate call to moduleLoaderDelegate. This mirrors the JavaScript dynamic import operation. 
+ */ +// FIXME: Before making this public need to fix: https://bugs.webkit.org/show_bug.cgi?id=199714 +- (JSValue *)evaluateJSScript:(JSScript *)script JSC_API_AVAILABLE(macos(10.15), ios(13.0)); + +/*! + @method + @abstract Get the identifiers of the modules a JSScript depends on in this context. + @param script the JSScript to determine the dependencies of. + @result An Array containing all the identifiers of modules script depends on. + @discussion If the provided JSScript was not created with kJSScriptTypeModule, an exception will be thrown. Also, if the script has not already been evaluated in this context an error will be throw. + */ +- (JSValue *)dependencyIdentifiersForModuleJSScript:(JSScript *)script JSC_API_AVAILABLE(macos(10.15), ios(13.0)); @end diff --git a/API/JSContextRef.cpp b/API/JSContextRef.cpp index 541cb70..9f5fdaf 100644 --- a/API/JSContextRef.cpp +++ b/API/JSContextRef.cpp @@ -30,9 +30,9 @@ #include "APICast.h" #include "CallFrame.h" #include "InitializeThreading.h" +#include "JSAPIGlobalObject.h" #include "JSCallbackObject.h" #include "JSClassRef.h" -#include "JSGlobalObject.h" #include "JSObject.h" #include "JSCInlines.h" #include "SourceProvider.h" @@ -99,9 +99,9 @@ void JSContextGroupSetExecutionTimeLimit(JSContextGroupRef group, double limit, Watchdog& watchdog = vm.ensureWatchdog(); if (callback) { void* callbackPtr = reinterpret_cast(callback); - watchdog.setTimeLimit(std::chrono::duration_cast(std::chrono::duration(limit)), internalScriptTimeoutCallback, callbackPtr, callbackData); + watchdog.setTimeLimit(Seconds { limit }, internalScriptTimeoutCallback, callbackPtr, callbackData); } else - watchdog.setTimeLimit(std::chrono::duration_cast(std::chrono::duration(limit))); + watchdog.setTimeLimit(Seconds { limit }); } void JSContextGroupClearExecutionTimeLimit(JSContextGroupRef group) 
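Review bot: The new `JSModuleLoaderDelegate` contract does not say who is responsible for deciding whether `identifier` may be loaded: the discussion states it is an absolute file URL derived from the importing script's specifier, which means script content decides which path is requested, and the delegate that turns that URL into a JSScript is the only place the embedder sees it before the source is evaluated. I would add to the `@discussion` of `context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:` a sentence such as `The delegate must decide whether identifier is acceptable (for example, restricting it to a known directory) before providing source; reject it otherwise.` — whether the loader itself applies any restriction cannot be confirmed from this header, so word it accordingly. The same comment also has a typo, `sholud` → `should`. The FIXME left on `evaluateJSScript:` is fine for a private header.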
@@ -138,7 +138,7 @@ JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClass JSLockHolder locker(vm.ptr()); if (!globalObjectClass) { - JSGlobalObject* globalObject = JSGlobalObject::create(vm.get(), JSGlobalObject::createStructure(vm.get(), jsNull())); + JSGlobalObject* globalObject = JSAPIGlobalObject::create(vm.get(), JSAPIGlobalObject::createStructure(vm.get(), jsNull())); #if ENABLE(REMOTE_INSPECTOR) if (JSRemoteInspectorGetInspectionEnabledByDefault()) globalObject->setRemoteDebuggingEnabled(true); @@ -162,10 +162,10 @@ JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClass JSGlobalContextRef JSGlobalContextRetain(JSGlobalContextRef ctx) { ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - VM& vm = exec->vm(); - gcProtect(exec->vmEntryGlobalObject()); + JSLockHolder locker(vm); + + gcProtect(vm.vmEntryGlobalObject(exec)); vm.ref(); return ctx; } @@ -173,10 +173,10 @@ JSGlobalContextRef JSGlobalContextRetain(JSGlobalContextRef ctx) void JSGlobalContextRelease(JSGlobalContextRef ctx) { ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); - VM& vm = exec->vm(); - bool protectCountIsZero = Heap::heap(exec->vmEntryGlobalObject())->unprotect(exec->vmEntryGlobalObject()); + JSLockHolder locker(vm); + + bool protectCountIsZero = vm.heap.unprotect(vm.vmEntryGlobalObject(exec)); if (protectCountIsZero) vm.heap.reportAbandonedObjectGraph(); vm.deref(); @@ -189,9 +189,10 @@ JSObjectRef JSContextGetGlobalObject(JSContextRef ctx) return 0; } ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + VM& vm = exec->vm(); + JSLockHolder locker(vm); - return toRef(jsCast(exec->lexicalGlobalObject()->methodTable()->toThis(exec->lexicalGlobalObject(), exec, NotStrictMode))); + return toRef(jsCast(exec->lexicalGlobalObject()->methodTable(vm)->toThis(exec->lexicalGlobalObject(), exec, NotStrictMode))); } JSContextGroupRef JSContextGetGroup(JSContextRef ctx) 
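Review bot: `JSGlobalContextRetain` and `JSGlobalContextRelease` now dereference `ctx` immediately through `exec->vm()`, while the neighbouring entry points in this file (`JSContextGetGlobalObject` on this line, `JSGlobalContextCopyName` and `SetName` on the next) start with `if (!ctx) { ASSERT_NOT_REACHED(); return ...; }`. A NULL context therefore becomes a null-pointer read in release builds instead of the sibling functions' early return; if passing NULL is a caller bug, mirroring the guard keeps the failure mode consistent: `if (!ctx) { ASSERT_NOT_REACHED(); return 0; }` at the top of Retain and `if (!ctx) { ASSERT_NOT_REACHED(); return; }` in Release. The old code crashed the same way inside `JSLockHolder locker(exec)`, so this is pre-existing rather than introduced by the lock refactor.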
@@ -224,13 +225,14 @@ JSStringRef JSGlobalContextCopyName(JSGlobalContextRef ctx) } ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + VM& vm = exec->vm(); + JSLockHolder locker(vm); - String name = exec->vmEntryGlobalObject()->name(); + String name = vm.vmEntryGlobalObject(exec)->name(); if (name.isNull()) return 0; - return OpaqueJSString::create(name).leakRef(); + return OpaqueJSString::tryCreate(name).leakRef(); } void JSGlobalContextSetName(JSGlobalContextRef ctx, JSStringRef name) @@ -241,9 +243,10 @@ void JSGlobalContextSetName(JSGlobalContextRef ctx, JSStringRef name) } ExecState* exec = toJS(ctx); - JSLockHolder locker(exec); + VM& vm = exec->vm(); + JSLockHolder locker(vm); - exec->vmEntryGlobalObject()->setName(name ? name->string() : String()); + vm.vmEntryGlobalObject(exec)->setName(name ? name->string() : String()); } @@ -304,15 +307,16 @@ JSStringRef JSContextCreateBacktrace(JSContextRef ctx, unsigned maxStackSize) return 0; } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); StringBuilder builder; - CallFrame* frame = exec->vm().topCallFrame; + CallFrame* frame = vm.topCallFrame; ASSERT(maxStackSize); BacktraceFunctor functor(builder, maxStackSize); frame->iterate(functor); - return OpaqueJSString::create(builder.toString()).leakRef(); + return OpaqueJSString::tryCreate(builder.toString()).leakRef(); } bool JSGlobalContextGetRemoteInspectionEnabled(JSGlobalContextRef ctx) @@ -323,9 +327,10 @@ bool JSGlobalContextGetRemoteInspectionEnabled(JSGlobalContextRef ctx) } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); - return exec->vmEntryGlobalObject()->remoteDebuggingEnabled(); + return vm.vmEntryGlobalObject(exec)->remoteDebuggingEnabled(); } void JSGlobalContextSetRemoteInspectionEnabled(JSGlobalContextRef ctx, bool enabled) 
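Review bot: In the `JSContextCreateBacktrace` hunk the only validation of `maxStackSize` is `ASSERT(maxStackSize)`, which compiles out in release, and `frame = vm.topCallFrame` is handed to `frame->iterate(functor)` with no null check, so calling this API with a 0 limit or outside any JS execution relies on `BacktraceFunctor`/`StackVisitor` tolerating those inputs — neither can be confirmed from this file. Since the function already returns 0 for a null `ctx`, a guard before the functor is cheap, `if (!maxStackSize || !frame) return 0;`, or if callers expect a string in that case, return `OpaqueJSString::tryCreate(String()).leakRef()` and document the 0 meaning in JSContextRefPrivate.h. The function's signature is only in the hunk header, outside the hunk.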
@@ -336,9 +341,10 @@ void JSGlobalContextSetRemoteInspectionEnabled(JSGlobalContextRef ctx, bool enab } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); - exec->vmEntryGlobalObject()->setRemoteDebuggingEnabled(enabled); + vm.vmEntryGlobalObject(exec)->setRemoteDebuggingEnabled(enabled); } bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions(JSGlobalContextRef ctx) @@ -350,9 +356,10 @@ bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions(JSGlobalCo } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); - JSGlobalObject* globalObject = exec->vmEntryGlobalObject(); + JSGlobalObject* globalObject = vm.vmEntryGlobalObject(exec); return globalObject->inspectorController().includesNativeCallStackWhenReportingExceptions(); #else UNUSED_PARAM(ctx); @@ -369,9 +376,10 @@ void JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions(JSGlobalCo } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); - JSGlobalObject* globalObject = exec->vmEntryGlobalObject(); + JSGlobalObject* globalObject = vm.vmEntryGlobalObject(exec); globalObject->inspectorController().setIncludesNativeCallStackWhenReportingExceptions(includesNativeCallStack); #else UNUSED_PARAM(ctx); @@ -389,9 +397,10 @@ CFRunLoopRef JSGlobalContextGetDebuggerRunLoop(JSGlobalContextRef ctx) } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); - return exec->vmEntryGlobalObject()->inspectorDebuggable().targetRunLoop(); + return vm.vmEntryGlobalObject(exec)->inspectorDebuggable().targetRunLoop(); #else UNUSED_PARAM(ctx); return nullptr; 
@@ -407,9 +416,10 @@ void JSGlobalContextSetDebuggerRunLoop(JSGlobalContextRef ctx, CFRunLoopRef runL } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); - exec->vmEntryGlobalObject()->inspectorDebuggable().setTargetRunLoop(runLoop); + vm.vmEntryGlobalObject(exec)->inspectorDebuggable().setTargetRunLoop(runLoop); #else UNUSED_PARAM(ctx); UNUSED_PARAM(runLoop); @@ -426,8 +436,9 @@ Inspector::AugmentableInspectorController* JSGlobalContextGetAugmentableInspecto } ExecState* exec = toJS(ctx); - JSLockHolder lock(exec); + VM& vm = exec->vm(); + JSLockHolder lock(vm); - return &exec->vmEntryGlobalObject()->inspectorController(); + return &vm.vmEntryGlobalObject(exec)->inspectorController(); } #endif diff --git a/API/JSContextRef.h b/API/JSContextRef.h index 0c800bc..1ce7435 100644 --- a/API/JSContextRef.h +++ b/API/JSContextRef.h @@ -46,9 +46,14 @@ extern "C" { JavaScript objects between contexts in different groups will produce undefined behavior. When objects from the same context group are used in multiple threads, explicit synchronization is required. + + A JSContextGroup may need to run deferred tasks on a run loop, such as garbage collection + or resolving WebAssembly compilations. By default, calling JSContextGroupCreate will use + the run loop of the thread it was called on. Currently, there is no API to change a + JSContextGroup's run loop once it has been created. @result The created JSContextGroup. */ -JS_EXPORT JSContextGroupRef JSContextGroupCreate(void) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT JSContextGroupRef JSContextGroupCreate(void) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! @function 
@@ -56,14 +61,14 @@ JS_EXPORT JSContextGroupRef JSContextGroupCreate(void) CF_AVAILABLE(10_6, 7_0); @param group The JSContextGroup to retain. @result A JSContextGroup that is the same as group. */ -JS_EXPORT JSContextGroupRef JSContextGroupRetain(JSContextGroupRef group) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT JSContextGroupRef JSContextGroupRetain(JSContextGroupRef group) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! @function @abstract Releases a JavaScript context group. @param group The JSContextGroup to release. */ -JS_EXPORT void JSContextGroupRelease(JSContextGroupRef group) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT void JSContextGroupRelease(JSContextGroupRef group) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! @function @@ -78,7 +83,7 @@ JS_EXPORT void JSContextGroupRelease(JSContextGroupRef group) CF_AVAILABLE(10_6, NULL to use the default object class. @result A JSGlobalContext with a global object of class globalObjectClass. */ -JS_EXPORT JSGlobalContextRef JSGlobalContextCreate(JSClassRef globalObjectClass) CF_AVAILABLE(10_5, 7_0); +JS_EXPORT JSGlobalContextRef JSGlobalContextCreate(JSClassRef globalObjectClass) JSC_API_AVAILABLE(macos(10.5), ios(7.0)); /*! @function @@ -92,7 +97,7 @@ JS_EXPORT JSGlobalContextRef JSGlobalContextCreate(JSClassRef globalObjectClass) @result A JSGlobalContext with a global object of class globalObjectClass and a context group equal to group. */ -JS_EXPORT JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClassRef globalObjectClass) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClassRef globalObjectClass) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! @function 
@@ -123,7 +128,7 @@ JS_EXPORT JSObjectRef JSContextGetGlobalObject(JSContextRef ctx); @param ctx The JSContext whose group you want to get. @result ctx's group. */ -JS_EXPORT JSContextGroupRef JSContextGetGroup(JSContextRef ctx) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT JSContextGroupRef JSContextGetGroup(JSContextRef ctx) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! @function @@ -131,7 +136,7 @@ JS_EXPORT JSContextGroupRef JSContextGetGroup(JSContextRef ctx) CF_AVAILABLE(10_ @param ctx The JSContext whose global context you want to get. @result ctx's global context. */ -JS_EXPORT JSGlobalContextRef JSContextGetGlobalContext(JSContextRef ctx) CF_AVAILABLE(10_7, 7_0); +JS_EXPORT JSGlobalContextRef JSContextGetGlobalContext(JSContextRef ctx) JSC_API_AVAILABLE(macos(10.7), ios(7.0)); /*! @function @@ -141,7 +146,7 @@ JS_EXPORT JSGlobalContextRef JSContextGetGlobalContext(JSContextRef ctx) CF_AVAI @discussion A JSGlobalContext's name is exposed for remote debugging to make it easier to identify the context you would like to attach to. */ -JS_EXPORT JSStringRef JSGlobalContextCopyName(JSGlobalContextRef ctx) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT JSStringRef JSGlobalContextCopyName(JSGlobalContextRef ctx) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @function @@ -149,7 +154,7 @@ JS_EXPORT JSStringRef JSGlobalContextCopyName(JSGlobalContextRef ctx) CF_AVAILAB @param ctx The JSGlobalContext that you want to name. @param name The remote debugging name to set on ctx. */ -JS_EXPORT void JSGlobalContextSetName(JSGlobalContextRef ctx, JSStringRef name) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT void JSGlobalContextSetName(JSGlobalContextRef ctx, JSStringRef name) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); #ifdef __cplusplus } diff --git a/API/JSContextRefInternal.h b/API/JSContextRefInternal.h index 79d7eb6..149f70b 100644 --- a/API/JSContextRefInternal.h +++ b/API/JSContextRefInternal.h 
@@ -42,7 +42,7 @@ extern "C" { @abstract Gets the run loop used by the Web Inspector debugger when evaluating JavaScript in this context. @param ctx The JSGlobalContext whose setting you want to get. */ -JS_EXPORT CFRunLoopRef JSGlobalContextGetDebuggerRunLoop(JSGlobalContextRef ctx) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT CFRunLoopRef JSGlobalContextGetDebuggerRunLoop(JSGlobalContextRef ctx) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @function @@ -50,7 +50,7 @@ JS_EXPORT CFRunLoopRef JSGlobalContextGetDebuggerRunLoop(JSGlobalContextRef ctx) @param ctx The JSGlobalContext that you want to change. @param runLoop The new value of the setting for the context. */ -JS_EXPORT void JSGlobalContextSetDebuggerRunLoop(JSGlobalContextRef ctx, CFRunLoopRef runLoop) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT void JSGlobalContextSetDebuggerRunLoop(JSGlobalContextRef ctx, CFRunLoopRef runLoop) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); #endif #ifdef __cplusplus diff --git a/API/JSContextRefPrivate.h b/API/JSContextRefPrivate.h index 19604ea..5218ad7 100644 --- a/API/JSContextRefPrivate.h +++ b/API/JSContextRefPrivate.h @@ -44,7 +44,7 @@ extern "C" { @param ctx The JSContext whose backtrace you want to get @result A string containing the backtrace */ -JS_EXPORT JSStringRef JSContextCreateBacktrace(JSContextRef ctx, unsigned maxStackSize) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT JSStringRef JSContextCreateBacktrace(JSContextRef ctx, unsigned maxStackSize) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! 
@@ -85,14 +85,14 @@ typedef bool need to call JSContextGroupSetExecutionTimeLimit before you start executing any scripts. */ -JS_EXPORT void JSContextGroupSetExecutionTimeLimit(JSContextGroupRef group, double limit, JSShouldTerminateCallback callback, void* context) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT void JSContextGroupSetExecutionTimeLimit(JSContextGroupRef group, double limit, JSShouldTerminateCallback callback, void* context) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! @function @abstract Clears the script execution time limit. @param group The JavaScript context group that the time limit is cleared on. */ -JS_EXPORT void JSContextGroupClearExecutionTimeLimit(JSContextGroupRef group) CF_AVAILABLE(10_6, 7_0); +JS_EXPORT void JSContextGroupClearExecutionTimeLimit(JSContextGroupRef group) JSC_API_AVAILABLE(macos(10.6), ios(7.0)); /*! @function @@ -101,7 +101,7 @@ JS_EXPORT void JSContextGroupClearExecutionTimeLimit(JSContextGroupRef group) CF @result The value of the setting, true if remote inspection is enabled, otherwise false. @discussion Remote inspection is true by default. */ -JS_EXPORT bool JSGlobalContextGetRemoteInspectionEnabled(JSGlobalContextRef ctx) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT bool JSGlobalContextGetRemoteInspectionEnabled(JSGlobalContextRef ctx) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @function @@ -109,7 +109,7 @@ JS_EXPORT bool JSGlobalContextGetRemoteInspectionEnabled(JSGlobalContextRef ctx) @param ctx The JSGlobalContext that you want to change. @param enabled The new remote inspection enabled setting for the context. */ -JS_EXPORT void JSGlobalContextSetRemoteInspectionEnabled(JSGlobalContextRef ctx, bool enabled) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT void JSGlobalContextSetRemoteInspectionEnabled(JSGlobalContextRef ctx, bool enabled) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @function 
@@ -118,7 +118,7 @@ JS_EXPORT void JSGlobalContextSetRemoteInspectionEnabled(JSGlobalContextRef ctx, @result The value of the setting, true if remote inspection is enabled, otherwise false. @discussion This setting is true by default. */ -JS_EXPORT bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions(JSGlobalContextRef ctx) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions(JSGlobalContextRef ctx) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); /*! @function @@ -126,7 +126,7 @@ JS_EXPORT bool JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions( @param ctx The JSGlobalContext that you want to change. @param includesNativeCallStack The new value of the setting for the context. */ -JS_EXPORT void JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions(JSGlobalContextRef ctx, bool includesNativeCallStack) CF_AVAILABLE(10_10, 8_0); +JS_EXPORT void JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions(JSGlobalContextRef ctx, bool includesNativeCallStack) JSC_API_AVAILABLE(macos(10.10), ios(8.0)); #ifdef __cplusplus } diff --git a/API/JSExport.h b/API/JSExport.h index b8a4849..5caace6 100644 --- a/API/JSExport.h +++ b/API/JSExport.h @@ -124,7 +124,7 @@ - Any lowercase letter that had followed a colon will be capitalized. Under the default conversion a selector doFoo:withBar: will be exported as - doFooWithBar. The default conversion may be overriden using the JSExportAs + doFooWithBar. The default conversion may be overridden using the JSExportAs macro, for example to export a method doFoo:withBar: as doFoo:
diff --git a/API/JSManagedValue.h b/API/JSManagedValue.h
index 01073fa..3ebc7a4 100644
--- a/API/JSManagedValue.h
+++ b/API/JSManagedValue.h
@@ -57,7 +57,7 @@ NS_CLASS_AVAILABLE(10_9, 7_0)
 @result The new JSManagedValue.
 */
 + (JSManagedValue *)managedValueWithValue:(JSValue *)value;
-+ (JSManagedValue *)managedValueWithValue:(JSValue *)value andOwner:(id)owner NS_AVAILABLE(10_10, 8_0);
++ (JSManagedValue *)managedValueWithValue:(JSValue *)value andOwner:(id)owner JSC_API_AVAILABLE(macos(10.10), ios(8.0));
 
 /*!
 @method
diff --git a/API/JSManagedValue.mm b/API/JSManagedValue.mm
index 038a682..9f5dd88 100644
--- a/API/JSManagedValue.mm
+++ b/API/JSManagedValue.mm
@@ -33,145 +33,28 @@
 #import "Heap.h"
 #import "JSContextInternal.h"
 #import "JSValueInternal.h"
-#import "Weak.h"
+#import "JSWeakValue.h"
 #import "WeakHandleOwner.h"
 #import "ObjcRuntimeExtras.h"
 #import "JSCInlines.h"
 #import 
-#import 
 
 class JSManagedValueHandleOwner : public JSC::WeakHandleOwner {
 public:
     void finalize(JSC::Handle, void* context) override;
-    bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&) override;
+    bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) override;
 };
 
-static JSManagedValueHandleOwner* managedValueHandleOwner()
+static JSManagedValueHandleOwner& managedValueHandleOwner()
 {
     static NeverDestroyed jsManagedValueHandleOwner;
-    return &jsManagedValueHandleOwner.get();
+    return jsManagedValueHandleOwner;
 }
 
-class WeakValueRef {
-public:
-    WeakValueRef()
-        : m_tag(NotSet)
-    {
-    }
-
-    ~WeakValueRef()
-    {
-        clear();
-    }
-
-    void clear()
-    {
-        switch (m_tag) {
-        case NotSet:
-            return;
-        case Primitive:
-            u.m_primitive = JSC::JSValue();
-            return;
-        case Object:
-            u.m_object.clear();
-            return;
-        case String:
-            u.m_string.clear();
-            return;
-        }
-        RELEASE_ASSERT_NOT_REACHED();
-    }
-
-    bool isClear() const
-    {
-        switch (m_tag) {
-        case NotSet:
-            return true;
-        case Primitive:
-            return !u.m_primitive;
-        case Object:
-            return !u.m_object;
-        case String:
-            return !u.m_string;
-        }
-        RELEASE_ASSERT_NOT_REACHED();
-    }
-
-    bool isSet() const { return m_tag != NotSet; }
-    bool isPrimitive() const { return m_tag == Primitive; }
-    bool isObject() const { return m_tag == Object; }
-    bool isString() const { return m_tag == String; }
-
-    void setPrimitive(JSC::JSValue primitive)
-    {
-        ASSERT(!isSet());
-        ASSERT(!u.m_primitive);
-        ASSERT(primitive.isPrimitive());
-        m_tag = Primitive;
-        u.m_primitive = primitive;
-    }
-
-    void setObject(JSC::JSObject* object, void* context)
-    {
-        ASSERT(!isSet());
-        ASSERT(!u.m_object);
-        m_tag = Object;
-        JSC::Weak weak(object, managedValueHandleOwner(), context);
-        u.m_object.swap(weak);
-    }
-
-    void setString(JSC::JSString* string, void* context)
-    {
-        ASSERT(!isSet());
-        ASSERT(!u.m_object);
-        m_tag = String;
-        JSC::Weak weak(string, managedValueHandleOwner(), context);
-        u.m_string.swap(weak);
-    }
-
-    JSC::JSObject* object()
-    {
-        ASSERT(isObject());
-        return u.m_object.get();
-    }
-
-    JSC::JSValue primitive()
-    {
-        ASSERT(isPrimitive());
-        return u.m_primitive;
-    }
-
-    JSC::JSString* string()
-    {
-        ASSERT(isString());
-        return u.m_string.get();
-    }
-
-private:
-    enum WeakTypeTag { NotSet, Primitive, Object, String };
-    WeakTypeTag m_tag;
-    union WeakValueUnion {
-    public:
-        WeakValueUnion ()
-            : m_primitive(JSC::JSValue())
-        {
-        }
-
-        ~WeakValueUnion()
-        {
-            ASSERT(!m_primitive);
-        }
-
-        JSC::JSValue m_primitive;
-        JSC::Weak m_object;
-        JSC::Weak m_string;
-    } u;
-};
-
 @implementation JSManagedValue {
     JSC::Weak m_globalObject;
     RefPtr m_lock;
-    WeakValueRef m_weakValue;
+    JSC::JSWeakValue m_weakValue;
     NSMapTable *m_owners;
 }
 
@@ -203,7 +86,8 @@ private:
 
     JSC::ExecState* exec = toJS([value.context JSGlobalContextRef]);
     JSC::JSGlobalObject* globalObject = exec->lexicalGlobalObject();
-    JSC::Weak weak(globalObject, managedValueHandleOwner(), self);
+    auto& owner = managedValueHandleOwner();
+    JSC::Weak weak(globalObject, &owner, (__bridge void*)self);
     m_globalObject.swap(weak);
 
     m_lock = &exec->vm().apiLock();
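Review bot: `(__bridge void*)self` is stored as the weak-handle context without a retain, and `JSManagedValueHandleOwner::finalize` later turns that pointer back into a `JSManagedValue *` and messages it, so the handle must be cleared before the object is deallocated; the `dealloc` in this file is only partially visible in the diff, so I cannot confirm that it does. A comment at the store would make the invariant explicit for the next reader: `// Unretained: m_globalObject and m_weakValue must be cleared before self is freed, or finalize() will message a dead object.` The enclosing initializer starts before this hunk.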
@@ -214,9 +98,9 @@ private:
 
     JSC::JSValue jsValue = toJS(exec, [value JSValueRef]);
     if (jsValue.isObject())
-        m_weakValue.setObject(JSC::jsCast(jsValue.asCell()), self);
+        m_weakValue.setObject(JSC::jsCast(jsValue.asCell()), owner, (__bridge void*)self);
     else if (jsValue.isString())
-        m_weakValue.setString(JSC::jsCast(jsValue.asCell()), self);
+        m_weakValue.setString(JSC::jsCast(jsValue.asCell()), owner, (__bridge void*)self);
     else
         m_weakValue.setPrimitive(jsValue);
     return self;
@@ -228,7 +112,7 @@ private:
     if (virtualMachine) {
         NSMapTable *copy = [m_owners copy];
         for (id owner in [copy keyEnumerator]) {
-            size_t count = reinterpret_cast(NSMapGet(m_owners, owner));
+            size_t count = reinterpret_cast(NSMapGet(m_owners, (__bridge void*)owner));
             while (count--)
                 [virtualMachine removeManagedReference:self withOwner:owner];
         }
@@ -242,32 +126,33 @@ private:
 
 - (void)didAddOwner:(id)owner
 {
-    size_t count = reinterpret_cast(NSMapGet(m_owners, owner));
-    NSMapInsert(m_owners, owner, reinterpret_cast(count + 1));
+    size_t count = reinterpret_cast(NSMapGet(m_owners, (__bridge void*)owner));
+    NSMapInsert(m_owners, (__bridge void*)owner, reinterpret_cast(count + 1));
 }
 
 - (void)didRemoveOwner:(id)owner
 {
-    size_t count = reinterpret_cast(NSMapGet(m_owners, owner));
+    size_t count = reinterpret_cast(NSMapGet(m_owners, (__bridge void*)owner));
 
     if (!count)
         return;
 
     if (count == 1) {
-        NSMapRemove(m_owners, owner);
+        NSMapRemove(m_owners, (__bridge void*)owner);
         return;
     }
 
-    NSMapInsert(m_owners, owner, reinterpret_cast(count - 1));
+    NSMapInsert(m_owners, (__bridge void*)owner, reinterpret_cast(count - 1));
 }
 
 - (JSValue *)value
 {
     WTF::Locker locker(m_lock.get());
-    if (!m_lock->vm())
+    JSC::VM* vm = m_lock->vm();
+    if (!vm)
         return nil;
 
-    JSC::JSLockHolder apiLocker(m_lock->vm());
+    JSC::JSLockHolder apiLocker(vm);
     if (!m_globalObject)
         return nil;
     if (m_weakValue.isClear())
@@ -296,15 +181,17 @@ private:
 - (void)disconnectValue;
 @end
 
-bool JSManagedValueHandleOwner::isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor& visitor)
+bool JSManagedValueHandleOwner::isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor& visitor, const char** reason)
 {
-    JSManagedValue *managedValue = static_cast(context);
-    return visitor.containsOpaqueRoot(managedValue);
+    if (UNLIKELY(reason))
+        *reason = "JSManagedValue is opaque root";
+    JSManagedValue *managedValue = (__bridge JSManagedValue *)context;
+    return visitor.containsOpaqueRoot((__bridge void*)managedValue);
 }
 
 void JSManagedValueHandleOwner::finalize(JSC::Handle, void* context)
 {
-    JSManagedValue *managedValue = static_cast(context);
+    JSManagedValue *managedValue = (__bridge JSManagedValue *)context;
     [managedValue disconnectValue];
 }
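Review bot: The bridge round-trip in `isReachableFromOpaqueRoots` is redundant: `context` is cast to `JSManagedValue *` and immediately cast back to `void*` for `visitor.containsOpaqueRoot`, so `return visitor.containsOpaqueRoot(context);` expresses the same thing without the temporary and without suggesting the object is touched. The local is only needed in `finalize`, where `[managedValue disconnectValue]` does message it. The new `reason` string is fine as written.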
 
diff --git a/API/JSMarkingConstraintPrivate.cpp b/API/JSMarkingConstraintPrivate.cpp
index 17074e4..d9ee674 100644
--- a/API/JSMarkingConstraintPrivate.cpp
+++ b/API/JSMarkingConstraintPrivate.cpp
@@ -28,8 +28,7 @@
 
 #include "APICast.h"
 #include "JSCInlines.h"
-#include "MarkingConstraint.h"
-#include "VisitingTimeout.h"
+#include "SimpleMarkingConstraint.h"
 
 using namespace JSC;
 
@@ -41,12 +40,12 @@ struct Marker : JSMarker {
     SlotVisitor* visitor;
 };
 
-bool isMarked(JSMarkerRef, JSObjectRef objectRef)
+bool isMarked(JSMarkerRef markerRef, JSObjectRef objectRef)
 {
     if (!objectRef)
         return true; // Null is an immortal object.
     
-    return Heap::isMarked(toJS(objectRef));
+    return static_cast(markerRef)->visitor->vm().heap.isMarked(toJS(objectRef));
 }
 
 void mark(JSMarkerRef markerRef, JSObjectRef objectRef)
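Review bot: `markerRef` is now dereferenced unconditionally in isMarked (`static_cast<Marker*>(markerRef)->visitor->vm()`) while `objectRef` still gets a null check two lines earlier; both arrive from the embedder's constraint callback, so an `ASSERT(markerRef);` before the cast, or a comment stating that a null marker is a caller bug, would make the contract explicit. The cast also assumes the marker is the `Marker` built by the lambda in JSContextGroupAddMarkingConstraint, which a one-line comment on the cast could record. `mark` begins on this hunk's last line and continues outside it.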
@@ -72,11 +71,11 @@ void JSContextGroupAddMarkingConstraint(JSContextGroupRef group, JSMarkingConstr
     // else gets marked.
     ConstraintVolatility volatility = ConstraintVolatility::GreyedByMarking;
     
-    auto constraint = std::make_unique(
+    auto constraint = std::make_unique(
         toCString("Amc", constraintIndex, "(", RawPointer(bitwise_cast(constraintCallback)), ")"),
         toCString("API Marking Constraint #", constraintIndex, " (", RawPointer(bitwise_cast(constraintCallback)), ", ", RawPointer(userData), ")"),
         [constraintCallback, userData]
-        (SlotVisitor& slotVisitor, const VisitingTimeout&) {
+        (SlotVisitor& slotVisitor) {
             Marker marker;
             marker.IsMarked = isMarked;
             marker.Mark = mark;
@@ -84,7 +83,8 @@ void JSContextGroupAddMarkingConstraint(JSContextGroupRef group, JSMarkingConstr
             
             constraintCallback(&marker, userData);
         },
-        volatility);
+        volatility,
+        ConstraintConcurrency::Sequential);
     
     vm.heap.addMarkingConstraint(WTFMove(constraint));
 }
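Review bot: The new `ConstraintConcurrency::Sequential` argument is the one line of this hunk a reader cannot explain from the surrounding code, and it deserves a why-comment; presumably the embedder's `constraintCallback` carries no thread-safety contract, so the constraint must not be run by parallel markers, but that should be confirmed and written down. Suggested, on the line above `volatility,`: `// The embedder's callback has no thread-safety contract, so never run it on parallel markers.`. The enclosing JSContextGroupAddMarkingConstraint starts before this hunk.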
diff --git a/API/JSObjectRef.cpp b/API/JSObjectRef.cpp
index cefef66..554d5f1 100644
--- a/API/JSObjectRef.cpp
+++ b/API/JSObjectRef.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Kelvin W Sherlock (ksherlock@gmail.com)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -46,6 +46,8 @@
 #include "JSFunction.h"
 #include "JSGlobalObject.h"
 #include "JSObject.h"
+#include "JSPromise.h"
+#include "JSPromiseDeferred.h"
 #include "JSRetainPtr.h"
 #include "JSString.h"
 #include "JSValueRef.h"
@@ -89,14 +91,15 @@ JSObjectRef JSObjectMake(JSContextRef ctx, JSClassRef jsClass, void* data)
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
 
     if (!jsClass)
         return toRef(constructEmptyObject(exec));
 
     JSCallbackObject* object = JSCallbackObject::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), jsClass, data);
     if (JSObject* prototype = jsClass->prototype(exec))
-        object->setPrototypeDirect(exec->vm(), prototype);
+        object->setPrototypeDirect(vm, prototype);
 
     return toRef(object);
 }
@@ -108,8 +111,9 @@ JSObjectRef JSObjectMakeFunctionWithCallback(JSContextRef ctx, JSStringRef name,
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
-    return toRef(JSCallbackFunction::create(exec->vm(), exec->lexicalGlobalObject(), callAsFunction, name ? name->string() : ASCIILiteral("anonymous")));
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    return toRef(JSCallbackFunction::create(vm, exec->lexicalGlobalObject(), callAsFunction, name ? name->string() : "anonymous"_s));
 }
 
 JSObjectRef JSObjectMakeConstructor(JSContextRef ctx, JSClassRef jsClass, JSObjectCallAsConstructorCallback callAsConstructor)
@@ -119,14 +123,15 @@ JSObjectRef JSObjectMakeConstructor(JSContextRef ctx, JSClassRef jsClass, JSObje
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
 
     JSValue jsPrototype = jsClass ? jsClass->prototype(exec) : 0;
     if (!jsPrototype)
         jsPrototype = exec->lexicalGlobalObject()->objectPrototype();
 
     JSCallbackConstructor* constructor = JSCallbackConstructor::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackConstructorStructure(), jsClass, callAsConstructor);
-    constructor->putDirect(exec->vm(), exec->propertyNames().prototype, jsPrototype, DontEnum | DontDelete | ReadOnly);
+    constructor->putDirect(vm, vm.propertyNames->prototype, jsPrototype, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
     return toRef(constructor);
 }
 
@@ -137,19 +142,27 @@ JSObjectRef JSObjectMakeFunction(JSContextRef ctx, JSStringRef name, unsigned pa
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     startingLineNumber = std::max(1, startingLineNumber);
-    Identifier nameID = name ? name->identifier(&exec->vm()) : Identifier::fromString(exec, "anonymous");
+    Identifier nameID = name ? name->identifier(&vm) : Identifier::fromString(exec, "anonymous");
     
     MarkedArgumentBuffer args;
     for (unsigned i = 0; i < parameterCount; i++)
         args.append(jsString(exec, parameterNames[i]->string()));
     args.append(jsString(exec, body->string()));
+    if (UNLIKELY(args.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     auto sourceURLString = sourceURL ? sourceURL->string() : String();
     JSObject* result = constructFunction(exec, exec->lexicalGlobalObject(), args, nameID, SourceOrigin { sourceURLString }, sourceURLString, TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()));
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         result = 0;
     return toRef(result);
 }
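Review bot: The new `hasOverflowed()` bail-out block is copied verbatim here and into JSObjectMakeArray, JSObjectMakeDate, JSObjectMakeRegExp, JSObjectCallAsFunction and JSObjectCallAsConstructor, six copies in this file that must stay in lockstep; a small static helper would leave one place to document why an overflowed MarkedArgumentBuffer is surfaced as an out-of-memory exception through the API exception slot. Each call site would shrink to `if (UNLIKELY(reportArgumentOverflowIfNeeded(scope, exec, args, exception))) return 0;`. The declaration of JSObjectMakeFunction lies outside this hunk.
```cpp
// Reports an overflowed MarkedArgumentBuffer as an out-of-memory exception through the
// API's exception slot; returns true when the caller must abandon the operation.
static bool reportArgumentOverflowIfNeeded(JSC::CatchScope& scope, ExecState* exec, MarkedArgumentBuffer& args, JSValueRef* exception)
{
    if (LIKELY(!args.hasOverflowed()))
        return false;
    auto throwScope = DECLARE_THROW_SCOPE(scope.vm());
    throwOutOfMemoryError(exec, throwScope);
    handleExceptionIfNeeded(scope, exec, exception);
    return true;
}

// … unchanged: JSObjectMakeFunction prologue and parameter loop …
    if (UNLIKELY(reportArgumentOverflowIfNeeded(scope, exec, args, exception)))
        return 0;
```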
@@ -161,19 +174,27 @@ JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSVa
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSObject* result;
     if (argumentCount) {
         MarkedArgumentBuffer argList;
         for (size_t i = 0; i < argumentCount; ++i)
             argList.append(toJS(exec, arguments[i]));
+        if (UNLIKELY(argList.hasOverflowed())) {
+            auto throwScope = DECLARE_THROW_SCOPE(vm);
+            throwOutOfMemoryError(exec, throwScope);
+            handleExceptionIfNeeded(scope, exec, exception);
+            return 0;
+        }
 
         result = constructArray(exec, static_cast(0), argList);
     } else
         result = constructEmptyArray(exec, 0);
 
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         result = 0;
 
     return toRef(result);
@@ -186,14 +207,22 @@ JSObjectRef JSObjectMakeDate(JSContextRef ctx, size_t argumentCount, const JSVal
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     MarkedArgumentBuffer argList;
     for (size_t i = 0; i < argumentCount; ++i)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), JSValue(), argList);
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         result = 0;
 
     return toRef(result);
@@ -206,13 +235,15 @@ JSObjectRef JSObjectMakeError(JSContextRef ctx, size_t argumentCount, const JSVa
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSValue message = argumentCount ? toJS(exec, arguments[0]) : jsUndefined();
     Structure* errorStructure = exec->lexicalGlobalObject()->errorStructure();
     JSObject* result = ErrorInstance::create(exec, errorStructure, message);
 
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         result = 0;
 
     return toRef(result);
@@ -225,19 +256,51 @@ JSObjectRef JSObjectMakeRegExp(JSContextRef ctx, size_t argumentCount, const JSV
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     MarkedArgumentBuffer argList;
     for (size_t i = 0; i < argumentCount; ++i)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList);
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         result = 0;
     
     return toRef(result);
 }
 
+JSObjectRef JSObjectMakeDeferredPromise(JSContextRef ctx, JSObjectRef* resolve, JSObjectRef* reject, JSValueRef* exception)
+{
+    if (!ctx) {
+        ASSERT_NOT_REACHED();
+        return nullptr;
+    }
+
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(exec);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    auto* globalObject = exec->lexicalGlobalObject();
+    JSPromiseDeferred::DeferredData data = JSPromiseDeferred::createDeferredData(exec, globalObject, globalObject->promiseConstructor());
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
+        return nullptr;
+
+    if (resolve)
+        *resolve = toRef(data.resolve);
+    if (reject)
+        *reject = toRef(data.reject);
+    return toRef(data.promise);
+}
+
 JSValueRef JSObjectGetPrototype(JSContextRef ctx, JSObjectRef object)
 {
     if (!ctx) {
@@ -248,7 +311,7 @@ JSValueRef JSObjectGetPrototype(JSContextRef ctx, JSObjectRef object)
     JSLockHolder locker(exec);
 
     JSObject* jsObject = toJS(object); 
-    return toRef(exec, jsObject->getPrototypeDirect());
+    return toRef(exec, jsObject->getPrototypeDirect(exec->vm()));
 }
 
 void JSObjectSetPrototype(JSContextRef ctx, JSObjectRef object, JSValueRef value)
@@ -259,20 +322,13 @@ void JSObjectSetPrototype(JSContextRef ctx, JSObjectRef object, JSValueRef value
     }
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSObject* jsObject = toJS(object);
     JSValue jsValue = toJS(exec, value);
-
-    if (JSProxy* proxy = jsDynamicCast(vm, jsObject)) {
-        if (JSGlobalObject* globalObject = jsDynamicCast(vm, proxy->target())) {
-            globalObject->resetPrototype(exec->vm(), jsValue.isObject() ? jsValue : jsNull());
-            return;
-        }
-        // Someday we might use proxies for something other than JSGlobalObjects, but today is not that day.
-        RELEASE_ASSERT_NOT_REACHED();
-    }
-    jsObject->setPrototype(exec->vm(), exec, jsValue.isObject() ? jsValue : jsNull());
+    jsObject->setPrototype(vm, exec, jsValue.isObject() ? jsValue : jsNull());
+    handleExceptionIfNeeded(scope, exec, nullptr);
 }
 
 bool JSObjectHasProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName)
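Review bot: The new `handleExceptionIfNeeded(scope, exec, nullptr);` at the end of JSObjectSetPrototype clears any exception raised by `setPrototype` (a Proxy trap, for instance, may throw) without reporting it, because this API has no exception out-parameter; that is defensible but should be stated so nobody "fixes" it later: `// JSObjectSetPrototype has no exception out-parameter, so a failed [[SetPrototypeOf]] is cleared here rather than left pending on the VM.`. JSObjectSetPrototype's declaration is outside this hunk.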
@@ -282,11 +338,12 @@ bool JSObjectHasProperty(JSContextRef ctx, JSObjectRef object, JSStringRef prope
         return false;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
 
     JSObject* jsObject = toJS(object);
     
-    return jsObject->hasProperty(exec, propertyName->identifier(&exec->vm()));
+    return jsObject->hasProperty(exec, propertyName->identifier(&vm));
 }
 
 JSValueRef JSObjectGetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception)
@@ -296,12 +353,14 @@ JSValueRef JSObjectGetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSObject* jsObject = toJS(object);
 
-    JSValue jsValue = jsObject->get(exec, propertyName->identifier(&exec->vm()));
-    handleExceptionIfNeeded(exec, exception);
+    JSValue jsValue = jsObject->get(exec, propertyName->identifier(&vm));
+    handleExceptionIfNeeded(scope, exec, exception);
     return toRef(exec, jsValue);
 }
 
@@ -317,20 +376,114 @@ void JSObjectSetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef prope
     auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSObject* jsObject = toJS(object);
-    Identifier name(propertyName->identifier(&exec->vm()));
+    Identifier name(propertyName->identifier(&vm));
     JSValue jsValue = toJS(exec, value);
 
     bool doesNotHaveProperty = attributes && !jsObject->hasProperty(exec, name);
     if (LIKELY(!scope.exception())) {
         if (doesNotHaveProperty) {
             PropertyDescriptor desc(jsValue, attributes);
-            jsObject->methodTable()->defineOwnProperty(jsObject, exec, name, desc, false);
+            jsObject->methodTable(vm)->defineOwnProperty(jsObject, exec, name, desc, false);
         } else {
             PutPropertySlot slot(jsObject);
-            jsObject->methodTable()->put(jsObject, exec, name, jsValue, slot);
+            jsObject->methodTable(vm)->put(jsObject, exec, name, jsValue, slot);
         }
     }
-    handleExceptionIfNeeded(exec, exception);
+    handleExceptionIfNeeded(scope, exec, exception);
+}
+
+bool JSObjectHasPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef key, JSValueRef* exception)
+{
+    if (!ctx) {
+        ASSERT_NOT_REACHED();
+        return false;
+    }
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    JSObject* jsObject = toJS(object);
+    Identifier ident = toJS(exec, key).toPropertyKey(exec);
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
+        return false;
+
+    bool result = jsObject->hasProperty(exec, ident);
+    handleExceptionIfNeeded(scope, exec, exception);
+    return result;
+}
+
+JSValueRef JSObjectGetPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef key, JSValueRef* exception)
+{
+    if (!ctx) {
+        ASSERT_NOT_REACHED();
+        return nullptr;
+    }
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    JSObject* jsObject = toJS(object);
+    Identifier ident = toJS(exec, key).toPropertyKey(exec);
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
+        return nullptr;
+
+    JSValue jsValue = jsObject->get(exec, ident);
+    handleExceptionIfNeeded(scope, exec, exception);
+    return toRef(exec, jsValue);
+}
+
+void JSObjectSetPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef key, JSValueRef value, JSPropertyAttributes attributes, JSValueRef* exception)
+{
+    if (!ctx) {
+        ASSERT_NOT_REACHED();
+        return;
+    }
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    JSObject* jsObject = toJS(object);
+    JSValue jsValue = toJS(exec, value);
+
+    Identifier ident = toJS(exec, key).toPropertyKey(exec);
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
+        return;
+
+    bool doesNotHaveProperty = attributes && !jsObject->hasProperty(exec, ident);
+    if (LIKELY(!scope.exception())) {
+        if (doesNotHaveProperty) {
+            PropertyDescriptor desc(jsValue, attributes);
+            jsObject->methodTable(vm)->defineOwnProperty(jsObject, exec, ident, desc, false);
+        } else {
+            PutPropertySlot slot(jsObject);
+            jsObject->methodTable(vm)->put(jsObject, exec, ident, jsValue, slot);
+        }
+    }
+    handleExceptionIfNeeded(scope, exec, exception);
+}
+
+bool JSObjectDeletePropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef key, JSValueRef* exception)
+{
+    if (!ctx) {
+        ASSERT_NOT_REACHED();
+        return false;
+    }
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    JSObject* jsObject = toJS(object);
+    Identifier ident = toJS(exec, key).toPropertyKey(exec);
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
+        return false;
+
+    bool result = jsObject->methodTable(vm)->deleteProperty(jsObject, exec, ident);
+    handleExceptionIfNeeded(scope, exec, exception);
+    return result;
 }
 
 JSValueRef JSObjectGetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsigned propertyIndex, JSValueRef* exception)
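Review bot: The body of the new JSObjectSetPropertyForKey from `bool doesNotHaveProperty = …` to the final `handleExceptionIfNeeded` is a verbatim copy of JSObjectSetProperty's tail at the top of this hunk, differing only in how the Identifier was obtained; factoring that tail into a static helper keeps the define-vs-put decision in one place. The same duplicated prologue (lock, catch scope, `toPropertyKey`, exception check) appears in all four new `…ForKey` functions, but the set path is where the logic is long enough to drift. JSObjectSetProperty's declaration lies outside this hunk.
```cpp
// Shared tail of JSObjectSetProperty and JSObjectSetPropertyForKey: define the property
// when attributes were requested and it is absent, otherwise perform an ordinary put.
static void setPropertyWithIdentifier(JSC::CatchScope& scope, ExecState* exec, JSObject* jsObject, const Identifier& name, JSValue jsValue, JSPropertyAttributes attributes, JSValueRef* exception)
{
    VM& vm = scope.vm();
    bool doesNotHaveProperty = attributes && !jsObject->hasProperty(exec, name);
    if (LIKELY(!scope.exception())) {
        if (doesNotHaveProperty) {
            PropertyDescriptor desc(jsValue, attributes);
            jsObject->methodTable(vm)->defineOwnProperty(jsObject, exec, name, desc, false);
        } else {
            PutPropertySlot slot(jsObject);
            jsObject->methodTable(vm)->put(jsObject, exec, name, jsValue, slot);
        }
    }
    handleExceptionIfNeeded(scope, exec, exception);
}

// … unchanged: JSObjectSetPropertyForKey prologue, toPropertyKey and its exception check …
    setPropertyWithIdentifier(scope, exec, jsObject, ident, jsValue, attributes, exception);
```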
@@ -340,12 +493,14 @@ JSValueRef JSObjectGetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsi
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSObject* jsObject = toJS(object);
 
     JSValue jsValue = jsObject->get(exec, propertyIndex);
-    handleExceptionIfNeeded(exec, exception);
+    handleExceptionIfNeeded(scope, exec, exception);
     return toRef(exec, jsValue);
 }
 
@@ -357,13 +512,15 @@ void JSObjectSetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsigned p
         return;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSObject* jsObject = toJS(object);
     JSValue jsValue = toJS(exec, value);
     
-    jsObject->methodTable()->putByIndex(jsObject, exec, propertyIndex, jsValue, false);
-    handleExceptionIfNeeded(exec, exception);
+    jsObject->methodTable(vm)->putByIndex(jsObject, exec, propertyIndex, jsValue, false);
+    handleExceptionIfNeeded(scope, exec, exception);
 }
 
 bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception)
@@ -373,12 +530,14 @@ bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef pr
         return false;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSObject* jsObject = toJS(object);
 
-    bool result = jsObject->methodTable()->deleteProperty(jsObject, exec, propertyName->identifier(&exec->vm()));
-    handleExceptionIfNeeded(exec, exception);
+    bool result = jsObject->methodTable(vm)->deleteProperty(jsObject, exec, propertyName->identifier(&vm));
+    handleExceptionIfNeeded(scope, exec, exception);
     return result;
 }
 
@@ -455,22 +614,22 @@ JSValueRef JSObjectGetPrivateProperty(JSContextRef ctx, JSObjectRef object, JSSt
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
     JSObject* jsObject = toJS(object);
     JSValue result;
-    Identifier name(propertyName->identifier(&exec->vm()));
+    Identifier name(propertyName->identifier(&vm));
 
 
     // Get wrapped object if proxied
-    if (jsObject->inherits(vm, JSProxy::info()))
+    if (jsObject->inherits(vm))
         jsObject = jsCast(jsObject)->target();
 
-    if (jsObject->inherits(vm, JSCallbackObject::info()))
+    if (jsObject->inherits>(vm))
         result = jsCast*>(jsObject)->getPrivateProperty(name);
-    else if (jsObject->inherits(vm, JSCallbackObject::info()))
+    else if (jsObject->inherits>(vm))
         result = jsCast*>(jsObject)->getPrivateProperty(name);
 #if JSC_OBJC_API_ENABLED
-    else if (jsObject->inherits(vm, JSCallbackObject::info()))
+    else if (jsObject->inherits>(vm))
         result = jsCast*>(jsObject)->getPrivateProperty(name);
 #endif
     return toRef(exec, result);
@@ -480,26 +639,26 @@ bool JSObjectSetPrivateProperty(JSContextRef ctx, JSObjectRef object, JSStringRe
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
     JSObject* jsObject = toJS(object);
     JSValue jsValue = value ? toJS(exec, value) : JSValue();
-    Identifier name(propertyName->identifier(&exec->vm()));
+    Identifier name(propertyName->identifier(&vm));
 
     // Get wrapped object if proxied
-    if (jsObject->inherits(vm, JSProxy::info()))
+    if (jsObject->inherits(vm))
         jsObject = jsCast(jsObject)->target();
 
-    if (jsObject->inherits(vm, JSCallbackObject::info())) {
-        jsCast*>(jsObject)->setPrivateProperty(exec->vm(), name, jsValue);
+    if (jsObject->inherits>(vm)) {
+        jsCast*>(jsObject)->setPrivateProperty(vm, name, jsValue);
         return true;
     }
-    if (jsObject->inherits(vm, JSCallbackObject::info())) {
-        jsCast*>(jsObject)->setPrivateProperty(exec->vm(), name, jsValue);
+    if (jsObject->inherits>(vm)) {
+        jsCast*>(jsObject)->setPrivateProperty(vm, name, jsValue);
         return true;
     }
 #if JSC_OBJC_API_ENABLED
-    if (jsObject->inherits(vm, JSCallbackObject::info())) {
-        jsCast*>(jsObject)->setPrivateProperty(exec->vm(), name, jsValue);
+    if (jsObject->inherits>(vm)) {
+        jsCast*>(jsObject)->setPrivateProperty(vm, name, jsValue);
         return true;
     }
 #endif
@@ -510,24 +669,24 @@ bool JSObjectDeletePrivateProperty(JSContextRef ctx, JSObjectRef object, JSStrin
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
     JSObject* jsObject = toJS(object);
-    Identifier name(propertyName->identifier(&exec->vm()));
+    Identifier name(propertyName->identifier(&vm));
 
     // Get wrapped object if proxied
-    if (jsObject->inherits(vm, JSProxy::info()))
+    if (jsObject->inherits(vm))
         jsObject = jsCast(jsObject)->target();
 
-    if (jsObject->inherits(vm, JSCallbackObject::info())) {
+    if (jsObject->inherits>(vm)) {
         jsCast*>(jsObject)->deletePrivateProperty(name);
         return true;
     }
-    if (jsObject->inherits(vm, JSCallbackObject::info())) {
+    if (jsObject->inherits>(vm)) {
         jsCast*>(jsObject)->deletePrivateProperty(name);
         return true;
     }
 #if JSC_OBJC_API_ENABLED
-    if (jsObject->inherits(vm, JSCallbackObject::info())) {
+    if (jsObject->inherits>(vm)) {
         jsCast*>(jsObject)->deletePrivateProperty(name);
         return true;
     }
@@ -539,16 +698,20 @@ bool JSObjectIsFunction(JSContextRef ctx, JSObjectRef object)
 {
     if (!object)
         return false;
-    JSLockHolder locker(toJS(ctx));
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
     CallData callData;
     JSCell* cell = toJS(object);
-    return cell->methodTable()->getCallData(cell, callData) != CallType::None;
+    return cell->methodTable(vm)->getCallData(cell, callData) != CallType::None;
 }
 
 JSValueRef JSObjectCallAsFunction(JSContextRef ctx, JSObjectRef object, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
 {
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     if (!object)
         return 0;
@@ -562,31 +725,40 @@ JSValueRef JSObjectCallAsFunction(JSContextRef ctx, JSObjectRef object, JSObject
     MarkedArgumentBuffer argList;
     for (size_t i = 0; i < argumentCount; i++)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     CallData callData;
-    CallType callType = jsObject->methodTable()->getCallData(jsObject, callData);
+    CallType callType = jsObject->methodTable(vm)->getCallData(jsObject, callData);
     if (callType == CallType::None)
         return 0;
 
     JSValueRef result = toRef(exec, profiledCall(exec, ProfilingReason::API, jsObject, callType, callData, jsThisObject, argList));
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         result = 0;
     return result;
 }
 
-bool JSObjectIsConstructor(JSContextRef, JSObjectRef object)
+bool JSObjectIsConstructor(JSContextRef ctx, JSObjectRef object)
 {
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
     if (!object)
         return false;
-    JSObject* jsObject = toJS(object);
-    ConstructData constructData;
-    return jsObject->methodTable()->getConstructData(jsObject, constructData) != ConstructType::None;
+    return toJS(object)->isConstructor(vm);
 }
 
 JSObjectRef JSObjectCallAsConstructor(JSContextRef ctx, JSObjectRef object, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
 {
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     if (!object)
         return 0;
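Review bot: JSObjectIsConstructor now dereferences `ctx` (`toJS(ctx)` then `exec->vm()`) before its `if (!object)` check, whereas the old signature left the context parameter unnamed and never touched it, so an existing caller that passed NULL there used to get `false` and will now crash. Moving `if (!object) return false;` ahead of the lock costs nothing, and a null-context guard matching the file's other entry points, `if (!ctx) { ASSERT_NOT_REACHED(); return false; }`, would make the new requirement explicit. The `hasOverflowed()` block added to JSObjectCallAsFunction in this hunk repeats the one already discussed at JSObjectMakeFunction; JSObjectCallAsConstructor continues past the hunk's end.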
@@ -594,16 +766,22 @@ JSObjectRef JSObjectCallAsConstructor(JSContextRef ctx, JSObjectRef object, size
     JSObject* jsObject = toJS(object);
 
     ConstructData constructData;
-    ConstructType constructType = jsObject->methodTable()->getConstructData(jsObject, constructData);
+    ConstructType constructType = jsObject->methodTable(vm)->getConstructData(jsObject, constructData);
     if (constructType == ConstructType::None)
         return 0;
 
     MarkedArgumentBuffer argList;
     for (size_t i = 0; i < argumentCount; i++)
         argList.append(toJS(exec, arguments[i]));
+    if (UNLIKELY(argList.hasOverflowed())) {
+        auto throwScope = DECLARE_THROW_SCOPE(vm);
+        throwOutOfMemoryError(exec, throwScope);
+        handleExceptionIfNeeded(scope, exec, exception);
+        return 0;
+    }
 
     JSObjectRef result = toRef(profiledConstruct(exec, ProfilingReason::API, jsObject, constructType, constructData, argList));
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         result = 0;
     return result;
 }
@@ -611,6 +789,7 @@ JSObjectRef JSObjectCallAsConstructor(JSContextRef ctx, JSObjectRef object, size
 struct OpaqueJSPropertyNameArray {
     WTF_MAKE_FAST_ALLOCATED;
 public:
+    // FIXME: Why not inherit from RefCounted?
     OpaqueJSPropertyNameArray(VM* vm)
         : refCount(0)
         , vm(vm)
@@ -619,7 +798,7 @@ public:
     
     unsigned refCount;
     VM* vm;
-    Vector> array;
+    Vector> array;
 };
 
 JSPropertyNameArrayRef JSObjectCopyPropertyNames(JSContextRef ctx, JSObjectRef object)
@@ -635,14 +814,14 @@ JSPropertyNameArrayRef JSObjectCopyPropertyNames(JSContextRef ctx, JSObjectRef o
 
     JSObject* jsObject = toJS(object);
     JSPropertyNameArrayRef propertyNames = new OpaqueJSPropertyNameArray(vm);
-    PropertyNameArray array(vm, PropertyNameMode::Strings);
-    jsObject->methodTable()->getPropertyNames(jsObject, exec, array, EnumerationMode());
+    PropertyNameArray array(vm, PropertyNameMode::Strings, PrivateSymbolMode::Exclude);
+    jsObject->methodTable(*vm)->getPropertyNames(jsObject, exec, array, EnumerationMode());
 
     size_t size = array.size();
     propertyNames->array.reserveInitialCapacity(size);
     for (size_t i = 0; i < size; ++i)
-        propertyNames->array.uncheckedAppend(JSRetainPtr(Adopt, OpaqueJSString::create(array[i].string()).leakRef()));
-    
+        propertyNames->array.uncheckedAppend(OpaqueJSString::tryCreate(array[i].string()).releaseNonNull());
+
     return JSPropertyNameArrayRetain(propertyNames);
 }
 
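Review bot: `OpaqueJSString::tryCreate(array[i].string()).releaseNonNull()` turns a failed tryCreate into a crash; if tryCreate only returns null for a null String, which a name coming out of PropertyNameArray presumably never is (confirm), say so on that line: `// tryCreate() only fails for a null String, which a property name never is.`. Otherwise the loop needs to skip or bail on a null result rather than call releaseNonNull. JSObjectCopyPropertyNames begins before this hunk.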
@@ -667,14 +846,15 @@ size_t JSPropertyNameArrayGetCount(JSPropertyNameArrayRef array)
 
 JSStringRef JSPropertyNameArrayGetNameAtIndex(JSPropertyNameArrayRef array, size_t index)
 {
-    return array->array[static_cast(index)].get();
+    return array->array[static_cast(index)].ptr();
 }
 
 void JSPropertyNameAccumulatorAddName(JSPropertyNameAccumulatorRef array, JSStringRef propertyName)
 {
     PropertyNameArray* propertyNames = toJS(array);
-    JSLockHolder locker(propertyNames->vm());
-    propertyNames->add(propertyName->identifier(propertyNames->vm()));
+    VM* vm = propertyNames->vm();
+    JSLockHolder locker(vm);
+    propertyNames->add(propertyName->identifier(vm));
 }
 
 JSObjectRef JSObjectGetProxyTarget(JSObjectRef objectRef)
@@ -691,3 +871,12 @@ JSObjectRef JSObjectGetProxyTarget(JSObjectRef objectRef)
         result = proxy->target();
     return toRef(result);
 }
+
+JSGlobalContextRef JSObjectGetGlobalContext(JSObjectRef objectRef)
+{
+    JSObject* object = toJS(objectRef);
+    if (!object)
+        return nullptr;
+    return reinterpret_cast(object->globalObject()->globalExec());
+}
+
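Review bot: The new JSObjectGetGlobalContext is the only entry point in this file that reads from a cell (`object->globalObject()->globalExec()`) without holding the JSLock, which the rest of this commit takes care to acquire through `JSLockHolder locker(vm)`; if that read is safe without the lock, a comment should say why, otherwise take `JSLockHolder locker(*object->vm());` first. Whether the caller owns a reference to the returned JSGlobalContextRef is not stated here and should be in the header's doc comment. The `+` blank line added after the closing brace is a stray trailing line at end of file.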
diff --git a/API/JSObjectRef.h b/API/JSObjectRef.h
index 95d53b7..b0dbd78 100644
--- a/API/JSObjectRef.h
+++ b/API/JSObjectRef.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Kelvin W Sherlock (ksherlock@gmail.com)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -441,7 +441,7 @@ JS_EXPORT JSObjectRef JSObjectMakeConstructor(JSContextRef ctx, JSClassRef jsCla
  @discussion The behavior of this function does not exactly match the behavior of the built-in Array constructor. Specifically, if one argument 
  is supplied, this function returns an array with one element.
  */
-JS_EXPORT JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) CF_AVAILABLE(10_6, 7_0);
+JS_EXPORT JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) JSC_API_AVAILABLE(macos(10.6), ios(7.0));
 
 /*!
  @function
@@ -452,7 +452,7 @@ JS_EXPORT JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount,
  @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result A JSObject that is a Date.
  */
-JS_EXPORT JSObjectRef JSObjectMakeDate(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) CF_AVAILABLE(10_6, 7_0);
+JS_EXPORT JSObjectRef JSObjectMakeDate(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) JSC_API_AVAILABLE(macos(10.6), ios(7.0));
 
 /*!
  @function
@@ -463,7 +463,7 @@ JS_EXPORT JSObjectRef JSObjectMakeDate(JSContextRef ctx, size_t argumentCount, c
  @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result A JSObject that is a Error.
  */
-JS_EXPORT JSObjectRef JSObjectMakeError(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) CF_AVAILABLE(10_6, 7_0);
+JS_EXPORT JSObjectRef JSObjectMakeError(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) JSC_API_AVAILABLE(macos(10.6), ios(7.0));
 
 /*!
  @function
@@ -474,7 +474,18 @@ JS_EXPORT JSObjectRef JSObjectMakeError(JSContextRef ctx, size_t argumentCount,
  @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result A JSObject that is a RegExp.
  */
-JS_EXPORT JSObjectRef JSObjectMakeRegExp(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) CF_AVAILABLE(10_6, 7_0);
+JS_EXPORT JSObjectRef JSObjectMakeRegExp(JSContextRef ctx, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) JSC_API_AVAILABLE(macos(10.6), ios(7.0));
+
+/*!
+ @function
+ @abstract Creates a JavaScript promise object by invoking the provided executor.
+ @param ctx The execution context to use.
+ @param resolve A pointer to a JSObjectRef in which to store the resolve function for the new promise. Pass NULL if you do not care to store the resolve callback.
+ @param reject A pointer to a JSObjectRef in which to store the reject function for the new promise. Pass NULL if you do not care to store the reject callback.
+ @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
+ @result A JSObject that is a promise or NULL if an exception occurred.
+ */
+JS_EXPORT JSObjectRef JSObjectMakeDeferredPromise(JSContextRef ctx, JSObjectRef* resolve, JSObjectRef* reject, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.15), ios(13.0));
 
 /*!
 @function
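Review bot: The new JSObjectMakeDeferredPromise declaration does not say what happens to `*resolve` and `*reject` when the call fails and returns NULL, which a caller that passed uninitialised out-parameters needs to know before touching them. The implementation is not in this hunk, so I cannot tell which it is; whichever holds, add a line to the @discussion such as `When the result is NULL, *resolve and *reject are left unmodified.` (or `are set to NULL`). It would also help to remind readers that, as with any JSObjectRef handed out by this API, the resolve and reject functions are garbage-collected and presumably need JSValueProtect if kept beyond the current callback.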
@@ -536,9 +547,9 @@ JS_EXPORT JSValueRef JSObjectGetProperty(JSContextRef ctx, JSObjectRef object, J
 @param ctx The execution context to use.
 @param object The JSObject whose property you want to set.
 @param propertyName A JSString containing the property's name.
-@param value A JSValue to use as the property's value.
-@param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
+@param value A JSValueRef to use as the property's value.
 @param attributes A logically ORed set of JSPropertyAttributes to give to the property.
+@param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
 */
 JS_EXPORT void JSObjectSetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef value, JSPropertyAttributes attributes, JSValueRef* exception);
 
@@ -553,6 +564,54 @@ JS_EXPORT void JSObjectSetProperty(JSContextRef ctx, JSObjectRef object, JSStrin
 */
 JS_EXPORT bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception);
 
+/*!
+ @function
+ @abstract Tests whether an object has a given property using a JSValueRef as the property key.
+ @param object The JSObject to test.
+ @param propertyKey A JSValueRef containing the property key to use when looking up the property.
+ @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
+ @result true if the object has a property whose name matches propertyKey, otherwise false.
+ @discussion This function is the same as performing "propertyKey in object" from JavaScript.
+ */
+JS_EXPORT bool JSObjectHasPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef propertyKey, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
+/*!
+ @function
+ @abstract Gets a property from an object using a JSValueRef as the property key.
+ @param ctx The execution context to use.
+ @param object The JSObject whose property you want to get.
+ @param propertyKey A JSValueRef containing the property key to use when looking up the property.
+ @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
+ @result The property's value if object has the property key, otherwise the undefined value.
+ @discussion This function is the same as performing "object[propertyKey]" from JavaScript.
+ */
+JS_EXPORT JSValueRef JSObjectGetPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef propertyKey, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
+/*!
+ @function
+ @abstract Sets a property on an object using a JSValueRef as the property key.
+ @param ctx The execution context to use.
+ @param object The JSObject whose property you want to set.
+ @param propertyKey A JSValueRef containing the property key to use when looking up the property.
+ @param value A JSValueRef to use as the property's value.
+ @param attributes A logically ORed set of JSPropertyAttributes to give to the property.
+ @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
+ @discussion This function is the same as performing "object[propertyKey] = value" from JavaScript.
+ */
+JS_EXPORT void JSObjectSetPropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef propertyKey, JSValueRef value, JSPropertyAttributes attributes, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
+/*!
+ @function
+ @abstract Deletes a property from an object using a JSValueRef as the property key.
+ @param ctx The execution context to use.
+ @param object The JSObject whose property you want to delete.
+ @param propertyKey A JSValueRef containing the property key to use when looking up the property.
+ @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
+ @result true if the delete operation succeeds, otherwise false (for example, if the property has the kJSPropertyAttributeDontDelete attribute set).
+ @discussion This function is the same as performing "delete object[propertyKey]" from JavaScript.
+ */
+JS_EXPORT bool JSObjectDeletePropertyForKey(JSContextRef ctx, JSObjectRef object, JSValueRef propertyKey, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
 /*!
 @function
 @abstract Gets a property from an object by numeric index.
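Review bot: JSObjectHasPropertyForKey's doc comment at the top of the added block omits the `@param ctx The execution context to use.` line that its three siblings carry; add it so the generated reference stays uniform. Because each discussion equates the call with `in`, `object[propertyKey]` and `delete`, the key goes through ToPropertyKey, which for an object-valued key can run script (`Symbol.toPrimitive`, `toString`, `valueOf`) and throw, so the comments should say so, e.g. `@discussion ... Converting propertyKey to a property key may run script and can throw; any exception is reported through the exception out-parameter.` I am inferring this from the documented JavaScript equivalence rather than from the implementation, which is not in this hunk.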
diff --git a/API/JSObjectRefPrivate.h b/API/JSObjectRefPrivate.h
index e2bdad6..6e32612 100644
--- a/API/JSObjectRefPrivate.h
+++ b/API/JSObjectRefPrivate.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -69,6 +69,8 @@ JS_EXPORT bool JSObjectDeletePrivateProperty(JSContextRef ctx, JSObjectRef objec
 
 JS_EXPORT JSObjectRef JSObjectGetProxyTarget(JSObjectRef);
 
+JS_EXPORT JSGlobalContextRef JSObjectGetGlobalContext(JSObjectRef object);
+
 #ifdef __cplusplus
 }
 #endif
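Review bot: The new JSObjectGetGlobalContext export is added to the private header with no comment, unlike the rest of this API. From the implementation earlier in this diff (`toJS(objectRef)`, then `object->globalObject()->globalExec()` cast to JSGlobalContextRef, NULL for a NULL object) a comment such as `/* Returns the global context the object belongs to, or NULL if object is NULL. The result is not retained; call JSGlobalContextRetain to keep it. */` describes what the code does. The non-retained part is my reading of a bare cast with no retain call in view; please confirm it against JSContextGetGlobalContext's contract before documenting it.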
diff --git a/API/JSRemoteInspector.cpp b/API/JSRemoteInspector.cpp
index 3be61d0..9672ef0 100644
--- a/API/JSRemoteInspector.cpp
+++ b/API/JSRemoteInspector.cpp
@@ -27,6 +27,7 @@
 #include "JSRemoteInspector.h"
 
 #include "JSGlobalObjectConsoleClient.h"
+#include 
 
 #if ENABLE(REMOTE_INSPECTOR)
 #include "RemoteInspector.h"
@@ -50,7 +51,7 @@ void JSRemoteInspectorStart(void)
 #endif
 }
 
-void JSRemoteInspectorSetParentProcessInformation(pid_t pid, const uint8_t* auditData, size_t auditLength)
+void JSRemoteInspectorSetParentProcessInformation(ProcessID pid, const uint8_t* auditData, size_t auditLength)
 {
 #if ENABLE(REMOTE_INSPECTOR) && PLATFORM(COCOA)
     RetainPtr auditDataRef = adoptCF(CFDataCreate(kCFAllocatorDefault, auditData, auditLength));
diff --git a/API/JSRemoteInspector.h b/API/JSRemoteInspector.h
index 4f86510..85768e4 100644
--- a/API/JSRemoteInspector.h
+++ b/API/JSRemoteInspector.h
@@ -29,20 +29,25 @@
 #include 
 #include 
 
+#if defined(WIN32) || defined(_WIN32)
+typedef int JSProcessID;
+#else
 #include 
+typedef pid_t JSProcessID;
+#endif
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-JS_EXPORT void JSRemoteInspectorDisableAutoStart(void) CF_AVAILABLE(10_11, 9_0);
-JS_EXPORT void JSRemoteInspectorStart(void) CF_AVAILABLE(10_11, 9_0);
-JS_EXPORT void JSRemoteInspectorSetParentProcessInformation(pid_t, const uint8_t* auditData, size_t auditLength) CF_AVAILABLE(10_11, 9_0);
+JS_EXPORT void JSRemoteInspectorDisableAutoStart(void) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
+JS_EXPORT void JSRemoteInspectorStart(void) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
+JS_EXPORT void JSRemoteInspectorSetParentProcessInformation(JSProcessID, const uint8_t* auditData, size_t auditLength) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
 
-JS_EXPORT void JSRemoteInspectorSetLogToSystemConsole(bool) CF_AVAILABLE(10_11, 9_0);
+JS_EXPORT void JSRemoteInspectorSetLogToSystemConsole(bool) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
 
-JS_EXPORT bool JSRemoteInspectorGetInspectionEnabledByDefault(void) CF_AVAILABLE(10_11, 9_0);
-JS_EXPORT void JSRemoteInspectorSetInspectionEnabledByDefault(bool) CF_AVAILABLE(10_11, 9_0);
+JS_EXPORT bool JSRemoteInspectorGetInspectionEnabledByDefault(void) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
+JS_EXPORT void JSRemoteInspectorSetInspectionEnabledByDefault(bool) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
 
 #ifdef __cplusplus
 }
diff --git a/API/JSRetainPtr.h b/API/JSRetainPtr.h
index e400840..fd8412f 100644
--- a/API/JSRetainPtr.h
+++ b/API/JSRetainPtr.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2006, 2007, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,8 +26,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#ifndef JSRetainPtr_h
-#define JSRetainPtr_h
+#pragma once
 
 #include 
 #include 
@@ -42,17 +41,16 @@ enum AdoptTag { Adopt };
 
 template class JSRetainPtr {
 public:
-    JSRetainPtr() : m_ptr(0) { }
+    JSRetainPtr() = default;
     JSRetainPtr(T ptr) : m_ptr(ptr) { if (ptr) JSRetain(ptr); }
-    JSRetainPtr(AdoptTag, T ptr) : m_ptr(ptr) { }
     JSRetainPtr(const JSRetainPtr&);
-    template JSRetainPtr(const JSRetainPtr&);
+    JSRetainPtr(JSRetainPtr&&);
     ~JSRetainPtr();
     
     T get() const { return m_ptr; }
     
     void clear();
-    T leakRef();
+    T leakRef() WARN_UNUSED_RETURN;
 
     T operator->() const { return m_ptr; }
     
@@ -60,18 +58,30 @@ public:
     explicit operator bool() const { return m_ptr; }
 
     JSRetainPtr& operator=(const JSRetainPtr&);
-    template JSRetainPtr& operator=(const JSRetainPtr&);
+    JSRetainPtr& operator=(JSRetainPtr&&);
     JSRetainPtr& operator=(T);
-    template JSRetainPtr& operator=(U*);
 
-    void adopt(T);
-    
     void swap(JSRetainPtr&);
 
+    friend JSRetainPtr adopt(JSStringRef);
+    friend JSRetainPtr adopt(JSGlobalContextRef);
+
+    // FIXME: Make this private once Apple's internal code is updated to not rely on it.
+    // https://bugs.webkit.org/show_bug.cgi?id=189644
+    JSRetainPtr(AdoptTag, T);
+
 private:
-    T m_ptr;
+    T m_ptr { nullptr };
 };
 
+JSRetainPtr adopt(JSStringRef);
+JSRetainPtr adopt(JSGlobalContextRef);
+
+template inline JSRetainPtr::JSRetainPtr(AdoptTag, T ptr)
+    : m_ptr(ptr)
+{
+}
+
 inline JSRetainPtr adopt(JSStringRef o)
 {
     return JSRetainPtr(Adopt, o);
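Review bot: The free `adopt(JSStringRef)` / `adopt(JSGlobalContextRef)` overloads that replace the removed `adopt(T)` member carry no comment explaining the ownership transfer, which is the one thing a caller must get right. Since the Adopt-tag constructor stores the pointer without calling JSRetain, a comment such as `// Takes ownership of an already-retained (+1) reference; the caller must not JSRelease it.` above the declarations would head off the double release that a reader who confuses adopt with the retaining constructor would write. The move assignment declared in this hunk has the same missing `noexcept` as the move constructor.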
@@ -89,11 +99,9 @@ template inline JSRetainPtr::JSRetainPtr(const JSRetainPtr& o)
         JSRetain(m_ptr);
 }
 
-template template inline JSRetainPtr::JSRetainPtr(const JSRetainPtr& o)
-    : m_ptr(o.get())
+template inline JSRetainPtr::JSRetainPtr(JSRetainPtr&& o)
+    : m_ptr(o.leakRef())
 {
-    if (m_ptr)
-        JSRetain(m_ptr);
 }
 
 template inline JSRetainPtr::~JSRetainPtr()
@@ -104,39 +112,23 @@ template inline JSRetainPtr::~JSRetainPtr()
 
 template inline void JSRetainPtr::clear()
 {
-    if (T ptr = m_ptr) {
-        m_ptr = 0;
+    if (T ptr = leakRef())
         JSRelease(ptr);
-    }
 }
 
 template inline T JSRetainPtr::leakRef()
 {
-    T ptr = m_ptr;
-    m_ptr = 0;
-    return ptr;
+    return std::exchange(m_ptr, nullptr);
 }
 
 template inline JSRetainPtr& JSRetainPtr::operator=(const JSRetainPtr& o)
 {
-    T optr = o.get();
-    if (optr)
-        JSRetain(optr);
-    T ptr = m_ptr;
-    m_ptr = optr;
-    if (ptr)
-        JSRelease(ptr);
-    return *this;
+    return operator=(o.get());
 }
 
-template template inline JSRetainPtr& JSRetainPtr::operator=(const JSRetainPtr& o)
+template inline JSRetainPtr& JSRetainPtr::operator=(JSRetainPtr&& o)
 {
-    T optr = o.get();
-    if (optr)
-        JSRetain(optr);
-    T ptr = m_ptr;
-    m_ptr = optr;
-    if (ptr)
+    if (T ptr = std::exchange(m_ptr, o.leakRef()))
         JSRelease(ptr);
     return *this;
 }
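Review bot: The move assignment relies on a subtle ordering to be self-move safe — `o.leakRef()` is evaluated as an argument before `std::exchange` reads `m_ptr`, so assigning an object to itself nulls and then restores the same pointer and releases nothing — and that deserves a comment so a future reformulation does not break it, e.g. `// o.leakRef() runs before exchange reads m_ptr, so self-move keeps the pointer and releases nothing.` This hunk also introduces `std::exchange`, which needs `<utility>`; the include names at the top of this header are not legible in this view, so please confirm it is included directly rather than reached transitively. Copy assignment delegating to `operator=(T)` retains the incoming pointer before releasing the old one, which keeps self-assignment correct.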
@@ -145,28 +137,7 @@ template inline JSRetainPtr& JSRetainPtr::operator=(T optr)
 {
     if (optr)
         JSRetain(optr);
-    T ptr = m_ptr;
-    m_ptr = optr;
-    if (ptr)
-        JSRelease(ptr);
-    return *this;
-}
-
-template inline void JSRetainPtr::adopt(T optr)
-{
-    T ptr = m_ptr;
-    m_ptr = optr;
-    if (ptr)
-        JSRelease(ptr);
-}
-
-template template inline JSRetainPtr& JSRetainPtr::operator=(U* optr)
-{
-    if (optr)
-        JSRetain(optr);
-    T ptr = m_ptr;
-    m_ptr = optr;
-    if (ptr)
+    if (T ptr = std::exchange(m_ptr, optr))
         JSRelease(ptr);
     return *this;
 }
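Review bot: Dropping the public `adopt(T)` member and the `operator=(U*)` converting assignment from a header that ships in the SDK is a source-incompatible change for any client that used them, and the hunk gives no migration hint; the FIXME left on the Adopt-tag constructor shows the same concern was weighed for that constructor. If the removal is intentional, a note in the commit message pointing callers at the free `adopt()` functions would help external users. The rewritten `operator=(T)` retains `optr` before exchanging and releasing, which is the correct order for self-assignment.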
@@ -210,6 +181,3 @@ template inline bool operator!=(T* a, const JSRetainPtr<
 { 
     return a != b.get(); 
 }
-
-
-#endif // JSRetainPtr_h
diff --git a/API/JSScript.h b/API/JSScript.h
new file mode 100644
index 0000000..12ccb05
--- /dev/null
+++ b/API/JSScript.h
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import 
+
+#if JSC_OBJC_API_ENABLED
+
+NS_ASSUME_NONNULL_BEGIN
+
+@class JSVirtualMachine;
+
+/*!
+ @enum JSScriptType
+ @abstract     A constant identifying the execution type of a JSScript.
+ @constant     kJSScriptTypeProgram  The type of a normal JavaScript program.
+ @constant     kJSScriptTypeModule   The type of a module JavaScript program.
+ */
+typedef NS_ENUM(NSInteger, JSScriptType) {
+    kJSScriptTypeProgram,
+    kJSScriptTypeModule,
+};
+
+
+JSC_CLASS_AVAILABLE(macos(10.15), ios(13.0))
+@interface JSScript : NSObject
+
+/*!
+ @method
+ @abstract Create a JSScript for the specified virtual machine.
+ @param type The type of JavaScript source.
+ @param source The source code to use when the script is evaluated by the JS vm.
+ @param sourceURL The source URL to associate with this script. For modules, this is the module identifier.
+ @param cachePath A URL containing the path where the VM should cache for future execution. On creation, we use this path to load the cached bytecode off disk. If the cached bytecode at this location is stale, you should delete that file before calling this constructor.
+ @param vm The JSVirtualMachine the script can be evaluated in.
+ @param error A description of why the script could not be created if the result is nil.
+ @result The new script.
+ @discussion The file at cachePath should not be externally modified for the lifecycle of vm.
+ */
++ (nullable instancetype)scriptOfType:(JSScriptType)type withSource:(NSString *)source andSourceURL:(NSURL *)sourceURL andBytecodeCache:(nullable NSURL *)cachePath inVirtualMachine:(JSVirtualMachine *)vm error:(out NSError * _Nullable * _Nullable)error;
+
+/*!
+ @method
+ @abstract Create a JSScript for the specified virtual machine with a path to a codesigning and bytecode caching.
+ @param type The type of JavaScript source.
+ @param filePath A URL containing the path to a JS source code file on disk.
+ @param sourceURL The source URL to associate with this script. For modules, this is the module identifier.
+ @param cachePath A URL containing the path where the VM should cache for future execution. On creation, we use this path to load the cached bytecode off disk. If the cached bytecode at this location is stale, you should delete that file before calling this constructor.
+ @param vm The JSVirtualMachine the script can be evaluated in.
+ @param error A description of why the script could not be created if the result is nil.
+ @result The new script.
+ @discussion The files at filePath and cachePath should not be externally modified for the lifecycle of vm. This method will file back the memory for the source.
+
+ If the file at filePath is not ascii this method will return nil.
+ */
++ (nullable instancetype)scriptOfType:(JSScriptType)type memoryMappedFromASCIIFile:(NSURL *)filePath withSourceURL:(NSURL *)sourceURL andBytecodeCache:(nullable NSURL *)cachePath inVirtualMachine:(JSVirtualMachine *)vm error:(out NSError * _Nullable * _Nullable)error;
+
+/*!
+ @method
+ @abstract Cache the bytecode for this JSScript to disk at the path passed in during creation.
+ @param error A description of why the script could not be cached if the result is FALSE.
+ */
+- (BOOL)cacheBytecodeWithError:(out NSError * _Nullable * _Nullable)error;
+
+/*!
+ @method
+ @abstract Returns true when evaluating this JSScript will use the bytecode cache. Returns false otherwise.
+ */
+- (BOOL)isUsingBytecodeCache;
+
+/*!
+ @method
+ @abstract Returns the JSScriptType of this JSScript.
+ */
+- (JSScriptType)type;
+
+/*!
+ @method
+ @abstract Returns the sourceURL of this JSScript.
+ */
+- (NSURL *)sourceURL;
+
+@end
+
+NS_ASSUME_NONNULL_END
+
+#endif // JSC_OBJC_API_ENABLED
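Review bot: The cachePath documentation says only that the file should not be externally modified, not why: from the implementation later in this diff the VM mmaps the cache and hands it to the bytecode loader, with the only path hardening (`rootless_check_datavault_flag`) compiled under the internal SDK, so a cache file writable by another principal is effectively executable code. State the trust assumption explicitly, e.g. `@discussion Bytecode read from cachePath is trusted by the VM; the file and its directory must be writable only by this application (for example, inside the app container).` Two wording nits in the second method's comment: `with a path to a codesigning and bytecode caching` and `This method will file back the memory for the source` read as garbled — presumably `with a path to a source file and an optional bytecode cache` and `The source is memory-mapped (file-backed) from filePath rather than copied`. Whether isCachedBytecodeStillValid does any integrity check beyond the cache key is not visible here, so confirm the trust statement with whoever owns the loader.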
diff --git a/API/JSScript.mm b/API/JSScript.mm
new file mode 100644
index 0000000..ce62a38
--- /dev/null
+++ b/API/JSScript.mm
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import "config.h"
+#import "JSScriptInternal.h"
+
+#import "APICast.h"
+#import "BytecodeCacheError.h"
+#import "CachedTypes.h"
+#import "CodeCache.h"
+#import "Identifier.h"
+#import "JSContextInternal.h"
+#import "JSScriptSourceProvider.h"
+#import "JSSourceCode.h"
+#import "JSValuePrivate.h"
+#import "JSVirtualMachineInternal.h"
+#import "Symbol.h"
+#import 
+#import 
+#import 
+#import 
+#import 
+#import 
+
+#if JSC_OBJC_API_ENABLED
+
+@implementation JSScript {
+    WeakObjCPtr m_virtualMachine;
+    JSScriptType m_type;
+    FileSystem::MappedFileData m_mappedSource;
+    String m_source;
+    RetainPtr m_sourceURL;
+    RetainPtr m_cachePath;
+    RefPtr m_cachedBytecode;
+}
+
+static JSScript *createError(NSString *message, NSError** error)
+{
+    if (error)
+        *error = [NSError errorWithDomain:@"JSScriptErrorDomain" code:1 userInfo:@{ @"message": message }];
+    return nil;
+}
+
+static bool validateBytecodeCachePath(NSURL* cachePath, NSError** error)
+{
+    if (!cachePath)
+        return true;
+
+    URL cachePathURL([cachePath absoluteURL]);
+    if (!cachePathURL.isLocalFile()) {
+        createError([NSString stringWithFormat:@"Cache path `%@` is not a local file", static_cast(cachePathURL)], error);
+        return false;
+    }
+
+    String systemPath = cachePathURL.fileSystemPath();
+
+    if (auto metadata = FileSystem::fileMetadata(systemPath)) {
+        if (metadata->type != FileMetadata::Type::File) {
+            createError([NSString stringWithFormat:@"Cache path `%@` already exists and is not a file", static_cast(systemPath)], error);
+            return false;
+        }
+    }
+
+    String directory = FileSystem::directoryName(systemPath);
+    if (directory.isNull()) {
+        createError([NSString stringWithFormat:@"Cache path `%@` does not contain in a valid directory", static_cast(systemPath)], error);
+        return false;
+    }
+
+    if (!FileSystem::fileIsDirectory(directory, FileSystem::ShouldFollowSymbolicLinks::No)) {
+        createError([NSString stringWithFormat:@"Cache directory `%@` is not a directory or does not exist", static_cast(directory)], error);
+        return false;
+    }
+
+#if USE(APPLE_INTERNAL_SDK)
+    if (rootless_check_datavault_flag(FileSystem::fileSystemRepresentation(directory).data(), nullptr)) {
+        createError([NSString stringWithFormat:@"Cache directory `%@` is not a data vault", static_cast(directory)], error);
+        return false;
+    }
+#endif
+
+    return true;
+}
+
++ (instancetype)scriptOfType:(JSScriptType)type withSource:(NSString *)source andSourceURL:(NSURL *)sourceURL andBytecodeCache:(NSURL *)cachePath inVirtualMachine:(JSVirtualMachine *)vm error:(out NSError **)error
+{
+    if (!validateBytecodeCachePath(cachePath, error))
+        return nil;
+
+    JSScript *result = [[[JSScript alloc] init] autorelease];
+    result->m_virtualMachine = vm;
+    result->m_type = type;
+    result->m_source = source;
+    result->m_sourceURL = sourceURL;
+    result->m_cachePath = cachePath;
+    [result readCache];
+    return result;
+}
+
++ (instancetype)scriptOfType:(JSScriptType)type memoryMappedFromASCIIFile:(NSURL *)filePath withSourceURL:(NSURL *)sourceURL andBytecodeCache:(NSURL *)cachePath inVirtualMachine:(JSVirtualMachine *)vm error:(out NSError **)error
+{
+    if (!validateBytecodeCachePath(cachePath, error))
+        return nil;
+
+    URL filePathURL([filePath absoluteURL]);
+    if (!filePathURL.isLocalFile())
+        return createError([NSString stringWithFormat:@"File path %@ is not a local file", static_cast(filePathURL)], error);
+
+    bool success = false;
+    String systemPath = filePathURL.fileSystemPath();
+    FileSystem::MappedFileData fileData(systemPath, success);
+    if (!success)
+        return createError([NSString stringWithFormat:@"File at path %@ could not be mapped.", static_cast(systemPath)], error);
+
+    if (!charactersAreAllASCII(reinterpret_cast(fileData.data()), fileData.size()))
+        return createError([NSString stringWithFormat:@"Not all characters in file at %@ are ASCII.", static_cast(systemPath)], error);
+
+    JSScript *result = [[[JSScript alloc] init] autorelease];
+    result->m_virtualMachine = vm;
+    result->m_type = type;
+    result->m_source = String(StringImpl::createWithoutCopying(bitwise_cast(fileData.data()), fileData.size()));
+    result->m_mappedSource = WTFMove(fileData);
+    result->m_sourceURL = sourceURL;
+    result->m_cachePath = cachePath;
+    [result readCache];
+    return result;
+}
+
+- (void)readCache
+{
+    if (!m_cachePath)
+        return;
+
+    int fd = open([m_cachePath path].UTF8String, O_RDONLY | O_EXLOCK | O_NONBLOCK, 0666);
+    if (fd == -1)
+        return;
+    auto closeFD = makeScopeExit([&] {
+        close(fd);
+    });
+
+    struct stat sb;
+    int res = fstat(fd, &sb);
+    size_t size = static_cast(sb.st_size);
+    if (res || !size)
+        return;
+
+    void* buffer = mmap(nullptr, size, PROT_READ, MAP_PRIVATE, fd, 0);
+
+    Ref cachedBytecode = JSC::CachedBytecode::create(buffer, size);
+
+    JSC::VM& vm = [m_virtualMachine vm];
+    JSC::SourceCode sourceCode = [self sourceCode];
+    JSC::SourceCodeKey key = m_type == kJSScriptTypeProgram ? sourceCodeKeyForSerializedProgram(vm, sourceCode) : sourceCodeKeyForSerializedModule(vm, sourceCode);
+    if (isCachedBytecodeStillValid(vm, cachedBytecode.copyRef(), key, m_type == kJSScriptTypeProgram ? JSC::SourceCodeType::ProgramType : JSC::SourceCodeType::ModuleType))
+        m_cachedBytecode = WTFMove(cachedBytecode);
+    else
+        ftruncate(fd, 0);
+}
+
+- (BOOL)cacheBytecodeWithError:(NSError **)error
+{
+    String errorString { };
+    [self writeCache:errorString];
+    if (!errorString.isNull()) {
+        createError(errorString, error);
+        return NO;
+    }
+
+    return YES;
+}
+
+- (BOOL)isUsingBytecodeCache
+{
+    return !!m_cachedBytecode->size();
+}
+
+- (NSURL *)sourceURL
+{
+    return m_sourceURL.get();
+}
+
+- (JSScriptType)type
+{
+    return m_type;
+}
+
+@end
+
+@implementation JSScript(Internal)
+
+- (instancetype)init
+{
+    self = [super init];
+    if (!self)
+        return nil;
+
+    self->m_cachedBytecode = JSC::CachedBytecode::create();
+
+    return self;
+}
+
+- (unsigned)hash
+{
+    return m_source.hash();
+}
+
+- (const String&)source
+{
+    return m_source;
+}
+
+- (RefPtr)cachedBytecode
+{
+    return m_cachedBytecode;
+}
+
+- (JSC::SourceCode)sourceCode
+{
+    JSC::VM& vm = [m_virtualMachine vm];
+    JSC::JSLockHolder locker(vm);
+
+    TextPosition startPosition { };
+    String url = String { [[self sourceURL] absoluteString] };
+    auto type = m_type == kJSScriptTypeModule ? JSC::SourceProviderSourceType::Module : JSC::SourceProviderSourceType::Program;
+    Ref sourceProvider = JSScriptSourceProvider::create(self, JSC::SourceOrigin(url), URL({ }, url), startPosition, type);
+    JSC::SourceCode sourceCode(WTFMove(sourceProvider), startPosition.m_line.oneBasedInt(), startPosition.m_column.oneBasedInt());
+    return sourceCode;
+}
+
+- (JSC::JSSourceCode*)jsSourceCode
+{
+    JSC::VM& vm = [m_virtualMachine vm];
+    JSC::JSLockHolder locker(vm);
+    JSC::JSSourceCode* jsSourceCode = JSC::JSSourceCode::create(vm, [self sourceCode]);
+    return jsSourceCode;
+}
+
+- (BOOL)writeCache:(String&)error
+{
+    if (self.isUsingBytecodeCache) {
+        error = "Cache for JSScript is already non-empty. Can not override it."_s;
+        return NO;
+    }
+
+    if (!m_cachePath) {
+        error = "No cache path was provided during construction of this JSScript."_s;
+        return NO;
+    }
+
+    int fd = open([m_cachePath path].UTF8String, O_CREAT | O_RDWR | O_EXLOCK | O_NONBLOCK, 0666);
+    if (fd == -1) {
+        error = makeString("Could not open or lock the bytecode cache file. It's likely another VM or process is already using it. Error: ", strerror(errno));
+        return NO;
+    }
+    auto closeFD = makeScopeExit([&] {
+        close(fd);
+    });
+
+    JSC::BytecodeCacheError cacheError;
+    JSC::SourceCode sourceCode = [self sourceCode];
+    switch (m_type) {
+    case kJSScriptTypeModule:
+        m_cachedBytecode = JSC::generateModuleBytecode([m_virtualMachine vm], sourceCode, fd, cacheError);
+        break;
+    case kJSScriptTypeProgram:
+        m_cachedBytecode = JSC::generateProgramBytecode([m_virtualMachine vm], sourceCode, fd, cacheError);
+        break;
+    }
+
+    if (cacheError.isValid()) {
+        m_cachedBytecode = JSC::CachedBytecode::create();
+        ftruncate(fd, 0);
+        error = makeString("Unable to generate bytecode for this JSScript because: ", cacheError.message());
+        return NO;
+    }
+
+    return YES;
+}
+
+@end
+
+#endif
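Review bot: In `readCache` the `ftruncate(fd, 0)` on the stale path can never succeed because `fd` was opened `O_RDONLY` — ftruncate(2) requires a descriptor open for writing and fails with EBADF/EINVAL — so a stale cache is re-read and re-validated on every creation instead of being discarded, and the `mmap` result a few lines earlier is passed to `CachedBytecode::create` without a `MAP_FAILED` check. Both `open` calls also follow symlinks on the cache file itself (the directory is checked with `ShouldFollowSymbolicLinks::No`, the file is not), so a symlink planted at cachePath redirects the `O_CREAT | O_RDWR` write in `writeCache:` to another file; `O_NOFOLLOW` on both opens closes that, and the data-vault check only guards it under `USE(APPLE_INTERNAL_SDK)`. Whether the mapping is released when the bytecode is rejected depends on `CachedBytecode::create` taking ownership, which is not visible here; if it does not, the stale branch leaks the mapping. The rewrite below opens read-write so the truncate takes effect; if a read-only cache file must remain loadable, keep `O_RDONLY` and drop the truncate instead.
```objcpp
    int fd = open([m_cachePath path].UTF8String, O_RDWR | O_EXLOCK | O_NONBLOCK | O_NOFOLLOW, 0666);
    // … unchanged: fd check, scope-exit close, fstat and size check …
    void* buffer = mmap(nullptr, size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (buffer == MAP_FAILED)
        return;
    // … unchanged: CachedBytecode::create, cache key, validity check, ftruncate on the stale path …

    // writeCache: — same symlink hardening on the creating open
    int fd = open([m_cachePath path].UTF8String, O_CREAT | O_RDWR | O_EXLOCK | O_NONBLOCK | O_NOFOLLOW, 0666);
```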
diff --git a/API/JSScriptInternal.h b/API/JSScriptInternal.h
new file mode 100644
index 0000000..4a9427d
--- /dev/null
+++ b/API/JSScriptInternal.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#import "JSScript.h"
+#import "SourceCode.h"
+#import 
+
+#if JSC_OBJC_API_ENABLED
+
+NS_ASSUME_NONNULL_BEGIN
+
+namespace JSC {
+class CachedBytecode;
+class Identifier;
+class JSSourceCode;
+};
+
+namespace WTF {
+class String;
+};
+
+@interface JSScript(Internal)
+
+- (instancetype)init;
+- (unsigned)hash;
+- (const WTF::String&)source;
+- (RefPtr)cachedBytecode;
+- (JSC::JSSourceCode*)jsSourceCode;
+- (JSC::SourceCode)sourceCode;
+- (BOOL)writeCache:(String&)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
+
+#endif // JSC_OBJC_API_ENABLED
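Review bot: `- (BOOL)writeCache:(String&)error;` uses the unqualified name `String` while the sibling declaration three lines above spells it `WTF::String`, and this header only forward-declares `WTF::String` with no using-declaration in view, so the unqualified form compiles only if some included header happens to pull `String` into the global namespace. Write it as `- (BOOL)writeCache:(WTF::String&)error;` for consistency with `- (const WTF::String&)source;`. The stray `;` after the two `namespace { ... }` blocks are harmless but non-idiomatic.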
diff --git a/API/JSScriptRef.cpp b/API/JSScriptRef.cpp
index 791738b..253caa8 100644
--- a/API/JSScriptRef.cpp
+++ b/API/JSScriptRef.cpp
@@ -41,9 +41,9 @@ using namespace JSC;
 
 struct OpaqueJSScript : public SourceProvider {
 public:
-    static WTF::Ref create(VM& vm, const SourceOrigin& sourceOrigin, const String& url, int startingLineNumber, const String& source)
+    static WTF::Ref create(VM& vm, const SourceOrigin& sourceOrigin, URL&& url, int startingLineNumber, const String& source)
     {
-        return WTF::adoptRef(*new OpaqueJSScript(vm, sourceOrigin, url, startingLineNumber, source));
+        return WTF::adoptRef(*new OpaqueJSScript(vm, sourceOrigin, WTFMove(url), startingLineNumber, source));
     }
 
     unsigned hash() const override
@@ -59,8 +59,8 @@ public:
     VM& vm() const { return m_vm; }
 
 private:
-    OpaqueJSScript(VM& vm, const SourceOrigin& sourceOrigin, const String& url, int startingLineNumber, const String& source)
-        : SourceProvider(sourceOrigin, url, TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program)
+    OpaqueJSScript(VM& vm, const SourceOrigin& sourceOrigin, URL&& url, int startingLineNumber, const String& source)
+        : SourceProvider(sourceOrigin, WTFMove(url), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program)
         , m_vm(vm)
         , m_source(source.isNull() ? *StringImpl::empty() : *source.impl())
     {
@@ -94,12 +94,12 @@ JSScriptRef JSScriptCreateReferencingImmortalASCIIText(JSContextGroupRef context
     startingLineNumber = std::max(1, startingLineNumber);
 
     auto sourceURLString = url ? url->string() : String();
-    auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURLString }, sourceURLString, startingLineNumber, String(StringImpl::createFromLiteral(source, length)));
+    auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURLString }, URL({ }, sourceURLString), startingLineNumber, String(StringImpl::createFromLiteral(source, length)));
 
     ParserError error;
     if (!parseScript(vm, SourceCode(result.copyRef()), error)) {
         if (errorMessage)
-            *errorMessage = OpaqueJSString::create(error.message()).leakRef();
+            *errorMessage = OpaqueJSString::tryCreate(error.message()).leakRef();
         if (errorLine)
             *errorLine = error.line();
         return nullptr;
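Review bot: `URL({ }, sourceURLString)` now parses the caller-supplied url string into a URL before it reaches OpaqueJSScript::create, so a string that is not a valid absolute URL presumably ends up as an invalid or empty URL on the provider, where the previous code stored the raw string; since this is a public C entry point taking an arbitrary JSStringRef, that behaviour difference should be confirmed and, if intended, noted in the header. The same construction is made in JSScriptCreateFromString in the next hunk. JSScriptCreateReferencingImmortalASCIIText starts before this hunk.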
@@ -116,12 +116,12 @@ JSScriptRef JSScriptCreateFromString(JSContextGroupRef contextGroup, JSStringRef
     startingLineNumber = std::max(1, startingLineNumber);
 
     auto sourceURLString = url ? url->string() : String();
-    auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURLString }, sourceURLString, startingLineNumber, source->string());
+    auto result = OpaqueJSScript::create(vm, SourceOrigin { sourceURLString }, URL({ }, sourceURLString), startingLineNumber, source->string());
 
     ParserError error;
     if (!parseScript(vm, SourceCode(result.copyRef()), error)) {
         if (errorMessage)
-            *errorMessage = OpaqueJSString::create(error.message()).leakRef();
+            *errorMessage = OpaqueJSString::tryCreate(error.message()).leakRef();
         if (errorLine)
             *errorLine = error.line();
         return nullptr;
@@ -145,8 +145,9 @@ void JSScriptRelease(JSScriptRef script)
 JSValueRef JSScriptEvaluate(JSContextRef context, JSScriptRef script, JSValueRef thisValueRef, JSValueRef* exception)
 {
     ExecState* exec = toJS(context);
-    JSLockHolder locker(exec);
-    if (&script->vm() != &exec->vm()) {
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    if (&script->vm() != &vm) {
         RELEASE_ASSERT_NOT_REACHED();
         return 0;
     }
diff --git a/API/JSScriptSourceProvider.h b/API/JSScriptSourceProvider.h
new file mode 100644
index 0000000..09e4018
--- /dev/null
+++ b/API/JSScriptSourceProvider.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#if JSC_OBJC_API_ENABLED
+
+#import "SourceProvider.h"
+
+@class JSScript;
+
+class JSScriptSourceProvider : public JSC::SourceProvider {
+public:
+    template
+    static Ref create(JSScript *script, Args&&... args)
+    {
+        return adoptRef(*new JSScriptSourceProvider(script, std::forward(args)...));
+    }
+
+    unsigned hash() const override;
+    StringView source() const override;
+    RefPtr cachedBytecode() const override;
+
+private:
+    template
+    JSScriptSourceProvider(JSScript *script, Args&&... args)
+        : SourceProvider(std::forward(args)...)
+        , m_script(script)
+    { }
+
+    RetainPtr m_script;
+};
+
+#endif // JSC_OBJC_API_ENABLED
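Review bot: JSScriptSourceProvider carries no documentation of the lifetime contract that makes `source()` safe: `m_script` is a RetainPtr, so the provider keeps the JSScript alive, and the StringView returned by `source()` (implemented in JSScriptSourceProvider.mm by forwarding to `-[JSScript source]`, which per JSScriptInternal.h returns `const WTF::String&`) borrows that script's string rather than owning it. A comment on the member would make this explicit: `// Strong reference: the StringView handed out by source() borrows the script's string, so the script must outlive every user of this provider.` The template parameter lists appear empty in this rendering (`template` with no arguments), which looks like extraction damage rather than the committed code.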
diff --git a/API/JSScriptSourceProvider.mm b/API/JSScriptSourceProvider.mm
new file mode 100644
index 0000000..ff86317
--- /dev/null
+++ b/API/JSScriptSourceProvider.mm
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import "config.h"
+#import "JSScriptSourceProvider.h"
+
+#if JSC_OBJC_API_ENABLED
+
+#import "JSScriptInternal.h"
+
+unsigned JSScriptSourceProvider::hash() const
+{
+    return [m_script.get() hash];
+}
+
+StringView JSScriptSourceProvider::source() const
+{
+    return [m_script.get() source];
+}
+
+RefPtr JSScriptSourceProvider::cachedBytecode() const
+{
+    return [m_script.get() cachedBytecode];
+}
+
+#endif // JSC_OBJC_API_ENABLED
diff --git a/API/JSStringRef.cpp b/API/JSStringRef.cpp
index 9095404..f5cb875 100644
--- a/API/JSStringRef.cpp
+++ b/API/JSStringRef.cpp
@@ -29,7 +29,7 @@
 
 #include "InitializeThreading.h"
 #include "OpaqueJSString.h"
-#include 
+#include 
 
 using namespace JSC;
 using namespace WTF::Unicode;
@@ -49,7 +49,7 @@ JSStringRef JSStringCreateWithUTF8CString(const char* string)
         UChar* p = buffer.data();
         bool sourceIsAllASCII;
         const LChar* stringStart = reinterpret_cast(string);
-        if (conversionOK == convertUTF8ToUTF16(&string, string + length, &p, p + length, &sourceIsAllASCII)) {
+        if (convertUTF8ToUTF16(string, string + length, &p, p + length, &sourceIsAllASCII)) {
             if (sourceIsAllASCII)
                 return &OpaqueJSString::create(stringStart, length).leakRef();
             return &OpaqueJSString::create(buffer.data(), p - buffer.data()).leakRef();
@@ -62,7 +62,7 @@ JSStringRef JSStringCreateWithUTF8CString(const char* string)
 JSStringRef JSStringCreateWithCharactersNoCopy(const JSChar* chars, size_t numChars)
 {
     initializeThreading();
-    return OpaqueJSString::create(StringImpl::createWithoutCopying(reinterpret_cast(chars), numChars)).leakRef();
+    return OpaqueJSString::tryCreate(StringImpl::createWithoutCopying(reinterpret_cast(chars), numChars)).leakRef();
 }
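Review bot: `OpaqueJSString::tryCreate(...).leakRef()` presumably yields a null pointer when the string cannot be created, so JSStringCreateWithCharactersNoCopy can now return NULL where the old `create` path could not, and the two `*errorMessage = OpaqueJSString::tryCreate(error.message()).leakRef();` lines in JSScriptRef.cpp can likewise leave a null error message. Public callers have no way to know this unless the headers say so; JSStringRef.h should gain `@result A JSString containing chars, or NULL if the string could not be created.` and JSScriptRef's errorMessage parameter a matching remark.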
 
 JSStringRef JSStringRetain(JSStringRef string)
@@ -102,20 +102,18 @@ size_t JSStringGetUTF8CString(JSStringRef string, char* buffer, size_t bufferSiz
         return 0;
 
     char* destination = buffer;
-    ConversionResult result;
+    bool failed = false;
     if (string->is8Bit()) {
         const LChar* source = string->characters8();
-        result = convertLatin1ToUTF8(&source, source + string->length(), &destination, destination + bufferSize - 1);
+        convertLatin1ToUTF8(&source, source + string->length(), &destination, destination + bufferSize - 1);
     } else {
         const UChar* source = string->characters16();
-        result = convertUTF16ToUTF8(&source, source + string->length(), &destination, destination + bufferSize - 1, true);
+        auto result = convertUTF16ToUTF8(&source, source + string->length(), &destination, destination + bufferSize - 1);
+        failed = result != ConversionOK && result != TargetExhausted;
     }
 
     *destination++ = '\0';
-    if (result != conversionOK && result != targetExhausted)
-        return 0;
-
-    return destination - buffer;
+    return failed ? 0 : destination - buffer;
 }
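Review bot: The Latin-1 branch now discards the result of `convertLatin1ToUTF8`, so `failed` can only ever be set by the UTF-16 branch; if that converter can report any status other than success or target-exhausted, the 8-bit path will return a non-zero length for a failed conversion where the old code returned 0. In the UTF-16 branch the trailing `true` argument was dropped; if that was a strict-mode flag, unpaired surrogates that previously made the call fail may now be substituted or accepted, which is a behaviour change for a public API that the commit description should call out. Keeping the two branches symmetric, e.g. `failed = !convertLatin1ToUTF8(&source, ...)` if the new overload reports success as a bool, or comparing its status the way the 16-bit branch does, would preserve the old contract. JSStringGetUTF8CString starts before this hunk.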
 
 bool JSStringIsEqual(JSStringRef a, JSStringRef b)
@@ -125,9 +123,5 @@ bool JSStringIsEqual(JSStringRef a, JSStringRef b)
 
 bool JSStringIsEqualToUTF8CString(JSStringRef a, const char* b)
 {
-    JSStringRef bBuf = JSStringCreateWithUTF8CString(b);
-    bool result = JSStringIsEqual(a, bBuf);
-    JSStringRelease(bBuf);
-    
-    return result;
+    return JSStringIsEqual(a, adoptRef(JSStringCreateWithUTF8CString(b)).get());
 }
diff --git a/API/JSStringRefCF.cpp b/API/JSStringRefCF.cpp
index 0587259..1367715 100644
--- a/API/JSStringRefCF.cpp
+++ b/API/JSStringRefCF.cpp
@@ -49,10 +49,10 @@ JSStringRef JSStringCreateWithCFString(CFStringRef string)
     if (static_cast(convertedSize) == length && static_cast(usedBufferLength) == length)
         return &OpaqueJSString::create(lcharBuffer.data(), length).leakRef();
 
-    auto buffer = std::make_unique(length);
-    CFStringGetCharacters(string, CFRangeMake(0, length), buffer.get());
+    Vector buffer(length);
+    CFStringGetCharacters(string, CFRangeMake(0, length), buffer.data());
     static_assert(sizeof(UniChar) == sizeof(UChar), "UniChar and UChar must be same size");
-    return &OpaqueJSString::create(reinterpret_cast(buffer.get()), length).leakRef();
+    return &OpaqueJSString::create(reinterpret_cast(buffer.data()), length).leakRef();
 }
 
 CFStringRef JSStringCopyCFString(CFAllocatorRef allocator, JSStringRef string)
diff --git a/API/JSTypedArray.cpp b/API/JSTypedArray.cpp
index 5fb29e7..993bf2c 100644
--- a/API/JSTypedArray.cpp
+++ b/API/JSTypedArray.cpp
@@ -141,7 +141,7 @@ JSTypedArrayType JSValueGetTypedArrayType(JSContextRef ctx, JSValueRef valueRef,
 
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
 
     JSValue value = toJS(exec, valueRef);
     if (!value.isObject())
@@ -157,7 +157,9 @@ JSTypedArrayType JSValueGetTypedArrayType(JSContextRef ctx, JSValueRef valueRef,
 JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType arrayType, size_t length, JSValueRef* exception)
 {
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     if (arrayType == kJSTypedArrayTypeNone || arrayType == kJSTypedArrayTypeArrayBuffer)
         return nullptr;
@@ -166,7 +168,7 @@ JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType arrayType,
 
     auto buffer = ArrayBuffer::tryCreate(length, elementByteSize);
     JSObject* result = createTypedArray(exec, arrayType, WTFMove(buffer), 0, length);
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         return nullptr;
     return toRef(result);
 }
@@ -174,19 +176,21 @@ JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType arrayType,
 JSObjectRef JSObjectMakeTypedArrayWithBytesNoCopy(JSContextRef ctx, JSTypedArrayType arrayType, void* bytes, size_t length, JSTypedArrayBytesDeallocator destructor, void* destructorContext, JSValueRef* exception)
 {
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     if (arrayType == kJSTypedArrayTypeNone || arrayType == kJSTypedArrayTypeArrayBuffer)
         return nullptr;
 
     unsigned elementByteSize = elementSize(toTypedArrayType(arrayType));
 
-    RefPtr buffer = ArrayBuffer::createFromBytes(bytes, length, [=](void* p) {
+    auto buffer = ArrayBuffer::createFromBytes(bytes, length, [=](void* p) {
         if (destructor)
             destructor(p, destructorContext);
     });
     JSObject* result = createTypedArray(exec, arrayType, WTFMove(buffer), 0, length / elementByteSize);
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         return nullptr;
     return toRef(result);
 }
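Review bot: The early `return nullptr` for kJSTypedArrayTypeNone/kJSTypedArrayTypeArrayBuffer runs before `ArrayBuffer::createFromBytes` wraps `bytes`, so on that path the caller's deallocator is never invoked and no exception is set, while the header's discussion only promises the deallocator is called when an exception is thrown. This pre-dates the commit, but with the catch scope now declared at the top of the function the error-handling shape is explicit enough that the contract should be stated: either call `destructor(bytes, destructorContext)` before that return, or document in JSTypedArray.h that an unsupported arrayType returns NULL and leaves ownership of bytes with the caller. `length / elementByteSize` also silently drops trailing bytes when length is not a multiple of the element size; a short comment or a check would make that deliberate.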
@@ -195,7 +199,8 @@ JSObjectRef JSObjectMakeTypedArrayWithArrayBuffer(JSContextRef ctx, JSTypedArray
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     if (arrayType == kJSTypedArrayTypeNone || arrayType == kJSTypedArrayTypeArrayBuffer)
         return nullptr;
@@ -210,7 +215,7 @@ JSObjectRef JSObjectMakeTypedArrayWithArrayBuffer(JSContextRef ctx, JSTypedArray
     unsigned elementByteSize = elementSize(toTypedArrayType(arrayType));
 
     JSObject* result = createTypedArray(exec, arrayType, WTFMove(buffer), 0, buffer->byteLength() / elementByteSize);
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         return nullptr;
     return toRef(result);
 }
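Review bot: `createTypedArray(exec, arrayType, WTFMove(buffer), 0, buffer->byteLength() / elementByteSize)` reads `buffer` in the same argument list that moves from it; if `buffer` is a RefPtr and createTypedArray takes it by value, the move may be performed before `buffer->byteLength()` is evaluated (argument evaluation order is unspecified), leaving a null dereference. Hoisting the count, `size_t count = buffer->byteLength() / elementByteSize;`, onto its own line before the call removes the dependency. The line is context rather than new code, and JSObjectMakeTypedArrayWithArrayBuffer starts before this hunk, so the declaration of `buffer` is not visible here.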
@@ -219,7 +224,8 @@ JSObjectRef JSObjectMakeTypedArrayWithArrayBufferAndOffset(JSContextRef ctx, JST
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     if (arrayType == kJSTypedArrayTypeNone || arrayType == kJSTypedArrayTypeArrayBuffer)
         return nullptr;
@@ -231,7 +237,7 @@ JSObjectRef JSObjectMakeTypedArrayWithArrayBufferAndOffset(JSContextRef ctx, JST
     }
 
     JSObject* result = createTypedArray(exec, arrayType, jsBuffer->impl(), offset, length);
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         return nullptr;
     return toRef(result);
 }
@@ -240,7 +246,7 @@ void* JSObjectGetTypedArrayBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JSV
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
     JSObject* object = toJS(objectRef);
 
     if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object)) {
@@ -291,11 +297,11 @@ JSObjectRef JSObjectGetTypedArrayBuffer(JSContextRef ctx, JSObjectRef objectRef,
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
     JSObject* object = toJS(objectRef);
 
     if (JSArrayBufferView* typedArray = jsDynamicCast(vm, object))
-        return toRef(exec->vm().m_typedArrayController->toJS(exec, typedArray->globalObject(), typedArray->possiblySharedBuffer()));
+        return toRef(vm.m_typedArrayController->toJS(exec, typedArray->globalObject(vm), typedArray->possiblySharedBuffer()));
 
     return nullptr;
 }
@@ -303,15 +309,17 @@ JSObjectRef JSObjectGetTypedArrayBuffer(JSContextRef ctx, JSObjectRef objectRef,
 JSObjectRef JSObjectMakeArrayBufferWithBytesNoCopy(JSContextRef ctx, void* bytes, size_t byteLength, JSTypedArrayBytesDeallocator bytesDeallocator, void* deallocatorContext, JSValueRef* exception)
 {
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     auto buffer = ArrayBuffer::createFromBytes(bytes, byteLength, [=](void* p) {
         if (bytesDeallocator)
             bytesDeallocator(p, deallocatorContext);
     });
 
-    JSArrayBuffer* jsBuffer = JSArrayBuffer::create(exec->vm(), exec->lexicalGlobalObject()->arrayBufferStructure(ArrayBufferSharingMode::Default), WTFMove(buffer));
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    JSArrayBuffer* jsBuffer = JSArrayBuffer::create(vm, exec->lexicalGlobalObject()->arrayBufferStructure(ArrayBufferSharingMode::Default), WTFMove(buffer));
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         return nullptr;
 
     return toRef(jsBuffer);
@@ -321,13 +329,13 @@ void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef objectRef, JS
 {
     ExecState* exec = toJS(ctx);
     VM& vm = exec->vm();
-    JSLockHolder locker(exec);
+    JSLockHolder locker(vm);
     JSObject* object = toJS(objectRef);
 
     if (JSArrayBuffer* jsBuffer = jsDynamicCast(vm, object)) {
         ArrayBuffer* buffer = jsBuffer->impl();
         if (buffer->isWasmMemory()) {
-            setException(exec, exception, createTypeError(exec, ASCIILiteral("Cannot get the backing buffer for a WebAssembly.Memory")));
+            setException(exec, exception, createTypeError(exec, "Cannot get the backing buffer for a WebAssembly.Memory"_s));
             return nullptr;
         }
 
diff --git a/API/JSTypedArray.h b/API/JSTypedArray.h
index e23b76d..7eaf76c 100644
--- a/API/JSTypedArray.h
+++ b/API/JSTypedArray.h
@@ -45,7 +45,7 @@ extern "C" {
  @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result             A JSObjectRef that is a Typed Array with all elements set to zero or NULL if there was an error.
  */
-JS_EXPORT JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType arrayType, size_t length, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType arrayType, size_t length, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -60,7 +60,7 @@ JS_EXPORT JSObjectRef JSObjectMakeTypedArray(JSContextRef ctx, JSTypedArrayType
  @result                   A JSObjectRef Typed Array whose backing store is the same as the one pointed to by bytes or NULL if there was an error.
  @discussion               If an exception is thrown during this function the bytesDeallocator will always be called.
  */
-JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithBytesNoCopy(JSContextRef ctx, JSTypedArrayType arrayType, void* bytes, size_t byteLength, JSTypedArrayBytesDeallocator bytesDeallocator, void* deallocatorContext, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithBytesNoCopy(JSContextRef ctx, JSTypedArrayType arrayType, void* bytes, size_t byteLength, JSTypedArrayBytesDeallocator bytesDeallocator, void* deallocatorContext, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -71,7 +71,7 @@ JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithBytesNoCopy(JSContextRef ctx, JS
  @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result             A JSObjectRef that is a Typed Array or NULL if there was an error. The backing store of the Typed Array will be buffer.
  */
-JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithArrayBuffer(JSContextRef ctx, JSTypedArrayType arrayType, JSObjectRef buffer, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithArrayBuffer(JSContextRef ctx, JSTypedArrayType arrayType, JSObjectRef buffer, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -84,7 +84,7 @@ JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithArrayBuffer(JSContextRef ctx, JS
  @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result             A JSObjectRef that is a Typed Array or NULL if there was an error. The backing store of the Typed Array will be buffer.
  */
-JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithArrayBufferAndOffset(JSContextRef ctx, JSTypedArrayType arrayType, JSObjectRef buffer, size_t byteOffset, size_t length, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithArrayBufferAndOffset(JSContextRef ctx, JSTypedArrayType arrayType, JSObjectRef buffer, size_t byteOffset, size_t length, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -95,7 +95,7 @@ JS_EXPORT JSObjectRef JSObjectMakeTypedArrayWithArrayBufferAndOffset(JSContextRe
  @result             A pointer to the raw data buffer that serves as object's backing store or NULL if object is not a Typed Array object.
  @discussion         The pointer returned by this function is temporary and is not guaranteed to remain valid across JavaScriptCore API calls.
  */
-JS_EXPORT void* JSObjectGetTypedArrayBytesPtr(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT void* JSObjectGetTypedArrayBytesPtr(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -105,7 +105,7 @@ JS_EXPORT void* JSObjectGetTypedArrayBytesPtr(JSContextRef ctx, JSObjectRef obje
  @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result             The length of the Typed Array object or 0 if the object is not a Typed Array object.
  */
-JS_EXPORT size_t JSObjectGetTypedArrayLength(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT size_t JSObjectGetTypedArrayLength(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -115,7 +115,7 @@ JS_EXPORT size_t JSObjectGetTypedArrayLength(JSContextRef ctx, JSObjectRef objec
  @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result             The byte length of the Typed Array object or 0 if the object is not a Typed Array object.
  */
-JS_EXPORT size_t JSObjectGetTypedArrayByteLength(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT size_t JSObjectGetTypedArrayByteLength(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -125,7 +125,7 @@ JS_EXPORT size_t JSObjectGetTypedArrayByteLength(JSContextRef ctx, JSObjectRef o
  @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result             The byte offset of the Typed Array object or 0 if the object is not a Typed Array object.
  */
-JS_EXPORT size_t JSObjectGetTypedArrayByteOffset(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT size_t JSObjectGetTypedArrayByteOffset(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -135,7 +135,7 @@ JS_EXPORT size_t JSObjectGetTypedArrayByteOffset(JSContextRef ctx, JSObjectRef o
  @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result             A JSObjectRef with a JSTypedArrayType of kJSTypedArrayTypeArrayBuffer or NULL if object is not a Typed Array.
  */
-JS_EXPORT JSObjectRef JSObjectGetTypedArrayBuffer(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT JSObjectRef JSObjectGetTypedArrayBuffer(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 // ------------- Array Buffer functions -------------
 
@@ -151,7 +151,7 @@ JS_EXPORT JSObjectRef JSObjectGetTypedArrayBuffer(JSContextRef ctx, JSObjectRef
  @result                   A JSObjectRef Array Buffer whose backing store is the same as the one pointed to by bytes or NULL if there was an error.
  @discussion               If an exception is thrown during this function the bytesDeallocator will always be called.
  */
-JS_EXPORT JSObjectRef JSObjectMakeArrayBufferWithBytesNoCopy(JSContextRef ctx, void* bytes, size_t byteLength, JSTypedArrayBytesDeallocator bytesDeallocator, void* deallocatorContext, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT JSObjectRef JSObjectMakeArrayBufferWithBytesNoCopy(JSContextRef ctx, void* bytes, size_t byteLength, JSTypedArrayBytesDeallocator bytesDeallocator, void* deallocatorContext, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -161,7 +161,7 @@ JS_EXPORT JSObjectRef JSObjectMakeArrayBufferWithBytesNoCopy(JSContextRef ctx, v
  @result           A pointer to the raw data buffer that serves as object's backing store or NULL if object is not an Array Buffer object.
  @discussion       The pointer returned by this function is temporary and is not guaranteed to remain valid across JavaScriptCore API calls.
  */
-JS_EXPORT void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /*!
  @function
@@ -171,7 +171,7 @@ JS_EXPORT void* JSObjectGetArrayBufferBytesPtr(JSContextRef ctx, JSObjectRef obj
  @param exception  A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result           The number of bytes stored in the data object.
  */
-JS_EXPORT size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT size_t JSObjectGetArrayBufferByteLength(JSContextRef ctx, JSObjectRef object, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 #ifdef __cplusplus
 }
diff --git a/API/JSValue.h b/API/JSValue.h
index 1410dd7..1b5845e 100644
--- a/API/JSValue.h
+++ b/API/JSValue.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -132,6 +132,45 @@ NS_CLASS_AVAILABLE(10_9, 7_0)
 */
 + (JSValue *)valueWithNewErrorFromMessage:(NSString *)message inContext:(JSContext *)context;
 
+/*!
+@method
+@abstract Create a new promise object using the provided executor callback.
+@param callback A callback block invoked while the promise object is being initialized. The resolve and reject parameters are functions that can be called to notify any pending reactions about the state of the new promise object.
+@param context The JSContext to which the resulting JSValue belongs.
+@result The JSValue representing a new promise JavaScript object.
+@discussion This method is equivalent to calling the Promise constructor in JavaScript. the resolve and reject callbacks each normally take a single value, which they forward to all relevent pending reactions. While inside the executor callback context will act as if it were in any other callback, except calleeFunction will be nil. This also means means the new promise object may be accessed via [context thisValue].
+*/
++ (JSValue *)valueWithNewPromiseInContext:(JSContext *)context fromExecutor:(void (^)(JSValue *resolve, JSValue *reject))callback JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
+/*!
+@method
+@abstract Create a new resolved promise object with the provided value.
+@param result The result value to be passed to any reactions.
+@param context The JSContext to which the resulting JSValue belongs.
+@result The JSValue representing a new promise JavaScript object.
+@discussion This method is equivalent to calling [JSValue valueWithNewPromiseFromExecutor:^(JSValue *resolve, JSValue *reject) { [resolve callWithArguments:@[result]]; } inContext:context]
+*/
++ (JSValue *)valueWithNewPromiseResolvedWithResult:(id)result inContext:(JSContext *)context JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
+/*!
+@method
+@abstract Create a new rejected promise object with the provided value.
+@param reason The result value to be passed to any reactions.
+@param context The JSContext to which the resulting JSValue belongs.
+@result The JSValue representing a new promise JavaScript object.
+@discussion This method is equivalent to calling [JSValue valueWithNewPromiseFromExecutor:^(JSValue *resolve, JSValue *reject) { [reject callWithArguments:@[reason]]; } inContext:context]
+*/
++ (JSValue *)valueWithNewPromiseRejectedWithReason:(id)reason inContext:(JSContext *)context JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
+/*!
+@method
+@abstract Create a new, unique, symbol object.
+@param description The description of the symbol object being created.
+@param context The JSContext to which the resulting JSValue belongs.
+@result The JSValue representing a unique JavaScript value with type symbol.
+*/
++ (JSValue *)valueWithNewSymbolFromDescription:(NSString *)description inContext:(JSContext *)context JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
 /*!
 @method
 @abstract Create the JavaScript value null.
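Review bot: The discussion text for the two convenience promise constructors does not match the declared selector: both cite `[JSValue valueWithNewPromiseFromExecutor:... inContext:context]`, but the method declared above is `valueWithNewPromiseInContext:fromExecutor:`, so the documented equivalence names a selector that does not exist. The discussion for valueWithNewPromiseInContext:fromExecutor: also has typos: `relevent` should be `relevant`, `means means` should be `means`, and `the resolve and reject callbacks` starts a sentence and should be capitalised. Proposed wording for the equivalence: `This method is equivalent to calling [JSValue valueWithNewPromiseInContext:context fromExecutor:^(JSValue *resolve, JSValue *reject) { [resolve callWithArguments:@[result]]; }]`, with `reject`/`reason` substituted for the rejected variant.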
@@ -302,63 +341,6 @@ NS_CLASS_AVAILABLE(10_9, 7_0)
 */
 - (NSDictionary *)toDictionary;
 
-/*!
-@methodgroup Accessing Properties
-*/
-/*!
-@method
-@abstract Access a property of a JSValue.
-@result The JSValue for the requested property or the JSValue undefined 
- if the property does not exist.
-*/
-- (JSValue *)valueForProperty:(NSString *)property;
-
-/*!
-@method
-@abstract Set a property on a JSValue.
-*/
-- (void)setValue:(id)value forProperty:(NSString *)property;
-
-/*!
-@method
-@abstract Delete a property from a JSValue.
-@result YES if deletion is successful, NO otherwise.
-*/
-- (BOOL)deleteProperty:(NSString *)property;
-
-/*!
-@method
-@abstract Check if a JSValue has a property.
-@discussion This method has the same function as the JavaScript operator in.
-@result Returns YES if property is present on the value.
-*/
-- (BOOL)hasProperty:(NSString *)property;
-
-/*!
-@method
-@abstract Define properties with custom descriptors on JSValues.
-@discussion This method may be used to create a data or accessor property on an object.
- This method operates in accordance with the Object.defineProperty method in the 
- JavaScript language.
-*/
-- (void)defineProperty:(NSString *)property descriptor:(id)descriptor;
-
-/*!
-@method
-@abstract Access an indexed (numerical) property on a JSValue.
-@result The JSValue for the property at the specified index. 
- Returns the JavaScript value undefined if no property exists at that index. 
-*/
-- (JSValue *)valueAtIndex:(NSUInteger)index;
-
-/*!
-@method
-@abstract Set an indexed (numerical) property on a JSValue.
-@discussion For JSValues that are JavaScript arrays, indices greater than 
- UINT_MAX - 1 will not affect the length of the array.
-*/
-- (void)setValue:(id)value atIndex:(NSUInteger)index;
-
 /*!
 @functiongroup Checking JavaScript Types
 */
@@ -406,13 +388,19 @@ NS_CLASS_AVAILABLE(10_9, 7_0)
 @property
 @abstract Check if a JSValue is an array.
 */ 
-@property (readonly) BOOL isArray NS_AVAILABLE(10_11, 9_0);
+@property (readonly) BOOL isArray JSC_API_AVAILABLE(macos(10.11), ios(9.0));
 
 /*!
 @property
 @abstract Check if a JSValue is a date.
 */ 
-@property (readonly) BOOL isDate NS_AVAILABLE(10_11, 9_0);
+@property (readonly) BOOL isDate JSC_API_AVAILABLE(macos(10.11), ios(9.0));
+
+/*!
+ @property
+ @abstract Check if a JSValue is a symbol.
+ */
+@property (readonly) BOOL isSymbol JSC_API_AVAILABLE(macos(10.15), ios(13.0));
 
 /*!
 @method
@@ -555,6 +543,77 @@ Create a JSValue from a CGRect.
 
 @end
 
+/*!
+ @category
+ @discussion These methods enable querying properties on a JSValue.
+ */
+@interface JSValue (PropertyAccess)
+
+#if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED < 101500) || (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED < 130000)
+typedef NSString *JSValueProperty;
+#else
+typedef id JSValueProperty;
+#endif
+
+/*!
+ @method
+ @abstract Access a property of a JSValue.
+ @result The JSValue for the requested property or the JSValue undefined
+ if the property does not exist.
+ @discussion Corresponds to the JavaScript operation object[property]. Starting with macOS 10.15 and iOS 13, 'property' can be any 'id' and will be converted to a JSValue using the conversion rules of valueWithObject:inContext:. Prior to macOS 10.15 and iOS 13, 'property' was expected to be an NSString *.
+ */
+- (JSValue *)valueForProperty:(JSValueProperty)property;
+
+/*!
+ @method
+ @abstract Set a property on a JSValue.
+ @discussion Corresponds to the JavaScript operation object[property] = value. Starting with macOS 10.15 and iOS 13, 'property' can be any 'id' and will be converted to a JSValue using the conversion rules of valueWithObject:inContext:. Prior to macOS 10.15 and iOS 13, 'property' was expected to be an NSString *.
+ */
+- (void)setValue:(id)value forProperty:(JSValueProperty)property;
+
+/*!
+ @method
+ @abstract Delete a property from a JSValue.
+ @result YES if deletion is successful, NO otherwise.
+ @discussion Corresponds to the JavaScript operation delete object[property]. Starting with macOS 10.15 and iOS 13, 'property' can be any 'id' and will be converted to a JSValue using the conversion rules of valueWithObject:inContext:. Prior to macOS 10.15 and iOS 13, 'property' was expected to be an NSString *.
+ */
+- (BOOL)deleteProperty:(JSValueProperty)property;
+
+/*!
+ @method
+ @abstract Check if a JSValue has a property.
+ @discussion This method has the same function as the JavaScript operator in.
+ @result Returns YES if property is present on the value.
+ @discussion Corresponds to the JavaScript operation property in object. Starting with macOS 10.15 and iOS 13, 'property' can be any 'id' and will be converted to a JSValue using the conversion rules of valueWithObject:inContext:. Prior to macOS 10.15 and iOS 13, 'property' was expected to be an NSString *.
+ */
+- (BOOL)hasProperty:(JSValueProperty)property;
+
+/*!
+ @method
+ @abstract Define properties with custom descriptors on JSValues.
+ @discussion This method may be used to create a data or accessor property on an object.
+ This method operates in accordance with the Object.defineProperty method in the JavaScript language. Starting with macOS 10.15 and iOS 13, 'property' can be any 'id' and will be converted to a JSValue using the conversion rules of valueWithObject:inContext:. Prior to macOS 10.15 and iOS 13, 'property' was expected to be an NSString *.
+ */
+- (void)defineProperty:(JSValueProperty)property descriptor:(id)descriptor;
+
+/*!
+ @method
+ @abstract Access an indexed (numerical) property on a JSValue.
+ @result The JSValue for the property at the specified index.
+ Returns the JavaScript value undefined if no property exists at that index.
+ */
+- (JSValue *)valueAtIndex:(NSUInteger)index;
+
+/*!
+ @method
+ @abstract Set an indexed (numerical) property on a JSValue.
+ @discussion For JSValues that are JavaScript arrays, indices greater than
+ UINT_MAX - 1 will not affect the length of the array.
+ */
+- (void)setValue:(id)value atIndex:(NSUInteger)index;
+
+@end
+
 /*!
 @category
 @discussion Instances of JSValue implement the following methods in order to enable
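Review bot: The hasProperty: comment in this hunk carries two `@discussion` tags — `@discussion This method has the same function as the JavaScript operator in.` before `@result`, and a second `@discussion Corresponds to the JavaScript operation property in object. ...` after it — and HeaderDoc is unlikely to render both, so one of them will silently disappear from the generated documentation. Merge them into one tag after `@result`, e.g. `@discussion Corresponds to the JavaScript operation property in object (the same function as the JavaScript operator in). Starting with macOS 10.15 and iOS 13, 'property' can be any 'id' ...`. The availability paragraph ("Starting with macOS 10.15 and iOS 13, 'property' can be any 'id' ... was expected to be an NSString *.") is repeated verbatim in five method comments of this hunk; the category-level `@discussion` on `@interface JSValue (PropertyAccess)` is the natural place to state it once, next to the `JSValueProperty` typedef whose deployment-target condition it describes.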
@@ -569,13 +628,16 @@ Create a JSValue from a CGRect.
 @/textblock
 
  An object key passed as a subscript will be converted to a JavaScript value,
- and then the value converted to a string used as a property name.
+ and then the value using the same rules as valueWithObject:inContext:. In macOS
+ 10.14 and iOS 12 and below, the key argument of
+ setObject:object forKeyedSubscript:key was restricted to an
+ NSObject  * but that restriction was never used internally.
 */
 @interface JSValue (SubscriptSupport)
 
 - (JSValue *)objectForKeyedSubscript:(id)key;
 - (JSValue *)objectAtIndexedSubscript:(NSUInteger)index;
-- (void)setObject:(id)object forKeyedSubscript:(NSObject  *)key;
+- (void)setObject:(id)object forKeyedSubscript:(id)key;
 - (void)setObject:(id)object atIndexedSubscript:(NSUInteger)index;
 
 @end
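Review bot: The rewritten sentence in the SubscriptSupport discussion no longer parses: "will be converted to a JavaScript value, and then the value using the same rules as valueWithObject:inContext:" lost its verb when the old "converted to a string used as a property name" clause was dropped. Suggested wording: `An object key passed as a subscript will be converted to a JavaScript value using the same rules as valueWithObject:inContext:.` The next sentence has a doubled space in `NSObject  *`, and "was restricted to an NSObject * but that restriction was never used internally" reads more clearly as "was declared as NSObject *, but that restriction was never relied on internally".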
diff --git a/API/JSValue.mm b/API/JSValue.mm
index 6986fae..86e10cf 100644
--- a/API/JSValue.mm
+++ b/API/JSValue.mm
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -31,18 +31,21 @@
 #import "Exception.h"
 #import "JavaScriptCore.h"
 #import "JSContextInternal.h"
+#import "JSObjectRefPrivate.h"
 #import "JSVirtualMachineInternal.h"
 #import "JSValueInternal.h"
+#import "JSValuePrivate.h"
 #import "JSWrapperMap.h"
 #import "ObjcRuntimeExtras.h"
 #import "JSCInlines.h"
 #import "JSCJSValue.h"
 #import "Strong.h"
 #import "StrongInlines.h"
+#import 
 #import 
 #import 
 #import 
-#import 
+#import 
 #import 
 #import 
 #import 
@@ -66,6 +69,21 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
     JSValueRef m_value;
 }
 
+- (void)dealloc
+{
+    JSValueUnprotect([_context JSGlobalContextRef], m_value);
+    [_context release];
+    _context = nil;
+    [super dealloc];
+}
+
+- (NSString *)description
+{
+    if (id wrapped = tryUnwrapObjcObject([_context JSGlobalContextRef], m_value))
+        return [wrapped description];
+    return [self toString];
+}
+
 - (JSValueRef)JSValueRef
 {
     return m_value;
@@ -108,21 +126,16 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
 
 + (JSValue *)valueWithNewRegularExpressionFromPattern:(NSString *)pattern flags:(NSString *)flags inContext:(JSContext *)context
 {
-    JSStringRef patternString = JSStringCreateWithCFString((CFStringRef)pattern);
-    JSStringRef flagsString = JSStringCreateWithCFString((CFStringRef)flags);
-    JSValueRef arguments[2] = { JSValueMakeString([context JSGlobalContextRef], patternString), JSValueMakeString([context JSGlobalContextRef], flagsString) };
-    JSStringRelease(patternString);
-    JSStringRelease(flagsString);
-
+    auto patternString = OpaqueJSString::tryCreate(pattern);
+    auto flagsString = OpaqueJSString::tryCreate(flags);
+    JSValueRef arguments[2] = { JSValueMakeString([context JSGlobalContextRef], patternString.get()), JSValueMakeString([context JSGlobalContextRef], flagsString.get()) };
     return [JSValue valueWithJSValueRef:JSObjectMakeRegExp([context JSGlobalContextRef], 2, arguments, 0) inContext:context];
 }
 
 + (JSValue *)valueWithNewErrorFromMessage:(NSString *)message inContext:(JSContext *)context
 {
-    JSStringRef string = JSStringCreateWithCFString((CFStringRef)message);
-    JSValueRef argument = JSValueMakeString([context JSGlobalContextRef], string);
-    JSStringRelease(string);
-
+    auto string = OpaqueJSString::tryCreate(message);
+    JSValueRef argument = JSValueMakeString([context JSGlobalContextRef], string.get());
     return [JSValue valueWithJSValueRef:JSObjectMakeError([context JSGlobalContextRef], 1, &argument, 0) inContext:context];
 }
 
@@ -136,6 +149,54 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
     return [JSValue valueWithJSValueRef:JSValueMakeUndefined([context JSGlobalContextRef]) inContext:context];
 }
 
++ (JSValue *)valueWithNewSymbolFromDescription:(NSString *)description inContext:(JSContext *)context
+{
+    auto string = OpaqueJSString::tryCreate(description);
+    return [JSValue valueWithJSValueRef:JSValueMakeSymbol([context JSGlobalContextRef], string.get()) inContext:context];
+}
+
++ (JSValue *)valueWithNewPromiseInContext:(JSContext *)context fromExecutor:(void (^)(JSValue *, JSValue *))executor
+{
+    JSObjectRef resolve;
+    JSObjectRef reject;
+    JSValueRef exception = nullptr;
+    JSObjectRef promise = JSObjectMakeDeferredPromise([context JSGlobalContextRef], &resolve, &reject, &exception);
+    if (exception) {
+        [context notifyException:exception];
+        return [JSValue valueWithUndefinedInContext:context];
+    }
+
+    JSValue *result = [JSValue valueWithJSValueRef:promise inContext:context];
+    JSValue *rejection = [JSValue valueWithJSValueRef:reject inContext:context];
+    CallbackData callbackData;
+    const size_t argumentCount = 2;
+    JSValueRef arguments[argumentCount];
+    arguments[0] = resolve;
+    arguments[1] = reject;
+
+    [context beginCallbackWithData:&callbackData calleeValue:nullptr thisValue:promise argumentCount:argumentCount arguments:arguments];
+    executor([JSValue valueWithJSValueRef:resolve inContext:context], rejection);
+    if (context.exception)
+        [rejection callWithArguments:@[context.exception]];
+    [context endCallbackWithData:&callbackData];
+
+    return result;
+}
+
++ (JSValue *)valueWithNewPromiseResolvedWithResult:(id)result inContext:(JSContext *)context
+{
+    return [JSValue valueWithNewPromiseInContext:context fromExecutor:^(JSValue *resolve, JSValue *) {
+        [resolve callWithArguments:@[result]];
+    }];
+}
+
++ (JSValue *)valueWithNewPromiseRejectedWithReason:(id)reason inContext:(JSContext *)context
+{
+    return [JSValue valueWithNewPromiseInContext:context fromExecutor:^(JSValue *, JSValue *reject) {
+        [reject callWithArguments:@[reason]];
+    }];
+}
+
 - (id)toObject
 {
     return valueToObject(_context, m_value);
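Review bot: `valueWithNewPromiseResolvedWithResult:` and `valueWithNewPromiseRejectedWithReason:` build their argument list with the `@[result]` / `@[reason]` array literals, which raise NSInvalidArgumentException when the element is nil; both parameters are typed `id` and the header does not declare them non-null, so a nil reason crashes the caller instead of producing a promise settled with undefined (nil → undefined is the conversion objectToValueWithoutCopy applies elsewhere in this file). A guard such as `[resolve callWithArguments:result ? @[result] : @[]]` (and the same for `reject`) preserves the documented "equivalent to calling the executor" semantics. In `valueWithNewPromiseInContext:fromExecutor:`, when the executor throws the exception is forwarded to `rejection` but `context.exception` is not cleared in this hunk; unless `endCallbackWithData:` resets it (not visible here), the stale exception would be re-reported on the next API call, so `context.exception = nil;` after the `callWithArguments:` call looks warranted. `-[JSValue callWithArguments:]` may itself run script and set `context.exception` again, which that same reset would cover.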
@@ -219,72 +280,80 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
     return result;
 }
 
-- (JSValue *)valueForProperty:(NSString *)propertyName
+template
+inline Expected performPropertyOperation(NSStringFunction stringFunction, JSValueFunction jsFunction, JSValue* value, id propertyKey, Types... arguments)
 {
-    JSValueRef exception = 0;
-    JSObjectRef object = JSValueToObject([_context JSGlobalContextRef], m_value, &exception);
+    JSContext* context = [value context];
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject([context JSGlobalContextRef], [value JSValueRef], &exception);
     if (exception)
-        return [_context valueFromNotifyException:exception];
+        return Unexpected(exception);
 
-    JSStringRef name = JSStringCreateWithCFString((CFStringRef)propertyName);
-    JSValueRef result = JSObjectGetProperty([_context JSGlobalContextRef], object, name, &exception);
-    JSStringRelease(name);
-    if (exception)
-        return [_context valueFromNotifyException:exception];
-
-    return [JSValue valueWithJSValueRef:result inContext:_context];
+    Result result;
+    // If it's a NSString already, reduce indirection and just pass the NSString.
+    if ([propertyKey isKindOfClass:[NSString class]]) {
+        auto name = OpaqueJSString::tryCreate((NSString *)propertyKey);
+        result = stringFunction([context JSGlobalContextRef], object, name.get(), arguments..., &exception);
+    } else
+        result = jsFunction([context JSGlobalContextRef], object, [[JSValue valueWithObject:propertyKey inContext:context] JSValueRef], arguments..., &exception);
+    return Expected(result);
 }
 
-- (void)setValue:(id)value forProperty:(NSString *)propertyName
+- (JSValue *)valueForProperty:(id)key
 {
-    JSValueRef exception = 0;
-    JSObjectRef object = JSValueToObject([_context JSGlobalContextRef], m_value, &exception);
-    if (exception) {
-        [_context notifyException:exception];
-        return;
-    }
+    auto result = performPropertyOperation(JSObjectGetProperty, JSObjectGetPropertyForKey, self, key);
+    if (!result)
+        return [_context valueFromNotifyException:result.error()];
 
-    JSStringRef name = JSStringCreateWithCFString((CFStringRef)propertyName);
-    JSObjectSetProperty([_context JSGlobalContextRef], object, name, objectToValue(_context, value), 0, &exception);
-    JSStringRelease(name);
-    if (exception) {
-        [_context notifyException:exception];
+    return [JSValue valueWithJSValueRef:result.value() inContext:_context];
+}
+
+
+- (void)setValue:(id)value forProperty:(JSValueProperty)key
+{
+    // We need Unit business because void can't be assigned to in performPropertyOperation and I don't want to duplicate the code...
+    using Unit = std::tuple<>;
+    auto stringSetProperty = [] (auto... args) -> Unit {
+        JSObjectSetProperty(args...);
+        return { };
+    };
+
+    auto jsValueSetProperty = [] (auto... args) -> Unit {
+        JSObjectSetPropertyForKey(args...);
+        return { };
+    };
+
+    auto result = performPropertyOperation(stringSetProperty, jsValueSetProperty, self, key, objectToValue(_context, value), kJSPropertyAttributeNone);
+    if (!result) {
+        [_context notifyException:result.error()];
         return;
     }
 }
 
-- (BOOL)deleteProperty:(NSString *)propertyName
+- (BOOL)deleteProperty:(JSValueProperty)key
 {
-    JSValueRef exception = 0;
-    JSObjectRef object = JSValueToObject([_context JSGlobalContextRef], m_value, &exception);
-    if (exception)
-        return [_context boolFromNotifyException:exception];
-
-    JSStringRef name = JSStringCreateWithCFString((CFStringRef)propertyName);
-    BOOL result = JSObjectDeleteProperty([_context JSGlobalContextRef], object, name, &exception);
-    JSStringRelease(name);
-    if (exception)
-        return [_context boolFromNotifyException:exception];
-
-    return result;
+    Expected result = performPropertyOperation(JSObjectDeleteProperty, JSObjectDeletePropertyForKey, self, key);
+    if (!result)
+        return [_context boolFromNotifyException:result.error()];
+    return result.value();
 }
 
-- (BOOL)hasProperty:(NSString *)propertyName
+- (BOOL)hasProperty:(JSValueProperty)key
 {
-    JSValueRef exception = 0;
-    JSObjectRef object = JSValueToObject([_context JSGlobalContextRef], m_value, &exception);
-    if (exception)
-        return [_context boolFromNotifyException:exception];
+    // The C-api doesn't return an exception value for the string version of has property.
+    auto stringHasProperty = [] (JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef*) -> BOOL {
+        return JSObjectHasProperty(ctx, object, propertyName);
+    };
 
-    JSStringRef name = JSStringCreateWithCFString((CFStringRef)propertyName);
-    BOOL result = JSObjectHasProperty([_context JSGlobalContextRef], object, name);
-    JSStringRelease(name);
-    return result;
+    Expected result = performPropertyOperation(stringHasProperty, JSObjectHasPropertyForKey, self, key);
+    if (!result)
+        return [_context boolFromNotifyException:result.error()];
+    return result.value();
 }
 
-- (void)defineProperty:(NSString *)property descriptor:(id)descriptor
+- (void)defineProperty:(JSValueProperty)key descriptor:(id)descriptor
 {
-    [[_context globalObject][@"Object"] invokeMethod:@"defineProperty" withArguments:@[ self, property, descriptor ]];
+    [[_context globalObject][@"Object"] invokeMethod:@"defineProperty" withArguments:@[ self, key, descriptor ]];
 }
 
 - (JSValue *)valueAtIndex:(NSUInteger)index
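Review bot: `performPropertyOperation` has no comment stating the contract the two callables must satisfy — both are invoked as `fn(ctx, object, key, arguments..., &exception)` and must return the same `Result`, and the string variant is chosen only when `propertyKey` is an NSString; a header comment such as `// Runs a property operation against the receiver: the JSStringRef C API when the key is already an NSString, the JSValueRef C API otherwise. Both callables take (ctx, object, key, extra args..., JSValueRef* exception) and return Result; the receiver's JSValueToObject failure is returned as Unexpected.` would make the lambdas in setValue:forProperty: and hasProperty: self-explanatory. In `setValue:forProperty:` the `return;` inside `if (!result) { ... }` is the last statement of a void method and is dead; `if (!result) [_context notifyException:result.error()];` is enough. Note also that `objectToValue(_context, value)` is now evaluated before the receiver's `JSValueToObject` check (the old code converted only after that check passed), so a wrapper for `value` can be created even when the receiver is not an object — harmless as far as this hunk shows, but worth a one-line comment if intentional. The doubled blank line before `- (void)setValue:forProperty:` is a style nit.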
@@ -357,6 +426,11 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
     return JSValueIsObject([_context JSGlobalContextRef], m_value);
 }
 
+- (BOOL)isSymbol
+{
+    return JSValueIsSymbol([_context JSGlobalContextRef], m_value);
+}
+
 - (BOOL)isArray
 {
     return JSValueIsArray([_context JSGlobalContextRef], m_value);
@@ -446,9 +520,8 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
     if (exception)
         return [_context valueFromNotifyException:exception];
 
-    JSStringRef name = JSStringCreateWithCFString((CFStringRef)method);
-    JSValueRef function = JSObjectGetProperty([_context JSGlobalContextRef], thisObject, name, &exception);
-    JSStringRelease(name);
+    auto name = OpaqueJSString::tryCreate(method);
+    JSValueRef function = JSObjectGetProperty([_context JSGlobalContextRef], thisObject, name.get(), &exception);
     if (exception)
         return [_context valueFromNotifyException:exception];
 
@@ -539,13 +612,7 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
 
 - (JSValue *)objectForKeyedSubscript:(id)key
 {
-    if (![key isKindOfClass:[NSString class]]) {
-        key = [[JSValue valueWithObject:key inContext:_context] toString];
-        if (!key)
-            return [JSValue valueWithUndefinedInContext:_context];
-    }
-
-    return [self valueForProperty:(NSString *)key];
+    return [self valueForProperty:key];
 }
 
 - (JSValue *)objectAtIndexedSubscript:(NSUInteger)index
@@ -553,15 +620,9 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
     return [self valueAtIndex:index];
 }
 
-- (void)setObject:(id)object forKeyedSubscript:(NSObject  *)key
+- (void)setObject:(id)object forKeyedSubscript:(id)key
 {
-    if (![key isKindOfClass:[NSString class]]) {
-        key = [[JSValue valueWithObject:key inContext:_context] toString];
-        if (!key)
-            return;
-    }
-
-    [self setValue:object forProperty:(NSString *)key];
+    [self setValue:object forProperty:key];
 }
 
 - (void)setObject:(id)object atIndexedSubscript:(NSUInteger)index
@@ -574,13 +635,13 @@ NSString * const JSPropertyDescriptorSetKey = @"set";
 inline bool isDate(JSC::VM& vm, JSObjectRef object, JSGlobalContextRef context)
 {
     JSC::JSLockHolder locker(toJS(context));
-    return toJS(object)->inherits(vm, JSC::DateInstance::info());
+    return toJS(object)->inherits(vm);
 }
 
 inline bool isArray(JSC::VM& vm, JSObjectRef object, JSGlobalContextRef context)
 {
     JSC::JSLockHolder locker(toJS(context));
-    return toJS(object)->inherits(vm, JSC::JSArray::info());
+    return toJS(object)->inherits(vm);
 }
 
 @implementation JSValue(Internal)
@@ -611,14 +672,14 @@ public:
 
 private:
     JSGlobalContextRef m_context;
-    HashMap m_objectMap;
+    HashMap m_objectMap;
     Vector m_worklist;
     Vector> m_jsValues;
 };
 
 inline id JSContainerConvertor::convert(JSValueRef value)
 {
-    HashMap::iterator iter = m_objectMap.find(value);
+    auto iter = m_objectMap.find(value);
     if (iter != m_objectMap.end())
         return iter->value;
 
@@ -649,8 +710,9 @@ JSContainerConvertor::Task JSContainerConvertor::take()
 static void reportExceptionToInspector(JSGlobalContextRef context, JSC::JSValue exceptionValue)
 {
     JSC::ExecState* exec = toJS(context);
-    JSC::Exception* exception = JSC::Exception::create(exec->vm(), exceptionValue);
-    exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exception);
+    JSC::VM& vm = exec->vm();
+    JSC::Exception* exception = JSC::Exception::create(vm, exceptionValue);
+    vm.vmEntryGlobalObject(exec)->inspectorController().reportAPIException(exec, exception);
 }
 #endif
 
@@ -670,31 +732,29 @@ static JSContainerConvertor::Task valueToObjectWithoutCopy(JSGlobalContextRef co
             primitive = [NSNumber numberWithDouble:JSValueToNumber(context, value, 0)];
         } else if (JSValueIsString(context, value)) {
             // Would be nice to unique strings, too.
-            JSStringRef jsstring = JSValueToStringCopy(context, value, 0);
-            NSString * stringNS = (NSString *)JSStringCopyCFString(kCFAllocatorDefault, jsstring);
-            JSStringRelease(jsstring);
-            primitive = [stringNS autorelease];
+            auto jsstring = adoptRef(JSValueToStringCopy(context, value, 0));
+            primitive = CFBridgingRelease(JSStringCopyCFString(kCFAllocatorDefault, jsstring.get()));
         } else if (JSValueIsNull(context, value))
             primitive = [NSNull null];
         else {
             ASSERT(JSValueIsUndefined(context, value));
             primitive = nil;
         }
-        return (JSContainerConvertor::Task){ value, primitive, ContainerNone };
+        return { value, primitive, ContainerNone };
     }
 
     JSObjectRef object = JSValueToObject(context, value, 0);
 
     if (id wrapped = tryUnwrapObjcObject(context, object))
-        return (JSContainerConvertor::Task){ object, wrapped, ContainerNone };
+        return { object, wrapped, ContainerNone };
 
     if (isDate(vm, object, context))
-        return (JSContainerConvertor::Task){ object, [NSDate dateWithTimeIntervalSince1970:JSValueToNumber(context, object, 0) / 1000.0], ContainerNone };
+        return { object, [NSDate dateWithTimeIntervalSince1970:JSValueToNumber(context, object, 0) / 1000.0], ContainerNone };
 
     if (isArray(vm, object, context))
-        return (JSContainerConvertor::Task){ object, [NSMutableArray array], ContainerArray };
+        return { object, [NSMutableArray array], ContainerArray };
 
-    return (JSContainerConvertor::Task){ object, [NSMutableDictionary dictionary], ContainerDictionary };
+    return { object, [NSMutableDictionary dictionary], ContainerDictionary };
 }
 
 static id containerValueToObject(JSGlobalContextRef context, JSContainerConvertor::Task task)
@@ -714,9 +774,8 @@ static id containerValueToObject(JSGlobalContextRef context, JSContainerConverto
             ASSERT([current.objc isKindOfClass:[NSMutableArray class]]);
             NSMutableArray *array = (NSMutableArray *)current.objc;
         
-            JSStringRef lengthString = JSStringCreateWithUTF8CString("length");
-            unsigned length = JSC::toUInt32(JSValueToNumber(context, JSObjectGetProperty(context, js, lengthString, 0), 0));
-            JSStringRelease(lengthString);
+            auto lengthString = OpaqueJSString::tryCreate("length"_s);
+            unsigned length = JSC::toUInt32(JSValueToNumber(context, JSObjectGetProperty(context, js, lengthString.get(), 0), 0));
 
             for (unsigned i = 0; i < length; ++i) {
                 id objc = convertor.convert(JSObjectGetPropertyAtIndex(context, js, i, 0));
@@ -734,7 +793,7 @@ static id containerValueToObject(JSGlobalContextRef context, JSContainerConverto
             for (size_t i = 0; i < length; ++i) {
                 JSStringRef propertyName = JSPropertyNameArrayGetNameAtIndex(propertyNameArray, i);
                 if (id objc = convertor.convert(JSObjectGetProperty(context, js, propertyName, 0)))
-                    dictionary[[(NSString *)JSStringCopyCFString(kCFAllocatorDefault, propertyName) autorelease]] = objc;
+                    dictionary[(__bridge NSString *)adoptCF(JSStringCopyCFString(kCFAllocatorDefault, propertyName)).get()] = objc;
             }
 
             JSPropertyNameArrayRelease(propertyNameArray);
@@ -776,15 +835,13 @@ id valueToString(JSGlobalContextRef context, JSValueRef value, JSValueRef* excep
             return wrapped;
     }
 
-    JSStringRef jsstring = JSValueToStringCopy(context, value, exception);
+    auto jsstring = adoptRef(JSValueToStringCopy(context, value, exception));
     if (*exception) {
         ASSERT(!jsstring);
         return nil;
     }
 
-    RetainPtr stringCF = adoptCF(JSStringCopyCFString(kCFAllocatorDefault, jsstring));
-    JSStringRelease(jsstring);
-    return (NSString *)stringCF.autorelease();
+    return CFBridgingRelease(JSStringCopyCFString(kCFAllocatorDefault, jsstring.get()));
 }
 
 id valueToDate(JSGlobalContextRef context, JSValueRef value, JSValueRef* exception)
@@ -808,11 +865,11 @@ id valueToArray(JSGlobalContextRef context, JSValueRef value, JSValueRef* except
     }
 
     if (JSValueIsObject(context, value))
-        return containerValueToObject(context, (JSContainerConvertor::Task){ value, [NSMutableArray array], ContainerArray});
+        return containerValueToObject(context, { value, [NSMutableArray array], ContainerArray});
 
     JSC::JSLockHolder locker(toJS(context));
     if (!(JSValueIsNull(context, value) || JSValueIsUndefined(context, value))) {
-        JSC::JSObject* exceptionObject = JSC::createTypeError(toJS(context), ASCIILiteral("Cannot convert primitive to NSArray"));
+        JSC::JSObject* exceptionObject = JSC::createTypeError(toJS(context), "Cannot convert primitive to NSArray"_s);
         *exception = toRef(exceptionObject);
 #if ENABLE(REMOTE_INSPECTOR)
         reportExceptionToInspector(context, exceptionObject);
@@ -830,11 +887,11 @@ id valueToDictionary(JSGlobalContextRef context, JSValueRef value, JSValueRef* e
     }
 
     if (JSValueIsObject(context, value))
-        return containerValueToObject(context, (JSContainerConvertor::Task){ value, [NSMutableDictionary dictionary], ContainerDictionary});
+        return containerValueToObject(context, { value, [NSMutableDictionary dictionary], ContainerDictionary});
 
     JSC::JSLockHolder locker(toJS(context));
     if (!(JSValueIsNull(context, value) || JSValueIsUndefined(context, value))) {
-        JSC::JSObject* exceptionObject = JSC::createTypeError(toJS(context), ASCIILiteral("Cannot convert primitive to NSDictionary"));
+        JSC::JSObject* exceptionObject = JSC::createTypeError(toJS(context), "Cannot convert primitive to NSDictionary"_s);
         *exception = toRef(exceptionObject);
 #if ENABLE(REMOTE_INSPECTOR)
         reportExceptionToInspector(context, exceptionObject);
@@ -863,7 +920,7 @@ public:
 
 private:
     JSContext *m_context;
-    HashMap m_objectMap;
+    HashMap<__unsafe_unretained id, JSValueRef> m_objectMap;
     Vector m_worklist;
     Vector> m_jsValues;
 };
@@ -911,49 +968,47 @@ static ObjcContainerConvertor::Task objectToValueWithoutCopy(JSContext *context,
     JSGlobalContextRef contextRef = [context JSGlobalContextRef];
 
     if (!object)
-        return (ObjcContainerConvertor::Task){ object, JSValueMakeUndefined(contextRef), ContainerNone };
+        return { object, JSValueMakeUndefined(contextRef), ContainerNone };
 
     if (!class_conformsToProtocol(object_getClass(object), getJSExportProtocol())) {
         if ([object isKindOfClass:[NSArray class]])
-            return (ObjcContainerConvertor::Task){ object, JSObjectMakeArray(contextRef, 0, NULL, 0), ContainerArray };
+            return { object, JSObjectMakeArray(contextRef, 0, NULL, 0), ContainerArray };
 
         if ([object isKindOfClass:[NSDictionary class]])
-            return (ObjcContainerConvertor::Task){ object, JSObjectMake(contextRef, 0, 0), ContainerDictionary };
+            return { object, JSObjectMake(contextRef, 0, 0), ContainerDictionary };
 
         if ([object isKindOfClass:[NSNull class]])
-            return (ObjcContainerConvertor::Task){ object, JSValueMakeNull(contextRef), ContainerNone };
+            return { object, JSValueMakeNull(contextRef), ContainerNone };
 
         if ([object isKindOfClass:[JSValue class]])
-            return (ObjcContainerConvertor::Task){ object, ((JSValue *)object)->m_value, ContainerNone };
+            return { object, ((JSValue *)object)->m_value, ContainerNone };
 
         if ([object isKindOfClass:[NSString class]]) {
-            JSStringRef string = JSStringCreateWithCFString((CFStringRef)object);
-            JSValueRef js = JSValueMakeString(contextRef, string);
-            JSStringRelease(string);
-            return (ObjcContainerConvertor::Task){ object, js, ContainerNone };
+            auto string = OpaqueJSString::tryCreate((NSString *)object);
+            return { object, JSValueMakeString(contextRef, string.get()), ContainerNone };
         }
 
         if ([object isKindOfClass:[NSNumber class]]) {
             if (isNSBoolean(object))
-                return (ObjcContainerConvertor::Task){ object, JSValueMakeBoolean(contextRef, [object boolValue]), ContainerNone };
-            return (ObjcContainerConvertor::Task){ object, JSValueMakeNumber(contextRef, [object doubleValue]), ContainerNone };
+                return { object, JSValueMakeBoolean(contextRef, [object boolValue]), ContainerNone };
+            return { object, JSValueMakeNumber(contextRef, [object doubleValue]), ContainerNone };
         }
 
         if ([object isKindOfClass:[NSDate class]]) {
             JSValueRef argument = JSValueMakeNumber(contextRef, [object timeIntervalSince1970] * 1000.0);
             JSObjectRef result = JSObjectMakeDate(contextRef, 1, &argument, 0);
-            return (ObjcContainerConvertor::Task){ object, result, ContainerNone };
+            return { object, result, ContainerNone };
         }
 
         if ([object isKindOfClass:[JSManagedValue class]]) {
             JSValue *value = [static_cast(object) value];
             if (!value)
-                return (ObjcContainerConvertor::Task) { object, JSValueMakeUndefined(contextRef), ContainerNone };
-            return (ObjcContainerConvertor::Task){ object, value->m_value, ContainerNone };
+                return  { object, JSValueMakeUndefined(contextRef), ContainerNone };
+            return { object, value->m_value, ContainerNone };
         }
     }
 
-    return (ObjcContainerConvertor::Task){ object, valueInternalValue([context wrapperForObjCObject:object]), ContainerNone };
+    return { object, valueInternalValue([context wrapperForObjCObject:object]), ContainerNone };
 }
 
 JSValueRef objectToValue(JSContext *context, id object)
@@ -986,13 +1041,11 @@ JSValueRef objectToValue(JSContext *context, id object)
             NSDictionary *dictionary = (NSDictionary *)current.objc;
             for (id key in [dictionary keyEnumerator]) {
                 if ([key isKindOfClass:[NSString class]]) {
-                    JSStringRef propertyName = JSStringCreateWithCFString((CFStringRef)key);
-                    JSObjectSetProperty(contextRef, js, propertyName, convertor.convert([dictionary objectForKey:key]), 0, 0);
-                    JSStringRelease(propertyName);
+                    auto propertyName = OpaqueJSString::tryCreate((NSString *)key);
+                    JSObjectSetProperty(contextRef, js, propertyName.get(), convertor.convert([dictionary objectForKey:key]), 0, 0);
                 }
             }
         }
-        
     } while (!convertor.isWorkListEmpty());
 
     return task.js;
@@ -1054,19 +1107,19 @@ static StructHandlers* createStructHandlerMap()
             return;
         char idType[3];
         // Check 2nd argument type is "@"
-        char* secondType = method_copyArgumentType(method, 3);
-        if (strcmp(secondType, "@") != 0) {
-            free(secondType);
-            return;
+        {
+            auto secondType = adoptSystem(method_copyArgumentType(method, 3));
+            if (strcmp(secondType.get(), "@") != 0)
+                return;
         }
-        free(secondType);
         // Check result type is also "@"
         method_getReturnType(method, idType, 3);
         if (strcmp(idType, "@") != 0)
             return;
-        char* type = method_copyArgumentType(method, 2);
-        structHandlers->add(StringImpl::create(type), (StructTagHandler){ selector, 0 });
-        free(type);
+        {
+            auto type = adoptSystem(method_copyArgumentType(method, 2));
+            structHandlers->add(StringImpl::create(type.get()), (StructTagHandler) { selector, 0 });
+        }
     });
 
     // Step 2: find all to instance methods in JSValue.
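Review bot: The rewritten `structHandlers->add(...)` line keeps the C-style compound literal `(StructTagHandler) { selector, 0 }`, while the objectToValue hunk earlier in this file drops exactly that cast form in favour of plain brace initialisation; for consistency write `structHandlers->add(StringImpl::create(type.get()), StructTagHandler { selector, 0 });`. Wrapping the `method_copy*` results in `adoptSystem` is the right way to pair them with `free()`, but `method_copyArgumentType` returns NULL when the index is out of range, so `strcmp(secondType.get(), "@")` still relies on the argument-count check that presumably sits above the `return;` at the top of the hunk. The enclosing block starts outside the hunk.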
@@ -1081,10 +1134,8 @@ static StructHandlers* createStructHandlerMap()
         if (method_getNumberOfArguments(method) != 2)
             return;
         // Try to find a matching valueWith:context: method.
-        char* type = method_copyReturnType(method);
-
-        StructHandlers::iterator iter = structHandlers->find(type);
-        free(type);
+        auto type = adoptSystem(method_copyReturnType(method));
+        StructHandlers::iterator iter = structHandlers->find(type.get());
         if (iter == structHandlers->end())
             return;
         StructTagHandler& handler = iter->value;
@@ -1117,7 +1168,7 @@ static StructHandlers* createStructHandlerMap()
 
 static StructTagHandler* handerForStructTag(const char* encodedType)
 {
-    static StaticLock handerForStructTagLock;
+    static Lock handerForStructTagLock;
     LockHolder lockHolder(&handerForStructTagLock);
 
     static StructHandlers* structHandlers = createStructHandlerMap();
@@ -1140,21 +1191,6 @@ static StructTagHandler* handerForStructTag(const char* encodedType)
     return handler ? handler->valueToTypeSEL : nil;
 }
 
-- (void)dealloc
-{
-    JSValueUnprotect([_context JSGlobalContextRef], m_value);
-    [_context release];
-    _context = nil;
-    [super dealloc];
-}
-
-- (NSString *)description
-{
-    if (id wrapped = tryUnwrapObjcObject([_context JSGlobalContextRef], m_value))
-        return [wrapped description];
-    return [self toString];
-}
-
 NSInvocation *typeToValueInvocationFor(const char* encodedType)
 {
     SEL selector = [JSValue selectorForStructToValue:encodedType];
diff --git a/API/JSValueInternal.h b/API/JSValueInternal.h
index 4f1a8f6..54b755e 100644
--- a/API/JSValueInternal.h
+++ b/API/JSValueInternal.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -26,8 +26,7 @@
 #ifndef JSValueInternal_h
 #define JSValueInternal_h
 
-#import 
-#import 
+#import 
 
 #if JSC_OBJC_API_ENABLED
 
diff --git a/include/JavaScriptCore/JavaScriptCore.h b/API/JSValuePrivate.h
similarity index 76%
rename from include/JavaScriptCore/JavaScriptCore.h
rename to API/JSValuePrivate.h
index b2fde1d..35d3d10 100644
--- a/include/JavaScriptCore/JavaScriptCore.h
+++ b/API/JSValuePrivate.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -20,23 +20,17 @@
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#ifndef JavaScriptCore_h
-#define JavaScriptCore_h
+#if JSC_OBJC_API_ENABLED
 
-#include 
-#include 
+#import 
 
-#if defined(__OBJC__) && JSC_OBJC_API_ENABLED
+@interface JSValue(JSPrivate)
 
-#import "JSContext.h"
-#import "JSValue.h"
-#import "JSManagedValue.h"
-#import "JSVirtualMachine.h"
-#import "JSExport.h"
+// Currently empty. May be used again in the future.
 
-#endif
+@end
 
-#endif /* JavaScriptCore_h */
+#endif // JSC_OBJC_API_ENABLED
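Review bot: The new `API/JSValuePrivate.h` has no include guard or `#pragma once`; its only conditional is `#if JSC_OBJC_API_ENABLED`, so a second inclusion redeclares the `JSValue(JSPrivate)` category and clang warns about a duplicate category definition. The neighbouring `JSValueInternal.h` guards itself with `#ifndef JSValueInternal_h`; add `#pragma once` above `#if JSC_OBJC_API_ENABLED` here, and the same applies to the new `API/JSVirtualMachinePrivate.h` later in this diff.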
diff --git a/API/JSValueRef.cpp b/API/JSValueRef.cpp
index 64ac6c3..2b39fbe 100644
--- a/API/JSValueRef.cpp
+++ b/API/JSValueRef.cpp
@@ -36,6 +36,7 @@
 #include "JSCallbackObject.h"
 #include "JSGlobalObject.h"
 #include "JSONObject.h"
+#include "JSObjectRefPrivate.h"
 #include "JSString.h"
 #include "LiteralParser.h"
 #include "Protect.h"
@@ -54,17 +55,6 @@
 
 using namespace JSC;
 
-#if PLATFORM(MAC)
-static bool evernoteHackNeeded()
-{
-    static const int32_t webkitLastVersionWithEvernoteHack = 35133959;
-    static bool hackNeeded = CFEqual(CFBundleGetIdentifier(CFBundleGetMainBundle()), CFSTR("com.evernote.Evernote"))
-        && NSVersionOfLinkTimeLibrary("JavaScriptCore") <= webkitLastVersionWithEvernoteHack;
-
-    return hackNeeded;
-}
-#endif
-
 ::JSType JSValueGetType(JSContextRef ctx, JSValueRef value)
 {
     if (!ctx) {
@@ -86,6 +76,8 @@ static bool evernoteHackNeeded()
         return kJSTypeNumber;
     if (jsValue.isString())
         return kJSTypeString;
+    if (jsValue.isSymbol())
+        return kJSTypeSymbol;
     ASSERT(jsValue.isObject());
     return kJSTypeObject;
 }
@@ -162,6 +154,18 @@ bool JSValueIsObject(JSContextRef ctx, JSValueRef value)
     return toJS(exec, value).isObject();
 }
 
+bool JSValueIsSymbol(JSContextRef ctx, JSValueRef value)
+{
+    if (!ctx) {
+        ASSERT_NOT_REACHED();
+        return false;
+    }
+    ExecState* exec = toJS(ctx);
+    JSLockHolder locker(exec);
+
+    return toJS(exec, value).isSymbol();
+}
+
 bool JSValueIsArray(JSContextRef ctx, JSValueRef value)
 {
     if (!ctx) {
@@ -172,7 +176,7 @@ bool JSValueIsArray(JSContextRef ctx, JSValueRef value)
     VM& vm = exec->vm();
     JSLockHolder locker(exec);
 
-    return toJS(exec, value).inherits(vm, JSArray::info());
+    return toJS(exec, value).inherits(vm);
 }
 
 bool JSValueIsDate(JSContextRef ctx, JSValueRef value)
@@ -185,7 +189,7 @@ bool JSValueIsDate(JSContextRef ctx, JSValueRef value)
     VM& vm = exec->vm();
     JSLockHolder locker(exec);
 
-    return toJS(exec, value).inherits(vm, DateInstance::info());
+    return toJS(exec, value).inherits(vm);
 }
 
 bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClassRef jsClass)
@@ -201,15 +205,15 @@ bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClassRef jsCla
     JSValue jsValue = toJS(exec, value);
     
     if (JSObject* o = jsValue.getObject()) {
-        if (o->inherits(vm, JSProxy::info()))
+        if (o->inherits(vm))
             o = jsCast(o)->target();
 
-        if (o->inherits(vm, JSCallbackObject::info()))
+        if (o->inherits>(vm))
             return jsCast*>(o)->inherits(jsClass);
-        if (o->inherits(vm, JSCallbackObject::info()))
+        if (o->inherits>(vm))
             return jsCast*>(o)->inherits(jsClass);
 #if JSC_OBJC_API_ENABLED
-        if (o->inherits(vm, JSCallbackObject::info()))
+        if (o->inherits>(vm))
             return jsCast*>(o)->inherits(jsClass);
 #endif
     }
@@ -223,13 +227,15 @@ bool JSValueIsEqual(JSContextRef ctx, JSValueRef a, JSValueRef b, JSValueRef* ex
         return false;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSValue jsA = toJS(exec, a);
     JSValue jsB = toJS(exec, b);
 
     bool result = JSValue::equal(exec, jsA, jsB); // false if an exception is thrown
-    handleExceptionIfNeeded(exec, exception);
+    handleExceptionIfNeeded(scope, exec, exception);
     
     return result;
 }
@@ -256,15 +262,17 @@ bool JSValueIsInstanceOfConstructor(JSContextRef ctx, JSValueRef value, JSObject
         return false;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSValue jsValue = toJS(exec, value);
 
     JSObject* jsConstructor = toJS(constructor);
-    if (!jsConstructor->structure()->typeInfo().implementsHasInstance())
+    if (!jsConstructor->structure(vm)->typeInfo().implementsHasInstance())
         return false;
     bool result = jsConstructor->hasInstance(exec, jsValue); // false if an exception is thrown
-    handleExceptionIfNeeded(exec, exception);
+    handleExceptionIfNeeded(scope, exec, exception);
     return result;
 }
 
@@ -316,6 +324,21 @@ JSValueRef JSValueMakeNumber(JSContextRef ctx, double value)
     return toRef(exec, jsNumber(purifyNaN(value)));
 }
 
+JSValueRef JSValueMakeSymbol(JSContextRef ctx, JSStringRef description)
+{
+    if (!ctx) {
+        ASSERT_NOT_REACHED();
+        return nullptr;
+    }
+    ExecState* exec = toJS(ctx);
+    VM& vm = exec->vm();
+    JSLockHolder locker(exec);
+
+    if (!description)
+        return toRef(exec, Symbol::create(vm));
+    return toRef(exec, Symbol::createWithDescription(vm, description->string()));
+}
+
 JSValueRef JSValueMakeString(JSContextRef ctx, JSStringRef string)
 {
     if (!ctx) {
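Review bot: `JSValueMakeSymbol` declares `VM& vm = exec->vm();` and then locks with `JSLockHolder locker(exec);`, whereas every other function this commit touches in JSValueRef.cpp (JSValueIsEqual, JSValueToNumber, JSValueToObject, …) now writes `JSLockHolder locker(vm);`; use the same form here. It is also the only function in this file returning `nullptr` for a NULL ctx while its siblings return `0`; either is fine, but pick one. The `if (!description)` branch makes a NULL description an accepted input, which deserves a comment such as `// A NULL description is allowed and produces a symbol without a description.`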
@@ -353,14 +376,17 @@ JSStringRef JSValueCreateJSONString(JSContextRef ctx, JSValueRef apiValue, unsig
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
     JSValue value = toJS(exec, apiValue);
     String result = JSONStringify(exec, value, indent);
     if (exception)
         *exception = 0;
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         return 0;
-    return OpaqueJSString::create(result).leakRef();
+    return OpaqueJSString::tryCreate(result).leakRef();
 }
 
 bool JSValueToBoolean(JSContextRef ctx, JSValueRef value)
@@ -383,12 +409,14 @@ double JSValueToNumber(JSContextRef ctx, JSValueRef value, JSValueRef* exception
         return PNaN;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSValue jsValue = toJS(exec, value);
 
     double number = jsValue.toNumber(exec);
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         number = PNaN;
     return number;
 }
@@ -400,12 +428,14 @@ JSStringRef JSValueToStringCopy(JSContextRef ctx, JSValueRef value, JSValueRef*
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSValue jsValue = toJS(exec, value);
     
-    auto stringRef(OpaqueJSString::create(jsValue.toWTFString(exec)));
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    auto stringRef(OpaqueJSString::tryCreate(jsValue.toWTFString(exec)));
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         stringRef = nullptr;
     return stringRef.leakRef();
 }
@@ -417,12 +447,14 @@ JSObjectRef JSValueToObject(JSContextRef ctx, JSValueRef value, JSValueRef* exce
         return 0;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
 
     JSValue jsValue = toJS(exec, value);
     
     JSObjectRef objectRef = toRef(jsValue.toObject(exec));
-    if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow)
+    if (handleExceptionIfNeeded(scope, exec, exception) == ExceptionStatus::DidThrow)
         objectRef = 0;
     return objectRef;
 }
@@ -442,11 +474,6 @@ void JSValueProtect(JSContextRef ctx, JSValueRef value)
 
 void JSValueUnprotect(JSContextRef ctx, JSValueRef value)
 {
-#if PLATFORM(MAC)
-    if ((!value || !ctx) && evernoteHackNeeded())
-        return;
-#endif
-
     ExecState* exec = toJS(ctx);
     JSLockHolder locker(exec);
 
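Review bot: With the Evernote early-return gone, `JSValueUnprotect` reaches `toJS(ctx)` and the `JSLockHolder` with no NULL check on `ctx`, whereas the other entry points this commit adds or touches in this file (`JSValueGetType`, `JSValueIsSymbol`, `JSValueMakeSymbol`) begin with `if (!ctx) { ASSERT_NOT_REACHED(); return; }`. The removed hack existed because at least one real caller passed NULL for `ctx` or `value`, so the dereference is not hypothetical. Add the same guard before `ExecState* exec = toJS(ctx);`; the rest of the function body lies outside the hunk.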
diff --git a/API/JSValueRef.h b/API/JSValueRef.h
index 9815de7..911b4bf 100644
--- a/API/JSValueRef.h
+++ b/API/JSValueRef.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006 Apple Inc.  All rights reserved.
+ * Copyright (C) 2006-2019 Apple Inc.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -42,6 +42,7 @@
 @constant     kJSTypeNumber     A primitive number value.
 @constant     kJSTypeString     A primitive string value.
 @constant     kJSTypeObject     An object value (meaning that this JSValueRef is a JSObjectRef).
+@constant     kJSTypeSymbol     A primitive symbol value.
 */
 typedef enum {
     kJSTypeUndefined,
@@ -49,7 +50,8 @@ typedef enum {
     kJSTypeBoolean,
     kJSTypeNumber,
     kJSTypeString,
-    kJSTypeObject
+    kJSTypeObject,
+    kJSTypeSymbol JSC_API_AVAILABLE(macos(10.15), ios(13.0))
 } JSType;
 
 /*!
@@ -80,7 +82,7 @@ typedef enum {
     kJSTypedArrayTypeFloat64Array,
     kJSTypedArrayTypeArrayBuffer,
     kJSTypedArrayTypeNone,
-} JSTypedArrayType CF_ENUM_AVAILABLE(10_12, 10_0);
+} JSTypedArrayType JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 #ifdef __cplusplus
 extern "C" {
@@ -140,6 +142,15 @@ JS_EXPORT bool JSValueIsNumber(JSContextRef ctx, JSValueRef value);
 */
 JS_EXPORT bool JSValueIsString(JSContextRef ctx, JSValueRef value);
 
+/*!
+@function
+@abstract       Tests whether a JavaScript value's type is the symbol type.
+@param ctx      The execution context to use.
+@param value    The JSValue to test.
+@result         true if value's type is the symbol type, otherwise false.
+*/
+JS_EXPORT bool JSValueIsSymbol(JSContextRef ctx, JSValueRef value) JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
 /*!
 @function
 @abstract       Tests whether a JavaScript value's type is the object type.
@@ -149,6 +160,7 @@ JS_EXPORT bool JSValueIsString(JSContextRef ctx, JSValueRef value);
 */
 JS_EXPORT bool JSValueIsObject(JSContextRef ctx, JSValueRef value);
 
+
 /*!
 @function
 @abstract Tests whether a JavaScript value is an object with a given class in its class chain.
@@ -166,7 +178,7 @@ JS_EXPORT bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClas
 @param value    The JSValue to test.
 @result         true if value is an array, otherwise false.
 */
-JS_EXPORT bool JSValueIsArray(JSContextRef ctx, JSValueRef value) CF_AVAILABLE(10_11, 9_0);
+JS_EXPORT bool JSValueIsArray(JSContextRef ctx, JSValueRef value) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
 
 /*!
 @function
@@ -175,7 +187,7 @@ JS_EXPORT bool JSValueIsArray(JSContextRef ctx, JSValueRef value) CF_AVAILABLE(1
 @param value    The JSValue to test.
 @result         true if value is a date, otherwise false.
 */
-JS_EXPORT bool JSValueIsDate(JSContextRef ctx, JSValueRef value) CF_AVAILABLE(10_11, 9_0);
+JS_EXPORT bool JSValueIsDate(JSContextRef ctx, JSValueRef value) JSC_API_AVAILABLE(macos(10.11), ios(9.0));
 
 /*!
 @function
@@ -185,7 +197,7 @@ JS_EXPORT bool JSValueIsDate(JSContextRef ctx, JSValueRef value) CF_AVAILABLE(10
 @param exception    A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
 @result             A value of type JSTypedArrayType that identifies value's Typed Array type, or kJSTypedArrayTypeNone if the value is not a Typed Array object.
  */
-JS_EXPORT JSTypedArrayType JSValueGetTypedArrayType(JSContextRef ctx, JSValueRef value, JSValueRef* exception) CF_AVAILABLE(10_12, 10_0);
+JS_EXPORT JSTypedArrayType JSValueGetTypedArrayType(JSContextRef ctx, JSValueRef value, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.12), ios(10.0));
 
 /* Comparing values */
 
@@ -267,6 +279,15 @@ JS_EXPORT JSValueRef JSValueMakeNumber(JSContextRef ctx, double number);
 */
 JS_EXPORT JSValueRef JSValueMakeString(JSContextRef ctx, JSStringRef string);
 
+/*!
+ @function
+ @abstract            Creates a JavaScript value of the symbol type.
+ @param ctx           The execution context to use.
+ @param description   A description of the newly created symbol value.
+ @result              A unique JSValue of the symbol type, whose description matches the one provided.
+ */
+JS_EXPORT JSValueRef JSValueMakeSymbol(JSContextRef ctx, JSStringRef description) JSC_API_AVAILABLE(macos(10.15), ios(13.0));
+
 /* Converting to and from JSON formatted strings */
 
 /*!
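Review bot: The `@param description` line for `JSValueMakeSymbol` does not say that NULL is accepted, although the implementation in JSValueRef.cpp takes a `!description` branch and creates a symbol with no description, so readers of the header will assume the argument is required. Suggest `@param description   A description of the newly created symbol value. May be NULL, in which case the symbol has no description.` and adjusting `@result` so it does not promise a description that "matches the one provided" in that case.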
@@ -276,7 +297,7 @@ JS_EXPORT JSValueRef JSValueMakeString(JSContextRef ctx, JSStringRef string);
  @param string   The JSString containing the JSON string to be parsed.
  @result         A JSValue containing the parsed value, or NULL if the input is invalid.
  */
-JS_EXPORT JSValueRef JSValueMakeFromJSONString(JSContextRef ctx, JSStringRef string) CF_AVAILABLE(10_7, 7_0);
+JS_EXPORT JSValueRef JSValueMakeFromJSONString(JSContextRef ctx, JSStringRef string) JSC_API_AVAILABLE(macos(10.7), ios(7.0));
 
 /*!
  @function
@@ -287,7 +308,7 @@ JS_EXPORT JSValueRef JSValueMakeFromJSONString(JSContextRef ctx, JSStringRef str
  @param exception A pointer to a JSValueRef in which to store an exception, if any. Pass NULL if you do not care to store an exception.
  @result         A JSString with the result of serialization, or NULL if an exception is thrown.
  */
-JS_EXPORT JSStringRef JSValueCreateJSONString(JSContextRef ctx, JSValueRef value, unsigned indent, JSValueRef* exception) CF_AVAILABLE(10_7, 7_0);
+JS_EXPORT JSStringRef JSValueCreateJSONString(JSContextRef ctx, JSValueRef value, unsigned indent, JSValueRef* exception) JSC_API_AVAILABLE(macos(10.7), ios(7.0));
 
 /* Converting to primitive values */
 
diff --git a/API/JSVirtualMachine.h b/API/JSVirtualMachine.h
index ccf9264..e9c75da 100644
--- a/API/JSVirtualMachine.h
+++ b/API/JSVirtualMachine.h
@@ -33,6 +33,11 @@
  or set of execution resources. Thread safety is supported by locking the
  virtual machine, with concurrent JavaScript execution supported by allocating
  separate instances of JSVirtualMachine.
+
+ A virtual machine may need to run deferred tasks on a run loop, such as garbage collection
+ or resolving WebAssembly compilations. By default, a virtual machine will use the run loop
+ of the thread it was initialized on. Currently, there is no API to change a
+ JSVirtualMachine's run loop once it has been initialized.
 */
 NS_CLASS_AVAILABLE(10_9, 7_0)
 @interface JSVirtualMachine : NSObject
diff --git a/API/JSVirtualMachine.mm b/API/JSVirtualMachine.mm
index 5145ad9..d1b6b94 100644
--- a/API/JSVirtualMachine.mm
+++ b/API/JSVirtualMachine.mm
@@ -30,19 +30,20 @@
 #if JSC_OBJC_API_ENABLED
 
 #import "APICast.h"
+#import "DFGWorklist.h"
 #import "JSManagedValueInternal.h"
-#import "JSVirtualMachine.h"
 #import "JSVirtualMachineInternal.h"
+#import "JSVirtualMachinePrivate.h"
 #import "JSWrapperMap.h"
 #import "SigillCrashAnalyzer.h"
 #import "SlotVisitorInlines.h"
 #import 
+#import 
 #import 
-#import 
 
 static NSMapTable *globalWrapperCache = 0;
 
-static StaticLock wrapperCacheMutex;
+static Lock wrapperCacheMutex;
 
 static void initWrapperCache()
 {
@@ -68,14 +69,14 @@ static NSMapTable *wrapperCache()
 
 + (void)addWrapper:(JSVirtualMachine *)wrapper forJSContextGroupRef:(JSContextGroupRef)group
 {
-    std::lock_guard lock(wrapperCacheMutex);
-    NSMapInsert(wrapperCache(), group, wrapper);
+    std::lock_guard lock(wrapperCacheMutex);
+    NSMapInsert(wrapperCache(), group, (__bridge void*)wrapper);
 }
 
 + (JSVirtualMachine *)wrapperForJSContextGroupRef:(JSContextGroupRef)group
 {
-    std::lock_guard lock(wrapperCacheMutex);
-    return static_cast(NSMapGet(wrapperCache(), group));
+    std::lock_guard lock(wrapperCacheMutex);
+    return (__bridge JSVirtualMachine *)NSMapGet(wrapperCache(), group);
 }
 
 @end
@@ -153,7 +154,7 @@ static id getInternalObjcObject(id object)
 - (bool)isOldExternalObject:(id)object
 {
     JSC::VM* vm = toJS(m_group);
-    return vm->heap.collectorSlotVisitor().containsOpaqueRoot(object);
+    return vm->heap.collectorSlotVisitor().containsOpaqueRoot((__bridge void*)object);
 }
 
 - (void)addExternalRememberedObject:(id)object
@@ -186,11 +187,10 @@ static id getInternalObjcObject(id object)
         ownedObjects = [[NSMapTable alloc] initWithKeyOptions:weakIDOptions valueOptions:integerOptions capacity:1];
 
         [m_externalObjectGraph setObject:ownedObjects forKey:owner];
-        [ownedObjects release];
     }
 
-    size_t count = reinterpret_cast(NSMapGet(ownedObjects, object));
-    NSMapInsert(ownedObjects, object, reinterpret_cast(count + 1));
+    size_t count = reinterpret_cast(NSMapGet(ownedObjects, (__bridge void*)object));
+    NSMapInsert(ownedObjects, (__bridge void*)object, reinterpret_cast(count + 1));
 }
 
 - (void)removeManagedReference:(id)object withOwner:(id)owner
@@ -211,14 +211,14 @@ static id getInternalObjcObject(id object)
     if (!ownedObjects)
         return;
    
-    size_t count = reinterpret_cast(NSMapGet(ownedObjects, object));
+    size_t count = reinterpret_cast(NSMapGet(ownedObjects, (__bridge void*)object));
     if (count > 1) {
-        NSMapInsert(ownedObjects, object, reinterpret_cast(count - 1));
+        NSMapInsert(ownedObjects, (__bridge void*)object, reinterpret_cast(count - 1));
         return;
     }
     
     if (count == 1)
-        NSMapRemove(ownedObjects, object);
+        NSMapRemove(ownedObjects, (__bridge void*)object);
 
     if (![ownedObjects count]) {
         [m_externalObjectGraph removeObjectForKey:owner];
@@ -245,12 +245,12 @@ JSContextGroupRef getGroupFromVirtualMachine(JSVirtualMachine *virtualMachine)
 
 - (JSContext *)contextForGlobalContextRef:(JSGlobalContextRef)globalContext
 {
-    return static_cast(NSMapGet(m_contextCache, globalContext));
+    return (__bridge JSContext *)NSMapGet(m_contextCache, globalContext);
 }
 
 - (void)addContext:(JSContext *)wrapper forGlobalContextRef:(JSGlobalContextRef)globalContext
 {
-    NSMapInsert(m_contextCache, globalContext, wrapper);
+    NSMapInsert(m_contextCache, globalContext, (__bridge void*)wrapper);
 }
 
 - (Lock&)externalDataMutex
@@ -268,6 +268,50 @@ JSContextGroupRef getGroupFromVirtualMachine(JSVirtualMachine *virtualMachine)
     return m_externalRememberedSet;
 }
 
+- (void)shrinkFootprintWhenIdle
+{
+    JSC::VM* vm = toJS(m_group);
+    JSC::JSLockHolder locker(vm);
+    vm->shrinkFootprintWhenIdle();
+}
+
+#if ENABLE(DFG_JIT)
+
++ (NSUInteger)setNumberOfDFGCompilerThreads:(NSUInteger)numberOfThreads
+{
+    JSC::DFG::Worklist* worklist = JSC::DFG::existingGlobalDFGWorklistOrNull();
+    if (worklist)
+        return worklist->setNumberOfThreads(numberOfThreads, JSC::Options::priorityDeltaOfDFGCompilerThreads());
+    else
+        return JSC::DFG::setNumberOfDFGCompilerThreads(numberOfThreads);
+}
+
++ (NSUInteger)setNumberOfFTLCompilerThreads:(NSUInteger)numberOfThreads
+{
+    JSC::DFG::Worklist* worklist = JSC::DFG::existingGlobalFTLWorklistOrNull();
+    if (worklist)
+        return worklist->setNumberOfThreads(numberOfThreads, JSC::Options::priorityDeltaOfFTLCompilerThreads());
+    else
+        return JSC::DFG::setNumberOfFTLCompilerThreads(numberOfThreads);
+}
+
+#endif // ENABLE(DFG_JIT)
+
+- (JSC::VM&)vm
+{
+    return *toJS(m_group);
+}
+
+- (BOOL)isWebThreadAware
+{
+    return [self vm].apiLock().isWebThreadAware();
+}
+
++ (void)setCrashOnVMCreation:(BOOL)shouldCrash
+{
+    JSC::VM::setCrashOnVMCreation(shouldCrash);
+}
+
 @end
 
 static void scanExternalObjectGraph(JSC::VM& vm, JSC::SlotVisitor& visitor, void* root, bool lockAcquired)
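Review bot: Both `setNumberOfDFGCompilerThreads:` and `setNumberOfFTLCompilerThreads:` use `else` after a `return`, which WebKit style avoids; drop the `else` and let `return JSC::DFG::setNumberOfDFGCompilerThreads(numberOfThreads);` follow the `if` directly (same for the FTL variant). The two methods are otherwise identical apart from the worklist accessor and the priority-delta option, so a one-line comment on each noting that the pre-initialization path only updates the Options value would help, since that behaviour is not visible from the call alone.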
@@ -283,14 +327,13 @@ static void scanExternalObjectGraph(JSC::VM& vm, JSC::SlotVisitor& visitor, void
         while (!stack.isEmpty()) {
             void* nextRoot = stack.last();
             stack.removeLast();
-            if (visitor.containsOpaqueRootTriState(nextRoot) == TrueTriState)
+            if (!visitor.addOpaqueRoot(nextRoot))
                 continue;
-            visitor.addOpaqueRoot(nextRoot);
 
             auto appendOwnedObjects = [&] {
-                NSMapTable *ownedObjects = [externalObjectGraph objectForKey:static_cast(nextRoot)];
+                NSMapTable *ownedObjects = [externalObjectGraph objectForKey:(__bridge id)nextRoot];
                 for (id ownedObject in ownedObjects)
-                    stack.append(static_cast(ownedObject));
+                    stack.append((__bridge void*)ownedObject);
             };
 
             if (lockAcquired)
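Review bot: The new `if (!visitor.addOpaqueRoot(nextRoot)) continue;` folds the "already seen" test into the insertion, so correctness now depends on `addOpaqueRoot` returning false for a root that is already present, and that contract is not visible in this hunk. A short comment would keep the next reader from reintroducing the separate check: `// addOpaqueRoot() is expected to return false when nextRoot was already recorded; skip it rather than rescan.` — please confirm the return value means exactly that. The enclosing scanExternalObjectGraph starts before this hunk.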
@@ -323,12 +366,10 @@ void scanExternalRememberedSet(JSC::VM& vm, JSC::SlotVisitor& visitor)
             NSMapTable *ownedObjects = [externalObjectGraph objectForKey:key];
             bool lockAcquired = true;
             for (id ownedObject in ownedObjects)
-                scanExternalObjectGraph(vm, visitor, ownedObject, lockAcquired);
+                scanExternalObjectGraph(vm, visitor, (__bridge void*)ownedObject, lockAcquired);
         }
         [externalRememberedSet removeAllObjects];
     }
-
-    visitor.mergeIfNecessary();
 }
 
 #endif // JSC_OBJC_API_ENABLED
diff --git a/API/JSVirtualMachineInternal.h b/API/JSVirtualMachineInternal.h
index 5ca9a7f..b533482 100644
--- a/API/JSVirtualMachineInternal.h
+++ b/API/JSVirtualMachineInternal.h
@@ -46,8 +46,12 @@ JSContextGroupRef getGroupFromVirtualMachine(JSVirtualMachine *);
 
 - (JSContext *)contextForGlobalContextRef:(JSGlobalContextRef)globalContext;
 - (void)addContext:(JSContext *)wrapper forGlobalContextRef:(JSGlobalContextRef)globalContext;
+- (JSC::VM&)vm;
+
+- (BOOL)isWebThreadAware;
 
 @end
+
 #endif // defined(__OBJC__)
 
 void scanExternalObjectGraph(JSC::VM&, JSC::SlotVisitor&, void* root);
diff --git a/API/JSVirtualMachinePrivate.h b/API/JSVirtualMachinePrivate.h
new file mode 100644
index 0000000..950afc7
--- /dev/null
+++ b/API/JSVirtualMachinePrivate.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "JSExportMacros.h"
+#include 
+
+#if JSC_OBJC_API_ENABLED
+
+#import 
+
+@interface JSVirtualMachine(JSPrivate)
+
+/*!
+@method
+@discussion Shrinks the memory footprint of the VM by deleting various internal caches,
+ running synchronous garbage collection, and releasing memory back to the OS. Note: this
+ API waits until no JavaScript is running on the stack before it frees any memory. It's
+ best to call this API when no JavaScript is running on the stack for this reason. However, if
+ you do call this API when JavaScript is running on the stack, the API will wait until all JavaScript
+ on the stack finishes running to free memory back to the OS. Therefore, calling this
+ API may not synchronously free memory.
+*/
+
+- (void)shrinkFootprintWhenIdle JSC_API_AVAILABLE(macos(10.14), ios(12.0));
+
+#if ENABLE(DFG_JIT)
+
+/*!
+@method
+@abstract Set the number of threads to be used by the DFG JIT compiler.
+@discussion If called after the VM has been initialized, it will terminate
+ threads until it meets the new limit or create new threads accordingly if the
+ new limit is higher than the previous limit. If called before initialization,
+ the Options value for the number of DFG threads will be updated to ensure the
+ DFG compiler already starts with the up-to-date limit.
+@param numberOfThreads The number of threads the DFG compiler should use going forward
+@result The previous number of threads being used by the DFG compiler
+*/
++ (NSUInteger)setNumberOfDFGCompilerThreads:(NSUInteger)numberOfThreads JSC_API_AVAILABLE(macos(10.14), ios(12.0));
+
+/*!
+@method
+@abstract Set the number of threads to be used by the FTL JIT compiler.
+@discussion If called after the VM has been initialized, it will terminate
+ threads until it meets the new limit or create new threads accordingly if the
+ new limit is higher than the previous limit. If called before initialization,
+ the Options value for the number of FTL threads will be updated to ensure the
+ FTL compiler already starts with the up-to-date limit.
+@param numberOfThreads The number of threads the FTL compiler should use going forward
+@result The previous number of threads being used by the FTL compiler
+*/
++ (NSUInteger)setNumberOfFTLCompilerThreads:(NSUInteger)numberOfThreads JSC_API_AVAILABLE(macos(10.14), ios(12.0));
+
+/*!
+@method
+@abstract Allows embedders of JSC to specify that JSC should crash the process if a VM is created when unexpected.
+@param shouldCrash Sets process-wide state that indicates whether VM creation should crash or not.
+*/
++ (void)setCrashOnVMCreation:(BOOL)shouldCrash;
+
+#endif // ENABLE(DFG_JIT)
+
+@end
+
+#endif // JSC_OBJC_API_ENABLED
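Review bot: `+ (void)setCrashOnVMCreation:` is declared inside the `#if ENABLE(DFG_JIT)` block (the `#endif // ENABLE(DFG_JIT)` comes after it), but its implementation in JSVirtualMachine.mm sits after that file's `#endif // ENABLE(DFG_JIT)`, so in a build without the DFG the method exists yet is not declared in this category and embedders cannot call it through this header; move `#endif // ENABLE(DFG_JIT)` to just above the `setCrashOnVMCreation:` doc block. That method is also the only one here without a `JSC_API_AVAILABLE(...)` annotation, unlike `shrinkFootprintWhenIdle` and the two thread-count setters. Finally, the file has no `#pragma once` or include guard, unlike the other headers in API/.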
diff --git a/API/JSWeakObjectMapRefPrivate.cpp b/API/JSWeakObjectMapRefPrivate.cpp
index 28cf244..c6b396d 100644
--- a/API/JSWeakObjectMapRefPrivate.cpp
+++ b/API/JSWeakObjectMapRefPrivate.cpp
@@ -34,7 +34,6 @@
 #include "Weak.h"
 #include "WeakGCMapInlines.h"
 
-using namespace WTF;
 using namespace JSC;
 
 #ifdef __cplusplus
@@ -44,10 +43,11 @@ extern "C" {
 JSWeakObjectMapRef JSWeakObjectMapCreate(JSContextRef context, void* privateData, JSWeakMapDestroyedCallback callback)
 {
     ExecState* exec = toJS(context);
-    JSLockHolder locker(exec);
-    RefPtr map = OpaqueJSWeakObjectMap::create(exec->vm(), privateData, callback);
-    exec->lexicalGlobalObject()->registerWeakMap(map.get());
-    return map.get();
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto map = OpaqueJSWeakObjectMap::create(vm, privateData, callback);
+    exec->lexicalGlobalObject()->registerWeakMap(map.ptr());
+    return map.ptr();
 }
 
 void JSWeakObjectMapSet(JSContextRef ctx, JSWeakObjectMapRef map, void* key, JSObjectRef object)
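Review bot: `JSWeakObjectMapCreate` still dereferences `context` with no NULL check, while its sibling `JSWeakObjectMapSet` in the next hunk starts with a guard that returns early (the `return; }` at its top, presumably a `!ctx` test); add `if (!context) { ASSERT_NOT_REACHED(); return nullptr; }` before `ExecState* exec = toJS(context);` to match. Since the `Ref` from `OpaqueJSWeakObjectMap::create` dies at the end of the function, the returned `map.ptr()` is only valid if `registerWeakMap` keeps a reference; a comment such as `// The global object keeps the map alive; the returned pointer is non-owning.` would make that explicit — confirm registerWeakMap does retain.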
@@ -57,13 +57,14 @@ void JSWeakObjectMapSet(JSContextRef ctx, JSWeakObjectMapRef map, void* key, JSO
         return;
     }
     ExecState* exec = toJS(ctx);
-    JSLockHolder locker(exec);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
     JSObject* obj = toJS(object);
     if (!obj)
         return;
-    ASSERT(obj->inherits(exec->vm(), JSProxy::info())
-        || obj->inherits(exec->vm(), JSCallbackObject::info())
-        || obj->inherits(exec->vm(), JSCallbackObject::info()));
+    ASSERT(obj->inherits(vm)
+        || obj->inherits>(vm)
+        || obj->inherits>(vm));
     map->map().set(key, obj);
 }
 
diff --git a/API/JSWeakValue.cpp b/API/JSWeakValue.cpp
new file mode 100644
index 0000000..77fcac6
--- /dev/null
+++ b/API/JSWeakValue.cpp
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2013, 2016 Apple Inc.  All rights reserved.
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSWeakValue.h"
+
+#include "JSCInlines.h"
+#include "WeakHandleOwner.h"
+
+namespace JSC {
+
+JSWeakValue::~JSWeakValue()
+{
+    clear();
+}
+
+void JSWeakValue::clear()
+{
+    switch (m_tag) {
+    case WeakTypeTag::NotSet:
+        return;
+    case WeakTypeTag::Primitive:
+        m_value.primitive = JSValue();
+        return;
+    case WeakTypeTag::Object:
+        m_value.object.clear();
+        return;
+    case WeakTypeTag::String:
+        m_value.string.clear();
+        return;
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
+bool JSWeakValue::isClear() const
+{
+    switch (m_tag) {
+    case WeakTypeTag::NotSet:
+        return true;
+    case WeakTypeTag::Primitive:
+        return !m_value.primitive;
+    case WeakTypeTag::Object:
+        return !m_value.object;
+    case WeakTypeTag::String:
+        return !m_value.string;
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
+void JSWeakValue::setPrimitive(JSValue primitive)
+{
+    ASSERT(!isSet());
+    ASSERT(!m_value.primitive);
+    ASSERT(primitive.isPrimitive());
+    m_tag = WeakTypeTag::Primitive;
+    m_value.primitive = primitive;
+}
+
+void JSWeakValue::setObject(JSObject* object, WeakHandleOwner& owner, void* context)
+{
+    ASSERT(!isSet());
+    ASSERT(!m_value.object);
+    m_tag = WeakTypeTag::Object;
+    Weak weak(object, &owner, context);
+    m_value.object.swap(weak);
+}
+
+void JSWeakValue::setString(JSString* string, WeakHandleOwner& owner, void* context)
+{
+    ASSERT(!isSet());
+    ASSERT(!m_value.string);
+    m_tag = WeakTypeTag::String;
+    Weak weak(string, &owner, context);
+    m_value.string.swap(weak);
+}
+
+} // namespace JSC
diff --git a/API/JSWeakValue.h b/API/JSWeakValue.h
new file mode 100644
index 0000000..177ef41
--- /dev/null
+++ b/API/JSWeakValue.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2013, 2016 Apple Inc.  All rights reserved.
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "JSCJSValue.h"
+#include "Weak.h"
+
+namespace JSC {
+
+class JSObject;
+class JSString;
+class WeakHandleOwner;
+
+class JSWeakValue {
+public:
+    JSWeakValue() = default;
+    ~JSWeakValue();
+
+    void clear();
+    bool isClear() const;
+
+    bool isSet() const { return m_tag != WeakTypeTag::NotSet; }
+    bool isPrimitive() const { return m_tag == WeakTypeTag::Primitive; }
+    bool isObject() const { return m_tag == WeakTypeTag::Object; }
+    bool isString() const { return m_tag == WeakTypeTag::String; }
+
+    void setPrimitive(JSValue);
+    void setObject(JSObject*, WeakHandleOwner&, void* context);
+    void setString(JSString*, WeakHandleOwner&, void* context);
+
+    JSObject* object() const
+    {
+        ASSERT(isObject());
+        return m_value.object.get();
+    }
+
+    JSValue primitive() const
+    {
+        ASSERT(isPrimitive());
+        return m_value.primitive;
+    }
+
+    JSString* string() const
+    {
+        ASSERT(isString());
+        return m_value.string.get();
+    }
+
+private:
+    enum class WeakTypeTag { NotSet, Primitive, Object, String };
+
+    WeakTypeTag m_tag { WeakTypeTag::NotSet };
+
+    union WeakValueUnion {
+        WeakValueUnion()
+            : primitive(JSValue())
+        {
+        }
+
+        ~WeakValueUnion()
+        {
+            ASSERT(!primitive);
+        }
+
+        JSValue primitive;
+        Weak object;
+        Weak string;
+    } m_value;
+};
+
+} // namespace JSC
diff --git a/API/JSWrapperMap.mm b/API/JSWrapperMap.mm
index ef78ef1..d469b75 100644
--- a/API/JSWrapperMap.mm
+++ b/API/JSWrapperMap.mm
@@ -28,6 +28,7 @@
 
 #if JSC_OBJC_API_ENABLED
 #import "APICast.h"
+#import "APIUtils.h"
 #import "JSAPIWrapperObject.h"
 #import "JSCInlines.h"
 #import "JSCallbackObject.h"
@@ -39,7 +40,6 @@
 #import "WeakGCMap.h"
 #import "WeakGCMapInlines.h"
 #import 
-#import 
 #import 
 
 #include 
@@ -47,7 +47,7 @@
 #if PLATFORM(APPLETV)
 #else
 static const int32_t firstJavaScriptCoreVersionWithInitConstructorSupport = 0x21A0400; // 538.4.0
-#if PLATFORM(IOS)
+#if PLATFORM(IOS_FAMILY)
 static const uint32_t firstSDKVersionWithInitConstructorSupport = DYLD_IOS_VERSION_10_0;
 #elif PLATFORM(MAC)
 static const uint32_t firstSDKVersionWithInitConstructorSupport = 0xA0A00; // OSX 10.10.0
@@ -62,6 +62,8 @@ static const uint32_t firstSDKVersionWithInitConstructorSupport = 0xA0A00; // OS
 
 @end
 
+static const constexpr unsigned InitialBufferSize { 256 };
+
 // Default conversion of selectors to property names.
 // All semicolons are removed, lowercase letters following a semicolon are capitalized.
 static NSString *selectorToPropertyName(const char* start)
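Review bot: `static const constexpr unsigned InitialBufferSize { 256 };` spells `const` twice — `constexpr` already implies it — so `static constexpr unsigned InitialBufferSize { 256 };` is the conventional form. A short comment naming its use would also help, since the constant is presumably the inline capacity of the `Vector` buffers introduced later in this file, which is not obvious at the declaration.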
@@ -75,10 +77,10 @@ static NSString *selectorToPropertyName(const char* start)
     size_t header = firstColon - start;
     // The new string needs to be long enough to hold 'header', plus the remainder of the string, excluding
     // at least one ':', but including a '\0'. (This is conservative if there are more than one ':').
-    char* buffer = static_cast(malloc(header + strlen(firstColon + 1) + 1));
+    Vector buffer(header + strlen(firstColon + 1) + 1);
     // Copy 'header' characters, set output to point to the end of this & input to point past the first ':'.
-    memcpy(buffer, start, header);
-    char* output = buffer + header;
+    memcpy(buffer.data(), start, header);
+    char* output = buffer.data() + header;
     const char* input = start + header + 1;
 
     // On entry to the loop, we have already skipped over a ':' from the input.
@@ -89,7 +91,7 @@ static NSString *selectorToPropertyName(const char* start)
         while ((c = *(input++)) == ':');
         // Copy the character, converting to upper case if necessary.
         // If the character we copy is '\0', then we're done!
-        if (!(*(output++) = toupper(c)))
+        if (!(*(output++) = toASCIIUpper(c)))
             goto done;
         // Loop over characters other than ':'.
         while ((c = *(input++)) != ':') {
@@ -101,31 +103,31 @@ static NSString *selectorToPropertyName(const char* start)
         // If we get here, we've consumed a ':' - wash, rinse, repeat.
     }
 done:
-    NSString *result = [NSString stringWithUTF8String:buffer];
-    free(buffer);
-    return result;
+    return [NSString stringWithUTF8String:buffer.data()];
 }
 
 static bool constructorHasInstance(JSContextRef ctx, JSObjectRef constructorRef, JSValueRef possibleInstance, JSValueRef*)
 {
     JSC::ExecState* exec = toJS(ctx);
-    JSC::JSLockHolder locker(exec);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
 
     JSC::JSObject* constructor = toJS(constructorRef);
     JSC::JSValue instance = toJS(exec, possibleInstance);
-    return JSC::JSObject::defaultHasInstance(exec, instance, constructor->get(exec, exec->propertyNames().prototype));
+    return JSC::JSObject::defaultHasInstance(exec, instance, constructor->get(exec, vm.propertyNames->prototype));
 }
 
 static JSC::JSObject* makeWrapper(JSContextRef ctx, JSClassRef jsClass, id wrappedObject)
 {
     JSC::ExecState* exec = toJS(ctx);
-    JSC::JSLockHolder locker(exec);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
 
     ASSERT(jsClass);
     JSC::JSCallbackObject* object = JSC::JSCallbackObject::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->objcWrapperObjectStructure(), jsClass, 0);
-    object->setWrappedObject(wrappedObject);
+    object->setWrappedObject((__bridge void*)wrappedObject);
     if (JSC::JSObject* prototype = jsClass->prototype(exec))
-        object->setPrototypeDirect(exec->vm(), prototype);
+        object->setPrototypeDirect(vm, prototype);
 
     return object;
 }
@@ -177,14 +179,31 @@ static NSMutableDictionary *createRenameMap(Protocol *protocol, BOOL isInstanceM
     return renameMap;
 }
 
-inline void putNonEnumerable(JSValue *base, NSString *propertyName, JSValue *value)
+inline void putNonEnumerable(JSContext *context, JSValue *base, NSString *propertyName, JSValue *value)
 {
-    [base defineProperty:propertyName descriptor:@{
-        JSPropertyDescriptorValueKey: value,
-        JSPropertyDescriptorWritableKey: @YES,
-        JSPropertyDescriptorEnumerableKey: @NO,
-        JSPropertyDescriptorConfigurableKey: @YES
-    }];
+    if (![base isObject])
+        return;
+    JSC::ExecState* exec = toJS([context JSGlobalContextRef]);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    JSC::JSObject* baseObject = JSC::asObject(toJS(exec, [base JSValueRef]));
+    auto name = OpaqueJSString::tryCreate(propertyName);
+    if (!name)
+        return;
+
+    JSC::PropertyDescriptor descriptor;
+    descriptor.setValue(toJS(exec, [value JSValueRef]));
+    descriptor.setEnumerable(false);
+    descriptor.setConfigurable(true);
+    descriptor.setWritable(true);
+    bool shouldThrow = false;
+    baseObject->methodTable(vm)->defineOwnProperty(baseObject, exec, name->identifier(&vm), descriptor, shouldThrow);
+
+    JSValueRef exception = 0;
+    if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow)
+        [context valueFromNotifyException:exception];
 }
 
 static bool isInitFamilyMethod(NSString *name)
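Review bot: The result of `defineOwnProperty` in `putNonEnumerable` is discarded and `shouldThrow` is `false`, so a define that fails without throwing (an existing non-configurable property, or a non-extensible `baseObject`) silently leaves the property unset while the exception path below only covers thrown errors. If a failure here is never expected, pin it with `bool didDefine = baseObject->methodTable(vm)->defineOwnProperty(baseObject, exec, name->identifier(&vm), descriptor, shouldThrow);` followed by `ASSERT_UNUSED(didDefine, didDefine);`; otherwise a comment saying the failure is intentionally ignored would do. Minor style: `JSValueRef exception = 0;` should be `nullptr` like the rest of the new code.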
@@ -249,30 +268,45 @@ static void copyMethodsToObject(JSContext *context, Class objcClass, Protocol *p
             name = renameMap[name];
             if (!name)
                 name = selectorToPropertyName(nameCStr);
-            if ([object hasProperty:name])
+            auto exec = toJS([context JSGlobalContextRef]);
+            JSValue *existingMethod = object[name];
+            // ObjCCallbackFunction does a dynamic lookup for the
+            // selector before calling the method. In order to save
+            // memory we only put one callback object in any givin
+            // prototype chain. However, to handle the client trying
+            // to override normal builtins e.g. "toString" we check if
+            // the existing value on the prototype chain is an ObjC
+            // callback already.
+            if ([existingMethod isObject] && JSC::jsDynamicCast(exec->vm(), toJS(exec, [existingMethod JSValueRef])))
                 return;
             JSObjectRef method = objCCallbackFunctionForMethod(context, objcClass, protocol, isInstanceMethod, sel, types);
             if (method)
-                putNonEnumerable(object, name, [JSValue valueWithJSValueRef:method inContext:context]);
+                putNonEnumerable(context, object, name, [JSValue valueWithJSValueRef:method inContext:context]);
         }
     });
 
     [renameMap release];
 }
 
-static bool parsePropertyAttributes(objc_property_t property, char*& getterName, char*& setterName)
+struct Property {
+    const char* name;
+    RetainPtr getterName;
+    RetainPtr setterName;
+};
+
+static bool parsePropertyAttributes(objc_property_t objcProperty, Property& property)
 {
     bool readonly = false;
     unsigned attributeCount;
-    objc_property_attribute_t* attributes = property_copyAttributeList(property, &attributeCount);
+    auto attributes = adoptSystem(property_copyAttributeList(objcProperty, &attributeCount));
     if (attributeCount) {
         for (unsigned i = 0; i < attributeCount; ++i) {
             switch (*(attributes[i].name)) {
             case 'G':
-                getterName = strdup(attributes[i].value);
+                property.getterName = @(attributes[i].value);
                 break;
             case 'S':
-                setterName = strdup(attributes[i].value);
+                property.setterName = @(attributes[i].value);
                 break;
             case 'R':
                 readonly = true;
@@ -281,33 +315,28 @@ static bool parsePropertyAttributes(objc_property_t property, char*& getterName,
                 break;
             }
         }
-        free(attributes);
     }
     return readonly;
 }
 
-static char* makeSetterName(const char* name)
+static RetainPtr makeSetterName(const char* name)
 {
     size_t nameLength = strlen(name);
-    char* setterName = (char*)malloc(nameLength + 5); // "set" Name ":\0"
-    setterName[0] = 's';
-    setterName[1] = 'e';
-    setterName[2] = 't';
-    setterName[3] = toupper(*name);
-    memcpy(setterName + 4, name + 1, nameLength - 1);
-    setterName[nameLength + 3] = ':';
-    setterName[nameLength + 4] = '\0';
-    return setterName;
+    // "set" Name ":\0"  => nameLength + 5.
+    Vector buffer(nameLength + 5);
+    buffer[0] = 's';
+    buffer[1] = 'e';
+    buffer[2] = 't';
+    buffer[3] = toASCIIUpper(*name);
+    memcpy(buffer.data() + 4, name + 1, nameLength - 1);
+    buffer[nameLength + 3] = ':';
+    buffer[nameLength + 4] = '\0';
+    return @(buffer.data());
 }
 
 static void copyPrototypeProperties(JSContext *context, Class objcClass, Protocol *protocol, JSValue *prototypeValue)
 {
     // First gather propreties into this list, then handle the methods (capturing the accessor methods).
-    struct Property {
-        const char* name;
-        char* getterName;
-        char* setterName;
-    };
     __block Vector propertyList;
 
     // Map recording the methods used as getters/setters.
@@ -316,41 +345,36 @@ static void copyPrototypeProperties(JSContext *context, Class objcClass, Protoco
     // Useful value.
     JSValue *undefined = [JSValue valueWithUndefinedInContext:context];
 
-    forEachPropertyInProtocol(protocol, ^(objc_property_t property){
-        char* getterName = 0;
-        char* setterName = 0;
-        bool readonly = parsePropertyAttributes(property, getterName, setterName);
-        const char* name = property_getName(property);
+    forEachPropertyInProtocol(protocol, ^(objc_property_t objcProperty) {
+        const char* name = property_getName(objcProperty);
+        Property property { name, nullptr, nullptr };
+        bool readonly = parsePropertyAttributes(objcProperty, property);
 
-        // Add the names of the getter & setter methods to 
-        if (!getterName)
-            getterName = strdup(name);
-        accessorMethods[@(getterName)] = undefined;
+        // Add the names of the getter & setter methods to
+        if (!property.getterName)
+            property.getterName = @(name);
+        accessorMethods[property.getterName.get()] = undefined;
         if (!readonly) {
-            if (!setterName)
-                setterName = makeSetterName(name);
-            accessorMethods[@(setterName)] = undefined;
+            if (!property.setterName)
+                property.setterName = makeSetterName(name);
+            accessorMethods[property.setterName.get()] = undefined;
         }
 
         // Add the properties to a list.
-        propertyList.append((Property){ name, getterName, setterName });
+        propertyList.append(WTFMove(property));
     });
 
     // Copy methods to the prototype, capturing accessors in the accessorMethods map.
     copyMethodsToObject(context, objcClass, protocol, YES, prototypeValue, accessorMethods);
 
     // Iterate the propertyList & generate accessor properties.
-    for (size_t i = 0; i < propertyList.size(); ++i) {
-        Property& property = propertyList[i];
-
-        JSValue *getter = accessorMethods[@(property.getterName)];
-        free(property.getterName);
+    for (auto& property : propertyList) {
+        JSValue* getter = accessorMethods[property.getterName.get()];
         ASSERT(![getter isUndefined]);
 
-        JSValue *setter = undefined;
+        JSValue* setter = undefined;
         if (property.setterName) {
-            setter = accessorMethods[@(property.setterName)];
-            free(property.setterName);
+            setter = accessorMethods[property.setterName.get()];
             ASSERT(![setter isUndefined]);
         }
         
@@ -369,6 +393,7 @@ static void copyPrototypeProperties(JSContext *context, Class objcClass, Protoco
     JSClassRef m_classRef;
     JSC::Weak m_prototype;
     JSC::Weak m_constructor;
+    JSC::Weak m_structure;
 }
 
 - (instancetype)initForClass:(Class)cls;
@@ -409,7 +434,7 @@ static JSC::JSObject* allocateConstructorForCustomClass(JSContext *context, cons
         return constructorWithCustomBrand(context, [NSString stringWithFormat:@"%sConstructor", className], cls);
 
     // For each protocol that the class implements, gather all of the init family methods into a hash table.
-    __block HashMap initTable;
+    __block HashMap initTable;
     Protocol *exportProtocol = getJSExportProtocol();
     for (Class currentClass = cls; currentClass; currentClass = class_getSuperclass(currentClass)) {
         forEachProtocolImplementingProtocol(currentClass, exportProtocol, ^(Protocol *protocol, bool&) {
@@ -417,7 +442,7 @@ static JSC::JSObject* allocateConstructorForCustomClass(JSContext *context, cons
                 const char* name = sel_getName(selector);
                 if (!isInitFamilyMethod(@(name)))
                     return;
-                initTable.set(name, protocol);
+                initTable.set(name, (__bridge CFTypeRef)protocol);
             });
         });
     }
@@ -437,7 +462,7 @@ static JSC::JSObject* allocateConstructorForCustomClass(JSContext *context, cons
 
             numberOfInitsFound++;
             initMethod = selector;
-            initProtocol = iter->value;
+            initProtocol = (__bridge Protocol *)iter->value;
             types = method_getTypeEncoding(method);
         });
 
@@ -486,8 +511,9 @@ typedef std::pair ConstructorPrototypePair;
 
         JSValue* prototype = [JSValue valueWithJSValueRef:toRef(jsPrototype) inContext:context];
         JSValue* constructor = [JSValue valueWithJSValueRef:toRef(jsConstructor) inContext:context];
-        putNonEnumerable(prototype, @"constructor", constructor);
-        putNonEnumerable(constructor, @"prototype", prototype);
+
+        putNonEnumerable(context, prototype, @"constructor", constructor);
+        putNonEnumerable(context, constructor, @"prototype", prototype);
 
         Protocol *exportProtocol = getJSExportProtocol();
         forEachProtocolImplementingProtocol(m_class, exportProtocol, ^(Protocol *protocol, bool&){
@@ -513,16 +539,20 @@ typedef std::pair ConstructorPrototypePair;
         if (JSObjectRef method = objCCallbackFunctionForBlock(context, object)) {
             JSValue *constructor = [JSValue valueWithJSValueRef:method inContext:context];
             JSValue *prototype = [JSValue valueWithNewObjectInContext:context];
-            putNonEnumerable(constructor, @"prototype", prototype);
-            putNonEnumerable(prototype, @"constructor", constructor);
+            putNonEnumerable(context, constructor, @"prototype", prototype);
+            putNonEnumerable(context, prototype, @"constructor", constructor);
             return toJS(method);
         }
     }
 
-    JSC::JSObject* prototype = [self prototypeInContext:context];
+    JSC::Structure* structure = [self structureInContext:context];
 
-    JSC::JSObject* wrapper = makeWrapper([context JSGlobalContextRef], m_classRef, object);
-    JSObjectSetPrototype([context JSGlobalContextRef], toRef(wrapper), toRef(prototype));
+    JSC::ExecState* exec = toJS([context JSGlobalContextRef]);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+
+    auto wrapper = JSC::JSCallbackObject::create(exec, exec->lexicalGlobalObject(), structure, m_classRef, 0);
+    wrapper->setWrappedObject((__bridge void*)object);
     return wrapper;
 }
 
@@ -544,11 +574,25 @@ typedef std::pair ConstructorPrototypePair;
     return prototype;
 }
 
+- (JSC::Structure*)structureInContext:(JSContext *)context
+{
+    JSC::Structure* structure = m_structure.get();
+    if (structure)
+        return structure;
+
+    JSC::ExecState* exec = toJS([context JSGlobalContextRef]);
+    JSC::JSGlobalObject* globalObject = toJSGlobalObject([context JSGlobalContextRef]);
+    JSC::JSObject* prototype = [self prototypeInContext:context];
+    m_structure = JSC::JSCallbackObject::createStructure(exec->vm(), globalObject, prototype);
+
+    return m_structure.get();
+}
+
 @end
 
 @implementation JSWrapperMap {
     NSMutableDictionary *m_classMap;
-    std::unique_ptr> m_cachedJSWrappers;
+    std::unique_ptr> m_cachedJSWrappers;
     NSMapTable *m_cachedObjCWrappers;
 }
 
@@ -562,7 +606,7 @@ typedef std::pair ConstructorPrototypePair;
     NSPointerFunctionsOptions valueOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality;
     m_cachedObjCWrappers = [[NSMapTable alloc] initWithKeyOptions:keyOptions valueOptions:valueOptions capacity:0];
 
-    m_cachedJSWrappers = std::make_unique>(toJS(context)->vm());
+    m_cachedJSWrappers = std::make_unique>(toJS(context)->vm());
 
     ASSERT(!toJSGlobalObject(context)->wrapperMap());
     toJSGlobalObject(context)->setWrapperMap(self);
@@ -595,10 +639,10 @@ typedef std::pair ConstructorPrototypePair;
         });
 
         if (!conformsToExportProtocol)
-            return m_classMap[(id)cls] = [self classInfoForClass:class_getSuperclass(cls)];
+            return m_classMap[cls] = [self classInfoForClass:class_getSuperclass(cls)];
     }
 
-    return m_classMap[(id)cls] = [[[JSObjCClassInfo alloc] initForClass:cls] autorelease];
+    return m_classMap[cls] = [[[JSObjCClassInfo alloc] initForClass:cls] autorelease];
 }
 
 - (JSValue *)jsWrapperForObject:(id)object inContext:(JSContext *)context
@@ -627,10 +671,10 @@ typedef std::pair ConstructorPrototypePair;
 - (JSValue *)objcWrapperForJSValueRef:(JSValueRef)value inContext:context
 {
     ASSERT(toJSGlobalObject([context JSGlobalContextRef])->wrapperMap() == self);
-    JSValue *wrapper = static_cast(NSMapGet(m_cachedObjCWrappers, value));
+    JSValue *wrapper = (__bridge JSValue *)NSMapGet(m_cachedObjCWrappers, value);
     if (!wrapper) {
         wrapper = [[[JSValue alloc] initWithValue:value inContext:context] autorelease];
-        NSMapInsert(m_cachedObjCWrappers, value, wrapper);
+        NSMapInsert(m_cachedObjCWrappers, value, (__bridge void*)wrapper);
     }
     return wrapper;
 }
@@ -646,8 +690,8 @@ id tryUnwrapObjcObject(JSGlobalContextRef context, JSValueRef value)
     ASSERT(!exception);
     JSC::JSLockHolder locker(toJS(context));
     JSC::VM& vm = toJS(context)->vm();
-    if (toJS(object)->inherits(vm, JSC::JSCallbackObject::info()))
-        return (id)JSC::jsCast(toJS(object))->wrappedObject();
+    if (toJS(object)->inherits>(vm))
+        return (__bridge id)JSC::jsCast(toJS(object))->wrappedObject();
     if (id target = tryUnwrapConstructor(&vm, object))
         return target;
     return nil;
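Review bot: This hunk keeps the old locking shape `JSC::JSLockHolder locker(toJS(context));` followed by `JSC::VM& vm = toJS(context)->vm();`, while every other function touched by this commit switches to `JSC::VM& vm = ...; JSC::JSLockHolder locker(vm);`. For consistency with the rest of the change, take the `VM&` first and lock on it. The enclosing function starts before this hunk.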
diff --git a/API/JavaScriptCore b/API/JavaScriptCore
deleted file mode 120000
index 945c9b4..0000000
--- a/API/JavaScriptCore
+++ /dev/null
@@ -1 +0,0 @@
-.
\ No newline at end of file
diff --git a/API/ObjCCallbackFunction.h b/API/ObjCCallbackFunction.h
index 4d5b736..c30c156 100644
--- a/API/ObjCCallbackFunction.h
+++ b/API/ObjCCallbackFunction.h
@@ -48,13 +48,19 @@ class ObjCCallbackFunction : public InternalFunction {
 public:
     typedef InternalFunction Base;
 
+    template
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return vm.objCCallbackFunctionSpace();
+    }
+
     static ObjCCallbackFunction* create(VM&, JSGlobalObject*, const String& name, std::unique_ptr);
     static void destroy(JSCell*);
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
         ASSERT(globalObject);
-        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(InternalFunctionType, StructureFlags), info());
     }
 
     DECLARE_EXPORT_INFO;
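Review bot: The `TypeInfo` change from `ObjectType` to `InternalFunctionType` in `createStructure` has no why-comment, and the new `subspaceFor` has none either. From the .mm hunk at L4892, the constructor now passes the call/construct callbacks into `Base`, so the new type presumably lets `InternalFunction` own call/construct dispatch in place of the removed `getCallData`/`getConstructData`; a comment such as `// InternalFunctionType: call/construct dispatch is handled by InternalFunction via the callbacks passed to Base.` would record that.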
@@ -65,9 +71,6 @@ protected:
     ObjCCallbackFunction(VM&, Structure*, JSObjectCallAsFunctionCallback, JSObjectCallAsConstructorCallback, std::unique_ptr);
 
 private:
-    static CallType getCallData(JSCell*, CallData&);
-    static ConstructType getConstructData(JSCell*, ConstructData&);
-
     JSObjectCallAsFunctionCallback functionCallback() { return m_functionCallback; }
     JSObjectCallAsConstructorCallback constructCallback() { return m_constructCallback; }
 
diff --git a/API/ObjCCallbackFunction.mm b/API/ObjCCallbackFunction.mm
index b014783..c4e73a8 100644
--- a/API/ObjCCallbackFunction.mm
+++ b/API/ObjCCallbackFunction.mm
@@ -121,7 +121,7 @@ private:
             return;
         }
 
-        *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("Argument does not match Objective-C Class")));
+        *exception = toRef(JSC::createTypeError(toJS(contextRef), "Argument does not match Objective-C Class"_s));
     }
 
     RetainPtr m_class;
@@ -458,7 +458,7 @@ static JSValueRef objCCallbackFunctionCallAsFunction(JSContextRef callerContext,
 
     if (impl->type() == CallbackInitMethod) {
         JSGlobalContextRef contextRef = [context JSGlobalContextRef];
-        *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("Cannot call a class constructor without |new|")));
+        *exception = toRef(JSC::createTypeError(toJS(contextRef), "Cannot call a class constructor without |new|"_s));
         return JSValueMakeUndefined(contextRef);
     }
 
@@ -497,16 +497,16 @@ static JSObjectRef objCCallbackFunctionCallAsConstructor(JSContextRef callerCont
         return nullptr;
 
     if (!JSValueIsObject(contextRef, result)) {
-        *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("Objective-C blocks called as constructors must return an object.")));
+        *exception = toRef(JSC::createTypeError(toJS(contextRef), "Objective-C blocks called as constructors must return an object."_s));
         return nullptr;
     }
-    return (JSObjectRef)result;
+    return const_cast(result);
 }
 
 const JSC::ClassInfo ObjCCallbackFunction::s_info = { "CallbackFunction", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(ObjCCallbackFunction) };
 
 ObjCCallbackFunction::ObjCCallbackFunction(JSC::VM& vm, JSC::Structure* structure, JSObjectCallAsFunctionCallback functionCallback, JSObjectCallAsConstructorCallback constructCallback, std::unique_ptr impl)
-    : Base(vm, structure)
+    : Base(vm, structure, APICallbackFunction::call, impl->isConstructible() ? APICallbackFunction::construct : nullptr)
     , m_functionCallback(functionCallback)
     , m_constructCallback(constructCallback)
     , m_impl(WTFMove(impl))
@@ -528,22 +528,6 @@ void ObjCCallbackFunction::destroy(JSCell* cell)
     function.~ObjCCallbackFunction();
 }
 
-
-CallType ObjCCallbackFunction::getCallData(JSCell*, CallData& callData)
-{
-    callData.native.function = APICallbackFunction::call;
-    return CallType::Host;
-}
-
-ConstructType ObjCCallbackFunction::getConstructData(JSCell* cell, ConstructData& constructData)
-{
-    ObjCCallbackFunction* callback = jsCast(cell);
-    if (!callback->impl()->isConstructible())
-        return Base::getConstructData(cell, constructData);
-    constructData.native.function = APICallbackFunction::construct;
-    return ConstructType::Host;
-}
-
 String ObjCCallbackFunctionImpl::name()
 {
     if (m_type == CallbackInitMethod)
@@ -564,7 +548,7 @@ JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisOb
         RELEASE_ASSERT(!thisObject);
         target = [m_instanceClass alloc];
         if (!target || ![target isKindOfClass:m_instanceClass.get()]) {
-            *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("self type check failed for Objective-C instance method")));
+            *exception = toRef(JSC::createTypeError(toJS(contextRef), "self type check failed for Objective-C instance method"_s));
             return JSValueMakeUndefined(contextRef);
         }
         [m_invocation setTarget:target];
@@ -574,7 +558,7 @@ JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisOb
     case CallbackInstanceMethod: {
         target = tryUnwrapObjcObject(contextRef, thisObject);
         if (!target || ![target isKindOfClass:m_instanceClass.get()]) {
-            *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("self type check failed for Objective-C instance method")));
+            *exception = toRef(JSC::createTypeError(toJS(contextRef), "self type check failed for Objective-C instance method"_s));
             return JSValueMakeUndefined(contextRef);
         }
         [m_invocation setTarget:target];
@@ -619,7 +603,7 @@ static bool blockSignatureContainsClass()
 {
     static bool containsClass = ^{
         id block = ^(NSString *string){ return string; };
-        return _Block_has_signature(block) && strstr(_Block_signature(block), "NSString");
+        return _Block_has_signature((__bridge void*)block) && strstr(_Block_signature((__bridge void*)block), "NSString");
     }();
     return containsClass;
 }
@@ -675,10 +659,11 @@ static JSObjectRef objCCallbackFunctionForInvocation(JSContext *context, NSInvoc
     }
 
     JSC::ExecState* exec = toJS([context JSGlobalContextRef]);
-    JSC::JSLockHolder locker(exec);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
     auto impl = std::make_unique(invocation, type, instanceClass, WTFMove(arguments), WTFMove(result));
     const String& name = impl->name();
-    return toRef(JSC::ObjCCallbackFunction::create(exec->vm(), exec->lexicalGlobalObject(), name, WTFMove(impl)));
+    return toRef(JSC::ObjCCallbackFunction::create(vm, exec->lexicalGlobalObject(), name, WTFMove(impl)));
 }
 
 JSObjectRef objCCallbackFunctionForInit(JSContext *context, Class cls, Protocol *protocol, SEL sel, const char* types)
@@ -692,18 +677,20 @@ JSObjectRef objCCallbackFunctionForMethod(JSContext *context, Class cls, Protoco
 {
     NSInvocation *invocation = [NSInvocation invocationWithMethodSignature:[NSMethodSignature signatureWithObjCTypes:types]];
     [invocation setSelector:sel];
-    // We need to retain the target Class because m_invocation doesn't retain it by default (and we don't want it to).
-    // FIXME: What releases it?
-    if (!isInstanceMethod)
-        [invocation setTarget:[cls retain]];
+    if (!isInstanceMethod) {
+        [invocation setTarget:cls];
+        // We need to retain the target Class because m_invocation doesn't retain it by default (and we don't want it to).
+        // FIXME: What releases it?
+        CFRetain((__bridge CFTypeRef)cls);
+    }
     return objCCallbackFunctionForInvocation(context, invocation, isInstanceMethod ? CallbackInstanceMethod : CallbackClassMethod, isInstanceMethod ? cls : nil, _protocol_getMethodTypeEncoding(protocol, sel, YES, isInstanceMethod));
 }
 
 JSObjectRef objCCallbackFunctionForBlock(JSContext *context, id target)
 {
-    if (!_Block_has_signature(target))
+    if (!_Block_has_signature((__bridge void*)target))
         return nullptr;
-    const char* signature = _Block_signature(target);
+    const char* signature = _Block_signature((__bridge void*)target);
     NSInvocation *invocation = [NSInvocation invocationWithMethodSignature:[NSMethodSignature signatureWithObjCTypes:signature]];
 
     // We don't want to use -retainArguments because that leaks memory. Arguments 
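Review bot: The new `CFRetain((__bridge CFTypeRef)cls)` is still unbalanced, and the FIXME carried over from the old `[cls retain]` admits that nothing releases it. Class objects are presumably never deallocated by the Objective-C runtime, in which case the retain is a no-op rather than a leak, but the comment should state that instead of leaving an open question: `// Class objects are never deallocated, so this retain is intentionally never balanced; it only records that m_invocation does not own its target.` If a real ownership transfer is intended, the matching release belongs in ObjCCallbackFunctionImpl's destructor, which is outside this hunk.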
@@ -717,7 +704,7 @@ JSObjectRef objCCallbackFunctionForBlock(JSContext *context, id target)
 
 id tryUnwrapConstructor(JSC::VM* vm, JSObjectRef object)
 {
-    if (!toJS(object)->inherits(*vm, JSC::ObjCCallbackFunction::info()))
+    if (!toJS(object)->inherits(*vm))
         return nil;
     JSC::ObjCCallbackFunctionImpl* impl = static_cast(toJS(object))->impl();
     if (!impl->isConstructible())
diff --git a/API/ObjcRuntimeExtras.h b/API/ObjcRuntimeExtras.h
index fa44ff6..20d8b85 100644
--- a/API/ObjcRuntimeExtras.h
+++ b/API/ObjcRuntimeExtras.h
@@ -23,22 +23,28 @@
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
  */
 
+#import 
 #import 
 #import 
 #import 
+#import 
 #import 
+#import 
+
+template
+inline std::unique_ptr> adoptSystem(U value)
+{
+    return std::unique_ptr>(value);
+}
 
 inline bool protocolImplementsProtocol(Protocol *candidate, Protocol *target)
 {
     unsigned protocolProtocolsCount;
-    Protocol ** protocolProtocols = protocol_copyProtocolList(candidate, &protocolProtocolsCount);
+    auto protocolProtocols = adoptSystem<__unsafe_unretained Protocol*[]>(protocol_copyProtocolList(candidate, &protocolProtocolsCount));
     for (unsigned i = 0; i < protocolProtocolsCount; ++i) {
-        if (protocol_isEqual(protocolProtocols[i], target)) {
-            free(protocolProtocols);
+        if (protocol_isEqual(protocolProtocols[i], target))
             return true;
-        }
     }
-    free(protocolProtocols);
     return false;
 }
 
@@ -47,14 +53,15 @@ inline void forEachProtocolImplementingProtocol(Class cls, Protocol *target, voi
     ASSERT(cls);
     ASSERT(target);
 
-    Vector worklist;
+    Vector worklist;
     HashSet visited;
 
     // Initially fill the worklist with the Class's protocols.
-    unsigned protocolsCount;
-    Protocol ** protocols = class_copyProtocolList(cls, &protocolsCount);
-    worklist.append(protocols, protocolsCount);
-    free(protocols);
+    {
+        unsigned protocolsCount;
+        auto protocols = adoptSystem<__unsafe_unretained Protocol*[]>(class_copyProtocolList(cls, &protocolsCount));
+        worklist.append(protocols.get(), protocolsCount);
+    }
 
     bool stop = false;
     while (!worklist.isEmpty()) {
@@ -62,7 +69,7 @@ inline void forEachProtocolImplementingProtocol(Class cls, Protocol *target, voi
         worklist.removeLast();
 
         // Are we encountering this Protocol for the first time?
-        if (!visited.add(protocol).isNewEntry)
+        if (!visited.add((__bridge void*)protocol).isNewEntry)
             continue;
 
         // If it implements the protocol, make the callback.
@@ -73,37 +80,36 @@ inline void forEachProtocolImplementingProtocol(Class cls, Protocol *target, voi
         }
 
         // Add incorporated protocols to the worklist.
-        protocols = protocol_copyProtocolList(protocol, &protocolsCount);
-        worklist.append(protocols, protocolsCount);
-        free(protocols);
+        {
+            unsigned protocolsCount;
+            auto protocols = adoptSystem<__unsafe_unretained Protocol*[]>(protocol_copyProtocolList(protocol, &protocolsCount));
+            worklist.append(protocols.get(), protocolsCount);
+        }
     }
 }
 
 inline void forEachMethodInClass(Class cls, void (^callback)(Method))
 {
     unsigned count;
-    Method* methods = class_copyMethodList(cls, &count);
+    auto methods = adoptSystem(class_copyMethodList(cls, &count));
     for (unsigned i = 0; i < count; ++i)
         callback(methods[i]);
-    free(methods);
 }
 
 inline void forEachMethodInProtocol(Protocol *protocol, BOOL isRequiredMethod, BOOL isInstanceMethod, void (^callback)(SEL, const char*))
 {
     unsigned count;
-    struct objc_method_description* methods = protocol_copyMethodDescriptionList(protocol, isRequiredMethod, isInstanceMethod, &count);
+    auto methods = adoptSystem(protocol_copyMethodDescriptionList(protocol, isRequiredMethod, isInstanceMethod, &count));
     for (unsigned i = 0; i < count; ++i)
         callback(methods[i].name, methods[i].types);
-    free(methods);
 }
 
 inline void forEachPropertyInProtocol(Protocol *protocol, void (^callback)(objc_property_t))
 {
     unsigned count;
-    objc_property_t* properties = protocol_copyPropertyList(protocol, &count);
+    auto properties = adoptSystem(protocol_copyPropertyList(protocol, &count));
     for (unsigned i = 0; i < count; ++i)
         callback(properties[i]);
-    free(properties);
 }
 
 template
@@ -124,13 +130,14 @@ void skipPair(const char*& position)
 class StringRange {
     WTF_MAKE_NONCOPYABLE(StringRange);
 public:
-    StringRange(const char* begin, const char* end) : m_ptr(strndup(begin, end - begin)) { }
-    ~StringRange() { free(m_ptr); }
-    operator const char*() const { return m_ptr; }
-    const char* get() const { return m_ptr; }
+    StringRange(const char* begin, const char* end)
+        : m_string(begin, end - begin)
+    { }
+    operator const char*() const { return m_string.data(); }
+    const char* get() const { return m_string.data(); }
 
 private:
-    char* m_ptr;
+    CString m_string;
 };
 
 class StructBuffer {
@@ -140,16 +147,13 @@ public:
     {
         NSUInteger size, alignment;
         NSGetSizeAndAlignment(encodedType, &size, &alignment);
-        --alignment;
-        m_allocation = static_cast(malloc(size + alignment));
-        m_buffer = reinterpret_cast((reinterpret_cast(m_allocation) + alignment) & ~alignment);
+        m_buffer = fastAlignedMalloc(alignment, size);
     }
 
-    ~StructBuffer() { free(m_allocation); }
+    ~StructBuffer() { fastAlignedFree(m_buffer); }
     operator void*() const { return m_buffer; }
 
 private:
-    void* m_allocation;
     void* m_buffer;
 };
 
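Review bot: `fastAlignedMalloc(alignment, size)` is stricter about its arguments than the manual over-allocate-and-round-up it replaces, and the hunk adds no check on either the inputs or the result. `NSGetSizeAndAlignment` can report an alignment of 1 or 2 for structs made of small scalars, and if WTF's fastAlignedMalloc is backed by posix_memalign that is below its minimum of `sizeof(void*)` and yields a null pointer, which `operator void*` then hands to the caller as a buffer. I'd clamp and assert: `m_buffer = fastAlignedMalloc(std::max<size_t>(alignment, sizeof(void*)), size); RELEASE_ASSERT(m_buffer);`. Whether the WTF implementation tolerates small alignments is not visible here, so confirm against FastMalloc before relying on it.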
diff --git a/API/OpaqueJSString.cpp b/API/OpaqueJSString.cpp
index 07a79ad..77a2e1c 100644
--- a/API/OpaqueJSString.cpp
+++ b/API/OpaqueJSString.cpp
@@ -34,7 +34,7 @@
 
 using namespace JSC;
 
-RefPtr OpaqueJSString::create(const String& string)
+RefPtr OpaqueJSString::tryCreate(const String& string)
 {
     if (string.isNull())
         return nullptr;
@@ -42,6 +42,14 @@ RefPtr OpaqueJSString::create(const String& string)
     return adoptRef(new OpaqueJSString(string));
 }
 
+RefPtr OpaqueJSString::tryCreate(String&& string)
+{
+    if (string.isNull())
+        return nullptr;
+
+    return adoptRef(new OpaqueJSString(WTFMove(string)));
+}
+
 OpaqueJSString::~OpaqueJSString()
 {
     // m_characters is put in a local here to avoid an extra atomic load.
diff --git a/API/OpaqueJSString.h b/API/OpaqueJSString.h
index 208131b..4a4b5ed 100644
--- a/API/OpaqueJSString.h
+++ b/API/OpaqueJSString.h
@@ -51,7 +51,8 @@ struct OpaqueJSString : public ThreadSafeRefCounted {
         return adoptRef(*new OpaqueJSString(characters, length));
     }
 
-    JS_EXPORT_PRIVATE static RefPtr create(const String&);
+    JS_EXPORT_PRIVATE static RefPtr tryCreate(const String&);
+    JS_EXPORT_PRIVATE static RefPtr tryCreate(String&&);
 
     JS_EXPORT_PRIVATE ~OpaqueJSString();
 
@@ -81,6 +82,12 @@ private:
     {
     }
 
+    explicit OpaqueJSString(String&& string)
+        : m_string(WTFMove(string))
+        , m_characters(m_string.impl() && m_string.is8Bit() ? nullptr : const_cast(m_string.characters16()))
+    {
+    }
+
     OpaqueJSString(const LChar* characters, unsigned length)
         : m_string(characters, length)
         , m_characters(nullptr)
diff --git a/API/WebKitAvailability.h b/API/WebKitAvailability.h
index 8227520..0f6afb6 100644
--- a/API/WebKitAvailability.h
+++ b/API/WebKitAvailability.h
@@ -69,15 +69,12 @@
 #endif /* !TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED < 101100 */
 
 #if defined(BUILDING_GTK__)
-#undef CF_AVAILABLE
-#define CF_AVAILABLE(_mac, _ios)
-#undef CF_ENUM_AVAILABLE
-#define CF_ENUM_AVAILABLE(_mac, _ios)
+#undef JSC_API_AVAILABLE
+#define JSC_API_AVAILABLE(...)
 #endif
 
 #else
-#define CF_AVAILABLE(_mac, _ios)
-#define CF_ENUM_AVAILABLE(_mac, _ios)
+#define JSC_API_AVAILABLE(...)
 #endif
 
 #endif /* __WebKitAvailability__ */
diff --git a/API/glib/JSAPIWrapperGlobalObject.cpp b/API/glib/JSAPIWrapperGlobalObject.cpp
new file mode 100644
index 0000000..6ae1945
--- /dev/null
+++ b/API/glib/JSAPIWrapperGlobalObject.cpp
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSAPIWrapperGlobalObject.h"
+
+#include "JSCInlines.h"
+#include "JSCallbackObject.h"
+#include "Structure.h"
+#include 
+
+class JSAPIWrapperGlobalObjectHandleOwner : public JSC::WeakHandleOwner {
+public:
+    void finalize(JSC::Handle, void*) override;
+};
+
+static JSAPIWrapperGlobalObjectHandleOwner* jsAPIWrapperGlobalObjectHandleOwner()
+{
+    static NeverDestroyed jsWrapperGlobalObjectHandleOwner;
+    return &jsWrapperGlobalObjectHandleOwner.get();
+}
+
+void JSAPIWrapperGlobalObjectHandleOwner::finalize(JSC::Handle handle, void*)
+{
+    auto* wrapperObject = static_cast(handle.get().asCell());
+    if (!wrapperObject->wrappedObject())
+        return;
+
+    JSC::Heap::heap(wrapperObject)->releaseSoon(std::unique_ptr(wrapperObject->wrappedObject()));
+    JSC::WeakSet::deallocate(JSC::WeakImpl::asWeakImpl(handle.slot()));
+}
+
+namespace JSC {
+
+template <> const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperGlobalObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) };
+
+template<> const bool JSCallbackObject::needsDestruction = false;
+
+template <>
+Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObject*, JSValue proto)
+{
+    return Structure::create(vm, nullptr, proto, TypeInfo(GlobalObjectType, StructureFlags), &s_info);
+}
+
+template<>
+JSCallbackObject* JSCallbackObject::create(VM& vm, JSClassRef classRef, Structure* structure)
+{
+    JSCallbackObject* callbackObject = new (NotNull, allocateCell>(vm.heap)) JSCallbackObject(vm, classRef, structure);
+    callbackObject->finishCreation(vm);
+    return callbackObject;
+}
+
+JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject(VM& vm, Structure* structure)
+    : Base(vm, structure)
+{
+}
+
+void JSAPIWrapperGlobalObject::finishCreation(VM& vm)
+{
+    Base::finishCreation(vm);
+    WeakSet::allocate(this, jsAPIWrapperGlobalObjectHandleOwner(), 0); // Balanced in JSAPIWrapperGlobalObjectHandleOwner::finalize.
+}
+
+void JSAPIWrapperGlobalObject::visitChildren(JSCell* cell, JSC::SlotVisitor& visitor)
+{
+    Base::visitChildren(cell, visitor);
+}
+
+} // namespace JSC
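Review bot: `JSAPIWrapperGlobalObjectHandleOwner::finalize` returns early when `wrappedObject()` is null and never reaches `WeakSet::deallocate`, yet the comment on `finishCreation` says the `WeakSet::allocate` there is balanced in finalize. A global object that dies before `setWrappedObject` is ever called would leave its WeakImpl finalized but not deallocated; unless the weak set reclaims such slots elsewhere, that is one leaked slot per such object. Deallocating unconditionally keeps the comment true: move `JSC::WeakSet::deallocate(JSC::WeakImpl::asWeakImpl(handle.slot()));` ahead of the null check so only the `releaseSoon` call is guarded. Note also that the constructor at the bottom of the hunk does not initialize `m_wrappedObject`, so the null check here relies on the header giving it a default.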
diff --git a/API/glib/JSAPIWrapperGlobalObject.h b/API/glib/JSAPIWrapperGlobalObject.h
new file mode 100644
index 0000000..d54a9ec
--- /dev/null
+++ b/API/glib/JSAPIWrapperGlobalObject.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "JSBase.h"
+#include "JSCGLibWrapperObject.h"
+#include "JSGlobalObject.h"
+
+namespace JSC {
+
+class JSAPIWrapperGlobalObject : public JSGlobalObject {
+public:
+    typedef JSGlobalObject Base;
+
+    void finishCreation(VM&);
+    static void visitChildren(JSCell*, JSC::SlotVisitor&);
+
+    JSCGLibWrapperObject* wrappedObject() const { return m_wrappedObject; }
+    void setWrappedObject(JSCGLibWrapperObject* wrappedObject) { m_wrappedObject = wrappedObject; }
+
+protected:
+    JSAPIWrapperGlobalObject(VM&, Structure*);
+
+private:
+    JSCGLibWrapperObject* m_wrappedObject;
+};
+
+} // namespace JSC
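Review bot: `m_wrappedObject` is declared without an initializer, and the constructor in JSAPIWrapperGlobalObject.cpp only forwards to `Base(vm, structure)`, so `wrappedObject()` returns an indeterminate pointer until `setWrappedObject` runs; the handle owner's finalize tests that pointer for null and would otherwise hand garbage to `releaseSoon`. Default-initialize it in the class: `JSCGLibWrapperObject* m_wrappedObject { nullptr };`. `setWrappedObject` here also silently overwrites, unlike JSAPIWrapperObject's version in this same patch which asserts the slot is empty, so an `ASSERT(!m_wrappedObject)` in the setter would keep the two wrappers consistent.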
diff --git a/API/glib/JSAPIWrapperObjectGLib.cpp b/API/glib/JSAPIWrapperObjectGLib.cpp
new file mode 100644
index 0000000..867fd42
--- /dev/null
+++ b/API/glib/JSAPIWrapperObjectGLib.cpp
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSAPIWrapperObject.h"
+
+#include "JSCGLibWrapperObject.h"
+#include "JSCInlines.h"
+#include "JSCallbackObject.h"
+#include "Structure.h"
+#include 
+
+class JSAPIWrapperObjectHandleOwner : public JSC::WeakHandleOwner {
+public:
+    void finalize(JSC::Handle, void*) override;
+    bool isReachableFromOpaqueRoots(JSC::Handle, void* context, JSC::SlotVisitor&, const char**) override;
+};
+
+static JSAPIWrapperObjectHandleOwner* jsAPIWrapperObjectHandleOwner()
+{
+    static NeverDestroyed jsWrapperObjectHandleOwner;
+    return &jsWrapperObjectHandleOwner.get();
+}
+
+void JSAPIWrapperObjectHandleOwner::finalize(JSC::Handle handle, void*)
+{
+    auto* wrapperObject = static_cast(handle.get().asCell());
+    if (!wrapperObject->wrappedObject())
+        return;
+
+    JSC::Heap::heap(wrapperObject)->releaseSoon(std::unique_ptr(static_cast(wrapperObject->wrappedObject())));
+    JSC::WeakSet::deallocate(JSC::WeakImpl::asWeakImpl(handle.slot()));
+}
+
+bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::Handle handle, void*, JSC::SlotVisitor& visitor, const char**)
+{
+    JSC::JSAPIWrapperObject* wrapperObject = JSC::jsCast(handle.get().asCell());
+    // We use the JSGlobalObject when processing weak handles to prevent the situation where using
+    // the same wrapped object in multiple global objects keeps all of the global objects alive.
+    if (!wrapperObject->wrappedObject())
+        return false;
+    return visitor.vm().heap.isMarked(wrapperObject->structure()->globalObject()) && visitor.containsOpaqueRoot(wrapperObject->wrappedObject());
+}
+
+namespace JSC {
+
+template <> const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCallbackObject) };
+
+template<> const bool JSCallbackObject::needsDestruction = true;
+
+template <>
+Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto)
+{
+    return Structure::create(vm, globalObject, proto, TypeInfo(ObjectType, StructureFlags), &s_info);
+}
+
+JSAPIWrapperObject::JSAPIWrapperObject(VM& vm, Structure* structure)
+    : Base(vm, structure)
+{
+}
+
+void JSAPIWrapperObject::finishCreation(VM& vm)
+{
+    Base::finishCreation(vm);
+    WeakSet::allocate(this, jsAPIWrapperObjectHandleOwner(), 0); // Balanced in JSAPIWrapperObjectHandleOwner::finalize.
+}
+
+void JSAPIWrapperObject::setWrappedObject(void* wrappedObject)
+{
+    ASSERT(!m_wrappedObject);
+    m_wrappedObject = wrappedObject;
+}
+
+void JSAPIWrapperObject::visitChildren(JSCell* cell, JSC::SlotVisitor& visitor)
+{
+    Base::visitChildren(cell, visitor);
+}
+
+} // namespace JSC
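Review bot: The two handle-owner callbacks cast the same handle differently: `finalize` uses `static_cast` to the wrapper type while `isReachableFromOpaqueRoots` uses `JSC::jsCast`, which checks the cell's ClassInfo in debug builds. Since both rely on `s_info` to identify the cell, use `jsCast` in finalize as well, `auto* wrapperObject = JSC::jsCast<JSC::JSAPIWrapperObject*>(handle.get().asCell());` (template arguments appear stripped in this listing). Separately, the early return on a null wrapped object skips `WeakSet::deallocate` even though `finishCreation` says the allocation is balanced in finalize; deallocating before the null check would make that comment accurate.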
diff --git a/API/glib/JSCAutocleanups.h b/API/glib/JSCAutocleanups.h
new file mode 100644
index 0000000..9dfa93f
--- /dev/null
+++ b/API/glib/JSCAutocleanups.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCAutoPtr_h
+#define JSCAutoPtr_h
+
+#ifdef G_DEFINE_AUTOPTR_CLEANUP_FUNC
+#ifndef __GI_SCANNER__
+
+G_DEFINE_AUTOPTR_CLEANUP_FUNC (JSCClass, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC (JSCContext, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC (JSCException, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC (JSCValue, g_object_unref)
+G_DEFINE_AUTOPTR_CLEANUP_FUNC (JSCVirtualMachine, g_object_unref)
+
+#endif /* __GI_SCANNER__ */
+#endif /* G_DEFINE_AUTOPTR_CLEANUP_FUNC */
+
+#endif /* JSCAutoPtr_h */
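Review bot: The include guard `JSCAutoPtr_h` does not match the file name JSCAutocleanups.h; a guard named after a different header is a collision risk with any future JSCAutoPtr.h and misleads anyone grepping for this file. Rename it in all three places (`#ifndef JSCAutocleanups_h`, `#define JSCAutocleanups_h`, and the closing `#endif /* JSCAutocleanups_h */`). The rest of the file is macro boilerplate and needs no change.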
diff --git a/API/glib/JSCCallbackFunction.cpp b/API/glib/JSCCallbackFunction.cpp
new file mode 100644
index 0000000..e222a40
--- /dev/null
+++ b/API/glib/JSCCallbackFunction.cpp
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "JSCCallbackFunction.h"
+
+#include "APICallbackFunction.h"
+#include "APICast.h"
+#include "IsoSubspacePerVM.h"
+#include "JSCClassPrivate.h"
+#include "JSCContextPrivate.h"
+#include "JSDestructibleObjectHeapCellType.h"
+#include "JSCExceptionPrivate.h"
+#include "JSCInlines.h"
+#include "JSFunction.h"
+#include "JSGlobalObject.h"
+#include "JSLock.h"
+
+namespace JSC {
+
+static JSValueRef callAsFunction(JSContextRef callerContext, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    return static_cast(toJS(function))->call(callerContext, thisObject, argumentCount, arguments, exception);
+}
+
+static JSObjectRef callAsConstructor(JSContextRef callerContext, JSObjectRef constructor, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    return static_cast(toJS(constructor))->construct(callerContext, argumentCount, arguments, exception);
+}
+
+const ClassInfo JSCCallbackFunction::s_info = { "CallbackFunction", &InternalFunction::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSCCallbackFunction) };
+
+JSCCallbackFunction* JSCCallbackFunction::create(VM& vm, JSGlobalObject* globalObject, const String& name, Type type, JSCClass* jscClass, GRefPtr&& closure, GType returnType, Optional>&& parameters)
+{
+    Structure* structure = globalObject->glibCallbackFunctionStructure();
+    JSCCallbackFunction* function = new (NotNull, allocateCell(vm.heap)) JSCCallbackFunction(vm, structure, type, jscClass, WTFMove(closure), returnType, WTFMove(parameters));
+    function->finishCreation(vm, name);
+    return function;
+}
+
+JSCCallbackFunction::JSCCallbackFunction(VM& vm, Structure* structure, Type type, JSCClass* jscClass, GRefPtr&& closure, GType returnType, Optional>&& parameters)
+    : InternalFunction(vm, structure, APICallbackFunction::call, type == Type::Constructor ? APICallbackFunction::construct : nullptr)
+    , m_functionCallback(callAsFunction)
+    , m_constructCallback(callAsConstructor)
+    , m_type(type)
+    , m_class(jscClass)
+    , m_closure(WTFMove(closure))
+    , m_returnType(returnType)
+    , m_parameters(WTFMove(parameters))
+{
+    ASSERT(type != Type::Constructor || jscClass);
+    if (G_CLOSURE_NEEDS_MARSHAL(m_closure.get()))
+        g_closure_set_marshal(m_closure.get(), g_cclosure_marshal_generic);
+}
+
+JSValueRef JSCCallbackFunction::call(JSContextRef callerContext, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    JSLockHolder locker(toJS(callerContext));
+    auto context = jscContextGetOrCreate(toGlobalRef(globalObject()->globalExec()));
+    auto* jsContext = jscContextGetJSContext(context.get());
+
+    if (m_type == Type::Constructor) {
+        *exception = toRef(JSC::createTypeError(toJS(jsContext), "cannot call a class constructor without |new|"_s));
+        return JSValueMakeUndefined(jsContext);
+    }
+
+    gpointer instance = nullptr;
+    if (m_type == Type::Method) {
+        instance = jscContextWrappedObject(context.get(), thisObject);
+        if (!instance) {
+            *exception = toRef(JSC::createTypeError(toJS(jsContext), "invalid instance type in method"_s));
+            return JSValueMakeUndefined(jsContext);
+        }
+    }
+
+    auto callbackData = jscContextPushCallback(context.get(), toRef(this), thisObject, argumentCount, arguments);
+
+    // GClosure always expect to have at least the instance parameter.
+    bool addInstance = instance || (m_parameters && m_parameters->isEmpty());
+
+    auto parameterCount = m_parameters ? std::min(m_parameters->size(), argumentCount) : 1;
+    if (addInstance)
+        parameterCount++;
+    auto* values = static_cast(g_alloca(sizeof(GValue) * parameterCount));
+    memset(values, 0, sizeof(GValue) * parameterCount);
+
+    size_t firstParameter = 0;
+    if (addInstance) {
+        g_value_init(&values[0], G_TYPE_POINTER);
+        g_value_set_pointer(&values[0], instance);
+        firstParameter = 1;
+    }
+    if (m_parameters) {
+        for (size_t i = firstParameter; i < parameterCount && !*exception; ++i)
+            jscContextJSValueToGValue(context.get(), arguments[i - firstParameter], m_parameters.value()[i - firstParameter], &values[i], exception);
+    } else {
+        auto* parameters = g_ptr_array_new_full(argumentCount, g_object_unref);
+        for (size_t i = 0; i < argumentCount; ++i)
+            g_ptr_array_add(parameters, jscContextGetOrCreateValue(context.get(), arguments[i]).leakRef());
+        g_value_init(&values[firstParameter], G_TYPE_PTR_ARRAY);
+        g_value_take_boxed(&values[firstParameter], parameters);
+    }
+
+    GValue returnValue = G_VALUE_INIT;
+    if (m_returnType != G_TYPE_NONE)
+        g_value_init(&returnValue, m_returnType);
+
+    if (!*exception)
+        g_closure_invoke(m_closure.get(), m_returnType != G_TYPE_NONE ? &returnValue : nullptr, parameterCount, values, nullptr);
+
+    for (size_t i = 0; i < parameterCount; ++i)
+        g_value_unset(&values[i]);
+
+    if (auto* jscException = jsc_context_get_exception(context.get()))
+        *exception = jscExceptionGetJSValue(jscException);
+
+    jscContextPopCallback(context.get(), WTFMove(callbackData));
+
+    if (m_returnType == G_TYPE_NONE)
+        return JSValueMakeUndefined(jsContext);
+
+    auto* retval = *exception ? JSValueMakeUndefined(jsContext) : jscContextGValueToJSValue(context.get(), &returnValue, exception);
+    g_value_unset(&returnValue);
+    return retval;
+}
+
+JSObjectRef JSCCallbackFunction::construct(JSContextRef callerContext, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    JSLockHolder locker(toJS(callerContext));
+    auto context = jscContextGetOrCreate(toGlobalRef(globalObject()->globalExec()));
+    auto* jsContext = jscContextGetJSContext(context.get());
+
+    if (m_returnType == G_TYPE_NONE) {
+        *exception = toRef(JSC::createTypeError(toJS(jsContext), "constructors cannot be void"_s));
+        return nullptr;
+    }
+
+    auto callbackData = jscContextPushCallback(context.get(), toRef(this), nullptr, argumentCount, arguments);
+
+    GValue returnValue = G_VALUE_INIT;
+    g_value_init(&returnValue, m_returnType);
+
+    if (m_parameters && m_parameters->isEmpty()) {
+        // GClosure always expect to have at least the instance parameter.
+        GValue dummyValue = G_VALUE_INIT;
+        g_value_init(&dummyValue, G_TYPE_POINTER);
+        g_closure_invoke(m_closure.get(), &returnValue, 1, &dummyValue, nullptr);
+        g_value_unset(&dummyValue);
+    } else {
+        auto parameterCount = m_parameters ? std::min(m_parameters->size(), argumentCount) : 1;
+        auto* values = static_cast(g_alloca(sizeof(GValue) * parameterCount));
+        memset(values, 0, sizeof(GValue) * parameterCount);
+
+        if (m_parameters) {
+            for (size_t i = 0; i < parameterCount && !*exception; ++i)
+                jscContextJSValueToGValue(context.get(), arguments[i], m_parameters.value()[i], &values[i], exception);
+        } else {
+            auto* parameters = g_ptr_array_new_full(argumentCount, g_object_unref);
+            for (size_t i = 0; i < argumentCount; ++i)
+                g_ptr_array_add(parameters, jscContextGetOrCreateValue(context.get(), arguments[i]).leakRef());
+            g_value_init(&values[0], G_TYPE_PTR_ARRAY);
+            g_value_take_boxed(&values[0], parameters);
+        }
+
+        if (!*exception)
+            g_closure_invoke(m_closure.get(), &returnValue, parameterCount, values, nullptr);
+
+        for (size_t i = 0; i < parameterCount; ++i)
+            g_value_unset(&values[i]);
+    }
+
+    if (auto* jscException = jsc_context_get_exception(context.get()))
+        *exception = jscExceptionGetJSValue(jscException);
+
+    jscContextPopCallback(context.get(), WTFMove(callbackData));
+
+    if (*exception) {
+        g_value_unset(&returnValue);
+        return nullptr;
+    }
+
+    switch (g_type_fundamental(G_VALUE_TYPE(&returnValue))) {
+    case G_TYPE_POINTER:
+    case G_TYPE_BOXED:
+    case G_TYPE_OBJECT:
+        if (auto* ptr = returnValue.data[0].v_pointer)
+            return toRef(jscClassGetOrCreateJSWrapper(m_class.get(), context.get(), ptr));
+        *exception = toRef(JSC::createTypeError(toJS(jsContext), "constructor returned null"_s));
+        break;
+    default:
+        *exception = toRef(JSC::createTypeError(toJS(jsContext), makeString("invalid type ", g_type_name(G_VALUE_TYPE(&returnValue)), " returned by constructor")));
+        break;
+    }
+    g_value_unset(&returnValue);
+    return nullptr;
+}
+
+void JSCCallbackFunction::destroy(JSCell* cell)
+{
+    static_cast(cell)->JSCCallbackFunction::~JSCCallbackFunction();
+}
+
+IsoSubspace* JSCCallbackFunction::subspaceForImpl(VM& vm)
+{
+    NeverDestroyed perVM([] (VM& vm) -> IsoSubspacePerVM::SubspaceParameters { return ISO_SUBSPACE_PARAMETERS(vm.destructibleObjectHeapCellType.get(), JSCCallbackFunction); });
+    return &perVM.get().forVM(vm);
+}
+
+} // namespace JSC
diff --git a/API/glib/JSCCallbackFunction.h b/API/glib/JSCCallbackFunction.h
new file mode 100644
index 0000000..2c59b9b
--- /dev/null
+++ b/API/glib/JSCCallbackFunction.h
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "InternalFunction.h"
+#include "JSObjectRef.h"
+#include 
+#include 
+
+typedef struct _JSCClass JSCClass;
+
+namespace JSC {
+
+class JSCCallbackFunction : public InternalFunction {
+    friend struct APICallbackFunction;
+public:
+    typedef InternalFunction Base;
+
+    template
+    static IsoSubspace* subspaceFor(VM& vm)
+    {
+        return subspaceForImpl(vm);
+    }
+
+    enum class Type {
+        Function,
+        Method,
+        Constructor
+    };
+
+    static JSCCallbackFunction* create(VM&, JSGlobalObject*, const String& name, Type, JSCClass*, GRefPtr&&, GType, Optional>&&);
+    static void destroy(JSCell*);
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        ASSERT(globalObject);
+        return Structure::create(vm, globalObject, prototype, TypeInfo(InternalFunctionType, StructureFlags), info());
+    }
+
+    DECLARE_INFO;
+
+    JSValueRef call(JSContextRef, JSObjectRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception);
+    JSObjectRef construct(JSContextRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception);
+
+private:
+    static IsoSubspace* subspaceForImpl(VM&);
+    
+    JSCCallbackFunction(VM&, Structure*, Type, JSCClass*, GRefPtr&&, GType, Optional>&&);
+
+    JSObjectCallAsFunctionCallback functionCallback() { return m_functionCallback; }
+    JSObjectCallAsConstructorCallback constructCallback() { return m_constructCallback; }
+
+    JSObjectCallAsFunctionCallback m_functionCallback;
+    JSObjectCallAsConstructorCallback m_constructCallback;
+    Type m_type;
+    GRefPtr m_class;
+    GRefPtr m_closure;
+    GType m_returnType;
+    Optional> m_parameters;
+};
+
+} // namespace JSC
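Review bot: The private accessors `functionCallback()` and `constructCallback()` only return a member yet are declared non-const; prefer `JSObjectCallAsFunctionCallback functionCallback() const { return m_functionCallback; }` and `JSObjectCallAsConstructorCallback constructCallback() const { return m_constructCallback; }`. The class, its `Type` enum and the two raw callback members carry no comment explaining how `Function`/`Method`/`Constructor` change what `call()`/`construct()` do, nor whether dispatch goes through the callback pointers or `m_closure`; a short class comment such as `// Bridges a GClosure registered through the JSCClass GLib API to the JSC C API function/constructor callbacks.` would help, with the wording confirmed against the .cpp since this hunk does not show where the two callback members are assigned. The blank line after `subspaceForImpl` carries trailing whitespace.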
diff --git a/API/glib/JSCClass.cpp b/API/glib/JSCClass.cpp
new file mode 100644
index 0000000..4c054be
--- /dev/null
+++ b/API/glib/JSCClass.cpp
@@ -0,0 +1,865 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCClass.h"
+
+#include "APICast.h"
+#include "JSAPIWrapperGlobalObject.h"
+#include "JSAPIWrapperObject.h"
+#include "JSCCallbackFunction.h"
+#include "JSCClassPrivate.h"
+#include "JSCContextPrivate.h"
+#include "JSCExceptionPrivate.h"
+#include "JSCInlines.h"
+#include "JSCValuePrivate.h"
+#include "JSCallbackObject.h"
+#include "JSRetainPtr.h"
+#include 
+#include 
+
+/**
+ * SECTION: JSCClass
+ * @short_description: JavaScript custom class
+ * @title: JSCClass
+ * @see_also: JSCContext
+ *
+ * A JSSClass represents a custom JavaScript class registered by the user in a #JSCContext.
+ * It allows to create new JavaScripts objects whose instances are created by the user using
+ * this API.
+ * It's possible to add constructors, properties and methods for a JSSClass by providing
+ * #GCallbacks to implement them.
+ */
+
+enum {
+    PROP_0,
+
+    PROP_CONTEXT,
+    PROP_NAME,
+    PROP_PARENT
+};
+
+typedef struct _JSCClassPrivate {
+    JSGlobalContextRef context;
+    CString name;
+    JSClassRef jsClass;
+    JSCClassVTable* vtable;
+    GDestroyNotify destroyFunction;
+    JSCClass* parentClass;
+    JSC::Weak prototype;
+} JSCClassPrivate;
+
+struct _JSCClass {
+    GObject parent;
+
+    JSCClassPrivate* priv;
+};
+
+struct _JSCClassClass {
+    GObjectClass parent_class;
+};
+
+WEBKIT_DEFINE_TYPE(JSCClass, jsc_class, G_TYPE_OBJECT)
+
+class VTableExceptionHandler {
+public:
+    VTableExceptionHandler(JSCContext* context, JSValueRef* exception)
+        : m_context(context)
+        , m_exception(exception)
+        , m_savedException(exception ? jsc_context_get_exception(m_context) : nullptr)
+    {
+    }
+
+    ~VTableExceptionHandler()
+    {
+        if (!m_exception)
+            return;
+
+        auto* exception = jsc_context_get_exception(m_context);
+        if (m_savedException.get() == exception)
+            return;
+
+        *m_exception = jscExceptionGetJSValue(exception);
+        if (m_savedException)
+            jsc_context_throw_exception(m_context, m_savedException.get());
+        else
+            jsc_context_clear_exception(m_context);
+    }
+
+private:
+    JSCContext* m_context { nullptr };
+    JSValueRef* m_exception { nullptr };
+    GRefPtr m_savedException;
+};
+
+static bool isWrappedObject(JSC::JSObject* jsObject)
+{
+    JSC::ExecState* exec = jsObject->globalObject()->globalExec();
+    if (jsObject->isGlobalObject())
+        return jsObject->inherits>(exec->vm());
+    return jsObject->inherits>(exec->vm());
+}
+
+static JSClassRef wrappedObjectClass(JSC::JSObject* jsObject)
+{
+    ASSERT(isWrappedObject(jsObject));
+    if (jsObject->isGlobalObject())
+        return JSC::jsCast*>(jsObject)->classRef();
+    return JSC::jsCast*>(jsObject)->classRef();
+}
+
+static GRefPtr jscContextForObject(JSC::JSObject* jsObject)
+{
+    ASSERT(isWrappedObject(jsObject));
+    JSC::JSGlobalObject* globalObject = jsObject->globalObject();
+    JSC::ExecState* exec = globalObject->globalExec();
+    if (jsObject->isGlobalObject()) {
+        JSC::VM& vm = globalObject->vm();
+        if (auto* globalScopeExtension = vm.vmEntryGlobalObject(exec)->globalScopeExtension())
+            exec = JSC::JSScope::objectAtScope(globalScopeExtension)->globalObject()->globalExec();
+    }
+    return jscContextGetOrCreate(toGlobalRef(exec));
+}
+
+static JSValueRef getProperty(JSContextRef callerContext, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception)
+{
+    JSC::JSLockHolder locker(toJS(callerContext));
+    auto* jsObject = toJS(object);
+    if (!isWrappedObject(jsObject))
+        return nullptr;
+
+    auto context = jscContextForObject(jsObject);
+    gpointer instance = jscContextWrappedObject(context.get(), object);
+    if (!instance)
+        return nullptr;
+
+    VTableExceptionHandler exceptionHandler(context.get(), exception);
+
+    JSClassRef jsClass = wrappedObjectClass(jsObject);
+    for (auto* jscClass = jscContextGetRegisteredClass(context.get(), jsClass); jscClass; jscClass = jscClass->priv->parentClass) {
+        if (!jscClass->priv->vtable)
+            continue;
+
+        if (auto* getPropertyFunction = jscClass->priv->vtable->get_property) {
+            if (GRefPtr value = adoptGRef(getPropertyFunction(jscClass, context.get(), instance, propertyName->string().utf8().data())))
+                return jscValueGetJSValue(value.get());
+        }
+    }
+    return nullptr;
+}
+
+static bool setProperty(JSContextRef callerContext, JSObjectRef object, JSStringRef propertyName, JSValueRef value, JSValueRef* exception)
+{
+    JSC::JSLockHolder locker(toJS(callerContext));
+    auto* jsObject = toJS(object);
+    if (!isWrappedObject(jsObject))
+        return false;
+
+    auto context = jscContextForObject(jsObject);
+    gpointer instance = jscContextWrappedObject(context.get(), object);
+    if (!instance)
+        return false;
+
+    VTableExceptionHandler exceptionHandler(context.get(), exception);
+
+    GRefPtr propertyValue;
+    JSClassRef jsClass = wrappedObjectClass(jsObject);
+    for (auto* jscClass = jscContextGetRegisteredClass(context.get(), jsClass); jscClass; jscClass = jscClass->priv->parentClass) {
+        if (!jscClass->priv->vtable)
+            continue;
+
+        if (auto* setPropertyFunction = jscClass->priv->vtable->set_property) {
+            if (!propertyValue)
+                propertyValue = jscContextGetOrCreateValue(context.get(), value);
+            if (setPropertyFunction(jscClass, context.get(), instance, propertyName->string().utf8().data(), propertyValue.get()))
+                return true;
+        }
+    }
+    return false;
+}
+
+static bool hasProperty(JSContextRef callerContext, JSObjectRef object, JSStringRef propertyName)
+{
+    JSC::JSLockHolder locker(toJS(callerContext));
+    auto* jsObject = toJS(object);
+    if (!isWrappedObject(jsObject))
+        return false;
+
+    auto context = jscContextForObject(jsObject);
+    gpointer instance = jscContextWrappedObject(context.get(), object);
+    if (!instance)
+        return false;
+
+    JSClassRef jsClass = wrappedObjectClass(jsObject);
+    for (auto* jscClass = jscContextGetRegisteredClass(context.get(), jsClass); jscClass; jscClass = jscClass->priv->parentClass) {
+        if (!jscClass->priv->vtable)
+            continue;
+
+        if (auto* hasPropertyFunction = jscClass->priv->vtable->has_property) {
+            if (hasPropertyFunction(jscClass, context.get(), instance, propertyName->string().utf8().data()))
+                return true;
+        }
+    }
+
+    return false;
+}
+
+static bool deleteProperty(JSContextRef callerContext, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception)
+{
+    JSC::JSLockHolder locker(toJS(callerContext));
+    auto* jsObject = toJS(object);
+    if (!isWrappedObject(jsObject))
+        return false;
+
+    auto context = jscContextForObject(jsObject);
+    gpointer instance = jscContextWrappedObject(context.get(), object);
+    if (!instance)
+        return false;
+
+    VTableExceptionHandler exceptionHandler(context.get(), exception);
+
+    JSClassRef jsClass = wrappedObjectClass(jsObject);
+    for (auto* jscClass = jscContextGetRegisteredClass(context.get(), jsClass); jscClass; jscClass = jscClass->priv->parentClass) {
+        if (!jscClass->priv->vtable)
+            continue;
+
+        if (auto* deletePropertyFunction = jscClass->priv->vtable->delete_property) {
+            if (deletePropertyFunction(jscClass, context.get(), instance, propertyName->string().utf8().data()))
+                return true;
+        }
+    }
+    return false;
+}
+
+static void getPropertyNames(JSContextRef callerContext, JSObjectRef object, JSPropertyNameAccumulatorRef propertyNames)
+{
+    JSC::JSLockHolder locker(toJS(callerContext));
+    auto* jsObject = toJS(object);
+    if (!isWrappedObject(jsObject))
+        return;
+
+    auto context = jscContextForObject(jsObject);
+    gpointer instance = jscContextWrappedObject(context.get(), object);
+    if (!instance)
+        return;
+
+    JSClassRef jsClass = wrappedObjectClass(jsObject);
+    for (auto* jscClass = jscContextGetRegisteredClass(context.get(), jsClass); jscClass; jscClass = jscClass->priv->parentClass) {
+        if (!jscClass->priv->vtable)
+            continue;
+
+        if (auto* enumeratePropertiesFunction = jscClass->priv->vtable->enumerate_properties) {
+            GUniquePtr properties(enumeratePropertiesFunction(jscClass, context.get(), instance));
+            if (properties) {
+                unsigned i = 0;
+                while (const auto* name = properties.get()[i++]) {
+                    JSRetainPtr propertyName(Adopt, JSStringCreateWithUTF8CString(name));
+                    JSPropertyNameAccumulatorAddName(propertyNames, propertyName.get());
+                }
+            }
+        }
+    }
+}
+
+static void jscClassGetProperty(GObject* object, guint propID, GValue* value, GParamSpec* paramSpec)
+{
+    JSCClass* jscClass = JSC_CLASS(object);
+
+    switch (propID) {
+    case PROP_NAME:
+        g_value_set_string(value, jscClass->priv->name.data());
+        break;
+    case PROP_PARENT:
+        g_value_set_object(value, jscClass->priv->parentClass);
+        break;
+    default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propID, paramSpec);
+    }
+}
+
+static void jscClassSetProperty(GObject* object, guint propID, const GValue* value, GParamSpec* paramSpec)
+{
+    JSCClass* jscClass = JSC_CLASS(object);
+
+    switch (propID) {
+    case PROP_CONTEXT:
+        jscClass->priv->context = jscContextGetJSContext(JSC_CONTEXT(g_value_get_object(value)));
+        break;
+    case PROP_NAME:
+        jscClass->priv->name = g_value_get_string(value);
+        break;
+    case PROP_PARENT:
+        if (auto* parent = g_value_get_object(value))
+            jscClass->priv->parentClass = JSC_CLASS(parent);
+        break;
+    default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propID, paramSpec);
+    }
+}
+
+static void jscClassDispose(GObject* object)
+{
+    JSCClass* jscClass = JSC_CLASS(object);
+    if (jscClass->priv->jsClass) {
+        JSClassRelease(jscClass->priv->jsClass);
+        jscClass->priv->jsClass = nullptr;
+    }
+
+    G_OBJECT_CLASS(jsc_class_parent_class)->dispose(object);
+}
+
+static void jsc_class_class_init(JSCClassClass* klass)
+{
+    GObjectClass* objClass = G_OBJECT_CLASS(klass);
+    objClass->dispose = jscClassDispose;
+    objClass->get_property = jscClassGetProperty;
+    objClass->set_property = jscClassSetProperty;
+
+    /**
+     * JSCClass:context:
+     *
+     * The #JSCContext in which the class was registered.
+     */
+    g_object_class_install_property(objClass,
+        PROP_CONTEXT,
+        g_param_spec_object(
+            "context",
+            "JSCContext",
+            "JSC Context",
+            JSC_TYPE_CONTEXT,
+            static_cast(WEBKIT_PARAM_WRITABLE | G_PARAM_CONSTRUCT_ONLY)));
+
+    /**
+     * JSCClass:name:
+     *
+     * The name of the class.
+     */
+    g_object_class_install_property(objClass,
+        PROP_NAME,
+        g_param_spec_string(
+            "name",
+            "Name",
+            "The class name",
+            nullptr,
+            static_cast(WEBKIT_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY)));
+
+    /**
+     * JSCClass:parent:
+     *
+     * The parent class or %NULL in case of final classes.
+     */
+    g_object_class_install_property(objClass,
+        PROP_PARENT,
+        g_param_spec_object(
+            "parent",
+            "Partent",
+            "The parent class",
+            JSC_TYPE_CLASS,
+            static_cast(WEBKIT_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY)));
+}
+
+/**
+ * JSCClassGetPropertyFunction:
+ * @jsc_class: a #JSCClass
+ * @context: a #JSCContext
+ * @instance: the @jsc_class instance
+ * @name: the property name
+ *
+ * The type of get_property in #JSCClassVTable. This is only required when you need to handle
+ * external properties not added to the prototype.
+ *
+ * Returns: (transfer full) (nullable): a #JSCValue or %NULL to forward the request to
+ *    the parent class or prototype chain
+ */
+
+/**
+ * JSCClassSetPropertyFunction:
+ * @jsc_class: a #JSCClass
+ * @context: a #JSCContext
+ * @instance: the @jsc_class instance
+ * @name: the property name
+ * @value: the #JSCValue to set
+ *
+ * The type of set_property in #JSCClassVTable. This is only required when you need to handle
+ * external properties not added to the prototype.
+ *
+ * Returns: %TRUE if handled or %FALSE to forward the request to the parent class or prototype chain.
+ */
+
+/**
+ * JSCClassHasPropertyFunction:
+ * @jsc_class: a #JSCClass
+ * @context: a #JSCContext
+ * @instance: the @jsc_class instance
+ * @name: the property name
+ *
+ * The type of has_property in #JSCClassVTable. This is only required when you need to handle
+ * external properties not added to the prototype.
+ *
+ * Returns: %TRUE if @instance has a property with @name or %FALSE to forward the request
+ *    to the parent class or prototype chain.
+ */
+
+/**
+ * JSCClassDeletePropertyFunction:
+ * @jsc_class: a #JSCClass
+ * @context: a #JSCContext
+ * @instance: the @jsc_class instance
+ * @name: the property name
+ *
+ * The type of delete_property in #JSCClassVTable. This is only required when you need to handle
+ * external properties not added to the prototype.
+ *
+ * Returns: %TRUE if handled or %FALSE to to forward the request to the parent class or prototype chain.
+ */
+
+/**
+ * JSCClassEnumeratePropertiesFunction:
+ * @jsc_class: a #JSCClass
+ * @context: a #JSCContext
+ * @instance: the @jsc_class instance
+ *
+ * The type of enumerate_properties in #JSCClassVTable. This is only required when you need to handle
+ * external properties not added to the prototype.
+ *
+ * Returns: (array zero-terminated=1) (transfer full) (nullable): a %NULL-terminated array of strings
+ *    containing the property names, or %NULL if @instance doesn't have enumerable properties.
+ */
+
+/**
+ * JSCClassVTable:
+ * @get_property: a #JSCClassGetPropertyFunction for getting a property.
+ * @set_property: a #JSCClassSetPropertyFunction for setting a property.
+ * @has_property: a #JSCClassHasPropertyFunction for querying a property.
+ * @delete_property: a #JSCClassDeletePropertyFunction for deleting a property.
+ * @enumerate_properties: a #JSCClassEnumeratePropertiesFunction for enumerating properties.
+ *
+ * Virtual table for a JSCClass. This can be optionally used when registering a #JSCClass in a #JSCContext
+ * to provide a custom implementation for the class. All virtual functions are optional and can be set to
+ * %NULL to fallback to the default implementation.
+ */
+
+GRefPtr jscClassCreate(JSCContext* context, const char* name, JSCClass* parentClass, JSCClassVTable* vtable, GDestroyNotify destroyFunction)
+{
+    GRefPtr jscClass = adoptGRef(JSC_CLASS(g_object_new(JSC_TYPE_CLASS, "context", context, "name", name, "parent", parentClass, nullptr)));
+
+    JSCClassPrivate* priv = jscClass->priv;
+    priv->vtable = vtable;
+    priv->destroyFunction = destroyFunction;
+
+    JSClassDefinition definition = kJSClassDefinitionEmpty;
+    definition.className = priv->name.data();
+
+#define SET_IMPL_IF_NEEDED(definitionFunc, vtableFunc) \
+    for (auto* klass = jscClass.get(); klass; klass = klass->priv->parentClass) { \
+        if (klass->priv->vtable && klass->priv->vtable->vtableFunc) { \
+            definition.definitionFunc = definitionFunc; \
+            break; \
+        } \
+    }
+
+    SET_IMPL_IF_NEEDED(getProperty, get_property);
+    SET_IMPL_IF_NEEDED(setProperty, set_property);
+    SET_IMPL_IF_NEEDED(hasProperty, has_property);
+    SET_IMPL_IF_NEEDED(deleteProperty, delete_property);
+    SET_IMPL_IF_NEEDED(getPropertyNames, enumerate_properties);
+
+#undef SET_IMPL_IF_NEEDED
+
+    priv->jsClass = JSClassCreate(&definition);
+
+    GUniquePtr prototypeName(g_strdup_printf("%sPrototype", priv->name.data()));
+    JSClassDefinition prototypeDefinition = kJSClassDefinitionEmpty;
+    prototypeDefinition.className = prototypeName.get();
+    JSClassRef prototypeClass = JSClassCreate(&prototypeDefinition);
+    priv->prototype = jscContextGetOrCreateJSWrapper(context, prototypeClass);
+    JSClassRelease(prototypeClass);
+
+    if (priv->parentClass)
+        JSObjectSetPrototype(jscContextGetJSContext(context), toRef(priv->prototype.get()), toRef(priv->parentClass->priv->prototype.get()));
+    return jscClass;
+}
+
+JSClassRef jscClassGetJSClass(JSCClass* jscClass)
+{
+    return jscClass->priv->jsClass;
+}
+
+JSC::JSObject* jscClassGetOrCreateJSWrapper(JSCClass* jscClass, JSCContext* context, gpointer wrappedObject)
+{
+    JSCClassPrivate* priv = jscClass->priv;
+    return jscContextGetOrCreateJSWrapper(context, priv->jsClass, toRef(priv->prototype.get()), wrappedObject, priv->destroyFunction);
+}
+
+JSGlobalContextRef jscClassCreateContextWithJSWrapper(JSCClass* jscClass, JSCContext* context, gpointer wrappedObject)
+{
+    JSCClassPrivate* priv = jscClass->priv;
+    return jscContextCreateContextWithJSWrapper(context, priv->jsClass, toRef(priv->prototype.get()), wrappedObject, priv->destroyFunction);
+}
+
+void jscClassInvalidate(JSCClass* jscClass)
+{
+    jscClass->priv->context = nullptr;
+}
+
+/**
+ * jsc_class_get_name:
+ * @jsc_class: a @JSCClass
+ *
+ * Get the class name of @jsc_class
+ *
+ * Returns: (transfer none): the name of @jsc_class
+ */
+const char* jsc_class_get_name(JSCClass* jscClass)
+{
+    g_return_val_if_fail(JSC_IS_CLASS(jscClass), nullptr);
+
+    return jscClass->priv->name.data();
+}
+
+/**
+ * jsc_class_get_parent:
+ * @jsc_class: a @JSCClass
+ *
+ * Get the parent class of @jsc_class
+ *
+ * Returns: (transfer none): the parent class of @jsc_class
+ */
+JSCClass* jsc_class_get_parent(JSCClass* jscClass)
+{
+    g_return_val_if_fail(JSC_IS_CLASS(jscClass), nullptr);
+
+    return jscClass->priv->parentClass;
+}
+
+static GRefPtr jscClassCreateConstructor(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, Optional>&& parameters)
+{
+    // If the constructor doesn't have arguments, we need to swap the fake instance and user data to ensure
+    // user data is the first parameter and fake instance ignored.
+    GRefPtr closure;
+    if (parameters && parameters->isEmpty() && userData)
+        closure = adoptGRef(g_cclosure_new_swap(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify))));
+    else
+        closure = adoptGRef(g_cclosure_new(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify))));
+    JSCClassPrivate* priv = jscClass->priv;
+    JSC::ExecState* exec = toJS(priv->context);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+    auto* functionObject = JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), String::fromUTF8(name),
+        JSC::JSCCallbackFunction::Type::Constructor, jscClass, WTFMove(closure), returnType, WTFMove(parameters));
+    auto context = jscContextGetOrCreate(priv->context);
+    auto constructor = jscContextGetOrCreateValue(context.get(), toRef(functionObject));
+    GRefPtr prototype = jscContextGetOrCreateValue(context.get(), toRef(priv->prototype.get()));
+    auto nonEnumerable = static_cast(JSC_VALUE_PROPERTY_CONFIGURABLE | JSC_VALUE_PROPERTY_WRITABLE);
+    jsc_value_object_define_property_data(constructor.get(), "prototype", nonEnumerable, prototype.get());
+    jsc_value_object_define_property_data(prototype.get(), "constructor", nonEnumerable, constructor.get());
+    return constructor;
+}
+
+/**
+ * jsc_class_add_constructor: (skip)
+ * @jsc_class: a #JSCClass
+ * @name: (nullable): the constructor name or %NULL
+ * @callback: (scope async): a #GCallback to be called to create an instance of @jsc_class
+ * @user_data: (closure): user data to pass to @callback
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the constructor return value
+ * @n_params: the number of parameter types to follow or 0 if constructor doesn't receive parameters.
+ * @...: a list of #GTypes, one for each parameter.
+ *
+ * Add a constructor to @jsc_class. If @name is %NULL, the class name will be used. When new
+ * is used with the constructor or jsc_value_constructor_call() is called, @callback is invoked receiving the
+ * parameters and @user_data as the last parameter. When the constructor object is cleared in the #JSCClass context,
+ * @destroy_notify is called with @user_data as parameter.
+ *
+ * This function creates the constructor, which needs to be added to an object as a property to be able to use it. Use
+ * jsc_context_set_value() to make the constructor available in the global object.
+ *
+ * Note that the value returned by @callback is adopted by @jsc_class, and the #GDestroyNotify passed to
+ * jsc_context_register_class() is responsible for disposing of it.
+ *
+ * Returns: (transfer full): a #JSCValue representing the class constructor.
+ */
+JSCValue* jsc_class_add_constructor(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, unsigned paramCount, ...)
+{
+    g_return_val_if_fail(JSC_IS_CLASS(jscClass), nullptr);
+    g_return_val_if_fail(callback, nullptr);
+
+    JSCClassPrivate* priv = jscClass->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    if (!name)
+        name = priv->name.data();
+
+    va_list args;
+    va_start(args, paramCount);
+    Vector parameters;
+    if (paramCount) {
+        parameters.reserveInitialCapacity(paramCount);
+        for (unsigned i = 0; i < paramCount; ++i)
+            parameters.uncheckedAppend(va_arg(args, GType));
+    }
+    va_end(args);
+
+    return jscClassCreateConstructor(jscClass, name ? name : priv->name.data(), callback, userData, destroyNotify, returnType, WTFMove(parameters)).leakRef();
+
+}
+
+/**
+ * jsc_class_add_constructorv: (rename-to jsc_class_add_constructor)
+ * @jsc_class: a #JSCClass
+ * @name: (nullable): the constructor name or %NULL
+ * @callback: (scope async): a #GCallback to be called to create an instance of @jsc_class
+ * @user_data: (closure): user data to pass to @callback
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the constructor return value
+ * @n_parameters: the number of parameters
+ * @parameter_types: (nullable) (array length=n_parameters) (element-type GType): a list of #GTypes, one for each parameter, or %NULL
+ *
+ * Add a constructor to @jsc_class. If @name is %NULL, the class name will be used. When new
+ * is used with the constructor or jsc_value_constructor_call() is called, @callback is invoked receiving the
+ * parameters and @user_data as the last parameter. When the constructor object is cleared in the #JSCClass context,
+ * @destroy_notify is called with @user_data as parameter.
+ *
+ * This function creates the constructor, which needs to be added to an object as a property to be able to use it. Use
+ * jsc_context_set_value() to make the constructor available in the global object.
+ *
+ * Note that the value returned by @callback is adopted by @jsc_class, and the #GDestroyNotify passed to
+ * jsc_context_register_class() is responsible for disposing of it.
+ *
+ * Returns: (transfer full): a #JSCValue representing the class constructor.
+ */
+JSCValue* jsc_class_add_constructorv(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, unsigned parametersCount, GType* parameterTypes)
+{
+    g_return_val_if_fail(JSC_IS_CLASS(jscClass), nullptr);
+    g_return_val_if_fail(callback, nullptr);
+    g_return_val_if_fail(!parametersCount || parameterTypes, nullptr);
+
+    JSCClassPrivate* priv = jscClass->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    if (!name)
+        name = priv->name.data();
+
+    Vector parameters;
+    if (parametersCount) {
+        parameters.reserveInitialCapacity(parametersCount);
+        for (unsigned i = 0; i < parametersCount; ++i)
+            parameters.uncheckedAppend(parameterTypes[i]);
+    }
+
+    return jscClassCreateConstructor(jscClass, name ? name : priv->name.data(), callback, userData, destroyNotify, returnType, WTFMove(parameters)).leakRef();
+}
+
+/**
+ * jsc_class_add_constructor_variadic:
+ * @jsc_class: a #JSCClass
+ * @name: (nullable): the constructor name or %NULL
+ * @callback: (scope async): a #GCallback to be called to create an instance of @jsc_class
+ * @user_data: (closure): user data to pass to @callback
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the constructor return value
+ *
+ * Add a constructor to @jsc_class. If @name is %NULL, the class name will be used. When new
+ * is used with the constructor or jsc_value_constructor_call() is called, @callback is invoked receiving
+ * a #GPtrArray of #JSCValues as arguments and @user_data as the last parameter. When the constructor object
+ * is cleared in the #JSCClass context, @destroy_notify is called with @user_data as parameter.
+ *
+ * This function creates the constructor, which needs to be added to an object as a property to be able to use it. Use
+ * jsc_context_set_value() to make the constructor available in the global object.
+ *
+ * Note that the value returned by @callback is adopted by @jsc_class, and the #GDestroyNotify passed to
+ * jsc_context_register_class() is responsible for disposing of it.
+ *
+ * Returns: (transfer full): a #JSCValue representing the class constructor.
+ */
+JSCValue* jsc_class_add_constructor_variadic(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType)
+{
+    g_return_val_if_fail(JSC_IS_CLASS(jscClass), nullptr);
+    g_return_val_if_fail(callback, nullptr);
+
+    JSCClassPrivate* priv = jscClass->priv;
+    g_return_val_if_fail(jscClass->priv->context, nullptr);
+
+    if (!name)
+        name = priv->name.data();
+
+    return jscClassCreateConstructor(jscClass, name ? name : priv->name.data(), callback, userData, destroyNotify, returnType, WTF::nullopt).leakRef();
+}
+
+static void jscClassAddMethod(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, Optional>&& parameters)
+{
+    JSCClassPrivate* priv = jscClass->priv;
+    GRefPtr closure = adoptGRef(g_cclosure_new(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify))));
+    JSC::ExecState* exec = toJS(priv->context);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+    auto* functionObject = toRef(JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), String::fromUTF8(name),
+        JSC::JSCCallbackFunction::Type::Method, jscClass, WTFMove(closure), returnType, WTFMove(parameters)));
+    auto context = jscContextGetOrCreate(priv->context);
+    auto method = jscContextGetOrCreateValue(context.get(), functionObject);
+    GRefPtr prototype = jscContextGetOrCreateValue(context.get(), toRef(priv->prototype.get()));
+    auto nonEnumerable = static_cast(JSC_VALUE_PROPERTY_CONFIGURABLE | JSC_VALUE_PROPERTY_WRITABLE);
+    jsc_value_object_define_property_data(prototype.get(), name, nonEnumerable, method.get());
+}
+
+/**
+ * jsc_class_add_method: (skip)
+ * @jsc_class: a #JSCClass
+ * @name: the method name
+ * @callback: (scope async): a #GCallback to be called to invoke method @name of @jsc_class
+ * @user_data: (closure): user data to pass to @callback
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the method return value, or %G_TYPE_NONE if the method is void.
+ * @n_params: the number of parameter types to follow or 0 if the method doesn't receive parameters.
+ * @...: a list of #GTypes, one for each parameter.
+ *
+ * Add method with @name to @jsc_class. When the method is called by JavaScript or jsc_value_object_invoke_method(),
+ * @callback is called receiving the class instance as first parameter, followed by the method parameters and then
+ * @user_data as last parameter. When the method is cleared in the #JSCClass context, @destroy_notify is called with
+ * @user_data as parameter.
+ *
+ * Note that the value returned by @callback must be transfer full. In case of non-refcounted boxed types, you should use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as the instance parameter.
+ */
+void jsc_class_add_method(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, unsigned paramCount, ...)
+{
+    g_return_if_fail(JSC_IS_CLASS(jscClass));
+    g_return_if_fail(name);
+    g_return_if_fail(callback);
+    g_return_if_fail(jscClass->priv->context);
+
+    va_list args;
+    va_start(args, paramCount);
+    Vector parameters;
+    if (paramCount) {
+        parameters.reserveInitialCapacity(paramCount);
+        for (unsigned i = 0; i < paramCount; ++i)
+            parameters.uncheckedAppend(va_arg(args, GType));
+    }
+    va_end(args);
+
+    jscClassAddMethod(jscClass, name, callback, userData, destroyNotify, returnType, WTFMove(parameters));
+}
+
+/**
+ * jsc_class_add_methodv: (rename-to jsc_class_add_method)
+ * @jsc_class: a #JSCClass
+ * @name: the method name
+ * @callback: (scope async): a #GCallback to be called to invoke method @name of @jsc_class
+ * @user_data: (closure): user data to pass to @callback
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the method return value, or %G_TYPE_NONE if the method is void.
+ * @n_parameters: the number of parameter types to follow or 0 if the method doesn't receive parameters.
+ * @parameter_types: (nullable) (array length=n_parameters) (element-type GType): a list of #GTypes, one for each parameter, or %NULL
+ *
+ * Add method with @name to @jsc_class. When the method is called by JavaScript or jsc_value_object_invoke_method(),
+ * @callback is called receiving the class instance as first parameter, followed by the method parameters and then
+ * @user_data as last parameter. When the method is cleared in the #JSCClass context, @destroy_notify is called with
+ * @user_data as parameter.
+ *
+ * Note that the value returned by @callback must be transfer full. In case of non-refcounted boxed types, you should use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as the instance parameter.
+ */
+void jsc_class_add_methodv(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, unsigned parametersCount, GType *parameterTypes)
+{
+    g_return_if_fail(JSC_IS_CLASS(jscClass));
+    g_return_if_fail(name);
+    g_return_if_fail(callback);
+    g_return_if_fail(!parametersCount || parameterTypes);
+    g_return_if_fail(jscClass->priv->context);
+
+    Vector parameters;
+    if (parametersCount) {
+        parameters.reserveInitialCapacity(parametersCount);
+        for (unsigned i = 0; i < parametersCount; ++i)
+            parameters.uncheckedAppend(parameterTypes[i]);
+    }
+
+    jscClassAddMethod(jscClass, name, callback, userData, destroyNotify, returnType, WTFMove(parameters));
+}
+
+/**
+ * jsc_class_add_method_variadic:
+ * @jsc_class: a #JSCClass
+ * @name: the method name
+ * @callback: (scope async): a #GCallback to be called to invoke method @name of @jsc_class
+ * @user_data: (closure): user data to pass to @callback
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the method return value, or %G_TYPE_NONE if the method is void.
+ *
+ * Add method with @name to @jsc_class. When the method is called by JavaScript or jsc_value_object_invoke_method(),
+ * @callback is called receiving the class instance as first parameter, followed by a #GPtrArray of #JSCValues
+ * with the method arguments and then @user_data as last parameter. When the method is cleared in the #JSCClass context,
+ * @destroy_notify is called with @user_data as parameter.
+ *
+ * Note that the value returned by @callback must be transfer full. In case of non-refcounted boxed types, you should use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as the instance parameter.
+ */
+void jsc_class_add_method_variadic(JSCClass* jscClass, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType)
+{
+    g_return_if_fail(JSC_IS_CLASS(jscClass));
+    g_return_if_fail(name);
+    g_return_if_fail(callback);
+    g_return_if_fail(jscClass->priv->context);
+
+    jscClassAddMethod(jscClass, name, callback, userData, destroyNotify, returnType, WTF::nullopt);
+}
+
+/**
+ * jsc_class_add_property:
+ * @jsc_class: a #JSCClass
+ * @name: the property name
+ * @property_type: the #GType of the property value
+ * @getter: (scope async) (nullable): a #GCallback to be called to get the property value
+ * @setter: (scope async) (nullable): a #GCallback to be called to set the property value
+ * @user_data: (closure): user data to pass to @getter and @setter
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ *
+ * Add a property with @name to @jsc_class. When the property value needs to be getted, @getter is called
+ * receiving the the class instance as first parameter and @user_data as last parameter. When the property
+ * value needs to be set, @setter is called receiving the the class instance as first parameter, followed
+ * by the value to be set and then @user_data as the last parameter. When the property is cleared in the
+ * #JSCClass context, @destroy_notify is called with @user_data as parameter.
+ *
+ * Note that the value returned by @getter must be transfer full. In case of non-refcounted boxed types, you should use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as the instance parameter.
+ */
+void jsc_class_add_property(JSCClass* jscClass, const char* name, GType propertyType, GCallback getter, GCallback setter, gpointer userData, GDestroyNotify destroyNotify)
+{
+    g_return_if_fail(JSC_IS_CLASS(jscClass));
+    g_return_if_fail(name);
+    g_return_if_fail(propertyType != G_TYPE_INVALID && propertyType != G_TYPE_NONE);
+    g_return_if_fail(getter || setter);
+
+    JSCClassPrivate* priv = jscClass->priv;
+    g_return_if_fail(priv->context);
+
+    auto context = jscContextGetOrCreate(priv->context);
+    GRefPtr prototype = jscContextGetOrCreateValue(context.get(), toRef(priv->prototype.get()));
+    jsc_value_object_define_property_accessor(prototype.get(), name, JSC_VALUE_PROPERTY_CONFIGURABLE, propertyType, getter, setter, userData, destroyNotify);
+}
diff --git a/API/glib/JSCClass.h b/API/glib/JSCClass.h
new file mode 100644
index 0000000..8774196
--- /dev/null
+++ b/API/glib/JSCClass.h
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCClass_h
+#define JSCClass_h
+
+#include 
+#include 
+#include 
+
+G_BEGIN_DECLS
+
+#define JSC_TYPE_CLASS            (jsc_class_get_type())
+#define JSC_CLASS(obj)            (G_TYPE_CHECK_INSTANCE_CAST((obj), JSC_TYPE_CLASS, JSCClass))
+#define JSC_IS_CLASS(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), JSC_TYPE_CLASS))
+
+typedef struct _JSCClass JSCClass;
+typedef struct _JSCClassClass JSCClassClass;
+
+typedef struct _JSCContext JSCContext;
+
+typedef JSCValue *(*JSCClassGetPropertyFunction)        (JSCClass   *jsc_class,
+                                                         JSCContext *context,
+                                                         gpointer    instance,
+                                                         const char *name);
+typedef gboolean (*JSCClassSetPropertyFunction)         (JSCClass   *jsc_class,
+                                                         JSCContext *context,
+                                                         gpointer    instance,
+                                                         const char *name,
+                                                         JSCValue   *value);
+typedef gboolean (*JSCClassHasPropertyFunction)         (JSCClass   *jsc_class,
+                                                         JSCContext *context,
+                                                         gpointer    instance,
+                                                         const char *name);
+typedef gboolean (*JSCClassDeletePropertyFunction)      (JSCClass   *jsc_class,
+                                                         JSCContext *context,
+                                                         gpointer    instance,
+                                                         const char *name);
+typedef gchar  **(*JSCClassEnumeratePropertiesFunction) (JSCClass   *jsc_class,
+                                                         JSCContext *context,
+                                                         gpointer    instance);
+
+
+typedef struct {
+    JSCClassGetPropertyFunction get_property;
+    JSCClassSetPropertyFunction set_property;
+    JSCClassHasPropertyFunction has_property;
+    JSCClassDeletePropertyFunction delete_property;
+    JSCClassEnumeratePropertiesFunction enumerate_properties;
+
+    /*< private >*/
+    void (*_jsc_reserved0) (void);
+    void (*_jsc_reserved1) (void);
+    void (*_jsc_reserved2) (void);
+    void (*_jsc_reserved3) (void);
+} JSCClassVTable;
+
+JSC_API GType
+jsc_class_get_type                 (void);
+
+JSC_API const char *
+jsc_class_get_name                 (JSCClass      *jsc_class);
+
+JSC_API JSCClass *
+jsc_class_get_parent               (JSCClass      *jsc_class);
+
+JSC_API JSCValue *
+jsc_class_add_constructor          (JSCClass      *jsc_class,
+                                    const char    *name,
+                                    GCallback      callback,
+                                    gpointer       user_data,
+                                    GDestroyNotify destroy_notify,
+                                    GType          return_type,
+                                    guint          n_params,
+                                    ...);
+
+JSC_API JSCValue *
+jsc_class_add_constructorv         (JSCClass      *jsc_class,
+                                    const char    *name,
+                                    GCallback      callback,
+                                    gpointer       user_data,
+                                    GDestroyNotify destroy_notify,
+                                    GType          return_type,
+                                    guint          n_parameters,
+                                    GType         *parameter_types);
+
+JSC_API JSCValue *
+jsc_class_add_constructor_variadic (JSCClass      *jsc_class,
+                                    const char    *name,
+                                    GCallback      callback,
+                                    gpointer       user_data,
+                                    GDestroyNotify destroy_notify,
+                                    GType          return_type);
+
+JSC_API void
+jsc_class_add_method               (JSCClass      *jsc_class,
+                                    const char    *name,
+                                    GCallback      callback,
+                                    gpointer       user_data,
+                                    GDestroyNotify destroy_notify,
+                                    GType          return_type,
+                                    guint          n_params,
+                                    ...);
+
+JSC_API void
+jsc_class_add_methodv              (JSCClass      *jsc_class,
+                                    const char    *name,
+                                    GCallback      callback,
+                                    gpointer       user_data,
+                                    GDestroyNotify destroy_notify,
+                                    GType          return_type,
+                                    guint          n_parameters,
+                                    GType         *parameter_types);
+
+JSC_API void
+jsc_class_add_method_variadic      (JSCClass      *jsc_class,
+                                    const char    *name,
+                                    GCallback      callback,
+                                    gpointer       user_data,
+                                    GDestroyNotify destroy_notify,
+                                    GType          return_type);
+
+JSC_API void
+jsc_class_add_property             (JSCClass      *jsc_class,
+                                    const char    *name,
+                                    GType          property_type,
+                                    GCallback      getter,
+                                    GCallback      setter,
+                                    gpointer       user_data,
+                                    GDestroyNotify destroy_notify);
+
+G_END_DECLS
+
+#endif /* JSCClass_h */
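Review bot: `parameter_types` in the `jsc_class_add_constructorv` and `jsc_class_add_methodv` declarations should be `const GType *`, since the implementations only read `parameterTypes[i]` while copying the types into a Vector and never retain the array; the two lines would become `                                    const GType   *parameter_types);` in both prototypes, with the matching definitions in JSCClass.cpp changed from `GType *parameterTypes` to `const GType *parameterTypes`. A const pointer lets callers pass a static or `const` array without a cast and makes the non-owning contract explicit, which is consistent with the `(array length=n_parameters)` annotation that already marks the array as caller-owned. This is an API-shape choice, so it is cheapest to settle before the header ships.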
diff --git a/API/glib/JSCClassPrivate.h b/API/glib/JSCClassPrivate.h
new file mode 100644
index 0000000..605daf5
--- /dev/null
+++ b/API/glib/JSCClassPrivate.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#pragma once
+
+#include "APICast.h"
+#include "JSCClass.h"
+#include "JSCContext.h"
+#include "JSCValue.h"
+#include 
+
+GRefPtr jscClassCreate(JSCContext*, const char*, JSCClass*, JSCClassVTable*, GDestroyNotify);
+JSClassRef jscClassGetJSClass(JSCClass*);
+JSC::JSObject* jscClassGetOrCreateJSWrapper(JSCClass*, JSCContext*, gpointer);
+JSGlobalContextRef jscClassCreateContextWithJSWrapper(JSCClass*, JSCContext*, gpointer);
+void jscClassInvalidate(JSCClass*);
diff --git a/API/glib/JSCContext.cpp b/API/glib/JSCContext.cpp
new file mode 100644
index 0000000..e01e970
--- /dev/null
+++ b/API/glib/JSCContext.cpp
@@ -0,0 +1,1081 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCContext.h"
+
+#include "JSCClassPrivate.h"
+#include "JSCContextPrivate.h"
+#include "JSCExceptionPrivate.h"
+#include "JSCInlines.h"
+#include "JSCValuePrivate.h"
+#include "JSCVirtualMachinePrivate.h"
+#include "JSCWrapperMap.h"
+#include "JSRetainPtr.h"
+#include "JSWithScope.h"
+#include "OpaqueJSString.h"
+#include "Parser.h"
+#include 
+#include 
+
+/**
+ * SECTION: JSCContext
+ * @short_description: JavaScript execution context
+ * @title: JSCContext
+ *
+ * JSCContext represents a JavaScript execution context, where all operations
+ * take place and where the values will be associated.
+ *
+ * When a new context is created, a global object is allocated and the built-in JavaScript
+ * objects (Object, Function, String, Array) are populated. You can execute JavaScript in
+ * the context by using jsc_context_evaluate() or jsc_context_evaluate_with_source_uri().
+ * It's also possible to register custom objects in the context with jsc_context_register_class().
+ */
+
+enum {
+    PROP_0,
+
+    PROP_VIRTUAL_MACHINE,
+};
+
+struct JSCContextExceptionHandler {
+    JSCContextExceptionHandler(JSCExceptionHandler handler, void* userData = nullptr, GDestroyNotify destroyNotifyFunction = nullptr)
+        : handler(handler)
+        , userData(userData)
+        , destroyNotifyFunction(destroyNotifyFunction)
+    {
+    }
+
+    ~JSCContextExceptionHandler()
+    {
+        if (destroyNotifyFunction)
+            destroyNotifyFunction(userData);
+    }
+
+    JSCContextExceptionHandler(JSCContextExceptionHandler&& other)
+    {
+        std::swap(handler, other.handler);
+        std::swap(userData, other.userData);
+        std::swap(destroyNotifyFunction, other.destroyNotifyFunction);
+    }
+
+    JSCContextExceptionHandler(const JSCContextExceptionHandler&) = delete;
+    JSCContextExceptionHandler& operator=(const JSCContextExceptionHandler&) = delete;
+
+    JSCExceptionHandler handler { nullptr };
+    void* userData { nullptr };
+    GDestroyNotify destroyNotifyFunction { nullptr };
+};
+
+struct _JSCContextPrivate {
+    GRefPtr vm;
+    JSRetainPtr jsContext;
+    GRefPtr exception;
+    Vector exceptionHandlers;
+};
+
+WEBKIT_DEFINE_TYPE(JSCContext, jsc_context, G_TYPE_OBJECT)
+
+static void jscContextSetVirtualMachine(JSCContext* context, GRefPtr&& vm)
+{
+    JSCContextPrivate* priv = context->priv;
+    if (vm) {
+        ASSERT(!priv->vm);
+        priv->vm = WTFMove(vm);
+        ASSERT(!priv->jsContext);
+        GUniquePtr name(g_strdup_printf("%p-jsContext", &Thread::current()));
+        if (auto* data = g_object_get_data(G_OBJECT(priv->vm.get()), name.get())) {
+            priv->jsContext = static_cast(data);
+            g_object_set_data(G_OBJECT(priv->vm.get()), name.get(), nullptr);
+        } else
+            priv->jsContext = JSRetainPtr(Adopt, JSGlobalContextCreateInGroup(jscVirtualMachineGetContextGroup(priv->vm.get()), nullptr));
+        auto* globalObject = toJSGlobalObject(priv->jsContext.get());
+        if (!globalObject->wrapperMap())
+            globalObject->setWrapperMap(std::make_unique(priv->jsContext.get()));
+        jscVirtualMachineAddContext(priv->vm.get(), context);
+    } else if (priv->vm) {
+        ASSERT(priv->jsContext);
+        jscVirtualMachineRemoveContext(priv->vm.get(), context);
+        priv->jsContext = nullptr;
+        priv->vm = nullptr;
+    }
+}
+
+static void jscContextGetProperty(GObject* object, guint propID, GValue* value, GParamSpec* paramSpec)
+{
+    JSCContextPrivate* priv = JSC_CONTEXT(object)->priv;
+
+    switch (propID) {
+    case PROP_VIRTUAL_MACHINE:
+        g_value_set_object(value, priv->vm.get());
+        break;
+    default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propID, paramSpec);
+    }
+}
+
+static void jscContextSetProperty(GObject* object, guint propID, const GValue* value, GParamSpec* paramSpec)
+{
+    JSCContext* context = JSC_CONTEXT(object);
+
+    switch (propID) {
+    case PROP_VIRTUAL_MACHINE:
+        if (gpointer vm = g_value_get_object(value))
+            jscContextSetVirtualMachine(context, GRefPtr(JSC_VIRTUAL_MACHINE(vm)));
+        break;
+    default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propID, paramSpec);
+    }
+}
+
+static void jscContextConstructed(GObject* object)
+{
+    G_OBJECT_CLASS(jsc_context_parent_class)->constructed(object);
+
+    JSCContext* context = JSC_CONTEXT(object);
+    if (!context->priv->vm)
+        jscContextSetVirtualMachine(context, adoptGRef(jsc_virtual_machine_new()));
+
+    context->priv->exceptionHandlers.append(JSCContextExceptionHandler([](JSCContext* context, JSCException* exception, gpointer) {
+        jsc_context_throw_exception(context, exception);
+    }));
+}
+
+static void jscContextDispose(GObject* object)
+{
+    JSCContext* context = JSC_CONTEXT(object);
+    jscContextSetVirtualMachine(context, nullptr);
+
+    G_OBJECT_CLASS(jsc_context_parent_class)->dispose(object);
+}
+
+static void jsc_context_class_init(JSCContextClass* klass)
+{
+    GObjectClass* objClass = G_OBJECT_CLASS(klass);
+    objClass->get_property = jscContextGetProperty;
+    objClass->set_property = jscContextSetProperty;
+    objClass->constructed = jscContextConstructed;
+    objClass->dispose = jscContextDispose;
+
+    /**
+     * JSCContext:virtual-machine:
+     *
+     * The #JSCVirtualMachine in which the context was created.
+     */
+    g_object_class_install_property(objClass,
+        PROP_VIRTUAL_MACHINE,
+        g_param_spec_object(
+            "virtual-machine",
+            "JSCVirtualMachine",
+            "JSC Virtual Machine",
+            JSC_TYPE_VIRTUAL_MACHINE,
+            static_cast(WEBKIT_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY)));
+}
+
+GRefPtr jscContextGetOrCreate(JSGlobalContextRef jsContext)
+{
+    auto vm = jscVirtualMachineGetOrCreate(toRef(&toJS(jsContext)->vm()));
+    if (GRefPtr context = jscVirtualMachineGetContext(vm.get(), jsContext))
+        return context;
+
+    GUniquePtr name(g_strdup_printf("%p-jsContext", &Thread::current()));
+    g_object_set_data(G_OBJECT(vm.get()), name.get(), jsContext);
+    return adoptGRef(jsc_context_new_with_virtual_machine(vm.get()));
+}
+
+JSGlobalContextRef jscContextGetJSContext(JSCContext* context)
+{
+    ASSERT(JSC_IS_CONTEXT(context));
+
+    JSCContextPrivate* priv = context->priv;
+    return priv->jsContext.get();
+}
+
+static JSC::WrapperMap& wrapperMap(JSCContext* context)
+{
+    auto* map = toJSGlobalObject(context->priv->jsContext.get())->wrapperMap();
+    ASSERT(map);
+    return *map;
+}
+
+GRefPtr jscContextGetOrCreateValue(JSCContext* context, JSValueRef jsValue)
+{
+    return wrapperMap(context).gobjectWrapper(context, jsValue);
+}
+
+void jscContextValueDestroyed(JSCContext* context, JSValueRef jsValue)
+{
+    wrapperMap(context).unwrap(jsValue);
+}
+
+JSC::JSObject* jscContextGetJSWrapper(JSCContext* context, gpointer wrappedObject)
+{
+    return wrapperMap(context).jsWrapper(wrappedObject);
+}
+
+JSC::JSObject* jscContextGetOrCreateJSWrapper(JSCContext* context, JSClassRef jsClass, JSValueRef prototype, gpointer wrappedObject, GDestroyNotify destroyFunction)
+{
+    if (auto* jsWrapper = jscContextGetJSWrapper(context, wrappedObject))
+        return jsWrapper;
+
+    return wrapperMap(context).createJSWrappper(context->priv->jsContext.get(), jsClass, prototype, wrappedObject, destroyFunction);
+}
+
+JSGlobalContextRef jscContextCreateContextWithJSWrapper(JSCContext* context, JSClassRef jsClass, JSValueRef prototype, gpointer wrappedObject, GDestroyNotify destroyFunction)
+{
+    return wrapperMap(context).createContextWithJSWrappper(jscVirtualMachineGetContextGroup(context->priv->vm.get()), jsClass, prototype, wrappedObject, destroyFunction);
+}
+
+gpointer jscContextWrappedObject(JSCContext* context, JSObjectRef jsObject)
+{
+    return wrapperMap(context).wrappedObject(context->priv->jsContext.get(), jsObject);
+}
+
+JSCClass* jscContextGetRegisteredClass(JSCContext* context, JSClassRef jsClass)
+{
+    return wrapperMap(context).registeredClass(jsClass);
+}
+
+CallbackData jscContextPushCallback(JSCContext* context, JSValueRef calleeValue, JSValueRef thisValue, size_t argumentCount, const JSValueRef* arguments)
+{
+    Thread& thread = Thread::current();
+    auto* previousStack = static_cast(thread.m_apiData);
+    CallbackData data = { context, WTFMove(context->priv->exception), calleeValue, thisValue, argumentCount, arguments, previousStack };
+    thread.m_apiData = &data;
+    return data;
+}
+
+void jscContextPopCallback(JSCContext* context, CallbackData&& data)
+{
+    Thread& thread = Thread::current();
+    context->priv->exception = WTFMove(data.preservedException);
+    thread.m_apiData = data.next;
+}
+
+JSValueRef jscContextGArrayToJSArray(JSCContext* context, GPtrArray* gArray, JSValueRef* exception)
+{
+    JSCContextPrivate* priv = context->priv;
+    auto* jsArray = JSObjectMakeArray(priv->jsContext.get(), 0, nullptr, exception);
+    if (*exception)
+        return JSValueMakeUndefined(priv->jsContext.get());
+
+    if (!gArray)
+        return jsArray;
+
+    auto* jsArrayObject = JSValueToObject(priv->jsContext.get(), jsArray, exception);
+    if (*exception)
+        return JSValueMakeUndefined(priv->jsContext.get());
+
+    for (unsigned i = 0; i < gArray->len; ++i) {
+        gpointer item = g_ptr_array_index(gArray, i);
+        if (!item)
+            JSObjectSetPropertyAtIndex(priv->jsContext.get(), jsArrayObject, i, JSValueMakeNull(priv->jsContext.get()), exception);
+        else if (JSC_IS_VALUE(item))
+            JSObjectSetPropertyAtIndex(priv->jsContext.get(), jsArrayObject, i, jscValueGetJSValue(JSC_VALUE(item)), exception);
+        else
+            *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid item type in GPtrArray")));
+
+        if (*exception)
+            return JSValueMakeUndefined(priv->jsContext.get());
+    }
+
+    return jsArray;
+}
+
+static GRefPtr jscContextJSArrayToGArray(JSCContext* context, JSValueRef jsArray, JSValueRef* exception)
+{
+    JSCContextPrivate* priv = context->priv;
+    if (JSValueIsNull(priv->jsContext.get(), jsArray))
+        return nullptr;
+
+    if (!JSValueIsArray(priv->jsContext.get(), jsArray)) {
+        *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GPtrArray")));
+        return nullptr;
+    }
+
+    auto* jsArrayObject = JSValueToObject(priv->jsContext.get(), jsArray, exception);
+    if (*exception)
+        return nullptr;
+
+    JSRetainPtr lengthString(Adopt, JSStringCreateWithUTF8CString("length"));
+    auto* jsLength = JSObjectGetProperty(priv->jsContext.get(), jsArrayObject, lengthString.get(), exception);
+    if (*exception)
+        return nullptr;
+
+    auto length = JSC::toUInt32(JSValueToNumber(priv->jsContext.get(), jsLength, exception));
+    if (*exception)
+        return nullptr;
+
+    GRefPtr gArray = adoptGRef(g_ptr_array_new_with_free_func(g_object_unref));
+    for (unsigned i = 0; i < length; ++i) {
+        auto* jsItem = JSObjectGetPropertyAtIndex(priv->jsContext.get(), jsArrayObject, i, exception);
+        if (*exception)
+            return nullptr;
+
+        g_ptr_array_add(gArray.get(), jsItem ? jscContextGetOrCreateValue(context, jsItem).leakRef() : nullptr);
+    }
+
+    return gArray;
+}
+
+GUniquePtr jscContextJSArrayToGStrv(JSCContext* context, JSValueRef jsArray, JSValueRef* exception)
+{
+    JSCContextPrivate* priv = context->priv;
+    if (JSValueIsNull(priv->jsContext.get(), jsArray))
+        return nullptr;
+
+    if (!JSValueIsArray(priv->jsContext.get(), jsArray)) {
+        *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GStrv")));
+        return nullptr;
+    }
+
+    auto* jsArrayObject = JSValueToObject(priv->jsContext.get(), jsArray, exception);
+    if (*exception)
+        return nullptr;
+
+    JSRetainPtr lengthString(Adopt, JSStringCreateWithUTF8CString("length"));
+    auto* jsLength = JSObjectGetProperty(priv->jsContext.get(), jsArrayObject, lengthString.get(), exception);
+    if (*exception)
+        return nullptr;
+
+    auto length = JSC::toUInt32(JSValueToNumber(priv->jsContext.get(), jsLength, exception));
+    if (*exception)
+        return nullptr;
+
+    GUniquePtr strv(static_cast(g_new0(char*, length + 1)));
+    for (unsigned i = 0; i < length; ++i) {
+        auto* jsItem = JSObjectGetPropertyAtIndex(priv->jsContext.get(), jsArrayObject, i, exception);
+        if (*exception)
+            return nullptr;
+
+        auto jsValueItem = jscContextGetOrCreateValue(context, jsItem);
+        if (!jsc_value_is_string(jsValueItem.get())) {
+            *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GStrv: item ", String::number(i), " is not a string")));
+            return nullptr;
+        }
+
+        strv.get()[i] = jsc_value_to_string(jsValueItem.get());
+    }
+
+    return strv;
+}
+
+JSValueRef jscContextGValueToJSValue(JSCContext* context, const GValue* value, JSValueRef* exception)
+{
+    JSCContextPrivate* priv = context->priv;
+
+    switch (g_type_fundamental(G_VALUE_TYPE(value))) {
+    case G_TYPE_BOOLEAN:
+        return JSValueMakeBoolean(priv->jsContext.get(), g_value_get_boolean(value));
+    case G_TYPE_CHAR:
+    case G_TYPE_INT:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_int);
+    case G_TYPE_ENUM:
+        return JSValueMakeNumber(priv->jsContext.get(), g_value_get_enum(value));
+    case G_TYPE_FLAGS:
+        return JSValueMakeNumber(priv->jsContext.get(), g_value_get_flags(value));
+    case G_TYPE_UCHAR:
+    case G_TYPE_UINT:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_uint);
+    case G_TYPE_FLOAT:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_float);
+    case G_TYPE_DOUBLE:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_double);
+    case G_TYPE_LONG:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_long);
+    case G_TYPE_ULONG:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_ulong);
+    case G_TYPE_INT64:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_int64);
+    case G_TYPE_UINT64:
+        return JSValueMakeNumber(priv->jsContext.get(), value->data[0].v_uint64);
+    case G_TYPE_STRING:
+        if (const char* stringValue = g_value_get_string(value)) {
+            JSRetainPtr jsString(Adopt, JSStringCreateWithUTF8CString(stringValue));
+            return JSValueMakeString(priv->jsContext.get(), jsString.get());
+        }
+        return JSValueMakeNull(priv->jsContext.get());
+    case G_TYPE_POINTER:
+    case G_TYPE_OBJECT:
+    case G_TYPE_BOXED:
+        if (auto* ptr = value->data[0].v_pointer) {
+            if (auto* jsWrapper = jscContextGetJSWrapper(context, ptr))
+                return toRef(jsWrapper);
+
+            if (g_type_is_a(G_VALUE_TYPE(value), JSC_TYPE_VALUE))
+                return jscValueGetJSValue(JSC_VALUE(ptr));
+
+            if (g_type_is_a(G_VALUE_TYPE(value), JSC_TYPE_EXCEPTION))
+                return jscExceptionGetJSValue(JSC_EXCEPTION(ptr));
+
+            if (g_type_is_a(G_VALUE_TYPE(value), G_TYPE_PTR_ARRAY))
+                return jscContextGArrayToJSArray(context, static_cast(ptr), exception);
+
+            if (g_type_is_a(G_VALUE_TYPE(value), G_TYPE_STRV)) {
+                auto** strv = static_cast(ptr);
+                auto strvLength = g_strv_length(strv);
+                GRefPtr gArray = adoptGRef(g_ptr_array_new_full(strvLength, g_object_unref));
+                for (unsigned i = 0; i < strvLength; i++)
+                    g_ptr_array_add(gArray.get(), jsc_value_new_string(context, strv[i]));
+                return jscContextGArrayToJSArray(context, gArray.get(), exception);
+            }
+        } else
+            return JSValueMakeNull(priv->jsContext.get());
+
+        break;
+    case G_TYPE_PARAM:
+    case G_TYPE_INTERFACE:
+    case G_TYPE_VARIANT:
+    default:
+        break;
+    }
+
+    *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value)))));
+    return JSValueMakeUndefined(priv->jsContext.get());
+}
+
+void jscContextJSValueToGValue(JSCContext* context, JSValueRef jsValue, GType type, GValue* value, JSValueRef* exception)
+{
+    JSCContextPrivate* priv = context->priv;
+    g_value_init(value, type);
+
+    auto fundamentalType = g_type_fundamental(G_VALUE_TYPE(value));
+    switch (fundamentalType) {
+    case G_TYPE_INT:
+        g_value_set_int(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_FLOAT:
+        g_value_set_float(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_DOUBLE:
+        g_value_set_double(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_BOOLEAN:
+        g_value_set_boolean(value, JSValueToBoolean(priv->jsContext.get(), jsValue));
+        break;
+    case G_TYPE_STRING:
+        if (!JSValueIsNull(priv->jsContext.get(), jsValue)) {
+            JSRetainPtr jsString(Adopt, JSValueToStringCopy(priv->jsContext.get(), jsValue, exception));
+            if (*exception)
+                return;
+            size_t maxSize = JSStringGetMaximumUTF8CStringSize(jsString.get());
+            auto* string = static_cast(g_malloc(maxSize));
+            JSStringGetUTF8CString(jsString.get(), string, maxSize);
+            g_value_take_string(value, string);
+        } else
+            g_value_set_string(value, nullptr);
+        break;
+    case G_TYPE_CHAR:
+        g_value_set_schar(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_UCHAR:
+        g_value_set_uchar(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_UINT:
+        g_value_set_uint(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_POINTER:
+    case G_TYPE_OBJECT:
+    case G_TYPE_BOXED: {
+        gpointer wrappedObject = nullptr;
+
+        if (!JSValueIsNull(priv->jsContext.get(), jsValue)) {
+            auto jsObject = JSValueToObject(priv->jsContext.get(), jsValue, exception);
+            if (*exception)
+                return;
+
+            wrappedObject = jscContextWrappedObject(context, jsObject);
+            if (!wrappedObject) {
+                if (g_type_is_a(G_VALUE_TYPE(value), JSC_TYPE_VALUE)) {
+                    auto jscValue = jscContextGetOrCreateValue(context, jsValue);
+                    g_value_set_object(value, jscValue.get());
+                    return;
+                }
+
+                if (g_type_is_a(G_VALUE_TYPE(value), JSC_TYPE_EXCEPTION)) {
+                    auto exception = jscExceptionCreate(context, jsValue);
+                    g_value_set_object(value, exception.get());
+                    return;
+                }
+
+                if (g_type_is_a(G_VALUE_TYPE(value), G_TYPE_PTR_ARRAY)) {
+                    auto gArray = jscContextJSArrayToGArray(context, jsValue, exception);
+                    if (!*exception)
+                        g_value_take_boxed(value, gArray.leakRef());
+                    return;
+                }
+
+                if (g_type_is_a(G_VALUE_TYPE(value), G_TYPE_STRV)) {
+                    auto strv = jscContextJSArrayToGStrv(context, jsValue, exception);
+                    if (!*exception)
+                        g_value_take_boxed(value, strv.release());
+                    return;
+                }
+
+                *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), "invalid pointer type"_s));
+                return;
+            }
+        }
+        if (fundamentalType == G_TYPE_POINTER)
+            g_value_set_pointer(value, wrappedObject);
+        else if (fundamentalType == G_TYPE_BOXED)
+            g_value_set_boxed(value, wrappedObject);
+        else if (G_IS_OBJECT(wrappedObject))
+            g_value_set_object(value, wrappedObject);
+        else
+            *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), "wrapped object is not a GObject"_s));
+        break;
+    }
+    case G_TYPE_LONG:
+        g_value_set_long(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_ULONG:
+        g_value_set_ulong(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_INT64:
+        g_value_set_int64(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_UINT64:
+        g_value_set_uint64(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_ENUM:
+        g_value_set_enum(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_FLAGS:
+        g_value_set_flags(value, JSValueToNumber(priv->jsContext.get(), jsValue, exception));
+        break;
+    case G_TYPE_PARAM:
+    case G_TYPE_INTERFACE:
+    case G_TYPE_VARIANT:
+    default:
+        *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value)))));
+        break;
+    }
+}
+
+/**
+ * jsc_context_new:
+ *
+ * Create a new #JSCContext. The context is created in a new #JSCVirtualMachine.
+ * Use jsc_context_new_with_virtual_machine() to create a new #JSCContext in an
+ * existing #JSCVirtualMachine.
+ *
+ * Returns: (transfer full): the newly created #JSCContext.
+ */
+JSCContext* jsc_context_new()
+{
+    return JSC_CONTEXT(g_object_new(JSC_TYPE_CONTEXT, nullptr));
+}
+
+/**
+ * jsc_context_new_with_virtual_machine:
+ * @vm: a #JSCVirtualMachine
+ *
+ * Create a new #JSCContext in @virtual_machine.
+ *
+ * Returns: (transfer full): the newly created #JSCContext.
+ */
+JSCContext* jsc_context_new_with_virtual_machine(JSCVirtualMachine* vm)
+{
+    g_return_val_if_fail(JSC_IS_VIRTUAL_MACHINE(vm), nullptr);
+    return JSC_CONTEXT(g_object_new(JSC_TYPE_CONTEXT, "virtual-machine", vm, nullptr));
+}
+
+/**
+ * jsc_context_get_virtual_machine:
+ * @context: a #JSCContext
+ *
+ * Get the #JSCVirtualMachine where @context was created.
+ *
+ * Returns: (transfer none): the #JSCVirtualMachine where the #JSCContext was created.
+ */
+JSCVirtualMachine* jsc_context_get_virtual_machine(JSCContext* context)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    return context->priv->vm.get();
+}
+
+/**
+ * jsc_context_get_exception:
+ * @context: a #JSCContext
+ *
+ * Get the last unhandled exception thrown in @context by API functions calls.
+ *
+ * Returns: (transfer none) (nullable): a #JSCException or %NULL if there isn't any
+ *    unhandled exception in the #JSCContext.
+ */
+JSCException* jsc_context_get_exception(JSCContext *context)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    return context->priv->exception.get();
+}
+
+/**
+ * jsc_context_throw:
+ * @context: a #JSCContext
+ * @error_message: an error message
+ *
+ * Throw an exception to @context using the given error message. The created #JSCException
+ * can be retrieved with jsc_context_get_exception().
+ */
+void jsc_context_throw(JSCContext* context, const char* errorMessage)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+
+    context->priv->exception = adoptGRef(jsc_exception_new(context, errorMessage));
+}
+
+/**
+ * jsc_context_throw_printf:
+ * @context: a #JSCContext
+ * @format: the string format
+ * @...: the parameters to insert into the format string
+ *
+ * Throw an exception to @context using the given formatted string as error message.
+ * The created #JSCException can be retrieved with jsc_context_get_exception().
+ */
+void jsc_context_throw_printf(JSCContext* context, const char* format, ...)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+
+    va_list args;
+    va_start(args, format);
+    context->priv->exception = adoptGRef(jsc_exception_new_vprintf(context, format, args));
+    va_end(args);
+}
+
+/**
+ * jsc_context_throw_with_name:
+ * @context: a #JSCContext
+ * @error_name: the error name
+ * @error_message: an error message
+ *
+ * Throw an exception to @context using the given error name and message. The created #JSCException
+ * can be retrieved with jsc_context_get_exception().
+ */
+void jsc_context_throw_with_name(JSCContext* context, const char* errorName, const char* errorMessage)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+    g_return_if_fail(errorName);
+
+    context->priv->exception = adoptGRef(jsc_exception_new_with_name(context, errorName, errorMessage));
+}
+
+/**
+ * jsc_context_throw_with_name_printf:
+ * @context: a #JSCContext
+ * @error_name: the error name
+ * @format: the string format
+ * @...: the parameters to insert into the format string
+ *
+ * Throw an exception to @context using the given error name and the formatted string as error message.
+ * The created #JSCException can be retrieved with jsc_context_get_exception().
+ */
+void jsc_context_throw_with_name_printf(JSCContext* context, const char* errorName, const char* format, ...)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+
+    va_list args;
+    va_start(args, format);
+    context->priv->exception = adoptGRef(jsc_exception_new_with_name_vprintf(context, errorName, format, args));
+    va_end(args);
+}
+
+/**
+ * jsc_context_throw_exception:
+ * @context: a #JSCContext
+ * @exception: a #JSCException
+ *
+ * Throw @exception to @context.
+ */
+void jsc_context_throw_exception(JSCContext* context, JSCException* exception)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+    g_return_if_fail(JSC_IS_EXCEPTION(exception));
+
+    context->priv->exception = exception;
+}
+
+/**
+ * jsc_context_clear_exception:
+ * @context: a #JSCContext
+ *
+ * Clear the uncaught exception in @context if any.
+ */
+void jsc_context_clear_exception(JSCContext* context)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+
+    context->priv->exception = nullptr;
+}
+
+/**
+ * JSCExceptionHandler:
+ * @context: a #JSCContext
+ * @exception: a #JSCException
+ * @user_data: user data
+ *
+ * Function used to handle JavaScript exceptions in a #JSCContext.
+ */
+
+/**
+ * jsc_context_push_exception_handler:
+ * @context: a #JSCContext
+ * @handler: a #JSCExceptionHandler
+ * @user_data: (closure): user data to pass to @handler
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ *
+ * Push an exception handler in @context. Whenever a JavaScript exception happens in
+ * the #JSCContext, the given @handler will be called. The default #JSCExceptionHandler
+ * simply calls jsc_context_throw_exception() to throw the exception to the #JSCContext.
+ * If you don't want to catch the exception, but only get notified about it, call
+ * jsc_context_throw_exception() in @handler like the default one does.
+ * The last exception handler pushed is the only one used by the #JSCContext, use
+ * jsc_context_pop_exception_handler() to remove it and set the previous one. When @handler
+ * is removed from the context, @destroy_notify i called with @user_data as parameter.
+ */
+void jsc_context_push_exception_handler(JSCContext* context, JSCExceptionHandler handler, gpointer userData, GDestroyNotify destroyNotify)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+    g_return_if_fail(handler);
+
+    context->priv->exceptionHandlers.append({ handler, userData, destroyNotify });
+}
+
+/**
+ * jsc_context_pop_exception_handler:
+ * @context: a #JSCContext
+ *
+ * Remove the last #JSCExceptionHandler previously pushed to @context with
+ * jsc_context_push_exception_handler().
+ */
+void jsc_context_pop_exception_handler(JSCContext* context)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+    g_return_if_fail(context->priv->exceptionHandlers.size() > 1);
+
+    context->priv->exceptionHandlers.removeLast();
+}
+
+bool jscContextHandleExceptionIfNeeded(JSCContext* context, JSValueRef jsException)
+{
+    if (!jsException)
+        return false;
+
+    auto exception = jscExceptionCreate(context, jsException);
+    ASSERT(!context->priv->exceptionHandlers.isEmpty());
+    const auto& exceptionHandler = context->priv->exceptionHandlers.last();
+    exceptionHandler.handler(context, exception.get(), exceptionHandler.userData);
+
+    return true;
+}
+
+/**
+ * jsc_context_get_current:
+ *
+ * Get the #JSCContext that is currently executing a function. This should only be
+ * called within a function or method callback, otherwise %NULL will be returned.
+ *
+ * Returns: (transfer none) (nullable): the #JSCContext that is currently executing.
+ */
+JSCContext* jsc_context_get_current()
+{
+    auto* data = static_cast(Thread::current().m_apiData);
+    return data ? data->context.get() : nullptr;
+}
+
+/**
+ * jsc_context_evaluate:
+ * @context: a #JSCContext
+ * @code: a JavaScript script to evaluate
+ * @length: length of @code, or -1 if @code is a nul-terminated string
+ *
+ * Evaluate @code in @context.
+ *
+ * Returns: (transfer full): a #JSCValue representing the last value generated by the script.
+ */
+JSCValue* jsc_context_evaluate(JSCContext* context, const char* code, gssize length)
+{
+    return jsc_context_evaluate_with_source_uri(context, code, length, nullptr, 0);
+}
+
+static JSValueRef evaluateScriptInContext(JSGlobalContextRef jsContext, String&& script, const char* uri, unsigned lineNumber, JSValueRef* exception)
+{
+    JSRetainPtr scriptJS(Adopt, OpaqueJSString::tryCreate(WTFMove(script)).leakRef());
+    JSRetainPtr sourceURI = uri ? adopt(JSStringCreateWithUTF8CString(uri)) : nullptr;
+    return JSEvaluateScript(jsContext, scriptJS.get(), nullptr, sourceURI.get(), lineNumber, exception);
+}
+
+/**
+ * jsc_context_evaluate_with_source_uri:
+ * @context: a #JSCContext
+ * @code: a JavaScript script to evaluate
+ * @length: length of @code, or -1 if @code is a nul-terminated string
+ * @uri: the source URI
+ * @line_number: the starting line number
+ *
+ * Evaluate @code in @context using @uri as the source URI. The @line_number is the starting line number
+ * in @uri; the value is one-based so the first line is 1. @uri and @line_number will be shown in exceptions and
+ * they don't affect the behavior of the script.
+ *
+ * Returns: (transfer full): a #JSCValue representing the last value generated by the script.
+ */
+JSCValue* jsc_context_evaluate_with_source_uri(JSCContext* context, const char* code, gssize length, const char* uri, unsigned lineNumber)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(code, nullptr);
+
+    JSValueRef exception = nullptr;
+    JSValueRef result = evaluateScriptInContext(context->priv->jsContext.get(), String::fromUTF8(code, length < 0 ? strlen(code) : length), uri, lineNumber, &exception);
+    if (jscContextHandleExceptionIfNeeded(context, exception))
+        return jsc_value_new_undefined(context);
+
+    return jscContextGetOrCreateValue(context, result).leakRef();
+}
+
+/**
+ * jsc_context_evaluate_in_object:
+ * @context: a #JSCContext
+ * @code: a JavaScript script to evaluate
+ * @length: length of @code, or -1 if @code is a nul-terminated string
+ * @object_instance: (nullable): an object instance
+ * @object_class: (nullable): a #JSCClass or %NULL to use the default
+ * @uri: the source URI
+ * @line_number: the starting line number
+ * @object: (out) (transfer full): return location for a #JSCValue.
+ *
+ * Evaluate @code and create an new object where symbols defined in @code will be added as properties,
+ * instead of being added to @context global object. The new object is returned as @object parameter.
+ * Similar to how jsc_value_new_object() works, if @object_instance is not %NULL @object_class must be provided too.
+ * The @line_number is the starting line number in @uri; the value is one-based so the first line is 1.
+ * @uri and @line_number will be shown in exceptions and they don't affect the behavior of the script.
+ *
+ * Returns: (transfer full): a #JSCValue representing the last value generated by the script.
+ */
+JSCValue* jsc_context_evaluate_in_object(JSCContext* context, const char* code, gssize length, gpointer instance, JSCClass* objectClass, const char* uri, unsigned lineNumber, JSCValue** object)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(code, nullptr);
+    g_return_val_if_fail(!instance || JSC_IS_CLASS(objectClass), nullptr);
+    g_return_val_if_fail(object && !*object, nullptr);
+
+    JSRetainPtr objectContext(Adopt,
+        instance ? jscClassCreateContextWithJSWrapper(objectClass, context, instance) : JSGlobalContextCreateInGroup(jscVirtualMachineGetContextGroup(context->priv->vm.get()), nullptr));
+    JSC::ExecState* exec = toJS(objectContext.get());
+    JSC::VM& vm = exec->vm();
+    auto* jsObject = vm.vmEntryGlobalObject(exec);
+    jsObject->setGlobalScopeExtension(JSC::JSWithScope::create(vm, jsObject, jsObject->globalScope(), toJS(JSContextGetGlobalObject(context->priv->jsContext.get()))));
+    JSValueRef exception = nullptr;
+    JSValueRef result = evaluateScriptInContext(objectContext.get(), String::fromUTF8(code, length < 0 ? strlen(code) : length), uri, lineNumber, &exception);
+    if (jscContextHandleExceptionIfNeeded(context, exception))
+        return jsc_value_new_undefined(context);
+
+    *object = jscContextGetOrCreateValue(context, JSContextGetGlobalObject(objectContext.get())).leakRef();
+
+    return jscContextGetOrCreateValue(context, result).leakRef();
+}
+
+/**
+ * JSCCheckSyntaxMode:
+ * @JSC_CHECK_SYNTAX_MODE_SCRIPT: mode to check syntax of a script
+ * @JSC_CHECK_SYNTAX_MODE_MODULE: mode to check syntax of a module
+ *
+ * Enum values to specify a mode to check for syntax errors in jsc_context_check_syntax().
+ */
+
+/**
+ * JSCCheckSyntaxResult:
+ * @JSC_CHECK_SYNTAX_RESULT_SUCCESS: no errors
+ * @JSC_CHECK_SYNTAX_RESULT_RECOVERABLE_ERROR: recoverable syntax error
+ * @JSC_CHECK_SYNTAX_RESULT_IRRECOVERABLE_ERROR: irrecoverable syntax error
+ * @JSC_CHECK_SYNTAX_RESULT_UNTERMINATED_LITERAL_ERROR: unterminated literal error
+ * @JSC_CHECK_SYNTAX_RESULT_OUT_OF_MEMORY_ERROR: out of memory error
+ * @JSC_CHECK_SYNTAX_RESULT_STACK_OVERFLOW_ERROR: stack overflow error
+ *
+ * Enum values to specify the result of jsc_context_check_syntax().
+ */
+
+/**
+ * jsc_context_check_syntax:
+ * @context: a #JSCContext
+ * @code: a JavaScript script to check
+ * @length: length of @code, or -1 if @code is a nul-terminated string
+ * @mode: a #JSCCheckSyntaxMode
+ * @uri: the source URI
+ * @line_number: the starting line number
+ * @exception: (out) (optional) (transfer full): return location for a #JSCException, or %NULL to ignore
+ *
+ * Check the given @code in @context for syntax errors. The @line_number is the starting line number in @uri;
+ * the value is one-based so the first line is 1. @uri and @line_number are only used to fill the @exception.
+ * In case of errors @exception will be set to a new #JSCException with the details. You can pass %NULL to
+ * @exception to ignore the error details.
+ *
+ * Returns: a #JSCCheckSyntaxResult
+ */
+JSCCheckSyntaxResult jsc_context_check_syntax(JSCContext* context, const char* code, gssize length, JSCCheckSyntaxMode mode, const char* uri, unsigned lineNumber, JSCException **exception)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), JSC_CHECK_SYNTAX_RESULT_IRRECOVERABLE_ERROR);
+    g_return_val_if_fail(code, JSC_CHECK_SYNTAX_RESULT_IRRECOVERABLE_ERROR);
+    g_return_val_if_fail(!exception || !*exception, JSC_CHECK_SYNTAX_RESULT_IRRECOVERABLE_ERROR);
+
+    lineNumber = std::max(1, lineNumber);
+
+    auto* jsContext = context->priv->jsContext.get();
+    JSC::ExecState* exec = toJS(jsContext);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+
+    String sourceURLString = uri ? String::fromUTF8(uri) : String();
+    JSC::SourceCode source = JSC::makeSource(String::fromUTF8(code, length < 0 ? strlen(code) : length), JSC::SourceOrigin { sourceURLString },
+        URL({ }, sourceURLString), TextPosition(OrdinalNumber::fromOneBasedInt(lineNumber), OrdinalNumber()));
+    bool success = false;
+    JSC::ParserError error;
+    switch (mode) {
+    case JSC_CHECK_SYNTAX_MODE_SCRIPT:
+        success = !!JSC::parse(&vm, source, JSC::Identifier(), JSC::JSParserBuiltinMode::NotBuiltin,
+            JSC::JSParserStrictMode::NotStrict, JSC::JSParserScriptMode::Classic, JSC::SourceParseMode::ProgramMode, JSC::SuperBinding::NotNeeded, error);
+        break;
+    case JSC_CHECK_SYNTAX_MODE_MODULE:
+        success = !!JSC::parse(&vm, source, JSC::Identifier(), JSC::JSParserBuiltinMode::NotBuiltin,
+            JSC::JSParserStrictMode::Strict, JSC::JSParserScriptMode::Module, JSC::SourceParseMode::ModuleAnalyzeMode, JSC::SuperBinding::NotNeeded, error);
+        break;
+    }
+
+    JSCCheckSyntaxResult result = JSC_CHECK_SYNTAX_RESULT_SUCCESS;
+    if (success)
+        return result;
+
+    switch (error.type()) {
+    case JSC::ParserError::ErrorType::SyntaxError: {
+        switch (error.syntaxErrorType()) {
+        case JSC::ParserError::SyntaxErrorType::SyntaxErrorIrrecoverable:
+            result = JSC_CHECK_SYNTAX_RESULT_IRRECOVERABLE_ERROR;
+            break;
+        case JSC::ParserError::SyntaxErrorType::SyntaxErrorUnterminatedLiteral:
+            result = JSC_CHECK_SYNTAX_RESULT_UNTERMINATED_LITERAL_ERROR;
+            break;
+        case JSC::ParserError::SyntaxErrorType::SyntaxErrorRecoverable:
+            result = JSC_CHECK_SYNTAX_RESULT_RECOVERABLE_ERROR;
+            break;
+        case JSC::ParserError::SyntaxErrorType::SyntaxErrorNone:
+            ASSERT_NOT_REACHED();
+            break;
+        }
+        break;
+    }
+    case JSC::ParserError::ErrorType::StackOverflow:
+        result = JSC_CHECK_SYNTAX_RESULT_STACK_OVERFLOW_ERROR;
+        break;
+    case JSC::ParserError::ErrorType::OutOfMemory:
+        result = JSC_CHECK_SYNTAX_RESULT_OUT_OF_MEMORY_ERROR;
+        break;
+    case JSC::ParserError::ErrorType::EvalError:
+    case JSC::ParserError::ErrorType::ErrorNone:
+        ASSERT_NOT_REACHED();
+        break;
+    }
+
+    if (exception) {
+        auto* jsError = error.toErrorObject(exec->lexicalGlobalObject(), source);
+        *exception = jscExceptionCreate(context, toRef(exec, jsError)).leakRef();
+    }
+
+    return result;
+}
+
+/**
+ * jsc_context_get_global_object:
+ * @context: a #JSCContext
+ *
+ * Get a #JSCValue referencing the @context global object
+ *
+ * Returns: (transfer full): a #JSCValue
+ */
+JSCValue* jsc_context_get_global_object(JSCContext* context)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    return jscContextGetOrCreateValue(context, JSContextGetGlobalObject(context->priv->jsContext.get())).leakRef();
+}
+
+/**
+ * jsc_context_set_value:
+ * @context: a #JSCContext
+ * @name: the value name
+ * @value: a #JSCValue
+ *
+ * Set a property of @context global object with @name and @value.
+ */
+void jsc_context_set_value(JSCContext* context, const char* name, JSCValue* value)
+{
+    g_return_if_fail(JSC_IS_CONTEXT(context));
+    g_return_if_fail(name);
+    g_return_if_fail(JSC_IS_VALUE(value));
+
+    auto contextObject = jscContextGetOrCreateValue(context, JSContextGetGlobalObject(context->priv->jsContext.get()));
+    jsc_value_object_set_property(contextObject.get(), name, value);
+}
+
+/**
+ * jsc_context_get_value:
+ * @context: a #JSCContext
+ * @name: the value name
+ *
+ * Get a property of @context global object with @name.
+ *
+ * Returns: (transfer full): a #JSCValue
+ */
+JSCValue* jsc_context_get_value(JSCContext* context, const char* name)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(name, nullptr);
+
+    auto contextObject = jscContextGetOrCreateValue(context, JSContextGetGlobalObject(context->priv->jsContext.get()));
+    return jsc_value_object_get_property(contextObject.get(), name);
+}
+
+/**
+ * jsc_context_register_class:
+ * @context: a #JSCContext
+ * @name: the class name
+ * @parent_class: (nullable): a #JSCClass or %NULL
+ * @vtable: (nullable): an optional #JSCClassVTable or %NULL
+ * @destroy_notify: (nullable): a destroy notifier for class instances
+ *
+ * Register a custom class in @context using the given @name. If the new class inherits from
+ * another #JSCClass, the parent should be passed as @parent_class, otherwise %NULL should be
+ * used. The optional @vtable parameter allows to provide a custom implementation for handling
+ * the class, for example, to handle external properties not added to the prototype.
+ * When an instance of the #JSCClass is cleared in the context, @destroy_notify is called with
+ * the instance as parameter.
+ *
+ * Returns: (transfer none): a #JSCClass
+ */
+JSCClass* jsc_context_register_class(JSCContext* context, const char* name, JSCClass* parentClass, JSCClassVTable* vtable, GDestroyNotify destroyFunction)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(name, nullptr);
+    g_return_val_if_fail(!parentClass || JSC_IS_CLASS(parentClass), nullptr);
+
+    auto jscClass = jscClassCreate(context, name, parentClass, vtable, destroyFunction);
+    wrapperMap(context).registerClass(jscClass.get());
+    return jscClass.get();
+}
diff --git a/API/glib/JSCContext.h b/API/glib/JSCContext.h
new file mode 100644
index 0000000..0673ffa
--- /dev/null
+++ b/API/glib/JSCContext.h
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCContext_h
+#define JSCContext_h
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+G_BEGIN_DECLS
+
+#define JSC_TYPE_CONTEXT            (jsc_context_get_type())
+#define JSC_CONTEXT(obj)            (G_TYPE_CHECK_INSTANCE_CAST((obj), JSC_TYPE_CONTEXT, JSCContext))
+#define JSC_IS_CONTEXT(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), JSC_TYPE_CONTEXT))
+#define JSC_CONTEXT_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST((klass),  JSC_TYPE_CONTEXT, JSCContextClass))
+#define JSC_IS_CONTEXT_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass),  JSC_TYPE_CONTEXT))
+#define JSC_CONTEXT_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS((obj),  JSC_TYPE_CONTEXT, JSCContextClass))
+
+typedef struct _JSCContext JSCContext;
+typedef struct _JSCContextClass JSCContextClass;
+typedef struct _JSCContextPrivate JSCContextPrivate;
+
+typedef void (* JSCExceptionHandler) (JSCContext   *context,
+                                      JSCException *exception,
+                                      gpointer      user_data);
+
+typedef enum {
+    JSC_CHECK_SYNTAX_MODE_SCRIPT,
+    JSC_CHECK_SYNTAX_MODE_MODULE
+} JSCCheckSyntaxMode;
+
+typedef enum {
+    JSC_CHECK_SYNTAX_RESULT_SUCCESS,
+    JSC_CHECK_SYNTAX_RESULT_RECOVERABLE_ERROR,
+    JSC_CHECK_SYNTAX_RESULT_IRRECOVERABLE_ERROR,
+    JSC_CHECK_SYNTAX_RESULT_UNTERMINATED_LITERAL_ERROR,
+    JSC_CHECK_SYNTAX_RESULT_OUT_OF_MEMORY_ERROR,
+    JSC_CHECK_SYNTAX_RESULT_STACK_OVERFLOW_ERROR,
+} JSCCheckSyntaxResult;
+
+struct _JSCContext {
+    GObject parent;
+
+    /*< private >*/
+    JSCContextPrivate *priv;
+};
+
+struct _JSCContextClass {
+    GObjectClass parent_class;
+
+    void (*_jsc_reserved0) (void);
+    void (*_jsc_reserved1) (void);
+    void (*_jsc_reserved2) (void);
+    void (*_jsc_reserved3) (void);
+};
+
+JSC_API GType
+jsc_context_get_type                 (void);
+
+JSC_API JSCContext *
+jsc_context_new                      (void);
+
+JSC_API JSCContext *
+jsc_context_new_with_virtual_machine (JSCVirtualMachine  *vm);
+
+JSC_API JSCVirtualMachine *
+jsc_context_get_virtual_machine      (JSCContext         *context);
+
+JSC_API JSCException *
+jsc_context_get_exception            (JSCContext         *context);
+
+JSC_API void
+jsc_context_throw                    (JSCContext         *context,
+                                      const char         *error_message);
+
+JSC_API void
+jsc_context_throw_printf             (JSCContext         *context,
+                                      const char         *format,
+                                      ...) G_GNUC_PRINTF (2, 3);
+
+JSC_API void
+jsc_context_throw_with_name          (JSCContext         *context,
+                                      const char         *error_name,
+                                      const char         *error_message);
+
+JSC_API void
+jsc_context_throw_with_name_printf   (JSCContext         *context,
+                                      const char         *error_name,
+                                      const char         *format,
+                                      ...) G_GNUC_PRINTF (3, 4);
+
+JSC_API void
+jsc_context_throw_exception          (JSCContext         *context,
+                                      JSCException       *exception);
+
+JSC_API void
+jsc_context_clear_exception          (JSCContext         *context);
+
+JSC_API void
+jsc_context_push_exception_handler   (JSCContext         *context,
+                                      JSCExceptionHandler handler,
+                                      gpointer            user_data,
+                                      GDestroyNotify      destroy_notify);
+
+JSC_API void
+jsc_context_pop_exception_handler    (JSCContext         *context);
+
+JSC_API JSCContext *
+jsc_context_get_current              (void);
+
+JSC_API JSCValue *
+jsc_context_evaluate                 (JSCContext         *context,
+                                      const char         *code,
+                                      gssize              length) G_GNUC_WARN_UNUSED_RESULT;
+
+JSC_API JSCValue *
+jsc_context_evaluate_with_source_uri (JSCContext         *context,
+                                      const char         *code,
+                                      gssize              length,
+                                      const char         *uri,
+                                      guint               line_number) G_GNUC_WARN_UNUSED_RESULT;
+
+JSC_API JSCValue *
+jsc_context_evaluate_in_object       (JSCContext         *context,
+                                      const char         *code,
+                                      gssize              length,
+                                      gpointer            object_instance,
+                                      JSCClass           *object_class,
+                                      const char         *uri,
+                                      guint               line_number,
+                                      JSCValue          **object) G_GNUC_WARN_UNUSED_RESULT;
+
+JSC_API JSCCheckSyntaxResult
+jsc_context_check_syntax             (JSCContext         *context,
+                                      const char         *code,
+                                      gssize              length,
+                                      JSCCheckSyntaxMode  mode,
+                                      const char         *uri,
+                                      unsigned            line_number,
+                                      JSCException      **exception);
+
+JSC_API JSCValue *
+jsc_context_get_global_object        (JSCContext         *context);
+
+JSC_API void
+jsc_context_set_value                (JSCContext         *context,
+                                      const char         *name,
+                                      JSCValue           *value);
+
+JSC_API JSCValue *
+jsc_context_get_value                (JSCContext         *context,
+                                      const char         *name);
+
+JSC_API JSCClass *
+jsc_context_register_class           (JSCContext         *context,
+                                      const char         *name,
+                                      JSCClass           *parent_class,
+                                      JSCClassVTable     *vtable,
+                                      GDestroyNotify      destroy_notify);
+
+G_END_DECLS
+
+#endif /* JSCContext_h */
diff --git a/API/glib/JSCContextPrivate.h b/API/glib/JSCContextPrivate.h
new file mode 100644
index 0000000..fc7270e
--- /dev/null
+++ b/API/glib/JSCContextPrivate.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#pragma once
+
+#include "APICast.h"
+#include "JSCContext.h"
+#include "JSCValue.h"
+#include "JSContextRef.h"
+#include 
+
+GRefPtr jscContextGetOrCreate(JSGlobalContextRef);
+JSGlobalContextRef jscContextGetJSContext(JSCContext*);
+GRefPtr jscContextGetOrCreateValue(JSCContext*, JSValueRef);
+void jscContextValueDestroyed(JSCContext*, JSValueRef);
+JSC::JSObject* jscContextGetJSWrapper(JSCContext*, gpointer);
+JSC::JSObject* jscContextGetOrCreateJSWrapper(JSCContext*, JSClassRef, JSValueRef prototype = nullptr, gpointer = nullptr, GDestroyNotify = nullptr);
+JSGlobalContextRef jscContextCreateContextWithJSWrapper(JSCContext*, JSClassRef, JSValueRef prototype = nullptr, gpointer = nullptr, GDestroyNotify = nullptr);
+gpointer jscContextWrappedObject(JSCContext*, JSObjectRef);
+JSCClass* jscContextGetRegisteredClass(JSCContext*, JSClassRef);
+
+struct CallbackData {
+    GRefPtr context;
+    GRefPtr preservedException;
+    JSValueRef calleeValue;
+    JSValueRef thisValue;
+    size_t argumentCount;
+    const JSValueRef* arguments;
+
+    CallbackData* next;
+};
+CallbackData jscContextPushCallback(JSCContext*, JSValueRef calleeValue, JSValueRef thisValue, size_t argumentCount, const JSValueRef* arguments);
+void jscContextPopCallback(JSCContext*, CallbackData&&);
+
+bool jscContextHandleExceptionIfNeeded(JSCContext*, JSValueRef);
+JSValueRef jscContextGArrayToJSArray(JSCContext*, GPtrArray*, JSValueRef* exception);
+JSValueRef jscContextGValueToJSValue(JSCContext*, const GValue*, JSValueRef* exception);
+void jscContextJSValueToGValue(JSCContext*, JSValueRef, GType, GValue*, JSValueRef* exception);
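Review bot: None of the helpers declared here carry a comment, and several contracts matter to callers of this private header: what the `bool` returned by `jscContextHandleExceptionIfNeeded` means, whether the `gpointer`/`GDestroyNotify` pair given to `jscContextGetOrCreateJSWrapper` and `jscContextCreateContextWithJSWrapper` transfers ownership of the pointer to the wrapper, and how long the raw `JSValueRef`s stored in `CallbackData` remain valid. A one-line comment per declaration would settle this; for the struct something like `// One active native-callback frame; 'next' presumably links to the previously pushed frame — confirm against jscContextPushCallback.` Since `jscContextPushCallback` returns the frame by value and `jscContextPopCallback` consumes it as `CallbackData&&`, it would also help to state whether push/pop must be strictly LIFO, if that is the design.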
diff --git a/API/glib/JSCDefines.h b/API/glib/JSCDefines.h
new file mode 100644
index 0000000..c3ffa2b
--- /dev/null
+++ b/API/glib/JSCDefines.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2011 Igalia S.L.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCDefines_h
+#define JSCDefines_h
+
+#include 
+
+#ifdef G_OS_WIN32
+#    if defined(BUILDING_JavaScriptCore) || defined(STATICALLY_LINKED_WITH_JavaScriptCore)
+#        define JSC_API __declspec(dllexport)
+#    else
+#        define JSC_API __declspec(dllimport)
+#    endif
+#else
+#    define JSC_API __attribute__((visibility("default")))
+#endif
+
+#define JSC_DEPRECATED JSC_API G_DEPRECATED
+#define JSC_DEPRECATED_FOR(f) JSC_API G_DEPRECATED_FOR(f)
+
+#endif /* JSCDefines_h */
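Review bot: The direct-inclusion guard at the top of this header tests only `__JSC_H_INSIDE__` and `JSC_COMPILATION`, whereas the other public headers in this patch (JSCContext.h and JSCException.h) also accept `WEBKIT2_COMPILATION`. If a WebKit2 translation unit includes one of those headers directly without defining `__JSC_H_INSIDE__`, the `#error` would presumably fire here instead, since they include JSCDefines.h. Unless the omission is intentional, make the condition `#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)` so the three headers agree.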
diff --git a/API/glib/JSCException.cpp b/API/glib/JSCException.cpp
new file mode 100644
index 0000000..27198d9
--- /dev/null
+++ b/API/glib/JSCException.cpp
@@ -0,0 +1,423 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCException.h"
+
+#include "APICast.h"
+#include "JSCContextPrivate.h"
+#include "JSCExceptionPrivate.h"
+#include "JSCInlines.h"
+#include "JSRetainPtr.h"
+#include "StrongInlines.h"
+#include 
+#include 
+#include 
+
+/**
+ * SECTION: JSCException
+ * @short_description: JavaScript exception
+ * @title: JSCException
+ * @see_also: JSCContext
+ *
+ * JSCException represents a JavaScript exception.
+ */
+
+struct _JSCExceptionPrivate {
+    JSCContext* context;
+    JSC::Strong jsException;
+    bool cached;
+    GUniquePtr errorName;
+    GUniquePtr message;
+    unsigned lineNumber;
+    unsigned columnNumber;
+    GUniquePtr sourceURI;
+    GUniquePtr backtrace;
+};
+
+WEBKIT_DEFINE_TYPE(JSCException, jsc_exception, G_TYPE_OBJECT)
+
+static void jscExceptionDispose(GObject* object)
+{
+    JSCExceptionPrivate* priv = JSC_EXCEPTION(object)->priv;
+    if (priv->context) {
+        g_object_remove_weak_pointer(G_OBJECT(priv->context), reinterpret_cast(&priv->context));
+        priv->context = nullptr;
+    }
+
+    G_OBJECT_CLASS(jsc_exception_parent_class)->dispose(object);
+}
+
+static void jsc_exception_class_init(JSCExceptionClass* klass)
+{
+    GObjectClass* objClass = G_OBJECT_CLASS(klass);
+    objClass->dispose = jscExceptionDispose;
+}
+
+GRefPtr jscExceptionCreate(JSCContext* context, JSValueRef jsException)
+{
+    GRefPtr exception = adoptGRef(JSC_EXCEPTION(g_object_new(JSC_TYPE_EXCEPTION, nullptr)));
+    auto* jsContext = jscContextGetJSContext(context);
+    JSC::ExecState* exec = toJS(jsContext);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+    exception->priv->jsException.set(vm, toJS(JSValueToObject(jsContext, jsException, nullptr)));
+    // The context has a strong reference to the exception, so we can't ref the context. We use a weak
+    // pointer instead to invalidate the exception if the context is destroyed before.
+    exception->priv->context = context;
+    g_object_add_weak_pointer(G_OBJECT(context), reinterpret_cast(&exception->priv->context));
+    return exception;
+}
+
+JSValueRef jscExceptionGetJSValue(JSCException* exception)
+{
+    return toRef(exception->priv->jsException.get());
+}
+
+void jscExceptionEnsureProperties(JSCException* exception)
+{
+    JSCExceptionPrivate* priv = exception->priv;
+    if (priv->cached)
+        return;
+
+    priv->cached = true;
+
+    auto value = jscContextGetOrCreateValue(priv->context, toRef(priv->jsException.get()));
+    auto propertyValue = adoptGRef(jsc_value_object_get_property(value.get(), "name"));
+    if (!jsc_value_is_undefined(propertyValue.get()))
+        priv->errorName.reset(jsc_value_to_string(propertyValue.get()));
+    propertyValue = adoptGRef(jsc_value_object_get_property(value.get(), "message"));
+    if (!jsc_value_is_undefined(propertyValue.get()))
+        priv->message.reset(jsc_value_to_string(propertyValue.get()));
+    propertyValue = adoptGRef(jsc_value_object_get_property(value.get(), "line"));
+    if (!jsc_value_is_undefined(propertyValue.get()))
+        priv->lineNumber = jsc_value_to_int32(propertyValue.get());
+    propertyValue = adoptGRef(jsc_value_object_get_property(value.get(), "column"));
+    if (!jsc_value_is_undefined(propertyValue.get()))
+        priv->columnNumber = jsc_value_to_int32(propertyValue.get());
+    propertyValue = adoptGRef(jsc_value_object_get_property(value.get(), "sourceURL"));
+    if (!jsc_value_is_undefined(propertyValue.get()))
+        priv->sourceURI.reset(jsc_value_to_string(propertyValue.get()));
+    propertyValue = adoptGRef(jsc_value_object_get_property(value.get(), "stack"));
+    if (!jsc_value_is_undefined(propertyValue.get()))
+        priv->backtrace.reset(jsc_value_to_string(propertyValue.get()));
+}
+
+/**
+ * jsc_exception_new:
+ * @context: a #JSCContext
+ * @message: the error message
+ *
+ * Create a new #JSCException in @context with @message.
+ *
+ * Returns: (transfer full): a new #JSCException.
+ */
+JSCException* jsc_exception_new(JSCContext* context, const char* message)
+{
+    return jsc_exception_new_with_name(context, nullptr, message);
+}
+
+/**
+ * jsc_exception_new_printf:
+ * @context: a #JSCContext
+ * @format: the string format
+ * @...: the parameters to insert into the format string
+ *
+ * Create a new #JSCException in @context using a formatted string
+ * for the message.
+ *
+ * Returns: (transfer full): a new #JSCException.
+ */
+JSCException* jsc_exception_new_printf(JSCContext* context, const char* format, ...)
+{
+    va_list args;
+    va_start(args, format);
+    auto* exception = jsc_exception_new_vprintf(context, format, args);
+    va_end(args);
+
+    return exception;
+}
+
+/**
+ * jsc_exception_new_vprintf:
+ * @context: a #JSCContext
+ * @format: the string format
+ * @args: the parameters to insert into the format string
+ *
+ * Create a new #JSCException in @context using a formatted string
+ * for the message. This is similar to jsc_exception_new_printf()
+ * except that the arguments to the format string are passed as a va_list.
+ *
+ * Returns: (transfer full): a new #JSCException.
+ */
+JSCException* jsc_exception_new_vprintf(JSCContext* context, const char* format, va_list args)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    GUniqueOutPtr buffer;
+    g_vasprintf(&buffer.outPtr(), format, args);
+    return jsc_exception_new(context, buffer.get());
+}
+
+/**
+ * jsc_exception_new_with_name:
+ * @context: a #JSCContext
+ * @name: the error name
+ * @message: the error message
+ *
+ * Create a new #JSCException in @context with @name and @message.
+ *
+ * Returns: (transfer full): a new #JSCException.
+ */
+JSCException* jsc_exception_new_with_name(JSCContext* context, const char* name, const char* message)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    auto* jsContext = jscContextGetJSContext(context);
+    JSValueRef jsMessage = nullptr;
+    if (message) {
+        JSRetainPtr jsMessageString(Adopt, JSStringCreateWithUTF8CString(message));
+        jsMessage = JSValueMakeString(jsContext, jsMessageString.get());
+    }
+
+    auto exception = jscExceptionCreate(context, JSObjectMakeError(jsContext, jsMessage ? 1 : 0, &jsMessage, nullptr));
+    if (name) {
+        auto value = jscContextGetOrCreateValue(context, toRef(exception->priv->jsException.get()));
+        GRefPtr nameValue = adoptGRef(jsc_value_new_string(context, name));
+        jsc_value_object_set_property(value.get(), "name", nameValue.get());
+    }
+
+    return exception.leakRef();
+}
+
+/**
+ * jsc_exception_new_with_name_printf:
+ * @context: a #JSCContext
+ * @name: the error name
+ * @format: the string format
+ * @...: the parameters to insert into the format string
+ *
+ * Create a new #JSCException in @context with @name and using a formatted string
+ * for the message.
+ *
+ * Returns: (transfer full): a new #JSCException.
+ */
+JSCException* jsc_exception_new_with_name_printf(JSCContext* context, const char* name, const char* format, ...)
+{
+    va_list args;
+    va_start(args, format);
+    auto* exception = jsc_exception_new_with_name_vprintf(context, name, format, args);
+    va_end(args);
+
+    return exception;
+}
+
+/**
+ * jsc_exception_new_with_name_vprintf:
+ * @context: a #JSCContext
+ * @name: the error name
+ * @format: the string format
+ * @args: the parameters to insert into the format string
+ *
+ * Create a new #JSCException in @context with @name and using a formatted string
+ * for the message. This is similar to jsc_exception_new_with_name_printf()
+ * except that the arguments to the format string are passed as a va_list.
+ *
+ * Returns: (transfer full): a new #JSCException.
+ */
+JSCException* jsc_exception_new_with_name_vprintf(JSCContext* context, const char* name, const char* format, va_list args)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    GUniqueOutPtr buffer;
+    g_vasprintf(&buffer.outPtr(), format, args);
+    return jsc_exception_new_with_name(context, name, buffer.get());
+}
+
+/**
+ * jsc_exception_get_name:
+ * @exception: a #JSCException
+ *
+ * Get the error name of @exception
+ *
+ * Returns: the @exception error name.
+ */
+const char* jsc_exception_get_name(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), nullptr);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    jscExceptionEnsureProperties(exception);
+    return priv->errorName.get();
+}
+
+/**
+ * jsc_exception_get_message:
+ * @exception: a #JSCException
+ *
+ * Get the error message of @exception.
+ *
+ * Returns: the @exception error message.
+ */
+const char* jsc_exception_get_message(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), nullptr);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    jscExceptionEnsureProperties(exception);
+    return priv->message.get();
+}
+
+/**
+ * jsc_exception_get_line_number:
+ * @exception: a #JSCException
+ *
+ * Get the line number at which @exception happened.
+ *
+ * Returns: the line number of @exception.
+ */
+guint jsc_exception_get_line_number(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), 0);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, 0);
+
+    jscExceptionEnsureProperties(exception);
+    return priv->lineNumber;
+}
+
+/**
+ * jsc_exception_get_column_number:
+ * @exception: a #JSCException
+ *
+ * Get the column number at which @exception happened.
+ *
+ * Returns: the column number of @exception.
+ */
+guint jsc_exception_get_column_number(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), 0);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, 0);
+
+    jscExceptionEnsureProperties(exception);
+    return priv->columnNumber;
+}
+
+/**
+ * jsc_exception_get_source_uri:
+ * @exception: a #JSCException
+ *
+ * Get the source URI of @exception.
+ *
+ * Returns: (nullable): the the source URI of @exception, or %NULL.
+ */
+const char* jsc_exception_get_source_uri(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), nullptr);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    jscExceptionEnsureProperties(exception);
+    return priv->sourceURI.get();
+}
+
+/**
+ * jsc_exception_get_backtrace_string:
+ * @exception: a #JSCException
+ *
+ * Get a string with the exception backtrace.
+ *
+ * Returns: (nullable): the exception backtrace string or %NULL.
+ */
+const char* jsc_exception_get_backtrace_string(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), nullptr);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    jscExceptionEnsureProperties(exception);
+    return priv->backtrace.get();
+}
+
+/**
+ * jsc_exception_to_string:
+ * @exception: a #JSCException
+ *
+ * Get the string representation of @exception error.
+ *
+ * Returns: (transfer full): the string representation of @exception.
+ */
+char* jsc_exception_to_string(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), nullptr);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    auto value = jscContextGetOrCreateValue(priv->context, toRef(priv->jsException.get()));
+    return jsc_value_to_string(value.get());
+}
+
+/**
+ * jsc_exception_report:
+ * @exception: a #JSCException
+ *
+ * Return a report message of @exception, containing all the possible details such us
+ * source URI, line, column and backtrace, and formatted to be printed.
+ *
+ * Returns: (transfer full): a new string with the exception report
+ */
+char* jsc_exception_report(JSCException* exception)
+{
+    g_return_val_if_fail(JSC_IS_EXCEPTION(exception), nullptr);
+
+    JSCExceptionPrivate* priv = exception->priv;
+    g_return_val_if_fail(priv->context, nullptr);
+
+    jscExceptionEnsureProperties(exception);
+    GString* report = g_string_new(nullptr);
+    if (priv->sourceURI)
+        report = g_string_append(report, priv->sourceURI.get());
+    if (priv->lineNumber)
+        g_string_append_printf(report, ":%d", priv->lineNumber);
+    if (priv->columnNumber)
+        g_string_append_printf(report, ":%d", priv->columnNumber);
+    report = g_string_append_c(report, ' ');
+    GUniquePtr errorMessage(jsc_exception_to_string(exception));
+    if (errorMessage)
+        report = g_string_append(report, errorMessage.get());
+    report = g_string_append_c(report, '\n');
+
+    if (priv->backtrace) {
+        GUniquePtr lines(g_strsplit(priv->backtrace.get(), "\n", 0));
+        for (unsigned i = 0; lines.get()[i]; ++i)
+            g_string_append_printf(report, "  %s\n", lines.get()[i]);
+    }
+
+    return g_string_free(report, FALSE);
+}
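Review bot: `jscExceptionCreate` stores `toJS(JSValueToObject(jsContext, jsException, nullptr))` without checking the result; `JSValueToObject` returns NULL when the conversion throws (a script can `throw null` or `throw undefined`), so `priv->jsException` would hold a null cell and `jscExceptionEnsureProperties` / `jsc_exception_to_string` would later pass a null `JSValueRef` to `jscContextGetOrCreateValue`. A guard such as `JSObjectRef object = JSValueToObject(jsContext, jsException, nullptr); if (!object) object = JSObjectMakeError(jsContext, 0, nullptr, nullptr);` before the `set` would keep the exception usable, though the exact fallback is a design choice. Separately, `jsc_exception_report` formats the `unsigned` `lineNumber` and `columnNumber` with `":%d"`; `":%u"` matches the field type.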
diff --git a/API/glib/JSCException.h b/API/glib/JSCException.h
new file mode 100644
index 0000000..45eb0aa
--- /dev/null
+++ b/API/glib/JSCException.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCException_h
+#define JSCException_h
+
+#include 
+#include 
+
+G_BEGIN_DECLS
+
+#define JSC_TYPE_EXCEPTION            (jsc_exception_get_type())
+#define JSC_EXCEPTION(obj)            (G_TYPE_CHECK_INSTANCE_CAST((obj), JSC_TYPE_EXCEPTION, JSCException))
+#define JSC_IS_EXCEPTION(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), JSC_TYPE_EXCEPTION))
+#define JSC_EXCEPTION_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST((klass),  JSC_TYPE_EXCEPTION, JSCExceptionClass))
+#define JSC_IS_EXCEPTION_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass),  JSC_TYPE_EXCEPTION))
+#define JSC_EXCEPTION_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS((obj),  JSC_TYPE_EXCEPTION, JSCExceptionClass))
+
+typedef struct _JSCException JSCException;
+typedef struct _JSCExceptionClass JSCExceptionClass;
+typedef struct _JSCExceptionPrivate JSCExceptionPrivate;
+
+typedef struct _JSCContext JSCContext;
+
+struct _JSCException {
+    GObject parent;
+
+    /*< private >*/
+    JSCExceptionPrivate *priv;
+};
+
+struct _JSCExceptionClass {
+    GObjectClass parent_class;
+
+    void (*_jsc_reserved0) (void);
+    void (*_jsc_reserved1) (void);
+    void (*_jsc_reserved2) (void);
+    void (*_jsc_reserved3) (void);
+};
+
+JSC_API GType
+jsc_exception_get_type              (void);
+
+JSC_API JSCException *
+jsc_exception_new                   (JSCContext   *context,
+                                     const char   *message);
+
+JSC_API JSCException *
+jsc_exception_new_printf            (JSCContext   *context,
+                                     const char   *format,
+                                     ...) G_GNUC_PRINTF (2, 3);
+
+JSC_API JSCException *
+jsc_exception_new_vprintf           (JSCContext   *context,
+                                     const char   *format,
+                                     va_list       args) G_GNUC_PRINTF(2, 0);
+
+JSC_API JSCException *
+jsc_exception_new_with_name         (JSCContext   *context,
+                                     const char   *name,
+                                     const char   *message);
+
+JSC_API JSCException *
+jsc_exception_new_with_name_printf  (JSCContext   *context,
+                                     const char   *name,
+                                     const char   *format,
+                                     ...) G_GNUC_PRINTF (3, 4);
+
+JSC_API JSCException *
+jsc_exception_new_with_name_vprintf (JSCContext   *context,
+                                     const char   *name,
+                                     const char   *format,
+                                     va_list       args) G_GNUC_PRINTF (3, 0);
+
+JSC_API const char *
+jsc_exception_get_name              (JSCException *exception);
+
+JSC_API const char *
+jsc_exception_get_message           (JSCException *exception);
+
+JSC_API guint
+jsc_exception_get_line_number       (JSCException *exception);
+
+JSC_API guint
+jsc_exception_get_column_number     (JSCException *exception);
+
+JSC_API const char *
+jsc_exception_get_source_uri        (JSCException *exception);
+
+JSC_API const char *
+jsc_exception_get_backtrace_string  (JSCException *exception);
+
+JSC_API char *
+jsc_exception_to_string             (JSCException *exception);
+
+JSC_API char *
+jsc_exception_report                (JSCException *exception);
+
+G_END_DECLS
+
+#endif /* JSCException_h */
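Review bot: The format attribute on `jsc_exception_new_vprintf` is written `G_GNUC_PRINTF(2, 0)` while every other annotation in this header and in JSCContext.h uses `G_GNUC_PRINTF (3, 0)` style with a space. Purely cosmetic, but the public headers are otherwise carefully aligned, so `va_list       args) G_GNUC_PRINTF (2, 0);` keeps them uniform.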
diff --git a/API/glib/JSCExceptionPrivate.h b/API/glib/JSCExceptionPrivate.h
new file mode 100644
index 0000000..bb5dbc0
--- /dev/null
+++ b/API/glib/JSCExceptionPrivate.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#pragma once
+
+#include "JSCContext.h"
+#include "JSCException.h"
+#include 
+
+GRefPtr jscExceptionCreate(JSCContext*, JSValueRef);
+JSValueRef jscExceptionGetJSValue(JSCException*);
diff --git a/API/glib/JSCGLibWrapperObject.h b/API/glib/JSCGLibWrapperObject.h
new file mode 100644
index 0000000..c2caba9
--- /dev/null
+++ b/API/glib/JSCGLibWrapperObject.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#pragma once
+
+#include 
+#include 
+
+namespace JSC {
+
+class JSCGLibWrapperObject {
+    WTF_MAKE_FAST_ALLOCATED;
+public:
+    JSCGLibWrapperObject(gpointer object, GDestroyNotify destroyFunction)
+        : m_object(object)
+        , m_destroyFunction(destroyFunction)
+    {
+    }
+
+    ~JSCGLibWrapperObject()
+    {
+        if (m_destroyFunction)
+            m_destroyFunction(m_object);
+    }
+
+    gpointer object() const { return m_object; }
+
+private:
+    gpointer m_object { nullptr };
+    GDestroyNotify m_destroyFunction { nullptr };
+};
+
+} // namespace JSC
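Review bot: `JSCGLibWrapperObject` releases `m_object` through `m_destroyFunction` in its destructor but leaves the implicit copy constructor and copy assignment in place, so an accidental copy would run the destroy callback twice on the same pointer. Since the class already uses `WTF_MAKE_FAST_ALLOCATED;`, adding `WTF_MAKE_NONCOPYABLE(JSCGLibWrapperObject);` beside it makes the single-owner intent explicit and turns a double-free into a compile error. A short comment on the constructor stating that the wrapper takes ownership of `object` and will call `destroyFunction` on it would also help readers of the `gpointer` parameter.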
diff --git a/API/glib/JSCOptions.cpp b/API/glib/JSCOptions.cpp
new file mode 100644
index 0000000..af7b345
--- /dev/null
+++ b/API/glib/JSCOptions.cpp
@@ -0,0 +1,726 @@
+/*
+ * Copyright (C) 2019 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCOptions.h"
+
+#include "Options.h"
+#include 
+#include 
+#include 
+
+/**
+ * SECTION: JSCOptions
+ * @short_description: JavaScript options
+ * @title: JSCOptions
+ *
+ * JavaScript options allow changing the behavior of the JavaScript engine.
+ * They affect the way the engine works, so it's encouraged to set the options
+ * at the very beginning of the program execution, before any other JavaScript
+ * API call. Most of the options are only useful for testing and debugging.
+ * Only a few of them are documented; you can use the undocumented options at
+ * your own risk. (You can find the list of options in the WebKit source code).
+ *
+ * The API allows to set and get any option using the types defined in #JSCOptionType.
+ * You can also iterate all the available options using jsc_options_foreach() and
+ * passing a #JSCOptionsFunc callback. If your application uses #GOptionContext to handle
+ * command line arguments, you can easily integrate the JSCOptions by adding the
+ * #GOptionGroup returned by jsc_options_get_option_group().
+ *
+ * Since: 2.24
+ */
+
+using namespace JSC;
+
+using int32 = int32_t;
+using size = size_t;
+
+static bool valueFromGValue(const GValue* gValue, bool& value)
+{
+    value = g_value_get_boolean(gValue);
+    return true;
+}
+
+static void valueToGValue(bool value, GValue* gValue)
+{
+    g_value_set_boolean(gValue, value);
+}
+
+static bool valueFromGValue(const GValue* gValue, int32_t& value)
+{
+    value = g_value_get_int(gValue);
+    return true;
+}
+
+static void valueToGValue(int32_t value, GValue* gValue)
+{
+    g_value_set_int(gValue, value);
+}
+
+#if CPU(ADDRESS64)
+static bool valueFromGValue(const GValue* gValue, unsigned& value)
+{
+    value = g_value_get_uint(gValue);
+    return true;
+}
+
+static void valueToGValue(unsigned value, GValue* gValue)
+{
+    g_value_set_uint(gValue, value);
+}
+#endif
+
+static bool valueFromGValue(const GValue* gValue, size_t& value)
+{
+    value = GPOINTER_TO_SIZE(g_value_get_pointer(gValue));
+    return true;
+}
+
+static void valueToGValue(size_t value, GValue* gValue)
+{
+    g_value_set_pointer(gValue, GSIZE_TO_POINTER(value));
+}
+
+static bool valueFromGValue(const GValue* gValue, const char*& value)
+{
+    value = g_value_dup_string(gValue);
+    return true;
+}
+
+static void valueToGValue(const char* value, GValue* gValue)
+{
+    g_value_set_string(gValue, value);
+}
+
+static bool valueFromGValue(const GValue* gValue, double& value)
+{
+    value = g_value_get_double(gValue);
+    return true;
+}
+
+static void valueToGValue(double value, GValue* gValue)
+{
+    g_value_set_double(gValue, value);
+}
+
+static bool valueFromGValue(const GValue* gValue, OptionRange& value)
+{
+    return value.init(g_value_get_string(gValue) ? g_value_get_string(gValue) : "");
+}
+
+static void valueToGValue(const OptionRange& value, GValue* gValue)
+{
+    const char* rangeString = value.rangeString();
+    g_value_set_string(gValue, !g_strcmp0(rangeString, "") ? nullptr : rangeString);
+}
+
+static bool valueFromGValue(const GValue* gValue, GCLogging::Level& value)
+{
+    switch (g_value_get_uint(gValue)) {
+    case 0:
+        value = GCLogging::Level::None;
+        return true;
+    case 1:
+        value = GCLogging::Level::Basic;
+        return true;
+    case 2:
+        value = GCLogging::Level::Verbose;
+        return true;
+    default:
+        break;
+    }
+
+    return false;
+}
+
+static void valueToGValue(GCLogging::Level value, GValue* gValue)
+{
+    switch (value) {
+    case GCLogging::Level::None:
+        g_value_set_uint(gValue, 0);
+        break;
+    case GCLogging::Level::Basic:
+        g_value_set_uint(gValue, 1);
+        break;
+    case GCLogging::Level::Verbose:
+        g_value_set_uint(gValue, 2);
+        break;
+    }
+}
+
+static gboolean jscOptionsSetValue(const char* option, const GValue* value)
+{
+#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \
+    if (!g_strcmp0(#name_, option)) {                                   \
+        type_ valueToSet;                                               \
+        if (!valueFromGValue(value, valueToSet))                        \
+            return FALSE;                                               \
+        Options::name_() = valueToSet;                                  \
+        return TRUE;                                                    \
+    }
+
+    Options::initialize();
+    JSC_OPTIONS(FOR_EACH_OPTION)
+#undef FOR_EACH_OPTION
+
+    return FALSE;
+}
+
+static gboolean jscOptionsGetValue(const char* option, GValue* value)
+{
+#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \
+    if (!g_strcmp0(#name_, option)) {                                   \
+        type_ valueToGet = Options::name_();                            \
+        valueToGValue(valueToGet, value);                               \
+        return TRUE;                                                    \
+    }
+
+    Options::initialize();
+    JSC_OPTIONS(FOR_EACH_OPTION)
+#undef FOR_EACH_OPTION
+
+    return FALSE;
+}
+
+/**
+ * jsc_options_set_boolean:
+ * @option: the option identifier
+ * @value: the value to set
+ *
+ * Set @option as a #gboolean value.
+ *
+ * Returns: %TRUE if option was correctly set or %FALSE otherwise.
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_set_boolean(const char* option, gboolean value)
+{
+    g_return_val_if_fail(option, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_BOOLEAN);
+    g_value_set_boolean(&gValue, value);
+    return jscOptionsSetValue(option, &gValue);
+}
+
+/**
+ * jsc_options_get_boolean:
+ * @option: the option identifier
+ * @value: (out): return location for the option value
+ *
+ * Get @option as a #gboolean value.
+ *
+ * Returns: %TRUE if @value has been set or %FALSE if the option doesn't exist
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_get_boolean(const char* option, gboolean* value)
+{
+    g_return_val_if_fail(option, FALSE);
+    g_return_val_if_fail(value, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_BOOLEAN);
+    if (!jscOptionsGetValue(option, &gValue))
+        return FALSE;
+
+    *value =  g_value_get_boolean(&gValue);
+    return TRUE;
+}
+
+/**
+ * jsc_options_set_int:
+ * @option: the option identifier
+ * @value: the value to set
+ *
+ * Set @option as a #gint value.
+ *
+ * Returns: %TRUE if option was correctly set or %FALSE otherwise.
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_set_int(const char* option, gint value)
+{
+    g_return_val_if_fail(option, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_INT);
+    g_value_set_int(&gValue, value);
+    return jscOptionsSetValue(option, &gValue);
+}
+
+/**
+ * jsc_options_get_int:
+ * @option: the option identifier
+ * @value: (out): return location for the option value
+ *
+ * Get @option as a #gint value.
+ *
+ * Returns: %TRUE if @value has been set or %FALSE if the option doesn't exist
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_get_int(const char* option, gint* value)
+{
+    g_return_val_if_fail(option, FALSE);
+    g_return_val_if_fail(value, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_INT);
+    if (!jscOptionsGetValue(option, &gValue))
+        return FALSE;
+
+    *value = g_value_get_int(&gValue);
+    return TRUE;
+}
+
+/**
+ * jsc_options_set_uint:
+ * @option: the option identifier
+ * @value: the value to set
+ *
+ * Set @option as a #guint value.
+ *
+ * Returns: %TRUE if option was correctly set or %FALSE otherwise.
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_set_uint(const char* option, guint value)
+{
+    g_return_val_if_fail(option, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_UINT);
+    g_value_set_uint(&gValue, value);
+    return jscOptionsSetValue(option, &gValue);
+}
+
+/**
+ * jsc_options_get_uint:
+ * @option: the option identifier
+ * @value: (out): return location for the option value
+ *
+ * Get @option as a #guint value.
+ *
+ * Returns: %TRUE if @value has been set or %FALSE if the option doesn't exist
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_get_uint(const char* option, guint* value)
+{
+    g_return_val_if_fail(option, FALSE);
+    g_return_val_if_fail(value, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_UINT);
+    if (!jscOptionsGetValue(option, &gValue))
+        return FALSE;
+
+    *value = g_value_get_uint(&gValue);
+    return TRUE;
+}
+
+/**
+ * jsc_options_set_size:
+ * @option: the option identifier
+ * @value: the value to set
+ *
+ * Set @option as a #gsize value.
+ *
+ * Returns: %TRUE if option was correctly set or %FALSE otherwise.
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_set_size(const char* option, gsize value)
+{
+    g_return_val_if_fail(option, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_POINTER);
+    g_value_set_pointer(&gValue, GSIZE_TO_POINTER(value));
+    return jscOptionsSetValue(option, &gValue);
+}
+
+/**
+ * jsc_options_get_size:
+ * @option: the option identifier
+ * @value: (out): return location for the option value
+ *
+ * Get @option as a #gsize value.
+ *
+ * Returns: %TRUE if @value has been set or %FALSE if the option doesn't exist
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_get_size(const char* option, gsize* value)
+{
+    g_return_val_if_fail(option, FALSE);
+    g_return_val_if_fail(value, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_POINTER);
+    if (!jscOptionsGetValue(option, &gValue))
+        return FALSE;
+
+    *value = GPOINTER_TO_SIZE(g_value_get_pointer(&gValue));
+    return TRUE;
+}
+
+/**
+ * jsc_options_set_double:
+ * @option: the option identifier
+ * @value: the value to set
+ *
+ * Set @option as a #gdouble value.
+ *
+ * Returns: %TRUE if option was correctly set or %FALSE otherwise.
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_set_double(const char* option, gdouble value)
+{
+    g_return_val_if_fail(option, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_DOUBLE);
+    g_value_set_double(&gValue, value);
+    return jscOptionsSetValue(option, &gValue);
+}
+
+/**
+ * jsc_options_get_double:
+ * @option: the option identifier
+ * @value: (out): return location for the option value
+ *
+ * Get @option as a #gdouble value.
+ *
+ * Returns: %TRUE if @value has been set or %FALSE if the option doesn't exist
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_get_double(const char* option, gdouble* value)
+{
+    g_return_val_if_fail(option, FALSE);
+    g_return_val_if_fail(value, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_DOUBLE);
+    if (!jscOptionsGetValue(option, &gValue))
+        return FALSE;
+
+    *value = g_value_get_double(&gValue);
+    return TRUE;
+}
+
+/**
+ * jsc_options_set_string:
+ * @option: the option identifier
+ * @value: the value to set
+ *
+ * Set @option as a string.
+ *
+ * Returns: %TRUE if option was correctly set or %FALSE otherwise.
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_set_string(const char* option, const char* value)
+{
+    g_return_val_if_fail(option, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_STRING);
+    g_value_set_string(&gValue, value);
+    bool success = jscOptionsSetValue(option, &gValue);
+    g_value_unset(&gValue);
+    return success;
+}
+
+/**
+ * jsc_options_get_string:
+ * @option: the option identifier
+ * @value: (out): return location for the option value
+ *
+ * Get @option as a string.
+ *
+ * Returns: %TRUE if @value has been set or %FALSE if the option doesn't exist
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_get_string(const char* option, char** value)
+{
+    g_return_val_if_fail(option, FALSE);
+    g_return_val_if_fail(value, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_STRING);
+    if (!jscOptionsGetValue(option, &gValue))
+        return FALSE;
+
+    *value = g_value_dup_string(&gValue);
+    g_value_unset(&gValue);
+    return TRUE;
+}
+
+/**
+ * jsc_options_set_range_string:
+ * @option: the option identifier
+ * @value: the value to set
+ *
+ * Set @option as a range string. The string must be in the
+ * format [!]<low>[:<high>] where low and high are #guint values.
+ * Values between low and high (both included) will be considered in
+ * the range, unless ! is used to invert the range.
+ *
+ * Returns: %TRUE if option was correctly set or %FALSE otherwise.
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_set_range_string(const char* option, const char* value)
+{
+    g_return_val_if_fail(option, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_STRING);
+    g_value_set_string(&gValue, value);
+    bool success = jscOptionsSetValue(option, &gValue);
+    g_value_unset(&gValue);
+    return success;
+}
+
+/**
+ * jsc_options_get_range_string:
+ * @option: the option identifier
+ * @value: (out): return location for the option value
+ *
+ * Get @option as a range string. The string must be in the
+ * format [!]<low>[:<high>] where low and high are #guint values.
+ * Values between low and high (both included) will be considered in
+ * the range, unless ! is used to invert the range.
+ *
+ * Returns: %TRUE if @value has been set or %FALSE if the option doesn't exist
+ *
+ * Since: 2.24
+ */
+gboolean jsc_options_get_range_string(const char* option, char** value)
+{
+    g_return_val_if_fail(option, FALSE);
+    g_return_val_if_fail(value, FALSE);
+
+    GValue gValue = G_VALUE_INIT;
+    g_value_init(&gValue, G_TYPE_STRING);
+    if (!jscOptionsGetValue(option, &gValue))
+        return FALSE;
+
+    *value = g_value_dup_string(&gValue);
+    g_value_unset(&gValue);
+    return TRUE;
+}
+
+static JSCOptionType jscOptionsType(bool)
+{
+    return JSC_OPTION_BOOLEAN;
+}
+
+static JSCOptionType jscOptionsType(int)
+{
+    return JSC_OPTION_INT;
+}
+
+#if CPU(ADDRESS64)
+static JSCOptionType jscOptionsType(unsigned)
+{
+    return JSC_OPTION_UINT;
+}
+#endif
+
+static JSCOptionType jscOptionsType(size_t)
+{
+    return JSC_OPTION_SIZE;
+}
+
+static JSCOptionType jscOptionsType(double)
+{
+    return JSC_OPTION_DOUBLE;
+}
+
+static JSCOptionType jscOptionsType(const char*)
+{
+    return JSC_OPTION_STRING;
+}
+
+static JSCOptionType jscOptionsType(const OptionRange&)
+{
+    return JSC_OPTION_RANGE_STRING;
+}
+
+/**
+ * JSCOptionType:
+ * @JSC_OPTION_BOOLEAN: A #gboolean option type.
+ * @JSC_OPTION_INT: A #gint option type.
+ * @JSC_OPTION_UINT: A #guint option type.
+ * @JSC_OPTION_SIZE: A #gsize options type.
+ * @JSC_OPTION_DOUBLE: A #gdouble options type.
+ * @JSC_OPTION_STRING: A string option type.
+ * @JSC_OPTION_RANGE_STRING: A range string option type.
+ *
+ * Enum values for options types.
+ *
+ * Since: 2.24
+ */
+
+/**
+ * JSCOptionsFunc:
+ * @option: the option name
+ * @type: the option #JSCOptionType
+ * @description: (nullable): the option description, or %NULL
+ * @user_data: user data
+ *
+ * Function used to iterate options.
+ *
+ * Not that @description string is not localized.
+ *
+ * Returns: %TRUE to stop the iteration, or %FALSE otherwise
+ *
+ * Since: 2.24
+ */
+
+/**
+ * jsc_options_foreach:
+ * @function: (scope call): a #JSCOptionsFunc callback
+ * @user_data: callback user data
+ *
+ * Iterates all available options calling @function for each one. Iteration can
+ * stop early if @function returns %FALSE.
+ *
+ * Since: 2.24
+ */
+void jsc_options_foreach(JSCOptionsFunc function, gpointer userData)
+{
+    g_return_if_fail(function);
+
+#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \
+    if (Options::Availability::availability_ == Options::Availability::Normal \
+        || Options::isAvailable(Options::name_##ID, Options::Availability::availability_)) { \
+        type_ defaultValue { };                                         \
+        auto optionType = jscOptionsType(defaultValue);                 \
+        if (function (#name_, optionType, description_, userData))      \
+            return;                                                     \
+    }
+
+    Options::initialize();
+    JSC_OPTIONS(FOR_EACH_OPTION)
+#undef FOR_EACH_OPTION
+}
+
+static gboolean setOptionEntry(const char* optionNameFull, const char* value, gpointer, GError** error)
+{
+    const char* optionName = optionNameFull + 6; // Remove the --jsc- prefix.
+    GUniquePtr option(g_strdup_printf("%s=%s", optionName, value));
+    if (!Options::setOption(option.get())) {
+        g_set_error(error, G_OPTION_ERROR, G_OPTION_ERROR_BAD_VALUE, "Failed parse value '%s' for %s", value, optionNameFull);
+        return FALSE;
+    }
+    return TRUE;
+}
+
+/**
+ * jsc_options_get_option_group:
+ *
+ * Create a #GOptionGroup to handle JSCOptions as command line arguments.
+ * The options will be exposed as command line arguments with the form
+ * --jsc-<option>=<value>.
+ * Each entry in the returned #GOptionGroup is configured to apply the
+ * corresponding option during command line parsing. Applications only need to
+ * pass the returned group to g_option_context_add_group(), and the rest will
+ * be taken care for automatically.
+ *
+ * Returns: (transfer full): a #GOptionGroup for the JSCOptions
+ *
+ * Since: 2.24
+ */
+GOptionGroup* jsc_options_get_option_group(void)
+{
+    // GOptionEntry works with const strings, so we need to keep the option names around.
+    auto* names = new Vector>;
+    GOptionGroup* group = g_option_group_new("jsc", _("JSC Options"), _("Show JSC Options"), names, [] (gpointer data) {
+        delete static_cast>*>(data);
+    });
+    g_option_group_set_translation_domain(group, GETTEXT_PACKAGE);
+
+    GArray* entries = g_array_new(TRUE, TRUE, sizeof(GOptionEntry));
+#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \
+    if (Options::Availability::availability_ == Options::Availability::Normal \
+        || Options::isAvailable(Options::name_##ID, Options::Availability::availability_)) { \
+        GUniquePtr name(g_strdup_printf("jsc-%s", #name_));       \
+        entries = g_array_set_size(entries, entries->len + 1); \
+        GOptionEntry* entry = &g_array_index(entries, GOptionEntry, entries->len - 1); \
+        entry->long_name = name.get();                                  \
+        entry->arg = G_OPTION_ARG_CALLBACK;                             \
+        entry->arg_data = reinterpret_cast(setOptionEntry);   \
+        entry->description = description_;                              \
+        names->append(WTFMove(name));                                   \
+    }
+
+    Options::initialize();
+    JSC_OPTIONS(FOR_EACH_OPTION)
+#undef FOR_EACH_OPTION
+
+    g_option_group_add_entries(group, reinterpret_cast(entries->data));
+    return group;
+}
+
+/**
+ * JSC_OPTIONS_USE_JIT:
+ *
+ * Allows the executable pages to be allocated for JIT and thunks if %TRUE.
+ * Option type: %JSC_OPTION_BOOLEAN
+ * Default value: %TRUE.
+ *
+ * Since: 2.24
+ */
+
+/**
+ * JSC_OPTIONS_USE_DFG:
+ *
+ * Allows the DFG JIT to be used if %TRUE.
+ * Option type: %JSC_OPTION_BOOLEAN
+ * Default value: %TRUE.
+ *
+ * Since: 2.24
+ */
+
+/**
+ * JSC_OPTIONS_USE_FTL:
+ *
+ * Allows the FTL JIT to be used if %TRUE.
+ * Option type: %JSC_OPTION_BOOLEAN
+ * Default value: %TRUE.
+ *
+ * Since: 2.24
+ */
+
+/**
+ * JSC_OPTIONS_USE_LLINT:
+ *
+ * Allows the LLINT to be used if %TRUE.
+ * Option type: %JSC_OPTION_BOOLEAN
+ * Default value: %TRUE.
+ *
+ * Since: 2.24
+ */
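Review bot: None of the `valueFromGValue` overloads checks that the GValue actually holds the type it reads, so calling an option with the wrong typed entry point (e.g. `jsc_options_set_int("useJIT", 1)`) reaches `g_value_get_boolean` on a G_TYPE_INT value, which per GLib's `g_return_val_if_fail` only logs a critical and yields 0 — `jscOptionsSetValue` then overwrites the option with that bogus value and still returns TRUE. The getters mirror the problem: `valueToGValue` writes into a GValue initialised with a different type, the write is rejected with a critical, and the caller reads back the zero-initialised GValue while `jscOptionsGetValue` reports success. Because these options gate things like executable page allocation (`useJIT`, documented at the bottom of the hunk), a mistyped call should fail rather than be reported as applied; guard each conversion with the matching `G_VALUE_HOLDS_*` predicate, make `valueToGValue` return a bool, and propagate it from `jscOptionsGetValue` as sketched below. Separately, the `jsc_options_foreach` gtk-doc says iteration stops when @function returns %FALSE, but the loop body (`if (function (...)) return;`) and the `JSCOptionsFunc` doc stop on %TRUE — change that sentence to `Iteration can stop early if @function returns %TRUE.` (and "Not that" → "Note that" in the callback doc).
```cpp
static bool valueFromGValue(const GValue* gValue, bool& value)
{
    if (!G_VALUE_HOLDS_BOOLEAN(gValue))
        return false;
    value = g_value_get_boolean(gValue);
    return true;
}

// … same G_VALUE_HOLDS_INT / _UINT / _POINTER / _STRING / _DOUBLE guard in the other valueFromGValue overloads
//     (OptionRange reads a string, GCLogging::Level reads a uint) …

static bool valueToGValue(bool value, GValue* gValue)
{
    if (!G_VALUE_HOLDS_BOOLEAN(gValue))
        return false;
    g_value_set_boolean(gValue, value);
    return true;
}

// … same bool-returning shape for the other valueToGValue overloads …

static gboolean jscOptionsGetValue(const char* option, GValue* value)
{
#define FOR_EACH_OPTION(type_, name_, defaultValue_, availability_, description_) \
    if (!g_strcmp0(#name_, option)) {                                   \
        type_ valueToGet = Options::name_();                            \
        return valueToGValue(valueToGet, value) ? TRUE : FALSE;         \
    }
    // … unchanged: Options::initialize(); JSC_OPTIONS(FOR_EACH_OPTION); return FALSE; …
```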
diff --git a/API/glib/JSCOptions.h b/API/glib/JSCOptions.h
new file mode 100644
index 0000000..dee97b8
--- /dev/null
+++ b/API/glib/JSCOptions.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2019 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCOptions_h
+#define JSCOptions_h
+
+#include 
+#include 
+
+G_BEGIN_DECLS
+
+#define JSC_OPTIONS_USE_JIT   "useJIT"
+#define JSC_OPTIONS_USE_DFG   "useDFGJIT"
+#define JSC_OPTIONS_USE_FTL   "useFTLJIT"
+#define JSC_OPTIONS_USE_LLINT "useLLInt"
+
+JSC_API gboolean
+jsc_options_set_boolean       (const char *option,
+                               gboolean    value);
+JSC_API gboolean
+jsc_options_get_boolean       (const char *option,
+                               gboolean   *value);
+
+JSC_API gboolean
+jsc_options_set_int           (const char *option,
+                               gint        value);
+JSC_API gboolean
+jsc_options_get_int           (const char *option,
+                               gint       *value);
+
+JSC_API gboolean
+jsc_options_set_uint          (const char *option,
+                               guint       value);
+JSC_API gboolean
+jsc_options_get_uint          (const char *option,
+                               guint      *value);
+
+JSC_API gboolean
+jsc_options_set_size          (const char *option,
+                               gsize       value);
+JSC_API gboolean
+jsc_options_get_size          (const char *option,
+                               gsize      *value);
+
+JSC_API gboolean
+jsc_options_set_double        (const char *option,
+                               gdouble     value);
+JSC_API gboolean
+jsc_options_get_double        (const char *option,
+                               gdouble    *value);
+
+JSC_API gboolean
+jsc_options_set_string        (const char *option,
+                               const char *value);
+JSC_API gboolean
+jsc_options_get_string        (const char *option,
+                               char       **value);
+
+JSC_API gboolean
+jsc_options_set_range_string  (const char *option,
+                               const char *value);
+JSC_API gboolean
+jsc_options_get_range_string  (const char *option,
+                               char       **value);
+
+typedef enum {
+    JSC_OPTION_BOOLEAN,
+    JSC_OPTION_INT,
+    JSC_OPTION_UINT,
+    JSC_OPTION_SIZE,
+    JSC_OPTION_DOUBLE,
+    JSC_OPTION_STRING,
+    JSC_OPTION_RANGE_STRING
+} JSCOptionType;
+
+typedef gboolean (* JSCOptionsFunc) (const char    *option,
+                                     JSCOptionType  type,
+                                     const char    *description,
+                                     gpointer       user_data);
+
+JSC_API void
+jsc_options_foreach                 (JSCOptionsFunc function,
+                                     gpointer       user_data);
+
+JSC_API GOptionGroup *
+jsc_options_get_option_group        (void);
+
+G_END_DECLS
+
+#endif /* JSCOptions_h */
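Review bot: The header gives no ownership hint for the `char **value` out-parameters of `jsc_options_get_string` and `jsc_options_get_range_string`, yet the implementation in this commit hands back a `g_value_dup_string` copy, so a caller that does not `g_free()` it leaks on every call. The implementation's gtk-doc marks these only `(out)` without a `(transfer full)` annotation, so neither C callers nor introspection-based bindings can tell who owns the string. I would add above each of the two declarations `/* On success *value is a newly allocated string owned by the caller; release it with g_free(). */` and add `(transfer full)` to the corresponding `@value` annotations. The `JSC_OPTIONS_USE_*` defines would likewise benefit from a one-line comment stating that they are option identifiers for the boolean setter/getter, since their only documentation currently lives in the .cpp file.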
diff --git a/API/glib/JSCValue.cpp b/API/glib/JSCValue.cpp
new file mode 100644
index 0000000..5e17749
--- /dev/null
+++ b/API/glib/JSCValue.cpp
@@ -0,0 +1,1443 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCValue.h"
+
+#include "APICast.h"
+#include "APIUtils.h"
+#include "JSCCallbackFunction.h"
+#include "JSCClassPrivate.h"
+#include "JSCContextPrivate.h"
+#include "JSCInlines.h"
+#include "JSCValuePrivate.h"
+#include "JSRetainPtr.h"
+#include "OpaqueJSString.h"
+#include 
+#include 
+#include 
+#include 
+
+/**
+ * SECTION: JSCValue
+ * @short_description: JavaScript value
+ * @title: JSCValue
+ * @see_also: JSCContext
+ *
+ * JSCValue represents a reference to a value in a #JSCContext. The JSCValue
+ * protects the referenced value from being garbage collected.
+ */
+
+enum {
+    PROP_0,
+
+    PROP_CONTEXT,
+};
+
+struct _JSCValuePrivate {
+    GRefPtr context;
+    JSValueRef jsValue;
+};
+
+WEBKIT_DEFINE_TYPE(JSCValue, jsc_value, G_TYPE_OBJECT)
+
+static void jscValueGetProperty(GObject* object, guint propID, GValue* value, GParamSpec* paramSpec)
+{
+    JSCValuePrivate* priv = JSC_VALUE(object)->priv;
+
+    switch (propID) {
+    case PROP_CONTEXT:
+        g_value_set_object(value, priv->context.get());
+        break;
+    default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propID, paramSpec);
+    }
+}
+
+static void jscValueSetProperty(GObject* object, guint propID, const GValue* value, GParamSpec* paramSpec)
+{
+    JSCValuePrivate* priv = JSC_VALUE(object)->priv;
+
+    switch (propID) {
+    case PROP_CONTEXT:
+        priv->context = JSC_CONTEXT(g_value_get_object(value));
+        break;
+    default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propID, paramSpec);
+    }
+}
+
+static void jscValueDispose(GObject* object)
+{
+    JSCValuePrivate* priv = JSC_VALUE(object)->priv;
+
+    if (priv->context) {
+        auto* jsContext = jscContextGetJSContext(priv->context.get());
+
+        JSValueUnprotect(jsContext, priv->jsValue);
+        jscContextValueDestroyed(priv->context.get(), priv->jsValue);
+        priv->jsValue = nullptr;
+        priv->context = nullptr;
+    }
+
+    G_OBJECT_CLASS(jsc_value_parent_class)->dispose(object);
+}
+
+static void jsc_value_class_init(JSCValueClass* klass)
+{
+    GObjectClass* objClass = G_OBJECT_CLASS(klass);
+
+    objClass->get_property = jscValueGetProperty;
+    objClass->set_property = jscValueSetProperty;
+    objClass->dispose = jscValueDispose;
+
+    /**
+     * JSCValue:context:
+     *
+     * The #JSCContext in which the value was created.
+     */
+    g_object_class_install_property(objClass,
+        PROP_CONTEXT,
+        g_param_spec_object(
+            "context",
+            "JSCContext",
+            "JSC Context",
+            JSC_TYPE_CONTEXT,
+            static_cast(WEBKIT_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY)));
+}
+
+JSValueRef jscValueGetJSValue(JSCValue* value)
+{
+    return value->priv->jsValue;
+}
+
+JSCValue* jscValueCreate(JSCContext* context, JSValueRef jsValue)
+{
+    auto* value = JSC_VALUE(g_object_new(JSC_TYPE_VALUE, "context", context, nullptr));
+    JSValueProtect(jscContextGetJSContext(context), jsValue);
+    value->priv->jsValue = jsValue;
+    return value;
+}
+
+/**
+ * jsc_value_get_context:
+ * @value: a #JSCValue
+ *
+ * Get the #JSCContext in which @value was created.
+ *
+ * Returns: (transfer none): the #JSCValue context.
+ */
+JSCContext* jsc_value_get_context(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    return value->priv->context.get();
+}
+
+/**
+ * jsc_value_new_undefined:
+ * @context: a #JSCContext
+ *
+ * Create a new #JSCValue referencing undefined in @context.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_undefined(JSCContext* context)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    return jscContextGetOrCreateValue(context, JSValueMakeUndefined(jscContextGetJSContext(context))).leakRef();
+}
+
+/**
+ * jsc_value_is_undefined:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is undefined.
+ *
+ * Returns: whether the value is undefined.
+ */
+gboolean jsc_value_is_undefined(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueIsUndefined(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_new_null:
+ * @context: a #JSCContext
+ *
+ * Create a new #JSCValue referencing null in @context.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_null(JSCContext* context)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    return jscContextGetOrCreateValue(context, JSValueMakeNull(jscContextGetJSContext(context))).leakRef();
+}
+
+/**
+ * jsc_value_is_null:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is null.
+ *
+ * Returns: whether the value is null.
+ */
+gboolean jsc_value_is_null(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueIsNull(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_new_number:
+ * @context: a #JSCContext
+ * @number: a number
+ *
+ * Create a new #JSCValue from @number.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_number(JSCContext* context, double number)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    return jscContextGetOrCreateValue(context, JSValueMakeNumber(jscContextGetJSContext(context), number)).leakRef();
+}
+
+/**
+ * jsc_value_is_number:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is a number.
+ *
+ * Returns: whether the value is a number.
+ */
+gboolean jsc_value_is_number(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueIsNumber(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_to_double:
+ * @value: a #JSCValue
+ *
+ * Convert @value to a double.
+ *
+ * Returns: a #gdouble result of the conversion.
+ */
+double jsc_value_to_double(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), std::numeric_limits::quiet_NaN());
+
+    JSCValuePrivate* priv = value->priv;
+    JSValueRef exception = nullptr;
+    auto result = JSValueToNumber(jscContextGetJSContext(priv->context.get()), priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return std::numeric_limits::quiet_NaN();
+
+    return result;
+}
+
+/**
+ * jsc_value_to_int32:
+ * @value: a #JSCValue
+ *
+ * Convert @value to a #gint32.
+ *
+ * Returns: a #gint32 result of the conversion.
+ */
+gint32 jsc_value_to_int32(JSCValue* value)
+{
+    return JSC::toInt32(jsc_value_to_double(value));
+}
+
+/**
+ * jsc_value_new_boolean:
+ * @context: a #JSCContext
+ * @value: a #gboolean
+ *
+ * Create a new #JSCValue from @value
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_boolean(JSCContext* context, gboolean value)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    return jscContextGetOrCreateValue(context, JSValueMakeBoolean(jscContextGetJSContext(context), value)).leakRef();
+}
+
+/**
+ * jsc_value_is_boolean:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is a boolean.
+ *
+ * Returns: whether the value is a boolean.
+ */
+gboolean jsc_value_is_boolean(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueIsBoolean(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_to_boolean:
+ * @value: a #JSCValue
+ *
+ * Convert @value to a boolean.
+ *
+ * Returns: a #gboolean result of the conversion.
+ */
+gboolean jsc_value_to_boolean(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueToBoolean(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_new_string:
+ * @context: a #JSCContext
+ * @string: (nullable): a null-terminated string
+ *
+ * Create a new #JSCValue from @string. If you need to create a #JSCValue from a
+ * string containing null characters, use jsc_value_new_string_from_bytes() instead.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_string(JSCContext* context, const char* string)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    JSValueRef jsStringValue;
+    if (string) {
+        JSRetainPtr jsString(Adopt, JSStringCreateWithUTF8CString(string));
+        jsStringValue = JSValueMakeString(jscContextGetJSContext(context), jsString.get());
+    } else
+        jsStringValue = JSValueMakeString(jscContextGetJSContext(context), nullptr);
+    return jscContextGetOrCreateValue(context, jsStringValue).leakRef();
+}
+
+/**
+ * jsc_value_new_string_from_bytes:
+ * @context: a #JSCContext
+ * @bytes: (nullable): a #GBytes
+ *
+ * Create a new #JSCValue from @bytes.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_string_from_bytes(JSCContext* context, GBytes* bytes)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    if (!bytes)
+        return jsc_value_new_string(context, nullptr);
+
+    gsize dataSize;
+    const auto* data = static_cast(g_bytes_get_data(bytes, &dataSize));
+    auto string = String::fromUTF8(data, dataSize);
+    JSRetainPtr jsString(Adopt, OpaqueJSString::tryCreate(WTFMove(string)).leakRef());
+    return jscContextGetOrCreateValue(context, JSValueMakeString(jscContextGetJSContext(context), jsString.get())).leakRef();
+}
+
+/**
+ * jsc_value_is_string:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is a string
+ *
+ * Returns: whether the value is a string
+ */
+gboolean jsc_value_is_string(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueIsString(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_to_string:
+ * @value: a #JSCValue
+ *
+ * Convert @value to a string. Use jsc_value_to_string_as_bytes() instead, if you need to
+ * handle strings containing null characters.
+ *
+ * Returns: (transfer full): a null-terminated string result of the conversion.
+ */
+char* jsc_value_to_string(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    JSValueRef exception = nullptr;
+    JSRetainPtr jsString(Adopt, JSValueToStringCopy(jscContextGetJSContext(priv->context.get()), priv->jsValue, &exception));
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return nullptr;
+
+    if (!jsString)
+        return nullptr;
+
+    size_t maxSize = JSStringGetMaximumUTF8CStringSize(jsString.get());
+    auto* string = static_cast(g_malloc(maxSize));
+    if (!JSStringGetUTF8CString(jsString.get(), string, maxSize)) {
+        g_free(string);
+        return nullptr;
+    }
+
+    return string;
+}
+
+/**
+ * jsc_value_to_string_as_bytes:
+ * @value: a #JSCValue
+ *
+ * Convert @value to a string and return the results as #GBytes. This is needed
+ * to handle strings with null characters.
+ *
+ * Returns: (transfer full): a #GBytes with the result of the conversion.
+ */
+GBytes* jsc_value_to_string_as_bytes(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    JSValueRef exception = nullptr;
+    JSRetainPtr jsString(Adopt, JSValueToStringCopy(jscContextGetJSContext(priv->context.get()), priv->jsValue, &exception));
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return nullptr;
+
+    if (!jsString)
+        return nullptr;
+
+    size_t maxSize = JSStringGetMaximumUTF8CStringSize(jsString.get());
+    if (maxSize == 1)
+        return g_bytes_new_static("", 0);
+
+    auto* string = static_cast(fastMalloc(maxSize));
+    auto stringSize = JSStringGetUTF8CString(jsString.get(), string, maxSize);
+    if (!stringSize) {
+        fastFree(string);
+        return nullptr;
+    }
+
+    // Ignore the null character added by JSStringGetUTF8CString.
+    return g_bytes_new_with_free_func(string, stringSize - 1, fastFree, string);
+}
+
+/**
+ * jsc_value_new_array: (skip)
+ * @context: a #JSCContext
+ * @first_item_type: #GType of first item, or %G_TYPE_NONE
+ * @...: value of the first item, followed optionally by more type/value pairs, followed by %G_TYPE_NONE.
+ *
+ * Create a new #JSCValue referencing an array with the given items. If @first_item_type
+ * is %G_TYPE_NONE an empty array is created.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_array(JSCContext* context, GType firstItemType, ...)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    JSValueRef exception = nullptr;
+    auto* jsContext = jscContextGetJSContext(context);
+    auto* jsArray = JSObjectMakeArray(jsContext, 0, nullptr, &exception);
+    if (jscContextHandleExceptionIfNeeded(context, exception))
+        return nullptr;
+
+    auto* jsArrayObject = JSValueToObject(jsContext, jsArray, &exception);
+    if (jscContextHandleExceptionIfNeeded(context, exception))
+        return nullptr;
+
+    unsigned index = 0;
+    va_list args;
+    va_start(args, firstItemType);
+    GType itemType = firstItemType;
+    while (itemType != G_TYPE_NONE) {
+        GValue item;
+        GUniqueOutPtr error;
+        G_VALUE_COLLECT_INIT(&item, itemType, args, G_VALUE_NOCOPY_CONTENTS, &error.outPtr());
+        if (error) {
+            exception = toRef(JSC::createTypeError(toJS(jsContext), makeString("failed to collect array item: ", error.get())));
+            jscContextHandleExceptionIfNeeded(context, exception);
+            jsArray = nullptr;
+            break;
+        }
+
+        auto* jsValue = jscContextGValueToJSValue(context, &item, &exception);
+        g_value_unset(&item);
+        if (jscContextHandleExceptionIfNeeded(context, exception)) {
+            jsArray = nullptr;
+            break;
+        }
+
+        JSObjectSetPropertyAtIndex(jsContext, jsArrayObject, index, jsValue, &exception);
+        if (jscContextHandleExceptionIfNeeded(context, exception)) {
+            jsArray = nullptr;
+            break;
+        }
+
+        itemType = va_arg(args, GType);
+        index++;
+    }
+    va_end(args);
+
+    return jsArray ? jscContextGetOrCreateValue(context, jsArray).leakRef() : nullptr;
+}
+
+/**
+ * jsc_value_new_array_from_garray:
+ * @context: a #JSCContext
+ * @array: (nullable) (element-type JSCValue): a #GPtrArray
+ *
+ * Create a new #JSCValue referencing an array with the items from @array. If @array
+ * is %NULL or empty a new empty array will be created. Elements of @array should be
+ * pointers to a #JSCValue.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_array_from_garray(JSCContext* context, GPtrArray* gArray)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    if (!gArray || !gArray->len)
+        return jsc_value_new_array(context, G_TYPE_NONE);
+
+    JSValueRef exception = nullptr;
+    auto* jsArray = jscContextGArrayToJSArray(context, gArray, &exception);
+    if (jscContextHandleExceptionIfNeeded(context, exception))
+        return nullptr;
+
+    return jscContextGetOrCreateValue(context, jsArray).leakRef();
+}
+
+/**
+ * jsc_value_new_array_from_strv:
+ * @context: a #JSCContext
+ * @strv: (array zero-terminated=1) (element-type utf8): a %NULL-terminated array of strings
+ *
+ * Create a new #JSCValue referencing an array of strings with the items from @strv. If @array
+ * is %NULL or empty a new empty array will be created.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_array_from_strv(JSCContext* context, const char* const* strv)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+
+    auto strvLength = strv ? g_strv_length(const_cast(strv)) : 0;
+    if (!strvLength)
+        return jsc_value_new_array(context, G_TYPE_NONE);
+
+    GRefPtr gArray = adoptGRef(g_ptr_array_new_full(strvLength, g_object_unref));
+    for (unsigned i = 0; i < strvLength; i++)
+        g_ptr_array_add(gArray.get(), jsc_value_new_string(context, strv[i]));
+
+    return jsc_value_new_array_from_garray(context, gArray.get());
+}
+
+/**
+ * jsc_value_is_array:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is an array.
+ *
+ * Returns: whether the value is an array.
+ */
+gboolean jsc_value_is_array(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueIsArray(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_new_object:
+ * @context: a #JSCContext
+ * @instance: (nullable) (transfer full): an object instance or %NULL
+ * @jsc_class: (nullable): the #JSCClass of @instance
+ *
+ * Create a new #JSCValue from @instance. If @instance is %NULL a new empty object is created.
+ * When @instance is provided, @jsc_class must be provided too. @jsc_class takes ownership of
+ * @instance that will be freed by the #GDestroyNotify passed to jsc_context_register_class().
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_object(JSCContext* context, gpointer instance, JSCClass* jscClass)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(!instance || JSC_IS_CLASS(jscClass), nullptr);
+
+    return jscContextGetOrCreateValue(context, instance ? toRef(jscClassGetOrCreateJSWrapper(jscClass, context, instance)) : JSObjectMake(jscContextGetJSContext(context), nullptr, nullptr)).leakRef();
+}
+
+/**
+ * jsc_value_is_object:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is an object.
+ *
+ * Returns: whether the value is an object.
+ */
+gboolean jsc_value_is_object(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    return JSValueIsObject(jscContextGetJSContext(priv->context.get()), priv->jsValue);
+}
+
+/**
+ * jsc_value_object_is_instance_of:
+ * @value: a #JSCValue
+ * @name: a class name
+ *
+ * Get whether the value referenced by @value is an instance of class @name.
+ *
+ * Returns: whether the value is an object instance of class @name.
+ */
+gboolean jsc_value_object_is_instance_of(JSCValue* value, const char* name)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+    g_return_val_if_fail(name, FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    // We use evaluate here and not get_value because classes are not necessarily a property of the global object.
+    // http://www.ecma-international.org/ecma-262/6.0/index.html#sec-global-environment-records
+    GRefPtr constructor = adoptGRef(jsc_context_evaluate(priv->context.get(), name, -1));
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, constructor->priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return FALSE;
+
+    gboolean returnValue = JSValueIsInstanceOfConstructor(jsContext, priv->jsValue, object, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return FALSE;
+
+    return returnValue;
+}
+
+/**
+ * jsc_value_object_set_property:
+ * @value: a #JSCValue
+ * @name: the property name
+ * @property: the #JSCValue to set
+ *
+ * Set @property with @name on @value.
+ */
+void jsc_value_object_set_property(JSCValue* value, const char* name, JSCValue* property)
+{
+    g_return_if_fail(JSC_IS_VALUE(value));
+    g_return_if_fail(name);
+    g_return_if_fail(JSC_IS_VALUE(property));
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return;
+
+    JSRetainPtr propertyName(Adopt, JSStringCreateWithUTF8CString(name));
+    JSObjectSetProperty(jsContext, object, propertyName.get(), property->priv->jsValue, kJSPropertyAttributeNone, &exception);
+    jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
+}
+
+/**
+ * jsc_value_object_get_property:
+ * @value: a #JSCValue
+ * @name: the property name
+ *
+ * Get property with @name from @value.
+ *
+ * Returns: (transfer full): the property #JSCValue.
+ */
+JSCValue* jsc_value_object_get_property(JSCValue* value, const char* name)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+    g_return_val_if_fail(name, nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    JSRetainPtr propertyName(Adopt, JSStringCreateWithUTF8CString(name));
+    JSValueRef result = JSObjectGetProperty(jsContext, object, propertyName.get(), &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    return jscContextGetOrCreateValue(priv->context.get(), result).leakRef();
+}
+
+/**
+ * jsc_value_object_set_property_at_index:
+ * @value: a #JSCValue
+ * @index: the property index
+ * @property: the #JSCValue to set
+ *
+ * Set @property at @index on @value.
+ */
+void jsc_value_object_set_property_at_index(JSCValue* value, unsigned index, JSCValue* property)
+{
+    g_return_if_fail(JSC_IS_VALUE(value));
+    g_return_if_fail(JSC_IS_VALUE(property));
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return;
+
+    JSObjectSetPropertyAtIndex(jsContext, object, index, property->priv->jsValue, &exception);
+    jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
+}
+
+/**
+ * jsc_value_object_get_property_at_index:
+ * @value: a #JSCValue
+ * @index: the property index
+ *
+ * Get property at @index from @value.
+ *
+ * Returns: (transfer full): the property #JSCValue.
+ */
+JSCValue* jsc_value_object_get_property_at_index(JSCValue* value, unsigned index)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    JSValueRef result = JSObjectGetPropertyAtIndex(jsContext, object, index, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    return jscContextGetOrCreateValue(priv->context.get(), result).leakRef();
+}
+
+/**
+ * jsc_value_object_has_property:
+ * @value: a #JSCValue
+ * @name: the property name
+ *
+ * Get whether @value has property with @name.
+ *
+ * Returns: %TRUE if @value has a property with @name, or %FALSE otherwise
+ */
+gboolean jsc_value_object_has_property(JSCValue* value, const char* name)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+    g_return_val_if_fail(name, FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return FALSE;
+
+    JSRetainPtr propertyName(Adopt, JSStringCreateWithUTF8CString(name));
+    return JSObjectHasProperty(jsContext, object, propertyName.get());
+}
+
+/**
+ * jsc_value_object_delete_property:
+ * @value: a #JSCValue
+ * @name: the property name
+ *
+ * Try to delete property with @name from @value. This function will return %FALSE if
+ * the property was defined without %JSC_VALUE_PROPERTY_CONFIGURABLE flag.
+ *
+ * Returns: %TRUE if the property was deleted, or %FALSE otherwise.
+ */
+gboolean jsc_value_object_delete_property(JSCValue* value, const char* name)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+    g_return_val_if_fail(name, FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return FALSE;
+
+    JSRetainPtr propertyName(Adopt, JSStringCreateWithUTF8CString(name));
+    gboolean result = JSObjectDeleteProperty(jsContext, object, propertyName.get(), &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return FALSE;
+
+    return result;
+}
+
+/**
+ * jsc_value_object_enumerate_properties:
+ * @value: a #JSCValue
+ *
+ * Get the list of property names of @value. Only properties defined with %JSC_VALUE_PROPERTY_ENUMERABLE
+ * flag will be collected.
+ *
+ * Returns: (array zero-terminated=1) (transfer full) (nullable): a %NULL-terminated array of strings containing the
+ *    property names, or %NULL if @value doesn't have enumerable properties.  Use g_strfreev() to free.
+ */
+char** jsc_value_object_enumerate_properties(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return nullptr;
+
+    auto* propertiesArray = JSObjectCopyPropertyNames(jsContext, object);
+    if (!propertiesArray)
+        return nullptr;
+
+    auto propertiesArraySize = JSPropertyNameArrayGetCount(propertiesArray);
+    if (!propertiesArraySize) {
+        JSPropertyNameArrayRelease(propertiesArray);
+        return nullptr;
+    }
+
+    auto* result = static_cast(g_new0(char*, propertiesArraySize + 1));
+    for (unsigned i = 0; i < propertiesArraySize; ++i) {
+        auto* jsString = JSPropertyNameArrayGetNameAtIndex(propertiesArray, i);
+        size_t maxSize = JSStringGetMaximumUTF8CStringSize(jsString);
+        auto* string = static_cast(g_malloc(maxSize));
+        JSStringGetUTF8CString(jsString, string, maxSize);
+        result[i] = string;
+    }
+    JSPropertyNameArrayRelease(propertiesArray);
+
+    return result;
+}
+
+static JSValueRef jsObjectCall(JSGlobalContextRef jsContext, JSObjectRef function, JSC::JSCCallbackFunction::Type functionType, JSObjectRef thisObject, const Vector& arguments, JSValueRef* exception)
+{
+    switch (functionType) {
+    case JSC::JSCCallbackFunction::Type::Constructor:
+        return JSObjectCallAsConstructor(jsContext, function, arguments.size(), arguments.data(), exception);
+        break;
+    case JSC::JSCCallbackFunction::Type::Method:
+        ASSERT(thisObject);
+        FALLTHROUGH;
+    case JSC::JSCCallbackFunction::Type::Function:
+        return JSObjectCallAsFunction(jsContext, function, thisObject, arguments.size(), arguments.data(), exception);
+        break;
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
+static GRefPtr jscValueCallFunction(JSCValue* value, JSObjectRef function, JSC::JSCCallbackFunction::Type functionType, JSObjectRef thisObject, GType firstParameterType, va_list args)
+{
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+
+    JSValueRef exception = nullptr;
+    Vector arguments;
+    GType parameterType = firstParameterType;
+    while (parameterType != G_TYPE_NONE) {
+        GValue parameter;
+        GUniqueOutPtr error;
+        G_VALUE_COLLECT_INIT(¶meter, parameterType, args, G_VALUE_NOCOPY_CONTENTS, &error.outPtr());
+        if (error) {
+            exception = toRef(JSC::createTypeError(toJS(jsContext), makeString("failed to collect function paramater: ", error.get())));
+            jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
+            return adoptGRef(jsc_value_new_undefined(priv->context.get()));
+        }
+
+        auto* jsValue = jscContextGValueToJSValue(priv->context.get(), ¶meter, &exception);
+        g_value_unset(¶meter);
+        if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+            return jscContextGetOrCreateValue(priv->context.get(), jsValue);
+
+        arguments.append(jsValue);
+        parameterType = va_arg(args, GType);
+    }
+
+    auto result = jsObjectCall(jsContext, function, functionType, thisObject, arguments, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return adoptGRef(jsc_value_new_undefined(priv->context.get()));
+
+    return jscContextGetOrCreateValue(priv->context.get(), result);
+}
+
+/**
+ * jsc_value_object_invoke_method: (skip)
+ * @value: a #JSCValue
+ * @name: the method name
+ * @first_parameter_type: #GType of first parameter, or %G_TYPE_NONE
+ * @...: value of the first parameter, followed optionally by more type/value pairs, followed by %G_TYPE_NONE
+ *
+ * Invoke method with @name on object referenced by @value, passing the given parameters. If
+ * @first_parameter_type is %G_TYPE_NONE no parameters will be passed to the method.
+ * The object instance will be handled automatically even when the method is a custom one
+ * registered with jsc_class_add_method(), so it should never be passed explicitly as parameter
+ * of this function.
+ *
+ * This function always returns a #JSCValue, in case of void methods a #JSCValue referencing
+ * undefined is returned.
+ *
+ * Returns: (transfer full): a #JSCValue with the return value of the method.
+ */
+JSCValue* jsc_value_object_invoke_method(JSCValue* value, const char* name, GType firstParameterType, ...)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+    g_return_val_if_fail(name, nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    JSRetainPtr methodName(Adopt, JSStringCreateWithUTF8CString(name));
+    JSValueRef functionValue = JSObjectGetProperty(jsContext, object, methodName.get(), &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    JSObjectRef function = JSValueToObject(jsContext, functionValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    va_list args;
+    va_start(args, firstParameterType);
+    auto result = jscValueCallFunction(value, function, JSC::JSCCallbackFunction::Type::Method, object, firstParameterType, args);
+    va_end(args);
+
+    return result.leakRef();
+}
+
+/**
+ * jsc_value_object_invoke_methodv: (rename-to jsc_value_object_invoke_method)
+ * @value: a #JSCValue
+ * @name: the method name
+ * @n_parameters: the number of parameters
+ * @parameters: (nullable) (array length=n_parameters) (element-type JSCValue): the #JSCValues to pass as parameters to the method, or %NULL
+ *
+ * Invoke method with @name on object referenced by @value, passing the given @parameters. If
+ * @n_parameters is 0 no parameters will be passed to the method.
+ * The object instance will be handled automatically even when the method is a custom one
+ * registered with jsc_class_add_method(), so it should never be passed explicitly as parameter
+ * of this function.
+ *
+ * This function always returns a #JSCValue, in case of void methods a #JSCValue referencing
+ * undefined is returned.
+ *
+ * Returns: (transfer full): a #JSCValue with the return value of the method.
+ */
+JSCValue* jsc_value_object_invoke_methodv(JSCValue* value, const char* name, unsigned parametersCount, JSCValue** parameters)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+    g_return_val_if_fail(name, nullptr);
+    g_return_val_if_fail(!parametersCount || parameters, nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    JSRetainPtr methodName(Adopt, JSStringCreateWithUTF8CString(name));
+    JSValueRef functionValue = JSObjectGetProperty(jsContext, object, methodName.get(), &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    JSObjectRef function = JSValueToObject(jsContext, functionValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    Vector arguments;
+    if (parametersCount) {
+        arguments.reserveInitialCapacity(parametersCount);
+        for (unsigned i = 0; i < parametersCount; ++i)
+            arguments.uncheckedAppend(jscValueGetJSValue(parameters[i]));
+    }
+
+    auto result = jsObjectCall(jsContext, function, JSC::JSCCallbackFunction::Type::Method, object, arguments, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        jsc_value_new_undefined(priv->context.get());
+
+    return jscContextGetOrCreateValue(priv->context.get(), result).leakRef();
+}
+
+/**
+ * JSCValuePropertyFlags:
+ * @JSC_VALUE_PROPERTY_CONFIGURABLE: the type of the property descriptor may be changed and the
+ *  property may be deleted from the corresponding object.
+ * @JSC_VALUE_PROPERTY_ENUMERABLE: the property shows up during enumeration of the properties on
+ *  the corresponding object.
+ * @JSC_VALUE_PROPERTY_WRITABLE: the value associated with the property may be changed with an
+ *  assignment operator. This doesn't have any effect when passed to jsc_value_object_define_property_accessor().
+ *
+ * Flags used when defining properties with jsc_value_object_define_property_data() and
+ * jsc_value_object_define_property_accessor().
+ */
+
+/**
+ * jsc_value_object_define_property_data:
+ * @value: a #JSCValue
+ * @property_name: the name of the property to define
+ * @flags: #JSCValuePropertyFlags
+ * @property_value: (nullable): the default property value
+ *
+ * Define or modify a property with @property_name in object referenced by @value. This is equivalent to
+ * JavaScript Object.defineProperty() when used with a data descriptor.
+ */
+void jsc_value_object_define_property_data(JSCValue* value, const char* propertyName, JSCValuePropertyFlags flags, JSCValue* propertyValue)
+{
+    g_return_if_fail(JSC_IS_VALUE(value));
+    g_return_if_fail(propertyName);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSC::ExecState* exec = toJS(jsContext);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    JSC::JSValue jsValue = toJS(exec, priv->jsValue);
+    JSC::JSObject* object = jsValue.toObject(exec);
+    JSValueRef exception = nullptr;
+    if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) {
+        jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
+        return;
+    }
+
+    auto name = OpaqueJSString::tryCreate(String::fromUTF8(propertyName));
+    if (!name)
+        return;
+
+    JSC::PropertyDescriptor descriptor;
+    descriptor.setValue(toJS(exec, propertyValue->priv->jsValue));
+    descriptor.setEnumerable(flags & JSC_VALUE_PROPERTY_ENUMERABLE);
+    descriptor.setConfigurable(flags & JSC_VALUE_PROPERTY_CONFIGURABLE);
+    descriptor.setWritable(flags & JSC_VALUE_PROPERTY_WRITABLE);
+    object->methodTable(vm)->defineOwnProperty(object, exec, name->identifier(&vm), descriptor, true);
+    if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) {
+        jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
+        return;
+    }
+}
+
+/**
+ * jsc_value_object_define_property_accessor:
+ * @value: a #JSCValue
+ * @property_name: the name of the property to define
+ * @flags: #JSCValuePropertyFlags
+ * @property_type: the #GType of the property
+ * @getter: (scope async) (nullable): a #GCallback to be called to get the property value
+ * @setter: (scope async) (nullable): a #GCallback to be called to set the property value
+ * @user_data: (closure): user data to pass to @getter and @setter
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ *
+ * Define or modify a property with @property_name in object referenced by @value. When the
+ * property value needs to be getted or set, @getter and @setter callbacks will be called.
+ * When the property is cleared in the #JSCClass context, @destroy_notify is called with
+ * @user_data as parameter. This is equivalent to JavaScript Object.defineProperty()
+ * when used with an accessor descriptor.
+ *
+ * Note that the value returned by @getter must be fully transferred. In case of boxed types, you could use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as instance parameter.
+ */
+void jsc_value_object_define_property_accessor(JSCValue* value, const char* propertyName, JSCValuePropertyFlags flags, GType propertyType, GCallback getter, GCallback setter, gpointer userData, GDestroyNotify destroyNotify)
+{
+    g_return_if_fail(JSC_IS_VALUE(value));
+    g_return_if_fail(propertyName);
+    g_return_if_fail(propertyType != G_TYPE_INVALID && propertyType != G_TYPE_NONE);
+    g_return_if_fail(getter || setter);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSC::ExecState* exec = toJS(jsContext);
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
+
+    JSC::JSValue jsValue = toJS(exec, priv->jsValue);
+    JSC::JSObject* object = jsValue.toObject(exec);
+    JSValueRef exception = nullptr;
+    if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) {
+        jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
+        return;
+    }
+
+    auto name = OpaqueJSString::tryCreate(String::fromUTF8(propertyName));
+    if (!name)
+        return;
+
+    JSC::PropertyDescriptor descriptor;
+    descriptor.setEnumerable(flags & JSC_VALUE_PROPERTY_ENUMERABLE);
+    descriptor.setConfigurable(flags & JSC_VALUE_PROPERTY_CONFIGURABLE);
+    if (getter) {
+        GRefPtr closure = adoptGRef(g_cclosure_new(getter, userData, reinterpret_cast(reinterpret_cast(destroyNotify))));
+        auto function = JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), "get"_s,
+            JSC::JSCCallbackFunction::Type::Method, nullptr, WTFMove(closure), propertyType, Vector { });
+        descriptor.setGetter(function);
+    }
+    if (setter) {
+        GRefPtr closure = adoptGRef(g_cclosure_new(setter, userData, getter ? nullptr : reinterpret_cast(reinterpret_cast(destroyNotify))));
+        auto function = JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), "set"_s,
+            JSC::JSCCallbackFunction::Type::Method, nullptr, WTFMove(closure), G_TYPE_NONE, Vector { propertyType });
+        descriptor.setSetter(function);
+    }
+    object->methodTable(vm)->defineOwnProperty(object, exec, name->identifier(&vm), descriptor, true);
+    if (handleExceptionIfNeeded(scope, exec, &exception) == ExceptionStatus::DidThrow) {
+        jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
+        return;
+    }
+}
+
+static GRefPtr jscValueFunctionCreate(JSCContext* context, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, Optional>&& parameters)
+{
+    GRefPtr closure;
+    // If the function doesn't have arguments, we need to swap the fake instance and user data to ensure
+    // user data is the first parameter and fake instance ignored.
+    if (parameters && parameters->isEmpty() && userData)
+        closure = adoptGRef(g_cclosure_new_swap(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify))));
+    else
+        closure = adoptGRef(g_cclosure_new(callback, userData, reinterpret_cast(reinterpret_cast(destroyNotify))));
+    JSC::ExecState* exec = toJS(jscContextGetJSContext(context));
+    JSC::VM& vm = exec->vm();
+    JSC::JSLockHolder locker(vm);
+    auto* functionObject = toRef(JSC::JSCCallbackFunction::create(vm, exec->lexicalGlobalObject(), name ? String::fromUTF8(name) : "anonymous"_s,
+        JSC::JSCCallbackFunction::Type::Function, nullptr, WTFMove(closure), returnType, WTFMove(parameters)));
+    return jscContextGetOrCreateValue(context, functionObject);
+}
+
+/**
+ * jsc_value_new_function: (skip)
+ * @context: a #JSCContext:
+ * @name: (nullable): the function name or %NULL
+ * @callback: (scope async): a #GCallback.
+ * @user_data: (closure): user data to pass to @callback.
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the function return value, or %G_TYPE_NONE if the function is void.
+ * @n_params: the number of parameter types to follow or 0 if the function doesn't receive parameters.
+ * @...: a list of #GTypes, one for each parameter.
+ *
+ * Create a function in @context. If @name is %NULL an anonymous function will be created.
+ * When the function is called by JavaScript or jsc_value_function_call(), @callback is called
+ * receiving the function parameters and then @user_data as last parameter. When the function is
+ * cleared in @context, @destroy_notify is called with @user_data as parameter.
+ *
+ * Note that the value returned by @callback must be fully transferred. In case of boxed types, you could use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as instance parameter.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_function(JSCContext* context, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, unsigned paramCount, ...)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(callback, nullptr);
+
+    va_list args;
+    va_start(args, paramCount);
+    Vector parameters;
+    if (paramCount) {
+        parameters.reserveInitialCapacity(paramCount);
+        for (unsigned i = 0; i < paramCount; ++i)
+            parameters.uncheckedAppend(va_arg(args, GType));
+    }
+    va_end(args);
+
+    return jscValueFunctionCreate(context, name, callback, userData, destroyNotify, returnType, WTFMove(parameters)).leakRef();
+}
+
+/**
+ * jsc_value_new_functionv: (rename-to jsc_value_new_function)
+ * @context: a #JSCContext
+ * @name: (nullable): the function name or %NULL
+ * @callback: (scope async): a #GCallback.
+ * @user_data: (closure): user data to pass to @callback.
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the function return value, or %G_TYPE_NONE if the function is void.
+ * @n_parameters: the number of parameters
+ * @parameter_types: (nullable) (array length=n_parameters) (element-type GType): a list of #GTypes, one for each parameter, or %NULL
+ *
+ * Create a function in @context. If @name is %NULL an anonymous function will be created.
+ * When the function is called by JavaScript or jsc_value_function_call(), @callback is called
+ * receiving the function parameters and then @user_data as last parameter. When the function is
+ * cleared in @context, @destroy_notify is called with @user_data as parameter.
+ *
+ * Note that the value returned by @callback must be fully transferred. In case of boxed types, you could use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as instance parameter.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_functionv(JSCContext* context, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType, unsigned parametersCount, GType *parameterTypes)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(callback, nullptr);
+    g_return_val_if_fail(!parametersCount || parameterTypes, nullptr);
+
+    Vector parameters;
+    if (parametersCount) {
+        parameters.reserveInitialCapacity(parametersCount);
+        for (unsigned i = 0; i < parametersCount; ++i)
+            parameters.uncheckedAppend(parameterTypes[i]);
+    }
+
+    return jscValueFunctionCreate(context, name, callback, userData, destroyNotify, returnType, WTFMove(parameters)).leakRef();
+}
+
+/**
+ * jsc_value_new_function_variadic:
+ * @context: a #JSCContext
+ * @name: (nullable): the function name or %NULL
+ * @callback: (scope async): a #GCallback.
+ * @user_data: (closure): user data to pass to @callback.
+ * @destroy_notify: (nullable): destroy notifier for @user_data
+ * @return_type: the #GType of the function return value, or %G_TYPE_NONE if the function is void.
+ *
+ * Create a function in @context. If @name is %NULL an anonymous function will be created.
+ * When the function is called by JavaScript or jsc_value_function_call(), @callback is called
+ * receiving an #GPtrArray of #JSCValues with the arguments and then @user_data as last parameter.
+ * When the function is cleared in @context, @destroy_notify is called with @user_data as parameter.
+ *
+ * Note that the value returned by @callback must be fully transferred. In case of boxed types, you could use
+ * %G_TYPE_POINTER instead of the actual boxed #GType to ensure that the instance owned by #JSCClass is used.
+ * If you really want to return a new copy of the boxed type, use #JSC_TYPE_VALUE and return a #JSCValue created
+ * with jsc_value_new_object() that receives the copy as instance parameter.
+ *
+ * Returns: (transfer full): a #JSCValue.
+ */
+JSCValue* jsc_value_new_function_variadic(JSCContext* context, const char* name, GCallback callback, gpointer userData, GDestroyNotify destroyNotify, GType returnType)
+{
+    g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
+    g_return_val_if_fail(callback, nullptr);
+
+    return jscValueFunctionCreate(context, name, callback, userData, destroyNotify, returnType, WTF::nullopt).leakRef();
+}
+
+/**
+ * jsc_value_is_function:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is a function
+ *
+ * Returns: whether the value is a function.
+ */
+gboolean jsc_value_is_function(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    return !exception ? JSObjectIsFunction(jsContext, object) : FALSE;
+}
+
+/**
+ * jsc_value_function_call: (skip)
+ * @value: a #JSCValue
+ * @first_parameter_type: #GType of first parameter, or %G_TYPE_NONE
+ * @...: value of the first parameter, followed optionally by more type/value pairs, followed by %G_TYPE_NONE
+ *
+ * Call function referenced by @value, passing the given parameters. If @first_parameter_type
+ * is %G_TYPE_NONE no parameters will be passed to the function.
+ *
+ * This function always returns a #JSCValue, in case of void functions a #JSCValue referencing
+ * undefined is returned
+ *
+ * Returns: (transfer full): a #JSCValue with the return value of the function.
+ */
+JSCValue* jsc_value_function_call(JSCValue* value, GType firstParameterType, ...)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef function = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    va_list args;
+    va_start(args, firstParameterType);
+    auto result = jscValueCallFunction(value, function, JSC::JSCCallbackFunction::Type::Function, nullptr, firstParameterType, args);
+    va_end(args);
+
+    return result.leakRef();
+}
+
+/**
+ * jsc_value_function_callv: (rename-to jsc_value_function_call)
+ * @value: a #JSCValue
+ * @n_parameters: the number of parameters
+ * @parameters: (nullable) (array length=n_parameters) (element-type JSCValue): the #JSCValues to pass as parameters to the function, or %NULL
+ *
+ * Call function referenced by @value, passing the given @parameters. If @n_parameters
+ * is 0 no parameters will be passed to the function.
+ *
+ * This function always returns a #JSCValue, in case of void functions a #JSCValue referencing
+ * undefined is returned
+ *
+ * Returns: (transfer full): a #JSCValue with the return value of the function.
+ */
+JSCValue* jsc_value_function_callv(JSCValue* value, unsigned parametersCount, JSCValue** parameters)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+    g_return_val_if_fail(!parametersCount || parameters, nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef function = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    Vector arguments;
+    if (parametersCount) {
+        arguments.reserveInitialCapacity(parametersCount);
+        for (unsigned i = 0; i < parametersCount; ++i)
+            arguments.uncheckedAppend(jscValueGetJSValue(parameters[i]));
+    }
+
+    auto result = jsObjectCall(jsContext, function, JSC::JSCCallbackFunction::Type::Function, nullptr, arguments, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    return jscContextGetOrCreateValue(priv->context.get(), result).leakRef();
+}
+
+/**
+ * jsc_value_is_constructor:
+ * @value: a #JSCValue
+ *
+ * Get whether the value referenced by @value is a constructor.
+ *
+ * Returns: whether the value is a constructor.
+ */
+gboolean jsc_value_is_constructor(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), FALSE);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef object = JSValueToObject(jsContext, priv->jsValue, &exception);
+    return !exception ? JSObjectIsConstructor(jsContext, object) : FALSE;
+}
+
+/**
+ * jsc_value_constructor_call: (skip)
+ * @value: a #JSCValue
+ * @first_parameter_type: #GType of first parameter, or %G_TYPE_NONE
+ * @...: value of the first parameter, followed optionally by more type/value pairs, followed by %G_TYPE_NONE
+ *
+ * Invoke new with constructor referenced by @value. If @first_parameter_type
+ * is %G_TYPE_NONE no parameters will be passed to the constructor.
+ *
+ * Returns: (transfer full): a #JSCValue referencing the newly created object instance.
+ */
+JSCValue* jsc_value_constructor_call(JSCValue* value, GType firstParameterType, ...)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef function = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    va_list args;
+    va_start(args, firstParameterType);
+    auto result = jscValueCallFunction(value, function, JSC::JSCCallbackFunction::Type::Constructor, nullptr, firstParameterType, args);
+    va_end(args);
+
+    return result.leakRef();
+}
+
+/**
+ * jsc_value_constructor_callv: (rename-to jsc_value_constructor_call)
+ * @value: a #JSCValue
+ * @n_parameters: the number of parameters
+ * @parameters: (nullable) (array length=n_parameters) (element-type JSCValue): the #JSCValues to pass as parameters to the constructor, or %NULL
+ *
+ * Invoke new with constructor referenced by @value. If @n_parameters
+ * is 0 no parameters will be passed to the constructor.
+ *
+ * Returns: (transfer full): a #JSCValue referencing the newly created object instance.
+ */
+JSCValue* jsc_value_constructor_callv(JSCValue* value, unsigned parametersCount, JSCValue** parameters)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+    g_return_val_if_fail(!parametersCount || parameters, nullptr);
+
+    JSCValuePrivate* priv = value->priv;
+    auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSValueRef exception = nullptr;
+    JSObjectRef function = JSValueToObject(jsContext, priv->jsValue, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    Vector arguments;
+    if (parametersCount) {
+        arguments.reserveInitialCapacity(parametersCount);
+        for (unsigned i = 0; i < parametersCount; ++i)
+            arguments.uncheckedAppend(jscValueGetJSValue(parameters[i]));
+    }
+
+    auto result = jsObjectCall(jsContext, function, JSC::JSCCallbackFunction::Type::Constructor, nullptr, arguments, &exception);
+    if (jscContextHandleExceptionIfNeeded(priv->context.get(), exception))
+        return jsc_value_new_undefined(priv->context.get());
+
+    return jscContextGetOrCreateValue(priv->context.get(), result).leakRef();
+}
diff --git a/API/glib/JSCValue.h b/API/glib/JSCValue.h
new file mode 100644
index 0000000..fae6267
--- /dev/null
+++ b/API/glib/JSCValue.h
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCValue_h
+#define JSCValue_h
+
+#include 
+#include 
+
+G_BEGIN_DECLS
+
+#define JSC_TYPE_VALUE            (jsc_value_get_type())
+#define JSC_VALUE(obj)            (G_TYPE_CHECK_INSTANCE_CAST((obj), JSC_TYPE_VALUE, JSCValue))
+#define JSC_IS_VALUE(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), JSC_TYPE_VALUE))
+#define JSC_VALUE_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST((klass),  JSC_TYPE_VALUE, JSCValueClass))
+#define JSC_IS_VALUE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass),  JSC_TYPE_VALUE))
+#define JSC_VALUE_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS((obj),  JSC_TYPE_VALUE, JSCValueClass))
+
+typedef struct _JSCValue JSCValue;
+typedef struct _JSCValueClass JSCValueClass;
+typedef struct _JSCValuePrivate JSCValuePrivate;
+
+typedef struct _JSCClass JSCClass;
+typedef struct _JSCContext JSCContext;
+
+typedef enum {
+    JSC_VALUE_PROPERTY_CONFIGURABLE = 1 << 0,
+    JSC_VALUE_PROPERTY_ENUMERABLE   = 1 << 1,
+    JSC_VALUE_PROPERTY_WRITABLE     = 1 << 2
+} JSCValuePropertyFlags;
+
+struct _JSCValue {
+    GObject parent;
+
+    /*< private >*/
+    JSCValuePrivate *priv;
+};
+
+struct _JSCValueClass {
+    GObjectClass parent_class;
+
+    void (*_jsc_reserved0) (void);
+    void (*_jsc_reserved1) (void);
+    void (*_jsc_reserved2) (void);
+    void (*_jsc_reserved3) (void);
+};
+
+JSC_API GType
+jsc_value_get_type                        (void);
+
+JSC_API JSCContext *
+jsc_value_get_context                     (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_new_undefined                   (JSCContext           *context);
+
+JSC_API gboolean
+jsc_value_is_undefined                    (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_new_null                        (JSCContext           *context);
+
+JSC_API gboolean
+jsc_value_is_null                         (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_new_number                      (JSCContext           *context,
+                                           double                number);
+JSC_API gboolean
+jsc_value_is_number                       (JSCValue             *value);
+
+JSC_API double
+jsc_value_to_double                       (JSCValue             *value);
+
+JSC_API gint32
+jsc_value_to_int32                        (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_new_boolean                     (JSCContext           *context,
+                                           gboolean              value);
+JSC_API gboolean
+jsc_value_is_boolean                      (JSCValue             *value);
+
+JSC_API gboolean
+jsc_value_to_boolean                      (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_new_string                      (JSCContext           *context,
+                                           const char           *string);
+
+JSC_API JSCValue *
+jsc_value_new_string_from_bytes           (JSCContext           *context,
+                                           GBytes               *bytes);
+
+JSC_API gboolean
+jsc_value_is_string                       (JSCValue             *value);
+
+JSC_API char *
+jsc_value_to_string                       (JSCValue             *value);
+
+JSC_API GBytes *
+jsc_value_to_string_as_bytes              (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_new_array                       (JSCContext           *context,
+                                           GType                 first_item_type,
+                                           ...);
+
+JSC_API JSCValue *
+jsc_value_new_array_from_garray           (JSCContext           *context,
+                                           GPtrArray            *array);
+
+JSC_API JSCValue *
+jsc_value_new_array_from_strv             (JSCContext           *context,
+                                           const char *const    *strv);
+
+JSC_API gboolean
+jsc_value_is_array                        (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_new_object                      (JSCContext           *context,
+                                           gpointer              instance,
+                                           JSCClass             *jsc_class);
+
+JSC_API gboolean
+jsc_value_is_object                       (JSCValue             *value);
+
+JSC_API gboolean
+jsc_value_object_is_instance_of           (JSCValue             *value,
+                                           const char           *name);
+
+JSC_API void
+jsc_value_object_set_property             (JSCValue             *value,
+                                           const char           *name,
+                                           JSCValue             *property);
+
+JSC_API JSCValue *
+jsc_value_object_get_property             (JSCValue             *value,
+                                           const char           *name);
+
+JSC_API void
+jsc_value_object_set_property_at_index    (JSCValue             *value,
+                                           guint                 index,
+                                           JSCValue             *property);
+
+JSC_API JSCValue *
+jsc_value_object_get_property_at_index    (JSCValue             *value,
+                                           guint                 index);
+
+JSC_API gboolean
+jsc_value_object_has_property             (JSCValue             *value,
+                                           const char           *name);
+
+JSC_API gboolean
+jsc_value_object_delete_property          (JSCValue             *value,
+                                           const char           *name);
+
+JSC_API gchar **
+jsc_value_object_enumerate_properties     (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_object_invoke_method            (JSCValue             *value,
+                                           const char           *name,
+                                           GType                 first_parameter_type,
+                                           ...) G_GNUC_WARN_UNUSED_RESULT;
+
+JSC_API JSCValue *
+jsc_value_object_invoke_methodv           (JSCValue             *value,
+                                           const char           *name,
+                                           guint                 n_parameters,
+                                           JSCValue            **parameters) G_GNUC_WARN_UNUSED_RESULT;
+
+JSC_API void
+jsc_value_object_define_property_data     (JSCValue             *value,
+                                           const char           *property_name,
+                                           JSCValuePropertyFlags flags,
+                                           JSCValue             *property_value);
+
+JSC_API void
+jsc_value_object_define_property_accessor (JSCValue             *value,
+                                           const char           *property_name,
+                                           JSCValuePropertyFlags flags,
+                                           GType                 property_type,
+                                           GCallback             getter,
+                                           GCallback             setter,
+                                           gpointer              user_data,
+                                           GDestroyNotify        destroy_notify);
+
+JSC_API JSCValue *
+jsc_value_new_function                    (JSCContext           *context,
+                                           const char           *name,
+                                           GCallback             callback,
+                                           gpointer              user_data,
+                                           GDestroyNotify        destroy_notify,
+                                           GType                 return_type,
+                                           guint                 n_params,
+                                           ...);
+
+JSC_API JSCValue *
+jsc_value_new_functionv                   (JSCContext           *context,
+                                           const char           *name,
+                                           GCallback             callback,
+                                           gpointer              user_data,
+                                           GDestroyNotify        destroy_notify,
+                                           GType                 return_type,
+                                           guint                 n_parameters,
+                                           GType                *parameter_types);
+
+JSC_API JSCValue *
+jsc_value_new_function_variadic           (JSCContext           *context,
+                                           const char           *name,
+                                           GCallback             callback,
+                                           gpointer              user_data,
+                                           GDestroyNotify        destroy_notify,
+                                           GType                 return_type);
+
+JSC_API gboolean
+jsc_value_is_function                     (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_function_call                   (JSCValue             *value,
+                                           GType                 first_parameter_type,
+                                           ...) G_GNUC_WARN_UNUSED_RESULT;
+
+JSC_API JSCValue *
+jsc_value_function_callv                  (JSCValue             *value,
+                                           guint                 n_parameters,
+                                           JSCValue            **parameters) G_GNUC_WARN_UNUSED_RESULT;
+
+JSC_API gboolean
+jsc_value_is_constructor                  (JSCValue             *value);
+
+JSC_API JSCValue *
+jsc_value_constructor_call                (JSCValue             *value,
+                                           GType                 first_parameter_type,
+                                           ...);
+
+JSC_API JSCValue *
+jsc_value_constructor_callv               (JSCValue             *value,
+                                           guint                 n_parameters,
+                                           JSCValue            **parameters);
+
+G_END_DECLS
+
+#endif /* JSCValue_h */
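Review bot: `jsc_value_constructor_call` and `jsc_value_constructor_callv` return a `(transfer full)` #JSCValue but, unlike `jsc_value_function_call`, `jsc_value_function_callv` and the two `jsc_value_object_invoke_method*` prototypes earlier in this header, they are not annotated `G_GNUC_WARN_UNUSED_RESULT`, so a caller that discards the newly constructed instance silently leaks a reference. The two declarations should close with `...) G_GNUC_WARN_UNUSED_RESULT;` and `JSCValue            **parameters) G_GNUC_WARN_UNUSED_RESULT;` respectively, matching the function-call variants. The attribute costs nothing and the header already relies on it for the other entry points that hand back an owned result.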
diff --git a/API/glib/JSCValuePrivate.h b/API/glib/JSCValuePrivate.h
new file mode 100644
index 0000000..6214435
--- /dev/null
+++ b/API/glib/JSCValuePrivate.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#pragma once
+
+#include "JSCValue.h"
+
+JSValueRef jscValueGetJSValue(JSCValue*);
+JSCValue* jscValueCreate(JSCContext*, JSValueRef);
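Review bot: Both prototypes in this private header use `JSValueRef`, but its only include is `JSCValue.h`, and nothing in that public header's visible declarations suggests it pulls in the JavaScriptCore C API (the two include names on its own include lines are stripped in this view, so this may already be covered). If it is not, the header only compiles when the including translation unit has already included the C API, which is a fragile ordering dependency for a header meant to be included from several .cpp files; adding `#include <JavaScriptCore/JSBase.h>` after `#include "JSCValue.h"` makes it self-contained. It would also help readers to state ownership next to the prototypes, e.g. `// Borrowed; the JSValueRef is owned by the JSCValue.` on `jscValueGetJSValue` and `// Returns a new reference that the caller owns.` on `jscValueCreate`, if that is the intended contract — the definitions live in JSCValue.cpp and are not visible here.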
diff --git a/API/glib/JSCVersion.cpp b/API/glib/JSCVersion.cpp
new file mode 100644
index 0000000..4bd7aa9
--- /dev/null
+++ b/API/glib/JSCVersion.cpp
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCVersion.h"
+
+/**
+ * SECTION: JSCVersion
+ * @Short_description: Provides the JavaScriptCore version
+ * @Title: JSCVersion
+ *
+ * Provides convenience functions returning JavaScriptCore's major, minor and
+ * micro versions of the JavaScriptCore library your code is running
+ * against. This is not necessarily the same as the
+ * #JSC_MAJOR_VERSION, #JSC_MINOR_VERSION or
+ * #JSC_MICRO_VERSION, which represent the version of the JavaScriptCore
+ * headers included when compiling the code.
+ *
+ */
+
+/**
+ * jsc_get_major_version:
+ *
+ * Returns the major version number of the JavaScriptCore library.
+ * (e.g. in JavaScriptCore version 1.8.3 this is 1.)
+ *
+ * This function is in the library, so it represents the JavaScriptCore library
+ * your code is running against. Contrast with the #JSC_MAJOR_VERSION
+ * macro, which represents the major version of the JavaScriptCore headers you
+ * have included when compiling your code.
+ *
+ * Returns: the major version number of the JavaScriptCore library
+ */
+guint jsc_get_major_version(void)
+{
+    return JSC_MAJOR_VERSION;
+}
+
+/**
+ * jsc_get_minor_version:
+ *
+ * Returns the minor version number of the JavaScriptCore library.
+ * (e.g. in JavaScriptCore version 1.8.3 this is 8.)
+ *
+ * This function is in the library, so it represents the JavaScriptCore library
+ * your code is running against. Contrast with the #JSC_MINOR_VERSION
+ * macro, which represents the minor version of the JavaScriptCore headers you
+ * have included when compiling your code.
+ *
+ * Returns: the minor version number of the JavaScriptCore library
+ */
+guint jsc_get_minor_version(void)
+{
+    return JSC_MINOR_VERSION;
+}
+
+/**
+ * jsc_get_micro_version:
+ *
+ * Returns the micro version number of the JavaScriptCore library.
+ * (e.g. in JavaScriptCore version 1.8.3 this is 3.)
+ *
+ * This function is in the library, so it represents the JavaScriptCore library
+ * your code is running against. Contrast with the #JSC_MICRO_VERSION
+ * macro, which represents the micro version of the JavaScriptCore headers you
+ * have included when compiling your code.
+ *
+ * Returns: the micro version number of the JavaScriptCore library
+ */
+guint jsc_get_micro_version(void)
+{
+    return JSC_MICRO_VERSION;
+}
diff --git a/API/glib/JSCVersion.h.in b/API/glib/JSCVersion.h.in
new file mode 100644
index 0000000..c445f45
--- /dev/null
+++ b/API/glib/JSCVersion.h.in
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCVersion_h
+#define JSCVersion_h
+
+#include 
+
+G_BEGIN_DECLS
+
+/**
+ * JSC_MAJOR_VERSION:
+ *
+ * Like jsc_get_major_version(), but from the headers used at
+ * application compile time, rather than from the library linked
+ * against at application run time.
+ */
+#define JSC_MAJOR_VERSION (@PROJECT_VERSION_MAJOR@)
+
+/**
+ * JSC_MINOR_VERSION:
+ *
+ * Like jsc_get_minor_version(), but from the headers used at
+ * application compile time, rather than from the library linked
+ * against at application run time.
+ */
+#define JSC_MINOR_VERSION (@PROJECT_VERSION_MINOR@)
+
+/**
+ * JSC_MICRO_VERSION:
+ *
+ * Like jsc_get_micro_version(), but from the headers used at
+ * application compile time, rather than from the library linked
+ * against at application run time.
+ */
+#define JSC_MICRO_VERSION (@PROJECT_VERSION_MICRO@)
+
+/**
+ * JSC_CHECK_VERSION:
+ * @major: major version (e.g. 1 for version 1.2.5)
+ * @minor: minor version (e.g. 2 for version 1.2.5)
+ * @micro: micro version (e.g. 5 for version 1.2.5)
+ *
+ * Returns: %TRUE if the version of the JavaScriptCore header files
+ * is the same as or newer than the passed-in version.
+ */
+#define JSC_CHECK_VERSION(major, minor, micro) \
+    (JSC_MAJOR_VERSION > (major) || \
+    (JSC_MAJOR_VERSION == (major) && JSC_MINOR_VERSION > (minor)) || \
+    (JSC_MAJOR_VERSION == (major) && JSC_MINOR_VERSION == (minor) && \
+     JSC_MICRO_VERSION >= (micro)))
+
+JSC_API guint
+jsc_get_major_version (void);
+
+JSC_API guint
+jsc_get_minor_version (void);
+
+JSC_API guint
+jsc_get_micro_version (void);
+
+G_END_DECLS
+
+#endif /* JSCVersion_h */
diff --git a/API/glib/JSCVirtualMachine.cpp b/API/glib/JSCVirtualMachine.cpp
new file mode 100644
index 0000000..c061afe
--- /dev/null
+++ b/API/glib/JSCVirtualMachine.cpp
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCVirtualMachine.h"
+
+#include "JSCContextPrivate.h"
+#include "JSCVirtualMachinePrivate.h"
+#include 
+#include 
+#include 
+
+/**
+ * SECTION: JSCVirtualMachine
+ * @short_description: JavaScript Virtual Machine
+ * @title: JSCVirtualMachine
+ * @see_also: JSCContext
+ *
+ * JSCVirtualMachine represents a group of JSCContexts. It allows
+ * concurrent JavaScript exeution by creating a different instance of
+ * JSCVirtualMachine in each thread.
+ *
+ * To create a group of JSCContexts pass the same JSCVirtualMachine
+ * instance to every JSCContext constructor.
+ */
+
+struct _JSCVirtualMachinePrivate {
+    JSContextGroupRef jsContextGroup;
+    HashMap contextCache;
+};
+
+WEBKIT_DEFINE_TYPE(JSCVirtualMachine, jsc_virtual_machine, G_TYPE_OBJECT)
+
+static Lock wrapperCacheMutex;
+
+static HashMap& wrapperMap()
+{
+    static NeverDestroyed> map;
+    return map;
+}
+
+static void addWrapper(JSContextGroupRef group, JSCVirtualMachine* vm)
+{
+    std::lock_guard lock(wrapperCacheMutex);
+    ASSERT(!wrapperMap().contains(group));
+    wrapperMap().set(group, vm);
+}
+
+static void removeWrapper(JSContextGroupRef group)
+{
+    std::lock_guard lock(wrapperCacheMutex);
+    ASSERT(wrapperMap().contains(group));
+    wrapperMap().remove(group);
+}
+
+static void jscVirtualMachineSetContextGroup(JSCVirtualMachine *vm, JSContextGroupRef group)
+{
+    if (group) {
+        ASSERT(!vm->priv->jsContextGroup);
+        vm->priv->jsContextGroup = group;
+        JSContextGroupRetain(vm->priv->jsContextGroup);
+        addWrapper(vm->priv->jsContextGroup, vm);
+    } else if (vm->priv->jsContextGroup) {
+        removeWrapper(vm->priv->jsContextGroup);
+        JSContextGroupRelease(vm->priv->jsContextGroup);
+        vm->priv->jsContextGroup = nullptr;
+    }
+}
+
+static void jscVirtualMachineEnsureContextGroup(JSCVirtualMachine *vm)
+{
+    if (vm->priv->jsContextGroup)
+        return;
+
+    auto* jsContextGroup = JSContextGroupCreate();
+    jscVirtualMachineSetContextGroup(vm, jsContextGroup);
+    JSContextGroupRelease(jsContextGroup);
+}
+
+static void jscVirtualMachineDispose(GObject* object)
+{
+    JSCVirtualMachine* vm = JSC_VIRTUAL_MACHINE(object);
+    jscVirtualMachineSetContextGroup(vm, nullptr);
+
+    G_OBJECT_CLASS(jsc_virtual_machine_parent_class)->dispose(object);
+}
+
+static void jsc_virtual_machine_class_init(JSCVirtualMachineClass* klass)
+{
+    GObjectClass* objClass = G_OBJECT_CLASS(klass);
+    objClass->dispose = jscVirtualMachineDispose;
+}
+
+GRefPtr jscVirtualMachineGetOrCreate(JSContextGroupRef jsContextGroup)
+{
+    GRefPtr vm = wrapperMap().get(jsContextGroup);
+    if (!vm) {
+        vm = adoptGRef(jsc_virtual_machine_new());
+        jscVirtualMachineSetContextGroup(vm.get(), jsContextGroup);
+    }
+    return vm;
+}
+
+JSContextGroupRef jscVirtualMachineGetContextGroup(JSCVirtualMachine* vm)
+{
+    jscVirtualMachineEnsureContextGroup(vm);
+    return vm->priv->jsContextGroup;
+}
+
+void jscVirtualMachineAddContext(JSCVirtualMachine* vm, JSCContext* context)
+{
+    ASSERT(vm->priv->jsContextGroup);
+    auto jsContext = jscContextGetJSContext(context);
+    ASSERT(JSContextGetGroup(jsContext) == vm->priv->jsContextGroup);
+    ASSERT(!vm->priv->contextCache.contains(jsContext));
+    vm->priv->contextCache.set(jsContext, context);
+}
+
+void jscVirtualMachineRemoveContext(JSCVirtualMachine* vm, JSCContext* context)
+{
+    ASSERT(vm->priv->jsContextGroup);
+    auto jsContext = jscContextGetJSContext(context);
+    ASSERT(JSContextGetGroup(jsContext) == vm->priv->jsContextGroup);
+    ASSERT(vm->priv->contextCache.contains(jsContext));
+    vm->priv->contextCache.remove(jsContext);
+}
+
+JSCContext* jscVirtualMachineGetContext(JSCVirtualMachine* vm, JSGlobalContextRef jsContext)
+{
+    return vm->priv->contextCache.get(jsContext);
+}
+
+/**
+ * jsc_virtual_machine_new:
+ *
+ * Create a new #JSCVirtualMachine.
+ *
+ * Returns: (transfer full): the newly created #JSCVirtualMachine.
+ */
+JSCVirtualMachine* jsc_virtual_machine_new()
+{
+    return JSC_VIRTUAL_MACHINE(g_object_new(JSC_TYPE_VIRTUAL_MACHINE, nullptr));
+}
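Review bot: `jscVirtualMachineGetOrCreate` reads the global `wrapperMap()` in `wrapperMap().get(jsContextGroup)` without holding `wrapperCacheMutex`, while `addWrapper` and `removeWrapper` lock it around every mutation, so a `jscVirtualMachineDispose` running on another thread can rehash the map underneath this lookup. The minimal change scopes the lookup under the lock, `GRefPtr vm;` then `{ std::lock_guard lock(wrapperCacheMutex); vm = wrapperMap().get(jsContextGroup); }`, releasing it before `jscVirtualMachineSetContextGroup`, which reacquires the same lock inside `addWrapper`. That still leaves a lookup-then-insert window against `addWrapper`'s `ASSERT(!wrapperMap().contains(group))` if two threads create a wrapper for the same group at once; whether callers outside this page allow that is not visible here. Since the map stores raw `JSCVirtualMachine*` and `removeWrapper` runs only from dispose, the lookup can also hand back an object whose refcount has already reached zero, which the `GRefPtr` then re-refs; a comment stating why that is acceptable, or a guard in dispose, would help the next reader. The SECTION comment also misspells `exeution`.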
diff --git a/API/glib/JSCVirtualMachine.h b/API/glib/JSCVirtualMachine.h
new file mode 100644
index 0000000..083c6a9
--- /dev/null
+++ b/API/glib/JSCVirtualMachine.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCVirtualMachine_h
+#define JSCVirtualMachine_h
+
+#include 
+#include 
+#include 
+
+G_BEGIN_DECLS
+
+#define JSC_TYPE_VIRTUAL_MACHINE            (jsc_virtual_machine_get_type())
+#define JSC_VIRTUAL_MACHINE(obj)            (G_TYPE_CHECK_INSTANCE_CAST((obj), JSC_TYPE_VIRTUAL_MACHINE, JSCVirtualMachine))
+#define JSC_IS_VIRTUAL_MACHINE(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), JSC_TYPE_VIRTUAL_MACHINE))
+#define JSC_VIRTUAL_MACHINE_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST((klass),  JSC_TYPE_VIRTUAL_MACHINE, JSCVirtualMachineClass))
+#define JSC_IS_VIRTUAL_MACHINE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass),  JSC_TYPE_VIRTUAL_MACHINE))
+#define JSC_VIRTUAL_MACHINE_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS((obj),  JSC_TYPE_VIRTUAL_MACHINE, JSCVirtualMachineClass))
+
+typedef struct _JSCVirtualMachine JSCVirtualMachine;
+typedef struct _JSCVirtualMachineClass JSCVirtualMachineClass;
+typedef struct _JSCVirtualMachinePrivate JSCVirtualMachinePrivate;
+
+struct _JSCVirtualMachine {
+    GObject parent;
+
+    /*< private >*/
+    JSCVirtualMachinePrivate *priv;
+};
+
+struct _JSCVirtualMachineClass {
+    GObjectClass parent_class;
+
+    void (*_jsc_reserved0) (void);
+    void (*_jsc_reserved1) (void);
+    void (*_jsc_reserved2) (void);
+    void (*_jsc_reserved3) (void);
+};
+
+JSC_API GType
+jsc_virtual_machine_get_type (void);
+
+JSC_API JSCVirtualMachine *
+jsc_virtual_machine_new      (void);
+
+G_END_DECLS
+
+#endif /* JSCVirtualMachine_h */
diff --git a/API/glib/JSCVirtualMachinePrivate.h b/API/glib/JSCVirtualMachinePrivate.h
new file mode 100644
index 0000000..8fc9e70
--- /dev/null
+++ b/API/glib/JSCVirtualMachinePrivate.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#pragma once
+
+#include "JSCContext.h"
+#include "JSCVirtualMachine.h"
+#include 
+
+GRefPtr jscVirtualMachineGetOrCreate(JSContextGroupRef);
+JSContextGroupRef jscVirtualMachineGetContextGroup(JSCVirtualMachine*);
+void jscVirtualMachineAddContext(JSCVirtualMachine*, JSCContext*);
+void jscVirtualMachineRemoveContext(JSCVirtualMachine*, JSCContext*);
+JSCContext* jscVirtualMachineGetContext(JSCVirtualMachine*, JSGlobalContextRef);
diff --git a/API/glib/JSCWeakValue.cpp b/API/glib/JSCWeakValue.cpp
new file mode 100644
index 0000000..9897ee3
--- /dev/null
+++ b/API/glib/JSCWeakValue.cpp
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCWeakValue.h"
+
+#include "APICast.h"
+#include "JSCContextPrivate.h"
+#include "JSCInlines.h"
+#include "JSCValuePrivate.h"
+#include "JSWeakValue.h"
+#include "WeakHandleOwner.h"
+#include 
+#include 
+#include 
+
+/**
+ * SECTION: JSCWeakValue
+ * @short_description: JavaScript weak value
+ * @title: JSCWeakValue
+ * @see_also: JSCValue
+ *
+ * JSCWeakValue represents a weak reference to a value in a #JSCContext. It can be used
+ * to keep a reference to a JavaScript value without protecting it from being garbage
+ * collected and without referencing the #JSCContext either.
+ */
+
+enum {
+    PROP_0,
+
+    PROP_VALUE,
+};
+
+enum {
+    CLEARED,
+
+    LAST_SIGNAL
+};
+
+struct _JSCWeakValuePrivate {
+    JSC::Weak globalObject;
+    RefPtr lock;
+    JSC::JSWeakValue weakValueRef;
+};
+
+static guint signals[LAST_SIGNAL] = { 0, };
+
+WEBKIT_DEFINE_TYPE(JSCWeakValue, jsc_weak_value, G_TYPE_OBJECT)
+
+static void jscWeakValueClear(JSCWeakValue* weakValue)
+{
+    JSCWeakValuePrivate* priv = weakValue->priv;
+    priv->globalObject.clear();
+    priv->weakValueRef.clear();
+}
+
+class JSCWeakValueHandleOwner : public JSC::WeakHandleOwner {
+public:
+    void finalize(JSC::Handle, void* context) override
+    {
+        auto* weakValue = JSC_WEAK_VALUE(context);
+        jscWeakValueClear(weakValue);
+        g_signal_emit(weakValue, signals[CLEARED], 0, nullptr);
+    }
+};
+
+static JSCWeakValueHandleOwner& weakValueHandleOwner()
+{
+    static NeverDestroyed jscWeakValueHandleOwner;
+    return jscWeakValueHandleOwner;
+}
+
+static void jscWeakValueInitialize(JSCWeakValue* weakValue, JSCValue* value)
+{
+    JSCWeakValuePrivate* priv = weakValue->priv;
+    auto* jsContext = jscContextGetJSContext(jsc_value_get_context(value));
+    JSC::ExecState* exec = toJS(jsContext);
+    JSC::JSGlobalObject* globalObject = exec->lexicalGlobalObject();
+    auto& owner = weakValueHandleOwner();
+    JSC::Weak weak(globalObject, &owner, weakValue);
+    priv->globalObject.swap(weak);
+    priv->lock = &exec->vm().apiLock();
+
+    JSC::JSValue jsValue = toJS(exec, jscValueGetJSValue(value));
+    if (jsValue.isObject())
+        priv->weakValueRef.setObject(JSC::jsCast(jsValue.asCell()), owner, weakValue);
+    else if (jsValue.isString())
+        priv->weakValueRef.setString(JSC::jsCast(jsValue.asCell()), owner, weakValue);
+    else
+        priv->weakValueRef.setPrimitive(jsValue);
+}
+
+static void jscWeakValueSetProperty(GObject* object, guint propID, const GValue* value, GParamSpec* paramSpec)
+{
+    switch (propID) {
+    case PROP_VALUE:
+        jscWeakValueInitialize(JSC_WEAK_VALUE(object), JSC_VALUE(g_value_get_object(value)));
+        break;
+    default:
+        G_OBJECT_WARN_INVALID_PROPERTY_ID(object, propID, paramSpec);
+    }
+}
+
+static void jscWeakValueDispose(GObject* object)
+{
+    JSCWeakValue* weakValue = JSC_WEAK_VALUE(object);
+    jscWeakValueClear(weakValue);
+
+    G_OBJECT_CLASS(jsc_weak_value_parent_class)->dispose(object);
+}
+
+static void jsc_weak_value_class_init(JSCWeakValueClass* klass)
+{
+    GObjectClass* objClass = G_OBJECT_CLASS(klass);
+    objClass->set_property = jscWeakValueSetProperty;
+    objClass->dispose = jscWeakValueDispose;
+
+    /**
+     * JSCWeakValue:value:
+     *
+     * The #JSCValue referencing the JavaScript value.
+     */
+    g_object_class_install_property(objClass,
+        PROP_VALUE,
+        g_param_spec_object(
+            "value",
+            "JSCValue",
+            "JSC Value",
+            JSC_TYPE_VALUE,
+            static_cast(WEBKIT_PARAM_WRITABLE | G_PARAM_CONSTRUCT_ONLY)));
+
+    /**
+     * JSCWeakValue::cleared:
+     * @weak_value: the #JSCWeakValue
+     *
+     * This signal is emitted when the JavaScript value is destroyed.
+     */
+    signals[CLEARED] = g_signal_new(
+        "cleared",
+        G_TYPE_FROM_CLASS(klass),
+        G_SIGNAL_RUN_LAST,
+        0, nullptr, nullptr,
+        g_cclosure_marshal_generic,
+        G_TYPE_NONE, 0,
+        G_TYPE_NONE);
+}
+
+/**
+ * jsc_weak_value_new:
+ * @value: a #JSCValue
+ *
+ * Create a new #JSCWeakValue for the JavaScript value referenced by @value.
+ *
+ * Returns: (transfer full): a new #JSCWeakValue
+ */
+JSCWeakValue* jsc_weak_value_new(JSCValue* value)
+{
+    g_return_val_if_fail(JSC_IS_VALUE(value), nullptr);
+
+    return JSC_WEAK_VALUE(g_object_new(JSC_TYPE_WEAK_VALUE, "value", value, nullptr));
+}
+
+/**
+ * jsc_weak_value_get_value:
+ * @weak_value: a #JSCWeakValue
+ *
+ * Get a #JSCValue referencing the JavaScript value of @weak_value.
+ *
+ * Returns: (transfer full): a new #JSCValue or %NULL if @weak_value was cleared.
+ */
+JSCValue* jsc_weak_value_get_value(JSCWeakValue* weakValue)
+{
+    g_return_val_if_fail(JSC_IS_WEAK_VALUE(weakValue), nullptr);
+
+    JSCWeakValuePrivate* priv = weakValue->priv;
+    WTF::Locker locker(priv->lock.get());
+    JSC::VM* vm = priv->lock->vm();
+    if (!vm)
+        return nullptr;
+
+    JSC::JSLockHolder apiLocker(vm);
+    if (!priv->globalObject || priv->weakValueRef.isClear())
+        return nullptr;
+
+    JSC::JSValue value;
+    if (priv->weakValueRef.isPrimitive())
+        value = priv->weakValueRef.primitive();
+    else if (priv->weakValueRef.isString())
+        value = priv->weakValueRef.string();
+    else
+        value = priv->weakValueRef.object();
+
+    JSC::ExecState* exec = priv->globalObject->globalExec();
+    GRefPtr context = jscContextGetOrCreate(toGlobalRef(exec));
+    return jscContextGetOrCreateValue(context.get(), toRef(exec, value)).leakRef();
+}
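Review bot: `jscWeakValueDispose` calls `jscWeakValueClear`, which releases the `JSC::Weak` handle and the `JSWeakValue`, without taking `priv->lock` or a `JSC::JSLockHolder`, whereas `jsc_weak_value_get_value` acquires both before touching the same members; if the VM is still alive on another thread, that clear can run concurrently with a garbage collection. Mirroring the locking sequence already used by `jsc_weak_value_get_value` inside dispose closes that window, keeping a no-lock path for the case where `priv->lock` was never set or `priv->lock->vm()` is already null. If `priv->lock` can legitimately be null (the object was constructed without a usable `value`), `jsc_weak_value_get_value` also dereferences it unconditionally at `WTF::Locker locker(priv->lock.get())`, so a null check there would make the two paths consistent. I have taken the "VM gone means skip the JS lock" branch from the existing get path; whether clearing the handles is still safe after the VM is destroyed is not established by anything on this page. `JSCWeakValueHandleOwner::finalize` emits `cleared` from inside GC finalization, which is worth a comment since handlers run with the API lock held.
```cpp
static void jscWeakValueDispose(GObject* object)
{
    JSCWeakValue* weakValue = JSC_WEAK_VALUE(object);
    JSCWeakValuePrivate* priv = weakValue->priv;
    if (priv->lock) {
        // Same order as jsc_weak_value_get_value: API lock first, then the JS lock while the VM exists.
        WTF::Locker locker(priv->lock.get());
        if (JSC::VM* vm = priv->lock->vm()) {
            JSC::JSLockHolder apiLocker(vm);
            jscWeakValueClear(weakValue);
        } else
            jscWeakValueClear(weakValue);
    } else
        jscWeakValueClear(weakValue);

    // … unchanged: chain up to jsc_weak_value_parent_class dispose …
}
```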
diff --git a/API/glib/JSCWeakValue.h b/API/glib/JSCWeakValue.h
new file mode 100644
index 0000000..eec0589
--- /dev/null
+++ b/API/glib/JSCWeakValue.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#if !defined(__JSC_H_INSIDE__) && !defined(JSC_COMPILATION) && !defined(WEBKIT2_COMPILATION)
+#error "Only  can be included directly."
+#endif
+
+#ifndef JSCWeakValue_h
+#define JSCWeakValue_h
+
+#include 
+#include 
+#include 
+
+G_BEGIN_DECLS
+
+#define JSC_TYPE_WEAK_VALUE            (jsc_weak_value_get_type())
+#define JSC_WEAK_VALUE(obj)            (G_TYPE_CHECK_INSTANCE_CAST((obj), JSC_TYPE_WEAK_VALUE, JSCWeakValue))
+#define JSC_IS_WEAK_VALUE(obj)         (G_TYPE_CHECK_INSTANCE_TYPE((obj), JSC_TYPE_WEAK_VALUE))
+#define JSC_WEAK_VALUE_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST((klass),  JSC_TYPE_WEAK_VALUE, JSCWeakValueClass))
+#define JSC_IS_WEAK_VALUE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE((klass),  JSC_TYPE_WEAK_VALUE))
+#define JSC_WEAK_VALUE_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS((obj),  JSC_TYPE_WEAK_VALUE, JSCWeakValueClass))
+
+typedef struct _JSCWeakValue JSCWeakValue;
+typedef struct _JSCWeakValueClass JSCWeakValueClass;
+typedef struct _JSCWeakValuePrivate JSCWeakValuePrivate;
+
+struct _JSCWeakValue {
+    GObject parent;
+
+    /*< private >*/
+    JSCWeakValuePrivate *priv;
+};
+
+struct _JSCWeakValueClass {
+    GObjectClass parent_class;
+
+    void (*_jsc_reserved0) (void);
+    void (*_jsc_reserved1) (void);
+    void (*_jsc_reserved2) (void);
+    void (*_jsc_reserved3) (void);
+};
+
+JSC_API GType
+jsc_weak_value_get_type  (void);
+
+JSC_API JSCWeakValue *
+jsc_weak_value_new       (JSCValue     *value);
+
+JSC_API JSCValue *
+jsc_weak_value_get_value (JSCWeakValue *weak_value);
+
+G_END_DECLS
+
+#endif /* JSCWeakValue_h */
diff --git a/API/glib/JSCWrapperMap.cpp b/API/glib/JSCWrapperMap.cpp
new file mode 100644
index 0000000..11bb7c0
--- /dev/null
+++ b/API/glib/JSCWrapperMap.cpp
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#include "config.h"
+#include "JSCWrapperMap.h"
+
+#include "APICast.h"
+#include "JSAPIWrapperGlobalObject.h"
+#include "JSAPIWrapperObject.h"
+#include "JSCClassPrivate.h"
+#include "JSCContextPrivate.h"
+#include "JSCGLibWrapperObject.h"
+#include "JSCInlines.h"
+#include "JSCValuePrivate.h"
+#include "JSCallbackObject.h"
+
+namespace JSC {
+
+WrapperMap::WrapperMap(JSGlobalContextRef jsContext)
+    : m_cachedJSWrappers(std::make_unique>(toJS(jsContext)->vm()))
+{
+}
+
+WrapperMap::~WrapperMap()
+{
+    for (const auto& jscClass : m_classMap.values())
+        jscClassInvalidate(jscClass.get());
+}
+
+GRefPtr WrapperMap::gobjectWrapper(JSCContext* jscContext, JSValueRef jsValue)
+{
+    auto* jsContext = jscContextGetJSContext(jscContext);
+    JSC::JSLockHolder locker(toJS(jsContext));
+    ASSERT(toJSGlobalObject(jsContext)->wrapperMap() == this);
+    GRefPtr value = m_cachedGObjectWrappers.get(jsValue);
+    if (!value) {
+        value = adoptGRef(jscValueCreate(jscContext, jsValue));
+        m_cachedGObjectWrappers.set(jsValue, value.get());
+    }
+    return value;
+}
+
+void WrapperMap::unwrap(JSValueRef jsValue)
+{
+    ASSERT(m_cachedGObjectWrappers.contains(jsValue));
+    m_cachedGObjectWrappers.remove(jsValue);
+}
+
+void WrapperMap::registerClass(JSCClass* jscClass)
+{
+    auto* jsClass = jscClassGetJSClass(jscClass);
+    ASSERT(!m_classMap.contains(jsClass));
+    m_classMap.set(jsClass, jscClass);
+}
+
+JSCClass* WrapperMap::registeredClass(JSClassRef jsClass) const
+{
+    return m_classMap.get(jsClass);
+}
+
+JSObject* WrapperMap::createJSWrappper(JSGlobalContextRef jsContext, JSClassRef jsClass, JSValueRef prototype, gpointer wrappedObject, GDestroyNotify destroyFunction)
+{
+    ASSERT(toJSGlobalObject(jsContext)->wrapperMap() == this);
+    ExecState* exec = toJS(jsContext);
+    VM& vm = exec->vm();
+    JSLockHolder locker(vm);
+    auto* object = JSC::JSCallbackObject::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->glibWrapperObjectStructure(), jsClass, nullptr);
+    if (wrappedObject) {
+        object->setWrappedObject(new JSC::JSCGLibWrapperObject(wrappedObject, destroyFunction));
+        m_cachedJSWrappers->set(wrappedObject, object);
+    }
+    if (prototype)
+        JSObjectSetPrototype(jsContext, toRef(object), prototype);
+    else if (auto* jsPrototype = jsClass->prototype(exec))
+        object->setPrototypeDirect(vm, jsPrototype);
+    return object;
+}
+
+JSGlobalContextRef WrapperMap::createContextWithJSWrappper(JSContextGroupRef jsGroup, JSClassRef jsClass, JSValueRef prototype, gpointer wrappedObject, GDestroyNotify destroyFunction)
+{
+    Ref vm(*toJS(jsGroup));
+    JSLockHolder locker(vm.ptr());
+    auto* globalObject = JSCallbackObject::create(vm.get(), jsClass, JSCallbackObject::createStructure(vm.get(), nullptr, jsNull()));
+    if (wrappedObject) {
+        globalObject->setWrappedObject(new JSC::JSCGLibWrapperObject(wrappedObject, destroyFunction));
+        m_cachedJSWrappers->set(wrappedObject, globalObject);
+    }
+    ExecState* exec = globalObject->globalExec();
+    if (prototype)
+        globalObject->resetPrototype(vm.get(), toJS(exec, prototype));
+    else if (auto jsPrototype = jsClass->prototype(exec))
+        globalObject->resetPrototype(vm.get(), jsPrototype);
+    else
+        globalObject->resetPrototype(vm.get(), jsNull());
+
+    return JSGlobalContextRetain(toGlobalRef(exec));
+}
+
+JSObject* WrapperMap::jsWrapper(gpointer wrappedObject) const
+{
+    if (!wrappedObject)
+        return nullptr;
+    return m_cachedJSWrappers->get(wrappedObject);
+}
+
+gpointer WrapperMap::wrappedObject(JSGlobalContextRef jsContext, JSObjectRef jsObject) const
+{
+    ASSERT(toJSGlobalObject(jsContext)->wrapperMap() == this);
+    JSLockHolder locker(toJS(jsContext));
+    VM& vm = toJS(jsContext)->vm();
+    auto* object = toJS(jsObject);
+    if (object->inherits(vm, JSC::JSCallbackObject::info())) {
+        if (auto* wrapper = JSC::jsCast(object)->wrappedObject())
+            return static_cast(wrapper)->object();
+    }
+    if (object->inherits(vm, JSC::JSCallbackObject::info())) {
+        if (auto* wrapper = JSC::jsCast(object)->wrappedObject())
+            return wrapper->object();
+    }
+    return nullptr;
+}
+
+} // namespace JSC
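Review bot: `createJSWrappper` and `createContextWithJSWrappper` carry a triple-p misspelling in both definitions here and in their declarations in `API/glib/JSCWrapperMap.h`; since the symbols are introduced by this commit, renaming them now to `createJSWrapper` and `createContextWithJSWrapper` avoids baking the typo into the private API (their callers are outside this page and would need the same rename). Separately, both functions hand a raw `new JSC::JSCGLibWrapperObject(...)` to `setWrappedObject` with nothing on this page stating who deletes it; a one-line comment such as `// Ownership of the JSCGLibWrapperObject passes to the callback object.` next to each call would make the transfer explicit, assuming that is indeed the contract. In `wrappedObject` the two `inherits` checks read identically once template arguments are stripped by the page, so I cannot tell whether they really test different callback-object instantiations; a short comment naming each case would remove the doubt.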
diff --git a/API/glib/JSCWrapperMap.h b/API/glib/JSCWrapperMap.h
new file mode 100644
index 0000000..5292e14
--- /dev/null
+++ b/API/glib/JSCWrapperMap.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2018 Igalia S.L.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Library General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public License
+ * along with this library; see the file COPYING.LIB.  If not, write to
+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301, USA.
+ */
+
+#pragma once
+
+#include "JSBase.h"
+#include "VM.h"
+#include "WeakGCMap.h"
+#include 
+#include 
+#include 
+#include 
+
+typedef struct _JSCClass JSCClass;
+typedef struct _JSCContext JSCContext;
+typedef struct _JSCValue JSCValue;
+
+namespace JSC {
+
+class JSObject;
+
+class WrapperMap {
+    WTF_MAKE_FAST_ALLOCATED;
+public:
+    explicit WrapperMap(JSGlobalContextRef);
+    ~WrapperMap();
+
+    GRefPtr gobjectWrapper(JSCContext*, JSValueRef);
+    void unwrap(JSValueRef);
+
+    void registerClass(JSCClass*);
+    JSCClass* registeredClass(JSClassRef) const;
+
+    JSObject* createJSWrappper(JSGlobalContextRef, JSClassRef, JSValueRef prototype, gpointer, GDestroyNotify);
+    JSGlobalContextRef createContextWithJSWrappper(JSContextGroupRef, JSClassRef, JSValueRef prototype, gpointer, GDestroyNotify);
+    JSObject* jsWrapper(gpointer wrappedObject) const;
+    gpointer wrappedObject(JSGlobalContextRef, JSObjectRef) const;
+
+private:
+    HashMap m_cachedGObjectWrappers;
+    std::unique_ptr> m_cachedJSWrappers;
+    HashMap> m_classMap;
+};
+
+} // namespace JSC
diff --git a/API/glib/docs/jsc-glib-4.0-sections.txt b/API/glib/docs/jsc-glib-4.0-sections.txt
new file mode 100644
index 0000000..3ae2225
--- /dev/null
+++ b/API/glib/docs/jsc-glib-4.0-sections.txt
@@ -0,0 +1,256 @@
+
+JSCVirtualMachine
+JSCVirtualMachine
+JSCVirtualMachine
+jsc_virtual_machine_new
+
+
+JSCVirtualMachineClass
+JSC_TYPE_VIRTUAL_MACHINE
+JSC_VIRTUAL_MACHINE
+JSC_IS_VIRTUAL_MACHINE
+JSC_VIRTUAL_MACHINE_CLASS
+JSC_IS_VIRTUAL_MACHINE_CLASS
+JSC_VIRTUAL_MACHINE_GET_CLASS
+
+
+JSCVirtualMachinePrivate
+jsc_virtual_machine_get_type
+JSC_API
+JSC_DEPRECATED
+JSC_DEPRECATED_FOR
+
+
+
+JSCContext
+JSCContext
+JSCContext
+JSCExceptionHandler
+JSCCheckSyntaxMode
+JSCCheckSyntaxResult
+jsc_context_new
+jsc_context_new_with_virtual_machine
+jsc_context_get_virtual_machine
+jsc_context_get_exception
+jsc_context_throw
+jsc_context_throw_printf
+jsc_context_throw_with_name
+jsc_context_throw_with_name_printf
+jsc_context_throw_exception
+jsc_context_clear_exception
+jsc_context_push_exception_handler
+jsc_context_pop_exception_handler
+jsc_context_get_current
+jsc_context_evaluate
+jsc_context_evaluate_with_source_uri
+jsc_context_evaluate_in_object
+jsc_context_check_syntax
+jsc_context_get_global_object
+jsc_context_set_value
+jsc_context_get_value
+jsc_context_register_class
+
+
+JSCContextClass
+JSC_TYPE_CONTEXT
+JSC_CONTEXT
+JSC_IS_CONTEXT
+JSC_CONTEXT_CLASS
+JSC_IS_CONTEXT_CLASS
+JSC_CONTEXT_GET_CLASS
+
+
+JSCContextPrivate
+jsc_context_get_type
+
+
+
+JSCValue
+JSCValue
+JSCValue
+JSCValuePropertyFlags
+jsc_value_get_context
+jsc_value_new_undefined
+jsc_value_is_undefined
+jsc_value_new_null
+jsc_value_is_null
+jsc_value_new_number
+jsc_value_is_number
+jsc_value_to_double
+jsc_value_to_int32
+jsc_value_new_boolean
+jsc_value_is_boolean
+jsc_value_to_boolean
+jsc_value_new_string
+jsc_value_new_string_from_bytes
+jsc_value_is_string
+jsc_value_to_string
+jsc_value_to_string_as_bytes
+jsc_value_new_array
+jsc_value_new_array_from_garray
+jsc_value_new_array_from_strv
+jsc_value_is_array
+jsc_value_new_object
+jsc_value_is_object
+jsc_value_object_is_instance_of
+jsc_value_object_set_property
+jsc_value_object_get_property
+jsc_value_object_set_property_at_index
+jsc_value_object_get_property_at_index
+jsc_value_object_has_property
+jsc_value_object_delete_property
+jsc_value_object_enumerate_properties
+jsc_value_object_invoke_method
+jsc_value_object_invoke_methodv
+jsc_value_object_define_property_data
+jsc_value_object_define_property_accessor
+jsc_value_new_function
+jsc_value_new_functionv
+jsc_value_new_function_variadic
+jsc_value_is_function
+jsc_value_function_call
+jsc_value_function_callv
+jsc_value_is_constructor
+jsc_value_constructor_call
+jsc_value_constructor_callv
+
+
+JSCValueClass
+JSC_TYPE_VALUE
+JSC_VALUE
+JSC_IS_VALUE
+JSC_VALUE_CLASS
+JSC_IS_VALUE_CLASS
+JSC_VALUE_GET_CLASS
+
+
+JSCValuePrivate
+jsc_value_get_type
+
+
+
+JSCWeakValue
+JSCWeakValue
+JSCWeakValue
+jsc_weak_value_new
+jsc_weak_value_get_value
+
+
+JSCWeakValueClass
+JSC_TYPE_WEAK_VALUE
+JSC_WEAK_VALUE
+JSC_IS_WEAK_VALUE
+JSC_WEAK_VALUE_CLASS
+JSC_IS_WEAK_VALUE_CLASS
+JSC_WEAK_VALUE_GET_CLASS
+
+
+JSCWeakValuePrivate
+jsc_weak_value_get_type
+
+
+
+JSCException
+JSCException
+JSCException
+jsc_exception_new
+jsc_exception_new_printf
+jsc_exception_new_vprintf
+jsc_exception_new_with_name
+jsc_exception_new_with_name_printf
+jsc_exception_new_with_name_vprintf
+jsc_exception_get_name
+jsc_exception_get_message
+jsc_exception_get_line_number
+jsc_exception_get_column_number
+jsc_exception_get_source_uri
+jsc_exception_get_backtrace_string
+jsc_exception_to_string
+jsc_exception_report
+
+
+JSCExceptionClass
+JSC_TYPE_EXCEPTION
+JSC_EXCEPTION
+JSC_IS_EXCEPTION
+JSC_EXCEPTION_CLASS
+JSC_IS_EXCEPTION_CLASS
+JSC_EXCEPTION_GET_CLASS
+
+
+JSCExceptionPrivate
+jsc_exception_get_type
+
+
+
+JSCClass
+JSCClass
+JSCClass
+JSCClassGetPropertyFunction
+JSCClassSetPropertyFunction
+JSCClassHasPropertyFunction
+JSCClassDeletePropertyFunction
+JSCClassEnumeratePropertiesFunction
+JSCClassVTable
+jsc_class_get_name
+jsc_class_get_parent
+jsc_class_add_constructor
+jsc_class_add_constructorv
+jsc_class_add_constructor_variadic
+jsc_class_add_method
+jsc_class_add_methodv
+jsc_class_add_method_variadic
+jsc_class_add_property
+
+
+JSC_TYPE_CLASS
+JSC_CLASS
+JSC_IS_CLASS
+
+
+jsc_class_get_type
+
+
+
+JSCOptions
+JSCOptions
+jsc_options_set_boolean
+jsc_options_get_boolean
+jsc_options_set_int
+jsc_options_get_int
+jsc_options_set_uint
+jsc_options_get_uint
+jsc_options_set_size
+jsc_options_get_size
+jsc_options_set_double
+jsc_options_get_double
+jsc_options_set_string
+jsc_options_get_string
+jsc_options_set_range_string
+jsc_options_get_range_string
+
+JSCOptionType
+JSCOptionsFunc
+jsc_options_foreach
+
+jsc_options_get_option_group
+
+JSC_OPTIONS_USE_JIT
+JSC_OPTIONS_USE_DFG
+JSC_OPTIONS_USE_FTL
+JSC_OPTIONS_USE_LLINT
+
+
+
+JSCVersion
+JSCVersion
+jsc_get_major_version
+jsc_get_minor_version
+jsc_get_micro_version
+
+
+JSC_MAJOR_VERSION
+JSC_MINOR_VERSION
+JSC_MICRO_VERSION
+JSC_CHECK_VERSION
+
diff --git a/API/glib/docs/jsc-glib-4.0.types b/API/glib/docs/jsc-glib-4.0.types new file mode 100644 index 0000000..c80a76f --- /dev/null +++ b/API/glib/docs/jsc-glib-4.0.types @@ -0,0 +1,6 @@ +#include +jsc_virtual_machine_get_type +jsc_context_get_type +jsc_value_get_type +jsc_exception_get_type +jsc_class_get_type diff --git a/API/glib/docs/jsc-glib-docs.sgml b/API/glib/docs/jsc-glib-docs.sgml new file mode 100644 index 0000000..1c2db5c --- /dev/null +++ b/API/glib/docs/jsc-glib-docs.sgml @@ -0,0 +1,34 @@ + + +]> + + + JavaScriptCore GLib Reference Manual + for JavaScriptCore &version; + + + + Class Overview + + + + + + + + + + + + Index + + + + Index of new symbols in 2.24 + + + + + diff --git a/API/glib/jsc.h b/API/glib/jsc.h new file mode 100644 index 0000000..11537f9 --- /dev/null +++ b/API/glib/jsc.h @@ -0,0 +1,39 @@ +/* + * Copyright (C) 2018 Igalia S.L. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Library General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library General Public License for more details. + * + * You should have received a copy of the GNU Library General Public License + * along with this library; see the file COPYING.LIB. If not, write to + * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + * Boston, MA 02110-1301, USA. + */ + +#ifndef __JSC_H__ +#define __JSC_H__ + +#define __JSC_H_INSIDE__ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#undef __JSC_H_INSIDE__ + +#endif /* __JSC_H__ */ 
diff --git a/API/tests/CompareAndSwapTest.h b/API/tests/CompareAndSwapTest.h index 4a1fc59..e54a035 100644 --- a/API/tests/CompareAndSwapTest.h +++ b/API/tests/CompareAndSwapTest.h @@ -30,7 +30,7 @@ extern "C" { #endif /* Regression test for webkit.org/b/142513 */ -void testCompareAndSwap(); +void testCompareAndSwap(void); #ifdef __cplusplus } /* extern "C" */ diff --git a/API/tests/CurrentThisInsideBlockGetterTest.mm b/API/tests/CurrentThisInsideBlockGetterTest.mm index 5ec5420..bd7e8a6 100644 --- a/API/tests/CurrentThisInsideBlockGetterTest.mm +++ b/API/tests/CurrentThisInsideBlockGetterTest.mm @@ -23,6 +23,7 @@ * THE POSSIBILITY OF SUCH DAMAGE. */ +#include "config.h" #include "CurrentThisInsideBlockGetterTest.h" #if JSC_OBJC_API_ENABLED @@ -82,7 +83,7 @@ static JSClassRef ConstructorClass(void) { NSMutableDictionary *privateProperties = [@{ @"constructorDescriptor" : constructorDescriptor } mutableCopy]; JSGlobalContextRef ctx = [context JSGlobalContextRef]; - JSObjectRef constructorRef = JSObjectMake(ctx, ConstructorClass(), (void *)CFBridgingRetain(privateProperties)); + JSObjectRef constructorRef = JSObjectMake(ctx, ConstructorClass(), const_cast(CFBridgingRetain(privateProperties))); JSValue *constructor = [JSValue valueWithJSValueRef:constructorRef inContext:context]; return constructor; } diff --git a/API/tests/CustomGlobalObjectClassTest.c b/API/tests/CustomGlobalObjectClassTest.c index 976a881..82d2dc1 100644 --- a/API/tests/CustomGlobalObjectClassTest.c +++ b/API/tests/CustomGlobalObjectClassTest.c @@ -23,6 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "config.h" #include "CustomGlobalObjectClassTest.h" #include @@ -100,6 +101,8 @@ void customGlobalObjectClassTest() JSStringRelease(script); assertTrue(executedCallback, "Executed custom global object callback"); + + JSGlobalContextRelease(globalContext); } void globalObjectSetPrototypeTest() 
@@ -110,19 +113,12 @@ void globalObjectSetPrototypeTest() JSGlobalContextRef context = JSGlobalContextCreate(global); JSObjectRef object = JSContextGetGlobalObject(context); + JSValueRef originalPrototype = JSObjectGetPrototype(context, object); JSObjectRef above = JSObjectMake(context, 0, 0); - JSStringRef test = JSStringCreateWithUTF8CString("test"); - JSValueRef value = JSValueMakeString(context, test); - JSObjectSetProperty(context, above, test, value, kJSPropertyAttributeDontEnum, 0); - JSObjectSetPrototype(context, object, above); - JSStringRef script = JSStringCreateWithUTF8CString("test === \"test\""); - JSValueRef result = JSEvaluateScript(context, script, 0, 0, 0, 0); - - assertTrue(JSValueToBoolean(context, result), "test === \"test\""); - - JSStringRelease(test); - JSStringRelease(script); + JSValueRef prototypeAfterChangingAttempt = JSObjectGetPrototype(context, object); + assertTrue(JSValueIsStrictEqual(context, prototypeAfterChangingAttempt, originalPrototype), "Global object's [[Prototype]] cannot be changed after instantiating it"); + JSGlobalContextRelease(context); } void globalObjectPrivatePropertyTest() @@ -144,4 +140,5 @@ void globalObjectPrivatePropertyTest() assertTrue(JSValueIsNull(context, result), "Deleted private property is indeed no longer present"); JSStringRelease(privateName); + JSGlobalContextRelease(context); } diff --git a/API/tests/DateTests.mm b/API/tests/DateTests.mm index 2bda3ad..6652177 100644 --- a/API/tests/DateTests.mm +++ b/API/tests/DateTests.mm @@ -23,6 +23,7 @@ * THE POSSIBILITY OF SUCH DAMAGE. */ +#import "config.h" #import "DateTests.h" #import diff --git a/API/tests/ExecutionTimeLimitTest.cpp b/API/tests/ExecutionTimeLimitTest.cpp index 73f324d..9c86700 100644 --- a/API/tests/ExecutionTimeLimitTest.cpp +++ b/API/tests/ExecutionTimeLimitTest.cpp 
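Review bot: The rewritten `globalObjectSetPrototypeTest` asserts only that `JSObjectGetPrototype` still returns `originalPrototype` after the `JSObjectSetPrototype(context, object, above)` attempt; it no longer exercises property resolution, which is what an immutable global [[Prototype]] actually guards. Keeping a property on `above` and asserting it stays invisible through the global object would cover that path in the same test: `JSStringRef test = JSStringCreateWithUTF8CString("test"); JSObjectSetProperty(context, above, test, JSValueMakeString(context, test), kJSPropertyAttributeDontEnum, 0);` before the attempt, and `assertTrue(!JSObjectHasProperty(context, object, test), "Prototype swap attempt must not expose properties of the rejected object");` after it (with the matching `JSStringRelease(test)`). The function begins before the hunk, so whether the `global` class passed to `JSGlobalContextCreate` is released alongside the new `JSGlobalContextRelease(context)` cannot be seen here.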
@@ -31,18 +31,17 @@ #include "JavaScript.h" #include "Options.h" -#include #include +#include #include -#include #include +#include #include #if HAVE(MACH_EXCEPTIONS) #include #endif -using namespace std::chrono; using JSC::Options; static JSGlobalContextRef context = nullptr; @@ -56,7 +55,7 @@ static JSValueRef currentCPUTimeAsJSFunctionCallback(JSContextRef ctx, JSObjectR UNUSED_PARAM(exception); ASSERT(JSContextGetGlobalContext(ctx) == context); - return JSValueMakeNumber(ctx, currentCPUTime().count() / 1000000.); + return JSValueMakeNumber(ctx, CPUTime::forCurrentThread().seconds()); } bool shouldTerminateCallbackWasCalled = false; @@ -96,7 +95,7 @@ static bool dispatchTermitateCallback(JSContextRef, void*) struct TierOptions { const char* tier; - unsigned timeLimitAdjustmentMillis; + Seconds timeLimitAdjustment; const char* optionsStr; }; @@ -107,6 +106,7 @@ static void testResetAfterTimeout(bool& failed) const char* reentryScript = "100"; JSStringRef script = JSStringCreateWithUTF8CString(reentryScript); v = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + JSStringRelease(script); if (exception) { printf("FAIL: Watchdog timeout was not reset.\n"); failed = true; 
@@ -119,10 +119,10 @@ static void testResetAfterTimeout(bool& failed) int testExecutionTimeLimit() { static const TierOptions tierOptionsList[] = { - { "LLINT", 0, "--useConcurrentJIT=false --useLLInt=true --useJIT=false" }, - { "Baseline", 0, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=false" }, - { "DFG", 200, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=true --useFTLJIT=false" }, - { "FTL", 500, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=true --useFTLJIT=true" }, + { "LLINT", 0_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=false" }, + { "Baseline", 0_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=false" }, + { "DFG", 200_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=true --useFTLJIT=false" }, + { "FTL", 500_ms, "--useConcurrentJIT=false --useLLInt=true --useJIT=true --useDFGJIT=true --useFTLJIT=true" }, }; bool failed = false; @@ -136,8 +136,8 @@ int testExecutionTimeLimit() Options::setOptions(tierOptions.optionsStr); - unsigned tierAdjustmentMillis = tierOptions.timeLimitAdjustmentMillis; - double timeLimit; + Seconds tierAdjustment = tierOptions.timeLimitAdjustment; + Seconds timeLimit; context = JSGlobalContextCreateInGroup(nullptr, nullptr); @@ -153,10 +153,10 @@ int testExecutionTimeLimit() JSStringRelease(currentCPUTimeStr); /* Test script on another thread: */ - timeLimit = (100 + tierAdjustmentMillis) / 1000.0; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, shouldTerminateCallback, 0); + timeLimit = 100_ms + tierAdjustment; + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0); { - unsigned timeAfterWatchdogShouldHaveFired = 300 + tierAdjustmentMillis; + Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; JSStringRef script = JSStringCreateWithUTF8CString("function foo() { while (true) { } } foo();"); exception = nullptr; 
@@ -166,7 +166,7 @@ int testExecutionTimeLimit()
 JSEvaluateScript(context, script, nullptr, nullptr, 1, exn);
 });
- sleep(Seconds(timeAfterWatchdogShouldHaveFired / 1000.0));
+ sleep(timeAfterWatchdogShouldHaveFired);
 if (shouldTerminateCallbackWasCalled)
 printf("PASS: %s script timed out as expected.\n", tierOptions.tier);
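Review bot: `sleep(timeAfterWatchdogShouldHaveFired)` waits wall-clock time, while the budget set through `JSContextGroupSetExecutionTimeLimit` appears to be CPU time of the evaluating thread, judging by the `CPUTime::forCurrentThread()` deltas this commit compares against the same `Seconds` values in the other sub-tests. On a loaded machine the worker may receive less than 100 ms of CPU within 300 ms of wall time, and the `shouldTerminateCallbackWasCalled` check that follows then fails without anything being wrong with the watchdog. Stating the assumption at the call would make such a failure easier to triage: `// Wall-clock wait: assumes the worker thread gets at least timeLimit of CPU within this window.` The enclosing block of `testExecutionTimeLimit` starts and ends outside the hunk.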
@@ -182,30 +182,33 @@ int testExecutionTimeLimit() thread->waitForCompletion(); testResetAfterTimeout(failed); + + JSStringRelease(script); } /* Test script timeout: */ - timeLimit = (100 + tierAdjustmentMillis) / 1000.0; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, shouldTerminateCallback, 0); + timeLimit = 100_ms + tierAdjustment; + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0); { - unsigned timeAfterWatchdogShouldHaveFired = 300 + tierAdjustmentMillis; + Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; StringBuilder scriptBuilder; scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendNumber(timeAfterWatchdogShouldHaveFired / 1000.0); + scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); scriptBuilder.appendLiteral(") break; } } foo();"); JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; - auto startTime = currentCPUTime(); + auto startTime = CPUTime::forCurrentThread(); JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); - auto endTime = currentCPUTime(); + auto endTime = CPUTime::forCurrentThread(); + JSStringRelease(script); - if (((endTime - startTime) < milliseconds(timeAfterWatchdogShouldHaveFired)) && shouldTerminateCallbackWasCalled) + if (((endTime - startTime) < timeAfterWatchdogShouldHaveFired) && shouldTerminateCallbackWasCalled) printf("PASS: %s script timed out as expected.\n", tierOptions.tier); else { - if ((endTime - startTime) >= milliseconds(timeAfterWatchdogShouldHaveFired)) + if ((endTime - startTime) >= timeAfterWatchdogShouldHaveFired) printf("FAIL: %s script did not time out as expected.\n", tierOptions.tier); if (!shouldTerminateCallbackWasCalled) printf("FAIL: %s 
script timeout callback was not called.\n", tierOptions.tier);
@@ -221,10 +224,10 @@ int testExecutionTimeLimit()
 }
 /* Test script timeout with tail calls: */
- timeLimit = (100 + tierAdjustmentMillis) / 1000.0;
- JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, shouldTerminateCallback, 0);
+ timeLimit = 100_ms + tierAdjustment;
+ JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0);
 {
- unsigned timeAfterWatchdogShouldHaveFired = 300 + tierAdjustmentMillis;
+ Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment;
 StringBuilder scriptBuilder;
 scriptBuilder.appendLiteral("var startTime = currentCPUTime();"
@@ -232,7 +235,7 @@ int testExecutionTimeLimit()
 "'use strict';"
 "if (i % 1000 === 0) {"
 "if (currentCPUTime() - startTime >");
- scriptBuilder.appendNumber(timeAfterWatchdogShouldHaveFired / 1000.0);
+ scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds());
 scriptBuilder.appendLiteral(" ) { return; }");
 scriptBuilder.appendLiteral(" }");
 scriptBuilder.appendLiteral(" return recurse(i + 1); }");
@@ -241,14 +244,15 @@ int testExecutionTimeLimit() JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; - auto startTime = currentCPUTime(); + auto startTime = CPUTime::forCurrentThread(); JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); - auto endTime = currentCPUTime(); + auto endTime = CPUTime::forCurrentThread(); + JSStringRelease(script); - if (((endTime - startTime) < milliseconds(timeAfterWatchdogShouldHaveFired)) && shouldTerminateCallbackWasCalled) + if (((endTime - startTime) < timeAfterWatchdogShouldHaveFired) && shouldTerminateCallbackWasCalled) printf("PASS: %s script with infinite tail calls timed out as expected .\n", tierOptions.tier); else { - if ((endTime - startTime) >= milliseconds(timeAfterWatchdogShouldHaveFired)) + if ((endTime - startTime) >= timeAfterWatchdogShouldHaveFired) printf("FAIL: %s script with infinite tail calls did not time out as expected.\n", tierOptions.tier); if (!shouldTerminateCallbackWasCalled) printf("FAIL: %s script with infinite tail calls' timeout callback was not called.\n", tierOptions.tier); 
@@ -264,26 +268,28 @@ int testExecutionTimeLimit() } /* Test the script timeout's TerminatedExecutionException should NOT be catchable: */ - timeLimit = (100 + tierAdjustmentMillis) / 1000.0; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, shouldTerminateCallback, 0); + timeLimit = 100_ms + tierAdjustment; + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), shouldTerminateCallback, 0); { - unsigned timeAfterWatchdogShouldHaveFired = 300 + tierAdjustmentMillis; + Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; StringBuilder scriptBuilder; scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); try { while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendNumber(timeAfterWatchdogShouldHaveFired / 1000.0); + scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); scriptBuilder.appendLiteral(") break; } } catch(e) { } } foo();"); JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; - auto startTime = currentCPUTime(); + auto startTime = CPUTime::forCurrentThread(); JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); - auto endTime = currentCPUTime(); + auto endTime = CPUTime::forCurrentThread(); - if (((endTime - startTime) >= milliseconds(timeAfterWatchdogShouldHaveFired)) || !shouldTerminateCallbackWasCalled) { - if (!((endTime - startTime) < milliseconds(timeAfterWatchdogShouldHaveFired))) + JSStringRelease(script); + + if (((endTime - startTime) >= timeAfterWatchdogShouldHaveFired) || !shouldTerminateCallbackWasCalled) { + if (!((endTime - startTime) < timeAfterWatchdogShouldHaveFired)) printf("FAIL: %s script did not time out as expected.\n", tierOptions.tier); if (!shouldTerminateCallbackWasCalled) printf("FAIL: %s script timeout callback was not called.\n", tierOptions.tier); 
@@ -301,28 +307,30 @@ int testExecutionTimeLimit() } /* Test script timeout with no callback: */ - timeLimit = (100 + tierAdjustmentMillis) / 1000.0; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, 0, 0); + timeLimit = 100_ms + tierAdjustment; + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), 0, 0); { - unsigned timeAfterWatchdogShouldHaveFired = 300 + tierAdjustmentMillis; + Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; StringBuilder scriptBuilder; scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendNumber(timeAfterWatchdogShouldHaveFired / 1000.0); + scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); scriptBuilder.appendLiteral(") break; } } foo();"); JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); exception = nullptr; shouldTerminateCallbackWasCalled = false; - auto startTime = currentCPUTime(); + auto startTime = CPUTime::forCurrentThread(); JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); - auto endTime = currentCPUTime(); + auto endTime = CPUTime::forCurrentThread(); - if (((endTime - startTime) < milliseconds(timeAfterWatchdogShouldHaveFired)) && !shouldTerminateCallbackWasCalled) + JSStringRelease(script); + + if (((endTime - startTime) < timeAfterWatchdogShouldHaveFired) && !shouldTerminateCallbackWasCalled) printf("PASS: %s script timed out as expected when no callback is specified.\n", tierOptions.tier); else { - if ((endTime - startTime) >= milliseconds(timeAfterWatchdogShouldHaveFired)) + if ((endTime - startTime) >= timeAfterWatchdogShouldHaveFired) printf("FAIL: %s script did not time out as expected when no callback is specified.\n", tierOptions.tier); else printf("FAIL: %s script called stale callback function.\n", tierOptions.tier); 
@@ -338,28 +346,30 @@ int testExecutionTimeLimit() } /* Test script timeout cancellation: */ - timeLimit = (100 + tierAdjustmentMillis) / 1000.0; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, cancelTerminateCallback, 0); + timeLimit = 100_ms + tierAdjustment; + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), cancelTerminateCallback, 0); { - unsigned timeAfterWatchdogShouldHaveFired = 300 + tierAdjustmentMillis; + Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; StringBuilder scriptBuilder; scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendNumber(timeAfterWatchdogShouldHaveFired / 1000.0); + scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); scriptBuilder.appendLiteral(") break; } } foo();"); JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); exception = nullptr; cancelTerminateCallbackWasCalled = false; - auto startTime = currentCPUTime(); + auto startTime = CPUTime::forCurrentThread(); JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); - auto endTime = currentCPUTime(); + auto endTime = CPUTime::forCurrentThread(); - if (((endTime - startTime) >= milliseconds(timeAfterWatchdogShouldHaveFired)) && cancelTerminateCallbackWasCalled && !exception) + JSStringRelease(script); + + if (((endTime - startTime) >= timeAfterWatchdogShouldHaveFired) && cancelTerminateCallbackWasCalled && !exception) printf("PASS: %s script timeout was cancelled as expected.\n", tierOptions.tier); else { - if (((endTime - startTime) < milliseconds(timeAfterWatchdogShouldHaveFired)) || exception) + if (((endTime - startTime) < timeAfterWatchdogShouldHaveFired) || exception) printf("FAIL: %s script timeout was not cancelled.\n", tierOptions.tier); if (!cancelTerminateCallbackWasCalled) printf("FAIL: %s script 
timeout callback was not called.\n", tierOptions.tier); 
@@ -373,33 +383,35 @@ int testExecutionTimeLimit() } /* Test script timeout extension: */ - timeLimit = (100 + tierAdjustmentMillis) / 1000.0; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, extendTerminateCallback, 0); + timeLimit = 100_ms + tierAdjustment; + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), extendTerminateCallback, 0); { - unsigned timeBeforeExtendedDeadline = 250 + tierAdjustmentMillis; - unsigned timeAfterExtendedDeadline = 600 + tierAdjustmentMillis; - unsigned maxBusyLoopTime = 750 + tierAdjustmentMillis; + Seconds timeBeforeExtendedDeadline = 250_ms + tierAdjustment; + Seconds timeAfterExtendedDeadline = 600_ms + tierAdjustment; + Seconds maxBusyLoopTime = 750_ms + tierAdjustment; StringBuilder scriptBuilder; scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendNumber(maxBusyLoopTime / 1000.0); // in seconds. + scriptBuilder.appendFixedPrecisionNumber(maxBusyLoopTime.seconds()); // in seconds. 
scriptBuilder.appendLiteral(") break; } } foo();"); JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); exception = nullptr; extendTerminateCallbackCalled = 0; - auto startTime = currentCPUTime(); + auto startTime = CPUTime::forCurrentThread(); JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); - auto endTime = currentCPUTime(); + auto endTime = CPUTime::forCurrentThread(); auto deltaTime = endTime - startTime; - if ((deltaTime >= milliseconds(timeBeforeExtendedDeadline)) && (deltaTime < milliseconds(timeAfterExtendedDeadline)) && (extendTerminateCallbackCalled == 2) && exception) + JSStringRelease(script); + + if ((deltaTime >= timeBeforeExtendedDeadline) && (deltaTime < timeAfterExtendedDeadline) && (extendTerminateCallbackCalled == 2) && exception) printf("PASS: %s script timeout was extended as expected.\n", tierOptions.tier); else { - if (deltaTime < milliseconds(timeBeforeExtendedDeadline)) + if (deltaTime < timeBeforeExtendedDeadline) printf("FAIL: %s script timeout was not extended as expected.\n", tierOptions.tier); - else if (deltaTime >= milliseconds(timeAfterExtendedDeadline)) + else if (deltaTime >= timeAfterExtendedDeadline) printf("FAIL: %s script did not timeout.\n", tierOptions.tier); if (extendTerminateCallbackCalled < 1) 
@@ -416,14 +428,14 @@ int testExecutionTimeLimit() #if HAVE(MACH_EXCEPTIONS) /* Test script timeout from dispatch queue: */ - timeLimit = (100 + tierAdjustmentMillis) / 1000.0; - JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit, dispatchTermitateCallback, 0); + timeLimit = 100_ms + tierAdjustment; + JSContextGroupSetExecutionTimeLimit(contextGroup, timeLimit.seconds(), dispatchTermitateCallback, 0); { - unsigned timeAfterWatchdogShouldHaveFired = 300 + tierAdjustmentMillis; + Seconds timeAfterWatchdogShouldHaveFired = 300_ms + tierAdjustment; StringBuilder scriptBuilder; scriptBuilder.appendLiteral("function foo() { var startTime = currentCPUTime(); while (true) { for (var i = 0; i < 1000; i++); if (currentCPUTime() - startTime > "); - scriptBuilder.appendNumber(timeAfterWatchdogShouldHaveFired / 1000.0); + scriptBuilder.appendFixedPrecisionNumber(timeAfterWatchdogShouldHaveFired.seconds()); scriptBuilder.appendLiteral(") break; } } foo();"); JSStringRef script = JSStringCreateWithUTF8CString(scriptBuilder.toString().utf8().data()); @@ -442,17 +454,17 @@ int testExecutionTimeLimit() bool didSynchronize = false; bool& didSynchronizeRef = didSynchronize; - std::chrono::microseconds startTime; - std::chrono::microseconds endTime; + Seconds startTime; + Seconds endTime; - std::chrono::microseconds& startTimeRef = startTime; - std::chrono::microseconds& endTimeRef = endTime; + Seconds& startTimeRef = startTime; + Seconds& endTimeRef = endTime; dispatch_group_t group = dispatch_group_create(); dispatch_group_async(group, dispatch_get_global_queue(0, 0), ^{ - startTimeRef = currentCPUTime(); + startTimeRef = CPUTime::forCurrentThread(); JSEvaluateScript(contextRef, scriptRef, nullptr, nullptr, 1, &exceptionRef); - endTimeRef = currentCPUTime(); + endTimeRef = CPUTime::forCurrentThread(); auto locker = WTF::holdLock(syncLockRef); didSynchronizeRef = true; synchronizeRef.notifyAll(); 
@@ -461,15 +473,17 @@ int testExecutionTimeLimit()
 auto locker = holdLock(syncLock);
 synchronize.wait(syncLock, [&] { return didSynchronize; });
- if (((endTime - startTime) < milliseconds(timeAfterWatchdogShouldHaveFired)) && dispatchTerminateCallbackCalled)
+ if (((endTime - startTime) < timeAfterWatchdogShouldHaveFired) && dispatchTerminateCallbackCalled)
 printf("PASS: %s script on dispatch queue timed out as expected.\n", tierOptions.tier);
 else {
- if ((endTime - startTime) >= milliseconds(timeAfterWatchdogShouldHaveFired))
+ if ((endTime - startTime) >= timeAfterWatchdogShouldHaveFired)
 printf("FAIL: %s script on dispatch queue did not time out as expected.\n", tierOptions.tier);
 if (!shouldTerminateCallbackWasCalled)
 printf("FAIL: %s script on dispatch queue timeout callback was not called.\n", tierOptions.tier);
 failed = true;
 }
+
+ JSStringRelease(script);
 }
 #endif
diff --git a/API/tests/ExecutionTimeLimitTest.h b/API/tests/ExecutionTimeLimitTest.h
index 2c937d0..830cd19 100644
--- a/API/tests/ExecutionTimeLimitTest.h
+++ b/API/tests/ExecutionTimeLimitTest.h
@@ -30,7 +30,7 @@ extern "C" {
 #endif
 /* Returns 1 if failures were encountered. Else, returns 0. */
-int testExecutionTimeLimit();
+int testExecutionTimeLimit(void);
 #ifdef __cplusplus
 } /* extern "C" */
diff --git a/API/tests/FunctionOverridesTest.cpp b/API/tests/FunctionOverridesTest.cpp
index cf0d6dc..4629342 100644
--- a/API/tests/FunctionOverridesTest.cpp
+++ b/API/tests/FunctionOverridesTest.cpp
@@ -44,7 +44,7 @@ int testFunctionOverrides()
 const char* oldFunctionOverrides = Options::functionOverrides();
- Options::functionOverrides() = "testapi-function-overrides.js";
+ Options::functionOverrides() = "./testapiScripts/testapi-function-overrides.js";
 JSC::FunctionOverrides::reinstallOverrides();
 JSGlobalContextRef context = JSGlobalContextCreateInGroup(nullptr, nullptr);
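Review bot: The failure branch under the changed comparison still tests `shouldTerminateCallbackWasCalled`, while the pass condition two lines above it uses `dispatchTerminateCallbackCalled`; when the dispatch-queue callback never fires, `failed` is set but no "timeout callback was not called" line is printed, so the output does not say which half of the condition failed. Change it to `if (!dispatchTerminateCallbackCalled)`. The enclosing `#if HAVE(MACH_EXCEPTIONS)` block and the function around it start outside the hunk.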
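Review bot: `Options::functionOverrides()` is now the working-directory-relative path `./testapiScripts/testapi-function-overrides.js`, so the test's outcome depends on where the harness is launched from, and nothing in the hunk shows whether `FunctionOverrides::reinstallOverrides()` reports a missing file or the later script checks just set `failed` with no hint. A one-line comment above the assignment naming the precondition, `// Relative to the directory testapi is launched from; a missing file shows up only as failed script checks.`, would save the next person a debugging round. The rest of `testFunctionOverrides`, including the restore of `oldFunctionOverrides`, is outside the hunk.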
@@ -76,6 +76,7 @@ int testFunctionOverrides()
 JSStringRef script = JSStringCreateWithUTF8CString(scriptString);
 JSValueRef exception = nullptr;
 JSValueRef resultRef = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception);
+ JSStringRelease(script);
 if (!JSValueIsBoolean(context, resultRef) || !JSValueToBoolean(context, resultRef))
 failed = true;
diff --git a/API/tests/FunctionOverridesTest.h b/API/tests/FunctionOverridesTest.h
index 16237e5..2f30724 100644
--- a/API/tests/FunctionOverridesTest.h
+++ b/API/tests/FunctionOverridesTest.h
@@ -30,7 +30,7 @@ extern "C" {
 #endif
 /* Returns 1 if failures were encountered. Else, returns 0. */
-int testFunctionOverrides();
+int testFunctionOverrides(void);
 #ifdef __cplusplus
 } /* extern "C" */
diff --git a/API/tests/GlobalContextWithFinalizerTest.h b/API/tests/GlobalContextWithFinalizerTest.h
index 1961350..5f725e7 100644
--- a/API/tests/GlobalContextWithFinalizerTest.h
+++ b/API/tests/GlobalContextWithFinalizerTest.h
@@ -32,7 +32,7 @@ extern "C" {
 #endif
 /* Returns 1 if failures were encountered. Else, returns 0. */
-int testGlobalContextWithFinalizer();
+int testGlobalContextWithFinalizer(void);
 #ifdef __cplusplus
 } /* extern "C" */
diff --git a/API/tests/JSExportTests.mm b/API/tests/JSExportTests.mm
index 1cec939..dfdc95f 100644
--- a/API/tests/JSExportTests.mm
+++ b/API/tests/JSExportTests.mm
@@ -23,6 +23,7 @@
 * THE POSSIBILITY OF SUCH DAMAGE.
 */
+#import "config.h"
 #import "JSExportTests.h"
 #import
diff --git a/API/tests/JSNode.c b/API/tests/JSNode.c
index d0a0dc3..bc0040a 100644
--- a/API/tests/JSNode.c
+++ b/API/tests/JSNode.c
@@ -23,7 +23,7 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#include
+#include "config.h"
 #include "JSNode.h"
 #include "JSNodeList.h"
diff --git a/API/tests/JSNodeList.c b/API/tests/JSNodeList.c
index f037e09..99a3295 100644
--- a/API/tests/JSNodeList.c
+++ b/API/tests/JSNodeList.c
@@ -23,7 +23,7 @@
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#include
+#include "config.h"
 #include "JSNode.h"
 #include "JSNodeList.h"
diff --git a/API/tests/JSONParseTest.h b/API/tests/JSONParseTest.h
index 13842f9..07d6ce7 100644
--- a/API/tests/JSONParseTest.h
+++ b/API/tests/JSONParseTest.h
@@ -29,7 +29,7 @@ extern "C" {
 #endif
-int testJSONParse();
+int testJSONParse(void);
 #ifdef __cplusplus
 } /* extern "C" */
diff --git a/API/tests/JSObjectGetProxyTargetTest.cpp b/API/tests/JSObjectGetProxyTargetTest.cpp
index 282f736..71821ea 100644
--- a/API/tests/JSObjectGetProxyTargetTest.cpp
+++ b/API/tests/JSObjectGetProxyTargetTest.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -49,22 +49,35 @@ int testJSObjectGetProxyTarget()
 };
 JSContextGroupRef group = JSContextGroupCreate();
- JSContextRef context = JSGlobalContextCreateInGroup(group, nullptr);
+ JSGlobalContextRef context = JSGlobalContextCreateInGroup(group, nullptr);
 ExecState* exec = toJS(context);
 VM& vm = *toJS(group);
 JSObjectRef globalObjectProxy = JSContextGetGlobalObject(context);
- JSProxy* globalObjectProxyObject = jsCast(toJS(globalObjectProxy));
- JSGlobalObject* globalObjectObject = jsCast(globalObjectProxyObject->target());
- Structure* proxyStructure = JSProxy::createStructure(vm, globalObjectObject, globalObjectObject->objectPrototype(), PureForwardingProxyType);
- JSObjectRef globalObject = toRef(globalObjectObject);
- JSProxy* jsProxyObject = JSProxy::create(vm, proxyStructure);
+
+ JSGlobalObject* globalObjectObject;
+ JSObjectRef globalObject;
+ JSProxy* jsProxyObject;
+
+ {
+ JSLockHolder locker(vm);
+ JSProxy* globalObjectProxyObject = jsCast(toJS(globalObjectProxy));
+ globalObjectObject = jsCast(globalObjectProxyObject->target());
+ Structure* proxyStructure = JSProxy::createStructure(vm, globalObjectObject, globalObjectObject->objectPrototype(), PureForwardingProxyType);
+ globalObject = toRef(globalObjectObject);
+ jsProxyObject = JSProxy::create(vm, proxyStructure);
+ }
 JSObjectRef array = JSObjectMakeArray(context, 0, nullptr, nullptr);
- Structure* emptyObjectStructure = JSFinalObject::createStructure(vm, globalObjectObject, globalObjectObject->objectPrototype(), 0);
- JSObject* handler = JSFinalObject::create(vm, emptyObjectStructure);
- ProxyObject* proxyObjectObject = ProxyObject::create(exec, globalObjectObject, toJS(array), handler);
+ ProxyObject* proxyObjectObject;
+
+ {
+ JSLockHolder locker(vm);
+ Structure* emptyObjectStructure = JSFinalObject::createStructure(vm, globalObjectObject, globalObjectObject->objectPrototype(), 0);
+ JSObject* handler = JSFinalObject::create(vm, emptyObjectStructure);
+ proxyObjectObject = 
ProxyObject::create(exec, globalObjectObject, toJS(array), handler);
+ }
 JSObjectRef jsProxy = toRef(jsProxyObject);
 JSObjectRef proxyObject = toRef(proxyObjectObject);
@@ -73,14 +86,18 @@ int testJSObjectGetProxyTarget()
 test("proxy target of non-proxy is null", !JSObjectGetProxyTarget(array));
 test("proxy target of uninitialized JSProxy is null", !JSObjectGetProxyTarget(jsProxy));
- jsProxyObject->setTarget(vm, globalObjectObject);
+ {
+ JSLockHolder locker(vm);
+ jsProxyObject->setTarget(vm, globalObjectObject);
+ }
 test("proxy target of initialized JSProxy works", JSObjectGetProxyTarget(jsProxy) == globalObject);
 test("proxy target of ProxyObject works", JSObjectGetProxyTarget(proxyObject) == array);
 test("proxy target of GlobalObject is the globalObject", JSObjectGetProxyTarget(globalObjectProxy) == globalObject);
-
+
+ JSGlobalContextRelease(context);
 JSContextGroupRelease(group);
 printf("JSObjectGetProxyTargetTest: %s\n", overallResult ? "PASS" : "FAIL");
diff --git a/API/tests/JSWrapperMapTests.h b/API/tests/JSWrapperMapTests.h
new file mode 100644
index 0000000..f4d813e
--- /dev/null
+++ b/API/tests/JSWrapperMapTests.h
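Review bot: The new `JSLockHolder locker(vm)` scopes carry no comment saying why the lock is held only around the direct heap calls (`JSProxy::create`, `JSFinalObject::create`, `ProxyObject::create`, and `setTarget` in the next hunk) and released around the C API calls in between (`JSObjectMakeArray`, `JSObjectGetProxyTarget`), which presumably take it themselves; without that, a later edit can widen a scope around a C API call and deadlock, or hoist a heap call out of one and race the collector. A one-line comment at the first scope would capture the intent: `// Direct JSC heap calls need the API lock; the C API calls in between acquire it internally, so the scopes stay narrow.` Separately, `proxyObjectObject = ProxyObject::create(exec, ...)` may leave a pending exception on `exec` (not expected for a fresh array target and an empty handler, but the test does not check), and the raw `JSProxy*`/`ProxyObject*` locals are kept alive across the unlocked calls only by conservative stack scanning, which is worth stating if that is the intent.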
@@ -0,0 +1,34 @@ +/* + * Copyright (C) 2018 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#import +#import + +#if JSC_OBJC_API_ENABLED + +void runJSWrapperMapTests(); + +#endif // JSC_OBJC_API_ENABLED + diff --git a/API/tests/JSWrapperMapTests.mm b/API/tests/JSWrapperMapTests.mm new file mode 100644 index 0000000..931a945 --- /dev/null +++ b/API/tests/JSWrapperMapTests.mm 
@@ -0,0 +1,79 @@ +/* + * Copyright (C) 2018 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#import "config.h" +#import "JSWrapperMapTests.h" + +#import "APICast.h" +#import "HeapCellInlines.h" +#import "JSValue.h" + +#if JSC_OBJC_API_ENABLED + +extern "C" void checkResult(NSString *description, bool passed); + +@protocol TestClassJSExport +- (instancetype)init; +@end + +@interface TestClass : NSObject +@end + +@implementation TestClass +@end + + +@interface JSWrapperMapTests : NSObject ++ (void)testStructureIdentity; +@end + + +@implementation JSWrapperMapTests ++ (void)testStructureIdentity +{ + JSContext* context = [[JSContext alloc] init]; + JSGlobalContextRef contextRef = JSGlobalContextRetain(context.JSGlobalContextRef); + JSC::ExecState* exec = toJS(contextRef); + + context[@"TestClass"] = [TestClass class]; + JSValue* aWrapper = [context evaluateScript:@"new TestClass()"]; + JSValue* bWrapper = [context evaluateScript:@"new TestClass()"]; + JSC::JSValue aValue = toJS(exec, aWrapper.JSValueRef); + JSC::JSValue bValue = toJS(exec, bWrapper.JSValueRef); + JSC::Structure* aStructure = aValue.structureOrNull(); + JSC::Structure* bStructure = bValue.structureOrNull(); + checkResult(@"structure should not be null", !!aStructure); + checkResult(@"both wrappers should share the same structure", aStructure == bStructure); +} +@end + +void runJSWrapperMapTests() +{ + @autoreleasepool { + [JSWrapperMapTests testStructureIdentity]; + } +} + +#endif // JSC_OBJC_API_ENABLED diff --git a/API/tests/MultithreadedMultiVMExecutionTest.h b/API/tests/MultithreadedMultiVMExecutionTest.h index 6498b67..1a9eff5 100644 --- a/API/tests/MultithreadedMultiVMExecutionTest.h +++ b/API/tests/MultithreadedMultiVMExecutionTest.h 
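Review bot: `testStructureIdentity` retains the context with `JSGlobalContextRetain(context.JSGlobalContextRef)` but never releases `contextRef`, so every run of the test leaks a reference to the global context; add `JSGlobalContextRelease(contextRef);` after the two `checkResult` calls. The direct heap reads that follow — `toJS(exec, ...)` and `aValue.structureOrNull()` — bypass the C API and run without the API lock, whereas the same kind of direct access in JSObjectGetProxyTargetTest in this commit is wrapped in a `JSLockHolder`; wrapping those lines in `JSC::JSLockHolder locker(exec);` would make the two tests consistent and keep the structure comparison from racing a collection. A short comment above the `@protocol TestClassJSExport` block naming what the test asserts (two wrappers for the same exported class share one Structure) would also help, since the file has no description of its purpose.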
@@ -29,10 +29,10 @@ extern "C" { #endif -extern void startMultithreadedMultiVMExecutionTest(); +extern void startMultithreadedMultiVMExecutionTest(void); /* Returns 1 if failures were encountered. Else, returns 0. */ -extern int finalizeMultithreadedMultiVMExecutionTest(); +extern int finalizeMultithreadedMultiVMExecutionTest(void); #ifdef __cplusplus } /* extern "C" */ diff --git a/API/tests/Node.c b/API/tests/Node.c index db687e9..8f7d06b 100644 --- a/API/tests/Node.c +++ b/API/tests/Node.c @@ -23,7 +23,9 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "config.h" #include "Node.h" + #include #include diff --git a/API/tests/NodeList.c b/API/tests/NodeList.c index 69f4cd5..22d387c 100644 --- a/API/tests/NodeList.c +++ b/API/tests/NodeList.c @@ -23,6 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#include "config.h" #include "NodeList.h" #include diff --git a/API/tests/PingPongStackOverflowTest.cpp b/API/tests/PingPongStackOverflowTest.cpp index 235dcee..fbe4687 100644 --- a/API/tests/PingPongStackOverflowTest.cpp +++ b/API/tests/PingPongStackOverflowTest.cpp @@ -142,7 +142,6 @@ int testPingPongStackOverflow() "PingPongStackOverflowObject.__proto__ = undefined;" \ "undefined instanceof PingPongStackOverflowObject;"; - JSValueRef scriptResult = nullptr; JSValueRef exception = nullptr; JSStringRef script = JSStringCreateWithUTF8CString(scriptString); @@ -161,7 +160,11 @@ int testPingPongStackOverflow() Options::maxPerThreadStackUsage() = stackSize + Options::softReservedZoneSize(); exception = nullptr; - scriptResult = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + + JSGlobalContextRelease(context); + context = nullptr; + JSStringRelease(script); if (!exception) { printf("FAIL: PingPongStackOverflowError not thrown in PingPongStackOverflow test\n"); 
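Review bot: In the second PingPongStackOverflowTest.cpp hunk, `JSGlobalContextRelease(context); context = nullptr;` now runs before `exception` is examined, yet `exception` is a `JSValueRef` owned by that context's VM; any later API call on it would receive the null `context`, and if this context was the last reference to its group the value itself is dangling. Moving the two release lines and `JSStringRelease(script)` to after the exception checks (or copying what the checks need into a `JSStringRef` first) keeps the value valid while it is inspected. The body of `testPingPongStackOverflow`, including whatever is done with `exception` after the `if (!exception)` branch, continues outside the hunk, so the exact use is inferred here.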
diff --git a/API/tests/PingPongStackOverflowTest.h b/API/tests/PingPongStackOverflowTest.h index a204669..c7247ae 100644 --- a/API/tests/PingPongStackOverflowTest.h +++ b/API/tests/PingPongStackOverflowTest.h @@ -29,7 +29,7 @@ extern "C" { #endif -int testPingPongStackOverflow(); +int testPingPongStackOverflow(void); #ifdef __cplusplus } /* extern "C" */ diff --git a/API/tests/Regress141275.mm b/API/tests/Regress141275.mm index 18e186a..ee9af88 100644 --- a/API/tests/Regress141275.mm +++ b/API/tests/Regress141275.mm @@ -306,12 +306,12 @@ static void __JSTRunLoopSourceCancelCallBack(void* info, CFRunLoopRef rl, CFStri NSError* error = nil; if (task.evaluateBlock) { [self _setupEvaluatorThreadContextIfNeeded]; - task.evaluateBlock(_jsContext); - if (_jsContext.exception) { - NSLog(@"Did fail on JSContext: %@", _jsContext.name); - NSDictionary* userInfo = @{ NSLocalizedDescriptionKey : [_jsContext.exception[@"message"] toString] }; + task.evaluateBlock(self->_jsContext); + if (self->_jsContext.exception) { + NSLog(@"Did fail on JSContext: %@", self->_jsContext.name); + NSDictionary* userInfo = @{ NSLocalizedDescriptionKey : [self->_jsContext.exception[@"message"] toString] }; error = [NSError errorWithDomain:@"JSTEvaluator" code:1 userInfo:userInfo]; - _jsContext.exception = nil; + self->_jsContext.exception = nil; } } [self _callCompletionHandler:task.completionHandler ifNeededWithError:error]; @@ -324,8 +324,8 @@ static void __JSTRunLoopSourceCancelCallBack(void* info, CFRunLoopRef rl, CFStri } dispatch_barrier_sync(_jsSourcePerformQueue, ^{ - if ([_jsContext[@"counter"] toInt32] == scriptToEvaluate) - dispatch_semaphore_signal(_allScriptsDone); + if ([self->_jsContext[@"counter"] toInt32] == scriptToEvaluate) + dispatch_semaphore_signal(self->_allScriptsDone); }); } } diff --git a/API/tests/minidom.c b/API/tests/minidom.c index 02b41a9..6ebb399 100644 --- a/API/tests/minidom.c +++ b/API/tests/minidom.c 
@@ -24,7 +24,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include +#include "config.h" #include "JSContextRef.h" #include "JSNode.h" @@ -91,6 +91,7 @@ static JSValueRef print(JSContextRef context, JSObjectRef object, JSObjectRef th char stringUTF8[numChars]; JSStringGetUTF8CString(string, stringUTF8, numChars); printf("%s\n", stringUTF8); + JSStringRelease(string); } return JSValueMakeUndefined(context); diff --git a/include/JavaScriptCore/WebKitAvailability.h b/API/tests/testIncludes.m similarity index 68% rename from include/JavaScriptCore/WebKitAvailability.h rename to API/tests/testIncludes.m index e3a29fc..bfe119c 100644 --- a/include/JavaScriptCore/WebKitAvailability.h +++ b/API/tests/testIncludes.m @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008, 2009, 2010, 2014 Apple Inc. All Rights Reserved. + * Copyright (C) 2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,24 +23,20 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifndef __WebKitAvailability__ -#define __WebKitAvailability__ -#if defined(__APPLE__) +// Since we include files that haven't passed through the rewriter we need to handle the non-rewritten values... +#define JSC_API_AVAILABLE(...) +#define JSC_API_DEPRECATED(...) +#define JSC_CLASS_AVAILABLE(...) +#define JSC_MAC_VERSION_TBA 0 +#define JSC_IOS_VERSION_TBA 0 -#include -#include +// umbrella header +#import -#if defined(BUILDING_GTK__) -#undef CF_AVAILABLE -#define CF_AVAILABLE(_mac, _ios) -#undef CF_ENUM_AVAILABLE -#define CF_ENUM_AVAILABLE(_mac, _ios) -#endif +// private headers +#import +#import +#import +#import -#else -#define CF_AVAILABLE(_mac, _ios) -#define CF_ENUM_AVAILABLE(_mac, _ios) -#endif - -#endif /* __WebKitAvailability__ */ diff --git a/API/tests/testapi.c b/API/tests/testapi.c index f12cc2e..fa24534 100644 --- a/API/tests/testapi.c 
+++ b/API/tests/testapi.c @@ -23,7 +23,8 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include +#define ASSERT_DISABLED 0 +#include "config.h" #if USE(CF) #include "JavaScriptCore.h" @@ -39,12 +40,18 @@ #include "JSScriptRefPrivate.h" #include "JSStringRefPrivate.h" #include "JSWeakPrivate.h" +#if !OS(WINDOWS) +#include +#endif +#include #include #include #include #include #include -#define ASSERT_DISABLED 0 +#if !OS(WINDOWS) +#include +#endif #include #if OS(WINDOWS) @@ -62,10 +69,16 @@ #include "PingPongStackOverflowTest.h" #include "TypedArrayCTest.h" -#if JSC_OBJC_API_ENABLED -void testObjectiveCAPI(void); +#if COMPILER(MSVC) +#pragma warning(disable:4204) #endif +#if JSC_OBJC_API_ENABLED +void testObjectiveCAPI(const char*); +#endif + +int testCAPIViaCpp(const char* filter); + bool assertTrue(bool value, const char* message); static JSGlobalContextRef context; @@ -195,6 +208,16 @@ static bool MyObject_hasProperty(JSContextRef context, JSObjectRef object, JSStr return false; } +static JSValueRef throwException(JSContextRef context, JSObjectRef object, JSValueRef* exception) +{ + JSStringRef script = JSStringCreateWithUTF8CString("throw 'an exception'"); + JSStringRef sourceURL = JSStringCreateWithUTF8CString("test script"); + JSValueRef result = JSEvaluateScript(context, script, object, sourceURL, 1, exception); + JSStringRelease(script); + JSStringRelease(sourceURL); + return result; +} + static JSValueRef MyObject_getProperty(JSContextRef context, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception) { UNUSED_PARAM(context); 
@@ -217,7 +240,7 @@ static JSValueRef MyObject_getProperty(JSContextRef context, JSObjectRef object, } if (JSStringIsEqualToUTF8CString(propertyName, "throwOnGet")) { - return JSEvaluateScript(context, JSStringCreateWithUTF8CString("throw 'an exception'"), object, JSStringCreateWithUTF8CString("test script"), 1, exception); + return throwException(context, object, exception); } if (JSStringIsEqualToUTF8CString(propertyName, "0")) { @@ -239,7 +262,7 @@ static bool MyObject_setProperty(JSContextRef context, JSObjectRef object, JSStr return true; // pretend we set the property in order to swallow it if (JSStringIsEqualToUTF8CString(propertyName, "throwOnSet")) { - JSEvaluateScript(context, JSStringCreateWithUTF8CString("throw 'an exception'"), object, JSStringCreateWithUTF8CString("test script"), 1, exception); + throwException(context, object, exception); } return false; @@ -254,7 +277,7 @@ static bool MyObject_deleteProperty(JSContextRef context, JSObjectRef object, JS return true; if (JSStringIsEqualToUTF8CString(propertyName, "throwOnDelete")) { - JSEvaluateScript(context, JSStringCreateWithUTF8CString("throw 'an exception'"), object, JSStringCreateWithUTF8CString("test script"), 1, exception); + throwException(context, object, exception); return false; } 
@@ -277,6 +300,18 @@ static void MyObject_getPropertyNames(JSContextRef context, JSObjectRef object, JSStringRelease(propertyName); } +static bool isValueEqualToString(JSContextRef context, JSValueRef value, const char* string) +{ + if (!JSValueIsString(context, value)) + return false; + JSStringRef valueString = JSValueToStringCopy(context, value, NULL); + if (!valueString) + return false; + bool isEqual = JSStringIsEqualToUTF8CString(valueString, string); + JSStringRelease(valueString); + return isEqual; +} + static JSValueRef MyObject_callAsFunction(JSContextRef context, JSObjectRef object, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { UNUSED_PARAM(context); @@ -284,8 +319,8 @@ static JSValueRef MyObject_callAsFunction(JSContextRef context, JSObjectRef obje UNUSED_PARAM(thisObject); UNUSED_PARAM(exception); - if (argumentCount > 0 && JSValueIsString(context, arguments[0]) && JSStringIsEqualToUTF8CString(JSValueToStringCopy(context, arguments[0], 0), "throwOnCall")) { - JSEvaluateScript(context, JSStringCreateWithUTF8CString("throw 'an exception'"), object, JSStringCreateWithUTF8CString("test script"), 1, exception); + if (argumentCount > 0 && isValueEqualToString(context, arguments[0], "throwOnCall")) { + throwException(context, object, exception); return JSValueMakeUndefined(context); } @@ -300,8 +335,8 @@ static JSObjectRef MyObject_callAsConstructor(JSContextRef context, JSObjectRef UNUSED_PARAM(context); UNUSED_PARAM(object); - if (argumentCount > 0 && JSValueIsString(context, arguments[0]) && JSStringIsEqualToUTF8CString(JSValueToStringCopy(context, arguments[0], 0), "throwOnConstruct")) { - JSEvaluateScript(context, JSStringCreateWithUTF8CString("throw 'an exception'"), object, JSStringCreateWithUTF8CString("test script"), 1, exception); + if (argumentCount > 0 && isValueEqualToString(context, arguments[0], "throwOnConstruct")) { + throwException(context, object, exception); return object; } 
@@ -316,8 +351,8 @@ static bool MyObject_hasInstance(JSContextRef context, JSObjectRef constructor, UNUSED_PARAM(context); UNUSED_PARAM(constructor); - if (JSValueIsString(context, possibleValue) && JSStringIsEqualToUTF8CString(JSValueToStringCopy(context, possibleValue, 0), "throwOnHasInstance")) { - JSEvaluateScript(context, JSStringCreateWithUTF8CString("throw 'an exception'"), constructor, JSStringCreateWithUTF8CString("test script"), 1, exception); + if (isValueEqualToString(context, possibleValue, "throwOnHasInstance")) { + throwException(context, constructor, exception); return false; } @@ -1131,9 +1166,12 @@ static bool globalContextNameTest() JSStringRelease(fetchName1); JSStringRelease(fetchName2); + JSGlobalContextRelease(context); + return result; } +IGNORE_GCC_WARNINGS_BEGIN("unused-but-set-variable") static void checkConstnessInJSObjectNames() { JSStaticFunction fun; @@ -1141,6 +1179,7 @@ static void checkConstnessInJSObjectNames() JSStaticValue val; val.name = "something"; } +IGNORE_GCC_WARNINGS_END #ifdef __cplusplus extern "C" { @@ -1183,7 +1222,6 @@ static void heapFinalizer(JSContextGroupRef group, void *userData) static void testMarkingConstraintsAndHeapFinalizers(void) { JSContextGroupRef group; - JSContextRef context; JSWeakRef *weakRefs; unsigned i; unsigned deadCount; @@ -1193,11 +1231,11 @@ static void testMarkingConstraintsAndHeapFinalizers(void) group = JSContextGroupCreate(); expectedContextGroup = group; - context = JSGlobalContextCreateInGroup(group, NULL); + JSGlobalContextRef context = JSGlobalContextCreateInGroup(group, NULL); weakRefs = (JSWeakRef*)calloc(numWeakRefs, sizeof(JSWeakRef)); - JSContextGroupAddMarkingConstraint(group, markingConstraint, weakRefs); + JSContextGroupAddMarkingConstraint(group, markingConstraint, (void*)weakRefs); JSContextGroupAddHeapFinalizer(group, heapFinalizer, (void*)(uintptr_t)42); for (i = numWeakRefs; i--;) 
@@ -1208,7 +1246,7 @@ static void testMarkingConstraintsAndHeapFinalizers(void) deadCount = 0; for (i = 0; i < numWeakRefs; i += 2) { - assertTrue(JSWeakGetObject(weakRefs[i]), "Marked objects stayed alive"); + assertTrue((bool)JSWeakGetObject(weakRefs[i]), "Marked objects stayed alive"); if (!JSWeakGetObject(weakRefs[i + 1])) deadCount++; } @@ -1230,7 +1268,8 @@ static void testMarkingConstraintsAndHeapFinalizers(void) didRunHeapFinalizer = false; JSSynchronousGarbageCollectForDebugging(context); assertTrue(!didRunHeapFinalizer, "Did not run heap finalizer"); - + + JSGlobalContextRelease(context); JSContextGroupRelease(group); printf("PASS: Marking Constraints and Heap Finalizers.\n"); @@ -1342,23 +1381,31 @@ static void testCFStrings(void) int main(int argc, char* argv[]) { #if OS(WINDOWS) - // Cygwin calls ::SetErrorMode(SEM_FAILCRITICALERRORS), which we will inherit. This is bad for + // Cygwin calls SetErrorMode(SEM_FAILCRITICALERRORS), which we will inherit. This is bad for // testing/debugging, as it causes the post-mortem debugger not to be invoked. We reset the // error mode here to work around Cygwin's behavior. See . - ::SetErrorMode(0); + SetErrorMode(0); #endif +#if !OS(WINDOWS) + char resolvedPath[PATH_MAX]; + realpath(argv[0], resolvedPath); + char* newCWD = dirname(resolvedPath); + if (chdir(newCWD)) + fprintf(stdout, "Could not chdir to: %s\n", newCWD); +#endif + + const char* filter = argc > 1 ? argv[1] : NULL; +#if JSC_OBJC_API_ENABLED + testObjectiveCAPI(filter); +#endif + + RELEASE_ASSERT(!testCAPIViaCpp(filter)); + if (filter) + return 0; + testCompareAndSwap(); startMultithreadedMultiVMExecutionTest(); - -#if JSC_OBJC_API_ENABLED - testObjectiveCAPI(); -#endif - - const char *scriptPath = "testapi.js"; - if (argc > 1) { - scriptPath = argv[1]; - } // Test garbage collection with a fresh context context = JSGlobalContextCreateInGroup(NULL, NULL); 
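Review bot: The return value of `realpath(argv[0], resolvedPath)` is not checked in `main`; on failure it returns NULL and leaves `resolvedPath` unspecified, so `dirname(resolvedPath)` and the `chdir` then operate on an uninitialized buffer. A guard such as `if (!realpath(argv[0], resolvedPath)) { fprintf(stderr, "Could not resolve %s\n", argv[0]); return 1; }` keeps the later relative `./testapiScripts/testapi.js` load meaningful, since that path only resolves after the `chdir` succeeded. The existing `chdir` failure path prints to stdout and carries on; it is worth a comment stating that this is deliberate, because the script load will report a separate FAIL in that case. The rest of `main` is outside the hunk.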
@@ -1947,6 +1994,7 @@ int main(int argc, char* argv[]) JSObjectMakeConstructor(context, nullClass, 0); JSClassRelease(nullClass); + const char* scriptPath = "./testapiScripts/testapi.js"; char* scriptUTF8 = createStringWithContentsOfFile(scriptPath); if (!scriptUTF8) { printf("FAIL: Test script could not be loaded.\n"); @@ -2019,7 +2067,7 @@ int main(int argc, char* argv[]) JSValueRef exception; JSStringRef code = JSStringCreateWithUTF8CString("result = 0; Promise.resolve(42).then(function (value) { result = value; });"); JSStringRef file = JSStringCreateWithUTF8CString(""); - assertTrue(JSEvaluateScript(context, code, globalObject, file, 1, &exception), "An exception should not be thrown"); + assertTrue((bool)JSEvaluateScript(context, code, globalObject, file, 1, &exception), "An exception should not be thrown"); JSStringRelease(code); JSStringRelease(file); 
@@ -2033,13 +2081,29 @@ int main(int argc, char* argv[]) JSGlobalContextRelease(context); } - failed = testTypedArrayCAPI() || failed; - failed = testExecutionTimeLimit() || failed; - failed = testFunctionOverrides() || failed; - failed = testGlobalContextWithFinalizer() || failed; - failed = testPingPongStackOverflow() || failed; - failed = testJSONParse() || failed; - failed = testJSObjectGetProxyTarget() || failed; + // Check JSObjectGetGlobalContext + { + JSGlobalContextRef context = JSGlobalContextCreateInGroup(NULL, NULL); + { + JSObjectRef globalObject = JSContextGetGlobalObject(context); + assertTrue(JSObjectGetGlobalContext(globalObject) == context, "global object context is correct"); + JSObjectRef object = JSObjectMake(context, NULL, NULL); + assertTrue(JSObjectGetGlobalContext(object) == context, "regular object context is correct"); + JSStringRef returnFunctionSource = JSStringCreateWithUTF8CString("return this;"); + JSObjectRef theFunction = JSObjectMakeFunction(context, NULL, 0, NULL, returnFunctionSource, NULL, 1, NULL); + assertTrue(JSObjectGetGlobalContext(theFunction) == context, "function object context is correct"); + assertTrue(JSObjectGetGlobalContext(NULL) == NULL, "NULL object context is NULL"); + JSStringRelease(returnFunctionSource); + } + JSGlobalContextRelease(context); + } + failed |= testTypedArrayCAPI(); + failed |= testExecutionTimeLimit(); + failed |= testFunctionOverrides(); + failed |= testGlobalContextWithFinalizer(); + failed |= testPingPongStackOverflow(); + failed |= testJSONParse(); + failed |= testJSObjectGetProxyTarget(); // Clear out local variables pointing at JSObjectRefs to allow their values to be collected function = NULL; 
@@ -2131,8 +2195,8 @@ static char* createStringWithContentsOfFile(const char* fileName) } #if OS(WINDOWS) -extern "C" __declspec(dllexport) int WINAPI dllLauncherEntryPoint(int argc, const char* argv[]) +__declspec(dllexport) int WINAPI dllLauncherEntryPoint(int argc, char* argv[]) { - return main(argc, const_cast(argv)); + return main(argc, argv); } #endif diff --git a/API/tests/testapi.cpp b/API/tests/testapi.cpp new file mode 100644 index 0000000..1cfd4c0 --- /dev/null +++ b/API/tests/testapi.cpp 
@@ -0,0 +1,559 @@ +/* + * Copyright (C) 2017 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "APICast.h" +#include "JSCJSValueInlines.h" +#include "JSObject.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +extern "C" int testCAPIViaCpp(const char* filter); + +class APIString { + WTF_MAKE_NONCOPYABLE(APIString); +public: + + APIString(const char* string) + : m_string(JSStringCreateWithUTF8CString(string)) + { + } + + ~APIString() + { + JSStringRelease(m_string); + } + + operator JSStringRef() { return m_string; } + +private: + JSStringRef m_string; +}; + +class APIContext { + WTF_MAKE_NONCOPYABLE(APIContext); +public: + + APIContext() + : m_context(JSGlobalContextCreate(nullptr)) + { + APIString print("print"); + JSObjectRef printFunction = JSObjectMakeFunctionWithCallback(m_context, print, [] (JSContextRef ctx, JSObjectRef, JSObjectRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef*) { + + JSC::ExecState* exec = toJS(ctx); + for (unsigned i = 0; i < argumentCount; i++) + dataLog(toJS(exec, arguments[i])); + dataLogLn(); + return JSValueMakeUndefined(ctx); + }); + + JSObjectSetProperty(m_context, JSContextGetGlobalObject(m_context), print, printFunction, kJSPropertyAttributeNone, nullptr); + } + + ~APIContext() + { + JSGlobalContextRelease(m_context); + } + + operator JSGlobalContextRef() { return m_context; } + operator JSC::ExecState*() { return toJS(m_context); } + +private: + JSGlobalContextRef m_context; +}; + +template +class APIVector : protected Vector { + using Base = Vector; +public: + APIVector(APIContext& context) + : Base() + , m_context(context) + { + } + + ~APIVector() + { + for (auto& value : *this) + JSValueUnprotect(m_context, value); + } + + using Vector::operator[]; + using Vector::size; + using Vector::begin; + using Vector::end; + using typename Vector::iterator; + + void append(T value) + { + JSValueProtect(m_context, value); + Base::append(WTFMove(value)); + } + +private: + APIContext& m_context; +}; + +class TestAPI { +public: + int 
run(const char* filter); + + void basicSymbol(); + void symbolsTypeof(); + void symbolsDescription(); + void symbolsGetPropertyForKey(); + void symbolsSetPropertyForKey(); + void symbolsHasPropertyForKey(); + void symbolsDeletePropertyForKey(); + void promiseResolveTrue(); + void promiseRejectTrue(); + + int failed() const { return m_failed; } + +private: + + template + bool check(bool condition, Strings... message); + + template + void checkJSAndAPIMatch(const JSFunctor&, const APIFunctor&, const char* description); + + // Helper methods. + using ScriptResult = Expected; + ScriptResult evaluateScript(const char* script, JSObjectRef thisObject = nullptr); + template + ScriptResult callFunction(const char* functionSource, ArgumentTypes... arguments); + template + bool functionReturnsTrue(const char* functionSource, ArgumentTypes... arguments); + + // Ways to make sets of interesting things. + APIVector interestingObjects(); + APIVector interestingKeys(); + + int m_failed { 0 }; + APIContext context; +}; + +TestAPI::ScriptResult TestAPI::evaluateScript(const char* script, JSObjectRef thisObject) +{ + APIString scriptAPIString(script); + JSValueRef exception = nullptr; + + JSValueRef result = JSEvaluateScript(context, scriptAPIString, thisObject, nullptr, 0, &exception); + if (exception) + return Unexpected(exception); + return ScriptResult(result); +} + +template +TestAPI::ScriptResult TestAPI::callFunction(const char* functionSource, ArgumentTypes... arguments) +{ + JSValueRef function; + { + ScriptResult functionResult = evaluateScript(functionSource); + if (!functionResult) + return functionResult; + function = functionResult.value(); + } + + JSValueRef exception = nullptr; + if (JSObjectRef functionObject = JSValueToObject(context, function, &exception)) { + JSValueRef args[sizeof...(arguments)] { arguments... 
}; + JSValueRef result = JSObjectCallAsFunction(context, functionObject, functionObject, sizeof...(arguments), args, &exception); + if (!exception) + return ScriptResult(result); + } + + RELEASE_ASSERT(exception); + return Unexpected(exception); +} + +template +bool TestAPI::functionReturnsTrue(const char* functionSource, ArgumentTypes... arguments) +{ + JSValueRef trueValue = JSValueMakeBoolean(context, true); + ScriptResult result = callFunction(functionSource, arguments...); + if (!result) + return false; + return JSValueIsStrictEqual(context, trueValue, result.value()); +} + +template +bool TestAPI::check(bool condition, Strings... messages) +{ + if (!condition) { + dataLogLn(messages..., ": FAILED"); + m_failed++; + } else + dataLogLn(messages..., ": PASSED"); + + return condition; +} + +template +void TestAPI::checkJSAndAPIMatch(const JSFunctor& jsFunctor, const APIFunctor& apiFunctor, const char* description) +{ + JSValueRef exception = nullptr; + JSValueRef result = apiFunctor(&exception); + ScriptResult jsResult = jsFunctor(); + if (!jsResult) { + check(exception, "JS and API calls should both throw an exception while ", description); + check(functionReturnsTrue("(function(a, b) { return a.constructor === b.constructor; })", exception, jsResult.error()), "JS and API calls should both throw the same exception while ", description); + } else { + check(!exception, "JS and API calls should both not throw an exception while ", description); + check(JSValueIsStrictEqual(context, result, jsResult.value()), "JS result and API calls should return the same value while ", description); + } +} + +APIVector TestAPI::interestingObjects() +{ + APIVector result(context); + JSObjectRef array = JSValueToObject(context, evaluateScript( + "[{}, [], { [Symbol.iterator]: 1 }, new Date(), new String('str'), new Map(), new Set(), new WeakMap(), new WeakSet(), new Error(), new Number(42), new Boolean(), { get length() { throw new Error(); } }];").value(), nullptr); + + APIString 
lengthString("length"); + unsigned length = JSValueToNumber(context, JSObjectGetProperty(context, array, lengthString, nullptr), nullptr); + for (unsigned i = 0; i < length; i++) { + JSObjectRef object = JSValueToObject(context, JSObjectGetPropertyAtIndex(context, array, i, nullptr), nullptr); + ASSERT(object); + result.append(object); + } + + return result; +} + +APIVector TestAPI::interestingKeys() +{ + APIVector result(context); + JSObjectRef array = JSValueToObject(context, evaluateScript("[{}, [], 1, Symbol.iterator, 'length']").value(), nullptr); + + APIString lengthString("length"); + unsigned length = JSValueToNumber(context, JSObjectGetProperty(context, array, lengthString, nullptr), nullptr); + for (unsigned i = 0; i < length; i++) { + JSValueRef value = JSObjectGetPropertyAtIndex(context, array, i, nullptr); + ASSERT(value); + result.append(value); + } + + return result; +} + +static const char* isSymbolFunction = "(function isSymbol(symbol) { return typeof(symbol) === 'symbol'; })"; +static const char* getSymbolDescription = "(function getSymbolDescription(symbol) { return symbol.description; })"; +static const char* getFunction = "(function get(object, key) { return object[key]; })"; +static const char* setFunction = "(function set(object, key, value) { object[key] = value; })"; + +void TestAPI::basicSymbol() +{ + // Can't call Symbol as a constructor since it's not subclassable. 
+ auto result = evaluateScript("Symbol('dope');"); + check(JSValueGetType(context, result.value()) == kJSTypeSymbol, "dope get type is a symbol"); + check(JSValueIsSymbol(context, result.value()), "dope is a symbol"); +} + +void TestAPI::symbolsTypeof() +{ + { + JSValueRef symbol = JSValueMakeSymbol(context, nullptr); + check(functionReturnsTrue(isSymbolFunction, symbol), "JSValueMakeSymbol makes a symbol value"); + } + { + APIString description("dope"); + JSValueRef symbol = JSValueMakeSymbol(context, description); + check(functionReturnsTrue(isSymbolFunction, symbol), "JSValueMakeSymbol makes a symbol value"); + } +} + +void TestAPI::symbolsDescription() +{ + { + JSValueRef symbol = JSValueMakeSymbol(context, nullptr); + auto result = callFunction(getSymbolDescription, symbol); + check(JSValueIsStrictEqual(context, result.value(), JSValueMakeUndefined(context)), "JSValueMakeSymbol with nullptr description produces a symbol value without description"); + } + { + APIString description("dope"); + JSValueRef symbol = JSValueMakeSymbol(context, description); + auto result = callFunction(getSymbolDescription, symbol); + check(JSValueIsStrictEqual(context, result.value(), JSValueMakeString(context, description)), "JSValueMakeSymbol with description string produces a symbol value with description"); + } +} + +void TestAPI::symbolsGetPropertyForKey() +{ + auto objects = interestingObjects(); + auto keys = interestingKeys(); + + for (auto& object : objects) { + dataLogLn("\nnext object: ", toJS(context, object)); + for (auto& key : keys) { + dataLogLn("Using key: ", toJS(context, key)); + checkJSAndAPIMatch( + [&] { + return callFunction(getFunction, object, key); + }, [&] (JSValueRef* exception) { + return JSObjectGetPropertyForKey(context, object, key, exception); + }, "checking get property keys"); + } + } +} + +void TestAPI::symbolsSetPropertyForKey() +{ + auto jsObjects = interestingObjects(); + auto apiObjects = interestingObjects(); + auto keys = interestingKeys(); 
+ + JSValueRef theAnswer = JSValueMakeNumber(context, 42); + for (size_t i = 0; i < jsObjects.size(); i++) { + for (auto& key : keys) { + JSObjectRef jsObject = jsObjects[i]; + JSObjectRef apiObject = apiObjects[i]; + checkJSAndAPIMatch( + [&] { + return callFunction(setFunction, jsObject, key, theAnswer); + } , [&] (JSValueRef* exception) { + JSObjectSetPropertyForKey(context, apiObject, key, theAnswer, kJSPropertyAttributeNone, exception); + return JSValueMakeUndefined(context); + }, "setting property keys to the answer"); + // Check get is the same on API object. + checkJSAndAPIMatch( + [&] { + return callFunction(getFunction, apiObject, key); + }, [&] (JSValueRef* exception) { + return JSObjectGetPropertyForKey(context, apiObject, key, exception); + }, "getting property keys from API objects"); + // Check get is the same on respective objects. + checkJSAndAPIMatch( + [&] { + return callFunction(getFunction, jsObject, key); + }, [&] (JSValueRef* exception) { + return JSObjectGetPropertyForKey(context, apiObject, key, exception); + }, "getting property keys from respective objects"); + } + } +} + +void TestAPI::symbolsHasPropertyForKey() +{ + const char* hasFunction = "(function has(object, key) { return key in object; })"; + auto objects = interestingObjects(); + auto keys = interestingKeys(); + + JSValueRef theAnswer = JSValueMakeNumber(context, 42); + for (auto& object : objects) { + dataLogLn("\nNext object: ", toJS(context, object)); + for (auto& key : keys) { + dataLogLn("Using key: ", toJS(context, key)); + checkJSAndAPIMatch( + [&] { + return callFunction(hasFunction, object, key); + }, [&] (JSValueRef* exception) { + return JSValueMakeBoolean(context, JSObjectHasPropertyForKey(context, object, key, exception)); + }, "checking has property keys unset"); + + check(!!callFunction(setFunction, object, key, theAnswer), "set property to the answer"); + + checkJSAndAPIMatch( + [&] { + return callFunction(hasFunction, object, key); + }, [&] (JSValueRef* 
exception) { + return JSValueMakeBoolean(context, JSObjectHasPropertyForKey(context, object, key, exception)); + }, "checking has property keys set"); + } + } +} + + +void TestAPI::symbolsDeletePropertyForKey() +{ + const char* deleteFunction = "(function del(object, key) { return delete object[key]; })"; + auto objects = interestingObjects(); + auto keys = interestingKeys(); + + JSValueRef theAnswer = JSValueMakeNumber(context, 42); + for (auto& object : objects) { + dataLogLn("\nNext object: ", toJS(context, object)); + for (auto& key : keys) { + dataLogLn("Using key: ", toJS(context, key)); + checkJSAndAPIMatch( + [&] { + return callFunction(deleteFunction, object, key); + }, [&] (JSValueRef* exception) { + return JSValueMakeBoolean(context, JSObjectDeletePropertyForKey(context, object, key, exception)); + }, "checking has property keys unset"); + + check(!!callFunction(setFunction, object, key, theAnswer), "set property to the answer"); + + checkJSAndAPIMatch( + [&] { + return callFunction(deleteFunction, object, key); + }, [&] (JSValueRef* exception) { + return JSValueMakeBoolean(context, JSObjectDeletePropertyForKey(context, object, key, exception)); + }, "checking has property keys set"); + } + } +} + +void TestAPI::promiseResolveTrue() +{ + JSObjectRef resolve; + JSObjectRef reject; + JSValueRef exception = nullptr; + JSObjectRef promise = JSObjectMakeDeferredPromise(context, &resolve, &reject, &exception); + check(!exception, "No exception should be thrown creating a deferred promise"); + + // Ugh, we don't have any C API that takes blocks... so we do this hack to capture the runner. 
+ static TestAPI* tester = this; + static bool passedTrueCalled = false; + + APIString trueString("passedTrue"); + auto passedTrue = [](JSContextRef ctx, JSObjectRef, JSObjectRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef*) -> JSValueRef { + tester->check(argumentCount && JSValueIsStrictEqual(ctx, arguments[0], JSValueMakeBoolean(ctx, true)), "function should have been called back with true"); + passedTrueCalled = true; + return JSValueMakeUndefined(ctx); + }; + + APIString thenString("then"); + JSValueRef thenFunction = JSObjectGetProperty(context, promise, thenString, &exception); + check(!exception && thenFunction && JSValueIsObject(context, thenFunction), "Promise should have a then object property"); + + JSValueRef passedTrueFunction = JSObjectMakeFunctionWithCallback(context, trueString, passedTrue); + JSObjectCallAsFunction(context, const_cast(thenFunction), promise, 1, &passedTrueFunction, &exception); + check(!exception, "No exception should be thrown setting up callback"); + + auto trueValue = JSValueMakeBoolean(context, true); + JSObjectCallAsFunction(context, resolve, resolve, 1, &trueValue, &exception); + check(!exception, "No exception should be thrown resolve promise"); + check(passedTrueCalled, "then response function should have been called."); +} + +void TestAPI::promiseRejectTrue() +{ + JSObjectRef resolve; + JSObjectRef reject; + JSValueRef exception = nullptr; + JSObjectRef promise = JSObjectMakeDeferredPromise(context, &resolve, &reject, &exception); + check(!exception, "No exception should be thrown creating a deferred promise"); + + // Ugh, we don't have any C API that takes blocks... so we do this hack to capture the runner. 
+ static TestAPI* tester = this; + static bool passedTrueCalled = false; + + APIString trueString("passedTrue"); + auto passedTrue = [](JSContextRef ctx, JSObjectRef, JSObjectRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef*) -> JSValueRef { + tester->check(argumentCount && JSValueIsStrictEqual(ctx, arguments[0], JSValueMakeBoolean(ctx, true)), "function should have been called back with true"); + passedTrueCalled = true; + return JSValueMakeUndefined(ctx); + }; + + APIString catchString("catch"); + JSValueRef catchFunction = JSObjectGetProperty(context, promise, catchString, &exception); + check(!exception && catchFunction && JSValueIsObject(context, catchFunction), "Promise should have a then object property"); + + JSValueRef passedTrueFunction = JSObjectMakeFunctionWithCallback(context, trueString, passedTrue); + JSObjectCallAsFunction(context, const_cast(catchFunction), promise, 1, &passedTrueFunction, &exception); + check(!exception, "No exception should be thrown setting up callback"); + + auto trueValue = JSValueMakeBoolean(context, true); + JSObjectCallAsFunction(context, reject, reject, 1, &trueValue, &exception); + check(!exception, "No exception should be thrown resolve promise"); + check(passedTrueCalled, "then response function should have been called."); +} + +#define RUN(test) do { \ + if (!shouldRun(#test)) \ + break; \ + tasks.append( \ + createSharedTask( \ + [&] (TestAPI& tester) { \ + tester.test; \ + dataLog(#test ": OK!\n"); \ + })); \ + } while (false) + +int testCAPIViaCpp(const char* filter) +{ + dataLogLn("Starting C-API tests in C++"); + + Deque>> tasks; + + auto shouldRun = [&] (const char* testName) -> bool { + return !filter || WTF::findIgnoringASCIICaseWithoutLength(testName, filter) != WTF::notFound; + }; + + RUN(basicSymbol()); + RUN(symbolsTypeof()); + RUN(symbolsDescription()); + RUN(symbolsGetPropertyForKey()); + RUN(symbolsSetPropertyForKey()); + RUN(symbolsHasPropertyForKey()); + 
RUN(symbolsDeletePropertyForKey()); + RUN(promiseResolveTrue()); + RUN(promiseRejectTrue()); + + if (tasks.isEmpty()) { + dataLogLn("Filtered all tests: ERROR"); + return 1; + } + + Lock lock; + + static Atomic failed { 0 }; + Vector> threads; + for (unsigned i = filter ? 1 : WTF::numberOfProcessorCores(); i--;) { + threads.append(Thread::create( + "Testapi via C++ thread", + [&] () { + TestAPI tester; + for (;;) { + RefPtr> task; + { + LockHolder locker(lock); + if (tasks.isEmpty()) + break; + task = tasks.takeFirst(); + } + + task->run(tester); + } + failed.exchangeAdd(tester.failed()); + })); + } + + for (auto& thread : threads) + thread->waitForCompletion(); + + dataLogLn("C-API tests in C++ had ", failed.load(), " failures"); + return failed.load(); +} diff --git a/API/tests/testapi.mm b/API/tests/testapi.mm index e98d6cf..3ca4cc9 100644 --- a/API/tests/testapi.mm +++ b/API/tests/testapi.mm @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2015 Apple Inc. All rights reserved. + * Copyright (C) 2013-2019 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,16 +23,36 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#import "config.h" +#import "JSExportMacros.h" #import #import "CurrentThisInsideBlockGetterTest.h" +#import "DFGWorklist.h" #import "DateTests.h" +#import "JSCast.h" +#import "JSContextPrivate.h" #import "JSExportTests.h" +#import "JSScript.h" +#import "JSValuePrivate.h" +#import "JSVirtualMachineInternal.h" +#import "JSVirtualMachinePrivate.h" +#import "JSWrapperMapTests.h" #import "Regress141275.h" #import "Regress141809.h" +#import +#if __has_include() +#define HAS_LIBPROC 1 +#import +#else +#define HAS_LIBPROC 0 +#endif #import #import +#import +#import +#import extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef); extern "C" void JSSynchronousEdenCollectForDebugging(JSContextRef); 
@@ -41,7 +61,7 @@ extern "C" bool _Block_has_signature(id); extern "C" const char * _Block_signature(id); extern int failed; -extern "C" void testObjectiveCAPI(void); +extern "C" void testObjectiveCAPI(const char*); extern "C" void checkResult(NSString *, bool); #if JSC_OBJC_API_ENABLED 
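Review bot: The new prototype `extern "C" void testObjectiveCAPI(const char*);` leaves its only parameter unnamed, so a reader of this declaration cannot tell what string the caller is expected to pass. The C++ runner in the same diff, `int testCAPIViaCpp(const char* filter)`, names it; for consistency declare this one as `extern "C" void testObjectiveCAPI(const char* filter);`. The matching definition is not in this hunk (the old `void testObjectiveCAPI()` line is removed in the hunk at 1507, whose new body runs past this chunk), so whether the filter is matched the same way as in testCAPIViaCpp cannot be checked here.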
@@ -510,6 +530,39 @@ static void* multiVMThreadMain(void* okPtr) return nullptr; } +static void runJITThreadLimitTests() +{ +#if ENABLE(DFG_JIT) + auto testDFG = [] { + unsigned defaultNumberOfThreads = JSC::Options::numberOfDFGCompilerThreads(); + unsigned targetNumberOfThreads = 1; + unsigned initialNumberOfThreads = [JSVirtualMachine setNumberOfDFGCompilerThreads:targetNumberOfThreads]; + checkResult(@"Initial number of DFG threads should be the value provided through Options", initialNumberOfThreads == defaultNumberOfThreads); + unsigned updatedNumberOfThreads = [JSVirtualMachine setNumberOfDFGCompilerThreads:initialNumberOfThreads]; + checkResult(@"Number of DFG threads should have been updated", updatedNumberOfThreads == targetNumberOfThreads); + }; + + auto testFTL = [] { + unsigned defaultNumberOfThreads = JSC::Options::numberOfFTLCompilerThreads(); + unsigned targetNumberOfThreads = 3; + unsigned initialNumberOfThreads = [JSVirtualMachine setNumberOfFTLCompilerThreads:targetNumberOfThreads]; + checkResult(@"Initial number of FTL threads should be the value provided through Options", initialNumberOfThreads == defaultNumberOfThreads); + unsigned updatedNumberOfThreads = [JSVirtualMachine setNumberOfFTLCompilerThreads:initialNumberOfThreads]; + checkResult(@"Number of FTL threads should have been updated", updatedNumberOfThreads == targetNumberOfThreads); + }; + + checkResult(@"runJITThreadLimitTests() must run at the very beginning to test the case where the global JIT worklist was not initialized yet", !JSC::DFG::existingGlobalDFGWorklistOrNull() && !JSC::DFG::existingGlobalFTLWorklistOrNull()); + + testDFG(); + JSC::DFG::ensureGlobalDFGWorklist(); + testDFG(); + + testFTL(); + JSC::DFG::ensureGlobalFTLWorklist(); + testFTL(); +#endif // ENABLE(DFG_JIT) +} + static void testObjectiveCAPIMain() { @autoreleasepool { 
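Review bot: The precondition that `runJITThreadLimitTests()` must execute before any JIT worklist exists is stated only inside a checkResult message string, where a maintainer reordering calls in testObjectiveCAPIMain will not see it; a comment above the function such as `// Must be the first test run: it exercises setNumberOfDFGCompilerThreads:/setNumberOfFTLCompilerThreads: both before and after the global worklists are created.` makes the ordering requirement visible where it matters. Both lambdas also depend on the setter returning the previous limit (which is exactly what the two checkResult calls assert) and use the second call to put the original value back, so a one-line comment like `// The setter returns the previous limit; the second call restores it so the process-wide Options value is unchanged for later tests.` would explain why the second set is not itself a test. testDFG and testFTL are otherwise line-for-line duplicates differing only in the tier name and target count, which is tolerable for two tiers but worth folding into one helper if a third tier is added.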
@@ -582,6 +635,111 @@ static void testObjectiveCAPIMain() checkResult(@"new Date", result.isDate); } + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *symbol = [context evaluateScript:@"Symbol('dope');"]; + JSValue *notSymbol = [context evaluateScript:@"'dope'"]; + checkResult(@"Should be a symbol value", symbol.isSymbol); + checkResult(@"Should not be a symbol value", !notSymbol.isSymbol); + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *symbol = [JSValue valueWithNewSymbolFromDescription:@"dope" inContext:context]; + checkResult(@"Should be a created from Obj-C", symbol.isSymbol); + } + +// Older platforms ifdef the type of some selectors so these tests don't work. +// FIXME: Remove this when we stop building for macOS 10.14/iOS 12. +#if (defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101500) || (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) && __IPHONE_OS_VERSION_MIN_REQUIRED >= 130000) + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *arrayIterator = [context evaluateScript:@"Array.prototype[Symbol.iterator]"]; + JSValue *iteratorSymbol = context[@"Symbol"][@"iterator"]; + JSValue *array = [JSValue valueWithNewArrayInContext:context]; + checkResult(@"Looking up by subscript with symbol should work", [array[iteratorSymbol] isEqual:arrayIterator]); + checkResult(@"Looking up by method with symbol should work", [[array valueForProperty:iteratorSymbol] isEqual:arrayIterator]); + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *iteratorSymbol = context[@"Symbol"][@"iterator"]; + JSValue *object = [JSValue valueWithNewObjectInContext:context]; + JSValue *theAnswer = [JSValue valueWithUInt32:42 inContext:context]; + object[iteratorSymbol] = theAnswer; + checkResult(@"Setting by subscript with symbol should work", [object[iteratorSymbol] isEqual:theAnswer]); + } + + @autoreleasepool { + JSContext *context 
= [[JSContext alloc] init]; + JSValue *iteratorSymbol = context[@"Symbol"][@"iterator"]; + JSValue *object = [JSValue valueWithNewObjectInContext:context]; + JSValue *theAnswer = [JSValue valueWithUInt32:42 inContext:context]; + [object setValue:theAnswer forProperty:iteratorSymbol]; + checkResult(@"Setting by method with symbol should work", [object[iteratorSymbol] isEqual:theAnswer]); + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *iteratorSymbol = context[@"Symbol"][@"iterator"]; + JSValue *object = [JSValue valueWithNewObjectInContext:context]; + JSValue *theAnswer = [JSValue valueWithUInt32:42 inContext:context]; + object[iteratorSymbol] = theAnswer; + checkResult(@"has property with symbol should work", [object hasProperty:iteratorSymbol]); + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *iteratorSymbol = context[@"Symbol"][@"iterator"]; + JSValue *object = [JSValue valueWithNewObjectInContext:context]; + JSValue *theAnswer = [JSValue valueWithUInt32:42 inContext:context]; + checkResult(@"delete property with symbol should work without property", [object deleteProperty:iteratorSymbol]); + object[iteratorSymbol] = theAnswer; + checkResult(@"delete property with symbol should work with property", [object deleteProperty:iteratorSymbol]); + checkResult(@"delete should be false with non-configurable property", ![context[@"Array"] deleteProperty:@"prototype"]); + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *object = [JSValue valueWithNewObjectInContext:context]; + NSObject *objCObject = [[NSObject alloc] init]; + JSValue *result = object[objCObject]; + checkResult(@"getting a non-convertable object should return undefined", [result isUndefined]); + object[objCObject] = @(1); + result = object[objCObject]; + checkResult(@"getting a non-convertable object should return the stored value", [result toUInt32] == 1); + } + + @autoreleasepool { + JSContext 
*context = [[JSContext alloc] init]; + JSValue *object = [JSValue valueWithNewObjectInContext:context]; + JSValue *iteratorSymbol = context[@"Symbol"][@"iterator"]; + object[@"value"] = @(1); + context[@"object"] = object; + + object[iteratorSymbol] = ^{ + JSValue *result = [JSValue valueWithNewObjectInContext:context]; + result[@"object"] = [JSContext currentThis]; + result[@"next"] = ^{ + JSValue *result = [JSValue valueWithNewObjectInContext:context]; + JSValue *value = [JSContext currentThis][@"object"][@"value"]; + [[JSContext currentThis][@"object"] deleteProperty:@"value"]; + result[@"value"] = value; + result[@"done"] = [JSValue valueWithBool:[value isUndefined] inContext:context]; + return result; + }; + return result; + }; + + + JSValue *count = [context evaluateScript:@"let count = 0; for (let v of object) { if (v !== 1) throw new Error(); count++; } count;"]; + checkResult(@"iterator should not throw", ![context exception]); + checkResult(@"iteration count should be 1", [count toUInt32] == 1); + } + +#endif + @autoreleasepool { JSCollection* myPrivateProperties = [[JSCollection alloc] init]; @@ -702,7 +860,7 @@ static void testObjectiveCAPIMain() context.exceptionHandler = ^(JSContext *, JSValue *exception) { exceptionSourceURL = [exception[@"sourceURL"] toString]; }; - NSURL *url = [NSURL fileURLWithPath:@"/foo/bar.js"]; + NSURL *url = [NSURL fileURLWithPath:@"/foo/bar.js" isDirectory:NO]; [context evaluateScript:@"!@#$%^&*() THIS IS NOT VALID JAVASCRIPT SYNTAX !@#$%^&*()" withSourceURL:url]; checkResult(@"evaluateScript:withSourceURL: exception has expected sourceURL", [exceptionSourceURL isEqualToString:[url absoluteString]]); } @@ -1472,6 +1630,7 @@ static void testObjectiveCAPIMain() currentThisInsideBlockGetterTest(); runDateTests(); runJSExportTests(); + runJSWrapperMapTests(); runRegress141275(); runRegress141809(); } 
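Review bot: The message in `checkResult(@"Should be a created from Obj-C", symbol.isSymbol);` near the top of this hunk reads as a typo; `@"Should be a symbol created from Obj-C"` states what is actually checked. In the Symbol.iterator block at the end of the hunk, the blocks stored via `object[iteratorSymbol] = ^{ ... }` and `result[@"next"] = ^{ ... }` capture `context`, while `context[@"object"] = object;` makes that context's global object reach them, which presumably forms a retain cycle that keeps the JSContext alive beyond its @autoreleasepool. That is harmless for a test, but a comment such as `// The blocks capture context and are reachable from its global object, so this JSContext is expected to outlive the pool.` would keep the pattern from being copied into code where the lifetime matters.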
@@ -1507,17 +1666,1205 @@ static void checkNegativeNSIntegers() checkResult(@"Negative number maintained its original value", [[result toString] isEqualToString:@"-1"]); } +enum class Resolution { + ResolveEager, + RejectEager, + ResolveLate, + RejectLate, +}; -void testObjectiveCAPI() +static void promiseWithExecutor(Resolution resolution) +{ + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + + __block JSValue *resolveCallback; + __block JSValue *rejectCallback; + JSValue *promise = [JSValue valueWithNewPromiseInContext:context fromExecutor:^(JSValue *resolve, JSValue *reject) { + if (resolution == Resolution::ResolveEager) + [resolve callWithArguments:@[@YES]]; + if (resolution == Resolution::RejectEager) + [reject callWithArguments:@[@YES]]; + resolveCallback = resolve; + rejectCallback = reject; + }]; + + __block bool valueWasResolvedTrue = false; + __block bool valueWasRejectedTrue = false; + [promise invokeMethod:@"then" withArguments:@[ + ^(JSValue *value) { valueWasResolvedTrue = [value isBoolean] && [value toBool]; }, + ^(JSValue *value) { valueWasRejectedTrue = [value isBoolean] && [value toBool]; }, + ]]; + + switch (resolution) { + case Resolution::ResolveEager: + checkResult(@"ResolveEager should have set resolve early.", valueWasResolvedTrue && !valueWasRejectedTrue); + break; + case Resolution::RejectEager: + checkResult(@"RejectEager should have set reject early.", !valueWasResolvedTrue && valueWasRejectedTrue); + break; + default: + checkResult(@"Resolve/RejectLate should have not have set anything early.", !valueWasResolvedTrue && !valueWasRejectedTrue); + break; + } + + valueWasResolvedTrue = false; + valueWasRejectedTrue = false; + + // Run script to make sure reactions don't happen again + [context evaluateScript:@"{ };"]; + + if (resolution == Resolution::ResolveLate) + [resolveCallback callWithArguments:@[@YES]]; + if (resolution == Resolution::RejectLate) + [rejectCallback callWithArguments:@[@YES]]; + + switch 
(resolution) { + case Resolution::ResolveLate: + checkResult(@"ResolveLate should have set resolve late.", valueWasResolvedTrue && !valueWasRejectedTrue); + break; + case Resolution::RejectLate: + checkResult(@"RejectLate should have set reject late.", !valueWasResolvedTrue && valueWasRejectedTrue); + break; + default: + checkResult(@"Resolve/RejectEarly should have not have set anything late.", !valueWasResolvedTrue && !valueWasRejectedTrue); + break; + } + } +} + +static void promiseRejectOnJSException() +{ + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + + JSValue *promise = [JSValue valueWithNewPromiseInContext:context fromExecutor:^(JSValue *, JSValue *) { + context.exception = [JSValue valueWithNewErrorFromMessage:@"dope" inContext:context]; + }]; + checkResult(@"Exception set in callback should not propagate", !context.exception); + + __block bool reasonWasObject = false; + [promise invokeMethod:@"catch" withArguments:@[^(JSValue *reason) { reasonWasObject = [reason isObject]; }]]; + + checkResult(@"Setting an exception in executor causes the promise to be rejected", reasonWasObject); + + promise = [JSValue valueWithNewPromiseInContext:context fromExecutor:^(JSValue *, JSValue *) { + [context evaluateScript:@"throw new Error('dope');"]; + }]; + checkResult(@"Exception thrown in callback should not propagate", !context.exception); + + reasonWasObject = false; + [promise invokeMethod:@"catch" withArguments:@[^(JSValue *reason) { reasonWasObject = [reason isObject]; }]]; + + checkResult(@"Running code that throws an exception in the executor causes the promise to be rejected", reasonWasObject); + } +} + +static void promiseCreateResolved() +{ + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + + JSValue *promise = [JSValue valueWithNewPromiseResolvedWithResult:[NSNull null] inContext:context]; + __block bool calledWithNull = false; + [promise invokeMethod:@"then" withArguments:@[ + ^(JSValue *result) { calledWithNull = 
[result isNull]; } + ]]; + + checkResult(@"ResolvedPromise should actually resolve the promise", calledWithNull); + } +} + +static void promiseCreateRejected() +{ + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + + JSValue *promise = [JSValue valueWithNewPromiseRejectedWithReason:[NSNull null] inContext:context]; + __block bool calledWithNull = false; + [promise invokeMethod:@"then" withArguments:@[ + [NSNull null], + ^(JSValue *result) { calledWithNull = [result isNull]; } + ]]; + + checkResult(@"RejectedPromise should actually reject the promise", calledWithNull); + } +} + +static void parallelPromiseResolveTest() +{ + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + + __block RefPtr thread; + + Atomic shouldResolveSoon { false }; + Atomic startedThread { false }; + auto* shouldResolveSoonPtr = &shouldResolveSoon; + auto* startedThreadPtr = &startedThread; + + JSValue *promise = [JSValue valueWithNewPromiseInContext:context fromExecutor:^(JSValue *resolve, JSValue *) { + thread = Thread::create("async thread", ^() { + startedThreadPtr->store(true); + while (!shouldResolveSoonPtr->load()) { } + [resolve callWithArguments:@[[NSNull null]]]; + }); + + }]; + + shouldResolveSoon.store(true); + while (!startedThread.load()) + [context evaluateScript:@"for (let i = 0; i < 10000; i++) { }"]; + + thread->waitForCompletion(); + + __block bool calledWithNull = false; + [promise invokeMethod:@"then" withArguments:@[ + ^(JSValue *result) { calledWithNull = [result isNull]; } + ]]; + + checkResult(@"Promise should be resolved", calledWithNull); + } +} + +typedef JSValue *(^ResolveBlock)(JSContext *, JSValue *, JSScript *); +typedef void (^FetchBlock)(JSContext *, JSValue *, JSValue *, JSValue *); + +@interface JSContextFetchDelegate : JSContext + ++ (instancetype)contextWithBlockForFetch:(FetchBlock)block; + +@property unsigned willEvaluateModuleCallCount; +@property unsigned didEvaluateModuleCallCount; +@property BOOL sawBarJS; 
+@property BOOL sawFooJS; + +@end + +@implementation JSContextFetchDelegate { + FetchBlock m_fetchBlock; +} + ++ (instancetype)contextWithBlockForFetch:(FetchBlock)block +{ + auto *result = [[JSContextFetchDelegate alloc] init]; + result.willEvaluateModuleCallCount = 0; + result.didEvaluateModuleCallCount = 0; + result.sawBarJS = NO; + result.sawFooJS = NO; + result->m_fetchBlock = block; + return result; +} + +- (void)context:(JSContext *)context fetchModuleForIdentifier:(JSValue *)identifier withResolveHandler:(JSValue *)resolve andRejectHandler:(JSValue *)reject +{ + m_fetchBlock(context, identifier, resolve, reject); +} + +- (void)willEvaluateModule:(NSURL *)url +{ + self.willEvaluateModuleCallCount += 1; + self.sawBarJS |= [url isEqual:[NSURL URLWithString:@"file:///directory/bar.js"]]; +} + +- (void)didEvaluateModule:(NSURL *)url +{ + self.didEvaluateModuleCallCount += 1; + self.sawFooJS |= [url isEqual:[NSURL URLWithString:@"file:///foo.js"]]; +} + +@end + +static void checkModuleCodeRan(JSContext *context, JSValue *promise, JSValue *expected) +{ + __block BOOL promiseWasResolved = false; + [promise invokeMethod:@"then" withArguments:@[^(JSValue *exportValue) { + promiseWasResolved = true; + checkResult(@"module exported value 'exp' is null", [exportValue[@"exp"] isEqualToObject:expected]); + checkResult(@"ran is %@", [context[@"ran"] isEqualToObject:expected]); + }, ^(JSValue *error) { + NSLog(@"%@", [error toString]); + checkResult(@"module graph was resolved as expected", NO); + }]]; + checkResult(@"Promise was resolved", promiseWasResolved); +} + +static void checkModuleWasRejected(JSContext *context, JSValue *promise) +{ + __block BOOL promiseWasRejected = false; + [promise invokeMethod:@"then" withArguments:@[^() { + checkResult(@"module was rejected as expected", NO); + }, ^(JSValue *error) { + promiseWasRejected = true; + NSLog(@"%@", [error toString]); + checkResult(@"module graph was rejected with error", ![error 
isEqualWithTypeCoercionToObject:[JSValue valueWithNullInContext:context]]); + }]]; +} + +static void testFetch() +{ + @autoreleasepool { + auto *context = [JSContextFetchDelegate contextWithBlockForFetch:^(JSContext *context, JSValue *identifier, JSValue *resolve, JSValue *reject) { + if ([identifier isEqualToObject:@"file:///directory/bar.js"]) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"import \"../foo.js\"; export let exp = null;" + andSourceURL:[NSURL fileURLWithPath:@"/directory/bar.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else if ([identifier isEqualToObject:@"file:///foo.js"]) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"globalThis.ran = null;" + andSourceURL:[NSURL fileURLWithPath:@"/foo.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else + [reject callWithArguments:@[[JSValue valueWithNewErrorFromMessage:@"Weird path" inContext:context]]]; + }]; + context.moduleLoaderDelegate = context; + JSValue *promise = [context evaluateScript:@"import('./bar.js');" withSourceURL:[NSURL fileURLWithPath:@"/directory" isDirectory:YES]]; + JSValue *null = [JSValue valueWithNullInContext:context]; + checkModuleCodeRan(context, promise, null); + checkResult(@"Context should call willEvaluateModule: twice", context.willEvaluateModuleCallCount == 2); + checkResult(@"Context should call didEvaluateModule: twice", context.didEvaluateModuleCallCount == 2); + checkResult(@"Context should see bar.js url", !!context.sawBarJS); + checkResult(@"Context should see foo.js url", !!context.sawFooJS); + } +} + +static void testFetchWithTwoCycle() +{ + @autoreleasepool { + auto *context = [JSContextFetchDelegate contextWithBlockForFetch:^(JSContext *context, JSValue *identifier, JSValue *resolve, JSValue *reject) { + if ([identifier isEqualToObject:@"file:///directory/bar.js"]) { + [resolve 
callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"import { n } from \"../foo.js\"; export let exp = n;" + andSourceURL:[NSURL fileURLWithPath:@"/directory/bar.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else if ([identifier isEqualToObject:@"file:///foo.js"]) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"import \"./directory/bar.js\"; globalThis.ran = null; export let n = null;" + andSourceURL:[NSURL fileURLWithPath:@"/foo.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else + [reject callWithArguments:@[[JSValue valueWithNewErrorFromMessage:@"Weird path" inContext:context]]]; + }]; + context.moduleLoaderDelegate = context; + JSValue *promise = [context evaluateScript:@"import('./bar.js');" withSourceURL:[NSURL fileURLWithPath:@"/directory" isDirectory:YES]]; + JSValue *null = [JSValue valueWithNullInContext:context]; + checkModuleCodeRan(context, promise, null); + checkResult(@"Context should call willEvaluateModule: twice", context.willEvaluateModuleCallCount == 2); + checkResult(@"Context should call didEvaluateModule: twice", context.didEvaluateModuleCallCount == 2); + } +} + + +static void testFetchWithThreeCycle() +{ + @autoreleasepool { + auto *context = [JSContextFetchDelegate contextWithBlockForFetch:^(JSContext *context, JSValue *identifier, JSValue *resolve, JSValue *reject) { + if ([identifier isEqualToObject:@"file:///directory/bar.js"]) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"import { n } from \"../foo.js\"; export let foo = n;" + andSourceURL:[NSURL fileURLWithPath:@"/directory/bar.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else if ([identifier isEqualToObject:@"file:///foo.js"]) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"import 
\"./otherDirectory/baz.js\"; export let n = null;" + andSourceURL:[NSURL fileURLWithPath:@"/foo.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else if ([identifier isEqualToObject:@"file:///otherDirectory/baz.js"]) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"import { foo } from \"../directory/bar.js\"; globalThis.ran = null; export let exp = foo;" + andSourceURL:[NSURL fileURLWithPath:@"/otherDirectory/baz.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else + [reject callWithArguments:@[[JSValue valueWithNewErrorFromMessage:@"Weird path" inContext:context]]]; + }]; + context.moduleLoaderDelegate = context; + JSValue *promise = [context evaluateScript:@"import('../otherDirectory/baz.js');" withSourceURL:[NSURL fileURLWithPath:@"/directory" isDirectory:YES]]; + JSValue *null = [JSValue valueWithNullInContext:context]; + checkModuleCodeRan(context, promise, null); + checkResult(@"Context should call willEvaluateModule: three times", context.willEvaluateModuleCallCount == 3); + checkResult(@"Context should call didEvaluateModule: three times", context.didEvaluateModuleCallCount == 3); + checkResult(@"Context should see bar.js url", !!context.sawBarJS); + checkResult(@"Context should see foo.js url", !!context.sawFooJS); + } +} + +static void testLoaderResolvesAbsoluteScriptURL() +{ + @autoreleasepool { + auto *context = [JSContextFetchDelegate contextWithBlockForFetch:^(JSContext *context, JSValue *identifier, JSValue *resolve, JSValue *reject) { + if ([identifier isEqualToObject:@"file:///directory/bar.js"]) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"export let exp = null; globalThis.ran = null;" + andSourceURL:[NSURL fileURLWithPath:@"/directory/bar.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + } else + [reject callWithArguments:@[[JSValue 
valueWithNewErrorFromMessage:@"Weird path" inContext:context]]]; + }]; + context.moduleLoaderDelegate = context; + JSValue *promise = [context evaluateScript:@"import('/directory/bar.js');"]; + JSValue *null = [JSValue valueWithNullInContext:context]; + checkModuleCodeRan(context, promise, null); + checkResult(@"Context should call willEvaluateModule: once", context.willEvaluateModuleCallCount == 1); + checkResult(@"Context should call didEvaluateModule: once", context.didEvaluateModuleCallCount == 1); + checkResult(@"Context should see bar.js url", !!context.sawBarJS); + checkResult(@"Context should not see foo.js url", !context.sawFooJS); + } +} + +static void testLoaderRejectsNilScriptURL() +{ + @autoreleasepool { + auto *context = [JSContextFetchDelegate contextWithBlockForFetch:^(JSContext *, JSValue *, JSValue *, JSValue *) { + checkResult(@"Code is not run", NO); + }]; + context.moduleLoaderDelegate = context; + JSValue *promise = [context evaluateScript:@"import('../otherDirectory/baz.js');"]; + checkModuleWasRejected(context, promise); + checkResult(@"Context should call willEvaluateModule: zero times", context.willEvaluateModuleCallCount == 0); + checkResult(@"Context should call didEvaluateModule: zero times", context.didEvaluateModuleCallCount == 0); + checkResult(@"Context should not see bar.js url", !context.sawBarJS); + checkResult(@"Context should not see foo.js url", !context.sawFooJS); + } +} + +static void testLoaderRejectsFailedFetch() +{ + @autoreleasepool { + auto *context = [JSContextFetchDelegate contextWithBlockForFetch:^(JSContext *context, JSValue *, JSValue *, JSValue *reject) { + [reject callWithArguments:@[[JSValue valueWithNewErrorFromMessage:@"Nope" inContext:context]]]; + }]; + context.moduleLoaderDelegate = context; + JSValue *promise = [context evaluateScript:@"import('/otherDirectory/baz.js');"]; + checkModuleWasRejected(context, promise); + } +} + +static void testImportModuleTwice() +{ + @autoreleasepool { + auto *context = 
[JSContextFetchDelegate contextWithBlockForFetch:^(JSContext * context, JSValue *, JSValue *resolve, JSValue *) { + [resolve callWithArguments:@[[JSScript scriptOfType:kJSScriptTypeModule + withSource:@"ran++; export let exp = 1;" + andSourceURL:[NSURL fileURLWithPath:@"/baz.js"] + andBytecodeCache:nil + inVirtualMachine:[context virtualMachine] + error:nil]]]; + }]; + context.moduleLoaderDelegate = context; + context[@"ran"] = @(0); + JSValue *promise = [context evaluateScript:@"import('/baz.js');"]; + JSValue *promise2 = [context evaluateScript:@"import('/baz.js');"]; + JSValue *one = [JSValue valueWithInt32:1 inContext:context]; + checkModuleCodeRan(context, promise, one); + checkModuleCodeRan(context, promise2, one); + } +} + +static NSURL *tempFile(NSString *string) +{ + NSURL* tempDirectory = [NSURL fileURLWithPath:NSTemporaryDirectory() isDirectory:YES]; + return [tempDirectory URLByAppendingPathComponent:string]; +} + +static NSURL* cacheFileInDataVault(NSString* name) +{ +#if USE(APPLE_INTERNAL_SDK) + static NSURL* dataVaultURL; + static dispatch_once_t once; + dispatch_once(&once, ^{ + char userDir[PATH_MAX]; + RELEASE_ASSERT(confstr(_CS_DARWIN_USER_DIR, userDir, sizeof(userDir))); + + NSString *userDirPath = [[NSFileManager defaultManager] stringWithFileSystemRepresentation:userDir length:strlen(userDir)]; + dataVaultURL = [NSURL fileURLWithPath:userDirPath isDirectory:YES]; + dataVaultURL = [dataVaultURL URLByAppendingPathComponent:@"JavaScriptCore" isDirectory:YES]; + rootless_mkdir_datavault(dataVaultURL.path.UTF8String, 0700, "JavaScriptCore"); + }); + + return [dataVaultURL URLByAppendingPathComponent:name isDirectory:NO]; +#else + return tempFile(name); +#endif +} + +static void testModuleBytecodeCache() +{ + @autoreleasepool { + NSString *fooSource = @"import './otherDirectory/baz.js'; export let n = null;"; + NSString *barSource = @"import { n } from '../foo.js'; export let foo = () => n;"; + NSString *bazSource = @"import { foo } from 
'../directory/bar.js'; globalThis.ran = null; export let exp = foo();"; + + NSURL *fooPath = tempFile(@"foo.js"); + NSURL *barPath = tempFile(@"bar.js"); + NSURL *bazPath = tempFile(@"baz.js"); + + NSURL *fooCachePath = cacheFileInDataVault(@"foo.js.cache"); + NSURL *barCachePath = cacheFileInDataVault(@"bar.js.cache"); + NSURL *bazCachePath = cacheFileInDataVault(@"baz.js.cache"); + + NSURL *fooFakePath = [NSURL fileURLWithPath:@"/foo.js"]; + NSURL *barFakePath = [NSURL fileURLWithPath:@"/directory/bar.js"]; + NSURL *bazFakePath = [NSURL fileURLWithPath:@"/otherDirectory/baz.js"]; + + [fooSource writeToURL:fooPath atomically:NO encoding:NSASCIIStringEncoding error:nil]; + [barSource writeToURL:barPath atomically:NO encoding:NSASCIIStringEncoding error:nil]; + [bazSource writeToURL:bazPath atomically:NO encoding:NSASCIIStringEncoding error:nil]; + + auto block = ^(JSContext *context, JSValue *identifier, JSValue *resolve, JSValue *reject) { + JSC::Options::forceDiskCache() = true; + JSScript *script = nil; + if ([identifier isEqualToObject:[fooFakePath absoluteString]]) + script = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:fooPath withSourceURL:fooFakePath andBytecodeCache:fooCachePath inVirtualMachine:context.virtualMachine error:nil]; + else if ([identifier isEqualToObject:[barFakePath absoluteString]]) + script = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:barPath withSourceURL:barFakePath andBytecodeCache:barCachePath inVirtualMachine:context.virtualMachine error:nil]; + else if ([identifier isEqualToObject:[bazFakePath absoluteString]]) + script = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:bazPath withSourceURL:bazFakePath andBytecodeCache:bazCachePath inVirtualMachine:context.virtualMachine error:nil]; + + if (script) { + NSError *error = nil; + if (![script cacheBytecodeWithError:&error]) + CRASH(); + [resolve callWithArguments:@[script]]; + } else + [reject 
callWithArguments:@[[JSValue valueWithNewErrorFromMessage:@"Weird path" inContext:context]]]; + }; + + @autoreleasepool { + auto *context = [JSContextFetchDelegate contextWithBlockForFetch:block]; + context.moduleLoaderDelegate = context; + JSValue *promise = [context evaluateScript:@"import('../otherDirectory/baz.js');" withSourceURL:[NSURL fileURLWithPath:@"/directory" isDirectory:YES]]; + JSValue *null = [JSValue valueWithNullInContext:context]; + checkModuleCodeRan(context, promise, null); + JSC::Options::forceDiskCache() = false; + } + + NSFileManager* fileManager = [NSFileManager defaultManager]; + BOOL removedAll = true; + removedAll &= [fileManager removeItemAtURL:fooPath error:nil]; + removedAll &= [fileManager removeItemAtURL:barPath error:nil]; + removedAll &= [fileManager removeItemAtURL:bazPath error:nil]; + removedAll &= [fileManager removeItemAtURL:fooCachePath error:nil]; + removedAll &= [fileManager removeItemAtURL:barCachePath error:nil]; + removedAll &= [fileManager removeItemAtURL:bazCachePath error:nil]; + checkResult(@"Removed all temp files created", removedAll); + } +} + +static void testProgramBytecodeCache() +{ + @autoreleasepool { + NSString *fooSource = @"function foo() { return 42; }; function bar() { return 40; }; foo() + bar();"; + NSURL *fooCachePath = cacheFileInDataVault(@"foo.js.cache"); + JSContext *context = [[JSContext alloc] init]; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:fooSource andSourceURL:[NSURL URLWithString:@"my-path"] andBytecodeCache:fooCachePath inVirtualMachine:context.virtualMachine error:nil]; + RELEASE_ASSERT(script); + if (![script cacheBytecodeWithError:nil]) + CRASH(); + + JSC::Options::forceDiskCache() = true; + JSValue *result = [context evaluateJSScript:script]; + RELEASE_ASSERT(result); + RELEASE_ASSERT([result isNumber]); + checkResult(@"result of cached program is 40+42", [[result toNumber] intValue] == 40 + 42); + JSC::Options::forceDiskCache() = false; + + 
NSFileManager* fileManager = [NSFileManager defaultManager]; + BOOL removedAll = [fileManager removeItemAtURL:fooCachePath error:nil]; + checkResult(@"Removed all temp files created", removedAll); + } +} + +static void testBytecodeCacheWithSyntaxError(JSScriptType type) +{ + @autoreleasepool { + NSString *fooSource = @"this is a syntax error"; + NSURL *fooCachePath = cacheFileInDataVault(@"foo.js.cache"); + JSContext *context = [[JSContext alloc] init]; + JSScript *script = [JSScript scriptOfType:type withSource:fooSource andSourceURL:[NSURL URLWithString:@"my-path"] andBytecodeCache:fooCachePath inVirtualMachine:context.virtualMachine error:nil]; + RELEASE_ASSERT(script); + NSError *error = nil; + if ([script cacheBytecodeWithError:&error]) + CRASH(); + RELEASE_ASSERT(error); + checkResult(@"Got error when trying to cache bytecode for a script with a syntax error.", [[error description] containsString:@"Unable to generate bytecode for this JSScript because"]); + } +} + +static void testBytecodeCacheWithSameCacheFileAndDifferentScript(bool forceDiskCache) +{ + + NSURL *cachePath = cacheFileInDataVault(@"cachePath.cache"); + NSURL *sourceURL = [NSURL URLWithString:@"my-path"]; + + @autoreleasepool { + JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; + NSString *source = @"function foo() { return 42; }; function bar() { return 40; }; foo() + bar();"; + JSContext *context = [[JSContext alloc] initWithVirtualMachine:vm]; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:sourceURL andBytecodeCache:cachePath inVirtualMachine:vm error:nil]; + RELEASE_ASSERT(script); + if (![script cacheBytecodeWithError:nil]) + CRASH(); + + JSC::Options::forceDiskCache() = forceDiskCache; + JSValue *result = [context evaluateJSScript:script]; + RELEASE_ASSERT(result); + RELEASE_ASSERT([result isNumber]); + checkResult(@"Expected 82 as result", [[result toNumber] intValue] == 82); + } + + @autoreleasepool { + JSVirtualMachine *vm = 
[[JSVirtualMachine alloc] init]; + NSString *source = @"function foo() { return 10; }; function bar() { return 20; }; foo() + bar();"; + JSContext *context = [[JSContext alloc] initWithVirtualMachine:vm]; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:sourceURL andBytecodeCache:cachePath inVirtualMachine:vm error:nil]; + RELEASE_ASSERT(script); + if (![script cacheBytecodeWithError:nil]) + CRASH(); + + JSC::Options::forceDiskCache() = forceDiskCache; + JSValue *result = [context evaluateJSScript:script]; + RELEASE_ASSERT(result); + RELEASE_ASSERT([result isNumber]); + checkResult(@"Expected 30 as result", [[result toNumber] intValue] == 30); + } + + JSC::Options::forceDiskCache() = false; + + NSFileManager* fileManager = [NSFileManager defaultManager]; + BOOL removedAll = [fileManager removeItemAtURL:cachePath error:nil]; + checkResult(@"Removed all temp files created", removedAll); + +} + +static void testProgramJSScriptException() +{ + @autoreleasepool { + NSString *source = @"throw 42;"; + JSContext *context = [[JSContext alloc] init]; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:[NSURL URLWithString:@"my-path"] andBytecodeCache:nil inVirtualMachine:context.virtualMachine error:nil]; + RELEASE_ASSERT(script); + __block bool handledException = false; + context.exceptionHandler = ^(JSContext *, JSValue *exception) { + handledException = true; + RELEASE_ASSERT([exception isNumber]); + checkResult(@"Program JSScript with exception should have the exception value be 42.", [[exception toNumber] intValue] == 42); + }; + + JSValue *result = [context evaluateJSScript:script]; + RELEASE_ASSERT(result); + checkResult(@"Program JSScript with exception should return undefined.", [result isUndefined]); + checkResult(@"Program JSScript with exception should call exception handler.", handledException); + } +} + +static void testCacheFileFailsWhenItsAlreadyCached() +{ + NSURL* 
cachePath = cacheFileInDataVault(@"foo.program.cache"); + NSURL* sourceURL = [NSURL URLWithString:@"my-path"]; + NSString *source = @"function foo() { return 42; } foo();"; + + @autoreleasepool { + JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; + + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:sourceURL andBytecodeCache:cachePath inVirtualMachine:vm error:nil]; + RELEASE_ASSERT(script); + checkResult(@"Should be able to cache the first file", [script cacheBytecodeWithError:nil]); + } + + @autoreleasepool { + JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; + + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:sourceURL andBytecodeCache:cachePath inVirtualMachine:vm error:nil]; + RELEASE_ASSERT(script); + NSError* error = nil; + checkResult(@"Should not be able to cache the second time because the cache is already present", ![script cacheBytecodeWithError:&error]); + checkResult(@"Correct error message should be set", [[error description] containsString:@"Cache for JSScript is already non-empty. 
Can not override it."]); + + JSContext* context = [[JSContext alloc] initWithVirtualMachine:vm]; + JSC::Options::forceDiskCache() = true; + JSValue *result = [context evaluateJSScript:script]; + RELEASE_ASSERT(result); + checkResult(@"Result should be 42", [result isNumber] && [result toInt32] == 42); + JSC::Options::forceDiskCache() = false; + } + + NSFileManager* fileManager = [NSFileManager defaultManager]; + BOOL removedAll = [fileManager removeItemAtURL:cachePath error:nil]; + checkResult(@"Successfully removed cache file", removedAll); +} + +static void testCanCacheManyFilesWithTheSameVM() +{ + NSMutableArray *cachePaths = [[NSMutableArray alloc] init]; + NSMutableArray *scripts = [[NSMutableArray alloc] init]; + + for (unsigned i = 0; i < 10000; ++i) + [cachePaths addObject:cacheFileInDataVault([NSString stringWithFormat:@"cache-%d.cache", i])]; + + JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; + bool cachedAll = true; + for (NSURL *path : cachePaths) { + @autoreleasepool { + NSURL *sourceURL = [NSURL URLWithString:@"id"]; + NSString *source = @"function foo() { return 42; } foo();"; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:sourceURL andBytecodeCache:path inVirtualMachine:vm error:nil]; + RELEASE_ASSERT(script); + + [scripts addObject:script]; + cachedAll &= [script cacheBytecodeWithError:nil]; + } + } + checkResult(@"Cached all 10000 scripts", cachedAll); + + JSContext *context = [[JSContext alloc] init]; + bool all42 = true; + for (JSScript *script : scripts) { + @autoreleasepool { + JSValue *result = [context evaluateJSScript:script]; + RELEASE_ASSERT(result); + all42 &= [result isNumber] && [result toInt32] == 42; + } + } + checkResult(@"All scripts returned 42", all42); + + NSFileManager* fileManager = [NSFileManager defaultManager]; + bool removedAll = true; + for (NSURL *path : cachePaths) + removedAll &= [fileManager removeItemAtURL:path error:nil]; + + checkResult(@"Removed all cache 
files", removedAll); +} + +static void testIsUsingBytecodeCacheAccessor() +{ + NSURL* cachePath = cacheFileInDataVault(@"foo.program.cache"); + NSURL* sourceURL = [NSURL URLWithString:@"my-path"]; + NSString *source = @"function foo() { return 1337; } foo();"; + + @autoreleasepool { + JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; + JSContext* context = [[JSContext alloc] initWithVirtualMachine:vm]; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:sourceURL andBytecodeCache:cachePath inVirtualMachine:vm error:nil]; + RELEASE_ASSERT(script); + checkResult(@"Should not yet be using the bytecode cache", ![script isUsingBytecodeCache]); + checkResult(@"Should be able to cache the script", [script cacheBytecodeWithError:nil]); + checkResult(@"Should now using the bytecode cache", [script isUsingBytecodeCache]); + JSC::Options::forceDiskCache() = true; + JSValue *result = [context evaluateJSScript:script]; + JSC::Options::forceDiskCache() = false; + checkResult(@"Result should be 1337", [result isNumber] && [result toInt32] == 1337); + } + + @autoreleasepool { + JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; + JSContext* context = [[JSContext alloc] initWithVirtualMachine:vm]; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:source andSourceURL:sourceURL andBytecodeCache:cachePath inVirtualMachine:vm error:nil]; + RELEASE_ASSERT(script); + checkResult(@"Should be using the bytecode cache", [script isUsingBytecodeCache]); + JSValue *result = [context evaluateJSScript:script]; + checkResult(@"Result should be 1337", [result isNumber] && [result toInt32] == 1337); + } + + NSFileManager* fileManager = [NSFileManager defaultManager]; + BOOL removedAll = [fileManager removeItemAtURL:cachePath error:nil]; + checkResult(@"Successfully removed cache file", removedAll); +} + +static void testBytecodeCacheValidation() +{ + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + 
+ auto testInvalidCacheURL = [&](NSURL* cacheURL, NSString* expectedErrorMessage) + { + NSError* error; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:@"" andSourceURL:[NSURL URLWithString:@"my-path"] andBytecodeCache:cacheURL inVirtualMachine:context.virtualMachine error:&error]; + RELEASE_ASSERT(!script); + RELEASE_ASSERT(error); + NSString* testDesciption = [NSString stringWithFormat:@"Cache path validation for `%@` fails with message `%@`", cacheURL.absoluteString, expectedErrorMessage]; + checkResult(testDesciption, [error.description containsString:expectedErrorMessage]); + }; + + testInvalidCacheURL([NSURL URLWithString:@""], @"Cache path `` is not a local file"); + testInvalidCacheURL([NSURL URLWithString:@"file:///"], @"Cache path `/` already exists and is not a file"); + testInvalidCacheURL([NSURL URLWithString:@"file:///a/b/c/d/e"], @"Cache directory `/a/b/c/d` is not a directory or does not exist"); + testInvalidCacheURL([NSURL URLWithString:@"file:///private/tmp/file.cache"], @"Cache directory `/private/tmp` is not a data vault"); + } + +#if USE(APPLE_INTERNAL_SDK) + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + + auto testValidCacheURL = [&](NSURL* cacheURL) + { + NSError* error; + JSScript *script = [JSScript scriptOfType:kJSScriptTypeProgram withSource:@"" andSourceURL:[NSURL URLWithString:@"my-path"] andBytecodeCache:cacheURL inVirtualMachine:context.virtualMachine error:&error]; + NSString* testDesciption = [NSString stringWithFormat:@"Cache path validation for `%@` passed", cacheURL.absoluteString]; + checkResult(testDesciption, script && !error); + }; + + testValidCacheURL(cacheFileInDataVault(@"file.cache")); + } +#endif +} + +@interface JSContextFileLoaderDelegate : JSContext + ++ (instancetype)newContext; +- (JSScript *)fetchModuleScript:(NSString *)relativePath; + +@end + +@implementation JSContextFileLoaderDelegate { + NSMutableDictionary *m_keyToScript; +} + ++ (instancetype)newContext 
+{
+ auto *result = [[JSContextFileLoaderDelegate alloc] init];
+ result.moduleLoaderDelegate = result;
+ result->m_keyToScript = [[NSMutableDictionary alloc] init];
+ return result;
+}
+
+static NSURL *resolvePathToScripts()
+{
+ NSString *arg0 = NSProcessInfo.processInfo.arguments[0];
+ NSURL *base;
+ if ([arg0 hasPrefix:@"/"])
+ base = [NSURL fileURLWithPath:arg0 isDirectory:NO];
+ else {
+ const size_t maxLength = 10000;
+ char cwd[maxLength];
+ if (!getcwd(cwd, maxLength)) {
+ NSLog(@"getcwd errored with code: %s", strerror(errno));
+ exit(1);
+ }
+ NSURL *cwdURL = [NSURL fileURLWithPath:[NSString stringWithFormat:@"%s", cwd]];
+ base = [NSURL fileURLWithPath:arg0 isDirectory:NO relativeToURL:cwdURL];
+ }
+ return [NSURL fileURLWithPath:@"./testapiScripts/" isDirectory:YES relativeToURL:base];
+}
+
+- (JSScript *)fetchModuleScript:(NSString *)relativePath
+{
+ auto *filePath = [NSURL URLWithString:relativePath relativeToURL:resolvePathToScripts()];
+ if (auto *script = [self findScriptForKey:[filePath absoluteString]])
+ return script;
+ NSError *error;
+ auto *result = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:filePath withSourceURL:filePath andBytecodeCache:nil inVirtualMachine:[self virtualMachine] error:&error];
+ if (!result) {
+ NSLog(@"%@\n", error);
+ CRASH();
+ }
+ [m_keyToScript setObject:result forKey:[filePath absoluteString]];
+ return result;
+}
+
+- (JSScript *)findScriptForKey:(NSString *)key
+{
+ return [m_keyToScript objectForKey:key];
+}
+
+- (void)context:(JSContext *)context fetchModuleForIdentifier:(JSValue *)identifier withResolveHandler:(JSValue *)resolve andRejectHandler:(JSValue *)reject
+{
+ NSURL *filePath = [NSURL URLWithString:[identifier toString]];
+ // FIXME: We should fix this: https://bugs.webkit.org/show_bug.cgi?id=199714
+ if (auto *script = [self findScriptForKey:[identifier toString]]) {
+ [resolve callWithArguments:@[script]];
+ return;
+ }
+
+ auto* script = [JSScript 
scriptOfType:kJSScriptTypeModule
+ memoryMappedFromASCIIFile:filePath
+ withSourceURL:filePath
+ andBytecodeCache:nil
+ inVirtualMachine:context.virtualMachine
+ error:nil];
+ if (script) {
+ [m_keyToScript setObject:script forKey:[identifier toString]];
+ [resolve callWithArguments:@[script]];
+ } else
+ [reject callWithArguments:@[[JSValue valueWithNewErrorFromMessage:@"Unable to create Script" inContext:context]]];
+}
+
+@end
+
+static void testLoadBasicFileLegacySPI()
+{
+ @autoreleasepool {
+ auto *context = [JSContextFileLoaderDelegate newContext];
+ context.moduleLoaderDelegate = context;
+ JSValue *promise = [context evaluateScript:@"import('./basic.js');" withSourceURL:resolvePathToScripts()];
+ JSValue *null = [JSValue valueWithNullInContext:context];
+ checkModuleCodeRan(context, promise, null);
+ }
+}
+
+
+@interface JSContextMemoryMappedLoaderDelegate : JSContext
+
++ (instancetype)newContext;
+
+@end
+
+@implementation JSContextMemoryMappedLoaderDelegate {
+}
+
++ (instancetype)newContext
+{
+ auto *result = [[JSContextMemoryMappedLoaderDelegate alloc] init];
+ return result;
+}
+
+- (void)context:(JSContext *)context fetchModuleForIdentifier:(JSValue *)identifier withResolveHandler:(JSValue *)resolve andRejectHandler:(JSValue *)reject
+{
+ NSURL *filePath = [NSURL URLWithString:[identifier toString]];
+ auto *script = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:filePath withSourceURL:filePath andBytecodeCache:nil inVirtualMachine:context.virtualMachine error:nil];
+ if (script)
+ [resolve callWithArguments:@[script]];
+ else
+ [reject callWithArguments:@[[JSValue valueWithNewErrorFromMessage:@"Unable to create Script" inContext:context]]];
+}
+
+@end
+
+static void testLoadBasicFile()
+{
+#if HAS_LIBPROC
+ size_t count = proc_pidinfo(getpid(), PROC_PIDLISTFDS, 0, 0, 0);
+#endif
+ @autoreleasepool {
+ auto *context = [JSContextMemoryMappedLoaderDelegate newContext];
+ context.moduleLoaderDelegate = context;
+ JSValue *promise 
= [context evaluateScript:@"import('./basic.js');" withSourceURL:resolvePathToScripts()];
+ JSValue *null = [JSValue valueWithNullInContext:context];
+#if HAS_LIBPROC
+ size_t afterCount = proc_pidinfo(getpid(), PROC_PIDLISTFDS, 0, 0, 0);
+ checkResult(@"JSScript should not hold a file descriptor", count == afterCount);
+#endif
+ checkModuleCodeRan(context, promise, null);
+ }
+#if HAS_LIBPROC
+ size_t after = proc_pidinfo(getpid(), PROC_PIDLISTFDS, 0, 0, 0);
+ checkResult(@"File descriptor count sholudn't change after context is dealloced", count == after);
+#endif
+}
+
+@interface JSContextAugmentedLoaderDelegate : JSContext
+
++ (instancetype)newContext;
+
+@end
+
+@implementation JSContextAugmentedLoaderDelegate {
+}
+
++ (instancetype)newContext
+{
+ auto *result = [[JSContextAugmentedLoaderDelegate alloc] init];
+ return result;
+}
+
+- (void)context:(JSContext *)context fetchModuleForIdentifier:(JSValue *)identifier withResolveHandler:(JSValue *)resolve andRejectHandler:(JSValue *)reject
+{
+ UNUSED_PARAM(reject);
+
+ NSURL *filePath = [NSURL URLWithString:[identifier toString]];
+ NSString *pathString = [filePath absoluteString];
+ if ([pathString containsString:@"basic.js"] || [pathString containsString:@"foo.js"]) {
+ auto *script = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:filePath withSourceURL:filePath andBytecodeCache:nil inVirtualMachine:context.virtualMachine error:nil];
+ RELEASE_ASSERT(script);
+ [resolve callWithArguments:@[script]];
+ return;
+ }
+
+ if ([pathString containsString:@"bar.js"]) {
+ auto *script = [JSScript scriptOfType:kJSScriptTypeModule withSource:@"" andSourceURL:[NSURL fileURLWithPath:@"/not/path/to/bar.js"] andBytecodeCache:nil inVirtualMachine:context.virtualMachine error:nil];
+ RELEASE_ASSERT(script);
+ [resolve callWithArguments:@[script]];
+ return;
+ }
+
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+@end
+
+static void testJSScriptURL()
+{
+ @autoreleasepool {
+ auto *context = 
[JSContextAugmentedLoaderDelegate newContext];
+ context.moduleLoaderDelegate = context;
+ NSURL *basic = [NSURL URLWithString:@"./basic.js" relativeToURL:resolvePathToScripts()];
+ JSScript *script1 = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:basic withSourceURL:basic andBytecodeCache:nil inVirtualMachine:context.virtualMachine error:nil];
+
+ JSValue *result1 = [context evaluateJSScript:script1];
+ JSValue *null = [JSValue valueWithNullInContext:context];
+ checkModuleCodeRan(context, result1, null);
+
+ NSURL *foo = [NSURL URLWithString:@"./foo.js" relativeToURL:resolvePathToScripts()];
+ JSScript *script2 = [JSScript scriptOfType:kJSScriptTypeModule memoryMappedFromASCIIFile:foo withSourceURL:foo andBytecodeCache:nil inVirtualMachine:context.virtualMachine error:nil];
+ RELEASE_ASSERT(script2);
+ JSValue *result2 = [context evaluateJSScript:script2];
+
+ __block bool wasRejected = false;
+ [result2 invokeMethod:@"catch" withArguments:@[^(JSValue *reason) {
+ wasRejected = [reason isObject];
+ RELEASE_ASSERT([[reason toString] containsString:@"The same JSScript was provided for two different identifiers"]);
+ }]];
+
+ checkResult(@"Module JSScript imported with different identifiers is rejected", wasRejected);
+ }
+}
+
+static void testDependenciesArray()
+{
+ @autoreleasepool {
+ auto *context = [JSContextFileLoaderDelegate newContext];
+
+ JSScript *entryScript = [context fetchModuleScript:@"./dependencyListTests/dependenciesEntry.js"];
+
+ JSValue *promise = [context evaluateJSScript:entryScript];
+ [promise invokeMethod:@"then" withArguments:@[^(JSValue *) {
+ checkResult(@"module ran successfully", true);
+ }, ^(JSValue *) {
+ checkResult(@"module ran successfully", false);
+ }]];
+
+ checkResult(@"looking up the entry script should find the same script again.", [context findScriptForKey:[entryScript.sourceURL absoluteString]] == entryScript);
+
+ auto *deps = [context dependencyIdentifiersForModuleJSScript:entryScript];
+
+ 
checkResult(@"deps should be an array", [deps isArray]);
+ checkResult(@"deps should have two entries", [deps[@"length"] isEqualToObject:@(2)]);
+
+ checkResult(@"first dependency should be foo.js", [[[[context fetchModuleScript:@"./dependencyListTests/foo.js"] sourceURL] absoluteString] isEqual:[deps[@(0)] toString]]);
+ checkResult(@"second dependency should be bar.js", [[[[context fetchModuleScript:@"./dependencyListTests/bar.js"] sourceURL] absoluteString] isEqual:[deps[@(1)] toString]]);
+ }
+}
+
+static void testDependenciesEvaluationError()
+{
+ @autoreleasepool {
+ auto *context = [JSContextFileLoaderDelegate newContext];
+
+ JSScript *entryScript = [context fetchModuleScript:@"./dependencyListTests/referenceError.js"];
+
+ JSValue *promise = [context evaluateJSScript:entryScript];
+ [promise invokeMethod:@"then" withArguments:@[^(JSValue *) {
+ checkResult(@"module failed successfully", false);
+ }, ^(JSValue *) {
+ checkResult(@"module failed successfully", true);
+ }]];
+
+ auto *deps = [context dependencyIdentifiersForModuleJSScript:entryScript];
+ checkResult(@"deps should be an Array", [deps isArray]);
+ checkResult(@"first dependency should be foo.js", [[[[context fetchModuleScript:@"./dependencyListTests/foo.js"] sourceURL] absoluteString] isEqual:[deps[@(0)] toString]]);
+ }
+}
+
+static void testDependenciesSyntaxError()
+{
+ @autoreleasepool {
+ auto *context = [JSContextFileLoaderDelegate newContext];
+
+ JSScript *entryScript = [context fetchModuleScript:@"./dependencyListTests/syntaxError.js"];
+
+ JSValue *promise = [context evaluateJSScript:entryScript];
+ [promise invokeMethod:@"then" withArguments:@[^(JSValue *) {
+ checkResult(@"module failed successfully", false);
+ }, ^(JSValue *) {
+ checkResult(@"module failed successfully", true);
+ }]];
+
+ auto *deps = [context dependencyIdentifiersForModuleJSScript:entryScript];
+ checkResult(@"deps should be undefined", [deps isUndefined]);
+ checkResult(@"there should be a pending exception on 
the context", context.exception);
+ }
+}
+
+static void testDependenciesBadImportId()
+{
+ @autoreleasepool {
+ auto *context = [JSContextFileLoaderDelegate newContext];
+
+ JSScript *entryScript = [context fetchModuleScript:@"./dependencyListTests/badModuleImportId.js"];
+
+ JSValue *promise = [context evaluateJSScript:entryScript];
+ [promise invokeMethod:@"then" withArguments:@[^(JSValue *) {
+ checkResult(@"module failed successfully", false);
+ }, ^(JSValue *) {
+ checkResult(@"module failed successfully", true);
+ }]];
+
+ auto *deps = [context dependencyIdentifiersForModuleJSScript:entryScript];
+ checkResult(@"deps should be undefined", [deps isUndefined]);
+ checkResult(@"there should be a pending exception on the context", context.exception);
+ }
+}
+
+static void testDependenciesMissingImport()
+{
+ @autoreleasepool {
+ auto *context = [JSContextFileLoaderDelegate newContext];
+
+ JSScript *entryScript = [context fetchModuleScript:@"./dependencyListTests/missingImport.js"];
+
+ JSValue *promise = [context evaluateJSScript:entryScript];
+ [promise invokeMethod:@"then" withArguments:@[^(JSValue *) {
+ checkResult(@"module failed successfully", false);
+ }, ^(JSValue *) {
+ checkResult(@"module failed successfully", true);
+ }]];
+
+ auto *deps = [context dependencyIdentifiersForModuleJSScript:entryScript];
+ checkResult(@"deps should be undefined", [deps isUndefined]);
+ checkResult(@"there should be a pending exception on the context", context.exception);
+ }
+}
+
+@protocol ToString
+- (NSString *)toString;
+@end
+
+@interface ToStringClass : NSObject
+@end
+
+@implementation ToStringClass
+- (NSString *)toString
+{
+ return @"foo";
+}
+@end
+
+@interface ToStringSubclass : ToStringClass
+@end
+
+@implementation ToStringSubclass
+- (NSString *)toString
+{
+ return @"baz";
+}
+@end
+
+@interface ToStringSubclassNoProtocol : ToStringClass
+@end
+
+@implementation ToStringSubclassNoProtocol
+- (NSString *)toString
+{
+ return @"baz";
+}
+@end
+
+static void 
testToString()
+{
+ @autoreleasepool {
+ JSContext *context = [[JSContext alloc] init];
+
+ JSValue *toStringClass = [JSValue valueWithObject:[[ToStringClass alloc] init] inContext:context];
+ checkResult(@"exporting a property with the same name as a builtin on Object.prototype should still be exported", [[toStringClass invokeMethod:@"toString" withArguments:@[]] isEqualToObject:@"foo"]);
+ checkResult(@"converting an object with an exported custom toObject property should use that method", [[toStringClass toString] isEqualToString:@"foo"]);
+
+ toStringClass = [JSValue valueWithObject:[[ToStringSubclass alloc] init] inContext:context];
+ checkResult(@"Calling a method on a derived class should call the derived implementation", [[toStringClass invokeMethod:@"toString" withArguments:@[]] isEqualToObject:@"baz"]);
+ checkResult(@"Converting an object with an exported custom toObject property should use that method", [[toStringClass toString] isEqualToString:@"baz"]);
+ context[@"toStringValue"] = toStringClass;
+ JSValue *hasOwnProperty = [context evaluateScript:@"toStringValue.__proto__.hasOwnProperty('toString')"];
+ checkResult(@"A subclass that exports a method exported by a super class shouldn't have a duplicate prototype method", [hasOwnProperty toBool]);
+
+ toStringClass = [JSValue valueWithObject:[[ToStringSubclassNoProtocol alloc] init] inContext:context];
+ checkResult(@"Calling a method on a derived class should call the derived implementation even when not exported on the derived class", [[toStringClass invokeMethod:@"toString" withArguments:@[]] isEqualToObject:@"baz"]);
+ }
+}
+
+#define RUN(test) do { \
+ if (!shouldRun(#test)) \
+ break; \
+ NSLog(@"%s...\n", #test); \
+ test; \
+ NSLog(@"%s: done.\n", #test); \
+ } while (false)
+
+void testObjectiveCAPI(const char* filter)
 {
 NSLog(@"Testing Objective-C API");
- checkNegativeNSIntegers();
+
+ auto shouldRun = [&] (const char* test) -> bool {
+ if (filter)
+ return strcasestr(test, filter);
+ return 
true;
+ };
+
+ RUN(checkNegativeNSIntegers());
+ RUN(runJITThreadLimitTests());
+ RUN(testToString());
+
+ RUN(testLoaderResolvesAbsoluteScriptURL());
+ RUN(testFetch());
+ RUN(testFetchWithTwoCycle());
+ RUN(testFetchWithThreeCycle());
+ RUN(testImportModuleTwice());
+ RUN(testModuleBytecodeCache());
+ RUN(testProgramBytecodeCache());
+ RUN(testBytecodeCacheWithSyntaxError(kJSScriptTypeProgram));
+ RUN(testBytecodeCacheWithSyntaxError(kJSScriptTypeModule));
+ RUN(testBytecodeCacheWithSameCacheFileAndDifferentScript(false));
+ RUN(testBytecodeCacheWithSameCacheFileAndDifferentScript(true));
+ RUN(testProgramJSScriptException());
+ RUN(testCacheFileFailsWhenItsAlreadyCached());
+ RUN(testCanCacheManyFilesWithTheSameVM());
+ RUN(testIsUsingBytecodeCacheAccessor());
+ RUN(testBytecodeCacheValidation());
+
+ RUN(testLoaderRejectsNilScriptURL());
+ RUN(testLoaderRejectsFailedFetch());
+
+ RUN(testJSScriptURL());
+
+ // File loading
+ RUN(testLoadBasicFileLegacySPI());
+ RUN(testLoadBasicFile());
+
+ RUN(testDependenciesArray());
+ RUN(testDependenciesSyntaxError());
+ RUN(testDependenciesEvaluationError());
+ RUN(testDependenciesBadImportId());
+ RUN(testDependenciesMissingImport());
+
+ RUN(promiseWithExecutor(Resolution::ResolveEager));
+ RUN(promiseWithExecutor(Resolution::RejectEager));
+ RUN(promiseWithExecutor(Resolution::ResolveLate));
+ RUN(promiseWithExecutor(Resolution::RejectLate));
+ RUN(promiseRejectOnJSException());
+ RUN(promiseCreateResolved());
+ RUN(promiseCreateRejected());
+ RUN(parallelPromiseResolveTest());
 testObjectiveCAPIMain();
 }
 #else
-void testObjectiveCAPI()
+void testObjectiveCAPI(const char*)
 {
 }
diff --git a/API/tests/testapiScripts/basic.js b/API/tests/testapiScripts/basic.js
new file mode 100644
index 0000000..8528c49
--- /dev/null
+++ b/API/tests/testapiScripts/basic.js
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+export let exp = null;
+globalThis.ran = null;
diff --git a/API/tests/testapiScripts/dependencyListTests/badModuleImportId.js b/API/tests/testapiScripts/dependencyListTests/badModuleImportId.js
new file mode 100644
index 0000000..7650208
--- /dev/null
+++ b/API/tests/testapiScripts/dependencyListTests/badModuleImportId.js
@@ -0,0 +1,3 @@
+
+// This is not a valid identfier for an import so it will fail to import.
+import "sethua"
diff --git a/API/tests/testapiScripts/dependencyListTests/bar.js b/API/tests/testapiScripts/dependencyListTests/bar.js
new file mode 100644
index 0000000..010ffc8
--- /dev/null
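Review bot: The explanatory comment in badModuleImportId.js misspells "identifier" ("identfier"); since this comment is the only thing documenting why the fixture is expected to fail, `// This is not a valid identifier for an import so it will fail to import.` keeps that intent readable. The import statement in the same hunk also omits the trailing semicolon that the sibling fixtures dependenciesEntry.js, referenceError.js and syntaxError.js use; that is harmless under automatic semicolon insertion but inconsistent, and `import "sethua";` matches them. The same missing semicolon appears in missingImport.js.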
+++ b/API/tests/testapiScripts/dependencyListTests/bar.js
@@ -0,0 +1 @@
+export let hello = 1;
diff --git a/API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js b/API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js
new file mode 100644
index 0000000..29ce903
--- /dev/null
+++ b/API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js
@@ -0,0 +1,2 @@
+import "./foo.js";
+import "./bar.js";
diff --git a/API/tests/testapiScripts/dependencyListTests/foo.js b/API/tests/testapiScripts/dependencyListTests/foo.js
new file mode 100644
index 0000000..b28218a
--- /dev/null
+++ b/API/tests/testapiScripts/dependencyListTests/foo.js
@@ -0,0 +1 @@
+export let things = null;
diff --git a/API/tests/testapiScripts/dependencyListTests/missingImport.js b/API/tests/testapiScripts/dependencyListTests/missingImport.js
new file mode 100644
index 0000000..2f53491
--- /dev/null
+++ b/API/tests/testapiScripts/dependencyListTests/missingImport.js
@@ -0,0 +1 @@
+import "./file-that-does-not-exist.js"
diff --git a/API/tests/testapiScripts/dependencyListTests/referenceError.js b/API/tests/testapiScripts/dependencyListTests/referenceError.js
new file mode 100644
index 0000000..de55c37
--- /dev/null
+++ b/API/tests/testapiScripts/dependencyListTests/referenceError.js
@@ -0,0 +1,3 @@
+import "./foo.js";
+
+tosehuas;
diff --git a/API/tests/testapiScripts/dependencyListTests/syntaxError.js b/API/tests/testapiScripts/dependencyListTests/syntaxError.js
new file mode 100644
index 0000000..7b42843
--- /dev/null
+++ b/API/tests/testapiScripts/dependencyListTests/syntaxError.js
@@ -0,0 +1,3 @@
+import "./foo.js";
+
+theoasutas thea tehlr ebsa;
diff --git a/API/tests/testapiScripts/foo.js b/API/tests/testapiScripts/foo.js
new file mode 100644
index 0000000..7eafd98
--- /dev/null
+++ b/API/tests/testapiScripts/foo.js
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import "./bar.js";
diff --git a/API/tests/testapi-function-overrides.js b/API/tests/testapiScripts/testapi-function-overrides.js
similarity index 100%
rename from API/tests/testapi-function-overrides.js
rename to API/tests/testapiScripts/testapi-function-overrides.js
diff --git a/API/tests/testapi.js b/API/tests/testapiScripts/testapi.js
similarity index 100%
rename from API/tests/testapi.js
rename to API/tests/testapiScripts/testapi.js
diff --git a/AUTHORS b/AUTHORS
deleted file mode 100644
index e50da8c..0000000
--- a/AUTHORS
+++ /dev/null
@@ -1,2 +0,0 @@
-Harri Porten (porten@kde.org)
-Peter Kelly (pmk@post.com)
diff --git a/CMakeLists.txt.apple b/CMakeLists.txt.apple
new file mode 100644
index 0000000..c199aa8
--- /dev/null
+++ b/CMakeLists.txt.apple
@@ -0,0 +1,1348 @@ +cmake_minimum_required(VERSION 3.10) +include(WebKitCommon) +set_property(DIRECTORY . PROPERTY FOLDER "JavaScriptCore") + +list(APPEND JavaScriptCore_UNIFIED_SOURCE_LIST_FILES + "Sources.txt" +) + +set(JavaScriptCore_INCLUDE_DIRECTORIES + "${WTF_FRAMEWORK_HEADERS_DIR}" + "${JavaScriptCore_FRAMEWORK_HEADERS_DIR}" +) + +set(JavaScriptCore_PRIVATE_INCLUDE_DIRECTORIES + "${CMAKE_BINARY_DIR}" + "${JAVASCRIPTCORE_DIR}" + "${JAVASCRIPTCORE_DIR}/API" + "${JAVASCRIPTCORE_DIR}/assembler" + "${JAVASCRIPTCORE_DIR}/b3" + "${JAVASCRIPTCORE_DIR}/b3/air" + "${JAVASCRIPTCORE_DIR}/bindings" + "${JAVASCRIPTCORE_DIR}/builtins" + "${JAVASCRIPTCORE_DIR}/bytecode" + "${JAVASCRIPTCORE_DIR}/bytecompiler" + "${JAVASCRIPTCORE_DIR}/dfg" + "${JAVASCRIPTCORE_DIR}/disassembler" + "${JAVASCRIPTCORE_DIR}/disassembler/ARM64" + "${JAVASCRIPTCORE_DIR}/disassembler/udis86" + "${JAVASCRIPTCORE_DIR}/domjit" + "${JAVASCRIPTCORE_DIR}/ftl" + "${JAVASCRIPTCORE_DIR}/heap" + "${JAVASCRIPTCORE_DIR}/debugger" + "${JAVASCRIPTCORE_DIR}/inspector" + "${JAVASCRIPTCORE_DIR}/inspector/agents" + "${JAVASCRIPTCORE_DIR}/inspector/augmentable" + "${JAVASCRIPTCORE_DIR}/inspector/remote" + "${JAVASCRIPTCORE_DIR}/interpreter" + "${JAVASCRIPTCORE_DIR}/jit" + "${JAVASCRIPTCORE_DIR}/llint" + "${JAVASCRIPTCORE_DIR}/parser" + "${JAVASCRIPTCORE_DIR}/profiler" + "${JAVASCRIPTCORE_DIR}/runtime" + "${JAVASCRIPTCORE_DIR}/tools" + "${JAVASCRIPTCORE_DIR}/wasm" + "${JAVASCRIPTCORE_DIR}/wasm/js" + "${JAVASCRIPTCORE_DIR}/yarr" + "${JavaScriptCore_DERIVED_SOURCES_DIR}" + "${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector" + "${JavaScriptCore_DERIVED_SOURCES_DIR}/runtime" + "${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr" +) + +if (USE_CAPSTONE) + list(APPEND JavaScriptCore_PRIVATE_INCLUDE_DIRECTORIES "${THIRDPARTY_DIR}/capstone/Source/include") +endif () + +set(JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES + "${ICU_INCLUDE_DIRS}" +) + +set(JavaScriptCore_OBJECT_LUT_SOURCES + runtime/ArrayConstructor.cpp + 
runtime/AsyncFromSyncIteratorPrototype.cpp + runtime/AsyncGeneratorPrototype.cpp + runtime/BigIntConstructor.cpp + runtime/BigIntPrototype.cpp + runtime/BooleanPrototype.cpp + runtime/DateConstructor.cpp + runtime/DatePrototype.cpp + runtime/ErrorPrototype.cpp + runtime/GeneratorPrototype.cpp + runtime/InspectorInstrumentationObject.cpp + runtime/IntlCollatorConstructor.cpp + runtime/IntlCollatorPrototype.cpp + runtime/IntlDateTimeFormatConstructor.cpp + runtime/IntlDateTimeFormatPrototype.cpp + runtime/IntlNumberFormatConstructor.cpp + runtime/IntlNumberFormatPrototype.cpp + runtime/IntlObject.cpp + runtime/IntlPluralRulesConstructor.cpp + runtime/IntlPluralRulesPrototype.cpp + runtime/JSDataViewPrototype.cpp + runtime/JSGlobalObject.cpp + runtime/JSInternalPromiseConstructor.cpp + runtime/JSModuleLoader.cpp + runtime/JSONObject.cpp + runtime/JSPromiseConstructor.cpp + runtime/JSPromisePrototype.cpp + runtime/MapPrototype.cpp + runtime/NumberConstructor.cpp + runtime/NumberPrototype.cpp + runtime/ObjectConstructor.cpp + runtime/ReflectObject.cpp + runtime/RegExpConstructor.cpp + runtime/RegExpPrototype.cpp + runtime/RegExpStringIteratorPrototype.cpp + runtime/SetPrototype.cpp + runtime/StringConstructor.cpp + runtime/StringPrototype.cpp + runtime/SymbolConstructor.cpp + runtime/SymbolPrototype.cpp + + wasm/js/JSWebAssembly.cpp + wasm/js/JSToWasmICCallee.cpp + wasm/js/WebAssemblyCompileErrorConstructor.cpp + wasm/js/WebAssemblyCompileErrorPrototype.cpp + wasm/js/WebAssemblyFunctionHeapCellType.cpp + wasm/js/WebAssemblyInstanceConstructor.cpp + wasm/js/WebAssemblyInstancePrototype.cpp + wasm/js/WebAssemblyLinkErrorConstructor.cpp + wasm/js/WebAssemblyLinkErrorPrototype.cpp + wasm/js/WebAssemblyMemoryConstructor.cpp + wasm/js/WebAssemblyMemoryPrototype.cpp + wasm/js/WebAssemblyModuleConstructor.cpp + wasm/js/WebAssemblyModulePrototype.cpp + wasm/js/WebAssemblyPrototype.cpp + wasm/js/WebAssemblyRuntimeErrorConstructor.cpp + wasm/js/WebAssemblyRuntimeErrorPrototype.cpp 
+ wasm/js/WebAssemblyTableConstructor.cpp + wasm/js/WebAssemblyTablePrototype.cpp +) + +set(JavaScriptCore_LIBRARIES + WTF${DEBUG_SUFFIX} + ${ICU_I18N_LIBRARIES} +) + +if (USE_CAPSTONE) + list(APPEND JavaScriptCore_LIBRARIES capstone) +endif () + +if (ATOMIC_INT64_REQUIRES_LIBATOMIC) + list(APPEND JavaScriptCore_LIBRARIES atomic) +endif () + +set(JavaScriptCore_SCRIPTS_SOURCES_DIR "${JAVASCRIPTCORE_DIR}/Scripts") + +# Globbing relies on the fact that generator-specific file names are prefixed with their directory. +# Top-level scripts should have a file extension, since they are invoked during the build. + +set(JavaScriptCore_SCRIPTS_SOURCES_PATHS + ${JavaScriptCore_SCRIPTS_SOURCES_DIR}/*.pl + ${JavaScriptCore_SCRIPTS_SOURCES_DIR}/*.py + ${JavaScriptCore_SCRIPTS_SOURCES_DIR}/wkbuiltins/builtins*.py + ${JavaScriptCore_SCRIPTS_SOURCES_DIR}/wkbuiltins/wkbuiltins.py +) + +# The directory flattening performed below mirrors what the Mac port does with private headers. + +file(GLOB JavaScriptCore_SCRIPTS_SOURCES ${JavaScriptCore_SCRIPTS_SOURCES_PATHS}) + +foreach (_file ${JavaScriptCore_SCRIPTS_SOURCES}) + get_filename_component(_script "${_file}" NAME) + add_custom_command( + OUTPUT ${JavaScriptCore_SCRIPTS_DIR}/${_script} + MAIN_DEPENDENCY ${_file} + WORKING_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR} + COMMAND ${CMAKE_COMMAND} -E copy_if_different ${_file} ${JavaScriptCore_SCRIPTS_DIR}/${_script} + VERBATIM) + list(APPEND JavaScriptCore_SCRIPTS ${JavaScriptCore_SCRIPTS_DIR}/${_script}) +endforeach () + +set(UDIS_GEN_DEP + disassembler/udis86/optable.xml + disassembler/udis86/ud_itab.py + disassembler/udis86/ud_opcode.py +) + +add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/udis86_itab.c ${JavaScriptCore_DERIVED_SOURCES_DIR}/udis86_itab.h + DEPENDS ${UDIS_GEN_DEP} + WORKING_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR} + COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/disassembler/udis86/ud_itab.py 
${JAVASCRIPTCORE_DIR}/disassembler/udis86/optable.xml ${JavaScriptCore_DERIVED_SOURCES_DIR} + VERBATIM) + +list(APPEND JavaScriptCore_HEADERS + ${JavaScriptCore_DERIVED_SOURCES_DIR}/udis86_itab.h +) + +set(LLINT_ASM + llint/LowLevelInterpreter.asm + llint/LowLevelInterpreter32_64.asm + llint/LowLevelInterpreter64.asm +) + +set(OFFLINE_ASM + offlineasm/arm.rb + offlineasm/arm64.rb + offlineasm/ast.rb + offlineasm/backends.rb + offlineasm/cloop.rb + offlineasm/config.rb + offlineasm/instructions.rb + offlineasm/mips.rb + offlineasm/offsets.rb + offlineasm/opt.rb + offlineasm/parser.rb + offlineasm/registers.rb + offlineasm/risc.rb + offlineasm/self_hash.rb + offlineasm/settings.rb + offlineasm/transform.rb + offlineasm/x86.rb +) + +set(GENERATOR + generator/Argument.rb + generator/Assertion.rb + generator/DSL.rb + generator/Fits.rb + generator/GeneratedFile.rb + generator/Metadata.rb + generator/Opcode.rb + generator/OpcodeGroup.rb + generator/Options.rb + generator/Section.rb + generator/Template.rb + generator/Type.rb + generator/main.rb +) + +add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeIndices.h + MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/generator/main.rb + DEPENDS ${GENERATOR} bytecode/BytecodeList.rb + COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/generator/main.rb --bytecodes_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h --init_bytecodes_asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm --bytecode_structs_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h --bytecode_indices_h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeIndices.h ${JAVASCRIPTCORE_DIR}/bytecode/BytecodeList.rb + VERBATIM) + + +if (WTF_OS_MAC_OS_X) + execute_process(COMMAND bash -c "date +'%s'" OUTPUT_VARIABLE BUILD_TIME OUTPUT_STRIP_TRAILING_WHITESPACE) +else () + set(BUILD_TIME 0) 
+endif () + +file(WRITE ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeCacheVersion.h "#define JSC_BYTECODE_CACHE_VERSION ${BUILD_TIME}\n") + +list(APPEND JavaScriptCore_HEADERS + ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeCacheVersion.h + ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h + ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h +) + +if (WIN32) + set(OFFLINE_ASM_BACKEND "X86_WIN, X86_64_WIN, C_LOOP_WIN") +else () + if (WTF_CPU_X86) + set(OFFLINE_ASM_BACKEND "X86") + elseif (WTF_CPU_X86_64) + set(OFFLINE_ASM_BACKEND "X86_64") + elseif (WTF_CPU_ARM64) + set(OFFLINE_ASM_BACKEND "ARM64") + elseif (ARM_THUMB2_DETECTED) + set(OFFLINE_ASM_BACKEND "ARMv7") + elseif (WTF_CPU_MIPS) + set(OFFLINE_ASM_BACKEND "MIPS") + endif () + + if (NOT ENABLE_JIT) + if (ENABLE_C_LOOP) + set(OFFLINE_ASM_BACKEND "C_LOOP") + endif () + endif () +endif () + +add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredSettings.h + MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/offlineasm/generate_settings_extractor.rb + DEPENDS ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm + COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/generate_settings_extractor.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredSettings.h ${OFFLINE_ASM_BACKEND} + VERBATIM) + +add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredOffsets.h + MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/offlineasm/generate_offset_extractor.rb + DEPENDS LLIntSettingsExtractor ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm + COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/generate_offset_extractor.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredOffsets.h ${OFFLINE_ASM_BACKEND} + VERBATIM) + +# We add the 
header files directly to the ADD_EXECUTABLE call instead of setting the +# OBJECT_DEPENDS property in LLIntOffsetsExtractor.cpp because generate_offset_extractor.rb and +# generate-bytecode-files may not regenerate the .h files in case the hash it calculates does not change. +# In this case, if some of the dependencies specified in the ADD_CUSTOM_COMMANDs above have +# changed the command will always be called because the mtime of the .h files will +# always be older than that of their dependencies. +# Additionally, setting the OBJECT_DEPENDS property will make the .h files a Makefile +# dependency of both LLIntOffsetsExtractor and LLIntOffsetsExtractor.cpp, so the command will +# actually be run multiple times! +add_executable(LLIntSettingsExtractor + ${JAVASCRIPTCORE_DIR}/llint/LLIntSettingsExtractor.cpp + ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredSettings.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h +) + +add_executable(LLIntOffsetsExtractor + ${JAVASCRIPTCORE_DIR}/llint/LLIntOffsetsExtractor.cpp + ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntDesiredOffsets.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/BytecodeStructs.h +) + +target_link_libraries(LLIntSettingsExtractor WTF) +add_dependencies(LLIntSettingsExtractor JavaScriptCoreFrameworkHeaders) +target_link_libraries(LLIntOffsetsExtractor WTF) +add_dependencies(LLIntOffsetsExtractor JavaScriptCoreFrameworkHeaders) + +# The build system will execute asm.rb every time LLIntOffsetsExtractor's mtime is newer than +# LLIntAssembly.h's mtime. The problem we have here is: asm.rb has some built-in optimization +# that generates a checksum of the LLIntOffsetsExtractor binary, if the checksum of the new +# LLIntOffsetsExtractor matches, no output is generated. 
To make this target consistent and avoid +# running this command for every build, we artificially update LLIntAssembly.h's mtime (using touch) +# after every asm.rb run. +if (MSVC AND NOT ENABLE_C_LOOP) + set(LLIntOutput LowLevelInterpreterWin.asm) + set(OFFLINE_ASM_ARGS --assembler=MASM) +else () + set(LLIntOutput LLIntAssembly.h) +endif () + +add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput} + MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb + DEPENDS LLIntOffsetsExtractor ${LLINT_ASM} ${OFFLINE_ASM} ${JavaScriptCore_DERIVED_SOURCES_DIR}/InitBytecodes.asm + COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb -I${JavaScriptCore_DERIVED_SOURCES_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput} ${OFFLINE_ASM_ARGS} + COMMAND ${CMAKE_COMMAND} -E touch_nocreate ${JavaScriptCore_DERIVED_SOURCES_DIR}/${LLIntOutput} + WORKING_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR} + VERBATIM) + +# The explanation for not making LLIntAssembly.h part of the OBJECT_DEPENDS property of some of +# the .cpp files below is similar to the one in the previous comment. However, since these .cpp +# files are used to build JavaScriptCore itself, we can just add LLIntAssembly.h to JSC_HEADERS +# since it is used in the add_library() call at the end of this file. +if (MSVC AND NOT ENABLE_C_LOOP) + enable_language(ASM_MASM) + if (CMAKE_SIZEOF_VOID_P EQUAL 4) + # Win32 needs /safeseh with assembly, but Win64 does not. 
+ set(MASM_EXECUTABLE ml) + set(LLINT_MASM_FLAGS /safeseh /c /Fo) + else () + set(MASM_EXECUTABLE ml64) + set(LLINT_MASM_FLAGS /c /Fo) + endif () + add_custom_command( + OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.obj + DEPENDS ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.asm + COMMAND ${MASM_EXECUTABLE} ${LLINT_MASM_FLAGS} ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.obj ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.asm + VERBATIM) + list(APPEND JavaScriptCore_SOURCES ${JavaScriptCore_DERIVED_SOURCES_DIR}/LowLevelInterpreterWin.obj) +else () + list(APPEND JavaScriptCore_HEADERS + ${JavaScriptCore_DERIVED_SOURCES_DIR}/LLIntAssembly.h + ) +endif () + +# WebAssembly generator + +macro(GENERATE_PYTHON _generator _additional_deps _input _output) + add_custom_command( + OUTPUT ${_output} + MAIN_DEPENDENCY ${_generator} + DEPENDS ${_input} ${_additional_deps} + COMMAND ${PYTHON_EXECUTABLE} ${_generator} ${_input} ${_output} + VERBATIM) + list(APPEND JavaScriptCore_HEADERS ${_output}) + WEBKIT_ADD_SOURCE_DEPENDENCIES(${_input} ${_output}) +endmacro() +GENERATE_PYTHON(${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasmOpsHeader.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasm.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/wasm.json ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmOps.h) +GENERATE_PYTHON(${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasmValidateInlinesHeader.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasm.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/wasm.json ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmValidateInlines.h) +GENERATE_PYTHON(${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasmB3IRGeneratorInlinesHeader.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/generateWasm.py ${CMAKE_CURRENT_SOURCE_DIR}/wasm/wasm.json ${JavaScriptCore_DERIVED_SOURCES_DIR}/WasmB3IRGeneratorInlines.h) + +# LUT generator + +set(HASH_LUT_GENERATOR ${CMAKE_CURRENT_SOURCE_DIR}/create_hash_table) +macro(GENERATE_HASH_LUT _input _output) + add_custom_command( + 
OUTPUT ${_output} + MAIN_DEPENDENCY ${HASH_LUT_GENERATOR} + DEPENDS ${_input} + COMMAND ${PERL_EXECUTABLE} ${HASH_LUT_GENERATOR} ${_input} > ${_output} + VERBATIM) + list(APPEND JavaScriptCore_HEADERS ${_output}) + WEBKIT_ADD_SOURCE_DEPENDENCIES(${_input} ${_output}) +endmacro() + +# GENERATOR 1-A: LUT creator + +foreach (_file ${JavaScriptCore_OBJECT_LUT_SOURCES}) + get_filename_component(_name ${_file} NAME_WE) + GENERATE_HASH_LUT(${CMAKE_CURRENT_SOURCE_DIR}/${_file} ${JavaScriptCore_DERIVED_SOURCES_DIR}/${_name}.lut.h) +endforeach () + +set(JavaScriptCore_PUBLIC_FRAMEWORK_HEADERS + API/JSBase.h + API/JSContextRef.h + API/JSObjectRef.h + API/JSStringRef.h + API/JSTypedArray.h + API/JSValueRef.h + API/JavaScript.h + API/WebKitAvailability.h +) + +set(JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS + ${JavaScriptCore_DERIVED_SOURCES_DIR}/Bytecodes.h + ${JavaScriptCore_DERIVED_SOURCES_DIR}/JSCBuiltins.h + + ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendDispatchers.h + ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorFrontendDispatchers.h + ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorProtocolObjects.h + + API/APICallbackFunction.h + API/APICast.h + API/APIUtils.h + API/JSAPIValueWrapper.h + API/JSAPIWrapperObject.h + API/JSBasePrivate.h + API/JSCTestRunnerUtils.h + API/JSCallbackConstructor.h + API/JSCallbackFunction.h + API/JSCallbackObject.h + API/JSCallbackObjectFunctions.h + API/JSClassRef.h + API/JSContextInternal.h + API/JSContextPrivate.h + API/JSContextRefInspectorSupport.h + API/JSContextRefInternal.h + API/JSContextRefPrivate.h + API/JSHeapFinalizerPrivate.h + API/JSManagedValueInternal.h + API/JSMarkingConstraintPrivate.h + API/JSObjectRefPrivate.h + API/JSRemoteInspector.h + API/JSRetainPtr.h + API/JSScriptRefPrivate.h + API/JSStringRefPrivate.h + API/JSValueInternal.h + API/JSValuePrivate.h + API/JSVirtualMachineInternal.h + API/JSWeakObjectMapRefInternal.h + API/JSWeakObjectMapRefPrivate.h + API/JSWeakPrivate.h + 
API/JSWrapperMap.h + API/ObjCCallbackFunction.h + API/ObjcRuntimeExtras.h + API/OpaqueJSString.h + + assembler/ARM64Assembler.h + assembler/ARM64Registers.h + assembler/ARMv7Assembler.h + assembler/ARMv7Registers.h + assembler/AbortReason.h + assembler/AbstractMacroAssembler.h + assembler/AssemblerBuffer.h + assembler/AssemblerBufferWithConstantPool.h + assembler/AssemblerCommon.h + assembler/CPU.h + assembler/CodeLocation.h + assembler/LinkBuffer.h + assembler/MIPSAssembler.h + assembler/MIPSRegisters.h + assembler/MacroAssembler.h + assembler/MacroAssemblerARM64.h + assembler/MacroAssemblerARMv7.h + assembler/MacroAssemblerCodeRef.h + assembler/MacroAssemblerHelpers.h + assembler/MacroAssemblerMIPS.h + assembler/MacroAssemblerX86.h + assembler/MacroAssemblerX86Common.h + assembler/MacroAssemblerX86_64.h + assembler/Printer.h + assembler/RegisterInfo.h + assembler/X86Assembler.h + assembler/X86Registers.h + assembler/X86_64Registers.h + + bindings/ScriptFunctionCall.h + bindings/ScriptObject.h + bindings/ScriptValue.h + + builtins/BuiltinNames.h + builtins/BuiltinUtils.h + + bytecode/ArrayAllocationProfile.h + bytecode/ArrayProfile.h + bytecode/ByValInfo.h + bytecode/BytecodeConventions.h + bytecode/BytecodeIntrinsicRegistry.h + bytecode/CallEdge.h + bytecode/CallLinkInfo.h + bytecode/CallMode.h + bytecode/CallVariant.h + bytecode/CodeBlock.h + bytecode/CodeBlockHash.h + bytecode/CodeOrigin.h + bytecode/CodeType.h + bytecode/DFGExitProfile.h + bytecode/DataFormat.h + bytecode/DirectEvalCodeCache.h + bytecode/ExecutableInfo.h + bytecode/ExecutableToCodeBlockEdge.h + bytecode/ExecutionCounter.h + bytecode/ExitKind.h + bytecode/ExitingInlineKind.h + bytecode/ExitingJITType.h + bytecode/ExpressionRangeInfo.h + bytecode/HandlerInfo.h + bytecode/ICStatusMap.h + bytecode/InlineCallFrame.h + bytecode/Instruction.h + bytecode/InstructionStream.h + bytecode/InternalFunctionAllocationProfile.h + bytecode/JumpTable.h + bytecode/LLIntCallLinkInfo.h + 
bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h + bytecode/LazyOperandValueProfile.h + bytecode/MetadataTable.h + bytecode/ObjectAllocationProfile.h + bytecode/ObjectPropertyCondition.h + bytecode/Opcode.h + bytecode/OpcodeSize.h + bytecode/PropertyCondition.h + bytecode/PutByIdFlags.h + bytecode/SpecialPointer.h + bytecode/SpeculatedType.h + bytecode/StructureSet.h + bytecode/SuperSampler.h + bytecode/ToThisStatus.h + bytecode/TypeLocation.h + bytecode/UnlinkedCodeBlock.h + bytecode/UnlinkedEvalCodeBlock.h + bytecode/UnlinkedFunctionExecutable.h + bytecode/UnlinkedGlobalCodeBlock.h + bytecode/UnlinkedMetadataTable.h + bytecode/ValueProfile.h + bytecode/ValueRecovery.h + bytecode/VariableWriteFireDetail.h + bytecode/VirtualRegister.h + bytecode/Watchpoint.h + + debugger/Breakpoint.h + debugger/Debugger.h + debugger/DebuggerCallFrame.h + debugger/DebuggerParseData.h + debugger/DebuggerPrimitives.h + + dfg/DFGCommon.h + dfg/DFGCompilationMode.h + dfg/DFGMinifiedID.h + + domjit/DOMJITAbstractHeap.h + domjit/DOMJITCallDOMGetterSnippet.h + domjit/DOMJITEffect.h + domjit/DOMJITGetterSetter.h + domjit/DOMJITHeapRange.h + domjit/DOMJITSignature.h + + heap/AlignedMemoryAllocator.h + heap/AllocationFailureMode.h + heap/Allocator.h + heap/AllocatorInlines.h + heap/AllocatorForMode.h + heap/BlockDirectory.h + heap/BlockDirectoryInlines.h + heap/CellAttributes.h + heap/CellContainer.h + heap/CellContainerInlines.h + heap/CellState.h + heap/CollectionScope.h + heap/CollectorPhase.h + heap/CompleteSubspace.h + heap/CompleteSubspaceInlines.h + heap/ConstraintConcurrency.h + heap/ConstraintParallelism.h + heap/ConstraintVolatility.h + heap/DeferGC.h + heap/DeleteAllCodeEffort.h + heap/DestructionMode.h + heap/FastMallocAlignedMemoryAllocator.h + heap/FreeList.h + heap/FreeListInlines.h + heap/GCActivityCallback.h + heap/GCAssertions.h + heap/GCConductor.h + heap/GCDeferralContext.h + heap/GCIncomingRefCounted.h + heap/GCIncomingRefCountedInlines.h + 
heap/GCIncomingRefCountedSet.h + heap/GCLogging.h + heap/GCRequest.h + heap/GCSegmentedArray.h + heap/Handle.h + heap/HandleBlock.h + heap/HandleSet.h + heap/HandleTypes.h + heap/Heap.h + heap/HeapCell.h + heap/HeapCellInlines.h + heap/HeapCellType.h + heap/HeapFinalizerCallback.h + heap/HeapInlines.h + heap/HeapObserver.h + heap/HeapSnapshotBuilder.h + heap/IncrementalSweeper.h + heap/IsoCellSet.h + heap/IsoSubspace.h + heap/IsoSubspaceInlines.h + heap/IsoSubspacePerVM.h + heap/LargeAllocation.h + heap/LocalAllocator.h + heap/LocalAllocatorInlines.h + heap/LockDuringMarking.h + heap/MachineStackMarker.h + heap/MarkStack.h + heap/MarkedBlock.h + heap/MarkedBlockInlines.h + heap/MarkedBlockSet.h + heap/MarkedSpace.h + heap/MarkingConstraint.h + heap/MutatorState.h + heap/PackedCellPtr.h + heap/RegisterState.h + heap/RunningScope.h + heap/SimpleMarkingConstraint.h + heap/SlotVisitor.h + heap/SlotVisitorInlines.h + heap/Strong.h + heap/StrongInlines.h + heap/Subspace.h + heap/SubspaceInlines.h + heap/Synchronousness.h + heap/TinyBloomFilter.h + heap/VisitRaceKey.h + heap/Weak.h + heap/WeakBlock.h + heap/WeakHandleOwner.h + heap/WeakImpl.h + heap/WeakInlines.h + heap/WeakSet.h + heap/WeakSetInlines.h + + inspector/ConsoleMessage.h + inspector/ContentSearchUtilities.h + inspector/IdentifiersFactory.h + inspector/InjectedScript.h + inspector/InjectedScriptBase.h + inspector/InjectedScriptHost.h + inspector/InjectedScriptManager.h + inspector/InjectedScriptModule.h + inspector/InspectorAgentBase.h + inspector/InspectorAgentRegistry.h + inspector/InspectorBackendDispatcher.h + inspector/InspectorEnvironment.h + inspector/InspectorFrontendChannel.h + inspector/InspectorFrontendRouter.h + inspector/InspectorProtocolTypes.h + inspector/InspectorTarget.h + inspector/PerGlobalObjectWrapperWorld.h + inspector/ScriptArguments.h + inspector/ScriptBreakpoint.h + inspector/ScriptCallFrame.h + inspector/ScriptCallStack.h + inspector/ScriptCallStackFactory.h + 
inspector/ScriptDebugListener.h + inspector/ScriptDebugServer.h + + inspector/agents/InspectorAgent.h + inspector/agents/InspectorAuditAgent.h + inspector/agents/InspectorConsoleAgent.h + inspector/agents/InspectorDebuggerAgent.h + inspector/agents/InspectorHeapAgent.h + inspector/agents/InspectorRuntimeAgent.h + inspector/agents/InspectorScriptProfilerAgent.h + inspector/agents/InspectorTargetAgent.h + + inspector/augmentable/AugmentableInspectorControllerClient.h + + inspector/remote/RemoteAutomationTarget.h + inspector/remote/RemoteControllableTarget.h + inspector/remote/RemoteInspectionTarget.h + inspector/remote/RemoteInspector.h + + interpreter/AbstractPC.h + interpreter/CallFrame.h + interpreter/CallFrameInlines.h + interpreter/CalleeBits.h + interpreter/EntryFrame.h + interpreter/FrameTracers.h + interpreter/Register.h + interpreter/ShadowChicken.h + interpreter/StackVisitor.h + interpreter/VMEntryRecord.h + + jit/AssemblyHelpers.h + jit/CCallHelpers.h + jit/ExecutableAllocator.h + jit/FPRInfo.h + jit/GCAwareJITStubRoutine.h + jit/GPRInfo.h + jit/JITAllocator.h + jit/JITCode.h + jit/JITCodeMap.h + jit/JITCompilationEffort.h + jit/JITMathICForwards.h + jit/JITOperations.h + jit/JITStubRoutine.h + jit/JITThunks.h + jit/PolymorphicCallStubRoutine.h + jit/Reg.h + jit/RegisterAtOffset.h + jit/RegisterAtOffsetList.h + jit/RegisterSet.h + jit/Snippet.h + jit/SnippetParams.h + jit/SnippetReg.h + jit/SnippetSlowPathCalls.h + jit/SpillRegistersMode.h + jit/TagRegistersMode.h + jit/TempRegisterSet.h + jit/ThunkGenerator.h + jit/UnusedPointer.h + + llint/LLIntOpcode.h + + parser/Lexer.h + parser/ParserArena.h + parser/ParserError.h + parser/ParserModes.h + parser/ParserTokens.h + parser/SourceCode.h + parser/SourceProvider.h + parser/SourceProviderCache.h + parser/SourceProviderCacheItem.h + parser/UnlinkedSourceCode.h + parser/VariableEnvironment.h + + profiler/ProfilerBytecode.h + profiler/ProfilerBytecodeSequence.h + profiler/ProfilerBytecodes.h + 
profiler/ProfilerCompilation.h + profiler/ProfilerCompilationKind.h + profiler/ProfilerCompiledBytecode.h + profiler/ProfilerDatabase.h + profiler/ProfilerEvent.h + profiler/ProfilerExecutionCounter.h + profiler/ProfilerJettisonReason.h + profiler/ProfilerOSRExit.h + profiler/ProfilerOSRExitSite.h + profiler/ProfilerOrigin.h + profiler/ProfilerOriginStack.h + profiler/ProfilerProfiledBytecodes.h + profiler/ProfilerUID.h + + runtime/AbstractModuleRecord.h + runtime/ArgList.h + runtime/ArityCheckMode.h + runtime/ArrayBuffer.h + runtime/ArrayBufferSharingMode.h + runtime/ArrayBufferView.h + runtime/ArrayConventions.h + runtime/ArrayPrototype.h + runtime/ArrayStorage.h + runtime/AuxiliaryBarrier.h + runtime/AuxiliaryBarrierInlines.h + runtime/BasicBlockLocation.h + runtime/BatchedTransitionOptimizer.h + runtime/BigIntPrototype.h + runtime/BooleanObject.h + runtime/BooleanPrototype.h + runtime/Butterfly.h + runtime/ButterflyInlines.h + runtime/BytecodeCacheError.h + runtime/CachePayload.h + runtime/CacheUpdate.h + runtime/CachedBytecode.h + runtime/CachedTypes.h + runtime/CagedBarrierPtr.h + runtime/CallData.h + runtime/CatchScope.h + runtime/ClassInfo.h + runtime/CodeSpecializationKind.h + runtime/CommonIdentifiers.h + runtime/CompilationResult.h + runtime/Completion.h + runtime/ConcurrentJSLock.h + runtime/ConfigFile.h + runtime/ConsoleClient.h + runtime/ConsoleTypes.h + runtime/ConstantMode.h + runtime/ConstructAbility.h + runtime/ConstructData.h + runtime/ControlFlowProfiler.h + runtime/CustomGetterSetter.h + runtime/DOMAnnotation.h + runtime/DOMAttributeGetterSetter.h + runtime/DataView.h + runtime/DateInstance.h + runtime/DateInstanceCache.h + runtime/DefinePropertyAttributes.h + runtime/DirectArgumentsOffset.h + runtime/DirectEvalExecutable.h + runtime/DisallowScope.h + runtime/DisallowVMReentry.h + runtime/DumpContext.h + runtime/EnumerationMode.h + runtime/Error.h + runtime/ErrorHandlingScope.h + runtime/ErrorInstance.h + runtime/ErrorPrototype.h + 
runtime/ErrorType.h + runtime/EvalExecutable.h + runtime/Exception.h + runtime/ExceptionEventLocation.h + runtime/ExceptionHelpers.h + runtime/ExceptionScope.h + runtime/ExecutableBase.h + runtime/ExecutableBaseInlines.h + runtime/Float32Array.h + runtime/Float64Array.h + runtime/FunctionConstructor.h + runtime/FunctionExecutable.h + runtime/FunctionHasExecutedCache.h + runtime/FunctionPrototype.h + runtime/FunctionRareData.h + runtime/FuzzerAgent.h + runtime/GenericOffset.h + runtime/GenericTypedArrayView.h + runtime/GenericTypedArrayViewInlines.h + runtime/GetPutInfo.h + runtime/GlobalExecutable.h + runtime/HashMapImpl.h + runtime/Identifier.h + runtime/IdentifierInlines.h + runtime/IndexingHeader.h + runtime/IndexingHeaderInlines.h + runtime/IndexingType.h + runtime/InferredValue.h + runtime/InitializeThreading.h + runtime/Int16Array.h + runtime/Int32Array.h + runtime/Int8Array.h + runtime/InternalFunction.h + runtime/Intrinsic.h + runtime/IterationKind.h + runtime/IterationStatus.h + runtime/IteratorOperations.h + runtime/IteratorPrototype.h + runtime/JSArray.h + runtime/JSArrayBuffer.h + runtime/JSArrayBufferPrototype.h + runtime/JSArrayBufferView.h + runtime/JSArrayBufferViewInlines.h + runtime/JSBigInt.h + runtime/JSCInlines.h + runtime/JSCJSValue.h + runtime/JSCJSValueInlines.h + runtime/JSCPtrTag.h + runtime/JSCallee.h + runtime/JSCast.h + runtime/JSCell.h + runtime/JSCellInlines.h + runtime/JSDataView.h + runtime/JSDestructibleObject.h + runtime/JSDestructibleObjectHeapCellType.h + runtime/JSExportMacros.h + runtime/JSFunction.h + runtime/JSFunctionInlines.h + runtime/JSGenericTypedArrayView.h + runtime/JSGenericTypedArrayViewInlines.h + runtime/JSGenericTypedArrayViewPrototype.h + runtime/JSGenericTypedArrayViewPrototypeInlines.h + runtime/JSGlobalLexicalEnvironment.h + runtime/JSGlobalObject.h + runtime/JSGlobalObjectFunctions.h + runtime/JSGlobalObjectInlines.h + runtime/JSImmutableButterfly.h + runtime/JSInternalPromise.h + 
runtime/JSInternalPromiseDeferred.h + runtime/JSMicrotask.h + runtime/JSLock.h + runtime/JSMap.h + runtime/JSMapIterator.h + runtime/JSModuleLoader.h + runtime/JSModuleRecord.h + runtime/JSNativeStdFunction.h + runtime/JSNonDestructibleProxy.h + runtime/JSONObject.h + runtime/JSObject.h + runtime/JSObjectInlines.h + runtime/JSPromise.h + runtime/JSPromiseConstructor.h + runtime/JSPromiseDeferred.h + runtime/JSPropertyNameEnumerator.h + runtime/JSProxy.h + runtime/JSRunLoopTimer.h + runtime/JSScope.h + runtime/JSScriptFetchParameters.h + runtime/JSScriptFetcher.h + runtime/JSSegmentedVariableObject.h + runtime/JSSet.h + runtime/JSSetIterator.h + runtime/JSSourceCode.h + runtime/JSString.h + runtime/JSStringInlines.h + runtime/JSSymbolTableObject.h + runtime/JSType.h + runtime/JSTypeInfo.h + runtime/JSTypedArrays.h + runtime/JSWithScope.h + runtime/JSWrapperObject.h + runtime/LazyClassStructure.h + runtime/LazyProperty.h + runtime/LeafExecutable.h + runtime/Lookup.h + runtime/MatchResult.h + runtime/MathCommon.h + runtime/MemoryStatistics.h + runtime/Microtask.h + runtime/ModuleProgramExecutable.h + runtime/NativeExecutable.h + runtime/NativeFunction.h + runtime/NumberObject.h + runtime/NumberPrototype.h + runtime/NumericStrings.h + runtime/ObjectConstructor.h + runtime/ObjectInitializationScope.h + runtime/ObjectPrototype.h + runtime/Operations.h + runtime/Options.h + runtime/ParseInt.h + runtime/PrivateName.h + runtime/ProgramExecutable.h + runtime/PromiseDeferredTimer.h + runtime/PropertyDescriptor.h + runtime/PropertyMapHashTable.h + runtime/PropertyName.h + runtime/PropertyNameArray.h + runtime/PropertyOffset.h + runtime/PropertySlot.h + runtime/PropertyStorage.h + runtime/Protect.h + runtime/PrototypeKey.h + runtime/PureNaN.h + runtime/PutDirectIndexMode.h + runtime/PutPropertySlot.h + runtime/RegExp.h + runtime/RegExpCachedResult.h + runtime/RegExpGlobalData.h + runtime/RegExpKey.h + runtime/RegExpObject.h + runtime/RegExpStringIteratorPrototype.h + 
runtime/RuntimeFlags.h + runtime/RuntimeType.h + runtime/SamplingProfiler.h + runtime/ScopeOffset.h + runtime/ScopedArgumentsTable.h + runtime/ScriptExecutable.h + runtime/ScriptFetchParameters.h + runtime/ScriptFetcher.h + runtime/SlowPathReturnType.h + runtime/SmallStrings.h + runtime/SourceOrigin.h + runtime/SparseArrayValueMap.h + runtime/StackAlignment.h + runtime/StackFrame.h + runtime/StringObject.h + runtime/StringPrototype.h + runtime/Structure.h + runtime/StructureCache.h + runtime/StructureChain.h + runtime/StructureIDBlob.h + runtime/StructureIDTable.h + runtime/StructureInlines.h + runtime/StructureRareData.h + runtime/StructureRareDataInlines.h + runtime/StructureTransitionTable.h + runtime/SubspaceAccess.h + runtime/Symbol.h + runtime/SymbolPrototype.h + runtime/SymbolTable.h + runtime/SymbolTableOrScopeDepth.h + runtime/TemplateObjectDescriptor.h + runtime/TestRunnerUtils.h + runtime/ThrowScope.h + runtime/ToNativeFromValue.h + runtime/TypeError.h + runtime/TypeSet.h + runtime/TypedArrayAdaptors.h + runtime/TypedArrayController.h + runtime/TypedArrayInlines.h + runtime/TypedArrayType.h + runtime/TypedArrays.h + runtime/TypeofType.h + runtime/Uint16Array.h + runtime/Uint32Array.h + runtime/Uint8Array.h + runtime/Uint8ClampedArray.h + runtime/VM.h + runtime/VMEntryScope.h + runtime/VMInlines.h + runtime/VMTraps.h + runtime/VarOffset.h + runtime/Watchdog.h + runtime/WeakGCMap.h + runtime/WeakGCMapInlines.h + runtime/WriteBarrier.h + runtime/WriteBarrierInlines.h + + wasm/WasmCapabilities.h + wasm/WasmCodeBlock.h + wasm/WasmContext.h + wasm/WasmEmbedder.h + wasm/WasmExceptionType.h + wasm/WasmFaultSignalHandler.h + wasm/WasmIndexOrName.h + wasm/WasmMemory.h + wasm/WasmMemoryMode.h + wasm/WasmModule.h + wasm/WasmName.h + wasm/WasmNameSection.h + wasm/WasmPageCount.h + wasm/WasmTierUpCount.h + + wasm/js/JSWebAssemblyModule.h + wasm/js/WebAssemblyPrototype.h + + + yarr/RegularExpression.h + yarr/Yarr.h + yarr/YarrErrorCode.h + yarr/YarrFlags.h + 
yarr/YarrInterpreter.h
+ yarr/YarrJIT.h
+ yarr/YarrParser.h
+ yarr/YarrPattern.h
+ yarr/YarrUnicodeProperties.h
+)
+
+# GENERATOR 1-B: particular LUT creator (for 1 file only)
+GENERATE_HASH_LUT(${CMAKE_CURRENT_SOURCE_DIR}/parser/Keywords.table ${JavaScriptCore_DERIVED_SOURCES_DIR}/Lexer.lut.h)
+
+file(MAKE_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr)
+
+#GENERATOR: "RegExpJitTables.h": tables used by Yarr
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/RegExpJitTables.h
+ MAIN_DEPENDENCY ${CMAKE_CURRENT_SOURCE_DIR}/yarr/create_regex_tables
+ COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/yarr/create_regex_tables ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/RegExpJitTables.h
+ VERBATIM)
+list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/RegExpJitTables.h)
+WEBKIT_ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/yarr/YarrPattern.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/RegExpJitTables.h)
+
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/UnicodePatternTables.h
+ MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/yarr/generateYarrUnicodePropertyTables.py
+ DEPENDS ${JAVASCRIPTCORE_DIR}/yarr/hasher.py ${JAVASCRIPTCORE_DIR}/ucd/DerivedBinaryProperties.txt ${JAVASCRIPTCORE_DIR}/ucd/DerivedCoreProperties.txt ${JAVASCRIPTCORE_DIR}/ucd/DerivedNormalizationProps.txt ${JAVASCRIPTCORE_DIR}/ucd/PropList.txt ${JAVASCRIPTCORE_DIR}/ucd/PropertyAliases.txt ${JAVASCRIPTCORE_DIR}/ucd/PropertyValueAliases.txt ${JAVASCRIPTCORE_DIR}/ucd/ScriptExtensions.txt ${JAVASCRIPTCORE_DIR}/ucd/Scripts.txt ${JAVASCRIPTCORE_DIR}/ucd/UnicodeData.txt ${JAVASCRIPTCORE_DIR}/ucd/emoji-data.txt
+ COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/yarr/generateYarrUnicodePropertyTables.py ${JAVASCRIPTCORE_DIR}/ucd ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/UnicodePatternTables.h
+ VERBATIM)
+list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/UnicodePatternTables.h)
+WEBKIT_ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/yarr/UnicodePatternTables.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/UnicodePatternTables.h)
+
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/YarrCanonicalizeUnicode.cpp
+ MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/yarr/generateYarrCanonicalizeUnicode
+ DEPENDS ${JAVASCRIPTCORE_DIR}/ucd/CaseFolding.txt
+ COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/yarr/generateYarrCanonicalizeUnicode ${JAVASCRIPTCORE_DIR}/ucd/CaseFolding.txt ${JavaScriptCore_DERIVED_SOURCES_DIR}/yarr/YarrCanonicalizeUnicode.cpp
+ VERBATIM)
+
+#GENERATOR: "IntlCanonicalizeLanguage.h": tables used by Intl
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h
+ MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/Scripts/generateIntlCanonicalizeLanguage.py
+ DEPENDS ${JAVASCRIPTCORE_DIR}/ucd/language-subtag-registry.txt
+ COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/Scripts/generateIntlCanonicalizeLanguage.py ${JAVASCRIPTCORE_DIR}/ucd/language-subtag-registry.txt ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h
+ VERBATIM)
+list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h)
+WEBKIT_ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/runtime/IntlObject.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/IntlCanonicalizeLanguage.h)
+
+#GENERATOR: "KeywordLookup.h": keyword decision tree used by the lexer
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/KeywordLookup.h
+ MAIN_DEPENDENCY ${CMAKE_CURRENT_SOURCE_DIR}/KeywordLookupGenerator.py
+ DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/parser/Keywords.table
+ COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/KeywordLookupGenerator.py ${CMAKE_CURRENT_SOURCE_DIR}/parser/Keywords.table > ${JavaScriptCore_DERIVED_SOURCES_DIR}/KeywordLookup.h
+ VERBATIM)
+list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/KeywordLookup.h)
+WEBKIT_ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/parser/Lexer.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/KeywordLookup.h)
+
+
+# Inspector Interfaces
+
+set(JavaScriptCore_INSPECTOR_SCRIPTS_DIR "${JAVASCRIPTCORE_DIR}/inspector/scripts")
+
+set(JavaScriptCore_INSPECTOR_PROTOCOL_SCRIPTS
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-inspector-protocol-bindings.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/cpp_generator.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/cpp_generator_templates.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_js_backend_commands.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_backend_dispatcher_header.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_backend_dispatcher_implementation.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_frontend_dispatcher_header.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_frontend_dispatcher_implementation.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_protocol_types_header.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_protocol_types_implementation.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generator.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generator_templates.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/__init__.py
+ ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/models.py
+)
+
+set(JavaScriptCore_INSPECTOR_DOMAINS
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/ApplicationCache.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Audit.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/CSS.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Canvas.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Console.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/DOM.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/DOMDebugger.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/DOMStorage.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Database.json
+ 
${JAVASCRIPTCORE_DIR}/inspector/protocol/Debugger.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/GenericTypes.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Heap.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Inspector.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/LayerTree.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Network.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Page.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Recording.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Runtime.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/ScriptProfiler.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Security.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Target.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Timeline.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Worker.json
+)
+
+if (ENABLE_INDEXED_DATABASE)
+ list(APPEND JavaScriptCore_INSPECTOR_DOMAINS
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/IndexedDB.json
+ )
+endif ()
+
+if (ENABLE_RESOURCE_USAGE)
+ list(APPEND JavaScriptCore_INSPECTOR_DOMAINS
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/CPUProfiler.json
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/Memory.json
+ )
+endif ()
+
+if (ENABLE_SERVICE_WORKER)
+ list(APPEND JavaScriptCore_INSPECTOR_DOMAINS
+ ${JAVASCRIPTCORE_DIR}/inspector/protocol/ServiceWorker.json
+ )
+endif ()
+
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json
+ MAIN_DEPENDENCY ${JavaScriptCore_SCRIPTS_DIR}/generate-combined-inspector-json.py
+ DEPENDS ${JavaScriptCore_INSPECTOR_DOMAINS}
+ COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_SCRIPTS_DIR}/generate-combined-inspector-json.py ${JavaScriptCore_INSPECTOR_DOMAINS} > ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json
+ VERBATIM)
+
+# Inspector Backend Dispatchers, Frontend Dispatchers, Type Builders
+file(MAKE_DIRECTORY ${DERIVED_SOURCES_WEBINSPECTORUI_DIR}/UserInterface/Protocol)
+file(MAKE_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector)
+add_custom_command(
+ OUTPUT 
${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendDispatchers.cpp
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendDispatchers.h
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorFrontendDispatchers.cpp
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorFrontendDispatchers.h
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorProtocolObjects.cpp
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorProtocolObjects.h
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendCommands.js
+ MAIN_DEPENDENCY ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json
+ DEPENDS ${JavaScriptCore_INSPECTOR_PROTOCOL_SCRIPTS}
+ COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-inspector-protocol-bindings.py --outputDir "${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector" --framework JavaScriptCore ${JavaScriptCore_DERIVED_SOURCES_DIR}/CombinedDomains.json
+ VERBATIM)
+
+# JSCBuiltins
+
+set(BUILTINS_GENERATOR_SCRIPTS
+ ${JavaScriptCore_SCRIPTS_DIR}/wkbuiltins.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generator.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_model.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_templates.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_combined_header.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_combined_implementation.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_separate_header.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_separate_implementation.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_wrapper_header.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_wrapper_implementation.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_internals_wrapper_header.py
+ ${JavaScriptCore_SCRIPTS_DIR}/builtins_generate_internals_wrapper_implementation.py
+ ${JavaScriptCore_SCRIPTS_DIR}/generate-js-builtins.py
+ ${JavaScriptCore_SCRIPTS_DIR}/lazywriter.py
+)
+
+set(JavaScriptCore_BUILTINS_SOURCES
+ 
${JAVASCRIPTCORE_DIR}/builtins/AsyncFromSyncIteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/ArrayConstructor.js
+ ${JAVASCRIPTCORE_DIR}/builtins/ArrayIteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/ArrayPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/AsyncFunctionPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/AsyncIteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/AsyncGeneratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/DatePrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/FunctionPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/GeneratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/GlobalObject.js
+ ${JAVASCRIPTCORE_DIR}/builtins/GlobalOperations.js
+ ${JAVASCRIPTCORE_DIR}/builtins/InspectorInstrumentationObject.js
+ ${JAVASCRIPTCORE_DIR}/builtins/InternalPromiseConstructor.js
+ ${JAVASCRIPTCORE_DIR}/builtins/IteratorHelpers.js
+ ${JAVASCRIPTCORE_DIR}/builtins/IteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/MapIteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/MapPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/ModuleLoader.js
+ ${JAVASCRIPTCORE_DIR}/builtins/NumberConstructor.js
+ ${JAVASCRIPTCORE_DIR}/builtins/ObjectConstructor.js
+ ${JAVASCRIPTCORE_DIR}/builtins/PromiseConstructor.js
+ ${JAVASCRIPTCORE_DIR}/builtins/PromiseOperations.js
+ ${JAVASCRIPTCORE_DIR}/builtins/PromisePrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/ReflectObject.js
+ ${JAVASCRIPTCORE_DIR}/builtins/RegExpPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/RegExpStringIteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/SetIteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/SetPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/StringConstructor.js
+ ${JAVASCRIPTCORE_DIR}/builtins/StringIteratorPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/StringPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/TypedArrayConstructor.js
+ ${JAVASCRIPTCORE_DIR}/builtins/TypedArrayPrototype.js
+ ${JAVASCRIPTCORE_DIR}/builtins/WebAssemblyPrototype.js
+)
+
+add_custom_command(
+ OUTPUT 
${JavaScriptCore_DERIVED_SOURCES_DIR}/JSCBuiltins.cpp ${JavaScriptCore_DERIVED_SOURCES_DIR}/JSCBuiltins.h
+ MAIN_DEPENDENCY ${JavaScriptCore_SCRIPTS_DIR}/generate-js-builtins.py
+ DEPENDS ${JavaScriptCore_BUILTINS_SOURCES} ${BUILTINS_GENERATOR_SCRIPTS}
+ COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_SCRIPTS_DIR}/generate-js-builtins.py --framework JavaScriptCore --output-directory ${JavaScriptCore_DERIVED_SOURCES_DIR} --combined ${JavaScriptCore_BUILTINS_SOURCES}
+ VERBATIM)
+
+list(APPEND JavaScriptCore_HEADERS
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorBackendDispatchers.h
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorFrontendDispatchers.h
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/inspector/InspectorProtocolObjects.h
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/JSCBuiltins.h
+)
+
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcode.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcodeGenerated.h
+ MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/b3/air/AirOpcode.opcodes
+ DEPENDS ${JAVASCRIPTCORE_DIR}/b3/air/opcode_generator.rb
+ COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/b3/air/opcode_generator.rb ${JAVASCRIPTCORE_DIR}/b3/air/AirOpcode.opcodes VERBATIM
+ WORKING_DIRECTORY ${JavaScriptCore_DERIVED_SOURCES_DIR}
+)
+
+list(APPEND JavaScriptCore_HEADERS
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcode.h
+ ${JavaScriptCore_DERIVED_SOURCES_DIR}/AirOpcodeGenerated.h
+)
+
+add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.h ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.min.js
+ MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/inspector/InjectedScriptSource.js
+ DEPENDS ${JavaScriptCore_SCRIPTS_DIR}/xxd.pl ${JavaScriptCore_SCRIPTS_DIR}/jsmin.py
+ COMMAND ${CMAKE_COMMAND} -E echo "//# sourceURL=__InjectedScript_InjectedScriptSource.js" > ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.min.js
+ COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_SCRIPTS_DIR}/jsmin.py < 
${JAVASCRIPTCORE_DIR}/inspector/InjectedScriptSource.js >> ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.min.js
+ COMMAND ${PERL_EXECUTABLE} ${JavaScriptCore_SCRIPTS_DIR}/xxd.pl InjectedScriptSource_js ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.min.js ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.h
+ VERBATIM)
+
+list(APPEND JavaScriptCore_HEADERS ${JavaScriptCore_DERIVED_SOURCES_DIR}/InjectedScriptSource.h)
+
+if (WTF_CPU_X86_64)
+ if (MSVC AND NOT ENABLE_C_LOOP)
+ add_custom_command(
+ OUTPUT ${JavaScriptCore_DERIVED_SOURCES_DIR}/JITStubsMSVC64.obj
+ MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/jit/JITStubsMSVC64.asm
+ COMMAND ml64 -nologo -c -Fo ${JavaScriptCore_DERIVED_SOURCES_DIR}/JITStubsMSVC64.obj ${JAVASCRIPTCORE_DIR}/jit/JITStubsMSVC64.asm
+ VERBATIM)
+
+ list(APPEND JavaScriptCore_SOURCES ${JavaScriptCore_DERIVED_SOURCES_DIR}/JITStubsMSVC64.obj)
+ endif ()
+endif ()
+
+WEBKIT_FRAMEWORK_DECLARE(JavaScriptCore)
+WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS()
+
+if (COMPILER_IS_GCC_OR_CLANG)
+ # Avoid using fused multiply-add instructions since this could give different results
+ # for e.g. parseInt depending on the platform and compilation flags.
+ WEBKIT_ADD_TARGET_CXX_FLAGS(JavaScriptCore -ffp-contract=off)
+endif ()
+
+WEBKIT_MAKE_FORWARDING_HEADERS(JavaScriptCore
+ TARGET_NAME JavaScriptCoreFrameworkHeaders
+ DESTINATION ${JavaScriptCore_FRAMEWORK_HEADERS_DIR}/JavaScriptCore
+ FILES ${JavaScriptCore_PUBLIC_FRAMEWORK_HEADERS}
+ FLATTENED
+)
+
+WEBKIT_MAKE_FORWARDING_HEADERS(JavaScriptCore
+ TARGET_NAME JavaScriptCorePrivateFrameworkHeaders
+ DESTINATION ${JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS_DIR}/JavaScriptCore
+ FILES ${JavaScriptCore_PRIVATE_FRAMEWORK_HEADERS}
+ FLATTENED
+)
+
+target_include_directories(LLIntSettingsExtractor PRIVATE
+ ${JavaScriptCore_INCLUDE_DIRECTORIES}
+ ${JavaScriptCore_PRIVATE_INCLUDE_DIRECTORIES}
+)
+target_include_directories(LLIntSettingsExtractor SYSTEM PRIVATE ${JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES})
+
+target_include_directories(LLIntOffsetsExtractor PRIVATE
+ ${JavaScriptCore_INCLUDE_DIRECTORIES}
+ ${JavaScriptCore_PRIVATE_INCLUDE_DIRECTORIES}
+)
+target_include_directories(LLIntOffsetsExtractor SYSTEM PRIVATE ${JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES})
+
+add_subdirectory(shell)
+
+WEBKIT_COMPUTE_SOURCES(JavaScriptCore)
+WEBKIT_WRAP_SOURCELIST(${JavaScriptCore_SOURCES})
+WEBKIT_FRAMEWORK(JavaScriptCore)
+
+if (NOT "${PORT}" STREQUAL "Mac")
+ if (${JavaScriptCore_LIBRARY_TYPE} STREQUAL "SHARED")
+ WEBKIT_POPULATE_LIBRARY_VERSION(JAVASCRIPTCORE)
+ set_target_properties(JavaScriptCore PROPERTIES VERSION ${JAVASCRIPTCORE_VERSION} SOVERSION ${JAVASCRIPTCORE_VERSION_MAJOR})
+ install(TARGETS JavaScriptCore DESTINATION "${LIB_INSTALL_DIR}")
+ endif ()
+endif ()
+
+# Force staging of shared scripts, even if they aren't directly used to build JavaScriptCore.
+
+add_custom_target(stageSharedScripts DEPENDS ${JavaScriptCore_SCRIPTS})
+add_dependencies(JavaScriptCore stageSharedScripts ${JavaScriptCore_EXTRA_DEPENDENCIES})
+
+if (USE_VERSION_STAMPER)
+ add_custom_command(
+ TARGET JavaScriptCore
+ PRE_BUILD
+ COMMAND ${PERL_EXECUTABLE} ${WEBKIT_LIBRARIES_DIR}/tools/scripts/auto-version.pl ${JavaScriptCore_DERIVED_SOURCES_DIR}
+ VERBATIM)
+
+ add_custom_command(
+ TARGET JavaScriptCore
+ POST_BUILD
+ COMMAND ${PERL_EXECUTABLE} ${WEBKIT_LIBRARIES_DIR}/tools/scripts/version-stamp.pl ${JavaScriptCore_DERIVED_SOURCES_DIR} $
+ VERBATIM)
+endif ()
diff --git a/ChangeLog b/ChangeLog
index f16bc21..e6637b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,17229 +1,5190 @@ -2017-08-09 Jason Marcell +2019-11-04 Kocsen Chung - Cherry-pick r220346. rdar://problem/33805219 + Cherry-pick r248552. rdar://problem/56868427 - 2017-08-07 Commit Queue + Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizinging on the flexibleAppend() implementation + https://bugs.webkit.org/show_bug.cgi?id=200614 + + Reviewed by Darin Adler. + + Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and + StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...). + + Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to + StringBuilder::appendSubstring(...). + + Source/JavaScriptCore: + + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * runtime/ConfigFile.cpp: + (JSC::ConfigFile::parse): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lexStringSlow): + * tools/FunctionOverrides.cpp: + (JSC::parseClause): + Update for renames. + + Source/WebCore: + + * dom/Range.cpp: + (WebCore::Range::toString const): + * editing/Editing.cpp: + (WebCore::stringWithRebalancedWhitespace): + * editing/MarkupAccumulator.cpp: + (WebCore::appendCharactersReplacingEntitiesInternal): + * editing/TextIterator.cpp: + (WebCore::TextIteratorCopyableText::appendToStringBuilder const): + * html/HTMLTextFormControlElement.cpp: + (WebCore::HTMLTextFormControlElement::valueWithHardLineBreaks const): + * html/parser/HTMLTokenizer.cpp: + (WebCore::HTMLTokenizer::bufferedCharacters const): + * platform/graphics/avfoundation/InbandTextTrackPrivateAVF.cpp: + (WebCore::InbandTextTrackPrivateAVF::processNativeSamples): + * platform/text/SegmentedString.cpp: + (WebCore::SegmentedString::Substring::appendTo const): + * platform/text/TextCodecICU.cpp: + (WebCore::TextCodecICU::decode): + * xml/XSLTProcessorLibxslt.cpp: + (WebCore::writeToStringBuilder): + Update for renames. 
+ + Source/WebKit: + + * Shared/mac/AuxiliaryProcessMac.mm: + (WebKit::setAndSerializeSandboxParameters): + * UIProcess/WebProcessPool.cpp: + (WebKit::WebProcessPool::didReceiveInvalidMessage): + Update for renames. + + Source/WTF: + + * wtf/HexNumber.h: + (WTF::appendUnsignedAsHexFixedSize): + Add overload that explicitly takes a StringBuilder to work around rename from append to appendCharacters. + + * wtf/text/StringBuilder.cpp: + (WTF::StringBuilder::appendCharacters): + (WTF::StringBuilder::append): + * wtf/text/StringBuilder.h: + (WTF::StringBuilder::appendCharacters): + (WTF::StringBuilder::append): + (WTF::StringBuilder::appendSubstring): + (WTF::StringBuilder::appendLiteral): + (WTF::IntegerToStringConversionTrait::flush): + Update for renames. + + Tools: + + * TestWebKitAPI/Tests/WTF/StringBuilder.cpp: + (TestWebKitAPI::TEST): + Update for renames. + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248552 268f45cc-cd09-0410-ab3c-d52691b4dbfc - Unreviewed, rolling out r220144. - https://bugs.webkit.org/show_bug.cgi?id=175276 + 2019-08-12 Sam Weinig - "It did not actually speed things up in the way I expected" - (Requested by saamyjoon on #webkit). + Replace multiparameter overloads of append() in StringBuilder as a first step toward standardizinging on the flexibleAppend() implementation + https://bugs.webkit.org/show_bug.cgi?id=200614 - Reverted changeset: + Reviewed by Darin Adler. - "On memory-constrained iOS devices, reduce the rate at which - the JS heap grows before a GC to try to keep more memory - available for the system" - https://bugs.webkit.org/show_bug.cgi?id=175041 - http://trac.webkit.org/changeset/220144 + Renames StringBuilder::append(const LChar*, unsigned), StringBuilder::append(const UChar*, unsigned) and + StringBuilder::append(const char*, unsigned) to StringBuilder::appendCharacters(...). 
-2017-08-02 Jason Marcell + Renames StringBuilder::append(const String& string, unsigned offset, unsigned length) to + StringBuilder::appendSubstring(...). - Cherry-pick r220144. rdar://problem/33687404 + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * runtime/ConfigFile.cpp: + (JSC::ConfigFile::parse): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lexStringSlow): + * tools/FunctionOverrides.cpp: + (JSC::parseClause): + Update for renames. - 2017-08-02 Saam Barati +2019-10-20 Babak Shafiei - On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system - https://bugs.webkit.org/show_bug.cgi?id=175041 - + Cherry-pick r249538. rdar://problem/56426429 - Reviewed by Filip Pizlo. + LazyClassStructure::setConstructor should not store the constructor to the global object + https://bugs.webkit.org/show_bug.cgi?id=201484 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/web-assembly-constructors-should-not-override-global-object-property.js: Added. + + Source/JavaScriptCore: + + LazyClassStructure::setConstructor sets the constructor as a property of the global object. + This became a problem when it started being used for WebAssembly constructors, such as Module + and Instance, since they are properties of the WebAssembly object, not the global object. That + resulted in properties of the global object replaced whenever a lazy WebAssembly constructor + was first accessed. e.g. 
+ + globalThis.Module = x; + WebAssembly.Module; + globalThis.Module === WebAssembly.Module; + + * runtime/LazyClassStructure.cpp: + (JSC::LazyClassStructure::Initializer::setConstructor): + * runtime/LazyClassStructure.h: + * runtime/Lookup.h: + (JSC::reifyStaticProperty): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249538 268f45cc-cd09-0410-ab3c-d52691b4dbfc - The testing I have done shows that this new function is a ~10% - progression running JetStream on 1GB iOS devices. I've also tried - this on a few > 1GB iOS devices, and the testing shows this is either neutral - or a regression. Right now, we'll just enable this for <= 1GB devices - since it's a win. In the future, we might want to either look into - tweaking these parameters or coming up with a new function for > 1GB - devices. + 2019-09-05 Tadeu Zagallo - * heap/Heap.cpp: - * runtime/Options.h: + LazyClassStructure::setConstructor should not store the constructor to the global object + https://bugs.webkit.org/show_bug.cgi?id=201484 + -2017-07-31 Jason Marcell + Reviewed by Yusuke Suzuki. - Cherry-pick r220012. rdar://problem/33619526 + LazyClassStructure::setConstructor sets the constructor as a property of the global object. + This became a problem when it started being used for WebAssembly constructors, such as Module + and Instance, since they are properties of the WebAssembly object, not the global object. That + resulted in properties of the global object replaced whenever a lazy WebAssembly constructor + was first accessed. e.g. - 2017-07-28 Mark Lam + globalThis.Module = x; + WebAssembly.Module; + globalThis.Module === WebAssembly.Module; - ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently. - https://bugs.webkit.org/show_bug.cgi?id=174948 - + * runtime/LazyClassStructure.cpp: + (JSC::LazyClassStructure::Initializer::setConstructor): + * runtime/LazyClassStructure.h: + * runtime/Lookup.h: + (JSC::reifyStaticProperty): - Reviewed by Filip Pizlo. 
+2019-10-15 Kocsen Chung - ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData. If its - owner StructureRareData is already known to be dead (in terms of GC liveness) but - hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all - requests to fire this watchpoint. + Cherry-pick r250629. rdar://problem/56280996 - If the GC had the chance to sweep the StructureRareData, thereby destructing the - ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed - itself from the WatchpointSet it was on. Hence, it would not have been fired. + FTL OSR exit shouldn't bother updating get_by_id array profiles that have changed modes + https://bugs.webkit.org/show_bug.cgi?id=202493 + + Reviewed by Saam Barati. + + I added this optimization for DFG but forgot to do it for the FTL + at the same time. This patch rectifies that. + + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250629 268f45cc-cd09-0410-ab3c-d52691b4dbfc - But since the watchpoint hasn't been destructed yet, it still remains on the - WatchpointSet and needs to guard against being fired in this state. The fix is - to simply return early if its owner StructureRareData is not live. This has the - effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint - not firing as we would expect. + 2019-10-02 Keith Miller - This patch also removes some cargo cult copying of watchpoint code which - instantiates a StringFireDetail. In a few cases, that StringFireDetail is never - used. This patch removes these unnecessary instantiations. 
- - * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: - (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal): - * runtime/StructureRareData.cpp: - (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal): - (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): - -2017-07-28 Jason Marcell - - Cherry-pick r219895. rdar://problem/33595450 - - 2017-07-25 Keith Miller - - Remove Broken CompareEq constant folding phase. - https://bugs.webkit.org/show_bug.cgi?id=174846 - + FTL OSR exit shouldn't bother updating get_by_id array profiles that have changed modes + https://bugs.webkit.org/show_bug.cgi?id=202493 Reviewed by Saam Barati. - This bug happened when we would get code like the following: + I added this optimization for DFG but forgot to do it for the FTL + at the same time. This patch rectifies that. - a: JSConst(Undefined) - b: GetLocal(SomeObjectOrUndefined) + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + +2019-10-15 Kocsen Chung + + Cherry-pick r250585. rdar://problem/56280995 + + ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid + https://bugs.webkit.org/show_bug.cgi?id=199361 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/allocation-sinking-hints-are-valid-ssa-2.js: Added. + (main.fn): + (main.executor): + (main): + * stress/allocation-sinking-hints-are-valid-ssa.js: Added. + (main.fn): + (main.executor): + (main): + + Source/JavaScriptCore: + + In a prior fix to the object allocation sinking phase, I added code where we + made sure to insert PutHints over Phis for fields of an object at control flow + merge points. However, that code didn't consider that the base of the PutHint + may no longer be a valid heap location. This could cause us to emit invalid + SSA code by referring to a node which does not dominate the PutHint location. + This patch fixes the bug to only emit the PutHints when valid. 
+ + This patch also makes it so that DFGValidate actually validates that the graph + is in valid SSA form. E.g, any use of a node N must be dominated by N. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGValidate.cpp: + + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250585 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-10-01 Saam Barati + + ObjectAllocationSinkingPhase shouldn't insert hints for allocations which are no longer valid + https://bugs.webkit.org/show_bug.cgi?id=199361 + + + Reviewed by Yusuke Suzuki. + + In a prior fix to the object allocation sinking phase, I added code where we + made sure to insert PutHints over Phis for fields of an object at control flow + merge points. However, that code didn't consider that the base of the PutHint + may no longer be a valid heap location. This could cause us to emit invalid + SSA code by referring to a node which does not dominate the PutHint location. + This patch fixes the bug to only emit the PutHints when valid. + + This patch also makes it so that DFGValidate actually validates that the graph + is in valid SSA form. E.g, any use of a node N must be dominated by N. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGValidate.cpp: + +2019-10-15 Kocsen Chung + + Cherry-pick r249959. rdar://problem/56280989 + + CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage + https://bugs.webkit.org/show_bug.cgi?id=201853 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/direct-arguments-check-array-filter-type.js: Added. + (foo): + + Source/JavaScriptCore: + + We were claiming CheckArray for ScopedArguments/DirectArguments was filtering + out SlowPutArrayStorage. It does no such thing. We just check that the object + is either ScopedArguments/DirectArguments. 
+ + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): + (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): + (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted. + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249959 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-09-17 Saam Barati + + CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage + https://bugs.webkit.org/show_bug.cgi?id=201853 + + + Reviewed by Yusuke Suzuki. + + We were claiming CheckArray for ScopedArguments/DirectArguments was filtering + out SlowPutArrayStorage. It does no such thing. We just check that the object + is either ScopedArguments/DirectArguments. + + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): + (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const): + (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted. + +2019-09-30 Babak Shafiei + + Cherry-pick r250058. rdar://problem/55826329 + + Phantom insertion phase may disagree with arguments forwarding about live ranges + https://bugs.webkit.org/show_bug.cgi?id=200715 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/phantom-insertion-live-range-should-agree-with-arguments-forwarding.js: Added. + (main.v23): + (main.try.v43): + (main.): + (main): + + Source/JavaScriptCore: + + The issue is that Phantom insertion phase was disagreeing about live ranges + from the arguments forwarding phase. The effect is that Phantom insertion + would insert a Phantom creating a longer live range than what arguments + forwarding was analyzing. Arguments forwarding will look for the last DFG + use or the last bytecode use of a variable it wants to eliminate. It then + does an interference analysis to ensure that nothing clobbers other variables + it needs to recover the sunken allocation during OSR exit. + + Phantom insertion works by ordering the program into OSR exit epochs. 
If a value was used + in the current epoch, there is no need to insert a phantom for it. We + determine where we might need a Phantom by looking at bytecode kills. In this + analysis, we have a mapping from bytecode local to DFG node. However, we + sometimes forgot to remove the entry when a local is killed. So, if the first + kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design. + However, if the variable gets killed again, we might errantly insert a Phantom + for the prior variable which should've already been killed. The solution is to + clear the entry in our mapping when a variable is killed. + + The program in question was like this: + + 1: DirectArguments + ... + 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 + ... + clobber things needed for recovery + ... + + Arguments elimination would transform the program since between @1 and + @2, nothing clobbers values needed for exit and nothing escapes @1. The + program becomes: + + 1: PhantomDirectArguments + ... + 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 + ... + clobber things needed for recovery of @1 + ... + + + Phantom insertion would then transform the program into: + + 1: PhantomDirectArguments + ... + 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 + ... + clobber things needed for recovery of @1 + ... + 3: Phantom(@1) + ... + + This is wrong because Phantom insertion and arguments forwarding must agree on live + ranges, otherwise the interference analysis performed by arguments forwarding will + not correctly analyze up until where the value might be recovered. 
+ + * dfg/DFGPhantomInsertionPhase.cpp: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250058 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-09-18 Saam Barati + + Phantom insertion phase may disagree with arguments forwarding about live ranges + https://bugs.webkit.org/show_bug.cgi?id=200715 + + + Reviewed by Yusuke Suzuki. + + The issue is that Phantom insertion phase was disagreeing about live ranges + from the arguments forwarding phase. The effect is that Phantom insertion + would insert a Phantom creating a longer live range than what arguments + forwarding was analyzing. Arguments forwarding will look for the last DFG + use or the last bytecode use of a variable it wants to eliminate. It then + does an interference analysis to ensure that nothing clobbers other variables + it needs to recover the sunken allocation during OSR exit. + + Phantom insertion works by ordering the program into OSR exit epochs. If a value was used + in the current epoch, there is no need to insert a phantom for it. We + determine where we might need a Phantom by looking at bytecode kills. In this + analysis, we have a mapping from bytecode local to DFG node. However, we + sometimes forgot to remove the entry when a local is killed. So, if the first + kill of a variable is in the same OSR exit epoch, we won't insert a Phantom by design. + However, if the variable gets killed again, we might errantly insert a Phantom + for the prior variable which should've already been killed. The solution is to + clear the entry in our mapping when a variable is killed. + + The program in question was like this: + + 1: DirectArguments ... - c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a) - - constant folding will turn this into: - - a: JSConst(Undefined) - b: GetLocal(SomeObjectOrUndefined) + 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 + ... + clobber things needed for recovery ... 
- c: CompareEq(Check:ObjectOrOther:b, Other:a) - But the SpeculativeJIT/FTL lowering will fail to check b - properly which leads to an assertion failure in the AI. + Arguments elimination would transform the program since between @1 and + @2, nothing clobbers values needed for exit and nothing escapes @1. The + program becomes: - I'll follow up with a more robust fix later. For now, I'll remove the - case that generates the code. Removing the code appears to be perf - neutral. + 1: PhantomDirectArguments + ... + 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 + ... + clobber things needed for recovery of @1 + ... - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): -2017-07-22 Jason Marcell + Phantom insertion would then transform the program into: - Cherry-pick r219633. rdar://problem/33465535 + 1: PhantomDirectArguments + ... + 2: MovHint(@1, loc1) // arguments forwarding treats this as the final kill for @1 + ... + clobber things needed for recovery of @1 + ... + 3: Phantom(@1) + ... - 2017-07-18 Saam Barati + This is wrong because Phantom insertion and arguments forwarding must agree on live + ranges, otherwise the interference analysis performed by arguments forwarding will + not correctly analyze up until where the value might be recovered. - AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register - https://bugs.webkit.org/show_bug.cgi?id=174515 - + * dfg/DFGPhantomInsertionPhase.cpp: + +2019-09-30 Babak Shafiei + + Cherry-pick r249926. rdar://problem/55826870 + + [JSC] Perform check again when we found non-BMP characters + https://bugs.webkit.org/show_bug.cgi?id=201647 + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/regexp-unicode-surrogate-pair-increment-should-involve-length-check.js: Added. + * stress/regexp-unicode-within-string.js: Updated test to eliminate the bogus print(). 
+ (testRegExpInbounds): + + Source/JavaScriptCore: + + We need to check for end of input for non-BMP characters when matching a character class that contains + both BMP and non-BMP characters. In advanceIndexAfterCharacterClassTermMatch() we were checking for + end of input for both BMP and non-BMP characters. For BMP characters, this check is redundant. + After moving the check to after the "is BMP check", we need to decrement index after reaching the failure + label to back out the index++ for the first surrogate of the non-BMP character. + + Added the same kind of check in generateCharacterClassOnce(). In that case, we have pre-checked the + first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before + we increment for the second surrogate. + + While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the + loop to check the count at loop top instead of loop bottom. + + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch): + (JSC::Yarr::YarrGenerator::generateCharacterClassOnce): + (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy): + (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy): + (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249926 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-09-16 Michael Saboff + + [JSC] Perform check again when we found non-BMP characters + https://bugs.webkit.org/show_bug.cgi?id=201647 + + Reviewed by Yusuke Suzuki. + + We need to check for end of input for non-BMP characters when matching a character class that contains + both BMP and non-BMP characters. In advanceIndexAfterCharacterClassTermMatch() we were checking for + end of input for both BMP and non-BMP characters. For BMP characters, this check is redundant. 
+ After moving the check to after the "is BMP check", we need to decrement index after reaching the failure + label to back out the index++ for the first surrogate of the non-BMP character. + + Added the same kind of check in generateCharacterClassOnce(). In that case, we have pre-checked the + first character (surrogate) for a non-BMP codepoint, so we just need to check for end of input before + we increment for the second surrogate. + + While writing tests, I found an off by one error in backtrackCharacterClassGreedy() and changed the + loop to check the count at loop top instead of loop bottom. + + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::advanceIndexAfterCharacterClassTermMatch): + (JSC::Yarr::YarrGenerator::generateCharacterClassOnce): + (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy): + (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy): + (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy): + +2019-09-30 Babak Shafiei + + Cherry-pick r249777. rdar://problem/55826876 + + JSC crashes due to stack overflow while building RegExp + https://bugs.webkit.org/show_bug.cgi?id=201649 + + Reviewed by Yusuke Suzuki. + + JSTests: + + New regression test. + + * stress/regexp-bol-optimize-out-of-stack.js: Added. + (test): + (catch): + + Source/JavaScriptCore: + + Check for running out of stack when we are optimizing RegExp containing BOL terms or + other deep copying of disjunctions. + + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::copyDisjunction): + (JSC::Yarr::YarrPatternConstructor::copyTerm): + (JSC::Yarr::YarrPatternConstructor::error): + (JSC::Yarr::YarrPattern::compile): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249777 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-09-11 Michael Saboff + + JSC crashes due to stack overflow while building RegExp + https://bugs.webkit.org/show_bug.cgi?id=201649 + + Reviewed by Yusuke Suzuki. 
+ + Check for running out of stack when we are optimizing RegExp containing BOL terms or + other deep copying of disjunctions. + + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::copyDisjunction): + (JSC::Yarr::YarrPatternConstructor::copyTerm): + (JSC::Yarr::YarrPatternConstructor::error): + (JSC::Yarr::YarrPattern::compile): + +2019-09-30 Babak Shafiei + + Cherry-pick r248951. rdar://problem/55826863 + + [JSC] incorrent JIT lead to StackOverflow + https://bugs.webkit.org/show_bug.cgi?id=197823 + + Reviewed by Tadeu Zagallo. + + JSTests: + + New test. + + * stress/bound-function-stack-overflow.js: Added. + (foo): + (catch): + + Source/JavaScriptCore: + + Added stack overflow check to the bound function thunk generator. Added a new C++ operation + throwStackOverflowErrorFromThunk() to throw the error. + + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/ThunkGenerators.cpp: + (JSC::boundThisNoArgsFunctionCallGenerator): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248951 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-08-21 Michael Saboff + + [JSC] incorrent JIT lead to StackOverflow + https://bugs.webkit.org/show_bug.cgi?id=197823 + + Reviewed by Tadeu Zagallo. + + Added stack overflow check to the bound function thunk generator. Added a new C++ operation + throwStackOverflowErrorFromThunk() to throw the error. + + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/ThunkGenerators.cpp: + (JSC::boundThisNoArgsFunctionCallGenerator): + +2019-09-30 Babak Shafiei + + Cherry-pick r248796. rdar://problem/55826874 + + [Re-land] ProxyObject should not be allow to access its target's private properties. + https://bugs.webkit.org/show_bug.cgi?id=200739 + + + Reviewed by Yusuke Suzuki. + + JSTests: + + * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Copied from JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js. 
+ * stress/proxy-with-private-symbols.js: + + Source/JavaScriptCore: + + Re-landing this after r200829 which resolves the test262 failure uncovered by this patch. + + * runtime/ProxyObject.cpp: + (JSC::performProxyGet): + (JSC::ProxyObject::performInternalMethodGetOwnProperty): + (JSC::ProxyObject::performHasProperty): + (JSC::ProxyObject::performPut): + (JSC::ProxyObject::performDelete): + (JSC::ProxyObject::performDefineOwnProperty): + + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248796 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-08-16 Mark Lam + + [Re-land] ProxyObject should not be allow to access its target's private properties. + https://bugs.webkit.org/show_bug.cgi?id=200739 + + + Reviewed by Yusuke Suzuki. + + Re-landing this after r200829 which resolves the test262 failure uncovered by this patch. + + * runtime/ProxyObject.cpp: + (JSC::performProxyGet): + (JSC::ProxyObject::performInternalMethodGetOwnProperty): + (JSC::ProxyObject::performHasProperty): + (JSC::ProxyObject::performPut): + (JSC::ProxyObject::performDelete): + (JSC::ProxyObject::performDefineOwnProperty): + +2019-09-30 Babak Shafiei + + Cherry-pick r247799. rdar://problem/55826880 + + performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer. + https://bugs.webkit.org/show_bug.cgi?id=200100 + + + Reviewed by Yusuke Suzuki. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::CopyFunction::CopyFunction): + (JSC::ARM64Assembler::CopyFunction::operator()): + - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because + retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in + general because retagCodePtr() doesn't know that you will consume the pointer + immediately (and therefore crash imminently if a failed auth is encountered). + Since we know here that we will call with the auth'ed pointer immediately, we + can skip the assert. 
+ + This also has the benefit of letting Clang do a peephole optimization to emit + a blrab instruction with the intended diversifier, instead of emitting multiple + instructions to auth the pointer into a C function, and then using a blraaz to + do a C function call. + + (JSC::ARM64Assembler::linkJumpOrCall): + (JSC::ARM64Assembler::linkCompareAndBranch): + (JSC::ARM64Assembler::linkConditionalBranch): + (JSC::ARM64Assembler::linkTestAndBranch): + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + * runtime/JSCPtrTag.h: + + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247799 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-07-24 Mark Lam + + performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer. + https://bugs.webkit.org/show_bug.cgi?id=200100 + + + Reviewed by Yusuke Suzuki. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::CopyFunction::CopyFunction): + (JSC::ARM64Assembler::CopyFunction::operator()): + - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because + retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in + general because retagCodePtr() doesn't know that you will consume the pointer + immediately (and therefore crash imminently if a failed auth is encountered). + Since we know here that we will call with the auth'ed pointer immediately, we + can skip the assert. + + This also has the benefit of letting Clang do a peephole optimization to emit + a blrab instruction with the intended diversifier, instead of emitting multiple + instructions to auth the pointer into a C function, and then using a blraaz to + do a C function call. 
+
+ (JSC::ARM64Assembler::linkJumpOrCall):
+ (JSC::ARM64Assembler::linkCompareAndBranch):
+ (JSC::ARM64Assembler::linkConditionalBranch):
+ (JSC::ARM64Assembler::linkTestAndBranch):
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::copyCompactAndLinkCode):
+ * runtime/JSCPtrTag.h:
+
+2019-09-27 Alan Coon
+
+ Cherry-pick r250440. rdar://problem/55800893
+
+ OSR exit shouldn't bother updating get_by_id array profiles that have changed modes
+ https://bugs.webkit.org/show_bug.cgi?id=202324
+
+
+ Reviewed by Yusuke Suzuki.
+
+ This is an optimization that avoids polluting the array profile.
+
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::executeOSRExit):
+ (JSC::DFG::OSRExit::compileExit):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250440 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-27 Keith Miller
+
+ OSR exit shouldn't bother updating get_by_id array profiles that have changed modes
+ https://bugs.webkit.org/show_bug.cgi?id=202324
+
+
+ Reviewed by Yusuke Suzuki.
+
+ This is an optimization that avoids polluting the array profile.
+
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::executeOSRExit):
+ (JSC::DFG::OSRExit::compileExit):
+
+2019-09-23 Alan Coon
+
+ Cherry-pick r250116. rdar://problem/55608003
+
+ [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
+ https://bugs.webkit.org/show_bug.cgi?id=202014
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/call-varargs-inlining-should-not-clobber-previous-to-free-register.js: Added.
+ (__v0):
+
+ Source/JavaScriptCore:
+
+ Let's look into the bytecode generated by the test.
+
+ [ 0] enter
+ [ 1] get_scope loc4
+ [ 3] mov loc5, loc4
+ [ 6] check_traps
+ [ 7] mov loc6, callee
+ [ 10] create_direct_arguments loc7
+ [ 12] to_this this
+ [ 15] mov loc8, loc7
+ [ 18] mov loc9, loc6
+ [ 21] mov loc12, Undefined(const0)
+ [ 24] get_by_id loc11, loc6, 0
+ [ 29] jneq_ptr loc11, ApplyFunction, 18(->47)
+ [ 34] mov loc11, loc6
+ [ 37] call_varargs loc11, loc11, this, loc8, loc13, 0
+ [ 45] jmp 17(->62)
+ [ 47] mov loc16, loc6
+ [ 50] mov loc15, this
+ [ 53] mov loc14, loc8
+ [ 56] call loc11, loc11, 3, 22
+ ...
+
+ call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this).
+ This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13.
+ And it is not in the previous place to loc13 (|this| is not loc12).
+
+ On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments.
+ But this is wrong. loc12 in the above bytecode is used for `[ 56] call loc11, loc11, 3, 22`'s argument later, and this call assumes
+ that loc12 is not clobbered by call_varargs. But DFG and FTL clobbers it.
+
+ The test is recursively calling the same function, and we inline the same function one-level. And stack-overflow error happens when inlined
+ CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, outer function's loc12 is recovered to garbage since
+ LoadVarargs clobbers it. And we eventually use it and crash.
+
+ 60: LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)
+
+ This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used.
+
+ In all the tiers, op_call_varargs first allocates enough region to hold varargs including |this|. And we store |this| value to a correct place.
+ DFG should not assume that the previous register to firstFreeReg is used for |this|.
+
+ This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to
+ represent that `maxArgumentCountIncludingThis` includes |this| count.
+
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
+ (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
+ * bytecode/CallLinkInfo.h:
+ (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
+ (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
+ (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
+ (JSC::CallLinkInfo::maxNumArguments): Deleted.
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFor):
+ (JSC::CallLinkStatus::dump const):
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
+ (JSC::CallLinkStatus::maxNumArguments const): Deleted.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileSetupFrame):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileSetupFrame):
+ * jit/JITOperations.cpp:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250116 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-19 Yusuke Suzuki
+
+ [JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable
+ https://bugs.webkit.org/show_bug.cgi?id=202014
+
+ Reviewed by Saam Barati.
+
+ Let's look into the bytecode generated by the test.
+
+ [ 0] enter
+ [ 1] get_scope loc4
+ [ 3] mov loc5, loc4
+ [ 6] check_traps
+ [ 7] mov loc6, callee
+ [ 10] create_direct_arguments loc7
+ [ 12] to_this this
+ [ 15] mov loc8, loc7
+ [ 18] mov loc9, loc6
+ [ 21] mov loc12, Undefined(const0)
+ [ 24] get_by_id loc11, loc6, 0
+ [ 29] jneq_ptr loc11, ApplyFunction, 18(->47)
+ [ 34] mov loc11, loc6
+ [ 37] call_varargs loc11, loc11, this, loc8, loc13, 0
+ [ 45] jmp 17(->62)
+ [ 47] mov loc16, loc6
+ [ 50] mov loc15, this
+ [ 53] mov loc14, loc8
+ [ 56] call loc11, loc11, 3, 22
+ ...
+
+ call_varargs uses loc13 as firstFreeReg (first usable bottom register in the current stack-frame to spread variadic arguments after this).
+ This is correct. And call_varargs uses |this| as this argument for the call_varargs. This |this| argument is not in a region starting from loc13.
+ And it is not in the previous place to loc13 (|this| is not loc12).
+
+ On the other hand, DFG::ByteCodeParser's inlining path is always assuming that the previous to firstFreeReg is usable and part of arguments.
+ But this is wrong. loc12 in the above bytecode is used for `[ 56] call loc11, loc11, 3, 22`'s argument later, and this call assumes
+ that loc12 is not clobbered by call_varargs. But DFG and FTL clobbers it.
+
+ The test is recursively calling the same function, and we inline the same function one-level. And stack-overflow error happens when inlined
+ CallForwardVarargs (from op_call_varargs) is called. FTL recovers the frames, and at this point, outer function's loc12 is recovered to garbage since
+ LoadVarargs clobbers it. And we eventually use it and crash.
+
+ 60: LoadVarargs(Check:Untyped:Kill:@30, MustGen, start = loc13, count = loc15, machineStart = loc7, machineCount = loc9, offset = 0, mandatoryMinimum = 0, limit = 2, R:World, W:Stack(-16),Stack(-14),Stack(-13),Heap, Exits, ClobbersExit, bc#37, ExitValid)
+
+ This LoadVarargs clobbers loc12, loc13, and loc15 while loc12 is used.
+
+ In all the tiers, op_call_varargs first allocates enough region to hold varargs including |this|. And we store |this| value to a correct place.
+ DFG should not assume that the previous register to firstFreeReg is used for |this|.
+
+ This patch fixes DFG::ByteCodeParser's stack region calculation for op_call_varargs inlining. And we rename maxNumArguments to maxArgumentCountIncludingThis to
+ represent that `maxArgumentCountIncludingThis` includes |this| count.
+
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::setMaxArgumentCountIncludingThis):
+ (JSC::CallLinkInfo::setMaxNumArguments): Deleted.
+ * bytecode/CallLinkInfo.h:
+ (JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis):
+ (JSC::CallLinkInfo::maxArgumentCountIncludingThis):
+ (JSC::CallLinkInfo::addressOfMaxNumArguments): Deleted.
+ (JSC::CallLinkInfo::maxNumArguments): Deleted.
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFor):
+ (JSC::CallLinkStatus::dump const):
+ * bytecode/CallLinkStatus.h:
+ (JSC::CallLinkStatus::maxArgumentCountIncludingThis const):
+ (JSC::CallLinkStatus::maxNumArguments const): Deleted.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileSetupFrame):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileSetupFrame):
+ * jit/JITOperations.cpp:
+
+2019-09-17 Alan Coon
+
+ Cherry-pick r249911. rdar://problem/55461405
+
+ JSObject::putInlineSlow should not ignore "__proto__" for Proxy
+ https://bugs.webkit.org/show_bug.cgi?id=200386
+
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/proxy-__proto__-in-prototype-chain.js: Added.
+ * stress/proxy-property-replace-structure-transition.js: Added.
+
+ Source/JavaScriptCore:
+
+ We used to ignore '__proto__' in putInlineSlow when the object in question
+ was Proxy. There is no reason for this, and it goes against the spec. So
+ I've removed that condition. This also has the effect that it fixes an
+ assertion firing inside our inline caching code which dictates that for a
+ property replace that the base value's structure must be equal to the
+ structure when we grabbed the structure prior to the put operation.
+ The old code caused a weird edge case where we broke this invariant.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249911 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-16 Saam Barati
+
+ JSObject::putInlineSlow should not ignore "__proto__" for Proxy
+ https://bugs.webkit.org/show_bug.cgi?id=200386
+
+
+ Reviewed by Yusuke Suzuki.
+
+ We used to ignore '__proto__' in putInlineSlow when the object in question
+ was Proxy. There is no reason for this, and it goes against the spec. So
+ I've removed that condition. This also has the effect that it fixes an
+ assertion firing inside our inline caching code which dictates that for a
+ property replace that the base value's structure must be equal to the
+ structure when we grabbed the structure prior to the put operation.
+ The old code caused a weird edge case where we broke this invariant.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+
+2019-09-04 Mark Lam
+
+ Cherry-pick 249345. rdar://problem/55000994
+
+ 2019-08-30 Mark Lam
+
+ Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
+ https://bugs.webkit.org/show_bug.cgi?id=201345
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
+ the wrong pointer for capture the cell headerWord and zapReason. As a result,
+ we get junk for those 2 values.
+
+ Previously, we were only capturing the upper 32-bits of the cell header slot,
+ and the lower 32-bit of the next slot in the zapped cell. We now capture the
+ full 64-bits of both slots. If the second slot did not contain a zapReason as we
+ expect, the upper 32-bits might give us a clue as to what type of value the slot
+ contains.
+
+ This patch also adds capturing of the found MarkedBlock address for the zapped
+ cell, as well as some state bit values.
+
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::reportZappedCellAndCrash):
+
+2019-09-04 Mark Lam
+
+ Cherry-pick 248143, 248162. rdar://problem/55000992
+
+ Also deleted an unused function. This is needed to resolve a merge conflict for
+ this patch.
+
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::zap): Deleted.
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::Handle::zap): Deleted.
+
+ 2019-08-02 Mark Lam
+
+ Gardening: build fix.
+ https://bugs.webkit.org/show_bug.cgi?id=200149
+
+
+ Not reviewed.
+
+ * assembler/CPU.cpp:
+ (JSC::hwPhysicalCPUMax):
+
+ 2019-08-01 Mark Lam
+
+ Add crash diagnostics for debugging unexpected zapped cells.
+ https://bugs.webkit.org/show_bug.cgi?id=200149
+
+
+ Reviewed by Yusuke Suzuki.
+
+ Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
+ SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with
+ some diagnostic info.
+
+ To facilitate this, we've made the following changes:
+ 1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all
+ cells are at least 16 bytes long.
+ 2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the
+ cell header info intact (including the cell JSType).
+ 3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash
+ the reason immediately after the first 8 bytes. This is the same location as
+ FreeCell::scrambledNext. However, since a cell is not expected to be zapped
+ and on the free list at the same time, it is also fine to do this.
+ 4.
Added a few utility functions to MarkedBlock for checking if a cell points
+ into the block.
+ 5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
+ 6. Added some comments to document the hashes of known subspaces.
+ 7. Added Options::dumpZappedCellCrashData() to make this check conditional.
+ We use this option to disable this check for slower machines so that their
+ PLT5 performance is not impacted.
+
+ * assembler/CPU.cpp:
+ (JSC::hwL3CacheSize):
+ (JSC::hwPhysicalCPUMax):
+ * assembler/CPU.h:
+ (JSC::hwL3CacheSize):
+ (JSC::hwPhysicalCPUMax):
+ * heap/FreeList.h:
+ (JSC::FreeCell::offsetOfScrambledNext):
+ * heap/HeapCell.h:
+ (JSC::HeapCell::zap):
+ (JSC::HeapCell::isZapped const):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::stopAllocating):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::Handle::start const):
+ (JSC::MarkedBlock::Handle::end const):
+ (JSC::MarkedBlock::Handle::contains const):
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::specializedSweep):
+ * heap/MarkedSpace.h:
+ (JSC::MarkedSpace::forEachSubspace):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::appendToMarkStack):
+ (JSC::SlotVisitor::visitChildren):
+ (JSC::SlotVisitor::reportZappedCellAndCrash):
+ * heap/SlotVisitor.h:
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
+ * runtime/Options.cpp:
+ (JSC::Options::initialize):
+ * runtime/Options.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * tools/JSDollarVM.cpp:
+ (JSC::functionDumpSubspaceHashes):
+ (JSC::JSDollarVM::finishCreation):
+ * tools/VMInspector.cpp:
+ (JSC::VMInspector::dumpSubspaceHashes):
+ * tools/VMInspector.h:
+
+2019-09-03 Kocsen Chung
+
+ Cherry-pick r248824. rdar://problem/55001142
+
+ [JSC] WebAssembly BBQ should switch compile mode for size of modules
+ https://bugs.webkit.org/show_bug.cgi?id=200807
+
+ Reviewed by Mark Lam.
+
+ Some webpages use very large Wasm module, and it exhausts all executable memory in ARM64 devices since the size of executable memory region is 128MB.
+ The long term solution should be introducing Wasm interpreter. But as a short term solution, we introduce heuristics switching back to BBQ B3 at
+ the sacrifice of start-up time, since BBQ Air bloats such lengthy code, and thereby consumes a large amount of executable memory.
+
+ Currently, I picked 10MB since the reported website is using 11MB wasm module.
+
+ * runtime/Options.h:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::parseAndCompileAir):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ * wasm/WasmModuleInformation.h:
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseCode):
+ * wasm/WasmStreamingParser.cpp:
+ (JSC::Wasm::StreamingParser::parseCodeSectionSize):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248824 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-17 Yusuke Suzuki
+
+ [JSC] WebAssembly BBQ should switch compile mode for size of modules
+ https://bugs.webkit.org/show_bug.cgi?id=200807
+
+ Reviewed by Mark Lam.
+
+ Some webpages use very large Wasm module, and it exhausts all executable memory in ARM64 devices since the size of executable memory region is 128MB.
+ The long term solution should be introducing Wasm interpreter. But as a short term solution, we introduce heuristics switching back to BBQ B3 at
+ the sacrifice of start-up time, since BBQ Air bloats such lengthy code, and thereby consumes a large amount of executable memory.
+
+ Currently, I picked 10MB since the reported website is using 11MB wasm module.
+
+ * runtime/Options.h:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::parseAndCompileAir):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ * wasm/WasmModuleInformation.h:
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseCode):
+ * wasm/WasmStreamingParser.cpp:
+ (JSC::Wasm::StreamingParser::parseCodeSectionSize):
+
+2019-09-03 Kocsen Chung
+
+ Cherry-pick r248793. rdar://problem/55001191
+
+ [JSC] Promise.prototype.finally should accept non-promise objects
+ https://bugs.webkit.org/show_bug.cgi?id=200829
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/promise-finally-should-accept-non-promise-objects.js: Added.
+ (shouldBe):
+ (Thenable):
+ (Thenable.prototype.then):
+
+ Source/JavaScriptCore:
+
+ According to the Promise.prototype.finally spec step 2[1], we should check @isObject instead of @isPromise,
+ since Promise.prototype.finally should accept thenable objects that are defined by user libraries (like, bluebird for example).
+ This patch changes this check to the specified one.
+
+ [1]: https://tc39.es/proposal-promise-finally/
+
+ * builtins/PromisePrototype.js:
+ (finally):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248793 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-16 Yusuke Suzuki
+
+ [JSC] Promise.prototype.finally should accept non-promise objects
+ https://bugs.webkit.org/show_bug.cgi?id=200829
+
+ Reviewed by Mark Lam.
+
+ According to the Promise.prototype.finally spec step 2[1], we should check @isObject instead of @isPromise,
+ since Promise.prototype.finally should accept thenable objects that are defined by user libraries (like, bluebird for example).
+ This patch changes this check to the specified one.
+
+ [1]: https://tc39.es/proposal-promise-finally/
+
+ * builtins/PromisePrototype.js:
+ (finally):
+
+2019-08-18 Babak Shafiei
+
+ Cherry-pick r248800.
rdar://problem/54454996
+
+ CodeBlock destructor should clear all of its watchpoints.
+ https://bugs.webkit.org/show_bug.cgi?id=200792
+
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/codeblock-should-clear-watchpoints-on-destruction.js: Added.
+
+ Source/JavaScriptCore:
+
+ We need to clear the watchpoints explicitly (just like we do in CodeBlock::jettison())
+ because the JITCode may outlive the CodeBlock for a while. For example, the JITCode
+ is ref'd in Interpreter::execute(JSC::CallFrameClosure&) like so:
+
+ JSValue result = closure.functionExecutable->generatedJITCodeForCall()->execute(&vm, closure.protoCallFrame);
+
+ The call to generatedJITCodeForCall() returns a Ref with the underlying
+ JITCode ref'd. Hence, while the interpreter frame is still on the stack, the
+ executing JITCode instance will have a non-zero refCount, and be kept alive even
+ though its CodeBlock may have already been destructed.
+
+ Note: the Interpreter execute() methods aren't the only ones who would ref the JITCode:
+ ExecutableBase also holds a RefPtr m_jitCodeForCall and RefPtr
+ m_jitCodeForConstruct. But a CodeBlock will be uninstalled before it gets destructed.
+ Hence, the uninstallation will deref the JITCode before we get to the CodeBlock
+ destructor. That said, we should be aware that a JITCode's refCount is not always
+ 1 after the JIT installs it into the CodeBlock, and it should not be assumed to be so.
+
+ For this patch, I also audited all Watchpoint subclasses to ensure that we are
+ clearing all the relevant watchpoints in the CodeBlock destructor. Here is the
+ list of audited Watchpoints:
+
+ CodeBlockJettisoningWatchpoint
+ AdaptiveStructureWatchpoint
+ AdaptiveInferredPropertyValueWatchpoint
+ - these are held in the DFG::CommonData, and is tied to JITCode's life cycle.
+ - they need to be cleared eagerly in CodeBlock's destructor.
+
+ LLIntPrototypeLoadAdaptiveStructureWatchpoint
+ - stored in m_llintGetByIdWatchpointMap in the CodeBlock.
+ - this will be automatically cleared on CodeBlock destruction.
+
+ The following does not reference CodeBlock:
+
+ FunctionRareData::AllocationProfileClearingWatchpoint
+ - stored in FunctionRareData and will be cleared automatically on
+ FunctionRareData destruction.
+ - only references the owner FunctionRareData.
+
+ ObjectToStringAdaptiveStructureWatchpoint
+ ObjectToStringAdaptiveInferredPropertyValueWatchpoint
+ - stored in StructureRareData and will be cleared automatically on
+ StructureRareData destruction.
+
+ ObjectPropertyChangeAdaptiveWatchpoint
+ - stored in JSGlobalObject, and will be cleared automatically on
+ JSGlobalObject destruction.
+ - only references the owner JSGlobalObject.
+
+ StructureStubClearingWatchpoint
+ - stored in WatchpointsOnStructureStubInfo and will be cleared automatically
+ on WatchpointsOnStructureStubInfo destruction.
+
+ PropertyWatchpoint
+ StructureWatchpoint
+ - embedded in AdaptiveInferredPropertyValueWatchpointBase, which is extended
+ as AdaptiveInferredPropertyValueWatchpoint, ObjectPropertyChangeAdaptiveWatchpoint,
+ and ObjectToStringAdaptiveInferredPropertyValueWatchpoint.
+ - life cycle is handled by those 3 subclasses.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::~CodeBlock):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248800 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-16 Mark Lam
+
+ CodeBlock destructor should clear all of its watchpoints.
+ https://bugs.webkit.org/show_bug.cgi?id=200792
+
+
+ Reviewed by Yusuke Suzuki.
+
+ We need to clear the watchpoints explicitly (just like we do in CodeBlock::jettison())
+ because the JITCode may outlive the CodeBlock for a while. For example, the JITCode
+ is ref'd in Interpreter::execute(JSC::CallFrameClosure&) like so:
+
+ JSValue result = closure.functionExecutable->generatedJITCodeForCall()->execute(&vm, closure.protoCallFrame);
+
+ The call to generatedJITCodeForCall() returns a Ref with the underlying
+ JITCode ref'd.
Hence, while the interpreter frame is still on the stack, the
+ executing JITCode instance will have a non-zero refCount, and be kept alive even
+ though its CodeBlock may have already been destructed.
+
+ Note: the Interpreter execute() methods aren't the only ones who would ref the JITCode:
+ ExecutableBase also holds a RefPtr m_jitCodeForCall and RefPtr
+ m_jitCodeForConstruct. But a CodeBlock will be uninstalled before it gets destructed.
+ Hence, the uninstallation will deref the JITCode before we get to the CodeBlock
+ destructor. That said, we should be aware that a JITCode's refCount is not always
+ 1 after the JIT installs it into the CodeBlock, and it should not be assumed to be so.
+
+ For this patch, I also audited all Watchpoint subclasses to ensure that we are
+ clearing all the relevant watchpoints in the CodeBlock destructor. Here is the
+ list of audited Watchpoints:
+
+ CodeBlockJettisoningWatchpoint
+ AdaptiveStructureWatchpoint
+ AdaptiveInferredPropertyValueWatchpoint
+ - these are held in the DFG::CommonData, and is tied to JITCode's life cycle.
+ - they need to be cleared eagerly in CodeBlock's destructor.
+
+ LLIntPrototypeLoadAdaptiveStructureWatchpoint
+ - stored in m_llintGetByIdWatchpointMap in the CodeBlock.
+ - this will be automatically cleared on CodeBlock destruction.
+
+ The following does not reference CodeBlock:
+
+ FunctionRareData::AllocationProfileClearingWatchpoint
+ - stored in FunctionRareData and will be cleared automatically on
+ FunctionRareData destruction.
+ - only references the owner FunctionRareData.
+
+ ObjectToStringAdaptiveStructureWatchpoint
+ ObjectToStringAdaptiveInferredPropertyValueWatchpoint
+ - stored in StructureRareData and will be cleared automatically on
+ StructureRareData destruction.
+
+ ObjectPropertyChangeAdaptiveWatchpoint
+ - stored in JSGlobalObject, and will be cleared automatically on
+ JSGlobalObject destruction.
+ - only references the owner JSGlobalObject.
+
+ StructureStubClearingWatchpoint
+ - stored in WatchpointsOnStructureStubInfo and will be cleared automatically
+ on WatchpointsOnStructureStubInfo destruction.
+
+ PropertyWatchpoint
+ StructureWatchpoint
+ - embedded in AdaptiveInferredPropertyValueWatchpointBase, which is extended
+ as AdaptiveInferredPropertyValueWatchpoint, ObjectPropertyChangeAdaptiveWatchpoint,
+ and ObjectToStringAdaptiveInferredPropertyValueWatchpoint.
+ - life cycle is handled by those 3 subclasses.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::~CodeBlock):
+
+2019-08-13 Alan Coon
+
+ Cherry-pick r248271. rdar://problem/54237771
+
+ JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=199997
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ New test.
+
+ * stress/typedarray-no-alreadyChecked-assert.js: Added.
+ (checkIntArray):
+ (checkFloatArray):
+
+ Source/JavaScriptCore:
+
+ No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
+ and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
+ CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
+ and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where
+ it won't be set.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248271 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-05 Michael Saboff
+
+ JSC: assertion failure in SpeculativeJIT::compileGetByValOnIntTypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=199997
+
+ Reviewed by Saam Barati.
+
+ No need to ASSERT(node->arrayMode().alreadyChecked(...)) in SpeculativeJIT::compileGetByValOnIntTypedArray()
+ and compileGetByValOnFloatTypedArray() as the abstract interpreter is conservative and can insert a
+ CheckStructureOrEmpty which will fail the ASSERT as it checks for the SpecType of the array
+ and not for SpecEmpty. If we added a check for the SpecEmpty in the ASSERT, there are cases where
+ it won't be set.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+
+2019-08-13 Alan Coon
+
+ Cherry-pick r248149. rdar://problem/54237692
+
+ GetterSetter type confusion during DFG compilation
+ https://bugs.webkit.org/show_bug.cgi?id=199903
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/cse-propagated-constant-may-not-follow-structure-restrictions.js: Added.
+
+ Source/JavaScriptCore:
+
+ In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists.
+ However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding
+ CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable.
+
+ Let's consider the following graph.
+
+ 129: PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid)
+ 130: PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid)
+ ...
+ 158: GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R/FlushedCell), R:Stack(-8), bc#187, ExitValid) predicting Final
+ 210:< 1:-> DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid)
+ ...
+ 162: CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid)
+ 163:< 1:-> GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid)
+ 164:< 1:-> GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)
+
+ At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells @158 is a cell. But we do not invalidate graph status as "Invalid" even if edge filters out all possible value.
+ This is because the result of edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it
+ does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now.
+
+ But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime,
+ @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value.
+
+ 124:< 2:-> JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid)
+ ...
+ 126:< 2:-> GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)
+
+ AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following.
+
+ JSValue base = forNode(node->child1()).m_value;
+ if (base) {
+ GetterSetter* getterSetter = jsCast(base);
+ ...
+
+ Then, jsCast casts the above object with GetterSetter accidentally.
+
+ In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge
+ filters already filter out all the possible execution. DFG AI already considered about this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one.
+ But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope.
+
+ In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met.
+ We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::castConstant): Deleted.
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248149 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-01 Yusuke Suzuki
+
+ GetterSetter type confusion during DFG compilation
+ https://bugs.webkit.org/show_bug.cgi?id=199903
+
+ Reviewed by Mark Lam.
+
+ In AI, we are strongly assuming that GetGetter's child constant value should be GetterSetter if it exists.
+ However, this can be wrong since nobody ensures that. AI assumed so because the control-flow and preceding
+ CheckStructure ensures that. But this preceding check can be eliminated if the node becomes (at runtime) unreachable.
+
+ Let's consider the following graph.
+
+ 129: PutByOffset(KnownCell:@115, KnownCell:@115, Check:Untyped:@124, MustGen, id5{length}, 0, W:NamedProperties(5), ClobbersExit, bc#154, ExitValid)
+ 130: PutStructure(KnownCell:@115, MustGen, %C8:Object -> %C3:Object, ID:7726, R:JSObject_butterfly, W:JSCell_indexingType,JSCell_structureID,JSCell_typeInfoFlags,JSCell_typeInfoType, ClobbersExit, bc#154, ExitInvalid)
+ ...
+ 158: GetLocal(Check:Untyped:@197, JS|MustGen|UseAsOther, Final, loc7(R/FlushedCell), R:Stack(-8), bc#187, ExitValid) predicting Final
+ 210:< 1:-> DoubleRep(Check:NotCell:@158, Double|PureInt, BytecodeDouble, Exits, bc#187, ExitValid)
+ ...
+ 162: CheckStructure(Cell:@158, MustGen, [%Ad:Object], R:JSCell_structureID, Exits, bc#192, ExitValid)
+ 163:< 1:-> GetGetterSetterByOffset(KnownCell:@158, KnownCell:@158, JS|UseAsOther, OtherCell, id5{length}, 0, R:NamedProperties(5), Exits, bc#192, ExitValid)
+ 164:< 1:-> GetGetter(KnownCell:@163, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)
+
+ At @163 and @164, AI proves that @158's AbstractValue is None because @210's edge filters out Cells @158 is a cell. But we do not invalidate graph status as "Invalid" even if edge filters out all possible value.
+ This is because the result of edge can be None in a valid program. For example, we can put a dependency edge between a consuming node and a producing node, where the producing node is just like a check and it
+ does not produce a value actually. So, @163 and @164 are not invalidated. This is totally fine in our compiler pipeline right now.
+
+ But after that, global CSE phase found that @115 and @158 are same and @129 dominates @158. As a result, we can replace GetGetter child's @163 with @124. Since CheckStructure is already removed (and now, at runtime,
+ @163 and @164 are never executed), we do not have any structure guarantee on @158 and the result of @163. This means that @163's CSE result can be non-GetterSetter value.
+
+ 124:< 2:-> JSConstant(JS|UseAsOther, Final, Weak:Object: 0x1199e82a0 with butterfly 0x0 (Structure %B4:Object), StructureID: 49116, bc#0, ExitValid)
+ ...
+ 126:< 2:-> GetGetter(KnownCell:Kill:@124, JS|UseAsOther, Function, R:GetterSetter_getter, Exits, bc#192, ExitValid)
+
+ AI filters out @124's non-cell values. But @126 can get non-GetterSetter cell at AI phase. But our AI code is like the following.
+
+
+ JSValue base = forNode(node->child1()).m_value;
+ if (base) {
+ GetterSetter* getterSetter = jsCast(base);
+ ...
+
+ Then, jsCast casts the above object with GetterSetter accidentally.
+
+ In general, DFG AI can get a proven constant value, which could not be shown at runtime. This happens if the processing node is unreachable at runtime while the graph is not invalid yet, because preceding edge
+ filters already filter out all the possible execution. DFG AI already considered about this possibility, and it attempts to fold a node into a constant only when the constant input matches against the expected one.
+ But several DFG nodes are not handling this correctly: GetGetter, GetSetter, and SkipScope.
+
+ In this patch, we use `jsDynamicCast` to ensure that the constant input matches against the expected (foldable) one, and fold it only when the expectation is met.
+ We also remove DFG::Node::castConstant and its use. We should not rely on the constant folded value based on graph's control-flow.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::castConstant): Deleted.
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
+
+2019-08-12 Alan Coon
+
+ Apply patch. rdar://problem/54171876
+
+ 2019-08-12 Maciej Stachowiak
+
+ Branch build fix for r248494
+
+ * runtime/ClassInfo.h: METHOD_TABLE_ENTRY was called WTF_METHOD_TABLE_ENTRY on the branch.
+
+2019-08-12 Alan Coon
+
+ Cherry-pick r248494.
rdar://problem/54171876
+
+ Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
+ https://bugs.webkit.org/show_bug.cgi?id=199864
+
+ Reviewed by Saam Barati.
+
+ Source/JavaScriptCore:
+
+ Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this.
+
+ JSObject::put(object):
+ if (can-do-fast-path(object))
+ return fast-path(object);
+ // slow-path
+ do {
+ object-put-check-and-setter-calls(object); // (1)
+ object = object->prototype;
+ } while (is-object(object));
+ return do-put(object);
+
+ Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding
+ extra checks to this put.
+
+ Derived::put(object):
+ if (do-extra-check(object))
+ fail
+ return JSObject::put(object)
+
+ The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in
+ JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that
+ we skip the check.
+
+ Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to
+ perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot
+ does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and
+ Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves
+ large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot.
+
+ To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects
+ that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject.
+
+ When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks.
+
+ Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1].
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=200562
+
+ * runtime/ClassInfo.h:
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitive):
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::doPutPropertySecurityCheck):
+ * runtime/JSCell.h:
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ * runtime/JSObject.h:
+ (JSC::JSObject::doPutPropertySecurityCheck):
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::hasPutPropertySecurityCheck const):
+
+ Source/WebCore:
+
+ Test: http/tests/security/cross-frame-access-object-put-optimization.html
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::doPutPropertySecurityCheck):
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::doPutPropertySecurityCheck):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateHeader):
+ * bindings/scripts/test/JS/JSTestActiveDOMObject.h:
+
+ LayoutTests:
+
+ * http/tests/security/cross-frame-access-object-put-optimization-expected.txt: Added.
+ * http/tests/security/cross-frame-access-object-put-optimization.html: Added.
+ * http/tests/security/resources/cross-frame-iframe-for-object-put-optimization-test.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248494 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-08-09 Yusuke Suzuki
+
+ Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive
+ https://bugs.webkit.org/show_bug.cgi?id=199864
+
+ Reviewed by Saam Barati.
+
+ Our JSObject::put implementation is not correct in term of the spec. Our [[Put]] implementation is something like this.
+ + JSObject::put(object): + if (can-do-fast-path(object)) + return fast-path(object); + // slow-path + do { + object-put-check-and-setter-calls(object); // (1) + object = object->prototype; + } while (is-object(object)); + return do-put(object); + + Since JSObject::put is registered in the methodTable, the derived classes can override it. Some of classes are adding + extra checks to this put. + + Derived::put(object): + if (do-extra-check(object)) + fail + return JSObject::put(object) + + The problem is that Derived::put is only called when the |this| object is the Derived class. When traversing [[Prototype]] in + JSObject::put, at (1), we do not perform the extra checks added in Derived::put even if `object` is Derived one. This means that + we skip the check. + + Currently, JSObject::put and WebCore checking mechanism are broken. JSObject::put should call getOwnPropertySlot at (1) to + perform the additional checks. This behavior is matching against the spec. However, currently, our JSObject::getOwnPropertySlot + does not propagate setter information. This is required to cache cacheable [[Put]] at (1) for CustomValue, CustomAccessor, and + Accessors. We also need to reconsider how to integrate static property setters to this mechanism. So, basically, this involves + large refactoring to renew our JSObject::put and JSObject::getOwnPropertySlot. + + To work-around for now, we add a new TypeInfo flag, HasPutPropertySecurityCheck . And adding this flag to DOM objects + that implements the addition checks. We also add doPutPropertySecurityCheck method hook to perform the check in JSObject. + When we found this flag at (1), we perform doPutPropertySecurityCheck to properly perform the checks. + + Since our JSObject::put code is old and it does not match against the spec now, we should refactor it largely. This is tracked separately in [1]. 
+ + [1]: https://bugs.webkit.org/show_bug.cgi?id=200562 + + * runtime/ClassInfo.h: + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + * runtime/JSCell.cpp: + (JSC::JSCell::doPutPropertySecurityCheck): + * runtime/JSCell.h: + * runtime/JSObject.cpp: + (JSC::JSObject::putInlineSlow): + (JSC::JSObject::getOwnPropertyDescriptor): + * runtime/JSObject.h: + (JSC::JSObject::doPutPropertySecurityCheck): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::hasPutPropertySecurityCheck const): + +2019-08-12 Alan Coon + + Cherry-pick r248027. rdar://problem/53836556 + + [JSC] Emit write barrier after storing instead of before storing + https://bugs.webkit.org/show_bug.cgi?id=200193 + + Reviewed by Saam Barati. + + I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers. + + 1. Some write-barriers are emitted before stores happen + + Some code like LazyProperty emits write-barrier before we store the value. This is wrong since JSC has concurrent collector. Let's consider the situation like this. + + 1. Cell "A" is not marked yet + 2. Write-barrier is emitted onto "A" + 3. Concurrent collector scans "A" + 4. Store to "A"'s field happens + 5. (4)'s field is not rescaned + + We should emit write-barrier after stores. This patch places write-barriers after stores happen. + + 2. Should emit write-barrier after the stored fields are reachable from the owner. + + We have code that is logically the same to the following. + + ``` + auto data = std::make_unique(); + data->m_field.set(vm, owner, value); + + storeStoreBarrier(); + owner->m_data = WTFMove(data); + ``` + + This is not correct. When write-barrier is emitted, the owner cannot reach to the field that is stored. + The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not + effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock. 
+ + I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock. + But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called. + + Speculative GC fix, it was hard to reproduce the crash since we need to control concurrent collector and main thread's scheduling in an instruction-level. + + * bytecode/BytecodeList.rb: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::addAccessCase): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::considerCaching): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::setupGetByIdPrototypeCache): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/LazyPropertyInlines.h: + (JSC::ElementType>::setMayBeNull): + * runtime/RegExpCachedResult.h: + (JSC::RegExpCachedResult::record): + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248027 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-07-30 Yusuke Suzuki + + [JSC] Emit write barrier after storing instead of before storing + https://bugs.webkit.org/show_bug.cgi?id=200193 + + Reviewed by Saam Barati. + + I reviewed tricky GC-related code including visitChildren and manual writeBarrier, and I found that we have several problems with write-barriers. + + 1. Some write-barriers are emitted before stores happen + + Some code like LazyProperty emits write-barrier before we store the value. This is wrong since JSC has concurrent collector. Let's consider the situation like this. + + 1. Cell "A" is not marked yet + 2. Write-barrier is emitted onto "A" + 3. Concurrent collector scans "A" + 4. Store to "A"'s field happens + 5. 
(4)'s field is not rescaned + + We should emit write-barrier after stores. This patch places write-barriers after stores happen. + + 2. Should emit write-barrier after the stored fields are reachable from the owner. + + We have code that is logically the same to the following. + + ``` + auto data = std::make_unique(); + data->m_field.set(vm, owner, value); + + storeStoreBarrier(); + owner->m_data = WTFMove(data); + ``` + + This is not correct. When write-barrier is emitted, the owner cannot reach to the field that is stored. + The actual example is AccessCase. We are emitting write-barriers with owner when creating AccessCase, but this is not + effective until this AccessCase is chained to StructureStubInfo, which is reachable from CodeBlock. + + I don't think this is actually an issue because currently AccessCase generation is guarded by CodeBlock->m_lock. And CodeBlock::visitChildren takes this lock. + But emitting a write-barrier at the right place is still better. This patch places write-barriers when StructureStubInfo::addAccessCase is called. + + Speculative GC fix, it was hard to reproduce the crash since we need to control concurrent collector and main thread's scheduling in an instruction-level. + + * bytecode/BytecodeList.rb: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::addAccessCase): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::considerCaching): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::setupGetByIdPrototypeCache): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/LazyPropertyInlines.h: + (JSC::ElementType>::setMayBeNull): + * runtime/RegExpCachedResult.h: + (JSC::RegExpCachedResult::record): + +2019-08-09 Alan Coon + + Cherry-pick r248462. 
rdar://problem/54144119 + + [Win] Fix internal build + https://bugs.webkit.org/show_bug.cgi?id=200519 + + Reviewed by Alex Christensen. + + Source/JavaScriptCore: + + The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts + folder after building JSC. + + * JavaScriptCore.vcxproj/JavaScriptCore.proj: + + Source/WebKitLegacy/win: + + Switch to the String::wideCharacers method, since its return type is compatible with the Win32 api. + + * WebDownloadCFNet.cpp: + (WebDownload::didFinish): + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248462 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-08-08 Per Arne Vollan + + [Win] Fix internal build + https://bugs.webkit.org/show_bug.cgi?id=200519 + + Reviewed by Alex Christensen. + + The script 'generate-js-builtins.py' cannot be found when building WebCore. Copy the JavaScriptCore Scripts + folder after building JSC. + + * JavaScriptCore.vcxproj/JavaScriptCore.proj: + +2019-08-06 Alan Coon + + Apply patch. rdar://problem/53992160 + + 2019-08-06 Per Arne Vollan + + [Win] Fix AppleWin build + https://bugs.webkit.org/show_bug.cgi?id=200414 + + Reviewed by Brent Fulgham. + + * CMakeLists.txt: + * PlatformWin.cmake: + * shell/CMakeLists.txt: + +2019-07-29 Alan Coon + + Cherry-pick r247714. rdar://problem/53647616 + + [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up + https://bugs.webkit.org/show_bug.cgi?id=200024 + + Reviewed by Saam Barati. + + Source/bmalloc: + + When we allocate IsoHeap's page, we reused VMHeap::tryAllocateLargeChunk. However, this function is originally designed + to be used for Large allocation in bmalloc (e.g. allocating Chunk in bmalloc). As a result, this function rounds up the + requested size with 1MB (bmalloc::chunkSize). As a result, all IsoHeap's 16KB page gets 1MB VA while it just uses 16KB of + the allocated region. This leads to VA exhaustion since IsoHeap now uses 64x VA than we expected! 
+ + This patch fixes the above VA exhaustion issue by allocating a page by using tryVMAllocate. When allocating a page, we start + using a VM tag for IsoHeap. We discussed at e-mail and we decided reusing a VM tag previously assigned to CLoop Stack since + this is less profitable. Since this tag is not Malloc-related tag, Leaks tool can scan memory region conservatively without + registering allocated region into Zone, which was previously done in VMHeap and that's why we reused VMHeap for IsoHeap. + + * bmalloc/BVMTags.h: + * bmalloc/IsoPage.cpp: + (bmalloc::IsoPageBase::allocatePageMemory): + * bmalloc/IsoTLS.cpp: + (bmalloc::IsoTLS::ensureEntries): + * bmalloc/VMAllocate.h: + (bmalloc::vmAllocate): + + Source/JavaScriptCore: + + Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack. + + * interpreter/CLoopStack.cpp: + (JSC::CLoopStack::CLoopStack): + + Source/WebCore: + + Changed how we interpret VM tags. Add IsoHeap VM tag support, and rename WebAssembly tag + to Gigacage tag. + + * page/ResourceUsageData.h: + * page/ResourceUsageOverlay.h: + * page/cocoa/ResourceUsageOverlayCocoa.mm: + (WebCore::HistoricResourceUsageData::HistoricResourceUsageData): + * page/cocoa/ResourceUsageThreadCocoa.mm: + (WebCore::displayNameForVMTag): + (WebCore::categoryForVMTag): + + Source/WTF: + + Start using a VM tag for IsoHeap instead of CLoop Stack. + + * wtf/OSAllocator.h: + * wtf/VMTags.h: + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247714 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-07-22 Yusuke Suzuki + + [bmalloc] Each IsoPage gets 1MB VA because VMHeap::tryAllocateLargeChunk rounds up + https://bugs.webkit.org/show_bug.cgi?id=200024 + + Reviewed by Saam Barati. + + Discussed and we decided to use this VM tag for IsoHeap instead of CLoop stack. + + * interpreter/CLoopStack.cpp: + (JSC::CLoopStack::CLoopStack): + +2019-07-29 Alan Coon + + Cherry-pick r247713. 
rdar://problem/53648241 + + Turn off Wasm fast memory on iOS + https://bugs.webkit.org/show_bug.cgi?id=200016 + + + Reviewed by Yusuke Suzuki. + + We turned them on when we disabled Gigacage on iOS. However, we re-enabled + Gigacage on iOS, but forgot to turn wasm fast memories back off. + + * runtime/Options.h: + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247713 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-07-22 Saam Barati + + Turn off Wasm fast memory on iOS + https://bugs.webkit.org/show_bug.cgi?id=200016 + + + Reviewed by Yusuke Suzuki. + + We turned them on when we disabled Gigacage on iOS. However, we re-enabled + Gigacage on iOS, but forgot to turn wasm fast memories back off. + + * runtime/Options.h: + +2019-07-29 Alan Coon + + Cherry-pick r247703. rdar://problem/53647465 + + [JSC] Make DFG Local CSE and AI conservative for huge basic block + https://bugs.webkit.org/show_bug.cgi?id=199929 + + + Reviewed by Filip Pizlo. + + In CNN page, the main thread hangs several seconds. On less-powerful devices (like iPhone7), it hangs for ~11 seconds. This is not an acceptable behavior. + The reason of this is that the DFG compiler takes too long time in the compilation for a particular function. It takes 8765 ms even in powerful x64 machine! + DFG compiler is concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler's stop. + DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some of DFG phases take very long time, the main thread is blocked during that. + As a result, the main thread is blocked due to this pathological compilation. + + By measuring the time taken in each DFG phase, we found that our AI and CSE phase have a problem having quadratic complexity for # of DFG nodes in a basic block. + In this patch, we add a threshold for # of DFG nodes in a basic block. 
If a basic block exceeds this threshold, we use conservative but O(1) algorithm for AI and Local CSE phase. + We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand, + DFG should compile them because DFG is intended to be a fast compiler even for a bit larger CodeBlock. + + We first attempted to reduce the threshold for DFG compilation. We are using 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost + is not the problem in CNN page. The problematic function has 67904 cost, and it takes 8765 ms in x64 machine. However, JetStream2/octane-zlib has 61949 function and it only takes + ~400 ms. This difference comes from the # of DFG nodes in a basic block. The problematic function has 43297 DFG nodes in one basic block and it makes AI and Local CSE super time-consuming. + Rather than relying on the bytecode cost which a bit indirectly related to this pathological compile-time, we should look into # of DFG nodes in a basic block which is more directly + related to this problem. And we also found that 61949's Octane-zlib function is very critical for performance. This fact makes a bit hard to pick a right threshold: 67904 causes the problem, + and 61949 must be compiled. This is why this patch is introducing conservative analysis instead of adjusting the threshold for DFG. + + This patch has two changes. + + 1. DFG AI has structure transition tracking which has quadratic complexity + + Structure transition tracking takes very long time since its complexity is O(N^2) where N is # of DFG nodes in a basic block. + CNN has very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm. + For now, we just say "structures are clobbered" if # of DFG nodes in a basic block exceeds the threshold (20000). 
+ We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1]. + + 2. DFG Local CSE has quadratic complexity + + Local CSE's clobbering iterates all the impure heap values to remove the clobbered one. Since # of impure heap values tend to be proportional to # of DFG nodes we visited, + each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface to LargeMap and SmallMap in CSE, but its clobbering + implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. For now, we do not see such a huge basic block in + JetStream2 and Speedometer2 so I'll track it in a separate bug[2]. + + This patch reduces the compilation time from ~11 seconds to ~200 ms. + + [1]: https://bugs.webkit.org/show_bug.cgi?id=199959 + [2]: https://bugs.webkit.org/show_bug.cgi?id=200014 + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::observeTransition): + (JSC::DFG::AbstractInterpreter::observeTransitions): + * dfg/DFGCSEPhase.cpp: + * runtime/Options.h: + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247703 268f45cc-cd09-0410-ab3c-d52691b4dbfc + + 2019-07-20 Yusuke Suzuki + + [JSC] Make DFG Local CSE and AI conservative for huge basic block + https://bugs.webkit.org/show_bug.cgi?id=199929 + Reviewed by Filip Pizlo. - AirLowerAfterRegAlloc was computing the set of available scratch - registers incorrectly. It was always excluding callee save registers - from the set of live registers. It did not guarantee that live callee save - registers were not in the set of scratch registers that could - get clobbered. That's incorrect as the shuffling code is free - to overwrite whatever is in the scratch register it gets passed. + In CNN page, the main thread hangs several seconds. On less-powerful devices (like iPhone7), it hangs for ~11 seconds. 
This is not an acceptable behavior. + The reason of this is that the DFG compiler takes too long time in the compilation for a particular function. It takes 8765 ms even in powerful x64 machine! + DFG compiler is concurrent one. However, when GC requires all the peripheral threads to be stopped, the main thread needs to wait for the DFG compiler's stop. + DFG compiler stops at GC safepoints, and they are inserted between DFG phases. So, if some of DFG phases take very long time, the main thread is blocked during that. + As a result, the main thread is blocked due to this pathological compilation. - * b3/air/AirLowerAfterRegAlloc.cpp: - (JSC::B3::Air::lowerAfterRegAlloc): - * b3/testb3.cpp: - (JSC::B3::functionNineArgs): - (JSC::B3::testShuffleDoesntTrashCalleeSaves): - (JSC::B3::run): - * jit/RegisterSet.h: + By measuring the time taken in each DFG phase, we found that our AI and CSE phase have a problem having quadratic complexity for # of DFG nodes in a basic block. + In this patch, we add a threshold for # of DFG nodes in a basic block. If a basic block exceeds this threshold, we use conservative but O(1) algorithm for AI and Local CSE phase. + We did not add this threshold for Global CSE since FTL has another bytecode cost threshold which prevents us from compiling the large functions. But on the other hand, + DFG should compile them because DFG is intended to be a fast compiler even for a bit larger CodeBlock. -2017-07-17 Jason Marcell + We first attempted to reduce the threshold for DFG compilation. We are using 100000 bytecode cost for DFG compilation and it is very large. However, we found that bytecode cost + is not the problem in CNN page. The problematic function has 67904 cost, and it takes 8765 ms in x64 machine. However, JetStream2/octane-zlib has 61949 function and it only takes + ~400 ms. This difference comes from the # of DFG nodes in a basic block. 
The problematic function has 43297 DFG nodes in one basic block and it makes AI and Local CSE super time-consuming. + Rather than relying on the bytecode cost which a bit indirectly related to this pathological compile-time, we should look into # of DFG nodes in a basic block which is more directly + related to this problem. And we also found that 61949's Octane-zlib function is very critical for performance. This fact makes a bit hard to pick a right threshold: 67904 causes the problem, + and 61949 must be compiled. This is why this patch is introducing conservative analysis instead of adjusting the threshold for DFG. - Cherry-pick r219413. rdar://problem/33337335 + This patch has two changes. - 2017-06-29 Dean Jackson + 1. DFG AI has structure transition tracking which has quadratic complexity - Disable some features on this release branch. - + Structure transition tracking takes very long time since its complexity is O(N^2) where N is # of DFG nodes in a basic block. + CNN has very pathological script and it shows 43297 DFG nodes. We should reduce the complexity of this algorithm. + For now, we just say "structures are clobbered" if # of DFG nodes in a basic block exceeds the threshold (20000). + We could improve the current algorithm from O(N^2) to O(2N) without being conservative, and I'm tracking this in [1]. - * Configurations/FeatureDefines.xcconfig: + 2. DFG Local CSE has quadratic complexity + + Local CSE's clobbering iterates all the impure heap values to remove the clobbered one. Since # of impure heap values tend to be proportional to # of DFG nodes we visited, + each CSE for a basic block gets O(N^2) complexity. To avoid this, we introduce HugeMap. This has the same interface to LargeMap and SmallMap in CSE, but its clobbering + implementation just clears the map completely. We can further make this O(N) without introducing conservative behavior by using epochs. 
For now, we do not see such a huge basic block in + JetStream2 and Speedometer2 so I'll track it in a separate bug[2]. + + This patch reduces the compilation time from ~11 seconds to ~200 ms. + + [1]: https://bugs.webkit.org/show_bug.cgi?id=199959 + [2]: https://bugs.webkit.org/show_bug.cgi?id=200014 + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::observeTransition): + (JSC::DFG::AbstractInterpreter::observeTransitions): + * dfg/DFGCSEPhase.cpp: * runtime/Options.h: -2017-07-17 Saam Barati - - Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase - https://bugs.webkit.org/show_bug.cgi?id=174584 - - Rubber stamped by Keith Miller. - - I used it to diagnose a bug. The bug is now fixed. This custom - RELEASE_ASSERT is no longer needed. - - * dfg/DFGObjectAllocationSinkingPhase.cpp: - -2017-07-17 Michael Catanzaro - - -Wformat-truncation warning in ConfigFile.cpp - https://bugs.webkit.org/show_bug.cgi?id=174506 - - Reviewed by Darin Adler. - - Check if the JSC config filename would be truncated due to exceeding max path length. If so, - return ParseError. - - * runtime/ConfigFile.cpp: - (JSC::ConfigFile::parse): - -2017-07-17 Konstantin Tokarev - - [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called - https://bugs.webkit.org/show_bug.cgi?id=174557 - - Reviewed by Michael Catanzaro. - - * CMakeLists.txt: - -2017-07-14 Yusuke Suzuki - - [WTF] Use std::unique_ptr for StackTrace - https://bugs.webkit.org/show_bug.cgi?id=174495 - - Reviewed by Alex Christensen. - - * runtime/ExceptionScope.cpp: - (JSC::ExceptionScope::unexpectedExceptionMessage): - * runtime/VM.cpp: - (JSC::VM::throwException): - -2017-07-14 Yusuke Suzuki - - [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap - https://bugs.webkit.org/show_bug.cgi?id=174423 - - Reviewed by Saam Barati. 
- - * dfg/DFGAvailabilityMap.cpp: - (JSC::DFG::AvailabilityMap::pruneHeap): - (JSC::DFG::AvailabilityMap::pruneByLiveness): - -2017-07-13 Michael Catanzaro - - Fix compiler warnings when building with GCC 7 - https://bugs.webkit.org/show_bug.cgi?id=174463 - - Reviewed by Darin Adler. - - * disassembler/udis86/udis86_decode.c: - (decode_operand): - -2017-07-13 Michael Catanzaro - - Incorrect assertion in JSC::CallLinkInfo::callTypeFor - https://bugs.webkit.org/show_bug.cgi?id=174467 - - Reviewed by Saam Barati. - - * bytecode/CallLinkInfo.cpp: - (JSC::CallLinkInfo::callTypeFor): - -2017-07-13 Joseph Pecoraro - - Web Inspector: Remove unused and untested Page domain commands - https://bugs.webkit.org/show_bug.cgi?id=174429 - - Reviewed by Timothy Hatcher. - - * inspector/protocol/Page.json: - -2017-07-13 Saam Barati - - Missing exception check in JSObject::hasInstance - https://bugs.webkit.org/show_bug.cgi?id=174455 - - - Reviewed by Mark Lam. - - * runtime/JSObject.cpp: - (JSC::JSObject::hasInstance): - -2017-07-13 Caio Lima - - [ESnext] Implement Object Spread - https://bugs.webkit.org/show_bug.cgi?id=167963 - - Reviewed by Saam Barati. - - This patch implements ECMA262 stage 3 Object Spread proposal [1]. - It's implemented using CopyDataPropertiesNoExclusions to copy - all enumerable keys from object being spreaded. The implementation of - CopyDataPropertiesNoExclusions follows the CopyDataProperties - implementation, however we don't receive excludedNames as parameter. 
- - [1] - https://github.com/tc39/proposal-object-rest-spread - - * builtins/GlobalOperations.js: - (globalPrivate.copyDataPropertiesNoExclusions): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitLoad): - * bytecompiler/NodesCodegen.cpp: - (JSC::PropertyListNode::emitBytecode): - (JSC::ObjectSpreadExpressionNode::emitBytecode): - * parser/ASTBuilder.h: - (JSC::ASTBuilder::createObjectSpreadExpression): - (JSC::ASTBuilder::createProperty): - * parser/NodeConstructors.h: - (JSC::PropertyNode::PropertyNode): - (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): - * parser/Nodes.h: - (JSC::ObjectSpreadExpressionNode::expression): - * parser/Parser.cpp: - (JSC::Parser::parseProperty): - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::createObjectSpreadExpression): - (JSC::SyntaxChecker::createProperty): - -2017-07-12 Mark Lam - - Gardening: build fix after r219434. - https://bugs.webkit.org/show_bug.cgi?id=174441 - - Not reviewed. - - Make public some MacroAssembler functions that are needed by the probe implementationq. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::trustedImm32FromPtr): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::linkCall): - -2017-07-12 Mark Lam - - Move Probe code from AbstractMacroAssembler to MacroAssembler. - https://bugs.webkit.org/show_bug.cgi?id=174441 - - Reviewed by Saam Barati. - - This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler - to MacroAssembler. There is no code behavior change. - - * assembler/AbstractMacroAssembler.h: - (JSC::AbstractMacroAssembler::Address::indexedBy): - (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted. - (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted. - (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted. - (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted. - (JSC::MacroAssemblerType>::Address::indexedBy): Deleted. 
- * assembler/MacroAssembler.h: - (JSC::MacroAssembler::CPUState::gprName): - (JSC::MacroAssembler::CPUState::fprName): - (JSC::MacroAssembler::CPUState::gpr): - (JSC::MacroAssembler::CPUState::fpr): - * assembler/MacroAssemblerARM.cpp: - (JSC::MacroAssembler::probe): - (JSC::MacroAssemblerARM::probe): Deleted. - * assembler/MacroAssemblerARM.h: - * assembler/MacroAssemblerARM64.cpp: - (JSC::MacroAssembler::probe): - (JSC::MacroAssemblerARM64::probe): Deleted. - * assembler/MacroAssemblerARM64.h: - * assembler/MacroAssemblerARMv7.cpp: - (JSC::MacroAssembler::probe): - (JSC::MacroAssemblerARMv7::probe): Deleted. - * assembler/MacroAssemblerARMv7.h: - * assembler/MacroAssemblerMIPS.h: - * assembler/MacroAssemblerX86Common.cpp: - (JSC::MacroAssembler::probe): - (JSC::MacroAssemblerX86Common::probe): Deleted. - * assembler/MacroAssemblerX86Common.h: - -2017-07-12 Saam Barati - - GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments - https://bugs.webkit.org/show_bug.cgi?id=174411 - - - Reviewed by Mark Lam. - - The code for deleting an argument was incorrectly referencing state - when it decided if it should unmap or mark a property as having its - descriptor modified. This patch fixes the bug where if we delete a - property, we would sometimes not unmap an argument when deleting it. - - * runtime/GenericArgumentsInlines.h: - (JSC::GenericArguments::getOwnPropertySlot): - (JSC::GenericArguments::getOwnPropertySlotByIndex): - (JSC::GenericArguments::deleteProperty): - (JSC::GenericArguments::deletePropertyByIndex): - -2017-07-12 Commit Queue - - Unreviewed, rolling out r219176. - https://bugs.webkit.org/show_bug.cgi?id=174436 - - "Can cause infinite recursion on iOS" (Requested by mlam on - #webkit). - - Reverted changeset: - - "WTF::Thread should have the threads stack bounds." 
- https://bugs.webkit.org/show_bug.cgi?id=173975 - http://trac.webkit.org/changeset/219176 - -2017-07-12 Matt Lewis - - Unreviewed, rolling out r219401. - - This revision rolled out the previous patch, but after talking - with reviewer, a rebaseline is what was needed.Rolling back in - before rebaseline. - - Reverted changeset: - - "Unreviewed, rolling out r219379." - https://bugs.webkit.org/show_bug.cgi?id=174400 - http://trac.webkit.org/changeset/219401 - -2017-07-12 Matt Lewis - - Unreviewed, rolling out r219379. - - This revision caused a consistent failure in the test - fast/dom/Window/property-access-on-cached-window-after-frame- - removed.html. - - Reverted changeset: - - "Remove NAVIGATOR_HWCONCURRENCY" - https://bugs.webkit.org/show_bug.cgi?id=174400 - http://trac.webkit.org/changeset/219379 - -2017-07-12 Tooru Fujisawa [:arai] - - Wrong radix used in Unicode Escape in invalid character error message - https://bugs.webkit.org/show_bug.cgi?id=174419 - - Reviewed by Alex Christensen. - - * parser/Lexer.cpp: - (JSC::Lexer::invalidCharacterMessage): - -2017-07-11 Dean Jackson - - Remove NAVIGATOR_HWCONCURRENCY - https://bugs.webkit.org/show_bug.cgi?id=174400 - - Reviewed by Sam Weinig. - - * Configurations/FeatureDefines.xcconfig: - -2017-07-11 Dean Jackson - - Rolling out r219372. - - * Configurations/FeatureDefines.xcconfig: - -2017-07-11 Dean Jackson - - Remove NAVIGATOR_HWCONCURRENCY - https://bugs.webkit.org/show_bug.cgi?id=174400 - - Reviewed by Sam Weinig. - - * Configurations/FeatureDefines.xcconfig: - -2017-07-11 Saam Barati - - remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files - https://bugs.webkit.org/show_bug.cgi?id=174397 - - Rubber stamped by David Kilzer. - - * wasm/js/WebAssemblyFunctionCell.cpp: Removed. - * wasm/js/WebAssemblyFunctionCell.h: Removed. 
- -2017-07-10 Saam Barati - - Allocation sinking phase should consider a CheckStructure that would fail as an escape - https://bugs.webkit.org/show_bug.cgi?id=174321 - - - Reviewed by Filip Pizlo. - - When the allocation sinking phase was generating stores to materialize - objects in a cycle with each other, it would assume that each materialized - object had a valid, non empty, set of structures. This is an OK assumption for - the phase to make because how do you materialize an object with no structure? - - The abstract interpretation part of the phase will model what's in the heap. - However, it would sometimes model that a CheckStructure would fail. The phase - did nothing special for this; it just stored the empty set of structures for - its representation of a particular allocation. However, what the phase proved - in such a scenario is that, had the CheckStructure executed, it would have exited. - - This patch treats such CheckStructures and MultiGetByOffsets as escape points. - This will cause the allocation in question to be materialized just before - the CheckStructure, and then at execution time, the CheckStructure will exit. - - I wasn't able to write a test case for this. However, I was able to reproduce - this crash by manually editing the IR. I've opened a separate bug to help us - create a testing framework for writing tests for hard to reproduce bugs like this: - https://bugs.webkit.org/show_bug.cgi?id=174322 - - * dfg/DFGObjectAllocationSinkingPhase.cpp: - -2017-07-10 Devin Rousso - - Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab - https://bugs.webkit.org/show_bug.cgi?id=174279 - - Reviewed by Matt Baker. - - * inspector/protocol/DOM.json: - Add `highlightNodeList` command that will highlight each node in the given list. - -2017-07-03 Brian Burg - - Web Replay: remove some unused code - https://bugs.webkit.org/show_bug.cgi?id=173903 - - Rubber-stamped by Joseph Pecoraro. 
-
- * CMakeLists.txt:
- * Configurations/FeatureDefines.xcconfig:
- * DerivedSources.make:
- * JavaScriptCore.xcodeproj/project.pbxproj:
- * inspector/protocol/Replay.json: Removed.
- * replay/EmptyInputCursor.h: Removed.
- * replay/EncodedValue.cpp: Removed.
- * replay/EncodedValue.h: Removed.
- * replay/InputCursor.h: Removed.
- * replay/JSInputs.json: Removed.
- * replay/NondeterministicInput.h: Removed.
- * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
- * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
- * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
- * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
- * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
- * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
- * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
- * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
- * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
- * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
- * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
- * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
- * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
- * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
- * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
- * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
- * replay/scripts/tests/fail-on-missing-type-name.json: Removed. - * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed. - * replay/scripts/tests/fail-on-unknown-member-type.json: Removed. - * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed. - * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed. - * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed. - * replay/scripts/tests/generate-enum-with-guard.json: Removed. - * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed. - * replay/scripts/tests/generate-event-loop-shape-types.json: Removed. - * replay/scripts/tests/generate-input-with-guard.json: Removed. - * replay/scripts/tests/generate-input-with-vector-members.json: Removed. - * replay/scripts/tests/generate-inputs-with-flags.json: Removed. - * replay/scripts/tests/generate-memoized-type-modes.json: Removed. - * runtime/DateConstructor.cpp: - (JSC::constructDate): - (JSC::dateNow): - (JSC::deterministicCurrentTime): Deleted. - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::JSGlobalObject): - (JSC::JSGlobalObject::setInputCursor): Deleted. - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::inputCursor): Deleted. - -2017-07-10 Carlos Garcia Campos - - Move make-js-file-arrays.py from WebCore to JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=174024 - - Reviewed by Michael Catanzaro. - - It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore - specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation. - Added command line option to pass the namespace to use instead of using WebCore. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py. 
- (main): - -2017-07-09 Yusuke Suzuki - - [JSC] Drop LineNumberAdder since we no longer treat (not ) as one line terminator - https://bugs.webkit.org/show_bug.cgi?id=174296 - - Reviewed by Mark Lam. - - Previously, we treat as one line terminator. So we increase line number by one. - It caused a problem in scanning template literals. While template literals normalize - to , we still needed to increase line number by only one. - To handle it correctly, LineNumberAdder is introduced. - - As of r219263, is counted as two line terminators. So we do not need to have - LineNumberAdder. Let's just use shiftLineTerminator() instead. - - * parser/Lexer.cpp: - (JSC::Lexer::parseTemplateLiteral): - (JSC::LineNumberAdder::LineNumberAdder): Deleted. - (JSC::LineNumberAdder::clear): Deleted. - (JSC::LineNumberAdder::add): Deleted. - -2017-07-09 Dan Bernstein - - [Xcode] ICU headers aren’t treated as system headers after r219155 - https://bugs.webkit.org/show_bug.cgi?id=174299 - - Reviewed by Sam Weinig. - - * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and - C++ compilers. - -* runtime/IntlCollator.cpp: Removed documentation warning suppression. - * runtime/IntlDateTimeFormat.cpp: Ditto. - * runtime/JSGlobalObject.cpp: Ditto. - * runtime/StringPrototype.cpp: Ditto. - -2017-07-09 Yusuke Suzuki - - [JSC] Use fastMalloc / fastFree for STL containers - https://bugs.webkit.org/show_bug.cgi?id=174297 - - Reviewed by Sam Weinig. - - In some places, we intentionally use STL containers over WTF containers. - For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map} - because we do not have effective empty / deleted representations in the space of key's value. - But just using STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled). - - We introduce WTF::FastAllocator. This is C++ allocator implementation using fastMalloc and fastFree. 
- We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc. - - This WTF::FastAllocator gives us a chance to use STL containers if it is necessary - without compromising memory allocation throughput. - - * dfg/DFGGraph.h: - * dfg/DFGIntegerCheckCombiningPhase.cpp: - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): - * runtime/FunctionHasExecutedCache.h: - * runtime/TypeLocationCache.h: - -2017-07-08 Yusuke Suzuki - - Drop NOSNIFF compile flag - https://bugs.webkit.org/show_bug.cgi?id=174289 - - Reviewed by Michael Catanzaro. - - * Configurations/FeatureDefines.xcconfig: - -2017-07-07 AJ Ringer - - Lower the max_protection for the separated heap - https://bugs.webkit.org/show_bug.cgi?id=174281 - - Reviewed by Oliver Hunt. - - Switch to vm_protect so we can set maximum page protection. - - * jit/ExecutableAllocator.cpp: - (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps): - (JSC::ExecutableAllocator::allocate): - -2017-07-07 Devin Rousso - - Web Inspector: Show all elements currently using a given CSS Canvas - https://bugs.webkit.org/show_bug.cgi?id=173965 - - Reviewed by Joseph Pecoraro. - - * inspector/protocol/Canvas.json: - - Add `requestCSSCanvasClientNodes` command for getting the node IDs all nodes using this - canvas via -webkit-canvas. - - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is - added/removed from the list of -webkit-canvas clients. - -2017-07-07 Mark Lam - - \n\r is not the same as \r\n. - https://bugs.webkit.org/show_bug.cgi?id=173053 - - Reviewed by Keith Miller. - - * parser/Lexer.cpp: - (JSC::Lexer::shiftLineTerminator): - (JSC::LineNumberAdder::add): - -2017-07-07 Commit Queue - - Unreviewed, rolling out r219238, r219239, and r219241. - https://bugs.webkit.org/show_bug.cgi?id=174265 - - "fast/workers/dedicated-worker-lifecycle.html is flaky" - (Requested by yusukesuzuki on #webkit). 
- - Reverted changesets: - - "[WTF] Implement WTF::ThreadGroup" - https://bugs.webkit.org/show_bug.cgi?id=174081 - http://trac.webkit.org/changeset/219238 - - "Unreviewed, build fix after r219238" - https://bugs.webkit.org/show_bug.cgi?id=174081 - http://trac.webkit.org/changeset/219239 - - "Unreviewed, CLoop build fix after r219238" - https://bugs.webkit.org/show_bug.cgi?id=174081 - http://trac.webkit.org/changeset/219241 - -2017-07-06 Yusuke Suzuki - - Unreviewed, CLoop build fix after r219238 - https://bugs.webkit.org/show_bug.cgi?id=174081 - - * heap/MachineStackMarker.cpp: - -2017-07-05 Yusuke Suzuki - - [WTF] Implement WTF::ThreadGroup - https://bugs.webkit.org/show_bug.cgi?id=174081 - - Reviewed by Mark Lam. - - Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup. - And SamplingProfiler and others interact with WTF::Thread directly. - - * API/tests/ExecutionTimeLimitTest.cpp: - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::MachineThreads): - (JSC::captureStack): - (JSC::MachineThreads::tryCopyOtherThreadStack): - (JSC::MachineThreads::tryCopyOtherThreadStacks): - (JSC::MachineThreads::gatherConservativeRoots): - (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted. - (JSC::ActiveMachineThreadsManager::add): Deleted. - (JSC::ActiveMachineThreadsManager::remove): Deleted. - (JSC::ActiveMachineThreadsManager::contains): Deleted. - (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted. - (JSC::activeMachineThreadsManager): Deleted. - (JSC::MachineThreads::~MachineThreads): Deleted. - (JSC::MachineThreads::addCurrentThread): Deleted. - (): Deleted. - (JSC::MachineThreads::removeThread): Deleted. - (JSC::MachineThreads::removeThreadIfFound): Deleted. - (JSC::MachineThreads::MachineThread::MachineThread): Deleted. - (JSC::MachineThreads::MachineThread::getRegisters): Deleted. - (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted. 
- (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted. - (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted. - (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted. - (JSC::MachineThreads::MachineThread::captureStack): Deleted. - * heap/MachineStackMarker.h: - (JSC::MachineThreads::addCurrentThread): - (JSC::MachineThreads::getLock): - (JSC::MachineThreads::threads): - (JSC::MachineThreads::MachineThread::suspend): Deleted. - (JSC::MachineThreads::MachineThread::resume): Deleted. - (JSC::MachineThreads::MachineThread::threadID): Deleted. - (JSC::MachineThreads::MachineThread::stackBase): Deleted. - (JSC::MachineThreads::MachineThread::stackEnd): Deleted. - (JSC::MachineThreads::threadsListHead): Deleted. - * runtime/SamplingProfiler.cpp: - (JSC::FrameWalker::isValidFramePointer): - (JSC::SamplingProfiler::SamplingProfiler): - (JSC::SamplingProfiler::takeSample): - (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread): - * runtime/SamplingProfiler.h: - * wasm/WasmMachineThreads.cpp: - (JSC::Wasm::resetInstructionCacheOnAllThreads): - -2017-07-06 Saam Barati - - We are missing places where we invalidate the for-in context - https://bugs.webkit.org/show_bug.cgi?id=174184 - - Reviewed by Geoffrey Garen. 
- - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::invalidateForInContextForLocal): - * bytecompiler/NodesCodegen.cpp: - (JSC::EmptyLetExpression::emitBytecode): - (JSC::ForInNode::emitLoopHeader): - (JSC::ForOfNode::emitBytecode): - (JSC::BindingNode::bindValue): - -2017-07-06 Yusuke Suzuki - - Unreviewed, suppress warnings in GCC environment - - * dfg/DFGObjectAllocationSinkingPhase.cpp: - * runtime/IntlCollator.cpp: - * runtime/IntlDateTimeFormat.cpp: - * runtime/JSGlobalObject.cpp: - * runtime/StringPrototype.cpp: - -2017-07-05 Saam Barati - - NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time - https://bugs.webkit.org/show_bug.cgi?id=174188 - - - Reviewed by Mark Lam. - - We were calling lowJSValue(edge) when we were speculating the - edge as double. This isn't allowed. We should have been using - lowDouble. - - This patch also adds a new option, called useArrayAllocationProfiling, - which defaults to true. When false, it will make the array allocation - profile not actually sample seen arrays. It'll force the allocation - profile's predicted indexing type to be ArrayWithUndecided. Adding - this option made it trivial to write a test for this bug. - - * bytecode/ArrayAllocationProfile.cpp: - (JSC::ArrayAllocationProfile::updateIndexingType): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): - * runtime/Options.h: - -2017-07-05 Yusuke Suzuki - - WTF::Thread should have the threads stack bounds. - https://bugs.webkit.org/show_bug.cgi?id=173975 - - Reviewed by Keith Miller. - - There is a site in JSC that try to walk another thread's stack. - Currently, stack bounds are stored in WTFThreadData which is located - in TLS. Thus, only the thread itself can access its own WTFThreadData. - We workaround this situation by holding StackBounds in MachineThread in JSC, - but StackBounds should be put in WTF::Thread instead. 
- - This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds - information is tightly coupled with Thread. Thus putting it in WTF::Thread - is natural choice. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::MachineThread::MachineThread): - (JSC::MachineThreads::MachineThread::captureStack): - * heap/MachineStackMarker.h: - (JSC::MachineThreads::MachineThread::stackBase): - (JSC::MachineThreads::MachineThread::stackEnd): - * runtime/InitializeThreading.cpp: - (JSC::initializeThreading): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::VM::updateStackLimits): - (JSC::VM::committedStackByteCount): - * runtime/VM.h: - (JSC::VM::isSafeToRecurse): - * runtime/VMEntryScope.cpp: - (JSC::VMEntryScope::VMEntryScope): - * runtime/VMInlines.h: - (JSC::VM::ensureStackCapacityFor): - * runtime/VMTraps.cpp: - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse): - -2017-07-05 Keith Miller - - Crashing with information should have an abort reason - https://bugs.webkit.org/show_bug.cgi?id=174185 - - Reviewed by Saam Barati. - - Add crash information for the abstract interpreter and add an enum - value for object allocation sinking. - - * assembler/AbortReason.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::verifyEdge): - * dfg/DFGGraph.cpp: - (JSC::DFG::logDFGAssertionFailure): - * dfg/DFGObjectAllocationSinkingPhase.cpp: - -2017-07-03 Myles C. Maxfield - - Remove copy of ICU headers from WebKit - https://bugs.webkit.org/show_bug.cgi?id=116407 - - Reviewed by Alex Christensen. - - Use WTF's copy of ICU headers. - - * Configurations/Base.xcconfig: - * icu/unicode/localpointer.h: Removed. - * icu/unicode/parseerr.h: Removed. - * icu/unicode/platform.h: Removed. - * icu/unicode/ptypes.h: Removed. - * icu/unicode/putil.h: Removed. - * icu/unicode/uchar.h: Removed. - * icu/unicode/ucnv.h: Removed. - * icu/unicode/ucnv_err.h: Removed. - * icu/unicode/ucol.h: Removed. - * icu/unicode/uconfig.h: Removed. 
- * icu/unicode/ucurr.h: Removed. - * icu/unicode/uenum.h: Removed. - * icu/unicode/uiter.h: Removed. - * icu/unicode/uloc.h: Removed. - * icu/unicode/umachine.h: Removed. - * icu/unicode/unorm.h: Removed. - * icu/unicode/unorm2.h: Removed. - * icu/unicode/urename.h: Removed. - * icu/unicode/uscript.h: Removed. - * icu/unicode/uset.h: Removed. - * icu/unicode/ustring.h: Removed. - * icu/unicode/utf.h: Removed. - * icu/unicode/utf16.h: Removed. - * icu/unicode/utf8.h: Removed. - * icu/unicode/utf_old.h: Removed. - * icu/unicode/utypes.h: Removed. - * icu/unicode/uvernum.h: Removed. - * icu/unicode/uversion.h: Removed. - * runtime/IntlCollator.cpp: - * runtime/IntlDateTimeFormat.cpp: - (JSC::IntlDateTimeFormat::partTypeString): - * runtime/JSGlobalObject.cpp: - * runtime/StringPrototype.cpp: - (JSC::normalize): - (JSC::stringProtoFuncNormalize): - -2017-07-05 Devin Rousso - - Web Inspector: Allow users to log any tracked canvas context - https://bugs.webkit.org/show_bug.cgi?id=173397 - - - Reviewed by Joseph Pecoraro. - - * inspector/protocol/Canvas.json: - Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context. - -2017-07-05 Jonathan Bedard - - Add WebKitPrivateFrameworkStubs for iOS 11 - https://bugs.webkit.org/show_bug.cgi?id=173988 - - Reviewed by David Kilzer. - - * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the - same directory for private framework stubs. - -2017-07-05 JF Bastien - - WebAssembly: implement name section's module name, skip unknown sections - https://bugs.webkit.org/show_bug.cgi?id=172008 - - Reviewed by Keith Miller. - - Parse the WebAssembly module name properly, and skip unknown - sections. This is useful because as toolchains support new types - of names we want to keep displaying the information we know about - and simply ignore new information. That capability was designed - into WebAssembly's name section. 
- - Failure to commit this patch would mean that WebKit won't display - stack trace information, which would make developers sad. - - Module names were added here: https://github.com/WebAssembly/design/pull/1055 - - Note that this patch doesn't do anything with the parsed name! Two - reasons for this: module names aren't supported in binaryen yet, - so I can't write a simple binary test; and using the name is a - slightly riskier change because it requires changing StackVisitor - + StackFrame (where they print "[wasm code]") which requires - figuring out the frame's Module. The latter bit isn't trivial - because we only know wasm frames from their tag bits, and - CodeBlocks are always nullptr. - - Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010 - - I filed #174098 to use the module name. - - * wasm/WasmFormat.h: - (JSC::Wasm::isValidNameType): - * wasm/WasmNameSectionParser.cpp: - -2017-07-04 Joseph Pecoraro - - Cleanup some StringBuilder use - https://bugs.webkit.org/show_bug.cgi?id=174118 - - Reviewed by Andreas Kling. - - * runtime/FunctionConstructor.cpp: - (JSC::constructFunctionSkippingEvalEnabledCheck): - * tools/FunctionOverrides.cpp: - (JSC::parseClause): - * wasm/WasmOMGPlan.cpp: - * wasm/WasmPlan.cpp: - * wasm/WasmValidate.cpp: - -2017-07-03 Saam Barati - - LayoutTest workers/bomb.html is a Crash - https://bugs.webkit.org/show_bug.cgi?id=167757 - - - Reviewed by Keith Miller. - - VMTraps::SignalSender was accessing VM fields even after - the VM was destroyed. This happened when the SignalSender - thread was in the middle of its work() function while VMTraps - was notified that the VM was shutting down. The VM would proceed - to run its destructor even after the SignalSender thread finished - doing its work. This means that the SignalSender thread was accessing - VM field eve after VM was destructed (including itself, since it is - transitively owned by the VM). 
The VM must wait for the SignalSender - thread to shutdown before it can continue to destruct itself. - - * runtime/VMTraps.cpp: - (JSC::VMTraps::willDestroyVM): - -2017-07-03 Saam Barati - - DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status - https://bugs.webkit.org/show_bug.cgi?id=174110 - - Reviewed by Michael Saboff. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - -2017-07-03 Saam Barati - - Add a new assertion to object allocation sinking phase - https://bugs.webkit.org/show_bug.cgi?id=174107 - - Rubber stamped by Filip Pizlo. - - * dfg/DFGObjectAllocationSinkingPhase.cpp: - -2017-07-03 Commit Queue - - Unreviewed, rolling out r219060. - https://bugs.webkit.org/show_bug.cgi?id=174108 - - crashing constantly when initializing UIWebView (Requested by - thorton on #webkit). - - Reverted changeset: - - "WTF::Thread should have the threads stack bounds." - https://bugs.webkit.org/show_bug.cgi?id=173975 - http://trac.webkit.org/changeset/219060 - -2017-07-03 Matt Lewis - - Unreviewed, rolling out r219103. - - Caused multiple build failures. - - Reverted changeset: - - "Remove copy of ICU headers from WebKit" - https://bugs.webkit.org/show_bug.cgi?id=116407 - http://trac.webkit.org/changeset/219103 - -2017-07-03 Myles C. Maxfield - - Remove copy of ICU headers from WebKit - https://bugs.webkit.org/show_bug.cgi?id=116407 - - Reviewed by Alex Christensen. - - Use WTF's copy of ICU headers. - - * Configurations/Base.xcconfig: - * icu/unicode/localpointer.h: Removed. - * icu/unicode/parseerr.h: Removed. - * icu/unicode/platform.h: Removed. - * icu/unicode/ptypes.h: Removed. - * icu/unicode/putil.h: Removed. - * icu/unicode/uchar.h: Removed. - * icu/unicode/ucnv.h: Removed. - * icu/unicode/ucnv_err.h: Removed. - * icu/unicode/ucol.h: Removed. - * icu/unicode/uconfig.h: Removed. - * icu/unicode/ucurr.h: Removed. - * icu/unicode/uenum.h: Removed. - * icu/unicode/uiter.h: Removed. 
- * icu/unicode/uloc.h: Removed. - * icu/unicode/umachine.h: Removed. - * icu/unicode/unorm.h: Removed. - * icu/unicode/unorm2.h: Removed. - * icu/unicode/urename.h: Removed. - * icu/unicode/uscript.h: Removed. - * icu/unicode/uset.h: Removed. - * icu/unicode/ustring.h: Removed. - * icu/unicode/utf.h: Removed. - * icu/unicode/utf16.h: Removed. - * icu/unicode/utf8.h: Removed. - * icu/unicode/utf_old.h: Removed. - * icu/unicode/utypes.h: Removed. - * icu/unicode/uvernum.h: Removed. - * icu/unicode/uversion.h: Removed. - * runtime/IntlCollator.cpp: - * runtime/IntlDateTimeFormat.cpp: - * runtime/JSGlobalObject.cpp: - * runtime/StringPrototype.cpp: - -2017-07-03 Saam Barati - - Add better crash logging for allocation sinking phase - https://bugs.webkit.org/show_bug.cgi?id=174102 - - - Rubber stamped by Filip Pizlo. - - I'm trying to gather better information from crashlogs about why - we're crashing in the allocation sinking phase. I'm adding a allocation - sinking specific RELEASE_ASSERT as well as marking a few functions as - NEVER_INLINE to have the stack traces in the crash trace contain more - actionable information. - - * dfg/DFGObjectAllocationSinkingPhase.cpp: - -2017-07-03 Sam Weinig - - [WebIDL] Remove more unnecessary uses of the preprocessor in idl files - https://bugs.webkit.org/show_bug.cgi?id=174083 - - Reviewed by Alex Christensen. - - * Configurations/FeatureDefines.xcconfig: - Add ENABLE_NAVIGATOR_STANDALONE. - -2017-07-03 Andy Estes - - [Xcode] Add an experimental setting to build with ccache - https://bugs.webkit.org/show_bug.cgi?id=173875 - - Reviewed by Tim Horton. - - * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig. - -2017-07-03 Devin Rousso - - Web Inspector: Support listing WebGL2 and WebGPU contexts - https://bugs.webkit.org/show_bug.cgi?id=173396 - - Reviewed by Joseph Pecoraro. 
- - * inspector/protocol/Canvas.json: - * inspector/scripts/codegen/generator.py: - (Generator.stylized_name_for_enum_value): - Add cases for handling new Canvas.ContextType protocol enumerations: - - "webgl2" maps to `WebGL2` - - "webgpu" maps to `WebGPU` - -2017-07-02 Yusuke Suzuki - - WTF::Thread should have the threads stack bounds. - https://bugs.webkit.org/show_bug.cgi?id=173975 - - Reviewed by Mark Lam. - - There is a site in JSC that try to walk another thread's stack. - Currently, stack bounds are stored in WTFThreadData which is located - in TLS. Thus, only the thread itself can access its own WTFThreadData. - We workaround this situation by holding StackBounds in MachineThread in JSC, - but StackBounds should be put in WTF::Thread instead. - - This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds - information is tightly coupled with Thread. Thus putting it in WTF::Thread - is natural choice. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::MachineThread::MachineThread): - (JSC::MachineThreads::MachineThread::captureStack): - * heap/MachineStackMarker.h: - (JSC::MachineThreads::MachineThread::stackBase): - (JSC::MachineThreads::MachineThread::stackEnd): - * runtime/InitializeThreading.cpp: - (JSC::initializeThreading): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::VM::updateStackLimits): - (JSC::VM::committedStackByteCount): - * runtime/VM.h: - (JSC::VM::isSafeToRecurse): - * runtime/VMEntryScope.cpp: - (JSC::VMEntryScope::VMEntryScope): - * runtime/VMInlines.h: - (JSC::VM::ensureStackCapacityFor): - * runtime/VMTraps.cpp: - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse): - -2017-07-01 Dan Bernstein - - [iOS] Remove code only needed when building for iOS 9.x - https://bugs.webkit.org/show_bug.cgi?id=174068 - - Reviewed by Tim Horton. 
- - * Configurations/FeatureDefines.xcconfig: - * jit/ExecutableAllocator.cpp: - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - -2017-07-01 Dan Bernstein - - [macOS] Remove code only needed when building for OS X Yosemite - https://bugs.webkit.org/show_bug.cgi?id=174067 - - Reviewed by Tim Horton. - - * API/WebKitAvailability.h: - * Configurations/Base.xcconfig: - * Configurations/DebugRelease.xcconfig: - * Configurations/FeatureDefines.xcconfig: - * Configurations/Version.xcconfig: - -2017-07-01 Yusuke Suzuki - - Unreviewed, build fix for GCC - https://bugs.webkit.org/show_bug.cgi?id=174034 - - * b3/testb3.cpp: - (JSC::B3::testDoubleLiteralComparison): - -2017-06-30 Keith Miller - - Force crashWithInfo to be out of line. - https://bugs.webkit.org/show_bug.cgi?id=174028 - - Reviewed by Filip Pizlo. - - Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO. - - * dfg/DFGGraph.cpp: - (JSC::DFG::logDFGAssertionFailure): - (JSC::DFG::Graph::logAssertionFailure): - (JSC::DFG::crash): Deleted. - (JSC::DFG::Graph::handleAssertionFailure): Deleted. - * dfg/DFGGraph.h: - -2017-06-30 Yusuke Suzuki - - [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT - https://bugs.webkit.org/show_bug.cgi?id=174053 - - Reviewed by Geoffrey Garen. - - We already have AbstractMacroAssembler::random() function. Use it instead. - - * jit/JIT.cpp: - (JSC::JIT::JIT): - (JSC::JIT::compileWithoutLinking): - * jit/JIT.h: - -2017-06-30 Yusuke Suzuki - - [WTF] Drop SymbolRegistry::keyForSymbol - https://bugs.webkit.org/show_bug.cgi?id=174052 - - Reviewed by Sam Weinig. - - * runtime/SymbolConstructor.cpp: - (JSC::symbolConstructorKeyFor): - -2017-06-30 Saam Barati - - B3ReduceStrength should reduce EqualOrUnordered over const float input - https://bugs.webkit.org/show_bug.cgi?id=174039 - - Reviewed by Michael Saboff. - - We perform this folding for ConstDoubleValue. It is simply - an oversight that we didn't do it for ConstFloatValue. 
- - * b3/B3ConstFloatValue.cpp: - (JSC::B3::ConstFloatValue::equalOrUnorderedConstant): - * b3/B3ConstFloatValue.h: - * b3/testb3.cpp: - (JSC::B3::testFloatEqualOrUnorderedFolding): - (JSC::B3::testFloatEqualOrUnorderedFoldingNaN): - (JSC::B3::testFloatEqualOrUnorderedDontFold): - (JSC::B3::run): - -2017-06-30 Matt Baker - - Web Inspector: AsyncStackTrace nodes can be corrupted when truncating - https://bugs.webkit.org/show_bug.cgi?id=173840 - - - Reviewed by Joseph Pecoraro. - - When truncating an asynchronous stack trace, the parent chain is traversed - until a locked node is found. The path from this node to the root is shared - by more than one stack trace, and cannot be safely modified. Starting at - the first locked node, the path is cloned and becomes a new stack trace tree. - - However, the clone operation initialized each new AsyncStackTrace node with - the original node's parent. This would increment the child count of the original - node. When cloning nodes, new nodes should not have their parent set until the - next node up the parent chain is cloned. - - * inspector/AsyncStackTrace.cpp: - (Inspector::AsyncStackTrace::truncate): - -2017-06-30 Michael Saboff - - RegExp's anchored with .* with \g flag can return wrong match start for strings with multiple matches - https://bugs.webkit.org/show_bug.cgi?id=174044 - - Reviewed by Oliver Hunt. - - The .* enclosure optimization didn't respect that we can start matching from a non-zero - index. This optimization treats /.*.*/ by first matching the and - then finding the extent of the match by going back to the beginning of the line and going - forward to the end of the line. The code that went back to the beginning of the line - checked for an index of 0 instead of comparing the index to the start position. This start - position is passed as the initial index. - - Added another temporary register to the YARR JIT to contain the start position for - platforms that have spare registers. 
- - * yarr/Yarr.h: - * yarr/YarrInterpreter.cpp: - (JSC::Yarr::Interpreter::matchDotStarEnclosure): - (JSC::Yarr::Interpreter::Interpreter): - * yarr/YarrJIT.cpp: - (JSC::Yarr::YarrGenerator::generateDotStarEnclosure): - (JSC::Yarr::YarrGenerator::compile): - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPattern::YarrPattern): - * yarr/YarrPattern.h: - (JSC::Yarr::YarrPattern::reset): - -2017-06-30 Saam Barati - - B3MoveConstants floatZero() returns the wrong ValueKey - https://bugs.webkit.org/show_bug.cgi?id=174040 - - Reviewed by Filip Pizlo. - - It had a typo where the ValueKey for floatZero() produces a Double - instead of a Float. - - * b3/B3MoveConstants.cpp: - -2017-06-30 Saam Barati - - B3ReduceDoubleToFloat incorrectly reduces operations over two double constants - https://bugs.webkit.org/show_bug.cgi?id=174034 - - - Reviewed by Filip Pizlo. - - B3ReduceDoubleToFloat had a bug in it where it would incorrectly - reduce binary operations over double constants into the same binary - operation over the double constants casted to floats. This is clearly - incorrect as these two things will produce different values. For example: - - a = DoubleConst(bitwise_cast(0x8000000000000001ull)) - b = DoubleConst(bitwise_cast(0x0000000000000000ull)) - c = EqualOrUnordered(@a, @b) // produces 0 - - into: - - a = FloatConst(static_cast(bitwise_cast(0x8000000000000001ull))) - b = FloatConst(static_cast(bitwise_cast(0x0000000000000000ull))) - c = EqualOrUnordered(@a, @b) // produces 1 - - Which produces a different value for @c. - - * b3/B3ReduceDoubleToFloat.cpp: - * b3/testb3.cpp: - (JSC::B3::doubleEq): - (JSC::B3::doubleNeq): - (JSC::B3::doubleGt): - (JSC::B3::doubleGte): - (JSC::B3::doubleLt): - (JSC::B3::doubleLte): - (JSC::B3::testDoubleLiteralComparison): - (JSC::B3::run): - -2017-06-29 Jer Noble - - Make Legacy EME API controlled by RuntimeEnabled setting. - https://bugs.webkit.org/show_bug.cgi?id=173994 - - Reviewed by Sam Weinig. 
- - * Configurations/FeatureDefines.xcconfig: - * runtime/CommonIdentifiers.h: - -2017-06-30 Ryosuke Niwa - - Ran sort-Xcode-project-file. - - * JavaScriptCore.xcodeproj/project.pbxproj: - -2017-06-30 Matt Lewis - - Unreviewed, rolling out r218992. - - The patch broke the iOS device builds. - - Reverted changeset: - - "DFG_ASSERT should allow stuffing registers before trapping." - https://bugs.webkit.org/show_bug.cgi?id=174005 - http://trac.webkit.org/changeset/218992 - -2017-06-30 Filip Pizlo - - RegExpCachedResult::setInput should reify left and right contexts - https://bugs.webkit.org/show_bug.cgi?id=173818 - - Reviewed by Keith Miller. - - If you don't reify them in setInput, then when you later try to reify them, you'll end up - using indices into an old input string to create a substring of a new input string. That - never goes well. - - * runtime/RegExpCachedResult.cpp: - (JSC::RegExpCachedResult::setInput): - -2017-06-30 Keith Miller - - DFG_ASSERT should allow stuffing registers before trapping. - https://bugs.webkit.org/show_bug.cgi?id=174005 - - Reviewed by Mark Lam. - - DFG_ASSERT currently prints error data to stderr before crashing, - which is nice for local development. In the wild, however, we - can't see this information in crash logs. This patch enables - stuffing some of the most useful information from DFG_ASSERTS into - up to five registers right before crashing. The values stuffed - should not impact any logging during local development. - - * assembler/AbortReason.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::verifyEdge): - * dfg/DFGGraph.cpp: - (JSC::DFG::logForCrash): - (JSC::DFG::Graph::logAssertionFailure): - (JSC::DFG::crash): Deleted. - (JSC::DFG::Graph::handleAssertionFailure): Deleted. - * dfg/DFGGraph.h: - -2017-06-29 Saam Barati - - Calculating postCapacity in unshiftCountSlowCase is wrong - https://bugs.webkit.org/show_bug.cgi?id=173992 - - - Reviewed by Keith Miller. 
- - This patch fixes a bug inside unshiftCountSlowCase where we would use - more memory than we allocated. The bug was when deciding how much extra - space we have after the vector we've allocated. This area is called the - postCapacity. The largest legal postCapacity value we could use is the - space we allocated minus the space we need: - largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength; - However, the code was calculating the postCapacity as: - postCapacity = max(newStorageCapacity - requiredVectorLength, count); - - where count is how many elements we're appending. Depending on the inputs, - count could be larger than (newStorageCapacity - requiredVectorLength). This - would cause us to use more memory than we actually allocated. - - * runtime/JSArray.cpp: - (JSC::JSArray::unshiftCountSlowCase): - -2017-06-29 Commit Queue - - Unreviewed, rolling out r218512. - https://bugs.webkit.org/show_bug.cgi?id=173981 - - "It changes the behavior of the JS API's JSEvaluateScript - which breaks TurboTax" (Requested by saamyjoon on #webkit). - - Reverted changeset: - - "test262: Completion values for control flow do not match the - spec" - https://bugs.webkit.org/show_bug.cgi?id=171265 - http://trac.webkit.org/changeset/218512 - -2017-06-29 JF Bastien - - WebAssembly: disable some APIs under CSP - https://bugs.webkit.org/show_bug.cgi?id=173892 - - - Reviewed by Daniel Bates. - - We should disable parts of WebAssembly under Content Security - Policy as discussed here: - - https://github.com/WebAssembly/design/issues/1092 - - Exactly what should be disabled isn't super clear, so we may as - well be conservative and disable many things if developers already - opted into CSP. It's easy to loosen what we disable later. 
- - This patch disables: - - WebAssembly.Instance - - WebAssembly.instantiate - - WebAssembly.Memory - - WebAssembly.Table - - And leaves: - - WebAssembly on the global object - - WebAssembly.Module - - WebAssembly.compile - - WebAssembly.CompileError - - WebAssembly.LinkError - - Nothing because currently unimplmented: - - WebAssembly.compileStreaming - - WebAssembly.instantiateStreaming - - That way it won't be possible to call WebAssembly-compiled code, - or create memories (which use fancy 4GiB allocations - sometimes). Table isn't really useful on its own, and eventually - we may make them shareable so without more details it seems benign - to disable them (and useless if we don't). - - I haven't done anything with postMessage, so you can still - postMessage a WebAssembly.Module cross-CSP, but you can't - instantiate it so it's useless. Because of this I elected to leave - WebAssembly.Module and friends available. - - I haven't added any new directives. It's still unsafe-eval. We can - add something else later, but it seems odd to add a WebAssembly as - a new capability and tell developers "you should have been using - this directive which we just implemented if you wanted to disable - WebAssembly which didn't exist when you adopted CSP". So IMO we - should keep unsafe-eval as it currently is, add WebAssembly to - what it disables, and later consider having two new directives - which do each individually or something. - - In all cases I throw an EvalError *before* other WebAssembly - errors would be produced. 
- - Note that, as for eval, reporting doesn't work and is tracked by - https://webkit.org/b/111869 - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::JSGlobalObject): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::webAssemblyEnabled): - (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage): - (JSC::JSGlobalObject::setWebAssemblyEnabled): - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::create): - * wasm/js/JSWebAssemblyMemory.cpp: - (JSC::JSWebAssemblyMemory::create): - * wasm/js/JSWebAssemblyMemory.h: - * wasm/js/JSWebAssemblyTable.cpp: - (JSC::JSWebAssemblyTable::create): - * wasm/js/WebAssemblyMemoryConstructor.cpp: - (JSC::constructJSWebAssemblyMemory): - -2017-06-28 Keith Miller - - VMTraps has some races - https://bugs.webkit.org/show_bug.cgi?id=173941 - - Reviewed by Michael Saboff. - - This patch refactors much of the VMTraps API. - - On the message sending side: - - 1) No longer uses the Yarr JIT check to determine if we are in - RegExp code. That was unsound because RegExp JIT code can be run - on compilation threads. Instead it looks at the current frame's - code block slot and checks if it is valid, which is the same as - what it did for JIT code previously. - - 2) Only have one signal sender thread, previously, there could be - many at once, which caused some data races. Additionally, the - signal sender thread is an automatic thread so it will deallocate - itself when not in use. - - On the VMTraps breakpoint side: - - 1) We now have a true mapping of if we hit a breakpoint instead of - a JIT assertion. So the exception handler won't eat JIT assertions - anymore. - - 2) It jettisons all CodeBlocks that have VMTraps breakpoints on - them instead of every CodeBlock on the stack. This both prevents - us from hitting stale VMTraps breakpoints and also doesn't OSR - codeblocks that otherwise don't need to be jettisoned. 
- - 3) The old exception handler could theoretically fail for a couple - of reasons then resume execution with a clobbered instruction - set. This patch will kill the program if the exception handler - would fail. - - This patch also refactors some of the jsc.cpp functions to take the - CommandLine options object instead of individual options. Also, there - is a new command line option that makes exceptions due to watchdog - timeouts an acceptable result. - - * API/tests/testapi.c: - (main): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::installVMTrapBreakpoints): - * dfg/DFGCommonData.cpp: - (JSC::DFG::pcCodeBlockMap): - (JSC::DFG::CommonData::invalidate): - (JSC::DFG::CommonData::~CommonData): - (JSC::DFG::CommonData::installVMTrapBreakpoints): - (JSC::DFG::codeBlockForVMTrapPC): - * dfg/DFGCommonData.h: - * jsc.cpp: - (functionDollarAgentStart): - (checkUncaughtException): - (checkException): - (runWithOptions): - (printUsageStatement): - (CommandLine::parseArguments): - (jscmain): - (runWithScripts): Deleted. - * runtime/JSLock.cpp: - (JSC::JSLock::didAcquireLock): - * runtime/VMTraps.cpp: - (JSC::sanitizedTopCallFrame): - (JSC::VMTraps::tryInstallTrapBreakpoints): - (JSC::VMTraps::willDestroyVM): - (JSC::VMTraps::fireTrap): - (JSC::VMTraps::handleTraps): - (JSC::VMTraps::VMTraps): - (JSC::VMTraps::~VMTraps): - (JSC::findActiveVMAndStackBounds): Deleted. - (JSC::installSignalHandler): Deleted. - (JSC::VMTraps::addSignalSender): Deleted. - (JSC::VMTraps::removeSignalSender): Deleted. - (JSC::VMTraps::SignalSender::willDestroyVM): Deleted. - (JSC::VMTraps::SignalSender::send): Deleted. - * runtime/VMTraps.h: - (JSC::VMTraps::~VMTraps): Deleted. - (JSC::VMTraps::SignalSender::SignalSender): Deleted. - -2017-06-28 Devin Rousso - - Web Inspector: Instrument active pixel memory used by canvases - https://bugs.webkit.org/show_bug.cgi?id=173087 - - - Reviewed by Joseph Pecoraro. 
- - * inspector/protocol/Canvas.json: - - Add optional `memoryCost` attribute to the `Canvas` type. - - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes. - -2017-06-28 Joseph Pecoraro - - Web Inspector: Cleanup Protocol JSON files - https://bugs.webkit.org/show_bug.cgi?id=173934 - - Reviewed by Matt Baker. - - * inspector/protocol/ApplicationCache.json: - * inspector/protocol/CSS.json: - * inspector/protocol/Console.json: - * inspector/protocol/DOM.json: - * inspector/protocol/DOMDebugger.json: - * inspector/protocol/Debugger.json: - * inspector/protocol/LayerTree.json: - * inspector/protocol/Network.json: - * inspector/protocol/Page.json: - * inspector/protocol/Runtime.json: - Be more consistent about placement of `description` property. - -2017-06-27 Joseph Pecoraro - - Web Inspector: Remove unused Inspector domain events - https://bugs.webkit.org/show_bug.cgi?id=173905 - - Reviewed by Matt Baker. - - * inspector/protocol/Inspector.json: - -2017-06-28 JF Bastien - - Ensure that computed new stack pointer values do not underflow. - https://bugs.webkit.org/show_bug.cgi?id=173700 - - - Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam. - - Patch by Mark Lam, with the following fix: - - Re-apply this patch, it originally broke the ARM build because the llint code - generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot - be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison - and operands to emit valid code (because the second operand can be SP). - - 1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that - m_numCalleeLocals is sane. - - 2. Added underflow checks in LLInt code and VarargsFrame code. - - 3. Introduce minimumReservedZoneSize, which is hardcoded to 16K. - Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize. 
- Ensure that Options::softReservedZoneSize() is at least greater than - Options::reservedZoneSize() by minimumReservedZoneSize. - - 4. Ensure that stack checks emitted by JIT tiers include an underflow check if - and only if the max size of the frame is greater than Options::reservedZoneSize(). - - By design, we are guaranteed to have at least Options::reservedZoneSize() bytes - of memory at the bottom (end) of the stack. This means that, at any time, the - frame pointer must be at least Options::reservedZoneSize() bytes away from the - end of the stack. Hence, if the max frame size is less than - Options::reservedZoneSize(), there's no way that frame pointer - max - frame size can underflow, and we can elide the underflow check. - - Note that we use Options::reservedZoneSize() instead of - Options::softReservedZoneSize() for determine if we need an underflow check. - This is because the softStackLimit that is used for stack checks can be set - based on Options::reservedZoneSize() during error handling (e.g. when creating - strings for instantiating the Error object). Hence, the guaranteed minimum of - distance between the frame pointer and the end of the stack is - Options::reservedZoneSize() and nor Options::softReservedZoneSize(). - - Note also that we ensure that Options::reservedZoneSize() is at least - minimumReservedZoneSize (i.e. 16K). In typical deployments, - Options::reservedZoneSize() may be larger. Using Options::reservedZoneSize() - instead of minimumReservedZoneSize gives us more chances to elide underflow - checks. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::generate): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit): - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::emitStackOverflowCheck): - (JSC::DFG::JITCompiler::compile): - (JSC::DFG::JITCompiler::compileFunction): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::lower): - * jit/JIT.cpp: - (JSC::JIT::compileWithoutLinking): - * jit/SetupVarargsFrame.cpp: - (JSC::emitSetupVarargsFrameFastCase): - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - * runtime/MinimumReservedZoneSize.h: Added. - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - * runtime/VM.cpp: - (JSC::VM::updateStackLimits): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - -2017-06-28 Chris Dumez - - Unreviewed, rolling out r218869. - - Broke the iOS build - - Reverted changeset: - - "Ensure that computed new stack pointer values do not - underflow." - https://bugs.webkit.org/show_bug.cgi?id=173700 - http://trac.webkit.org/changeset/218869 - -2017-06-28 Chris Dumez - - Unreviewed, rolling out r218873. - - Broke the iOS build - - Reverted changeset: - - "Gardening: CLoop build fix." - https://bugs.webkit.org/show_bug.cgi?id=173700 - http://trac.webkit.org/changeset/218873 - -2017-06-28 Mark Lam - - Gardening: CLoop build fix. - https://bugs.webkit.org/show_bug.cgi?id=173700 - - - Not reviewed. - - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - -2017-06-28 Mark Lam - - Ensure that computed new stack pointer values do not underflow. - https://bugs.webkit.org/show_bug.cgi?id=173700 - - - Reviewed by Filip Pizlo and Saam Barati. - - 1. 
Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that - m_numCalleeLocals is sane. - - 2. Added underflow checks in LLInt code and VarargsFrame code. - - 3. Introduce minimumReservedZoneSize, which is hardcoded to 16K. - Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize. - Ensure that Options::softReservedZoneSize() is at least greater than - Options::reservedZoneSize() by minimumReservedZoneSize. - - 4. Ensure that stack checks emitted by JIT tiers include an underflow check if - and only if the max size of the frame is greater than Options::reservedZoneSize(). - - By design, we are guaranteed to have at least Options::reservedZoneSize() bytes - of memory at the bottom (end) of the stack. This means that, at any time, the - frame pointer must be at least Options::reservedZoneSize() bytes away from the - end of the stack. Hence, if the max frame size is less than - Options::reservedZoneSize(), there's no way that frame pointer - max - frame size can underflow, and we can elide the underflow check. - - Note that we use Options::reservedZoneSize() instead of - Options::softReservedZoneSize() for determine if we need an underflow check. - This is because the softStackLimit that is used for stack checks can be set - based on Options::reservedZoneSize() during error handling (e.g. when creating - strings for instantiating the Error object). Hence, the guaranteed minimum of - distance between the frame pointer and the end of the stack is - Options::reservedZoneSize() and nor Options::softReservedZoneSize(). - - Note also that we ensure that Options::reservedZoneSize() is at least - minimumReservedZoneSize (i.e. 16K). In typical deployments, - Options::reservedZoneSize() may be larger. Using Options::reservedZoneSize() - instead of minimumReservedZoneSize gives us more chances to elide underflow - checks. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::generate): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit): - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::compile): - (JSC::DFG::JITCompiler::compileFunction): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::lower): - * jit/JIT.cpp: - (JSC::JIT::compileWithoutLinking): - * jit/SetupVarargsFrame.cpp: - (JSC::emitSetupVarargsFrameFastCase): - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - * runtime/MinimumReservedZoneSize.h: Added. - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - * runtime/VM.cpp: - (JSC::VM::updateStackLimits): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - -2017-06-27 JF Bastien - - WebAssembly: running out of executable memory should throw OoM - https://bugs.webkit.org/show_bug.cgi?id=171537 - - - Reviewed by Saam Barati. - - Both on first compile with BBQ as well as on tier-up with OMG, - running out of X memory shouldn't cause the entire program to - terminate. An exception will do when compiling initial code (since - we don't have any other fallback at the moment), and refusal to - tier up will do as well (it'll just be slower). - - This is useful because programs which generate huge amounts of - code simply look like crashes, which developers report to - us. Getting a JavaScript exception instead is much clearer. 
- - * jit/ExecutableAllocator.cpp: - (JSC::ExecutableAllocator::allocate): - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::shouldJIT): - * runtime/Options.h: - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::prepare): - (JSC::Wasm::BBQPlan::complete): - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - (JSC::Wasm::wasmToWasm): - * wasm/WasmBinding.h: - * wasm/WasmOMGPlan.cpp: - (JSC::Wasm::OMGPlan::work): - * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): - * wasm/js/JSWebAssemblyCodeBlock.h: - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finalizeCreation): - -2017-06-27 Saam Barati - - JITStubRoutine::passesFilter should use isJITPC - https://bugs.webkit.org/show_bug.cgi?id=173906 - - Reviewed by JF Bastien. - - This patch makes JITStubRoutine use the isJITPC abstraction defined - inside ExecutableAllocator.h. Before, JITStubRoutine was using a - hardcoded platform size constant. This means it'd do the wrong thing - if Options::jitMemoryReservationSize() was larger than the defined - constant for that platform. This patch also removes a bunch of - dead code in that file. - - * jit/ExecutableAllocator.cpp: - * jit/ExecutableAllocator.h: - * jit/JITStubRoutine.h: - (JSC::JITStubRoutine::passesFilter): - (JSC::JITStubRoutine::canPerformRangeFilter): Deleted. - (JSC::JITStubRoutine::filteringStartAddress): Deleted. - (JSC::JITStubRoutine::filteringExtentSize): Deleted. - -2017-06-27 Saam Barati - - Fix some stale comments in Wasm code base - https://bugs.webkit.org/show_bug.cgi?id=173814 - - Reviewed by Mark Lam. - - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - * wasm/WasmOMGPlan.cpp: - (JSC::Wasm::runOMGPlanForIndex): - -2017-06-27 Caio Lima - - [ESnext] Implement Object Rest - Implementing Object Rest Destructuring - https://bugs.webkit.org/show_bug.cgi?id=167962 - - Reviewed by Saam Barati. 
- - Object Rest/Spread Destructing proposal is in stage 3[1] and this - Patch is a prototype implementation of it. A simple change over the - parser was necessary to support the new '...' token on Object Pattern - destruction rule. In the bytecode generator side, We changed the - bytecode generated on ObjectPatternNode::bindValue to store in an - set the identifiers of already destructured properties, following spec draft - section[2], and then pass it as excludedNames to CopyDataProperties. - The rest destructuring calls copyDataProperties to perform the - copy of rest properties in rhs. - - We also implemented CopyDataProperties as private JS global operation - on builtins/GlobalOperations.js following it's specification on [3]. - It is implemented using Set object to verify if a property is on - excludedNames to keep this algorithm with O(n + m) complexity, where n - = number of source's own properties and m = excludedNames.length. - - In this implementation we aren't using excludeList as constant if - destructuring pattern contains computed property, i.e. we can - just determine the key to be excluded at runtime. If we can define all - identifiers in the pattern in compile time, we then create a - constant JSSet. This approach gives a good performance improvement, - since we allocate the excludeSet just once, reducing GC pressure. 
- - [1] - https://github.com/tc39/proposal-object-rest-spread - [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation - [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties - - * builtins/BuiltinNames.h: - * builtins/GlobalOperations.js: - (globalPrivate.copyDataProperties): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finishCreation): - * bytecompiler/NodesCodegen.cpp: - (JSC::ObjectPatternNode::bindValue): - * parser/ASTBuilder.h: - (JSC::ASTBuilder::appendObjectPatternEntry): - (JSC::ASTBuilder::appendObjectPatternRestEntry): - (JSC::ASTBuilder::setContainsObjectRestElement): - * parser/Nodes.h: - (JSC::ObjectPatternNode::appendEntry): - (JSC::ObjectPatternNode::setContainsRestElement): - * parser/Parser.cpp: - (JSC::Parser::parseDestructuringPattern): - (JSC::Parser::parseProperty): - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::operatorStackPop): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::asyncFunctionStructure): - (JSC::JSGlobalObject::setStructure): Deleted. - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::privateToObject): - * runtime/JSGlobalObjectFunctions.h: - * runtime/ObjectConstructor.cpp: - (JSC::ObjectConstructor::finishCreation): - * runtime/SetPrototype.cpp: - (JSC::SetPrototype::finishCreation): - -2017-06-27 Yusuke Suzuki - - [JSC] Do not touch VM after notifying Ready in DFG::Worklist - https://bugs.webkit.org/show_bug.cgi?id=173888 - - Reviewed by Saam Barati. - - After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed. - Thus, Plan::vm() can return a destroyed VM. Do not touch it. - This causes occasional SEGV / assertion failures in workers/bomb test. 
- - * dfg/DFGWorklist.cpp: - -2017-06-27 Saam Barati - - Remove an inaccurate comment inside DFGClobberize.h - https://bugs.webkit.org/show_bug.cgi?id=163874 - - Reviewed by Filip Pizlo. - - The comment said that Clobberize may or may not be sound if run prior to - doing type inference. This is not correct, though. Clobberize *must* be sound - prior do doing type inference since we use it inside the BytecodeParser, which - is the very first thing the DFG does. - - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - -2017-06-27 Saam Barati - - Function constructor needs to follow the spec and validate parameters and body independently - https://bugs.webkit.org/show_bug.cgi?id=173303 - - - Reviewed by Keith Miller. - - The Function constructor must check the arguments and body strings - independently for syntax errors. People rely on this specified behavior - to verify that a particular string is a valid function body. We used - to check these things strings concatenated together, instead of - independently. For example, this used to be valid: `Function("/*", "*/){")`. - However, we should throw a syntax error here since "(/*)" is not a valid - parameter list, and "*/){" is not a valid body. - - To implement the specified behavior, we check the syntax independently of - both the body and the parameter list. To check that the parameter list has - valid syntax, we check that it is valid if in a function with an empty body. - To check that the body has valid syntax, we check it is valid in a function - with an empty parameter list. - - * runtime/FunctionConstructor.cpp: - (JSC::constructFunctionSkippingEvalEnabledCheck): - -2017-06-27 Ting-Wei Lan - - Add missing includes to fix compilation error on FreeBSD - https://bugs.webkit.org/show_bug.cgi?id=172919 - - Reviewed by Mark Lam. 
- - * API/JSRemoteInspector.h: - * API/tests/GlobalContextWithFinalizerTest.cpp: - * API/tests/TypedArrayCTest.cpp: - -2017-06-27 Joseph Pecoraro - - Web Inspector: Crash generating object preview for ArrayIterator - https://bugs.webkit.org/show_bug.cgi?id=173754 - - - Reviewed by Saam Barati. - - When Inspector generates an object preview for an ArrayIterator instance it made - a "clone" of the original ArrayIterator instance by constructing a new object with - the instance's structure. However, user code could have modified that instance's - structure, such as adding / removing properties. The `return` property had special - meaning, and our clone did not fill that slot. This approach is brittle in that - we weren't satisfying the expectations of an object with a particular Structure, - and the original goal of having Web Inspector peek values of built-in Iterators - was to avoid observable behavior. - - This tightens Web Inspector's Iterator preview to only peek values if the - Iterators would actually be non-observable. It also builds an ArrayIterator - clone like a regular object construction. - - * inspector/JSInjectedScriptHost.cpp: - (Inspector::cloneArrayIteratorObject): - Build up the Object from scratch with a new ArrayIterator prototype. - - (Inspector::JSInjectedScriptHost::iteratorEntries): - Only clone and peek iterators if it would not be observable. - Also update iteration to be more in line with IterationOperations, such as when - we call iteratorClose. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::JSGlobalObject): - (JSC::JSGlobalObject::init): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): - * runtime/JSGlobalObjectInlines.h: - (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable): - Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints. 
- - * runtime/JSMap.cpp: - (JSC::JSMap::isIteratorProtocolFastAndNonObservable): - (JSC::JSMap::canCloneFastAndNonObservable): - * runtime/JSMap.h: - * runtime/JSSet.cpp: - (JSC::JSSet::isIteratorProtocolFastAndNonObservable): - (JSC::JSSet::canCloneFastAndNonObservable): - * runtime/JSSet.h: - Promote isIteratorProtocolFastAndNonObservable to a method. - - * runtime/JSObject.cpp: - (JSC::canDoFastPutDirectIndex): - * runtime/JSTypeInfo.h: - (JSC::TypeInfo::isArgumentsType): - Helper to detect if an Object is an Arguments type. - -2017-06-26 Saam Barati - - RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect - https://bugs.webkit.org/show_bug.cgi?id=173740 - - Reviewed by Mark Lam. - - The builtin was using for-of iteration to iterate over an internal - list in its algorithm. For-of iteration is observable via user code - in the global object, so this approach was wrong as it would break if - a user changed the Array iteration protocol in some way. - - * builtins/RegExpPrototype.js: - (replace): - -2017-06-26 Mark Lam - - Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor. - https://bugs.webkit.org/show_bug.cgi?id=173848 - - Reviewed by JF Bastien. - - This functor only dumps the return VirtualPC. - - * interpreter/Interpreter.cpp: - (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): - (JSC::Interpreter::dumpRegisters): - (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted. - (JSC::DumpRegisterFunctor::operator()): Deleted. - -2017-06-26 Saam Barati - - Crash in JSC::Lexer::setCode - https://bugs.webkit.org/show_bug.cgi?id=172754 - - Reviewed by Mark Lam. - - The lexer was asking one of its buffers to reserve initial space that - was O(text size in bytes). For large sources, this would end up causing - the vector to overflow and crash. This patch changes this code be like - the Lexer's other buffers and to only reserve a small starting buffer. 
- - * parser/Lexer.cpp: - (JSC::Lexer::setCode): - -2017-06-26 Yusuke Suzuki - - [WTF] Drop Thread::create(obsolete things) API since we can use lambda - https://bugs.webkit.org/show_bug.cgi?id=173825 - - Reviewed by Saam Barati. - - * jsc.cpp: - (startTimeoutThreadIfNeeded): - (timeoutThreadMain): Deleted. - -2017-06-26 Konstantin Tokarev - - Unreviewed, add missing header for CLoop - - * runtime/SymbolTable.cpp: - -2017-06-26 Konstantin Tokarev - - Unreviewed, add missing header icncludes - - * parser/Lexer.h: - -2017-06-25 Konstantin Tokarev - - Remove excessive headers from JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=173812 - - Reviewed by Darin Adler. - - * API/APIUtils.h: - * assembler/LinkBuffer.cpp: - * assembler/MacroAssemblerCodeRef.cpp: - * b3/air/AirLiveness.h: - * b3/air/AirLowerAfterRegAlloc.cpp: - * bindings/ScriptValue.cpp: - * bindings/ScriptValue.h: - * bytecode/AccessCase.cpp: - * bytecode/AccessCase.h: - * bytecode/ArrayProfile.h: - * bytecode/BytecodeDumper.h: - * bytecode/BytecodeIntrinsicRegistry.cpp: - * bytecode/BytecodeKills.h: - * bytecode/BytecodeLivenessAnalysis.h: - * bytecode/BytecodeUseDef.h: - * bytecode/CallLinkStatus.h: - * bytecode/CodeBlock.h: - * bytecode/CodeOrigin.h: - * bytecode/ComplexGetStatus.h: - * bytecode/GetByIdStatus.h: - * bytecode/GetByIdVariant.h: - * bytecode/InlineCallFrame.h: - * bytecode/InlineCallFrameSet.h: - * bytecode/Instruction.h: - * bytecode/InternalFunctionAllocationProfile.h: - * bytecode/JumpTable.h: - * bytecode/MethodOfGettingAValueProfile.h: - * bytecode/ObjectPropertyConditionSet.h: - * bytecode/Operands.h: - * bytecode/PolymorphicAccess.h: - * bytecode/PutByIdStatus.h: - * bytecode/SpeculatedType.cpp: - * bytecode/StructureSet.h: - * bytecode/StructureStubInfo.h: - * bytecode/UnlinkedCodeBlock.h: - * bytecode/UnlinkedFunctionExecutable.h: - * bytecode/ValueProfile.h: - * bytecompiler/BytecodeGenerator.cpp: - * bytecompiler/BytecodeGenerator.h: - * bytecompiler/Label.h: - * 
bytecompiler/StaticPropertyAnalysis.h: - * debugger/DebuggerCallFrame.cpp: - * dfg/DFGAbstractInterpreter.h: - * dfg/DFGAdjacencyList.h: - * dfg/DFGArgumentsUtilities.h: - * dfg/DFGArrayMode.h: - * dfg/DFGArrayifySlowPathGenerator.h: - * dfg/DFGBackwardsPropagationPhase.h: - * dfg/DFGBasicBlock.h: - * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: - * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: - * dfg/DFGCapabilities.h: - * dfg/DFGCommon.h: - * dfg/DFGCommonData.h: - * dfg/DFGDesiredIdentifiers.h: - * dfg/DFGDesiredWatchpoints.h: - * dfg/DFGDisassembler.cpp: - * dfg/DFGDominators.h: - * dfg/DFGDriver.cpp: - * dfg/DFGDriver.h: - * dfg/DFGEdgeDominates.h: - * dfg/DFGFinalizer.h: - * dfg/DFGGenerationInfo.h: - * dfg/DFGJITCompiler.cpp: - * dfg/DFGJITCompiler.h: - * dfg/DFGJITFinalizer.h: - * dfg/DFGLivenessAnalysisPhase.h: - * dfg/DFGMinifiedNode.h: - * dfg/DFGMultiGetByOffsetData.h: - * dfg/DFGNaturalLoops.cpp: - * dfg/DFGNaturalLoops.h: - * dfg/DFGNode.h: - * dfg/DFGOSRAvailabilityAnalysisPhase.h: - * dfg/DFGOSRExit.h: - * dfg/DFGOSRExitCompilationInfo.h: - * dfg/DFGOSRExitCompiler.cpp: - * dfg/DFGOSRExitCompiler.h: - * dfg/DFGOSRExitJumpPlaceholder.h: - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGPlan.h: - * dfg/DFGPreciseLocalClobberize.h: - * dfg/DFGPromotedHeapLocation.h: - * dfg/DFGRegisteredStructure.h: - * dfg/DFGRegisteredStructureSet.h: - * dfg/DFGSaneStringGetByValSlowPathGenerator.h: - * dfg/DFGSlowPathGenerator.h: - * dfg/DFGSnippetParams.h: - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGToFTLDeferredCompilationCallback.h: - * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: - * dfg/DFGValidate.h: - * dfg/DFGValueSource.h: - * dfg/DFGVariableEvent.h: - * dfg/DFGVariableEventStream.h: - * dfg/DFGWorklist.h: - * domjit/DOMJITCallDOMGetterSnippet.h: - * domjit/DOMJITEffect.h: - * ftl/FTLLink.cpp: - * ftl/FTLLowerDFGToB3.cpp: - * ftl/FTLPatchpointExceptionHandle.h: - * heap/AllocatorAttributes.h: - * heap/CodeBlockSet.h: - * 
heap/DeferGC.h: - * heap/GCSegmentedArray.h: - * heap/Heap.cpp: - * heap/Heap.h: - * heap/IncrementalSweeper.h: - * heap/ListableHandler.h: - * heap/MachineStackMarker.h: - * heap/MarkedAllocator.h: - * heap/MarkedBlock.cpp: - * heap/MarkedBlock.h: - * heap/MarkingConstraint.h: - * heap/SlotVisitor.cpp: - * heap/SlotVisitor.h: - * inspector/ConsoleMessage.cpp: - * inspector/ConsoleMessage.h: - * inspector/InjectedScript.h: - * inspector/InjectedScriptHost.h: - * inspector/InjectedScriptManager.cpp: - * inspector/JSGlobalObjectInspectorController.cpp: - * inspector/JavaScriptCallFrame.h: - * inspector/ScriptCallStack.h: - * inspector/ScriptCallStackFactory.cpp: - * inspector/ScriptDebugServer.h: - * inspector/agents/InspectorConsoleAgent.h: - * inspector/agents/InspectorDebuggerAgent.cpp: - * inspector/agents/InspectorDebuggerAgent.h: - * inspector/agents/InspectorHeapAgent.cpp: - * inspector/agents/InspectorHeapAgent.h: - * inspector/agents/InspectorRuntimeAgent.h: - * inspector/agents/InspectorScriptProfilerAgent.cpp: - * inspector/agents/InspectorScriptProfilerAgent.h: - * inspector/agents/JSGlobalObjectConsoleAgent.h: - * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: - * inspector/agents/JSGlobalObjectDebuggerAgent.h: - * inspector/agents/JSGlobalObjectRuntimeAgent.h: - * inspector/augmentable/AlternateDispatchableAgent.h: - * interpreter/CLoopStack.h: - * interpreter/CachedCall.h: - * interpreter/CallFrame.h: - * interpreter/Interpreter.cpp: - * interpreter/Interpreter.h: - * jit/AssemblyHelpers.cpp: - * jit/AssemblyHelpers.h: - * jit/CCallHelpers.h: - * jit/CallFrameShuffler.h: - * jit/ExecutableAllocator.h: - * jit/GCAwareJITStubRoutine.h: - * jit/HostCallReturnValue.h: - * jit/ICStats.h: - * jit/JIT.cpp: - * jit/JIT.h: - * jit/JITAddGenerator.h: - * jit/JITCall32_64.cpp: - * jit/JITCode.h: - * jit/JITDisassembler.cpp: - * jit/JITExceptions.cpp: - * jit/JITMathIC.h: - * jit/JITOpcodes.cpp: - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * 
jit/JITThunks.cpp: - * jit/JITThunks.h: - * jit/JSInterfaceJIT.h: - * jit/PCToCodeOriginMap.h: - * jit/PolymorphicCallStubRoutine.h: - * jit/RegisterSet.h: - * jit/Repatch.h: - * jit/SetupVarargsFrame.h: - * jit/Snippet.h: - * jit/SnippetParams.h: - * jit/ThunkGenerators.h: - * jsc.cpp: - * llint/LLIntCLoop.h: - * llint/LLIntEntrypoint.h: - * llint/LLIntExceptions.h: - * llint/LLIntOfflineAsmConfig.h: - * llint/LLIntSlowPaths.cpp: - * parser/NodeConstructors.h: - * parser/Nodes.cpp: - * parser/Nodes.h: - * parser/Parser.cpp: - * parser/Parser.h: - * parser/ParserTokens.h: - * parser/SourceProviderCacheItem.h: - * profiler/ProfilerBytecodeSequence.h: - * profiler/ProfilerDatabase.cpp: - * profiler/ProfilerDatabase.h: - * profiler/ProfilerOrigin.h: - * profiler/ProfilerOriginStack.h: - * profiler/ProfilerProfiledBytecodes.h: - * profiler/ProfilerUID.h: - * runtime/AbstractModuleRecord.h: - * runtime/ArrayConstructor.h: - * runtime/ArrayConventions.h: - * runtime/ArrayIteratorPrototype.h: - * runtime/ArrayPrototype.h: - * runtime/BasicBlockLocation.h: - * runtime/Butterfly.h: - * runtime/CallData.cpp: - * runtime/CodeCache.h: - * runtime/CommonSlowPaths.cpp: - * runtime/CommonSlowPaths.h: - * runtime/CommonSlowPathsExceptions.cpp: - * runtime/Completion.cpp: - * runtime/ControlFlowProfiler.h: - * runtime/DateInstanceCache.h: - * runtime/ErrorConstructor.h: - * runtime/ErrorInstance.h: - * runtime/ExceptionHelpers.cpp: - * runtime/ExceptionHelpers.h: - * runtime/ExecutableBase.h: - * runtime/FunctionExecutable.h: - * runtime/HasOwnPropertyCache.h: - * runtime/Identifier.h: - * runtime/InternalFunction.h: - * runtime/IntlCollator.cpp: - * runtime/IntlCollatorPrototype.h: - * runtime/IntlDateTimeFormatPrototype.h: - * runtime/IntlNumberFormat.cpp: - * runtime/IntlNumberFormatPrototype.h: - * runtime/IteratorOperations.cpp: - * runtime/JSArray.h: - * runtime/JSArrayBufferPrototype.h: - * runtime/JSCJSValue.h: - * runtime/JSCJSValueInlines.h: - * runtime/JSCell.h: - * 
runtime/JSFunction.cpp: - * runtime/JSFunction.h: - * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: - * runtime/JSGlobalObject.cpp: - * runtime/JSGlobalObject.h: - * runtime/JSGlobalObjectDebuggable.cpp: - * runtime/JSGlobalObjectDebuggable.h: - * runtime/JSGlobalObjectFunctions.cpp: - * runtime/JSGlobalObjectFunctions.h: - * runtime/JSJob.cpp: - * runtime/JSLock.h: - * runtime/JSModuleLoader.cpp: - * runtime/JSModuleNamespaceObject.h: - * runtime/JSModuleRecord.h: - * runtime/JSObject.cpp: - * runtime/JSObject.h: - * runtime/JSRunLoopTimer.h: - * runtime/JSTemplateRegistryKey.h: - * runtime/JSTypedArrayPrototypes.cpp: - * runtime/JSTypedArrayPrototypes.h: - * runtime/JSTypedArrays.h: - * runtime/LiteralParser.h: - * runtime/MatchResult.h: - * runtime/MemoryStatistics.h: - * runtime/PrivateName.h: - * runtime/PromiseDeferredTimer.h: - * runtime/ProxyObject.h: - * runtime/RegExp.h: - * runtime/SamplingProfiler.cpp: - * runtime/SmallStrings.h: - * runtime/StringPrototype.cpp: - * runtime/StringRecursionChecker.h: - * runtime/Structure.h: - * runtime/SymbolConstructor.h: - * runtime/SymbolPrototype.cpp: - * runtime/SymbolPrototype.h: - * runtime/TypeProfiler.h: - * runtime/TypeProfilerLog.h: - * runtime/TypedArrayType.h: - * runtime/VM.cpp: - * runtime/VM.h: - * runtime/VMEntryScope.h: - * runtime/WeakMapData.h: - * runtime/WriteBarrier.h: - * tools/FunctionOverrides.cpp: - * tools/FunctionOverrides.h: - * wasm/WasmBinding.cpp: - * wasm/js/JSWebAssemblyCodeBlock.h: - * wasm/js/WebAssemblyPrototype.cpp: - * yarr/Yarr.h: - * yarr/YarrJIT.cpp: - * yarr/YarrJIT.h: - * yarr/YarrParser.h: - -2017-06-24 Yusuke Suzuki - - [JSC] Clean up Object.entries implementation - https://bugs.webkit.org/show_bug.cgi?id=173759 - - Reviewed by Sam Weinig. - - This patch cleans up Object.entries implementation. - We drop unused private functions. And we merge the - implementation into Object.entries. - - It slightly speeds up Object.entries speed. 
- - baseline patched - - object-entries 148.0101+-5.6627 142.1877+-4.8661 might be 1.0409x faster - - - * builtins/BuiltinNames.h: - * builtins/ObjectConstructor.js: - (entries): - (globalPrivate.enumerableOwnProperties): Deleted. - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - * runtime/ObjectConstructor.cpp: - (JSC::ownEnumerablePropertyKeys): Deleted. - * runtime/ObjectConstructor.h: - -2017-06-24 Joseph Pecoraro - - Remove Reflect.enumerate - https://bugs.webkit.org/show_bug.cgi?id=173806 - - Reviewed by Yusuke Suzuki. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * inspector/JSInjectedScriptHost.cpp: - (Inspector::JSInjectedScriptHost::subtype): - (Inspector::JSInjectedScriptHost::getInternalProperties): - (Inspector::JSInjectedScriptHost::iteratorEntries): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::visitChildren): - * runtime/JSPropertyNameIterator.cpp: Removed. - * runtime/JSPropertyNameIterator.h: Removed. - * runtime/ReflectObject.cpp: - (JSC::reflectObjectEnumerate): Deleted. - -2017-06-23 Keith Miller - - Switch VMTraps to use halt instructions rather than breakpoint instructions - https://bugs.webkit.org/show_bug.cgi?id=173677 - - - Reviewed by JF Bastien. - - Using the breakpoint instruction for VMTraps caused issues with lldb. - Since we only need some way to stop execution we can, in theory, use - any exceptioning instruction we want. I went with the halt instruction - on X86 since that is the only one byte instruction that does not - breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT). - On ARM we use the data cache clearing instruction with the zero register, - which triggers a segmentation fault. - - Also, update the platform code to only use signaling VMTraps - on where we have an appropriate instruction (x86 and ARM64). 
- - * API/tests/ExecutionTimeLimitTest.cpp: - (testExecutionTimeLimit): - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::replaceWithVMHalt): - (JSC::ARM64Assembler::dataCacheZeroVirtualAddress): - (JSC::ARM64Assembler::replaceWithBkpt): Deleted. - * assembler/ARMAssembler.h: - (JSC::ARMAssembler::replaceWithBkpt): Deleted. - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::replaceWithBkpt): Deleted. - * assembler/MIPSAssembler.h: - (JSC::MIPSAssembler::replaceWithBkpt): Deleted. - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted. - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::replaceWithVMHalt): - (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted. - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::storeFence): - (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted. - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted. - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::replaceWithVMHalt): - (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted. - * assembler/X86Assembler.h: - (JSC::X86Assembler::replaceWithHlt): - (JSC::X86Assembler::replaceWithInt3): Deleted. - * dfg/DFGJumpReplacement.cpp: - (JSC::DFG::JumpReplacement::installVMTrapBreakpoint): - * runtime/VMTraps.cpp: - (JSC::SignalContext::SignalContext): - (JSC::installSignalHandler): - (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted. - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::enableFastMemory): - -2017-06-22 Saam Barati - - The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation - https://bugs.webkit.org/show_bug.cgi?id=173743 - - - Reviewed by Mark Lam. - - The code always manually speculates, however, we weren't specifying - ManualOperandSpeculation when creating a JSValueOperand. 
This would - fire an assertion in JSValueOperand construction for a node like: - Identity(String:@otherNode) - - I spent about 45 minutes trying to craft a test and came up - empty. However, this fixes a debug assertion on an internal - Apple website. - - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - -2017-06-22 Saam Barati - - ValueRep(DoubleRep(@v)) can not simply convert to @v - https://bugs.webkit.org/show_bug.cgi?id=173687 - - - Reviewed by Mark Lam. - - Consider this IR: - block#x - p: Phi() // int32 and double flows into this phi from various control flow - d: DoubleRep(@p) - some uses of @d here - v: ValueRep(DoubleRepUse:@d) - a: NewArrayWithSize(Int32:@v) - some more nodes here ... - - Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32, - AI proves that the Int32 check will fail. Constant folding phase removes - all nodes after @a and inserts an Unreachable after the NewArrayWithSize node. - - The IR then looks like this: - block#x - p: Phi() // int32 and double flows into this phi from various control flow - d: DoubleRep(@p) - some uses of @d here - v: ValueRep(DoubleRepUse:@d) - a: NewArrayWithSize(Int32:@v) - Unreachable - - However, there was a strength reduction rule that tries eliminate redundant - conversions. It used to convert the program to: - block#x - p: Phi() // int32 and double flows into this phi from various control flow - d: DoubleRep(@p) - some uses of @d here - a: NewArrayWithSize(Int32:@p) - Unreachable - - However, at runtime, @p will actually be an Int32, so @a will not OSR exit, - and we'll crash. This patch removes this strength reduction rule since it - does not maintain what would have happened if we executed the program before - the rule. 
- - This rule is also wrong for other types of programs (I'm not sure we'd - actually emit this code, but if such IR were generated, we would previously - optimize it incorrectly): - @a: Constant(JSTrue) - @b: DoubleRep(@a) - @c: ValueRep(@b) - @d: use(@c) - - However, the strength reduction rule would've transformed this into: - @a: Constant(JSTrue) - @d: use(@a) - - And this would be wrong because node @c before the transformation would - have produced the JSValue jsNumber(1.0). - - This patch was neutral in the benchmark run I did. - - * dfg/DFGStrengthReductionPhase.cpp: - (JSC::DFG::StrengthReductionPhase::handleNode): - -2017-06-22 JF Bastien - - ARM64: doubled executable memory limit from 32MiB to 64MiB - https://bugs.webkit.org/show_bug.cgi?id=173734 - - - Reviewed by Oliver Hunt. - - Some WebAssembly programs stress the amount of memory we have - available, especially when we consider tiering (BBQ never dies, - and is bigger that OMG). Tiering to OMG just piles on more memory, - and we're also competing with JavaScript. - - * jit/ExecutableAllocator.h: - -2017-06-22 Joseph Pecoraro - - Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews - https://bugs.webkit.org/show_bug.cgi?id=173698 - - Reviewed by Matt Baker. - - When pausing in a deep call stack the majority of the time spent in JavaScriptCore - when preparing Inspector pause information is spent generating object previews for - the `thisObject` of each of the call frames. In some cases, this could be more - than 95% of the time generating pause information. In the common case, only one of - these (the top frame) will ever be seen by users. This change avoids eagerly - generating object previews up front and let the frontend request previews if they - are needed. - - This introduces the `Runtime.getPreview` protocol command. This can be used to: - - - Get a preview for a RemoteObject that did not have a preview but could. 
- - Update a preview for a RemoteObject that had a preview. - - This patch only uses it for the first case, but the second is valid and may be - something we want to do in the future. - - * inspector/protocol/Runtime.json: - A new command to get an up to date preview for an object. - - * inspector/InjectedScript.h: - * inspector/InjectedScript.cpp: - (Inspector::InjectedScript::getPreview): - * inspector/agents/InspectorRuntimeAgent.cpp: - (Inspector::InspectorRuntimeAgent::getPreview): - * inspector/agents/InspectorRuntimeAgent.h: - Plumbing for the new command. - - * inspector/InjectedScriptSource.js: - (InjectedScript.prototype.getPreview): - Implementation just uses the existing helper. - - (InjectedScript.CallFrameProxy): - Do not generate a preview for the this object as it may not be shown. - Let the frontend request a preview if it wants or needs one. - -2017-06-22 Joseph Pecoraro - - Web Inspector: Remove stale "rawScopes" concept that was never available in JSC - https://bugs.webkit.org/show_bug.cgi?id=173686 - - Reviewed by Mark Lam. - - * inspector/InjectedScript.cpp: - (Inspector::InjectedScript::functionDetails): - * inspector/InjectedScriptSource.js: - (InjectedScript.prototype.functionDetails): - * inspector/JSInjectedScriptHost.cpp: - (Inspector::JSInjectedScriptHost::functionDetails): - -2017-06-22 Yusuke Suzuki - - [JSC] Object.values should be implemented in C++ - https://bugs.webkit.org/show_bug.cgi?id=173703 - - Reviewed by Sam Weinig. - - As the same to Object.assign, Object.values() is also inherently polymorphic. - And allocating JSString / Symbol for Identifier and JSArray for Object.keys() - result is costly. - - In this patch, we implement Object.values() in C++. It can avoid above allocations. - Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip - non-observable JSObject::get() calls. - - This improves performance by 2.49x. 
And also now Object.values() beats - Object.keys(object).map(key => object[key]) implementation. - - baseline patched - - object-values 132.1551+-3.7209 ^ 53.1254+-1.6139 ^ definitely 2.4876x faster - object-keys-map-values 78.2008+-2.1378 ? 78.9078+-2.2121 ? - - * builtins/ObjectConstructor.js: - (values): Deleted. - * runtime/ObjectConstructor.cpp: - (JSC::objectConstructorValues): - -2017-06-21 Saam Barati - - ArrayPrototype.map builtin declares a var it does not use - https://bugs.webkit.org/show_bug.cgi?id=173685 - - Reviewed by Keith Miller. - - * builtins/ArrayPrototype.js: - (map): - -2017-06-21 Saam Barati - - eval virtual call is incorrect in the baseline JIT - https://bugs.webkit.org/show_bug.cgi?id=173587 - - - Reviewed by Michael Saboff. - - When making a virtual call for call_eval, e.g, when the thing - we're calling isn't actually eval, we end up calling the caller - instead of the callee. This is clearly wrong. The code ends up - issuing a load for the Callee in the callers frame instead of - the callee we're calling. The fix is simple, we just need to - load the real callee. Only the 32-bit baseline JIT had this bug. - - * jit/JITCall32_64.cpp: - (JSC::JIT::compileCallEvalSlowCase): - -2017-06-21 Joseph Pecoraro - - Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector - https://bugs.webkit.org/show_bug.cgi?id=172432 - - - Reviewed by Saam Barati. - - Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang. - We will proceed to improve debugging of these cases in the follow-up bugs. - - * debugger/Debugger.cpp: - (JSC::Debugger::exception): - Ignore pausing on these errors. 
- - * runtime/ErrorInstance.h: - (JSC::ErrorInstance::setStackOverflowError): - (JSC::ErrorInstance::isStackOverflowError): - (JSC::ErrorInstance::setOutOfMemoryError): - (JSC::ErrorInstance::isOutOfMemoryError): - * runtime/ExceptionHelpers.cpp: - (JSC::createStackOverflowError): - * runtime/Error.cpp: - (JSC::createOutOfMemoryError): - Mark these kinds of errors. - -2017-06-21 Saam Barati - - Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter - https://bugs.webkit.org/show_bug.cgi?id=173609 - - Reviewed by Keith Miller. - - This patch makes many of the IC generating functions require a locker as - a parameter. We do this in other places in JSC to indicate that - a particular API is only valid while a particular lock is held. - This is the case when generating ICs. This patch just makes it - explicit in the IC generating interface. - - * bytecode/PolymorphicAccess.cpp: - (JSC::PolymorphicAccess::addCases): - (JSC::PolymorphicAccess::addCase): - (JSC::PolymorphicAccess::commit): - (JSC::PolymorphicAccess::regenerate): - * bytecode/PolymorphicAccess.h: - * bytecode/StructureStubInfo.cpp: - (JSC::StructureStubInfo::addAccessCase): - (JSC::StructureStubInfo::initStub): Deleted. - * bytecode/StructureStubInfo.h: - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - (JSC::repatchGetByID): - (JSC::tryCachePutByID): - (JSC::repatchPutByID): - (JSC::tryRepatchIn): - (JSC::repatchIn): - -2017-06-20 Myles C. Maxfield - - Disable font variations on macOS Sierra and iOS 10 - https://bugs.webkit.org/show_bug.cgi?id=173618 - - - Reviewed by Jon Lee. - - * Configurations/FeatureDefines.xcconfig: - -2017-06-20 Keith Miller - - Fix leak of ModuleInformations in BBQPlan constructors. - https://bugs.webkit.org/show_bug.cgi?id=173577 - - Reviewed by Saam Barati. - - This patch fixes a leak in the BBQPlan constructiors. Previously, - the plans were calling makeRef on the newly constructed objects. 
- This patch fixes the issue and uses adoptRef instead. Additionally, - an old, incorrect, attempt to fix the leak is removed. - - * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: - (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): - * jit/JITWorklist.cpp: - (JSC::JITWorklist::Thread::Thread): - * runtime/PromiseDeferredTimer.cpp: - (JSC::PromiseDeferredTimer::addPendingPromise): - * runtime/VM.cpp: - (JSC::VM::VM): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::BBQPlan): - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::Plan): - -2017-06-20 Devin Rousso - - Web Inspector: Send context attributes for tracked canvases - https://bugs.webkit.org/show_bug.cgi?id=173327 - - Reviewed by Joseph Pecoraro. - - * inspector/protocol/Canvas.json: - Add ContextAttributes object type that is optionally used for WebGL canvases. - -2017-06-20 Konstantin Tokarev - - Remove excessive include directives from WTF - https://bugs.webkit.org/show_bug.cgi?id=173553 - - Reviewed by Saam Barati. - - * profiler/ProfilerDatabase.cpp: Added missing include directive. - * runtime/SamplingProfiler.cpp: Ditto. - -2017-06-20 Oleksandr Skachkov - - Revert changes in bug#160417 about extending `null` not being a derived class - https://bugs.webkit.org/show_bug.cgi?id=169293 - - Reviewed by Saam Barati. - - Reverted changes in bug#160417 about extending `null` not being a derived class - according to changes in spec: - https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2 - - * builtins/BuiltinNames.h: - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::BytecodeGenerator): - (JSC::BytecodeGenerator::emitReturn): - * bytecompiler/NodesCodegen.cpp: - (JSC::ClassExprNode::emitBytecode): - -2017-06-20 Saam Barati - - repatchIn needs to lock the CodeBlock's lock - https://bugs.webkit.org/show_bug.cgi?id=173573 - - Reviewed by Yusuke Suzuki. 
- - CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's - lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating - an IC, we must hold the CodeBlock's to prevent the executing thread from racing - with the marking thread. repatchIn was not grabbing the lock. I haven't been - able to get it to crash, but this is needed for the same reasons that get and put IC - regeneration grab the lock. - - * jit/Repatch.cpp: - (JSC::repatchIn): - -2017-06-19 Devin Rousso - - Web Inspector: create canvas content view and details sidebar panel - https://bugs.webkit.org/show_bug.cgi?id=138941 - - - Reviewed by Joseph Pecoraro. - - * inspector/protocol/Canvas.json: - - Add an optional `nodeId` attribute to the `Canvas` type. - - Add `requestNode` command for getting the node id of the backing canvas element. - - Add `requestContent` command for getting the current image content of the canvas. - -2017-06-19 Yusuke Suzuki - - Unreviewed, build fix for ARM - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::internalCompare32): - -2017-06-13 Yusuke Suzuki - - [DFG] More ArrayIndexOf fixups for various types - https://bugs.webkit.org/show_bug.cgi?id=173176 - - Reviewed by Saam Barati. - - This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL. - - 1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array - never contains the given search value. - - 2. We support Symbol and Other specialization additionally. Especially, Other is - useful because null/undefined can be used as a sentinel value. - - One interesting thing is that Array.prototype.indexOf does not consider holes as - undefineds. Thus, - - var array = [,,,,,,,]; - array.indexOf(undefined); // => -1 - - This can be trivially achieved in JSC because Empty and Undefined are different values. 
- - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::fixupArrayIndexOf): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): - (JSC::DFG::SpeculativeJIT::speculateOther): - * dfg/DFGSpeculativeJIT.h: - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): - -2017-06-19 Caio Lima - - [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0 - https://bugs.webkit.org/show_bug.cgi?id=172972 - - Reviewed by Mark Lam. - - We are changing internalCompare32 implementation in ARM - MacroAssembler to emit "cmp" when the "right.value" is 0. - It is generating wrong comparison cases, since the - semantics of cmn is opposite of cmp[1]. One case that it's breaking is - "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", where ends - resulting in following assembly code: - - ``` - cmn $r0, #0 - bhi
- ``` - - However, as cmn is similar to "adds", it will never take the branch - when $r0 > 0. In that case, the correct opcode is "cmp". With this - patch we will fix current broken tests that uses - "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", - such as ForwardVarargs, Spread and GetRestLength. - - [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::internalCompare32): - -2017-06-19 Joseph Pecoraro - - test262: Completion values for control flow do not match the spec - https://bugs.webkit.org/show_bug.cgi?id=171265 - - Reviewed by Saam Barati. - - * bytecompiler/BytecodeGenerator.h: - (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue): - When we care about having proper completion values (global code - in programs, modules, and eval) insert undefined results for - control flow statements. - - * bytecompiler/NodesCodegen.cpp: - (JSC::SourceElements::emitBytecode): - Reduce writing a default `undefined` value to the completion result to - only once before the last statement we know will produce a value. - - (JSC::IfElseNode::emitBytecode): - (JSC::WithNode::emitBytecode): - (JSC::WhileNode::emitBytecode): - (JSC::ForNode::emitBytecode): - (JSC::ForInNode::emitBytecode): - (JSC::ForOfNode::emitBytecode): - (JSC::SwitchNode::emitBytecode): - Insert an undefined to handle cases where code may break out of an - if/else or with statement (break/continue). - - (JSC::TryNode::emitBytecode): - Same handling for break cases. Also, finally block statement completion - values are always ignored for the try statement result. - - (JSC::ClassDeclNode::emitBytecode): - Class declarations, like function declarations, produce an empty result. 
- - * parser/Nodes.cpp: - (JSC::SourceElements::lastStatement): - (JSC::SourceElements::hasCompletionValue): - (JSC::SourceElements::hasEarlyBreakOrContinue): - (JSC::BlockNode::lastStatement): - (JSC::BlockNode::singleStatement): - (JSC::BlockNode::hasCompletionValue): - (JSC::BlockNode::hasEarlyBreakOrContinue): - (JSC::ScopeNode::singleStatement): - (JSC::ScopeNode::hasCompletionValue): - (JSC::ScopeNode::hasEarlyBreakOrContinue): - The only non-trivial cases need to loop through their list of statements - to determine if this has a completion value or not. Likewise for - determining if there is an early break / continue, meaning a break or - continue statement with no preceding statement that has a completion value. - - * parser/Nodes.h: - (JSC::StatementNode::next): - (JSC::StatementNode::hasCompletionValue): - Helper to check if a statement nodes produces a completion value or not. - -2017-06-19 Adrian Perez de Castro - - Missing includes make builds fail with GCC 7.x - https://bugs.webkit.org/show_bug.cgi?id=173544 - - Unreviewed gardening. - - Fix compilation with GCC 7. - - * API/tests/CompareAndSwapTest.cpp: - * runtime/VMEntryScope.h: - -2017-06-17 Keith Miller - - ArrayBuffer constructor needs to create subclass structures before its buffer - https://bugs.webkit.org/show_bug.cgi?id=173510 - - Reviewed by Yusuke Suzuki. - - * runtime/JSArrayBufferConstructor.cpp: - (JSC::constructArrayBuffer): - -2017-06-17 Keith Miller - - ArrayPrototype methods should use JSValue::toLength for non-Arrays. - https://bugs.webkit.org/show_bug.cgi?id=173506 - - Reviewed by Ryosuke Niwa. - - This patch changes the result of unshift if old length + - unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also, - the getLength function, which was always incorrect to use, has - been removed. 
Additionally, some cases where we were using a - constant for (2 ** 53) - 1 have been replaced with - maxSafeInteger() - - * interpreter/Interpreter.cpp: - (JSC::sizeOfVarargs): - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncToLocaleString): - (JSC::arrayProtoFuncPop): - (JSC::arrayProtoFuncPush): - (JSC::arrayProtoFuncReverse): - (JSC::arrayProtoFuncShift): - (JSC::arrayProtoFuncSlice): - (JSC::arrayProtoFuncSplice): - (JSC::arrayProtoFuncUnShift): - (JSC::arrayProtoFuncIndexOf): - (JSC::arrayProtoFuncLastIndexOf): - * runtime/JSArrayInlines.h: - (JSC::getLength): Deleted. - * runtime/JSCJSValue.cpp: - (JSC::JSValue::toLength): - * runtime/NumberConstructor.cpp: - (JSC::numberConstructorFuncIsSafeInteger): - -2017-06-16 Matt Baker - - Web Inspector: Instrument 2D/WebGL canvas contexts in the backend - https://bugs.webkit.org/show_bug.cgi?id=172623 - - - Reviewed by Devin Rousso and Joseph Pecoraro. - - This patch adds a basic Canvas protocol. It includes Canvas and related - types and events for monitoring the lifetime of canvases in the page. - - * CMakeLists.txt: - * DerivedSources.make: - * inspector/protocol/Canvas.json: Added. - - * inspector/scripts/codegen/generator.py: - (Generator.stylized_name_for_enum_value): - Add special handling for Canvas.ContextType protocol enumeration, - so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`. - -2017-06-16 Wenson Hsieh - - [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit - https://bugs.webkit.org/show_bug.cgi?id=173366 - - - Reviewed by Tim Horton. - - Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig. - - * Configurations/FeatureDefines.xcconfig: - -2017-06-16 Yusuke Suzuki - - [JSC] Add fast path for Object.assign - https://bugs.webkit.org/show_bug.cgi?id=173416 - - Reviewed by Mark Lam. - - In Object.assign implementation, we need to ensure that given key is still enumerable own key. - This seems duplicate look up. 
And we want to avoid this. However, we still need to perform this - check in the face of Proxy. Proxy can observe that this check is done correctly. - - In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation. - In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`. - If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the - value by calling `slot.getValue()`. - - This further improves performance of Object.assign. - - baseline patched - - object-assign.es6 363.6706+-6.4381 ^ 324.1769+-6.9624 ^ definitely 1.1218x faster - - * runtime/ObjectConstructor.cpp: - (JSC::objectConstructorAssign): - -2017-06-16 Michael Saboff - - Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js - https://bugs.webkit.org/show_bug.cgi?id=173488 - - Reviewed by Filip Pizlo. - - ClonedArguments lazily sets its callee and interator properties and it used its own inline - code to initialize its butterfly. This means that these lazily set properties can have - bogus values in those slots. Instead, let's use the standard BUtterfly:tryCreate() method - to create the butterfly as it clears out of line properties. - - * runtime/ClonedArguments.cpp: - (JSC::ClonedArguments::createEmpty): - -2017-06-16 Mark Lam - - Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods. - https://bugs.webkit.org/show_bug.cgi?id=173491 - - Reviewed by Keith Miller. - - The implementation are based on static data. There's no need to get the - interpreter instance. Hence, we can make these methods static and avoid doing - unnecessary work to compute the interpreter this pointer. - - Also removed the unused isCallBytecode method. 
- - * bytecode/BytecodeBasicBlock.cpp: - (JSC::BytecodeBasicBlock::computeImpl): - * bytecode/BytecodeDumper.cpp: - (JSC::BytecodeDumper::printGetByIdOp): - (JSC::BytecodeDumper::printGetByIdCacheStatus): - (JSC::BytecodeDumper::dumpBytecode): - (JSC::BytecodeDumper::dumpBlock): - * bytecode/BytecodeLivenessAnalysis.cpp: - (JSC::BytecodeLivenessAnalysis::dumpResults): - * bytecode/BytecodeLivenessAnalysisInlines.h: - (JSC::BytecodeLivenessPropagation::stepOverInstruction): - * bytecode/BytecodeRewriter.cpp: - (JSC::BytecodeRewriter::adjustJumpTargetsInFragment): - * bytecode/CallLinkStatus.cpp: - (JSC::CallLinkStatus::computeFromLLInt): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finishCreation): - (JSC::CodeBlock::propagateTransitions): - (JSC::CodeBlock::finalizeLLIntInlineCaches): - (JSC::CodeBlock::hasOpDebugForLineAndColumn): - (JSC::CodeBlock::usesOpcode): - (JSC::CodeBlock::valueProfileForBytecodeOffset): - (JSC::CodeBlock::arithProfileForPC): - (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): - * bytecode/PreciseJumpTargets.cpp: - (JSC::getJumpTargetsForBytecodeOffset): - (JSC::computePreciseJumpTargetsInternal): - (JSC::findJumpTargetsForBytecodeOffset): - * bytecode/PreciseJumpTargetsInlines.h: - (JSC::extractStoredJumpTargetsForBytecodeOffset): - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::UnlinkedCodeBlock::applyModification): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCapabilities.cpp: - (JSC::DFG::capabilityLevel): - * interpreter/Interpreter.cpp: - (JSC::Interpreter::Interpreter): - (JSC::Interpreter::isOpcode): - (): Deleted. - * interpreter/Interpreter.h: - (JSC::Interpreter::getOpcode): Deleted. - (JSC::Interpreter::getOpcodeID): Deleted. - (JSC::Interpreter::isCallBytecode): Deleted. 
- * interpreter/InterpreterInlines.h: - (JSC::Interpreter::getOpcode): - (JSC::Interpreter::getOpcodeID): - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - (JSC::JIT::privateCompileSlowCases): - * jit/JITOpcodes.cpp: - (JSC::JIT::emitNewFuncCommon): - (JSC::JIT::emitNewFuncExprCommon): - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitSlow_op_put_by_val): - (JSC::JIT::privateCompilePutByVal): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emitSlow_op_put_by_val): - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::llint_trace_operand): - (JSC::LLInt::llint_trace_value): - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * profiler/ProfilerBytecodeSequence.cpp: - (JSC::Profiler::BytecodeSequence::BytecodeSequence): - -2017-06-16 Matt Lewis - - Unreviewed, rolling out r218376. - - The patch cause multiple Layout Test Crashes. - - Reverted changeset: - - "Web Inspector: Instrument 2D/WebGL canvas contexts in the - backend" - https://bugs.webkit.org/show_bug.cgi?id=172623 - http://trac.webkit.org/changeset/218376 - -2017-06-16 Konstantin Tokarev - - REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters - https://bugs.webkit.org/show_bug.cgi?id=173470 - - Reviewed by Joseph Pecoraro. - - ConsoleClient::printConsoleMessageWithArguments() incorrectly uses - const char* overload of StringBuilder::append() that assummes Latin1 - encoding, not UTF8. - - * runtime/ConsoleClient.cpp: - (JSC::ConsoleClient::printConsoleMessageWithArguments): - -2017-06-15 Mark Lam - - Add a JSRunLoopTimer registry in VM. - https://bugs.webkit.org/show_bug.cgi?id=173429 - - - Reviewed by Filip Pizlo. - - This way, we can be sure we've got every JSRunLoopTimer instance covered if we - need to change their run loop (e.g. when setting to the WebThread's run loop). - - * heap/Heap.cpp: - (JSC::Heap::Heap): - (JSC::Heap::setRunLoop): Deleted. - * heap/Heap.h: - (JSC::Heap::runLoop): Deleted. 
- * runtime/JSRunLoopTimer.cpp: - (JSC::JSRunLoopTimer::JSRunLoopTimer): - (JSC::JSRunLoopTimer::setRunLoop): - (JSC::JSRunLoopTimer::~JSRunLoopTimer): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::VM::registerRunLoopTimer): - (JSC::VM::unregisterRunLoopTimer): - (JSC::VM::setRunLoop): - * runtime/VM.h: - (JSC::VM::runLoop): - -2017-06-15 Joseph Pecoraro - - [Cocoa] Modernize some internal initializers to use instancetype instead of id - https://bugs.webkit.org/show_bug.cgi?id=173112 - - Reviewed by Wenson Hsieh. - - * API/JSContextInternal.h: - * API/JSWrapperMap.h: - * API/JSWrapperMap.mm: - (-[JSObjCClassInfo initForClass:]): - (-[JSWrapperMap initWithGlobalContextRef:]): - -2017-06-15 Matt Baker - - Web Inspector: Instrument 2D/WebGL canvas contexts in the backend - https://bugs.webkit.org/show_bug.cgi?id=172623 - - - Reviewed by Devin Rousso. - - This patch adds a basic Canvas protocol. It includes Canvas and related - types and events for monitoring the lifetime of canvases in the page. - - * CMakeLists.txt: - * DerivedSources.make: - * inspector/protocol/Canvas.json: Added. - - * inspector/scripts/codegen/generator.py: - (Generator.stylized_name_for_enum_value): - Add special handling for Canvas.ContextType protocol enumeration, - so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`. - -2017-06-15 Keith Miller - - Add logging to MachineStackMarker to try to diagnose crashes in the wild - https://bugs.webkit.org/show_bug.cgi?id=173427 - - Reviewed by Mark Lam. - - This patch adds some logging to the MachineStackMarker constructor - to help figure out where we are seeing crashes. Since macOS does - not support os_log_info my hope is that if we set all the callee - save registers before making any calls in the C++ code we can - figure out which calls is the source of the crash. We also, set - all the caller save registers before returning in case some - weirdness is happening in the Heap constructor. 
- - This logging should not matter from a performance perspective. We - only create MachineStackMarkers when we are creating a new VM, - which is already expensive. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::MachineThreads): - -2017-06-15 Yusuke Suzuki - - [JSC] Implement Object.assign in C++ - https://bugs.webkit.org/show_bug.cgi?id=173414 - - Reviewed by Saam Barati. - - Implementing Object.assign in JS is not so good compared to C++ version because, - - 1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key. - But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells are wasteful. - - 2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic. - So JS's type profile doesn't help well. - - 3. We have a chance to introduce various fast path for Object.assign in C++. - - This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1]. - - We can see 1.65x improvement in SixSpeed object-assign.es6. - - baseline patched - - object-assign.es6 643.3253+-8.0521 ^ 389.1075+-8.8840 ^ definitely 1.6533x faster - - [1]: https://bugs.webkit.org/show_bug.cgi?id=173416 - - * builtins/ObjectConstructor.js: - (entries): - (assign): Deleted. - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::putInline): - * runtime/JSCell.h: - * runtime/JSCellInlines.h: - (JSC::JSCell::putInline): - * runtime/JSObject.cpp: - (JSC::JSObject::put): - * runtime/JSObject.h: - * runtime/JSObjectInlines.h: - (JSC::JSObject::putInlineForJSObject): - (JSC::JSObject::putInline): Deleted. - * runtime/ObjectConstructor.cpp: - (JSC::objectConstructorAssign): - -2017-06-14 Dan Bernstein - - [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript - https://bugs.webkit.org/show_bug.cgi?id=168578 - - Reviewed by Geoff Garen. 
- - * API/JSWrapperMap.mm: - (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol. - (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto. - (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if - it defines conformance to a JSExport-derived protocol and if so, avoid using the - superclass as a substitute as we’d normally do. - - * API/ObjcRuntimeExtras.h: - (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers - bail out. - - * API/tests/JSExportTests.mm: - (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this. - (runJSExportTests): Run new test. - -2017-06-14 Yusuke Suzuki - - Unreviewed, suppress invalid register alloation validation assertion in 32 bit part 2 - https://bugs.webkit.org/show_bug.cgi?id=172421 - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): - -2017-06-14 Claudio Saavedra - - REGRESSION: 15 new jsc failures in WPE and GTK+ - https://bugs.webkit.org/show_bug.cgi?id=173349 - - Reviewed by JF Bastien. - - Recent changes to generateWasm.py are not accounted for from - CMake, which leads to WasmOps.h not being regenerated in partial - builds. Make generateWasm.py an additional dependency. - * CMakeLists.txt: - -2017-06-13 Joseph Pecoraro - - Debugger has unexpected effect on program correctness - https://bugs.webkit.org/show_bug.cgi?id=172683 - - Reviewed by Saam Barati. - - * inspector/InjectedScriptSource.js: - (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): - (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal): - (BasicCommandLineAPI): - Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable. - We still use it for Set / Map iteration which we can eliminate when moving to builtins. 
- -2017-06-13 JF Bastien - - WebAssembly: fix erroneous signature comment - https://bugs.webkit.org/show_bug.cgi?id=173334 - - Reviewed by Keith Miller. - - * wasm/WasmSignature.h: - -2017-06-13 Michael Saboff - - Refactor AbsenceOfSetter to AbsenceOfSetEffects - https://bugs.webkit.org/show_bug.cgi?id=173322 - - Reviewed by Filip Pizlo. - - * bytecode/ObjectPropertyCondition.h: - (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier): - (JSC::ObjectPropertyCondition::absenceOfSetEffect): - (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted. - (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted. - * bytecode/ObjectPropertyConditionSet.cpp: - (JSC::generateConditionsForPropertySetterMiss): - (JSC::generateConditionsForPropertySetterMissConcurrently): - * bytecode/PropertyCondition.cpp: - (JSC::PropertyCondition::dumpInContext): - (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint): - (JSC::PropertyCondition::isStillValid): - (WTF::printInternal): - * bytecode/PropertyCondition.h: - (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier): - (JSC::PropertyCondition::absenceOfSetEffect): - (JSC::PropertyCondition::hasPrototype): - (JSC::PropertyCondition::hash): - (JSC::PropertyCondition::operator==): - (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted. - (JSC::PropertyCondition::absenceOfSetter): Deleted. - -2017-06-13 JF Bastien - - WebAssembly: import updated spec tests - https://bugs.webkit.org/show_bug.cgi?id=173287 - - - Reviewed by Saam Barati. - - Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b, - with a few modifications so things work. - - Fix a bunch of bugs found through this process, and punt a few tests (which I - marked as blocked by this bug). - - Fixes: - - Fix load / store alignment: r216908 erroneously implemented it as bit alignment - instead of byte alignment. It was also missing memory-alignment.js despite it - being in the ChangeLog, so add it too. 
This allows spec-test/align.wast.js to - pass. - - Tables can be imported or in a section. There can be only one, but sections can - be empty. An Elements section can exist if there's no Table, as long as it is - also empty. - - Memories can be imported or in a section. There can be only one, but sections - can be empty. A Data section can exist if there's no Memory, as long as it is - also empty. - - Prototypes: stringify without .prototype. in the string. - - WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter, - not a final size, and throws a RangeError on failure, not a TypeError. - - Fix compile / instantiate so the reject the promise if given an argument of the - wrong type (instead of failing instantly). - - Fix async on neuter test. - - Element section shouldn't affect any Table if any of the elements are out of - bounds. We need to process it in two passes. - - Segment section shouldn't affect any Data if any of the segments are out of - bounds. We need to process it in two passes. - - Empty data segments are valid, but only when there is no memory. Their index - still gets validated, and has to be zero. - - Punts: - - Error messages with context, the test seems overly restrictive but this is - minor. - - compile/instantiate/validate property descriptors. - - UTF-8 bugs. - - Temporarily disable NaN tests. We need to go back and implement the following - semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as - much as getting all the other tests passing. - - Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as - no_fold_promote_demote (an interesting corner case which we get wrong). mul by - one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const - 0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN - to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\" - (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. 
I'm not sure - why they're not allowed. - - * wasm/WasmB3IRGenerator.cpp: - * wasm/WasmFunctionParser.h: - * wasm/WasmModuleParser.cpp: - * wasm/WasmModuleParser.h: - * wasm/WasmParser.h: - (JSC::Wasm::Parser::consumeUTF8String): - * wasm/generateWasm.py: - (memoryLog2Alignment): - * wasm/js/JSWebAssemblyTable.cpp: - (JSC::JSWebAssemblyTable::grow): - * wasm/js/JSWebAssemblyTable.h: - * wasm/js/WebAssemblyCompileErrorPrototype.cpp: - * wasm/js/WebAssemblyInstancePrototype.cpp: - * wasm/js/WebAssemblyLinkErrorPrototype.cpp: - * wasm/js/WebAssemblyMemoryPrototype.cpp: - * wasm/js/WebAssemblyModulePrototype.cpp: - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::evaluate): - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::webAssemblyCompileFunc): - (JSC::resolve): - (JSC::instantiate): - (JSC::compileAndInstantiate): - (JSC::webAssemblyInstantiateFunc): - * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: - * wasm/js/WebAssemblyTablePrototype.cpp: - (JSC::webAssemblyTableProtoFuncGrow): - -2017-06-13 Michael Saboff - - DFG doesn't properly handle a property that is change to read only in a prototype - https://bugs.webkit.org/show_bug.cgi?id=173321 - - Reviewed by Filip Pizlo. - - We need to check for ReadOnly as well as a not being a Setter when checking - an AbsenceOfSetter. - - * bytecode/PropertyCondition.cpp: - (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint): - -2017-06-13 Daniel Bates - - Implement W3C Secure Contexts Draft Specification - https://bugs.webkit.org/show_bug.cgi?id=158121 - - - Reviewed by Brent Fulgham. - - Part 4 - - Adds isSecureContext to the list of common identifiers as needed to support - toggling its exposure from a runtime enabled feature flag. - - * runtime/CommonIdentifiers.h: - -2017-06-13 Don Olmstead - - [JSC] Remove redundant includes in config.h - https://bugs.webkit.org/show_bug.cgi?id=173294 - - Reviewed by Alex Christensen. 
- - * config.h: - -2017-06-12 Saam Barati - - We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms - https://bugs.webkit.org/show_bug.cgi?id=172957 - - - Reviewed by Filip Pizlo. - - Consider this program: - ``` - block#1: - n: GetClosureVar(..., |this|) // this will load empty JSValue() - SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell - Branch(#2, #3) - - Block#3: - x: GetLocal(locFoo) - y: CheckNotEmpty(@x) - ``` - - If we claim that a cell check filters out the empty value, we will - incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI, - FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim. - - On 64 bit platforms: - - Cell use kind *now allows* the empty value to pass through. - - CellOrOther use kind *now allows* for the empty value to pass through - - NotCell use kind *no longer allows* the empty value to pass through. - - * assembler/CPU.h: - (JSC::isARMv7IDIVSupported): - (JSC::isARM64): - (JSC::isX86): - (JSC::isX86_64): - (JSC::is64Bit): - (JSC::is32Bit): - (JSC::isMIPS): - Make these functions constexpr so we can use them in static variable assignment. 
- - * bytecode/SpeculatedType.h: - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - (JSC::DFG::SpeculativeJIT::compileDoubleRep): - (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther): - (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch): - (JSC::DFG::SpeculativeJIT::speculateCell): - (JSC::DFG::SpeculativeJIT::speculateCellOrOther): - (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): - (JSC::DFG::SpeculativeJIT::speculateString): - (JSC::DFG::SpeculativeJIT::speculateStringOrOther): - (JSC::DFG::SpeculativeJIT::speculateSymbol): - (JSC::DFG::SpeculativeJIT::speculateNotCell): - * dfg/DFGSpeculativeJIT32_64.cpp: - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): - (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): - (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep): - (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): - (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject): - (JSC::FTL::DFG::LowerDFGToB3::boolify): - (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined): - (JSC::FTL::DFG::LowerDFGToB3::lowCell): - (JSC::FTL::DFG::LowerDFGToB3::lowNotCell): - (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc): - (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc): - (JSC::FTL::DFG::LowerDFGToB3::isNotCell): - (JSC::FTL::DFG::LowerDFGToB3::isCell): - (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther): - (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther): - (JSC::FTL::DFG::LowerDFGToB3::speculateString): - (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther): - (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol): - -2017-06-12 Yusuke Suzuki - - Unreviewed, suppress invalid register alloation validation assertion in 
32 bit - https://bugs.webkit.org/show_bug.cgi?id=172421 - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): - -2017-06-12 Oleksandr Skachkov - - We incorrectly allow escaped characters in keyword tokens - https://bugs.webkit.org/show_bug.cgi?id=171310 - - Reviewed by Yusuke Suzuki. - - According spec it is not allow to use escaped characters in - keywords. https://tc39.github.io/ecma262/#sec-reserved-words - Current patch implements this requirements. - - - * parser/Lexer.cpp: - (JSC::Lexer::parseIdentifierSlowCase): - * parser/Parser.cpp: - (JSC::Parser::printUnexpectedTokenText): - * parser/ParserTokens.h: - -2017-06-12 Yusuke Suzuki - - Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64 - https://bugs.webkit.org/show_bug.cgi?id=172421 - - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::branch64): - (JSC::MacroAssemblerARM64::branchPtr): - -2017-06-12 Commit Queue - - Unreviewed, rolling out r218093. - https://bugs.webkit.org/show_bug.cgi?id=173259 - - Break builds (Requested by yusukesuzuki on #webkit). - - Reverted changeset: - - "Unreviewed, build fix for ARM64" - https://bugs.webkit.org/show_bug.cgi?id=172421 - http://trac.webkit.org/changeset/218093 - -2017-06-12 Yusuke Suzuki - - Unreviewed, build fix for ARM64 - https://bugs.webkit.org/show_bug.cgi?id=172421 - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): - -2017-06-09 Yusuke Suzuki - - [DFG] Add ArrayIndexOf intrinsic - https://bugs.webkit.org/show_bug.cgi?id=172421 - - Reviewed by Saam Barati. - - This patch introduces ArrayIndexOfInstrinsic for DFG and FTL optimizations. - We emit array check and go fast path if the array is Array::Int32, Array::Double - or Array::Continugous. In addition, for Array::Int32 and Array::Double case, - we have inlined fast paths. 
- - With updated ARES-6 Babylon, - - Before - firstIteration: 45.76 +- 3.87 ms - averageWorstCase: 24.41 +- 2.17 ms - steadyState: 8.01 +- 0.22 ms - After - firstIteration: 45.64 +- 4.23 ms - averageWorstCase: 23.03 +- 3.34 ms - steadyState: 7.33 +- 0.34 ms - - In SixSpeed. - baseline patched - - map-set-lookup.es5 734.4701+-10.4383 ^ 102.0968+-2.6357 ^ definitely 7.1939x faster - map-set.es5 41.1396+-1.0558 ^ 33.1916+-0.7986 ^ definitely 1.2395x faster - map-set-object.es5 62.8317+-1.2518 ^ 45.6944+-0.8369 ^ definitely 1.3750x faster - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsicCall): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGDoesGC.cpp: - (JSC::DFG::doesGC): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasArrayMode): - * dfg/DFGNodeType.h: - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGPredictionPropagationPhase.cpp: - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): - (JSC::DFG::SpeculativeJIT::speculateObject): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::speculateInt32): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): - * jit/JITOperations.h: - * runtime/ArrayPrototype.cpp: - (JSC::ArrayPrototype::finishCreation): - * runtime/Intrinsic.cpp: - (JSC::intrinsicName): - * runtime/Intrinsic.h: - -2017-06-11 Keith Miller - - TypedArray constructor with string shouldn't throw - https://bugs.webkit.org/show_bug.cgi?id=173181 - - 
Reviewed by JF Bastien. - - We should be coercing primitive arguments to numbers in the various - TypedArray constructors. - - * runtime/JSGenericTypedArrayViewConstructorInlines.h: - (JSC::constructGenericTypedArrayViewWithArguments): - -2017-06-11 Yusuke Suzuki - - [WTF] Make ThreadMessage portable - https://bugs.webkit.org/show_bug.cgi?id=172073 - - Reviewed by Keith Miller. - - * runtime/MachineContext.h: - (JSC::MachineContext::stackPointer): - * tools/CodeProfiling.cpp: - (JSC::profilingTimer): - -2017-06-11 Yusuke Suzuki - - [JSC] Shrink Structure size - https://bugs.webkit.org/show_bug.cgi?id=173239 - - Reviewed by Mark Lam. - - We find that the size of our Structure is slightly enlarged due to paddings. - By changing the order of members, we can reduce the size from 120 to 112. - This is good because 120 and 112 are categorized into different size classes. - For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes. - We now save 16 bytes per Structure for free. - - * runtime/ConcurrentJSLock.h: - * runtime/Structure.cpp: - (JSC::Structure::Structure): - * runtime/Structure.h: - -2017-06-11 Konstantin Tokarev - - Unreviewed, attempt to fix JSC tests on Win after r217771 - - * jsc.cpp: - (currentWorkingDirectory): buffer is not NULL-terminated - -2017-06-10 Yusuke Suzuki - - [WTF] Add RegisteredSymbolImpl - https://bugs.webkit.org/show_bug.cgi?id=173230 - - Reviewed by Mark Lam. - - * runtime/SymbolConstructor.cpp: - (JSC::symbolConstructorKeyFor): - -2017-06-10 Dan Bernstein - - Reverted r218056 because it made the IDE reindex constantly. - - * Configurations/DebugRelease.xcconfig: - -2017-06-10 Dan Bernstein - - [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE - https://bugs.webkit.org/show_bug.cgi?id=173223 - - Reviewed by Sam Weinig. - - The rebuilds were happening due to a difference in the compiler options that the IDE and - xcodebuild were specifying. 
Only the IDE was passing the -index-store-path option. To make - xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and - specify an appropriate path in CLANG_INDEX_STORE_PATH. - - * Configurations/DebugRelease.xcconfig: - -2017-06-10 Yusuke Suzuki - - [JSC] Update RegExp.prototype.[@@search]] implementation according to the latest spec - https://bugs.webkit.org/show_bug.cgi?id=173227 - - Reviewed by Mark Lam. - - The latest spec introduces slight change to RegExp.prototype.[@@search]. - This patch applies this change. Basically, this change is done in the slow path of - the RegExp.prototype[@@search]. - https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search - - * builtins/RegExpPrototype.js: - (search): - -2017-06-09 Chris Dumez - - Update Thread::create() to take in a WTF::Function instead of a std::function - https://bugs.webkit.org/show_bug.cgi?id=173175 - - Reviewed by Mark Lam. - - * API/tests/CompareAndSwapTest.cpp: - (testCompareAndSwap): - -2017-06-09 Yusuke Suzuki - - [DFG] Add verboseDFGOSRExit - https://bugs.webkit.org/show_bug.cgi?id=173156 - - Reviewed by Saam Barati. - - This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit. - - * dfg/DFGOSRExitCompiler.cpp: - * runtime/Options.h: - -2017-06-09 Guillaume Emont - - [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation - https://bugs.webkit.org/show_bug.cgi?id=173170 - - Reviewed by Yusuke Suzuki. - - MIPS does not build since r217711 because it is missing this - implementation. This patch fixes the build. - - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::xor32): - -2017-06-09 Yusuke Suzuki - - [JSC] FTL does not require dlfcn - https://bugs.webkit.org/show_bug.cgi?id=173143 - - Reviewed by Darin Adler. - - We no longer use LLVM library. Thus, dlfcn.h is not necessary. - Also, ProcessID is not used in FTLLowerDFGToB3.cpp. 
- - * ftl/FTLLowerDFGToB3.cpp: - -2017-06-09 Yusuke Suzuki - - [DFG] Add --verboseDFGFailure - https://bugs.webkit.org/show_bug.cgi?id=173155 - - Reviewed by Sam Weinig. - - Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly. - - * dfg/DFGCapabilities.cpp: - (JSC::DFG::verboseCapabilities): - (JSC::DFG::debugFail): - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - * runtime/Options.h: - -2017-06-09 Yusuke Suzuki - - [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY - https://bugs.webkit.org/show_bug.cgi?id=173147 - - Reviewed by JF Bastien. - - Because this value becomes -1 in non-Darwin environments. - Thus, we do not need to use OS(DARWIN) here. - - * wasm/WasmMemory.cpp: - -2017-06-09 Daewoong Jang - - Reduce compiler warnings - https://bugs.webkit.org/show_bug.cgi?id=172078 - - Reviewed by Yusuke Suzuki. - - * runtime/IntlDateTimeFormat.h: - -2017-06-08 Joseph Pecoraro - - [Cocoa] JSWrapperMap leaks for all JSContexts - https://bugs.webkit.org/show_bug.cgi?id=173110 - - - Reviewed by Geoffrey Garen. - - * API/JSContext.mm: - (-[JSContext ensureWrapperMap]): - Ensure this allocation gets released. - -2017-06-08 Filip Pizlo - - REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure - https://bugs.webkit.org/show_bug.cgi?id=161156 - - Reviewed by Saam Barati. - - Since LLInt does not register impure property watchpoints for self property accesses, it - shouldn't try to cache accesses that require a watchpoint. - - This manifested as a flaky failure because the test would fire the watchpoint after we had - usually already tiered up. Without concurrent JIT, we would have always tiered up before - getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This - also adds a test that deterministically failed in LLInt without this change; it does so by just - running a lot shorter. 
- - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - -2017-06-08 Keith Miller - - WebAssembly: We should only create wrappers for functions that can be exported - https://bugs.webkit.org/show_bug.cgi?id=173088 - - Reviewed by Saam Barati. - - This patch makes it so we only create wrappers for WebAssembly functions that - can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times. - - This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI. - Most of the tests were duplicates of ones in the spec-tests directory. The others I - have converted to use the normal API. - - * jsc.cpp: - (GlobalObject::finishCreation): - (valueWithTypeOfWasmValue): Deleted. - (box): Deleted. - (callWasmFunction): Deleted. - (functionTestWasmModuleFunctions): Deleted. - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::createJSToWasmWrapper): - (JSC::Wasm::parseAndCompile): - * wasm/WasmB3IRGenerator.h: - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::prepare): - (JSC::Wasm::BBQPlan::compileFunctions): - (JSC::Wasm::BBQPlan::complete): - * wasm/WasmBBQPlan.h: - * wasm/WasmBBQPlanInlines.h: - (JSC::Wasm::BBQPlan::initializeCallees): - * wasm/WasmCodeBlock.cpp: - (JSC::Wasm::CodeBlock::CodeBlock): - * wasm/WasmCodeBlock.h: - (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): - * wasm/WasmFormat.h: - * wasm/WasmOMGPlan.cpp: - (JSC::Wasm::OMGPlan::work): - -2017-06-07 JF Bastien - - WebAssembly: test imports and exports with 16-bit characters - https://bugs.webkit.org/show_bug.cgi?id=165977 - - - Reviewed by Saam Barati. - - Add the missing UTF-8 conversions. Improve import failure error - messages, otherwise it's hard to figure out which import is wrong. 
- - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::create): - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::finishCreation): - (JSC::WebAssemblyModuleRecord::link): - -2017-06-07 Devin Rousso - - Web Inspector: Add ContextMenu item to log WebSocket object to console - https://bugs.webkit.org/show_bug.cgi?id=172878 - - Reviewed by Joseph Pecoraro. - - * inspector/protocol/Network.json: - Add resolveWebSocket command. - -2017-06-07 Jon Davis - - Update feature status for features Supported In Preview - https://bugs.webkit.org/show_bug.cgi?id=173071 - - Reviewed by Darin Adler. - - Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2, - User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC. - - * features.json: - -2017-06-07 Saam Barati - - Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141 - https://bugs.webkit.org/show_bug.cgi?id=172673 - - - Reviewed by Mark Lam. - - This patch simply removes this assertion. It's faulty because it - races with the main thread when doing concurrent compilation. - - Consider a program with: - - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true. - - Structure S2 - - The DFG IR is like so: - a: JSConstant(O) // FrozenValue {O, S1} - b: CheckStructure(@a, S2) - c: ToThis(@a) - d: CheckEq(@c, nullConstant) - Branch(@d) - - The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable(). - When running AI, we'll notice that node @b will OSR exit, so nodes after - @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable(). - Now, when running AI, @a will have Top for its structure set. No longer will - we think @b exits. - - The DFG backend asserts that under such a situation, we should have simplified - the CheckEq to false. 
However, this is a racy thing to assert, since the - transition from dfgWatchable() to !dfgWatchable() can happen right before we - enter the backend. Hence, this assertion is not valid. - - (Note, the generated code for the above program will never actually execute. - Since we noticed S1 as dfgWatchable(), we make the compilation dependent on - S1 not transitioning. S1 transitions, so we won't actually run the code that - gets compiled.) - - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): - -2017-06-07 Yusuke Suzuki - - [JSC] has_generic_property never accepts non-String - https://bugs.webkit.org/show_bug.cgi?id=173057 - - Reviewed by Darin Adler. - - We never pass non-String value to has_generic_property bytecode. - - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - -2017-06-06 Fujii Hironori - - [Win][x86-64] Some callee saved registers aren't preserved - https://bugs.webkit.org/show_bug.cgi?id=171266 - - Reviewed by Saam Barati. - - * jit/RegisterSet.cpp: - (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows. - -2017-06-06 Mark Lam - - Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH. - https://bugs.webkit.org/show_bug.cgi?id=173035 - - - Reviewed by Geoffrey Garen and Filip Pizlo. - - Also added and fixed up some assertions. - - * runtime/ArrayConventions.h: - * runtime/JSArray.cpp: - (JSC::JSArray::setLength): - * runtime/JSObject.cpp: - (JSC::JSObject::createInitialIndexedStorage): - (JSC::JSObject::ensureLengthSlow): - (JSC::JSObject::reallocateAndShrinkButterfly): - * runtime/JSObject.h: - (JSC::JSObject::ensureLength): - * runtime/RegExpObject.cpp: - (JSC::collectMatches): - * runtime/RegExpPrototype.cpp: - (JSC::regExpProtoFuncSplitFast): - -2017-06-06 Saam Barati - - Make sure we restore SP when doing calls that could be to JS - https://bugs.webkit.org/show_bug.cgi?id=172946 - - - Reviewed by JF Bastien. 
- - I was worried that there was a bug where we'd call JS, JS would tail call, - and we'd end up with a bogus SP. However, this bug does not exist since wasm - always calls to JS through a stub, and the stub treats SP as a callee save. - - I wrote a test for this, and also made a note that this is the needed ABI. - - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - -2017-06-06 Keith Miller - - OMG tier up checks should be a patchpoint - https://bugs.webkit.org/show_bug.cgi?id=172944 - - Reviewed by Saam Barati. - - Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes. - In order to reduce code generated out of line in each function. We generate a single stub - that pushes all the callee-saves. This looks like a 5-10% compile time speedup. - - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::emitTierUpCheck): - (JSC::Wasm::B3IRGenerator::addLoop): - * wasm/WasmThunks.cpp: - (JSC::Wasm::triggerOMGTierUpThunkGenerator): - * wasm/WasmThunks.h: - -2017-06-06 Darin Adler - - Cut down use of WTF_ARRAY_LENGTH - https://bugs.webkit.org/show_bug.cgi?id=172997 - - Reviewed by Chris Dumez. - - * parser/Lexer.cpp: - (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE. - - * runtime/NumberPrototype.cpp: - (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH. - -2017-06-06 Konstantin Tokarev - - Add missing includes - https://bugs.webkit.org/show_bug.cgi?id=173017 - - Patch by Thiago Macieira - Reviewed by Yusuke Suzuki. - - This patch fixes compilation with GCC 7. - - * inspector/InspectorBackendDispatcher.h: - -2017-06-06 Filip Pizlo - - Unreviewed, fix 32-bit build. - - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_unreachable): - -2017-06-06 Joseph Pecoraro - - Unreviewed rollout r217807. Caused a test to crash. - - * heap/HeapSnapshotBuilder.cpp: - (JSC::HeapSnapshotBuilder::buildSnapshot): - (JSC::HeapSnapshotBuilder::json): - (): Deleted. 
- * heap/HeapSnapshotBuilder.h: - * runtime/JSObject.cpp: - (JSC::JSObject::calculatedClassName): - -2017-06-06 Filip Pizlo - - index out of bound in bytecodebasicblock - https://bugs.webkit.org/show_bug.cgi?id=172963 - - Reviewed by Saam Barati and Mark Lam. - - We were leaving an unterminated basic block when generating CodeForCall for a class - constructor. This was mostly benign since that unterminated block was not reachable, but it - does cause an ASSERT. - - This fixes the issue by appending op_unreachable to that block. I added op_unreachable because - this really is the cleanest and most idiomatic way to solve this problem, so even though it - makes the change bigger it's probabably worth it. - - * bytecode/BytecodeDumper.cpp: - (JSC::BytecodeDumper::dumpBytecode): - * bytecode/BytecodeList.json: - * bytecode/BytecodeUseDef.h: - (JSC::computeUsesForBytecodeOffset): - (JSC::computeDefsForBytecodeOffset): - * bytecode/Opcode.h: - (JSC::isTerminal): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::generate): - (JSC::BytecodeGenerator::emitUnreachable): - * bytecompiler/BytecodeGenerator.h: - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCapabilities.cpp: - (JSC::DFG::capabilityLevel): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable): - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - * jit/JIT.h: - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_unreachable): - * llint/LowLevelInterpreter.asm: - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - * runtime/CommonSlowPaths.h: - -2017-06-06 Ryan Haddad - - Unreviewed, rolling out r217812. - - This change caused test failures on arm64. 
- - Reverted changeset: - - "OMG tier up checks should be a patchpoint" - https://bugs.webkit.org/show_bug.cgi?id=172944 - http://trac.webkit.org/changeset/217812 - -2017-06-06 Carlos Garcia Campos - - [WPE] Enable remote inspector - https://bugs.webkit.org/show_bug.cgi?id=172971 - - Reviewed by Žan Doberšek. - - We can just build the current glib remote inspector, without adding a frontend implementation and using a - WebKitGTK+ browser as frontend for now. - - * PlatformWPE.cmake: Add remote inspector files to compilation. - * inspector/remote/glib/RemoteInspectorUtils.cpp: - (Inspector::backendCommands): Load the inspector resources library. - -2017-06-06 Carlos Garcia Campos - - [GLIB] Make remote inspector DBus protocol common to all glib based ports - https://bugs.webkit.org/show_bug.cgi?id=172970 - - Reviewed by Žan Doberšek. - - We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the - idea that other ports could use their own names. However, the protocol is the same, so we could use the same - names and make all glib based ports compatible to each other. This way we could use the GTK+ MiniBrowser to - debug WPE, without having to implement the frontend part in WPE yet. - - * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and reomve platform idfeds. - * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto. - -2017-06-06 Carlos Garcia Campos - - [GTK] Web Process deadlock when closing the remote inspector frontend - https://bugs.webkit.org/show_bug.cgi?id=172973 - - Reviewed by Žan Doberšek. - - We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage() - takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls - PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote - inspector mutex. 
We should release the mutex before calling RemoteConnectionToTarget::close(). - - * inspector/remote/glib/RemoteInspectorGlib.cpp: - (Inspector::RemoteInspector::receivedCloseMessage): - -2017-06-05 Saam Barati - - Try to fix features.json by adding an ESNext section. - - Unreviewed. - - * features.json: - -2017-06-05 David Kilzer - - Follow-up: Update JSC's features.json - https://bugs.webkit.org/show_bug.cgi?id=172942 - - Rubber-stamped by Jon Davis. - - * features.json: Change "Supported in preview" to - "Supported" to try to fix . - -2017-06-05 Saam Barati - - We don't properly parse init_expr when the opcode is an unexpected opcode - https://bugs.webkit.org/show_bug.cgi?id=172945 - - Reviewed by JF Bastien. - - The bug is a simple typo. It should use the constant - `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF - macro. This failure is already caught by spec tests that fail - on arm64 devices. - - * wasm/WasmModuleParser.cpp: - -2017-06-05 Keith Miller - - OMG tier up checks should be a patchpoint - https://bugs.webkit.org/show_bug.cgi?id=172944 - - Reviewed by Saam Barati. - - Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes. - In order to reduce code generated out of line in each function. We generate a single stub - that pushes all the callee-saves. This looks like a 5-10% compile time speedup. - - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::emitTierUpCheck): - (JSC::Wasm::B3IRGenerator::addLoop): - * wasm/WasmThunks.cpp: - (JSC::Wasm::triggerOMGTierUpThunkGenerator): - * wasm/WasmThunks.h: - -2017-06-05 Joseph Pecoraro - - Remove unused VM members - https://bugs.webkit.org/show_bug.cgi?id=172941 - - Reviewed by Mark Lam. - - * runtime/HashMapImpl.h: - (JSC::HashMapImpl::selectStructure): Deleted. 
- * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - -2017-06-05 Joseph Pecoraro - - Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view - https://bugs.webkit.org/show_bug.cgi?id=172848 - - - Reviewed by Saam Barati. - - * heap/HeapSnapshotBuilder.h: - * heap/HeapSnapshotBuilder.cpp: - Update the snapshot version. Change the node's 0 | 1 internal value - to be a 32bit bit flag. This is nice in that it is both compatible - with the previous snapshot version and the same size. We can use more - flags in the future. - - (JSC::HeapSnapshotBuilder::json): - In cases where the classInfo gives us "Object" check for a better - class name by checking (o).__proto__.constructor.name. We avoid this - check in cases where (o).hasOwnProperty("constructor") which is the - case for most Foo.prototype objects. Otherwise this would get the - name of the Foo superclass for the Foo.prototype object. - - * runtime/JSObject.cpp: - (JSC::JSObject::calculatedClassName): - Handle some possible edge cases that were not handled before. Such - as a JSObject without a GlobalObject, and an object which doesn't - have a default getPrototype. Try to make the code a little clearer. - -2017-06-05 Saam Barati - - Update JSC's features.json - https://bugs.webkit.org/show_bug.cgi?id=172942 - - Rubber stamped by Mark Lam. - - * features.json: - -2017-06-04 Konstantin Tokarev - - Fix build of Windows-specific code with ICU 59.1 - https://bugs.webkit.org/show_bug.cgi?id=172729 - - Reviewed by Darin Adler. - - Fix conversions from WTF::String to wchar_t* and vice versa. - - * jsc.cpp: - (currentWorkingDirectory): - (fetchModuleFromLocalFileSystem): - * runtime/DateConversion.cpp: - (JSC::formatDateTime): - -2017-06-04 Yusuke Suzuki - - [JSC] Drop unnecessary USE(CF) guard for getenv - https://bugs.webkit.org/show_bug.cgi?id=172903 - - Reviewed by Sam Weinig. - - getenv is not related to USE(CF) and OS(UNIX). 
It seems that this - ifdef only hits in WinCairo, but WinCairo can use getenv. - Moreover, in VM::VM, we already use getenv without any ifdef guard. - - This patch just drops it. - - * runtime/VM.cpp: - (JSC::enableAssembler): - -2017-06-04 Yusuke Suzuki - - [JSC] Drop OS(DARWIN) for uintptr_t type conflict - https://bugs.webkit.org/show_bug.cgi?id=172904 - - Reviewed by Sam Weinig. - - In non-Darwin environment, uintptr_t may have the same type - to uint64_t. We avoided the compile error by using OS(DARWIN). - But, since it depends on cstdint implementaion rather than OS, it is flaky. - Instead, we just use template parameter IntegralType. - And we describe the type constraint in a SFINAE manner. - - * dfg/DFGOpInfo.h: - (JSC::DFG::OpInfo::OpInfo): - -2017-06-03 Csaba Osztrogonác - - [ARM] Unreviewed buildfix after r217711. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::xor32): - -2017-06-02 Yusuke Suzuki - - ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export - https://bugs.webkit.org/show_bug.cgi?id=168844 - - Reviewed by Saam Barati. - - As the same to the exported function declaration, we should set statementDepth = 1 for exported async function declaration. - - * parser/Parser.cpp: - (JSC::DepthManager::DepthManager): - (JSC::Parser::parseExportDeclaration): - * parser/Parser.h: - (JSC::Parser::DepthManager::DepthManager): Deleted. - (JSC::Parser::DepthManager::~DepthManager): Deleted. - -2017-06-02 Keith Miller - - Defer installing mach breakpoint handler until watchdog is actually called - https://bugs.webkit.org/show_bug.cgi?id=172885 - - Reviewed by Saam Barati. - - Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging. - This hides the issue, so it won't occur as often. 
- - * runtime/VMTraps.cpp: - (JSC::VMTraps::SignalSender::send): - (JSC::VMTraps::VMTraps): Deleted. - * runtime/VMTraps.h: - -2017-06-02 Filip Pizlo - - Atomics.load and Atomics.store need to be fully fenced - https://bugs.webkit.org/show_bug.cgi?id=172844 - - Reviewed by Keith Miller. - - Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and - AtomicXchg(value, ptr) for the store. - - DFG needed no changes because it implements all atomics using a CAS loop. - - AtomicsObject.cpp now uses new Atomic<> API for fully fences loads and stores. - - Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This - is not correct according to my current understanding of the SAB memory model, which requires - that atomic operations are SC with respect to everything not just other atomics. - - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): - * ftl/FTLOutput.cpp: - (JSC::FTL::Output::atomicWeakCAS): - * ftl/FTLOutput.h: - * runtime/AtomicsObject.cpp: - -2017-06-02 Ryan Haddad - - Unreviewed, attempt to fix the iOS build after r217711. - - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::xor32): - (JSC::MacroAssemblerARM64::xor64): - -2017-06-01 Filip Pizlo - - GC should use scrambled free-lists - https://bugs.webkit.org/show_bug.cgi?id=172793 - - Reviewed by Mark Lam. - - Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list. - The linked-list would be threaded through free memory, as is the usual convention. - - This scrambles the next pointers of that free-list. It also scrambles the head pointer, because - this leads to a more natural fast-path structure and saves one register on ARM64. - - The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret - every time they do a sweep-to-pop. 
- - This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code - quite a bit. Previously, there were four copies of the allocator fast path: two in - MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one - was obviously different-looking, but the other three were almost identical. This moves all of - that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and - AssemblyHelpers.h. - - This appears to be just as fast as our previously allocator. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/FreeList.cpp: - (JSC::FreeList::FreeList): - (JSC::FreeList::~FreeList): - (JSC::FreeList::clear): - (JSC::FreeList::initializeList): - (JSC::FreeList::initializeBump): - (JSC::FreeList::contains): - (JSC::FreeList::dump): - * heap/FreeList.h: - (JSC::FreeList::allocationWillFail): - (JSC::FreeList::originalSize): - (JSC::FreeList::addressOfList): - (JSC::FreeList::offsetOfBlock): - (JSC::FreeList::offsetOfList): - (JSC::FreeList::offsetOfIndex): - (JSC::FreeList::offsetOfPayloadEnd): - (JSC::FreeList::offsetOfRemaining): - (JSC::FreeList::offsetOfOriginalSize): - (JSC::FreeList::FreeList): Deleted. - (JSC::FreeList::list): Deleted. - (JSC::FreeList::bump): Deleted. - (JSC::FreeList::operator==): Deleted. - (JSC::FreeList::operator!=): Deleted. - (JSC::FreeList::operator bool): Deleted. - * heap/FreeListInlines.h: Added. 
- (JSC::FreeList::addFreeCell): - (JSC::FreeList::allocate): - (JSC::FreeList::forEach): - (JSC::FreeList::toOffset): - (JSC::FreeList::fromOffset): - * heap/IncrementalSweeper.cpp: - (JSC::IncrementalSweeper::sweepNextBlock): - * heap/MarkedAllocator.cpp: - (JSC::MarkedAllocator::MarkedAllocator): - (JSC::MarkedAllocator::didConsumeFreeList): - (JSC::MarkedAllocator::tryAllocateWithoutCollecting): - (JSC::MarkedAllocator::tryAllocateIn): - (JSC::MarkedAllocator::allocateSlowCaseImpl): - (JSC::MarkedAllocator::stopAllocating): - (JSC::MarkedAllocator::prepareForAllocation): - (JSC::MarkedAllocator::resumeAllocating): - (JSC::MarkedAllocator::sweep): - (JSC::MarkedAllocator::setFreeList): Deleted. - * heap/MarkedAllocator.h: - (JSC::MarkedAllocator::freeList): - (JSC::MarkedAllocator::isFreeListedCell): Deleted. - * heap/MarkedAllocatorInlines.h: - (JSC::MarkedAllocator::isFreeListedCell): - (JSC::MarkedAllocator::tryAllocate): - (JSC::MarkedAllocator::allocate): - * heap/MarkedBlock.cpp: - (JSC::MarkedBlock::Handle::stopAllocating): - (JSC::MarkedBlock::Handle::lastChanceToFinalize): - (JSC::MarkedBlock::Handle::resumeAllocating): - (JSC::MarkedBlock::Handle::zap): - (JSC::MarkedBlock::Handle::sweep): - (JSC::MarkedBlock::Handle::isFreeListedCell): - (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted. - * heap/MarkedBlock.h: - * heap/MarkedBlockInlines.h: - (JSC::MarkedBlock::Handle::specializedSweep): - (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): - (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted. 
- * heap/Subspace.cpp: - (JSC::Subspace::finishSweep): - * heap/Subspace.h: - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): - * runtime/JSDestructibleObjectSubspace.cpp: - (JSC::JSDestructibleObjectSubspace::finishSweep): - * runtime/JSDestructibleObjectSubspace.h: - * runtime/JSSegmentedVariableObjectSubspace.cpp: - (JSC::JSSegmentedVariableObjectSubspace::finishSweep): - * runtime/JSSegmentedVariableObjectSubspace.h: - * runtime/JSStringSubspace.cpp: - (JSC::JSStringSubspace::finishSweep): - * runtime/JSStringSubspace.h: - * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: - (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): - * wasm/js/JSWebAssemblyCodeBlockSubspace.h: - -2017-06-02 Yusuke Suzuki - - [JSC] Use @globalPrivate for concatSlowPath - https://bugs.webkit.org/show_bug.cgi?id=172802 - - Reviewed by Darin Adler. - - Use @globalPrivate instead of manually putting it to JSGlobalObject. - - * builtins/ArrayPrototype.js: - (concatSlowPath): Deleted. - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - -2017-06-01 Andy Estes - - REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake - https://bugs.webkit.org/show_bug.cgi?id=172828 - - Reviewed by Beth Dakin. - - * Configurations/FeatureDefines.xcconfig: - -2017-06-01 Keith Miller - - Undo rollout in r217638 with bug fix - https://bugs.webkit.org/show_bug.cgi?id=172824 - - Unreviewed, reland patch with unused set_state code removed. 
- - * API/tests/ExecutionTimeLimitTest.cpp: - (dispatchTermitateCallback): - (testExecutionTimeLimit): - * runtime/JSLock.cpp: - (JSC::JSLock::didAcquireLock): - * runtime/Options.cpp: - (JSC::overrideDefaults): - (JSC::Options::initialize): - * runtime/Options.h: - * runtime/VMTraps.cpp: - (JSC::SignalContext::SignalContext): - (JSC::SignalContext::adjustPCToPointToTrappingInstruction): - (JSC::installSignalHandler): - (JSC::VMTraps::SignalSender::send): - * tools/SigillCrashAnalyzer.cpp: - (JSC::SignalContext::SignalContext): - (JSC::SignalContext::dump): - (JSC::installCrashHandler): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::compileFunctions): - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::trapHandler): - (JSC::Wasm::enableFastMemory): - * wasm/WasmMachineThreads.cpp: - (JSC::Wasm::resetInstructionCacheOnAllThreads): - -2017-06-01 Guillaume Emont - - [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds - https://bugs.webkit.org/show_bug.cgi?id=172800 - - Reviewed by Saam Barati. - - This fixes a static_cast by making it a cast to int64_t - instead, which looks like the original intent. This fixes the - sampling-profiler tests in JSTests/stress. - - * runtime/SamplingProfiler.cpp: - (JSC::SamplingProfiler::timerLoop): - -2017-06-01 Tomas Popela , Mark Lam - - RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians - https://bugs.webkit.org/show_bug.cgi?id=170945 - - Reviewed by Mark Lam. - - Re-define PutByIdFlags as a int32_t enum explicitly because it is - stored as an int32_t value in UnlinkedInstruction. This prevents - a bug on 64-bit big endian architectures where the word order is - inverted (when we convert the UnlinkedInstruction into a CodeBlock - Instruction), resulting in the PutByIdFlags value not being stored in - the 32-bit word that the rest of the code expects it to be in. 
- - * bytecode/PutByIdFlags.h: - -2017-05-31 Yusuke Suzuki - - [JSC] Implement String.prototype.concat in JS builtins - https://bugs.webkit.org/show_bug.cgi?id=172798 - - Reviewed by Sam Weinig. - - Since we have highly effective + operation for strings, - implementing String.prototype.concat in JS simplifies the - implementation and improves performance by using speculated - types. - - Added microbenchmarks show performance improvement. - - string-concat-long-convert 1063.2787+-12.9101 ^ 109.0855+-2.8083 ^ definitely 9.7472x faster - string-concat-convert 1111.1366+-12.2363 ^ 99.3402+-1.9874 ^ definitely 11.1852x faster - string-concat 131.7377+-3.8359 ^ 54.3949+-0.9580 ^ definitely 2.4219x faster - string-concat-long 79.4726+-1.9644 ^ 64.6301+-1.4941 ^ definitely 1.2297x faster - - * builtins/StringPrototype.js: - (globalPrivate.stringConcatSlowPath): - (concat): - * runtime/StringPrototype.cpp: - (JSC::StringPrototype::finishCreation): - (JSC::stringProtoFuncConcat): Deleted. - -2017-05-31 Mark Lam - - Remove overrides of visitChildren() that do not add any functionality. - https://bugs.webkit.org/show_bug.cgi?id=172789 - - - Reviewed by Andreas Kling. - - * bytecode/UnlinkedModuleProgramCodeBlock.cpp: - (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted. - * bytecode/UnlinkedModuleProgramCodeBlock.h: - * bytecode/UnlinkedProgramCodeBlock.cpp: - (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted. - * bytecode/UnlinkedProgramCodeBlock.h: - * wasm/js/WebAssemblyFunction.cpp: - (JSC::WebAssemblyFunction::visitChildren): Deleted. - * wasm/js/WebAssemblyFunction.h: - * wasm/js/WebAssemblyInstanceConstructor.cpp: - (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted. - * wasm/js/WebAssemblyInstanceConstructor.h: - * wasm/js/WebAssemblyMemoryConstructor.cpp: - (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted. 
- * wasm/js/WebAssemblyMemoryConstructor.h: - * wasm/js/WebAssemblyModuleConstructor.cpp: - (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted. - * wasm/js/WebAssemblyModuleConstructor.h: - * wasm/js/WebAssemblyTableConstructor.cpp: - (JSC::WebAssemblyTableConstructor::visitChildren): Deleted. - * wasm/js/WebAssemblyTableConstructor.h: - -2017-05-31 Commit Queue - - Unreviewed, rolling out r217611 and r217631. - https://bugs.webkit.org/show_bug.cgi?id=172785 - - "caused wasm-hashset-many.html to become flaky." (Requested by - keith_miller on #webkit). - - Reverted changesets: - - "Reland r216808, underlying lldb bug has been fixed." - https://bugs.webkit.org/show_bug.cgi?id=172759 - http://trac.webkit.org/changeset/217611 - - "Use dispatch queues for mach exceptions" - https://bugs.webkit.org/show_bug.cgi?id=172775 - http://trac.webkit.org/changeset/217631 - -2017-05-31 Oleksandr Skachkov - - Rolling out: Prevent async methods named 'function' - https://bugs.webkit.org/show_bug.cgi?id=172776 - - Reviewed by Mark Lam. - - Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578, - https://bugs.webkit.org/show_bug.cgi?id=172598 r217478 - PR to spec was closed, so changes need to roll out. See - https://github.com/tc39/ecma262/pull/884#issuecomment-305212494 - - * parser/Parser.cpp: - (JSC::Parser::parseClass): - (JSC::Parser::parsePropertyMethod): - -2017-05-31 Andy Estes - - Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number - https://bugs.webkit.org/show_bug.cgi?id=172366 - - Reviewed by Daniel Bates. - - * Configurations/FeatureDefines.xcconfig: - -2017-05-31 Keith Miller - - Reland r216808, underlying lldb bug has been fixed. - https://bugs.webkit.org/show_bug.cgi?id=172759 - - - Unreviewed, relanding old patch. 
See: rdar://problem/31183352 - - * API/tests/ExecutionTimeLimitTest.cpp: - (dispatchTermitateCallback): - (testExecutionTimeLimit): - * runtime/JSLock.cpp: - (JSC::JSLock::didAcquireLock): - * runtime/Options.cpp: - (JSC::overrideDefaults): - (JSC::Options::initialize): - * runtime/Options.h: - * runtime/VMTraps.cpp: - (JSC::SignalContext::SignalContext): - (JSC::SignalContext::adjustPCToPointToTrappingInstruction): - (JSC::installSignalHandler): - (JSC::VMTraps::SignalSender::send): - * tools/SigillCrashAnalyzer.cpp: - (JSC::SignalContext::SignalContext): - (JSC::SignalContext::dump): - (JSC::installCrashHandler): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::compileFunctions): - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::trapHandler): - (JSC::Wasm::enableFastMemory): - * wasm/WasmMachineThreads.cpp: - (JSC::Wasm::resetInstructionCacheOnAllThreads): - -2017-05-31 Keith Miller - - Fix leak in PromiseDeferredTimer - https://bugs.webkit.org/show_bug.cgi?id=172755 - - Reviewed by JF Bastien. - - We were not properly freeing the list of dependencies if we were already tracking the promise before. - This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case - where we were already tracking the promise we append the provided dependency list to the existing list. - Since we never bound or rvalue-ref to a non-temporary value we never destructed the Vector, leaking its - contents. - - * runtime/PromiseDeferredTimer.cpp: - (JSC::PromiseDeferredTimer::addPendingPromise): - -2017-05-30 Oleksandr Skachkov - - Prevent async methods named 'function' in Object literal - https://bugs.webkit.org/show_bug.cgi?id=172660 - - Reviewed by Saam Barati. - - Prevent async method named 'function' in object. 
- https://github.com/tc39/ecma262/pull/884 - - * parser/Parser.cpp: - (JSC::Parser::parsePropertyMethod): - -2017-05-30 Oleksandr Skachkov - - ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext - https://bugs.webkit.org/show_bug.cgi?id=171274 - - Reviewed by Saam Barati. - - Current patch allow to use async arrow function within constructor, - and allow to access to `this`. Current patch force load 'this' from - virtual scope each time as we access to `this` in async arrow function - within constructor it is neccessary because async function can be - suspended and `superCall` can be called and async function resumed. - - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitPutGeneratorFields): - (JSC::BytecodeGenerator::ensureThis): - * bytecompiler/BytecodeGenerator.h: - (JSC::BytecodeGenerator::makeFunction): - -2017-05-30 Ali Juma - - [CredentialManagement] Incorporate IDL updates from latest spec - https://bugs.webkit.org/show_bug.cgi?id=172011 - - Reviewed by Daniel Bates. - - * runtime/CommonIdentifiers.h: - -2017-05-30 Alex Christensen - - Update libwebrtc configuration - https://bugs.webkit.org/show_bug.cgi?id=172727 - - Reviewed by Geoffrey Garen. - - * Configurations/FeatureDefines.xcconfig: - -2017-05-28 Dan Bernstein - - [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES - https://bugs.webkit.org/show_bug.cgi?id=172691 - - Reviewed by Tim Horton. - - * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO. - * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target. - -2017-05-28 Yusuke Suzuki - - [JSC] Provide better type information of toLength and tighten bytecode - https://bugs.webkit.org/show_bug.cgi?id=172690 - - Reviewed by Sam Weinig. - - In this patch, we carefully leverage operator + in order to - - 1. tighten bytecode - - operator+ emits to_number bytecode. What this bytecode does is the same - to @Number() call. 
It is more efficient, and it is smaller bytecode - than @Number() call (load global variable @Number, set up arguments, and - call it). - - 2. offer better type prediction data - - Now, we have code like - - length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0 - - This is not good because DFG prediction propagation phase predicts as Double - since @MAX_SAFE_INTEGER is double. But actually it rarely becomes Double. - Usually, the result becomes Int32. This patch leverages to_number in a bit - interesting way: to_number has value profiling to offer better type prediction. - This value profiling can offer a chance to change the prediction to Int32 efficiently. - It is a bit tricky. But it is worth doing to speed up our builtin functions, - which should leverage all the JSC's tricky things to be optimized. - - Related microbenchmarks show performance improvement. - - baseline patched - - array-prototype-forEach 50.2348+-2.2331 49.7568+-2.3507 - array-prototype-map 51.0574+-1.8166 47.9531+-2.1653 might be 1.0647x faster - array-prototype-some 52.3926+-1.8882 ^ 48.3632+-2.0852 ^ definitely 1.0833x faster - array-prototype-every 52.7394+-2.0712 50.2896+-2.1480 might be 1.0487x faster - array-prototype-reduce 54.9994+-2.3638 51.8716+-2.6253 might be 1.0603x faster - array-prototype-reduceRight 209.7594+-9.2594 ^ 51.5867+-2.5745 ^ definitely 4.0662x faster - - - * builtins/GlobalOperations.js: - (globalPrivate.toInteger): - (globalPrivate.toLength): - -2017-05-28 Sam Weinig - - [WebIDL] @@iterator should only be accessed once when disambiguating a union type - https://bugs.webkit.org/show_bug.cgi?id=172684 - - Reviewed by Yusuke Suzuki. 
- - * runtime/IteratorOperations.cpp: - (JSC::iteratorMethod): - (JSC::iteratorForIterable): - * runtime/IteratorOperations.h: - (JSC::forEachInIterable): - Add additional iterator helpers to allow union + sequence conversion code - to check for iterability by getting the iterator method, and iterate using - that method later on. - -2017-05-28 Yusuke Suzuki - - Unreviewed, build fix for Windows - https://bugs.webkit.org/show_bug.cgi?id=172413 - - Optimized jsDynamicCast for JSMap and JSSet will be handled in [1]. - - [1]: https://bugs.webkit.org/show_bug.cgi?id=172685 - - * runtime/JSMap.h: - (JSC::isJSMap): - (JSC::jsDynamicCast): Deleted. - (JSC::>): Deleted. - * runtime/JSSet.h: - (JSC::isJSSet): - (JSC::jsDynamicCast): Deleted. - (JSC::>): Deleted. - * runtime/MapConstructor.cpp: - (JSC::constructMap): - * runtime/SetConstructor.cpp: - (JSC::constructSet): - -2017-05-28 Mark Lam - - Implement a faster Interpreter::getOpcodeID(). - https://bugs.webkit.org/show_bug.cgi?id=172669 - - Reviewed by Saam Barati. - - We can implement Interpreter::getOpcodeID() without a hash table lookup by always - embedding the OpcodeID in the 32-bit word just before the start of the LLInt - handler code that executes each opcode. getOpcodeID() can therefore just read - the 32-bits before the opcode address to get its OpcodeID. - - This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64), - CPU(ARM_THUMB2), and only for OS(DARWIN). It'll probably just work for linux as - well, but I'll let the Linux folks turn that on after they have verified that it - works on linux too. - - I'll also take this opportunity to clean up how we initialize the opcodeIDTable: - 1. we only need to initialize it once per process, not once per VM / interpreter - instance. - 2. we can initialize it in the Interpreter constructor instead of requiring a - separate call to an initialize() function. 
-
- On debug builds, the Interpreter constructor will also verify that getOpcodeID()
- is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
-
- * bytecode/BytecodeList.json:
- * generate-bytecode-files:
- * interpreter/Interpreter.cpp:
- (JSC::Interpreter::Interpreter):
- (JSC::Interpreter::opcodeIDTable):
- (JSC::Interpreter::initialize): Deleted.
- * interpreter/Interpreter.h:
- (JSC::Interpreter::getOpcode):
- (JSC::Interpreter::getOpcodeID):
- * llint/LowLevelInterpreter.cpp:
- * runtime/VM.cpp:
- (JSC::VM::VM):
-
-2017-05-27 Yusuke Suzuki
-
- [JSC] Map and Set constructors should have fast path for cloning
- https://bugs.webkit.org/show_bug.cgi?id=172413
-
- Reviewed by Saam Barati.
-
- In this patch, we add a fast path for cloning in Set and Map constructors.
-
- In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
- At that time, our generic path just iterates the given set object and add
- it to the newly created one. It is quite slow because we need to follow
- the iterator protocol inside C++ and we need to call set.add() repeatedly
- while the given set guarantees the elements are unique.
-
- This patch implements clone() function to JSMap and JSSet. Cloning JSMap
- and JSSet are done really fast without invoking any observable JS functions.
- To check whether we can use this clone() function in Set and Map constructors,
- we set several watchpoints.
-
- In the case of Set,
-
- 1. Set.prototype[Symbol.iterator] is not changed.
- 2. SetIterator.prototype.next is not changed.
- 3. Set.prototype.add is not changed.
- 4. The given Set does not have [Symbol.iterator] function in its instance.
- 5. The given Set's [[Prototype]] is Set.prototype.
- 6. Newly created set's [[Prototype]] is Set.prototype.
-
- If the above requirements are met, cloning the given Set is not observable to users.
- Thus we can take a fast path.
-
- Currently, we do not integrate this optimization into DFG and FTL.
- And we do not optimize other iterables. For example, we can optimize Set
- constructor taking Int32 Array. And we should optimize generic iterator cases too.
- They are planned as part of a separate bug[1].
-
- This change improves ARES-6 Air by 5.3% in steady state.
-
- Baseline:
- Running... Air ( 1 to go)
- firstIteration: 76.41 +- 15.60 ms
- averageWorstCase: 40.63 +- 7.54 ms
- steadyState: 9.13 +- 0.51 ms
-
-
- Patched:
- Running... Air ( 1 to go)
- firstIteration: 75.00 +- 22.54 ms
- averageWorstCase: 39.18 +- 8.45 ms
- steadyState: 8.67 +- 0.28 ms
-
- [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
-
- * CMakeLists.txt:
- * JavaScriptCore.xcodeproj/project.pbxproj:
- * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
- * runtime/HashMapImpl.h:
- (JSC::HashMapBucket::extractValue):
- (JSC::HashMapImpl::finishCreation):
- (JSC::HashMapImpl::add):
- (JSC::HashMapImpl::setUpHeadAndTail):
- (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
- (JSC::HashMapImpl::addNormalizedInternal):
- * runtime/InternalFunction.cpp:
- (JSC::InternalFunction::createSubclassStructureSlow):
- (JSC::InternalFunction::createSubclassStructure): Deleted.
- * runtime/InternalFunction.h:
- (JSC::InternalFunction::createSubclassStructure):
- * runtime/JSGlobalObject.cpp:
- (JSC::JSGlobalObject::JSGlobalObject):
- (JSC::JSGlobalObject::init):
- (JSC::JSGlobalObject::visitChildren):
- * runtime/JSGlobalObject.h:
- (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
- (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
- (JSC::JSGlobalObject::mapSetWatchpoint):
- (JSC::JSGlobalObject::setAddWatchpoint):
- (JSC::JSGlobalObject::mapPrototype):
- (JSC::JSGlobalObject::jsSetPrototype):
- (JSC::JSGlobalObject::setStructure):
- * runtime/JSGlobalObjectInlines.h:
- (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
- (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
- (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
- (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
- * runtime/JSMap.cpp:
- (JSC::JSMap::clone):
- (JSC::JSMap::canCloneFastAndNonObservable):
- * runtime/JSMap.h:
- (JSC::jsDynamicCast):
- (JSC::>):
- (JSC::JSMap::createStructure): Deleted.
- (JSC::JSMap::create): Deleted.
- (JSC::JSMap::set): Deleted.
- (JSC::JSMap::JSMap): Deleted.
- * runtime/JSSet.cpp:
- (JSC::JSSet::clone):
- (JSC::JSSet::canCloneFastAndNonObservable):
- * runtime/JSSet.h:
- (JSC::jsDynamicCast):
- (JSC::>):
- (JSC::JSSet::createStructure): Deleted.
- (JSC::JSSet::create): Deleted.
- (JSC::JSSet::JSSet): Deleted.
- * runtime/MapConstructor.cpp:
- (JSC::constructMap):
- * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
- (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
- * runtime/SetConstructor.cpp:
- (JSC::constructSet):
-
-2017-05-27 Yusuke Suzuki
-
- [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
- https://bugs.webkit.org/show_bug.cgi?id=172260
-
- Reviewed by Filip Pizlo.
-
- DOMJIT::Patchpoint is now used for generalized CheckSubClass. And it becomes mature enough
- to be used as a general-purpose injectable compiler over all the JIT tiers.
-
- We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
-
- * CMakeLists.txt:
- * JavaScriptCore.xcodeproj/project.pbxproj:
- * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
- (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
- (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
- * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
- (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
- * bytecode/GetterSetterAccessCase.cpp:
- (JSC::GetterSetterAccessCase::emitDOMJITGetter):
- * dfg/DFGAbstractInterpreterInlines.h:
- (JSC::DFG::AbstractInterpreter::executeEffects):
- * dfg/DFGByteCodeParser.cpp:
- (JSC::DFG::blessCallDOMGetter):
- (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
- * dfg/DFGClobberize.h:
- (JSC::DFG::clobberize):
- * dfg/DFGFixupPhase.cpp:
- (JSC::DFG::FixupPhase::fixupNode):
- * dfg/DFGGraph.h:
- * dfg/DFGNode.h:
- * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
- * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
- (JSC::DFG::SnippetParams::SnippetParams):
- * dfg/DFGSpeculativeJIT.cpp:
- (JSC::DFG::allocateTemporaryRegistersForSnippet):
- (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
- (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
- (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
- * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
- (JSC::DOMJIT::CallDOMGetterSnippet::create):
- * domjit/DOMJITGetterSetter.h:
- * domjit/DOMJITSignature.h:
- * domjit/DOMJITValue.h: Removed.
- * ftl/FTLLowerDFGToB3.cpp:
- (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
- (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
- * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
- * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
- (JSC::FTL::SnippetParams::SnippetParams):
- * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
- (JSC::Snippet::create):
- (JSC::Snippet::setGenerator):
- (JSC::Snippet::generator):
- * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
- (JSC::SnippetParams::~SnippetParams):
- (JSC::SnippetParams::Value::Value):
- (JSC::SnippetParams::Value::isGPR):
- (JSC::SnippetParams::Value::isFPR):
- (JSC::SnippetParams::Value::isJSValueRegs):
- (JSC::SnippetParams::Value::gpr):
- (JSC::SnippetParams::Value::fpr):
- (JSC::SnippetParams::Value::jsValueRegs):
- (JSC::SnippetParams::Value::reg):
- (JSC::SnippetParams::Value::value):
- (JSC::SnippetParams::SnippetParams):
- * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
- (JSC::SnippetReg::SnippetReg):
- * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
- * jsc.cpp:
- (WTF::DOMJITNode::checkSubClassSnippet):
- (WTF::DOMJITFunctionObject::checkSubClassSnippet):
- (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
- (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
- * runtime/ClassInfo.h:
-
-2017-05-26 Keith Miller
-
- REEGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
- https://bugs.webkit.org/show_bug.cgi?id=172654
-
- Reviewed by Mark Lam.
-
- The test's intent is to assert that an exception has not been
- thrown (as indicated by the message string), but the test was
- erroneously checking for ! the right condition. This is now fixed.
-
- * API/tests/JSExportTests.mm:
- (wrapperForNSObjectisObject):
-
-2017-05-26 Joseph Pecoraro
-
- JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
- https://bugs.webkit.org/show_bug.cgi?id=172664
-
-
- Reviewed by Matt Baker.
-
- Automatically pause on connection was triggering a pause before the
- frontend may have initialized. Often during frontend initialization
- the frontend may perform an action that clears the pause state requested
- by the developer. This change defers the pause until after the frontend
- has initialized, right before returning to the application's code.
-
- * inspector/remote/RemoteControllableTarget.h:
- * inspector/remote/RemoteInspectionTarget.h:
- * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
- (Inspector::RemoteConnectionToTarget::setup):
- * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
- (Inspector::RemoteConnectionToTarget::setup):
- * runtime/JSGlobalObjectDebuggable.cpp:
- (JSC::JSGlobalObjectDebuggable::connect):
- (JSC::JSGlobalObjectDebuggable::pause): Deleted.
- * runtime/JSGlobalObjectDebuggable.h:
- Pass an immediatelyPause boolean on to the controller. Remove
- the current path that invokes a pause before initialization.
-
- * inspector/JSGlobalObjectInspectorController.h:
- * inspector/JSGlobalObjectInspectorController.cpp:
- (Inspector::JSGlobalObjectInspectorController::connectFrontend):
- (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
- Manage should immediately pause state.
-
- (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
- (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
- When initialized, trigger a pause if requested.
-
-2017-05-26 Mark Lam
-
- Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
- https://bugs.webkit.org/show_bug.cgi?id=172655
-
- Reviewed by Saam Barati.
-
- * API/tests/JSExportTests.mm:
- (wrapperForNSObjectisObject):
-
-2017-05-26 Mark Lam
-
- REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
- https://bugs.webkit.org/show_bug.cgi?id=172651
-
- Reviewed by Saam Barati.
-
- This is because the assertion utility functions used in testCFStrings() expects
- to get the JSGlobalContextRef from the global context variable. However,
- testCFStrings() creates its own JSGlobalContextRef but does not set the global
- context variable to it.
-
- The fix is to make testCFStrings() initialize the global context variable properly.
-
- * API/tests/testapi.c:
- (testCFStrings):
-
-2017-05-26 Yusuke Suzuki
-
- Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
- https://bugs.webkit.org/show_bug.cgi?id=167805
-
- Reviewed by Saam Barati.
-
- Since ModuleProgramExecutable is executed only once, we can skip compiling
- code unreachable from the current program count. This can skip massive
- initialization code.
-
- We already do this for global code in bug#167725. This patch extends it to
- module code.
-
- * interpreter/Interpreter.cpp:
- (JSC::Interpreter::executeModuleProgram):
- * interpreter/Interpreter.h:
- * jit/JIT.cpp:
- (JSC::JIT::privateCompileMainPass):
- * runtime/JSModuleRecord.cpp:
- (JSC::JSModuleRecord::evaluate):
- * runtime/JSModuleRecord.h:
- (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.
-
-2017-05-26 Oleksandr Skachkov
-
- Prevent async methods named 'function'
- https://bugs.webkit.org/show_bug.cgi?id=172598
-
- Reviewed by Mark Lam.
-
- Prevent async method named 'function' in class.
- Link to change in ecma262 specification
- https://github.com/tc39/ecma262/pull/884
-
- * parser/Parser.cpp:
- (JSC::Parser::parseClass):
-
-2017-05-25 Yusuke Suzuki
-
- Unreviewed, build fix for GCC
-
- std::tuple does not have implicit constructor.
- Thus, we cannot use implicit construction with initializer brace.
- We should specify the name like `GetInst { }`.
-
- * bytecompiler/BytecodeGenerator.h:
- (JSC::StructureForInContext::addGetInst):
-
-2017-05-25 Keith Miller
-
- Cleanup tests after r217240
- https://bugs.webkit.org/show_bug.cgi?id=172466
-
- Reviewed by Mark Lam.
-
- I forgot to make my test an actual test. Also, remove second call runJSExportTests()
-
- * API/tests/JSExportTests.mm:
- (wrapperForNSObjectisObject):
- * API/tests/testapi.mm:
- (testObjectiveCAPIMain):
-
-2017-05-25 Michael Saboff
-
- The default setting of Option::criticalGCMemoryThreshold is too high for iOS
- https://bugs.webkit.org/show_bug.cgi?id=172617
-
- Reviewed by Mark Lam.
-
- Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
- when tested running JetStream.
-
- * runtime/Options.h:
-
-2017-05-25 Saam Barati
-
- Our for-in optimization in the bytecode generator does its static analysis incorrectly
- https://bugs.webkit.org/show_bug.cgi?id=172532
-
-
- Reviewed by Mark Lam.
-
- Our static analysis for when a for-in induction variable
- is written to tried to its analysis as we generate
- bytecode. This has issues, since it does not account for
- the dynamic execution path of the program. Let's consider
- a program where our old analysis worked:
-
- ```
- for (let p in o) {
- o[p]; // We can transform this into a fast get_direct_pname
- p = 20;
- o[p]; // We cannot transform this since p has been changed.
+2019-07-24 Alan Coon
+
+ Apply patch. rdar://problem/53483188
+
+ Disable ENABLE_LAYOUT_FORMATTING_CONTEXT https://bugs.webkit.org/show_bug.cgi?id=200038
+
+ Reviewed by Zalan Bujtas.
+
+ This feature is not complete. It is enabled for the trunk, but needs
+ to be disabled in branches for shipping products.
+
+ Source/JavaScriptCore:
+
+ * Configurations/FeatureDefines.xcconfig:
+
+ Source/WebCore:
+
+ No new tests -- this change does not add any new functionality.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+ Source/WebCore/PAL:
+
+ * Configurations/FeatureDefines.xcconfig:
+
+ Source/WebKit:
+
+ * Configurations/FeatureDefines.xcconfig:
+
+ Source/WebKitLegacy/mac:
+
+ * Configurations/FeatureDefines.xcconfig:
+
+ Tools:
+
+ * TestWebKitAPI/Configurations/FeatureDefines.xcconfig:
+
+ 2019-07-23 Keith Rollin
+
+ Disable ENABLE_LAYOUT_FORMATTING_CONTEXT
+ https://bugs.webkit.org/show_bug.cgi?id=200038
+
+
+ Reviewed by Zalan Bujtas.
+
+ This feature is not complete. It is enabled for the trunk, but needs
+ to be disabled in branches for shipping products.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2019-07-17 Kocsen Chung
+
+ Cherry-pick r247532. rdar://problem/53228435
+
+ ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds.
+ https://bugs.webkit.org/show_bug.cgi?id=199821
+
+
+ Reviewed by Filip Pizlo.
+
+ JSTests:
+
+ * stress/arguments-elimination-should-insert-KillStacks-before-added-PutStacks.js: Added.
+
+ Source/JavaScriptCore:
+
+ Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal
+ nodes in the SSAConversionPhase. SetLocal nodes are always preceded by MovHint nodes,
+ and the SSAConversionPhase always inserts a KillStack node before a MovHint node.
+ Hence, a PutStack node is always preceded by a KillStack node.
+
+ However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series
+ of one or more PutStacks nodes, and it prepends MovHint nodes before the PutStack
+ nodes. However, it neglects to prepend KillStack nodes as well. Since the
+ ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes
+ added during ArgumentsElimination will not be preceded by KillStack nodes.
+
+ This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase
+ before it inserts a MovHint and a PutStack node.
+
+ Consider this test case which can manifest the above issue as a crash:
+
+ function inlinee(value) {
+ ...
+ let tmp = value + 1;
 }
- ```
-
- However, our static analysis did not account for loops, which exist
- in JavaScript. e.g, it would incorrectly compile this program as:
- ```
- for (let p in o) {
- for (let i = 0; i < 20; ++i) {
- o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
- p = 20;
- o[p]; // We correctly do not transform this.
- }
+
+ function reflect() {
+ return inlinee.apply(undefined, arguments);
 }
- ```
-
- Because of this flaw, I've made the optimization more conservative.
- We now optimistically emit code for the optimized access. However,
- if a for-in context is *ever* invalidated, before we pop it off
- the stack, we rewrite the program's optimized accesses to no longer
- be optimized. To do this, each context keeps track of its optimized
- accesses.
-
- This patch also adds a new bytecode, op_nop, which is just a no-op.
- It was helpful to add this because reverting get_direct_pname to get_by_val
- will leave us with an extra instruction word because get_direct_pname is
- has a length of 7 where get_by_val has a length of 6. This leaves us with
- an extra slot that we fill with an op_nop.
-
- * bytecode/BytecodeDumper.cpp:
- (JSC::BytecodeDumper::dumpBytecode):
- * bytecode/BytecodeList.json:
- * bytecode/BytecodeUseDef.h:
- (JSC::computeUsesForBytecodeOffset):
- (JSC::computeDefsForBytecodeOffset):
- * bytecompiler/BytecodeGenerator.cpp:
- (JSC::BytecodeGenerator::emitGetByVal):
- (JSC::BytecodeGenerator::popIndexedForInScope):
- (JSC::BytecodeGenerator::popStructureForInScope):
- (JSC::BytecodeGenerator::invalidateForInContextForLocal):
- (JSC::StructureForInContext::pop):
- (JSC::IndexedForInContext::pop):
- * bytecompiler/BytecodeGenerator.h:
- (JSC::StructureForInContext::addGetInst):
- (JSC::IndexedForInContext::addGetInst):
- * dfg/DFGByteCodeParser.cpp:
- (JSC::DFG::ByteCodeParser::parseBlock):
- * dfg/DFGCapabilities.cpp:
- (JSC::DFG::capabilityLevel):
- * jit/JIT.cpp:
- (JSC::JIT::privateCompileMainPass):
- * jit/JIT.h:
- * jit/JITOpcodes.cpp:
- (JSC::JIT::emit_op_nop):
- * llint/LowLevelInterpreter.asm:
-
-2017-05-25 Mark Lam
-
- ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
- https://bugs.webkit.org/show_bug.cgi?id=172548
-
-
- Reviewed by Filip Pizlo.
-
- Consider the following scenario:
-
- 1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
- structure transitions, e.g. structure S2 transitioning to structure S3.
- In this case, O1 would be installed in S2's watchpoint set.
- 2. When the structure transition happens, structure S2 will fire watchpoint O1.
- 3. O1's handler will normally re-install itself in the watchpoint set of the new
- "transitioned to" structure S3.
- 4. "Installation" here requires writing into the StructureRareData SD3 of the new
- structure S3. If SD3 does not exist yet, the installation process will trigger
- the allocation of StructureRareData SD3.
- 5.
It is possible that the Structure S1, and StructureRareData SD1 that owns the
- ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
- by the GC, and therefore will be collected soon.
- 6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
- SD1. This, in turn, triggers the deletion of the
- ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
-
- After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
- AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
- structure S3's watchpoint set. This is obviously incorrect because O1 is already
- deleted. The result is that badness happens later when S3's watchpoint set fires
- its watchpoints and accesses the deleted O1.
-
- The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
- check if "this" is still valid before proceeding to re-install itself or to
- invoke its handleFire() method.
-
- ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
- AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
- and return false its owner StructureRareData is no longer reachable by the GC.
- This ensures that it won't be deleted while it's installed to any watchpoint set.
-
- Additional considerations and notes:
- 1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
- being installed in watchpoint sets. What actually happens is that
- ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
- (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
- watchpoint sets. The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
- not itself a Watchpoint object.
-
- But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
- instead of its Watchpoint members.
The description of the issue is still
- accurate given the life-cycle of the Watchpoint members are embedded in the
- enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
- hence, they share the same life-cycle.
-
- 2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
- m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
- watchpoint sets. This is safe to do even if the owner StructureRareData is no
- longer reachable by the GC.
-
- This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
- is if its Watchpoint members are still installed in some watchpoint set that
- fired. This means that the AdaptiveInferredPropertyValueWatchpointBase
- instance has not been deleted yet, because its destructor will automatically
- remove the Watchpoint members from any watchpoint sets.
-
- * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
- (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
- (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
- * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
- * heap/FreeList.cpp:
- (JSC::FreeList::contains):
- * heap/FreeList.h:
- * heap/HeapCell.h:
- * heap/HeapCellInlines.h:
- (JSC::HeapCell::isLive):
- * heap/MarkedAllocator.h:
- (JSC::MarkedAllocator::isFreeListedCell):
- * heap/MarkedBlock.h:
- * heap/MarkedBlockInlines.h:
- (JSC::MarkedBlock::Handle::isFreeListedCell):
- * runtime/StructureRareData.cpp:
- (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):
-
-2017-05-23 Saam Barati
-
- We should not mmap zero bytes for a memory in Wasm
- https://bugs.webkit.org/show_bug.cgi?id=172528
-
-
- Reviewed by Mark Lam.
-
- This patch fixes a bug where we would call into mmap with zero bytes
- when creating a slow WasmMemory with zero initial page size.
This fix
- is simple: if we don't have any initial bytes, we just call the constructor
- in WasmMemory that's meant to handle this case.
-
- * wasm/WasmMemory.cpp:
- (JSC::Wasm::Memory::create):
-
-2017-05-23 Brian Burg
-
- REGRESSION(r217051): Automation sessions fail to complete bootstrap
- https://bugs.webkit.org/show_bug.cgi?id=172513
-
-
- Reviewed by Joseph Pecoraro.
-
- The changes to be more strict about typechecking messages were too strict.
-
- * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
- (Inspector::RemoteInspector::receivedSetupMessage):
- WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
- into an NSDictionary as NSNull if the key isn't present in a forwarded command.
- We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
- [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.
-
-2017-05-23 Myles C. Maxfield
-
- Remove dead ENABLE(FONT_LOAD_EVENTS) code
- https://bugs.webkit.org/show_bug.cgi?id=172517
-
- Rubber-stamped by Simon Fraser.
-
- * Configurations/FeatureDefines.xcconfig:
-
-2017-05-23 Saam Barati
-
- CFGSimplificationPhase should not merge a block with itself
- https://bugs.webkit.org/show_bug.cgi?id=172508
-
-
- Reviewed by Keith Miller.
-
- CFGSimplificationPhase can run into or create IR that ends up with a
- block that has a Jump to itself, and no other predecessors. It should
- gracefully handle such IR. Before this patch, it would not. The only criteria
- for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
- The code is written in such a way that if we merge a block with itself, we
- will infinite loop until we run out of memory.
-
- Merging a block with itself does not make sense for a few reasons. First,
- we're joining the contents of two blocks. What is the definition of joining
- a block with itself?
I suppose we could simply unroll this self loop
- one level, but that would not be wise because this self loop is by definition
- unreachable unless it's the root block in the graph (which I think is
- invalid IR since we'd never generate bytecode that would do this).
-
- This patch employs an easy fix: we can't merge a block with itself.
-
- * dfg/DFGCFGSimplificationPhase.cpp:
- (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
- (JSC::DFG::CFGSimplificationPhase::run):
- (JSC::DFG::CFGSimplificationPhase::convertToJump):
- (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
-
-2017-05-22 Brian Burg
-
- Web Inspector: webkit reload policy should match default behavior
- https://bugs.webkit.org/show_bug.cgi?id=171385
-
-
- Reviewed by Joseph Pecoraro.
-
- Add a new option to Page.reload that allows the test harness
- to reload its test page using the old reload behavior.
-
- The new behavior of revalidating expired cached subresources only
- is the current default, since only the test harness needs the old behavior.
-
- * inspector/protocol/Page.json:
-
-2017-05-22 Keith Miller
-
- [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
- https://bugs.webkit.org/show_bug.cgi?id=167708
-
- Reviewed by Geoffrey Garen.
-
- This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
- class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
-
- Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
- creating a wrapper for NSObject.
-
- * API/APICast.h:
- (toJSGlobalObject):
- * API/JSContext.mm:
- (-[JSContext ensureWrapperMap]):
- (-[JSContext initWithVirtualMachine:]):
- (-[JSContext dealloc]):
- (-[JSContext wrapperMap]):
- (-[JSContext initWithGlobalContextRef:]):
- (-[JSContext wrapperForObjCObject:]):
- (-[JSContext wrapperForJSObject:]):
- * API/JSWrapperMap.h:
- * API/JSWrapperMap.mm:
- (-[JSObjCClassInfo initForClass:]):
- (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
- (-[JSObjCClassInfo wrapperForObject:inContext:]):
- (-[JSObjCClassInfo constructorInContext:]):
- (-[JSObjCClassInfo prototypeInContext:]):
- (-[JSWrapperMap initWithGlobalContextRef:]):
- (-[JSWrapperMap classInfoForClass:]):
- (-[JSWrapperMap jsWrapperForObject:inContext:]):
- (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
- (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
- (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
- (-[JSObjCClassInfo wrapperForObject:]): Deleted.
- (-[JSObjCClassInfo constructor]): Deleted.
- (-[JSObjCClassInfo prototype]): Deleted.
- (-[JSWrapperMap initWithContext:]): Deleted.
- (-[JSWrapperMap jsWrapperForObject:]): Deleted.
- (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
- * API/tests/JSExportTests.mm:
- (wrapperLifetimeIsTiedToGlobalObject):
- (runJSExportTests):
- * API/tests/testapi.mm:
- * runtime/JSGlobalObject.h:
- (JSC::JSGlobalObject::wrapperMap):
- (JSC::JSGlobalObject::setWrapperMap):
-
-2017-05-22 Filip Pizlo
-
- FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
- https://bugs.webkit.org/show_bug.cgi?id=172455
-
- Reviewed by Mark Lam.
-
- The FTL needs to run B3's callee-save register restoration before it runs the exception
- handler's callee-save register restoration. This exposes B3's callee-save register
- algorithm in AssemblyHelpers so that the FTL can call it.
-
- * b3/air/AirGenerate.cpp:
- (JSC::B3::Air::generate):
- * ftl/FTLLowerDFGToB3.cpp:
- (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
- * heap/Subspace.cpp: Added some debugging support.
- (JSC::Subspace::allocate):
- (JSC::Subspace::tryAllocate):
- (JSC::Subspace::didAllocate):
- * heap/Subspace.h:
- * jit/AssemblyHelpers.h:
- (JSC::AssemblyHelpers::addressFor):
- (JSC::AssemblyHelpers::emitSave):
- (JSC::AssemblyHelpers::emitRestore):
-
-2017-05-20 Yusuke Suzuki
-
- [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
- https://bugs.webkit.org/show_bug.cgi?id=172216
-
- Reviewed by Saam Barati.
-
- This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
- To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
- ArrayStorage and SlowPutArrayStorage, then it produces vector length.
- CheckInBounds uses this vector length to perform bound checking for ArrayStorage
- and SlowPutArrayStorage.
-
- * dfg/DFGAbstractInterpreterInlines.h:
- (JSC::DFG::AbstractInterpreter::executeEffects):
- * dfg/DFGArrayMode.cpp:
- (JSC::DFG::permitsBoundsCheckLowering):
- * dfg/DFGClobberize.h:
- (JSC::DFG::clobberize):
- * dfg/DFGDoesGC.cpp:
- (JSC::DFG::doesGC):
- * dfg/DFGFixupPhase.cpp:
- (JSC::DFG::FixupPhase::fixupNode):
- * dfg/DFGHeapLocation.cpp:
- (WTF::printInternal):
- * dfg/DFGHeapLocation.h:
- * dfg/DFGIntegerRangeOptimizationPhase.cpp:
- * dfg/DFGNode.h:
- (JSC::DFG::Node::hasArrayMode):
- * dfg/DFGNodeType.h:
- * dfg/DFGPredictionPropagationPhase.cpp:
- * dfg/DFGSSALoweringPhase.cpp:
- (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
- * dfg/DFGSafeToExecute.h:
- (JSC::DFG::safeToExecute):
- * dfg/DFGSpeculativeJIT32_64.cpp:
- (JSC::DFG::SpeculativeJIT::compile):
- * dfg/DFGSpeculativeJIT64.cpp:
- (JSC::DFG::SpeculativeJIT::compile):
- * ftl/FTLAbstractHeapRepository.h:
- (JSC::FTL::AbstractHeapRepository::forIndexingType):
- (JSC::FTL::AbstractHeapRepository::forArrayType):
- * ftl/FTLCapabilities.cpp:
-
(JSC::FTL::canCompile):
- * ftl/FTLLowerDFGToB3.cpp:
- (JSC::FTL::DFG::LowerDFGToB3::compileNode):
- (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
- (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
- * jit/JITPropertyAccess.cpp:
- (JSC::JIT::emitArrayStoragePutByVal):
- * jit/JITPropertyAccess32_64.cpp:
- (JSC::JIT::emitArrayStorageLoad):
- (JSC::JIT::emitArrayStoragePutByVal):
-
-2017-05-21 Saam Barati
-
- We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
- https://bugs.webkit.org/show_bug.cgi?id=171041
-
-
- Reviewed by Yusuke Suzuki.
-
- We were treating a for-loop variable declaration potentially as a top
- level statement, e.g, in a program like this:
- ```
- function foo() {
- for (let variable of expr) { }
+
+ function test(arr) {
+ let object = inlinee.apply(undefined, arr); // Uses a lot of SetArgumentMaybe nodes.
+ reflect(); // Calls with a LoadVararg, which gets converted into a PutStack of a constant.
 }
- ```
- But we should not be. This had the consequence of making this type of program
- throw a syntax error:
- ```
- function foo(arg) {
- for (let arg of expr) { }
- }
- ```
- even though it should not. The fix is simple, we just need to increment the
- statement depth before parsing anything inside the for loop.
+
+ In this test case, we have a scenario where a SetArgumentMaybe's stack
+ slot is reused as the stack slot for a PutStack later. Here, the PutStack will
+ put a constant undefined value. Coincidentally, the SetArgumentMaybe may also
+ initialize that stack slot to a constant undefined value. Note that by the time
+ the PutStack executes, the SetArgumentMaybe's stack slot is dead. The liveness of
+ these 2 values are distinct.
+ + However, because we were missing a KillStack before the PutStack, OSR availability + analysis gets misled into thinking that the PutStack constant value is still in the + stack slot because the value left there by the SetArgumentMaybe hasn't been killed + off yet. As a result, OSR exit code will attempt to recover the PutStack's undefined + constant by loading from the stack slot instead of materializing it. Since + SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR + exit when we try to recover the PutStack constant value from the stack slot, and + end up using what ever junk value we read from there. + + Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack + removes this conflation of the PutStack's constant value with the SetArgumentMaybe's + constant value in the same stack slot. And, OSR availability analysis will no + longer be misled to load the PutStack's constant value from the stack, but will + materialize the constant instead. + + * dfg/DFGArgumentsEliminationPhase.cpp: + + + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247532 268f45cc-cd09-0410-ab3c-d52691b4dbfc - * parser/Parser.cpp: - (JSC::Parser::parseForStatement): + 2019-07-17 Mark Lam -2017-05-19 Yusuke Suzuki + ArgumentsEliminationPhase should insert KillStack nodes before PutStack nodes that it adds. + https://bugs.webkit.org/show_bug.cgi?id=199821 + - [JSC] Make get_by_val & string "499" to number 499 - https://bugs.webkit.org/show_bug.cgi?id=172225 + Reviewed by Filip Pizlo. - Reviewed by Saam Barati. + Excluding the ArgumentsEliminationPhase, PutStack nodes are converted from SetLocal + nodes in the SSAConversionPhase. SetLocal nodes are always preceded by MovHint nodes, + and the SSAConversionPhase always inserts a KillStack node before a MovHint node. + Hence, a PutStack node is always preceded by a KillStack node. - Property subscript will be converted by ToString. 
So JS code is not aware of - the original type of the subscript value. But our get_by_val can leverage - information if the given subscript is number. Thus, passing number instead of - string can improve the performance of get_by_val in all the tiers. + However, the ArgumentsEliminationPhase can convert LoadVarargs nodes into a series + of one or more PutStacks nodes, and it prepends MovHint nodes before the PutStack + nodes. However, it neglects to prepend KillStack nodes as well. Since the + ArgumentsEliminationPhase runs after the SSAConversionPhase, the PutStack nodes + added during ArgumentsElimination will not be preceded by KillStack nodes. - In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to - convert the given value to Int32 index constant if the given value is a string - that can be converted to Int32. + This patch fixes this by inserting a KillStack in the ArgumentsEliminationPhase + before it inserts a MovHint and a PutStack node. - This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can - appear in some code like accessing the result of JSON. + Consider this test case which can manifest the above issue as a crash: - map-string.es5 1640.6738+-110.9182 ^ 167.4121+-23.8328 ^ definitely 9.8002x faster + function inlinee(value) { + ... 
+ let tmp = value + 1; + } - * bytecompiler/BytecodeGenerator.h: - (JSC::BytecodeGenerator::emitNodeForProperty): - (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty): - * bytecompiler/NodesCodegen.cpp: - (JSC::TaggedTemplateNode::emitBytecode): - (JSC::BracketAccessorNode::emitBytecode): - (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect): - (JSC::FunctionCallBracketNode::emitBytecode): - (JSC::PostfixNode::emitBracket): - (JSC::PrefixNode::emitBracket): - (JSC::AssignBracketNode::emitBytecode): - (JSC::ReadModifyBracketNode::emitBytecode): - (JSC::ForInNode::emitLoopHeader): - (JSC::ForOfNode::emitBytecode): - (JSC::ObjectPatternNode::bindValue): - (JSC::AssignmentElementNode::bindValue): + function reflect() { + return inlinee.apply(undefined, arguments); + } -2017-05-21 Saam Barati + function test(arr) { + let object = inlinee.apply(undefined, arr); // Uses a lot of SetArgumentMaybe nodes. + reflect(); // Calls with a LoadVararg, which gets converted into a PutStack of a constant. + } - We overwrite the callee save space on the stack when throwing stack overflow from wasm - https://bugs.webkit.org/show_bug.cgi?id=172316 + In this test case, we have a scenario where a SetArgumentMaybe's stack + slot is reused as the stack slot for a PutStack later. Here, the PutStack will + put a constant undefined value. Coincidentally, the SetArgumentMaybe may also + initialize that stack slot to a constant undefined value. Note that by the time + the PutStack executes, the SetArgumentMaybe's stack slot is dead. The liveness of + these 2 values are distinct. - Reviewed by Mark Lam. + However, because we were missing a KillStack before the PutStack, OSR availability + analysis gets misled into thinking that the PutStack constant value is still in the + stack slot because the value left there by the SetArgumentMaybe hasn't been killed + off yet. 
As a result, OSR exit code will attempt to recover the PutStack's undefined + constant by loading from the stack slot instead of materializing it. Since + SetArgumentMaybe may not actually initialize the stack slot, we get a crash in OSR + exit when we try to recover the PutStack constant value from the stack slot, and + end up using what ever junk value we read from there. - When throwing a stack overflow exception, the overflow - thunk would do the following: - move fp, sp - populate argument registers - call C code - - However, the C function is allowed to clobber our spilled - callee saves that live below fp. The reason I did this move is that - when we jump to this code, we've proven that sp is out of bounds on - the stack. So we're not allowed to just use its value or keep growing - the stack from that point. However, this patch revises this approach - to be the same in spirit, but actually correct. We conservatively assume - the B3 function we're coming from could have saved all callee saves. - So we emit code like this now: - add -maxNumCalleeSaveSpace, fp, sp - populate argument registers - call C code - - This ensures our callee saves will not be overwritten. Note - that fp is still in a valid stack range here, since the thing - calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace - is less than our redzone size, so it's safe to decrement sp by - this amount. - - The previously added wasm stack overflow test is an instance crash - without this change on arm64. It also appears that this test crashed - on some other x86 devices. + Fixing the ArgumentsEliminationPhase to insert KillStack before the PutStack + removes this conflation of the PutStack's constant value with the SetArgumentMaybe's + constant value in the same stack slot. And, OSR availability analysis will no + longer be misled to load the PutStack's constant value from the stack, but will + materialize the constant instead. 
- * wasm/WasmThunks.cpp: - (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): + * dfg/DFGArgumentsEliminationPhase.cpp: -2017-05-20 Chris Dumez +2019-07-17 Kocsen Chung - Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport - https://bugs.webkit.org/show_bug.cgi?id=172418 + Cherry-pick r247474. rdar://problem/53229615 - Reviewed by Youenn Fablet. + JSGlobalObject type macros should support feature flags and WeakRef should have one + https://bugs.webkit.org/show_bug.cgi?id=199601 + + Reviewed by Mark Lam. + + Source/JavaScriptCore: + + This patch refactors the various builtin type macros to have a + parameter, which is the feature flag enabling it. Since most + builtin types are enabled by default this patch adds a new global + bool typeExposedByDefault for clarity. Note, because static hash + tables have no concept of feature flags we can't use feature flags + with lazy properties. This is probably not a big deal as features + that are off by default won't be allocated anywhere we care about + memory usage anyway. + + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::stringObjectStructure const): + (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted. + * runtime/Options.h: + * wasm/js/JSWebAssembly.cpp: + + Tools: + + JSC options need to be set before the window is created for the test. + + * DumpRenderTree/mac/DumpRenderTree.mm: + (resetWebViewToConsistentStateBeforeTesting): + * DumpRenderTree/win/DumpRenderTree.cpp: + (setJSCOptions): + (resetWebViewToConsistentStateBeforeTesting): + + LayoutTests: + + Add JSC option requirements for WeakRef tests. 
+ + * js/script-tests/weakref-async-is-collected.js: + * js/script-tests/weakref-eventually-collects-values.js: + * js/script-tests/weakref-microtasks-dont-collect.js: + * js/script-tests/weakref-weakset-consistency.js: + * js/weakref-async-is-collected.html: + * js/weakref-eventually-collects-values.html: + * js/weakref-microtasks-dont-collect.html: + * js/weakref-weakset-consistency.html: + + git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247474 268f45cc-cd09-0410-ab3c-d52691b4dbfc - Add CommonIdentifiers that are now needed. + 2019-07-15 Keith Miller - * runtime/CommonIdentifiers.h: + JSGlobalObject type macros should support feature flags and WeakRef should have one + https://bugs.webkit.org/show_bug.cgi?id=199601 -2017-05-20 Yusuke Suzuki + Reviewed by Mark Lam. - Unreviewed, add scope.release() to propertyIsEnumerable functions. - https://bugs.webkit.org/show_bug.cgi?id=172411 + This patch refactors the various builtin type macros to have a + parameter, which is the feature flag enabling it. Since most + builtin types are enabled by default this patch adds a new global + bool typeExposedByDefault for clarity. Note, because static hash + tables have no concept of feature flags we can't use feature flags + with lazy properties. This is probably not a big deal as features + that are off by default won't be allocated anywhere we care about + memory usage anyway. - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncPropertyIsEnumerable): - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncPropertyIsEnumerable): + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::stringObjectStructure const): + (JSC::JSGlobalObject::bigIntObjectStructure const): Deleted. 
+ * runtime/Options.h: + * wasm/js/JSWebAssembly.cpp: -2017-05-20 Yusuke Suzuki +2019-07-15 Ryan Haddad - [JSC] Drop MapBase - https://bugs.webkit.org/show_bug.cgi?id=172417 + Unreviewed, attempt to fix production builds after r247403. - Reviewed by Sam Weinig. - - MapBase is a purely additional indirection. JSMap and JSSet can directly inherit HashMapImpl. - Thus MapBase is unnecessary. This patch drops it. - It is good because we can eliminate one indirection when accessing to map implementation. - Moreover, we can drop one unnecessary allocation per Map and Set. - - * CMakeLists.txt: * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLAbstractHeapRepository.h: - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): - * runtime/HashMapImpl.cpp: - (JSC::HashMapImpl::estimatedSize): - (JSC::getHashMapImplKeyClassInfo): Deleted. - (JSC::getHashMapImplKeyValueClassInfo): Deleted. - * runtime/HashMapImpl.h: - (JSC::HashMapImpl::finishCreation): - (JSC::HashMapImpl::get): - (JSC::HashMapImpl::info): Deleted. - (JSC::HashMapImpl::createStructure): Deleted. - (JSC::HashMapImpl::create): Deleted. - * runtime/JSMap.h: - (JSC::JSMap::set): - (JSC::JSMap::get): Deleted. - * runtime/JSMapIterator.cpp: - (JSC::JSMapIterator::finishCreation): - * runtime/JSSet.h: - (JSC::JSSet::add): Deleted. - * runtime/JSSetIterator.cpp: - (JSC::JSSetIterator::finishCreation): - * runtime/MapBase.cpp: Removed. - * runtime/MapBase.h: Removed. - * runtime/MapPrototype.cpp: - (JSC::mapProtoFuncSize): - * runtime/SetConstructor.cpp: - (JSC::constructSet): - * runtime/SetPrototype.cpp: - (JSC::setProtoFuncSize): - * runtime/VM.cpp: - (JSC::VM::VM): -2017-05-20 Yusuke Suzuki +2019-07-15 Tadeu Zagallo - [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable - https://bugs.webkit.org/show_bug.cgi?id=172411 - - Reviewed by Sam Weinig. 
- - We use @Reflect.@getOwnPropertyDescriptor() to check - - 1. the descriptor exists, - 2. and the descriptor.enumrable is true - - But Object::propertyIsEnumerable does the completely same thing without - allocating a new object for property descriptor. - - In this patch, we add a new private function @propertyIsEnumerable, and - use it in Object.assign implementation. It does not allocate unnecessary - objects. It is good for GC-pressure and performance. - - This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch - does not introduce a fast path for objects that do not have accessors, - and it could speed up things further, this patch can speed up the common - slow path cases that is the current implementation of Object.assign. - - object-assign.es6 1103.2487+-21.5602 ^ 621.8478+-34.9875 ^ definitely 1.7741x faster - - * builtins/BuiltinNames.h: - * builtins/ObjectConstructor.js: - (globalPrivate.enumerableOwnProperties): - (assign): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncPropertyIsEnumerable): - * runtime/JSGlobalObjectFunctions.h: - -2017-05-19 Yusuke Suzuki - - [JSC] Enable testapi on Mac CMake build - https://bugs.webkit.org/show_bug.cgi?id=172354 - - Reviewed by Alex Christensen. - - This patch makes testapi buildable and runnable for Mac CMake port. - - * API/tests/DateTests.mm: - (+[DateTests JSDateToNSDateTest]): - (+[DateTests roundTripThroughJSDateTest]): - This test only works with the en_US locale. - - * shell/CMakeLists.txt: - * shell/PlatformMac.cmake: - Some of tests rely on ARC. We enable ARC for those files. - - * shell/PlatformWin.cmake: - Clean up. - -2017-05-19 Mark Lam - - [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers. - https://bugs.webkit.org/show_bug.cgi?id=172383 - - - Reviewed by Filip Pizlo. 
- - pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always - available as a scratch register. This assumption is wrong if this canTrample - register is used for a silentFill() after an operation that returns a result in - regT0 or regT1. - - Turns out the only reason we need the canTrample register is for - SetDoubleConstant. We can remove the need for this canTrample register by - introducing a moveDouble() pseudo instruction in the MacroAssembler to do the - job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on - ARM64. In so doing, we can simplify the silentFill() code and eliminate the bug. - - Update for re-landing: Changed ARM64 to use scratchRegister() as well. - scratchRegister() is the proper way to get the underlying dataMemoryTempRegister() - as a scratch register. - - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::moveDouble): - * dfg/DFGArrayifySlowPathGenerator.h: - * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: - (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator): - * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: - * dfg/DFGSaneStringGetByValSlowPathGenerator.h: - * dfg/DFGSlowPathGenerator.h: - (JSC::DFG::CallSlowPathGenerator::tearDown): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::silentFill): - (JSC::DFG::SpeculativeJIT::compileToLowerCase): - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): - (JSC::DFG::SpeculativeJIT::emitUntypedBitOp): - (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp): - (JSC::DFG::SpeculativeJIT::compileArithDiv): - (JSC::DFG::SpeculativeJIT::compileArraySlice): - (JSC::DFG::SpeculativeJIT::emitSwitchImm): - (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): - (JSC::DFG::SpeculativeJIT::compileStoreBarrier): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::silentFill): - 
(JSC::DFG::SpeculativeJIT::silentSpillAllRegisters): - (JSC::DFG::SpeculativeJIT::silentFillAllRegisters): - (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted. - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::emitCall): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::emitCall): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::convertAnyInt): - -2017-05-19 Ryan Haddad - - Unreviewed, rolling out r217156. - - This change broke the iOS build. - - Reverted changeset: - - "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring - result registers." - https://bugs.webkit.org/show_bug.cgi?id=172383 - http://trac.webkit.org/changeset/217156 - -2017-05-19 Mark Lam - - Add missing exception check. - https://bugs.webkit.org/show_bug.cgi?id=172346 - - - Reviewed by Geoffrey Garen. - - * runtime/JSObject.cpp: - (JSC::JSObject::hasInstance): - -2017-05-19 Mark Lam - - DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers. - https://bugs.webkit.org/show_bug.cgi?id=172383 - - - Reviewed by Filip Pizlo. - - pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always - available as a scratch register. This assumption is wrong if this canTrample - register is used for a silentFill() after an operation that returns a result in - regT0 or regT1. - - Turns out the only reason we need the canTrample register is for - SetDoubleConstant. 
We can remove the need for this canTrample register by - introducing a moveDouble() pseudo instruction in the MacroAssembler to do the - job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on - ARM64. In so doing, we can simplify the silentFill() code and eliminate the bug. - - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::moveDouble): - * dfg/DFGArrayifySlowPathGenerator.h: - * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: - (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator): - * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: - * dfg/DFGSaneStringGetByValSlowPathGenerator.h: - * dfg/DFGSlowPathGenerator.h: - (JSC::DFG::CallSlowPathGenerator::tearDown): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::silentFill): - (JSC::DFG::SpeculativeJIT::compileToLowerCase): - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): - (JSC::DFG::SpeculativeJIT::emitUntypedBitOp): - (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp): - (JSC::DFG::SpeculativeJIT::compileArithDiv): - (JSC::DFG::SpeculativeJIT::compileArraySlice): - (JSC::DFG::SpeculativeJIT::emitSwitchImm): - (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): - (JSC::DFG::SpeculativeJIT::compileStoreBarrier): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::silentFill): - (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters): - (JSC::DFG::SpeculativeJIT::silentFillAllRegisters): - (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted. 
- * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::emitCall): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): - (JSC::DFG::SpeculativeJIT::emitCall): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::convertAnyInt): - -2017-05-19 Filip Pizlo - - Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy - https://bugs.webkit.org/show_bug.cgi?id=172382 - - Reviewed by Saam Barati. - - This is just a small clean-up - my last patch here created some unnecessary code duplication. - - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoPrivateFuncConcatMemcpy): - -2017-05-19 Filip Pizlo - - arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided - https://bugs.webkit.org/show_bug.cgi?id=172369 - - Reviewed by Mark Lam. - - * heap/Subspace.cpp: Reshaped the code a bit to aid debugging. - (JSC::Subspace::allocate): - (JSC::Subspace::tryAllocate): - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug! - * runtime/ObjectInitializationScope.cpp: Provide even better feedback. - (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized): - -2017-05-18 Filip Pizlo - - B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored - https://bugs.webkit.org/show_bug.cgi?id=172306 - - Reviewed by Michael Saboff. - - This changes B3 to emit xchg and its variants for fenced stores on x86. 
This ensures that - fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted - normal store instructions for fenced stores. That's wrong because then you get reorderings - that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC - with respect for each other. - - This is imprecise. If you really just wanted a store-release, then every X86 store does this. - But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with - respect to all other fences. If we ever did want to say that something is a store release in - the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence - range without the fence flag would mean the traditional store-release, which lowers to a - normal store on x86. But to my knowledge, that traditional store-release is only useful for - unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock, - and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients - an ARM-style store-release on x86 using xchg. - - The implication of this change is that the FTL no longer violates the SAB memory model. - - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::xchg8): - (JSC::MacroAssemblerX86Common::xchg16): - (JSC::MacroAssemblerX86Common::xchg32): - (JSC::MacroAssemblerX86Common::loadAcq8): Deleted. - (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted. - (JSC::MacroAssemblerX86Common::loadAcq16): Deleted. - (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted. - (JSC::MacroAssemblerX86Common::loadAcq32): Deleted. - (JSC::MacroAssemblerX86Common::storeRel8): Deleted. - (JSC::MacroAssemblerX86Common::storeRel16): Deleted. - (JSC::MacroAssemblerX86Common::storeRel32): Deleted. - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::xchg64): - (JSC::MacroAssemblerX86_64::loadAcq64): Deleted. 
- (JSC::MacroAssemblerX86_64::storeRel64): Deleted. - * b3/B3LowerToAir.cpp: - (JSC::B3::Air::LowerToAir::ArgPromise::inst): - (JSC::B3::Air::LowerToAir::trappingInst): - (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): - (JSC::B3::Air::LowerToAir::createStore): - (JSC::B3::Air::LowerToAir::storeOpcode): - (JSC::B3::Air::LowerToAir::appendStore): - (JSC::B3::Air::LowerToAir::append): - (JSC::B3::Air::LowerToAir::appendTrapping): - (JSC::B3::Air::LowerToAir::fillStackmap): - (JSC::B3::Air::LowerToAir::lower): - * b3/air/AirKind.cpp: - (JSC::B3::Air::Kind::dump): - * b3/air/AirKind.h: - (JSC::B3::Air::Kind::Kind): - (JSC::B3::Air::Kind::operator==): - (JSC::B3::Air::Kind::hash): - * b3/air/AirLowerAfterRegAlloc.cpp: - (JSC::B3::Air::lowerAfterRegAlloc): - * b3/air/AirLowerMacros.cpp: - (JSC::B3::Air::lowerMacros): - * b3/air/AirOpcode.opcodes: - * b3/air/AirValidate.cpp: - * b3/air/opcode_generator.rb: - * b3/testb3.cpp: - (JSC::B3::correctSqrt): - (JSC::B3::testSqrtArg): - (JSC::B3::testSqrtImm): - (JSC::B3::testSqrtMem): - (JSC::B3::testSqrtArgWithUselessDoubleConversion): - (JSC::B3::testSqrtArgWithEffectfulDoubleConversion): - (JSC::B3::testStoreRelAddLoadAcq32): - (JSC::B3::testTrappingLoad): - (JSC::B3::testTrappingStore): - (JSC::B3::testTrappingLoadAddStore): - (JSC::B3::testTrappingLoadDCE): - -2017-05-19 Don Olmstead - - [JSC] Remove PLATFORM(WIN) references - https://bugs.webkit.org/show_bug.cgi?id=172294 - - Reviewed by Yusuke Suzuki. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::removeThread): - * llint/LLIntOfflineAsmConfig.h: - * runtime/ConfigFile.h: - * runtime/VM.cpp: - (JSC::VM::updateStackLimits): - -2017-05-19 Yusuke Suzuki - - [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass - https://bugs.webkit.org/show_bug.cgi?id=172098 + Concurrent GC should not rely on current phase to determine if it's safe to steal conn + https://bugs.webkit.org/show_bug.cgi?id=199786 + Reviewed by Saam Barati. 
- In this patch, we generalize CheckDOM to CheckSubClass. - It can accept any ClassInfo and perform ClassInfo check - in DFG / FTL. Now, we add a new function pointer to ClassInfo, - checkSubClassPatchpoint. It can create DOMJIT patchpoint - for that ClassInfo. It it natural that ClassInfo holds the - way to emit DOMJIT::Patchpoint to perform CheckSubClass - rather than having it in each DOMJIT getter / function - signature annotation. - - One problem is that it enlarges the size of ClassInfo. - But this is the best place to put this function pointer. - By doing so, we can add a patchpoint for CheckSubClass - in an non-intrusive manner: WebCore can inject patchpoints - without interactive JSC. - - We still have a way to reduce the size of ClassInfo if - we move ArrayBuffer related methods out to the other places. - - This patch touches many files because we add a new function - pointer to ClassInfo. But they are basically mechanical change. - - * API/JSAPIWrapperObject.mm: - * API/JSCallbackConstructor.cpp: - * API/JSCallbackFunction.cpp: - * API/JSCallbackObject.cpp: - * API/ObjCCallbackFunction.mm: - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/CodeBlock.cpp: - * bytecode/DOMJITAccessCasePatchpointParams.h: - (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams): - * bytecode/EvalCodeBlock.cpp: - * bytecode/FunctionCodeBlock.cpp: - * bytecode/GetterSetterAccessCase.cpp: - (JSC::GetterSetterAccessCase::emitDOMJITGetter): - * bytecode/ModuleProgramCodeBlock.cpp: - * bytecode/ProgramCodeBlock.cpp: - * bytecode/UnlinkedCodeBlock.cpp: - * bytecode/UnlinkedEvalCodeBlock.cpp: - * bytecode/UnlinkedFunctionCodeBlock.cpp: - * bytecode/UnlinkedFunctionExecutable.cpp: - * bytecode/UnlinkedModuleProgramCodeBlock.cpp: - * bytecode/UnlinkedProgramCodeBlock.cpp: - * debugger/DebuggerScope.cpp: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - 
(JSC::DFG::ByteCodeParser::handleDOMJITGetter): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - * dfg/DFGDOMJITPatchpointParams.h: - (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams): - * dfg/DFGDoesGC.cpp: - (JSC::DFG::doesGC): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::attemptToMakeCallDOM): - (JSC::DFG::FixupPhase::fixupCheckSubClass): - (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted. - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dump): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasClassInfo): - (JSC::DFG::Node::classInfo): - (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted. - (JSC::DFG::Node::checkDOMPatchpoint): Deleted. - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileCheckSubClass): - (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted. - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::vm): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * domjit/DOMJITGetterSetter.h: - * domjit/DOMJITPatchpointParams.h: - (JSC::DOMJIT::PatchpointParams::PatchpointParams): - (JSC::DOMJIT::PatchpointParams::vm): - * domjit/DOMJITSignature.h: - (JSC::DOMJIT::Signature::Signature): - (JSC::DOMJIT::Signature::checkDOM): Deleted. - * ftl/FTLAbstractHeapRepository.h: - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLDOMJITPatchpointParams.h: - (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): - (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted. 
- * inspector/JSInjectedScriptHost.cpp: - * inspector/JSInjectedScriptHostPrototype.cpp: - * inspector/JSJavaScriptCallFrame.cpp: - * inspector/JSJavaScriptCallFramePrototype.cpp: - * jsc.cpp: - (WTF::DOMJITNode::checkSubClassPatchpoint): - (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): - (WTF::DOMJITFunctionObject::finishCreation): - (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): - (WTF::DOMJITCheckSubClassObject::createStructure): - (WTF::DOMJITCheckSubClassObject::create): - (WTF::DOMJITCheckSubClassObject::safeFunction): - (WTF::DOMJITCheckSubClassObject::unsafeFunction): - (WTF::DOMJITCheckSubClassObject::finishCreation): - (GlobalObject::finishCreation): - (functionCreateDOMJITCheckSubClassObject): - (WTF::DOMJITNode::checkDOMJITNode): Deleted. - (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted. - * runtime/AbstractModuleRecord.cpp: - * runtime/ArrayBufferNeuteringWatchpoint.cpp: - * runtime/ArrayConstructor.cpp: - * runtime/ArrayIteratorPrototype.cpp: - * runtime/ArrayPrototype.cpp: - * runtime/AsyncFunctionConstructor.cpp: - * runtime/AsyncFunctionPrototype.cpp: - * runtime/AtomicsObject.cpp: - * runtime/BooleanConstructor.cpp: - * runtime/BooleanObject.cpp: - * runtime/BooleanPrototype.cpp: - * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp. 
- (JSC::ClassInfo::dump): - * runtime/ClassInfo.h: - (JSC::ClassInfo::offsetOfParentClass): - * runtime/ClonedArguments.cpp: - * runtime/ConsoleObject.cpp: - * runtime/CustomGetterSetter.cpp: - * runtime/DateConstructor.cpp: - * runtime/DateInstance.cpp: - * runtime/DatePrototype.cpp: - * runtime/DirectArguments.cpp: - * runtime/Error.cpp: - * runtime/ErrorConstructor.cpp: - * runtime/ErrorInstance.cpp: - * runtime/ErrorPrototype.cpp: - * runtime/EvalExecutable.cpp: - * runtime/Exception.cpp: - * runtime/ExceptionHelpers.cpp: - * runtime/ExecutableBase.cpp: - * runtime/FunctionConstructor.cpp: - * runtime/FunctionExecutable.cpp: - * runtime/FunctionPrototype.cpp: - * runtime/FunctionRareData.cpp: - * runtime/GeneratorFunctionConstructor.cpp: - * runtime/GeneratorFunctionPrototype.cpp: - * runtime/GeneratorPrototype.cpp: - * runtime/GetterSetter.cpp: - * runtime/HashMapImpl.cpp: - * runtime/HashMapImpl.h: - * runtime/InferredType.cpp: - (JSC::InferredType::create): - * runtime/InferredTypeTable.cpp: - * runtime/InferredValue.cpp: - * runtime/InspectorInstrumentationObject.cpp: - * runtime/InternalFunction.cpp: - * runtime/IntlCollator.cpp: - * runtime/IntlCollatorConstructor.cpp: - * runtime/IntlCollatorPrototype.cpp: - * runtime/IntlDateTimeFormat.cpp: - * runtime/IntlDateTimeFormatConstructor.cpp: - * runtime/IntlDateTimeFormatPrototype.cpp: - * runtime/IntlNumberFormat.cpp: - * runtime/IntlNumberFormatConstructor.cpp: - * runtime/IntlNumberFormatPrototype.cpp: - * runtime/IntlObject.cpp: - * runtime/IteratorPrototype.cpp: - * runtime/JSAPIValueWrapper.cpp: - * runtime/JSArray.cpp: - * runtime/JSArrayBuffer.cpp: - * runtime/JSArrayBufferConstructor.cpp: - * runtime/JSArrayBufferPrototype.cpp: - * runtime/JSArrayBufferView.cpp: - * runtime/JSAsyncFunction.cpp: - * runtime/JSBoundFunction.cpp: - * runtime/JSCallee.cpp: - * runtime/JSCustomGetterSetterFunction.cpp: - * runtime/JSDataView.cpp: - * runtime/JSDataViewPrototype.cpp: - * runtime/JSEnvironmentRecord.cpp: - 
* runtime/JSFixedArray.cpp: - * runtime/JSFunction.cpp: - * runtime/JSGeneratorFunction.cpp: - * runtime/JSGlobalLexicalEnvironment.cpp: - * runtime/JSGlobalObject.cpp: - * runtime/JSInternalPromise.cpp: - * runtime/JSInternalPromiseConstructor.cpp: - * runtime/JSInternalPromiseDeferred.cpp: - * runtime/JSInternalPromisePrototype.cpp: - * runtime/JSLexicalEnvironment.cpp: - * runtime/JSMap.cpp: - * runtime/JSMapIterator.cpp: - * runtime/JSModuleEnvironment.cpp: - * runtime/JSModuleLoader.cpp: - * runtime/JSModuleNamespaceObject.cpp: - * runtime/JSModuleRecord.cpp: - * runtime/JSNativeStdFunction.cpp: - * runtime/JSONObject.cpp: - * runtime/JSObject.cpp: - * runtime/JSPromise.cpp: - * runtime/JSPromiseConstructor.cpp: - * runtime/JSPromiseDeferred.cpp: - * runtime/JSPromisePrototype.cpp: - * runtime/JSPropertyNameEnumerator.cpp: - * runtime/JSPropertyNameIterator.cpp: - * runtime/JSProxy.cpp: - * runtime/JSScriptFetcher.cpp: - * runtime/JSSet.cpp: - * runtime/JSSetIterator.cpp: - * runtime/JSSourceCode.cpp: - * runtime/JSString.cpp: - * runtime/JSStringIterator.cpp: - * runtime/JSSymbolTableObject.cpp: - * runtime/JSTemplateRegistryKey.cpp: - * runtime/JSTypedArrayConstructors.cpp: - * runtime/JSTypedArrayPrototypes.cpp: - * runtime/JSTypedArrayViewConstructor.cpp: - * runtime/JSTypedArrays.cpp: - * runtime/JSWeakMap.cpp: - * runtime/JSWeakSet.cpp: - * runtime/JSWithScope.cpp: - * runtime/MapConstructor.cpp: - * runtime/MapIteratorPrototype.cpp: - * runtime/MapPrototype.cpp: - * runtime/MathObject.cpp: - * runtime/ModuleLoaderPrototype.cpp: - * runtime/ModuleProgramExecutable.cpp: - * runtime/NativeErrorConstructor.cpp: - * runtime/NativeExecutable.cpp: - * runtime/NativeStdFunctionCell.cpp: - * runtime/NullGetterFunction.cpp: - * runtime/NullSetterFunction.cpp: - * runtime/NumberConstructor.cpp: - * runtime/NumberObject.cpp: - * runtime/NumberPrototype.cpp: - * runtime/ObjectConstructor.cpp: - * runtime/ObjectPrototype.cpp: - * runtime/ProgramExecutable.cpp: - * 
runtime/PropertyTable.cpp: - * runtime/ProxyConstructor.cpp: - * runtime/ProxyObject.cpp: - * runtime/ProxyRevoke.cpp: - * runtime/ReflectObject.cpp: - * runtime/RegExp.cpp: - * runtime/RegExpConstructor.cpp: - * runtime/RegExpObject.cpp: - * runtime/RegExpPrototype.cpp: - * runtime/ScopedArguments.cpp: - * runtime/ScopedArgumentsTable.cpp: - * runtime/ScriptExecutable.cpp: - * runtime/SetConstructor.cpp: - * runtime/SetIteratorPrototype.cpp: - * runtime/SetPrototype.cpp: - * runtime/SparseArrayValueMap.cpp: - * runtime/StrictEvalActivation.cpp: - * runtime/StringConstructor.cpp: - * runtime/StringIteratorPrototype.cpp: - * runtime/StringObject.cpp: - * runtime/StringPrototype.cpp: - * runtime/Structure.cpp: - * runtime/StructureChain.cpp: - * runtime/StructureRareData.cpp: - * runtime/Symbol.cpp: - * runtime/SymbolConstructor.cpp: - * runtime/SymbolObject.cpp: - * runtime/SymbolPrototype.cpp: - * runtime/SymbolTable.cpp: - * runtime/WeakMapConstructor.cpp: - * runtime/WeakMapData.cpp: - * runtime/WeakMapPrototype.cpp: - * runtime/WeakSetConstructor.cpp: - * runtime/WeakSetPrototype.cpp: - * testRegExp.cpp: - * tools/JSDollarVM.cpp: - * tools/JSDollarVMPrototype.cpp: - * wasm/JSWebAssembly.cpp: - * wasm/js/JSWebAssemblyCodeBlock.cpp: - * wasm/js/JSWebAssemblyCompileError.cpp: - * wasm/js/JSWebAssemblyInstance.cpp: - * wasm/js/JSWebAssemblyLinkError.cpp: - * wasm/js/JSWebAssemblyMemory.cpp: - * wasm/js/JSWebAssemblyModule.cpp: - * wasm/js/JSWebAssemblyRuntimeError.cpp: - * wasm/js/JSWebAssemblyTable.cpp: - * wasm/js/WebAssemblyCompileErrorConstructor.cpp: - * wasm/js/WebAssemblyCompileErrorPrototype.cpp: - * wasm/js/WebAssemblyFunction.cpp: - * wasm/js/WebAssemblyFunctionBase.cpp: - * wasm/js/WebAssemblyInstanceConstructor.cpp: - * wasm/js/WebAssemblyInstancePrototype.cpp: - * wasm/js/WebAssemblyLinkErrorConstructor.cpp: - * wasm/js/WebAssemblyLinkErrorPrototype.cpp: - * wasm/js/WebAssemblyMemoryConstructor.cpp: - * wasm/js/WebAssemblyMemoryPrototype.cpp: - * 
wasm/js/WebAssemblyModuleConstructor.cpp: - * wasm/js/WebAssemblyModulePrototype.cpp: - * wasm/js/WebAssemblyModuleRecord.cpp: - * wasm/js/WebAssemblyPrototype.cpp: - * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: - * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: - * wasm/js/WebAssemblyTableConstructor.cpp: - * wasm/js/WebAssemblyTablePrototype.cpp: - * wasm/js/WebAssemblyToJSCallee.cpp: - * wasm/js/WebAssemblyWrapperFunction.cpp: - -2017-05-18 JF Bastien - - WebAssembly: exports is a getter - https://bugs.webkit.org/show_bug.cgi?id=172129 - - Reviewed by Saam Barati. - - As updated here: https://github.com/WebAssembly/design/pull/1062 - - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor - * wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning - * wasm/js/WebAssemblyInstancePrototype.cpp: use LUT - (JSC::getInstance): helper, as in surrounding files - (JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect - * wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table - (JSC::getMemory): - (JSC::webAssemblyMemoryProtoFuncGrow): - (JSC::webAssemblyMemoryProtoFuncBuffer): - * wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code - (JSC::webAssemblyTableProtoFuncLength): - (JSC::webAssemblyTableProtoFuncGrow): - (JSC::webAssemblyTableProtoFuncGet): - (JSC::webAssemblyTableProtoFuncSet): - -2017-05-18 Saam Barati - - Proxy's [[Get]] passes incorrect receiver - https://bugs.webkit.org/show_bug.cgi?id=164849 - - - Reviewed by Yusuke Suzuki. - - * runtime/ProxyObject.cpp: - (JSC::performProxyGet): - -2017-05-18 Andy Estes - - ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier - https://bugs.webkit.org/show_bug.cgi?id=172305 - - Reviewed by Anders Carlsson. 
- - * Configurations/FeatureDefines.xcconfig: - -2017-05-18 Saam Barati - - We need to destroy worker threads in jsc.cpp - https://bugs.webkit.org/show_bug.cgi?id=170751 - - - Reviewed by Filip Pizlo. - - This patch fixes a bug where a $ agent worker would still - have compilation threads running after the thread the worker - was created on dies. This manifested itself inside DFG AI where - we would notice a string constant is atomic, then the worker - thread would die, destroying its atomic string table, then - we'd notice the same string is no longer atomic, and we'd crash - because we'd fail to see the same speculated type for the same - JSValue. - - This patch makes it so that $ agent workers destroy their VM when - they're done executing. Before a VM gets destroyed, it ensures that - all its compilation threads finish. - - * jsc.cpp: - (functionDollarAgentStart): - (runJSC): - (jscmain): - -2017-05-18 Michael Saboff - - Add FTL whitelist debugging option - https://bugs.webkit.org/show_bug.cgi?id=172321 - - Reviewed by Saam Barati. - - * dfg/DFGTierUpCheckInjectionPhase.cpp: - (JSC::DFG::ensureGlobalFTLWhitelist): - (JSC::DFG::TierUpCheckInjectionPhase::run): - * runtime/Options.h: - * tools/FunctionWhitelist.cpp: - (JSC::FunctionWhitelist::contains): - -2017-05-18 Filip Pizlo - - Constructor calls set this too early - https://bugs.webkit.org/show_bug.cgi?id=172302 - - Reviewed by Saam Barati. - - We were setting this before evaluating the arguments, so this code: - - var x = 42; - new x(x = function() { }); - - Would crash because we would pass 42 as this, and create_this would treat it as a cell. - Dereferencing a non-cell is guaranteed to crash. 
- - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitConstruct): - * bytecompiler/BytecodeGenerator.h: - * bytecompiler/NodesCodegen.cpp: - (JSC::NewExprNode::emitBytecode): - (JSC::FunctionCallValueNode::emitBytecode): - -2017-05-18 Saam Barati - - WebAssembly: perform stack checks - https://bugs.webkit.org/show_bug.cgi?id=165546 - - - Reviewed by Filip Pizlo. - - This patch adds stack checks to wasm. It implements it by storing the stack - bounds on the Context. - - Stack checking works as normal, except we do a small optimization for terminal - nodes in the call tree (nodes that don't make any calls). These nodes will - only do a stack check if their frame size is beyond 1024 bytes. Otherwise, - it's assumed the parent that called them did their stack check for them. - This is because all things that make calls make sure to do an extra 1024 - bytes whenever doing a stack check. - - We also take into account stack size for potential JS calls when doing - stack checks since our JS stubs don't do this on their own. Each frame - will ensure it does a stack check large enough for any potential JS call - stubs it'll execute. - - Surprisingly, this patch is neutral on WasmBench and TitzerBench. - - * llint/LLIntData.cpp: - (JSC::LLInt::Data::performAssertions): - * llint/LowLevelInterpreter.asm: - * runtime/Error.cpp: - (JSC::createRangeError): - (JSC::addErrorInfoAndGetBytecodeOffset): - I fixed a bug here where we assumed that the first frame that has line - and column info would be in our stack trace. This is not correct - since we limit our stack trace size. If everything in our limited - size stack trace is Wasm, then we won't have any frames with line - and column info. 
- * runtime/Error.h: - * runtime/ExceptionHelpers.cpp: - (JSC::createStackOverflowError): - * runtime/ExceptionHelpers.h: - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::visitChildren): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure): - * runtime/JSType.h: - * runtime/Options.h: I've added a new option that controls - whether or not we use fast TLS for the wasm context. - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToWasm): - * wasm/WasmContext.cpp: - (JSC::Wasm::loadContext): - (JSC::Wasm::storeContext): - * wasm/WasmContext.h: - (JSC::Wasm::useFastTLSForContext): - * wasm/WasmExceptionType.h: - * wasm/WasmMemoryInformation.h: - (JSC::Wasm::PinnedRegisterInfo::toSave): - * wasm/WasmThunks.cpp: - (JSC::Wasm::throwExceptionFromWasmThunkGenerator): - (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): - (JSC::Wasm::Thunks::stub): - * wasm/WasmThunks.h: - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): - (JSC::JSWebAssemblyInstance::cachedStackLimit): - (JSC::JSWebAssemblyInstance::setCachedStackLimit): - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::finishCreation): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - * wasm/js/WebAssemblyToJSCallee.cpp: Make this a descendent of object. - This is needed for correctness because we may call into JS, - and then the first JS frame could stack overflow. When it stack - overflows, it rolls back one frame to the wasm->js call stub with - the wasm->js callee. It gets the lexical global object from this - frame, meaning it gets the global object from the callee. Therefore, - we must make it an object since all objects have global objects. 
- (JSC::WebAssemblyToJSCallee::create): - * wasm/js/WebAssemblyToJSCallee.h: - -2017-05-18 Keith Miller - - WebAssembly API: test with neutered inputs - https://bugs.webkit.org/show_bug.cgi?id=163899 - - Reviewed by JF Bastien. - - Add tests to check that we properly throw a type error when - we get a transferred ArrayBuffer. Also, we should make sure - we cannot post message a wasm memory's ArrayBuffer. - - * API/JSTypedArray.cpp: - (JSObjectGetArrayBufferBytesPtr): - * runtime/ArrayBuffer.cpp: - (JSC::ArrayBuffer::makeShared): - (JSC::ArrayBuffer::makeWasmMemory): - (JSC::ArrayBuffer::transferTo): - (JSC::ArrayBuffer::neuter): - (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer): - (JSC::errorMesasgeForTransfer): - * runtime/ArrayBuffer.h: - (JSC::ArrayBuffer::isLocked): - (JSC::ArrayBuffer::isWasmMemory): - * wasm/js/JSWebAssemblyMemory.cpp: - (JSC::JSWebAssemblyMemory::buffer): - (JSC::JSWebAssemblyMemory::grow): - -2017-05-18 Joseph Pecoraro - - Remote Inspector: Be stricter about checking message types - https://bugs.webkit.org/show_bug.cgi?id=172259 - - - Reviewed by Brian Burg. - - * inspector/remote/cocoa/RemoteInspectorCocoa.mm: - (Inspector::RemoteInspector::receivedSetupMessage): - (Inspector::RemoteInspector::receivedDataMessage): - (Inspector::RemoteInspector::receivedDidCloseMessage): - (Inspector::RemoteInspector::receivedIndicateMessage): - (Inspector::RemoteInspector::receivedConnectionDiedMessage): - (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): - (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): - (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): - * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: - (Inspector::RemoteInspectorXPCConnection::deserializeMessage): - (Inspector::RemoteInspectorXPCConnection::handleEvent): - (Inspector::RemoteInspectorXPCConnection::sendMessage): - Bail if we don't receive the expected types for message data. 
- -2017-05-18 Filip Pizlo - - DFG inlining should be hardened for the no-result case - https://bugs.webkit.org/show_bug.cgi?id=172290 - - Reviewed by Saam Barati. - - Previously, if we were inlining a setter call, we might have a bad time because the setter's - result register is the invalid VirtualRegister(), and much of the intrinsic handling code - assumes that the result register is valid. - - This doesn't usually cause problems because people don't usually point a setter at something - that we recognize as an intrinsic. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment. - * dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal. - (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner. - (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug. - (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter). - * runtime/Intrinsic.cpp: Added. I needed this to debug. - (JSC::intrinsicName): - (WTF::printInternal): - * runtime/Intrinsic.h: - -2017-05-18 Commit Queue - - Unreviewed, rolling out r217031, r217032, and r217037. - https://bugs.webkit.org/show_bug.cgi?id=172293 - - cause linking errors in Windows (Requested by yusukesuzuki on - #webkit). 
- - Reverted changesets: - - "[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass" - https://bugs.webkit.org/show_bug.cgi?id=172098 - http://trac.webkit.org/changeset/217031 - - "Unreviewed, rebaseline for newly added ClassInfo" - https://bugs.webkit.org/show_bug.cgi?id=172098 - http://trac.webkit.org/changeset/217032 - - "Unreviewed, fix debug and non-JIT build" - https://bugs.webkit.org/show_bug.cgi?id=172098 - http://trac.webkit.org/changeset/217037 - -2017-05-17 Yusuke Suzuki - - Unreviewed, fix debug and non-JIT build - https://bugs.webkit.org/show_bug.cgi?id=172098 - - * jsc.cpp: - (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): - -2017-05-17 Yusuke Suzuki - - Unreviewed, rebaseline for newly added ClassInfo - https://bugs.webkit.org/show_bug.cgi?id=172098 - - * wasm/js/WebAssemblyFunctionBase.cpp: - -2017-05-16 Yusuke Suzuki - - [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass - https://bugs.webkit.org/show_bug.cgi?id=172098 - - Reviewed by Saam Barati. - - In this patch, we generalize CheckDOM to CheckSubClass. - It can accept any ClassInfo and perform ClassInfo check - in DFG / FTL. Now, we add a new function pointer to ClassInfo, - checkSubClassPatchpoint. It can create DOMJIT patchpoint - for that ClassInfo. It it natural that ClassInfo holds the - way to emit DOMJIT::Patchpoint to perform CheckSubClass - rather than having it in each DOMJIT getter / function - signature annotation. - - One problem is that it enlarges the size of ClassInfo. - But this is the best place to put this function pointer. - By doing so, we can add a patchpoint for CheckSubClass - in an non-intrusive manner: WebCore can inject patchpoints - without interactive JSC. - - We still have a way to reduce the size of ClassInfo if - we move ArrayBuffer related methods out to the other places. - - This patch touches many files because we add a new function - pointer to ClassInfo. But they are basically mechanical change. 
- - * API/JSAPIWrapperObject.mm: - * API/JSCallbackConstructor.cpp: - * API/JSCallbackFunction.cpp: - * API/JSCallbackObject.cpp: - * API/ObjCCallbackFunction.mm: - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/CodeBlock.cpp: - * bytecode/DOMJITAccessCasePatchpointParams.h: - (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams): - * bytecode/EvalCodeBlock.cpp: - * bytecode/FunctionCodeBlock.cpp: - * bytecode/GetterSetterAccessCase.cpp: - (JSC::GetterSetterAccessCase::emitDOMJITGetter): - * bytecode/ModuleProgramCodeBlock.cpp: - * bytecode/ProgramCodeBlock.cpp: - * bytecode/UnlinkedCodeBlock.cpp: - * bytecode/UnlinkedEvalCodeBlock.cpp: - * bytecode/UnlinkedFunctionCodeBlock.cpp: - * bytecode/UnlinkedFunctionExecutable.cpp: - * bytecode/UnlinkedModuleProgramCodeBlock.cpp: - * bytecode/UnlinkedProgramCodeBlock.cpp: - * debugger/DebuggerScope.cpp: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleDOMJITGetter): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - * dfg/DFGDOMJITPatchpointParams.h: - (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams): - * dfg/DFGDoesGC.cpp: - (JSC::DFG::doesGC): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::attemptToMakeCallDOM): - (JSC::DFG::FixupPhase::fixupCheckSubClass): - (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted. - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dump): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasClassInfo): - (JSC::DFG::Node::classInfo): - (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted. - (JSC::DFG::Node::checkDOMPatchpoint): Deleted. 
- * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileCheckSubClass): - (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted. - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::vm): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo. - And ClassInfo knows how to perform CheckSubClass efficiently. - If ClassInfo does not have a way to perform CheckSubClass efficiently, - we just perform jsDynamicCast thing in ASM. - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * domjit/DOMJITGetterSetter.h: - * domjit/DOMJITPatchpointParams.h: - (JSC::DOMJIT::PatchpointParams::PatchpointParams): - (JSC::DOMJIT::PatchpointParams::vm): - * domjit/DOMJITSignature.h: - (JSC::DOMJIT::Signature::Signature): - (JSC::DOMJIT::Signature::checkDOM): Deleted. - * ftl/FTLAbstractHeapRepository.h: - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLDOMJITPatchpointParams.h: - (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): - (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted. 
- * inspector/JSInjectedScriptHost.cpp: - * inspector/JSInjectedScriptHostPrototype.cpp: - * inspector/JSJavaScriptCallFrame.cpp: - * inspector/JSJavaScriptCallFramePrototype.cpp: - * jsc.cpp: - (WTF::DOMJITNode::checkSubClassPatchpoint): - (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): - (WTF::DOMJITFunctionObject::finishCreation): - (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): - (WTF::DOMJITCheckSubClassObject::createStructure): - (WTF::DOMJITCheckSubClassObject::create): - (WTF::DOMJITCheckSubClassObject::safeFunction): - (WTF::DOMJITCheckSubClassObject::unsafeFunction): - (WTF::DOMJITCheckSubClassObject::finishCreation): - (GlobalObject::finishCreation): - (functionCreateDOMJITCheckSubClassObject): - (WTF::DOMJITNode::checkDOMJITNode): Deleted. - (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted. - * runtime/AbstractModuleRecord.cpp: - * runtime/ArrayBufferNeuteringWatchpoint.cpp: - * runtime/ArrayConstructor.cpp: - * runtime/ArrayIteratorPrototype.cpp: - * runtime/ArrayPrototype.cpp: - * runtime/AsyncFunctionConstructor.cpp: - * runtime/AsyncFunctionPrototype.cpp: - * runtime/AtomicsObject.cpp: - * runtime/BooleanConstructor.cpp: - * runtime/BooleanObject.cpp: - * runtime/BooleanPrototype.cpp: - * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp. 
- (JSC::ClassInfo::dump): - * runtime/ClassInfo.h: - (JSC::ClassInfo::offsetOfParentClass): - * runtime/ClonedArguments.cpp: - * runtime/ConsoleObject.cpp: - * runtime/CustomGetterSetter.cpp: - * runtime/DateConstructor.cpp: - * runtime/DateInstance.cpp: - * runtime/DatePrototype.cpp: - * runtime/DirectArguments.cpp: - * runtime/Error.cpp: - * runtime/ErrorConstructor.cpp: - * runtime/ErrorInstance.cpp: - * runtime/ErrorPrototype.cpp: - * runtime/EvalExecutable.cpp: - * runtime/Exception.cpp: - * runtime/ExceptionHelpers.cpp: - * runtime/ExecutableBase.cpp: - * runtime/FunctionConstructor.cpp: - * runtime/FunctionExecutable.cpp: - * runtime/FunctionPrototype.cpp: - * runtime/FunctionRareData.cpp: - * runtime/GeneratorFunctionConstructor.cpp: - * runtime/GeneratorFunctionPrototype.cpp: - * runtime/GeneratorPrototype.cpp: - * runtime/GetterSetter.cpp: - * runtime/HashMapImpl.cpp: - * runtime/HashMapImpl.h: - * runtime/InferredType.cpp: - (JSC::InferredType::create): - * runtime/InferredTypeTable.cpp: - * runtime/InferredValue.cpp: - * runtime/InspectorInstrumentationObject.cpp: - * runtime/InternalFunction.cpp: - * runtime/IntlCollator.cpp: - * runtime/IntlCollatorConstructor.cpp: - * runtime/IntlCollatorPrototype.cpp: - * runtime/IntlDateTimeFormat.cpp: - * runtime/IntlDateTimeFormatConstructor.cpp: - * runtime/IntlDateTimeFormatPrototype.cpp: - * runtime/IntlNumberFormat.cpp: - * runtime/IntlNumberFormatConstructor.cpp: - * runtime/IntlNumberFormatPrototype.cpp: - * runtime/IntlObject.cpp: - * runtime/IteratorPrototype.cpp: - * runtime/JSAPIValueWrapper.cpp: - * runtime/JSArray.cpp: - * runtime/JSArrayBuffer.cpp: - * runtime/JSArrayBufferConstructor.cpp: - * runtime/JSArrayBufferPrototype.cpp: - * runtime/JSArrayBufferView.cpp: - * runtime/JSAsyncFunction.cpp: - * runtime/JSBoundFunction.cpp: - * runtime/JSCallee.cpp: - * runtime/JSCustomGetterSetterFunction.cpp: - * runtime/JSDataView.cpp: - * runtime/JSDataViewPrototype.cpp: - * runtime/JSEnvironmentRecord.cpp: - 
* runtime/JSFixedArray.cpp: - * runtime/JSFunction.cpp: - * runtime/JSGeneratorFunction.cpp: - * runtime/JSGlobalLexicalEnvironment.cpp: - * runtime/JSGlobalObject.cpp: - * runtime/JSInternalPromise.cpp: - * runtime/JSInternalPromiseConstructor.cpp: - * runtime/JSInternalPromiseDeferred.cpp: - * runtime/JSInternalPromisePrototype.cpp: - * runtime/JSLexicalEnvironment.cpp: - * runtime/JSMap.cpp: - * runtime/JSMapIterator.cpp: - * runtime/JSModuleEnvironment.cpp: - * runtime/JSModuleLoader.cpp: - * runtime/JSModuleNamespaceObject.cpp: - * runtime/JSModuleRecord.cpp: - * runtime/JSNativeStdFunction.cpp: - * runtime/JSONObject.cpp: - * runtime/JSObject.cpp: - * runtime/JSPromise.cpp: - * runtime/JSPromiseConstructor.cpp: - * runtime/JSPromiseDeferred.cpp: - * runtime/JSPromisePrototype.cpp: - * runtime/JSPropertyNameEnumerator.cpp: - * runtime/JSPropertyNameIterator.cpp: - * runtime/JSProxy.cpp: - * runtime/JSScriptFetcher.cpp: - * runtime/JSSet.cpp: - * runtime/JSSetIterator.cpp: - * runtime/JSSourceCode.cpp: - * runtime/JSString.cpp: - * runtime/JSStringIterator.cpp: - * runtime/JSSymbolTableObject.cpp: - * runtime/JSTemplateRegistryKey.cpp: - * runtime/JSTypedArrayConstructors.cpp: - * runtime/JSTypedArrayPrototypes.cpp: - * runtime/JSTypedArrayViewConstructor.cpp: - * runtime/JSTypedArrays.cpp: - * runtime/JSWeakMap.cpp: - * runtime/JSWeakSet.cpp: - * runtime/JSWithScope.cpp: - * runtime/MapConstructor.cpp: - * runtime/MapIteratorPrototype.cpp: - * runtime/MapPrototype.cpp: - * runtime/MathObject.cpp: - * runtime/ModuleLoaderPrototype.cpp: - * runtime/ModuleProgramExecutable.cpp: - * runtime/NativeErrorConstructor.cpp: - * runtime/NativeExecutable.cpp: - * runtime/NativeStdFunctionCell.cpp: - * runtime/NullGetterFunction.cpp: - * runtime/NullSetterFunction.cpp: - * runtime/NumberConstructor.cpp: - * runtime/NumberObject.cpp: - * runtime/NumberPrototype.cpp: - * runtime/ObjectConstructor.cpp: - * runtime/ObjectPrototype.cpp: - * runtime/ProgramExecutable.cpp: - * 
runtime/PropertyTable.cpp: - * runtime/ProxyConstructor.cpp: - * runtime/ProxyObject.cpp: - * runtime/ProxyRevoke.cpp: - * runtime/ReflectObject.cpp: - * runtime/RegExp.cpp: - * runtime/RegExpConstructor.cpp: - * runtime/RegExpObject.cpp: - * runtime/RegExpPrototype.cpp: - * runtime/ScopedArguments.cpp: - * runtime/ScopedArgumentsTable.cpp: - * runtime/ScriptExecutable.cpp: - * runtime/SetConstructor.cpp: - * runtime/SetIteratorPrototype.cpp: - * runtime/SetPrototype.cpp: - * runtime/SparseArrayValueMap.cpp: - * runtime/StrictEvalActivation.cpp: - * runtime/StringConstructor.cpp: - * runtime/StringIteratorPrototype.cpp: - * runtime/StringObject.cpp: - * runtime/StringPrototype.cpp: - * runtime/Structure.cpp: - * runtime/StructureChain.cpp: - * runtime/StructureRareData.cpp: - * runtime/Symbol.cpp: - * runtime/SymbolConstructor.cpp: - * runtime/SymbolObject.cpp: - * runtime/SymbolPrototype.cpp: - * runtime/SymbolTable.cpp: - * runtime/WeakMapConstructor.cpp: - * runtime/WeakMapData.cpp: - * runtime/WeakMapPrototype.cpp: - * runtime/WeakSetConstructor.cpp: - * runtime/WeakSetPrototype.cpp: - * testRegExp.cpp: - * tools/JSDollarVM.cpp: - * tools/JSDollarVMPrototype.cpp: - * wasm/JSWebAssembly.cpp: - * wasm/js/JSWebAssemblyCodeBlock.cpp: - * wasm/js/JSWebAssemblyCompileError.cpp: - * wasm/js/JSWebAssemblyInstance.cpp: - * wasm/js/JSWebAssemblyLinkError.cpp: - * wasm/js/JSWebAssemblyMemory.cpp: - * wasm/js/JSWebAssemblyModule.cpp: - * wasm/js/JSWebAssemblyRuntimeError.cpp: - * wasm/js/JSWebAssemblyTable.cpp: - * wasm/js/WebAssemblyCompileErrorConstructor.cpp: - * wasm/js/WebAssemblyCompileErrorPrototype.cpp: - * wasm/js/WebAssemblyFunction.cpp: - * wasm/js/WebAssemblyInstanceConstructor.cpp: - * wasm/js/WebAssemblyInstancePrototype.cpp: - * wasm/js/WebAssemblyLinkErrorConstructor.cpp: - * wasm/js/WebAssemblyLinkErrorPrototype.cpp: - * wasm/js/WebAssemblyMemoryConstructor.cpp: - * wasm/js/WebAssemblyMemoryPrototype.cpp: - * wasm/js/WebAssemblyModuleConstructor.cpp: - * 
wasm/js/WebAssemblyModulePrototype.cpp: - * wasm/js/WebAssemblyModuleRecord.cpp: - * wasm/js/WebAssemblyPrototype.cpp: - * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: - * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: - * wasm/js/WebAssemblyTableConstructor.cpp: - * wasm/js/WebAssemblyTablePrototype.cpp: - * wasm/js/WebAssemblyToJSCallee.cpp: - * wasm/js/WebAssemblyWrapperFunction.cpp: - -2017-05-17 Saam Barati - - We don't do context switches for Wasm->Wasm call indirect - https://bugs.webkit.org/show_bug.cgi?id=172188 - - - Reviewed by Keith Miller. - - We did not do a context switch when doing an indirect call. - This is clearly wrong, since the thing we're making an indirect - call to could be from another instance. This patch fixes this - oversight by doing a very simple context switch. I've also opened - a bug to make indirect calls fast: https://bugs.webkit.org/show_bug.cgi?id=172197 - since this patch adds yet another branch to the indirect call path. - I've also added tests that either throw or crash before this change. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * wasm/WasmB3IRGenerator.cpp: - * wasm/js/JSWebAssemblyTable.h: - (JSC::JSWebAssemblyTable::offsetOfJSFunctions): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::WebAssemblyFunction::visitChildren): - (JSC::WebAssemblyFunction::finishCreation): Deleted. - * wasm/js/WebAssemblyFunction.h: - (JSC::WebAssemblyFunction::instance): Deleted. - (JSC::WebAssemblyFunction::offsetOfInstance): Deleted. - * wasm/js/WebAssemblyFunctionBase.cpp: Added. - (JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase): - (JSC::WebAssemblyFunctionBase::visitChildren): - (JSC::WebAssemblyFunctionBase::finishCreation): - * wasm/js/WebAssemblyFunctionBase.h: Added. 
- (JSC::WebAssemblyFunctionBase::instance): - (JSC::WebAssemblyFunctionBase::offsetOfInstance): - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - (JSC::WebAssemblyModuleRecord::evaluate): - * wasm/js/WebAssemblyWrapperFunction.cpp: - (JSC::WebAssemblyWrapperFunction::create): - (JSC::WebAssemblyWrapperFunction::finishCreation): - (JSC::WebAssemblyWrapperFunction::visitChildren): - * wasm/js/WebAssemblyWrapperFunction.h: - -2017-05-17 Filip Pizlo - - JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform - https://bugs.webkit.org/show_bug.cgi?id=172208 - - Reviewed by Saam Barati. - - * dfg/DFGArgumentsEliminationPhase.cpp: - -2017-05-17 Don Olmstead - - [Win] Support $vm.getpid() - https://bugs.webkit.org/show_bug.cgi?id=172248 - - Reviewed by Mark Lam. - - * tools/JSDollarVMPrototype.cpp: - (JSC::functionGetPID): - (JSC::JSDollarVMPrototype::finishCreation): - -2017-05-17 Michael Saboff - - [iOS] The Garbage Collector shouldn't rely on the bmalloc scavenger for up to date memory footprint info - https://bugs.webkit.org/show_bug.cgi?id=172186 - - Reviewed by Geoffrey Garen. - - The calls to bmalloc::api::memoryFootprint() and ::percentAvailableMemoryInUse() now call - the OS to get up to date values. In overCriticalMemoryThreshold(), we get the current value every - 100th call and use a cached value the rest of the time. When colleciton is done, we start with - a new overCriticalMemoryThreshold value for the next cycle. - - The choice of 1 out of 100 calls was validated by using JetStream and verifying that it didn't impact - performance and still provides timely memory footprint data. With additional debug logging, I - determined that we call overCriticalMemoryThreshold() over 20,000 times/second running JetStream. - Other logging showed that there were over 1700 calls to overCriticalMemoryThreshold() on average per - GC cycle. Dividing both of these numbers by 100 seems reasonable. 
+ In r246507, we fixed a race condition in the concurrent GC where the mutator might steal + the conn from the collector thread while it transitions from the End phase to NotRunning. + However, that fix was not sufficient. In the case that the mutator steals the conn, and the + execution interleaves long enough for the mutator to progress to a different collection phase, + the collector will resume in a phase other than NotRunning, and hence the check added to + NotRunning will not suffice. To fix that, we add a new variable to track whether the collector + thread is running (m_collectorThreadIsRunning) and use it to determine whether it's safe to + steal the conn, rather than relying on m_currentPhase. * heap/Heap.cpp: - (JSC::Heap::overCriticalMemoryThreshold): - (JSC::Heap::updateAllocationLimits): - (JSC::Heap::shouldDoFullCollection): - * heap/Heap.h: - -2017-05-17 Saam Barati - - PinnedRegisters should be better modeled in IRC/Briggs - https://bugs.webkit.org/show_bug.cgi?id=171955 - - Reviewed by Filip Pizlo. - - This patch fixes a bug in Briggs/IRC with respect to pinned registers. - Pinned registers were not part of the assignable register file in IRC/Briggs, - and this would lead to an asymmetry because they were modeled in the - interference graph. The bug is that we use registerCount() to move various - Tmps between various lists in the different allocators, and if a Tmp - interfered with a pinned register (usually via a Patchpoint's clobbered set), - we'd have an interference edge modeled in the degree for that Tmp, but the registerCount() - would make us think that this particular Tmp is not assignable. This would - lead us to fail to color a colorable graph. Specifically, this happened in - our various patchpoint tests that stress the register allocator by forcing - the entire register file into arguments for the patchpoint and then doing - interesting things with the result, arguments, etc. 
- - This patch fixes the bug by coming up with an more natural way to model pinned - registers. Pinned registers are now part of the register file. However, - pinned registers are live at every point in the program (this is a defining - property of a pinned register). In practice, this means that the only Tmps - that can be assigned to pinned registers are ones that are coalescing - candidates. This means the program has some number of defs for a Tmp T like: - MoveType pinnedReg, T - - Note, if any other defs for T happen, like: - Add32, t1, t2, T - T will have an interference edge with pinnedReg, since pinnedReg is live - at every point in the program. Modeling pinned registers this way allows - IRC/Briggs to have no special casing for them. It treats it like any other - precolored Tmp. This allows us to do coalescing, biased coloring, etc, which - could all lead to a Tmp being assigned to a pinned register. - - Interestingly, we used to have special handling for the frame pointer - register, which in many ways, acts like a pinned register, since FP is - always live, and we wanted it to take place in coalescing. The allocator - had a side-table interference graph with FP. Interestingly, we didn't even - handle this properly everywhere since we could rely on a patchpoint never - claiming to clobber FP (this would be illegal). So the code only handled - the pseudo-pinned register properties of FP in various places. This patch - drops this special casing and pins FP since all pinned registers can take - part in coalescing. 
- - * b3/B3PatchpointSpecial.h: - * b3/B3Procedure.cpp: - (JSC::B3::Procedure::mutableGPRs): - (JSC::B3::Procedure::mutableFPRs): - * b3/B3Procedure.h: - * b3/air/AirAllocateRegistersByGraphColoring.cpp: - * b3/air/AirCode.cpp: - (JSC::B3::Air::Code::Code): - (JSC::B3::Air::Code::pinRegister): - (JSC::B3::Air::Code::mutableGPRs): - (JSC::B3::Air::Code::mutableFPRs): - * b3/air/AirCode.h: - (JSC::B3::Air::Code::pinnedRegisters): - * b3/air/AirSpecial.h: - * b3/air/testair.cpp: - * b3/testb3.cpp: - (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs): - (JSC::B3::testSpillDefSmallerThanUse): - (JSC::B3::testLateRegister): - (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled): - (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2): - (JSC::B3::testMoveConstants): - -2017-05-16 Yusuke Suzuki - - [DFG] Constant Folding Phase should convert MakeRope("", String) => Identity(String) - https://bugs.webkit.org/show_bug.cgi?id=172115 - - Reviewed by Saam Barati. - - In Fixup phase, we attempt to fold MakeRope to Identity (or reduce arguments) by dropping - empty strings. However, when we are in Fixup phase, we do not have much information about - constant values. - - In ARES-6 Babylon, we find that we can constant-fold MakeRope by using constants figured - out by CFA. Without it, Babylon repeatedly produces rope strings. To fix this, we introduce - MakeRope handling in constant folding phase. - - It shows 7.5% performance improvement in ARES-6 Babylon steadyState. 
- - Before: - - firstIteration: 50.02 +- 14.56 ms - averageWorstCase: 26.52 +- 4.52 ms - steadyState: 8.15 +- 0.23 ms - - After: - - firstIteration: 49.08 +- 12.90 ms - averageWorstCase: 25.16 +- 3.82 ms - steadyState: 7.58 +- 0.21 ms - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - -2017-05-16 Yusuke Suzuki - - Unreviewed, add Objective C files to CMake Mac port - https://bugs.webkit.org/show_bug.cgi?id=172103 - - * shell/PlatformMac.cmake: Added. - -2017-05-16 JF Bastien - - WebAssembly: enforce size limits - https://bugs.webkit.org/show_bug.cgi?id=165833 - - - Reviewed by Keith Miller. - - Use the same limits as V8. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * wasm/WasmLimits.h: Added. - * wasm/WasmModuleParser.cpp: - * wasm/WasmParser.h: - (JSC::Wasm::Parser::consumeUTF8String): - -2017-05-15 Yusuke Suzuki - - [JSC] Build testapi in non Apple ports - https://bugs.webkit.org/show_bug.cgi?id=172103 - - Reviewed by Filip Pizlo. - - This patch makes JSC testapi buildable in non-Apple ports. - We isolate CF related tests in testapi.c. If we do not use - CF, we include JavaScript.h instead of JavaScriptCore.h. - - By running the testapi in Linux, we found that contraints - test have a bug: If constraint marker runs after WeakRefs - are destroyed, it accesses destroyed WeakRef. This patch - also fixes it. 
- - * API/tests/CurrentThisInsideBlockGetterTest.h: - * API/tests/CustomGlobalObjectClassTest.c: - * API/tests/ExecutionTimeLimitTest.cpp: - * API/tests/FunctionOverridesTest.cpp: - * API/tests/GlobalContextWithFinalizerTest.cpp: - * API/tests/JSObjectGetProxyTargetTest.cpp: - * API/tests/MultithreadedMultiVMExecutionTest.cpp: - * API/tests/PingPongStackOverflowTest.cpp: - * API/tests/TypedArrayCTest.cpp: - * API/tests/testapi.c: - (assertEqualsAsCharactersPtr): - (markingConstraint): - (testMarkingConstraintsAndHeapFinalizers): - (testCFStrings): - (main): - * shell/CMakeLists.txt: - -2017-05-16 JF Bastien - - WebAssembly: report Memory usage to GC - https://bugs.webkit.org/show_bug.cgi?id=170690 - - - Reviewed by Keith Miller. - - * wasm/js/JSWebAssemblyMemory.cpp: - (JSC::JSWebAssemblyMemory::grow): - (JSC::JSWebAssemblyMemory::finishCreation): - (JSC::JSWebAssemblyMemory::visitChildren): - -2017-05-16 JF Bastien - - WebAssembly: validate load / store alignment - https://bugs.webkit.org/show_bug.cgi?id=168836 - - - Reviewed by Keith Miller. - - * wasm/WasmFunctionParser.h: check the alignment - * wasm/generateWasm.py: generate the log2 alignment helper - (Wasm): - (isSimple): - (memoryLog2Alignment): - * wasm/generateWasmOpsHeader.py: - (memoryLog2AlignmentGenerator): - * wasm/wasm.json: fix formatting - -2017-05-15 Mark Lam - - Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread. - https://bugs.webkit.org/show_bug.cgi?id=172147 - - Rubber-stamped by Saam Barati. - - I rolled out every thing in those 2 patches except for the change to make - CodeBlock::finishCreation() return a bool plus its clients that depend on this. - I made this exception because r214931 relies on this change, and this part of - the change looks correct. - - * builtins/BuiltinNames.h: - * builtins/GlobalOperations.js: - (globalPrivate.speciesConstructor): - (globalPrivate.copyDataProperties): Deleted. 
- * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finishCreation): - (JSC::CodeBlock::setConstantIdentifierSetRegisters): Deleted. - * bytecode/CodeBlock.h: - * bytecode/UnlinkedCodeBlock.h: - (JSC::UnlinkedCodeBlock::addBitVector): - (JSC::UnlinkedCodeBlock::constantRegisters): - (JSC::UnlinkedCodeBlock::addSetConstant): Deleted. - (JSC::UnlinkedCodeBlock::constantIdentifierSets): Deleted. - * bytecompiler/BytecodeGenerator.cpp: - * bytecompiler/BytecodeGenerator.h: - * bytecompiler/NodesCodegen.cpp: - (JSC::PropertyListNode::emitBytecode): - (JSC::ObjectPatternNode::bindValue): - (JSC::ObjectSpreadExpressionNode::emitBytecode): Deleted. - * parser/ASTBuilder.h: - (JSC::ASTBuilder::createProperty): - (JSC::ASTBuilder::appendObjectPatternEntry): - (JSC::ASTBuilder::createObjectSpreadExpression): Deleted. - (JSC::ASTBuilder::appendObjectPatternRestEntry): Deleted. - (JSC::ASTBuilder::setContainsObjectRestElement): Deleted. - * parser/NodeConstructors.h: - (JSC::PropertyNode::PropertyNode): - (JSC::SpreadExpressionNode::SpreadExpressionNode): - (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): Deleted. - * parser/Nodes.h: - (JSC::ObjectPatternNode::appendEntry): - (JSC::ObjectSpreadExpressionNode::expression): Deleted. - (JSC::ObjectPatternNode::setContainsRestElement): Deleted. - * parser/Parser.cpp: - (JSC::Parser::parseDestructuringPattern): - (JSC::Parser::parseProperty): - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::createSpreadExpression): - (JSC::SyntaxChecker::createProperty): - (JSC::SyntaxChecker::operatorStackPop): - (JSC::SyntaxChecker::createObjectSpreadExpression): Deleted. - * runtime/ObjectConstructor.cpp: - (JSC::ObjectConstructor::finishCreation): - * runtime/SetPrototype.cpp: - (JSC::SetPrototype::finishCreation): - -2017-05-15 David Kilzer - - JSEnvironmentRecord::allocationSizeForScopeSize() and offsetOfVariable(ScopeOffset) should used checked arithmetic - - - Reviewed by Saam Barati. 
- - * runtime/JSEnvironmentRecord.h: - (JSC::JSEnvironmentRecord::offsetOfVariable): Change to return - size_t and use checked arithmetic. - (JSC::JSEnvironmentRecord::allocationSizeForScopeSize): Change - to use checked arithmetic. - -2017-05-15 Mark Lam - - WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution(). - https://bugs.webkit.org/show_bug.cgi?id=171775 - - - Reviewed by Filip Pizlo. - - Increased the number of frames captured in VM::nativeStackTraceOfLastThrow() - from 25 to 100. From experience, I found that 25 is sometimes not sufficient - for our debugging needs. - - Also added VM::throwingThread() to track which thread an exception was thrown in. - This may be useful if the client is entering the VM from different threads. - - * runtime/ExceptionScope.cpp: - (JSC::ExceptionScope::unexpectedExceptionMessage): - * runtime/ExceptionScope.h: - (JSC::ExceptionScope::exception): - (JSC::ExceptionScope::unexpectedExceptionMessage): - * runtime/Options.h: - - Added the unexpectedExceptionStackTraceLimit option. - * runtime/VM.cpp: - (JSC::VM::throwException): - * runtime/VM.h: - (JSC::VM::throwingThread): - (JSC::VM::clearException): - -2017-05-13 David Kilzer - - Unused lambda capture in JSContextGroupAddMarkingConstraint() - - - Reviewed by Saam Barati. - - Fixes the following warning with newer clang: - - Source/JavaScriptCore/API/JSMarkingConstraintPrivate.cpp:78:11: error: lambda capture 'vm' is not used [-Werror,-Wunused-lambda-capture] - [&vm, constraintCallback, userData] - ^ - - * API/JSMarkingConstraintPrivate.cpp: - (JSContextGroupAddMarkingConstraint): Remove unused lambda - capture for '&vm'. - -2017-05-13 David Kilzer - - [JSC] config.rb fails when checking some clang versions - - - Reviewed by Mark Lam. - - * offlineasm/config.rb: - - Add support for quad-dotted version of Apple clang (800.0.12.1). - - Add support for checking open source clang version (5.0.0). 
- -2017-05-13 Commit Queue - - Unreviewed, rolling out r216808. - https://bugs.webkit.org/show_bug.cgi?id=172075 - - caused lldb to hang when debugging (Requested by smfr on - #webkit). - - Reverted changeset: - - "Use Mach exceptions instead of signals where possible" - https://bugs.webkit.org/show_bug.cgi?id=171865 - http://trac.webkit.org/changeset/216808 - -2017-05-13 Commit Queue - - Unreviewed, rolling out r216801. - https://bugs.webkit.org/show_bug.cgi?id=172072 - - Many memory corruption crashes on worker threads (Requested by - ap on #webkit). - - Reverted changeset: - - "WorkerRunLoop::Task::performTask() should check - !scriptController->isTerminatingExecution()." - https://bugs.webkit.org/show_bug.cgi?id=171775 - http://trac.webkit.org/changeset/216801 - -2017-05-12 Geoffrey Garen - - [JSC] DFG::Node should not have its own allocator - https://bugs.webkit.org/show_bug.cgi?id=160098 - - Reviewed by Saam Barati. - - I just rebased the patch from . - - I ran Octane and JetStream locally on a MacBook Air and I wasn't able to - reproduce a regression. Let's land this again and see what the bots say. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3SparseCollection.h: - (JSC::B3::SparseCollection::packIndices): - * dfg/DFGAllocator.h: Removed. - * dfg/DFGDriver.cpp: - (JSC::DFG::compileImpl): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::Graph): - (JSC::DFG::Graph::~Graph): - (JSC::DFG::Graph::deleteNode): - (JSC::DFG::Graph::packNodeIndices): - (JSC::DFG::Graph::addNodeToMapByIndex): Deleted. - * dfg/DFGGraph.h: - (JSC::DFG::Graph::addNode): - (JSC::DFG::Graph::maxNodeCount): - (JSC::DFG::Graph::nodeAt): - * dfg/DFGLongLivedState.cpp: Removed. - * dfg/DFGLongLivedState.h: Removed. 
- * dfg/DFGNode.h: - * dfg/DFGNodeAllocator.h: - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::compileInThread): - (JSC::DFG::Plan::compileInThreadImpl): - * dfg/DFGPlan.h: - * dfg/DFGWorklist.cpp: - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - -2017-05-12 Keith Miller - - Use Mach exceptions instead of signals where possible - https://bugs.webkit.org/show_bug.cgi?id=171865 - - Reviewed by Mark Lam. - - This patch adds some new JSC options. The first is an option that - enables or disables web assembly tier up. The second controls - whether or not we use mach exceptions (where available). - - * API/tests/ExecutionTimeLimitTest.cpp: - (dispatchTermitateCallback): - (testExecutionTimeLimit): - * runtime/JSLock.cpp: - (JSC::JSLock::didAcquireLock): - * runtime/Options.cpp: - (JSC::overrideDefaults): - (JSC::Options::initialize): - * runtime/Options.h: - * runtime/VMTraps.cpp: - (JSC::SignalContext::SignalContext): - (JSC::SignalContext::adjustPCToPointToTrappingInstruction): - (JSC::installSignalHandler): - (JSC::VMTraps::SignalSender::send): - * tools/SigillCrashAnalyzer.cpp: - (JSC::SignalContext::SignalContext): - (JSC::SignalContext::dump): - (JSC::installCrashHandler): - * wasm/WasmBBQPlan.cpp: - (JSC::Wasm::BBQPlan::compileFunctions): - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::trapHandler): - (JSC::Wasm::enableFastMemory): - * wasm/WasmMachineThreads.cpp: - (JSC::Wasm::resetInstructionCacheOnAllThreads): - -2017-05-12 Mark Lam - - WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution(). - https://bugs.webkit.org/show_bug.cgi?id=171775 - - - Reviewed by Saam Barati. - - Increased the number of frames captured in VM::nativeStackTraceOfLastThrow() - from 25 to 100. From experience, I found that 25 is sometimes not sufficient - for our debugging needs. - - Also added VM::throwingThread() to track which thread an exception was thrown in. - This may be useful if the client is entering the VM from different threads. 
- - * runtime/ExceptionScope.cpp: - (JSC::ExceptionScope::unexpectedExceptionMessage): - * runtime/ExceptionScope.h: - (JSC::ExceptionScope::exception): - (JSC::ExceptionScope::unexpectedExceptionMessage): - * runtime/Options.h: - - Added the unexpectedExceptionStackTraceLimit option. - * runtime/VM.cpp: - (JSC::VM::throwException): - * runtime/VM.h: - (JSC::VM::throwingThread): - (JSC::VM::clearException): - -2017-05-12 Daniel Bates - - Cleanup: Make QueueTaskToEventLoopFunctionPtr take JSGlobalObject& - https://bugs.webkit.org/show_bug.cgi?id=172021 - - Reviewed by Mark Lam. - - Change the function alias for QueueTaskToEventLoopFunctionPtr to take JSGlobalObject& - instead of a const JSGlobalObject* as all implementations expect to be passed a non- - const, non-null JSGlobalObject object. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::queueMicrotask): - * runtime/JSGlobalObject.h: - * runtime/VM.cpp: - (JSC::VM::queueMicrotask): - * runtime/VM.h: Remove JS_EXPORT_PRIVATE annotation from queueMicrotask() as - it is only called from JavaScriptCore code. - -2017-05-12 Michael Saboff - - [iOS] Use memory footprint to dynamically adjust behavior of allocators - https://bugs.webkit.org/show_bug.cgi?id=171944 - - Reviewed by Filip Pizlo. - - This change is iOS only. - - Added the ability to react to when memory usage is critical. This is defined as memory - usage being above the newly added option criticalGCMemoryThreshold. When we are in this - critical state, all collections are Full and we limit the amount of memory we allocate - between collections to 1/4th the memory above the critical threshold. - - Changed the calculation of proportionalHeapSize to be based on process memory footprint - and not how big the heap is. Also, the values of Options::smallHeapRAMFraction and - Options::mediumHeapRAMFraction are overriden so that most of the heap growth is happens - using the more agressive Options::smallHeapGrowthFactor. 
- - * heap/Heap.cpp: - (JSC::Heap::Heap): - (JSC::Heap::overCriticalMemoryThreshold): - (JSC::Heap::shouldDoFullCollection): - (JSC::Heap::collectIfNecessaryOrDefer): - * heap/Heap.h: - * runtime/Options.cpp: - (JSC::overrideDefaults): - (JSC::Options::initialize): - * runtime/Options.h: - -2017-05-11 Saam Barati - - Computing optionalDefArgWidth in CheckSpecial should not consider Scratch roles - https://bugs.webkit.org/show_bug.cgi?id=171962 - - Reviewed by Filip Pizlo. - - The purpose of getting the result width is to get the width of - the result of the arithmetic. It does not care about that the - Check happens to define scratches. - - * b3/B3CheckSpecial.cpp: - (JSC::B3::CheckSpecial::forEachArg): - * b3/testb3.cpp: - (JSC::B3::testCheckMul): - (JSC::B3::testCheckMulMemory): - (JSC::B3::testCheckMul64): - (JSC::B3::testCheckMulFold): - (JSC::B3::testCheckMulFoldFail): - (JSC::B3::testCheckMulArgumentAliasing64): - (JSC::B3::testCheckMulArgumentAliasing32): - (JSC::B3::testCheckMul64SShr): - -2017-05-11 Saam Barati - - isValidForm for SimpleAddr should use ptr() instead of tmp() - https://bugs.webkit.org/show_bug.cgi?id=171992 - - Reviewed by Filip Pizlo. - - Arg::tmp() asserts that its kind is Tmp. Inst::isValidForm for - SimpleAddr was using Arg::tmp() instead of ptr() to check - if the address Tmp isGP(). It should be using Arg::ptr() instead - of Arg::tmp() since Arg::ptr() is designed for SimpleAddr. - - This patch also fixes an incorrect assertion in the ARM64 - macro assembler. We were asserting various atomic ops were - only over 32/64 bit operations. However, the code was properly handling - 8/16/32/64 bit ops. I changed the assertion to reflect what is - actually going on. 
- - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::ldar): - (JSC::ARM64Assembler::ldxr): - (JSC::ARM64Assembler::ldaxr): - (JSC::ARM64Assembler::stxr): - (JSC::ARM64Assembler::stlr): - (JSC::ARM64Assembler::stlxr): - * b3/air/opcode_generator.rb: - * b3/testb3.cpp: - (JSC::B3::testLoadAcq42): - (JSC::B3::testStoreRelAddLoadAcq32): - (JSC::B3::testStoreRelAddLoadAcq8): - (JSC::B3::testStoreRelAddFenceLoadAcq8): - (JSC::B3::testStoreRelAddLoadAcq16): - (JSC::B3::testStoreRelAddLoadAcq64): - (JSC::B3::testAtomicWeakCAS): - (JSC::B3::testAtomicStrongCAS): - (JSC::B3::testAtomicXchg): - -2017-05-11 Matt Lewis - - Unreviewed, rolling out r216677. - - Patch caused layout test crashes. - - Reverted changeset: - - "WorkerThread::stop() should call - scheduleExecutionTermination() last." - https://bugs.webkit.org/show_bug.cgi?id=171775 - http://trac.webkit.org/changeset/216677 - -2017-05-11 Don Olmstead - - [CMake] Add HAVE check for regex.h - https://bugs.webkit.org/show_bug.cgi?id=171950 - - Reviewed by Michael Catanzaro. - - * runtime/ConfigFile.cpp: - (JSC::ConfigFile::parse): - -2017-05-11 Filip Pizlo - - Callers of JSString::unsafeView() should check exceptions - https://bugs.webkit.org/show_bug.cgi?id=171995 - - Reviewed by Mark Lam. - - unsafeView() can throw OOME. So, callers of unsafeView() should check for exceptions before trying - to access the view. - - Also, I made the functions surrounding unsafeView() take ExecState* not ExecState&, to comply with - the rest of JSC. 
- - * dfg/DFGOperations.cpp: - * jsc.cpp: - (printInternal): - (functionDebug): - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncJoin): - * runtime/FunctionConstructor.cpp: - (JSC::constructFunctionSkippingEvalEnabledCheck): - * runtime/IntlCollatorPrototype.cpp: - (JSC::IntlCollatorFuncCompare): - * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: - (JSC::genericTypedArrayViewProtoFuncJoin): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncParseFloat): - * runtime/JSONObject.cpp: - (JSC::JSONProtoFuncParse): - * runtime/JSString.cpp: - (JSC::JSString::getPrimitiveNumber): - (JSC::JSString::toNumber): - * runtime/JSString.h: - (JSC::JSString::getIndex): - (JSC::JSRopeString::unsafeView): - (JSC::JSRopeString::viewWithUnderlyingString): - (JSC::JSString::unsafeView): - (JSC::JSString::viewWithUnderlyingString): - * runtime/JSStringJoiner.h: - (JSC::JSStringJoiner::appendWithoutSideEffects): - (JSC::JSStringJoiner::append): - * runtime/ParseInt.h: - (JSC::toStringView): - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncRepeatCharacter): - (JSC::stringProtoFuncCharAt): - (JSC::stringProtoFuncCharCodeAt): - (JSC::stringProtoFuncIndexOf): - (JSC::stringProtoFuncNormalize): - -2017-05-11 Filip Pizlo - - Offer SPI to notify clients that GC has happened - https://bugs.webkit.org/show_bug.cgi?id=171980 - - Reviewed by Geoffrey Garen. - - Sometimes when you're programming with weak references, it's most convenient if the GC tells - you when it finishes. This adds exactly such an API. This API is called at the *flip*: the - moment when the GC knows for sure which objects are dead and has definitely not allocated any - new objects or executed any JS code. The finalization part of the flip, which is where this - callback gets called, runs on the "main" thread - i.e. some thread that is attempting to - execute JS code and holds the JS lock. This will usually run as a side-effect of some - allocation or from the runloop. 
- - This means, for example, that if you implemented a vector of weak references and registered a - callback to prune the vector of null weak references, then aside from the callback, nobody - would ever see a null weak reference in the vector. - - * API/JSHeapFinalizerPrivate.cpp: Added. - (JSContextGroupAddHeapFinalizer): - (JSContextGroupRemoveHeapFinalizer): - * API/JSHeapFinalizerPrivate.h: Added. - * API/tests/testapi.c: - (heapFinalizer): - (testMarkingConstraintsAndHeapFinalizers): - (main): - (testMarkingConstraints): Deleted. - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/Heap.cpp: - (JSC::Heap::finalize): - (JSC::Heap::addHeapFinalizerCallback): - (JSC::Heap::removeHeapFinalizerCallback): - * heap/Heap.h: - * heap/HeapFinalizerCallback.cpp: Added. - (JSC::HeapFinalizerCallback::dump): - * heap/HeapFinalizerCallback.h: Added. - (JSC::HeapFinalizerCallback::HeapFinalizerCallback): - (JSC::HeapFinalizerCallback::operator==): - (JSC::HeapFinalizerCallback::operator!=): - (JSC::HeapFinalizerCallback::operator bool): - (JSC::HeapFinalizerCallback::run): - -2017-05-11 Filip Pizlo - - JSWeakCreate/Retain/Release should take a JSContextGroupRef and not a JSContextRef - https://bugs.webkit.org/show_bug.cgi?id=171979 - - Reviewed by Mark Lam. - - Functions that don't execute arbitrary JS but just need access to the VM should take a - JSContextGroupRef, not a JSContextRef. - - * API/JSWeakPrivate.cpp: - (JSWeakCreate): - (JSWeakRetain): - (JSWeakRelease): - * API/JSWeakPrivate.h: - * API/tests/testapi.c: - (testMarkingConstraints): - -2017-05-11 Mark Lam - - WorkerThread::stop() should call scheduleExecutionTermination() last. - https://bugs.webkit.org/show_bug.cgi?id=171775 - - - Reviewed by Geoffrey Garen. - - Increased the number of frames captured in VM::nativeStackTraceOfLastThrow() - from 25 to 100. From experience, I found that 25 is sometimes not sufficient - for our debugging needs. 
- - Also added VM::throwingThread() to track which thread an exception was thrown in. - This may be useful if the client is entering the VM from different threads. - - * runtime/ExceptionScope.cpp: - (JSC::ExceptionScope::unexpectedExceptionMessage): - (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException): - * runtime/ExceptionScope.h: - (JSC::ExceptionScope::exception): - (JSC::ExceptionScope::unexpectedExceptionMessage): - * runtime/VM.cpp: - (JSC::VM::throwException): - * runtime/VM.h: - (JSC::VM::throwingThread): - (JSC::VM::clearException): - -2017-05-11 JF Bastien - - WebAssembly: stop supporting 0xD - https://bugs.webkit.org/show_bug.cgi?id=168788 - - - Reviewed by Saam Barati. - - Only version 1 is supported by other browsers, and there shouldn't - be any 0xD binaries in the wild anymore. - - * wasm/WasmModuleParser.cpp: - -2017-05-09 Sam Weinig - - Remove support for legacy Notifications - https://bugs.webkit.org/show_bug.cgi?id=171487 - - Reviewed by Jon Lee. - - * Configurations/FeatureDefines.xcconfig: - Remove definition of ENABLE_LEGACY_NOTIFICATIONS. - -2017-05-10 Commit Queue - - Unreviewed, rolling out r216635. - https://bugs.webkit.org/show_bug.cgi?id=171953 - - "Some worker tests are failing". (Requested by mlam on #webkit). - - Reverted changeset: - - "WorkerThread::stop() should call - scheduleExecutionTermination() last." - https://bugs.webkit.org/show_bug.cgi?id=171775 - http://trac.webkit.org/changeset/216635 - -2017-05-10 Mark Lam - - Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer). - https://bugs.webkit.org/show_bug.cgi?id=160337 - - - Not reviewed. - - Updated a comment per Geoff's suggestion. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::tryCopyOtherThreadStack): - -2017-05-10 Mark Lam - - WorkerThread::stop() should call scheduleExecutionTermination() last. - https://bugs.webkit.org/show_bug.cgi?id=171775 - - - Reviewed by Geoffrey Garen. 
- - Increased the number of frames captured in VM::nativeStackTraceOfLastThrow() - from 25 to 100. From experience, I found that 25 is sometimes not sufficient - for our debugging needs. - - Also added VM::throwingThread() to track which thread an exception was thrown in. - This may be useful if the client is entering the VM from different threads. - - * runtime/ExceptionScope.cpp: - (JSC::ExceptionScope::unexpectedExceptionMessage): - (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException): - * runtime/ExceptionScope.h: - (JSC::ExceptionScope::exception): - (JSC::ExceptionScope::unexpectedExceptionMessage): - * runtime/VM.cpp: - (JSC::VM::throwException): - * runtime/VM.h: - (JSC::VM::throwingThread): - (JSC::VM::clearException): - -2017-05-10 Mark Lam - - Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer). - https://bugs.webkit.org/show_bug.cgi?id=160337 - - - Reviewed by Filip Pizlo and Geoffrey Garen. - - This is a workaround for . During thread initialization, - for some target platforms, thread state is momentarily set to 0 before being - filled in with the target thread's real register values. As a result, there's - a race condition that may result in us getting a null stackPointer during a GC scan. - This issue may manifest with workqueue threads where the OS may choose to recycle - a thread for an expired task. - - The workaround is simply to indicate that there's nothing to copy and return. - This is correct because we will only ever observe a null pointer during thread - initialization. Hence, by definition, there's nothing there that we need to scan - yet, and therefore, nothing that needs to be copied. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::tryCopyOtherThreadStack): - -2017-05-10 JF Bastien - - WebAssembly: support name section - - https://bugs.webkit.org/show_bug.cgi?id=171263 - - Reviewed by Keith Miller. 
- - The name section is an optional custom section in the WebAssembly - spec. At least when debugging, developers expect to be able to use - this section to obtain intelligible stack traces, otherwise we - just number the wasm functions which is somewhat painful. - - This patch parses this section, dropping its content eagerly on - error, and if there is a name section then backtraces use their - value instead of numbers. Otherwise we stick to numbers as before. - - Note that the format of name sections changed in mid-February: - https://github.com/WebAssembly/design/pull/984 - And binaryen was only updated in early March: - https://github.com/WebAssembly/binaryen/pull/933 - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * interpreter/Interpreter.cpp: - (JSC::GetStackTraceFunctor::operator()): - * interpreter/StackVisitor.cpp: - (JSC::StackVisitor::readNonInlinedFrame): - (JSC::StackVisitor::Frame::functionName): - * interpreter/StackVisitor.h: - (JSC::StackVisitor::Frame::wasmFunctionIndexOrName): - * runtime/StackFrame.cpp: - (JSC::StackFrame::functionName): - * runtime/StackFrame.h: - (JSC::StackFrame::StackFrame): - (JSC::StackFrame::wasm): - * wasm/WasmBBQPlanInlines.h: - (JSC::Wasm::BBQPlan::initializeCallees): - * wasm/WasmCallee.cpp: - (JSC::Wasm::Callee::Callee): - * wasm/WasmCallee.h: - (JSC::Wasm::Callee::create): - (JSC::Wasm::Callee::indexOrName): - * wasm/WasmFormat.cpp: - (JSC::Wasm::makeString): - * wasm/WasmFormat.h: - (JSC::Wasm::isValidExternalKind): - (JSC::Wasm::isValidNameType): - (JSC::Wasm::NameSection::get): - * wasm/WasmIndexOrName.cpp: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp. - (JSC::Wasm::IndexOrName::IndexOrName): - (JSC::Wasm::makeString): - * wasm/WasmIndexOrName.h: Copied from Source/JavaScriptCore/wasm/WasmFormat.cpp. - * wasm/WasmModuleInformation.h: - * wasm/WasmModuleParser.cpp: - * wasm/WasmName.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp. - * wasm/WasmNameSectionParser.cpp: Added. 
- * wasm/WasmNameSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp. - (JSC::Wasm::NameSectionParser::NameSectionParser): - * wasm/WasmOMGPlan.cpp: - (JSC::Wasm::OMGPlan::work): - * wasm/WasmParser.h: - (JSC::Wasm::Parser::consumeUTF8String): - -2017-05-10 Filip Pizlo - - Null pointer dereference in WTF::RefPtr::operator!() under slow_path_get_direct_pname - https://bugs.webkit.org/show_bug.cgi?id=171801 - - Reviewed by Michael Saboff. - - This was a goofy oversight. The for-in optimization relies on the bytecode generator - to detect when the loop's index variable gets mutated. We forgot to have the hooks for - detecting this in prefix and postfix operations (++i and i++). - - * bytecompiler/NodesCodegen.cpp: - (JSC::PostfixNode::emitResolve): - (JSC::PrefixNode::emitResolve): - -2017-05-10 Michael Catanzaro - - [GTK] -Wmissing-field-initializers triggered by RemoteInspectorServer.cpp:128 - https://bugs.webkit.org/show_bug.cgi?id=171273 - - Reviewed by Carlos Garcia Campos. - - * inspector/remote/glib/RemoteInspectorGlib.cpp: - * inspector/remote/glib/RemoteInspectorServer.cpp: - -2017-05-10 Adrian Perez de Castro - - Remove some last remnants of the EFL port - https://bugs.webkit.org/show_bug.cgi?id=171922 - - Reviewed by Antonio Gomes. - - The EFL port is no more. - - * PlatformEfl.cmake: Removed. - * shell/PlatformEfl.cmake: Removed. - -2017-05-09 Filip Pizlo - - JSInjectedScriptHost should get a copy of the boundArgs - https://bugs.webkit.org/show_bug.cgi?id=171897 - - Reviewed by Joseph Pecoraro. - - The boundArgs array is very special - it cannot be mutated in any way. So, it makes sense - for the inspector to get a copy of it. 
- - * inspector/JSInjectedScriptHost.cpp: - (Inspector::JSInjectedScriptHost::getInternalProperties): - * runtime/JSBoundFunction.cpp: - (JSC::JSBoundFunction::boundArgsCopy): - * runtime/JSBoundFunction.h: - (JSC::JSBoundFunction::boundArgs): - -2017-05-09 Mark Lam - - Unindent some code in Watchdog::shouldTerminate(). - https://bugs.webkit.org/show_bug.cgi?id=171896 - - Rubber stamped by Keith Miller. - - I should have done this before I landed r213107, but I forgot. Unindenting it now. - - * runtime/Watchdog.cpp: - (JSC::Watchdog::shouldTerminate): - -2017-05-09 Michael Saboff - - Cap the number of FTL compilation threads on iOS to 2 - https://bugs.webkit.org/show_bug.cgi?id=171887 - - Reviewed by Filip Pizlo. - - Set an iOS specific max of 2 threads. - - * runtime/Options.h: - -2017-05-09 Filip Pizlo - - Heap::heap() should behave gracefully for null pointers - https://bugs.webkit.org/show_bug.cgi?id=171888 - - - Reviewed by Mark Lam. - - Some callers of Heap::heap() can pass a null cell and they will behave gracefully if we - return a null Heap. So, let's do that. - - This fixes a crash and it does not hurt performance. I'm seeing a possible 0.5% regression - with 74% probability. That's a neutral result by our usual 95% standard. - - * heap/HeapInlines.h: - (JSC::Heap::heap): - -2017-05-09 Yusuke Suzuki - - Handle IDLPromise<> properly - https://bugs.webkit.org/show_bug.cgi?id=166752 - - Reviewed by Youenn Fablet. - - Add JSPromise::resolve static function. - This applies `Promise.resolve()` conversion to a given value. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::visitChildren): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::promiseResolveFunction): - * runtime/JSPromise.cpp: - (JSC::JSPromise::resolve): - * runtime/JSPromise.h: - -2017-05-09 Zan Dobersek - - Upstream the WPE port - https://bugs.webkit.org/show_bug.cgi?id=171110 - - Reviewed by Alex Christensen. - - * PlatformWPE.cmake: Added. 
- * shell/PlatformWPE.cmake: Added.
-
-2017-05-09 Saam Barati
-
- CallLinkInfos belonging to Wasm->JS stubs need to be informed when we clearCode() from all Executables
- https://bugs.webkit.org/show_bug.cgi?id=171707
-
-
- Reviewed by Filip Pizlo.
-
- This patch fixes a bug where a Wasm->JS IC call stub would go stale
- and point into a CodeBlock no longer owned by any executable. The
- problematic scenario is this:
-
- 1. We generate the call IC which has a branch on a callee check. This
- callee owns the Executable in question. If the branch succeeds, it
- will call code belonging to a particular CodeBlock associated with
- that Executable.
-
- 2. Heap::deleteAllCodeBlocks is called. This leads the Executable to clear
- its various CodeBlock references.
-
- 3. Wasm has no idea this happened, so now it has stale ICs that point into
- code from a CodeBlock no longer belonging to an Executable.
-
- This patch fixes the bug by informing all JSWebAssemblyCodeBlocks to unlink
- their CallLinkInfo when Heap::deleteAllCodeBlocks is called.
-
- We track all JSWebAssemblyCodeBlocks by creating a new subspace for them.
- This allows us to quickly iterate over the live JSWebAssemblyCodeBlocks in the
- heap.
-
- * CMakeLists.txt:
- * JavaScriptCore.xcodeproj/project.pbxproj:
- * heap/Heap.cpp:
- (JSC::Heap::deleteAllCodeBlocks):
- * heap/Subspace.h:
- * heap/SubspaceInlines.h:
- (JSC::Subspace::forEachLiveCell):
- * runtime/VM.cpp:
- (JSC::VM::VM):
- * runtime/VM.h:
- * wasm/js/JSWebAssemblyCodeBlock.cpp:
- (JSC::JSWebAssemblyCodeBlock::clearJSCallICs):
- * wasm/js/JSWebAssemblyCodeBlock.h:
- (JSC::JSWebAssemblyCodeBlock::createStructure): Deleted.
- (JSC::JSWebAssemblyCodeBlock::functionImportCount): Deleted.
- (JSC::JSWebAssemblyCodeBlock::module): Deleted.
- (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
- (JSC::JSWebAssemblyCodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
- (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport): Deleted.
- (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub): Deleted.
- (JSC::JSWebAssemblyCodeBlock::codeBlock): Deleted.
- (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs): Deleted.
- (JSC::JSWebAssemblyCodeBlock::allocationSize): Deleted.
- (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub): Deleted.
- * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Added.
- (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
- (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace):
- (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
- (JSC::JSWebAssemblyCodeBlockSubspace::destroy):
- * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Added.
-
-2017-05-08 Saam Barati
-
- testWasmBoundsCheck and testCallFunctionWithHellaArguments is broken in testb3
- https://bugs.webkit.org/show_bug.cgi?id=171392
-
-
- Reviewed by Keith Miller.
-
- This patch fixes two bugs. The first one is:
- Inside testb3, we were using the wrong WasmBoundsCheckValue constructor.
- Everything compiled OK because of implicit casting in C. I've changed one
- of the constructors to take arguments in a different order so we don't
- run into this problem again.
-
- The second bug was that Air::ShufflePair::inst was assuming that a move
- from BigImm to its destination is always valid. This is not the case.
- For example, the store, `Move BigImm, Addr` is not allowed. I refactored
- the code to be correct by emitting more than one instruction when needeed.
-
- When testing my changes, I ran ARM64 testb3 both in debug and
- release. I ran into many pre-existing failures. I've opened
- a new bug to fix those here: https://bugs.webkit.org/show_bug.cgi?id=171826
-
- * b3/B3WasmBoundsCheckValue.cpp:
- (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
- * b3/B3WasmBoundsCheckValue.h:
- * b3/air/AirEmitShuffle.cpp:
- (JSC::B3::Air::ShufflePair::insts):
- (JSC::B3::Air::ShufflePair::inst): Deleted.
- * b3/air/AirEmitShuffle.h:
- * b3/air/AirLowerMacros.cpp:
- (JSC::B3::Air::lowerMacros):
- * b3/testb3.cpp:
- (JSC::B3::testLoadAcq42):
- (JSC::B3::testStoreRelAddLoadAcq32):
- (JSC::B3::testStoreRelAddLoadAcq8):
- (JSC::B3::testStoreRelAddFenceLoadAcq8):
- (JSC::B3::testStoreRelAddLoadAcq16):
- (JSC::B3::testStoreRelAddLoadAcq64):
- (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
- (JSC::B3::testCheckMul):
- (JSC::B3::testCheckMulMemory):
- (JSC::B3::testCheckMul64):
- (JSC::B3::testCheckMulFold):
- (JSC::B3::testCheckMulFoldFail):
- (JSC::B3::testCheckMulArgumentAliasing64):
- (JSC::B3::testCheckMulArgumentAliasing32):
- (JSC::B3::testCheckMul64SShr):
- (JSC::B3::testCallFunctionWithHellaArguments):
- (JSC::B3::functionWithHellaArguments2):
- (JSC::B3::testCallFunctionWithHellaArguments2):
- (JSC::B3::functionWithHellaArguments3):
- (JSC::B3::testCallFunctionWithHellaArguments3):
- (JSC::B3::testSpillDefSmallerThanUse):
- (JSC::B3::testLateRegister):
- (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
- (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
- (JSC::B3::testMoveConstants):
- (JSC::B3::testAtomicWeakCAS):
- (JSC::B3::testAtomicStrongCAS):
- (JSC::B3::testAtomicXchg):
- (JSC::B3::testWasmBoundsCheck):
- (JSC::B3::run):
- * wasm/WasmB3IRGenerator.cpp:
- (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
-
-2017-05-08 Filip Pizlo
-
- Expose a function to get proxy targets
- https://bugs.webkit.org/show_bug.cgi?id=171797
-
-
- Reviewed by Mark Lam.
-
- This exposes a new private API function, JSObjectGetProxyTarget(), that gets the target of a
- proxy. It works with both ProxyObject and JSProxy, but it's primarily intended for use with
- JSProxy.
-
- * API/JSObjectRef.cpp:
- (JSObjectGetProxyTarget):
- * API/JSObjectRefPrivate.h:
- * API/tests/JSObjectGetProxyTargetTest.cpp: Added.
- (testJSObjectGetProxyTarget):
- * API/tests/JSObjectGetProxyTargetTest.h: Added.
- * API/tests/testapi.c:
- (main):
- * JavaScriptCore.xcodeproj/project.pbxproj:
- * runtime/ProxyObject.h:
- * shell/PlatformWin.cmake:
-
-2017-05-08 Mark Lam
-
- op_throw_static_error's use of its first operand should be reflected in DFG BytecodeUseDef as well.
- https://bugs.webkit.org/show_bug.cgi?id=171786
-
-
- Reviewed by Saam Barati.
-
- * bytecode/BytecodeDumper.cpp:
- (JSC::BytecodeDumper::dumpBytecode):
- - Fix BytecodeDumper to dump op_throw_static_error correctly. Previously,
- it was expecting op1 to always be a constant. r206870 changed it to take a
- variable string as well.
-
- * bytecode/BytecodeUseDef.h:
- (JSC::computeUsesForBytecodeOffset):
- - Fix the bug.
-
- * dfg/DFGByteCodeParser.cpp:
- (JSC::DFG::ByteCodeParser::parseBlock):
- - Move the Phantom of op1 after the ThrowStaticError node, because technically,
- the ThrowStaticError represents op_throw_static_error, and op_throw_static_error
- uses op1. In practice, this probably doesn't matter, but let's have the code
- accurately communicate the behavior we're expecting.
-
-2017-05-08 JF Bastien
-
- WebAssembly: don't just emit extended offset adds for patch
- https://bugs.webkit.org/show_bug.cgi?id=171799
-
- Reviewed by Mark Lam.
-
- It isn't necessary to restrict.
-
- * b3/air/AirLowerStackArgs.cpp:
- (JSC::B3::Air::lowerStackArgs):
-
-2017-05-08 Mark Lam
-
- Introduce ExceptionScope::assertNoException() and releaseAssertNoException().
- https://bugs.webkit.org/show_bug.cgi?id=171776
-
- Reviewed by Keith Miller.
-
- Instead of ASSERT(!scope.exception()), we can now do scope.assertNoException().
- Ditto for RELEASE_ASSERT and scope.releaseAssertNoException().
-
- The advantage of using ExceptionScope::assertNoException() and
- releaseAssertNoException() is that if the assertion fails, these utility
- functions will print the stack trace for where the unexpected exception is
- detected as well as where the unexpected exception was thrown from.
This makes
- it much easier to debug the source of unhandled exceptions.
-
- * debugger/Debugger.cpp:
- (JSC::Debugger::pauseIfNeeded):
- * dfg/DFGOperations.cpp:
- * interpreter/Interpreter.cpp:
- (JSC::eval):
- (JSC::notifyDebuggerOfUnwinding):
- (JSC::Interpreter::executeProgram):
- (JSC::Interpreter::executeCall):
- (JSC::Interpreter::executeConstruct):
- (JSC::Interpreter::prepareForRepeatCall):
- (JSC::Interpreter::execute):
- (JSC::Interpreter::debug):
- * interpreter/ShadowChicken.cpp:
- (JSC::ShadowChicken::functionsOnStack):
- * jsc.cpp:
- (GlobalObject::moduleLoaderResolve):
- (GlobalObject::moduleLoaderFetch):
- (functionGenerateHeapSnapshot):
- (functionSamplingProfilerStackTraces):
- (box):
- (runWithScripts):
- * runtime/AbstractModuleRecord.cpp:
- (JSC::AbstractModuleRecord::finishCreation):
- * runtime/ArrayPrototype.cpp:
- (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
- * runtime/Completion.cpp:
- (JSC::rejectPromise):
- * runtime/ErrorInstance.cpp:
- (JSC::ErrorInstance::sanitizedToString):
- * runtime/ExceptionHelpers.cpp:
- (JSC::createError):
- * runtime/ExceptionScope.cpp:
- (JSC::ExceptionScope::unexpectedExceptionMessage):
- * runtime/ExceptionScope.h:
- (JSC::ExceptionScope::assertNoException):
- (JSC::ExceptionScope::releaseAssertNoException):
- (JSC::ExceptionScope::unexpectedExceptionMessage):
- * runtime/GenericArgumentsInlines.h:
- (JSC::GenericArguments::defineOwnProperty):
- * runtime/IntlCollator.cpp:
- (JSC::IntlCollator::createCollator):
- (JSC::IntlCollator::resolvedOptions):
- * runtime/IntlDateTimeFormat.cpp:
- (JSC::IntlDateTimeFormat::resolvedOptions):
- (JSC::IntlDateTimeFormat::format):
- * runtime/IntlNumberFormat.cpp:
- (JSC::IntlNumberFormat::createNumberFormat):
- (JSC::IntlNumberFormat::resolvedOptions):
- * runtime/JSCJSValue.cpp:
- (JSC::JSValue::putToPrimitiveByIndex):
- * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
- (JSC::genericTypedArrayViewProtoFuncIncludes):
-
(JSC::genericTypedArrayViewProtoFuncIndexOf):
- (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
- (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
- * runtime/JSGlobalObject.cpp:
- (JSC::JSGlobalObject::init):
- * runtime/JSGlobalObjectFunctions.cpp:
- (JSC::globalFuncHostPromiseRejectionTracker):
- * runtime/JSModuleEnvironment.cpp:
- (JSC::JSModuleEnvironment::getOwnPropertySlot):
- * runtime/JSModuleLoader.cpp:
- (JSC::JSModuleLoader::finishCreation):
- * runtime/JSModuleNamespaceObject.cpp:
- (JSC::JSModuleNamespaceObject::finishCreation):
- * runtime/JSONObject.cpp:
- (JSC::Stringifier::toJSON):
- * runtime/JSObject.cpp:
- (JSC::JSObject::ordinaryToPrimitive):
- * runtime/JSPropertyNameEnumerator.h:
- (JSC::propertyNameEnumerator):
- * runtime/ObjectConstructor.cpp:
- (JSC::objectConstructorGetOwnPropertyDescriptors):
- (JSC::objectConstructorDefineProperty):
- * runtime/ObjectPrototype.cpp:
- (JSC::objectProtoFuncHasOwnProperty):
- * runtime/ProgramExecutable.cpp:
- (JSC::ProgramExecutable::initializeGlobalProperties):
- * runtime/ReflectObject.cpp:
- (JSC::reflectObjectDefineProperty):
- * runtime/SamplingProfiler.cpp:
- (JSC::SamplingProfiler::StackFrame::nameFromCallee):
- * runtime/StringPrototype.cpp:
- (JSC::stringProtoFuncRepeatCharacter):
- * runtime/TemplateRegistry.cpp:
- (JSC::TemplateRegistry::getTemplateObject):
- * runtime/VM.cpp:
- (JSC::VM::throwException):
- * runtime/VM.h:
- (JSC::VM::nativeStackTraceOfLastThrow):
- (JSC::VM::clearException):
- * wasm/WasmB3IRGenerator.cpp:
- * wasm/js/JSWebAssemblyInstance.cpp:
- (JSC::JSWebAssemblyInstance::create):
-
-2017-05-06 Bill Ming
-
- Fix 32bit Windows build by giving correct parameters to MASM
- https://bugs.webkit.org/show_bug.cgi?id=170833
-
- Reviewed by Alex Christensen.
-
- * CMakeLists.txt:
-
-2017-05-06 Oleksandr Skachkov
-
- [ES6] Arrow function.
Issue in access to this after eval('super()') within constructor
- https://bugs.webkit.org/show_bug.cgi?id=171543
-
- Reviewed by Saam Barati.
-
- Current patch force to use 'this' within arrow function or eval
- from virtual scope each time, instead of using thisRegister.
-
- * bytecompiler/BytecodeGenerator.cpp:
- (JSC::BytecodeGenerator::ensureThis):
-
-2017-05-05 Keith Miller
-
- Put does not properly consult the prototype chain
- https://bugs.webkit.org/show_bug.cgi?id=171754
-
- Reviewed by Saam Barati.
-
- We should do a follow up that cleans up the rest of put. See:
- https://bugs.webkit.org/show_bug.cgi?id=171759
-
- * runtime/JSCJSValue.cpp:
- (JSC::JSValue::putToPrimitive):
- * runtime/JSObject.cpp:
- (JSC::JSObject::putInlineSlow):
- * runtime/JSObjectInlines.h:
- (JSC::JSObject::canPerformFastPutInline):
-
-2017-05-05 JF Bastien
-
- WebAssembly: Air::Inst::generate crashes on large binary on A64
- https://bugs.webkit.org/show_bug.cgi?id=170215
-
- Reviewed by Filip Pizlo.
-
- ARM can't encode all offsets in a single instruction. We usualy
- handle this type of detail early, or the macro assembler uses a
- scratch register to take care of the large immediate. After
- register allocation we assumed that we would never get large
- offsets, and asserted this was the case. That was a fine
- assumption with JavaScript, but WebAssembly ends up generating
- stack frames which are too big to encode.
-
- There are two places that needed to be fixed:
- 1. AirGenerate
- 2. AirLowerStackArgs
-
- We now unconditionally pin the dataTempRegister on ARM64, and use
- it when immediates don't fit.
-
- Number 1. is easy: we're just incrementing SP, make sure we can
- use a scratch register when that happens.
-
- Number 2. is more complex: not all Inst can receive a stack
- argument whose base register isn't SP or FP.
Specifically,
- Patchpoints and Stackmaps get very sad because they just want to
- know the offset value, but when we materialize the offset as
- follows:
-
- Move (spill337), (spill201), %r0, @8735
-
- Becomes (where %r16 is dataTempRegister):
- Move $1404, %r16, @8736
- Add64 %sp, %r16, @8736
- Move (%r16), 2032(%sp), %r0, @8736
-
- The code currently doesn't see through our little dance. To work
- around this issue we introduce a new Air Arg kind:
- ExtendedOffsetAddr. This is the same as a regular Addr, but with
- an offset which may be too big to encode. Opcodes then declare
- whether their arguments can handle such inputs, and if so we
- generate them, otherwise we generate Addr as shown above.
-
- None of this affects x86 because it can always encode large
- immediates.
-
- This patch also drive-by converts some uses of `override` to
- `final`. It makes the code easier to grok, and maybe helps the
- optimizer sometimes but really that doens't matter.
-
- * assembler/MacroAssembler.h:
- * assembler/MacroAssemblerARM64.h:
- * b3/B3CheckSpecial.cpp:
- (JSC::B3::CheckSpecial::admitsExtendedOffsetAddr):
- * b3/B3CheckSpecial.h:
- * b3/B3Common.cpp:
- (JSC::B3::pinnedExtendedOffsetAddrRegister): keep the CPU-specific
- pinning information in a cpp file
- * b3/B3Common.h:
- * b3/B3PatchpointSpecial.cpp:
- (JSC::B3::PatchpointSpecial::admitsExtendedOffsetAddr):
- * b3/B3PatchpointSpecial.h:
- * b3/B3StackmapSpecial.cpp:
- (JSC::B3::StackmapSpecial::isArgValidForRep):
- (JSC::B3::StackmapSpecial::repForArg):
- * b3/B3StackmapSpecial.h:
- * b3/air/AirArg.cpp:
- (JSC::B3::Air::Arg::isStackMemory):
- (JSC::B3::Air::Arg::jsHash):
- (JSC::B3::Air::Arg::dump):
- (WTF::printInternal):
- (JSC::B3::Air::Arg::stackAddrImpl): Deleted. There was only one
- use of this (in AirLowerStackArgs) and it was now confusing to
- split the logic up between these two. Inline the code that used to
- be here into its one usepoint instead.
- * b3/air/AirArg.h:
- (JSC::B3::Air::Arg::extendedOffsetAddr):
- (JSC::B3::Air::Arg::isExtendedOffsetAddr):
- (JSC::B3::Air::Arg::isMemory):
- (JSC::B3::Air::Arg::base):
- (JSC::B3::Air::Arg::offset):
- (JSC::B3::Air::Arg::isGP):
- (JSC::B3::Air::Arg::isFP):
- (JSC::B3::Air::Arg::isValidForm):
- (JSC::B3::Air::Arg::forEachTmpFast):
- (JSC::B3::Air::Arg::forEachTmp):
- (JSC::B3::Air::Arg::asAddress):
- (JSC::B3::Air::Arg::stackAddr): Deleted.
- * b3/air/AirCCallSpecial.cpp:
- (JSC::B3::Air::CCallSpecial::isValid):
- (JSC::B3::Air::CCallSpecial::admitsExtendedOffsetAddr):
- (JSC::B3::Air::CCallSpecial::generate):
- * b3/air/AirCCallSpecial.h:
- * b3/air/AirCode.cpp:
- (JSC::B3::Air::Code::Code):
- (JSC::B3::Air::Code::pinRegister): Check that the register wasn't
- pinned before pinning it. It's likely a bug to pin the same
- register twice.
- * b3/air/AirCustom.h:
- (JSC::B3::Air::PatchCustom::admitsExtendedOffsetAddr):
- (JSC::B3::Air::CCallCustom::admitsExtendedOffsetAddr):
- (JSC::B3::Air::ShuffleCustom::admitsExtendedOffsetAddr):
- (JSC::B3::Air::EntrySwitchCustom::admitsExtendedOffsetAddr):
- (JSC::B3::Air::WasmBoundsCheckCustom::admitsExtendedOffsetAddr):
- * b3/air/AirGenerate.cpp:
- (JSC::B3::Air::generate):
- * b3/air/AirInst.h:
- * b3/air/AirInstInlines.h:
- (JSC::B3::Air::Inst::admitsExtendedOffsetAddr):
- * b3/air/AirLowerStackArgs.cpp:
- (JSC::B3::Air::lowerStackArgs):
- * b3/air/AirPrintSpecial.cpp:
- (JSC::B3::Air::PrintSpecial::admitsExtendedOffsetAddr):
- (JSC::B3::Air::PrintSpecial::generate):
- * b3/air/AirPrintSpecial.h:
- * b3/air/AirSpecial.h:
- * b3/air/opcode_generator.rb:
-
-2017-05-05 Oliver Hunt
-
- Move trivial String prototype functions to JS builtins
- https://bugs.webkit.org/show_bug.cgi?id=171737
-
- Reviewed by Saam Barati.
-
- Super simple change to migrate all of the old school
- html-ifying string operations to builtin JS.
-
- Core implementation is basically a 1-for-1 match to the spec.
-
- * builtins/StringPrototype.js:
- (globalPrivate.createHTML):
- (anchor):
- (big):
- (blink):
- (bold):
- (fixed):
- (fontcolor):
- (fontsize):
- (italics):
- (link):
- (small):
- (strike):
- (sub):
- (sup):
- * runtime/StringPrototype.cpp:
- (JSC::StringPrototype::finishCreation):
- (JSC::stringProtoFuncBig): Deleted.
- (JSC::stringProtoFuncSmall): Deleted.
- (JSC::stringProtoFuncBlink): Deleted.
- (JSC::stringProtoFuncBold): Deleted.
- (JSC::stringProtoFuncFixed): Deleted.
- (JSC::stringProtoFuncItalics): Deleted.
- (JSC::stringProtoFuncStrike): Deleted.
- (JSC::stringProtoFuncSub): Deleted.
- (JSC::stringProtoFuncSup): Deleted.
- (JSC::stringProtoFuncFontcolor): Deleted.
- (JSC::stringProtoFuncFontsize): Deleted.
- (JSC::stringProtoFuncAnchor): Deleted.
- (JSC::stringProtoFuncLink): Deleted.
-
-2017-05-05 Don Olmstead
-
- [JSC] Remove export from Intrinsic
- https://bugs.webkit.org/show_bug.cgi?id=171752
-
- Reviewed by Alexey Proskuryakov.
-
- * runtime/Intrinsic.h:
-
-2017-05-05 Saam Barati
-
- putDirectIndex does not properly do defineOwnProperty
- https://bugs.webkit.org/show_bug.cgi?id=171591
-
-
- Reviewed by Geoffrey Garen.
-
- This patch fixes putDirectIndex and its JIT implementations to be
- compatible with the ES6 spec. I think our code became out of date
- when we implemented ArraySpeciesCreate since ArraySpeciesCreate may
- return arbitrary objects. We perform putDirectIndex on that arbitrary
- object. The behavior we want is as if we performed defineProperty({configurable:true, enumerable:true, writable:true}).
- However, we weren't doing this. putDirectIndex assumed it could just splat
- data into any descendent of JSObject's butterfly. For example, this means
- we'd just splat into the butterfly of a typed array, even though a typed
- array doesn't use its butterfly to store its indexed properties in the usual
- way. Also, typed array properties are non-configurable, so this operation
- should throw.
This also means if we saw a ProxyObject, we'd just splat
- into its butterfly, but this is obviously wrong because ProxyObject should
- intercept the defineProperty operation.
-
- This patch fixes this issue by adding a whitelist of cell types that can
- go down putDirectIndex's fast path. Anything not in that whitelist will
- simply call into defineOwnProperty.
-
- * bytecode/ByValInfo.h:
- (JSC::jitArrayModePermitsPutDirect):
- * dfg/DFGArrayMode.cpp:
- (JSC::DFG::ArrayMode::refine):
- * jit/JITOperations.cpp:
- * runtime/ArrayPrototype.cpp:
- (JSC::arrayProtoFuncSplice):
- * runtime/ClonedArguments.cpp:
- (JSC::ClonedArguments::createStructure):
- * runtime/JSGenericTypedArrayViewInlines.h:
- (JSC::JSGenericTypedArrayView::defineOwnProperty):
- * runtime/JSObject.cpp:
- (JSC::canDoFastPutDirectIndex):
- (JSC::JSObject::defineOwnIndexedProperty):
- (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
- (JSC::JSObject::putDirectIndexBeyondVectorLength): Deleted.
- * runtime/JSObject.h:
- (JSC::JSObject::putDirectIndex):
- (JSC::JSObject::canSetIndexQuicklyForPutDirect): Deleted.
- * runtime/JSType.h:
-
-2017-05-05 Guillaume Emont
-
- [JSC] include JSCInlines.h in ObjectInitializationScope.cpp
- https://bugs.webkit.org/show_bug.cgi?id=171744
-
- Reviewed by Mark Lam.
-
- * runtime/ObjectInitializationScope.cpp:
-
-
-2017-05-05 Carlos Garcia Campos
-
- [GTK] Assertion failure in Inspector::RemoteInspector::setRemoteInspectorClient when disposing WebKitWebContext
- https://bugs.webkit.org/show_bug.cgi?id=171644
-
- Reviewed by Michael Catanzaro.
-
- Fix ASSERT that requires given client to be a valid pointer, since it's valid to pass nullptr to unset the
- client. The ASSERT now ensures that client is set or unset. I also renamed the function to setClient because
- setRemoteInspectorClient is redundant for a class named RemoteInspector. And added a getter too, to check if the
- remote inspector has a client.
-
- * inspector/remote/RemoteInspector.cpp:
- (Inspector::RemoteInspector::setClient):
- * inspector/remote/RemoteInspector.h:
-
-2017-05-04 Commit Queue
-
- Unreviewed, rolling out r216206.
- https://bugs.webkit.org/show_bug.cgi?id=171714
-
- Multiple LayoutTests crashing in Document::page() (Requested
- by ap on #webkit).
-
- Reverted changeset:
-
- "Remove support for legacy Notifications"
- https://bugs.webkit.org/show_bug.cgi?id=171487
- http://trac.webkit.org/changeset/216206
-
-2017-05-04 Don Olmstead
-
- [Win] Remove redundant macros that are set in the CMake config
- https://bugs.webkit.org/show_bug.cgi?id=171571
-
- Reviewed by Brent Fulgham.
-
- * config.h:
-
-2017-05-04 Mark Lam
-
- Gardening: Build fix for Windows after r216217.
- https://bugs.webkit.org/show_bug.cgi?id=171586
-
- Not reviewed.
-
- * shell/PlatformWin.cmake:
-
-2017-05-04 Filip Pizlo
-
- JSC::Heap should expose a richer API for requesting GCs
- https://bugs.webkit.org/show_bug.cgi?id=171690
-
- Reviewed by Geoffrey Garen.
-
- I want to stop WebCore from requesting synchronous GCs. But various parts of that work
- may cause regressions, so I'd like to land it separately from the functionality that is
- needed on the JSC side. This change is mostly a JSC-side refactoring that does not
- change behavior. In the future I'll land the behavior changes (i.e. not requesting sync
- GCs).
-
- This change allows you to enumerate over synchronousness, so that we can make all APIs
- take synchronousness as an argument. It replaces the collectAllGarbage API with a
- collectNow(Synchronousness, GCRequest) API. GCRequest is a new concept, which subsumes
- std::optional and gives us the ability to register callbacks along
- with a GC. So, you can ask for an async GC and get a callback when it's done.
-
- Also adds ability to request that fastMalloc memory be released after the incremental
- sweeper finishes.
- - * API/JSBase.cpp: - (JSSynchronousGarbageCollectForDebugging): - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/FullGCActivityCallback.cpp: - (JSC::FullGCActivityCallback::doCollection): - * heap/FullGCActivityCallback.h: - * heap/GCRequest.cpp: Added. - (JSC::GCRequest::subsumedBy): - (JSC::GCRequest::dump): - * heap/GCRequest.h: Added. - (JSC::GCRequest::GCRequest): - * heap/Heap.cpp: - (JSC::Heap::collect): - (JSC::Heap::collectNow): - (JSC::Heap::collectAsync): - (JSC::Heap::collectSync): - (JSC::Heap::runBeginPhase): - (JSC::Heap::runEndPhase): + (JSC::Heap::runNotRunningPhase): (JSC::Heap::requestCollection): - (JSC::Heap::willStartCollection): - (JSC::Heap::sweeper): - (JSC::Heap::collectNowFullIfNotDoneRecently): - (JSC::Heap::shouldDoFullCollection): - (JSC::Heap::collectAllGarbage): Deleted. - (JSC::Heap::collectAllGarbageIfNotDoneRecently): Deleted. * heap/Heap.h: - * heap/HeapSnapshotBuilder.cpp: - (JSC::HeapSnapshotBuilder::buildSnapshot): - * heap/IncrementalSweeper.cpp: - (JSC::IncrementalSweeper::doSweep): - * heap/IncrementalSweeper.h: - (JSC::IncrementalSweeper::freeFastMallocMemoryAfterSweeping): - * heap/MarkedAllocator.cpp: - (JSC::MarkedAllocator::doTestCollectionsIfNeeded): - * heap/MarkedSpace.cpp: - (JSC::MarkedSpace::sweep): - * heap/Synchronousness.cpp: Added. - (WTF::printInternal): - * heap/Synchronousness.h: Added. - * inspector/agents/InspectorHeapAgent.cpp: - (Inspector::InspectorHeapAgent::gc): - * jsc.cpp: - (functionGCAndSweep): - (runJSC): - * tools/JSDollarVMPrototype.cpp: - (JSC::JSDollarVMPrototype::gc): - * wasm/WasmMemory.cpp: -2017-05-04 Mark Lam +2019-07-12 Keith Miller - NeverDestroyed(ASCIILiteral(...)) is not thread safe. - https://bugs.webkit.org/show_bug.cgi?id=171586 - - - Reviewed by Yusuke Suzuki. - - JavaScriptCore allows multiple VMs to be instantiated, and each of these should - be able to run concurrently on different threads. 
There is code in the VM that
- allocates NeverDestroyed(ASCIILiteral(...)) to defined immortal strings
- meant to be shared by all VMs.
-
- However, NeverDestroyed(ASCIILiteral(...)) is not thread-safe because
- each thread will ref and deref the underlying StringImpl. Since this ref and
- deref is not done in a thread-safe way, the NeverDestroyed may get
- destroyed due to the ref/deref races. Additionally, each thread may modify the
- StringImpl by setting its hash and also twiddling its flags.
-
- The fix is to use the StaticStringImpl class which is safe for ref/derefing
- concurrently from different threads. StaticStringImpl is also pre-set with a
- hash on construction, and its flags are set in such a way as to prevent twiddling
- at runtime. Hence, we will be able to share a NeverDestroyed between
- VMs, as long as it is backed by a StaticStringImpl.
-
- An alternative solution would be to change all the uses of NeverDestroyed
- to use per-VM strings. However, this solution is cumbersome, and makes it harder
- to allocate the intended shared string. It also uses more memory and takes more
- CPU time because it requires allocating the same string for each VM instance.
- The StaticStringImpl solution wins out because it is more efficient and is easier
- to use.
-
- The StaticStringImpl solution also can be used in WTF without a layer violation.
- See Source/WTF/wtf/text/icu/TextBreakIteratorICU.h for an example.
-
- Also added the MultithreadedMultiVMExecutionTest which runs multiple VMs in
- multiple threads, all banging on the BuiltinExecutable's baseConstructorCode
- NeverDestroyed. The test will manifest the issue reliably (before this
- fix) if run on an ASAN build.
-
- * API/tests/MultithreadedMultiVMExecutionTest.cpp: Added.
- (threadsList):
- (startMultithreadedMultiVMExecutionTest):
- (finalizeMultithreadedMultiVMExecutionTest):
- * API/tests/MultithreadedMultiVMExecutionTest.h: Added.
- * API/tests/testapi.c:
- (main):
- * JavaScriptCore.xcodeproj/project.pbxproj:
- * builtins/BuiltinExecutables.cpp:
- (JSC::BuiltinExecutables::createDefaultConstructor):
- * inspector/agents/InspectorDebuggerAgent.cpp:
- (Inspector::objectGroupForBreakpointAction):
- * replay/scripts/CodeGeneratorReplayInputsTemplates.py:
- * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- (JSC::InputTraits::type):
- * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- (JSC::InputTraits::type):
- * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- (JSC::InputTraits::type):
- * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
- (JSC::InputTraits::type):
- (JSC::InputTraits::type):
- * runtime/IntlObject.cpp:
- (JSC::numberingSystemsForLocale):
-
-2017-05-04 Sam Weinig
-
- Remove support for legacy Notifications
- https://bugs.webkit.org/show_bug.cgi?id=171487
-
- Reviewed by Jon Lee.
-
- * Configurations/FeatureDefines.xcconfig:
- Remove definition of ENABLE_LEGACY_NOTIFICATIONS.
-
-2017-05-04 Konstantin Tokarev
-
- Fix compilation with ICU 59.1
- https://bugs.webkit.org/show_bug.cgi?id=171612
-
- Reviewed by Mark Lam.
-
- ICU 59.1 has broken source compatibility.
Now it defines UChar as - char16_t, which does not allow automatic type conversion from unsigned - short in C++ code. - - * API/JSStringRef.cpp: - (JSStringCreateWithCharacters): - (JSStringCreateWithCharactersNoCopy): - (JSStringGetCharactersPtr): - * runtime/DateConversion.cpp: - (JSC::formatDateTime): - -2017-05-04 Saam Barati - - stress/call-apply-exponential-bytecode-size.js.no-llint failing on 32-bit debug for OOM on executable memory - https://bugs.webkit.org/show_bug.cgi?id=171008 - - Reviewed by Yusuke Suzuki. - - This patch lowers the threshold for .call/.apply recursion - in an attempt to emit less code and not impact perf. - We're currently failing tests on x86-32 by running out - of executable memory. If perf gets impacted because of this, - then I'll apply a stricter change just to 32-bit platforms. - However, if this doesn't negatively impact perf, it's all around - better than all platforms emit less bytecode. - - * bytecompiler/NodesCodegen.cpp: - -2017-05-04 Yusuke Suzuki - - [JSC] Math unary functions should be handled by DFG - https://bugs.webkit.org/show_bug.cgi?id=171269 + Add API to get all the dependencies of a given JSScript + https://bugs.webkit.org/show_bug.cgi?id=199746 Reviewed by Saam Barati. - ArithSin, ArithCos, and ArithLog are just calling a C runtime function. - While handling them in DFG is not very effective for performance, they - can drop some type checks & value conversions and mark them as pure - operations. It is effective if they are involved in some complex - optimization phase. Actually, ArithLog is effective in kraken. + The method only returns the dependencies if the module was + actually evaluated. Technically, we know what the dependencies are + at the satisfy phase but for API simplicity we only provide that + information if the module graph was complete enough to at least + run. - While a few of Math functions have DFG nodes, basically math functions - are pure. 
And large part of these functions are just calling a C runtime
- function. This patch generalizes these nodes in DFG as ArithUnary. And
- we annotate many unary math functions with Intrinsics and convert them
- to ArithUnary in DFG. It also cleans up duplicate code in ArithSin,
- ArithCos, and ArithLog. If your math function has some good DFG / FTL
- optimization rather than calling a C runtime function, you should add
- a specialized DFG node, like ArithSqrt.
+ This patch also fixes an issue where we would allow import
+ specifiers that didn't start "./" or "/". For reference, We have
+ this restriction to be consistent with the web/node. The
+ restriction exists in order to preserve namespace for
+ builtin-modules.
- We also create a new namespace JSC::Math. Inside it, we collect math functions.
+ Lastly, this patch makes it so that we copy all scripts in the
+ API/tests/testapiScripts directory so they don't have to be
+ individually added to the xcode project.
+ * API/JSAPIGlobalObject.mm:
+ (JSC::computeValidImportSpecifier):
+ (JSC::JSAPIGlobalObject::moduleLoaderResolve):
+ (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
+ * API/JSContext.mm:
+ (-[JSContext dependencyIdentifiersForModuleJSScript:]):
+ * API/JSContextPrivate.h:
+ * API/JSScript.h:
+ * API/tests/testapi.mm:
+ (testFetchWithTwoCycle):
+ (testFetchWithThreeCycle):
+ (testModuleBytecodeCache):
+ (+[JSContextFileLoaderDelegate newContext]):
+ (-[JSContextFileLoaderDelegate fetchModuleScript:]):
+ (-[JSContextFileLoaderDelegate findScriptForKey:]):
+ (-[JSContextFileLoaderDelegate context:fetchModuleForIdentifier:withResolveHandler:andRejectHandler:]):
+ (testDependenciesArray):
+ (testDependenciesEvaluationError):
+ (testDependenciesSyntaxError):
+ (testDependenciesBadImportId):
+ (testDependenciesMissingImport):
+ (testObjectiveCAPI):
+ * API/tests/testapiScripts/dependencyListTests/badModuleImportId.js: Added.
+ * API/tests/testapiScripts/dependencyListTests/bar.js: Added.
+ * API/tests/testapiScripts/dependencyListTests/dependenciesEntry.js: Added.
+ * API/tests/testapiScripts/dependencyListTests/foo.js: Added.
+ * API/tests/testapiScripts/dependencyListTests/missingImport.js: Added.
+ * API/tests/testapiScripts/dependencyListTests/referenceError.js: Added.
+ * API/tests/testapiScripts/dependencyListTests/syntaxError.js: Added.
+ * API/tests/testapiScripts/testapi-function-overrides.js: Renamed from Source/JavaScriptCore/API/tests/testapi-function-overrides.js.
+ * API/tests/testapiScripts/testapi.js: Renamed from Source/JavaScriptCore/API/tests/testapi.js.
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * builtins/ModuleLoader.js:
+ (dependencyKeysIfEvaluated):
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::dependencyKeysIfEvaluated):
+ * runtime/JSModuleLoader.h:
+ * shell/CMakeLists.txt:
+
+2019-07-12 Justin Michaud
+
+ B3 should reduce (integer) Sub(Neg(x), y) to Neg(Add(x, y))
+ https://bugs.webkit.org/show_bug.cgi?id=196371
+
+ Reviewed by Keith Miller.
+
+ Adding these strength reductions gives 2x a (x86) and 3x (arm64) performance improvement
+ on the microbenchmark.
+
+ * b3/B3ReduceStrength.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testSubSub):
+ (JSC::B3::testSubSub2):
+ (JSC::B3::testSubAdd):
+ (JSC::B3::testSubFirstNeg):
+ (JSC::B3::run):
+
+2019-07-12 Caio Lima
+
+ [BigInt] Add ValueBitLShift into DFG
+ https://bugs.webkit.org/show_bug.cgi?id=192664
+
+ Reviewed by Saam Barati.
+
+ This patch is splitting the `BitLShift` into `ArithBitLShift` and
+ `ValueBitLShift` to handle BigInt speculation more efficiently during
+ DFG and FTL layers. Following the same approach of other `ValueBitOps`,
+ `ValueBitLShift` handles Untyped and BigInt speculations, while
+ `ArithBitLShift` handles number and boolean operands and always results into
+ Int32.
+ + * bytecode/BytecodeList.rb: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/Opcode.h: + * dfg/DFGAbstractInterpreter.h: * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::handleConstantBinaryBitwiseOp): (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGArithMode.cpp: - (JSC::DFG::arithUnaryFunction): - (JSC::DFG::arithUnaryOperation): - (WTF::printInternal): - * dfg/DFGArithMode.h: + + We moved `BitLShift` constant fold rules to a new method + `handleConstantBinaryBitwiseOp` to be reused by `ArithBitLShift` and + `ValueBitLShift`. This also enables support of constant folding on other + bitwise operations like `ValueBitAnd`, `ValueBitOr` and `ValueBitXor`, when + their binary use kind is UntypedUse. Such cases can happen on those + nodes because fixup phase is conservative. + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo): (JSC::DFG::BackwardsPropagationPhase::propagate): * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsicCall): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGDoesGC.cpp: - (JSC::DFG::doesGC): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dump): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasArithUnaryType): - (JSC::DFG::Node::arithUnaryType): - * dfg/DFGNodeType.h: - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGPredictionPropagationPhase.cpp: - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArithUnary): - (JSC::DFG::SpeculativeJIT::compileArithCos): Deleted. - (JSC::DFG::SpeculativeJIT::compileArithTan): Deleted. - (JSC::DFG::SpeculativeJIT::compileArithSin): Deleted. - (JSC::DFG::SpeculativeJIT::compileArithLog): Deleted. 
- * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): - (JSC::FTL::DFG::LowerDFGToB3::compileArithSin): Deleted. - (JSC::FTL::DFG::LowerDFGToB3::compileArithCos): Deleted. - (JSC::FTL::DFG::LowerDFGToB3::compileArithTan): Deleted. - (JSC::FTL::DFG::LowerDFGToB3::compileArithLog): Deleted. - * ftl/FTLOutput.cpp: - (JSC::FTL::Output::doubleUnary): - (JSC::FTL::Output::doubleSin): Deleted. - (JSC::FTL::Output::doubleCos): Deleted. - (JSC::FTL::Output::doubleTan): Deleted. - (JSC::FTL::Output::doubleLog): Deleted. - * ftl/FTLOutput.h: - * runtime/Intrinsic.h: - * runtime/MathCommon.cpp: - (JSC::Math::log1p): - * runtime/MathCommon.h: - * runtime/MathObject.cpp: - (JSC::MathObject::finishCreation): - (JSC::mathProtoFuncACos): - (JSC::mathProtoFuncASin): - (JSC::mathProtoFuncATan): - (JSC::mathProtoFuncCos): - (JSC::mathProtoFuncExp): - (JSC::mathProtoFuncLog): - (JSC::mathProtoFuncSin): - (JSC::mathProtoFuncTan): - (JSC::mathProtoFuncACosh): - (JSC::mathProtoFuncASinh): - (JSC::mathProtoFuncATanh): - (JSC::mathProtoFuncCbrt): - (JSC::mathProtoFuncCosh): - (JSC::mathProtoFuncExpm1): - (JSC::mathProtoFuncLog1p): - (JSC::mathProtoFuncLog10): - (JSC::mathProtoFuncLog2): - (JSC::mathProtoFuncSinh): - (JSC::mathProtoFuncTanh): - -2017-05-03 Saam Barati - - How we build polymorphic cases is wrong when making a call from Wasm - https://bugs.webkit.org/show_bug.cgi?id=171527 - - Reviewed by JF Bastien. - - This patches fixes a bug when we emit a polymorphic call IC from - Wasm. We were incorrectly assuming that if we made a call *from wasm*, - then the thing we are *calling to* does not have a CodeBlock. This - is obviously wrong. This patch fixes the incorrect assumption. 
- - This patch also does two more things: - 1. Add a new option that makes us make calls to JS using a - slow path instead of using a call IC. - 2. Fixes a potential GC bug where we didn't populate JSWebAssemblyCodeBlock's - JSWebAssemblyModule pointer. - - * jit/Repatch.cpp: - (JSC::linkPolymorphicCall): - * runtime/Options.h: - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::create): - (JSC::JSWebAssemblyCodeBlock::finishCreation): - * wasm/js/JSWebAssemblyCodeBlock.h: - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finalizeCreation): - -2017-05-03 Keith Miller - - Array.prototype.sort should also allow a null comparator - https://bugs.webkit.org/show_bug.cgi?id=171621 - - - Reviewed by Michael Saboff. - - It looks like sort not accepting a null comparator - causes some pages to stop working. Those pages work in - Chrome/Firefox so we should try to match them. - - * builtins/ArrayPrototype.js: - (sort): - -2017-05-03 Mark Lam - - Use the CLoop for CPU(ARM64E). - https://bugs.webkit.org/show_bug.cgi?id=171620 - - - Reviewed by Geoffrey Garen. - - * llint/LLIntOfflineAsmConfig.h: - * tools/SigillCrashAnalyzer.cpp: - (JSC::SigillCrashAnalyzer::dumpCodeBlock): - -2017-05-03 Keith Miller - - Different behaviour with the .sort(callback) method (unlike Firefox & Chrome) - https://bugs.webkit.org/show_bug.cgi?id=47825 - - Reviewed by Saam Barati. - - This patch makes our sort function match the behavior of Firefox - and Chrome when the result of the comparison function is a - boolean. When we first switched to using merge sort, it regressed - JQuery sorting of DOM nodes by 30%. The regression was do to the - fact that JQuery was using compareDocumentPosition to compare the - locations of objects. Since one of the benchmarks would pass a - reverse sorted list to the sort function we would end up walking - the entire DOM to do comparisons. 
The solution to this was to - merge based on comparison(right, left) rather than - comparison(left, right). Although, in practice this does nothing - since sort could just as easily receive an already sorted list and - we're back in the same spot. - - The downside of sorting with comparison(right, left) is that to - maintain stability when sorting, you only want to merge from right - when the comparison function returns a negative value. This is - where the problem with booleans comes in. Since booleans toNumber - false to 0 and true to 1 both values are "equal". This patch fixes - this by special casing boolean return values. - - - * builtins/ArrayPrototype.js: - (sort.merge): - -2017-05-03 Andy VanWagoner - - [INTL] Support dashed values in unicode locale extensions - https://bugs.webkit.org/show_bug.cgi?id=171480 - - Reviewed by JF Bastien. - - Implements the UnicodeExtensionSubtags operation and updates the ResolveLocale operation to use it. - This fixes locale extensions with values that include '-'. The following calendars work now: - ethiopic-amete-alem - islamic-umalqura - islamic-tbla - islamic-civil - islamic-rgsa - - While updating IntlObject, the comments containing spec text were replaced with a single url at the - top of each function pointing to the relevant part of ECMA-402. - - * runtime/IntlObject.cpp: - (JSC::unicodeExtensionSubTags): Added. - (JSC::resolveLocale): Updated to latest standard. - -2017-05-02 Don Olmstead - - Build fix after r216078 - https://bugs.webkit.org/show_bug.cgi?id=171554 - - Reviewed by Saam Barati. - - * API/tests/testapi.c: - -2017-05-02 Filip Pizlo - - Unreviewed, fix pedantic C compilers. - - * API/tests/testapi.c: - (markingConstraint): - (testMarkingConstraints): - -2017-05-02 Filip Pizlo - - Unreviewed, fix cmake build. - - * CMakeLists.txt: - -2017-05-02 Filip Pizlo - - JSC C API should expose GC marking constraints and weak references - https://bugs.webkit.org/show_bug.cgi?id=171554 - - Reviewed by Geoffrey Garen. 
- - This exposes an API that lets you participate in the GC's fixpoint. You can ask the GC - what is marked and you can tell the GC to mark things. The constraint callback cannot - do a whole lot, but it can query marking state and it can dereference weak references. - - Additionally, this exposes a very simple weak reference API in C. - - * API/JSMarkingConstraintPrivate.cpp: Added. - (JSC::isMarked): - (JSC::mark): - (JSContextGroupRegisterMarkingConstraint): - * API/JSMarkingConstraintPrivate.h: Added. - * API/JSWeakPrivate.cpp: Added. - (OpaqueJSWeak::OpaqueJSWeak): - (JSWeakCreate): - (JSWeakRetain): - (JSWeakRelease): - (JSWeakGetObject): - * API/JSWeakPrivate.h: Added. - * API/tests/testapi.c: - (markingConstraint): - (testMarkingConstraints): - (main): - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/SlotVisitor.h: - * heap/SlotVisitorInlines.h: - (JSC::SlotVisitor::appendHiddenUnbarriered): - (JSC::SlotVisitor::appendHidden): - -2017-05-02 Mark Lam - - JSFixedArray::allocationSize() should not allow for allocation failure. - https://bugs.webkit.org/show_bug.cgi?id=171516 - - Reviewed by Geoffrey Garen. - - Since JSFixedArray::createFromArray() now handles allocation failures by throwing - OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer - size to allocate) should also allow for allocation failure on overflow. - - This issue is covered by the stress/js-fixed-array-out-of-memory.js test when - run on 32-bit builds. - - * runtime/JSFixedArray.h: - (JSC::JSFixedArray::tryCreate): - (JSC::JSFixedArray::allocationSize): - -2017-05-01 Zan Dobersek - - [aarch64][Linux] m_allowScratchRegister assert hit in MacroAssemblerARM64 under B3::Air::CCallSpecial::generate() - https://bugs.webkit.org/show_bug.cgi?id=170672 - - Reviewed by Filip Pizlo. 
- - In Air::CCallSpecial::admitsStack() we reject admitting the callee argument on - the stack for ARM64 because that can lead to disallowed usage of the scratch - register in MacroAssemblerARM64 when generating a call with an address Arg - in Air::CCallSpecial::generate(). - - The testLinearScanWithCalleeOnStack test is added to testb3. It reproduces the - original issue by force-spilling everything on the stack and enforcing the use - of the linear scan register allocation by using an optimization level of 1. - - * b3/air/AirCCallSpecial.cpp: - (JSC::B3::Air::CCallSpecial::admitsStack): - * b3/testb3.cpp: - (JSC::B3::testLinearScanWithCalleeOnStack): - (JSC::B3::run): - -2017-05-01 David Kilzer - - Stop using sprintf() in JavaScriptCore debugger - - - Reviewed by Keith Miller. - - * disassembler/udis86/udis86.c: - (ud_insn_hex): Switch from sprintf() to snprintf(). - -2017-04-21 Filip Pizlo - - Air::fixObviousSpills should remove totally redundant instructions - https://bugs.webkit.org/show_bug.cgi?id=171131 - - Reviewed by Saam Barati. - - This is a modest compile-time-neutral improvement to fixObviousSpills. That phase - builds up a classic alias analysis data structure over spills and registers and then - uses it to remove the most common spill pathologies we encounter. For example, if you - use a spill but the spill is aliased to a register or constant, then we can replace the - use of the spill with a use of the register or constant. - - But that phase was missing perhaps one of the most obvious fixups that its analysis - allows us to do: if any instruction creates an alias we already know about, then the - instruction is redundant. This turned out to be super important for - https://bugs.webkit.org/show_bug.cgi?id=171075. That patch didn't work out, but this - kind of optimization might be a good clean-up for many other kinds of optimizations. 
- - * b3/air/AirFixObviousSpills.cpp: - -2017-04-30 Oleksandr Skachkov - - We initialize functions too early in an eval - https://bugs.webkit.org/show_bug.cgi?id=161099 - - Reviewed by Saam Barati. - - Current patch allow to fix problem with scope in function that is - declared within eval. Before scope was set inside Interpretator.cpp and it - was scope where eval is executed, but in this case function would not - see let/const variables and classes declated in eval. - This patch devide declaration and binding in two operation, first just declare - variable with function name, and second bind variable to function with correct - scope - - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::generate): - (JSC::BytecodeGenerator::BytecodeGenerator): - * bytecompiler/BytecodeGenerator.h: - * interpreter/Interpreter.cpp: - (JSC::Interpreter::execute): - -2017-04-30 Oleksandr Skachkov - - [ES6]. Implement Annex B.3.3 function hoisting rules for eval - https://bugs.webkit.org/show_bug.cgi?id=163208 - - Reviewed by Saam Barati. - - Current patch implements Annex B.3.3 that is related to - hoisting of function declaration in eval. - https://tc39.github.io/ecma262/#sec-web-compat-evaldeclarationinstantiation - Function declaration in eval should create variable with - function name in function scope where eval is invoked - or bind to variable if it declared outside of the eval. - If variable is created it can be removed by 'delete a;' command. - If eval is invoke in block scope that contains let/const - variable with the same name as function declaration - we do not bind. 
This patch leads to the following behavior: - ''' - function foo() { - { - print(boo); // undefined - eval('{ function boo() {}}'); - print(boo); // function boo() {} - } - print(boo); // function boo() {} - } - - function foobar() { - { - let boo = 10; - print(boo); // 10; - eval('{ function boo() {}}'); - print(boo); // 10; - } - print(boo) // 10 - } - - function bar() { - { - var boo = 10; - print(boo); // 10 - eval('{ function boo() {} }'); - print(boo); // function boo() {} - } - print(boo); // function boo() {} - } - - function bas() { - { - let boo = 10; - eval(' { function boo() {} } '); - print(boo); // 10 - } - print(boo); //Reference Error - } - ''' - - Current implementation relies on already implemented - 'hoist function in sloppy mode' feature, with small changes. - In short it works in following way: during hoisting of function - with name S in eval, we are looking for first scope that - contains space for variable with name S and if this scope - has var type we bind function there - - To implement this feature was added bytecode ops: - op_resolve_scope_for_hoisting_func_decl_in_eval - get variable scope - or return undefined if variable can't be binded there. 
- - There is a corner case, hoist function in eval within catch block, - that is not covered by this patch, and will be fixed in - https://bugs.webkit.org/show_bug.cgi?id=168184 - - * bytecode/BytecodeDumper.cpp: - (JSC::BytecodeDumper::dumpBytecode): - * bytecode/BytecodeList.json: - * bytecode/BytecodeUseDef.h: - (JSC::computeUsesForBytecodeOffset): - (JSC::computeDefsForBytecodeOffset): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finalizeLLIntInlineCaches): - * bytecode/EvalCodeBlock.h: - (JSC::EvalCodeBlock::functionHoistingCandidate): - (JSC::EvalCodeBlock::numFunctionHoistingCandidates): - * bytecode/UnlinkedEvalCodeBlock.h: - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::BytecodeGenerator): - (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary): - (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval): - * bytecompiler/BytecodeGenerator.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCapabilities.cpp: - (JSC::DFG::capabilityLevel): + + We parse `op_lshift` as `ArithBitLShift` when its operands are numbers. + Otherwise, we fallback to `ValueBitLShift` and rely on fixup phase to + convert `ValueBitLShift` into `ArithBitLShift` when possible. + * dfg/DFGClobberize.h: (JSC::DFG::clobberize): + + `ArithBitLShift` has the same clobberize rules as former `BitLShift`. + `ValueBitLShift` only clobberize world when it is UntypedUse. + * dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): + + `ValueBitLShift` can GC when `BigIntUse` because it allocates new + JSBigInts to perform this operation. It also can GC on UntypedUse + because of observable user code. 
+ * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasIdentifier): - * dfg/DFGNodeType.h: - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGPredictionPropagationPhase.cpp: - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): - * interpreter/Interpreter.cpp: - (JSC::Interpreter::execute): - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - * jit/JIT.h: - * jit/JITOperations.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): - * llint/LowLevelInterpreter.asm: - * parser/Parser.cpp: - (JSC::Parser::parseFunctionDeclarationStatement): - * parser/Parser.h: - (JSC::Scope::getSloppyModeHoistedFunctions): - (JSC::Parser::declareFunction): - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - * runtime/CommonSlowPaths.h: - * runtime/EvalExecutable.h: - (JSC::EvalExecutable::numFunctionHoistingCandidates): - (JSC::EvalExecutable::numTopLevelFunctionDecls): - (JSC::EvalExecutable::numberOfFunctionDecls): Deleted. - * runtime/JSScope.cpp: - (JSC::JSScope::resolve): - (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval): - * runtime/JSScope.h: -2017-04-29 Oleksandr Skachkov + `ValueBitLShift` and `ArithBitLShift` has the same fixup rules of + other binary bitwise operations. 
In the case of `ValueBitLShift` + We check if we should speculate on BigInt or Untyped and fallback to + `ArithBitLShift` when both cheks fail. - Deep nesting is leading to ReferenceError for hoisted function - https://bugs.webkit.org/show_bug.cgi?id=171456 - - Reviewed by Yusuke Suzuki. - - Current patch fix error that appears during hoisting of the function - in block scope. Error happens only when exist some deep scope that lead - to increase scope stack, after which list of the hosted candidates do not - copied to updated scope stack. - - * parser/Parser.h: - (JSC::Scope::Scope): - -2017-04-29 Yusuke Suzuki - - [JSC] LabelScopePtr is not necessary - https://bugs.webkit.org/show_bug.cgi?id=171474 - - Reviewed by Geoffrey Garen. - - Originally, LabelScopePtr is introduced because LabelScopes uses Vector<> instead of SegmentedVector<>. - LabelScopePtr holds the pointer to the vector owner and index instead of the pointer to LabelScope directly - since Vector<> can relocate LocalScopes inside it. - The reason why LabelScopes use Vector instead is that there is code copying this vector. SegmentedVector<> - prohibits copying since it is so costly. So, we used Vector<> here instead of SegmentedVector<>. - - But the latest code does not have copying code for LabelScopes. Thus, we can take the same design to Label and - RegisterID. Just use SegmentedVector<> and Ref<>/RefPtr<>. This patch removes LabelScopePtr since it is no - longer necessary. And use SegmentedVector for LabelScopes. 
-
- * bytecompiler/BytecodeGenerator.cpp:
- (JSC::reclaim):
- (JSC::BytecodeGenerator::reclaimFreeRegisters):
- (JSC::BytecodeGenerator::newLabelScope):
- (JSC::BytecodeGenerator::newLabel):
- (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
- (JSC::BytecodeGenerator::breakTarget):
- (JSC::BytecodeGenerator::continueTarget):
- (JSC::BytecodeGenerator::emitEnumeration):
- * bytecompiler/BytecodeGenerator.h:
- * bytecompiler/LabelScope.h:
- (JSC::LabelScope::LabelScope):
- (JSC::LabelScope::breakTarget):
- (JSC::LabelScope::continueTarget):
- (JSC::LabelScope::type):
- (JSC::LabelScope::name):
- (JSC::LabelScope::scopeDepth):
- (JSC::LabelScope::ref):
- (JSC::LabelScope::deref):
- (JSC::LabelScope::refCount):
- (JSC::LabelScopePtr::LabelScopePtr): Deleted.
- (JSC::LabelScopePtr::operator=): Deleted.
- (JSC::LabelScopePtr::~LabelScopePtr): Deleted.
- (JSC::LabelScopePtr::operator!): Deleted.
- (JSC::LabelScopePtr::operator*): Deleted.
- (JSC::LabelScopePtr::operator->): Deleted.
- (JSC::LabelScopePtr::null): Deleted.
- * bytecompiler/NodesCodegen.cpp:
- (JSC::DoWhileNode::emitBytecode):
- (JSC::WhileNode::emitBytecode):
- (JSC::ForNode::emitBytecode):
- (JSC::ForInNode::emitBytecode):
- (JSC::ContinueNode::trivialTarget):
- (JSC::ContinueNode::emitBytecode):
- (JSC::BreakNode::trivialTarget):
- (JSC::BreakNode::emitBytecode):
- (JSC::SwitchNode::emitBytecode):
- (JSC::LabelNode::emitBytecode):
-
-2017-04-28 Mark Lam
-
- Revert instrumentation from https://bugs.webkit.org/show_bug.cgi?id=170086 that is no longer needed.
- https://bugs.webkit.org/show_bug.cgi?id=170094
-
- Reviewed by JF Bastien and Keith Miller.
-
- * heap/Heap.cpp:
- (JSC::Heap::resumeThePeriphery):
-
-2017-04-27 Andy VanWagoner
-
- [INTL] Implement the caseFirst option for Intl.Collator
- https://bugs.webkit.org/show_bug.cgi?id=158188
-
- Reviewed by Geoffrey Garen.
-
- Implements the caseFirst option and unicode locale extension.
- The caseFirst option explicitly determines whether upper or lower case comes first. - - * runtime/IntlCollator.cpp: - (JSC::sortLocaleData): Added kf data. - (JSC::searchLocaleData): Added kf data. - (JSC::IntlCollator::initializeCollator): Set caseFirst option. - (JSC::IntlCollator::createCollator): Set new attributes on ICU collator. - (JSC::IntlCollator::caseFirstString): Added. - (JSC::IntlCollator::resolvedOptions): Added caseFirst property. - * runtime/IntlCollator.h: - -2017-04-27 Mark Lam - - Fix some RELEASE_ASSERT failures caused by OutOfMemoryErrors. - https://bugs.webkit.org/show_bug.cgi?id=171404 - - - Reviewed by Saam Barati. - - 1. Added some tryAllocate() functions in JSCellInlines.h. - 2. Consolidated the implementations of allocateCell() template functions into a - single tryAllocateCellHelper() to reduce redundancy and eliminate needing to - copy-paste for variations of allocateCell and tryAllocateCell. - 3. Changed JSFixedArray::createFromArray() and constructEmptyArray() to check for - allocation failure and throw an OutOfMemoryError. It was already possible to - throw errors from these functions for other reasons. So, their clients are - already ready to handle OOMEs. - - * ftl/FTLOperations.cpp: - (JSC::FTL::operationMaterializeObjectInOSR): - * runtime/JSCInlines.h: - * runtime/JSCell.h: - * runtime/JSCellInlines.h: - (JSC::tryAllocateCellHelper): - (JSC::allocateCell): - (JSC::tryAllocateCell): - * runtime/JSFixedArray.h: - (JSC::JSFixedArray::createFromArray): - (JSC::JSFixedArray::tryCreate): - (JSC::JSFixedArray::create): Deleted. - * runtime/JSGlobalObject.h: - (JSC::constructEmptyArray): - -2017-04-27 Joseph Pecoraro - - Support for promise rejection events (unhandledrejection) - https://bugs.webkit.org/show_bug.cgi?id=150358 - - - Reviewed by Saam Barati. - - Patch by Joseph Pecoraro and Yusuke Suzuki. 
- - Implement support for promise.[[PromiseIsHandled]] and the - HostPromiseRejectionTracker hook for HTML to track promise rejections: - https://tc39.github.io/ecma262/#sec-host-promise-rejection-tracker - https://html.spec.whatwg.org/multipage/webappapis.html#unhandled-promise-rejections - - * builtins/BuiltinNames.h: - New private symbols. - - * builtins/PromiseOperations.js: - (globalPrivate.newHandledRejectedPromise): - Utility to create a rejected promise with [[PromiseIsHandled]] to true. - - (globalPrivate.rejectPromise): - (globalPrivate.initializePromise): - * builtins/PromisePrototype.js: - (then): - Implement standard behavior of [[PromiseIsHandled]] and the host hook. - - * runtime/JSPromise.cpp: - (JSC::JSPromise::isHandled): - * runtime/JSPromise.h: - C++ accessors for the [[PromiseIsHandled]] state. - - * bytecode/BytecodeIntrinsicRegistry.cpp: - (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): - * bytecode/BytecodeIntrinsicRegistry.h: - Expose private values for the Reject / Handle enum values in built-ins. - - * jsc.cpp: - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::promiseResolveFunction): - Add a new GlobalObjectMethodTable hook matching the promise rejection hook. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::visitChildren): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncHostPromiseRejectionTracker): - * runtime/JSGlobalObjectFunctions.h: - Plumb the builtin hook through to the optional GlobalObjectMethodTable hook. - - * inspector/InjectedScriptSource.js: - (InjectedScript.prototype.createFakeValueDescriptor): - Silence possible rejected promises created internally via Web Inspector. - -2017-04-27 Saam Barati - - B3::FoldPathConstants does not consider the fall through case for Switch - https://bugs.webkit.org/show_bug.cgi?id=171390 - - Reviewed by Filip Pizlo. 
- - foldPathConstants was not taking into account a Switch's default - case when it tried to constant propagate the switch's operand value. - e.g, we incorrectly transformed this code: - - ``` - x = argumentGPR0; - switch (x) { - case 10: return 20; - - case 0: - default: return x == 0; - } - ``` - - into: - ``` - x = argumentGPR0; - switch (x) { - case 10: return 20; - - case 0: - default: return 1; - } - ``` - - Because we didn't take into account the default case, we incorrectly - optimized the code as if case 0's block was only reachable if x is - equal to zero. This is obviously not true, since it's the same block - as the default case. - - This fix ensures that we can run the WebAssembly Tanks demo even when - we set webAssemblyBBQOptimizationLevel=2. - - * b3/B3FoldPathConstants.cpp: - * b3/B3SwitchValue.cpp: - (JSC::B3::SwitchValue::fallThrough): - (JSC::B3::SwitchValue::removeCase): Deleted. - * b3/B3SwitchValue.h: - * b3/testb3.cpp: - (JSC::B3::testCallFunctionWithHellaArguments): - (JSC::B3::testSwitchSameCaseAsDefault): - (JSC::B3::testWasmBoundsCheck): - (JSC::B3::run): - -2017-04-27 Keith Miller - - WebAssembly: Don't tier up the same function twice - https://bugs.webkit.org/show_bug.cgi?id=171397 - - Reviewed by Filip Pizlo. - - Because we don't CAS the tier up count on function entry/loop backedge and we use the least significant to indicate whether or not tier up has already started we could see the following: - - Threads A and B are running count in memory is (0): - - A: load tier up count (0) - B: load tier up count (0) - A: decrement count to -2 and see we need to check for tier up (0) - A: store -2 to count (-2) - A: exchangeOr(1) to tier up count (-1) - B: decrement count to -2 and see we need to check for tier up (-1) - B: store -2 to count (-2) - B: exchangeOr(1) to tier up count (-1) - - This would cause us to tier up the same function twice, which we would rather avoid. 
-
- * wasm/WasmB3IRGenerator.cpp:
- (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
- * wasm/WasmTierUpCount.h:
- (JSC::Wasm::TierUpCount::TierUpCount):
- (JSC::Wasm::TierUpCount::loopDecrement):
- (JSC::Wasm::TierUpCount::functionEntryDecrement):
- (JSC::Wasm::TierUpCount::shouldStartTierUp):
-
-2017-04-27 Keith Miller
-
- REGRESSION (r215843): ASSERTION FAILED: !m_completionTasks[0].first in JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast(JSC::VM &)
- https://bugs.webkit.org/show_bug.cgi?id=171380
-
- Reviewed by JF Bastien.
-
- This patch fixes the association of VMs to Wasm::Plans. For validation
- we want all the completion tasks to be associate with a VM. For BBQ,
- we want the main task to not be associated with any VM.
-
- * jsc.cpp:
- (functionTestWasmModuleFunctions):
- * wasm/WasmBBQPlan.cpp:
- (JSC::Wasm::BBQPlan::BBQPlan):
- * wasm/WasmBBQPlan.h:
- * wasm/WasmCodeBlock.cpp:
- (JSC::Wasm::CodeBlock::CodeBlock):
- (JSC::Wasm::CodeBlock::compileAsync):
- * wasm/WasmCodeBlock.h:
- (JSC::Wasm::CodeBlock::create):
- * wasm/WasmModule.cpp:
- (JSC::Wasm::makeValidationCallback):
- (JSC::Wasm::Module::validateSync):
- (JSC::Wasm::Module::validateAsync):
- (JSC::Wasm::Module::getOrCreateCodeBlock):
- (JSC::Wasm::Module::compileSync):
- (JSC::Wasm::Module::compileAsync):
- * wasm/WasmModule.h:
- * wasm/WasmOMGPlan.cpp:
- (JSC::Wasm::OMGPlan::OMGPlan):
- (JSC::Wasm::runOMGPlanForIndex):
- * wasm/WasmOMGPlan.h:
- * wasm/WasmPlan.cpp:
- (JSC::Wasm::Plan::Plan):
- (JSC::Wasm::Plan::runCompletionTasks):
- (JSC::Wasm::Plan::addCompletionTask):
- (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast):
- * wasm/WasmPlan.h:
- (JSC::Wasm::Plan::dontFinalize):
- * wasm/js/WebAssemblyInstanceConstructor.cpp:
- (JSC::constructJSWebAssemblyInstance):
- * wasm/js/WebAssemblyPrototype.cpp:
- (JSC::webAssemblyValidateFunc):
-
-2017-04-27 Saam Barati
-
- Restore some caching functionality that got accidentally removed when doing Wasm PIC patches
- https://bugs.webkit.org/show_bug.cgi?id=171382
-
- Reviewed by Keith Miller. - - When I created Wasm::CodeBlock, I accidentally removed caching - the creation of JSWebAssemblyCodeBlocks. This patch restores it. - It's worth keeping JSWebAssemblyModule's JSWebAssemblyCodeBlock - cache because creating a JSWebAssemblyCodeBlock does non trivial - work by creating the various IC call stubs. - - * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::codeBlock): - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finalizeCreation): - (JSC::JSWebAssemblyInstance::create): - * wasm/js/JSWebAssemblyModule.h: - -2017-04-27 Mark Lam - - Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate(). - https://bugs.webkit.org/show_bug.cgi?id=171344 - - - Reviewed by Filip Pizlo. - - JSArray::tryCreateForInitializationPrivate() should only be used in performance - critical paths, and should always be used with care because it creates an - uninitialized object that needs to be initialized by its client before the object - can be released into the system. Before the object is fully initialized: - a. the client should not re-enter the VM to execute JS code, and - b. GC should not run. - - This is because until the object is fully initialized, it is an inconsistent - state that the GC and JS code will not be happy about. - - In this patch, we do the following: - - 1. Renamed JSArray::tryCreateForInitializationPrivate() to - JSArray::tryCreateUninitializedRestricted() because "private" is a bit ambiguous - and can be confused with APIs that are called freely within WebKit but are - not meant for clients of WebKit. In this case, we intend for use of this API - to be restricted to only a few carefully considered and crafted cases. - - 2. Introduce the ObjectInitializationScope RAII object which covers the period - when the uninitialized object is created and gets initialized. 
- - ObjectInitializationScope will asserts that either the object is created - fully initialized (in the case where the object structure is not an "original" - structure) or if created uninitialized, is fully initialized at the end of - the scope. - - If the object is created uninitialized, the ObjectInitializationScope also - ensures that we do not GC nor re-enter the VM to execute JS code. This is - achieved by enabling DisallowGC and DisallowVMReentry scopes. - - tryCreateUninitializedRestricted() and initializeIndex() now requires an - ObjectInitializationScope instance. The ObjectInitializationScope replaces - the VM& argument because it can be used to pass the VM& itself. This is a - small optimization that makes passing the ObjectInitializationScope free even - on release builds. - - 3. Factored a DisallowScope out of DisallowGC, and make DisallowGC extend it. - Introduce a DisallowVMReentry class that extends DisallowScope. - - 4. Fixed a bug found by the ObjectInitializationScope. The bug is that there are - scenarios where the structure passed to tryCreateUninitializedRestricted() - that may not be an "original" structure. As a result, initializeIndex() would - end up allocating new structures, and therefore trigger a GC. - - The fix is to detect that the structure passed to tryCreateUninitializedRestricted() - is not an "original" one, and pre-initialize the array with 0s. - - This bug was detected by existing tests. Hence, no new test needed. - - 5. Replaced all inappropriate uses of tryCreateUninitializedRestricted() with - tryCreate(). Inappropriate uses here means code that is not in performance - critical paths. - - Similarly, replaced accompanying uses of initializeIndex() with putDirectIndex(). - - This patch is performance neutral (according to the JSC command line benchmarks). 
- - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGOperations.cpp: - * ftl/FTLOperations.cpp: - (JSC::FTL::operationMaterializeObjectInOSR): - * heap/DeferGC.cpp: - * heap/DeferGC.h: - (JSC::DisallowGC::DisallowGC): - (JSC::DisallowGC::initialize): - (JSC::DisallowGC::scopeReentryCount): - (JSC::DisallowGC::setScopeReentryCount): - (JSC::DisallowGC::~DisallowGC): Deleted. - (JSC::DisallowGC::isGCDisallowedOnCurrentThread): Deleted. - * heap/GCDeferralContextInlines.h: - (JSC::GCDeferralContext::~GCDeferralContext): - * heap/Heap.cpp: - (JSC::Heap::collectIfNecessaryOrDefer): - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoPrivateFuncConcatMemcpy): - * runtime/ClonedArguments.cpp: - (JSC::ClonedArguments::createWithInlineFrame): - (JSC::ClonedArguments::createByCopyingFrom): - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - * runtime/DisallowScope.h: Added. - (JSC::DisallowScope::DisallowScope): - (JSC::DisallowScope::~DisallowScope): - (JSC::DisallowScope::isInEffectOnCurrentThread): - (JSC::DisallowScope::enable): - (JSC::DisallowScope::enterScope): - (JSC::DisallowScope::exitScope): - * runtime/DisallowVMReentry.cpp: Added. - * runtime/DisallowVMReentry.h: Added. - (JSC::DisallowVMReentry::DisallowVMReentry): - (JSC::DisallowVMReentry::initialize): - (JSC::DisallowVMReentry::scopeReentryCount): - (JSC::DisallowVMReentry::setScopeReentryCount): - * runtime/InitializeThreading.cpp: - (JSC::initializeThreading): - * runtime/JSArray.cpp: - (JSC::JSArray::tryCreateUninitializedRestricted): - (JSC::JSArray::fastSlice): - (JSC::JSArray::tryCreateForInitializationPrivate): Deleted. - * runtime/JSArray.h: - (JSC::JSArray::tryCreateUninitializedRestricted): - (JSC::JSArray::tryCreate): - (JSC::constructArray): - (JSC::constructArrayNegativeIndexed): - (JSC::JSArray::tryCreateForInitializationPrivate): Deleted. - (JSC::createArrayButterfly): Deleted. 
- * runtime/JSCellInlines.h: - (JSC::allocateCell): - * runtime/JSObject.h: - (JSC::JSObject::initializeIndex): - (JSC::JSObject::initializeIndexWithoutBarrier): - * runtime/ObjectInitializationScope.cpp: Added. - (JSC::ObjectInitializationScope::ObjectInitializationScope): - (JSC::ObjectInitializationScope::~ObjectInitializationScope): - (JSC::ObjectInitializationScope::notifyAllocated): - (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized): - * runtime/ObjectInitializationScope.h: Added. - (JSC::ObjectInitializationScope::ObjectInitializationScope): - (JSC::ObjectInitializationScope::vm): - (JSC::ObjectInitializationScope::notifyAllocated): - * runtime/Operations.h: - (JSC::isScribbledValue): - (JSC::scribble): - * runtime/RegExpMatchesArray.cpp: - (JSC::createEmptyRegExpMatchesArray): - * runtime/RegExpMatchesArray.h: - (JSC::tryCreateUninitializedRegExpMatchesArray): - (JSC::createRegExpMatchesArray): - * runtime/VMEntryScope.cpp: - (JSC::VMEntryScope::VMEntryScope): - -2017-04-27 Carlos Garcia Campos - - [GTK] Remote inspector should support inspecting targets with previous version of backend commands - https://bugs.webkit.org/show_bug.cgi?id=171267 - - Reviewed by Michael Catanzaro. - - Rename GetTargetList DBus method as SetupInspectorClient since this method is actually called only once by - client right after connecting to the server. The method now receives the client backend commands hash as - argument and returns the contents of the backend commands file in case the hash doesn't match with the local - version. - - * PlatformGTK.cmake: Add RemoteInspectorUtils to compilation. - * inspector/remote/glib/RemoteInspectorServer.cpp: - (Inspector::RemoteInspectorServer::setupInspectorClient): - * inspector/remote/glib/RemoteInspectorServer.h: - * inspector/remote/glib/RemoteInspectorUtils.cpp: Added. - (Inspector::backendCommands): - (Inspector::backendCommandsHash): - * inspector/remote/glib/RemoteInspectorUtils.h: Added. 
- -2017-04-27 Yusuke Suzuki - - [JSC] Handle PhantomSpread in LoadVarargs as the same to the others - https://bugs.webkit.org/show_bug.cgi?id=171262 - - Reviewed by Saam Barati. - - This is follow-up patch after r215720. In that patch, accidentally - we did not apply the same change to LoadVarargs in argument elimination - phase. This patch just does the same rewriting to handle PhantomSpread - correctly. - - * dfg/DFGArgumentsEliminationPhase.cpp: - -2017-04-26 Joseph Pecoraro - - Web Inspector: Uint8ClampedArray should be treated like an array, not an object - https://bugs.webkit.org/show_bug.cgi?id=171364 - - - Reviewed by Sam Weinig. - - * inspector/JSInjectedScriptHost.cpp: - (Inspector::JSInjectedScriptHost::subtype): - Treat Uint8ClampedArray (like other Typed Arrays) as an array. - -2017-04-26 Saam Barati - - Print Wasm function index in stack trace - https://bugs.webkit.org/show_bug.cgi?id=171349 - - Reviewed by JF Bastien. - - This patch prints a Callee's index in the function index - space in Error.stack. - - This will lead to stack traces that have lines of text like: - wasm function index: 4@[wasm code] - - We don't ascribe indices to everything in wasm. Specifically, the - Wasm->JS call stub callee does not get a name, and neither does - the JS -> Wasm entrypoint. 
- - * interpreter/Interpreter.cpp: - (JSC::GetStackTraceFunctor::operator()): - * interpreter/StackVisitor.cpp: - (JSC::StackVisitor::readNonInlinedFrame): - (JSC::StackVisitor::Frame::functionName): - * interpreter/StackVisitor.h: - (JSC::StackVisitor::Frame::wasmFunctionIndex): - * runtime/StackFrame.cpp: - (JSC::StackFrame::functionName): - * runtime/StackFrame.h: - (JSC::StackFrame::StackFrame): - (JSC::StackFrame::wasm): - (JSC::StackFrame::hasBytecodeOffset): - (JSC::StackFrame::bytecodeOffset): - * wasm/WasmBBQPlanInlines.h: - (JSC::Wasm::BBQPlan::initializeCallees): - * wasm/WasmCallee.cpp: - (JSC::Wasm::Callee::Callee): - * wasm/WasmCallee.h: - (JSC::Wasm::Callee::create): - (JSC::Wasm::Callee::index): - * wasm/WasmOMGPlan.cpp: - (JSC::Wasm::OMGPlan::work): - -2017-04-26 Keith Miller - - Follow up to r215843 - https://bugs.webkit.org/show_bug.cgi?id=171361 - - Reviewed by Saam Barati. - - This patch fixes some style comments Saam didn't get a chance to - request before I landed: https://bugs.webkit.org/show_bug.cgi?id=170134. - - It renames Wasm::CodeBlock::m_wasmEntrypoints to - m_wasmIndirectCallEntrypoints, as well as fixes some copyrights and - indentation. - - * wasm/WasmBBQPlan.cpp: - * wasm/WasmCodeBlock.cpp: - (JSC::Wasm::CodeBlock::CodeBlock): - * wasm/WasmCodeBlock.h: - (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): - * wasm/WasmOMGPlan.cpp: - (JSC::Wasm::OMGPlan::work): - * wasm/WasmTierUpCount.h: - (JSC::Wasm::TierUpCount::TierUpCount): - (JSC::Wasm::TierUpCount::loopDecrement): - (JSC::Wasm::TierUpCount::functionEntryDecrement): - (JSC::Wasm::TierUpCount::shouldStartTierUp): - (JSC::Wasm::TierUpCount::count): - -2017-04-26 Saam Barati - - ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender() - https://bugs.webkit.org/show_bug.cgi?id=170924 - - - Reviewed by Mark Lam. - - The error message handler for "in" was searching for the literal - string "in". 
However, our parser incorrectly allows escaped characters - to be part of keywords. So this is parsed as "in" in JSC: "i\u006E". - It should not be parsed that way. I opened https://bugs.webkit.org/show_bug.cgi?id=171310 - to address this issue. - - Regardless, the error message handlers should handle unexpected text gracefully. - All functions that try to augment error messages with the goal of - providing a more textual context for the error message should use - the original error message instead of crashing when they detect - unexpected text. - - This patch also changes the already buggy code that tries to find - the base of a function call. That could would fail for code like this: - "zoo.bar("/abc\)*/");". See https://bugs.webkit.org/show_bug.cgi?id=146304 - It would think that the base is "z". However, the algorithm that tries - to find the base can often tell when it fails, and when it does, it should - happily return the approximate text error message instead of thinking - that the base is "z". - - * runtime/ExceptionHelpers.cpp: - (JSC::functionCallBase): - (JSC::notAFunctionSourceAppender): - (JSC::invalidParameterInSourceAppender): - -2017-04-26 Keith Miller - - WebAssembly: Implement tier up - https://bugs.webkit.org/show_bug.cgi?id=170134 - - Reviewed by Filip Pizlo. - - This patch implements tier up for wasm functions. Unlike with JS - code, wasm code needs to be able to tier up concurrently with the - running code. Since JS code is synchronous we can always link on - the running thread, wasm, however, can run the same code on more - than one thread. In order to make patching work correctly, we need - to ensure that all patches of callsites are aligned. On ARM we get - this for free since every call is a near call. On X86 we ensure - that the 32-bit relative offset is 32-bit aligned. - - This patch also modifies how Wasm::Plan works. 
Now Plan is a - abstract super class and there are two subclasses, which - correspond to the different tiers of our wasm engine. The first, - Build Bytecode Quickly (BBQ) tier, roughly does what the old plan - code did before. The new tier, Optimized Machine code Generation - (OMG), can be called at any point by BBQ code and compiles exactly - one function. Once an OMGPlan finishes it will link it's code - internally then reset the instruction cache of all running wasm - threads, via, a ThreadMessage. Once the instruction caches have - been reset all the other functions will be patched to call the new - code. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/AbstractMacroAssembler.h: - (JSC::AbstractMacroAssembler::ensureCacheLineSpace): - * assembler/CodeLocation.h: - (JSC::CodeLocationThreadSafeNearCall::CodeLocationThreadSafeNearCall): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::threadSafePatchableNearCall): - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::threadSafeNearCall): - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::threadSafePatchableNearCall): - * b3/air/AirEmitShuffle.cpp: - (JSC::B3::Air::ShufflePair::inst): - (JSC::B3::Air::ShufflePair::opcode): Deleted. - * b3/air/AirEmitShuffle.h: - * jsc.cpp: - (functionTestWasmModuleFunctions): - * runtime/JSLock.cpp: - (JSC::JSLock::didAcquireLock): - * runtime/Options.h: - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::materializeWasmContext): - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::constant): - (JSC::Wasm::B3IRGenerator::emitTierUpCheck): - (JSC::Wasm::B3IRGenerator::addLoop): - (JSC::Wasm::B3IRGenerator::addTopLevel): - (JSC::Wasm::B3IRGenerator::addBlock): - (JSC::Wasm::createJSToWasmWrapper): - (JSC::Wasm::parseAndCompile): - * wasm/WasmB3IRGenerator.h: - * wasm/WasmBBQPlan.cpp: Copied from Source/JavaScriptCore/wasm/WasmPlan.cpp. 
- (JSC::Wasm::BBQPlan::BBQPlan): - (JSC::Wasm::BBQPlan::stateString): - (JSC::Wasm::BBQPlan::moveToState): - (JSC::Wasm::BBQPlan::parseAndValidateModule): - (JSC::Wasm::BBQPlan::prepare): - (JSC::Wasm::BBQPlan::ThreadCountHolder::ThreadCountHolder): - (JSC::Wasm::BBQPlan::ThreadCountHolder::~ThreadCountHolder): - (JSC::Wasm::BBQPlan::compileFunctions): - (JSC::Wasm::BBQPlan::complete): - (JSC::Wasm::BBQPlan::work): - * wasm/WasmBBQPlan.h: Copied from Source/JavaScriptCore/wasm/WasmPlan.h. - * wasm/WasmBBQPlanInlines.h: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h. - (JSC::Wasm::BBQPlan::initializeCallees): - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToWasm): - * wasm/WasmCallee.h: - (JSC::Wasm::Callee::entrypoint): - * wasm/WasmCodeBlock.cpp: - (JSC::Wasm::CodeBlock::CodeBlock): - * wasm/WasmCodeBlock.h: - (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): - (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): - (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): - (JSC::Wasm::CodeBlock::tierUpCount): - (JSC::Wasm::CodeBlock::mode): - * wasm/WasmFormat.h: - (JSC::Wasm::CallableFunction::CallableFunction): - (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): - * wasm/WasmMachineThreads.cpp: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h. - (JSC::Wasm::wasmThreads): - (JSC::Wasm::startTrackingCurrentThread): - (JSC::Wasm::resetInstructionCacheOnAllThreads): - * wasm/WasmMachineThreads.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.h. - * wasm/WasmModule.cpp: - (JSC::Wasm::makeValidationResult): - (JSC::Wasm::makeValidationCallback): - (JSC::Wasm::Module::validateSync): - (JSC::Wasm::Module::validateAsync): - * wasm/WasmModule.h: - (JSC::Wasm::Module::codeBlockFor): - * wasm/WasmOMGPlan.cpp: Added. 
- (JSC::Wasm::OMGPlan::OMGPlan): - (JSC::Wasm::OMGPlan::work): - (JSC::Wasm::runOMGPlanForIndex): - * wasm/WasmOMGPlan.h: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h. - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::Plan): - (JSC::Wasm::Plan::runCompletionTasks): - (JSC::Wasm::Plan::addCompletionTask): - (JSC::Wasm::Plan::waitForCompletion): - (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast): - (JSC::Wasm::Plan::fail): - (JSC::Wasm::Plan::stateString): Deleted. - (JSC::Wasm::Plan::moveToState): Deleted. - (JSC::Wasm::Plan::parseAndValidateModule): Deleted. - (JSC::Wasm::Plan::prepare): Deleted. - (JSC::Wasm::Plan::ThreadCountHolder::ThreadCountHolder): Deleted. - (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder): Deleted. - (JSC::Wasm::Plan::compileFunctions): Deleted. - (JSC::Wasm::Plan::complete): Deleted. - * wasm/WasmPlan.h: - (JSC::Wasm::Plan::exports): Deleted. - (JSC::Wasm::Plan::internalFunctionCount): Deleted. - (JSC::Wasm::Plan::takeModuleInformation): Deleted. - (JSC::Wasm::Plan::takeCallLinkInfos): Deleted. - (JSC::Wasm::Plan::takeWasmToWasmExitStubs): Deleted. - (JSC::Wasm::Plan::hasWork): Deleted. - (JSC::Wasm::Plan::hasBeenPrepared): Deleted. - * wasm/WasmTierUpCount.h: Renamed from Source/JavaScriptCore/wasm/WasmPlanInlines.h. - (JSC::Wasm::TierUpCount::TierUpCount): - (JSC::Wasm::TierUpCount::loopDecrement): - (JSC::Wasm::TierUpCount::functionEntryDecrement): - (JSC::Wasm::TierUpCount::shouldStartTierUp): - (JSC::Wasm::TierUpCount::count): - * wasm/WasmWorklist.cpp: - * wasm/WasmWorklist.h: - (JSC::Wasm::Worklist::nextTicket): - * wasm/js/JSWebAssemblyCodeBlock.cpp: - * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): - (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport): - (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): Deleted. 
- * wasm/js/JSWebAssemblyTable.cpp: - (JSC::JSWebAssemblyTable::setFunction): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::WebAssemblyFunction::create): - (JSC::WebAssemblyFunction::WebAssemblyFunction): - * wasm/js/WebAssemblyFunction.h: - (JSC::WebAssemblyFunction::signatureIndex): - (JSC::WebAssemblyFunction::wasmEntrypointLoadLocation): - (JSC::WebAssemblyFunction::callableFunction): - (JSC::WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation): - (JSC::WebAssemblyFunction::wasmEntrypoint): Deleted. - (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint): Deleted. - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - (JSC::WebAssemblyModuleRecord::evaluate): - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::webAssemblyValidateFunc): - * wasm/js/WebAssemblyWrapperFunction.cpp: - (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction): - (JSC::WebAssemblyWrapperFunction::create): - * wasm/js/WebAssemblyWrapperFunction.h: - (JSC::WebAssemblyWrapperFunction::signatureIndex): - (JSC::WebAssemblyWrapperFunction::wasmEntrypointLoadLocation): - (JSC::WebAssemblyWrapperFunction::callableFunction): - (JSC::WebAssemblyWrapperFunction::wasmEntrypoint): Deleted. - -2017-04-26 Caitlin Potter - - [JSC] fix RETURN_IF_EXCEPTION() placement in ownPropertyKeys() - https://bugs.webkit.org/show_bug.cgi?id=171330 - - Reviewed by Mark Lam. - - Ensure RETURN_IF_EXCEPTION() following invokation of the - filterPropertyIfNeeded() lambda. - - * runtime/ObjectConstructor.cpp: - (JSC::ownPropertyKeys): - -2017-04-26 Caitlin Potter - - [JSC] Object.keys() must discard property names with no PropertyDescriptor - https://bugs.webkit.org/show_bug.cgi?id=171291 - - Reviewed by Yusuke Suzuki. - - Proxy objects can produce an arbitrary list of property names from the - "ownKeys" trap, however the Object.keys() algorithm is required to - discard names which do not have a PropertyDescriptor. 
This also - applies to other uses of the EnumerableOwnProperties() algorithm - (https://tc39.github.io/ecma262/#sec-enumerableownproperties) - - Related to https://bugs.chromium.org/p/v8/issues/detail?id=6290 - - * runtime/ObjectConstructor.cpp: - (JSC::ownPropertyKeys): - -2017-04-25 Andy VanWagoner - - Unhandled enumeration values in IntlDateTimeFormat.cpp - https://bugs.webkit.org/show_bug.cgi?id=171241 - - Reviewed by JF Bastien. - - Added some missing cases of the UDateFormatField to partTypeString, - and made them conditional to the ICU version that added them. - This should remove the warnings that appear on platform builds using the - newer system ICU headers. - - * runtime/IntlDateTimeFormat.cpp: - (JSC::IntlDateTimeFormat::partTypeString): - -2017-04-25 Commit Queue - - Unreviewed, rolling out r215476. - https://bugs.webkit.org/show_bug.cgi?id=171304 - - "It broke JSBench" (Requested by saamyjoon on #webkit). - - Reverted changeset: - - "[ES6]. Implement Annex B.3.3 function hoisting rules for - eval" - https://bugs.webkit.org/show_bug.cgi?id=163208 - http://trac.webkit.org/changeset/215476 - -2017-04-25 Saam Barati - - JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object - https://bugs.webkit.org/show_bug.cgi?id=171150 - - - Reviewed by Sam Weinig. - - This patch fixes a huge oversight from the patch that introduced - op_spread/Spread. The original patch did not account for the - base object having Symbol.iterator or getters that could - change the iterator protocol. This patch fixes the oversight both - in the C code, as well as the DFG/FTL backends. We only perform - the memcpy version of spread if we've proven that it's guaranteed - to be side-effect free (no indexed getters), and if the iterator - protocol is guaranteed to be the original protocol. To do this, we - must prove that: - 1. 
The protocol on Array.prototype hasn't changed (this is the same as the - introductory patch for op_spread). - 2. The base object's __proto__ is Array.prototype - 3. The base object does not have indexed getters - 4. The base object does not have Symbol.iterator property. - - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::canDoFastSpread): - * dfg/DFGGraph.h: - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileSpread): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileSpread): - * runtime/JSArray.cpp: - (JSC::JSArray::isIteratorProtocolFastAndNonObservable): - * runtime/JSArray.h: - * runtime/JSArrayInlines.h: - (JSC::JSArray::isIteratorProtocolFastAndNonObservable): Deleted. - * runtime/JSGlobalObject.h: - * runtime/JSGlobalObjectInlines.h: - (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable): - (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable): Deleted. - -2017-04-25 Mark Lam - - Array.prototype.slice() should ensure that end >= begin. - https://bugs.webkit.org/show_bug.cgi?id=170989 - - - Reviewed by Saam Barati. - - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncSlice): - -2017-04-25 Don Olmstead - - [Win] Use Clang's __has_declspec_attribute for export macros - https://bugs.webkit.org/show_bug.cgi?id=171240 - - Reviewed by Alex Christensen. - - * runtime/JSExportMacros.h: - -2017-04-25 Saam Barati - - Unreviewed. Attempt armv7k build fix after r215720 - - I think we're just missing an include for the definition of ExecState::r(). - - * runtime/JSFixedArray.cpp: - -2017-04-25 Daniel Bates - - [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header - https://bugs.webkit.org/show_bug.cgi?id=136452 - - - Reviewed by Brent Fulgham. - - Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms. - - * Configurations/FeatureDefines.xcconfig: - -2017-04-25 Mark Lam - - Local CSE wrongly CSEs array accesses with different result types. 
- https://bugs.webkit.org/show_bug.cgi?id=170990 - - - Reviewed by Saam Barati. - - The fix is to use different LocationKind enums for the different type of array - result types. This makes the HeapLocation values different based on the result - types, and allows CSE to discern between them. - - * dfg/DFGCSEPhase.cpp: - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGHeapLocation.cpp: - (WTF::printInternal): - * dfg/DFGHeapLocation.h: - (JSC::DFG::indexedPropertyLocForResultType): - -2017-04-25 Mark Lam - - Make DFG SpeculatedType dumps easier to read. - https://bugs.webkit.org/show_bug.cgi?id=171280 - - Reviewed by Saam Barati. - - Adding a pretty printer to insert |s between each type string and changing the - dumped strings to match the SpeculatedType names case-wise. - - * bytecode/SpeculatedType.cpp: - (JSC::PrettyPrinter::PrettyPrinter): - (JSC::PrettyPrinter::print): - (JSC::dumpSpeculation): - * bytecode/SpeculatedType.h: - -2017-04-25 JF Bastien - - lowerStackArgs: check Arg::addr.isValidForm when falling back to SP offsets - https://bugs.webkit.org/show_bug.cgi?id=171278 - - Reviewed by Filip Pizlo. - - lowerStackArgs checked that the FP offsets it tries to generate - are valid form, but didn't check that the fallback was valid - form. This lead to stackAddr's assertion being dead, and the - MaroAssembler asserting way later on move / add when handed a huge - immediate. - - * b3/air/AirArg.cpp: - (JSC::B3::Air::Arg::stackAddrImpl): - -2017-04-25 Zan Dobersek - - [aarch64] moveConditionally32(), moveConditionallyTest32() should move from/to 64-bit registers - https://bugs.webkit.org/show_bug.cgi?id=170891 - - Reviewed by Saam Barati. - - moveConditionally32() and moveConditionallyTest32() operations in - MacroAssemblerARM64 properly perform comparisons and tests on 32-bit - values, but end up performing the moves from and to 32-bit registers. - - Move operations should instead be done on 64-bit registers, just like - on the X86_64 platform. 
This is achieved by specifying 64 as the data - size for the csel instructions. - - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::moveConditionally32): - (JSC::MacroAssemblerARM64::moveConditionallyTest32): - -2017-04-24 Joseph Pecoraro - - test262: test262/test/language/expressions/object/method-definition/early-errors-object-method-duplicate-parameters.js - https://bugs.webkit.org/show_bug.cgi?id=171190 - - Reviewed by Saam Barati. - - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::BytecodeGenerator): - (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): - (JSC::BytecodeGenerator::emitNewFunction): - * bytecompiler/NodesCodegen.cpp: - (JSC::FunctionNode::emitBytecode): - (JSC::Scope::setSourceParseMode): - * parser/ParserModes.h: - (JSC::isFunctionParseMode): - (JSC::isMethodParseMode): - (JSC::isGeneratorOrAsyncFunctionWrapperParseMode): - (JSC::isGeneratorParseMode): - (JSC::isGeneratorWrapperParseMode): - * runtime/FunctionExecutable.h: - * runtime/JSFunction.cpp: - (JSC::JSFunction::getOwnPropertySlot): - Add a new GeneratorWrapperMethodMode parse mode. The other function types - (async, arrow) already have a FunctionMode and a MethodMode. Give - generators one as well. This lets isMethodParseMode actually be accurate. - - * parser/Parser.cpp: - (JSC::Parser::parseInner): - (JSC::Parser::isArrowFunctionParameters): - (JSC::Parser::parseFormalParameters): - (JSC::stringForFunctionMode): - (JSC::Parser::parseFunctionParameters): - (JSC::Parser::parseFunctionInfo): - (JSC::Parser::parseClass): - (JSC::Parser::parsePropertyMethod): - * parser/Parser.h: - Add a duplicate parameter failure if there are duplicate parameters - in method syntax. - -2017-04-24 Andy VanWagoner - - Clean up ICU headers - https://bugs.webkit.org/show_bug.cgi?id=170997 - - Reviewed by JF Bastien. 
- - Update all icu headers to 55.1 - - * icu/LICENSE: Update copyright - * icu/README: Explain ICU headers for OS X better - * icu/unicode/localpointer.h: - (LocalPointer::LocalPointer): - (LocalPointer::adoptInsteadAndCheckErrorCode): - * icu/unicode/platform.h: - * icu/unicode/putil.h: - * icu/unicode/ucal.h: - * icu/unicode/uchar.h: - * icu/unicode/ucnv.h: - * icu/unicode/ucol.h: - * icu/unicode/uconfig.h: - * icu/unicode/ucurr.h: - * icu/unicode/udatpg.h: - * icu/unicode/udisplaycontext.h: - * icu/unicode/uformattable.h: - * icu/unicode/uloc.h: - * icu/unicode/umachine.h: - * icu/unicode/unum.h: - * icu/unicode/unumsys.h: - * icu/unicode/urename.h: - * icu/unicode/uscript.h: - * icu/unicode/uset.h: - * icu/unicode/ustring.h: - * icu/unicode/utf8.h: - * icu/unicode/utypes.h: - -2017-04-24 Yusuke Suzuki - - [JSC] Use JSFixedArray directly when using call_varargs - https://bugs.webkit.org/show_bug.cgi?id=171057 - - Reviewed by Saam Barati. - - Previously we always emit new_array_with_spread when calling call(...args). - But this array is unnecessary if varargs operation can handle Spread directly. - - This patch implements a peep-hole optimization in the bytecode compiler layer - to omit new_array_with_spread. This is very simple and effective because this - peep-hole optimization is quite common when using (...args) style calls and - this optimization works all the tiers. While we can implement the phase to - omit this NewArrayWithSpread in argument elimination phase, it only works - for FTL. While such an optimization can work with complex data flow, this - peep-hole optimization can optimize a common case easily. - - For now, Spread and PhantomSpread can be directly drained by CallVarargs - and LoadVarargs related operations. We modify DFG and FTL to handle this correctly. - - This shows six-speed improvement. 
- - spread.es6 89.4300+-2.0236 ^ 69.6015+-1.7278 ^ definitely 1.2849x faster - spread-generator.es6 344.7879+-5.9147 ^ 331.2712+-6.8610 ^ definitely 1.0408x faster - - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitCall): - (JSC::BytecodeGenerator::emitConstruct): - * dfg/DFGArgumentsEliminationPhase.cpp: - * dfg/DFGPreciseLocalClobberize.h: - (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileSpread): - (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): - (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): - (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs): - (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread): - * interpreter/Interpreter.cpp: - (JSC::sizeOfVarargs): - (JSC::loadVarargs): - * parser/Nodes.h: - (JSC::ArrayNode::elements): - * runtime/JSFixedArray.cpp: - (JSC::JSFixedArray::copyToArguments): - * runtime/JSFixedArray.h: - -2017-04-24 Yusuke Suzuki - - [WTF] Move JSC tools/StackTrace to WTF and unify stack trace dump code - https://bugs.webkit.org/show_bug.cgi?id=171199 - - Reviewed by Mark Lam. - - This patch adds a utility method to produce demangled names with dladdr. - It fixes several memory leaks because the result of abi::__cxa_demangle() - needs to be `free`-ed. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): - * runtime/SamplingProfiler.cpp: - (JSC::SamplingProfiler::StackFrame::displayName): - * tools/CellProfile.h: - * tools/CodeProfile.cpp: - (JSC::CodeProfile::report): - (JSC::symbolName): Deleted. - -2017-04-24 Joseph Pecoraro - - Web Inspector: ObjC RWIProtocol codegen should better handle optional members - https://bugs.webkit.org/show_bug.cgi?id=171251 - - - Reviewed by Brian Burg. 
- - * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: - (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member): - * inspector/scripts/codegen/objc_generator.py: - (ObjCGenerator.protocol_to_objc_expression_for_member): - (ObjCGenerator.protocol_to_objc_code_block_for_object_member): - Always be safe and nil check object property accesses, optional or not. - - * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: - * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: - Rebaselined inspector generator tests. - -2017-04-24 Saam Barati - - ASSERTION FAILED: m_table seen with workers/wasm-hashset LayoutTests - https://bugs.webkit.org/show_bug.cgi?id=171119 - - - Reviewed by Keith Miller. - - The HashSet of timer set notification callbacks can be accessed - and augmented simultaneously from different threads. e.g, the worker - thread can augment it while the wasm compilation thread will - access it. Therefore, accesses must be guarded by a lock. - - * runtime/JSRunLoopTimer.cpp: - (JSC::JSRunLoopTimer::scheduleTimer): - (JSC::JSRunLoopTimer::addTimerSetNotification): - (JSC::JSRunLoopTimer::removeTimerSetNotification): - * runtime/JSRunLoopTimer.h: - -2017-04-24 Joseph Pecoraro - - test262: test262/test/language/computed-property-names/class/static/getter-prototype.js - https://bugs.webkit.org/show_bug.cgi?id=170897 - - Reviewed by Saam Barati. - - * parser/ASTBuilder.h: - (JSC::ASTBuilder::createArguments): - (JSC::ASTBuilder::createArgumentsList): - Reorder so all the createProperty methods are grouped together. - - * parser/Parser.h: - * parser/Parser.cpp: - (JSC::Parser::parseClass): - (JSC::Parser::parseProperty): - (JSC::Parser::parseGetterSetter): - Refine the conditions for syntax errors for getter/setter - properties names. "prototype" is not allowed as a static - and "constructor" is not all when non-static. 
- - * runtime/JSObject.cpp: - (JSC::JSObject::putGetter): - (JSC::JSObject::putSetter): - Throw exceptions. These methods are only used by this path - via op_put_getter_by_val / op_put_setter_by_val. - -2017-04-24 Joseph Pecoraro - - test262: test262/test/language/statements/for-of/dstr-array-elem-init-fn-name-arrow.js - https://bugs.webkit.org/show_bug.cgi?id=171160 - - Reviewed by JF Bastien. - - * parser/ASTBuilder.h: - (JSC::ASTBuilder::tryInferNameInPattern): - (JSC::ASTBuilder::tryInferNameInPatternWithIdentifier): - We supported getting the name from a BindingNode. - We extend this to support getting the name from a - ResolveNode inside of an AssignmentElementNode. - - * parser/Nodes.h: - (JSC::DestructuringPatternNode::isAssignmentElementNode): - (JSC::AssignmentElementNode::isAssignmentElementNode): - Make it possible to identify an assignment element node. - -2017-04-24 Alex Christensen - - Reduce copies and allocations in SharedBuffer::append - https://bugs.webkit.org/show_bug.cgi?id=170956 - - Reviewed by Andreas Kling. - - * runtime/ArrayBuffer.h: - -2017-04-24 Carlos Garcia Campos - - [GTK] Switch to use ENABLE_REMOTE_INSPECTOR instead of ENABLE_INSPECTOR_SERVER for the remote inspector - https://bugs.webkit.org/show_bug.cgi?id=166680 - - Reviewed by Michael Catanzaro. - - Add GTK+ port implementation of RemoteInspector. - - * PlatformGTK.cmake: - * inspector/remote/RemoteConnectionToTarget.h: - * inspector/remote/RemoteInspector.h: - * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp: Added. 
- (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget): - (Inspector::RemoteConnectionToTarget::~RemoteConnectionToTarget): - (Inspector::RemoteConnectionToTarget::setup): - (Inspector::RemoteConnectionToTarget::sendMessageToTarget): - (Inspector::RemoteConnectionToTarget::close): - (Inspector::RemoteConnectionToTarget::targetClosed): - (Inspector::RemoteConnectionToTarget::targetIdentifier): - (Inspector::RemoteConnectionToTarget::sendMessageToFrontend): - * inspector/remote/glib/RemoteInspectorGlib.cpp: Added. - (Inspector::RemoteInspector::singleton): - (Inspector::RemoteInspector::RemoteInspector): - (Inspector::RemoteInspector::start): - (Inspector::RemoteInspector::stopInternal): - (Inspector::RemoteInspector::setupConnection): - (Inspector::dbusConnectionCallAsyncReadyCallback): - (Inspector::RemoteInspector::listingForInspectionTarget): - (Inspector::RemoteInspector::listingForAutomationTarget): - (Inspector::RemoteInspector::pushListingsNow): - (Inspector::RemoteInspector::pushListingsSoon): - (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): - (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): - (Inspector::RemoteInspector::sendMessageToRemote): - (Inspector::RemoteInspector::receivedGetTargetListMessage): - (Inspector::RemoteInspector::receivedSetupMessage): - (Inspector::RemoteInspector::receivedDataMessage): - (Inspector::RemoteInspector::receivedCloseMessage): - (Inspector::RemoteInspector::setup): - (Inspector::RemoteInspector::sendMessageToTarget): - (Inspector::RemoteInspector::requestAutomationSession): - * inspector/remote/glib/RemoteInspectorServer.cpp: Added. 
- (Inspector::generateConnectionID): - (Inspector::RemoteInspectorServer::singleton): - (Inspector::RemoteInspectorServer::~RemoteInspectorServer): - (Inspector::RemoteInspectorServer::interfaceInfo): - (Inspector::RemoteInspectorServer::start): - (Inspector::RemoteInspectorServer::newConnectionCallback): - (Inspector::RemoteInspectorServer::connectionClosedCallback): - (Inspector::RemoteInspectorServer::newConnection): - (Inspector::dbusConnectionCallAsyncReadyCallback): - (Inspector::RemoteInspectorServer::setTargetList): - (Inspector::RemoteInspectorServer::clientConnectionClosedCallback): - (Inspector::RemoteInspectorServer::getTargetList): - (Inspector::RemoteInspectorServer::setup): - (Inspector::RemoteInspectorServer::close): - (Inspector::RemoteInspectorServer::clientConnectionClosed): - (Inspector::RemoteInspectorServer::connectionClosed): - (Inspector::RemoteInspectorServer::sendMessageToBackend): - (Inspector::RemoteInspectorServer::sendMessageToFrontend): - (Inspector::RemoteInspectorServer::startAutomationSession): - * inspector/remote/glib/RemoteInspectorServer.h: Added. - (Inspector::RemoteInspectorServer::isRunning): - -2017-04-24 Joseph Pecoraro - - test262: test262/test/language/expressions/generators/yield-as-label.js - https://bugs.webkit.org/show_bug.cgi?id=170979 - - Reviewed by Saam Barati. - - * parser/Parser.cpp: - (JSC::Parser::parseVariableDeclarationList): - (JSC::Parser::parseDestructuringPattern): - (JSC::Parser::parseFormalParameters): - Converge on "Cannot" instead of "Can't" in error messages. - - (JSC::Parser::parseFunctionInfo): - Disallow "yield" as the generator function name in function expressions. - This refers to the difference between Declaration and Expression, where - only GeneratorExpression explicitly has [+Yield] disallowing yield for - the generator name: - - GeneratorDeclaration[Yield, Await, Default]: - function * BindingIdentifier[?Yield, ?Await] ... 
- - GeneratorExpression: - function * BindingIdentifier[+Yield, ~Await]opt ... - - (JSC::Parser::parseExpressionOrLabelStatement): - Disallow "yield" as a label name in strict mode or inside a generator. - - (JSC::Parser::parseProperty): - Disallow "yield" or any keyword in object literal shorthands. - - * parser/Parser.h: - (JSC::Parser::getToken): - (JSC::Parser::isDisallowedIdentifierLet): - (JSC::Parser::isDisallowedIdentifierYield): - (JSC::Parser::disallowedIdentifierLetReason): - (JSC::Parser::disallowedIdentifierYieldReason): - Follow pattern for improved error messages based on context. - -2017-04-23 Commit Queue - - Unreviewed, rolling out r215674. - https://bugs.webkit.org/show_bug.cgi?id=171212 - - Possible unintended commit. This patch was on the wrong bug. - (Requested by JoePeck on #webkit). - - Reverted changeset: - - "test262: test262/test/language/expressions/generators/yield- - as-label.js" - https://bugs.webkit.org/show_bug.cgi?id=170979 - http://trac.webkit.org/changeset/215674 - -2017-04-23 Joseph Pecoraro - - test262: test262/test/built-ins/Number/prototype/toPrecision/nan.js - https://bugs.webkit.org/show_bug.cgi?id=171197 - - Reviewed by Saam Barati. - - * runtime/NumberPrototype.cpp: - (JSC::numberProtoFuncToExponential): - (JSC::numberProtoFuncToFixed): - (JSC::numberProtoFuncToPrecision): - Refine the order of operations to match the spec. - -2017-04-23 Joseph Pecoraro - - test262: test262/test/language/expressions/generators/yield-as-label.js - https://bugs.webkit.org/show_bug.cgi?id=170979 - - Reviewed by Saam Barati. - - * parser/Parser.cpp: - (JSC::Parser::parseVariableDeclarationList): - (JSC::Parser::parseDestructuringPattern): - (JSC::Parser::parseFormalParameters): - Converge on "Cannot" instead of "Can't" in error messages. - - (JSC::Parser::parseFunctionInfo): - Disallow "yield" as the generator function name in function expressions. 
- This refers to the difference between Declaration and Expression, where - only GeneratorExpression explicitly has [+Yield] disallowing yield for - the generator name: - - GeneratorDeclaration[Yield, Await, Default]: - function * BindingIdentifier[?Yield, ?Await] ... - - GeneratorExpression: - function * BindingIdentifier[+Yield, ~Await]opt ... - - (JSC::Parser::parseExpressionOrLabelStatement): - Disallow "yield" as a label name in strict mode or inside a generator. - - (JSC::Parser::parseProperty): - Disallow "yield" or any keyword in object literal shorthands. - - * parser/Parser.h: - (JSC::Parser::getToken): - (JSC::Parser::isDisallowedIdentifierLet): - (JSC::Parser::isDisallowedIdentifierYield): - (JSC::Parser::disallowedIdentifierLetReason): - (JSC::Parser::disallowedIdentifierYieldReason): - Follow pattern for improved error messages based on context. - -2017-04-23 Joseph Pecoraro - - test262: test262/test/built-ins/Number/parseFloat.js - https://bugs.webkit.org/show_bug.cgi?id=171193 - - Reviewed by Yusuke Suzuki. - - * runtime/CommonIdentifiers.h: - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::visitChildren): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::parseFloatFunction): - Expose parseFloat on the global object to be shared with Number constructor. - - * runtime/NumberConstructor.cpp: - (JSC::NumberConstructor::finishCreation): - parseFloat uses the same value as the global parseFloat. - -2017-04-22 Yusuke Suzuki - - [JSC] Use DoublyLinkedList for MachineThread - https://bugs.webkit.org/show_bug.cgi?id=171171 - - Reviewed by Mark Lam. - - MachineThread can use WTF::DoublyLinkedList to simplify - its implementation. We should not use Vector<> etc. since - we do not want to call allocations during suspending and - resuming threads. 
- - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::MachineThreads): - (JSC::MachineThreads::~MachineThreads): - (JSC::MachineThreads::addCurrentThread): - (JSC::MachineThreads::removeThreadIfFound): - (JSC::MachineThreads::MachineThread::MachineThread): - (JSC::MachineThreads::tryCopyOtherThreadStacks): - * heap/MachineStackMarker.h: - (JSC::MachineThreads::threadsListHead): - * runtime/SamplingProfiler.cpp: - (JSC::FrameWalker::isValidFramePointer): - * runtime/VMTraps.cpp: - (JSC::findActiveVMAndStackBounds): - -2017-04-22 JF Bastien - - WebAssembly: Module.exports, Module.imports, Module.customSections are wrong - https://bugs.webkit.org/show_bug.cgi?id=171078 - - Reviewed by Saam Barati. - - They're static properties of Module, not instance properties of a module. - https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymoduleexports - - * wasm/js/WebAssemblyModuleConstructor.cpp: - (JSC::webAssemblyModuleCustomSections): - (JSC::webAssemblyModuleImports): - (JSC::webAssemblyModuleExports): - * wasm/js/WebAssemblyModulePrototype.cpp: - (JSC::webAssemblyModuleProtoCustomSections): Deleted. - (JSC::webAssemblyModuleProtoImports): Deleted. - (JSC::webAssemblyModuleProtoExports): Deleted. - -2017-04-21 Saam Barati - - SharedArrayBuffer-opt.js fails with Briggs - https://bugs.webkit.org/show_bug.cgi?id=170948 - - - Reviewed by Michael Saboff. - - The bug was not actually with Briggs, but instead was with - our X86-64 MacroAssembler. Michael fixed the bug here: - https://trac.webkit.org/changeset/215618/webkit - - The issue was we weren't adding the REX byte for AtomicXchg8, - leading to the incorrect encoding for the result register depending - on which register it was. 
If you look at this code, you'll see the issue: - - Int32 @38 = AtomicXchg(@59, @64, width = 8, range = 0, fenceRange = 0, ControlDependent|Fence|Writes:0|Reads:0, DFG:@49) - AtomicXchg8 %rsi, (%rax,%rdx), @38 - 0x2dcb5bc0015e: lock xchg %dh, (%rax,%rdx) - Int32 @66 = Const32(255, DFG:@49) - Int32 @67 = BitAnd(@38, $255(@66), DFG:@49) - ZeroExtend8To32 %rsi, %rax, @67 - 0x2dcb5bc00162: movzx %sil, %eax - - Air thought the result was in the lower 8 bits of %rsi, - however, the code we emitted stored it in the [8-15] bits - of %rdx. Since this issue is fixed, I'm turning Briggs back - on. - - * b3/air/AirAllocateRegistersByGraphColoring.h: - (JSC::B3::Air::useIRC): - -2017-04-20 Mark Lam - - Refactor MASM probe to allow printing of custom types. - https://bugs.webkit.org/show_bug.cgi?id=171101 - - Reviewed by JF Bastien. - - For example, this allows us to add MASM printing of CodeBlock* and Air::Args. - - In general, MASM print can be used like dataLog, except that it generates JITted - code for doing the dataLogging later when the JITted code runs. MASM print can - print any value type that a specialized Printer template or a setPrinter() - function implemented for that type. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/MacroAssembler.h: - - * assembler/MacroAssemblerPrinter.cpp: - (JSC::Printer::printAllRegisters): - (JSC::Printer::printPCRegister): - (JSC::Printer::printRegisterID): - (JSC::Printer::printFPRegisterID): - (JSC::Printer::printAddress): - (JSC::Printer::printMemory): - (JSC::Printer::printCallback): - (JSC::printIndent): Deleted. - (JSC::printCPU): Deleted. - (JSC::printCPURegisters): Deleted. - (JSC::printPC): Deleted. - (JSC::printRegister): Deleted. - (JSC::printMemory): Deleted. - (JSC::MacroAssemblerPrinter::printCallback): Deleted. 
- * assembler/MacroAssemblerPrinter.h: - (JSC::AllRegisters::AllRegisters): - (JSC::Printer::Printer::Printer): - (JSC::Printer::Printer::Printer): - (JSC::Printer::Printer::Printer): - (JSC::Printer::Printer::Printer): - (JSC::Printer::Printer::Printer): - (JSC::Printer::Printer::Printer): - (JSC::Printer::Printer>::Printer): - (JSC::MacroAssembler::print): - (JSC::MacroAssemblerPrinter::print): Deleted. - (JSC::MacroAssemblerPrinter::PrintArg::PrintArg): Deleted. - (JSC::MacroAssemblerPrinter::appendPrintArg): Deleted. - - Refactored to move the underlying PrintRecord (and associated data structures) - out to Printer.cpp/h. - - MacroAssemblerPrinter.cpp/h now only add custom Printers for MASM types like - RegisterID and Memory. It also defines the implementation of - MacroAssembler::print(). - - As before, JIT code that wishes to use MacroAssembler::print() needs to - #include "MacroAssemblerPrinter.h". - - - Also added the ability to specify an optional indentation (in number of chars) - when MASM printing AllRegisters. This is useful because AllRegisters prints - a block of data unlike other printers which print inline. - - * assembler/Printer.cpp: Added. - (JSC::Printer::printConstCharString): - (JSC::Printer::printIntptr): - (JSC::Printer::printUintptr): - (JSC::Printer::printPointer): - (JSC::Printer::setPrinter): - * assembler/Printer.h: Added. - (JSC::Printer::Context::Context): - (JSC::Printer::PrintRecord::PrintRecord): - (JSC::Printer::appendPrinter): - (JSC::Printer::makePrintRecordList): - (JSC::Printer::Printer::Printer): - (JSC::Printer::setPrinter): - (JSC::Printer::Printer::Printer): - - Data structures for creating a list of PrintRecords. Classes which wish to - add custom support for MASM printing can #include "Printer.h" and implement - either: - 1. a specialized Printer template, or - 2. a setPrinter() function. - - See Printer and Printer in AirPrintSpecial.h for examples of - (1). See CodeBlock's setPrinter() for an example of (2). 
- - * b3/B3LowerToAir.cpp: - (JSC::B3::Air::LowerToAir::print): - * b3/air/AirPrintSpecial.cpp: Added. - (JSC::B3::Air::PrintSpecial::PrintSpecial): - (JSC::B3::Air::PrintSpecial::~PrintSpecial): - (JSC::B3::Air::PrintSpecial::forEachArg): - (JSC::B3::Air::PrintSpecial::isValid): - (JSC::B3::Air::PrintSpecial::admitsStack): - (JSC::B3::Air::PrintSpecial::reportUsedRegisters): - (JSC::B3::Air::PrintSpecial::generate): - (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs): - (JSC::B3::Air::PrintSpecial::extraClobberedRegs): - (JSC::B3::Air::PrintSpecial::dumpImpl): - (JSC::B3::Air::PrintSpecial::deepDumpImpl): - (JSC::Printer::printAirArg): - * b3/air/AirPrintSpecial.h: Added. - (JSC::Printer::appendAirArg): - (JSC::Printer::appendAirArgs): - (JSC::Printer::Printer::Printer): - (JSC::Printer::Printer::Printer): - - Add the print() operation for use in LowerToAir. print() will emit a - PrintSpecial that will ultimately emit a MASM print to print what we want. - - LowerToAir's print() adds the ability to print Air::Args. - - Unlike in the baseline JIT and the DFG, LowerToAir's print() can perturb the - usage of registers. This is because PrintSpecial is a patch point, and it - prevents certain optimizations. If not used carefully, an attempt to print() - an Arg by taking a Tmp, can force the B3 Value into a Tmp earlier than it would - otherwise do so. So, use LowerToAir's print() with care. - - * bytecode/CodeBlock.cpp: - (JSC::setPrinter): - - Now we can MASM print CodeBlock*. - (WTF::printInternal): - - Now we can dataLog CodeBlock* (including null CodeBlock pointers). - - * bytecode/CodeBlock.h: - - * runtime/VM.cpp: - (JSC::VM::throwException): - - Use the new ability to dataLog CodeBlock*. No need to do an explicit null - check before printing anymore. - -2017-04-21 Keith Miller - - Unreviewed, rolling out r215634. - - underlying build issues should have been fixed - - Reverted changeset: - - "Unreviewed, rolling out r215620 and r215623." 
- https://bugs.webkit.org/show_bug.cgi?id=171139 - http://trac.webkit.org/changeset/215634 - -2017-04-21 Commit Queue - - Unreviewed, rolling out r215620 and r215623. - https://bugs.webkit.org/show_bug.cgi?id=171139 - - broke arm64 build (Requested by keith_miller on #webkit). - - Reverted changesets: - - "Add signaling API" - https://bugs.webkit.org/show_bug.cgi?id=170976 - http://trac.webkit.org/changeset/215620 - - "Unreviewed, fix Cloop build." - http://trac.webkit.org/changeset/215623 - -2017-04-21 Keith Miller - - Remove LL/SC from Atomics - https://bugs.webkit.org/show_bug.cgi?id=171141 - - Reviewed by Saam Barati. - - Adding load link and store conditionally was not an actual progression - and the existing code is causing problems for users of Atomics. So let's - get rid of it. - - * heap/LargeAllocation.h: - (JSC::LargeAllocation::testAndSetMarked): - * heap/MarkedBlock.h: - (JSC::MarkedBlock::testAndSetMarked): - * heap/SlotVisitor.cpp: - (JSC::SlotVisitor::setMarkedAndAppendToMarkStack): - -2017-04-21 Keith Miller - - Unreviewed, fix Cloop build. - - * jit/ExecutableAllocator.h: - (JSC::isJITPC): - -2017-04-20 Keith Miller - - Add signaling API - https://bugs.webkit.org/show_bug.cgi?id=170976 - - Reviewed by Filip Pizlo. - - Update various uses of sigaction to use the new signaling API. - Also switch VMTraps to use the thread message system instead of - rolling it's own. - - * jit/ExecutableAllocator.h: - (JSC::isJITPC): - * runtime/VMTraps.cpp: - (JSC::installSignalHandler): - (JSC::VMTraps::VMTraps): - (JSC::VMTraps::SignalSender::send): - (JSC::handleSigusr1): Deleted. - (JSC::handleSigtrap): Deleted. - (JSC::installSignalHandlers): Deleted. - * runtime/VMTraps.h: - * tools/SigillCrashAnalyzer.cpp: - (JSC::installCrashHandler): - (JSC::handleCrash): Deleted. 
- * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::trapHandler): - (JSC::Wasm::enableFastMemory): - -2017-04-21 Michael Saboff - - X86-64 Assembler doesn't handle xchg with byte register src - https://bugs.webkit.org/show_bug.cgi?id=171118 - - Reviewed by Saam Barati. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::xchgb_rm): Use oneByteOp8() since these are 8 bit opcodes. - -2017-04-21 Andy VanWagoner - - [INTL] Implement Intl.DateTimeFormat.prototype.formatToParts - https://bugs.webkit.org/show_bug.cgi?id=169458 - - Reviewed by JF Bastien. - - Use udat_formatForFields to iterate through the parts of a formatted date string. - Make formatToParts and related functions dependent on ICU version >= 55. - - * icu/unicode/udat.h: Update to 55.1. - * icu/unicode/ufieldpositer.h: Added from 55.1. - * icu/unicode/uvernum.h: Update to 55.1 - * runtime/IntlDateTimeFormat.cpp: - (JSC::IntlDateTimeFormat::partTypeString): Convert UDateFormatField to string. - (JSC::IntlDateTimeFormat::formatToParts): Return parts of formatted date string. - * runtime/IntlDateTimeFormat.h: - * runtime/IntlDateTimeFormatPrototype.cpp: - (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): Add prototype function formatToParts. - -2017-04-20 Konstantin Tokarev - - [cmake] Define FORWARDING_HEADERS_DIR in WebKitFS and use it everywhere - https://bugs.webkit.org/show_bug.cgi?id=171071 - - Reviewed by Michael Catanzaro. - - "${DERIVED_SOURCES_DIR}/ForwardingHeaders" path occurs very often in the - build system files. GTK-specifc FORWARDING_HEADERS_DIR variable should - be available for all ports. - - * CMakeLists.txt: - * PlatformWin.cmake: - -2017-04-20 Konstantin Tokarev - - Remove unused lamda captures - https://bugs.webkit.org/show_bug.cgi?id=171098 - - Reviewed by Yusuke Suzuki. 
- - * bytecompiler/NodesCodegen.cpp: - (JSC::ArrayNode::emitBytecode): - * ftl/FTLState.cpp: - (JSC::FTL::State::State): - * wasm/WasmB3IRGenerator.cpp: - -2017-04-20 Yusuke Suzuki - - [JSC][FTL] FTL should support Arrayify - https://bugs.webkit.org/show_bug.cgi?id=169596 - - Reviewed by Saam Barati. - - This patch simply expands the coverage of FTL by supporting Arrayify. - While ArrayifyToStructure is already supported, Arrayify is not supported - in FTL. While supporting Arrayify in FTL itself does not offer so much - performance difference from DFG's one, no FTL support for Arrayify - prevents us applying FTL to the code including Arrayify. - - * dfg/DFGArrayMode.cpp: - (JSC::DFG::toIndexingShape): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileArrayify): - (JSC::FTL::DFG::LowerDFGToB3::compileCheckArray): - (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify): - (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray): - (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure): Deleted. - (JSC::FTL::DFG::LowerDFGToB3::isArrayType): Deleted. - -2017-04-20 Mark Lam - - virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls. - https://bugs.webkit.org/show_bug.cgi?id=171079 - - - Reviewed by Saam Barati. - - This is needed because tail calls would restore callee saved registers (and - therefore, potentially clobber the tag registers) before jumping to the thunk. - - * jit/ThunkGenerators.cpp: - (JSC::virtualThunkFor): - -2017-04-20 Mark Lam - - Build fix after r215592. - https://bugs.webkit.org/show_bug.cgi?id=171088 - - Not reviewed. - - * assembler/MacroAssemblerPrinter.h: - -2017-04-20 Mark Lam - - Update the MASM probe to only take 1 arg instead of 2 (in addition to the callback function). 
- https://bugs.webkit.org/show_bug.cgi?id=171088 - - Reviewed by Michael Saboff and Saam Barati. - - Experience shows that we never use the 2nd arg. So, let's remove it to reduce - the footprint at each probe site. - - Also fix the MacroAssembler::print() function so that it is a no-op when - !ENABLE(MASM_PROBE). This will allow us to have print() statements in JIT code - without a lot of #if ENABLE(MASM_PROBE)s later. - - * assembler/AbstractMacroAssembler.h: - * assembler/MacroAssembler.cpp: - (JSC::stdFunctionCallback): - (JSC::MacroAssembler::probe): - * assembler/MacroAssembler.h: - * assembler/MacroAssemblerARM.cpp: - (JSC::MacroAssemblerARM::probe): - * assembler/MacroAssemblerARM.h: - * assembler/MacroAssemblerARM64.cpp: - (JSC::MacroAssemblerARM64::probe): - * assembler/MacroAssemblerARM64.h: - * assembler/MacroAssemblerARMv7.cpp: - (JSC::MacroAssemblerARMv7::probe): - * assembler/MacroAssemblerARMv7.h: - * assembler/MacroAssemblerPrinter.cpp: - (JSC::MacroAssemblerPrinter::printCallback): - * assembler/MacroAssemblerPrinter.h: - (JSC::MacroAssemblerPrinter::print): - (JSC::MacroAssembler::print): - * assembler/MacroAssemblerX86Common.cpp: - (JSC::MacroAssemblerX86Common::probe): - * assembler/MacroAssemblerX86Common.h: - -2017-04-20 Matt Baker - - Web Inspector: Add regular expression support to XHR breakpoints - https://bugs.webkit.org/show_bug.cgi?id=170099 - - - Reviewed by Joseph Pecoraro. - - * inspector/protocol/DOMDebugger.json: - New optional `isRegex` parameter denotes whether `url` contains - a regular expression. - -2017-04-15 Filip Pizlo - - Optimize SharedArrayBuffer in the DFG+FTL - https://bugs.webkit.org/show_bug.cgi?id=164108 - - Reviewed by Saam Barati. - - This adds atomics intrinsics to the DFG and wires them through to the DFG and FTL backends. This - was super easy in the FTL since B3 already has comprehensive atomic intrinsics, which are more - powerful than what we need right now. 
In the DFG backend, I went with an easy-to-write - implementation that just reduces everything to a weak CAS loop. It's very inefficient with - registers (it needs ~8) but it's the DFG backend, so it's not obvious how much we care. - - To make the rare cases easy to handle, I refactored AtomicsObject.cpp so that the operations for - the slow paths can share code with the native functions. - - This also fixes register handling in the X86 implementations of CAS, in the case that - expectedAndResult is not %rax. This also fixes the ARM64 implementation of branchWeakCAS. - - I adapted the CascadeLock from WTF/benchmarks/ToyLocks.h as a microbenchmark of lock performance. - This benchmark performs 2.5x faster, in both the contended and uncontended case, thanks to this - change. It's still about 3x slower than native. I investigated this only a bit. I suspect that - the story will be different in asm.js code, which will get constant-folding of the typed array - backing store by virtue of how it uses lexically scoped variables as pointers to the heap arrays. - It's worth noting that the native lock I was comparing against, the very nicely-tuned - CascadeLock, is at the very high end of lock throughput under virtually all conditions - (uncontended, microcontended, held for a long time). I also compared to WTF::Lock and others, and - the only ones that performed better in this microbenchmark were spinlocks. I don't recommend - using those. So, when I say this is 3x slower than native, I really mean that it's 3x slower than - the fastest native lock that I have in my arsenal. - - Also worth noting is that I experimented with exposing Atomics.yield(), which uses sched_yield, - as a way of testing if adding a yield loop to the JS cascadeLock would help. It does not help. I - did not investigate why. 
- - * assembler/AbstractMacroAssembler.h: - (JSC::AbstractMacroAssembler::JumpList::append): - * assembler/CPU.h: - (JSC::is64Bit): - (JSC::is32Bit): - * b3/B3Common.h: - (JSC::B3::is64Bit): Deleted. - (JSC::B3::is32Bit): Deleted. - * b3/B3LowerToAir.cpp: - (JSC::B3::Air::LowerToAir::appendTrapping): - (JSC::B3::Air::LowerToAir::appendCAS): - (JSC::B3::Air::LowerToAir::appendGeneralAtomic): - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsicCall): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGDoesGC.cpp: - (JSC::DFG::doesGC): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): - (JSC::DFG::Node::hasArrayMode): * dfg/DFGNodeType.h: - (JSC::DFG::isAtomicsIntrinsic): - (JSC::DFG::numExtraAtomicsArgs): + * dfg/DFGOperations.cpp: + + We updated `operationValueBitLShift` to handle BigInt cases. Also, we + added `operationBitLShiftBigInt` that is used when we compile + `ValueBitLValueBitLShift(BigIntUse)`. + + * dfg/DFGOperations.h: * dfg/DFGPredictionPropagationPhase.cpp: - * dfg/DFGSSALoweringPhase.cpp: - (JSC::DFG::SSALoweringPhase::handleNode): + + `ValueBitLShift`'s prediction propagation rules differs from other + bitwise operations, because using only heap prediction for this node causes + significant performance regression on Octane's zlib and mandreel. + The reason is because of cases where a function is compiled but the + instruction `op_lshift` was never executed before. If we use + `getPrediction()` we will emit a `ForceOSRExit`, resulting in more OSR + than desired. To solve such issue, we are then using + `getPredictionWithoutOSR()` and falling back to `getHeapPrediction()` + only on cases where we can't rely on node's input types. 
+ * dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray): - (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult): - (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): - (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand): - (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): + (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): + (JSC::DFG::SpeculativeJIT::compileShiftOp): * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): + (JSC::DFG::SpeculativeJIT::shiftOp): * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLAbstractHeapRepository.cpp: - (JSC::FTL::AbstractHeapRepository::decorateFencedAccess): - (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions): - * ftl/FTLAbstractHeapRepository.h: + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): * ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): - (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree): - (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): - (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): - (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray): - (JSC::FTL::DFG::LowerDFGToB3::loadFromIntTypedArray): - (JSC::FTL::DFG::LowerDFGToB3::storeType): - (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult): - (JSC::FTL::DFG::LowerDFGToB3::getIntTypedArrayStoreOperand): - (JSC::FTL::DFG::LowerDFGToB3::vmCall): - * ftl/FTLOutput.cpp: - (JSC::FTL::Output::store): - (JSC::FTL::Output::store32As8): - (JSC::FTL::Output::store32As16): - (JSC::FTL::Output::atomicXchgAdd): - (JSC::FTL::Output::atomicXchgAnd): - (JSC::FTL::Output::atomicXchgOr): - (JSC::FTL::Output::atomicXchgSub): - (JSC::FTL::Output::atomicXchgXor): 
- (JSC::FTL::Output::atomicXchg): - (JSC::FTL::Output::atomicStrongCAS): - * ftl/FTLOutput.h: - (JSC::FTL::Output::store32): - (JSC::FTL::Output::store64): - (JSC::FTL::Output::storePtr): - (JSC::FTL::Output::storeFloat): - (JSC::FTL::Output::storeDouble): - * jit/JITOperations.h: - * runtime/AtomicsObject.cpp: - (JSC::atomicsFuncAdd): - (JSC::atomicsFuncAnd): - (JSC::atomicsFuncCompareExchange): - (JSC::atomicsFuncExchange): - (JSC::atomicsFuncIsLockFree): - (JSC::atomicsFuncLoad): - (JSC::atomicsFuncOr): - (JSC::atomicsFuncStore): - (JSC::atomicsFuncSub): - (JSC::atomicsFuncWait): - (JSC::atomicsFuncWake): - (JSC::atomicsFuncXor): - (JSC::operationAtomicsAdd): - (JSC::operationAtomicsAnd): - (JSC::operationAtomicsCompareExchange): - (JSC::operationAtomicsExchange): - (JSC::operationAtomicsIsLockFree): - (JSC::operationAtomicsLoad): - (JSC::operationAtomicsOr): - (JSC::operationAtomicsStore): - (JSC::operationAtomicsSub): - (JSC::operationAtomicsXor): - * runtime/AtomicsObject.h: + (JSC::FTL::DFG::LowerDFGToB3::compileArithBitLShift): + (JSC::FTL::DFG::LowerDFGToB3::compileValueBitLShift): + (JSC::FTL::DFG::LowerDFGToB3::compileBitLShift): Deleted. + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): -2017-04-19 Youenn Fablet +2019-07-12 Keith Miller - [Mac] Allow customizing H264 encoder - https://bugs.webkit.org/show_bug.cgi?id=170829 - - Reviewed by Alex Christensen. - - * Configurations/FeatureDefines.xcconfig: - -2017-04-19 Michael Saboff - - Tune GC related JSC options for iOS - https://bugs.webkit.org/show_bug.cgi?id=171019 - - Reviewed by Mark Lam. - - Always set these GC options on iOS. - - * runtime/Options.cpp: - (JSC::overrideDefaults): - -2017-04-19 JF Bastien - - WebAssembly: fast memory cleanups - https://bugs.webkit.org/show_bug.cgi?id=170909 - - Reviewed by Saam Barati. 
- - * b3/B3LowerToAir.cpp: correct comment, and make wasm-independent - (JSC::B3::Air::LowerToAir::lower): - * b3/B3Procedure.h: - * b3/B3Validate.cpp: - * b3/B3Value.cpp: - (JSC::B3::Value::effects): - * b3/B3WasmBoundsCheckValue.cpp: have the creator pass in a - maximum, so we don't have to know so much about wasm here - (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue): - (JSC::B3::WasmBoundsCheckValue::cloneImpl): - (JSC::B3::WasmBoundsCheckValue::dumpMeta): - * b3/B3WasmBoundsCheckValue.h: - (JSC::B3::WasmBoundsCheckValue::boundsType): - (JSC::B3::WasmBoundsCheckValue::bounds): - * b3/air/AirCode.h: - * b3/air/AirCustom.h: - (JSC::B3::Air::WasmBoundsCheckCustom::generate): - * b3/testb3.cpp: - (JSC::B3::testWasmBoundsCheck): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): - (JSC::Wasm::createJSToWasmWrapper): remove dead code - * wasm/WasmMemory.cpp: don't GC if no memory could possibly be free'd - (JSC::Wasm::Memory::initializePreallocations): verbose-only code, - and copy-pasta bug - -2017-04-19 Mark Lam - - B3StackmapSpecial should handle when stackmap values are not recoverable from a Def'ed arg. - https://bugs.webkit.org/show_bug.cgi?id=170973 - - - Reviewed by Filip Pizlo. - - In the event of an arithmetic overflow on a binary sub instruction (where the - result register is same as one of the operand registers), the CheckSub FTL - operation will try to recover the original value in the clobbered result register. - - This recover is done by adding the other operand value to the result register. - However, this recovery method only works if the width of the original value in - the result register is less or equal to the width of the expected result. If the - width of the original operand value (e.g. a JSInt32) is wider than the result - (e.g. 
a machine Int32), then the sub operation would have zero extended the - result and cleared the upper 32-bits of the result register. Recovery by adding - back the other operand will not restore the JSValue tag in the upper word. - - This poses a problem if the stackmap value for the operand relies on that same - clobbered register. - - The fix is to detect this potential scenario (i.e. width of the Def's arg < width - of a stackmap value). If this condition is detected, we'll declare the stackmap - value to be LateColdUse to ensure that the register allocator gives it a - different register if needed so that it's not dependent on the clobbered register. - - * b3/B3CheckSpecial.cpp: - (JSC::B3::CheckSpecial::forEachArg): - * b3/B3PatchpointSpecial.cpp: - (JSC::B3::PatchpointSpecial::forEachArg): - * b3/B3StackmapSpecial.cpp: - (JSC::B3::StackmapSpecial::forEachArgImpl): - * b3/B3StackmapSpecial.h: - -2017-04-19 JF Bastien - - Unreviewed, rolling out r215520. - - Broke Debian 8 - - Reverted changeset: - - "[INTL] Implement Intl.DateTimeFormat.prototype.formatToParts" - https://bugs.webkit.org/show_bug.cgi?id=169458 - http://trac.webkit.org/changeset/215520 - -2017-04-19 JF Bastien - - WebAssembly: limit slow memories - https://bugs.webkit.org/show_bug.cgi?id=170825 - - Reviewed by Saam Barati. - - We limits the number of fast memories, partly because ASLR. The - code then falls back to slow memories. It first tries to virtually - allocated any declared maximum (and in there, physically the - initial), and if that fails it tries to physically allocate the - initial without any extra. - - This can still be used to cause a bunch of virtual - allocation. This patch imposes soft limit on slow memories as - well. The total virtual maximum for slow memories is set at the - same (theoretical) value as that for fast memories. - - Anything exceeding that limit causes allocation/grow to fail. 
- - * wasm/WasmMemory.cpp: - -2017-04-19 JF Bastien - - Cannot compile JavaScriptCore/runtime/VMTraps.cpp on FreeBSD because std::pair has a non-trivial copy constructor - https://bugs.webkit.org/show_bug.cgi?id=170875 - - Reviewed by Mark Lam. - - WTF::ExpectedDetail::ConstexprBase doesn't have a user-defined - copy constructor, and its implicitly-defined copy constructor is - deleted because the default std::pair implementation on FreeBSD - has a non-trivial copy constructor. /usr/include/c++/v1/__config - says _LIBCPP_TRIVIAL_PAIR_COPY_CTOR is disabled in order to keep - ABI compatibility: - https://svnweb.freebsd.org/changeset/base/261801. - - That's a huge bummer, and I'm not a fan of broken stdlibs, but in - this case it's pretty nice to have a custom named type anyways and - costs nothing. - - * runtime/VMTraps.cpp: - (JSC::findActiveVMAndStackBounds): - (JSC::handleSigusr1): - (JSC::handleSigtrap): - -2017-04-19 Andy VanWagoner - - [INTL] Implement Intl.DateTimeFormat.prototype.formatToParts - https://bugs.webkit.org/show_bug.cgi?id=169458 - - Reviewed by JF Bastien. - - Use udat_formatForFields to iterate through the parts of a formatted date string. - - * icu/unicode/udat.h: Update to 55.1. - * icu/unicode/ufieldpositer.h: Added from 55.1. - * runtime/IntlDateTimeFormat.cpp: - (JSC::IntlDateTimeFormat::partTypeString): Convert UDateFormatField to string. - (JSC::IntlDateTimeFormat::formatToParts): Return parts of formatted date string. - * runtime/IntlDateTimeFormat.h: - * runtime/IntlDateTimeFormatPrototype.cpp: - (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): Add prototype function formatToParts. - -2017-04-19 JF Bastien - - WebAssembly: don't expose any WebAssembly JS object if JIT is off - https://bugs.webkit.org/show_bug.cgi?id=170782 - - Reviewed by Saam Barati. - - It's unexpected that we expose the global WebAssembly object if no - JIT is present because it can't be used to compile or - instantiate. 
Other APIs such as Memory should also be Inaccessible - in those circumstances. - - Also ensure that we don't pre-allocate fast memories if - WebAssembly won't be used, and don't mark our intention to use a - fast TLS slot for WebAssembly. - - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - -2017-04-19 Yusuke Suzuki - - r211670 broke double to int conversion. - https://bugs.webkit.org/show_bug.cgi?id=170961 - - Reviewed by Mark Lam. - - In this patch, we take a template parameter way. - While it reduces duplicate code, it effectively produces - optimized code for operationToInt32SensibleSlow, - and fixes kraken pbkdf2 regression on Linux. - - And this patch also fixes undefined behavior by changing - int32_t to uint32_t. If exp is 31, missingOne is 1 << 31, - INT32_MIN. Thus missingOne - 1 will cause int32_t overflow, - and it is an undefined behavior. - - * runtime/MathCommon.cpp: - (JSC::operationToInt32SensibleSlow): - * runtime/MathCommon.h: - (JSC::toInt32Internal): - (JSC::toInt32): - -2017-04-18 Mark Lam - - r211670 broke double to int conversion. - https://bugs.webkit.org/show_bug.cgi?id=170961 - + getIndexQuickly should be const + https://bugs.webkit.org/show_bug.cgi?id=199747 Reviewed by Yusuke Suzuki. - This is because operationToInt32SensibleSlow() assumes that left shifts of greater - than 31 bits on an 31-bit value will produce a 0. However, the spec says that - "if the value of the right operand is negative or is greater or equal to the - number of bits in the promoted left operand, the behavior is undefined." - See http://en.cppreference.com/w/cpp/language/operator_arithmetic#Bitwise_shift_operators. - - This patch fixes this by restoring the check to prevent a shift of greater than - 31 bits. It also consolidates the optimization in operationToInt32SensibleSlow() - back into toInt32() so that we don't have 2 copies of the same code with only a - slight variation. - - JSC benchmarks shows that performance is neutral with this patch. 
- - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32): - * runtime/MathCommon.cpp: - (JSC::operationToInt32SensibleSlow): Deleted. - * runtime/MathCommon.h: - (JSC::toInt32): - -2017-04-18 Oleksandr Skachkov - - [ES6]. Implement Annex B.3.3 function hoisting rules for eval - https://bugs.webkit.org/show_bug.cgi?id=163208 - - Reviewed by Saam Barati. - - Current patch implements Annex B.3.3 that is related to - hoisting of function declaration in eval. - https://tc39.github.io/ecma262/#sec-web-compat-evaldeclarationinstantiation - Function declaration in eval should create variable with - function name in function scope where eval is invoked - or bind to variable if it declared outside of the eval. - If variable is created it can be removed by 'delete a;' command. - If eval is invoke in block scope that contains let/const - variable with the same name as function declaration - we do not bind. This patch leads to the following behavior: - ''' - function foo() { - { - print(boo); // undefined - eval('{ function boo() {}}'); - print(boo); // function boo() {} - } - print(boo); // function boo() {} - } - - function foobar() { - { - let boo = 10; - print(boo); // 10; - eval('{ function boo() {}}'); - print(boo); // 10; - } - print(boo) // 10 - } - - function bar() { - { - var boo = 10; - print(boo); // 10 - eval('{ function boo() {} }'); - print(boo); // function boo() {} - } - print(boo); // function boo() {} - } - - function bas() { - { - let boo = 10; - eval(' { function boo() {} } '); - print(boo); // 10 - } - print(boo); //Reference Error - } - ''' - - Current implementation relies on already implemented - 'hoist function in sloppy mode' feature, with small changes. 
- In short it works in following way: during hoisting of function - with name S in eval, we are looking for first scope that - contains space for variable with name S and if this scope - has var type we bind function there - - To implement this feature was added bytecode ops: - op_resolve_scope_for_hoisting_func_decl_in_eval - get variable scope - or return undefined if variable can't be binded there. - - There is a corner case, hoist function in eval within catch block, - that is not covered by this patch, and will be fixed in - https://bugs.webkit.org/show_bug.cgi?id=168184 - - * bytecode/BytecodeDumper.cpp: - (JSC::BytecodeDumper::dumpBytecode): - * bytecode/BytecodeList.json: - * bytecode/BytecodeUseDef.h: - (JSC::computeUsesForBytecodeOffset): - (JSC::computeDefsForBytecodeOffset): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finalizeLLIntInlineCaches): - * bytecode/EvalCodeBlock.h: - (JSC::EvalCodeBlock::functionHoistingCandidate): - (JSC::EvalCodeBlock::numFunctionHoistingCandidates): - * bytecode/UnlinkedEvalCodeBlock.h: - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::BytecodeGenerator): - (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary): - (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval): - * bytecompiler/BytecodeGenerator.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCapabilities.cpp: - (JSC::DFG::capabilityLevel): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGDoesGC.cpp: - (JSC::DFG::doesGC): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasIdentifier): - * dfg/DFGNodeType.h: - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGPredictionPropagationPhase.cpp: - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - 
(JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileNode): - (JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): - * interpreter/Interpreter.cpp: - (JSC::Interpreter::execute): - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - * jit/JIT.h: - * jit/JITOperations.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): - * llint/LowLevelInterpreter.asm: - * parser/Parser.cpp: - (JSC::Parser::parseFunctionDeclarationStatement): - * parser/Parser.h: - (JSC::Scope::getSloppyModeHoistedFunctions): - (JSC::Parser::declareFunction): - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - * runtime/CommonSlowPaths.h: - * runtime/EvalExecutable.h: - (JSC::EvalExecutable::numFunctionHoistingCandidates): - (JSC::EvalExecutable::numTopLevelFunctionDecls): - (JSC::EvalExecutable::numberOfFunctionDecls): Deleted. - * runtime/JSScope.cpp: - (JSC::JSScope::resolve): - (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval): - * runtime/JSScope.h: - -2017-04-18 Saam Barati - - Follow up to address Mark's comments after r215453 - - Rubber stamped by Mark Lam. 
- - This patch chooses better names for things, adhering to Mark's suggestions - in https://bugs.webkit.org/show_bug.cgi?id=139847 - - * bytecompiler/NodesCodegen.cpp: - (JSC::CallFunctionCallDotNode::emitBytecode): - (JSC::ApplyFunctionCallDotNode::emitBytecode): - * parser/NodeConstructors.h: - (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): - (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): - * parser/Nodes.h: - * parser/Parser.cpp: - (JSC::recordCallOrApplyDepth): - (JSC::Parser::parseMemberExpression): - * parser/Parser.h: - (JSC::Parser::CallOrApplyDepthScope::CallOrApplyDepthScope): - (JSC::Parser::CallOrApplyDepthScope::distanceToInnermostChild): - (JSC::Parser::CallOrApplyDepthScope::~CallOrApplyDepthScope): - (JSC::Parser::CallOrApplyDepth::CallOrApplyDepth): Deleted. - (JSC::Parser::CallOrApplyDepth::maxChildDepth): Deleted. - (JSC::Parser::CallOrApplyDepth::~CallOrApplyDepth): Deleted. - -2017-04-18 Yusuke Suzuki - - [DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String) - https://bugs.webkit.org/show_bug.cgi?id=170943 - - Reviewed by Geoffrey Garen. - - This patch converts ValueAdd(Int32, String) to MakeRope(ToString(Int32), String). - This has 2 great features. - - 1. MakeRope(ToString(Int32), String) is less clobbering. - - While ValueAdd ends up calling functions, VM knows much about MakeRope(ToString(Int32), String) - and VM knows it is less clobbering. It encourages LICM and other operations that is conservatively - executed because of ValueAdd's clobbering. - - 2. Simply, MakeRope(ToString(Int32), String) is faster than ValueAdd. - - While ValueAdd ends up calling a generic function, our ToString(Int32) calls well-optimized toString - operation. And later, MakeRope can fall into the fast path that just takes a string from a free list. - It is simply faster than ValueAdd. - - We ensure that this patch shows performance improvement in attached benchmarks. 
- - baseline patched - - number-to-string-with-add-empty 16.2763+-3.3930 ^ 10.3142+-1.0967 ^ definitely 1.5780x faster - number-to-string-with-add-in-loop 168.7621+-10.9738 ^ 15.5307+-3.3179 ^ definitely 10.8664x faster - number-to-string-with-add 18.8557+-4.8292 11.6901+-2.5650 might be 1.6130x faster - - In SixSpeed, - - baseline patched - - template_string_tag.es5 200.1027+-20.6871 ^ 25.7925+-11.4052 ^ definitely 7.7582x faster - template_string_tag.es6 331.3913+-12.1750 ^ 286.6958+-26.0441 ^ definitely 1.1559x faster - for-of-array.es5 412.4344+-23.2517 ^ 272.8707+-47.2118 ^ definitely 1.5115x faster - for-of-array.es6 504.0082+-65.5045 ^ 300.3277+-12.8193 ^ definitely 1.6782x faster - - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::createToString): - * dfg/DFGPredictionPropagationPhase.cpp: - -2017-04-18 Michael Saboff - - REGRESSION(215272): microbenchmark/seal-and-do-work and microbenchmark/freeze-and-do-work are 27x slower - https://bugs.webkit.org/show_bug.cgi?id=170881 - - Reviewed by Saam Barati. - - * runtime/ObjectConstructor.cpp: - (JSC::objectConstructorSeal): - (JSC::objectConstructorFreeze): - Restored fast paths for final objects that don't have indexed properties. - -2017-04-18 Yusuke Suzuki - - [DFG] Use Phantom for base instead of getter when inlining intrinsic getter - https://bugs.webkit.org/show_bug.cgi?id=170947 - - Reviewed by Saam Barati. - - getter does not need to be live after OSR Exit. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleGetById): - -2017-04-18 Yusuke Suzuki - - Unreviewed, follow-up patch after r215459 - https://bugs.webkit.org/show_bug.cgi?id=170940 - - Reviewed by Filip Pizlo. - - CheckCell can cause OSRExit. Thus Phantom should be placed after CheckCell. 
- - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::emitFunctionChecks): - (JSC::DFG::ByteCodeParser::handleGetById): - -2017-04-18 Yusuke Suzuki - - [DFG] Drop unknown use of CheckCell's child2 to work ObjectAllocationSinking for Array iterator object - https://bugs.webkit.org/show_bug.cgi?id=170940 - - Reviewed by Filip Pizlo. - - The second argument of CheckCell is not used in meaningful way. It is just *use* the node. - The problem is that it effectively *use* the child2 in ObjectAllocationSinking phase, and - prevent us from eliminating object allocations. Actually, it materializes Array iterator - when inlining `next()`. Instead, we should use Phantom in such a case. - - It improves destructuring.es6 in SixSpeed 2.5x. - - destructuring.es6 308.5184+-25.3490 ^ 119.5680+-15.0520 ^ definitely 2.5803x faster - - Note that SixSpeed tested in arewefastyet executes all the tests in one process while our SixSpeed - tests each one in isolated way. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::emitFunctionChecks): - (JSC::DFG::ByteCodeParser::handleGetById): - -2017-04-18 Yusuke Suzuki - - [JSC][GTK] glib RunLoop does not accept negative start interval - https://bugs.webkit.org/show_bug.cgi?id=170775 - - Reviewed by Saam Barati. - - * heap/GCActivityCallback.cpp: - (JSC::GCActivityCallback::scheduleTimer): - -2017-04-17 Saam Barati - - BytecodeGenerator ".call" and ".apply" is exponential in nesting depth - https://bugs.webkit.org/show_bug.cgi?id=139847 - - - Reviewed by Oliver Hunt. - - The BytecodeGenerator's .apply(...) and .call(...) code would - emit bytecode for the evaluation of its arguments twice. This - is exponential, specifically, 2^n, where n is the nesting depth of - .call(...) or .apply(...) inside other .call(...) or .apply(...). - - The reason we emit code for the arguments twice is that we try - to emit efficient code for when .call or .apply is Function.prototype.call - or Function.prototype.apply. 
Because of this, we compare .call/.apply to - Function.prototype.call/.apply, and if they're the same, we emit a specialized - function call in bytecode. Otherwise, we emit the generalized version. - - This patch makes it so that each .call(...) and .apply(...) records - its max inner nesting depth. Then, we only perform the optimization - for the bottom k (where k = 6) layers of the nesting tree. The reason we - apply the optimization to the bottom k layers instead of top k layers - is that we'll produce less code this way. - - * bytecompiler/NodesCodegen.cpp: - (JSC::CallFunctionCallDotNode::emitBytecode): - (JSC::ApplyFunctionCallDotNode::emitBytecode): - * parser/ASTBuilder.h: - (JSC::ASTBuilder::makeFunctionCallNode): - * parser/NodeConstructors.h: - (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode): - (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode): - * parser/Nodes.h: - * parser/Parser.cpp: - (JSC::recordCallOrApplyDepth): - (JSC::Parser::parseMemberExpression): - * parser/Parser.h: - (JSC::Parser::CallOrApplyDepth::CallOrApplyDepth): - (JSC::Parser::CallOrApplyDepth::maxChildDepth): - (JSC::Parser::CallOrApplyDepth::~CallOrApplyDepth): - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::makeFunctionCallNode): - -2017-04-17 Mark Lam - - JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too. - https://bugs.webkit.org/show_bug.cgi?id=170896 - - - Reviewed by JF Bastien and Keith Miller. - - * runtime/JSArray.cpp: - (JSC::JSArray::appendMemcpy): - -2017-04-17 Joseph Pecoraro - - Web Inspector: Doesn't show size of compressed content correctly - https://bugs.webkit.org/show_bug.cgi?id=155112 - - - Reviewed by Alex Christensen and Timothy Hatcher. - - * inspector/protocol/Network.json: - New, exact size metrics, available after the load completes. - -2017-04-17 Youenn Fablet - - Disable outdated WritableStream API - https://bugs.webkit.org/show_bug.cgi?id=170749 - - - Reviewed by Alex Christensen. 
+ * runtime/Butterfly.h: + (JSC::Butterfly::indexingPayload const): + (JSC::Butterfly::arrayStorage const): + (JSC::Butterfly::contiguousInt32 const): + (JSC::Butterfly::contiguousDouble const): + (JSC::Butterfly::contiguous const): + * runtime/JSObject.h: + (JSC::JSObject::canGetIndexQuickly const): + (JSC::JSObject::getIndexQuickly const): + (JSC::JSObject::tryGetIndexQuickly const): + (JSC::JSObject::canGetIndexQuickly): Deleted. + (JSC::JSObject::getIndexQuickly): Deleted. + +2019-07-11 Justin Michaud + + Add b3 macro lowering for CheckMul on arm64 + https://bugs.webkit.org/show_bug.cgi?id=199251 + + Reviewed by Robin Morisset. + + - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. + - Add a new opcode to air on arm64 for smull (multiplySignExtend32). + - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). + - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, + and no change on the no-constant benchmark. + Also, skip some of the b3 tests that were failing before this patch so that the new tests can run + to completion. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::multiplySignExtend32): + * assembler/testmasm.cpp: + (JSC::testMul32SignExtend): + (JSC::run): + * b3/B3LowerMacros.cpp: + * b3/B3LowerToAir.cpp: + * b3/air/AirOpcode.opcodes: + * b3/testb3.cpp: + (JSC::B3::testMulArgs32SignExtend): + (JSC::B3::testMulImm32SignExtend): + (JSC::B3::testMemoryFence): + (JSC::B3::testStoreFence): + (JSC::B3::testLoadFence): + (JSC::B3::testPinRegisters): + (JSC::B3::run): + +2019-07-11 Yusuke Suzuki + + Unreviewed, revert r243617. + https://bugs.webkit.org/show_bug.cgi?id=196341 + + Mark pointed out that JSVirtualMachine can be gone in the other thread while we are executing GC constraint-solving. 
+ This patch does not account that JavaScriptCore.framework is multi-thread safe: JSVirtualMachine wrapper can be destroyed, + and [JSVirtualMachine dealloc] can be executed in any threads while the VM is retained and used in the other thread (e.g. + destroyed from AutoReleasePool in some thread). + + * API/JSContext.mm: + (-[JSContext initWithVirtualMachine:]): + (-[JSContext dealloc]): + (-[JSContext initWithGlobalContextRef:]): + (-[JSContext wrapperMap]): + (+[JSContext contextWithJSGlobalContextRef:]): + * API/JSVirtualMachine.mm: + (initWrapperCache): + (wrapperCache): + (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): + (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): + (-[JSVirtualMachine initWithContextGroupRef:]): + (-[JSVirtualMachine dealloc]): + (+[JSVirtualMachine virtualMachineWithContextGroupRef:]): + (-[JSVirtualMachine contextForGlobalContextRef:]): + (-[JSVirtualMachine addContext:forGlobalContextRef:]): + (scanExternalObjectGraph): + (scanExternalRememberedSet): + * API/JSVirtualMachineInternal.h: + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::setWrapperMap): + (JSC::JSGlobalObject::setAPIWrapper): Deleted. + (JSC::JSGlobalObject::apiWrapper const): Deleted. + * runtime/VM.h: + +2019-07-10 Tadeu Zagallo + + Optimize join of large empty arrays + https://bugs.webkit.org/show_bug.cgi?id=199636 + + Reviewed by Mark Lam. + + Replicate the behavior of `str.repeat(count)` when performing `new Array(count + 1).join(str)`. + I added two new microbenchmarks: + - large-empty-array-join, which does not use the result of the join and runs ~44x faster and uses ~18x less memory. + - large-empty-array-join-resolve-rope, which uses the result of the join and runs 2x faster. 
+ + baseline diff + large-empty-array-join 2713.9698+-72.7621 ^ 61.2335+-10.4836 ^ definitely 44.3217x faster + large-empty-array-join-resolve-string 26.5517+-0.3995 ^ 12.9309+-0.5516 ^ definitely 2.0533x faster + + large-empty-array-join memory usage with baseline (dirty): + 733012 kB current_mem + 756824 kB lifetime_peak + + large-empty-array-join memory usage with diff (dirty): + 41904 kB current_mem + 41972 kB lifetime_peak + + Additionally, I ran JetStream2, sunspider and v8-spider and all were neutral. + + * runtime/ArrayPrototype.cpp: + (JSC::fastJoin): + +2019-07-08 Keith Miller + + Enable Intl.PluralRules and Intl.NumberFormatToParts by default + https://bugs.webkit.org/show_bug.cgi?id=199288 + + Reviewed by Yusuke Suzuki. + + These features have been around for a while. We should turn them on by default. + + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::IntlNumberFormatPrototype::finishCreation): + * runtime/IntlObject.cpp: + (JSC::IntlObject::finishCreation): Deleted. + * runtime/IntlObject.h: + * runtime/Options.h: + +2019-07-08 Antoine Quint + + [Pointer Events] Enable only on the most recent version of the supported iOS family + https://bugs.webkit.org/show_bug.cgi?id=199562 + + + Reviewed by Dean Jackson. * Configurations/FeatureDefines.xcconfig: -2017-04-17 Yusuke Suzuki +2019-07-06 Michael Saboff - [JSCOnly] Fix build failures in macOS - https://bugs.webkit.org/show_bug.cgi?id=170887 + switch(String) needs to check for exceptions when resolving the string + https://bugs.webkit.org/show_bug.cgi?id=199541 - Reviewed by Alex Christensen. + Reviewed by Mark Lam. - Align ICU header configuration to MacCMake port. + Added exception checks for resolved Strings in switch processing for all tiers. 
- * PlatformJSCOnly.cmake: + * dfg/DFGOperations.cpp: + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): -2017-04-17 JF Bastien +2019-07-05 Mark Lam - B3: don't allow unsigned offsets in Value - https://bugs.webkit.org/show_bug.cgi?id=170692 + ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero. + https://bugs.webkit.org/show_bug.cgi?id=199533 + Reviewed by Filip Pizlo. - MemoryValue and similar B3 opcode classes always expects a signed - offset. Giving it an out-of-bounds unsigned offset causes - implementation-defined behavior, which can cause badness as I just - fixed in WebAssembly. This patch makes it impossible to create a - Value opcodes with an unsigned value, or with an overly-large - value. + * dfg/DFGArgumentsEliminationPhase.cpp: - * b3/B3AtomicValue.cpp: - (JSC::B3::AtomicValue::AtomicValue): - * b3/B3AtomicValue.h: - * b3/B3Common.h: - (JSC::B3::isRepresentableAs): - * b3/B3EliminateCommonSubexpressions.cpp: - * b3/B3LowerToAir.cpp: - (JSC::B3::Air::LowerToAir::scaleForShl): - (JSC::B3::Air::LowerToAir::effectiveAddr): - (JSC::B3::Air::LowerToAir::addr): - (JSC::B3::Air::LowerToAir::tryAppendLea): - * b3/B3MemoryValue.cpp: - (JSC::B3::MemoryValue::isLegalOffsetImpl): - (JSC::B3::MemoryValue::MemoryValue): - * b3/B3MemoryValue.h: - * b3/B3MemoryValueInlines.h: - (JSC::B3::MemoryValue::isLegalOffsetImpl): - * b3/B3MoveConstants.cpp: - * b3/B3ReduceStrength.cpp: - * b3/B3StackmapSpecial.cpp: - (JSC::B3::StackmapSpecial::repForArg): - * b3/B3Value.h: - * b3/air/AirArg.cpp: - (JSC::B3::Air::Arg::stackAddrImpl): - * b3/air/AirArg.h: - (JSC::B3::Air::Arg::addr): - (JSC::B3::Air::Arg::stack): - (JSC::B3::Air::Arg::callArg): - (JSC::B3::Air::Arg::stackAddr): - (JSC::B3::Air::Arg::index): - (JSC::B3::Air::Arg::offset): - (JSC::B3::Air::Arg::isValidAddrForm): - (JSC::B3::Air::Arg::isValidIndexForm): - (JSC::B3::Air::Arg::asTrustedImm32): - 
(JSC::B3::Air::Arg::asAddress): - (JSC::B3::Air::Arg::asBaseIndex): - * b3/air/AirLowerStackArgs.cpp: - (JSC::B3::Air::lowerStackArgs): - * b3/testb3.cpp: - (JSC::B3::testMulArgStore): - (JSC::B3::testStore32): - (JSC::B3::testStoreConstant): - (JSC::B3::testStoreConstantPtr): - (JSC::B3::testStoreAddLoad32): - (JSC::B3::testStoreAddLoadImm32): - (JSC::B3::testStoreAddLoad8): - (JSC::B3::testStoreAddLoadImm8): - (JSC::B3::testStoreAddLoad16): - (JSC::B3::testStoreAddLoadImm16): - (JSC::B3::testStoreAddLoad64): - (JSC::B3::testStoreAddLoadImm64): - (JSC::B3::testStoreAddLoad32Index): - (JSC::B3::testStoreAddLoadImm32Index): - (JSC::B3::testStoreAddLoad64Index): - (JSC::B3::testStoreAddLoadImm64Index): - (JSC::B3::testStoreSubLoad): - (JSC::B3::testStoreAddLoadInterference): - (JSC::B3::testStoreAddAndLoad): - (JSC::B3::testStoreNegLoad32): - (JSC::B3::testStoreNegLoadPtr): - (JSC::B3::testLoadOffset): - (JSC::B3::testLoadOffsetNotConstant): - (JSC::B3::testLoadOffsetUsingAdd): - (JSC::B3::testLoadOffsetUsingAddInterference): - (JSC::B3::testLoadOffsetUsingAddNotConstant): - (JSC::B3::testStoreLoadStackSlot): - (JSC::B3::testLoad): - (JSC::B3::testInterpreter): - (JSC::B3::testTrappingStore): - (JSC::B3::testTrappingLoadAddStore): - (JSC::B3::testWasmAddress): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::fixupPointerPlusOffset): - (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): - (JSC::Wasm::B3IRGenerator::emitLoadOp): - (JSC::Wasm::B3IRGenerator::emitStoreOp): +2019-07-05 Yusuke Suzuki -2017-04-16 Joseph Pecoraro + Unreviewed, fix build failure on ARM64_32 + https://bugs.webkit.org/show_bug.cgi?id=182434 - test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js - https://bugs.webkit.org/show_bug.cgi?id=170882 + Implicit narrowing from uint64_t to uint32_t happens. We should explicitly narrow it because we already checked + the `length` is <= UINT32_MAX. 
+ + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncSpeciesCreate): + +2019-07-05 Alexey Shvayka + + [JSC] Clean up ArraySpeciesCreate + https://bugs.webkit.org/show_bug.cgi?id=182434 + + Reviewed by Yusuke Suzuki. + + We have duplicate code in arraySpeciesCreate, filter, map, concatSlowPath of ArrayPrototype.js + and speciesConstructArray of ArrayPrototype.cpp. This patch fixes cross-realm Array constructor + detection in native speciesConstructArray, upgrades `length` type to correctly handle large integers, + and exposes it as @arraySpeciesCreate. Also removes now unused @isArrayConstructor private function. + Native speciesConstructArray is preferred because it has fast path via speciesWatchpointIsValid. + + Thoroughly benchmarked: this change progresses ARES-6 by 0-1%. + + * builtins/ArrayPrototype.js: + (filter): + (map): + (globalPrivate.concatSlowPath): + (globalPrivate.arraySpeciesCreate): Deleted. + * builtins/BuiltinNames.h: + * runtime/ArrayConstructor.cpp: + (JSC::arrayConstructorPrivateFuncIsArrayConstructor): Deleted. + * runtime/ArrayConstructor.h: + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncSpeciesCreate): + * runtime/ArrayPrototype.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + +2019-07-05 Tadeu Zagallo + + Unreviewed, change the value used to scribble Heap::m_worldState + https://bugs.webkit.org/show_bug.cgi?id=199498 + + Follow-up after r247160. The value used to scribble should have the + conn bit set. + + * heap/Heap.cpp: + (JSC::Heap::~Heap): + +2019-07-05 Ryan Haddad + + Unreviewed, rolling out r247115. + + Breaks lldbWebKitTester (and by extension, test-webkitpy) + + Reverted changeset: + + "[WHLSL] Standard library is too big to directly include in + WebCore" + https://bugs.webkit.org/show_bug.cgi?id=198186 + https://trac.webkit.org/changeset/247115 + +2019-07-05 Tadeu Zagallo + + Scribble Heap::m_worldState on destructor + https://bugs.webkit.org/show_bug.cgi?id=199498 + + Reviewed by Sam Weinig. 
+ + The worldState is dumped when we crash due to a failed checkConn, and + this will make it clear if the heap has already been destroyed. + + * heap/Heap.cpp: + (JSC::Heap::~Heap): + +2019-07-03 Sam Weinig + + Adopt simple structured bindings in more places + https://bugs.webkit.org/show_bug.cgi?id=199247 + + Reviewed by Alex Christensen. + + Replaces simple uses of std::tie() with structured bindings. Does not touch + uses of std::tie() that are not initial declarations, use std::ignore or in + case where the binding is captured by a lambda, as structured bindings don't + work for those cases yet. + + * runtime/PromiseDeferredTimer.cpp: + (JSC::PromiseDeferredTimer::doWork): + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::createSourceBufferFromValue): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::webAssemblyValidateFunc): + +2019-07-03 Keith Miller + + PACCage should first cage leaving PAC bits intact then authenticate + https://bugs.webkit.org/show_bug.cgi?id=199372 Reviewed by Saam Barati. - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncToLocaleString): - We should be using the this value without ToObject conversion both when - getting the potential accessor and calling it. In strict mode, the this - value will remain its simple value, in non-strict it is still converted. + This ordering prevents someone from taking a signed pointer from + outside the gigacage and using it in a struct that expects a caged + pointer. Previously, the PACCaging just double checked that the PAC + bits were valid for the original pointer. 
-2017-04-16 Joseph Pecoraro - test262: test262/test/built-ins/isNaN/toprimitive-not-callable-throws.js - https://bugs.webkit.org/show_bug.cgi?id=170888 + +---------------------------+ + | | | | + | "PAC" | "base" | "offset" +----+ + | | | | | + +---------------------------+ | Caging + | | + | | + | v + | +---------------------------+ + | | | | | + | Bit Merge | 00000 | base | "offset" | + | | | | | + | +---------------------------+ + | | + | | + v | Bit Merge + +---------------------------+ | + | | | | | + | "PAC" | base | "offset" +<--------+ + | | | | + +---------------------------+ + | + | + | Authenticate + | + v + +---------------------------+ + | | | | + | Auth | base | "offset" | + | | | | + +---------------------------+ - Reviewed by Saam Barati. + The above ascii art graph shows how the PACCage system works. The + key take away is that even if someone passes in a valid, signed + pointer outside the cage it will still fail to authenticate as the + "base" bits will change before authentication. - * runtime/ExceptionHelpers.h: - * runtime/ExceptionHelpers.cpp: - (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction): - Fix up this function name. - * runtime/JSObject.cpp: - (JSC::callToPrimitiveFunction): - When called with @@isPrimitive, bail on undefined or null and - throw a type error if the value is not callable. + * assembler/MacroAssemblerARM64E.h: + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::caged): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageConditionally): + * llint/LowLevelInterpreter64.asm: - (JSC::JSObject::toPrimitive): - Use throw scope to check for exception. 
+2019-07-03 Paulo Matos -2017-04-16 Joseph Pecoraro + Refactoring of architectural Register Information + https://bugs.webkit.org/show_bug.cgi?id=198604 - test262: test262/test/language/expressions/tagged-template/template-object.js - https://bugs.webkit.org/show_bug.cgi?id=170878 + Reviewed by Keith Miller. - Reviewed by Saam Barati. + The goal of this patch is to centralize the register information per platform + but access it in a platform independent way. The patch as been implemented for all + known platforms: ARM64, ARMv7, MIPS, X86 and X86_64. Register information has + been centralized in an architecture per-file: each file is called assembler/Registers.h. + + RegisterInfo.h is used as a forwarding header to choose which register information to load. + assembler/Assembler.h and jit/RegisterSet.cpp use this information in a platform + independent way. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::gprName): Use register names from register info file. + (JSC::ARM64Assembler::sprName): likewise. + (JSC::ARM64Assembler::fprName): likewise. + * assembler/ARM64Registers.h: Added. + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::gprName): Use register names from register info file. + (JSC::ARMv7Assembler::sprName): likewise. + (JSC::ARMv7Assembler::fprName): likewise. + * assembler/ARMv7Registers.h: Added. + * assembler/MIPSAssembler.h: + (JSC::MIPSAssembler::gprName): Use register names from register info file. + (JSC::MIPSAssembler::sprName): likewise. + (JSC::MIPSAssembler::fprName): likewise. + * assembler/MIPSRegisters.h: Added. + * assembler/RegisterInfo.h: Added. + * assembler/X86Assembler.h: + (JSC::X86Assembler::gprName): Use register names from register info file. + (JSC::X86Assembler::sprName): likewise. + (JSC::X86Assembler::fprName): likewise. + * assembler/X86Registers.h: Added. + * assembler/X86_64Registers.h: Added. 
+ * jit/GPRInfo.h: Fix typo in comment (s/basline/baseline). + * jit/RegisterSet.cpp: + (JSC::RegisterSet::reservedHardwareRegisters): Use register properties from register info file. + (JSC::RegisterSet::calleeSaveRegisters): likewise. + +2019-07-02 Michael Saboff + + Exception from For..of loop destructured assignment eliminates TDZ checks in subsequent code + https://bugs.webkit.org/show_bug.cgi?id=199395 + + Reviewed by Filip Pizlo. + + For destructuring assignmests, the assignment might throw a reference error if + the RHS cannot be coerced. The current bytecode generated for such assignments + optimizes out the TDZ check after the coercible check. + + By saving the current state of the TDZ stack before processing the setting of + target destructured values and then restoring afterwards, we won't optimize out + later TDZ check(s). + + A similar change of saving / restoring the TDZ stack where exceptions might + happen was done for for..in loops in change set r232219. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ObjectPatternNode::bindValue const): + +2019-07-02 Commit Queue + + Unreviewed, rolling out r247041. + https://bugs.webkit.org/show_bug.cgi?id=199425 + + broke some iOS arm64e tests (Requested by keith_miller on + #webkit). + + Reverted changeset: + + "PACCage should first cage leaving PAC bits intact then + authenticate" + https://bugs.webkit.org/show_bug.cgi?id=199372 + https://trac.webkit.org/changeset/247041 + +2019-07-02 Keith Miller + + Frozen Arrays length assignment should throw in strict mode + https://bugs.webkit.org/show_bug.cgi?id=199365 + + Reviewed by Yusuke Suzuki. * runtime/JSArray.cpp: (JSC::JSArray::put): - The fast path for setting an Array's length should check if length is - writable before checking for and possibly throwing a RangeError. 
-2017-04-16 Joseph Pecoraro +2019-07-02 Paulo Matos - test262: test262/test/built-ins/Object/getOwnPropertyNames/15.2.3.4-4-44.js - https://bugs.webkit.org/show_bug.cgi?id=170879 + Fix typo in if/else block and remove dead assignment + https://bugs.webkit.org/show_bug.cgi?id=199352 + + Reviewed by Alexey Proskuryakov. + + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPattern::dumpPattern): Fix typo in if/else block and remove dead assignment + +2019-07-02 Keith Miller + + PACCage should first cage leaving PAC bits intact then authenticate + https://bugs.webkit.org/show_bug.cgi?id=199372 Reviewed by Saam Barati. - * runtime/StringObject.h: - * runtime/StringObject.cpp: - (JSC::StringObject::getOwnPropertyNames): - (JSC::StringObject::getOwnNonIndexPropertyNames): - Ensure 'length' comes after all indexed properties by moving - it out to the getOwnNonIndexPropertyNames method which is called - inside of getOwnPropertyNames after JSObject handles indices. + This ordering prevents someone from taking a signed pointer from + outside the gigacage and using it in a struct that expects a caged + pointer. Previously, the PACCaging just double checked that the PAC + bits were valid for the original pointer. -2017-04-16 Joseph Pecoraro - test262: test262/test/built-ins/Date/prototype/Symbol.toPrimitive/name.js - https://bugs.webkit.org/show_bug.cgi?id=170884 + +---------------------------+ + | | | | + | "PAC" | "base" | "offset" +----+ + | | | | | + +---------------------------+ | Caging + | | + | | + | v + | +---------------------------+ + | | | | | + | Bit Merge | 00000 | base | "offset" | + | | | | | + | +---------------------------+ + | | + | | + v | Bit Merge + +---------------------------+ | + | | | | | + | "PAC" | base | "offset" +<--------+ + | | | | + +---------------------------+ + | + | + | Authenticate + | + v + +---------------------------+ + | | | | + | Auth | base | "offset" | + | | | | + +---------------------------+ - Reviewed by Yusuke Suzuki. 
+ The above ascii art graph shows how the PACCage system works. The + key take away is that even if someone passes in a valid, signed + pointer outside the cage it will still fail to authenticate as the + "base" bits will change before authentication. - * runtime/DatePrototype.cpp: - (JSC::DatePrototype::finishCreation): - * runtime/FunctionPrototype.cpp: - (JSC::FunctionPrototype::addFunctionProperties): - * runtime/RegExpPrototype.cpp: - (JSC::RegExpPrototype::finishCreation): - * runtime/SymbolPrototype.cpp: - (JSC::SymbolPrototype::finishCreation): - Give symbol property functions proper function names. - This addresses function.name but not function.toString(). -2017-04-15 Joseph Pecoraro + * assembler/MacroAssemblerARM64E.h: + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::caged): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageConditionally): + * llint/LowLevelInterpreter64.asm: - test262: test262/test/language/global-code/new.target-arrow.js - https://bugs.webkit.org/show_bug.cgi?id=170872 +2019-07-01 Justin Michaud + + [Wasm-References] Disable references by default + https://bugs.webkit.org/show_bug.cgi?id=199390 Reviewed by Saam Barati. - * parser/Parser.cpp: - (JSC::Parser::Parser): - Mark the global code scope. + * runtime/Options.h: - (JSC::Parser::parseMemberExpression): - If new.target is detected in an arrow function defined in global scope - throw a SyntaxError. +2019-07-01 Ryan Haddad - * parser/Parser.h: - (JSC::Scope::Scope): - (JSC::Scope::setIsGlobalCodeScope): - (JSC::Scope::isGlobalCodeScope): - Marker for a global code scope. + Unreviewed, rolling out r246946. - * parser/ParserModes.h: - (JSC::isModuleParseMode): - (JSC::isProgramParseMode): - (JSC::isProgramOrModuleParseMode): - Helper for detecting global code based on parse mode. 
+ Caused JSC test crashes on arm64 -2017-04-14 Nikita Vasilyev + Reverted changeset: - Web Inspector: WebSockets: messages with non-latin letters are displayed incorrectly - https://bugs.webkit.org/show_bug.cgi?id=170760 + "Add b3 macro lowering for CheckMul on arm64" + https://bugs.webkit.org/show_bug.cgi?id=199251 + https://trac.webkit.org/changeset/246946 - Reviewed by Joseph Pecoraro. +2019-06-28 Justin Michaud - Add payloadLength property, which is used to display size. When payloadLength is unavailable, - it is calculated from payloadData by Web Inspector frontend. + Add b3 macro lowering for CheckMul on arm64 + https://bugs.webkit.org/show_bug.cgi?id=199251 - This fixes Web Inspector: WebSockets: Transferred size is incorrect. + Reviewed by Robin Morisset. - * inspector/protocol/Network.json: + - Lower CheckMul for 32-bit arguments on arm64 into a mul and then an overflow check. + - Add a new opcode to air on arm64 for smull (multiplySignExtend32). + - Fuse sign extend 32 + mul into smull (taking two 32-bit arguments and producing 64 bits). + - 1.25x speedup on power of two microbenchmark, 1.15x speedup on normal constant microbenchmark, + and no change on the no-constant benchmark. + Also, skip some of the b3 tests that were failing before this patch so that the new tests can run + to completion. 
-2017-04-14 Saam Barati + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::multiplySignExtend32): + * assembler/testmasm.cpp: + (JSC::testMul32SignExtend): + (JSC::run): + * b3/B3LowerMacros.cpp: + * b3/B3LowerToAir.cpp: + * b3/air/AirOpcode.opcodes: + * b3/testb3.cpp: + (JSC::B3::testMulArgs32SignExtend): + (JSC::B3::testMulImm32SignExtend): + (JSC::B3::testMemoryFence): + (JSC::B3::testStoreFence): + (JSC::B3::testLoadFence): + (JSC::B3::testPinRegisters): + (JSC::B3::run): - ParseInt intrinsic in DFG backend doesn't properly flush its operands - https://bugs.webkit.org/show_bug.cgi?id=170865 +2019-06-28 Konstantin Tokarev - Reviewed by Mark Lam and Geoffrey Garen. + Remove traces of ENABLE_ICONDATABASE remaining after its removal in 219733 + https://bugs.webkit.org/show_bug.cgi?id=199317 - The DFG backend code needed to first call .gpr()/.jsValueRegs() - before calling flushRegisters(), or the input JSValueOperand would - not be flushed. + Reviewed by Michael Catanzaro. - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileParseInt): + While IconDatabase and all code using it was removed, + ENABLE_ICONDATABASE still exists as build option and C++ macro. -2017-04-14 Mark Lam + * Configurations/FeatureDefines.xcconfig: - Update architectures in xcconfig files. - https://bugs.webkit.org/show_bug.cgi?id=170867 - +2019-06-27 Mark Lam - Reviewed by Joseph Pecoraro. + FTL keepAlive()'s patchpoint should also declare that it reads HeapRange::top(). + https://bugs.webkit.org/show_bug.cgi?id=199291 + + Reviewed by Yusuke Suzuki and Filip Pizlo. + + The sole purpose of keepAlive() is to communicate to B3 that an LValue + needs to be kept alive past the last opportunity for a GC. The only way + we can get a GC is via a function call. Hence, what keepAlive() really + needs to communicate is that the LValue needs to be kept alive past the + last function call. Function calls read and write HeapRange::top(). + Currently, B3 does not shuffle writes. 
Hence, simply inserting the + keepAlive() after the calls that can GC is sufficient. + + But to be strictly correct, keepAlive() should also declare that it reads + HeapRange::top(). This will guarantee that the keepAlive patchpoint won't + ever be moved before the function call should B3 gain the ability to shuffle + writes in the future. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::keepAlive): + +2019-06-27 Beth Dakin + + Upstream use of MACCATALYST + https://bugs.webkit.org/show_bug.cgi?id=199245 + rdar://problem/51687723 + + Reviewed by Tim Horton. * Configurations/Base.xcconfig: * Configurations/FeatureDefines.xcconfig: * Configurations/JavaScriptCore.xcconfig: - * Configurations/ToolExecutable.xcconfig: + * Configurations/SDKVariant.xcconfig: -2017-04-14 Keith Miller +2019-06-27 Saam Barati - WebAssembly: B3IRGenerator should use phis for result types - https://bugs.webkit.org/show_bug.cgi?id=170863 + Make WEBGPU enabled only on Mojave and later. - Reviewed by Filip Pizlo. - - Currently, we use variables for the result types of control flow in - Wasm. We did this originally since we weren't sure that the phis we - generated would be optimal. Since then, we have verified that the edges - in wasm control flow ensure that each upsilon will dominate its phi - so we don't need to use variables. - - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::ControlData::ControlData): - (JSC::Wasm::B3IRGenerator::addTopLevel): - (JSC::Wasm::B3IRGenerator::addBlock): - (JSC::Wasm::B3IRGenerator::addLoop): - (JSC::Wasm::B3IRGenerator::unify): - -2017-04-14 Alex Christensen - - Fix Windows build after r215368. - https://bugs.webkit.org/show_bug.cgi?id=170641 - - * CMakeLists.txt: - Add new directory containing files needed in WebCore. - -2017-04-14 Caitlin Potter - - [JSC] use ExpressionErrorClassifier for AwaitExpression operand - https://bugs.webkit.org/show_bug.cgi?id=170844 - - Reviewed by Saam Barati. 
- - In parseAssignmentExpression(), several cover grammars are handled, and - use ExpressionErrorClassifier to record hints about which grammars to - try. - - In parseAwaitExpression(), the hints recorded during parsing of the - operand need to be discarded, because if they propagate to the outer - parseAssignmentExpression(), the hints will lead the parser down invalid - branches that should be skipped. - - This change adds an additional ExpressionErrorClassifier to - parseAwaitExpression(), in order to discard hints recorded trying to - parse the operand. - - * parser/Parser.cpp: - (JSC::Parser::parseAwaitExpression): - -2017-04-14 Saam Barati - - WebAssembly: There is a short window of time where a CodeBlock could be destroyed before all of its async compilation callbacks are called - https://bugs.webkit.org/show_bug.cgi?id=170641 - - Reviewed by Keith Miller. - - There is an unlikely race when a CodeBlock compilation fails, - the module compiles a new CodeBlock for that memory mode, all while - the CodeBlock is notifying its callbacks that it has finished. - There is a chance that the Module could deref its failed CodeBlock - at that point, destroying it, before the callbacks were able to - grab a Ref to the CodeBlock. This patch fixes the race by having the - callbacks ref the CodeBlock. - - This patch also has the Plan clear out all of its callbacks - once it gets completed. This adds an extra defense to anybody - that grabs refs to the Plan in the callback. - - * wasm/WasmCodeBlock.cpp: - (JSC::Wasm::CodeBlock::CodeBlock): - (JSC::Wasm::CodeBlock::compileAsync): - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::complete): - -2017-04-13 Filip Pizlo - - Air::RegLiveness should be constraint-based - https://bugs.webkit.org/show_bug.cgi?id=170817 - - Reviewed by Saam Barati. - - Previously, I changed the Air liveness analyses based on Air::Liveness<> to be - constraint-based and this was a significant speed-up. Now I'm adding the same - functionality to RegLiveness. 
- - This is a 1% speed-up on wasm B3 -O1 compile times. - - * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: - * b3/air/AirLivenessAdapter.h: - (JSC::B3::Air::LivenessAdapter::LivenessAdapter): - (JSC::B3::Air::LivenessAdapter::prepareToCompute): - (JSC::B3::Air::LivenessAdapter::actionsAt): - * b3/air/AirRegLiveness.cpp: - (JSC::B3::Air::RegLiveness::RegLiveness): - (JSC::B3::Air::RegLiveness::LocalCalcForUnifiedTmpLiveness::LocalCalcForUnifiedTmpLiveness): - (JSC::B3::Air::RegLiveness::LocalCalcForUnifiedTmpLiveness::execute): - (JSC::B3::Air::RegLiveness::LocalCalc::execute): Deleted. - * b3/air/AirRegLiveness.h: - (JSC::B3::Air::RegLiveness::Actions::Actions): - (JSC::B3::Air::RegLiveness::LocalCalcBase::LocalCalcBase): - (JSC::B3::Air::RegLiveness::LocalCalcBase::live): - (JSC::B3::Air::RegLiveness::LocalCalcBase::isLive): - (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc): - (JSC::B3::Air::RegLiveness::LocalCalc::execute): - (JSC::B3::Air::RegLiveness::LocalCalc::live): Deleted. - (JSC::B3::Air::RegLiveness::LocalCalc::isLive): Deleted. - -2017-04-13 JF Bastien - - WebAssembly: fix windows build - https://bugs.webkit.org/show_bug.cgi?id=170832 - - Reviewed by Mark Lam. - - My previous patch re-declared isIOS which AssemblerCommon.h - already provided, and which was already included by Options.cpp. - - * runtime/Options.cpp: - -2017-04-13 Saam Barati - - WebAssembly: We should be able to postMessage a JSWebAssemblyModule - https://bugs.webkit.org/show_bug.cgi?id=170573 - - Reviewed by Filip Pizlo. - - This patch adds a callback to JSRunLoopTimer to notify - clients that a timer has been set. This is used inside - WorkerRunLoop in WebCore so that its RunLoop can perform - an iteration when it sees that a timer got set. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * runtime/JSRunLoopTimer.cpp: - (JSC::JSRunLoopTimer::scheduleTimer): - (JSC::JSRunLoopTimer::addTimerSetNotification): - (JSC::JSRunLoopTimer::removeTimerSetNotification): - * runtime/JSRunLoopTimer.h: - * wasm/WasmCodeBlock.cpp: - (JSC::Wasm::CodeBlock::~CodeBlock): - * wasm/WasmCodeBlock.h: - * wasm/WasmModule.cpp: - (JSC::Wasm::Module::~Module): - (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace): - (JSC::Wasm::makeValidationCallback): - (JSC::Wasm::Module::validateSync): - (JSC::Wasm::Module::validateAsync): - (JSC::Wasm::Module::validateSyncImpl): Deleted. - (JSC::Wasm::Module::makeValidationCallback): Deleted. - * wasm/WasmModule.h: - (JSC::Wasm::Module::validateSync): Deleted. - (JSC::Wasm::Module::validateAsync): Deleted. - (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace): Deleted. - (JSC::Wasm::Module::nonNullCodeBlock): Deleted. - * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::create): - * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::create): Deleted. - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::source): - * wasm/js/JSWebAssemblyModule.h: - (JSC::JSWebAssemblyModule::source): Deleted. - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - * wasm/js/WebAssemblyModulePrototype.cpp: - -2017-04-13 Mark Lam - - Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister(). - https://bugs.webkit.org/show_bug.cgi?id=170661 - - - Reviewed by Filip Pizlo. - - Previously, we were using flush() to flush the outermost frame's scopeRegister. - This is incorrect because flush() expects the VirtualRegister value passed to - it to be that of the top most inlined frame. In the event that we reach a - terminal condition while inside an inlined frame, flush() will end up flushing - the wrong register. The fix is simply to use flushDirect() instead. 
- - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::flush): - -2017-04-13 Andy VanWagoner - - Change Intl prototypes to plain objects - https://bugs.webkit.org/show_bug.cgi?id=168178 - - Reviewed by JF Bastien. - - * builtins/StringPrototype.js: - (localeCompare): Create default Collator once instead of using prototype. - * runtime/IntlCollatorPrototype.cpp: - (JSC::IntlCollatorPrototype::IntlCollatorPrototype): - * runtime/IntlCollatorPrototype.h: - * runtime/IntlDateTimeFormatPrototype.cpp: - (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype): - * runtime/IntlDateTimeFormatPrototype.h: - * runtime/IntlNumberFormatPrototype.cpp: - (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype): - * runtime/IntlNumberFormatPrototype.h: - * runtime/IntlObject.cpp: - (JSC::IntlObject::finishCreation): Don't set constructor on each prototype. - -2017-04-13 Oliver Hunt - - allocationSize should use safe arithmetic by default - https://bugs.webkit.org/show_bug.cgi?id=170804 - - Reviewed by JF Bastien. 
- - Make all allocationSize() functions work in terms - of Checked - - * runtime/DirectArguments.h: - (JSC::DirectArguments::offsetOfSlot): - (JSC::DirectArguments::allocationSize): - * runtime/HashMapImpl.h: - (JSC::HashMapBuffer::allocationSize): - * runtime/JSArray.h: - (JSC::JSArray::allocationSize): - * runtime/JSArrayBufferView.h: - (JSC::JSArrayBufferView::allocationSize): - * runtime/JSAsyncFunction.h: - (JSC::JSAsyncFunction::allocationSize): - * runtime/JSFixedArray.h: - (JSC::JSFixedArray::allocationSize): - * runtime/JSFunction.h: - (JSC::JSFunction::allocationSize): - * runtime/JSGeneratorFunction.h: - (JSC::JSGeneratorFunction::allocationSize): - * runtime/JSModuleNamespaceObject.h: - * runtime/JSObject.h: - (JSC::JSFinalObject::allocationSize): - * runtime/JSWrapperObject.h: - (JSC::JSWrapperObject::allocationSize): - * runtime/ScopedArguments.h: - (JSC::ScopedArguments::allocationSize): - * runtime/VM.h: - (JSC::ScratchBuffer::allocationSize): - * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs): - (JSC::JSWebAssemblyCodeBlock::allocationSize): - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::allocationSize): - -2017-04-13 JF Bastien - - WebAssembly: manage memory better - https://bugs.webkit.org/show_bug.cgi?id=170628 - - Reviewed by Keith Miller, Michael Saboff. - - WebAssembly fast memories weren't managed very well. This patch - refactors it and puts us in a good position to further improve our - fast memory handling in the future. - - We now cache fast memories at a process granularity, but make sure - that they don't consume dirty pages. We add a cap to the total - number of allocated fast memories to avoid ASLR degradation. - - We teach the GC about memories as a kind of resource it should - care about because it didn't have visibility into the amount of - memory each represented. 
This allows benchmarks which allocate - memories back-to-back to reliably get fast memories 100% of the - time, even on a system under load, which wasn't the case - before. This reliability yields roughly 8% perf bump on x86-64 - WasmBench. - - The GC heuristic is as follows: each time we allocate a fast - memory we notify the GC, which then keeps track of the total - number of fast memories allocated since it last GC'd. We - separately keep track of the total number of fast memories which - have ever existed at any point in time (cached + allocated). This - is a monotonically-increasing high watermark. The GC will force a - full collection if, since it last ran, half or more of the high - watermark of fast memories was allocated. - - At the same time, if we fail obtaining a fast memory from the - cache we do a GC to try to find one. If that fails we'll allocate - a new one (this can also fail, then we go to slow memory). This - can also be improved, but it's a good start. - - This currently disables fast memories on iOS because getting fast - memories isn't a guaranteed thing. Rather, we get quite a few of - them and achieve significant speedups, but benchmarks which - allocate memories back-to-back end up falling behind because the - GC can conservatively hold onto memories, which then yields a perf - cliff. That cliff isn't reliable, WasmBench gets roughly 10 of 18 - fast memories when in theory it should get all of them fast (as - MacOS does). The patch significantly improves the state of iOS - though, and in a follow-up we could re-enable fast memories. - - Part of this good positioning is a facility to pre-allocate fast - memories very early at startup, before any fragmentation - occurs. This is currently disabled but worked extremely reliably - on iOS. Once we fix the above issues we'll want to re-visit and - turn on pre-allocation. - - We also avoid locking for fast memory identification when - performing signal handling. 
I'm very nervous about acquiring locks - in a signal handler because in general signals can happen when - we've messed up. This isn't the case with fast memories: we're - raising a signal on purpose and handling it. However this doesn't - mean we won't mess up elsewhere! This will get more complicated - once we add support for multiple threads sharing memories and - being able to grow their memories. One example: the code calls - CRASH(), which executes the following code in release: - - *(int *)(uintptr_t)0xbbadbeef = 0; - - This is a segfault, which our fast memory signal handler tries to - handle. It does so by first figuring out whether 0xbbadbeef is in - a fast memory region, reqiring a lock. If we CRASH() while holding - the lock then our thread self-deadlocks, giving us no crash report - and a bad user experience. - - Avoiding a lock therefore it's not about speed or reduced - contention. In fact, I'd use something else than a FIFO if these - were a concern. We're also doing syscalls, which dwarf any locking - cost. - - We now only allocate 4GiB + redzone of 64k * 128 for fast memories - instead of 8GiB. This patch reuses the logic from - B3::WasmBoundsCheck to perform bounds checks when accesses could - exceed the redzone. We'll therefore benefit from CSE goodness when - it reaches WasmBoundsCheck. See bug #163469. - - * b3/B3LowerToAir.cpp: fix a baaaaddd bug where unsigned->signed - conversion allowed out-of-bounds reads by -2GiB. I'll follow-up in - bug #170692 to prevent this type of bug once and for all. - (JSC::B3::Air::LowerToAir::lower): - * b3/B3Validate.cpp: update WasmBoundsCheck validation. - * b3/B3Value.cpp: - (JSC::B3::Value::effects): update WasmBoundsCheck effects. 
- * b3/B3WasmBoundsCheckValue.cpp: - (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue): - (JSC::B3::WasmBoundsCheckValue::redzoneLimit): - (JSC::B3::WasmBoundsCheckValue::dumpMeta): - * b3/B3WasmBoundsCheckValue.h: - (JSC::B3::WasmBoundsCheckValue::maximum): - * b3/air/AirCustom.cpp: - (JSC::B3::Air::WasmBoundsCheckCustom::isValidForm): - * b3/testb3.cpp: - (JSC::B3::testWasmBoundsCheck): - * heap/Heap.cpp: - (JSC::Heap::Heap): - (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): - (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold): - (JSC::Heap::updateAllocationLimits): - (JSC::Heap::didAllocateWebAssemblyFastMemories): - (JSC::Heap::shouldDoFullCollection): - (JSC::Heap::collectIfNecessaryOrDefer): - * heap/Heap.h: - * runtime/InitializeThreading.cpp: - (JSC::initializeThreading): - * runtime/Options.cpp: - * runtime/Options.h: - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::fixupPointerPlusOffset): - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): - (JSC::Wasm::B3IRGenerator::emitLoadOp): - (JSC::Wasm::B3IRGenerator::emitStoreOp): - (JSC::Wasm::createJSToWasmWrapper): - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::trapHandler): - * wasm/WasmMemory.cpp: Rewrite. 
- (JSC::Wasm::makeString): - (JSC::Wasm::Memory::initializePreallocations): - (JSC::Wasm::Memory::createImpl): - (JSC::Wasm::Memory::create): - (JSC::Wasm::Memory::~Memory): - (JSC::Wasm::Memory::fastMappedRedzoneBytes): - (JSC::Wasm::Memory::fastMappedBytes): - (JSC::Wasm::Memory::maxFastMemoryCount): - (JSC::Wasm::Memory::addressIsInActiveFastMemory): - (JSC::Wasm::Memory::grow): - * wasm/WasmMemory.h: - (Memory::maxFastMemoryCount): - (Memory::addressIsInActiveFastMemory): - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finishCreation): - (JSC::JSWebAssemblyInstance::visitChildren): - (JSC::JSWebAssemblyInstance::globalMemoryByteSize): - * wasm/js/JSWebAssemblyInstance.h: - * wasm/js/JSWebAssemblyMemory.cpp: - (JSC::JSWebAssemblyMemory::grow): - (JSC::JSWebAssemblyMemory::finishCreation): - (JSC::JSWebAssemblyMemory::visitChildren): - -2017-04-13 Yusuke Suzuki - - [JSC] Use proper ifdef guard for code using MachineContext - https://bugs.webkit.org/show_bug.cgi?id=170800 - - Reviewed by Carlos Alberto Lopez Perez. - - This patch drops MachineContext use if it is not available. - This situation can be considered like, building WebKit with musl. - In that case, we simply disable features that rely on MachineContext. - Examples are wasm fast memory, sampling profiler, and code profiling. - - * runtime/Options.cpp: - (JSC::overrideDefaults): - * tools/CodeProfiling.cpp: - (JSC::CodeProfiling::begin): - (JSC::CodeProfiling::end): - Previously, PLATFORM(GTK) is excluded. But it is not obvious why it is excluded. - This patch just includes such platforms. - - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::enableFastMemory): - -2017-04-12 Dan Bernstein - - [Mac] Future-proof .xcconfig files - https://bugs.webkit.org/show_bug.cgi?id=170802 - - Reviewed by Tim Horton. 
- - * Configurations/Base.xcconfig: - * Configurations/DebugRelease.xcconfig: - * Configurations/FeatureDefines.xcconfig: - * Configurations/Version.xcconfig: - -2017-04-12 Joseph Pecoraro - - test262: test262/test/built-ins/NativeErrors/EvalError/proto.js - https://bugs.webkit.org/show_bug.cgi?id=170668 - - Reviewed by Keith Miller. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - The [[Prototype]] of NativeError Constructor's should be the %Error%. - https://tc39.github.io/ecma262/#sec-properties-of-the-nativeerror-constructors - -2017-04-12 Joseph Pecoraro - - test262: test262/test/language/literals/regexp/u-dec-esc.js - https://bugs.webkit.org/show_bug.cgi?id=170687 - - Reviewed by Michael Saboff. - - * yarr/YarrParser.h: - (JSC::Yarr::Parser::parseEscape): - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPattern::errorMessage): - (JSC::Yarr::YarrPattern::compile): - * yarr/YarrPattern.h: - In unicoe patterns, invalid backreferences are an error. - -2017-04-12 Filip Pizlo - - Move common stack allocation utilities out of AirAllocateStackByGraphColoring.cpp - https://bugs.webkit.org/show_bug.cgi?id=170799 - - Reviewed by Michael Saboff and Keith Miller. - - When I added stack allocation to allocateRegistersByLinearScan, I reused a handful of - utility functions from AirAllocateStackByGraphColoring.cpp. I accomplished this by - putting their declarations in AirAllocateStackByGraphColoring.h. - - That was pretty weird. - - This patch moves a family of stack allocation helper functions out of - AirAllocateStackByGraphColoring.cpp and into the new AirStackAllocation.h|cpp. The - linear scan stack allocator no longer has to include the other stack allocator's - header, which addresses my OCD. - - I moved the functions transitively reachable from the two functions that the linear - scan allocator needed. This forced me to give them better names (i.e. no "fooBarImpl") - and short descriptive comments. 
I think that such comments are useful in code that is - doing a convoluted version of some theoretical concept. - - No behavior change. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: - * b3/air/AirAllocateStackByGraphColoring.cpp: - (JSC::B3::Air::allocateStackByGraphColoring): - (JSC::B3::Air::allocateEscapedStackSlots): Deleted. - (JSC::B3::Air::updateFrameSizeBasedOnStackSlots): Deleted. - * b3/air/AirAllocateStackByGraphColoring.h: - * b3/air/AirStackAllocation.cpp: Added. - (JSC::B3::Air::attemptAssignment): - (JSC::B3::Air::assign): - (JSC::B3::Air::allocateAndGetEscapedStackSlotsWithoutChangingFrameSize): - (JSC::B3::Air::allocateEscapedStackSlots): - (JSC::B3::Air::updateFrameSizeBasedOnStackSlots): - * b3/air/AirStackAllocation.h: Added. - -2017-04-12 Filip Pizlo - - B3 -O1 should not allocateStackByGraphColoring - https://bugs.webkit.org/show_bug.cgi?id=170742 - - Reviewed by Keith Miller. - - One of B3 -O1's longest running phases is allocateStackByGraphColoring. One approach to - this would be to make that phase cheaper. But it's weird that this phase reruns - liveness after register allocation already ran liveness. If only it could reuse the - liveness computed by register allocation then it would run a lot faster. At -O2, we do - not want this, since we run phases between register allocation and stack allocation, - and those phases are free to change the liveness of spill slots (in fact, - fixObviousSpills will both shorten and lengthen live ranges because of load and store - elimination, respectively). But at -O1, we don't really need to run any phases between - register and stack allocation. - - This changes Air's backend in the following ways: - - - Linear scan does stack allocation. This means that we don't need to run - allocateStackByGraphColoring at all. 
In reality, we reuse some of its innards, but - we don't run the expensive part of it (liveness->interference->coalescing->coloring). - This is a speed-up because we only run liveness once and reuse it for both register - and stack allocation. - - - Phases that previously ran between register and stack allocation are taken care of, - each in its own special way: - - -> handleCalleSaves: this is now a utility function called by both - allocateStackByGraphColoring and allocateRegistersAndStackByLinearScan. - - -> fixObviousSpills: we didn't run this at -O1, so nothing needs to be done. - - -> lowerAfterRegAlloc: this needed to be able to run before stack allocation because - it could change register usage (vis a vis callee saves) and it could introduce - spill slots. I changed this phase to have a secondary mode for when it runs after - stack allocation. - - - The part of allocateStackByGraphColoring that lowered stack addresses and took care - of the call arg area is now a separate phase called lowerStackArgs. We run this phase - regardless of optimization level. It's a cheap and general lowering. - - This also removes spillEverything, because we never use that phase, we never test it, - and it got in the way in this refactoring. - - This is a 21% speed-up on wasm -O1 compile times. This does not significantly change - -O1 throughput. We had already disabled allocateStack's most important optimization - (spill coalescing). This probably regresses average stack frame size, but I didn't - measure by how much. Stack frame size is really not that important. The algorithm in - allocateStackByGraphColoring is about much more than optimal frame size; it also - tries to avoid having to zero-extend 32-bit spills, it kills dead code, and of course - it coalesces. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3Procedure.cpp: - (JSC::B3::Procedure::calleeSaveRegisterAtOffsetList): - (JSC::B3::Procedure::calleeSaveRegisters): Deleted. 
- * b3/B3Procedure.h: - * b3/B3StackmapGenerationParams.cpp: - (JSC::B3::StackmapGenerationParams::unavailableRegisters): - * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Copied from Source/JavaScriptCore/b3/air/AirAllocateRegistersByLinearScan.cpp. - (JSC::B3::Air::allocateRegistersAndStackByLinearScan): - (JSC::B3::Air::allocateRegistersByLinearScan): Deleted. - * b3/air/AirAllocateRegistersAndStackByLinearScan.h: Copied from Source/JavaScriptCore/b3/air/AirAllocateRegistersByLinearScan.h. - * b3/air/AirAllocateRegistersByLinearScan.cpp: Removed. - * b3/air/AirAllocateRegistersByLinearScan.h: Removed. - * b3/air/AirAllocateStackByGraphColoring.cpp: - (JSC::B3::Air::allocateEscapedStackSlots): - (JSC::B3::Air::updateFrameSizeBasedOnStackSlots): - (JSC::B3::Air::allocateStackByGraphColoring): - * b3/air/AirAllocateStackByGraphColoring.h: - * b3/air/AirArg.cpp: - (JSC::B3::Air::Arg::stackAddr): - * b3/air/AirArg.h: - (JSC::B3::Air::Arg::stackAddr): Deleted. - * b3/air/AirCode.cpp: - (JSC::B3::Air::Code::addStackSlot): - (JSC::B3::Air::Code::setCalleeSaveRegisterAtOffsetList): - (JSC::B3::Air::Code::calleeSaveRegisterAtOffsetList): - (JSC::B3::Air::Code::dump): - * b3/air/AirCode.h: - (JSC::B3::Air::Code::setStackIsAllocated): - (JSC::B3::Air::Code::stackIsAllocated): - (JSC::B3::Air::Code::calleeSaveRegisters): - * b3/air/AirGenerate.cpp: - (JSC::B3::Air::prepareForGeneration): - (JSC::B3::Air::generate): - * b3/air/AirHandleCalleeSaves.cpp: - (JSC::B3::Air::handleCalleeSaves): - * b3/air/AirHandleCalleeSaves.h: - * b3/air/AirLowerAfterRegAlloc.cpp: - (JSC::B3::Air::lowerAfterRegAlloc): - * b3/air/AirLowerStackArgs.cpp: Added. - (JSC::B3::Air::lowerStackArgs): - * b3/air/AirLowerStackArgs.h: Added. 
- * b3/testb3.cpp: - (JSC::B3::testPinRegisters): - * ftl/FTLCompile.cpp: - (JSC::FTL::compile): - * jit/RegisterAtOffsetList.h: - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - -2017-04-12 Michael Saboff - - Implement Object.isFrozen() and Object.isSealed() per ECMA spec - https://bugs.webkit.org/show_bug.cgi?id=170753 - - Reviewed by Mark Lam. - - * runtime/ObjectConstructor.cpp: - (JSC::testIntegrityLevel): Added local helper as described in the ECMA standard. - - (JSC::objectConstructorSeal): - (JSC::objectConstructorFreeze): - Eliminated incomplete special handling of JSFinalObjects. - - (JSC::objectConstructorIsSealed): - (JSC::objectConstructorIsFrozen): - Refactored to use the new testIntegrityLevel() helper. - -2017-04-12 Yusuke Suzuki - - Use HAVE(MACHINE_CONTEXT) instead of USE(MACHINE_CONTEXT) - https://bugs.webkit.org/show_bug.cgi?id=170770 - - Rubber stamped by Mark Lam. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::MachineThread::Registers::framePointer): - (JSC::MachineThreads::MachineThread::Registers::instructionPointer): - (JSC::MachineThreads::MachineThread::Registers::llintPC): - * runtime/MachineContext.h: - (JSC::MachineContext::stackPointer): - (JSC::MachineContext::framePointer): - (JSC::MachineContext::instructionPointer): - (JSC::MachineContext::argumentPointer<1>): - (JSC::MachineContext::llintInstructionPointer): - -2017-04-12 Yusuke Suzuki - - [JSC] Clean up heap/MachineStackMarker by introducing USE(MACHINE_CONTEXT) - https://bugs.webkit.org/show_bug.cgi?id=170770 - - Reviewed by Mark Lam. - - We use USE(MACHINE_CONTEXT) to clean up runtime/MachineContext.h. And - we clean up heap/MachineStackMarker.cpp by using MachineContext functions. 
- - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::MachineThread::Registers::stackPointer): - (JSC::MachineThreads::MachineThread::Registers::framePointer): - (JSC::MachineThreads::MachineThread::Registers::instructionPointer): - (JSC::MachineThreads::MachineThread::Registers::llintPC): - * heap/MachineStackMarker.h: - * runtime/MachineContext.h: - (JSC::MachineContext::stackPointer): - (JSC::MachineContext::framePointer): - (JSC::MachineContext::instructionPointer): - (JSC::MachineContext::argumentPointer<1>): - (JSC::MachineContext::llintInstructionPointer): - -2017-04-12 Yusuke Suzuki - - [WTF] Introduce Thread class and use RefPtr and align Windows Threading implementation semantics to Pthread one - https://bugs.webkit.org/show_bug.cgi?id=170502 - - Reviewed by Mark Lam. - - * API/tests/CompareAndSwapTest.cpp: - (testCompareAndSwap): - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/air/testair.cpp: - * b3/testb3.cpp: - (JSC::B3::run): - * bytecode/SuperSampler.cpp: - (JSC::initializeSuperSampler): - * dfg/DFGWorklist.cpp: - * disassembler/Disassembler.cpp: - * heap/Heap.cpp: - (JSC::Heap::lastChanceToFinalize): - (JSC::Heap::notifyIsSafeToCollect): - * heap/Heap.h: - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::~MachineThreads): - (JSC::MachineThreads::addCurrentThread): - (JSC::MachineThreads::removeThread): - (JSC::MachineThreads::removeThreadIfFound): - (JSC::MachineThreads::MachineThread::MachineThread): - (JSC::MachineThreads::MachineThread::getRegisters): - (JSC::MachineThreads::MachineThread::Registers::stackPointer): - (JSC::MachineThreads::MachineThread::Registers::framePointer): - (JSC::MachineThreads::MachineThread::Registers::instructionPointer): - (JSC::MachineThreads::MachineThread::Registers::llintPC): - (JSC::MachineThreads::MachineThread::captureStack): - (JSC::MachineThreads::tryCopyOtherThreadStack): - (JSC::MachineThreads::tryCopyOtherThreadStacks): - (pthreadSignalHandlerSuspendResume): Deleted. 
- (JSC::threadData): Deleted. - (JSC::MachineThreads::Thread::Thread): Deleted. - (JSC::MachineThreads::Thread::createForCurrentThread): Deleted. - (JSC::MachineThreads::Thread::operator==): Deleted. - (JSC::MachineThreads::machineThreadForCurrentThread): Deleted. - (JSC::MachineThreads::ThreadData::ThreadData): Deleted. - (JSC::MachineThreads::ThreadData::~ThreadData): Deleted. - (JSC::MachineThreads::ThreadData::suspend): Deleted. - (JSC::MachineThreads::ThreadData::resume): Deleted. - (JSC::MachineThreads::ThreadData::getRegisters): Deleted. - (JSC::MachineThreads::ThreadData::Registers::stackPointer): Deleted. - (JSC::MachineThreads::ThreadData::Registers::framePointer): Deleted. - (JSC::MachineThreads::ThreadData::Registers::instructionPointer): Deleted. - (JSC::MachineThreads::ThreadData::Registers::llintPC): Deleted. - (JSC::MachineThreads::ThreadData::freeRegisters): Deleted. - (JSC::MachineThreads::ThreadData::captureStack): Deleted. - * heap/MachineStackMarker.h: - (JSC::MachineThreads::MachineThread::suspend): - (JSC::MachineThreads::MachineThread::resume): - (JSC::MachineThreads::MachineThread::threadID): - (JSC::MachineThreads::MachineThread::stackBase): - (JSC::MachineThreads::MachineThread::stackEnd): - (JSC::MachineThreads::threadsListHead): - (JSC::MachineThreads::Thread::operator!=): Deleted. - (JSC::MachineThreads::Thread::suspend): Deleted. - (JSC::MachineThreads::Thread::resume): Deleted. - (JSC::MachineThreads::Thread::getRegisters): Deleted. - (JSC::MachineThreads::Thread::freeRegisters): Deleted. - (JSC::MachineThreads::Thread::captureStack): Deleted. - (JSC::MachineThreads::Thread::platformThread): Deleted. - (JSC::MachineThreads::Thread::stackBase): Deleted. - (JSC::MachineThreads::Thread::stackEnd): Deleted. 
- * jit/ICStats.cpp: - (JSC::ICStats::ICStats): - (JSC::ICStats::~ICStats): - * jit/ICStats.h: - * jsc.cpp: - (functionDollarAgentStart): - (startTimeoutThreadIfNeeded): - * runtime/JSLock.cpp: - (JSC::JSLock::lock): - * runtime/JSLock.h: - (JSC::JSLock::ownerThread): - (JSC::JSLock::currentThreadIsHoldingLock): - * runtime/SamplingProfiler.cpp: - (JSC::FrameWalker::isValidFramePointer): - (JSC::SamplingProfiler::SamplingProfiler): - (JSC::SamplingProfiler::createThreadIfNecessary): - (JSC::SamplingProfiler::takeSample): - * runtime/SamplingProfiler.h: - * runtime/VM.h: - (JSC::VM::ownerThread): - * runtime/VMTraps.cpp: - (JSC::findActiveVMAndStackBounds): - (JSC::VMTraps::SignalSender::send): - (JSC::VMTraps::fireTrap): - -2017-04-11 Dean Jackson - - Disable outdated WritableStream API - https://bugs.webkit.org/show_bug.cgi?id=170749 - - - Reviewed by Tim Horton. - - The API we implement is no longer accurate. Disable it until we - are compatible with the new specification + Rubber-stamped by Myles C. Maxfield. * Configurations/FeatureDefines.xcconfig: -2017-04-11 Yusuke Suzuki +2019-06-27 Don Olmstead - Unreviewed, build fix for CF ports after r215241 - https://bugs.webkit.org/show_bug.cgi?id=170725 + [FTW] Build JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=199254 - * heap/GCActivityCallback.cpp: - (JSC::GCActivityCallback::nextFireTime): + Reviewed by Brent Fulgham. -2017-04-11 Yusuke Suzuki + * PlatformFTW.cmake: Added. - [WebCore][JSC] ResourceUsageData.{timeOfNextEdenCollection,timeOfNextFullCollection} should be MonotonicTime - https://bugs.webkit.org/show_bug.cgi?id=170725 +2019-06-27 Konstantin Tokarev - Reviewed by Sam Weinig. - - This patch makes GCActivityCallback return MonotonicTime instead of raw double value. 
- - * heap/GCActivityCallback.cpp: - (JSC::GCActivityCallback::nextFireTime): - * heap/GCActivityCallback.h: - -2017-04-11 Guillaume Emont - - [jsc] Add missing MacroAssemblerMIPS::or32() implementation - https://bugs.webkit.org/show_bug.cgi?id=169714 + Use JSC_GLIB_API_ENABLED instead of USE(GLIB) as a compile-time check for GLib JSC API + https://bugs.webkit.org/show_bug.cgi?id=199270 Reviewed by Michael Catanzaro. - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::or32): - Added or32(TrustedImm32, Address). - -2017-04-11 Joseph Pecoraro - - test262: test262/test/annexB/language/comments/multi-line-html-close.js - https://bugs.webkit.org/show_bug.cgi?id=170648 - - Reviewed by Keith Miller. - - * parser/Lexer.cpp: - (JSC::Lexer::lex): - A multi-line comment that contains a line terminator is itself treated - like a line terminator. An HTML Close Comment that comes after it can - therefore treat it like it is at the start of a line, because it was - immediately preceeded by the equivalent of a line terminator. - -2017-04-11 Joseph Pecoraro - - test262: test262/test/built-ins/Array/S15.4.3_A2.2.js - https://bugs.webkit.org/show_bug.cgi?id=170652 - - Reviewed by Michael Saboff. 
- - * runtime/ArrayConstructor.cpp: - (JSC::ArrayConstructor::finishCreation): - * runtime/BooleanConstructor.cpp: - (JSC::BooleanConstructor::finishCreation): - * runtime/DateConstructor.cpp: - (JSC::DateConstructor::finishCreation): - * runtime/FunctionConstructor.cpp: - (JSC::FunctionConstructor::finishCreation): - * runtime/JSArrayBufferConstructor.cpp: - (JSC::JSArrayBufferConstructor::finishCreation): - * runtime/NumberConstructor.cpp: - (JSC::NumberConstructor::finishCreation): - * runtime/ObjectConstructor.cpp: - (JSC::ObjectConstructor::finishCreation): - * runtime/RegExpConstructor.cpp: - (JSC::RegExpConstructor::finishCreation): - * runtime/StringConstructor.cpp: - (JSC::StringConstructor::finishCreation): - * runtime/SymbolConstructor.cpp: - (JSC::SymbolConstructor::finishCreation): - Ensure the "length" property on these native constructors is configurable (deletable). - -2017-04-11 Yusuke Suzuki - - Unreviewed, build fix for Windows after r215228 part 2 - https://bugs.webkit.org/show_bug.cgi?id=170723 - - Since GCActivityCallback class is annotated exported, we do not need to annotate each member. - - * heap/GCActivityCallback.h: - -2017-04-11 Yusuke Suzuki - - [JSC][GTK] Use RunLoop::Timer in GTK port - https://bugs.webkit.org/show_bug.cgi?id=170723 - - Reviewed by Carlos Garcia Campos. - - This patch makes GTK port use RunLoop::Timer for JSRunLoopTimer. - Only Cocoa-based ports use platform-specific Timer because it - has additional feature that changes RunLoop to the WebThread one. - - And we enable Heap timers in all the ports including JSCOnly port. 
- - * heap/EdenGCActivityCallback.cpp: - (JSC::EdenGCActivityCallback::lastGCLength): - * heap/EdenGCActivityCallback.h: - * heap/FullGCActivityCallback.cpp: - (JSC::FullGCActivityCallback::lastGCLength): - * heap/FullGCActivityCallback.h: - * heap/GCActivityCallback.cpp: - (JSC::GCActivityCallback::GCActivityCallback): - (JSC::GCActivityCallback::doWork): - (JSC::GCActivityCallback::scheduleTimer): - (JSC::GCActivityCallback::cancelTimer): - (JSC::GCActivityCallback::nextFireTime): - (JSC::GCActivityCallback::didAllocate): - * heap/GCActivityCallback.h: - * heap/IncrementalSweeper.cpp: - (JSC::IncrementalSweeper::doWork): - (JSC::IncrementalSweeper::doSweep): - * heap/IncrementalSweeper.h: - * heap/StopIfNecessaryTimer.cpp: - (JSC::StopIfNecessaryTimer::scheduleSoon): - * runtime/JSRunLoopTimer.cpp: - (JSC::JSRunLoopTimer::setRunLoop): - (JSC::JSRunLoopTimer::scheduleTimer): - (JSC::JSRunLoopTimer::cancelTimer): - (JSC::JSRunLoopTimer::JSRunLoopTimer): - (JSC::JSRunLoopTimer::~JSRunLoopTimer): - (JSC::JSRunLoopTimer::timerDidFireCallback): - * runtime/JSRunLoopTimer.h: - * runtime/PromiseDeferredTimer.cpp: - (JSC::PromiseDeferredTimer::scheduleWorkSoon): - -2017-04-11 Guillaume Emont - - [jsc][mips] Add missing MacroAssembler functions after r214187 - https://bugs.webkit.org/show_bug.cgi?id=170089 - - Reviewed by Yusuke Suzuki. - - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::loadFloat): Added. - (JSC::MacroAssemblerMIPS::storeFloat): Added. - -2017-04-11 Yusuke Suzuki - - [JSC] Enable JSRunLoopTimer for JSCOnly and Windows - https://bugs.webkit.org/show_bug.cgi?id=170655 - - Reviewed by Carlos Garcia Campos. 
- - * runtime/JSRunLoopTimer.cpp: - (JSC::JSRunLoopTimer::JSRunLoopTimer): - (JSC::JSRunLoopTimer::scheduleTimer): - (JSC::JSRunLoopTimer::cancelTimer): - * runtime/JSRunLoopTimer.h: - -2017-04-10 Alex Christensen - - Revert r215217 - https://bugs.webkit.org/show_bug.cgi?id=170703 - - * Configurations/FeatureDefines.xcconfig: - -2017-04-10 Alex Christensen - - Continue enabling WebRTC - https://bugs.webkit.org/show_bug.cgi?id=170703 - - Reviewed by Youenn Fablet. - - * Configurations/FeatureDefines.xcconfig: - -2017-04-10 Mark Lam - - Move ProbeContext and ProbeFunction out of AbstractMacroAssembler. - https://bugs.webkit.org/show_bug.cgi?id=170681 - - Reviewed by Michael Saboff. - - This is a refactoring step towards enabling custom probe printers the way printInternal() works for dataLog. - - * assembler/AbstractMacroAssembler.h: - (JSC::AbstractMacroAssembler::ProbeContext::gpr): Deleted. - (JSC::AbstractMacroAssembler::ProbeContext::fpr): Deleted. - (JSC::AbstractMacroAssembler::ProbeContext::gprName): Deleted. - (JSC::AbstractMacroAssembler::ProbeContext::fprName): Deleted. - * assembler/MacroAssembler.cpp: - (JSC::stdFunctionCallback): - (JSC::MacroAssembler::probe): - * assembler/MacroAssembler.h: - (JSC::ProbeContext::gpr): - (JSC::ProbeContext::fpr): - (JSC::ProbeContext::gprName): - (JSC::ProbeContext::fprName): - * assembler/MacroAssemblerARM.cpp: - (JSC::MacroAssemblerARM::probe): - * assembler/MacroAssemblerARM64.cpp: - (JSC::arm64ProbeTrampoline): - (JSC::MacroAssemblerARM64::probe): - * assembler/MacroAssemblerARMv7.cpp: - (JSC::MacroAssemblerARMv7::probe): - * assembler/MacroAssemblerPrinter.cpp: - * assembler/MacroAssemblerPrinter.h: - * assembler/MacroAssemblerX86Common.cpp: - (JSC::MacroAssemblerX86Common::probe): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::abstractStructure): - (JSC::FTL::DFG::LowerDFGToB3::probe): Deleted. - - Deleted because this became a useless place-holder after the transition to B3. 
- -2017-04-10 Keith Miller - - WebAssembly: Fix B3IRGenerator for BrTable - https://bugs.webkit.org/show_bug.cgi?id=170685 - - Reviewed by JF Bastien. - - For some reason this didn't get included in r215141. - - This fixes an issue with BrTable and loops where we would use the loop's return type - as the branch target type. - - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch): - (JSC::Wasm::B3IRGenerator::unifyValuesWithBlock): - -2017-04-08 Oliver Hunt - - Remove use of strcpy from JSC - https://bugs.webkit.org/show_bug.cgi?id=170646 - - Reviewed by Mark Lam. - - Replace the use of strcpy with memcpy as strcpy keeps - on tripping various analyser warnings even though its - trivially safe in this case. - - Essentially code hygiene, no change in behaviour, no - perf impact. - - * dfg/DFGDisassembler.cpp: - (JSC::DFG::Disassembler::dumpDisassembly): - -2017-04-09 Joseph Pecoraro - - test262: test262/test/annexB/language/expressions/object/__proto__-fn-name.js - https://bugs.webkit.org/show_bug.cgi?id=170650 - - Reviewed by Saam Barati. - - * parser/Parser.cpp: - (JSC::Parser::parseClass): - (JSC::Parser::parseProperty): - There needs to be special handling of: - - PropertyDefinition : PropertyName ':' AssignmentExpression - - When the property name is __proto__. In this case the - SetFunctionName path does not happen, so the name "__proto__" - is not inferred on any anonymous function. See: - https://tc39.github.io/ecma262/#sec-__proto__-property-names-in-object-initializers - - * parser/Parser.h: - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::createProperty): - * parser/ASTBuilder.h: - (JSC::ASTBuilder::createProperty): - Add an extra parameter to see if inferring / setting names are allowed. - -2017-04-09 Joseph Pecoraro - - test262: test262/test/annexB/language/literals/regexp/identity-escape.js - https://bugs.webkit.org/show_bug.cgi?id=170651 - - Reviewed by Saam Barati. 
- - * yarr/YarrParser.h: - (JSC::Yarr::Parser::parseEscape): - For \8 and \9 match just the number "8" or "9" instead of both "\\" and the number. - See: https://tc39.github.io/ecma262/#sec-decimalescape - -2017-04-08 Youenn Fablet - - WebRTC tests gardening - https://bugs.webkit.org/show_bug.cgi?id=170508 - - Reviewed by Eric Carlson. - - * Configurations/FeatureDefines.xcconfig: - -2017-04-07 Keith Miller - - WebAssembly: Fix issue with BrTable targeting a Loop - https://bugs.webkit.org/show_bug.cgi?id=170638 - - Reviewed by Saam Barati. - - This fixes the same issue V8 had in: https://github.com/WebAssembly/spec/pull/456#event-1033547537 - - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::ControlData::branchTargetSignature): - -2017-04-07 Keith Miller - - Add a PriorityQueue class - https://bugs.webkit.org/show_bug.cgi?id=170579 - - Reviewed by Saam Barati. - - Update Wasm::Worklist to use WTF::PriorityQueue. - - * wasm/WasmWorklist.cpp: - (JSC::Wasm::Worklist::enqueue): - (JSC::Wasm::Worklist::completePlanSynchronously): - (JSC::Wasm::Worklist::stopAllPlansForVM): - (JSC::Wasm::Worklist::~Worklist): - (JSC::Wasm::Worklist::iterate): Deleted. - * wasm/WasmWorklist.h: - (JSC::Wasm::Worklist::isHigherPriority): - (JSC::Wasm::Worklist::Comparator::operator()): Deleted. - -2017-04-07 Yuichiro Kikura - - WebGPU: implement ComputeCommandEncoder and related components - https://bugs.webkit.org/show_bug.cgi?id=170444 - - Reviewed by Alex Christensen. - - I added some identifiers related with WebGPUComputeCommandEncoder based on the proposal. - https://webkit.org/wp-content/uploads/webgpu-api-proposal.html - - * runtime/CommonIdentifiers.h: - -2017-04-07 Saam Barati - - WebAssembly: Module::getOrCreateCodeBlock is wrong - https://bugs.webkit.org/show_bug.cgi?id=170612 - - Reviewed by Keith Miller. - - When we were getting a module's CodeBlock, we were checking if !runnable(), - and if !runnable(), we were re-creating the CodeBlock. 
This is wrong, since - !runnable() is true while the CodeBlock is compiling. Instead, we should check - if we've finished compiling, and if so, if that compilation failed. - - * wasm/WasmModule.cpp: - (JSC::Wasm::Module::getOrCreateCodeBlock): - -2017-04-07 Saam Barati - - WebAssembly: Make to a compilation API that allows for multi-VM concurrent compilations of Wasm Modules - https://bugs.webkit.org/show_bug.cgi?id=170488 - - Reviewed by JF Bastien. - - This patch adds a class called Wasm::Module. It contains the bits from - JSWebAssemblyModule that were not VM specific. JSWebAssemblyModule - now has a Ref. Similarly, there is now a Wasm::CodeBlock, - which owns the non-VM-specific bits that JSWebAssemblyCodeBlock used - to own. - - This patch also simplifies how we verify and compile code. Wasm::Module - now has an API for both sync/async validation and compilation. This - API abstracts away how Wasm::Plan works. - - This is hopefully the last patch needed before we can implement - window.postMessage for a JSWebAssemblyModule. I think all that's - needed now to implement postMessage is simply creating a new - JSWebAssemblyModule with the underlying Wasm::Module. - - This patch is neutral on WasmBench. - - Finally, this patch changes the promise deferred timer to - allow for new tasks to be added while we're executing - a task. Before, we'd deadlock if this happened. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * jsc.cpp: - (functionTestWasmModuleFunctions): - * runtime/PromiseDeferredTimer.cpp: - (JSC::PromiseDeferredTimer::doWork): - (JSC::PromiseDeferredTimer::scheduleWorkSoon): - * runtime/PromiseDeferredTimer.h: - * wasm/WasmB3IRGenerator.cpp: - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - (JSC::Wasm::wasmToWasm): - (JSC::Wasm::exitStubGenerator): Deleted. - * wasm/WasmBinding.h: - * wasm/WasmCodeBlock.cpp: Added. 
- (JSC::Wasm::CodeBlock::CodeBlock): - (JSC::Wasm::CodeBlock::waitUntilFinished): - (JSC::Wasm::CodeBlock::compileAsync): - (JSC::Wasm::CodeBlock::isSafeToRun): - * wasm/WasmCodeBlock.h: Added. - (JSC::Wasm::CodeBlock::create): - (JSC::Wasm::CodeBlock::compilationFinished): - (JSC::Wasm::CodeBlock::runnable): - (JSC::Wasm::CodeBlock::errorMessage): - (JSC::Wasm::CodeBlock::functionImportCount): - (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): - (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): - * wasm/WasmModule.cpp: Added. - (JSC::Wasm::Module::Module): - (JSC::Wasm::makeValidationResult): - (JSC::Wasm::Module::validateSyncImpl): - (JSC::Wasm::Module::getOrCreateCodeBlock): - (JSC::Wasm::Module::compileSync): - (JSC::Wasm::Module::makeValidationCallback): - (JSC::Wasm::Module::compileAsync): - * wasm/WasmModule.h: Added. - (JSC::Wasm::Module::create): - (JSC::Wasm::Module::validateSync): - (JSC::Wasm::Module::validateAsync): - (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace): - (JSC::Wasm::Module::moduleInformation): - (JSC::Wasm::Module::nonNullCodeBlock): - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::Plan): - (JSC::Wasm::Plan::addCompletionTask): - (JSC::Wasm::Plan::prepare): - (JSC::Wasm::Plan::compileFunctions): - (JSC::Wasm::Plan::complete): - (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast): - (JSC::Wasm::Plan::cancel): Deleted. - * wasm/WasmPlan.h: - (JSC::Wasm::Plan::dontFinalize): - (JSC::Wasm::Plan::takeWasmToWasmExitStubs): - (JSC::Wasm::Plan::mode): - (JSC::Wasm::Plan::takeWasmExitStubs): Deleted. - (JSC::Wasm::Plan::vm): Deleted. - * wasm/WasmWorklist.cpp: - (JSC::Wasm::Worklist::stopAllPlansForVM): - * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): - (JSC::JSWebAssemblyCodeBlock::isSafeToRun): - (JSC::JSWebAssemblyCodeBlock::initialize): Deleted. 
- * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::create): - (JSC::JSWebAssemblyCodeBlock::functionImportCount): - (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): - (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): - (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport): - (JSC::JSWebAssemblyCodeBlock::mode): Deleted. - (JSC::JSWebAssemblyCodeBlock::initialized): Deleted. - (JSC::JSWebAssemblyCodeBlock::plan): Deleted. - (JSC::JSWebAssemblyCodeBlock::runnable): Deleted. - (JSC::JSWebAssemblyCodeBlock::errorMessage): Deleted. - (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee): Deleted. - (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee): Deleted. - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finalizeCreation): - (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock): Deleted. - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::initialized): Deleted. - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::createStub): - (JSC::JSWebAssemblyModule::JSWebAssemblyModule): - (JSC::JSWebAssemblyModule::finishCreation): - * wasm/js/JSWebAssemblyModule.h: - (JSC::JSWebAssemblyModule::moduleInformation): - (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace): - (JSC::JSWebAssemblyModule::module): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::WebAssemblyFunction::create): - * wasm/js/WebAssemblyInstanceConstructor.cpp: - (JSC::constructJSWebAssemblyInstance): - * wasm/js/WebAssemblyModuleConstructor.cpp: - (JSC::WebAssemblyModuleConstructor::createModule): - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::reject): - (JSC::webAssemblyCompileFunc): - (JSC::resolve): - (JSC::instantiate): - (JSC::compileAndInstantiate): - (JSC::webAssemblyValidateFunc): - -2017-04-07 Carlos Garcia Campos - - [GTK] Update the priorities used in glib main loop sources - https://bugs.webkit.org/show_bug.cgi?id=170457 - - Reviewed by Žan Doberšek. 
- - * runtime/JSRunLoopTimer.cpp: - (JSC::JSRunLoopTimer::JSRunLoopTimer): - -2017-04-06 Filip Pizlo - - Rename allocateStack to allocateStackByGraphColoring. - - Rubber stamped by Saam Barati. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/air/AirAllocateStack.cpp: Removed. - * b3/air/AirAllocateStack.h: Removed. - * b3/air/AirAllocateStackByGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirAllocateStack.cpp. - (JSC::B3::Air::allocateStackByGraphColoring): - (JSC::B3::Air::allocateStack): Deleted. - * b3/air/AirAllocateStackByGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirAllocateStack.h. - * b3/air/AirGenerate.cpp: - (JSC::B3::Air::prepareForGeneration): - -2017-04-06 Michael Saboff - - Cannot Object.seal() or Object.freeze() global "this" - https://bugs.webkit.org/show_bug.cgi?id=170549 - - Reviewed by Mark Lam. - - Needed to implement JSProxy::isExtensible() which returns the results of calling - the same on wrapped object. - - Implemented step 11 of Runtime Semantics: EvalDeclarationInstantiation from the ECMAScript - spec to properly return a TypeError object when attempting to add properties to a - non-extensible global object. - - * interpreter/Interpreter.cpp: - (JSC::Interpreter::execute): - * runtime/JSProxy.cpp: - (JSC::JSProxy::isExtensible): - * runtime/JSProxy.h: - -2017-04-06 Filip Pizlo - - Linear scan should run liveness only once - https://bugs.webkit.org/show_bug.cgi?id=170569 - - Reviewed by Keith Miller. - - Air has a longstanding design bug that Tmps from different banks are indexed independently. This - means that all of our analyses over Tmps do separate GP and FP passes. This does have some - marginal benefits (the rest of the algorithm is specialized for Bank) but it's probably net bad. - However, I don't want to think about solving that general problem. - - Instead, this just makes linear scan use a UnifiedTmpLiveness that uses a single "linear" - indexing for GP and FP. 
This lets me avoid the much larger refactoring (which would involve - substantial changes in graph coloring) while getting the bulk of the benefit (liveness runs once, - instead of twice, for linear scan). - - This patch implements a lot of plumbing to make it possible for Liveness<> to view Tmps as having - a unified indexing scheme. Tmp calls this LinearlyIndexed (to match the naming convention of - AbsolutelyIndexed and Indexed), while AirLiveness calls this UnifiedTmpLiveness. With this - change, -O1 never does any liveness analysis that uses separate GP and FP passes. I think this - eliminates any urgency from the larger Tmp indexing bug. We can probably live with graph coloring - doing separate passes. - - This is a ~6% speed-up for wasm -O1 compile times. I think this means that linear scan is no - longer the longest pole in the tent. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3VariableLiveness.h: - (JSC::B3::VariableLivenessAdapter::prepareToCompute): - * b3/air/AirAllocateRegistersByLinearScan.cpp: - (JSC::B3::Air::allocateRegistersByLinearScan): - * b3/air/AirCode.h: - (JSC::B3::Air::Code::forEachTmp): - * b3/air/AirLiveness.h: - * b3/air/AirLivenessAdapter.h: - (JSC::B3::Air::LivenessAdapter::Actions::Actions): - (JSC::B3::Air::LivenessAdapter::LivenessAdapter): - (JSC::B3::Air::LivenessAdapter::adapter): - (JSC::B3::Air::LivenessAdapter::prepareToCompute): - (JSC::B3::Air::LivenessAdapter::actionsAt): - (JSC::B3::Air::LivenessAdapter::forEachUse): - (JSC::B3::Air::LivenessAdapter::forEachDef): - (JSC::B3::Air::TmpLivenessAdapter::numIndices): - (JSC::B3::Air::UnifiedTmpLivenessAdapter::UnifiedTmpLivenessAdapter): - (JSC::B3::Air::UnifiedTmpLivenessAdapter::numIndices): - (JSC::B3::Air::UnifiedTmpLivenessAdapter::acceptsBank): - (JSC::B3::Air::UnifiedTmpLivenessAdapter::acceptsRole): - (JSC::B3::Air::UnifiedTmpLivenessAdapter::valueToIndex): - (JSC::B3::Air::UnifiedTmpLivenessAdapter::indexToValue): - * b3/air/AirLivenessConstraints.h: 
Removed. - * b3/air/AirRegLiveness.h: - (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc): - * b3/air/AirTmp.cpp: - * b3/air/AirTmp.h: - * b3/air/AirTmpInlines.h: - (JSC::B3::Air::Tmp::LinearlyIndexed::LinearlyIndexed): - (JSC::B3::Air::Tmp::LinearlyIndexed::index): - (JSC::B3::Air::Tmp::linearlyIndexed): - (JSC::B3::Air::Tmp::indexEnd): - (JSC::B3::Air::Tmp::absoluteIndexEnd): - (JSC::B3::Air::Tmp::linearIndexEnd): - (JSC::B3::Air::Tmp::tmpForAbsoluteIndex): - (JSC::B3::Air::Tmp::tmpForLinearIndex): - * b3/air/AirTmpMap.h: Added. - (JSC::B3::Air::TmpMap::TmpMap): - (JSC::B3::Air::TmpMap::resize): - (JSC::B3::Air::TmpMap::clear): - (JSC::B3::Air::TmpMap::operator[]): - (JSC::B3::Air::TmpMap::append): - -2017-04-06 Ryan Haddad - - Unreviewed, rolling out r215046. - - This change broke internal builds. - - Reverted changeset: - - "WebRTC tests gardening" - https://bugs.webkit.org/show_bug.cgi?id=170508 - http://trac.webkit.org/changeset/215046 - -2017-04-06 Joseph Pecoraro - - Web Inspector: Show all headers in the Request Headers section of the Resource details sidebar - https://bugs.webkit.org/show_bug.cgi?id=16531 - - - Reviewed by Timothy Hatcher. - - * inspector/protocol/Network.json: - Optional refined list of request headers in Metrics. - -2017-04-06 Filip Pizlo - - B3 -O1 should generate better code than -O0 - https://bugs.webkit.org/show_bug.cgi?id=170563 - - Reviewed by Michael Saboff. - - Prior to this change, code generated by -O1 ran slower than code generated by -O0. This turned - out to be because of reduceStrength optimizations that increase live ranges and create register - pressure, which then creates problems for linear scan. - - It seemed obvious that canonicalizations that help isel, constant folding, and one-for-one - strength reductions should stay. It also seemed obvious that SSA and CFG simplification are fast - and harmless. So, I focused on removing: - - - CSE, which increases live ranges. 
This is a risky optimization when we know that we've chosen - to use a bad register allocator. - - - Sophisticated strength reductions that create more code, like the insane division optimization. - - - Anything that inserts basic blocks. - - CSE appeared to be the cause of half of the throughput regression of -O1 but none of the compile - time. This change also reduces the running time of reduceStrength by making it not a fixpoint at - optLevel<2. - - This makes wasm -O1 compile 17% faster. This makes wasm -O1 run 19% faster. This makes -O1 code - run 3% faster than -O0, and compile about 4% slower than -O0. We may yet end up choosing to use - -O0, but at least now -O1 isn't totally useless. - - * b3/B3ReduceStrength.cpp: - -2017-04-06 Jon Davis - - Updates feature status for recently shipped features - https://bugs.webkit.org/show_bug.cgi?id=170359 - - Reviewed by Brian Burg. - - Changed "Done" status to "Supported". - - * features.json: - -2017-04-06 Youenn Fablet - - WebRTC tests gardening - https://bugs.webkit.org/show_bug.cgi?id=170508 - - Reviewed by Eric Carlson. - - * Configurations/FeatureDefines.xcconfig: - -2017-04-06 Guillaume Emont - - [JSC][MIPS][DFG] Use x86 generic HasOwnProperty - https://bugs.webkit.org/show_bug.cgi?id=170222 - - Reviewed by Yusuke Suzuki. - - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - use the X86 special version for HasOwnProperty on MIPS too. - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - use the X86 special version for HasOwnProperty on MIPS too. - -2017-04-05 Saam Barati - - REGRESSION fix bad isWasm() test by ensuring proper Wasm callee bit pattern - https://bugs.webkit.org/show_bug.cgi?id=170494 - - - Reviewed by Yusuke Suzuki and Mark Lam. - - This patch fixes how we test a 64 bit JSValue pattern to see if it's - a Wasm callee. We now tag Wasm::Callee's with 0b011 in their lower 3 bits. 
- The new test is for a Wasm Callee is as follows: - isWasm(uint64_t x) - { - return x & 0xffff000000000007 == 3; - } - - This test works because the lower 3 bits of the non-number immediate values are as follows: - undefined: 0b010 - null: 0b010 - true: 0b111 - false: 0b110 - The test rejects all of these because none have just the value 3 in their lower 3 bits. - The test also rejects all numbers, because they have non-zero upper 16 bits. - The test also rejects normal cells because they won't have the number 3 as - their lower 3 bits. Note, this bit pattern also allows the normal JSValue isCell(), etc, - predicates to work on a Wasm::Callee because the various tests will fail if you - bit casted a boxed Wasm::Callee* to a JSValue. isCell() would fail since it sees - TagBitTypeOther. The other tests also trivially fail, since it won't be a number, - and it won't be equal to null, undefined, true, or false. The isBoolean() predicate - will fail because we won't have TagBitBool set. - - * interpreter/CallFrame.h: - (JSC::ExecState::guaranteedJSValueCallee): - (JSC::ExecState::calleeAsValue): Deleted. - * interpreter/CalleeBits.h: - (JSC::CalleeBits::boxWasm): - (JSC::CalleeBits::isWasm): - (JSC::CalleeBits::asWasmCallee): - * jit/JITOperations.cpp: - * runtime/JSCJSValue.h: - -2017-04-05 Keith Miller - - WebAssembly: Plans should be able to have more than one completion task. - https://bugs.webkit.org/show_bug.cgi?id=170516 - - Reviewed by Saam Barati. - - This patch also eliminates the need for blocked tasks on the - PromiseDeferredTimer and pendingPromise on Wasm::Plan. - - * runtime/PromiseDeferredTimer.cpp: - (JSC::PromiseDeferredTimer::doWork): - (JSC::PromiseDeferredTimer::cancelPendingPromise): - (JSC::PromiseDeferredTimer::scheduleBlockedTask): Deleted. 
- * runtime/PromiseDeferredTimer.h: - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::Plan): - (JSC::Wasm::Plan::addCompletionTask): - (JSC::Wasm::Plan::complete): - * wasm/WasmPlan.h: - (JSC::Wasm::Plan::setMode): - (JSC::Wasm::Plan::mode): - (JSC::Wasm::Plan::setModeAndPromise): Deleted. - (JSC::Wasm::Plan::pendingPromise): Deleted. - * wasm/WasmWorklist.cpp: - (JSC::Wasm::Worklist::enqueue): - * wasm/js/WebAssemblyInstanceConstructor.cpp: - (JSC::constructJSWebAssemblyInstance): - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::instantiate): - -2017-04-05 Guilherme Iscaro - - Do not use BLX for immediates (ARM-32) - - https://bugs.webkit.org/show_bug.cgi?id=170351 - - Reviewed by Mark Lam. - - Currently the offline asm generator for 32-bit ARM code translates the - 'call' meta-instruction (which may be found in LowLevelInterpreter.asm - and friends) to the ARM's BLX instrunction. The BLX instruction may be - used for labels (immediates) and registers and one side effect of BLX - is that it may switch the processor's instruction set. - A 'BLX register' instruction will change/remain the processor state to - ARM if the register_bit[0] is set to 0 or change/remain to Thumb if - register_bit[0] is set to 1. However, a 'BLX label' instruction will - always switch the processor state. It switches ARM to thumb and vice-versa. - This behaviour is unwanted, since the C++ code and the offlineasm generated code - are both compiled using the same instruction set, thus a instruction - set change will likely produce a crash. In order to fix the problem the - BL instruction can be used for labels. It will branch just like BLX, - but it won't change the instruction set. It's important to note that - Darwin is not affected by this problem, thus to minimize the impact of - this change the BL instruction will only be used on non-darwin targets. 
- - BLX reference: http://infocenter.arm.com/help/topic/com.arm.doc.dui0489i/CIHBJCDC.html?resultof=%22%62%6c%78%22%20 - - * offlineasm/arm.rb: - -2017-04-05 Keith Miller - - WebAssembly: We shouldn't need to pin size registers if we have a fast memory. - https://bugs.webkit.org/show_bug.cgi?id=170504 - - Reviewed by Mark Lam. - - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::createJSToWasmWrapper): - (JSC::Wasm::parseAndCompile): - * wasm/WasmMemoryInformation.h: - (JSC::Wasm::PinnedRegisterInfo::toSave): - -2017-04-05 Yusuke Suzuki - - [JSC] Suppress warnings in GCC - https://bugs.webkit.org/show_bug.cgi?id=170501 - - Reviewed by Keith Miller. - - Should use ASSERT_NOT_REACHED since return-type pragma is only - enabled under ASSERT_DISABLED environment. We shoud use - ASSERT_NOTREACHED to emit assertions in debug build. It effectively - catches bugs while keeping performance in release build. - - * b3/B3Opcode.cpp: - (JSC::B3::storeOpcode): - * b3/B3Width.h: - (JSC::B3::mask): - * runtime/Options.cpp: - (JSC::parse): - * wasm/WasmSections.h: - (JSC::Wasm::makeString): - * wasm/WasmSignature.cpp: - (JSC::Wasm::SignatureInformation::tryCleanup): - * wasm/generateWasmValidateInlinesHeader.py: - -2017-04-05 Carlos Garcia Campos - - Implement PromiseDeferredTimer for non CF based ports - https://bugs.webkit.org/show_bug.cgi?id=170391 - - Reviewed by Yusuke Suzuki. - - RunLoop handling is only implemented for CF causing several wasm tests to fail for other ports. - - * jsc.cpp: - (runJSC): Remove CF ifdefs. - * runtime/PromiseDeferredTimer.cpp: - (JSC::PromiseDeferredTimer::doWork): Add non CF implementation using WTF RunLoop. - (JSC::PromiseDeferredTimer::runRunLoop): Ditto. - * runtime/PromiseDeferredTimer.h: - -2017-04-05 Carlos Garcia Campos - - WebAssembly: several tests added in r214504 crash when building with GCC - https://bugs.webkit.org/show_bug.cgi?id=170390 - - Reviewed by Saam Barati. 
- - The pattern foo->bar([f = WTFMove(foo)]{}); crashes when building with GCC, I assume the move happens before the - foo is used to invoke the function. - - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::webAssemblyCompileFunc): Use p.vm() instead of plan->vm(), because plan is moved by the lambda. - (JSC::instantiate): Ditto. - (JSC::compileAndInstantiate): Ditto. - -2017-03-16 Yusuke Suzuki - - [JSC] Generate TemplateObjects at linking time - https://bugs.webkit.org/show_bug.cgi?id=169743 - - Reviewed by Keith Miller. - - Currently, the code calls getTemplateObject to get appropriate template objects at runtime. - But this template object is constant value and never changed. So instead of creating it - at runtime, we should create it at linking time and store it in the constant registers. - - * builtins/BuiltinNames.h: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finishCreation): - (JSC::CodeBlock::setConstantRegisters): - * bytecode/CodeBlock.h: - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::UnlinkedCodeBlock::shrinkToFit): - * bytecode/UnlinkedCodeBlock.h: - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): - (JSC::BytecodeGenerator::emitGetTemplateObject): - * bytecompiler/BytecodeGenerator.h: - * bytecompiler/NodesCodegen.cpp: - (JSC::TaggedTemplateNode::emitBytecode): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): - (JSC::getTemplateObject): Deleted. - * runtime/JSTemplateRegistryKey.cpp: - * runtime/JSTemplateRegistryKey.h: - (JSC::isTemplateRegistryKey): - -2017-04-04 Mark Lam - - On ARM64, DFG::SpeculativeJIT::compileArithMod() failed to ensure result is of DataFormatInt32. - https://bugs.webkit.org/show_bug.cgi?id=170473 - - - Reviewed by Saam Barati. - - In Unchecked mode, when DFG::SpeculativeJIT::compileArithMod() detects that the - divisor is 0, we want it to return 0. The result is expected to be of - DataFormatIn32. 
- - The ARM implementation just returns the value in the divisor register. However, - the divisor in this case can be of DataFormatJSInt32. On ARM64, returning the - divisor register yields the wrong result format because the same register also - holds the upper 32-bit of the JSValue encoding. The fix is to return an - immediate 0 instead. - - Also turned on the assertion in jitAssertIsInt32 for ARM64. This assertion being - disabled may have contributed to this bug going unnoticed all this time. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArithMod): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::jitAssertIsInt32): - -2017-04-04 Filip Pizlo - - Air::eliminateDeadCode should not repeatedly process the same live instructions - https://bugs.webkit.org/show_bug.cgi?id=170490 - - Reviewed by Keith Miller. - - This makes the eliminateDeadCode() fixpoint somewhat worklist-based: we track the set - of Insts that might be dead. Every time we detect that one is live, we remove it from - the set. This is a big (>2x) speed-up because lots of Insts are immediately found to - be live. - - This is a ~1% wasm -O1 compile time progression. - - * b3/air/AirEliminateDeadCode.cpp: - (JSC::B3::Air::eliminateDeadCode): - -2017-04-04 Filip Pizlo - - Air::eliminateDeadCode() should not use a HashSet - https://bugs.webkit.org/show_bug.cgi?id=170487 - - Reviewed by Saam Barati. - - Introduce TmpSet, which is like a HashSet. Use this to make eliminateDeadCode() - about 50% faster, resulting in a 1% wasm -O1 compile time progression. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/air/AirEliminateDeadCode.cpp: - (JSC::B3::Air::eliminateDeadCode): - * b3/air/AirTmpSet.h: Added. 
- (JSC::B3::Air::TmpSet::TmpSet): - (JSC::B3::Air::TmpSet::add): - (JSC::B3::Air::TmpSet::remove): - (JSC::B3::Air::TmpSet::contains): - (JSC::B3::Air::TmpSet::size): - (JSC::B3::Air::TmpSet::isEmpty): - (JSC::B3::Air::TmpSet::iterator::iterator): - (JSC::B3::Air::TmpSet::iterator::operator*): - (JSC::B3::Air::TmpSet::iterator::operator++): - (JSC::B3::Air::TmpSet::iterator::operator==): - (JSC::B3::Air::TmpSet::iterator::operator!=): - (JSC::B3::Air::TmpSet::begin): - (JSC::B3::Air::TmpSet::end): - -2017-04-04 Keith Miller - - WebAssembly: ModuleInformation should be a ref counted thing that can be shared across threads. - https://bugs.webkit.org/show_bug.cgi?id=170478 - - Reviewed by Saam Barati. - - ModuleInformation has been moved to its own file and is now - ThreadSafeRefCounted. All the Strings we used to keep in the - ModuleInformation have been switched to Vector this has the - advantage that it can be passed across threads. However, this does - mean that we need to decode the utf8 strings in each thread. This - is likely not a problem because: - - 1) most modules have few imports/exports/custom sections. - 2) most of the time they are ascii so the conversion is cheap. - 3) we only have to do it once per thread, and there shouldn't be too many. - - This patch also removes - moduleSignatureIndicesToUniquedSignatureIndices since that - information can already be recovered from the - SignatureInformation. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * jsc.cpp: - (functionTestWasmModuleFunctions): - * runtime/Identifier.h: - (JSC::Identifier::fromString): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - * wasm/WasmB3IRGenerator.h: - * wasm/WasmFormat.cpp: - (JSC::Wasm::makeString): - (JSC::Wasm::ModuleInformation::~ModuleInformation): Deleted. - * wasm/WasmFormat.h: - (JSC::Wasm::makeString): - (JSC::Wasm::ModuleInformation::functionIndexSpaceSize): Deleted. 
- (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace): Deleted. - (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace): Deleted. - (JSC::Wasm::ModuleInformation::importFunctionCount): Deleted. - (JSC::Wasm::ModuleInformation::internalFunctionCount): Deleted. - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::FunctionParser): - * wasm/WasmModuleInformation.cpp: Copied from Source/JavaScriptCore/wasm/WasmValidate.h. - (JSC::Wasm::ModuleInformation::~ModuleInformation): - * wasm/WasmModuleInformation.h: Added. - (JSC::Wasm::ModuleInformation::functionIndexSpaceSize): - (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace): - (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace): - (JSC::Wasm::ModuleInformation::importFunctionCount): - (JSC::Wasm::ModuleInformation::internalFunctionCount): - (JSC::Wasm::ModuleInformation::ModuleInformation): - * wasm/WasmModuleParser.cpp: - * wasm/WasmModuleParser.h: - (JSC::Wasm::ModuleParser::ModuleParser): - * wasm/WasmParser.h: - (JSC::Wasm::Parser::consumeUTF8String): - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::Plan): - (JSC::Wasm::Plan::parseAndValidateModule): - (JSC::Wasm::Plan::prepare): - (JSC::Wasm::Plan::compileFunctions): - (JSC::Wasm::Plan::complete): - (JSC::Wasm::Plan::cancel): - * wasm/WasmPlan.h: - (JSC::Wasm::Plan::internalFunctionCount): - (JSC::Wasm::Plan::takeModuleInformation): - * wasm/WasmSignature.cpp: - (JSC::Wasm::SignatureInformation::get): - * wasm/WasmSignature.h: - * wasm/WasmValidate.cpp: - (JSC::Wasm::validateFunction): - * wasm/WasmValidate.h: - * wasm/js/JSWebAssemblyHelpers.h: - (JSC::createSourceBufferFromValue): - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::createStub): - (JSC::JSWebAssemblyModule::JSWebAssemblyModule): - (JSC::JSWebAssemblyModule::finishCreation): - * wasm/js/JSWebAssemblyModule.h: - (JSC::JSWebAssemblyModule::moduleInformation): - (JSC::JSWebAssemblyModule::source): - * 
wasm/js/WebAssemblyInstanceConstructor.cpp: - (JSC::constructJSWebAssemblyInstance): - * wasm/js/WebAssemblyModuleConstructor.cpp: - (JSC::WebAssemblyModuleConstructor::createModule): - * wasm/js/WebAssemblyModulePrototype.cpp: - (JSC::webAssemblyModuleProtoCustomSections): - (JSC::webAssemblyModuleProtoImports): - (JSC::webAssemblyModuleProtoExports): - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - * wasm/js/WebAssemblyModuleRecord.h: - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::webAssemblyCompileFunc): - (JSC::instantiate): - (JSC::compileAndInstantiate): - -2017-04-04 Filip Pizlo - - B3::fixSSA() needs a tune-up - https://bugs.webkit.org/show_bug.cgi?id=170485 - - Reviewed by Saam Barati. - - After the various optimizations to liveness, register allocation, and other phases, the - fixSSA() phase now looks like one of the top offenders. This includes a bunch of - changes to make this phase run faster. This is a ~7% wasm -O1 compile time progression. - - Here's what I did: - - - We now use IndexSparseSet instead of IndexMap for tracking variable values. This - makes it cheaper to chew through small blocks while there is a non-trivial number of - total variables. - - - We now do a "local SSA conversion" pass before anything else. This eliminates - obvious Get's. If we were using temporary Variables, it would eliminate many of - those. That's useful for when we use demoteValues() and duplciateTails(). For wasm - -O1, we mainly care about the fact that it makes a bunch of Set's dead. - - - We now do a Set DCE pass after the local SSA but before SSA conversion. This ensures - that any block-local live intervals of Variables disappear and don't need further - consideration. - - - We now cache the reaching defs calculation. - - - We now perform the reaching defs calculation lazily. 
- - * b3/B3FixSSA.cpp: - (JSC::B3::demoteValues): - (JSC::B3::fixSSA): - * b3/B3SSACalculator.cpp: - (JSC::B3::SSACalculator::reachingDefAtTail): - * b3/B3VariableLiveness.cpp: - (JSC::B3::VariableLiveness::VariableLiveness): - * b3/air/AirLiveness.h: - (JSC::B3::Air::Liveness::Liveness): - * dfg/DFGLivenessAnalysisPhase.cpp: - (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase): Deleted. - (JSC::DFG::LivenessAnalysisPhase::run): Deleted. - (JSC::DFG::LivenessAnalysisPhase::processBlock): Deleted. - -2017-04-04 Joseph Pecoraro - - Remove stale LLVM Header Path includes from JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=170483 - - Reviewed by Mark Lam. - - * Configurations/Base.xcconfig: - -2017-04-04 Filip Pizlo - - B3::LowerToAir incorrectly selects BitXor(AtomicStrongCAS(...), $1) - https://bugs.webkit.org/show_bug.cgi?id=169867 - - Reviewed by Saam Barati. - - The BitXor(AtomicWeakCAS(...), $1) optimization makes a lot of sense because we an fold the - BitXor into the CAS condition read-out. But there is no version of this that is profitable or - correct for AtomicStrongCAS. The inversion case is handled by Equal(AtomicStrongCAS(...), ...) - becoming NotEqual(AtomicStrongCAS(...), ...), and we alraedy handle that separately. - - So, the fix here is to make the BitXor CAS pattern only recognize AtomicWeakCAS. - - * b3/B3LowerToAir.cpp: - (JSC::B3::Air::LowerToAir::lower): - * b3/testb3.cpp: - (JSC::B3::testAtomicStrongCAS): - -2017-04-04 Saam Barati - - WebAssembly: JSWebAssemblyCallee should not be a JSCell - https://bugs.webkit.org/show_bug.cgi?id=170135 - - Reviewed by Michael Saboff. - - This patch is perhaps the last big change to the design of fundamental - Wasm API to allow for PIC. It changes JSWebAssemblyCallee into a thing - called Wasm::Callee. It serves the same purpose as before, except - Wasm::Callee is not a JSCell. I had to refactor the various parts of the - runtime that will see CallFrame's with Wasm::Callee's in the callee slot. 
- Thankfully, the parts of the runtime that Wasm touches are limited. The - main refactoring is changing the exception handling code, such as taking - a stack trace, to be friendly to seeing a non JSCell callee. - - The callee() function on ExecState now returns a class I added in this - patch called CalleeBits. CalleeBits will tell you if the callee is a - JSCell or a Wasm::Callee. We tag Wasm::Callee's with a 1 in their lower - bit so we can easily tell what is and isn't a Wasm::Callee. - - The stub that calls out from Wasm to JS still puts a JSCell callee - into the call frame, even though the callee logically represents a - Wasm frame. The reason for this is that we use the call IC infrastructure - to make a call out to JS code, and the code that writes the IC expects - a JSCell as the callee. This is knowingly part of our design. When we - do structured cloning of Wasm Modules, we'll need to regenerate these - JS call stubs. - - * API/JSContextRef.cpp: - (BacktraceFunctor::operator()): - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * debugger/Debugger.cpp: - (JSC::Debugger::pauseIfNeeded): - (JSC::Debugger::currentDebuggerCallFrame): - * debugger/DebuggerCallFrame.cpp: - (JSC::DebuggerCallFrame::create): - (JSC::DebuggerCallFrame::DebuggerCallFrame): - (JSC::DebuggerCallFrame::currentPosition): - (JSC::DebuggerCallFrame::positionForCallFrame): - * debugger/DebuggerCallFrame.h: - * interpreter/CallFrame.cpp: - (JSC::CallFrame::vmEntryGlobalObject): - (JSC::CallFrame::wasmAwareLexicalGlobalObject): - (JSC::CallFrame::isAnyWasmCallee): - (JSC::CallFrame::callerSourceOrigin): - * interpreter/CallFrame.h: - (JSC::ExecState::calleeAsValue): - (JSC::ExecState::jsCallee): - (JSC::ExecState::callee): - (JSC::ExecState::unsafeCallee): - (JSC::ExecState::scope): - (JSC::ExecState::iterate): - * interpreter/CalleeBits.h: Added. 
- (JSC::CalleeBits::CalleeBits): - (JSC::CalleeBits::operator=): - (JSC::CalleeBits::boxWasm): - (JSC::CalleeBits::isWasm): - (JSC::CalleeBits::isCell): - (JSC::CalleeBits::asCell): - (JSC::CalleeBits::asWasmCallee): - (JSC::CalleeBits::rawPtr): - * interpreter/Interpreter.cpp: - (JSC::GetStackTraceFunctor::operator()): - (JSC::Interpreter::getStackTrace): - (JSC::notifyDebuggerOfUnwinding): - (JSC::UnwindFunctor::UnwindFunctor): - (JSC::UnwindFunctor::operator()): - (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): - (JSC::Interpreter::unwind): - (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown): - * interpreter/Interpreter.h: - * interpreter/Register.h: - (JSC::Register::pointer): - * interpreter/ShadowChicken.cpp: - (JSC::ShadowChicken::update): - * interpreter/ShadowChickenInlines.h: - (JSC::ShadowChicken::iterate): - * interpreter/StackVisitor.cpp: - (JSC::StackVisitor::StackVisitor): - (JSC::StackVisitor::readFrame): - (JSC::StackVisitor::readNonInlinedFrame): - (JSC::StackVisitor::readInlinedFrame): - (JSC::StackVisitor::Frame::calleeSaveRegisters): - (JSC::StackVisitor::Frame::functionName): - (JSC::StackVisitor::Frame::dump): - * interpreter/StackVisitor.h: - (JSC::StackVisitor::Frame::callee): - (JSC::StackVisitor::visit): - * jit/Repatch.cpp: - (JSC::linkFor): - (JSC::linkPolymorphicCall): - * jsc.cpp: - (callWasmFunction): - (functionTestWasmModuleFunctions): - * runtime/ArrayPrototype.cpp: - * runtime/Error.cpp: - (JSC::addErrorInfoAndGetBytecodeOffset): - * runtime/ErrorInstance.cpp: - (JSC::ErrorInstance::finishCreation): - * runtime/JSCell.cpp: - (JSC::JSCell::isAnyWasmCallee): Deleted. 
- * runtime/JSCell.h: - * runtime/JSCellInlines.h: - (JSC::ExecState::vm): - * runtime/JSFunction.cpp: - (JSC::RetrieveArgumentsFunctor::operator()): - (JSC::RetrieveCallerFunctionFunctor::operator()): - * runtime/JSGlobalObject.cpp: - * runtime/SamplingProfiler.cpp: - (JSC::FrameWalker::recordJSFrame): - (JSC::SamplingProfiler::processUnverifiedStackTraces): - * runtime/SamplingProfiler.h: - (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame): - * runtime/StackFrame.cpp: - (JSC::StackFrame::sourceURL): - (JSC::StackFrame::functionName): - * runtime/StackFrame.h: - (JSC::StackFrame::wasm): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::VM::throwException): - * runtime/VM.h: - * wasm/JSWebAssembly.h: - * wasm/WasmB3IRGenerator.cpp: - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToWasm): - * wasm/WasmCallee.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp. - (JSC::Wasm::Callee::Callee): - (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee): Deleted. - (JSC::JSWebAssemblyCallee::finishCreation): Deleted. - (JSC::JSWebAssemblyCallee::destroy): Deleted. - * wasm/WasmCallee.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.h. - (JSC::Wasm::Callee::create): - (JSC::JSWebAssemblyCallee::create): Deleted. - (JSC::JSWebAssemblyCallee::createStructure): Deleted. - (JSC::JSWebAssemblyCallee::entrypoint): Deleted. - (JSC::JSWebAssemblyCallee::calleeSaveRegisters): Deleted. - * wasm/WasmContext.h: - * wasm/WasmPlan.cpp: - * wasm/WasmPlan.h: - * wasm/WasmPlanInlines.h: - (JSC::Wasm::Plan::initializeCallees): - * wasm/WasmThunks.cpp: - (JSC::Wasm::throwExceptionFromWasmThunkGenerator): - * wasm/js/JSWebAssemblyCallee.cpp: Removed. - * wasm/js/JSWebAssemblyCallee.h: Removed. 
- * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): - (JSC::JSWebAssemblyCodeBlock::initialize): - (JSC::JSWebAssemblyCodeBlock::visitChildren): - * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::create): - (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): - (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): - (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport): - (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub): - (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee): - (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee): - (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs): - (JSC::JSWebAssemblyCodeBlock::allocationSize): - (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub): - (JSC::JSWebAssemblyCodeBlock::callees): Deleted. - (JSC::JSWebAssemblyCodeBlock::offsetOfCallees): Deleted. - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): - * wasm/js/JSWebAssemblyModule.cpp: - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - (JSC::WebAssemblyFunction::create): - (JSC::WebAssemblyFunction::WebAssemblyFunction): - (JSC::WebAssemblyFunction::visitChildren): - (JSC::WebAssemblyFunction::finishCreation): - * wasm/js/WebAssemblyFunction.h: - (JSC::WebAssemblyFunction::wasmEntrypoint): - (JSC::WebAssemblyFunction::jsEntrypoint): - (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint): - (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode): Deleted. - * wasm/js/WebAssemblyModuleConstructor.cpp: - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - (JSC::WebAssemblyModuleRecord::evaluate): - -2017-04-04 Keith Miller - - WasmBench asserts in debug jsc - https://bugs.webkit.org/show_bug.cgi?id=170462 - - Reviewed by Saam Barati. - - The assertion should have been an if. 
- - * wasm/WasmWorklist.cpp: - -2017-04-04 Filip Pizlo - - Air::lowerAfterRegAlloc should bail early if it finds no Shuffles or ColdCCalls - https://bugs.webkit.org/show_bug.cgi?id=170305 - - Reviewed by Saam Barati. - - This reduces and sometimes completely eliminates the need to run lowerAfterRegAlloc(). - - This lowers the Shuffle for the arguments of a CCall before register allocation unless - the CCall arguments require a real shuffle (like if the CCall arguments were argument - registers). This lowers a ColdCCall like a CCall for optLevel<2. - - Finally, lowerAfterRegAlloc() now checks if there are any Shuffles or CCalls before it - does anything else. For wasm at -O1, this means that the phase doesn't run at all. This - is a ~3% wasm -O1 compile time progression. - - To make this easy, I changed optLevel into a property of Procedure and Code rather than - an argument we thread through everything. I like how Procedure and Code are dumping - ground classes. This does not bother me. Note that I cloned optLevel into Procedure and - Code so that it's cheap to query inside Air phases. 
- - * b3/B3Compile.cpp: - (JSC::B3::compile): - * b3/B3Compile.h: - * b3/B3Generate.cpp: - (JSC::B3::prepareForGeneration): - (JSC::B3::generateToAir): - * b3/B3Generate.h: - * b3/B3Procedure.cpp: - (JSC::B3::Procedure::setOptLevel): - * b3/B3Procedure.h: - (JSC::B3::Procedure::optLevel): - * b3/air/AirCode.h: - (JSC::B3::Air::Code::isPinned): - (JSC::B3::Air::Code::setOptLevel): - (JSC::B3::Air::Code::optLevel): - * b3/air/AirEmitShuffle.cpp: - (JSC::B3::Air::ShufflePair::bank): - (JSC::B3::Air::ShufflePair::opcode): - (JSC::B3::Air::ShufflePair::inst): - (JSC::B3::Air::emitShuffle): - * b3/air/AirEmitShuffle.h: - (JSC::B3::Air::moveFor): - * b3/air/AirGenerate.cpp: - (JSC::B3::Air::prepareForGeneration): - * b3/air/AirGenerate.h: - * b3/air/AirLowerAfterRegAlloc.cpp: - (JSC::B3::Air::lowerAfterRegAlloc): - * b3/air/AirLowerMacros.cpp: - (JSC::B3::Air::lowerMacros): - * b3/testb3.cpp: - (JSC::B3::compileProc): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - -2017-04-04 Filip Pizlo - - Don't need to Air::reportUsedRegisters for wasm at -O1 - https://bugs.webkit.org/show_bug.cgi?id=170459 - - Reviewed by Saam Barati. - - I did some refactorings to Liveness<> to try to understand its performance. Based on - this I concluded that the bigger immediate issue is just removing unnecessary phases - from -O1. - - This removes Air::reportUsedRegisters() from -O1 if the user has indicated that he is - not interested in StackmapGenerationParams::usedRegisters(). The logic here is a bit - weird because of how Air does spill code generation. The register allocator's spiller - will emit spill code using identifiable spill slots, which allows subsequent phases to - register-allocate the spill slots. We do this by a forward flow CSE phase called - fixObviousSpills (which is a terrible name since there is no longer anything obvious - about some of the spills that this phase can fix!). 
As is most natural for CSEs over - 3AC, it rewires the uses of redundant computations rather than removing the redundant - computations. This means that if a spill got "fixed", there may be either or both of - the following: - - - Dead loads from the stack. - - Dead stores to the stack. - - We know that a load from the stack is dead if the register is dead at the point of the - load. We know that a store to the stack is dead if the spill slot is dead at the point - of the store. - - Unfortunately, liveness analysis - over either registers or spill slots - is expensive. - - Fortunately, allocateStack() already does liveness analysis over spill slots. So, we - baked elimination of stores to the stack into that phase. That aspect of clean-up after - the spill CSE comes for free. - - Also fortunately for the FTL, we have to do reportUsedRegisters() anyway. This is a - phase that enables StackmapGenerationParams::usedRegisters() to work, which then - enables the FTL's patchpoints to do crazy slow-path live range splitting. So, Air's - strategy for the load fix-up after spill CSE is to do it as part of - reportUsedRegisters(). - - This patch introduces the Procedure::setNeedsUsedRegisters() API. But if you set - needsUsedRegisters to false then we will still run reportUsedRegisters() at -O2 as an - optimization - it removes dead loads from the stack that are left behind from - fixObviousSpills(). - - This is a ~6% compile time progression at -O1. 
- - * b3/B3Procedure.h: - (JSC::B3::Procedure::setNeedsUsedRegisters): - (JSC::B3::Procedure::needsUsedRegisters): - * b3/B3StackmapGenerationParams.h: - * b3/B3VariableLiveness.cpp: - (JSC::B3::VariableLiveness::VariableLiveness): - * b3/air/AirCode.cpp: - (JSC::B3::Air::Code::needsUsedRegisters): - * b3/air/AirCode.h: - * b3/air/AirGenerate.cpp: - (JSC::B3::Air::prepareForGeneration): - * b3/air/AirLiveness.h: - (JSC::B3::Air::Liveness::Liveness): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - -2017-04-03 Filip Pizlo - - Air liveness should build constraints and solve them rather than repeatedly parsing IR - https://bugs.webkit.org/show_bug.cgi?id=170421 - - Reviewed by Saam Barati. - - Inst::forEach<> is expensive. The LivenessAdapter uses forEach with a particularly - gnarly lambda that has many extra checks. Therefore, a lot of the time spent in - liveness analysis is just recomputing forEach<> and that lambda to get uses and defs. - - This introduces LivenessConstraints<>, which is a liveness constraint system based on - Adapter. It basically caches the results of doing forEach. It'll give you the uses and - defs at each instruction boundary. - - This is a ~5% compile time progression at optLevel=1. It's also a ~3% compile time - progression at optLevel=2. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/air/AirLivenessAdapter.h: - (JSC::B3::Air::LivenessAdapter::LivenessAdapter): - (JSC::B3::Air::LivenessAdapter::forEachUse): - (JSC::B3::Air::LivenessAdapter::forEachDef): - * b3/air/AirLivenessConstraints.h: Added. - (JSC::B3::Air::LivenessConstraints::Actions::Actions): - (JSC::B3::Air::LivenessConstraints::LivenessConstraints): - (JSC::B3::Air::LivenessConstraints::at): - -2017-04-03 Mark Lam - - Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add(). - https://bugs.webkit.org/show_bug.cgi?id=170412 - - - Reviewed by Filip Pizlo. 
- - Here's an example of code that will trigger underflow in the "deprecatedExtraMemory" - reported by SparseArrayValueMap::add() that is added to Heap::m_deprecatedExtraMemorySize: - - arr = new Array; - Object.defineProperty(arr, 18, ({writable: true, configurable: true})); - for (var i = 0; i < 3; ++i) { - Array.prototype.push.apply(arr, ["", () => {}, {}]); - Array.prototype.sort.apply(arr, [() => {}, []]); - } - - However, Heap::m_deprecatedExtraMemorySize is only 1 of 3 values that are added - up to form the result of Heap::extraMemorySize(). Heap::m_extraMemorySize and - Heap::m_arrayBuffers.size() are the other 2. - - While Heap::m_arrayBuffers.size() is bounded by actual allocated memory, both - Heap::m_deprecatedExtraMemorySize and Heap::m_extraMemorySize are added to - without any bounds checks, and they are only reset to 0 at the start of a full - GC. As a result, if we have a long sequence of eden GCs with a lot of additions - to Heap::m_extraMemorySize and/or Heap::m_deprecatedExtraMemorySize, then these - values could theoretically overflow. Coupling this with the underflow from - SparseArrayValueMap::add(), the result for Heap::extraMemorySize() can easily - overflow. Note: Heap::extraMemorySize() is used to compute the value - currentHeapSize. - - If multiple conditions line up just right, the above overflows can result in this - debug assertion failure during an eden GC: - - ASSERT(currentHeapSize >= m_sizeAfterLastCollect); - - Otherwise, the effects of the overflows will only result in the computed - currentHeapSize not being representative of actual memory usage, and therefore, - a full GC may be triggered earlier or later than is ideal. - - This patch ensures that SparseArrayValueMap::add() cannot underflow - Heap::m_deprecatedExtraMemorySize. 
It also adds overflows checks in the - calculations of Heap::m_deprecatedExtraMemorySize, Heap::m_extraMemorySize, and - Heap::extraMemorySize() so that their values are saturated appropriately to - ensure that GC collections are triggered based on representative memory usage. + This change allows building code with enabled USE(GLIB) but without + GLib JSC API. * heap/Heap.cpp: - (JSC::Heap::deprecatedReportExtraMemorySlowCase): - (JSC::Heap::extraMemorySize): - (JSC::Heap::updateAllocationLimits): - (JSC::Heap::reportExtraMemoryVisited): - * runtime/SparseArrayValueMap.cpp: - (JSC::SparseArrayValueMap::add): + (JSC::Heap::releaseDelayedReleasedObjects): + * heap/Heap.h: + * heap/HeapInlines.h: -2017-04-03 Filip Pizlo +2019-06-27 Devin Rousso - Move the Liveness<> adapters from AirLiveness.h to AirLivenessAdapter.h. - - Rubber stamped by Keith Miller. - - This will make it easier to write other code that uses those adapters. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/air/AirLiveness.h: - (JSC::B3::Air::LivenessAdapter::LivenessAdapter): Deleted. - (JSC::B3::Air::LivenessAdapter::blockSize): Deleted. - (JSC::B3::Air::LivenessAdapter::forEachUse): Deleted. - (JSC::B3::Air::LivenessAdapter::forEachDef): Deleted. - (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): Deleted. - (JSC::B3::Air::TmpLivenessAdapter::numIndices): Deleted. - (JSC::B3::Air::TmpLivenessAdapter::acceptsBank): Deleted. - (JSC::B3::Air::TmpLivenessAdapter::acceptsRole): Deleted. - (JSC::B3::Air::TmpLivenessAdapter::valueToIndex): Deleted. - (JSC::B3::Air::TmpLivenessAdapter::indexToValue): Deleted. - (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): Deleted. - (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): Deleted. - (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank): Deleted. - (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole): Deleted. - (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex): Deleted. 
- (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): Deleted. - * b3/air/AirLivenessAdapter.h: Added. - (JSC::B3::Air::LivenessAdapter::LivenessAdapter): - (JSC::B3::Air::LivenessAdapter::blockSize): - (JSC::B3::Air::LivenessAdapter::forEachUse): - (JSC::B3::Air::LivenessAdapter::forEachDef): - (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): - (JSC::B3::Air::TmpLivenessAdapter::numIndices): - (JSC::B3::Air::TmpLivenessAdapter::acceptsBank): - (JSC::B3::Air::TmpLivenessAdapter::acceptsRole): - (JSC::B3::Air::TmpLivenessAdapter::valueToIndex): - (JSC::B3::Air::TmpLivenessAdapter::indexToValue): - (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): - (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): - (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank): - (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole): - (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex): - (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): - -2017-04-03 Filip Pizlo - - WTF::Liveness should have an API that focuses on actions at instruction boundaries - https://bugs.webkit.org/show_bug.cgi?id=170407 - - Reviewed by Keith Miller. - - Adopt changes to the WTF::Liveness<> API. Instead of having separate functions for the - early/late versions of uses and defs, we now have just a use/def API. Those - automatically take care of eary/late issues as needed. - - This reduces the API surface between WTF::Liveness<> and its clients, which makes it - easier to implement some other optimizations I'm thinking about. - - * b3/B3VariableLiveness.h: - (JSC::B3::VariableLivenessAdapter::forEachUse): - (JSC::B3::VariableLivenessAdapter::forEachDef): - (JSC::B3::VariableLivenessAdapter::forEachEarlyUse): Deleted. - (JSC::B3::VariableLivenessAdapter::forEachLateUse): Deleted. - (JSC::B3::VariableLivenessAdapter::forEachEarlyDef): Deleted. - (JSC::B3::VariableLivenessAdapter::forEachLateDef): Deleted. 
- * b3/air/AirLiveness.h: - (JSC::B3::Air::LivenessAdapter::blockSize): - (JSC::B3::Air::LivenessAdapter::forEachUse): - (JSC::B3::Air::LivenessAdapter::forEachDef): - (JSC::B3::Air::LivenessAdapter::forEachEarlyUse): Deleted. - (JSC::B3::Air::LivenessAdapter::forEachLateUse): Deleted. - (JSC::B3::Air::LivenessAdapter::forEachEarlyDef): Deleted. - (JSC::B3::Air::LivenessAdapter::forEachLateDef): Deleted. - -2017-04-03 Filip Pizlo - - Inst::forEachArg could compile to more compact code - https://bugs.webkit.org/show_bug.cgi?id=170406 - - Reviewed by Sam Weinig. - - Prior to this change, Inst::forEachArg compiled to a ginormous ALWAYS_INLINE switch statement. - It had one case for each opcode, and then each of those cases would have a switch statement over - the number of operands. Then the cases of that switch statement would have a sequence of calls to - the passed lambda. This meant that every user of forEachArg would generate an insane amount of - code. It also meant that the inlining achieved nothing, since the lambda would surely then not - be inlined - and if it was, then the icache pressure due to code bloat would surely negate any - benefits. - - This replaces that code with a loop over a compact look-up table. We use the opcode and number of - operands as keys into that look-up table. The table only takes about 20KB. It has one byte for - each argument in each overload of each opcode. - - I can't measure any reproducible change in performance, but the JavaScriptCore framework binary - shrinks by 2.7 MB. This is a 15% reduction in JavaScriptCore binary size. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3Width.h: - * b3/air/AirCustom.h: - (JSC::B3::Air::PatchCustom::forEachArg): - * b3/air/AirFormTable.h: Added. 
- (JSC::B3::Air::decodeFormRole): - (JSC::B3::Air::decodeFormBank): - (JSC::B3::Air::decodeFormWidth): - * b3/air/AirInst.h: - * b3/air/opcode_generator.rb: - -2017-04-03 Keith Miller - - WebAssembly: remove lastAllocatedMode from Memory - https://bugs.webkit.org/show_bug.cgi?id=170405 - - Reviewed by Mark Lam. - - It's not used anymore so there isn't any point in keeping it around. - - * wasm/WasmMemory.cpp: - (JSC::Wasm::Memory::createImpl): - (JSC::Wasm::Memory::lastAllocatedMode): Deleted. - * wasm/WasmMemory.h: - -2017-04-03 Zan Dobersek - - [jsc] Add patchableJumpSize() for MIPS - https://bugs.webkit.org/show_bug.cgi?id=169716 - - Reviewed by Yusuke Suzuki. - - * assembler/MIPSAssembler.h: - (JSC::MIPSAssembler::patchableJumpSize): Added. - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::patchableJumpSize): Added. - -2017-04-03 Guillaume Emont - - [jsc] implement MIPSAssembler::relinkJumpToNop() - https://bugs.webkit.org/show_bug.cgi?id=169720 - - Reviewed by Yusuke Suzuki. - - * assembler/MIPSAssembler.h: - (JSC::MIPSAssembler::relinkJumpToNop): Added. - -2017-04-02 Carlos Garcia Campos - - Share implementation of JSRunLoopTimer::timerDidFire - https://bugs.webkit.org/show_bug.cgi?id=170392 - - Reviewed by Michael Catanzaro. - - The code is cross-platform but it's duplicated in CF and GLib implementations, it could be shared instead. - - * runtime/JSRunLoopTimer.cpp: - (JSC::JSRunLoopTimer::timerDidFire): Move common implementation here. - (JSC::JSRunLoopTimer::setRunLoop): Use timerDidFireCallback. - (JSC::JSRunLoopTimer::timerDidFireCallback): Call JSRunLoopTimer::timerDidFire(). - * runtime/JSRunLoopTimer.h: - -2017-04-01 Oleksandr Skachkov - - Object with numerical keys with gaps gets filled by NaN values - https://bugs.webkit.org/show_bug.cgi?id=164412 - - Reviewed by Mark Lam. - - This patch fixes issue when object have two properties - with name as number. 
The issue appears when during invoking - convertDoubleToArrayStorage, array is filled by pNaN and - method converting it to real NaN. This happeneds because a - pNaN in a Double array is a hole, and Double arrays cannot - have NaN values. To fix issue we need to check value and - clear it if it pNaN. - - * runtime/JSObject.cpp: - (JSC::JSObject::convertDoubleToArrayStorage): - -2017-03-31 Saam Barati - - WebAssembly: Make our calls out to JS PIC friendly - https://bugs.webkit.org/show_bug.cgi?id=170261 - - Reviewed by Keith Miller. - - This patch removes a direct call from the module to the Wasm to JS stub. - Instead, we do an indirect call to the stub by loading the stub's executable - address off of the CodeBlock. This is to make the code we emit for comply with - requirements needed for PIC. - - Adding this indirection is not ideal. Although this patch is neutral on - WasmBench, we really want to get back to a world where we have an IC - call infrastructure. This patch is obviously a regression on some - types of programs. 
I've filed this bug to make sure we implement a - PIC compliant Wasm to JS call IC: - https://bugs.webkit.org/show_bug.cgi?id=170375 - - * wasm/WasmB3IRGenerator.cpp: - * wasm/WasmFormat.h: - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::complete): - * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::initialize): - * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::create): - (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub): - (JSC::JSWebAssemblyCodeBlock::offsetOfCallees): - (JSC::JSWebAssemblyCodeBlock::allocationSize): - (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub): - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock): - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): - -2017-03-31 Keith Miller - - WebAssembly: webAssemblyB3OptimizationLevel should use defaultB3OptLevel by default - https://bugs.webkit.org/show_bug.cgi?id=170378 - - Reviewed by Saam Barati. - - * runtime/Options.h: - * wasm/WasmB3IRGenerator.h: - -2017-03-31 Keith Miller - - WebAssembly: Add compilation level option - https://bugs.webkit.org/show_bug.cgi?id=170374 - - Reviewed by Mark Lam. - - This patch adds an option, webAssemblyB3OptimizationLevel, which - changes the optimization mode wasm passes to B3. - - * runtime/Options.h: - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::compileFunctions): - -2017-03-31 Saam Barati - - WebAssembly: Strip WasmParser and WasmFunctionParser from knowing about VM - https://bugs.webkit.org/show_bug.cgi?id=170312 - - Reviewed by Mark Lam. - - This is another step towards PIC-ifying Wasm. This patch removes - the VM field that is no longer used. 
- - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - * wasm/WasmB3IRGenerator.h: - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::FunctionParser): - * wasm/WasmModuleParser.h: - (JSC::Wasm::ModuleParser::ModuleParser): - * wasm/WasmParser.h: - (JSC::Wasm::Parser::Parser): - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::parseAndValidateModule): - (JSC::Wasm::Plan::compileFunctions): - * wasm/WasmValidate.cpp: - (JSC::Wasm::validateFunction): - * wasm/WasmValidate.h: - -2017-03-31 Saam Barati - - WebAssembly: Ref count Signature and SignatureInformation should not care about VM - https://bugs.webkit.org/show_bug.cgi?id=170316 - - Reviewed by Keith Miller. - - This is yet again another step towards PIC-ifying Wasm. - Signature should be ref counted so we can tell when - no code is holding onto a Signature. This makes it easy - to free unused Signatures. Also, this patch rids SignatureInfo - of any VM knowledge. Now, there is just a single SignatureInfo that - lives in a process. - - * runtime/VM.h: - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::createJSToWasmWrapper): - (JSC::Wasm::parseAndCompile): - * wasm/WasmB3IRGenerator.h: - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - * wasm/WasmCallingConvention.h: - (JSC::Wasm::CallingConvention::loadArguments): - * wasm/WasmFormat.h: - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::FunctionParser): - * wasm/WasmModuleParser.cpp: - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::parseAndValidateModule): - (JSC::Wasm::Plan::compileFunctions): - (JSC::Wasm::Plan::complete): - * wasm/WasmSignature.cpp: - (JSC::Wasm::Signature::hash): - (JSC::Wasm::Signature::tryCreate): - (JSC::Wasm::SignatureInformation::SignatureInformation): - (JSC::Wasm::SignatureInformation::singleton): - (JSC::Wasm::SignatureInformation::adopt): - (JSC::Wasm::SignatureInformation::get): - (JSC::Wasm::SignatureInformation::tryCleanup): - (JSC::Wasm::Signature::create): Deleted. 
- (JSC::Wasm::Signature::createInvalid): Deleted. - (JSC::Wasm::Signature::destroy): Deleted. - (JSC::Wasm::SignatureInformation::~SignatureInformation): Deleted. - * wasm/WasmSignature.h: - (JSC::Wasm::Signature::allocatedSize): - (JSC::Wasm::Signature::operator==): - * wasm/WasmValidate.cpp: - (JSC::Wasm::validateFunction): - * wasm/WasmValidate.h: - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::destroy): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - * wasm/js/WebAssemblyFunction.h: - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::link): - (JSC::WebAssemblyModuleRecord::evaluate): - * wasm/js/WebAssemblyWrapperFunction.cpp: - (JSC::WebAssemblyWrapperFunction::create): - * wasm/js/WebAssemblyWrapperFunction.h: - -2017-03-31 Mark Lam - - Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate(). - https://bugs.webkit.org/show_bug.cgi?id=170303 - - - Reviewed by Filip Pizlo. - - This is because it needs to call getProperty() later to get the values for - initializing the array. getProperty() can execute arbitrary code and potentially - trigger the GC. This is not allowed for clients of JSArray::tryCreateForInitializationPrivate(). - - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncSplice): - (JSC::copySplicedArrayElements): Deleted. - -2017-03-31 Oleksandr Skachkov - - String.prototype.replace incorrectly applies "special replacement parameters" when passed a function - https://bugs.webkit.org/show_bug.cgi?id=170151 - - Reviewed by Saam Barati. - - This patch fixes issue for String.prototype.replace when passed a function - with special symbols "$$". 
It happeneds because substituteBackreferences applies - unconditionally, but according to the spec it should be applied only for text - 21.1.3.16.8 https://tc39.github.io/ecma262/#sec-string.prototype.replace - - * runtime/StringPrototype.cpp: - (JSC::replaceUsingStringSearch): - -2017-03-30 Saam Barati - - WebAssembly: When Wasm calls to C, it should use Wasm::Context* instead of ExecState* to get VM - https://bugs.webkit.org/show_bug.cgi?id=170185 - - Reviewed by Michael Saboff. - - This is one more step in the direction of PIC-ified Wasm. - When we lift WasmCallee above VM, we will no longer be - able to get VM from ExecState*. This patch ensures that - we don't do that from within the Wasm runtime. Instead, - we use the Wasm::Context* to get the VM. - - This patch also adds a new class, Wasm::Thunks. There - is a single Wasm::Thunks that lives in the process. It - is responsible for generating a thunk that Wasm relies on. - The only such thunk right now is the exception throwing - thunk. - - This patch also rids WasmFaultSignalHandler from any knowledge - of VM. Previously, it relied on VM to get the exception handling - thunk. - - The only part of the Wasm runtime that will be allowed - to get VM& from ExecState will be WasmBinding. In the - future, we plan to keep the calls out to JS to keep - a JSCell as the callee. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGOSREntry.cpp: - (JSC::DFG::prepareOSREntry): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - * interpreter/Interpreter.cpp: - (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): - (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBufferImpl): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): - * jit/ThunkGenerators.cpp: - (JSC::throwExceptionFromWasmThunkGenerator): Deleted. 
- * jit/ThunkGenerators.h: - * runtime/InitializeThreading.cpp: - (JSC::initializeThreading): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::VM::getAllCalleeSaveRegisterOffsets): - * runtime/VM.h: - (JSC::VM::topVMEntryFrameOffset): - (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted. - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::emitExceptionCheck): - * wasm/WasmFaultSignalHandler.cpp: - (JSC::Wasm::trapHandler): - * wasm/WasmMemory.cpp: - (JSC::Wasm::tryGetFastMemory): - * wasm/WasmThunks.cpp: Added. - (JSC::Wasm::throwExceptionFromWasmThunkGenerator): - (JSC::Wasm::Thunks::initialize): - (JSC::Wasm::Thunks::singleton): - (JSC::Wasm::Thunks::stub): - (JSC::Wasm::Thunks::existingStub): - * wasm/WasmThunks.h: Added. - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::offsetOfVM): - * wasm/js/JSWebAssemblyMemory.cpp: - (JSC::JSWebAssemblyMemory::grow): - * wasm/js/JSWebAssemblyMemory.h: - * wasm/js/WebAssemblyMemoryPrototype.cpp: - (JSC::webAssemblyMemoryProtoFuncGrow): - -2017-03-30 Mark Lam - - IntlObject should not be using JSArray::initializeIndex(). - https://bugs.webkit.org/show_bug.cgi?id=170302 - - - Reviewed by Saam Barati. - - JSArray::initializeIndex() is only meant to be used with arrays created using - JSArray::tryCreateForInitializationPrivate() under very constrained conditions. - - * runtime/IntlObject.cpp: - (JSC::canonicalizeLocaleList): - (JSC::intlObjectFuncGetCanonicalLocales): - -2017-03-30 Filip Pizlo - - Air should support linear scan for optLevel<2 - https://bugs.webkit.org/show_bug.cgi?id=170161 - - Reviewed by Saam Barati. - - This changes the default opt level of B3 to 2. It makes the other opt levels useful by adding a - new register allocator. This new linear scan allocator will produce significantly worse code. - But it will produce that code a lot faster than IRC or Briggs. 
- - The opt levels are: - 0: no optimizations, linear scan - 1: some optimizations, linear scan - 2: full optimizations, graph coloring (IRC or Briggs based on CPU) - - What we used to call optLevel=1 is not called optLevel=2, or better yet, - optLevel=B3::defaultOptLevel(). We no longer have anything like the old optLevel=0 (which did no - optimizations but ran graph coloring). - - allocateRegistersByLinearScan() faithfully implements Massimiliano Poletto and Vivek Sarkar's - famous algorithm. It uses the variant that handles clobbered registers by avoiding assigning - ranges to those registers if the range overlaps a clobber. It's engineered to allocate registers - very quickly and generate inefficient code without falling off a cliff. - - The new optLevel=1 speeds up B3 by a factor of 2, and results in a 80% throughput regression. - Linear scan runs 4.7x faster than graph coloring on average. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3BasicBlockUtils.h: - (JSC::B3::blocksInPreOrder): - (JSC::B3::blocksInPostOrder): - * b3/B3BlockWorklist.h: - * b3/B3CFG.h: - (JSC::B3::CFG::newMap): - * b3/B3Common.h: - (JSC::B3::defaultOptLevel): - * b3/B3Compile.h: - * b3/B3DuplicateTails.cpp: - * b3/B3EliminateCommonSubexpressions.cpp: - * b3/B3FixSSA.cpp: - (JSC::B3::demoteValues): - (JSC::B3::fixSSA): - * b3/B3FixSSA.h: - * b3/B3Generate.cpp: - (JSC::B3::prepareForGeneration): - (JSC::B3::generateToAir): - * b3/B3Generate.h: - * b3/B3HeapRange.cpp: Removed. - * b3/B3HeapRange.h: - (JSC::B3::HeapRange::HeapRange): Deleted. - (JSC::B3::HeapRange::top): Deleted. - (JSC::B3::HeapRange::operator==): Deleted. - (JSC::B3::HeapRange::operator!=): Deleted. - (JSC::B3::HeapRange::operator|): Deleted. - (JSC::B3::HeapRange::operator bool): Deleted. - (JSC::B3::HeapRange::begin): Deleted. - (JSC::B3::HeapRange::end): Deleted. - (JSC::B3::HeapRange::overlaps): Deleted. 
- * b3/B3LowerToAir.cpp: - * b3/B3MoveConstants.cpp: - * b3/B3PhiChildren.h: - * b3/B3Procedure.cpp: - (JSC::B3::Procedure::dump): - (JSC::B3::Procedure::deleteOrphans): - (JSC::B3::Procedure::setBlockOrderImpl): - * b3/B3ReduceDoubleToFloat.cpp: - * b3/B3ReduceStrength.cpp: - * b3/B3SSACalculator.h: - * b3/B3UseCounts.h: - * b3/air/AirAllocateRegistersByGraphColoring.cpp: - * b3/air/AirAllocateRegistersByLinearScan.cpp: Added. - (JSC::B3::Air::allocateRegistersByLinearScan): - * b3/air/AirAllocateRegistersByLinearScan.h: Added. - * b3/air/AirAllocateStack.cpp: - (JSC::B3::Air::allocateStack): - * b3/air/AirArg.cpp: - (WTF::printInternal): - * b3/air/AirArg.h: - (JSC::B3::Air::Arg::activeAt): - (JSC::B3::Air::Arg::timing): - (JSC::B3::Air::Arg::forEachPhase): - * b3/air/AirBasicBlock.h: - * b3/air/AirBlockWorklist.h: - * b3/air/AirCFG.h: - (JSC::B3::Air::CFG::newMap): - * b3/air/AirEliminateDeadCode.cpp: - (JSC::B3::Air::eliminateDeadCode): - * b3/air/AirFixObviousSpills.cpp: - * b3/air/AirFixPartialRegisterStalls.cpp: - (JSC::B3::Air::fixPartialRegisterStalls): - * b3/air/AirFixSpillsAfterTerminals.cpp: Added. - (JSC::B3::Air::fixSpillsAfterTerminals): - * b3/air/AirFixSpillsAfterTerminals.h: Added. - * b3/air/AirGenerate.cpp: - (JSC::B3::Air::prepareForGeneration): - (JSC::B3::Air::generate): - * b3/air/AirGenerate.h: - * b3/air/AirGenerationContext.h: - * b3/air/AirInsertionSet.h: - * b3/air/AirInst.cpp: - (JSC::B3::Air::Inst::needsPadding): - * b3/air/AirLowerAfterRegAlloc.cpp: - (JSC::B3::Air::lowerAfterRegAlloc): - * b3/air/AirLowerEntrySwitch.cpp: - (JSC::B3::Air::lowerEntrySwitch): - * b3/air/AirOpcode.opcodes: - * b3/air/AirPhaseInsertionSet.cpp: Added. - (JSC::B3::Air::PhaseInsertionSet::execute): - * b3/air/AirPhaseInsertionSet.h: Added. 
- (JSC::B3::Air::PhaseInsertion::PhaseInsertion): - (JSC::B3::Air::PhaseInsertion::phase): - (JSC::B3::Air::PhaseInsertion::operator<): - (JSC::B3::Air::PhaseInsertionSet::PhaseInsertionSet): - (JSC::B3::Air::PhaseInsertionSet::appendInsertion): - (JSC::B3::Air::PhaseInsertionSet::insertInst): - (JSC::B3::Air::PhaseInsertionSet::insert): - * b3/air/AirRegLiveness.h: - (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc): - * b3/air/AirSpillEverything.cpp: - (JSC::B3::Air::spillEverything): - * b3/air/AirTmp.cpp: - * b3/air/AirTmp.h: - (JSC::B3::Air::Tmp::tmpForIndex): - * b3/air/AirTmpInlines.h: - (JSC::B3::Air::Tmp::Indexed::Indexed): - (JSC::B3::Air::Tmp::Indexed::index): - (JSC::B3::Air::Tmp::AbsolutelyIndexed::AbsolutelyIndexed): - (JSC::B3::Air::Tmp::AbsolutelyIndexed::index): - (JSC::B3::Air::Tmp::indexed): - (JSC::B3::Air::Tmp::absolutelyIndexed): - (JSC::B3::Air::Tmp::tmpForAbsoluteIndex): - * b3/testb3.cpp: - (JSC::B3::compile): - (JSC::B3::testMulLoadTwice): - * jit/RegisterSet.h: - (JSC::RegisterSet::add): - (JSC::RegisterSet::remove): - * runtime/Options.h: - * wasm/WasmB3IRGenerator.h: - -2017-03-30 Youenn Fablet - - Clean up RTCDataChannel - https://bugs.webkit.org/show_bug.cgi?id=169732 - - Reviewed by Chris Dumez. - - * runtime/CommonIdentifiers.h: Adding RTCDataChannelEvent. - -2017-03-30 Saam Barati - - WebAssembly: pass Wasm::Context* to vmEntryToWasm when not using fast TLS - https://bugs.webkit.org/show_bug.cgi?id=170182 - - Reviewed by Mark Lam. - - This is one more step in the direction of PIC-ified Wasm. - I'm removing assumptions that a wasm callee is a cell. We used to use - the callee to get the WasmContext off the callee's VM. Instead, - this patch makes it so that we pass in the context as a parameter - to the JS entrypoint. - - * heap/MarkedBlock.h: - (JSC::MarkedBlock::offsetOfVM): Deleted. 
- * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::loadWasmContext): - (JSC::AssemblyHelpers::storeWasmContext): - (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): - (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): - * jsc.cpp: - (functionTestWasmModuleFunctions): - * runtime/VM.h: - (JSC::VM::wasmContextOffset): Deleted. - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::materializeWasmContext): - (JSC::Wasm::B3IRGenerator::restoreWasmContext): - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::createJSToWasmWrapper): - * wasm/WasmContext.cpp: - (JSC::Wasm::loadContext): - (JSC::Wasm::storeContext): - (JSC::loadWasmContext): Deleted. - (JSC::storeWasmContext): Deleted. - * wasm/WasmContext.h: - (JSC::Wasm::useFastTLS): - (JSC::Wasm::useFastTLSForContext): - * wasm/WasmMemoryInformation.cpp: - (JSC::Wasm::PinnedRegisterInfo::get): - * wasm/WasmMemoryInformation.h: - (JSC::Wasm::useFastTLS): Deleted. - (JSC::Wasm::useFastTLSForWasmContext): Deleted. - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - -2017-03-30 JF Bastien - - WebAssembly: fix misc JS API implementation inconsistencies - https://bugs.webkit.org/show_bug.cgi?id=170187 - - Reviewed by Keith Miller. - - Auto-generate lookup tables. - Methods should be on prototype. - Exception returns should be idiomatic. - - * wasm/JSWebAssembly.cpp: validate / compile / instantiate should - be on the prototype - (JSC::JSWebAssembly::create): - (JSC::JSWebAssembly::finishCreation): - (JSC::reject): Deleted. - (JSC::webAssemblyCompileFunc): Deleted. - (JSC::resolve): Deleted. - (JSC::instantiate): Deleted. - (JSC::compileAndInstantiate): Deleted. - (JSC::webAssemblyInstantiateFunc): Deleted. - (JSC::webAssemblyValidateFunc): Deleted. 
- * wasm/JSWebAssembly.h: - * wasm/js/WebAssemblyMemoryPrototype.cpp: move from JSWebAssembly.cpp - (JSC::webAssemblyMemoryProtoFuncBuffer): - (JSC::WebAssemblyMemoryPrototype::create): - (JSC::WebAssemblyMemoryPrototype::finishCreation): - * wasm/js/WebAssemblyMemoryPrototype.h: - * wasm/js/WebAssemblyPrototype.cpp: - (JSC::reject): - (JSC::webAssemblyCompileFunc): - (JSC::resolve): - (JSC::instantiate): - (JSC::compileAndInstantiate): - (JSC::webAssemblyInstantiateFunc): - (JSC::webAssemblyValidateFunc): - (JSC::webAssemblyFunctionValidate): Deleted. - (JSC::webAssemblyFunctionCompile): Deleted. - * wasm/js/WebAssemblyTablePrototype.cpp: - (JSC::webAssemblyTableProtoFuncGrow): - (JSC::webAssemblyTableProtoFuncGet): - (JSC::webAssemblyTableProtoFuncSet): - (JSC::WebAssemblyTablePrototype::create): - (JSC::WebAssemblyTablePrototype::finishCreation): - * wasm/js/WebAssemblyTablePrototype.h: - -2017-03-29 Keith Miller - - Unreviewed, fix the build, again. Hopefully for the last time, again! - - * runtime/Options.cpp: - -2017-03-29 Keith Miller - - Unreviewed, fix the build, again. Hopefully for the last time! - - * runtime/Options.cpp: - (JSC::parse): - -2017-03-29 Keith Miller - - Unreviewed, windows build fix. - - * runtime/Options.cpp: - (JSC::parse): - -2017-03-29 Keith Miller - - WebAssembly: B3IRGenerator should pool constants - https://bugs.webkit.org/show_bug.cgi?id=170266 - - Reviewed by Filip Pizlo. - - This patch adds a HashMap to B3IRGenerator that contains all the constants used in a function. - B3IRGenerator then uses an InsertionSet to add all those constants to the root BB. This doesn't - appear to be a compile time improvement but it could be valuable in the future. 
- - * b3/B3Opcode.h: - (JSC::B3::opcodeForConstant): - * b3/B3Procedure.cpp: - (JSC::B3::Procedure::addConstant): - * b3/B3Procedure.h: - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::constant): - (JSC::Wasm::B3IRGenerator::insertConstants): - (JSC::Wasm::B3IRGenerator::addConstant): - (JSC::Wasm::B3IRGenerator::dump): - (JSC::Wasm::parseAndCompile): - (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv): - (JSC::Wasm::B3IRGenerator::zeroForType): Deleted. - * wasm/generateWasmB3IRGeneratorInlinesHeader.py: - (generateConstCode): - -2017-03-29 Saam Barati - - LinkBuffer and ExecutableAllocator shouldn't have anything to do with VM - https://bugs.webkit.org/show_bug.cgi?id=170210 - - Reviewed by Mark Lam. - - This is one more step in the direction of PIC-ified Wasm. - LinkBuffer and ExecutableAllocator have no business knowing about VM. - - * assembler/LinkBuffer.cpp: - (JSC::LinkBuffer::allocate): - * assembler/LinkBuffer.h: - (JSC::LinkBuffer::LinkBuffer): - (JSC::LinkBuffer::vm): Deleted. 
- * b3/B3Compile.cpp: - (JSC::B3::compile): - * b3/B3Compile.h: - * b3/air/testair.cpp: - * b3/testb3.cpp: - (JSC::B3::compileProc): - (JSC::B3::compileAndRun): - (JSC::B3::testLoadAcq42): - (JSC::B3::testAddArgZeroImmZDef): - (JSC::B3::testAddLoadTwice): - (JSC::B3::testMulLoadTwice): - (JSC::B3::testMulAddArgsLeft): - (JSC::B3::testMulAddArgsRight): - (JSC::B3::testMulAddArgsLeft32): - (JSC::B3::testMulAddArgsRight32): - (JSC::B3::testMulSubArgsLeft): - (JSC::B3::testMulSubArgsRight): - (JSC::B3::testMulSubArgsLeft32): - (JSC::B3::testMulSubArgsRight32): - (JSC::B3::testMulNegArgs): - (JSC::B3::testMulNegArgs32): - (JSC::B3::testCompareFloatToDoubleThroughPhi): - (JSC::B3::testDoubleToFloatThroughPhi): - (JSC::B3::testReduceFloatToDoubleValidates): - (JSC::B3::testDoubleProducerPhiToFloatConversion): - (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer): - (JSC::B3::testDoubleProducerPhiWithNonFloatConst): - (JSC::B3::testIToD64Arg): - (JSC::B3::testIToF64Arg): - (JSC::B3::testIToD32Arg): - (JSC::B3::testIToF32Arg): - (JSC::B3::testIToD64Mem): - (JSC::B3::testIToF64Mem): - (JSC::B3::testIToD32Mem): - (JSC::B3::testIToF32Mem): - (JSC::B3::testIToDReducedToIToF64Arg): - (JSC::B3::testIToDReducedToIToF32Arg): - (JSC::B3::testStoreRelAddLoadAcq32): - (JSC::B3::testStoreRelAddLoadAcq8): - (JSC::B3::testStoreRelAddFenceLoadAcq8): - (JSC::B3::testStoreRelAddLoadAcq16): - (JSC::B3::testStoreRelAddLoadAcq64): - (JSC::B3::testBranch): - (JSC::B3::testBranchPtr): - (JSC::B3::testDiamond): - (JSC::B3::testBranchNotEqual): - (JSC::B3::testBranchNotEqualCommute): - (JSC::B3::testBranchNotEqualNotEqual): - (JSC::B3::testBranchEqual): - (JSC::B3::testBranchEqualEqual): - (JSC::B3::testBranchEqualCommute): - (JSC::B3::testBranchEqualEqual1): - (JSC::B3::testBranchLoadPtr): - (JSC::B3::testBranchLoad32): - (JSC::B3::testBranchLoad8S): - (JSC::B3::testBranchLoad8Z): - (JSC::B3::testBranchLoad16S): - (JSC::B3::testBranchLoad16Z): - 
(JSC::B3::testBranch8WithLoad8ZIndex): - (JSC::B3::testComplex): - (JSC::B3::testSimpleCheck): - (JSC::B3::testCheckFalse): - (JSC::B3::testCheckTrue): - (JSC::B3::testCheckLessThan): - (JSC::B3::testCheckMegaCombo): - (JSC::B3::testCheckTrickyMegaCombo): - (JSC::B3::testCheckTwoMegaCombos): - (JSC::B3::testCheckTwoNonRedundantMegaCombos): - (JSC::B3::testCheckAddImm): - (JSC::B3::testCheckAddImmCommute): - (JSC::B3::testCheckAddImmSomeRegister): - (JSC::B3::testCheckAdd): - (JSC::B3::testCheckAdd64): - (JSC::B3::testCheckAddFold): - (JSC::B3::testCheckAddFoldFail): - (JSC::B3::testCheckAddSelfOverflow64): - (JSC::B3::testCheckAddSelfOverflow32): - (JSC::B3::testCheckSubImm): - (JSC::B3::testCheckSubBadImm): - (JSC::B3::testCheckSub): - (JSC::B3::testCheckSub64): - (JSC::B3::testCheckSubFold): - (JSC::B3::testCheckSubFoldFail): - (JSC::B3::testCheckNeg): - (JSC::B3::testCheckNeg64): - (JSC::B3::testCheckMul): - (JSC::B3::testCheckMulMemory): - (JSC::B3::testCheckMul2): - (JSC::B3::testCheckMul64): - (JSC::B3::testCheckMulFold): - (JSC::B3::testCheckMulFoldFail): - (JSC::B3::testCheckMul64SShr): - (JSC::B3::testSwitch): - (JSC::B3::testSwitchChillDiv): - (JSC::B3::testSwitchTargettingSameBlock): - (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant): - (JSC::B3::testBasicSelect): - (JSC::B3::testSelectTest): - (JSC::B3::testSelectCompareDouble): - (JSC::B3::testSelectDouble): - (JSC::B3::testSelectDoubleTest): - (JSC::B3::testSelectDoubleCompareDouble): - (JSC::B3::testSelectFloatCompareFloat): - (JSC::B3::testSelectFold): - (JSC::B3::testSelectInvert): - (JSC::B3::testCheckSelect): - (JSC::B3::testCheckSelectCheckSelect): - (JSC::B3::testCheckSelectAndCSE): - (JSC::B3::testTrivialInfiniteLoop): - (JSC::B3::testFoldPathEqual): - (JSC::B3::testLShiftSelf32): - (JSC::B3::testRShiftSelf32): - (JSC::B3::testURShiftSelf32): - (JSC::B3::testLShiftSelf64): - (JSC::B3::testRShiftSelf64): - (JSC::B3::testURShiftSelf64): - (JSC::B3::testPatchpointDoubleRegs): - 
(JSC::B3::testSpillDefSmallerThanUse): - (JSC::B3::testSpillUseLargerThanDef): - (JSC::B3::testLateRegister): - (JSC::B3::testInterpreter): - (JSC::B3::testEntrySwitchSimple): - (JSC::B3::testEntrySwitchNoEntrySwitch): - (JSC::B3::testEntrySwitchWithCommonPaths): - (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): - (JSC::B3::testEntrySwitchLoop): - (JSC::B3::testSomeEarlyRegister): - (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled): - (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2): - (JSC::B3::testPatchpointTerminalReturnValue): - (JSC::B3::testMemoryFence): - (JSC::B3::testStoreFence): - (JSC::B3::testLoadFence): - (JSC::B3::testPCOriginMapDoesntInsertNops): - (JSC::B3::testPinRegisters): - (JSC::B3::testX86LeaAddAddShlLeft): - (JSC::B3::testX86LeaAddAddShlRight): - (JSC::B3::testX86LeaAddAdd): - (JSC::B3::testX86LeaAddShlRight): - (JSC::B3::testX86LeaAddShlLeftScale1): - (JSC::B3::testX86LeaAddShlLeftScale2): - (JSC::B3::testX86LeaAddShlLeftScale4): - (JSC::B3::testX86LeaAddShlLeftScale8): - (JSC::B3::testAddShl32): - (JSC::B3::testAddShl64): - (JSC::B3::testAddShl65): - (JSC::B3::testLoadBaseIndexShift2): - (JSC::B3::testLoadBaseIndexShift32): - (JSC::B3::testOptimizeMaterialization): - (JSC::B3::testAtomicWeakCAS): - (JSC::B3::testAtomicStrongCAS): - (JSC::B3::testAtomicXchg): - (JSC::B3::testDepend32): - (JSC::B3::testDepend64): - (JSC::B3::testWasmBoundsCheck): - (JSC::B3::testWasmAddress): - (JSC::B3::run): - (JSC::B3::compile): Deleted. 
- * bytecode/PolymorphicAccess.cpp: - (JSC::PolymorphicAccess::regenerate): - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::compile): - (JSC::DFG::JITCompiler::compileFunction): - * dfg/DFGLazyJSValue.cpp: - (JSC::DFG::LazyJSValue::emit): - * dfg/DFGOSRExitCompiler.cpp: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * dfg/DFGThunks.cpp: - (JSC::DFG::osrExitGenerationThunkGenerator): - (JSC::DFG::osrEntryThunkGenerator): - * ftl/FTLCompile.cpp: - (JSC::FTL::compile): - * ftl/FTLLazySlowPath.cpp: - (JSC::FTL::LazySlowPath::generate): - * ftl/FTLLink.cpp: - (JSC::FTL::link): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): - (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): - (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): - (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): - (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - * ftl/FTLOSRExitHandle.cpp: - (JSC::FTL::OSRExitHandle::emitExitThunk): - * ftl/FTLSlowPathCall.cpp: - (JSC::FTL::SlowPathCallContext::makeCall): - * ftl/FTLSlowPathCall.h: - (JSC::FTL::callOperation): - * ftl/FTLState.h: - * ftl/FTLThunks.cpp: - (JSC::FTL::genericGenerationThunkGenerator): - (JSC::FTL::slowPathCallThunkGenerator): - * ftl/FTLThunks.h: - (JSC::FTL::generateIfNecessary): - (JSC::FTL::Thunks::getSlowPathCallThunk): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::emitDumbVirtualCall): - * jit/AssemblyHelpers.h: - * jit/ExecutableAllocator.cpp: - (JSC::ExecutableAllocator::initializeAllocator): - (JSC::ExecutableAllocator::singleton): - (JSC::ExecutableAllocator::ExecutableAllocator): - (JSC::ExecutableAllocator::allocate): - * jit/ExecutableAllocator.h: - * jit/JIT.cpp: - (JSC::JIT::compileWithoutLinking): - * jit/JITCall.cpp: - (JSC::JIT::compileCallEvalSlowCase): - * jit/JITMathIC.h: - 
(JSC::JITMathIC::generateOutOfLine): - * jit/JITOpcodes.cpp: - (JSC::JIT::privateCompileHasIndexedProperty): - * jit/JITOpcodes32_64.cpp: - (JSC::JIT::privateCompileHasIndexedProperty): - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::stringGetByValStubGenerator): - (JSC::JIT::privateCompileGetByVal): - (JSC::JIT::privateCompileGetByValWithCachedId): - (JSC::JIT::privateCompilePutByVal): - (JSC::JIT::privateCompilePutByValWithCachedId): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::stringGetByValStubGenerator): - * jit/JITStubRoutine.h: - * jit/Repatch.cpp: - (JSC::ftlThunkAwareRepatchCall): - (JSC::linkPolymorphicCall): - * jit/SpecializedThunkJIT.h: - (JSC::SpecializedThunkJIT::finalize): - * jit/ThunkGenerators.cpp: - (JSC::throwExceptionFromCallSlowPathGenerator): - (JSC::linkCallThunkGenerator): - (JSC::linkPolymorphicCallThunkGenerator): - (JSC::virtualThunkFor): - (JSC::nativeForGenerator): - (JSC::arityFixupGenerator): - (JSC::unreachableGenerator): - (JSC::boundThisNoArgsFunctionCallGenerator): - (JSC::throwExceptionFromWasmThunkGenerator): - * llint/LLIntThunks.cpp: - (JSC::LLInt::generateThunkWithJumpTo): - * runtime/SamplingProfiler.cpp: - (JSC::SamplingProfiler::takeSample): - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - * runtime/VMTraps.cpp: - (JSC::VMTraps::tryInstallTrapBreakpoints): - * tools/VMInspector.cpp: - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - (JSC::Wasm::wasmToWasm): - (JSC::Wasm::exitStubGenerator): - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::complete): - * yarr/YarrJIT.cpp: - (JSC::Yarr::YarrGenerator::compile): - (JSC::Yarr::jitCompile): - -2017-03-29 Keith Miller - - WebAssembly: Worklist should periodically check in to see if there are higher priority jobs to do. - https://bugs.webkit.org/show_bug.cgi?id=170204 - - Reviewed by Saam Barati. - - This patch makes it so that Wasm::Plan's compileFunctions method can return periodically - to its caller. 
The main use for this is if a user asynchronously compiles a wasm module - then later synchronously compiles another module. In this case we want to be able to pause - compilation of other worklists. - - This patch also adds support for size_t Options. - - * runtime/Options.cpp: - (JSC::parse): - (JSC::Option::dump): - (JSC::Option::operator==): - * runtime/Options.h: - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::moveToState): - (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder): - (JSC::Wasm::Plan::compileFunctions): - * wasm/WasmPlan.h: - * wasm/WasmWorklist.cpp: - -2017-03-29 Mark Lam - - Remove obsolete references to HeapTimer in JavaScriptCore.order. - https://bugs.webkit.org/show_bug.cgi?id=170252 - - Reviewed by Saam Barati. - - The HeapTimer was renamed to JSRunLoopTimer back in r214504. These HeapTimer - entries are now no longer meaningful. - - * JavaScriptCore.order: - -2017-03-29 JF Bastien - - WebAssembly: add shell-only Memory mode helper - https://bugs.webkit.org/show_bug.cgi?id=170227 - - Reviewed by Mark Lam. - - * jsc.cpp: - (GlobalObject::finishCreation): - (functionWebAssemblyMemoryMode): - * wasm/WasmMemory.h: - * wasm/js/JSWebAssemblyInstance.h: - * wasm/js/JSWebAssemblyMemory.h: - -2017-03-29 Keith Miller - - WebAssembly: pack OpcodeOrigin to fit in a pointer - https://bugs.webkit.org/show_bug.cgi?id=170244 - - Reviewed by Michael Saboff. - - This patch makes it so we don't have to have allocate the OpcodeOrigin and can just - pack all the data into the pointer B3::Origin already has. - - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - * wasm/WasmOpcodeOrigin.cpp: - (JSC::Wasm::OpcodeOrigin::dump): - * wasm/WasmOpcodeOrigin.h: - (JSC::Wasm::OpcodeOrigin::OpcodeOrigin): - (JSC::Wasm::OpcodeOrigin::opcode): - (JSC::Wasm::OpcodeOrigin::location): - -2017-03-29 JF Bastien - - WebAssembly: NFC s/goto/lambda/g - https://bugs.webkit.org/show_bug.cgi?id=170242 - - Reviewed by Mark Lam. 
- - Lambdas are more in-style than the goto I just used. - - * wasm/WasmMemory.cpp: - (JSC::Wasm::tryGetFastMemory): - -2017-03-28 Saam Barati - - AssemblyHelpers should not have a VM field - https://bugs.webkit.org/show_bug.cgi?id=170207 - - Reviewed by Yusuke Suzuki. - - APIs that need VM should take one as a parameter. When doing position - independent code for Wasm, we can't tie code generation to a VM. - - * b3/B3Compile.cpp: - (JSC::B3::compile): - * b3/air/testair.cpp: - * b3/testb3.cpp: - (JSC::B3::testEntrySwitchSimple): - (JSC::B3::testEntrySwitchNoEntrySwitch): - (JSC::B3::testEntrySwitchWithCommonPaths): - (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): - (JSC::B3::testEntrySwitchLoop): - * bytecode/AccessCase.cpp: - (JSC::AccessCase::generateWithGuard): - (JSC::AccessCase::generateImpl): - * bytecode/DOMJITAccessCasePatchpointParams.cpp: - (JSC::SlowPathCallGeneratorWithArguments::generateImpl): - * bytecode/InlineAccess.cpp: - (JSC::InlineAccess::dumpCacheSizesAndCrash): - (JSC::InlineAccess::generateSelfPropertyAccess): - (JSC::InlineAccess::generateSelfPropertyReplace): - (JSC::InlineAccess::generateArrayLength): - (JSC::InlineAccess::rewireStubAsJump): - * bytecode/InlineAccess.h: - * bytecode/PolymorphicAccess.cpp: - (JSC::AccessGenerationState::emitExplicitExceptionHandler): - (JSC::PolymorphicAccess::regenerate): - * bytecode/PolymorphicAccess.h: - (JSC::AccessGenerationState::AccessGenerationState): - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::JITCompiler): - (JSC::DFG::JITCompiler::compileExceptionHandlers): - (JSC::DFG::JITCompiler::link): - (JSC::DFG::JITCompiler::compile): - (JSC::DFG::JITCompiler::compileFunction): - (JSC::DFG::JITCompiler::exceptionCheck): - * dfg/DFGJITCompiler.h: - (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback): - (JSC::DFG::JITCompiler::fastExceptionCheck): - (JSC::DFG::JITCompiler::vm): - * dfg/DFGOSRExitCompiler.cpp: - * dfg/DFGOSRExitCompiler.h: - * 
dfg/DFGOSRExitCompiler32_64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOSRExitCompiler64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::adjustAndJumpToTarget): - * dfg/DFGOSRExitCompilerCommon.h: - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): - (JSC::DFG::SpeculativeJIT::checkArray): - (JSC::DFG::SpeculativeJIT::compileCurrentBlock): - (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): - (JSC::DFG::SpeculativeJIT::compileMakeRope): - (JSC::DFG::SpeculativeJIT::compileGetGlobalObject): - (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): - (JSC::DFG::SpeculativeJIT::compileCreateActivation): - (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): - (JSC::DFG::SpeculativeJIT::compileSpread): - (JSC::DFG::SpeculativeJIT::compileArraySlice): - (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly): - (JSC::DFG::SpeculativeJIT::compileNewStringObject): - (JSC::DFG::SpeculativeJIT::compileNewTypedArray): - (JSC::DFG::SpeculativeJIT::compileStoreBarrier): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize): - (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): - (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject): - (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - (JSC::DFG::SpeculativeJIT::compileLogicalNot): - (JSC::DFG::SpeculativeJIT::emitBranch): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): - (JSC::DFG::SpeculativeJIT::emitCall): - (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): - (JSC::DFG::SpeculativeJIT::compileLogicalNot): - (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): - 
(JSC::DFG::SpeculativeJIT::emitBranch): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): - * dfg/DFGThunks.cpp: - (JSC::DFG::osrEntryThunkGenerator): - * ftl/FTLCompile.cpp: - (JSC::FTL::compile): - * ftl/FTLJITFinalizer.h: - * ftl/FTLLazySlowPath.cpp: - (JSC::FTL::LazySlowPath::generate): - * ftl/FTLLazySlowPathCall.h: - (JSC::FTL::createLazyCallGenerator): - * ftl/FTLLink.cpp: - (JSC::FTL::link): - * ftl/FTLLowerDFGToB3.cpp: - (JSC::FTL::DFG::LowerDFGToB3::lower): - (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): - (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): - (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments): - (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): - (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): - (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite): - (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): - (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): - (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): - (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull): - (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction): - (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): - (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation): - (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps): - (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): - (JSC::FTL::DFG::LowerDFGToB3::allocateObject): - (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): - (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - * ftl/FTLSlowPathCall.h: - (JSC::FTL::callOperation): - * ftl/FTLState.h: - (JSC::FTL::State::vm): - * ftl/FTLThunks.cpp: - (JSC::FTL::genericGenerationThunkGenerator): - (JSC::FTL::slowPathCallThunkGenerator): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::jitReleaseAssertNoException): - (JSC::AssemblyHelpers::callExceptionFuzz): - (JSC::AssemblyHelpers::emitJumpIfException): - 
(JSC::AssemblyHelpers::emitExceptionCheck): - (JSC::AssemblyHelpers::emitNonPatchableExceptionCheck): - (JSC::AssemblyHelpers::emitLoadStructure): - (JSC::AssemblyHelpers::emitRandomThunk): - (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): - (JSC::AssemblyHelpers::emitConvertValueToBoolean): - (JSC::AssemblyHelpers::debugCall): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::AssemblyHelpers): - (JSC::AssemblyHelpers::codeBlock): - (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): - (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer): - (JSC::AssemblyHelpers::barrierBranch): - (JSC::AssemblyHelpers::barrierStoreLoadFence): - (JSC::AssemblyHelpers::mutatorFence): - (JSC::AssemblyHelpers::storeButterfly): - (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly): - (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded): - (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize): - (JSC::AssemblyHelpers::emitAllocateJSObject): - (JSC::AssemblyHelpers::emitAllocateVariableSizedCell): - (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject): - (JSC::AssemblyHelpers::emitAllocateDestructibleObject): - (JSC::AssemblyHelpers::vm): Deleted. - (JSC::AssemblyHelpers::debugCall): Deleted. 
- * jit/CCallHelpers.cpp: - (JSC::CCallHelpers::ensureShadowChickenPacket): - * jit/CCallHelpers.h: - (JSC::CCallHelpers::CCallHelpers): - (JSC::CCallHelpers::jumpToExceptionHandler): - * jit/JIT.cpp: - (JSC::JIT::emitEnterOptimizationCheck): - (JSC::JIT::privateCompileExceptionHandlers): - * jit/JIT.h: - (JSC::JIT::exceptionCheck): - (JSC::JIT::exceptionCheckWithCallFrameRollback): - * jit/JITMathIC.h: - (JSC::JITMathIC::generateOutOfLine): - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_instanceof): - (JSC::JIT::emit_op_is_undefined): - (JSC::JIT::emit_op_jfalse): - (JSC::JIT::emit_op_jeq_null): - (JSC::JIT::emit_op_jneq_null): - (JSC::JIT::emit_op_jtrue): - (JSC::JIT::emit_op_throw): - (JSC::JIT::emit_op_catch): - (JSC::JIT::emit_op_eq_null): - (JSC::JIT::emit_op_neq_null): - (JSC::JIT::emitSlow_op_loop_hint): - (JSC::JIT::emit_op_log_shadow_chicken_prologue): - (JSC::JIT::emit_op_log_shadow_chicken_tail): - * jit/JITOpcodes32_64.cpp: - (JSC::JIT::privateCompileCTINativeCall): - (JSC::JIT::emit_op_new_object): - (JSC::JIT::emit_op_jfalse): - (JSC::JIT::emit_op_jtrue): - (JSC::JIT::emit_op_throw): - (JSC::JIT::emit_op_catch): - (JSC::JIT::emit_op_create_this): - (JSC::JIT::emit_op_log_shadow_chicken_prologue): - (JSC::JIT::emit_op_log_shadow_chicken_tail): - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitWriteBarrier): - * jit/JSInterfaceJIT.h: - (JSC::JSInterfaceJIT::JSInterfaceJIT): - (JSC::JSInterfaceJIT::vm): - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - (JSC::tryCachePutByID): - (JSC::linkPolymorphicCall): - (JSC::resetGetByID): - (JSC::resetPutByID): - * jit/SetupVarargsFrame.cpp: - (JSC::emitSetupVarargsFrameFastCase): - * jit/SetupVarargsFrame.h: - * jit/SpecializedThunkJIT.h: - (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass): - * jit/ThunkGenerators.cpp: - (JSC::throwExceptionFromCallSlowPathGenerator): - (JSC::linkCallThunkGenerator): - (JSC::linkPolymorphicCallThunkGenerator): - (JSC::virtualThunkFor): - (JSC::nativeForGenerator): - 
(JSC::randomThunkGenerator): - (JSC::boundThisNoArgsFunctionCallGenerator): - (JSC::throwExceptionFromWasmThunkGenerator): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::parseAndCompile): - * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - (JSC::Wasm::wasmToWasm): - -2017-03-28 Keith Miller - - WebAssembly: We should have Origins - https://bugs.webkit.org/show_bug.cgi?id=170217 - - Reviewed by Mark Lam. - - This patch adds wasm origins for B3::Values, called OpcodeOrigin. Currently, - OpcodeOrigin just tracks the original opcode and the location of that opcode. - - Here's a sample: - - BB#0: ; frequency = 1.000000 - Int64 @4 = Patchpoint(generator = 0x10f487fa8, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister) - Int64 @5 = FramePointer() - Void @8 = Store(@4, @5, offset = 24, ControlDependent|Writes:Top) - Int64 @10 = Const64(0) - Void @12 = Store($0(@10), @5, offset = 16, ControlDependent|Writes:Top) - Int64 @13 = Patchpoint(generator = 0x10f4be7f0, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister, ExitsSideways|ControlDependent|WritesPinned|ReadsPinned|Fence|Writes:Top|Reads:Top) - Int64 @16 = ArgumentReg(%rdi) - Int64 @18 = ArgumentReg(%rsi) - Int32 @22 = Trunc(@18, Wasm: {opcode: I64Rotl, location: 5}) - Int64 @23 = RotL(@16, @22, Wasm: {opcode: I64Rotl, location: 5}) - Void @27 = Return(@23, Terminal, Wasm: {opcode: End, location: 6}) - - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3Value.cpp: - (JSC::B3::Value::deepDump): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::setParser): - (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): - (JSC::Wasm::B3IRGenerator::emitLoadOp): - (JSC::Wasm::B3IRGenerator::emitStoreOp): - (JSC::Wasm::B3IRGenerator::addConstant): - (JSC::Wasm::B3IRGenerator::addLoop): - (JSC::Wasm::B3IRGenerator::unify): - (JSC::Wasm::parseAndCompile): - 
(JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv): - (JSC::Wasm::getMemoryBaseAndSize): Deleted. - * wasm/WasmFunctionParser.h: - (JSC::Wasm::FunctionParser::currentOpcode): - (JSC::Wasm::FunctionParser::currentOpcodeStartingOffset): - (JSC::Wasm::FunctionParser::FunctionParser): - * wasm/WasmOpcodeOrigin.cpp: Added. - (JSC::Wasm::OpcodeOrigin::dump): - * wasm/WasmOpcodeOrigin.h: Added. - (JSC::Wasm::OpcodeOrigin::OpcodeOrigin): - * wasm/WasmValidate.cpp: - (JSC::Wasm::Validate::setParser): - * wasm/generateWasmB3IRGeneratorInlinesHeader.py: - (CodeGenerator.generate): - (generateB3OpCode): - (generateConstCode): - -2017-03-28 JF Bastien - - WebAssembly: option to crash if no fast memory is available - https://bugs.webkit.org/show_bug.cgi?id=170219 - - Reviewed by Mark Lam. - - * runtime/Options.h: - * wasm/WasmMemory.cpp: - (JSC::Wasm::webAssemblyCouldntGetFastMemory): - (JSC::Wasm::tryGetFastMemory): - -2017-03-28 Mark Lam - - The Mutator should not be able to steal the conn if the Collector hasn't reached the NotRunning phase yet. - https://bugs.webkit.org/show_bug.cgi?id=170213 - - - Reviewed by Filip Pizlo. - - The current condition for stealing the conn isn't tight enough. Restricting the - stealing to when m_currentPhase == NotRunning ensures that the Collector is - really done running. - - No test because this issue only manifests with a race condition that is difficult - to reproduce on demand. - - * heap/Heap.cpp: - (JSC::Heap::requestCollection): - -2017-03-28 Keith Miller - - WebAssembly: Make WebAssembly.instantiate/compile truly asynchronous - https://bugs.webkit.org/show_bug.cgi?id=169187 - - Reviewed by Saam Barati. - - This patch allows WebAssembly compilations to happen asynchronously. - To do so, it refactors how much of the compilation happens and adds - new infrastructure for async promises. - - First, there is a new class, PromiseDeferredTimer that lives on - the VM. 
PromiseDeferredTimer will manage the life-cycle of async - pending promises and any dependencies that promise - needs. PromiseDeferredTimer automagically releases the pending - promise and dependencies once the JSPromiseDeferred is resolved or - rejected. Additionally, PromiseDeferredTimer provides a mechanism - to poll the run-loop whenever the async task needs to synchronize - with the JS thread. Normally, that will be whenever the async task - finishes. In the case of Web Assembly we also use this feature for - the compile + instantiate case, where we might have more work - after the first async task completes (more on that later). - - The next class is Wasm::Worklist, which is used to manage Wasm - compilation tasks. The worklist class works similarly to the - DFG/FTL Worklists. It has a pool of threads that it manages. One - interesting aspect of Wasm Worklist is that it can synchronously - compile a plan that is already potentially running - asynchronously. This can occur if a user calls - WebAssembly.instantiate() then new WebAssembly.instantiate() on - the same module. In that case the Wasm Worklist will bump the - priority of the running pending Plan and block the JS thread. - - This patch also makes some of the Wasm Plan code cleaner. Since we - now defer all compilation to instantiation time, we no longer need - to guess at which memory we are going to get. Also, Wasm Plans now - track the work they have done with a state enum. - - Finally, this patch makes renamed HeapTimer to JSRunLoopTimer. It - also adds changes test262AsyncTest to a more generic testing - infrastructure. Now, in addition to the old functionality, you can - call asyncTest() with the number of tests you expect. When the jsc - CLI exits, it will guarantee that asyncTestPassed() is called that - many times. 
- - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/GCActivityCallback.h: - * heap/IncrementalSweeper.cpp: - (JSC::IncrementalSweeper::scheduleTimer): - (JSC::IncrementalSweeper::IncrementalSweeper): - * heap/IncrementalSweeper.h: - * heap/StopIfNecessaryTimer.cpp: - (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer): - * heap/StopIfNecessaryTimer.h: - * heap/StrongInlines.h: - * jsc.cpp: - (GlobalObject::finishCreation): - (printInternal): - (functionAsyncTestStart): - (functionAsyncTestPassed): - (functionTestWasmModuleFunctions): - (CommandLine::parseArguments): - (runJSC): - * runtime/JSPromiseDeferred.cpp: - (JSC::JSPromiseDeferred::resolve): - (JSC::JSPromiseDeferred::reject): - * runtime/JSPromiseDeferred.h: - (JSC::JSPromiseDeferred::promiseAsyncPending): - * runtime/JSRunLoopTimer.cpp: Renamed from Source/JavaScriptCore/heap/HeapTimer.cpp. - (JSC::JSRunLoopTimer::JSRunLoopTimer): - (JSC::JSRunLoopTimer::setRunLoop): - (JSC::JSRunLoopTimer::~JSRunLoopTimer): - (JSC::JSRunLoopTimer::timerDidFire): - (JSC::JSRunLoopTimer::scheduleTimer): - (JSC::JSRunLoopTimer::cancelTimer): - (JSC::JSRunLoopTimer::invalidate): - * runtime/JSRunLoopTimer.h: Copied from Source/JavaScriptCore/heap/HeapTimer.h. - * runtime/Options.h: - * runtime/PromiseDeferredTimer.cpp: Added. - (JSC::PromiseDeferredTimer::PromiseDeferredTimer): - (JSC::PromiseDeferredTimer::doWork): - (JSC::PromiseDeferredTimer::runRunLoop): - (JSC::PromiseDeferredTimer::addPendingPromise): - (JSC::PromiseDeferredTimer::cancelPendingPromise): - (JSC::PromiseDeferredTimer::scheduleWorkSoon): - (JSC::PromiseDeferredTimer::scheduleBlockedTask): - * runtime/PromiseDeferredTimer.h: Renamed from Source/JavaScriptCore/heap/HeapTimer.h. 
- (JSC::PromiseDeferredTimer::stopRunningTasks): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::VM::~VM): - * runtime/VM.h: - * wasm/JSWebAssembly.cpp: - (JSC::reject): - (JSC::webAssemblyCompileFunc): - (JSC::resolve): - (JSC::instantiate): - (JSC::compileAndInstantiate): - (JSC::webAssemblyInstantiateFunc): - (JSC::webAssemblyValidateFunc): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): - (JSC::Wasm::B3IRGenerator::memoryKind): - (JSC::Wasm::parseAndCompile): - * wasm/WasmB3IRGenerator.h: - * wasm/WasmFormat.h: - (JSC::Wasm::ModuleInformation::internalFunctionCount): - * wasm/WasmFunctionParser.h: - * wasm/WasmMemory.h: - * wasm/WasmMemoryInformation.cpp: - (JSC::Wasm::MemoryInformation::MemoryInformation): - * wasm/WasmMemoryInformation.h: - (JSC::Wasm::MemoryInformation::maximum): - (JSC::Wasm::MemoryInformation::hasReservedMemory): Deleted. - (JSC::Wasm::MemoryInformation::takeReservedMemory): Deleted. - (JSC::Wasm::MemoryInformation::mode): Deleted. - * wasm/WasmModuleParser.cpp: - * wasm/WasmModuleParser.h: - (JSC::Wasm::ModuleParser::ModuleParser): - * wasm/WasmPlan.cpp: - (JSC::Wasm::Plan::Plan): - (JSC::Wasm::Plan::stateString): - (JSC::Wasm::Plan::moveToState): - (JSC::Wasm::Plan::fail): - (JSC::Wasm::Plan::parseAndValidateModule): - (JSC::Wasm::Plan::prepare): - (JSC::Wasm::Plan::ThreadCountHolder::ThreadCountHolder): - (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder): - (JSC::Wasm::Plan::compileFunctions): - (JSC::Wasm::Plan::complete): - (JSC::Wasm::Plan::waitForCompletion): - (JSC::Wasm::Plan::cancel): - (JSC::Wasm::Plan::run): Deleted. - (JSC::Wasm::Plan::initializeCallees): Deleted. 
- * wasm/WasmPlan.h: - (JSC::Wasm::Plan::dontFinalize): - (JSC::Wasm::Plan::exports): - (JSC::Wasm::Plan::internalFunctionCount): - (JSC::Wasm::Plan::takeModuleInformation): - (JSC::Wasm::Plan::takeCallLinkInfos): - (JSC::Wasm::Plan::takeWasmExitStubs): - (JSC::Wasm::Plan::setModeAndPromise): - (JSC::Wasm::Plan::mode): - (JSC::Wasm::Plan::pendingPromise): - (JSC::Wasm::Plan::vm): - (JSC::Wasm::Plan::errorMessage): - (JSC::Wasm::Plan::failed): - (JSC::Wasm::Plan::hasWork): - (JSC::Wasm::Plan::hasBeenPrepared): - * wasm/WasmPlanInlines.h: Copied from Source/JavaScriptCore/wasm/WasmB3IRGenerator.h. - (JSC::Wasm::Plan::initializeCallees): - * wasm/WasmValidate.cpp: - * wasm/WasmWorklist.cpp: Added. - (JSC::Wasm::Worklist::priorityString): - (JSC::Wasm::Worklist::QueueElement::setToNextPriority): - (JSC::Wasm::Worklist::iterate): - (JSC::Wasm::Worklist::enqueue): - (JSC::Wasm::Worklist::completePlanSynchronously): - (JSC::Wasm::Worklist::stopAllPlansForVM): - (JSC::Wasm::Worklist::Worklist): - (JSC::Wasm::Worklist::~Worklist): - (JSC::Wasm::existingWorklistOrNull): - (JSC::Wasm::ensureWorklist): - * wasm/WasmWorklist.h: Added. 
- (JSC::Wasm::Worklist::nextTicket): - (JSC::Wasm::Worklist::Comparator::operator()): - * wasm/js/JSWebAssemblyCallee.h: - * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): - (JSC::JSWebAssemblyCodeBlock::initialize): - (JSC::JSWebAssemblyCodeBlock::isSafeToRun): - * wasm/js/JSWebAssemblyCodeBlock.h: - (JSC::JSWebAssemblyCodeBlock::create): - (JSC::JSWebAssemblyCodeBlock::initialized): - (JSC::JSWebAssemblyCodeBlock::plan): - (JSC::JSWebAssemblyCodeBlock::runnable): - (JSC::JSWebAssemblyCodeBlock::errorMessage): - (JSC::JSWebAssemblyCodeBlock::callees): - * wasm/js/JSWebAssemblyHelpers.h: - (JSC::createSourceBufferFromValue): - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finishCreation): - (JSC::JSWebAssemblyInstance::visitChildren): - (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock): - (JSC::JSWebAssemblyInstance::finalizeCreation): - (JSC::JSWebAssemblyInstance::create): - (JSC::JSWebAssemblyInstance::setMemory): Deleted. - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::codeBlock): - (JSC::JSWebAssemblyInstance::initialized): - (JSC::JSWebAssemblyInstance::module): - (JSC::JSWebAssemblyInstance::importFunction): - (JSC::JSWebAssemblyInstance::setMemory): - (JSC::JSWebAssemblyInstance::table): - (JSC::JSWebAssemblyInstance::importFunctions): - (JSC::JSWebAssemblyInstance::setImportFunction): Deleted. - (JSC::JSWebAssemblyInstance::setTable): Deleted. - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::createStub): - (JSC::JSWebAssemblyModule::JSWebAssemblyModule): - (JSC::JSWebAssemblyModule::finishCreation): - (JSC::JSWebAssemblyModule::setCodeBlock): - (JSC::JSWebAssemblyModule::buildCodeBlock): Deleted. - (JSC::JSWebAssemblyModule::create): Deleted. - (JSC::JSWebAssemblyModule::codeBlock): Deleted. 
- * wasm/js/JSWebAssemblyModule.h: - (JSC::JSWebAssemblyModule::moduleInformation): - (JSC::JSWebAssemblyModule::codeBlock): - (JSC::JSWebAssemblyModule::source): - (JSC::JSWebAssemblyModule::takeReservedMemory): Deleted. - (JSC::JSWebAssemblyModule::codeBlockFor): Deleted. - * wasm/js/WebAssemblyInstanceConstructor.cpp: - (JSC::constructJSWebAssemblyInstance): - (JSC::WebAssemblyInstanceConstructor::createInstance): Deleted. - * wasm/js/WebAssemblyModuleConstructor.cpp: - (JSC::WebAssemblyModuleConstructor::createModule): - * wasm/js/WebAssemblyModulePrototype.cpp: - (JSC::webAssemblyModuleProtoImports): - (JSC::webAssemblyModuleProtoExports): - * wasm/js/WebAssemblyModuleRecord.cpp: - (JSC::WebAssemblyModuleRecord::finishCreation): - (JSC::WebAssemblyModuleRecord::link): - (JSC::WebAssemblyModuleRecord::evaluate): - * wasm/js/WebAssemblyModuleRecord.h: - -2017-03-28 Yusuke Suzuki - - WebAssembly: add fallback to use pinned register to load/store state - https://bugs.webkit.org/show_bug.cgi?id=169773 - - Reviewed by Saam Barati. - - This patch adds a new pinned register to hold JSWebAssemblyInstance, - which is used to represent the context of running Wasm code. - While we use fast TLS to hold the context in macOS, we do not have - any system reserved fast TLS slot in the other systems. This pinned - register approach is used in these systems. These changes decouple - VM from Wasm module to make Wasm module position independent code. - - While using fast TLS could be beneficial in x64 systems which number of - registers is relatively small, pinned register approach could be - beneficial in ARM64 which has plenty of registers. In macOS, we can - switch the implementation with the runtime flag. Thus macOS port can - compare the performance and decide which implementation is used after - landing this patch. 
- - * heap/MarkedBlock.h: - (JSC::MarkedBlock::offsetOfVM): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::loadWasmContext): - (JSC::AssemblyHelpers::storeWasmContext): - (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): - (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::loadWasmContext): Deleted. - (JSC::AssemblyHelpers::storeWasmContext): Deleted. - (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): Deleted. - (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): Deleted. - * jit/Repatch.cpp: - (JSC::webAssemblyOwner): - (JSC::linkFor): - (JSC::linkPolymorphicCall): - (JSC::isWebAssemblyToJSCallee): Deleted. - * jit/ThunkGenerators.cpp: - (JSC::throwExceptionFromWasmThunkGenerator): - * llint/LLIntData.cpp: - (JSC::LLInt::Data::performAssertions): - * llint/LowLevelInterpreter.asm: - * runtime/JSCell.cpp: - (JSC::JSCell::isAnyWasmCallee): - * runtime/JSCellInlines.h: - (JSC::isWebAssemblyToJSCallee): - * runtime/JSType.h: - * runtime/StackFrame.cpp: - (JSC::StackFrame::functionName): - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - (JSC::VM::wasmContextOffset): - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::materializeWasmContext): - (JSC::Wasm::B3IRGenerator::restoreWasmContext): - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::getMemoryBaseAndSize): - (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): - (JSC::Wasm::createJSToWasmWrapper): - (JSC::Wasm::loadWasmContext): Deleted. - (JSC::Wasm::storeWasmContext): Deleted. - (JSC::Wasm::restoreWebAssemblyGlobalState): Deleted. 
- * wasm/WasmBinding.cpp: - (JSC::Wasm::wasmToJs): - * wasm/WasmContext.cpp: - (JSC::loadWasmContext): - (JSC::storeWasmContext): - * wasm/WasmContext.h: - * wasm/WasmMemoryInformation.cpp: - (JSC::Wasm::getPinnedRegisters): - (JSC::Wasm::PinnedRegisterInfo::get): - (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo): - * wasm/WasmMemoryInformation.h: - (JSC::Wasm::PinnedRegisterInfo::toSave): - (JSC::Wasm::useFastTLS): - (JSC::Wasm::useFastTLSForWasmContext): - * wasm/js/JSWebAssemblyInstance.cpp: - (JSC::JSWebAssemblyInstance::finishCreation): - (JSC::JSWebAssemblyInstance::visitChildren): - * wasm/js/JSWebAssemblyInstance.h: - (JSC::JSWebAssemblyInstance::offsetOfCallee): - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::finishCreation): - (JSC::JSWebAssemblyModule::visitChildren): - * wasm/js/JSWebAssemblyModule.h: - (JSC::JSWebAssemblyModule::callee): - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - (JSC::WebAssemblyFunction::create): - * wasm/js/WebAssemblyToJSCallee.cpp: - (JSC::WebAssemblyToJSCallee::create): - (JSC::WebAssemblyToJSCallee::createStructure): - (JSC::WebAssemblyToJSCallee::finishCreation): - (JSC::WebAssemblyToJSCallee::visitChildren): - (JSC::WebAssemblyToJSCallee::destroy): Deleted. - * wasm/js/WebAssemblyToJSCallee.h: - -2017-03-28 Brian Burg - - Web Inspector: Add "Disable Caches" option that only applies to the inspected page while Web Inspector is open - https://bugs.webkit.org/show_bug.cgi?id=169865 - + Web Inspector: throw an error if console.count/console.countReset is called with an object that throws an error from toString + https://bugs.webkit.org/show_bug.cgi?id=199252 Reviewed by Joseph Pecoraro. - * inspector/protocol/Network.json: - Rename the command for disabling resource caching to match the WebCore::Page - flag. This also removes the possibility that this could be confused for the old, - buggy command that this patch rips out. 
+ Parse the arguments passed to `console.count` and `console.countReset` before sending it to + the `ConsoleClient` so that an error can be thrown if the first argument doesn't `toString` + nicely (e.g. without throwing an error). -2017-03-25 Yusuke Suzuki + Generate call stacks for `console.countReset` to match other `console` methods. Also do this + for `console.time`, `console.timeLog`, and `console.timeEnd`. Limit the call stack to only + have the top frame, so no unnecessary/extra data is sent to the frontend (right now, only + the call location is displayed). - [JSC] Move platformThreadSignal to WTF - https://bugs.webkit.org/show_bug.cgi?id=170097 + Rename `title` to `label` for `console.time`, `console.timeLog`, and `console.timeEnd` to + better match the spec. + + * runtime/ConsoleClient.h: + * runtime/ConsoleObject.cpp: + (JSC::valueOrDefaultLabelString): + (JSC::consoleProtoFuncCount): + (JSC::consoleProtoFuncCountReset): + (JSC::consoleProtoFuncTime): + (JSC::consoleProtoFuncTimeLog): + (JSC::consoleProtoFuncTimeEnd): + + * inspector/JSGlobalObjectConsoleClient.h: + * inspector/JSGlobalObjectConsoleClient.cpp: + (Inspector::JSGlobalObjectConsoleClient::count): + (Inspector::JSGlobalObjectConsoleClient::countReset): + (Inspector::JSGlobalObjectConsoleClient::time): + (Inspector::JSGlobalObjectConsoleClient::timeLog): + (Inspector::JSGlobalObjectConsoleClient::timeEnd): + + * inspector/agents/InspectorConsoleAgent.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::startTiming): + (Inspector::InspectorConsoleAgent::logTiming): + (Inspector::InspectorConsoleAgent::stopTiming): + (Inspector::InspectorConsoleAgent::count): + (Inspector::InspectorConsoleAgent::countReset): + (Inspector::InspectorConsoleAgent::getCounterLabel): Deleted. 
+ + * inspector/ConsoleMessage.h: + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + Allow `ConsoleMessage`s to be created with both `ScriptArguments` and a `ScriptCallStack`. + +2019-06-27 Fujii Hironori + + [CMake] Bump cmake_minimum_required version to 3.10 + https://bugs.webkit.org/show_bug.cgi?id=199181 + + Reviewed by Don Olmstead. + + * CMakeLists.txt: + +2019-06-26 Basuke Suzuki + + [RemoteInspector] Add address argument to listen for RemoteInspectorServer Socket implementation. + https://bugs.webkit.org/show_bug.cgi?id=199035 + + Reviewed by Ross Kirsling. + + Added new argument `address` to start listening. + + * inspector/remote/socket/RemoteInspectorServer.cpp: + (Inspector::RemoteInspectorServer::start): + * inspector/remote/socket/RemoteInspectorServer.h: + * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: + (Inspector::Socket::listen): + * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: + (Inspector::Socket::listen): + +2019-06-26 Keith Miller + + speciesConstruct needs to throw if the result is a DataView + https://bugs.webkit.org/show_bug.cgi?id=199231 Reviewed by Mark Lam. - It is a small clean up towards https://bugs.webkit.org/show_bug.cgi?id=170027. - platformThreadSignal uses PlatformThread in JSC, but it can be implemented in - WTF ThreadIdentifier. + Previously, we only checked that the result was a + JSArrayBufferView, which can include DataViews. This is incorrect + as the result should be only be a TypedArray. - * runtime/JSLock.cpp: - (JSC::JSLock::lock): - * runtime/JSLock.h: - (JSC::JSLock::ownerThread): - (JSC::JSLock::currentThreadIsHoldingLock): - * runtime/PlatformThread.h: - (JSC::platformThreadSignal): Deleted. 
- * runtime/VM.h: - (JSC::VM::ownerThread): - * runtime/VMTraps.cpp: - (JSC::VMTraps::SignalSender::send): + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + (JSC::speciesConstruct): -2017-03-28 JF Bastien +2019-06-26 Joseph Pecoraro - WebAssembly: implement Module imports/exports - https://bugs.webkit.org/show_bug.cgi?id=166982 + Web Inspector: Implement console.countReset + https://bugs.webkit.org/show_bug.cgi?id=199200 + + Reviewed by Devin Rousso. + + * inspector/JSGlobalObjectConsoleClient.cpp: + (Inspector::JSGlobalObjectConsoleClient::countReset): + * inspector/JSGlobalObjectConsoleClient.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::getCounterLabel): + (Inspector::InspectorConsoleAgent::count): + (Inspector::InspectorConsoleAgent::countReset): + * inspector/agents/InspectorConsoleAgent.h: + * runtime/ConsoleClient.h: + * runtime/ConsoleObject.cpp: + (JSC::ConsoleObject::finishCreation): + (JSC::consoleProtoFuncCountReset): + +2019-06-26 Keith Miller + + remove unneeded didBecomePrototype() calls + https://bugs.webkit.org/show_bug.cgi?id=199221 Reviewed by Saam Barati. - As defined in: https://github.com/WebAssembly/design/commit/18cbacb90cd3584dd5c9aa3d392e4e55f66af6ab + Since we now set didBecomePrototype in Structure::create we don't + need to set it expliticly in most of our finishCreation + methods. The only exception to this is object prototype, which we + set as the prototype of function prototype late (via + setPrototypeWithoutTransition). 
- * wasm/WasmFormat.h: - (JSC::Wasm::makeString): use uppercase instead, it was only used - for diagnostic but is now used for the expected JS property's - capitalization - * wasm/js/WebAssemblyModulePrototype.cpp: - (JSC::webAssemblyModuleProtoImports): - (JSC::webAssemblyModuleProtoExports): + * inspector/JSInjectedScriptHostPrototype.cpp: + (Inspector::JSInjectedScriptHostPrototype::finishCreation): + * inspector/JSJavaScriptCallFramePrototype.cpp: + (Inspector::JSJavaScriptCallFramePrototype::finishCreation): + * runtime/ArrayIteratorPrototype.cpp: + (JSC::ArrayIteratorPrototype::finishCreation): + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + * runtime/AsyncFromSyncIteratorPrototype.cpp: + (JSC::AsyncFromSyncIteratorPrototype::finishCreation): + * runtime/AsyncFunctionPrototype.cpp: + (JSC::AsyncFunctionPrototype::finishCreation): + * runtime/AsyncGeneratorFunctionPrototype.cpp: + (JSC::AsyncGeneratorFunctionPrototype::finishCreation): + * runtime/AsyncGeneratorPrototype.cpp: + (JSC::AsyncGeneratorPrototype::finishCreation): + * runtime/AsyncIteratorPrototype.cpp: + (JSC::AsyncIteratorPrototype::finishCreation): + * runtime/GeneratorFunctionPrototype.cpp: + (JSC::GeneratorFunctionPrototype::finishCreation): + * runtime/GeneratorPrototype.cpp: + (JSC::GeneratorPrototype::finishCreation): + * runtime/IteratorPrototype.cpp: + (JSC::IteratorPrototype::finishCreation): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/MapIteratorPrototype.cpp: + (JSC::MapIteratorPrototype::finishCreation): + * runtime/MapPrototype.cpp: + (JSC::MapPrototype::finishCreation): + * runtime/ObjectPrototype.cpp: + (JSC::ObjectPrototype::finishCreation): + * runtime/RegExpStringIteratorPrototype.cpp: + (JSC::RegExpStringIteratorPrototype::finishCreation): + * runtime/SetIteratorPrototype.cpp: + (JSC::SetIteratorPrototype::finishCreation): + * runtime/SetPrototype.cpp: + (JSC::SetPrototype::finishCreation): + * 
runtime/StringIteratorPrototype.cpp: + (JSC::StringIteratorPrototype::finishCreation): + * runtime/WeakMapPrototype.cpp: + (JSC::WeakMapPrototype::finishCreation): + * runtime/WeakObjectRefPrototype.cpp: + (JSC::WeakObjectRefPrototype::finishCreation): + * runtime/WeakSetPrototype.cpp: + (JSC::WeakSetPrototype::finishCreation): -2017-03-27 JF Bastien +2019-06-25 Keith Miller - WebAssembly: JSWebAssemblyCodeBlock.h belongs in JavaScriptCore/wasm/js not JavaScriptCore/wasm - https://bugs.webkit.org/show_bug.cgi?id=170160 - - Reviewed by Mark Lam. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * wasm/js/JSWebAssemblyCodeBlock.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssemblyCodeBlock.h. - -2017-03-27 JF Bastien - - WebAssembly: misc memory testing - https://bugs.webkit.org/show_bug.cgi?id=170137 - - Reviewed by Keith Miller. - - * wasm/js/WebAssemblyInstanceConstructor.cpp: - (JSC::WebAssemblyInstanceConstructor::createInstance): improve error messages - -2017-03-27 Michael Saboff - - Add ARM64 system instructions to disassembler - https://bugs.webkit.org/show_bug.cgi?id=170084 - - Reviewed by Saam Barati. - - This changes adds support for MRS and MSR instructions, and refactors the DMB - disassembly to handle all of the barrier instructions. - - * disassembler/ARM64/A64DOpcode.cpp: - (JSC::ARM64Disassembler::A64DOpcodeMSRImmediate::format): - (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::format): - (JSC::ARM64Disassembler::A64DOpcodeSystemSync::format): - (JSC::ARM64Disassembler::A64DOpcodeDmb::format): Deleted. 
- * disassembler/ARM64/A64DOpcode.h: - (JSC::ARM64Disassembler::A64DOpcodeSystem::lBit): - (JSC::ARM64Disassembler::A64DOpcodeSystem::op0): - (JSC::ARM64Disassembler::A64DOpcodeSystem::op1): - (JSC::ARM64Disassembler::A64DOpcodeSystem::crN): - (JSC::ARM64Disassembler::A64DOpcodeSystem::crM): - (JSC::ARM64Disassembler::A64DOpcodeSystem::op2): - (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::opName): - (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::systemRegister): - (JSC::ARM64Disassembler::A64DOpcodeSystemSync::opName): - (JSC::ARM64Disassembler::A64DOpcodeSystemSync::option): - (JSC::ARM64Disassembler::A64DOpcodeDmb::opName): Deleted. - (JSC::ARM64Disassembler::A64DOpcodeDmb::option): Deleted. - (JSC::ARM64Disassembler::A64DOpcodeDmb::crM): Deleted. - -2017-03-26 Filip Pizlo - - B3::fixSSA should do liveness pruning - https://bugs.webkit.org/show_bug.cgi?id=170111 - - Reviewed by Saam Barati. - - This moves all of the logic of Air::Liveness<> to WTF::Liveness<> and then uses that to - create B3::VariableLiveness. Then this uses VariableLiveness::LiveAtHead to prune Phi - construction. - - This makes B3::fixSSA run twice as fast. This is a 13% progression on WasmBench compile - times. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3BasicBlock.h: - (JSC::B3::BasicBlock::get): - * b3/B3FixSSA.cpp: - (JSC::B3::fixSSA): - * b3/B3VariableLiveness.cpp: Added. - (JSC::B3::VariableLiveness::VariableLiveness): - (JSC::B3::VariableLiveness::~VariableLiveness): - * b3/B3VariableLiveness.h: Added. 
- (JSC::B3::VariableLivenessAdapter::VariableLivenessAdapter): - (JSC::B3::VariableLivenessAdapter::numIndices): - (JSC::B3::VariableLivenessAdapter::valueToIndex): - (JSC::B3::VariableLivenessAdapter::indexToValue): - (JSC::B3::VariableLivenessAdapter::blockSize): - (JSC::B3::VariableLivenessAdapter::forEachEarlyUse): - (JSC::B3::VariableLivenessAdapter::forEachLateUse): - (JSC::B3::VariableLivenessAdapter::forEachEarlyDef): - (JSC::B3::VariableLivenessAdapter::forEachLateDef): - * b3/air/AirCFG.h: Added. - (JSC::B3::Air::CFG::CFG): - (JSC::B3::Air::CFG::root): - (JSC::B3::Air::CFG::newMap): - (JSC::B3::Air::CFG::successors): - (JSC::B3::Air::CFG::predecessors): - (JSC::B3::Air::CFG::index): - (JSC::B3::Air::CFG::node): - (JSC::B3::Air::CFG::numNodes): - (JSC::B3::Air::CFG::dump): - * b3/air/AirCode.cpp: - (JSC::B3::Air::Code::Code): - * b3/air/AirCode.h: - (JSC::B3::Air::Code::cfg): - * b3/air/AirLiveness.h: - (JSC::B3::Air::LivenessAdapter::LivenessAdapter): - (JSC::B3::Air::LivenessAdapter::blockSize): - (JSC::B3::Air::LivenessAdapter::forEachEarlyUse): - (JSC::B3::Air::LivenessAdapter::forEachLateUse): - (JSC::B3::Air::LivenessAdapter::forEachEarlyDef): - (JSC::B3::Air::LivenessAdapter::forEachLateDef): - (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): - (JSC::B3::Air::TmpLivenessAdapter::numIndices): - (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): - (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): - (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): - (JSC::B3::Air::Liveness::Liveness): - (JSC::B3::Air::Liveness::LocalCalc::LocalCalc): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*): Deleted. 
- (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::end): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::Iterable::contains): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::live): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::isLive): Deleted. - (JSC::B3::Air::Liveness::LocalCalc::execute): Deleted. - (JSC::B3::Air::Liveness::rawLiveAtHead): Deleted. - (JSC::B3::Air::Liveness::Iterable::Iterable): Deleted. - (JSC::B3::Air::Liveness::Iterable::iterator::iterator): Deleted. - (JSC::B3::Air::Liveness::Iterable::iterator::operator*): Deleted. - (JSC::B3::Air::Liveness::Iterable::iterator::operator++): Deleted. - (JSC::B3::Air::Liveness::Iterable::iterator::operator==): Deleted. - (JSC::B3::Air::Liveness::Iterable::iterator::operator!=): Deleted. - (JSC::B3::Air::Liveness::Iterable::begin): Deleted. - (JSC::B3::Air::Liveness::Iterable::end): Deleted. - (JSC::B3::Air::Liveness::Iterable::contains): Deleted. - (JSC::B3::Air::Liveness::liveAtHead): Deleted. - (JSC::B3::Air::Liveness::liveAtTail): Deleted. - (JSC::B3::Air::Liveness::workset): Deleted. - -2017-03-25 Filip Pizlo - - Air::Liveness shouldn't need HashSets - https://bugs.webkit.org/show_bug.cgi?id=170102 - - Reviewed by Yusuke Suzuki. - - This converts Air::Liveness<> to no longer use HashSets or BitVectors. This turns out to be - easy because it's cheap enough to do a sorted merge of the things being added to liveAtHead and - the things in the predecessors' liveAtTail. This turns out to be faster - it's a 2% overall - compile time progression on WasmBench. - - * b3/B3LowerToAir.cpp: - (JSC::B3::Air::LowerToAir::lower): Add a FIXME unrelated to this patch. 
- * b3/air/AirLiveness.h: - (JSC::B3::Air::AbstractLiveness::AbstractLiveness): - (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc): - (JSC::B3::Air::AbstractLiveness::rawLiveAtHead): - (JSC::B3::Air::AbstractLiveness::liveAtHead): - (JSC::B3::Air::AbstractLiveness::liveAtTail): - * b3/air/AirTmp.h: - (JSC::B3::Air::Tmp::bank): - (JSC::B3::Air::Tmp::tmpIndex): - * dfg/DFGStoreBarrierClusteringPhase.cpp: - -2017-03-26 Filip Pizlo - - Air should use RegisterSet for RegLiveness - https://bugs.webkit.org/show_bug.cgi?id=170108 - - Reviewed by Yusuke Suzuki. - - The biggest change here is the introduction of the new RegLiveness class. This is a - drop-in replacement for the old RegLiveness, which was a specialization of - AbstractLiveness<>, but it's about 30% faster. It gets its speed boost from just using - sets everywhere, which is efficient for registers since RegisterSet is just two (on - x86-64) or three 32-bit (on ARM64) statically allocated words. This looks like a 1% - compile time progression on WasmBench. - - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * b3/B3TimingScope.cpp: Records phase timing totals. - (JSC::B3::TimingScope::TimingScope): - (JSC::B3::TimingScope::~TimingScope): - * b3/B3TimingScope.h: - * b3/air/AirAllocateRegistersByGraphColoring.cpp: - (JSC::B3::Air::allocateRegistersByGraphColoring): - * b3/air/AirLiveness.h: Move code around and rename a bit to make it more like RegLiveness; in particular we want the `iterator` to be called `iterator` not `Iterator`, and we want it to be internal to its iterable. Also rename this template to Liveness, to match the header filename. 
- (JSC::B3::Air::Liveness::Liveness): - (JSC::B3::Air::Liveness::LocalCalc::LocalCalc): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin): - (JSC::B3::Air::Liveness::LocalCalc::Iterable::end): - (JSC::B3::Air::Liveness::Iterable::Iterable): - (JSC::B3::Air::Liveness::Iterable::iterator::iterator): - (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter): Deleted. - (JSC::B3::Air::RegLivenessAdapter::numIndices): Deleted. - (JSC::B3::Air::RegLivenessAdapter::acceptsBank): Deleted. - (JSC::B3::Air::RegLivenessAdapter::acceptsRole): Deleted. - (JSC::B3::Air::RegLivenessAdapter::valueToIndex): Deleted. - (JSC::B3::Air::RegLivenessAdapter::indexToValue): Deleted. - (JSC::B3::Air::AbstractLiveness::AbstractLiveness): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::Iterator): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator++): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator*): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator==): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator!=): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::Iterable): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::live): Deleted. 
- (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive): Deleted. - (JSC::B3::Air::AbstractLiveness::LocalCalc::execute): Deleted. - (JSC::B3::Air::AbstractLiveness::rawLiveAtHead): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::Iterable): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::begin): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::end): Deleted. - (JSC::B3::Air::AbstractLiveness::Iterable::contains): Deleted. - (JSC::B3::Air::AbstractLiveness::liveAtHead): Deleted. - (JSC::B3::Air::AbstractLiveness::liveAtTail): Deleted. - (JSC::B3::Air::AbstractLiveness::workset): Deleted. - * b3/air/AirLogRegisterPressure.cpp: - * b3/air/AirLowerAfterRegAlloc.cpp: - * b3/air/AirRegLiveness.cpp: Added. - (JSC::B3::Air::RegLiveness::RegLiveness): - (JSC::B3::Air::RegLiveness::~RegLiveness): - (JSC::B3::Air::RegLiveness::LocalCalc::execute): - * b3/air/AirRegLiveness.h: Added. 
- (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc): - (JSC::B3::Air::RegLiveness::LocalCalc::live): - (JSC::B3::Air::RegLiveness::LocalCalc::isLive): - (JSC::B3::Air::RegLiveness::liveAtHead): - (JSC::B3::Air::RegLiveness::liveAtTail): - * b3/air/AirReportUsedRegisters.cpp: - * jit/RegisterSet.h: - (JSC::RegisterSet::add): - (JSC::RegisterSet::remove): - (JSC::RegisterSet::contains): - (JSC::RegisterSet::subsumes): - (JSC::RegisterSet::iterator::iterator): - (JSC::RegisterSet::iterator::operator*): - (JSC::RegisterSet::iterator::operator++): - (JSC::RegisterSet::iterator::operator==): - (JSC::RegisterSet::iterator::operator!=): - (JSC::RegisterSet::begin): - (JSC::RegisterSet::end): - -2017-03-25 Filip Pizlo - - Fix wasm by returning after we do TLS. - - Rubber stamped by Keith Miller. - - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::storeWasmContext): - -2017-03-24 Mark Lam - - Add some instrumentation in Heap::resumeThePeriphery() to help debug an issue. - https://bugs.webkit.org/show_bug.cgi?id=170086 - - - Reviewed by Saam Barati. - - Adding some instrumentation in Heap::resumeThePeriphery() to dump some Heap state - just before we RELEASE_ASSERT_NOT_REACHED. - - * heap/Heap.cpp: - (JSC::Heap::resumeThePeriphery): - -2017-03-24 JF Bastien - - WebAssembly: store state in TLS instead of on VM - https://bugs.webkit.org/show_bug.cgi?id=169611 + Structure::create should call didBecomePrototype() + https://bugs.webkit.org/show_bug.cgi?id=196315 Reviewed by Filip Pizlo. - Using thread-local storage instead of VM makes code more position - independent. We used to store the WebAssembly top Instance (the - latest one in the call stack) on VM, now we instead store it in - TLS. This top Instance is used to access a bunch of state such as - Memory location, size, table (for call_indirect), etc. + Structure::create should also assert that the indexing type makes sense + for the prototype being used. 
- Instead of calling it "top", which is confusing, we now just call - it WasmContext. + * runtime/JSObject.h: + * runtime/Structure.cpp: + (JSC::Structure::isValidPrototype): + (JSC::Structure::changePrototypeTransition): + * runtime/Structure.h: + (JSC::Structure::create): Deleted. + * runtime/StructureInlines.h: + (JSC::Structure::create): + (JSC::Structure::setPrototypeWithoutTransition): - Making the code PIC means future patches will be able to - postMessage and structured clone into IDB without having to - recompile the code. This wasn't possible before because we - hard-coded the address of VM at compilation time. That doesn't - work between workers, and doesn't work across reloads (which IDB - is intended to do). +2019-06-25 Joseph Pecoraro - It'll also potentially make code faster once we start tuning - what's in TLS, what's in which of the 4 free slots, and what's in - pinned registers. I'm leaving this tuning for later because - there's lower lying fruit for us to pick. + Web Inspector: Implement console.timeLog + https://bugs.webkit.org/show_bug.cgi?id=199184 - * CMakeLists.txt: - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/AbstractMacroAssembler.h: - * assembler/AllowMacroScratchRegisterUsageIf.h: Copied from assembler/AllowMacroScratchRegisterUsage.h. 
- (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf): - (JSC::AllowMacroScratchRegisterUsageIf::~AllowMacroScratchRegisterUsageIf): - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::storeToTLSPtr): we previously didn't have - the code required to store to TLS, only to load - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::loadFromTLSPtrNeedsMacroScratchRegister): - (JSC::MacroAssemblerARM64::storeToTLS32): - (JSC::MacroAssemblerARM64::storeToTLS64): - (JSC::MacroAssemblerARM64::storeToTLSPtrNeedsMacroScratchRegister): - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::loadFromTLSPtrNeedsMacroScratchRegister): - (JSC::MacroAssemblerX86Common::storeToTLS32): - (JSC::MacroAssemblerX86Common::storeToTLSPtrNeedsMacroScratchRegister): - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::loadFromTLS64): was loading 32-bit instead of 64-bit - (JSC::MacroAssemblerX86_64::storeToTLS64): - * assembler/X86Assembler.h: - (JSC::X86Assembler::movl_rm): - (JSC::X86Assembler::movq_rm): - * b3/testb3.cpp: - (JSC::B3::testFastTLSLoad): - (JSC::B3::testFastTLSStore): - (JSC::B3::run): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::loadWasmContext): - (JSC::AssemblyHelpers::storeWasmContext): - (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): - (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): - * jit/Repatch.cpp: - (JSC::webAssemblyOwner): - * jit/ThunkGenerators.cpp: - (JSC::throwExceptionFromWasmThunkGenerator): - * runtime/Options.h: - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::loadWasmContext): - (JSC::Wasm::storeWasmContext): - (JSC::Wasm::B3IRGenerator::B3IRGenerator): - (JSC::Wasm::getMemoryBaseAndSize): - (JSC::Wasm::restoreWebAssemblyGlobalState): - (JSC::Wasm::createJSToWasmWrapper): - (JSC::Wasm::parseAndCompile): - * wasm/WasmBinding.cpp: - (JSC::Wasm::materializeImportJSCell): - 
(JSC::Wasm::wasmToJs): - (JSC::Wasm::wasmToWasm): - * wasm/WasmContext.cpp: Added. - (JSC::loadWasmContext): - (JSC::storeWasmContext): - * wasm/WasmContext.h: Added. Replaces "top" JSWebAssemblyInstance. - * wasm/js/WebAssemblyFunction.cpp: - (JSC::callWebAssemblyFunction): - * wasm/js/WebAssemblyInstanceConstructor.h: + Reviewed by Devin Rousso. -2017-03-24 JF Bastien + * inspector/JSGlobalObjectConsoleClient.cpp: + (Inspector::JSGlobalObjectConsoleClient::timeLog): + * inspector/JSGlobalObjectConsoleClient.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::logTiming): + (Inspector::InspectorConsoleAgent::stopTiming): + * inspector/agents/InspectorConsoleAgent.h: + * runtime/ConsoleClient.h: + * runtime/ConsoleObject.cpp: + (JSC::ConsoleObject::finishCreation): + (JSC::consoleProtoFuncTimeLog): - WebAssembly: spec-tests/memory.wast.js fails in debug - https://bugs.webkit.org/show_bug.cgi?id=169794 +2019-06-25 Michael Catanzaro + + REGRESSION(r245586): static assertion failed: Match result and EncodedMatchResult should be the same size + https://bugs.webkit.org/show_bug.cgi?id=198518 Reviewed by Keith Miller. - The failure was due to empty memories (with maximum size 0). Those - only occur in tests and in code that's trying to trip us. This - patch adds memory mode "none" which represents no memory. It can - work with either bounds checked or signaling code because it never - contains loads and stores. + r245586 made some bad assumptions about the size of size_t, which we can solve using the + CPU(ADDRESS32) guard that I didn't know about. 
- The spec tests which were failing did the following: - > (module (memory (data)) (func (export "memsize") (result i32) (current_memory))) - > (assert_return (invoke "memsize") (i32.const 0)) - > (module (memory (data "")) (func (export "memsize") (result i32) (current_memory))) - > (assert_return (invoke "memsize") (i32.const 0)) - > (module (memory (data "x")) (func (export "memsize") (result i32) (current_memory))) - > (assert_return (invoke "memsize") (i32.const 1)) + This solution was developed by Mark Lam and Keith Miller. I'm just preparing the patch. - * wasm/WasmB3IRGenerator.cpp: - (JSC::Wasm::B3IRGenerator::memoryKind): - * wasm/WasmMemory.cpp: - (JSC::Wasm::tryGetFastMemory): - (JSC::Wasm::releaseFastMemory): - (JSC::Wasm::Memory::Memory): - (JSC::Wasm::Memory::createImpl): - (JSC::Wasm::Memory::create): - (JSC::Wasm::Memory::grow): - (JSC::Wasm::Memory::makeString): - * wasm/WasmMemory.h: - * wasm/WasmMemoryInformation.cpp: - (JSC::Wasm::MemoryInformation::MemoryInformation): - * wasm/js/JSWebAssemblyCodeBlock.cpp: - (JSC::JSWebAssemblyCodeBlock::isSafeToRun): - * wasm/js/JSWebAssemblyModule.cpp: - (JSC::JSWebAssemblyModule::codeBlock): - (JSC::JSWebAssemblyModule::finishCreation): - * wasm/js/JSWebAssemblyModule.h: - (JSC::JSWebAssemblyModule::codeBlock): - (JSC::JSWebAssemblyModule::codeBlockFor): + * runtime/MatchResult.h: -2017-03-24 Mark Lam +2019-06-24 Commit Queue - Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it. - https://bugs.webkit.org/show_bug.cgi?id=170064 - + Unreviewed, rolling out r246714. + https://bugs.webkit.org/show_bug.cgi?id=199179 + + revert to do patch in a different way. (Requested by keith_mi_ + on #webkit). 
+ + Reverted changeset: + + "All prototypes should call didBecomePrototype()" + https://bugs.webkit.org/show_bug.cgi?id=196315 + https://trac.webkit.org/changeset/246714 + +2019-06-24 Alexey Shvayka + + Add Array.prototype.{flat,flatMap} to unscopables + https://bugs.webkit.org/show_bug.cgi?id=194322 + + Reviewed by Keith Miller. + + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + +2019-06-24 Mark Lam + + ArraySlice needs to keep the source array alive. + https://bugs.webkit.org/show_bug.cgi?id=197374 + + + Reviewed by Michael Saboff and Filip Pizlo. + + The implementation of the FTL ArraySlice intrinsics may GC while allocating the + result array and its butterfly. Previously, ArraySlice already keeps the source + butterfly alive in order to copy from it to the new butterfly after the allocation. + Unfortunately, this is not enough. We also need to keep the source array alive + so that GC will scan the values in the butterfly as well. Note: the butterfly + does not have a visitChildren() method to do this scan. It's the parent object's + responsibility to do the scanning. + + This patch fixes this by introducing a keepAlive() utility method, and we use it + to keep the source array alive while allocating the result array and butterfly. + + keepAlive() works by using a patchpoint to communicate to B3 that a value (the + source array in this case) is still in use. It also uses a fence to keep B3 from + relocating the patchpoint, which may defeat the fix. + + For the DFG's SpeculativeJIT::compileArraySlice(), we may have lucked out and the + source array cell is kept alive. This patch makes it explicit that we should + keep its cell alive till after the result array has been allocated. + + For the Baseline JIT and LLInt, we use the arrayProtoFuncSlice() runtime function + and there is no issue because the source array (in "thisObj") is in the element + copying loop that follows the allocation of the result array. 
However, for + documentation purposes, this patch adds a call to HeapCell::use() to indicate that + the source array need to kept alive at least until after the allocation of the + result array. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArraySlice): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): + (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): + (JSC::FTL::DFG::LowerDFGToB3::keepAlive): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncSlice): + +2019-06-22 Robin Morisset and Yusuke Suzuki + + All prototypes should call didBecomePrototype() + https://bugs.webkit.org/show_bug.cgi?id=196315 + + Reviewed by Saam Barati. + + Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor. + + I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't + create structures with invalid prototypes. + It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation(). + Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype. 
+ + * runtime/BigIntPrototype.cpp: + (JSC::BigIntPrototype::finishCreation): + * runtime/BooleanPrototype.cpp: + (JSC::BooleanPrototype::finishCreation): + * runtime/DatePrototype.cpp: + (JSC::DatePrototype::finishCreation): + * runtime/ErrorConstructor.cpp: + (JSC::ErrorConstructor::finishCreation): + * runtime/ErrorPrototype.cpp: + (JSC::ErrorPrototype::finishCreation): + * runtime/FunctionConstructor.cpp: + (JSC::FunctionConstructor::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::finishCreation): + * runtime/IntlCollatorPrototype.cpp: + (JSC::IntlCollatorPrototype::finishCreation): + * runtime/IntlDateTimeFormatPrototype.cpp: + (JSC::IntlDateTimeFormatPrototype::finishCreation): + * runtime/IntlNumberFormatPrototype.cpp: + (JSC::IntlNumberFormatPrototype::finishCreation): + * runtime/IntlPluralRulesPrototype.cpp: + (JSC::IntlPluralRulesPrototype::finishCreation): + * runtime/JSArrayBufferPrototype.cpp: + (JSC::JSArrayBufferPrototype::finishCreation): + * runtime/JSDataViewPrototype.cpp: + (JSC::JSDataViewPrototype::finishCreation): + * runtime/JSGenericTypedArrayViewPrototypeInlines.h: + (JSC::JSGenericTypedArrayViewPrototype::finishCreation): + * runtime/JSGlobalObject.cpp: + (JSC::createConsoleProperty): + * runtime/JSPromisePrototype.cpp: + (JSC::JSPromisePrototype::finishCreation): + * runtime/JSTypedArrayViewConstructor.cpp: + (JSC::JSTypedArrayViewConstructor::finishCreation): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/NumberPrototype.cpp: + (JSC::NumberPrototype::finishCreation): + * runtime/RegExpPrototype.cpp: + (JSC::RegExpPrototype::finishCreation): + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + * runtime/Structure.cpp: + (JSC::Structure::isValidPrototype): + (JSC::Structure::changePrototypeTransition): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::setPrototypeWithoutTransition): + * 
runtime/SymbolPrototype.cpp: + (JSC::SymbolPrototype::finishCreation): + * wasm/js/WebAssemblyCompileErrorPrototype.cpp: + (JSC::WebAssemblyCompileErrorPrototype::finishCreation): + * wasm/js/WebAssemblyInstancePrototype.cpp: + (JSC::WebAssemblyInstancePrototype::finishCreation): + * wasm/js/WebAssemblyLinkErrorPrototype.cpp: + (JSC::WebAssemblyLinkErrorPrototype::finishCreation): + * wasm/js/WebAssemblyMemoryPrototype.cpp: + (JSC::WebAssemblyMemoryPrototype::finishCreation): + * wasm/js/WebAssemblyModulePrototype.cpp: + (JSC::WebAssemblyModulePrototype::finishCreation): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::WebAssemblyPrototype::finishCreation): + * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp: + (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation): + * wasm/js/WebAssemblyTablePrototype.cpp: + (JSC::WebAssemblyTablePrototype::finishCreation): + +2019-06-22 Yusuke Suzuki + + [JSC] Strict, Sloppy and Arrow functions should have different classInfo + https://bugs.webkit.org/show_bug.cgi?id=197631 + + Reviewed by Saam Barati. + + If a constructor inherits a builtin class, it creates a Structure which is subclassing the builtin class. + This is done by using InternalFunction::createSubclassStructure. But to accelerate the common cases, we + cache the created structure in InternalFunctionAllocationProfile. Whether the cache is valid is checked + by comparing classInfo of the cached structure and the given base structure. This implicitly assume that + each builtin class's InternalFunction creates an instance based on one structure. + + However, Function constructor is an exception: Function constructor creates an instance which has different + structures based on a parameter. If a strict code is given (e.g. "'use strict'"), it creates a function + instance with strict function structure. + + As a result, InternalFunctionAllocationProfile incorrectly caches the structure. Consider the following code. 
+ + class A extends Function { }; + let a = new A("'use strict'"); + let b = new A(""); + + While `a` and `b` should have different structures, `A` caches the structure for `a`, and reuse it even the given + code is not a strict code. This is problematic: We are separating structures of strict, sloppy, and arrow functions + because they have different properties. However, in the above case, a and b have the same structure while they have + different properties. So it causes incorrect structure-based caching in JSC. One of the example is HasOwnPropertyCache. + + In this patch, we introduce JSStrictFunction, JSSloppyFunction, and JSArrowFunction classes and classInfos. This design + works well and already partially accepted for JSGeneratorFunction, JSAsyncGeneratorFunction, and JSAsyncFunction. Each + structure now has a different classInfo so that InternalFunctionAllocationProfile correctly caches and invalidates the + cached one based on the classInfo. Since we already have different structures for these instances, and DFG and FTL + optimizations are based on JSFunctionType (not classInfo), introducing these three classInfo do not break the optimization. + + Note that structures on ArrayConstructor does not cause the same problem. It only uses Undecided indexing typed array + structure in InternalFunctionAllocationProfile, and once haveABadTime happens, it clears InternalFunctionAllocationProfile. + + * runtime/JSAsyncFunction.h: This subspaceFor is not necessary since it is defined in JSFunction. And we already ensure that + sizeof(JSAsyncFunction) == sizeof(JSFunction). + * runtime/JSAsyncGeneratorFunction.cpp: + * runtime/JSAsyncGeneratorFunction.h: Ditto. + * runtime/JSFunction.cpp: + * runtime/JSFunction.h: + * runtime/JSGeneratorFunction.h: Ditto. 
+ * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + +2019-06-22 Yusuke Suzuki + + [JSC] ClassExpr should not store result in the middle of evaluation + https://bugs.webkit.org/show_bug.cgi?id=199106 + + Reviewed by Tadeu Zagallo. + + Let's consider the case, + + let a = class A { + static get[a=0x12345678]() { + } + }; + + When evaluating `class A` expression, we should not use the local register for `let a` + until we finally store it to that register. Otherwise, `a=0x12345678` will override it. + Out BytecodeGenerator does that this by using tempDestination and finalDestination, but + we did not do that in ClassExprNode. + + This patch leverages tempDestination and finalDestination to store `class A` result finally, + while we attempt to reduce mov. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ClassExprNode::emitBytecode): + +2019-06-21 Sihui Liu + + openDatabase should return an empty object when WebSQL is disabled + https://bugs.webkit.org/show_bug.cgi?id=198805 Reviewed by Geoffrey Garen. - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoPrivateFuncConcatMemcpy): - * runtime/JSArray.cpp: - (JSC::JSArray::fastSlice): + * runtime/JSFunction.cpp: + (JSC::JSFunction::createFunctionThatMasqueradesAsUndefined): + * runtime/JSFunction.h: -2017-03-23 Yusuke Suzuki +2019-06-21 Alexey Shvayka - [JSC] Use jsNontrivialString agressively for ToString(Int52) - https://bugs.webkit.org/show_bug.cgi?id=170002 + Remove extra check in RegExp @matchSlow + https://bugs.webkit.org/show_bug.cgi?id=198846 - Reviewed by Sam Weinig. + Reviewed by Joseph Pecoraro. - We use the same logic used for Int32 to use jsNontvirialString. - After single character check, produced string is always longer than 1. - Thus, we can use jsNontrivialString. + Type of RegExp `exec` result is already asserted in @regExpExec. - * runtime/NumberPrototype.cpp: - (JSC::int52ToString): + * builtins/RegExpPrototype.js: + (globalPrivate.matchSlow): Remove isObject check. 
-2017-03-23 Yusuke Suzuki +2019-06-20 Justin Michaud - [JSC] Use WeakRandom for SamplingProfiler interval fluctuation - https://bugs.webkit.org/show_bug.cgi?id=170045 + [WASM-References] Add extra tests for Wasm references + fix element parsing and subtyping bugs + https://bugs.webkit.org/show_bug.cgi?id=199044 + + Reviewed by Saam Barati. + + Fix parsing table indices from the element section. The byte that we previously read as the table index actually tells us how to parse the table index. + Fix some areas where we got the isSubtype check wrong, causing funcrefs to not be considred anyrefs. + + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::unify): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseElement): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::unify): + +2019-06-18 Darin Adler + + Tidy up the remaining bits of the AtomicString to AtomString rename + https://bugs.webkit.org/show_bug.cgi?id=198990 + + Reviewed by Michael Catanzaro. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Use flagIsAtom. + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): Ditto. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): Ditto. + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileHasOwnProperty): Ditto. + (JSC::FTL::DFG::LowerDFGToB3::speculateStringIdent): Ditto. + +2019-06-19 Alexey Shvayka + + Optimize `resolve` method lookup in Promise static methods + https://bugs.webkit.org/show_bug.cgi?id=198864 + + Reviewed by Yusuke Suzuki. + + Lookup `resolve` method only once in Promise.{all,allSettled,race}. + (https://github.com/tc39/ecma262/pull/1506) + + Already implemented in V8. + + * builtins/PromiseConstructor.js: + +2019-06-19 Tadeu Zagallo + + Some of the ASSERTs in CachedTypes.cpp should be RELEASE_ASSERTs + https://bugs.webkit.org/show_bug.cgi?id=199030 Reviewed by Mark Lam. 
- It is unnecessary to use cryptographicallyRandomNumber for SamplingProfiler - interval fluctuation. Use WeakRandom instead. + These assertions represent strong assumptions that the cache makes so + it's not safe to keep executing if they fail. - * runtime/SamplingProfiler.cpp: - (JSC::SamplingProfiler::SamplingProfiler): - (JSC::SamplingProfiler::timerLoop): - * runtime/SamplingProfiler.h: + * runtime/CachedTypes.cpp: + (JSC::Encoder::malloc): + (JSC::Encoder::Page::alignEnd): + (JSC::Decoder::ptrForOffsetFromBase): + (JSC::Decoder::handleForEnvironment const): + (JSC::Decoder::setHandleForEnvironment): + (JSC::CachedPtr::get const): + (JSC::CachedOptional::encode): + (JSC::CachedOptional::decodeAsPtr const): Deleted. -2017-03-23 Mark Lam +2019-06-19 Adrian Perez de Castro - Array.prototype.splice behaves incorrectly when the VM is "having a bad time". - https://bugs.webkit.org/show_bug.cgi?id=170025 - + [WPE][GTK] Fix build with unified sources disabled + https://bugs.webkit.org/show_bug.cgi?id=198752 + + Reviewed by Michael Catanzaro. + + * runtime/WeakObjectRefConstructor.h: Add missing inclusion of InternalFunction.h + and forward declaration of WeakObjectRefPrototype. + * wasm/js/WebAssemblyFunction.cpp: Add missing inclusion of JSWebAssemblyHelpers.h + +2019-06-19 Justin Michaud + + [WASM-References] Rename anyfunc to funcref + https://bugs.webkit.org/show_bug.cgi?id=198983 + + Reviewed by Yusuke Suzuki. + + Anyfunc should become funcref since it was renamed in the spec. We should also support the string 'anyfunc' in the table constructor since this is + the only non-binary-format place where it is exposed to users. 
+ + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::gFuncref): + (JSC::Wasm::AirIRGenerator::tmpForType): + (JSC::Wasm::AirIRGenerator::emitCCall): + (JSC::Wasm::AirIRGenerator::moveOpForValueType): + (JSC::Wasm::AirIRGenerator::AirIRGenerator): + (JSC::Wasm::AirIRGenerator::addLocal): + (JSC::Wasm::AirIRGenerator::addConstant): + (JSC::Wasm::AirIRGenerator::addRefFunc): + (JSC::Wasm::AirIRGenerator::addReturn): + (JSC::Wasm::AirIRGenerator::gAnyfunc): Deleted. + * wasm/WasmCallingConvention.h: + (JSC::Wasm::CallingConventionAir::marshallArgument const): + (JSC::Wasm::CallingConventionAir::setupCall const): + * wasm/WasmExceptionType.h: + * wasm/WasmFormat.h: + (JSC::Wasm::isValueType): + (JSC::Wasm::isSubtype): + (JSC::Wasm::TableInformation::wasmType const): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseExpression): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseTableHelper): + (JSC::Wasm::SectionParser::parseElement): + (JSC::Wasm::SectionParser::parseInitExpr): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::addRefFunc): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::constructJSWebAssemblyTable): + * wasm/wasm.json: + +2019-06-19 Fujii Hironori + + [CMake][Win] CombinedDomains.json is generated twice in JavaScriptCore_CopyPrivateHeaders and JavaScriptCore projects + https://bugs.webkit.org/show_bug.cgi?id=198853 + + Reviewed by Don Olmstead. + + JavaScriptCore_CopyPrivateHeaders target needs to have a direct or + indirect dependency of JavaScriptCore target for CMake Visual + Studio generator to eliminate duplicated custom commands. 
+ + * CMakeLists.txt: Added JavaScriptCore as a dependency of JavaScriptCore_CopyPrivateHeaders. + +2019-06-18 Yusuke Suzuki + + [JSC] JSLock should be WebThread aware + https://bugs.webkit.org/show_bug.cgi?id=198911 + + Reviewed by Geoffrey Garen. + + Since WebKitLegacy content rendering is done in WebThread instead of the main thread in iOS, user of WebKitLegacy (e.g. UIWebView) needs + to grab the WebThread lock (which is a recursive lock) in the main thread when touching the WebKitLegacy content. + But, WebKitLegacy can expose JSContext for the web view. And we can interact with the JS content through JavaScriptCore APIs. However, + since WebThread is a concept in WebCore, JavaScriptCore APIs do not grab the WebThread lock. As a result, WebKitLegacy web content can be + modified from the main thread without grabbing the WebThread lock through JavaScriptCore APIs. + + This patch makes JSC aware of WebThread: JSLock grabs the WebThread lock before grabbing JS's lock. While this seems layering violation, + we already have many USE(WEB_THREAD) and WebThread aware code in WTF. Eventually, we should move WebThread code from WebCore to WTF since + JSC and WTF need to be aware of WebThread. But, for now, we just use the function pointer exposed by WebCore. + + Since both JSLock and the WebThread lock are recursive locks, nested locking is totally OK. The possible problem is the order of locking. + We ensure that we always grab locks in (1) the WebThread lock and (2) JSLock order. + + In JSLock, we take the WebThread lock, but we do not unlock it. This is how we use the WebThread lock: the WebThread lock is released + automatically when RunLoop finishes the current cycle, and in WebKitLegacy, we do not call unlocking function of the WebThread lock except + for some edge cases. 
+ + * API/JSVirtualMachine.mm: + (-[JSVirtualMachine isWebThreadAware]): + * API/JSVirtualMachineInternal.h: + * runtime/JSLock.cpp: + (JSC::JSLockHolder::JSLockHolder): + (JSC::JSLock::lock): + (JSC::JSLockHolder::init): Deleted. + * runtime/JSLock.h: + (JSC::JSLock::makeWebThreadAware): + (JSC::JSLock::isWebThreadAware const): + +2019-06-18 Justin Michaud + + [WASM-References] Add support for Table.size, grow and fill instructions + https://bugs.webkit.org/show_bug.cgi?id=198761 + + Reviewed by Yusuke Suzuki. + + Add support for Table.size, grow and fill instructions. This also required + adding support for two-byte opcodes to the ops generator. + + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::gAnyref): + (JSC::Wasm::AirIRGenerator::tmpForType): + (JSC::Wasm::AirIRGenerator::addTableSize): + (JSC::Wasm::AirIRGenerator::addTableGrow): + (JSC::Wasm::AirIRGenerator::addTableFill): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addTableSize): + (JSC::Wasm::B3IRGenerator::addTableGrow): + (JSC::Wasm::B3IRGenerator::addTableFill): + * wasm/WasmExceptionType.h: + * wasm/WasmFormat.h: + (JSC::Wasm::TableInformation::wasmType const): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmInstance.cpp: + (JSC::Wasm::doWasmTableGrow): + (JSC::Wasm::doWasmTableFill): + * wasm/WasmInstance.h: + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::grow): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::addTableSize): + (JSC::Wasm::Validate::addTableGrow): + (JSC::Wasm::Validate::addTableFill): + * wasm/generateWasmOpsHeader.py: + (opcodeMacroizer): + (ExtTableOpType): + * wasm/wasm.json: + +2019-06-18 Keith Miller + + Unreviewed, fix signature of currentWeakRefVersion to return an uintptr_t. 
+ + * runtime/VM.h: + (JSC::VM::currentWeakRefVersion const): + +2019-06-18 Justin Michaud + + [WASM-References] Add support for multiple tables + https://bugs.webkit.org/show_bug.cgi?id=198760 Reviewed by Saam Barati. - * runtime/ArrayPrototype.cpp: - (JSC::copySplicedArrayElements): - (JSC::arrayProtoFuncSplice): + Support multiple wasm tables. We turn tableInformation into a tables array, and update all of the + existing users to give a table index. The array of Tables in Wasm::Instance is hung off the tail + to make it easier to use from jit code. -2017-03-23 Yusuke Suzuki + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::AirIRGenerator): + (JSC::Wasm::AirIRGenerator::addTableGet): + (JSC::Wasm::AirIRGenerator::addTableSet): + (JSC::Wasm::AirIRGenerator::addCallIndirect): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::addTableGet): + (JSC::Wasm::B3IRGenerator::addTableSet): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmExceptionType.h: + * wasm/WasmFormat.h: + (JSC::Wasm::Element::Element): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + (JSC::Wasm::Instance::create): + (JSC::Wasm::Instance::extraMemoryAllocated const): + (JSC::Wasm::Instance::table): + (JSC::Wasm::Instance::setTable): + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::updateCachedMemory): + (JSC::Wasm::Instance::offsetOfGlobals): + (JSC::Wasm::Instance::offsetOfTablePtr): + (JSC::Wasm::Instance::allocationSize): + (JSC::Wasm::Instance::table): Deleted. + (JSC::Wasm::Instance::setTable): Deleted. + (JSC::Wasm::Instance::offsetOfTable): Deleted. 
+ * wasm/WasmModuleInformation.h: + (JSC::Wasm::ModuleInformation::tableCount const): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseImport): + (JSC::Wasm::SectionParser::parseTableHelper): + (JSC::Wasm::SectionParser::parseTable): + (JSC::Wasm::SectionParser::parseElement): + * wasm/WasmTable.h: + (JSC::Wasm::Table::owner const): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::addTableGet): + (JSC::Wasm::Validate::addTableSet): + (JSC::Wasm::Validate::addCallIndirect): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): + (JSC::JSWebAssemblyInstance::visitChildren): + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/wasm.json: - [JSC][DFG] Make addShouldSpeculateAnyInt more conservative to avoid regression caused by Double <-> Int52 conversions - https://bugs.webkit.org/show_bug.cgi?id=169998 +2019-06-18 Alexey Shvayka + + [ESNExt] String.prototype.matchAll + https://bugs.webkit.org/show_bug.cgi?id=186694 + + Reviewed by Yusuke Suzuki. + + Implement String.prototype.matchAll. + (https://tc39.es/ecma262/#sec-string.prototype.matchall) + + Also rename @globalPrivate @constructor functions and C++ variables holding them. + + Shipping in Chrome since version 73. + Shipping in Firefox since version 67. + + * CMakeLists.txt: + * DerivedSources-input.xcfilelist: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/wkbuiltins/builtins_generate_combined_header.py: + (get_var_name): + (generate_section_for_global_private_code_name_macro): + * Sources.txt: + * builtins/ArrayPrototype.js: + (globalPrivate.ArrayIterator): + (values): + (keys): + (entries): + (globalPrivate.createArrayIterator): Deleted. 
+ * builtins/AsyncFromSyncIteratorPrototype.js: + (globalPrivate.createAsyncFromSyncIterator): + (globalPrivate.AsyncFromSyncIterator): + (globalPrivate.AsyncFromSyncIteratorConstructor): Deleted. + * builtins/BuiltinNames.h: + * builtins/MapPrototype.js: + (globalPrivate.MapIterator): + (values): + (keys): + (entries): + (globalPrivate.createMapIterator): Deleted. + * builtins/RegExpPrototype.js: + (globalPrivate.RegExpStringIterator): + (overriddenName.string_appeared_here.matchAll): + * builtins/RegExpStringIteratorPrototype.js: Added. + (next): + * builtins/SetPrototype.js: + (globalPrivate.SetIterator): + (values): + (entries): + (globalPrivate.createSetIterator): Deleted. + * builtins/StringPrototype.js: + (matchAll): + * builtins/TypedArrayPrototype.js: + (values): + (keys): + (entries): + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/RegExpPrototype.cpp: + (JSC::RegExpPrototype::finishCreation): + * runtime/RegExpStringIteratorPrototype.cpp: Added. + (JSC::RegExpStringIteratorPrototype::finishCreation): + * runtime/RegExpStringIteratorPrototype.h: Added. + * runtime/StringPrototype.cpp: + +2019-06-18 Keith Miller + + Add support for WeakRef + https://bugs.webkit.org/show_bug.cgi?id=198710 + + Reviewed by Yusuke Suzuki. + + Add support for WeakRefs which are now at stage 3 + (https://tc39.es/proposal-weakrefs). This patch doesn't add + support for FinalizationGroups, which I'll add in another patch. + + Some other things of interest. Per the spec, we cannot collect a + weak refs target unless it has not been dereffed (or created) in + the current microtask turn. i.e. WeakRefs are only allowed to be + collected at the end of a drain of the Microtask queue. My + understanding for this behavior is to reduce implementation + dependence on specific GC behavior in a given browser. + + We track if a WeakRef is retaining its target by using a version + number on each WeakRef as well as on the VM. 
Whenever a WeakRef is + derefed we update its version number to match the VM's then + WriteBarrier ourselves. During marking if the VM and the WeakRef + have the same version number, the target is visited. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionReleaseWeakRefs): + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + * runtime/JSGlobalObject.h: + * runtime/JSWeakObjectRef.cpp: Added. + (JSC::JSWeakObjectRef::finishCreation): + (JSC::JSWeakObjectRef::visitChildren): + (JSC::JSWeakObjectRef::finalizeUnconditionally): + (JSC::JSWeakObjectRef::toStringName): + * runtime/JSWeakObjectRef.h: Added. + * runtime/VM.cpp: + (JSC::VM::drainMicrotasks): + * runtime/VM.h: + (JSC::VM::setOnEachMicrotaskTick): + (JSC::VM::finalizeSynchronousJSExecution): + (JSC::VM::currentWeakRefVersion const): + * runtime/WeakObjectRefConstructor.cpp: Added. + (JSC::WeakObjectRefConstructor::finishCreation): + (JSC::WeakObjectRefConstructor::WeakObjectRefConstructor): + (JSC::callWeakRef): + (JSC::constructWeakRef): + * runtime/WeakObjectRefConstructor.h: Added. + (JSC::WeakObjectRefConstructor::create): + (JSC::WeakObjectRefConstructor::createStructure): + * runtime/WeakObjectRefPrototype.cpp: Added. + (JSC::WeakObjectRefPrototype::finishCreation): + (JSC::getWeakRef): + (JSC::protoFuncWeakRefDeref): + * runtime/WeakObjectRefPrototype.h: Added. + +2019-06-18 Tadeu Zagallo + + Add missing mutator fence in compileNewFunction + https://bugs.webkit.org/show_bug.cgi?id=198849 + Reviewed by Saam Barati. - Double <-> Int52 and JSValue <-> Int52 conversions are not so cheap. Thus, Int52Rep is super carefully emitted. - We make addShouldSpeculateAnyInt more conservative to avoid regressions caused by the above conversions. - We select ArithAdd(Int52, Int52) only when this calculation is beneficial compared to added Int52Rep conversions. 
+ Follow-up after r246553. Saam pointed out that we still need a mutator + fence before allocating the FunctionRareData, since the allocation + might trigger a slow path call. - This patch tighten the conditions of addShouldSpeculateAnyInt. + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): - 1. Honor DoubleConstant. +2019-06-18 Tadeu Zagallo - When executing imaging-darkroom, we have a thing like that, + DFG code should not reify the names of builtin functions with private names + https://bugs.webkit.org/show_bug.cgi?id=198849 + - 132:< 2:loc36> DoubleConstant(Double|UseAsOther, AnyIntAsDouble, Double: 4607182418800017408, 1.000000, bc#114) - 1320:< 1:loc38> Int52Rep(Check:Int32:@82, Int52|PureInt, Int32, Exits, bc#114) - 1321:< 1:loc39> Int52Constant(Int52|PureInt, Boolint32Nonboolint32Int52, Double: 4607182418800017408, 1.000000, bc#114) - 133: ArithSub(Int52Rep:@1320, Int52Rep:@1321, Int52|MustGen, Int52, CheckOverflow, Exits, bc#114) + Reviewed by Filip Pizlo. - The LHS of ArithSub says predicting Boolint32, and the rhs says AnyIntAsDouble. Thus we select ArithSub(Int52, Int52) instead - of ArithSub(Double, Double). However, it soon causes OSR exits. In imaging-darkroom, LHS's Int32 prediction will be broken. - While speculating Int32 in the above situation is reasonable approach since the given LHS says predicting Int32, this causes - severe performance regression. + Builtin functions that have a private name call setHasReifiedName from finishCreation. + When compiled with DFG and FTL, that does not get called and the function ends up reifying + its name. In order to fix that, we initialize FunctionRareData and set m_hasReifiedName to + true from compileNewFunction in both DFG and FTL. - Previously, we always select ArithSub(Double, Double). So accidentally, we do not encounter this misprediction issue. 
+ * bytecode/InternalFunctionAllocationProfile.h: + (JSC::InternalFunctionAllocationProfile::offsetOfStructure): + * bytecode/ObjectAllocationProfile.h: + (JSC::ObjectAllocationProfileWithPrototype::offsetOfPrototype): + * bytecode/UnlinkedFunctionExecutable.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): + * runtime/FunctionExecutable.h: + * runtime/FunctionRareData.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::finishCreation): + * runtime/JSFunction.h: + * runtime/JSFunctionInlines.h: + (JSC::JSFunction::isAnonymousBuiltinFunction const): - One thing can be found that we have DoubleConstant in the RHS. It means that we have `1.0` instead of `1` in the code. - We can see the code like `lhs - 1.0` instead of `lhs - 1` in imaging-darkroom. It offers good information that lhs and - the resulting value would be double. Handling the above ArithSub in double seems more appropriate rather than handling - it in Int52. +2019-06-18 Keith Miller - So, in this patch, we honor DoubleConstant. If we find DoubleConstant on one operand, we give up selecting - Arith[Sub,Add](Int52, Int52). This change removes OSR exits occurr in imaging-darkroom right now. + MaybeParseAsGeneratorForScope sometimes loses track of its scope ref + https://bugs.webkit.org/show_bug.cgi?id=198969 + - 2. Two Int52Rep(Double) conversions are not desirable. + Reviewed by Tadeu Zagallo. - We allow AnyInt ArithAdd only when the one operand of the binary operation should be speculated AnyInt. It is a bit conservative - decision. This is because Double to Int52 conversion is not so cheap. Frequent back-and-forth conversions between Double and Int52 - rather hurt the performance. If the one operand of the operation is already Int52, the cost for constructing ArithAdd becomes - cheap since only one Double to Int52 conversion could be required. 
- This recovers some regression in assorted tests while keeping kraken crypto improvements. + Sometimes if the parser has enough nested scopes + MaybeParseAsGeneratorForScope can lose track of the ScopeRef it + should be tracking. This is because the parser sometimes relocates + its ScopeRefs. To fix this MaybeParseAsGeneratorForScope should + hold the scope ref it's watching. - 3. Avoid frequent Int52 to JSValue conversions. + * parser/Parser.cpp: + (JSC::Scope::MaybeParseAsGeneratorForScope::MaybeParseAsGeneratorForScope): + (JSC::Scope::MaybeParseAsGeneratorForScope::~MaybeParseAsGeneratorForScope): - Int52 to JSValue conversion is not so cheap. Thus, we would like to avoid such situations. So, in this patch, we allow - Arith(Int52, Int52) with AnyIntAsDouble operand only when the node is used as number. By doing so, we avoid the case like, - converting Int52, performing ArithAdd, and soon converting back to JSValue. +2019-06-17 Justin Michaud - The above 3 changes recover the regression measured in microbenchmarks/int52-back-and-forth.js and assorted benchmarks. - And still it keeps kraken crypto improvements. + Validate that table element type is funcref if using an element section + https://bugs.webkit.org/show_bug.cgi?id=198910 - baseline patched + Reviewed by Yusuke Suzuki. - imaging-darkroom 201.112+-3.192 ^ 189.532+-2.883 ^ definitely 1.0611x faster - stanford-crypto-pbkdf2 103.953+-2.325 100.926+-2.396 might be 1.0300x faster - stanford-crypto-sha256-iterative 35.103+-1.071 ? 36.049+-1.143 ? might be 1.0270x slower + Add missing validation when attempting to add an element section to an anyref table. 
- * dfg/DFGGraph.h: - (JSC::DFG::Graph::addShouldSpeculateAnyInt): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseElement): -== Rolled over to ChangeLog-2017-03-23 == +2019-06-17 Tadeu Zagallo + + Concurrent GC should check the conn before starting a new collection cycle + https://bugs.webkit.org/show_bug.cgi?id=198913 + + + Reviewed by Filip Pizlo. + + Heap::requestCollection tries to steal the conn as an optimization to avoid waking up the collector + thread if it's idle. We determine if the collector is idle by ensuring that there are no pending collections + and that the current GC phase is NotRunning. However, that's not safe immediately after the concurrent + GC has finished processing the last pending request. The collector thread will runEndPhase and immediately + start runNotRunningPhase, without checking if it still has the conn. If the mutator has stolen the conn in + the mean time, this will lead to both threads collecting concurrently, and eventually we'll crash in checkConn, + since the collector is running but doesn't have the conn anymore. + + To solve this, we check if we still have the conn after holding the lock in runNotRunningPhase, in case the mutator + has stolen the conn. Ideally, we wouldn't let the mutator steal the conn in the first place, but that doesn't seem + trivial to determine. + + * heap/Heap.cpp: + (JSC::Heap::runNotRunningPhase): + +2019-06-17 Yusuke Suzuki + + [JSC] Introduce DisposableCallSiteIndex to enforce type-safety + https://bugs.webkit.org/show_bug.cgi?id=197378 + + Reviewed by Saam Barati. + + Some of CallSiteIndex are disposable. This is because some of CallSiteIndex are allocated and freed at runtime (not DFG/FTL compile time). + The example is CallSiteIndex for exception handler in GCAwareJITStubRoutineWithExceptionHandler. If we do not allocate and free CallSiteIndex, + we will create a new CallSiteIndex continuously and leak memory. 
+ + The other CallSiteIndex are not simply disposable because the ownership model is not unique one. They can be shared between multiple clients. + But not disposing them is OK because they are static one: they are allocated when compiling DFG/FTL, and we do not allocate such CallSiteIndex + at runtime. + + To make this difference explicit and avoid disposing non-disposable CallSiteIndex accidentally, we introduce DisposableCallSiteIndex type, and + enforce type-safety to some degree. + + We also correctly update the DisposableCallSiteIndex => CodeOrigin table when we are reusing the previously used DisposableCallSiteIndex. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::newExceptionHandlingCallSiteIndex): + (JSC::CodeBlock::removeExceptionHandlerForCallSite): + * bytecode/CodeBlock.h: + * bytecode/PolymorphicAccess.cpp: + (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): + (JSC::PolymorphicAccess::regenerate): + * bytecode/PolymorphicAccess.h: + (JSC::AccessGenerationState::callSiteIndexForExceptionHandling): Deleted. + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::addUniqueCallSiteIndex): + (JSC::DFG::CommonData::addDisposableCallSiteIndex): + (JSC::DFG::CommonData::removeDisposableCallSiteIndex): + (JSC::DFG::CommonData::removeCallSiteIndex): Deleted. + * dfg/DFGCommonData.h: + * interpreter/CallFrame.h: + (JSC::DisposableCallSiteIndex::DisposableCallSiteIndex): + (JSC::DisposableCallSiteIndex::fromCallSiteIndex): + * jit/GCAwareJITStubRoutine.cpp: + (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): + (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount): + (JSC::createJITStubRoutine): + * jit/GCAwareJITStubRoutine.h: + * jit/JITInlineCacheGenerator.h: + +2019-06-17 Justin Michaud + + [WASM-References] Add support for Funcref in parameters and return types + https://bugs.webkit.org/show_bug.cgi?id=198157 + + Reviewed by Yusuke Suzuki. 
+ + Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to + a funcref (nee anyfunc), we first make sure it is an exported wasm function or null. + + We also add support for Ref.func. Anywhere a Ref.func is used, (statically) we construct a JS wrapper + for it so that we never need to construct JSValues when handling references. This should make threads + easier to implement. + + Finally, we add some missing bounds checks for table.get/set. + + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::tmpForType): + (JSC::Wasm::AirIRGenerator::moveOpForValueType): + (JSC::Wasm::AirIRGenerator::AirIRGenerator): + (JSC::Wasm::AirIRGenerator::addLocal): + (JSC::Wasm::AirIRGenerator::addConstant): + (JSC::Wasm::AirIRGenerator::addRefFunc): + (JSC::Wasm::AirIRGenerator::addTableSet): + (JSC::Wasm::AirIRGenerator::setGlobal): + (JSC::Wasm::AirIRGenerator::addReturn): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addLocal): + (JSC::Wasm::B3IRGenerator::addTableSet): + (JSC::Wasm::B3IRGenerator::addRefFunc): + (JSC::Wasm::B3IRGenerator::setGlobal): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::compileFunctions): + * wasm/WasmCallingConvention.h: + (JSC::Wasm::CallingConventionAir::marshallArgument const): + (JSC::Wasm::CallingConventionAir::setupCall const): + * wasm/WasmExceptionType.h: + * wasm/WasmFormat.h: + (JSC::Wasm::isValueType): + (JSC::Wasm::isSubtype): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + (JSC::Wasm::Instance::getFunctionWrapper const): + (JSC::Wasm::Instance::setFunctionWrapper): + * wasm/WasmInstance.h: + * wasm/WasmModuleInformation.h: + (JSC::Wasm::ModuleInformation::referencedFunctions const): + (JSC::Wasm::ModuleInformation::addReferencedFunction const): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseGlobal): + 
(JSC::Wasm::SectionParser::parseInitExpr): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::addTableGet): + (JSC::Wasm::Validate::addTableSet): + (JSC::Wasm::Validate::addRefIsNull): + (JSC::Wasm::Validate::addRefFunc): + (JSC::Wasm::Validate::setLocal): + (JSC::Wasm::Validate::addCall): + (JSC::Wasm::Validate::addCallIndirect): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::isWebAssemblyHostFunction): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::visitChildren): + * wasm/js/JSWebAssemblyRuntimeError.cpp: + (JSC::createJSWebAssemblyRuntimeError): + * wasm/js/JSWebAssemblyRuntimeError.h: + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + (JSC::Wasm::emitWasmToJSException): + * wasm/js/WasmToJS.h: + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + * wasm/wasm.json: + +2019-06-16 Darin Adler + + Rename AtomicString to AtomString + https://bugs.webkit.org/show_bug.cgi?id=195276 + + Reviewed by Michael Catanzaro. + + * many files: Let do-webcore-rename do the renaming. + +2019-06-16 Yusuke Suzuki + + [JSC] Grown region of WasmTable should be initialized with null + https://bugs.webkit.org/show_bug.cgi?id=198903 + + Reviewed by Saam Barati. + + Grown region of Wasmtable is now empty. We should initialize it with null. + We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to + align to the naming convention. + + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::grow): + (JSC::Wasm::Table::visitAggregate): + (JSC::Wasm::Table::visitChildren): Deleted. + * wasm/WasmTable.h: + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::visitChildren): + +2019-06-14 Keith Miller + + Restore PAC based cage. + https://bugs.webkit.org/show_bug.cgi?id=198872 + + Rubber-stamped by Saam Barati. 
+ + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::bitFieldInsert64): + * assembler/MacroAssemblerARM64E.h: + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + (JSC::run): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): + (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + (JSC::FTL::DFG::LowerDFGToB3::caged): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageWithoutUntagging): + (JSC::AssemblyHelpers::cageConditionally): + (JSC::AssemblyHelpers::cage): Deleted. + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitIntTypedArrayGetByVal): + (JSC::JIT::emitFloatTypedArrayGetByVal): + (JSC::JIT::emitIntTypedArrayPutByVal): + (JSC::JIT::emitFloatTypedArrayPutByVal): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/arm64.rb: + * offlineasm/instructions.rb: + * offlineasm/registers.rb: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::AirIRGenerator::addCallIndirect): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2019-06-13 Yusuke Suzuki + + Yarr bytecode compilation failure should be gracefully handled + https://bugs.webkit.org/show_bug.cgi?id=198700 + + Reviewed by Michael Saboff. + + Currently, we assume that Yarr bytecode compilation does not fail. But in fact it can fail. + We should gracefully handle this failure as a runtime error, as we did for parse errors in [1]. 
+ We also harden Yarr's consumed character calculation by using Checked. + + [1]: https://bugs.webkit.org/show_bug.cgi?id=185755 + + * inspector/ContentSearchUtilities.cpp: + (Inspector::ContentSearchUtilities::findMagicComment): + * runtime/RegExp.cpp: + (JSC::RegExp::byteCodeCompileIfNecessary): + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + * runtime/RegExpInlines.h: + (JSC::RegExp::matchInline): + * yarr/YarrErrorCode.cpp: + (JSC::Yarr::errorMessage): + (JSC::Yarr::errorToThrow): + * yarr/YarrErrorCode.h: + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::ByteCompiler::ByteCompiler): + (JSC::Yarr::ByteCompiler::compile): + (JSC::Yarr::ByteCompiler::atomCharacterClass): + (JSC::Yarr::ByteCompiler::atomBackReference): + (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin): + (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin): + (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin): + (JSC::Yarr::ByteCompiler::atomParentheticalAssertionBegin): + (JSC::Yarr::ByteCompiler::popParenthesesStack): + (JSC::Yarr::ByteCompiler::closeAlternative): + (JSC::Yarr::ByteCompiler::closeBodyAlternative): + (JSC::Yarr::ByteCompiler::alternativeBodyDisjunction): + (JSC::Yarr::ByteCompiler::alternativeDisjunction): + (JSC::Yarr::ByteCompiler::emitDisjunction): + +2019-06-12 Yusuke Suzuki + + [JSC] Polymorphic call stub's slow path should restore callee saves before performing tail call + https://bugs.webkit.org/show_bug.cgi?id=198770 + + Reviewed by Saam Barati. + + Polymorphic call stub is a bit specially patched in JS call site. Typical JS call site for tail calls + are the following. + + if (callee == patchableCallee) { + restore callee saves for tail call + prepare for tail call + jump to the target function + } + restore callee saves for slow path + call the slow path function + + And linking patches patchableCallee, target function, and slow path function. But polymorphic call stub + patches the above `if` statement with the jump to the stub. 
+ + jump to the polymorphic call stub + + This is because polymorphic call stub wants to use CallFrameShuffler to get scratch registers. As a result, + "restore callee saves for tail call" thing needs to be done in the polymorphic call stubs. While it is + correctly done for the major cases, we have `slowPath` skips, and that path missed restoring callee saves. + This skip happens if the callee is non JSCell or non JS function, so typically, InternalFunction is handled + in that path. + + This patch does that skips after restoring callee saves. + + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::CallLinkInfo): + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::setUpCall): + (JSC::CallLinkInfo::calleeGPR): + (JSC::CallLinkInfo::setCalleeGPR): Deleted. + * jit/Repatch.cpp: + (JSC::revertCall): + (JSC::linkVirtualFor): + (JSC::linkPolymorphicCall): + * jit/Repatch.h: + * jit/ThunkGenerators.cpp: + (JSC::virtualThunkFor): + +2019-06-12 Commit Queue + + Unreviewed, rolling out r246322. + https://bugs.webkit.org/show_bug.cgi?id=198796 + + "It's a huge page load regression on iOS" (Requested by + saamyjoon on #webkit). + + Reverted changeset: + + "Roll out PAC cage" + https://bugs.webkit.org/show_bug.cgi?id=198726 + https://trac.webkit.org/changeset/246322 + +2019-06-11 Alexey Shvayka + + JSC should throw if proxy set returns falsish in strict mode context + https://bugs.webkit.org/show_bug.cgi?id=177398 + + Reviewed by Yusuke Suzuki. + + Throw TypeError exception if Proxy's `set` trap returns falsy value. + (step 6.c of https://tc39.es/ecma262/#sec-putvalue) + + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performPut): + (JSC::ProxyObject::put): + (JSC::ProxyObject::putByIndexCommon): + * runtime/ProxyObject.h: + +2019-06-11 Alexey Shvayka + + Error message for non-callable Proxy `construct` trap is misleading + https://bugs.webkit.org/show_bug.cgi?id=198637 + + Reviewed by Saam Barati. 
+ + Just like other traps, Proxy `construct` trap is invoked with [[Call]], not [[Construct]]. + + * runtime/ProxyObject.cpp: + (JSC::performProxyConstruct): Tweak error message. + +2019-06-10 Tadeu Zagallo + + AI BitURShift's result should not be unsigned + https://bugs.webkit.org/show_bug.cgi?id=198689 + + + Reviewed by Saam Barati. + + Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it. + This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but + get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber, + all we have to do is store the result as a signed int32. + + * dfg/DFGAbstractInterpreterInlines.h: + +2019-06-11 Michael Catanzaro + + Unreviewed build warning fixes + + Silence -Wreturn-type warning + + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::tryCreate): + +2019-06-11 Saam Barati + + Roll out PAC cage + https://bugs.webkit.org/show_bug.cgi?id=198726 + + Reviewed by Keith Miller. + + This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622. + + The resulting state we're in is we have Gigacage enabled on arm64. + There is no more PAC caging. + + We're doing this because there are performance issues with PAC caging + that we haven't resolved yet. + + * assembler/CPU.h: + (JSC::isARM64E): Deleted. + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted. + (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted. + (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted. 
+ * b3/B3LowerToAir.cpp: + * b3/B3PatchpointSpecial.cpp: + (JSC::B3::PatchpointSpecial::admitsStack): + * b3/B3StackmapSpecial.cpp: + (JSC::B3::StackmapSpecial::forEachArgImpl): + (JSC::B3::StackmapSpecial::isArgValidForRep): + * b3/B3Validate.cpp: + * b3/B3ValueRep.cpp: + (JSC::B3::ValueRep::addUsedRegistersTo const): + (JSC::B3::ValueRep::dump const): + (WTF::printInternal): + * b3/B3ValueRep.h: + (JSC::B3::ValueRep::ValueRep): + (JSC::B3::ValueRep::isReg const): + * dfg/DFGOperations.cpp: + (JSC::DFG::newTypedArrayWithSize): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): + (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): + (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): + (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): + (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): + (JSC::FTL::DFG::LowerDFGToB3::caged): + (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): + (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted. 
+ * heap/ConservativeRoots.cpp: + (JSC::ConservativeRoots::genericAddPointer): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageConditionally): + * jit/IntrinsicEmitter.cpp: + (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitDirectArgumentsGetByVal): + (JSC::JIT::emitIntTypedArrayGetByVal): + (JSC::JIT::emitFloatTypedArrayGetByVal): + (JSC::JIT::emitIntTypedArrayPutByVal): + (JSC::JIT::emitFloatTypedArrayPutByVal): + * jit/PolymorphicCallStubRoutine.cpp: + (JSC::PolymorphicCallNode::clearCallLinkInfo): + * jit/RegisterSet.h: + * llint/LowLevelInterpreter64.asm: + * runtime/ArrayBuffer.cpp: + (JSC::SharedArrayBufferContents::SharedArrayBufferContents): + (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): + (JSC::ArrayBufferContents::ArrayBufferContents): + (JSC::ArrayBufferContents::destroy): + (JSC::ArrayBufferContents::tryAllocate): + (JSC::ArrayBufferContents::makeShared): + (JSC::ArrayBufferContents::copyTo): + * runtime/ArrayBuffer.h: + (JSC::SharedArrayBufferContents::data const): + (JSC::ArrayBufferContents::data const): + (JSC::ArrayBuffer::data): + (JSC::ArrayBuffer::data const): + (JSC::ArrayBuffer::byteLength const): + * runtime/ArrayBufferView.cpp: + (JSC::ArrayBufferView::ArrayBufferView): + * runtime/ArrayBufferView.h: + (JSC::ArrayBufferView::baseAddress const): + (JSC::ArrayBufferView::setRangeImpl): + (JSC::ArrayBufferView::getRangeImpl): + (JSC::ArrayBufferView::byteLength const): Deleted. 
+ * runtime/CachedTypes.cpp: + (JSC::CachedScopedArgumentsTable::encode): + (JSC::CachedScopedArgumentsTable::decode const): + * runtime/CagedBarrierPtr.h: + (JSC::CagedBarrierPtr::CagedBarrierPtr): + (JSC::CagedBarrierPtr::set): + (JSC::CagedBarrierPtr::get const): + (JSC::CagedBarrierPtr::getMayBeNull const): + (JSC::CagedBarrierPtr::operator== const): + (JSC::CagedBarrierPtr::operator!= const): + (JSC::CagedBarrierPtr::operator bool const): + (JSC::CagedBarrierPtr::setWithoutBarrier): + (JSC::CagedBarrierPtr::operator* const): + (JSC::CagedBarrierPtr::operator-> const): + (JSC::CagedBarrierPtr::operator[] const): + (JSC::CagedBarrierPtr::getUnsafe const): Deleted. + (JSC::CagedBarrierPtr::at const): Deleted. + * runtime/DataView.cpp: + (JSC::DataView::DataView): + * runtime/DataView.h: + (JSC::DataView::get): + (JSC::DataView::set): + * runtime/DirectArguments.cpp: + (JSC::DirectArguments::visitChildren): + (JSC::DirectArguments::overrideThings): + (JSC::DirectArguments::unmapArgument): + * runtime/DirectArguments.h: + * runtime/GenericArguments.h: + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::visitChildren): + (JSC::GenericArguments::initModifiedArgumentsDescriptor): + (JSC::GenericArguments::setModifiedArgumentDescriptor): + (JSC::GenericArguments::isModifiedArgumentDescriptor): + * runtime/GenericTypedArrayView.h: + * runtime/GenericTypedArrayViewInlines.h: + (JSC::GenericTypedArrayView::GenericTypedArrayView): + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): + (JSC::JSArrayBufferView::JSArrayBufferView): + (JSC::JSArrayBufferView::finalize): + (JSC::JSArrayBufferView::slowDownAndWasteMemory): + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::ConstructionContext::vector const): + (JSC::JSArrayBufferView::isNeutered): + (JSC::JSArrayBufferView::vector const): + (JSC::JSArrayBufferView::hasVector const): Deleted. 
+ * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::createUninitialized): + (JSC::JSGenericTypedArrayView::estimatedSize): + (JSC::JSGenericTypedArrayView::visitChildren): + * runtime/Options.h: + * runtime/ScopedArgumentsTable.cpp: + (JSC::ScopedArgumentsTable::clone): + (JSC::ScopedArgumentsTable::setLength): + * runtime/ScopedArgumentsTable.h: + * runtime/SymbolTable.h: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::AirIRGenerator::addCallIndirect): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::cachedMemory const): + (JSC::Wasm::Instance::updateCachedMemory): + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::Memory): + (JSC::Wasm::Memory::~Memory): + (JSC::Wasm::Memory::grow): + (JSC::Wasm::Memory::dump const): + * wasm/WasmMemory.h: + (JSC::Wasm::Memory::memory const): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2019-06-10 Basuke Suzuki + + [WinCairo] Remove build warning from RemoteInspector. + https://bugs.webkit.org/show_bug.cgi?id=198724 + + Reviewed by Joseph Pecoraro. + + In `RemoteInspectorConnectionClient.h`, an interface was defined with empty implementation. + This method is to be overwritten by sub classes so that parameter name is important + so they are commented out rather than just removing from the definition. + + * inspector/remote/RemoteInspector.h: + +2019-06-10 Sam Weinig + + Remove Dashboard support + https://bugs.webkit.org/show_bug.cgi?id=198615 + + Reviewed by Ryosuke Niwa. 
+ + * Configurations/FeatureDefines.xcconfig: + +2019-06-10 Devin Rousso + + Web Automation: add notifications for when remote automation is enabled/disabled + https://bugs.webkit.org/show_bug.cgi?id=198703 + + + Reviewed by Timothy Hatcher. + + * inspector/remote/RemoteInspectorConstants.h: + +2019-06-10 Yusuke Suzuki + + Unreviewed, build fix for non-DFG configurations, part 2 + https://bugs.webkit.org/show_bug.cgi?id=198023 + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeUnconditionally): + +2019-06-10 Yusuke Suzuki + + Unreviewed, build fix for non-DFG configurations + https://bugs.webkit.org/show_bug.cgi?id=198023 + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeUnconditionally): + +2019-06-10 Yusuke Suzuki + + [JSC] UnlinkedCodeBlock should be eventually jettisoned in VM mini mode + https://bugs.webkit.org/show_bug.cgi?id=198023 + + Reviewed by Saam Barati. + + While CodeBlock is periodically jettisoned, UnlinkedCodeBlock and UnlinkedFunctionExecutable can be retained almost forever in certain type of applications. + When we execute a program, which has UnlinkedProgramCodeBlock retained in CodeCache. And UnlinkedProgramCodeBlock holds array of UnlinkedFunctionExecutable. + And UnlinkedFunctionExecutables hold UnlinkedFunctionCodeBlocks once it is generated. So eventually, this tree gets larger and larger until we purge + UnlinkedProgramCodeBlock from CodeCache. This is OK in the browser case. We navigate to various other pages, and UnlinkedProgramCodeBlocks should eventually + be pruned from CodeCache with the new ones. So this tree won't be retained forever. But the behavior is different in the other applications that do not have + navigations. If they only have one program which holds all, we basically retain this tree during executing this application. The same thing can happen in + web applications which does not have navigation and keeps alive for a long time. 
Once we hit CodeCache limit by periodically executing a new script, we will + hit the uppermost of memory footprint. But until that, we increase our memory footprint. + + However, destroying these UnlinkedCodeBlocks and UnlinkedFunctionExecutables causes a tricky problem. In the browser environment, navigation can happen at any + time. So even if the given UnlinkedCodeBlock seems unused in the current page, it can be used when navigating to a new page which is under the same domain. + One example is initializing function in a script. It is only executed once per page. So once it is executed, it seems that this UnlinkedCodeBlock is unused. + But this will be used when we navigate to a new page. Pruning code blocks based on usage could cause performance regression. + + But if our VM is mini VM mode, the story is different. In mini VM mode, we focus on memory footprint rather than performance e.g. daemons. The daemon never + reuse these CodeCache since we do not have the navigation. + + This patch logically makes UnlinkedFunctionExecutable -> UnlinkedCodeBlock reference weak when VM is mini mode. If UnlinkedCodeBlock is used in previous GC + cycle, we retain it. But if it is not used, and if UnlinkedFunctionExecutable is only the cell keeping UnlinkedCodeBlock alive, we destroy it. It is a + heuristic. In a super pathological case, it could increase memory footprint. Consider the following example. + + UnlinkedFunctionExecutable(A1) -> UnlinkedCodeBlock(B1) -> UnlinkedFunctionExecutable(C1) -> UnlinkedCodeBlock(D1) + ^ + CodeBlock(E1) + + We could delete A1, B1, and C1 while keeping D1. But if we eventually re-execute the same code corresponding to A1, B1, C1, they will be newly created, and + we will create duplicate UnlinkedCodeBlock and instructions stream for D1. 
+ + UnlinkedCodeBlock(D1) + ^ + CodeBlock(E1) + + UnlinkedFunctionExecutable(A2) -> UnlinkedCodeBlock(B2) -> UnlinkedFunctionExecutable(C2) -> UnlinkedCodeBlock(D2) + + But this does not happen in practice and even it happens, we eventually discard D1 and D2 since CodeBlock E1 will be jettisoned anyway. So in practice, we do + not see memory footprint increase. We tested it in Gmail and the target application, but both said memory footprint reduction (30 MB / 400 MB and 1 MB /6 MB). + While this affects on performance much on tests which has navigation (1-3 % regression in Speedometer2, note that JetStream2 does not show regression in x64, + while it is not enabling mini mode), we do not apply this to non mini mode VM until we come up with a good strategy to fasten performance of re-generation. + Personally I think flushing destroyed UnlinkedCodeBlock to the disk sounds promising. + + If UnlinkedCodeBlock is generated from bytecode cache, we do not make UnlinkedFunctionExecutable -> UnlinkedCodeBlock link weak because the decoder of the bytecode + cache assumes that generated JSCells won't be destroyed while the parent cells of that cell are live. This is true in the current implementation, and this assumption + will be broken with this patch. So, for now, we do not make this link weak. Currently, our target application does not use bytecode cache so it is OK. + + This patch also introduce simple heuristic. We are counting UnlinkedCodeBlock's age. And once the age becomes maximum size, we make UnlinkedFunctionExecutable -> + UnlinkedCodeBlock link weak. We also use execution counter information to reset this age: CodeBlock will reset undelying UnlinkedCodeBlock's age if it has executed + While this heuristic is quite simple, it has some effect in practice. Basically what happens with this heuristic is that UnlinkedFunctionExecutable -> + UnlinkedCodeBlock link strong. When GC happens, we are executing some CodeBlocks, which become live. 
And ScriptExecutables -> UnlinkedFunctionExecutables held + by this CodeBlock become also live. Then UnlinkedFunctionExecutables can mark the child UnlinkedCodeBlocks if it is not so old. + If some of parent UnlinkedFunctionExecutable becomes dead, child UnlinkedCodeBlocks tends to be dead unless some live CodeBlock holds it. But it is OK for a first + heuristics since this means that parent code block is now considered old, reachable UnlinkedCodeBlock will be used when the parent is executed again. So destroying + the tree is OK even if the tree may include some new UnlinkedCodeBlock. While we could make more sophisticated mechanism to manage these lifetime, I think this is a + good starting point. + + Based on measurement, we pick 7 as a maximum age. If we pick 0, we can get more memory reduction (1 - 1.5 MB!), while we ends up reparsing codes so many times. + It seems that 7 can reduce fair amount of memory while doing small # of reparsing on average (usually, 1, 2. Sometimes, 100. But not 300, which is the case in 0). + If we want to get more memory reduction for the sake of performance, we could decrease this age limit. + + Since we do not have an automated script right now so it is a bit difficult to measure memory footprint precisely. But manual testing shows that this patch improves + memory footprint of our target application from about 6.5 MB to about 5.9 MB. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeUnconditionally): + * bytecode/CodeBlock.h: + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + (JSC::UnlinkedCodeBlock::visitChildren): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::age const): + (JSC::UnlinkedCodeBlock::resetAge): + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + (JSC::UnlinkedFunctionExecutable::visitChildren): + (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor): + (JSC::UnlinkedFunctionExecutable::decodeCachedCodeBlocks): + (JSC::UnlinkedFunctionExecutable::finalizeUnconditionally): + * bytecode/UnlinkedFunctionExecutable.h: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * runtime/CachedTypes.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * runtime/CodeSpecializationKind.h: + * runtime/Options.h: + * runtime/VM.cpp: + (JSC::VM::isInMiniMode): Deleted. + * runtime/VM.h: + (JSC::VM::isInMiniMode): + (JSC::VM::useUnlinkedCodeBlockJettisoning): + +2019-06-10 Timothy Hatcher + + Integrate dark mode support for iOS. + https://bugs.webkit.org/show_bug.cgi?id=198687 + rdar://problem/51545643 + + Reviewed by Tim Horton. + + * Configurations/FeatureDefines.xcconfig: + +2019-06-10 Adrian Perez de Castro + + [JSC] Linker fails when unified sources are not in use + https://bugs.webkit.org/show_bug.cgi?id=198722 + + Reviewed by Keith Miller. + + Added missing inclusions of headers in several files which make use of inline functions. 
+ + * b3/B3AtomicValue.cpp: + * b3/B3BlockInsertionSet.cpp: + * b3/B3FenceValue.cpp: + * b3/B3LowerMacrosAfterOptimizations.cpp: + * b3/B3PureCSE.cpp: + * b3/B3StackmapValue.cpp: + * b3/B3SwitchValue.cpp: + * b3/B3UseCounts.cpp: + * b3/B3VariableValue.cpp: + * b3/B3WasmAddressValue.cpp: + * b3/B3WasmBoundsCheckValue.cpp: + * ftl/FTLCompile.cpp: + * wasm/WasmSectionParser.cpp: + * wasm/WasmTable.cpp: + * wasm/WasmValidate.cpp: + +2019-06-10 Keith Miller + + Make new Symbol/Promise API public + https://bugs.webkit.org/show_bug.cgi?id=198709 + + Reviewed by Saam Barati. + + We also need to #ifdef some tests when building for older + platforms because the signatures for some methods are outdated on + those platforms. + + * API/JSObjectRef.h: + * API/JSObjectRefPrivate.h: + * API/JSValue.h: + * API/JSValuePrivate.h: + * API/JSValueRef.h: + * API/tests/testapi.mm: + (testObjectiveCAPIMain): + +2019-06-09 Commit Queue + + Unreviewed, rolling out r246150, r246160, and r246166. + https://bugs.webkit.org/show_bug.cgi?id=198698 + + Regresses page loading time on iOS 13 (Requested by keith_m__ + on #webkit). + + Reverted changesets: + + "Reenable Gigacage on ARM64." + https://bugs.webkit.org/show_bug.cgi?id=198453 + https://trac.webkit.org/changeset/246150 + + "Unrevied build fix for FTL without Gigacage." + https://trac.webkit.org/changeset/246160 + + "Fix typo in cageWithoutUntagging" + https://bugs.webkit.org/show_bug.cgi?id=198617 + https://trac.webkit.org/changeset/246166 + +2019-06-09 Yusuke Suzuki + + [JSC] Use mergePrediction in ValuePow prediction propagation + https://bugs.webkit.org/show_bug.cgi?id=198648 + + Reviewed by Saam Barati. + + We are accidentally using setPrediction. This is wrong since prediction propagation (not processInvariant) + must extend the speculation types to ensure we eventually reach to the fixed point. setPrediction can discard + previously configured predictions, can lead to oscillation potentially. Use mergePrediction instead. 
+ + * dfg/DFGPredictionPropagationPhase.cpp: + +2019-06-07 Tadeu Zagallo + + AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset + https://bugs.webkit.org/show_bug.cgi?id=198581 + + + Reviewed by Saam Barati. + + For GetGetterSetterByOffset, when the abstract interpreter fails to read the property + from the object, it gets the GetterSetter structure from the CodeBlock's global object. + However, that's not correct, since the global object for the base object might differ + from the CodeBlock's. Instead, we try to get the global object from the base, when it's + a constant object. Otherwise, we can't infer the value and only set the type. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2019-06-06 Devin Rousso + + Web Inspector: create CommandLineAPIHost lazily like the other agents + https://bugs.webkit.org/show_bug.cgi?id=196047 + + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptManager.h: + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::connect): Added. + +2019-06-06 Keith Miller + + Fix typo in cageWithoutUntagging + https://bugs.webkit.org/show_bug.cgi?id=198617 + + Reviewed by Saam Barati. + + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageWithoutUntagging): + (JSC::AssemblyHelpers::cageConditionally): + (JSC::AssemblyHelpers::cageWithoutUntaging): Deleted. + +2019-06-06 Alexey Shvayka + + JSON.parse throws incorrect exception when called w/o arguments + https://bugs.webkit.org/show_bug.cgi?id=198574 + + Reviewed by Yusuke Suzuki. + + Always coerce first argument to string and attempt to parse it. 
+ (steps 1-2 of https://tc39.github.io/ecma262/#sec-json.parse) + + * runtime/JSONObject.cpp: + (JSC::JSONProtoFuncParse): Remove argumentCount check. + +2019-06-06 Keith Miller + + Unrevied build fix for FTL without Gigacage. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::caged): + +2019-06-06 Michael Catanzaro + + aarch64: ‘JSC::ARM64Assembler::LinkRecord::::RealTypes::m_compareRegister’ is too small to hold all values of ‘JSC::ARM64Assembler::RegisterID’ {aka ‘enum JSC::ARM64Registers::RegisterID’} + https://bugs.webkit.org/show_bug.cgi?id=198014 + + Reviewed by Yusuke Suzuki. + + When building for aarch64, there is a huge warning spam here. It's impossible to see any + other warnings. This has been ongoing for so long I've begun to suspect that nobody works + on this architecture. + + Anyway, the problem is because we need eight bits to store all possible RegisterID values, + but the bitfield is only six bits wide. Fix it. The COMPILE_ASSERT checking the size of this + struct is still happy, so I presume the change is OK. + + * assembler/ARM64Assembler.h: + +2019-06-06 Keith Miller + + Reenable Gigacage on ARM64. + https://bugs.webkit.org/show_bug.cgi?id=198453 + + Reviewed by Michael Saboff. + + This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the + old Gigacage however, arm64e uses both Gigacaging and PAC. In + order to ensure the PAC bits are not stripped in the caging + process we use the bit field insert instruction to take the low + bits from caging and the high bits from the PAC authentication. 
+ + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::bitFieldInsert64): + * assembler/MacroAssemblerARM64E.h: + * assembler/testmasm.cpp: + (JSC::testCagePreservesPACFailureBit): + (JSC::run): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): + (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + (JSC::FTL::DFG::LowerDFGToB3::caged): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageWithoutUntaging): + (JSC::AssemblyHelpers::cageConditionally): + (JSC::AssemblyHelpers::cage): Deleted. + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitIntTypedArrayGetByVal): + (JSC::JIT::emitFloatTypedArrayGetByVal): + (JSC::JIT::emitIntTypedArrayPutByVal): + (JSC::JIT::emitFloatTypedArrayPutByVal): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/arm64.rb: + * offlineasm/instructions.rb: + * offlineasm/registers.rb: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::AirIRGenerator::addCallIndirect): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2019-06-06 Michael Saboff + + [ARM64E]: Add disassembler support for authenticated instructions + https://bugs.webkit.org/show_bug.cgi?id=198562 + + Reviewed by Keith Miller. + + Added support for all the instructions supported in ARM64EAssembler.h. 
+
+ * disassembler/ARM64/A64DOpcode.cpp:
+ (JSC::ARM64Disassembler::A64DOpcodeDataProcessing1Source::format):
+ (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
+ (JSC::ARM64Disassembler::A64DOpcodeHint::format):
+ (JSC::ARM64Disassembler::A64DOpcodeHint::opName):
+ (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::format):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpName):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::format):
+ * disassembler/ARM64/A64DOpcode.h:
+ (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex):
+ (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opName):
+ (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::opNum):
+ (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::mBit):
+ (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::sBit):
+ (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::wBit):
+ (JSC::ARM64Disassembler::A64DOpcodeLoadStoreAuthenticated::immediate10):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::authOpCode):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op2):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op3):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::op4):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::mBit):
+ (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::rm):
+ (JSC::ARM64Disassembler::A64DOpcodeHint::opName): Deleted.
+
+2019-06-05 Justin Michaud
+
+ [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
+ https://bugs.webkit.org/show_bug.cgi?id=198398
+
+ Reviewed by Saam Barati.
+
+ Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec).
+ Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to
+ support calling from wasm.
A JSWebAssemblyTable is required to set an anyref element, but this is only because
+ we need to write barrier it (so it should not restrict how we implement threads). This patch does, however,
+ restrict the implementation of function references to require every Ref.func to have an associated wrapper. This
+ can be done statically, so this too should not restrict our threads implementation.
+
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::addTableGet):
+ (JSC::Wasm::AirIRGenerator::addTableSet):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::addLocal):
+ (JSC::Wasm::B3IRGenerator::addTableGet):
+ (JSC::Wasm::B3IRGenerator::addTableSet):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::TableInformation::TableInformation):
+ (JSC::Wasm::TableInformation::type const):
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::parseExpression):
+ (JSC::Wasm::FunctionParser::parseUnreachableExpression):
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseTableHelper):
+ * wasm/WasmTable.cpp:
+ (JSC::Wasm::Table::Table):
+ (JSC::Wasm::Table::tryCreate):
+ (JSC::Wasm::Table::grow):
+ (JSC::Wasm::Table::clear):
+ (JSC::Wasm::Table::set):
+ (JSC::Wasm::Table::get):
+ (JSC::Wasm::Table::visitChildren):
+ (JSC::Wasm::FuncRefTable::FuncRefTable):
+ (JSC::Wasm::FuncRefTable::setFunction):
+ (JSC::Wasm::Table::~Table): Deleted.
+ (JSC::Wasm::Table::clearFunction): Deleted.
+ (JSC::Wasm::Table::setFunction): Deleted.
+ * wasm/WasmTable.h:
+ (JSC::Wasm::Table::length const):
+ (JSC::Wasm::Table::type const):
+ (JSC::Wasm::Table::setOwner):
+ (JSC::Wasm::FuncRefTable::offsetOfFunctions):
+ (JSC::Wasm::FuncRefTable::offsetOfInstances):
+ (JSC::Wasm::Table::offsetOfFunctions): Deleted.
+ (JSC::Wasm::Table::offsetOfInstances): Deleted.
+ * wasm/WasmValidate.cpp:
+ (JSC::Wasm::Validate::addTableGet):
+ (JSC::Wasm::Validate::addTableSet):
+ (JSC::Wasm::Validate::addCallIndirect):
+ * wasm/js/JSWebAssemblyTable.cpp:
+ (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
+ (JSC::JSWebAssemblyTable::finishCreation):
+ (JSC::JSWebAssemblyTable::visitChildren):
+ (JSC::JSWebAssemblyTable::grow):
+ (JSC::JSWebAssemblyTable::get):
+ (JSC::JSWebAssemblyTable::set):
+ (JSC::JSWebAssemblyTable::clear):
+ (JSC::JSWebAssemblyTable::getFunction): Deleted.
+ (JSC::JSWebAssemblyTable::clearFunction): Deleted.
+ (JSC::JSWebAssemblyTable::setFunction): Deleted.
+ * wasm/js/JSWebAssemblyTable.h:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ (JSC::WebAssemblyModuleRecord::evaluate):
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ (JSC::constructJSWebAssemblyTable):
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::webAssemblyTableProtoFuncGet):
+ (JSC::webAssemblyTableProtoFuncSet):
+ * wasm/wasm.json:
+
+2019-06-05 Justin Michaud
+
+ WebAssembly: pow functions returns 0 when exponent 1.0 or -1.0
+ https://bugs.webkit.org/show_bug.cgi?id=198106
+
+ Reviewed by Saam Barati.
+
+ Fix bug caused by using fcsel sX instead of fcsel dX on an f64 value in moveDoubleConditionally32.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::moveDoubleConditionally32):
+
+2019-06-05 Alex Christensen
+
+ Progress towards resurrecting Mac CMake build
+ https://bugs.webkit.org/show_bug.cgi?id=197132
+
+ Reviewed by Don Olmstead.
+
+ * API/JSScript.mm:
+ (-[JSScript readCache]):
+ (-[JSScript sourceCode]):
+ (-[JSScript jsSourceCode]):
+ (-[JSScript writeCache:]):
+ * CMakeLists.txt:
+
+== Rolled over to ChangeLog-2019-06-05 ==
diff --git a/ChangeLog-2018-01-01 b/ChangeLog-2018-01-01
new file mode 100644
index 0000000..08337eb
--- /dev/null
+++ b/ChangeLog-2018-01-01
@@ -0,0 +1,40631 @@ +2017-12-22 Jeff Miller + + Update user-visible copyright strings to include 2018 + https://bugs.webkit.org/show_bug.cgi?id=181141 + + Reviewed by Dan Bernstein. + + * Info.plist: + +2017-12-30 Yusuke Suzuki + + [JSC] Remove unused JSTypes + https://bugs.webkit.org/show_bug.cgi?id=181184 + + Reviewed by Saam Barati. + + JSType includes some unused types such as NullType. They are for + primitive values in old days. But now JSType is only used for JSCells. + + * runtime/JSType.h: + * runtime/TypedArrayType.cpp: + (JSC::typeForTypedArrayType): + +2017-12-28 Saam Barati + + Remove op_assert and make @assert in builtins a function call so we have DFG/FTL coverage for builtins that use @assert in debug builds + https://bugs.webkit.org/show_bug.cgi?id=181176 + + Reviewed by Yusuke Suzuki. + + Previously, op_assert was only implemented in the LLInt and baseline JIT. This + meant that any builtin that used @assert was not tiering up to the DFG/FTL + in debug builds. This patch changes @assert to just call a host function when + !ASSERT_DISABLED. It's a no-op when ASSERT_DISABLED. Now, builtins that use @assert + will tier up to the DFG/FTL on debug builds. + + * builtins/BuiltinNames.h: + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitAssert): Deleted. + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::FunctionCallResolveNode::emitBytecode): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_assert): Deleted. 
+ * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * llint/LowLevelInterpreter.asm: + * runtime/CommonSlowPaths.cpp: + * runtime/CommonSlowPaths.h: + * runtime/JSGlobalObject.cpp: + (JSC::assertCall): + (JSC::JSGlobalObject::init): + +2017-12-28 Fujii Hironori + + [Win][CMake] Use add_custom_command to copy each forwarding header files + https://bugs.webkit.org/show_bug.cgi?id=180921 + + Reviewed by Brent Fulgham. + + * PlatformWin.cmake: Use WEBKIT_MAKE_FORWARDING_HEADERS. + +2017-12-28 Saam Barati + + Assertion used to determine if something is an async generator is wrong + https://bugs.webkit.org/show_bug.cgi?id=181168 + + + Reviewed by Yusuke Suzuki. + + Previous assertions were doing a get on the base value for @@asyncIterator. + This symbol is defined on AsyncGeneratorPrototype. The base value may change + its prototype, but it's still an async generator as far as our system is + concerned. This patch updates the assertion to check for a private property + on the base value. + + * builtins/AsyncGeneratorPrototype.js: + (globalPrivate.asyncGeneratorReject): + (globalPrivate.asyncGeneratorResolve): + (globalPrivate.asyncGeneratorResumeNext): + +2017-12-27 Carlos Alberto Lopez Perez + + Build fix after r226299 (3) + https://bugs.webkit.org/show_bug.cgi?id=181160 + + Unreviewed build fix. + + * API/tests/TypedArrayCTest.cpp: fix typo in header name. + +2017-12-27 Carlos Alberto Lopez Perez + + Build fix after r226299 (2) + https://bugs.webkit.org/show_bug.cgi?id=181160 + + Unreviewed build fix. + + * API/tests/TypedArrayCTest.cpp: Add missing header include. + +2017-12-27 Carlos Alberto Lopez Perez + + Build fix after r226299 + https://bugs.webkit.org/show_bug.cgi?id=181160 + + Unreviewed build fix. + + * API/tests/TypedArrayCTest.cpp: + (assertEqualsAsNumber): Disambiguate usage of isnan. 
+ +2017-12-26 Carlos Alberto Lopez Perez + + REGRESSION(r225769): Build error with constexpr std::max // std::min in libdstdc++4 + https://bugs.webkit.org/show_bug.cgi?id=181160 + + Reviewed by Myles C. Maxfield. + + Disambiguate usage of min and max (Use the version from stdlib). + + * runtime/JSArray.cpp: + (JSC::JSArray::unshiftCountSlowCase): + (JSC::JSArray::setLengthWithArrayStorage): + (JSC::JSArray::shiftCountWithArrayStorage): + (JSC::JSArray::fillArgList): + (JSC::JSArray::copyToArguments): + +2017-12-27 Zan Dobersek + + REGRESSION(r225913): about 30 JSC test failures on ARMv7 + https://bugs.webkit.org/show_bug.cgi?id=181162 + + Reviewed by Michael Catanzaro. + + Fast case in DFG::SpeculativeJIT::compileArraySlice() was enabled in + r225913 on all but 32-bit x86 platform. Other 32-bit platforms have the + same lack of GP registers, so the conditional is changed here to only + enable this optimization explicitly on ARM64 and x86-64. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArraySlice): + +2017-12-26 Yusuke Suzuki + + [JSC] Remove std::chrono completely + https://bugs.webkit.org/show_bug.cgi?id=181165 + + Reviewed by Konstantin Tokarev. + + This patch removes std::chrono use completely from JSC. 
+ + * API/JSContextRef.cpp: + (JSContextGroupSetExecutionTimeLimit): + * API/tests/ExecutionTimeLimitTest.cpp: + (currentCPUTimeAsJSFunctionCallback): + (testExecutionTimeLimit): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::timeToLive): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::timeSinceCreation): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::SamplingProfiler): + (JSC::SamplingProfiler::timerLoop): + (JSC::SamplingProfiler::takeSample): + (JSC::SamplingProfiler::reportTopFunctions): + (JSC::SamplingProfiler::reportTopBytecodes): + * runtime/SamplingProfiler.h: + (JSC::SamplingProfiler::setTimingInterval): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/Watchdog.cpp: + (JSC::Watchdog::Watchdog): + (JSC::Watchdog::setTimeLimit): + (JSC::Watchdog::shouldTerminate): + (JSC::Watchdog::startTimer): + (JSC::currentWallClockTime): Deleted. + * runtime/Watchdog.h: + +2017-12-26 Zan Dobersek + + REGRESSION(r226269): 60 JSC test failures on ARMv7 + https://bugs.webkit.org/show_bug.cgi?id=181163 + + Reviewed by Yusuke Suzuki. + + In r226269, DFG::SpeculativeJIT::compile() changed behavior for the + GetDirectPname operation on non-x86 platforms, switching to using + GPRFlushedCallResult registers for the payload and tag pair of the + return value (through the JSValueRegsFlushedCallResult struct). This + tripped about 60 test cases on ARMv7. + + As before this change, GPRTemporary registers should be used, but this + can now be done through a JSValueRegsTemporary object. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2017-12-22 Caio Lima + + [JSC] IntlCollator and IntlNumberFormat has static fields with same name + https://bugs.webkit.org/show_bug.cgi?id=181128 + + Reviewed by Yusuke Suzuki. + + Minor fixes into IntlNumberFormat::initializeNumberFormat and + IntlCollator::initializeCollator that makes JSC unified sources + compile. 
These files were generating compilation error when placed at + the same UnifiedSource.cpp, because they had static variables with same name. + + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::initializeCollator): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + +2017-12-22 Michael Catanzaro + + generate_offset_extractor.rb should not print to stderr by default + https://bugs.webkit.org/show_bug.cgi?id=181133 + + Reviewed by Mark Lam. + + Remove unneeded print output. + + * offlineasm/generate_offset_extractor.rb: + +2017-12-22 Yusuke Suzuki + + [DFG] Cleaning up and unifying 32bit code more + https://bugs.webkit.org/show_bug.cgi?id=181124 + + Reviewed by Mark Lam. + + This patch unifies DFG 32bit code into 64bit code more. In this patch, we move RegExp DFG nodes + from 32bit / 64bit code to the common code. We change some RegExp operations to returning JSCell* + instead of EncodedJSValue. This simplifies DFG implementation. + + And we also move HasGenericProperty since we now have JSValueRegsFlushedCallResult. ToPrimive, + LogShadowChickenPrologue, and LogShadowChickenTail are almost the same in 32bit and 64bit. + Thus, it is unified easily. + + And we also move some GPRFlushedCallResult from the original places to the places just after + `flushRegisters()` not to spill unnecessary registers. 
+ + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileRegExpExec): + (JSC::DFG::SpeculativeJIT::compileRegExpTest): + (JSC::DFG::SpeculativeJIT::compileStringReplace): + (JSC::DFG::SpeculativeJIT::compileHasGenericProperty): + (JSC::DFG::SpeculativeJIT::compileToPrimitive): + (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue): + (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * runtime/StringPrototype.cpp: + (JSC::jsSpliceSubstrings): + (JSC::jsSpliceSubstringsWithSeparators): + (JSC::removeUsingRegExpSearch): + (JSC::replaceUsingRegExpSearch): + (JSC::operationStringProtoFuncReplaceRegExpEmptyStr): + (JSC::operationStringProtoFuncReplaceRegExpString): + (JSC::replaceUsingStringSearch): + (JSC::replace): + (JSC::stringProtoFuncReplaceUsingRegExp): + (JSC::stringProtoFuncReplaceUsingStringSearch): + (JSC::operationStringProtoFuncReplaceGeneric): + * runtime/StringPrototype.h: + +2017-12-22 Michael Catanzaro + + [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds + https://bugs.webkit.org/show_bug.cgi?id=179914 + + + Unreviewed. + + * PlatformGTK.cmake: + +2017-12-22 Michael Catanzaro + + [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds + https://bugs.webkit.org/show_bug.cgi?id=179914 + + Reviewed by Carlos Garcia Campos. + + Add a new JavaScriptCoreGTK build target, to build JSC as a shared library. 
Link the + original JavaScriptCore build target, which is now a static library, to it. Use + --whole-archive to prevent all the JavaScriptCore symbols from being dropped, since none are + used directly by JavaScriptCoreGTK. + + The installed libjavascriptcoregtk-4.0 now corresponds to the JavaScriptCoreGTK target, + instead of the JavaScriptCore target. There is almost no difference on the installed system, + except that we now use a version script when linking, to hide private symbols, since they're + no longer needed by libwebkit2gtk-4.0.so. + + Also, move the symbols map here. + + * PlatformGTK.cmake: + * javascriptcoregtk-symbols.map: Added. + +2017-12-22 Yusuke Suzuki + + [DFG] Unify bunch of DFG 32bit code into 64bit code + https://bugs.webkit.org/show_bug.cgi?id=181083 + + Reviewed by Mark Lam. + + There are bunch of the completely same code in 32bit and 64bit DFG. + This is largely because of the old DFG code. At that time, we do not + have enough abstraction to describe them in one code. But now, we have + JSValueRegs, JSValueRegsTemporary etc. They allow DFG to write 32bit and + 64bit handling in one code. + + This patch unifies easy ones. This is nice since basically 32bit code is + a bit old and not maintained so much compared to 64bit. If we can drop + 32bit specific code as much as possible, it would be nice. Furthermore, + we can find various mistakes in 32bit: For example, NewObject does not have + mutatorFence in 32bit while 64bit has it. This unification is a chance + to fix miscellaneous bugs in 32bit while reducing maintenance burden. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + (JSC::DFG::SpeculativeJIT::compileGetEnumerableLength): + (JSC::DFG::SpeculativeJIT::compileToIndexString): + (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): + (JSC::DFG::SpeculativeJIT::compileHasStructureProperty): + (JSC::DFG::SpeculativeJIT::compileGetPropertyEnumerator): + (JSC::DFG::SpeculativeJIT::compileGetEnumeratorPname): + (JSC::DFG::SpeculativeJIT::compileGetGetter): + (JSC::DFG::SpeculativeJIT::compileGetSetter): + (JSC::DFG::SpeculativeJIT::compileGetCallee): + (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): + (JSC::DFG::SpeculativeJIT::compileStrCat): + (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize): + (JSC::DFG::SpeculativeJIT::compileNewTypedArray): + (JSC::DFG::SpeculativeJIT::compileCreateThis): + (JSC::DFG::SpeculativeJIT::compileNewObject): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2017-12-22 Yusuke Suzuki + + [DFG] Add JSValueRegsFlushedCallResult + https://bugs.webkit.org/show_bug.cgi?id=181075 + + Reviewed by Mark Lam. + + Add JSValueRegsFlushedCallResult, which is appropriate for the JSValueRegs result + of the function call after flushing. We can remove bunch of `#if USE(JSVALUE32_64)` + code and simplify them. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileFromCharCode): + (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString): + (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol): + (JSC::DFG::SpeculativeJIT::compileParseInt): + (JSC::DFG::SpeculativeJIT::emitUntypedBitOp): + (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp): + (JSC::DFG::SpeculativeJIT::compileValueAdd): + (JSC::DFG::SpeculativeJIT::compileArithMul): + (JSC::DFG::SpeculativeJIT::compileArithDiv): + (JSC::DFG::SpeculativeJIT::compileArithRounding): + (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval): + (JSC::DFG::SpeculativeJIT::compileGetDynamicVar): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + (JSC::DFG::JSValueRegsFlushedCallResult::JSValueRegsFlushedCallResult): + (JSC::DFG::JSValueRegsFlushedCallResult::regs): + +2017-12-21 Saam Barati + + lowering get_by_val to GetById inside bytecode parser should check for BadType exit kind + https://bugs.webkit.org/show_bug.cgi?id=181112 + + Reviewed by Mark Lam. + + The React subtest in Speedometer has a get_by_val it always converts + into a GetById in the DFG. This GetById always exits because of the incoming + identifier is a rope. This patch fixes this infinite exit loop + by only doing this transformation if we haven't exited due to BadType. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + +2017-12-21 Mark Lam + + Add WTF::PoisonedUniquePtr to replace std::unique_ptr when poisoning is desired. + https://bugs.webkit.org/show_bug.cgi?id=181062 + + + Reviewed by Chris Dumez. + + * runtime/JSCPoisonedPtr.cpp: + - Added a needed #include. + +2017-12-21 Jeremy Jones + + Update FULLSCREEN_API feature defines. + https://bugs.webkit.org/show_bug.cgi?id=181015 + + Reviewed by Tim Horton. + + Change enabled iphone sdk for FULLSCREEN_API. 
+ + * Configurations/FeatureDefines.xcconfig: + +2017-12-19 Yusuke Suzuki + + [JSC] Do not check isValid() in op_new_regexp + https://bugs.webkit.org/show_bug.cgi?id=180970 + + Reviewed by Saam Barati. + + We should not check `isValid()` inside op_new_regexp. + This simplifies the semantics of NewRegexp node in DFG. + + * bytecompiler/NodesCodegen.cpp: + (JSC::RegExpNode::emitBytecode): + * dfg/DFGMayExit.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewRegexp): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + +2017-12-20 Saam Barati + + GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell + https://bugs.webkit.org/show_bug.cgi?id=181054 + + Reviewed by Mark Lam. + + Speedometer's react subtest has a function that is in an OSR exit loop because + we used to unconditionally speculate cell for the operand to GetPropertyEnumerator. + This fix doesn't seem to speed up Speedometer at all, but it's good hygiene + for our compiler to not have this pathology. This patch adds a generic + GetPropertyEnumerator to prevent the exit loop. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2017-12-20 Daniel Bates + + Remove Alternative Presentation Button + https://bugs.webkit.org/show_bug.cgi?id=180500 + + + Reviewed by Simon Fraser. + + We no longer need the alternative presentation button. 
+ + * Configurations/FeatureDefines.xcconfig: + +2017-12-19 Saam Barati + + We forgot to do index masking for in bounds int32 arrays in the FTL + https://bugs.webkit.org/show_bug.cgi?id=180987 + + Reviewed by Keith Miller. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + +2017-12-19 Yusuke Suzuki + + [DFG][FTL] NewRegexp shoud be fast + https://bugs.webkit.org/show_bug.cgi?id=180960 + + Reviewed by Michael Saboff. + + When we encounter RegExp literal like /AAA/g, we need to create a RegExp object. + Typical idiom like `string.match(/regexp/)` requires RegExp object creation + every time. + + As a first step, this patch accelerates RegExp object creation by handling it + in DFG and FTL. In a subsequent patch, we would like to introduce PhantomNewRegexp + to remove unnecessary RegExp object creations. + + This patch improves SixSpeed/regex-u.{es5,es6}. + + baseline patched + + regex-u.es5 69.6759+-3.1951 ^ 53.1425+-2.0292 ^ definitely 1.3111x faster + regex-u.es6 129.5413+-5.4437 ^ 107.2105+-7.7775 ^ definitely 1.2083x faster + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewRegexp): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp): + * jit/JIT.h: + * jit/JITInlines.h: + (JSC::JIT::callOperation): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_new_regexp): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/RegExpObject.h: + (JSC::RegExpObject::offsetOfRegExp): + (JSC::RegExpObject::allocationSize): + +2017-12-19 Yusuke Suzuki + + Unreviewed, include YarrErrorCode.h in Yarr.h + https://bugs.webkit.org/show_bug.cgi?id=180966 + + * yarr/Yarr.h: + +2017-12-19 Yusuke Suzuki + + [YARR] Yarr should 
return ErrorCode instead of error messages (const char*) + https://bugs.webkit.org/show_bug.cgi?id=180966 + + Reviewed by Mark Lam. + + Currently, Yarr returns const char*` for an error message when needed. + But it is easier to handle error status if Yarr returns an error code + instead of `const char*`. + + In this patch, we introduce Yarr::ErrorCode. Yarr returns it instead of + `const char*`. `std::expected` would be appropriate + for the Yarr API interface. But it requires substantial changes removing + ErrorCode::NoError, so this patch just uses the current Yarr::ErrorCode as + a first step. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * inspector/ContentSearchUtilities.cpp: + (Inspector::ContentSearchUtilities::findMagicComment): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createRegExp): + * parser/Parser.cpp: + (JSC::Parser::parsePrimaryExpression): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createRegExp): + * runtime/RegExp.cpp: + (JSC::RegExp::RegExp): + (JSC::RegExp::byteCodeCompileIfNecessary): + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + * runtime/RegExp.h: + * yarr/RegularExpression.cpp: + (JSC::Yarr::RegularExpression::Private::Private): + (JSC::Yarr::RegularExpression::Private::compile): + * yarr/YarrErrorCode.cpp: Added. + (JSC::Yarr::errorMessage): + * yarr/YarrErrorCode.h: Copied from Source/JavaScriptCore/yarr/YarrSyntaxChecker.h. 
+ (JSC::Yarr::hasError): + * yarr/YarrParser.h: + (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate): + (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter): + (JSC::Yarr::Parser::Parser): + (JSC::Yarr::Parser::isIdentityEscapeAnError): + (JSC::Yarr::Parser::parseEscape): + (JSC::Yarr::Parser::parseCharacterClass): + (JSC::Yarr::Parser::parseParenthesesBegin): + (JSC::Yarr::Parser::parseParenthesesEnd): + (JSC::Yarr::Parser::parseQuantifier): + (JSC::Yarr::Parser::parseTokens): + (JSC::Yarr::Parser::parse): + (JSC::Yarr::Parser::tryConsumeUnicodeEscape): + (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression): + (JSC::Yarr::parse): + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor): + (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): + (JSC::Yarr::YarrPatternConstructor::setupOffsets): + (JSC::Yarr::YarrPattern::compile): + (JSC::Yarr::YarrPattern::YarrPattern): + (JSC::Yarr::YarrPattern::errorMessage): Deleted. + * yarr/YarrPattern.h: + (JSC::Yarr::YarrPattern::reset): + * yarr/YarrSyntaxChecker.cpp: + (JSC::Yarr::checkSyntax): + * yarr/YarrSyntaxChecker.h: + +2017-12-18 Saam Barati + + Follow up to bug#179762. Fix PreciseLocalClobberize to handle Spread/PhantomSpread(PhantomNewArrayBuffer) + + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + +2017-12-16 Filip Pizlo + + Vector index masking + https://bugs.webkit.org/show_bug.cgi?id=180909 + + Reviewed by Keith Miller. + + Adopt index masking for strings. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): + (JSC::DFG::SpeculativeJIT::compileGetByValOnString): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): + * jit/ThunkGenerators.cpp: + (JSC::stringCharLoad): + +2017-12-17 Yusuke Suzuki + + [FTL] NewArrayBuffer should be sinked if it is only used for spreading + https://bugs.webkit.org/show_bug.cgi?id=179762 + + Reviewed by Saam Barati. + + This patch extends arguments elimination phase to accept NewArrayBuffer. + We can convert NewArrayBuffer to PhantomNewArrayBuffer if it is only + used by spreading nodes. + + This improves SixSpeed spread.es6 by 3.5x. + + spread.es6 79.1496+-3.5665 ^ 23.6204+-1.8526 ^ definitely 3.3509x faster + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasNewArrayBufferData): + (JSC::DFG::Node::hasVectorLengthHint): + (JSC::DFG::Node::hasIndexingType): + (JSC::DFG::Node::indexingType): + (JSC::DFG::Node::hasCellOperand): + (JSC::DFG::Node::isPhantomAllocation): + * dfg/DFGNodeType.h: + * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: + (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGPromotedHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGPromotedHeapLocation.h: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + 
(JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationPopulateObjectInOSR): + (JSC::FTL::operationMaterializeObjectInOSR): + +2017-12-17 Yusuke Suzuki + + [JSC] Use IsoSpace for JSWeakMap and JSWeakSet to use finalizeUnconditionally + https://bugs.webkit.org/show_bug.cgi?id=180916 + + Reviewed by Darin Adler. + + This patch drops UnconditionalFinalizer for JSWeakMap and JSWeakSetby using IsoSpace. + Since these cells always require calling finalizeUnconditionally, we do not need to + track cells by using IsoCellSet. + + Currently we still have WeakReferenceHarvester in JSWeakMap and JSWeakSet. We should + avoid using a global linked-list for this in the future. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): + (JSC::Heap::finalizeUnconditionalFinalizers): + * heap/Heap.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/WeakMapImpl.cpp: + (JSC::WeakMapImpl::visitChildren): + (JSC::WeakMapImpl::finalizeUnconditionally): Deleted. + * runtime/WeakMapImpl.h: + (JSC::WeakMapImpl::isWeakMap): + (JSC::WeakMapImpl::isWeakSet): + (JSC::WeakMapImpl::subspaceFor): + * runtime/WeakMapImplInlines.h: Added. + (JSC::WeakMapImpl::finalizeUnconditionally): + +2017-12-17 Mark Lam + + Hollow out stub implementation of InspectorBackendDispatcher::sendResponse(). + https://bugs.webkit.org/show_bug.cgi?id=180901 + + + Reviewed by Darin Adler. 
+ + We only need to keep a deprecated implementation of InspectorValues, + InspectorObjects, and InspectorBackendDispatcher::sendResponse() around so that + older versions of Safari can link against and run with a build of the latest code + in WebKit trunk. Older versions of System Safari used InspectorValues (via + WebInspector.framework) for two things: + + 1. Augmented JSContexts SPIs (via WebInspector.framework). + 2. maybe WebDriver. + + Neither of these are used when running SafariForWebKitDevelopment. Since neither + are used, we can stub out the symbols (InspectorValues, InspectorObjects, + InspectorBackendDispatcher::sendResponse) to do nothing, and + SafariForWebKitDevelopment will still continue to launch with trunk WebKit, and + run without any observable bad behavior. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * SourcesCocoa.txt: + * inspector/InspectorBackendDispatcher.cpp: + * inspector/InspectorBackendDispatcher.h: + * inspector/cocoa/DeprecatedInspectorValues.cpp: + (Inspector::InspectorValue::null): + (Inspector::InspectorValue::create): + (Inspector::InspectorValue::asValue): + (Inspector::InspectorValue::asObject): + (Inspector::InspectorValue::asArray): + (Inspector::InspectorValue::parseJSON): + (Inspector::InspectorValue::toJSONString const): + (Inspector::InspectorValue::asBoolean const): + (Inspector::InspectorValue::asDouble const): + (Inspector::InspectorValue::asInteger const): + (Inspector::InspectorValue::asString const): + (Inspector::InspectorValue::writeJSON const): + (Inspector::InspectorValue::memoryCost const): + (Inspector::InspectorObjectBase::openAccessors): + (Inspector::InspectorObjectBase::memoryCost const): + (Inspector::InspectorObjectBase::getBoolean const): + (Inspector::InspectorObjectBase::getString const): + (Inspector::InspectorObjectBase::getObject const): + (Inspector::InspectorObjectBase::getArray const): + (Inspector::InspectorObjectBase::getValue const): + (Inspector::InspectorObjectBase::remove): + 
(Inspector::InspectorObject::create): + (Inspector::InspectorArrayBase::get const): + (Inspector::InspectorArrayBase::memoryCost const): + (Inspector::InspectorArray::create): + (Inspector::BackendDispatcher::sendResponse): + (Inspector::InspectorObjectBase::~InspectorObjectBase): Deleted. + (Inspector::InspectorObjectBase::asObject): Deleted. + (Inspector::InspectorObjectBase::writeJSON const): Deleted. + (Inspector::InspectorObjectBase::InspectorObjectBase): Deleted. + (Inspector::InspectorArrayBase::~InspectorArrayBase): Deleted. + (Inspector::InspectorArrayBase::asArray): Deleted. + (Inspector::InspectorArrayBase::writeJSON const): Deleted. + (Inspector::InspectorArrayBase::InspectorArrayBase): Deleted. + * inspector/cocoa/DeprecatedInspectorValues.h: Removed. + +2017-12-17 Yusuke Suzuki + + [JSC][WebCore][CSSJIT] Remove VM reference in CSSJIT + https://bugs.webkit.org/show_bug.cgi?id=180917 + + Reviewed by Sam Weinig. + + We do not need to hold JIT flags in VM. We add + static VM::{canUseJIT,canUseAssembler,canUseRegExpJIT} functions. 
+ + * interpreter/AbstractPC.cpp: + (JSC::AbstractPC::AbstractPC): + * jit/JITThunks.cpp: + (JSC::JITThunks::ctiNativeCall): + (JSC::JITThunks::ctiNativeConstruct): + (JSC::JITThunks::ctiNativeTailCall): + (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags): + (JSC::JITThunks::ctiInternalFunctionCall): + (JSC::JITThunks::ctiInternalFunctionConstruct): + (JSC::JITThunks::hostFunctionStub): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::setFunctionEntrypoint): + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::shouldJIT): + (JSC::LLInt::entryOSR): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + * runtime/VM.cpp: + (JSC::VM::canUseAssembler): + (JSC::VM::canUseJIT): + (JSC::VM::canUseRegExpJIT): + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::canUseJIT): Deleted. + (JSC::VM::canUseRegExpJIT): Deleted. + +2017-12-16 Yusuke Suzuki + + [JSC] Number of SlotVisitors can increase after setting up m_visitCounters + https://bugs.webkit.org/show_bug.cgi?id=180906 + + Reviewed by Filip Pizlo. + + The number of SlotVisitors can increase after setting up m_visitCounters. + If it happens, our m_visitCounters misses the visit count of newly added + SlotVisitors. It accidentally decides that constraints are converged. + This leads to random assertion hits in Linux environment. + + In this patch, we compare the number of SlotVisitors in didVisitSomething(). + If the number of SlotVisitors is changed, we conservatively say we did + visit something. + + * heap/Heap.h: + * heap/HeapInlines.h: + (JSC::Heap::numberOfSlotVisitors): + * heap/MarkingConstraintSet.h: + * heap/MarkingConstraintSolver.cpp: + (JSC::MarkingConstraintSolver::didVisitSomething const): + +2017-12-16 Keith Miller + + Indexing should only be computed when the new structure has an indexing header. 
+ https://bugs.webkit.org/show_bug.cgi?id=180895 + + Reviewed by Saam Barati. + + If we don't have an indexing header then we point the butterfly + sizeof(IndexingHeader) past the end of the butterfly. This makes + the computation of the offset simpler since it doesn't depend on + the indexing headeriness of the butterfly. + + * jit/JITOperations.cpp: + * runtime/JSObject.cpp: + (JSC::JSObject::createInitialUndecided): + (JSC::JSObject::createInitialInt32): + (JSC::JSObject::createInitialDouble): + (JSC::JSObject::createInitialContiguous): + (JSC::JSObject::createArrayStorage): + (JSC::JSObject::convertUndecidedToArrayStorage): + (JSC::JSObject::convertInt32ToArrayStorage): + (JSC::JSObject::convertDoubleToArrayStorage): + * runtime/JSObject.h: + (JSC::JSObject::setButterfly): + (JSC::JSObject::nukeStructureAndSetButterfly): + * runtime/JSObjectInlines.h: + (JSC::JSObject::prepareToPutDirectWithoutTransition): + (JSC::JSObject::putDirectInternal): + +2017-12-15 Ryan Haddad + + Unreviewed, rolling out r225941. + + This change introduced LayoutTest crashes and assertion + failures. + + Reverted changeset: + + "Web Inspector: replace HTMLCanvasElement with + CanvasRenderingContext for instrumentation logic" + https://bugs.webkit.org/show_bug.cgi?id=180770 + https://trac.webkit.org/changeset/225941 + +2017-12-15 Yusuke Suzuki + + Unreviewed, 32bit JSEmpty is not nullptr + CellTag + https://bugs.webkit.org/show_bug.cgi?id=180804 + + Add 32bit path for WeakMapGet. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileWeakMapGet): + +2017-12-14 Saam Barati + + The CleanUp after LICM is erroneously removing a Check + https://bugs.webkit.org/show_bug.cgi?id=180852 + + + Reviewed by Filip Pizlo. + + There was a bug where CleanUp phase relied on isProved() bits and LICM + changed them in an invalid way. The bug is as follows: + + We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested + inside of L1. 
We have a Check inside a node inside L1, say in basic block BB, + and that Check dominates all of L2. This is also a hoisting candidate, so we + hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at + the preheader for each loop inside L1, so P1 and P2. When considering P2, + we execute the Check. Inside P2, before any hoisting is done, this Check + is dead code, because BB dominates P2. When we use AI to "execute" the + Check, it'll set its proof status to proved. This is because inside P2, + in the program before LICM runs, the Check is indeed proven at P2. But + it is not proven inside P1. This "execute" call will set our proof status + for the node inside *P1*, hence, we crash. + + The fix here is to make LICM precise when updating the ProofStatus of an edge. + It can trust the AI state at the preheader it hoists the node to, but it can't + trust the state when executing effects inside inner loops's preheaders. + + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + +2017-12-14 David Kilzer + + Enable -Wstrict-prototypes for WebKit + + + + Rubber-stamped by Joseph Pecoraro. + + * API/tests/CompareAndSwapTest.h: + (testCompareAndSwap): Add 'void' to C function declaration. + * API/tests/ExecutionTimeLimitTest.h: + (testExecutionTimeLimit): Ditto. + * API/tests/FunctionOverridesTest.h: + (testFunctionOverrides): Ditto. + * API/tests/GlobalContextWithFinalizerTest.h: + (testGlobalContextWithFinalizer): Ditto. + * API/tests/JSONParseTest.h: + (testJSONParse): Ditto. + * API/tests/MultithreadedMultiVMExecutionTest.h: + (startMultithreadedMultiVMExecutionTest): Ditto. + (finalizeMultithreadedMultiVMExecutionTest): Ditto. + * API/tests/PingPongStackOverflowTest.h: + (testPingPongStackOverflow): Ditto. + * Configurations/Base.xcconfig: + (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES. 
+ +2017-12-14 Yusuke Suzuki + + [DFG] Reduce register pressure of WeakMapGet to be used for 32bit + https://bugs.webkit.org/show_bug.cgi?id=180804 + + Reviewed by Saam Barati. + + This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet. + + * dfg/DFGRegisterBank.h: + (JSC::DFG::RegisterBank::lockedCount const): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileWeakMapGet): + +2017-12-14 Keith Miller + + Unreviewed, forgot to add { } + + * runtime/JSObject.h: + (JSC::JSObject::setButterfly): + (JSC::JSObject::nukeStructureAndSetButterfly): + +2017-12-14 Devin Rousso + + Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic + https://bugs.webkit.org/show_bug.cgi?id=180770 + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Canvas.json: + +2017-12-14 Keith Miller + + Fix assertion in JSObject's structure setting methods + https://bugs.webkit.org/show_bug.cgi?id=180840 + + Reviewed by Mark Lam. + + I forgot that when Typed Arrays have non-indexed properties + added to them, they call the generic code. The generic code + in turn calls the regular structure setting methods. Thus, + these assertions were invalid and we should just avoid setting + the indexing mask if we have a Typed Array. + + * runtime/JSObject.h: + (JSC::JSObject::setButterfly): + (JSC::JSObject::nukeStructureAndSetButterfly): + +2017-12-14 Michael Saboff + + REGRESSION (r225695): Repro crash on yahoo login page + https://bugs.webkit.org/show_bug.cgi?id=180761 + + Reviewed by JF Bastien. + + Relanding r225695 with a fix. + + The fix is that we need to save the return address for a parentheses in + the ParenContext because it is actually used by any immediately contained + alternatives. + + Also did a little refactoring, changing occurances of PatternContext to + ParenContext since that is the name of the structure. 
+
+ * runtime/RegExp.cpp:
+ (JSC::byteCodeCompilePattern):
+ (JSC::RegExp::byteCodeCompileIfNecessary):
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+ * runtime/RegExp.h:
+ * runtime/RegExpInlines.h:
+ (JSC::RegExp::matchInline):
+ * testRegExp.cpp:
+ (parseRegExpLine):
+ (runFromFiles):
+ * yarr/Yarr.h:
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::ByteCompiler::compile):
+ (JSC::Yarr::ByteCompiler::dumpDisjunction):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
+ (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
+ (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
+ (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
+ (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
+ (JSC::Yarr::YarrGenerator::initParenContextFreeList):
+ (JSC::Yarr::YarrGenerator::allocateParenContext):
+ (JSC::Yarr::YarrGenerator::freeParenContext):
+ (JSC::Yarr::YarrGenerator::saveParenContext):
+ (JSC::Yarr::YarrGenerator::restoreParenContext):
+ (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
+ (JSC::Yarr::YarrGenerator::storeToFrame):
+ (JSC::Yarr::YarrGenerator::generateJITFailReturn):
+ (JSC::Yarr::YarrGenerator::clearMatches):
+ (JSC::Yarr::YarrGenerator::generate):
+ (JSC::Yarr::YarrGenerator::backtrack):
+ (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
+ (JSC::Yarr::YarrGenerator::generateEnter):
+ (JSC::Yarr::YarrGenerator::generateReturn):
+ (JSC::Yarr::YarrGenerator::YarrGenerator):
+ (JSC::Yarr::YarrGenerator::compile):
+ * yarr/YarrJIT.h:
+ (JSC::Yarr::YarrCodeBlock::execute):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::indentForNestingLevel):
+ (JSC::Yarr::dumpUChar32):
+
(JSC::Yarr::dumpCharacterClass): + (JSC::Yarr::PatternTerm::dump): + (JSC::Yarr::YarrPattern::dumpPattern): + * yarr/YarrPattern.h: + (JSC::Yarr::PatternTerm::containsAnyCaptures): + (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): + (JSC::Yarr::BackTrackInfoParentheses::beginIndex): + (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): + (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): + (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex): + (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted. + +2017-12-13 Keith Miller + + JSObjects should have a mask for loading indexed properties + https://bugs.webkit.org/show_bug.cgi?id=180768 + + Reviewed by Mark Lam. + + This patch adds a new member to JSObject that holds an indexing + mask. The indexing mask is bitwise anded with the index used to + load a property. If for whatever reason an attacker is able to + clobber the vectorLength of our butterfly they still won't be able + to read substantially past the end of the buttefly. For + performance reasons we don't use the indexing masking for + TypedArrays. Since TypedArrays are already gigacaged the risk of + wild reads is still restricted. + + This patch is a <1% regression on Speedometer and ~3% regression + on JetStream in my testing. 
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::urshiftPtr):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+ (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ (JSC::DFG::SpeculativeJIT::compileCreateActivation):
+ (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
+ * ftl/FTLAbstractHeap.cpp:
+ (JSC::FTL::IndexedAbstractHeap::baseIndex):
+ * ftl/FTLAbstractHeap.h:
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
+ (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+ (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::baseIndex):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
+ (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
+ (JSC::AssemblyHelpers::emitAllocateJSObject):
+ (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+ (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ (JSC::AssemblyHelpers::storeButterfly): Deleted.
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emit_op_create_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emit_op_create_this):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArrayStorage.h:
+ (JSC::ArrayStorage::availableVectorLength):
+ * runtime/Butterfly.h:
+ (JSC::ContiguousData::ContiguousData):
+ (JSC::ContiguousData::at const):
+ (JSC::ContiguousData::at):
+ (JSC::Butterfly::publicLength const):
+ (JSC::Butterfly::vectorLength const):
+ (JSC::Butterfly::computeIndexingMaskForVectorLength):
+ (JSC::Butterfly::computeIndexingMask):
+ (JSC::Butterfly::contiguousInt32):
+ (JSC::ContiguousData::operator[] const): Deleted.
+ (JSC::ContiguousData::operator[]): Deleted.
+ (JSC::Butterfly::publicLength): Deleted.
+ (JSC::Butterfly::vectorLength): Deleted.
+ * runtime/ButterflyInlines.h:
+ (JSC::ContiguousData::at const):
+ (JSC::ContiguousData::at):
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::createEmpty):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::tryCreateUninitializedRestricted):
+ (JSC::JSArray::appendMemcpy):
+ (JSC::JSArray::setLength):
+ (JSC::JSArray::pop):
+ (JSC::JSArray::fastSlice):
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::JSArrayBufferView):
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::pushInline):
+ * runtime/JSFixedArray.h:
+ (JSC::JSFixedArray::createFromArray):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::createInitialInt32):
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::createInitialForValueAndSet):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ (JSC::JSObject::countElements):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::reallocateAndShrinkButterfly):
+ (JSC::JSObject::getEnumerableLength):
+ * runtime/JSObject.h:
+ (JSC::JSObject::canGetIndexQuickly):
+ (JSC::JSObject::getIndexQuickly):
+ (JSC::JSObject::tryGetIndexQuickly const):
+
(JSC::JSObject::setIndexQuickly): + (JSC::JSObject::initializeIndex): + (JSC::JSObject::initializeIndexWithoutBarrier): + (JSC::JSObject::butterflyIndexingMaskOffset): + (JSC::JSObject::butterflyIndexingMask const): + (JSC::JSObject::setButterflyWithIndexingMask): + (JSC::JSObject::setButterfly): + (JSC::JSObject::nukeStructureAndSetButterfly): + (JSC::JSObject::JSObject): + * runtime/RegExpMatchesArray.h: + (JSC::tryCreateUninitializedRegExpMatchesArray): + * runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + +2017-12-14 David Kilzer + + REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project + + Fixes the following warning during builds: + + Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h + + * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate + entries for JSCPoisonedPtr.h. + +2017-12-14 David Kilzer + + REGRESSION (r225887): Build broke due to missing includes in InferredValue.h + + + * runtime/InferredValue.h: Attempt to fix build by adding + missing #include statements. + +2017-12-13 Filip Pizlo + + Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement + https://bugs.webkit.org/show_bug.cgi?id=180783 + + Reviewed by Saam Barati. + + This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case: + + BB#1: + a: Load(@x) + b: Load(@x) + c: Load(@b) + BB#2: + d: Load(@b) + BB#3: + e: Load(@b) + + Lets assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant + with both @c and @e. 
The problem is that by the time we get to @d, the CSE state will look like + this: + + BB#1: + a: Load(@x) + b: Load(@x) + c: Load(@a) + memoryAtTail: {@x=>@a, @a=>@c} + BB#2: + d: Load(@a) [sic] + memoryAtTail: {@b=>@d} + BB#3: + e: Load(@b) + memoryAtTail: {@b=>@e} [sic] + + Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a. + But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail + map, we don't find it and leave the redundancy. + + I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford + this. It fixes the richards regression, since richards is super dependent on B3 CSE. + + * b3/B3EliminateCommonSubexpressions.cpp: Logging. + * b3/B3Generate.cpp: + (JSC::B3::generateToAir): Fix the bug. + * b3/air/AirReportUsedRegisters.cpp: + (JSC::B3::Air::reportUsedRegisters): Logging. + * dfg/DFGByteCodeParser.cpp: + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read). + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read). + +2017-12-13 Joseph Pecoraro + + REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources + https://bugs.webkit.org/show_bug.cgi?id=180787 + + + Reviewed by Brian Burg. + + * inspector/ContentSearchUtilities.cpp: + (Inspector::ContentSearchUtilities::findMagicComment): + For empty / null strings just return. There is no use + trying to search them for a long common syntax. + +2017-12-13 Saam Barati + + Arrow functions need their own structure because they have different properties than sloppy functions + https://bugs.webkit.org/show_bug.cgi?id=180779 + + + Reviewed by Mark Lam. + + We were using the same structure for sloppy functions and + arrow functions. 
This broke our IC caching machinery because + these two types of functions actually have different properties. + This patch gives them different structures. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunction): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + * runtime/JSFunction.cpp: + (JSC::JSFunction::selectStructureForNewFuncExp): + (JSC::JSFunction::create): + * runtime/JSFunction.h: + * runtime/JSFunctionInlines.h: + (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::arrowFunctionStructure const): + +2017-12-12 Filip Pizlo + + InferredValue should use IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=180738 + + Reviewed by Keith Miller. + + This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of + its UnconditionalFinalizer. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * runtime/InferredValue.cpp: + (JSC::InferredValue::visitChildren): + (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted. + (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted. + (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted. + * runtime/InferredValue.h: + (JSC::InferredValue::subspaceFor): + * runtime/InferredValueInlines.h: Added. + (JSC::InferredValue::finalizeUnconditionally): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-12-13 Devin Rousso + + Web Inspector: add instrumentation for ImageBitmapRenderingContext + https://bugs.webkit.org/show_bug.cgi?id=180736 + + Reviewed by Joseph Pecoraro. 
+ + * inspector/protocol/Canvas.json: + * inspector/scripts/codegen/generator.py: + +2017-12-13 Saam Barati + + Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards + https://bugs.webkit.org/show_bug.cgi?id=180771 + + Reviewed by JF Bastien. + + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::run): + +2017-12-13 Saam Barati + + REGRESSION(r225844): Around 850 new JSC failures on 32-bit + https://bugs.webkit.org/show_bug.cgi?id=180764 + + Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms. + + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::run): + +2017-12-13 Michael Saboff + + Unreviewed rollout of r225695. Caused a crash on yahoo login page. + + That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761. + + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + (JSC::byteCodeCompilePattern): Deleted. + (JSC::RegExp::byteCodeCompileIfNecessary): Deleted. + * runtime/RegExp.h: + * runtime/RegExpInlines.h: + (JSC::RegExp::matchInline): + * testRegExp.cpp: + (parseRegExpLine): + (runFromFiles): + * yarr/Yarr.h: + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::ByteCompiler::compile): + (JSC::Yarr::ByteCompiler::dumpDisjunction): + (JSC::Yarr::ByteCompiler::emitDisjunction): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl): + (JSC::Yarr::YarrGenerator::generate): + (JSC::Yarr::YarrGenerator::backtrack): + (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): + (JSC::Yarr::YarrGenerator::generateEnter): + (JSC::Yarr::YarrGenerator::generateReturn): + (JSC::Yarr::YarrGenerator::YarrGenerator): + (JSC::Yarr::YarrGenerator::compile): + (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted. + (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted. + (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted. 
+ (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
+ (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
+ (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
+ (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
+ (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
+ (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
+ (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
+ (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
+ (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
+ (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
+ (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
+ (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
+ (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
+ * yarr/YarrJIT.h:
+ (JSC::Yarr::YarrCodeBlock::execute):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::indentForNestingLevel):
+ (JSC::Yarr::dumpUChar32):
+ (JSC::Yarr::PatternTerm::dump):
+ (JSC::Yarr::YarrPattern::dumpPattern):
+ (JSC::Yarr::dumpCharacterClass): Deleted.
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
+ (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
+ (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
+ (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
+ (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
+ (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
+ (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
+ (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
+
+2017-12-13 Mark Lam
+
+ Fill out some Poisoned APIs, fix some bugs, and add some tests.
+ https://bugs.webkit.org/show_bug.cgi?id=180724
+
+
+ Reviewed by JF Bastien.
+ + * runtime/StructureTransitionTable.h: + +2017-12-13 Caio Lima + + [ESNext][BigInt] Breking tests on Debug build and 32-bits due to missing Exception check + https://bugs.webkit.org/show_bug.cgi?id=180746 + + Reviewed by Saam Barati. + + We have some uncatched exceptions that could happen due to OOM into + JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patching is + catching such exceptions properly. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::allocateFor): + (JSC::JSBigInt::parseInt): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toStringSlowCase const): + +2017-12-13 Saam Barati + + Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties + https://bugs.webkit.org/show_bug.cgi?id=163579 + + + Reviewed by Mark Lam. + + Some functions in JavaScript do not have the "caller" and "arguments" properties. + For example, strict functions do not. When reading our code that dealt with these + types of functions, it was simply all wrong. We were doing weird things depending + on the method table hook. This patch fixes this by doing what we should've been + doing all along: when the JSFunction does not own the "caller"/"arguments" property, + it should defer to its base class implementation for the various method table hooks. + + * runtime/JSFunction.cpp: + (JSC::JSFunction::put): + (JSC::JSFunction::deleteProperty): + (JSC::JSFunction::defineOwnProperty): + +2017-12-13 Saam Barati + + TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this| + https://bugs.webkit.org/show_bug.cgi?id=180734 + + + Reviewed by Yusuke Suzuki. + + The |this| value may be TDZ. If type check hoisting phase + hoists a CheckStructure to it, it will crash. This patch + makes it so we emit CheckStructureOrEmpty for |this|. 
+ + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::run): + +2017-12-12 Yusuke Suzuki + + [JSC] Optimize Object.assign by single transition acceleration + https://bugs.webkit.org/show_bug.cgi?id=180644 + + Reviewed by Saam Barati. + + Handling single transition is critical. Since this get() function is only used + in Structure.cpp's 2 functions and it is quite small, we can annotate `inline` + to accelerate it. + + This improves SixSpeed/object-assign.es6 by 2.8%. + + baseline patched + + object-assign.es6 382.3548+-8.0461 371.6496+-5.7439 might be 1.0288x faster + + * runtime/Structure.cpp: + (JSC::StructureTransitionTable::get const): + +2017-12-12 Filip Pizlo + + Structure, StructureRareData, and PropertyTable should be in IsoSubspaces + https://bugs.webkit.org/show_bug.cgi?id=180732 + + Rubber stamped by Mark Lam. + + We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are + scalable enough to support that, so we should do it carefully. + + * heap/MarkedSpace.cpp: + * runtime/PropertyMapHashTable.h: + * runtime/Structure.h: + * runtime/StructureRareData.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-12-12 Saam Barati + + We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize + https://bugs.webkit.org/show_bug.cgi?id=180725 + + + Reviewed by Michael Saboff. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + +2017-12-12 Yusuke Suzuki + + [JSC] Implement optimized WeakMap and WeakSet + https://bugs.webkit.org/show_bug.cgi?id=179929 + + Reviewed by Saam Barati. + + This patch introduces WeakMapImpl to optimize WeakMap and WeakSet. + This is similar to HashMapImpl. But, + + 1. WeakMapImpl's bucket is not allocated in GC heap since WeakMap + do not need to have iterators. + + 2. 
WeakMapImpl's buffer is allocated in JSValue Gigacage instead + of auxiliary buffer. This is because we would like to allocate buffer + when finalizing GC. At that time, WeakMapImpl prunes dead entries and + shrink it if necessary. However, allocating from the GC heap during + finalization is not allowed. + + In particular, (2) is important since it ensures any WeakMap operations + do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap, + and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations + do not cause GC makes our implementation simple. To ensure this, we place + DisallowGC for each WeakMap's interface. + + In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes. + WeakMapGet looks up entry in WeakMapImpl and returns value. If it is + WeakMap, it returns value. And it returns key if it is WeakSet. If it + does not find a corresponding entry, it returns JSEmpty. + ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined. + + This patch improves WeakMap and WeakSet operations. 
+ + baseline patched + + weak-set-key 240.6932+-10.4923 ^ 148.7606+-6.1784 ^ definitely 1.6180x faster + weak-map-key 174.3176+-8.2680 ^ 151.7053+-6.8723 ^ definitely 1.1491x faster + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * dfg/DFGAbstractHeap.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet): + (JSC::DFG::SpeculativeJIT::compileWeakMapGet): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet): + (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::weakMapEntries): + (Inspector::JSInjectedScriptHost::weakSetEntries): + Existing code is incorrect. They can run GC and break WeakMap's iterator. + We introduce takeSnapshot function to WeakMapImpl, which retrieves live + entries without causing any GC. 
+
+ * runtime/HashMapImpl.h:
+ (JSC::shouldShrink):
+ (JSC::shouldRehashAfterAdd):
+ (JSC::nextCapacity):
+ (JSC::HashMapImpl::shouldRehashAfterAdd const):
+ (JSC::HashMapImpl::shouldShrink const):
+ (JSC::HashMapImpl::rehash):
+ (JSC::WeakMapHash::hash): Deleted.
+ (JSC::WeakMapHash::equal): Deleted.
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSWeakMap.cpp:
+ * runtime/JSWeakMap.h:
+ * runtime/JSWeakSet.cpp:
+ * runtime/JSWeakSet.h:
+ * runtime/VM.cpp:
+ * runtime/WeakGCMap.h:
+ (JSC::WeakGCMap::forEach): Deleted.
+ * runtime/WeakMapBase.cpp: Removed.
+ * runtime/WeakMapBase.h: Removed.
+ * runtime/WeakMapConstructor.cpp:
+ (JSC::constructWeakMap):
+ * runtime/WeakMapImpl.cpp: Added.
+ (JSC::WeakMapImpl::destroy):
+ (JSC::WeakMapImpl::visitChildren):
+ (JSC::WeakMapImpl::estimatedSize):
+ (JSC::WeakMapImpl>::visitWeakReferences):
+ (JSC::WeakMapImpl>::visitWeakReferences):
+ (JSC::WeakMapImpl::finalizeUnconditionally):
+ (JSC::WeakMapImpl>::takeSnapshot):
+ (JSC::WeakMapImpl>::takeSnapshot):
+ * runtime/WeakMapImpl.h: Added.
+ (JSC::jsWeakMapHash):
+ (JSC::nextCapacityAfterRemoveBatching):
+ (JSC::WeakMapBucket::setKey):
+ (JSC::WeakMapBucket::setValue):
+ (JSC::WeakMapBucket::key const):
+ (JSC::WeakMapBucket::value const):
+ (JSC::WeakMapBucket::copyFrom):
+ (JSC::WeakMapBucket::offsetOfKey):
+ (JSC::WeakMapBucket::offsetOfValue):
+ (JSC::WeakMapBucket::extractValue):
+ (JSC::WeakMapBucket::isEmpty):
+ (JSC::WeakMapBucket::deletedKey):
+ (JSC::WeakMapBucket::isDeleted):
+ (JSC::WeakMapBucket::makeDeleted):
+ (JSC::WeakMapBucket::visitAggregate):
+ (JSC::WeakMapBucket::clearValue):
+ (JSC::WeakMapBuffer::allocationSize):
+ (JSC::WeakMapBuffer::buffer const):
+ (JSC::WeakMapBuffer::create):
+ (JSC::WeakMapBuffer::reset):
+ (JSC::WeakMapImpl::WeakMapImpl):
+ (JSC::WeakMapImpl::finishCreation):
+ (JSC::WeakMapImpl::get):
+ (JSC::WeakMapImpl::has):
+ (JSC::WeakMapImpl::add):
+ (JSC::WeakMapImpl::remove):
+ (JSC::WeakMapImpl::size const):
+ (JSC::WeakMapImpl::offsetOfBuffer):
+ (JSC::WeakMapImpl::offsetOfCapacity):
+ (JSC::WeakMapImpl::findBucket):
+ (JSC::WeakMapImpl::buffer const):
+ (JSC::WeakMapImpl::forEach):
+ (JSC::WeakMapImpl::shouldRehashAfterAdd const):
+ (JSC::WeakMapImpl::shouldShrink const):
+ (JSC::WeakMapImpl::canUseBucket):
+ (JSC::WeakMapImpl::addInternal):
+ (JSC::WeakMapImpl::findBucketAlreadyHashed):
+ (JSC::WeakMapImpl::rehash):
+ (JSC::WeakMapImpl::checkConsistency const):
+ (JSC::WeakMapImpl::makeAndSetNewBuffer):
+ (JSC::WeakMapImpl::assertBufferIsEmpty const):
+ (JSC::WeakMapImpl::DeadKeyCleaner::target):
+ * runtime/WeakMapPrototype.cpp:
+ (JSC::WeakMapPrototype::finishCreation):
+ (JSC::protoFuncWeakMapGet):
+ (JSC::protoFuncWeakMapHas):
+ * runtime/WeakSetConstructor.cpp:
+ (JSC::constructWeakSet):
+ * runtime/WeakSetPrototype.cpp:
+ (JSC::WeakSetPrototype::finishCreation):
+ (JSC::protoFuncWeakSetHas):
+ (JSC::protoFuncWeakSetAdd):
+
+2017-12-11 Filip Pizlo
+
+ It should be possible to flag a cell for unconditional finalization
+
https://bugs.webkit.org/show_bug.cgi?id=180636 + + Reviewed by Saam Barati. + + UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a + global linked list - but they had some nice properties: + + - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you + survived and needed it. + -> Just needing it wasn't enough. + -> Just surviving wasn't enough. + + The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional + finalizer logic to be invoked. I think that's not great. InferredType got around this by + making InferredStructure a cell, but this was a gross hack. For one, it meant that + InferredStructure would survive during the GC in which its finalizer obviated the need for its + existence. It's not really an idiom I want us to repeat because it sounds like the sort of + thing that turns out to be subtly broken. + + We really need to have a way of indicating when you have entered into the state that requires + your unconditional finalizer to be invoked. Basically, we want to be able to track the set of + objects that need unconditional finalizers. Only the subset of that set that overlaps with the + set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of + bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and + another level to say which atoms within a MarkedBlock have unconditional finalizers. + + This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some + IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with + auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to + add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace, + you can add/remove/contains and forEachMarkedCell. 
The cost of each IsoCellSet is at worst + about 0.8% increase in size to every object in the subspace that the set is attached to. So, + it makes sense to have a handful per subspace max. This change only needs one per subspace, + but you could imagine more if we do this for WeakReferenceHarvester. + + To absolutely minimize the possibility that this incurs costs, the add/remove/contains + functions can be used from any thread so long as forEachMarkedCell isn't running. This means + that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to + both survive and need it for the hardest work to take place. The work of adding does involve + a gnarly load chain that ends in a CAS: load block handle from block, load index, load + segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads! + However, it's perfect for running in parallel since the only write operations are to widely + dispersed cache lines that contain the bits underlying the set. + + The best part is how forEachMarkedCell works. That skips blocks that don't have any objects + that need unconditional finalizers, and only touches the memory of marked objects that have + the unconditional finalizer bit set. It will walk those objects in roughly address order. I + previously found that this speeds up walking over a lot of objects when I made similar changes + for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a + HashSet). + + This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap. + + My expectation for this change is that it's perf-neutral. Long-term, it gives us a path + forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using + IsoSubspace in more places. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/AtomIndices.h: Added. 
+ (JSC::AtomIndices::AtomIndices):
+ * heap/Heap.cpp:
+ (JSC::Heap::finalizeUnconditionalFinalizers):
+ * heap/Heap.h:
+ * heap/IsoCellSet.cpp: Added.
+ (JSC::IsoCellSet::IsoCellSet):
+ (JSC::IsoCellSet::~IsoCellSet):
+ (JSC::IsoCellSet::addSlow):
+ (JSC::IsoCellSet::didResizeBits):
+ (JSC::IsoCellSet::didRemoveBlock):
+ (JSC::IsoCellSet::sweepToFreeList):
+ * heap/IsoCellSet.h: Added.
+ * heap/IsoCellSetInlines.h: Added.
+ (JSC::IsoCellSet::add):
+ (JSC::IsoCellSet::remove):
+ (JSC::IsoCellSet::contains const):
+ (JSC::IsoCellSet::forEachMarkedCell):
+ * heap/IsoSubspace.cpp:
+ (JSC::IsoSubspace::didResizeBits):
+ (JSC::IsoSubspace::didRemoveBlock):
+ (JSC::IsoSubspace::didBeginSweepingToFreeList):
+ * heap/IsoSubspace.h:
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::addBlock):
+ (JSC::MarkedAllocator::removeBlock):
+ * heap/MarkedAllocator.h:
+ * heap/MarkedAllocatorInlines.h:
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::sweep):
+ (JSC::MarkedBlock::Handle::isEmpty): Deleted.
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::marks const):
+ (JSC::MarkedBlock::Handle::newlyAllocated const):
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::isAllocated):
+ (JSC::MarkedBlock::Handle::isEmpty):
+ (JSC::MarkedBlock::Handle::emptyMode):
+ (JSC::MarkedBlock::Handle::forEachMarkedCell):
+ * heap/Subspace.cpp:
+ (JSC::Subspace::didResizeBits):
+ (JSC::Subspace::didRemoveBlock):
+ (JSC::Subspace::didBeginSweepingToFreeList):
+ * heap/Subspace.h:
+ * heap/SubspaceInlines.h:
+ (JSC::Subspace::forEachMarkedCell):
+ * runtime/InferredStructure.cpp:
+ (JSC::InferredStructure::InferredStructure):
+ (JSC::InferredStructure::create): Deleted.
+ (JSC::InferredStructure::destroy): Deleted.
+ (JSC::InferredStructure::createStructure): Deleted.
+ (JSC::InferredStructure::visitChildren): Deleted.
+ (JSC::InferredStructure::finalizeUnconditionally): Deleted.
+ (JSC::InferredStructure::finishCreation): Deleted.
+ * runtime/InferredStructure.h:
+ * runtime/InferredStructureWatchpoint.cpp:
+ (JSC::InferredStructureWatchpoint::fireInternal):
+ * runtime/InferredType.cpp:
+ (JSC::InferredType::visitChildren):
+ (JSC::InferredType::willStoreValueSlow):
+ (JSC::InferredType::makeTopSlow):
+ (JSC::InferredType::set):
+ (JSC::InferredType::removeStructure):
+ (JSC::InferredType::finalizeUnconditionally):
+ * runtime/InferredType.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2017-12-12 Saam Barati
+
+ ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
+ https://bugs.webkit.org/show_bug.cgi?id=180723
+
+
+ Reviewed by JF Bastien.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2017-12-04 Brian Burg
+
+ Web Inspector: modernize InjectedScript a bit
+ https://bugs.webkit.org/show_bug.cgi?id=180367
+
+ Reviewed by Timothy Hatcher.
+
+ Stop using out parameters passed by pointer, use references instead.
+ Stop using OptOutput in favor of std::optional where possible.
+ If there is only one out-parameter and a void return type, then return the value.
+
+ * inspector/InjectedScript.h:
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::evaluate):
+ (Inspector::InjectedScript::callFunctionOn):
+ (Inspector::InjectedScript::evaluateOnCallFrame):
+ (Inspector::InjectedScript::getFunctionDetails):
+ (Inspector::InjectedScript::functionDetails):
+ (Inspector::InjectedScript::getPreview):
+ (Inspector::InjectedScript::getProperties):
+ (Inspector::InjectedScript::getDisplayableProperties):
+ (Inspector::InjectedScript::getInternalProperties):
+ (Inspector::InjectedScript::getCollectionEntries):
+ (Inspector::InjectedScript::saveResult):
+ (Inspector::InjectedScript::setExceptionValue):
+ (Inspector::InjectedScript::clearExceptionValue):
+ (Inspector::InjectedScript::inspectObject):
+ (Inspector::InjectedScript::releaseObject):
+
+ * inspector/InjectedScriptBase.h:
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::InjectedScriptBase):
+ Declare m_environment with a default initializer.
+
+ (Inspector::InjectedScriptBase::makeCall):
+ (Inspector::InjectedScriptBase::makeEvalCall):
+ Just return the result, no need for an out-parameter.
+ Rearrange some code paths now that we can just return a result.
+ Return a Ref since it is either a result value or error value.
+ Use out_ prefixes in a few places to improve readability.
+ + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::getFunctionDetails): + (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): + * inspector/agents/InspectorHeapAgent.cpp: + (Inspector::InspectorHeapAgent::getPreview): + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::evaluate): + (Inspector::InspectorRuntimeAgent::callFunctionOn): + (Inspector::InspectorRuntimeAgent::getPreview): + (Inspector::InspectorRuntimeAgent::getProperties): + (Inspector::InspectorRuntimeAgent::getDisplayableProperties): + (Inspector::InspectorRuntimeAgent::getCollectionEntries): + (Inspector::InspectorRuntimeAgent::saveResult): + Adapt to InjectedScript changes. In some cases we need to bridge OptOutput + and std::optional until the former is removed from generated method signatures. + +2017-12-12 Caio Lima + + [ESNext][BigInt] Implement BigInt literals and JSBigInt + https://bugs.webkit.org/show_bug.cgi?id=179000 + + Reviewed by Darin Adler and Yusuke Suzuki. + + This patch starts the implementation of BigInt primitive on + JavaScriptCore. We are introducing BigInt primitive and + implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]] + field implemented contiguosly on memory as inline storage of JSBigInt to + take advantages on performance due to cache locality. The + implementation allows 64 or 32 bitwise arithmetic operations. + JSBigInt also has m_sign to store the sign of [[BigIntData]] and + m_length that keeps track of BigInt length. + The implementation is following the V8 one. [[BigIntData]] is manipulated + by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations. + We also have some operations to support arithmetics over digits. + + It is important to notice that on our representation, + JSBigInt::dataStorage()[0] represents the least significant digit and + JSBigInt::dataStorage()[m_length - 1] represents the most siginificant digit. 
+ + We are also introducing into this Patch the BigInt literals lexer and + syntax parsing support. The operation Strict Equals on BigInts is also being + implemented to enable tests. + These features are being implemented behind a runtime flage "--useBigInt" and + are disabled by default. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/CodeBlock.cpp: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEqualityOp): + (JSC::BytecodeGenerator::addBigIntConstant): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::BigIntEntryHash::hash): + (JSC::BytecodeGenerator::BigIntEntryHash::equal): + * bytecompiler/NodesCodegen.cpp: + (JSC::BigIntNode::jsValue const): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::isToThisAnIdentity): + * interpreter/Interpreter.cpp: + (JSC::sizeOfVarargs): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LowLevelInterpreter.asm: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createBigInt): + * parser/Lexer.cpp: + (JSC::Lexer::parseBinary): + (JSC::Lexer::parseOctal): + (JSC::Lexer::parseDecimal): + (JSC::Lexer::lex): + (JSC::Lexer::parseHex): Deleted. + * parser/Lexer.h: + * parser/NodeConstructors.h: + (JSC::BigIntNode::BigIntNode): + * parser/Nodes.h: + (JSC::ExpressionNode::isBigInt const): + (JSC::BigIntNode::value): + * parser/Parser.cpp: + (JSC::Parser::parsePrimaryExpression): + * parser/ParserTokens.h: + * parser/ResultType.h: + (JSC::ResultType::definitelyIsBigInt const): + (JSC::ResultType::mightBeBigInt const): + (JSC::ResultType::isNotBigInt const): + (JSC::ResultType::addResultType): + (JSC::ResultType::bigIntType): + (JSC::ResultType::forAdd): + (JSC::ResultType::forLogicalOp): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createBigInt): + * runtime/CommonIdentifiers.h: + * runtime/JSBigInt.cpp: Added. 
+ (JSC::JSBigInt::visitChildren):
+ (JSC::JSBigInt::JSBigInt):
+ (JSC::JSBigInt::initialize):
+ (JSC::JSBigInt::createStructure):
+ (JSC::JSBigInt::createZero):
+ (JSC::JSBigInt::allocationSize):
+ (JSC::JSBigInt::createWithLength):
+ (JSC::JSBigInt::finishCreation):
+ (JSC::JSBigInt::toPrimitive const):
+ (JSC::JSBigInt::singleDigitValueForString):
+ (JSC::JSBigInt::parseInt):
+ (JSC::JSBigInt::toString):
+ (JSC::JSBigInt::isZero):
+ (JSC::JSBigInt::inplaceMultiplyAdd):
+ (JSC::JSBigInt::digitAdd):
+ (JSC::JSBigInt::digitSub):
+ (JSC::JSBigInt::digitMul):
+ (JSC::JSBigInt::digitPow):
+ (JSC::JSBigInt::digitDiv):
+ (JSC::JSBigInt::internalMultiplyAdd):
+ (JSC::JSBigInt::equalToBigInt):
+ (JSC::JSBigInt::absoluteDivSmall):
+ (JSC::JSBigInt::calculateMaximumCharactersRequired):
+ (JSC::JSBigInt::toStringGeneric):
+ (JSC::JSBigInt::rightTrim):
+ (JSC::JSBigInt::allocateFor):
+ (JSC::JSBigInt::estimatedSize):
+ (JSC::JSBigInt::toNumber const):
+ (JSC::JSBigInt::getPrimitiveNumber const):
+ * runtime/JSBigInt.h: Added.
+ (JSC::JSBigInt::setSign): + (JSC::JSBigInt::sign const): + (JSC::JSBigInt::setLength): + (JSC::JSBigInt::length const): + (JSC::JSBigInt::parseInt): + (JSC::JSBigInt::offsetOfData): + (JSC::JSBigInt::dataStorage): + (JSC::JSBigInt::digit): + (JSC::JSBigInt::setDigit): + (JSC::asBigInt): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::synthesizePrototype const): + (JSC::JSValue::toStringSlowCase const): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isBigInt const): + (JSC::JSValue::strictEqualSlowCaseInline): + * runtime/JSCell.cpp: + (JSC::JSCell::put): + (JSC::JSCell::putByIndex): + (JSC::JSCell::toPrimitive const): + (JSC::JSCell::getPrimitiveNumber const): + (JSC::JSCell::toNumber const): + (JSC::JSCell::toObjectSlow const): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isBigInt const): + * runtime/JSType.h: + * runtime/MathCommon.h: + (JSC::clz64): + * runtime/NumberPrototype.cpp: + * runtime/Operations.cpp: + (JSC::jsTypeStringForValue): + (JSC::jsIsObjectTypeOrNull): + * runtime/Options.h: + * runtime/ParseInt.h: + * runtime/SmallStrings.h: + (JSC::SmallStrings::typeString const): + * runtime/StructureInlines.h: + (JSC::prototypeForLookupPrimitiveImpl): + * runtime/TypeofType.cpp: + (WTF::printInternal): + * runtime/TypeofType.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-12-12 Guillaume Emont + + LLInt: reserve 16 bytes of stack on MIPS for native calls + https://bugs.webkit.org/show_bug.cgi?id=180653 + + Reviewed by Carlos Alberto Lopez Perez. + + * llint/LowLevelInterpreter32_64.asm: + On MIPS, substract 24 from the stack pointer (16 for calling + convention + 8 to be 16-aligned) instead of the 8 on other platforms + (for alignment). + +2017-12-12 Yusuke Suzuki + + [WTF] Thread::create should have Thread::tryCreate + https://bugs.webkit.org/show_bug.cgi?id=180333 + + Reviewed by Darin Adler. 
+ + * assembler/testmasm.cpp: + (JSC::run): + * b3/air/testair.cpp: + * b3/testb3.cpp: + (JSC::B3::run): + * jsc.cpp: + (functionDollarAgentStart): + +2017-12-11 Michael Saboff + + REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds + https://bugs.webkit.org/show_bug.cgi?id=180685 + + Reviewed by Saam Barati. + + The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused + the character class check to return true without reading the character. Given that + the character could be a surrogate pair, we need to read the character even if we + don't have the check it. + + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::testCharacterClass): + (JSC::Yarr::Interpreter::checkCharacterClass): + +2017-12-11 Saam Barati + + We need to disableCaching() in ErrorInstance when we materialize properties + https://bugs.webkit.org/show_bug.cgi?id=180343 + + + Reviewed by Mark Lam. + + This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching + on puts() to a property that we lazily materialized. Forgetting to do this goes against the + PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition + from a Structure A to a Structure B. However, we were telling the IC that we were caching an + existing property only found on Structure B. This is obviously wrong as it would lead to an + OOB store if we didn't already crash when generating the IC. + + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::materializeErrorInfoIfNeeded): + (JSC::ErrorInstance::put): + * runtime/ErrorInstance.h: + * runtime/Structure.cpp: + (JSC::Structure::didCachePropertyReplacement): + +2017-12-11 Fujii Hironori + + [WinCairo] DLLLauncherMain should use SetDllDirectory + https://bugs.webkit.org/show_bug.cgi?id=180642 + + Reviewed by Alex Christensen. + + Windows have icuuc.dll in the system directory. 
WebKit should find + one in WebKitLibraries directory, not one in the system directory. + + * shell/DLLLauncherMain.cpp: + (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path. + +2017-12-11 Eric Carlson + + Web Inspector: Optionally log WebKit log parameters as JSON + https://bugs.webkit.org/show_bug.cgi?id=180529 + + + Reviewed by Joseph Pecoraro. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log + values. Concatenate all adjacent strings to make logging cleaner. + (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments. + (Inspector::ConsoleMessage::scriptState const): + * inspector/ConsoleMessage.h: + + * inspector/InjectedScript.cpp: + (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments. + * inspector/InjectedScript.h: + * inspector/InjectedScriptSource.js: + (let.InjectedScript.prototype.wrapJSONString): + +2017-12-11 Joseph Pecoraro + + Remove unused builtin names + https://bugs.webkit.org/show_bug.cgi?id=180673 + + Reviewed by Keith Miller. + + * builtins/BuiltinNames.h: + +2017-12-11 David Quesada + + Turn on ENABLE_APPLICATION_MANIFEST + https://bugs.webkit.org/show_bug.cgi?id=180562 + rdar://problem/35924737 + + Reviewed by Geoffrey Garen. + + * Configurations/FeatureDefines.xcconfig: + +2017-12-10 Filip Pizlo + + Harden a few assertions in GC sweep + https://bugs.webkit.org/show_bug.cgi?id=180634 + + Reviewed by Saam Barati. + + This turns one dynamic check into a release assertion and upgrades another assertion to a release + assertion. + + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::sweep): + +2017-12-10 Konstantin Tokarev + + [python] Modernize "except" usage for python3 compatibility + https://bugs.webkit.org/show_bug.cgi?id=180612 + + Reviewed by Michael Catanzaro. 
+ + * inspector/scripts/generate-inspector-protocol-bindings.py: + +2017-12-05 Filip Pizlo + + InferredType should not use UnconditionalFinalizer + https://bugs.webkit.org/show_bug.cgi?id=180456 + + Reviewed by Saam Barati. + + This turns InferredStructure into a cell so that we can unconditionally finalize them without + having to add things to the UnconditionalFinalizer list. I'm removing all uses of + UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage + them are a top cause of lock contention in the parallel GC. Also, we don't need those data + structures if we use IsoSubspaces, subspace iteration, and marking constraints. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * heap/Heap.h: + * runtime/InferredStructure.cpp: Added. + (JSC::InferredStructure::create): + (JSC::InferredStructure::destroy): + (JSC::InferredStructure::createStructure): + (JSC::InferredStructure::visitChildren): + (JSC::InferredStructure::finalizeUnconditionally): + (JSC::InferredStructure::InferredStructure): + (JSC::InferredStructure::finishCreation): + * runtime/InferredStructure.h: Added. + * runtime/InferredStructureWatchpoint.cpp: Added. + (JSC::InferredStructureWatchpoint::fireInternal): + * runtime/InferredStructureWatchpoint.h: Added. + * runtime/InferredType.cpp: + (JSC::InferredType::visitChildren): + (JSC::InferredType::willStoreValueSlow): + (JSC::InferredType::makeTopSlow): + (JSC::InferredType::set): + (JSC::InferredType::removeStructure): + (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted. + (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted. + (JSC::InferredType::InferredStructure::InferredStructure): Deleted. 
+ * runtime/InferredType.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-12-09 Konstantin Tokarev + + [python] Replace print >> operator with print() function for python3 compatibility + https://bugs.webkit.org/show_bug.cgi?id=180611 + + Reviewed by Michael Catanzaro. + + * Scripts/make-js-file-arrays.py: + (main): + +2017-12-08 Joseph Pecoraro + + ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com + https://bugs.webkit.org/show_bug.cgi?id=180520 + + + Reviewed by Brian Burg. + + * inspector/protocol/ServiceWorker.json: + Include content script content in the initialization info. + +2017-12-08 Konstantin Tokarev + + [python] Replace print operator with print() function for python3 compatibility + https://bugs.webkit.org/show_bug.cgi?id=180592 + + Reviewed by Michael Catanzaro. + + * Scripts/generateYarrUnicodePropertyTables.py: + (openOrExit): + (verifyUCDFilesExist): + (Aliases.parsePropertyAliasesFile): + (Aliases.parsePropertyValueAliasesFile): + * Scripts/make-js-file-arrays.py: + (main): + * generate-bytecode-files: + +2017-12-08 Mark Lam + + Need to unpoison native function pointers for CLoop. + https://bugs.webkit.org/show_bug.cgi?id=180601 + + + Reviewed by JF Bastien. + + * llint/LowLevelInterpreter64.asm: + +2017-12-08 Michael Saboff + + YARR: JIT RegExps with greedy parenthesized sub patterns + https://bugs.webkit.org/show_bug.cgi?id=180538 + + Reviewed by JF Bastien. + + This patch adds JIT support for regular expressions containing greedy counted + parenthesis. An example expression that couldn't be JIT'ed before is /q(a|b)*q/. + + Just like in the interpreter, expressions with nested parenthetical subpatterns + require saving the results of previous matches of the parentheses contents along + with any associated state. This saved state is needed in the case that we need + to backtrack. 
This state is called ParenContext within the code space allocated + for this ParenContext is managed using a simple block allocator within the JIT'ed + code. The raw space managed by this allocator is passed into the JIT'ed function. + + Since this fixed sized space may be exceeded, this patch adds a fallback mechanism. + If the JIT'ed code exhausts all its ParenContext space, it returns a new error + JSRegExpJITCodeFailure. The caller will then bytecompile and interpret the + expression. + + Due to increased register usage by the parenthesis handling code, the use of + registers by the JIT engine was restructured, with registers used for Unicode + pattern matching replaced with constants. + + Reworked some of the context structures that are used across the interpreter + and JIT implementations to make them a little more uniform and to handle the + needs of JIT'ing the new parentheses forms. + + To help with development and debugging of this code, compiled patterns dumping + code was enhanced. Also added the ability to also dump interpreter ByteCodes. 
+
+ * runtime/RegExp.cpp:
+ (JSC::byteCodeCompilePattern):
+ (JSC::RegExp::byteCodeCompileIfNecessary):
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+ * runtime/RegExp.h:
+ * runtime/RegExpInlines.h:
+ (JSC::RegExp::matchInline):
+ * testRegExp.cpp:
+ (parseRegExpLine):
+ (runFromFiles):
+ * yarr/Yarr.h:
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::ByteCompiler::compile):
+ (JSC::Yarr::ByteCompiler::dumpDisjunction):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
+ (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
+ (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
+ (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
+ (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
+ (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
+ (JSC::Yarr::YarrGenerator::initParenContextFreeList):
+ (JSC::Yarr::YarrGenerator::allocatePatternContext):
+ (JSC::Yarr::YarrGenerator::freePatternContext):
+ (JSC::Yarr::YarrGenerator::savePatternContext):
+ (JSC::Yarr::YarrGenerator::restorePatternContext):
+ (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
+ (JSC::Yarr::YarrGenerator::storeToFrame):
+ (JSC::Yarr::YarrGenerator::generateJITFailReturn):
+ (JSC::Yarr::YarrGenerator::clearMatches):
+ (JSC::Yarr::YarrGenerator::generate):
+ (JSC::Yarr::YarrGenerator::backtrack):
+ (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
+ (JSC::Yarr::YarrGenerator::generateEnter):
+ (JSC::Yarr::YarrGenerator::generateReturn):
+ (JSC::Yarr::YarrGenerator::YarrGenerator):
+ (JSC::Yarr::YarrGenerator::compile):
+ * yarr/YarrJIT.h:
+ (JSC::Yarr::YarrCodeBlock::execute):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::indentForNestingLevel):
+ (JSC::Yarr::dumpUChar32):
+ (JSC::Yarr::dumpCharacterClass):
+
(JSC::Yarr::PatternTerm::dump): + (JSC::Yarr::YarrPattern::dumpPattern): + * yarr/YarrPattern.h: + (JSC::Yarr::PatternTerm::containsAnyCaptures): + (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): + (JSC::Yarr::BackTrackInfoParentheses::beginIndex): + (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): + (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): + (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): + (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted. + +2017-12-08 Joseph Pecoraro + + Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages + https://bugs.webkit.org/show_bug.cgi?id=180590 + + + Reviewed by Mark Lam. + + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + Swap the messages to a Vector that won't change during iteration. + +2017-12-08 Michael Saboff + + YARR: Coalesce constructed character classes + https://bugs.webkit.org/show_bug.cgi?id=180537 + + Reviewed by JF Bastien. + + When adding characters or character ranges to a character class being constructed, + we now coalesce adjacent characters and character ranges. When we create a + character class after construction is complete, we do a final coalescing pass + across the character list and ranges to catch any remaining coalescing + opportunities. + + Added an optimization for character classes that will match any character. + This is somewhat common in code created before the /s (dotAll) flag was added + to the engine. 
+
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::checkCharacterClass):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
+ (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
+ (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
+ (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
+ (JSC::Yarr::CharacterClassConstructor::reset):
+ (JSC::Yarr::CharacterClassConstructor::charClass):
+ (JSC::Yarr::CharacterClassConstructor::addSorted):
+ (JSC::Yarr::CharacterClassConstructor::addSortedRange):
+ (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
+ (JSC::Yarr::CharacterClassConstructor::coalesceTables):
+ (JSC::Yarr::CharacterClassConstructor::anyCharacter):
+ (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
+ (JSC::Yarr::PatternTerm::dump):
+ (JSC::Yarr::anycharCreate):
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::CharacterClass::CharacterClass):
+
+2017-12-07 Saam Barati
+
+ Modify our dollar VM clflush intrinsic to aid in some perf testing
+ https://bugs.webkit.org/show_bug.cgi?id=180559
+
+ Reviewed by Mark Lam.
+
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCpuClflush):
+ (JSC::functionDeltaBetweenButterflies):
+ (JSC::JSDollarVM::finishCreation):
+
+2017-12-07 Eric Carlson
+
+ Simplify log channel configuration UI
+ https://bugs.webkit.org/show_bug.cgi?id=180527
+
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/protocol/Console.json:
+
+2017-12-07 Mark Lam
+
+ Apply poisoning to some native code pointers.
+ https://bugs.webkit.org/show_bug.cgi?id=180541
+
+
+ Reviewed by Filip Pizlo.
+
+ Renamed g_classInfoPoison to g_globalDataPoison.
+ Renamed g_masmPoison to g_jitCodePoison.
+ Introduced g_nativeCodePoison.
+ Applied g_nativeCodePoison to poisoning some native code pointers.
+ + Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers + to malloc allocated data structures (where needed). + + * API/JSCallbackFunction.h: + (JSC::JSCallbackFunction::functionCallback): + * JavaScriptCore.xcodeproj/project.pbxproj: + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): + * llint/LowLevelInterpreter64.asm: + * runtime/CustomGetterSetter.h: + (JSC::CustomGetterSetter::getter const): + (JSC::CustomGetterSetter::setter const): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::getCallData): + (JSC::InternalFunction::getConstructData): + * runtime/InternalFunction.h: + (JSC::InternalFunction::nativeFunctionFor): + * runtime/JSCPoison.h: Added. + * runtime/JSCPoisonedPtr.cpp: + (JSC::initializePoison): + * runtime/JSCPoisonedPtr.h: + * runtime/Lookup.h: + * runtime/NativeExecutable.cpp: + (JSC::NativeExecutable::hashFor const): + * runtime/NativeExecutable.h: + * runtime/Structure.cpp: + (JSC::StructureTransitionTable::setSingleTransition): + * runtime/StructureTransitionTable.h: + (JSC::StructureTransitionTable::StructureTransitionTable): + (JSC::StructureTransitionTable::isUsingSingleSlot const): + (JSC::StructureTransitionTable::map const): + (JSC::StructureTransitionTable::weakImpl const): + (JSC::StructureTransitionTable::setMap): + +2017-12-07 Joseph Pecoraro + + Web Inspector: Fix style in remote inspector classes + https://bugs.webkit.org/show_bug.cgi?id=180545 + + Reviewed by Youenn Fablet. + + * inspector/remote/RemoteControllableTarget.h: + * inspector/remote/RemoteInspectionTarget.h: + * runtime/JSGlobalObjectDebuggable.h: + +2017-12-07 Per Arne Vollan + + Use fastAlignedFree to free aligned memory. + https://bugs.webkit.org/show_bug.cgi?id=180540 + + Reviewed by Saam Barati. + + * heap/IsoAlignedMemoryAllocator.cpp: + (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator): + +2017-12-07 Matt Lewis + + Unreviewed, rolling out r225634. + + This caused layout tests to time out. 
+ + Reverted changeset: + + "Simplify log channel configuration UI" + https://bugs.webkit.org/show_bug.cgi?id=180527 + https://trac.webkit.org/changeset/225634 + +2017-12-07 Eric Carlson + + Simplify log channel configuration UI + https://bugs.webkit.org/show_bug.cgi?id=180527 + + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Console.json: + +2017-12-07 Mark Lam + + [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned. + https://bugs.webkit.org/show_bug.cgi?id=180514 + + Reviewed by Saam Barati and JF Bastien. + + Re-landing r225620 with speculative build fix for GCC 7. + + * API/JSCallbackObject.h: + * API/JSObjectRef.cpp: + (classInfoPrivate): + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/MacroAssemblerCodeRef.h: + (JSC::FunctionPtr::FunctionPtr): + (JSC::FunctionPtr::value const): + (JSC::FunctionPtr::executableAddress const): + (JSC::ReturnAddressPtr::ReturnAddressPtr): + (JSC::ReturnAddressPtr::value const): + (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): + (JSC::MacroAssemblerCodePtr::createFromExecutableAddress): + (JSC::MacroAssemblerCodePtr::poisonedPtr const): + (JSC::MacroAssemblerCodePtr:: const): + (JSC::MacroAssemblerCodePtr::operator! const): + (JSC::MacroAssemblerCodePtr::operator== const): + (JSC::MacroAssemblerCodePtr::emptyValue): + (JSC::MacroAssemblerCodePtr::deletedValue): + (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted. 
+ * b3/B3LowerMacros.cpp: + * b3/testb3.cpp: + (JSC::B3::testInterpreter): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkArray): + (JSC::DFG::SpeculativeJIT::compileCheckSubClass): + (JSC::DFG::SpeculativeJIT::compileNewStringObject): + (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitAllocateDestructibleObject): + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass): + * jit/ThunkGenerators.cpp: + (JSC::virtualThunkFor): + (JSC::boundThisNoArgsFunctionCallGenerator): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::handleHostCall): + (JSC::LLInt::setUpCall): + * llint/LowLevelInterpreter64.asm: + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp. + (JSC::initializePoison): + (JSC::initializeScrambledPtrKeys): Deleted. + * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h. + * runtime/JSCScrambledPtr.cpp: Removed. + * runtime/JSCScrambledPtr.h: Removed. + * runtime/JSDestructibleObject.h: + (JSC::JSDestructibleObject::classInfo const): + * runtime/JSSegmentedVariableObject.h: + (JSC::JSSegmentedVariableObject::classInfo const): + * runtime/Structure.h: + * runtime/VM.h: + +2017-12-07 Michael Catanzaro + + Unreviewed, rolling out r225620 + https://bugs.webkit.org/show_bug.cgi?id=180514 + + + It broke the build with GCC 7, and I don't know how to fix it. 
+
+ * API/JSCallbackObject.h:
+ * API/JSObjectRef.cpp:
+ (classInfoPrivate):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::FunctionPtr::FunctionPtr):
+ (JSC::FunctionPtr::value const):
+ (JSC::FunctionPtr::executableAddress const):
+ (JSC::ReturnAddressPtr::ReturnAddressPtr):
+ (JSC::ReturnAddressPtr::value const):
+ (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+ (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+ (JSC::MacroAssemblerCodePtr::scrambledPtr const):
+ (JSC::MacroAssemblerCodePtr:: const):
+ (JSC::MacroAssemblerCodePtr::operator! const):
+ (JSC::MacroAssemblerCodePtr::operator== const):
+ (JSC::MacroAssemblerCodePtr::emptyValue):
+ (JSC::MacroAssemblerCodePtr::deletedValue):
+ (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
+ * b3/B3LowerMacros.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testInterpreter):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::setUpCall):
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
+ (JSC::initializeScrambledPtrKeys):
+ * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSDestructibleObject::classInfo const):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::classInfo const):
+ * runtime/Structure.h:
+ * runtime/VM.h:
+
+2017-12-06 Mark Lam
+
+ Refactoring: Rename ScrambledPtr to Poisoned.
+ https://bugs.webkit.org/show_bug.cgi?id=180514
+
+ Reviewed by Saam Barati.
+
+ * API/JSCallbackObject.h:
+ * API/JSObjectRef.cpp:
+ (classInfoPrivate):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::FunctionPtr::FunctionPtr):
+ (JSC::FunctionPtr::value const):
+ (JSC::FunctionPtr::executableAddress const):
+ (JSC::ReturnAddressPtr::ReturnAddressPtr):
+ (JSC::ReturnAddressPtr::value const):
+ (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+ (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+ (JSC::MacroAssemblerCodePtr::poisonedPtr const):
+ (JSC::MacroAssemblerCodePtr:: const):
+ (JSC::MacroAssemblerCodePtr::operator! const):
+ (JSC::MacroAssemblerCodePtr::operator== const):
+ (JSC::MacroAssemblerCodePtr::emptyValue):
+ (JSC::MacroAssemblerCodePtr::deletedValue):
+ (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
+ * b3/B3LowerMacros.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testInterpreter):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::setUpCall):
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
+ (JSC::initializePoison):
+ (JSC::initializeScrambledPtrKeys): Deleted.
+ * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
+ * runtime/JSCScrambledPtr.cpp: Removed.
+ * runtime/JSCScrambledPtr.h: Removed.
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSDestructibleObject::classInfo const):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::classInfo const):
+ * runtime/Structure.h:
+ * runtime/VM.h:
+
+2017-12-02 Darin Adler
+
+ Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
+ https://bugs.webkit.org/show_bug.cgi?id=180009
+
+ Reviewed by Alex Christensen.
+
+ * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
+ * bytecode/CodeBlock.cpp: Ditto.
+ * bytecode/ExecutionCounter.cpp: Ditto.
+ * runtime/ConfigFile.cpp: Ditto.
+ * runtime/DatePrototype.cpp: Ditto.
+ * runtime/IndexingType.cpp: Ditto.
+ * runtime/JSCJSValue.cpp: Ditto.
+ * runtime/JSDateMath.cpp: Ditto.
+ * runtime/JSGlobalObjectFunctions.cpp: Ditto.
+ * runtime/Options.cpp: Ditto.
+ (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
+
+2017-12-06 Saam Barati
+
+ ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
+ https://bugs.webkit.org/show_bug.cgi?id=180438
+
+
+ Reviewed by Yusuke Suzuki.
+
+ A couple inspector methods that take stacktraces need
+ to grab the JSLock.
+
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStack):
+ (Inspector::createScriptCallStackForConsole):
+
+2017-12-05 Stephan Szabo
+
+ Switch windows build to Visual Studio 2017
+ https://bugs.webkit.org/show_bug.cgi?id=172412
+
+ Reviewed by Per Arne Vollan.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.proj:
+
+2017-12-05 JF Bastien
+
+ WebAssembly: don't eagerly checksum
+ https://bugs.webkit.org/show_bug.cgi?id=180441
+
+
+ Reviewed by Saam Barati.
+
+ Make checksumming of module optional for now. The bots think the
+ checksum hurt compile-time. I'd measured it and couldn't see a
+ difference, and still can't at this point in time, but we'll see
+ if disabling it fixes the bots. If so then I can make it lazy upon
+ first backtrace construction, or I can try out MD5 instead of
+ SHA1.
+
+ * runtime/Options.h:
+ * wasm/WasmModuleInformation.cpp:
+ (JSC::Wasm::ModuleInformation::ModuleInformation):
+ * wasm/WasmModuleInformation.h:
+ * wasm/WasmNameSection.h:
+ (JSC::Wasm::NameSection::NameSection):
+
+2017-12-05 Filip Pizlo
+
+ IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
+ https://bugs.webkit.org/show_bug.cgi?id=180425
+
+ Reviewed by Saam Barati.
+
+ Failure to do so causes leaks after starting workers.
+
+ * heap/IsoAlignedMemoryAllocator.cpp:
+ (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+ (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+
+2017-12-05 Per Arne Vollan
+
+ [Win64] Compile error in testmasm.cpp.
+ https://bugs.webkit.org/show_bug.cgi?id=180436
+
+ Reviewed by Mark Lam.
+
+ Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
+
+ * assembler/testmasm.cpp:
+ (JSC::testGetEffectiveAddress):
+
+2017-12-01 Filip Pizlo
+
+ GC constraint solving should be parallel
+ https://bugs.webkit.org/show_bug.cgi?id=179934
+
+ Reviewed by JF Bastien.
+
+ This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
+ speed-up. It's more than 1% on trunk-Speedometer.
+
+ The constraint solver supports running constraints in parallel in two different ways:
+
+ - Run multiple constraints in parallel to each other. This only works for constraints that can
+ tolerate other constraints running concurrently to them (constraint.concurrency() ==
+ ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
+ constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
+ could probably make them concurrent, but I'm playing it safe for now.
+
+ - A constraint can create parallel work for itself, which the constraint solver will interleave
+ with other stuff. A constraint can report that it has parallel work by returning
+ ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
+ constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
+ for as long as that function wants to run.
+
+ It's not possible to have a non-concurrent constraint that creates parallel work.
+
+ The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
+ most natural for two reasons:
+
+ - No need to start any other threads.
+
+ - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
+ access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
+ create work on each marking thread's SlotVisitor. 
When the solver is done "stealing" a marker
+ thread, that thread will have work it can start doing immediately. Before this change, we had to
+ contribute the work found by the constraint solver to the global worklist so that it could be
+ distributed to the marker threads by load balancing. This change probably helps to avoid that
+ load balancing step.
+
+ A lot of this change is about making it easy to iterate GC data structures in parallel. This
+ change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
+ the parallel work API. That constraint iterates the marked cells in two subspaces. This change
+ makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
+ The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
+ iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
+ RefPtr>, where ... is the type returned from the iterator. We know it's done
+ when it returns a falsish version of ... (in the current code, that's always a pointer type, so
+ done is indicated by null).
+
+ * API/JSMarkingConstraintPrivate.cpp:
+ (JSContextGroupAddMarkingConstraint):
+ * API/JSVirtualMachine.mm:
+ (scanExternalObjectGraph):
+ (scanExternalRememberedSet):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::propagateTransitions const):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::visitWeakly):
+ (JSC::CodeBlock::shouldJettisonDueToOldAge):
+ (JSC::shouldMarkTransition):
+ (JSC::CodeBlock::propagateTransitions):
+ (JSC::CodeBlock::determineLiveness):
+ * dfg/DFGWorklist.cpp:
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+ * heap/ConstraintParallelism.h: Added.
+ (WTF::printInternal):
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC::Heap::addToRememberedSet):
+ (JSC::Heap::runFixpointPhase):
+ (JSC::Heap::stopThePeriphery):
+ (JSC::Heap::resumeThePeriphery):
+ (JSC::Heap::addCoreConstraints):
+ (JSC::Heap::setBonusVisitorTask):
+ (JSC::Heap::runTaskInParallel):
+ (JSC::Heap::forEachSlotVisitor): Deleted.
+ * heap/Heap.h:
+ (JSC::Heap::worldIsRunning const):
+ (JSC::Heap::runFunctionInParallel):
+ * heap/HeapInlines.h:
+ (JSC::Heap::worldIsStopped const):
+ (JSC::Heap::isMarked):
+ (JSC::Heap::incrementDeferralDepth):
+ (JSC::Heap::decrementDeferralDepth):
+ (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
+ (JSC::Heap::forEachSlotVisitor):
+ (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
+ (JSC::Heap::isMarkedConcurrently): Deleted.
+ * heap/HeapSnapshotBuilder.cpp:
+ (JSC::HeapSnapshotBuilder::appendNode):
+ * heap/LargeAllocation.h:
+ (JSC::LargeAllocation::isMarked):
+ (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
+ * heap/LockDuringMarking.h:
+ (JSC::lockDuringMarking):
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
+ * heap/MarkedAllocator.h:
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::aboutToMark):
+ (JSC::MarkedBlock::isMarked):
+ (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
+ (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
+ * heap/MarkedSpace.h:
+ (JSC::MarkedSpace::activeWeakSetsBegin):
+ (JSC::MarkedSpace::activeWeakSetsEnd):
+ (JSC::MarkedSpace::newActiveWeakSetsBegin):
+ (JSC::MarkedSpace::newActiveWeakSetsEnd):
+ * heap/MarkingConstraint.cpp:
+ (JSC::MarkingConstraint::MarkingConstraint):
+ (JSC::MarkingConstraint::execute):
+ (JSC::MarkingConstraint::quickWorkEstimate):
+ (JSC::MarkingConstraint::workEstimate):
+ (JSC::MarkingConstraint::doParallelWork):
+ (JSC::MarkingConstraint::finishParallelWork):
+ (JSC::MarkingConstraint::doParallelWorkImpl):
+ (JSC::MarkingConstraint::finishParallelWorkImpl):
+ * heap/MarkingConstraint.h:
+ (JSC::MarkingConstraint::lastExecuteParallelism const):
+ (JSC::MarkingConstraint::parallelism const):
+ (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
+ (JSC::MarkingConstraint::workEstimate): Deleted.
+ * heap/MarkingConstraintSet.cpp:
+ (JSC::MarkingConstraintSet::MarkingConstraintSet):
+ (JSC::MarkingConstraintSet::add):
+ (JSC::MarkingConstraintSet::executeConvergence):
+ (JSC::MarkingConstraintSet::executeConvergenceImpl):
+ (JSC::MarkingConstraintSet::executeAll):
+ (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
+ (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
+ (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
+ (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
+ (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
+ (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
+ (): Deleted.
+ * heap/MarkingConstraintSet.h:
+ * heap/MarkingConstraintSolver.cpp: Added.
+ (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
+ (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
+ (JSC::MarkingConstraintSolver::didVisitSomething const):
+ (JSC::MarkingConstraintSolver::execute):
+ (JSC::MarkingConstraintSolver::drain):
+ (JSC::MarkingConstraintSolver::converge):
+ (JSC::MarkingConstraintSolver::runExecutionThread):
+ (JSC::MarkingConstraintSolver::didExecute):
+ * heap/MarkingConstraintSolver.h: Added.
+ * heap/OpaqueRootSet.h: Removed.
+ * heap/ParallelSourceAdapter.h: Added.
+ (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
+ (JSC::createParallelSourceAdapter):
+ * heap/SimpleMarkingConstraint.cpp: Added.
+ (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
+ (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
+ (JSC::SimpleMarkingConstraint::quickWorkEstimate):
+ (JSC::SimpleMarkingConstraint::executeImpl):
+ * heap/SimpleMarkingConstraint.h: Added.
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::didStartMarking):
+ (JSC::SlotVisitor::reset):
+ (JSC::SlotVisitor::appendToMarkStack):
+ (JSC::SlotVisitor::visitChildren):
+ (JSC::SlotVisitor::updateMutatorIsStopped):
+ (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
+ (JSC::SlotVisitor::drain):
+ (JSC::SlotVisitor::performIncrementOfDraining):
+ (JSC::SlotVisitor::didReachTermination):
+ (JSC::SlotVisitor::hasWork):
+ (JSC::SlotVisitor::drainFromShared):
+ (JSC::SlotVisitor::drainInParallelPassively):
+ (JSC::SlotVisitor::waitForTermination):
+ (JSC::SlotVisitor::addOpaqueRoot): Deleted.
+ (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
+ (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
+ (JSC::SlotVisitor::mergeIfNecessary): Deleted.
+ (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
+ (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
+ * heap/SlotVisitor.h:
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::addOpaqueRoot):
+ (JSC::SlotVisitor::containsOpaqueRoot const):
+ (JSC::SlotVisitor::vm):
+ (JSC::SlotVisitor::vm const):
+ * heap/Subspace.cpp:
+ (JSC::Subspace::parallelAllocatorSource):
+ (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
+ * heap/Subspace.h:
+ * heap/SubspaceInlines.h:
+ (JSC::Subspace::forEachMarkedCellInParallel):
+ * heap/VisitCounter.h: Added.
+ (JSC::VisitCounter::VisitCounter):
+ (JSC::VisitCounter::visitCount const):
+ * heap/VisitingTimeout.h: Removed.
+ * heap/WeakBlock.cpp:
+ (JSC::WeakBlock::specializedVisit):
+ * runtime/Structure.cpp:
+ (JSC::Structure::isCheapDuringGC):
+ (JSC::Structure::markIfCheap):
+
+2017-12-04 JF Bastien
+
+ Math: don't redundantly check for exceptions, just release scope
+ https://bugs.webkit.org/show_bug.cgi?id=180395
+
+ Rubber stamped by Mark Lam.
+
+ Two of the exceptions checks could just have been exception scope
+ releases before the return, which is ever-so-slightly more
+ efficient. The same technically applies where we have loops over
+ parameters, but doing the scope release there isn't really more
+ efficient and is way harder to read.
+
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncATan2):
+ (JSC::mathProtoFuncPow):
+
+2017-12-04 David Quesada
+
+ Add a class for parsing application manifests
+ https://bugs.webkit.org/show_bug.cgi?id=177973
+ rdar://problem/34747949
+
+ Reviewed by Geoffrey Garen.
+
+ * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
+
+2017-12-04 JF Bastien
+
+ Update std::expected to match libc++ coding style
+ https://bugs.webkit.org/show_bug.cgi?id=180264
+
+ Reviewed by Alex Christensen.
+
+ Update various uses of Expected.
+
+ * wasm/WasmModule.h:
+ * wasm/WasmModuleParser.cpp:
+ (JSC::Wasm::ModuleParser::parseImport):
+ (JSC::Wasm::ModuleParser::parseTableHelper):
+ (JSC::Wasm::ModuleParser::parseTable):
+ (JSC::Wasm::ModuleParser::parseMemoryHelper):
+ * wasm/WasmParser.h:
+ * wasm/generateWasmValidateInlinesHeader.py:
+ (loadMacro):
+ (storeMacro):
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::createStub):
+ * wasm/js/JSWebAssemblyModule.h:
+
+2017-12-04 Saam Barati
+
+ We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
+ https://bugs.webkit.org/show_bug.cgi?id=180366
+
+
+ Reviewed by Michael Saboff.
+
+ On the TailCall slow path, the CallFrameShuffler will build the frame with
+ respect to SP instead of FP. However, this may overwrite slots on the stack
+ that are needed if the slow path C call does a stack walk. The slow path
+ C call does a stack walk when it throws an exception. This patch fixes
+ this bug by ensuring that the top of the stack in the FTL always has enough
+ space to allow CallFrameShuffler to build a frame without overwriting any
+ items on the stack that are needed when doing a stack walk.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+
+2017-12-04 Devin Rousso
+
+ Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
+ https://bugs.webkit.org/show_bug.cgi?id=175166
+
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/protocol/Recording.json:
+ Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
+
+ * inspector/JSGlobalObjectConsoleClient.h:
+ * inspector/JSGlobalObjectConsoleClient.cpp:
+ (Inspector::JSGlobalObjectConsoleClient::record):
+ (Inspector::JSGlobalObjectConsoleClient::recordEnd):
+
+ * runtime/ConsoleClient.h:
+ * runtime/ConsoleObject.cpp:
+ (JSC::ConsoleObject::finishCreation):
+ (JSC::consoleProtoFuncRecord):
+ (JSC::consoleProtoFuncRecordEnd):
+
+2017-12-03 Yusuke Suzuki
+
+ WTF shouldn't have both Thread and ThreadIdentifier
+ https://bugs.webkit.org/show_bug.cgi?id=180308
+
+ Reviewed by Darin Adler.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::tryCopyOtherThreadStacks):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::llint_trace_operand):
+ (JSC::LLInt::llint_trace_value):
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::traceFunctionPrologue):
+ * runtime/ExceptionScope.cpp:
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/JSLock.h:
+ (JSC::JSLock::currentThreadIsHoldingLock):
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ * runtime/VM.h:
+ (JSC::VM::throwingThread const):
+ (JSC::VM::clearException):
+ * tools/HeapVerifier.cpp:
+ (JSC::HeapVerifier::printVerificationHeader):
+
+2017-12-03 Caio Lima
+
+ Rename DestroyFunc to avoid redefinition on unified build
+ https://bugs.webkit.org/show_bug.cgi?id=180335
+
+ Reviewed by Filip Pizlo.
+
+ Changing DestroyFunc structures to more specific names to avoid
+ conflits on unified builds.
+
+ * heap/HeapCellType.cpp:
+ (JSC::HeapCellType::finishSweep):
+ (JSC::HeapCellType::destroy):
+ * runtime/JSDestructibleObjectHeapCellType.cpp:
+ (JSC::JSDestructibleObjectHeapCellType::finishSweep):
+ (JSC::JSDestructibleObjectHeapCellType::destroy):
+ * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
+ (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
+ (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
+ * runtime/JSStringHeapCellType.cpp:
+ (JSC::JSStringHeapCellType::finishSweep):
+ (JSC::JSStringHeapCellType::destroy):
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
+
+2017-12-01 JF Bastien
+
+ JavaScriptCore: missing exception checks in Math functions that take more than one argument
+ https://bugs.webkit.org/show_bug.cgi?id=180297
+
+
+ Reviewed by Mark Lam.
+
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncATan2):
+ (JSC::mathProtoFuncMax):
+ (JSC::mathProtoFuncMin):
+ (JSC::mathProtoFuncPow):
+
+2017-12-01 Mark Lam
+
+ Let's scramble ClassInfo pointers in cells.
+ https://bugs.webkit.org/show_bug.cgi?id=180291
+
+
+ Reviewed by JF Bastien.
+
+ * API/JSCallbackObject.h:
+ * API/JSObjectRef.cpp:
+ (classInfoPrivate):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * assembler/MacroAssemblerCodeRef.cpp:
+ (JSC::MacroAssemblerCodePtr::initialize): Deleted.
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::MacroAssemblerCodePtr:: const):
+ (JSC::MacroAssemblerCodePtr::hash const):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/JSCScrambledPtr.cpp: Added.
+ (JSC::initializeScrambledPtrKeys):
+ * runtime/JSCScrambledPtr.h: Added.
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSDestructibleObject::classInfo const):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::classInfo const):
+ * runtime/Structure.h:
+ * runtime/VM.h:
+
+2017-12-01 Brian Burg
+
+ Web Inspector: move Inspector::Protocol::Array to JSON namespace
+ https://bugs.webkit.org/show_bug.cgi?id=173662
+
+ Reviewed by Joseph Pecoraro.
+
+ Adopt new type names. Fix protocol generator to use correct type names.
+
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::ConsoleMessage::addToFrontend):
+ Improve namings and use 'auto' when the type is obvious and repeated.
+
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::searchInTextByLines):
+ * inspector/ContentSearchUtilities.h:
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::getProperties):
+ (Inspector::InjectedScript::getDisplayableProperties):
+ (Inspector::InjectedScript::getInternalProperties):
+ (Inspector::InjectedScript::getCollectionEntries):
+ (Inspector::InjectedScript::wrapCallFrames const):
+ * inspector/InjectedScript.h:
+ * inspector/InspectorProtocolTypes.h:
+ (Inspector::Protocol::BindingTraits>::runtimeCast):
+ (Inspector::Protocol::Array::Array): Deleted.
+ (Inspector::Protocol::Array::openAccessors): Deleted.
+ (Inspector::Protocol::Array::addItem): Deleted.
+ (Inspector::Protocol::Array::create): Deleted.
+ (Inspector::Protocol::BindingTraits>::runtimeCast): Deleted.
+ (Inspector::Protocol::BindingTraits>::assertValueHasExpectedType): Deleted.
+ Move the implementation out of this file.
+
+ * inspector/ScriptCallStack.cpp:
+ (Inspector::ScriptCallStack::buildInspectorArray const):
+ * inspector/ScriptCallStack.h:
+ * inspector/agents/InspectorAgent.cpp:
+ (Inspector::InspectorAgent::activateExtraDomain):
+ (Inspector::InspectorAgent::activateExtraDomains):
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorConsoleAgent.cpp:
+ (Inspector::InspectorConsoleAgent::getLoggingChannels):
+ * inspector/agents/InspectorConsoleAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
+ (Inspector::InspectorDebuggerAgent::searchInContent):
+ (Inspector::InspectorDebuggerAgent::currentCallFrames):
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getProperties):
+ (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
+ (Inspector::InspectorRuntimeAgent::getCollectionEntries):
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ 
(Inspector::InspectorRuntimeAgent::getBasicBlocks):
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/agents/InspectorScriptProfilerAgent.cpp:
+ (Inspector::buildSamples):
+ Use more 'auto' and rename a variable.
+
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.cpp_protocol_type_for_type):
+ Adopt new type names. This exposed a latent bug where we should have been
+ unwrapping an AliasedType prior to generating a C++ type for it. The aliased
+ type may be an array, in which case we would have generated the wrong type.
+
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ (_generate_typedefs_for_domain.JSON):
+ (_generate_typedefs_for_domain.Inspector): Deleted.
+ * inspector/scripts/codegen/objc_generator.py:
+ (ObjCGenerator.protocol_type_for_type):
+ (ObjCGenerator.objc_protocol_export_expression_for_variable):
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
+ Rebaseline.
+
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::allStructureRepresentations const):
+ (JSC::StructureShape::inspectorRepresentation):
+ * runtime/TypeSet.h:
+
+2017-12-01 Saam Barati
+
+ Having a bad time needs to handle ArrayClass indexing type as well
+ https://bugs.webkit.org/show_bug.cgi?id=180274
+
+
+ Reviewed by Keith Miller and Mark Lam.
+
+ We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
+ Otherwise, we'll end up with the wrong Structure, which will lead us to not
+ adhere to the spec. 
The bug was that we were not considering ArrayClass inside
+ hasBrokenIndexing. This patch rewrites that function to automatically opt
+ in non-empty indexing types as broken, instead of having to opt out all
+ non-empty indexing types besides SlowPutArrayStorage.
+
+ * runtime/IndexingType.h:
+ (JSC::hasSlowPutArrayStorage):
+ (JSC::shouldUseSlowPut):
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::switchToSlowPutArrayStorage):
+
+2017-12-01 JF Bastien
+
+ WebAssembly: stack trace improvement follow-ups
+ https://bugs.webkit.org/show_bug.cgi?id=180273
+
+ Reviewed by Saam Barati.
+
+ * wasm/WasmIndexOrName.cpp:
+ (JSC::Wasm::makeString):
+ * wasm/WasmIndexOrName.h:
+ (JSC::Wasm::IndexOrName::nameSection const):
+ * wasm/WasmNameSection.h:
+ (JSC::Wasm::NameSection::NameSection):
+ (JSC::Wasm::NameSection::get):
+
+2017-12-01 JF Bastien
+
+ WebAssembly: restore cached stack limit after out-call
+ https://bugs.webkit.org/show_bug.cgi?id=179106
+
+
+ Reviewed by Saam Barati.
+
+ We cache the stack limit on the Instance so that we can do fast
+ stack checks where required. In regular usage the stack limit
+ never changes because we always run on the same thread, but in
+ rare cases an API user can totally migrate which thread (and
+ therefore stack) is used for execution between WebAssembly
+ traces. For that reason we set the cached stack limit to
+ UINTPTR_MAX on the outgoing Instance when transitioning back into
+ a different Instance. We usually restore the cached stack limit in
+ Context::store, but this wasn't called on all code paths. We had a
+ bug where an Instance calling into itself indirectly would
+ therefore fail to restore its cached stack limit properly.
+
+ This patch therefore restores the cached stack limit after direct
+ calls which could be to imports (both wasm->wasm and
+ wasm->embedder). 
We have to do all of them because we have no way
+ of knowing what imports will do (they're known at instantiation
+ time, not compilation time, and different instances can have
+ different imports). To make this efficient we also add a pointer
+ to the canonical location of the stack limit (i.e. the extra
+ indirection we're trying to save by caching the stack limit on the
+ Instance in the first place). This is potentially a small perf hit
+ on imported direct calls.
+
+ It's hard to say what the performance cost will be because we
+ haven't seen much code in the wild which does this. We're adding
+ two dependent loads and a store of the loaded value, which is
+ unlikely to get used soon after. It's more code, but on an
+ out-of-order processor it doesn't contribute to the critical path.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addGrowMemory):
+ (JSC::Wasm::B3IRGenerator::addCall):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmInstance.cpp:
+ (JSC::Wasm::Instance::Instance):
+ (JSC::Wasm::Instance::create):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
+ (JSC::Wasm::Instance::cachedStackLimit const):
+ (JSC::Wasm::Instance::setCachedStackLimit):
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::create):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+
+2017-11-30 Yusuke Suzuki
+
+ [JSC] Use JSFixedArray for op_new_array_buffer
+ https://bugs.webkit.org/show_bug.cgi?id=180084
+
+ Reviewed by Saam Barati.
+
+ For op_new_array_buffer, we have a special constant buffer in CodeBlock.
+ But using JSFixedArray is better because,
+
+ 1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
+ If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.
+
+ 2. 
In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
+ has JSFixedArray, we can just emit a held JSFixedArray.
+
+ 3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.
+
+ 4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
+
+ 5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
+ DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
+ will be introduced in [1].
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
+ (JSC::CodeBlock::addConstantBuffer): Deleted.
+ (JSC::CodeBlock::constantBufferAsVector): Deleted.
+ (JSC::CodeBlock::constantBuffer): Deleted.
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::shrinkToFit):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
+ (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
+ (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
+ (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitNewArray):
+ (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
+ (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
+ (JSC::DFG::ConstantBufferKey::hash const): Deleted.
+ (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
+ (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
+ (JSC::DFG::ConstantBufferKey::index const): Deleted.
+ (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
+ (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGGraph.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasNewArrayBufferData):
+ (JSC::DFG::Node::newArrayBufferData):
+ (JSC::DFG::Node::hasVectorLengthHint):
+ (JSC::DFG::Node::vectorLengthHint):
+ (JSC::DFG::Node::indexingType):
+ (JSC::DFG::Node::hasCellOperand):
+ (JSC::DFG::Node::OpInfoWrapper::operator=):
+ (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
+ (JSC::DFG::Node::hasConstantBuffer): Deleted.
+ (JSC::DFG::Node::startConstant): Deleted.
+ (JSC::DFG::Node::numConstants): Deleted.
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_array_buffer): Deleted.
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LLIntSlowPaths.cpp:
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ * runtime/JSFixedArray.cpp:
+ (JSC::JSFixedArray::dumpToStream):
+ * runtime/JSFixedArray.h:
+ (JSC::JSFixedArray::create):
+ (JSC::JSFixedArray::get const):
+ (JSC::JSFixedArray::set):
+ (JSC::JSFixedArray::buffer const):
+ (JSC::JSFixedArray::values const):
+ (JSC::JSFixedArray::length const):
+ (JSC::JSFixedArray::get): Deleted.
+
+2017-11-30 JF Bastien
+
+ WebAssembly: improve stack trace
+ https://bugs.webkit.org/show_bug.cgi?id=179343
+
+ Reviewed by Saam Barati.
+
+ Stack traces now include:
+
+ - Module name, if provided by the name section.
+ - Module SHA1 hash if no name was provided
+ - Stub identification, to differentiate from user code
+ - Slightly different naming to match design from:
+ https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
+
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::Frame::functionName const):
+ * runtime/StackFrame.cpp:
+ (JSC::StackFrame::functionName const):
+ (JSC::StackFrame::visitChildren):
+ * wasm/WasmIndexOrName.cpp:
+ (JSC::Wasm::IndexOrName::IndexOrName):
+ (JSC::Wasm::makeString):
+ * wasm/WasmIndexOrName.h:
+ (JSC::Wasm::IndexOrName::nameSection const):
+ * wasm/WasmModuleInformation.cpp:
+ (JSC::Wasm::ModuleInformation::ModuleInformation):
+ * wasm/WasmModuleInformation.h:
+ * wasm/WasmNameSection.h:
+ (JSC::Wasm::NameSection::NameSection):
+ (JSC::Wasm::NameSection::get):
+ * wasm/WasmNameSectionParser.cpp:
+ (JSC::Wasm::NameSectionParser::parse):
+
+2017-11-30 Stephan Szabo
+
+ Make LegacyCustomProtocolManager optional for network process
+ https://bugs.webkit.org/show_bug.cgi?id=176230
+
+ Reviewed by Alex Christensen.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-11-30 Yusuke Suzuki
+
+ [JSC] Remove easy toRemove & map.remove() use in OAS phase
+ https://bugs.webkit.org/show_bug.cgi?id=180208
+
+ Reviewed by Mark Lam.
+
+ In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
+ to optimize this common pattern. This patch only modifies apparent ones.
+ But we can apply this refactoring further to OAS phase in the future.
+
+ One thing we should care is that predicate of removeIf should not touch the
+ removing set itself. In this patch, we apply this change to (1) apparently
+ correct one and (2) things in DFG OAS phase since it is very slow.
+
+ * b3/B3MoveConstants.cpp:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
+2017-11-30 Commit Queue
+
+ Unreviewed, rolling out r225362.
+ https://bugs.webkit.org/show_bug.cgi?id=180225
+
+ removeIf predicate function can touch remove target set
+ (Requested by yusukesuzuki on #webkit).
+
+ Reverted changeset:
+
+ "[JSC] Remove easy toRemove & map.remove() use"
+ https://bugs.webkit.org/show_bug.cgi?id=180208
+ https://trac.webkit.org/changeset/225362
+
+2017-11-30 Yusuke Suzuki
+
+ [JSC] Use AllocatorIfExists for MaterializeNewObject
+ https://bugs.webkit.org/show_bug.cgi?id=180189
+
+ Reviewed by Filip Pizlo.
+
+ I don't think anyone guarantees this allocator exists at this phase.
+ And nullptr allocator just works here. We change AllocatorForMode
+ to AllocatorIfExists to accept nullptr for allocator.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+
+2017-11-30 Mark Lam
+
+ Let's scramble MacroAssemblerCodePtr values.
+ https://bugs.webkit.org/show_bug.cgi?id=180169
+
+
+ Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
+
+ 1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
+
+ 2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
+ template argument type that will be used to cast the result. This makes the
+ client code that uses these functions a little less verbose.
+
+ 3. Change the code base in general to minimize passing void* code pointers around.
+ We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
+ at the last moment when we need the underlying code pointer.
+
+ 4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
+ default. I'm leaving them in because they are instrumental in finding bugs
+ where not all MacroAssemblerCodePtr values were not scrambled as expected.
+ I expect them to be useful in the near future as we add more scrambling.
+
+ 5. Also disable the casting operator on MacroAssemblerCodePtr (except for
+ explicit casts to a boolean). This ensures that clients will always explicitly
+ use scrambledBits() or executableAddress() to get a value based on which value
+ they actually need.
+
+ 5. Added currentThread() id to the logging in LLIntSlowPath trace functions.
+ This was helpful when debugging tests that ran multiple VMs concurrently on
+ different threads.
+
+ MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
+ CLoop). It is not yet supported in 32-bit and Windows because we don't
+ currently have a way to read a global variable from their LLInt code.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
+ (JSC::AbstractMacroAssembler::linkPointer):
+ * assembler/CodeLocation.h:
+ (JSC::CodeLocationCommon::instructionAtOffset):
+ (JSC::CodeLocationCommon::labelAtOffset):
+ (JSC::CodeLocationCommon::jumpAtOffset):
+ (JSC::CodeLocationCommon::callAtOffset):
+ (JSC::CodeLocationCommon::nearCallAtOffset):
+ (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
+ (JSC::CodeLocationCommon::dataLabel32AtOffset):
+ (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
+ (JSC::CodeLocationCommon::convertibleLoadAtOffset):
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::finalizeCodeWithDisassembly):
+ * assembler/LinkBuffer.h:
+ (JSC::LinkBuffer::link):
+ (JSC::LinkBuffer::patch):
+ * assembler/MacroAssemblerCodeRef.cpp:
+ (JSC::MacroAssemblerCodePtr::initialize):
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::FunctionPtr::FunctionPtr):
+ (JSC::FunctionPtr::value const):
+ (JSC::FunctionPtr::executableAddress const):
+ (JSC::ReturnAddressPtr::ReturnAddressPtr):
+ (JSC::ReturnAddressPtr::value const):
+ (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+ (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+ (JSC::MacroAssemblerCodePtr::scrambledPtr const):
+ (JSC::MacroAssemblerCodePtr:: const):
+ (JSC::MacroAssemblerCodePtr::operator! const):
+ (JSC::MacroAssemblerCodePtr::operator bool const):
+ (JSC::MacroAssemblerCodePtr::operator== const):
+ (JSC::MacroAssemblerCodePtr::hash const):
+ (JSC::MacroAssemblerCodePtr::emptyValue):
+ (JSC::MacroAssemblerCodePtr::deletedValue):
+ (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
+ (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
+ * b3/B3LowerMacros.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testInterpreter):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dumpDisassembly):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+ (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+ (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
+ (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+ * dfg/DFGSpeculativeJIT.h:
+ * disassembler/Disassembler.cpp:
+ (JSC::disassemble):
+ * disassembler/UDis86Disassembler.cpp:
+ (JSC::tryToDisassembleWithUDis86):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+ * ftl/FTLJITCode.cpp:
+ (JSC::FTL::JITCode::executableAddressAtOffset):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+ (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+ * interpreter/InterpreterInlines.h:
+ (JSC::Interpreter::getOpcodeID):
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emitMathICFast):
+ (JSC::JIT::emitMathICSlow):
+ * jit/JITCode.cpp:
+ (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+ (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
+ (JSC::JITCodeWithCodeRef::offsetOf):
+ * jit/JITDisassembler.cpp:
+ (JSC::JITDisassembler::dumpDisassembly):
+ * jit/PCToCodeOriginMap.cpp:
+ (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
+ * jit/Repatch.cpp:
+ (JSC::ftlThunkAwareRepatchCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::llint_trace_operand):
+ (JSC::LLInt::llint_trace_value):
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::setUpCall):
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/cloop.rb:
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::complete):
+ * wasm/WasmCallee.h:
+ (JSC::Wasm::Callee::entrypoint const):
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::work):
+ * wasm/js/WasmToJS.cpp:
+ (JSC::Wasm::wasmToJS):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ * wasm/js/WebAssemblyFunction.h:
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::create):
+
+2017-11-30 Yusuke Suzuki
+
+ [JSC] Remove easy toRemove & map.remove() use
+ https://bugs.webkit.org/show_bug.cgi?id=180208
+
+ Reviewed by Mark Lam.
+
+ In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
+ to optimize this common pattern. This patch only modifies apparent ones.
+ But we can apply this refactoring further to OAS phase in the future.
+
+ * b3/B3MoveConstants.cpp:
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * wasm/WasmSignature.cpp:
+ (JSC::Wasm::SignatureInformation::tryCleanup):
+
+2017-11-29 Yusuke Suzuki
+
+ [JSC] Use getEffectiveAddress more in JSC
+ https://bugs.webkit.org/show_bug.cgi?id=180154
+
+ Reviewed by Mark Lam.
+
+ We can use MacroAssembler::getEffectiveAddress for stack height calculation.
+ And we also add MacroAssembler::negPtr(src, dest) variation.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::negPtr):
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::neg32):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::neg32):
+ (JSC::MacroAssemblerARM64::neg64):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::neg32):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::neg32):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::neg32):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::neg64):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrEntryThunkGenerator):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ * jit/SetupVarargsFrame.cpp:
+ (JSC::emitSetVarargsFrame):
+
+2017-11-30 Mark Lam
+
+ jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
+ https://bugs.webkit.org/show_bug.cgi?id=180219
+
+
+ Reviewed by Filip Pizlo.
+
+ * jsc.cpp:
+ (functionFlashHeapAccess):
+
+2017-11-30 Yusuke Suzuki
+
+ [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
+ https://bugs.webkit.org/show_bug.cgi?id=180190
+
+ Reviewed by Mark Lam.
+
+ If DFG HasIndexedProperty node observes negative index, it goes to a slow
+ path by calling operationHasIndexedProperty. The problem is that
+ operationHasIndexedProperty does not account negative index. Negative index
+ was used as uint32 array index.
+
+ In this patch we add a path for negative index in operationHasIndexedProperty.
+ And rename it to operationHasIndexedPropertyByInt to make intension clear.
+ We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
+ since it is only used in DFG and FTL.
+
+ While fixing this bug, we found that our op_in does not record OutOfBound feedback.
+ This causes repeated OSR exit and significantly regresses the performance. We opened
+ a bug to track this issue[1].
+ + [1]: https://bugs.webkit.org/show_bug.cgi?id=180192 + + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2017-11-30 Michael Saboff + + Allow JSC command line tool to accept UTF8 + https://bugs.webkit.org/show_bug.cgi?id=180205 + + Reviewed by Keith Miller. + + This unifies the UTF8 handling of interactive mode with that of source files. + + * jsc.cpp: + (runInteractive): + +2017-11-30 Yusuke Suzuki + + REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314 + https://bugs.webkit.org/show_bug.cgi?id=180185 + + Reviewed by Carlos Garcia Campos. + + After r225314, we start using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor. + But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell + can accept nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists. + And JSRopeString's allocator may not exist at this point if any JSRopeString is not allocated. But MakeRope + DFG node can be emitted if we see untaken path includes String + String code. + + This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists. + As a result, only one user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL. + I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same to the + original code used before r225314. 
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMakeRope):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+
+2017-11-28 Filip Pizlo
+
+ CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
+ https://bugs.webkit.org/show_bug.cgi?id=180108
+
+ Reviewed by Saam Barati.
+
+ This was creating a vector of things to remove and then removing them. I think I remember writing
+ this code, and I did that because at the time we did not have removeAllMatching, which is
+ definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
+ obvious improvement before I did more fundamental things to this code.
+
+ * heap/CodeBlockSet.cpp:
+ (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
+
+2017-11-29 Filip Pizlo
+
+ GC should support isoheaps
+ https://bugs.webkit.org/show_bug.cgi?id=179288
+
+ Reviewed by Saam Barati.
+
+ This expands the power of the Subspace API in JSC:
+
+ - Everything associated with describing the types of objects is now part of the HeapCellType class.
+ We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
+ HeapCellType; these are orthogonal things.
+
+ - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
+ any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
+ special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
+ pages but releases the physical pages as part of the respective allocator's scavenging policy
+ (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
+ IsoSubspace).
+
+ So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
+ for more things.
+
+ This does not have any effect on JetStream (0.18% faster with p = 0.69).
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/ObjectAllocationProfileInlines.h:
+ (JSC::ObjectAllocationProfile::initializeProfile):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+ (JSC::DFG::SpeculativeJIT::compileMakeRope):
+ (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
+ * heap/AlignedMemoryAllocator.cpp:
+ (JSC::AlignedMemoryAllocator::registerAllocator):
+ (JSC::AlignedMemoryAllocator::registerSubspace):
+ * heap/AlignedMemoryAllocator.h:
+ (JSC::AlignedMemoryAllocator::firstAllocator const):
+ * heap/AllocationFailureMode.h: Added.
+ * heap/CompleteSubspace.cpp: Added.
+ (JSC::CompleteSubspace::CompleteSubspace):
+ (JSC::CompleteSubspace::~CompleteSubspace):
+ (JSC::CompleteSubspace::allocatorFor):
+ (JSC::CompleteSubspace::allocate):
+ (JSC::CompleteSubspace::allocateNonVirtual):
+ (JSC::CompleteSubspace::allocatorForSlow):
+ (JSC::CompleteSubspace::allocateSlow):
+ (JSC::CompleteSubspace::tryAllocateSlow):
+ * heap/CompleteSubspace.h: Added.
+ (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
+ (JSC::CompleteSubspace::allocatorForSizeStep):
+ (JSC::CompleteSubspace::allocatorForNonVirtual):
+ * heap/HeapCellType.cpp: Added.
+ (JSC::HeapCellType::HeapCellType):
+ (JSC::HeapCellType::~HeapCellType):
+ (JSC::HeapCellType::finishSweep):
+ (JSC::HeapCellType::destroy):
+ * heap/HeapCellType.h: Added.
+ (JSC::HeapCellType::attributes const):
+ * heap/IsoAlignedMemoryAllocator.cpp: Added.
+ (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
+ (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+ (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+ (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
+ (JSC::IsoAlignedMemoryAllocator::dump const):
+ * heap/IsoAlignedMemoryAllocator.h: Added.
+ * heap/IsoSubspace.cpp: Added.
+ (JSC::IsoSubspace::IsoSubspace):
+ (JSC::IsoSubspace::~IsoSubspace):
+ (JSC::IsoSubspace::allocatorFor):
+ (JSC::IsoSubspace::allocatorForNonVirtual):
+ (JSC::IsoSubspace::allocate):
+ (JSC::IsoSubspace::allocateNonVirtual):
+ * heap/IsoSubspace.h: Added.
+ (JSC::IsoSubspace::size const):
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::MarkedAllocator):
+ (JSC::MarkedAllocator::setSubspace):
+ (JSC::MarkedAllocator::allocateSlowCase):
+ (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
+ (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
+ * heap/MarkedAllocator.h:
+ (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
+ (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
+ * heap/MarkedAllocatorInlines.h:
+ (JSC::MarkedAllocator::allocate):
+ (JSC::MarkedAllocator::tryAllocate): Deleted.
+ * heap/MarkedBlock.h:
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
+ (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
+ * heap/MarkedSpace.cpp:
+ (JSC::MarkedSpace::addMarkedAllocator):
+ * heap/MarkedSpace.h:
+ * heap/Subspace.cpp:
+ (JSC::Subspace::Subspace):
+ (JSC::Subspace::initialize):
+ (JSC::Subspace::finishSweep):
+ (JSC::Subspace::destroy):
+ (JSC::Subspace::prepareForAllocation):
+ (JSC::Subspace::findEmptyBlockToSteal):
+ (): Deleted.
+ (JSC::Subspace::allocate): Deleted.
+ (JSC::Subspace::tryAllocate): Deleted.
+ (JSC::Subspace::allocatorForSlow): Deleted.
+ (JSC::Subspace::allocateSlow): Deleted.
+ (JSC::Subspace::tryAllocateSlow): Deleted.
+ (JSC::Subspace::didAllocate): Deleted.
+ * heap/Subspace.h:
+ (JSC::Subspace::heapCellType const):
+ (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
+ (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
+ (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
+ (JSC::Subspace::allocatorForSizeStep): Deleted.
+ (JSC::Subspace::tryAllocatorFor): Deleted.
+ (JSC::Subspace::allocatorFor): Deleted.
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+ (JSC::AssemblyHelpers::emitAllocateVariableSized):
+ (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_object):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createUninitialized):
+ (JSC::Butterfly::tryCreate):
+ (JSC::Butterfly::growArrayRight):
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::overrideThings):
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::subspaceFor):
+ * runtime/DirectEvalExecutable.h:
+ * runtime/EvalExecutable.h:
+ * runtime/ExecutableBase.h:
+ (JSC::ExecutableBase::subspaceFor):
+ * runtime/FunctionExecutable.h:
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::initModifiedArgumentsDescriptor):
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapBuffer::create):
+ * runtime/IndirectEvalExecutable.h:
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::tryCreateUninitializedRestricted):
+ (JSC::JSArray::unshiftCountSlowCase):
+ * runtime/JSArray.h:
+ (JSC::JSArray::tryCreate):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ * runtime/JSCell.h:
+ (JSC::subspaceFor):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::subspaceFor):
+ (JSC::tryAllocateCellHelper):
+ (JSC::allocateCell):
+ (JSC::tryAllocateCell):
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSDestructibleObject::subspaceFor):
+ * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
+ (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
+ (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
+ (JSC::JSDestructibleObjectHeapCellType::finishSweep):
+ (JSC::JSDestructibleObjectHeapCellType::destroy):
+ (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
+ (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
+ (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
+ (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
+ * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
+ * runtime/JSDestructibleObjectSubspace.cpp: Removed.
+ * runtime/JSDestructibleObjectSubspace.h: Removed.
+ * runtime/JSLexicalEnvironment.h:
+ (JSC::JSLexicalEnvironment::subspaceFor):
+ * runtime/JSSegmentedVariableObject.h:
+ (JSC::JSSegmentedVariableObject::subspaceFor):
+ * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
+ (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
+ (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
+ (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
+ (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
+ (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
+ (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
+ (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
+ (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
+ * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
+ * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
+ * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
+ * runtime/JSString.h:
+ (JSC::JSString::subspaceFor):
+ * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
+ (JSC::JSStringHeapCellType::JSStringHeapCellType):
+ (JSC::JSStringHeapCellType::~JSStringHeapCellType):
+ (JSC::JSStringHeapCellType::finishSweep):
+ (JSC::JSStringHeapCellType::destroy):
+ (JSC::JSStringSubspace::JSStringSubspace): Deleted.
+ (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
+ (JSC::JSStringSubspace::finishSweep): Deleted.
+ (JSC::JSStringSubspace::destroy): Deleted.
+ * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
+ * runtime/JSStringSubspace.cpp: Removed.
+ * runtime/JSStringSubspace.h: Removed.
+ * runtime/ModuleProgramExecutable.h:
+ * runtime/NativeExecutable.h:
+ * runtime/ProgramExecutable.h:
+ * runtime/RegExpMatchesArray.h:
+ (JSC::tryCreateUninitializedRegExpMatchesArray):
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ (JSC::VM::gigacageAuxiliarySpace):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
+ (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
+ (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
+ (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
+ (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
+ * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
+ * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
+ * wasm/js/JSWebAssemblyMemory.h:
+ (JSC::JSWebAssemblyMemory::subspaceFor):
+
+2017-11-29 Saam Barati
+
+ Remove pointer caging for double arrays
+ https://bugs.webkit.org/show_bug.cgi?id=180163
+
+ Reviewed by Mark Lam.
+
+ This patch removes pointer caging from double arrays. Like
+ my previous removals of pointer caging, this is a security vs
+ performance tradeoff. We believe that butterflies being allocated
+ in the cage and with a 32GB runway gives us enough security that
+ pointer caging the butterfly just for double arrays does not add
+ enough security benefit for the performance hit it incurs.
+
+ This patch also removes the GetButterflyWithoutCaging node and
+ the FixedButterflyAccessUncaging phase. The node is no longer needed
+ because now all GetButterfly nodes are not caged. The phase is removed
+ since we no longer have two nodes.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
+ * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::compileGetButterfly):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ * runtime/Butterfly.h:
+ (JSC::Butterfly::pointer):
+ (JSC::Butterfly::contiguousDouble):
+ (JSC::Butterfly::caged): Deleted.
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createOrGrowPropertyStorage):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::reallocateAndShrinkButterfly):
+
+2017-11-29 Stanislav Ocovaj
+
+ [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
+ https://bugs.webkit.org/show_bug.cgi?id=175447
+
+ Reviewed by Carlos Alberto Lopez Perez.
+
+ This patch allows DFG JIT to be enabled on MIPS platforms.
+
+ * Sources.txt:
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::lastSPRegister):
+ (JSC::MIPSAssembler::numberOfSPRegisters):
+ (JSC::MIPSAssembler::sprName):
+ * assembler/MacroAssemblerMIPS.cpp: Added.
+ (JSC::MacroAssembler::probe):
+ * assembler/ProbeContext.cpp:
+ (JSC::Probe::executeProbe):
+ * assembler/ProbeContext.h:
+ (JSC::Probe::CPUState::pc):
+ * assembler/testmasm.cpp:
+ (JSC::isSpecialGPR):
+ (JSC::testProbePreservesGPRS):
+ (JSC::testProbeModifiesStackPointer):
+ (JSC::testProbeModifiesStackValues):
+
+2017-11-29 Matt Lewis
+
+ Unreviewed, rolling out r225286.
+
+ The source files within this patch have been marked as
+ executable.
+
+ Reverted changeset:
+
+ "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
+ https://bugs.webkit.org/show_bug.cgi?id=175447
+ https://trac.webkit.org/changeset/225286
+
+2017-11-29 Alex Christensen
+
+ Fix Mac CMake build.
+
+ * PlatformMac.cmake:
+
+2017-11-29 Stanislav Ocovaj
+
+ [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
+ https://bugs.webkit.org/show_bug.cgi?id=175447
+
+ Reviewed by Carlos Alberto Lopez Perez.
+
+ This patch allows DFG JIT to be enabled on MIPS platforms.
+
+ * Sources.txt:
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::lastSPRegister):
+ (JSC::MIPSAssembler::numberOfSPRegisters):
+ (JSC::MIPSAssembler::sprName):
+ * assembler/MacroAssemblerMIPS.cpp: Added.
+ (JSC::MacroAssembler::probe):
+ * assembler/ProbeContext.cpp:
+ (JSC::Probe::executeProbe):
+ * assembler/ProbeContext.h:
+ (JSC::Probe::CPUState::pc):
+ * assembler/testmasm.cpp:
+ (JSC::isSpecialGPR):
+ (JSC::testProbePreservesGPRS):
+ (JSC::testProbeModifiesStackPointer):
+ (JSC::testProbeModifiesStackValues):
+
+2017-11-28 JF Bastien
+
+ Strict and sloppy functions shouldn't share structure
+ https://bugs.webkit.org/show_bug.cgi?id=180103
+
+
+ Reviewed by Saam Barati.
+
+ Sloppy and strict functions don't act the same when it comes to
+ arguments, caller, and callee. Sharing a structure means that
+ anything that is cached gets shared, and that's incorrect.
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunction): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + * runtime/JSFunction.cpp: + (JSC::JSFunction::create): the second ::create is always strict + because it applies to native functions. + * runtime/JSFunctionInlines.h: + (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::strictFunctionStructure const): + (JSC::JSGlobalObject::sloppyFunctionStructure const): + (JSC::JSGlobalObject::nativeStdFunctionStructure const): + (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed. + (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused. + +2017-11-29 Yusuke Suzuki + + [JSC] Add MacroAssembler::getEffectiveAddress in all platforms + https://bugs.webkit.org/show_bug.cgi?id=180070 + + Reviewed by Saam Barati. + + This patch adds getEffectiveAddress in all JIT platforms. + This is abstracted version of x86 lea. + + We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::getEffectiveAddress): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::getEffectiveAddress): + (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted. 
+ * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::getEffectiveAddress): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::getEffectiveAddress): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::getEffectiveAddress): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::getEffectiveAddress): + (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted. + * assembler/testmasm.cpp: + (JSC::testGetEffectiveAddress): + (JSC::run): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArrayPush): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl): + (JSC::Yarr::YarrGenerator::tryReadUnicodeChar): + +2017-11-29 Robin Morisset + + The recursive tail call optimisation is wrong on closures + https://bugs.webkit.org/show_bug.cgi?id=179835 + + Reviewed by Saam Barati. + + The problem is that we only check the executable of the callee, not whatever variables might have been captured. + As a stopgap measure this patch just does not do the optimisation for closures. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + +2017-11-28 Joseph Pecoraro + + Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable + https://bugs.webkit.org/show_bug.cgi?id=180119 + + Reviewed by Devin Rousso. + + * inspector/InjectedScriptManager.h: + * inspector/JSGlobalObjectScriptDebugServer.h: + * inspector/agents/InspectorHeapAgent.h: + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/agents/InspectorScriptProfilerAgent.h: + * inspector/agents/JSGlobalObjectRuntimeAgent.h: + +2017-11-28 Joseph Pecoraro + + ServiceWorker Inspector: Frontend changes to support Network tab and sub resources + https://bugs.webkit.org/show_bug.cgi?id=179642 + + + Reviewed by Brian Burg. + + * inspector/protocol/Network.json: + Expose the NetworkAgent for a Service Worker inspector. 
+ + 2017-11-28 Brian Burg + + [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value + https://bugs.webkit.org/show_bug.cgi?id=179696 + + Reviewed by Timothy Hatcher. + + * inspector/scripts/codegen/generate_objc_header.py: + (ObjCHeaderGenerator._generate_type_interface): + * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: + (ObjCProtocolTypesImplementationGenerator.generate_type_implementation): + (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object): + (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted. + * inspector/scripts/codegen/objc_generator.py: + (ObjCGenerator.protocol_type_for_raw_name): + (ObjCGenerator.objc_protocol_export_expression_for_variable): + (ObjCGenerator.objc_protocol_export_expression_for_variable.is): + (ObjCGenerator.objc_protocol_import_expression_for_variable): + (ObjCGenerator.objc_protocol_import_expression_for_variable.is): + (ObjCGenerator.objc_to_protocol_expression_for_member.is): + (ObjCGenerator.objc_to_protocol_expression_for_member): + (ObjCGenerator.protocol_to_objc_expression_for_member.is): + (ObjCGenerator.protocol_to_objc_expression_for_member): + (ObjCGenerator.protocol_to_objc_code_block_for_object_member): + (ObjCGenerator.objc_setter_method_for_member_internal): + (ObjCGenerator.objc_getter_method_for_member_internal): + * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: + * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: + * 
inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: + * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: + * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: + +2017-11-27 JF Bastien + + JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation + https://bugs.webkit.org/show_bug.cgi?id=180051 + + + Reviewed by Saam Barati. + + Checking for int32 isn't sufficient when uint32 is expected + afterwards. While we're here, also use Checked<>. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2017-11-14 Carlos Garcia Campos + + Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h + https://bugs.webkit.org/show_bug.cgi?id=173793 + + Reviewed by Joseph Pecoraro. + + Based on patch by Brian Burg. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bindings/ScriptValue.cpp: + (Inspector::jsToInspectorValue): + (Inspector::toInspectorValue): + (Deprecated::ScriptValue::toInspectorValue const): + * bindings/ScriptValue.h: + * inspector/AsyncStackTrace.cpp: + * inspector/ConsoleMessage.cpp: + * inspector/ContentSearchUtilities.cpp: + * inspector/DeprecatedInspectorValues.cpp: Added. + * inspector/DeprecatedInspectorValues.h: Added. + Keep the old symbols around in JavaScriptCore so that builds with the + public iOS SDK continue to work. These older SDKs include a version of + WebInspector.framework that expects to find InspectorArray and other + symbols in JavaScriptCore.framework. 
+ + * inspector/InjectedScript.cpp: + (Inspector::InjectedScript::getFunctionDetails): + (Inspector::InjectedScript::functionDetails): + (Inspector::InjectedScript::getPreview): + (Inspector::InjectedScript::getProperties): + (Inspector::InjectedScript::getDisplayableProperties): + (Inspector::InjectedScript::getInternalProperties): + (Inspector::InjectedScript::getCollectionEntries): + (Inspector::InjectedScript::saveResult): + (Inspector::InjectedScript::wrapCallFrames const): + (Inspector::InjectedScript::wrapObject const): + (Inspector::InjectedScript::wrapTable const): + (Inspector::InjectedScript::previewValue const): + (Inspector::InjectedScript::setExceptionValue): + (Inspector::InjectedScript::clearExceptionValue): + (Inspector::InjectedScript::inspectObject): + (Inspector::InjectedScript::releaseObject): + * inspector/InjectedScriptBase.cpp: + (Inspector::InjectedScriptBase::makeCall): + (Inspector::InjectedScriptBase::makeEvalCall): + * inspector/InjectedScriptBase.h: + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::injectedScriptForObjectId): + * inspector/InspectorBackendDispatcher.cpp: + (Inspector::BackendDispatcher::CallbackBase::sendSuccess): + (Inspector::BackendDispatcher::dispatch): + (Inspector::BackendDispatcher::sendResponse): + (Inspector::BackendDispatcher::sendPendingErrors): + (Inspector::BackendDispatcher::getPropertyValue): + (Inspector::castToInteger): + (Inspector::castToNumber): + (Inspector::BackendDispatcher::getInteger): + (Inspector::BackendDispatcher::getDouble): + (Inspector::BackendDispatcher::getString): + (Inspector::BackendDispatcher::getBoolean): + (Inspector::BackendDispatcher::getObject): + (Inspector::BackendDispatcher::getArray): + (Inspector::BackendDispatcher::getValue): + * inspector/InspectorBackendDispatcher.h: + We need to keep around the sendResponse() variant with a parameter that + has the InspectorObject type, as older WebInspector.framework versions + expect this symbol to exist. 
Introduce a variant with arity 3 that can + be used in TOT so as to avoid having two methods with the same name, arity, and + different parameter types. + + When system WebInspector.framework is updated, we can remove the legacy + method variant that uses the InspectorObject type. At that point, we can + transition TOT to use the 2-arity variant, and delete the 3-arity variant + when system WebInspector.framework is updated once more to use the 2-arity one. + + * inspector/InspectorProtocolTypes.h: + (Inspector::Protocol::Array::openAccessors): + (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType): + (Inspector::Protocol::BindingTraits>::runtimeCast): + (Inspector::Protocol::BindingTraits>::assertValueHasExpectedType): + (Inspector::Protocol::BindingTraits::assertValueHasExpectedType): + * inspector/ScriptCallFrame.cpp: + * inspector/ScriptCallStack.cpp: + * inspector/agents/InspectorAgent.cpp: + (Inspector::InspectorAgent::inspect): + * inspector/agents/InspectorAgent.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::buildAssertPauseReason): + (Inspector::buildCSPViolationPauseReason): + (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason): + (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): + (Inspector::buildObjectForBreakpointCookie): + (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): + (Inspector::parseLocation): + (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): + (Inspector::InspectorDebuggerAgent::setBreakpoint): + (Inspector::InspectorDebuggerAgent::continueToLocation): + (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): + (Inspector::InspectorDebuggerAgent::didParseSource): + (Inspector::InspectorDebuggerAgent::breakProgram): + * inspector/agents/InspectorDebuggerAgent.h: + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::callFunctionOn): + (Inspector::InspectorRuntimeAgent::saveResult): + 
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: + (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command): + * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: + (CppBackendDispatcherImplementationGenerator.generate_output): + (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): + * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py: + (CppFrontendDispatcherHeaderGenerator.generate_output): + * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: + (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): + * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: + (_generate_unchecked_setter_for_member): + * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py: + (CppProtocolTypesImplementationGenerator): + * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: + (ObjCBackendDispatcherImplementationGenerator.generate_output): + (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command): + * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: + (ObjCFrontendDispatcherImplementationGenerator.generate_output): + (ObjCFrontendDispatcherImplementationGenerator._generate_event): + (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters): + * inspector/scripts/codegen/generate_objc_internal_header.py: + (ObjCInternalHeaderGenerator.generate_output): + * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: + (ObjCProtocolTypesImplementationGenerator.generate_output): + * inspector/scripts/codegen/generator.py: + * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: + * 
inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/generic/expected/domain-availability.json-result: + * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/generic/expected/enum-values.json-result: + * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: + * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result: + * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: + * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: + * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: + * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: + +2017-11-28 Robin Morisset + + Support recursive tail call optimization for polymorphic calls + https://bugs.webkit.org/show_bug.cgi?id=178390 + + Reviewed by Saam Barati. 
+ + Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later, + eliminating some redundant checks, and simplifying a few parts of the inlining pipeline. + + Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT). + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::handleVarargsCall): + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::handleCallVariant): + (JSC::DFG::ByteCodeParser::handleVarargsInlining): + (JSC::DFG::ByteCodeParser::getInliningBalance): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted. + +2017-11-27 Saam Barati + + Spread can escape when CreateRest does not + https://bugs.webkit.org/show_bug.cgi?id=180057 + + + Reviewed by JF Bastien. + + We previously did not handle Spread(PhantomCreateRest) only because I did not + think it was possible to generate this IR. I was wrong. We can generate + such IR when we have a PutStack(Spread) but nothing escapes the CreateRest. + This IR is rare to generate since we normally don't PutStack(Spread) because + the SetLocal almost always gets eliminated because of how our bytecode generates + op_spread. However, there exists a test case showing it is possible. Supporting + this IR pattern in FTLLower is trivial. This patch implements it and rewrites + the Validation rule for Spread. 
+ + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGValidate.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileSpread): + * runtime/JSFixedArray.h: + (JSC::JSFixedArray::tryCreate): + +2017-11-27 Don Olmstead + + [CMake][Win] Conditionally select DLL CRT or static CRT + https://bugs.webkit.org/show_bug.cgi?id=170594 + + Reviewed by Alex Christensen. + + * shell/PlatformWin.cmake: + +2017-11-27 Saam Barati + + Having a bad time watchpoint firing during compilation revealed a racy assertion + https://bugs.webkit.org/show_bug.cgi?id=180048 + + + Reviewed by Mark Lam. + + While a DFG compilation is watching the having a bad time watchpoint, it was + asserting that the rest parameter structure has indexing type ArrayWithContiguous. + However, if the having a bad time watchpoint fires during the compilation, + this particular structure will no longer have ArrayWithContiguous indexing type. + This patch fixes this racy assertion to be aware that the watchpoint may fire + during compilation. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCreateRest): + (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): + +2017-11-27 Tim Horton + + One too many zeroes in macOS version number in FeatureDefines + https://bugs.webkit.org/show_bug.cgi?id=180011 + + Reviewed by Dan Bernstein. + + * Configurations/FeatureDefines.xcconfig: + +2017-11-27 Robin Morisset + + Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node + https://bugs.webkit.org/show_bug.cgi?id=179821 + + Reviewed by Saam Barati. + + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + +2017-11-21 Yusuke Suzuki + + [DFG] Add NormalizeMapKey DFG IR + https://bugs.webkit.org/show_bug.cgi?id=179912 + + Reviewed by Saam Barati. + + This patch introduces NormalizeMapKey DFG node. It executes what normalizeMapKey does in inlined manner. 
+ By separating this from MapHash and Map/Set related operations, we can perform CSE onto that, and we + do not need to call normalizeMapKey conservatively in DFG operations. + This can reduce slow path case in Untyped GetMapBucket since we can normalize keys in DFG/FTL. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupNormalizeMapKey): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileMapHash): + (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey): + (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): + * runtime/HashMapImpl.h: + +2017-11-26 Yusuke Suzuki + + [FTL] Support DeleteById and DeleteByVal + https://bugs.webkit.org/show_bug.cgi?id=180022 + + Reviewed by Saam Barati. + + We should increase the coverage of FTL. Even if the code includes DeleteById, + it does not mean that remaining part of the code should not be optimized in FTL. + Right now, even CallEval and `with` scope are handled in FTL. + + This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing + code including them. 
+ + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById): + (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal): + +2017-11-26 Yusuke Suzuki + + [DFG] Introduce {Set,Map,WeakMap}Fields + https://bugs.webkit.org/show_bug.cgi?id=179925 + + Reviewed by Saam Barati. + + SetAdd and MapSet uses `write(MiscFields)`, but it is not correct. It accidentally + writes readonly MiscFields which is used by various nodes and make optimization + conservative. + + We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap. + + * dfg/DFGAbstractHeap.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasBucketOwnerType): + +2017-11-26 Yusuke Suzuki + + [JSC] Remove JSStringBuilder + https://bugs.webkit.org/show_bug.cgi?id=180016 + + Reviewed by Saam Barati. + + JSStringBuilder is replaced with WTF::StringBuilder. + This patch removes remaning uses and drop JSStringBuilder. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * runtime/ArrayPrototype.cpp: + * runtime/AsyncFunctionPrototype.cpp: + * runtime/AsyncGeneratorFunctionPrototype.cpp: + * runtime/ErrorPrototype.cpp: + * runtime/FunctionPrototype.cpp: + * runtime/GeneratorFunctionPrototype.cpp: + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::decode): + (JSC::globalFuncEscape): + * runtime/JSStringBuilder.h: Removed. + * runtime/JSStringInlines.h: + (JSC::jsMakeNontrivialString): + * runtime/RegExpPrototype.cpp: + * runtime/StringPrototype.cpp: + +2017-11-26 Yusuke Suzuki + + [DFG] Remove GetLocalUnlinked + https://bugs.webkit.org/show_bug.cgi?id=180017 + + Reviewed by Saam Barati. 
+ + Since DFGArgumentsSimplificationPhase is removed 2 years ago, GetLocalUnlinked is no longer used in DFG. + This patch just removes it. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasUnlinkedLocal): + (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted. + (JSC::DFG::Node::convertToGetLocal): Deleted. + (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted. + (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted. + (JSC::DFG::Node::unlinkedMachineLocal): Deleted. + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStackLayoutPhase.cpp: + (JSC::DFG::StackLayoutPhase::run): + * dfg/DFGValidate.cpp: + +2017-11-26 Yusuke Suzuki + + Make ArgList::data() private again when we can remove callWasmFunction(). + https://bugs.webkit.org/show_bug.cgi?id=168582 + + Reviewed by JF Bastien. + + Make ArgList::data() private since we already removed callWasmFunction. + + * runtime/ArgList.h: + +2016-08-05 Darin Adler + + Fix some minor problems in the StringImpl header + https://bugs.webkit.org/show_bug.cgi?id=160630 + + Reviewed by Brent Fulgham. + + * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit + Yarr namespacing since we use "using namespace" in this file. + +2017-11-24 Mark Lam + + Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use. + https://bugs.webkit.org/show_bug.cgi?id=179936 + + + Reviewed by Saam Barati. 
+ + This issue was uncovered when we enabled --useDollarVM=true on the JSC tests. + See https://bugs.webkit.org/show_bug.cgi?id=179684. + + Basically, in the case of the failing test we observed, op_tail_call_forward_arguments + was allocating stack space to stash arguments (to be forwarded) and new frame + info. The location of this new stash space happens to lie beyond the top of frame + of the tail call caller frame. After stashing the arguments, the code proceeded + to load the callee codeBlock. This triggered an allocation, which in turn, + triggered stack sanitization. The CLoop stack sanitizer was relying on + frame->topOfFrame() to tell it where the top of the used stack is. In this case, + that turned out to be inadequate. As a result, part of the stashed data was + zeroed out, and subsequently led to a crash. + + This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons: + 1. JIT builds do stack sanitization in the LLInt code itself (different from the + CLoop implementation), and the sanitizer there is aware of the true top of + stack value (i.e. the stack pointer). + 2. JIT builds don't use a parallel stack like the CLoop. The presence of the + parallel stack is one condition necessary for reproducing this issue. + + The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer + every time before it calls out to native C++ code. This also brings the CLoop's + behavior closer to hardware behavior where we can know where the stack pointer + is after calling from JS back into native C++ code, which makes it easier to + reason about correctness. + + Also simplified the various stack boundary calculations (removed the +1 and -1 + adjustments). The CLoopStack bounds are now: + + reservationTop(): the lowest reserved address that can be within stack bounds. + m_commitTop: the lowest address within stack bounds that has been committed. + lowAddress() aka m_end: the lowest stack address that JS code can use. 
+ m_lastStackPointer: cache of the last m_currentStackPointer value. + m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code. + highAddress(): the highest address just beyond the bounds of the stack. + + Also deleted some unneeded code. + + * interpreter/CLoopStack.cpp: + (JSC::CLoopStack::CLoopStack): + (JSC::CLoopStack::gatherConservativeRoots): + (JSC::CLoopStack::sanitizeStack): + (JSC::CLoopStack::setSoftReservedZoneSize): + * interpreter/CLoopStack.h: + (JSC::CLoopStack::setCurrentStackPointer): + (JSC::CLoopStack::lowAddress const): + + (JSC::CLoopStack::baseOfStack const): Deleted. + - Not needed after we simplified the code and removed all the +1/-1 adjustments. + Now, it has the exact same value as highAddress() and can be removed. + + * interpreter/CLoopStackInlines.h: + (JSC::CLoopStack::ensureCapacityFor): + (JSC::CLoopStack::currentStackPointer): + (JSC::CLoopStack::setCLoopStackLimit): + + (JSC::CLoopStack::topOfFrameFor): Deleted. + - Not needed. + + (JSC::CLoopStack::topOfStack): Deleted. + - Supplanted by currentStackPointer(). + + (JSC::CLoopStack::shrink): Deleted. + - This is unused. + + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer + upon exitting the interpreter loop. + + * offlineasm/cloop.rb: + - Added setting of CLoopStack::m_currentStackPointer at boundary points where we + call from JS into C++ code. + + * tools/VMInspector.h: + - Added some default argument values. These were being used while debugging this + issue. + +2017-11-24 Yusuke Suzuki + + [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field + https://bugs.webkit.org/show_bug.cgi?id=179923 + + Reviewed by Darin Adler. + + We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users. + So we can use it as a marker of deleted bucket. 
+
+ This patch uses empty key as a deleted flag, and drop m_deleted field of HashMapBucket.
+ It shrinks the size of HashMapBucket much.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapBucket::createSentinel):
+ We make sentinel bucket as (undefined, undefined) since DFG/FTL can load a value from sentinels.
+ While the sentinel's deleted flag becomes false since key is set, it is not a problem since deleted
+ flag of sentinel bucket is not used.
+
+ (JSC::HashMapBucket::HashMapBucket):
+ (JSC::HashMapBucket::deleted const):
+ (JSC::HashMapBucket::makeDeleted):
+ (JSC::HashMapImpl::remove):
+ (JSC::HashMapImpl::clear):
+ (JSC::HashMapImpl::setUpHeadAndTail):
+ (JSC::HashMapImpl::addNormalizedInternal):
+ (JSC::HashMapBucket::setDeleted): Deleted.
+ (JSC::HashMapBucket::offsetOfDeleted): Deleted.
+ (): Deleted.
+
+2017-11-24 Mark Lam
+
+ Move unsafe jsc shell test functions to the $vm object.
+ https://bugs.webkit.org/show_bug.cgi?id=179980
+
+ Reviewed by Yusuke Suzuki.
+
+ Also removed setElementRoot() which was not used.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (WTF::Element::Element): Deleted.
+ (WTF::Element::root const): Deleted.
+ (WTF::Element::setRoot): Deleted.
+ (WTF::Element::create): Deleted.
+ (WTF::Element::visitChildren): Deleted.
+ (WTF::Element::createStructure): Deleted.
+ (WTF::Root::Root): Deleted.
+ (WTF::Root::element): Deleted.
+ (WTF::Root::setElement): Deleted.
+ (WTF::Root::create): Deleted.
+ (WTF::Root::createStructure): Deleted.
+ (WTF::Root::visitChildren): Deleted.
+ (WTF::ImpureGetter::ImpureGetter): Deleted.
+ (WTF::ImpureGetter::createStructure): Deleted.
+ (WTF::ImpureGetter::create): Deleted.
+ (WTF::ImpureGetter::finishCreation): Deleted.
+ (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
+ (WTF::ImpureGetter::visitChildren): Deleted.
+ (WTF::ImpureGetter::setDelegate): Deleted.
+ (WTF::CustomGetter::CustomGetter): Deleted.
+ (WTF::CustomGetter::createStructure): Deleted.
+ (WTF::CustomGetter::create): Deleted.
+ (WTF::CustomGetter::getOwnPropertySlot): Deleted.
+ (WTF::CustomGetter::customGetter): Deleted.
+ (WTF::CustomGetter::customGetterAcessor): Deleted.
+ (WTF::RuntimeArray::create): Deleted.
+ (WTF::RuntimeArray::~RuntimeArray): Deleted.
+ (WTF::RuntimeArray::destroy): Deleted.
+ (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
+ (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
+ (WTF::RuntimeArray::put): Deleted.
+ (WTF::RuntimeArray::deleteProperty): Deleted.
+ (WTF::RuntimeArray::getLength const): Deleted.
+ (WTF::RuntimeArray::createPrototype): Deleted.
+ (WTF::RuntimeArray::createStructure): Deleted.
+ (WTF::RuntimeArray::finishCreation): Deleted.
+ (WTF::RuntimeArray::RuntimeArray): Deleted.
+ (WTF::RuntimeArray::lengthGetter): Deleted.
+ (WTF::SimpleObject::SimpleObject): Deleted.
+ (WTF::SimpleObject::create): Deleted.
+ (WTF::SimpleObject::visitChildren): Deleted.
+ (WTF::SimpleObject::createStructure): Deleted.
+ (WTF::SimpleObject::hiddenValue): Deleted.
+ (WTF::SimpleObject::setHiddenValue): Deleted.
+ (WTF::DOMJITNode::DOMJITNode): Deleted.
+ (WTF::DOMJITNode::createStructure): Deleted.
+ (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
+ (WTF::DOMJITNode::create): Deleted.
+ (WTF::DOMJITNode::value const): Deleted.
+ (WTF::DOMJITNode::offsetOfValue): Deleted.
+ (WTF::DOMJITGetter::DOMJITGetter): Deleted.
+ (WTF::DOMJITGetter::createStructure): Deleted.
+ (WTF::DOMJITGetter::create): Deleted.
+ (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
+ (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
+ (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
+ (WTF::DOMJITGetter::customGetter): Deleted.
+ (WTF::DOMJITGetter::finishCreation): Deleted.
+ (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
+ (WTF::DOMJITGetterComplex::createStructure): Deleted.
+ (WTF::DOMJITGetterComplex::create): Deleted.
+ (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
+ (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
+ (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
+ (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
+ (WTF::DOMJITGetterComplex::customGetter): Deleted.
+ (WTF::DOMJITGetterComplex::finishCreation): Deleted.
+ (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
+ (WTF::DOMJITFunctionObject::createStructure): Deleted.
+ (WTF::DOMJITFunctionObject::create): Deleted.
+ (WTF::DOMJITFunctionObject::safeFunction): Deleted.
+ (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
+ (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
+ (WTF::DOMJITFunctionObject::finishCreation): Deleted.
+ (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
+ (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
+ (WTF::DOMJITCheckSubClassObject::create): Deleted.
+ (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
+ (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
+ (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::create): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
+ (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
+ (WTF::Element::handleOwner): Deleted.
+ (WTF::Element::finishCreation): Deleted.
+ (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
+ (JSTestCustomGetterSetter::create): Deleted.
+ (JSTestCustomGetterSetter::createStructure): Deleted.
+ (customGetAccessor): Deleted.
+ (customGetValue): Deleted.
+ (customSetAccessor): Deleted.
+ (customSetValue): Deleted.
+ (JSTestCustomGetterSetter::finishCreation): Deleted.
+ (GlobalObject::addConstructableFunction): Deleted.
+ (functionCreateRoot): Deleted.
+ (functionCreateElement): Deleted.
+ (functionGetElement): Deleted.
+ (functionSetElementRoot): Deleted.
+ (functionCreateSimpleObject): Deleted.
+ (functionGetHiddenValue): Deleted.
+ (functionSetHiddenValue): Deleted.
+ (functionCreateProxy): Deleted.
+ (functionCreateRuntimeArray): Deleted.
+ (functionCreateImpureGetter): Deleted.
+ (functionCreateCustomGetterObject): Deleted.
+ (functionCreateDOMJITNodeObject): Deleted.
+ (functionCreateDOMJITGetterObject): Deleted.
+ (functionCreateDOMJITGetterComplexObject): Deleted.
+ (functionCreateDOMJITFunctionObject): Deleted.
+ (functionCreateDOMJITCheckSubClassObject): Deleted.
+ (functionCreateDOMJITGetterBaseJSObject): Deleted.
+ (functionSetImpureGetterDelegate): Deleted.
+ (functionGetGetterSetter): Deleted.
+ (functionShadowChickenFunctionsOnStack): Deleted.
+ (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
+ (functionGlobalObjectForObject): Deleted.
+ (functionLoadGetterFromGetterSetter): Deleted.
+ (functionCreateCustomTestGetterSetter): Deleted.
+ (functionAbort): Deleted.
+ (functionFindTypeForExpression): Deleted.
+ (functionReturnTypeFor): Deleted.
+ (functionDumpBasicBlockExecutionRanges): Deleted.
+ (functionHasBasicBlockExecuted): Deleted.
+ (functionBasicBlockExecutionCount): Deleted.
+ (functionEnableExceptionFuzz): Deleted.
+ (functionCreateBuiltin): Deleted.
+ * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * tools/JSDollarVM.cpp: + (WTF::Element::Element): + (WTF::Element::root const): + (WTF::Element::setRoot): + (WTF::Element::create): + (WTF::Element::visitChildren): + (WTF::Element::createStructure): + (WTF::Root::Root): + (WTF::Root::element): + (WTF::Root::setElement): + (WTF::Root::create): + (WTF::Root::createStructure): + (WTF::Root::visitChildren): + (WTF::SimpleObject::SimpleObject): + (WTF::SimpleObject::create): + (WTF::SimpleObject::visitChildren): + (WTF::SimpleObject::createStructure): + (WTF::SimpleObject::hiddenValue): + (WTF::SimpleObject::setHiddenValue): + (WTF::ImpureGetter::ImpureGetter): + (WTF::ImpureGetter::createStructure): + (WTF::ImpureGetter::create): + (WTF::ImpureGetter::finishCreation): + (WTF::ImpureGetter::getOwnPropertySlot): + (WTF::ImpureGetter::visitChildren): + (WTF::ImpureGetter::setDelegate): + (WTF::CustomGetter::CustomGetter): + (WTF::CustomGetter::createStructure): + (WTF::CustomGetter::create): + (WTF::CustomGetter::getOwnPropertySlot): + (WTF::CustomGetter::customGetter): + (WTF::CustomGetter::customGetterAcessor): + (WTF::RuntimeArray::create): + (WTF::RuntimeArray::~RuntimeArray): + (WTF::RuntimeArray::destroy): + (WTF::RuntimeArray::getOwnPropertySlot): + (WTF::RuntimeArray::getOwnPropertySlotByIndex): + (WTF::RuntimeArray::put): + (WTF::RuntimeArray::deleteProperty): + (WTF::RuntimeArray::getLength const): + (WTF::RuntimeArray::createPrototype): + (WTF::RuntimeArray::createStructure): + (WTF::RuntimeArray::finishCreation): + (WTF::RuntimeArray::RuntimeArray): + (WTF::RuntimeArray::lengthGetter): + (WTF::DOMJITNode::DOMJITNode): + (WTF::DOMJITNode::createStructure): + (WTF::DOMJITNode::checkSubClassSnippet): + (WTF::DOMJITNode::create): + (WTF::DOMJITNode::value const): + (WTF::DOMJITNode::offsetOfValue): + (WTF::DOMJITGetter::DOMJITGetter): + (WTF::DOMJITGetter::createStructure): + (WTF::DOMJITGetter::create): + 
(WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): + (WTF::DOMJITGetter::DOMJITAttribute::slowCall): + (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): + (WTF::DOMJITGetter::customGetter): + (WTF::DOMJITGetter::finishCreation): + (WTF::DOMJITGetterComplex::DOMJITGetterComplex): + (WTF::DOMJITGetterComplex::createStructure): + (WTF::DOMJITGetterComplex::create): + (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): + (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): + (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): + (WTF::DOMJITGetterComplex::functionEnableException): + (WTF::DOMJITGetterComplex::customGetter): + (WTF::DOMJITGetterComplex::finishCreation): + (WTF::DOMJITFunctionObject::DOMJITFunctionObject): + (WTF::DOMJITFunctionObject::createStructure): + (WTF::DOMJITFunctionObject::create): + (WTF::DOMJITFunctionObject::safeFunction): + (WTF::DOMJITFunctionObject::unsafeFunction): + (WTF::DOMJITFunctionObject::checkSubClassSnippet): + (WTF::DOMJITFunctionObject::finishCreation): + (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): + (WTF::DOMJITCheckSubClassObject::createStructure): + (WTF::DOMJITCheckSubClassObject::create): + (WTF::DOMJITCheckSubClassObject::safeFunction): + (WTF::DOMJITCheckSubClassObject::unsafeFunction): + (WTF::DOMJITCheckSubClassObject::finishCreation): + (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): + (WTF::DOMJITGetterBaseJSObject::createStructure): + (WTF::DOMJITGetterBaseJSObject::create): + (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): + (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): + (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): + (WTF::DOMJITGetterBaseJSObject::customGetter): + (WTF::DOMJITGetterBaseJSObject::finishCreation): + (WTF::Message::releaseContents): + (WTF::Message::index const): + (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter): + (WTF::JSTestCustomGetterSetter::create): + 
(WTF::JSTestCustomGetterSetter::createStructure): + (WTF::customGetAccessor): + (WTF::customGetValue): + (WTF::customSetAccessor): + (WTF::customSetValue): + (WTF::JSTestCustomGetterSetter::finishCreation): + (WTF::Element::handleOwner): + (WTF::Element::finishCreation): + (JSC::functionCrash): + (JSC::functionCreateProxy): + (JSC::functionCreateRuntimeArray): + (JSC::functionCreateImpureGetter): + (JSC::functionCreateCustomGetterObject): + (JSC::functionCreateDOMJITNodeObject): + (JSC::functionCreateDOMJITGetterObject): + (JSC::functionCreateDOMJITGetterComplexObject): + (JSC::functionCreateDOMJITFunctionObject): + (JSC::functionCreateDOMJITCheckSubClassObject): + (JSC::functionCreateDOMJITGetterBaseJSObject): + (JSC::functionSetImpureGetterDelegate): + (JSC::functionCreateBuiltin): + (JSC::functionCreateRoot): + (JSC::functionCreateElement): + (JSC::functionGetElement): + (JSC::functionCreateSimpleObject): + (JSC::functionGetHiddenValue): + (JSC::functionSetHiddenValue): + (JSC::functionShadowChickenFunctionsOnStack): + (JSC::functionSetGlobalConstRedeclarationShouldNotThrow): + (JSC::functionFindTypeForExpression): + (JSC::functionReturnTypeFor): + (JSC::functionDumpBasicBlockExecutionRanges): + (JSC::functionHasBasicBlockExecuted): + (JSC::functionBasicBlockExecutionCount): + (JSC::functionEnableExceptionFuzz): + (JSC::functionGlobalObjectForObject): + (JSC::functionGetGetterSetter): + (JSC::functionLoadGetterFromGetterSetter): + (JSC::functionCreateCustomTestGetterSetter): + (JSC::JSDollarVM::finishCreation): + (JSC::JSDollarVM::addFunction): + (JSC::JSDollarVM::addConstructibleFunction): + * tools/JSDollarVM.h: + (JSC::JSDollarVM::create): + +2017-11-23 Simon Fraser + + Minor ArrayBufferView cleanup + https://bugs.webkit.org/show_bug.cgi?id=179966 + + Reviewed by Darin Adler. + + Use void* for data pointers when we don't need to do offset math. Use const for + source pointers. + + Prefer uint8_t* to char*. 
+ + Add comments noting that the assertions should not be made release assertions + as recommended by the style checker, since the point is to avoid the virtual byteLength() + call in release. + + * runtime/ArrayBufferView.h: + (JSC::ArrayBufferView::setImpl): + (JSC::ArrayBufferView::setRangeImpl): + (JSC::ArrayBufferView::getRangeImpl): + (JSC::ArrayBufferView::zeroRangeImpl): + +2017-11-23 Darin Adler + + Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII + https://bugs.webkit.org/show_bug.cgi?id=179907 + + Reviewed by Sam Weinig. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now + defaults to that. + + * runtime/StringPrototype.cpp: + (JSC::stringIncludesImpl): Use String::find since there is no overload of + String::contains that takes a start offset now that we removed the one that took a + caseSensitive boolean. We can add one later if we like, but this should do for now. + + * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from + the StringImpl.h header because it is only used here. + +2017-11-22 Simon Fraser + + Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile, + because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl(). + + Also name the argument to zeroRange() to 'count' since it's an item count. + + * runtime/GenericTypedArrayView.h: + (JSC::GenericTypedArrayView::zeroRange): + (JSC::GenericTypedArrayView::getRange): + +2017-11-21 Simon Fraser + + Allow for more efficient use of GenericTypedArrayView + https://bugs.webkit.org/show_bug.cgi?id=179899 + + Reviewed by Sam Weinig. + + Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength() + under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass + in a length. 
+ + Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual + byteLength() calls. + + Renamed 'dataLength' to 'count' in setRange() to be clearer. + + Added setNative() for callers who don't need clamping of doubles. + + * runtime/ArrayBufferView.h: + (JSC::ArrayBufferView::setRangeImpl): + (JSC::ArrayBufferView::getRangeImpl): + * runtime/GenericTypedArrayView.h: + (JSC::GenericTypedArrayView::setRange): + (JSC::GenericTypedArrayView::setNative const): + (JSC::GenericTypedArrayView::getRange): + (JSC::GenericTypedArrayView::checkInboundData const): + (JSC::GenericTypedArrayView::internalByteLength const): + +2017-11-21 Yusuke Suzuki + + [DFG][FTL] Support MapSet / SetAdd intrinsics + https://bugs.webkit.org/show_bug.cgi?id=179858 + + Reviewed by Saam Barati. + + Map.prototype.set and Set.prototype.add uses MapHash value anyway. + By handling them as MapSet and SetAdd DFG nodes and decoupling + MapSet and SetAdd nodes from MapHash DFG node, we have a chance to + remove duplicate MapHash calculation for the same key. + + One story is *set-if-not-exists*. + + if (!map.has(key)) + map.set(key, value); + + In the above code, both `has` and `set` require hash value for `key`. + If we can change `set` to the series of DFG nodes: + + 1: MapHash(key) + 2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1) + + we can remove duplicate @1 produced by `has` operation. 
+ + This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively, + + baseline patched + + map-set.es6 246.2413+-15.2084 ^ 204.3679+-11.2408 ^ definitely 1.2049x faster + map-set-object.es6 266.5075+-17.2289 ^ 221.2792+-12.2948 ^ definitely 1.2044x faster + + Microbenchmarks + + map-has-and-set 148.1522+-7.6665 ^ 131.4552+-7.8846 ^ definitely 1.1270x faster + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileSetAdd): + (JSC::DFG::SpeculativeJIT::compileMapSet): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): + (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): + * jit/JITOperations.h: + * runtime/HashMapImpl.h: + (JSC::HashMapImpl::addNormalized): + (JSC::HashMapImpl::addNormalizedInternal): + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/MapPrototype.cpp: + (JSC::MapPrototype::finishCreation): + * runtime/SetPrototype.cpp: + (JSC::SetPrototype::finishCreation): + +2017-11-21 Yusuke Suzuki + + [JSC] Allow poly proto for intrinsic getters + https://bugs.webkit.org/show_bug.cgi?id=179550 + + Reviewed by Saam Barati. 
+ + This patch allows intrinsic getters to accept poly proto. + We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform + poly proto checks. And we extend UnderscoreProtoIntrinsic to emit + code for poly proto case. + + * bytecode/IntrinsicGetterAccessCase.cpp: + (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase): + (JSC::IntrinsicGetterAccessCase::create): + * bytecode/IntrinsicGetterAccessCase.h: + * jit/IntrinsicEmitter.cpp: + (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter): + (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + +2017-11-20 Don Olmstead + + Detect __declspec within JSBase.h + https://bugs.webkit.org/show_bug.cgi?id=179892 + + Reviewed by Darin Adler. + + * API/JSBase.h: + +2017-11-19 Tim Horton + + Remove unused TOUCH_ICON_LOADING feature flag + https://bugs.webkit.org/show_bug.cgi?id=179873 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: + +2017-11-19 Yusuke Suzuki + + Add CPU(UNKNOWN) to cover all the unknown CPU types + https://bugs.webkit.org/show_bug.cgi?id=179243 + + Reviewed by JF Bastien. + + * CMakeLists.txt: + +2017-11-19 Tim Horton + + Remove unused LEGACY_VENDOR_PREFIXES feature flag + https://bugs.webkit.org/show_bug.cgi?id=179872 + + Reviewed by Darin Adler. + + * Configurations/FeatureDefines.xcconfig: + +2017-11-18 Tim Horton + + Fix typos in closing ENABLE() comments + https://bugs.webkit.org/show_bug.cgi?id=179869 + + Unreviewed. + + * wasm/WasmMemory.h: + * wasm/WasmMemoryMode.h: + +2017-11-17 JF Bastien + + NFC update ClassInfo to C++14 + https://bugs.webkit.org/show_bug.cgi?id=179783 + + Reviewed by Mark Lam. + + Forked from #179734, use `using` instead of `typedef`. It's easier + to read. + + * runtime/ClassInfo.h: + +2017-11-17 JF Bastien + + WebAssembly JS API: throw when a promise can't be created + https://bugs.webkit.org/show_bug.cgi?id=179826 + + + Reviewed by Mark Lam. 
+ + Failure *in* a promise causes rejection, but failure to create a + promise (because of stack overflow) isn't really spec'd (as all + stack things JS). This applies to WebAssembly.compile and + WebAssembly.instantiate. + + Dan's current proposal says: + + https://littledan.github.io/spec/document/js-api/index.html#stack-overflow + + Whenever a stack overflow occurs in WebAssembly code, the same + class of exception is thrown as for a stack overflow in + JavaScript. The particular exception here is + implementation-defined in both cases. + + Note: ECMAScript doesn’t specify any sort of behavior on stack + overflow; implementations have been observed to throw RangeError, + InternalError or Error. Any is valid here. + + This is for general stack overflow within WebAssembly, not + specifically for promise creation within JavaScript, but it seems + like a stack overflow in promise creation should follow the same + rule instead of, say, swallowing the overflow and returning + undefined. + + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::webAssemblyCompileFunc): + (JSC::webAssemblyInstantiateFunc): + +2017-11-16 Daniel Bates + + Add feature define for alternative presentation button element + https://bugs.webkit.org/show_bug.cgi?id=179692 + Part of + + Reviewed by Andy Estes. + + Only enabled on Cocoa platforms by default. + + * Configurations/FeatureDefines.xcconfig: + +2017-11-16 Saam Barati + + Fix a bug with cpuid in the FTL. + + Rubber stamped by Mark Lam. + + Before uploading the previous patch, I tried to condense the code. I + accidentally removed a crucial line saying that CPUID clobbers various + registers. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic): + +2017-11-16 Saam Barati + + Add some X86 intrinsics to $vm to help with some perf testing + https://bugs.webkit.org/show_bug.cgi?id=179693 + + Reviewed by Mark Lam. + + I've been doing some local perf testing of various ideas and have + had these come in handy. 
I'm going to land them to dollarVM to prevent + having to add them to my local build every time I do perf testing. + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::mfence): + (JSC::MacroAssemblerX86Common::rdtsc): + (JSC::MacroAssemblerX86Common::pause): + (JSC::MacroAssemblerX86Common::cpuid): + * assembler/X86Assembler.h: + (JSC::X86Assembler::rdtsc): + (JSC::X86Assembler::pause): + (JSC::X86Assembler::cpuid): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGNode.h: + (JSC::DFG::Node::intrinsic): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic): + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * tools/JSDollarVM.cpp: + (JSC::functionCpuMfence): + (JSC::functionCpuRdtsc): + (JSC::functionCpuCpuid): + (JSC::functionCpuPause): + (JSC::functionCpuClflush): + (JSC::JSDollarVM::finishCreation): + +2017-11-16 JF Bastien + + It should be easier to reify lazy property names + https://bugs.webkit.org/show_bug.cgi?id=179734 + + + Reviewed by Keith Miller. + + We reify lazy property names in a few different ways, each + specific to the JSCell implementation, in put() instead of having + a special function to do reification. Let's make that simpler. 
+ + This patch makes it easier to reify property names in a uniform + manner, and does so in JSFunction. As a follow up I'll use the + same mechanics for: + + ClonedArguments callee, iteratorSymbol (Symbol.iterator) + ErrorConstructor stackTraceLimit + ErrorInstance line, column, sourceURL, stack + GenericArguments length, callee, iteratorSymbol (Symbol.iterator) + GetterSetter RELEASE_ASSERT_NOT_REACHED() + JSArray length + RegExpObject lastIndex + StringObject length + + * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table. + * runtime/JSCell.cpp: + (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify. + * runtime/JSCell.h: + * runtime/JSFunction.cpp: `name` and `length` can be reified. + (JSC::JSFunction::reifyPropertyNameIfNeeded): + (JSC::JSFunction::put): + (JSC::JSFunction::reifyLength): + (JSC::JSFunction::reifyName): + (JSC::JSFunction::reifyLazyPropertyIfNeeded): + (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded): + (JSC::JSFunction::reifyLazyLengthIfNeeded): + (JSC::JSFunction::reifyLazyNameIfNeeded): + (JSC::JSFunction::reifyLazyBoundNameIfNeeded): + * runtime/JSFunction.h: + (JSC::JSFunction::isLazy): + (JSC::JSFunction::isReified): + * runtime/JSObjectInlines.h: + (JSC::JSObject::putDirectInternal): do the reification here. + +2017-11-16 Robin Morisset + + Provide a runtime option for disabling the optimization of recursive tail calls + https://bugs.webkit.org/show_bug.cgi?id=179765 + + Reviewed by Mark Lam. + + * bytecode/PreciseJumpTargets.cpp: + (JSC::getJumpTargetsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEnter): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + * runtime/Options.h: + +2017-11-16 Robin Morisset + + Fix null pointer dereference in bytecodeDumper + https://bugs.webkit.org/show_bug.cgi?id=179764 + + Reviewed by Mark Lam. 
+ + The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee(). + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printCallOp): + +2017-11-16 Robin Morisset + + REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216) + https://bugs.webkit.org/show_bug.cgi?id=179763 + + + Reviewed by Keith Miller. + + Fix null pointer dereference caused by an eliminated tdz_check + + The problem was when doing an OSR entry in DFG while |this| was null + (because super() had not yet been called in the constructor of this + subclass), it would be marked as non-null, and the tdz_check eliminated. + + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::initialize): + +2017-11-15 Ryan Haddad + + Unreviewed, rolling out r224863. + + Introduced LayoutTest crashes on iOS Simulator. + + Reverted changeset: + + "Move JSONValues to WTF and convert uses of InspectorValues.h + to JSONValues.h" + https://bugs.webkit.org/show_bug.cgi?id=173793 + https://trac.webkit.org/changeset/224863 + +2017-11-14 Mark Lam + + Gardening: CLoop build fix after r224862. + https://bugs.webkit.org/show_bug.cgi?id=179699 + + Not reviewed.. + + * bytecode/CodeBlock.h: + (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters): + +2017-11-14 Carlos Garcia Campos + + Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h + https://bugs.webkit.org/show_bug.cgi?id=173793 + + Reviewed by Brian Burg. + + Based on patch by Brian Burg. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bindings/ScriptValue.cpp: + (Inspector::jsToInspectorValue): + (Inspector::toInspectorValue): + (Deprecated::ScriptValue::toInspectorValue const): + * bindings/ScriptValue.h: + * inspector/AsyncStackTrace.cpp: + * inspector/ConsoleMessage.cpp: + * inspector/ContentSearchUtilities.cpp: + * inspector/InjectedScript.cpp: + (Inspector::InjectedScript::getFunctionDetails): + (Inspector::InjectedScript::functionDetails): + (Inspector::InjectedScript::getPreview): + (Inspector::InjectedScript::getProperties): + (Inspector::InjectedScript::getDisplayableProperties): + (Inspector::InjectedScript::getInternalProperties): + (Inspector::InjectedScript::getCollectionEntries): + (Inspector::InjectedScript::saveResult): + (Inspector::InjectedScript::wrapCallFrames const): + (Inspector::InjectedScript::wrapObject const): + (Inspector::InjectedScript::wrapTable const): + (Inspector::InjectedScript::previewValue const): + (Inspector::InjectedScript::setExceptionValue): + (Inspector::InjectedScript::clearExceptionValue): + (Inspector::InjectedScript::inspectObject): + (Inspector::InjectedScript::releaseObject): + * inspector/InjectedScriptBase.cpp: + (Inspector::InjectedScriptBase::makeCall): + (Inspector::InjectedScriptBase::makeEvalCall): + * inspector/InjectedScriptBase.h: + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::injectedScriptForObjectId): + * inspector/InspectorBackendDispatcher.cpp: + (Inspector::BackendDispatcher::CallbackBase::sendSuccess): + (Inspector::BackendDispatcher::dispatch): + (Inspector::BackendDispatcher::sendResponse): + (Inspector::BackendDispatcher::sendPendingErrors): + (Inspector::BackendDispatcher::getPropertyValue): + (Inspector::castToInteger): + (Inspector::castToNumber): + (Inspector::BackendDispatcher::getInteger): + (Inspector::BackendDispatcher::getDouble): + (Inspector::BackendDispatcher::getString): + (Inspector::BackendDispatcher::getBoolean): + 
(Inspector::BackendDispatcher::getObject): + (Inspector::BackendDispatcher::getArray): + (Inspector::BackendDispatcher::getValue): + * inspector/InspectorBackendDispatcher.h: + * inspector/InspectorProtocolTypes.h: + (Inspector::Protocol::Array::openAccessors): + (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType): + (Inspector::Protocol::BindingTraits>::runtimeCast): + (Inspector::Protocol::BindingTraits>::assertValueHasExpectedType): + (Inspector::Protocol::BindingTraits::assertValueHasExpectedType): + * inspector/ScriptCallFrame.cpp: + * inspector/ScriptCallStack.cpp: + * inspector/agents/InspectorAgent.cpp: + (Inspector::InspectorAgent::inspect): + * inspector/agents/InspectorAgent.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::buildAssertPauseReason): + (Inspector::buildCSPViolationPauseReason): + (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason): + (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason): + (Inspector::buildObjectForBreakpointCookie): + (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): + (Inspector::parseLocation): + (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): + (Inspector::InspectorDebuggerAgent::setBreakpoint): + (Inspector::InspectorDebuggerAgent::continueToLocation): + (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): + (Inspector::InspectorDebuggerAgent::didParseSource): + (Inspector::InspectorDebuggerAgent::breakProgram): + * inspector/agents/InspectorDebuggerAgent.h: + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::callFunctionOn): + (Inspector::InspectorRuntimeAgent::saveResult): + (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: + (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command): + * 
inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: + (CppBackendDispatcherImplementationGenerator.generate_output): + (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): + * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py: + (CppFrontendDispatcherHeaderGenerator.generate_output): + * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: + (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): + * inspector/scripts/codegen/generate_cpp_protocol_types_header.py: + (_generate_unchecked_setter_for_member): + * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py: + (CppProtocolTypesImplementationGenerator): + * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py: + (ObjCBackendDispatcherImplementationGenerator.generate_output): + (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command): + * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py: + (ObjCFrontendDispatcherImplementationGenerator.generate_output): + (ObjCFrontendDispatcherImplementationGenerator._generate_event): + (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters): + * inspector/scripts/codegen/generate_objc_internal_header.py: + (ObjCInternalHeaderGenerator.generate_output): + * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py: + (ObjCProtocolTypesImplementationGenerator.generate_output): + * inspector/scripts/codegen/generator.py: + * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: + * 
inspector/scripts/tests/generic/expected/domain-availability.json-result: + * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/generic/expected/enum-values.json-result: + * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: + * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result: + * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: + * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: + * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: + * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: + +2017-11-14 Mark Lam + + Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust. + https://bugs.webkit.org/show_bug.cgi?id=179699 + + + Reviewed by Michael Saboff. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::dumpRegisters): + - Need to skip the callee saved registers + +2017-11-14 Guillaume Emont + + REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching + https://bugs.webkit.org/show_bug.cgi?id=179563 + + Reviewed by Carlos Alberto Lopez Perez. 
+
+ When run with BranchIfTruncateSuccessful,
+ branchTruncateDoubleToInt32() should set the destination register
+ before branching.
+ This change also removes branchTruncateDoubleToUInt32() as it is
+ deprecated (see r160205), merges branchOnTruncateResult() into
+ branchTruncateDoubleToInt32() and adds test cases in testmasm.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
+ (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
+ Properly set dest before branching.
+ (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
+ * assembler/testmasm.cpp:
+ (JSC::testBranchTruncateDoubleToInt32):
+ (JSC::run):
+ Add tests for branchTruncateDoubleToInt32().
+
+2017-11-14 Daniel Bates
+
+ Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
+ for feature defines
+
+ Following r195498 and r201917 the Visual Studio property files for feature defines have
+ moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
+ Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
+ files.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-11-14 Mark Lam
+
+ Remove JSDollarVMPrototype.
+ https://bugs.webkit.org/show_bug.cgi?id=179685
+
+ Reviewed by Saam Barati.
+
+ 1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
+
+ This allows us to call these functions during lldb debugging sessions using
+ VMInspector::foo() instead of JSDollarVMPrototype::foo(). It makes sense that
+ VMInspector provides VM debugging utility methods. It doesn't make sense to
+ have a JSDollarVMPrototype object provide these methods.
+
+ Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
+
+ 2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
+
+ JSDollarVM is a special object used only for debugging purposes.
There's no
+ gain in requiring its methods to be stored in a prototype object other than to
+ conform to typical JS convention. We can remove this complexity.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * tools/JSDollarVM.cpp:
+ (JSC::JSDollarVM::addFunction):
+ (JSC::functionCrash):
+ (JSC::functionDFGTrue):
+ (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
+ (JSC::CallerFrameJITTypeFunctor::operator() const):
+ (JSC::CallerFrameJITTypeFunctor::jitType):
+ (JSC::functionLLintTrue):
+ (JSC::functionJITTrue):
+ (JSC::functionGC):
+ (JSC::functionEdenGC):
+ (JSC::functionCodeBlockForFrame):
+ (JSC::codeBlockFromArg):
+ (JSC::functionCodeBlockFor):
+ (JSC::functionPrintSourceFor):
+ (JSC::functionPrintBytecodeFor):
+ (JSC::functionPrint):
+ (JSC::functionPrintCallFrame):
+ (JSC::functionPrintStack):
+ (JSC::functionValue):
+ (JSC::functionGetPID):
+ (JSC::JSDollarVM::finishCreation):
+ * tools/JSDollarVM.h:
+ (JSC::JSDollarVM::create):
+ * tools/JSDollarVMPrototype.cpp: Removed.
+ * tools/JSDollarVMPrototype.h: Removed.
+ * tools/VMInspector.cpp:
+ (JSC::VMInspector::currentThreadOwnsJSLock):
+ (JSC::ensureCurrentThreadOwnsJSLock):
+ (JSC::VMInspector::gc):
+ (JSC::VMInspector::edenGC):
+ (JSC::VMInspector::isInHeap):
+ (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
+ (JSC::CellAddressCheckFunctor::operator() const):
+ (JSC::VMInspector::isValidCell):
+ (JSC::VMInspector::isValidCodeBlock):
+ (JSC::VMInspector::codeBlockForFrame):
+ (JSC::PrintFrameFunctor::PrintFrameFunctor):
+ (JSC::PrintFrameFunctor::operator() const):
+ (JSC::VMInspector::printCallFrame):
+ (JSC::VMInspector::printStack):
+ (JSC::VMInspector::printValue):
+ * tools/VMInspector.h:
+
+2017-11-14 Joseph Pecoraro
+
+ Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
+ https://bugs.webkit.org/show_bug.cgi?id=179640
+
+
+ Reviewed by Devin Rousso.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ Gate the ServiceWorker domain on the ENABLE feature flag.
+
+ * inspector/protocol/ServiceWorker.json: Added.
+ New domain to be made available inside of a ServiceWorker target.
+
+2017-11-14 Yusuke Suzuki
+
+ [DFG][FTL] Support Array::DirectArguments with OutOfBounds
+ https://bugs.webkit.org/show_bug.cgi?id=179594
+
+ Reviewed by Saam Barati.
+
+ Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
+ If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
+ `arguments[i]` accesses if i is in bound, and (2) encourage arguments elimination phase
+ to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
+ PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
+
+ This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
+ accept this type, and emit optimized code compared to Array::Generic case.
+
+ We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
+ exit instead of ExoticObjectMode.
+
+ This change significantly improves SixSpeed rest.es5 since it uses OOB access.
+ Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
+
+ rest.es5 59.6719+-2.2440 ^ 3.1634+-0.5507 ^ definitely 18.8635x faster
+
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine const):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
+
+2017-11-14 Saam Barati
+
+ We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
+ https://bugs.webkit.org/show_bug.cgi?id=179639
+
+
+ Reviewed by JF Bastien.
+
+ Calling Wasm::Memory::grow from the JIT may cause us to GC.
When we GC, we will
+ walk the stack for ShadowChicken (and maybe other things). We weren't updating
+ topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
+ use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
+ this bug by giving Wasm::Instance a lambda that is called when we need to store
+ the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
+ Currently, JSWebAssemblyInstance passes in a lambda that stores to
+ VM.topCallFrame.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::addGrowMemory):
+ * wasm/WasmInstance.cpp:
+ (JSC::Wasm::Instance::Instance):
+ (JSC::Wasm::Instance::create):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::storeTopCallFrame):
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::create):
+ * wasm/js/JSWebAssemblyInstance.h:
+ * wasm/js/WasmToJS.cpp:
+ (JSC::Wasm::wasmToJSException):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::constructJSWebAssemblyInstance):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::instantiate):
+
+2017-11-13 Saam Barati
+
+ Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
+ https://bugs.webkit.org/show_bug.cgi?id=179203
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch only removes the pointer caging for the described types in the title.
+ These types still allocate out of the gigacage. This is a just a cost vs benefit
+ tradeoff of performance vs security.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDirectArgumentsGetByVal):
+ (JSC::JIT::emitScopedArgumentsGetByVal):
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::storage):
+ * runtime/HashMapImpl.cpp:
+ (JSC::HashMapImpl::visitChildren):
+ * runtime/HashMapImpl.h:
+ * runtime/JSLexicalEnvironment.h:
+ (JSC::JSLexicalEnvironment::variables):
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::overflowStorage const):
+
+2017-11-08 Keith Miller
+
+ Async iteration should only fetch the next method once and add feature flag
+ https://bugs.webkit.org/show_bug.cgi?id=179451
+
+ Reviewed by Geoffrey Garen.
+
+ Add feature flag for Async iteration. Also, change async iteration to match
+ the expected behavior of the proposal.
+
+ * Configurations/FeatureDefines.xcconfig:
+ * builtins/AsyncFromSyncIteratorPrototype.js:
+ (globalPrivate.createAsyncFromSyncIterator):
+ (globalPrivate.AsyncFromSyncIteratorConstructor):
+ * builtins/BuiltinNames.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetAsyncIterator):
+ * runtime/Options.h:
+
+2017-11-13 Mark Lam
+
+ Add more overflow check book-keeping for MarkedArgumentBuffer.
+ https://bugs.webkit.org/show_bug.cgi?id=179634
+
+
+ Reviewed by Saam Barati.
+
+ * runtime/ArgList.h:
+ (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
+ * runtime/JSJob.cpp:
+ (JSC::JSJobMicrotask::run):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::defineProperties):
+ * runtime/ReflectObject.cpp:
+ (JSC::reflectObjectConstruct):
+
+2017-11-13 Guillaume Emont
+
+ [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
+ https://bugs.webkit.org/show_bug.cgi?id=179542
+
+ Reviewed by Alex Christensen.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
+
+2017-11-13 Mark Lam
+
+ Make the jsc shell loadGetterFromGetterSetter() function more robust.
+ https://bugs.webkit.org/show_bug.cgi?id=179619
+
+
+ Reviewed by Saam Barati.
+
+ * jsc.cpp:
+ (functionLoadGetterFromGetterSetter):
+
+2017-11-12 Darin Adler
+
+ More is<> and downcast<>, less static_cast<>
+ https://bugs.webkit.org/show_bug.cgi?id=179600
+
+ Reviewed by Chris Dumez.
+
+ * runtime/JSString.h:
+ (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
+ (JSC::jsSubstringOfResolved): Ditto.
+
+2017-11-12 Mark Lam
+
+ We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
+ https://bugs.webkit.org/show_bug.cgi?id=179562
+
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
+
+2017-11-11 Devin Rousso
+
+ Web Inspector: Canvas tab: show detailed status during canvas recording
+ https://bugs.webkit.org/show_bug.cgi?id=178185
+
+
+ Reviewed by Brian Burg.
+
+ * inspector/protocol/Canvas.json:
+ Add a `recordingProgress` event that is sent to the frontend that contains all the frame
+ payloads since the last Canvas.recordingProgress event and the current buffer usage.
+
+ * inspector/protocol/Recording.json:
+ Remove the required `frames` parameter from the Recording protocol object, as they will be
+ sent in batches via the Canvas.recordingProgress event.
+
+2017-11-10 Joseph Pecoraro
+
+ Web Inspector: Make http status codes be "integer" instead of "number" in protocol
+ https://bugs.webkit.org/show_bug.cgi?id=179543
+
+ Reviewed by Antoine Quint.
+
+ * inspector/protocol/Network.json:
+ Use a better type for the status code.
+
+2017-11-10 Robin Morisset
+
+ The memory consumption of DFG::BasicBlock can be easily reduced a bit
+ https://bugs.webkit.org/show_bug.cgi?id=179528
+
+ Reviewed by Saam Barati.
+
+ A few changes here:
+ - Reordering some fields of DFG::BasicBlock to reduce padding
+ - Making the enum fields that are glorified booleans fit into a u8
+ - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
+ This change works because we never increase the number of arguments after allocating an Operands object.
+ It lets us avoid one extra capacity field and one extra pointer field per Operands,
+ and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
+ Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
+ we have a chance to avoid an allocation.
+ - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
+
+ * bytecode/Operands.h:
+ (JSC::Operands::Operands):
+ (JSC::Operands::numberOfArguments const):
+ (JSC::Operands::numberOfLocals const):
+ (JSC::Operands::argument):
+ (JSC::Operands::argument const):
+ (JSC::Operands::local):
+ (JSC::Operands::local const):
+ (JSC::Operands::ensureLocals):
+ (JSC::Operands::setLocal):
+ (JSC::Operands::getLocal):
+ (JSC::Operands::setArgumentFirstTime):
+ (JSC::Operands::setLocalFirstTime):
+ (JSC::Operands::operand):
+ (JSC::Operands::setOperand):
+ (JSC::Operands::size const):
+ (JSC::Operands::at const):
+ (JSC::Operands::at):
+ (JSC::Operands::isArgument const):
+ (JSC::Operands::isVariable const):
+ (JSC::Operands::virtualRegisterForIndex const):
+ (JSC::Operands::fill):
+ (JSC::Operands::operator== const):
+ (JSC::Operands::argumentForIndex const): Deleted.
+ (JSC::Operands::variableForIndex const): Deleted.
+ (JSC::Operands::indexForOperand const): Deleted.
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ * dfg/DFGBasicBlock.h:
+ * dfg/DFGBranchDirection.h:
+ * dfg/DFGStructureClobberState.h:
+
+2017-11-09 Yusuke Suzuki
+
+ [JSC] Retry module fetching if previous request fails
+ https://bugs.webkit.org/show_bug.cgi?id=178168
+
+ Reviewed by Saam Barati.
+
+ According to the latest spec, the failed fetching operation can be retried if it is requested again.
+ For example,
+
+
+
+
+ When performing the first module fetching, integrity check fails, and the load of this module becomes failed.
+ But when loading the second module, we do not use the cached failure result in the first module loading.
+ We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
+ This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
+
+ Interestingly, fetching result and instantiation result will be cached if they succeeds. This is because we would
+ like to cache modules based on their URLs.
As a result,
+
+
+
+
+ In the above case, the first loading succeeds. And the second loading also succeeds since the succeeded fetching and
+ instantiation are cached in the module pipeline.
+
+ This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
+ failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
+ if the previous one fails. As an overview of our change,
+
+ 1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
+ be unified. But if currently executing one fails, other attempts should retry fetching.
+
+ 2. Instantiation should be cached if fetching succeeds.
+
+ 3. Satisfying should be cached if it succeeds.
+
+ [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
+
+ * builtins/ModuleLoaderPrototype.js:
+ (requestFetch):
+ (requestInstantiate):
+ (requestSatisfy):
+ (link):
+ (loadModule):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+
+2017-11-09 Devin Rousso
+
+ Web Inspector: support undo/redo of insertAdjacentHTML
+ https://bugs.webkit.org/show_bug.cgi?id=179283
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/protocol/DOM.json:
+ Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
+ on the given node.
+
+2017-11-09 Joseph Pecoraro
+
+ Web Inspector: Make domain availability a list of types instead of a single type
+ https://bugs.webkit.org/show_bug.cgi?id=179457
+
+ Reviewed by Brian Burg.
+
+ * inspector/scripts/codegen/generate_js_backend_commands.py:
+ (JSBackendCommandsGenerator.generate_domain):
+ Update output of `InspectorBackend.activateDomain` to include the list.
+
+ * inspector/scripts/codegen/models.py:
+ (Protocol.parse_domain):
+ Parse `availability` as a list and include a new supported value of "service-worker".
+
+ * inspector/protocol/ApplicationCache.json:
+ * inspector/protocol/CSS.json:
+ * inspector/protocol/Canvas.json:
+ * inspector/protocol/DOM.json:
+ * inspector/protocol/DOMDebugger.json:
+ * inspector/protocol/DOMStorage.json:
+ * inspector/protocol/Database.json:
+ * inspector/protocol/IndexedDB.json:
+ * inspector/protocol/LayerTree.json:
+ * inspector/protocol/Memory.json:
+ * inspector/protocol/Network.json:
+ * inspector/protocol/Page.json:
+ * inspector/protocol/Timeline.json:
+ * inspector/protocol/Worker.json:
+ Update `availability` to be a list.
+
+ * inspector/scripts/tests/generic/domain-availability.json:
+ * inspector/scripts/tests/generic/expected/domain-availability.json-result:
+ * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
+ * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
+ * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
+ * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
+ * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
+ Update tests to include a test for the type and an invalid value.
+
+2017-11-03 Yusuke Suzuki
+
+ [JSC][JIT] Clean up SlowPathCall stubs
+ https://bugs.webkit.org/show_bug.cgi?id=179247
+
+ Reviewed by Saam Barati.
+
+ We have bunch of duplicate functions that just call a slow path function.
+ This patch cleans up the above duplication.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::emitSlowCaseCall):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emitSlow_op_unsigned): Deleted.
+ (JSC::JIT::emitSlow_op_inc): Deleted.
+ (JSC::JIT::emitSlow_op_dec): Deleted.
+ (JSC::JIT::emitSlow_op_bitand): Deleted.
+ (JSC::JIT::emitSlow_op_bitor): Deleted.
+ (JSC::JIT::emitSlow_op_bitxor): Deleted.
+ (JSC::JIT::emitSlow_op_lshift): Deleted.
+ (JSC::JIT::emitSlow_op_rshift): Deleted.
+ (JSC::JIT::emitSlow_op_urshift): Deleted.
+ (JSC::JIT::emitSlow_op_div): Deleted.
+ * jit/JITArithmetic32_64.cpp:
+ (JSC::JIT::emitSlow_op_unsigned): Deleted.
+ (JSC::JIT::emitSlow_op_inc): Deleted.
+ (JSC::JIT::emitSlow_op_dec): Deleted.
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emitSlow_op_create_this): Deleted.
+ (JSC::JIT::emitSlow_op_check_tdz): Deleted.
+ (JSC::JIT::emitSlow_op_to_this): Deleted.
+ (JSC::JIT::emitSlow_op_to_primitive): Deleted.
+ (JSC::JIT::emitSlow_op_not): Deleted.
+ (JSC::JIT::emitSlow_op_stricteq): Deleted.
+ (JSC::JIT::emitSlow_op_nstricteq): Deleted.
+ (JSC::JIT::emitSlow_op_to_number): Deleted.
+ (JSC::JIT::emitSlow_op_to_string): Deleted.
+ (JSC::JIT::emitSlow_op_to_object): Deleted.
+ (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
+ (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emitSlow_op_to_primitive): Deleted.
+ (JSC::JIT::emitSlow_op_not): Deleted.
+ (JSC::JIT::emitSlow_op_stricteq): Deleted.
+ (JSC::JIT::emitSlow_op_nstricteq): Deleted.
+ (JSC::JIT::emitSlow_op_to_number): Deleted.
+ (JSC::JIT::emitSlow_op_to_string): Deleted.
+ (JSC::JIT::emitSlow_op_to_object): Deleted.
+ (JSC::JIT::emitSlow_op_create_this): Deleted.
+ (JSC::JIT::emitSlow_op_to_this): Deleted.
+ (JSC::JIT::emitSlow_op_check_tdz): Deleted.
+ (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_resolve_scope):
+ (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
+ * jit/SlowPathCall.h:
+ (JSC::JITSlowPathCall::JITSlowPathCall):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+
+2017-11-09 Guillaume Emont
+
+ [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
+ https://bugs.webkit.org/show_bug.cgi?id=179446
+
+ Reviewed by Žan Doberšek.
+
+ The trunc.w.d mips instruction should give a 0x7fffffff result when
+ the source value is Infinity, NaN, or rounds to an integer outside the
+ range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
+ branchTruncateDoubleToUInt32() have been relying on. It turns out that
+ this assumption is not true on some CPUs, including on the ci20 on
+ which we run the testbot (we get 0x80000000 instead). We should the
+ invalid operation cause bit instead to check whether the source value
+ could be properly truncated. This requires the addition of the cfc1
+ instruction, as well as the special registers that can be used with it
+ (control registers of CP1).
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::firstSPRegister):
+ (JSC::MIPSAssembler::lastSPRegister):
+ (JSC::MIPSAssembler::numberOfSPRegisters):
+ (JSC::MIPSAssembler::sprName):
+ Added control registers of CP1.
+ (JSC::MIPSAssembler::cfc1):
+ Added.
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
+ (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
+ (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
+ Use fcsr to check if the value could be properly truncated.
+
+2017-11-08 Jeremy Jones
+
+ HTMLMediaElement should not use element fullscreen on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=179418
+ rdar://problem/35409277
+
+ Reviewed by Eric Carlson.
+
+ Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-11-08 Joseph Pecoraro
+
+ Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
+ https://bugs.webkit.org/show_bug.cgi?id=179276
+
+ Reviewed by Andy Estes.
+
+ * inspector/InjectedScriptHost.h:
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ Call through to virtual implementation so that WebCore can provide custom
+ internal properties for Web / DOM objects.
+
+2017-11-08 Saam Barati
+
+ A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
+ https://bugs.webkit.org/show_bug.cgi?id=177792
+
+ Reviewed by Yusuke Suzuki.
+
+ Before this patch, if a JSFunction's rare data initialized its allocation profile
+ before its backing Executable's poly proto watchpoint was invalidated, that
+ JSFunction would continue to allocate non-poly proto objects until its allocation
+ profile was cleared (which essentially never happens in practice). This patch
+ improves on this pathology. A JSFunction's rare data will now watch the poly
+ proto watchpoint if it's still valid and clear its allocation profile when we
+ detect that we should go poly proto.
+
+ * bytecode/ObjectAllocationProfile.h:
+ * bytecode/ObjectAllocationProfileInlines.h:
+ (JSC::ObjectAllocationProfile::initializeProfile):
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::initializeObjectAllocationProfile):
+ (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
+ * runtime/FunctionRareData.h:
+ (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
+ (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
+ (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
+
+2017-11-08 Keith Miller
+
+ Add super sampler begin and end bytecodes.
+ https://bugs.webkit.org/show_bug.cgi?id=179376
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds a way to measure a narrow range of bytecodes for
+ performance. This is done using the same infrastructure as the
+ super sampler. I also added a class that helps do the bytecode
+ checking with RAII. One problem with the current way this is done
+ is that we don't handle decrementing early exits, either from
+ branches or exceptions. So, when using this API users need to
+ ensure that there are no early exits or that those exits don't
+ occur on the measure code.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitSuperSamplerBegin):
+ (JSC::BytecodeGenerator::emitSuperSamplerEnd):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/SuperSamplerBytecodeScope.h: Added.
+ (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
+ (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGClobbersExitState.cpp:
+ (JSC::DFG::clobbersExitState):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
+ (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_super_sampler_begin):
+ (JSC::JIT::emit_op_super_sampler_end):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+
+2017-11-08 Robin Morisset
+
+ Turn recursive tail calls into loops
+ https://bugs.webkit.org/show_bug.cgi?id=176601
+
+ Reviewed by Saam Barati.
+
+ Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
+
+ We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
+ One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
+ Worse: it is not necessarily the first block of the codeBlock, because of inlining!
So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
+ We do this part through modifying the computation of the jump targets.
+ Importantly, we only do this splitting for functions that have tail calls.
+ It is the only case where the optimisation is sound, and doing the splitting unconditionnaly destroys performance on Octane/raytrace.
+
+ We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
+ The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::hasTailCalls const):
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::getJumpTargetsForBytecodeOffset):
+ (JSC::computePreciseJumpTargetsInternal):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::hasTailCalls const):
+ (JSC::UnlinkedCodeBlock::setHasTailCalls):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEnter):
+ (JSC::BytecodeGenerator::emitCallInTailPosition):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
+ (JSC::DFG::ByteCodeParser::makeBlockTargetable):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+
+2017-11-08 Joseph Pecoraro
+
+ Web Inspector: Remove unused Page.ScriptIdentifier protocol type
+ https://bugs.webkit.org/show_bug.cgi?id=179407
+
+ Reviewed by Matt Baker.
+
+ * inspector/protocol/Page.json:
+ Remove unused protocol type.
+
+2017-11-08 Carlos Garcia Campos
+
+ Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
+ https://bugs.webkit.org/show_bug.cgi?id=173619
+
+ Reviewed by Alex Christensen and Brian Burg.
+
+ Eventually all classes used for our JSON-RPC message passing should be outside
+ of the Inspector namespace since the protocol is used outside of Inspector code.
+ This will also allow us to unify the primitive JSON types with parameteric types
+ like Inspector::Protocol::Array and other protocol-related types which don't
+ need to be in the Inspector namespace.
+
+ Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
+ patches, other clients will move to use JSON::Value and friends. When all uses are
+ changed, the actual implementation will be renamed. This patch just focuses on the typedef
+ and making changes in generated protocol code.
+
+ Original patch by Brian Burg, rebased and updated by me.
+
+ * inspector/InspectorValues.cpp:
+ * inspector/InspectorValues.h:
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.cpp_protocol_type_for_type):
+ (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
+ (CppGenerator.cpp_type_for_type_with_name):
+ (CppGenerator.cpp_type_for_stack_in_parameter):
+ * inspector/scripts/codegen/cpp_generator_templates.py:
+ (void):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ (_generate_class_for_object_declaration):
+ (_generate_forward_declarations_for_binding_traits):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
+ (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
+ * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/domain-availability.json-result:
+ * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
+ *
inspector/scripts/tests/generic/expected/enum-values.json-result:
+ * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
+ * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
+ * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
+ * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
+
+2017-11-07 Maciej Stachowiak
+
+ Get rid of unsightly hex numbers from unified build object files
+ https://bugs.webkit.org/show_bug.cgi?id=179410
+
+ Reviewed by Saam Barati.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
+
+2017-11-07 Saam Barati
+
+ Only cage double butterfly accesses
+ https://bugs.webkit.org/show_bug.cgi?id=179202
+
+ Reviewed by Mark Lam.
+
+ This patch removes caging from all butterfly accesses except double loads/stores.
+ This is a performance vs security tradeoff. Double loads/stores are the only butterfly
+ loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
+ by caging. The other load/stores we are no longer caging to get back performance on
+ various benchmarks.
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/InlineAccess.cpp: + (JSC::InlineAccess::dumpCacheSizesAndCrash): + (JSC::InlineAccess::generateSelfPropertyAccess): + (JSC::InlineAccess::generateSelfPropertyReplace): + (JSC::InlineAccess::generateArrayLength): + * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCreateRest): + (JSC::DFG::SpeculativeJIT::compileSpread): + (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitContiguousLoad): + (JSC::JIT::emitArrayStorageLoad): + (JSC::JIT::emitGenericContiguousPutByVal): + (JSC::JIT::emitArrayStoragePutByVal): + (JSC::JIT::emit_op_get_from_scope): + (JSC::JIT::emit_op_put_to_scope): + * llint/LowLevelInterpreter64.asm: + * runtime/AuxiliaryBarrier.h: + (JSC::AuxiliaryBarrier::operator-> const): + * runtime/Butterfly.h: + (JSC::Butterfly::caged): + (JSC::Butterfly::contiguousDouble): + * runtime/JSArray.cpp: + (JSC::JSArray::setLength): + (JSC::JSArray::pop): + (JSC::JSArray::shiftCountWithAnyIndexingType): + (JSC::JSArray::unshiftCountWithAnyIndexingType): + (JSC::JSArray::fillArgList): + (JSC::JSArray::copyToArguments): + * runtime/JSArrayInlines.h: + (JSC::JSArray::pushInline): + * runtime/JSObject.cpp: + (JSC::JSObject::heapSnapshot): + (JSC::JSObject::createInitialIndexedStorage): + (JSC::JSObject::createArrayStorage): + (JSC::JSObject::convertUndecidedToInt32): + (JSC::JSObject::ensureLengthSlow): + (JSC::JSObject::reallocateAndShrinkButterfly): + (JSC::JSObject::allocateMoreOutOfLineStorage): + * runtime/JSObject.h: + (JSC::JSObject::canGetIndexQuickly): + (JSC::JSObject::getIndexQuickly): + (JSC::JSObject::tryGetIndexQuickly const): + (JSC::JSObject::canSetIndexQuickly): + (JSC::JSObject::butterfly const): + 
(JSC::JSObject::butterfly): + +2017-11-07 Mark Lam + + Introduce a default RegisterSet constructor so that we can use { } notation. + https://bugs.webkit.org/show_bug.cgi?id=179389 + + Reviewed by Saam Barati. + + I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()" + does not add any code documentation value. + + * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: + * b3/air/AirCode.cpp: + (JSC::B3::Air::Code::setRegsInPriorityOrder): + * b3/air/AirPrintSpecial.cpp: + (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs): + (JSC::B3::Air::PrintSpecial::extraClobberedRegs): + * b3/air/testair.cpp: + * bytecode/PolymorphicAccess.h: + (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall): + (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall): + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite): + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite): + * jit/JITCode.cpp: + (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite): + * jit/RegisterSet.cpp: + (JSC::RegisterSet::reservedHardwareRegisters): + (JSC::RegisterSet::runtimeRegisters): + (JSC::RegisterSet::macroScratchRegisters): + * jit/RegisterSet.h: + (JSC::RegisterSet::RegisterSet): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::emitTierUpCheck): + +2017-11-07 Mark Lam + + AccessCase::generateImpl() should exclude the result register when restoring registers after a call. + https://bugs.webkit.org/show_bug.cgi?id=179355 + + + Reviewed by Saam Barati. + + In the Transition case in AccessCase::generateImpl(), we were restoring registers + using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR + where we previously stashed the reallocated butterfly. 
If the generated code is + under heavy register pressure, scratchGPR could have been from the set of preserved + registers, and hence, would be restored by restoreLiveRegistersFromStackForCall(). + As a result, the restoration would trash the butterfly result we stored there. + This patch fixes the issue by excluding the scratchGPR in the restoration. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + +2017-11-06 Robin Morisset + + CodeBlock::usesOpcode() is dead code + https://bugs.webkit.org/show_bug.cgi?id=179316 + + Reviewed by Yusuke Suzuki. + + Remove CodeBlock::usesOpcode which is dead code + + * bytecode/CodeBlock.cpp: + * bytecode/CodeBlock.h: + +2017-11-05 Yusuke Suzuki + + JIT call inline caches should cache calls to objects with getCallData/getConstructData traps + https://bugs.webkit.org/show_bug.cgi?id=144458 + + Reviewed by Saam Barati. + + Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that + InternalFunction calls are not cached and they always go to the slow path. This is not good because + + 1. We need to query getCallData/getConstructData every time in the slow path. + 2. CallLinkInfo tells nothing in the higher tier JITs. + + This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction + to hold pointers to the functions for call and construct. We have new stubs that can call/construct + InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism. + + This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo + for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the + case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG + nodes for these InternalFunctions since CallLinkInfo tells us nothing. + + Attached microbenchmarks show performance improvement. 
+ + baseline patched + + dfg-internal-function-construct 1.6439+-0.0826 ^ 1.2829+-0.0727 ^ definitely 1.2813x faster + dfg-internal-function-not-handled-construct 2.1862+-0.1361 2.0696+-0.1201 might be 1.0564x faster + dfg-internal-function-not-handled-call 20.7592+-0.9085 19.7369+-0.7921 might be 1.0518x faster + dfg-internal-function-call 1.6856+-0.0967 ^ 1.2771+-0.0744 ^ definitely 1.3198x faster + + [1]: https://bugs.webkit.org/show_bug.cgi?id=178064 + + * API/JSCallbackFunction.cpp: + (JSC::JSCallbackFunction::JSCallbackFunction): + (JSC::JSCallbackFunction::getCallData): Deleted. + * API/JSCallbackFunction.h: + (JSC::JSCallbackFunction::createStructure): + * API/ObjCCallbackFunction.h: + (JSC::ObjCCallbackFunction::createStructure): + * API/ObjCCallbackFunction.mm: + (JSC::ObjCCallbackFunction::ObjCCallbackFunction): + (JSC::ObjCCallbackFunction::getCallData): Deleted. + (JSC::ObjCCallbackFunction::getConstructData): Deleted. + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printCallOp): + * bytecode/BytecodeList.json: + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::setCallee): + (JSC::CallLinkInfo::callee): + (JSC::CallLinkInfo::setLastSeenCallee): + (JSC::CallLinkInfo::lastSeenCallee): + (JSC::CallLinkInfo::visitWeak): + * bytecode/CallLinkInfo.h: + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromCallLinkInfo): + * bytecode/LLIntCallLinkInfo.h: + * jit/JITOperations.cpp: + * jit/JITThunks.cpp: + (JSC::JITThunks::ctiInternalFunctionCall): + (JSC::JITThunks::ctiInternalFunctionConstruct): + * jit/JITThunks.h: + * jit/Repatch.cpp: + (JSC::linkFor): + (JSC::linkPolymorphicCall): + * jit/Repatch.h: + * jit/ThunkGenerators.cpp: + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + (JSC::nativeCallGenerator): + (JSC::nativeTailCallGenerator): + (JSC::nativeTailCallWithoutSavedTagsGenerator): + (JSC::nativeConstructGenerator): + (JSC::internalFunctionCallGenerator): + (JSC::internalFunctionConstructGenerator): + * 
jit/ThunkGenerators.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/ArrayConstructor.cpp: + (JSC::ArrayConstructor::ArrayConstructor): + (JSC::ArrayConstructor::getConstructData): Deleted. + (JSC::ArrayConstructor::getCallData): Deleted. + * runtime/ArrayConstructor.h: + (JSC::ArrayConstructor::createStructure): + * runtime/AsyncFunctionConstructor.cpp: + (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor): + (JSC::AsyncFunctionConstructor::finishCreation): + (JSC::AsyncFunctionConstructor::getCallData): Deleted. + (JSC::AsyncFunctionConstructor::getConstructData): Deleted. + * runtime/AsyncFunctionConstructor.h: + (JSC::AsyncFunctionConstructor::createStructure): + * runtime/AsyncGeneratorFunctionConstructor.cpp: + (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor): + (JSC::AsyncGeneratorFunctionConstructor::finishCreation): + (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted. + (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted. + * runtime/AsyncGeneratorFunctionConstructor.h: + (JSC::AsyncGeneratorFunctionConstructor::createStructure): + * runtime/BooleanConstructor.cpp: + (JSC::callBooleanConstructor): + (JSC::BooleanConstructor::BooleanConstructor): + (JSC::BooleanConstructor::finishCreation): + (JSC::BooleanConstructor::getConstructData): Deleted. + (JSC::BooleanConstructor::getCallData): Deleted. + * runtime/BooleanConstructor.h: + (JSC::BooleanConstructor::createStructure): + * runtime/DateConstructor.cpp: + (JSC::DateConstructor::DateConstructor): + (JSC::DateConstructor::getConstructData): Deleted. + (JSC::DateConstructor::getCallData): Deleted. 
+ * runtime/DateConstructor.h: + (JSC::DateConstructor::createStructure): + * runtime/Error.h: + (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): + (JSC::StrictModeTypeErrorFunction::createStructure): + (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted. + (JSC::StrictModeTypeErrorFunction::getCallData): Deleted. + * runtime/ErrorConstructor.cpp: + (JSC::ErrorConstructor::ErrorConstructor): + (JSC::ErrorConstructor::getConstructData): Deleted. + (JSC::ErrorConstructor::getCallData): Deleted. + * runtime/ErrorConstructor.h: + (JSC::ErrorConstructor::createStructure): + * runtime/FunctionConstructor.cpp: + (JSC::FunctionConstructor::FunctionConstructor): + (JSC::FunctionConstructor::finishCreation): + (JSC::FunctionConstructor::getConstructData): Deleted. + (JSC::FunctionConstructor::getCallData): Deleted. + * runtime/FunctionConstructor.h: + (JSC::FunctionConstructor::createStructure): + * runtime/FunctionPrototype.cpp: + (JSC::callFunctionPrototype): + (JSC::FunctionPrototype::FunctionPrototype): + (JSC::FunctionPrototype::getCallData): Deleted. + * runtime/FunctionPrototype.h: + (JSC::FunctionPrototype::createStructure): + * runtime/GeneratorFunctionConstructor.cpp: + (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor): + (JSC::GeneratorFunctionConstructor::finishCreation): + (JSC::GeneratorFunctionConstructor::getCallData): Deleted. + (JSC::GeneratorFunctionConstructor::getConstructData): Deleted. 
+ * runtime/GeneratorFunctionConstructor.h: + (JSC::GeneratorFunctionConstructor::createStructure): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::InternalFunction): + (JSC::InternalFunction::finishCreation): + (JSC::InternalFunction::getCallData): + (JSC::InternalFunction::getConstructData): + * runtime/InternalFunction.h: + (JSC::InternalFunction::createStructure): + (JSC::InternalFunction::nativeFunctionFor): + (JSC::InternalFunction::offsetOfNativeFunctionFor): + * runtime/IntlCollatorConstructor.cpp: + (JSC::IntlCollatorConstructor::createStructure): + (JSC::IntlCollatorConstructor::IntlCollatorConstructor): + (JSC::IntlCollatorConstructor::getConstructData): Deleted. + (JSC::IntlCollatorConstructor::getCallData): Deleted. + * runtime/IntlCollatorConstructor.h: + * runtime/IntlDateTimeFormatConstructor.cpp: + (JSC::IntlDateTimeFormatConstructor::createStructure): + (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor): + (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted. + (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted. + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlNumberFormatConstructor.cpp: + (JSC::IntlNumberFormatConstructor::createStructure): + (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor): + (JSC::IntlNumberFormatConstructor::getConstructData): Deleted. + (JSC::IntlNumberFormatConstructor::getCallData): Deleted. + * runtime/IntlNumberFormatConstructor.h: + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor): + (JSC::JSArrayBufferConstructor::createStructure): + (JSC::JSArrayBufferConstructor::getConstructData): Deleted. + (JSC::JSArrayBufferConstructor::getCallData): Deleted. 
+ * runtime/JSArrayBufferConstructor.h: + * runtime/JSGenericTypedArrayViewConstructor.h: + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::JSGenericTypedArrayViewConstructor::JSGenericTypedArrayViewConstructor): + (JSC::JSGenericTypedArrayViewConstructor::createStructure): + (JSC::JSGenericTypedArrayViewConstructor::getConstructData): Deleted. + (JSC::JSGenericTypedArrayViewConstructor::getCallData): Deleted. + * runtime/JSInternalPromiseConstructor.cpp: + (JSC::JSInternalPromiseConstructor::createStructure): + (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor): + (JSC::JSInternalPromiseConstructor::getConstructData): Deleted. + (JSC::JSInternalPromiseConstructor::getCallData): Deleted. + * runtime/JSInternalPromiseConstructor.h: + * runtime/JSPromiseConstructor.cpp: + (JSC::JSPromiseConstructor::createStructure): + (JSC::JSPromiseConstructor::JSPromiseConstructor): + (JSC::JSPromiseConstructor::getConstructData): Deleted. + (JSC::JSPromiseConstructor::getCallData): Deleted. + * runtime/JSPromiseConstructor.h: + * runtime/JSType.h: + * runtime/JSTypedArrayViewConstructor.cpp: + (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor): + (JSC::JSTypedArrayViewConstructor::createStructure): + (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted. + (JSC::JSTypedArrayViewConstructor::getCallData): Deleted. + * runtime/JSTypedArrayViewConstructor.h: + * runtime/MapConstructor.cpp: + (JSC::MapConstructor::MapConstructor): + (JSC::MapConstructor::getConstructData): Deleted. + (JSC::MapConstructor::getCallData): Deleted. + * runtime/MapConstructor.h: + (JSC::MapConstructor::createStructure): + (JSC::MapConstructor::MapConstructor): Deleted. + * runtime/NativeErrorConstructor.cpp: + (JSC::NativeErrorConstructor::NativeErrorConstructor): + (JSC::NativeErrorConstructor::getConstructData): Deleted. + (JSC::NativeErrorConstructor::getCallData): Deleted. 
+ * runtime/NativeErrorConstructor.h: + (JSC::NativeErrorConstructor::createStructure): + * runtime/NullGetterFunction.cpp: + (JSC::NullGetterFunction::NullGetterFunction): + (JSC::NullGetterFunction::getCallData): Deleted. + (JSC::NullGetterFunction::getConstructData): Deleted. + * runtime/NullGetterFunction.h: + (JSC::NullGetterFunction::createStructure): + (JSC::NullGetterFunction::NullGetterFunction): Deleted. + * runtime/NullSetterFunction.cpp: + (JSC::NullSetterFunction::NullSetterFunction): + (JSC::NullSetterFunction::getCallData): Deleted. + (JSC::NullSetterFunction::getConstructData): Deleted. + * runtime/NullSetterFunction.h: + (JSC::NullSetterFunction::createStructure): + (JSC::NullSetterFunction::NullSetterFunction): Deleted. + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::NumberConstructor): + (JSC::constructNumberConstructor): + (JSC::constructWithNumberConstructor): Deleted. + (JSC::NumberConstructor::getConstructData): Deleted. + (JSC::NumberConstructor::getCallData): Deleted. + * runtime/NumberConstructor.h: + (JSC::NumberConstructor::createStructure): + * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::ObjectConstructor): + (JSC::ObjectConstructor::getConstructData): Deleted. + (JSC::ObjectConstructor::getCallData): Deleted. + * runtime/ObjectConstructor.h: + (JSC::ObjectConstructor::createStructure): + * runtime/ProxyConstructor.cpp: + (JSC::ProxyConstructor::ProxyConstructor): + (JSC::ProxyConstructor::getConstructData): Deleted. + (JSC::ProxyConstructor::getCallData): Deleted. + * runtime/ProxyConstructor.h: + (JSC::ProxyConstructor::createStructure): + * runtime/ProxyRevoke.cpp: + (JSC::ProxyRevoke::ProxyRevoke): + (JSC::ProxyRevoke::getCallData): Deleted. + * runtime/ProxyRevoke.h: + (JSC::ProxyRevoke::createStructure): + * runtime/RegExpConstructor.cpp: + (JSC::RegExpConstructor::RegExpConstructor): + (JSC::RegExpConstructor::getConstructData): Deleted. + (JSC::RegExpConstructor::getCallData): Deleted. 
+ * runtime/RegExpConstructor.h: + (JSC::RegExpConstructor::createStructure): + * runtime/SetConstructor.cpp: + (JSC::SetConstructor::SetConstructor): + (JSC::SetConstructor::getConstructData): Deleted. + (JSC::SetConstructor::getCallData): Deleted. + * runtime/SetConstructor.h: + (JSC::SetConstructor::createStructure): + (JSC::SetConstructor::SetConstructor): Deleted. + * runtime/StringConstructor.cpp: + (JSC::StringConstructor::StringConstructor): + (JSC::StringConstructor::getConstructData): Deleted. + (JSC::StringConstructor::getCallData): Deleted. + * runtime/StringConstructor.h: + (JSC::StringConstructor::createStructure): + * runtime/SymbolConstructor.cpp: + (JSC::SymbolConstructor::SymbolConstructor): + (JSC::SymbolConstructor::getConstructData): Deleted. + (JSC::SymbolConstructor::getCallData): Deleted. + * runtime/SymbolConstructor.h: + (JSC::SymbolConstructor::createStructure): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::getCTIInternalFunctionTrampolineFor): + * runtime/VM.h: + * runtime/WeakMapConstructor.cpp: + (JSC::WeakMapConstructor::WeakMapConstructor): + (JSC::WeakMapConstructor::getConstructData): Deleted. + (JSC::WeakMapConstructor::getCallData): Deleted. + * runtime/WeakMapConstructor.h: + (JSC::WeakMapConstructor::createStructure): + (JSC::WeakMapConstructor::WeakMapConstructor): Deleted. + * runtime/WeakSetConstructor.cpp: + (JSC::WeakSetConstructor::WeakSetConstructor): + (JSC::WeakSetConstructor::getConstructData): Deleted. + (JSC::WeakSetConstructor::getCallData): Deleted. + * runtime/WeakSetConstructor.h: + (JSC::WeakSetConstructor::createStructure): + (JSC::WeakSetConstructor::WeakSetConstructor): Deleted. + * wasm/js/WebAssemblyCompileErrorConstructor.cpp: + (JSC::WebAssemblyCompileErrorConstructor::createStructure): + (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor): + (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted. 
+ (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted. + * wasm/js/WebAssemblyCompileErrorConstructor.h: + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::WebAssemblyInstanceConstructor::createStructure): + (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor): + (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted. + (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted. + * wasm/js/WebAssemblyInstanceConstructor.h: + * wasm/js/WebAssemblyLinkErrorConstructor.cpp: + (JSC::WebAssemblyLinkErrorConstructor::createStructure): + (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor): + (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted. + (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted. + * wasm/js/WebAssemblyLinkErrorConstructor.h: + * wasm/js/WebAssemblyMemoryConstructor.cpp: + (JSC::WebAssemblyMemoryConstructor::createStructure): + (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor): + (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted. + (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted. + * wasm/js/WebAssemblyMemoryConstructor.h: + * wasm/js/WebAssemblyModuleConstructor.cpp: + (JSC::WebAssemblyModuleConstructor::createStructure): + (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor): + (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted. + (JSC::WebAssemblyModuleConstructor::getCallData): Deleted. + * wasm/js/WebAssemblyModuleConstructor.h: + * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: + (JSC::WebAssemblyRuntimeErrorConstructor::createStructure): + (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor): + (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted. + (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted. 
+ * wasm/js/WebAssemblyRuntimeErrorConstructor.h: + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::WebAssemblyTableConstructor::createStructure): + (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor): + (JSC::WebAssemblyTableConstructor::getConstructData): Deleted. + (JSC::WebAssemblyTableConstructor::getCallData): Deleted. + * wasm/js/WebAssemblyTableConstructor.h: + +2017-11-03 Michael Saboff + + The Abstract Interpreter needs to change similar to clobberize() in r224366 + https://bugs.webkit.org/show_bug.cgi?id=179267 + + Reviewed by Saam Barati. + + Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator + cases in the abstract interpreter to match what was done for r224366. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2017-11-03 Keith Miller + + PutProperytSlot should inform the IC about the property before effects. + https://bugs.webkit.org/show_bug.cgi?id=179262 + + Reviewed by Mark Lam. + + This patch fixes an issue where we choose to cache setters based on + incorrect information. If we did so we might end up OSR exiting + more than we would otherwise need to. The new model is that the + PutPropertySlot should inform the IC of what the property looked + like before any potential side effects might have occurred. + + * runtime/JSObject.cpp: + (JSC::JSObject::putInlineSlow): + * runtime/Lookup.h: + (JSC::putEntry): + +2017-11-03 Mark Lam + + CachedCall (and its clients) needs overflow checks. + https://bugs.webkit.org/show_bug.cgi?id=179185 + + Reviewed by JF Bastien. 
+ + * interpreter/CachedCall.h: + (JSC::CachedCall::CachedCall): + (JSC::CachedCall::hasOverflowedArguments): + * runtime/ArgList.h: + (JSC::MarkedArgumentBuffer::clear): + * runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + +2017-11-03 Devin Rousso + + Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log + https://bugs.webkit.org/show_bug.cgi?id=178302 + + + Reviewed by Brian Burg. + + * inspector/protocol/Recording.json: + Add `duration` to each Frame that represents the total time of all the recorded actions. + +2017-11-02 Devin Rousso + + Web Inspector: Canvas Tab: show supported GL extensions for selected canvas + https://bugs.webkit.org/show_bug.cgi?id=179070 + + + Reviewed by Brian Burg. + + * inspector/protocol/Canvas.json: + Add `extensionEnabled` event that is fired each time `getExtension` is called with a + different string on a WebGL context. + +2017-11-02 Joseph Pecoraro + + Make ServiceWorker a Remote Inspector debuggable target + https://bugs.webkit.org/show_bug.cgi?id=179043 + + + Reviewed by Brian Burg. + + * inspector/remote/RemoteControllableTarget.h: + * inspector/remote/RemoteInspectionTarget.h: + * inspector/remote/RemoteInspectorConstants.h: + Include a new ServiceWorker remote inspector target type. + + * inspector/remote/cocoa/RemoteInspectorCocoa.mm: + (Inspector::RemoteInspector::listingForInspectionTarget const): + Implement listing for a ServiceWorker to include a URL like a page. + + * inspector/remote/glib/RemoteInspectorGlib.cpp: + (Inspector::RemoteInspector::listingForInspectionTarget const): + Bail for ServiceWorker support in glib. They will need to implement their support. + +2017-11-02 Michael Saboff + + DFG needs to handle code motion of code in for..in loop bodies + https://bugs.webkit.org/show_bug.cgi?id=179212 + + Reviewed by Keith Miller. 
+ + The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator + make calls with side effects. Updated clobberize() for those nodes to take that into account. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2017-11-02 Joseph Pecoraro + + Inspector should display service worker served responses properly + https://bugs.webkit.org/show_bug.cgi?id=178597 + + + Reviewed by Brian Burg. + + * inspector/protocol/Network.json: + Expose a new "service-worker" response source. + +2017-11-02 Filip Pizlo + + AI does not correctly model the clobber case of ArithClz32 + https://bugs.webkit.org/show_bug.cgi?id=179188 + + Reviewed by Michael Saboff. + + The non-Int32 case clobbers the world because it may call valueOf. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2017-11-02 Yusuke Suzuki + + Unreviewed, release throw scope + https://bugs.webkit.org/show_bug.cgi?id=178726 + + * dfg/DFGOperations.cpp: + +2017-11-02 Frederic Wang + + Add references to bug 179167 in FIXME comments + https://bugs.webkit.org/show_bug.cgi?id=179168 + + Reviewed by Daniel Bates. + + * Configurations/FeatureDefines.xcconfig: + +2017-11-01 Jeremy Jones + + Implement WKFullscreenWindowController for iOS. + https://bugs.webkit.org/show_bug.cgi?id=178924 + rdar://problem/34697120 + + Reviewed by Simon Fraser. + + Enable ENABLE_FULLSCREEN_API for iOS. + + * Configurations/FeatureDefines.xcconfig: + +2017-11-01 Mark Lam + + Add support to throw OOM if MarkedArgumentBuffer may overflow. + https://bugs.webkit.org/show_bug.cgi?id=179092 + + + Reviewed by Saam Barati. + + The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long + time, which renders it unsuitable for automated tests. Instead, I've run a + test manually to verify that an OutOfMemoryError will be thrown when an overflow + occurs. 
+ + The MarkedArgumentBuffer's destructor will now assert that the client has indeed + checked for an overflow after invoking methods that may result in an overflow i.e. + the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called. + This is only done on debug builds. + + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeRegExp): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * dfg/DFGOperations.cpp: + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::createInjectedScript): + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::scopeChain const): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeProgram): + * jsc.cpp: + (functionDollarAgentReceiveBroadcast): + * runtime/ArgList.cpp: + (JSC::MarkedArgumentBuffer::slowEnsureCapacity): + (JSC::MarkedArgumentBuffer::expandCapacity): + (JSC::MarkedArgumentBuffer::slowAppend): + * runtime/ArgList.h: + (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer): + (JSC::MarkedArgumentBuffer::appendWithAction): + (JSC::MarkedArgumentBuffer::append): + (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow): + (JSC::MarkedArgumentBuffer::hasOverflowed): + (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck): + (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck): + * runtime/ArrayPrototype.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/GetterSetter.cpp: + (JSC::callSetter): + * runtime/IteratorOperations.cpp: + (JSC::iteratorNext): + (JSC::iteratorClose): + * runtime/JSBoundFunction.cpp: + (JSC::boundThisNoArgsFunctionCall): + (JSC::boundFunctionCall): + (JSC::boundThisNoArgsFunctionConstruct): + (JSC::boundFunctionConstruct): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayViewFromIterator): + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + (JSC::genericTypedArrayViewProtoFuncSlice): + 
(JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::haveABadTime): + * runtime/JSInternalPromise.cpp: + (JSC::JSInternalPromise::then): + * runtime/JSJob.cpp: + (JSC::JSJobMicrotask::run): + * runtime/JSMapIterator.cpp: + (JSC::JSMapIterator::createPair): + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::provideFetch): + (JSC::JSModuleLoader::loadAndEvaluateModule): + (JSC::JSModuleLoader::loadModule): + (JSC::JSModuleLoader::linkAndEvaluateModule): + (JSC::JSModuleLoader::requestImportModule): + * runtime/JSONObject.cpp: + (JSC::Stringifier::toJSONImpl): + (JSC::Stringifier::appendStringifiedValue): + (JSC::Walker::callReviver): + * runtime/JSObject.cpp: + (JSC::ordinarySetSlow): + (JSC::callToPrimitiveFunction): + (JSC::JSObject::hasInstance): + * runtime/JSPromise.cpp: + (JSC::JSPromise::initialize): + (JSC::JSPromise::resolve): + * runtime/JSPromiseDeferred.cpp: + (JSC::newPromiseCapability): + (JSC::callFunction): + * runtime/JSSetIterator.cpp: + (JSC::JSSetIterator::createPair): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::parse): + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/ObjectConstructor.cpp: + (JSC::defineProperties): + * runtime/ProxyObject.cpp: + (JSC::performProxyGet): + (JSC::ProxyObject::performInternalMethodGetOwnProperty): + (JSC::ProxyObject::performHasProperty): + (JSC::ProxyObject::performPut): + (JSC::performProxyCall): + (JSC::performProxyConstruct): + (JSC::ProxyObject::performDelete): + (JSC::ProxyObject::performPreventExtensions): + (JSC::ProxyObject::performIsExtensible): + (JSC::ProxyObject::performDefineOwnProperty): + (JSC::ProxyObject::performGetOwnPropertyNames): + (JSC::ProxyObject::performSetPrototype): + (JSC::ProxyObject::performGetPrototype): + * runtime/ReflectObject.cpp: + (JSC::reflectObjectConstruct): + * runtime/SetConstructor.cpp: + (JSC::constructSet): + * runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + 
(JSC::replaceUsingStringSearch): + * runtime/WeakMapConstructor.cpp: + (JSC::constructWeakMap): + * runtime/WeakSetConstructor.cpp: + (JSC::constructWeakSet): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + +2017-11-01 Michael Saboff + + Integer overflow in code generated by LoadVarargs processing in DFG and FTL. + https://bugs.webkit.org/show_bug.cgi?id=179140 + + Reviewed by Saam Barati. + + Added overflow checks to computation of arg count plus this. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs): + +2017-11-01 Yusuke Suzuki + + Unreviewed, use weakPointer instead of FTLOutput::weakPointer + https://bugs.webkit.org/show_bug.cgi?id=178934 + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): + +2017-11-01 Yusuke Suzuki + + [JSC] Introduce @toObject + https://bugs.webkit.org/show_bug.cgi?id=178726 + + Reviewed by Saam Barati. + + This patch introduces @toObject intrinsic. And we introduce op_to_object bytecode and DFG ToObject node. + Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject + is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls + ObjectConstructor in LLInt and Baseline. + + We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to + offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation + + if (this === @undefined || this === null) + @throwTypeError("error message"); + var object = @Object(this); + + with + + var object = @toObject(this, "error message"); + + And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined, + ToObject needs to throw an error for null/undefined. 
So it is marked as MustGenerate and it clobbers the world. + In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect. + + It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one. + + * builtins/ArrayConstructor.js: + (from): + * builtins/ArrayPrototype.js: + (values): + (keys): + (entries): + (reduce): + (reduceRight): + (every): + (forEach): + (filter): + (map): + (some): + (fill): + (find): + (findIndex): + (includes): + (sort): + (globalPrivate.concatSlowPath): + (copyWithin): + * builtins/DatePrototype.js: + (toLocaleString.toDateTimeOptionsAnyAll): + (toLocaleString): + (toLocaleDateString.toDateTimeOptionsDateDate): + (toLocaleDateString): + (toLocaleTimeString.toDateTimeOptionsTimeTime): + (toLocaleTimeString): + * builtins/GlobalOperations.js: + (globalPrivate.copyDataProperties): + (globalPrivate.copyDataPropertiesNoExclusions): + * builtins/ObjectConstructor.js: + (entries): + * builtins/StringConstructor.js: + (raw): + * builtins/TypedArrayConstructor.js: + (from): + * builtins/TypedArrayPrototype.js: + (map): + (filter): + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitToObject): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * 
dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupToObject): + (JSC::DFG::FixupPhase::fixupCallObjectConstructor): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToCallObjectConstructor): + (JSC::DFG::Node::convertToNewStringObject): + (JSC::DFG::Node::convertToNewObject): + (JSC::DFG::Node::hasIdentifier): + (JSC::DFG::Node::hasHeapPrediction): + (JSC::DFG::Node::hasCellOperand): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor): + (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted. + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor): + (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted. 
+ * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_to_object): + (JSC::JIT::emitSlow_op_to_object): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_to_object): + (JSC::JIT::emitSlow_op_to_object): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + +2017-11-01 Fujii Hironori + + Use LazyNeverDestroyed instead of DEFINE_GLOBAL + https://bugs.webkit.org/show_bug.cgi?id=174979 + + Reviewed by Yusuke Suzuki. + + * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC. + +2017-10-27 Yusuke Suzuki + + [DFG][FTL] Introduce StringSlice + https://bugs.webkit.org/show_bug.cgi?id=178934 + + Reviewed by Saam Barati. + + String.prototype.slice is one of the most frequently called function in ARES-6/Babylon. + This patch introduces StringSlice DFG node to optimize it in DFG and FTL. + + This patch's StringSlice node optimizes the following things. + + 1. Empty string generation is accelerated. It is fully executed inline. + 2. One char string generation is accelerated. `< 0x100` character is supported right now. + It is the same to charAt acceleration. + 3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized + operation. + + We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL. + And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change + in subsequent changes. + + This patch improves ARES-6/Babylon performance by 3% in steady state. + + Baseline: + Running... Babylon ( 1 to go) + firstIteration: 50.05 +- 13.68 ms + averageWorstCase: 16.80 +- 1.27 ms + steadyState: 7.53 +- 0.22 ms + + Patched: + Running... 
Babylon ( 1 to go) + firstIteration: 50.91 +- 13.41 ms + averageWorstCase: 16.12 +- 0.99 ms + steadyState: 7.30 +- 0.29 ms + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStringSlice): + (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex): + (JSC::DFG::SpeculativeJIT::compileArraySlice): + (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange): + (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): + (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice): + * jit/JITOperations.h: + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + +2017-10-31 JF Bastien + + WebAssembly: Wasm::IndexOrName has a raw pointer to Name + https://bugs.webkit.org/show_bug.cgi?id=176644 + + Reviewed by Michael Saboff. + + IndexOrName now keeps a RefPtr to its original NameSection, which + holds the Name (or references nullptr if Index). 
Holding onto the + entire section seems like the better thing to do, since backtraces + probably contain multiple names from the same Module. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * interpreter/Interpreter.cpp: + (JSC::GetStackTraceFunctor::operator() const): + * interpreter/StackVisitor.h: Frame is no longer POD because of the + RefPtr. + * runtime/StackFrame.cpp: + (JSC::StackFrame::StackFrame): + * runtime/StackFrame.h: Drop the union, size is now 40 bytes. + (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead. + (JSC::StackFrame::wasm): Deleted. Make it a ctor instead. + * wasm/WasmBBQPlanInlines.h: + (JSC::Wasm::BBQPlan::initializeCallees): + * wasm/WasmCallee.cpp: + (JSC::Wasm::Callee::Callee): + * wasm/WasmCallee.h: + (JSC::Wasm::Callee::create): + * wasm/WasmFormat.h: Move NameSection to its own header. + (JSC::Wasm::isValidNameType): + (JSC::Wasm::NameSection::get): Deleted. + * wasm/WasmIndexOrName.cpp: + (JSC::Wasm::IndexOrName::IndexOrName): + (JSC::Wasm::makeString): + * wasm/WasmIndexOrName.h: + (JSC::Wasm::IndexOrName::IndexOrName): + (JSC::Wasm::IndexOrName::isEmpty const): + (JSC::Wasm::IndexOrName::isIndex const): + * wasm/WasmModuleInformation.cpp: + (JSC::Wasm::ModuleInformation::ModuleInformation): + * wasm/WasmModuleInformation.h: + (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted. + * wasm/WasmNameSection.h: + (JSC::Wasm::NameSection::get): + (JSC::Wasm::NameSection::create): Deleted. + * wasm/WasmNameSectionParser.cpp: + (JSC::Wasm::NameSectionParser::parse): + * wasm/WasmNameSectionParser.h: + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + +2017-10-31 Tim Horton + + Clean up some drag and drop feature flags + https://bugs.webkit.org/show_bug.cgi?id=179082 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: + +2017-10-31 Commit Queue + + Unreviewed, rolling out r224243, r224246, and r224248. 
+ https://bugs.webkit.org/show_bug.cgi?id=179083 + + The patch and fix broke the Windows build. (Requested by + mlewis13 on #webkit). + + Reverted changesets: + + "StructureStubInfo should have GPRReg members not int8_ts" + https://bugs.webkit.org/show_bug.cgi?id=179071 + https://trac.webkit.org/changeset/224243 + + "Make all register enums be backed by uint8_t." + https://bugs.webkit.org/show_bug.cgi?id=179074 + https://trac.webkit.org/changeset/224246 + + "Unreviewed, windows build fix." + https://trac.webkit.org/changeset/224248 + +2017-10-31 Tim Horton + + Fix up some content filtering feature flags + https://bugs.webkit.org/show_bug.cgi?id=179079 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: + +2017-10-31 Keith Miller + + Unreviewed, windows build fix. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::numberOfRegisters): + (JSC::X86Assembler::numberOfSPRegisters): + (JSC::X86Assembler::numberOfFPRegisters): + +2017-10-31 Keith Miller + + Make all register enums be backed by uint8_t. + https://bugs.webkit.org/show_bug.cgi?id=179074 + + Reviewed by Mark Lam. + + * assembler/ARM64Assembler.h: + * assembler/ARMAssembler.h: + * assembler/ARMv7Assembler.h: + * assembler/MIPSAssembler.h: + * assembler/MacroAssembler.h: + * assembler/X86Assembler.h: + +2017-10-31 Keith Miller + + StructureStubInfo should have GPRReg members not int8_ts + https://bugs.webkit.org/show_bug.cgi?id=179071 + + Reviewed by Michael Saboff. + + This patch makes the various RegisterID enums be backed by + uint8_t. This means that we can remove the old int8_t members in + StructureStubInfo and replace them with the correct enum types. + + Also, this fixes an indentation issue in ARMv7Assembler.h. 
+ + * assembler/ARM64Assembler.h: + * assembler/ARMAssembler.h: + * assembler/ARMv7Assembler.h: + (JSC::ARMRegisters::asSingle): + (JSC::ARMRegisters::asDouble): + * assembler/MIPSAssembler.h: + * assembler/X86Assembler.h: + * bytecode/InlineAccess.cpp: + (JSC::InlineAccess::generateSelfPropertyAccess): + (JSC::getScratchRegister): + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::valueRegs const): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileIn): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITByIdGenerator::JITByIdGenerator): + (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator): + +2017-10-31 Devin Rousso + + Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces + https://bugs.webkit.org/show_bug.cgi?id=179048 + + Reviewed by Mark Lam. + + * inspector/ScriptCallStackFactory.h: + * inspector/ScriptCallStackFactory.cpp: + (createScriptCallStack): + (createScriptCallStackForConsole): + (createScriptCallStackFromException): + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + +2017-10-31 Carlos Garcia Campos + + Unreviewed. Fix GTK+ make distcheck. + + Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run. 
+ + * CMakeLists.txt: + +2017-10-30 Saam Barati + + We need a storeStoreFence before storing to the instruction stream's live variable catch data + https://bugs.webkit.org/show_bug.cgi?id=178649 + + Reviewed by Keith Miller. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow): + +2017-10-30 Michael Catanzaro + + [WPE] Fix build warnings + https://bugs.webkit.org/show_bug.cgi?id=178899 + + Reviewed by Carlos Alberto Lopez Perez. + + * PlatformWPE.cmake: + +2017-10-30 Zan Dobersek + + [ARMv7] Fix initial start register support in YarrJIT + https://bugs.webkit.org/show_bug.cgi?id=178641 + + Reviewed by Saam Barati. + + * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the + YarrGenerator class. r6 should be avoided since it's already used inside + MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it + can be used as the frame pointer register when targetting ARM Thumb2. + +2017-10-30 Zan Dobersek + + [ARM64][Linux] Re-enable Gigacage + https://bugs.webkit.org/show_bug.cgi?id=178130 + + Reviewed by Michael Catanzaro. + + Guard the current globaladdr opcode implementation for ARM64 with + OS(DARWIN) as it's only usable for Mach-O. + + For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers + have to be used. The .loh directive can't be used as it's not supported + in GCC or the ld linker. + + On every other OS target, a compilation error is thrown. + + * offlineasm/arm64.rb: + +2017-10-27 Devin Rousso + + Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created + https://bugs.webkit.org/show_bug.cgi?id=178799 + + + Reviewed by Brian Burg. + + * inspector/protocol/Canvas.json: + Add optional `backtrace` to Canvas type that is an array of Console.CallFrame. + +2017-10-27 Yusuke Suzuki + + [JSC] Tweak ES6 generator function to allow inlining + https://bugs.webkit.org/show_bug.cgi?id=178935 + + Reviewed by Saam Barati. 
+ + We optimize builtins' generator helper functions to allow them inlined in the caller side. + This patch adjust the layer between @generatorResume, next(), throw(), and return() to allow + them inlined in DFG. + + baseline patched + + spread-generator.es6 301.2637+-11.1011 ^ 260.5905+-14.2258 ^ definitely 1.1561x faster + generator.es6 269.6030+-13.2435 ^ 148.8840+-6.7614 ^ definitely 1.8108x faster + + * builtins/GeneratorPrototype.js: + (globalPrivate.generatorResume): + (next): + (return): + (throw): + +2017-10-27 Saam Barati + + Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks + https://bugs.webkit.org/show_bug.cgi?id=178949 + + Reviewed by Keith Miller. + + This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock + so that we don't need to recompute liveness for the same UnlinkedCodeBlock + more than once. To do this, this patch solidifies the invariant that CodeBlock + linking can't do anything that would change the result of liveness. For example, + it can't introduce new locals. This invariant was met my JSC before, because we + didn't do anything in bytecode linking that would change liveness. However, it is + now a correctness requirement that we don't do anything that would change the + result of running liveness. To support this change, I've refactored BytecodeGraph + to not be tied to a CodeBlockType*. Things that perform liveness will pass in + CodeBlockType* and the instruction stream as needed. This means that we may + compute liveness with one CodeBlock*'s instruction stream, and then perform + queries on that analysis with a different CodeBlock*'s instruction stream. + + This seems to be a 2% JSBench progression. 
+ + * bytecode/BytecodeGeneratorification.cpp: + (JSC::BytecodeGeneratorification::BytecodeGeneratorification): + (JSC::BytecodeGeneratorification::graph): + (JSC::BytecodeGeneratorification::storageForGeneratorLocal): + (JSC::GeneratorLivenessAnalysis::run): + (JSC::BytecodeGeneratorification::run): + * bytecode/BytecodeGraph.h: + (JSC::BytecodeGraph::BytecodeGraph): + (JSC::BytecodeGraph::codeBlock const): Deleted. + (JSC::BytecodeGraph::instructions): Deleted. + (JSC::BytecodeGraph::BytecodeGraph): Deleted. + * bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis): + (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): + (JSC::BytecodeLivenessAnalysis::computeFullLiveness): + (JSC::BytecodeLivenessAnalysis::computeKills): + (JSC::BytecodeLivenessAnalysis::dumpResults): + (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted. + (JSC::BytecodeLivenessAnalysis::compute): Deleted. + * bytecode/BytecodeLivenessAnalysis.h: + * bytecode/BytecodeLivenessAnalysisInlines.h: + (JSC::BytecodeLivenessPropagation::stepOverInstruction): + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset): + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock): + (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset): + (JSC::BytecodeLivenessPropagation::runLivenessFixpoint): + * bytecode/BytecodeRewriter.cpp: + (JSC::BytecodeRewriter::applyModification): + (JSC::BytecodeRewriter::execute): + (JSC::BytecodeRewriter::adjustJumpTargetsInFragment): + * bytecode/BytecodeRewriter.h: + (JSC::BytecodeRewriter::BytecodeRewriter): + (JSC::BytecodeRewriter::removeBytecode): + (JSC::BytecodeRewriter::graph): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow): + (JSC::CodeBlock::validate): + (JSC::CodeBlock::livenessAnalysisSlow): Deleted. 
+ * bytecode/CodeBlock.h: + (JSC::CodeBlock::livenessAnalysis): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::applyModification): + (JSC::UnlinkedCodeBlock::livenessAnalysisSlow): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::livenessAnalysis): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::livenessFor): + (JSC::DFG::Graph::killsFor): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + +2017-10-27 Keith Miller + + Add unified source list files and build scripts to Xcode project navigator + https://bugs.webkit.org/show_bug.cgi?id=178959 + + Reviewed by Andy Estes. + + Also, Add some extra source files for so new .cpp/.mm files don't cause the build + to fail right away. We already do this in WebCore. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * PlatformMac.cmake: + * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt. + +2017-10-27 JF Bastien + + WebAssembly: update arbitrary limits to what browsers use + https://bugs.webkit.org/show_bug.cgi?id=178946 + + + + Reviewed by Saam Barati. + + https://github.com/WebAssembly/design/issues/1138 discusses the + arbitrary function size limit, which it turns out Chrome and + Firefox didn't enforce. We didn't use it because it was + ridiculously low and actual programs ran into that limit (bummer + for Edge which just shipped it...). Now that we agree on a high + arbitrary program limit, let's update it! While I'm doing this + there are a few other spots that I polished to use Checked or + better check limits overall. 
+ + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addLocal): + * wasm/WasmFormat.cpp: + (JSC::Wasm::Segment::create): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parse): + * wasm/WasmInstance.cpp: + * wasm/WasmLimits.h: + * wasm/WasmModuleParser.cpp: + (JSC::Wasm::ModuleParser::parseGlobal): + (JSC::Wasm::ModuleParser::parseCode): + (JSC::Wasm::ModuleParser::parseData): + * wasm/WasmSignature.h: + (JSC::Wasm::Signature::allocatedSize): + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::Table): + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::JSWebAssemblyTable): + (JSC::JSWebAssemblyTable::grow): + +2017-10-26 Michael Saboff + + REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum + https://bugs.webkit.org/show_bug.cgi?id=178890 + + Reviewed by Keith Miller. + + We need to let a contained subpattern backtrack before declaring that the containing + parenthesis doesn't match. If the subpattern fails to match backtracking, then we + can check to see if we trying to backtrack below the minimum match count. + + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::backtrackParentheses): + +2017-10-26 Mark Lam + + JSRopeString::RopeBuilder::append() should check for overflows. + https://bugs.webkit.org/show_bug.cgi?id=178385 + + + Reviewed by Saam Barati. + + 1. Made RopeString check for overflow like the Checked class does. + 2. Added a missing overflow check in objectProtoFuncToString(). + + * runtime/JSString.cpp: + (JSC::JSRopeString::RopeBuilder::expand): + (JSC::JSRopeString::RopeBuilder::expand): Deleted. + * runtime/JSString.h: + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncToString): + * runtime/Operations.h: + (JSC::jsStringFromRegisterArray): + (JSC::jsStringFromArguments): + +2017-10-26 JF Bastien + + WebAssembly: no VM / JS version of our implementation + https://bugs.webkit.org/show_bug.cgi?id=177472 + + Reviewed by Michael Saboff. 
+ + This patch removes all appearances of "JS" and "VM" in the wasm + directory. These now only appear in the wasm/js directory, which + is only used in a JS embedding of wasm. It should therefore now be + possible to create non-JS embeddings of wasm through JSC, though + it'll still require: + + - Mild codegen for wasm<->embedder calls; + - A strategy for trap handling (no need for full unwind! Could kill). + - Creation of the Wasm::* objects. + - Calling convention handling to call the embedder. + - Handling of multiple embedders (see #177475, this is optional). + + Most of the patch consists in renaming JSWebAssemblyInstance to + Instance, and removing temporary copies which I'd added to make + this specific patch very simple. + + * interpreter/CallFrame.cpp: + (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place + which needs to know about who "owns" the Wasm::Instance. In a JS + embedding it's the JSWebAssemblyInstance. + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::addGrowMemory): + (JSC::Wasm::B3IRGenerator::addCurrentMemory): + (JSC::Wasm::B3IRGenerator::getGlobal): + (JSC::Wasm::B3IRGenerator::setGlobal): + (JSC::Wasm::B3IRGenerator::addCall): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmContext.cpp: + (JSC::Wasm::Context::load const): + (JSC::Wasm::Context::store): + * wasm/WasmContext.h: + * wasm/WasmEmbedder.h: + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + (JSC::Wasm::Instance::create): + (JSC::Wasm::Instance::extraMemoryAllocated const): + * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the + "tail" import information from JSWebAssemblyInstance over to here. 
+ (JSC::Wasm::Instance::finalizeCreation): + (JSC::Wasm::Instance::owner const): + (JSC::Wasm::Instance::offsetOfOwner): + (JSC::Wasm::Instance::context const): + (JSC::Wasm::Instance::setMemory): + (JSC::Wasm::Instance::setTable): + (JSC::Wasm::Instance::offsetOfMemory): + (JSC::Wasm::Instance::offsetOfGlobals): + (JSC::Wasm::Instance::offsetOfTable): + (JSC::Wasm::Instance::offsetOfTail): + (JSC::Wasm::Instance::numImportFunctions const): + (JSC::Wasm::Instance::importFunctionInfo): + (JSC::Wasm::Instance::offsetOfTargetInstance): + (JSC::Wasm::Instance::offsetOfWasmEntrypoint): + (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): + (JSC::Wasm::Instance::offsetOfImportFunction): + (JSC::Wasm::Instance::importFunction): + (JSC::Wasm::Instance::allocationSize): + (JSC::Wasm::Instance::create): Deleted. + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::runForIndex): + * wasm/WasmOMGPlan.h: + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::Table): + (JSC::Wasm::Table::setFunction): + * wasm/WasmTable.h: + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + (JSC::Wasm::triggerOMGTierUpThunkGenerator): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance + (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder + decides what the import function is. Here we must properly + placement-new it to what we've elected (and initialize it later). 
+ (JSC::JSWebAssemblyInstance::visitChildren): + (JSC::JSWebAssemblyInstance::finalizeCreation): + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance + (JSC::JSWebAssemblyInstance::instance): + (JSC::JSWebAssemblyInstance::moduleNamespaceObject): + (JSC::JSWebAssemblyInstance::setMemory): + (JSC::JSWebAssemblyInstance::table): + (JSC::JSWebAssemblyInstance::setTable): + (JSC::JSWebAssemblyInstance::offsetOfInstance): + (JSC::JSWebAssemblyInstance::offsetOfCallee): + (JSC::JSWebAssemblyInstance::context const): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted. + (): Deleted. + (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted. + (JSC::JSWebAssemblyInstance::importFunction): Deleted. + (JSC::JSWebAssemblyInstance::internalMemory): Deleted. + (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted. + (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted. + (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted. + (JSC::JSWebAssemblyInstance::wasmMemory): Deleted. + (JSC::JSWebAssemblyInstance::wasmModule): Deleted. + (JSC::JSWebAssemblyInstance::allocationSize): Deleted. 
+ * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::setFunction): + * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance. + (JSC::Wasm::materializeImportJSCell): + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + (JSC::Wasm::wasmToJSException): + * wasm/js/WasmToJS.h: + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::instantiate): + * wasm/js/WebAssemblyWrapperFunction.cpp: + (JSC::WebAssemblyWrapperFunction::create): + +2017-10-25 Devin Rousso + + Web Inspector: provide a way to enable/disable event listeners + https://bugs.webkit.org/show_bug.cgi?id=177451 + + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/DOM.json: + Add `setEventListenerDisabled` command that enables/disables a specific event listener + during event dispatch. When a disabled event listener is fired, the listener's callback will + not be called. + +2017-10-25 Commit Queue + + Unreviewed, rolling out r223691 and r223729. + https://bugs.webkit.org/show_bug.cgi?id=178834 + + Broke Speedometer 2 React-Redux-TodoMVC test case (Requested + by rniwa on #webkit). + + Reverted changesets: + + "Turn recursive tail calls into loops" + https://bugs.webkit.org/show_bug.cgi?id=176601 + https://trac.webkit.org/changeset/223691 + + "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: + comparison is always false due to limited range of data type + [-Wtype-limits]" + https://bugs.webkit.org/show_bug.cgi?id=178543 + https://trac.webkit.org/changeset/223729 + +2017-10-25 Michael Saboff + + REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers + https://bugs.webkit.org/show_bug.cgi?id=178825 + + Reviewed by Mark Lam. + + Enable ARC for ARM64_32. 
This eliminate the need for setting CLANG_ENABLE_OBJC_WEAK. + + * Configurations/ToolExecutable.xcconfig: + +2017-10-25 Keith Miller + + Fix implicit cast of enum, which seems to break the windows build of unified sources. + https://bugs.webkit.org/show_bug.cgi?id=178822 + + Reviewed by Saam Barati. + + * bytecode/DFGExitProfile.h: + (JSC::DFG::FrequentExitSite::hash const): + +2017-10-24 Michael Saboff + + Allow OjbC Weak References when building TestAPI + https://bugs.webkit.org/show_bug.cgi?id=178748 + + Reviewed by Dan Bernstein. + + Set TestAPI build flag Weak References in Manual Retain Release to true. + + * JavaScriptCore.xcodeproj/project.pbxproj: Reverted. + * Configurations/ToolExecutable.xcconfig: Changed the flag here instead. + +2017-10-24 Eric Carlson + + Web Inspector: Enable WebKit logging configuration and display + https://bugs.webkit.org/show_bug.cgi?id=177027 + + + Reviewed by Joseph Pecoraro. + + * inspector/ConsoleMessage.cpp: + (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage -> + Inspector::Protocol::Console::ChannelSource. + * inspector/agents/JSGlobalObjectConsoleAgent.cpp: + (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels + specific to a JSContext yet, so return an empty channel array. + (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error. + * inspector/agents/JSGlobalObjectConsoleAgent.h: + + * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels + and setLoggingChannelLevel. + + * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC". 
+ * inspector/scripts/tests/generic/expected/enum-values.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: + + * runtime/ConsoleTypes.h: Add Media and WebRTC. + +2017-10-24 Michael Saboff + + Allow OjbC Weak References when building TestAPI + https://bugs.webkit.org/show_bug.cgi?id=178748 + + Reviewed by Saam Barati. + + Set TestAPI build flag Weak References in Manual Retain Release to true. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2017-10-24 Yusuke Suzuki + + [FTL] Support NewStringObject + https://bugs.webkit.org/show_bug.cgi?id=178737 + + Reviewed by Saam Barati. + + FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline. + After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`. + + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject): + +2017-10-24 Guillaume Emont + + [mips] fix offsets of branches that have to go over a jump + https://bugs.webkit.org/show_bug.cgi?id=153464 + + The jump() function creates 8 instructions, but the offsets of branches + meant to go over them only account for 6. In most cases, this is not an + issue as the last two instructions of jump() would be nops, but in the + rarer case where the jump destination is in a different 256 MB segment, + MIPSAssembler::linkWithOffset() will rewrite the code in a way in which + the last 4 instructions would be a 2 instruction load (lui/ori) into + $t9, a "j $t9" and then a nop. 
The wrong offset will mean that the + previous branches meant to go over the whole jump will branch to the + "j $t9" instruction, which would jump to whatever is currently in $t9 + (since lui/ori would not be executed). + + Reviewed by Michael Catanzaro. + + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::branchAdd32): + (JSC::MacroAssemblerMIPS::branchMul32): + (JSC::MacroAssemblerMIPS::branchSub32): + Fix the offsets of branches meant to go over code generated by jump(). + +2017-10-24 JF Bastien + + WebAssembly: NFC renames of things that aren't JS-specific + https://bugs.webkit.org/show_bug.cgi?id=178738 + + Reviewed by Saam Barati. + + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::parseAndCompile): + * wasm/WasmB3IRGenerator.h: + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmCodeBlock.cpp: + (JSC::Wasm::CodeBlock::CodeBlock): + * wasm/WasmCodeBlock.h: + (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace): + (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted. + * wasm/WasmFormat.h: + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + (JSC::WebAssemblyModuleRecord::evaluate): + +2017-10-24 Stephan Szabo + + [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests + https://bugs.webkit.org/show_bug.cgi?id=177279 + + Reviewed by Yusuke Suzuki. + + * shell/PlatformJSCOnly.cmake: Added. + +2017-10-15 Yusuke Suzuki + + [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time + https://bugs.webkit.org/show_bug.cgi?id=178308 + + Reviewed by Mark Lam. + + With the change of the spec[1], we now do not need to remember star resolution modules. + We reflect this change to our implementation. Since this change is covered by test262, + this patch improves the score of test262. 
+ + We also add logging to ResolveExport to debug it easily. + + [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1 + + * runtime/AbstractModuleRecord.cpp: + (JSC::AbstractModuleRecord::ResolveQuery::dump const): + (JSC::AbstractModuleRecord::resolveExportImpl): + +2017-10-24 Yusuke Suzuki + + [JSC] Use emitDumbVirtualCall in 32bit JIT + https://bugs.webkit.org/show_bug.cgi?id=178644 + + Reviewed by Mark Lam. + + This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall. + + * jit/JITCall32_64.cpp: + (JSC::JIT::compileCallEvalSlowCase): + +2017-10-22 Yusuke Suzuki + + [JSC] Drop ArityCheckData + https://bugs.webkit.org/show_bug.cgi?id=178648 + + Reviewed by Mark Lam. + + ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`. + However, use of `thunkToCall` is removed in 64bit environment at r189575. + + We remove `thunkToCall` and align 32bit implementation to 64bit implementation. + Since we no longer need to have the above pair, we can remove ArityCheckData too. + + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + (JSC::setupArityCheckData): Deleted. + * runtime/CommonSlowPaths.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-10-23 Keith Miller + + Unreviewed, reland r223866 + + Didn't break the windows build... + + Restored changeset: + + "WebAssembly: topEntryFrame on Wasm::Instance" + https://bugs.webkit.org/show_bug.cgi?id=178690 + https://trac.webkit.org/changeset/223866 + + +2017-10-23 Commit Queue + + Unreviewed, rolling out r223866. + https://bugs.webkit.org/show_bug.cgi?id=178699 + + Probably broke the windows build (Requested by keith_miller on + #webkit). 
+ + Reverted changeset: + + "WebAssembly: topEntryFrame on Wasm::Instance" + https://bugs.webkit.org/show_bug.cgi?id=178690 + https://trac.webkit.org/changeset/223866 + +2017-10-23 Joseph Pecoraro + + Web Inspector: Remove unused Console.setMonitoringXHREnabled + https://bugs.webkit.org/show_bug.cgi?id=178617 + + Reviewed by Sam Weinig. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * inspector/agents/InspectorConsoleAgent.h: + * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed. + * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed. + * inspector/protocol/Console.json: + Removed files and method. + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + This can use the base ConsoleAgent now. + +2017-10-23 JF Bastien + + WebAssembly: topEntryFrame on Wasm::Instance + https://bugs.webkit.org/show_bug.cgi?id=178690 + + Reviewed by Saam Barati. + + topEntryFrame is usually on VM, but for a no-VM WebAssembly we + need to hold topEntryFrame elsewhere, and generated code cannot + hard-code where topEntryFrame live. Do this at creation time of + Wasm::Instance, and then generated code will just load from + wherever Wasm::Instance was told topEntryFrame is. In a JavaScript + embedding this is still from VM, so all of the unwinding machinery + stays the same. 
+ + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): + (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * interpreter/Interpreter.cpp: + (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer): + (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer): + The default parameter was never non-defaulted from any of the + callers. The new version calls the impl directly because it + doesn't have VM and doesn't hard-code the address of + topEntryFrame. + * jit/RegisterSet.cpp: + (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on + VM because it's not really VM-specific. + * jit/RegisterSet.h: + * runtime/VM.cpp: + (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted. + * runtime/VM.h: + (JSC::VM::getCTIStub): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::addCall): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + * wasm/WasmInstance.h: topEntryFramePointer will eventually live + here for real. Right now it's mirrored in JSWebAssemblyInstance + because that's the acting Context. + (JSC::Wasm::Instance::create): + (JSC::Wasm::Instance::offsetOfTopEntryFramePointer): + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): + * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily. 
+ (JSC::JSWebAssemblyInstance::offsetOfCallee): + (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): + (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted. + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::instantiate): + +2017-10-23 Joseph Pecoraro + + Web Inspector: Please support HAR Export for network traffic + https://bugs.webkit.org/show_bug.cgi?id=146692 + + + Reviewed by Brian Burg. + + * inspector/protocol/Network.json: + Add a walltime to each send request. + +2017-10-23 Matt Lewis + + Unreviewed, rolling out r223820. + + This caused a build break on Windows. + + Reverted changeset: + + "Web Inspector: Remove unused Console.setMonitoringXHREnabled" + https://bugs.webkit.org/show_bug.cgi?id=178617 + https://trac.webkit.org/changeset/223820 + +2017-10-23 Yusuke Suzuki + + [JSC] Use fastJoin in Array#toString + https://bugs.webkit.org/show_bug.cgi?id=178062 + + Reviewed by Darin Adler. + + Array#toString()'s fast path uses original join operation. + But this should use fastJoin if possible. + This patch adds a fast path using fastJoin in Array#toString. + And we also extend fastJoin to perform fast joining for int32 + arrays. + + baseline patched + + double-array-to-string 126.6157+-5.8625 ^ 103.7343+-4.4968 ^ definitely 1.2206x faster + int32-array-to-string 64.7792+-2.6524 61.2390+-2.1749 might be 1.0578x faster + contiguous-array-to-string 62.6224+-2.6388 ^ 56.9899+-2.0852 ^ definitely 1.0988x faster + + + * runtime/ArrayPrototype.cpp: + (JSC::fastJoin): + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + * runtime/JSStringJoiner.h: + (JSC::JSStringJoiner::appendWithoutSideEffects): + (JSC::JSStringJoiner::appendInt32): + (JSC::JSStringJoiner::appendDouble): + +2017-10-22 Zan Dobersek + + [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h + https://bugs.webkit.org/show_bug.cgi?id=178452 + + Reviewed by Yusuke Suzuki. 
+ + * heap/RegisterState.h: Re-enable the custom RegisterState and + ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't + cause any crashes nowadays. + +2017-10-22 Yusuke Suzuki + + [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling + https://bugs.webkit.org/show_bug.cgi?id=178647 + + Reviewed by Saam Barati. + + There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone + since the number of slow cases depends on values of instruction's metadata. We have linkAllSlowCasesForBytecodeOffset, + which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function, + this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code. + + * jit/JIT.h: + (JSC::JIT::linkAllSlowCases): + * jit/JITArithmetic.cpp: + (JSC::JIT::emitSlow_op_unsigned): + (JSC::JIT::emit_compareAndJump): + (JSC::JIT::emit_compareAndJumpSlow): + (JSC::JIT::emitSlow_op_inc): + (JSC::JIT::emitSlow_op_dec): + (JSC::JIT::emitSlow_op_mod): + (JSC::JIT::emitSlow_op_negate): + (JSC::JIT::emitSlow_op_bitand): + (JSC::JIT::emitSlow_op_bitor): + (JSC::JIT::emitSlow_op_bitxor): + (JSC::JIT::emitSlow_op_lshift): + (JSC::JIT::emitSlow_op_rshift): + (JSC::JIT::emitSlow_op_urshift): + (JSC::JIT::emitSlow_op_add): + (JSC::JIT::emitSlow_op_div): + (JSC::JIT::emitSlow_op_mul): + (JSC::JIT::emitSlow_op_sub): + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emit_compareAndJumpSlow): + (JSC::JIT::emitSlow_op_unsigned): + (JSC::JIT::emitSlow_op_inc): + (JSC::JIT::emitSlow_op_dec): + (JSC::JIT::emitSlow_op_mod): + * jit/JITCall.cpp: + (JSC::JIT::compileCallEvalSlowCase): + (JSC::JIT::compileOpCallSlowCase): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileCallEvalSlowCase): + (JSC::JIT::compileOpCallSlowCase): + * jit/JITInlines.h: + (JSC::JIT::linkAllSlowCasesForBytecodeOffset): + * jit/JITOpcodes.cpp: 
+ (JSC::JIT::emitSlow_op_new_object): + (JSC::JIT::emitSlow_op_create_this): + (JSC::JIT::emitSlow_op_check_tdz): + (JSC::JIT::emitSlow_op_to_this): + (JSC::JIT::emitSlow_op_to_primitive): + (JSC::JIT::emitSlow_op_not): + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::emitSlow_op_neq): + (JSC::JIT::emitSlow_op_stricteq): + (JSC::JIT::emitSlow_op_nstricteq): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + (JSC::JIT::emitSlow_op_to_number): + (JSC::JIT::emitSlow_op_to_string): + (JSC::JIT::emitSlow_op_loop_hint): + (JSC::JIT::emitSlow_op_check_traps): + (JSC::JIT::emitSlow_op_has_indexed_property): + (JSC::JIT::emitSlow_op_get_direct_pname): + (JSC::JIT::emitSlow_op_has_structure_property): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emitSlow_op_new_object): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + (JSC::JIT::emitSlow_op_to_primitive): + (JSC::JIT::emitSlow_op_not): + (JSC::JIT::emitSlow_op_stricteq): + (JSC::JIT::emitSlow_op_nstricteq): + (JSC::JIT::emitSlow_op_to_number): + (JSC::JIT::emitSlow_op_to_string): + (JSC::JIT::emitSlow_op_create_this): + (JSC::JIT::emitSlow_op_to_this): + (JSC::JIT::emitSlow_op_check_tdz): + (JSC::JIT::emitSlow_op_has_indexed_property): + (JSC::JIT::emitSlow_op_get_direct_pname): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitSlow_op_try_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_put_by_id): + (JSC::JIT::emitSlow_op_resolve_scope): + (JSC::JIT::emitSlow_op_get_from_scope): + (JSC::JIT::emitSlow_op_put_to_scope): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_try_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_put_by_id): + (JSC::JIT::emitSlow_op_resolve_scope): + (JSC::JIT::emitSlow_op_get_from_scope): + (JSC::JIT::emitSlow_op_put_to_scope): + +2017-10-22 Yusuke Suzuki + + [JSC] Clean up baseline slow 
path + https://bugs.webkit.org/show_bug.cgi?id=178646 + + Reviewed by Saam Barati. + + If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead. + It is good since (1) we can reduce the manual emitting code and (2) it can clarify which + function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific + code in baseline JIT. + + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITArithmetic.cpp: + (JSC::JIT::emit_op_pow): Deleted. + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emitSlow_op_mod): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_strcat): Deleted. + (JSC::JIT::emit_op_push_with_scope): Deleted. + (JSC::JIT::emit_op_assert): Deleted. + (JSC::JIT::emit_op_create_lexical_environment): Deleted. + (JSC::JIT::emit_op_throw_static_error): Deleted. + (JSC::JIT::emit_op_new_array_with_spread): Deleted. + (JSC::JIT::emit_op_spread): Deleted. + (JSC::JIT::emit_op_get_enumerable_length): Deleted. + (JSC::JIT::emit_op_has_generic_property): Deleted. + (JSC::JIT::emit_op_get_property_enumerator): Deleted. + (JSC::JIT::emit_op_to_index_string): Deleted. + (JSC::JIT::emit_op_create_direct_arguments): Deleted. + (JSC::JIT::emit_op_create_scoped_arguments): Deleted. + (JSC::JIT::emit_op_create_cloned_arguments): Deleted. + (JSC::JIT::emit_op_create_rest): Deleted. + (JSC::JIT::emit_op_unreachable): Deleted. + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_strcat): Deleted. + (JSC::JIT::emit_op_push_with_scope): Deleted. + (JSC::JIT::emit_op_assert): Deleted. + (JSC::JIT::emit_op_create_lexical_environment): Deleted. + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_put_by_val_with_this): Deleted. + (JSC::JIT::emit_op_get_by_val_with_this): Deleted. + (JSC::JIT::emit_op_put_by_id_with_this): Deleted. + (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted. + (JSC::JIT::emit_op_define_data_property): Deleted. + (JSC::JIT::emit_op_define_accessor_property): Deleted. 
+ * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted. + (JSC::JIT::emit_op_get_by_val_with_this): Deleted. + (JSC::JIT::emit_op_put_by_id_with_this): Deleted. + (JSC::JIT::emit_op_put_by_val_with_this): Deleted. + +2017-10-21 Joseph Pecoraro + + Web Inspector: Remove unused Console.setMonitoringXHREnabled + https://bugs.webkit.org/show_bug.cgi?id=178617 + + Reviewed by Sam Weinig. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * inspector/agents/InspectorConsoleAgent.h: + * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed. + * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed. + * inspector/protocol/Console.json: + Removed files and method. + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + This can use the base ConsoleAgent now. + +2017-10-21 Yusuke Suzuki + + [JSC] Remove per-host-function CTI stub in 32bit environment + https://bugs.webkit.org/show_bug.cgi?id=178581 + + Reviewed by Saam Barati. + + JIT::privateCompileCTINativeCall only exists in 32bit environment and it is almost the same to native call CTI stub. + The only difference is that it embed the address of the host function directly in the generated stub. This means + that we have per-host-function CTI stub only in 32bit environment. + + This patch just removes it and use one CTI stub instead. This design is the same to the current 64bit implementation. + + * jit/JIT.cpp: + (JSC::JIT::compileCTINativeCall): Deleted. + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::privateCompileCTINativeCall): Deleted. + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileCTINativeCall): Deleted. + * jit/JITThunks.cpp: + (JSC::JITThunks::hostFunctionStub): + +2017-10-20 Antoine Quint + + [Web Animations] Provide basic timeline and animation interfaces + https://bugs.webkit.org/show_bug.cgi?id=178526 + + Reviewed by Dean Jackson. 
+ + Remove the WEB_ANIMATIONS compile-time flag. + + * Configurations/FeatureDefines.xcconfig: + +2017-10-20 Commit Queue + + Unreviewed, rolling out r223744, r223750, and r223751. + https://bugs.webkit.org/show_bug.cgi?id=178594 + + These caused consistent failures in test that existed and were + added in the patches. (Requested by mlewis13 on #webkit). + + Reverted changesets: + + "[JSC] ScriptFetcher should be notified directly from module + pipeline" + https://bugs.webkit.org/show_bug.cgi?id=178340 + https://trac.webkit.org/changeset/223744 + + "Unreviewed, fix changed line number in test expect files" + https://bugs.webkit.org/show_bug.cgi?id=178340 + https://trac.webkit.org/changeset/223750 + + "Unreviewed, follow up to reflect comments" + https://bugs.webkit.org/show_bug.cgi?id=178340 + https://trac.webkit.org/changeset/223751 + +2017-10-20 Yusuke Suzuki + + Unreviewed, follow up to reflect comments + https://bugs.webkit.org/show_bug.cgi?id=178340 + + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::notifyCompleted): + +2017-10-20 Saam Barati + + Optimize accesses to how we get the direct prototype + https://bugs.webkit.org/show_bug.cgi?id=178548 + + Reviewed by Yusuke Suzuki. + + This patch makes JSObject::getPrototypeDirect take VM& as a parameter + so it can use the faster version of the structure accessor function. + The reason for making this change is that JSObjet::getPrototypeDirect + is called on the hot path in property lookup. 
+ + * API/JSObjectRef.cpp: + (JSObjectGetPrototype): + * jsc.cpp: + (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): + (WTF::DOMJITGetterBaseJSObject::customGetter): + (functionCreateProxy): + * runtime/ArrayPrototype.cpp: + (JSC::speciesWatchpointIsValid): + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::sanitizedToString): + * runtime/JSArray.cpp: + (JSC::JSArray::isIteratorProtocolFastAndNonObservable): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::lastInPrototypeChain): + (JSC::JSGlobalObject::resetPrototype): + (JSC::JSGlobalObject::finishCreation): + * runtime/JSGlobalObjectInlines.h: + (JSC::JSGlobalObject::objectPrototypeIsSane): + (JSC::JSGlobalObject::arrayPrototypeChainIsSane): + (JSC::JSGlobalObject::stringPrototypeChainIsSane): + * runtime/JSLexicalEnvironment.cpp: + (JSC::JSLexicalEnvironment::getOwnPropertySlot): + * runtime/JSMap.cpp: + (JSC::JSMap::isIteratorProtocolFastAndNonObservable): + * runtime/JSObject.cpp: + (JSC::JSObject::calculatedClassName): + (JSC::JSObject::setPrototypeWithCycleCheck): + (JSC::JSObject::getPrototype): + (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype): + (JSC::JSObject::attemptToInterceptPutByIndexOnHole): + (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const): + (JSC::JSObject::prototypeChainMayInterceptStoreTo): + * runtime/JSObject.h: + (JSC::JSObject::finishCreation): + (JSC::JSObject::getPrototypeDirect const): + (JSC::JSObject::getPrototype): + * runtime/JSObjectInlines.h: + (JSC::JSObject::canPerformFastPutInline): + (JSC::JSObject::getPropertySlot): + (JSC::JSObject::getNonIndexPropertySlot): + * runtime/JSProxy.cpp: + (JSC::JSProxy::setTarget): + * runtime/JSSet.cpp: + (JSC::JSSet::isIteratorProtocolFastAndNonObservable): + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/StructureInlines.h: + (JSC::Structure::isValid const): + +2017-10-20 Yusuke Suzuki + + [ARM64] static_cast() in 
BinaryOpNode::emitBytecode() prevents op_unsigned emission + https://bugs.webkit.org/show_bug.cgi?id=178379 + + Reviewed by Saam Barati. + + We reuse jsNumber's checking mechanism here to precisely check the generated number is within uint32_t + in bytecode compiler. This is reasonable since the NumberNode will generate the exact this JSValue. + + * bytecompiler/NodesCodegen.cpp: + (JSC::BinaryOpNode::emitBytecode): + +2017-10-20 Yusuke Suzuki + + [JSC] ScriptFetcher should be notified directly from module pipeline + https://bugs.webkit.org/show_bug.cgi?id=178340 + + Reviewed by Sam Weinig. + + Previously, we use JSStdFunction to let WebCore inform the module pipeline results. + We setup JSStdFunction to the resulted promise of the module pipeline. It is super + ad-hoc since JSStdFunction's lambda need extra-careful to make it non-cyclic-referenced. + JSStdFunction's lambda can capture variables, but they are not able to be marked by GC. + + But now, we have ScriptFetcher. It is introduced after we implemented the module pipeline + notification mechanism by using JSStdFunction. But it is appropriate one to receive notification + from the module pipeline by observer style. + + This patch removes the above ad-hoc JSStdFunction use. And now ScriptFetcher receives + completion/failure notifications from the module pipeline. 
+ + * builtins/ModuleLoaderPrototype.js: + (loadModule): + (loadAndEvaluateModule): + * runtime/Completion.cpp: + (JSC::loadModule): + * runtime/Completion.h: + * runtime/JSModuleLoader.cpp: + (JSC::jsValueToModuleKey): + (JSC::JSModuleLoader::notifyCompleted): + (JSC::JSModuleLoader::notifyFailed): + * runtime/JSModuleLoader.h: + * runtime/ModuleLoaderPrototype.cpp: + (JSC::moduleLoaderPrototypeNotifyCompleted): + (JSC::moduleLoaderPrototypeNotifyFailed): + * runtime/ScriptFetcher.h: + (JSC::ScriptFetcher::notifyLoadCompleted): + (JSC::ScriptFetcher::notifyLoadFailed): + +2017-10-19 JF Bastien + + WebAssembly: no VM / JS version of everything but Instance + https://bugs.webkit.org/show_bug.cgi?id=177473 + + Reviewed by Filip Pizlo, Saam Barati. + + This change entails cleaning up and splitting a bunch of code which we had + intertwined between C++ classes which represent JS objects, and pure C++ + implementation objects. This specific change goes most of the way towards + allowing JSC's WebAssembly to work without VM / JS, up to but excluding + JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing + yet). Because of this we still have a few FIXME identifying places that need to + change. A follow-up change will go the rest of the way. + + I went about this change in the simplest way possible: grep the + JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/ + sub-directory (which contains the JS implementation of WebAssembly). + + None of this change removes the need for a JIT entitlement to be able to use + WebAssembly. We don't have an interpreter, the process therefore still needs to + be allowed to JIT to use these pure-C++ APIs. + + Interesting things to note: + + - Remove VM from Plan and associated places. It can just live as a capture in + the callback lambda if it's needed. + - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to + collect. 
We now instead pass two lambdas at construction time for this + purpose: one to notify of memory pressure, and the other to ask for + syncrhonous memory reclamation. This allows whoever creates the memory to + dictate how to react to both these cases, and for a JS embedding that's to + call the GC (async or sync, respectively). + - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected + there, with an enum class for failure types. + - Exceeding max on memory growth now returns a range error as per spec. This + is a (very minor) breaking change: it used to throw OOM error. Update the + corresponding test. + - When generating the grow_memory opcode, no need to get the VM. Instead, + reach directly for Wasm::Memory and grow it. + - JSWebAssemblyMemory::grow can now always throw on failure, because it's only + ever called from JS (not from grow_memory as before). + - Wasm::Memory now takes a callback for successful growth. This allows JS + wrappers to register themselves when growth succeeds without Wasm::Memory + knowning anything about JS. It'll also allow creating a list of callbacks + for when we add thread support (we'll want to notify many wrappers, all + under a lock). + - Wasm::Memory is now back to being the source of truth about address / size, + used directly by generated code instead of JSWebAssemblyMemory. + - Move wasmToJS from the general WasmBinding header to its own header under + wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM, + and therefore isn't general WebAssembly. + - Make Wasm::Context an actual type (just a struct holding a + JSWebAssemlyInstance for now) instead of an alias for that. Notably this + doesn't add anything to the Context and doesn't change what actually gets + passed around in JIT code (fast TLS or registers) because these changes + potentially impact performance. The entire purpose of this change is to + allow passing Wasm::Context around without having to know about VM. 
Since VM + contains a Wasm::Context the JS embedding is effectively the same, but with + this setup a non-JS embedding is much better off. + - Move JSWebAssembly into the JS folder. + - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock. + - wasm->JS stubs are now on the instance's tail as raw pointers, instead of + being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder + stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still + called wasm->JS stub. This move means that the embedder must, after creating + a Wasm::CodeBlock, somehow create the stubs to call back into the + embedder. This removes an indirection in the generated code because + the B3 IR generator now reaches into the instance instead of + JSWebAssemblyCodeBlock. + - Move more CodeBlock things. Compilation completion is now marked by its own + atomic flag instead of a nullptr plan: that required using a lock, and + was causing a deadlock in stack-trace.js because before my changes + JSWebAssemblyCodeBlock did its own completion checking separately from + Wasm::CodeBlock, without getting the lock. Now that everything points to + Wasm::CodeBlock and there's no cached completion marker, the lock was being + acquired in a sanity-check assertion. + - Embedder -> Wasm wrappers are now generated through a function that's passed + in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper. + - WasmMemory doens't need to know about fault handling thunks. Only the IR + generator should know, and should make sure that the exception throwing + thunk is generated if any memory is present (note: with signal handling not + all of them generate an exception check). + - Make exception throwing pluggable: instead of having a hard-coded + JS-specific lambda we now have a regular C++ function being called from JIT + code when a WebAssembly exception is thrown. This allows any embedder to get + called as they wish. 
For now a process can only have a single of these + functions (i.e. only one embedder per process) because the trap handler is a + singleton. That can be fixed in in #177475. + - Create WasmEmbedder.h where all embedder plugging will live. + - Split up JSWebAssemblyTable into Wasm::Table which is + refcounted. JSWebAssemblyTable now only contains the JS functions in the + table, and Wasm::Table is what's used by the JIT code to lookup where to + call and do the instance check (for context switch). Note that this creates + an extra allocation for all the instances in Wasm::Table, and in exchange + removes an indirection in JIT code because the instance used to be obtained + off of the JS function. Also note that it's the embedder than keeps the + instances alive, not Wasm::Table (which holds a dumb pointer to the + instance), because doing otherwise would cause reference cycles. + - Add WasmInstance. It doesn't do much for now, owns globals. + - JSWebAssembly instance now doesn't just contain the imported functions as + JSObjects, it also has the corresponding import's instance and wasm + entrypoint. This triples the space allocated per instance's imported + function, but there shouldn't be that many imports. This has two upsides: it + creates smaller and faster code, and makes is easier to disassociate + embedder-specific things from embedder-neutral things. The small / faster + win is in two places: B3 IR generator only needs offsetOfImportFunction for + the call opcode (when the called index is an import) to know whether the + import is wasm->wasm or wasm->embedder (this isn't known at compile-time + because it's dependent on the import object), this is now done by seeing if + that import function has an associated target instance (only wasm->wasm + does); the other place is wasmBinding which uses offsetOfImportFunction to + figure out the wasm->wasm target instance, and then gets + WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail + call. 
The disassociation comes because the target instance can be + Wasm::Instance once we change what the Context is, and + WasmEntrypointLoadLocation is already embedder-independent. As a next step I + can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance, + and leave importFunction in as an opaque pointer which is embedder-specific, + and in JS will remain WriteBarrier. + - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it + around instead of VM. This is a first step in allowing entry frames which + aren't stored on VM, but which are instead stored in an embedder-specific + location. That change won't really affect JS except through code churn, but + will allow WebAssembly to use some machinery in a generic manner without + having a VM. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/PolymorphicAccess.cpp: + (JSC::AccessGenerationState::emitExplicitExceptionHandler): + * debugger/Debugger.cpp: + (JSC::Debugger::stepOutOfFunction): + (JSC::Debugger::returnEvent): + (JSC::Debugger::unwindEvent): + (JSC::Debugger::didExecuteProgram): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compileExceptionHandlers): + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileOSRExit): + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrEntryThunkGenerator): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * interpreter/CallFrame.cpp: + (JSC::CallFrame::wasmAwareLexicalGlobalObject): + (JSC::CallFrame::callerFrame): + (JSC::CallFrame::unsafeCallerFrame): + * interpreter/CallFrame.h: + (JSC::ExecState::callerFrame const): + (JSC::ExecState::callerFrameOrEntryFrame const): + (JSC::ExecState::unsafeCallerFrameOrEntryFrame const): + * interpreter/FrameTracers.h: + 
(JSC::NativeCallFrameTracer::NativeCallFrameTracer): + (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): + (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): + * interpreter/Interpreter.cpp: + (JSC::UnwindFunctor::operator() const): + (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const): + (JSC::Interpreter::unwind): + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::StackVisitor): + (JSC::StackVisitor::gotoNextFrame): + (JSC::StackVisitor::readNonInlinedFrame): + (JSC::StackVisitor::Frame::dump const): + * interpreter/StackVisitor.h: + (JSC::StackVisitor::Frame::callerIsEntryFrame const): + * interpreter/VMEntryRecord.h: + (JSC::VMEntryRecord::prevTopEntryFrame): + (JSC::VMEntryRecord::unsafePrevTopEntryFrame): + (JSC::EntryFrame::vmEntryRecordOffset): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer): + (JSC::AssemblyHelpers::loadWasmContextInstance): + (JSC::AssemblyHelpers::storeWasmContextInstance): + (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister): + (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister): + (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): + (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer): + (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer): + * jit/JIT.cpp: + (JSC::JIT::emitEnterOptimizationCheck): + (JSC::JIT::privateCompileExceptionHandlers): + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_throw): + (JSC::JIT::emit_op_catch): + (JSC::JIT::emitSlow_op_loop_hint): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_throw): + (JSC::JIT::emit_op_catch): + * jit/JITOperations.cpp: + * jit/ThunkGenerators.cpp: + 
(JSC::throwExceptionFromCallSlowPathGenerator):
+ (JSC::nativeForGenerator):
+ * jsc.cpp:
+ (functionDumpCallFrame):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntThunks.cpp:
+ (JSC::vmEntryRecord):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/Options.h:
+ * runtime/SamplingProfiler.cpp:
+ (JSC::FrameWalker::FrameWalker):
+ (JSC::FrameWalker::advanceToParentFrame):
+ (JSC::SamplingProfiler::processUnverifiedStackTraces):
+ * runtime/ThrowScope.cpp:
+ (JSC::ThrowScope::~ThrowScope):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ * runtime/VM.h:
+ (JSC::VM::topEntryFrameOffset):
+ * runtime/VMTraps.cpp:
+ (JSC::isSaneFrame):
+ (JSC::VMTraps::tryInstallTrapBreakpoints):
+ (JSC::VMTraps::invalidateCodeBlocksOnStack):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addGrowMemory):
+ (JSC::Wasm::B3IRGenerator::addCurrentMemory):
+ (JSC::Wasm::B3IRGenerator::addCall):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmB3IRGenerator.h:
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::BBQPlan):
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ (JSC::Wasm::BBQPlan::complete):
+ * wasm/WasmBBQPlan.h:
+ * wasm/WasmBBQPlanInlines.h:
+ (JSC::Wasm::BBQPlan::initializeCallees):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmBinding.h:
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::create):
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ (JSC::Wasm::CodeBlock::compileAsync):
+ (JSC::Wasm::CodeBlock::setCompilationFinished):
+ * wasm/WasmCodeBlock.h:
+ (JSC::Wasm::CodeBlock::offsetOfImportStubs):
+ (JSC::Wasm::CodeBlock::allocationSize):
+ (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
+ (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
+ (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
+ (JSC::Wasm::CodeBlock::compilationFinished):
+ (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
+ * wasm/WasmContext.cpp:
+ (JSC::Wasm::Context::useFastTLS):
+ (JSC::Wasm::Context::load const):
+ (JSC::Wasm::Context::store):
+ * wasm/WasmContext.h:
+ * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
+ * wasm/WasmFaultSignalHandler.cpp:
+ * wasm/WasmFaultSignalHandler.h:
+ * wasm/WasmFormat.h:
+ * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
+ (JSC::Wasm::Instance::Instance):
+ (JSC::Wasm::Instance::~Instance):
+ (JSC::Wasm::Instance::extraMemoryAllocated const):
+ * wasm/WasmInstance.h: Added.
+ (JSC::Wasm::Instance::create):
+ (JSC::Wasm::Instance::finalizeCreation):
+ (JSC::Wasm::Instance::module):
+ (JSC::Wasm::Instance::codeBlock):
+ (JSC::Wasm::Instance::memory):
+ (JSC::Wasm::Instance::table):
+ (JSC::Wasm::Instance::loadI32Global const):
+ (JSC::Wasm::Instance::loadI64Global const):
+ (JSC::Wasm::Instance::loadF32Global const):
+ (JSC::Wasm::Instance::loadF64Global const):
+ (JSC::Wasm::Instance::setGlobal):
+ (JSC::Wasm::Instance::offsetOfCachedStackLimit):
+ (JSC::Wasm::Instance::cachedStackLimit const):
+ (JSC::Wasm::Instance::setCachedStackLimit):
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::Memory):
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::~Memory):
+ (JSC::Wasm::Memory::grow):
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::offsetOfMemory):
+ (JSC::Wasm::Memory::offsetOfSize):
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::PinnedRegisterInfo::get):
+ (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::PinnedRegisterInfo::toSave const):
+ * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
+ (JSC::Wasm::makeString):
+ * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::makeValidationCallback):
+ (JSC::Wasm::Module::validateSync):
+ (JSC::Wasm::Module::validateAsync):
+ (JSC::Wasm::Module::getOrCreateCodeBlock):
+ (JSC::Wasm::Module::compileSync):
+ (JSC::Wasm::Module::compileAsync):
+ * wasm/WasmModule.h:
+ * wasm/WasmModuleParser.cpp:
+ (JSC::Wasm::ModuleParser::parseTableHelper):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::OMGPlan):
+ (JSC::Wasm::OMGPlan::runForIndex):
+ * wasm/WasmOMGPlan.h:
+ * wasm/WasmPageCount.h:
+ (JSC::Wasm::PageCount::isValid const):
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::Plan):
+ (JSC::Wasm::Plan::runCompletionTasks):
+ (JSC::Wasm::Plan::addCompletionTask):
+ (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
+ * wasm/WasmPlan.h:
+ (JSC::Wasm::Plan::dontFinalize):
+ * wasm/WasmSignature.cpp:
+ * wasm/WasmSignature.h:
+ * wasm/WasmTable.cpp: Added.
+ (JSC::Wasm::Table::create):
+ (JSC::Wasm::Table::~Table):
+ (JSC::Wasm::Table::Table):
+ (JSC::Wasm::Table::grow):
+ (JSC::Wasm::Table::clearFunction):
+ (JSC::Wasm::Table::setFunction):
+ * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
+ (JSC::Wasm::Table::maximum const):
+ (JSC::Wasm::Table::size const):
+ (JSC::Wasm::Table::offsetOfSize):
+ (JSC::Wasm::Table::offsetOfFunctions):
+ (JSC::Wasm::Table::offsetOfInstances):
+ (JSC::Wasm::Table::isValidSize):
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
+ (JSC::Wasm::triggerOMGTierUpThunkGenerator):
+ (JSC::Wasm::Thunks::setThrowWasmException):
+ (JSC::Wasm::Thunks::throwWasmException):
+ * wasm/WasmThunks.h:
+ * wasm/WasmWorklist.cpp:
+ (JSC::Wasm::Worklist::stopAllPlansForContext):
+ * wasm/WasmWorklist.h:
+ * wasm/js/JSToWasm.cpp: Added.
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
+ * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
+ * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ (JSC::JSWebAssemblyCodeBlock::create):
+ (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
+ (JSC::JSWebAssemblyInstance::finishCreation):
+ (JSC::JSWebAssemblyInstance::visitChildren):
+ (JSC::JSWebAssemblyInstance::finalizeCreation):
+ (JSC::JSWebAssemblyInstance::create):
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::instance):
+ (JSC::JSWebAssemblyInstance::context const):
+ (JSC::JSWebAssemblyInstance::table):
+ (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
+ (JSC::JSWebAssemblyInstance::setMemory):
+ (JSC::JSWebAssemblyInstance::offsetOfTail):
+ (JSC::JSWebAssemblyInstance::importFunctionInfo):
+ (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
+ (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
+ (JSC::JSWebAssemblyInstance::importFunction):
+ (JSC::JSWebAssemblyInstance::internalMemory):
+ (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
+ (JSC::JSWebAssemblyInstance::offsetOfCallee):
+ (JSC::JSWebAssemblyInstance::offsetOfGlobals):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
+ (JSC::JSWebAssemblyInstance::cachedStackLimit const):
+ (JSC::JSWebAssemblyInstance::setCachedStackLimit):
+ (JSC::JSWebAssemblyInstance::wasmMemory):
+ (JSC::JSWebAssemblyInstance::wasmModule):
+ (JSC::JSWebAssemblyInstance::allocationSize):
+ (JSC::JSWebAssemblyInstance::module const):
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::create):
+ (JSC::JSWebAssemblyMemory::adopt):
+ (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
+ (JSC::JSWebAssemblyMemory::grow):
+ (JSC::JSWebAssemblyMemory::growSuccessCallback):
+ * wasm/js/JSWebAssemblyMemory.h:
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::moduleInformation const):
+ (JSC::JSWebAssemblyModule::exportSymbolTable const):
+ (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
+ (JSC::JSWebAssemblyModule::callee const):
+ (JSC::JSWebAssemblyModule::codeBlock):
+ (JSC::JSWebAssemblyModule::module):
+ * wasm/js/JSWebAssemblyModule.h:
+ * wasm/js/JSWebAssemblyTable.cpp:
+ (JSC::JSWebAssemblyTable::create):
+ (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
+ (JSC::JSWebAssemblyTable::visitChildren):
+ (JSC::JSWebAssemblyTable::grow):
+ (JSC::JSWebAssemblyTable::getFunction):
+ (JSC::JSWebAssemblyTable::clearFunction):
+ (JSC::JSWebAssemblyTable::setFunction):
+ * wasm/js/JSWebAssemblyTable.h:
+ (JSC::JSWebAssemblyTable::isValidSize):
+ (JSC::JSWebAssemblyTable::maximum const):
+ (JSC::JSWebAssemblyTable::size const):
+ (JSC::JSWebAssemblyTable::table):
+ * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
+ (JSC::Wasm::materializeImportJSCell):
+ (JSC::Wasm::wasmToJS):
+ (JSC::Wasm::wasmToJSException):
+ * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::constructJSWebAssemblyInstance):
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ (JSC::constructJSWebAssemblyMemory):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::webAssemblyMemoryProtoFuncGrow):
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ (JSC::constructJSWebAssemblyModule):
+ (JSC::WebAssemblyModuleConstructor::createModule):
+ * wasm/js/WebAssemblyModuleConstructor.h:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ (JSC::WebAssemblyModuleRecord::evaluate):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyCompileFunc):
+ (JSC::instantiate):
+ (JSC::compileAndInstantiate):
+ (JSC::webAssemblyValidateFunc):
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ (JSC::constructJSWebAssemblyTable):
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::create):
+
+2017-10-19 Mark Lam
+
+ Stringifier::appendStringifiedValue() is missing an exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=178386
+
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+
+2017-10-19 Saam Barati
+
+ REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: comparison is always false due to limited range of data type [-Wtype-limits]
+ https://bugs.webkit.org/show_bug.cgi?id=178543
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
+
+2017-10-19 Saam Barati
+
+ re-inline ObjectAllocationProfile::initializeProfile
+ https://bugs.webkit.org/show_bug.cgi?id=178532
+
+ Rubber stamped by Michael Saboff.
+
+ I un-inlined this function when implementing poly proto.
+ This patch re-inlines it. In my testing, it looks like it
+ might be a 0.5% speedometer progression to inline it.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/ObjectAllocationProfile.cpp: Removed.
+ * bytecode/ObjectAllocationProfileInlines.h: Copied from Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp.
+ (JSC::ObjectAllocationProfile::initializeProfile):
+ (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
+ * runtime/FunctionRareData.cpp:
+
+2017-10-19 Michael Saboff
+
+ Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
+ https://bugs.webkit.org/show_bug.cgi?id=178521
+
+ Reviewed by JF Bastien.
+
+ * ucd/emoji-data.txt: Replaced with the Unicode Emoji 5.0 version of the file as that is the most recent
+ standard version. The prior version was the draft 6.0 version.
+
+2017-10-19 Saam Barati
+
+ We should hard code the poly proto offset
+ https://bugs.webkit.org/show_bug.cgi?id=178531
+
+ Reviewed by Filip Pizlo.
+
+ This patch embraces that the poly proto offset is always zero. It's already
+ the case that we would always get the inline offset zero for poly proto just
+ by construction. This just hardcodes this assumption throughout the codebase.
+ This appears to be a 1% speedometer progression in my testing.
+
+ The downside of this patch is that it may require changing how we do
+ things when we implement poly proto when inheriting from builtin
+ types. I think we can face this problem when we decide to implement
+ that.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_instanceof):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_instanceof):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::setPrototypeDirect):
+ * runtime/JSObject.h:
+ (JSC::JSObject::locationForOffset const):
+ (JSC::JSObject::locationForOffset):
+ (JSC::JSObject::getDirect const):
+ * runtime/PropertyOffset.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::create):
+ (JSC::Structure::dump const):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::storedPrototype const):
+ (JSC::Structure::storedPrototypeObject const):
+
+2017-10-19 Saam Barati
+
+ Turn various poly proto RELEASE_ASSERTs into ASSERTs because they're on the hot path in speedometer
+ https://bugs.webkit.org/show_bug.cgi?id=178529
+
+ Reviewed by Mark Lam.
+
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::storedPrototypeObject const):
+ (JSC::Structure::storedPrototypeStructure const):
+ (JSC::Structure::storedPrototype const):
+ (JSC::Structure::prototypeForLookup const):
+ (JSC::Structure::prototypeChain const):
+
+2017-10-19 Saam Barati
+
+ Turn poly proto back on by default and remove the option
+ https://bugs.webkit.org/show_bug.cgi?id=178525
+
+ Reviewed by Mark Lam.
+
+ I added this option because I thought it'd speed speedometer up because the
+ original poly proto patch slowed speedometer down. It turns out that
+ allocating poly proto objects is not what slows speedometer down. It's
+ other code I added in the runtime that needs to be poly proto aware. I'll
+ be addressing these in follow up patches.
+
+ * runtime/Options.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::shouldConvertToPolyProto):
+
+2017-10-19 Robin Morisset
+
+ Turn recursive tail calls into loops
+ https://bugs.webkit.org/show_bug.cgi?id=176601
+
+ Reviewed by Saam Barati.
+
+ We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
+ One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
+ Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
+ We do this part through modifying the computation of the jump targets.
+ Importantly, we only do this splitting for functions that have tail calls.
+ It is the only case where the optimisation is sound, and doing the splitting unconditionnaly destroys performance on Octane/raytrace.
+
+ We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
+ The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::hasTailCalls const):
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::getJumpTargetsForBytecodeOffset):
+ (JSC::computePreciseJumpTargetsInternal):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::hasTailCalls const):
+ (JSC::UnlinkedCodeBlock::setHasTailCalls):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEnter):
+ (JSC::BytecodeGenerator::emitCallInTailPosition):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
+ (JSC::DFG::ByteCodeParser::makeBlockTargetable):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+
+2017-10-18 Mark Lam
+
+ RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
+ https://bugs.webkit.org/show_bug.cgi?id=177600
+
+
+ Reviewed by Saam Barati.
+
+ According to http://www.ecma-international.org/ecma-262/8.0/#sec-validateandapplypropertydescriptor,
+ section 9.1.6.3-7.a.ii, we should only check if the value is the same if the
+ descriptor value is present.
+
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::defineOwnProperty):
+
+2017-10-18 Keith Miller
+
+ Setup WebCore build to start using unified sources.
+ https://bugs.webkit.org/show_bug.cgi?id=178362
+
+ Reviewed by Tim Horton.
+
+ Change comments in source list files. Also, pass explicit names for build files.
+
+ * CMakeLists.txt:
+ * PlatformGTK.cmake:
+ * PlatformMac.cmake:
+ * Sources.txt:
+ * SourcesGTK.txt:
+ * SourcesMac.txt:
+
+2017-10-18 Commit Queue
+
+ Unreviewed, rolling out r223321.
+ https://bugs.webkit.org/show_bug.cgi?id=178476
+
+ This protocol change broke some internal builds (Requested by
+ brrian__ on #webkit).
+
+ Reverted changeset:
+
+ "Web Inspector: provide a way to enable/disable event
+ listeners"
+ https://bugs.webkit.org/show_bug.cgi?id=177451
+ https://trac.webkit.org/changeset/223321
+
+2017-10-18 Mark Lam
+
+ The compiler should always register a structure when it adds its transitionWatchPointSet.
+ https://bugs.webkit.org/show_bug.cgi?id=178420
+
+
+ Reviewed by Saam Barati and Filip Pizlo.
+
+ Instead of invoking addLazily() to add a structure's transitionWatchpointSet, we
+ now invoke Graph::registerAndWatchStructureTransition() on the structure.
+ registerAndWatchStructureTransition() both registers the structure and add its
+ transitionWatchpointSet to the plan desired watchpoints.
+
+ Graph::registerAndWatchStructureTransition() is based on Graph::registerStructure()
+ except registerAndWatchStructureTransition() adds the structure's
+ transitionWatchpointSet unconditionally.
+
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine const):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::registerAndWatchStructureTransition):
+ * dfg/DFGGraph.h:
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ - The second set of addLazily()s is redundant. This set is executed only when
+ prototypeChainIsSane is true, and prototypeChainIsSane can only be true if and
+ only if we've executed the if statement above it. That preceding if statement
+ already registerAndWatchStructureTransition() the same 2 structures. Hence,
+ this second set can be deleted.
+
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::addLazily):
+ - Deleted an unused function.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
+
+2017-10-18 Yusuke Suzuki
+
+ [JSC] Remove unused private name structure
+ https://bugs.webkit.org/show_bug.cgi?id=178436
+
+ Reviewed by Sam Weinig.
+
+ It is no longer used. This patch just removes it.
+
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::numberObjectStructure const):
+ (JSC::JSGlobalObject::privateNameStructure const): Deleted.
+
+2017-10-18 Ryosuke Niwa
+
+ Fix macOS and iOS builds after r223594.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2017-10-18 Yusuke Suzuki
+
+ [JSC] __proto__ getter should be fast
+ https://bugs.webkit.org/show_bug.cgi?id=178067
+
+ Reviewed by Saam Barati.
+
+ In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
+ Currently, it is handled as an usual getter call to a generic function. And DFG just emits
+ Call node for this. It is inefficient since typically we know the `prototype` of the given
+ object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
+ If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
+ we can still change this to efficient access to poly proto slot.
+
+ This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
+ the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
+ ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
+ constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
+ This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
+ for ARES-6 ML.
+
+ And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.
+
+ Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
+ poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
+ Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.
+
+ This patch improves SixSpeed super.es6 by 3.42x.
+
+ baseline patched
+
+ super.es6 123.6666+-3.9917 ^ 36.1684+-1.0351 ^ definitely 3.4192x faster
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::shouldSpeculateFunction):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateFunction):
+ (JSC::DFG::SpeculativeJIT::speculateFinalObject):
+ (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+ * jit/JITOperations.h:
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::booleanPrototype const):
+ (JSC::JSGlobalObject::numberPrototype const):
+ (JSC::JSGlobalObject::booleanObjectStructure const):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ * runtime/JSGlobalObjectFunctions.h:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/ReflectObject.cpp:
+
+2017-10-17 Ryan Haddad
+
+ Unreviewed, rolling out r223523.
+
+ A test for this change is failing on debug JSC bots.
+
+ Reverted changeset:
+
+ "[JSC] __proto__ getter should be fast"
+ https://bugs.webkit.org/show_bug.cgi?id=178067
+ https://trac.webkit.org/changeset/223523
+
+2017-10-17 Youenn Fablet
+
+ Add preliminary support for fetch event
+ https://bugs.webkit.org/show_bug.cgi?id=178171
+
+ Reviewed by Chris Dumez.
+
+ Adding events
+
+ * runtime/JSPromise.h:
+
+2017-10-10 Yusuke Suzuki
+
+ [JSC] __proto__ getter should be fast
+ https://bugs.webkit.org/show_bug.cgi?id=178067
+
+ Reviewed by Saam Barati.
+
+ In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
+ Currently, it is handled as an usual getter call to a generic function. And DFG just emits
+ Call node for this. It is inefficient since typically we know the `prototype` of the given
+ object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
+ If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
+ we can still change this to efficient access to poly proto slot.
+
+ This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
+ the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
+ ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
+ constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
+ This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
+ for ARES-6 ML.
+
+ And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.
+
+ Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
+ poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
+ Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.
+
+ This patch improves SixSpeed super.es6 by 3.42x.
+
+ baseline patched
+
+ super.es6 123.6666+-3.9917 ^ 36.1684+-1.0351 ^ definitely 3.4192x faster
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::shouldSpeculateFunction):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateFunction):
+ (JSC::DFG::SpeculativeJIT::speculateFinalObject):
+ (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ * runtime/JSGlobalObjectFunctions.h:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/ReflectObject.cpp:
+
+2017-10-17 Keith Miller
+
+ Change WebCore sources to work with unified source builds
+ https://bugs.webkit.org/show_bug.cgi?id=178229
+
+ Rubber stamped by Tim Horton.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-10-15 Filip Pizlo
+
+ Make some asserts into release asserts
+ https://bugs.webkit.org/show_bug.cgi?id=178324
+
+ Reviewed by Saam Barati.
+
+ These asserts are not on perf critical paths, so they might as well be release asserts.
+
+ * runtime/DataView.h:
+ (JSC::DataView::get):
+ (JSC::DataView::set):
+
+2017-10-16 JF Bastien
+
+ JSRunLoopTimer: reduce likely race when used improperly
+ https://bugs.webkit.org/show_bug.cgi?id=178298
+
+
+ Reviewed by Saam Barati.
+
+ If an API user sets a timer on JSRunLoopTimer, and then racily
+ destroys the JSRunLoopTimer while the timer is firing then it's
+ possible for timerDidFire to cause a use-after-free and / or crash
+ because e.g. m_apiLock becomes a nullptr while timerDidFire is
+ executing. That results from an invalid use of JSRunLoopTimer, but
+ we should try to be more resilient for that type of misuse because
+ it's not necessarily easy to catch by inspection.
+
+ With this change the only remaining race is if the timer fires,
+ and then only timerDidFire's prologue executes, but not the load
+ of the m_apiLock pointer from `this`. It's a much smaller race.
+
+ Separately, I'll reach out to API users who are seemingly misusing
+ the API.
+
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::JSRunLoopTimer::timerDidFire): put m_apiLock on the stack,
+ and checks for nullptr. This prevents loading it twice off of
+ `this` and turns a nullptr deref into "just" a use-after-free.
+ (JSC::JSRunLoopTimer::~JSRunLoopTimer): acquire m_apiLock before
+ calling m_vm->unregisterRunLoopTimer(this), which in turn does
+ CFRunLoopRemoveTimer / CFRunLoopTimerInvalidate. This prevents
+ timerDidFire from doing much while the timers are un-registered.
+ ~JSRunLoopTimer also needs to set m_apiLock to nullptr before
+ releasing the lock, so it needs its own local copy.
+
+2017-10-15 Yusuke Suzuki
+
+ [JSC] Perform module specifier validation at parsing time
+ https://bugs.webkit.org/show_bug.cgi?id=178256
+
+ Reviewed by Darin Adler.
+
+ This patch make module loader's `resolve` operation synchronous. And we validate
+ module's requested module names when instantiating the module instead of satisfying
+ module's dependencies. This change is not observable to users. But this is precise
+ to the spec and this optimizes & simplifies the current module loader a bit by
+ reducing object allocations.
+
+ Previously, we have an object called pair in the module loader. This is pair of
+ module's name and module's record. And we use it to link one module to dependent
+ modules. Now, it is replaced with module's registry entry.
+
+ We also change our loader functions to take a registry entry instead of a module key.
+ Previous design is due to the consideration that these APIs may be exposed to users
+ in whatwg/loader spec. However, this won't happen. This change removes unnecessary
+ repeatedly hash map lookups.
+
+ * builtins/ModuleLoaderPrototype.js:
+ (globalPrivate.newRegistryEntry):
+ (requestFetch):
+ (requestInstantiate):
+ (requestSatisfy):
+ (link):
+ (moduleEvaluation):
+ (loadModule):
+ * jsc.cpp:
+ (GlobalObject::moduleLoaderResolve):
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::finishCreation):
+ (JSC::AbstractModuleRecord::hostResolveImportedModule):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::resolveSync):
+ (JSC::JSModuleLoader::resolve):
+ * runtime/JSModuleLoader.h:
+ * runtime/ModuleLoaderPrototype.cpp:
+ (JSC::moduleLoaderPrototypeResolveSync):
+
+2017-10-14 Devin Rousso
+
+ Web Inspector: provide a way to enable/disable event listeners
+ https://bugs.webkit.org/show_bug.cgi?id=177451
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/protocol/DOM.json:
+ Add `setEventListenerDisabled` command that enables/disables a specific event listener
+ during event dispatch. When a disabled event listener is fired, the listener's callback will
+ not be called.
+
+2017-10-14 Yusuke Suzuki
+
+ Reland "Add Above/Below comparisons for UInt32 patterns"
+ https://bugs.webkit.org/show_bug.cgi?id=177281
+
+ Reviewed by Saam Barati.
+
+ We reland this patch without DFGStrengthReduction change to see what causes
+ regression in the iOS bot.
+
+ Sometimes, we would like to have UInt32 operations in JS. While VM does
+ not support UInt32 nicely, VM supports efficient Int32 operations. As long
+ as signedness does not matter, we can just perform Int32 operations instead
+ and recognize its bit pattern as UInt32.
+
+ But of course, some operations respect signedness. The most frequently
+ used one is comparison. Octane/zlib performs UInt32 comparison by performing
+ `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces
+ UInt32 in Int32 form. And op_unsigned will generate Double value if
+ the generated Int32 is < 0 (which should be UInt32).
+
+ There is a chance for optimization. The given code pattern is the following.
+
+ op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2))
+
+ This can be converted to the following.
+
+ op_urshift(@1) below:< op_urshift(@2)
+
+ The above conversion is nice since
+
+ 1. We can avoid op_unsigned. This could be unsignedness check in DFG. Since
+ this check depends on the value of Int32, dropping this check is not as easy as
+ removing Int32 edge filters.
+
+ 2. We can perform unsigned comparison in Int32 form. We do not need to convert
+ them to DoubleRep.
+
+ Since the above comparison exists in Octane/zlib's *super* hot path, dropping
+ op_unsigned offers huge win.
+
+ At first, my patch attempts to convert the above thing in DFG pipeline.
+ However it poses several problems.
+
+ 1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live.
+ 2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes,
+
+ 2: UInt32ToNumber(@0)
+ 3: MovHint(@2, xxx)
+ 4: UInt32ToNumber(@1)
+ 5: MovHint(@1, xxx)
+
+ we could drop @5's MovHint. But @3 is difficult since @4 can exit.
+
+ So, instead, we start introducing a simple optimization in the bytecode compiler.
+ It performs pattern matching for op_urshift and comparison to drop op_unsigned.
+ We adds op_below and op_above families to bytecodes. They only accept Int32 and
+ perform unsigned comparison.
+
+ This offers 4% performance improvement in Octane/zlib.
+
+ baseline patched
+
+ zlib x2 431.07483+-16.28434 414.33407+-9.38375 might be 1.0404x faster
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::printCompareJump):
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeDumper.h:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/Opcode.h:
+ (JSC::isBranch):
+ * bytecode/PreciseJumpTargetsInlines.h:
+ (JSC::extractStoredJumpTargetsForBytecodeOffset):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitJumpIfTrue):
+ (JSC::BytecodeGenerator::emitJumpIfFalse):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BinaryOpNode::emitBytecode):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCompareUnsigned):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGValidate.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_below):
+ (JSC::JIT::emit_op_beloweq):
+ (JSC::JIT::emit_op_jbelow):
+ (JSC::JIT::emit_op_jbeloweq):
+ (JSC::JIT::emit_compareUnsignedAndJump):
+ (JSC::JIT::emit_compareUnsigned):
+ * jit/JITArithmetic32_64.cpp:
+ (JSC::JIT::emit_compareUnsignedAndJump):
+ (JSC::JIT::emit_compareUnsigned):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * parser/Nodes.h:
+ (JSC::ExpressionNode::isBinaryOpNode const):
+
+2017-10-12 Yusuke Suzuki
+
+ WebAssembly: Wasm functions should have either JSFunctionType or TypeOfShouldCallGetCallData
+ https://bugs.webkit.org/show_bug.cgi?id=178210
+
+ Reviewed by Saam Barati.
+
+ In Wasm, we have two JS functions exposed to users: WebAssemblyFunction and WebAssemblyWrapperFunction.
+ The former is an exported wasm function and the latter is an imported & exported function. Since they
+ have [[Call]], they should be categorized into "function" in typeof operation.
+
+ However, these functions do not implement our function protocol correctly. They inherit JSFunction.
+ But JSType of WebAssemblyFunction is WebAssemblyFunctionType, and one of WebAssemblyWrapperFunction is
+ ObjectType. Since both do not have TypeOfShouldCallGetCallData, they return "object" when performing
+ typeof operation.
+
+ In this patch, we address the above issue by the following 2 fixes.
+
+ 1. We add TypeOfShouldCallGetCallData to WebAssemblyFunction. This is the same way how we implement
+ InternalFunction. Since WebAssemblyFunction requires WebAssemblyFunctionType for fast checking in Wasm
+ implementation, we cannot make this JSFunctionType.
+
+ 2. On the other hand, WebAssemblyWrapperFunction does not require a specific JSType. So this patch
+ changes JSType of WebAssemblyWrapperFunction to JSFunctionType. JSFunctionType can be usable for derived
+ classes of JSFunction (e.g. JSCustomGetterSetterFunction).
+
+ * wasm/js/WebAssemblyFunction.h:
+ (JSC::WebAssemblyFunction::signatureIndex const): Deleted.
+ (JSC::WebAssemblyFunction::wasmEntrypointLoadLocation const): Deleted.
+ (JSC::WebAssemblyFunction::callableFunction const): Deleted.
+ (JSC::WebAssemblyFunction::jsEntrypoint): Deleted.
+ (JSC::WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation): Deleted.
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::createStructure):
+ * wasm/js/WebAssemblyWrapperFunction.h:
+ (JSC::WebAssemblyWrapperFunction::signatureIndex const): Deleted.
+ (JSC::WebAssemblyWrapperFunction::wasmEntrypointLoadLocation const): Deleted.
+ (JSC::WebAssemblyWrapperFunction::callableFunction const): Deleted.
+ (JSC::WebAssemblyWrapperFunction::function): Deleted.
+
+2017-10-12 Per Arne Vollan
+
+ [Win64] JSC compile error.
+ https://bugs.webkit.org/show_bug.cgi?id=178213
+
+ Reviewed by Alex Christensen.
+
+ Add static cast from int64 to uintptr_t.
+
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::executeOSRExit):
+
+2017-09-29 Filip Pizlo
+
+ Enable gigacage on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=177586
+
+ Reviewed by JF Bastien.
+
+ The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
+ executing JS, so the LLInt needs to know how to load from global variables on all platforms that
+ have Gigacage. So, this teaches ARM64 how to load from global variables.
+
+ Also, this makes the code handle disabling the gigacage a bit better.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cage):
+ (JSC::AssemblyHelpers::cageConditionally):
+ * offlineasm/arm64.rb:
+ * offlineasm/asm.rb:
+ * offlineasm/instructions.rb:
+
+2017-10-11 Sam Weinig
+
+ Remove out-parameter variants of copyToVector
+ https://bugs.webkit.org/show_bug.cgi?id=178155
+
+ Reviewed by Tim Horton.
+ + * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): + (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): + (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): + (Inspector::ScriptDebugServer::dispatchDidParseSource): + (Inspector::ScriptDebugServer::dispatchFailedToParseSource): + (Inspector::ScriptDebugServer::dispatchFunctionToListeners): + + Replace out-parameter based copyToVector, with one that returns a Vector. + +2017-10-12 Yusuke Suzuki + + Support integrity="" on module scripts + https://bugs.webkit.org/show_bug.cgi?id=177959 + + Reviewed by Sam Weinig. + + This patch adds Subresource Integrity check for module scripts. Currently, + only top-level module can be verified with integrity parameter since there + is no way to perform integrity check onto the imported modules. + + In JSC side, we add `parameters` to the entry point of the module loader + pipeline. This is fetching parameters and used when fetching modules. + + We separately pass this parameters to the pipeline along with the script fetcher. + The script fetcher is only one for module graph since this is the initiator of + this module graph loading. On the other hand, this parameters is for each + module fetching. While setting "integrity" parameters to this script fetcher is + sufficient to pass parameters to top-level-module's fetching, it is not enough + for the future extension. + + In the future, we will investigate a way to pass parameters to each non-top-level + module. At that time, this `parameters` should be per-module. This is because + "integrity" value should be different for each module. For example, we will accept + some form of syntax to add parameters to `import`. Some proposed syntax is like + https://discourse.wicg.io/t/specifying-nonce-or-integrity-when-importing-modules/1861 + + import "./xxx.js" integrity "xxxxxxx" + + In this case, this `parameters` will be passed to "./xxx.js" module fetching. 
This + `parameters` should be different from the one of top-level-module's one. That's why + we need per-module `parameters` and why this patch adds `parameters` to the module pipeline. + + On the other hand, we also want to keep script fetcher. This `per-module-graph` thing + is important to offer module-graph-wide information. For example, import.meta would + have `import.meta.scriptElement`, which is the script element fetching the module graph + including this. So, we keep the both, script fetcher and parameters. + https://github.com/tc39/proposal-import-meta + + This parameters will be finally used by pipeline's fetch hook, and WebCore side + can use this parameters to fetch modules. + + We also further clean up the module pipeline by dropping unnecessary features. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * builtins/ModuleLoaderPrototype.js: + (requestFetch): + (requestInstantiate): + (requestSatisfy): + (loadModule): + (loadAndEvaluateModule): + This loadAndEvaluateModule should be implemented by just calling loadModule and + linkAndEvaluateModule. We can drop requestReady and requestLink. + + (requestLink): Deleted. + (requestImportModule): Deleted. + * jsc.cpp: + (GlobalObject::moduleLoaderImportModule): + (GlobalObject::moduleLoaderFetch): + import and fetch hook takes parameters. Currently, we always pass `undefined` for + import hook. When dynamic `import()` is extended to accept additional parameters + like integrity, this parameters will be replaced with the actual value. 
+ + (functionLoadModule): + (runWithOptions): + * runtime/Completion.cpp: + (JSC::loadAndEvaluateModule): + (JSC::loadModule): + (JSC::importModule): + * runtime/Completion.h: + * runtime/JSGlobalObject.h: + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncImportModule): + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::loadAndEvaluateModule): + (JSC::JSModuleLoader::loadModule): + (JSC::JSModuleLoader::requestImportModule): + (JSC::JSModuleLoader::importModule): + (JSC::JSModuleLoader::fetch): + * runtime/JSModuleLoader.h: + * runtime/JSScriptFetchParameters.cpp: Added. + (JSC::JSScriptFetchParameters::destroy): + * runtime/JSScriptFetchParameters.h: Added. + (JSC::JSScriptFetchParameters::createStructure): + (JSC::JSScriptFetchParameters::create): + (JSC::JSScriptFetchParameters::parameters const): + (JSC::JSScriptFetchParameters::JSScriptFetchParameters): + Add ScriptFetchParameters' JSCell wrapper, JSScriptFetchParameters. + It is used in the module pipeline. + + * runtime/JSType.h: + * runtime/ModuleLoaderPrototype.cpp: + (JSC::moduleLoaderPrototypeFetch): + * runtime/ScriptFetchParameters.h: Added. + (JSC::ScriptFetchParameters::~ScriptFetchParameters): + Add ScriptFetchParameters. We can define our own custom ScriptFetchParameters + by inheriting this class. WebCore creates ModuleFetchParameters by inheriting + this. + + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-10-11 Yusuke Suzuki + + import.meta should not be assignable + https://bugs.webkit.org/show_bug.cgi?id=178202 + + Reviewed by Saam Barati. + + `import.meta` cannot be used for LHS. This patch adds MetaPropertyNode + and make NewTargetNode and ImportMetaNode as derived classes of MetaPropertyNode. + We change the parser not to allow assignments for MetaPropertyNode. 
+ + * bytecompiler/NodesCodegen.cpp: + (JSC::ImportMetaNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createImportMetaExpr): + (JSC::ASTBuilder::isMetaProperty): + (JSC::ASTBuilder::isImportMeta): + * parser/NodeConstructors.h: + (JSC::MetaPropertyNode::MetaPropertyNode): + (JSC::NewTargetNode::NewTargetNode): + (JSC::ImportMetaNode::ImportMetaNode): + * parser/Nodes.h: + (JSC::ExpressionNode::isMetaProperty const): + (JSC::ExpressionNode::isImportMeta const): + * parser/Parser.cpp: + (JSC::Parser::metaPropertyName): + (JSC::Parser::parseAssignmentExpression): + (JSC::Parser::parseMemberExpression): + (JSC::Parser::parseUnaryExpression): + * parser/Parser.h: + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createImportMetaExpr): + (JSC::SyntaxChecker::isMetaProperty): + (JSC::SyntaxChecker::isImportMeta): + +2017-10-11 Saam Barati + + Runtime disable poly proto because it may be a 3-4% Speedometer regression + https://bugs.webkit.org/show_bug.cgi?id=178192 + + Reviewed by JF Bastien. + + * runtime/Options.h: + * runtime/StructureInlines.h: + (JSC::Structure::shouldConvertToPolyProto): + +2017-10-11 Commit Queue + + Unreviewed, rolling out r223113 and r223121. + https://bugs.webkit.org/show_bug.cgi?id=178182 + + Reintroduced 20% regression on Kraken (Requested by rniwa on + #webkit). + + Reverted changesets: + + "Enable gigacage on iOS" + https://bugs.webkit.org/show_bug.cgi?id=177586 + https://trac.webkit.org/changeset/223113 + + "Use one virtual allocation for all gigacages and their + runways" + https://bugs.webkit.org/show_bug.cgi?id=178050 + https://trac.webkit.org/changeset/223121 + +2017-10-11 Michael Saboff + + Update JavaScriptCore/ucd/CaseFolding.txt to Unicode database 10.0 + https://bugs.webkit.org/show_bug.cgi?id=178106 + + Reviewed by Keith Miller. 
+ + * ucd/CaseFolding.txt: + +2017-10-11 Caio Lima + + Object properties are undefined in super.call() but not in this.call() + https://bugs.webkit.org/show_bug.cgi?id=177230 + + Reviewed by Saam Barati. + + Bytecode generation for "super.call(...)" or "super.apply(...)" + shouldn't be considered as CallFunctionCallDotNode or + ApplyFunctionCallDotNode because they should be considered as common + super property access as any other function. According to spec[1], + "super" is not refering to parent constructor. + + [1] - https://tc39.github.io/ecma262/#sec-super-keyword-runtime-semantics-evaluation + + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeFunctionCallNode): + * parser/Parser.cpp: + (JSC::Parser::parseMemberExpression): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::makeFunctionCallNode): + +2017-10-11 Yusuke Suzuki + + [JSC] Drop Instantiate hook in ES6 module loader + https://bugs.webkit.org/show_bug.cgi?id=178162 + + Reviewed by Sam Weinig. + + This patch is a part of patch series for module loader refactoring to adopt + integrity="" parameters and introduce new whatwg module import mechanism. + + In this patch, we drop instantiate hook in module loader. This hook is originally + introduced because it is defined in whatwg/loader spec. But this hook is not + used in our implementation, and this hook won't be used since (1) whatwg/loader + spec is abandoned, and (2) this type of hooks should be done in Service Workers. + + In addition, this patch applies some cleaning up of our module loader JS code + to simplify things. This change paves the way to more efficient loader implementation + with great flexibility to adopt integrity="" parameters. + + * builtins/ModuleLoaderPrototype.js: + (requestInstantiate): + (provideFetch): + provide is changed to provideFetch since we only used this function with Fetch stage parameter. + + (fulfillInstantiate): Deleted. + (commitInstantiated): Deleted. + (instantiation): Deleted. 
+ They are merged into requestInstantiate code. This is simpler. + + (provide): Deleted. + * jsc.cpp: + * runtime/Completion.cpp: + (JSC::loadAndEvaluateModule): + (JSC::loadModule): + * runtime/JSGlobalObject.cpp: + * runtime/JSGlobalObject.h: + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::provideFetch): + (JSC::JSModuleLoader::provide): Deleted. + Changed to provideFetch. + + (JSC::JSModuleLoader::instantiate): Deleted. + Drop this hook. + + * runtime/JSModuleLoader.h: + * runtime/ModuleLoaderPrototype.cpp: + (JSC::moduleLoaderPrototypeInstantiate): Deleted. + Drop this hook. + +2017-10-10 Saam Barati + + Prototype structure transition should be a deferred transition + https://bugs.webkit.org/show_bug.cgi?id=177734 + + Reviewed by Keith Miller. + + Absence ObjectPropertyConditions work by verifying both that the Structure + does not have a particular property and that its prototype has + remained constant. However, the prototype transition was firing + the transition watchpoint before setting the object's structure. + This meant that isValid for Absence would never return false because + the prototype changed. Clearly this is wrong. The reason this didn't + break OPCs in general is that we'd also check if we could still watch + the OPC. In this case, we can't still watch it because we're inspecting + a structure with an invalidated transition watchpoint. To fix + this weird quirk of the code, I'm making it so that doing a prototype + transition uses the DeferredStructureTransitionWatchpointFire machinery. + + This patch also fixes some dead code that I left in regarding + poly proto in OPC. 
+ + * bytecode/PropertyCondition.cpp: + (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): + * runtime/JSObject.cpp: + (JSC::JSObject::setPrototypeDirect): + * runtime/Structure.cpp: + (JSC::Structure::changePrototypeTransition): + * runtime/Structure.h: + +2017-10-10 Robin Morisset + + Avoid allocating useless landingBlocks in DFGByteCodeParser::handleInlining() + https://bugs.webkit.org/show_bug.cgi?id=177926 + + Reviewed by Saam Barati. + + When doing polyvariant inlining, there used to be a landing block for each callee, each of which was then linked to a continuation block. + With this change, we allocate the continuation block first, and pass it to the inlining routine so that op_ret in the callee link directly to it. + The only subtlety is that when inlining an intrinsic we must do the jump by hand, and also remember to call processSetLocalQueue with nextOffset before it. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::attemptToInlineCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + (JSC::DFG::ByteCodeParser::parse): + +2017-10-10 Guillaume Emont + + Fix compilation when MASM_PROBE (and therefore DFG) are disabled + https://bugs.webkit.org/show_bug.cgi?id=178134 + + Reviewed by Saam Barati. + + * bytecode/CodeBlock.cpp: + * bytecode/CodeBlock.h: + Disable some code when building without DFG_JIT. + +2017-10-10 Sam Weinig + + Replace copyKeysToVector/copyValuesToVector with copyToVector(map.keys())/copyToVector(map.values()) + https://bugs.webkit.org/show_bug.cgi?id=178102 + + Reviewed by Tim Horton. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState): + +2017-10-10 Michael Saboff + + Unreviewed build fix. + + Removed unused lambda capture. 
+ + * yarr/YarrPattern.cpp: + (JSC::Yarr::CharacterClassConstructor::appendInverted): + +2017-10-10 Saam Barati + + The prototype cache should be aware of the Executable it generates a Structure for + https://bugs.webkit.org/show_bug.cgi?id=177907 + + Reviewed by Filip Pizlo. + + This patch renames PrototypeMap to StructureCache because + it is no longer a map of the prototypes in the VM. It's + only used to cache Structures during object construction. + + The main change of this patch is to guarantee that Structures generated + by the create_this originating from different two different Executables' + bytecode won't hash-cons to the same thing. Previously, we could hash-cons + them depending on the JSObject* prototype pointer. This would cause the last + thing that hash-consed to overwrite the Structure's poly proto watchpoint. This + happened because when we initialize a JSFunction's ObjectAllocationProfile, + we set the resulting Structure's poly proto watchpoint. This could cause a Structure + generating from some Executable e1 to end up with the poly proto watchpoint + for another Executable e2 simply because JSFunctions backed by e1 and e2 + shared the same prototype. Then, based on profiling information, we may fire the + wrong Executable's poly proto watchpoint. This patch fixes this bug by + guaranteeing that Structures generating from create_this for different + Executables are unique even if they share the same prototype by adding + the FunctionExecutable* as another field in PrototypeKey. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/InternalFunctionAllocationProfile.h: + (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase): + * bytecode/ObjectAllocationProfile.cpp: + (JSC::ObjectAllocationProfile::initializeProfile): + * dfg/DFGOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::createSubclassStructureSlow): + * runtime/IteratorOperations.cpp: + (JSC::createIteratorResultObjectStructure): + * runtime/JSBoundFunction.cpp: + (JSC::getBoundFunctionStructure): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/ObjectConstructor.h: + (JSC::constructEmptyObject): + * runtime/PrototypeKey.h: + (JSC::PrototypeKey::PrototypeKey): + (JSC::PrototypeKey::executable const): + (JSC::PrototypeKey::operator== const): + (JSC::PrototypeKey::hash const): + * runtime/PrototypeMap.cpp: Removed. + * runtime/PrototypeMap.h: Removed. + * runtime/StructureCache.cpp: Copied from Source/JavaScriptCore/runtime/PrototypeMap.cpp. + (JSC::StructureCache::createEmptyStructure): + (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure): + (JSC::StructureCache::emptyObjectStructureForPrototype): + (JSC::PrototypeMap::createEmptyStructure): Deleted. + (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure): Deleted. + (JSC::PrototypeMap::emptyObjectStructureForPrototype): Deleted. + * runtime/StructureCache.h: Copied from Source/JavaScriptCore/runtime/PrototypeMap.h. + (JSC::StructureCache::StructureCache): + (JSC::PrototypeMap::PrototypeMap): Deleted. + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-10-09 Yusuke Suzuki + + `async` should be able to be used as an imported binding name + https://bugs.webkit.org/show_bug.cgi?id=176573 + + Reviewed by Saam Barati. + + Previously, we have ASYNC keyword in the parser. 
This is introduced only for performance, + and ECMA262 spec does not categorize "async" to keyword. This makes parser code complicated, + since ASYNC should be handled as IDENT. If we missed this ASYNC keyword, we cause a bug. + For example, import declaration failed to bind imported binding to the name "async" because + the parser considered ASYNC as keyword. + + This patch removes ASYNC keyword from the parser. By carefully handling ASYNC, we can keep + the current performance without using this ASYNC keyword. + + We also add `escaped` field to token data since contextual keyword is valid only if it does + not contain any escape sequences. We fix bunch of contextual keyword use with this fix too + e.g. `of in for-of`. This improves test262 score. + + * parser/Keywords.table: + * parser/Lexer.cpp: + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifierSlowCase): + * parser/Parser.cpp: + (JSC::Parser::parseStatementListItem): + (JSC::Parser::parseForStatement): + (JSC::Parser::parseStatement): + (JSC::Parser::maybeParseAsyncFunctionDeclarationStatement): + (JSC::Parser::parseClass): + (JSC::Parser::parseExportDeclaration): + (JSC::Parser::parseAssignmentExpression): + (JSC::Parser::parseProperty): + (JSC::Parser::parsePrimaryExpression): + (JSC::Parser::parseMemberExpression): + (JSC::Parser::printUnexpectedTokenText): + * parser/Parser.h: + (JSC::Parser::matchContextualKeyword): + * parser/ParserTokens.h: + * runtime/CommonIdentifiers.h: + +2017-10-09 Saam Barati + + We don't need to clearEmptyObjectStructureForPrototype because JSGlobalObject* is part of the cache's key + https://bugs.webkit.org/show_bug.cgi?id=177987 + + Reviewed by Filip Pizlo. + + * runtime/JSProxy.cpp: + (JSC::JSProxy::setTarget): + * runtime/PrototypeMap.cpp: + (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype): Deleted. 
+ * runtime/PrototypeMap.h: + +2017-10-09 Filip Pizlo + + JSCell::didBecomePrototype is racy + https://bugs.webkit.org/show_bug.cgi?id=178110 + + Reviewed by Saam Barati. + + The indexing type can be modified by any thread using CAS. So, we need to use atomics when + modifying it. We don't need to use atomics when reading it though (since it's just one field). + + * runtime/JSCellInlines.h: + (JSC::JSCell::didBecomePrototype): + +2017-09-29 Filip Pizlo + + Enable gigacage on iOS + https://bugs.webkit.org/show_bug.cgi?id=177586 + + Reviewed by JF Bastien. + + The hardest part of enabling Gigacage on iOS is that it requires loading global variables while + executing JS, so the LLInt needs to know how to load from global variables on all platforms that + have Gigacage. So, this teaches ARM64 how to load from global variables. + + Also, this makes the code handle disabling the gigacage a bit better. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::caged): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cage): + (JSC::AssemblyHelpers::cageConditionally): + * offlineasm/arm64.rb: + * offlineasm/asm.rb: + * offlineasm/instructions.rb: + +2017-10-09 Robin Morisset + + Evaluate the benefit of skipping dead code in the DFGByteCodeParser when a function returns in its first block + https://bugs.webkit.org/show_bug.cgi?id=177925 + + Reviewed by Saam Barati. + + We used to do a rather weird "optimisation" in the bytecode parser: when a function would return in its first block, + the rest of the function was skipped. Since it has no actual impact on any benchmarks from what I could see, I removed + that code. It allows some changes to parseBlock(), since it now returns void and no-longer bool (it was returning a boolean that said whether that case happened or not). 
+ + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + +2017-10-09 Robin Morisset + + Refactor the inliner to simplify block linking + https://bugs.webkit.org/show_bug.cgi?id=177922 + + Reviewed by Saam Barati. + + The biggest refactor changes the way blocks are linked. In DFGByteCodeParser, most terminals (such as Jump or Branch) jump to nullptr initially, and have + some metadata indicating the bytecode index corresponding to their targets. They are later linked to the right basic block using two fields of InlineStackEntry: + - m_unlinkedBlocks is just a worklist of blocks with a terminal that needs to be linked + - m_linkingTargets is a dictionary from bytecode indices to BasicBlock* + Before refactoring, every block was automatically added to both of these fields, for the InlineStackEntry of whatever function allocated it. + This created a significant number of corner cases, such as blocks allocated in a caller, with a terminal written by an inlined callee and pointing to a block in the callee, + or blocks allocated in an inline callee, with a terminal written by the caller after it returns and pointing to a block in the caller, or blocks with a manually linked + terminal that needs to be taken off m_unlinkedBlocks. + I changed things so that blocks are only added to m_unlinkedBlocks when their terminal gets written (see the LAST_OPCODE macro) making it a lot easier to be in the "right" InlineStackEntry, + that is the one that holds their target in its m_linkingTargets field. 
+ + There are a few much smaller refactors in this patch: + - parse() is now of type void insted of bool (it was always returning true) + - The 7 and 8 arguments of handleCall were inlined in its 3 arguments version for readability + - The 9 argument version was cleaned up and simplified + - I made separate allocateBlock routines because the little dance with adoptRef(* new BasicBlock(...)) was being repeated in lots of places, and typos in that were a major source of bugs during other refactorings + - Jumps are now created with explicit addJumpTo() functions, providing some sanity checking through asserts and didLink() + - Blocks are only added to m_unlinkedBlocks if they end in a terminal that linkBlock works with (see LAST_OPCODE) + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::addToGraph): + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::refineStatically): + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + (JSC::DFG::ByteCodeParser::handleVarargsCall): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::attemptToInlineCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + (JSC::DFG::ByteCodeParser::parse): + (JSC::DFG::parse): + (JSC::DFG::ByteCodeParser::cancelLinkingForBlock): Deleted. + * dfg/DFGByteCodeParser.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + +2017-10-09 Michael Saboff + + Implement RegExp Unicode property escapes + https://bugs.webkit.org/show_bug.cgi?id=172069 + + Reviewed by JF Bastien. + + Added Unicode Properties by extending the existing CharacterClass processing. + + Introduced a new Python script, generateYarrUnicodePropertyTables.py, that parses + Unicode Database files to create character class data. 
The result is a set of functions + that return character classes, one for each of the required Unicode properties. + There are many cases where many properties are handled by one function, primarily due to + property aliases, but also due to Script_Extension properties that are the same as the + Script property for the same script value. + + Extended the BuiltInCharacterClassID enum so it can be used also for Unicode property + character classes. Unicode properties are the enum value BaseUnicodePropertyID plus a + zero based value, that value being the index to the corrensponding character class + function. The generation script also creates static hashing tables similar to what we + use for the generated .lut.h lookup table files. These hashing tables map property + names to the function index. Using these hashing tables, we can lookup a property + name and if present convert it to a function index. We add that index to + BaseUnicodePropertyID to create a BuiltInCharacterClassID. + + When we do syntax parsing, we convert the property to its corresponding BuiltInCharacterClassID. + When doing real parsing we takes the returned BuiltInCharacterClassID and use it to get + the actual character class by calling the corresponding generated function. + + Added a new CharacterClass constructor that can take literal arrays for ranges and matches + to make the creation of large static character classes more efficent. + + Since the Unicode character classes typically have more matches and ranges, the character + class matching in the interpreter has been updated to use binary searching for matches and + ranges with more than 6 entries. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/generateYarrUnicodePropertyTables.py: Added. 
+ (openOrExit): + (openUCDFileOrExit): + (verifyUCDFilesExist): + (ceilingToPowerOf2): + (Aliases): + (Aliases.__init__): + (Aliases.parsePropertyAliasesFile): + (Aliases.parsePropertyValueAliasesFile): + (Aliases.globalAliasesFor): + (Aliases.generalCategoryAliasesFor): + (Aliases.generalCategoryForAlias): + (Aliases.scriptAliasesFor): + (Aliases.scriptNameForAlias): + (PropertyData): + (PropertyData.__init__): + (PropertyData.setAliases): + (PropertyData.makeCopy): + (PropertyData.getIndex): + (PropertyData.getCreateFuncName): + (PropertyData.addMatch): + (PropertyData.addRange): + (PropertyData.addMatchUnorderedForMatchesAndRanges): + (PropertyData.addRangeUnorderedForMatchesAndRanges): + (PropertyData.addMatchUnordered): + (PropertyData.addRangeUnordered): + (PropertyData.removeMatchFromRanges): + (PropertyData.removeMatch): + (PropertyData.dumpMatchData): + (PropertyData.dump): + (PropertyData.dumpAll): + (PropertyData.dumpAll.std): + (PropertyData.createAndDumpHashTable): + (Scripts): + (Scripts.__init__): + (Scripts.parseScriptsFile): + (Scripts.parseScriptExtensionsFile): + (Scripts.dump): + (GeneralCategory): + (GeneralCategory.__init__): + (GeneralCategory.createSpecialPropertyData): + (GeneralCategory.findPropertyGroupFor): + (GeneralCategory.addNextCodePoints): + (GeneralCategory.parse): + (GeneralCategory.dump): + (BinaryProperty): + (BinaryProperty.__init__): + (BinaryProperty.parsePropertyFile): + (BinaryProperty.dump): + * Scripts/hasher.py: Added. + (stringHash): + * Sources.txt: + * ucd/DerivedBinaryProperties.txt: Added. + * ucd/DerivedCoreProperties.txt: Added. + * ucd/DerivedNormalizationProps.txt: Added. + * ucd/PropList.txt: Added. + * ucd/PropertyAliases.txt: Added. + * ucd/PropertyValueAliases.txt: Added. + * ucd/ScriptExtensions.txt: Added. + * ucd/Scripts.txt: Added. + * ucd/UnicodeData.txt: Added. + * ucd/emoji-data.txt: Added. 
+ * yarr/Yarr.h: + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::testCharacterClass): + * yarr/YarrParser.h: + (JSC::Yarr::Parser::parseEscape): + (JSC::Yarr::Parser::parseTokens): + (JSC::Yarr::Parser::isUnicodePropertyValueExpressionChar): + (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression): + * yarr/YarrPattern.cpp: + (JSC::Yarr::CharacterClassConstructor::appendInverted): + (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass): + (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn): + (JSC::Yarr::YarrPattern::errorMessage): + (JSC::Yarr::PatternTerm::dump): + * yarr/YarrPattern.h: + (JSC::Yarr::CharacterRange::CharacterRange): + (JSC::Yarr::CharacterClass::CharacterClass): + (JSC::Yarr::YarrPattern::reset): + (JSC::Yarr::YarrPattern::unicodeCharacterClassFor): + * yarr/YarrUnicodeProperties.cpp: Added. + (JSC::Yarr::HashTable::entry const): + (JSC::Yarr::unicodeMatchPropertyValue): + (JSC::Yarr::unicodeMatchProperty): + (JSC::Yarr::createUnicodeCharacterClassFor): + * yarr/YarrUnicodeProperties.h: Added. + +2017-10-09 Commit Queue + + Unreviewed, rolling out r223015 and r223025. + https://bugs.webkit.org/show_bug.cgi?id=178093 + + Regressed Kraken on iOS by 20% (Requested by keith_mi_ on + #webkit). + + Reverted changesets: + + "Enable gigacage on iOS" + https://bugs.webkit.org/show_bug.cgi?id=177586 + http://trac.webkit.org/changeset/223015 + + "Unreviewed, disable Gigacage on ARM64 Linux" + https://bugs.webkit.org/show_bug.cgi?id=177586 + http://trac.webkit.org/changeset/223025 + +2017-10-09 Keith Miller + + Unreviewed, sort unified sources again now that they are numbered numerically rather than lexicographically. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2017-10-09 Ryan Haddad + + Unreviewed, rolling out r223022. + + This change introduced 18 test262 failures. 
+
+ Reverted changeset:
+
+ "`async` should be able to be used as an imported binding
+ name"
+ https://bugs.webkit.org/show_bug.cgi?id=176573
+ http://trac.webkit.org/changeset/223022
+
+2017-10-09 Robin Morisset
+
+ Make the names of the options consistent
+ https://bugs.webkit.org/show_bug.cgi?id=177933
+
+ Reviewed by Saam Barati.
+
+ I added an alias so the old spelling still works.
+ I also fixed a bunch of typos in comments all around the codebase.
+
+ * b3/B3LowerToAir.cpp:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSSAConversionPhase.h:
+ * dfg/DFGSpeculativeJIT.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry):
+ * jit/CallFrameShuffler.cpp:
+ (JSC::CallFrameShuffler::prepareForTailCall):
+ * parser/Nodes.h:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseExportDeclaration):
+ * runtime/Options.h:
+
+2017-10-09 Oleksandr Skachkov
+
+ Safari 10 /11 problem with if (!await get(something)).
+ https://bugs.webkit.org/show_bug.cgi?id=176685
+
+ Reviewed by Saam Barati.
+
+ Using unary operator before `await` lead to count it as identifier.
+ According to spec https://tc39.github.io/ecma262/#sec-async-function-definitions
+ and Note 1 `await` is as AwaitExpression and it is allowed to use unary operator
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parsePrimaryExpression):
+
+2017-10-07 Filip Pizlo
+
+ direct-construct-arity-mismatch.js can have GCs that take ~70ms if you force poly proto and disable generational GC
+ https://bugs.webkit.org/show_bug.cgi?id=178051
+
+ Reviewed by Saam Barati.
+
+ After I studied the profile of this test, I found two pathologies in our code relating to
+ prototypes. I think that now that we support poly proto, it's more likely for these pathologies to
+ happen.
Also, the fact that we force poly proto in some tests, it's possible for one of our tests
+ to trigger these pathologies.
+
+ - WeakGCMap::m_prototoypes is the set of all prototypes. That's super dangerous. This patch turns
+ this into a bit in the JSCell header. It uses the last spare bit in indexingTypeAndMisc. Note
+ that we still have 6 spare bits in cellState, but those are a bit more annoying to get at.
+
+ - WeakGCMap registers itself with GC using a std::function. That means allocating things in the
+ malloc heap. This changes it to a virtual method on WeakGCMap. I don't know for sure that this is
+ a problem area, but there are places where we could allocate a lot of WeakGCMaps, like if we have
+ a lot of transition tables. It's good to reduce the amount of memory those require.
+
+ Also, I saw a FIXME about turning the std::tuple in PrototypeMap into a struct, so I did that while
+ I was at it. I initially thought that this would have to be part of my solution, but it turned out
+ not to be. I think it's worth landing anyway since it makes the code a lot more clear.
+
+ This fixes the timeout in that test and probably reduces memory consumption.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGOperations.cpp:
+ * heap/Heap.cpp:
+ (JSC::Heap::pruneStaleEntriesFromWeakGCMaps):
+ (JSC::Heap::registerWeakGCMap):
+ (JSC::Heap::unregisterWeakGCMap):
+ * heap/Heap.h:
+ * inspector/JSInjectedScriptHostPrototype.cpp:
+ (Inspector::JSInjectedScriptHostPrototype::finishCreation):
+ * inspector/JSJavaScriptCallFramePrototype.cpp:
+ (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
+ * runtime/ArrayIteratorPrototype.cpp:
+ (JSC::ArrayIteratorPrototype::finishCreation):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ * runtime/AsyncFromSyncIteratorPrototype.cpp:
+ (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
+ * runtime/AsyncFunctionPrototype.cpp:
+ (JSC::AsyncFunctionPrototype::finishCreation):
+ * runtime/AsyncGeneratorFunctionPrototype.cpp:
+ (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
+ * runtime/AsyncGeneratorPrototype.cpp:
+ (JSC::AsyncGeneratorPrototype::finishCreation):
+ * runtime/AsyncIteratorPrototype.cpp:
+ (JSC::AsyncIteratorPrototype::finishCreation):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/GeneratorFunctionPrototype.cpp:
+ (JSC::GeneratorFunctionPrototype::finishCreation):
+ * runtime/GeneratorPrototype.cpp:
+ (JSC::GeneratorPrototype::finishCreation):
+ * runtime/IndexingType.h:
+ * runtime/IteratorPrototype.cpp:
+ (JSC::IteratorPrototype::finishCreation):
+ * runtime/JSCInlines.h:
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::mayBePrototype const):
+ (JSC::JSCell::didBecomePrototype):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+ (JSC::JSObject::setPrototypeDirect):
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::setTarget):
+ * runtime/MapIteratorPrototype.cpp:
+ (JSC::MapIteratorPrototype::finishCreation):
+ * runtime/MapPrototype.cpp:
+ (JSC::MapPrototype::finishCreation):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::ObjectPrototype::finishCreation):
+ *
runtime/PrototypeKey.h: Added.
+ (JSC::PrototypeKey::PrototypeKey):
+ (JSC::PrototypeKey::prototype const):
+ (JSC::PrototypeKey::inlineCapacity const):
+ (JSC::PrototypeKey::classInfo const):
+ (JSC::PrototypeKey::globalObject const):
+ (JSC::PrototypeKey::operator== const):
+ (JSC::PrototypeKey::operator!= const):
+ (JSC::PrototypeKey::operator bool const):
+ (JSC::PrototypeKey::isHashTableDeletedValue const):
+ (JSC::PrototypeKey::hash const):
+ (JSC::PrototypeKeyHash::hash):
+ (JSC::PrototypeKeyHash::equal):
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::createEmptyStructure):
+ (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
+ * runtime/PrototypeMap.h:
+ (JSC::PrototypeMap::PrototypeMap):
+ * runtime/PrototypeMapInlines.h: Removed.
+ * runtime/SetIteratorPrototype.cpp:
+ (JSC::SetIteratorPrototype::finishCreation):
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+ * runtime/StringIteratorPrototype.cpp:
+ (JSC::StringIteratorPrototype::finishCreation):
+ * runtime/WeakGCMap.h:
+ (JSC::WeakGCMapBase::~WeakGCMapBase):
+ * runtime/WeakGCMapInlines.h:
+ (JSC::KeyTraitsArg>::WeakGCMap):
+ * runtime/WeakMapPrototype.cpp:
+ (JSC::WeakMapPrototype::finishCreation):
+ * runtime/WeakSetPrototype.cpp:
+ (JSC::WeakSetPrototype::finishCreation):
+
+2017-10-07 Filip Pizlo
+
+ Octane/splay can leak memory due to stray pointers on the stack when run from the command line
+ https://bugs.webkit.org/show_bug.cgi?id=178054
+
+ Reviewed by Saam Barati.
+
+ This throws in a bunch of sanitize calls. It fixes the problem. It's also performance-neutral. In
+ most cases, calling the sanitize function is O(1), because it doesn't have anything to do if the stack
+ height stays relatively constant.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGTierUpCheckInjectionPhase.cpp:
+ (JSC::DFG::TierUpCheckInjectionPhase::run):
+ * ftl/FTLOSREntry.cpp:
+ * heap/Heap.cpp:
+ (JSC::Heap::runCurrentPhase):
+ * heap/MarkedAllocatorInlines.h:
+ (JSC::MarkedAllocator::tryAllocate):
+ (JSC::MarkedAllocator::allocate):
+ * heap/Subspace.cpp:
+ (JSC::Subspace::tryAllocateSlow):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::sanitizeStackInline):
+ * jit/ThunkGenerators.cpp:
+ (JSC::slowPathFor):
+ * runtime/VM.h:
+ (JSC::VM::addressOfLastStackTop):
+
+2017-10-07 Yusuke Suzuki
+
+ `async` should be able to be used as an imported binding name
+ https://bugs.webkit.org/show_bug.cgi?id=176573
+
+ Reviewed by Darin Adler.
+
+ Previously, we have ASYNC keyword in the parser. This is introduced only for performance,
+ and ECMA262 spec does not categorize "async" to keyword. This makes parser code complicated,
+ since ASYNC should be handled as IDENT. If we missed this ASYNC keyword, we cause a bug.
+ For example, import declaration failed to bind imported binding to the name "async" because
+ the parser considered ASYNC as keyword.
+
+ This patch removes ASYNC keyword from the parser. By carefully handling ASYNC, we can keep
+ the current performance without using this ASYNC keyword.
+
+ * parser/Keywords.table:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseStatementListItem):
+ (JSC::Parser::parseStatement):
+ (JSC::Parser::maybeParseAsyncFunctionDeclarationStatement):
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parseExportDeclaration):
+ (JSC::Parser::parseAssignmentExpression):
+ (JSC::Parser::parseProperty):
+ (JSC::Parser::parsePrimaryExpression):
+ (JSC::Parser::parseMemberExpression):
+ (JSC::Parser::printUnexpectedTokenText):
+ * parser/ParserTokens.h:
+ * runtime/CommonIdentifiers.h:
+
+2017-09-29 Filip Pizlo
+
+ Enable gigacage on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=177586
+
+ Reviewed by JF Bastien.
+
+ The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
+ executing JS, so the LLInt needs to know how to load from global variables on all platforms that
+ have Gigacage. So, this teaches ARM64 how to load from global variables.
+
+ Also, this makes the code handle disabling the gigacage a bit better.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cage):
+ (JSC::AssemblyHelpers::cageConditionally):
+ * offlineasm/arm64.rb:
+ * offlineasm/asm.rb:
+ * offlineasm/instructions.rb:
+
+2017-10-06 Michael Saboff
+
+ Enable RegExp JIT for match only Unicode RegExp's
+ https://bugs.webkit.org/show_bug.cgi?id=178033
+
+ Reviewed by JF Bastien.
+
+ I forgot to turn on JIT'ing for match-only Unicode RegExp's in r221052. Do it now.
+
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::compileMatchOnly):
+
+2017-10-06 Alex Christensen
+
+ Build fix after r223002.
+
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
+ (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+
+2017-10-06 Commit Queue
+
+ Unreviewed, rolling out r222791 and r222873.
+ https://bugs.webkit.org/show_bug.cgi?id=178031
+
+ Caused crashes with workers/wasm LayoutTests (Requested by
+ ryanhaddad on #webkit).
+
+ Reverted changesets:
+
+ "WebAssembly: no VM / JS version of everything but Instance"
+ https://bugs.webkit.org/show_bug.cgi?id=177473
+ http://trac.webkit.org/changeset/222791
+
+ "WebAssembly: address no VM / JS follow-ups"
+ https://bugs.webkit.org/show_bug.cgi?id=177887
+ http://trac.webkit.org/changeset/222873
+
+2017-10-06 Robin Morisset
+
+ Avoid integer overflow in DFGStrengthReduction.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=177944
+
+ Reviewed by Saam Barati.
+
+ The check that we won't do integer overflow by negating INT32_MIN was itself an integer overflow.
+ I think that signed integer overflow is undefined behaviour in C, so I replace it by an explicit check that value != INT32_MIN instead.
+
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+
+2017-10-05 Keith Miller
+
+ JSC generate unified sources doesn't need to run during installhdrs.
+ https://bugs.webkit.org/show_bug.cgi?id=177640
+
+ Reviewed by Dan Bernstein.
+
+ generate unified sources doesn't need to have a xcconfig file
+ since we don't have any feature defines. Also, remove the plist
+ because there's no plist for this...
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2017-10-05 Jer Noble
+
+ [Cocoa] Enable ENABLE_ENCRYPTED_MEDIA build-time setting
+ https://bugs.webkit.org/show_bug.cgi?id=177261
+
+ Reviewed by Eric Carlson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-10-05 Ryan Haddad
+
+ Unreviewed, rolling out r222929.
+
+ Caused assertion failures during LayoutTests.
+
+ Reverted changeset:
+
+ "Only add prototypes to the PrototypeMap if they're not
+ already present"
+ https://bugs.webkit.org/show_bug.cgi?id=177952
+ http://trac.webkit.org/changeset/222929
+
+2017-10-05 Carlos Alberto Lopez Perez
+
+ Generate a compile error if release is built without compiler optimizations
+ https://bugs.webkit.org/show_bug.cgi?id=177665
+
+ Reviewed by Brian Burg.
+
+ Pass -DRELEASE_WITHOUT_OPTIMIZATIONS to testair.cpp and testb3.cpp because
+ this files are compiled with -O0 for build speed reasons after r195639.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2017-10-05 Saam Barati
+
+ Only add prototypes to the PrototypeMap if they're not already present
+ https://bugs.webkit.org/show_bug.cgi?id=177952
+
+ Reviewed by Michael Saboff and JF Bastien.
+
+ With poly proto, we need to call PrototypeMap::add more frequently since we don't
+ know if the prototype is already in the map or not based solely on Structure.
+ PrototypeMap::add was calling WeakMap::set unconditionally, which would unconditionally
+ allocate a Weak handle. Allocating a Weak handle is expensive. It's at least 8x more
+ expensive than just checking if the prototype is in the map prior to adding it. This
+ patch makes the change to only add the prototype if it's not already in the map. To
+ do this, I've added a WeakMap::add API that just forwards into HashMap's add API.
+ This allows us to both only do a single hash table lookup and also to allocate only
+ a single Weak handle when necessary.
+
+ * runtime/PrototypeMapInlines.h:
+ (JSC::PrototypeMap::addPrototype):
+ * runtime/WeakGCMap.h:
+ (JSC::WeakGCMap::add):
+
+2017-10-05 Saam Barati
+
+ Unreviewed. Disable probe OSR exit on 32-bit until it's fixed.
+
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+
+2017-10-05 Saam Barati
+
+ Make sure all prototypes under poly proto get added into the VM's prototype map
+ https://bugs.webkit.org/show_bug.cgi?id=177909
+
+ Reviewed by Keith Miller.
+
+ This is an invariant of prototypes that I broke when doing poly proto. This patch fixes it.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGOperations.cpp:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSCInlines.h:
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::addPrototype): Deleted.
+ * runtime/PrototypeMap.h:
+ * runtime/PrototypeMapInlines.h:
+ (JSC::PrototypeMap::isPrototype const):
+ (JSC::PrototypeMap::addPrototype):
+
+2017-09-30 Yusuke Suzuki
+
+ [JSC] Introduce import.meta
+ https://bugs.webkit.org/show_bug.cgi?id=177703
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds stage 3 `import.meta`[1].
+ We add a new hook function moduleLoaderCreateImportMetaProperties, which creates
+ import meta properties object to this module. And we set this object as @meta
+ private variable in module environments.
So module code can access this by accessing
+ @meta private variable.
+
+ [1]: https://github.com/tc39/proposal-import-meta
+
+ * builtins/BuiltinNames.h:
+ * builtins/ModuleLoaderPrototype.js:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * jsc.cpp:
+ (GlobalObject::moduleLoaderCreateImportMetaProperties):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseModuleSourceElements):
+ (JSC::Parser::parseMemberExpression):
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSGlobalObject.h:
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::createImportMetaProperties):
+ * runtime/JSModuleLoader.h:
+ * runtime/JSModuleRecord.cpp:
+ (JSC::JSModuleRecord::link):
+ (JSC::JSModuleRecord::instantiateDeclarations):
+ * runtime/JSModuleRecord.h:
+ * runtime/ModuleLoaderPrototype.cpp:
+ (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation):
+
+2017-10-04 Saam Barati
+
+ Make pertinent AccessCases watch the poly proto watchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=177765
+
+ Reviewed by Keith Miller.
+
+ This patch makes it so that stubs that encounter a structure with a
+ valid poly proto watchpoint will watch the poly proto watchpoint. This
+ ensures that if the watchpoint is fired, the stub will be cleared
+ and have a chance to regenerate. In an ideal world, this will lead
+ to the stub generating better code since it may never encounter the
+ non-poly proto structure again.
+
+ This patch also fixes a bug in the original poly proto code where
+ I accidentally had a condition inverted. The bad code caused a
+ stub that continually cached two structures which are structurally
+ equivalent but with different prototype objects to always clear itself.
+ The code should have been written differently. It should have only
+ cleared if the poly proto watchpoint *was not* fired. The code
+ accidentally cleared only if stub *was* fired.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::commit):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::addCases):
+ (WTF::printInternal):
+ * bytecode/PolymorphicAccess.h:
+ (JSC::AccessGenerationResult::shouldResetStubAndFireWatchpoints const):
+ (JSC::AccessGenerationResult::addWatchpointToFire):
+ (JSC::AccessGenerationResult::fireWatchpoints):
+ (JSC::AccessGenerationResult::shouldResetStub const): Deleted.
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::addAccessCase):
+ (JSC::StructureStubInfo::reset):
+ * bytecode/Watchpoint.h:
+ (JSC::InlineWatchpointSet::inflate):
+ * jit/Repatch.cpp:
+ (JSC::fireWatchpointsAndClearStubIfNeeded):
+ (JSC::tryCacheGetByID):
+ (JSC::repatchGetByID):
+ (JSC::tryCachePutByID):
+ (JSC::repatchPutByID):
+ (JSC::tryCacheIn):
+ (JSC::repatchIn):
+ (JSC::tryRepatchIn): Deleted.
+
+2017-10-04 Matt Baker
+
+ Web Inspector: Improve CanvasManager recording events
+ https://bugs.webkit.org/show_bug.cgi?id=177762
+
+ Reviewed by Devin Rousso.
+
+ * inspector/protocol/Canvas.json:
+ Renamed events for clarity and consistency; made recording data optional.
+
+2017-10-04 JF Bastien
+
+ WTF: Update std::expected to match current proposal
+ https://bugs.webkit.org/show_bug.cgi?id=177881
+
+ Reviewed by Mark Lam.
+
+ Update API.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::makeValidationResult):
+ * wasm/WasmParser.h:
+ * wasm/WasmValidate.cpp:
+ * wasm/generateWasmValidateInlinesHeader.py:
+ (loadMacro):
+ (storeMacro):
+
+2017-10-04 JF Bastien
+
+ WebAssembly: address no VM / JS follow-ups
+ https://bugs.webkit.org/show_bug.cgi?id=177887
+
+ Reviewed by Saam Barati.
+
+ All minor fixes, no functional changes.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCurrentMemory):
+ (JSC::Wasm::B3IRGenerator::addCall):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmContext.cpp:
+ (JSC::Wasm::Context::store):
+ * wasm/WasmMemoryMode.h:
+ * wasm/WasmTable.h:
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
+ * wasm/js/JSWebAssemblyTable.cpp:
+ (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
+ (JSC::JSWebAssemblyTable::grow):
+
+2017-10-04 Mark Lam
+
+ Add support for using Probe DFG OSR Exit behind a runtime flag.
+ https://bugs.webkit.org/show_bug.cgi?id=177844
+
+
+ Reviewed by Saam Barati.
+
+ This is based on the code originally posted in https://bugs.webkit.org/show_bug.cgi?id=175144
+ (in r221774 and r221832) with some optimizations and bug fixes added. The probe
+ based DFG OSR Exit is only enabled if Options::useProbeOSRExit() is true. We're
+ landing this behind an option switch to make it easier to tune performance using
+ the probe based OSR exit.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/MacroAssembler.cpp:
+ (JSC::stdFunctionCallback):
+ * assembler/MacroAssemblerPrinter.cpp:
+ (JSC::Printer::printCallback):
+ * assembler/ProbeContext.cpp:
+ (JSC::Probe::executeProbe):
+ (JSC::Probe::flushDirtyStackPages):
+ * assembler/ProbeContext.h:
+ (JSC::Probe::Context::Context):
+ (JSC::Probe::Context::arg):
+ * assembler/ProbeFrame.h: Added.
+ (JSC::Probe::Frame::Frame):
+ (JSC::Probe::Frame::argument):
+ (JSC::Probe::Frame::operand):
+ (JSC::Probe::Frame::setArgument):
+ (JSC::Probe::Frame::setOperand):
+ (JSC::Probe::Frame::get):
+ (JSC::Probe::Frame::set):
+ * assembler/ProbeStack.cpp:
+ (JSC::Probe::Page::lowWatermarkFromVisitingDirtyChunks):
+ (JSC::Probe::Stack::Stack):
+ (JSC::Probe::Stack::lowWatermarkFromVisitingDirtyPages):
+ * assembler/ProbeStack.h:
+ (JSC::Probe::Stack::Stack):
+ (JSC::Probe::Stack::lowWatermark):
+ (JSC::Probe::Stack::set):
+ (JSC::Probe::Stack::savedStackPointer const):
+ (JSC::Probe::Stack::setSavedStackPointer):
+ (JSC::Probe::Stack::newStackPointer const): Deleted.
+ (JSC::Probe::Stack::setNewStackPointer): Deleted.
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::observeArrayMode):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
+ * bytecode/ExecutionCounter.h:
+ (JSC::ExecutionCounter::hasCrossedThreshold const):
+ (JSC::ExecutionCounter::setNewThresholdForOSRExit):
+ * bytecode/MethodOfGettingAValueProfile.cpp:
+ (JSC::MethodOfGettingAValueProfile::reportValue):
+ * bytecode/MethodOfGettingAValueProfile.h:
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::jsValueFor):
+ (JSC::DFG::restoreCalleeSavesFor):
+ (JSC::DFG::saveCalleeSavesFor):
+ (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
+ (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+ (JSC::DFG::saveOrCopyCalleeSavesFor):
+ (JSC::DFG::createDirectArgumentsDuringExit):
+ (JSC::DFG::createClonedArgumentsDuringExit):
+ (JSC::DFG::emitRestoreArguments):
+ (JSC::DFG::OSRExit::executeOSRExit):
+ (JSC::DFG::reifyInlinedCallFrames):
+ (JSC::DFG::adjustAndJumpToTarget):
+ (JSC::DFG::printOSRExit):
+ * dfg/DFGOSRExit.h:
+
(JSC::DFG::OSRExitState::OSRExitState):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrExitThunkGenerator):
+ * dfg/DFGThunks.h:
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::tryToSetConstantRecovery):
+ (JSC::DFG::VariableEventStream::reconstruct const):
+ (JSC::DFG::VariableEventStream::tryToSetConstantRecovery const): Deleted.
+ * dfg/DFGVariableEventStream.h:
+ * profiler/ProfilerOSRExit.h:
+ (JSC::Profiler::OSRExit::incCount):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ * runtime/Options.h:
+
+2017-10-04 Ryan Haddad
+
+ Unreviewed, rolling out r222840.
+
+ This change breaks internal builds.
+
+ Reverted changeset:
+
+ "Generate a compile error if release is built without compiler
+ optimizations"
+ https://bugs.webkit.org/show_bug.cgi?id=177665
+ http://trac.webkit.org/changeset/222840
+
+2017-10-04 Carlos Alberto Lopez Perez
+
+ Generate a compile error if release is built without compiler optimizations
+ https://bugs.webkit.org/show_bug.cgi?id=177665
+
+ Reviewed by Michael Catanzaro.
+
+ Pass -DRELEASE_WITHOUT_OPTIMIZATIONS to testair.cpp and testb3.cpp because
+ this files are compiled with -O0 for build speed reasons after r195639.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2017-10-03 Jon Davis
+
+ Update WebAssembly to "Supported"
+ https://bugs.webkit.org/show_bug.cgi?id=177831
+
+ Reviewed by Alexey Proskuryakov.
+
+ Cleaned up Async Iteration and Object rest/spread to use "In Development"
+ instead of "In development".
+
+ * features.json:
+
+2017-10-03 Saam Barati
+
+ Implement polymorphic prototypes
+ https://bugs.webkit.org/show_bug.cgi?id=176391
+
+ Reviewed by Filip Pizlo.
+
+ This patch changes JSC's object model with respect to where the prototype
+ of an object is stored. Previously, it was always stored as
+ a constant value inside Structure. So an object's structure used to
+ always tell you what its prototype is. Anytime an object changed
+ its prototype, it would do a structure transition.
This enables
+ a large class of optimizations: just by doing a structure check,
+ we know what the prototype is.
+
+ However, this design falls down when you have many objects that
+ have the same shape, but only differ in what their prototype value
+ is. This arises in many JS programs. A simple, and probably common, example
+ is when the program has a constructor inside of a function:
+ ```
+ function foo() {
+ class C {
+ constructor() { this.field1 = 42; ...; this.fieldN = 42; }
+ method1() { doStuffWith(this.field); }
+ method2() { doStuffWith(this.field); }
+ }
+ let c = new C;
+ do things with c;
+ }
+ repeatedly call foo() here.
+ ```
+
+ Before this patch, in the above program, each time `new C` created an
+ object, it would create an object with a different structure. The
+ reason for this is that each time foo is called, there is a new
+ instance of C.prototype. However, each `new C` that was created
+ with have identical shape sans its prototype value. This would
+ cause all ICs that used `c` to quickly give up on any form of caching
+ because they would see too many structures and give up and permanently
+ divert control flow to the slow path.
+
+ This patch fixes this issue by expanding the notion of where the prototype
+ of an object is stored. There are now two notions of where the prototype
+ is stored. A Structure can now be in two modes:
+ 1. Mono proto mode. This is the same mode as we used to have. It means
+ the structure itself has a constant prototype value.
+ 2. Poly proto mode. This means the structure knows nothing about the
+ prototype value itself. Objects with this structure store their prototype
+ in normal object field storage. The structure will tell you the offset of
+ this prototype inside the object's storage. As of today, we only reserve
+ inline slots for the prototype field because poly proto only occurs
+ for JSFinalObject.
However, this will be expanded to support out of line
+ offsets in a future patch when we extend poly proto to work when we inherit
+ from builtin types like Map and Array.
+
+ In this initial patch, we do poly proto style inline caching whenever
+ we see an object that is poly proto or if an object in its prototype lookup
+ chain is poly proto. Poly proto ICs work by verifying the lookup chain
+ at runtime. This essentially boils down to performing structure checks
+ up the prototype chain. In a future patch, we're going to extend object
+ property condition set to work with objects that don't have poly proto bases.
+
+ Initially, accesses that have poly proto access chains will always turn
+ into GetById/PutById in the DFG. In a future patch, I'm going to teach
+ the DFG how to inline certain accesses that have poly proto in the access
+ chain.
+
+ One of most interesting parts about this patch is how we decide when to go
+ poly proto. This patch uses a profiling based approach. An IC will inform
+ a watchpoint that it sees an opportunity when two Structure's are structurally
+ the same, sans the base object's prototype. This means that two structures
+ have equivalent shapes all the way up the prototype chain. To support fast
+ structural comparison, we compute a hash for a structure based on the properties
+ it has. We compute this hash as we add properties to the structure. This
+ computation is nearly free since we always add UniquedStringImpl*'s which
+ already have their hashes computed. To compare structural equivalence, we
+ just compare hash values all the way up the prototype chain. This means we
+ can get hash conflicts between two structures, but it's extremely rare. First,
+ it'll be rare for two structures to have the same hash. Secondly, we only
+ consider structures originating from the same executable.
+
+ How we set up this poly proto watchpoint is crucial to its design.
When we create_this
+ an object originating from some executable, that executable will create a Box.
+ Each structure that originates from this executable will get a copy of that
+ Box. As that structure transitions to new structures,
+ they too will get a copy of that Box. Therefore, when
+ invalidating an arbitrary structure's poly proto watchpoint, we will know
+ the next time we create_this from that executable that it had been
+ invalidated, and that we should create an object with a poly proto
+ structure. We also use the pointer value of this Box
+ to determine if two structures originated from the same executable. This
+ pruning will severely limit the chances of getting a hash conflict in practice.
+
+ This patch is neutral on my MBP on traditional JS benchmarks like Octane/Kraken/Sunspider.
+ It may be a 1-2% ARES-6 progression.
+
+ This patch is between neutral and a 9x progression on the various tests
+ I added. Most of the microbenchmarks are progressed by at least 50%.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * builtins/BuiltinNames.cpp:
+ * builtins/BuiltinNames.h:
+ (JSC::BuiltinNames::BuiltinNames):
+ (JSC::BuiltinNames::underscoreProtoPrivateName const):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::AccessCase):
+ (JSC::AccessCase::create):
+ (JSC::AccessCase::commit):
+ (JSC::AccessCase::guardedByStructureCheck const):
+ (JSC::AccessCase::canReplace const):
+ (JSC::AccessCase::dump const):
+ (JSC::AccessCase::visitWeak const):
+ (JSC::AccessCase::propagateTransitions const):
+ (JSC::AccessCase::generateWithGuard):
+ (JSC::AccessCase::generateImpl):
+ * bytecode/AccessCase.h:
+ (JSC::AccessCase::usesPolyProto const):
+ (JSC::AccessCase::AccessCase):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
+ * bytecode/GetterSetterAccessCase.cpp:
+ (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
+
(JSC::GetterSetterAccessCase::create):
+ * bytecode/GetterSetterAccessCase.h:
+ * bytecode/InternalFunctionAllocationProfile.h:
+ (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+ * bytecode/IntrinsicGetterAccessCase.cpp:
+ (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
+ * bytecode/IntrinsicGetterAccessCase.h:
+ * bytecode/ModuleNamespaceAccessCase.cpp:
+ (JSC::ModuleNamespaceAccessCase::ModuleNamespaceAccessCase):
+ * bytecode/ObjectAllocationProfile.cpp: Added.
+ (JSC::ObjectAllocationProfile::initializeProfile):
+ (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
+ * bytecode/ObjectAllocationProfile.h:
+ (JSC::ObjectAllocationProfile::clear):
+ (JSC::ObjectAllocationProfile::initialize): Deleted.
+ (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): Deleted.
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ * bytecode/PolyProtoAccessChain.cpp: Added.
+ (JSC::PolyProtoAccessChain::create):
+ (JSC::PolyProtoAccessChain::needImpurePropertyWatchpoint const):
+ (JSC::PolyProtoAccessChain::operator== const):
+ (JSC::PolyProtoAccessChain::dump const):
+ * bytecode/PolyProtoAccessChain.h: Added.
+ (JSC::PolyProtoAccessChain::clone):
+ (JSC::PolyProtoAccessChain:: const):
+ (JSC::PolyProtoAccessChain::operator!= const):
+ (JSC::PolyProtoAccessChain::forEach const):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::addCases):
+ (JSC::PolymorphicAccess::regenerate):
+ (WTF::printInternal):
+ * bytecode/PolymorphicAccess.h:
+ (JSC::AccessGenerationResult::shouldResetStub const):
+ (JSC::AccessGenerationState::AccessGenerationState):
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
+ * bytecode/ProxyableAccessCase.cpp:
+ (JSC::ProxyableAccessCase::ProxyableAccessCase):
+ (JSC::ProxyableAccessCase::create):
+ * bytecode/ProxyableAccessCase.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeForStubInfo):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::addAccessCase):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::load):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::canDoFastSpread):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_instanceof):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_instanceof):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+ (JSC::tryCachePutByID):
+ (JSC::tryRepatchIn):
+ * jsc.cpp:
+ (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
+ (WTF::DOMJITGetterBaseJSObject::createStructure):
+ (WTF::DOMJITGetterBaseJSObject::create):
+ (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
+ (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
+ (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
+
(WTF::DOMJITGetterBaseJSObject::customGetter):
+ (WTF::DOMJITGetterBaseJSObject::finishCreation):
+ (GlobalObject::finishCreation):
+ (functionCreateDOMJITGetterBaseJSObject):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::holesMustForwardToPrototype):
+ (JSC::fastJoin):
+ (JSC::arrayProtoFuncReverse):
+ (JSC::moveElements):
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::createEmpty):
+ (JSC::ClonedArguments::createWithInlineFrame):
+ (JSC::ClonedArguments::createWithMachineFrame):
+ (JSC::ClonedArguments::createByCopyingFrom):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/FunctionExecutable.cpp:
+ (JSC::FunctionExecutable::visitChildren):
+ * runtime/FunctionExecutable.h:
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::initializeObjectAllocationProfile):
+ * runtime/FunctionRareData.h:
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::createSubclassStructureSlow):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastSlice):
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::canFastCopy):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dumpInContextAssumingStructure const):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::prototypeForConstruction):
+ (JSC::JSFunction::allocateAndInitializeRareData):
+ (JSC::JSFunction::initializeRareData):
+ (JSC::JSFunction::getOwnPropertySlot):
+ * runtime/JSFunction.h:
+ * runtime/JSMap.cpp:
+ (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
+ (JSC::JSMap::canCloneFastAndNonObservable):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::createArrayStorage):
+ (JSC::JSObject::convertUndecidedToArrayStorage):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+
(JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::ensureInt32Slow):
+ (JSC::JSObject::ensureDoubleSlow):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC::JSObject::setPrototypeDirect):
+ (JSC::JSObject::ordinaryToPrimitive const):
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+ (JSC::JSObject::getEnumerableLength):
+ (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
+ (JSC::JSObject::prototypeChainMayInterceptStoreTo):
+ (JSC::JSObject::needsSlowPutIndexing const):
+ (JSC::JSObject::suggestedArrayStorageTransition const):
+ * runtime/JSObject.h:
+ (JSC::JSObject::finishCreation):
+ (JSC::JSObject::getPrototypeDirect const):
+ (JSC::JSObject::getPropertySlot):
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::getPropertySlot):
+ (JSC::JSObject::getNonIndexPropertySlot):
+ (JSC::JSObject::putInlineForJSObject):
+ * runtime/JSPropertyNameEnumerator.h:
+ (JSC::propertyNameEnumerator):
+ * runtime/JSSet.cpp:
+ (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
+ (JSC::JSSet::canCloneFastAndNonObservable):
+ * runtime/LazyClassStructure.h:
+ (JSC::LazyClassStructure::prototypeConcurrently const): Deleted.
+ * runtime/Operations.cpp:
+ (JSC::normalizePrototypeChain):
+ * runtime/Operations.h:
+ * runtime/Options.h:
+ * runtime/PrototypeMap.cpp:
+ (JSC::PrototypeMap::createEmptyStructure):
+ (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
+ (JSC::PrototypeMap::emptyObjectStructureForPrototype):
+ (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
+ * runtime/PrototypeMap.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::create):
+ (JSC::Structure::holesMustForwardToPrototype const):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::isCheapDuringGC):
+ (JSC::Structure::toStructureShape):
+ (JSC::Structure::dump const):
+ (JSC::Structure::canCachePropertyNameEnumerator const):
+ (JSC::Structure::anyObjectInChainMayInterceptIndexedAccesses const): Deleted.
+ (JSC::Structure::needsSlowPutIndexing const): Deleted.
+ (JSC::Structure::suggestedArrayStorageTransition const): Deleted.
+ (JSC::Structure::prototypeForLookup const): Deleted.
+ (JSC::Structure::prototypeChainMayInterceptStoreTo): Deleted.
+ (JSC::Structure::canUseForAllocationsOf): Deleted.
+ * runtime/Structure.h:
+ * runtime/StructureChain.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::create):
+ (JSC::Structure::storedPrototypeObject const):
+ (JSC::Structure::storedPrototypeStructure const):
+ (JSC::Structure::storedPrototype const):
+ (JSC::prototypeForLookupPrimitiveImpl):
+ (JSC::Structure::prototypeForLookup const):
+ (JSC::Structure::prototypeChain const):
+ (JSC::Structure::isValid const):
+ (JSC::Structure::add):
+ (JSC::Structure::setPropertyTable):
+ (JSC::Structure::shouldConvertToPolyProto):
+ * runtime/StructureRareData.h:
+ * runtime/TypeProfilerLog.cpp:
+ (JSC::TypeProfilerLog::processLogEntries):
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::addTypeInformation):
+ * runtime/TypeSet.h:
+ * runtime/WriteBarrier.h:
+ (JSC::WriteBarrierBase::isInt32 const):
+
+2017-10-03 JF Bastien
+
+ WebAssembly: no VM / JS version of everything but Instance
+ https://bugs.webkit.org/show_bug.cgi?id=177473
+
+ Reviewed by Filip Pizlo.
+
+ This change entails cleaning up and splitting a bunch of code which we had
+ intertwined between C++ classes which represent JS objects, and pure C++
+ implementation objects. This specific change goes most of the way towards
+ allowing JSC's WebAssembly to work without VM / JS, up to but excluding
+ JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
+ yet). Because of this we still have a few FIXME identifying places that need to
+ change. A follow-up change will go the rest of the way.
+
+ I went about this change in the simplest way possible: grep the
+ JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
+ sub-directory (which contains the JS implementation of WebAssembly).
+
+ None of this change removes the need for a JIT entitlement to be able to use
+ WebAssembly. We don't have an interpreter, the process therefore still needs to
+ be allowed to JIT to use these pure-C++ APIs.
+
+ Interesting things to note:
+
+ - Remove VM from Plan and associated places.
It can just live as a capture in
+ the callback lambda if it's needed.
+ - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
+ collect. We now instead pass two lambdas at construction time for this
+ purpose: one to notify of memory pressure, and the other to ask for
+ syncrhonous memory reclamation. This allows whoever creates the memory to
+ dictate how to react to both these cases, and for a JS embedding that's to
+ call the GC (async or sync, respectively).
+ - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
+ there, with an enum class for failure types.
+ - Exceeding max on memory growth now returns a range error as per spec. This
+ is a (very minor) breaking change: it used to throw OOM error. Update the
+ corresponding test.
+ - When generating the grow_memory opcode, no need to get the VM. Instead,
+ reach directly for Wasm::Memory and grow it.
+ - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
+ ever called from JS (not from grow_memory as before).
+ - Wasm::Memory now takes a callback for successful growth. This allows JS
+ wrappers to register themselves when growth succeeds without Wasm::Memory
+ knowning anything about JS. It'll also allow creating a list of callbacks
+ for when we add thread support (we'll want to notify many wrappers, all
+ under a lock).
+ - Wasm::Memory is now back to being the source of truth about address / size,
+ used directly by generated code instead of JSWebAssemblyMemory.
+ - Move wasmToJS from the general WasmBinding header to its own header under
+ wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
+ and therefore isn't general WebAssembly.
+ - Make Wasm::Context an actual type (just a struct holding a
+ JSWebAssemlyInstance for now) instead of an alias for that.
Notably this
+ doesn't add anything to the Context and doesn't change what actually gets
+ passed around in JIT code (fast TLS or registers) because these changes
+ potentially impact performance. The entire purpose of this change is to
+ allow passing Wasm::Context around without having to know about VM. Since VM
+ contains a Wasm::Context the JS embedding is effectively the same, but with
+ this setup a non-JS embedding is much better off.
+ - Move JSWebAssembly into the JS folder.
+ - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
+ - wasm->JS stubs are now on Wasm::CodeBlock's tail as raw pointers, instead of
+ being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
+ stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
+ called wasm->JS stub. This move means that the embedder must, after creating
+ a Wasm::CodeBlock, somehow create the stubs to call back into the
+ embedder. This isn't adding any indirection to the generated code because
+ the B3 IR generator now reaches for Wasm::CodeBlock instead of
+ JSWebAssemblyCodeBlock.
+ - Move more CodeBlock things. Compilation completion is now marked by its own
+ atomic flag instead of a nullptr plan: that required using a lock, and
+ was causing a deadlock in stack-trace.js because before my changes
+ JSWebAssemblyCodeBlock did its own completion checking separately from
+ Wasm::CodeBlock, without getting the lock. Now that everything points to
+ Wasm::CodeBlock and there's no cached completion marker, the lock was being
+ acquired in a sanity-check assertion.
+ - Embedder -> Wasm wrappers are now generated through a function that's passed
+ in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
+ - WasmMemory doens't need to know about fault handling thunks.
Only the IR
+ generator should know, and should make sure that the exception throwing
+ thunk is generated if any memory is present (note: with signal handling not
+ all of them generate an exception check).
+ - Make exception throwing pluggable: instead of having a hard-coded
+ JS-specific lambda we now have a regular C++ function being called from JIT
+ code when a WebAssembly exception is thrown. This allows any embedder to get
+ called as they wish. For now a process can only have a single of these
+ functions (i.e. only one embedder per process) because the trap handler is a
+ singleton. That can be fixed in in #177475.
+ - Create WasmEmbedder.h where all embedder plugging will live.
+ - Split up JSWebAssemblyTable into Wasm::Table which is
+ refcounted. JSWebAssemblyTable now only contains the JS functions in the
+ table, and Wasm::Table is what's used by the JIT code to lookup where to
+ call and do the instance check (for context switch). Note that this creates
+ an extra allocation for all the instances in Wasm::Table, and in exchange
+ removes an indirection in JIT code because the instance used to be obtained
+ off of the JS function. Also note that it's the embedder than keeps the
+ instances alive, not Wasm::Table (which holds a dumb pointer to the
+ instance), because doing otherwise would cause reference cycles.
+ - Add WasmInstance. It doesn't do much for now, owns globals.
+ - JSWebAssembly instance now doesn't just contain the imported functions as
+ JSObjects, it also has the corresponding import's instance and wasm
+ entrypoint. This triples the space allocated per instance's imported
+ function, but there shouldn't be that many imports. This has two upsides: it
+ creates smaller and faster code, and makes is easier to disassociate
+ embedder-specific things from embedder-neutral things.
The small / faster
+ win is in two places: B3 IR generator only needs offsetOfImportFunction for
+ the call opcode (when the called index is an import) to know whether the
+ import is wasm->wasm or wasm->embedder (this isn't known at compile-time
+ because it's dependent on the import object), this is now done by seeing if
+ that import function has an associated target instance (only wasm->wasm
+ does); the other place is wasmBinding which uses offsetOfImportFunction to
+ figure out the wasm->wasm target instance, and then gets
+ WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
+ call. The disassociation comes because the target instance can be
+ Wasm::Instance once we change what the Context is, and
+ WasmEntrypointLoadLocation is already embedder-independent. As a next step I
+ can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
+ and leave importFunction in as an opaque pointer which is embedder-specific,
+ and in JS will remain WriteBarrier.
+ - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
+ around instead of VM. This is a first step in allowing entry frames which
+ aren't stored on VM, but which are instead stored in an embedder-specific
+ location. That change won't really affect JS except through code churn, but
+ will allow WebAssembly to use some machinery in a generic manner without
+ having a VM.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::AccessGenerationState::emitExplicitExceptionHandler):
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::stepOutOfFunction):
+ (JSC::Debugger::returnEvent):
+ (JSC::Debugger::unwindEvent):
+ (JSC::Debugger::didExecuteProgram):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compileExceptionHandlers):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileOSRExit):
+ (JSC::DFG::OSRExit::compileExit):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrEntryThunkGenerator):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::wasmAwareLexicalGlobalObject):
+ (JSC::CallFrame::callerFrame):
+ (JSC::CallFrame::unsafeCallerFrame):
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::callerFrame const):
+ (JSC::ExecState::callerFrameOrEntryFrame const):
+ (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
+ * interpreter/FrameTracers.h:
+ (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+ (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
+ (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
+ * interpreter/Interpreter.cpp:
+ (JSC::UnwindFunctor::operator() const):
+ (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
+ (JSC::Interpreter::unwind):
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::StackVisitor):
+ (JSC::StackVisitor::gotoNextFrame):
+ (JSC::StackVisitor::readNonInlinedFrame):
+ (JSC::StackVisitor::Frame::dump const):
+ * interpreter/StackVisitor.h:
+ (JSC::StackVisitor::Frame::callerIsEntryFrame const):
+ * interpreter/VMEntryRecord.h:
+ (JSC::VMEntryRecord::prevTopEntryFrame):
+
(JSC::VMEntryRecord::unsafePrevTopEntryFrame):
+ (JSC::EntryFrame::vmEntryRecordOffset):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::loadWasmContextInstance):
+ (JSC::AssemblyHelpers::storeWasmContextInstance):
+ (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
+ (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
+ (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
+ * jit/JIT.cpp:
+ (JSC::JIT::emitEnterOptimizationCheck):
+ (JSC::JIT::privateCompileExceptionHandlers):
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_throw):
+ (JSC::JIT::emit_op_catch):
+ (JSC::JIT::emitSlow_op_loop_hint):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_throw):
+ (JSC::JIT::emit_op_catch):
+ * jit/JITOperations.cpp:
+ * jit/ThunkGenerators.cpp:
+ (JSC::throwExceptionFromCallSlowPathGenerator):
+ (JSC::nativeForGenerator):
+ * jsc.cpp:
+ (functionDumpCallFrame):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntThunks.cpp:
+ (JSC::vmEntryRecord):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/Options.h:
+ * runtime/SamplingProfiler.cpp:
+ (JSC::FrameWalker::FrameWalker):
+ (JSC::FrameWalker::advanceToParentFrame):
+ (JSC::SamplingProfiler::processUnverifiedStackTraces):
+ * runtime/ThrowScope.cpp:
+ (JSC::ThrowScope::~ThrowScope):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ * runtime/VM.h:
+ (JSC::VM::topEntryFrameOffset):
+ *
runtime/VMTraps.cpp:
+ (JSC::isSaneFrame):
+ (JSC::VMTraps::tryInstallTrapBreakpoints):
+ (JSC::VMTraps::invalidateCodeBlocksOnStack):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addGrowMemory):
+ (JSC::Wasm::B3IRGenerator::addCurrentMemory):
+ (JSC::Wasm::B3IRGenerator::addCall):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmB3IRGenerator.h:
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::BBQPlan):
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ (JSC::Wasm::BBQPlan::complete):
+ * wasm/WasmBBQPlan.h:
+ * wasm/WasmBBQPlanInlines.h:
+ (JSC::Wasm::BBQPlan::initializeCallees):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmBinding.h:
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::create):
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ (JSC::Wasm::CodeBlock::compileAsync):
+ (JSC::Wasm::CodeBlock::setCompilationFinished):
+ * wasm/WasmCodeBlock.h:
+ (JSC::Wasm::CodeBlock::offsetOfImportStubs):
+ (JSC::Wasm::CodeBlock::allocationSize):
+ (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
+ (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
+ (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
+ (JSC::Wasm::CodeBlock::compilationFinished):
+ (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
+ * wasm/WasmContext.cpp:
+ (JSC::Wasm::Context::useFastTLS):
+ (JSC::Wasm::Context::load const):
+ (JSC::Wasm::Context::store):
+ * wasm/WasmContext.h:
+ * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
+ * wasm/WasmFaultSignalHandler.cpp:
+ * wasm/WasmFaultSignalHandler.h:
+ * wasm/WasmFormat.h:
+ * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
+ (JSC::Wasm::Instance::Instance):
+ (JSC::Wasm::Instance::~Instance):
+ (JSC::Wasm::Instance::extraMemoryAllocated const):
+ * wasm/WasmInstance.h: Added.
+ (JSC::Wasm::Instance::create):
+ (JSC::Wasm::Instance::finalizeCreation):
+ (JSC::Wasm::Instance::module):
+ (JSC::Wasm::Instance::codeBlock):
+ (JSC::Wasm::Instance::memory):
+ (JSC::Wasm::Instance::table):
+ (JSC::Wasm::Instance::loadI32Global const):
+ (JSC::Wasm::Instance::loadI64Global const):
+ (JSC::Wasm::Instance::loadF32Global const):
+ (JSC::Wasm::Instance::loadF64Global const):
+ (JSC::Wasm::Instance::setGlobal):
+ (JSC::Wasm::Instance::offsetOfCachedStackLimit):
+ (JSC::Wasm::Instance::cachedStackLimit const):
+ (JSC::Wasm::Instance::setCachedStackLimit):
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::Memory):
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::~Memory):
+ (JSC::Wasm::Memory::grow):
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::offsetOfMemory):
+ (JSC::Wasm::Memory::offsetOfSize):
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::PinnedRegisterInfo::get):
+ (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::PinnedRegisterInfo::toSave const):
+ * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
+ (JSC::Wasm::makeString):
+ * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::makeValidationCallback):
+ (JSC::Wasm::Module::validateSync):
+ (JSC::Wasm::Module::validateAsync):
+ (JSC::Wasm::Module::getOrCreateCodeBlock):
+ (JSC::Wasm::Module::compileSync):
+ (JSC::Wasm::Module::compileAsync):
+ * wasm/WasmModule.h:
+ * wasm/WasmModuleParser.cpp:
+ (JSC::Wasm::ModuleParser::parseTableHelper):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::OMGPlan):
+ (JSC::Wasm::OMGPlan::runForIndex):
+ * wasm/WasmOMGPlan.h:
+ * wasm/WasmPageCount.h:
+ (JSC::Wasm::PageCount::isValid const):
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::Plan):
+ (JSC::Wasm::Plan::runCompletionTasks):
+ (JSC::Wasm::Plan::addCompletionTask):
+ (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
+ * wasm/WasmPlan.h:
+ (JSC::Wasm::Plan::dontFinalize):
+ * wasm/WasmSignature.cpp:
+ * wasm/WasmSignature.h:
+ * wasm/WasmTable.cpp: Added.
+ (JSC::Wasm::Table::create):
+ (JSC::Wasm::Table::~Table):
+ (JSC::Wasm::Table::Table):
+ (JSC::Wasm::Table::grow):
+ (JSC::Wasm::Table::clearFunction):
+ (JSC::Wasm::Table::setFunction):
+ * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
+ (JSC::Wasm::Table::maximum const):
+ (JSC::Wasm::Table::size const):
+ (JSC::Wasm::Table::offsetOfSize):
+ (JSC::Wasm::Table::offsetOfFunctions):
+ (JSC::Wasm::Table::offsetOfInstances):
+ (JSC::Wasm::Table::isValidSize):
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
+ (JSC::Wasm::triggerOMGTierUpThunkGenerator):
+ (JSC::Wasm::Thunks::setThrowWasmException):
+ (JSC::Wasm::Thunks::throwWasmException):
+ * wasm/WasmThunks.h:
+ * wasm/WasmWorklist.cpp:
+ (JSC::Wasm::Worklist::stopAllPlansForContext):
+ * wasm/WasmWorklist.h:
+ * wasm/js/JSToWasm.cpp: Added.
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
+ * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
+ * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ (JSC::JSWebAssemblyCodeBlock::create):
+ (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
+ (JSC::JSWebAssemblyInstance::finishCreation):
+ (JSC::JSWebAssemblyInstance::visitChildren):
+ (JSC::JSWebAssemblyInstance::finalizeCreation):
+ (JSC::JSWebAssemblyInstance::create):
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::instance):
+ (JSC::JSWebAssemblyInstance::context const):
+ (JSC::JSWebAssemblyInstance::table):
+ (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
+ (JSC::JSWebAssemblyInstance::setMemory):
+ (JSC::JSWebAssemblyInstance::offsetOfTail):
+ (JSC::JSWebAssemblyInstance::importFunctionInfo):
+ (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
+ (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
+ (JSC::JSWebAssemblyInstance::importFunction):
+ (JSC::JSWebAssemblyInstance::internalMemory):
+ (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
+ (JSC::JSWebAssemblyInstance::offsetOfCallee):
+ (JSC::JSWebAssemblyInstance::offsetOfGlobals):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
+ (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
+ (JSC::JSWebAssemblyInstance::cachedStackLimit const):
+ (JSC::JSWebAssemblyInstance::setCachedStackLimit):
+ (JSC::JSWebAssemblyInstance::wasmMemory):
+ (JSC::JSWebAssemblyInstance::wasmModule):
+ (JSC::JSWebAssemblyInstance::allocationSize):
+ (JSC::JSWebAssemblyInstance::module const):
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::create):
+ (JSC::JSWebAssemblyMemory::adopt):
+ (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
+ (JSC::JSWebAssemblyMemory::grow):
+
(JSC::JSWebAssemblyMemory::growSuccessCallback):
+ * wasm/js/JSWebAssemblyMemory.h:
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::moduleInformation const):
+ (JSC::JSWebAssemblyModule::exportSymbolTable const):
+ (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
+ (JSC::JSWebAssemblyModule::callee const):
+ (JSC::JSWebAssemblyModule::codeBlock):
+ (JSC::JSWebAssemblyModule::module):
+ * wasm/js/JSWebAssemblyModule.h:
+ * wasm/js/JSWebAssemblyTable.cpp:
+ (JSC::JSWebAssemblyTable::create):
+ (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
+ (JSC::JSWebAssemblyTable::visitChildren):
+ (JSC::JSWebAssemblyTable::grow):
+ (JSC::JSWebAssemblyTable::getFunction):
+ (JSC::JSWebAssemblyTable::clearFunction):
+ (JSC::JSWebAssemblyTable::setFunction):
+ * wasm/js/JSWebAssemblyTable.h:
+ (JSC::JSWebAssemblyTable::isValidSize):
+ (JSC::JSWebAssemblyTable::maximum const):
+ (JSC::JSWebAssemblyTable::size const):
+ (JSC::JSWebAssemblyTable::table):
+ * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
+ (JSC::Wasm::materializeImportJSCell):
+ (JSC::Wasm::wasmToJS):
+ (JSC::Wasm::wasmToJSException):
+ * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::constructJSWebAssemblyInstance):
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ (JSC::constructJSWebAssemblyMemory):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::webAssemblyMemoryProtoFuncGrow):
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ (JSC::constructJSWebAssemblyModule):
+ (JSC::WebAssemblyModuleConstructor::createModule):
+ * wasm/js/WebAssemblyModuleConstructor.h:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ (JSC::WebAssemblyModuleRecord::evaluate):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyCompileFunc):
+ (JSC::instantiate):
+ (JSC::compileAndInstantiate):
+ (JSC::webAssemblyValidateFunc):
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ (JSC::constructJSWebAssemblyTable):
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::create):
+
+2017-10-02 Keith Miller
+
+ VMTraps shouldn't crash if it sees an exception it doesn't understand.
+ https://bugs.webkit.org/show_bug.cgi?id=177780
+
+ Reviewed by Mark Lam.
+
+ VMTraps could see a JIT breakpoint (SegV) for any number of
+ reasons it doesn't understand. e.g. a bug in JIT code, Wasm OOB,
+ etc. This patch makes it handle that case gracefully. It's worth
+ noting that this means there's no way to know if, due to a bug, we
+ didn't accurately track all the VMTraps we installed. I'm not sure
+ if there is a good solution to that problem though.
+
+ * runtime/VMTraps.cpp:
+
+2017-10-02 Saam Barati
+
+ Unreviewed. Add missing exception check for the custom-get-set-inline-caching-one-level-up-proto-chain.js
+ test that I added. It uncovered a pre-existing missing exception check.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+
+2017-10-02 Joseph Pecoraro
+
+ Web Inspector: Include Beacon and Ping requests in Network tab
+ https://bugs.webkit.org/show_bug.cgi?id=177641
+
+
+ Reviewed by Chris Dumez.
+
+ * inspector/protocol/Page.json:
+ Include new "Beacon" and "Ping" resource types.
+
+2017-10-02 Caio Lima
+
+ ChakraCore/test/Function/apply3.js is resulting wrong result in x86_64
+ https://bugs.webkit.org/show_bug.cgi?id=175642
+
+ Reviewed by Darin Adler.
+
+ According JS spec, the ToLength operation[1] has a range of 0..(2^53)
+ - 1. In Interpreter.cpp::sizeFrameForVarargs, the call to
+ sizeOfVarargs() was being assigned to "unsigned length", forcing a
+ type cast that results in different value among architectures JSC supports.
+ For instance, in x86_64 "4294967295 + 1" results in 0, while in ARMv6 it
+ results 4294967295. This patch is changing "sizeOfVarargs" to clamp the
+ result from "toLength" to unsigned and then get desired behavior for
+ all supported platforms.
+
+ [1] - https://tc39.github.io/ecma262/#sec-tolength
+
+ * interpreter/Interpreter.cpp:
+ (JSC::sizeOfVarargs):
+ * interpreter/Interpreter.h:
+
+2017-10-02 Saam Barati
+
+ Unreviewed. Fix debug assertion after r222671.
+
+ JSTestCustomGetterSetter::finishCreation needs to call its base's finishCreation implementation.
+
+ * jsc.cpp:
+ (JSTestCustomGetterSetter::finishCreation):
+
+2017-10-01 Commit Queue
+
+ Unreviewed, rolling out r222564.
+ https://bugs.webkit.org/show_bug.cgi?id=177720
+
+ "It regressed JetStream by 2% on iOS caused by a 50%
+ regression on the bigfib subtest" (Requested by saamyjoon on
+ #webkit).
+
+ Reverted changeset:
+
+ "Add Above/Below comparisons for UInt32 patterns"
+ https://bugs.webkit.org/show_bug.cgi?id=177281
+ http://trac.webkit.org/changeset/222564
+
+2017-09-29 Yusuke Suzuki
+
+ [DFG] Support ArrayPush with multiple args
+ https://bugs.webkit.org/show_bug.cgi?id=175823
+
+ Reviewed by Saam Barati.
+
+ Reviewed by Saam Barati.
+
+ This patch implements ArrayPush(with multiple arguments) in DFG and FTL. Previously, they are not handled
+ by ArrayPush. Then they go to generic direct call to Array#push and it does in slow path. This patch
+ extends ArrayPush to push multiple arguments in a bulk push manner.
+
+ The problem of ArrayPush is that we need to perform ArrayPush atomically: If OSR exit occurs in the middle
+ of ArrayPush, we incorrectly push pushed elements twice. Once we start pushing values, we should not exit.
+ But we do not want to iterate elements twice, once for type checks and once for actually pushing it. It
+ could move elements between registers and memory back and forth.
+
+ This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type
+ checks for elements are already done by separately emitted Check nodes.
+
+ We also add JSArray::pushInline for DFG operations just calling JSArray::push. And we also use it in
+ arrayProtoFuncPush's fast path.
+
+ This patch significantly improves performance of `push(multiple args)`.
+
+ baseline patched
+ Microbenchmarks:
+ array-push-0 461.8455+-28.9995 ^ 151.3438+-6.5653 ^ definitely 3.0516x faster
+ array-push-1 133.8845+-7.0349 ? 136.1775+-5.8327 ?
might be 1.0171x slower
+ array-push-2 675.6555+-13.4645 ^ 145.8747+-6.4621 ^ definitely 4.6318x faster
+ array-push-3 849.5284+-15.2540 ^ 253.4421+-9.1249 ^ definitely 3.3520x faster
+
+ baseline patched
+ SixSpeed:
+ spread-literal.es5 90.3482+-6.6514 ^ 24.8123+-2.3304 ^ definitely 3.6413x faster
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArrayPush):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStoreBarrierInsertionPhase.cpp:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
+ * jit/JITOperations.h:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncPush):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::push):
+ * runtime/JSArray.h:
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::pushInline):
+
+2017-09-29 Saam Barati
+
+ Custom GetterSetterAccessCase does not use the correct slotBase when making call
+ https://bugs.webkit.org/show_bug.cgi?id=177639
+
+ Reviewed by Geoffrey Garen.
+
+ The bug occurred when you had a custom set value. Custom set/get
+ values are passed the property holder, not the base of the access.
+ If we had an object chain like this:
+ o = {__proto__: thingWithCustomSetValue}
+
+ We would end up not providing thingWithCustomSetValue as the argument
+ to the PutValueFunc. The reason is, we would use generateConditionsForPrototypePropertyHitCustom
+ for custom sets. This would return to us an empty ConditionSet, because
+ the property holder was only one level up the prototype chain.
The reason + is, it didn't generate a condition for the slot holder, because the + protocol for custom set/get is that if an object responds to a custom + setter/getter, it will continue to respond to that getter/setter for + the lifetime of that object. Therefore, it's not strictly necessary to + generate an OPC for the slot base for custom accesses. However, AccessCase + uses !m_conditionSet.isEmtpy() to indicate that the IC is doing a prototype + access. With the above object "o", we were doing a prototype access, but we + had an empty condition set. This lead us to passing the base instead of + the property holder to the custom set value function, which is incorrect. + + With custom getters, we never called to into the generateConditionsForPrototypePropertyHitCustom + API. Gets would always call into generateConditionsForPrototypePropertyHit, which + will generate an OPC on the slot base, even if it isn't strictly necessary for custom accessors. + This patch simply removes generateConditionsForPrototypePropertyHitCustom + and aligns the set case with the get case. It makes us properly detect + when we're doing a prototype access with the above object "o". If we find + that generateConditionsForPrototypePropertyHitCustom was a worthwhile + optimization to have, we can re-introduce it. We'll just need to pipe through + a new notion of when we're doing prototype accesses that doesn't rely solely + on !m_conditionSet.isEmpty(). + + * bytecode/ObjectPropertyConditionSet.cpp: + (JSC::generateConditionsForPrototypePropertyHitCustom): Deleted. 
+ * bytecode/ObjectPropertyConditionSet.h: + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + * jsc.cpp: + (JSTestCustomGetterSetter::JSTestCustomGetterSetter): + (JSTestCustomGetterSetter::create): + (JSTestCustomGetterSetter::createStructure): + (customGetAccessor): + (customGetValue): + (customSetAccessor): + (customSetValue): + (JSTestCustomGetterSetter::finishCreation): + (GlobalObject::finishCreation): + (functionLoadGetterFromGetterSetter): + (functionCreateCustomTestGetterSetter): + * runtime/PropertySlot.h: + (JSC::PropertySlot::setCustomGetterSetter): + +2017-09-29 Commit Queue + + Unreviewed, rolling out r222563, r222565, and r222581. + https://bugs.webkit.org/show_bug.cgi?id=177675 + + "It causes a crash when playing youtube videos" (Requested by + saamyjoon on #webkit). + + Reverted changesets: + + "[DFG] Support ArrayPush with multiple args" + https://bugs.webkit.org/show_bug.cgi?id=175823 + http://trac.webkit.org/changeset/222563 + + "Unreviewed, build fix after r222563" + https://bugs.webkit.org/show_bug.cgi?id=175823 + http://trac.webkit.org/changeset/222565 + + "Unreviewed, fix x86 breaking due to exhausted registers" + https://bugs.webkit.org/show_bug.cgi?id=175823 + http://trac.webkit.org/changeset/222581 + +2017-09-29 Commit Queue + + Unreviewed, rolling out r222625. + https://bugs.webkit.org/show_bug.cgi?id=177664 + + causes crashes on iOS (Requested by pizlo-mbp on #webkit). + + Reverted changeset: + + "Enable gigacage on iOS" + https://bugs.webkit.org/show_bug.cgi?id=177586 + http://trac.webkit.org/changeset/222625 + +2017-09-28 Mark Lam + + test262: Unexpected passes after r222617 and r222618. + https://bugs.webkit.org/show_bug.cgi?id=177622 + + + Reviewed by Saam Barati. + + Now that these tests are marked as "normal", we will run them and discover a few + missing exception checks. This patch also adds those missing exception checks. 
+ + * runtime/DatePrototype.cpp: + (JSC::fillStructuresUsingDateArgs): + +2017-09-28 Mark Lam + + Add missing exception checks and book-keeping for exception check validation. + https://bugs.webkit.org/show_bug.cgi?id=177609 + + + Reviewed by Keith Miller. + + This resolves exception check validation failures when running test262 tests and + a few other tests. + + * API/APIUtils.h: + (handleExceptionIfNeeded): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectSetPrototype): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSTypedArray.cpp: + (JSObjectMakeTypedArray): + (JSObjectMakeTypedArrayWithBytesNoCopy): + (JSObjectMakeTypedArrayWithArrayBuffer): + (JSObjectMakeTypedArrayWithArrayBufferAndOffset): + (JSObjectMakeArrayBufferWithBytesNoCopy): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeProgram): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + * runtime/DatePrototype.cpp: + (JSC::fillStructuresUsingTimeArgs): + (JSC::setNewValueFromDateArgs): + (JSC::dateProtoFuncSetYear): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayViewWithArguments): + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::put): + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::toStringName): + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncCharAt): + 
(JSC::stringProtoFuncCharCodeAt): + (JSC::stringProtoFuncIndexOf): + (JSC::stringProtoFuncLastIndexOf): + (JSC::stringProtoFuncSlice): + (JSC::stringProtoFuncSplitFast): + (JSC::stringProtoFuncSubstr): + +2017-09-27 Michael Saboff + + REGRESSION(210837): RegExp containing failed non-zero minimum greedy groups incorrectly match + https://bugs.webkit.org/show_bug.cgi?id=177570 + + Reviewed by Filip Pizlo. + + The change in r210837 neglected to change the check in Interpreter::backtrackParentheses() that + greedy parenthesis have backtracked as far as possible. Prior to r210837, non-zero minimum greedy + parenthesis were factored into a fixed component and a zero-based variable component. After + r210837, the variable component is not zero based and the check needs to compare the + backTrack->matchAmount with the quantity iminimum count. + + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::backtrackParentheses): + +2017-09-28 Michael Saboff + + Heap out of bounds read in JSC::Yarr::Parser::peek() + https://bugs.webkit.org/show_bug.cgi?id=177423 + + Reviewed by Mark Lam. + + Updated fix that restructures that changes the do ... while to a while and adds another + atEndOfPattern() check before looking for the first named group identifier character. + + * yarr/YarrParser.h: + (JSC::Yarr::Parser::tryConsumeGroupName): + +2017-09-27 Mark Lam + + JSArray::canFastCopy() should fail if the source and destination arrays are the same. + https://bugs.webkit.org/show_bug.cgi?id=177584 + + + Reviewed by Saam Barati. + + If the source and destination arrays are the same, we may be copying overlapping + regions. Hence, we need to take the slow path. 
+ + * runtime/JSArrayInlines.h: + (JSC::JSArray::canFastCopy): + +2017-09-27 Saam Barati + + Propagate hasBeenFlattenedBefore in Structure's transition constructor and fix our for-in caching to fail when the prototype chain has an object with a dictionary structure + https://bugs.webkit.org/show_bug.cgi?id=177523 + + Reviewed by Mark Lam. + + There was a bug in Structure's transition constructor where it didn't + propagate forward the hasBeenFlattenedBefore bit. In practice, this meant + that every time we asked a dictionary structure if it has been flattened + before, it would return false. This patch fixes this bug. It also fixes + a bug that this uncovers in our for-in implementation. Our implementation + would cache the property name enumerator even when the prototype chain + included a structure that is as dictionary. This is wrong because that + prototype object may add properties without transitioning, and the for-in + loop would vend a stale set of prototype properties. + + * jit/JITOperations.cpp: + * runtime/JSPropertyNameEnumerator.h: + (JSC::propertyNameEnumerator): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::canCachePropertyNameEnumerator const): + +2017-09-27 Mark Lam + + Yarr::Parser::tryConsumeGroupName() should check for the end of the pattern. + https://bugs.webkit.org/show_bug.cgi?id=177423 + + + Reviewed by Keith Miller. + + * yarr/YarrParser.h: + (JSC::Yarr::Parser::tryConsumeGroupName): + +2017-09-27 Yusuke Suzuki + + Unreviewed, fix x86 breaking due to exhausted registers + https://bugs.webkit.org/show_bug.cgi?id=175823 + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + +2017-09-27 Yusuke Suzuki + + Unreviewed, build fix after r222563 + https://bugs.webkit.org/show_bug.cgi?id=175823 + + * runtime/JSArrayInlines.h: + +2017-09-27 Yusuke Suzuki + + Add Above/Below comparisons for UInt32 patterns + https://bugs.webkit.org/show_bug.cgi?id=177281 + + Reviewed by Saam Barati. 
+ + Sometimes, we would like to have UInt32 operations in JS. While VM does + not support UInt32 nicely, VM supports efficient Int32 operations. As long + as signedness does not matter, we can just perform Int32 operations instead + and recognize its bit pattern as UInt32. + + But of course, some operations respect signedness. The most frequently + used one is comparison. Octane/zlib performs UInt32 comparison by performing + `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces + UInt32 in Int32 form. And op_unsigned will generate Double value if + the generated Int32 is < 0 (which should be UInt32). + + There is a chance for optimization. The given code pattern is the following. + + op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2)) + + This can be converted to the following. + + op_urshift(@1) below:< op_urshift(@2) + + The above conversion is nice since + + 1. We can avoid op_unsigned. This could be unsignedness check in DFG. Since + this check depends on the value of Int32, dropping this check is not as easy as + removing Int32 edge filters. + + 2. We can perform unsigned comparison in Int32 form. We do not need to convert + them to DoubleRep. + + Since the above comparison exists in Octane/zlib's *super* hot path, dropping + op_unsigned offers huge win. + + At first, my patch attempts to convert the above thing in DFG pipeline. + However it poses several problems. + + 1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live. + 2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes, + + 2: UInt32ToNumber(@0) + 3: MovHint(@2, xxx) + 4: UInt32ToNumber(@1) + 5: MovHint(@1, xxx) + + we could drop @5's MovHint. But @3 is difficult since @4 can exit. + + So, instead, we start introducing a simple optimization in the bytecode compiler. + It performs pattern matching for op_urshift and comparison to drop op_unsigned. + We adds op_below and op_above families to bytecodes. 
They only accept Int32 and + perform unsigned comparison. + + This offers 4% performance improvement in Octane/zlib. + + baseline patched + + zlib x2 431.07483+-16.28434 414.33407+-9.38375 might be 1.0404x faster + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printCompareJump): + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeDumper.h: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/Opcode.h: + (JSC::isBranch): + * bytecode/PreciseJumpTargetsInlines.h: + (JSC::extractStoredJumpTargetsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitJumpIfTrue): + (JSC::BytecodeGenerator::emitJumpIfFalse): + * bytecompiler/NodesCodegen.cpp: + (JSC::BinaryOpNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGIntegerRangeOptimizationPhase.cpp: + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCompareUnsigned): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow): + 
(JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITArithmetic.cpp: + (JSC::JIT::emit_op_below): + (JSC::JIT::emit_op_beloweq): + (JSC::JIT::emit_op_jbelow): + (JSC::JIT::emit_op_jbeloweq): + (JSC::JIT::emit_compareUnsignedAndJump): + (JSC::JIT::emit_compareUnsigned): + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emit_compareUnsignedAndJump): + (JSC::JIT::emit_compareUnsigned): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * parser/Nodes.h: + (JSC::ExpressionNode::isBinaryOpNode const): + +2017-09-25 Yusuke Suzuki + + [DFG] Support ArrayPush with multiple args + https://bugs.webkit.org/show_bug.cgi?id=175823 + + Reviewed by Saam Barati. + + This patch implements ArrayPush(with multiple arguments) in DFG and FTL. Previously, they are not handled + by ArrayPush. Then they go to generic direct call to Array#push and it does in slow path. This patch + extends ArrayPush to push multiple arguments in a bulk push manner. + + The problem of ArrayPush is that we need to perform ArrayPush atomically: If OSR exit occurs in the middle + of ArrayPush, we incorrectly push pushed elements twice. Once we start pushing values, we should not exit. + But we do not want to iterate elements twice, once for type checks and once for actually pushing it. It + could move elements between registers and memory back and forth. + + This patch achieves the above goal by separating type checks from ArrayPush. When starting ArrayPush, type + checks for elements are already done by separately emitted Check nodes. + + We also add JSArray::pushInline for DFG operations just calling JSArray::push. And we also use it in + arrayProtoFuncPush's fast path. + + This patch significantly improves performance of `push(multiple args)`. 
+ + baseline patched + Microbenchmarks: + array-push-0 461.8455+-28.9995 ^ 151.3438+-6.5653 ^ definitely 3.0516x faster + array-push-1 133.8845+-7.0349 ? 136.1775+-5.8327 ? might be 1.0171x slower + array-push-2 675.6555+-13.4645 ^ 145.8747+-6.4621 ^ definitely 4.6318x faster + array-push-3 849.5284+-15.2540 ^ 253.4421+-9.1249 ^ definitely 3.3520x faster + + baseline patched + SixSpeed: + spread-literal.es5 90.3482+-6.6514 ^ 24.8123+-2.3304 ^ definitely 3.6413x faster + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArrayPush): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStoreBarrierInsertionPhase.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): + * jit/JITOperations.h: + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncPush): + * runtime/JSArray.cpp: + (JSC::JSArray::push): + * runtime/JSArray.h: + * runtime/JSArrayInlines.h: + (JSC::JSArray::pushInline): + +2017-09-26 Joseph Pecoraro + + Web Inspector: Remove unused parameter of Page.reload + https://bugs.webkit.org/show_bug.cgi?id=177522 + + Reviewed by Matt Baker. + + * inspector/protocol/Page.json: + +2017-09-26 Filip Pizlo + + Put g_gigacageBasePtr into its own page and make it read-only + https://bugs.webkit.org/show_bug.cgi?id=174972 + + Reviewed by Michael Saboff. + + C++ code doesn't have to know about this change. That includes C++ code that generates JIT code. + + But the offline assembler now needs to know about how to load from offsets of global variables. + This turned out to be easy to support by extending the existing expression support. 
+ + * llint/LowLevelInterpreter64.asm: + * offlineasm/ast.rb: + * offlineasm/parser.rb: + * offlineasm/transform.rb: + * offlineasm/x86.rb: + +2017-09-26 Commit Queue + + Unreviewed, rolling out r222518. + https://bugs.webkit.org/show_bug.cgi?id=177507 + + Break the High Sierra build (Requested by yusukesuzuki on + #webkit). + + Reverted changeset: + + "Add Above/Below comparisons for UInt32 patterns" + https://bugs.webkit.org/show_bug.cgi?id=177281 + http://trac.webkit.org/changeset/222518 + +2017-09-26 Yusuke Suzuki + + Add Above/Below comparisons for UInt32 patterns + https://bugs.webkit.org/show_bug.cgi?id=177281 + + Reviewed by Saam Barati. + + Sometimes, we would like to have UInt32 operations in JS. While VM does + not support UInt32 nicely, VM supports efficient Int32 operations. As long + as signedness does not matter, we can just perform Int32 operations instead + and recognize its bit pattern as UInt32. + + But of course, some operations respect signedness. The most frequently + used one is comparison. Octane/zlib performs UInt32 comparison by performing + `val >>> 0`. It emits op_urshift and op_unsigned. op_urshift produces + UInt32 in Int32 form. And op_unsigned will generate Double value if + the generated Int32 is < 0 (which should be UInt32). + + There is a chance for optimization. The given code pattern is the following. + + op_unsigned(op_urshift(@1)) lessThan:< op_unsigned(op_urshift(@2)) + + This can be converted to the following. + + op_urshift(@1) below:< op_urshift(@2) + + The above conversion is nice since + + 1. We can avoid op_unsigned. This could be unsignedness check in DFG. Since + this check depends on the value of Int32, dropping this check is not as easy as + removing Int32 edge filters. + + 2. We can perform unsigned comparison in Int32 form. We do not need to convert + them to DoubleRep. + + Since the above comparison exists in Octane/zlib's *super* hot path, dropping + op_unsigned offers huge win. 
+ + At first, my patch attempts to convert the above thing in DFG pipeline. + However it poses several problems. + + 1. MovHint is not well removed. It makes UInt32ToNumber (which is for op_unsigned) live. + 2. UInt32ToNumber could cause an OSR exit. So if we have the following nodes, + + 2: UInt32ToNumber(@0) + 3: MovHint(@2, xxx) + 4: UInt32ToNumber(@1) + 5: MovHint(@1, xxx) + + we could drop @5's MovHint. But @3 is difficult since @4 can exit. + + So, instead, we start introducing a simple optimization in the bytecode compiler. + It performs pattern matching for op_urshift and comparison to drop op_unsigned. + We adds op_below and op_above families to bytecodes. They only accept Int32 and + perform unsigned comparison. + + This offers 4% performance improvement in Octane/zlib. + + baseline patched + + zlib x2 431.07483+-16.28434 414.33407+-9.38375 might be 1.0404x faster + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printCompareJump): + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeDumper.h: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/Opcode.h: + (JSC::isBranch): + * bytecode/PreciseJumpTargetsInlines.h: + (JSC::extractStoredJumpTargetsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitJumpIfTrue): + (JSC::BytecodeGenerator::emitJumpIfFalse): + * bytecompiler/NodesCodegen.cpp: + (JSC::BinaryOpNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGIntegerRangeOptimizationPhase.cpp: + * dfg/DFGNodeType.h: + * 
dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCompareUnsigned): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelow): + (JSC::FTL::DFG::LowerDFGToB3::compileCompareBelowEq): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITArithmetic.cpp: + (JSC::JIT::emit_op_below): + (JSC::JIT::emit_op_beloweq): + (JSC::JIT::emit_op_jbelow): + (JSC::JIT::emit_op_jbeloweq): + (JSC::JIT::emit_compareUnsignedAndJump): + (JSC::JIT::emit_compareUnsigned): + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emit_compareUnsignedAndJump): + (JSC::JIT::emit_compareUnsigned): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * parser/Nodes.h: + (JSC::ExpressionNode::isBinaryOpNode const): + +2017-09-24 Keith Miller + + JSC build should use unified sources for derived sources + https://bugs.webkit.org/show_bug.cgi?id=177421 + + Reviewed by JF Bastien. + + This patch make a couple of changes: + + 1) Make derived sources added to relevant bundles. I was going to add JSCBuiltins.cpp + to runtime but that kept breaking the windows build. I'll get back to it later + 2) Move the derived location of some sources both for clarity and for ease of use. + 3) Make auto generator scripts able to create directories if needed. + 4) Move some scripts from the top level of the JavaScriptCore directory to a + more appropriate directory. 
+ 5) Move some CMake generation commands around for clarity. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/lazywriter.py: + (LazyFileWriter.close): + * Sources.txt: + * inspector/scripts/generate-inspector-protocol-bindings.py: + (IncrementalFileWriter.close): + * yarr/create_regex_tables: Renamed from Source/JavaScriptCore/create_regex_tables. + * yarr/generateYarrCanonicalizeUnicode: Renamed from Source/JavaScriptCore/generateYarrCanonicalizeUnicode. + +2017-09-26 Zan Dobersek + + Support building JavaScriptCore with the Bionic C library + https://bugs.webkit.org/show_bug.cgi?id=177427 + + Reviewed by Michael Catanzaro. + + When compiling with the Bionic C library, the MachineContext.h header + should enable the same code paths that are enabled for the GNU C library. + + The Bionic C library defines the __BIONIC__ macro, but unlike other C + libraries that mimic the GNU one, it doesn't define __GLIBC__. So the + __BIONIC__ macro checks have to match the __GLIBC__ ones. + + * runtime/MachineContext.h: + (JSC::MachineContext::stackPointer): + (JSC::MachineContext::framePointer): + (JSC::MachineContext::instructionPointer): + (JSC::MachineContext::argumentPointer<1>): + (JSC::MachineContext::llintInstructionPointer): + +2017-09-25 Devin Rousso + + Web Inspector: move Console.addInspectedNode to DOM.setInspectedNode + https://bugs.webkit.org/show_bug.cgi?id=176827 + + Reviewed by Joseph Pecoraro. + + * inspector/agents/InspectorConsoleAgent.h: + + * inspector/agents/JSGlobalObjectConsoleAgent.h: + * inspector/agents/JSGlobalObjectConsoleAgent.cpp: + (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode): Deleted. + + * inspector/protocol/Console.json: + * inspector/protocol/DOM.json: + +2017-09-25 Ryan Haddad + + Unreviewed, rebaseline builtins generator tests after r222473. 
+ + * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result: + +2017-09-25 Alex Christensen + + Make Attribute an enum class + https://bugs.webkit.org/show_bug.cgi?id=177414 + + Reviewed by Yusuke Suzuki. + + I've had enough of these naming collisions. This is what enum classes are for. + Unfortunately a lot of static_cast is necessary until those functions take + an OptionSet instead of an unsigned parameter, but this is a big step + towards where we ought to be. + + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getOwnPropertySlot): + * API/JSObjectRef.cpp: + (JSObjectMakeConstructor): + * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py: + (BuiltinsInternalsWrapperImplementationGenerator.property_macro): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): + (JSC::GetByIdStatus::computeFor): + * bytecode/PropertyCondition.cpp: + (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): + (JSC::PropertyCondition::isValidValueForAttributes): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFor): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::instantiateLexicalVariables): + (JSC::BytecodeGenerator::variable): + * bytecompiler/BytecodeGenerator.h: + (JSC::Variable::isReadOnly const): + (JSC::Variable::setIsReadOnly): + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitBytecode): + * create_hash_table: + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::getOwnPropertySlot): + * dfg/DFGOperations.cpp: + * inspector/JSInjectedScriptHostPrototype.cpp: + (Inspector::JSInjectedScriptHostPrototype::finishCreation): + * inspector/JSJavaScriptCallFramePrototype.cpp: + (Inspector::JSJavaScriptCallFramePrototype::finishCreation): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + * jsc.cpp: + (WTF::CustomGetter::getOwnPropertySlot): + (WTF::RuntimeArray::getOwnPropertySlot): + 
(WTF::RuntimeArray::getOwnPropertySlotByIndex): + (WTF::DOMJITGetter::finishCreation): + (WTF::DOMJITGetterComplex::finishCreation): + (WTF::DOMJITFunctionObject::finishCreation): + (WTF::DOMJITCheckSubClassObject::finishCreation): + (GlobalObject::finishCreation): + * runtime/ArrayConstructor.cpp: + (JSC::ArrayConstructor::finishCreation): + * runtime/ArrayIteratorPrototype.cpp: + (JSC::ArrayIteratorPrototype::finishCreation): + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + * runtime/AsyncFromSyncIteratorPrototype.cpp: + (JSC::AsyncFromSyncIteratorPrototype::finishCreation): + * runtime/AsyncFunctionConstructor.cpp: + (JSC::AsyncFunctionConstructor::finishCreation): + * runtime/AsyncFunctionPrototype.cpp: + (JSC::AsyncFunctionPrototype::finishCreation): + * runtime/AsyncGeneratorFunctionConstructor.cpp: + (JSC::AsyncGeneratorFunctionConstructor::finishCreation): + * runtime/AsyncGeneratorFunctionPrototype.cpp: + (JSC::AsyncGeneratorFunctionPrototype::finishCreation): + * runtime/AsyncGeneratorPrototype.cpp: + (JSC::AsyncGeneratorPrototype::finishCreation): + * runtime/AsyncIteratorPrototype.cpp: + (JSC::AsyncIteratorPrototype::finishCreation): + * runtime/AtomicsObject.cpp: + (JSC::AtomicsObject::finishCreation): + * runtime/BooleanConstructor.cpp: + (JSC::BooleanConstructor::finishCreation): + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::createStructure): + (JSC::ClonedArguments::getOwnPropertySlot): + (JSC::ClonedArguments::materializeSpecials): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/ConsoleObject.cpp: + (JSC::ConsoleObject::finishCreation): + * runtime/DateConstructor.cpp: + (JSC::DateConstructor::finishCreation): + * runtime/DatePrototype.cpp: + (JSC::DatePrototype::finishCreation): + * runtime/DirectArguments.cpp: + (JSC::DirectArguments::overrideThings): + * runtime/Error.cpp: + (JSC::addErrorInfo): + * runtime/ErrorConstructor.cpp: + (JSC::ErrorConstructor::finishCreation): + * 
runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::finishCreation): + * runtime/ErrorPrototype.cpp: + (JSC::ErrorPrototype::finishCreation): + * runtime/FunctionConstructor.cpp: + (JSC::FunctionConstructor::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::finishCreation): + (JSC::FunctionPrototype::addFunctionProperties): + (JSC::FunctionPrototype::initRestrictedProperties): + * runtime/GeneratorFunctionConstructor.cpp: + (JSC::GeneratorFunctionConstructor::finishCreation): + * runtime/GeneratorFunctionPrototype.cpp: + (JSC::GeneratorFunctionPrototype::finishCreation): + * runtime/GeneratorPrototype.cpp: + (JSC::GeneratorPrototype::finishCreation): + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::getOwnPropertySlot): + (JSC::GenericArguments::getOwnPropertySlotByIndex): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::finishCreation): + * runtime/IntlCollatorConstructor.cpp: + (JSC::IntlCollatorConstructor::finishCreation): + * runtime/IntlDateTimeFormatConstructor.cpp: + (JSC::IntlDateTimeFormatConstructor::finishCreation): + * runtime/IntlDateTimeFormatPrototype.cpp: + (JSC::IntlDateTimeFormatPrototype::finishCreation): + * runtime/IntlNumberFormatConstructor.cpp: + (JSC::IntlNumberFormatConstructor::finishCreation): + * runtime/IntlObject.cpp: + (JSC::IntlObject::finishCreation): + * runtime/IteratorPrototype.cpp: + (JSC::IteratorPrototype::finishCreation): + * runtime/JSArray.cpp: + (JSC::JSArray::getOwnPropertySlot): + (JSC::JSArray::setLengthWithArrayStorage): + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSArrayBufferConstructor::finishCreation): + * runtime/JSArrayBufferPrototype.cpp: + (JSC::JSArrayBufferPrototype::finishCreation): + * runtime/JSBoundFunction.cpp: + (JSC::JSBoundFunction::finishCreation): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + * runtime/JSDataView.cpp: + (JSC::JSDataView::getOwnPropertySlot): + * runtime/JSDataViewPrototype.cpp: + 
(JSC::JSDataViewPrototype::finishCreation):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::finishCreation):
+ (JSC::JSFunction::getOwnPropertySlot):
+ (JSC::JSFunction::defineOwnProperty):
+ (JSC::JSFunction::reifyLength):
+ (JSC::JSFunction::reifyName):
+ (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::JSGenericTypedArrayViewConstructor::finishCreation):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlot):
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlotByIndex):
+ * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
+ (JSC::JSGenericTypedArrayViewPrototype::finishCreation):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::addStaticGlobals):
+ * runtime/JSLexicalEnvironment.cpp:
+ (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::finishCreation):
+ (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
+ * runtime/JSONObject.cpp:
+ (JSC::JSONObject::finishCreation):
+ * runtime/JSObject.cpp:
+ (JSC::getClassPropertyNames):
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::ordinarySetSlow):
+ (JSC::JSObject::putInlineSlow):
+ (JSC::JSObject::putGetter):
+ (JSC::JSObject::putSetter):
+ (JSC::JSObject::putDirectAccessor):
+ (JSC::JSObject::putDirectCustomAccessor):
+ (JSC::JSObject::putDirectNonIndexAccessor):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::putIndexedDescriptor):
+ (JSC::JSObject::defineOwnIndexedProperty):
+ (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
+ (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ (JSC::putDescriptor):
+ (JSC::validateAndApplyPropertyDescriptor):
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirect):
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putDirectWithoutTransition):
+ (JSC::JSObject::putDirectInternal):
+ * runtime/JSPromiseConstructor.cpp:
+ (JSC::JSPromiseConstructor::finishCreation):
+ (JSC::JSPromiseConstructor::addOwnInternalSlots):
+ * runtime/JSPromisePrototype.cpp:
+ (JSC::JSPromisePrototype::finishCreation):
+ (JSC::JSPromisePrototype::addOwnInternalSlots):
+ * runtime/JSString.cpp:
+ (JSC::JSString::getStringPropertyDescriptor):
+ * runtime/JSString.h:
+ (JSC::JSString::getStringPropertySlot):
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::symbolTableGet):
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ (JSC::JSTypedArrayViewConstructor::finishCreation):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSTypedArrayViewPrototype::finishCreation):
+ * runtime/LazyClassStructure.cpp:
+ (JSC::LazyClassStructure::Initializer::setConstructor):
+ * runtime/Lookup.cpp:
+ (JSC::reifyStaticAccessor):
+ (JSC::setUpStaticFunctionSlot):
+ * runtime/Lookup.h:
+ (JSC::HashTableValue::intrinsic const):
+ (JSC::HashTableValue::builtinGenerator const):
+ (JSC::HashTableValue::function const):
+ (JSC::HashTableValue::functionLength const):
+ (JSC::HashTableValue::propertyGetter const):
+ (JSC::HashTableValue::propertyPutter const):
+ (JSC::HashTableValue::domJIT const):
+ (JSC::HashTableValue::signature const):
+ (JSC::HashTableValue::accessorGetter const):
+ (JSC::HashTableValue::accessorSetter const):
+ (JSC::HashTableValue::constantInteger const):
+ (JSC::HashTableValue::lazyCellPropertyOffset const):
+ (JSC::HashTableValue::lazyClassStructureOffset const):
+ (JSC::HashTableValue::lazyPropertyCallback const):
+ (JSC::HashTableValue::builtinAccessorGetterGenerator const):
+ (JSC::HashTableValue::builtinAccessorSetterGenerator const):
+ (JSC::getStaticPropertySlotFromTable):
+ (JSC::putEntry):
+ (JSC::reifyStaticProperty):
+ * runtime/MapConstructor.cpp:
+ (JSC::MapConstructor::finishCreation):
+ * runtime/MapIteratorPrototype.cpp:
+ (JSC::MapIteratorPrototype::finishCreation):
+ * runtime/MapPrototype.cpp:
+ (JSC::MapPrototype::finishCreation):
+ * runtime/MathObject.cpp:
+ (JSC::MathObject::finishCreation):
+ * runtime/NativeErrorConstructor.cpp:
+ (JSC::NativeErrorConstructor::finishCreation):
+ * runtime/NativeErrorPrototype.cpp:
+ (JSC::NativeErrorPrototype::finishCreation):
+ * runtime/NumberConstructor.cpp:
+ (JSC::NumberConstructor::finishCreation):
+ * runtime/NumberPrototype.cpp:
+ (JSC::NumberPrototype::finishCreation):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation):
+ (JSC::objectConstructorAssign):
+ (JSC::objectConstructorValues):
+ (JSC::objectConstructorDefineProperty):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::ObjectPrototype::finishCreation):
+ (JSC::objectProtoFuncLookupGetter):
+ (JSC::objectProtoFuncLookupSetter):
+ * runtime/ProgramExecutable.cpp:
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ * runtime/PropertyDescriptor.cpp:
+ (JSC::PropertyDescriptor::writable const):
+ (JSC::PropertyDescriptor::enumerable const):
+ (JSC::PropertyDescriptor::configurable const):
+ (JSC::PropertyDescriptor::setUndefined):
+ (JSC::PropertyDescriptor::setDescriptor):
+ (JSC::PropertyDescriptor::setCustomDescriptor):
+ (JSC::PropertyDescriptor::setAccessorDescriptor):
+ (JSC::PropertyDescriptor::setWritable):
+ (JSC::PropertyDescriptor::setEnumerable):
+ (JSC::PropertyDescriptor::setConfigurable):
+ (JSC::PropertyDescriptor::setSetter):
+ (JSC::PropertyDescriptor::setGetter):
+ (JSC::PropertyDescriptor::attributesEqual const):
+ (JSC::PropertyDescriptor::attributesOverridingCurrent const):
+ * runtime/PropertySlot.cpp:
+ (JSC::PropertySlot::customGetter const):
+ * runtime/PropertySlot.h:
+ (JSC::operator| ):
+ (JSC::operator&):
+ (JSC::operator<):
+ (JSC::operator~):
+ (JSC::operator|=):
+ (JSC::PropertySlot::setUndefined):
+ * runtime/ProxyConstructor.cpp:
+ (JSC::makeRevocableProxy):
+ (JSC::ProxyConstructor::finishCreation):
+ * runtime/ProxyObject.cpp:
+ (JSC::ProxyObject::performHasProperty):
+ * runtime/ProxyRevoke.cpp:
+ (JSC::ProxyRevoke::finishCreation):
+ * runtime/ReflectObject.cpp:
+ (JSC::ReflectObject::finishCreation):
+ (JSC::reflectObjectDefineProperty):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::RegExpConstructor::finishCreation):
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::getOwnPropertySlot):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::RegExpPrototype::finishCreation):
+ * runtime/ScopedArguments.cpp:
+ (JSC::ScopedArguments::overrideThings):
+ * runtime/SetConstructor.cpp:
+ (JSC::SetConstructor::finishCreation):
+ * runtime/SetIteratorPrototype.cpp:
+ (JSC::SetIteratorPrototype::finishCreation):
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+ * runtime/SparseArrayValueMap.cpp:
+ (JSC::SparseArrayValueMap::putDirect):
+ (JSC::SparseArrayEntry::put):
+ * runtime/StringConstructor.cpp:
+ (JSC::StringConstructor::finishCreation):
+ * runtime/StringIteratorPrototype.cpp:
+ (JSC::StringIteratorPrototype::finishCreation):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+ * runtime/Structure.cpp:
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::isSealed):
+ (JSC::Structure::isFrozen):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::prototypeChainMayInterceptStoreTo):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::add):
+ * runtime/SymbolConstructor.cpp:
+ (JSC::SymbolConstructor::finishCreation):
+ * runtime/SymbolPrototype.cpp:
+ (JSC::SymbolPrototype::finishCreation):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::Fast::getAttributes const):
+ (JSC::SymbolTableEntry::SymbolTableEntry):
+ (JSC::SymbolTableEntry::setAttributes):
+ * runtime/TemplateRegistry.cpp:
+ (JSC::TemplateRegistry::getTemplateObject):
+ * runtime/WeakMapConstructor.cpp:
+ (JSC::WeakMapConstructor::finishCreation):
+ * runtime/WeakMapPrototype.cpp:
+ (JSC::WeakMapPrototype::finishCreation):
+ * runtime/WeakSetConstructor.cpp:
+ (JSC::WeakSetConstructor::finishCreation):
+ * runtime/WeakSetPrototype.cpp:
+ (JSC::WeakSetPrototype::finishCreation):
+ * tools/JSDollarVMPrototype.cpp:
+ (JSC::JSDollarVMPrototype::finishCreation):
+ * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+ (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::WebAssemblyInstanceConstructor::finishCreation):
+ * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
+ (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ (JSC::WebAssemblyMemoryConstructor::finishCreation):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ (JSC::WebAssemblyModuleConstructor::finishCreation):
+ * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
+ (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ (JSC::WebAssemblyTableConstructor::finishCreation):
+
+2017-09-23 Oleksandr Skachkov
+
+ [ESNext] Async iteration - Implement Async Generator - optimization
+ https://bugs.webkit.org/show_bug.cgi?id=175891
+
+ Reviewed by Yusuke Suzuki.
+
+ Add small optimization for async generators:
+ 1. merging async generator queue to async generator itself
+ generator.@first / generator.@last is enough, by doing so,
+ we remove one unnecessary object alloc.
+ 2. merging request with queue.
+
+ * builtins/AsyncGeneratorPrototype.js:
+ (globalPrivate.asyncGeneratorQueueIsEmpty):
+ (globalPrivate.asyncGeneratorQueueCreateItem):
+ (globalPrivate.asyncGeneratorQueueEnqueue):
+ (globalPrivate.asyncGeneratorQueueDequeue):
+ (globalPrivate.asyncGeneratorDequeue):
+ (globalPrivate.isSuspendYieldState):
+ (globalPrivate.asyncGeneratorEnqueue):
+ * builtins/BuiltinNames.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionNode::emitBytecode):
+
+2017-09-23 Joseph Pecoraro
+
+ test262: $.agent became $262.agent in test262 update
+ https://bugs.webkit.org/show_bug.cgi?id=177407
+
+ Reviewed by Yusuke Suzuki.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ Alias `$` and `$262` for now.
+
+2017-09-22 Keith Miller
+
+ Speculatively change iteration protocall to use the same next function
+ https://bugs.webkit.org/show_bug.cgi?id=175653
+
+ Reviewed by Saam Barati.
+
+ This patch speculatively makes a change to the iteration protocall to fetch the next
+ property immediately after calling the Symbol.iterator function. This is, in theory,
+ a breaking change, so we will see if this breaks things (most likely it won't as this
+ is a relatively subtle point).
+
+ See: https://github.com/tc39/ecma262/issues/976
+
+ * builtins/IteratorHelpers.js:
+ (performIteration):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEnumeration):
+ (JSC::BytecodeGenerator::emitIteratorNext):
+ (JSC::BytecodeGenerator::emitIteratorNextWithValue):
+ (JSC::BytecodeGenerator::emitDelegateYield):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayPatternNode::bindValue const):
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::iteratorEntries):
+ * runtime/IteratorOperations.cpp:
+ (JSC::iteratorNext):
+ (JSC::iteratorStep):
+ (JSC::iteratorClose):
+ (JSC::iteratorForIterable):
+ * runtime/IteratorOperations.h:
+ (JSC::forEachInIterable):
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewFromIterator):
+ (JSC::constructGenericTypedArrayViewWithArguments):
+
+2017-09-22 Fujii Hironori
+
+ [Win64] Crashes in Yarr JIT compiled code
+ https://bugs.webkit.org/show_bug.cgi?id=177293
+
+ Reviewed by Yusuke Suzuki.
+
+ In x64 Windows, rcx register is used for the address of allocated
+ space for the return value. But, rcx is used for regT1 since
+ r221052. Save rcx in the stack.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateEnter): Push ecx.
+ (JSC::Yarr::YarrGenerator::generateReturn): Pop ecx.
+
+2017-09-22 Saam Barati
+
+ Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
+ https://bugs.webkit.org/show_bug.cgi?id=177368
+
+ Reviewed by Keith Miller.
+
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::finishCreation):
+ (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
+ (JSC::ErrorInstance::visitChildren):
+
+2017-09-22 Yusuke Suzuki
+
+ [DFG][FTL] Profile array vector length for array allocation
+ https://bugs.webkit.org/show_bug.cgi?id=177051
+
+ Reviewed by Saam Barati.
+
+ Currently, NewArrayBuffer allocation is penalized by JSC: While empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
+ new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get larger vector size
+ if the number of its constant elements is larger than 3. But these created array may be grown by `push()` operation after
+ the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
+
+ empty array allocation,
+
+ var array = [];
+ array.push(0);
+ array.push(1);
+ array.push(2);
+ array.push(3);
+ array.push(4);
+
+ v.s. new_array_buffer case,
+
+ var array = [0];
+ array.push(1);
+ array.push(2);
+ array.push(3);
+ array.push(4);
+
+ In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
+ we should allocate 3 to 25 vector size if it is likely grown. So we should get profile on the resulted array.
+
+ We select 25 to make it fit to one of size classes.
+
+ In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
+ If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
+ is larger than 25, we just use it for allocation as before.
+
+ Added microbenchmark and SixSpeed spread-literal.es5 shows improvement.
+
+ new-array-buffer-vector-profile 67.4706+-3.7625 ^ 28.4249+-1.9025 ^ definitely 2.3736x faster
+ spread-literal.es5 133.1443+-9.2253 ^ 95.2667+-0.5740 ^ definitely 1.3976x faster
+
+ * bytecode/ArrayAllocationProfile.cpp:
+ (JSC::ArrayAllocationProfile::updateProfile):
+ (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
+ * bytecode/ArrayAllocationProfile.h:
+ (JSC::ArrayAllocationProfile::selectIndexingType):
+ (JSC::ArrayAllocationProfile::vectorLengthHint):
+ (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::updateAllArrayPredictions):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::vectorLengthHint):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
+ * runtime/ArrayConventions.h:
+ * runtime/JSArray.h:
+ (JSC::JSArray::tryCreate):
+
+2017-09-22 Commit Queue
+
+ Unreviewed, rolling out r222380.
+ https://bugs.webkit.org/show_bug.cgi?id=177352
+
+ Octane/box2d shows 8% regression (Requested by yusukesuzuki on
+ #webkit).
+
+ Reverted changeset:
+
+ "[DFG][FTL] Profile array vector length for array allocation"
+ https://bugs.webkit.org/show_bug.cgi?id=177051
+ http://trac.webkit.org/changeset/222380
+
+2017-09-21 Yusuke Suzuki
+
+ [DFG][FTL] Profile array vector length for array allocation
+ https://bugs.webkit.org/show_bug.cgi?id=177051
+
+ Reviewed by Saam Barati.
+
+ Currently, NewArrayBuffer allocation is penalized by JSC: While empty array gets 25 vector size (BASE_CONTIGUOUS_VECTOR_LEN),
+ new_array_buffer case gets 3 vector size (BASE_CONTIGUOUS_VECTOR_LEN). Surely, new_array_buffer can get larger vector size
+ if the number of its constant elements is larger than 3. But these created array may be grown by `push()` operation after
+ the allocation. In this case, new_array_buffer is penalized compared to empty array allocation.
+
+ empty array allocation,
+
+ var array = [];
+ array.push(0);
+ array.push(1);
+ array.push(2);
+ array.push(3);
+ array.push(4);
+
+ v.s. new_array_buffer case,
+
+ var array = [0];
+ array.push(1);
+ array.push(2);
+ array.push(3);
+ array.push(4);
+
+ In this case, the latter becomes slow. While we have a chance to reduce memory usage if new_array_buffer is not grown (and a bit likely),
+ we should allocate 3 to 25 vector size if it is likely grown. So we should get profile on the resulted array.
+
+ We select 25 to make it fit to one of size classes.
+
+ In this patch, we extend ArrayAllocationProfile to record vector length. And use this information when allocating array for new_array_buffer.
+ If the number of new_array_buffer constants is <= 25, array vector size would become 3 to 25 based on profiling. If the number of its constants
+ is larger than 25, we just use it for allocation as before.
+
+ Added microbenchmark and SixSpeed spread-literal.es5 shows improvement.
+
+ new-array-buffer-vector-profile 67.4706+-3.7625 ^ 28.4249+-1.9025 ^ definitely 2.3736x faster
+ spread-literal.es5 133.1443+-9.2253 ^ 95.2667+-0.5740 ^ definitely 1.3976x faster
+
+ * bytecode/ArrayAllocationProfile.cpp:
+ (JSC::ArrayAllocationProfile::updateProfile):
+ (JSC::ArrayAllocationProfile::updateIndexingType): Deleted.
+ * bytecode/ArrayAllocationProfile.h:
+ (JSC::ArrayAllocationProfile::selectIndexingType):
+ (JSC::ArrayAllocationProfile::vectorLengthHint):
+ (JSC::ArrayAllocationProfile::ArrayAllocationProfile): Deleted.
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::updateAllArrayPredictions):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::vectorLengthHint):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSize):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArrayInternal):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateUninitializedContiguousJSArray):
+ * runtime/ArrayConventions.h:
+ * runtime/JSArray.h:
+ (JSC::JSArray::tryCreate):
+
+2017-09-21 Joseph Pecoraro
+
+ Web Inspector: Remove support for CSS Regions
+ https://bugs.webkit.org/show_bug.cgi?id=177287
+
+ Reviewed by Matt Baker.
+
+ * inspector/protocol/CSS.json:
+ * inspector/protocol/OverlayTypes.json:
+
+2017-09-21 Brian Burg
+
+ Web Inspector: keyboard shortcut for "Reload page from origin" doesn't match Safari, and doesn't work
+ https://bugs.webkit.org/show_bug.cgi?id=177010
+
+
+ Reviewed by Joseph Pecoraro.
+
+ Use "reload from origin" nomenclature instead of "reload ignoring cache".
+
+ * inspector/protocol/Page.json: Improve the comment, but don't change the
+ parameter name since this would be a divergence from legacy protocols.
+
+2017-09-21 Joseph Pecoraro
+
+ test262: test262/test/annexB/built-ins/RegExp/prototype/flags/order-after-compile.js ASSERTs
+ https://bugs.webkit.org/show_bug.cgi?id=177307
+
+ Reviewed by Michael Saboff.
+
+ * runtime/RegExpPrototype.cpp:
+ In r221160 we added support for the new RegExp flag (dotAll).
+ We needed to make space for it in FlagsString.
+
+2017-09-20 Keith Miller
+
+ JSC should use unified sources for platform specific files.
+ https://bugs.webkit.org/show_bug.cgi?id=177290
+
+ Reviewed by Michael Saboff.
+
+ Add a list of platform specific source files and update the
+ Generate Unified Sources phase of the Xcode build. I skipped WPE
+ since that seems to have failed for some reason that I didn't
+ fully understand. See:
+ https://webkit-queues.webkit.org/results/4611260
+
+ Also, fix duplicate symbols in Glib remote inspector files.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * PlatformGTK.cmake:
+ * PlatformMac.cmake:
+ * SourcesGTK.txt: Added.
+ * SourcesMac.txt: Added.
+ * inspector/remote/glib/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::interfaceInfo):
+ (Inspector::RemoteInspectorServer::setTargetList):
+ (Inspector::RemoteInspectorServer::setupInspectorClient):
+ (Inspector::RemoteInspectorServer::setup):
+ (Inspector::RemoteInspectorServer::close):
+ (Inspector::RemoteInspectorServer::connectionClosed):
+ (Inspector::RemoteInspectorServer::sendMessageToBackend):
+ (Inspector::RemoteInspectorServer::sendMessageToFrontend):
+ (Inspector::dbusConnectionCallAsyncReadyCallback): Deleted.
+
+2017-09-20 Stephan Szabo
+
+ [Win] WTF: Add alias for process id to use in place of direct uses of pid_t
+ https://bugs.webkit.org/show_bug.cgi?id=177017
+
+ Reviewed by Alex Christensen.
+
+ * API/JSRemoteInspector.cpp:
+ (JSRemoteInspectorSetParentProcessInformation):
+ * API/JSRemoteInspector.h:
+ * inspector/remote/RemoteInspector.h:
+
+2017-09-20 Keith Miller
+
+ Rename source list file to Sources.txt
+ https://bugs.webkit.org/show_bug.cgi?id=177283
+
+ Reviewed by Saam Barati.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt: Renamed from Source/JavaScriptCore/sources.txt.
+
+2017-09-20 Keith Miller
+
+ Unreviewed, fix string capitalization
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2017-09-20 Keith Miller
+
+ JSC Xcode build should use unified sources for platform independent files
+ https://bugs.webkit.org/show_bug.cgi?id=177190
+
+ Reviewed by Saam Barati.
+
+ This patch changes the Xcode build to use unified sources. The
+ main difference from a development perspective is that instead of
+ added source files to Xcode they need to be added to the shared
+ sources.txt. For now, platform specific files are still added
+ to the JavaScriptCore target.
+
+ Because Xcode needs to know about all the files before we generate
+ them all the unified source files need to be added to the
+ JavaScriptCore framework target. As a result, if we run out of
+ bundle files more will need to be added to the project. Currently,
+ there are no spare files. If adding more bundle files becomes
+ problematic we can change this.
+
+ LowLevelInterpreter.cpp can't be added to the unified source list yet
+ due to a clang bug.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * sources.txt: Added.
+
+2017-09-20 Per Arne Vollan
+
+ [Win] Cannot find script to generate unified sources.
+ https://bugs.webkit.org/show_bug.cgi?id=177014
+
+ Reviewed by Keith Miller.
+
+ The ruby script can now be found in WTF/Scripts in the forwarding headers folder.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.proj:
+
+2017-09-20 Alberto Garcia
+
+ Fix HPPA and Alpha builds
+ https://bugs.webkit.org/show_bug.cgi?id=177224
+
+ Reviewed by Alex Christensen.
+
+ * CMakeLists.txt:
+
+2017-09-18 Filip Pizlo
+
+ ErrorInstance and Exception need destroy methods
+ https://bugs.webkit.org/show_bug.cgi?id=177095
+
+ Reviewed by Saam Barati.
+
+ When I made ErrorInstance and Exception into JSDestructibleObjects, I forgot to make them
+ follow that type's protocol.
+
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::destroy): Implement this to fix leaks.
+ * runtime/ErrorInstance.h:
+ * runtime/Exception.h: Change how this is declared now that this is a DestructibleObject.
+
+2017-09-18 Yusuke Suzuki
+
+ [JSC] Consider dropping JSObjectSetPrototype feature for JSGlobalObject
+ https://bugs.webkit.org/show_bug.cgi?id=177070
+
+ Reviewed by Saam Barati.
+
+ Due to the security reason, our global object is immutable prototype exotic object.
+ It prevents users from injecting proxies into the prototype chain of the global object[1].
+ But our JSC API does not respect this attribute, and allows users to change [[Prototype]]
+ of the global object after instantiating it.
+
+ This patch removes this feature. Once global object is instantiated, we cannot change [[Prototype]]
+ of the global object. It drops JSGlobalObject::resetPrototype use, which involves GlobalThis
+ edge cases.
+
+ [1]: https://github.com/tc39/ecma262/commit/935dad4283d045bc09c67a259279772d01b3d33d
+
+ * API/JSObjectRef.cpp:
+ (JSObjectSetPrototype):
+ * API/tests/CustomGlobalObjectClassTest.c:
+ (globalObjectSetPrototypeTest):
+
+2017-09-17 Yusuke Suzuki
+
+ [DFG] Remove ToThis more aggressively
+ https://bugs.webkit.org/show_bug.cgi?id=177056
+
+ Reviewed by Saam Barati.
+
+ The variation of toThis() implementation is limited. So, we attempts to implement common toThis operation in AI.
+ We move scope related toThis to JSScope::toThis. And AI investigates proven value/structure's toThis methods
+ and attempts to fold/convert to efficient nodes.
+
+ We introduces GetGlobalThis, which just loads globalThis from semantic origin's globalObject. Using this,
+ we can implement JSScope::toThis in DFG. This can avoid costly toThis indirect function pointer call.
+
+ Currently, we just emit GetGlobalThis if necessary. We can further convert it to constant if we can put
+ watchpoint to JSGlobalObject's globalThis change. But we leave it for a future patch for now.
+
+ This removes GetGlobalThis from ES6 generators in common cases.
+
+ spread-generator.es6 303.1550+-9.5037 290.9337+-8.3487 might be 1.0420x faster
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::isToThisAnIdentity):
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToGetGlobalThis):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetGlobalThis):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetGlobalThis):
+ * runtime/JSGlobalLexicalEnvironment.cpp:
+ (JSC::JSGlobalLexicalEnvironment::toThis): Deleted.
+ * runtime/JSGlobalLexicalEnvironment.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::toThis): Deleted.
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::addressOfGlobalThis):
+ * runtime/JSLexicalEnvironment.cpp:
+ (JSC::JSLexicalEnvironment::toThis): Deleted.
+ * runtime/JSLexicalEnvironment.h:
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::toThis):
+ * runtime/JSScope.h:
+ * runtime/StrictEvalActivation.cpp:
+ (JSC::StrictEvalActivation::toThis): Deleted.
+ * runtime/StrictEvalActivation.h:
+
+2017-09-17 Yusuke Suzuki
+
+ Merge JSLexicalEnvironment and JSEnvironmentRecord
+ https://bugs.webkit.org/show_bug.cgi?id=175492
+
+ Reviewed by Saam Barati.
+
+ JSEnvironmentRecord is only inherited by JSLexicalEnvironment.
+ We can merge JSEnvironmentRecord and JSLexicalEnvironment.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetClosureVar):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutClosureVar):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitGetClosureVar):
+ (JSC::JIT::emitPutClosureVar):
+ (JSC::JIT::emitScopedArgumentsGetByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitGetClosureVar):
+ (JSC::JIT::emitPutClosureVar):
+ * llint/LLIntOffsetsExtractor.cpp:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSEnvironmentRecord.cpp: Removed.
+ * runtime/JSEnvironmentRecord.h: Removed.
+ * runtime/JSLexicalEnvironment.cpp:
+ (JSC::JSLexicalEnvironment::visitChildren):
+ (JSC::JSLexicalEnvironment::heapSnapshot):
+ (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
+ * runtime/JSLexicalEnvironment.h:
+ (JSC::JSLexicalEnvironment::subspaceFor):
+ (JSC::JSLexicalEnvironment::variables):
+ (JSC::JSLexicalEnvironment::isValidScopeOffset):
+ (JSC::JSLexicalEnvironment::variableAt):
+ (JSC::JSLexicalEnvironment::offsetOfVariables):
+ (JSC::JSLexicalEnvironment::offsetOfVariable):
+ (JSC::JSLexicalEnvironment::allocationSizeForScopeSize):
+ (JSC::JSLexicalEnvironment::allocationSize):
+ (JSC::JSLexicalEnvironment::finishCreationUninitialized):
+ (JSC::JSLexicalEnvironment::finishCreation):
+ * runtime/JSModuleEnvironment.cpp:
+ (JSC::JSModuleEnvironment::create):
+ * runtime/JSObject.h:
+ (JSC::JSObject::isEnvironment const):
+ (JSC::JSObject::isEnvironmentRecord const): Deleted.
+ * runtime/JSSegmentedVariableObject.h:
+ * runtime/StringPrototype.cpp:
+ (JSC::checkObjectCoercible):
+
+2017-09-15 Saam Barati
+
+ Arity fixup during inlining should do a 2 phase commit so it properly recovers the frame in case of exit
+ https://bugs.webkit.org/show_bug.cgi?id=176981
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch makes inline arity fixup happen in two phases:
+ 1. We get all the values we need and MovHint them to the expected locals.
+ 2. We SetLocal them inside the callee's CodeOrigin. This way, if we exit, the callee's
+ frame is already set up. If any SetLocal exits, we have a valid exit state.
+ This is required because if we didn't do this in two phases, we may exit in
+ the middle of arity fixup from the caller's CodeOrigin. This is unsound because if
+ we did the SetLocals in the caller's frame, the memcpy may clobber needed parts
+ of the frame right before exiting. For example, consider if we need to pad two args:
+ [arg3][arg2][arg1][arg0]
+ [fix ][fix ][arg3][arg2][arg1][arg0]
+ We memcpy starting from arg0 in the direction of arg3. If we were to exit at a type check
+ for arg3's SetLocal in the caller's CodeOrigin, we'd exit with a frame like so:
+ [arg3][arg2][arg1][arg2][arg1][arg0]
+ And the caller would then just end up thinking its argument are:
+ [arg3][arg2][arg1][arg2]
+ which is incorrect.
+
+
+ This patch also fixes a couple of bugs in IdentitiyWithProfile:
+ 1. The bytecode generator for this bytecode intrinsic was written incorrectly.
+ It needed to store the result of evaluating its argument in a temporary that
+ it creates. Otherwise, it might try to simply overwrite a constant
+ or a register that it didn't own.
+ 2. We weren't eliminating this node in CSE inside the DFG.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::inlineCall):
+ * dfg/DFGCSEPhase.cpp:
+
+2017-09-15 JF Bastien
+
+ WTF: use Forward.h when appropriate instead of Vector.h
+ https://bugs.webkit.org/show_bug.cgi?id=176984
+
+ Reviewed by Saam Barati.
+
+ There's no need to include Vector.h when Forward.h will suffice. All we need is to move the template default parameters from Vector, and then the forward declaration can be used in so many new places: if a header only takes Vector by reference, rvalue reference, pointer, returns any of these, or has them as members then the header doesn't need to see the definition because the declaration will suffice.
+
+ * bytecode/HandlerInfo.h:
+ * heap/GCIncomingRefCounted.h:
+ * heap/GCSegmentedArray.h:
+ * wasm/js/JSWebAssemblyModule.h:
+
+2017-09-14 Saam Barati
+
+ We should have a way of preventing a caller from making a tail call and we should use it for ProxyObject instead of using build flags
+ https://bugs.webkit.org/show_bug.cgi?id=176863
+
+ Reviewed by Keith Miller.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/ProxyObject.cpp:
+ (JSC::performProxyGet):
+ (JSC::ProxyObject::performInternalMethodGetOwnProperty):
+ (JSC::ProxyObject::performHasProperty):
+ (JSC::ProxyObject::getOwnPropertySlotCommon):
+ (JSC::ProxyObject::performPut):
+ (JSC::performProxyCall):
+ (JSC::performProxyConstruct):
+ (JSC::ProxyObject::performDelete):
+ (JSC::ProxyObject::performPreventExtensions):
+ (JSC::ProxyObject::performIsExtensible):
+ (JSC::ProxyObject::performDefineOwnProperty):
+ (JSC::ProxyObject::performGetOwnPropertyNames):
+ (JSC::ProxyObject::performSetPrototype):
+ (JSC::ProxyObject::performGetPrototype):
+
+2017-09-14 Saam Barati
+
+ Make dumping the graph print when both when exitOK and !exitOK
+ https://bugs.webkit.org/show_bug.cgi?id=176954
+
+ Reviewed by Keith Miller.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+
+2017-09-14 Saam Barati
+
+ It should be valid to exit before each set when doing arity fixup when inlining
+ https://bugs.webkit.org/show_bug.cgi?id=176948
+
+ Reviewed by Keith Miller.
+
+ This patch makes it so that we can exit before each SetLocal when doing arity
+ fixup during inlining. This is OK because if we exit at any of these SetLocals,
+ we will simply exit to the beginning of the call instruction.
+
+ Not doing this led to a bug where FixupPhase would insert a ValueRep of
+ a node before the actual node. This is obviously invalid IR. I've added
+ a new validation rule to catch this malformed IR.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::inliningCost):
+ (JSC::DFG::ByteCodeParser::inlineCall):
+ * dfg/DFGValidate.cpp:
+ * runtime/Options.h:
+
+2017-09-14 Mark Lam
+
+ AddressSanitizer: stack-buffer-underflow in JSC::Probe::Page::Page
+ https://bugs.webkit.org/show_bug.cgi?id=176874
+
+
+ Reviewed by Saam Barati.
+
+ 1. Make Probe::Stack play nice with ASan by:
+
+ a. using a local memcpy implementation that suppresses ASan on ASan builds.
+ We don't want to use std:memcpy() which validates stack memory because
+ we are intentionally copying stack memory beyond the current frame.
+
+ b. changing Stack::s_chunkSize to equal sizeof(uintptr_t) on ASan builds.
+ This ensures that Page::flushWrites() only writes stack memory that was
+ modified by a probe. The probes should only modify stack memory that
+ belongs to JSC stack data structures. We don't want to inadvertently
+ modify adjacent words that may belong to ASan (which may happen if
+ s_chunkSize is larger than sizeof(uintptr_t)).
+
+ c. fixing a bug in Page dirtyBits management for when the size of the value to
+ write is greater than s_chunkSize. The fix in generic, but in practice,
+ this currently only manifests on 32-bit ASan builds because
+ sizeof(uintptr_t) and s_chunkSize are 32-bit, and we may write 64-bit
+ values.
+
+ d. making Page::m_dirtyBits 64 bits always. This maximizes the number of
+ s_chunksPerPage we can have even on ASan builds.
+
+ 2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
+ std::memcpy to avoid strict aliasing issues.
+
+ 3. Optimized the implementation of Page::physicalAddressFor().
+
+ 4. Optimized the implementation of Stack::set() in the recording of the low
+ watermark. We just record the lowest raw pointer now, and only compute the
+ alignment to its chuck boundary later when the low watermark is requested.
+
+ 5. Changed a value in testmasm to make the test less vulnerable to rounding issues.
+
+ No new test needed because this is already covered by testmasm with ASan enabled.
+
+ * assembler/ProbeContext.h:
+ (JSC::Probe::CPUState::gpr const):
+ (JSC::Probe::CPUState::spr const):
+ (JSC::Probe::Context::gpr):
+ (JSC::Probe::Context::spr):
+ (JSC::Probe::Context::fpr):
+ (JSC::Probe::Context::gprName):
+ (JSC::Probe::Context::sprName):
+ (JSC::Probe::Context::fprName):
+ (JSC::Probe::Context::gpr const):
+ (JSC::Probe::Context::spr const):
+ (JSC::Probe::Context::fpr const):
+ (JSC::Probe::Context::pc):
+ (JSC::Probe::Context::fp):
+ (JSC::Probe::Context::sp):
+ (JSC::Probe:: const): Deleted.
+ * assembler/ProbeStack.cpp:
+ (JSC::Probe::copyStackPage):
+ (JSC::Probe::Page::Page):
+ (JSC::Probe::Page::flushWrites):
+ * assembler/ProbeStack.h:
+ (JSC::Probe::Page::get):
+ (JSC::Probe::Page::set):
+ (JSC::Probe::Page::dirtyBitFor):
+ (JSC::Probe::Page::physicalAddressFor):
+ (JSC::Probe::Stack::lowWatermark):
+ (JSC::Probe::Stack::get):
+ (JSC::Probe::Stack::set):
+ * assembler/testmasm.cpp:
+ (JSC::testProbeModifiesStackValues):
+
+2017-09-14 Yusuke Suzuki
+
+ [JSC] Disable Arity Fixup Inlining until crash in facebook.com is fixed
+ https://bugs.webkit.org/show_bug.cgi?id=176917
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::inliningCost):
+ * runtime/Options.h:
+
+2017-09-14 Yusuke Suzuki
+
+ [JSC] Add PrivateSymbolMode::{Include,Exclude} for PropertyNameArray
+ https://bugs.webkit.org/show_bug.cgi?id=176867
+
+ Reviewed by Sam Weinig.
+
+ We rarely require private symbols when enumerating property names.
+ This patch adds PrivateSymbolMode::{Include,Exclude}. If PrivateSymbolMode::Exclude
+ is specified, PropertyNameArray does not include private symbols.
+ This removes many ad-hoc `Identifier::isPrivateName()` in enumeration operations.
+
+ One additional good thing is that we do not need to filter private symbols out from PropertyNameArray.
+ It allows us to use Object.keys()'s fast path for Object.getOwnPropertySymbols.
+ + object-get-own-property-symbols 48.6275+-1.0021 ^ 38.1846+-1.7934 ^ definitely 1.2735x faster + + * API/JSObjectRef.cpp: + (JSObjectCopyPropertyNames): + * bindings/ScriptValue.cpp: + (Inspector::jsToInspectorValue): + * bytecode/ObjectAllocationProfile.h: + (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): + * runtime/EnumerationMode.h: + * runtime/IntlObject.cpp: + (JSC::supportedLocales): + * runtime/JSONObject.cpp: + (JSC::Stringifier::Stringifier): + (JSC::Stringifier::Holder::appendNextProperty): + (JSC::Walker::walk): + * runtime/JSPropertyNameEnumerator.cpp: + (JSC::JSPropertyNameEnumerator::create): + * runtime/JSPropertyNameEnumerator.h: + (JSC::propertyNameEnumerator): + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorGetOwnPropertyDescriptors): + (JSC::objectConstructorAssign): + (JSC::objectConstructorValues): + (JSC::defineProperties): + (JSC::setIntegrityLevel): + (JSC::testIntegrityLevel): + (JSC::ownPropertyKeys): + * runtime/PropertyNameArray.h: + (JSC::PropertyNameArray::PropertyNameArray): + (JSC::PropertyNameArray::propertyNameMode const): + (JSC::PropertyNameArray::privateSymbolMode const): + (JSC::PropertyNameArray::addUncheckedInternal): + (JSC::PropertyNameArray::addUnchecked): + (JSC::PropertyNameArray::add): + (JSC::PropertyNameArray::isUidMatchedToTypeMode): + (JSC::PropertyNameArray::includeSymbolProperties const): + (JSC::PropertyNameArray::includeStringProperties const): + (JSC::PropertyNameArray::mode const): Deleted. + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performGetOwnPropertyNames): + +2017-09-13 Mark Lam + + Rolling out r221832: Regresses Speedometer by ~4% and Dromaeo CSS YUI by ~20%. + https://bugs.webkit.org/show_bug.cgi?id=176888 + + + Not reviewed. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/MacroAssembler.cpp: + (JSC::stdFunctionCallback): + * assembler/MacroAssemblerPrinter.cpp: + (JSC::Printer::printCallback): + * assembler/ProbeContext.h: + (JSC::Probe:: const): + (JSC::Probe::Context::Context): + (JSC::Probe::Context::gpr): + (JSC::Probe::Context::spr): + (JSC::Probe::Context::fpr): + (JSC::Probe::Context::gprName): + (JSC::Probe::Context::sprName): + (JSC::Probe::Context::fprName): + (JSC::Probe::Context::pc): + (JSC::Probe::Context::fp): + (JSC::Probe::Context::sp): + (JSC::Probe::CPUState::gpr const): Deleted. + (JSC::Probe::CPUState::spr const): Deleted. + (JSC::Probe::Context::arg): Deleted. + (JSC::Probe::Context::gpr const): Deleted. + (JSC::Probe::Context::spr const): Deleted. + (JSC::Probe::Context::fpr const): Deleted. + * assembler/ProbeFrame.h: Removed. + * assembler/ProbeStack.cpp: + (JSC::Probe::Page::Page): + * assembler/ProbeStack.h: + (JSC::Probe::Page::get): + (JSC::Probe::Page::set): + (JSC::Probe::Page::physicalAddressFor): + (JSC::Probe::Stack::lowWatermark): + (JSC::Probe::Stack::get): + (JSC::Probe::Stack::set): + * bytecode/ArithProfile.cpp: + * bytecode/ArithProfile.h: + * bytecode/ArrayProfile.h: + (JSC::ArrayProfile::observeArrayMode): Deleted. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): Deleted. + * bytecode/CodeBlock.h: + (JSC::CodeBlock::addressOfOSRExitCounter): + * bytecode/ExecutionCounter.h: + (JSC::ExecutionCounter::hasCrossedThreshold const): Deleted. + (JSC::ExecutionCounter::setNewThresholdForOSRExit): Deleted. + * bytecode/MethodOfGettingAValueProfile.cpp: + (JSC::MethodOfGettingAValueProfile::reportValue): Deleted. 
+ * bytecode/MethodOfGettingAValueProfile.h: + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::findPC): + * dfg/DFGJITCode.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::linkOSRExits): + (JSC::DFG::JITCompiler::link): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::setPatchableCodeOffset): + (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): + (JSC::DFG::OSRExit::codeLocationForRepatch const): + (JSC::DFG::OSRExit::correctJump): + (JSC::DFG::OSRExit::emitRestoreArguments): + (JSC::DFG::OSRExit::compileOSRExit): + (JSC::DFG::OSRExit::compileExit): + (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): + (JSC::DFG::jsValueFor): Deleted. + (JSC::DFG::restoreCalleeSavesFor): Deleted. + (JSC::DFG::saveCalleeSavesFor): Deleted. + (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): Deleted. + (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): Deleted. + (JSC::DFG::saveOrCopyCalleeSavesFor): Deleted. + (JSC::DFG::createDirectArgumentsDuringExit): Deleted. + (JSC::DFG::createClonedArgumentsDuringExit): Deleted. + (JSC::DFG::emitRestoreArguments): Deleted. + (JSC::DFG::OSRExit::executeOSRExit): Deleted. + (JSC::DFG::reifyInlinedCallFrames): Deleted. + (JSC::DFG::adjustAndJumpToTarget): Deleted. + (JSC::DFG::printOSRExit): Deleted. + * dfg/DFGOSRExit.h: + (JSC::DFG::OSRExitState::OSRExitState): Deleted. + * dfg/DFGOSRExitCompilerCommon.cpp: + * dfg/DFGOSRExitCompilerCommon.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitGenerationThunkGenerator): + (JSC::DFG::osrExitThunkGenerator): Deleted. + * dfg/DFGThunks.h: + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::debugCall): + * jit/AssemblyHelpers.h: + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * profiler/ProfilerOSRExit.h: + (JSC::Profiler::OSRExit::incCount): Deleted. 
+ * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + * runtime/VM.h: + +2017-09-13 Yusuke Suzuki + + [JSC] Move class/struct used in other class' member out of anonymous namespace + https://bugs.webkit.org/show_bug.cgi?id=176876 + + Reviewed by Saam Barati. + + GCC warns if a class has a base or field whose type uses the anonymous namespace + and it is defined in an included file. This is because this possibly violates + one definition rule (ODR): if an included file has the anonymous namespace, each + translation unit creates its private anonymous namespace. Thus, each type + inside the anonymous namespace becomes different in each translation unit if + the file is included in multiple translation units. + + While the current use in JSC is not violating ODR since these cpp files are included + only once for unified sources, specifying `-Wno-subobject-linkage` could miss + the actual bugs. So, in this patch, we just move related classes/structs out of + the anonymous namespace. + + * dfg/DFGIntegerCheckCombiningPhase.cpp: + (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::addition): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::arrayBounds): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator! const): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::hash const): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::operator== const): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKey::dump const): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::RangeKeyAndAddend): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::operator! const): + (JSC::DFG::IntegerCheckCombiningPhase::RangeKeyAndAddend::dump const): + (JSC::DFG::IntegerCheckCombiningPhase::Range::dump const): + * dfg/DFGLICMPhase.cpp: + +2017-09-13 Devin Rousso + + Web Inspector: Event Listeners section does not update when listeners are added/removed + https://bugs.webkit.org/show_bug.cgi?id=170570 + + + Reviewed by Joseph Pecoraro. 
+ + * inspector/protocol/DOM.json: + Add two new events: "didAddEventListener" and "willRemoveEventListener". These events do not + contain any information about the event listeners that were added/removed. They serve more + as indications that something has changed, and to refetch the data again via `getEventListenersForNode`. + +2017-09-13 Yusuke Suzuki + + [JSC] Fix Array allocation in Object.keys + https://bugs.webkit.org/show_bug.cgi?id=176826 + + Reviewed by Saam Barati. + + When isHavingABadTime() is true, array allocation does not become ArrayWithContiguous. + We check isHavingABadTime() in ownPropertyKeys fast path. + And we also ensures that ownPropertyKeys uses putDirect operation instead of put by a test. + + * runtime/ObjectConstructor.cpp: + (JSC::ownPropertyKeys): + +2017-09-12 Yusuke Suzuki + + [DFG] Optimize WeakMap::get by adding intrinsic and fixup + https://bugs.webkit.org/show_bug.cgi?id=176010 + + Reviewed by Filip Pizlo. + + It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get. + It is used for meta property for objects (see peekMeta function in Ember.js). + + This patch optimizes WeakMap#get. + + 1. We use inlineGet to inline WeakMap#get operation in the native function. + Since this native function itself is very small, we should inline HashMap#get + entirely in this function. + + 2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()` + very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse + to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse, + ObjectUse, and Int32Use. + + 3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to + calculate hash value for the key's Object and use this hash value to look up value from + JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL. 
+ It is worth considering that implementing this operation entirely in JIT, like GetMapBucket. + But anyway, the current one already optimizes the performance, so we leave this for the subsequent + patches. + + We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are + not used in Ember.js right now. + + This patch optimizes WeakMap#get by 50%. + + baseline patched + + weak-map-key 88.6456+-3.9564 ^ 59.1502+-2.2406 ^ definitely 1.4987x faster + + * bytecode/DirectEvalCodeCache.h: + (JSC::DirectEvalCodeCache::tryGet): + * bytecode/SpeculatedType.cpp: + (JSC::dumpSpeculation): + (JSC::speculationFromClassInfo): + (JSC::speculationFromJSType): + (JSC::speculationFromString): + * bytecode/SpeculatedType.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculateWeakMapObject): + (JSC::DFG::SpeculativeJIT::speculateWeakSetObject): + (JSC::DFG::SpeculativeJIT::speculate): + (JSC::DFG::SpeculativeJIT::compileWeakMapGet): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + 
(JSC::DFG::isCell): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet): + (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject): + (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject): + (JSC::FTL::DFG::LowerDFGToB3::speculate): + (JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject): + (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject): + * jit/JITOperations.h: + * runtime/HashMapImpl.h: + (JSC::WeakMapHash::hash): + (JSC::WeakMapHash::equal): + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/JSType.h: + * runtime/JSWeakMap.h: + (JSC::isJSWeakMap): + * runtime/JSWeakSet.h: + (JSC::isJSWeakSet): + * runtime/WeakMapBase.cpp: + (JSC::WeakMapBase::get): + * runtime/WeakMapBase.h: + (JSC::WeakMapBase::HashTranslator::hash): + (JSC::WeakMapBase::HashTranslator::equal): + (JSC::WeakMapBase::inlineGet): + * runtime/WeakMapPrototype.cpp: + (JSC::WeakMapPrototype::finishCreation): + (JSC::getWeakMap): + (JSC::protoFuncWeakMapGet): + * runtime/WeakSetPrototype.cpp: + (JSC::getWeakSet): + +2017-09-12 Keith Miller + + Rename JavaScriptCore CMake unifiable sources list + https://bugs.webkit.org/show_bug.cgi?id=176823 + + Reviewed by Joseph Pecoraro. + + This patch also changes the error message when the unified source + bundler fails to be more accurate. + + * CMakeLists.txt: + +2017-09-12 Keith Miller + + Do unified source builds for JSC + https://bugs.webkit.org/show_bug.cgi?id=176076 + + Reviewed by Geoffrey Garen. + + This patch switches the CMake JavaScriptCore build to use unified sources. + The Xcode build will be upgraded in a follow up patch. + + Most of the source changes in this patch are fixing static + variable/functions name collisions. The most common collisions + were from our use of "static const bool verbose" and "using + namespace ...". 
I fixed all the verbose cases and fixed the "using + namespace" issues that occurred under the current bundling + strategy. It's likely that more of the "using namespace" issues + will need to be resolved in the future, particularly in the FTL. + + I don't expect either of these problems will apply to other parts + of the project nearly as much as in JSC. Using a verbose variable + is a JSC idiom and JSC tends use the same, canonical, class name + in multiple parts of the engine. + + * CMakeLists.txt: + * b3/B3CheckSpecial.cpp: + (JSC::B3::CheckSpecial::forEachArg): + (JSC::B3::CheckSpecial::generate): + (JSC::B3::Air::numB3Args): Deleted. + * b3/B3DuplicateTails.cpp: + * b3/B3EliminateCommonSubexpressions.cpp: + * b3/B3FixSSA.cpp: + (JSC::B3::demoteValues): + * b3/B3FoldPathConstants.cpp: + * b3/B3InferSwitches.cpp: + * b3/B3LowerMacrosAfterOptimizations.cpp: + (): Deleted. + * b3/B3LowerToAir.cpp: + (JSC::B3::Air::LowerToAir::LowerToAir): Deleted. + (JSC::B3::Air::LowerToAir::run): Deleted. + (JSC::B3::Air::LowerToAir::shouldCopyPropagate): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::ArgPromise): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::swap): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::operator=): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::~ArgPromise): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::setTraps): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::tmp): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::operator bool const): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::kind const): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::peek const): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::consume): Deleted. + (JSC::B3::Air::LowerToAir::ArgPromise::inst): Deleted. + (JSC::B3::Air::LowerToAir::tmp): Deleted. + (JSC::B3::Air::LowerToAir::tmpPromise): Deleted. + (JSC::B3::Air::LowerToAir::canBeInternal): Deleted. + (JSC::B3::Air::LowerToAir::commitInternal): Deleted. 
+ (JSC::B3::Air::LowerToAir::crossesInterference): Deleted. + (JSC::B3::Air::LowerToAir::scaleForShl): Deleted. + (JSC::B3::Air::LowerToAir::effectiveAddr): Deleted. + (JSC::B3::Air::LowerToAir::addr): Deleted. + (JSC::B3::Air::LowerToAir::trappingInst): Deleted. + (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode): Deleted. + (JSC::B3::Air::LowerToAir::loadPromise): Deleted. + (JSC::B3::Air::LowerToAir::imm): Deleted. + (JSC::B3::Air::LowerToAir::bitImm): Deleted. + (JSC::B3::Air::LowerToAir::bitImm64): Deleted. + (JSC::B3::Air::LowerToAir::immOrTmp): Deleted. + (JSC::B3::Air::LowerToAir::tryOpcodeForType): Deleted. + (JSC::B3::Air::LowerToAir::opcodeForType): Deleted. + (JSC::B3::Air::LowerToAir::appendUnOp): Deleted. + (JSC::B3::Air::LowerToAir::preferRightForResult): Deleted. + (JSC::B3::Air::LowerToAir::appendBinOp): Deleted. + (JSC::B3::Air::LowerToAir::appendShift): Deleted. + (JSC::B3::Air::LowerToAir::tryAppendStoreUnOp): Deleted. + (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp): Deleted. + (JSC::B3::Air::LowerToAir::createStore): Deleted. + (JSC::B3::Air::LowerToAir::storeOpcode): Deleted. + (JSC::B3::Air::LowerToAir::appendStore): Deleted. + (JSC::B3::Air::LowerToAir::moveForType): Deleted. + (JSC::B3::Air::LowerToAir::relaxedMoveForType): Deleted. + (JSC::B3::Air::LowerToAir::print): Deleted. + (JSC::B3::Air::LowerToAir::append): Deleted. + (JSC::B3::Air::LowerToAir::appendTrapping): Deleted. + (JSC::B3::Air::LowerToAir::finishAppendingInstructions): Deleted. + (JSC::B3::Air::LowerToAir::newBlock): Deleted. + (JSC::B3::Air::LowerToAir::splitBlock): Deleted. + (JSC::B3::Air::LowerToAir::ensureSpecial): Deleted. + (JSC::B3::Air::LowerToAir::ensureCheckSpecial): Deleted. + (JSC::B3::Air::LowerToAir::fillStackmap): Deleted. + (JSC::B3::Air::LowerToAir::createGenericCompare): Deleted. + (JSC::B3::Air::LowerToAir::createBranch): Deleted. + (JSC::B3::Air::LowerToAir::createCompare): Deleted. + (JSC::B3::Air::LowerToAir::createSelect): Deleted. 
+ (JSC::B3::Air::LowerToAir::tryAppendLea): Deleted. + (JSC::B3::Air::LowerToAir::appendX86Div): Deleted. + (JSC::B3::Air::LowerToAir::appendX86UDiv): Deleted. + (JSC::B3::Air::LowerToAir::loadLinkOpcode): Deleted. + (JSC::B3::Air::LowerToAir::storeCondOpcode): Deleted. + (JSC::B3::Air::LowerToAir::appendCAS): Deleted. + (JSC::B3::Air::LowerToAir::appendVoidAtomic): Deleted. + (JSC::B3::Air::LowerToAir::appendGeneralAtomic): Deleted. + (JSC::B3::Air::LowerToAir::lower): Deleted. + * b3/B3PatchpointSpecial.cpp: + (JSC::B3::PatchpointSpecial::generate): + * b3/B3ReduceDoubleToFloat.cpp: + (JSC::B3::reduceDoubleToFloat): + * b3/B3ReduceStrength.cpp: + * b3/B3StackmapGenerationParams.cpp: + * b3/B3StackmapSpecial.cpp: + (JSC::B3::StackmapSpecial::repsImpl): + (JSC::B3::StackmapSpecial::repForArg): + * b3/air/AirAllocateStackByGraphColoring.cpp: + (JSC::B3::Air::allocateStackByGraphColoring): + * b3/air/AirEmitShuffle.cpp: + (JSC::B3::Air::emitShuffle): + * b3/air/AirFixObviousSpills.cpp: + * b3/air/AirLowerAfterRegAlloc.cpp: + (JSC::B3::Air::lowerAfterRegAlloc): + * b3/air/AirStackAllocation.cpp: + (JSC::B3::Air::attemptAssignment): + (JSC::B3::Air::assign): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeDFGStatuses): + * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::emitDOMJITGetter): + * bytecode/ObjectPropertyConditionSet.cpp: + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::addCases): + (JSC::PolymorphicAccess::regenerate): + * bytecode/PropertyCondition.cpp: + (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::addAccessCase): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): + (JSC::DFG::ByteCodeParser::inliningCost): + (JSC::DFG::ByteCodeParser::inlineCall): + 
(JSC::DFG::ByteCodeParser::attemptToInlineCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::planLoad): + (JSC::DFG::ByteCodeParser::store): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::linkBlock): + (JSC::DFG::ByteCodeParser::linkBlocks): + * dfg/DFGCSEPhase.cpp: + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::merge): + * dfg/DFGIntegerCheckCombiningPhase.cpp: + (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): + * dfg/DFGIntegerRangeOptimizationPhase.cpp: + * dfg/DFGMovHintRemovalPhase.cpp: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGPhantomInsertionPhase.cpp: + * dfg/DFGPutStackSinkingPhase.cpp: + * dfg/DFGStoreBarrierInsertionPhase.cpp: + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLAbstractHeap.cpp: + (JSC::FTL::AbstractHeap::compute): + * ftl/FTLAbstractHeapRepository.cpp: + (JSC::FTL::AbstractHeapRepository::decorateMemory): + (JSC::FTL::AbstractHeapRepository::decorateCCallRead): + (JSC::FTL::AbstractHeapRepository::decorateCCallWrite): + (JSC::FTL::AbstractHeapRepository::decoratePatchpointRead): + (JSC::FTL::AbstractHeapRepository::decoratePatchpointWrite): + (JSC::FTL::AbstractHeapRepository::decorateFenceRead): + (JSC::FTL::AbstractHeapRepository::decorateFenceWrite): + (JSC::FTL::AbstractHeapRepository::decorateFencedAccess): + (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * heap/MarkingConstraintSet.cpp: + (JSC::MarkingConstraintSet::add): + * interpreter/ShadowChicken.cpp: + (JSC::ShadowChicken::update): + * jit/BinarySwitch.cpp: + (JSC::BinarySwitch::BinarySwitch): + (JSC::BinarySwitch::build): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::loadStats): + (JSC::LLInt::Data::saveStats): + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint): + (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire): + * runtime/ErrorInstance.cpp: + 
(JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted. + (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted. + (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame const): Deleted. + (JSC::FindFirstCallerFrameWithCodeblockFunctor::index const): Deleted. + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + * runtime/PromiseDeferredTimer.cpp: + (JSC::PromiseDeferredTimer::doWork): + (JSC::PromiseDeferredTimer::addPendingPromise): + (JSC::PromiseDeferredTimer::cancelPendingPromise): + * runtime/TypeProfiler.cpp: + (JSC::TypeProfiler::insertNewLocation): + * runtime/TypeProfilerLog.cpp: + (JSC::TypeProfilerLog::processLogEntries): + * runtime/WeakMapPrototype.cpp: + (JSC::protoFuncWeakMapDelete): + (JSC::protoFuncWeakMapGet): + (JSC::protoFuncWeakMapHas): + (JSC::protoFuncWeakMapSet): + (JSC::getWeakMapData): Deleted. + * runtime/WeakSetPrototype.cpp: + (JSC::protoFuncWeakSetDelete): + (JSC::protoFuncWeakSetHas): + (JSC::protoFuncWeakSetAdd): + (JSC::getWeakMapData): Deleted. 
+ * testRegExp.cpp: + (testOneRegExp): + (runFromFiles): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::parseAndCompile): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::moveToState): + (JSC::Wasm::BBQPlan::parseAndValidateModule): + (JSC::Wasm::BBQPlan::prepare): + (JSC::Wasm::BBQPlan::compileFunctions): + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::OMGPlan): + (JSC::Wasm::OMGPlan::work): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::fail): + * wasm/WasmSignature.cpp: + (JSC::Wasm::SignatureInformation::adopt): + * wasm/WasmWorklist.cpp: + (JSC::Wasm::Worklist::enqueue): + +2017-09-12 Michael Saboff + + String.prototype.replace() puts extra '<' in result when a named capture reference is used without named captures in the RegExp + https://bugs.webkit.org/show_bug.cgi?id=176814 + + Reviewed by Mark Lam. + + The copy and advance indices where off by one and needed a little fine tuning. + + * runtime/StringPrototype.cpp: + (JSC::substituteBackreferencesSlow): + +2017-09-11 Mark Lam + + More exception check book-keeping needed found by 32-bit JSC test failures. + https://bugs.webkit.org/show_bug.cgi?id=176742 + + Reviewed by Michael Saboff and Keith Miller. + + * dfg/DFGOperations.cpp: + +2017-09-11 Mark Lam + + Make jsc dump the command line if JSC_dumpOption environment variable is set with a non-zero value. + https://bugs.webkit.org/show_bug.cgi?id=176722 + + Reviewed by Saam Barati. + + For PLATFORM(COCOA), I also dumped the JSC_* environmental variables that are + in effect when jsc is invoked. + + * jsc.cpp: + (CommandLine::parseArguments): + +2017-09-11 Ryan Haddad + + Unreviewed, rolling out r221854. + + The test added with this change fails on 32-bit JSC bots. 
+ + Reverted changeset: + + "[DFG] Optimize WeakMap::get by adding intrinsic and fixup" + https://bugs.webkit.org/show_bug.cgi?id=176010 + http://trac.webkit.org/changeset/221854 + +2017-09-03 Yusuke Suzuki + + [DFG] Optimize WeakMap::get by adding intrinsic and fixup + https://bugs.webkit.org/show_bug.cgi?id=176010 + + Reviewed by Filip Pizlo. + + It reveals that Ember.js consumes 3.8% of execution time for WeakMap#get. + It is used for meta property for objects (see peekMeta function in Ember.js). + + This patch optimizes WeakMap#get. + + 1. We use inlineGet to inline WeakMap#get operation in the native function. + Since this native function itself is very small, we should inline HashMap#get + entirely in this function. + + 2. We add JSWeakMapType and JSWeakSetType. This allows us to perform `isJSWeakMap()` + very fast. And this patch wires this to DFG and FTL to add WeakMapObjectUse and WeakSetObjectUse + to drop unnecessary type checking. We add fixup rules for WeakMapGet DFG node by using WeakMapObjectUse, + ObjectUse, and Int32Use. + + 3. We add intrinsic for WeakMap#get, and handle it in DFG and FTL. We use MapHash to + calculate hash value for the key's Object and use this hash value to look up value from + JSWeakMap's HashMap. Currently, we just call the operationWeakMapGet function in DFG and FTL. + It is worth considering that implementing this operation entirely in JIT, like GetMapBucket. + But anyway, the current one already optimizes the performance, so we leave this for the subsequent + patches. + + We currently do not implement any other intrinsics (like, WeakMap#has, WeakSet) because they are + not used in Ember.js right now. + + This patch optimizes WeakMap#get by 50%. 
+ + baseline patched + + weak-map-key 88.6456+-3.9564 ^ 59.1502+-2.2406 ^ definitely 1.4987x faster + + * bytecode/DirectEvalCodeCache.h: + (JSC::DirectEvalCodeCache::tryGet): + * bytecode/SpeculatedType.cpp: + (JSC::dumpSpeculation): + (JSC::speculationFromClassInfo): + (JSC::speculationFromJSType): + (JSC::speculationFromString): + * bytecode/SpeculatedType.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculateWeakMapObject): + (JSC::DFG::SpeculativeJIT::speculateWeakSetObject): + (JSC::DFG::SpeculativeJIT::speculate): + (JSC::DFG::SpeculativeJIT::compileWeakMapGet): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::isCell): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet): + (JSC::FTL::DFG::LowerDFGToB3::lowWeakMapObject): + (JSC::FTL::DFG::LowerDFGToB3::lowWeakSetObject): + (JSC::FTL::DFG::LowerDFGToB3::speculate): + 
(JSC::FTL::DFG::LowerDFGToB3::speculateWeakMapObject): + (JSC::FTL::DFG::LowerDFGToB3::speculateWeakSetObject): + * jit/JITOperations.h: + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/JSType.h: + * runtime/JSWeakMap.h: + (JSC::isJSWeakMap): + * runtime/JSWeakSet.h: + (JSC::isJSWeakSet): + * runtime/WeakMapBase.cpp: + (JSC::WeakMapBase::get): + * runtime/WeakMapBase.h: + (JSC::WeakMapBase::HashTranslator::hash): + (JSC::WeakMapBase::HashTranslator::equal): + (JSC::WeakMapBase::inlineGet): + * runtime/WeakMapPrototype.cpp: + (JSC::WeakMapPrototype::finishCreation): + (JSC::getWeakMap): + (JSC::protoFuncWeakMapGet): + * runtime/WeakSetPrototype.cpp: + (JSC::getWeakSet): + +2017-09-09 Yusuke Suzuki + + [JSC] Optimize Object.keys by using careful array allocation + https://bugs.webkit.org/show_bug.cgi?id=176654 + + Reviewed by Darin Adler. + + SixSpeed object-assign.es6 stresses Object.keys. Object.keys is one of frequently used + function in JS apps. Luckily Object.keys has several good features. + + 1. Once PropertyNameArray is allocated, we know the length of the result array since + we do not need to filter out keys listed in PropertyNameArray. The execption is ProxyObject, + but it rarely appears. ProxyObject case goes to the generic path. + + 2. Object.keys does not need to access object after listing PropertyNameArray. It means + that we do not need to worry about enumeration attribute change by touching object. + + This patch adds a fast path for Object.keys's array allocation. We allocate the JSArray + with the size and ArrayContiguous indexing shape. + + This further improves SixSpeed object-assign.es5 by 13%. 
+ + baseline patched + Microbenchmarks: + object-keys-map-values 73.4324+-2.5397 ^ 62.5933+-2.6677 ^ definitely 1.1732x faster + object-keys 40.8828+-1.5851 ^ 29.2066+-1.8944 ^ definitely 1.3998x faster + + baseline patched + SixSpeed: + object-assign.es5 384.8719+-10.7204 ^ 340.2734+-12.0947 ^ definitely 1.1311x faster + + BTW, the further optimization of Object.keys can be considered: introducing own property keys + cache which is similar to the current enumeration cache. But this patch is orthogonal to + this optimization! + + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorValues): + (JSC::ownPropertyKeys): + * runtime/ObjectConstructor.h: + +2017-09-10 Mark Lam + + Fix all ExceptionScope verification failures in JavaScriptCore. + https://bugs.webkit.org/show_bug.cgi?id=176662 + + + Reviewed by Filip Pizlo. + + 1. Introduced EXCEPTION_ASSERT macros so that we can enable exception scope + verification for release builds too (though this requires manually setting + ENABLE_EXCEPTION_SCOPE_VERIFICATION to 1 in Platform.h). + + This is useful because it allows us to run the tests more quickly to check + if any regressions have occurred. Debug builds run so much slower and not + good for a quick turn around. Debug builds are necessary though to get + trace information without inlining by the C++ compiler. This is necessary to + diagnose where the missing exception check is. + + 2. Repurposed the JSC_dumpSimulatedThrows=true options to capture and dump the last + simulated throw when an exception scope verification fails. + + Previously, this option dumps the stack trace on all simulated throws. That + turned out to not be very useful, and slows down the debugging process. + Instead, the new implementation captures the stack trace and only dumps it + if we have a verification failure. + + 3. Fixed missing exception checks and book-keeping needed to allow the JSC tests + to pass with JSC_validateExceptionChecks=true. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::executeOSRExit): + * dfg/DFGOperations.cpp: + * interpreter/Interpreter.cpp: + (JSC::eval): + (JSC::loadVarargs): + (JSC::Interpreter::unwind): + (JSC::Interpreter::executeProgram): + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + (JSC::Interpreter::prepareForRepeatCall): + (JSC::Interpreter::execute): + (JSC::Interpreter::executeModuleProgram): + * jit/JITOperations.cpp: + (JSC::getByVal): + * jsc.cpp: + (WTF::CustomGetter::customGetterAcessor): + (GlobalObject::moduleLoaderImportModule): + (GlobalObject::moduleLoaderResolve): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::getByVal): + (JSC::LLInt::setUpCall): + * parser/Parser.h: + (JSC::Parser::popScopeInternal): + * runtime/AbstractModuleRecord.cpp: + (JSC::AbstractModuleRecord::hostResolveImportedModule): + (JSC::AbstractModuleRecord::resolveImport): + (JSC::AbstractModuleRecord::resolveExportImpl): + (JSC::getExportedNames): + (JSC::AbstractModuleRecord::getModuleNamespace): + * runtime/ArrayPrototype.cpp: + (JSC::getProperty): + (JSC::unshift): + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncJoin): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + (JSC::concatAppendOne): + (JSC::arrayProtoPrivateFuncConcatMemcpy): + (JSC::arrayProtoPrivateFuncAppendMemcpy): + * runtime/CatchScope.h: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/DatePrototype.cpp: + (JSC::dateProtoFuncSetTime): + (JSC::setNewValueFromTimeArgs): + * runtime/DirectArguments.h: + (JSC::DirectArguments::length const): + * runtime/ErrorPrototype.cpp: + (JSC::errorProtoFuncToString): + * runtime/ExceptionFuzz.cpp: + 
(JSC::doExceptionFuzzing): + * runtime/ExceptionScope.h: + (JSC::ExceptionScope::needExceptionCheck): + (JSC::ExceptionScope::assertNoException): + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::defineOwnProperty): + * runtime/HashMapImpl.h: + (JSC::HashMapImpl::rehash): + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::formatToParts): + * runtime/JSArray.cpp: + (JSC::JSArray::defineOwnProperty): + (JSC::JSArray::put): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + (JSC::JSValue::putToPrimitiveByIndex): + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::toIndex const): + (JSC::JSValue::get const): + (JSC::JSValue::getPropertySlot const): + (JSC::JSValue::equalSlowCaseInline): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayViewFromIterator): + (JSC::constructGenericTypedArrayViewWithArguments): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::set): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::put): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::decode): + (JSC::globalFuncEval): + (JSC::globalFuncProtoGetter): + (JSC::globalFuncProtoSetter): + (JSC::globalFuncImportModule): + * runtime/JSInternalPromise.cpp: + (JSC::JSInternalPromise::then): + * runtime/JSInternalPromiseDeferred.cpp: + (JSC::JSInternalPromiseDeferred::create): + * runtime/JSJob.cpp: + (JSC::JSJobMicrotask::run): + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::getOwnPropertySlot): + (JSC::JSModuleEnvironment::put): + (JSC::JSModuleEnvironment::deleteProperty): + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::provide): + (JSC::JSModuleLoader::loadAndEvaluateModule): + (JSC::JSModuleLoader::loadModule): + (JSC::JSModuleLoader::linkAndEvaluateModule): + (JSC::JSModuleLoader::requestImportModule): + * runtime/JSModuleRecord.cpp: + (JSC::JSModuleRecord::link): + (JSC::JSModuleRecord::instantiateDeclarations): + * runtime/JSONObject.cpp: + 
(JSC::Stringifier::stringify): + (JSC::Stringifier::toJSON): + (JSC::JSONProtoFuncParse): + * runtime/JSObject.cpp: + (JSC::JSObject::calculatedClassName): + (JSC::ordinarySetSlow): + (JSC::JSObject::putInlineSlow): + (JSC::JSObject::ordinaryToPrimitive const): + (JSC::JSObject::toPrimitive const): + (JSC::JSObject::hasInstance): + (JSC::JSObject::getPropertyNames): + (JSC::JSObject::toNumber const): + (JSC::JSObject::defineOwnIndexedProperty): + (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): + (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): + (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): + (JSC::validateAndApplyPropertyDescriptor): + (JSC::JSObject::defineOwnNonIndexProperty): + (JSC::JSObject::getGenericPropertyNames): + * runtime/JSObject.h: + (JSC::JSObject::get const): + * runtime/JSObjectInlines.h: + (JSC::JSObject::getPropertySlot const): + (JSC::JSObject::getPropertySlot): + (JSC::JSObject::getNonIndexPropertySlot): + (JSC::JSObject::putInlineForJSObject): + * runtime/JSPromiseConstructor.cpp: + (JSC::constructPromise): + * runtime/JSPromiseDeferred.cpp: + (JSC::JSPromiseDeferred::create): + * runtime/JSScope.cpp: + (JSC::abstractAccess): + (JSC::JSScope::resolve): + (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval): + (JSC::JSScope::abstractResolve): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::tryJSONPParse): + (JSC::LiteralParser::parse): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToString): + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorSetPrototypeOf): + (JSC::objectConstructorGetOwnPropertyDescriptor): + (JSC::objectConstructorGetOwnPropertyDescriptors): + (JSC::objectConstructorAssign): + (JSC::objectConstructorValues): + (JSC::toPropertyDescriptor): + (JSC::objectConstructorDefineProperty): + (JSC::defineProperties): + (JSC::objectConstructorDefineProperties): + 
(JSC::ownPropertyKeys): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncHasOwnProperty): + (JSC::objectProtoFuncIsPrototypeOf): + (JSC::objectProtoFuncLookupGetter): + (JSC::objectProtoFuncLookupSetter): + (JSC::objectProtoFuncToLocaleString): + (JSC::objectProtoFuncToString): + * runtime/Options.h: + * runtime/ParseInt.h: + (JSC::toStringView): + * runtime/ProxyObject.cpp: + (JSC::performProxyGet): + (JSC::ProxyObject::performPut): + * runtime/ReflectObject.cpp: + (JSC::reflectObjectDefineProperty): + * runtime/RegExpConstructor.cpp: + (JSC::toFlags): + (JSC::regExpCreate): + (JSC::constructRegExp): + * runtime/RegExpObject.cpp: + (JSC::collectMatches): + * runtime/RegExpObjectInlines.h: + (JSC::RegExpObject::execInline): + (JSC::RegExpObject::matchInline): + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncTestFast): + (JSC::regExpProtoFuncExec): + (JSC::regExpProtoFuncMatchFast): + (JSC::regExpProtoFuncToString): + (JSC::regExpProtoFuncSplitFast): + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::newCodeBlockFor): + (JSC::ScriptExecutable::prepareForExecutionImpl): + * runtime/SetConstructor.cpp: + (JSC::constructSet): + * runtime/ThrowScope.cpp: + (JSC::ThrowScope::simulateThrow): + * runtime/VM.cpp: + (JSC::VM::verifyExceptionCheckNeedIsSatisfied): + * runtime/VM.h: + * runtime/WeakMapPrototype.cpp: + (JSC::protoFuncWeakMapSet): + * runtime/WeakSetPrototype.cpp: + (JSC::protoFuncWeakSetAdd): + * wasm/js/WebAssemblyModuleConstructor.cpp: + (JSC::WebAssemblyModuleConstructor::createModule): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::reject): + (JSC::webAssemblyCompileFunc): + (JSC::resolve): + (JSC::webAssemblyInstantiateFunc): + +2017-09-08 Filip Pizlo + + Error should compute .stack and friends lazily + https://bugs.webkit.org/show_bug.cgi?id=176645 + + Reviewed by Saam Barati. 
+ + Building the string portion of the stack trace after we walk the stack accounts for most of + the cost of computing the .stack property. So, this patch makes ErrorInstance hold onto the + Vector so that it can build the string only once it's really needed. + + This is an enormous speed-up for programs that allocate and throw exceptions. + + It's a 5.6x speed-up for "new Error()" with a stack that is 4 functions deep. + + It's a 2.2x speed-up for throwing and catching an Error. + + It's a 1.17x speed-up for the WSL test suite (which throws a lot). + + It's a significant speed-up on many of our existing try-catch microbenchmarks. For example, + delta-blue-try-catch is 1.16x faster. + + * interpreter/Interpreter.cpp: + (JSC::GetStackTraceFunctor::GetStackTraceFunctor): + (JSC::GetStackTraceFunctor::operator() const): + (JSC::Interpreter::getStackTrace): + * interpreter/Interpreter.h: + * runtime/Error.cpp: + (JSC::getStackTrace): + (JSC::getBytecodeOffset): + (JSC::addErrorInfo): + (JSC::addErrorInfoAndGetBytecodeOffset): Deleted. + * runtime/Error.h: + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::ErrorInstance): + (JSC::ErrorInstance::finishCreation): + (JSC::ErrorInstance::materializeErrorInfoIfNeeded): + (JSC::ErrorInstance::visitChildren): + (JSC::ErrorInstance::getOwnPropertySlot): + (JSC::ErrorInstance::getOwnNonIndexPropertyNames): + (JSC::ErrorInstance::defineOwnProperty): + (JSC::ErrorInstance::put): + (JSC::ErrorInstance::deleteProperty): + * runtime/ErrorInstance.h: + * runtime/Exception.cpp: + (JSC::Exception::visitChildren): + (JSC::Exception::finishCreation): + * runtime/Exception.h: + * runtime/StackFrame.cpp: + (JSC::StackFrame::visitChildren): + * runtime/StackFrame.h: + (JSC::StackFrame::StackFrame): + +2017-09-09 Mark Lam + + [Re-landing] Use JIT probes for DFG OSR exit. + https://bugs.webkit.org/show_bug.cgi?id=175144 + + + Not reviewed. Original patch reviewed by Saam Barati. + + Relanding r221774. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/MacroAssembler.cpp: + (JSC::stdFunctionCallback): + * assembler/MacroAssemblerPrinter.cpp: + (JSC::Printer::printCallback): + * assembler/ProbeContext.h: + (JSC::Probe::CPUState::gpr const): + (JSC::Probe::CPUState::spr const): + (JSC::Probe::Context::Context): + (JSC::Probe::Context::arg): + (JSC::Probe::Context::gpr): + (JSC::Probe::Context::spr): + (JSC::Probe::Context::fpr): + (JSC::Probe::Context::gprName): + (JSC::Probe::Context::sprName): + (JSC::Probe::Context::fprName): + (JSC::Probe::Context::gpr const): + (JSC::Probe::Context::spr const): + (JSC::Probe::Context::fpr const): + (JSC::Probe::Context::pc): + (JSC::Probe::Context::fp): + (JSC::Probe::Context::sp): + (JSC::Probe:: const): Deleted. + * assembler/ProbeFrame.h: Copied from Source/JavaScriptCore/assembler/ProbeFrame.h. + * assembler/ProbeStack.cpp: + (JSC::Probe::Page::Page): + * assembler/ProbeStack.h: + (JSC::Probe::Page::get): + (JSC::Probe::Page::set): + (JSC::Probe::Page::physicalAddressFor): + (JSC::Probe::Stack::lowWatermark): + (JSC::Probe::Stack::get): + (JSC::Probe::Stack::set): + * bytecode/ArithProfile.cpp: + * bytecode/ArithProfile.h: + * bytecode/ArrayProfile.h: + (JSC::ArrayProfile::observeArrayMode): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::addressOfOSRExitCounter): Deleted. + * bytecode/ExecutionCounter.h: + (JSC::ExecutionCounter::hasCrossedThreshold const): + (JSC::ExecutionCounter::setNewThresholdForOSRExit): + * bytecode/MethodOfGettingAValueProfile.cpp: + (JSC::MethodOfGettingAValueProfile::reportValue): + * bytecode/MethodOfGettingAValueProfile.h: + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::findPC): Deleted. 
+ * dfg/DFGJITCode.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::linkOSRExits): + (JSC::DFG::JITCompiler::link): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::jsValueFor): + (JSC::DFG::restoreCalleeSavesFor): + (JSC::DFG::saveCalleeSavesFor): + (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer): + (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer): + (JSC::DFG::saveOrCopyCalleeSavesFor): + (JSC::DFG::createDirectArgumentsDuringExit): + (JSC::DFG::createClonedArgumentsDuringExit): + (JSC::DFG::OSRExit::OSRExit): + (JSC::DFG::emitRestoreArguments): + (JSC::DFG::OSRExit::executeOSRExit): + (JSC::DFG::reifyInlinedCallFrames): + (JSC::DFG::adjustAndJumpToTarget): + (JSC::DFG::printOSRExit): + (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted. + (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted. + (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted. + (JSC::DFG::OSRExit::correctJump): Deleted. + (JSC::DFG::OSRExit::emitRestoreArguments): Deleted. + (JSC::DFG::OSRExit::compileOSRExit): Deleted. + (JSC::DFG::OSRExit::compileExit): Deleted. + (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted. + * dfg/DFGOSRExit.h: + (JSC::DFG::OSRExitState::OSRExitState): + (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite): + * dfg/DFGOSRExitCompilerCommon.cpp: + * dfg/DFGOSRExitCompilerCommon.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitThunkGenerator): + (JSC::DFG::osrExitGenerationThunkGenerator): Deleted. + * dfg/DFGThunks.h: + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::debugCall): Deleted. + * jit/AssemblyHelpers.h: + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * profiler/ProfilerOSRExit.h: + (JSC::Profiler::OSRExit::incCount): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + * runtime/VM.h: + +2017-09-09 Ryan Haddad + + Unreviewed, rolling out r221774. + + This change introduced three debug JSC test timeouts. 
+ + Reverted changeset: + + "Use JIT probes for DFG OSR exit." + https://bugs.webkit.org/show_bug.cgi?id=175144 + http://trac.webkit.org/changeset/221774 + +2017-09-09 Mark Lam + + Avoid duplicate computations of ExecState::vm(). + https://bugs.webkit.org/show_bug.cgi?id=176647 + + Reviewed by Saam Barati. + + Because while computing ExecState::vm() is cheap, it is not free. + + This patch also: + 1. gets rids of some convenience methods in CallFrame that implicitly does a + ExecState::vm() computation. This minimizes the chance of us accidentally + computing ExecState::vm() more than necessary. + 2. passes vm (when available) to methodTable(). + 3. passes vm (when available) to JSLockHolder. + + * API/JSBase.cpp: + (JSCheckScriptSyntax): + (JSGarbageCollect): + (JSReportExtraMemoryCost): + (JSSynchronousGarbageCollectForDebugging): + (JSSynchronousEdenCollectForDebugging): + * API/JSCallbackConstructor.h: + (JSC::JSCallbackConstructor::create): + * API/JSCallbackObject.h: + (JSC::JSCallbackObject::create): + * API/JSContext.mm: + (-[JSContext setException:]): + * API/JSContextRef.cpp: + (JSContextGetGlobalObject): + (JSContextCreateBacktrace): + * API/JSManagedValue.mm: + (-[JSManagedValue value]): + * API/JSObjectRef.cpp: + (JSObjectMake): + (JSObjectMakeFunctionWithCallback): + (JSObjectMakeConstructor): + (JSObjectMakeFunction): + (JSObjectSetPrototype): + (JSObjectHasProperty): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectGetPrivateProperty): + (JSObjectSetPrivateProperty): + (JSObjectDeletePrivateProperty): + (JSObjectIsFunction): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + (JSObjectCopyPropertyNames): + (JSPropertyNameAccumulatorAddName): + * API/JSScriptRef.cpp: + * API/JSTypedArray.cpp: + (JSValueGetTypedArrayType): + (JSObjectMakeTypedArrayWithArrayBuffer): + (JSObjectMakeTypedArrayWithArrayBufferAndOffset): + (JSObjectGetTypedArrayBytesPtr): + 
(JSObjectGetTypedArrayBuffer): + (JSObjectMakeArrayBufferWithBytesNoCopy): + (JSObjectGetArrayBufferBytesPtr): + * API/JSWeakObjectMapRefPrivate.cpp: + * API/JSWrapperMap.mm: + (constructorHasInstance): + (makeWrapper): + * API/ObjCCallbackFunction.mm: + (objCCallbackFunctionForInvocation): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::jettison): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::addConstant): + (JSC::CodeBlock::replaceConstant): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + (JSC::PutByIdStatus::computeFor): + * dfg/DFGDesiredWatchpoints.cpp: + (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::globalThisObjectFor): + * dfg/DFGOperations.cpp: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationPopulateObjectInOSR): + (JSC::FTL::operationMaterializeObjectInOSR): + * heap/GCAssertions.h: + * inspector/InjectedScriptHost.cpp: + (Inspector::InjectedScriptHost::wrapper): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::subtype): + (Inspector::constructInternalProperty): + (Inspector::JSInjectedScriptHost::getInternalProperties): + (Inspector::JSInjectedScriptHost::weakMapEntries): + (Inspector::JSInjectedScriptHost::weakSetEntries): + (Inspector::JSInjectedScriptHost::iteratorEntries): + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::valueForScopeLocation): + (Inspector::JSJavaScriptCallFrame::scopeDescriptions): + (Inspector::toJS): + * inspector/ScriptCallStackFactory.cpp: + (Inspector::extractSourceInformationFromException): + (Inspector::createScriptArguments): + * interpreter/CachedCall.h: + (JSC::CachedCall::CachedCall): + * interpreter/CallFrame.h: + (JSC::ExecState::atomicStringTable const): Deleted. + (JSC::ExecState::propertyNames const): Deleted. + (JSC::ExecState::emptyList const): Deleted. + (JSC::ExecState::interpreter): Deleted. 
+ (JSC::ExecState::heap): Deleted. + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeProgram): + (JSC::Interpreter::execute): + (JSC::Interpreter::executeModuleProgram): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JITOperations.cpp: + * jit/JITWorklist.cpp: + (JSC::JITWorklist::compileNow): + * jsc.cpp: + (WTF::RuntimeArray::create): + (WTF::RuntimeArray::getOwnPropertySlot): + (WTF::DOMJITGetter::DOMJITAttribute::slowCall): + (WTF::DOMJITFunctionObject::unsafeFunction): + (WTF::DOMJITCheckSubClassObject::unsafeFunction): + (GlobalObject::moduleLoaderFetch): + (functionDumpCallFrame): + (functionCreateRoot): + (functionGetElement): + (functionSetElementRoot): + (functionCreateSimpleObject): + (functionSetHiddenValue): + (functionCreateProxy): + (functionCreateImpureGetter): + (functionCreateCustomGetterObject): + (functionCreateDOMJITNodeObject): + (functionCreateDOMJITGetterObject): + (functionCreateDOMJITGetterComplexObject): + (functionCreateDOMJITFunctionObject): + (functionCreateDOMJITCheckSubClassObject): + (functionGCAndSweep): + (functionFullGC): + (functionEdenGC): + (functionHeapSize): + (functionShadowChickenFunctionsOnStack): + (functionSetGlobalConstRedeclarationShouldNotThrow): + (functionJSCOptions): + (functionFailNextNewCodeBlock): + (functionMakeMasquerader): + (functionDumpTypesForAllVariables): + (functionFindTypeForExpression): + (functionReturnTypeFor): + (functionDumpBasicBlockExecutionRanges): + (functionBasicBlockExecutionCount): + (functionDrainMicrotasks): + (functionGenerateHeapSnapshot): + (functionEnsureArrayStorage): + (functionStartSamplingProfiler): + (runInteractive): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * parser/ModuleAnalyzer.cpp: + (JSC::ModuleAnalyzer::ModuleAnalyzer): + * profiler/ProfilerBytecode.cpp: + (JSC::Profiler::Bytecode::toJS const): + * profiler/ProfilerBytecodeSequence.cpp: + (JSC::Profiler::BytecodeSequence::addSequenceProperties const): + * 
profiler/ProfilerBytecodes.cpp: + (JSC::Profiler::Bytecodes::toJS const): + * profiler/ProfilerCompilation.cpp: + (JSC::Profiler::Compilation::toJS const): + * profiler/ProfilerCompiledBytecode.cpp: + (JSC::Profiler::CompiledBytecode::toJS const): + * profiler/ProfilerDatabase.cpp: + (JSC::Profiler::Database::toJS const): + * profiler/ProfilerEvent.cpp: + (JSC::Profiler::Event::toJS const): + * profiler/ProfilerOSRExit.cpp: + (JSC::Profiler::OSRExit::toJS const): + * profiler/ProfilerOrigin.cpp: + (JSC::Profiler::Origin::toJS const): + * profiler/ProfilerProfiledBytecodes.cpp: + (JSC::Profiler::ProfiledBytecodes::toJS const): + * runtime/AbstractModuleRecord.cpp: + (JSC::identifierToJSValue): + (JSC::AbstractModuleRecord::resolveExportImpl): + (JSC::getExportedNames): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + * runtime/BooleanConstructor.cpp: + (JSC::constructBooleanFromImmediateBoolean): + * runtime/CallData.cpp: + (JSC::call): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): + (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): + * runtime/Completion.cpp: + (JSC::checkSyntax): + (JSC::evaluate): + (JSC::loadAndEvaluateModule): + (JSC::loadModule): + (JSC::linkAndEvaluateModule): + (JSC::importModule): + * runtime/ConstructData.cpp: + (JSC::construct): + * runtime/DatePrototype.cpp: + (JSC::dateProtoFuncToJSON): + * runtime/DirectArguments.h: + (JSC::DirectArguments::length const): + * runtime/DirectEvalExecutable.cpp: + (JSC::DirectEvalExecutable::create): + * runtime/ErrorPrototype.cpp: + (JSC::errorProtoFuncToString): + * runtime/ExceptionHelpers.cpp: + (JSC::createUndefinedVariableError): + (JSC::errorDescriptionForValue): + * runtime/FunctionConstructor.cpp: + (JSC::constructFunction): + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::getOwnPropertyNames): + * runtime/IdentifierInlines.h: + 
(JSC::Identifier::add): + * runtime/IndirectEvalExecutable.cpp: + (JSC::IndirectEvalExecutable::create): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::finishCreation): + (JSC::InternalFunction::createSubclassStructureSlow): + * runtime/JSArray.cpp: + (JSC::JSArray::getOwnPropertySlot): + (JSC::JSArray::put): + (JSC::JSArray::deleteProperty): + (JSC::JSArray::getOwnNonIndexPropertyNames): + (JSC::JSArray::isIteratorProtocolFastAndNonObservable): + * runtime/JSArray.h: + (JSC::JSArray::shiftCountForShift): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpForBacktrace const): + * runtime/JSDataView.cpp: + (JSC::JSDataView::getOwnPropertySlot): + (JSC::JSDataView::deleteProperty): + (JSC::JSDataView::getOwnNonIndexPropertyNames): + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::deleteProperty): + (JSC::JSFunction::reifyName): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncEval): + * runtime/JSInternalPromise.cpp: + (JSC::JSInternalPromise::then): + * runtime/JSLexicalEnvironment.cpp: + (JSC::JSLexicalEnvironment::deleteProperty): + * runtime/JSMap.cpp: + (JSC::JSMap::isIteratorProtocolFastAndNonObservable): + * runtime/JSMapIterator.h: + (JSC::JSMapIterator::advanceIter): + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames): + * runtime/JSModuleLoader.cpp: + (JSC::printableModuleKey): + (JSC::JSModuleLoader::provide): + (JSC::JSModuleLoader::loadAndEvaluateModule): + (JSC::JSModuleLoader::loadModule): + (JSC::JSModuleLoader::linkAndEvaluateModule): + (JSC::JSModuleLoader::requestImportModule): + * runtime/JSModuleNamespaceObject.h: + * runtime/JSModuleRecord.cpp: + (JSC::JSModuleRecord::evaluate): + * runtime/JSONObject.cpp: + (JSC::Stringifier::Stringifier): + (JSC::Stringifier::appendStringifiedValue): + (JSC::Stringifier::Holder::appendNextProperty): + * runtime/JSObject.cpp: + (JSC::JSObject::calculatedClassName): + (JSC::JSObject::putByIndex): + 
(JSC::JSObject::ordinaryToPrimitive const): + (JSC::JSObject::toPrimitive const): + (JSC::JSObject::hasInstance): + (JSC::JSObject::getOwnPropertyNames): + (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): + (JSC::getCustomGetterSetterFunctionForGetterSetter): + (JSC::JSObject::getOwnPropertyDescriptor): + (JSC::JSObject::getMethod): + * runtime/JSObject.h: + (JSC::JSObject::createRawObject): + (JSC::JSFinalObject::create): + * runtime/JSObjectInlines.h: + (JSC::JSObject::canPerformFastPutInline): + (JSC::JSObject::putInlineForJSObject): + (JSC::JSObject::hasOwnProperty const): + * runtime/JSScope.cpp: + (JSC::isUnscopable): + (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval): + * runtime/JSSet.cpp: + (JSC::JSSet::isIteratorProtocolFastAndNonObservable): + * runtime/JSSetIterator.h: + (JSC::JSSetIterator::advanceIter): + * runtime/JSString.cpp: + (JSC::JSString::getStringPropertyDescriptor): + * runtime/JSString.h: + (JSC::JSString::getStringPropertySlot): + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/ModuleProgramExecutable.cpp: + (JSC::ModuleProgramExecutable::create): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncToLocaleString): + * runtime/ProgramExecutable.h: + * runtime/RegExpObject.cpp: + (JSC::RegExpObject::getOwnPropertySlot): + (JSC::RegExpObject::deleteProperty): + (JSC::RegExpObject::getOwnNonIndexPropertyNames): + (JSC::RegExpObject::getPropertyNames): + (JSC::RegExpObject::getGenericPropertyNames): + (JSC::RegExpObject::put): + * runtime/ScopedArguments.h: + (JSC::ScopedArguments::length const): + * runtime/StrictEvalActivation.h: + (JSC::StrictEvalActivation::create): + * runtime/StringObject.cpp: + (JSC::isStringOwnProperty): + (JSC::StringObject::deleteProperty): + (JSC::StringObject::getOwnNonIndexPropertyNames): + * tools/JSDollarVMPrototype.cpp: + (JSC::JSDollarVMPrototype::gc): + (JSC::JSDollarVMPrototype::edenGC): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + 
+2017-09-08 Yusuke Suzuki + + [DFG] NewArrayWithSize(size)'s size does not care negative zero + https://bugs.webkit.org/show_bug.cgi?id=176300 + + Reviewed by Saam Barati. + + NewArrayWithSize(size)'s size does not care negative zero as + is the same to NewTypedArray. We propagate this information + in DFGBackwardsPropagationPhase. This removes negative zero + check in kraken fft's deinterleave function. + + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + +2017-09-08 Yusuke Suzuki + + [DFG] PutByVal with Array::Generic is too generic + https://bugs.webkit.org/show_bug.cgi?id=176345 + + Reviewed by Filip Pizlo. + + Our DFG/FTL's PutByVal with Array::Generic is too generic implementation. + We could have the case like, + + dst[key] = src[key]; + + with string or symbol keys. But they are handled in slow path. + This patch adds PutByVal(CellUse, StringUse/SymbolUse, UntypedUse). They go + to optimized path that does not have generic checks like (isInt32() / isDouble() etc.). + + This improves SixSpeed object-assign.es5 by 9.1%. + + object-assign.es5 424.3159+-11.0471 ^ 388.8771+-10.9239 ^ definitely 1.0911x faster + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGOperations.cpp: + (JSC::DFG::putByVal): + (JSC::DFG::putByValInternal): + (JSC::DFG::putByValCellInternal): + (JSC::DFG::putByValCellStringInternal): + (JSC::DFG::operationPutByValInternal): Deleted. 
+ * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString): + (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): + * jit/JITOperations.h: + +2017-09-08 Yusuke Suzuki + + [DFG][FTL] GetByVal(ObjectUse with Array::Generic, StringUse/SymbolUse) should be supported + https://bugs.webkit.org/show_bug.cgi?id=176590 + + Reviewed by Saam Barati. + + We add fixup edges for GetByVal(Array::Generic) to call faster operation instead of generic operationGetByVal. + + baseline patched + + object-iterate 5.8531+-0.3029 5.7903+-0.2795 might be 1.0108x faster + object-iterate-symbols 7.4099+-0.3993 ^ 5.8254+-0.2276 ^ definitely 1.2720x faster + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGOperations.cpp: + (JSC::DFG::getByValObject): + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString): + (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + +2017-09-07 Mark Lam + + Use JIT probes for DFG OSR exit. + https://bugs.webkit.org/show_bug.cgi?id=175144 + + + Reviewed by Saam Barati. + + This patch does the following: + 1. Replaces osrExitGenerationThunkGenerator() with osrExitThunkGenerator(). 
+ While osrExitGenerationThunkGenerator() generates a thunk that compiles a + unique OSR offramp for each DFG OSR exit site, osrExitThunkGenerator() + generates a thunk that just executes the OSR exit. + + The osrExitThunkGenerator() generated thunk works by using a single JIT probe + to call OSRExit::executeOSRExit(). The JIT probe takes care of preserving + CPU registers, and providing the Probe::Stack mechanism for modifying the + stack frame. + + OSRExit::executeOSRExit() replaces OSRExit::compileOSRExit() and + OSRExit::compileExit(). It is basically a re-write of those functions to + execute the OSR exit work instead of compiling code to execute the work. + + As a result, we get the following savings: + a. no more OSR exit ramp compilation time. + b. no use of JIT executable memory for storing each unique OSR exit ramp. + + On the negative side, we incur these costs: + + c. the OSRExit::executeOSRExit() ramp may be a little slower than the compiled + version of the ramp. However, OSR exits are rare. Hence, this small + difference should not matter much. It is also offset by the savings from + (a). + + d. the Probe::Stack allocates 1K pages for memory for buffering stack + modifcations. The number of these pages depends on the span of stack memory + that the OSR exit ramp reads from and writes to. Since the OSR exit ramp + tends to only modify values in the current DFG frame and the current + VMEntryRecord, the number of pages tends to only be 1 or 2. + + Using the jsc tests as a workload, the vast majority of tests that do OSR + exit, uses 3 or less 1K pages (with the overwhelming number using just 1 page). + A few tests that are pathological uses up to 14 pages, and one particularly + bad test (function-apply-many-args.js) uses 513 pages. 
+
+ Similar to the old code, the OSR exit ramp still has 2 parts: 1 part that is
+ only executed once to compute some values for the exit site that is used by
+ all exit operations from that site, and a 2nd part to execute the exit. The
+ 1st part is protected by a checking if exit.exitState has already been
+ initialized. The computed values are cached in exit.exitState.
+
+ Because the OSR exit thunk no longer compiles an OSR exit off-ramp, we no
+ longer need the facility to patch the site that jumps to the OSR exit ramp.
+ The DFG::JITCompiler has been modified to remove this patching code.
+
+ 2. Fixed the bottom most Probe::Context and Probe::Stack get/set methods to use
+ std::memcpy to avoid strict aliasing issues.
+
+ Also optimized the implementation of Probe::Stack::physicalAddressFor().
+
+ 3. Miscellaneous convenience methods added to make the Probe::Context easier of
+ use.
+
+ 4. Added a Probe::Frame class that makes it easier to get/set operands and
+ arguments in a given frame using the deferred write properties of the
+ Probe::Stack. Probe::Frame makes it easier to do some of the recovery work in
+ the OSR exit ramp.
+
+ 5. Cloned or converted some functions needed by the OSR exit ramp. The original
+ JIT versions of these functions are still left in place because they are still
+ needed for FTL OSR exit. A FIXME comment has been added to remove them later.
+ These functions include:
+
+ DFGOSRExitCompilerCommon.cpp's handleExitCounts() ==>
+ CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize()
+ DFGOSRExitCompilerCommon.cpp's reifyInlinedCallFrames() ==>
+ DFGOSRExit.cpp's reifyInlinedCallFrames()
+ DFGOSRExitCompilerCommon.cpp's adjustAndJumpToTarget() ==>
+ DFGOSRExit.cpp's adjustAndJumpToTarget()
+
+ MethodOfGettingAValueProfile::emitReportValue() ==>
+ MethodOfGettingAValueProfile::reportValue()
+
+ DFGOperations.cpp's operationCreateDirectArgumentsDuringExit() ==>
+ DFGOSRExit.cpp's createDirectArgumentsDuringExit()
+ DFGOperations.cpp's operationCreateClonedArgumentsDuringExit() ==>
+ DFGOSRExit.cpp's createClonedArgumentsDuringExit()
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/MacroAssembler.cpp:
+ (JSC::stdFunctionCallback):
+ * assembler/MacroAssemblerPrinter.cpp:
+ (JSC::Printer::printCallback):
+ * assembler/ProbeContext.h:
+ (JSC::Probe::CPUState::gpr const):
+ (JSC::Probe::CPUState::spr const):
+ (JSC::Probe::Context::Context):
+ (JSC::Probe::Context::arg):
+ (JSC::Probe::Context::gpr):
+ (JSC::Probe::Context::spr):
+ (JSC::Probe::Context::fpr):
+ (JSC::Probe::Context::gprName):
+ (JSC::Probe::Context::sprName):
+ (JSC::Probe::Context::fprName):
+ (JSC::Probe::Context::gpr const):
+ (JSC::Probe::Context::spr const):
+ (JSC::Probe::Context::fpr const):
+ (JSC::Probe::Context::pc):
+ (JSC::Probe::Context::fp):
+ (JSC::Probe::Context::sp):
+ (JSC::Probe:: const): Deleted.
+ * assembler/ProbeFrame.h: Added.
+ (JSC::Probe::Frame::Frame):
+ (JSC::Probe::Frame::getArgument):
+ (JSC::Probe::Frame::getOperand):
+ (JSC::Probe::Frame::get):
+ (JSC::Probe::Frame::setArgument):
+ (JSC::Probe::Frame::setOperand):
+ (JSC::Probe::Frame::set):
+ * assembler/ProbeStack.cpp:
+ (JSC::Probe::Page::Page):
+ * assembler/ProbeStack.h:
+ (JSC::Probe::Page::get):
+ (JSC::Probe::Page::set):
+ (JSC::Probe::Page::physicalAddressFor):
+ (JSC::Probe::Stack::lowWatermark):
+ (JSC::Probe::Stack::get):
+ (JSC::Probe::Stack::set):
+ * bytecode/ArithProfile.cpp:
+ * bytecode/ArithProfile.h:
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::observeArrayMode):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::addressOfOSRExitCounter): Deleted.
+ * bytecode/ExecutionCounter.h:
+ (JSC::ExecutionCounter::hasCrossedThreshold const):
+ (JSC::ExecutionCounter::setNewThresholdForOSRExit):
+ * bytecode/MethodOfGettingAValueProfile.cpp:
+ (JSC::MethodOfGettingAValueProfile::reportValue):
+ * bytecode/MethodOfGettingAValueProfile.h:
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::findPC): Deleted.
+ * dfg/DFGJITCode.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::jsValueFor):
+ (JSC::DFG::restoreCalleeSavesFor):
+ (JSC::DFG::saveCalleeSavesFor):
+ (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
+ (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+ (JSC::DFG::saveOrCopyCalleeSavesFor):
+ (JSC::DFG::createDirectArgumentsDuringExit):
+ (JSC::DFG::createClonedArgumentsDuringExit):
+ (JSC::DFG::OSRExit::OSRExit):
+ (JSC::DFG::emitRestoreArguments):
+ (JSC::DFG::OSRExit::executeOSRExit):
+ (JSC::DFG::reifyInlinedCallFrames):
+ (JSC::DFG::adjustAndJumpToTarget):
+ (JSC::DFG::printOSRExit):
+ (JSC::DFG::OSRExit::setPatchableCodeOffset): Deleted.
+ (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump const): Deleted.
+ (JSC::DFG::OSRExit::codeLocationForRepatch const): Deleted.
+ (JSC::DFG::OSRExit::correctJump): Deleted.
+ (JSC::DFG::OSRExit::emitRestoreArguments): Deleted.
+ (JSC::DFG::OSRExit::compileOSRExit): Deleted.
+ (JSC::DFG::OSRExit::compileExit): Deleted.
+ (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): Deleted.
+ * dfg/DFGOSRExit.h:
+ (JSC::DFG::OSRExitState::OSRExitState):
+ (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ * dfg/DFGOSRExitCompilerCommon.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrExitThunkGenerator):
+ (JSC::DFG::osrExitGenerationThunkGenerator): Deleted.
+ * dfg/DFGThunks.h:
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::debugCall): Deleted.
+ * jit/AssemblyHelpers.h:
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * profiler/ProfilerOSRExit.h:
+ (JSC::Profiler::OSRExit::incCount):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ * runtime/VM.h:
+
+2017-09-07 Michael Saboff
+
+ Add support for RegExp named capture groups
+ https://bugs.webkit.org/show_bug.cgi?id=176435
+
+ Reviewed by Filip Pizlo.
+
+ Added parsing for both naming a captured parenthesis as well and using a named group in
+ a back reference. Also added support for using named groups with String.prototype.replace().
+
+ This patch does not throw Syntax Errors as described in the current spec text for the two
+ cases of malformed back references in String.prototype.replace() as I believe that it
+ is inconsistent with the current semantics for handling of other malformed replacement
+ tokens. I filed an issue for the requested change to the proposed spec and also filed
+ a FIXME bug https://bugs.webkit.org/show_bug.cgi?id=176434.
+
+ This patch does not implement strength reduction in the optimizing JITs for named capture
+ groups. Filed https://bugs.webkit.org/show_bug.cgi?id=176464.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::haveABadTime):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::regExpMatchesArrayWithGroupsStructure const):
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::finishCreation):
+ * runtime/RegExp.h:
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::createStructureImpl):
+ (JSC::createRegExpMatchesArrayWithGroupsStructure):
+ (JSC::createRegExpMatchesArrayWithGroupsSlowPutStructure):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::createRegExpMatchesArray):
+ * runtime/StringPrototype.cpp:
+ (JSC::substituteBackreferencesSlow):
+ (JSC::replaceUsingRegExpSearch):
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
+ (JSC::Yarr::Parser::parseEscape):
+ (JSC::Yarr::Parser::parseParenthesesBegin):
+ (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
+ (JSC::Yarr::Parser::tryConsumeIdentifierCharacter):
+ (JSC::Yarr::Parser::isIdentifierStart):
+ (JSC::Yarr::Parser::isIdentifierPart):
+ (JSC::Yarr::Parser::tryConsumeGroupName):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPatternConstructor::atomParenthesesSubpatternBegin):
+ (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
+ (JSC::Yarr::YarrPattern::errorMessage):
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::YarrPattern::reset):
+ * yarr/YarrSyntaxChecker.cpp:
+ (JSC::Yarr::SyntaxChecker::atomParenthesesSubpatternBegin):
+ (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
+
+2017-09-07 Myles C. Maxfield
+
+ [PAL] Unify PlatformUserPreferredLanguages.h with Language.h
+ https://bugs.webkit.org/show_bug.cgi?id=176561
+
+ Reviewed by Brent Fulgham.
+
+ * runtime/IntlObject.cpp:
+ (JSC::defaultLocale):
+
+2017-09-07 Joseph Pecoraro
+
+ Augmented Inspector: Provide a way to inspect a DOM Node (DOM.inspect)
+ https://bugs.webkit.org/show_bug.cgi?id=176563
+
+
+ Reviewed by Matt Baker.
+
+ * inspector/protocol/DOM.json:
+ Add an event that is useful for augmented inspectors to inspect
+ a node. Web pages will still prefer Inspector.inspect.
+
+2017-09-06 Yusuke Suzuki
+
+ [JSC] Remove "malloc" and "free" from JSC/API
+ https://bugs.webkit.org/show_bug.cgi?id=176331
+
+ Reviewed by Keith Miller.
+
+ Remove "malloc" and "free" manual calls in JSC/API.
+
+ * API/JSValue.mm:
+ (createStructHandlerMap):
+ * API/JSWrapperMap.mm:
+ (parsePropertyAttributes):
+ (makeSetterName):
+ (copyPrototypeProperties):
+ Use RetainPtr to keep NSString. We avoid repeated "char*" to "NSString" conversion.
+
+ * API/ObjcRuntimeExtras.h:
+ (adoptSystem):
+ Add adoptSystem to automate calling system free().
+
+ (protocolImplementsProtocol):
+ (forEachProtocolImplementingProtocol):
+ (forEachMethodInClass):
+ (forEachMethodInProtocol):
+ (forEachPropertyInProtocol):
+ (StringRange::StringRange):
+ (StringRange::operator const char* const):
+ (StringRange::get const):
+ Use CString for backend.
+
+ (StructBuffer::StructBuffer):
+ (StructBuffer::~StructBuffer):
+ (StringRange::~StringRange): Deleted.
+ Use fastAlignedMalloc/astAlignedFree to get aligned memory.
+
+2017-09-06 Mark Lam
+
+ constructGenericTypedArrayViewWithArguments() is missing an exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=176485
+
+
+ Reviewed by Keith Miller.
+
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewWithArguments):
+
+2017-09-06 Saam Barati
+
+ Air should have a Vector of prologue generators instead of a HashMap representing an optional prologue generator
+ https://bugs.webkit.org/show_bug.cgi?id=176346
+
+ Reviewed by Mark Lam.
+
+ * b3/B3Procedure.cpp:
+ (JSC::B3::Procedure::Procedure):
+ (JSC::B3::Procedure::setNumEntrypoints):
+ * b3/B3Procedure.h:
+ (JSC::B3::Procedure::setNumEntrypoints): Deleted.
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::defaultPrologueGenerator):
+ (JSC::B3::Air::Code::Code):
+ (JSC::B3::Air::Code::setNumEntrypoints):
+ * b3/air/AirCode.h:
+ (JSC::B3::Air::Code::setPrologueForEntrypoint):
+ (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
+ (JSC::B3::Air::Code::setEntrypoints):
+ (JSC::B3::Air::Code::setEntrypointLabels):
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::generate):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+
+2017-09-06 Saam Barati
+
+ ASSERTION FAILED: op() == CheckStructure in Source/JavaScriptCore/dfg/DFGNode.h(443)
+ https://bugs.webkit.org/show_bug.cgi?id=176470
+
+ Reviewed by Mark Lam.
+
+ Update Node::convertToCheckStructureImmediate's assertion to allow
+ the node to either be a CheckStructure or CheckStructureOrEmpty.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToCheckStructureImmediate):
+
+2017-09-05 Saam Barati
+
+ isNotCellSpeculation is wrong with respect to SpecEmpty
+ https://bugs.webkit.org/show_bug.cgi?id=176429
+
+ Reviewed by Michael Saboff.
+
+ The isNotCellSpeculation(SpeculatedType t) function was not taking into account
+ SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
+ the empty value will fail a NotCell check. This bug would cause us to erroneously
+ generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotCellSpeculation):
+
+2017-09-05 Saam Barati
+
+ Make the distinction between entrypoints and CFG roots more clear by naming things better
+ https://bugs.webkit.org/show_bug.cgi?id=176336
+
+ Reviewed by Mark Lam and Keith Miller and Michael Saboff.
+
+ This patch does renaming to make the distinction between Graph::m_entrypoints
+ and Graph::m_numberOfEntrypoints more clear. The source of confusion is that
+ Graph::m_entrypoints.size() is not equivalent to Graph::m_numberOfEntrypoints.
+ Graph::m_entrypoints is really just the CFG roots. In CPS, this vector has
+ size >= 1. In SSA, the size is always 1. This patch renames Graph::m_entrypoints
+ to Graph::m_roots. To be consistent, this patch also renames Graph's m_entrypointToArguments
+ field to m_rootToArguments.
+
+ Graph::m_numberOfEntrypoints retains its name. This field is only used in SSA
+ when compiling with EntrySwitch. It represents the logical number of entrypoints
+ the compilation will end up with. Each EntrySwitch has m_numberOfEntrypoints
+ cases.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGCFG.h:
+ (JSC::DFG::CFG::roots):
+ (JSC::DFG::CPSCFG::CPSCFG):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::determineReachability):
+ (JSC::DFG::Graph::blocksInPreOrder):
+ (JSC::DFG::Graph::blocksInPostOrder):
+ (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::isRoot):
+ (JSC::DFG::Graph::isEntrypoint): Deleted.
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ * dfg/DFGLoopPreHeaderCreationPhase.cpp:
+ (JSC::DFG::createPreHeader):
+ * dfg/DFGMaximalFlushInsertionPhase.cpp:
+ (JSC::DFG::MaximalFlushInsertionPhase::run):
+ (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
+ * dfg/DFGOSREntrypointCreationPhase.cpp:
+ (JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGPredictionInjectionPhase.cpp:
+ (JSC::DFG::PredictionInjectionPhase::run):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::run):
+ * dfg/DFGValidate.cpp:
+
+2017-09-05 Joseph Pecoraro
+
+ test262: Completion values for control flow do not match the spec
+ https://bugs.webkit.org/show_bug.cgi?id=171265
+
+ Reviewed by Saam Barati.
+
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
+ When we care about having proper completion values (global code
+ in programs, modules, and eval) insert undefined results for
+ control flow statements.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::SourceElements::emitBytecode):
+ Reduce writing a default `undefined` value to the completion result to
+ only once before the last statement we know will produce a value.
+
+ (JSC::IfElseNode::emitBytecode):
+ (JSC::WithNode::emitBytecode):
+ (JSC::WhileNode::emitBytecode):
+ (JSC::ForNode::emitBytecode):
+ (JSC::ForInNode::emitBytecode):
+ (JSC::ForOfNode::emitBytecode):
+ (JSC::SwitchNode::emitBytecode):
+ Insert an undefined to handle cases where code may break out of an
+ if/else or with statement (break/continue).
+
+ (JSC::TryNode::emitBytecode):
+ Same handling for break cases. Also, finally block statement completion
+ values are always ignored for the try statement result.
+
+ (JSC::ClassDeclNode::emitBytecode):
+ Class declarations, like function declarations, produce an empty result.
+
+ * parser/Nodes.cpp:
+ (JSC::SourceElements::lastStatement):
+ (JSC::SourceElements::hasCompletionValue):
+ (JSC::SourceElements::hasEarlyBreakOrContinue):
+ (JSC::BlockNode::lastStatement):
+ (JSC::BlockNode::singleStatement):
+ (JSC::BlockNode::hasCompletionValue):
+ (JSC::BlockNode::hasEarlyBreakOrContinue):
+ (JSC::ScopeNode::singleStatement):
+ (JSC::ScopeNode::hasCompletionValue):
+ (JSC::ScopeNode::hasEarlyBreakOrContinue):
+ The only non-trivial cases need to loop through their list of statements
+ to determine if this has a completion value or not. Likewise for
+ determining if there is an early break / continue, meaning a break or
+ continue statement with no preceding statement that has a completion value.
+
+ * parser/Nodes.h:
+ (JSC::StatementNode::next):
+ (JSC::StatementNode::hasCompletionValue):
+ Helper to check if a statement nodes produces a completion value or not.
+
+2017-09-04 Saam Barati
+
+ typeCheckHoistingPhase may emit a CheckStructure on the empty value which leads to a dereference of zero on 64 bit platforms
+ https://bugs.webkit.org/show_bug.cgi?id=176317
+
+ Reviewed by Keith Miller.
+
+ It turns out that TypeCheckHoistingPhase may hoist a CheckStructure up to
+ the SetLocal of a particular value where the value is the empty JSValue.
+ On 64-bit platforms, the empty value is zero. This means that the empty value
+ passes a cell check. This will lead to a crash when we dereference null to load
+ the value's structure. This patch teaches TypeCheckHoistingPhase to be conservative
+ in the structure checks it hoists. On 64-bit platforms, instead of emitting a
+ CheckStructure node, we now emit a CheckStructureOrEmpty node. This node allows
+ the empty value to flow through. If the value isn't empty, it'll perform the normal
+ structure check that CheckStructure performs.
For now, we only emit CheckStructureOrEmpty
+ on 64-bit platforms since a cell check on 32-bit platforms does not allow the empty
+ value to flow through.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertCheckStructureOrEmptyToCheckStructure):
+ (JSC::DFG::Node::hasStructureSet):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ (JSC::DFG::SafeToExecuteEdge::maySeeEmptyChild):
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitStructureCheck):
+ (JSC::DFG::SpeculativeJIT::compileCheckStructure):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::run):
+ * dfg/DFGValidate.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckStructureOrEmpty):
+
+2017-09-04 Saam Barati
+
+ Support compiling catch in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=175396
+
+ Reviewed by Filip Pizlo.
+
+ This patch implements op_catch in the FTL. It extends the DFG implementation
+ by supporting multiple entrypoints in DFG-SSA. This patch implements this
+ by introducing an EntrySwitch node.
When converting to SSA, we introduce a new
+ root block with an EntrySwitch that has the previous DFG entrypoints as its
+ successors. By convention, we pick the zeroth entry point index to be the
+ op_enter entrypoint. Like in B3, in DFG-SSA, EntrySwitch just acts like a
+ switch over the entrypoint index argument. DFG::EntrySwitch in the FTL
+ simply lowers to B3::EntrySwitch. The EntrySwitch in the root block that
+ SSAConversion creates can not exit because we would both not know where to exit
+ to in the program: we would not have valid OSR exit state. This design also
+ mandates that anything we hoist above EntrySwitch in the new root block
+ can not exit since they also do not have valid OSR exit state.
+
+ This patch also adds a new metadata node named InitializeEntrypointArguments.
+ InitializeEntrypointArguments is a metadata node that initializes the flush format for
+ the arguments at a given entrypoint. For a given entrypoint index, this node
+ tells AI and OSRAvailabilityAnalysis what the flush format for each argument
+ is. This allows each individual entrypoint to have an independent set of
+ argument types. Currently, this won't happen in practice because ArgumentPosition
+ unifies flush formats, but this is an implementation detail we probably want
+ to modify in the future. SSAConversion will add InitializeEntrypointArguments
+ to the beginning of each of the original DFG entrypoint blocks.
+
+ This patch also adds the ability to specify custom prologue code generators in Air.
+ This allows the FTL to specify a custom prologue for catch entrypoints that
+ matches the op_catch OSR entry calling convention that the DFG uses. This way,
+ the baseline JIT code OSR enters into op_catch the same way both in the DFG
+ and the FTL. In the future, we can use this same mechanism to perform stack
+ overflow checks instead of using a patchpoint.
+
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::Code::isEntrypoint):
+ (JSC::B3::Air::Code::entrypointIndex):
+ * b3/air/AirCode.h:
+ (JSC::B3::Air::Code::setPrologueForEntrypoint):
+ (JSC::B3::Air::Code::prologueGeneratorForEntrypoint):
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::generate):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGBasicBlock.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGCFG.h:
+ (JSC::DFG::selectCFG):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGClobbersExitState.cpp:
+ (JSC::DFG::clobbersExitState):
+ * dfg/DFGCommonData.cpp:
+ (JSC::DFG::CommonData::shrinkToFit):
+ (JSC::DFG::CommonData::finalizeCatchEntrypoints):
+ * dfg/DFGCommonData.h:
+ (JSC::DFG::CommonData::catchOSREntryDataForBytecodeIndex):
+ (JSC::DFG::CommonData::appendCatchEntrypoint):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::invalidateCFG):
+ (JSC::DFG::Graph::ensureCPSCFG):
+ (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::isEntrypoint):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::shrinkToFit):
+ (JSC::DFG::JITCode::finalizeOSREntrypoints):
+ * dfg/DFGJITCode.h:
+ (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex): Deleted.
+ (JSC::DFG::JITCode::appendCatchEntrypoint): Deleted.
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
+ (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isEntrySwitch):
+ (JSC::DFG::Node::isTerminal):
+ (JSC::DFG::Node::entrySwitchData):
+ (JSC::DFG::Node::numSuccessors):
+ (JSC::DFG::Node::successor):
+ (JSC::DFG::Node::entrypointIndex):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareCatchOSREntry):
+ * dfg/DFGOSREntry.h:
+ * dfg/DFGOSREntrypointCreationPhase.cpp:
+ (JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
+ (JSC::DFG::SSAConversionPhase::run):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
+ (JSC::DFG::StaticExecutionCountEstimationPhase::run):
+ * dfg/DFGValidate.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileExtractCatchLocal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
+ (JSC::FTL::DFG::LowerDFGToB3::compileEntrySwitch):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::appendOSRExitDescriptor):
+ (JSC::FTL::DFG::LowerDFGToB3::appendOSRExit):
+ (JSC::FTL::DFG::LowerDFGToB3::blessSpeculation):
+ * ftl/FTLOutput.cpp:
+ (JSC::FTL::Output::entrySwitch):
+ * ftl/FTLOutput.h:
+ *
jit/JITOperations.cpp:
+
+2017-09-03 Yusuke Suzuki
+
+ [DFG][FTL] Efficiently execute number#toString()
+ https://bugs.webkit.org/show_bug.cgi?id=170007
+
+ Reviewed by Keith Miller.
+
+ In JS, the natural way to convert number to string with radix is `number.toString(radix)`.
+ However, our IC only cares about cells. If the base value is a number, it always goes to the slow path.
+
+ While extending our IC for number and boolean, the most meaningful use of this IC is calling `number.toString(radix)`.
+ So, in this patch, we first add a fast path for this in DFG by using watchpoint. We set up a watchpoint for
+ Number.prototype.toString. And if this watchpoint is kept alive and GetById(base, "toString")'s base should be
+ speculated as Number, we emit Number related Checks and convert GetById to Number.prototype.toString constant.
+ It removes costly GetById slow path, and makes it non-clobbering node (JSConstant).
+
+ In addition, we add NumberToStringWithValidRadixConstant node. We have NumberToStringWithRadix node, but it may
+ throw an error if the valid value is incorrect (for example, number.toString(2000)). So its clobbering rule is
+ conservatively use read(World)/write(Heap). But in reality, `number.toString` is mostly called with the constant
+ radix, and we can easily figure out this radix is valid (2 <= radix && radix < 32).
+ We add a rule to the constant folding phase to convert NumberToStringWithRadix to NumberToStringWithValidRadixConstant.
+ It ensures that it has valid constant radix. And we relax our clobbering rule for NumberToStringWithValidRadixConstant.
+
+ Added microbenchmarks show performance improvement.
+
+ baseline patched
+
+ number-to-string-with-radix-cse 43.8312+-1.3017 ^ 7.4930+-0.5105 ^ definitely 5.8496x faster
+ number-to-string-with-radix-10 7.2775+-0.5225 ^ 2.1906+-0.1864 ^ definitely 3.3222x faster
+ number-to-string-with-radix 39.7378+-1.4921 ^ 16.6137+-0.7776 ^ definitely 2.3919x faster
+ number-to-string-strength-reduction 94.9667+-2.7157 ^ 9.3060+-0.7202 ^ definitely 10.2049x faster
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::isWatchingGlobalObjectWatchpoint):
+ (JSC::DFG::Graph::isWatchingArrayIteratorProtocolWatchpoint):
+ (JSC::DFG::Graph::isWatchingNumberToStringWatchpoint):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToNumberToStringWithValidRadixConstant):
+ (JSC::DFG::Node::hasValidRadixConstant):
+ (JSC::DFG::Node::validRadixConstant):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
+ (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant):
+ (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithValidRadixConstant):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::numberToStringWatchpoint):
+ (JSC::JSGlobalObject::numberProtoToStringFunction const):
+ * runtime/NumberPrototype.cpp:
+ (JSC::NumberPrototype::finishCreation):
+ (JSC::toStringWithRadixInternal):
+ (JSC::toStringWithRadix):
+ (JSC::int32ToStringInternal):
+ (JSC::numberToStringInternal):
+ * runtime/NumberPrototype.h:
+
+2017-09-04 Yusuke Suzuki
+
+ [DFG] Consider increasing the number of DFG worklist threads
+ https://bugs.webkit.org/show_bug.cgi?id=176222
+
+ Reviewed by Saam Barati.
+
+ Attempt to add one more thread to DFG worklist. DFG compiler sometimes takes
+ very long time if the target function is very large. However, DFG worklist
+ has only one thread before this patch. Therefore, one function that takes
+ too much time to be compiled can prevent the other functions from being
+ compiled in DFG or upper tiers.
+
+ One example is Octane/zlib. In zlib, compiling "a1" function in DFG takes
+ super long time (447 ms) because of its super large size of the function.
+ While this function never gets compiled in FTL due to its large size,
+ it can be compiled in DFG and takes super long time. Subsequent "a8" function
+ compilation in DFG is blocked by this "a1". As a consequence, the benchmark
+ takes very long time in a1/Baseline code, which is slower than DFG of course.
+
+ While FTL has a bit more threads, DFG worklist has only one thread. This patch
+ adds one more thread to DFG worklist to alleviate the above situation. This
+ change significantly improves Octane/zlib performance.
+
+ baseline patched
+
+ zlib x2 482.32825+-6.07640 ^ 408.66072+-14.03856 ^ definitely 1.1803x faster
+
+ * runtime/Options.h:
+
+2017-09-04 Sam Weinig
+
+ [WebIDL] Unify and simplify EnableBySettings with the rest of the runtime settings
+ https://bugs.webkit.org/show_bug.cgi?id=176312
+
+ Reviewed by Darin Adler.
+
+ * runtime/CommonIdentifiers.h:
+
+ Remove WebCore specific identifiers from CommonIdentifiers. They have been moved
+ to WebCoreBuiltinNames in WebCore.
+
+2017-09-03 Yusuke Suzuki
+
+ Remove "malloc" and "free" use
+ https://bugs.webkit.org/show_bug.cgi?id=176310
+
+ Reviewed by Darin Adler.
+
+ Use Vector instead.
+
+ * API/JSWrapperMap.mm:
+ (selectorToPropertyName):
+
+2017-09-03 Darin Adler
+
+ Try to fix Windows build.
+
+ * runtime/JSGlobalObjectFunctions.cpp: #include .
+
+2017-09-03 Yusuke Suzuki
+
+ [WTF] Add C++03 allocator interface for GCC < 6
+ https://bugs.webkit.org/show_bug.cgi?id=176301
+
+ Reviewed by Darin Adler.
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
+2017-09-03 Chris Dumez
+
+ Unreviewed, rolling out r221555.
+
+ Did not fix Windows build
+
+ Reverted changeset:
+
+ "Unreviewed attempt to fix Windows build."
+ http://trac.webkit.org/changeset/221555
+
+2017-09-03 Chris Dumez
+
+ Unreviewed attempt to fix Windows build.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+
+2017-09-03 Chris Dumez
+
+ Unreviewed, rolling out r221552.
+
+ Broke the build
+
+ Reverted changeset:
+
+ "[WTF] Add C++03 allocator interface for GCC < 6"
+ https://bugs.webkit.org/show_bug.cgi?id=176301
+ http://trac.webkit.org/changeset/221552
+
+2017-09-03 Yusuke Suzuki
+
+ [WTF] Add C++03 allocator interface for GCC < 6
+ https://bugs.webkit.org/show_bug.cgi?id=176301
+
+ Reviewed by Darin Adler.
+ + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2017-09-03 Yusuke Suzuki + + [JSC] Clean up BytecodeLivenessAnalysis + https://bugs.webkit.org/show_bug.cgi?id=176295 + + Reviewed by Saam Barati. + + Previously, computeDefsForBytecodeOffset was a bit customizable. + This is used for try-catch handler's liveness analysis. But after + careful generatorification implementation, it is now not necessary. + This patch drops this customizability. + + * bytecode/BytecodeGeneratorification.cpp: + (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted. + (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted. + * bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::BytecodeLivenessAnalysis::computeKills): + (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted. + (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted. + * bytecode/BytecodeLivenessAnalysis.h: + * bytecode/BytecodeLivenessAnalysisInlines.h: + (JSC::BytecodeLivenessPropagation::stepOverInstruction): + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset): + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock): + (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset): + (JSC::BytecodeLivenessPropagation::runLivenessFixpoint): + (JSC::BytecodeLivenessPropagation::stepOverInstruction): Deleted. + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset): Deleted. + (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock): Deleted. + (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset): Deleted. + (JSC::BytecodeLivenessPropagation::runLivenessFixpoint): Deleted. + +2017-09-03 Sam Weinig + + Remove CanvasProxy + https://bugs.webkit.org/show_bug.cgi?id=176288 + + Reviewed by Yusuke Suzuki. + + CanvasProxy does not appear to be in any current HTML spec + and was disabled and unimplemented in our tree. Time to + get rid of it. 
+ + * Configurations/FeatureDefines.xcconfig: + +2017-09-02 Oliver Hunt + + Need an API to get the global context from JSObjectRef + https://bugs.webkit.org/show_bug.cgi?id=176291 + + Reviewed by Saam Barati. + + Very simple additional API, starting off as SPI on principle. + + * API/JSObjectRef.cpp: + (JSObjectGetGlobalContext): + * API/JSObjectRefPrivate.h: + * API/tests/testapi.c: + (main): + +2017-09-02 Yusuke Suzuki + + [DFG] Relax arity requirement + https://bugs.webkit.org/show_bug.cgi?id=175523 + + Reviewed by Saam Barati. + + Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments. + It effectively prevents us from inlining and optimizing functions, which takes some optional arguments in the form + of the pre-ES6. + + This patch removes the above restriction by performing the arity fixup in DFG. + + SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()). + + baseline patched + + defaults.es5 1232.1226+-20.6775 ^ 442.3326+-26.1883 ^ definitely 2.7855x faster + rest.es6 5.3406+-0.8588 ^ 3.5812+-0.5388 ^ definitely 1.4913x faster + spread-generator.es6 320.9107+-12.4808 310.4295+-12.0047 might be 1.0338x faster + generator.es6 318.3514+-9.6023 ^ 286.4974+-12.6203 ^ definitely 1.1112x faster + + * bytecode/InlineCallFrame.cpp: + (JSC::InlineCallFrame::dumpInContext const): + * bytecode/InlineCallFrame.h: + (JSC::InlineCallFrame::InlineCallFrame): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGArgumentsUtilities.cpp: + (JSC::DFG::argumentsInvolveStackSlot): + (JSC::DFG::emitCodeToGetArgumentsArrayLength): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::setLocal): + (JSC::DFG::ByteCodeParser::setArgument): + (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): + (JSC::DFG::ByteCodeParser::flush): + 
(JSC::DFG::ByteCodeParser::getArgumentCount): + (JSC::DFG::ByteCodeParser::inliningCost): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::attemptToInlineCall): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::validateReferences): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::isLiveInBytecode): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::forAllLocalsLiveInBytecode): + * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: + (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::emitRestoreArguments): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitGetLength): + (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): + * dfg/DFGStackLayoutPhase.cpp: + (JSC::DFG::StackLayoutPhase::run): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): + (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::readInlinedFrame): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::argumentsStart): + * jit/SetupVarargsFrame.cpp: + (JSC::emitSetupVarargsFrameFastCase): + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::createWithInlineFrame): + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::numberOfExtraSlots): + (JSC::CommonSlowPaths::numberOfStackPaddingSlots): + (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots): + (JSC::CommonSlowPaths::arityCheckFor): + * runtime/StackAlignment.h: + (JSC::stackAlignmentBytes): + 
(JSC::stackAlignmentRegisters): + +2017-09-01 Yusuke Suzuki + + [FTL] FTL allocation for async Function is incorrect + https://bugs.webkit.org/show_bug.cgi?id=176214 + + Reviewed by Saam Barati. + + In FTL, allocating async function / async generator function was incorrectly using + JSFunction logic. While it is not observable right now since sizeof(JSFunction) == sizeof(JSAsyncFunction), + but it is a bug. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): + +2017-08-31 Yusuke Suzuki + + [JSC] Fix "name" and "length" of Proxy revoke function + https://bugs.webkit.org/show_bug.cgi?id=176155 + + Reviewed by Mark Lam. + + ProxyRevoke's length should be configurable. And it does not have + its own name. We add NameVisibility enum to InternalFunction to + control visibility of the name. + + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::finishCreation): + * runtime/InternalFunction.h: + * runtime/ProxyRevoke.cpp: + (JSC::ProxyRevoke::finishCreation): + +2017-08-31 Saam Barati + + Throwing an exception in the DFG/FTL should not cause a jettison + https://bugs.webkit.org/show_bug.cgi?id=176060 + + + Reviewed by Keith Miller. + + Throwing an exception is not something that should be a jettison-able + OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit + counts which could cause a CodeBlock to jettison and recompile. This + was dumb. Throwing an exception is not a reason to jettison and + recompile in the way that a speculation failure is. This patch + treats Throw/ThrowStaticError as true terminals in DFG IR. 
+ + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): + * dfg/DFGNode.h: + (JSC::DFG::Node::isTerminal): + (JSC::DFG::Node::isPseudoTerminal): + (JSC::DFG::Node::errorType): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileThrow): + (JSC::DFG::SpeculativeJIT::compileThrowStaticError): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileThrow): + (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError): + * jit/JITOperations.h: + +2017-08-31 Saam Barati + + Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin + https://bugs.webkit.org/show_bug.cgi?id=176206 + + Reviewed by Keith Miller. + + Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560 + when he fixed it from overwriting invalid parts of the ArithProfile when the + currentNode and the operandNode are from the same bytecode. However, the + mechanism used to determine same bytecode was comparing NodeOrigin. That's + slightly wrong. We need to compare semantic origin, since two NodeOrigins can + have the same semantic origin, but differ only in exitOK. 
For example, + in the below IR, the DoubleRep and the Phi have the same semantic + origin, but different NodeOrigins. + + 43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid) + 58 ExitOK(MustGen, W:SideState, bc#63) + 51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63) + 54 ArithNegate(DoubleRep:Kill:@51, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63) + + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::methodOfGettingAValueProfileFor): + +2017-08-31 Don Olmstead + + [CMake] Make USE_CF conditional within Windows + https://bugs.webkit.org/show_bug.cgi?id=176173 + + Reviewed by Alex Christensen. + + * PlatformWin.cmake: + +2017-08-31 Saam Barati + + useSeparatedWXHeap should never be true when not on iOS + https://bugs.webkit.org/show_bug.cgi?id=176190 + + Reviewed by JF Bastien. + + If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell, + the process insta-crashes. Let's silently ignore that option and set it + to false when not on iOS. + + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + +2017-08-31 Filip Pizlo + + Fix debug crashes. + + Rubber stamped by Mark Lam. + + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): + +2017-08-31 Filip Pizlo + + All of the different ArrayBuffer::data's should be CagedPtr<> + https://bugs.webkit.org/show_bug.cgi?id=175515 + + Reviewed by Michael Saboff. + + This straightforwardly implements what the title says. 
+ + * runtime/ArrayBuffer.cpp: + (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): + (JSC::ArrayBufferContents::destroy): + (JSC::ArrayBufferContents::tryAllocate): + (JSC::ArrayBufferContents::makeShared): + (JSC::ArrayBufferContents::copyTo): + (JSC::ArrayBuffer::createFromBytes): + (JSC::ArrayBuffer::transferTo): + * runtime/ArrayBuffer.h: + (JSC::SharedArrayBufferContents::data const): + (JSC::ArrayBufferContents::data const): + (JSC::ArrayBuffer::data): + (JSC::ArrayBuffer::data const): + * runtime/ArrayBufferView.h: + (JSC::ArrayBufferView::baseAddress const): + * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr is valid. + * runtime/DataView.h: + (JSC::DataView::get): + (JSC::DataView::set): + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::ConstructionContext::vector const): + (JSC::JSArrayBufferView::vector const): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::visitChildren): + +2017-08-22 Filip Pizlo + + Strings need to be in some kind of gigacage + https://bugs.webkit.org/show_bug.cgi?id=174924 + + Reviewed by Oliver Hunt. + + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeToAtomicString const): + (JSC::JSRopeString::resolveRope const): + * runtime/JSString.h: + (JSC::JSString::create): + (JSC::JSString::createHasOtherOwner): + * runtime/JSStringBuilder.h: + * runtime/VM.h: + (JSC::VM::gigacageAuxiliarySpace): + +2017-08-31 Yusuke Suzuki + + [JSC] Use reifying system for "name" property of builtin JSFunction + https://bugs.webkit.org/show_bug.cgi?id=175260 + + Reviewed by Saam Barati. + + Currently builtin JSFunction uses direct property for "name", which is different + from usual JSFunction. Usual JSFunction uses reifying system for "name". 
We would like + to apply this reifying mechanism to builtin JSFunction to simplify code and drop + JSFunction::createBuiltinFunction. + + We would like to store the "correct" name in FunctionExecutable. For example, + we would like to store the name like "get [Symbol.species]" to FunctionExecutable + instead of specifying name when creating JSFunction. To do so, we add a new + annotations, @getter and @overriddenName. When @getter is specified, the name of + the function becomes "get xxx". And when @overriddenName="xxx" is specified, + the name of the function becomes "xxx". + + We also treat @xxx as anonymous builtin functions that cannot be achieved in + the current JS without privilege. + + * Scripts/builtins/builtins_generate_combined_header.py: + (generate_section_for_code_table_macro): + * Scripts/builtins/builtins_generate_combined_implementation.py: + (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes): + * Scripts/builtins/builtins_generate_separate_header.py: + (generate_section_for_code_table_macro): + * Scripts/builtins/builtins_generate_separate_implementation.py: + (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes): + * Scripts/builtins/builtins_model.py: + (BuiltinFunction.__init__): + (BuiltinFunction.fromString): + * Scripts/builtins/builtins_templates.py: + * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js: + (overriddenName.string_appeared_here.match): + (intrinsic.RegExpTestIntrinsic.test): + * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js: + (overriddenName.string_appeared_here.match): + (intrinsic.RegExpTestIntrinsic.test): + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: + * 
Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: + * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: + * builtins/AsyncIteratorPrototype.js: + (symbolAsyncIteratorGetter): Deleted. + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::BuiltinExecutables): + * builtins/BuiltinExecutables.h: + * builtins/BuiltinNames.h: + * builtins/FunctionPrototype.js: + (symbolHasInstance): Deleted. + * builtins/GlobalOperations.js: + (globalPrivate.speciesGetter): Deleted. + * builtins/IteratorPrototype.js: + (symbolIteratorGetter): Deleted. + * builtins/PromiseConstructor.js: + (all.newResolveElement.return.resolve): + (all.newResolveElement): + (all): + * builtins/PromiseOperations.js: + (globalPrivate.newPromiseCapability.executor): + (globalPrivate.newPromiseCapability): + (globalPrivate.createResolvingFunctions.resolve): + (globalPrivate.createResolvingFunctions.reject): + (globalPrivate.createResolvingFunctions): + * builtins/RegExpPrototype.js: + (match): Deleted. + (replace): Deleted. + (search): Deleted. + (split): Deleted. 
+ * jsc.cpp: + (functionCreateBuiltin): + * runtime/AsyncIteratorPrototype.cpp: + (JSC::AsyncIteratorPrototype::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + * runtime/IteratorPrototype.cpp: + (JSC::IteratorPrototype::finishCreation): + * runtime/JSFunction.cpp: + (JSC::JSFunction::finishCreation): + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::reifyLazyBoundNameIfNeeded): + (JSC::JSFunction::createBuiltinFunction): Deleted. + * runtime/JSFunction.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectBuiltinFunction): + (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/Lookup.cpp: + (JSC::reifyStaticAccessor): + * runtime/MapPrototype.cpp: + (JSC::MapPrototype::finishCreation): + * runtime/RegExpPrototype.cpp: + (JSC::RegExpPrototype::finishCreation): + * runtime/SetPrototype.cpp: + (JSC::SetPrototype::finishCreation): + +2017-08-30 Ryan Haddad + + Unreviewed, rolling out r221327. + + This change caused test262 failures. + + Reverted changeset: + + "[JSC] Use reifying system for "name" property of builtin + JSFunction" + https://bugs.webkit.org/show_bug.cgi?id=175260 + http://trac.webkit.org/changeset/221327 + +2017-08-30 Matt Lewis + + Unreviewed, rolling out r221384. + + This patch caused multiple 32-bit JSC test failures. + + Reverted changeset: + + "Strings need to be in some kind of gigacage" + https://bugs.webkit.org/show_bug.cgi?id=174924 + http://trac.webkit.org/changeset/221384 + +2017-08-30 Saam Barati + + semicolon is being interpreted as an = in the LiteralParser + https://bugs.webkit.org/show_bug.cgi?id=176114 + + Reviewed by Oliver Hunt. 
+ + When lexing a semicolon in the LiteralParser, we were properly + setting the TokenType on the current token, however, we were + *returning* the wrong TokenType. The lex function both returns + the TokenType and sets it on the current token. Semicolon was + setting the TokenType to semicolon, but returning the TokenType + for '='. This caused programs like `x;123` to be interpreted as + `x=123`. + + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lex): + (JSC::LiteralParser::Lexer::next): + +2017-08-22 Filip Pizlo + + Strings need to be in some kind of gigacage + https://bugs.webkit.org/show_bug.cgi?id=174924 + + Reviewed by Oliver Hunt. + + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeToAtomicString const): + (JSC::JSRopeString::resolveRope const): + * runtime/JSString.h: + (JSC::JSString::create): + (JSC::JSString::createHasOtherOwner): + * runtime/JSStringBuilder.h: + * runtime/VM.h: + (JSC::VM::gigacageAuxiliarySpace): + +2017-08-30 Oleksandr Skachkov + + [ESNext] Async iteration - Implement async iteration statement: for-await-of + https://bugs.webkit.org/show_bug.cgi?id=166698 + + Reviewed by Yusuke Suzuki. + + Implementation of the for-await-of statement. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitEnumeration): + (JSC::BytecodeGenerator::emitIteratorNext): + * bytecompiler/BytecodeGenerator.h: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createForOfLoop): + * parser/NodeConstructors.h: + (JSC::ForOfNode::ForOfNode): + * parser/Nodes.h: + (JSC::ForOfNode::isForAwait const): + * parser/Parser.cpp: + (JSC::Parser::parseForStatement): + * parser/Parser.h: + (JSC::Scope::setSourceParseMode): + (JSC::Scope::setIsFunction): + (JSC::Scope::setIsAsyncGeneratorFunction): + (JSC::Scope::setIsAsyncGeneratorFunctionBody): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createForOfLoop): + +2017-08-29 Commit Queue + + Unreviewed, rolling out r221317. 
+ https://bugs.webkit.org/show_bug.cgi?id=176090 + + "It broke a testing mode because we will never FTL compile a + function that repeatedly throws" (Requested by saamyjoon on + #webkit). + + Reverted changeset: + + "Throwing an exception in the DFG/FTL should not be a + jettison-able OSR exit" + https://bugs.webkit.org/show_bug.cgi?id=176060 + http://trac.webkit.org/changeset/221317 + +2017-08-29 Yusuke Suzuki + + [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped) + https://bugs.webkit.org/show_bug.cgi?id=175895 + + Reviewed by Saam Barati. + + We have `bucket === @sentinelMapBucket` code in builtin. Since @sentinelMapBucket and bucket + are MapBucket cell (SpecCellOther), we do not have any good fixup for CompareStrictEq. + But rather than introducing a special fixup edge (like, NonStringCellUse), converting + CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler. + In constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyed) + if one side of the children is constant non String cell. + + This slightly optimizes map/set iteration. + + set-for-each 4.5064+-0.3072 ^ 3.2862+-0.2098 ^ definitely 1.3713x faster + large-map-iteration 56.2583+-1.6640 53.6798+-2.0097 might be 1.0480x faster + set-for-of 8.8058+-0.5953 ^ 7.5832+-0.3805 ^ definitely 1.1612x faster + map-for-each 4.2633+-0.2694 ^ 3.3967+-0.3013 ^ definitely 1.2551x faster + map-for-of 13.1556+-0.5707 12.4911+-0.6004 might be 1.0532x faster + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToCompareEqPtr): + +2017-08-29 Yusuke Suzuki + + [JSC] Use reifying system for "name" property of builtin JSFunction + https://bugs.webkit.org/show_bug.cgi?id=175260 + + Reviewed by Saam Barati. 
+ + Currently builtin JSFunction uses direct property for "name", which is different + from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like + to apply this reifying mechanism to builtin JSFunction to simplify code and drop + JSFunction::createBuiltinFunction. + + We would like to store the "correct" name in FunctionExecutable. For example, + we would like to store the name like "get [Symbol.species]" to FunctionExecutable + instead of specifying name when creating JSFunction. To do so, we add a new + annotations, @getter and @overriddenName. When @getter is specified, the name of + the function becomes "get xxx". And when @overriddenName="xxx" is specified, + the name of the function becomes "xxx". + + * Scripts/builtins/builtins_generate_combined_header.py: + (generate_section_for_code_table_macro): + * Scripts/builtins/builtins_generate_combined_implementation.py: + (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes): + * Scripts/builtins/builtins_generate_separate_header.py: + (generate_section_for_code_table_macro): + * Scripts/builtins/builtins_generate_separate_implementation.py: + (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes): + * Scripts/builtins/builtins_model.py: + (BuiltinFunction.__init__): + (BuiltinFunction.fromString): + * Scripts/builtins/builtins_templates.py: + * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js: + (overriddenName.string_appeared_here.match): + (intrinsic.RegExpTestIntrinsic.test): + * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js: + (overriddenName.string_appeared_here.match): + (intrinsic.RegExpTestIntrinsic.test): + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: + * 
Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: + * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::BuiltinExecutables): + * builtins/BuiltinExecutables.h: + * builtins/FunctionPrototype.js: + (symbolHasInstance): Deleted. + * builtins/GlobalOperations.js: + (globalPrivate.speciesGetter): Deleted. + * builtins/IteratorPrototype.js: + (symbolIteratorGetter): Deleted. + * builtins/RegExpPrototype.js: + (match): Deleted. + (replace): Deleted. + (search): Deleted. + (split): Deleted. + * jsc.cpp: + (functionCreateBuiltin): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + * runtime/IteratorPrototype.cpp: + (JSC::IteratorPrototype::finishCreation): + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::reifyLazyBoundNameIfNeeded): + (JSC::JSFunction::createBuiltinFunction): Deleted. 
+ * runtime/JSFunction.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectBuiltinFunction): + (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/Lookup.cpp: + (JSC::reifyStaticAccessor): + * runtime/RegExpPrototype.cpp: + (JSC::RegExpPrototype::finishCreation): + +2017-08-29 Saam Barati + + Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit + https://bugs.webkit.org/show_bug.cgi?id=176060 + + Reviewed by Michael Saboff. + + OSR exitting when we throw an exception is expected behavior. We should + not count these exits towards our jettison OSR exit threshold. + + * bytecode/ExitKind.cpp: + (JSC::exitKindToString): + (JSC::exitKindMayJettison): + * bytecode/ExitKind.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileThrow): + +2017-08-29 Chris Dumez + + Add initial support for dataTransferItem.webkitGetAsEntry() + https://bugs.webkit.org/show_bug.cgi?id=176038 + + + Reviewed by Wenson Hsieh. + + Add CommonIdentifier needed by [EnabledAtRuntime]. + + * runtime/CommonIdentifiers.h: + +2017-08-27 Devin Rousso + + Web Inspector: Record actions performed on WebGLRenderingContext + https://bugs.webkit.org/show_bug.cgi?id=174483 + + + Reviewed by Matt Baker. + + * inspector/protocol/Recording.json: + * inspector/scripts/codegen/generator.py: + Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL + +2017-08-26 Yusuke Suzuki + + Unreviewed, suppress warnings in GTK port + + The "block" variable hides the argument variable. 
+ + * dfg/DFGLiveCatchVariablePreservationPhase.cpp: + (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation): + +2017-08-26 Yusuke Suzuki + + Merge WeakMapData into JSWeakMap and JSWeakSet + https://bugs.webkit.org/show_bug.cgi?id=143919 + + Reviewed by Darin Adler. + + This patch changes WeakMapData from JSCell to JSDestructibleObject, + renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit + it instead of separately allocating WeakMapData. This reduces memory + consumption and allocation times. + + Also this patch a bit optimizes sizeof(DeadKeyCleaner) by dropping m_target + field. Since this class is always embedded in WeakMapBase, we can calculate + WeakMapBase address from the address of DeadKeyCleaner. + + This patch does not include the optimization changing WeakMapData to Set + for JSWeakSet. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::weakMapSize): + (Inspector::JSInjectedScriptHost::weakMapEntries): + (Inspector::JSInjectedScriptHost::weakSetSize): + (Inspector::JSInjectedScriptHost::weakSetEntries): + * runtime/JSWeakMap.cpp: + (JSC::JSWeakMap::finishCreation): Deleted. + (JSC::JSWeakMap::visitChildren): Deleted. + * runtime/JSWeakMap.h: + (JSC::JSWeakMap::createStructure): Deleted. + (JSC::JSWeakMap::create): Deleted. + (JSC::JSWeakMap::weakMapData): Deleted. + (JSC::JSWeakMap::JSWeakMap): Deleted. + * runtime/JSWeakSet.cpp: + (JSC::JSWeakSet::finishCreation): Deleted. + (JSC::JSWeakSet::visitChildren): Deleted. + * runtime/JSWeakSet.h: + (JSC::JSWeakSet::createStructure): Deleted. + (JSC::JSWeakSet::create): Deleted. + (JSC::JSWeakSet::weakMapData): Deleted. + (JSC::JSWeakSet::JSWeakSet): Deleted. + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp. 
+ (JSC::WeakMapBase::WeakMapBase): + (JSC::WeakMapBase::destroy): + (JSC::WeakMapBase::estimatedSize): + (JSC::WeakMapBase::visitChildren): + (JSC::WeakMapBase::set): + (JSC::WeakMapBase::get): + (JSC::WeakMapBase::remove): + (JSC::WeakMapBase::contains): + (JSC::WeakMapBase::clear): + (JSC::WeakMapBase::DeadKeyCleaner::target): + (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences): + (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally): + * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h. + (JSC::WeakMapBase::size const): + * runtime/WeakMapPrototype.cpp: + (JSC::getWeakMap): + (JSC::protoFuncWeakMapDelete): + (JSC::protoFuncWeakMapGet): + (JSC::protoFuncWeakMapHas): + (JSC::protoFuncWeakMapSet): + (JSC::getWeakMapData): Deleted. + * runtime/WeakSetPrototype.cpp: + (JSC::getWeakSet): + (JSC::protoFuncWeakSetDelete): + (JSC::protoFuncWeakSetHas): + (JSC::protoFuncWeakSetAdd): + (JSC::getWeakMapData): Deleted. + +2017-08-25 Daniel Bates + + Demarcate code added due to lack of NSDMI for aggregates + https://bugs.webkit.org/show_bug.cgi?id=175990 + + Reviewed by Andy Estes. + + * domjit/DOMJITEffect.h: + (JSC::DOMJIT::Effect::Effect): + (JSC::DOMJIT::Effect::forWrite): + (JSC::DOMJIT::Effect::forRead): + (JSC::DOMJIT::Effect::forReadWrite): + (JSC::DOMJIT::Effect::forPure): + (JSC::DOMJIT::Effect::forDef): + * runtime/HasOwnPropertyCache.h: + (JSC::HasOwnPropertyCache::Entry::Entry): + (JSC::HasOwnPropertyCache::Entry::operator=): Deleted. + * wasm/WasmFormat.h: Modernize some of the code while I am here. Also + make some comments read well. + (JSC::Wasm::CallableFunction::CallableFunction): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::WebAssemblyFunction): + * wasm/js/WebAssemblyWrapperFunction.cpp: + (JSC::WebAssemblyWrapperFunction::create): + +2017-08-25 Saam Barati + + Unreviewed. 
Fix 32-bit after r221196 + + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_catch): + +2017-08-25 Chris Dumez + + Land stubs for File and Directory Entries API interfaces + https://bugs.webkit.org/show_bug.cgi?id=175993 + + + Reviewed by Ryosuke Niwa. + + Add CommonIdentifiers needed for [EnabledAtRuntime]. + + * runtime/CommonIdentifiers.h: + +2017-08-25 Brian Burg + + Web Automation: add capabilities to control ICE candidate filtering and insecure media capture + https://bugs.webkit.org/show_bug.cgi?id=175563 + + + Reviewed by Joseph Pecoraro. + + Add macros for new capability protocol string names. Let's use a reverse + domain name notification for these capabilities so we know whether they are + intended for a particular client/port or any WebKit client, and what feature they + are related to (i.e., webrtc). + + * inspector/remote/RemoteInspectorConstants.h: + +2017-08-24 Brian Burg + + Web Automation: use automation session configurations to propagate per-session settings + https://bugs.webkit.org/show_bug.cgi?id=175562 + + + Reviewed by Joseph Pecoraro. + + Add a Cocoa-specific code path to forward capabilities when requesting + a new session from the remote inspector (i.e., automation) client. + + If other ports want to use this, then we can convert Cocoa types to WebKit types later. + + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspectorConstants.h: + * inspector/remote/cocoa/RemoteInspectorCocoa.mm: + (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): + +2017-08-25 Saam Barati + + DFG::JITCode::osrEntry should get sorted since we perform a binary search on it + https://bugs.webkit.org/show_bug.cgi?id=175893 + + Reviewed by Mark Lam. + + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::finalizeOSREntrypoints): + * dfg/DFGJITCode.h: + (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted. 
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+
+2017-08-25 Saam Barati
+
+ Support compiling catch in the DFG
+ https://bugs.webkit.org/show_bug.cgi?id=174590
+
+
+ Reviewed by Filip Pizlo.
+
+ This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
+ into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
+
+ To implement catch in the DFG, this patch introduces the concept of multiple
+ entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
+ through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
+ patch contains many straight forward changes generalizing the code to handle more than
+ one entrypoint.
+
+ A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
+ is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
+ that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
+ to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
+ and SSANaturalLoops vs CPSNaturalLoops.
+
+ The way we compile the catch entrypoint is by bootstrapping the state
+ of the program by loading all live bytecode locals from a buffer. The OSR
+ entry code will store all live values into that buffer before jumping to
+ the entrypoint. The OSR entry code is also responsible for performing type
+ proofs of the arguments before doing an OSR entry. If there is a type
+ mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
+ each catch entrypoint knows the argument type proofs it must perform to enter
+ into the DFG. Currently, all entrypoints' arguments flush format are unified
+ via ArgumentPosition, but this is just an implementation detail. The code is
+ written more generally to assume that each entrypoint may perform its own distinct
+ proof.
+
+ op_catch now performs value profiling for all live bytecode locals in the
+ LLInt and baseline JIT. This information is then fed into the DFG via the
+ ExtractCatchLocal node in the prediction propagation phase.
+
+ This patch also changes how we generate op_catch in bytecode. All op_catches
+ are now split out at the end of the program in bytecode. This ensures that
+ no op_catch is inside a try block. This is needed to ensure correctness in
+ the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
+ before SetLocals inside a try block. If an op_catch were in a try block, this
+ would cause the phase to insert a Flush before one of the state bootstrapping
+ SetLocals, which would generate invalid IR. Moving op_catch to be generated on
+ its own at the end of a bytecode stream seemed like the most elegant solution since
+ it better represents that we treat op_catch as an entrypoint. This is true
+ both in the DFG and in the baseline and LLInt: we don't reach an op_catch
+ via normal control flow. Because op_catch cannot throw, this will not break
+ any previous semantics of op_catch. Logically, it'd be valid to split try
+ blocks around any non-throwing bytecode operation.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
+ (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
+ (JSC::CodeBlock::validate):
+ * bytecode/CodeBlock.h:
+ * bytecode/ValueProfile.h:
+ (JSC::ValueProfile::ValueProfile):
+ (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
+ (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
+ (JSC::ValueProfileAndOperandBuffer::forEach):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitCatch):
+ (JSC::BytecodeGenerator::emitEnumeration):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::TryNode::emitBytecode):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGBackwardsCFG.h:
+ (JSC::DFG::BackwardsCFG::BackwardsCFG):
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::findTerminal const):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::setDirect):
+ (JSC::DFG::ByteCodeParser::flush):
+ (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
+ (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGCFG.h:
+ (JSC::DFG::CFG::root):
+ (JSC::DFG::CFG::roots):
+ (JSC::DFG::CPSCFG::CPSCFG):
+ (JSC::DFG::selectCFG):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGControlEquivalenceAnalysis.h:
+ (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::createDumpList):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGDominators.h:
+ (JSC::DFG::Dominators::Dominators):
+ (JSC::DFG::ensureDominatorsForCFG):
+ * dfg/DFGEdgeDominates.h:
+ (JSC::DFG::EdgeDominates::EdgeDominates):
+ (JSC::DFG::EdgeDominates::operator()):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupChecksInBlock):
+ * dfg/DFGFlushFormat.h:
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::unboxLoopNode):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::determineReachability):
+ (JSC::DFG::Graph::invalidateCFG):
+ (JSC::DFG::Graph::blocksInPreOrder):
+ (JSC::DFG::Graph::blocksInPostOrder):
+ (JSC::DFG::Graph::ensureCPSDominators):
+ (JSC::DFG::Graph::ensureSSADominators):
+ (JSC::DFG::Graph::ensureCPSNaturalLoops):
+ (JSC::DFG::Graph::ensureSSANaturalLoops):
+ (JSC::DFG::Graph::ensureBackwardsCFG):
+ (JSC::DFG::Graph::ensureBackwardsDominators):
+ (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
+ (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+ (JSC::DFG::Graph::clearCPSCFGData):
+ (JSC::DFG::Graph::ensureDominators): Deleted.
+ (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
+ (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
+ (JSC::DFG::Graph::isEntrypoint const):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::shrinkToFit):
+ * dfg/DFGJITCode.h:
+ (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
+ (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
+ (JSC::DFG::JITCode::appendCatchEntrypoint):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
+ (JSC::DFG::JITCompiler::noticeOSREntry):
+ (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
+ * dfg/DFGJITCompiler.h:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
+ (JSC::DFG::LiveCatchVariablePreservationPhase::run):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
+ (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
+ * dfg/DFGLoopPreHeaderCreationPhase.cpp:
+ (JSC::DFG::createPreHeader):
+ (JSC::DFG::LoopPreHeaderCreationPhase::run):
+ * dfg/DFGMaximalFlushInsertionPhase.cpp:
+ (JSC::DFG::MaximalFlushInsertionPhase::run):
+ (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
+ (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNaturalLoops.h:
+ (JSC::DFG::NaturalLoops::NaturalLoops):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isSwitch const):
+ (JSC::DFG::Node::successor):
+ (JSC::DFG::Node::catchOSREntryIndex const):
+ (JSC::DFG::Node::catchLocalPrediction):
+ (JSC::DFG::Node::isSwitch): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareCatchOSREntry):
+ * dfg/DFGOSREntry.h:
+ * dfg/DFGOSREntrypointCreationPhase.cpp:
+ (JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::handleExitCounts):
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPrePostNumbering.cpp:
+ (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
+ (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
+ (WTF::printInternal): Deleted.
+ * dfg/DFGPrePostNumbering.h:
+ (): Deleted.
+ (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
+ (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
+ (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
+ * dfg/DFGPredictionInjectionPhase.cpp:
+ (JSC::DFG::PredictionInjectionPhase::run):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGPutStackSinkingPhase.cpp:
+ * dfg/DFGSSACalculator.cpp:
+ (JSC::DFG::SSACalculator::nonLocalReachingDef):
+ (JSC::DFG::SSACalculator::reachingDefAtTail):
+ * dfg/DFGSSACalculator.h:
+ (JSC::DFG::SSACalculator::computePhis):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ (JSC::DFG::performSSAConversion):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::createOSREntries):
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
+ (JSC::DFG::StaticExecutionCountEstimationPhase::run):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGTierUpCheckInjectionPhase.cpp:
+ (JSC::DFG::TierUpCheckInjectionPhase::run):
+ (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::run):
+ * dfg/DFGValidate.cpp:
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
+ (JSC::FTL::DFG::LowerDFGToB3::isValid):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_catch):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_catch):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2017-08-25 Keith Miller
+
+ Explore increasing max JSString::m_length to UINT_MAX.
+ https://bugs.webkit.org/show_bug.cgi?id=163955
+
+
+ Reviewed by JF Bastien.
+
+ This can cause us to release assert on some code paths. I don't
+ see a reason to maintain this restriction.
+
+ * runtime/JSString.h:
+ (JSC::JSString::length const):
+ (JSC::JSString::setLength):
+ (JSC::JSString::isValidLength): Deleted.
+ * runtime/JSStringBuilder.h:
+ (JSC::jsMakeNontrivialString):
+
+2017-08-24 Commit Queue
+
+ Unreviewed, rolling out r221119, r221124, and r221143.
+ https://bugs.webkit.org/show_bug.cgi?id=175973
+
+ "I think it regressed JSBench by 20%" (Requested by saamyjoon
+ on #webkit).
+
+ Reverted changesets:
+
+ "Support compiling catch in the DFG"
+ https://bugs.webkit.org/show_bug.cgi?id=174590
+ http://trac.webkit.org/changeset/221119
+
+ "Unreviewed, build fix in GTK port"
+ https://bugs.webkit.org/show_bug.cgi?id=174590
+ http://trac.webkit.org/changeset/221124
+
+ "DFG::JITCode::osrEntry should get sorted since we perform a
+ binary search on it"
+ https://bugs.webkit.org/show_bug.cgi?id=175893
+ http://trac.webkit.org/changeset/221143
+
+2017-08-24 Michael Saboff
+
+ Enable moving fixed character class terms after fixed character terms for BMP only character classes
+ https://bugs.webkit.org/show_bug.cgi?id=175958
+
+ Reviewed by Saam Barati.
+
+ Currently we don't perform the reordering optimiaztion of fixed character terms that
+ follow fixed character class terms for Unicode patterns.
+
+ This change allows that reordering when the character class contains only BMP
+ characters.
+
+ This fix is covered by existing tests.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::optimizeAlternative):
+
+2017-08-24 Michael Saboff
+
+ Add support for RegExp "dotAll" flag
+ https://bugs.webkit.org/show_bug.cgi?id=175924
+
+ Reviewed by Keith Miller.
+
+ The dotAll RegExp flag, 's', changes . to match any character including line terminators.
+ Added a the "dotAll" identifier as well as RegExp.prototype.dotAll getter.
+ Added a new any character CharacterClass that is used to match . terms in a dotAll flags
+ RegExp. In the YARR pattern and parsing code, changed the NewlineClassID, which was only
+ used for '.' processing, to DotClassID. The selection of which builtin character class
+ that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
+ This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
+ the WebCore content extensions code in the PatternParser class.
+
+ As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
+ any character CharacterClass, it merely reads the character. There is another optimization
+ in our DotStart enclosure processing where a non-capturing regular expression in the form
+ of .* +
+ Reduce Gigacage sizes
+ https://bugs.webkit.org/show_bug.cgi?id=175920
+
+ Reviewed by Mark Lam.
+
+ Teach all of the code generators to use the right gigacage masks.
+
+ Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
+ we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cage):
+ (JSC::AssemblyHelpers::cageConditionally):
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Options.h:
+
+2017-08-24 Saam Barati
+
+ DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
+ https://bugs.webkit.org/show_bug.cgi?id=175893
+
+ Reviewed by Mark Lam.
+
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::finalizeOSREntrypoints):
+ * dfg/DFGJITCode.h:
+ (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+
+2017-08-23 Keith Miller
+
+ Fix Titzer bench on iOS.
+ https://bugs.webkit.org/show_bug.cgi?id=175917
+
+ Reviewed by Ryosuke Niwa.
+
+ Currently, Titzer bench doesn't run on iOS since the benchmark
+ allocates lots of physical pages that it never actually writes
+ to. We limited the total number wasm physical pages to the ram
+ size of the phone, which caused us to fail a memory
+ allocation. This patch changes it so we will allocate up to 3x ram
+ size, which seems to fix the problem.
+
+ * wasm/WasmMemory.cpp:
+
+2017-08-23 Yusuke Suzuki
+
+ Unreviewed, fix for test262
+ https://bugs.webkit.org/show_bug.cgi?id=175915
+
+ * runtime/MapPrototype.cpp:
+ (JSC::MapPrototype::finishCreation):
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+
+2017-08-23 Yusuke Suzuki
+
+ Unreviewed, build fix in GTK port
+ https://bugs.webkit.org/show_bug.cgi?id=174590
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitCatch):
+ * bytecompiler/BytecodeGenerator.h:
+
+2017-08-23 Saam Barati
+
+ Support compiling catch in the DFG
+ https://bugs.webkit.org/show_bug.cgi?id=174590
+
+ Reviewed by Filip Pizlo.
+
+ This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
+ into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
+
+ To implement catch in the DFG, this patch introduces the concept of multiple
+ entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
+ through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
+ patch contains many straight forward changes generalizing the code to handle more than
+ one entrypoint.
+
+ A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
+ is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
+ that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
+ to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
+ and SSANaturalLoops vs CPSNaturalLoops.
+
+ The way we compile the catch entrypoint is by bootstrapping the state
+ of the program by loading all live bytecode locals from a buffer. The OSR
+ entry code will store all live values into that buffer before jumping to
+ the entrypoint. The OSR entry code is also responsible for performing type
+ proofs of the arguments before doing an OSR entry. If there is a type
+ mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
+ each catch entrypoint knows the argument type proofs it must perform to enter
+ into the DFG. Currently, all entrypoints' arguments flush format are unified
+ via ArgumentPosition, but this is just an implementation detail. The code is
+ written more generally to assume that each entrypoint may perform its own distinct
+ proof.
+
+ op_catch now performs value profiling for all live bytecode locals in the
+ LLInt and baseline JIT. This information is then fed into the DFG via the
+ ExtractCatchLocal node in the prediction propagation phase.
+
+ This patch also changes how we generate op_catch in bytecode. All op_catches
+ are now split out at the end of the program in bytecode. This ensures that
+ no op_catch is inside a try block. This is needed to ensure correctness in
+ the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
+ before SetLocals inside a try block. If an op_catch were in a try block, this
+ would cause the phase to insert a Flush before one of the state bootstrapping
+ SetLocals, which would generate invalid IR. Moving op_catch to be generated on
+ its own at the end of a bytecode stream seemed like the most elegant solution since
+ it better represents that we treat op_catch as an entrypoint. This is true
+ both in the DFG and in the baseline and LLInt: we don't reach an op_catch
+ via normal control flow. Because op_catch cannot throw, this will not break
+ any previous semantics of op_catch. Logically, it'd be valid to split try
+ blocks around any non-throwing bytecode operation.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
+ (JSC::CodeBlock::validate):
+ * bytecode/CodeBlock.h:
+ * bytecode/ValueProfile.h:
+ (JSC::ValueProfile::ValueProfile):
+ (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
+ (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
+ (JSC::ValueProfileAndOperandBuffer::forEach):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitCatch):
+ (JSC::BytecodeGenerator::emitEnumeration):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::TryNode::emitBytecode):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGBackwardsCFG.h:
+ (JSC::DFG::BackwardsCFG::BackwardsCFG):
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::findTerminal const):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::setDirect):
+ (JSC::DFG::ByteCodeParser::flush):
+ (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
+ (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGCFG.h:
+ (JSC::DFG::CFG::root):
+ (JSC::DFG::CFG::roots):
+ (JSC::DFG::CPSCFG::CPSCFG):
+ (JSC::DFG::selectCFG):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGControlEquivalenceAnalysis.h:
+ (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::createDumpList):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGDominators.h:
+ (JSC::DFG::Dominators::Dominators):
+ (JSC::DFG::ensureDominatorsForCFG):
+ * dfg/DFGEdgeDominates.h:
+ (JSC::DFG::EdgeDominates::EdgeDominates):
+ (JSC::DFG::EdgeDominates::operator()):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupChecksInBlock):
+ * dfg/DFGFlushFormat.h:
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::unboxLoopNode):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::determineReachability):
+ (JSC::DFG::Graph::invalidateCFG):
+ (JSC::DFG::Graph::blocksInPreOrder):
+ (JSC::DFG::Graph::blocksInPostOrder):
+ (JSC::DFG::Graph::ensureCPSDominators):
+ (JSC::DFG::Graph::ensureSSADominators):
+ (JSC::DFG::Graph::ensureCPSNaturalLoops):
+ (JSC::DFG::Graph::ensureSSANaturalLoops):
+ (JSC::DFG::Graph::ensureBackwardsCFG):
+ (JSC::DFG::Graph::ensureBackwardsDominators):
+ (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
+ (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
+ (JSC::DFG::Graph::clearCPSCFGData):
+ (JSC::DFG::Graph::ensureDominators): Deleted.
+ (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
+ (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
+ (JSC::DFG::Graph::isEntrypoint const):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::shrinkToFit):
+ * dfg/DFGJITCode.h:
+ (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
+ (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
+ (JSC::DFG::JITCode::appendCatchEntrypoint):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
+ (JSC::DFG::JITCompiler::noticeOSREntry):
+ (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
+ * dfg/DFGJITCompiler.h:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
+ (JSC::DFG::LiveCatchVariablePreservationPhase::run):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
+ (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
+ (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
+ * dfg/DFGLoopPreHeaderCreationPhase.cpp:
+ (JSC::DFG::createPreHeader):
+ (JSC::DFG::LoopPreHeaderCreationPhase::run):
+ * dfg/DFGMaximalFlushInsertionPhase.cpp:
+ (JSC::DFG::MaximalFlushInsertionPhase::run):
+ (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
+ (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNaturalLoops.h:
+ (JSC::DFG::NaturalLoops::NaturalLoops):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isSwitch const):
+ (JSC::DFG::Node::successor):
+ (JSC::DFG::Node::catchOSREntryIndex const):
+ (JSC::DFG::Node::catchLocalPrediction):
+ (JSC::DFG::Node::isSwitch): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareCatchOSREntry):
+ * dfg/DFGOSREntry.h:
+ * dfg/DFGOSREntrypointCreationPhase.cpp:
+ (JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::handleExitCounts):
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPrePostNumbering.cpp:
+ (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
+ (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
+ (WTF::printInternal): Deleted.
+ * dfg/DFGPrePostNumbering.h:
+ (): Deleted.
+ (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
+ (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
+ (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
+ (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
+ * dfg/DFGPredictionInjectionPhase.cpp:
+ (JSC::DFG::PredictionInjectionPhase::run):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGPutStackSinkingPhase.cpp:
+ * dfg/DFGSSACalculator.cpp:
+ (JSC::DFG::SSACalculator::nonLocalReachingDef):
+ (JSC::DFG::SSACalculator::reachingDefAtTail):
+ * dfg/DFGSSACalculator.h:
+ (JSC::DFG::SSACalculator::computePhis):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ (JSC::DFG::performSSAConversion):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::createOSREntries):
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
+ (JSC::DFG::StaticExecutionCountEstimationPhase::run):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGTierUpCheckInjectionPhase.cpp:
+ (JSC::DFG::TierUpCheckInjectionPhase::run):
+ (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::run):
+ * dfg/DFGValidate.cpp:
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
+ (JSC::FTL::DFG::LowerDFGToB3::isValid):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_catch):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_catch):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2017-08-23 Yusuke Suzuki
+
+ Unreviewed, debug build fix
+ https://bugs.webkit.org/show_bug.cgi?id=174355
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
+
+2017-08-23 Michael Saboff
+
+ REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
+ https://bugs.webkit.org/show_bug.cgi?id=175903
+
+ Reviewed by Saam Barati.
+
+ In generateCharacterClassGreedy we were incrementing the "count" register before checking
+ for the end of the input string. The at-end-of-input check is the final check before
+ knowing that the current character matched. In this case, the end of input check
+ indicates that we ran out of prechecked characters and therefore should fail the match of
+ the current character. The backtracking code uses the value in the "count" register as
+ the number of character that successfully matched, which shouldn't include the current
+ character. Therefore we need to move the incrementing of "count" to after the
+ at end of input check.
+
+ Through code inspection of the expectations of other backtracking code, I determined that
+ the non greedy character class matching code had a similar issue. I fixed that as well
+ and added a new test case.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
+ (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
+
+2017-08-23 Yusuke Suzuki
+
+ [JSC] Optimize Map iteration with intrinsic
+ https://bugs.webkit.org/show_bug.cgi?id=174355
+
+ Reviewed by Saam Barati.
+
+ This patch optimizes Map/Set iteration by taking the approach similar to Array iteration.
+ We create a simple iterator object instead of JSMapIterator and JSSetIterator. And we
+ directly handles Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
+ setIteratorNext functions which should be inlined. This leads significant performance boost
+ when they are inlined in for-of iteration.
+
+ This patch changes how DFG and FTL handles MapBucket if the bucket is not found.
+ Previously, we use nullptr for that, and DFG and FTL specially handle this nullptr as bucket.
+ Instead, this patch introduces sentinel buckets. They are marked as deleted, and not linked
+ to any hash maps. And its key and value fields are filled with Undefined. By returning this
+ sentinel bucket instead of returning nullptr, we simplify DFG and FTL's LoadXXXFromMapBucket
+ code.
+
+ We still keep JSMapIterator and JSSetIterator because they are useful to serialize Map and Set
+ in WebCore. So they are not used in user observable JS. We change them from JS objects to JS cells.
+
+ Existing microbenchmarks shows performance improvements.
+
+ large-map-iteration 164.1622+-4.1618 ^ 56.6284+-1.5355 ^ definitely 2.8989x faster
+ set-for-of 15.4369+-1.0631 ^ 9.2955+-0.5979 ^ definitely 1.6607x faster
+ map-for-each 7.5889+-0.5792 ^ 6.3011+-0.4816 ^ definitely 1.2044x faster
+ map-for-of 32.3904+-1.3003 ^ 12.6907+-0.6118 ^ definitely 2.5523x faster
+ map-rehash 13.9275+-0.9187 ^ 11.5367+-0.6430 ^ definitely 1.2072x faster
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * builtins/ArrayPrototype.js:
+ (globalPrivate.createArrayIterator):
+ * builtins/BuiltinNames.h:
+ * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
+ (globalPrivate.mapIteratorNext):
+ (next):
+ * builtins/MapPrototype.js:
+ (globalPrivate.createMapIterator):
+ (values):
+ (keys):
+ (entries):
+ (forEach):
+ * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
+ (globalPrivate.setIteratorNext):
+ (next):
+ * builtins/SetPrototype.js:
+ (globalPrivate.createSetIterator):
+ (values):
+ (entries):
+ (forEach):
+ * bytecode/BytecodeIntrinsicRegistry.cpp:
+ (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::hasBucketOwnerType):
+ (JSC::DFG::Node::bucketOwnerType):
+ (JSC::DFG::Node::OpInfoWrapper::as const):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
+ (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
+ (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
+ (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
+ (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
+ (JSC::FTL::DFG::LowerDFGToB3::setStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::subtype):
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ (Inspector::cloneMapIteratorObject):
+ (Inspector::cloneSetIteratorObject):
+ (Inspector::JSInjectedScriptHost::iteratorEntries):
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapBucket::createSentinel):
+ (JSC::HashMapBucket::offsetOfNext):
+ (JSC::HashMapBucket::offsetOfDeleted):
+ (JSC::HashMapImpl::offsetOfHead):
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSMap.h:
+ * runtime/JSMapIterator.cpp:
+ (JSC::JSMapIterator::clone): Deleted.
+ * runtime/JSMapIterator.h:
+ (JSC::JSMapIterator::iteratedValue const):
+ * runtime/JSSet.h:
+ * runtime/JSSetIterator.cpp:
+ (JSC::JSSetIterator::clone): Deleted.
+ * runtime/JSSetIterator.h:
+ (JSC::JSSetIterator::iteratedValue const):
+ * runtime/MapConstructor.cpp:
+ (JSC::mapPrivateFuncMapBucketHead):
+ (JSC::mapPrivateFuncMapBucketNext):
+ (JSC::mapPrivateFuncMapBucketKey):
+ (JSC::mapPrivateFuncMapBucketValue):
+ * runtime/MapConstructor.h:
+ * runtime/MapIteratorPrototype.cpp:
+ (JSC::MapIteratorPrototype::finishCreation):
+ (JSC::MapIteratorPrototypeFuncNext): Deleted.
+ * runtime/MapPrototype.cpp:
+ (JSC::MapPrototype::finishCreation):
+ (JSC::mapProtoFuncValues): Deleted.
+ (JSC::mapProtoFuncEntries): Deleted.
+ (JSC::mapProtoFuncKeys): Deleted.
+ (JSC::privateFuncMapIterator): Deleted.
+ (JSC::privateFuncMapIteratorNext): Deleted.
+ * runtime/MapPrototype.h:
+ * runtime/SetConstructor.cpp:
+ (JSC::setPrivateFuncSetBucketHead):
+ (JSC::setPrivateFuncSetBucketNext):
+ (JSC::setPrivateFuncSetBucketKey):
+ * runtime/SetConstructor.h:
+ * runtime/SetIteratorPrototype.cpp:
+ (JSC::SetIteratorPrototype::finishCreation):
+ (JSC::SetIteratorPrototypeFuncNext): Deleted.
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+ (JSC::setProtoFuncSize):
+ (JSC::setProtoFuncValues): Deleted.
+ (JSC::setProtoFuncEntries): Deleted.
+ (JSC::privateFuncSetIterator): Deleted.
+ (JSC::privateFuncSetIteratorNext): Deleted.
+ * runtime/SetPrototype.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2017-08-23 David Kilzer
+
+ Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
+
+
+
+ Reviewed by Mark Lam.
+
+ * API/ObjCCallbackFunction.mm:
+ (JSC::objCCallbackFunctionCallAsConstructor): Use
+ const_cast() since JSValueRef is const while
+ JSObjectRef is not.
+ * API/tests/CurrentThisInsideBlockGetterTest.mm:
+ (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
+ const_cast() since JSObjectMake() takes a void*, but
+ CFBridgingRetain() returns const void*.
+ +2017-08-23 Robin Morisset + + Make GetDynamicVar propagate heap predictions instead of saying HeapTop + https://bugs.webkit.org/show_bug.cgi?id=175738 + + Reviewed by Saam Barati. + + The heap prediction always end up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there. + So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber + is also 32-bit, so we can pack both in m_opInfo (which is 64 bits). + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::makeDynamicVarOpInfo): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGNode.h: + (JSC::DFG::Node::getPutInfo): + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGPredictionPropagationPhase.cpp: + +2017-08-23 Skachkov Oleksandr + + [ESNext] Async iteration - Implement Async Generator - runtime + https://bugs.webkit.org/show_bug.cgi?id=175240 + + Reviewed by Yusuke Suzuki. + + Current implementation is draft version of Async Iteration. + Link to spec https://tc39.github.io/proposal-async-iteration/ + + To implement async generator added new states that show reason why async generator was suspended: + # yield - return promise with result + # await - wait until promise will be resolved and then continue + + The main difference between async function and async generator is that, + async function returns promise but async generator returns + object with methods (next, throw and return) that return promise that + can be resolved with pair of properties value and done. + Async generator functions are similar to generator functions, with the following differences: + # When called, async generator functions return an object, an async generator + whose methods (next, throw, and return) return promises for { value, done }, + instead of directly returning { value, done }. + This automatically makes the returned async generator objects async iterators. + # await expressions and for-await-of statements are allowed. 
+ # The behavior of yield* is modified to support + delegation to sync and async iterables + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/AsyncFromSyncIteratorPrototype.js: Added. + (next.try): + (next): + (return.try): + (return): + (throw.try): + (throw): + (globalPrivate.createAsyncFromSyncIterator): + (globalPrivate.AsyncFromSyncIteratorConstructor): + * builtins/AsyncGeneratorPrototype.js: Added. + (globalPrivate.createAsyncGeneratorQueue): + (globalPrivate.asyncGeneratorQueueIsEmpty): + (globalPrivate.asyncGeneratorQueueCreateItem): + (globalPrivate.asyncGeneratorQueueEnqueue): + (globalPrivate.asyncGeneratorQueueDequeue): + (globalPrivate.asyncGeneratorQueueGetFirstValue): + (globalPrivate.asyncGeneratorDequeue): + (globalPrivate.isExecutionState): + (globalPrivate.isSuspendYieldState): + (globalPrivate.asyncGeneratorReject): + (globalPrivate.asyncGeneratorResolve): + (asyncGeneratorYieldAwaited): + (globalPrivate.asyncGeneratorYield): + (const.onRejected): + (globalPrivate.awaitValue): + (const.onFulfilled): + (globalPrivate.doAsyncGeneratorBodyCall): + (globalPrivate.asyncGeneratorResumeNext.): + (globalPrivate.asyncGeneratorResumeNext): + (globalPrivate.asyncGeneratorEnqueue): + (next): + (return): + (throw): + * builtins/AsyncIteratorPrototype.js: Added. 
+ (symbolAsyncIteratorGetter): + * builtins/BuiltinNames.h: + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeIntrinsicRegistry.cpp: + (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue): + (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields): + (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon): + (JSC::BytecodeGenerator::emitNewFunction): + (JSC::BytecodeGenerator::emitIteratorNextWithValue): + (JSC::BytecodeGenerator::emitIteratorClose): + (JSC::BytecodeGenerator::emitYieldPoint): + (JSC::BytecodeGenerator::emitYield): + (JSC::BytecodeGenerator::emitCallIterator): + (JSC::BytecodeGenerator::emitAwait): + (JSC::BytecodeGenerator::emitGetIterator): + (JSC::BytecodeGenerator::emitGetAsyncIterator): + (JSC::BytecodeGenerator::emitDelegateYield): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ReturnNode::emitBytecode): + (JSC::FunctionNode::emitBytecode): + (JSC::YieldExprNode::emitBytecode): + (JSC::AwaitExprNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToPhantomNewFunction): + (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction): + 
(JSC::DFG::Node::hasCellOperand): + (JSC::DFG::Node::isFunctionAllocation): + (JSC::DFG::Node::isPhantomFunctionAllocation): + (JSC::DFG::Node::isPhantomAllocation): + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunction): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStoreBarrierInsertionPhase.cpp: + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationPopulateObjectInOSR): + (JSC::FTL::operationMaterializeObjectInOSR): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emitNewFuncCommon): + (JSC::JIT::emit_op_new_async_generator_func): + (JSC::JIT::emit_op_new_async_func): + (JSC::JIT::emitNewFuncExprCommon): + (JSC::JIT::emit_op_new_async_generator_func_exp): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createFunctionMetadata): + * runtime/AsyncFromSyncIteratorPrototype.cpp: Added. + (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype): + (JSC::AsyncFromSyncIteratorPrototype::finishCreation): + (JSC::AsyncFromSyncIteratorPrototype::create): + * runtime/AsyncFromSyncIteratorPrototype.h: Added. + (JSC::AsyncFromSyncIteratorPrototype::createStructure): + * runtime/AsyncGeneratorFunctionConstructor.cpp: Added. 
+ (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor): + (JSC::AsyncGeneratorFunctionConstructor::finishCreation): + (JSC::callAsyncGeneratorFunctionConstructor): + (JSC::constructAsyncGeneratorFunctionConstructor): + (JSC::AsyncGeneratorFunctionConstructor::getCallData): + (JSC::AsyncGeneratorFunctionConstructor::getConstructData): + * runtime/AsyncGeneratorFunctionConstructor.h: Added. + (JSC::AsyncGeneratorFunctionConstructor::create): + (JSC::AsyncGeneratorFunctionConstructor::createStructure): + * runtime/AsyncGeneratorFunctionPrototype.cpp: Added. + (JSC::AsyncGeneratorFunctionPrototype::AsyncGeneratorFunctionPrototype): + (JSC::AsyncGeneratorFunctionPrototype::finishCreation): + * runtime/AsyncGeneratorFunctionPrototype.h: Added. + (JSC::AsyncGeneratorFunctionPrototype::create): + (JSC::AsyncGeneratorFunctionPrototype::createStructure): + * runtime/AsyncGeneratorPrototype.cpp: Added. + (JSC::AsyncGeneratorPrototype::finishCreation): + * runtime/AsyncGeneratorPrototype.h: Added. + (JSC::AsyncGeneratorPrototype::create): + (JSC::AsyncGeneratorPrototype::createStructure): + (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): + * runtime/AsyncIteratorPrototype.cpp: Added. + (JSC::AsyncIteratorPrototype::finishCreation): + * runtime/AsyncIteratorPrototype.h: Added. + (JSC::AsyncIteratorPrototype::create): + (JSC::AsyncIteratorPrototype::createStructure): + (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): + * runtime/CommonIdentifiers.h: + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + * runtime/FunctionConstructor.h: + * runtime/FunctionExecutable.h: + * runtime/JSAsyncGeneratorFunction.cpp: Added. + (JSC::JSAsyncGeneratorFunction::JSAsyncGeneratorFunction): + (JSC::JSAsyncGeneratorFunction::createImpl): + (JSC::JSAsyncGeneratorFunction::create): + (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint): + * runtime/JSAsyncGeneratorFunction.h: Added. 
+ (JSC::JSAsyncGeneratorFunction::allocationSize): + (JSC::JSAsyncGeneratorFunction::createStructure): + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnPropertySlot): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::asyncIteratorPrototype const): + (JSC::JSGlobalObject::asyncGeneratorPrototype const): + (JSC::JSGlobalObject::asyncGeneratorFunctionPrototype const): + (JSC::JSGlobalObject::asyncGeneratorFunctionStructure const): + * runtime/Options.h: + +2017-08-22 Michael Saboff + + Implement Unicode RegExp support in the YARR JIT + https://bugs.webkit.org/show_bug.cgi?id=174646 + + Reviewed by Filip Pizlo. + + This support is only implemented for 64 bit platforms. It wouldn't be too hard to add support + for 32 bit platforms with a reasonable number of spare registers. This code slightly refactors + register usage to reduce the number of callee save registers used for non-Unicode expressions. + For Unicode expressions, there are several more registers used to store constants values for + processing surrogate pairs as well as discerning whether a character belongs to the Basic + Multilingual Plane (BMP) or one of the Supplemental Planes. + + This implements JIT support for Unicode expressions very similar to how the interpreter works. + Just like in the interpreter, backtracking code uses more space on the stack to save positions. + Moved the BackTrackInfo* structs to YarrPattern as separate functions. Added xxxIndex() + functions to each of these to simplify how the JIT code reads and writes the structure fields. + + Given that reading surrogate pairs and transforming them into a single code point takes a + little processing, the code that implements reading a Unicode character is implemented as a + leaf function added to the end of the JIT'ed code. 
The calling convention for + "tryReadUnicodeCharacterHelper()" is non-standard given that the rest of the code assumes + that argument values stay in argument registers for most of the generated code. + That helper takes the starting character address in one register, regUnicodeInputAndTrail, + and uses another dedicated temporary register, regUnicodeTemp. The result is typically + returned in regT0. If another return register is requested, we'll create an inline copy of + that function. + + Added a new flag to CharacterClass to signify if a class has non-BMP characters. This flag + is used in optimizeAlternative() where we swap the order of a fixed character class term with + a fixed character term that immediately follows it. Since the non-BMP character class may + increment "index" when matching, that must be done first before trying to match a fixed + character term later in the string. + + Given the usefulness of the LEA instruction on X86 to create a single pointer value from a + base with index and offset, which the YARR JIT uses heavily, I added a new macroAssembler + function, getEffectiveAddress64(), with an ARM64 implementation. It just calls x86Lea64() + on X86-64. Also added an ImplicitAddress version of load16Unaligned(). 
+ + (JSC::MacroAssemblerARM64::load16Unaligned): + (JSC::MacroAssemblerARM64::getEffectiveAddress64): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::load16Unaligned): + (JSC::MacroAssemblerX86Common::load16): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::getEffectiveAddress64): + * create_regex_tables: + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + * yarr/YarrInterpreter.cpp: + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::optimizeAlternative): + (JSC::Yarr::YarrGenerator::matchCharacterClass): + (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl): + (JSC::Yarr::YarrGenerator::tryReadUnicodeChar): + (JSC::Yarr::YarrGenerator::readCharacter): + (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals): + (JSC::Yarr::YarrGenerator::matchAssertionWordchar): + (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary): + (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce): + (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed): + (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy): + (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy): + (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy): + (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy): + (JSC::Yarr::YarrGenerator::generateCharacterClassOnce): + (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce): + (JSC::Yarr::YarrGenerator::generateCharacterClassFixed): + (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy): + (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy): + (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy): + (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy): + (JSC::Yarr::YarrGenerator::generate): + (JSC::Yarr::YarrGenerator::backtrack): + (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper): + (JSC::Yarr::YarrGenerator::generateEnter): + (JSC::Yarr::YarrGenerator::generateReturn): + (JSC::Yarr::YarrGenerator::YarrGenerator): + (JSC::Yarr::YarrGenerator::compile): + 
* yarr/YarrJIT.h: + * yarr/YarrPattern.cpp: + (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor): + (JSC::Yarr::CharacterClassConstructor::reset): + (JSC::Yarr::CharacterClassConstructor::charClass): + (JSC::Yarr::CharacterClassConstructor::addSorted): + (JSC::Yarr::CharacterClassConstructor::addSortedRange): + (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters): + (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets): + * yarr/YarrPattern.h: + (JSC::Yarr::CharacterClass::CharacterClass): + (JSC::Yarr::BackTrackInfoPatternCharacter::beginIndex): + (JSC::Yarr::BackTrackInfoPatternCharacter::matchAmountIndex): + (JSC::Yarr::BackTrackInfoCharacterClass::beginIndex): + (JSC::Yarr::BackTrackInfoCharacterClass::matchAmountIndex): + (JSC::Yarr::BackTrackInfoBackReference::beginIndex): + (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex): + (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): + (JSC::Yarr::BackTrackInfoParentheticalAssertion::beginIndex): + (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex): + (JSC::Yarr::BackTrackInfoParenthesesTerminal::beginIndex): + +2017-08-22 Per Arne Vollan + + Implement 64-bit MacroAssembler::probe support for Windows. + https://bugs.webkit.org/show_bug.cgi?id=175724 + + Reviewed by Mark Lam. + + This is needed to enable the DFG. MSVC does no longer support inline assembly + for 64-bit, which means we have to put the code in an asm file. + + * assembler/MacroAssemblerX86Common.cpp: + (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted. + * jit/JITStubsMSVC64.asm: + +2017-08-22 Devin Rousso + + Web Inspector: provide way for ShaderPrograms to be enabled/disabled + https://bugs.webkit.org/show_bug.cgi?id=175400 + + Reviewed by Matt Baker. + + * inspector/protocol/Canvas.json: + Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader + program to the supplied boolean value. 
If this value is true, calls to `drawArrays` and + `drawElements` when that program is in use will have no effect. + +2017-08-22 Keith Miller + + Unriviewed, fix windows build... for realz. + + * CMakeLists.txt: + +2017-08-22 Saam Barati + + We are using valueProfileForBytecodeOffset when there may not be a value profile + https://bugs.webkit.org/show_bug.cgi?id=175812 + + Reviewed by Michael Saboff. + + This patch uses the type system to aid the code around CodeBlock's ValueProfile + accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*, + so there were callers of this that thought it could return nullptr when there + was no such ValueProfile. This was not the case, it always returned a non-null + pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile& + and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile* + and does the right thing if there is no such ValueProfile. + + This patch also changes the other ValueProfile accessors on CodeBlock to + return ValueProfile& instead of ValueProfile*. Some callers handled the null + case unnecessarily, and using the type system to specify the result can't be + null removes these useless branches. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): + (JSC::CodeBlock::dumpValueProfiles): + (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset): + (JSC::CodeBlock::valueProfileForBytecodeOffset): + (JSC::CodeBlock::validate): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::valueProfileForArgument): + (JSC::CodeBlock::valueProfile): + (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset): + (JSC::CodeBlock::getFromAllValueProfiles): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleInlining): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::methodOfGettingAValueProfileFor): + * dfg/DFGPredictionInjectionPhase.cpp: + (JSC::DFG::PredictionInjectionPhase::run): + * jit/JIT.h: + * jit/JITInlines.h: + (JSC::JIT::emitValueProfilingSite): + * profiler/ProfilerBytecodeSequence.cpp: + (JSC::Profiler::BytecodeSequence::BytecodeSequence): + * tools/HeapVerifier.cpp: + (JSC::HeapVerifier::validateJSCell): + +2017-08-22 Keith Miller + + Unreviewed, fix windows build... maybe. + + * CMakeLists.txt: + +2017-08-22 Keith Miller + + Unreviewed, fix cloop build. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2017-08-22 Per Arne Vollan + + [Win][Release] Crash when running testmasm executable. + https://bugs.webkit.org/show_bug.cgi?id=175772 + + Reviewed by Mark Lam. + + We need to save and restore the modified registers in case one or more registers are callee saved + on the relevant platforms. + + * assembler/testmasm.cpp: + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + +2017-08-21 Mark Lam + + Change probe code to use static_assert instead of COMPILE_ASSERT. + https://bugs.webkit.org/show_bug.cgi?id=175762 + + Reviewed by JF Bastien. + + * assembler/MacroAssemblerARM.cpp: + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): Deleted. 
+ * assembler/MacroAssemblerARMv7.cpp: + * assembler/MacroAssemblerX86Common.cpp: + +2017-08-21 Keith Miller + + Make generate_offset_extractor.rb architectures argument more robust + https://bugs.webkit.org/show_bug.cgi?id=175809 + + Reviewed by Joseph Pecoraro. + + It turns out that some of our builders pass their architectures as + space separated lists. I decided to just make the splitting of + our list robust to any reasonable combination of spaces and + commas. + + * offlineasm/generate_offset_extractor.rb: + +2017-08-21 Keith Miller + + Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake) + https://bugs.webkit.org/show_bug.cgi?id=175690 + + Reviewed by Michael Saboff. + + This should reduce some of the time we spend building offline asm + in our builds (except for linux since they already did this). + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * offlineasm/backends.rb: + * offlineasm/generate_offset_extractor.rb: + +2017-08-20 Mark Lam + + Gardening: fix CLoop build. + https://bugs.webkit.org/show_bug.cgi?id=175688 + + + Not reviewed. + + Make these files dependent on ENABLE(MASM_PROBE). + + * assembler/ProbeContext.cpp: + * assembler/ProbeContext.h: + * assembler/ProbeStack.cpp: + * assembler/ProbeStack.h: + +2017-08-20 Mark Lam + + Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass. + https://bugs.webkit.org/show_bug.cgi?id=175688 + + + Reviewed by JF Bastien. + + With this patch, the clients of the MacroAssembler::probe() can now change + stack values without having to worry about whether there is enough room in the + current stack frame for it or not. This is done using the Probe::Context's stack + member like so: + + jit.probe([] (Probe::Context& context) { + auto cpu = context.cpu; + auto stack = context.stack(); + uintptr_t* currentSP = cpu.sp(); + + // Get a value at the current stack pointer location. 
+ auto value = stack.get(currentSP); + + // Set a value above the current stack pointer (within current frame). + stack.set(currentSP + 10, value); + + // Set a value below the current stack pointer (out of current frame). + stack.set(currentSP - 10, value); + + // Set the new stack pointer. + cpu.sp() = currentSP - 20; + }); + + What happens behind the scene: + + 1. the generated JIT probe code will now call Probe::executeProbe(), and + Probe::executeProbe() will in turn call the client's probe function. + + Probe::executeProbe() receives the Probe::State on the machine stack passed + to it by the probe trampoline. Probe::executeProbe() will instantiate a + Probe::Context to be passed to the client's probe function. The client will + no longer see the Probe::State directly. + + 2. The Probe::Context comes with a Probe::Stack which serves as a manager of + stack pages. Currently, each page is 1K in size. + Probe::Context::stack() returns a reference to an instance of Probe::Stack. + + 3. Invoking get() of set() on Probe::Stack with an address will lead to the + following: + + a. the address will be decoded to a baseAddress that points to the 1K page + that contains that address. + + b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress. + If so, go to step (f). Else, continue with step (c). + + c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page + for that specified baseAddress to this mirror page. + + d. the mirror page will be added to the ProbeStack's m_pages HashMap, + keyed on the baseAddress. + + e. the ProbeStack will also cache the last baseAddress and its corresponding + mirror page in use. With memory accesses tending to be localized, this + will save us from having to look up the page in the HashMap. + + f. get() will map the requested address to a physical address in the mirror + page, and return the value at that location. + + g. 
set() will map the requested address to a physical address in the mirror + page, and set the value at that location in the mirror page. + + set() will also set a dirty bit corresponding to the "cache line" that + was modified in the mirror page. + + 4. When the client's probe function returns, Probe::executeProbe() will check if + there are stack changes that need to be applied. If stack changes are needed: + + a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack + space is available to flush the dirty stack pages. It will also register a + flushStackDirtyPages callback function in the Probe::State. Thereafter, + Probe::executeProbe() returns to the probe trampoline. + + b. the probe trampoline adjusts the stack pointer, moves the Probe::State to + a safe place if needed, and then calls the flushStackDirtyPages callback + if needed. + + c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages + HashMap and flush all dirty "cache lines" to the machine stack. + Thereafter, flushStackDirtyPages() returns to the probe trampoline. + + d. lastly, the probe trampoline will restore all register values and return + to the pc set in the Probe::State. + + To make this patch work, I also had to do the following work: + + 5. Refactor MacroAssembler::CPUState into Probe::CPUState. + Mainly, this means moving the code over to ProbeContext.h. + I also added some convenience accessor methods for spr registers. + + Moved Probe::Context over to its own file ProbeContext.h/cpp. + + 6. Fix all probe trampolines to pass the address of Probe::executeProbe in + addition to the client's probe function and arg. + + I also took this opportunity to optimize the generated JIT probe code to + minimize the amount of memory stores needed. + + 7. Simplified the ARM64 probe trampoline. The ARM64 probe only supports changing + either lr or pc (or neither), but not both at in the same probe invocation. 
+ The ARM64 probe trampoline used to have to check for this invariant in the + assembly trampoline code. With the introduction of Probe::executeProbe(), + we can now do it there and simplify the trampoline. + + 8. Fix a bug in the old ARM64 probe trampoline for the case where the client + changes lr. That code path never worked before, but has now been fixed. + + 9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and + MacroAssemblerARMv7. + + We can now use move() with TrustedImmPtr, and it does the same thing but in a + more generic way. + + 10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have + the same semantics as movs (according to the Thumb spec). This means these + instructions may trash the APSR flags before we have a chance to preserve them. + + This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register + early on. This entails adding support for the mrs instruction in the + ARMv7Assembler. + + 10. Change testmasm's testProbeModifiesStackValues() to now modify stack values + the easy way. + + Also fixed testmasm tests which check flag registers to only compare the + portions that are modifiable by the client i.e. some masking is applied. + + This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::mrs): + * assembler/AbstractMacroAssembler.h: + * assembler/MacroAssembler.cpp: + (JSC::stdFunctionCallback): + (JSC::MacroAssembler::probe): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::CPUState::gprName): Deleted. + (JSC::MacroAssembler::CPUState::sprName): Deleted. + (JSC::MacroAssembler::CPUState::fprName): Deleted. + (JSC::MacroAssembler::CPUState::gpr): Deleted. + (JSC::MacroAssembler::CPUState::spr): Deleted. + (JSC::MacroAssembler::CPUState::fpr): Deleted. + (JSC:: const): Deleted. + (JSC::MacroAssembler::CPUState::fpr const): Deleted. 
+ (JSC::MacroAssembler::CPUState::pc): Deleted. + (JSC::MacroAssembler::CPUState::fp): Deleted. + (JSC::MacroAssembler::CPUState::sp): Deleted. + (JSC::MacroAssembler::CPUState::pc const): Deleted. + (JSC::MacroAssembler::CPUState::fp const): Deleted. + (JSC::MacroAssembler::CPUState::sp const): Deleted. + (JSC::Probe::State::gpr): Deleted. + (JSC::Probe::State::spr): Deleted. + (JSC::Probe::State::fpr): Deleted. + (JSC::Probe::State::gprName): Deleted. + (JSC::Probe::State::sprName): Deleted. + (JSC::Probe::State::fprName): Deleted. + (JSC::Probe::State::pc): Deleted. + (JSC::Probe::State::fp): Deleted. + (JSC::Probe::State::sp): Deleted. + * assembler/MacroAssemblerARM.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted. + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + (JSC::arm64ProbeError): Deleted. + * assembler/MacroAssemblerARMv7.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::armV7Condition): + (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted. + * assembler/MacroAssemblerPrinter.cpp: + (JSC::Printer::printCallback): + * assembler/MacroAssemblerPrinter.h: + * assembler/MacroAssemblerX86Common.cpp: + (JSC::ctiMasmProbeTrampoline): + (JSC::MacroAssembler::probe): + * assembler/Printer.h: + (JSC::Printer::Context::Context): + * assembler/ProbeContext.cpp: Added. + (JSC::Probe::executeProbe): + (JSC::Probe::handleProbeStackInitialization): + (JSC::Probe::probeStateForContext): + * assembler/ProbeContext.h: Added. 
+ (JSC::Probe::CPUState::gprName): + (JSC::Probe::CPUState::sprName): + (JSC::Probe::CPUState::fprName): + (JSC::Probe::CPUState::gpr): + (JSC::Probe::CPUState::spr): + (JSC::Probe::CPUState::fpr): + (JSC::Probe:: const): + (JSC::Probe::CPUState::fpr const): + (JSC::Probe::CPUState::pc): + (JSC::Probe::CPUState::fp): + (JSC::Probe::CPUState::sp): + (JSC::Probe::CPUState::pc const): + (JSC::Probe::CPUState::fp const): + (JSC::Probe::CPUState::sp const): + (JSC::Probe::Context::Context): + (JSC::Probe::Context::gpr): + (JSC::Probe::Context::spr): + (JSC::Probe::Context::fpr): + (JSC::Probe::Context::gprName): + (JSC::Probe::Context::sprName): + (JSC::Probe::Context::fprName): + (JSC::Probe::Context::pc): + (JSC::Probe::Context::fp): + (JSC::Probe::Context::sp): + (JSC::Probe::Context::stack): + (JSC::Probe::Context::hasWritesToFlush): + (JSC::Probe::Context::releaseStack): + * assembler/ProbeStack.cpp: Added. + (JSC::Probe::Page::Page): + (JSC::Probe::Page::flushWrites): + (JSC::Probe::Stack::Stack): + (JSC::Probe::Stack::hasWritesToFlush): + (JSC::Probe::Stack::flushWrites): + (JSC::Probe::Stack::ensurePageFor): + * assembler/ProbeStack.h: Added. 
+ (JSC::Probe::Page::baseAddressFor): + (JSC::Probe::Page::chunkAddressFor): + (JSC::Probe::Page::baseAddress): + (JSC::Probe::Page::get): + (JSC::Probe::Page::set): + (JSC::Probe::Page::hasWritesToFlush const): + (JSC::Probe::Page::flushWritesIfNeeded): + (JSC::Probe::Page::dirtyBitFor): + (JSC::Probe::Page::physicalAddressFor): + (JSC::Probe::Stack::Stack): + (JSC::Probe::Stack::lowWatermark): + (JSC::Probe::Stack::get): + (JSC::Probe::Stack::set): + (JSC::Probe::Stack::newStackPointer const): + (JSC::Probe::Stack::setNewStackPointer): + (JSC::Probe::Stack::isValid): + (JSC::Probe::Stack::pageFor): + * assembler/testmasm.cpp: + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + (JSC::testProbePreservesGPRS): + (JSC::testProbeModifiesStackPointer): + (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack): + (JSC::testProbeModifiesStackPointerToNBytesBelowSP): + (JSC::testProbeModifiesProgramCounter): + (JSC::testProbeModifiesStackValues): + (JSC::run): + (): Deleted. + (JSC::fillStack): Deleted. + (JSC::testProbeModifiesStackWithCallback): Deleted. + +2017-08-19 Andy Estes + + [Payment Request] Add interface stubs + https://bugs.webkit.org/show_bug.cgi?id=175730 + + Reviewed by Youenn Fablet. + + * runtime/CommonIdentifiers.h: + +2017-08-18 Per Arne Vollan + + Implement 32-bit MacroAssembler::probe support for Windows. + https://bugs.webkit.org/show_bug.cgi?id=175449 + + Reviewed by Mark Lam. + + This is needed to enable the DFG. + + * assembler/MacroAssemblerX86Common.cpp: + * assembler/testmasm.cpp: + (JSC::run): + (dllLauncherEntryPoint): + * shell/CMakeLists.txt: + * shell/PlatformWin.cmake: + +2017-08-18 Mark Lam + + Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function. + https://bugs.webkit.org/show_bug.cgi?id=175725 + + + Rubber-stamped by JF Bastien. 
+ + This is purely a refactoring patch (in preparation for the introduction of a + Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688 + later). This patch does not change any semantics / behavior. + + * assembler/AbstractMacroAssembler.h: + * assembler/MacroAssembler.cpp: + (JSC::stdFunctionCallback): + (JSC::MacroAssembler::probe): + * assembler/MacroAssembler.h: + (JSC::ProbeContext::gpr): Deleted. + (JSC::ProbeContext::spr): Deleted. + (JSC::ProbeContext::fpr): Deleted. + (JSC::ProbeContext::gprName): Deleted. + (JSC::ProbeContext::sprName): Deleted. + (JSC::ProbeContext::fprName): Deleted. + (JSC::ProbeContext::pc): Deleted. + (JSC::ProbeContext::fp): Deleted. + (JSC::ProbeContext::sp): Deleted. + * assembler/MacroAssemblerARM.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::trustedImm32FromPtr): + * assembler/MacroAssemblerARM64.cpp: + (JSC::arm64ProbeError): + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARMv7.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): + * assembler/MacroAssemblerPrinter.cpp: + (JSC::Printer::printCallback): + * assembler/MacroAssemblerPrinter.h: + * assembler/MacroAssemblerX86Common.cpp: + (JSC::MacroAssembler::probe): + * assembler/Printer.h: + (JSC::Printer::Context::Context): + * assembler/testmasm.cpp: + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + (JSC::testProbePreservesGPRS): + (JSC::testProbeModifiesStackPointer): + (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack): + (JSC::testProbeModifiesStackPointerToNBytesBelowSP): + (JSC::testProbeModifiesProgramCounter): + (JSC::fillStack): + (JSC::testProbeModifiesStackWithCallback): + (JSC::run): + (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted. 
+ +2017-08-17 JF Bastien + + WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid + https://bugs.webkit.org/show_bug.cgi?id=175693 + + + Reviewed by Saam Barati. + + 64-bit constants in an unreachable context were being decoded as + 32-bit constants. This is pretty benign because unreachable code + shouldn't occur often. The effect is that 64-bit constants which + can't be encoded as 32-bit constants would cause the binary to be + rejected. + + At the same time, 32-bit integer constants should be decoded as signed. + + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + +2017-08-17 Robin Morisset + + Teach DFGFixupPhase.cpp that the current scope is always a cell + https://bugs.webkit.org/show_bug.cgi?id=175610 + + Reviewed by Keith Miller. + + Also teach it that the argument to with can usually be speculated to be an object, + since toObject() is called on it. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePushWithScope): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2017-08-17 Matt Baker + + Web Inspector: remove unused private struct from InspectorScriptProfilerAgent + https://bugs.webkit.org/show_bug.cgi?id=175644 + + Reviewed by Brian Burg. + + * inspector/agents/InspectorScriptProfilerAgent.h: + +2017-08-17 Mark Lam + + Only use 16 VFP registers if !CPU(ARM_NEON). + https://bugs.webkit.org/show_bug.cgi?id=175514 + + Reviewed by JF Bastien. + + Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h. The NEON spec + says that there are only 16 128-bit NEON registers. This change is merely to + correct the code documentation of these registers. The FPQuadRegisterID are + currently unused. 
+ + * assembler/ARMAssembler.h: + (JSC::ARMAssembler::lastFPRegister): + (JSC::ARMAssembler::fprName): + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::lastFPRegister): + (JSC::ARMv7Assembler::fprName): + * assembler/MacroAssemblerARM.cpp: + * assembler/MacroAssemblerARMv7.cpp: + +2017-08-17 Andreas Kling + + Disable CSS regions at compile time + https://bugs.webkit.org/show_bug.cgi?id=175630 + + Reviewed by Antti Koivisto. + + * Configurations/FeatureDefines.xcconfig: + +2017-08-17 Jacobo Aragunde Pérez + + [WPE][GTK] Ensure proper casting of data in gvariants + https://bugs.webkit.org/show_bug.cgi?id=175667 + + Reviewed by Michael Catanzaro. + + g_variant_new requires data to have the correct width for their types, using + casting if necessary. Some data of type `unsigned` were being saved to `guint64` + types without explicit casting, leading to undefined behavior in some platforms. + + * inspector/remote/glib/RemoteInspectorGlib.cpp: + (Inspector::RemoteInspector::listingForInspectionTarget const): + (Inspector::RemoteInspector::listingForAutomationTarget const): + (Inspector::RemoteInspector::sendMessageToRemote): + +2017-08-17 Yusuke Suzuki + + [JSC] Avoid code bloating for iteration if block does not have "break" + https://bugs.webkit.org/show_bug.cgi?id=173228 + + Reviewed by Keith Miller. + + Currently, we always emit code for breaked path when emitting for-of iteration. + But we can know that this breaked path can be used when emitting the bytecode. + + This patch adds LabelScope::breakTargetMayBeBound(), which returns true if + the break label may be bound. We emit a breaked path only when it returns + true. This reduces bytecode bloating when using for-of iteration. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::Label::setLocation): + (JSC::BytecodeGenerator::newLabel): + (JSC::BytecodeGenerator::emitLabel): + (JSC::BytecodeGenerator::pushFinallyControlFlowScope): + (JSC::BytecodeGenerator::breakTarget): + (JSC::BytecodeGenerator::continueTarget): + (JSC::BytecodeGenerator::emitEnumeration): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/Label.h: + (JSC::Label::bind const): + (JSC::Label::hasOneRef const): + (JSC::Label::isBound const): + (JSC::Label::Label): Deleted. + * bytecompiler/LabelScope.h: + (JSC::LabelScope::hasOneRef const): + (JSC::LabelScope::breakTargetMayBeBound const): + * bytecompiler/NodesCodegen.cpp: + (JSC::ContinueNode::trivialTarget): + (JSC::ContinueNode::emitBytecode): + (JSC::BreakNode::trivialTarget): + (JSC::BreakNode::emitBytecode): + +2017-08-17 Csaba Osztrogonác + + ARM build fix after r220807 and r220834. + https://bugs.webkit.org/show_bug.cgi?id=175617 + + Unreviewed typo fix. + + * assembler/MacroAssemblerARM.cpp: + +2017-08-17 Mark Lam + + Gardening: build fix for ARM_TRADITIONAL after r220807. + https://bugs.webkit.org/show_bug.cgi?id=175617 + + Not reviewed. + + * assembler/MacroAssemblerARM.cpp: + +2017-08-16 Mark Lam + + Add back the ability to disable MASM_PROBE from the build. + https://bugs.webkit.org/show_bug.cgi?id=175656 + + + Reviewed by Yusuke Suzuki. + + This is needed for ports that the existing MASM_PROBE implementation doesn't work + well with e.g. GTK with ARM_THUMB2. Note that if the DFG_JIT will be disabled by + default if !ENABLE(MASM_PROBE). 
+ + * assembler/AbstractMacroAssembler.h: + * assembler/MacroAssembler.cpp: + * assembler/MacroAssembler.h: + * assembler/MacroAssemblerARM.cpp: + * assembler/MacroAssemblerARM64.cpp: + * assembler/MacroAssemblerARMv7.cpp: + * assembler/MacroAssemblerPrinter.cpp: + * assembler/MacroAssemblerPrinter.h: + * assembler/MacroAssemblerX86Common.cpp: + * assembler/testmasm.cpp: + (JSC::run): + * b3/B3LowerToAir.cpp: + * b3/air/AirPrintSpecial.cpp: + * b3/air/AirPrintSpecial.h: + +2017-08-16 Dan Bernstein + + [Cocoa] Older-iOS install name symbols are being exported on other platforms + https://bugs.webkit.org/show_bug.cgi?id=175654 + + Reviewed by Tim Horton. + + * API/JSBase.cpp: Define the symbols only when targeting iOS. + +2017-08-16 Matt Baker + + Web Inspector: capture async stack trace when workers/main context posts a message + https://bugs.webkit.org/show_bug.cgi?id=167084 + + + Reviewed by Brian Burg. + + * inspector/agents/InspectorDebuggerAgent.h: + Add `PostMessage` async call type. + +2017-08-16 Mark Lam + + Enhance MacroAssembler::probe() to support an initializeStackFunction callback. + https://bugs.webkit.org/show_bug.cgi?id=175617 + + + Reviewed by JF Bastien. + + This patch adds a new feature to MacroAssembler::probe() where the probe function + can provide a ProbeFunction callback to fill in stack values after the stack + pointer has been adjusted. The probe function can use this feature as follows: + + 1. Set the new sp value in the ProbeContext's CPUState. + + 2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback + which will do the work of filling in the stack values after the probe + trampoline has adjusted the machine stack pointer. + + 3. Set the ProbeContext's initializeStackArgs to any value that the client wants + to pass to the initializeStackFunction callback. + + 4. Return from the probe function. 
+ + Upon returning from the probe function, the probe trampoline will adjust the + the stack pointer based on the sp value in CPUState. If initializeStackFunction + is not set, the probe trampoline will restore registers and return to its caller. + + If initializeStackFunction is set, the trampoline will move the ProbeContext + beyond the range of the stack pointer i.e. it will place the new ProbeContext at + an address lower than where CPUState.sp() points. This ensures that the + ProbeContext will not be trashed by the initializeStackFunction when it writes to + the stack. Then, the trampoline will call back to the initializeStackFunction + ProbeFunction to let it fill in the stack values as desired. The + initializeStackFunction ProbeFunction will be passed the moved ProbeContext at + the new location. + + initializeStackFunction may now write to the stack at addresses greater or + equal to CPUState.sp(), but not below that. initializeStackFunction is also + not allowed to change CPUState.sp(). If the initializeStackFunction does not + abide by these rules, then behavior is undefined, and bad things may happen. + + For future reference, some implementation details that this patch needed to + be mindful of: + + 1. When the probe trampoline allocates stack space for the ProbeContext, it + should include OUT_SIZE as well. This ensures that it doesn't have to move + the ProbeContext on exit if the probe function didn't change the sp. + + 2. If the trampoline has to move the ProbeContext, it needs to point the machine + sp to new ProbeContext first before copying over the ProbeContext data. This + protects the new ProbeContext from possibly being trashed by interrupts. + + 3. When computing the new address of ProbeContext to move to, we need to make + sure that it is properly aligned in accordance with stack ABI requirements + (just like we did when we allocated the ProbeContext on entry to the + probe trampoline). + + 4. 
When copying the ProbeContext to its new location, the trampoline should + always copy words from low addresses to high addresses. This is because if + we're moving the ProbeContext, we'll always be moving it to a lower address. + + * assembler/MacroAssembler.h: + * assembler/MacroAssemblerARM.cpp: + * assembler/MacroAssemblerARM64.cpp: + * assembler/MacroAssemblerARMv7.cpp: + * assembler/MacroAssemblerX86Common.cpp: + * assembler/testmasm.cpp: + (JSC::testProbePreservesGPRS): + (JSC::testProbeModifiesStackPointer): + (JSC::fillStack): + (JSC::testProbeModifiesStackWithCallback): + (JSC::run): + +2017-08-16 Csaba Osztrogonác + + Fix JSCOnly ARM buildbots after r220047 and r220184 + https://bugs.webkit.org/show_bug.cgi?id=174993 + + Reviewed by Carlos Alberto Lopez Perez. + + * CMakeLists.txt: Generate only one backend on Linux to save build time. + +2017-08-16 Andy Estes + + [Payment Request] Add an ENABLE flag and an experimental feature preference + https://bugs.webkit.org/show_bug.cgi?id=175622 + + Reviewed by Tim Horton. + + * Configurations/FeatureDefines.xcconfig: + +2017-08-15 Robin Morisset + + We are too conservative about the effects of PushWithScope + https://bugs.webkit.org/show_bug.cgi?id=175584 + + Reviewed by Saam Barati. + + PushWithScope converts its argument to an object (this can throw a type error, + but has no other observable effect), and allocates a new scope, that it then + makes the new current scope. We were a bit too + conservative in saying that it clobbers the world. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + +2017-08-15 Ryosuke Niwa + + Make DataTransferItemList work with plain text entries + https://bugs.webkit.org/show_bug.cgi?id=175596 + + Reviewed by Wenson Hsieh. + + Added DataTransferItem as a common identifier since it's a runtime enabled feature. 
+ + * runtime/CommonIdentifiers.h: + +2017-08-15 Robin Morisset + + Support the 'with' keyword in FTL + https://bugs.webkit.org/show_bug.cgi?id=175585 + + Reviewed by Saam Barati. + + Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create() + and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one + to the other at different step which was quite confusing. I picked this order for consistency with CreateActivation + that takes its parentScope argument first. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitPushWithScope): + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::evaluateWithScopeExtension): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePushWithScope): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope): + * jit/JITOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/Completion.cpp: + (JSC::evaluateWithScopeExtension): + * runtime/JSWithScope.cpp: + (JSC::JSWithScope::create): + * runtime/JSWithScope.h: + +2017-08-15 Saam Barati + + Make VM::scratchBufferForSize thread safe + https://bugs.webkit.org/show_bug.cgi?id=175604 + + Reviewed by Geoffrey Garen and Mark Lam. + + I want to use the VM::scratchBufferForSize in another patch I'm writing. + The use case for my other patch is to call it from the compiler thread. + When reading the code, I saw that this API was not thread safe. This patch + makes it thread safe. It actually turns out we were calling this API from + the compiler thread already when we created FTL::State for an FTL OSR entry + compilation, and from FTLLowerDFGToB3. 
That code was racy and wrong, but + is now correct with this patch. + + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::~VM): + (JSC::VM::gatherConservativeRoots): + (JSC::VM::scratchBufferForSize): + * runtime/VM.h: + (JSC::VM::scratchBufferForSize): Deleted. + +2017-08-15 Keith Miller + + JSC named bytecode offsets should use references rather than pointers + https://bugs.webkit.org/show_bug.cgi?id=175601 + + Reviewed by Saam Barati. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_overrides_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_overrides_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + +2017-08-15 Keith Miller + + Enable named offsets into JSC bytecodes + https://bugs.webkit.org/show_bug.cgi?id=175561 + + Reviewed by Mark Lam. + + This patch adds the ability to add named offsets into JSC's + bytecodes. In the bytecode json file, instead of listing a + length, you can now list a set of names and their types. Each + opcode with an offsets property will have a struct named after the + opcode by in our C++ naming style. For example, + op_overrides_has_instance would become OpOverridesHasInstance. The + struct has the same memory layout as the instruction list has but + comes with handy named accessors. + + As a first cut I converted the various instanceof bytecodes to use + named offsets. 
+ + As an example op_overrides_has_instance produces the following struct: + + struct OpOverridesHasInstance { + public: + Opcode& opcode() { return *reinterpret_cast(&m_opcode); } + const Opcode& opcode() const { return *reinterpret_cast(&m_opcode); } + int& dst() { return *reinterpret_cast(&m_dst); } + const int& dst() const { return *reinterpret_cast(&m_dst); } + int& constructor() { return *reinterpret_cast(&m_constructor); } + const int& constructor() const { return *reinterpret_cast(&m_constructor); } + int& hasInstanceValue() { return *reinterpret_cast(&m_hasInstanceValue); } + const int& hasInstanceValue() const { return *reinterpret_cast(&m_hasInstanceValue); } + + private: + friend class LLIntOffsetsExtractor; + std::aligned_storage::type m_opcode; + std::aligned_storage::type m_dst; + std::aligned_storage::type m_constructor; + std::aligned_storage::type m_hasInstanceValue; + }; + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/BytecodeList.json: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * generate-bytecode-files: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_overrides_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_overrides_has_instance): + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + * llint/LLIntOffsetsExtractor.cpp: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2017-08-15 Mark Lam + + Update testmasm to use new CPUState APIs. + https://bugs.webkit.org/show_bug.cgi?id=175573 + + Reviewed by Keith Miller. + + 1. Applied convenience CPUState accessors to minimize casting. + 2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging + messages. + 3. 
Removed the CHECK_DOUBLE_BITWISE_EQ macro. We can just use CHECK_EQ now since + casting is (mostly) no longer an issue. + 4. Replaced the use of testDoubleWord(id) with bitwise_cast(testWord64(id)) + to make it clear that we're comparing against the bit values of testWord64(id). + 5. Added a "Completed N tests" message at the end of running all tests. + This makes it easy to tell at a glance that testmasm completed successfully + versus when it crashed midway in a test. The number of tests also serves as + a quick checksum to confirm that we ran the number of tests we expected. + + * assembler/testmasm.cpp: + (WTF::printInternal): + (JSC::testSimple): + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + (JSC::testProbePreservesGPRS): + (JSC::testProbeModifiesStackPointer): + (JSC::testProbeModifiesProgramCounter): + (JSC::run): + +2017-08-14 Keith Miller + + Add testing tool to lie to the DFG about profiles + https://bugs.webkit.org/show_bug.cgi?id=175487 + + Reviewed by Saam Barati. + + This patch adds a new bytecode identity_with_profile that lets + us lie to the DFG about what profiles it has seen as the input to + another bytecode. Previously, there was no reliable way to force + a given profile when we tired up. 
+ + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/SpeculatedType.cpp: + (JSC::speculationFromString): + * bytecode/SpeculatedType.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitIdWithProfile): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::getForcedPrediction): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_identity_with_profile): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_identity_with_profile): + * llint/LowLevelInterpreter.asm: + +2017-08-14 Simon Fraser + + Remove Proximity Events and related code + https://bugs.webkit.org/show_bug.cgi?id=175545 + + Reviewed by Daniel Bates. + + No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS) + and other related code. 
+ + * Configurations/FeatureDefines.xcconfig: + +2017-08-14 Simon Fraser + + Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere + https://bugs.webkit.org/show_bug.cgi?id=175504 + + Reviewed by Sam Weinig. + + * Configurations/FeatureDefines.xcconfig: + +2017-08-14 Simon Fraser + + Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code + https://bugs.webkit.org/show_bug.cgi?id=175557 + + Reviewed by Jon Lee. + + No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it. + + * Configurations/FeatureDefines.xcconfig: + +2017-08-14 Robin Morisset + + Support the 'with' keyword in DFG + https://bugs.webkit.org/show_bug.cgi?id=175470 + + Reviewed by Saam Barati. + + Not particularly optimized at the moment, the goal is just to avoid + the DFG bailing out of any function with this keyword. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePushWithScope): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2017-08-14 Mark Lam + + Add some convenience utility accessor methods to MacroAssembler::CPUState. + https://bugs.webkit.org/show_bug.cgi?id=175549 + + + Reviewed by Saam Barati. 
+ + Previously, in order to read ProbeContext CPUState registers, we used to need to + do it this way: + + ExecState* exec = reinterpret_cast(cpu.fp()); + uint32_t i32 = static_cast(cpu.gpr(GPRInfo::regT0)); + void* p = reinterpret_cast(cpu.gpr(GPRInfo::regT1)); + uint64_t u64 = bitwise_cast(cpu.fpr(FPRInfo::fpRegT0)); + + With this patch, we can now read them this way instead: + + ExecState* exec = cpu.fp(); + uint32_t i32 = cpu.gpr(GPRInfo::regT0); + void* p = cpu.gpr(GPRInfo::regT1); + uint64_t u64 = cpu.fpr(FPRInfo::fpRegT0); + + * assembler/MacroAssembler.h: + (JSC:: const): + (JSC::MacroAssembler::CPUState::fpr const): + (JSC::MacroAssembler::CPUState::pc const): + (JSC::MacroAssembler::CPUState::fp const): + (JSC::MacroAssembler::CPUState::sp const): + (JSC::ProbeContext::pc): + (JSC::ProbeContext::fp): + (JSC::ProbeContext::sp): + +2017-08-12 Filip Pizlo + + Put the ScopedArgumentsTable's ScopeOffset array in some gigacage + https://bugs.webkit.org/show_bug.cgi?id=174921 + + Reviewed by Mark Lam. + + Uses CagedUniquePtr<> to cage the ScopeOffset array. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitScopedArgumentsGetByVal): + * runtime/ScopedArgumentsTable.cpp: + (JSC::ScopedArgumentsTable::create): + (JSC::ScopedArgumentsTable::setLength): + * runtime/ScopedArgumentsTable.h: + +2017-08-14 Mark Lam + + Gardening: fix Windows build. + https://bugs.webkit.org/show_bug.cgi?id=175446 + + Not reviewed. + + * assembler/MacroAssemblerX86Common.cpp: + (JSC::booleanTrueForAvoidingNoReturnDeclaration): + (JSC::ctiMasmProbeTrampoline): + +2017-08-12 Csaba Osztrogonác + + [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy + https://bugs.webkit.org/show_bug.cgi?id=175512 + + + Reviewed by Mark Lam. + + * CMakeLists.txt: Added MacroAssemblerARM64.cpp. 
+ * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy. + +2017-08-12 Csaba Osztrogonác + + ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline + https://bugs.webkit.org/show_bug.cgi?id=175513 + + Reviewed by Mark Lam. + + * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too. + +2017-08-12 Filip Pizlo + + FTL's compileGetTypedArrayByteOffset needs to do caging + https://bugs.webkit.org/show_bug.cgi?id=175366 + + Reviewed by Saam Barati. + + While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This + fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): + (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): + * runtime/ArrayBuffer.h: + * runtime/ArrayBufferView.h: + * runtime/JSArrayBufferView.h: + +2017-08-11 Ryosuke Niwa + + Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation + https://bugs.webkit.org/show_bug.cgi?id=175474 + + + Reviewed by Wenson Hsieh. + + * Configurations/FeatureDefines.xcconfig: + * runtime/CommonIdentifiers.h: + +2017-08-11 Filip Pizlo + + Caging shouldn't have to use a patchpoint for adding + https://bugs.webkit.org/show_bug.cgi?id=175483 + + Reviewed by Mark Lam. + + Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with + constants and associative operations dictate that you always want to sink constants. For example, + Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in + typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because + we want the large constant (which is shared by all caging operations) to be hoisted. 
Reassociating to + sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to + reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other + constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression. + It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then + hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where + our current constant reassociation heuristics are wrong is caging. So, we can get away with some + hacks for just stopping B3's reassociation only in this specific case. + + Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's + OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from + the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know + that if we cage the same pointer in two places, both places will compute the same value. + + This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as + if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e. + they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know + that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess + up your code but Air won't. (Currently we know of no cases where Air messes things up on a large + enough scale to warrant new opcodes.) + + This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also + makes the code a bit less ugly. 
+
+ * b3/B3LowerToAir.cpp:
+ (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
+ (JSC::B3::Air::LowerToAir::lower):
+ * b3/B3Opcode.cpp:
+ (WTF::printInternal):
+ * b3/B3Opcode.h:
+ * b3/B3ReduceStrength.cpp:
+ * b3/B3Validate.cpp:
+ * b3/B3Value.cpp:
+ (JSC::B3::Value::effects const):
+ (JSC::B3::Value::key const):
+ (JSC::B3::Value::isFree const):
+ (JSC::B3::Value::typeFor):
+ * b3/B3Value.h:
+ * b3/B3ValueKey.cpp:
+ (JSC::B3::ValueKey::materialize const):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * ftl/FTLOutput.cpp:
+ (JSC::FTL::Output::opaque):
+ * ftl/FTLOutput.h:
+
+2017-08-11 Filip Pizlo
+
+ ScopedArguments overflow storage needs to be in the JSValue gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=174923
+
+ Reviewed by Saam Barati.
+
+ ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
+ object into the JSValue gigacage.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitScopedArgumentsGetByVal):
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::subspaceFor):
+ (JSC::ScopedArguments::overflowStorage const):
+
+2017-08-11 Filip Pizlo
+
+ JSLexicalEnvironment needs to be in the JSValue gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=174922
+
+ Reviewed by Michael Saboff.
+
+ We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
+ the only random accesses use pointer caging.
+
+ We don't need to do anything to normal lexical environment accesses.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * runtime/JSEnvironmentRecord.h:
+ (JSC::JSEnvironmentRecord::subspaceFor):
+ (JSC::JSEnvironmentRecord::variables):
+
+2017-08-11 Filip Pizlo
+
+ DirectArguments should be in the JSValue gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=174920
+
+ Reviewed by Michael Saboff.
+
+ This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
+ indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
+ because they always operate on a DirectArguments that is pointed to directly from the stack, they are
+ required to use fixed offsets, and you can only store JSValues.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDirectArgumentsGetByVal):
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::subspaceFor):
+ (JSC::DirectArguments::storage):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2017-08-11 Filip Pizlo
+
+ Unreviewed, add a FIXME.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+
+2017-08-10 Sam Weinig
+
+ WTF::Function does not allow for reference / non-default constructible return types
+ https://bugs.webkit.org/show_bug.cgi?id=175244
+
+ Reviewed by Chris Dumez.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::transferTo):
+ Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
+ destroy call needed to be a no-op anyway, since the data is being moved.
+
+2017-08-11 Mark Lam
+
+ Gardening: fix CLoop build.
+ https://bugs.webkit.org/show_bug.cgi?id=175446
+
+
+ Not reviewed.
+
+ * assembler/MacroAssemblerPrinter.cpp:
+
+2017-08-08 Filip Pizlo
+
+ DFG should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=174918
+
+ Reviewed by Saam Barati.
+
+ Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
+ the conditional caging with a watchpoint.
+
+ This might be a 1% SunSpider slow-down, but it's not clear.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ (JSC::DFG::SpeculativeJIT::compileCreateRest):
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::compileGetButterfly):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2017-08-11 Yusuke Suzuki
+
+ Unreviewed, build fix for x86 GTK port
+ https://bugs.webkit.org/show_bug.cgi?id=175446
+
+ Use pushfl/popfl instead of pushfd/popfd.
+
+ * assembler/MacroAssemblerX86Common.cpp:
+
+2017-08-10 Mark Lam
+
+ Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
+ https://bugs.webkit.org/show_bug.cgi?id=175446
+
+
+ Reviewed by Saam Barati.
+
+ * assembler/AbstractMacroAssembler.h:
+ * assembler/MacroAssembler.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssembler.h:
+ * assembler/MacroAssemblerARM.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::trustedImm32FromPtr):
+ * assembler/MacroAssemblerARM64.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerARMv7.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
+ * assembler/MacroAssemblerPrinter.cpp:
+ * assembler/MacroAssemblerPrinter.h:
+ * assembler/MacroAssemblerX86Common.cpp:
+ * assembler/testmasm.cpp:
+ (JSC::isSpecialGPR):
+ (JSC::testProbeModifiesProgramCounter):
+ (JSC::run):
+ * b3/B3LowerToAir.cpp:
+ (JSC::B3::Air::LowerToAir::print):
+ * b3/air/AirPrintSpecial.cpp:
+ * b3/air/AirPrintSpecial.h:
+
+2017-08-10 Mark Lam
+
+ Apply the UNLIKELY macro to some unlikely things.
+ https://bugs.webkit.org/show_bug.cgi?id=175440
+
+
+ Reviewed by Yusuke Suzuki.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::~CodeBlock):
+ (JSC::CodeBlock::jettison):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleVarargsCall):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::JITCompiler):
+ (JSC::DFG::JITCompiler::linkOSRExits):
+ (JSC::DFG::JITCompiler::link):
+ (JSC::DFG::JITCompiler::disassemble):
+ * dfg/DFGJITFinalizer.cpp:
+ (JSC::DFG::JITFinalizer::finalizeCommon):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::compileOSRExit):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::Plan):
+ * ftl/FTLJITFinalizer.cpp:
+ (JSC::FTL::JITFinalizer::finalizeCommon):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::compileWithoutLinking):
+ (JSC::JIT::link):
+ * runtime/ScriptExecutable.cpp:
+ (JSC::ScriptExecutable::installCode):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+
+2017-08-09 Yusuke Suzuki
+
+ [WTF] ThreadSpecific should not introduce additional indirection
+ https://bugs.webkit.org/show_bug.cgi?id=175187
+
+ Reviewed by Mark Lam.
+
+ * runtime/Identifier.cpp:
+
+2017-08-10 Tim Horton
+
+ Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
+ https://bugs.webkit.org/show_bug.cgi?id=175436
+
+
+ Reviewed by Simon Fraser.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::Interpreter):
+
+2017-08-10 Michael Catanzaro
+
+ Remove ENABLE_GAMEPAD_DEPRECATED
+ https://bugs.webkit.org/show_bug.cgi?id=175361
+
+ Reviewed by Carlos Garcia Campos.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-08-09 Caio Lima
+
+ [JSC] Create JSSet constructor that accepts it's size as parameter
+ https://bugs.webkit.org/show_bug.cgi?id=173297
+
+ Reviewed by Saam Barati.
+
+ This patch is adding a new constructor to JSSet that gives its
+ expected initial size. It is important to avoid re-hashing and mutiple
+ allocations when we know the final size of JSSet, such as in
+ CodeBlock::setConstantIdentifierSetRegisters.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::setConstantIdentifierSetRegisters):
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapImpl::HashMapImpl):
+ * runtime/JSSet.h:
+
+2017-08-09 Commit Queue
+
+ Unreviewed, rolling out r220466, r220477, and r220487.
+ https://bugs.webkit.org/show_bug.cgi?id=175411
+
+ This change broke existing API tests and follow up fixes did
+ not resolve all the issues. (Requested by ryanhaddad on
+ #webkit).
+
+ Reverted changesets:
+
+ https://bugs.webkit.org/show_bug.cgi?id=175244
+ http://trac.webkit.org/changeset/220466
+
+ "WTF::Function does not allow for reference / non-default
+ constructible return types"
+ https://bugs.webkit.org/show_bug.cgi?id=175244
+ http://trac.webkit.org/changeset/220477
+
+ https://bugs.webkit.org/show_bug.cgi?id=175244
+ http://trac.webkit.org/changeset/220487
+
+2017-08-09 Caitlin Potter
+
+ Early error on ANY operator before new.target
+ https://bugs.webkit.org/show_bug.cgi?id=157970
+
+ Reviewed by Saam Barati.
+
+ Instead of throwing if any unary operator precedes new.target, only
+ throw if the unary operator updates the reference.
+
+ The following become legal in JSC:
+
+ ```
+ !new.target
+ ~new.target
+ typeof new.target
+ delete new.target
+ void new.target
+ ```
+
+ All of which are legal in v8 and SpiderMonkey in strict and sloppy mode
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseUnaryExpression):
+
+2017-08-09 Sam Weinig
+
+ WTF::Function does not allow for reference / non-default constructible return types
+ https://bugs.webkit.org/show_bug.cgi?id=175244
+
+ Reviewed by Chris Dumez.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::transferTo):
+ Call reset(), rather than clear() to avoid the call to destroy() in clear().
The
+ destroy call needed to be a no-op anyway, since the data is being moved.
+
+2017-08-09 Wenson Hsieh
+
+ [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
+ https://bugs.webkit.org/show_bug.cgi?id=175392
+
+
+ Reviewed by Tim Horton and Megan Gardner.
+
+ Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-08-09 Robin Morisset
+
+ Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
+ https://bugs.webkit.org/show_bug.cgi?id=175358
+
+ Reviewed by Mark Lam.
+
+ * jit/JITOperations.cpp:
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putInlineForJSObject):
+
+2017-08-09 Ryan Haddad
+
+ Unreviewed, rolling out r220457.
+
+ This change introduced API test failures.
+
+ Reverted changeset:
+
+ "WTF::Function does not allow for reference / non-default
+ constructible return types"
+ https://bugs.webkit.org/show_bug.cgi?id=175244
+ http://trac.webkit.org/changeset/220457
+
+2017-08-09 Sam Weinig
+
+ WTF::Function does not allow for reference / non-default constructible return types
+ https://bugs.webkit.org/show_bug.cgi?id=175244
+
+ Reviewed by Chris Dumez.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::transferTo):
+ Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
+ destroy call needed to be a no-op anyway, since the data is being moved.
+
+2017-08-09 Oleksandr Skachkov
+
+ REGRESSION: 2 test262/test/language/statements/async-function failures
+ https://bugs.webkit.org/show_bug.cgi?id=175334
+
+ Reviewed by Yusuke Suzuki.
+
+ Switch off useAsyncIterator by default
+
+ * runtime/Options.h:
+
+2017-08-08 Filip Pizlo
+
+ ICs should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175295
+
+ Reviewed by Saam Barati.
+
+ Adds the appropriate cage() calls in our inline caches.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::dumpCacheSizesAndCrash):
+ (JSC::InlineAccess::generateSelfPropertyAccess):
+ (JSC::InlineAccess::generateSelfPropertyReplace):
+ (JSC::InlineAccess::generateArrayLength):
+
+2017-08-08 Devin Rousso
+
+ Web Inspector: Canvas: support editing WebGL shaders
+ https://bugs.webkit.org/show_bug.cgi?id=124211
+
+
+ Reviewed by Matt Baker.
+
+ * inspector/protocol/Canvas.json:
+ Add `updateShader` command that will change the given shader's source to the provided string,
+ recompile, and relink it to its associated program.
+ Drive-by: add description to `requestShaderSource` command.
+
+2017-08-08 Robin Morisset
+
+ Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
+ https://bugs.webkit.org/show_bug.cgi?id=175347
+
+ Reviewed by Saam Barati.
+
+ This is done by making finishCreation explicitely check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
+ I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
+ negligible considering how much more finishCreation does.
+ This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
+ FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::setConstantIdentifierSetRegisters):
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/CodeBlock.h:
+ * runtime/ScriptExecutable.cpp:
+ (JSC::ScriptExecutable::newCodeBlockFor):
+
+2017-08-08 Michael Catanzaro
+
+ Unreviewed, fix Ubuntu LTS build
+ https://bugs.webkit.org/show_bug.cgi?id=174490
+
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ * inspector/remote/glib/RemoteInspectorServer.cpp:
+
+2017-08-08 Filip Pizlo
+
+ Baseline JIT should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175037
+
+ Reviewed by Mark Lam.
+
+ Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
+
+ Also modifies FTL caging to be more defensive when caging is disabled.
+
+ Relanded with fixed AssemblyHelpers::cageConditionally().
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::dumpCacheSizesAndCrash):
+ (JSC::InlineAccess::generateSelfPropertyAccess):
+ (JSC::InlineAccess::generateSelfPropertyReplace):
+ (JSC::InlineAccess::generateArrayLength):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cage):
+ (JSC::AssemblyHelpers::cageConditionally):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emit_op_put_to_scope):
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jsc.cpp:
+ (jscmain):
+ (primitiveGigacageDisabled): Deleted.
+
+2017-08-08 Ryan Haddad
+
+ Unreviewed, rolling out r220368.
+
+ This change caused WK1 tests to exit early with crashes.
+
+ Reverted changeset:
+
+ "Baseline JIT should do caging"
+ https://bugs.webkit.org/show_bug.cgi?id=175037
+ http://trac.webkit.org/changeset/220368
+
+2017-08-08 Michael Catanzaro
+
+ [CMake] Properly test if compiler supports compiler flags
+ https://bugs.webkit.org/show_bug.cgi?id=174490
+
+ Reviewed by Konstantin Tokarev.
+
+ * API/tests/PingPongStackOverflowTest.cpp:
+ (testPingPongStackOverflow):
+ * API/tests/testapi.c:
+ * b3/testb3.cpp:
+ (JSC::B3::testPatchpointLotsOfLateAnys):
+
+2017-08-06 Yusuke Suzuki
+
+ [Linux] Clear WasmMemory with madvice instead of memset
+ https://bugs.webkit.org/show_bug.cgi?id=175150
+
+ Reviewed by Filip Pizlo.
+
+ In Linux, zeroing pages with memset populates backing store.
+ Instead, we should use madvise with MADV_DONTNEED. It discards
+ pages. And if you access these pages, on-demand-zero-pages will
+ be shown.
+
+ We also commit grown pages in all OSes.
+
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::commitZeroPages):
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::grow):
+
+2017-08-07 Robin Morisset
+
+ GetOwnProperty of TypedArray indexed fields is wrongly configurable
+ https://bugs.webkit.org/show_bug.cgi?id=175307
+
+ Reviewed by Saam Barati.
+
+ ```
+ let a = new Uint8Array(10);
+ let b = Object.getOwnPropertyDescriptor(a, 0);
+ assert(b.configurable === false);
+ ```
+ should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
+ that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
+ that says that typed arrays are integer indexed exotic objects.
+
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlotByIndex):
+
+2017-08-07 Filip Pizlo
+
+ Baseline JIT should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175037
+
+ Reviewed by Mark Lam.
+
+ Adds a AssemblyHelpers::cage and cageConditionally.
Uses it in the baseline JIT.
+
+ Also modifies FTL caging to be more defensive when caging is disabled.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cage):
+ (JSC::AssemblyHelpers::cageConditionally):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emit_op_put_to_scope):
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jsc.cpp:
+ (jscmain):
+ (primitiveGigacageDisabled): Deleted.
+
+2017-08-06 Filip Pizlo
+
+ Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
+ https://bugs.webkit.org/show_bug.cgi?id=174919
+
+ Reviewed by Keith Miller.
+
+ This adapts JSC to there being two gigacages.
+
+ To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
+ singletons. I don't think we were gaining anything by making them be singletons.
+
+ This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
+ gigacages. We'll have one of those allocators per cage.
+
+ From there, this change teaches everyone who previously knew about cages that there are two cages.
+ This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
+ easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
+ not so obvious, so this change introduces some helpers to make it easy to define what cage you want
+ to use in one place and refer to it abstractly.
We do this in DirectArguments and GenericArguments.h
+
+ A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
+ CagedPtr. This removes one layer of "get()" calls from a bunch of places.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+ (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
+ (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * heap/FastMallocAlignedMemoryAllocator.cpp:
+ (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
+ * heap/FastMallocAlignedMemoryAllocator.h:
+ * heap/GigacageAlignedMemoryAllocator.cpp:
+ (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
+ (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
+ (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
+ (JSC::GigacageAlignedMemoryAllocator::dump const):
+ (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
+ * heap/GigacageAlignedMemoryAllocator.h:
+ * jsc.cpp:
+ (primitiveGigacageDisabled):
+ (jscmain):
+ (gigacageDisabled): Deleted.
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::tryAllocate):
+ (JSC::ArrayBuffer::createAdopted):
+ (JSC::ArrayBuffer::createFromBytes):
+ * runtime/AuxiliaryBarrier.h:
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createUninitialized):
+ (JSC::Butterfly::tryCreate):
+ (JSC::Butterfly::growArrayRight):
+ * runtime/CagedBarrierPtr.h: Added.
+ (JSC::CagedBarrierPtr::CagedBarrierPtr):
+ (JSC::CagedBarrierPtr::clear):
+ (JSC::CagedBarrierPtr::set):
+ (JSC::CagedBarrierPtr::get const):
+ (JSC::CagedBarrierPtr::getMayBeNull const):
+ (JSC::CagedBarrierPtr::operator== const):
+ (JSC::CagedBarrierPtr::operator!= const):
+ (JSC::CagedBarrierPtr::operator bool const):
+ (JSC::CagedBarrierPtr::setWithoutBarrier):
+ (JSC::CagedBarrierPtr::operator* const):
+ (JSC::CagedBarrierPtr::operator-> const):
+ (JSC::CagedBarrierPtr::operator[] const):
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::overrideThings):
+ (JSC::DirectArguments::unmapArgument):
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::isMappedArgument const):
+ * runtime/GenericArguments.h:
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::initModifiedArgumentsDescriptor):
+ (JSC::GenericArguments::setModifiedArgumentDescriptor):
+ (JSC::GenericArguments::isModifiedArgumentDescriptor):
+ * runtime/HashMapImpl.cpp:
+ (JSC::HashMapImpl::visitChildren):
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapBuffer::create):
+ (JSC::HashMapImpl::buffer const):
+ (JSC::HashMapImpl::rehash):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::tryCreateUninitializedRestricted):
+ (JSC::JSArray::unshiftCountSlowCase):
+ (JSC::JSArray::setLength):
+ (JSC::JSArray::pop):
+ (JSC::JSArray::push):
+ (JSC::JSArray::fastSlice):
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ * runtime/JSArray.h:
+
(JSC::JSArray::tryCreate):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ (JSC::JSArrayBufferView::finalize):
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::didAcquireLock):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::heapSnapshot):
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::enterDictionaryIndexingMode):
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::createArrayStorage):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+ (JSC::JSObject::convertUndecidedToArrayStorage):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToContiguous):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::setIndexQuicklyToUndecided):
+ (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::putIndexedDescriptor):
+ (JSC::JSObject::defineOwnIndexedProperty):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+ (JSC::JSObject::getNewVectorLength):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::reallocateAndShrinkButterfly):
+ (JSC::JSObject::allocateMoreOutOfLineStorage):
+ (JSC::JSObject::getEnumerableLength):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getArrayLength const):
+ (JSC::JSObject::getVectorLength):
+ (JSC::JSObject::putDirectIndex):
+ (JSC::JSObject::canGetIndexQuickly):
+ (JSC::JSObject::getIndexQuickly):
+ (JSC::JSObject::tryGetIndexQuickly const):
+ (JSC::JSObject::canSetIndexQuickly):
+ (JSC::JSObject::setIndexQuickly):
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::initializeIndexWithoutBarrier):
+ (JSC::JSObject::hasSparseMap):
+ (JSC::JSObject::inSparseIndexingMode):
+ (JSC::JSObject::butterfly const):
+ (JSC::JSObject::butterfly):
+ (JSC::JSObject::outOfLineStorage const):
+ (JSC::JSObject::outOfLineStorage):
+ (JSC::JSObject::ensureInt32):
+ (JSC::JSObject::ensureDouble):
+ (JSC::JSObject::ensureContiguous):
+ (JSC::JSObject::ensureArrayStorage):
+ (JSC::JSObject::arrayStorage):
+ (JSC::JSObject::arrayStorageOrNull):
+ (JSC::JSObject::ensureLength):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::tryCreateUninitializedRegExpMatchesArray):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ (JSC::VM::primitiveGigacageDisabledCallback):
+ (JSC::VM::primitiveGigacageDisabled):
+ (JSC::VM::gigacageDisabledCallback): Deleted.
+ (JSC::VM::gigacageDisabled): Deleted.
+ * runtime/VM.h:
+ (JSC::VM::gigacageAuxiliarySpace):
+ (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
+ (JSC::VM::primitiveGigacageEnabled):
+ (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
+ (JSC::VM::gigacageEnabled): Deleted.
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::~Memory):
+ (JSC::Wasm::Memory::grow):
+
+2017-08-07 Commit Queue
+
+ Unreviewed, rolling out r220144.
+ https://bugs.webkit.org/show_bug.cgi?id=175276
+
+ "It did not actually speed things up in the way I expected"
+ (Requested by saamyjoon on #webkit).
+
+ Reverted changeset:
+
+ "On memory-constrained iOS devices, reduce the rate at which
+ the JS heap grows before a GC to try to keep more memory
+ available for the system"
+ https://bugs.webkit.org/show_bug.cgi?id=175041
+ http://trac.webkit.org/changeset/220144
+
+2017-08-07 Ryan Haddad
+
+ Unreviewed, rolling out r220299.
+
+ This change caused LayoutTest inspector/dom-debugger/dom-
+ breakpoints.html to fail.
+
+ Reverted changeset:
+
+ "Web Inspector: capture async stack trace when workers/main
+ context posts a message"
+ https://bugs.webkit.org/show_bug.cgi?id=167084
+ http://trac.webkit.org/changeset/220299
+
+2017-08-07 Brian Burg
+
+ Remove CANVAS_PATH compilation guard
+ https://bugs.webkit.org/show_bug.cgi?id=175207
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-08-07 Keith Miller
+
+ REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
+ https://bugs.webkit.org/show_bug.cgi?id=175256
+
+ Reviewed by Saam Barati.
+
+ The check in createFromBytes just needed to check that the buffer was not null before
+ calling isCaged.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBuffer::createFromBytes):
+
+2017-08-05 Carlos Garcia Campos
+
+ [GTK][WPE] Add API to provide browser information required by automation
+ https://bugs.webkit.org/show_bug.cgi?id=175130
+
+ Reviewed by Brian Burg.
+
+ Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
+ get them.
+
+ * inspector/remote/RemoteInspector.cpp:
+ (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
+ requested to ensure they are updated before StartAutomationSession reply is sent.
+ * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
+ StartAutomationSession mesasage.
+
+2017-08-06 Yusuke Suzuki
+
+ Promise resolve and reject function should have length = 1
+ https://bugs.webkit.org/show_bug.cgi?id=175242
+
+ Reviewed by Saam Barati.
+
+ Previously we have separate system for "length" and "name" for builtin functions.
+ The builtin functions do not use lazy reifying system.
Instead, they have direct
+ properties when instantiating it. While the function created for properties (like
+ Array.prototype.filter) is created by JSFunction::createBuiltin(), function inside
+ these builtin functions are just created by JSFunction::create(). Since it does
+ not set any values for "length", these functions do not have "length" property.
+ So, the resolve and reject functions passed to Promise's executor do not have
+ "length" property.
+
+ This patch make builtin functions use standard lazy reifying system for "length".
+ So, "length" property of the builtin function just works as if the normal functions
+ do.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::createBuiltinFunction):
+ (JSC::JSFunction::getOwnPropertySlot):
+ (JSC::JSFunction::getOwnNonIndexPropertyNames):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::deleteProperty):
+ (JSC::JSFunction::defineOwnProperty):
+ (JSC::JSFunction::reifyLazyPropertyIfNeeded):
+ (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
+ (JSC::JSFunction::reifyLazyLengthIfNeeded):
+ (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
+ (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
+ * runtime/JSFunction.h:
+
+2017-08-06 Oleksandr Skachkov
+
+ [ESNext] Async iteration - Implement Async Generator - parser
+ https://bugs.webkit.org/show_bug.cgi?id=175210
+
+ Reviewed by Yusuke Suzuki.
+
+ Current implementation is draft version of Async Iteration.
+ Link to spec https://tc39.github.io/proposal-async-iteration/
+
+ Current patch implement only parser part of the Async generator
+ Runtime part will be in next ptches
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createFunctionMetadata):
+ * parser/Parser.cpp:
+ (JSC::getAsynFunctionBodyParseMode):
+ (JSC::Parser::parseInner):
+ (JSC::Parser::parseAsyncFunctionSourceElements):
+ (JSC::Parser::parseAsyncGeneratorFunctionSourceElements):
+ (JSC::stringArticleForFunctionMode):
+ (JSC::stringForFunctionMode):
+ (JSC::Parser::parseFunctionInfo):
+ (JSC::Parser::parseAsyncFunctionDeclaration):
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parseProperty):
+ (JSC::Parser::parsePropertyMethod):
+ (JSC::Parser::parseAsyncFunctionExpression):
+ * parser/Parser.h:
+ (JSC::Scope::setSourceParseMode):
+ * parser/ParserModes.h:
+ (JSC::isFunctionParseMode):
+ (JSC::isAsyncFunctionParseMode):
+ (JSC::isAsyncArrowFunctionParseMode):
+ (JSC::isAsyncGeneratorFunctionParseMode):
+ (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
+ (JSC::isAsyncFunctionWrapperParseMode):
+ (JSC::isAsyncFunctionBodyParseMode):
+ (JSC::isGeneratorMethodParseMode):
+ (JSC::isAsyncMethodParseMode):
+ (JSC::isAsyncGeneratorMethodParseMode):
+ (JSC::isMethodParseMode):
+ (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
+ (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
+
+2017-08-05 Filip Pizlo
+
+ REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
+ https://bugs.webkit.org/show_bug.cgi?id=175083
+
+ Reviewed by Oliver Hunt.
+
+ This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
+ even if we are using the pop path.
+
+ Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
+ important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
+ the world just because we changed it.
+ + Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it + easier to debug leaks. + + * bytecode/AccessCase.cpp: + * bytecode/PolymorphicAccess.cpp: + * heap/HeapCell.cpp: + (JSC::HeapCell::isLive): + * heap/HeapCellInlines.h: + (JSC::HeapCell::isLive): Deleted. + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::tryAllocateWithoutCollecting): + (JSC::MarkedAllocator::endMarking): + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::specializedSweep): + * jit/AssemblyHelpers.cpp: + * jit/Repatch.cpp: + * runtime/TestRunnerUtils.h: + * runtime/VM.cpp: + (JSC::waitForVMDestruction): + (JSC::VM::~VM): + +2017-08-05 Mark Lam + + Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3]. + https://bugs.webkit.org/show_bug.cgi?id=175228 + + + Reviewed by Saam Barati. + + Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and + delete OSRExit32_64.cpp. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGOSRExit32_64.cpp: Removed. + * jit/GPRInfo.h: + (JSC::JSValueSource::payloadGPR const): + +2017-08-04 Youenn Fablet + + [Cache API] Add Cache and CacheStorage IDL definitions + https://bugs.webkit.org/show_bug.cgi?id=175201 + + Reviewed by Brady Eidson. + + * runtime/CommonIdentifiers.h: + +2017-08-04 Mark Lam + + Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64). + https://bugs.webkit.org/show_bug.cgi?id=175230 + + + Reviewed by Saam Barati. + + * assembler/testmasm.cpp: + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + +2017-08-04 Mark Lam + + Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2]. + https://bugs.webkit.org/show_bug.cgi?id=175214 + + + Rubber-stamped by Michael Saboff. + + Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused + DFGOSRExitCompiler files. 
+ + Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp. + + Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp. It's only + used by compileOSRExit(), and will be changed to not be a DFG operation function + when we use JIT probes for DFG OSR exits later in + https://bugs.webkit.org/show_bug.cgi?id=175144. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGJITCompiler.cpp: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::emitRestoreArguments): + (JSC::DFG::OSRExit::compileOSRExit): + (JSC::DFG::OSRExit::compileExit): + (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure): + * dfg/DFGOSRExit.h: + * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp. + * dfg/DFGOSRExitCompiler.cpp: Removed. + * dfg/DFGOSRExitCompiler.h: Removed. + * dfg/DFGOSRExitCompiler32_64.cpp: Removed. + * dfg/DFGOSRExitCompiler64.cpp: Removed. + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGThunks.cpp: + +2017-08-04 Matt Baker + + Web Inspector: capture async stack trace when workers/main context posts a message + https://bugs.webkit.org/show_bug.cgi?id=167084 + + + Reviewed by Brian Burg. + + * inspector/agents/InspectorDebuggerAgent.h: + Add `PostMessage` async call type. + +2017-08-04 Mark Lam + + Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1]. + https://bugs.webkit.org/show_bug.cgi?id=175208 + + + Reviewed by Saam Barati. + + This will minimize the code diff and make it easier to review the patch for + https://bugs.webkit.org/show_bug.cgi?id=175144 later. We'll do this patch in 3 + steps: + + 1. Do the code changes to move methods into OSRExit. + 2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files. + 3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp. 
+ + Splitting this refactoring into these 3 steps also makes it easier to review this + patch and understand what is being changed. + + * dfg/DFGOSRExit.h: + * dfg/DFGOSRExitCompiler.cpp: + (JSC::DFG::OSRExit::emitRestoreArguments): + (JSC::DFG::OSRExit::compileOSRExit): + (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted. + (): Deleted. + * dfg/DFGOSRExitCompiler.h: + (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted. + (): Deleted. + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExit::compileExit): + (JSC::DFG::OSRExitCompiler::compileExit): Deleted. + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExit::compileExit): + (JSC::DFG::OSRExitCompiler::compileExit): Deleted. + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitGenerationThunkGenerator): + +2017-08-04 Devin Rousso + + Web Inspector: add source view for WebGL shader programs + https://bugs.webkit.org/show_bug.cgi?id=138593 + + + Reviewed by Matt Baker. + + * inspector/protocol/Canvas.json: + - Add `ShaderType` enum that contains "vertex" and "fragment". + - Add `requestShaderSource` command that will return the original source code for a given + shader program and shader type. + +2017-08-03 Filip Pizlo + + The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself + https://bugs.webkit.org/show_bug.cgi?id=175141 + + Reviewed by Mark Lam. + + To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this + decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have + to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now + determined by the AlignedMemoryAllocator object. + + This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could + trade blocks with them using canTradeBlocksWith(). 
This makes it difficult for two different + Subspaces that both use the same underlying allocator to realize that they can trade blocks with + each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if + they use the same AlignedMemoryAllocator. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/AlignedMemoryAllocator.cpp: Added. + (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator): + (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator): + * heap/AlignedMemoryAllocator.h: Added. + * heap/FastMallocAlignedMemoryAllocator.cpp: Added. + (JSC::FastMallocAlignedMemoryAllocator::singleton): + (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator): + (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator): + (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory): + (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory): + (JSC::FastMallocAlignedMemoryAllocator::dump const): + * heap/FastMallocAlignedMemoryAllocator.h: Added. + * heap/GigacageAlignedMemoryAllocator.cpp: Added. + (JSC::GigacageAlignedMemoryAllocator::singleton): + (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator): + (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator): + (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory): + (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory): + (JSC::GigacageAlignedMemoryAllocator::dump const): + * heap/GigacageAlignedMemoryAllocator.h: Added. + * heap/GigacageSubspace.cpp: Removed. + * heap/GigacageSubspace.h: Removed. 
+ * heap/LargeAllocation.cpp: + (JSC::LargeAllocation::tryCreate): + (JSC::LargeAllocation::destroy): + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::tryAllocateWithoutCollecting): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::tryCreate): + (JSC::MarkedBlock::Handle::Handle): + (JSC::MarkedBlock::Handle::~Handle): + (JSC::MarkedBlock::Handle::didAddToAllocator): + (JSC::MarkedBlock::Handle::subspace const): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::Handle::alignedMemoryAllocator const): + (JSC::MarkedBlock::Handle::subspace const): Deleted. + * heap/Subspace.cpp: + (JSC::Subspace::Subspace): + (JSC::Subspace::findEmptyBlockToSteal): + (JSC::Subspace::canTradeBlocksWith): Deleted. + (JSC::Subspace::tryAllocateAlignedMemory): Deleted. + (JSC::Subspace::freeAlignedMemory): Deleted. + * heap/Subspace.h: + (JSC::Subspace::name const): + (JSC::Subspace::alignedMemoryAllocator const): + * runtime/JSDestructibleObjectSubspace.cpp: + (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): + * runtime/JSDestructibleObjectSubspace.h: + * runtime/JSSegmentedVariableObjectSubspace.cpp: + (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): + * runtime/JSSegmentedVariableObjectSubspace.h: + * runtime/JSStringSubspace.cpp: + (JSC::JSStringSubspace::JSStringSubspace): + * runtime/JSStringSubspace.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: + (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): + * wasm/js/JSWebAssemblyCodeBlockSubspace.h: + +2017-08-04 Oleksandr Skachkov + + [ESNext] Async iteration - update feature.json + https://bugs.webkit.org/show_bug.cgi?id=175197 + + Reviewed by Yusuke Suzuki. + + Update feature.json to add status of the Async Iteration + + * features.json: + +2017-08-04 Matt Lewis + + Unreviewed, rolling out r220271. + + Rolling out due to Layout Test failing on iOS Simulator. 
+ + Reverted changeset: + + "Remove STREAMS_API compilation guard" + https://bugs.webkit.org/show_bug.cgi?id=175165 + http://trac.webkit.org/changeset/220271 + +2017-08-04 Youenn Fablet + + Remove STREAMS_API compilation guard + https://bugs.webkit.org/show_bug.cgi?id=175165 + + Reviewed by Darin Adler. + + * Configurations/FeatureDefines.xcconfig: + +2017-08-04 Oleksandr Skachkov + + [EsNext] Async iteration - Add feature flag + https://bugs.webkit.org/show_bug.cgi?id=166694 + + Reviewed by Yusuke Suzuki. + + Add feature flag to JSC to switch on/off Async Iterator + + * runtime/Options.h: + +2017-08-03 Brian Burg + + Remove ENABLE(WEB_SOCKET) guards + https://bugs.webkit.org/show_bug.cgi?id=167044 + + Reviewed by Joseph Pecoraro. + + * Configurations/FeatureDefines.xcconfig: + +2017-08-03 Youenn Fablet + + Remove FETCH_API compilation guard + https://bugs.webkit.org/show_bug.cgi?id=175154 + + Reviewed by Chris Dumez. + + * Configurations/FeatureDefines.xcconfig: + +2017-08-03 Matt Baker + + Web Inspector: Instrument WebGLProgram created/deleted + https://bugs.webkit.org/show_bug.cgi?id=175059 + + Reviewed by Devin Rousso. + + Extend the Canvas protocol with types/events for tracking WebGLPrograms. + + * inspector/protocol/Canvas.json: + +2017-08-03 Brady Eidson + + Add SW IDLs and stub out basic functionality. + https://bugs.webkit.org/show_bug.cgi?id=175115 + + Reviewed by Chris Dumez. + + * Configurations/FeatureDefines.xcconfig: + + * runtime/CommonIdentifiers.h: + +2017-08-03 Mark Lam + + Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength. + https://bugs.webkit.org/show_bug.cgi?id=175142 + + + Reviewed by Filip Pizlo. + + The convention in the rest of of JSC for such methods which return the address of + a field is to name them "addressOf". We'll rename + ScratchBuffer::activeLengthPtr to be consistent with this convention. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitGenerationThunkGenerator): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): + (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::debugCall): + * jit/ScratchRegisterAllocator.cpp: + (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall): + (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): + * runtime/VM.h: + (JSC::ScratchBuffer::addressOfActiveLength): + (JSC::ScratchBuffer::activeLengthPtr): Deleted. + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToJs): + +2017-08-02 Devin Rousso + + Web Inspector: add stack trace information for each RecordingAction + https://bugs.webkit.org/show_bug.cgi?id=174663 + + Reviewed by Joseph Pecoraro. + + * inspector/ScriptCallFrame.h: + Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find` + with an existing value doesn't need require a functor and can use existing code. + + * interpreter/StackVisitor.h: + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header. + +2017-08-02 Yusuke Suzuki + + Merge WTFThreadData to Thread::current + https://bugs.webkit.org/show_bug.cgi?id=174716 + + Reviewed by Mark Lam. + + Use Thread::current() instead. 
+ + * API/JSContext.mm: + (+[JSContext currentContext]): + (+[JSContext currentThis]): + (+[JSContext currentCallee]): + (+[JSContext currentArguments]): + (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]): + (-[JSContext endCallbackWithData:]): + * heap/Heap.cpp: + (JSC::Heap::requestCollection): + * runtime/Completion.cpp: + (JSC::checkSyntax): + (JSC::checkModuleSyntax): + (JSC::evaluate): + (JSC::loadAndEvaluateModule): + (JSC::loadModule): + (JSC::linkAndEvaluateModule): + (JSC::importModule): + * runtime/Identifier.cpp: + (JSC::Identifier::checkCurrentAtomicStringTable): + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + (JSC::JSLock::willReleaseLock): + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::updateStackLimits): + (JSC::VM::committedStackByteCount): + * runtime/VM.h: + (JSC::VM::isSafeToRecurse const): + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + * runtime/VMInlines.h: + (JSC::VM::ensureStackCapacityFor): + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const): + +2017-08-02 Filip Pizlo + + LLInt should do pointer caging + https://bugs.webkit.org/show_bug.cgi?id=175036 + + Reviewed by Keith Miller. + + Implementing this in the LLInt was challenging because offlineasm did not previously know + how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens + to be where the Gigacage is enabled right now. + + * llint/LLIntOfflineAsmConfig.h: + * llint/LowLevelInterpreter64.asm: + * offlineasm/ast.rb: + * offlineasm/x86.rb: + +2017-08-02 Filip Pizlo + + Sweeping should only scribble when sweeping to free list + https://bugs.webkit.org/show_bug.cgi?id=175105 + + Reviewed by Saam Barati. + + I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. 
This + can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the + zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we + didn't used to do destruction on the bump path. No destruction, no zapping. Looking at the pop + path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word + when it doesn't matter anyway because we're building a free list. + + This is a fix for those crashes on the bots because it means that we'll no longer scribble over the + zap. + + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::specializedSweep): + +2017-08-02 Filip Pizlo + + All C++ accesses to JSObject::m_butterfly should do caging + https://bugs.webkit.org/show_bug.cgi?id=175039 + + Reviewed by Keith Miller. + + Makes JSObject::m_butterfly a AuxiliaryBarrier> and adopts the CagedPtr<> API. + This ensures that you can't cause C++ code to access a butterfly that has been rewired to point + outside the gigacage. 
+ + * runtime/JSArray.cpp: + (JSC::JSArray::setLength): + (JSC::JSArray::pop): + (JSC::JSArray::push): + (JSC::JSArray::shiftCountWithAnyIndexingType): + (JSC::JSArray::unshiftCountWithAnyIndexingType): + (JSC::JSArray::fillArgList): + (JSC::JSArray::copyToArguments): + * runtime/JSObject.cpp: + (JSC::JSObject::heapSnapshot): + (JSC::JSObject::createInitialIndexedStorage): + (JSC::JSObject::createArrayStorage): + (JSC::JSObject::convertUndecidedToInt32): + (JSC::JSObject::convertUndecidedToDouble): + (JSC::JSObject::convertUndecidedToContiguous): + (JSC::JSObject::convertInt32ToDouble): + (JSC::JSObject::convertInt32ToArrayStorage): + (JSC::JSObject::convertDoubleToContiguous): + (JSC::JSObject::convertDoubleToArrayStorage): + (JSC::JSObject::convertContiguousToArrayStorage): + (JSC::JSObject::defineOwnIndexedProperty): + (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): + (JSC::JSObject::ensureLengthSlow): + (JSC::JSObject::allocateMoreOutOfLineStorage): + * runtime/JSObject.h: + (JSC::JSObject::canGetIndexQuickly): + (JSC::JSObject::getIndexQuickly): + (JSC::JSObject::tryGetIndexQuickly const): + (JSC::JSObject::canSetIndexQuickly): + (JSC::JSObject::setIndexQuickly): + (JSC::JSObject::initializeIndex): + (JSC::JSObject::initializeIndexWithoutBarrier): + (JSC::JSObject::butterfly const): + (JSC::JSObject::butterfly): + +2017-08-02 Filip Pizlo + + We should be OK with the gigacage being disabled on gmalloc + https://bugs.webkit.org/show_bug.cgi?id=175082 + + Reviewed by Michael Saboff. + + * jsc.cpp: + (jscmain): + +2017-08-02 Saam Barati + + On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system + https://bugs.webkit.org/show_bug.cgi?id=175041 + + + Reviewed by Filip Pizlo. + + The testing I have done shows that this new function is a ~10% + progression running JetStream on 1GB iOS devices. 
I've also tried + this on a few > 1GB iOS devices, and the testing shows this is either neutral + or a regression. Right now, we'll just enable this for <= 1GB devices + since it's a win. In the future, we might want to either look into + tweaking these parameters or coming up with a new function for > 1GB + devices. + + * heap/Heap.cpp: + * runtime/Options.h: + +2017-08-01 Filip Pizlo + + Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region) + https://bugs.webkit.org/show_bug.cgi?id=174727 + + Reviewed by Mark Lam. + + This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in + one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses + themselves. Basically, we do masking to ensure that the pointer points into the gigacage. + + This is neutral on JetStream. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/B3InsertionSet.cpp: + (JSC::B3::InsertionSet::execute): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGClobberize.cpp: + (JSC::DFG::readsOverlap): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added. + (JSC::DFG::performFixedButterflyAccessUncaging): + * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added. 
+ * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNodeType.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetButterfly): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly): + (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): + (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket): + (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): + (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase): + (JSC::FTL::DFG::LowerDFGToB3::caged): + * heap/GigacageSubspace.cpp: Added. + (JSC::GigacageSubspace::GigacageSubspace): + (JSC::GigacageSubspace::~GigacageSubspace): + (JSC::GigacageSubspace::tryAllocateAlignedMemory): + (JSC::GigacageSubspace::freeAlignedMemory): + (JSC::GigacageSubspace::canTradeBlocksWith): + * heap/GigacageSubspace.h: Added. + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::lastChanceToFinalize): + (JSC::Heap::finalize): + (JSC::Heap::sweepInFinalize): + (JSC::Heap::updateAllocationLimits): + (JSC::Heap::shouldDoFullCollection): + (JSC::Heap::collectIfNecessaryOrDefer): + (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted. 
+ (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted. + (JSC::Heap::sweepLargeAllocations): Deleted. + (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted. + * heap/Heap.h: + * heap/LargeAllocation.cpp: + (JSC::LargeAllocation::tryCreate): + (JSC::LargeAllocation::destroy): + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::tryAllocateWithoutCollecting): + (JSC::MarkedAllocator::tryAllocateBlock): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::tryCreate): + (JSC::MarkedBlock::Handle::Handle): + (JSC::MarkedBlock::Handle::~Handle): + (JSC::MarkedBlock::Handle::didAddToAllocator): + (JSC::MarkedBlock::Handle::subspace const): Deleted. + * heap/MarkedBlock.h: + (JSC::MarkedBlock::Handle::subspace const): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::~MarkedSpace): + (JSC::MarkedSpace::freeMemory): + (JSC::MarkedSpace::prepareForAllocation): + (JSC::MarkedSpace::addMarkedAllocator): + (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted. + * heap/MarkedSpace.h: + (JSC::MarkedSpace::firstAllocator const): + (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted. 
+ * heap/Subspace.cpp: + (JSC::Subspace::Subspace): + (JSC::Subspace::canTradeBlocksWith): + (JSC::Subspace::tryAllocateAlignedMemory): + (JSC::Subspace::freeAlignedMemory): + (JSC::Subspace::prepareForAllocation): + (JSC::Subspace::findEmptyBlockToSteal): + * heap/Subspace.h: + (JSC::Subspace::didCreateFirstAllocator): + * heap/SubspaceInlines.h: + (JSC::Subspace::forEachAllocator): + (JSC::Subspace::forEachMarkedBlock): + (JSC::Subspace::forEachNotEmptyMarkedBlock): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitDoubleLoad): + (JSC::JIT::emitContiguousLoad): + (JSC::JIT::emitArrayStorageLoad): + (JSC::JIT::emitGenericContiguousPutByVal): + (JSC::JIT::emitArrayStoragePutByVal): + (JSC::JIT::emit_op_get_from_scope): + (JSC::JIT::emit_op_put_to_scope): + (JSC::JIT::emitIntTypedArrayGetByVal): + (JSC::JIT::emitFloatTypedArrayGetByVal): + (JSC::JIT::emitIntTypedArrayPutByVal): + (JSC::JIT::emitFloatTypedArrayPutByVal): + * jsc.cpp: + (fillBufferWithContentsOfFile): + (functionReadFile): + (gigacageDisabled): + (jscmain): + * llint/LowLevelInterpreter64.asm: + * runtime/ArrayBuffer.cpp: + (JSC::ArrayBufferContents::tryAllocate): + (JSC::ArrayBuffer::createAdopted): + (JSC::ArrayBuffer::createFromBytes): + (JSC::ArrayBuffer::tryCreate): + * runtime/IndexingHeader.h: + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/JSArrayBuffer.cpp: + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): + (JSC::JSArrayBufferView::finalize): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + * runtime/JSObject.h: + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/Options.h: + * runtime/ScopedArgumentsTable.h: + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::~VM): + (JSC::VM::gigacageDisabledCallback): + (JSC::VM::gigacageDisabled): + * runtime/VM.h: + (JSC::VM::fireGigacageEnabledIfNecessary): + (JSC::VM::gigacageEnabled): + * wasm/WasmB3IRGenerator.cpp: + 
(JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): + * wasm/WasmCodeBlock.cpp: + (JSC::Wasm::CodeBlock::isSafeToRun): + * wasm/WasmMemory.cpp: + (JSC::Wasm::makeString): + (JSC::Wasm::Memory::create): + (JSC::Wasm::Memory::~Memory): + (JSC::Wasm::Memory::addressIsInActiveFastMemory): + (JSC::Wasm::Memory::grow): + (JSC::Wasm::Memory::initializePreallocations): Deleted. + (JSC::Wasm::Memory::maxFastMemoryCount): Deleted. + * wasm/WasmMemory.h: + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyMemory.cpp: + (JSC::JSWebAssemblyMemory::grow): + (JSC::JSWebAssemblyMemory::finishCreation): + * wasm/js/JSWebAssemblyMemory.h: + (JSC::JSWebAssemblyMemory::subspaceFor): + +2017-07-31 Mark Lam + + Added some UNLIKELYs to operationOptimize(). + https://bugs.webkit.org/show_bug.cgi?id=174976 + + Reviewed by JF Bastien. + + * jit/JITOperations.cpp: + +2017-07-31 Keith Miller + + Make more things LLInt constexprs + https://bugs.webkit.org/show_bug.cgi?id=174994 + + Reviewed by Saam Barati. + + This patch makes more const values in the LLInt constexprs. + It also deletes all of the no longer necessary static_asserts in + LLIntData.cpp. Finally, it fixes a typo in parser.rb. + + * interpreter/ShadowChicken.h: + (JSC::ShadowChicken::Packet::tailMarker): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LowLevelInterpreter.asm: + * offlineasm/generate_offset_extractor.rb: + * offlineasm/parser.rb: + +2017-07-31 Matt Lewis + + Unreviewed, rolling out r220060. + + This broke our internal builds. Contact reviewer of patch for + more information. + + Reverted changeset: + + "Merge WTFThreadData to Thread::current" + https://bugs.webkit.org/show_bug.cgi?id=174716 + http://trac.webkit.org/changeset/220060 + +2017-07-31 Yusuke Suzuki + + [JSC] Support optional catch binding + https://bugs.webkit.org/show_bug.cgi?id=174981 + + Reviewed by Saam Barati. 
+ + This patch implements optional catch binding proposal[1], which is now stage 3. + This proposal adds a new `catch` brace with no error value binding. + + ``` + try { + ... + } catch { + ... + } + ``` + + Sometimes we do not need to get error value actually. For example, the function returns + boolean which means whether the function succeeds. + + ``` + function parse(result) // -> bool + { + try { + parseInner(result); + } catch { + return false; + } + return true; + } + ``` + + In the above case, we are not interested in the actual error value. Without this syntax, + we always need to introduce a binding for an error value that is just ignored. + + [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/ + + * bytecompiler/NodesCodegen.cpp: + (JSC::TryNode::emitBytecode): + * parser/Parser.cpp: + (JSC::Parser::parseTryStatement): + +2017-07-31 Yusuke Suzuki + + Merge WTFThreadData to Thread::current + https://bugs.webkit.org/show_bug.cgi?id=174716 + + Reviewed by Sam Weinig. + + Use Thread::current() instead. 
+ + * API/JSContext.mm: + (+[JSContext currentContext]): + (+[JSContext currentThis]): + (+[JSContext currentCallee]): + (+[JSContext currentArguments]): + (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]): + (-[JSContext endCallbackWithData:]): + * heap/Heap.cpp: + (JSC::Heap::requestCollection): + * runtime/Completion.cpp: + (JSC::checkSyntax): + (JSC::checkModuleSyntax): + (JSC::evaluate): + (JSC::loadAndEvaluateModule): + (JSC::loadModule): + (JSC::linkAndEvaluateModule): + (JSC::importModule): + * runtime/Identifier.cpp: + (JSC::Identifier::checkCurrentAtomicStringTable): + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + (JSC::JSLock::willReleaseLock): + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::updateStackLimits): + (JSC::VM::committedStackByteCount): + * runtime/VM.h: + (JSC::VM::isSafeToRecurse const): + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + * runtime/VMInlines.h: + (JSC::VM::ensureStackCapacityFor): + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const): + +2017-07-30 Yusuke Suzuki + + [WTF] Introduce Private Symbols + https://bugs.webkit.org/show_bug.cgi?id=174935 + + Reviewed by Darin Adler. + + Use SymbolImpl::isPrivate(). + + * builtins/BuiltinNames.cpp: + * builtins/BuiltinNames.h: + (JSC::BuiltinNames::isPrivateName): Deleted. + * builtins/BuiltinUtils.h: + * bytecode/BytecodeIntrinsicRegistry.cpp: + (JSC::BytecodeIntrinsicRegistry::lookup): + * runtime/CommonIdentifiers.cpp: + (JSC::CommonIdentifiers::isPrivateName): Deleted. 
+ * runtime/CommonIdentifiers.h: + * runtime/ExceptionHelpers.cpp: + (JSC::createUndefinedVariableError): + * runtime/Identifier.h: + (JSC::Identifier::isPrivateName): + * runtime/IdentifierInlines.h: + (JSC::identifierToSafePublicJSValue): + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorAssign): + (JSC::defineProperties): + (JSC::setIntegrityLevel): + (JSC::testIntegrityLevel): + (JSC::ownPropertyKeys): + * runtime/PrivateName.h: + (JSC::PrivateName::PrivateName): + * runtime/PropertyName.h: + (JSC::PropertyName::isPrivateName): + * runtime/ProxyObject.cpp: + (JSC::performProxyGet): + (JSC::ProxyObject::performInternalMethodGetOwnProperty): + (JSC::ProxyObject::performHasProperty): + (JSC::ProxyObject::performPut): + (JSC::ProxyObject::performDelete): + (JSC::ProxyObject::performDefineOwnProperty): + +2017-07-29 Keith Miller + + LLInt offsets extractor should be able to handle C++ constexprs + https://bugs.webkit.org/show_bug.cgi?id=174964 + + Reviewed by Saam Barati. + + This patch adds new syntax to the offline asm language. The new keyword, + constexpr, takes the subsequent identifier and maps it to a C++ constexpr + expression. Additionally, if the value is not an identifier you can wrap it in + parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)), + which will get converted into: + static_cast(myConstexprFunction() + OBJECT_OFFSET(Foo, bar)); + + This patch also changes the data format the LLIntOffsetsExtractor + binary produces. Previously, it would produce unsigned values, + after this patch every value is an int64_t. Using an int64_t is + useful because it means that we can represent any constant needed. + int32_t masks are sign extended then passed then converted to a + negative literal sting in the assembler so it will be the constant + expected. 
+ + * llint/LLIntOffsetsExtractor.cpp: + (JSC::LLIntOffsetsExtractor::dummy): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/asm.rb: + * offlineasm/ast.rb: + * offlineasm/generate_offset_extractor.rb: + * offlineasm/offsets.rb: + * offlineasm/parser.rb: + * offlineasm/transform.rb: + +2017-07-28 Matt Baker + + Web Inspector: capture an async stack trace when web content calls addEventListener + https://bugs.webkit.org/show_bug.cgi?id=174739 + + + Reviewed by Brian Burg. + + Allow debugger agents to perform custom logic when asynchronous stack + trace data is cleared. For example, the PageDebuggerAgent would clear + its list of registered listeners for which call stacks have been recorded. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData): + * inspector/agents/InspectorDebuggerAgent.h: + +2017-07-28 Mark Lam + + ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently. + https://bugs.webkit.org/show_bug.cgi?id=174948 + + + Reviewed by Filip Pizlo. + + ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData. If its + owner StructureRareData is already known to be dead (in terms of GC liveness) but + hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all + requests to fire this watchpoint. + + If the GC had the chance to sweep the StructureRareData, thereby destructing the + ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed + itself from the WatchpointSet it was on. Hence, it would not have been fired. + + But since the watchpoint hasn't been destructed yet, it still remains on the + WatchpointSet and needs to guard against being fired in this state. The fix is + to simply return early if its owner StructureRareData is not live. This has the + effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint + not firing as we would expect. 
+ + This patch also removes some cargo cult copying of watchpoint code which + instantiates a StringFireDetail. In a few cases, that StringFireDetail is never + used. This patch removes these unnecessary instantiations. + + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: + (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal): + * runtime/StructureRareData.cpp: + (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal): + (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire): + +2017-07-28 Yusuke Suzuki + + ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread + https://bugs.webkit.org/show_bug.cgi?id=174900 + + Reviewed by Saam Barati. + + In the arguments elimination phase, due to high cost of AI, we intentionally do not run AI. + Instead, we use ForceOSRExit etc. (pseudo terminals) not to look into unreachable nodes. + The problem is that even transforming phase also checks this pseudo terminals. + + BB1 + 1: ForceOSRExit + 2: CreateDirectArguments + + BB2 + 3: GetButterfly(@2) + 4: ForceOSRExit + + In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires. + + In this patch, we do not list candidates up after seeing pseudo terminals in basic blocks. + + * dfg/DFGArgumentsEliminationPhase.cpp: + +2017-07-27 Oleksandr Skachkov + + [ES] Add support finally to Promise + https://bugs.webkit.org/show_bug.cgi?id=174503 + + Reviewed by Yusuke Suzuki. 
+ + Add support `finally` method to Promise according + to the https://bugs.webkit.org/show_bug.cgi?id=174503 + Current spec on STAGE 3 + https://github.com/tc39/proposal-promise-finally + + * builtins/PromisePrototype.js: + (finally): + (const.valueThunk): + (globalPrivate.getThenFinally): + (const.thrower): + (globalPrivate.getCatchFinally): + * runtime/JSPromisePrototype.cpp: + +2017-07-27 Yusuke Suzuki + + Unreviewed, build fix for CLoop + https://bugs.webkit.org/show_bug.cgi?id=171637 + + * domjit/DOMJITGetterSetter.h: + +2017-07-27 Yusuke Suzuki + + Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass + https://bugs.webkit.org/show_bug.cgi?id=171637 + + Reviewed by Darin Adler. + + Each DOM attribute getter has the code to perform ClassInfo check. But it is largely duplicate and causes code bloating. + In this patch, we move ClassInfo check from WebCore to JSC and reduce code size. + + We introduce DOMAnnotation which has ClassInfo* and DOMJIT::GetterSetter*. If the getter is not DOMJIT getter, this + DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers. + + In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for + op_get_by_id_with_this case yet. + In DFG and FTL, we emit CheckSubClass node. Which is typically removed by CheckStructure leading to CheckSubClass. + + And we add DOMAttributeGetterSetter, which is derived class of CustomGetterSetter. It holds DOMAnnotation and perform + ClassInfo check. 
+ + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::GetByIdVariant): + (JSC::GetByIdVariant::operator=): + (JSC::GetByIdVariant::attemptToMerge): + (JSC::GetByIdVariant::dumpInContext): + * bytecode/GetByIdVariant.h: + (JSC::GetByIdVariant::customAccessorGetter): + (JSC::GetByIdVariant::domAttribute): + (JSC::GetByIdVariant::domJIT): Deleted. + * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::create): + (JSC::GetterSetterAccessCase::GetterSetterAccessCase): + (JSC::GetterSetterAccessCase::emitDOMJITGetter): + * bytecode/GetterSetterAccessCase.h: + (JSC::GetterSetterAccessCase::domAttribute): + (JSC::GetterSetterAccessCase::customAccessor): + (JSC::GetterSetterAccessCase::domJIT): Deleted. + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::instantiateLexicalVariables): + * create_hash_table: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::blessCallDOMGetter): + (JSC::DFG::ByteCodeParser::handleDOMJITGetter): + (JSC::DFG::ByteCodeParser::handleGetById): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callCustomGetter): + * domjit/DOMJITGetterSetter.h: + (JSC::DOMJIT::GetterSetter::GetterSetter): + (JSC::DOMJIT::GetterSetter::getter): + (JSC::DOMJIT::GetterSetter::compiler): + (JSC::DOMJIT::GetterSetter::resultType): + (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted. + (JSC::DOMJIT::GetterSetter::setter): Deleted. + (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted. 
+ * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + * jsc.cpp: + (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): + (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): + (WTF::DOMJITGetter::customGetter): + (WTF::DOMJITGetter::finishCreation): + (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): + (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): + (WTF::DOMJITGetterComplex::customGetter): + (WTF::DOMJITGetterComplex::finishCreation): + (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted. + (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted. + (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted. + (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted. + (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted. + (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted. + * runtime/CustomGetterSetter.h: + (JSC::CustomGetterSetter::create): + (JSC::CustomGetterSetter::setter): + (JSC::CustomGetterSetter::CustomGetterSetter): + (): Deleted. + * runtime/DOMAnnotation.h: Added. + (JSC::operator==): + (JSC::operator!=): + * runtime/DOMAttributeGetterSetter.cpp: Added. + * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h. + (JSC::isDOMAttributeGetterSetter): + * runtime/Error.cpp: + (JSC::throwDOMAttributeGetterTypeError): + * runtime/Error.h: + (JSC::throwVMDOMAttributeGetterTypeError): + * runtime/JSCustomGetterSetterFunction.cpp: + (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall): + * runtime/JSObject.cpp: + (JSC::JSObject::putInlineSlow): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::getOwnStaticPropertySlot): + (JSC::JSObject::reifyAllStaticProperties): + (JSC::JSObject::fillGetterPropertySlot): + (JSC::JSObject::findPropertyHashEntry): Deleted. 
+ * runtime/JSObject.h: + (JSC::JSObject::getOwnNonIndexPropertySlot): + (JSC::JSObject::fillCustomGetterPropertySlot): + * runtime/Lookup.cpp: + (JSC::setUpStaticFunctionSlot): + * runtime/Lookup.h: + (JSC::HashTableValue::domJIT): + (JSC::getStaticPropertySlotFromTable): + (JSC::putEntry): + (JSC::lookupPut): + (JSC::reifyStaticProperty): + (JSC::reifyStaticProperties): + Each static property table has a new field ClassInfo*. It indicates that which ClassInfo check DOMAttribute registered in + this static property table requires. + + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/PropertyName.h: + * runtime/PropertySlot.cpp: + (JSC::PropertySlot::customGetter): + (JSC::PropertySlot::customAccessorGetter): + * runtime/PropertySlot.h: + (JSC::PropertySlot::domAttribute): + (JSC::PropertySlot::setCustom): + (JSC::PropertySlot::setCacheableCustom): + (JSC::PropertySlot::getValue): + (JSC::PropertySlot::domJIT): Deleted. + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2017-07-26 Devin Rousso + + Web Inspector: create protocol for recording Canvas contexts + https://bugs.webkit.org/show_bug.cgi?id=174481 + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Canvas.json: + - Add `requestRecording` command to mark the provided canvas as having requested a recording. + - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data. + - Add `recordingFinished` event that is fired once a recording is finished. + + * CMakeLists.txt: + * DerivedSources.make: + * inspector/protocol/Recording.json: Added. + - Add `Type` enum that lists the types of recordings + - Add `InitialState` type that contains information about the canvas context at the + beginning of the recording. + - Add `Frame` type that holds a list of actions that were recorded. + - Add `Recording` type as the container object of recording data. 
+ + * inspector/scripts/codegen/generate_js_backend_commands.py: + (JSBackendCommandsGenerator.generate_domain): + Create an agent for domains with no events or commands. + + * inspector/InspectorValues.h: + Make Array `get` public so that values can be retrieved if needed. + +2017-07-26 Brian Burg + + Remove WEB_TIMING feature flag + https://bugs.webkit.org/show_bug.cgi?id=174795 + + Reviewed by Alex Christensen. + + * Configurations/FeatureDefines.xcconfig: + +2017-07-26 Mark Lam + + Add the ability to change sp and pc to the ARM64 JIT probe. + https://bugs.webkit.org/show_bug.cgi?id=174697 + + + Reviewed by JF Bastien. + + This patch implements the following: + + 1. The ARM64 probe now supports modifying the pc and sp. + + However, lr is not preserved when modifying the pc because it is used as the + scratch register for the indirect jump. Hence, the probe handler function + may not modify both lr and pc in the same probe invocation. + + 2. Fix probe tests to use bitwise comparison when comparing double register + values. Otherwise, equivalent nan values will be interpreted as not equivalent. + + 3. Change the minimum offset increment in testProbeModifiesStackPointer to be + 16 bytes for ARM64. This is because the ARM64 probe now uses the ldp and stp + instructions which require 16 byte alignment for their memory access. + + * assembler/MacroAssemblerARM64.cpp: + (JSC::arm64ProbeError): + (JSC::MacroAssembler::probe): + (JSC::arm64ProbeTrampoline): Deleted. + * assembler/testmasm.cpp: + (JSC::isSpecialGPR): + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + (JSC::testProbePreservesGPRS): + (JSC::testProbeModifiesStackPointer): + (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): + (JSC::testProbeModifiesStackPointerToNBytesBelowSP): + +2017-07-25 JF Bastien + + WebAssembly: generate smaller binaries + https://bugs.webkit.org/show_bug.cgi?id=174818 + + Reviewed by Filip Pizlo. 
+ + This patch reduces generated code size for WebAssembly in 2 ways: + + 1. Use the ZR register when storing zero on ARM64. + 2. Synthesize wasm context lazily. + + This leads to a modest size reduction on both x86-64 and ARM64 for + large WebAssembly games, without any performance loss on WasmBench + and TitzerBench. + + The reason this works is that these games, using Emscripten, + generate 100k+ tiny functions, and our JIT allocation granule + rounds all allocations up to 32 bytes. There are plenty of other + simple gains to be had, I've filed a follow-up bug at + webkit.org/b/174819 + + We should further avoid the per-function cost of tiering, which + represents the bulk of code generated for small functions. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::storeZero64): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::storeZero64): + * b3/B3LowerToAir.cpp: + (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense + for x86 because it constrains register reuse and codegen in a way + that doesn't affect ARM64 because it has a dedicated zero + register. + * b3/air/AirOpcode.opcodes: add the storeZero64 opcode. + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::instanceValue): + (JSC::Wasm::B3IRGenerator::restoreWasmContext): + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted. + +2017-07-23 Filip Pizlo + + B3 should do LICM + https://bugs.webkit.org/show_bug.cgi?id=174750 + + Reviewed by Keith Miller and Saam Barati. + + Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming + convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators, + so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This + change templatizes DFG::NaturalLoops so that we can just use it. + + The LICM phase itself is really simple. 
We are decently precise with our handling of everything except + the relationship between control dependence and side exits. + + Also added a bunch of tests. + + This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and + probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase + so it doesn't hurt to have it. + + I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to + handle the problem I had, so I ended up not needed it - but by then I had already written it. I think + it's good to have it because LICM is one of those core compiler phases; every compiler has it + eventually. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/B3BackwardsCFG.h: Added. + (JSC::B3::BackwardsCFG::BackwardsCFG): + * b3/B3BackwardsDominators.h: Added. + (JSC::B3::BackwardsDominators::BackwardsDominators): + * b3/B3BasicBlock.cpp: + (JSC::B3::BasicBlock::appendNonTerminal): + * b3/B3Effects.h: + * b3/B3EnsureLoopPreHeaders.cpp: Added. + (JSC::B3::ensureLoopPreHeaders): + * b3/B3EnsureLoopPreHeaders.h: Added. + * b3/B3Generate.cpp: + (JSC::B3::generateToAir): + * b3/B3HoistLoopInvariantValues.cpp: Added. + (JSC::B3::hoistLoopInvariantValues): + * b3/B3HoistLoopInvariantValues.h: Added. + * b3/B3NaturalLoops.h: Added. 
+ (JSC::B3::NaturalLoops::NaturalLoops): + * b3/B3Procedure.cpp: + (JSC::B3::Procedure::invalidateCFG): + (JSC::B3::Procedure::naturalLoops): + (JSC::B3::Procedure::backwardsCFG): + (JSC::B3::Procedure::backwardsDominators): + * b3/B3Procedure.h: + * b3/testb3.cpp: + (JSC::B3::generateLoop): + (JSC::B3::makeArrayForLoops): + (JSC::B3::generateLoopNotBackwardsDominant): + (JSC::B3::oneFunction): + (JSC::B3::noOpFunction): + (JSC::B3::testLICMPure): + (JSC::B3::testLICMPureSideExits): + (JSC::B3::testLICMPureWritesPinned): + (JSC::B3::testLICMPureWrites): + (JSC::B3::testLICMReadsLocalState): + (JSC::B3::testLICMReadsPinned): + (JSC::B3::testLICMReads): + (JSC::B3::testLICMPureNotBackwardsDominant): + (JSC::B3::testLICMPureFoiledByChild): + (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild): + (JSC::B3::testLICMExitsSideways): + (JSC::B3::testLICMWritesLocalState): + (JSC::B3::testLICMWrites): + (JSC::B3::testLICMFence): + (JSC::B3::testLICMWritesPinned): + (JSC::B3::testLICMControlDependent): + (JSC::B3::testLICMControlDependentNotBackwardsDominant): + (JSC::B3::testLICMControlDependentSideExits): + (JSC::B3::testLICMReadsPinnedWritesPinned): + (JSC::B3::testLICMReadsWritesDifferentHeaps): + (JSC::B3::testLICMReadsWritesOverlappingHeaps): + (JSC::B3::testLICMDefaultCall): + (JSC::B3::run): + * dfg/DFGBasicBlock.h: + * dfg/DFGCFG.h: + * dfg/DFGNaturalLoops.cpp: Removed. + * dfg/DFGNaturalLoops.h: + (JSC::DFG::NaturalLoops::NaturalLoops): + (JSC::DFG::NaturalLoop::NaturalLoop): Deleted. + (JSC::DFG::NaturalLoop::header): Deleted. + (JSC::DFG::NaturalLoop::size): Deleted. + (JSC::DFG::NaturalLoop::at): Deleted. + (JSC::DFG::NaturalLoop::operator[]): Deleted. + (JSC::DFG::NaturalLoop::contains): Deleted. + (JSC::DFG::NaturalLoop::index): Deleted. + (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted. + (JSC::DFG::NaturalLoop::addBlock): Deleted. + (JSC::DFG::NaturalLoops::numLoops): Deleted. + (JSC::DFG::NaturalLoops::loop): Deleted. 
+ (JSC::DFG::NaturalLoops::headerOf): Deleted. + (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted. + (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted. + (JSC::DFG::NaturalLoops::belongsTo): Deleted. + (JSC::DFG::NaturalLoops::loopDepth): Deleted. + +2017-07-24 Filip Pizlo + + GC should be fine with trading blocks between destructor and non-destructor blocks + https://bugs.webkit.org/show_bug.cgi?id=174811 + + Reviewed by Mark Lam. + + Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a + size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to + fragmentation. Prior to this change, this only worked between blocks that did not have destructors. + This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block + set. + + Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block + is empty if: + + A) It has no live objects and its a non-destructor block, or + B) We just allocated it (so it has no destructors even if it's a destructor block), or + C) We just stole it from another allocator (so it also has no destructors), or + D) We just swept the block and ran all destructors. + + Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a + block that could be stolen. + + Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run + destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that + cells don't need destruction, so without having the `empty` bit we would try to destruct garbage + and crash. Currently, we know that we have cases (B) and (C) when the block is empty. + + Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap. + + If we tried to enable trading of blocks between allocators without making any changes to how + `empty` works, then it just would not work. 
We have to set the `empty` bits of blocks that have no + live objects in order for those bits to be candidates for trading. But if we do that, then our + logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then + our destructors won't run and we'll leak memory. + + This change fixes this issue by decoupling the "do I have destructors" question from the "do I have + live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks + as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are + handled entirely by the new destrictible bit, while case (D) is detected by looking for blocks that + are (empty & ~destructible). + + Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can + remove destructor-oriented special-casing of block trading. + + This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway, + so this change is more about clean-up than perf. But, this could reduce memory usage in some + pathological cases. + + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::findEmptyBlockToSteal): + (JSC::MarkedAllocator::tryAllocateWithoutCollecting): + (JSC::MarkedAllocator::endMarking): + (JSC::MarkedAllocator::shrink): + (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted. + * heap/MarkedAllocator.h: + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::lastChanceToFinalize): + (JSC::MarkedBlock::Handle::sweep): + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::specializedSweep): + (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): + (JSC::MarkedBlock::Handle::emptyMode): + +2017-07-25 Keith Miller + + Remove Broken CompareEq constant folding phase. + https://bugs.webkit.org/show_bug.cgi?id=174846 + + + Reviewed by Saam Barati. 
+ + This bug happened when we would get code like the following: + + a: JSConst(Undefined) + b: GetLocal(SomeObjectOrUndefined) + ... + c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a) + + constant folding will turn this into: + + a: JSConst(Undefined) + b: GetLocal(SomeObjectOrUndefined) + ... + c: CompareEq(Check:ObjectOrOther:b, Other:a) + + But the SpeculativeJIT/FTL lowering will fail to check b + properly which leads to an assertion failure in the AI. + + I'll follow up with a more robust fix later. For now, I'll remove the + case that generates the code. Removing the code appears to be perf + neutral. + + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + +2017-07-25 Matt Baker + + Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation + https://bugs.webkit.org/show_bug.cgi?id=174738 + + Reviewed by Brian Burg. + + Move AsyncCallType enum to InspectorDebuggerAgent, which manages async + stack traces. This preserves the call type in JSC, makes the range of + possible call types explicit, and is safer than passing ints. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::asyncCallIdentifier): + (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall): + (Inspector::InspectorDebuggerAgent::didCancelAsyncCall): + (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall): + * inspector/agents/InspectorDebuggerAgent.h: + +2017-07-25 Mark Lam + + Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM. + https://bugs.webkit.org/show_bug.cgi?id=174809 + + + Reviewed by Filip Pizlo. + + 1. When the probe handler function changes the sp register to point to the + region of stack in the middle of the ProbeContext on the stack, there is a + bug where the ProbeContext's register values to be restored can be over-written + before they can be restored. This is now fixed. + + 2. Added more robust probe tests for changing the sp register. + + 3. 
Made existing probe tests to ensure that probe handlers were actually called. + + 4. Added some verification to testProbePreservesGPRS(). + + 5. Change all the probe tests to fail early on discovering an error instead of + batching till the end of the test. This helps point a finger to the failing + issue earlier. + + This patch was tested on x86, x86_64, and ARMv7. ARM64 probe code will be fixed + next in https://bugs.webkit.org/show_bug.cgi?id=174697. + + * assembler/MacroAssemblerARM.cpp: + * assembler/MacroAssemblerARMv7.cpp: + * assembler/MacroAssemblerX86Common.cpp: + * assembler/testmasm.cpp: + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + (JSC::testProbePreservesGPRS): + (JSC::testProbeModifiesStackPointer): + (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): + (JSC::testProbeModifiesStackPointerToNBytesBelowSP): + (JSC::testProbeModifiesProgramCounter): + (JSC::run): + +2017-07-25 Brian Burg + + Web Automation: add support for uploading files + https://bugs.webkit.org/show_bug.cgi?id=174797 + + + Reviewed by Joseph Pecoraro. + + * inspector/scripts/generate-inspector-protocol-bindings.py: + (generate_from_specification): + Start generating frontend dispatcher code if the target framework is 'WebKit'. + + * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py: + (CppFrontendDispatcherImplementationGenerator.generate_output): + Use a framework include for InspectorFrontendRouter.h since this generated code + will be compiled outside of WebCore.framework. 
+ + * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/generic/expected/domain-availability.json-result: + * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/generic/expected/enum-values.json-result: + * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result: + * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result: + * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result: + * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: + * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result: + * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result: + * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result: + Rebaseline code generator tests. + +2017-07-24 Mark Lam + + Gardening: fixed C Loop build after r219790. + https://bugs.webkit.org/show_bug.cgi?id=174696 + + Not reviewed. 
+ + * assembler/testmasm.cpp: + +2017-07-23 Mark Lam + + Create regression tests for the JIT probe. + https://bugs.webkit.org/show_bug.cgi?id=174696 + + + Reviewed by Saam Barati. + + The new testmasm will test the following: + 1. the probe is able to read the value of CPU registers. + 2. the probe is able to write the value of CPU registers. + 3. the probe is able to preserve all CPU registers. + 4. special case of (2): the probe is able to change the value of the stack pointer. + 5. special case of (2): the probe is able to change the value of the program counter + i.e. the probe can change where the code continues executing upon returning from + the probe. + + Currently, the x86, x86_64, and ARMv7 ports passes the test. ARM64 does not + because it does not support changing the sp and pc yet. The ARM64 probe + implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697 + later. + + * Configurations/ToolExecutable.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::CPUState::pc): + (JSC::MacroAssembler::CPUState::fp): + (JSC::MacroAssembler::CPUState::sp): + (JSC::ProbeContext::pc): + (JSC::ProbeContext::fp): + (JSC::ProbeContext::sp): + * assembler/MacroAssemblerARM64.cpp: + (JSC::arm64ProbeTrampoline): + * assembler/MacroAssemblerPrinter.cpp: + (JSC::Printer::printPCRegister): + * assembler/testmasm.cpp: Added. 
+ (hiddenTruthBecauseNoReturnIsStupid): + (usage): + (JSC::nextID): + (JSC::isPC): + (JSC::isSP): + (JSC::isFP): + (JSC::compile): + (JSC::invoke): + (JSC::compileAndRun): + (JSC::testSimple): + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + (JSC::testFunctionToTrashRegisters): + (JSC::testProbePreservesGPRS): + (JSC::testProbeModifiesStackPointer): + (JSC::testProbeModifiesProgramCounter): + (JSC::run): + (run): + (main): + * b3/air/testair.cpp: + (usage): + * shell/CMakeLists.txt: + +2017-07-14 Filip Pizlo + + It should be easy to decide how WebKit yields + https://bugs.webkit.org/show_bug.cgi?id=174298 + + Reviewed by Saam Barati. + + Use the new WTF::Thread::yield() function for yielding instead of the C++ function. + + * heap/Heap.cpp: + (JSC::Heap::resumeThePeriphery): + * heap/VisitingTimeout.h: + * runtime/JSCell.cpp: + (JSC::JSCell::lockSlow): + (JSC::JSCell::unlockSlow): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::lock): + (JSC::JSCell::unlock): + * runtime/JSLock.cpp: + (JSC::JSLock::grabAllLocks): + * runtime/SamplingProfiler.cpp: + +2017-07-21 Mark Lam + + Refactor MASM probe CPUState to use arrays for register storage. + https://bugs.webkit.org/show_bug.cgi?id=174694 + + Reviewed by Keith Miller. + + Using arrays for register storage in CPUState allows us to do away with the + huge switch statements to decode each register id. We can now simply index into + the arrays. + + With this patch, we now: + + 1. Remove the need for macros for defining the list of CPU registers. + We can go back to simple enums. This makes the code easier to read. + + 2. Make the assembler the authority on register names. + Most of this code is moved into the assembler from GPRInfo and FPRInfo. + GPRInfo and FPRInfo now forwards to the assembler. + + 3. Make the assembler the authority on the number of registers of each type. + + 4. Fix a "bug" in ARMv7's lastRegister(). It was previously omitting lr and pc. 
+ This is inconsistent with how every other CPU architecture implements + lastRegister(). This patch fixes it to return the true last GPR i.e. pc, but + updates RegisterSet::reservedHardwareRegisters() to exclude those registers. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::numberOfRegisters): + (JSC::ARM64Assembler::firstSPRegister): + (JSC::ARM64Assembler::lastSPRegister): + (JSC::ARM64Assembler::numberOfSPRegisters): + (JSC::ARM64Assembler::numberOfFPRegisters): + (JSC::ARM64Assembler::gprName): + (JSC::ARM64Assembler::sprName): + (JSC::ARM64Assembler::fprName): + * assembler/ARMAssembler.h: + (JSC::ARMAssembler::numberOfRegisters): + (JSC::ARMAssembler::firstSPRegister): + (JSC::ARMAssembler::lastSPRegister): + (JSC::ARMAssembler::numberOfSPRegisters): + (JSC::ARMAssembler::numberOfFPRegisters): + (JSC::ARMAssembler::gprName): + (JSC::ARMAssembler::sprName): + (JSC::ARMAssembler::fprName): + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::lastRegister): + (JSC::ARMv7Assembler::numberOfRegisters): + (JSC::ARMv7Assembler::firstSPRegister): + (JSC::ARMv7Assembler::lastSPRegister): + (JSC::ARMv7Assembler::numberOfSPRegisters): + (JSC::ARMv7Assembler::numberOfFPRegisters): + (JSC::ARMv7Assembler::gprName): + (JSC::ARMv7Assembler::sprName): + (JSC::ARMv7Assembler::fprName): + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::numberOfRegisters): + (JSC::AbstractMacroAssembler::gprName): + (JSC::AbstractMacroAssembler::firstSPRegister): + (JSC::AbstractMacroAssembler::lastSPRegister): + (JSC::AbstractMacroAssembler::numberOfSPRegisters): + (JSC::AbstractMacroAssembler::sprName): + (JSC::AbstractMacroAssembler::numberOfFPRegisters): + (JSC::AbstractMacroAssembler::fprName): + * assembler/MIPSAssembler.h: + (JSC::MIPSAssembler::numberOfRegisters): + (JSC::MIPSAssembler::firstSPRegister): + (JSC::MIPSAssembler::lastSPRegister): + (JSC::MIPSAssembler::numberOfSPRegisters): + (JSC::MIPSAssembler::numberOfFPRegisters): + 
(JSC::MIPSAssembler::gprName): + (JSC::MIPSAssembler::sprName): + (JSC::MIPSAssembler::fprName): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::CPUState::gprName): + (JSC::MacroAssembler::CPUState::sprName): + (JSC::MacroAssembler::CPUState::fprName): + (JSC::MacroAssembler::CPUState::gpr): + (JSC::MacroAssembler::CPUState::spr): + (JSC::MacroAssembler::CPUState::fpr): + (JSC::MacroAssembler::CPUState::pc): + (JSC::MacroAssembler::CPUState::fp): + (JSC::MacroAssembler::CPUState::sp): + (JSC::ProbeContext::gpr): + (JSC::ProbeContext::spr): + (JSC::ProbeContext::fpr): + (JSC::ProbeContext::gprName): + (JSC::ProbeContext::sprName): + (JSC::ProbeContext::fprName): + (JSC::MacroAssembler::numberOfRegisters): Deleted. + (JSC::MacroAssembler::numberOfFPRegisters): Deleted. + * assembler/MacroAssemblerARM.cpp: + * assembler/MacroAssemblerARM64.cpp: + (JSC::arm64ProbeTrampoline): + * assembler/MacroAssemblerARMv7.cpp: + * assembler/MacroAssemblerPrinter.cpp: + (JSC::Printer::nextID): + (JSC::Printer::printAllRegisters): + (JSC::Printer::printPCRegister): + (JSC::Printer::printRegisterID): + (JSC::Printer::printAddress): + * assembler/MacroAssemblerX86Common.cpp: + * assembler/X86Assembler.h: + (JSC::X86Assembler::numberOfRegisters): + (JSC::X86Assembler::firstSPRegister): + (JSC::X86Assembler::lastSPRegister): + (JSC::X86Assembler::numberOfSPRegisters): + (JSC::X86Assembler::numberOfFPRegisters): + (JSC::X86Assembler::gprName): + (JSC::X86Assembler::sprName): + (JSC::X86Assembler::fprName): + * jit/FPRInfo.h: + (JSC::FPRInfo::debugName): + * jit/GPRInfo.h: + (JSC::GPRInfo::debugName): + * jit/RegisterSet.cpp: + (JSC::RegisterSet::reservedHardwareRegisters): + +2017-07-21 Yusuke Suzuki + + [JSC] Introduce static symbols + https://bugs.webkit.org/show_bug.cgi?id=158863 + + Reviewed by Darin Adler. + + We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols. + As a result, we can share the same Symbol values between VMs and threads. 
+ And we do not need to allocate Ref for these symbols at runtime. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinNames.cpp: Added. + Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation. + + * builtins/BuiltinNames.h: + (JSC::BuiltinNames::BuiltinNames): + * builtins/BuiltinUtils.h: + +2017-07-21 Yusuke Suzuki + + [FTL] Arguments elimination is suppressed by unreachable blocks + https://bugs.webkit.org/show_bug.cgi?id=174352 + + Reviewed by Filip Pizlo. + + If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit. + The problem is that arguments elimination phase checks escaping even when ForceOSRExit preceeds. + Since GetById without information can escape arguments if it is specified, non-executed code including + op_get_by_id with arguments can escape arguments. + + For example, + + function test(flag) + { + if (flag) { + // This is not executed, but emits GetById with arguments. + // It prevents us from eliminating materialization. + return arguments.length; + } + return arguments.length; + } + noInline(test); + while (true) + test(false); + + We do not perform CFA and dead-node clipping yet when performing arguments elimination phase. + So this GetById exists and escapes arguments. + + To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes. + If it is shown, following GetById does not escape arguments. Compared to performing AI, it is + lightweight. But it catches much of typical cases we failed to perform arguments elimination. + + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::isPseudoTerminal): + * dfg/DFGValidate.cpp: + +2017-07-20 Chris Dumez + + Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable + https://bugs.webkit.org/show_bug.cgi?id=174660 + + Reviewed by Geoffrey Garen. 
+ + Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable. + This essentially replaces a branch to figure out if the new size is less or greater than the + current size by an assertion. + + * b3/B3BasicBlockUtils.h: + (JSC::B3::clearPredecessors): + * b3/B3InferSwitches.cpp: + * b3/B3LowerToAir.cpp: + (JSC::B3::Air::LowerToAir::finishAppendingInstructions): + * b3/B3ReduceStrength.cpp: + * b3/B3SparseCollection.h: + (JSC::B3::SparseCollection::packIndices): + * b3/B3UseCounts.cpp: + (JSC::B3::UseCounts::UseCounts): + * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: + * b3/air/AirEmitShuffle.cpp: + (JSC::B3::Air::emitShuffle): + * b3/air/AirLowerAfterRegAlloc.cpp: + (JSC::B3::Air::lowerAfterRegAlloc): + * b3/air/AirOptimizeBlockOrder.cpp: + (JSC::B3::Air::optimizeBlockOrder): + * bytecode/Operands.h: + (JSC::Operands::ensureLocals): + * bytecode/PreciseJumpTargets.cpp: + (JSC::computePreciseJumpTargetsInternal): + * dfg/DFGBlockInsertionSet.cpp: + (JSC::DFG::BlockInsertionSet::execute): + * dfg/DFGBlockMapInlines.h: + (JSC::DFG::BlockMap::BlockMap): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::processSetLocalQueue): + (JSC::DFG::ByteCodeParser::clearCaches): + * dfg/DFGDisassembler.cpp: + (JSC::DFG::Disassembler::Disassembler): + * dfg/DFGFlowIndexing.cpp: + (JSC::DFG::FlowIndexing::recompute): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::registerFrozenValues): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::setLiveValues): + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::run): + * dfg/DFGLivenessAnalysisPhase.cpp: + * dfg/DFGNaturalLoops.cpp: + (JSC::DFG::NaturalLoops::NaturalLoops): + * dfg/DFGStoreBarrierClusteringPhase.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::sweepLargeAllocations): + * inspector/ContentSearchUtilities.cpp: + 
(Inspector::ContentSearchUtilities::findMagicComment): + * interpreter/ShadowChicken.cpp: + (JSC::ShadowChicken::update): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::shrinkOperandStackBy): + * parser/Lexer.h: + (JSC::Lexer::setOffset): + * runtime/RegExpInlines.h: + (JSC::RegExp::matchInline): + * runtime/RegExpPrototype.cpp: + (JSC::genericSplit): + * yarr/RegularExpression.cpp: + (JSC::Yarr::RegularExpression::match): + +2017-07-20 Yusuke Suzuki + + [WTF] Use ThreadGroup to bookkeep active threads for Mach exception + https://bugs.webkit.org/show_bug.cgi?id=174678 + + Reviewed by Mark Lam. + + Use Thread& instead. + + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + +2017-07-19 Yusuke Suzuki + + [WTF] Implement WTF::ThreadGroup + https://bugs.webkit.org/show_bug.cgi?id=174081 + + Reviewed by Mark Lam. + + Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup. + And SamplingProfiler and others interact with WTF::Thread directly. + + * API/tests/ExecutionTimeLimitTest.cpp: + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::MachineThreads): + (JSC::captureStack): + (JSC::MachineThreads::tryCopyOtherThreadStack): + (JSC::MachineThreads::tryCopyOtherThreadStacks): + (JSC::MachineThreads::gatherConservativeRoots): + (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted. + (JSC::ActiveMachineThreadsManager::add): Deleted. + (JSC::ActiveMachineThreadsManager::remove): Deleted. + (JSC::ActiveMachineThreadsManager::contains): Deleted. + (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted. + (JSC::activeMachineThreadsManager): Deleted. + (JSC::MachineThreads::~MachineThreads): Deleted. + (JSC::MachineThreads::addCurrentThread): Deleted. + (): Deleted. + (JSC::MachineThreads::removeThread): Deleted. + (JSC::MachineThreads::removeThreadIfFound): Deleted. + (JSC::MachineThreads::MachineThread::MachineThread): Deleted. + (JSC::MachineThreads::MachineThread::getRegisters): Deleted. 
+ (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted. + (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted. + (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted. + (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted. + (JSC::MachineThreads::MachineThread::captureStack): Deleted. + * heap/MachineStackMarker.h: + (JSC::MachineThreads::addCurrentThread): + (JSC::MachineThreads::getLock): + (JSC::MachineThreads::threads): + (JSC::MachineThreads::MachineThread::suspend): Deleted. + (JSC::MachineThreads::MachineThread::resume): Deleted. + (JSC::MachineThreads::MachineThread::threadID): Deleted. + (JSC::MachineThreads::MachineThread::stackBase): Deleted. + (JSC::MachineThreads::MachineThread::stackEnd): Deleted. + (JSC::MachineThreads::threadsListHead): Deleted. + * runtime/SamplingProfiler.cpp: + (JSC::FrameWalker::isValidFramePointer): + (JSC::SamplingProfiler::SamplingProfiler): + (JSC::SamplingProfiler::takeSample): + (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread): + * runtime/SamplingProfiler.h: + * wasm/WasmMachineThreads.cpp: + (JSC::Wasm::resetInstructionCacheOnAllThreads): + +2017-07-18 Andy Estes + + [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS + https://bugs.webkit.org/show_bug.cgi?id=174631 + + Reviewed by Tim Horton. + + * Configurations/Base.xcconfig: + * b3/B3FoldPathConstants.cpp: + * b3/B3LowerMacros.cpp: + * b3/air/AirAllocateRegistersByGraphColoring.cpp: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::check): + (JSC::DFG::ByteCodeParser::planLoad): + +2017-07-18 Yusuke Suzuki + + WTF::Thread should have the threads stack bounds. + https://bugs.webkit.org/show_bug.cgi?id=173975 + + Reviewed by Mark Lam. + + There is a site in JSC that try to walk another thread's stack. + Currently, stack bounds are stored in WTFThreadData which is located + in TLS. Thus, only the thread itself can access its own WTFThreadData. 
+ We workaround this situation by holding StackBounds in MachineThread in JSC, + but StackBounds should be put in WTF::Thread instead. + + This patch adds StackBounds to WTF::Thread. StackBounds information is tightly + coupled with Thread. Thus putting it in WTF::Thread is natural choice. + + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::MachineThread::MachineThread): + (JSC::MachineThreads::MachineThread::captureStack): + * heap/MachineStackMarker.h: + (JSC::MachineThreads::MachineThread::stackBase): + (JSC::MachineThreads::MachineThread::stackEnd): + * runtime/VMTraps.cpp: + +2017-07-18 Andy Estes + + [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION + https://bugs.webkit.org/show_bug.cgi?id=174631 + + Reviewed by Sam Weinig. + + * Configurations/Base.xcconfig: + +2017-07-18 Joseph Pecoraro + + Web Inspector: Modernize InjectedScriptSource + https://bugs.webkit.org/show_bug.cgi?id=173890 + + Reviewed by Brian Burg. + + * inspector/InjectedScript.h: + Reorder functions to be slightly better. + + * inspector/InjectedScriptSource.js: + - Convert to classes named InjectedScript and RemoteObject + - Align InjectedScript's API with the wrapper C++ interfaces + - Move some code to RemoteObject where appropriate (subtype, describe) + - Move some code to helper functions (isPrimitiveValue, isDefined) + - Refactor for readability and modern features + - Remove some unused / unnecessary code + +2017-07-18 Mark Lam + + Butterfly storage need not be initialized for indexing type Undecided. + https://bugs.webkit.org/show_bug.cgi?id=174516 + + Reviewed by Saam Barati. + + While it's not incorrect to initialize the butterfly storage when the + indexingType is Undecided, it is inefficient as we'll end up initializing + it again later when we convert the storage to a different indexingType. + Some of our code already skips initializing Undecided butterflies. + This patch makes it the consistent behavior everywhere. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + * runtime/JSArray.h: + (JSC::JSArray::tryCreate): + * runtime/JSObject.cpp: + (JSC::JSObject::ensureLengthSlow): + +2017-07-18 Saam Barati + + AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register + https://bugs.webkit.org/show_bug.cgi?id=174515 + + + Reviewed by Filip Pizlo. + + AirLowerAfterRegAlloc was computing the set of available scratch + registers incorrectly. It was always excluding callee save registers + from the set of live registers. It did not guarantee that live callee save + registers were not in the set of scratch registers that could + get clobbered. That's incorrect as the shuffling code is free + to overwrite whatever is in the scratch register it gets passed. + + * b3/air/AirLowerAfterRegAlloc.cpp: + (JSC::B3::Air::lowerAfterRegAlloc): + * b3/testb3.cpp: + (JSC::B3::functionNineArgs): + (JSC::B3::testShuffleDoesntTrashCalleeSaves): + (JSC::B3::run): + * jit/RegisterSet.h: + +2017-07-18 Andy Estes + + [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION + https://bugs.webkit.org/show_bug.cgi?id=174631 + + Reviewed by Dan Bernstein. + + * Configurations/Base.xcconfig: + +2017-07-18 Devin Rousso + + Web Inspector: Add memoryCost to Inspector Protocol objects + https://bugs.webkit.org/show_bug.cgi?id=174478 + + Reviewed by Joseph Pecoraro. + + For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object, + plus the memoryCost of the data if it is a string. + + For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items. + + For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string + key plus the memoryCost of the InspectorValue for each entry. 
+ + Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp + + * inspector/InspectorValues.h: + * inspector/InspectorValues.cpp: + (Inspector::InspectorValue::memoryCost): + (Inspector::InspectorObjectBase::memoryCost): + (Inspector::InspectorArrayBase::memoryCost): + +2017-07-18 Andy Estes + + [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING + https://bugs.webkit.org/show_bug.cgi?id=174631 + + Reviewed by Darin Adler. + + * Configurations/Base.xcconfig: + +2017-07-18 Michael Saboff + + [JSC] There should be a debug option to dump a compiled RegExp Pattern + https://bugs.webkit.org/show_bug.cgi?id=174601 + + Reviewed by Alex Christensen. + + Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related + objects after a regular expression has been compiled. + + * runtime/Options.h: + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPattern::compile): + (JSC::Yarr::indentForNestingLevel): + (JSC::Yarr::dumpUChar32): + (JSC::Yarr::PatternAlternative::dump): + (JSC::Yarr::PatternTerm::dumpQuantifier): + (JSC::Yarr::PatternTerm::dump): + (JSC::Yarr::PatternDisjunction::dump): + (JSC::Yarr::YarrPattern::dumpPattern): + * yarr/YarrPattern.h: + (JSC::Yarr::YarrPattern::global): + +2017-07-17 Darin Adler + + Improve use of NeverDestroyed + https://bugs.webkit.org/show_bug.cgi?id=174348 + + Reviewed by Sam Weinig. + + * heap/MachineStackMarker.cpp: + * wasm/WasmMemory.cpp: + Removed unneeded includes of NeverDestroyed.h in files that do not make use + of NeverDestroyed. + +2017-07-17 Michael Catanzaro + + [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace + https://bugs.webkit.org/show_bug.cgi?id=174547 + + Reviewed by Alex Christensen. + + * CMakeLists.txt: + * shell/CMakeLists.txt: + +2017-07-17 Saam Barati + + Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase + https://bugs.webkit.org/show_bug.cgi?id=174584 + + Rubber stamped by Keith Miller. + + I used it to diagnose a bug. 
The bug is now fixed. This custom + RELEASE_ASSERT is no longer needed. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2017-07-17 Michael Catanzaro + + -Wformat-truncation warning in ConfigFile.cpp + https://bugs.webkit.org/show_bug.cgi?id=174506 + + Reviewed by Darin Adler. + + Check if the JSC config filename would be truncated due to exceeding max path length. If so, + return ParseError. + + * runtime/ConfigFile.cpp: + (JSC::ConfigFile::parse): + +2017-07-17 Konstantin Tokarev + + [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called + https://bugs.webkit.org/show_bug.cgi?id=174557 + + Reviewed by Michael Catanzaro. + + * CMakeLists.txt: + +2017-07-14 Yusuke Suzuki + + [WTF] Use std::unique_ptr for StackTrace + https://bugs.webkit.org/show_bug.cgi?id=174495 + + Reviewed by Alex Christensen. + + * runtime/ExceptionScope.cpp: + (JSC::ExceptionScope::unexpectedExceptionMessage): + * runtime/VM.cpp: + (JSC::VM::throwException): + +2017-07-14 Yusuke Suzuki + + [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap + https://bugs.webkit.org/show_bug.cgi?id=174423 + + Reviewed by Saam Barati. + + * dfg/DFGAvailabilityMap.cpp: + (JSC::DFG::AvailabilityMap::pruneHeap): + (JSC::DFG::AvailabilityMap::pruneByLiveness): + +2017-07-13 Michael Catanzaro + + Fix compiler warnings when building with GCC 7 + https://bugs.webkit.org/show_bug.cgi?id=174463 + + Reviewed by Darin Adler. + + * disassembler/udis86/udis86_decode.c: + (decode_operand): + +2017-07-13 Michael Catanzaro + + Incorrect assertion in JSC::CallLinkInfo::callTypeFor + https://bugs.webkit.org/show_bug.cgi?id=174467 + + Reviewed by Saam Barati. + + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::callTypeFor): + +2017-07-13 Joseph Pecoraro + + Web Inspector: Remove unused and untested Page domain commands + https://bugs.webkit.org/show_bug.cgi?id=174429 + + Reviewed by Timothy Hatcher. 
+ + * inspector/protocol/Page.json: + +2017-07-13 Saam Barati + + Missing exception check in JSObject::hasInstance + https://bugs.webkit.org/show_bug.cgi?id=174455 + + + Reviewed by Mark Lam. + + * runtime/JSObject.cpp: + (JSC::JSObject::hasInstance): + +2017-07-13 Caio Lima + + [ESnext] Implement Object Spread + https://bugs.webkit.org/show_bug.cgi?id=167963 + + Reviewed by Saam Barati. + + This patch implements ECMA262 stage 3 Object Spread proposal [1]. + It's implemented using CopyDataPropertiesNoExclusions to copy + all enumerable keys from object being spreaded. The implementation of + CopyDataPropertiesNoExclusions follows the CopyDataProperties + implementation, however we don't receive excludedNames as parameter. + + [1] - https://github.com/tc39/proposal-object-rest-spread + + * builtins/GlobalOperations.js: + (globalPrivate.copyDataPropertiesNoExclusions): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitLoad): + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitBytecode): + (JSC::ObjectSpreadExpressionNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createObjectSpreadExpression): + (JSC::ASTBuilder::createProperty): + * parser/NodeConstructors.h: + (JSC::PropertyNode::PropertyNode): + (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): + * parser/Nodes.h: + (JSC::ObjectSpreadExpressionNode::expression): + * parser/Parser.cpp: + (JSC::Parser::parseProperty): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createObjectSpreadExpression): + (JSC::SyntaxChecker::createProperty): + +2017-07-12 Mark Lam + + Gardening: build fix after r219434. + https://bugs.webkit.org/show_bug.cgi?id=174441 + + Not reviewed. + + Make public some MacroAssembler functions that are needed by the probe implementationq. 
+ + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::trustedImm32FromPtr): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::linkCall): + +2017-07-12 Mark Lam + + Move Probe code from AbstractMacroAssembler to MacroAssembler. + https://bugs.webkit.org/show_bug.cgi?id=174441 + + Reviewed by Saam Barati. + + This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler + to MacroAssembler. There is no code behavior change. + + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::Address::indexedBy): + (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted. + (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted. + (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted. + (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted. + (JSC::MacroAssemblerType>::Address::indexedBy): Deleted. + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::CPUState::gprName): + (JSC::MacroAssembler::CPUState::fprName): + (JSC::MacroAssembler::CPUState::gpr): + (JSC::MacroAssembler::CPUState::fpr): + * assembler/MacroAssemblerARM.cpp: + (JSC::MacroAssembler::probe): + (JSC::MacroAssemblerARM::probe): Deleted. + * assembler/MacroAssemblerARM.h: + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + (JSC::MacroAssemblerARM64::probe): Deleted. + * assembler/MacroAssemblerARM64.h: + * assembler/MacroAssemblerARMv7.cpp: + (JSC::MacroAssembler::probe): + (JSC::MacroAssemblerARMv7::probe): Deleted. + * assembler/MacroAssemblerARMv7.h: + * assembler/MacroAssemblerMIPS.h: + * assembler/MacroAssemblerX86Common.cpp: + (JSC::MacroAssembler::probe): + (JSC::MacroAssemblerX86Common::probe): Deleted. + * assembler/MacroAssemblerX86Common.h: + +2017-07-12 Saam Barati + + GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments + https://bugs.webkit.org/show_bug.cgi?id=174411 + + + Reviewed by Mark Lam. 
+ + The code for deleting an argument was incorrectly referencing state + when it decided if it should unmap or mark a property as having its + descriptor modified. This patch fixes the bug where if we delete a + property, we would sometimes not unmap an argument when deleting it. + + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::getOwnPropertySlot): + (JSC::GenericArguments::getOwnPropertySlotByIndex): + (JSC::GenericArguments::deleteProperty): + (JSC::GenericArguments::deletePropertyByIndex): + +2017-07-12 Commit Queue + + Unreviewed, rolling out r219176. + https://bugs.webkit.org/show_bug.cgi?id=174436 + + "Can cause infinite recursion on iOS" (Requested by mlam on + #webkit). + + Reverted changeset: + + "WTF::Thread should have the threads stack bounds." + https://bugs.webkit.org/show_bug.cgi?id=173975 + http://trac.webkit.org/changeset/219176 + +2017-07-12 Matt Lewis + + Unreviewed, rolling out r219401. + + This revision rolled out the previous patch, but after talking + with reviewer, a rebaseline is what was needed.Rolling back in + before rebaseline. + + Reverted changeset: + + "Unreviewed, rolling out r219379." + https://bugs.webkit.org/show_bug.cgi?id=174400 + http://trac.webkit.org/changeset/219401 + +2017-07-12 Matt Lewis + + Unreviewed, rolling out r219379. + + This revision caused a consistent failure in the test + fast/dom/Window/property-access-on-cached-window-after-frame- + removed.html. + + Reverted changeset: + + "Remove NAVIGATOR_HWCONCURRENCY" + https://bugs.webkit.org/show_bug.cgi?id=174400 + http://trac.webkit.org/changeset/219379 + +2017-07-12 Tooru Fujisawa [:arai] + + Wrong radix used in Unicode Escape in invalid character error message + https://bugs.webkit.org/show_bug.cgi?id=174419 + + Reviewed by Alex Christensen. + + * parser/Lexer.cpp: + (JSC::Lexer::invalidCharacterMessage): + +2017-07-11 Dean Jackson + + Remove NAVIGATOR_HWCONCURRENCY + https://bugs.webkit.org/show_bug.cgi?id=174400 + + Reviewed by Sam Weinig. 
+ + * Configurations/FeatureDefines.xcconfig: + +2017-07-11 Dean Jackson + + Rolling out r219372. + + * Configurations/FeatureDefines.xcconfig: + +2017-07-11 Dean Jackson + + Remove NAVIGATOR_HWCONCURRENCY + https://bugs.webkit.org/show_bug.cgi?id=174400 + + Reviewed by Sam Weinig. + + * Configurations/FeatureDefines.xcconfig: + +2017-07-11 Saam Barati + + remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files + https://bugs.webkit.org/show_bug.cgi?id=174397 + + Rubber stamped by David Kilzer. + + * wasm/js/WebAssemblyFunctionCell.cpp: Removed. + * wasm/js/WebAssemblyFunctionCell.h: Removed. + +2017-07-10 Saam Barati + + Allocation sinking phase should consider a CheckStructure that would fail as an escape + https://bugs.webkit.org/show_bug.cgi?id=174321 + + + Reviewed by Filip Pizlo. + + When the allocation sinking phase was generating stores to materialize + objects in a cycle with each other, it would assume that each materialized + object had a valid, non empty, set of structures. This is an OK assumption for + the phase to make because how do you materialize an object with no structure? + + The abstract interpretation part of the phase will model what's in the heap. + However, it would sometimes model that a CheckStructure would fail. The phase + did nothing special for this; it just stored the empty set of structures for + its representation of a particular allocation. However, what the phase proved + in such a scenario is that, had the CheckStructure executed, it would have exited. + + This patch treats such CheckStructures and MultiGetByOffsets as escape points. + This will cause the allocation in question to be materialized just before + the CheckStructure, and then at execution time, the CheckStructure will exit. + + I wasn't able to write a test case for this. However, I was able to reproduce + this crash by manually editing the IR. 
I've opened a separate bug to help us + create a testing framework for writing tests for hard to reproduce bugs like this: + https://bugs.webkit.org/show_bug.cgi?id=174322 + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2017-07-10 Devin Rousso + + Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab + https://bugs.webkit.org/show_bug.cgi?id=174279 + + Reviewed by Matt Baker. + + * inspector/protocol/DOM.json: + Add `highlightNodeList` command that will highlight each node in the given list. + +2017-07-03 Brian Burg + + Web Replay: remove some unused code + https://bugs.webkit.org/show_bug.cgi?id=173903 + + Rubber-stamped by Joseph Pecoraro. + + * CMakeLists.txt: + * Configurations/FeatureDefines.xcconfig: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * inspector/protocol/Replay.json: Removed. + * replay/EmptyInputCursor.h: Removed. + * replay/EncodedValue.cpp: Removed. + * replay/EncodedValue.h: Removed. + * replay/InputCursor.h: Removed. + * replay/JSInputs.json: Removed. + * replay/NondeterministicInput.h: Removed. + * replay/scripts/CodeGeneratorReplayInputs.py: Removed. + * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed. + * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed. + * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed. + * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed. + * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed. + * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed. + * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed. + * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed. + * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed. + * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed. 
+ * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed. + * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed. + * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed. + * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed. + * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed. + * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed. + * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed. + * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed. + * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed. + * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed. + * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed. + * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed. + * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed. 
+ * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed. + * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed. + * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed. + * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed. + * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed. + * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed. + * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed. + * replay/scripts/tests/fail-on-missing-input-name.json: Removed. + * replay/scripts/tests/fail-on-missing-input-queue.json: Removed. + * replay/scripts/tests/fail-on-missing-type-mode.json: Removed. + * replay/scripts/tests/fail-on-missing-type-name.json: Removed. + * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed. + * replay/scripts/tests/fail-on-unknown-member-type.json: Removed. + * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed. + * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed. + * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed. + * replay/scripts/tests/generate-enum-with-guard.json: Removed. + * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed. + * replay/scripts/tests/generate-event-loop-shape-types.json: Removed. + * replay/scripts/tests/generate-input-with-guard.json: Removed. + * replay/scripts/tests/generate-input-with-vector-members.json: Removed. + * replay/scripts/tests/generate-inputs-with-flags.json: Removed. + * replay/scripts/tests/generate-memoized-type-modes.json: Removed. + * runtime/DateConstructor.cpp: + (JSC::constructDate): + (JSC::dateNow): + (JSC::deterministicCurrentTime): Deleted. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + (JSC::JSGlobalObject::setInputCursor): Deleted. + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::inputCursor): Deleted. 
+ +2017-07-10 Carlos Garcia Campos + + Move make-js-file-arrays.py from WebCore to JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=174024 + + Reviewed by Michael Catanzaro. + + It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore + specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation. + Added command line option to pass the namespace to use instead of using WebCore. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py. + (main): + +2017-07-09 Yusuke Suzuki + + [JSC] Drop LineNumberAdder since we no longer treat (not ) as one line terminator + https://bugs.webkit.org/show_bug.cgi?id=174296 + + Reviewed by Mark Lam. + + Previously, we treat as one line terminator. So we increase line number by one. + It caused a problem in scanning template literals. While template literals normalize + to , we still needed to increase line number by only one. + To handle it correctly, LineNumberAdder is introduced. + + As of r219263, is counted as two line terminators. So we do not need to have + LineNumberAdder. Let's just use shiftLineTerminator() instead. + + * parser/Lexer.cpp: + (JSC::Lexer::parseTemplateLiteral): + (JSC::LineNumberAdder::LineNumberAdder): Deleted. + (JSC::LineNumberAdder::clear): Deleted. + (JSC::LineNumberAdder::add): Deleted. + +2017-07-09 Dan Bernstein + + [Xcode] ICU headers aren’t treated as system headers after r219155 + https://bugs.webkit.org/show_bug.cgi?id=174299 + + Reviewed by Sam Weinig. + + * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and + C++ compilers. + +* runtime/IntlCollator.cpp: Removed documentation warning suppression. + * runtime/IntlDateTimeFormat.cpp: Ditto. + * runtime/JSGlobalObject.cpp: Ditto. + * runtime/StringPrototype.cpp: Ditto. 
+ +2017-07-09 Yusuke Suzuki + + [JSC] Use fastMalloc / fastFree for STL containers + https://bugs.webkit.org/show_bug.cgi?id=174297 + + Reviewed by Sam Weinig. + + In some places, we intentionally use STL containers over WTF containers. + For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map} + because we do not have effective empty / deleted representations in the space of key's value. + But just using STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled). + + We introduce WTF::FastAllocator. This is C++ allocator implementation using fastMalloc and fastFree. + We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc. + + This WTF::FastAllocator gives us a chance to use STL containers if it is necessary + without compromising memory allocation throughput. + + * dfg/DFGGraph.h: + * dfg/DFGIntegerCheckCombiningPhase.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): + * runtime/FunctionHasExecutedCache.h: + * runtime/TypeLocationCache.h: + +2017-07-08 Yusuke Suzuki + + Drop NOSNIFF compile flag + https://bugs.webkit.org/show_bug.cgi?id=174289 + + Reviewed by Michael Catanzaro. + + * Configurations/FeatureDefines.xcconfig: + +2017-07-07 AJ Ringer + + Lower the max_protection for the separated heap + https://bugs.webkit.org/show_bug.cgi?id=174281 + + Reviewed by Oliver Hunt. + + Switch to vm_protect so we can set maximum page protection. + + * jit/ExecutableAllocator.cpp: + (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps): + (JSC::ExecutableAllocator::allocate): + +2017-07-07 Devin Rousso + + Web Inspector: Show all elements currently using a given CSS Canvas + https://bugs.webkit.org/show_bug.cgi?id=173965 + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Canvas.json: + - Add `requestCSSCanvasClientNodes` command for getting the node IDs all nodes using this + canvas via -webkit-canvas. 
+ - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is + added/removed from the list of -webkit-canvas clients. + +2017-07-07 Mark Lam + + \n\r is not the same as \r\n. + https://bugs.webkit.org/show_bug.cgi?id=173053 + + Reviewed by Keith Miller. + + * parser/Lexer.cpp: + (JSC::Lexer::shiftLineTerminator): + (JSC::LineNumberAdder::add): + +2017-07-07 Commit Queue + + Unreviewed, rolling out r219238, r219239, and r219241. + https://bugs.webkit.org/show_bug.cgi?id=174265 + + "fast/workers/dedicated-worker-lifecycle.html is flaky" + (Requested by yusukesuzuki on #webkit). + + Reverted changesets: + + "[WTF] Implement WTF::ThreadGroup" + https://bugs.webkit.org/show_bug.cgi?id=174081 + http://trac.webkit.org/changeset/219238 + + "Unreviewed, build fix after r219238" + https://bugs.webkit.org/show_bug.cgi?id=174081 + http://trac.webkit.org/changeset/219239 + + "Unreviewed, CLoop build fix after r219238" + https://bugs.webkit.org/show_bug.cgi?id=174081 + http://trac.webkit.org/changeset/219241 + +2017-07-06 Yusuke Suzuki + + Unreviewed, CLoop build fix after r219238 + https://bugs.webkit.org/show_bug.cgi?id=174081 + + * heap/MachineStackMarker.cpp: + +2017-07-05 Yusuke Suzuki + + [WTF] Implement WTF::ThreadGroup + https://bugs.webkit.org/show_bug.cgi?id=174081 + + Reviewed by Mark Lam. + + Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup. + And SamplingProfiler and others interact with WTF::Thread directly. + + * API/tests/ExecutionTimeLimitTest.cpp: + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::MachineThreads): + (JSC::captureStack): + (JSC::MachineThreads::tryCopyOtherThreadStack): + (JSC::MachineThreads::tryCopyOtherThreadStacks): + (JSC::MachineThreads::gatherConservativeRoots): + (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted. + (JSC::ActiveMachineThreadsManager::add): Deleted. + (JSC::ActiveMachineThreadsManager::remove): Deleted. 
+ (JSC::ActiveMachineThreadsManager::contains): Deleted. + (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted. + (JSC::activeMachineThreadsManager): Deleted. + (JSC::MachineThreads::~MachineThreads): Deleted. + (JSC::MachineThreads::addCurrentThread): Deleted. + (): Deleted. + (JSC::MachineThreads::removeThread): Deleted. + (JSC::MachineThreads::removeThreadIfFound): Deleted. + (JSC::MachineThreads::MachineThread::MachineThread): Deleted. + (JSC::MachineThreads::MachineThread::getRegisters): Deleted. + (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted. + (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted. + (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted. + (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted. + (JSC::MachineThreads::MachineThread::captureStack): Deleted. + * heap/MachineStackMarker.h: + (JSC::MachineThreads::addCurrentThread): + (JSC::MachineThreads::getLock): + (JSC::MachineThreads::threads): + (JSC::MachineThreads::MachineThread::suspend): Deleted. + (JSC::MachineThreads::MachineThread::resume): Deleted. + (JSC::MachineThreads::MachineThread::threadID): Deleted. + (JSC::MachineThreads::MachineThread::stackBase): Deleted. + (JSC::MachineThreads::MachineThread::stackEnd): Deleted. + (JSC::MachineThreads::threadsListHead): Deleted. + * runtime/SamplingProfiler.cpp: + (JSC::FrameWalker::isValidFramePointer): + (JSC::SamplingProfiler::SamplingProfiler): + (JSC::SamplingProfiler::takeSample): + (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread): + * runtime/SamplingProfiler.h: + * wasm/WasmMachineThreads.cpp: + (JSC::Wasm::resetInstructionCacheOnAllThreads): + +2017-07-06 Saam Barati + + We are missing places where we invalidate the for-in context + https://bugs.webkit.org/show_bug.cgi?id=174184 + + Reviewed by Geoffrey Garen. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::invalidateForInContextForLocal): + * bytecompiler/NodesCodegen.cpp: + (JSC::EmptyLetExpression::emitBytecode): + (JSC::ForInNode::emitLoopHeader): + (JSC::ForOfNode::emitBytecode): + (JSC::BindingNode::bindValue): + +2017-07-06 Yusuke Suzuki + + Unreviewed, suppress warnings in GCC environment + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * runtime/IntlCollator.cpp: + * runtime/IntlDateTimeFormat.cpp: + * runtime/JSGlobalObject.cpp: + * runtime/StringPrototype.cpp: + +2017-07-05 Saam Barati + + NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time + https://bugs.webkit.org/show_bug.cgi?id=174188 + + + Reviewed by Mark Lam. + + We were calling lowJSValue(edge) when we were speculating the + edge as double. This isn't allowed. We should have been using + lowDouble. + + This patch also adds a new option, called useArrayAllocationProfiling, + which defaults to true. When false, it will make the array allocation + profile not actually sample seen arrays. It'll force the allocation + profile's predicted indexing type to be ArrayWithUndecided. Adding + this option made it trivial to write a test for this bug. + + * bytecode/ArrayAllocationProfile.cpp: + (JSC::ArrayAllocationProfile::updateIndexingType): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): + * runtime/Options.h: + +2017-07-05 Yusuke Suzuki + + WTF::Thread should have the threads stack bounds. + https://bugs.webkit.org/show_bug.cgi?id=173975 + + Reviewed by Keith Miller. + + There is a site in JSC that try to walk another thread's stack. + Currently, stack bounds are stored in WTFThreadData which is located + in TLS. Thus, only the thread itself can access its own WTFThreadData. + We workaround this situation by holding StackBounds in MachineThread in JSC, + but StackBounds should be put in WTF::Thread instead. 
+ + This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds + information is tightly coupled with Thread. Thus putting it in WTF::Thread + is natural choice. + + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::MachineThread::MachineThread): + (JSC::MachineThreads::MachineThread::captureStack): + * heap/MachineStackMarker.h: + (JSC::MachineThreads::MachineThread::stackBase): + (JSC::MachineThreads::MachineThread::stackEnd): + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::updateStackLimits): + (JSC::VM::committedStackByteCount): + * runtime/VM.h: + (JSC::VM::isSafeToRecurse): + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + * runtime/VMInlines.h: + (JSC::VM::ensureStackCapacityFor): + * runtime/VMTraps.cpp: + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse): + +2017-07-05 Keith Miller + + Crashing with information should have an abort reason + https://bugs.webkit.org/show_bug.cgi?id=174185 + + Reviewed by Saam Barati. + + Add crash information for the abstract interpreter and add an enum + value for object allocation sinking. + + * assembler/AbortReason.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::verifyEdge): + * dfg/DFGGraph.cpp: + (JSC::DFG::logDFGAssertionFailure): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2017-07-03 Myles C. Maxfield + + Remove copy of ICU headers from WebKit + https://bugs.webkit.org/show_bug.cgi?id=116407 + + Reviewed by Alex Christensen. + + Use WTF's copy of ICU headers. + + * Configurations/Base.xcconfig: + * icu/unicode/localpointer.h: Removed. + * icu/unicode/parseerr.h: Removed. + * icu/unicode/platform.h: Removed. + * icu/unicode/ptypes.h: Removed. + * icu/unicode/putil.h: Removed. + * icu/unicode/uchar.h: Removed. + * icu/unicode/ucnv.h: Removed. + * icu/unicode/ucnv_err.h: Removed. + * icu/unicode/ucol.h: Removed. + * icu/unicode/uconfig.h: Removed. 
+ * icu/unicode/ucurr.h: Removed. + * icu/unicode/uenum.h: Removed. + * icu/unicode/uiter.h: Removed. + * icu/unicode/uloc.h: Removed. + * icu/unicode/umachine.h: Removed. + * icu/unicode/unorm.h: Removed. + * icu/unicode/unorm2.h: Removed. + * icu/unicode/urename.h: Removed. + * icu/unicode/uscript.h: Removed. + * icu/unicode/uset.h: Removed. + * icu/unicode/ustring.h: Removed. + * icu/unicode/utf.h: Removed. + * icu/unicode/utf16.h: Removed. + * icu/unicode/utf8.h: Removed. + * icu/unicode/utf_old.h: Removed. + * icu/unicode/utypes.h: Removed. + * icu/unicode/uvernum.h: Removed. + * icu/unicode/uversion.h: Removed. + * runtime/IntlCollator.cpp: + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::partTypeString): + * runtime/JSGlobalObject.cpp: + * runtime/StringPrototype.cpp: + (JSC::normalize): + (JSC::stringProtoFuncNormalize): + +2017-07-05 Devin Rousso + + Web Inspector: Allow users to log any tracked canvas context + https://bugs.webkit.org/show_bug.cgi?id=173397 + + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Canvas.json: + Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context. + +2017-07-05 Jonathan Bedard + + Add WebKitPrivateFrameworkStubs for iOS 11 + https://bugs.webkit.org/show_bug.cgi?id=173988 + + Reviewed by David Kilzer. + + * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the + same directory for private framework stubs. + +2017-07-05 JF Bastien + + WebAssembly: implement name section's module name, skip unknown sections + https://bugs.webkit.org/show_bug.cgi?id=172008 + + Reviewed by Keith Miller. + + Parse the WebAssembly module name properly, and skip unknown + sections. This is useful because as toolchains support new types + of names we want to keep displaying the information we know about + and simply ignore new information. That capability was designed + into WebAssembly's name section. 
+ + Failure to commit this patch would mean that WebKit won't display + stack trace information, which would make developers sad. + + Module names were added here: https://github.com/WebAssembly/design/pull/1055 + + Note that this patch doesn't do anything with the parsed name! Two + reasons for this: module names aren't supported in binaryen yet, + so I can't write a simple binary test; and using the name is a + slightly riskier change because it requires changing StackVisitor + + StackFrame (where they print "[wasm code]") which requires + figuring out the frame's Module. The latter bit isn't trivial + because we only know wasm frames from their tag bits, and + CodeBlocks are always nullptr. + + Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010 + + I filed #174098 to use the module name. + + * wasm/WasmFormat.h: + (JSC::Wasm::isValidNameType): + * wasm/WasmNameSectionParser.cpp: + +2017-07-04 Joseph Pecoraro + + Cleanup some StringBuilder use + https://bugs.webkit.org/show_bug.cgi?id=174118 + + Reviewed by Andreas Kling. + + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + * tools/FunctionOverrides.cpp: + (JSC::parseClause): + * wasm/WasmOMGPlan.cpp: + * wasm/WasmPlan.cpp: + * wasm/WasmValidate.cpp: + +2017-07-03 Saam Barati + + LayoutTest workers/bomb.html is a Crash + https://bugs.webkit.org/show_bug.cgi?id=167757 + + + Reviewed by Keith Miller. + + VMTraps::SignalSender was accessing VM fields even after + the VM was destroyed. This happened when the SignalSender + thread was in the middle of its work() function while VMTraps + was notified that the VM was shutting down. The VM would proceed + to run its destructor even after the SignalSender thread finished + doing its work. This means that the SignalSender thread was accessing + VM field eve after VM was destructed (including itself, since it is + transitively owned by the VM). 
The VM must wait for the SignalSender + thread to shutdown before it can continue to destruct itself. + + * runtime/VMTraps.cpp: + (JSC::VMTraps::willDestroyVM): + +2017-07-03 Saam Barati + + DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status + https://bugs.webkit.org/show_bug.cgi?id=174110 + + Reviewed by Michael Saboff. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + +2017-07-03 Saam Barati + + Add a new assertion to object allocation sinking phase + https://bugs.webkit.org/show_bug.cgi?id=174107 + + Rubber stamped by Filip Pizlo. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2017-07-03 Commit Queue + + Unreviewed, rolling out r219060. + https://bugs.webkit.org/show_bug.cgi?id=174108 + + crashing constantly when initializing UIWebView (Requested by + thorton on #webkit). + + Reverted changeset: + + "WTF::Thread should have the threads stack bounds." + https://bugs.webkit.org/show_bug.cgi?id=173975 + http://trac.webkit.org/changeset/219060 + +2017-07-03 Matt Lewis + + Unreviewed, rolling out r219103. + + Caused multiple build failures. + + Reverted changeset: + + "Remove copy of ICU headers from WebKit" + https://bugs.webkit.org/show_bug.cgi?id=116407 + http://trac.webkit.org/changeset/219103 + +2017-07-03 Myles C. Maxfield + + Remove copy of ICU headers from WebKit + https://bugs.webkit.org/show_bug.cgi?id=116407 + + Reviewed by Alex Christensen. + + Use WTF's copy of ICU headers. + + * Configurations/Base.xcconfig: + * icu/unicode/localpointer.h: Removed. + * icu/unicode/parseerr.h: Removed. + * icu/unicode/platform.h: Removed. + * icu/unicode/ptypes.h: Removed. + * icu/unicode/putil.h: Removed. + * icu/unicode/uchar.h: Removed. + * icu/unicode/ucnv.h: Removed. + * icu/unicode/ucnv_err.h: Removed. + * icu/unicode/ucol.h: Removed. + * icu/unicode/uconfig.h: Removed. + * icu/unicode/ucurr.h: Removed. + * icu/unicode/uenum.h: Removed. + * icu/unicode/uiter.h: Removed. 
+ * icu/unicode/uloc.h: Removed. + * icu/unicode/umachine.h: Removed. + * icu/unicode/unorm.h: Removed. + * icu/unicode/unorm2.h: Removed. + * icu/unicode/urename.h: Removed. + * icu/unicode/uscript.h: Removed. + * icu/unicode/uset.h: Removed. + * icu/unicode/ustring.h: Removed. + * icu/unicode/utf.h: Removed. + * icu/unicode/utf16.h: Removed. + * icu/unicode/utf8.h: Removed. + * icu/unicode/utf_old.h: Removed. + * icu/unicode/utypes.h: Removed. + * icu/unicode/uvernum.h: Removed. + * icu/unicode/uversion.h: Removed. + * runtime/IntlCollator.cpp: + * runtime/IntlDateTimeFormat.cpp: + * runtime/JSGlobalObject.cpp: + * runtime/StringPrototype.cpp: + +2017-07-03 Saam Barati + + Add better crash logging for allocation sinking phase + https://bugs.webkit.org/show_bug.cgi?id=174102 + + + Rubber stamped by Filip Pizlo. + + I'm trying to gather better information from crashlogs about why + we're crashing in the allocation sinking phase. I'm adding a allocation + sinking specific RELEASE_ASSERT as well as marking a few functions as + NEVER_INLINE to have the stack traces in the crash trace contain more + actionable information. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2017-07-03 Sam Weinig + + [WebIDL] Remove more unnecessary uses of the preprocessor in idl files + https://bugs.webkit.org/show_bug.cgi?id=174083 + + Reviewed by Alex Christensen. + + * Configurations/FeatureDefines.xcconfig: + Add ENABLE_NAVIGATOR_STANDALONE. + +2017-07-03 Andy Estes + + [Xcode] Add an experimental setting to build with ccache + https://bugs.webkit.org/show_bug.cgi?id=173875 + + Reviewed by Tim Horton. + + * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig. + +2017-07-03 Devin Rousso + + Web Inspector: Support listing WebGL2 and WebGPU contexts + https://bugs.webkit.org/show_bug.cgi?id=173396 + + Reviewed by Joseph Pecoraro. 
+ + * inspector/protocol/Canvas.json: + * inspector/scripts/codegen/generator.py: + (Generator.stylized_name_for_enum_value): + Add cases for handling new Canvas.ContextType protocol enumerations: + - "webgl2" maps to `WebGL2` + - "webgpu" maps to `WebGPU` + +2017-07-02 Yusuke Suzuki + + WTF::Thread should have the threads stack bounds. + https://bugs.webkit.org/show_bug.cgi?id=173975 + + Reviewed by Mark Lam. + + There is a site in JSC that try to walk another thread's stack. + Currently, stack bounds are stored in WTFThreadData which is located + in TLS. Thus, only the thread itself can access its own WTFThreadData. + We workaround this situation by holding StackBounds in MachineThread in JSC, + but StackBounds should be put in WTF::Thread instead. + + This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds + information is tightly coupled with Thread. Thus putting it in WTF::Thread + is natural choice. + + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::MachineThread::MachineThread): + (JSC::MachineThreads::MachineThread::captureStack): + * heap/MachineStackMarker.h: + (JSC::MachineThreads::MachineThread::stackBase): + (JSC::MachineThreads::MachineThread::stackEnd): + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::updateStackLimits): + (JSC::VM::committedStackByteCount): + * runtime/VM.h: + (JSC::VM::isSafeToRecurse): + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + * runtime/VMInlines.h: + (JSC::VM::ensureStackCapacityFor): + * runtime/VMTraps.cpp: + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse): + +2017-07-01 Dan Bernstein + + [iOS] Remove code only needed when building for iOS 9.x + https://bugs.webkit.org/show_bug.cgi?id=174068 + + Reviewed by Tim Horton. 
+ + * Configurations/FeatureDefines.xcconfig: + * jit/ExecutableAllocator.cpp: + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + +2017-07-01 Dan Bernstein + + [macOS] Remove code only needed when building for OS X Yosemite + https://bugs.webkit.org/show_bug.cgi?id=174067 + + Reviewed by Tim Horton. + + * API/WebKitAvailability.h: + * Configurations/Base.xcconfig: + * Configurations/DebugRelease.xcconfig: + * Configurations/FeatureDefines.xcconfig: + * Configurations/Version.xcconfig: + +2017-07-01 Yusuke Suzuki + + Unreviewed, build fix for GCC + https://bugs.webkit.org/show_bug.cgi?id=174034 + + * b3/testb3.cpp: + (JSC::B3::testDoubleLiteralComparison): + +2017-06-30 Keith Miller + + Force crashWithInfo to be out of line. + https://bugs.webkit.org/show_bug.cgi?id=174028 + + Reviewed by Filip Pizlo. + + Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO. + + * dfg/DFGGraph.cpp: + (JSC::DFG::logDFGAssertionFailure): + (JSC::DFG::Graph::logAssertionFailure): + (JSC::DFG::crash): Deleted. + (JSC::DFG::Graph::handleAssertionFailure): Deleted. + * dfg/DFGGraph.h: + +2017-06-30 Yusuke Suzuki + + [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT + https://bugs.webkit.org/show_bug.cgi?id=174053 + + Reviewed by Geoffrey Garen. + + We already have AbstractMacroAssembler::random() function. Use it instead. + + * jit/JIT.cpp: + (JSC::JIT::JIT): + (JSC::JIT::compileWithoutLinking): + * jit/JIT.h: + +2017-06-30 Yusuke Suzuki + + [WTF] Drop SymbolRegistry::keyForSymbol + https://bugs.webkit.org/show_bug.cgi?id=174052 + + Reviewed by Sam Weinig. + + * runtime/SymbolConstructor.cpp: + (JSC::symbolConstructorKeyFor): + +2017-06-30 Saam Barati + + B3ReduceStrength should reduce EqualOrUnordered over const float input + https://bugs.webkit.org/show_bug.cgi?id=174039 + + Reviewed by Michael Saboff. + + We perform this folding for ConstDoubleValue. It is simply + an oversight that we didn't do it for ConstFloatValue. 
+ + * b3/B3ConstFloatValue.cpp: + (JSC::B3::ConstFloatValue::equalOrUnorderedConstant): + * b3/B3ConstFloatValue.h: + * b3/testb3.cpp: + (JSC::B3::testFloatEqualOrUnorderedFolding): + (JSC::B3::testFloatEqualOrUnorderedFoldingNaN): + (JSC::B3::testFloatEqualOrUnorderedDontFold): + (JSC::B3::run): + +2017-06-30 Matt Baker + + Web Inspector: AsyncStackTrace nodes can be corrupted when truncating + https://bugs.webkit.org/show_bug.cgi?id=173840 + + + Reviewed by Joseph Pecoraro. + + When truncating an asynchronous stack trace, the parent chain is traversed + until a locked node is found. The path from this node to the root is shared + by more than one stack trace, and cannot be safely modified. Starting at + the first locked node, the path is cloned and becomes a new stack trace tree. + + However, the clone operation initialized each new AsyncStackTrace node with + the original node's parent. This would increment the child count of the original + node. When cloning nodes, new nodes should not have their parent set until the + next node up the parent chain is cloned. + + * inspector/AsyncStackTrace.cpp: + (Inspector::AsyncStackTrace::truncate): + +2017-06-30 Michael Saboff + + RegExp's anchored with .* with \g flag can return wrong match start for strings with multiple matches + https://bugs.webkit.org/show_bug.cgi?id=174044 + + Reviewed by Oliver Hunt. + + The .* enclosure optimization didn't respect that we can start matching from a non-zero + index. This optimization treats /.*.*/ by first matching the and + then finding the extent of the match by going back to the beginning of the line and going + forward to the end of the line. The code that went back to the beginning of the line + checked for an index of 0 instead of comparing the index to the start position. This start + position is passed as the initial index. + + Added another temporary register to the YARR JIT to contain the start position for + platforms that have spare registers. 
+ + * yarr/Yarr.h: + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::Interpreter::matchDotStarEnclosure): + (JSC::Yarr::Interpreter::Interpreter): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generateDotStarEnclosure): + (JSC::Yarr::YarrGenerator::compile): + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPattern::YarrPattern): + * yarr/YarrPattern.h: + (JSC::Yarr::YarrPattern::reset): + +2017-06-30 Saam Barati + + B3MoveConstants floatZero() returns the wrong ValueKey + https://bugs.webkit.org/show_bug.cgi?id=174040 + + Reviewed by Filip Pizlo. + + It had a typo where the ValueKey for floatZero() produces a Double + instead of a Float. + + * b3/B3MoveConstants.cpp: + +2017-06-30 Saam Barati + + B3ReduceDoubleToFloat incorrectly reduces operations over two double constants + https://bugs.webkit.org/show_bug.cgi?id=174034 + + + Reviewed by Filip Pizlo. + + B3ReduceDoubleToFloat had a bug in it where it would incorrectly + reduce binary operations over double constants into the same binary + operation over the double constants casted to floats. This is clearly + incorrect as these two things will produce different values. For example: + + a = DoubleConst(bitwise_cast(0x8000000000000001ull)) + b = DoubleConst(bitwise_cast(0x0000000000000000ull)) + c = EqualOrUnordered(@a, @b) // produces 0 + + into: + + a = FloatConst(static_cast(bitwise_cast(0x8000000000000001ull))) + b = FloatConst(static_cast(bitwise_cast(0x0000000000000000ull))) + c = EqualOrUnordered(@a, @b) // produces 1 + + Which produces a different value for @c. + + * b3/B3ReduceDoubleToFloat.cpp: + * b3/testb3.cpp: + (JSC::B3::doubleEq): + (JSC::B3::doubleNeq): + (JSC::B3::doubleGt): + (JSC::B3::doubleGte): + (JSC::B3::doubleLt): + (JSC::B3::doubleLte): + (JSC::B3::testDoubleLiteralComparison): + (JSC::B3::run): + +2017-06-29 Jer Noble + + Make Legacy EME API controlled by RuntimeEnabled setting. + https://bugs.webkit.org/show_bug.cgi?id=173994 + + Reviewed by Sam Weinig. 
+ + * Configurations/FeatureDefines.xcconfig: + * runtime/CommonIdentifiers.h: + +2017-06-30 Ryosuke Niwa + + Ran sort-Xcode-project-file. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2017-06-30 Matt Lewis + + Unreviewed, rolling out r218992. + + The patch broke the iOS device builds. + + Reverted changeset: + + "DFG_ASSERT should allow stuffing registers before trapping." + https://bugs.webkit.org/show_bug.cgi?id=174005 + http://trac.webkit.org/changeset/218992 + +2017-06-30 Filip Pizlo + + RegExpCachedResult::setInput should reify left and right contexts + https://bugs.webkit.org/show_bug.cgi?id=173818 + + Reviewed by Keith Miller. + + If you don't reify them in setInput, then when you later try to reify them, you'll end up + using indices into an old input string to create a substring of a new input string. That + never goes well. + + * runtime/RegExpCachedResult.cpp: + (JSC::RegExpCachedResult::setInput): + +2017-06-30 Keith Miller + + DFG_ASSERT should allow stuffing registers before trapping. + https://bugs.webkit.org/show_bug.cgi?id=174005 + + Reviewed by Mark Lam. + + DFG_ASSERT currently prints error data to stderr before crashing, + which is nice for local development. In the wild, however, we + can't see this information in crash logs. This patch enables + stuffing some of the most useful information from DFG_ASSERTS into + up to five registers right before crashing. The values stuffed + should not impact any logging during local development. + + * assembler/AbortReason.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::verifyEdge): + * dfg/DFGGraph.cpp: + (JSC::DFG::logForCrash): + (JSC::DFG::Graph::logAssertionFailure): + (JSC::DFG::crash): Deleted. + (JSC::DFG::Graph::handleAssertionFailure): Deleted. + * dfg/DFGGraph.h: + +2017-06-29 Saam Barati + + Calculating postCapacity in unshiftCountSlowCase is wrong + https://bugs.webkit.org/show_bug.cgi?id=173992 + + + Reviewed by Keith Miller. 
+ + This patch fixes a bug inside unshiftCountSlowCase where we would use + more memory than we allocated. The bug was when deciding how much extra + space we have after the vector we've allocated. This area is called the + postCapacity. The largest legal postCapacity value we could use is the + space we allocated minus the space we need: + largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength; + However, the code was calculating the postCapacity as: + postCapacity = max(newStorageCapacity - requiredVectorLength, count); + + where count is how many elements we're appending. Depending on the inputs, + count could be larger than (newStorageCapacity - requiredVectorLength). This + would cause us to use more memory than we actually allocated. + + * runtime/JSArray.cpp: + (JSC::JSArray::unshiftCountSlowCase): + +2017-06-29 Commit Queue + + Unreviewed, rolling out r218512. + https://bugs.webkit.org/show_bug.cgi?id=173981 + + "It changes the behavior of the JS API's JSEvaluateScript + which breaks TurboTax" (Requested by saamyjoon on #webkit). + + Reverted changeset: + + "test262: Completion values for control flow do not match the + spec" + https://bugs.webkit.org/show_bug.cgi?id=171265 + http://trac.webkit.org/changeset/218512 + +2017-06-29 JF Bastien + + WebAssembly: disable some APIs under CSP + https://bugs.webkit.org/show_bug.cgi?id=173892 + + + Reviewed by Daniel Bates. + + We should disable parts of WebAssembly under Content Security + Policy as discussed here: + + https://github.com/WebAssembly/design/issues/1092 + + Exactly what should be disabled isn't super clear, so we may as + well be conservative and disable many things if developers already + opted into CSP. It's easy to loosen what we disable later. 
+ + This patch disables: + - WebAssembly.Instance + - WebAssembly.instantiate + - WebAssembly.Memory + - WebAssembly.Table + + And leaves: + - WebAssembly on the global object + - WebAssembly.Module + - WebAssembly.compile + - WebAssembly.CompileError + - WebAssembly.LinkError + + Nothing because currently unimplmented: + - WebAssembly.compileStreaming + - WebAssembly.instantiateStreaming + + That way it won't be possible to call WebAssembly-compiled code, + or create memories (which use fancy 4GiB allocations + sometimes). Table isn't really useful on its own, and eventually + we may make them shareable so without more details it seems benign + to disable them (and useless if we don't). + + I haven't done anything with postMessage, so you can still + postMessage a WebAssembly.Module cross-CSP, but you can't + instantiate it so it's useless. Because of this I elected to leave + WebAssembly.Module and friends available. + + I haven't added any new directives. It's still unsafe-eval. We can + add something else later, but it seems odd to add a WebAssembly as + a new capability and tell developers "you should have been using + this directive which we just implemented if you wanted to disable + WebAssembly which didn't exist when you adopted CSP". So IMO we + should keep unsafe-eval as it currently is, add WebAssembly to + what it disables, and later consider having two new directives + which do each individually or something. + + In all cases I throw an EvalError *before* other WebAssembly + errors would be produced. 
+ + Note that, as for eval, reporting doesn't work and is tracked by + https://webkit.org/b/111869 + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::webAssemblyEnabled): + (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage): + (JSC::JSGlobalObject::setWebAssemblyEnabled): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyMemory.cpp: + (JSC::JSWebAssemblyMemory::create): + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::create): + * wasm/js/WebAssemblyMemoryConstructor.cpp: + (JSC::constructJSWebAssemblyMemory): + +2017-06-28 Keith Miller + + VMTraps has some races + https://bugs.webkit.org/show_bug.cgi?id=173941 + + Reviewed by Michael Saboff. + + This patch refactors much of the VMTraps API. + + On the message sending side: + + 1) No longer uses the Yarr JIT check to determine if we are in + RegExp code. That was unsound because RegExp JIT code can be run + on compilation threads. Instead it looks at the current frame's + code block slot and checks if it is valid, which is the same as + what it did for JIT code previously. + + 2) Only have one signal sender thread, previously, there could be + many at once, which caused some data races. Additionally, the + signal sender thread is an automatic thread so it will deallocate + itself when not in use. + + On the VMTraps breakpoint side: + + 1) We now have a true mapping of if we hit a breakpoint instead of + a JIT assertion. So the exception handler won't eat JIT assertions + anymore. + + 2) It jettisons all CodeBlocks that have VMTraps breakpoints on + them instead of every CodeBlock on the stack. This both prevents + us from hitting stale VMTraps breakpoints and also doesn't OSR + codeblocks that otherwise don't need to be jettisoned. 
+ + 3) The old exception handler could theoretically fail for a couple + of reasons then resume execution with a clobbered instruction + set. This patch will kill the program if the exception handler + would fail. + + This patch also refactors some of the jsc.cpp functions to take the + CommandLine options object instead of individual options. Also, there + is a new command line option that makes exceptions due to watchdog + timeouts an acceptable result. + + * API/tests/testapi.c: + (main): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::installVMTrapBreakpoints): + * dfg/DFGCommonData.cpp: + (JSC::DFG::pcCodeBlockMap): + (JSC::DFG::CommonData::invalidate): + (JSC::DFG::CommonData::~CommonData): + (JSC::DFG::CommonData::installVMTrapBreakpoints): + (JSC::DFG::codeBlockForVMTrapPC): + * dfg/DFGCommonData.h: + * jsc.cpp: + (functionDollarAgentStart): + (checkUncaughtException): + (checkException): + (runWithOptions): + (printUsageStatement): + (CommandLine::parseArguments): + (jscmain): + (runWithScripts): Deleted. + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + * runtime/VMTraps.cpp: + (JSC::sanitizedTopCallFrame): + (JSC::VMTraps::tryInstallTrapBreakpoints): + (JSC::VMTraps::willDestroyVM): + (JSC::VMTraps::fireTrap): + (JSC::VMTraps::handleTraps): + (JSC::VMTraps::VMTraps): + (JSC::VMTraps::~VMTraps): + (JSC::findActiveVMAndStackBounds): Deleted. + (JSC::installSignalHandler): Deleted. + (JSC::VMTraps::addSignalSender): Deleted. + (JSC::VMTraps::removeSignalSender): Deleted. + (JSC::VMTraps::SignalSender::willDestroyVM): Deleted. + (JSC::VMTraps::SignalSender::send): Deleted. + * runtime/VMTraps.h: + (JSC::VMTraps::~VMTraps): Deleted. + (JSC::VMTraps::SignalSender::SignalSender): Deleted. + +2017-06-28 Devin Rousso + + Web Inspector: Instrument active pixel memory used by canvases + https://bugs.webkit.org/show_bug.cgi?id=173087 + + + Reviewed by Joseph Pecoraro. 
+ + * inspector/protocol/Canvas.json: + - Add optional `memoryCost` attribute to the `Canvas` type. + - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes. + +2017-06-28 Joseph Pecoraro + + Web Inspector: Cleanup Protocol JSON files + https://bugs.webkit.org/show_bug.cgi?id=173934 + + Reviewed by Matt Baker. + + * inspector/protocol/ApplicationCache.json: + * inspector/protocol/CSS.json: + * inspector/protocol/Console.json: + * inspector/protocol/DOM.json: + * inspector/protocol/DOMDebugger.json: + * inspector/protocol/Debugger.json: + * inspector/protocol/LayerTree.json: + * inspector/protocol/Network.json: + * inspector/protocol/Page.json: + * inspector/protocol/Runtime.json: + Be more consistent about placement of `description` property. + +2017-06-27 Joseph Pecoraro + + Web Inspector: Remove unused Inspector domain events + https://bugs.webkit.org/show_bug.cgi?id=173905 + + Reviewed by Matt Baker. + + * inspector/protocol/Inspector.json: + +2017-06-28 JF Bastien + + Ensure that computed new stack pointer values do not underflow. + https://bugs.webkit.org/show_bug.cgi?id=173700 + + + Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam. + + Patch by Mark Lam, with the following fix: + + Re-apply this patch, it originally broke the ARM build because the llint code + generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot + be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison + and operands to emit valid code (because the second operand can be SP). + + 1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that + m_numCalleeLocals is sane. + + 2. Added underflow checks in LLInt code and VarargsFrame code. + + 3. Introduce minimumReservedZoneSize, which is hardcoded to 16K. + Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize. 
+ Ensure that Options::softReservedZoneSize() is at least greater than + Options::reservedZoneSize() by minimumReservedZoneSize. + + 4. Ensure that stack checks emitted by JIT tiers include an underflow check if + and only if the max size of the frame is greater than Options::reservedZoneSize(). + + By design, we are guaranteed to have at least Options::reservedZoneSize() bytes + of memory at the bottom (end) of the stack. This means that, at any time, the + frame pointer must be at least Options::reservedZoneSize() bytes away from the + end of the stack. Hence, if the max frame size is less than + Options::reservedZoneSize(), there's no way that frame pointer - max + frame size can underflow, and we can elide the underflow check. + + Note that we use Options::reservedZoneSize() instead of + Options::softReservedZoneSize() for determine if we need an underflow check. + This is because the softStackLimit that is used for stack checks can be set + based on Options::reservedZoneSize() during error handling (e.g. when creating + strings for instantiating the Error object). Hence, the guaranteed minimum of + distance between the frame pointer and the end of the stack is + Options::reservedZoneSize() and nor Options::softReservedZoneSize(). + + Note also that we ensure that Options::reservedZoneSize() is at least + minimumReservedZoneSize (i.e. 16K). In typical deployments, + Options::reservedZoneSize() may be larger. Using Options::reservedZoneSize() + instead of minimumReservedZoneSize gives us more chances to elide underflow + checks. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::emitStackOverflowCheck): + (JSC::DFG::JITCompiler::compile): + (JSC::DFG::JITCompiler::compileFunction): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + * jit/SetupVarargsFrame.cpp: + (JSC::emitSetupVarargsFrameFastCase): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/MinimumReservedZoneSize.h: Added. + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/VM.cpp: + (JSC::VM::updateStackLimits): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + +2017-06-28 Chris Dumez + + Unreviewed, rolling out r218869. + + Broke the iOS build + + Reverted changeset: + + "Ensure that computed new stack pointer values do not + underflow." + https://bugs.webkit.org/show_bug.cgi?id=173700 + http://trac.webkit.org/changeset/218869 + +2017-06-28 Chris Dumez + + Unreviewed, rolling out r218873. + + Broke the iOS build + + Reverted changeset: + + "Gardening: CLoop build fix." + https://bugs.webkit.org/show_bug.cgi?id=173700 + http://trac.webkit.org/changeset/218873 + +2017-06-28 Mark Lam + + Gardening: CLoop build fix. + https://bugs.webkit.org/show_bug.cgi?id=173700 + + + Not reviewed. + + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + +2017-06-28 Mark Lam + + Ensure that computed new stack pointer values do not underflow. + https://bugs.webkit.org/show_bug.cgi?id=173700 + + + Reviewed by Filip Pizlo and Saam Barati. + + 1. 
Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that + m_numCalleeLocals is sane. + + 2. Added underflow checks in LLInt code and VarargsFrame code. + + 3. Introduce minimumReservedZoneSize, which is hardcoded to 16K. + Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize. + Ensure that Options::softReservedZoneSize() is at least greater than + Options::reservedZoneSize() by minimumReservedZoneSize. + + 4. Ensure that stack checks emitted by JIT tiers include an underflow check if + and only if the max size of the frame is greater than Options::reservedZoneSize(). + + By design, we are guaranteed to have at least Options::reservedZoneSize() bytes + of memory at the bottom (end) of the stack. This means that, at any time, the + frame pointer must be at least Options::reservedZoneSize() bytes away from the + end of the stack. Hence, if the max frame size is less than + Options::reservedZoneSize(), there's no way that frame pointer - max + frame size can underflow, and we can elide the underflow check. + + Note that we use Options::reservedZoneSize() instead of + Options::softReservedZoneSize() for determine if we need an underflow check. + This is because the softStackLimit that is used for stack checks can be set + based on Options::reservedZoneSize() during error handling (e.g. when creating + strings for instantiating the Error object). Hence, the guaranteed minimum of + distance between the frame pointer and the end of the stack is + Options::reservedZoneSize() and nor Options::softReservedZoneSize(). + + Note also that we ensure that Options::reservedZoneSize() is at least + minimumReservedZoneSize (i.e. 16K). In typical deployments, + Options::reservedZoneSize() may be larger. Using Options::reservedZoneSize() + instead of minimumReservedZoneSize gives us more chances to elide underflow + checks. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compile): + (JSC::DFG::JITCompiler::compileFunction): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + * jit/SetupVarargsFrame.cpp: + (JSC::emitSetupVarargsFrameFastCase): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/MinimumReservedZoneSize.h: Added. + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/VM.cpp: + (JSC::VM::updateStackLimits): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + +2017-06-27 JF Bastien + + WebAssembly: running out of executable memory should throw OoM + https://bugs.webkit.org/show_bug.cgi?id=171537 + + + Reviewed by Saam Barati. + + Both on first compile with BBQ as well as on tier-up with OMG, + running out of X memory shouldn't cause the entire program to + terminate. An exception will do when compiling initial code (since + we don't have any other fallback at the moment), and refusal to + tier up will do as well (it'll just be slower). + + This is useful because programs which generate huge amounts of + code simply look like crashes, which developers report to + us. Getting a JavaScript exception instead is much clearer. 
+ + * jit/ExecutableAllocator.cpp: + (JSC::ExecutableAllocator::allocate): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::shouldJIT): + * runtime/Options.h: + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::prepare): + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToJs): + (JSC::Wasm::wasmToWasm): + * wasm/WasmBinding.h: + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finalizeCreation): + +2017-06-27 Saam Barati + + JITStubRoutine::passesFilter should use isJITPC + https://bugs.webkit.org/show_bug.cgi?id=173906 + + Reviewed by JF Bastien. + + This patch makes JITStubRoutine use the isJITPC abstraction defined + inside ExecutableAllocator.h. Before, JITStubRoutine was using a + hardcoded platform size constant. This means it'd do the wrong thing + if Options::jitMemoryReservationSize() was larger than the defined + constant for that platform. This patch also removes a bunch of + dead code in that file. + + * jit/ExecutableAllocator.cpp: + * jit/ExecutableAllocator.h: + * jit/JITStubRoutine.h: + (JSC::JITStubRoutine::passesFilter): + (JSC::JITStubRoutine::canPerformRangeFilter): Deleted. + (JSC::JITStubRoutine::filteringStartAddress): Deleted. + (JSC::JITStubRoutine::filteringExtentSize): Deleted. + +2017-06-27 Saam Barati + + Fix some stale comments in Wasm code base + https://bugs.webkit.org/show_bug.cgi?id=173814 + + Reviewed by Mark Lam. + + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToJs): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::runOMGPlanForIndex): + +2017-06-27 Caio Lima + + [ESnext] Implement Object Rest - Implementing Object Rest Destructuring + https://bugs.webkit.org/show_bug.cgi?id=167962 + + Reviewed by Saam Barati. 
+ + Object Rest/Spread Destructing proposal is in stage 3[1] and this + Patch is a prototype implementation of it. A simple change over the + parser was necessary to support the new '...' token on Object Pattern + destruction rule. In the bytecode generator side, We changed the + bytecode generated on ObjectPatternNode::bindValue to store in an + set the identifiers of already destructured properties, following spec draft + section[2], and then pass it as excludedNames to CopyDataProperties. + The rest destructuring calls copyDataProperties to perform the + copy of rest properties in rhs. + + We also implemented CopyDataProperties as private JS global operation + on builtins/GlobalOperations.js following it's specification on [3]. + It is implemented using Set object to verify if a property is on + excludedNames to keep this algorithm with O(n + m) complexity, where n + = number of source's own properties and m = excludedNames.length. + + In this implementation we aren't using excludeList as constant if + destructuring pattern contains computed property, i.e. we can + just determine the key to be excluded at runtime. If we can define all + identifiers in the pattern in compile time, we then create a + constant JSSet. This approach gives a good performance improvement, + since we allocate the excludeSet just once, reducing GC pressure. 
+ + [1] - https://github.com/tc39/proposal-object-rest-spread + [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation + [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties + + * builtins/BuiltinNames.h: + * builtins/GlobalOperations.js: + (globalPrivate.copyDataProperties): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecompiler/NodesCodegen.cpp: + (JSC::ObjectPatternNode::bindValue): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::appendObjectPatternEntry): + (JSC::ASTBuilder::appendObjectPatternRestEntry): + (JSC::ASTBuilder::setContainsObjectRestElement): + * parser/Nodes.h: + (JSC::ObjectPatternNode::appendEntry): + (JSC::ObjectPatternNode::setContainsRestElement): + * parser/Parser.cpp: + (JSC::Parser::parseDestructuringPattern): + (JSC::Parser::parseProperty): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::operatorStackPop): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::asyncFunctionStructure): + (JSC::JSGlobalObject::setStructure): Deleted. + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::privateToObject): + * runtime/JSGlobalObjectFunctions.h: + * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::finishCreation): + * runtime/SetPrototype.cpp: + (JSC::SetPrototype::finishCreation): + +2017-06-27 Yusuke Suzuki + + [JSC] Do not touch VM after notifying Ready in DFG::Worklist + https://bugs.webkit.org/show_bug.cgi?id=173888 + + Reviewed by Saam Barati. + + After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed. + Thus, Plan::vm() can return a destroyed VM. Do not touch it. + This causes occasional SEGV / assertion failures in workers/bomb test. 
+ + * dfg/DFGWorklist.cpp: + +2017-06-27 Saam Barati + + Remove an inaccurate comment inside DFGClobberize.h + https://bugs.webkit.org/show_bug.cgi?id=163874 + + Reviewed by Filip Pizlo. + + The comment said that Clobberize may or may not be sound if run prior to + doing type inference. This is not correct, though. Clobberize *must* be sound + prior do doing type inference since we use it inside the BytecodeParser, which + is the very first thing the DFG does. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2017-06-27 Saam Barati + + Function constructor needs to follow the spec and validate parameters and body independently + https://bugs.webkit.org/show_bug.cgi?id=173303 + + + Reviewed by Keith Miller. + + The Function constructor must check the arguments and body strings + independently for syntax errors. People rely on this specified behavior + to verify that a particular string is a valid function body. We used + to check these things strings concatenated together, instead of + independently. For example, this used to be valid: `Function("/*", "*/){")`. + However, we should throw a syntax error here since "(/*)" is not a valid + parameter list, and "*/){" is not a valid body. + + To implement the specified behavior, we check the syntax independently of + both the body and the parameter list. To check that the parameter list has + valid syntax, we check that it is valid if in a function with an empty body. + To check that the body has valid syntax, we check it is valid in a function + with an empty parameter list. + + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + +2017-06-27 Ting-Wei Lan + + Add missing includes to fix compilation error on FreeBSD + https://bugs.webkit.org/show_bug.cgi?id=172919 + + Reviewed by Mark Lam. 
+ + * API/JSRemoteInspector.h: + * API/tests/GlobalContextWithFinalizerTest.cpp: + * API/tests/TypedArrayCTest.cpp: + +2017-06-27 Joseph Pecoraro + + Web Inspector: Crash generating object preview for ArrayIterator + https://bugs.webkit.org/show_bug.cgi?id=173754 + + + Reviewed by Saam Barati. + + When Inspector generates an object preview for an ArrayIterator instance it made + a "clone" of the original ArrayIterator instance by constructing a new object with + the instance's structure. However, user code could have modified that instance's + structure, such as adding / removing properties. The `return` property had special + meaning, and our clone did not fill that slot. This approach is brittle in that + we weren't satisfying the expectations of an object with a particular Structure, + and the original goal of having Web Inspector peek values of built-in Iterators + was to avoid observable behavior. + + This tightens Web Inspector's Iterator preview to only peek values if the + Iterators would actually be non-observable. It also builds an ArrayIterator + clone like a regular object construction. + + * inspector/JSInjectedScriptHost.cpp: + (Inspector::cloneArrayIteratorObject): + Build up the Object from scratch with a new ArrayIterator prototype. + + (Inspector::JSInjectedScriptHost::iteratorEntries): + Only clone and peek iterators if it would not be observable. + Also update iteration to be more in line with IterationOperations, such as when + we call iteratorClose. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint): + * runtime/JSGlobalObjectInlines.h: + (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable): + Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints. 
+ + * runtime/JSMap.cpp: + (JSC::JSMap::isIteratorProtocolFastAndNonObservable): + (JSC::JSMap::canCloneFastAndNonObservable): + * runtime/JSMap.h: + * runtime/JSSet.cpp: + (JSC::JSSet::isIteratorProtocolFastAndNonObservable): + (JSC::JSSet::canCloneFastAndNonObservable): + * runtime/JSSet.h: + Promote isIteratorProtocolFastAndNonObservable to a method. + + * runtime/JSObject.cpp: + (JSC::canDoFastPutDirectIndex): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::isArgumentsType): + Helper to detect if an Object is an Arguments type. + +2017-06-26 Saam Barati + + RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect + https://bugs.webkit.org/show_bug.cgi?id=173740 + + Reviewed by Mark Lam. + + The builtin was using for-of iteration to iterate over an internal + list in its algorithm. For-of iteration is observable via user code + in the global object, so this approach was wrong as it would break if + a user changed the Array iteration protocol in some way. + + * builtins/RegExpPrototype.js: + (replace): + +2017-06-26 Mark Lam + + Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor. + https://bugs.webkit.org/show_bug.cgi?id=173848 + + Reviewed by JF Bastien. + + This functor only dumps the return VirtualPC. + + * interpreter/Interpreter.cpp: + (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): + (JSC::Interpreter::dumpRegisters): + (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted. + (JSC::DumpRegisterFunctor::operator()): Deleted. + +2017-06-26 Saam Barati + + Crash in JSC::Lexer::setCode + https://bugs.webkit.org/show_bug.cgi?id=172754 + + Reviewed by Mark Lam. + + The lexer was asking one of its buffers to reserve initial space that + was O(text size in bytes). For large sources, this would end up causing + the vector to overflow and crash. This patch changes this code be like + the Lexer's other buffers and to only reserve a small starting buffer. 
+ + * parser/Lexer.cpp: + (JSC::Lexer::setCode): + +2017-06-26 Yusuke Suzuki + + [WTF] Drop Thread::create(obsolete things) API since we can use lambda + https://bugs.webkit.org/show_bug.cgi?id=173825 + + Reviewed by Saam Barati. + + * jsc.cpp: + (startTimeoutThreadIfNeeded): + (timeoutThreadMain): Deleted. + +2017-06-26 Konstantin Tokarev + + Unreviewed, add missing header for CLoop + + * runtime/SymbolTable.cpp: + +2017-06-26 Konstantin Tokarev + + Unreviewed, add missing header icncludes + + * parser/Lexer.h: + +2017-06-25 Konstantin Tokarev + + Remove excessive headers from JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=173812 + + Reviewed by Darin Adler. + + * API/APIUtils.h: + * assembler/LinkBuffer.cpp: + * assembler/MacroAssemblerCodeRef.cpp: + * b3/air/AirLiveness.h: + * b3/air/AirLowerAfterRegAlloc.cpp: + * bindings/ScriptValue.cpp: + * bindings/ScriptValue.h: + * bytecode/AccessCase.cpp: + * bytecode/AccessCase.h: + * bytecode/ArrayProfile.h: + * bytecode/BytecodeDumper.h: + * bytecode/BytecodeIntrinsicRegistry.cpp: + * bytecode/BytecodeKills.h: + * bytecode/BytecodeLivenessAnalysis.h: + * bytecode/BytecodeUseDef.h: + * bytecode/CallLinkStatus.h: + * bytecode/CodeBlock.h: + * bytecode/CodeOrigin.h: + * bytecode/ComplexGetStatus.h: + * bytecode/GetByIdStatus.h: + * bytecode/GetByIdVariant.h: + * bytecode/InlineCallFrame.h: + * bytecode/InlineCallFrameSet.h: + * bytecode/Instruction.h: + * bytecode/InternalFunctionAllocationProfile.h: + * bytecode/JumpTable.h: + * bytecode/MethodOfGettingAValueProfile.h: + * bytecode/ObjectPropertyConditionSet.h: + * bytecode/Operands.h: + * bytecode/PolymorphicAccess.h: + * bytecode/PutByIdStatus.h: + * bytecode/SpeculatedType.cpp: + * bytecode/StructureSet.h: + * bytecode/StructureStubInfo.h: + * bytecode/UnlinkedCodeBlock.h: + * bytecode/UnlinkedFunctionExecutable.h: + * bytecode/ValueProfile.h: + * bytecompiler/BytecodeGenerator.cpp: + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/Label.h: + * 
bytecompiler/StaticPropertyAnalysis.h: + * debugger/DebuggerCallFrame.cpp: + * dfg/DFGAbstractInterpreter.h: + * dfg/DFGAdjacencyList.h: + * dfg/DFGArgumentsUtilities.h: + * dfg/DFGArrayMode.h: + * dfg/DFGArrayifySlowPathGenerator.h: + * dfg/DFGBackwardsPropagationPhase.h: + * dfg/DFGBasicBlock.h: + * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: + * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: + * dfg/DFGCapabilities.h: + * dfg/DFGCommon.h: + * dfg/DFGCommonData.h: + * dfg/DFGDesiredIdentifiers.h: + * dfg/DFGDesiredWatchpoints.h: + * dfg/DFGDisassembler.cpp: + * dfg/DFGDominators.h: + * dfg/DFGDriver.cpp: + * dfg/DFGDriver.h: + * dfg/DFGEdgeDominates.h: + * dfg/DFGFinalizer.h: + * dfg/DFGGenerationInfo.h: + * dfg/DFGJITCompiler.cpp: + * dfg/DFGJITCompiler.h: + * dfg/DFGJITFinalizer.h: + * dfg/DFGLivenessAnalysisPhase.h: + * dfg/DFGMinifiedNode.h: + * dfg/DFGMultiGetByOffsetData.h: + * dfg/DFGNaturalLoops.cpp: + * dfg/DFGNaturalLoops.h: + * dfg/DFGNode.h: + * dfg/DFGOSRAvailabilityAnalysisPhase.h: + * dfg/DFGOSRExit.h: + * dfg/DFGOSRExitCompilationInfo.h: + * dfg/DFGOSRExitCompiler.cpp: + * dfg/DFGOSRExitCompiler.h: + * dfg/DFGOSRExitJumpPlaceholder.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPlan.h: + * dfg/DFGPreciseLocalClobberize.h: + * dfg/DFGPromotedHeapLocation.h: + * dfg/DFGRegisteredStructure.h: + * dfg/DFGRegisteredStructureSet.h: + * dfg/DFGSaneStringGetByValSlowPathGenerator.h: + * dfg/DFGSlowPathGenerator.h: + * dfg/DFGSnippetParams.h: + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGToFTLDeferredCompilationCallback.h: + * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: + * dfg/DFGValidate.h: + * dfg/DFGValueSource.h: + * dfg/DFGVariableEvent.h: + * dfg/DFGVariableEventStream.h: + * dfg/DFGWorklist.h: + * domjit/DOMJITCallDOMGetterSnippet.h: + * domjit/DOMJITEffect.h: + * ftl/FTLLink.cpp: + * ftl/FTLLowerDFGToB3.cpp: + * ftl/FTLPatchpointExceptionHandle.h: + * heap/AllocatorAttributes.h: + * heap/CodeBlockSet.h: + * 
heap/DeferGC.h: + * heap/GCSegmentedArray.h: + * heap/Heap.cpp: + * heap/Heap.h: + * heap/IncrementalSweeper.h: + * heap/ListableHandler.h: + * heap/MachineStackMarker.h: + * heap/MarkedAllocator.h: + * heap/MarkedBlock.cpp: + * heap/MarkedBlock.h: + * heap/MarkingConstraint.h: + * heap/SlotVisitor.cpp: + * heap/SlotVisitor.h: + * inspector/ConsoleMessage.cpp: + * inspector/ConsoleMessage.h: + * inspector/InjectedScript.h: + * inspector/InjectedScriptHost.h: + * inspector/InjectedScriptManager.cpp: + * inspector/JSGlobalObjectInspectorController.cpp: + * inspector/JavaScriptCallFrame.h: + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStackFactory.cpp: + * inspector/ScriptDebugServer.h: + * inspector/agents/InspectorConsoleAgent.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + * inspector/agents/InspectorDebuggerAgent.h: + * inspector/agents/InspectorHeapAgent.cpp: + * inspector/agents/InspectorHeapAgent.h: + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/agents/InspectorScriptProfilerAgent.cpp: + * inspector/agents/InspectorScriptProfilerAgent.h: + * inspector/agents/JSGlobalObjectConsoleAgent.h: + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + * inspector/agents/JSGlobalObjectDebuggerAgent.h: + * inspector/agents/JSGlobalObjectRuntimeAgent.h: + * inspector/augmentable/AlternateDispatchableAgent.h: + * interpreter/CLoopStack.h: + * interpreter/CachedCall.h: + * interpreter/CallFrame.h: + * interpreter/Interpreter.cpp: + * interpreter/Interpreter.h: + * jit/AssemblyHelpers.cpp: + * jit/AssemblyHelpers.h: + * jit/CCallHelpers.h: + * jit/CallFrameShuffler.h: + * jit/ExecutableAllocator.h: + * jit/GCAwareJITStubRoutine.h: + * jit/HostCallReturnValue.h: + * jit/ICStats.h: + * jit/JIT.cpp: + * jit/JIT.h: + * jit/JITAddGenerator.h: + * jit/JITCall32_64.cpp: + * jit/JITCode.h: + * jit/JITDisassembler.cpp: + * jit/JITExceptions.cpp: + * jit/JITMathIC.h: + * jit/JITOpcodes.cpp: + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * 
jit/JITThunks.cpp: + * jit/JITThunks.h: + * jit/JSInterfaceJIT.h: + * jit/PCToCodeOriginMap.h: + * jit/PolymorphicCallStubRoutine.h: + * jit/RegisterSet.h: + * jit/Repatch.h: + * jit/SetupVarargsFrame.h: + * jit/Snippet.h: + * jit/SnippetParams.h: + * jit/ThunkGenerators.h: + * jsc.cpp: + * llint/LLIntCLoop.h: + * llint/LLIntEntrypoint.h: + * llint/LLIntExceptions.h: + * llint/LLIntOfflineAsmConfig.h: + * llint/LLIntSlowPaths.cpp: + * parser/NodeConstructors.h: + * parser/Nodes.cpp: + * parser/Nodes.h: + * parser/Parser.cpp: + * parser/Parser.h: + * parser/ParserTokens.h: + * parser/SourceProviderCacheItem.h: + * profiler/ProfilerBytecodeSequence.h: + * profiler/ProfilerDatabase.cpp: + * profiler/ProfilerDatabase.h: + * profiler/ProfilerOrigin.h: + * profiler/ProfilerOriginStack.h: + * profiler/ProfilerProfiledBytecodes.h: + * profiler/ProfilerUID.h: + * runtime/AbstractModuleRecord.h: + * runtime/ArrayConstructor.h: + * runtime/ArrayConventions.h: + * runtime/ArrayIteratorPrototype.h: + * runtime/ArrayPrototype.h: + * runtime/BasicBlockLocation.h: + * runtime/Butterfly.h: + * runtime/CallData.cpp: + * runtime/CodeCache.h: + * runtime/CommonSlowPaths.cpp: + * runtime/CommonSlowPaths.h: + * runtime/CommonSlowPathsExceptions.cpp: + * runtime/Completion.cpp: + * runtime/ControlFlowProfiler.h: + * runtime/DateInstanceCache.h: + * runtime/ErrorConstructor.h: + * runtime/ErrorInstance.h: + * runtime/ExceptionHelpers.cpp: + * runtime/ExceptionHelpers.h: + * runtime/ExecutableBase.h: + * runtime/FunctionExecutable.h: + * runtime/HasOwnPropertyCache.h: + * runtime/Identifier.h: + * runtime/InternalFunction.h: + * runtime/IntlCollator.cpp: + * runtime/IntlCollatorPrototype.h: + * runtime/IntlDateTimeFormatPrototype.h: + * runtime/IntlNumberFormat.cpp: + * runtime/IntlNumberFormatPrototype.h: + * runtime/IteratorOperations.cpp: + * runtime/JSArray.h: + * runtime/JSArrayBufferPrototype.h: + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + * runtime/JSCell.h: + * 
runtime/JSFunction.cpp: + * runtime/JSFunction.h: + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + * runtime/JSGlobalObject.cpp: + * runtime/JSGlobalObject.h: + * runtime/JSGlobalObjectDebuggable.cpp: + * runtime/JSGlobalObjectDebuggable.h: + * runtime/JSGlobalObjectFunctions.cpp: + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSJob.cpp: + * runtime/JSLock.h: + * runtime/JSModuleLoader.cpp: + * runtime/JSModuleNamespaceObject.h: + * runtime/JSModuleRecord.h: + * runtime/JSObject.cpp: + * runtime/JSObject.h: + * runtime/JSRunLoopTimer.h: + * runtime/JSTemplateRegistryKey.h: + * runtime/JSTypedArrayPrototypes.cpp: + * runtime/JSTypedArrayPrototypes.h: + * runtime/JSTypedArrays.h: + * runtime/LiteralParser.h: + * runtime/MatchResult.h: + * runtime/MemoryStatistics.h: + * runtime/PrivateName.h: + * runtime/PromiseDeferredTimer.h: + * runtime/ProxyObject.h: + * runtime/RegExp.h: + * runtime/SamplingProfiler.cpp: + * runtime/SmallStrings.h: + * runtime/StringPrototype.cpp: + * runtime/StringRecursionChecker.h: + * runtime/Structure.h: + * runtime/SymbolConstructor.h: + * runtime/SymbolPrototype.cpp: + * runtime/SymbolPrototype.h: + * runtime/TypeProfiler.h: + * runtime/TypeProfilerLog.h: + * runtime/TypedArrayType.h: + * runtime/VM.cpp: + * runtime/VM.h: + * runtime/VMEntryScope.h: + * runtime/WeakMapData.h: + * runtime/WriteBarrier.h: + * tools/FunctionOverrides.cpp: + * tools/FunctionOverrides.h: + * wasm/WasmBinding.cpp: + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/WebAssemblyPrototype.cpp: + * yarr/Yarr.h: + * yarr/YarrJIT.cpp: + * yarr/YarrJIT.h: + * yarr/YarrParser.h: + +2017-06-24 Yusuke Suzuki + + [JSC] Clean up Object.entries implementation + https://bugs.webkit.org/show_bug.cgi?id=173759 + + Reviewed by Sam Weinig. + + This patch cleans up Object.entries implementation. + We drop unused private functions. And we merge the + implementation into Object.entries. + + It slightly speeds up Object.entries speed. 
+ + baseline patched + + object-entries 148.0101+-5.6627 142.1877+-4.8661 might be 1.0409x faster + + + * builtins/BuiltinNames.h: + * builtins/ObjectConstructor.js: + (entries): + (globalPrivate.enumerableOwnProperties): Deleted. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/ObjectConstructor.cpp: + (JSC::ownEnumerablePropertyKeys): Deleted. + * runtime/ObjectConstructor.h: + +2017-06-24 Joseph Pecoraro + + Remove Reflect.enumerate + https://bugs.webkit.org/show_bug.cgi?id=173806 + + Reviewed by Yusuke Suzuki. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::subtype): + (Inspector::JSInjectedScriptHost::getInternalProperties): + (Inspector::JSInjectedScriptHost::iteratorEntries): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSPropertyNameIterator.cpp: Removed. + * runtime/JSPropertyNameIterator.h: Removed. + * runtime/ReflectObject.cpp: + (JSC::reflectObjectEnumerate): Deleted. + +2017-06-23 Keith Miller + + Switch VMTraps to use halt instructions rather than breakpoint instructions + https://bugs.webkit.org/show_bug.cgi?id=173677 + + + Reviewed by JF Bastien. + + Using the breakpoint instruction for VMTraps caused issues with lldb. + Since we only need some way to stop execution we can, in theory, use + any exceptioning instruction we want. I went with the halt instruction + on X86 since that is the only one byte instruction that does not + breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT). + On ARM we use the data cache clearing instruction with the zero register, + which triggers a segmentation fault. + + Also, update the platform code to only use signaling VMTraps + on where we have an appropriate instruction (x86 and ARM64). 
+ + * API/tests/ExecutionTimeLimitTest.cpp: + (testExecutionTimeLimit): + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::replaceWithVMHalt): + (JSC::ARM64Assembler::dataCacheZeroVirtualAddress): + (JSC::ARM64Assembler::replaceWithBkpt): Deleted. + * assembler/ARMAssembler.h: + (JSC::ARMAssembler::replaceWithBkpt): Deleted. + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::replaceWithBkpt): Deleted. + * assembler/MIPSAssembler.h: + (JSC::MIPSAssembler::replaceWithBkpt): Deleted. + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted. + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::replaceWithVMHalt): + (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted. + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::storeFence): + (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted. + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted. + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::replaceWithVMHalt): + (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted. + * assembler/X86Assembler.h: + (JSC::X86Assembler::replaceWithHlt): + (JSC::X86Assembler::replaceWithInt3): Deleted. + * dfg/DFGJumpReplacement.cpp: + (JSC::DFG::JumpReplacement::installVMTrapBreakpoint): + * runtime/VMTraps.cpp: + (JSC::SignalContext::SignalContext): + (JSC::installSignalHandler): + (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted. + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::enableFastMemory): + +2017-06-22 Saam Barati + + The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation + https://bugs.webkit.org/show_bug.cgi?id=173743 + + + Reviewed by Mark Lam. + + The code always manually speculates, however, we weren't specifying + ManualOperandSpeculation when creating a JSValueOperand. 
This would + fire an assertion in JSValueOperand construction for a node like: + Identity(String:@otherNode) + + I spent about 45 minutes trying to craft a test and came up + empty. However, this fixes a debug assertion on an internal + Apple website. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2017-06-22 Saam Barati + + ValueRep(DoubleRep(@v)) can not simply convert to @v + https://bugs.webkit.org/show_bug.cgi?id=173687 + + + Reviewed by Mark Lam. + + Consider this IR: + block#x + p: Phi() // int32 and double flows into this phi from various control flow + d: DoubleRep(@p) + some uses of @d here + v: ValueRep(DoubleRepUse:@d) + a: NewArrayWithSize(Int32:@v) + some more nodes here ... + + Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32, + AI proves that the Int32 check will fail. Constant folding phase removes + all nodes after @a and inserts an Unreachable after the NewArrayWithSize node. + + The IR then looks like this: + block#x + p: Phi() // int32 and double flows into this phi from various control flow + d: DoubleRep(@p) + some uses of @d here + v: ValueRep(DoubleRepUse:@d) + a: NewArrayWithSize(Int32:@v) + Unreachable + + However, there was a strength reduction rule that tries eliminate redundant + conversions. It used to convert the program to: + block#x + p: Phi() // int32 and double flows into this phi from various control flow + d: DoubleRep(@p) + some uses of @d here + a: NewArrayWithSize(Int32:@p) + Unreachable + + However, at runtime, @p will actually be an Int32, so @a will not OSR exit, + and we'll crash. This patch removes this strength reduction rule since it + does not maintain what would have happened if we executed the program before + the rule. 
+ + This rule is also wrong for other types of programs (I'm not sure we'd + actually emit this code, but if such IR were generated, we would previously + optimize it incorrectly): + @a: Constant(JSTrue) + @b: DoubleRep(@a) + @c: ValueRep(@b) + @d: use(@c) + + However, the strength reduction rule would've transformed this into: + @a: Constant(JSTrue) + @d: use(@a) + + And this would be wrong because node @c before the transformation would + have produced the JSValue jsNumber(1.0). + + This patch was neutral in the benchmark run I did. + + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + +2017-06-22 JF Bastien + + ARM64: doubled executable memory limit from 32MiB to 64MiB + https://bugs.webkit.org/show_bug.cgi?id=173734 + + + Reviewed by Oliver Hunt. + + Some WebAssembly programs stress the amount of memory we have + available, especially when we consider tiering (BBQ never dies, + and is bigger that OMG). Tiering to OMG just piles on more memory, + and we're also competing with JavaScript. + + * jit/ExecutableAllocator.h: + +2017-06-22 Joseph Pecoraro + + Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews + https://bugs.webkit.org/show_bug.cgi?id=173698 + + Reviewed by Matt Baker. + + When pausing in a deep call stack the majority of the time spent in JavaScriptCore + when preparing Inspector pause information is spent generating object previews for + the `thisObject` of each of the call frames. In some cases, this could be more + than 95% of the time generating pause information. In the common case, only one of + these (the top frame) will ever be seen by users. This change avoids eagerly + generating object previews up front and let the frontend request previews if they + are needed. + + This introduces the `Runtime.getPreview` protocol command. This can be used to: + + - Get a preview for a RemoteObject that did not have a preview but could. 
+ - Update a preview for a RemoteObject that had a preview. + + This patch only uses it for the first case, but the second is valid and may be + something we want to do in the future. + + * inspector/protocol/Runtime.json: + A new command to get an up to date preview for an object. + + * inspector/InjectedScript.h: + * inspector/InjectedScript.cpp: + (Inspector::InjectedScript::getPreview): + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::getPreview): + * inspector/agents/InspectorRuntimeAgent.h: + Plumbing for the new command. + + * inspector/InjectedScriptSource.js: + (InjectedScript.prototype.getPreview): + Implementation just uses the existing helper. + + (InjectedScript.CallFrameProxy): + Do not generate a preview for the this object as it may not be shown. + Let the frontend request a preview if it wants or needs one. + +2017-06-22 Joseph Pecoraro + + Web Inspector: Remove stale "rawScopes" concept that was never available in JSC + https://bugs.webkit.org/show_bug.cgi?id=173686 + + Reviewed by Mark Lam. + + * inspector/InjectedScript.cpp: + (Inspector::InjectedScript::functionDetails): + * inspector/InjectedScriptSource.js: + (InjectedScript.prototype.functionDetails): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::functionDetails): + +2017-06-22 Yusuke Suzuki + + [JSC] Object.values should be implemented in C++ + https://bugs.webkit.org/show_bug.cgi?id=173703 + + Reviewed by Sam Weinig. + + As the same to Object.assign, Object.values() is also inherently polymorphic. + And allocating JSString / Symbol for Identifier and JSArray for Object.keys() + result is costly. + + In this patch, we implement Object.values() in C++. It can avoid above allocations. + Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip + non-observable JSObject::get() calls. + + This improves performance by 2.49x. 
And also now Object.values() beats + Object.keys(object).map(key => object[key]) implementation. + + baseline patched + + object-values 132.1551+-3.7209 ^ 53.1254+-1.6139 ^ definitely 2.4876x faster + object-keys-map-values 78.2008+-2.1378 ? 78.9078+-2.2121 ? + + * builtins/ObjectConstructor.js: + (values): Deleted. + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorValues): + +2017-06-21 Saam Barati + + ArrayPrototype.map builtin declares a var it does not use + https://bugs.webkit.org/show_bug.cgi?id=173685 + + Reviewed by Keith Miller. + + * builtins/ArrayPrototype.js: + (map): + +2017-06-21 Saam Barati + + eval virtual call is incorrect in the baseline JIT + https://bugs.webkit.org/show_bug.cgi?id=173587 + + + Reviewed by Michael Saboff. + + When making a virtual call for call_eval, e.g, when the thing + we're calling isn't actually eval, we end up calling the caller + instead of the callee. This is clearly wrong. The code ends up + issuing a load for the Callee in the callers frame instead of + the callee we're calling. The fix is simple, we just need to + load the real callee. Only the 32-bit baseline JIT had this bug. + + * jit/JITCall32_64.cpp: + (JSC::JIT::compileCallEvalSlowCase): + +2017-06-21 Joseph Pecoraro + + Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector + https://bugs.webkit.org/show_bug.cgi?id=172432 + + + Reviewed by Saam Barati. + + Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang. + We will proceed to improve debugging of these cases in the follow-up bugs. + + * debugger/Debugger.cpp: + (JSC::Debugger::exception): + Ignore pausing on these errors. 
+ + * runtime/ErrorInstance.h: + (JSC::ErrorInstance::setStackOverflowError): + (JSC::ErrorInstance::isStackOverflowError): + (JSC::ErrorInstance::setOutOfMemoryError): + (JSC::ErrorInstance::isOutOfMemoryError): + * runtime/ExceptionHelpers.cpp: + (JSC::createStackOverflowError): + * runtime/Error.cpp: + (JSC::createOutOfMemoryError): + Mark these kinds of errors. + +2017-06-21 Saam Barati + + Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter + https://bugs.webkit.org/show_bug.cgi?id=173609 + + Reviewed by Keith Miller. + + This patch makes many of the IC generating functions require a locker as + a parameter. We do this in other places in JSC to indicate that + a particular API is only valid while a particular lock is held. + This is the case when generating ICs. This patch just makes it + explicit in the IC generating interface. + + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::addCases): + (JSC::PolymorphicAccess::addCase): + (JSC::PolymorphicAccess::commit): + (JSC::PolymorphicAccess::regenerate): + * bytecode/PolymorphicAccess.h: + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::addAccessCase): + (JSC::StructureStubInfo::initStub): Deleted. + * bytecode/StructureStubInfo.h: + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::repatchGetByID): + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + (JSC::tryRepatchIn): + (JSC::repatchIn): + +2017-06-20 Myles C. Maxfield + + Disable font variations on macOS Sierra and iOS 10 + https://bugs.webkit.org/show_bug.cgi?id=173618 + + + Reviewed by Jon Lee. + + * Configurations/FeatureDefines.xcconfig: + +2017-06-20 Keith Miller + + Fix leak of ModuleInformations in BBQPlan constructors. + https://bugs.webkit.org/show_bug.cgi?id=173577 + + Reviewed by Saam Barati. + + This patch fixes a leak in the BBQPlan constructiors. Previously, + the plans were calling makeRef on the newly constructed objects. 
+ This patch fixes the issue and uses adoptRef instead. Additionally, + an old, incorrect, attempt to fix the leak is removed. + + * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: + (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): + * jit/JITWorklist.cpp: + (JSC::JITWorklist::Thread::Thread): + * runtime/PromiseDeferredTimer.cpp: + (JSC::PromiseDeferredTimer::addPendingPromise): + * runtime/VM.cpp: + (JSC::VM::VM): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::BBQPlan): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::Plan): + +2017-06-20 Devin Rousso + + Web Inspector: Send context attributes for tracked canvases + https://bugs.webkit.org/show_bug.cgi?id=173327 + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Canvas.json: + Add ContextAttributes object type that is optionally used for WebGL canvases. + +2017-06-20 Konstantin Tokarev + + Remove excessive include directives from WTF + https://bugs.webkit.org/show_bug.cgi?id=173553 + + Reviewed by Saam Barati. + + * profiler/ProfilerDatabase.cpp: Added missing include directive. + * runtime/SamplingProfiler.cpp: Ditto. + +2017-06-20 Oleksandr Skachkov + + Revert changes in bug#160417 about extending `null` not being a derived class + https://bugs.webkit.org/show_bug.cgi?id=169293 + + Reviewed by Saam Barati. + + Reverted changes in bug#160417 about extending `null` not being a derived class + according to changes in spec: + https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2 + + * builtins/BuiltinNames.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitReturn): + * bytecompiler/NodesCodegen.cpp: + (JSC::ClassExprNode::emitBytecode): + +2017-06-20 Saam Barati + + repatchIn needs to lock the CodeBlock's lock + https://bugs.webkit.org/show_bug.cgi?id=173573 + + Reviewed by Yusuke Suzuki. 
+ + CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's + lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating + an IC, we must hold the CodeBlock's to prevent the executing thread from racing + with the marking thread. repatchIn was not grabbing the lock. I haven't been + able to get it to crash, but this is needed for the same reasons that get and put IC + regeneration grab the lock. + + * jit/Repatch.cpp: + (JSC::repatchIn): + +2017-06-19 Devin Rousso + + Web Inspector: create canvas content view and details sidebar panel + https://bugs.webkit.org/show_bug.cgi?id=138941 + + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Canvas.json: + - Add an optional `nodeId` attribute to the `Canvas` type. + - Add `requestNode` command for getting the node id of the backing canvas element. + - Add `requestContent` command for getting the current image content of the canvas. + +2017-06-19 Yusuke Suzuki + + Unreviewed, build fix for ARM + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::internalCompare32): + +2017-06-13 Yusuke Suzuki + + [DFG] More ArrayIndexOf fixups for various types + https://bugs.webkit.org/show_bug.cgi?id=173176 + + Reviewed by Saam Barati. + + This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL. + + 1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array + never contains the given search value. + + 2. We support Symbol and Other specialization additionally. Especially, Other is + useful because null/undefined can be used as a sentinel value. + + One interesting thing is that Array.prototype.indexOf does not consider holes as + undefineds. Thus, + + var array = [,,,,,,,]; + array.indexOf(undefined); // => -1 + + This can be trivially achieved in JSC because Empty and Undefined are different values. 
+ + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupArrayIndexOf): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): + (JSC::DFG::SpeculativeJIT::speculateOther): + * dfg/DFGSpeculativeJIT.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf): + +2017-06-19 Caio Lima + + [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0 + https://bugs.webkit.org/show_bug.cgi?id=172972 + + Reviewed by Mark Lam. + + We are changing internalCompare32 implementation in ARM + MacroAssembler to emit "cmp" when the "right.value" is 0. + It is generating wrong comparison cases, since the + semantics of cmn is opposite of cmp[1]. One case that it's breaking is + "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", where ends + resulting in following assembly code: + + ``` + cmn $r0, #0 + bhi
+ ``` + + However, as cmn is similar to "adds", it will never take the branch + when $r0 > 0. In that case, the correct opcode is "cmp". With this + patch we will fix current broken tests that uses + "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", + such as ForwardVarargs, Spread and GetRestLength. + + [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::internalCompare32): + +2017-06-19 Joseph Pecoraro + + test262: Completion values for control flow do not match the spec + https://bugs.webkit.org/show_bug.cgi?id=171265 + + Reviewed by Saam Barati. + + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue): + When we care about having proper completion values (global code + in programs, modules, and eval) insert undefined results for + control flow statements. + + * bytecompiler/NodesCodegen.cpp: + (JSC::SourceElements::emitBytecode): + Reduce writing a default `undefined` value to the completion result to + only once before the last statement we know will produce a value. + + (JSC::IfElseNode::emitBytecode): + (JSC::WithNode::emitBytecode): + (JSC::WhileNode::emitBytecode): + (JSC::ForNode::emitBytecode): + (JSC::ForInNode::emitBytecode): + (JSC::ForOfNode::emitBytecode): + (JSC::SwitchNode::emitBytecode): + Insert an undefined to handle cases where code may break out of an + if/else or with statement (break/continue). + + (JSC::TryNode::emitBytecode): + Same handling for break cases. Also, finally block statement completion + values are always ignored for the try statement result. + + (JSC::ClassDeclNode::emitBytecode): + Class declarations, like function declarations, produce an empty result. 
+ + * parser/Nodes.cpp: + (JSC::SourceElements::lastStatement): + (JSC::SourceElements::hasCompletionValue): + (JSC::SourceElements::hasEarlyBreakOrContinue): + (JSC::BlockNode::lastStatement): + (JSC::BlockNode::singleStatement): + (JSC::BlockNode::hasCompletionValue): + (JSC::BlockNode::hasEarlyBreakOrContinue): + (JSC::ScopeNode::singleStatement): + (JSC::ScopeNode::hasCompletionValue): + (JSC::ScopeNode::hasEarlyBreakOrContinue): + The only non-trivial cases need to loop through their list of statements + to determine if this has a completion value or not. Likewise for + determining if there is an early break / continue, meaning a break or + continue statement with no preceding statement that has a completion value. + + * parser/Nodes.h: + (JSC::StatementNode::next): + (JSC::StatementNode::hasCompletionValue): + Helper to check if a statement nodes produces a completion value or not. + +2017-06-19 Adrian Perez de Castro + + Missing includes make builds fail with GCC 7.x + https://bugs.webkit.org/show_bug.cgi?id=173544 + + Unreviewed gardening. + + Fix compilation with GCC 7. + + * API/tests/CompareAndSwapTest.cpp: + * runtime/VMEntryScope.h: + +2017-06-17 Keith Miller + + ArrayBuffer constructor needs to create subclass structures before its buffer + https://bugs.webkit.org/show_bug.cgi?id=173510 + + Reviewed by Yusuke Suzuki. + + * runtime/JSArrayBufferConstructor.cpp: + (JSC::constructArrayBuffer): + +2017-06-17 Keith Miller + + ArrayPrototype methods should use JSValue::toLength for non-Arrays. + https://bugs.webkit.org/show_bug.cgi?id=173506 + + Reviewed by Ryosuke Niwa. + + This patch changes the result of unshift if old length + + unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also, + the getLength function, which was always incorrect to use, has + been removed. 
Additionally, some cases where we were using a + constant for (2 ** 53) - 1 have been replaced with + maxSafeInteger() + + * interpreter/Interpreter.cpp: + (JSC::sizeOfVarargs): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + * runtime/JSArrayInlines.h: + (JSC::getLength): Deleted. + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toLength): + * runtime/NumberConstructor.cpp: + (JSC::numberConstructorFuncIsSafeInteger): + +2017-06-16 Matt Baker + + Web Inspector: Instrument 2D/WebGL canvas contexts in the backend + https://bugs.webkit.org/show_bug.cgi?id=172623 + + + Reviewed by Devin Rousso and Joseph Pecoraro. + + This patch adds a basic Canvas protocol. It includes Canvas and related + types and events for monitoring the lifetime of canvases in the page. + + * CMakeLists.txt: + * DerivedSources.make: + * inspector/protocol/Canvas.json: Added. + + * inspector/scripts/codegen/generator.py: + (Generator.stylized_name_for_enum_value): + Add special handling for Canvas.ContextType protocol enumeration, + so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`. + +2017-06-16 Wenson Hsieh + + [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit + https://bugs.webkit.org/show_bug.cgi?id=173366 + + + Reviewed by Tim Horton. + + Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig. + + * Configurations/FeatureDefines.xcconfig: + +2017-06-16 Yusuke Suzuki + + [JSC] Add fast path for Object.assign + https://bugs.webkit.org/show_bug.cgi?id=173416 + + Reviewed by Mark Lam. + + In Object.assign implementation, we need to ensure that given key is still enumerable own key. + This seems duplicate look up. 
And we want to avoid this. However, we still need to perform this + check in the face of Proxy. Proxy can observe that this check is done correctly. + + In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation. + In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`. + If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the + value by calling `slot.getValue()`. + + This further improves performance of Object.assign. + + baseline patched + + object-assign.es6 363.6706+-6.4381 ^ 324.1769+-6.9624 ^ definitely 1.1218x faster + + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorAssign): + +2017-06-16 Michael Saboff + + Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js + https://bugs.webkit.org/show_bug.cgi?id=173488 + + Reviewed by Filip Pizlo. + + ClonedArguments lazily sets its callee and interator properties and it used its own inline + code to initialize its butterfly. This means that these lazily set properties can have + bogus values in those slots. Instead, let's use the standard BUtterfly:tryCreate() method + to create the butterfly as it clears out of line properties. + + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::createEmpty): + +2017-06-16 Mark Lam + + Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods. + https://bugs.webkit.org/show_bug.cgi?id=173491 + + Reviewed by Keith Miller. + + The implementation are based on static data. There's no need to get the + interpreter instance. Hence, we can make these methods static and avoid doing + unnecessary work to compute the interpreter this pointer. + + Also removed the unused isCallBytecode method. 
+ + * bytecode/BytecodeBasicBlock.cpp: + (JSC::BytecodeBasicBlock::computeImpl): + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printGetByIdOp): + (JSC::BytecodeDumper::printGetByIdCacheStatus): + (JSC::BytecodeDumper::dumpBytecode): + (JSC::BytecodeDumper::dumpBlock): + * bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::BytecodeLivenessAnalysis::dumpResults): + * bytecode/BytecodeLivenessAnalysisInlines.h: + (JSC::BytecodeLivenessPropagation::stepOverInstruction): + * bytecode/BytecodeRewriter.cpp: + (JSC::BytecodeRewriter::adjustJumpTargetsInFragment): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::finalizeLLIntInlineCaches): + (JSC::CodeBlock::hasOpDebugForLineAndColumn): + (JSC::CodeBlock::usesOpcode): + (JSC::CodeBlock::valueProfileForBytecodeOffset): + (JSC::CodeBlock::arithProfileForPC): + (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler): + * bytecode/PreciseJumpTargets.cpp: + (JSC::getJumpTargetsForBytecodeOffset): + (JSC::computePreciseJumpTargetsInternal): + (JSC::findJumpTargetsForBytecodeOffset): + * bytecode/PreciseJumpTargetsInlines.h: + (JSC::extractStoredJumpTargetsForBytecodeOffset): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::applyModification): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::Interpreter): + (JSC::Interpreter::isOpcode): + (): Deleted. + * interpreter/Interpreter.h: + (JSC::Interpreter::getOpcode): Deleted. + (JSC::Interpreter::getOpcodeID): Deleted. + (JSC::Interpreter::isCallBytecode): Deleted. 
+ * interpreter/InterpreterInlines.h: + (JSC::Interpreter::getOpcode): + (JSC::Interpreter::getOpcodeID): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JITOpcodes.cpp: + (JSC::JIT::emitNewFuncCommon): + (JSC::JIT::emitNewFuncExprCommon): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::privateCompilePutByVal): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_put_by_val): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::llint_trace_operand): + (JSC::LLInt::llint_trace_value): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * profiler/ProfilerBytecodeSequence.cpp: + (JSC::Profiler::BytecodeSequence::BytecodeSequence): + +2017-06-16 Matt Lewis + + Unreviewed, rolling out r218376. + + The patch cause multiple Layout Test Crashes. + + Reverted changeset: + + "Web Inspector: Instrument 2D/WebGL canvas contexts in the + backend" + https://bugs.webkit.org/show_bug.cgi?id=172623 + http://trac.webkit.org/changeset/218376 + +2017-06-16 Konstantin Tokarev + + REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters + https://bugs.webkit.org/show_bug.cgi?id=173470 + + Reviewed by Joseph Pecoraro. + + ConsoleClient::printConsoleMessageWithArguments() incorrectly uses + const char* overload of StringBuilder::append() that assummes Latin1 + encoding, not UTF8. + + * runtime/ConsoleClient.cpp: + (JSC::ConsoleClient::printConsoleMessageWithArguments): + +2017-06-15 Mark Lam + + Add a JSRunLoopTimer registry in VM. + https://bugs.webkit.org/show_bug.cgi?id=173429 + + + Reviewed by Filip Pizlo. + + This way, we can be sure we've got every JSRunLoopTimer instance covered if we + need to change their run loop (e.g. when setting to the WebThread's run loop). + + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::setRunLoop): Deleted. + * heap/Heap.h: + (JSC::Heap::runLoop): Deleted. 
+ * runtime/JSRunLoopTimer.cpp: + (JSC::JSRunLoopTimer::JSRunLoopTimer): + (JSC::JSRunLoopTimer::setRunLoop): + (JSC::JSRunLoopTimer::~JSRunLoopTimer): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::registerRunLoopTimer): + (JSC::VM::unregisterRunLoopTimer): + (JSC::VM::setRunLoop): + * runtime/VM.h: + (JSC::VM::runLoop): + +2017-06-15 Joseph Pecoraro + + [Cocoa] Modernize some internal initializers to use instancetype instead of id + https://bugs.webkit.org/show_bug.cgi?id=173112 + + Reviewed by Wenson Hsieh. + + * API/JSContextInternal.h: + * API/JSWrapperMap.h: + * API/JSWrapperMap.mm: + (-[JSObjCClassInfo initForClass:]): + (-[JSWrapperMap initWithGlobalContextRef:]): + +2017-06-15 Matt Baker + + Web Inspector: Instrument 2D/WebGL canvas contexts in the backend + https://bugs.webkit.org/show_bug.cgi?id=172623 + + + Reviewed by Devin Rousso. + + This patch adds a basic Canvas protocol. It includes Canvas and related + types and events for monitoring the lifetime of canvases in the page. + + * CMakeLists.txt: + * DerivedSources.make: + * inspector/protocol/Canvas.json: Added. + + * inspector/scripts/codegen/generator.py: + (Generator.stylized_name_for_enum_value): + Add special handling for Canvas.ContextType protocol enumeration, + so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`. + +2017-06-15 Keith Miller + + Add logging to MachineStackMarker to try to diagnose crashes in the wild + https://bugs.webkit.org/show_bug.cgi?id=173427 + + Reviewed by Mark Lam. + + This patch adds some logging to the MachineStackMarker constructor + to help figure out where we are seeing crashes. Since macOS does + not support os_log_info my hope is that if we set all the callee + save registers before making any calls in the C++ code we can + figure out which calls is the source of the crash. We also, set + all the caller save registers before returning in case some + weirdness is happening in the Heap constructor. 
+ + This logging should not matter from a performance perspective. We + only create MachineStackMarkers when we are creating a new VM, + which is already expensive. + + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::MachineThreads): + +2017-06-15 Yusuke Suzuki + + [JSC] Implement Object.assign in C++ + https://bugs.webkit.org/show_bug.cgi?id=173414 + + Reviewed by Saam Barati. + + Implementing Object.assign in JS is not so good compared to C++ version because, + + 1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key. + But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells are wasteful. + + 2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic. + So JS's type profile doesn't help well. + + 3. We have a chance to introduce various fast path for Object.assign in C++. + + This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1]. + + We can see 1.65x improvement in SixSpeed object-assign.es6. + + baseline patched + + object-assign.es6 643.3253+-8.0521 ^ 389.1075+-8.8840 ^ definitely 1.6533x faster + + [1]: https://bugs.webkit.org/show_bug.cgi?id=173416 + + * builtins/ObjectConstructor.js: + (entries): + (assign): Deleted. + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::putInline): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::putInline): + * runtime/JSObject.cpp: + (JSC::JSObject::put): + * runtime/JSObject.h: + * runtime/JSObjectInlines.h: + (JSC::JSObject::putInlineForJSObject): + (JSC::JSObject::putInline): Deleted. + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorAssign): + +2017-06-14 Dan Bernstein + + [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript + https://bugs.webkit.org/show_bug.cgi?id=168578 + + Reviewed by Geoff Garen. 
+ + * API/JSWrapperMap.mm: + (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol. + (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto. + (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if + it defines conformance to a JSExport-derived protocol and if so, avoid using the + superclass as a substitute as we’d normally do. + + * API/ObjcRuntimeExtras.h: + (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers + bail out. + + * API/tests/JSExportTests.mm: + (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this. + (runJSExportTests): Run new test. + +2017-06-14 Yusuke Suzuki + + Unreviewed, suppress invalid register alloation validation assertion in 32 bit part 2 + https://bugs.webkit.org/show_bug.cgi?id=172421 + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): + +2017-06-14 Claudio Saavedra + + REGRESSION: 15 new jsc failures in WPE and GTK+ + https://bugs.webkit.org/show_bug.cgi?id=173349 + + Reviewed by JF Bastien. + + Recent changes to generateWasm.py are not accounted for from + CMake, which leads to WasmOps.h not being regenerated in partial + builds. Make generateWasm.py an additional dependency. + * CMakeLists.txt: + +2017-06-13 Joseph Pecoraro + + Debugger has unexpected effect on program correctness + https://bugs.webkit.org/show_bug.cgi?id=172683 + + Reviewed by Saam Barati. + + * inspector/InjectedScriptSource.js: + (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): + (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal): + (BasicCommandLineAPI): + Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable. + We still use it for Set / Map iteration which we can eliminate when moving to builtins. 
+
+2017-06-13 JF Bastien
+
+ WebAssembly: fix erroneous signature comment
+ https://bugs.webkit.org/show_bug.cgi?id=173334
+
+ Reviewed by Keith Miller.
+
+ * wasm/WasmSignature.h:
+
+2017-06-13 Michael Saboff
+
+ Refactor AbsenceOfSetter to AbsenceOfSetEffects
+ https://bugs.webkit.org/show_bug.cgi?id=173322
+
+ Reviewed by Filip Pizlo.
+
+ * bytecode/ObjectPropertyCondition.h:
+ (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
+ (JSC::ObjectPropertyCondition::absenceOfSetEffect):
+ (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
+ (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::generateConditionsForPropertySetterMiss):
+ (JSC::generateConditionsForPropertySetterMissConcurrently):
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::dumpInContext):
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
+ (JSC::PropertyCondition::isStillValid):
+ (WTF::printInternal):
+ * bytecode/PropertyCondition.h:
+ (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
+ (JSC::PropertyCondition::absenceOfSetEffect):
+ (JSC::PropertyCondition::hasPrototype):
+ (JSC::PropertyCondition::hash):
+ (JSC::PropertyCondition::operator==):
+ (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
+ (JSC::PropertyCondition::absenceOfSetter): Deleted.
+
+2017-06-13 JF Bastien
+
+ WebAssembly: import updated spec tests
+ https://bugs.webkit.org/show_bug.cgi?id=173287
+
+
+ Reviewed by Saam Barati.
+
+ Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
+ with a few modifications so things work.
+
+ Fix a bunch of bugs found through this process, and punt a few tests (which I
+ marked as blocked by this bug).
+
+ Fixes:
+
+ Fix load / store alignment: r216908 erroneously implemented it as bit alignment
+ instead of byte alignment. It was also missing memory-alignment.js despite it
+ being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
+ pass.
+
+ Tables can be imported or in a section. There can be only one, but sections can
+ be empty. An Elements section can exist if there's no Table, as long as it is
+ also empty.
+
+ Memories can be imported or in a section. There can be only one, but sections
+ can be empty. A Data section can exist if there's no Memory, as long as it is
+ also empty.
+
+ Prototypes: stringify without .prototype. in the string.
+
+ WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
+ not a final size, and throws a RangeError on failure, not a TypeError.
+
+ Fix compile / instantiate so the reject the promise if given an argument of the
+ wrong type (instead of failing instantly).
+
+ Fix async on neuter test.
+
+ Element section shouldn't affect any Table if any of the elements are out of
+ bounds. We need to process it in two passes.
+
+ Segment section shouldn't affect any Data if any of the segments are out of
+ bounds. We need to process it in two passes.
+
+ Empty data segments are valid, but only when there is no memory. Their index
+ still gets validated, and has to be zero.
+
+ Punts:
+
+ Error messages with context, the test seems overly restrictive but this is
+ minor.
+
+ compile/instantiate/validate property descriptors.
+
+ UTF-8 bugs.
+
+ Temporarily disable NaN tests. We need to go back and implement the following
+ semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
+ much as getting all the other tests passing.
+
+ Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
+ no_fold_promote_demote (an interesting corner case which we get wrong). mul by
+ one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
+ 0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
+ to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
+ (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
+ why they're not allowed.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ * wasm/WasmFunctionParser.h:
+ * wasm/WasmModuleParser.cpp:
+ * wasm/WasmModuleParser.h:
+ * wasm/WasmParser.h:
+ (JSC::Wasm::Parser::consumeUTF8String):
+ * wasm/generateWasm.py:
+ (memoryLog2Alignment):
+ * wasm/js/JSWebAssemblyTable.cpp:
+ (JSC::JSWebAssemblyTable::grow):
+ * wasm/js/JSWebAssemblyTable.h:
+ * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
+ * wasm/js/WebAssemblyInstancePrototype.cpp:
+ * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::evaluate):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyCompileFunc):
+ (JSC::resolve):
+ (JSC::instantiate):
+ (JSC::compileAndInstantiate):
+ (JSC::webAssemblyInstantiateFunc):
+ * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::webAssemblyTableProtoFuncGrow):
+
+2017-06-13 Michael Saboff
+
+ DFG doesn't properly handle a property that is change to read only in a prototype
+ https://bugs.webkit.org/show_bug.cgi?id=173321
+
+ Reviewed by Filip Pizlo.
+
+ We need to check for ReadOnly as well as a not being a Setter when checking
+ an AbsenceOfSetter.
+
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
+
+2017-06-13 Daniel Bates
+
+ Implement W3C Secure Contexts Draft Specification
+ https://bugs.webkit.org/show_bug.cgi?id=158121
+
+
+ Reviewed by Brent Fulgham.
+
+ Part 4
+
+ Adds isSecureContext to the list of common identifiers as needed to support
+ toggling its exposure from a runtime enabled feature flag.
+
+ * runtime/CommonIdentifiers.h:
+
+2017-06-13 Don Olmstead
+
+ [JSC] Remove redundant includes in config.h
+ https://bugs.webkit.org/show_bug.cgi?id=173294
+
+ Reviewed by Alex Christensen.
+
+ * config.h:
+
+2017-06-12 Saam Barati
+
+ We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
+ https://bugs.webkit.org/show_bug.cgi?id=172957
+
+
+ Reviewed by Filip Pizlo.
+
+ Consider this program:
+ ```
+ block#1:
+ n: GetClosureVar(..., |this|) // this will load empty JSValue()
+ SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
+ Branch(#2, #3)
+
+ Block#3:
+ x: GetLocal(locFoo)
+ y: CheckNotEmpty(@x)
+ ```
+
+ If we claim that a cell check filters out the empty value, we will
+ incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
+ FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
+
+ On 64 bit platforms:
+ - Cell use kind *now allows* the empty value to pass through.
+ - CellOrOther use kind *now allows* for the empty value to pass through
+ - NotCell use kind *no longer allows* the empty value to pass through.
+
+ * assembler/CPU.h:
+ (JSC::isARMv7IDIVSupported):
+ (JSC::isARM64):
+ (JSC::isX86):
+ (JSC::isX86_64):
+ (JSC::is64Bit):
+ (JSC::is32Bit):
+ (JSC::isMIPS):
+ Make these functions constexpr so we can use them in static variable assignment.
+
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
+ (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::speculateCell):
+ (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateString):
+ (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateSymbol):
+ (JSC::DFG::SpeculativeJIT::speculateNotCell):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
+ (JSC::FTL::DFG::LowerDFGToB3::boolify):
+ (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
+ (JSC::FTL::DFG::LowerDFGToB3::lowCell):
+ (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
+ (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
+ (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
+ (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
+ (JSC::FTL::DFG::LowerDFGToB3::isCell):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateString):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
+
+2017-06-12 Yusuke Suzuki
+
+ Unreviewed, suppress invalid register alloation validation assertion in 32 bit
+ https://bugs.webkit.org/show_bug.cgi?id=172421
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
+
+2017-06-12 Oleksandr Skachkov
+
+ We incorrectly allow escaped characters in keyword tokens
+ https://bugs.webkit.org/show_bug.cgi?id=171310
+
+ Reviewed by Yusuke Suzuki.
+
+ According spec it is not allow to use escaped characters in
+ keywords. https://tc39.github.io/ecma262/#sec-reserved-words
+ Current patch implements this requirements.
+
+
+ * parser/Lexer.cpp:
+ (JSC::Lexer::parseIdentifierSlowCase):
+ * parser/Parser.cpp:
+ (JSC::Parser::printUnexpectedTokenText):
+ * parser/ParserTokens.h:
+
+2017-06-12 Yusuke Suzuki
+
+ Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=172421
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::branch64):
+ (JSC::MacroAssemblerARM64::branchPtr):
+
+2017-06-12 Commit Queue
+
+ Unreviewed, rolling out r218093.
+ https://bugs.webkit.org/show_bug.cgi?id=173259
+
+ Break builds (Requested by yusukesuzuki on #webkit).
+
+ Reverted changeset:
+
+ "Unreviewed, build fix for ARM64"
+ https://bugs.webkit.org/show_bug.cgi?id=172421
+ http://trac.webkit.org/changeset/218093
+
+2017-06-12 Yusuke Suzuki
+
+ Unreviewed, build fix for ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=172421
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
+
+2017-06-09 Yusuke Suzuki
+
+ [DFG] Add ArrayIndexOf intrinsic
+ https://bugs.webkit.org/show_bug.cgi?id=172421
+
+ Reviewed by Saam Barati.
+
+ This patch introduces ArrayIndexOfInstrinsic for DFG and FTL optimizations.
+ We emit array check and go fast path if the array is Array::Int32, Array::Double
+ or Array::Continugous. In addition, for Array::Int32 and Array::Double case,
+ we have inlined fast paths.
+
+ With updated ARES-6 Babylon,
+
+ Before
+ firstIteration: 45.76 +- 3.87 ms
+ averageWorstCase: 24.41 +- 2.17 ms
+ steadyState: 8.01 +- 0.22 ms
+ After
+ firstIteration: 45.64 +- 4.23 ms
+ averageWorstCase: 23.03 +- 3.34 ms
+ steadyState: 7.33 +- 0.34 ms
+
+ In SixSpeed.
+ baseline patched
+
+ map-set-lookup.es5 734.4701+-10.4383 ^ 102.0968+-2.6357 ^ definitely 7.1939x faster
+ map-set.es5 41.1396+-1.0558 ^ 33.1916+-0.7986 ^ definitely 1.2395x faster
+ map-set-object.es5 62.8317+-1.2518 ^ 45.6944+-0.8369 ^ definitely 1.3750x faster
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasArrayMode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
+ (JSC::DFG::SpeculativeJIT::speculateObject):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::speculateInt32):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
+ * jit/JITOperations.h:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+
+2017-06-11 Keith Miller
+
+ TypedArray constructor with string shouldn't throw
+ https://bugs.webkit.org/show_bug.cgi?id=173181
+
+ Reviewed by JF Bastien.
+
+ We should be coercing primitive arguments to numbers in the various
+ TypedArray constructors.
+
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewWithArguments):
+
+2017-06-11 Yusuke Suzuki
+
+ [WTF] Make ThreadMessage portable
+ https://bugs.webkit.org/show_bug.cgi?id=172073
+
+ Reviewed by Keith Miller.
+
+ * runtime/MachineContext.h:
+ (JSC::MachineContext::stackPointer):
+ * tools/CodeProfiling.cpp:
+ (JSC::profilingTimer):
+
+2017-06-11 Yusuke Suzuki
+
+ [JSC] Shrink Structure size
+ https://bugs.webkit.org/show_bug.cgi?id=173239
+
+ Reviewed by Mark Lam.
+
+ We find that the size of our Structure is slightly enlarged due to paddings.
+ By changing the order of members, we can reduce the size from 120 to 112.
+ This is good because 120 and 112 are categorized into different size classes.
+ For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
+ We now save 16 bytes per Structure for free.
+
+ * runtime/ConcurrentJSLock.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/Structure.h:
+
+2017-06-11 Konstantin Tokarev
+
+ Unreviewed, attempt to fix JSC tests on Win after r217771
+
+ * jsc.cpp:
+ (currentWorkingDirectory): buffer is not NULL-terminated
+
+2017-06-10 Yusuke Suzuki
+
+ [WTF] Add RegisteredSymbolImpl
+ https://bugs.webkit.org/show_bug.cgi?id=173230
+
+ Reviewed by Mark Lam.
+
+ * runtime/SymbolConstructor.cpp:
+ (JSC::symbolConstructorKeyFor):
+
+2017-06-10 Dan Bernstein
+
+ Reverted r218056 because it made the IDE reindex constantly.
+
+ * Configurations/DebugRelease.xcconfig:
+
+2017-06-10 Dan Bernstein
+
+ [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
+ https://bugs.webkit.org/show_bug.cgi?id=173223
+
+ Reviewed by Sam Weinig.
+
+ The rebuilds were happening due to a difference in the compiler options that the IDE and
+ xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
+ xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
+ specify an appropriate path in CLANG_INDEX_STORE_PATH.
+
+ * Configurations/DebugRelease.xcconfig:
+
+2017-06-10 Yusuke Suzuki
+
+ [JSC] Update RegExp.prototype.[@@search]] implementation according to the latest spec
+ https://bugs.webkit.org/show_bug.cgi?id=173227
+
+ Reviewed by Mark Lam.
+
+ The latest spec introduces slight change to RegExp.prototype.[@@search].
+ This patch applies this change. Basically, this change is done in the slow path of
+ the RegExp.prototype[@@search].
+ https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
+
+ * builtins/RegExpPrototype.js:
+ (search):
+
+2017-06-09 Chris Dumez
+
+ Update Thread::create() to take in a WTF::Function instead of a std::function
+ https://bugs.webkit.org/show_bug.cgi?id=173175
+
+ Reviewed by Mark Lam.
+
+ * API/tests/CompareAndSwapTest.cpp:
+ (testCompareAndSwap):
+
+2017-06-09 Yusuke Suzuki
+
+ [DFG] Add verboseDFGOSRExit
+ https://bugs.webkit.org/show_bug.cgi?id=173156
+
+ Reviewed by Saam Barati.
+
+ This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
+
+ * dfg/DFGOSRExitCompiler.cpp:
+ * runtime/Options.h:
+
+2017-06-09 Guillaume Emont
+
+ [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
+ https://bugs.webkit.org/show_bug.cgi?id=173170
+
+ Reviewed by Yusuke Suzuki.
+
+ MIPS does not build since r217711 because it is missing this
+ implementation. This patch fixes the build.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::xor32):
+
+2017-06-09 Yusuke Suzuki
+
+ [JSC] FTL does not require dlfcn
+ https://bugs.webkit.org/show_bug.cgi?id=173143
+
+ Reviewed by Darin Adler.
+
+ We no longer use LLVM library. Thus, dlfcn.h is not necessary.
+ Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+
+2017-06-09 Yusuke Suzuki
+
+ [DFG] Add --verboseDFGFailure
+ https://bugs.webkit.org/show_bug.cgi?id=173155
+
+ Reviewed by Sam Weinig.
+
+ Similar to verboseFTLFailure, JSC should have verboseDFGFailure flag to show DFG failures quickly.
+
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::verboseCapabilities):
+ (JSC::DFG::debugFail):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/Options.h:
+
+2017-06-09 Yusuke Suzuki
+
+ [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
+ https://bugs.webkit.org/show_bug.cgi?id=173147
+
+ Reviewed by JF Bastien.
+
+ Because this value becomes -1 in non-Darwin environments.
+ Thus, we do not need to use OS(DARWIN) here.
+
+ * wasm/WasmMemory.cpp:
+
+2017-06-09 Daewoong Jang
+
+ Reduce compiler warnings
+ https://bugs.webkit.org/show_bug.cgi?id=172078
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/IntlDateTimeFormat.h:
+
+2017-06-08 Joseph Pecoraro
+
+ [Cocoa] JSWrapperMap leaks for all JSContexts
+ https://bugs.webkit.org/show_bug.cgi?id=173110
+
+
+ Reviewed by Geoffrey Garen.
+
+ * API/JSContext.mm:
+ (-[JSContext ensureWrapperMap]):
+ Ensure this allocation gets released.
+
+2017-06-08 Filip Pizlo
+
+ REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
+ https://bugs.webkit.org/show_bug.cgi?id=161156
+
+ Reviewed by Saam Barati.
+
+ Since LLInt does not register impure property watchpoints for self property accesses, it
+ shouldn't try to cache accesses that require a watchpoint.
+
+ This manifested as a flaky failure because the test would fire the watchpoint after we had
+ usually already tiered up. Without concurrent JIT, we would have always tiered up before
+ getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
+ also adds a test that deterministically failed in LLInt without this change; it does so by just
+ running a lot shorter.
+
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
+2017-06-08 Keith Miller
+
+ WebAssembly: We should only create wrappers for functions that can be exported
+ https://bugs.webkit.org/show_bug.cgi?id=173088
+
+ Reviewed by Saam Barati.
+
+ This patch makes it so we only create wrappers for WebAssembly functions that
+ can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
+
+ This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
+ Most of the tests were duplicates of ones in the spec-tests directory. The others I
+ have converted to use the normal API.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (valueWithTypeOfWasmValue): Deleted.
+ (box): Deleted.
+ (callWasmFunction): Deleted.
+ (functionTestWasmModuleFunctions): Deleted.
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::createJSToWasmWrapper):
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmB3IRGenerator.h:
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::prepare):
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ (JSC::Wasm::BBQPlan::complete):
+ * wasm/WasmBBQPlan.h:
+ * wasm/WasmBBQPlanInlines.h:
+ (JSC::Wasm::BBQPlan::initializeCallees):
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ * wasm/WasmCodeBlock.h:
+ (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
+ * wasm/WasmFormat.h:
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::work):
+
+2017-06-07 JF Bastien
+
+ WebAssembly: test imports and exports with 16-bit characters
+ https://bugs.webkit.org/show_bug.cgi?id=165977
+
+
+ Reviewed by Saam Barati.
+
+ Add the missing UTF-8 conversions. Improve import failure error
+ messages, otherwise it's hard to figure out which import is wrong.
+
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::create):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::finishCreation):
+ (JSC::WebAssemblyModuleRecord::link):
+
+2017-06-07 Devin Rousso
+
+ Web Inspector: Add ContextMenu item to log WebSocket object to console
+ https://bugs.webkit.org/show_bug.cgi?id=172878
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/protocol/Network.json:
+ Add resolveWebSocket command.
+
+2017-06-07 Jon Davis
+
+ Update feature status for features Supported In Preview
+ https://bugs.webkit.org/show_bug.cgi?id=173071
+
+ Reviewed by Darin Adler.
+
+ Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
+ User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
+
+ * features.json:
+
+2017-06-07 Saam Barati
+
+ Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
+ https://bugs.webkit.org/show_bug.cgi?id=172673
+
+
+ Reviewed by Mark Lam.
+
+ This patch simply removes this assertion. It's faulty because it
+ races with the main thread when doing concurrent compilation.
+
+ Consider a program with:
+ - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
+ - Structure S2
+
+ The DFG IR is like so:
+ a: JSConstant(O) // FrozenValue {O, S1}
+ b: CheckStructure(@a, S2)
+ c: ToThis(@a)
+ d: CheckEq(@c, nullConstant)
+ Branch(@d)
+
+ The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
+ When running AI, we'll notice that node @b will OSR exit, so nodes after
+ @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
+ Now, when running AI, @a will have Top for its structure set. No longer will
+ we think @b exits.
+
+ The DFG backend asserts that under such a situation, we should have simplified
+ the CheckEq to false. However, this is a racy thing to assert, since the
+ transition from dfgWatchable() to !dfgWatchable() can happen right before we
+ enter the backend. Hence, this assertion is not valid.
+
+ (Note, the generated code for the above program will never actually execute.
+ Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
+ S1 not transitioning. S1 transitions, so we won't actually run the code that
+ gets compiled.)
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
+
+2017-06-07 Yusuke Suzuki
+
+ [JSC] has_generic_property never accepts non-String
+ https://bugs.webkit.org/show_bug.cgi?id=173057
+
+ Reviewed by Darin Adler.
+
+ We never pass non-String value to has_generic_property bytecode.
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+2017-06-06 Fujii Hironori
+
+ [Win][x86-64] Some callee saved registers aren't preserved
+ https://bugs.webkit.org/show_bug.cgi?id=171266
+
+ Reviewed by Saam Barati.
+
+ * jit/RegisterSet.cpp:
+ (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
+
+2017-06-06 Mark Lam
+
+ Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
+ https://bugs.webkit.org/show_bug.cgi?id=173035
+
+
+ Reviewed by Geoffrey Garen and Filip Pizlo.
+
+ Also added and fixed up some assertions.
+
+ * runtime/ArrayConventions.h:
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLength):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::reallocateAndShrinkButterfly):
+ * runtime/JSObject.h:
+ (JSC::JSObject::ensureLength):
+ * runtime/RegExpObject.cpp:
+ (JSC::collectMatches):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncSplitFast):
+
+2017-06-06 Saam Barati
+
+ Make sure we restore SP when doing calls that could be to JS
+ https://bugs.webkit.org/show_bug.cgi?id=172946
+
+
+ Reviewed by JF Bastien.
+
+ I was worried that there was a bug where we'd call JS, JS would tail call,
+ and we'd end up with a bogus SP. However, this bug does not exist since wasm
+ always calls to JS through a stub, and the stub treats SP as a callee save.
+
+ I wrote a test for this, and also made a note that this is the needed ABI.
+
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToJs):
+
+2017-06-06 Keith Miller
+
+ OMG tier up checks should be a patchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=172944
+
+ Reviewed by Saam Barati.
+
+ Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
+ In order to reduce code generated out of line in each function. We generate a single stub
+ that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
+ (JSC::Wasm::B3IRGenerator::addLoop):
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::triggerOMGTierUpThunkGenerator):
+ * wasm/WasmThunks.h:
+
+2017-06-06 Darin Adler
+
+ Cut down use of WTF_ARRAY_LENGTH
+ https://bugs.webkit.org/show_bug.cgi?id=172997
+
+ Reviewed by Chris Dumez.
+
+ * parser/Lexer.cpp:
+ (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
+
+ * runtime/NumberPrototype.cpp:
+ (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
+
+2017-06-06 Konstantin Tokarev
+
+ Add missing includes
+ https://bugs.webkit.org/show_bug.cgi?id=173017
+
+ Patch by Thiago Macieira
+ Reviewed by Yusuke Suzuki.
+
+ This patch fixes compilation with GCC 7.
+
+ * inspector/InspectorBackendDispatcher.h:
+
+2017-06-06 Filip Pizlo
+
+ Unreviewed, fix 32-bit build.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_unreachable):
+
+2017-06-06 Joseph Pecoraro
+
+ Unreviewed rollout r217807. Caused a test to crash.
+
+ * heap/HeapSnapshotBuilder.cpp:
+ (JSC::HeapSnapshotBuilder::buildSnapshot):
+ (JSC::HeapSnapshotBuilder::json):
+ (): Deleted.
+ * heap/HeapSnapshotBuilder.h:
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::calculatedClassName):
+
+2017-06-06 Filip Pizlo
+
+ index out of bound in bytecodebasicblock
+ https://bugs.webkit.org/show_bug.cgi?id=172963
+
+ Reviewed by Saam Barati and Mark Lam.
+
+ We were leaving an unterminated basic block when generating CodeForCall for a class
+ constructor. This was mostly benign since that unterminated block was not reachable, but it
+ does cause an ASSERT.
+
+ This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
+ this really is the cleanest and most idiomatic way to solve this problem, so even though it
+ makes the change bigger it's probabably worth it.
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/Opcode.h:
+ (JSC::isTerminal):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::emitUnreachable):
+ * bytecompiler/BytecodeGenerator.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_unreachable):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+
+2017-06-06 Ryan Haddad
+
+ Unreviewed, rolling out r217812.
+
+ This change caused test failures on arm64.
+
+ Reverted changeset:
+
+ "OMG tier up checks should be a patchpoint"
+ https://bugs.webkit.org/show_bug.cgi?id=172944
+ http://trac.webkit.org/changeset/217812
+
+2017-06-06 Carlos Garcia Campos
+
+ [WPE] Enable remote inspector
+ https://bugs.webkit.org/show_bug.cgi?id=172971
+
+ Reviewed by Žan Doberšek.
+
+ We can just build the current glib remote inspector, without adding a frontend implementation and using a
+ WebKitGTK+ browser as frontend for now.
+
+ * PlatformWPE.cmake: Add remote inspector files to compilation.
+ * inspector/remote/glib/RemoteInspectorUtils.cpp:
+ (Inspector::backendCommands): Load the inspector resources library.
+
+2017-06-06 Carlos Garcia Campos
+
+ [GLIB] Make remote inspector DBus protocol common to all glib based ports
+ https://bugs.webkit.org/show_bug.cgi?id=172970
+
+ Reviewed by Žan Doberšek.
+
+ We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
+ idea that other ports could use their own names. However, the protocol is the same, so we could use the same
+ names and make all glib based ports compatible to each other. This way we could use the GTK+ MiniBrowser to
+ debug WPE, without having to implement the frontend part in WPE yet.
+
+ * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and reomve platform idfeds.
+ * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
+
+2017-06-06 Carlos Garcia Campos
+
+ [GTK] Web Process deadlock when closing the remote inspector frontend
+ https://bugs.webkit.org/show_bug.cgi?id=172973
+
+ Reviewed by Žan Doberšek.
+
+ We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
+ takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
+ PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
+ inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
+
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::receivedCloseMessage):
+
+2017-06-05 Saam Barati
+
+ Try to fix features.json by adding an ESNext section.
+
+ Unreviewed.
+
+ * features.json:
+
+2017-06-05 David Kilzer
+
+ Follow-up: Update JSC's features.json
+ https://bugs.webkit.org/show_bug.cgi?id=172942
+
+ Rubber-stamped by Jon Davis.
+
+ * features.json: Change "Supported in preview" to
+ "Supported" to try to fix .
+
+2017-06-05 Saam Barati
+
+ We don't properly parse init_expr when the opcode is an unexpected opcode
+ https://bugs.webkit.org/show_bug.cgi?id=172945
+
+ Reviewed by JF Bastien.
+
+ The bug is a simple typo. It should use the constant
+ `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
+ macro. This failure is already caught by spec tests that fail
+ on arm64 devices.
+
+ * wasm/WasmModuleParser.cpp:
+
+2017-06-05 Keith Miller
+
+ OMG tier up checks should be a patchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=172944
+
+ Reviewed by Saam Barati.
+
+ Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
+ In order to reduce code generated out of line in each function. We generate a single stub
+ that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
+ (JSC::Wasm::B3IRGenerator::addLoop):
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::triggerOMGTierUpThunkGenerator):
+ * wasm/WasmThunks.h:
+
+2017-06-05 Joseph Pecoraro
+
+ Remove unused VM members
+ https://bugs.webkit.org/show_bug.cgi?id=172941
+
+ Reviewed by Mark Lam.
+
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapImpl::selectStructure): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2017-06-05 Joseph Pecoraro
+
+ Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
+ https://bugs.webkit.org/show_bug.cgi?id=172848
+
+
+ Reviewed by Saam Barati.
+
+ * heap/HeapSnapshotBuilder.h:
+ * heap/HeapSnapshotBuilder.cpp:
+ Update the snapshot version. Change the node's 0 | 1 internal value
+ to be a 32bit bit flag. This is nice in that it is both compatible
+ with the previous snapshot version and the same size. We can use more
+ flags in the future.
+
+ (JSC::HeapSnapshotBuilder::json):
+ In cases where the classInfo gives us "Object" check for a better
+ class name by checking (o).__proto__.constructor.name. We avoid this
+ check in cases where (o).hasOwnProperty("constructor") which is the
+ case for most Foo.prototype objects. Otherwise this would get the
+ name of the Foo superclass for the Foo.prototype object.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::calculatedClassName):
+ Handle some possible edge cases that were not handled before. Such
+ as a JSObject without a GlobalObject, and an object which doesn't
+ have a default getPrototype. Try to make the code a little clearer.
+
+2017-06-05 Saam Barati
+
+ Update JSC's features.json
+ https://bugs.webkit.org/show_bug.cgi?id=172942
+
+ Rubber stamped by Mark Lam.
+
+ * features.json:
+
+2017-06-04 Konstantin Tokarev
+
+ Fix build of Windows-specific code with ICU 59.1
+ https://bugs.webkit.org/show_bug.cgi?id=172729
+
+ Reviewed by Darin Adler.
+
+ Fix conversions from WTF::String to wchar_t* and vice versa.
+
+ * jsc.cpp:
+ (currentWorkingDirectory):
+ (fetchModuleFromLocalFileSystem):
+ * runtime/DateConversion.cpp:
+ (JSC::formatDateTime):
+
+2017-06-04 Yusuke Suzuki
+
+ [JSC] Drop unnecessary USE(CF) guard for getenv
+ https://bugs.webkit.org/show_bug.cgi?id=172903
+
+ Reviewed by Sam Weinig.
+
+ getenv is not related to USE(CF) and OS(UNIX). It seems that this
+ ifdef only hits in WinCairo, but WinCairo can use getenv.
+ Moreover, in VM::VM, we already use getenv without any ifdef guard.
+
+ This patch just drops it.
+
+ * runtime/VM.cpp:
+ (JSC::enableAssembler):
+
+2017-06-04 Yusuke Suzuki
+
+ [JSC] Drop OS(DARWIN) for uintptr_t type conflict
+ https://bugs.webkit.org/show_bug.cgi?id=172904
+
+ Reviewed by Sam Weinig.
+
+ In non-Darwin environment, uintptr_t may have the same type
+ to uint64_t. We avoided the compile error by using OS(DARWIN).
+ But, since it depends on cstdint implementaion rather than OS, it is flaky.
+ Instead, we just use template parameter IntegralType.
+ And we describe the type constraint in a SFINAE manner.
+
+ * dfg/DFGOpInfo.h:
+ (JSC::DFG::OpInfo::OpInfo):
+
+2017-06-03 Csaba Osztrogonác
+
+ [ARM] Unreviewed buildfix after r217711.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::xor32):
+
+2017-06-02 Yusuke Suzuki
+
+ ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
+ https://bugs.webkit.org/show_bug.cgi?id=168844
+
+ Reviewed by Saam Barati.
+
+ As the same to the exported function declaration, we should set statementDepth = 1 for exported async function declaration.
+
+ * parser/Parser.cpp:
+ (JSC::DepthManager::DepthManager):
+ (JSC::Parser::parseExportDeclaration):
+ * parser/Parser.h:
+ (JSC::Parser::DepthManager::DepthManager): Deleted.
+ (JSC::Parser::DepthManager::~DepthManager): Deleted.
+
+2017-06-02 Keith Miller
+
+ Defer installing mach breakpoint handler until watchdog is actually called
+ https://bugs.webkit.org/show_bug.cgi?id=172885
+
+ Reviewed by Saam Barati.
+
+ Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
+ This hides the issue, so it won't occur as often.
+ + * runtime/VMTraps.cpp: + (JSC::VMTraps::SignalSender::send): + (JSC::VMTraps::VMTraps): Deleted. + * runtime/VMTraps.h: + +2017-06-02 Filip Pizlo + + Atomics.load and Atomics.store need to be fully fenced + https://bugs.webkit.org/show_bug.cgi?id=172844 + + Reviewed by Keith Miller. + + Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and + AtomicXchg(value, ptr) for the store. + + DFG needed no changes because it implements all atomics using a CAS loop. + + AtomicsObject.cpp now uses new Atomic<> API for fully fences loads and stores. + + Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This + is not correct according to my current understanding of the SAB memory model, which requires + that atomic operations are SC with respect to everything not just other atomics. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): + * ftl/FTLOutput.cpp: + (JSC::FTL::Output::atomicWeakCAS): + * ftl/FTLOutput.h: + * runtime/AtomicsObject.cpp: + +2017-06-02 Ryan Haddad + + Unreviewed, attempt to fix the iOS build after r217711. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::xor32): + (JSC::MacroAssemblerARM64::xor64): + +2017-06-01 Filip Pizlo + + GC should use scrambled free-lists + https://bugs.webkit.org/show_bug.cgi?id=172793 + + Reviewed by Mark Lam. + + Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list. + The linked-list would be threaded through free memory, as is the usual convention. + + This scrambles the next pointers of that free-list. It also scrambles the head pointer, because + this leads to a more natural fast-path structure and saves one register on ARM64. + + The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret + every time they do a sweep-to-pop. 
+ + This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code + quite a bit. Previously, there were four copies of the allocator fast path: two in + MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one + was obviously different-looking, but the other three were almost identical. This moves all of + that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and + AssemblyHelpers.h. + + This appears to be just as fast as our previously allocator. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/FreeList.cpp: + (JSC::FreeList::FreeList): + (JSC::FreeList::~FreeList): + (JSC::FreeList::clear): + (JSC::FreeList::initializeList): + (JSC::FreeList::initializeBump): + (JSC::FreeList::contains): + (JSC::FreeList::dump): + * heap/FreeList.h: + (JSC::FreeList::allocationWillFail): + (JSC::FreeList::originalSize): + (JSC::FreeList::addressOfList): + (JSC::FreeList::offsetOfBlock): + (JSC::FreeList::offsetOfList): + (JSC::FreeList::offsetOfIndex): + (JSC::FreeList::offsetOfPayloadEnd): + (JSC::FreeList::offsetOfRemaining): + (JSC::FreeList::offsetOfOriginalSize): + (JSC::FreeList::FreeList): Deleted. + (JSC::FreeList::list): Deleted. + (JSC::FreeList::bump): Deleted. + (JSC::FreeList::operator==): Deleted. + (JSC::FreeList::operator!=): Deleted. + (JSC::FreeList::operator bool): Deleted. + * heap/FreeListInlines.h: Added. 
+ (JSC::FreeList::addFreeCell): + (JSC::FreeList::allocate): + (JSC::FreeList::forEach): + (JSC::FreeList::toOffset): + (JSC::FreeList::fromOffset): + * heap/IncrementalSweeper.cpp: + (JSC::IncrementalSweeper::sweepNextBlock): + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::MarkedAllocator): + (JSC::MarkedAllocator::didConsumeFreeList): + (JSC::MarkedAllocator::tryAllocateWithoutCollecting): + (JSC::MarkedAllocator::tryAllocateIn): + (JSC::MarkedAllocator::allocateSlowCaseImpl): + (JSC::MarkedAllocator::stopAllocating): + (JSC::MarkedAllocator::prepareForAllocation): + (JSC::MarkedAllocator::resumeAllocating): + (JSC::MarkedAllocator::sweep): + (JSC::MarkedAllocator::setFreeList): Deleted. + * heap/MarkedAllocator.h: + (JSC::MarkedAllocator::freeList): + (JSC::MarkedAllocator::isFreeListedCell): Deleted. + * heap/MarkedAllocatorInlines.h: + (JSC::MarkedAllocator::isFreeListedCell): + (JSC::MarkedAllocator::tryAllocate): + (JSC::MarkedAllocator::allocate): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::stopAllocating): + (JSC::MarkedBlock::Handle::lastChanceToFinalize): + (JSC::MarkedBlock::Handle::resumeAllocating): + (JSC::MarkedBlock::Handle::zap): + (JSC::MarkedBlock::Handle::sweep): + (JSC::MarkedBlock::Handle::isFreeListedCell): + (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted. + * heap/MarkedBlock.h: + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::specializedSweep): + (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): + (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted. 
+ * heap/Subspace.cpp: + (JSC::Subspace::finishSweep): + * heap/Subspace.h: + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + * runtime/JSDestructibleObjectSubspace.cpp: + (JSC::JSDestructibleObjectSubspace::finishSweep): + * runtime/JSDestructibleObjectSubspace.h: + * runtime/JSSegmentedVariableObjectSubspace.cpp: + (JSC::JSSegmentedVariableObjectSubspace::finishSweep): + * runtime/JSSegmentedVariableObjectSubspace.h: + * runtime/JSStringSubspace.cpp: + (JSC::JSStringSubspace::finishSweep): + * runtime/JSStringSubspace.h: + * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: + (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): + * wasm/js/JSWebAssemblyCodeBlockSubspace.h: + +2017-06-02 Yusuke Suzuki + + [JSC] Use @globalPrivate for concatSlowPath + https://bugs.webkit.org/show_bug.cgi?id=172802 + + Reviewed by Darin Adler. + + Use @globalPrivate instead of manually putting it to JSGlobalObject. + + * builtins/ArrayPrototype.js: + (concatSlowPath): Deleted. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + +2017-06-01 Andy Estes + + REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake + https://bugs.webkit.org/show_bug.cgi?id=172828 + + Reviewed by Beth Dakin. + + * Configurations/FeatureDefines.xcconfig: + +2017-06-01 Keith Miller + + Undo rollout in r217638 with bug fix + https://bugs.webkit.org/show_bug.cgi?id=172824 + + Unreviewed, reland patch with unused set_state code removed. 
+ + * API/tests/ExecutionTimeLimitTest.cpp: + (dispatchTermitateCallback): + (testExecutionTimeLimit): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + * runtime/Options.cpp: + (JSC::overrideDefaults): + (JSC::Options::initialize): + * runtime/Options.h: + * runtime/VMTraps.cpp: + (JSC::SignalContext::SignalContext): + (JSC::SignalContext::adjustPCToPointToTrappingInstruction): + (JSC::installSignalHandler): + (JSC::VMTraps::SignalSender::send): + * tools/SigillCrashAnalyzer.cpp: + (JSC::SignalContext::SignalContext): + (JSC::SignalContext::dump): + (JSC::installCrashHandler): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::compileFunctions): + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + (JSC::Wasm::enableFastMemory): + * wasm/WasmMachineThreads.cpp: + (JSC::Wasm::resetInstructionCacheOnAllThreads): + +2017-06-01 Guillaume Emont + + [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds + https://bugs.webkit.org/show_bug.cgi?id=172800 + + Reviewed by Saam Barati. + + This fixes a static_cast by making it a cast to int64_t + instead, which looks like the original intent. This fixes the + sampling-profiler tests in JSTests/stress. + + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::timerLoop): + +2017-06-01 Tomas Popela , Mark Lam + + RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians + https://bugs.webkit.org/show_bug.cgi?id=170945 + + Reviewed by Mark Lam. + + Re-define PutByIdFlags as a int32_t enum explicitly because it is + stored as an int32_t value in UnlinkedInstruction. This prevents + a bug on 64-bit big endian architectures where the word order is + inverted (when we convert the UnlinkedInstruction into a CodeBlock + Instruction), resulting in the PutByIdFlags value not being stored in + the 32-bit word that the rest of the code expects it to be in. 
+ + * bytecode/PutByIdFlags.h: + +2017-05-31 Yusuke Suzuki + + [JSC] Implement String.prototype.concat in JS builtins + https://bugs.webkit.org/show_bug.cgi?id=172798 + + Reviewed by Sam Weinig. + + Since we have highly effective + operation for strings, + implementing String.prototype.concat in JS simplifies the + implementation and improves performance by using speculated + types. + + Added microbenchmarks show performance improvement. + + string-concat-long-convert 1063.2787+-12.9101 ^ 109.0855+-2.8083 ^ definitely 9.7472x faster + string-concat-convert 1111.1366+-12.2363 ^ 99.3402+-1.9874 ^ definitely 11.1852x faster + string-concat 131.7377+-3.8359 ^ 54.3949+-0.9580 ^ definitely 2.4219x faster + string-concat-long 79.4726+-1.9644 ^ 64.6301+-1.4941 ^ definitely 1.2297x faster + + * builtins/StringPrototype.js: + (globalPrivate.stringConcatSlowPath): + (concat): + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + (JSC::stringProtoFuncConcat): Deleted. + +2017-05-31 Mark Lam + + Remove overrides of visitChildren() that do not add any functionality. + https://bugs.webkit.org/show_bug.cgi?id=172789 + + + Reviewed by Andreas Kling. + + * bytecode/UnlinkedModuleProgramCodeBlock.cpp: + (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted. + * bytecode/UnlinkedModuleProgramCodeBlock.h: + * bytecode/UnlinkedProgramCodeBlock.cpp: + (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted. + * bytecode/UnlinkedProgramCodeBlock.h: + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::visitChildren): Deleted. + * wasm/js/WebAssemblyFunction.h: + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted. + * wasm/js/WebAssemblyInstanceConstructor.h: + * wasm/js/WebAssemblyMemoryConstructor.cpp: + (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted. 
+ * wasm/js/WebAssemblyMemoryConstructor.h: + * wasm/js/WebAssemblyModuleConstructor.cpp: + (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted. + * wasm/js/WebAssemblyModuleConstructor.h: + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::WebAssemblyTableConstructor::visitChildren): Deleted. + * wasm/js/WebAssemblyTableConstructor.h: + +2017-05-31 Commit Queue + + Unreviewed, rolling out r217611 and r217631. + https://bugs.webkit.org/show_bug.cgi?id=172785 + + "caused wasm-hashset-many.html to become flaky." (Requested by + keith_miller on #webkit). + + Reverted changesets: + + "Reland r216808, underlying lldb bug has been fixed." + https://bugs.webkit.org/show_bug.cgi?id=172759 + http://trac.webkit.org/changeset/217611 + + "Use dispatch queues for mach exceptions" + https://bugs.webkit.org/show_bug.cgi?id=172775 + http://trac.webkit.org/changeset/217631 + +2017-05-31 Oleksandr Skachkov + + Rolling out: Prevent async methods named 'function' + https://bugs.webkit.org/show_bug.cgi?id=172776 + + Reviewed by Mark Lam. + + Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578, + https://bugs.webkit.org/show_bug.cgi?id=172598 r217478 + PR to spec was closed, so changes need to roll out. See + https://github.com/tc39/ecma262/pull/884#issuecomment-305212494 + + * parser/Parser.cpp: + (JSC::Parser::parseClass): + (JSC::Parser::parsePropertyMethod): + +2017-05-31 Andy Estes + + Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number + https://bugs.webkit.org/show_bug.cgi?id=172366 + + Reviewed by Daniel Bates. + + * Configurations/FeatureDefines.xcconfig: + +2017-05-31 Keith Miller + + Reland r216808, underlying lldb bug has been fixed. + https://bugs.webkit.org/show_bug.cgi?id=172759 + + + Unreviewed, relanding old patch. 
See: rdar://problem/31183352 + + * API/tests/ExecutionTimeLimitTest.cpp: + (dispatchTermitateCallback): + (testExecutionTimeLimit): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + * runtime/Options.cpp: + (JSC::overrideDefaults): + (JSC::Options::initialize): + * runtime/Options.h: + * runtime/VMTraps.cpp: + (JSC::SignalContext::SignalContext): + (JSC::SignalContext::adjustPCToPointToTrappingInstruction): + (JSC::installSignalHandler): + (JSC::VMTraps::SignalSender::send): + * tools/SigillCrashAnalyzer.cpp: + (JSC::SignalContext::SignalContext): + (JSC::SignalContext::dump): + (JSC::installCrashHandler): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::compileFunctions): + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + (JSC::Wasm::enableFastMemory): + * wasm/WasmMachineThreads.cpp: + (JSC::Wasm::resetInstructionCacheOnAllThreads): + +2017-05-31 Keith Miller + + Fix leak in PromiseDeferredTimer + https://bugs.webkit.org/show_bug.cgi?id=172755 + + Reviewed by JF Bastien. + + We were not properly freeing the list of dependencies if we were already tracking the promise before. + This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case + where we were already tracking the promise we append the provided dependency list to the existing list. + Since we never bound or rvalue-ref to a non-temporary value we never destructed the Vector, leaking its + contents. + + * runtime/PromiseDeferredTimer.cpp: + (JSC::PromiseDeferredTimer::addPendingPromise): + +2017-05-30 Oleksandr Skachkov + + Prevent async methods named 'function' in Object literal + https://bugs.webkit.org/show_bug.cgi?id=172660 + + Reviewed by Saam Barati. + + Prevent async method named 'function' in object. 
+ https://github.com/tc39/ecma262/pull/884 + + * parser/Parser.cpp: + (JSC::Parser::parsePropertyMethod): + +2017-05-30 Oleksandr Skachkov + + ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext + https://bugs.webkit.org/show_bug.cgi?id=171274 + + Reviewed by Saam Barati. + + Current patch allow to use async arrow function within constructor, + and allow to access to `this`. Current patch force load 'this' from + virtual scope each time as we access to `this` in async arrow function + within constructor it is neccessary because async function can be + suspended and `superCall` can be called and async function resumed. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitPutGeneratorFields): + (JSC::BytecodeGenerator::ensureThis): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::makeFunction): + +2017-05-30 Ali Juma + + [CredentialManagement] Incorporate IDL updates from latest spec + https://bugs.webkit.org/show_bug.cgi?id=172011 + + Reviewed by Daniel Bates. + + * runtime/CommonIdentifiers.h: + +2017-05-30 Alex Christensen + + Update libwebrtc configuration + https://bugs.webkit.org/show_bug.cgi?id=172727 + + Reviewed by Geoffrey Garen. + + * Configurations/FeatureDefines.xcconfig: + +2017-05-28 Dan Bernstein + + [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES + https://bugs.webkit.org/show_bug.cgi?id=172691 + + Reviewed by Tim Horton. + + * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO. + * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target. + +2017-05-28 Yusuke Suzuki + + [JSC] Provide better type information of toLength and tighten bytecode + https://bugs.webkit.org/show_bug.cgi?id=172690 + + Reviewed by Sam Weinig. + + In this patch, we carefully leverage operator + in order to + + 1. tighten bytecode + + operator+ emits to_number bytecode. What this bytecode does is the same + to @Number() call. 
It is more efficient, and it is smaller bytecode + than @Number() call (load global variable @Number, set up arguments, and + call it). + + 2. offer better type prediction data + + Now, we have code like + + length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0 + + This is not good because DFG prediction propagation phase predicts as Double + since @MAX_SAFE_INTEGER is double. But actually it rarely becomes Double. + Usually, the result becomes Int32. This patch leverages to_number in a bit + interesting way: to_number has value profiling to offer better type prediction. + This value profiling can offer a chance to change the prediction to Int32 efficiently. + It is a bit tricky. But it is worth doing to speed up our builtin functions, + which should leverage all the JSC's tricky things to be optimized. + + Related microbenchmarks show performance improvement. + + baseline patched + + array-prototype-forEach 50.2348+-2.2331 49.7568+-2.3507 + array-prototype-map 51.0574+-1.8166 47.9531+-2.1653 might be 1.0647x faster + array-prototype-some 52.3926+-1.8882 ^ 48.3632+-2.0852 ^ definitely 1.0833x faster + array-prototype-every 52.7394+-2.0712 50.2896+-2.1480 might be 1.0487x faster + array-prototype-reduce 54.9994+-2.3638 51.8716+-2.6253 might be 1.0603x faster + array-prototype-reduceRight 209.7594+-9.2594 ^ 51.5867+-2.5745 ^ definitely 4.0662x faster + + + * builtins/GlobalOperations.js: + (globalPrivate.toInteger): + (globalPrivate.toLength): + +2017-05-28 Sam Weinig + + [WebIDL] @@iterator should only be accessed once when disambiguating a union type + https://bugs.webkit.org/show_bug.cgi?id=172684 + + Reviewed by Yusuke Suzuki. 
+ + * runtime/IteratorOperations.cpp: + (JSC::iteratorMethod): + (JSC::iteratorForIterable): + * runtime/IteratorOperations.h: + (JSC::forEachInIterable): + Add additional iterator helpers to allow union + sequence conversion code + to check for iterability by getting the iterator method, and iterate using + that method later on. + +2017-05-28 Yusuke Suzuki + + Unreviewed, build fix for Windows + https://bugs.webkit.org/show_bug.cgi?id=172413 + + Optimized jsDynamicCast for JSMap and JSSet will be handled in [1]. + + [1]: https://bugs.webkit.org/show_bug.cgi?id=172685 + + * runtime/JSMap.h: + (JSC::isJSMap): + (JSC::jsDynamicCast): Deleted. + (JSC::>): Deleted. + * runtime/JSSet.h: + (JSC::isJSSet): + (JSC::jsDynamicCast): Deleted. + (JSC::>): Deleted. + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/SetConstructor.cpp: + (JSC::constructSet): + +2017-05-28 Mark Lam + + Implement a faster Interpreter::getOpcodeID(). + https://bugs.webkit.org/show_bug.cgi?id=172669 + + Reviewed by Saam Barati. + + We can implement Interpreter::getOpcodeID() without a hash table lookup by always + embedding the OpcodeID in the 32-bit word just before the start of the LLInt + handler code that executes each opcode. getOpcodeID() can therefore just read + the 32-bits before the opcode address to get its OpcodeID. + + This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64), + CPU(ARM_THUMB2), and only for OS(DARWIN). It'll probably just work for linux as + well, but I'll let the Linux folks turn that on after they have verified that it + works on linux too. + + I'll also take this opportunity to clean up how we initialize the opcodeIDTable: + 1. we only need to initialize it once per process, not once per VM / interpreter + instance. + 2. we can initialize it in the Interpreter constructor instead of requiring a + separate call to an initialize() function. 
+ + On debug builds, the Interpreter constructor will also verify that getOpcodeID() + is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID). + + * bytecode/BytecodeList.json: + * generate-bytecode-files: + * interpreter/Interpreter.cpp: + (JSC::Interpreter::Interpreter): + (JSC::Interpreter::opcodeIDTable): + (JSC::Interpreter::initialize): Deleted. + * interpreter/Interpreter.h: + (JSC::Interpreter::getOpcode): + (JSC::Interpreter::getOpcodeID): + * llint/LowLevelInterpreter.cpp: + * runtime/VM.cpp: + (JSC::VM::VM): + +2017-05-27 Yusuke Suzuki + + [JSC] Map and Set constructors should have fast path for cloning + https://bugs.webkit.org/show_bug.cgi?id=172413 + + Reviewed by Saam Barati. + + In this patch, we add a fast path for cloning in Set and Map constructors. + + In ARES-6 Air, we have code like `new Set(set)` to clone the given set. + At that time, our generic path just iterates the given set object and add + it to the newly created one. It is quite slow because we need to follow + the iterator protocol inside C++ and we need to call set.add() repeatedly + while the given set guarantees the elements are unique. + + This patch implements clone() function to JSMap and JSSet. Cloning JSMap + and JSSet are done really fast without invoking any observable JS functions. + To check whether we can use this clone() function in Set and Map constructors, + we set several watchpoints. + + In the case of Set, + + 1. Set.prototype[Symbol.iterator] is not changed. + 2. SetIterator.prototype.next is not changed. + 3. Set.prototype.add is not changed. + 4. The given Set does not have [Symbol.iterator] function in its instance. + 5. The given Set's [[Prototype]] is Set.prototype. + 6. Newly created set's [[Prototype]] is Set.prototype. + + If the above requirements are met, cloning the given Set is not observable to users. + Thus we can take a fast path. + + Currently, we do not integrate this optimization into DFG and FTL. 
+ And we do not optimize other iterables. For example, we can optimize Set + constructor taking Int32 Array. And we should optimize generic iterator cases too. + They are planned as part of a separate bug[1]. + + This change improves ARES-6 Air by 5.3% in steady state. + + Baseline: + Running... Air ( 1 to go) + firstIteration: 76.41 +- 15.60 ms + averageWorstCase: 40.63 +- 7.54 ms + steadyState: 9.13 +- 0.51 ms + + + Patched: + Running... Air ( 1 to go) + firstIteration: 75.00 +- 22.54 ms + averageWorstCase: 39.18 +- 8.45 ms + steadyState: 8.67 +- 0.28 ms + + [1]: https://bugs.webkit.org/show_bug.cgi?id=172419 + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed. + * runtime/HashMapImpl.h: + (JSC::HashMapBucket::extractValue): + (JSC::HashMapImpl::finishCreation): + (JSC::HashMapImpl::add): + (JSC::HashMapImpl::setUpHeadAndTail): + (JSC::HashMapImpl::addNormalizedNonExistingForCloning): + (JSC::HashMapImpl::addNormalizedInternal): + * runtime/InternalFunction.cpp: + (JSC::InternalFunction::createSubclassStructureSlow): + (JSC::InternalFunction::createSubclassStructure): Deleted. 
+ * runtime/InternalFunction.h: + (JSC::InternalFunction::createSubclassStructure): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint): + (JSC::JSGlobalObject::setIteratorProtocolWatchpoint): + (JSC::JSGlobalObject::mapSetWatchpoint): + (JSC::JSGlobalObject::setAddWatchpoint): + (JSC::JSGlobalObject::mapPrototype): + (JSC::JSGlobalObject::jsSetPrototype): + (JSC::JSGlobalObject::setStructure): + * runtime/JSGlobalObjectInlines.h: + (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable): + (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable): + (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable): + (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable): + * runtime/JSMap.cpp: + (JSC::JSMap::clone): + (JSC::JSMap::canCloneFastAndNonObservable): + * runtime/JSMap.h: + (JSC::jsDynamicCast): + (JSC::>): + (JSC::JSMap::createStructure): Deleted. + (JSC::JSMap::create): Deleted. + (JSC::JSMap::set): Deleted. + (JSC::JSMap::JSMap): Deleted. + * runtime/JSSet.cpp: + (JSC::JSSet::clone): + (JSC::JSSet::canCloneFastAndNonObservable): + * runtime/JSSet.h: + (JSC::jsDynamicCast): + (JSC::>): + (JSC::JSSet::createStructure): Deleted. + (JSC::JSSet::create): Deleted. + (JSC::JSSet::JSSet): Deleted. + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h. + (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint): + * runtime/SetConstructor.cpp: + (JSC::constructSet): + +2017-05-27 Yusuke Suzuki + + [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit + https://bugs.webkit.org/show_bug.cgi?id=172260 + + Reviewed by Filip Pizlo. 
+ + DOMJIT::Patchpoint is now used for generalized CheckSubClass. And it becomes mature enough + to be used as a general-purpose injectable compiler over all the JIT tiers. + + We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp. + (JSC::SlowPathCallGeneratorWithArguments::generateImpl): + (JSC::AccessCaseSnippetParams::emitSlowPathCalls): + * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h. + (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams): + * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::emitDOMJITGetter): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::blessCallDOMGetter): + (JSC::DFG::ByteCodeParser::handleDOMJITGetter): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.h: + * dfg/DFGNode.h: + * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp. + * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h. + (JSC::DFG::SnippetParams::SnippetParams): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::allocateTemporaryRegistersForSnippet): + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + (JSC::DFG::SpeculativeJIT::compileCheckSubClass): + (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted. + * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h. + (JSC::DOMJIT::CallDOMGetterSnippet::create): + * domjit/DOMJITGetterSetter.h: + * domjit/DOMJITSignature.h: + * domjit/DOMJITValue.h: Removed. 
+ * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): + * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp. + * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h. + (JSC::FTL::SnippetParams::SnippetParams): + * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h. + (JSC::Snippet::create): + (JSC::Snippet::setGenerator): + (JSC::Snippet::generator): + * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h. + (JSC::SnippetParams::~SnippetParams): + (JSC::SnippetParams::Value::Value): + (JSC::SnippetParams::Value::isGPR): + (JSC::SnippetParams::Value::isFPR): + (JSC::SnippetParams::Value::isJSValueRegs): + (JSC::SnippetParams::Value::gpr): + (JSC::SnippetParams::Value::fpr): + (JSC::SnippetParams::Value::jsValueRegs): + (JSC::SnippetParams::Value::reg): + (JSC::SnippetParams::Value::value): + (JSC::SnippetParams::SnippetParams): + * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h. + (JSC::SnippetReg::SnippetReg): + * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h. + * jsc.cpp: + (WTF::DOMJITNode::checkSubClassSnippet): + (WTF::DOMJITFunctionObject::checkSubClassSnippet): + (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted. + (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted. + * runtime/ClassInfo.h: + +2017-05-26 Keith Miller + + REEGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject(). + https://bugs.webkit.org/show_bug.cgi?id=172654 + + Reviewed by Mark Lam. + + The test's intent is to assert that an exception has not been + thrown (as indicated by the message string), but the test was + erroneously checking for ! the right condition. This is now fixed. 
+ + * API/tests/JSExportTests.mm: + (wrapperForNSObjectisObject): + +2017-05-26 Joseph Pecoraro + + JSContext Inspector: Improve the reliability of automatically pausing in auto-attach + https://bugs.webkit.org/show_bug.cgi?id=172664 + + + Reviewed by Matt Baker. + + Automatically pause on connection was triggering a pause before the + frontend may have initialized. Often during frontend initialization + the frontend may perform an action that clears the pause state requested + by the developer. This change defers the pause until after the frontend + has initialized, right before returning to the application's code. + + * inspector/remote/RemoteControllableTarget.h: + * inspector/remote/RemoteInspectionTarget.h: + * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm: + (Inspector::RemoteConnectionToTarget::setup): + * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp: + (Inspector::RemoteConnectionToTarget::setup): + * runtime/JSGlobalObjectDebuggable.cpp: + (JSC::JSGlobalObjectDebuggable::connect): + (JSC::JSGlobalObjectDebuggable::pause): Deleted. + * runtime/JSGlobalObjectDebuggable.h: + Pass an immediatelyPause boolean on to the controller. Remove + the current path that invokes a pause before initialization. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::connectFrontend): + (Inspector::JSGlobalObjectInspectorController::disconnectFrontend): + Manage should immediately pause state. + + (Inspector::JSGlobalObjectInspectorController::frontendInitialized): + (Inspector::JSGlobalObjectInspectorController::pause): Deleted. + When initialized, trigger a pause if requested. + +2017-05-26 Mark Lam + + Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed. + https://bugs.webkit.org/show_bug.cgi?id=172655 + + Reviewed by Saam Barati. 
+ + * API/tests/JSExportTests.mm: + (wrapperForNSObjectisObject): + +2017-05-26 Mark Lam + + REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer. + https://bugs.webkit.org/show_bug.cgi?id=172651 + + Reviewed by Saam Barati. + + This is because the assertion utility functions used in testCFStrings() expects + to get the JSGlobalContextRef from the global context variable. However, + testCFStrings() creates its own JSGlobalContextRef but does not set the global + context variable to it. + + The fix is to make testCFStrings() initialize the global context variable properly. + + * API/tests/testapi.c: + (testCFStrings): + +2017-05-26 Yusuke Suzuki + + Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725 + https://bugs.webkit.org/show_bug.cgi?id=167805 + + Reviewed by Saam Barati. + + Since ModuleProgramExecutable is executed only once, we can skip compiling + code unreachable from the current program count. This can skip massive + initialization code. + + We already do this for global code in bug#167725. This patch extends it to + module code. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeModuleProgram): + * interpreter/Interpreter.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * runtime/JSModuleRecord.cpp: + (JSC::JSModuleRecord::evaluate): + * runtime/JSModuleRecord.h: + (JSC::JSModuleRecord::moduleProgramExecutable): Deleted. + +2017-05-26 Oleksandr Skachkov + + Prevent async methods named 'function' + https://bugs.webkit.org/show_bug.cgi?id=172598 + + Reviewed by Mark Lam. + + Prevent async method named 'function' in class. + Link to change in ecma262 specification + https://github.com/tc39/ecma262/pull/884 + + * parser/Parser.cpp: + (JSC::Parser::parseClass): + +2017-05-25 Yusuke Suzuki + + Unreviewed, build fix for GCC + + std::tuple does not have implicit constructor. + Thus, we cannot use implicit construction with initializer brace. 
+ We should specify the name like `GetInst { }`.
+
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::StructureForInContext::addGetInst):
+
+2017-05-25 Keith Miller
+
+ Cleanup tests after r217240
+ https://bugs.webkit.org/show_bug.cgi?id=172466
+
+ Reviewed by Mark Lam.
+
+ I forgot to make my test an actual test. Also, remove second call runJSExportTests()
+
+ * API/tests/JSExportTests.mm:
+ (wrapperForNSObjectisObject):
+ * API/tests/testapi.mm:
+ (testObjectiveCAPIMain):
+
+2017-05-25 Michael Saboff
+
+ The default setting of Option::criticalGCMemoryThreshold is too high for iOS
+ https://bugs.webkit.org/show_bug.cgi?id=172617
+
+ Reviewed by Mark Lam.
+
+ Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
+ when tested running JetStream.
+
+ * runtime/Options.h:
+
+2017-05-25 Saam Barati
+
+ Our for-in optimization in the bytecode generator does its static analysis incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=172532
+
+
+ Reviewed by Mark Lam.
+
+ Our static analysis for when a for-in induction variable
+ is written to tried to its analysis as we generate
+ bytecode. This has issues, since it does not account for
+ the dynamic execution path of the program. Let's consider
+ a program where our old analysis worked:
+
+ ```
+ for (let p in o) {
+ o[p]; // We can transform this into a fast get_direct_pname
+ p = 20;
+ o[p]; // We cannot transform this since p has been changed.
+ }
+ ```
+
+ However, our static analysis did not account for loops, which exist
+ in JavaScript. e.g, it would incorrectly compile this program as:
+ ```
+ for (let p in o) {
+ for (let i = 0; i < 20; ++i) {
+ o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
+ p = 20;
+ o[p]; // We correctly do not transform this.
+ }
+ }
+ ```
+
+ Because of this flaw, I've made the optimization more conservative.
+ We now optimistically emit code for the optimized access. However,
+ if a for-in context is *ever* invalidated, before we pop it off
+ the stack, we rewrite the program's optimized accesses to no longer
+ be optimized. To do this, each context keeps track of its optimized
+ accesses.
+
+ This patch also adds a new bytecode, op_nop, which is just a no-op.
+ It was helpful to add this because reverting get_direct_pname to get_by_val
+ will leave us with an extra instruction word because get_direct_pname is
+ has a length of 7 where get_by_val has a length of 6. This leaves us with
+ an extra slot that we fill with an op_nop.
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetByVal):
+ (JSC::BytecodeGenerator::popIndexedForInScope):
+ (JSC::BytecodeGenerator::popStructureForInScope):
+ (JSC::BytecodeGenerator::invalidateForInContextForLocal):
+ (JSC::StructureForInContext::pop):
+ (JSC::IndexedForInContext::pop):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::StructureForInContext::addGetInst):
+ (JSC::IndexedForInContext::addGetInst):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_nop):
+ * llint/LowLevelInterpreter.asm:
+
+2017-05-25 Mark Lam
+
+ ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
+ https://bugs.webkit.org/show_bug.cgi?id=172548
+
+
+ Reviewed by Filip Pizlo.
+
+ Consider the following scenario:
+
+ 1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
+ structure transitions, e.g. structure S2 transitioning to structure S3.
+ In this case, O1 would be installed in S2's watchpoint set.
+ 2. When the structure transition happens, structure S2 will fire watchpoint O1.
+ 3. O1's handler will normally re-install itself in the watchpoint set of the new
+ "transitioned to" structure S3.
+ 4. "Installation" here requires writing into the StructureRareData SD3 of the new
+ structure S3. If SD3 does not exist yet, the installation process will trigger
+ the allocation of StructureRareData SD3.
+ 5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
+ ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
+ by the GC, and therefore will be collected soon.
+ 6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
+ SD1. This, in turn, triggers the deletion of the
+ ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
+
+ After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
+ AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
+ structure S3's watchpoint set. This is obviously incorrect because O1 is already
+ deleted. The result is that badness happens later when S3's watchpoint set fires
+ its watchpoints and accesses the deleted O1.
+
+ The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
+ check if "this" is still valid before proceeding to re-install itself or to
+ invoke its handleFire() method.
+
+ ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
+ AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
+ and return false its owner StructureRareData is no longer reachable by the GC.
+ This ensures that it won't be deleted while it's installed to any watchpoint set.
+
+ Additional considerations and notes:
+ 1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
+ being installed in watchpoint sets. What actually happens is that
+ ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
+ (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
+ watchpoint sets. The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
+ not itself a Watchpoint object.
+
+ But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
+ instead of its Watchpoint members. The description of the issue is still
+ accurate given the life-cycle of the Watchpoint members are embedded in the
+ enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
+ hence, they share the same life-cycle.
+
+ 2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
+ m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
+ watchpoint sets. This is safe to do even if the owner StructureRareData is no
+ longer reachable by the GC.
+
+ This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
+ is if its Watchpoint members are still installed in some watchpoint set that
+ fired. This means that the AdaptiveInferredPropertyValueWatchpointBase
+ instance has not been deleted yet, because its destructor will automatically
+ remove the Watchpoint members from any watchpoint sets.
+
+ * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
+ * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
+ * heap/FreeList.cpp:
+ (JSC::FreeList::contains):
+ * heap/FreeList.h:
+ * heap/HeapCell.h:
+ * heap/HeapCellInlines.h:
+ (JSC::HeapCell::isLive):
+ * heap/MarkedAllocator.h:
+ (JSC::MarkedAllocator::isFreeListedCell):
+ * heap/MarkedBlock.h:
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::isFreeListedCell):
+ * runtime/StructureRareData.cpp:
+ (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):
+
+2017-05-23 Saam Barati
+
+ We should not mmap zero bytes for a memory in Wasm
+ https://bugs.webkit.org/show_bug.cgi?id=172528
+
+
+ Reviewed by Mark Lam.
+
+ This patch fixes a bug where we would call into mmap with zero bytes
+ when creating a slow WasmMemory with zero initial page size. This fix
+ is simple: if we don't have any initial bytes, we just call the constructor
+ in WasmMemory that's meant to handle this case.
+
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::create):
+
+2017-05-23 Brian Burg
+
+ REGRESSION(r217051): Automation sessions fail to complete bootstrap
+ https://bugs.webkit.org/show_bug.cgi?id=172513
+
+
+ Reviewed by Joseph Pecoraro.
+
+ The changes to be more strict about typechecking messages were too strict.
+
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::receivedSetupMessage):
+ WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
+ into an NSDictionary as NSNull if the key isn't present in a forwarded command.
+ We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
+ [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.
+
+2017-05-23 Myles C. Maxfield
+
+ Remove dead ENABLE(FONT_LOAD_EVENTS) code
+ https://bugs.webkit.org/show_bug.cgi?id=172517
+
+ Rubber-stamped by Simon Fraser.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-05-23 Saam Barati
+
+ CFGSimplificationPhase should not merge a block with itself
+ https://bugs.webkit.org/show_bug.cgi?id=172508
+
+
+ Reviewed by Keith Miller.
+
+ CFGSimplificationPhase can run into or create IR that ends up with a
+ block that has a Jump to itself, and no other predecessors. It should
+ gracefully handle such IR. Before this patch, it would not. The only criteria
+ for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
+ The code is written in such a way that if we merge a block with itself, we
+ will infinite loop until we run out of memory.
+
+ Merging a block with itself does not make sense for a few reasons. First,
+ we're joining the contents of two blocks. What is the definition of joining
+ a block with itself? I suppose we could simply unroll this self loop
+ one level, but that would not be wise because this self loop is by definition
+ unreachable unless it's the root block in the graph (which I think is
+ invalid IR since we'd never generate bytecode that would do this).
+
+ This patch employs an easy fix: we can't merge a block with itself.
+
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
+ (JSC::DFG::CFGSimplificationPhase::run):
+ (JSC::DFG::CFGSimplificationPhase::convertToJump):
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+
+2017-05-22 Brian Burg
+
+ Web Inspector: webkit reload policy should match default behavior
+ https://bugs.webkit.org/show_bug.cgi?id=171385
+
+
+ Reviewed by Joseph Pecoraro.
+
+ Add a new option to Page.reload that allows the test harness
+ to reload its test page using the old reload behavior.
+
+ The new behavior of revalidating expired cached subresources only
+ is the current default, since only the test harness needs the old behavior.
+
+ * inspector/protocol/Page.json:
+
+2017-05-22 Keith Miller
+
+ [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
+ https://bugs.webkit.org/show_bug.cgi?id=167708
+
+ Reviewed by Geoffrey Garen.
+
+ This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
+ class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
+
+ Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
+ creating a wrapper for NSObject.
+
+ * API/APICast.h:
+ (toJSGlobalObject):
+ * API/JSContext.mm:
+ (-[JSContext ensureWrapperMap]):
+ (-[JSContext initWithVirtualMachine:]):
+ (-[JSContext dealloc]):
+ (-[JSContext wrapperMap]):
+ (-[JSContext initWithGlobalContextRef:]):
+ (-[JSContext wrapperForObjCObject:]):
+ (-[JSContext wrapperForJSObject:]):
+ * API/JSWrapperMap.h:
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo initForClass:]):
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
+ (-[JSObjCClassInfo wrapperForObject:inContext:]):
+ (-[JSObjCClassInfo constructorInContext:]):
+ (-[JSObjCClassInfo prototypeInContext:]):
+ (-[JSWrapperMap initWithGlobalContextRef:]):
+ (-[JSWrapperMap classInfoForClass:]):
+ (-[JSWrapperMap jsWrapperForObject:inContext:]):
+ (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
+ (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
+ (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
+ (-[JSObjCClassInfo wrapperForObject:]): Deleted.
+ (-[JSObjCClassInfo constructor]): Deleted.
+ (-[JSObjCClassInfo prototype]): Deleted.
+ (-[JSWrapperMap initWithContext:]): Deleted.
+ (-[JSWrapperMap jsWrapperForObject:]): Deleted.
+ (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
+ * API/tests/JSExportTests.mm:
+ (wrapperLifetimeIsTiedToGlobalObject):
+ (runJSExportTests):
+ * API/tests/testapi.mm:
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::wrapperMap):
+ (JSC::JSGlobalObject::setWrapperMap):
+
+2017-05-22 Filip Pizlo
+
+ FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
+ https://bugs.webkit.org/show_bug.cgi?id=172455
+
+ Reviewed by Mark Lam.
+
+ The FTL needs to run B3's callee-save register restoration before it runs the exception
+ handler's callee-save register restoration. This exposes B3's callee-save register
+ algorithm in AssemblyHelpers so that the FTL can call it.
+
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::generate):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
+ * heap/Subspace.cpp: Added some debugging support.
+ (JSC::Subspace::allocate):
+ (JSC::Subspace::tryAllocate):
+ (JSC::Subspace::didAllocate):
+ * heap/Subspace.h:
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::addressFor):
+ (JSC::AssemblyHelpers::emitSave):
+ (JSC::AssemblyHelpers::emitRestore):
+
+2017-05-20 Yusuke Suzuki
+
+ [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
+ https://bugs.webkit.org/show_bug.cgi?id=172216
+
+ Reviewed by Saam Barati.
+
+ This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
+ To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
+ ArrayStorage and SlowPutArrayStorage, then it produces vector length.
+ CheckInBounds uses this vector length to perform bound checking for ArrayStorage
+ and SlowPutArrayStorage.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::permitsBoundsCheckLowering):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasArrayMode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.h:
+ (JSC::FTL::AbstractHeapRepository::forIndexingType):
+ (JSC::FTL::AbstractHeapRepository::forArrayType):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitArrayStoragePutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitArrayStorageLoad):
+ (JSC::JIT::emitArrayStoragePutByVal):
+
+2017-05-21 Saam Barati
+
+ We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
+ https://bugs.webkit.org/show_bug.cgi?id=171041
+
+
+ Reviewed by Yusuke Suzuki.
+
+ We were treating a for-loop variable declaration potentially as a top
+ level statement, e.g, in a program like this:
+ ```
+ function foo() {
+ for (let variable of expr) { }
+ }
+ ```
+ But we should not be. This had the consequence of making this type of program
+ throw a syntax error:
+ ```
+ function foo(arg) {
+ for (let arg of expr) { }
+ }
+ ```
+ even though it should not. The fix is simple, we just need to increment the
+ statement depth before parsing anything inside the for loop.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseForStatement):
+
+2017-05-19 Yusuke Suzuki
+
+ [JSC] Make get_by_val & string "499" to number 499
+ https://bugs.webkit.org/show_bug.cgi?id=172225
+
+ Reviewed by Saam Barati.
+
+ Property subscript will be converted by ToString. So JS code is not aware of
+ the original type of the subscript value. But our get_by_val can leverage
+ information if the given subscript is number. Thus, passing number instead of
+ string can improve the performance of get_by_val in all the tiers.
+
+ In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
+ convert the given value to Int32 index constant if the given value is a string
+ that can be converted to Int32.
+
+ This patch improves SixSpeed map-string.es5 by 9.8x. This accessing form can
+ appear in some code like accessing the result of JSON.
+
+ map-string.es5 1640.6738+-110.9182 ^ 167.4121+-23.8328 ^ definitely 9.8002x faster
+
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitNodeForProperty):
+ (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::TaggedTemplateNode::emitBytecode):
+ (JSC::BracketAccessorNode::emitBytecode):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
+ (JSC::FunctionCallBracketNode::emitBytecode):
+ (JSC::PostfixNode::emitBracket):
+ (JSC::PrefixNode::emitBracket):
+ (JSC::AssignBracketNode::emitBytecode):
+ (JSC::ReadModifyBracketNode::emitBytecode):
+ (JSC::ForInNode::emitLoopHeader):
+ (JSC::ForOfNode::emitBytecode):
+ (JSC::ObjectPatternNode::bindValue):
+ (JSC::AssignmentElementNode::bindValue):
+
+2017-05-21 Saam Barati
+
+ We overwrite the callee save space on the stack when throwing stack overflow from wasm
+ https://bugs.webkit.org/show_bug.cgi?id=172316
+
+ Reviewed by Mark Lam.
+
+ When throwing a stack overflow exception, the overflow
+ thunk would do the following:
+ move fp, sp
+ populate argument registers
+ call C code
+
+ However, the C function is allowed to clobber our spilled
+ callee saves that live below fp. The reason I did this move is that
+ when we jump to this code, we've proven that sp is out of bounds on
+ the stack. So we're not allowed to just use its value or keep growing
+ the stack from that point. However, this patch revises this approach
+ to be the same in spirit, but actually correct. We conservatively assume
+ the B3 function we're coming from could have saved all callee saves.
+ So we emit code like this now:
+ add -maxNumCalleeSaveSpace, fp, sp
+ populate argument registers
+ call C code
+
+ This ensures our callee saves will not be overwritten. Note
+ that fp is still in a valid stack range here, since the thing
+ calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
+ is less than our redzone size, so it's safe to decrement sp by
+ this amount.
+
+ The previously added wasm stack overflow test is an instance crash
+ without this change on arm64. It also appears that this test crashed
+ on some other x86 devices.
+
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
+
+2017-05-20 Chris Dumez
+
+ Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport
+ https://bugs.webkit.org/show_bug.cgi?id=172418
+
+ Reviewed by Youenn Fablet.
+
+ Add CommonIdentifiers that are now needed.
+
+ * runtime/CommonIdentifiers.h:
+
+2017-05-20 Yusuke Suzuki
+
+ Unreviewed, add scope.release() to propertyIsEnumerable functions.
+ https://bugs.webkit.org/show_bug.cgi?id=172411
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncPropertyIsEnumerable):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncPropertyIsEnumerable):
+
+2017-05-20 Yusuke Suzuki
+
+ [JSC] Drop MapBase
+ https://bugs.webkit.org/show_bug.cgi?id=172417
+
+ Reviewed by Sam Weinig.
+
+ MapBase is a purely additional indirection. JSMap and JSSet can directly inherit HashMapImpl.
+ Thus MapBase is unnecessary. This patch drops it.
+ It is good because we can eliminate one indirection when accessing to map implementation.
+ Moreover, we can drop one unnecessary allocation per Map and Set.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
+ * runtime/HashMapImpl.cpp:
+ (JSC::HashMapImpl::estimatedSize):
+ (JSC::getHashMapImplKeyClassInfo): Deleted.
+ (JSC::getHashMapImplKeyValueClassInfo): Deleted.
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapImpl::finishCreation):
+ (JSC::HashMapImpl::get):
+ (JSC::HashMapImpl::info): Deleted.
+ (JSC::HashMapImpl::createStructure): Deleted.
+ (JSC::HashMapImpl::create): Deleted.
+ * runtime/JSMap.h:
+ (JSC::JSMap::set):
+ (JSC::JSMap::get): Deleted.
+ * runtime/JSMapIterator.cpp:
+ (JSC::JSMapIterator::finishCreation):
+ * runtime/JSSet.h:
+ (JSC::JSSet::add): Deleted.
+ * runtime/JSSetIterator.cpp:
+ (JSC::JSSetIterator::finishCreation):
+ * runtime/MapBase.cpp: Removed.
+ * runtime/MapBase.h: Removed.
+ * runtime/MapPrototype.cpp:
+ (JSC::mapProtoFuncSize):
+ * runtime/SetConstructor.cpp:
+ (JSC::constructSet):
+ * runtime/SetPrototype.cpp:
+ (JSC::setProtoFuncSize):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+
+2017-05-20 Yusuke Suzuki
+
+ [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable
+ https://bugs.webkit.org/show_bug.cgi?id=172411
+
+ Reviewed by Sam Weinig.
+
+ We use @Reflect.@getOwnPropertyDescriptor() to check
+
+ 1. the descriptor exists,
+ 2. and the descriptor.enumrable is true
+
+ But Object::propertyIsEnumerable does the completely same thing without
+ allocating a new object for property descriptor.
+
+ In this patch, we add a new private function @propertyIsEnumerable, and
+ use it in Object.assign implementation. It does not allocate unnecessary
+ objects. It is good for GC-pressure and performance.
+
+ This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch
+ does not introduce a fast path for objects that do not have accessors,
+ and it could speed up things further, this patch can speed up the common
+ slow path cases that is the current implementation of Object.assign.
+
+ object-assign.es6 1103.2487+-21.5602 ^ 621.8478+-34.9875 ^ definitely 1.7741x faster
+
+ * builtins/BuiltinNames.h:
+ * builtins/ObjectConstructor.js:
+ (globalPrivate.enumerableOwnProperties):
+ (assign):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncPropertyIsEnumerable):
+ * runtime/JSGlobalObjectFunctions.h:
+
+2017-05-19 Yusuke Suzuki
+
+ [JSC] Enable testapi on Mac CMake build
+ https://bugs.webkit.org/show_bug.cgi?id=172354
+
+ Reviewed by Alex Christensen.
+
+ This patch makes testapi buildable and runnable for Mac CMake port.
+
+ * API/tests/DateTests.mm:
+ (+[DateTests JSDateToNSDateTest]):
+ (+[DateTests roundTripThroughJSDateTest]):
+ This test only works with the en_US locale.
+
+ * shell/CMakeLists.txt:
+ * shell/PlatformMac.cmake:
+ Some of tests rely on ARC. We enable ARC for those files.
+
+ * shell/PlatformWin.cmake:
+ Clean up.
+
+2017-05-19 Mark Lam
+
+ [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
+ https://bugs.webkit.org/show_bug.cgi?id=172383
+
+
+ Reviewed by Filip Pizlo.
+
+ pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
+ available as a scratch register. This assumption is wrong if this canTrample
+ register is used for a silentFill() after an operation that returns a result in
+ regT0 or regT1.
+
+ Turns out the only reason we need the canTrample register is for
+ SetDoubleConstant. We can remove the need for this canTrample register by
+ introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
+ job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
+ ARM64. In so doing, we can simplify the silentFill() code and eliminate the bug.
+
+ Update for re-landing: Changed ARM64 to use scratchRegister() as well.
+ scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
+ as a scratch register.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::moveDouble):
+ * dfg/DFGArrayifySlowPathGenerator.h:
+ * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
+ (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
+ * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
+ * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::CallSlowPathGenerator::tearDown):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::compileToLowerCase):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
+ (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
+ (JSC::DFG::SpeculativeJIT::compileArithDiv):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+ (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
+ (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
+ (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
+ (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::convertAnyInt):
+
+2017-05-19 Ryan Haddad
+
+ Unreviewed, rolling out r217156.
+
+ This change broke the iOS build.
+
+ Reverted changeset:
+
+ "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
+ result registers."
+ https://bugs.webkit.org/show_bug.cgi?id=172383
+ http://trac.webkit.org/changeset/217156
+
+2017-05-19 Mark Lam
+
+ Add missing exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=172346
+
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::hasInstance):
+
+2017-05-19 Mark Lam
+
+ DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
+ https://bugs.webkit.org/show_bug.cgi?id=172383
+
+
+ Reviewed by Filip Pizlo.
+
+ pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
+ available as a scratch register. This assumption is wrong if this canTrample
+ register is used for a silentFill() after an operation that returns a result in
+ regT0 or regT1.
+
+ Turns out the only reason we need the canTrample register is for
+ SetDoubleConstant. We can remove the need for this canTrample register by
+ introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
+ job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
+ ARM64. In so doing, we can simplify the silentFill() code and eliminate the bug.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::moveDouble):
+ * dfg/DFGArrayifySlowPathGenerator.h:
+ * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
+ (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
+ * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
+ * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::CallSlowPathGenerator::tearDown):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::compileToLowerCase):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
+ (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
+ (JSC::DFG::SpeculativeJIT::compileArithDiv):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+ (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
+ (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
+ (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
+ (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::convertAnyInt):
+
+2017-05-19 Filip Pizlo
+
+ Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy
+ https://bugs.webkit.org/show_bug.cgi?id=172382
+
+ Reviewed by Saam Barati.
+
+ This is just a small clean-up - my last patch here created some unnecessary code duplication.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+
+2017-05-19 Filip Pizlo
+
+ arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided
+ https://bugs.webkit.org/show_bug.cgi?id=172369
+
+ Reviewed by Mark Lam.
+
+ * heap/Subspace.cpp: Reshaped the code a bit to aid debugging.
+ (JSC::Subspace::allocate):
+ (JSC::Subspace::tryAllocate):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug!
+ * runtime/ObjectInitializationScope.cpp: Provide even better feedback.
+ (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
+
+2017-05-18 Filip Pizlo
+
+ B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored
+ https://bugs.webkit.org/show_bug.cgi?id=172306
+
+ Reviewed by Michael Saboff.
+
+ This changes B3 to emit xchg and its variants for fenced stores on x86. This ensures that
+ fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted
+ normal store instructions for fenced stores. That's wrong because then you get reorderings
+ that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC
+ with respect for each other.
+
+ This is imprecise. If you really just wanted a store-release, then every X86 store does this.
+ But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with
+ respect to all other fences. If we ever did want to say that something is a store release in
+ the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence
+ range without the fence flag would mean the traditional store-release, which lowers to a
+ normal store on x86. But to my knowledge, that traditional store-release is only useful for
+ unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock,
+ and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients
+ an ARM-style store-release on x86 using xchg.
+
+ The implication of this change is that the FTL no longer violates the SAB memory model.
+
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::xchg8):
+ (JSC::MacroAssemblerX86Common::xchg16):
+ (JSC::MacroAssemblerX86Common::xchg32):
+ (JSC::MacroAssemblerX86Common::loadAcq8): Deleted.
+ (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted.
+ (JSC::MacroAssemblerX86Common::loadAcq16): Deleted.
+ (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted.
+ (JSC::MacroAssemblerX86Common::loadAcq32): Deleted.
+ (JSC::MacroAssemblerX86Common::storeRel8): Deleted.
+ (JSC::MacroAssemblerX86Common::storeRel16): Deleted.
+ (JSC::MacroAssemblerX86Common::storeRel32): Deleted.
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::xchg64):
+ (JSC::MacroAssemblerX86_64::loadAcq64): Deleted.
+ (JSC::MacroAssemblerX86_64::storeRel64): Deleted.
+ * b3/B3LowerToAir.cpp:
+ (JSC::B3::Air::LowerToAir::ArgPromise::inst):
+ (JSC::B3::Air::LowerToAir::trappingInst):
+ (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
+ (JSC::B3::Air::LowerToAir::createStore):
+ (JSC::B3::Air::LowerToAir::storeOpcode):
+ (JSC::B3::Air::LowerToAir::appendStore):
+ (JSC::B3::Air::LowerToAir::append):
+ (JSC::B3::Air::LowerToAir::appendTrapping):
+ (JSC::B3::Air::LowerToAir::fillStackmap):
+ (JSC::B3::Air::LowerToAir::lower):
+ * b3/air/AirKind.cpp:
+ (JSC::B3::Air::Kind::dump):
+ * b3/air/AirKind.h:
+ (JSC::B3::Air::Kind::Kind):
+ (JSC::B3::Air::Kind::operator==):
+ (JSC::B3::Air::Kind::hash):
+ * b3/air/AirLowerAfterRegAlloc.cpp:
+ (JSC::B3::Air::lowerAfterRegAlloc):
+ * b3/air/AirLowerMacros.cpp:
+ (JSC::B3::Air::lowerMacros):
+ * b3/air/AirOpcode.opcodes:
+ * b3/air/AirValidate.cpp:
+ * b3/air/opcode_generator.rb:
+ * b3/testb3.cpp:
+ (JSC::B3::correctSqrt):
+ (JSC::B3::testSqrtArg):
+ (JSC::B3::testSqrtImm):
+ (JSC::B3::testSqrtMem):
+ (JSC::B3::testSqrtArgWithUselessDoubleConversion):
+ (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
+ (JSC::B3::testStoreRelAddLoadAcq32):
+ (JSC::B3::testTrappingLoad):
+ (JSC::B3::testTrappingStore):
+ (JSC::B3::testTrappingLoadAddStore):
+ (JSC::B3::testTrappingLoadDCE):
+
+2017-05-19 Don Olmstead
+
+ [JSC] Remove PLATFORM(WIN) references
+ https://bugs.webkit.org/show_bug.cgi?id=172294
+
+ Reviewed by Yusuke Suzuki.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::removeThread):
+ * llint/LLIntOfflineAsmConfig.h:
+ * runtime/ConfigFile.h:
+ * runtime/VM.cpp:
+ (JSC::VM::updateStackLimits):
+
+2017-05-19 Yusuke Suzuki
+
+ [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
+ https://bugs.webkit.org/show_bug.cgi?id=172098
+
+ Reviewed by Saam Barati.
+
+ In this patch, we generalize CheckDOM to CheckSubClass.
+ It can accept any ClassInfo and perform ClassInfo check
+ in DFG / FTL. Now, we add a new function pointer to ClassInfo,
+ checkSubClassPatchpoint. It can create DOMJIT patchpoint
+ for that ClassInfo. It it natural that ClassInfo holds the
+ way to emit DOMJIT::Patchpoint to perform CheckSubClass
+ rather than having it in each DOMJIT getter / function
+ signature annotation.
+
+ One problem is that it enlarges the size of ClassInfo.
+ But this is the best place to put this function pointer.
+ By doing so, we can add a patchpoint for CheckSubClass
+ in an non-intrusive manner: WebCore can inject patchpoints
+ without interactive JSC.
+
+ We still have a way to reduce the size of ClassInfo if
+ we move ArrayBuffer related methods out to the other places.
+
+ This patch touches many files because we add a new function
+ pointer to ClassInfo. But they are basically mechanical change.
+
+ * API/JSAPIWrapperObject.mm:
+ * API/JSCallbackConstructor.cpp:
+ * API/JSCallbackFunction.cpp:
+ * API/JSCallbackObject.cpp:
+ * API/ObjCCallbackFunction.mm:
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/DOMJITAccessCasePatchpointParams.h:
+ (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
+ * bytecode/EvalCodeBlock.cpp:
+ * bytecode/FunctionCodeBlock.cpp:
+ * bytecode/GetterSetterAccessCase.cpp:
+ (JSC::GetterSetterAccessCase::emitDOMJITGetter):
+ * bytecode/ModuleProgramCodeBlock.cpp:
+ * bytecode/ProgramCodeBlock.cpp:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ * bytecode/UnlinkedEvalCodeBlock.cpp:
+ * bytecode/UnlinkedFunctionCodeBlock.cpp:
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
+ * bytecode/UnlinkedProgramCodeBlock.cpp:
+ * debugger/DebuggerScope.cpp:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDOMJITPatchpointParams.h:
+ (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
+ (JSC::DFG::FixupPhase::fixupCheckSubClass):
+ (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasClassInfo):
+ (JSC::DFG::Node::classInfo):
+ (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
+ (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::vm):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * domjit/DOMJITGetterSetter.h:
+ * domjit/DOMJITPatchpointParams.h:
+ (JSC::DOMJIT::PatchpointParams::PatchpointParams):
+ (JSC::DOMJIT::PatchpointParams::vm):
+ * domjit/DOMJITSignature.h:
+ (JSC::DOMJIT::Signature::Signature):
+ (JSC::DOMJIT::Signature::checkDOM): Deleted.
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLDOMJITPatchpointParams.h:
+ (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
+ * inspector/JSInjectedScriptHost.cpp:
+ * inspector/JSInjectedScriptHostPrototype.cpp:
+ * inspector/JSJavaScriptCallFrame.cpp:
+ * inspector/JSJavaScriptCallFramePrototype.cpp:
+ * jsc.cpp:
+ (WTF::DOMJITNode::checkSubClassPatchpoint):
+ (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
+ (WTF::DOMJITFunctionObject::finishCreation):
+ (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
+ (WTF::DOMJITCheckSubClassObject::createStructure):
+ (WTF::DOMJITCheckSubClassObject::create):
+ (WTF::DOMJITCheckSubClassObject::safeFunction):
+ (WTF::DOMJITCheckSubClassObject::unsafeFunction):
+ (WTF::DOMJITCheckSubClassObject::finishCreation):
+ (GlobalObject::finishCreation):
+ (functionCreateDOMJITCheckSubClassObject):
+ (WTF::DOMJITNode::checkDOMJITNode): Deleted.
+ (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
+ * runtime/AbstractModuleRecord.cpp:
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ * runtime/ArrayConstructor.cpp:
+ * runtime/ArrayIteratorPrototype.cpp:
+ * runtime/ArrayPrototype.cpp:
+ * runtime/AsyncFunctionConstructor.cpp:
+ * runtime/AsyncFunctionPrototype.cpp:
+ * runtime/AtomicsObject.cpp:
+ * runtime/BooleanConstructor.cpp:
+ * runtime/BooleanObject.cpp:
+ * runtime/BooleanPrototype.cpp:
+ * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
+ (JSC::ClassInfo::dump):
+ * runtime/ClassInfo.h:
+ (JSC::ClassInfo::offsetOfParentClass):
+ * runtime/ClonedArguments.cpp:
+ * runtime/ConsoleObject.cpp:
+ * runtime/CustomGetterSetter.cpp:
+ * runtime/DateConstructor.cpp:
+ * runtime/DateInstance.cpp:
+ * runtime/DatePrototype.cpp:
+ * runtime/DirectArguments.cpp:
+ * runtime/Error.cpp:
+ * runtime/ErrorConstructor.cpp:
+ * runtime/ErrorInstance.cpp:
+ * runtime/ErrorPrototype.cpp:
+ * runtime/EvalExecutable.cpp:
+ * runtime/Exception.cpp:
+ * runtime/ExceptionHelpers.cpp:
+ * runtime/ExecutableBase.cpp:
+ * runtime/FunctionConstructor.cpp:
+ * runtime/FunctionExecutable.cpp:
+ * runtime/FunctionPrototype.cpp:
+ * runtime/FunctionRareData.cpp:
+ * runtime/GeneratorFunctionConstructor.cpp:
+ * runtime/GeneratorFunctionPrototype.cpp:
+ * runtime/GeneratorPrototype.cpp:
+ * runtime/GetterSetter.cpp:
+ * runtime/HashMapImpl.cpp:
+ * runtime/HashMapImpl.h:
+ * runtime/InferredType.cpp:
+ (JSC::InferredType::create):
+ * runtime/InferredTypeTable.cpp:
+ * runtime/InferredValue.cpp:
+ * runtime/InspectorInstrumentationObject.cpp:
+ * runtime/InternalFunction.cpp:
+ * runtime/IntlCollator.cpp:
+ * runtime/IntlCollatorConstructor.cpp:
+ * runtime/IntlCollatorPrototype.cpp:
+ * runtime/IntlDateTimeFormat.cpp:
+ * runtime/IntlDateTimeFormatConstructor.cpp:
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ * runtime/IntlNumberFormat.cpp:
+ * runtime/IntlNumberFormatConstructor.cpp:
+ * runtime/IntlNumberFormatPrototype.cpp:
+ * runtime/IntlObject.cpp:
+ * runtime/IteratorPrototype.cpp:
+ * runtime/JSAPIValueWrapper.cpp:
+ * runtime/JSArray.cpp:
+ * runtime/JSArrayBuffer.cpp:
+ * runtime/JSArrayBufferConstructor.cpp:
+ * runtime/JSArrayBufferPrototype.cpp:
+ * runtime/JSArrayBufferView.cpp:
+ * runtime/JSAsyncFunction.cpp:
+ * runtime/JSBoundFunction.cpp:
+ * runtime/JSCallee.cpp:
+ * runtime/JSCustomGetterSetterFunction.cpp:
+ * runtime/JSDataView.cpp:
+ * runtime/JSDataViewPrototype.cpp:
+ * runtime/JSEnvironmentRecord.cpp:
+ * runtime/JSFixedArray.cpp:
+ * runtime/JSFunction.cpp:
+ * runtime/JSGeneratorFunction.cpp:
+ * runtime/JSGlobalLexicalEnvironment.cpp:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSInternalPromise.cpp:
+ * runtime/JSInternalPromiseConstructor.cpp:
+ * runtime/JSInternalPromiseDeferred.cpp:
+ * runtime/JSInternalPromisePrototype.cpp:
+ * runtime/JSLexicalEnvironment.cpp:
+ * runtime/JSMap.cpp:
+ * runtime/JSMapIterator.cpp:
+ * runtime/JSModuleEnvironment.cpp:
+ * runtime/JSModuleLoader.cpp:
+ * runtime/JSModuleNamespaceObject.cpp:
+ * runtime/JSModuleRecord.cpp:
+ * runtime/JSNativeStdFunction.cpp:
+ * runtime/JSONObject.cpp:
+ * runtime/JSObject.cpp:
+ * runtime/JSPromise.cpp:
+ * runtime/JSPromiseConstructor.cpp:
+ * runtime/JSPromiseDeferred.cpp:
+ * runtime/JSPromisePrototype.cpp:
+ * runtime/JSPropertyNameEnumerator.cpp:
+ * runtime/JSPropertyNameIterator.cpp:
+ * runtime/JSProxy.cpp:
+ * runtime/JSScriptFetcher.cpp:
+ * runtime/JSSet.cpp:
+ * runtime/JSSetIterator.cpp:
+ * runtime/JSSourceCode.cpp:
+ * runtime/JSString.cpp:
+ * runtime/JSStringIterator.cpp:
+ * runtime/JSSymbolTableObject.cpp:
+ * runtime/JSTemplateRegistryKey.cpp:
+ * runtime/JSTypedArrayConstructors.cpp:
+ * runtime/JSTypedArrayPrototypes.cpp:
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ * runtime/JSTypedArrays.cpp:
+ * runtime/JSWeakMap.cpp:
+ * runtime/JSWeakSet.cpp:
+ * runtime/JSWithScope.cpp:
+ * runtime/MapConstructor.cpp:
+ * runtime/MapIteratorPrototype.cpp:
+ * runtime/MapPrototype.cpp:
+ * runtime/MathObject.cpp:
+ * runtime/ModuleLoaderPrototype.cpp:
+ * runtime/ModuleProgramExecutable.cpp:
+ * runtime/NativeErrorConstructor.cpp:
+ * runtime/NativeExecutable.cpp:
+ * runtime/NativeStdFunctionCell.cpp:
+ * runtime/NullGetterFunction.cpp:
+ * runtime/NullSetterFunction.cpp:
+ * runtime/NumberConstructor.cpp:
+ * runtime/NumberObject.cpp:
+ * runtime/NumberPrototype.cpp:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/ObjectPrototype.cpp:
+ * runtime/ProgramExecutable.cpp:
+ * runtime/PropertyTable.cpp:
+ * runtime/ProxyConstructor.cpp:
+ * runtime/ProxyObject.cpp:
+ * runtime/ProxyRevoke.cpp:
+ * runtime/ReflectObject.cpp:
+ * runtime/RegExp.cpp:
+ * runtime/RegExpConstructor.cpp:
+ * runtime/RegExpObject.cpp:
+ * runtime/RegExpPrototype.cpp:
+ * runtime/ScopedArguments.cpp:
+ * runtime/ScopedArgumentsTable.cpp:
+ * runtime/ScriptExecutable.cpp:
+ * runtime/SetConstructor.cpp:
+ * runtime/SetIteratorPrototype.cpp:
+ * runtime/SetPrototype.cpp:
+ * runtime/SparseArrayValueMap.cpp:
+ * runtime/StrictEvalActivation.cpp:
+ * runtime/StringConstructor.cpp:
+ * runtime/StringIteratorPrototype.cpp:
+ * runtime/StringObject.cpp:
+ * runtime/StringPrototype.cpp:
+ * runtime/Structure.cpp:
+ * runtime/StructureChain.cpp:
+ * runtime/StructureRareData.cpp:
+ * runtime/Symbol.cpp:
+ * runtime/SymbolConstructor.cpp:
+ * runtime/SymbolObject.cpp:
+ * runtime/SymbolPrototype.cpp:
+ * runtime/SymbolTable.cpp:
+ * runtime/WeakMapConstructor.cpp:
+ * runtime/WeakMapData.cpp:
+ * runtime/WeakMapPrototype.cpp:
+ * runtime/WeakSetConstructor.cpp:
+ * runtime/WeakSetPrototype.cpp:
+ * testRegExp.cpp:
+ * tools/JSDollarVM.cpp:
+ * tools/JSDollarVMPrototype.cpp:
+ * wasm/JSWebAssembly.cpp:
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ * wasm/js/JSWebAssemblyCompileError.cpp:
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ * wasm/js/JSWebAssemblyLinkError.cpp:
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ * wasm/js/JSWebAssemblyModule.cpp:
+ * wasm/js/JSWebAssemblyRuntimeError.cpp:
+ * wasm/js/JSWebAssemblyTable.cpp:
+ * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+ * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
+ * wasm/js/WebAssemblyFunction.cpp:
+ * wasm/js/WebAssemblyFunctionBase.cpp:
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ * wasm/js/WebAssemblyInstancePrototype.cpp:
+ * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
+ * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ * wasm/js/WebAssemblyPrototype.cpp:
+ * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
+ * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ * wasm/js/WebAssemblyToJSCallee.cpp:
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+
+2017-05-18 JF Bastien
+
+ WebAssembly: exports is a getter
+ https://bugs.webkit.org/show_bug.cgi?id=172129
+
+ Reviewed by Saam Barati.
+
+ As updated here: https://github.com/WebAssembly/design/pull/1062
+
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor
+ * wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning
+ * wasm/js/WebAssemblyInstancePrototype.cpp: use LUT
+ (JSC::getInstance): helper, as in surrounding files
+ (JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect
+ * wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table
+ (JSC::getMemory):
+ (JSC::webAssemblyMemoryProtoFuncGrow):
+ (JSC::webAssemblyMemoryProtoFuncBuffer):
+ * wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code
+ (JSC::webAssemblyTableProtoFuncLength):
+ (JSC::webAssemblyTableProtoFuncGrow):
+ (JSC::webAssemblyTableProtoFuncGet):
+ (JSC::webAssemblyTableProtoFuncSet):
+
+2017-05-18 Saam Barati
+
+ Proxy's [[Get]] passes incorrect receiver
+ https://bugs.webkit.org/show_bug.cgi?id=164849
+
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/ProxyObject.cpp:
+ (JSC::performProxyGet):
+
+2017-05-18 Andy Estes
+
+ ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier
+ https://bugs.webkit.org/show_bug.cgi?id=172305
+
+ Reviewed by Anders Carlsson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-05-18 Saam Barati
+
+ We need to destroy worker threads in jsc.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=170751
+
+
+ Reviewed by Filip Pizlo.
+
+ This patch fixes a bug where a $ agent worker would still
+ have compilation threads running after the thread the worker
+ was created on dies. This manifested itself inside DFG AI where
+ we would notice a string constant is atomic, then the worker
+ thread would die, destroying its atomic string table, then
+ we'd notice the same string is no longer atomic, and we'd crash
+ because we'd fail to see the same speculated type for the same
+ JSValue.
+
+ This patch makes it so that $ agent workers destroy their VM when
+ they're done executing. Before a VM gets destroyed, it ensures that
+ all its compilation threads finish.
+
+ * jsc.cpp:
+ (functionDollarAgentStart):
+ (runJSC):
+ (jscmain):
+
+2017-05-18 Michael Saboff
+
+ Add FTL whitelist debugging option
+ https://bugs.webkit.org/show_bug.cgi?id=172321
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGTierUpCheckInjectionPhase.cpp:
+ (JSC::DFG::ensureGlobalFTLWhitelist):
+ (JSC::DFG::TierUpCheckInjectionPhase::run):
+ * runtime/Options.h:
+ * tools/FunctionWhitelist.cpp:
+ (JSC::FunctionWhitelist::contains):
+
+2017-05-18 Filip Pizlo
+
+ Constructor calls set this too early
+ https://bugs.webkit.org/show_bug.cgi?id=172302
+
+ Reviewed by Saam Barati.
+
+ We were setting this before evaluating the arguments, so this code:
+
+ var x = 42;
+ new x(x = function() { });
+
+ Would crash because we would pass 42 as this, and create_this would treat it as a cell.
+ Dereferencing a non-cell is guaranteed to crash.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitConstruct):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::NewExprNode::emitBytecode):
+ (JSC::FunctionCallValueNode::emitBytecode):
+
+2017-05-18 Saam Barati
+
+ WebAssembly: perform stack checks
+ https://bugs.webkit.org/show_bug.cgi?id=165546
+
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds stack checks to wasm. It implements it by storing the stack
+ bounds on the Context.
+
+ Stack checking works as normal, except we do a small optimization for terminal
+ nodes in the call tree (nodes that don't make any calls). These nodes will
+ only do a stack check if their frame size is beyond 1024 bytes. Otherwise,
+ it's assumed the parent that called them did their stack check for them.
+ This is because all things that make calls make sure to do an extra 1024
+ bytes whenever doing a stack check.
+
+ We also take into account stack size for potential JS calls when doing
+ stack checks since our JS stubs don't do this on their own. Each frame
+ will ensure it does a stack check large enough for any potential JS call
+ stubs it'll execute.
+
+ Surprisingly, this patch is neutral on WasmBench and TitzerBench.
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/Error.cpp:
+ (JSC::createRangeError):
+ (JSC::addErrorInfoAndGetBytecodeOffset):
+ I fixed a bug here where we assumed that the first frame that has line
+ and column info would be in our stack trace. This is not correct
+ since we limit our stack trace size. If everything in our limited
+ size stack trace is Wasm, then we won't have any frames with line
+ and column info.
+ * runtime/Error.h:
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createStackOverflowError):
+ * runtime/ExceptionHelpers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::webAssemblyToJSCalleeStructure):
+ * runtime/JSType.h:
+ * runtime/Options.h: I've added a new option that controls
+ whether or not we use fast TLS for the wasm context.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmContext.cpp:
+ (JSC::Wasm::loadContext):
+ (JSC::Wasm::storeContext):
+ * wasm/WasmContext.h:
+ (JSC::Wasm::useFastTLSForContext):
+ * wasm/WasmExceptionType.h:
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::PinnedRegisterInfo::toSave):
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
+ (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
+ (JSC::Wasm::Thunks::stub):
+ * wasm/WasmThunks.h:
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit):
+ (JSC::JSWebAssemblyInstance::cachedStackLimit):
+ (JSC::JSWebAssemblyInstance::setCachedStackLimit):
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::finishCreation):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ * wasm/js/WebAssemblyToJSCallee.cpp: Make this a descendent of object.
+ This is needed for correctness because we may call into JS,
+ and then the first JS frame could stack overflow. When it stack
+ overflows, it rolls back one frame to the wasm->js call stub with
+ the wasm->js callee. It gets the lexical global object from this
+ frame, meaning it gets the global object from the callee. Therefore,
+ we must make it an object since all objects have global objects.
+ (JSC::WebAssemblyToJSCallee::create):
+ * wasm/js/WebAssemblyToJSCallee.h:
+
+2017-05-18 Keith Miller
+
+ WebAssembly API: test with neutered inputs
+ https://bugs.webkit.org/show_bug.cgi?id=163899
+
+ Reviewed by JF Bastien.
+
+ Add tests to check that we properly throw a type error when
+ we get a transferred ArrayBuffer. Also, we should make sure
+ we cannot post message a wasm memory's ArrayBuffer.
+
+ * API/JSTypedArray.cpp:
+ (JSObjectGetArrayBufferBytesPtr):
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBuffer::makeShared):
+ (JSC::ArrayBuffer::makeWasmMemory):
+ (JSC::ArrayBuffer::transferTo):
+ (JSC::ArrayBuffer::neuter):
+ (JSC::ArrayBuffer::notifyIncommingReferencesOfTransfer):
+ (JSC::errorMesasgeForTransfer):
+ * runtime/ArrayBuffer.h:
+ (JSC::ArrayBuffer::isLocked):
+ (JSC::ArrayBuffer::isWasmMemory):
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::buffer):
+ (JSC::JSWebAssemblyMemory::grow):
+
+2017-05-18 Joseph Pecoraro
+
+ Remote Inspector: Be stricter about checking message types
+ https://bugs.webkit.org/show_bug.cgi?id=172259
+
+
+ Reviewed by Brian Burg.
+
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::receivedSetupMessage):
+ (Inspector::RemoteInspector::receivedDataMessage):
+ (Inspector::RemoteInspector::receivedDidCloseMessage):
+ (Inspector::RemoteInspector::receivedIndicateMessage):
+ (Inspector::RemoteInspector::receivedConnectionDiedMessage):
+ (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
+ (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
+ (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
+ * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
+ (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
+ (Inspector::RemoteInspectorXPCConnection::handleEvent):
+ (Inspector::RemoteInspectorXPCConnection::sendMessage):
+ Bail if we don't receive the expected types for message data.
+
+2017-05-18 Filip Pizlo
+
+ DFG inlining should be hardened for the no-result case
+ https://bugs.webkit.org/show_bug.cgi?id=172290
+
+ Reviewed by Saam Barati.
+
+ Previously, if we were inlining a setter call, we might have a bad time because the setter's
+ result register is the invalid VirtualRegister(), and much of the intrinsic handling code
+ assumes that the result register is valid.
+
+ This doesn't usually cause problems because people don't usually point a setter at something
+ that we recognize as an intrinsic.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Fix a comment.
+ * dfg/DFGByteCodeParser.cpp: Make RELEASE_ASSERT give accurate stacks. I was getting an absurd stack from the assert I added in DelayedSetLocal.
+ (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal): Assert so we catch the problem sooner.
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall): Fix the bug.
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): Fix the bug if constant internal functions were setter-inlineable (they ain't, because the bytecode parser doesn't fold GetSetter).
+ * runtime/Intrinsic.cpp: Added. I needed this to debug.
+ (JSC::intrinsicName):
+ (WTF::printInternal):
+ * runtime/Intrinsic.h:
+
+2017-05-18 Commit Queue
+
+ Unreviewed, rolling out r217031, r217032, and r217037.
+ https://bugs.webkit.org/show_bug.cgi?id=172293
+
+ cause linking errors in Windows (Requested by yusukesuzuki on
+ #webkit).
+
+ Reverted changesets:
+
+ "[JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass"
+ https://bugs.webkit.org/show_bug.cgi?id=172098
+ http://trac.webkit.org/changeset/217031
+
+ "Unreviewed, rebaseline for newly added ClassInfo"
+ https://bugs.webkit.org/show_bug.cgi?id=172098
+ http://trac.webkit.org/changeset/217032
+
+ "Unreviewed, fix debug and non-JIT build"
+ https://bugs.webkit.org/show_bug.cgi?id=172098
+ http://trac.webkit.org/changeset/217037
+
+2017-05-17 Yusuke Suzuki
+
+ Unreviewed, fix debug and non-JIT build
+ https://bugs.webkit.org/show_bug.cgi?id=172098
+
+ * jsc.cpp:
+ (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
+
+2017-05-17 Yusuke Suzuki
+
+ Unreviewed, rebaseline for newly added ClassInfo
+ https://bugs.webkit.org/show_bug.cgi?id=172098
+
+ * wasm/js/WebAssemblyFunctionBase.cpp:
+
+2017-05-16 Yusuke Suzuki
+
+ [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
+ https://bugs.webkit.org/show_bug.cgi?id=172098
+
+ Reviewed by Saam Barati.
+
+ In this patch, we generalize CheckDOM to CheckSubClass.
+ It can accept any ClassInfo and perform ClassInfo check
+ in DFG / FTL. Now, we add a new function pointer to ClassInfo,
+ checkSubClassPatchpoint. It can create DOMJIT patchpoint
+ for that ClassInfo. It it natural that ClassInfo holds the
+ way to emit DOMJIT::Patchpoint to perform CheckSubClass
+ rather than having it in each DOMJIT getter / function
+ signature annotation.
+
+ One problem is that it enlarges the size of ClassInfo.
+ But this is the best place to put this function pointer.
+ By doing so, we can add a patchpoint for CheckSubClass
+ in an non-intrusive manner: WebCore can inject patchpoints
+ without interactive JSC.
+
+ We still have a way to reduce the size of ClassInfo if
+ we move ArrayBuffer related methods out to the other places.
+
+ This patch touches many files because we add a new function
+ pointer to ClassInfo. But they are basically mechanical change.
+
+ * API/JSAPIWrapperObject.mm:
+ * API/JSCallbackConstructor.cpp:
+ * API/JSCallbackFunction.cpp:
+ * API/JSCallbackObject.cpp:
+ * API/ObjCCallbackFunction.mm:
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/DOMJITAccessCasePatchpointParams.h:
+ (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
+ * bytecode/EvalCodeBlock.cpp:
+ * bytecode/FunctionCodeBlock.cpp:
+ * bytecode/GetterSetterAccessCase.cpp:
+ (JSC::GetterSetterAccessCase::emitDOMJITGetter):
+ * bytecode/ModuleProgramCodeBlock.cpp:
+ * bytecode/ProgramCodeBlock.cpp:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ * bytecode/UnlinkedEvalCodeBlock.cpp:
+ * bytecode/UnlinkedFunctionCodeBlock.cpp:
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
+ * bytecode/UnlinkedProgramCodeBlock.cpp:
+ * debugger/DebuggerScope.cpp:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDOMJITPatchpointParams.h:
+ (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
+ (JSC::DFG::FixupPhase::fixupCheckSubClass):
+ (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasClassInfo):
+ (JSC::DFG::Node::classInfo):
+ (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
+ (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
+ (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::vm):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ In DFG, we rename CheckDOM to CheckSubClass. It just holds ClassInfo.
+ And ClassInfo knows how to perform CheckSubClass efficiently.
+ If ClassInfo does not have a way to perform CheckSubClass efficiently,
+ we just perform jsDynamicCast thing in ASM.
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * domjit/DOMJITGetterSetter.h:
+ * domjit/DOMJITPatchpointParams.h:
+ (JSC::DOMJIT::PatchpointParams::PatchpointParams):
+ (JSC::DOMJIT::PatchpointParams::vm):
+ * domjit/DOMJITSignature.h:
+ (JSC::DOMJIT::Signature::Signature):
+ (JSC::DOMJIT::Signature::checkDOM): Deleted.
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLDOMJITPatchpointParams.h:
+ (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
+ * inspector/JSInjectedScriptHost.cpp:
+ * inspector/JSInjectedScriptHostPrototype.cpp:
+ * inspector/JSJavaScriptCallFrame.cpp:
+ * inspector/JSJavaScriptCallFramePrototype.cpp:
+ * jsc.cpp:
+ (WTF::DOMJITNode::checkSubClassPatchpoint):
+ (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
+ (WTF::DOMJITFunctionObject::finishCreation):
+ (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
+ (WTF::DOMJITCheckSubClassObject::createStructure):
+ (WTF::DOMJITCheckSubClassObject::create):
+ (WTF::DOMJITCheckSubClassObject::safeFunction):
+ (WTF::DOMJITCheckSubClassObject::unsafeFunction):
+ (WTF::DOMJITCheckSubClassObject::finishCreation):
+ (GlobalObject::finishCreation):
+ (functionCreateDOMJITCheckSubClassObject):
+ (WTF::DOMJITNode::checkDOMJITNode): Deleted.
+ (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
+ * runtime/AbstractModuleRecord.cpp:
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ * runtime/ArrayConstructor.cpp:
+ * runtime/ArrayIteratorPrototype.cpp:
+ * runtime/ArrayPrototype.cpp:
+ * runtime/AsyncFunctionConstructor.cpp:
+ * runtime/AsyncFunctionPrototype.cpp:
+ * runtime/AtomicsObject.cpp:
+ * runtime/BooleanConstructor.cpp:
+ * runtime/BooleanObject.cpp:
+ * runtime/BooleanPrototype.cpp:
+ * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
+ (JSC::ClassInfo::dump): + * runtime/ClassInfo.h: + (JSC::ClassInfo::offsetOfParentClass): + * runtime/ClonedArguments.cpp: + * runtime/ConsoleObject.cpp: + * runtime/CustomGetterSetter.cpp: + * runtime/DateConstructor.cpp: + * runtime/DateInstance.cpp: + * runtime/DatePrototype.cpp: + * runtime/DirectArguments.cpp: + * runtime/Error.cpp: + * runtime/ErrorConstructor.cpp: + * runtime/ErrorInstance.cpp: + * runtime/ErrorPrototype.cpp: + * runtime/EvalExecutable.cpp: + * runtime/Exception.cpp: + * runtime/ExceptionHelpers.cpp: + * runtime/ExecutableBase.cpp: + * runtime/FunctionConstructor.cpp: + * runtime/FunctionExecutable.cpp: + * runtime/FunctionPrototype.cpp: + * runtime/FunctionRareData.cpp: + * runtime/GeneratorFunctionConstructor.cpp: + * runtime/GeneratorFunctionPrototype.cpp: + * runtime/GeneratorPrototype.cpp: + * runtime/GetterSetter.cpp: + * runtime/HashMapImpl.cpp: + * runtime/HashMapImpl.h: + * runtime/InferredType.cpp: + (JSC::InferredType::create): + * runtime/InferredTypeTable.cpp: + * runtime/InferredValue.cpp: + * runtime/InspectorInstrumentationObject.cpp: + * runtime/InternalFunction.cpp: + * runtime/IntlCollator.cpp: + * runtime/IntlCollatorConstructor.cpp: + * runtime/IntlCollatorPrototype.cpp: + * runtime/IntlDateTimeFormat.cpp: + * runtime/IntlDateTimeFormatConstructor.cpp: + * runtime/IntlDateTimeFormatPrototype.cpp: + * runtime/IntlNumberFormat.cpp: + * runtime/IntlNumberFormatConstructor.cpp: + * runtime/IntlNumberFormatPrototype.cpp: + * runtime/IntlObject.cpp: + * runtime/IteratorPrototype.cpp: + * runtime/JSAPIValueWrapper.cpp: + * runtime/JSArray.cpp: + * runtime/JSArrayBuffer.cpp: + * runtime/JSArrayBufferConstructor.cpp: + * runtime/JSArrayBufferPrototype.cpp: + * runtime/JSArrayBufferView.cpp: + * runtime/JSAsyncFunction.cpp: + * runtime/JSBoundFunction.cpp: + * runtime/JSCallee.cpp: + * runtime/JSCustomGetterSetterFunction.cpp: + * runtime/JSDataView.cpp: + * runtime/JSDataViewPrototype.cpp: + * runtime/JSEnvironmentRecord.cpp: + 
* runtime/JSFixedArray.cpp:
+ * runtime/JSFunction.cpp:
+ * runtime/JSGeneratorFunction.cpp:
+ * runtime/JSGlobalLexicalEnvironment.cpp:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSInternalPromise.cpp:
+ * runtime/JSInternalPromiseConstructor.cpp:
+ * runtime/JSInternalPromiseDeferred.cpp:
+ * runtime/JSInternalPromisePrototype.cpp:
+ * runtime/JSLexicalEnvironment.cpp:
+ * runtime/JSMap.cpp:
+ * runtime/JSMapIterator.cpp:
+ * runtime/JSModuleEnvironment.cpp:
+ * runtime/JSModuleLoader.cpp:
+ * runtime/JSModuleNamespaceObject.cpp:
+ * runtime/JSModuleRecord.cpp:
+ * runtime/JSNativeStdFunction.cpp:
+ * runtime/JSONObject.cpp:
+ * runtime/JSObject.cpp:
+ * runtime/JSPromise.cpp:
+ * runtime/JSPromiseConstructor.cpp:
+ * runtime/JSPromiseDeferred.cpp:
+ * runtime/JSPromisePrototype.cpp:
+ * runtime/JSPropertyNameEnumerator.cpp:
+ * runtime/JSPropertyNameIterator.cpp:
+ * runtime/JSProxy.cpp:
+ * runtime/JSScriptFetcher.cpp:
+ * runtime/JSSet.cpp:
+ * runtime/JSSetIterator.cpp:
+ * runtime/JSSourceCode.cpp:
+ * runtime/JSString.cpp:
+ * runtime/JSStringIterator.cpp:
+ * runtime/JSSymbolTableObject.cpp:
+ * runtime/JSTemplateRegistryKey.cpp:
+ * runtime/JSTypedArrayConstructors.cpp:
+ * runtime/JSTypedArrayPrototypes.cpp:
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ * runtime/JSTypedArrays.cpp:
+ * runtime/JSWeakMap.cpp:
+ * runtime/JSWeakSet.cpp:
+ * runtime/JSWithScope.cpp:
+ * runtime/MapConstructor.cpp:
+ * runtime/MapIteratorPrototype.cpp:
+ * runtime/MapPrototype.cpp:
+ * runtime/MathObject.cpp:
+ * runtime/ModuleLoaderPrototype.cpp:
+ * runtime/ModuleProgramExecutable.cpp:
+ * runtime/NativeErrorConstructor.cpp:
+ * runtime/NativeExecutable.cpp:
+ * runtime/NativeStdFunctionCell.cpp:
+ * runtime/NullGetterFunction.cpp:
+ * runtime/NullSetterFunction.cpp:
+ * runtime/NumberConstructor.cpp:
+ * runtime/NumberObject.cpp:
+ * runtime/NumberPrototype.cpp:
+ * runtime/ObjectConstructor.cpp:
+ * runtime/ObjectPrototype.cpp:
+ * runtime/ProgramExecutable.cpp:
+ *
runtime/PropertyTable.cpp:
+ * runtime/ProxyConstructor.cpp:
+ * runtime/ProxyObject.cpp:
+ * runtime/ProxyRevoke.cpp:
+ * runtime/ReflectObject.cpp:
+ * runtime/RegExp.cpp:
+ * runtime/RegExpConstructor.cpp:
+ * runtime/RegExpObject.cpp:
+ * runtime/RegExpPrototype.cpp:
+ * runtime/ScopedArguments.cpp:
+ * runtime/ScopedArgumentsTable.cpp:
+ * runtime/ScriptExecutable.cpp:
+ * runtime/SetConstructor.cpp:
+ * runtime/SetIteratorPrototype.cpp:
+ * runtime/SetPrototype.cpp:
+ * runtime/SparseArrayValueMap.cpp:
+ * runtime/StrictEvalActivation.cpp:
+ * runtime/StringConstructor.cpp:
+ * runtime/StringIteratorPrototype.cpp:
+ * runtime/StringObject.cpp:
+ * runtime/StringPrototype.cpp:
+ * runtime/Structure.cpp:
+ * runtime/StructureChain.cpp:
+ * runtime/StructureRareData.cpp:
+ * runtime/Symbol.cpp:
+ * runtime/SymbolConstructor.cpp:
+ * runtime/SymbolObject.cpp:
+ * runtime/SymbolPrototype.cpp:
+ * runtime/SymbolTable.cpp:
+ * runtime/WeakMapConstructor.cpp:
+ * runtime/WeakMapData.cpp:
+ * runtime/WeakMapPrototype.cpp:
+ * runtime/WeakSetConstructor.cpp:
+ * runtime/WeakSetPrototype.cpp:
+ * testRegExp.cpp:
+ * tools/JSDollarVM.cpp:
+ * tools/JSDollarVMPrototype.cpp:
+ * wasm/JSWebAssembly.cpp:
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ * wasm/js/JSWebAssemblyCompileError.cpp:
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ * wasm/js/JSWebAssemblyLinkError.cpp:
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ * wasm/js/JSWebAssemblyModule.cpp:
+ * wasm/js/JSWebAssemblyRuntimeError.cpp:
+ * wasm/js/JSWebAssemblyTable.cpp:
+ * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+ * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
+ * wasm/js/WebAssemblyFunction.cpp:
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ * wasm/js/WebAssemblyInstancePrototype.cpp:
+ * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
+ * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
+ * wasm/js/WebAssemblyMemoryConstructor.cpp:
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ *
wasm/js/WebAssemblyModulePrototype.cpp:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ * wasm/js/WebAssemblyPrototype.cpp:
+ * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
+ * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
+ * wasm/js/WebAssemblyTableConstructor.cpp:
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ * wasm/js/WebAssemblyToJSCallee.cpp:
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+
+2017-05-17 Saam Barati
+
+ We don't do context switches for Wasm->Wasm call indirect
+ https://bugs.webkit.org/show_bug.cgi?id=172188
+
+
+ Reviewed by Keith Miller.
+
+ We did not do a context switch when doing an indirect call.
+ This is clearly wrong, since the thing we're making an indirect
+ call to could be from another instance. This patch fixes this
+ oversight by doing a very simple context switch. I've also opened
+ a bug to make indirect calls fast: https://bugs.webkit.org/show_bug.cgi?id=172197
+ since this patch adds yet another branch to the indirect call path.
+ I've also added tests that either throw or crash before this change.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * wasm/WasmB3IRGenerator.cpp:
+ * wasm/js/JSWebAssemblyTable.h:
+ (JSC::JSWebAssemblyTable::offsetOfJSFunctions):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::visitChildren):
+ (JSC::WebAssemblyFunction::finishCreation): Deleted.
+ * wasm/js/WebAssemblyFunction.h:
+ (JSC::WebAssemblyFunction::instance): Deleted.
+ (JSC::WebAssemblyFunction::offsetOfInstance): Deleted.
+ * wasm/js/WebAssemblyFunctionBase.cpp: Added.
+ (JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase):
+ (JSC::WebAssemblyFunctionBase::visitChildren):
+ (JSC::WebAssemblyFunctionBase::finishCreation):
+ * wasm/js/WebAssemblyFunctionBase.h: Added.
+ (JSC::WebAssemblyFunctionBase::instance):
+ (JSC::WebAssemblyFunctionBase::offsetOfInstance):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ (JSC::WebAssemblyModuleRecord::evaluate):
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::create):
+ (JSC::WebAssemblyWrapperFunction::finishCreation):
+ (JSC::WebAssemblyWrapperFunction::visitChildren):
+ * wasm/js/WebAssemblyWrapperFunction.h:
+
+2017-05-17 Filip Pizlo
+
+ JSC: Incorrect LoadVarargs handling in ArgumentsEliminationPhase::transform
+ https://bugs.webkit.org/show_bug.cgi?id=172208
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+
+2017-05-17 Don Olmstead
+
+ [Win] Support $vm.getpid()
+ https://bugs.webkit.org/show_bug.cgi?id=172248
+
+ Reviewed by Mark Lam.
+
+ * tools/JSDollarVMPrototype.cpp:
+ (JSC::functionGetPID):
+ (JSC::JSDollarVMPrototype::finishCreation):
+
+2017-05-17 Michael Saboff
+
+ [iOS] The Garbage Collector shouldn't rely on the bmalloc scavenger for up to date memory footprint info
+ https://bugs.webkit.org/show_bug.cgi?id=172186
+
+ Reviewed by Geoffrey Garen.
+
+ The calls to bmalloc::api::memoryFootprint() and ::percentAvailableMemoryInUse() now call
+ the OS to get up to date values. In overCriticalMemoryThreshold(), we get the current value every
+ 100th call and use a cached value the rest of the time. When colleciton is done, we start with
+ a new overCriticalMemoryThreshold value for the next cycle.
+
+ The choice of 1 out of 100 calls was validated by using JetStream and verifying that it didn't impact
+ performance and still provides timely memory footprint data. With additional debug logging, I
+ determined that we call overCriticalMemoryThreshold() over 20,000 times/second running JetStream.
+ Other logging showed that there were over 1700 calls to overCriticalMemoryThreshold() on average per
+ GC cycle. Dividing both of these numbers by 100 seems reasonable.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::overCriticalMemoryThreshold):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::shouldDoFullCollection):
+ * heap/Heap.h:
+
+2017-05-17 Saam Barati
+
+ PinnedRegisters should be better modeled in IRC/Briggs
+ https://bugs.webkit.org/show_bug.cgi?id=171955
+
+ Reviewed by Filip Pizlo.
+
+ This patch fixes a bug in Briggs/IRC with respect to pinned registers.
+ Pinned registers were not part of the assignable register file in IRC/Briggs,
+ and this would lead to an asymmetry because they were modeled in the
+ interference graph. The bug is that we use registerCount() to move various
+ Tmps between various lists in the different allocators, and if a Tmp
+ interfered with a pinned register (usually via a Patchpoint's clobbered set),
+ we'd have an interference edge modeled in the degree for that Tmp, but the registerCount()
+ would make us think that this particular Tmp is not assignable. This would
+ lead us to fail to color a colorable graph. Specifically, this happened in
+ our various patchpoint tests that stress the register allocator by forcing
+ the entire register file into arguments for the patchpoint and then doing
+ interesting things with the result, arguments, etc.
+
+ This patch fixes the bug by coming up with an more natural way to model pinned
+ registers. Pinned registers are now part of the register file. However,
+ pinned registers are live at every point in the program (this is a defining
+ property of a pinned register). In practice, this means that the only Tmps
+ that can be assigned to pinned registers are ones that are coalescing
+ candidates. This means the program has some number of defs for a Tmp T like:
+ MoveType pinnedReg, T
+
+ Note, if any other defs for T happen, like:
+ Add32, t1, t2, T
+ T will have an interference edge with pinnedReg, since pinnedReg is live
+ at every point in the program. Modeling pinned registers this way allows
+ IRC/Briggs to have no special casing for them.
It treats it like any other
+ precolored Tmp. This allows us to do coalescing, biased coloring, etc, which
+ could all lead to a Tmp being assigned to a pinned register.
+
+ Interestingly, we used to have special handling for the frame pointer
+ register, which in many ways, acts like a pinned register, since FP is
+ always live, and we wanted it to take place in coalescing. The allocator
+ had a side-table interference graph with FP. Interestingly, we didn't even
+ handle this properly everywhere since we could rely on a patchpoint never
+ claiming to clobber FP (this would be illegal). So the code only handled
+ the pseudo-pinned register properties of FP in various places. This patch
+ drops this special casing and pins FP since all pinned registers can take
+ part in coalescing.
+
+ * b3/B3PatchpointSpecial.h:
+ * b3/B3Procedure.cpp:
+ (JSC::B3::Procedure::mutableGPRs):
+ (JSC::B3::Procedure::mutableFPRs):
+ * b3/B3Procedure.h:
+ * b3/air/AirAllocateRegistersByGraphColoring.cpp:
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::Code::Code):
+ (JSC::B3::Air::Code::pinRegister):
+ (JSC::B3::Air::Code::mutableGPRs):
+ (JSC::B3::Air::Code::mutableFPRs):
+ * b3/air/AirCode.h:
+ (JSC::B3::Air::Code::pinnedRegisters):
+ * b3/air/AirSpecial.h:
+ * b3/air/testair.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
+ (JSC::B3::testSpillDefSmallerThanUse):
+ (JSC::B3::testLateRegister):
+ (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
+ (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
+ (JSC::B3::testMoveConstants):
+
+2017-05-16 Yusuke Suzuki
+
+ [DFG] Constant Folding Phase should convert MakeRope("", String) => Identity(String)
+ https://bugs.webkit.org/show_bug.cgi?id=172115
+
+ Reviewed by Saam Barati.
+
+ In Fixup phase, we attempt to fold MakeRope to Identity (or reduce arguments) by dropping
+ empty strings. However, when we are in Fixup phase, we do not have much information about
+ constant values.
+
+ In ARES-6 Babylon, we find that we can constant-fold MakeRope by using constants figured
+ out by CFA. Without it, Babylon repeatedly produces rope strings. To fix this, we introduce
+ MakeRope handling in constant folding phase.
+
+ It shows 7.5% performance improvement in ARES-6 Babylon steadyState.
+
+ Before:
+
+ firstIteration: 50.02 +- 14.56 ms
+ averageWorstCase: 26.52 +- 4.52 ms
+ steadyState: 8.15 +- 0.23 ms
+
+ After:
+
+ firstIteration: 49.08 +- 12.90 ms
+ averageWorstCase: 25.16 +- 3.82 ms
+ steadyState: 7.58 +- 0.21 ms
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2017-05-16 Yusuke Suzuki
+
+ Unreviewed, add Objective C files to CMake Mac port
+ https://bugs.webkit.org/show_bug.cgi?id=172103
+
+ * shell/PlatformMac.cmake: Added.
+
+2017-05-16 JF Bastien
+
+ WebAssembly: enforce size limits
+ https://bugs.webkit.org/show_bug.cgi?id=165833
+
+
+ Reviewed by Keith Miller.
+
+ Use the same limits as V8.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * wasm/WasmLimits.h: Added.
+ * wasm/WasmModuleParser.cpp:
+ * wasm/WasmParser.h:
+ (JSC::Wasm::Parser::consumeUTF8String):
+
+2017-05-15 Yusuke Suzuki
+
+ [JSC] Build testapi in non Apple ports
+ https://bugs.webkit.org/show_bug.cgi?id=172103
+
+ Reviewed by Filip Pizlo.
+
+ This patch makes JSC testapi buildable in non-Apple ports.
+ We isolate CF related tests in testapi.c. If we do not use
+ CF, we include JavaScript.h instead of JavaScriptCore.h.
+
+ By running the testapi in Linux, we found that contraints
+ test have a bug: If constraint marker runs after WeakRefs
+ are destroyed, it accesses destroyed WeakRef. This patch
+ also fixes it.
+
+ * API/tests/CurrentThisInsideBlockGetterTest.h:
+ * API/tests/CustomGlobalObjectClassTest.c:
+ * API/tests/ExecutionTimeLimitTest.cpp:
+ * API/tests/FunctionOverridesTest.cpp:
+ * API/tests/GlobalContextWithFinalizerTest.cpp:
+ * API/tests/JSObjectGetProxyTargetTest.cpp:
+ * API/tests/MultithreadedMultiVMExecutionTest.cpp:
+ * API/tests/PingPongStackOverflowTest.cpp:
+ * API/tests/TypedArrayCTest.cpp:
+ * API/tests/testapi.c:
+ (assertEqualsAsCharactersPtr):
+ (markingConstraint):
+ (testMarkingConstraintsAndHeapFinalizers):
+ (testCFStrings):
+ (main):
+ * shell/CMakeLists.txt:
+
+2017-05-16 JF Bastien
+
+ WebAssembly: report Memory usage to GC
+ https://bugs.webkit.org/show_bug.cgi?id=170690
+
+
+ Reviewed by Keith Miller.
+
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::grow):
+ (JSC::JSWebAssemblyMemory::finishCreation):
+ (JSC::JSWebAssemblyMemory::visitChildren):
+
+2017-05-16 JF Bastien
+
+ WebAssembly: validate load / store alignment
+ https://bugs.webkit.org/show_bug.cgi?id=168836
+
+
+ Reviewed by Keith Miller.
+
+ * wasm/WasmFunctionParser.h: check the alignment
+ * wasm/generateWasm.py: generate the log2 alignment helper
+ (Wasm):
+ (isSimple):
+ (memoryLog2Alignment):
+ * wasm/generateWasmOpsHeader.py:
+ (memoryLog2AlignmentGenerator):
+ * wasm/wasm.json: fix formatting
+
+2017-05-15 Mark Lam
+
+ Rolling out r214038 and r213697: Crashes when using computed properties with rest destructuring and object spread.
+ https://bugs.webkit.org/show_bug.cgi?id=172147
+
+ Rubber-stamped by Saam Barati.
+
+ I rolled out every thing in those 2 patches except for the change to make
+ CodeBlock::finishCreation() return a bool plus its clients that depend on this.
+ I made this exception because r214931 relies on this change, and this part of
+ the change looks correct.
+
+ * builtins/BuiltinNames.h:
+ * builtins/GlobalOperations.js:
+ (globalPrivate.speciesConstructor):
+ (globalPrivate.copyDataProperties): Deleted.
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::setConstantIdentifierSetRegisters): Deleted.
+ * bytecode/CodeBlock.h:
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::addBitVector):
+ (JSC::UnlinkedCodeBlock::constantRegisters):
+ (JSC::UnlinkedCodeBlock::addSetConstant): Deleted.
+ (JSC::UnlinkedCodeBlock::constantIdentifierSets): Deleted.
+ * bytecompiler/BytecodeGenerator.cpp:
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitBytecode):
+ (JSC::ObjectPatternNode::bindValue):
+ (JSC::ObjectSpreadExpressionNode::emitBytecode): Deleted.
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createProperty):
+ (JSC::ASTBuilder::appendObjectPatternEntry):
+ (JSC::ASTBuilder::createObjectSpreadExpression): Deleted.
+ (JSC::ASTBuilder::appendObjectPatternRestEntry): Deleted.
+ (JSC::ASTBuilder::setContainsObjectRestElement): Deleted.
+ * parser/NodeConstructors.h:
+ (JSC::PropertyNode::PropertyNode):
+ (JSC::SpreadExpressionNode::SpreadExpressionNode):
+ (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode): Deleted.
+ * parser/Nodes.h:
+ (JSC::ObjectPatternNode::appendEntry):
+ (JSC::ObjectSpreadExpressionNode::expression): Deleted.
+ (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
+ * parser/Parser.cpp:
+ (JSC::Parser::parseDestructuringPattern):
+ (JSC::Parser::parseProperty):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::createSpreadExpression):
+ (JSC::SyntaxChecker::createProperty):
+ (JSC::SyntaxChecker::operatorStackPop):
+ (JSC::SyntaxChecker::createObjectSpreadExpression): Deleted.
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation):
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+
+2017-05-15 David Kilzer
+
+ JSEnvironmentRecord::allocationSizeForScopeSize() and offsetOfVariable(ScopeOffset) should used checked arithmetic
+
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSEnvironmentRecord.h:
+ (JSC::JSEnvironmentRecord::offsetOfVariable): Change to return
+ size_t and use checked arithmetic.
+ (JSC::JSEnvironmentRecord::allocationSizeForScopeSize): Change
+ to use checked arithmetic.
+
+2017-05-15 Mark Lam
+
+ WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution().
+ https://bugs.webkit.org/show_bug.cgi?id=171775
+
+
+ Reviewed by Filip Pizlo.
+
+ Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
+ from 25 to 100. From experience, I found that 25 is sometimes not sufficient
+ for our debugging needs.
+
+ Also added VM::throwingThread() to track which thread an exception was thrown in.
+ This may be useful if the client is entering the VM from different threads.
+
+ * runtime/ExceptionScope.cpp:
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/ExceptionScope.h:
+ (JSC::ExceptionScope::exception):
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/Options.h:
+ - Added the unexpectedExceptionStackTraceLimit option.
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ * runtime/VM.h:
+ (JSC::VM::throwingThread):
+ (JSC::VM::clearException):
+
+2017-05-13 David Kilzer
+
+ Unused lambda capture in JSContextGroupAddMarkingConstraint()
+
+
+ Reviewed by Saam Barati.
+
+ Fixes the following warning with newer clang:
+
+ Source/JavaScriptCore/API/JSMarkingConstraintPrivate.cpp:78:11: error: lambda capture 'vm' is not used [-Werror,-Wunused-lambda-capture]
+ [&vm, constraintCallback, userData]
+ ^
+
+ * API/JSMarkingConstraintPrivate.cpp:
+ (JSContextGroupAddMarkingConstraint): Remove unused lambda
+ capture for '&vm'.
+
+2017-05-13 David Kilzer
+
+ [JSC] config.rb fails when checking some clang versions
+
+
+ Reviewed by Mark Lam.
+
+ * offlineasm/config.rb:
+ - Add support for quad-dotted version of Apple clang (800.0.12.1).
+ - Add support for checking open source clang version (5.0.0).
+
+2017-05-13 Commit Queue
+
+ Unreviewed, rolling out r216808.
+ https://bugs.webkit.org/show_bug.cgi?id=172075
+
+ caused lldb to hang when debugging (Requested by smfr on
+ #webkit).
+
+ Reverted changeset:
+
+ "Use Mach exceptions instead of signals where possible"
+ https://bugs.webkit.org/show_bug.cgi?id=171865
+ http://trac.webkit.org/changeset/216808
+
+2017-05-13 Commit Queue
+
+ Unreviewed, rolling out r216801.
+ https://bugs.webkit.org/show_bug.cgi?id=172072
+
+ Many memory corruption crashes on worker threads (Requested by
+ ap on #webkit).
+
+ Reverted changeset:
+
+ "WorkerRunLoop::Task::performTask() should check
+ !scriptController->isTerminatingExecution()."
+ https://bugs.webkit.org/show_bug.cgi?id=171775
+ http://trac.webkit.org/changeset/216801
+
+2017-05-12 Geoffrey Garen
+
+ [JSC] DFG::Node should not have its own allocator
+ https://bugs.webkit.org/show_bug.cgi?id=160098
+
+ Reviewed by Saam Barati.
+
+ I just rebased the patch from .
+
+ I ran Octane and JetStream locally on a MacBook Air and I wasn't able to
+ reproduce a regression. Let's land this again and see what the bots say.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/B3SparseCollection.h:
+ (JSC::B3::SparseCollection::packIndices):
+ * dfg/DFGAllocator.h: Removed.
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::~Graph):
+ (JSC::DFG::Graph::deleteNode):
+ (JSC::DFG::Graph::packNodeIndices):
+ (JSC::DFG::Graph::addNodeToMapByIndex): Deleted.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addNode):
+ (JSC::DFG::Graph::maxNodeCount):
+ (JSC::DFG::Graph::nodeAt):
+ * dfg/DFGLongLivedState.cpp: Removed.
+ * dfg/DFGLongLivedState.h: Removed.
+ * dfg/DFGNode.h:
+ * dfg/DFGNodeAllocator.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThread):
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPlan.h:
+ * dfg/DFGWorklist.cpp:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2017-05-12 Keith Miller
+
+ Use Mach exceptions instead of signals where possible
+ https://bugs.webkit.org/show_bug.cgi?id=171865
+
+ Reviewed by Mark Lam.
+
+ This patch adds some new JSC options. The first is an option that
+ enables or disables web assembly tier up. The second controls
+ whether or not we use mach exceptions (where available).
+
+ * API/tests/ExecutionTimeLimitTest.cpp:
+ (dispatchTermitateCallback):
+ (testExecutionTimeLimit):
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::didAcquireLock):
+ * runtime/Options.cpp:
+ (JSC::overrideDefaults):
+ (JSC::Options::initialize):
+ * runtime/Options.h:
+ * runtime/VMTraps.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
+ (JSC::installSignalHandler):
+ (JSC::VMTraps::SignalSender::send):
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::dump):
+ (JSC::installCrashHandler):
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+ (JSC::Wasm::enableFastMemory):
+ * wasm/WasmMachineThreads.cpp:
+ (JSC::Wasm::resetInstructionCacheOnAllThreads):
+
+2017-05-12 Mark Lam
+
+ WorkerRunLoop::Task::performTask() should check !scriptController->isTerminatingExecution().
+ https://bugs.webkit.org/show_bug.cgi?id=171775
+
+
+ Reviewed by Saam Barati.
+
+ Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
+ from 25 to 100. From experience, I found that 25 is sometimes not sufficient
+ for our debugging needs.
+
+ Also added VM::throwingThread() to track which thread an exception was thrown in.
+ This may be useful if the client is entering the VM from different threads.
+
+ * runtime/ExceptionScope.cpp:
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/ExceptionScope.h:
+ (JSC::ExceptionScope::exception):
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/Options.h:
+ - Added the unexpectedExceptionStackTraceLimit option.
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ * runtime/VM.h:
+ (JSC::VM::throwingThread):
+ (JSC::VM::clearException):
+
+2017-05-12 Daniel Bates
+
+ Cleanup: Make QueueTaskToEventLoopFunctionPtr take JSGlobalObject&
+ https://bugs.webkit.org/show_bug.cgi?id=172021
+
+ Reviewed by Mark Lam.
+
+ Change the function alias for QueueTaskToEventLoopFunctionPtr to take JSGlobalObject&
+ instead of a const JSGlobalObject* as all implementations expect to be passed a non-
+ const, non-null JSGlobalObject object.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::queueMicrotask):
+ * runtime/JSGlobalObject.h:
+ * runtime/VM.cpp:
+ (JSC::VM::queueMicrotask):
+ * runtime/VM.h: Remove JS_EXPORT_PRIVATE annotation from queueMicrotask() as
+ it is only called from JavaScriptCore code.
+
+2017-05-12 Michael Saboff
+
+ [iOS] Use memory footprint to dynamically adjust behavior of allocators
+ https://bugs.webkit.org/show_bug.cgi?id=171944
+
+ Reviewed by Filip Pizlo.
+
+ This change is iOS only.
+
+ Added the ability to react to when memory usage is critical. This is defined as memory
+ usage being above the newly added option criticalGCMemoryThreshold. When we are in this
+ critical state, all collections are Full and we limit the amount of memory we allocate
+ between collections to 1/4th the memory above the critical threshold.
+
+ Changed the calculation of proportionalHeapSize to be based on process memory footprint
+ and not how big the heap is. Also, the values of Options::smallHeapRAMFraction and
+ Options::mediumHeapRAMFraction are overriden so that most of the heap growth is happens
+ using the more agressive Options::smallHeapGrowthFactor.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC::Heap::overCriticalMemoryThreshold):
+ (JSC::Heap::shouldDoFullCollection):
+ (JSC::Heap::collectIfNecessaryOrDefer):
+ * heap/Heap.h:
+ * runtime/Options.cpp:
+ (JSC::overrideDefaults):
+ (JSC::Options::initialize):
+ * runtime/Options.h:
+
+2017-05-11 Saam Barati
+
+ Computing optionalDefArgWidth in CheckSpecial should not consider Scratch roles
+ https://bugs.webkit.org/show_bug.cgi?id=171962
+
+ Reviewed by Filip Pizlo.
+
+ The purpose of getting the result width is to get the width of
+ the result of the arithmetic. It does not care about that the
+ Check happens to define scratches.
+
+ * b3/B3CheckSpecial.cpp:
+ (JSC::B3::CheckSpecial::forEachArg):
+ * b3/testb3.cpp:
+ (JSC::B3::testCheckMul):
+ (JSC::B3::testCheckMulMemory):
+ (JSC::B3::testCheckMul64):
+ (JSC::B3::testCheckMulFold):
+ (JSC::B3::testCheckMulFoldFail):
+ (JSC::B3::testCheckMulArgumentAliasing64):
+ (JSC::B3::testCheckMulArgumentAliasing32):
+ (JSC::B3::testCheckMul64SShr):
+
+2017-05-11 Saam Barati
+
+ isValidForm for SimpleAddr should use ptr() instead of tmp()
+ https://bugs.webkit.org/show_bug.cgi?id=171992
+
+ Reviewed by Filip Pizlo.
+
+ Arg::tmp() asserts that its kind is Tmp. Inst::isValidForm for
+ SimpleAddr was using Arg::tmp() instead of ptr() to check
+ if the address Tmp isGP(). It should be using Arg::ptr() instead
+ of Arg::tmp() since Arg::ptr() is designed for SimpleAddr.
+
+ This patch also fixes an incorrect assertion in the ARM64
+ macro assembler. We were asserting various atomic ops were
+ only over 32/64 bit operations. However, the code was properly handling
+ 8/16/32/64 bit ops. I changed the assertion to reflect what is
+ actually going on.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::ldar):
+ (JSC::ARM64Assembler::ldxr):
+ (JSC::ARM64Assembler::ldaxr):
+ (JSC::ARM64Assembler::stxr):
+ (JSC::ARM64Assembler::stlr):
+ (JSC::ARM64Assembler::stlxr):
+ * b3/air/opcode_generator.rb:
+ * b3/testb3.cpp:
+ (JSC::B3::testLoadAcq42):
+ (JSC::B3::testStoreRelAddLoadAcq32):
+ (JSC::B3::testStoreRelAddLoadAcq8):
+ (JSC::B3::testStoreRelAddFenceLoadAcq8):
+ (JSC::B3::testStoreRelAddLoadAcq16):
+ (JSC::B3::testStoreRelAddLoadAcq64):
+ (JSC::B3::testAtomicWeakCAS):
+ (JSC::B3::testAtomicStrongCAS):
+ (JSC::B3::testAtomicXchg):
+
+2017-05-11 Matt Lewis
+
+ Unreviewed, rolling out r216677.
+
+ Patch caused layout test crashes.
+
+ Reverted changeset:
+
+ "WorkerThread::stop() should call
+ scheduleExecutionTermination() last."
+ https://bugs.webkit.org/show_bug.cgi?id=171775
+ http://trac.webkit.org/changeset/216677
+
+2017-05-11 Don Olmstead
+
+ [CMake] Add HAVE check for regex.h
+ https://bugs.webkit.org/show_bug.cgi?id=171950
+
+ Reviewed by Michael Catanzaro.
+
+ * runtime/ConfigFile.cpp:
+ (JSC::ConfigFile::parse):
+
+2017-05-11 Filip Pizlo
+
+ Callers of JSString::unsafeView() should check exceptions
+ https://bugs.webkit.org/show_bug.cgi?id=171995
+
+ Reviewed by Mark Lam.
+
+ unsafeView() can throw OOME. So, callers of unsafeView() should check for exceptions before trying
+ to access the view.
+
+ Also, I made the functions surrounding unsafeView() take ExecState* not ExecState&, to comply with
+ the rest of JSC.
+
+ * dfg/DFGOperations.cpp:
+ * jsc.cpp:
+ (printInternal):
+ (functionDebug):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncJoin):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructFunctionSkippingEvalEnabledCheck):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorFuncCompare):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncJoin):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncParseFloat):
+ * runtime/JSONObject.cpp:
+ (JSC::JSONProtoFuncParse):
+ * runtime/JSString.cpp:
+ (JSC::JSString::getPrimitiveNumber):
+ (JSC::JSString::toNumber):
+ * runtime/JSString.h:
+ (JSC::JSString::getIndex):
+ (JSC::JSRopeString::unsafeView):
+ (JSC::JSRopeString::viewWithUnderlyingString):
+ (JSC::JSString::unsafeView):
+ (JSC::JSString::viewWithUnderlyingString):
+ * runtime/JSStringJoiner.h:
+ (JSC::JSStringJoiner::appendWithoutSideEffects):
+ (JSC::JSStringJoiner::append):
+ * runtime/ParseInt.h:
+ (JSC::toStringView):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncRepeatCharacter):
+ (JSC::stringProtoFuncCharAt):
+ (JSC::stringProtoFuncCharCodeAt):
+ (JSC::stringProtoFuncIndexOf):
+ (JSC::stringProtoFuncNormalize):
+
+2017-05-11 Filip Pizlo
+
+ Offer SPI to notify clients that GC has happened
+ https://bugs.webkit.org/show_bug.cgi?id=171980
+
+ Reviewed by Geoffrey Garen.
+
+ Sometimes when you're programming with weak references, it's most convenient if the GC tells
+ you when it finishes. This adds exactly such an API. This API is called at the *flip*: the
+ moment when the GC knows for sure which objects are dead and has definitely not allocated any
+ new objects or executed any JS code. The finalization part of the flip, which is where this
+ callback gets called, runs on the "main" thread - i.e. some thread that is attempting to
+ execute JS code and holds the JS lock. This will usually run as a side-effect of some
+ allocation or from the runloop.
+
+ This means, for example, that if you implemented a vector of weak references and registered a
+ callback to prune the vector of null weak references, then aside from the callback, nobody
+ would ever see a null weak reference in the vector.
+
+ * API/JSHeapFinalizerPrivate.cpp: Added.
+ (JSContextGroupAddHeapFinalizer):
+ (JSContextGroupRemoveHeapFinalizer):
+ * API/JSHeapFinalizerPrivate.h: Added.
+ * API/tests/testapi.c:
+ (heapFinalizer):
+ (testMarkingConstraintsAndHeapFinalizers):
+ (main):
+ (testMarkingConstraints): Deleted.
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/Heap.cpp:
+ (JSC::Heap::finalize):
+ (JSC::Heap::addHeapFinalizerCallback):
+ (JSC::Heap::removeHeapFinalizerCallback):
+ * heap/Heap.h:
+ * heap/HeapFinalizerCallback.cpp: Added.
+ (JSC::HeapFinalizerCallback::dump):
+ * heap/HeapFinalizerCallback.h: Added.
+ (JSC::HeapFinalizerCallback::HeapFinalizerCallback):
+ (JSC::HeapFinalizerCallback::operator==):
+ (JSC::HeapFinalizerCallback::operator!=):
+ (JSC::HeapFinalizerCallback::operator bool):
+ (JSC::HeapFinalizerCallback::run):
+
+2017-05-11 Filip Pizlo
+
+ JSWeakCreate/Retain/Release should take a JSContextGroupRef and not a JSContextRef
+ https://bugs.webkit.org/show_bug.cgi?id=171979
+
+ Reviewed by Mark Lam.
+
+ Functions that don't execute arbitrary JS but just need access to the VM should take a
+ JSContextGroupRef, not a JSContextRef.
+
+ * API/JSWeakPrivate.cpp:
+ (JSWeakCreate):
+ (JSWeakRetain):
+ (JSWeakRelease):
+ * API/JSWeakPrivate.h:
+ * API/tests/testapi.c:
+ (testMarkingConstraints):
+
+2017-05-11 Mark Lam
+
+ WorkerThread::stop() should call scheduleExecutionTermination() last.
+ https://bugs.webkit.org/show_bug.cgi?id=171775
+
+
+ Reviewed by Geoffrey Garen.
+
+ Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
+ from 25 to 100. From experience, I found that 25 is sometimes not sufficient
+ for our debugging needs.
+
+ Also added VM::throwingThread() to track which thread an exception was thrown in.
+ This may be useful if the client is entering the VM from different threads.
+
+ * runtime/ExceptionScope.cpp:
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException):
+ * runtime/ExceptionScope.h:
+ (JSC::ExceptionScope::exception):
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ * runtime/VM.h:
+ (JSC::VM::throwingThread):
+ (JSC::VM::clearException):
+
+2017-05-11 JF Bastien
+
+ WebAssembly: stop supporting 0xD
+ https://bugs.webkit.org/show_bug.cgi?id=168788
+
+
+ Reviewed by Saam Barati.
+
+ Only version 1 is supported by other browsers, and there shouldn't
+ be any 0xD binaries in the wild anymore.
+
+ * wasm/WasmModuleParser.cpp:
+
+2017-05-09 Sam Weinig
+
+ Remove support for legacy Notifications
+ https://bugs.webkit.org/show_bug.cgi?id=171487
+
+ Reviewed by Jon Lee.
+
+ * Configurations/FeatureDefines.xcconfig:
+ Remove definition of ENABLE_LEGACY_NOTIFICATIONS.
+
+2017-05-10 Commit Queue
+
+ Unreviewed, rolling out r216635.
+ https://bugs.webkit.org/show_bug.cgi?id=171953
+
+ "Some worker tests are failing". (Requested by mlam on #webkit).
+
+ Reverted changeset:
+
+ "WorkerThread::stop() should call
+ scheduleExecutionTermination() last."
+ https://bugs.webkit.org/show_bug.cgi?id=171775
+ http://trac.webkit.org/changeset/216635
+
+2017-05-10 Mark Lam
+
+ Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
+ https://bugs.webkit.org/show_bug.cgi?id=160337
+
+
+ Not reviewed.
+
+ Updated a comment per Geoff's suggestion.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::tryCopyOtherThreadStack):
+
+2017-05-10 Mark Lam
+
+ WorkerThread::stop() should call scheduleExecutionTermination() last.
+ https://bugs.webkit.org/show_bug.cgi?id=171775
+
+
+ Reviewed by Geoffrey Garen.
+
+ Increased the number of frames captured in VM::nativeStackTraceOfLastThrow()
+ from 25 to 100. From experience, I found that 25 is sometimes not sufficient
+ for our debugging needs.
+
+ Also added VM::throwingThread() to track which thread an exception was thrown in.
+ This may be useful if the client is entering the VM from different threads.
+
+ * runtime/ExceptionScope.cpp:
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ (JSC::ExceptionScope::releaseAssertIsTerminatedExecutionException):
+ * runtime/ExceptionScope.h:
+ (JSC::ExceptionScope::exception):
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ * runtime/VM.h:
+ (JSC::VM::throwingThread):
+ (JSC::VM::clearException):
+
+2017-05-10 Mark Lam
+
+ Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
+ https://bugs.webkit.org/show_bug.cgi?id=160337
+
+
+ Reviewed by Filip Pizlo and Geoffrey Garen.
+
+ This is a workaround for . During thread initialization,
+ for some target platforms, thread state is momentarily set to 0 before being
+ filled in with the target thread's real register values. As a result, there's
+ a race condition that may result in us getting a null stackPointer during a GC scan.
+ This issue may manifest with workqueue threads where the OS may choose to recycle
+ a thread for an expired task.
+
+ The workaround is simply to indicate that there's nothing to copy and return.
+ This is correct because we will only ever observe a null pointer during thread
+ initialization. Hence, by definition, there's nothing there that we need to scan
+ yet, and therefore, nothing that needs to be copied.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::tryCopyOtherThreadStack):
+
+2017-05-10 JF Bastien
+
+ WebAssembly: support name section
+
+ https://bugs.webkit.org/show_bug.cgi?id=171263
+
+ Reviewed by Keith Miller.
+
+ The name section is an optional custom section in the WebAssembly
+ spec. At least when debugging, developers expect to be able to use
+ this section to obtain intelligible stack traces, otherwise we
+ just number the wasm functions which is somewhat painful.
+
+ This patch parses this section, dropping its content eagerly on
+ error, and if there is a name section then backtraces use their
+ value instead of numbers. Otherwise we stick to numbers as before.
+
+ Note that the format of name sections changed in mid-February:
+ https://github.com/WebAssembly/design/pull/984
+ And binaryen was only updated in early March:
+ https://github.com/WebAssembly/binaryen/pull/933
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * interpreter/Interpreter.cpp:
+ (JSC::GetStackTraceFunctor::operator()):
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::readNonInlinedFrame):
+ (JSC::StackVisitor::Frame::functionName):
+ * interpreter/StackVisitor.h:
+ (JSC::StackVisitor::Frame::wasmFunctionIndexOrName):
+ * runtime/StackFrame.cpp:
+ (JSC::StackFrame::functionName):
+ * runtime/StackFrame.h:
+ (JSC::StackFrame::StackFrame):
+ (JSC::StackFrame::wasm):
+ * wasm/WasmBBQPlanInlines.h:
+ (JSC::Wasm::BBQPlan::initializeCallees):
+ * wasm/WasmCallee.cpp:
+ (JSC::Wasm::Callee::Callee):
+ * wasm/WasmCallee.h:
+ (JSC::Wasm::Callee::create):
+ (JSC::Wasm::Callee::indexOrName):
+ * wasm/WasmFormat.cpp:
+ (JSC::Wasm::makeString):
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::isValidExternalKind):
+ (JSC::Wasm::isValidNameType):
+ (JSC::Wasm::NameSection::get):
+ * wasm/WasmIndexOrName.cpp: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
+ (JSC::Wasm::IndexOrName::IndexOrName):
+ (JSC::Wasm::makeString):
+ * wasm/WasmIndexOrName.h: Copied from Source/JavaScriptCore/wasm/WasmFormat.cpp.
+ * wasm/WasmModuleInformation.h:
+ * wasm/WasmModuleParser.cpp:
+ * wasm/WasmName.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
+ * wasm/WasmNameSectionParser.cpp: Added.
+ * wasm/WasmNameSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.cpp.
+ (JSC::Wasm::NameSectionParser::NameSectionParser):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::work):
+ * wasm/WasmParser.h:
+ (JSC::Wasm::Parser::consumeUTF8String):
+
+2017-05-10 Filip Pizlo
+
+ Null pointer dereference in WTF::RefPtr::operator!() under slow_path_get_direct_pname
+ https://bugs.webkit.org/show_bug.cgi?id=171801
+
+ Reviewed by Michael Saboff.
+
+ This was a goofy oversight. The for-in optimization relies on the bytecode generator
+ to detect when the loop's index variable gets mutated. We forgot to have the hooks for
+ detecting this in prefix and postfix operations (++i and i++).
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+
+2017-05-10 Michael Catanzaro
+
+ [GTK] -Wmissing-field-initializers triggered by RemoteInspectorServer.cpp:128
+ https://bugs.webkit.org/show_bug.cgi?id=171273
+
+ Reviewed by Carlos Garcia Campos.
+
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ * inspector/remote/glib/RemoteInspectorServer.cpp:
+
+2017-05-10 Adrian Perez de Castro
+
+ Remove some last remnants of the EFL port
+ https://bugs.webkit.org/show_bug.cgi?id=171922
+
+ Reviewed by Antonio Gomes.
+
+ The EFL port is no more.
+
+ * PlatformEfl.cmake: Removed.
+ * shell/PlatformEfl.cmake: Removed.
+
+2017-05-09 Filip Pizlo
+
+ JSInjectedScriptHost should get a copy of the boundArgs
+ https://bugs.webkit.org/show_bug.cgi?id=171897
+
+ Reviewed by Joseph Pecoraro.
+
+ The boundArgs array is very special - it cannot be mutated in any way. So, it makes sense
+ for the inspector to get a copy of it.
+
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ * runtime/JSBoundFunction.cpp:
+ (JSC::JSBoundFunction::boundArgsCopy):
+ * runtime/JSBoundFunction.h:
+ (JSC::JSBoundFunction::boundArgs):
+
+2017-05-09 Mark Lam
+
+ Unindent some code in Watchdog::shouldTerminate().
+ https://bugs.webkit.org/show_bug.cgi?id=171896
+
+ Rubber stamped by Keith Miller.
+
+ I should have done this before I landed r213107, but I forgot. Unindenting it now.
+
+ * runtime/Watchdog.cpp:
+ (JSC::Watchdog::shouldTerminate):
+
+2017-05-09 Michael Saboff
+
+ Cap the number of FTL compilation threads on iOS to 2
+ https://bugs.webkit.org/show_bug.cgi?id=171887
+
+ Reviewed by Filip Pizlo.
+
+ Set an iOS specific max of 2 threads.
+
+ * runtime/Options.h:
+
+2017-05-09 Filip Pizlo
+
+ Heap::heap() should behave gracefully for null pointers
+ https://bugs.webkit.org/show_bug.cgi?id=171888
+
+
+ Reviewed by Mark Lam.
+
+ Some callers of Heap::heap() can pass a null cell and they will behave gracefully if we
+ return a null Heap. So, let's do that.
+
+ This fixes a crash and it does not hurt performance. I'm seeing a possible 0.5% regression
+ with 74% probability. That's a neutral result by our usual 95% standard.
+
+ * heap/HeapInlines.h:
+ (JSC::Heap::heap):
+
+2017-05-09 Yusuke Suzuki
+
+ Handle IDLPromise<> properly
+ https://bugs.webkit.org/show_bug.cgi?id=166752
+
+ Reviewed by Youenn Fablet.
+
+ Add JSPromise::resolve static function.
+ This applies `Promise.resolve()` conversion to a given value.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::promiseResolveFunction):
+ * runtime/JSPromise.cpp:
+ (JSC::JSPromise::resolve):
+ * runtime/JSPromise.h:
+
+2017-05-09 Zan Dobersek
+
+ Upstream the WPE port
+ https://bugs.webkit.org/show_bug.cgi?id=171110
+
+ Reviewed by Alex Christensen.
+
+ * PlatformWPE.cmake: Added.
+ * shell/PlatformWPE.cmake: Added.
+
+2017-05-09 Saam Barati
+
+ CallLinkInfos belonging to Wasm->JS stubs need to be informed when we clearCode() from all Executables
+ https://bugs.webkit.org/show_bug.cgi?id=171707
+
+
+ Reviewed by Filip Pizlo.
+
+ This patch fixes a bug where a Wasm->JS IC call stub would go stale
+ and point into a CodeBlock no longer owned by any executable. The
+ problematic scenario is this:
+
+ 1. We generate the call IC which has a branch on a callee check. This
+ callee owns the Executable in question. If the branch succeeds, it
+ will call code belonging to a particular CodeBlock associated with
+ that Executable.
+
+ 2. Heap::deleteAllCodeBlocks is called. This leads the Executable to clear
+ its various CodeBlock references.
+
+ 3. Wasm has no idea this happened, so now it has stale ICs that point into
+ code from a CodeBlock no longer belonging to an Executable.
+
+ This patch fixes the bug by informing all JSWebAssemblyCodeBlocks to unlink
+ their CallLinkInfo when Heap::deleteAllCodeBlocks is called.
+
+ We track all JSWebAssemblyCodeBlocks by creating a new subspace for them.
+ This allows us to quickly iterate over the live JSWebAssemblyCodeBlocks in the
+ heap.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/Heap.cpp:
+ (JSC::Heap::deleteAllCodeBlocks):
+ * heap/Subspace.h:
+ * heap/SubspaceInlines.h:
+ (JSC::Subspace::forEachLiveCell):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ (JSC::JSWebAssemblyCodeBlock::clearJSCallICs):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::createStructure): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::functionImportCount): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::module): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::codeBlock): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::allocationSize): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub): Deleted.
+ * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Added.
+ (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
+ (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace):
+ (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
+ (JSC::JSWebAssemblyCodeBlockSubspace::destroy):
+ * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Added.
+
+2017-05-08 Saam Barati
+
+ testWasmBoundsCheck and testCallFunctionWithHellaArguments is broken in testb3
+ https://bugs.webkit.org/show_bug.cgi?id=171392
+
+
+ Reviewed by Keith Miller.
+
+ This patch fixes two bugs. The first one is:
+ Inside testb3, we were using the wrong WasmBoundsCheckValue constructor.
+ Everything compiled OK because of implicit casting in C. I've changed one
+ of the constructors to take arguments in a different order so we don't
+ run into this problem again.
+
+ The second bug was that Air::ShufflePair::inst was assuming that a move
+ from BigImm to its destination is always valid. This is not the case.
+ For example, the store, `Move BigImm, Addr` is not allowed. I refactored
+ the code to be correct by emitting more than one instruction when needeed.
+
+ When testing my changes, I ran ARM64 testb3 both in debug and
+ release. I ran into many pre-existing failures. I've opened
+ a new bug to fix those here: https://bugs.webkit.org/show_bug.cgi?id=171826
+
+ * b3/B3WasmBoundsCheckValue.cpp:
+ (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
+ * b3/B3WasmBoundsCheckValue.h:
+ * b3/air/AirEmitShuffle.cpp:
+ (JSC::B3::Air::ShufflePair::insts):
+ (JSC::B3::Air::ShufflePair::inst): Deleted.
+ * b3/air/AirEmitShuffle.h:
+ * b3/air/AirLowerMacros.cpp:
+ (JSC::B3::Air::lowerMacros):
+ * b3/testb3.cpp:
+ (JSC::B3::testLoadAcq42):
+ (JSC::B3::testStoreRelAddLoadAcq32):
+ (JSC::B3::testStoreRelAddLoadAcq8):
+ (JSC::B3::testStoreRelAddFenceLoadAcq8):
+ (JSC::B3::testStoreRelAddLoadAcq16):
+ (JSC::B3::testStoreRelAddLoadAcq64):
+ (JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
+ (JSC::B3::testCheckMul):
+ (JSC::B3::testCheckMulMemory):
+ (JSC::B3::testCheckMul64):
+ (JSC::B3::testCheckMulFold):
+ (JSC::B3::testCheckMulFoldFail):
+ (JSC::B3::testCheckMulArgumentAliasing64):
+ (JSC::B3::testCheckMulArgumentAliasing32):
+ (JSC::B3::testCheckMul64SShr):
+ (JSC::B3::testCallFunctionWithHellaArguments):
+ (JSC::B3::functionWithHellaArguments2):
+ (JSC::B3::testCallFunctionWithHellaArguments2):
+ (JSC::B3::functionWithHellaArguments3):
+ (JSC::B3::testCallFunctionWithHellaArguments3):
+ (JSC::B3::testSpillDefSmallerThanUse):
+ (JSC::B3::testLateRegister):
+ (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
+ (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
+ (JSC::B3::testMoveConstants):
+ (JSC::B3::testAtomicWeakCAS):
+ (JSC::B3::testAtomicStrongCAS):
+ (JSC::B3::testAtomicXchg):
+ (JSC::B3::testWasmBoundsCheck):
+ (JSC::B3::run):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+
+2017-05-08 Filip Pizlo
+
+ Expose a function to get proxy targets
+ https://bugs.webkit.org/show_bug.cgi?id=171797
+
+
+ Reviewed by Mark Lam.
+
+ This exposes a new private API function, JSObjectGetProxyTarget(), that gets the target of a
+ proxy. It works with both ProxyObject and JSProxy, but it's primarily intended for use with
+ JSProxy.
+
+ * API/JSObjectRef.cpp:
+ (JSObjectGetProxyTarget):
+ * API/JSObjectRefPrivate.h:
+ * API/tests/JSObjectGetProxyTargetTest.cpp: Added.
+ (testJSObjectGetProxyTarget):
+ * API/tests/JSObjectGetProxyTargetTest.h: Added.
+ * API/tests/testapi.c:
+ (main):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/ProxyObject.h:
+ * shell/PlatformWin.cmake:
+
+2017-05-08 Mark Lam
+
+ op_throw_static_error's use of its first operand should be reflected in DFG BytecodeUseDef as well.
+ https://bugs.webkit.org/show_bug.cgi?id=171786
+
+
+ Reviewed by Saam Barati.
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ - Fix BytecodeDumper to dump op_throw_static_error correctly. Previously,
+ it was expecting op1 to always be a constant. r206870 changed it to take a
+ variable string as well.
+
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ - Fix the bug.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ - Move the Phantom of op1 after the ThrowStaticError node, because technically,
+ the ThrowStaticError represents op_throw_static_error, and op_throw_static_error
+ uses op1. In practice, this probably doesn't matter, but let's have the code
+ accurately communicate the behavior we're expecting.
+
+2017-05-08 JF Bastien
+
+ WebAssembly: don't just emit extended offset adds for patch
+ https://bugs.webkit.org/show_bug.cgi?id=171799
+
+ Reviewed by Mark Lam.
+
+ It isn't necessary to restrict.
+
+ * b3/air/AirLowerStackArgs.cpp:
+ (JSC::B3::Air::lowerStackArgs):
+
+2017-05-08 Mark Lam
+
+ Introduce ExceptionScope::assertNoException() and releaseAssertNoException().
+ https://bugs.webkit.org/show_bug.cgi?id=171776
+
+ Reviewed by Keith Miller.
+
+ Instead of ASSERT(!scope.exception()), we can now do scope.assertNoException().
+ Ditto for RELEASE_ASSERT and scope.releaseAssertNoException().
+
+ The advantage of using ExceptionScope::assertNoException() and
+ releaseAssertNoException() is that if the assertion fails, these utility
+ functions will print the stack trace for where the unexpected exception is
+ detected as well as where the unexpected exception was thrown from. This makes
+ it much easier to debug the source of unhandled exceptions.
+
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::pauseIfNeeded):
+ * dfg/DFGOperations.cpp:
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+ (JSC::notifyDebuggerOfUnwinding):
+ (JSC::Interpreter::executeProgram):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::prepareForRepeatCall):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::debug):
+ * interpreter/ShadowChicken.cpp:
+ (JSC::ShadowChicken::functionsOnStack):
+ * jsc.cpp:
+ (GlobalObject::moduleLoaderResolve):
+ (GlobalObject::moduleLoaderFetch):
+ (functionGenerateHeapSnapshot):
+ (functionSamplingProfilerStackTraces):
+ (box):
+ (runWithScripts):
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::finishCreation):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
+ * runtime/Completion.cpp:
+ (JSC::rejectPromise):
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::sanitizedToString):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createError):
+ * runtime/ExceptionScope.cpp:
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/ExceptionScope.h:
+ (JSC::ExceptionScope::assertNoException):
+ (JSC::ExceptionScope::releaseAssertNoException):
+ (JSC::ExceptionScope::unexpectedExceptionMessage):
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::defineOwnProperty):
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::createCollator):
+ (JSC::IntlCollator::resolvedOptions):
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::resolvedOptions):
+ (JSC::IntlDateTimeFormat::format):
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::createNumberFormat):
+ (JSC::IntlNumberFormat::resolvedOptions):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitiveByIndex):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncIncludes):
+ (JSC::genericTypedArrayViewProtoFuncIndexOf):
+ (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncHostPromiseRejectionTracker):
+ * runtime/JSModuleEnvironment.cpp:
+ (JSC::JSModuleEnvironment::getOwnPropertySlot):
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::finishCreation):
+ * runtime/JSModuleNamespaceObject.cpp:
+ (JSC::JSModuleNamespaceObject::finishCreation):
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::toJSON):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::ordinaryToPrimitive):
+ * runtime/JSPropertyNameEnumerator.h:
+ (JSC::propertyNameEnumerator):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetOwnPropertyDescriptors):
+ (JSC::objectConstructorDefineProperty):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncHasOwnProperty):
+ * runtime/ProgramExecutable.cpp:
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ * runtime/ReflectObject.cpp:
+ (JSC::reflectObjectDefineProperty):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::StackFrame::nameFromCallee):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncRepeatCharacter):
+ * runtime/TemplateRegistry.cpp:
+ (JSC::TemplateRegistry::getTemplateObject):
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ * runtime/VM.h:
+ (JSC::VM::nativeStackTraceOfLastThrow):
+ (JSC::VM::clearException):
+ * wasm/WasmB3IRGenerator.cpp:
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::create):
+
+2017-05-06 Bill Ming
+
+ Fix 32bit Windows build by giving correct parameters to MASM
+ https://bugs.webkit.org/show_bug.cgi?id=170833
+
+ Reviewed by Alex Christensen.
+
+ * CMakeLists.txt:
+
+2017-05-06 Oleksandr Skachkov
+
+ [ES6] Arrow function. Issue in access to this after eval('super()') within constructor
+ https://bugs.webkit.org/show_bug.cgi?id=171543
+
+ Reviewed by Saam Barati.
+
+ Current patch force to use 'this' within arrow function or eval
+ from virtual scope each time, instead of using thisRegister.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::ensureThis):
+
+2017-05-05 Keith Miller
+
+ Put does not properly consult the prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=171754
+
+ Reviewed by Saam Barati.
+
+ We should do a follow up that cleans up the rest of put. See:
+ https://bugs.webkit.org/show_bug.cgi?id=171759
+
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitive):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::canPerformFastPutInline):
+
+2017-05-05 JF Bastien
+
+ WebAssembly: Air::Inst::generate crashes on large binary on A64
+ https://bugs.webkit.org/show_bug.cgi?id=170215
+
+ Reviewed by Filip Pizlo.
+
+ ARM can't encode all offsets in a single instruction. We usualy
+ handle this type of detail early, or the macro assembler uses a
+ scratch register to take care of the large immediate. After
+ register allocation we assumed that we would never get large
+ offsets, and asserted this was the case. That was a fine
+ assumption with JavaScript, but WebAssembly ends up generating
+ stack frames which are too big to encode.
+
+ There are two places that needed to be fixed:
+ 1. AirGenerate
+ 2. AirLowerStackArgs
+
+ We now unconditionally pin the dataTempRegister on ARM64, and use
+ it when immediates don't fit.
+
+ Number 1. is easy: we're just incrementing SP, make sure we can
+ use a scratch register when that happens.
+
+ Number 2. is more complex: not all Inst can receive a stack
+ argument whose base register isn't SP or FP. Specifically,
+ Patchpoints and Stackmaps get very sad because they just want to
+ know the offset value, but when we materialize the offset as
+ follows:
+
+ Move (spill337), (spill201), %r0, @8735
+
+ Becomes (where %r16 is dataTempRegister):
+ Move $1404, %r16, @8736
+ Add64 %sp, %r16, @8736
+ Move (%r16), 2032(%sp), %r0, @8736
+
+ The code currently doesn't see through our little dance. To work
+ around this issue we introduce a new Air Arg kind:
+ ExtendedOffsetAddr. This is the same as a regular Addr, but with
+ an offset which may be too big to encode. Opcodes then declare
+ whether their arguments can handle such inputs, and if so we
+ generate them, otherwise we generate Addr as shown above.
+
+ None of this affects x86 because it can always encode large
+ immediates.
+
+ This patch also drive-by converts some uses of `override` to
+ `final`. It makes the code easier to grok, and maybe helps the
+ optimizer sometimes but really that doens't matter.
+
+ * assembler/MacroAssembler.h:
+ * assembler/MacroAssemblerARM64.h:
+ * b3/B3CheckSpecial.cpp:
+ (JSC::B3::CheckSpecial::admitsExtendedOffsetAddr):
+ * b3/B3CheckSpecial.h:
+ * b3/B3Common.cpp:
+ (JSC::B3::pinnedExtendedOffsetAddrRegister): keep the CPU-specific
+ pinning information in a cpp file
+ * b3/B3Common.h:
+ * b3/B3PatchpointSpecial.cpp:
+ (JSC::B3::PatchpointSpecial::admitsExtendedOffsetAddr):
+ * b3/B3PatchpointSpecial.h:
+ * b3/B3StackmapSpecial.cpp:
+ (JSC::B3::StackmapSpecial::isArgValidForRep):
+ (JSC::B3::StackmapSpecial::repForArg):
+ * b3/B3StackmapSpecial.h:
+ * b3/air/AirArg.cpp:
+ (JSC::B3::Air::Arg::isStackMemory):
+ (JSC::B3::Air::Arg::jsHash):
+ (JSC::B3::Air::Arg::dump):
+ (WTF::printInternal):
+ (JSC::B3::Air::Arg::stackAddrImpl): Deleted. There was only one
+ use of this (in AirLowerStackArgs) and it was now confusing to
+ split the logic up between these two. Inline the code that used to
+ be here into its one usepoint instead.
+ * b3/air/AirArg.h:
+ (JSC::B3::Air::Arg::extendedOffsetAddr):
+ (JSC::B3::Air::Arg::isExtendedOffsetAddr):
+ (JSC::B3::Air::Arg::isMemory):
+ (JSC::B3::Air::Arg::base):
+ (JSC::B3::Air::Arg::offset):
+ (JSC::B3::Air::Arg::isGP):
+ (JSC::B3::Air::Arg::isFP):
+ (JSC::B3::Air::Arg::isValidForm):
+ (JSC::B3::Air::Arg::forEachTmpFast):
+ (JSC::B3::Air::Arg::forEachTmp):
+ (JSC::B3::Air::Arg::asAddress):
+ (JSC::B3::Air::Arg::stackAddr): Deleted.
+ * b3/air/AirCCallSpecial.cpp:
+ (JSC::B3::Air::CCallSpecial::isValid):
+ (JSC::B3::Air::CCallSpecial::admitsExtendedOffsetAddr):
+ (JSC::B3::Air::CCallSpecial::generate):
+ * b3/air/AirCCallSpecial.h:
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::Code::Code):
+ (JSC::B3::Air::Code::pinRegister): Check that the register wasn't
+ pinned before pinning it. It's likely a bug to pin the same
+ register twice.
+ * b3/air/AirCustom.h:
+ (JSC::B3::Air::PatchCustom::admitsExtendedOffsetAddr):
+ (JSC::B3::Air::CCallCustom::admitsExtendedOffsetAddr):
+ (JSC::B3::Air::ShuffleCustom::admitsExtendedOffsetAddr):
+ (JSC::B3::Air::EntrySwitchCustom::admitsExtendedOffsetAddr):
+ (JSC::B3::Air::WasmBoundsCheckCustom::admitsExtendedOffsetAddr):
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::generate):
+ * b3/air/AirInst.h:
+ * b3/air/AirInstInlines.h:
+ (JSC::B3::Air::Inst::admitsExtendedOffsetAddr):
+ * b3/air/AirLowerStackArgs.cpp:
+ (JSC::B3::Air::lowerStackArgs):
+ * b3/air/AirPrintSpecial.cpp:
+ (JSC::B3::Air::PrintSpecial::admitsExtendedOffsetAddr):
+ (JSC::B3::Air::PrintSpecial::generate):
+ * b3/air/AirPrintSpecial.h:
+ * b3/air/AirSpecial.h:
+ * b3/air/opcode_generator.rb:
+
+2017-05-05 Oliver Hunt
+
+ Move trivial String prototype functions to JS builtins
+ https://bugs.webkit.org/show_bug.cgi?id=171737
+
+ Reviewed by Saam Barati.
+
+ Super simple change to migrate all of the old school
+ html-ifying string operations to builtin JS.
+
+ Core implementation is basically a 1-for-1 match to the spec.
+
+ * builtins/StringPrototype.js:
+ (globalPrivate.createHTML):
+ (anchor):
+ (big):
+ (blink):
+ (bold):
+ (fixed):
+ (fontcolor):
+ (fontsize):
+ (italics):
+ (link):
+ (small):
+ (strike):
+ (sub):
+ (sup):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+ (JSC::stringProtoFuncBig): Deleted.
+ (JSC::stringProtoFuncSmall): Deleted.
+ (JSC::stringProtoFuncBlink): Deleted.
+ (JSC::stringProtoFuncBold): Deleted.
+ (JSC::stringProtoFuncFixed): Deleted.
+ (JSC::stringProtoFuncItalics): Deleted.
+ (JSC::stringProtoFuncStrike): Deleted.
+ (JSC::stringProtoFuncSub): Deleted.
+ (JSC::stringProtoFuncSup): Deleted.
+ (JSC::stringProtoFuncFontcolor): Deleted.
+ (JSC::stringProtoFuncFontsize): Deleted.
+ (JSC::stringProtoFuncAnchor): Deleted.
+ (JSC::stringProtoFuncLink): Deleted.
+
+2017-05-05 Don Olmstead
+
+ [JSC] Remove export from Intrinsic
+ https://bugs.webkit.org/show_bug.cgi?id=171752
+
+ Reviewed by Alexey Proskuryakov.
+
+ * runtime/Intrinsic.h:
+
+2017-05-05 Saam Barati
+
+ putDirectIndex does not properly do defineOwnProperty
+ https://bugs.webkit.org/show_bug.cgi?id=171591
+
+
+ Reviewed by Geoffrey Garen.
+
+ This patch fixes putDirectIndex and its JIT implementations to be
+ compatible with the ES6 spec. I think our code became out of date
+ when we implemented ArraySpeciesCreate since ArraySpeciesCreate may
+ return arbitrary objects. We perform putDirectIndex on that arbitrary
+ object. The behavior we want is as if we performed defineProperty({configurable:true, enumerable:true, writable:true}).
+ However, we weren't doing this. putDirectIndex assumed it could just splat
+ data into any descendent of JSObject's butterfly. For example, this means
+ we'd just splat into the butterfly of a typed array, even though a typed
+ array doesn't use its butterfly to store its indexed properties in the usual
+ way. Also, typed array properties are non-configurable, so this operation
+ should throw. This also means if we saw a ProxyObject, we'd just splat
+ into its butterfly, but this is obviously wrong because ProxyObject should
+ intercept the defineProperty operation.
+
+ This patch fixes this issue by adding a whitelist of cell types that can
+ go down putDirectIndex's fast path. Anything not in that whitelist will
+ simply call into defineOwnProperty.
+
+ * bytecode/ByValInfo.h:
+ (JSC::jitArrayModePermitsPutDirect):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine):
+ * jit/JITOperations.cpp:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSplice):
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::createStructure):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::defineOwnProperty):
+ * runtime/JSObject.cpp:
+ (JSC::canDoFastPutDirectIndex):
+ (JSC::JSObject::defineOwnIndexedProperty):
+ (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexBeyondVectorLength): Deleted.
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirectIndex):
+ (JSC::JSObject::canSetIndexQuicklyForPutDirect): Deleted.
+ * runtime/JSType.h:
+
+2017-05-05 Guillaume Emont
+
+ [JSC] include JSCInlines.h in ObjectInitializationScope.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=171744
+
+ Reviewed by Mark Lam.
+
+ * runtime/ObjectInitializationScope.cpp:
+
+
+2017-05-05 Carlos Garcia Campos
+
+ [GTK] Assertion failure in Inspector::RemoteInspector::setRemoteInspectorClient when disposing WebKitWebContext
+ https://bugs.webkit.org/show_bug.cgi?id=171644
+
+ Reviewed by Michael Catanzaro.
+
+ Fix ASSERT that requires given client to be a valid pointer, since it's valid to pass nullptr to unset the
+ client. The ASSERT now ensures that client is set or unset. I also renamed the function to setClient because
+ setRemoteInspectorClient is redundant for a class named RemoteInspector. And added a getter too, to check if the
+ remote inspector has a client.
+
+ * inspector/remote/RemoteInspector.cpp:
+ (Inspector::RemoteInspector::setClient):
+ * inspector/remote/RemoteInspector.h:
+
+2017-05-04 Commit Queue
+
+ Unreviewed, rolling out r216206.
+ https://bugs.webkit.org/show_bug.cgi?id=171714
+
+ Multiple LayoutTests crashing in Document::page() (Requested
+ by ap on #webkit).
+
+ Reverted changeset:
+
+ "Remove support for legacy Notifications"
+ https://bugs.webkit.org/show_bug.cgi?id=171487
+ http://trac.webkit.org/changeset/216206
+
+2017-05-04 Don Olmstead
+
+ [Win] Remove redundant macros that are set in the CMake config
+ https://bugs.webkit.org/show_bug.cgi?id=171571
+
+ Reviewed by Brent Fulgham.
+
+ * config.h:
+
+2017-05-04 Mark Lam
+
+ Gardening: Build fix for Windows after r216217.
+ https://bugs.webkit.org/show_bug.cgi?id=171586
+
+ Not reviewed.
+
+ * shell/PlatformWin.cmake:
+
+2017-05-04 Filip Pizlo
+
+ JSC::Heap should expose a richer API for requesting GCs
+ https://bugs.webkit.org/show_bug.cgi?id=171690
+
+ Reviewed by Geoffrey Garen.
+
+ I want to stop WebCore from requesting synchronous GCs. But various parts of that work
+ may cause regressions, so I'd like to land it separately from the functionality that is
+ needed on the JSC side. This change is mostly a JSC-side refactoring that does not
+ change behavior. In the future I'll land the behavior changes (i.e. not requesting sync
+ GCs).
+
+ This change allows you to enumerate over synchronousness, so that we can make all APIs
+ take synchronousness as an argument. It replaces the collectAllGarbage API with a
+ collectNow(Synchronousness, GCRequest) API. GCRequest is a new concept, which subsumes
+ std::optional and gives us the ability to register callbacks along
+ with a GC. So, you can ask for an async GC and get a callback when it's done.
+
+ Also adds ability to request that fastMalloc memory be released after the incremental
+ sweeper finishes.
+ + * API/JSBase.cpp: + (JSSynchronousGarbageCollectForDebugging): + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/FullGCActivityCallback.cpp: + (JSC::FullGCActivityCallback::doCollection): + * heap/FullGCActivityCallback.h: + * heap/GCRequest.cpp: Added. + (JSC::GCRequest::subsumedBy): + (JSC::GCRequest::dump): + * heap/GCRequest.h: Added. + (JSC::GCRequest::GCRequest): + * heap/Heap.cpp: + (JSC::Heap::collect): + (JSC::Heap::collectNow): + (JSC::Heap::collectAsync): + (JSC::Heap::collectSync): + (JSC::Heap::runBeginPhase): + (JSC::Heap::runEndPhase): + (JSC::Heap::requestCollection): + (JSC::Heap::willStartCollection): + (JSC::Heap::sweeper): + (JSC::Heap::collectNowFullIfNotDoneRecently): + (JSC::Heap::shouldDoFullCollection): + (JSC::Heap::collectAllGarbage): Deleted. + (JSC::Heap::collectAllGarbageIfNotDoneRecently): Deleted. + * heap/Heap.h: + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::buildSnapshot): + * heap/IncrementalSweeper.cpp: + (JSC::IncrementalSweeper::doSweep): + * heap/IncrementalSweeper.h: + (JSC::IncrementalSweeper::freeFastMallocMemoryAfterSweeping): + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::doTestCollectionsIfNeeded): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::sweep): + * heap/Synchronousness.cpp: Added. + (WTF::printInternal): + * heap/Synchronousness.h: Added. + * inspector/agents/InspectorHeapAgent.cpp: + (Inspector::InspectorHeapAgent::gc): + * jsc.cpp: + (functionGCAndSweep): + (runJSC): + * tools/JSDollarVMPrototype.cpp: + (JSC::JSDollarVMPrototype::gc): + * wasm/WasmMemory.cpp: + +2017-05-04 Mark Lam + + NeverDestroyed(ASCIILiteral(...)) is not thread safe. + https://bugs.webkit.org/show_bug.cgi?id=171586 + + + Reviewed by Yusuke Suzuki. + + JavaScriptCore allows multiple VMs to be instantiated, and each of these should + be able to run concurrently on different threads. 
There is code in the VM that + allocates NeverDestroyed(ASCIILiteral(...)) to defined immortal strings + meant to be shared by all VMs. + + However, NeverDestroyed(ASCIILiteral(...)) is not thread-safe because + each thread will ref and deref the underlying StringImpl. Since this ref and + deref is not done in a thread-safe way, the NeverDestroyed may get + destroyed due to the ref/deref races. Additionally, each thread may modify the + StringImpl by setting its hash and also twiddling its flags. + + The fix is to use the StaticStringImpl class which is safe for ref/derefing + concurrently from different threads. StaticStringImpl is also pre-set with a + hash on construction, and its flags are set in such a way as to prevent twiddling + at runtime. Hence, we will be able to share a NeverDestroyed between + VMs, as long as it is backed by a StaticStringImpl. + + An alternative solution would be to change all the uses of NeverDestroyed + to use per-VM strings. However, this solution is cumbersome, and makes it harder + to allocate the intended shared string. It also uses more memory and takes more + CPU time because it requires allocating the same string for each VM instance. + The StaticStringImpl solution wins out because it is more efficient and is easier + to use. + + The StaticStringImpl solution also can be used in WTF without a layer violation. + See Source/WTF/wtf/text/icu/TextBreakIteratorICU.h for an example. + + Also added the MultithreadedMultiVMExecutionTest which runs multiple VMs in + multiple threads, all banging on the BuiltinExecutable's baseConstructorCode + NeverDestroyed. The test will manifest the issue reliably (before this + fix) if run on an ASAN build. + + * API/tests/MultithreadedMultiVMExecutionTest.cpp: Added. + (threadsList): + (startMultithreadedMultiVMExecutionTest): + (finalizeMultithreadedMultiVMExecutionTest): + * API/tests/MultithreadedMultiVMExecutionTest.h: Added. 
+ * API/tests/testapi.c: + (main): + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createDefaultConstructor): + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::objectGroupForBreakpointAction): + * replay/scripts/CodeGeneratorReplayInputsTemplates.py: + * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + (JSC::InputTraits::type): + * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + (JSC::InputTraits::type): + * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + (JSC::InputTraits::type): + * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: + (JSC::InputTraits::type): + (JSC::InputTraits::type): + * runtime/IntlObject.cpp: + (JSC::numberingSystemsForLocale): + +2017-05-04 Sam Weinig + + Remove support for legacy Notifications + https://bugs.webkit.org/show_bug.cgi?id=171487 + + Reviewed by Jon Lee. + + * Configurations/FeatureDefines.xcconfig: + Remove definition of ENABLE_LEGACY_NOTIFICATIONS. + +2017-05-04 Konstantin Tokarev + + Fix compilation with ICU 59.1 + https://bugs.webkit.org/show_bug.cgi?id=171612 + + Reviewed by Mark Lam. + + ICU 59.1 has broken source compatibility. 
Now it defines UChar as + char16_t, which does not allow automatic type conversion from unsigned + short in C++ code. + + * API/JSStringRef.cpp: + (JSStringCreateWithCharacters): + (JSStringCreateWithCharactersNoCopy): + (JSStringGetCharactersPtr): + * runtime/DateConversion.cpp: + (JSC::formatDateTime): + +2017-05-04 Saam Barati + + stress/call-apply-exponential-bytecode-size.js.no-llint failing on 32-bit debug for OOM on executable memory + https://bugs.webkit.org/show_bug.cgi?id=171008 + + Reviewed by Yusuke Suzuki. + + This patch lowers the threshold for .call/.apply recursion + in an attempt to emit less code and not impact perf. + We're currently failing tests on x86-32 by running out + of executable memory. If perf gets impacted because of this, + then I'll apply a stricter change just to 32-bit platforms. + However, if this doesn't negatively impact perf, it's all around + better than all platforms emit less bytecode. + + * bytecompiler/NodesCodegen.cpp: + +2017-05-04 Yusuke Suzuki + + [JSC] Math unary functions should be handled by DFG + https://bugs.webkit.org/show_bug.cgi?id=171269 + + Reviewed by Saam Barati. + + ArithSin, ArithCos, and ArithLog are just calling a C runtime function. + While handling them in DFG is not very effective for performance, they + can drop some type checks & value conversions and mark them as pure + operations. It is effective if they are involved in some complex + optimization phase. Actually, ArithLog is effective in kraken. + + While a few of Math functions have DFG nodes, basically math functions + are pure. And large part of these functions are just calling a C runtime + function. This patch generalizes these nodes in DFG as ArithUnary. And + we annotate many unary math functions with Intrinsics and convert them + to ArithUnary in DFG. It also cleans up duplicate code in ArithSin, + ArithCos, and ArithLog. 
If your math function has some good DFG / FTL + optimization rather than calling a C runtime function, you should add + a specialized DFG node, like ArithSqrt. + + We also create a new namespace JSC::Math. Inside it, we collect math functions. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArithMode.cpp: + (JSC::DFG::arithUnaryFunction): + (JSC::DFG::arithUnaryOperation): + (WTF::printInternal): + * dfg/DFGArithMode.h: + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasArithUnaryType): + (JSC::DFG::Node::arithUnaryType): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithUnary): + (JSC::DFG::SpeculativeJIT::compileArithCos): Deleted. + (JSC::DFG::SpeculativeJIT::compileArithTan): Deleted. + (JSC::DFG::SpeculativeJIT::compileArithSin): Deleted. + (JSC::DFG::SpeculativeJIT::compileArithLog): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileArithUnary): + (JSC::FTL::DFG::LowerDFGToB3::compileArithSin): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::compileArithCos): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::compileArithTan): Deleted. 
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithLog): Deleted. + * ftl/FTLOutput.cpp: + (JSC::FTL::Output::doubleUnary): + (JSC::FTL::Output::doubleSin): Deleted. + (JSC::FTL::Output::doubleCos): Deleted. + (JSC::FTL::Output::doubleTan): Deleted. + (JSC::FTL::Output::doubleLog): Deleted. + * ftl/FTLOutput.h: + * runtime/Intrinsic.h: + * runtime/MathCommon.cpp: + (JSC::Math::log1p): + * runtime/MathCommon.h: + * runtime/MathObject.cpp: + (JSC::MathObject::finishCreation): + (JSC::mathProtoFuncACos): + (JSC::mathProtoFuncASin): + (JSC::mathProtoFuncATan): + (JSC::mathProtoFuncCos): + (JSC::mathProtoFuncExp): + (JSC::mathProtoFuncLog): + (JSC::mathProtoFuncSin): + (JSC::mathProtoFuncTan): + (JSC::mathProtoFuncACosh): + (JSC::mathProtoFuncASinh): + (JSC::mathProtoFuncATanh): + (JSC::mathProtoFuncCbrt): + (JSC::mathProtoFuncCosh): + (JSC::mathProtoFuncExpm1): + (JSC::mathProtoFuncLog1p): + (JSC::mathProtoFuncLog10): + (JSC::mathProtoFuncLog2): + (JSC::mathProtoFuncSinh): + (JSC::mathProtoFuncTanh): + +2017-05-03 Saam Barati + + How we build polymorphic cases is wrong when making a call from Wasm + https://bugs.webkit.org/show_bug.cgi?id=171527 + + Reviewed by JF Bastien. + + This patches fixes a bug when we emit a polymorphic call IC from + Wasm. We were incorrectly assuming that if we made a call *from wasm*, + then the thing we are *calling to* does not have a CodeBlock. This + is obviously wrong. This patch fixes the incorrect assumption. + + This patch also does two more things: + 1. Add a new option that makes us make calls to JS using a + slow path instead of using a call IC. + 2. Fixes a potential GC bug where we didn't populate JSWebAssemblyCodeBlock's + JSWebAssemblyModule pointer. 
+ + * jit/Repatch.cpp: + (JSC::linkPolymorphicCall): + * runtime/Options.h: + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToJs): + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::create): + (JSC::JSWebAssemblyCodeBlock::finishCreation): + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finalizeCreation): + +2017-05-03 Keith Miller + + Array.prototype.sort should also allow a null comparator + https://bugs.webkit.org/show_bug.cgi?id=171621 + + + Reviewed by Michael Saboff. + + It looks like sort not accepting a null comparator + causes some pages to stop working. Those pages work in + Chrome/Firefox so we should try to match them. + + * builtins/ArrayPrototype.js: + (sort): + +2017-05-03 Mark Lam + + Use the CLoop for CPU(ARM64E). + https://bugs.webkit.org/show_bug.cgi?id=171620 + + + Reviewed by Geoffrey Garen. + + * llint/LLIntOfflineAsmConfig.h: + * tools/SigillCrashAnalyzer.cpp: + (JSC::SigillCrashAnalyzer::dumpCodeBlock): + +2017-05-03 Keith Miller + + Different behaviour with the .sort(callback) method (unlike Firefox & Chrome) + https://bugs.webkit.org/show_bug.cgi?id=47825 + + Reviewed by Saam Barati. + + This patch makes our sort function match the behavior of Firefox + and Chrome when the result of the comparison function is a + boolean. When we first switched to using merge sort, it regressed + JQuery sorting of DOM nodes by 30%. The regression was do to the + fact that JQuery was using compareDocumentPosition to compare the + locations of objects. Since one of the benchmarks would pass a + reverse sorted list to the sort function we would end up walking + the entire DOM to do comparisons. The solution to this was to + merge based on comparison(right, left) rather than + comparison(left, right). Although, in practice this does nothing + since sort could just as easily receive an already sorted list and + we're back in the same spot. 
+ + The downside of sorting with comparison(right, left) is that to + maintain stability when sorting, you only want to merge from right + when the comparison function returns a negative value. This is + where the problem with booleans comes in. Since booleans toNumber + false to 0 and true to 1 both values are "equal". This patch fixes + this by special casing boolean return values. + + + * builtins/ArrayPrototype.js: + (sort.merge): + +2017-05-03 Andy VanWagoner + + [INTL] Support dashed values in unicode locale extensions + https://bugs.webkit.org/show_bug.cgi?id=171480 + + Reviewed by JF Bastien. + + Implements the UnicodeExtensionSubtags operation and updates the ResolveLocale operation to use it. + This fixes locale extensions with values that include '-'. The following calendars work now: + ethiopic-amete-alem + islamic-umalqura + islamic-tbla + islamic-civil + islamic-rgsa + + While updating IntlObject, the comments containing spec text were replaced with a single url at the + top of each function pointing to the relevant part of ECMA-402. + + * runtime/IntlObject.cpp: + (JSC::unicodeExtensionSubTags): Added. + (JSC::resolveLocale): Updated to latest standard. + +2017-05-02 Don Olmstead + + Build fix after r216078 + https://bugs.webkit.org/show_bug.cgi?id=171554 + + Reviewed by Saam Barati. + + * API/tests/testapi.c: + +2017-05-02 Filip Pizlo + + Unreviewed, fix pedantic C compilers. + + * API/tests/testapi.c: + (markingConstraint): + (testMarkingConstraints): + +2017-05-02 Filip Pizlo + + Unreviewed, fix cmake build. + + * CMakeLists.txt: + +2017-05-02 Filip Pizlo + + JSC C API should expose GC marking constraints and weak references + https://bugs.webkit.org/show_bug.cgi?id=171554 + + Reviewed by Geoffrey Garen. + + This exposes an API that lets you participate in the GC's fixpoint. You can ask the GC + what is marked and you can tell the GC to mark things. 
The constraint callback cannot + do a whole lot, but it can query marking state and it can dereference weak references. + + Additionally, this exposes a very simple weak reference API in C. + + * API/JSMarkingConstraintPrivate.cpp: Added. + (JSC::isMarked): + (JSC::mark): + (JSContextGroupRegisterMarkingConstraint): + * API/JSMarkingConstraintPrivate.h: Added. + * API/JSWeakPrivate.cpp: Added. + (OpaqueJSWeak::OpaqueJSWeak): + (JSWeakCreate): + (JSWeakRetain): + (JSWeakRelease): + (JSWeakGetObject): + * API/JSWeakPrivate.h: Added. + * API/tests/testapi.c: + (markingConstraint): + (testMarkingConstraints): + (main): + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/SlotVisitor.h: + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::appendHiddenUnbarriered): + (JSC::SlotVisitor::appendHidden): + +2017-05-02 Mark Lam + + JSFixedArray::allocationSize() should not allow for allocation failure. + https://bugs.webkit.org/show_bug.cgi?id=171516 + + Reviewed by Geoffrey Garen. + + Since JSFixedArray::createFromArray() now handles allocation failures by throwing + OutOfMemoryErrors, its helper function allocationSize() (which computes the buffer + size to allocate) should also allow for allocation failure on overflow. + + This issue is covered by the stress/js-fixed-array-out-of-memory.js test when + run on 32-bit builds. + + * runtime/JSFixedArray.h: + (JSC::JSFixedArray::tryCreate): + (JSC::JSFixedArray::allocationSize): + +2017-05-01 Zan Dobersek + + [aarch64][Linux] m_allowScratchRegister assert hit in MacroAssemblerARM64 under B3::Air::CCallSpecial::generate() + https://bugs.webkit.org/show_bug.cgi?id=170672 + + Reviewed by Filip Pizlo. + + In Air::CCallSpecial::admitsStack() we reject admitting the callee argument on + the stack for ARM64 because that can lead to disallowed usage of the scratch + register in MacroAssemblerARM64 when generating a call with an address Arg + in Air::CCallSpecial::generate(). 
+ + The testLinearScanWithCalleeOnStack test is added to testb3. It reproduces the + original issue by force-spilling everything on the stack and enforcing the use + of the linear scan register allocation by using an optimization level of 1. + + * b3/air/AirCCallSpecial.cpp: + (JSC::B3::Air::CCallSpecial::admitsStack): + * b3/testb3.cpp: + (JSC::B3::testLinearScanWithCalleeOnStack): + (JSC::B3::run): + +2017-05-01 David Kilzer + + Stop using sprintf() in JavaScriptCore debugger + + + Reviewed by Keith Miller. + + * disassembler/udis86/udis86.c: + (ud_insn_hex): Switch from sprintf() to snprintf(). + +2017-04-21 Filip Pizlo + + Air::fixObviousSpills should remove totally redundant instructions + https://bugs.webkit.org/show_bug.cgi?id=171131 + + Reviewed by Saam Barati. + + This is a modest compile-time-neutral improvement to fixObviousSpills. That phase + builds up a classic alias analysis data structure over spills and registers and then + uses it to remove the most common spill pathologies we encounter. For example, if you + use a spill but the spill is aliased to a register or constant, then we can replace the + use of the spill with a use of the register or constant. + + But that phase was missing perhaps one of the most obvious fixups that its analysis + allows us to do: if any instruction creates an alias we already know about, then the + instruction is redundant. This turned out to be super important for + https://bugs.webkit.org/show_bug.cgi?id=171075. That patch didn't work out, but this + kind of optimization might be a good clean-up for many other kinds of optimizations. + + * b3/air/AirFixObviousSpills.cpp: + +2017-04-30 Oleksandr Skachkov + + We initialize functions too early in an eval + https://bugs.webkit.org/show_bug.cgi?id=161099 + + Reviewed by Saam Barati. + + Current patch allow to fix problem with scope in function that is + declared within eval. 
Before scope was set inside Interpretator.cpp and it + was scope where eval is executed, but in this case function would not + see let/const variables and classes declated in eval. + This patch devide declaration and binding in two operation, first just declare + variable with function name, and second bind variable to function with correct + scope + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::BytecodeGenerator): + * bytecompiler/BytecodeGenerator.h: + * interpreter/Interpreter.cpp: + (JSC::Interpreter::execute): + +2017-04-30 Oleksandr Skachkov + + [ES6]. Implement Annex B.3.3 function hoisting rules for eval + https://bugs.webkit.org/show_bug.cgi?id=163208 + + Reviewed by Saam Barati. + + Current patch implements Annex B.3.3 that is related to + hoisting of function declaration in eval. + https://tc39.github.io/ecma262/#sec-web-compat-evaldeclarationinstantiation + Function declaration in eval should create variable with + function name in function scope where eval is invoked + or bind to variable if it declared outside of the eval. + If variable is created it can be removed by 'delete a;' command. + If eval is invoke in block scope that contains let/const + variable with the same name as function declaration + we do not bind. 
This patch leads to the following behavior: + ''' + function foo() { + { + print(boo); // undefined + eval('{ function boo() {}}'); + print(boo); // function boo() {} + } + print(boo); // function boo() {} + } + + function foobar() { + { + let boo = 10; + print(boo); // 10; + eval('{ function boo() {}}'); + print(boo); // 10; + } + print(boo) // 10 + } + + function bar() { + { + var boo = 10; + print(boo); // 10 + eval('{ function boo() {} }'); + print(boo); // function boo() {} + } + print(boo); // function boo() {} + } + + function bas() { + { + let boo = 10; + eval(' { function boo() {} } '); + print(boo); // 10 + } + print(boo); //Reference Error + } + ''' + + Current implementation relies on already implemented + 'hoist function in sloppy mode' feature, with small changes. + In short it works in following way: during hoisting of function + with name S in eval, we are looking for first scope that + contains space for variable with name S and if this scope + has var type we bind function there + + To implement this feature was added bytecode ops: + op_resolve_scope_for_hoisting_func_decl_in_eval - get variable scope + or return undefined if variable can't be binded there. 
+ + There is a corner case, hoist function in eval within catch block, + that is not covered by this patch, and will be fixed in + https://bugs.webkit.org/show_bug.cgi?id=168184 + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeLLIntInlineCaches): + * bytecode/EvalCodeBlock.h: + (JSC::EvalCodeBlock::functionHoistingCandidate): + (JSC::EvalCodeBlock::numFunctionHoistingCandidates): + * bytecode/UnlinkedEvalCodeBlock.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary): + (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval): + * bytecompiler/BytecodeGenerator.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasIdentifier): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + 
(JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::execute): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): + * llint/LowLevelInterpreter.asm: + * parser/Parser.cpp: + (JSC::Parser::parseFunctionDeclarationStatement): + * parser/Parser.h: + (JSC::Scope::getSloppyModeHoistedFunctions): + (JSC::Parser::declareFunction): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/EvalExecutable.h: + (JSC::EvalExecutable::numFunctionHoistingCandidates): + (JSC::EvalExecutable::numTopLevelFunctionDecls): + (JSC::EvalExecutable::numberOfFunctionDecls): Deleted. + * runtime/JSScope.cpp: + (JSC::JSScope::resolve): + (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval): + * runtime/JSScope.h: + +2017-04-29 Oleksandr Skachkov + + Deep nesting is leading to ReferenceError for hoisted function + https://bugs.webkit.org/show_bug.cgi?id=171456 + + Reviewed by Yusuke Suzuki. + + Current patch fix error that appears during hoisting of the function + in block scope. Error happens only when exist some deep scope that lead + to increase scope stack, after which list of the hosted candidates do not + copied to updated scope stack. + + * parser/Parser.h: + (JSC::Scope::Scope): + +2017-04-29 Yusuke Suzuki + + [JSC] LabelScopePtr is not necessary + https://bugs.webkit.org/show_bug.cgi?id=171474 + + Reviewed by Geoffrey Garen. + + Originally, LabelScopePtr is introduced because LabelScopes uses Vector<> instead of SegmentedVector<>. + LabelScopePtr holds the pointer to the vector owner and index instead of the pointer to LabelScope directly + since Vector<> can relocate LocalScopes inside it. 
+ The reason why LabelScopes use Vector instead is that there is code copying this vector. SegmentedVector<> + prohibits copying since it is so costly. So, we used Vector<> here instead of SegmentedVector<>. + + But the latest code does not have copying code for LabelScopes. Thus, we can take the same design to Label and + RegisterID. Just use SegmentedVector<> and Ref<>/RefPtr<>. This patch removes LabelScopePtr since it is no + longer necessary. And use SegmentedVector for LabelScopes. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::reclaim): + (JSC::BytecodeGenerator::reclaimFreeRegisters): + (JSC::BytecodeGenerator::newLabelScope): + (JSC::BytecodeGenerator::newLabel): + (JSC::BytecodeGenerator::pushFinallyControlFlowScope): + (JSC::BytecodeGenerator::breakTarget): + (JSC::BytecodeGenerator::continueTarget): + (JSC::BytecodeGenerator::emitEnumeration): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/LabelScope.h: + (JSC::LabelScope::LabelScope): + (JSC::LabelScope::breakTarget): + (JSC::LabelScope::continueTarget): + (JSC::LabelScope::type): + (JSC::LabelScope::name): + (JSC::LabelScope::scopeDepth): + (JSC::LabelScope::ref): + (JSC::LabelScope::deref): + (JSC::LabelScope::refCount): + (JSC::LabelScopePtr::LabelScopePtr): Deleted. + (JSC::LabelScopePtr::operator=): Deleted. + (JSC::LabelScopePtr::~LabelScopePtr): Deleted. + (JSC::LabelScopePtr::operator!): Deleted. + (JSC::LabelScopePtr::operator*): Deleted. + (JSC::LabelScopePtr::operator->): Deleted. + (JSC::LabelScopePtr::null): Deleted. 
+ * bytecompiler/NodesCodegen.cpp: + (JSC::DoWhileNode::emitBytecode): + (JSC::WhileNode::emitBytecode): + (JSC::ForNode::emitBytecode): + (JSC::ForInNode::emitBytecode): + (JSC::ContinueNode::trivialTarget): + (JSC::ContinueNode::emitBytecode): + (JSC::BreakNode::trivialTarget): + (JSC::BreakNode::emitBytecode): + (JSC::SwitchNode::emitBytecode): + (JSC::LabelNode::emitBytecode): + +2017-04-28 Mark Lam + + Revert instrumentation from https://bugs.webkit.org/show_bug.cgi?id=170086 that is no longer needed. + https://bugs.webkit.org/show_bug.cgi?id=170094 + + Reviewed by JF Bastien and Keith Miller. + + * heap/Heap.cpp: + (JSC::Heap::resumeThePeriphery): + +2017-04-27 Andy VanWagoner + + [INTL] Implement the caseFirst option for Intl.Collator + https://bugs.webkit.org/show_bug.cgi?id=158188 + + Reviewed by Geoffrey Garen. + + Implements the caseFirst option and unicode locale extension. + The caseFirst option explicitly determines whether upper or lower case comes first. + + * runtime/IntlCollator.cpp: + (JSC::sortLocaleData): Added kf data. + (JSC::searchLocaleData): Added kf data. + (JSC::IntlCollator::initializeCollator): Set caseFirst option. + (JSC::IntlCollator::createCollator): Set new attributes on ICU collator. + (JSC::IntlCollator::caseFirstString): Added. + (JSC::IntlCollator::resolvedOptions): Added caseFirst property. + * runtime/IntlCollator.h: + +2017-04-27 Mark Lam + + Fix some RELEASE_ASSERT failures caused by OutOfMemoryErrors. + https://bugs.webkit.org/show_bug.cgi?id=171404 + + + Reviewed by Saam Barati. + + 1. Added some tryAllocate() functions in JSCellInlines.h. + 2. Consolidated the implementations of allocateCell() template functions into a + single tryAllocateCellHelper() to reduce redundancy and eliminate needing to + copy-paste for variations of allocateCell and tryAllocateCell. + 3. Changed JSFixedArray::createFromArray() and constructEmptyArray() to check for + allocation failure and throw an OutOfMemoryError. 
It was already possible to + throw errors from these functions for other reasons. So, their clients are + already ready to handle OOMEs. + + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + * runtime/JSCInlines.h: + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::tryAllocateCellHelper): + (JSC::allocateCell): + (JSC::tryAllocateCell): + * runtime/JSFixedArray.h: + (JSC::JSFixedArray::createFromArray): + (JSC::JSFixedArray::tryCreate): + (JSC::JSFixedArray::create): Deleted. + * runtime/JSGlobalObject.h: + (JSC::constructEmptyArray): + +2017-04-27 Joseph Pecoraro + + Support for promise rejection events (unhandledrejection) + https://bugs.webkit.org/show_bug.cgi?id=150358 + + + Reviewed by Saam Barati. + + Patch by Joseph Pecoraro and Yusuke Suzuki. + + Implement support for promise.[[PromiseIsHandled]] and the + HostPromiseRejectionTracker hook for HTML to track promise rejections: + https://tc39.github.io/ecma262/#sec-host-promise-rejection-tracker + https://html.spec.whatwg.org/multipage/webappapis.html#unhandled-promise-rejections + + * builtins/BuiltinNames.h: + New private symbols. + + * builtins/PromiseOperations.js: + (globalPrivate.newHandledRejectedPromise): + Utility to create a rejected promise with [[PromiseIsHandled]] to true. + + (globalPrivate.rejectPromise): + (globalPrivate.initializePromise): + * builtins/PromisePrototype.js: + (then): + Implement standard behavior of [[PromiseIsHandled]] and the host hook. + + * runtime/JSPromise.cpp: + (JSC::JSPromise::isHandled): + * runtime/JSPromise.h: + C++ accessors for the [[PromiseIsHandled]] state. + + * bytecode/BytecodeIntrinsicRegistry.cpp: + (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): + * bytecode/BytecodeIntrinsicRegistry.h: + Expose private values for the Reject / Handle enum values in built-ins. 
+ + * jsc.cpp: + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::promiseResolveFunction): + Add a new GlobalObjectMethodTable hook matching the promise rejection hook. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncHostPromiseRejectionTracker): + * runtime/JSGlobalObjectFunctions.h: + Plumb the builtin hook through to the optional GlobalObjectMethodTable hook. + + * inspector/InjectedScriptSource.js: + (InjectedScript.prototype.createFakeValueDescriptor): + Silence possible rejected promises created internally via Web Inspector. + +2017-04-27 Saam Barati + + B3::FoldPathConstants does not consider the fall through case for Switch + https://bugs.webkit.org/show_bug.cgi?id=171390 + + Reviewed by Filip Pizlo. + + foldPathConstants was not taking into account a Switch's default + case when it tried to constant propagate the switch's operand value. + e.g, we incorrectly transformed this code: + + ``` + x = argumentGPR0; + switch (x) { + case 10: return 20; + + case 0: + default: return x == 0; + } + ``` + + into: + ``` + x = argumentGPR0; + switch (x) { + case 10: return 20; + + case 0: + default: return 1; + } + ``` + + Because we didn't take into account the default case, we incorrectly + optimized the code as if case 0's block was only reachable if x is + equal to zero. This is obviously not true, since it's the same block + as the default case. + + This fix ensures that we can run the WebAssembly Tanks demo even when + we set webAssemblyBBQOptimizationLevel=2. + + * b3/B3FoldPathConstants.cpp: + * b3/B3SwitchValue.cpp: + (JSC::B3::SwitchValue::fallThrough): + (JSC::B3::SwitchValue::removeCase): Deleted. 
+ * b3/B3SwitchValue.h:
+ * b3/testb3.cpp:
+ (JSC::B3::testCallFunctionWithHellaArguments):
+ (JSC::B3::testSwitchSameCaseAsDefault):
+ (JSC::B3::testWasmBoundsCheck):
+ (JSC::B3::run):
+
+2017-04-27 Keith Miller
+
+ WebAssembly: Don't tier up the same function twice
+ https://bugs.webkit.org/show_bug.cgi?id=171397
+
+ Reviewed by Filip Pizlo.
+
+ Because we don't CAS the tier up count on function entry/loop backedge and we use the least significant to indicate whether or not tier up has already started we could see the following:
+
+ Threads A and B are running count in memory is (0):
+
+ A: load tier up count (0)
+ B: load tier up count (0)
+ A: decrement count to -2 and see we need to check for tier up (0)
+ A: store -2 to count (-2)
+ A: exchangeOr(1) to tier up count (-1)
+ B: decrement count to -2 and see we need to check for tier up (-1)
+ B: store -2 to count (-2)
+ B: exchangeOr(1) to tier up count (-1)
+
+ This would cause us to tier up the same function twice, which we would rather avoid.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
+ * wasm/WasmTierUpCount.h:
+ (JSC::Wasm::TierUpCount::TierUpCount):
+ (JSC::Wasm::TierUpCount::loopDecrement):
+ (JSC::Wasm::TierUpCount::functionEntryDecrement):
+ (JSC::Wasm::TierUpCount::shouldStartTierUp):
+
+2017-04-27 Keith Miller
+
+ REGRESSION (r215843): ASSERTION FAILED: !m_completionTasks[0].first in JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast(JSC::VM &)
+ https://bugs.webkit.org/show_bug.cgi?id=171380
+
+ Reviewed by JF Bastien.
+
+ This patch fixes the association of VMs to Wasm::Plans. For validation
+ we want all the completion tasks to be associate with a VM. For BBQ,
+ we want the main task to not be associated with any VM.
+
+ * jsc.cpp:
+ (functionTestWasmModuleFunctions):
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::BBQPlan):
+ * wasm/WasmBBQPlan.h:
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ (JSC::Wasm::CodeBlock::compileAsync):
+ * wasm/WasmCodeBlock.h:
+ (JSC::Wasm::CodeBlock::create):
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::makeValidationCallback):
+ (JSC::Wasm::Module::validateSync):
+ (JSC::Wasm::Module::validateAsync):
+ (JSC::Wasm::Module::getOrCreateCodeBlock):
+ (JSC::Wasm::Module::compileSync):
+ (JSC::Wasm::Module::compileAsync):
+ * wasm/WasmModule.h:
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::OMGPlan):
+ (JSC::Wasm::runOMGPlanForIndex):
+ * wasm/WasmOMGPlan.h:
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::Plan):
+ (JSC::Wasm::Plan::runCompletionTasks):
+ (JSC::Wasm::Plan::addCompletionTask):
+ (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast):
+ * wasm/WasmPlan.h:
+ (JSC::Wasm::Plan::dontFinalize):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::constructJSWebAssemblyInstance):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyValidateFunc):
+
+2017-04-27 Saam Barati
+
+ Restore some caching functionality that got accidentally removed when doing Wasm PIC patches
+ https://bugs.webkit.org/show_bug.cgi?id=171382
+
+ Reviewed by Keith Miller.
+
+ When I created Wasm::CodeBlock, I accidentally removed caching
+ the creation of JSWebAssemblyCodeBlocks. This patch restores it.
+ It's worth keeping JSWebAssemblyModule's JSWebAssemblyCodeBlock
+ cache because creating a JSWebAssemblyCodeBlock does non trivial
+ work by creating the various IC call stubs.
+
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::codeBlock):
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::finalizeCreation):
+ (JSC::JSWebAssemblyInstance::create):
+ * wasm/js/JSWebAssemblyModule.h:
+
+2017-04-27 Mark Lam
+
+ Audit and fix incorrect uses of JSArray::tryCreateForInitializationPrivate().
+ https://bugs.webkit.org/show_bug.cgi?id=171344
+
+
+ Reviewed by Filip Pizlo.
+
+ JSArray::tryCreateForInitializationPrivate() should only be used in performance
+ critical paths, and should always be used with care because it creates an
+ uninitialized object that needs to be initialized by its client before the object
+ can be released into the system. Before the object is fully initialized:
+ a. the client should not re-enter the VM to execute JS code, and
+ b. GC should not run.
+
+ This is because until the object is fully initialized, it is an inconsistent
+ state that the GC and JS code will not be happy about.
+
+ In this patch, we do the following:
+
+ 1. Renamed JSArray::tryCreateForInitializationPrivate() to
+ JSArray::tryCreateUninitializedRestricted() because "private" is a bit ambiguous
+ and can be confused with APIs that are called freely within WebKit but are
+ not meant for clients of WebKit. In this case, we intend for use of this API
+ to be restricted to only a few carefully considered and crafted cases.
+
+ 2. Introduce the ObjectInitializationScope RAII object which covers the period
+ when the uninitialized object is created and gets initialized.
+
+ ObjectInitializationScope will asserts that either the object is created
+ fully initialized (in the case where the object structure is not an "original"
+ structure) or if created uninitialized, is fully initialized at the end of
+ the scope.
+
+ If the object is created uninitialized, the ObjectInitializationScope also
+ ensures that we do not GC nor re-enter the VM to execute JS code. This is
+ achieved by enabling DisallowGC and DisallowVMReentry scopes.
+
+ tryCreateUninitializedRestricted() and initializeIndex() now requires an
+ ObjectInitializationScope instance. The ObjectInitializationScope replaces
+ the VM& argument because it can be used to pass the VM& itself. This is a
+ small optimization that makes passing the ObjectInitializationScope free even
+ on release builds.
+
+ 3. Factored a DisallowScope out of DisallowGC, and make DisallowGC extend it.
+ Introduce a DisallowVMReentry class that extends DisallowScope.
+
+ 4. Fixed a bug found by the ObjectInitializationScope. The bug is that there are
+ scenarios where the structure passed to tryCreateUninitializedRestricted()
+ that may not be an "original" structure. As a result, initializeIndex() would
+ end up allocating new structures, and therefore trigger a GC.
+
+ The fix is to detect that the structure passed to tryCreateUninitializedRestricted()
+ is not an "original" one, and pre-initialize the array with 0s.
+
+ This bug was detected by existing tests. Hence, no new test needed.
+
+ 5. Replaced all inappropriate uses of tryCreateUninitializedRestricted() with
+ tryCreate(). Inappropriate uses here means code that is not in performance
+ critical paths.
+
+ Similarly, replaced accompanying uses of initializeIndex() with putDirectIndex().
+
+ This patch is performance neutral (according to the JSC command line benchmarks).
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGOperations.cpp:
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * heap/DeferGC.cpp:
+ * heap/DeferGC.h:
+ (JSC::DisallowGC::DisallowGC):
+ (JSC::DisallowGC::initialize):
+ (JSC::DisallowGC::scopeReentryCount):
+ (JSC::DisallowGC::setScopeReentryCount):
+ (JSC::DisallowGC::~DisallowGC): Deleted.
+ (JSC::DisallowGC::isGCDisallowedOnCurrentThread): Deleted.
+ * heap/GCDeferralContextInlines.h:
+ (JSC::GCDeferralContext::~GCDeferralContext):
+ * heap/Heap.cpp:
+ (JSC::Heap::collectIfNecessaryOrDefer):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::createWithInlineFrame):
+ (JSC::ClonedArguments::createByCopyingFrom):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/DisallowScope.h: Added.
+ (JSC::DisallowScope::DisallowScope):
+ (JSC::DisallowScope::~DisallowScope):
+ (JSC::DisallowScope::isInEffectOnCurrentThread):
+ (JSC::DisallowScope::enable):
+ (JSC::DisallowScope::enterScope):
+ (JSC::DisallowScope::exitScope):
+ * runtime/DisallowVMReentry.cpp: Added.
+ * runtime/DisallowVMReentry.h: Added.
+ (JSC::DisallowVMReentry::DisallowVMReentry):
+ (JSC::DisallowVMReentry::initialize):
+ (JSC::DisallowVMReentry::scopeReentryCount):
+ (JSC::DisallowVMReentry::setScopeReentryCount):
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::tryCreateUninitializedRestricted):
+ (JSC::JSArray::fastSlice):
+ (JSC::JSArray::tryCreateForInitializationPrivate): Deleted.
+ * runtime/JSArray.h:
+ (JSC::JSArray::tryCreateUninitializedRestricted):
+ (JSC::JSArray::tryCreate):
+ (JSC::constructArray):
+ (JSC::constructArrayNegativeIndexed):
+ (JSC::JSArray::tryCreateForInitializationPrivate): Deleted.
+ (JSC::createArrayButterfly): Deleted.
+ * runtime/JSCellInlines.h:
+ (JSC::allocateCell):
+ * runtime/JSObject.h:
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::initializeIndexWithoutBarrier):
+ * runtime/ObjectInitializationScope.cpp: Added.
+ (JSC::ObjectInitializationScope::ObjectInitializationScope):
+ (JSC::ObjectInitializationScope::~ObjectInitializationScope):
+ (JSC::ObjectInitializationScope::notifyAllocated):
+ (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
+ * runtime/ObjectInitializationScope.h: Added.
+ (JSC::ObjectInitializationScope::ObjectInitializationScope):
+ (JSC::ObjectInitializationScope::vm):
+ (JSC::ObjectInitializationScope::notifyAllocated):
+ * runtime/Operations.h:
+ (JSC::isScribbledValue):
+ (JSC::scribble):
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::createEmptyRegExpMatchesArray):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::tryCreateUninitializedRegExpMatchesArray):
+ (JSC::createRegExpMatchesArray):
+ * runtime/VMEntryScope.cpp:
+ (JSC::VMEntryScope::VMEntryScope):
+
+2017-04-27 Carlos Garcia Campos
+
+ [GTK] Remote inspector should support inspecting targets with previous version of backend commands
+ https://bugs.webkit.org/show_bug.cgi?id=171267
+
+ Reviewed by Michael Catanzaro.
+
+ Rename GetTargetList DBus method as SetupInspectorClient since this method is actually called only once by
+ client right after connecting to the server. The method now receives the client backend commands hash as
+ argument and returns the contents of the backend commands file in case the hash doesn't match with the local
+ version.
+
+ * PlatformGTK.cmake: Add RemoteInspectorUtils to compilation.
+ * inspector/remote/glib/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::setupInspectorClient):
+ * inspector/remote/glib/RemoteInspectorServer.h:
+ * inspector/remote/glib/RemoteInspectorUtils.cpp: Added.
+ (Inspector::backendCommands):
+ (Inspector::backendCommandsHash):
+ * inspector/remote/glib/RemoteInspectorUtils.h: Added.
+
+2017-04-27 Yusuke Suzuki
+
+ [JSC] Handle PhantomSpread in LoadVarargs as the same to the others
+ https://bugs.webkit.org/show_bug.cgi?id=171262
+
+ Reviewed by Saam Barati.
+
+ This is follow-up patch after r215720. In that patch, accidentally
+ we did not apply the same change to LoadVarargs in argument elimination
+ phase. This patch just does the same rewriting to handle PhantomSpread
+ correctly.
+
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+
+2017-04-26 Joseph Pecoraro
+
+ Web Inspector: Uint8ClampedArray should be treated like an array, not an object
+ https://bugs.webkit.org/show_bug.cgi?id=171364
+
+
+ Reviewed by Sam Weinig.
+
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::subtype):
+ Treat Uint8ClampedArray (like other Typed Arrays) as an array.
+
+2017-04-26 Saam Barati
+
+ Print Wasm function index in stack trace
+ https://bugs.webkit.org/show_bug.cgi?id=171349
+
+ Reviewed by JF Bastien.
+
+ This patch prints a Callee's index in the function index
+ space in Error.stack.
+
+ This will lead to stack traces that have lines of text like:
+ wasm function index: 4@[wasm code]
+
+ We don't ascribe indices to everything in wasm. Specifically, the
+ Wasm->JS call stub callee does not get a name, and neither does
+ the JS -> Wasm entrypoint.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::GetStackTraceFunctor::operator()):
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::readNonInlinedFrame):
+ (JSC::StackVisitor::Frame::functionName):
+ * interpreter/StackVisitor.h:
+ (JSC::StackVisitor::Frame::wasmFunctionIndex):
+ * runtime/StackFrame.cpp:
+ (JSC::StackFrame::functionName):
+ * runtime/StackFrame.h:
+ (JSC::StackFrame::StackFrame):
+ (JSC::StackFrame::wasm):
+ (JSC::StackFrame::hasBytecodeOffset):
+ (JSC::StackFrame::bytecodeOffset):
+ * wasm/WasmBBQPlanInlines.h:
+ (JSC::Wasm::BBQPlan::initializeCallees):
+ * wasm/WasmCallee.cpp:
+ (JSC::Wasm::Callee::Callee):
+ * wasm/WasmCallee.h:
+ (JSC::Wasm::Callee::create):
+ (JSC::Wasm::Callee::index):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::work):
+
+2017-04-26 Keith Miller
+
+ Follow up to r215843
+ https://bugs.webkit.org/show_bug.cgi?id=171361
+
+ Reviewed by Saam Barati.
+
+ This patch fixes some style comments Saam didn't get a chance to
+ request before I landed: https://bugs.webkit.org/show_bug.cgi?id=170134.
+
+ It renames Wasm::CodeBlock::m_wasmEntrypoints to
+ m_wasmIndirectCallEntrypoints, as well as fixes some copyrights and
+ indentation.
+
+ * wasm/WasmBBQPlan.cpp:
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ * wasm/WasmCodeBlock.h:
+ (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace):
+ * wasm/WasmOMGPlan.cpp:
+ (JSC::Wasm::OMGPlan::work):
+ * wasm/WasmTierUpCount.h:
+ (JSC::Wasm::TierUpCount::TierUpCount):
+ (JSC::Wasm::TierUpCount::loopDecrement):
+ (JSC::Wasm::TierUpCount::functionEntryDecrement):
+ (JSC::Wasm::TierUpCount::shouldStartTierUp):
+ (JSC::Wasm::TierUpCount::count):
+
+2017-04-26 Saam Barati
+
+ ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender()
+ https://bugs.webkit.org/show_bug.cgi?id=170924
+
+
+ Reviewed by Mark Lam.
+
+ The error message handler for "in" was searching for the literal
+ string "in". However, our parser incorrectly allows escaped characters
+ to be part of keywords. So this is parsed as "in" in JSC: "i\u006E".
+ It should not be parsed that way. I opened https://bugs.webkit.org/show_bug.cgi?id=171310
+ to address this issue.
+
+ Regardless, the error message handlers should handle unexpected text gracefully.
+ All functions that try to augment error messages with the goal of
+ providing a more textual context for the error message should use
+ the original error message instead of crashing when they detect
+ unexpected text.
+
+ This patch also changes the already buggy code that tries to find
+ the base of a function call. That could would fail for code like this:
+ "zoo.bar("/abc\)*/");". See https://bugs.webkit.org/show_bug.cgi?id=146304
+ It would think that the base is "z". However, the algorithm that tries
+ to find the base can often tell when it fails, and when it does, it should
+ happily return the approximate text error message instead of thinking
+ that the base is "z".
+
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::functionCallBase):
+ (JSC::notAFunctionSourceAppender):
+ (JSC::invalidParameterInSourceAppender):
+
+2017-04-26 Keith Miller
+
+ WebAssembly: Implement tier up
+ https://bugs.webkit.org/show_bug.cgi?id=170134
+
+ Reviewed by Filip Pizlo.
+
+ This patch implements tier up for wasm functions. Unlike with JS
+ code, wasm code needs to be able to tier up concurrently with the
+ running code. Since JS code is synchronous we can always link on
+ the running thread, wasm, however, can run the same code on more
+ than one thread. In order to make patching work correctly, we need
+ to ensure that all patches of callsites are aligned. On ARM we get
+ this for free since every call is a near call. On X86 we ensure
+ that the 32-bit relative offset is 32-bit aligned.
+
+ This patch also modifies how Wasm::Plan works. Now Plan is a
+ abstract super class and there are two subclasses, which
+ correspond to the different tiers of our wasm engine. The first,
+ Build Bytecode Quickly (BBQ) tier, roughly does what the old plan
+ code did before. The new tier, Optimized Machine code Generation
+ (OMG), can be called at any point by BBQ code and compiles exactly
+ one function. Once an OMGPlan finishes it will link it's code
+ internally then reset the instruction cache of all running wasm
+ threads, via, a ThreadMessage. Once the instruction caches have
+ been reset all the other functions will be patched to call the new
+ code.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::ensureCacheLineSpace):
+ * assembler/CodeLocation.h:
+ (JSC::CodeLocationThreadSafeNearCall::CodeLocationThreadSafeNearCall):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::threadSafePatchableNearCall):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::threadSafeNearCall):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::threadSafePatchableNearCall):
+ * b3/air/AirEmitShuffle.cpp:
+ (JSC::B3::Air::ShufflePair::inst):
+ (JSC::B3::Air::ShufflePair::opcode): Deleted.
+ * b3/air/AirEmitShuffle.h:
+ * jsc.cpp:
+ (functionTestWasmModuleFunctions):
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::didAcquireLock):
+ * runtime/Options.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::materializeWasmContext):
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::constant):
+ (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
+ (JSC::Wasm::B3IRGenerator::addLoop):
+ (JSC::Wasm::B3IRGenerator::addTopLevel):
+ (JSC::Wasm::B3IRGenerator::addBlock):
+ (JSC::Wasm::createJSToWasmWrapper):
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmB3IRGenerator.h:
+ * wasm/WasmBBQPlan.cpp: Copied from Source/JavaScriptCore/wasm/WasmPlan.cpp.
+ (JSC::Wasm::BBQPlan::BBQPlan):
+ (JSC::Wasm::BBQPlan::stateString):
+ (JSC::Wasm::BBQPlan::moveToState):
+ (JSC::Wasm::BBQPlan::parseAndValidateModule):
+ (JSC::Wasm::BBQPlan::prepare):
+ (JSC::Wasm::BBQPlan::ThreadCountHolder::ThreadCountHolder):
+ (JSC::Wasm::BBQPlan::ThreadCountHolder::~ThreadCountHolder):
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ (JSC::Wasm::BBQPlan::complete):
+ (JSC::Wasm::BBQPlan::work):
+ * wasm/WasmBBQPlan.h: Copied from Source/JavaScriptCore/wasm/WasmPlan.h.
+ * wasm/WasmBBQPlanInlines.h: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
+ (JSC::Wasm::BBQPlan::initializeCallees):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmCallee.h:
+ (JSC::Wasm::Callee::entrypoint):
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ * wasm/WasmCodeBlock.h:
+ (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace):
+ (JSC::Wasm::CodeBlock::tierUpCount):
+ (JSC::Wasm::CodeBlock::mode):
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::CallableFunction::CallableFunction):
+ (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation):
+ * wasm/WasmMachineThreads.cpp: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
+ (JSC::Wasm::wasmThreads):
+ (JSC::Wasm::startTrackingCurrentThread):
+ (JSC::Wasm::resetInstructionCacheOnAllThreads):
+ * wasm/WasmMachineThreads.h: Copied from Source/JavaScriptCore/wasm/WasmCallee.h.
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::makeValidationResult):
+ (JSC::Wasm::makeValidationCallback):
+ (JSC::Wasm::Module::validateSync):
+ (JSC::Wasm::Module::validateAsync):
+ * wasm/WasmModule.h:
+ (JSC::Wasm::Module::codeBlockFor):
+ * wasm/WasmOMGPlan.cpp: Added.
+ (JSC::Wasm::OMGPlan::OMGPlan):
+ (JSC::Wasm::OMGPlan::work):
+ (JSC::Wasm::runOMGPlanForIndex):
+ * wasm/WasmOMGPlan.h: Copied from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::Plan):
+ (JSC::Wasm::Plan::runCompletionTasks):
+ (JSC::Wasm::Plan::addCompletionTask):
+ (JSC::Wasm::Plan::waitForCompletion):
+ (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast):
+ (JSC::Wasm::Plan::fail):
+ (JSC::Wasm::Plan::stateString): Deleted.
+ (JSC::Wasm::Plan::moveToState): Deleted.
+ (JSC::Wasm::Plan::parseAndValidateModule): Deleted.
+ (JSC::Wasm::Plan::prepare): Deleted.
+ (JSC::Wasm::Plan::ThreadCountHolder::ThreadCountHolder): Deleted.
+ (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder): Deleted.
+ (JSC::Wasm::Plan::compileFunctions): Deleted.
+ (JSC::Wasm::Plan::complete): Deleted.
+ * wasm/WasmPlan.h:
+ (JSC::Wasm::Plan::exports): Deleted.
+ (JSC::Wasm::Plan::internalFunctionCount): Deleted.
+ (JSC::Wasm::Plan::takeModuleInformation): Deleted.
+ (JSC::Wasm::Plan::takeCallLinkInfos): Deleted.
+ (JSC::Wasm::Plan::takeWasmToWasmExitStubs): Deleted.
+ (JSC::Wasm::Plan::hasWork): Deleted.
+ (JSC::Wasm::Plan::hasBeenPrepared): Deleted.
+ * wasm/WasmTierUpCount.h: Renamed from Source/JavaScriptCore/wasm/WasmPlanInlines.h.
+ (JSC::Wasm::TierUpCount::TierUpCount):
+ (JSC::Wasm::TierUpCount::loopDecrement):
+ (JSC::Wasm::TierUpCount::functionEntryDecrement):
+ (JSC::Wasm::TierUpCount::shouldStartTierUp):
+ (JSC::Wasm::TierUpCount::count):
+ * wasm/WasmWorklist.cpp:
+ * wasm/WasmWorklist.h:
+ (JSC::Wasm::Worklist::nextTicket):
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace):
+ (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
+ (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace): Deleted.
+ * wasm/js/JSWebAssemblyTable.cpp:
+ (JSC::JSWebAssemblyTable::setFunction):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::create):
+ (JSC::WebAssemblyFunction::WebAssemblyFunction):
+ * wasm/js/WebAssemblyFunction.h:
+ (JSC::WebAssemblyFunction::signatureIndex):
+ (JSC::WebAssemblyFunction::wasmEntrypointLoadLocation):
+ (JSC::WebAssemblyFunction::callableFunction):
+ (JSC::WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation):
+ (JSC::WebAssemblyFunction::wasmEntrypoint): Deleted.
+ (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint): Deleted.
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ (JSC::WebAssemblyModuleRecord::evaluate):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyValidateFunc):
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
+ (JSC::WebAssemblyWrapperFunction::create):
+ * wasm/js/WebAssemblyWrapperFunction.h:
+ (JSC::WebAssemblyWrapperFunction::signatureIndex):
+ (JSC::WebAssemblyWrapperFunction::wasmEntrypointLoadLocation):
+ (JSC::WebAssemblyWrapperFunction::callableFunction):
+ (JSC::WebAssemblyWrapperFunction::wasmEntrypoint): Deleted.
+
+2017-04-26 Caitlin Potter
+
+ [JSC] fix RETURN_IF_EXCEPTION() placement in ownPropertyKeys()
+ https://bugs.webkit.org/show_bug.cgi?id=171330
+
+ Reviewed by Mark Lam.
+
+ Ensure RETURN_IF_EXCEPTION() following invokation of the
+ filterPropertyIfNeeded() lambda.
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ownPropertyKeys):
+
+2017-04-26 Caitlin Potter
+
+ [JSC] Object.keys() must discard property names with no PropertyDescriptor
+ https://bugs.webkit.org/show_bug.cgi?id=171291
+
+ Reviewed by Yusuke Suzuki.
+
+ Proxy objects can produce an arbitrary list of property names from the
+ "ownKeys" trap, however the Object.keys() algorithm is required to
+ discard names which do not have a PropertyDescriptor. This also
+ applies to other uses of the EnumerableOwnProperties() algorithm
+ (https://tc39.github.io/ecma262/#sec-enumerableownproperties)
+
+ Related to https://bugs.chromium.org/p/v8/issues/detail?id=6290
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ownPropertyKeys):
+
+2017-04-25 Andy VanWagoner
+
+ Unhandled enumeration values in IntlDateTimeFormat.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=171241
+
+ Reviewed by JF Bastien.
+
+ Added some missing cases of the UDateFormatField to partTypeString,
+ and made them conditional to the ICU version that added them.
+ This should remove the warnings that appear on platform builds using the
+ newer system ICU headers.
+
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::partTypeString):
+
+2017-04-25 Commit Queue
+
+ Unreviewed, rolling out r215476.
+ https://bugs.webkit.org/show_bug.cgi?id=171304
+
+ "It broke JSBench" (Requested by saamyjoon on #webkit).
+
+ Reverted changeset:
+
+ "[ES6]. Implement Annex B.3.3 function hoisting rules for
+ eval"
+ https://bugs.webkit.org/show_bug.cgi?id=163208
+ http://trac.webkit.org/changeset/215476
+
+2017-04-25 Saam Barati
+
+ JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object
+ https://bugs.webkit.org/show_bug.cgi?id=171150
+
+
+ Reviewed by Sam Weinig.
+
+ This patch fixes a huge oversight from the patch that introduced
+ op_spread/Spread. The original patch did not account for the
+ base object having Symbol.iterator or getters that could
+ change the iterator protocol. This patch fixes the oversight both
+ in the C code, as well as the DFG/FTL backends. We only perform
+ the memcpy version of spread if we've proven that it's guaranteed
+ to be side-effect free (no indexed getters), and if the iterator
+ protocol is guaranteed to be the original protocol. To do this, we
+ must prove that:
+ 1. The protocol on Array.prototype hasn't changed (this is the same as the
+ introductory patch for op_spread).
+ 2. The base object's __proto__ is Array.prototype
+ 3. The base object does not have indexed getters
+ 4. The base object does not have Symbol.iterator property.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::canDoFastSpread):
+ * dfg/DFGGraph.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
+ * runtime/JSArray.h:
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::isIteratorProtocolFastAndNonObservable): Deleted.
+ * runtime/JSGlobalObject.h:
+ * runtime/JSGlobalObjectInlines.h:
+ (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
+ (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable): Deleted.
+
+2017-04-25 Mark Lam
+
+ Array.prototype.slice() should ensure that end >= begin.
+ https://bugs.webkit.org/show_bug.cgi?id=170989
+
+
+ Reviewed by Saam Barati.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSlice):
+
+2017-04-25 Don Olmstead
+
+ [Win] Use Clang's __has_declspec_attribute for export macros
+ https://bugs.webkit.org/show_bug.cgi?id=171240
+
+ Reviewed by Alex Christensen.
+
+ * runtime/JSExportMacros.h:
+
+2017-04-25 Saam Barati
+
+ Unreviewed. Attempt armv7k build fix after r215720
+
+ I think we're just missing an include for the definition of ExecState::r().
+
+ * runtime/JSFixedArray.cpp:
+
+2017-04-25 Daniel Bates
+
+ [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+ https://bugs.webkit.org/show_bug.cgi?id=136452
+
+
+ Reviewed by Brent Fulgham.
+
+ Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-25 Mark Lam
+
+ Local CSE wrongly CSEs array accesses with different result types.
+ https://bugs.webkit.org/show_bug.cgi?id=170990
+
+
+ Reviewed by Saam Barati.
+
+ The fix is to use different LocationKind enums for the different type of array
+ result types. This makes the HeapLocation values different based on the result
+ types, and allows CSE to discern between them.
+
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ (JSC::DFG::indexedPropertyLocForResultType):
+
+2017-04-25 Mark Lam
+
+ Make DFG SpeculatedType dumps easier to read.
+ https://bugs.webkit.org/show_bug.cgi?id=171280
+
+ Reviewed by Saam Barati.
+
+ Adding a pretty printer to insert |s between each type string and changing the
+ dumped strings to match the SpeculatedType names case-wise.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::PrettyPrinter::PrettyPrinter):
+ (JSC::PrettyPrinter::print):
+ (JSC::dumpSpeculation):
+ * bytecode/SpeculatedType.h:
+
+2017-04-25 JF Bastien
+
+ lowerStackArgs: check Arg::addr.isValidForm when falling back to SP offsets
+ https://bugs.webkit.org/show_bug.cgi?id=171278
+
+ Reviewed by Filip Pizlo.
+
+ lowerStackArgs checked that the FP offsets it tries to generate
+ are valid form, but didn't check that the fallback was valid
+ form. This lead to stackAddr's assertion being dead, and the
+ MaroAssembler asserting way later on move / add when handed a huge
+ immediate.
+
+ * b3/air/AirArg.cpp:
+ (JSC::B3::Air::Arg::stackAddrImpl):
+
+2017-04-25 Zan Dobersek
+
+ [aarch64] moveConditionally32(), moveConditionallyTest32() should move from/to 64-bit registers
+ https://bugs.webkit.org/show_bug.cgi?id=170891
+
+ Reviewed by Saam Barati.
+
+ moveConditionally32() and moveConditionallyTest32() operations in
+ MacroAssemblerARM64 properly perform comparisons and tests on 32-bit
+ values, but end up performing the moves from and to 32-bit registers.
+
+ Move operations should instead be done on 64-bit registers, just like
+ on the X86_64 platform. This is achieved by specifying 64 as the data
+ size for the csel instructions.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::moveConditionally32):
+ (JSC::MacroAssemblerARM64::moveConditionallyTest32):
+
+2017-04-24 Joseph Pecoraro
+
+ test262: test262/test/language/expressions/object/method-definition/early-errors-object-method-duplicate-parameters.js
+ https://bugs.webkit.org/show_bug.cgi?id=171190
+
+ Reviewed by Saam Barati.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
+ (JSC::BytecodeGenerator::emitNewFunction):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionNode::emitBytecode):
+ (JSC::Scope::setSourceParseMode):
+ * parser/ParserModes.h:
+ (JSC::isFunctionParseMode):
+ (JSC::isMethodParseMode):
+ (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
+ (JSC::isGeneratorParseMode):
+ (JSC::isGeneratorWrapperParseMode):
+ * runtime/FunctionExecutable.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::getOwnPropertySlot):
+ Add a new GeneratorWrapperMethodMode parse mode. The other function types
+ (async, arrow) already have a FunctionMode and a MethodMode. Give
+ generators one as well. This lets isMethodParseMode actually be accurate.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ (JSC::Parser::isArrowFunctionParameters):
+ (JSC::Parser::parseFormalParameters):
+ (JSC::stringForFunctionMode):
+ (JSC::Parser::parseFunctionParameters):
+ (JSC::Parser::parseFunctionInfo):
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parsePropertyMethod):
+ * parser/Parser.h:
+ Add a duplicate parameter failure if there are duplicate parameters
+ in method syntax.
+
+2017-04-24 Andy VanWagoner
+
+ Clean up ICU headers
+ https://bugs.webkit.org/show_bug.cgi?id=170997
+
+ Reviewed by JF Bastien.
+
+ Update all icu headers to 55.1
+
+ * icu/LICENSE: Update copyright
+ * icu/README: Explain ICU headers for OS X better
+ * icu/unicode/localpointer.h:
+ (LocalPointer::LocalPointer):
+ (LocalPointer::adoptInsteadAndCheckErrorCode):
+ * icu/unicode/platform.h:
+ * icu/unicode/putil.h:
+ * icu/unicode/ucal.h:
+ * icu/unicode/uchar.h:
+ * icu/unicode/ucnv.h:
+ * icu/unicode/ucol.h:
+ * icu/unicode/uconfig.h:
+ * icu/unicode/ucurr.h:
+ * icu/unicode/udatpg.h:
+ * icu/unicode/udisplaycontext.h:
+ * icu/unicode/uformattable.h:
+ * icu/unicode/uloc.h:
+ * icu/unicode/umachine.h:
+ * icu/unicode/unum.h:
+ * icu/unicode/unumsys.h:
+ * icu/unicode/urename.h:
+ * icu/unicode/uscript.h:
+ * icu/unicode/uset.h:
+ * icu/unicode/ustring.h:
+ * icu/unicode/utf8.h:
+ * icu/unicode/utypes.h:
+
+2017-04-24 Yusuke Suzuki
+
+ [JSC] Use JSFixedArray directly when using call_varargs
+ https://bugs.webkit.org/show_bug.cgi?id=171057
+
+ Reviewed by Saam Barati.
+
+ Previously we always emit new_array_with_spread when calling call(...args).
+ But this array is unnecessary if varargs operation can handle Spread directly.
+
+ This patch implements a peep-hole optimization in the bytecode compiler layer
+ to omit new_array_with_spread. This is very simple and effective because this
+ peep-hole optimization is quite common when using (...args) style calls and
+ this optimization works all the tiers. While we can implement the phase to
+ omit this NewArrayWithSpread in argument elimination phase, it only works
+ for FTL. While such an optimization can work with complex data flow, this
+ peep-hole optimization can optimize a common case easily.
+
+ For now, Spread and PhantomSpread can be directly drained by CallVarargs
+ and LoadVarargs related operations. We modify DFG and FTL to handle this correctly.
+
+ This shows six-speed improvement.
+
+ spread.es6 89.4300+-2.0236 ^ 69.6015+-1.7278 ^ definitely 1.2849x faster
+ spread-generator.es6 344.7879+-5.9147 ^ 331.2712+-6.8610 ^ definitely 1.0408x faster
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitConstruct):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGPreciseLocalClobberize.h:
+ (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
+ * interpreter/Interpreter.cpp:
+ (JSC::sizeOfVarargs):
+ (JSC::loadVarargs):
+ * parser/Nodes.h:
+ (JSC::ArrayNode::elements):
+ * runtime/JSFixedArray.cpp:
+ (JSC::JSFixedArray::copyToArguments):
+ * runtime/JSFixedArray.h:
+
+2017-04-24 Yusuke Suzuki
+
+ [WTF] Move JSC tools/StackTrace to WTF and unify stack trace dump code
+ https://bugs.webkit.org/show_bug.cgi?id=171199
+
+ Reviewed by Mark Lam.
+
+ This patch adds a utility method to produce demangled names with dladdr.
+ It fixes several memory leaks because the result of abi::__cxa_demangle()
+ needs to be `free`-ed.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::StackFrame::displayName):
+ * tools/CellProfile.h:
+ * tools/CodeProfile.cpp:
+ (JSC::CodeProfile::report):
+ (JSC::symbolName): Deleted.
+
+2017-04-24 Joseph Pecoraro
+
+ Web Inspector: ObjC RWIProtocol codegen should better handle optional members
+ https://bugs.webkit.org/show_bug.cgi?id=171251
+
+
+ Reviewed by Brian Burg.
+
+ * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
+ (ObjCProtocolTypesImplementationGenerator._generate_getter_for_member):
+ * inspector/scripts/codegen/objc_generator.py:
+ (ObjCGenerator.protocol_to_objc_expression_for_member):
+ (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
+ Always be safe and nil check object property accesses, optional or not.
+
+ * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
+ Rebaselined inspector generator tests.
+
+2017-04-24 Saam Barati
+
+ ASSERTION FAILED: m_table seen with workers/wasm-hashset LayoutTests
+ https://bugs.webkit.org/show_bug.cgi?id=171119
+
+
+ Reviewed by Keith Miller.
+
+ The HashSet of timer set notification callbacks can be accessed
+ and augmented simultaneously from different threads. e.g, the worker
+ thread can augment it while the wasm compilation thread will
+ access it. Therefore, accesses must be guarded by a lock.
+
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::JSRunLoopTimer::scheduleTimer):
+ (JSC::JSRunLoopTimer::addTimerSetNotification):
+ (JSC::JSRunLoopTimer::removeTimerSetNotification):
+ * runtime/JSRunLoopTimer.h:
+
+2017-04-24 Joseph Pecoraro
+
+ test262: test262/test/language/computed-property-names/class/static/getter-prototype.js
+ https://bugs.webkit.org/show_bug.cgi?id=170897
+
+ Reviewed by Saam Barati.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createArguments):
+ (JSC::ASTBuilder::createArgumentsList):
+ Reorder so all the createProperty methods are grouped together.
+
+ * parser/Parser.h:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parseProperty):
+ (JSC::Parser::parseGetterSetter):
+ Refine the conditions for syntax errors for getter/setter
+ properties names. "prototype" is not allowed as a static
+ and "constructor" is not all when non-static.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putGetter):
+ (JSC::JSObject::putSetter):
+ Throw exceptions. These methods are only used by this path
+ via op_put_getter_by_val / op_put_setter_by_val.
+
+2017-04-24 Joseph Pecoraro
+
+ test262: test262/test/language/statements/for-of/dstr-array-elem-init-fn-name-arrow.js
+ https://bugs.webkit.org/show_bug.cgi?id=171160
+
+ Reviewed by JF Bastien.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::tryInferNameInPattern):
+ (JSC::ASTBuilder::tryInferNameInPatternWithIdentifier):
+ We supported getting the name from a BindingNode.
+ We extend this to support getting the name from a
+ ResolveNode inside of an AssignmentElementNode.
+
+ * parser/Nodes.h:
+ (JSC::DestructuringPatternNode::isAssignmentElementNode):
+ (JSC::AssignmentElementNode::isAssignmentElementNode):
+ Make it possible to identify an assignment element node.
+
+2017-04-24 Alex Christensen
+
+ Reduce copies and allocations in SharedBuffer::append
+ https://bugs.webkit.org/show_bug.cgi?id=170956
+
+ Reviewed by Andreas Kling.
+
+ * runtime/ArrayBuffer.h:
+
+2017-04-24 Carlos Garcia Campos
+
+ [GTK] Switch to use ENABLE_REMOTE_INSPECTOR instead of ENABLE_INSPECTOR_SERVER for the remote inspector
+ https://bugs.webkit.org/show_bug.cgi?id=166680
+
+ Reviewed by Michael Catanzaro.
+
+ Add GTK+ port implementation of RemoteInspector.
+
+ * PlatformGTK.cmake:
+ * inspector/remote/RemoteConnectionToTarget.h:
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp: Added.
+ (Inspector::RemoteConnectionToTarget::RemoteConnectionToTarget):
+ (Inspector::RemoteConnectionToTarget::~RemoteConnectionToTarget):
+ (Inspector::RemoteConnectionToTarget::setup):
+ (Inspector::RemoteConnectionToTarget::sendMessageToTarget):
+ (Inspector::RemoteConnectionToTarget::close):
+ (Inspector::RemoteConnectionToTarget::targetClosed):
+ (Inspector::RemoteConnectionToTarget::targetIdentifier):
+ (Inspector::RemoteConnectionToTarget::sendMessageToFrontend):
+ * inspector/remote/glib/RemoteInspectorGlib.cpp: Added.
+ (Inspector::RemoteInspector::singleton):
+ (Inspector::RemoteInspector::RemoteInspector):
+ (Inspector::RemoteInspector::start):
+ (Inspector::RemoteInspector::stopInternal):
+ (Inspector::RemoteInspector::setupConnection):
+ (Inspector::dbusConnectionCallAsyncReadyCallback):
+ (Inspector::RemoteInspector::listingForInspectionTarget):
+ (Inspector::RemoteInspector::listingForAutomationTarget):
+ (Inspector::RemoteInspector::pushListingsNow):
+ (Inspector::RemoteInspector::pushListingsSoon):
+ (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
+ (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
+ (Inspector::RemoteInspector::sendMessageToRemote):
+ (Inspector::RemoteInspector::receivedGetTargetListMessage):
+ (Inspector::RemoteInspector::receivedSetupMessage):
+ (Inspector::RemoteInspector::receivedDataMessage):
+ (Inspector::RemoteInspector::receivedCloseMessage):
+ (Inspector::RemoteInspector::setup):
+ (Inspector::RemoteInspector::sendMessageToTarget):
+ (Inspector::RemoteInspector::requestAutomationSession):
+ * inspector/remote/glib/RemoteInspectorServer.cpp: Added.
+ (Inspector::generateConnectionID):
+ (Inspector::RemoteInspectorServer::singleton):
+ (Inspector::RemoteInspectorServer::~RemoteInspectorServer):
+ (Inspector::RemoteInspectorServer::interfaceInfo):
+ (Inspector::RemoteInspectorServer::start):
+ (Inspector::RemoteInspectorServer::newConnectionCallback):
+ (Inspector::RemoteInspectorServer::connectionClosedCallback):
+ (Inspector::RemoteInspectorServer::newConnection):
+ (Inspector::dbusConnectionCallAsyncReadyCallback):
+ (Inspector::RemoteInspectorServer::setTargetList):
+ (Inspector::RemoteInspectorServer::clientConnectionClosedCallback):
+ (Inspector::RemoteInspectorServer::getTargetList):
+ (Inspector::RemoteInspectorServer::setup):
+ (Inspector::RemoteInspectorServer::close):
+ (Inspector::RemoteInspectorServer::clientConnectionClosed):
+ (Inspector::RemoteInspectorServer::connectionClosed):
+ (Inspector::RemoteInspectorServer::sendMessageToBackend):
+ (Inspector::RemoteInspectorServer::sendMessageToFrontend):
+ (Inspector::RemoteInspectorServer::startAutomationSession):
+ * inspector/remote/glib/RemoteInspectorServer.h: Added.
+ (Inspector::RemoteInspectorServer::isRunning):
+
+2017-04-24 Joseph Pecoraro
+
+ test262: test262/test/language/expressions/generators/yield-as-label.js
+ https://bugs.webkit.org/show_bug.cgi?id=170979
+
+ Reviewed by Saam Barati.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseVariableDeclarationList):
+ (JSC::Parser::parseDestructuringPattern):
+ (JSC::Parser::parseFormalParameters):
+ Converge on "Cannot" instead of "Can't" in error messages.
+
+ (JSC::Parser::parseFunctionInfo):
+ Disallow "yield" as the generator function name in function expressions.
+ This refers to the difference between Declaration and Expression, where
+ only GeneratorExpression explicitly has [+Yield] disallowing yield for
+ the generator name:
+
+ GeneratorDeclaration[Yield, Await, Default]:
+ function * BindingIdentifier[?Yield, ?Await] ...
+
+ GeneratorExpression:
+ function * BindingIdentifier[+Yield, ~Await]opt ...
+
+ (JSC::Parser::parseExpressionOrLabelStatement):
+ Disallow "yield" as a label name in strict mode or inside a generator.
+
+ (JSC::Parser::parseProperty):
+ Disallow "yield" or any keyword in object literal shorthands.
+
+ * parser/Parser.h:
+ (JSC::Parser::getToken):
+ (JSC::Parser::isDisallowedIdentifierLet):
+ (JSC::Parser::isDisallowedIdentifierYield):
+ (JSC::Parser::disallowedIdentifierLetReason):
+ (JSC::Parser::disallowedIdentifierYieldReason):
+ Follow pattern for improved error messages based on context.
+
+2017-04-23 Commit Queue
+
+ Unreviewed, rolling out r215674.
+ https://bugs.webkit.org/show_bug.cgi?id=171212
+
+ Possible unintended commit. This patch was on the wrong bug.
+ (Requested by JoePeck on #webkit).
+
+ Reverted changeset:
+
+ "test262: test262/test/language/expressions/generators/yield-
+ as-label.js"
+ https://bugs.webkit.org/show_bug.cgi?id=170979
+ http://trac.webkit.org/changeset/215674
+
+2017-04-23 Joseph Pecoraro
+
+ test262: test262/test/built-ins/Number/prototype/toPrecision/nan.js
+ https://bugs.webkit.org/show_bug.cgi?id=171197
+
+ Reviewed by Saam Barati.
+
+ * runtime/NumberPrototype.cpp:
+ (JSC::numberProtoFuncToExponential):
+ (JSC::numberProtoFuncToFixed):
+ (JSC::numberProtoFuncToPrecision):
+ Refine the order of operations to match the spec.
+
+2017-04-23 Joseph Pecoraro
+
+ test262: test262/test/language/expressions/generators/yield-as-label.js
+ https://bugs.webkit.org/show_bug.cgi?id=170979
+
+ Reviewed by Saam Barati.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseVariableDeclarationList):
+ (JSC::Parser::parseDestructuringPattern):
+ (JSC::Parser::parseFormalParameters):
+ Converge on "Cannot" instead of "Can't" in error messages.
+
+ (JSC::Parser::parseFunctionInfo):
+ Disallow "yield" as the generator function name in function expressions.
+ This refers to the difference between Declaration and Expression, where
+ only GeneratorExpression explicitly has [+Yield] disallowing yield for
+ the generator name:
+
+ GeneratorDeclaration[Yield, Await, Default]:
+ function * BindingIdentifier[?Yield, ?Await] ...
+
+ GeneratorExpression:
+ function * BindingIdentifier[+Yield, ~Await]opt ...
+
+ (JSC::Parser::parseExpressionOrLabelStatement):
+ Disallow "yield" as a label name in strict mode or inside a generator.
+
+ (JSC::Parser::parseProperty):
+ Disallow "yield" or any keyword in object literal shorthands.
+
+ * parser/Parser.h:
+ (JSC::Parser::getToken):
+ (JSC::Parser::isDisallowedIdentifierLet):
+ (JSC::Parser::isDisallowedIdentifierYield):
+ (JSC::Parser::disallowedIdentifierLetReason):
+ (JSC::Parser::disallowedIdentifierYieldReason):
+ Follow pattern for improved error messages based on context.
+
+2017-04-23 Joseph Pecoraro
+
+ test262: test262/test/built-ins/Number/parseFloat.js
+ https://bugs.webkit.org/show_bug.cgi?id=171193
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::parseFloatFunction):
+ Expose parseFloat on the global object to be shared with Number constructor.
+
+ * runtime/NumberConstructor.cpp:
+ (JSC::NumberConstructor::finishCreation):
+ parseFloat uses the same value as the global parseFloat.
+
+2017-04-22 Yusuke Suzuki
+
+ [JSC] Use DoublyLinkedList for MachineThread
+ https://bugs.webkit.org/show_bug.cgi?id=171171
+
+ Reviewed by Mark Lam.
+
+ MachineThread can use WTF::DoublyLinkedList to simplify
+ its implementation. We should not use Vector<> etc. since
+ we do not want to call allocations during suspending and
+ resuming threads.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::MachineThreads):
+ (JSC::MachineThreads::~MachineThreads):
+ (JSC::MachineThreads::addCurrentThread):
+ (JSC::MachineThreads::removeThreadIfFound):
+ (JSC::MachineThreads::MachineThread::MachineThread):
+ (JSC::MachineThreads::tryCopyOtherThreadStacks):
+ * heap/MachineStackMarker.h:
+ (JSC::MachineThreads::threadsListHead):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::FrameWalker::isValidFramePointer):
+ * runtime/VMTraps.cpp:
+ (JSC::findActiveVMAndStackBounds):
+
+2017-04-22 JF Bastien
+
+ WebAssembly: Module.exports, Module.imports, Module.customSections are wrong
+ https://bugs.webkit.org/show_bug.cgi?id=171078
+
+ Reviewed by Saam Barati.
+
+ They're static properties of Module, not instance properties of a module.
+ https://github.com/WebAssembly/design/blob/master/JS.md#webassemblymoduleexports
+
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ (JSC::webAssemblyModuleCustomSections):
+ (JSC::webAssemblyModuleImports):
+ (JSC::webAssemblyModuleExports):
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+ (JSC::webAssemblyModuleProtoCustomSections): Deleted.
+ (JSC::webAssemblyModuleProtoImports): Deleted.
+ (JSC::webAssemblyModuleProtoExports): Deleted.
+
+2017-04-21 Saam Barati
+
+ SharedArrayBuffer-opt.js fails with Briggs
+ https://bugs.webkit.org/show_bug.cgi?id=170948
+
+
+ Reviewed by Michael Saboff.
+
+ The bug was not actually with Briggs, but instead was with
+ our X86-64 MacroAssembler. Michael fixed the bug here:
+ https://trac.webkit.org/changeset/215618/webkit
+
+ The issue was we weren't adding the REX byte for AtomicXchg8,
+ leading to the incorrect encoding for the result register depending
+ on which register it was.
If you look at this code, you'll see the issue:
+
+ Int32 @38 = AtomicXchg(@59, @64, width = 8, range = 0, fenceRange = 0, ControlDependent|Fence|Writes:0|Reads:0, DFG:@49)
+ AtomicXchg8 %rsi, (%rax,%rdx), @38
+ 0x2dcb5bc0015e: lock xchg %dh, (%rax,%rdx)
+ Int32 @66 = Const32(255, DFG:@49)
+ Int32 @67 = BitAnd(@38, $255(@66), DFG:@49)
+ ZeroExtend8To32 %rsi, %rax, @67
+ 0x2dcb5bc00162: movzx %sil, %eax
+
+ Air thought the result was in the lower 8 bits of %rsi,
+ however, the code we emitted stored it in the [8-15] bits
+ of %rdx. Since this issue is fixed, I'm turning Briggs back
+ on.
+
+ * b3/air/AirAllocateRegistersByGraphColoring.h:
+ (JSC::B3::Air::useIRC):
+
+2017-04-20 Mark Lam
+
+ Refactor MASM probe to allow printing of custom types.
+ https://bugs.webkit.org/show_bug.cgi?id=171101
+
+ Reviewed by JF Bastien.
+
+ For example, this allows us to add MASM printing of CodeBlock* and Air::Args.
+
+ In general, MASM print can be used like dataLog, except that it generates JITted
+ code for doing the dataLogging later when the JITted code runs. MASM print can
+ print any value type that a specialized Printer template or a setPrinter()
+ function implemented for that type.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/MacroAssembler.h:
+
+ * assembler/MacroAssemblerPrinter.cpp:
+ (JSC::Printer::printAllRegisters):
+ (JSC::Printer::printPCRegister):
+ (JSC::Printer::printRegisterID):
+ (JSC::Printer::printFPRegisterID):
+ (JSC::Printer::printAddress):
+ (JSC::Printer::printMemory):
+ (JSC::Printer::printCallback):
+ (JSC::printIndent): Deleted.
+ (JSC::printCPU): Deleted.
+ (JSC::printCPURegisters): Deleted.
+ (JSC::printPC): Deleted.
+ (JSC::printRegister): Deleted.
+ (JSC::printMemory): Deleted.
+ (JSC::MacroAssemblerPrinter::printCallback): Deleted.
+ * assembler/MacroAssemblerPrinter.h:
+ (JSC::AllRegisters::AllRegisters):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::Printer>::Printer):
+ (JSC::MacroAssembler::print):
+ (JSC::MacroAssemblerPrinter::print): Deleted.
+ (JSC::MacroAssemblerPrinter::PrintArg::PrintArg): Deleted.
+ (JSC::MacroAssemblerPrinter::appendPrintArg): Deleted.
+ - Refactored to move the underlying PrintRecord (and associated data structures)
+ out to Printer.cpp/h.
+ - MacroAssemblerPrinter.cpp/h now only add custom Printers for MASM types like
+ RegisterID and Memory. It also defines the implementation of
+ MacroAssembler::print().
+
+ As before, JIT code that wishes to use MacroAssembler::print() needs to
+ #include "MacroAssemblerPrinter.h".
+
+ - Also added the ability to specify an optional indentation (in number of chars)
+ when MASM printing AllRegisters. This is useful because AllRegisters prints
+ a block of data unlike other printers which print inline.
+
+ * assembler/Printer.cpp: Added.
+ (JSC::Printer::printConstCharString):
+ (JSC::Printer::printIntptr):
+ (JSC::Printer::printUintptr):
+ (JSC::Printer::printPointer):
+ (JSC::Printer::setPrinter):
+ * assembler/Printer.h: Added.
+ (JSC::Printer::Context::Context):
+ (JSC::Printer::PrintRecord::PrintRecord):
+ (JSC::Printer::appendPrinter):
+ (JSC::Printer::makePrintRecordList):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::setPrinter):
+ (JSC::Printer::Printer::Printer):
+ - Data structures for creating a list of PrintRecords. Classes which wish to
+ add custom support for MASM printing can #include "Printer.h" and implement
+ either:
+ 1. a specialized Printer template, or
+ 2. a setPrinter() function.
+
+ See Printer and Printer in AirPrintSpecial.h for examples of
+ (1). See CodeBlock's setPrinter() for an example of (2).
+
+ * b3/B3LowerToAir.cpp:
+ (JSC::B3::Air::LowerToAir::print):
+ * b3/air/AirPrintSpecial.cpp: Added.
+ (JSC::B3::Air::PrintSpecial::PrintSpecial):
+ (JSC::B3::Air::PrintSpecial::~PrintSpecial):
+ (JSC::B3::Air::PrintSpecial::forEachArg):
+ (JSC::B3::Air::PrintSpecial::isValid):
+ (JSC::B3::Air::PrintSpecial::admitsStack):
+ (JSC::B3::Air::PrintSpecial::reportUsedRegisters):
+ (JSC::B3::Air::PrintSpecial::generate):
+ (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
+ (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
+ (JSC::B3::Air::PrintSpecial::dumpImpl):
+ (JSC::B3::Air::PrintSpecial::deepDumpImpl):
+ (JSC::Printer::printAirArg):
+ * b3/air/AirPrintSpecial.h: Added.
+ (JSC::Printer::appendAirArg):
+ (JSC::Printer::appendAirArgs):
+ (JSC::Printer::Printer::Printer):
+ (JSC::Printer::Printer::Printer):
+ - Add the print() operation for use in LowerToAir. print() will emit a
+ PrintSpecial that will ultimately emit a MASM print to print what we want.
+ - LowerToAir's print() adds the ability to print Air::Args.
+ - Unlike in the baseline JIT and the DFG, LowerToAir's print() can perturb the
+ usage of registers. This is because PrintSpecial is a patch point, and it
+ prevents certain optimizations. If not used carefully, an attempt to print()
+ an Arg by taking a Tmp, can force the B3 Value into a Tmp earlier than it would
+ otherwise do so. So, use LowerToAir's print() with care.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::setPrinter):
+ - Now we can MASM print CodeBlock*.
+ (WTF::printInternal):
+ - Now we can dataLog CodeBlock* (including null CodeBlock pointers).
+
+ * bytecode/CodeBlock.h:
+
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ - Use the new ability to dataLog CodeBlock*. No need to do an explicit null
+ check before printing anymore.
+
+2017-04-21 Keith Miller
+
+ Unreviewed, rolling out r215634.
+
+ underlying build issues should have been fixed
+
+ Reverted changeset:
+
+ "Unreviewed, rolling out r215620 and r215623."
+ https://bugs.webkit.org/show_bug.cgi?id=171139
+ http://trac.webkit.org/changeset/215634
+
+2017-04-21 Commit Queue
+
+ Unreviewed, rolling out r215620 and r215623.
+ https://bugs.webkit.org/show_bug.cgi?id=171139
+
+ broke arm64 build (Requested by keith_miller on #webkit).
+
+ Reverted changesets:
+
+ "Add signaling API"
+ https://bugs.webkit.org/show_bug.cgi?id=170976
+ http://trac.webkit.org/changeset/215620
+
+ "Unreviewed, fix Cloop build."
+ http://trac.webkit.org/changeset/215623
+
+2017-04-21 Keith Miller
+
+ Remove LL/SC from Atomics
+ https://bugs.webkit.org/show_bug.cgi?id=171141
+
+ Reviewed by Saam Barati.
+
+ Adding load link and store conditionally was not an actual progression
+ and the existing code is causing problems for users of Atomics. So let's
+ get rid of it.
+
+ * heap/LargeAllocation.h:
+ (JSC::LargeAllocation::testAndSetMarked):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::testAndSetMarked):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
+
+2017-04-21 Keith Miller
+
+ Unreviewed, fix Cloop build.
+
+ * jit/ExecutableAllocator.h:
+ (JSC::isJITPC):
+
+2017-04-20 Keith Miller
+
+ Add signaling API
+ https://bugs.webkit.org/show_bug.cgi?id=170976
+
+ Reviewed by Filip Pizlo.
+
+ Update various uses of sigaction to use the new signaling API.
+ Also switch VMTraps to use the thread message system instead of
+ rolling it's own.
+
+ * jit/ExecutableAllocator.h:
+ (JSC::isJITPC):
+ * runtime/VMTraps.cpp:
+ (JSC::installSignalHandler):
+ (JSC::VMTraps::VMTraps):
+ (JSC::VMTraps::SignalSender::send):
+ (JSC::handleSigusr1): Deleted.
+ (JSC::handleSigtrap): Deleted.
+ (JSC::installSignalHandlers): Deleted.
+ * runtime/VMTraps.h:
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::installCrashHandler):
+ (JSC::handleCrash): Deleted.
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+ (JSC::Wasm::enableFastMemory):
+
+2017-04-21 Michael Saboff
+
+ X86-64 Assembler doesn't handle xchg with byte register src
+ https://bugs.webkit.org/show_bug.cgi?id=171118
+
+ Reviewed by Saam Barati.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::xchgb_rm): Use oneByteOp8() since these are 8 bit opcodes.
+
+2017-04-21 Andy VanWagoner
+
+ [INTL] Implement Intl.DateTimeFormat.prototype.formatToParts
+ https://bugs.webkit.org/show_bug.cgi?id=169458
+
+ Reviewed by JF Bastien.
+
+ Use udat_formatForFields to iterate through the parts of a formatted date string.
+ Make formatToParts and related functions dependent on ICU version >= 55.
+
+ * icu/unicode/udat.h: Update to 55.1.
+ * icu/unicode/ufieldpositer.h: Added from 55.1.
+ * icu/unicode/uvernum.h: Update to 55.1
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::partTypeString): Convert UDateFormatField to string.
+ (JSC::IntlDateTimeFormat::formatToParts): Return parts of formatted date string.
+ * runtime/IntlDateTimeFormat.h:
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): Add prototype function formatToParts.
+
+2017-04-20 Konstantin Tokarev
+
+ [cmake] Define FORWARDING_HEADERS_DIR in WebKitFS and use it everywhere
+ https://bugs.webkit.org/show_bug.cgi?id=171071
+
+ Reviewed by Michael Catanzaro.
+
+ "${DERIVED_SOURCES_DIR}/ForwardingHeaders" path occurs very often in the
+ build system files. GTK-specifc FORWARDING_HEADERS_DIR variable should
+ be available for all ports.
+
+ * CMakeLists.txt:
+ * PlatformWin.cmake:
+
+2017-04-20 Konstantin Tokarev
+
+ Remove unused lamda captures
+ https://bugs.webkit.org/show_bug.cgi?id=171098
+
+ Reviewed by Yusuke Suzuki.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayNode::emitBytecode):
+ * ftl/FTLState.cpp:
+ (JSC::FTL::State::State):
+ * wasm/WasmB3IRGenerator.cpp:
+
+2017-04-20 Yusuke Suzuki
+
+ [JSC][FTL] FTL should support Arrayify
+ https://bugs.webkit.org/show_bug.cgi?id=169596
+
+ Reviewed by Saam Barati.
+
+ This patch simply expands the coverage of FTL by supporting Arrayify.
+ While ArrayifyToStructure is already supported, Arrayify is not supported
+ in FTL. While supporting Arrayify in FTL itself does not offer so much
+ performance difference from DFG's one, no FTL support for Arrayify
+ prevents us applying FTL to the code including Arrayify.
+
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::toIndexingShape):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArrayify):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckArray):
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArrayifyToStructure): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayType): Deleted.
+
+2017-04-20 Mark Lam
+
+ virtualThunkFor() needs to materialize its of tagMaskRegister for tail calls.
+ https://bugs.webkit.org/show_bug.cgi?id=171079
+
+
+ Reviewed by Saam Barati.
+
+ This is needed because tail calls would restore callee saved registers (and
+ therefore, potentially clobber the tag registers) before jumping to the thunk.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+
+2017-04-20 Mark Lam
+
+ Build fix after r215592.
+ https://bugs.webkit.org/show_bug.cgi?id=171088
+
+ Not reviewed.
+
+ * assembler/MacroAssemblerPrinter.h:
+
+2017-04-20 Mark Lam
+
+ Update the MASM probe to only take 1 arg instead of 2 (in addition to the callback function).
+ https://bugs.webkit.org/show_bug.cgi?id=171088
+
+ Reviewed by Michael Saboff and Saam Barati.
+
+ Experience shows that we never use the 2nd arg. So, let's remove it to reduce
+ the footprint at each probe site.
+
+ Also fix the MacroAssembler::print() function so that it is a no-op when
+ !ENABLE(MASM_PROBE). This will allow us to have print() statements in JIT code
+ without a lot of #if ENABLE(MASM_PROBE)s later.
+
+ * assembler/AbstractMacroAssembler.h:
+ * assembler/MacroAssembler.cpp:
+ (JSC::stdFunctionCallback):
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssembler.h:
+ * assembler/MacroAssemblerARM.cpp:
+ (JSC::MacroAssemblerARM::probe):
+ * assembler/MacroAssemblerARM.h:
+ * assembler/MacroAssemblerARM64.cpp:
+ (JSC::MacroAssemblerARM64::probe):
+ * assembler/MacroAssemblerARM64.h:
+ * assembler/MacroAssemblerARMv7.cpp:
+ (JSC::MacroAssemblerARMv7::probe):
+ * assembler/MacroAssemblerARMv7.h:
+ * assembler/MacroAssemblerPrinter.cpp:
+ (JSC::MacroAssemblerPrinter::printCallback):
+ * assembler/MacroAssemblerPrinter.h:
+ (JSC::MacroAssemblerPrinter::print):
+ (JSC::MacroAssembler::print):
+ * assembler/MacroAssemblerX86Common.cpp:
+ (JSC::MacroAssemblerX86Common::probe):
+ * assembler/MacroAssemblerX86Common.h:
+
+2017-04-20 Matt Baker
+
+ Web Inspector: Add regular expression support to XHR breakpoints
+ https://bugs.webkit.org/show_bug.cgi?id=170099
+
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/protocol/DOMDebugger.json:
+ New optional `isRegex` parameter denotes whether `url` contains
+ a regular expression.
+
+2017-04-15 Filip Pizlo
+
+ Optimize SharedArrayBuffer in the DFG+FTL
+ https://bugs.webkit.org/show_bug.cgi?id=164108
+
+ Reviewed by Saam Barati.
+
+ This adds atomics intrinsics to the DFG and wires them through to the DFG and FTL backends. This
+ was super easy in the FTL since B3 already has comprehensive atomic intrinsics, which are more
+ powerful than what we need right now.
In the DFG backend, I went with an easy-to-write
+ implementation that just reduces everything to a weak CAS loop. It's very inefficient with
+ registers (it needs ~8) but it's the DFG backend, so it's not obvious how much we care.
+
+ To make the rare cases easy to handle, I refactored AtomicsObject.cpp so that the operations for
+ the slow paths can share code with the native functions.
+
+ This also fixes register handling in the X86 implementations of CAS, in the case that
+ expectedAndResult is not %rax. This also fixes the ARM64 implementation of branchWeakCAS.
+
+ I adapted the CascadeLock from WTF/benchmarks/ToyLocks.h as a microbenchmark of lock performance.
+ This benchmark performs 2.5x faster, in both the contended and uncontended case, thanks to this
+ change. It's still about 3x slower than native. I investigated this only a bit. I suspect that
+ the story will be different in asm.js code, which will get constant-folding of the typed array
+ backing store by virtue of how it uses lexically scoped variables as pointers to the heap arrays.
+ It's worth noting that the native lock I was comparing against, the very nicely-tuned
+ CascadeLock, is at the very high end of lock throughput under virtually all conditions
+ (uncontended, microcontended, held for a long time). I also compared to WTF::Lock and others, and
+ the only ones that performed better in this microbenchmark were spinlocks. I don't recommend
+ using those. So, when I say this is 3x slower than native, I really mean that it's 3x slower than
+ the fastest native lock that I have in my arsenal.
+
+ Also worth noting is that I experimented with exposing Atomics.yield(), which uses sched_yield,
+ as a way of testing if adding a yield loop to the JS cascadeLock would help. It does not help. I
+ did not investigate why.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::JumpList::append):
+ * assembler/CPU.h:
+ (JSC::is64Bit):
+ (JSC::is32Bit):
+ * b3/B3Common.h:
+ (JSC::B3::is64Bit): Deleted.
+ (JSC::B3::is32Bit): Deleted.
+ * b3/B3LowerToAir.cpp:
+ (JSC::B3::Air::LowerToAir::appendTrapping):
+ (JSC::B3::Air::LowerToAir::appendCAS):
+ (JSC::B3::Air::LowerToAir::appendGeneralAtomic):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::hasArrayMode):
+ * dfg/DFGNodeType.h:
+ (JSC::DFG::isAtomicsIntrinsic):
+ (JSC::DFG::numExtraAtomicsArgs):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::getIntTypedArrayStoreOperand):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.cpp:
+ (JSC::FTL::AbstractHeapRepository::decorateFencedAccess):
+ (JSC::FTL::AbstractHeapRepository::computeRangesAndDecorateInstructions):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ 
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
+ (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsIsLockFree):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::loadFromIntTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::storeType):
+ (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
+ (JSC::FTL::DFG::LowerDFGToB3::getIntTypedArrayStoreOperand):
+ (JSC::FTL::DFG::LowerDFGToB3::vmCall):
+ * ftl/FTLOutput.cpp:
+ (JSC::FTL::Output::store):
+ (JSC::FTL::Output::store32As8):
+ (JSC::FTL::Output::store32As16):
+ (JSC::FTL::Output::atomicXchgAdd):
+ (JSC::FTL::Output::atomicXchgAnd):
+ (JSC::FTL::Output::atomicXchgOr):
+ (JSC::FTL::Output::atomicXchgSub):
+ (JSC::FTL::Output::atomicXchgXor):
+ (JSC::FTL::Output::atomicXchg):
+ (JSC::FTL::Output::atomicStrongCAS):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::store32):
+ (JSC::FTL::Output::store64):
+ (JSC::FTL::Output::storePtr):
+ (JSC::FTL::Output::storeFloat):
+ (JSC::FTL::Output::storeDouble):
+ * jit/JITOperations.h:
+ * runtime/AtomicsObject.cpp:
+ (JSC::atomicsFuncAdd):
+ (JSC::atomicsFuncAnd):
+ (JSC::atomicsFuncCompareExchange):
+ (JSC::atomicsFuncExchange):
+ (JSC::atomicsFuncIsLockFree):
+ (JSC::atomicsFuncLoad):
+ (JSC::atomicsFuncOr):
+ (JSC::atomicsFuncStore):
+ (JSC::atomicsFuncSub):
+ (JSC::atomicsFuncWait):
+ (JSC::atomicsFuncWake):
+ (JSC::atomicsFuncXor):
+ (JSC::operationAtomicsAdd):
+ (JSC::operationAtomicsAnd):
+ (JSC::operationAtomicsCompareExchange):
+ (JSC::operationAtomicsExchange):
+ (JSC::operationAtomicsIsLockFree):
+ (JSC::operationAtomicsLoad):
+ (JSC::operationAtomicsOr):
+ (JSC::operationAtomicsStore):
+ (JSC::operationAtomicsSub):
+ (JSC::operationAtomicsXor):
+ * runtime/AtomicsObject.h:
+
+2017-04-19 Youenn Fablet
+
+ [Mac] Allow customizing H264 encoder
+ https://bugs.webkit.org/show_bug.cgi?id=170829
+
+ Reviewed by Alex Christensen.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-19 Michael Saboff
+
+ Tune GC related JSC options for iOS
+ https://bugs.webkit.org/show_bug.cgi?id=171019
+
+ Reviewed by Mark Lam.
+
+ Always set these GC options on iOS.
+
+ * runtime/Options.cpp:
+ (JSC::overrideDefaults):
+
+2017-04-19 JF Bastien
+
+ WebAssembly: fast memory cleanups
+ https://bugs.webkit.org/show_bug.cgi?id=170909
+
+ Reviewed by Saam Barati.
+
+ * b3/B3LowerToAir.cpp: correct comment, and make wasm-independent
+ (JSC::B3::Air::LowerToAir::lower):
+ * b3/B3Procedure.h:
+ * b3/B3Validate.cpp:
+ * b3/B3Value.cpp:
+ (JSC::B3::Value::effects):
+ * b3/B3WasmBoundsCheckValue.cpp: have the creator pass in a
+ maximum, so we don't have to know so much about wasm here
+ (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
+ (JSC::B3::WasmBoundsCheckValue::cloneImpl):
+ (JSC::B3::WasmBoundsCheckValue::dumpMeta):
+ * b3/B3WasmBoundsCheckValue.h:
+ (JSC::B3::WasmBoundsCheckValue::boundsType):
+ (JSC::B3::WasmBoundsCheckValue::bounds):
+ * b3/air/AirCode.h:
+ * b3/air/AirCustom.h:
+ (JSC::B3::Air::WasmBoundsCheckCustom::generate):
+ * b3/testb3.cpp:
+ (JSC::B3::testWasmBoundsCheck):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::createJSToWasmWrapper): remove dead code
+ * wasm/WasmMemory.cpp: don't GC if no memory could possibly be free'd
+ (JSC::Wasm::Memory::initializePreallocations): verbose-only code,
+ and copy-pasta bug
+
+2017-04-19 Mark Lam
+
+ B3StackmapSpecial should handle when stackmap values are not recoverable from a Def'ed arg.
+ https://bugs.webkit.org/show_bug.cgi?id=170973
+
+
+ Reviewed by Filip Pizlo.
+
+ In the event of an arithmetic overflow on a binary sub instruction (where the
+ result register is same as one of the operand registers), the CheckSub FTL
+ operation will try to recover the original value in the clobbered result register.
+
+ This recover is done by adding the other operand value to the result register.
+ However, this recovery method only works if the width of the original value in
+ the result register is less or equal to the width of the expected result. If the
+ width of the original operand value (e.g. a JSInt32) is wider than the result
+ (e.g. a machine Int32), then the sub operation would have zero extended the
+ result and cleared the upper 32-bits of the result register. Recovery by adding
+ back the other operand will not restore the JSValue tag in the upper word.
+
+ This poses a problem if the stackmap value for the operand relies on that same
+ clobbered register.
+
+ The fix is to detect this potential scenario (i.e. width of the Def's arg < width
+ of a stackmap value). If this condition is detected, we'll declare the stackmap
+ value to be LateColdUse to ensure that the register allocator gives it a
+ different register if needed so that it's not dependent on the clobbered register.
+
+ * b3/B3CheckSpecial.cpp:
+ (JSC::B3::CheckSpecial::forEachArg):
+ * b3/B3PatchpointSpecial.cpp:
+ (JSC::B3::PatchpointSpecial::forEachArg):
+ * b3/B3StackmapSpecial.cpp:
+ (JSC::B3::StackmapSpecial::forEachArgImpl):
+ * b3/B3StackmapSpecial.h:
+
+2017-04-19 JF Bastien
+
+ Unreviewed, rolling out r215520.
+
+ Broke Debian 8
+
+ Reverted changeset:
+
+ "[INTL] Implement Intl.DateTimeFormat.prototype.formatToParts"
+ https://bugs.webkit.org/show_bug.cgi?id=169458
+ http://trac.webkit.org/changeset/215520
+
+2017-04-19 JF Bastien
+
+ WebAssembly: limit slow memories
+ https://bugs.webkit.org/show_bug.cgi?id=170825
+
+ Reviewed by Saam Barati.
+
+ We limits the number of fast memories, partly because ASLR. The
+ code then falls back to slow memories. It first tries to virtually
+ allocated any declared maximum (and in there, physically the
+ initial), and if that fails it tries to physically allocate the
+ initial without any extra.
+
+ This can still be used to cause a bunch of virtual
+ allocation. This patch imposes soft limit on slow memories as
+ well. The total virtual maximum for slow memories is set at the
+ same (theoretical) value as that for fast memories.
+
+ Anything exceeding that limit causes allocation/grow to fail.
+
+ * wasm/WasmMemory.cpp:
+
+2017-04-19 JF Bastien
+
+ Cannot compile JavaScriptCore/runtime/VMTraps.cpp on FreeBSD because std::pair has a non-trivial copy constructor
+ https://bugs.webkit.org/show_bug.cgi?id=170875
+
+ Reviewed by Mark Lam.
+
+ WTF::ExpectedDetail::ConstexprBase doesn't have a user-defined
+ copy constructor, and its implicitly-defined copy constructor is
+ deleted because the default std::pair implementation on FreeBSD
+ has a non-trivial copy constructor. /usr/include/c++/v1/__config
+ says _LIBCPP_TRIVIAL_PAIR_COPY_CTOR is disabled in order to keep
+ ABI compatibility:
+ https://svnweb.freebsd.org/changeset/base/261801.
+
+ That's a huge bummer, and I'm not a fan of broken stdlibs, but in
+ this case it's pretty nice to have a custom named type anyways and
+ costs nothing.
+
+ * runtime/VMTraps.cpp:
+ (JSC::findActiveVMAndStackBounds):
+ (JSC::handleSigusr1):
+ (JSC::handleSigtrap):
+
+2017-04-19 Andy VanWagoner
+
+ [INTL] Implement Intl.DateTimeFormat.prototype.formatToParts
+ https://bugs.webkit.org/show_bug.cgi?id=169458
+
+ Reviewed by JF Bastien.
+
+ Use udat_formatForFields to iterate through the parts of a formatted date string.
+
+ * icu/unicode/udat.h: Update to 55.1.
+ * icu/unicode/ufieldpositer.h: Added from 55.1.
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::partTypeString): Convert UDateFormatField to string.
+ (JSC::IntlDateTimeFormat::formatToParts): Return parts of formatted date string.
+ * runtime/IntlDateTimeFormat.h:
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts): Add prototype function formatToParts.
+
+2017-04-19 JF Bastien
+
+ WebAssembly: don't expose any WebAssembly JS object if JIT is off
+ https://bugs.webkit.org/show_bug.cgi?id=170782
+
+ Reviewed by Saam Barati.
+
+ It's unexpected that we expose the global WebAssembly object if no
+ JIT is present because it can't be used to compile or
+ instantiate. Other APIs such as Memory should also be Inaccessible
+ in those circumstances.
+
+ Also ensure that we don't pre-allocate fast memories if
+ WebAssembly won't be used, and don't mark our intention to use a
+ fast TLS slot for WebAssembly.
+
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+
+2017-04-19 Yusuke Suzuki
+
+ r211670 broke double to int conversion.
+ https://bugs.webkit.org/show_bug.cgi?id=170961
+
+ Reviewed by Mark Lam.
+
+ In this patch, we take a template parameter way.
+ While it reduces duplicate code, it effectively produces
+ optimized code for operationToInt32SensibleSlow,
+ and fixes kraken pbkdf2 regression on Linux.
+
+ And this patch also fixes undefined behavior by changing
+ int32_t to uint32_t. If exp is 31, missingOne is 1 << 31,
+ INT32_MIN. Thus missingOne - 1 will cause int32_t overflow,
+ and it is an undefined behavior.
+
+ * runtime/MathCommon.cpp:
+ (JSC::operationToInt32SensibleSlow):
+ * runtime/MathCommon.h:
+ (JSC::toInt32Internal):
+ (JSC::toInt32):
+
+2017-04-18 Mark Lam
+
+ r211670 broke double to int conversion.
+ https://bugs.webkit.org/show_bug.cgi?id=170961
+
+
+ Reviewed by Yusuke Suzuki.
+
+ This is because operationToInt32SensibleSlow() assumes that left shifts of greater
+ than 31 bits on an 31-bit value will produce a 0. However, the spec says that
+ "if the value of the right operand is negative or is greater or equal to the
+ number of bits in the promoted left operand, the behavior is undefined."
+ See http://en.cppreference.com/w/cpp/language/operator_arithmetic#Bitwise_shift_operators.
+
+ This patch fixes this by restoring the check to prevent a shift of greater than
+ 31 bits.
It also consolidates the optimization in operationToInt32SensibleSlow()
+ back into toInt32() so that we don't have 2 copies of the same code with only a
+ slight variation.
+
+ JSC benchmarks shows that performance is neutral with this patch.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):
+ * runtime/MathCommon.cpp:
+ (JSC::operationToInt32SensibleSlow): Deleted.
+ * runtime/MathCommon.h:
+ (JSC::toInt32):
+
+2017-04-18 Oleksandr Skachkov
+
+ [ES6]. Implement Annex B.3.3 function hoisting rules for eval
+ https://bugs.webkit.org/show_bug.cgi?id=163208
+
+ Reviewed by Saam Barati.
+
+ Current patch implements Annex B.3.3 that is related to
+ hoisting of function declaration in eval.
+ https://tc39.github.io/ecma262/#sec-web-compat-evaldeclarationinstantiation
+ Function declaration in eval should create variable with
+ function name in function scope where eval is invoked
+ or bind to variable if it declared outside of the eval.
+ If variable is created it can be removed by 'delete a;' command.
+ If eval is invoke in block scope that contains let/const
+ variable with the same name as function declaration
+ we do not bind.
This patch leads to the following behavior:
+ '''
+ function foo() {
+ {
+ print(boo); // undefined
+ eval('{ function boo() {}}');
+ print(boo); // function boo() {}
+ }
+ print(boo); // function boo() {}
+ }
+
+ function foobar() {
+ {
+ let boo = 10;
+ print(boo); // 10;
+ eval('{ function boo() {}}');
+ print(boo); // 10;
+ }
+ print(boo) // 10
+ }
+
+ function bar() {
+ {
+ var boo = 10;
+ print(boo); // 10
+ eval('{ function boo() {} }');
+ print(boo); // function boo() {}
+ }
+ print(boo); // function boo() {}
+ }
+
+ function bas() {
+ {
+ let boo = 10;
+ eval(' { function boo() {} } ');
+ print(boo); // 10
+ }
+ print(boo); //Reference Error
+ }
+ '''
+
+ Current implementation relies on already implemented
+ 'hoist function in sloppy mode' feature, with small changes.
+ In short it works in following way: during hoisting of function
+ with name S in eval, we are looking for first scope that
+ contains space for variable with name S and if this scope
+ has var type we bind function there
+
+ To implement this feature was added bytecode ops:
+ op_resolve_scope_for_hoisting_func_decl_in_eval - get variable scope
+ or return undefined if variable can't be binded there.
+
+ There is a corner case, hoist function in eval within catch block,
+ that is not covered by this patch, and will be fixed in
+ https://bugs.webkit.org/show_bug.cgi?id=168184
+
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeLLIntInlineCaches):
+ * bytecode/EvalCodeBlock.h:
+ (JSC::EvalCodeBlock::functionHoistingCandidate):
+ (JSC::EvalCodeBlock::numFunctionHoistingCandidates):
+ * bytecode/UnlinkedEvalCodeBlock.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::hoistSloppyModeFunctionIfNecessary):
+ (JSC::BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval):
+ * bytecompiler/BytecodeGenerator.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasIdentifier):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+
(JSC::FTL::DFG::LowerDFGToB3::compileResolveScopeForHoistingFuncDeclInEval):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval):
+ * llint/LowLevelInterpreter.asm:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseFunctionDeclarationStatement):
+ * parser/Parser.h:
+ (JSC::Scope::getSloppyModeHoistedFunctions):
+ (JSC::Parser::declareFunction):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ * runtime/EvalExecutable.h:
+ (JSC::EvalExecutable::numFunctionHoistingCandidates):
+ (JSC::EvalExecutable::numTopLevelFunctionDecls):
+ (JSC::EvalExecutable::numberOfFunctionDecls): Deleted.
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::resolve):
+ (JSC::JSScope::resolveScopeForHoistingFuncDeclInEval):
+ * runtime/JSScope.h:
+
+2017-04-18 Saam Barati
+
+ Follow up to address Mark's comments after r215453
+
+ Rubber stamped by Mark Lam.
+
+ This patch chooses better names for things, adhering to Mark's suggestions
+ in https://bugs.webkit.org/show_bug.cgi?id=139847
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::CallFunctionCallDotNode::emitBytecode):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ * parser/NodeConstructors.h:
+ (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
+ (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
+ * parser/Nodes.h:
+ * parser/Parser.cpp:
+ (JSC::recordCallOrApplyDepth):
+ (JSC::Parser::parseMemberExpression):
+ * parser/Parser.h:
+ (JSC::Parser::CallOrApplyDepthScope::CallOrApplyDepthScope):
+ (JSC::Parser::CallOrApplyDepthScope::distanceToInnermostChild):
+ (JSC::Parser::CallOrApplyDepthScope::~CallOrApplyDepthScope):
+ (JSC::Parser::CallOrApplyDepth::CallOrApplyDepth): Deleted.
+ (JSC::Parser::CallOrApplyDepth::maxChildDepth): Deleted.
+ (JSC::Parser::CallOrApplyDepth::~CallOrApplyDepth): Deleted.
+
+2017-04-18 Yusuke Suzuki
+
+ [DFG] Convert ValueAdd(Int32, String) => MakeRope(ToString(Int32), String)
+ https://bugs.webkit.org/show_bug.cgi?id=170943
+
+ Reviewed by Geoffrey Garen.
+
+ This patch converts ValueAdd(Int32, String) to MakeRope(ToString(Int32), String).
+ This has 2 great features.
+
+ 1. MakeRope(ToString(Int32), String) is less clobbering.
+
+ While ValueAdd ends up calling functions, VM knows much about MakeRope(ToString(Int32), String)
+ and VM knows it is less clobbering. It encourages LICM and other operations that is conservatively
+ executed because of ValueAdd's clobbering.
+
+ 2. Simply, MakeRope(ToString(Int32), String) is faster than ValueAdd.
+
+ While ValueAdd ends up calling a generic function, our ToString(Int32) calls well-optimized toString
+ operation. And later, MakeRope can fall into the fast path that just takes a string from a free list.
+ It is simply faster than ValueAdd.
+
+ We ensure that this patch shows performance improvement in attached benchmarks.
+
+ baseline patched
+
+ number-to-string-with-add-empty 16.2763+-3.3930 ^ 10.3142+-1.0967 ^ definitely 1.5780x faster
+ number-to-string-with-add-in-loop 168.7621+-10.9738 ^ 15.5307+-3.3179 ^ definitely 10.8664x faster
+ number-to-string-with-add 18.8557+-4.8292 11.6901+-2.5650 might be 1.6130x faster
+
+ In SixSpeed,
+
+ baseline patched
+
+ template_string_tag.es5 200.1027+-20.6871 ^ 25.7925+-11.4052 ^ definitely 7.7582x faster
+ template_string_tag.es6 331.3913+-12.1750 ^ 286.6958+-26.0441 ^ definitely 1.1559x faster
+ for-of-array.es5 412.4344+-23.2517 ^ 272.8707+-47.2118 ^ definitely 1.5115x faster
+ for-of-array.es6 504.0082+-65.5045 ^ 300.3277+-12.8193 ^ definitely 1.6782x faster
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::createToString):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+
+2017-04-18 Michael Saboff
+
+ REGRESSION(215272): microbenchmark/seal-and-do-work and microbenchmark/freeze-and-do-work are 27x slower
+ https://bugs.webkit.org/show_bug.cgi?id=170881
+
+ Reviewed by Saam Barati.
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorSeal):
+ (JSC::objectConstructorFreeze):
+ Restored fast paths for final objects that don't have indexed properties.
+
+2017-04-18 Yusuke Suzuki
+
+ [DFG] Use Phantom for base instead of getter when inlining intrinsic getter
+ https://bugs.webkit.org/show_bug.cgi?id=170947
+
+ Reviewed by Saam Barati.
+
+ getter does not need to be live after OSR Exit.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleGetById):
+
+2017-04-18 Yusuke Suzuki
+
+ Unreviewed, follow-up patch after r215459
+ https://bugs.webkit.org/show_bug.cgi?id=170940
+
+ Reviewed by Filip Pizlo.
+
+ CheckCell can cause OSRExit. Thus Phantom should be placed after CheckCell.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+
+2017-04-18 Yusuke Suzuki
+
+ [DFG] Drop unknown use of CheckCell's child2 to work ObjectAllocationSinking for Array iterator object
+ https://bugs.webkit.org/show_bug.cgi?id=170940
+
+ Reviewed by Filip Pizlo.
+
+ The second argument of CheckCell is not used in meaningful way. It is just *use* the node.
+ The problem is that it effectively *use* the child2 in ObjectAllocationSinking phase, and
+ prevent us from eliminating object allocations. Actually, it materializes Array iterator
+ when inlining `next()`. Instead, we should use Phantom in such a case.
+
+ It improves destructuring.es6 in SixSpeed 2.5x.
+
+ destructuring.es6 308.5184+-25.3490 ^ 119.5680+-15.0520 ^ definitely 2.5803x faster
+
+ Note that SixSpeed tested in arewefastyet executes all the tests in one process while our SixSpeed
+ tests each one in isolated way.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+
+2017-04-18 Yusuke Suzuki
+
+ [JSC][GTK] glib RunLoop does not accept negative start interval
+ https://bugs.webkit.org/show_bug.cgi?id=170775
+
+ Reviewed by Saam Barati.
+
+ * heap/GCActivityCallback.cpp:
+ (JSC::GCActivityCallback::scheduleTimer):
+
+2017-04-17 Saam Barati
+
+ BytecodeGenerator ".call" and ".apply" is exponential in nesting depth
+ https://bugs.webkit.org/show_bug.cgi?id=139847
+
+
+ Reviewed by Oliver Hunt.
+
+ The BytecodeGenerator's .apply(...) and .call(...) code would
+ emit bytecode for the evaluation of its arguments twice. This
+ is exponential, specifically, 2^n, where n is the nesting depth of
+ .call(...) or .apply(...) inside other .call(...) or .apply(...).
+
+ The reason we emit code for the arguments twice is that we try
+ to emit efficient code for when .call or .apply is Function.prototype.call
+ or Function.prototype.apply.
Because of this, we compare .call/.apply to
+ Function.prototype.call/.apply, and if they're the same, we emit a specialized
+ function call in bytecode. Otherwise, we emit the generalized version.
+
+ This patch makes it so that each .call(...) and .apply(...) records
+ its max inner nesting depth. Then, we only perform the optimization
+ for the bottom k (where k = 6) layers of the nesting tree. The reason we
+ apply the optimization to the bottom k layers instead of top k layers
+ is that we'll produce less code this way.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::CallFunctionCallDotNode::emitBytecode):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::makeFunctionCallNode):
+ * parser/NodeConstructors.h:
+ (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
+ (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
+ * parser/Nodes.h:
+ * parser/Parser.cpp:
+ (JSC::recordCallOrApplyDepth):
+ (JSC::Parser::parseMemberExpression):
+ * parser/Parser.h:
+ (JSC::Parser::CallOrApplyDepth::CallOrApplyDepth):
+ (JSC::Parser::CallOrApplyDepth::maxChildDepth):
+ (JSC::Parser::CallOrApplyDepth::~CallOrApplyDepth):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::makeFunctionCallNode):
+
+2017-04-17 Mark Lam
+
+ JSArray::appendMemcpy() needs to handle copying from Undecided indexing type too.
+ https://bugs.webkit.org/show_bug.cgi?id=170896
+
+
+ Reviewed by JF Bastien and Keith Miller.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::appendMemcpy):
+
+2017-04-17 Joseph Pecoraro
+
+ Web Inspector: Doesn't show size of compressed content correctly
+ https://bugs.webkit.org/show_bug.cgi?id=155112
+
+
+ Reviewed by Alex Christensen and Timothy Hatcher.
+
+ * inspector/protocol/Network.json:
+ New, exact size metrics, available after the load completes.
+
+2017-04-17 Youenn Fablet
+
+ Disable outdated WritableStream API
+ https://bugs.webkit.org/show_bug.cgi?id=170749
+
+
+ Reviewed by Alex Christensen.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-17 Yusuke Suzuki
+
+ [JSCOnly] Fix build failures in macOS
+ https://bugs.webkit.org/show_bug.cgi?id=170887
+
+ Reviewed by Alex Christensen.
+
+ Align ICU header configuration to MacCMake port.
+
+ * PlatformJSCOnly.cmake:
+
+2017-04-17 JF Bastien
+
+ B3: don't allow unsigned offsets in Value
+ https://bugs.webkit.org/show_bug.cgi?id=170692
+
+ Reviewed by Filip Pizlo.
+
+ MemoryValue and similar B3 opcode classes always expects a signed
+ offset. Giving it an out-of-bounds unsigned offset causes
+ implementation-defined behavior, which can cause badness as I just
+ fixed in WebAssembly. This patch makes it impossible to create a
+ Value opcodes with an unsigned value, or with an overly-large
+ value.
+
+ * b3/B3AtomicValue.cpp:
+ (JSC::B3::AtomicValue::AtomicValue):
+ * b3/B3AtomicValue.h:
+ * b3/B3Common.h:
+ (JSC::B3::isRepresentableAs):
+ * b3/B3EliminateCommonSubexpressions.cpp:
+ * b3/B3LowerToAir.cpp:
+ (JSC::B3::Air::LowerToAir::scaleForShl):
+ (JSC::B3::Air::LowerToAir::effectiveAddr):
+ (JSC::B3::Air::LowerToAir::addr):
+ (JSC::B3::Air::LowerToAir::tryAppendLea):
+ * b3/B3MemoryValue.cpp:
+ (JSC::B3::MemoryValue::isLegalOffsetImpl):
+ (JSC::B3::MemoryValue::MemoryValue):
+ * b3/B3MemoryValue.h:
+ * b3/B3MemoryValueInlines.h:
+ (JSC::B3::MemoryValue::isLegalOffsetImpl):
+ * b3/B3MoveConstants.cpp:
+ * b3/B3ReduceStrength.cpp:
+ * b3/B3StackmapSpecial.cpp:
+ (JSC::B3::StackmapSpecial::repForArg):
+ * b3/B3Value.h:
+ * b3/air/AirArg.cpp:
+ (JSC::B3::Air::Arg::stackAddrImpl):
+ * b3/air/AirArg.h:
+ (JSC::B3::Air::Arg::addr):
+ (JSC::B3::Air::Arg::stack):
+ (JSC::B3::Air::Arg::callArg):
+ (JSC::B3::Air::Arg::stackAddr):
+ (JSC::B3::Air::Arg::index):
+ (JSC::B3::Air::Arg::offset):
+ (JSC::B3::Air::Arg::isValidAddrForm):
+ (JSC::B3::Air::Arg::isValidIndexForm):
+ (JSC::B3::Air::Arg::asTrustedImm32):
+ (JSC::B3::Air::Arg::asAddress):
+ (JSC::B3::Air::Arg::asBaseIndex):
+ * b3/air/AirLowerStackArgs.cpp:
+
(JSC::B3::Air::lowerStackArgs):
+ * b3/testb3.cpp:
+ (JSC::B3::testMulArgStore):
+ (JSC::B3::testStore32):
+ (JSC::B3::testStoreConstant):
+ (JSC::B3::testStoreConstantPtr):
+ (JSC::B3::testStoreAddLoad32):
+ (JSC::B3::testStoreAddLoadImm32):
+ (JSC::B3::testStoreAddLoad8):
+ (JSC::B3::testStoreAddLoadImm8):
+ (JSC::B3::testStoreAddLoad16):
+ (JSC::B3::testStoreAddLoadImm16):
+ (JSC::B3::testStoreAddLoad64):
+ (JSC::B3::testStoreAddLoadImm64):
+ (JSC::B3::testStoreAddLoad32Index):
+ (JSC::B3::testStoreAddLoadImm32Index):
+ (JSC::B3::testStoreAddLoad64Index):
+ (JSC::B3::testStoreAddLoadImm64Index):
+ (JSC::B3::testStoreSubLoad):
+ (JSC::B3::testStoreAddLoadInterference):
+ (JSC::B3::testStoreAddAndLoad):
+ (JSC::B3::testStoreNegLoad32):
+ (JSC::B3::testStoreNegLoadPtr):
+ (JSC::B3::testLoadOffset):
+ (JSC::B3::testLoadOffsetNotConstant):
+ (JSC::B3::testLoadOffsetUsingAdd):
+ (JSC::B3::testLoadOffsetUsingAddInterference):
+ (JSC::B3::testLoadOffsetUsingAddNotConstant):
+ (JSC::B3::testStoreLoadStackSlot):
+ (JSC::B3::testLoad):
+ (JSC::B3::testInterpreter):
+ (JSC::B3::testTrappingStore):
+ (JSC::B3::testTrappingLoadAddStore):
+ (JSC::B3::testWasmAddress):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::fixupPointerPlusOffset):
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::B3IRGenerator::emitLoadOp):
+ (JSC::Wasm::B3IRGenerator::emitStoreOp):
+
+2017-04-16 Joseph Pecoraro
+
+ test262: test262/test/built-ins/Object/prototype/toLocaleString/primitive_this_value.js
+ https://bugs.webkit.org/show_bug.cgi?id=170882
+
+ Reviewed by Saam Barati.
+
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncToLocaleString):
+ We should be using the this value without ToObject conversion both when
+ getting the potential accessor and calling it. In strict mode, the this
+ value will remain its simple value, in non-strict it is still converted.
+
+2017-04-16 Joseph Pecoraro
+
+ test262: test262/test/built-ins/isNaN/toprimitive-not-callable-throws.js
+ https://bugs.webkit.org/show_bug.cgi?id=170888
+
+ Reviewed by Saam Barati.
+
+ * runtime/ExceptionHelpers.h:
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createInvalidInstanceofParameterErrorHasInstanceValueNotFunction):
+ Fix up this function name.
+
+ * runtime/JSObject.cpp:
+ (JSC::callToPrimitiveFunction):
+ When called with @@isPrimitive, bail on undefined or null and
+ throw a type error if the value is not callable.
+
+ (JSC::JSObject::toPrimitive):
+ Use throw scope to check for exception.
+
+2017-04-16 Joseph Pecoraro
+
+ test262: test262/test/language/expressions/tagged-template/template-object.js
+ https://bugs.webkit.org/show_bug.cgi?id=170878
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::put):
+ The fast path for setting an Array's length should check if length is
+ writable before checking for and possibly throwing a RangeError.
+
+2017-04-16 Joseph Pecoraro
+
+ test262: test262/test/built-ins/Object/getOwnPropertyNames/15.2.3.4-4-44.js
+ https://bugs.webkit.org/show_bug.cgi?id=170879
+
+ Reviewed by Saam Barati.
+
+ * runtime/StringObject.h:
+ * runtime/StringObject.cpp:
+ (JSC::StringObject::getOwnPropertyNames):
+ (JSC::StringObject::getOwnNonIndexPropertyNames):
+ Ensure 'length' comes after all indexed properties by moving
+ it out to the getOwnNonIndexPropertyNames method which is called
+ inside of getOwnPropertyNames after JSObject handles indices.
+
+2017-04-16 Joseph Pecoraro
+
+ test262: test262/test/built-ins/Date/prototype/Symbol.toPrimitive/name.js
+ https://bugs.webkit.org/show_bug.cgi?id=170884
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/DatePrototype.cpp:
+ (JSC::DatePrototype::finishCreation):
+ * runtime/FunctionPrototype.cpp:
+ (JSC::FunctionPrototype::addFunctionProperties):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::RegExpPrototype::finishCreation):
+ * runtime/SymbolPrototype.cpp:
+ (JSC::SymbolPrototype::finishCreation):
+ Give symbol property functions proper function names.
+ This addresses function.name but not function.toString().
+
+2017-04-15 Joseph Pecoraro
+
+ test262: test262/test/language/global-code/new.target-arrow.js
+ https://bugs.webkit.org/show_bug.cgi?id=170872
+
+ Reviewed by Saam Barati.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::Parser):
+ Mark the global code scope.
+
+ (JSC::Parser::parseMemberExpression):
+ If new.target is detected in an arrow function defined in global scope
+ throw a SyntaxError.
+
+ * parser/Parser.h:
+ (JSC::Scope::Scope):
+ (JSC::Scope::setIsGlobalCodeScope):
+ (JSC::Scope::isGlobalCodeScope):
+ Marker for a global code scope.
+
+ * parser/ParserModes.h:
+ (JSC::isModuleParseMode):
+ (JSC::isProgramParseMode):
+ (JSC::isProgramOrModuleParseMode):
+ Helper for detecting global code based on parse mode.
+
+2017-04-14 Nikita Vasilyev
+
+ Web Inspector: WebSockets: messages with non-latin letters are displayed incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=170760
+
+ Reviewed by Joseph Pecoraro.
+
+ Add payloadLength property, which is used to display size. When payloadLength is unavailable,
+ it is calculated from payloadData by Web Inspector frontend.
+
+ This fixes Web Inspector: WebSockets: Transferred size is incorrect.
+
+ * inspector/protocol/Network.json:
+
+2017-04-14 Saam Barati
+
+ ParseInt intrinsic in DFG backend doesn't properly flush its operands
+ https://bugs.webkit.org/show_bug.cgi?id=170865
+
+ Reviewed by Mark Lam and Geoffrey Garen.
+
+ The DFG backend code needed to first call .gpr()/.jsValueRegs()
+ before calling flushRegisters(), or the input JSValueOperand would
+ not be flushed.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileParseInt):
+
+2017-04-14 Mark Lam
+
+ Update architectures in xcconfig files.
+ https://bugs.webkit.org/show_bug.cgi?id=170867
+
+
+ Reviewed by Joseph Pecoraro.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/FeatureDefines.xcconfig:
+ * Configurations/JavaScriptCore.xcconfig:
+ * Configurations/ToolExecutable.xcconfig:
+
+2017-04-14 Keith Miller
+
+ WebAssembly: B3IRGenerator should use phis for result types
+ https://bugs.webkit.org/show_bug.cgi?id=170863
+
+ Reviewed by Filip Pizlo.
+
+ Currently, we use variables for the result types of control flow in
+ Wasm. We did this originally since we weren't sure that the phis we
+ generated would be optimal. Since then, we have verified that the edges
+ in wasm control flow ensure that each upsilon will dominate its phi
+ so we don't need to use variables.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::ControlData::ControlData):
+ (JSC::Wasm::B3IRGenerator::addTopLevel):
+ (JSC::Wasm::B3IRGenerator::addBlock):
+ (JSC::Wasm::B3IRGenerator::addLoop):
+ (JSC::Wasm::B3IRGenerator::unify):
+
+2017-04-14 Alex Christensen
+
+ Fix Windows build after r215368.
+ https://bugs.webkit.org/show_bug.cgi?id=170641
+
+ * CMakeLists.txt:
+ Add new directory containing files needed in WebCore.
+
+2017-04-14 Caitlin Potter
+
+ [JSC] use ExpressionErrorClassifier for AwaitExpression operand
+ https://bugs.webkit.org/show_bug.cgi?id=170844
+
+ Reviewed by Saam Barati.
+
+ In parseAssignmentExpression(), several cover grammars are handled, and
+ use ExpressionErrorClassifier to record hints about which grammars to
+ try.
+
+ In parseAwaitExpression(), the hints recorded during parsing of the
+ operand need to be discarded, because if they propagate to the outer
+ parseAssignmentExpression(), the hints will lead the parser down invalid
+ branches that should be skipped.
+
+ This change adds an additional ExpressionErrorClassifier to
+ parseAwaitExpression(), in order to discard hints recorded trying to
+ parse the operand.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseAwaitExpression):
+
+2017-04-14 Saam Barati
+
+ WebAssembly: There is a short window of time where a CodeBlock could be destroyed before all of its async compilation callbacks are called
+ https://bugs.webkit.org/show_bug.cgi?id=170641
+
+ Reviewed by Keith Miller.
+
+ There is an unlikely race when a CodeBlock compilation fails,
+ the module compiles a new CodeBlock for that memory mode, all while
+ the CodeBlock is notifying its callbacks that it has finished.
+ There is a chance that the Module could deref its failed CodeBlock
+ at that point, destroying it, before the callbacks were able to
+ grab a Ref to the CodeBlock. This patch fixes the race by having the
+ callbacks ref the CodeBlock.
+
+ This patch also has the Plan clear out all of its callbacks
+ once it gets completed. This adds an extra defense to anybody
+ that grabs refs to the Plan in the callback.
+
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ (JSC::Wasm::CodeBlock::compileAsync):
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::complete):
+
+2017-04-13 Filip Pizlo
+
+ Air::RegLiveness should be constraint-based
+ https://bugs.webkit.org/show_bug.cgi?id=170817
+
+ Reviewed by Saam Barati.
+
+ Previously, I changed the Air liveness analyses based on Air::Liveness<> to be
+ constraint-based and this was a significant speed-up. Now I'm adding the same
+ functionality to RegLiveness.
+
+ This is a 1% speed-up on wasm B3 -O1 compile times.
+
+ * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
+ * b3/air/AirLivenessAdapter.h:
+ (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
+ (JSC::B3::Air::LivenessAdapter::prepareToCompute):
+ (JSC::B3::Air::LivenessAdapter::actionsAt):
+ * b3/air/AirRegLiveness.cpp:
+ (JSC::B3::Air::RegLiveness::RegLiveness):
+ (JSC::B3::Air::RegLiveness::LocalCalcForUnifiedTmpLiveness::LocalCalcForUnifiedTmpLiveness):
+ (JSC::B3::Air::RegLiveness::LocalCalcForUnifiedTmpLiveness::execute):
+ (JSC::B3::Air::RegLiveness::LocalCalc::execute): Deleted.
+ * b3/air/AirRegLiveness.h:
+ (JSC::B3::Air::RegLiveness::Actions::Actions):
+ (JSC::B3::Air::RegLiveness::LocalCalcBase::LocalCalcBase):
+ (JSC::B3::Air::RegLiveness::LocalCalcBase::live):
+ (JSC::B3::Air::RegLiveness::LocalCalcBase::isLive):
+ (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
+ (JSC::B3::Air::RegLiveness::LocalCalc::execute):
+ (JSC::B3::Air::RegLiveness::LocalCalc::live): Deleted.
+ (JSC::B3::Air::RegLiveness::LocalCalc::isLive): Deleted.
+
+2017-04-13 JF Bastien
+
+ WebAssembly: fix windows build
+ https://bugs.webkit.org/show_bug.cgi?id=170832
+
+ Reviewed by Mark Lam.
+
+ My previous patch re-declared isIOS which AssemblerCommon.h
+ already provided, and which was already included by Options.cpp.
+
+ * runtime/Options.cpp:
+
+2017-04-13 Saam Barati
+
+ WebAssembly: We should be able to postMessage a JSWebAssemblyModule
+ https://bugs.webkit.org/show_bug.cgi?id=170573
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds a callback to JSRunLoopTimer to notify
+ clients that a timer has been set. This is used inside
+ WorkerRunLoop in WebCore so that its RunLoop can perform
+ an iteration when it sees that a timer got set.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::JSRunLoopTimer::scheduleTimer):
+ (JSC::JSRunLoopTimer::addTimerSetNotification):
+ (JSC::JSRunLoopTimer::removeTimerSetNotification):
+ * runtime/JSRunLoopTimer.h:
+ * wasm/WasmCodeBlock.cpp:
+ (JSC::Wasm::CodeBlock::~CodeBlock):
+ * wasm/WasmCodeBlock.h:
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::Module::~Module):
+ (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace):
+ (JSC::Wasm::makeValidationCallback):
+ (JSC::Wasm::Module::validateSync):
+ (JSC::Wasm::Module::validateAsync):
+ (JSC::Wasm::Module::validateSyncImpl): Deleted.
+ (JSC::Wasm::Module::makeValidationCallback): Deleted.
+ * wasm/WasmModule.h:
+ (JSC::Wasm::Module::validateSync): Deleted.
+ (JSC::Wasm::Module::validateAsync): Deleted.
+ (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace): Deleted.
+ (JSC::Wasm::Module::nonNullCodeBlock): Deleted.
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ (JSC::JSWebAssemblyCodeBlock::create):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::create): Deleted.
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::source):
+ * wasm/js/JSWebAssemblyModule.h:
+ (JSC::JSWebAssemblyModule::source): Deleted.
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+
+2017-04-13 Mark Lam
+
+ Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
+ https://bugs.webkit.org/show_bug.cgi?id=170661
+
+
+ Reviewed by Filip Pizlo.
+
+ Previously, we were using flush() to flush the outermost frame's scopeRegister.
+ This is incorrect because flush() expects the VirtualRegister value passed to
+ it to be that of the top most inlined frame. In the event that we reach a
+ terminal condition while inside an inlined frame, flush() will end up flushing
+ the wrong register. The fix is simply to use flushDirect() instead.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::flush):
+
+2017-04-13 Andy VanWagoner
+
+ Change Intl prototypes to plain objects
+ https://bugs.webkit.org/show_bug.cgi?id=168178
+
+ Reviewed by JF Bastien.
+
+ * builtins/StringPrototype.js:
+ (localeCompare): Create default Collator once instead of using prototype.
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototype::IntlCollatorPrototype):
+ * runtime/IntlCollatorPrototype.h:
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototype::IntlDateTimeFormatPrototype):
+ * runtime/IntlDateTimeFormatPrototype.h:
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototype::IntlNumberFormatPrototype):
+ * runtime/IntlNumberFormatPrototype.h:
+ * runtime/IntlObject.cpp:
+ (JSC::IntlObject::finishCreation): Don't set constructor on each prototype.
+
+2017-04-13 Oliver Hunt
+
+ allocationSize should use safe arithmetic by default
+ https://bugs.webkit.org/show_bug.cgi?id=170804
+
+ Reviewed by JF Bastien.
+
+ Make all allocationSize() functions work in terms
+ of Checked
+
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::offsetOfSlot):
+ (JSC::DirectArguments::allocationSize):
+ * runtime/HashMapImpl.h:
+ (JSC::HashMapBuffer::allocationSize):
+ * runtime/JSArray.h:
+ (JSC::JSArray::allocationSize):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::allocationSize):
+ * runtime/JSAsyncFunction.h:
+ (JSC::JSAsyncFunction::allocationSize):
+ * runtime/JSFixedArray.h:
+ (JSC::JSFixedArray::allocationSize):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::allocationSize):
+ * runtime/JSGeneratorFunction.h:
+ (JSC::JSGeneratorFunction::allocationSize):
+ * runtime/JSModuleNamespaceObject.h:
+ * runtime/JSObject.h:
+ (JSC::JSFinalObject::allocationSize):
+ * runtime/JSWrapperObject.h:
+ (JSC::JSWrapperObject::allocationSize):
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::allocationSize):
+ * runtime/VM.h:
+ (JSC::ScratchBuffer::allocationSize):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs):
+ (JSC::JSWebAssemblyCodeBlock::allocationSize):
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::allocationSize):
+
+2017-04-13 JF Bastien
+
+ WebAssembly: manage memory better
+ https://bugs.webkit.org/show_bug.cgi?id=170628
+
+ Reviewed by Keith Miller, Michael Saboff.
+
+ WebAssembly fast memories weren't managed very well. This patch
+ refactors it and puts us in a good position to further improve our
+ fast memory handling in the future.
+
+ We now cache fast memories at a process granularity, but make sure
+ that they don't consume dirty pages. We add a cap to the total
+ number of allocated fast memories to avoid ASLR degradation.
+
+ We teach the GC about memories as a kind of resource it should
+ care about because it didn't have visibility into the amount of
+ memory each represented.
This allows benchmarks which allocate
+ memories back-to-back to reliably get fast memories 100% of the
+ time, even on a system under load, which wasn't the case
+ before. This reliability yields roughly 8% perf bump on x86-64
+ WasmBench.
+
+ The GC heuristic is as follows: each time we allocate a fast
+ memory we notify the GC, which then keeps track of the total
+ number of fast memories allocated since it last GC'd. We
+ separately keep track of the total number of fast memories which
+ have ever existed at any point in time (cached + allocated). This
+ is a monotonically-increasing high watermark. The GC will force a
+ full collection if, since it last ran, half or more of the high
+ watermark of fast memories was allocated.
+
+ At the same time, if we fail obtaining a fast memory from the
+ cache we do a GC to try to find one. If that fails we'll allocate
+ a new one (this can also fail, then we go to slow memory). This
+ can also be improved, but it's a good start.
+
+ This currently disables fast memories on iOS because getting fast
+ memories isn't a guaranteed thing. Rather, we get quite a few of
+ them and achieve significant speedups, but benchmarks which
+ allocate memories back-to-back end up falling behind because the
+ GC can conservatively hold onto memories, which then yields a perf
+ cliff. That cliff isn't reliable, WasmBench gets roughly 10 of 18
+ fast memories when in theory it should get all of them fast (as
+ MacOS does). The patch significantly improves the state of iOS
+ though, and in a follow-up we could re-enable fast memories.
+
+ Part of this good positioning is a facility to pre-allocate fast
+ memories very early at startup, before any fragmentation
+ occurs. This is currently disabled but worked extremely reliably
+ on iOS. Once we fix the above issues we'll want to re-visit and
+ turn on pre-allocation.
+
+ We also avoid locking for fast memory identification when
+ performing signal handling.
I'm very nervous about acquiring locks
+ in a signal handler because in general signals can happen when
+ we've messed up. This isn't the case with fast memories: we're
+ raising a signal on purpose and handling it. However this doesn't
+ mean we won't mess up elsewhere! This will get more complicated
+ once we add support for multiple threads sharing memories and
+ being able to grow their memories. One example: the code calls
+ CRASH(), which executes the following code in release:
+
+ *(int *)(uintptr_t)0xbbadbeef = 0;
+
+ This is a segfault, which our fast memory signal handler tries to
+ handle. It does so by first figuring out whether 0xbbadbeef is in
+ a fast memory region, reqiring a lock. If we CRASH() while holding
+ the lock then our thread self-deadlocks, giving us no crash report
+ and a bad user experience.
+
+ Avoiding a lock therefore it's not about speed or reduced
+ contention. In fact, I'd use something else than a FIFO if these
+ were a concern. We're also doing syscalls, which dwarf any locking
+ cost.
+
+ We now only allocate 4GiB + redzone of 64k * 128 for fast memories
+ instead of 8GiB. This patch reuses the logic from
+ B3::WasmBoundsCheck to perform bounds checks when accesses could
+ exceed the redzone. We'll therefore benefit from CSE goodness when
+ it reaches WasmBoundsCheck. See bug #163469.
+
+ * b3/B3LowerToAir.cpp: fix a baaaaddd bug where unsigned->signed
+ conversion allowed out-of-bounds reads by -2GiB. I'll follow-up in
+ bug #170692 to prevent this type of bug once and for all.
+ (JSC::B3::Air::LowerToAir::lower):
+ * b3/B3Validate.cpp: update WasmBoundsCheck validation.
+ * b3/B3Value.cpp:
+ (JSC::B3::Value::effects): update WasmBoundsCheck effects.
+ * b3/B3WasmBoundsCheckValue.cpp:
+ (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
+ (JSC::B3::WasmBoundsCheckValue::redzoneLimit):
+ (JSC::B3::WasmBoundsCheckValue::dumpMeta):
+ * b3/B3WasmBoundsCheckValue.h:
+ (JSC::B3::WasmBoundsCheckValue::maximum):
+ * b3/air/AirCustom.cpp:
+ (JSC::B3::Air::WasmBoundsCheckCustom::isValidForm):
+ * b3/testb3.cpp:
+ (JSC::B3::testWasmBoundsCheck):
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC::Heap::reportWebAssemblyFastMemoriesAllocated):
+ (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::didAllocateWebAssemblyFastMemories):
+ (JSC::Heap::shouldDoFullCollection):
+ (JSC::Heap::collectIfNecessaryOrDefer):
+ * heap/Heap.h:
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/Options.cpp:
+ * runtime/Options.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::fixupPointerPlusOffset):
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::B3IRGenerator::emitLoadOp):
+ (JSC::Wasm::B3IRGenerator::emitStoreOp):
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+ * wasm/WasmMemory.cpp: Rewrite.
+ (JSC::Wasm::makeString):
+ (JSC::Wasm::Memory::initializePreallocations):
+ (JSC::Wasm::Memory::createImpl):
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::~Memory):
+ (JSC::Wasm::Memory::fastMappedRedzoneBytes):
+ (JSC::Wasm::Memory::fastMappedBytes):
+ (JSC::Wasm::Memory::maxFastMemoryCount):
+ (JSC::Wasm::Memory::addressIsInActiveFastMemory):
+ (JSC::Wasm::Memory::grow):
+ * wasm/WasmMemory.h:
+ (Memory::maxFastMemoryCount):
+ (Memory::addressIsInActiveFastMemory):
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::finishCreation):
+ (JSC::JSWebAssemblyInstance::visitChildren):
+ (JSC::JSWebAssemblyInstance::globalMemoryByteSize):
+ * wasm/js/JSWebAssemblyInstance.h:
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::grow):
+ (JSC::JSWebAssemblyMemory::finishCreation):
+ (JSC::JSWebAssemblyMemory::visitChildren):
+
+2017-04-13 Yusuke Suzuki
+
+ [JSC] Use proper ifdef guard for code using MachineContext
+ https://bugs.webkit.org/show_bug.cgi?id=170800
+
+ Reviewed by Carlos Alberto Lopez Perez.
+
+ This patch drops MachineContext use if it is not available.
+ This situation can be considered like, building WebKit with musl.
+ In that case, we simply disable features that rely on MachineContext.
+ Examples are wasm fast memory, sampling profiler, and code profiling.
+
+ * runtime/Options.cpp:
+ (JSC::overrideDefaults):
+ * tools/CodeProfiling.cpp:
+ (JSC::CodeProfiling::begin):
+ (JSC::CodeProfiling::end):
+ Previously, PLATFORM(GTK) is excluded. But it is not obvious why it is excluded.
+ This patch just includes such platforms.
+
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::enableFastMemory):
+
+2017-04-12 Dan Bernstein
+
+ [Mac] Future-proof .xcconfig files
+ https://bugs.webkit.org/show_bug.cgi?id=170802
+
+ Reviewed by Tim Horton.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/DebugRelease.xcconfig:
+ * Configurations/FeatureDefines.xcconfig:
+ * Configurations/Version.xcconfig:
+
+2017-04-12 Joseph Pecoraro
+
+ test262: test262/test/built-ins/NativeErrors/EvalError/proto.js
+ https://bugs.webkit.org/show_bug.cgi?id=170668
+
+ Reviewed by Keith Miller.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ The [[Prototype]] of NativeError Constructor's should be the %Error%.
+ https://tc39.github.io/ecma262/#sec-properties-of-the-nativeerror-constructors
+
+2017-04-12 Joseph Pecoraro
+
+ test262: test262/test/language/literals/regexp/u-dec-esc.js
+ https://bugs.webkit.org/show_bug.cgi?id=170687
+
+ Reviewed by Michael Saboff.
+
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::parseEscape):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPattern::errorMessage):
+ (JSC::Yarr::YarrPattern::compile):
+ * yarr/YarrPattern.h:
+ In unicoe patterns, invalid backreferences are an error.
+
+2017-04-12 Filip Pizlo
+
+ Move common stack allocation utilities out of AirAllocateStackByGraphColoring.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=170799
+
+ Reviewed by Michael Saboff and Keith Miller.
+
+ When I added stack allocation to allocateRegistersByLinearScan, I reused a handful of
+ utility functions from AirAllocateStackByGraphColoring.cpp. I accomplished this by
+ putting their declarations in AirAllocateStackByGraphColoring.h.
+
+ That was pretty weird.
+
+ This patch moves a family of stack allocation helper functions out of
+ AirAllocateStackByGraphColoring.cpp and into the new AirStackAllocation.h|cpp. The
+ linear scan stack allocator no longer has to include the other stack allocator's
+ header, which addresses my OCD.
+
+ I moved the functions transitively reachable from the two functions that the linear
+ scan allocator needed. This forced me to give them better names (i.e. no "fooBarImpl")
+ and short descriptive comments.
I think that such comments are useful in code that is
+ doing a convoluted version of some theoretical concept.
+
+ No behavior change.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
+ * b3/air/AirAllocateStackByGraphColoring.cpp:
+ (JSC::B3::Air::allocateStackByGraphColoring):
+ (JSC::B3::Air::allocateEscapedStackSlots): Deleted.
+ (JSC::B3::Air::updateFrameSizeBasedOnStackSlots): Deleted.
+ * b3/air/AirAllocateStackByGraphColoring.h:
+ * b3/air/AirStackAllocation.cpp: Added.
+ (JSC::B3::Air::attemptAssignment):
+ (JSC::B3::Air::assign):
+ (JSC::B3::Air::allocateAndGetEscapedStackSlotsWithoutChangingFrameSize):
+ (JSC::B3::Air::allocateEscapedStackSlots):
+ (JSC::B3::Air::updateFrameSizeBasedOnStackSlots):
+ * b3/air/AirStackAllocation.h: Added.
+
+2017-04-12 Filip Pizlo
+
+ B3 -O1 should not allocateStackByGraphColoring
+ https://bugs.webkit.org/show_bug.cgi?id=170742
+
+ Reviewed by Keith Miller.
+
+ One of B3 -O1's longest running phases is allocateStackByGraphColoring. One approach to
+ this would be to make that phase cheaper. But it's weird that this phase reruns
+ liveness after register allocation already ran liveness. If only it could reuse the
+ liveness computed by register allocation then it would run a lot faster. At -O2, we do
+ not want this, since we run phases between register allocation and stack allocation,
+ and those phases are free to change the liveness of spill slots (in fact,
+ fixObviousSpills will both shorten and lengthen live ranges because of load and store
+ elimination, respectively). But at -O1, we don't really need to run any phases between
+ register and stack allocation.
+
+ This changes Air's backend in the following ways:
+
+ - Linear scan does stack allocation. This means that we don't need to run
+ allocateStackByGraphColoring at all.
In reality, we reuse some of its innards, but
+ we don't run the expensive part of it (liveness->interference->coalescing->coloring).
+ This is a speed-up because we only run liveness once and reuse it for both register
+ and stack allocation.
+
+ - Phases that previously ran between register and stack allocation are taken care of,
+ each in its own special way:
+
+ -> handleCalleSaves: this is now a utility function called by both
+ allocateStackByGraphColoring and allocateRegistersAndStackByLinearScan.
+
+ -> fixObviousSpills: we didn't run this at -O1, so nothing needs to be done.
+
+ -> lowerAfterRegAlloc: this needed to be able to run before stack allocation because
+ it could change register usage (vis a vis callee saves) and it could introduce
+ spill slots. I changed this phase to have a secondary mode for when it runs after
+ stack allocation.
+
+ - The part of allocateStackByGraphColoring that lowered stack addresses and took care
+ of the call arg area is now a separate phase called lowerStackArgs. We run this phase
+ regardless of optimization level. It's a cheap and general lowering.
+
+ This also removes spillEverything, because we never use that phase, we never test it,
+ and it got in the way in this refactoring.
+
+ This is a 21% speed-up on wasm -O1 compile times. This does not significantly change
+ -O1 throughput. We had already disabled allocateStack's most important optimization
+ (spill coalescing). This probably regresses average stack frame size, but I didn't
+ measure by how much. Stack frame size is really not that important. The algorithm in
+ allocateStackByGraphColoring is about much more than optimal frame size; it also
+ tries to avoid having to zero-extend 32-bit spills, it kills dead code, and of course
+ it coalesces.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/B3Procedure.cpp:
+ (JSC::B3::Procedure::calleeSaveRegisterAtOffsetList):
+ (JSC::B3::Procedure::calleeSaveRegisters): Deleted.
+ * b3/B3Procedure.h:
+ * b3/B3StackmapGenerationParams.cpp:
+ (JSC::B3::StackmapGenerationParams::unavailableRegisters):
+ * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp: Copied from Source/JavaScriptCore/b3/air/AirAllocateRegistersByLinearScan.cpp.
+ (JSC::B3::Air::allocateRegistersAndStackByLinearScan):
+ (JSC::B3::Air::allocateRegistersByLinearScan): Deleted.
+ * b3/air/AirAllocateRegistersAndStackByLinearScan.h: Copied from Source/JavaScriptCore/b3/air/AirAllocateRegistersByLinearScan.h.
+ * b3/air/AirAllocateRegistersByLinearScan.cpp: Removed.
+ * b3/air/AirAllocateRegistersByLinearScan.h: Removed.
+ * b3/air/AirAllocateStackByGraphColoring.cpp:
+ (JSC::B3::Air::allocateEscapedStackSlots):
+ (JSC::B3::Air::updateFrameSizeBasedOnStackSlots):
+ (JSC::B3::Air::allocateStackByGraphColoring):
+ * b3/air/AirAllocateStackByGraphColoring.h:
+ * b3/air/AirArg.cpp:
+ (JSC::B3::Air::Arg::stackAddr):
+ * b3/air/AirArg.h:
+ (JSC::B3::Air::Arg::stackAddr): Deleted.
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::Code::addStackSlot):
+ (JSC::B3::Air::Code::setCalleeSaveRegisterAtOffsetList):
+ (JSC::B3::Air::Code::calleeSaveRegisterAtOffsetList):
+ (JSC::B3::Air::Code::dump):
+ * b3/air/AirCode.h:
+ (JSC::B3::Air::Code::setStackIsAllocated):
+ (JSC::B3::Air::Code::stackIsAllocated):
+ (JSC::B3::Air::Code::calleeSaveRegisters):
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::prepareForGeneration):
+ (JSC::B3::Air::generate):
+ * b3/air/AirHandleCalleeSaves.cpp:
+ (JSC::B3::Air::handleCalleeSaves):
+ * b3/air/AirHandleCalleeSaves.h:
+ * b3/air/AirLowerAfterRegAlloc.cpp:
+ (JSC::B3::Air::lowerAfterRegAlloc):
+ * b3/air/AirLowerStackArgs.cpp: Added.
+ (JSC::B3::Air::lowerStackArgs):
+ * b3/air/AirLowerStackArgs.h: Added.
+ * b3/testb3.cpp:
+ (JSC::B3::testPinRegisters):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+ * jit/RegisterAtOffsetList.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::parseAndCompile):
+
+2017-04-12 Michael Saboff
+
+ Implement Object.isFrozen() and Object.isSealed() per ECMA spec
+ https://bugs.webkit.org/show_bug.cgi?id=170753
+
+ Reviewed by Mark Lam.
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::testIntegrityLevel): Added local helper as described in the ECMA standard.
+
+ (JSC::objectConstructorSeal):
+ (JSC::objectConstructorFreeze):
+ Eliminated incomplete special handling of JSFinalObjects.
+
+ (JSC::objectConstructorIsSealed):
+ (JSC::objectConstructorIsFrozen):
+ Refactored to use the new testIntegrityLevel() helper.
+
+2017-04-12 Yusuke Suzuki
+
+ Use HAVE(MACHINE_CONTEXT) instead of USE(MACHINE_CONTEXT)
+ https://bugs.webkit.org/show_bug.cgi?id=170770
+
+ Rubber stamped by Mark Lam.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::MachineThread::Registers::framePointer):
+ (JSC::MachineThreads::MachineThread::Registers::instructionPointer):
+ (JSC::MachineThreads::MachineThread::Registers::llintPC):
+ * runtime/MachineContext.h:
+ (JSC::MachineContext::stackPointer):
+ (JSC::MachineContext::framePointer):
+ (JSC::MachineContext::instructionPointer):
+ (JSC::MachineContext::argumentPointer<1>):
+ (JSC::MachineContext::llintInstructionPointer):
+
+2017-04-12 Yusuke Suzuki
+
+ [JSC] Clean up heap/MachineStackMarker by introducing USE(MACHINE_CONTEXT)
+ https://bugs.webkit.org/show_bug.cgi?id=170770
+
+ Reviewed by Mark Lam.
+
+ We use USE(MACHINE_CONTEXT) to clean up runtime/MachineContext.h. And
+ we clean up heap/MachineStackMarker.cpp by using MachineContext functions.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::MachineThread::Registers::stackPointer):
+ (JSC::MachineThreads::MachineThread::Registers::framePointer):
+ (JSC::MachineThreads::MachineThread::Registers::instructionPointer):
+ (JSC::MachineThreads::MachineThread::Registers::llintPC):
+ * heap/MachineStackMarker.h:
+ * runtime/MachineContext.h:
+ (JSC::MachineContext::stackPointer):
+ (JSC::MachineContext::framePointer):
+ (JSC::MachineContext::instructionPointer):
+ (JSC::MachineContext::argumentPointer<1>):
+ (JSC::MachineContext::llintInstructionPointer):
+
+2017-04-12 Yusuke Suzuki
+
+ [WTF] Introduce Thread class and use RefPtr and align Windows Threading implementation semantics to Pthread one
+ https://bugs.webkit.org/show_bug.cgi?id=170502
+
+ Reviewed by Mark Lam.
+
+ * API/tests/CompareAndSwapTest.cpp:
+ (testCompareAndSwap):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/air/testair.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::run):
+ * bytecode/SuperSampler.cpp:
+ (JSC::initializeSuperSampler):
+ * dfg/DFGWorklist.cpp:
+ * disassembler/Disassembler.cpp:
+ * heap/Heap.cpp:
+ (JSC::Heap::lastChanceToFinalize):
+ (JSC::Heap::notifyIsSafeToCollect):
+ * heap/Heap.h:
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::~MachineThreads):
+ (JSC::MachineThreads::addCurrentThread):
+ (JSC::MachineThreads::removeThread):
+ (JSC::MachineThreads::removeThreadIfFound):
+ (JSC::MachineThreads::MachineThread::MachineThread):
+ (JSC::MachineThreads::MachineThread::getRegisters):
+ (JSC::MachineThreads::MachineThread::Registers::stackPointer):
+ (JSC::MachineThreads::MachineThread::Registers::framePointer):
+ (JSC::MachineThreads::MachineThread::Registers::instructionPointer):
+ (JSC::MachineThreads::MachineThread::Registers::llintPC):
+ (JSC::MachineThreads::MachineThread::captureStack):
+ (JSC::MachineThreads::tryCopyOtherThreadStack):
+ (JSC::MachineThreads::tryCopyOtherThreadStacks):
+ (pthreadSignalHandlerSuspendResume): Deleted.
+ (JSC::threadData): Deleted.
+ (JSC::MachineThreads::Thread::Thread): Deleted.
+ (JSC::MachineThreads::Thread::createForCurrentThread): Deleted.
+ (JSC::MachineThreads::Thread::operator==): Deleted.
+ (JSC::MachineThreads::machineThreadForCurrentThread): Deleted.
+ (JSC::MachineThreads::ThreadData::ThreadData): Deleted.
+ (JSC::MachineThreads::ThreadData::~ThreadData): Deleted.
+ (JSC::MachineThreads::ThreadData::suspend): Deleted.
+ (JSC::MachineThreads::ThreadData::resume): Deleted.
+ (JSC::MachineThreads::ThreadData::getRegisters): Deleted.
+ (JSC::MachineThreads::ThreadData::Registers::stackPointer): Deleted.
+ (JSC::MachineThreads::ThreadData::Registers::framePointer): Deleted.
+ (JSC::MachineThreads::ThreadData::Registers::instructionPointer): Deleted.
+ (JSC::MachineThreads::ThreadData::Registers::llintPC): Deleted.
+ (JSC::MachineThreads::ThreadData::freeRegisters): Deleted.
+ (JSC::MachineThreads::ThreadData::captureStack): Deleted.
+ * heap/MachineStackMarker.h:
+ (JSC::MachineThreads::MachineThread::suspend):
+ (JSC::MachineThreads::MachineThread::resume):
+ (JSC::MachineThreads::MachineThread::threadID):
+ (JSC::MachineThreads::MachineThread::stackBase):
+ (JSC::MachineThreads::MachineThread::stackEnd):
+ (JSC::MachineThreads::threadsListHead):
+ (JSC::MachineThreads::Thread::operator!=): Deleted.
+ (JSC::MachineThreads::Thread::suspend): Deleted.
+ (JSC::MachineThreads::Thread::resume): Deleted.
+ (JSC::MachineThreads::Thread::getRegisters): Deleted.
+ (JSC::MachineThreads::Thread::freeRegisters): Deleted.
+ (JSC::MachineThreads::Thread::captureStack): Deleted.
+ (JSC::MachineThreads::Thread::platformThread): Deleted.
+ (JSC::MachineThreads::Thread::stackBase): Deleted.
+ (JSC::MachineThreads::Thread::stackEnd): Deleted.
+ * jit/ICStats.cpp:
+ (JSC::ICStats::ICStats):
+ (JSC::ICStats::~ICStats):
+ * jit/ICStats.h:
+ * jsc.cpp:
+ (functionDollarAgentStart):
+ (startTimeoutThreadIfNeeded):
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::lock):
+ * runtime/JSLock.h:
+ (JSC::JSLock::ownerThread):
+ (JSC::JSLock::currentThreadIsHoldingLock):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::FrameWalker::isValidFramePointer):
+ (JSC::SamplingProfiler::SamplingProfiler):
+ (JSC::SamplingProfiler::createThreadIfNecessary):
+ (JSC::SamplingProfiler::takeSample):
+ * runtime/SamplingProfiler.h:
+ * runtime/VM.h:
+ (JSC::VM::ownerThread):
+ * runtime/VMTraps.cpp:
+ (JSC::findActiveVMAndStackBounds):
+ (JSC::VMTraps::SignalSender::send):
+ (JSC::VMTraps::fireTrap):
+
+2017-04-11 Dean Jackson
+
+ Disable outdated WritableStream API
+ https://bugs.webkit.org/show_bug.cgi?id=170749
+
+
+ Reviewed by Tim Horton.
+
+ The API we implement is no longer accurate. Disable it until we
+ are compatible with the new specification
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-11 Yusuke Suzuki
+
+ Unreviewed, build fix for CF ports after r215241
+ https://bugs.webkit.org/show_bug.cgi?id=170725
+
+ * heap/GCActivityCallback.cpp:
+ (JSC::GCActivityCallback::nextFireTime):
+
+2017-04-11 Yusuke Suzuki
+
+ [WebCore][JSC] ResourceUsageData.{timeOfNextEdenCollection,timeOfNextFullCollection} should be MonotonicTime
+ https://bugs.webkit.org/show_bug.cgi?id=170725
+
+ Reviewed by Sam Weinig.
+
+ This patch makes GCActivityCallback return MonotonicTime instead of raw double value.
+
+ * heap/GCActivityCallback.cpp:
+ (JSC::GCActivityCallback::nextFireTime):
+ * heap/GCActivityCallback.h:
+
+2017-04-11 Guillaume Emont
+
+ [jsc] Add missing MacroAssemblerMIPS::or32() implementation
+ https://bugs.webkit.org/show_bug.cgi?id=169714
+
+ Reviewed by Michael Catanzaro.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::or32):
+ Added or32(TrustedImm32, Address).
+
+2017-04-11 Joseph Pecoraro
+
+ test262: test262/test/annexB/language/comments/multi-line-html-close.js
+ https://bugs.webkit.org/show_bug.cgi?id=170648
+
+ Reviewed by Keith Miller.
+
+ * parser/Lexer.cpp:
+ (JSC::Lexer::lex):
+ A multi-line comment that contains a line terminator is itself treated
+ like a line terminator. An HTML Close Comment that comes after it can
+ therefore treat it like it is at the start of a line, because it was
+ immediately preceeded by the equivalent of a line terminator.
+
+2017-04-11 Joseph Pecoraro
+
+ test262: test262/test/built-ins/Array/S15.4.3_A2.2.js
+ https://bugs.webkit.org/show_bug.cgi?id=170652
+
+ Reviewed by Michael Saboff.
+
+ * runtime/ArrayConstructor.cpp:
+ (JSC::ArrayConstructor::finishCreation):
+ * runtime/BooleanConstructor.cpp:
+ (JSC::BooleanConstructor::finishCreation):
+ * runtime/DateConstructor.cpp:
+ (JSC::DateConstructor::finishCreation):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::FunctionConstructor::finishCreation):
+ * runtime/JSArrayBufferConstructor.cpp:
+ (JSC::JSArrayBufferConstructor::finishCreation):
+ * runtime/NumberConstructor.cpp:
+ (JSC::NumberConstructor::finishCreation):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::RegExpConstructor::finishCreation):
+ * runtime/StringConstructor.cpp:
+ (JSC::StringConstructor::finishCreation):
+ * runtime/SymbolConstructor.cpp:
+ (JSC::SymbolConstructor::finishCreation):
+ Ensure the "length" property on these native constructors is configurable (deletable).
+
+2017-04-11 Yusuke Suzuki
+
+ Unreviewed, build fix for Windows after r215228 part 2
+ https://bugs.webkit.org/show_bug.cgi?id=170723
+
+ Since GCActivityCallback class is annotated exported, we do not need to annotate each member.
+
+ * heap/GCActivityCallback.h:
+
+2017-04-11 Yusuke Suzuki
+
+ [JSC][GTK] Use RunLoop::Timer in GTK port
+ https://bugs.webkit.org/show_bug.cgi?id=170723
+
+ Reviewed by Carlos Garcia Campos.
+
+ This patch makes GTK port use RunLoop::Timer for JSRunLoopTimer.
+ Only Cocoa-based ports use platform-specific Timer because it
+ has additional feature that changes RunLoop to the WebThread one.
+
+ And we enable Heap timers in all the ports including JSCOnly port.
+
+ * heap/EdenGCActivityCallback.cpp:
+ (JSC::EdenGCActivityCallback::lastGCLength):
+ * heap/EdenGCActivityCallback.h:
+ * heap/FullGCActivityCallback.cpp:
+ (JSC::FullGCActivityCallback::lastGCLength):
+ * heap/FullGCActivityCallback.h:
+ * heap/GCActivityCallback.cpp:
+ (JSC::GCActivityCallback::GCActivityCallback):
+ (JSC::GCActivityCallback::doWork):
+ (JSC::GCActivityCallback::scheduleTimer):
+ (JSC::GCActivityCallback::cancelTimer):
+ (JSC::GCActivityCallback::nextFireTime):
+ (JSC::GCActivityCallback::didAllocate):
+ * heap/GCActivityCallback.h:
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::doWork):
+ (JSC::IncrementalSweeper::doSweep):
+ * heap/IncrementalSweeper.h:
+ * heap/StopIfNecessaryTimer.cpp:
+ (JSC::StopIfNecessaryTimer::scheduleSoon):
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::JSRunLoopTimer::setRunLoop):
+ (JSC::JSRunLoopTimer::scheduleTimer):
+ (JSC::JSRunLoopTimer::cancelTimer):
+ (JSC::JSRunLoopTimer::JSRunLoopTimer):
+ (JSC::JSRunLoopTimer::~JSRunLoopTimer):
+ (JSC::JSRunLoopTimer::timerDidFireCallback):
+ * runtime/JSRunLoopTimer.h:
+ * runtime/PromiseDeferredTimer.cpp:
+ (JSC::PromiseDeferredTimer::scheduleWorkSoon):
+
+2017-04-11 Guillaume Emont
+
+ [jsc][mips] Add missing MacroAssembler functions after r214187
+ https://bugs.webkit.org/show_bug.cgi?id=170089
+
+ Reviewed by Yusuke Suzuki.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::loadFloat): Added.
+ (JSC::MacroAssemblerMIPS::storeFloat): Added.
+
+2017-04-11 Yusuke Suzuki
+
+ [JSC] Enable JSRunLoopTimer for JSCOnly and Windows
+ https://bugs.webkit.org/show_bug.cgi?id=170655
+
+ Reviewed by Carlos Garcia Campos.
+
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::JSRunLoopTimer::JSRunLoopTimer):
+ (JSC::JSRunLoopTimer::scheduleTimer):
+ (JSC::JSRunLoopTimer::cancelTimer):
+ * runtime/JSRunLoopTimer.h:
+
+2017-04-10 Alex Christensen
+
+ Revert r215217
+ https://bugs.webkit.org/show_bug.cgi?id=170703
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-10 Alex Christensen
+
+ Continue enabling WebRTC
+ https://bugs.webkit.org/show_bug.cgi?id=170703
+
+ Reviewed by Youenn Fablet.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-10 Mark Lam
+
+ Move ProbeContext and ProbeFunction out of AbstractMacroAssembler.
+ https://bugs.webkit.org/show_bug.cgi?id=170681
+
+ Reviewed by Michael Saboff.
+
+ This is a refactoring step towards enabling custom probe printers the way printInternal() works for dataLog.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::ProbeContext::gpr): Deleted.
+ (JSC::AbstractMacroAssembler::ProbeContext::fpr): Deleted.
+ (JSC::AbstractMacroAssembler::ProbeContext::gprName): Deleted.
+ (JSC::AbstractMacroAssembler::ProbeContext::fprName): Deleted.
+ * assembler/MacroAssembler.cpp:
+ (JSC::stdFunctionCallback):
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssembler.h:
+ (JSC::ProbeContext::gpr):
+ (JSC::ProbeContext::fpr):
+ (JSC::ProbeContext::gprName):
+ (JSC::ProbeContext::fprName):
+ * assembler/MacroAssemblerARM.cpp:
+ (JSC::MacroAssemblerARM::probe):
+ * assembler/MacroAssemblerARM64.cpp:
+ (JSC::arm64ProbeTrampoline):
+ (JSC::MacroAssemblerARM64::probe):
+ * assembler/MacroAssemblerARMv7.cpp:
+ (JSC::MacroAssemblerARMv7::probe):
+ * assembler/MacroAssemblerPrinter.cpp:
+ * assembler/MacroAssemblerPrinter.h:
+ * assembler/MacroAssemblerX86Common.cpp:
+ (JSC::MacroAssemblerX86Common::probe):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::abstractStructure):
+ (JSC::FTL::DFG::LowerDFGToB3::probe): Deleted.
+ - Deleted because this became a useless place-holder after the transition to B3.
+
+2017-04-10 Keith Miller
+
+ WebAssembly: Fix B3IRGenerator for BrTable
+ https://bugs.webkit.org/show_bug.cgi?id=170685
+
+ Reviewed by JF Bastien.
+
+ For some reason this didn't get included in r215141.
+
+ This fixes an issue with BrTable and loops where we would use the loop's return type
+ as the branch target type.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::ControlData::resultForBranch):
+ (JSC::Wasm::B3IRGenerator::unifyValuesWithBlock):
+
+2017-04-08 Oliver Hunt
+
+ Remove use of strcpy from JSC
+ https://bugs.webkit.org/show_bug.cgi?id=170646
+
+ Reviewed by Mark Lam.
+
+ Replace the use of strcpy with memcpy as strcpy keeps
+ on tripping various analyser warnings even though its
+ trivially safe in this case.
+
+ Essentially code hygiene, no change in behaviour, no
+ perf impact.
+
+ * dfg/DFGDisassembler.cpp:
+ (JSC::DFG::Disassembler::dumpDisassembly):
+
+2017-04-09 Joseph Pecoraro
+
+ test262: test262/test/annexB/language/expressions/object/__proto__-fn-name.js
+ https://bugs.webkit.org/show_bug.cgi?id=170650
+
+ Reviewed by Saam Barati.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parseProperty):
+ There needs to be special handling of:
+
+ PropertyDefinition : PropertyName ':' AssignmentExpression
+
+ When the property name is __proto__. In this case the
+ SetFunctionName path does not happen, so the name "__proto__"
+ is not inferred on any anonymous function. See:
+ https://tc39.github.io/ecma262/#sec-__proto__-property-names-in-object-initializers
+
+ * parser/Parser.h:
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::createProperty):
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createProperty):
+ Add an extra parameter to see if inferring / setting names are allowed.
+
+2017-04-09 Joseph Pecoraro
+
+ test262: test262/test/annexB/language/literals/regexp/identity-escape.js
+ https://bugs.webkit.org/show_bug.cgi?id=170651
+
+ Reviewed by Saam Barati.
+
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::parseEscape):
+ For \8 and \9 match just the number "8" or "9" instead of both "\\" and the number.
+ See: https://tc39.github.io/ecma262/#sec-decimalescape
+
+2017-04-08 Youenn Fablet
+
+ WebRTC tests gardening
+ https://bugs.webkit.org/show_bug.cgi?id=170508
+
+ Reviewed by Eric Carlson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-07 Keith Miller
+
+ WebAssembly: Fix issue with BrTable targeting a Loop
+ https://bugs.webkit.org/show_bug.cgi?id=170638
+
+ Reviewed by Saam Barati.
+
+ This fixes the same issue V8 had in: https://github.com/WebAssembly/spec/pull/456#event-1033547537
+
+ * wasm/WasmValidate.cpp:
+ (JSC::Wasm::Validate::ControlData::branchTargetSignature):
+
+2017-04-07 Keith Miller
+
+ Add a PriorityQueue class
+ https://bugs.webkit.org/show_bug.cgi?id=170579
+
+ Reviewed by Saam Barati.
+
+ Update Wasm::Worklist to use WTF::PriorityQueue.
+
+ * wasm/WasmWorklist.cpp:
+ (JSC::Wasm::Worklist::enqueue):
+ (JSC::Wasm::Worklist::completePlanSynchronously):
+ (JSC::Wasm::Worklist::stopAllPlansForVM):
+ (JSC::Wasm::Worklist::~Worklist):
+ (JSC::Wasm::Worklist::iterate): Deleted.
+ * wasm/WasmWorklist.h:
+ (JSC::Wasm::Worklist::isHigherPriority):
+ (JSC::Wasm::Worklist::Comparator::operator()): Deleted.
+
+2017-04-07 Yuichiro Kikura
+
+ WebGPU: implement ComputeCommandEncoder and related components
+ https://bugs.webkit.org/show_bug.cgi?id=170444
+
+ Reviewed by Alex Christensen.
+
+ I added some identifiers related with WebGPUComputeCommandEncoder based on the proposal.
+ https://webkit.org/wp-content/uploads/webgpu-api-proposal.html
+
+ * runtime/CommonIdentifiers.h:
+
+2017-04-07 Saam Barati
+
+ WebAssembly: Module::getOrCreateCodeBlock is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=170612
+
+ Reviewed by Keith Miller.
+
+ When we were getting a module's CodeBlock, we were checking if !runnable(),
+ and if !runnable(), we were re-creating the CodeBlock. This is wrong, since
+ !runnable() is true while the CodeBlock is compiling. Instead, we should check
+ if we've finished compiling, and if so, if that compilation failed.
+
+ * wasm/WasmModule.cpp:
+ (JSC::Wasm::Module::getOrCreateCodeBlock):
+
+2017-04-07 Saam Barati
+
+ WebAssembly: Make to a compilation API that allows for multi-VM concurrent compilations of Wasm Modules
+ https://bugs.webkit.org/show_bug.cgi?id=170488
+
+ Reviewed by JF Bastien.
+
+ This patch adds a class called Wasm::Module. It contains the bits from
+ JSWebAssemblyModule that were not VM specific. JSWebAssemblyModule
+ now has a Ref. Similarly, there is now a Wasm::CodeBlock,
+ which owns the non-VM-specific bits that JSWebAssemblyCodeBlock used
+ to own.
+
+ This patch also simplifies how we verify and compile code. Wasm::Module
+ now has an API for both sync/async validation and compilation. This
+ API abstracts away how Wasm::Plan works.
+
+ This is hopefully the last patch needed before we can implement
+ window.postMessage for a JSWebAssemblyModule. I think all that's
+ needed now to implement postMessage is simply creating a new
+ JSWebAssemblyModule with the underlying Wasm::Module.
+
+ This patch is neutral on WasmBench.
+
+ Finally, this patch changes the promise deferred timer to
+ allow for new tasks to be added while we're executing
+ a task. Before, we'd deadlock if this happened.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * jsc.cpp:
+ (functionTestWasmModuleFunctions):
+ * runtime/PromiseDeferredTimer.cpp:
+ (JSC::PromiseDeferredTimer::doWork):
+ (JSC::PromiseDeferredTimer::scheduleWorkSoon):
+ * runtime/PromiseDeferredTimer.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToJs):
+ (JSC::Wasm::wasmToWasm):
+ (JSC::Wasm::exitStubGenerator): Deleted.
+ * wasm/WasmBinding.h:
+ * wasm/WasmCodeBlock.cpp: Added.
+ (JSC::Wasm::CodeBlock::CodeBlock):
+ (JSC::Wasm::CodeBlock::waitUntilFinished):
+ (JSC::Wasm::CodeBlock::compileAsync):
+ (JSC::Wasm::CodeBlock::isSafeToRun):
+ * wasm/WasmCodeBlock.h: Added.
+ (JSC::Wasm::CodeBlock::create):
+ (JSC::Wasm::CodeBlock::compilationFinished):
+ (JSC::Wasm::CodeBlock::runnable):
+ (JSC::Wasm::CodeBlock::errorMessage):
+ (JSC::Wasm::CodeBlock::functionImportCount):
+ (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
+ * wasm/WasmModule.cpp: Added.
+ (JSC::Wasm::Module::Module):
+ (JSC::Wasm::makeValidationResult):
+ (JSC::Wasm::Module::validateSyncImpl):
+ (JSC::Wasm::Module::getOrCreateCodeBlock):
+ (JSC::Wasm::Module::compileSync):
+ (JSC::Wasm::Module::makeValidationCallback):
+ (JSC::Wasm::Module::compileAsync):
+ * wasm/WasmModule.h: Added.
+ (JSC::Wasm::Module::create):
+ (JSC::Wasm::Module::validateSync):
+ (JSC::Wasm::Module::validateAsync):
+ (JSC::Wasm::Module::signatureIndexFromFunctionIndexSpace):
+ (JSC::Wasm::Module::moduleInformation):
+ (JSC::Wasm::Module::nonNullCodeBlock):
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::Plan):
+ (JSC::Wasm::Plan::addCompletionTask):
+ (JSC::Wasm::Plan::prepare):
+ (JSC::Wasm::Plan::compileFunctions):
+ (JSC::Wasm::Plan::complete):
+ (JSC::Wasm::Plan::tryRemoveVMAndCancelIfLast):
+ (JSC::Wasm::Plan::cancel): Deleted.
+ * wasm/WasmPlan.h:
+ (JSC::Wasm::Plan::dontFinalize):
+ (JSC::Wasm::Plan::takeWasmToWasmExitStubs):
+ (JSC::Wasm::Plan::mode):
+ (JSC::Wasm::Plan::takeWasmExitStubs): Deleted.
+ (JSC::Wasm::Plan::vm): Deleted.
+ * wasm/WasmWorklist.cpp:
+ (JSC::Wasm::Worklist::stopAllPlansForVM):
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
+ (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
+ (JSC::JSWebAssemblyCodeBlock::initialize): Deleted.
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::create):
+ (JSC::JSWebAssemblyCodeBlock::functionImportCount):
+ (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
+ (JSC::JSWebAssemblyCodeBlock::mode): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::initialized): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::plan): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::runnable): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::errorMessage): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee): Deleted.
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::finalizeCreation):
+ (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock): Deleted.
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::initialized): Deleted.
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::createStub):
+ (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
+ (JSC::JSWebAssemblyModule::finishCreation):
+ * wasm/js/JSWebAssemblyModule.h:
+ (JSC::JSWebAssemblyModule::moduleInformation):
+ (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
+ (JSC::JSWebAssemblyModule::module):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::create):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::constructJSWebAssemblyInstance):
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ (JSC::WebAssemblyModuleConstructor::createModule):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::reject):
+ (JSC::webAssemblyCompileFunc):
+ (JSC::resolve):
+ (JSC::instantiate):
+ (JSC::compileAndInstantiate):
+ (JSC::webAssemblyValidateFunc):
+
+2017-04-07 Carlos Garcia Campos
+
+ [GTK] Update the priorities used in glib main loop sources
+ https://bugs.webkit.org/show_bug.cgi?id=170457
+
+ Reviewed by Žan Doberšek.
+
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::JSRunLoopTimer::JSRunLoopTimer):
+
+2017-04-06 Filip Pizlo
+
+ Rename allocateStack to allocateStackByGraphColoring.
+
+ Rubber stamped by Saam Barati.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/air/AirAllocateStack.cpp: Removed.
+ * b3/air/AirAllocateStack.h: Removed.
+ * b3/air/AirAllocateStackByGraphColoring.cpp: Copied from Source/JavaScriptCore/b3/air/AirAllocateStack.cpp.
+ (JSC::B3::Air::allocateStackByGraphColoring):
+ (JSC::B3::Air::allocateStack): Deleted.
+ * b3/air/AirAllocateStackByGraphColoring.h: Copied from Source/JavaScriptCore/b3/air/AirAllocateStack.h.
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::prepareForGeneration):
+
+2017-04-06 Michael Saboff
+
+ Cannot Object.seal() or Object.freeze() global "this"
+ https://bugs.webkit.org/show_bug.cgi?id=170549
+
+ Reviewed by Mark Lam.
+
+ Needed to implement JSProxy::isExtensible() which returns the results of calling
+ the same on wrapped object.
+
+ Implemented step 11 of Runtime Semantics: EvalDeclarationInstantiation from the ECMAScript
+ spec to properly return a TypeError object when attempting to add properties to a
+ non-extensible global object.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::isExtensible):
+ * runtime/JSProxy.h:
+
+2017-04-06 Filip Pizlo
+
+ Linear scan should run liveness only once
+ https://bugs.webkit.org/show_bug.cgi?id=170569
+
+ Reviewed by Keith Miller.
+
+ Air has a longstanding design bug that Tmps from different banks are indexed independently. This
+ means that all of our analyses over Tmps do separate GP and FP passes. This does have some
+ marginal benefits (the rest of the algorithm is specialized for Bank) but it's probably net bad.
+ However, I don't want to think about solving that general problem.
+
+ Instead, this just makes linear scan use a UnifiedTmpLiveness that uses a single "linear"
+ indexing for GP and FP. This lets me avoid the much larger refactoring (which would involve
+ substantial changes in graph coloring) while getting the bulk of the benefit (liveness runs once,
+ instead of twice, for linear scan).
+
+ This patch implements a lot of plumbing to make it possible for Liveness<> to view Tmps as having
+ a unified indexing scheme. Tmp calls this LinearlyIndexed (to match the naming convention of
+ AbsolutelyIndexed and Indexed), while AirLiveness calls this UnifiedTmpLiveness. With this
+ change, -O1 never does any liveness analysis that uses separate GP and FP passes. I think this
+ eliminates any urgency from the larger Tmp indexing bug. We can probably live with graph coloring
+ doing separate passes.
+
+ This is a ~6% speed-up for wasm -O1 compile times. I think this means that linear scan is no
+ longer the longest pole in the tent.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/B3VariableLiveness.h:
+ (JSC::B3::VariableLivenessAdapter::prepareToCompute):
+ * b3/air/AirAllocateRegistersByLinearScan.cpp:
+ (JSC::B3::Air::allocateRegistersByLinearScan):
+ * b3/air/AirCode.h:
+ (JSC::B3::Air::Code::forEachTmp):
+ * b3/air/AirLiveness.h:
+ * b3/air/AirLivenessAdapter.h:
+ (JSC::B3::Air::LivenessAdapter::Actions::Actions):
+ (JSC::B3::Air::LivenessAdapter::LivenessAdapter):
+ (JSC::B3::Air::LivenessAdapter::adapter):
+ (JSC::B3::Air::LivenessAdapter::prepareToCompute):
+ (JSC::B3::Air::LivenessAdapter::actionsAt):
+ (JSC::B3::Air::LivenessAdapter::forEachUse):
+ (JSC::B3::Air::LivenessAdapter::forEachDef):
+ (JSC::B3::Air::TmpLivenessAdapter::numIndices):
+ (JSC::B3::Air::UnifiedTmpLivenessAdapter::UnifiedTmpLivenessAdapter):
+ (JSC::B3::Air::UnifiedTmpLivenessAdapter::numIndices):
+ (JSC::B3::Air::UnifiedTmpLivenessAdapter::acceptsBank):
+ (JSC::B3::Air::UnifiedTmpLivenessAdapter::acceptsRole):
+ (JSC::B3::Air::UnifiedTmpLivenessAdapter::valueToIndex):
+ (JSC::B3::Air::UnifiedTmpLivenessAdapter::indexToValue):
+ * b3/air/AirLivenessConstraints.h: Removed.
+ * b3/air/AirRegLiveness.h:
+ (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
+ * b3/air/AirTmp.cpp:
+ * b3/air/AirTmp.h:
+ * b3/air/AirTmpInlines.h:
+ (JSC::B3::Air::Tmp::LinearlyIndexed::LinearlyIndexed):
+ (JSC::B3::Air::Tmp::LinearlyIndexed::index):
+ (JSC::B3::Air::Tmp::linearlyIndexed):
+ (JSC::B3::Air::Tmp::indexEnd):
+ (JSC::B3::Air::Tmp::absoluteIndexEnd):
+ (JSC::B3::Air::Tmp::linearIndexEnd):
+ (JSC::B3::Air::Tmp::tmpForAbsoluteIndex):
+ (JSC::B3::Air::Tmp::tmpForLinearIndex):
+ * b3/air/AirTmpMap.h: Added.
+ (JSC::B3::Air::TmpMap::TmpMap):
+ (JSC::B3::Air::TmpMap::resize):
+ (JSC::B3::Air::TmpMap::clear):
+ (JSC::B3::Air::TmpMap::operator[]):
+ (JSC::B3::Air::TmpMap::append):
+
+2017-04-06 Ryan Haddad
+
+ Unreviewed, rolling out r215046.
+
+ This change broke internal builds.
+
+ Reverted changeset:
+
+ "WebRTC tests gardening"
+ https://bugs.webkit.org/show_bug.cgi?id=170508
+ http://trac.webkit.org/changeset/215046
+
+2017-04-06 Joseph Pecoraro
+
+ Web Inspector: Show all headers in the Request Headers section of the Resource details sidebar
+ https://bugs.webkit.org/show_bug.cgi?id=16531
+
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/protocol/Network.json:
+ Optional refined list of request headers in Metrics.
+
+2017-04-06 Filip Pizlo
+
+ B3 -O1 should generate better code than -O0
+ https://bugs.webkit.org/show_bug.cgi?id=170563
+
+ Reviewed by Michael Saboff.
+
+ Prior to this change, code generated by -O1 ran slower than code generated by -O0. This turned
+ out to be because of reduceStrength optimizations that increase live ranges and create register
+ pressure, which then creates problems for linear scan.
+
+ It seemed obvious that canonicalizations that help isel, constant folding, and one-for-one
+ strength reductions should stay. It also seemed obvious that SSA and CFG simplification are fast
+ and harmless. So, I focused on removing:
+
+ - CSE, which increases live ranges. This is a risky optimization when we know that we've chosen
+ to use a bad register allocator.
+
+ - Sophisticated strength reductions that create more code, like the insane division optimization.
+
+ - Anything that inserts basic blocks.
+
+ CSE appeared to be the cause of half of the throughput regression of -O1 but none of the compile
+ time. This change also reduces the running time of reduceStrength by making it not a fixpoint at
+ optLevel<2.
+
+ This makes wasm -O1 compile 17% faster. This makes wasm -O1 run 19% faster. This makes -O1 code
+ run 3% faster than -O0, and compile about 4% slower than -O0. We may yet end up choosing to use
+ -O0, but at least now -O1 isn't totally useless.
+
+ * b3/B3ReduceStrength.cpp:
+
+2017-04-06 Jon Davis
+
+ Updates feature status for recently shipped features
+ https://bugs.webkit.org/show_bug.cgi?id=170359
+
+ Reviewed by Brian Burg.
+
+ Changed "Done" status to "Supported".
+
+ * features.json:
+
+2017-04-06 Youenn Fablet
+
+ WebRTC tests gardening
+ https://bugs.webkit.org/show_bug.cgi?id=170508
+
+ Reviewed by Eric Carlson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2017-04-06 Guillaume Emont
+
+ [JSC][MIPS][DFG] Use x86 generic HasOwnProperty
+ https://bugs.webkit.org/show_bug.cgi?id=170222
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ use the X86 special version for HasOwnProperty on MIPS too.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ use the X86 special version for HasOwnProperty on MIPS too.
+
+2017-04-05 Saam Barati
+
+ REGRESSION fix bad isWasm() test by ensuring proper Wasm callee bit pattern
+ https://bugs.webkit.org/show_bug.cgi?id=170494
+
+
+ Reviewed by Yusuke Suzuki and Mark Lam.
+
+ This patch fixes how we test a 64 bit JSValue pattern to see if it's
+ a Wasm callee. We now tag Wasm::Callee's with 0b011 in their lower 3 bits.
+ The new test is for a Wasm Callee is as follows:
+ isWasm(uint64_t x)
+ {
+ return x & 0xffff000000000007 == 3;
+ }
+
+ This test works because the lower 3 bits of the non-number immediate values are as follows:
+ undefined: 0b010
+ null: 0b010
+ true: 0b111
+ false: 0b110
+ The test rejects all of these because none have just the value 3 in their lower 3 bits.
+ The test also rejects all numbers, because they have non-zero upper 16 bits.
+ The test also rejects normal cells because they won't have the number 3 as
+ their lower 3 bits. Note, this bit pattern also allows the normal JSValue isCell(), etc,
+ predicates to work on a Wasm::Callee because the various tests will fail if you
+ bit casted a boxed Wasm::Callee* to a JSValue.
isCell() would fail since it sees
+ TagBitTypeOther. The other tests also trivially fail, since it won't be a number,
+ and it won't be equal to null, undefined, true, or false. The isBoolean() predicate
+ will fail because we won't have TagBitBool set.
+
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::guaranteedJSValueCallee):
+ (JSC::ExecState::calleeAsValue): Deleted.
+ * interpreter/CalleeBits.h:
+ (JSC::CalleeBits::boxWasm):
+ (JSC::CalleeBits::isWasm):
+ (JSC::CalleeBits::asWasmCallee):
+ * jit/JITOperations.cpp:
+ * runtime/JSCJSValue.h:
+
+2017-04-05 Keith Miller
+
+ WebAssembly: Plans should be able to have more than one completion task.
+ https://bugs.webkit.org/show_bug.cgi?id=170516
+
+ Reviewed by Saam Barati.
+
+ This patch also eliminates the need for blocked tasks on the
+ PromiseDeferredTimer and pendingPromise on Wasm::Plan.
+
+ * runtime/PromiseDeferredTimer.cpp:
+ (JSC::PromiseDeferredTimer::doWork):
+ (JSC::PromiseDeferredTimer::cancelPendingPromise):
+ (JSC::PromiseDeferredTimer::scheduleBlockedTask): Deleted.
+ * runtime/PromiseDeferredTimer.h:
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::Plan):
+ (JSC::Wasm::Plan::addCompletionTask):
+ (JSC::Wasm::Plan::complete):
+ * wasm/WasmPlan.h:
+ (JSC::Wasm::Plan::setMode):
+ (JSC::Wasm::Plan::mode):
+ (JSC::Wasm::Plan::setModeAndPromise): Deleted.
+ (JSC::Wasm::Plan::pendingPromise): Deleted.
+ * wasm/WasmWorklist.cpp:
+ (JSC::Wasm::Worklist::enqueue):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::constructJSWebAssemblyInstance):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::instantiate):
+
+2017-04-05 Guilherme Iscaro
+
+ Do not use BLX for immediates (ARM-32)
+
+ https://bugs.webkit.org/show_bug.cgi?id=170351
+
+ Reviewed by Mark Lam.
+
+ Currently the offline asm generator for 32-bit ARM code translates the
+ 'call' meta-instruction (which may be found in LowLevelInterpreter.asm
+ and friends) to the ARM's BLX instrunction.
The BLX instruction may be
+ used for labels (immediates) and registers and one side effect of BLX
+ is that it may switch the processor's instruction set.
+ A 'BLX register' instruction will change/remain the processor state to
+ ARM if the register_bit[0] is set to 0 or change/remain to Thumb if
+ register_bit[0] is set to 1. However, a 'BLX label' instruction will
+ always switch the processor state. It switches ARM to thumb and vice-versa.
+ This behaviour is unwanted, since the C++ code and the offlineasm generated code
+ are both compiled using the same instruction set, thus a instruction
+ set change will likely produce a crash. In order to fix the problem the
+ BL instruction can be used for labels. It will branch just like BLX,
+ but it won't change the instruction set. It's important to note that
+ Darwin is not affected by this problem, thus to minimize the impact of
+ this change the BL instruction will only be used on non-darwin targets.
+
+ BLX reference: http://infocenter.arm.com/help/topic/com.arm.doc.dui0489i/CIHBJCDC.html?resultof=%22%62%6c%78%22%20
+
+ * offlineasm/arm.rb:
+
+2017-04-05 Keith Miller
+
+ WebAssembly: We shouldn't need to pin size registers if we have a fast memory.
+ https://bugs.webkit.org/show_bug.cgi?id=170504
+
+ Reviewed by Mark Lam.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::createJSToWasmWrapper):
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::PinnedRegisterInfo::toSave):
+
+2017-04-05 Yusuke Suzuki
+
+ [JSC] Suppress warnings in GCC
+ https://bugs.webkit.org/show_bug.cgi?id=170501
+
+ Reviewed by Keith Miller.
+
+ Should use ASSERT_NOT_REACHED since return-type pragma is only
+ enabled under ASSERT_DISABLED environment. We shoud use
+ ASSERT_NOTREACHED to emit assertions in debug build. It effectively
+ catches bugs while keeping performance in release build.
+
+ * b3/B3Opcode.cpp:
+ (JSC::B3::storeOpcode):
+ * b3/B3Width.h:
+ (JSC::B3::mask):
+ * runtime/Options.cpp:
+ (JSC::parse):
+ * wasm/WasmSections.h:
+ (JSC::Wasm::makeString):
+ * wasm/WasmSignature.cpp:
+ (JSC::Wasm::SignatureInformation::tryCleanup):
+ * wasm/generateWasmValidateInlinesHeader.py:
+
+2017-04-05 Carlos Garcia Campos
+
+ Implement PromiseDeferredTimer for non CF based ports
+ https://bugs.webkit.org/show_bug.cgi?id=170391
+
+ Reviewed by Yusuke Suzuki.
+
+ RunLoop handling is only implemented for CF causing several wasm tests to fail for other ports.
+
+ * jsc.cpp:
+ (runJSC): Remove CF ifdefs.
+ * runtime/PromiseDeferredTimer.cpp:
+ (JSC::PromiseDeferredTimer::doWork): Add non CF implementation using WTF RunLoop.
+ (JSC::PromiseDeferredTimer::runRunLoop): Ditto.
+ * runtime/PromiseDeferredTimer.h:
+
+2017-04-05 Carlos Garcia Campos
+
+ WebAssembly: several tests added in r214504 crash when building with GCC
+ https://bugs.webkit.org/show_bug.cgi?id=170390
+
+ Reviewed by Saam Barati.
+
+ The pattern foo->bar([f = WTFMove(foo)]{}); crashes when building with GCC, I assume the move happens before the
+ foo is used to invoke the function.
+
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyCompileFunc): Use p.vm() instead of plan->vm(), because plan is moved by the lambda.
+ (JSC::instantiate): Ditto.
+ (JSC::compileAndInstantiate): Ditto.
+
+2017-03-16 Yusuke Suzuki
+
+ [JSC] Generate TemplateObjects at linking time
+ https://bugs.webkit.org/show_bug.cgi?id=169743
+
+ Reviewed by Keith Miller.
+
+ Currently, the code calls getTemplateObject to get appropriate template objects at runtime.
+ But this template object is constant value and never changed. So instead of creating it
+ at runtime, we should create it at linking time and store it in the constant registers.
+
+ * builtins/BuiltinNames.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/CodeBlock.h:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::shrinkToFit):
+ * bytecode/UnlinkedCodeBlock.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant):
+ (JSC::BytecodeGenerator::emitGetTemplateObject):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::TaggedTemplateNode::emitBytecode):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::getTemplateObject): Deleted.
+ * runtime/JSTemplateRegistryKey.cpp:
+ * runtime/JSTemplateRegistryKey.h:
+ (JSC::isTemplateRegistryKey):
+
+2017-04-04 Mark Lam
+
+ On ARM64, DFG::SpeculativeJIT::compileArithMod() failed to ensure result is of DataFormatInt32.
+ https://bugs.webkit.org/show_bug.cgi?id=170473
+
+
+ Reviewed by Saam Barati.
+
+ In Unchecked mode, when DFG::SpeculativeJIT::compileArithMod() detects that the
+ divisor is 0, we want it to return 0. The result is expected to be of
+ DataFormatIn32.
+
+ The ARM implementation just returns the value in the divisor register. However,
+ the divisor in this case can be of DataFormatJSInt32. On ARM64, returning the
+ divisor register yields the wrong result format because the same register also
+ holds the upper 32-bit of the JSValue encoding. The fix is to return an
+ immediate 0 instead.
+
+ Also turned on the assertion in jitAssertIsInt32 for ARM64. This assertion being
+ disabled may have contributed to this bug going unnoticed all this time.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::jitAssertIsInt32):
+
+2017-04-04 Filip Pizlo
+
+ Air::eliminateDeadCode should not repeatedly process the same live instructions
+ https://bugs.webkit.org/show_bug.cgi?id=170490
+
+ Reviewed by Keith Miller.
+
+ This makes the eliminateDeadCode() fixpoint somewhat worklist-based: we track the set
+ of Insts that might be dead. Every time we detect that one is live, we remove it from
+ the set. This is a big (>2x) speed-up because lots of Insts are immediately found to
+ be live.
+
+ This is a ~1% wasm -O1 compile time progression.
+
+ * b3/air/AirEliminateDeadCode.cpp:
+ (JSC::B3::Air::eliminateDeadCode):
+
+2017-04-04 Filip Pizlo
+
+ Air::eliminateDeadCode() should not use a HashSet
+ https://bugs.webkit.org/show_bug.cgi?id=170487
+
+ Reviewed by Saam Barati.
+
+ Introduce TmpSet, which is like a HashSet. Use this to make eliminateDeadCode()
+ about 50% faster, resulting in a 1% wasm -O1 compile time progression.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/air/AirEliminateDeadCode.cpp:
+ (JSC::B3::Air::eliminateDeadCode):
+ * b3/air/AirTmpSet.h: Added.
+ (JSC::B3::Air::TmpSet::TmpSet):
+ (JSC::B3::Air::TmpSet::add):
+ (JSC::B3::Air::TmpSet::remove):
+ (JSC::B3::Air::TmpSet::contains):
+ (JSC::B3::Air::TmpSet::size):
+ (JSC::B3::Air::TmpSet::isEmpty):
+ (JSC::B3::Air::TmpSet::iterator::iterator):
+ (JSC::B3::Air::TmpSet::iterator::operator*):
+ (JSC::B3::Air::TmpSet::iterator::operator++):
+ (JSC::B3::Air::TmpSet::iterator::operator==):
+ (JSC::B3::Air::TmpSet::iterator::operator!=):
+ (JSC::B3::Air::TmpSet::begin):
+ (JSC::B3::Air::TmpSet::end):
+
+2017-04-04 Keith Miller
+
+ WebAssembly: ModuleInformation should be a ref counted thing that can be shared across threads.
+ https://bugs.webkit.org/show_bug.cgi?id=170478
+
+ Reviewed by Saam Barati.
+
+ ModuleInformation has been moved to its own file and is now
+ ThreadSafeRefCounted. All the Strings we used to keep in the
+ ModuleInformation have been switched to Vector this has the
+ advantage that it can be passed across threads. However, this does
+ mean that we need to decode the utf8 strings in each thread.
This
+ is likely not a problem because:
+
+ 1) most modules have few imports/exports/custom sections.
+ 2) most of the time they are ascii so the conversion is cheap.
+ 3) we only have to do it once per thread, and there shouldn't be too many.
+
+ This patch also removes
+ moduleSignatureIndicesToUniquedSignatureIndices since that
+ information can already be recovered from the
+ SignatureInformation.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * jsc.cpp:
+ (functionTestWasmModuleFunctions):
+ * runtime/Identifier.h:
+ (JSC::Identifier::fromString):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmB3IRGenerator.h:
+ * wasm/WasmFormat.cpp:
+ (JSC::Wasm::makeString):
+ (JSC::Wasm::ModuleInformation::~ModuleInformation): Deleted.
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::makeString):
+ (JSC::Wasm::ModuleInformation::functionIndexSpaceSize): Deleted.
+ (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace): Deleted.
+ (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace): Deleted.
+ (JSC::Wasm::ModuleInformation::importFunctionCount): Deleted.
+ (JSC::Wasm::ModuleInformation::internalFunctionCount): Deleted.
+ * wasm/WasmFunctionParser.h:
+ (JSC::Wasm::FunctionParser::FunctionParser):
+ * wasm/WasmModuleInformation.cpp: Copied from Source/JavaScriptCore/wasm/WasmValidate.h.
+ (JSC::Wasm::ModuleInformation::~ModuleInformation):
+ * wasm/WasmModuleInformation.h: Added.
+ (JSC::Wasm::ModuleInformation::functionIndexSpaceSize):
+ (JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace):
+ (JSC::Wasm::ModuleInformation::signatureIndexFromFunctionIndexSpace):
+ (JSC::Wasm::ModuleInformation::importFunctionCount):
+ (JSC::Wasm::ModuleInformation::internalFunctionCount):
+ (JSC::Wasm::ModuleInformation::ModuleInformation):
+ * wasm/WasmModuleParser.cpp:
+ * wasm/WasmModuleParser.h:
+ (JSC::Wasm::ModuleParser::ModuleParser):
+ * wasm/WasmParser.h:
+ (JSC::Wasm::Parser::consumeUTF8String):
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::Plan):
+ (JSC::Wasm::Plan::parseAndValidateModule):
+ (JSC::Wasm::Plan::prepare):
+ (JSC::Wasm::Plan::compileFunctions):
+ (JSC::Wasm::Plan::complete):
+ (JSC::Wasm::Plan::cancel):
+ * wasm/WasmPlan.h:
+ (JSC::Wasm::Plan::internalFunctionCount):
+ (JSC::Wasm::Plan::takeModuleInformation):
+ * wasm/WasmSignature.cpp:
+ (JSC::Wasm::SignatureInformation::get):
+ * wasm/WasmSignature.h:
+ * wasm/WasmValidate.cpp:
+ (JSC::Wasm::validateFunction):
+ * wasm/WasmValidate.h:
+ * wasm/js/JSWebAssemblyHelpers.h:
+ (JSC::createSourceBufferFromValue):
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::createStub):
+ (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
+ (JSC::JSWebAssemblyModule::finishCreation):
+ * wasm/js/JSWebAssemblyModule.h:
+ (JSC::JSWebAssemblyModule::moduleInformation):
+ (JSC::JSWebAssemblyModule::source):
+ * wasm/js/WebAssemblyInstanceConstructor.cpp:
+ (JSC::constructJSWebAssemblyInstance):
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ (JSC::WebAssemblyModuleConstructor::createModule):
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+ (JSC::webAssemblyModuleProtoCustomSections):
+ (JSC::webAssemblyModuleProtoImports):
+ (JSC::webAssemblyModuleProtoExports):
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ * wasm/js/WebAssemblyModuleRecord.h:
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyCompileFunc):
+ (JSC::instantiate):
+
(JSC::compileAndInstantiate): + +2017-04-04 Filip Pizlo + + B3::fixSSA() needs a tune-up + https://bugs.webkit.org/show_bug.cgi?id=170485 + + Reviewed by Saam Barati. + + After the various optimizations to liveness, register allocation, and other phases, the + fixSSA() phase now looks like one of the top offenders. This includes a bunch of + changes to make this phase run faster. This is a ~7% wasm -O1 compile time progression. + + Here's what I did: + + - We now use IndexSparseSet instead of IndexMap for tracking variable values. This + makes it cheaper to chew through small blocks while there is a non-trivial number of + total variables. + + - We now do a "local SSA conversion" pass before anything else. This eliminates + obvious Get's. If we were using temporary Variables, it would eliminate many of + those. That's useful for when we use demoteValues() and duplciateTails(). For wasm + -O1, we mainly care about the fact that it makes a bunch of Set's dead. + + - We now do a Set DCE pass after the local SSA but before SSA conversion. This ensures + that any block-local live intervals of Variables disappear and don't need further + consideration. + + - We now cache the reaching defs calculation. + + - We now perform the reaching defs calculation lazily. + + * b3/B3FixSSA.cpp: + (JSC::B3::demoteValues): + (JSC::B3::fixSSA): + * b3/B3SSACalculator.cpp: + (JSC::B3::SSACalculator::reachingDefAtTail): + * b3/B3VariableLiveness.cpp: + (JSC::B3::VariableLiveness::VariableLiveness): + * b3/air/AirLiveness.h: + (JSC::B3::Air::Liveness::Liveness): + * dfg/DFGLivenessAnalysisPhase.cpp: + (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase): Deleted. + (JSC::DFG::LivenessAnalysisPhase::run): Deleted. + (JSC::DFG::LivenessAnalysisPhase::processBlock): Deleted. + +2017-04-04 Joseph Pecoraro + + Remove stale LLVM Header Path includes from JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=170483 + + Reviewed by Mark Lam. 
+ + * Configurations/Base.xcconfig: + +2017-04-04 Filip Pizlo + + B3::LowerToAir incorrectly selects BitXor(AtomicStrongCAS(...), $1) + https://bugs.webkit.org/show_bug.cgi?id=169867 + + Reviewed by Saam Barati. + + The BitXor(AtomicWeakCAS(...), $1) optimization makes a lot of sense because we an fold the + BitXor into the CAS condition read-out. But there is no version of this that is profitable or + correct for AtomicStrongCAS. The inversion case is handled by Equal(AtomicStrongCAS(...), ...) + becoming NotEqual(AtomicStrongCAS(...), ...), and we alraedy handle that separately. + + So, the fix here is to make the BitXor CAS pattern only recognize AtomicWeakCAS. + + * b3/B3LowerToAir.cpp: + (JSC::B3::Air::LowerToAir::lower): + * b3/testb3.cpp: + (JSC::B3::testAtomicStrongCAS): + +2017-04-04 Saam Barati + + WebAssembly: JSWebAssemblyCallee should not be a JSCell + https://bugs.webkit.org/show_bug.cgi?id=170135 + + Reviewed by Michael Saboff. + + This patch is perhaps the last big change to the design of fundamental + Wasm API to allow for PIC. It changes JSWebAssemblyCallee into a thing + called Wasm::Callee. It serves the same purpose as before, except + Wasm::Callee is not a JSCell. I had to refactor the various parts of the + runtime that will see CallFrame's with Wasm::Callee's in the callee slot. + Thankfully, the parts of the runtime that Wasm touches are limited. The + main refactoring is changing the exception handling code, such as taking + a stack trace, to be friendly to seeing a non JSCell callee. + + The callee() function on ExecState now returns a class I added in this + patch called CalleeBits. CalleeBits will tell you if the callee is a + JSCell or a Wasm::Callee. We tag Wasm::Callee's with a 1 in their lower + bit so we can easily tell what is and isn't a Wasm::Callee. + + The stub that calls out from Wasm to JS still puts a JSCell callee + into the call frame, even though the callee logically represents a + Wasm frame. 
The reason for this is that we use the call IC infrastructure + to make a call out to JS code, and the code that writes the IC expects + a JSCell as the callee. This is knowingly part of our design. When we + do structured cloning of Wasm Modules, we'll need to regenerate these + JS call stubs. + + * API/JSContextRef.cpp: + (BacktraceFunctor::operator()): + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * debugger/Debugger.cpp: + (JSC::Debugger::pauseIfNeeded): + (JSC::Debugger::currentDebuggerCallFrame): + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::create): + (JSC::DebuggerCallFrame::DebuggerCallFrame): + (JSC::DebuggerCallFrame::currentPosition): + (JSC::DebuggerCallFrame::positionForCallFrame): + * debugger/DebuggerCallFrame.h: + * interpreter/CallFrame.cpp: + (JSC::CallFrame::vmEntryGlobalObject): + (JSC::CallFrame::wasmAwareLexicalGlobalObject): + (JSC::CallFrame::isAnyWasmCallee): + (JSC::CallFrame::callerSourceOrigin): + * interpreter/CallFrame.h: + (JSC::ExecState::calleeAsValue): + (JSC::ExecState::jsCallee): + (JSC::ExecState::callee): + (JSC::ExecState::unsafeCallee): + (JSC::ExecState::scope): + (JSC::ExecState::iterate): + * interpreter/CalleeBits.h: Added. 
+ (JSC::CalleeBits::CalleeBits):
+ (JSC::CalleeBits::operator=):
+ (JSC::CalleeBits::boxWasm):
+ (JSC::CalleeBits::isWasm):
+ (JSC::CalleeBits::isCell):
+ (JSC::CalleeBits::asCell):
+ (JSC::CalleeBits::asWasmCallee):
+ (JSC::CalleeBits::rawPtr):
+ * interpreter/Interpreter.cpp:
+ (JSC::GetStackTraceFunctor::operator()):
+ (JSC::Interpreter::getStackTrace):
+ (JSC::notifyDebuggerOfUnwinding):
+ (JSC::UnwindFunctor::UnwindFunctor):
+ (JSC::UnwindFunctor::operator()):
+ (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+ (JSC::Interpreter::unwind):
+ (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
+ * interpreter/Interpreter.h:
+ * interpreter/Register.h:
+ (JSC::Register::pointer):
+ * interpreter/ShadowChicken.cpp:
+ (JSC::ShadowChicken::update):
+ * interpreter/ShadowChickenInlines.h:
+ (JSC::ShadowChicken::iterate):
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::StackVisitor):
+ (JSC::StackVisitor::readFrame):
+ (JSC::StackVisitor::readNonInlinedFrame):
+ (JSC::StackVisitor::readInlinedFrame):
+ (JSC::StackVisitor::Frame::calleeSaveRegisters):
+ (JSC::StackVisitor::Frame::functionName):
+ (JSC::StackVisitor::Frame::dump):
+ * interpreter/StackVisitor.h:
+ (JSC::StackVisitor::Frame::callee):
+ (JSC::StackVisitor::visit):
+ * jit/Repatch.cpp:
+ (JSC::linkFor):
+ (JSC::linkPolymorphicCall):
+ * jsc.cpp:
+ (callWasmFunction):
+ (functionTestWasmModuleFunctions):
+ * runtime/ArrayPrototype.cpp:
+ * runtime/Error.cpp:
+ (JSC::addErrorInfoAndGetBytecodeOffset):
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::finishCreation):
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::isAnyWasmCallee): Deleted.
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::ExecState::vm):
+ * runtime/JSFunction.cpp:
+ (JSC::RetrieveArgumentsFunctor::operator()):
+ (JSC::RetrieveCallerFunctionFunctor::operator()):
+ * runtime/JSGlobalObject.cpp:
+ * runtime/SamplingProfiler.cpp:
+ (JSC::FrameWalker::recordJSFrame):
+ (JSC::SamplingProfiler::processUnverifiedStackTraces):
+ * runtime/SamplingProfiler.h:
+ (JSC::SamplingProfiler::UnprocessedStackFrame::UnprocessedStackFrame):
+ * runtime/StackFrame.cpp:
+ (JSC::StackFrame::sourceURL):
+ (JSC::StackFrame::functionName):
+ * runtime/StackFrame.h:
+ (JSC::StackFrame::wasm):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::throwException):
+ * runtime/VM.h:
+ * wasm/JSWebAssembly.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmCallee.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
+ (JSC::Wasm::Callee::Callee):
+ (JSC::JSWebAssemblyCallee::JSWebAssemblyCallee): Deleted.
+ (JSC::JSWebAssemblyCallee::finishCreation): Deleted.
+ (JSC::JSWebAssemblyCallee::destroy): Deleted.
+ * wasm/WasmCallee.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.h.
+ (JSC::Wasm::Callee::create):
+ (JSC::JSWebAssemblyCallee::create): Deleted.
+ (JSC::JSWebAssemblyCallee::createStructure): Deleted.
+ (JSC::JSWebAssemblyCallee::entrypoint): Deleted.
+ (JSC::JSWebAssemblyCallee::calleeSaveRegisters): Deleted.
+ * wasm/WasmContext.h:
+ * wasm/WasmPlan.cpp:
+ * wasm/WasmPlan.h:
+ * wasm/WasmPlanInlines.h:
+ (JSC::Wasm::Plan::initializeCallees):
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
+ * wasm/js/JSWebAssemblyCallee.cpp: Removed.
+ * wasm/js/JSWebAssemblyCallee.h: Removed.
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
+ (JSC::JSWebAssemblyCodeBlock::initialize):
+ (JSC::JSWebAssemblyCodeBlock::visitChildren):
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+ (JSC::JSWebAssemblyCodeBlock::create):
+ (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
+ (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
+ (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub):
+ (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee):
+ (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee):
+ (JSC::JSWebAssemblyCodeBlock::offsetOfImportStubs):
+ (JSC::JSWebAssemblyCodeBlock::allocationSize):
+ (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub):
+ (JSC::JSWebAssemblyCodeBlock::callees): Deleted.
+ (JSC::JSWebAssemblyCodeBlock::offsetOfCallees): Deleted.
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
+ * wasm/js/JSWebAssemblyModule.cpp:
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ (JSC::WebAssemblyFunction::create):
+ (JSC::WebAssemblyFunction::WebAssemblyFunction):
+ (JSC::WebAssemblyFunction::visitChildren):
+ (JSC::WebAssemblyFunction::finishCreation):
+ * wasm/js/WebAssemblyFunction.h:
+ (JSC::WebAssemblyFunction::wasmEntrypoint):
+ (JSC::WebAssemblyFunction::jsEntrypoint):
+ (JSC::WebAssemblyFunction::offsetOfWasmEntrypoint):
+ (JSC::WebAssemblyFunction::offsetOfWasmEntryPointCode): Deleted.
+ * wasm/js/WebAssemblyModuleConstructor.cpp:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ (JSC::WebAssemblyModuleRecord::evaluate):
+
+2017-04-04 Keith Miller
+
+ WasmBench asserts in debug jsc
+ https://bugs.webkit.org/show_bug.cgi?id=170462
+
+ Reviewed by Saam Barati.
+
+ The assertion should have been an if.
+ + * wasm/WasmWorklist.cpp: + +2017-04-04 Filip Pizlo + + Air::lowerAfterRegAlloc should bail early if it finds no Shuffles or ColdCCalls + https://bugs.webkit.org/show_bug.cgi?id=170305 + + Reviewed by Saam Barati. + + This reduces and sometimes completely eliminates the need to run lowerAfterRegAlloc(). + + This lowers the Shuffle for the arguments of a CCall before register allocation unless + the CCall arguments require a real shuffle (like if the CCall arguments were argument + registers). This lowers a ColdCCall like a CCall for optLevel<2. + + Finally, lowerAfterRegAlloc() now checks if there are any Shuffles or CCalls before it + does anything else. For wasm at -O1, this means that the phase doesn't run at all. This + is a ~3% wasm -O1 compile time progression. + + To make this easy, I changed optLevel into a property of Procedure and Code rather than + an argument we thread through everything. I like how Procedure and Code are dumping + ground classes. This does not bother me. Note that I cloned optLevel into Procedure and + Code so that it's cheap to query inside Air phases. 
+ + * b3/B3Compile.cpp: + (JSC::B3::compile): + * b3/B3Compile.h: + * b3/B3Generate.cpp: + (JSC::B3::prepareForGeneration): + (JSC::B3::generateToAir): + * b3/B3Generate.h: + * b3/B3Procedure.cpp: + (JSC::B3::Procedure::setOptLevel): + * b3/B3Procedure.h: + (JSC::B3::Procedure::optLevel): + * b3/air/AirCode.h: + (JSC::B3::Air::Code::isPinned): + (JSC::B3::Air::Code::setOptLevel): + (JSC::B3::Air::Code::optLevel): + * b3/air/AirEmitShuffle.cpp: + (JSC::B3::Air::ShufflePair::bank): + (JSC::B3::Air::ShufflePair::opcode): + (JSC::B3::Air::ShufflePair::inst): + (JSC::B3::Air::emitShuffle): + * b3/air/AirEmitShuffle.h: + (JSC::B3::Air::moveFor): + * b3/air/AirGenerate.cpp: + (JSC::B3::Air::prepareForGeneration): + * b3/air/AirGenerate.h: + * b3/air/AirLowerAfterRegAlloc.cpp: + (JSC::B3::Air::lowerAfterRegAlloc): + * b3/air/AirLowerMacros.cpp: + (JSC::B3::Air::lowerMacros): + * b3/testb3.cpp: + (JSC::B3::compileProc): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::parseAndCompile): + +2017-04-04 Filip Pizlo + + Don't need to Air::reportUsedRegisters for wasm at -O1 + https://bugs.webkit.org/show_bug.cgi?id=170459 + + Reviewed by Saam Barati. + + I did some refactorings to Liveness<> to try to understand its performance. Based on + this I concluded that the bigger immediate issue is just removing unnecessary phases + from -O1. + + This removes Air::reportUsedRegisters() from -O1 if the user has indicated that he is + not interested in StackmapGenerationParams::usedRegisters(). The logic here is a bit + weird because of how Air does spill code generation. The register allocator's spiller + will emit spill code using identifiable spill slots, which allows subsequent phases to + register-allocate the spill slots. We do this by a forward flow CSE phase called + fixObviousSpills (which is a terrible name since there is no longer anything obvious + about some of the spills that this phase can fix!). 
As is most natural for CSEs over + 3AC, it rewires the uses of redundant computations rather than removing the redundant + computations. This means that if a spill got "fixed", there may be either or both of + the following: + + - Dead loads from the stack. + - Dead stores to the stack. + + We know that a load from the stack is dead if the register is dead at the point of the + load. We know that a store to the stack is dead if the spill slot is dead at the point + of the store. + + Unfortunately, liveness analysis - over either registers or spill slots - is expensive. + + Fortunately, allocateStack() already does liveness analysis over spill slots. So, we + baked elimination of stores to the stack into that phase. That aspect of clean-up after + the spill CSE comes for free. + + Also fortunately for the FTL, we have to do reportUsedRegisters() anyway. This is a + phase that enables StackmapGenerationParams::usedRegisters() to work, which then + enables the FTL's patchpoints to do crazy slow-path live range splitting. So, Air's + strategy for the load fix-up after spill CSE is to do it as part of + reportUsedRegisters(). + + This patch introduces the Procedure::setNeedsUsedRegisters() API. But if you set + needsUsedRegisters to false then we will still run reportUsedRegisters() at -O2 as an + optimization - it removes dead loads from the stack that are left behind from + fixObviousSpills(). + + This is a ~6% compile time progression at -O1. 
+ + * b3/B3Procedure.h: + (JSC::B3::Procedure::setNeedsUsedRegisters): + (JSC::B3::Procedure::needsUsedRegisters): + * b3/B3StackmapGenerationParams.h: + * b3/B3VariableLiveness.cpp: + (JSC::B3::VariableLiveness::VariableLiveness): + * b3/air/AirCode.cpp: + (JSC::B3::Air::Code::needsUsedRegisters): + * b3/air/AirCode.h: + * b3/air/AirGenerate.cpp: + (JSC::B3::Air::prepareForGeneration): + * b3/air/AirLiveness.h: + (JSC::B3::Air::Liveness::Liveness): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::parseAndCompile): + +2017-04-03 Filip Pizlo + + Air liveness should build constraints and solve them rather than repeatedly parsing IR + https://bugs.webkit.org/show_bug.cgi?id=170421 + + Reviewed by Saam Barati. + + Inst::forEach<> is expensive. The LivenessAdapter uses forEach with a particularly + gnarly lambda that has many extra checks. Therefore, a lot of the time spent in + liveness analysis is just recomputing forEach<> and that lambda to get uses and defs. + + This introduces LivenessConstraints<>, which is a liveness constraint system based on + Adapter. It basically caches the results of doing forEach. It'll give you the uses and + defs at each instruction boundary. + + This is a ~5% compile time progression at optLevel=1. It's also a ~3% compile time + progression at optLevel=2. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/air/AirLivenessAdapter.h: + (JSC::B3::Air::LivenessAdapter::LivenessAdapter): + (JSC::B3::Air::LivenessAdapter::forEachUse): + (JSC::B3::Air::LivenessAdapter::forEachDef): + * b3/air/AirLivenessConstraints.h: Added. + (JSC::B3::Air::LivenessConstraints::Actions::Actions): + (JSC::B3::Air::LivenessConstraints::LivenessConstraints): + (JSC::B3::Air::LivenessConstraints::at): + +2017-04-03 Mark Lam + + Fix incorrect capacity delta calculation reported in SparseArrayValueMap::add(). + https://bugs.webkit.org/show_bug.cgi?id=170412 + + + Reviewed by Filip Pizlo. 
+ + Here's an example of code that will trigger underflow in the "deprecatedExtraMemory" + reported by SparseArrayValueMap::add() that is added to Heap::m_deprecatedExtraMemorySize: + + arr = new Array; + Object.defineProperty(arr, 18, ({writable: true, configurable: true})); + for (var i = 0; i < 3; ++i) { + Array.prototype.push.apply(arr, ["", () => {}, {}]); + Array.prototype.sort.apply(arr, [() => {}, []]); + } + + However, Heap::m_deprecatedExtraMemorySize is only 1 of 3 values that are added + up to form the result of Heap::extraMemorySize(). Heap::m_extraMemorySize and + Heap::m_arrayBuffers.size() are the other 2. + + While Heap::m_arrayBuffers.size() is bounded by actual allocated memory, both + Heap::m_deprecatedExtraMemorySize and Heap::m_extraMemorySize are added to + without any bounds checks, and they are only reset to 0 at the start of a full + GC. As a result, if we have a long sequence of eden GCs with a lot of additions + to Heap::m_extraMemorySize and/or Heap::m_deprecatedExtraMemorySize, then these + values could theoretically overflow. Coupling this with the underflow from + SparseArrayValueMap::add(), the result for Heap::extraMemorySize() can easily + overflow. Note: Heap::extraMemorySize() is used to compute the value + currentHeapSize. + + If multiple conditions line up just right, the above overflows can result in this + debug assertion failure during an eden GC: + + ASSERT(currentHeapSize >= m_sizeAfterLastCollect); + + Otherwise, the effects of the overflows will only result in the computed + currentHeapSize not being representative of actual memory usage, and therefore, + a full GC may be triggered earlier or later than is ideal. + + This patch ensures that SparseArrayValueMap::add() cannot underflow + Heap::m_deprecatedExtraMemorySize. 
It also adds overflows checks in the + calculations of Heap::m_deprecatedExtraMemorySize, Heap::m_extraMemorySize, and + Heap::extraMemorySize() so that their values are saturated appropriately to + ensure that GC collections are triggered based on representative memory usage. + + * heap/Heap.cpp: + (JSC::Heap::deprecatedReportExtraMemorySlowCase): + (JSC::Heap::extraMemorySize): + (JSC::Heap::updateAllocationLimits): + (JSC::Heap::reportExtraMemoryVisited): + * runtime/SparseArrayValueMap.cpp: + (JSC::SparseArrayValueMap::add): + +2017-04-03 Filip Pizlo + + Move the Liveness<> adapters from AirLiveness.h to AirLivenessAdapter.h. + + Rubber stamped by Keith Miller. + + This will make it easier to write other code that uses those adapters. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/air/AirLiveness.h: + (JSC::B3::Air::LivenessAdapter::LivenessAdapter): Deleted. + (JSC::B3::Air::LivenessAdapter::blockSize): Deleted. + (JSC::B3::Air::LivenessAdapter::forEachUse): Deleted. + (JSC::B3::Air::LivenessAdapter::forEachDef): Deleted. + (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): Deleted. + (JSC::B3::Air::TmpLivenessAdapter::numIndices): Deleted. + (JSC::B3::Air::TmpLivenessAdapter::acceptsBank): Deleted. + (JSC::B3::Air::TmpLivenessAdapter::acceptsRole): Deleted. + (JSC::B3::Air::TmpLivenessAdapter::valueToIndex): Deleted. + (JSC::B3::Air::TmpLivenessAdapter::indexToValue): Deleted. + (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): Deleted. + (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): Deleted. + (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank): Deleted. + (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole): Deleted. + (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex): Deleted. + (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): Deleted. + * b3/air/AirLivenessAdapter.h: Added. 
+ (JSC::B3::Air::LivenessAdapter::LivenessAdapter): + (JSC::B3::Air::LivenessAdapter::blockSize): + (JSC::B3::Air::LivenessAdapter::forEachUse): + (JSC::B3::Air::LivenessAdapter::forEachDef): + (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): + (JSC::B3::Air::TmpLivenessAdapter::numIndices): + (JSC::B3::Air::TmpLivenessAdapter::acceptsBank): + (JSC::B3::Air::TmpLivenessAdapter::acceptsRole): + (JSC::B3::Air::TmpLivenessAdapter::valueToIndex): + (JSC::B3::Air::TmpLivenessAdapter::indexToValue): + (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): + (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): + (JSC::B3::Air::StackSlotLivenessAdapter::acceptsBank): + (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole): + (JSC::B3::Air::StackSlotLivenessAdapter::valueToIndex): + (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): + +2017-04-03 Filip Pizlo + + WTF::Liveness should have an API that focuses on actions at instruction boundaries + https://bugs.webkit.org/show_bug.cgi?id=170407 + + Reviewed by Keith Miller. + + Adopt changes to the WTF::Liveness<> API. Instead of having separate functions for the + early/late versions of uses and defs, we now have just a use/def API. Those + automatically take care of eary/late issues as needed. + + This reduces the API surface between WTF::Liveness<> and its clients, which makes it + easier to implement some other optimizations I'm thinking about. + + * b3/B3VariableLiveness.h: + (JSC::B3::VariableLivenessAdapter::forEachUse): + (JSC::B3::VariableLivenessAdapter::forEachDef): + (JSC::B3::VariableLivenessAdapter::forEachEarlyUse): Deleted. + (JSC::B3::VariableLivenessAdapter::forEachLateUse): Deleted. + (JSC::B3::VariableLivenessAdapter::forEachEarlyDef): Deleted. + (JSC::B3::VariableLivenessAdapter::forEachLateDef): Deleted. 
+ * b3/air/AirLiveness.h: + (JSC::B3::Air::LivenessAdapter::blockSize): + (JSC::B3::Air::LivenessAdapter::forEachUse): + (JSC::B3::Air::LivenessAdapter::forEachDef): + (JSC::B3::Air::LivenessAdapter::forEachEarlyUse): Deleted. + (JSC::B3::Air::LivenessAdapter::forEachLateUse): Deleted. + (JSC::B3::Air::LivenessAdapter::forEachEarlyDef): Deleted. + (JSC::B3::Air::LivenessAdapter::forEachLateDef): Deleted. + +2017-04-03 Filip Pizlo + + Inst::forEachArg could compile to more compact code + https://bugs.webkit.org/show_bug.cgi?id=170406 + + Reviewed by Sam Weinig. + + Prior to this change, Inst::forEachArg compiled to a ginormous ALWAYS_INLINE switch statement. + It had one case for each opcode, and then each of those cases would have a switch statement over + the number of operands. Then the cases of that switch statement would have a sequence of calls to + the passed lambda. This meant that every user of forEachArg would generate an insane amount of + code. It also meant that the inlining achieved nothing, since the lambda would surely then not + be inlined - and if it was, then the icache pressure due to code bloat would surely negate any + benefits. + + This replaces that code with a loop over a compact look-up table. We use the opcode and number of + operands as keys into that look-up table. The table only takes about 20KB. It has one byte for + each argument in each overload of each opcode. + + I can't measure any reproducible change in performance, but the JavaScriptCore framework binary + shrinks by 2.7 MB. This is a 15% reduction in JavaScriptCore binary size. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/B3Width.h: + * b3/air/AirCustom.h: + (JSC::B3::Air::PatchCustom::forEachArg): + * b3/air/AirFormTable.h: Added. 
+ (JSC::B3::Air::decodeFormRole): + (JSC::B3::Air::decodeFormBank): + (JSC::B3::Air::decodeFormWidth): + * b3/air/AirInst.h: + * b3/air/opcode_generator.rb: + +2017-04-03 Keith Miller + + WebAssembly: remove lastAllocatedMode from Memory + https://bugs.webkit.org/show_bug.cgi?id=170405 + + Reviewed by Mark Lam. + + It's not used anymore so there isn't any point in keeping it around. + + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::createImpl): + (JSC::Wasm::Memory::lastAllocatedMode): Deleted. + * wasm/WasmMemory.h: + +2017-04-03 Zan Dobersek + + [jsc] Add patchableJumpSize() for MIPS + https://bugs.webkit.org/show_bug.cgi?id=169716 + + Reviewed by Yusuke Suzuki. + + * assembler/MIPSAssembler.h: + (JSC::MIPSAssembler::patchableJumpSize): Added. + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::patchableJumpSize): Added. + +2017-04-03 Guillaume Emont + + [jsc] implement MIPSAssembler::relinkJumpToNop() + https://bugs.webkit.org/show_bug.cgi?id=169720 + + Reviewed by Yusuke Suzuki. + + * assembler/MIPSAssembler.h: + (JSC::MIPSAssembler::relinkJumpToNop): Added. + +2017-04-02 Carlos Garcia Campos + + Share implementation of JSRunLoopTimer::timerDidFire + https://bugs.webkit.org/show_bug.cgi?id=170392 + + Reviewed by Michael Catanzaro. + + The code is cross-platform but it's duplicated in CF and GLib implementations, it could be shared instead. + + * runtime/JSRunLoopTimer.cpp: + (JSC::JSRunLoopTimer::timerDidFire): Move common implementation here. + (JSC::JSRunLoopTimer::setRunLoop): Use timerDidFireCallback. + (JSC::JSRunLoopTimer::timerDidFireCallback): Call JSRunLoopTimer::timerDidFire(). + * runtime/JSRunLoopTimer.h: + +2017-04-01 Oleksandr Skachkov + + Object with numerical keys with gaps gets filled by NaN values + https://bugs.webkit.org/show_bug.cgi?id=164412 + + Reviewed by Mark Lam. + + This patch fixes issue when object have two properties + with name as number. 
The issue appears when during invoking + convertDoubleToArrayStorage, array is filled by pNaN and + method converting it to real NaN. This happeneds because a + pNaN in a Double array is a hole, and Double arrays cannot + have NaN values. To fix issue we need to check value and + clear it if it pNaN. + + * runtime/JSObject.cpp: + (JSC::JSObject::convertDoubleToArrayStorage): + +2017-03-31 Saam Barati + + WebAssembly: Make our calls out to JS PIC friendly + https://bugs.webkit.org/show_bug.cgi?id=170261 + + Reviewed by Keith Miller. + + This patch removes a direct call from the module to the Wasm to JS stub. + Instead, we do an indirect call to the stub by loading the stub's executable + address off of the CodeBlock. This is to make the code we emit for comply with + requirements needed for PIC. + + Adding this indirection is not ideal. Although this patch is neutral on + WasmBench, we really want to get back to a world where we have an IC + call infrastructure. This patch is obviously a regression on some + types of programs. 
I've filed this bug to make sure we implement a + PIC compliant Wasm to JS call IC: + https://bugs.webkit.org/show_bug.cgi?id=170375 + + * wasm/WasmB3IRGenerator.cpp: + * wasm/WasmFormat.h: + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::complete): + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::initialize): + * wasm/js/JSWebAssemblyCodeBlock.h: + (JSC::JSWebAssemblyCodeBlock::create): + (JSC::JSWebAssemblyCodeBlock::offsetOfImportWasmToJSStub): + (JSC::JSWebAssemblyCodeBlock::offsetOfCallees): + (JSC::JSWebAssemblyCodeBlock::allocationSize): + (JSC::JSWebAssemblyCodeBlock::importWasmToJSStub): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock): + * wasm/js/JSWebAssemblyInstance.h: + (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): + +2017-03-31 Keith Miller + + WebAssembly: webAssemblyB3OptimizationLevel should use defaultB3OptLevel by default + https://bugs.webkit.org/show_bug.cgi?id=170378 + + Reviewed by Saam Barati. + + * runtime/Options.h: + * wasm/WasmB3IRGenerator.h: + +2017-03-31 Keith Miller + + WebAssembly: Add compilation level option + https://bugs.webkit.org/show_bug.cgi?id=170374 + + Reviewed by Mark Lam. + + This patch adds an option, webAssemblyB3OptimizationLevel, which + changes the optimization mode wasm passes to B3. + + * runtime/Options.h: + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::compileFunctions): + +2017-03-31 Saam Barati + + WebAssembly: Strip WasmParser and WasmFunctionParser from knowing about VM + https://bugs.webkit.org/show_bug.cgi?id=170312 + + Reviewed by Mark Lam. + + This is another step towards PIC-ifying Wasm. This patch removes + the VM field that is no longer used. 
+ + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::parseAndCompile): + * wasm/WasmB3IRGenerator.h: + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::FunctionParser): + * wasm/WasmModuleParser.h: + (JSC::Wasm::ModuleParser::ModuleParser): + * wasm/WasmParser.h: + (JSC::Wasm::Parser::Parser): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::parseAndValidateModule): + (JSC::Wasm::Plan::compileFunctions): + * wasm/WasmValidate.cpp: + (JSC::Wasm::validateFunction): + * wasm/WasmValidate.h: + +2017-03-31 Saam Barati + + WebAssembly: Ref count Signature and SignatureInformation should not care about VM + https://bugs.webkit.org/show_bug.cgi?id=170316 + + Reviewed by Keith Miller. + + This is yet again another step towards PIC-ifying Wasm. + Signature should be ref counted so we can tell when + no code is holding onto a Signature. This makes it easy + to free unused Signatures. Also, this patch rids SignatureInfo + of any VM knowledge. Now, there is just a single SignatureInfo that + lives in a process. + + * runtime/VM.h: + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::createJSToWasmWrapper): + (JSC::Wasm::parseAndCompile): + * wasm/WasmB3IRGenerator.h: + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToJs): + * wasm/WasmCallingConvention.h: + (JSC::Wasm::CallingConvention::loadArguments): + * wasm/WasmFormat.h: + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::FunctionParser): + * wasm/WasmModuleParser.cpp: + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::parseAndValidateModule): + (JSC::Wasm::Plan::compileFunctions): + (JSC::Wasm::Plan::complete): + * wasm/WasmSignature.cpp: + (JSC::Wasm::Signature::hash): + (JSC::Wasm::Signature::tryCreate): + (JSC::Wasm::SignatureInformation::SignatureInformation): + (JSC::Wasm::SignatureInformation::singleton): + (JSC::Wasm::SignatureInformation::adopt): + (JSC::Wasm::SignatureInformation::get): + (JSC::Wasm::SignatureInformation::tryCleanup): + (JSC::Wasm::Signature::create): Deleted. 
+ (JSC::Wasm::Signature::createInvalid): Deleted.
+ (JSC::Wasm::Signature::destroy): Deleted.
+ (JSC::Wasm::SignatureInformation::~SignatureInformation): Deleted.
+ * wasm/WasmSignature.h:
+ (JSC::Wasm::Signature::allocatedSize):
+ (JSC::Wasm::Signature::operator==):
+ * wasm/WasmValidate.cpp:
+ (JSC::Wasm::validateFunction):
+ * wasm/WasmValidate.h:
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::destroy):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ * wasm/js/WebAssemblyFunction.h:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::WebAssemblyModuleRecord::link):
+ (JSC::WebAssemblyModuleRecord::evaluate):
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+ (JSC::WebAssemblyWrapperFunction::create):
+ * wasm/js/WebAssemblyWrapperFunction.h:
+
+2017-03-31 Mark Lam
+
+ Array.prototype.splice() should not be using JSArray::tryCreateForInitializationPrivate().
+ https://bugs.webkit.org/show_bug.cgi?id=170303
+
+
+ Reviewed by Filip Pizlo.
+
+ This is because it needs to call getProperty() later to get the values for
+ initializing the array. getProperty() can execute arbitrary code and potentially
+ trigger the GC. This is not allowed for clients of JSArray::tryCreateForInitializationPrivate().
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSplice):
+ (JSC::copySplicedArrayElements): Deleted.
+
+2017-03-31 Oleksandr Skachkov
+
+ String.prototype.replace incorrectly applies "special replacement parameters" when passed a function
+ https://bugs.webkit.org/show_bug.cgi?id=170151
+
+ Reviewed by Saam Barati.
+
+ This patch fixes issue for String.prototype.replace when passed a function
+ with special symbols "$$". It happeneds because substituteBackreferences applies
+ unconditionally, but according to the spec it should be applied only for text
+ 21.1.3.16.8 https://tc39.github.io/ecma262/#sec-string.prototype.replace
+
+ * runtime/StringPrototype.cpp:
+ (JSC::replaceUsingStringSearch):
+
+2017-03-30 Saam Barati
+
+ WebAssembly: When Wasm calls to C, it should use Wasm::Context* instead of ExecState* to get VM
+ https://bugs.webkit.org/show_bug.cgi?id=170185
+
+ Reviewed by Michael Saboff.
+
+ This is one more step in the direction of PIC-ified Wasm.
+ When we lift WasmCallee above VM, we will no longer be
+ able to get VM from ExecState*. This patch ensures that
+ we don't do that from within the Wasm runtime. Instead,
+ we use the Wasm::Context* to get the VM.
+
+ This patch also adds a new class, Wasm::Thunks. There
+ is a single Wasm::Thunks that lives in the process. It
+ is responsible for generating a thunk that Wasm relies on.
+ The only such thunk right now is the exception throwing
+ thunk.
+
+ This patch also rids WasmFaultSignalHandler from any knowledge
+ of VM. Previously, it relied on VM to get the exception handling
+ thunk.
+
+ The only part of the Wasm runtime that will be allowed
+ to get VM& from ExecState will be WasmBinding. In the
+ future, we plan to keep the calls out to JS to keep
+ a JSCell as the callee.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * interpreter/Interpreter.cpp:
+ (JSC::UnwindFunctor::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBufferImpl):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+ * jit/ThunkGenerators.cpp:
+ (JSC::throwExceptionFromWasmThunkGenerator): Deleted.
+ * jit/ThunkGenerators.h:
+ * runtime/InitializeThreading.cpp:
+ (JSC::initializeThreading):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::getAllCalleeSaveRegisterOffsets):
+ * runtime/VM.h:
+ (JSC::VM::topVMEntryFrameOffset):
+ (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::emitExceptionCheck):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::tryGetFastMemory):
+ * wasm/WasmThunks.cpp: Added.
+ (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
+ (JSC::Wasm::Thunks::initialize):
+ (JSC::Wasm::Thunks::singleton):
+ (JSC::Wasm::Thunks::stub):
+ (JSC::Wasm::Thunks::existingStub):
+ * wasm/WasmThunks.h: Added.
+ * wasm/js/JSWebAssemblyInstance.cpp:
+ (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
+ * wasm/js/JSWebAssemblyInstance.h:
+ (JSC::JSWebAssemblyInstance::offsetOfVM):
+ * wasm/js/JSWebAssemblyMemory.cpp:
+ (JSC::JSWebAssemblyMemory::grow):
+ * wasm/js/JSWebAssemblyMemory.h:
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::webAssemblyMemoryProtoFuncGrow):
+
+2017-03-30 Mark Lam
+
+ IntlObject should not be using JSArray::initializeIndex().
+ https://bugs.webkit.org/show_bug.cgi?id=170302
+
+
+ Reviewed by Saam Barati.
+
+ JSArray::initializeIndex() is only meant to be used with arrays created using
+ JSArray::tryCreateForInitializationPrivate() under very constrained conditions.
+
+ * runtime/IntlObject.cpp:
+ (JSC::canonicalizeLocaleList):
+ (JSC::intlObjectFuncGetCanonicalLocales):
+
+2017-03-30 Filip Pizlo
+
+ Air should support linear scan for optLevel<2
+ https://bugs.webkit.org/show_bug.cgi?id=170161
+
+ Reviewed by Saam Barati.
+
+ This changes the default opt level of B3 to 2. It makes the other opt levels useful by adding a
+ new register allocator. This new linear scan allocator will produce significantly worse code.
+ But it will produce that code a lot faster than IRC or Briggs.
+
+ The opt levels are:
+ 0: no optimizations, linear scan
+ 1: some optimizations, linear scan
+ 2: full optimizations, graph coloring (IRC or Briggs based on CPU)
+
+ What we used to call optLevel=1 is not called optLevel=2, or better yet,
+ optLevel=B3::defaultOptLevel(). We no longer have anything like the old optLevel=0 (which did no
+ optimizations but ran graph coloring).
+
+ allocateRegistersByLinearScan() faithfully implements Massimiliano Poletto and Vivek Sarkar's
+ famous algorithm. It uses the variant that handles clobbered registers by avoiding assigning
+ ranges to those registers if the range overlaps a clobber. It's engineered to allocate registers
+ very quickly and generate inefficient code without falling off a cliff.
+
+ The new optLevel=1 speeds up B3 by a factor of 2, and results in a 80% throughput regression.
+ Linear scan runs 4.7x faster than graph coloring on average.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * b3/B3BasicBlockUtils.h:
+ (JSC::B3::blocksInPreOrder):
+ (JSC::B3::blocksInPostOrder):
+ * b3/B3BlockWorklist.h:
+ * b3/B3CFG.h:
+ (JSC::B3::CFG::newMap):
+ * b3/B3Common.h:
+ (JSC::B3::defaultOptLevel):
+ * b3/B3Compile.h:
+ * b3/B3DuplicateTails.cpp:
+ * b3/B3EliminateCommonSubexpressions.cpp:
+ * b3/B3FixSSA.cpp:
+ (JSC::B3::demoteValues):
+ (JSC::B3::fixSSA):
+ * b3/B3FixSSA.h:
+ * b3/B3Generate.cpp:
+ (JSC::B3::prepareForGeneration):
+ (JSC::B3::generateToAir):
+ * b3/B3Generate.h:
+ * b3/B3HeapRange.cpp: Removed.
+ * b3/B3HeapRange.h:
+ (JSC::B3::HeapRange::HeapRange): Deleted.
+ (JSC::B3::HeapRange::top): Deleted.
+ (JSC::B3::HeapRange::operator==): Deleted.
+ (JSC::B3::HeapRange::operator!=): Deleted.
+ (JSC::B3::HeapRange::operator|): Deleted.
+ (JSC::B3::HeapRange::operator bool): Deleted.
+ (JSC::B3::HeapRange::begin): Deleted.
+ (JSC::B3::HeapRange::end): Deleted.
+ (JSC::B3::HeapRange::overlaps): Deleted.
+ * b3/B3LowerToAir.cpp:
+ * b3/B3MoveConstants.cpp:
+ * b3/B3PhiChildren.h:
+ * b3/B3Procedure.cpp:
+ (JSC::B3::Procedure::dump):
+ (JSC::B3::Procedure::deleteOrphans):
+ (JSC::B3::Procedure::setBlockOrderImpl):
+ * b3/B3ReduceDoubleToFloat.cpp:
+ * b3/B3ReduceStrength.cpp:
+ * b3/B3SSACalculator.h:
+ * b3/B3UseCounts.h:
+ * b3/air/AirAllocateRegistersByGraphColoring.cpp:
+ * b3/air/AirAllocateRegistersByLinearScan.cpp: Added.
+ (JSC::B3::Air::allocateRegistersByLinearScan):
+ * b3/air/AirAllocateRegistersByLinearScan.h: Added.
+ * b3/air/AirAllocateStack.cpp:
+ (JSC::B3::Air::allocateStack):
+ * b3/air/AirArg.cpp:
+ (WTF::printInternal):
+ * b3/air/AirArg.h:
+ (JSC::B3::Air::Arg::activeAt):
+ (JSC::B3::Air::Arg::timing):
+ (JSC::B3::Air::Arg::forEachPhase):
+ * b3/air/AirBasicBlock.h:
+ * b3/air/AirBlockWorklist.h:
+ * b3/air/AirCFG.h:
+ (JSC::B3::Air::CFG::newMap):
+ * b3/air/AirEliminateDeadCode.cpp:
+ (JSC::B3::Air::eliminateDeadCode):
+ * b3/air/AirFixObviousSpills.cpp:
+ * b3/air/AirFixPartialRegisterStalls.cpp:
+ (JSC::B3::Air::fixPartialRegisterStalls):
+ * b3/air/AirFixSpillsAfterTerminals.cpp: Added.
+ (JSC::B3::Air::fixSpillsAfterTerminals):
+ * b3/air/AirFixSpillsAfterTerminals.h: Added.
+ * b3/air/AirGenerate.cpp:
+ (JSC::B3::Air::prepareForGeneration):
+ (JSC::B3::Air::generate):
+ * b3/air/AirGenerate.h:
+ * b3/air/AirGenerationContext.h:
+ * b3/air/AirInsertionSet.h:
+ * b3/air/AirInst.cpp:
+ (JSC::B3::Air::Inst::needsPadding):
+ * b3/air/AirLowerAfterRegAlloc.cpp:
+ (JSC::B3::Air::lowerAfterRegAlloc):
+ * b3/air/AirLowerEntrySwitch.cpp:
+ (JSC::B3::Air::lowerEntrySwitch):
+ * b3/air/AirOpcode.opcodes:
+ * b3/air/AirPhaseInsertionSet.cpp: Added.
+ (JSC::B3::Air::PhaseInsertionSet::execute):
+ * b3/air/AirPhaseInsertionSet.h: Added.
+ (JSC::B3::Air::PhaseInsertion::PhaseInsertion):
+ (JSC::B3::Air::PhaseInsertion::phase):
+ (JSC::B3::Air::PhaseInsertion::operator<):
+ (JSC::B3::Air::PhaseInsertionSet::PhaseInsertionSet):
+ (JSC::B3::Air::PhaseInsertionSet::appendInsertion):
+ (JSC::B3::Air::PhaseInsertionSet::insertInst):
+ (JSC::B3::Air::PhaseInsertionSet::insert):
+ * b3/air/AirRegLiveness.h:
+ (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
+ * b3/air/AirSpillEverything.cpp:
+ (JSC::B3::Air::spillEverything):
+ * b3/air/AirTmp.cpp:
+ * b3/air/AirTmp.h:
+ (JSC::B3::Air::Tmp::tmpForIndex):
+ * b3/air/AirTmpInlines.h:
+ (JSC::B3::Air::Tmp::Indexed::Indexed):
+ (JSC::B3::Air::Tmp::Indexed::index):
+ (JSC::B3::Air::Tmp::AbsolutelyIndexed::AbsolutelyIndexed):
+ (JSC::B3::Air::Tmp::AbsolutelyIndexed::index):
+ (JSC::B3::Air::Tmp::indexed):
+ (JSC::B3::Air::Tmp::absolutelyIndexed):
+ (JSC::B3::Air::Tmp::tmpForAbsoluteIndex):
+ * b3/testb3.cpp:
+ (JSC::B3::compile):
+ (JSC::B3::testMulLoadTwice):
+ * jit/RegisterSet.h:
+ (JSC::RegisterSet::add):
+ (JSC::RegisterSet::remove):
+ * runtime/Options.h:
+ * wasm/WasmB3IRGenerator.h:
+
+2017-03-30 Youenn Fablet
+
+ Clean up RTCDataChannel
+ https://bugs.webkit.org/show_bug.cgi?id=169732
+
+ Reviewed by Chris Dumez.
+
+ * runtime/CommonIdentifiers.h: Adding RTCDataChannelEvent.
+
+2017-03-30 Saam Barati
+
+ WebAssembly: pass Wasm::Context* to vmEntryToWasm when not using fast TLS
+ https://bugs.webkit.org/show_bug.cgi?id=170182
+
+ Reviewed by Mark Lam.
+
+ This is one more step in the direction of PIC-ified Wasm.
+ I'm removing assumptions that a wasm callee is a cell. We used to use
+ the callee to get the WasmContext off the callee's VM. Instead,
+ this patch makes it so that we pass in the context as a parameter
+ to the JS entrypoint.
+
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::offsetOfVM): Deleted.
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::loadWasmContext):
+ (JSC::AssemblyHelpers::storeWasmContext):
+ (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
+ (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
+ * jsc.cpp:
+ (functionTestWasmModuleFunctions):
+ * runtime/VM.h:
+ (JSC::VM::wasmContextOffset): Deleted.
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::materializeWasmContext):
+ (JSC::Wasm::B3IRGenerator::restoreWasmContext):
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/WasmContext.cpp:
+ (JSC::Wasm::loadContext):
+ (JSC::Wasm::storeContext):
+ (JSC::loadWasmContext): Deleted.
+ (JSC::storeWasmContext): Deleted.
+ * wasm/WasmContext.h:
+ (JSC::Wasm::useFastTLS):
+ (JSC::Wasm::useFastTLSForContext):
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::PinnedRegisterInfo::get):
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::useFastTLS): Deleted.
+ (JSC::Wasm::useFastTLSForWasmContext): Deleted.
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+
+2017-03-30 JF Bastien
+
+ WebAssembly: fix misc JS API implementation inconsistencies
+ https://bugs.webkit.org/show_bug.cgi?id=170187
+
+ Reviewed by Keith Miller.
+
+ Auto-generate lookup tables.
+ Methods should be on prototype.
+ Exception returns should be idiomatic.
+
+ * wasm/JSWebAssembly.cpp: validate / compile / instantiate should
+ be on the prototype
+ (JSC::JSWebAssembly::create):
+ (JSC::JSWebAssembly::finishCreation):
+ (JSC::reject): Deleted.
+ (JSC::webAssemblyCompileFunc): Deleted.
+ (JSC::resolve): Deleted.
+ (JSC::instantiate): Deleted.
+ (JSC::compileAndInstantiate): Deleted.
+ (JSC::webAssemblyInstantiateFunc): Deleted.
+ (JSC::webAssemblyValidateFunc): Deleted.
+ * wasm/JSWebAssembly.h:
+ * wasm/js/WebAssemblyMemoryPrototype.cpp: move from JSWebAssembly.cpp
+ (JSC::webAssemblyMemoryProtoFuncBuffer):
+ (JSC::WebAssemblyMemoryPrototype::create):
+ (JSC::WebAssemblyMemoryPrototype::finishCreation):
+ * wasm/js/WebAssemblyMemoryPrototype.h:
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::reject):
+ (JSC::webAssemblyCompileFunc):
+ (JSC::resolve):
+ (JSC::instantiate):
+ (JSC::compileAndInstantiate):
+ (JSC::webAssemblyInstantiateFunc):
+ (JSC::webAssemblyValidateFunc):
+ (JSC::webAssemblyFunctionValidate): Deleted.
+ (JSC::webAssemblyFunctionCompile): Deleted.
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::webAssemblyTableProtoFuncGrow):
+ (JSC::webAssemblyTableProtoFuncGet):
+ (JSC::webAssemblyTableProtoFuncSet):
+ (JSC::WebAssemblyTablePrototype::create):
+ (JSC::WebAssemblyTablePrototype::finishCreation):
+ * wasm/js/WebAssemblyTablePrototype.h:
+
+2017-03-29 Keith Miller
+
+ Unreviewed, fix the build, again. Hopefully for the last time, again!
+
+ * runtime/Options.cpp:
+
+2017-03-29 Keith Miller
+
+ Unreviewed, fix the build, again. Hopefully for the last time!
+
+ * runtime/Options.cpp:
+ (JSC::parse):
+
+2017-03-29 Keith Miller
+
+ Unreviewed, windows build fix.
+
+ * runtime/Options.cpp:
+ (JSC::parse):
+
+2017-03-29 Keith Miller
+
+ WebAssembly: B3IRGenerator should pool constants
+ https://bugs.webkit.org/show_bug.cgi?id=170266
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds a HashMap to B3IRGenerator that contains all the constants used in a function.
+ B3IRGenerator then uses an InsertionSet to add all those constants to the root BB. This doesn't
+ appear to be a compile time improvement but it could be valuable in the future.
+
+ * b3/B3Opcode.h:
+ (JSC::B3::opcodeForConstant):
+ * b3/B3Procedure.cpp:
+ (JSC::B3::Procedure::addConstant):
+ * b3/B3Procedure.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::constant):
+ (JSC::Wasm::B3IRGenerator::insertConstants):
+ (JSC::Wasm::B3IRGenerator::addConstant):
+ (JSC::Wasm::B3IRGenerator::dump):
+ (JSC::Wasm::parseAndCompile):
+ (JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv):
+ (JSC::Wasm::B3IRGenerator::zeroForType): Deleted.
+ * wasm/generateWasmB3IRGeneratorInlinesHeader.py:
+ (generateConstCode):
+
+2017-03-29 Saam Barati
+
+ LinkBuffer and ExecutableAllocator shouldn't have anything to do with VM
+ https://bugs.webkit.org/show_bug.cgi?id=170210
+
+ Reviewed by Mark Lam.
+
+ This is one more step in the direction of PIC-ified Wasm.
+ LinkBuffer and ExecutableAllocator have no business knowing about VM.
+
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::allocate):
+ * assembler/LinkBuffer.h:
+ (JSC::LinkBuffer::LinkBuffer):
+ (JSC::LinkBuffer::vm): Deleted.
+ * b3/B3Compile.cpp:
+ (JSC::B3::compile):
+ * b3/B3Compile.h:
+ * b3/air/testair.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::compileProc):
+ (JSC::B3::compileAndRun):
+ (JSC::B3::testLoadAcq42):
+ (JSC::B3::testAddArgZeroImmZDef):
+ (JSC::B3::testAddLoadTwice):
+ (JSC::B3::testMulLoadTwice):
+ (JSC::B3::testMulAddArgsLeft):
+ (JSC::B3::testMulAddArgsRight):
+ (JSC::B3::testMulAddArgsLeft32):
+ (JSC::B3::testMulAddArgsRight32):
+ (JSC::B3::testMulSubArgsLeft):
+ (JSC::B3::testMulSubArgsRight):
+ (JSC::B3::testMulSubArgsLeft32):
+ (JSC::B3::testMulSubArgsRight32):
+ (JSC::B3::testMulNegArgs):
+ (JSC::B3::testMulNegArgs32):
+ (JSC::B3::testCompareFloatToDoubleThroughPhi):
+ (JSC::B3::testDoubleToFloatThroughPhi):
+ (JSC::B3::testReduceFloatToDoubleValidates):
+ (JSC::B3::testDoubleProducerPhiToFloatConversion):
+ (JSC::B3::testDoubleProducerPhiToFloatConversionWithDoubleConsumer):
+ (JSC::B3::testDoubleProducerPhiWithNonFloatConst):
+ (JSC::B3::testIToD64Arg):
+ (JSC::B3::testIToF64Arg):
+ (JSC::B3::testIToD32Arg):
+ (JSC::B3::testIToF32Arg):
+ (JSC::B3::testIToD64Mem):
+ (JSC::B3::testIToF64Mem):
+ (JSC::B3::testIToD32Mem):
+ (JSC::B3::testIToF32Mem):
+ (JSC::B3::testIToDReducedToIToF64Arg):
+ (JSC::B3::testIToDReducedToIToF32Arg):
+ (JSC::B3::testStoreRelAddLoadAcq32):
+ (JSC::B3::testStoreRelAddLoadAcq8):
+ (JSC::B3::testStoreRelAddFenceLoadAcq8):
+ (JSC::B3::testStoreRelAddLoadAcq16):
+ (JSC::B3::testStoreRelAddLoadAcq64):
+ (JSC::B3::testBranch):
+ (JSC::B3::testBranchPtr):
+ (JSC::B3::testDiamond):
+ (JSC::B3::testBranchNotEqual):
+ (JSC::B3::testBranchNotEqualCommute):
+ (JSC::B3::testBranchNotEqualNotEqual):
+ (JSC::B3::testBranchEqual):
+ (JSC::B3::testBranchEqualEqual):
+ (JSC::B3::testBranchEqualCommute):
+ (JSC::B3::testBranchEqualEqual1):
+ (JSC::B3::testBranchLoadPtr):
+ (JSC::B3::testBranchLoad32):
+ (JSC::B3::testBranchLoad8S):
+ (JSC::B3::testBranchLoad8Z):
+ (JSC::B3::testBranchLoad16S):
+ (JSC::B3::testBranchLoad16Z):
+ (JSC::B3::testBranch8WithLoad8ZIndex):
+ (JSC::B3::testComplex):
+ (JSC::B3::testSimpleCheck):
+ (JSC::B3::testCheckFalse):
+ (JSC::B3::testCheckTrue):
+ (JSC::B3::testCheckLessThan):
+ (JSC::B3::testCheckMegaCombo):
+ (JSC::B3::testCheckTrickyMegaCombo):
+ (JSC::B3::testCheckTwoMegaCombos):
+ (JSC::B3::testCheckTwoNonRedundantMegaCombos):
+ (JSC::B3::testCheckAddImm):
+ (JSC::B3::testCheckAddImmCommute):
+ (JSC::B3::testCheckAddImmSomeRegister):
+ (JSC::B3::testCheckAdd):
+ (JSC::B3::testCheckAdd64):
+ (JSC::B3::testCheckAddFold):
+ (JSC::B3::testCheckAddFoldFail):
+ (JSC::B3::testCheckAddSelfOverflow64):
+ (JSC::B3::testCheckAddSelfOverflow32):
+ (JSC::B3::testCheckSubImm):
+ (JSC::B3::testCheckSubBadImm):
+ (JSC::B3::testCheckSub):
+ (JSC::B3::testCheckSub64):
+ (JSC::B3::testCheckSubFold):
+ (JSC::B3::testCheckSubFoldFail):
+ (JSC::B3::testCheckNeg):
+ (JSC::B3::testCheckNeg64):
+ (JSC::B3::testCheckMul):
+ (JSC::B3::testCheckMulMemory):
+ (JSC::B3::testCheckMul2):
+ (JSC::B3::testCheckMul64):
+ (JSC::B3::testCheckMulFold):
+ (JSC::B3::testCheckMulFoldFail):
+ (JSC::B3::testCheckMul64SShr):
+ (JSC::B3::testSwitch):
+ (JSC::B3::testSwitchChillDiv):
+ (JSC::B3::testSwitchTargettingSameBlock):
+ (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
+ (JSC::B3::testBasicSelect):
+ (JSC::B3::testSelectTest):
+ (JSC::B3::testSelectCompareDouble):
+ (JSC::B3::testSelectDouble):
+ (JSC::B3::testSelectDoubleTest):
+ (JSC::B3::testSelectDoubleCompareDouble):
+ (JSC::B3::testSelectFloatCompareFloat):
+ (JSC::B3::testSelectFold):
+ (JSC::B3::testSelectInvert):
+ (JSC::B3::testCheckSelect):
+ (JSC::B3::testCheckSelectCheckSelect):
+ (JSC::B3::testCheckSelectAndCSE):
+ (JSC::B3::testTrivialInfiniteLoop):
+ (JSC::B3::testFoldPathEqual):
+ (JSC::B3::testLShiftSelf32):
+ (JSC::B3::testRShiftSelf32):
+ (JSC::B3::testURShiftSelf32):
+ (JSC::B3::testLShiftSelf64):
+ (JSC::B3::testRShiftSelf64):
+ (JSC::B3::testURShiftSelf64):
+ (JSC::B3::testPatchpointDoubleRegs):
+ (JSC::B3::testSpillDefSmallerThanUse):
+ (JSC::B3::testSpillUseLargerThanDef):
+ (JSC::B3::testLateRegister):
+ (JSC::B3::testInterpreter):
+ (JSC::B3::testEntrySwitchSimple):
+ (JSC::B3::testEntrySwitchNoEntrySwitch):
+ (JSC::B3::testEntrySwitchWithCommonPaths):
+ (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
+ (JSC::B3::testEntrySwitchLoop):
+ (JSC::B3::testSomeEarlyRegister):
+ (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled):
+ (JSC::B3::testTerminalPatchpointThatNeedsToBeSpilled2):
+ (JSC::B3::testPatchpointTerminalReturnValue):
+ (JSC::B3::testMemoryFence):
+ (JSC::B3::testStoreFence):
+ (JSC::B3::testLoadFence):
+ (JSC::B3::testPCOriginMapDoesntInsertNops):
+ (JSC::B3::testPinRegisters):
+ (JSC::B3::testX86LeaAddAddShlLeft):
+ (JSC::B3::testX86LeaAddAddShlRight):
+ (JSC::B3::testX86LeaAddAdd):
+ (JSC::B3::testX86LeaAddShlRight):
+ (JSC::B3::testX86LeaAddShlLeftScale1):
+ (JSC::B3::testX86LeaAddShlLeftScale2):
+ (JSC::B3::testX86LeaAddShlLeftScale4):
+ (JSC::B3::testX86LeaAddShlLeftScale8):
+ (JSC::B3::testAddShl32):
+ (JSC::B3::testAddShl64):
+ (JSC::B3::testAddShl65):
+ (JSC::B3::testLoadBaseIndexShift2):
+ (JSC::B3::testLoadBaseIndexShift32):
+ (JSC::B3::testOptimizeMaterialization):
+ (JSC::B3::testAtomicWeakCAS):
+ (JSC::B3::testAtomicStrongCAS):
+ (JSC::B3::testAtomicXchg):
+ (JSC::B3::testDepend32):
+ (JSC::B3::testDepend64):
+ (JSC::B3::testWasmBoundsCheck):
+ (JSC::B3::testWasmAddress):
+ (JSC::B3::run):
+ (JSC::B3::compile): Deleted.
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::regenerate):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGLazyJSValue.cpp:
+ (JSC::DFG::LazyJSValue::emit):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrExitGenerationThunkGenerator):
+ (JSC::DFG::osrEntryThunkGenerator):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+ * ftl/FTLLazySlowPath.cpp:
+ (JSC::FTL::LazySlowPath::generate):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+ (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * ftl/FTLOSRExitHandle.cpp:
+ (JSC::FTL::OSRExitHandle::emitExitThunk):
+ * ftl/FTLSlowPathCall.cpp:
+ (JSC::FTL::SlowPathCallContext::makeCall):
+ * ftl/FTLSlowPathCall.h:
+ (JSC::FTL::callOperation):
+ * ftl/FTLState.h:
+ * ftl/FTLThunks.cpp:
+ (JSC::FTL::genericGenerationThunkGenerator):
+ (JSC::FTL::slowPathCallThunkGenerator):
+ * ftl/FTLThunks.h:
+ (JSC::FTL::generateIfNecessary):
+ (JSC::FTL::Thunks::getSlowPathCallThunk):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitDumbVirtualCall):
+ * jit/AssemblyHelpers.h:
+ * jit/ExecutableAllocator.cpp:
+ (JSC::ExecutableAllocator::initializeAllocator):
+ (JSC::ExecutableAllocator::singleton):
+ (JSC::ExecutableAllocator::ExecutableAllocator):
+ (JSC::ExecutableAllocator::allocate):
+ * jit/ExecutableAllocator.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileCallEvalSlowCase):
+ * jit/JITMathIC.h:
+ (JSC::JITMathIC::generateOutOfLine):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ (JSC::JIT::privateCompileGetByVal):
+ (JSC::JIT::privateCompileGetByValWithCachedId):
+ (JSC::JIT::privateCompilePutByVal):
+ (JSC::JIT::privateCompilePutByValWithCachedId):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ * jit/JITStubRoutine.h:
+ * jit/Repatch.cpp:
+ (JSC::ftlThunkAwareRepatchCall):
+ (JSC::linkPolymorphicCall):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::finalize):
+ * jit/ThunkGenerators.cpp:
+ (JSC::throwExceptionFromCallSlowPathGenerator):
+ (JSC::linkCallThunkGenerator):
+ (JSC::linkPolymorphicCallThunkGenerator):
+ (JSC::virtualThunkFor):
+ (JSC::nativeForGenerator):
+ (JSC::arityFixupGenerator):
+ (JSC::unreachableGenerator):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ (JSC::throwExceptionFromWasmThunkGenerator):
+ * llint/LLIntThunks.cpp:
+ (JSC::LLInt::generateThunkWithJumpTo):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::takeSample):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * runtime/VMTraps.cpp:
+ (JSC::VMTraps::tryInstallTrapBreakpoints):
+ * tools/VMInspector.cpp:
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToJs):
+ (JSC::Wasm::wasmToWasm):
+ (JSC::Wasm::exitStubGenerator):
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::complete):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::compile):
+ (JSC::Yarr::jitCompile):
+
+2017-03-29 Keith Miller
+
+ WebAssembly: Worklist should periodically check in to see if there are higher priority jobs to do.
+ https://bugs.webkit.org/show_bug.cgi?id=170204
+
+ Reviewed by Saam Barati.
+
+ This patch makes it so that Wasm::Plan's compileFunctions method can return periodically
+ to its caller. The main use for this is if a user asynchronously compiles a wasm module
+ then later synchronously compiles another module. In this case we want to be able to pause
+ compilation of other worklists.
+
+ This patch also adds support for size_t Options.
+
+ * runtime/Options.cpp:
+ (JSC::parse):
+ (JSC::Option::dump):
+ (JSC::Option::operator==):
+ * runtime/Options.h:
+ * wasm/WasmPlan.cpp:
+ (JSC::Wasm::Plan::moveToState):
+ (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder):
+ (JSC::Wasm::Plan::compileFunctions):
+ * wasm/WasmPlan.h:
+ * wasm/WasmWorklist.cpp:
+
+2017-03-29 Mark Lam
+
+ Remove obsolete references to HeapTimer in JavaScriptCore.order.
+ https://bugs.webkit.org/show_bug.cgi?id=170252
+
+ Reviewed by Saam Barati.
+
+ The HeapTimer was renamed to JSRunLoopTimer back in r214504. These HeapTimer
+ entries are now no longer meaningful.
+
+ * JavaScriptCore.order:
+
+2017-03-29 JF Bastien
+
+ WebAssembly: add shell-only Memory mode helper
+ https://bugs.webkit.org/show_bug.cgi?id=170227
+
+ Reviewed by Mark Lam.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionWebAssemblyMemoryMode):
+ * wasm/WasmMemory.h:
+ * wasm/js/JSWebAssemblyInstance.h:
+ * wasm/js/JSWebAssemblyMemory.h:
+
+2017-03-29 Keith Miller
+
+ WebAssembly: pack OpcodeOrigin to fit in a pointer
+ https://bugs.webkit.org/show_bug.cgi?id=170244
+
+ Reviewed by Michael Saboff.
+
+ This patch makes it so we don't have to have allocate the OpcodeOrigin and can just
+ pack all the data into the pointer B3::Origin already has.
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmOpcodeOrigin.cpp:
+ (JSC::Wasm::OpcodeOrigin::dump):
+ * wasm/WasmOpcodeOrigin.h:
+ (JSC::Wasm::OpcodeOrigin::OpcodeOrigin):
+ (JSC::Wasm::OpcodeOrigin::opcode):
+ (JSC::Wasm::OpcodeOrigin::location):
+
+2017-03-29 JF Bastien
+
+ WebAssembly: NFC s/goto/lambda/g
+ https://bugs.webkit.org/show_bug.cgi?id=170242
+
+ Reviewed by Mark Lam.
+
+ Lambdas are more in-style than the goto I just used.
+
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::tryGetFastMemory):
+
+2017-03-28 Saam Barati
+
+ AssemblyHelpers should not have a VM field
+ https://bugs.webkit.org/show_bug.cgi?id=170207
+
+ Reviewed by Yusuke Suzuki.
+
+ APIs that need VM should take one as a parameter. When doing position
+ independent code for Wasm, we can't tie code generation to a VM.
+
+ * b3/B3Compile.cpp:
+ (JSC::B3::compile):
+ * b3/air/testair.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testEntrySwitchSimple):
+ (JSC::B3::testEntrySwitchNoEntrySwitch):
+ (JSC::B3::testEntrySwitchWithCommonPaths):
+ (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint):
+ (JSC::B3::testEntrySwitchLoop):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ (JSC::AccessCase::generateImpl):
+ * bytecode/DOMJITAccessCasePatchpointParams.cpp:
+ (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::dumpCacheSizesAndCrash):
+ (JSC::InlineAccess::generateSelfPropertyAccess):
+ (JSC::InlineAccess::generateSelfPropertyReplace):
+ (JSC::InlineAccess::generateArrayLength):
+ (JSC::InlineAccess::rewireStubAsJump):
+ * bytecode/InlineAccess.h:
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::AccessGenerationState::emitExplicitExceptionHandler):
+ (JSC::PolymorphicAccess::regenerate):
+ * bytecode/PolymorphicAccess.h:
+ (JSC::AccessGenerationState::AccessGenerationState):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::JITCompiler):
+ (JSC::DFG::JITCompiler::compileExceptionHandlers):
+ (JSC::DFG::JITCompiler::link):
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ (JSC::DFG::JITCompiler::exceptionCheck):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
+ (JSC::DFG::JITCompiler::fastExceptionCheck):
+ (JSC::DFG::JITCompiler::vm):
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGOSRExitCompiler.h:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::adjustAndJumpToTarget):
+ * dfg/DFGOSRExitCompilerCommon.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileMakeRope):
+ (JSC::DFG::SpeculativeJIT::compileGetGlobalObject):
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ (JSC::DFG::SpeculativeJIT::compileCreateActivation):
+ (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+ (JSC::DFG::SpeculativeJIT::emitAllocateVariableSizedJSObject):
+ (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrEntryThunkGenerator):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+ * ftl/FTLJITFinalizer.h:
+ * ftl/FTLLazySlowPath.cpp:
+ (JSC::FTL::LazySlowPath::generate):
+ * ftl/FTLLazySlowPathCall.h:
+ (JSC::FTL::createLazyCallGenerator):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNotifyWrite):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIsObjectOrNull):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIsFunction):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
+ (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+ (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * ftl/FTLSlowPathCall.h:
+ (JSC::FTL::callOperation):
+ * ftl/FTLState.h:
+ (JSC::FTL::State::vm):
+ * ftl/FTLThunks.cpp:
+ (JSC::FTL::genericGenerationThunkGenerator):
+ (JSC::FTL::slowPathCallThunkGenerator):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::jitReleaseAssertNoException):
+ (JSC::AssemblyHelpers::callExceptionFuzz):
+ (JSC::AssemblyHelpers::emitJumpIfException):
+ (JSC::AssemblyHelpers::emitExceptionCheck):
+ (JSC::AssemblyHelpers::emitNonPatchableExceptionCheck):
+ (JSC::AssemblyHelpers::emitLoadStructure):
+ (JSC::AssemblyHelpers::emitRandomThunk):
+ (JSC::AssemblyHelpers::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::emitConvertValueToBoolean):
+ (JSC::AssemblyHelpers::debugCall):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::AssemblyHelpers):
+ (JSC::AssemblyHelpers::codeBlock):
+ (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToVMEntryFrameCalleeSavesBuffer):
+ (JSC::AssemblyHelpers::barrierBranch):
+ (JSC::AssemblyHelpers::barrierStoreLoadFence):
+ (JSC::AssemblyHelpers::mutatorFence):
+ (JSC::AssemblyHelpers::storeButterfly):
+ (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
+ (JSC::AssemblyHelpers::jumpIfMutatorFenceNotNeeded):
+ (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+ (JSC::AssemblyHelpers::emitAllocateJSObject):
+ (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
+ (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ (JSC::AssemblyHelpers::vm): Deleted.
+ (JSC::AssemblyHelpers::debugCall): Deleted.
+ * jit/CCallHelpers.cpp: + (JSC::CCallHelpers::ensureShadowChickenPacket): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::CCallHelpers): + (JSC::CCallHelpers::jumpToExceptionHandler): + * jit/JIT.cpp: + (JSC::JIT::emitEnterOptimizationCheck): + (JSC::JIT::privateCompileExceptionHandlers): + * jit/JIT.h: + (JSC::JIT::exceptionCheck): + (JSC::JIT::exceptionCheckWithCallFrameRollback): + * jit/JITMathIC.h: + (JSC::JITMathIC::generateOutOfLine): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_instanceof): + (JSC::JIT::emit_op_is_undefined): + (JSC::JIT::emit_op_jfalse): + (JSC::JIT::emit_op_jeq_null): + (JSC::JIT::emit_op_jneq_null): + (JSC::JIT::emit_op_jtrue): + (JSC::JIT::emit_op_throw): + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_eq_null): + (JSC::JIT::emit_op_neq_null): + (JSC::JIT::emitSlow_op_loop_hint): + (JSC::JIT::emit_op_log_shadow_chicken_prologue): + (JSC::JIT::emit_op_log_shadow_chicken_tail): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileCTINativeCall): + (JSC::JIT::emit_op_new_object): + (JSC::JIT::emit_op_jfalse): + (JSC::JIT::emit_op_jtrue): + (JSC::JIT::emit_op_throw): + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_create_this): + (JSC::JIT::emit_op_log_shadow_chicken_prologue): + (JSC::JIT::emit_op_log_shadow_chicken_tail): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitWriteBarrier): + * jit/JSInterfaceJIT.h: + (JSC::JSInterfaceJIT::JSInterfaceJIT): + (JSC::JSInterfaceJIT::vm): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryCachePutByID): + (JSC::linkPolymorphicCall): + (JSC::resetGetByID): + (JSC::resetPutByID): + * jit/SetupVarargsFrame.cpp: + (JSC::emitSetupVarargsFrameFastCase): + * jit/SetupVarargsFrame.h: + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass): + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromCallSlowPathGenerator): + (JSC::linkCallThunkGenerator): + (JSC::linkPolymorphicCallThunkGenerator): + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + 
(JSC::randomThunkGenerator): + (JSC::boundThisNoArgsFunctionCallGenerator): + (JSC::throwExceptionFromWasmThunkGenerator): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::parseAndCompile): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToJs): + (JSC::Wasm::wasmToWasm): + +2017-03-28 Keith Miller + + WebAssembly: We should have Origins + https://bugs.webkit.org/show_bug.cgi?id=170217 + + Reviewed by Mark Lam. + + This patch adds wasm origins for B3::Values, called OpcodeOrigin. Currently, + OpcodeOrigin just tracks the original opcode and the location of that opcode. + + Here's a sample: + + BB#0: ; frequency = 1.000000 + Int64 @4 = Patchpoint(generator = 0x10f487fa8, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister) + Int64 @5 = FramePointer() + Void @8 = Store(@4, @5, offset = 24, ControlDependent|Writes:Top) + Int64 @10 = Const64(0) + Void @12 = Store($0(@10), @5, offset = 16, ControlDependent|Writes:Top) + Int64 @13 = Patchpoint(generator = 0x10f4be7f0, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraint = SomeRegister, ExitsSideways|ControlDependent|WritesPinned|ReadsPinned|Fence|Writes:Top|Reads:Top) + Int64 @16 = ArgumentReg(%rdi) + Int64 @18 = ArgumentReg(%rsi) + Int32 @22 = Trunc(@18, Wasm: {opcode: I64Rotl, location: 5}) + Int64 @23 = RotL(@16, @22, Wasm: {opcode: I64Rotl, location: 5}) + Void @27 = Return(@23, Terminal, Wasm: {opcode: End, location: 6}) + + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/B3Value.cpp: + (JSC::B3::Value::deepDump): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::setParser): + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): + (JSC::Wasm::B3IRGenerator::emitLoadOp): + (JSC::Wasm::B3IRGenerator::emitStoreOp): + (JSC::Wasm::B3IRGenerator::addConstant): + (JSC::Wasm::B3IRGenerator::addLoop): + (JSC::Wasm::B3IRGenerator::unify): + (JSC::Wasm::parseAndCompile): + 
(JSC::Wasm::B3IRGenerator::emitChecksForModOrDiv): + (JSC::Wasm::getMemoryBaseAndSize): Deleted. + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::currentOpcode): + (JSC::Wasm::FunctionParser::currentOpcodeStartingOffset): + (JSC::Wasm::FunctionParser::FunctionParser): + * wasm/WasmOpcodeOrigin.cpp: Added. + (JSC::Wasm::OpcodeOrigin::dump): + * wasm/WasmOpcodeOrigin.h: Added. + (JSC::Wasm::OpcodeOrigin::OpcodeOrigin): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::setParser): + * wasm/generateWasmB3IRGeneratorInlinesHeader.py: + (CodeGenerator.generate): + (generateB3OpCode): + (generateConstCode): + +2017-03-28 JF Bastien + + WebAssembly: option to crash if no fast memory is available + https://bugs.webkit.org/show_bug.cgi?id=170219 + + Reviewed by Mark Lam. + + * runtime/Options.h: + * wasm/WasmMemory.cpp: + (JSC::Wasm::webAssemblyCouldntGetFastMemory): + (JSC::Wasm::tryGetFastMemory): + +2017-03-28 Mark Lam + + The Mutator should not be able to steal the conn if the Collector hasn't reached the NotRunning phase yet. + https://bugs.webkit.org/show_bug.cgi?id=170213 + + + Reviewed by Filip Pizlo. + + The current condition for stealing the conn isn't tight enough. Restricting the + stealing to when m_currentPhase == NotRunning ensures that the Collector is + really done running. + + No test because this issue only manifests with a race condition that is difficult + to reproduce on demand. + + * heap/Heap.cpp: + (JSC::Heap::requestCollection): + +2017-03-28 Keith Miller + + WebAssembly: Make WebAssembly.instantiate/compile truly asynchronous + https://bugs.webkit.org/show_bug.cgi?id=169187 + + Reviewed by Saam Barati. + + This patch allows WebAssembly compilations to happen asynchronously. + To do so, it refactors how much of the compilation happens and adds + new infrastructure for async promises. + + First, there is a new class, PromiseDeferredTimer that lives on + the VM. 
PromiseDeferredTimer will manage the life-cycle of async + pending promises and any dependencies that promise + needs. PromiseDeferredTimer automagically releases the pending + promise and dependencies once the JSPromiseDeferred is resolved or + rejected. Additionally, PromiseDeferredTimer provides a mechanism + to poll the run-loop whenever the async task needs to synchronize + with the JS thread. Normally, that will be whenever the async task + finishes. In the case of Web Assembly we also use this feature for + the compile + instantiate case, where we might have more work + after the first async task completes (more on that later). + + The next class is Wasm::Worklist, which is used to manage Wasm + compilation tasks. The worklist class works similarly to the + DFG/FTL Worklists. It has a pool of threads that it manages. One + interesting aspect of Wasm Worklist is that it can synchronously + compile a plan that is already potentially running + asynchronously. This can occur if a user calls + WebAssembly.instantiate() then new WebAssembly.instantiate() on + the same module. In that case the Wasm Worklist will bump the + priority of the running pending Plan and block the JS thread. + + This patch also makes some of the Wasm Plan code cleaner. Since we + now defer all compilation to instantiation time, we no longer need + to guess at which memory we are going to get. Also, Wasm Plans now + track the work they have done with a state enum. + + Finally, this patch makes renamed HeapTimer to JSRunLoopTimer. It + also adds changes test262AsyncTest to a more generic testing + infrastructure. Now, in addition to the old functionality, you can + call asyncTest() with the number of tests you expect. When the jsc + CLI exits, it will guarantee that asyncTestPassed() is called that + many times. 
+ + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/GCActivityCallback.h: + * heap/IncrementalSweeper.cpp: + (JSC::IncrementalSweeper::scheduleTimer): + (JSC::IncrementalSweeper::IncrementalSweeper): + * heap/IncrementalSweeper.h: + * heap/StopIfNecessaryTimer.cpp: + (JSC::StopIfNecessaryTimer::StopIfNecessaryTimer): + * heap/StopIfNecessaryTimer.h: + * heap/StrongInlines.h: + * jsc.cpp: + (GlobalObject::finishCreation): + (printInternal): + (functionAsyncTestStart): + (functionAsyncTestPassed): + (functionTestWasmModuleFunctions): + (CommandLine::parseArguments): + (runJSC): + * runtime/JSPromiseDeferred.cpp: + (JSC::JSPromiseDeferred::resolve): + (JSC::JSPromiseDeferred::reject): + * runtime/JSPromiseDeferred.h: + (JSC::JSPromiseDeferred::promiseAsyncPending): + * runtime/JSRunLoopTimer.cpp: Renamed from Source/JavaScriptCore/heap/HeapTimer.cpp. + (JSC::JSRunLoopTimer::JSRunLoopTimer): + (JSC::JSRunLoopTimer::setRunLoop): + (JSC::JSRunLoopTimer::~JSRunLoopTimer): + (JSC::JSRunLoopTimer::timerDidFire): + (JSC::JSRunLoopTimer::scheduleTimer): + (JSC::JSRunLoopTimer::cancelTimer): + (JSC::JSRunLoopTimer::invalidate): + * runtime/JSRunLoopTimer.h: Copied from Source/JavaScriptCore/heap/HeapTimer.h. + * runtime/Options.h: + * runtime/PromiseDeferredTimer.cpp: Added. + (JSC::PromiseDeferredTimer::PromiseDeferredTimer): + (JSC::PromiseDeferredTimer::doWork): + (JSC::PromiseDeferredTimer::runRunLoop): + (JSC::PromiseDeferredTimer::addPendingPromise): + (JSC::PromiseDeferredTimer::cancelPendingPromise): + (JSC::PromiseDeferredTimer::scheduleWorkSoon): + (JSC::PromiseDeferredTimer::scheduleBlockedTask): + * runtime/PromiseDeferredTimer.h: Renamed from Source/JavaScriptCore/heap/HeapTimer.h. 
+ (JSC::PromiseDeferredTimer::stopRunningTasks): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::~VM): + * runtime/VM.h: + * wasm/JSWebAssembly.cpp: + (JSC::reject): + (JSC::webAssemblyCompileFunc): + (JSC::resolve): + (JSC::instantiate): + (JSC::compileAndInstantiate): + (JSC::webAssemblyInstantiateFunc): + (JSC::webAssemblyValidateFunc): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): + (JSC::Wasm::B3IRGenerator::memoryKind): + (JSC::Wasm::parseAndCompile): + * wasm/WasmB3IRGenerator.h: + * wasm/WasmFormat.h: + (JSC::Wasm::ModuleInformation::internalFunctionCount): + * wasm/WasmFunctionParser.h: + * wasm/WasmMemory.h: + * wasm/WasmMemoryInformation.cpp: + (JSC::Wasm::MemoryInformation::MemoryInformation): + * wasm/WasmMemoryInformation.h: + (JSC::Wasm::MemoryInformation::maximum): + (JSC::Wasm::MemoryInformation::hasReservedMemory): Deleted. + (JSC::Wasm::MemoryInformation::takeReservedMemory): Deleted. + (JSC::Wasm::MemoryInformation::mode): Deleted. + * wasm/WasmModuleParser.cpp: + * wasm/WasmModuleParser.h: + (JSC::Wasm::ModuleParser::ModuleParser): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::Plan): + (JSC::Wasm::Plan::stateString): + (JSC::Wasm::Plan::moveToState): + (JSC::Wasm::Plan::fail): + (JSC::Wasm::Plan::parseAndValidateModule): + (JSC::Wasm::Plan::prepare): + (JSC::Wasm::Plan::ThreadCountHolder::ThreadCountHolder): + (JSC::Wasm::Plan::ThreadCountHolder::~ThreadCountHolder): + (JSC::Wasm::Plan::compileFunctions): + (JSC::Wasm::Plan::complete): + (JSC::Wasm::Plan::waitForCompletion): + (JSC::Wasm::Plan::cancel): + (JSC::Wasm::Plan::run): Deleted. + (JSC::Wasm::Plan::initializeCallees): Deleted. 
+ * wasm/WasmPlan.h: + (JSC::Wasm::Plan::dontFinalize): + (JSC::Wasm::Plan::exports): + (JSC::Wasm::Plan::internalFunctionCount): + (JSC::Wasm::Plan::takeModuleInformation): + (JSC::Wasm::Plan::takeCallLinkInfos): + (JSC::Wasm::Plan::takeWasmExitStubs): + (JSC::Wasm::Plan::setModeAndPromise): + (JSC::Wasm::Plan::mode): + (JSC::Wasm::Plan::pendingPromise): + (JSC::Wasm::Plan::vm): + (JSC::Wasm::Plan::errorMessage): + (JSC::Wasm::Plan::failed): + (JSC::Wasm::Plan::hasWork): + (JSC::Wasm::Plan::hasBeenPrepared): + * wasm/WasmPlanInlines.h: Copied from Source/JavaScriptCore/wasm/WasmB3IRGenerator.h. + (JSC::Wasm::Plan::initializeCallees): + * wasm/WasmValidate.cpp: + * wasm/WasmWorklist.cpp: Added. + (JSC::Wasm::Worklist::priorityString): + (JSC::Wasm::Worklist::QueueElement::setToNextPriority): + (JSC::Wasm::Worklist::iterate): + (JSC::Wasm::Worklist::enqueue): + (JSC::Wasm::Worklist::completePlanSynchronously): + (JSC::Wasm::Worklist::stopAllPlansForVM): + (JSC::Wasm::Worklist::Worklist): + (JSC::Wasm::Worklist::~Worklist): + (JSC::Wasm::existingWorklistOrNull): + (JSC::Wasm::ensureWorklist): + * wasm/WasmWorklist.h: Added. 
+ (JSC::Wasm::Worklist::nextTicket): + (JSC::Wasm::Worklist::Comparator::operator()): + * wasm/js/JSWebAssemblyCallee.h: + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + (JSC::JSWebAssemblyCodeBlock::initialize): + (JSC::JSWebAssemblyCodeBlock::isSafeToRun): + * wasm/js/JSWebAssemblyCodeBlock.h: + (JSC::JSWebAssemblyCodeBlock::create): + (JSC::JSWebAssemblyCodeBlock::initialized): + (JSC::JSWebAssemblyCodeBlock::plan): + (JSC::JSWebAssemblyCodeBlock::runnable): + (JSC::JSWebAssemblyCodeBlock::errorMessage): + (JSC::JSWebAssemblyCodeBlock::callees): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::createSourceBufferFromValue): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finishCreation): + (JSC::JSWebAssemblyInstance::visitChildren): + (JSC::JSWebAssemblyInstance::addUnitializedCodeBlock): + (JSC::JSWebAssemblyInstance::finalizeCreation): + (JSC::JSWebAssemblyInstance::create): + (JSC::JSWebAssemblyInstance::setMemory): Deleted. + * wasm/js/JSWebAssemblyInstance.h: + (JSC::JSWebAssemblyInstance::codeBlock): + (JSC::JSWebAssemblyInstance::initialized): + (JSC::JSWebAssemblyInstance::module): + (JSC::JSWebAssemblyInstance::importFunction): + (JSC::JSWebAssemblyInstance::setMemory): + (JSC::JSWebAssemblyInstance::table): + (JSC::JSWebAssemblyInstance::importFunctions): + (JSC::JSWebAssemblyInstance::setImportFunction): Deleted. + (JSC::JSWebAssemblyInstance::setTable): Deleted. + * wasm/js/JSWebAssemblyModule.cpp: + (JSC::JSWebAssemblyModule::createStub): + (JSC::JSWebAssemblyModule::JSWebAssemblyModule): + (JSC::JSWebAssemblyModule::finishCreation): + (JSC::JSWebAssemblyModule::setCodeBlock): + (JSC::JSWebAssemblyModule::buildCodeBlock): Deleted. + (JSC::JSWebAssemblyModule::create): Deleted. + (JSC::JSWebAssemblyModule::codeBlock): Deleted. 
+ * wasm/js/JSWebAssemblyModule.h: + (JSC::JSWebAssemblyModule::moduleInformation): + (JSC::JSWebAssemblyModule::codeBlock): + (JSC::JSWebAssemblyModule::source): + (JSC::JSWebAssemblyModule::takeReservedMemory): Deleted. + (JSC::JSWebAssemblyModule::codeBlockFor): Deleted. + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + (JSC::WebAssemblyInstanceConstructor::createInstance): Deleted. + * wasm/js/WebAssemblyModuleConstructor.cpp: + (JSC::WebAssemblyModuleConstructor::createModule): + * wasm/js/WebAssemblyModulePrototype.cpp: + (JSC::webAssemblyModuleProtoImports): + (JSC::webAssemblyModuleProtoExports): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::finishCreation): + (JSC::WebAssemblyModuleRecord::link): + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyModuleRecord.h: + +2017-03-28 Yusuke Suzuki + + WebAssembly: add fallback to use pinned register to load/store state + https://bugs.webkit.org/show_bug.cgi?id=169773 + + Reviewed by Saam Barati. + + This patch adds a new pinned register to hold JSWebAssemblyInstance, + which is used to represent the context of running Wasm code. + While we use fast TLS to hold the context in macOS, we do not have + any system reserved fast TLS slot in the other systems. This pinned + register approach is used in these systems. These changes decouple + VM from Wasm module to make Wasm module position independent code. + + While using fast TLS could be beneficial in x64 systems which number of + registers is relatively small, pinned register approach could be + beneficial in ARM64 which has plenty of registers. In macOS, we can + switch the implementation with the runtime flag. Thus macOS port can + compare the performance and decide which implementation is used after + landing this patch. 
+ + * heap/MarkedBlock.h: + (JSC::MarkedBlock::offsetOfVM): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::loadWasmContext): + (JSC::AssemblyHelpers::storeWasmContext): + (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): + (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::loadWasmContext): Deleted. + (JSC::AssemblyHelpers::storeWasmContext): Deleted. + (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister): Deleted. + (JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister): Deleted. + * jit/Repatch.cpp: + (JSC::webAssemblyOwner): + (JSC::linkFor): + (JSC::linkPolymorphicCall): + (JSC::isWebAssemblyToJSCallee): Deleted. + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromWasmThunkGenerator): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LowLevelInterpreter.asm: + * runtime/JSCell.cpp: + (JSC::JSCell::isAnyWasmCallee): + * runtime/JSCellInlines.h: + (JSC::isWebAssemblyToJSCallee): + * runtime/JSType.h: + * runtime/StackFrame.cpp: + (JSC::StackFrame::functionName): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::wasmContextOffset): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::materializeWasmContext): + (JSC::Wasm::B3IRGenerator::restoreWasmContext): + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::getMemoryBaseAndSize): + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::createJSToWasmWrapper): + (JSC::Wasm::loadWasmContext): Deleted. + (JSC::Wasm::storeWasmContext): Deleted. + (JSC::Wasm::restoreWebAssemblyGlobalState): Deleted. 
+ * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToJs): + * wasm/WasmContext.cpp: + (JSC::loadWasmContext): + (JSC::storeWasmContext): + * wasm/WasmContext.h: + * wasm/WasmMemoryInformation.cpp: + (JSC::Wasm::getPinnedRegisters): + (JSC::Wasm::PinnedRegisterInfo::get): + (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo): + * wasm/WasmMemoryInformation.h: + (JSC::Wasm::PinnedRegisterInfo::toSave): + (JSC::Wasm::useFastTLS): + (JSC::Wasm::useFastTLSForWasmContext): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finishCreation): + (JSC::JSWebAssemblyInstance::visitChildren): + * wasm/js/JSWebAssemblyInstance.h: + (JSC::JSWebAssemblyInstance::offsetOfCallee): + * wasm/js/JSWebAssemblyModule.cpp: + (JSC::JSWebAssemblyModule::finishCreation): + (JSC::JSWebAssemblyModule::visitChildren): + * wasm/js/JSWebAssemblyModule.h: + (JSC::JSWebAssemblyModule::callee): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + (JSC::WebAssemblyFunction::create): + * wasm/js/WebAssemblyToJSCallee.cpp: + (JSC::WebAssemblyToJSCallee::create): + (JSC::WebAssemblyToJSCallee::createStructure): + (JSC::WebAssemblyToJSCallee::finishCreation): + (JSC::WebAssemblyToJSCallee::visitChildren): + (JSC::WebAssemblyToJSCallee::destroy): Deleted. + * wasm/js/WebAssemblyToJSCallee.h: + +2017-03-28 Brian Burg + + Web Inspector: Add "Disable Caches" option that only applies to the inspected page while Web Inspector is open + https://bugs.webkit.org/show_bug.cgi?id=169865 + + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Network.json: + Rename the command for disabling resource caching to match the WebCore::Page + flag. This also removes the possibility that this could be confused for the old, + buggy command that this patch rips out. + +2017-03-25 Yusuke Suzuki + + [JSC] Move platformThreadSignal to WTF + https://bugs.webkit.org/show_bug.cgi?id=170097 + + Reviewed by Mark Lam. + + It is a small clean up towards https://bugs.webkit.org/show_bug.cgi?id=170027. 
+ platformThreadSignal uses PlatformThread in JSC, but it can be implemented in + WTF ThreadIdentifier. + + * runtime/JSLock.cpp: + (JSC::JSLock::lock): + * runtime/JSLock.h: + (JSC::JSLock::ownerThread): + (JSC::JSLock::currentThreadIsHoldingLock): + * runtime/PlatformThread.h: + (JSC::platformThreadSignal): Deleted. + * runtime/VM.h: + (JSC::VM::ownerThread): + * runtime/VMTraps.cpp: + (JSC::VMTraps::SignalSender::send): + +2017-03-28 JF Bastien + + WebAssembly: implement Module imports/exports + https://bugs.webkit.org/show_bug.cgi?id=166982 + + Reviewed by Saam Barati. + + As defined in: https://github.com/WebAssembly/design/commit/18cbacb90cd3584dd5c9aa3d392e4e55f66af6ab + + * wasm/WasmFormat.h: + (JSC::Wasm::makeString): use uppercase instead, it was only used + for diagnostic but is now used for the expected JS property's + capitalization + * wasm/js/WebAssemblyModulePrototype.cpp: + (JSC::webAssemblyModuleProtoImports): + (JSC::webAssemblyModuleProtoExports): + +2017-03-27 JF Bastien + + WebAssembly: JSWebAssemblyCodeBlock.h belongs in JavaScriptCore/wasm/js not JavaScriptCore/wasm + https://bugs.webkit.org/show_bug.cgi?id=170160 + + Reviewed by Mark Lam. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * wasm/js/JSWebAssemblyCodeBlock.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssemblyCodeBlock.h. + +2017-03-27 JF Bastien + + WebAssembly: misc memory testing + https://bugs.webkit.org/show_bug.cgi?id=170137 + + Reviewed by Keith Miller. + + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::WebAssemblyInstanceConstructor::createInstance): improve error messages + +2017-03-27 Michael Saboff + + Add ARM64 system instructions to disassembler + https://bugs.webkit.org/show_bug.cgi?id=170084 + + Reviewed by Saam Barati. + + This changes adds support for MRS and MSR instructions, and refactors the DMB + disassembly to handle all of the barrier instructions. 
+ + * disassembler/ARM64/A64DOpcode.cpp: + (JSC::ARM64Disassembler::A64DOpcodeMSRImmediate::format): + (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::format): + (JSC::ARM64Disassembler::A64DOpcodeSystemSync::format): + (JSC::ARM64Disassembler::A64DOpcodeDmb::format): Deleted. + * disassembler/ARM64/A64DOpcode.h: + (JSC::ARM64Disassembler::A64DOpcodeSystem::lBit): + (JSC::ARM64Disassembler::A64DOpcodeSystem::op0): + (JSC::ARM64Disassembler::A64DOpcodeSystem::op1): + (JSC::ARM64Disassembler::A64DOpcodeSystem::crN): + (JSC::ARM64Disassembler::A64DOpcodeSystem::crM): + (JSC::ARM64Disassembler::A64DOpcodeSystem::op2): + (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::opName): + (JSC::ARM64Disassembler::A64DOpcodeMSROrMRSRegister::systemRegister): + (JSC::ARM64Disassembler::A64DOpcodeSystemSync::opName): + (JSC::ARM64Disassembler::A64DOpcodeSystemSync::option): + (JSC::ARM64Disassembler::A64DOpcodeDmb::opName): Deleted. + (JSC::ARM64Disassembler::A64DOpcodeDmb::option): Deleted. + (JSC::ARM64Disassembler::A64DOpcodeDmb::crM): Deleted. + +2017-03-26 Filip Pizlo + + B3::fixSSA should do liveness pruning + https://bugs.webkit.org/show_bug.cgi?id=170111 + + Reviewed by Saam Barati. + + This moves all of the logic of Air::Liveness<> to WTF::Liveness<> and then uses that to + create B3::VariableLiveness. Then this uses VariableLiveness::LiveAtHead to prune Phi + construction. + + This makes B3::fixSSA run twice as fast. This is a 13% progression on WasmBench compile + times. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/B3BasicBlock.h: + (JSC::B3::BasicBlock::get): + * b3/B3FixSSA.cpp: + (JSC::B3::fixSSA): + * b3/B3VariableLiveness.cpp: Added. + (JSC::B3::VariableLiveness::VariableLiveness): + (JSC::B3::VariableLiveness::~VariableLiveness): + * b3/B3VariableLiveness.h: Added. 
+ (JSC::B3::VariableLivenessAdapter::VariableLivenessAdapter): + (JSC::B3::VariableLivenessAdapter::numIndices): + (JSC::B3::VariableLivenessAdapter::valueToIndex): + (JSC::B3::VariableLivenessAdapter::indexToValue): + (JSC::B3::VariableLivenessAdapter::blockSize): + (JSC::B3::VariableLivenessAdapter::forEachEarlyUse): + (JSC::B3::VariableLivenessAdapter::forEachLateUse): + (JSC::B3::VariableLivenessAdapter::forEachEarlyDef): + (JSC::B3::VariableLivenessAdapter::forEachLateDef): + * b3/air/AirCFG.h: Added. + (JSC::B3::Air::CFG::CFG): + (JSC::B3::Air::CFG::root): + (JSC::B3::Air::CFG::newMap): + (JSC::B3::Air::CFG::successors): + (JSC::B3::Air::CFG::predecessors): + (JSC::B3::Air::CFG::index): + (JSC::B3::Air::CFG::node): + (JSC::B3::Air::CFG::numNodes): + (JSC::B3::Air::CFG::dump): + * b3/air/AirCode.cpp: + (JSC::B3::Air::Code::Code): + * b3/air/AirCode.h: + (JSC::B3::Air::Code::cfg): + * b3/air/AirLiveness.h: + (JSC::B3::Air::LivenessAdapter::LivenessAdapter): + (JSC::B3::Air::LivenessAdapter::blockSize): + (JSC::B3::Air::LivenessAdapter::forEachEarlyUse): + (JSC::B3::Air::LivenessAdapter::forEachLateUse): + (JSC::B3::Air::LivenessAdapter::forEachEarlyDef): + (JSC::B3::Air::LivenessAdapter::forEachLateDef): + (JSC::B3::Air::TmpLivenessAdapter::TmpLivenessAdapter): + (JSC::B3::Air::TmpLivenessAdapter::numIndices): + (JSC::B3::Air::StackSlotLivenessAdapter::StackSlotLivenessAdapter): + (JSC::B3::Air::StackSlotLivenessAdapter::numIndices): + (JSC::B3::Air::StackSlotLivenessAdapter::indexToValue): + (JSC::B3::Air::Liveness::Liveness): + (JSC::B3::Air::Liveness::LocalCalc::LocalCalc): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*): Deleted. 
+ (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::end): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::Iterable::contains): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::live): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::isLive): Deleted. + (JSC::B3::Air::Liveness::LocalCalc::execute): Deleted. + (JSC::B3::Air::Liveness::rawLiveAtHead): Deleted. + (JSC::B3::Air::Liveness::Iterable::Iterable): Deleted. + (JSC::B3::Air::Liveness::Iterable::iterator::iterator): Deleted. + (JSC::B3::Air::Liveness::Iterable::iterator::operator*): Deleted. + (JSC::B3::Air::Liveness::Iterable::iterator::operator++): Deleted. + (JSC::B3::Air::Liveness::Iterable::iterator::operator==): Deleted. + (JSC::B3::Air::Liveness::Iterable::iterator::operator!=): Deleted. + (JSC::B3::Air::Liveness::Iterable::begin): Deleted. + (JSC::B3::Air::Liveness::Iterable::end): Deleted. + (JSC::B3::Air::Liveness::Iterable::contains): Deleted. + (JSC::B3::Air::Liveness::liveAtHead): Deleted. + (JSC::B3::Air::Liveness::liveAtTail): Deleted. + (JSC::B3::Air::Liveness::workset): Deleted. + +2017-03-25 Filip Pizlo + + Air::Liveness shouldn't need HashSets + https://bugs.webkit.org/show_bug.cgi?id=170102 + + Reviewed by Yusuke Suzuki. + + This converts Air::Liveness<> to no longer use HashSets or BitVectors. This turns out to be + easy because it's cheap enough to do a sorted merge of the things being added to liveAtHead and + the things in the predecessors' liveAtTail. This turns out to be faster - it's a 2% overall + compile time progression on WasmBench. + + * b3/B3LowerToAir.cpp: + (JSC::B3::Air::LowerToAir::lower): Add a FIXME unrelated to this patch. 
+ * b3/air/AirLiveness.h: + (JSC::B3::Air::AbstractLiveness::AbstractLiveness): + (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc): + (JSC::B3::Air::AbstractLiveness::rawLiveAtHead): + (JSC::B3::Air::AbstractLiveness::liveAtHead): + (JSC::B3::Air::AbstractLiveness::liveAtTail): + * b3/air/AirTmp.h: + (JSC::B3::Air::Tmp::bank): + (JSC::B3::Air::Tmp::tmpIndex): + * dfg/DFGStoreBarrierClusteringPhase.cpp: + +2017-03-26 Filip Pizlo + + Air should use RegisterSet for RegLiveness + https://bugs.webkit.org/show_bug.cgi?id=170108 + + Reviewed by Yusuke Suzuki. + + The biggest change here is the introduction of the new RegLiveness class. This is a + drop-in replacement for the old RegLiveness, which was a specialization of + AbstractLiveness<>, but it's about 30% faster. It gets its speed boost from just using + sets everywhere, which is efficient for registers since RegisterSet is just two (on + x86-64) or three 32-bit (on ARM64) statically allocated words. This looks like a 1% + compile time progression on WasmBench. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * b3/B3TimingScope.cpp: Records phase timing totals. + (JSC::B3::TimingScope::TimingScope): + (JSC::B3::TimingScope::~TimingScope): + * b3/B3TimingScope.h: + * b3/air/AirAllocateRegistersByGraphColoring.cpp: + (JSC::B3::Air::allocateRegistersByGraphColoring): + * b3/air/AirLiveness.h: Move code around and rename a bit to make it more like RegLiveness; in particular we want the `iterator` to be called `iterator` not `Iterator`, and we want it to be internal to its iterable. Also rename this template to Liveness, to match the header filename. 
+ (JSC::B3::Air::Liveness::Liveness): + (JSC::B3::Air::Liveness::LocalCalc::LocalCalc): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::Iterable): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::iterator): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator++): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator*): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator==): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::iterator::operator!=): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::begin): + (JSC::B3::Air::Liveness::LocalCalc::Iterable::end): + (JSC::B3::Air::Liveness::Iterable::Iterable): + (JSC::B3::Air::Liveness::Iterable::iterator::iterator): + (JSC::B3::Air::RegLivenessAdapter::RegLivenessAdapter): Deleted. + (JSC::B3::Air::RegLivenessAdapter::numIndices): Deleted. + (JSC::B3::Air::RegLivenessAdapter::acceptsBank): Deleted. + (JSC::B3::Air::RegLivenessAdapter::acceptsRole): Deleted. + (JSC::B3::Air::RegLivenessAdapter::valueToIndex): Deleted. + (JSC::B3::Air::RegLivenessAdapter::indexToValue): Deleted. + (JSC::B3::Air::AbstractLiveness::AbstractLiveness): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::LocalCalc): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::Iterator): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator++): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator*): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator==): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterator::operator!=): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::Iterable): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::begin): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::end): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::Iterable::contains): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::live): Deleted. 
+ (JSC::B3::Air::AbstractLiveness::LocalCalc::isLive): Deleted. + (JSC::B3::Air::AbstractLiveness::LocalCalc::execute): Deleted. + (JSC::B3::Air::AbstractLiveness::rawLiveAtHead): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::Iterable): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::iterator::iterator): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator*): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator++): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator==): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::iterator::operator!=): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::begin): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::end): Deleted. + (JSC::B3::Air::AbstractLiveness::Iterable::contains): Deleted. + (JSC::B3::Air::AbstractLiveness::liveAtHead): Deleted. + (JSC::B3::Air::AbstractLiveness::liveAtTail): Deleted. + (JSC::B3::Air::AbstractLiveness::workset): Deleted. + * b3/air/AirLogRegisterPressure.cpp: + * b3/air/AirLowerAfterRegAlloc.cpp: + * b3/air/AirRegLiveness.cpp: Added. + (JSC::B3::Air::RegLiveness::RegLiveness): + (JSC::B3::Air::RegLiveness::~RegLiveness): + (JSC::B3::Air::RegLiveness::LocalCalc::execute): + * b3/air/AirRegLiveness.h: Added. 
+ (JSC::B3::Air::RegLiveness::LocalCalc::LocalCalc):
+ (JSC::B3::Air::RegLiveness::LocalCalc::live):
+ (JSC::B3::Air::RegLiveness::LocalCalc::isLive):
+ (JSC::B3::Air::RegLiveness::liveAtHead):
+ (JSC::B3::Air::RegLiveness::liveAtTail):
+ * b3/air/AirReportUsedRegisters.cpp:
+ * jit/RegisterSet.h:
+ (JSC::RegisterSet::add):
+ (JSC::RegisterSet::remove):
+ (JSC::RegisterSet::contains):
+ (JSC::RegisterSet::subsumes):
+ (JSC::RegisterSet::iterator::iterator):
+ (JSC::RegisterSet::iterator::operator*):
+ (JSC::RegisterSet::iterator::operator++):
+ (JSC::RegisterSet::iterator::operator==):
+ (JSC::RegisterSet::iterator::operator!=):
+ (JSC::RegisterSet::begin):
+ (JSC::RegisterSet::end):
+
+2017-03-25 Filip Pizlo
+
+ Fix wasm by returning after we do TLS.
+
+ Rubber stamped by Keith Miller.
+
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::storeWasmContext):
+
+2017-03-24 Mark Lam
+
+ Add some instrumentation in Heap::resumeThePeriphery() to help debug an issue.
+ https://bugs.webkit.org/show_bug.cgi?id=170086
+
+
+ Reviewed by Saam Barati.
+
+ Adding some instrumentation in Heap::resumeThePeriphery() to dump some Heap state
+ just before we RELEASE_ASSERT_NOT_REACHED.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::resumeThePeriphery):
+
+2017-03-24 JF Bastien
+
+ WebAssembly: store state in TLS instead of on VM
+ https://bugs.webkit.org/show_bug.cgi?id=169611
+
+ Reviewed by Filip Pizlo.
+
+ Using thread-local storage instead of VM makes code more position
+ independent. We used to store the WebAssembly top Instance (the
+ latest one in the call stack) on VM, now we instead store it in
+ TLS. This top Instance is used to access a bunch of state such as
+ Memory location, size, table (for call_indirect), etc.
+
+ Instead of calling it "top", which is confusing, we now just call
+ it WasmContext.
+
+ Making the code PIC means future patches will be able to
+ postMessage and structured clone into IDB without having to
+ recompile the code.
This wasn't possible before because we
+ hard-coded the address of VM at compilation time. That doesn't
+ work between workers, and doesn't work across reloads (which IDB
+ is intended to do).
+
+ It'll also potentially make code faster once we start tuning
+ what's in TLS, what's in which of the 4 free slots, and what's in
+ pinned registers. I'm leaving this tuning for later because
+ there's lower lying fruit for us to pick.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/AbstractMacroAssembler.h:
+ * assembler/AllowMacroScratchRegisterUsageIf.h: Copied from assembler/AllowMacroScratchRegisterUsage.h.
+ (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf):
+ (JSC::AllowMacroScratchRegisterUsageIf::~AllowMacroScratchRegisterUsageIf):
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::storeToTLSPtr): we previously didn't have
+ the code required to store to TLS, only to load
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::loadFromTLSPtrNeedsMacroScratchRegister):
+ (JSC::MacroAssemblerARM64::storeToTLS32):
+ (JSC::MacroAssemblerARM64::storeToTLS64):
+ (JSC::MacroAssemblerARM64::storeToTLSPtrNeedsMacroScratchRegister):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::loadFromTLSPtrNeedsMacroScratchRegister):
+ (JSC::MacroAssemblerX86Common::storeToTLS32):
+ (JSC::MacroAssemblerX86Common::storeToTLSPtrNeedsMacroScratchRegister):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::loadFromTLS64): was loading 32-bit instead of 64-bit
+ (JSC::MacroAssemblerX86_64::storeToTLS64):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::movl_rm):
+ (JSC::X86Assembler::movq_rm):
+ * b3/testb3.cpp:
+ (JSC::B3::testFastTLSLoad):
+ (JSC::B3::testFastTLSStore):
+ (JSC::B3::run):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::loadWasmContext):
+ (JSC::AssemblyHelpers::storeWasmContext):
+ (JSC::AssemblyHelpers::loadWasmContextNeedsMacroScratchRegister):
+
(JSC::AssemblyHelpers::storeWasmContextNeedsMacroScratchRegister):
+ * jit/Repatch.cpp:
+ (JSC::webAssemblyOwner):
+ * jit/ThunkGenerators.cpp:
+ (JSC::throwExceptionFromWasmThunkGenerator):
+ * runtime/Options.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::loadWasmContext):
+ (JSC::Wasm::storeWasmContext):
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::getMemoryBaseAndSize):
+ (JSC::Wasm::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::createJSToWasmWrapper):
+ (JSC::Wasm::parseAndCompile):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::materializeImportJSCell):
+ (JSC::Wasm::wasmToJs):
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmContext.cpp: Added.
+ (JSC::loadWasmContext):
+ (JSC::storeWasmContext):
+ * wasm/WasmContext.h: Added. Replaces "top" JSWebAssemblyInstance.
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+ * wasm/js/WebAssemblyInstanceConstructor.h:
+
+2017-03-24 JF Bastien
+
+ WebAssembly: spec-tests/memory.wast.js fails in debug
+ https://bugs.webkit.org/show_bug.cgi?id=169794
+
+ Reviewed by Keith Miller.
+
+ The failure was due to empty memories (with maximum size 0). Those
+ only occur in tests and in code that's trying to trip us. This
+ patch adds memory mode "none" which represents no memory. It can
+ work with either bounds checked or signaling code because it never
+ contains loads and stores.
+
+ The spec tests which were failing did the following:
+ > (module (memory (data)) (func (export "memsize") (result i32) (current_memory)))
+ > (assert_return (invoke "memsize") (i32.const 0))
+ > (module (memory (data "")) (func (export "memsize") (result i32) (current_memory)))
+ > (assert_return (invoke "memsize") (i32.const 0))
+ > (module (memory (data "x")) (func (export "memsize") (result i32) (current_memory)))
+ > (assert_return (invoke "memsize") (i32.const 1))
+
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::memoryKind):
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::tryGetFastMemory):
+ (JSC::Wasm::releaseFastMemory):
+ (JSC::Wasm::Memory::Memory):
+ (JSC::Wasm::Memory::createImpl):
+ (JSC::Wasm::Memory::create):
+ (JSC::Wasm::Memory::grow):
+ (JSC::Wasm::Memory::makeString):
+ * wasm/WasmMemory.h:
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::MemoryInformation::MemoryInformation):
+ * wasm/js/JSWebAssemblyCodeBlock.cpp:
+ (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::codeBlock):
+ (JSC::JSWebAssemblyModule::finishCreation):
+ * wasm/js/JSWebAssemblyModule.h:
+ (JSC::JSWebAssemblyModule::codeBlock):
+ (JSC::JSWebAssemblyModule::codeBlockFor):
+
+2017-03-24 Mark Lam
+
+ Array memcpy'ing fast paths should check if we're having a bad time if they cannot handle it.
+ https://bugs.webkit.org/show_bug.cgi?id=170064
+
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastSlice):
+
+2017-03-23 Yusuke Suzuki
+
+ [JSC] Use jsNontrivialString agressively for ToString(Int52)
+ https://bugs.webkit.org/show_bug.cgi?id=170002
+
+ Reviewed by Sam Weinig.
+
+ We use the same logic used for Int32 to use jsNontvirialString.
+ After single character check, produced string is always longer than 1.
+ Thus, we can use jsNontrivialString.
+
+ * runtime/NumberPrototype.cpp:
+ (JSC::int52ToString):
+
+2017-03-23 Yusuke Suzuki
+
+ [JSC] Use WeakRandom for SamplingProfiler interval fluctuation
+ https://bugs.webkit.org/show_bug.cgi?id=170045
+
+ Reviewed by Mark Lam.
+
+ It is unnecessary to use cryptographicallyRandomNumber for SamplingProfiler
+ interval fluctuation. Use WeakRandom instead.
+
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::SamplingProfiler):
+ (JSC::SamplingProfiler::timerLoop):
+ * runtime/SamplingProfiler.h:
+
+2017-03-23 Mark Lam
+
+ Array.prototype.splice behaves incorrectly when the VM is "having a bad time".
+ https://bugs.webkit.org/show_bug.cgi?id=170025
+
+
+ Reviewed by Saam Barati.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::copySplicedArrayElements):
+ (JSC::arrayProtoFuncSplice):
+
+2017-03-23 Yusuke Suzuki
+
+ [JSC][DFG] Make addShouldSpeculateAnyInt more conservative to avoid regression caused by Double <-> Int52 conversions
+ https://bugs.webkit.org/show_bug.cgi?id=169998
+
+ Reviewed by Saam Barati.
+
+ Double <-> Int52 and JSValue <-> Int52 conversions are not so cheap. Thus, Int52Rep is super carefully emitted.
+ We make addShouldSpeculateAnyInt more conservative to avoid regressions caused by the above conversions.
+ We select ArithAdd(Int52, Int52) only when this calculation is beneficial compared to added Int52Rep conversions.
+
+ This patch tighten the conditions of addShouldSpeculateAnyInt.
+
+ 1. Honor DoubleConstant.
+
+ When executing imaging-darkroom, we have a thing like that,
+
+ 132:< 2:loc36> DoubleConstant(Double|UseAsOther, AnyIntAsDouble, Double: 4607182418800017408, 1.000000, bc#114)
+ 1320:< 1:loc38> Int52Rep(Check:Int32:@82, Int52|PureInt, Int32, Exits, bc#114)
+ 1321:< 1:loc39> Int52Constant(Int52|PureInt, Boolint32Nonboolint32Int52, Double: 4607182418800017408, 1.000000, bc#114)
+ 133: ArithSub(Int52Rep:@1320, Int52Rep:@1321, Int52|MustGen, Int52, CheckOverflow, Exits, bc#114)
+
+ The LHS of ArithSub says predicting Boolint32, and the rhs says AnyIntAsDouble. Thus we select ArithSub(Int52, Int52) instead
+ of ArithSub(Double, Double). However, it soon causes OSR exits. In imaging-darkroom, LHS's Int32 prediction will be broken.
+ While speculating Int32 in the above situation is reasonable approach since the given LHS says predicting Int32, this causes
+ severe performance regression.
+
+ Previously, we always select ArithSub(Double, Double). So accidentally, we do not encounter this misprediction issue.
+
+ One thing can be found that we have DoubleConstant in the RHS. It means that we have `1.0` instead of `1` in the code.
+ We can see the code like `lhs - 1.0` instead of `lhs - 1` in imaging-darkroom. It offers good information that lhs and
+ the resulting value would be double. Handling the above ArithSub in double seems more appropriate rather than handling
+ it in Int52.
+
+ So, in this patch, we honor DoubleConstant. If we find DoubleConstant on one operand, we give up selecting
+ Arith[Sub,Add](Int52, Int52). This change removes OSR exits occurr in imaging-darkroom right now.
+
+ 2. Two Int52Rep(Double) conversions are not desirable.
+
+ We allow AnyInt ArithAdd only when the one operand of the binary operation should be speculated AnyInt. It is a bit conservative
+ decision. This is because Double to Int52 conversion is not so cheap. Frequent back-and-forth conversions between Double and Int52
+ rather hurt the performance.
If the one operand of the operation is already Int52, the cost for constructing ArithAdd becomes
+ cheap since only one Double to Int52 conversion could be required.
+ This recovers some regression in assorted tests while keeping kraken crypto improvements.
+
+ 3. Avoid frequent Int52 to JSValue conversions.
+
+ Int52 to JSValue conversion is not so cheap. Thus, we would like to avoid such situations. So, in this patch, we allow
+ Arith(Int52, Int52) with AnyIntAsDouble operand only when the node is used as number. By doing so, we avoid the case like,
+ converting Int52, performing ArithAdd, and soon converting back to JSValue.
+
+ The above 3 changes recover the regression measured in microbenchmarks/int52-back-and-forth.js and assorted benchmarks.
+ And still it keeps kraken crypto improvements.
+
+ baseline patched
+
+ imaging-darkroom 201.112+-3.192 ^ 189.532+-2.883 ^ definitely 1.0611x faster
+ stanford-crypto-pbkdf2 103.953+-2.325 100.926+-2.396 might be 1.0300x faster
+ stanford-crypto-sha256-iterative 35.103+-1.071 ? 36.049+-1.143 ? might be 1.0270x slower
+
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addShouldSpeculateAnyInt):
+
+== Rolled over to ChangeLog-2017-03-23 ==
diff --git a/ChangeLog-2018-09-11 b/ChangeLog-2018-09-11
new file mode 100644
index 0000000..3112ae4
--- /dev/null
+++ b/ChangeLog-2018-09-11
@@ -0,0 +1,30211 @@
+2018-09-10 Michael Saboff
+
+ Test262 failure with Named Capture Groups - using a reference before the group is defined
+ https://bugs.webkit.org/show_bug.cgi?id=189407
+
+ Reviewed by Alex Christensen.
+
+ Added code to save the named forward references we see during parsing and validating that
+ they are all present when parsing the RegExp is complete. If there are unnamed references,
+ we reparse with some variation of behavior. Just like for numeric references, the
+ behavior is different depending on whether or not the unicode (u flag) is present.
+ For non-unicode patterns, we treat the \k<...> as a literal pattern. For a unicode
+ pattern we throw an exception.
+
+ Did some refactoring, renaming YarrPattern::reset() and YarrPatternConstructor::reset()
+ resetForReparsing() as that is the only use for those methods. Also changed
+ all the delegate methods that take a String to take a const String& to eliminate
+ copy churn.
+
+ * yarr/YarrParser.h:
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedBackReference):
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::isValidNamedForwardReference):
+ (JSC::Yarr::Parser::CharacterClassParserDelegate::atomNamedForwardReference):
+ (JSC::Yarr::Parser::parseEscape):
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPatternConstructor::resetForReparsing):
+ (JSC::Yarr::YarrPatternConstructor::saveUnmatchedNamedForwardReferences):
+ (JSC::Yarr::YarrPatternConstructor::atomNamedBackReference):
+ (JSC::Yarr::YarrPatternConstructor::isValidNamedForwardReference):
+ (JSC::Yarr::YarrPatternConstructor::atomNamedForwardReference):
+ (JSC::Yarr::YarrPattern::compile):
+ (JSC::Yarr::YarrPatternConstructor::reset): Deleted.
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::YarrPattern::resetForReparsing):
+ (JSC::Yarr::YarrPattern::containsIllegalNamedForwardReferences):
+ (JSC::Yarr::YarrPattern::reset): Deleted. 
+ * yarr/YarrSyntaxChecker.cpp:
+ (JSC::Yarr::SyntaxChecker::atomNamedBackReference):
+ (JSC::Yarr::SyntaxChecker::isValidNamedForwardReference):
+ (JSC::Yarr::SyntaxChecker::atomNamedForwardReference):
+
+2018-09-08 Yusuke Suzuki
+
+ [JSC] Remove loadModule function in jsc.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=184808
+
+ Reviewed by Darin Adler.
+
+ Since we have `import`, we do not need to have `loadModule` function for testing purpose.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionLoadModule): Deleted.
+
+2018-09-07 Mark Lam
+
+ Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
+ https://bugs.webkit.org/show_bug.cgi?id=189317
+
+
+ Reviewed by Filip Pizlo.
+
+ handleIntrinsicCall() is normally used for checking if an op_call is a call to
+ an intrinsic function, and inlining it if it's a match.
+
+ However, getter and setter functions also does calls, and uses handleCall()
+ to implement the call. handleCall() eventually calls handleIntrinsicCall() to
+ check for intrinsics. This results in a bug because handleIntrinsicCall()
+ sometimes relies on the ArrayProfile* of the instruction, and is always assuming
+ that the instruction is op_call shaped. This turns out to be not true: getters
+ and setters can get there with op_get_by_val and op_put_by_val instead.
+
+ Since the intrinsic functions handled by handleIntrinsicCall() are never
+ intended to be used as getter / setter functions anyway, we can prevent this
+ whole class of bugs by having handleIntrinsicCall() fail early if the
+ instruction is not op_call shaped.
+
+ To implement this fix, we did the following:
+
+ 1. Introduced the OpcodeShape enum.
+ 2. Introduced isOpcodeShape() for testing if a instruction of the
+ shape of the specified OpcodeShape.
+ 3. Introduced arrayProfileFor() for fetching the ArrayProfile* from
+ the instruction given the OpcodeShape.
+
+ Using this arrayProfileFor template has the following benefits:
+ 1. 
Centralizes the definition of which instructions has an ArrayProfile* operand.
+ 2. Centralizes the definition of which operand is the ArrayProfile*.
+ 3. Asserts that the instruction is of the expected shape when retrieving the
+ ArrayProfile*.
+
+ 4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
+ in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
+ indeed does point to an ArrayProfile.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/ArrayProfile.cpp:
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::isValid const):
+ * bytecode/OpcodeInlines.h: Added.
+ (JSC::isOpcodeShape):
+ (JSC::arrayProfileFor):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::getByVal):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+2018-09-06 Yusuke Suzuki
+
+ [DFG] DFG should handle String#toString
+ https://bugs.webkit.org/show_bug.cgi?id=189151
+
+ Reviewed by Saam Barati.
+
+ We handle String#toString and String#valueOf in DFG by introducing StringValueOf node. 
+ In the fixup phase, we attempt to lower StringValueOf to the existing ToString or Identity
+ nodes. If we fail to lower it, we have StringValueOf(UntypedUse), which may raise an error
+ if an argument is neither String nor StringObject. The error message in String#toString and
+ String#valueOf is poor, which will be handled in a separate bug[1].
+
+ It improves simple microbenchmarks by 53.4 - 67.6%.
+
+ baseline patched
+
+ string-object-to-string 21.7308+-3.3147 ^ 12.9655+-0.0527 ^ definitely 1.6760x faster
+ string-object-value-of 20.1122+-0.0691 ^ 13.1134+-0.2482 ^ definitely 1.5337x faster
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=189357
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupStringValueOf):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToToString):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf):
+ (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
+ (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor): Deleted. 
+
+2018-09-07 Yusuke Suzuki
+
+ [WebAssembly] Optimize JS to Wasm call by using pointer of Signature as SignatureIndex
+ https://bugs.webkit.org/show_bug.cgi?id=189401
+
+ Reviewed by Mark Lam.
+
+ SignatureInformation is a global repository for Signature to make Signature atomic.
+ It takes Ref&& and generates SignatureIndex. And we get const Signature&
+ by using this SignatureIndex. However, converting SignatureIndex to const Signature&
+ always looks up a hash table. This is costly since JS to Wasm calls always use
+ Signature& to check types of arguments.
+
+ Instead of using this hash table, this patch uses a pointer of Signature as SignatureIndex.
+ This allows us to convert SignatureIndex to Signature by just casting it.
+
+ We also optimize SignatureInformation::singleton by making an accessor function inlined.
+ And we move ProtoCallFrame::init to the header since it's just setting values.
+
+ This change significantly optimizes JS to wasm calls (1e7 times) from 600ms to 320ms.
+
+ In the future, we can remove SignatureIndex by directly handling Ref: adding
+ deref() of Signature which unregisters itself from SignatureInformation carefully. Or we can
+ make SignatureIndex uint32_t by introducing a mechanism similar to StructureID.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * interpreter/ProtoCallFrame.h:
+ (JSC::ProtoCallFrame::init):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBBQPlan.cpp:
+ * wasm/WasmFormat.h:
+ (JSC::Wasm::WasmToWasmImportableFunction::offsetOfSignatureIndex):
+ * wasm/WasmFunctionParser.h:
+ * wasm/WasmModule.h:
+ * wasm/WasmOMGPlan.cpp:
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseType):
+ * wasm/WasmSignature.cpp:
+ (JSC::Wasm::SignatureInformation::adopt):
+ (JSC::Wasm::SignatureInformation::tryCleanup):
+ (JSC::Wasm::SignatureInformation::singleton): Deleted.
+ (JSC::Wasm::SignatureInformation::get): Deleted. 
+ * wasm/WasmSignature.h:
+ (JSC::Wasm::Signature::index const):
+ (JSC::Wasm::SignatureHash::SignatureHash):
+ (JSC::Wasm::SignatureHash::hash):
+ (JSC::Wasm::SignatureHash::isHashTableDeletedValue const):
+ (JSC::Wasm::SignatureHash::empty): Deleted.
+ (JSC::Wasm::SignatureHash::deleted): Deleted.
+ * wasm/WasmSignatureInlines.h: Renamed from Source/JavaScriptCore/interpreter/ProtoCallFrame.cpp.
+ (JSC::Wasm::SignatureInformation::singleton):
+ (JSC::Wasm::SignatureInformation::get):
+ * wasm/js/JSToWasm.cpp:
+ * wasm/js/JSWebAssemblyModule.h:
+ * wasm/js/WasmToJS.cpp:
+ (JSC::Wasm::wasmToJS):
+ * wasm/js/WebAssemblyFunction.cpp:
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ * wasm/js/WebAssemblyWrapperFunction.cpp:
+
+2018-09-07 Yusuke Suzuki
+
+ [JSC] Put .throwStackOverflow code after the fast path in LLInt doVMEntry
+ https://bugs.webkit.org/show_bug.cgi?id=189410
+
+ Reviewed by Mark Lam.
+
+ Put .throwStackOverflow code after the fast path in LLInt doVMEntry to
+ make doVMEntry code tight.
+
+ * llint/LLIntThunks.cpp:
+ (JSC::vmEntryToWasm): Deleted.
+ * llint/LLIntThunks.h:
+ (JSC::vmEntryToWasm):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2018-09-06 Yusuke Suzuki
+
+ [WebAssembly] Optimize JS to Wasm call by removing Vector allocation
+ https://bugs.webkit.org/show_bug.cgi?id=189353
+
+ Reviewed by Mark Lam.
+
+ JS to Wasm call always allocates Vector for the arguments. This is really costly if the wasm function is small.
+ This patch adds an initial size parameter to the Vector to avoid allocations for small sized arguments.
+
+ * runtime/ArgList.h:
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+
+2018-08-31 Yusuke Suzuki
+
+ [JSC] Clean up StructureStubClearingWatchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=189156
+
+ Reviewed by Saam Barati.
+
+ Cleaning up StructureStubClearingWatchpoint by holding StructureStubClearingWatchpoint in Bag
+ in WatchpointsOnStructureStubInfo. 
This removes hacky linked list code for StructureStubClearingWatchpoint.
+
+ * bytecode/StructureStubClearingWatchpoint.cpp:
+ (JSC::WatchpointsOnStructureStubInfo::addWatchpoint):
+ (JSC::StructureStubClearingWatchpoint::~StructureStubClearingWatchpoint): Deleted.
+ (JSC::StructureStubClearingWatchpoint::push): Deleted.
+ (JSC::WatchpointsOnStructureStubInfo::~WatchpointsOnStructureStubInfo): Deleted.
+ * bytecode/StructureStubClearingWatchpoint.h:
+ (JSC::StructureStubClearingWatchpoint::StructureStubClearingWatchpoint):
+
+2018-09-06 Michael Saboff
+
+ Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
+ https://bugs.webkit.org/show_bug.cgi?id=189380
+
+ Reviewed by Saam Barati.
+
+ Account for the case where in Math.pow(NaN, y) where y could be 0.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::typeOfDoublePow):
+
+2018-09-06 Mark Lam
+
+ Gardening: only visit m_cachedStructureID if it's not null.
+ https://bugs.webkit.org/show_bug.cgi?id=189124
+
+
+ Not reviewed.
+
+ * runtime/JSPropertyNameEnumerator.cpp:
+ (JSC::JSPropertyNameEnumerator::visitChildren):
+
+2018-09-06 Tomas Popela
+
+ [JSC] Build broken after r234975 on s390x, ppc64le, armv7hl
+ https://bugs.webkit.org/show_bug.cgi?id=189078
+
+ Reviewed by Mark Lam.
+
+ Caused by the GCC bug - https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70124.
+ Using the ternary operator instead of std::max() fixes it.
+
+ * heap/RegisterState.h:
+
+2018-09-05 Mark Lam
+
+ JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
+ https://bugs.webkit.org/show_bug.cgi?id=189124
+
+
+ Reviewed by Filip Pizlo.
+
+ It is assumed that the Structure for the m_cachedStructureID will remain alive
+ while the m_cachedStructureID is in use. This prevents the structureID from being
+ re-used for a different Structure. 
+
+ * runtime/JSPropertyNameEnumerator.cpp:
+ (JSC::JSPropertyNameEnumerator::visitChildren):
+
+2018-09-05 Ross Kirsling
+
+ [ESNext] Symbol.prototype.description
+ https://bugs.webkit.org/show_bug.cgi?id=186686
+
+ Reviewed by Keith Miller.
+
+ Symbol.prototype.description was implemented in r232404, but has one small bug:
+ It should return undefined for a null symbol.
+
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::description const):
+ * runtime/SymbolPrototype.cpp:
+ (JSC::symbolProtoGetterDescription):
+ Address the null symbol case.
+
+2018-09-04 Keith Miller
+
+ RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83
+ https://bugs.webkit.org/show_bug.cgi?id=188917
+
+ Reviewed by Mark Lam.
+
+ Our allocators should be able to handle allocating a zero-sized object.
+ Zero-sized objects will be allocated into the smallest size class.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
+ * heap/MarkedSpace.h:
+ (JSC::MarkedSpace::sizeClassToIndex):
+ (JSC::MarkedSpace::indexToSizeClass):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitAllocateVariableSized):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+
+2018-09-05 Mark Lam
+
+ Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
+ https://bugs.webkit.org/show_bug.cgi?id=189300
+
+
+ Reviewed by Saam Barati.
+
+ At the time a DeferredSourceDump is instantiated, it captures a CodeOrigin value
+ which points to a InlineCallFrame in the DFG::Plan's m_inlineCallFrames set. The
+ DeferredSourceDump is later used to dump source even if the compilation fails.
+ This is intentional so that we can use this tool to see what source fails to
+ compile as well. 
+
+ The DFG::Plan may have been destructed by then, and since the compilation failed,
+ the InlineCallFrame is also destructed. This means DeferredSourceDump::dump()
+ may be end up accessing freed memory.
+
+ DeferredSourceDump doesn't really need a CodeOrigin. All it wants is the caller
+ bytecodeIndex for the call to an inlined function. Hence, we can fix this issue
+ by changing DeferredSourceDump to capture the caller bytecodeIndex instead.
+
+ In this patch, we also change DeferredSourceDump's m_codeBlock and m_rootCodeBlock
+ to be Strong references to ensure that the CodeBlocks are kept alive until they
+ can be dumped.
+
+ * bytecode/DeferredCompilationCallback.cpp:
+ (JSC::DeferredCompilationCallback::dumpCompiledSourcesIfNeeded):
+ * bytecode/DeferredSourceDump.cpp:
+ (JSC::DeferredSourceDump::DeferredSourceDump):
+ (JSC::DeferredSourceDump::dump):
+ * bytecode/DeferredSourceDump.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+
+2018-09-05 David Kilzer
+
+ REGRESSION (r235419): DFGCFG.h is missing from JavaScriptCore Xcode project
+
+ Found using `tidy-Xcode-project-file --missing` (see Bug
+ 188754). Fix was made manually.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ (dfg/DFGCFG.h): Revert accidental change in r235419 by restoring
+ `name` and `path` values to file reference.
+
+2018-09-05 Mark Lam
+
+ isAsyncGeneratorMethodParseMode() should check for SourceParseMode::AsyncGeneratorWrapperMethodMode.
+ https://bugs.webkit.org/show_bug.cgi?id=189292
+
+
+ Reviewed by Saam Barati.
+
+ Previously, isAsyncGeneratorMethodParseMode() was checking for AsyncGeneratorWrapperFunctionMode
+ instead of AsyncGeneratorWrapperMethodMode. This patch fixes it
+ to check for AsyncGeneratorWrapperMethodMode (to match what is expected as indicated
+ in the name isAsyncGeneratorMethodParseMode).
+
+ * parser/ParserModes.h:
+ (JSC::isAsyncGeneratorMethodParseMode):
+
+2018-09-04 Michael Saboff
+
+ Unreviewed indentations change. 
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::matchBackreference):
+
+2018-09-04 Michael Saboff
+
+ JSC Build error when changing CPU type: offlineasm: No magic values found. Skipping assembly file generation
+ https://bugs.webkit.org/show_bug.cgi?id=189274
+
+ Reviewed by Saam Barati.
+
+ Put the derived file LLIntDesiredOffsets.h in an architecture specific subdirectory to make them unique.
+
+ Some I got this change mixed up with the change for r235636. The changes to JavaScriptCore.xcodeproj/project.pbxproj
+ where landed there.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2018-09-04 Michael Saboff
+
+ YARR: JIT RegExps with back references
+ https://bugs.webkit.org/show_bug.cgi?id=180874
+
+ Reviewed by Filip Pizlo.
+
+ Implemented JIT'ed back references for all counted types. The only type of back references
+ not handled in the JIT are 16bit matches that ignore case. Such support would require the
+ canonicalization that is currently handled in the Yarr interpreter via a C funtion call.
+ The back reference processing for surrogate pairs is implemented by individually comparing
+ each surrogate ala memcmp.
+
+ Added a generated canonicalization table for the LChar (8bit) domain to process case
+ ignored back references.
+
+ Added macro assembler load16(ExtendedAddress) for indexed access to the canonicalization table.
+
+ Added a new JIT failure reason for forward references as the check to JIT expressions with
+ forward references we're handled synonimously those containing back references.
+
+ This change is only enabled for 64 bit platforms. 
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::load16):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::load16):
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+ * yarr/YarrCanonicalize.h:
+ * yarr/YarrCanonicalizeUCS2.cpp:
+ * yarr/YarrCanonicalizeUCS2.js:
+ (set characters.hex.set string_appeared_here):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::checkNotEnoughInput):
+ (JSC::Yarr::YarrGenerator::readCharacterDontDecodeSurrogates):
+ (JSC::Yarr::YarrGenerator::matchBackreference):
+ (JSC::Yarr::YarrGenerator::generateBackReference):
+ (JSC::Yarr::YarrGenerator::backtrackBackReference):
+ (JSC::Yarr::YarrGenerator::generateTerm):
+ (JSC::Yarr::YarrGenerator::backtrackTerm):
+ (JSC::Yarr::YarrGenerator::compile):
+ (JSC::Yarr::dumpCompileFailure):
+ * yarr/YarrJIT.h:
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
+ (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
+
+2018-09-04 Mark Lam
+
+ Make the jsc shell print, printErr, and debug functions more robust.
+ https://bugs.webkit.org/show_bug.cgi?id=189268
+
+
+ Reviewed by Keith Miller.
+
+ We'll now check for UTF8 conversion errors.
+
+ * jsc.cpp:
+ (cStringFromViewWithString):
+ (printInternal):
+ (functionDebug):
+
+2018-09-04 Michael Catanzaro
+
+ [WPE][GTK] Add more unused result warnings to JSC API
+ https://bugs.webkit.org/show_bug.cgi?id=189243
+
+ Reviewed by Carlos Garcia Campos.
+
+ The jsc_context_evaluate() family of functions has a (transfer full) return value, but the
+ caller may be tempted to not inspect it if uninterested in the return value. This would be
+ an error, because it must be freed.
+
+ * API/glib/JSCContext.h:
+
+2018-09-03 Mark Lam
+
+ The watchdog sometimes fails to terminate a script.
+ https://bugs.webkit.org/show_bug.cgi?id=189227
+
+
+ Reviewed by Saam Barati.
+
+ Consider the following scenario:
+
+ 1. 
We have an infinite loop bytecode sequence as follows:
+
+ [ 13] loop_hint
+ [ 14] check_traps
+ [ 15] jmp -2(->13)
+
+ 2. The VM tiers up from LLInt -> BaselineJIT -> DFG -> FTL.
+
+ Note that op_check_traps is represented as a CheckTraps node in the DFG and FTL.
+ When we're not using pollingTraps (JSC_usePollingTraps is false by default),
+ we emit no code for CheckTraps, but only record an InvalidationPoint there.
+
+ 3. The watchdog fires, and invalidates all InvalidationPoints in the FTL CodeBlock.
+
+ InvalidationPoints OSR exits to the next instruction by design. In this case,
+ that means the VM will resumes executing at the op_jmp, which jumps to the
+ op_loop_hint opcode. At the loop_hint, the VM discovers that the function is
+ already hot, and attempts to tier up. It immediately discovers that a replacement
+ CodeBlock is available because we still haven't jettisoned the DFG CodeBlock
+ nor the FTL CodeBlock that was previously compiled for this function.
+
+ Note that jettisoning a CodeBlock necessarily means the VM will invalidate
+ its InvalidationPoints (if the CodeBlock is DFG/FTL). However, the reverse
+ is not true: merely invalidating the InvalidationPoints does not necessarily
+ mean that the CodeBlock is jettisoned.
+
+ VMTraps::tryInstallTrapBreakpoints() runs from a separate thread. Hence,
+ it is only safe for it to invalidate a CodeBlock's InvalidationPoints. It
+ is not safe for the CodeBlock to be jettisoned from another thread. Instead,
+ the VMTraps mechanism relies on the script thread running to an op_check_traps
+ in the baseline JIT code where it will do the necessary jettisoning of optimized
+ CodeBlocks.
+
+ Since the op_check_traps never get executed, the VM will perpetually tier up in
+ the op_loop_hint, OSR exit to the op_jmp, jump to the op_loop_hint, and repeat.
+ Consequently, the watchdog fails to terminate this script. 
+
+ In this patch, we fix this by making the DFG BytecodeParser emit an InvalidationPoint
+ node directly (when the VM is not configured to use polling traps). This ensures
+ that the check traps invalidation point will OSR exit to the op_check_traps opcode
+ in the baseline JIT.
+
+ In this patch, we also change VMTraps::tryInstallTrapBreakpoints() to use
+ CallFrame::unsafeCodeBlock() instead of CallFrame::codeBlock(). This is because
+ we don't really know if the frame is properly set up. We're just conservatively
+ probing the stack. ASAN does not like this probing. Using unsafeCodeBlock() here
+ will suppress the false positive ASAN complaint.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckTraps):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ * runtime/VMTraps.cpp:
+ (JSC::VMTraps::tryInstallTrapBreakpoints):
+
+2018-09-03 Mark Lam
+
+ CallFrame::unsafeCallee() should use an ASAN suppressed Register::asanUnsafePointer().
+ https://bugs.webkit.org/show_bug.cgi?id=189247
+
+ Reviewed by Saam Barati.
+
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::unsafeCallee const):
+ * interpreter/Register.h:
+ (JSC::Register::asanUnsafePointer const):
+ (JSC::Register::unsafePayload const):
+
+2018-09-02 Yusuke Suzuki
+
+ Implement Object.fromEntries
+ https://bugs.webkit.org/show_bug.cgi?id=188481
+
+ Reviewed by Darin Adler.
+
+ Object.fromEntries becomes stage 3[1]. This patch implements it by using builtin JS. 
+
+ [1]: https://tc39.github.io/proposal-object-from-entries/
+
+ * builtins/ObjectConstructor.js:
+ (fromEntries):
+ * runtime/ObjectConstructor.cpp:
+
+2018-08-24 Yusuke Suzuki
+
+ Function object should convert params to string before throw a parsing error
+ https://bugs.webkit.org/show_bug.cgi?id=188874
+
+ Reviewed by Darin Adler.
+
+ ToString operation onto the `body` of the Function constructor should be performed
+ before checking syntax correctness of the parameters.
+
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructFunctionSkippingEvalEnabledCheck):
+
+2018-08-31 Mark Lam
+
+ Fix exception check accounting in constructJSWebAssemblyCompileError().
+ https://bugs.webkit.org/show_bug.cgi?id=189185
+
+
+ Reviewed by Michael Saboff.
+
+ Also add an exception check in JSWebAssemblyModule::createStub() so that we don't
+ inadvertently overwrite a pre-existing exception (if present).
+
+ * wasm/js/JSWebAssemblyModule.cpp:
+ (JSC::JSWebAssemblyModule::createStub):
+ * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+ (JSC::constructJSWebAssemblyCompileError):
+
+2018-08-31 Mark Lam
+
+ Gardening: ARMv7 build fix.
+ https://bugs.webkit.org/show_bug.cgi?id=158911
+
+ Not reviewed.
+
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::patchableBranch8):
+
+2018-08-31 Mark Lam
+
+ Fix exception check accounting in JSDataView::defineOwnProperty().
+ https://bugs.webkit.org/show_bug.cgi?id=189186
+
+
+ Reviewed by Michael Saboff.
+
+ * runtime/JSDataView.cpp:
+ (JSC::JSDataView::defineOwnProperty):
+
+2018-08-31 Mark Lam
+
+ Add missing exception check in arrayProtoFuncLastIndexOf().
+ https://bugs.webkit.org/show_bug.cgi?id=189184
+
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncLastIndexOf):
+
+2018-08-31 Saam barati
+
+ convertToRegExpMatchFastGlobal must use KnownString as the child use kind
+ https://bugs.webkit.org/show_bug.cgi?id=189173
+
+
+ Reviewed by Michael Saboff. 
+
+ We were crashing during validation because mayExit returned true
+ at a point in the program when we weren't allowed to exit.
+
+ The issue was is in StrengthReduction: we end up emitting code that
+ had a StringUse on an edge after a node that did side effects and before
+ an ExitOK/bytecode number transition. However, StrenghReduction did the
+ right thing here and also emitted the type checks before the node with
+ side effects. It just did bad bookkeeping. The node we convert to needs
+ to use KnownStringUse instead of StringUse for the child edge.
+
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
+ (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
+ (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
+ (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
+ * dfg/DFGNode.h:
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+
+2018-08-30 Saam barati
+
+ Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
+ https://bugs.webkit.org/show_bug.cgi?id=189166
+
+ Reviewed by Mark Lam.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/GetterSetterAccessCase.cpp:
+ (JSC::GetterSetterAccessCase::emitDOMJITGetter):
+ * bytecode/InlineAccess.cpp:
+ (JSC::getScratchRegister):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::regenerate):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::valueRegs const):
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITByIdGenerator::JITByIdGenerator):
+ (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
+ (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
+
+2018-08-30 Saam barati
+
+ InlineAccess should do StringLength
+ https://bugs.webkit.org/show_bug.cgi?id=158911
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch extends InlineAccess to support StringLength. 
This patch also
+ fixes AccessCase::fromStructureStubInfo to support ArrayLength and StringLength.
+ I forgot to implement this for ArrayLength in the initial InlineAccess
+ implementation. Supporting StringLength is a natural extension of the
+ InlineAccess machinery.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::patchableBranch8):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::patchableBranch8):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::fromStructureStubInfo):
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::printGetByIdCacheStatus):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::dumpCacheSizesAndCrash):
+ (JSC::InlineAccess::generateSelfPropertyAccess):
+ (JSC::getScratchRegister):
+ (JSC::InlineAccess::generateSelfPropertyReplace):
+ (JSC::InlineAccess::generateArrayLength):
+ (JSC::InlineAccess::generateSelfInAccess):
+ (JSC::InlineAccess::generateStringLength):
+ * bytecode/InlineAccess.h:
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::regenerate):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::initStringLength):
+ (JSC::StructureStubInfo::deref):
+ (JSC::StructureStubInfo::aboutToDie):
+ (JSC::StructureStubInfo::propagateTransitions):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::baseGPR const):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+
+2018-08-30 Saam barati
+
+ CSE DataViewGet* DFG nodes
+ https://bugs.webkit.org/show_bug.cgi?id=188768
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch makes it so that we CSE DataViewGet* accesses. To do this,
+ I needed to add a third descriptor to HeapLocation to represent the
+ isLittleEndian child. This patch is neutral on compile time benchmarks,
+ and is a 50% speedup on a trivial CSE microbenchmark that I added. 
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ (JSC::DFG::HeapLocation::HeapLocation):
+ (JSC::DFG::HeapLocation::hash const):
+ (JSC::DFG::HeapLocation::operator== const):
+ (JSC::DFG::indexedPropertyLocForResultType):
+
+2018-08-30 Yusuke Suzuki
+
+ output of toString() of Generator is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=188952
+
+ Reviewed by Saam Barati.
+
+ Function#toString does not respect generator and async generator.
+ This patch fixes them and supports all the function types.
+
+ * runtime/FunctionPrototype.cpp:
+ (JSC::functionProtoFuncToString):
+
+2018-08-29 Mark Lam
+
+ Add some missing exception checks in JSRopeString::resolveRopeToAtomicString().
+ https://bugs.webkit.org/show_bug.cgi?id=189132
+
+
+ Reviewed by Saam Barati.
+
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::toPropertyKey const):
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeToAtomicString const):
+
+2018-08-29 Commit Queue
+
+ Unreviewed, rolling out r235432 and r235436.
+ https://bugs.webkit.org/show_bug.cgi?id=189086
+
+ Is a Swift source breaking change. (Requested by keith_miller
+ on #webkit).
+
+ Reverted changesets:
+
+ "Add nullablity attributes to JSValue"
+ https://bugs.webkit.org/show_bug.cgi?id=189047
+ https://trac.webkit.org/changeset/235432
+
+ "Add nullablity attributes to JSValue"
+ https://bugs.webkit.org/show_bug.cgi?id=189047
+ https://trac.webkit.org/changeset/235436
+
+2018-08-28 Mark Lam
+
+ Fix bit-rotted Interpreter::dumpRegisters() and move it to the VMInspector.
+ https://bugs.webkit.org/show_bug.cgi?id=189059
+
+
+ Reviewed by Saam Barati.
+
+ 1. Moved Interpreter::dumpRegisters() to VMInspector::dumpRegisters().
+ 2. Added $vm.dumpRegisters().
+
+ Usage: $vm.dumpRegisters(N) // dump the registers of the Nth CallFrame. 
+ Usage: $vm.dumpRegisters() // dump the registers of the current CallFrame. + + Note: Currently, $vm.dumpRegisters() only dump registers in the physical frame. + It will treat inlined frames content as registers in the bounding physical frame. + + Here's an example of such a dump on a DFG frame: + + Register frame: + + ----------------------------------------------------------------------------- + use | address | value + ----------------------------------------------------------------------------- + [r 12 arguments[ 7]] | 0x7ffeefbfd330 | 0xa Undefined + [r 11 arguments[ 6]] | 0x7ffeefbfd328 | 0x10bbb3e80 Object: 0x10bbb3e80 with butterfly 0x0 (Structure 0x10bbf20d0:[Object, {}, NonArray, Proto:0x10bbb4000]), StructureID: 76 + [r 10 arguments[ 5]] | 0x7ffeefbfd320 | 0xa Undefined + [r 9 arguments[ 4]] | 0x7ffeefbfd318 | 0xa Undefined + [r 8 arguments[ 3]] | 0x7ffeefbfd310 | 0xa Undefined + [r 7 arguments[ 2]] | 0x7ffeefbfd308 | 0xffff0000000a5eaa Int32: 679594 + [r 6 arguments[ 1]] | 0x7ffeefbfd300 | 0x10bbd00f0 Object: 0x10bbd00f0 with butterfly 0x8000f8248 (Structure 0x10bba4700:[Function, {name:100, prototype:101, length:102, Symbol.species:103, isArray:104}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 160 + [r 5 this] | 0x7ffeefbfd2f8 | 0x10bbe0000 Object: 0x10bbe0000 with butterfly 0x8000d8808 (Structure 0x10bb35340:[global, {parseInt:100, parseFloat:101, Object:102, Function:103, Array:104, RegExp:105, RangeError:106, TypeError:107, PrivateSymbol.Object:108, PrivateSymbol.Array:109, ArrayBuffer:110, String:111, Symbol:112, Number:113, Boolean:114, Error:115, Map:116, Set:117, Promise:118, eval:119, Reflect:121, $vm:122, WebAssembly:123, debug:124, describe:125, describeArray:126, print:127, printErr:128, quit:129, gc:130, fullGC:131, edenGC:132, forceGCSlowPaths:133, gcHeapSize:134, addressOf:135, version:136, run:137, runString:138, load:139, loadString:140, readFile:141, read:142, checkSyntax:143, sleepSeconds:144, jscStack:145, readline:146, 
preciseTime:147, neverInlineFunction:148, noInline:149, noDFG:150, noFTL:151, numberOfDFGCompiles:153, jscOptions:154, optimizeNextInvocation:155, reoptimizationRetryCount:156, transferArrayBuffer:157, failNextNewCodeBlock:158, OSRExit:159, isFinalTier:160, predictInt32:161, isInt32:162, isPureNaN:163, fiatInt52:164, effectful42:165, makeMasquerader:166, hasCustomProperties:167, createGlobalObject:168, dumpTypesForAllVariables:169, drainMicrotasks:170, getRandomSeed:171, setRandomSeed:172, isRope:173, callerSourceOrigin:174, is32BitPlatform:175, loadModule:176, checkModuleSyntax:177, platformSupportsSamplingProfiler:178, generateHeapSnapshot:179, resetSuperSamplerState:180, ensureArrayStorage:181, startSamplingProfiler:182, samplingProfilerStackTraces:183, maxArguments:184, asyncTestStart:185, asyncTestPassed:186, WebAssemblyMemoryMode:187, console:188, $:189, $262:190, waitForReport:191, heapCapacity:192, flashHeapAccess:193, disableRichSourceInfo:194, mallocInALoop:195, totalCompileTime:196, Proxy:197, uneval:198, WScript:199, failWithMessage:200, triggerAssertFalse:201, isNaN:202, isFinite:203, escape:204, unescape:205, decodeURI:206, decodeURIComponent:207, encodeURI:208, encodeURIComponent:209, EvalError:210, ReferenceError:211, SyntaxError:212, URIError:213, JSON:214, Math:215, Int8Array:216, PrivateSymbol.Int8Array:217, Int16Array:218, PrivateSymbol.Int16Array:219, Int32Array:220, PrivateSymbol.Int32Array:221, Uint8Array:222, PrivateSymbol.Uint8Array:223, Uint8ClampedArray:224, PrivateSymbol.Uint8ClampedArray:225, Uint16Array:226, PrivateSymbol.Uint16Array:227, Uint32Array:228, PrivateSymbol.Uint32Array:229, Float32Array:230, PrivateSymbol.Float32Array:231, Float64Array:232, PrivateSymbol.Float64Array:233, DataView:234, Date:235, WeakMap:236, WeakSet:237, Intl:120, desc:238}, NonArray, Proto:0x10bbb4000, UncacheableDictionary, Leaf]), StructureID: 474 + ----------------------------------------------------------------------------- + [ArgumentCount] | 
0x7ffeefbfd2f0 | 7 + [ReturnVPC] | 0x7ffeefbfd2f0 | 164 (line 57) + [Callee] | 0x7ffeefbfd2e8 | 0x10bb68db0 Object: 0x10bb68db0 with butterfly 0x0 (Structure 0x10bbf1c00:[Function, {}, NonArray, Proto:0x10bbd0000, Shady leaf]), StructureID: 65 + [CodeBlock] | 0x7ffeefbfd2e0 | 0x10bb2f8e0 __callRandomFunction#DmVXnv:[0x10bb2f8e0->0x10bbfd1e0, LLIntFunctionCall, 253] + [ReturnPC] | 0x7ffeefbfd2d8 | 0x10064d14c + [CallerFrame] | 0x7ffeefbfd2d0 | 0x7ffeefbfd380 + ----------------------------------------------------------------------------- + [r -1 CalleeSaveReg] | 0x7ffeefbfd2c8 | 0xffff000000000002 Int32: 2 + [r -2 CalleeSaveReg] | 0x7ffeefbfd2c0 | 0xffff000000000000 Int32: 0 + [r -3 CalleeSaveReg] | 0x7ffeefbfd2b8 | 0x10baf1608 + [r -4 ] | 0x7ffeefbfd2b0 | 0x10bbcc000 Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59 + [r -5 ] | 0x7ffeefbfd2a8 | 0x10bbcc000 Object: 0x10bbcc000 with butterfly 0x0 (Structure 0x10bbf1960:[JSGlobalLexicalEnvironment, {}, NonArray, Leaf]), StructureID: 59 + [r -6 ] | 0x7ffeefbfd2a0 | 0xa Undefined + ----------------------------------------------------------------------------- + [r -7] | 0x7ffeefbfd298 | 0x10bb6fdc0 String (atomic) (identifier): length, StructureID: 4 + [r -8] | 0x7ffeefbfd290 | 0x10bbb7ec0 Object: 0x10bbb7ec0 with butterfly 0x8000e0008 (Structure 0x10bbf2ae0:[Array, {}, ArrayWithContiguous, Proto:0x10bbc8080]), StructureID: 99 + [r -9] | 0x7ffeefbfd288 | 0x10bbc33f0 Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69 + [r-10] | 0x7ffeefbfd280 | 0xffff000000000004 Int32: 4 + [r-11] | 0x7ffeefbfd278 | 0x10bbb4290 Object: 0x10bbb4290 with butterfly 0x8000e8408 (Structure 0x10bb74850:[DollarVM, {abort:100, crash:101, breakpoint:102, dfgTrue:103, ftlTrue:104, cpuMfence:105, cpuRdtsc:106, cpuCpuid:107, cpuPause:108, cpuClflush:109, llintTrue:110, 
jitTrue:111, noInline:112, gc:113, edenGC:114, callFrame:115, codeBlockFor:116, codeBlockForFrame:117, dumpSourceFor:118, dumpBytecodeFor:119, dataLog:120, print:121, dumpCallFrame:122, dumpStack:123, dumpRegisters:124, dumpCell:125, indexingMode:126, inlineCapacity:127, value:128, getpid:129, createProxy:130, createRuntimeArray:131, createImpureGetter:132, createCustomGetterObject:133, createDOMJITNodeObject:134, createDOMJITGetterObject:135, createDOMJITGetterComplexObject:136, createDOMJITFunctionObject:137, createDOMJITCheckSubClassObject:138, createDOMJITGetterBaseJSObject:139, createBuiltin:140, getPrivateProperty:141, setImpureGetterDelegate:142, Root:143, Element:144, getElement:145, SimpleObject:146, getHiddenValue:147, setHiddenValue:148, shadowChickenFunctionsOnStack:149, setGlobalConstRedeclarationShouldNotThrow:150, findTypeForExpression:151, returnTypeFor:152, flattenDictionaryObject:153, dumpBasicBlockExecutionRanges:154, hasBasicBlockExecuted:155, basicBlockExecutionCount:156, enableDebuggerModeWhenIdle:158, disableDebuggerModeWhenIdle:159, globalObjectCount:160, globalObjectForObject:161, getGetterSetter:162, loadGetterFromGetterSetter:163, createCustomTestGetterSetter:164, deltaBetweenButterflies:165, totalGCTime:166}, NonArray, Proto:0x10bbb4000, Dictionary, Leaf]), StructureID: 306 + [r-12] | 0x7ffeefbfd270 | 0x100000001 + [r-13] | 0x7ffeefbfd268 | 0x10bbc33f0 Object: 0x10bbc33f0 with butterfly 0x8000fdda8 (Structure 0x10bbf1dc0:[Function, {name:100, length:101}, NonArray, Proto:0x10bbd0000, Leaf]), StructureID: 69 + [r-14] | 0x7ffeefbfd260 | 0x0 + [r-15] | 0x7ffeefbfd258 | 0x10064d14c + [r-16] | 0x7ffeefbfd250 | 0x7ffeefbfd2d0 + [r-17] | 0x7ffeefbfd248 | 0x67ec87ee177 INVALID + [r-18] | 0x7ffeefbfd240 | 0x7ffeefbfd250 + ----------------------------------------------------------------------------- + + 3. Removed dumpCallFrame() from the jsc shell. 
We have the following tools that + we can use in its place: + + $vm.dumpCallFrame() + $vm.dumpBytecodeFor() + $vm.dumpRegisters() // Just added in this patch. + + 4. Also fixed a bug in BytecodeDumper: it should only access + CallLinkInfo::haveLastSeenCallee() only if CallLinkInfo::isDirect() is false. + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printCallOp): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::dumpCallFrame): Deleted. + (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor): Deleted. + (JSC::DumpReturnVirtualPCFunctor::operator() const): Deleted. + (JSC::Interpreter::dumpRegisters): Deleted. + * interpreter/Interpreter.h: + * jsc.cpp: + (GlobalObject::finishCreation): + (functionDumpCallFrame): Deleted. + * tools/JSDollarVM.cpp: + (JSC::functionDumpRegisters): + (JSC::JSDollarVM::finishCreation): + * tools/VMInspector.cpp: + (JSC::VMInspector::dumpRegisters): + * tools/VMInspector.h: + +2018-08-28 Keith Miller + + Add nullablity attributes to JSValue + https://bugs.webkit.org/show_bug.cgi?id=189047 + + Reviewed by Dan Bernstein. + + Switch to using NS_ASSUME_NONNULL_BEGIN/END. + + * API/JSValue.h: + +2018-08-28 Keith Miller + + Add nullablity attributes to JSValue + https://bugs.webkit.org/show_bug.cgi?id=189047 + + Reviewed by Geoffrey Garen. + + * API/JSValue.h: + +2018-08-27 Yusuke Suzuki + + [WebAssembly] Parse wasm modules in a streaming fashion + https://bugs.webkit.org/show_bug.cgi?id=188943 + + Reviewed by Mark Lam. + + This patch adds Wasm::StreamingParser, which parses wasm binary in a streaming fashion. + Currently, this StreamingParser is not enabled and integrated. In subsequent patches, + we start integrating it into BBQPlan and dropping the old ModuleParser. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * tools/JSDollarVM.cpp: + (WTF::WasmStreamingParser::WasmStreamingParser): + (WTF::WasmStreamingParser::create): + (WTF::WasmStreamingParser::createStructure): + (WTF::WasmStreamingParser::streamingParser): + (WTF::WasmStreamingParser::finishCreation): + (WTF::functionWasmStreamingParserAddBytes): + (WTF::functionWasmStreamingParserFinalize): + (JSC::functionCreateWasmStreamingParser): + (JSC::JSDollarVM::finishCreation): + The $vm Wasm::StreamingParser object is introduced for testing purpose. Added new stress test uses + this interface to test streaming parser in the JSC shell. + + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::BBQPlan): + (JSC::Wasm::BBQPlan::parseAndValidateModule): + (JSC::Wasm::BBQPlan::prepare): + (JSC::Wasm::BBQPlan::compileFunctions): + (JSC::Wasm::BBQPlan::complete): + (JSC::Wasm::BBQPlan::work): + * wasm/WasmBBQPlan.h: + BBQPlan has m_source, but once ModuleInformation is parsed, it is no longer necessary. + In subsequent patches, we will remove this, and stream the data into the BBQPlan. + + * wasm/WasmFormat.h: + * wasm/WasmModuleInformation.cpp: + (JSC::Wasm::ModuleInformation::ModuleInformation): + * wasm/WasmModuleInformation.h: + One of the largest change in this patch is that ModuleInformation no longer holds source bytes, + since source bytes can be added in a streaming fashion. Instead of holding all the source bytes + in ModuleInformation, each function (ModuleInformation::functions, FunctionData) should have + Vector for its data. This data is eventually filled by StreamingParser, and compiling + a function with this data can be done concurrently with StreamingParser. + + (JSC::Wasm::ModuleInformation::create): + (JSC::Wasm::ModuleInformation::memoryCount const): + (JSC::Wasm::ModuleInformation::tableCount const): + memoryCount and tableCount should be recorded in ModuleInformation. 
+ + * wasm/WasmModuleParser.cpp: + (JSC::Wasm::ModuleParser::parse): + (JSC::Wasm::makeI32InitExpr): Deleted. + (JSC::Wasm::ModuleParser::parseType): Deleted. + (JSC::Wasm::ModuleParser::parseImport): Deleted. + (JSC::Wasm::ModuleParser::parseFunction): Deleted. + (JSC::Wasm::ModuleParser::parseResizableLimits): Deleted. + (JSC::Wasm::ModuleParser::parseTableHelper): Deleted. + (JSC::Wasm::ModuleParser::parseTable): Deleted. + (JSC::Wasm::ModuleParser::parseMemoryHelper): Deleted. + (JSC::Wasm::ModuleParser::parseMemory): Deleted. + (JSC::Wasm::ModuleParser::parseGlobal): Deleted. + (JSC::Wasm::ModuleParser::parseExport): Deleted. + (JSC::Wasm::ModuleParser::parseStart): Deleted. + (JSC::Wasm::ModuleParser::parseElement): Deleted. + (JSC::Wasm::ModuleParser::parseCode): Deleted. + (JSC::Wasm::ModuleParser::parseInitExpr): Deleted. + (JSC::Wasm::ModuleParser::parseGlobalType): Deleted. + (JSC::Wasm::ModuleParser::parseData): Deleted. + (JSC::Wasm::ModuleParser::parseCustom): Deleted. + Extract section parsing code out from ModuleParser. We create SectionParser and ModuleParser uses it. + SectionParser is also used by StreamingParser. + + * wasm/WasmModuleParser.h: + (): Deleted. + * wasm/WasmNameSection.h: + (JSC::Wasm::NameSection::NameSection): + (JSC::Wasm::NameSection::create): + (JSC::Wasm::NameSection::setHash): + Hash calculation is deferred since all the source is not available in streaming parsing. + + * wasm/WasmNameSectionParser.cpp: + (JSC::Wasm::NameSectionParser::parse): + * wasm/WasmNameSectionParser.h: + Use Ref. + + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + Wasm::Plan no longer have m_source since data will be eventually filled in a streaming fashion. + OMGPlan can get data of the function by using ModuleInformation::functions. 
+ + * wasm/WasmParser.h: + (JSC::Wasm::Parser::source const): + (JSC::Wasm::Parser::length const): + (JSC::Wasm::Parser::offset const): + (JSC::Wasm::Parser::fail const): + (JSC::Wasm::makeI32InitExpr): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::Plan): + Wasm::Plan should not have all the source apriori. Streamed data will be pumped from the provider. + + * wasm/WasmPlan.h: + * wasm/WasmSectionParser.cpp: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.cpp. + SectionParser is extracted from ModuleParser. And it is used by both the old (currently working) + ModuleParser and the new StreamingParser. + + (JSC::Wasm::SectionParser::parseType): + (JSC::Wasm::SectionParser::parseImport): + (JSC::Wasm::SectionParser::parseFunction): + (JSC::Wasm::SectionParser::parseResizableLimits): + (JSC::Wasm::SectionParser::parseTableHelper): + (JSC::Wasm::SectionParser::parseTable): + (JSC::Wasm::SectionParser::parseMemoryHelper): + (JSC::Wasm::SectionParser::parseMemory): + (JSC::Wasm::SectionParser::parseGlobal): + (JSC::Wasm::SectionParser::parseExport): + (JSC::Wasm::SectionParser::parseStart): + (JSC::Wasm::SectionParser::parseElement): + (JSC::Wasm::SectionParser::parseCode): + (JSC::Wasm::SectionParser::parseInitExpr): + (JSC::Wasm::SectionParser::parseGlobalType): + (JSC::Wasm::SectionParser::parseData): + (JSC::Wasm::SectionParser::parseCustom): + * wasm/WasmSectionParser.h: Copied from Source/JavaScriptCore/wasm/WasmModuleParser.h. + * wasm/WasmStreamingParser.cpp: Added. + (JSC::Wasm::parseUInt7): + (JSC::Wasm::StreamingParser::fail): + (JSC::Wasm::StreamingParser::StreamingParser): + (JSC::Wasm::StreamingParser::parseModuleHeader): + (JSC::Wasm::StreamingParser::parseSectionID): + (JSC::Wasm::StreamingParser::parseSectionSize): + (JSC::Wasm::StreamingParser::parseCodeSectionSize): + Code section in Wasm binary is specially handled compared with the other sections since it includes + a bunch of functions. 
StreamingParser extracts each function in a streaming fashion and enable + streaming validation / compilation of Wasm functions. + + (JSC::Wasm::StreamingParser::parseFunctionSize): + (JSC::Wasm::StreamingParser::parseFunctionPayload): + (JSC::Wasm::StreamingParser::parseSectionPayload): + (JSC::Wasm::StreamingParser::consume): + (JSC::Wasm::StreamingParser::consumeVarUInt32): + (JSC::Wasm::StreamingParser::addBytes): + (JSC::Wasm::StreamingParser::failOnState): + (JSC::Wasm::StreamingParser::finalize): + * wasm/WasmStreamingParser.h: Added. + (JSC::Wasm::StreamingParser::addBytes): + (JSC::Wasm::StreamingParser::errorMessage const): + This is our new StreamingParser implementation. StreamingParser::consumeXXX functions get data, and + StreamingParser::parseXXX functions parse consumed data. The user of StreamingParser calls + StreamingParser::addBytes() to pump the bytes stream into the parser. And once all the data is pumped, + the user calls StreamingParser::finalize. StreamingParser is a state machine which feeds on the + incoming byte stream. + + * wasm/js/JSWebAssemblyModule.cpp: + (JSC::JSWebAssemblyModule::source const): Deleted. + All the source should not be held. + + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::webAssemblyValidateFunc): + +2018-08-27 Mark Lam + + Fix exception throwing code so that topCallFrame and topEntryFrame stay true to their names. + https://bugs.webkit.org/show_bug.cgi?id=188577 + + + Reviewed by Saam Barati. + + 1. Introduced CallFrame::convertToStackOverflowFrame() which converts the current + (top) CallFrame (which may not have a valid callee) into a StackOverflowFrame. + + The StackOverflowFrame is a sentinel frame that the low level code (exception + throwing code, stack visitor, and stack unwinding code) will know to skip + over. The StackOverflowFrame will also have a valid JSCallee so that client + code can compute the globalObject or VM from this frame. 
+ + As a result, client code that throws StackOverflowErrors no longer need to + compute the caller frame to throw from: it just converts the top frame into + a StackOverflowFrame and everything should *Just Work*. + + 2. NativeCallFrameTracerWithRestore is now obsolete. + + Instead, client code should always call convertToStackOverflowFrame() on the + frame before instantiating a NativeCallFrameTracer with it. + + This means that topCallFrame will always point to the top CallFrame (which + may be a StackOverflowFrame), and topEntryFrame will always point to the top + EntryFrame. We'll never temporarily point them to the previous EntryFrame + (which we used to do with NativeCallFrameTracerWithRestore). + + 3. genericUnwind() and Interpreter::unwind() will now always unwind from the top + CallFrame, and will know how to handle a StackOverflowFrame if they see one. + + This obsoletes the UnwindStart flag. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * debugger/Debugger.cpp: + (JSC::Debugger::pauseIfNeeded): + * interpreter/CallFrame.cpp: + (JSC::CallFrame::callerFrame const): + (JSC::CallFrame::unsafeCallerFrame const): + (JSC::CallFrame::convertToStackOverflowFrame): + (JSC::CallFrame::callerFrame): Deleted. + (JSC::CallFrame::unsafeCallerFrame): Deleted. + * interpreter/CallFrame.h: + (JSC::ExecState::iterate): + * interpreter/CallFrameInlines.h: Added. + (JSC::CallFrame::isStackOverflowFrame const): + (JSC::CallFrame::isWasmFrame const): + * interpreter/EntryFrame.h: Added. + (JSC::EntryFrame::vmEntryRecordOffset): + (JSC::EntryFrame::calleeSaveRegistersBufferOffset): + * interpreter/FrameTracers.h: + (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): Deleted. + (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore): Deleted. 
+ * interpreter/Interpreter.cpp: + (JSC::Interpreter::unwind): + * interpreter/Interpreter.h: + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::StackVisitor): + * interpreter/StackVisitor.h: + (JSC::StackVisitor::visit): + (JSC::StackVisitor::topEntryFrameIsEmpty const): + * interpreter/VMEntryRecord.h: + (JSC::VMEntryRecord::callee const): + (JSC::EntryFrame::vmEntryRecordOffset): Deleted. + (JSC::EntryFrame::calleeSaveRegistersBufferOffset): Deleted. + * jit/AssemblyHelpers.h: + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITExceptions.h: + * jit/JITOperations.cpp: + * llint/LLIntOffsetsExtractor.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CallData.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::throwArityCheckStackOverflowError): + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPathsExceptions.cpp: Removed. + * runtime/CommonSlowPathsExceptions.h: Removed. + * runtime/Completion.cpp: + (JSC::evaluateWithScopeExtension): + * runtime/JSGeneratorFunction.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::stackOverflowFrameCallee const): + * runtime/VM.cpp: + (JSC::VM::throwException): + * runtime/VM.h: + * runtime/VMInlines.h: + (JSC::VM::topJSCallFrame const): + +2018-08-27 Keith Rollin + + Unreviewed build fix -- disable LTO for production builds + + * Configurations/Base.xcconfig: + +2018-08-27 Aditya Keerthi + + Consolidate ENABLE_INPUT_TYPE_COLOR and ENABLE_INPUT_TYPE_COLOR_POPOVER + https://bugs.webkit.org/show_bug.cgi?id=188931 + + Reviewed by Wenson Hsieh. + + * Configurations/FeatureDefines.xcconfig: Removed ENABLE_INPUT_TYPE_COLOR_POPOVER. 
+ +2018-08-27 Devin Rousso + + Web Inspector: provide autocompletion for event breakpoints + https://bugs.webkit.org/show_bug.cgi?id=188717 + + Reviewed by Brian Burg. + + * inspector/protocol/DOM.json: + Add `getSupportedEventNames` command. + +2018-08-27 Keith Rollin + + Build system support for LTO + https://bugs.webkit.org/show_bug.cgi?id=187785 + + + Reviewed by Dan Bernstein. + + Update Base.xcconfig and DebugRelease.xcconfig to optionally enable + LTO. + + * Configurations/Base.xcconfig: + * Configurations/DebugRelease.xcconfig: + +2018-08-27 Patrick Griffis + + [GTK][JSC] Add warn_unused_result attribute to some APIs + https://bugs.webkit.org/show_bug.cgi?id=188983 + + Reviewed by Michael Catanzaro. + + * API/glib/JSCValue.h: + +2018-08-24 Yusuke Suzuki + + [JSC] Array.prototype.reverse modifies JSImmutableButterfly + https://bugs.webkit.org/show_bug.cgi?id=188794 + + Reviewed by Saam Barati. + + While Array.prototype.reverse modifies the butterfly of the given Array, + it does not account JSImmutableButterfly case. So it accidentally modifies + the content of JSImmutableButterfly. + This patch converts CoW arrays to writable arrays before reversing. + + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncReverse): + * runtime/JSObject.h: + (JSC::JSObject::ensureWritable): + +2018-08-24 Michael Saboff + + YARR: Update UCS canonicalization tables for Unicode 11 + https://bugs.webkit.org/show_bug.cgi?id=188928 + + Reviewed by Mark Lam. + + Generated YarrCanonicalizeUCS2.cpp from YarrCanonicalizeUCS2.js. + + This passes JavaScriptCore and test262 tests. + + * yarr/YarrCanonicalizeUCS2.cpp: + * yarr/YarrCanonicalizeUCS2.js: + (printHeader): + +2018-08-24 Michael Saboff + + YARR: JIT RegExps with non-greedy parenthesized sub patterns + https://bugs.webkit.org/show_bug.cgi?id=180876 + + Reviewed by Filip Pizlo. + + Implemented the non-greedy nested parenthesis based on the prior greedy nested parenthesis work. 
+ For the matching code, the greedy path was correct except that we don't try matching for the + non-greedy case. Added a jump out to the term after the parenthesis and a label to perform the + first / next match when we backtrack. The backtracking code needs to check to see if we have + tried the first match or if we can do another match. + + Updated the disassembly annotations to include parenthesis capturing info, quantifier type and + count. Did other minor cleanup as well. + + Fixed function name typo, added missing 't' in "setUsesPaternContextBuffer()". + + Updated the text in some comments, both for this change as well as accuracy for existing code. + + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generate): + (JSC::Yarr::YarrGenerator::backtrack): + (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): + (JSC::Yarr::YarrGenerator::compile): + (JSC::Yarr::dumpCompileFailure): + (JSC::Yarr::jitCompile): + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::setUsesPatternContextBuffer): + (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): Deleted. + +2018-08-23 Simon Fraser + + Add support for dumping GC heap snapshots, and a viewer + https://bugs.webkit.org/show_bug.cgi?id=186416 + + Reviewed by Joseph Pecoraro. + + Make a way to dump information about the GC heap that is useful for looking for leaked + or abandoned objects. This dump is obtained (on Apple platforms) via: + notifyutil -p com.apple.WebKit.dumpGCHeap + which writes a JSON file to /tmp which can then be loaded into the viewer in Tools/GCHeapInspector. + + This leverages the heap snapshot used by Web Inspector, adding an alternate format for + the snapshot JSON that adds additional data about objects and why they are GC roots. + + SlotVisitor maintains a RootMarkReason (via SetRootMarkReasonScope) that allows + the HeapSnapshotBuilder to keep track of why a JSCell was treated as a GC root. 
For + objects visited via opaque roots, we record the reason why via a new out param to + isReachableFromOpaqueRoots(). + + HeapSnapshotBuilder is enhanced to produce GCDebuggingSnapshot JSON output. This contains + additional information including the address of the JSCell* and the wrapped object (for + JSDOMWrappers), the root reasons, and for some objects like JSDocument a label which can + be the document URL. + + GCDebuggingSnapshots are always full snapshots (previous snapshots are not kept around). + + * API/JSAPIWrapperObject.mm: + (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): + * API/JSManagedValue.mm: + (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): + * API/glib/JSAPIWrapperObjectGLib.cpp: + (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): + * CMakeLists.txt: + * heap/ConservativeRoots.h: + (JSC::ConservativeRoots::size const): + (JSC::ConservativeRoots::size): Deleted. + * heap/Heap.cpp: + (JSC::Heap::addCoreConstraints): + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::getNextObjectIdentifier): + (JSC::HeapSnapshotBuilder::HeapSnapshotBuilder): + (JSC::HeapSnapshotBuilder::~HeapSnapshotBuilder): + (JSC::HeapSnapshotBuilder::buildSnapshot): + (JSC::HeapSnapshotBuilder::appendNode): + (JSC::HeapSnapshotBuilder::appendEdge): + (JSC::HeapSnapshotBuilder::setOpaqueRootReachabilityReasonForCell): + (JSC::HeapSnapshotBuilder::setWrappedObjectForCell): + (JSC::HeapSnapshotBuilder::previousSnapshotHasNodeForCell): + (JSC::snapshotTypeToString): + (JSC::rootTypeToString): + (JSC::HeapSnapshotBuilder::setLabelForCell): + (JSC::HeapSnapshotBuilder::descriptionForCell const): + (JSC::HeapSnapshotBuilder::json): + (JSC::HeapSnapshotBuilder::hasExistingNodeForCell): Deleted. 
+ * heap/HeapSnapshotBuilder.h: + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::appendSlow): + * heap/SlotVisitor.h: + (JSC::SlotVisitor::heapSnapshotBuilder const): + (JSC::SlotVisitor::rootMarkReason const): + (JSC::SlotVisitor::setRootMarkReason): + (JSC::SetRootMarkReasonScope::SetRootMarkReasonScope): + (JSC::SetRootMarkReasonScope::~SetRootMarkReasonScope): + * heap/WeakBlock.cpp: + (JSC::WeakBlock::specializedVisit): + * heap/WeakHandleOwner.cpp: + (JSC::WeakHandleOwner::isReachableFromOpaqueRoots): + * heap/WeakHandleOwner.h: + * runtime/SimpleTypedArrayController.cpp: + (JSC::SimpleTypedArrayController::JSArrayBufferOwner::isReachableFromOpaqueRoots): + * runtime/SimpleTypedArrayController.h: + * tools/JSDollarVM.cpp: + +2018-08-23 Saam barati + + JSRunLoopTimer may run part of a member function after it's destroyed + https://bugs.webkit.org/show_bug.cgi?id=188426 + + Reviewed by Mark Lam. + + When I was reading the JSRunLoopTimer code, I noticed that it is possible + to end up running timer code after the class had been destroyed. + + The issue I spotted was in this function: + ``` + void JSRunLoopTimer::timerDidFire() + { + JSLock* apiLock = m_apiLock.get(); + if (!apiLock) { + // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed. + return; + } + // HERE + std::lock_guard lock(*apiLock); + RefPtr vm = apiLock->vm(); + if (!vm) { + // The VM has been destroyed, so we should just give up. + return; + } + + doWork(); + } + ``` + + Look at the comment 'HERE'. Let's say that the timer callback thread gets context + switched before grabbing the API lock. Then, some other thread destroys the VM. + And let's say that the VM owns (perhaps transitively) this timer. Then, the + timer would run code and access member variables after it was destroyed. + + This patch fixes this issue by introducing a new timer manager class. + This class manages timers on a per VM basis. When a timer is scheduled, + this class refs the timer. 
It also calls the timer callback while actively + maintaining a +1 ref to it. So, it's no longer possible to call the timer + callback after the timer has been destroyed. However, calling a timer callback + can still race with the VM being destroyed. We continue to detect this case and + bail out of the callback early. + + This patch also removes a lot of duplicate code between GCActivityCallback + and JSRunLoopTimer. + + * heap/EdenGCActivityCallback.cpp: + (JSC::EdenGCActivityCallback::doCollection): + (JSC::EdenGCActivityCallback::lastGCLength): + (JSC::EdenGCActivityCallback::deathRate): + * heap/EdenGCActivityCallback.h: + * heap/FullGCActivityCallback.cpp: + (JSC::FullGCActivityCallback::doCollection): + (JSC::FullGCActivityCallback::lastGCLength): + (JSC::FullGCActivityCallback::deathRate): + * heap/FullGCActivityCallback.h: + * heap/GCActivityCallback.cpp: + (JSC::GCActivityCallback::doWork): + (JSC::GCActivityCallback::scheduleTimer): + (JSC::GCActivityCallback::didAllocate): + (JSC::GCActivityCallback::willCollect): + (JSC::GCActivityCallback::cancel): + (JSC::GCActivityCallback::cancelTimer): Deleted. + (JSC::GCActivityCallback::nextFireTime): Deleted. 
+ * heap/GCActivityCallback.h: + * heap/Heap.cpp: + (JSC::Heap::reportAbandonedObjectGraph): + (JSC::Heap::notifyIncrementalSweeper): + (JSC::Heap::updateAllocationLimits): + (JSC::Heap::didAllocate): + * heap/IncrementalSweeper.cpp: + (JSC::IncrementalSweeper::scheduleTimer): + (JSC::IncrementalSweeper::doWork): + (JSC::IncrementalSweeper::doSweep): + (JSC::IncrementalSweeper::sweepNextBlock): + (JSC::IncrementalSweeper::startSweeping): + (JSC::IncrementalSweeper::stopSweeping): + * heap/IncrementalSweeper.h: + * heap/StopIfNecessaryTimer.cpp: + (JSC::StopIfNecessaryTimer::doWork): + (JSC::StopIfNecessaryTimer::scheduleSoon): + * heap/StopIfNecessaryTimer.h: + * runtime/JSRunLoopTimer.cpp: + (JSC::epochTime): + (JSC::JSRunLoopTimer::Manager::timerDidFireCallback): + (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop): + (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): + (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData): + (JSC::JSRunLoopTimer::Manager::timerDidFire): + (JSC::JSRunLoopTimer::Manager::shared): + (JSC::JSRunLoopTimer::Manager::registerVM): + (JSC::JSRunLoopTimer::Manager::unregisterVM): + (JSC::JSRunLoopTimer::Manager::scheduleTimer): + (JSC::JSRunLoopTimer::Manager::cancelTimer): + (JSC::JSRunLoopTimer::Manager::timeUntilFire): + (JSC::JSRunLoopTimer::Manager::didChangeRunLoop): + (JSC::JSRunLoopTimer::timerDidFire): + (JSC::JSRunLoopTimer::JSRunLoopTimer): + (JSC::JSRunLoopTimer::timeUntilFire): + (JSC::JSRunLoopTimer::setTimeUntilFire): + (JSC::JSRunLoopTimer::cancelTimer): + (JSC::JSRunLoopTimer::setRunLoop): Deleted. + (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted. + (JSC::JSRunLoopTimer::scheduleTimer): Deleted. 
+ * runtime/JSRunLoopTimer.h: + (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData): + * runtime/PromiseDeferredTimer.cpp: + (JSC::PromiseDeferredTimer::doWork): + (JSC::PromiseDeferredTimer::runRunLoop): + (JSC::PromiseDeferredTimer::addPendingPromise): + (JSC::PromiseDeferredTimer::hasPendingPromise): + (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise): + (JSC::PromiseDeferredTimer::cancelPendingPromise): + (JSC::PromiseDeferredTimer::scheduleWorkSoon): + * runtime/PromiseDeferredTimer.h: + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::~VM): + (JSC::VM::setRunLoop): + (JSC::VM::registerRunLoopTimer): Deleted. + (JSC::VM::unregisterRunLoopTimer): Deleted. + * runtime/VM.h: + (JSC::VM::runLoop const): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::webAssemblyModuleValidateAsyncInternal): + (JSC::instantiate): + (JSC::compileAndInstantiate): + (JSC::webAssemblyModuleInstantinateAsyncInternal): + (JSC::webAssemblyCompileStreamingInternal): + (JSC::webAssemblyInstantiateStreamingInternal): + +2018-08-23 Mark Lam + + Move vmEntryGlobalObject() to VM from CallFrame. + https://bugs.webkit.org/show_bug.cgi?id=188900 + + + Reviewed by Michael Saboff. + + Also introduced CallFrame::isGlobalExec() which makes use of one property of + GlobalExecs to identify them i.e. GlobalExecs have null callerFrame and returnPCs. + CallFrame::initGlobalExec() ensures this. + + In contrast, normal CallFrames always have a callerFrame (because they must at + least be preceded by a VM EntryFrame) and a returnPC (at least return to the + VM entry glue). 
+
+ * API/APIUtils.h:
+ (handleExceptionIfNeeded):
+ (setException):
+ * API/JSBase.cpp:
+ (JSEvaluateScript):
+ (JSCheckScriptSyntax):
+ * API/JSContextRef.cpp:
+ (JSGlobalContextRetain):
+ (JSGlobalContextRelease):
+ (JSGlobalContextCopyName):
+ (JSGlobalContextSetName):
+ (JSGlobalContextGetRemoteInspectionEnabled):
+ (JSGlobalContextSetRemoteInspectionEnabled):
+ (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
+ (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
+ (JSGlobalContextGetDebuggerRunLoop):
+ (JSGlobalContextSetDebuggerRunLoop):
+ (JSGlobalContextGetAugmentableInspectorController):
+ * API/JSValue.mm:
+ (reportExceptionToInspector):
+ * API/glib/JSCClass.cpp:
+ (jscContextForObject):
+ * API/glib/JSCContext.cpp:
+ (jsc_context_evaluate_in_object):
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::pauseIfNeeded):
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::vmEntryGlobalObject const):
+ (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::vmEntryGlobalObject): Deleted.
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::scope const):
+ (JSC::ExecState::noCaller):
+ (JSC::ExecState::isGlobalExec const):
+ * interpreter/Interpreter.cpp:
+ (JSC::notifyDebuggerOfUnwinding):
+ (JSC::Interpreter::notifyDebuggerOfExceptionToBeThrown):
+ (JSC::Interpreter::debug):
+ * runtime/CallData.cpp:
+ (JSC::profiledCall):
+ * runtime/Completion.cpp:
+ (JSC::evaluate):
+ (JSC::profiledEvaluate):
+ (JSC::evaluateWithScopeExtension):
+ (JSC::loadAndEvaluateModule):
+ (JSC::loadModule):
+ (JSC::linkAndEvaluateModule):
+ (JSC::importModule):
+ * runtime/ConstructData.cpp:
+ (JSC::profiledConstruct):
+ * runtime/Error.cpp:
+ (JSC::getStackTrace):
+ * runtime/VM.cpp:
+ (JSC::VM::throwException):
+ (JSC::VM::vmEntryGlobalObject const):
+ * runtime/VM.h:
+
+2018-08-23 Andy Estes
+
+ [Apple Pay] Introduce Apple Pay JS v4 on iOS 12 and macOS Mojave
+ https://bugs.webkit.org/show_bug.cgi?id=188829
+
+ Reviewed by Tim Horton.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2018-08-23 Devin Rousso
+
+ Web Inspector: support breakpoints for timers and animation-frame events
+ https://bugs.webkit.org/show_bug.cgi?id=188778
+
+ Reviewed by Brian Burg.
+
+ * inspector/protocol/Debugger.json:
+ Add `AnimationFrame` and `Timer` types to the list of pause reasons.
+
+ * inspector/protocol/DOMDebugger.json:
+ Introduced `setEventBreakpoint` and `removeEventBreakpoint` to replace the more specific:
+ - `setEventListenerBreakpoint`
+ - `removeEventListenerBreakpoint`
+ - `setInstrumentationBreakpoint`
+ - `removeInstrumentationBreakpoint`
+ Also created an `EventBreakpointType` to enumerate the available types of event breakpoints.
+
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ (CppProtocolTypesHeaderGenerator.generate_output):
+ (CppProtocolTypesHeaderGenerator._generate_forward_declarations_for_binding_traits):
+ (CppProtocolTypesHeaderGenerator._generate_declarations_for_enum_conversion_methods):
+ (CppProtocolTypesHeaderGenerator._generate_hash_declarations): Added.
+ Generate `DefaultHash` for all `enum class` used by inspector protocols.
+
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/enum-values.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
+
+2018-08-23 Michael Saboff
+
+ YARR: Need to JIT compile a RegExp before using containsNestedSubpatterns flag
+ https://bugs.webkit.org/show_bug.cgi?id=188895
+
+ Reviewed by Mark Lam.
+
+ Found while working on another change. This will allow processing of nested
+ parenthesis that require saved ParenContext structures.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::compile):
+
+2018-08-22 Michael Saboff
+
+ https://bugs.webkit.org/show_bug.cgi?id=188859
+ Eliminate dead code operationThrowDivideError() and operationThrowOutOfBoundsAccessError()
+
+ Rubber-stamped by Saam Barati.
+
+ Deleted these two functions.
+
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+
+2018-08-22 Mark Lam
+
+ The DFG CFGSimplification phase shouldn’t jettison a block when it’s the target of both branch directions.
+ https://bugs.webkit.org/show_bug.cgi?id=188298
+
+
+ Reviewed by Saam Barati.
+
+ In the event that both targets of a Branch is the same block, then even if we'll
+ always take one path of the branch, the other target is not unreachable because
+ it is the same target as the one in the taken path. Hence, it should not be
+ jettisoned.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ - Added DFGCFG.h which is in use and should have been added to the project.
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+
+2018-08-20 Yusuke Suzuki
+
+ [JSC] HeapUtil should care about pointer overflow
+ https://bugs.webkit.org/show_bug.cgi?id=188740
+
+ Reviewed by Saam Barati.
+
+ `pointer - sizeof(IndexingHeader) - 1` causes an undefined behavior if a pointer overflows.
+ For example, if `pointer` is nullptr, it causes pointer overflow. Instead of calculating this
+ with `char*` pointer, we cast it to `uintptr_t` temporarily. This issue is found by UBSan.
+
+ * heap/HeapUtil.h:
+ (JSC::HeapUtil::findGCObjectPointersForMarking):
+
+2018-08-19 Yusuke Suzuki
+
+ [JSC] Should not rotate constant with 64
+ https://bugs.webkit.org/show_bug.cgi?id=188556
+
+ Reviewed by Saam Barati.
+
+ To defend against JIT splaying, we rotate a constant with a randomly generated seed.
+ But if a seed becomes 64 or 0, the following code performs `value << 64` or `value >> 64`
+ where value's type is uint64_t, and they cause undefined behaviors (UBs). This patch limits
+ the seed in the range of [1, 63] not to generate code causing UBs. This is found by UBSan.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::generateRotationSeed):
+ (JSC::MacroAssembler::rotationBlindConstant):
+
+2018-08-21 Commit Queue
+
+ Unreviewed, rolling out r235107.
+ https://bugs.webkit.org/show_bug.cgi?id=188832
+
+ "It revealed bugs in Blob code as well as regressed JS
+ performance tests" (Requested by saamyjoon on #webkit).
+
+ Reverted changeset:
+
+ "JSRunLoopTimer may run part of a member function after it's
+ destroyed"
+ https://bugs.webkit.org/show_bug.cgi?id=188426
+ https://trac.webkit.org/changeset/235107
+
+2018-08-21 Saam barati
+
+ JSRunLoopTimer may run part of a member function after it's destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=188426
+
+ Reviewed by Mark Lam.
+
+ When I was reading the JSRunLoopTimer code, I noticed that it is possible
+ to end up running timer code after the class had been destroyed.
+
+ The issue I spotted was in this function:
+ ```
+ void JSRunLoopTimer::timerDidFire()
+ {
+ JSLock* apiLock = m_apiLock.get();
+ if (!apiLock) {
+ // Likely a buggy usage: the timer fired while JSRunLoopTimer was being destroyed.
+ return;
+ }
+ // HERE
+ std::lock_guard lock(*apiLock);
+ RefPtr vm = apiLock->vm();
+ if (!vm) {
+ // The VM has been destroyed, so we should just give up.
+ return;
+ }
+
+ doWork();
+ }
+ ```
+
+ Look at the comment 'HERE'. Let's say that the timer callback thread gets context
+ switched before grabbing the API lock. Then, some other thread destroys the VM.
+ And let's say that the VM owns (perhaps transitively) this timer. Then, the
+ timer would run code and access member variables after it was destroyed.
+
+ This patch fixes this issue by introducing a new timer manager class.
+ This class manages timers on a per VM basis. When a timer is scheduled,
+ this class refs the timer. It also calls the timer callback while actively
+ maintaining a +1 ref to it. So, it's no longer possible to call the timer
+ callback after the timer has been destroyed. However, calling a timer callback
+ can still race with the VM being destroyed. We continue to detect this case and
+ bail out of the callback early.
+
+ This patch also removes a lot of duplicate code between GCActivityCallback
+ and JSRunLoopTimer.
+
+ * heap/EdenGCActivityCallback.cpp:
+ (JSC::EdenGCActivityCallback::doCollection):
+ (JSC::EdenGCActivityCallback::lastGCLength):
+ (JSC::EdenGCActivityCallback::deathRate):
+ * heap/EdenGCActivityCallback.h:
+ * heap/FullGCActivityCallback.cpp:
+ (JSC::FullGCActivityCallback::doCollection):
+ (JSC::FullGCActivityCallback::lastGCLength):
+ (JSC::FullGCActivityCallback::deathRate):
+ * heap/FullGCActivityCallback.h:
+ * heap/GCActivityCallback.cpp:
+ (JSC::GCActivityCallback::doWork):
+ (JSC::GCActivityCallback::scheduleTimer):
+ (JSC::GCActivityCallback::didAllocate):
+ (JSC::GCActivityCallback::willCollect):
+ (JSC::GCActivityCallback::cancel):
+ (JSC::GCActivityCallback::cancelTimer): Deleted.
+ (JSC::GCActivityCallback::nextFireTime): Deleted.
+ * heap/GCActivityCallback.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::reportAbandonedObjectGraph):
+ (JSC::Heap::notifyIncrementalSweeper):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::didAllocate):
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::scheduleTimer):
+ (JSC::IncrementalSweeper::doWork):
+ (JSC::IncrementalSweeper::doSweep):
+ (JSC::IncrementalSweeper::sweepNextBlock):
+ (JSC::IncrementalSweeper::startSweeping):
+ (JSC::IncrementalSweeper::stopSweeping):
+ * heap/IncrementalSweeper.h:
+ * heap/StopIfNecessaryTimer.cpp:
+ (JSC::StopIfNecessaryTimer::doWork):
+ (JSC::StopIfNecessaryTimer::scheduleSoon):
+ * heap/StopIfNecessaryTimer.h:
+ * runtime/JSRunLoopTimer.cpp:
+ (JSC::epochTime):
+ (JSC::JSRunLoopTimer::Manager::timerDidFireCallback):
+ (JSC::JSRunLoopTimer::Manager::PerVMData::setRunLoop):
+ (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
+ (JSC::JSRunLoopTimer::Manager::PerVMData::~PerVMData):
+ (JSC::JSRunLoopTimer::Manager::timerDidFire):
+ (JSC::JSRunLoopTimer::Manager::shared):
+ (JSC::JSRunLoopTimer::Manager::registerVM):
+ (JSC::JSRunLoopTimer::Manager::unregisterVM):
+ (JSC::JSRunLoopTimer::Manager::scheduleTimer):
+ (JSC::JSRunLoopTimer::Manager::cancelTimer):
+ (JSC::JSRunLoopTimer::Manager::timeUntilFire):
+ (JSC::JSRunLoopTimer::Manager::didChangeRunLoop):
+ (JSC::JSRunLoopTimer::timerDidFire):
+ (JSC::JSRunLoopTimer::JSRunLoopTimer):
+ (JSC::JSRunLoopTimer::timeUntilFire):
+ (JSC::JSRunLoopTimer::setTimeUntilFire):
+ (JSC::JSRunLoopTimer::cancelTimer):
+ (JSC::JSRunLoopTimer::setRunLoop): Deleted.
+ (JSC::JSRunLoopTimer::timerDidFireCallback): Deleted.
+ (JSC::JSRunLoopTimer::scheduleTimer): Deleted.
+ * runtime/JSRunLoopTimer.h:
+ (JSC::JSRunLoopTimer::Manager::PerVMData::PerVMData):
+ * runtime/PromiseDeferredTimer.cpp:
+ (JSC::PromiseDeferredTimer::doWork):
+ (JSC::PromiseDeferredTimer::runRunLoop):
+ (JSC::PromiseDeferredTimer::addPendingPromise):
+ (JSC::PromiseDeferredTimer::hasPendingPromise):
+ (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise):
+ (JSC::PromiseDeferredTimer::cancelPendingPromise):
+ (JSC::PromiseDeferredTimer::scheduleWorkSoon):
+ * runtime/PromiseDeferredTimer.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ (JSC::VM::setRunLoop):
+ (JSC::VM::registerRunLoopTimer): Deleted.
+ (JSC::VM::unregisterRunLoopTimer): Deleted.
+ * runtime/VM.h:
+ (JSC::VM::runLoop const):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::webAssemblyModuleValidateAsyncInternal):
+ (JSC::instantiate):
+ (JSC::compileAndInstantiate):
+ (JSC::webAssemblyModuleInstantinateAsyncInternal):
+ (JSC::webAssemblyCompileStreamingInternal):
+ (JSC::webAssemblyInstantiateStreamingInternal):
+
+2018-08-20 Saam barati
+
+ Inline DataView accesses into DFG/FTL
+ https://bugs.webkit.org/show_bug.cgi?id=188573
+
+
+ Reviewed by Michael Saboff.
+
+ This patch teaches the DFG/FTL to inline DataView accesses. The approach is
+ straight forward. We inline the various get*/set* operations as intrinsics.
+
+ This patch takes the most obvious approach for now. We OSR exit when:
+ - An isLittleEndian argument is provided, and is not a boolean.
+ - The index isn't an integer.
+ - The |this| isn't a DataView.
+ - We do an OOB access (or see a neutered array)
+
+ To implement this change in a performant way, this patch teaches the macro
+ assembler how to emit byte swap operations. The semantics of the added functions
+ are byteSwap + zero extend. This means for the 16bit byte swaps, we need
+ to actually emit zero extend instructions. For the 32/64bit byte swaps,
+ the instructions already have these semantics.
+
+ This patch is just a lightweight initial implementation. There are some easy
+ extensions we can do in future changes:
+ - Teach B3 how to byte swap: https://bugs.webkit.org/show_bug.cgi?id=188759
+ - CSE DataViewGet* nodes: https://bugs.webkit.org/show_bug.cgi?id=188768
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::byteSwap16):
+ (JSC::MacroAssemblerARM64::byteSwap32):
+ (JSC::MacroAssemblerARM64::byteSwap64):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::byteSwap32):
+ (JSC::MacroAssemblerX86Common::byteSwap16):
+ (JSC::MacroAssemblerX86Common::byteSwap64):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::bswapl_r):
+ (JSC::X86Assembler::bswapq_r):
+ (JSC::X86Assembler::shiftInstruction16):
+ (JSC::X86Assembler::rolw_i8r):
+ (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
+ * assembler/testmasm.cpp:
+ (JSC::testByteSwap):
+ (JSC::run):
+ * bytecode/DataFormat.h:
+ * bytecode/SpeculatedType.cpp:
+ (JSC::dumpSpeculation):
+ (JSC::speculationFromClassInfo):
+ (JSC::speculationFromJSType):
+ (JSC::speculationFromString):
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::dataViewData):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateDataViewObject):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::isCell):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::byteSwap32):
+ (JSC::FTL::DFG::LowerDFGToB3::byteSwap64):
+ (JSC::FTL::DFG::LowerDFGToB3::emitCodeBasedOnEndiannessBranch):
+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
+ (JSC::FTL::DFG::LowerDFGToB3::lowDataViewObject):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateDataViewObject):
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSDataViewPrototype.cpp:
+
+2018-08-20 Yusuke Suzuki
+
+ [YARR] Extend size of fixed characters bulk matching in 64bit platform
+ https://bugs.webkit.org/show_bug.cgi?id=181989
+
+ Reviewed by Michael Saboff.
+
+ This patch extends bulk matching style for fixed-sized characters.
+ In 64bit environment, the GPR can hold up to 8 characters. This change
+ reduces the code size since we can fuse multiple `mov` operations into one.
+
+ * assembler/LinkBuffer.h:
+ * runtime/Options.h:
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
+ (JSC::Yarr::YarrGenerator::compile):
+
+2018-08-20 Devin Rousso
+
+ Web Inspector: allow breakpoints to be set for specific event listeners
+ https://bugs.webkit.org/show_bug.cgi?id=183138
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/protocol/DOM.json:
+ Add `setBreakpointForEventListener` and `removeBreakpointForEventListener`, each of which
+ takes an `eventListenerId` and toggles whether that specific usage of that event listener
+ should have a breakpoint and pause before running.
+
+2018-08-20 Mark Lam
+
+ Fix the LLInt so that btjs shows vmEntryToJavaScript instead of llintPCRangeStart for the entry frame.
+ https://bugs.webkit.org/show_bug.cgi?id=188769
+
+ Reviewed by Michael Saboff.
+
+ * llint/LowLevelInterpreter.asm:
+ - Just put an unused instruction between llintPCRangeStart and vmEntryToJavaScript
+ so that libunwind doesn't get confused by the 2 labels pointing to the same
+ code address.
+
+2018-08-19 Carlos Garcia Campos
+
+ [GLIB] Add API to throw exceptions using printf formatted strings
+ https://bugs.webkit.org/show_bug.cgi?id=188698
+
+ Reviewed by Michael Catanzaro.
+
+ Add jsc_context_throw_printf() and jsc_context_throw_with_name_printf(). Also add new public constructors of
+ JSCException using printf formatted string.
+
+ * API/glib/JSCContext.cpp:
+ (jsc_context_throw_printf):
+ (jsc_context_throw_with_name_printf):
+ * API/glib/JSCContext.h:
+ * API/glib/JSCException.cpp:
+ (jsc_exception_new_printf):
+ (jsc_exception_new_vprintf):
+ (jsc_exception_new_with_name_printf):
+ (jsc_exception_new_with_name_vprintf):
+ * API/glib/JSCException.h:
+ * API/glib/docs/jsc-glib-4.0-sections.txt:
+
+2018-08-19 Carlos Garcia Campos
+
+ [GLIB] Complete the JSCException API
+ https://bugs.webkit.org/show_bug.cgi?id=188695
+
+ Reviewed by Michael Catanzaro.
+
+ Add more API to JSCException:
+ - New function to get the column number
+ - New function get exception as string (toString())
+ - Add the possibility to create exceptions with a custom error name.
+ - New function to get the exception error name
+ - New function to get the exception backtrace.
+ - New convenience function to report a exception by returning a formatted string with all the exception
+ details, to be shown as a user error message.
+
+ * API/glib/JSCContext.cpp:
+ (jsc_context_throw_with_name):
+ * API/glib/JSCContext.h:
+ * API/glib/JSCException.cpp:
+ (jscExceptionEnsureProperties):
+ (jsc_exception_new):
+ (jsc_exception_new_with_name):
+ (jsc_exception_get_name):
+ (jsc_exception_get_column_number):
+ (jsc_exception_get_back_trace_string):
+ (jsc_exception_to_string):
+ (jsc_exception_report):
+ * API/glib/JSCException.h:
+ * API/glib/docs/jsc-glib-4.0-sections.txt:
+
+2018-08-19 Commit Queue
+
+ Unreviewed, rolling out r234852.
+ https://bugs.webkit.org/show_bug.cgi?id=188736
+
+ Workaround is not correct (Requested by yusukesuzuki on
+ #webkit).
+
+ Reverted changeset:
+
+ "[JSC] Should not rotate constant with 64"
+ https://bugs.webkit.org/show_bug.cgi?id=188556
+ https://trac.webkit.org/changeset/234852
+
+2018-08-19 Yusuke Suzuki
+
+ [WTF] Add WTF::unalignedLoad and WTF::unalignedStore
+ https://bugs.webkit.org/show_bug.cgi?id=188716
+
+ Reviewed by Darin Adler.
+
+ Use WTF::unalignedLoad and WTF::unalignedStore to avoid undefined behavior.
+ The compiler can emit appropriate mov operations in x86 even if we use these
+ helper functions.
+
+ * assembler/AssemblerBuffer.h:
+ (JSC::AssemblerBuffer::LocalWriter::putIntegralUnchecked):
+ (JSC::AssemblerBuffer::putIntegral):
+ (JSC::AssemblerBuffer::putIntegralUnchecked):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::readCallTarget):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::linkJump):
+ (JSC::X86Assembler::readPointer):
+ (JSC::X86Assembler::replaceWithHlt):
+ (JSC::X86Assembler::replaceWithJump):
+ (JSC::X86Assembler::setPointer):
+ (JSC::X86Assembler::setInt32):
+ (JSC::X86Assembler::setInt8):
+ * interpreter/InterpreterInlines.h:
+ (JSC::Interpreter::getOpcodeID): Embedded opcode may be misaligned. Actually UBSan detects misaligned accesses here.
+
+2018-08-17 Saam barati
+
+ intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
+ https://bugs.webkit.org/show_bug.cgi?id=188707
+
+
+ Reviewed by Mark Lam.
+
+ We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
+ OSR enter at the head of a block. We verify it's safe to OSR enter by checking
+ that each incoming value is compatible with its corresponding AbstractValue.
+
+ The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
+ with abstract values that were clobbererd. This meant that the value we're
+ verifying with at OSR entry effectively has an infinite structure set because
+ it's clobbered. So, imagine we have code like this:
+ ```
+ ---> We OSR enter here, and we're clobbered here
+ InvalidationPoint
+ GetByOffset(@base)
+ ```
+
+ The abstract value for @base inside intersectionOfPastValuesAtHead has a
+ clobberred structure set, so we'd allow an incoming object with any
+ structure. However, this is wrong because the invalidation point is no
+ longer fulfilling its promise that it filters the structure that @base has.
+
+ We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
+ as if the incoming value may be live past an InvalidationPoint.
+ This places a stricter requirement that to safely OSR enter at any basic
+ block, all incoming values must be compatible as if they lived past
+ the execution of an invalidation point.
+
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run):
+
+2018-08-17 Yusuke Suzuki and Fujii Hironori
+
+ [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
+ https://bugs.webkit.org/show_bug.cgi?id=188589
+
+ Reviewed by Mark Lam.
+ And reviewed by Yusuke Suzuki for Hironori's change.
+
+ Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
+ UBSan dumps bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
+
+ - We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
+ - We make GPRReg and FPRReg int8_t enums.
+ - We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
+ - We add operator+/- definition for RegisterIDs as a MSVC workaround. MSVC fails to resolve operator+ and operator-
+ if `enum : int8_t` is used instead of `enum`.
+
+ * assembler/ARM64Assembler.h:
+ * assembler/ARMAssembler.h:
+ * assembler/ARMv7Assembler.h:
+ * assembler/MIPSAssembler.h:
+ * assembler/MacroAssembler.h:
+ * assembler/X86Assembler.h:
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::clampArrayToSize):
+ * jit/FPRInfo.h:
+ * jit/GPRInfo.h:
+ (JSC::JSValueRegs::JSValueRegs):
+ (JSC::JSValueRegs::tagGPR const):
+ (JSC::JSValueRegs::payloadGPR const):
+ (JSC::JSValueSource::JSValueSource):
+ (JSC::JSValueSource::unboxedCell):
+ (JSC::JSValueSource::operator bool const):
+ (JSC::JSValueSource::base const):
+ (JSC::JSValueSource::tagGPR const):
+ (JSC::JSValueSource::payloadGPR const):
+ (JSC::JSValueSource::hasKnownTag const):
+
+2018-08-16 Yusuke Suzuki
+
+ [JSC] alignas for RegisterState should respect alignof(RegisterState) too
+ https://bugs.webkit.org/show_bug.cgi?id=188686
+
+ Reviewed by Saam Barati.
+
+ RegisterState would have larger alignment than `alignof(void*)`. We use the larger alignment value
+ for `alignof` for RegisterState.
+
+ * heap/RegisterState.h:
+
+2018-08-14 Yusuke Suzuki
+
+ [YARR] Align allocation size in BumpPointerAllocator with sizeof(void*)
+ https://bugs.webkit.org/show_bug.cgi?id=188571
+
+ Reviewed by Saam Barati.
+
+ UBSan finds YarrInterpreter performs misaligned accesses. This is because YarrInterpreter
+ allocates DisjunctionContext and ParenthesesDisjunctionContext from BumpPointerAllocator
+ without considering alignment of them. This patch adds DisjunctionContext::allocationSize
+ and ParenthesesDisjunctionContext::allocationSize to calculate allocation sizes for them.
+ The size is always rounded to `sizeof(void*)` so that these classes are always allocated
+ with `sizeof(void*)` alignment. We also ensure the alignments of both classes are less
+ than or equal to `sizeof(void*)` by `static_assert`.
+
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::Interpreter::DisjunctionContext::allocationSize):
+ (JSC::Yarr::Interpreter::allocDisjunctionContext):
+ (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
+ (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::getDisjunctionContext):
+ (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::allocationSize):
+ (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext):
+ (JSC::Yarr::Interpreter::Interpreter):
+ (JSC::Yarr::Interpreter::DisjunctionContext::DisjunctionContext): Deleted.
+
+2018-08-15 Keith Miller
+
+ Remove evernote hacks
+ https://bugs.webkit.org/show_bug.cgi?id=188591
+
+ Reviewed by Joseph Pecoraro.
+
+ The hack was added in 2012 and the evernote app seems to work now.
+ It's probably not needed anymore.
+
+ * API/JSValueRef.cpp:
+ (JSValueUnprotect):
+ (evernoteHackNeeded): Deleted.
+
+2018-08-14 Fujii Hironori
+
+ Unreviewed, rolling out r234874 and r234876.
+
+ WinCairo port can't compile
+
+ Reverted changesets:
+
+ "[JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg"
+ https://bugs.webkit.org/show_bug.cgi?id=188589
+ https://trac.webkit.org/changeset/234874
+
+ "Unreviewed, attempt to fix CLoop build"
+ https://bugs.webkit.org/show_bug.cgi?id=188589
+ https://trac.webkit.org/changeset/234876
+
+2018-08-14 Saam barati
+
+ HashMap, V> asserts when V is not zero for its empty value
+ https://bugs.webkit.org/show_bug.cgi?id=188582
+
+ Reviewed by Sam Weinig.
+
+ * runtime/SparseArrayValueMap.h:
+
+2018-08-14 Yusuke Suzuki
+
+ Unreviewed, attempt to fix CLoop build
+ https://bugs.webkit.org/show_bug.cgi?id=188589
+
+ * assembler/MacroAssembler.h:
+
+2018-08-14 Yusuke Suzuki
+
+ [JSC] Add GPRReg::InvalidGPRReg and FPRReg::InvalidFPRReg
+ https://bugs.webkit.org/show_bug.cgi?id=188589
+
+ Reviewed by Mark Lam.
+
+ Since GPRReg(RegisterID) and FPRReg(FPRegisterID) do not include -1 in their enum values,
+ UBSan dumps bunch of warnings "runtime error: load of value 4294967295, which is not a valid value for type 'RegisterID'".
+
+ 1. We add InvalidGPRReg and InvalidFPRReg to enum values of GPRReg and FPRReg to suppress the above warnings.
+ 2. We make GPRReg and FPRReg int8_t enums.
+ 3. We replace `#define InvalidGPRReg ((JSC::GPRReg)-1)` to `static constexpr GPRReg InvalidGPRReg { GPRReg::InvalidGPRReg };`.
+
+ * assembler/ARM64Assembler.h:
+ * assembler/ARMAssembler.h:
+ * assembler/ARMv7Assembler.h:
+ * assembler/MIPSAssembler.h:
+ * assembler/X86Assembler.h:
+ * jit/FPRInfo.h:
+ * jit/GPRInfo.h:
+ (JSC::JSValueRegs::JSValueRegs):
+ (JSC::JSValueRegs::tagGPR const):
+ (JSC::JSValueRegs::payloadGPR const):
+ (JSC::JSValueSource::JSValueSource):
+ (JSC::JSValueSource::unboxedCell):
+ (JSC::JSValueSource::operator bool const):
+ (JSC::JSValueSource::base const):
+ (JSC::JSValueSource::tagGPR const):
+ (JSC::JSValueSource::payloadGPR const):
+ (JSC::JSValueSource::hasKnownTag const):
+
+2018-08-14 Keith Miller
+
+ Add missing availability macro.
+ https://bugs.webkit.org/show_bug.cgi?id=188563
+
+ Reviewed by Mark Lam.
+
+ * API/JSValueRef.h:
+
+2018-08-14 Yusuke Suzuki
+
+ [JSC] GetByIdStatus::m_wasSeenInJIT is touched in GetByIdStatus::slowVersion
+ https://bugs.webkit.org/show_bug.cgi?id=188560
+
+ Reviewed by Keith Miller.
+
+ While GetByIdStatus() / GetByIdStatus(status) constructors do not set m_wasSeenInJIT,
+ it is loaded unconditionally in GetByIdStatus::slowVersion. This access to the
+ uninitialized member field is caught in UBSan. This patch fixes it by adding an initializer
+ `m_wasSeenInJIT { false }`.
+
+ * bytecode/GetByIdStatus.h:
+
+2018-08-14 Yusuke Suzuki
+
+ [DFG] DFGPredictionPropagation should set PrimaryPass when processing invariants
+ https://bugs.webkit.org/show_bug.cgi?id=188557
+
+ Reviewed by Mark Lam.
+
+ DFGPredictionPropagationPhase should set PrimaryPass before processing invariants since
+ processing for ArithRound etc.'s invariants requires `m_pass` load. This issue is found
+ in UBSan's result.
+
+ * dfg/DFGPredictionPropagationPhase.cpp:
+
+2018-08-14 Yusuke Suzuki
+
+ [JSC] Should not rotate constant with 64
+ https://bugs.webkit.org/show_bug.cgi?id=188556
+
+ Reviewed by Mark Lam.
+
+ To defend against JIT splaying, we rotate a constant with a randomly generated seed.
+ But if a seed becomes 64, the following code performs `value << 64` where value's type
+ is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed in the
+ range of [0, 64) not to generate code causing UBs. This is found by UBSan.
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::generateRotationSeed):
+ (JSC::MacroAssembler::rotationBlindConstant):
+
+2018-08-12 Karo Gyoker
+
+ Disable JIT on IA-32 without SSE2
+ https://bugs.webkit.org/show_bug.cgi?id=188476
+
+ Reviewed by Michael Catanzaro.
+
+ Including missing header (MacroAssembler.h) in case of other
+ operating systems than Windows too.
+
+ * runtime/Options.cpp:
+
+2018-08-11 Karo Gyoker
+
+ Disable JIT on IA-32 without SSE2
+ https://bugs.webkit.org/show_bug.cgi?id=188476
+
+ Reviewed by Yusuke Suzuki.
+
+ On IA-32 CPUs without SSE2 most of the webpages cannot load
+ if the JIT is turned on.
+
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+
+2018-08-10 Joseph Pecoraro
+
+ Web Inspector: console.log fires getters for deep properties
+ https://bugs.webkit.org/show_bug.cgi?id=187542
+
+
+ Reviewed by Saam Barati.
+
+ * inspector/InjectedScriptSource.js:
+ (RemoteObject.prototype._isPreviewableObject):
+ Avoid getters/setters when checking for simple properties to preview.
+ Here we avoid invoking `object[property]` if it could be a user getter.
+
+2018-08-10 Keith Miller
+
+ Slicing an ArrayBuffer with a long number returns an ArrayBuffer with byteLength zero
+ https://bugs.webkit.org/show_bug.cgi?id=185127
+
+ Reviewed by Saam Barati.
+
+ Previously, we would truncate the indicies passed to slice to an
+ int. This meant that the value was not getting properly clamped
+ later.
+
+ This patch also removes a non-spec compliant check that slice was
+ passed at least one argument.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBuffer::clampValue):
+ (JSC::ArrayBuffer::clampIndex const):
+ (JSC::ArrayBuffer::slice const):
+ * runtime/ArrayBuffer.h:
+ (JSC::ArrayBuffer::clampValue): Deleted.
+ (JSC::ArrayBuffer::clampIndex const): Deleted.
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::arrayBufferProtoFuncSlice):
+
+2018-08-10 Yusuke Suzuki
+
+ Date.UTC should not return NaN with only Year param
+ https://bugs.webkit.org/show_bug.cgi?id=188378
+
+ Reviewed by Keith Miller.
+
+ Date.UTC requires one argument for |year|. But the other ones are optional.
+ This patch fix this handling.
+
+ * runtime/DateConstructor.cpp:
+ (JSC::millisecondsFromComponents):
+
+2018-08-08 Keith Miller
+
+ Array.prototype.sort should call @toLength instead of ">>> 0"
+ https://bugs.webkit.org/show_bug.cgi?id=188430
+
+ Reviewed by Saam Barati.
+
+ Also add a new function to $vm that will fetch a private
+ property. This can be useful for running builtin helper functions.
+
+ * builtins/ArrayPrototype.js:
+ (sort):
+ * tools/JSDollarVM.cpp:
+ (JSC::functionGetPrivateProperty):
+ (JSC::JSDollarVM::finishCreation):
+
+2018-08-08 Keith Miller
+
+ Array.prototype.sort should throw TypeError if param is a not callable object
+ https://bugs.webkit.org/show_bug.cgi?id=188382
+
+ Reviewed by Saam Barati.
+
+ Improve spec compatability by checking if the Array.prototype.sort comparator is a function
+ before doing anything else.
+
+ Also, refactor the various helper functions to use let instead of var.
+ + * builtins/ArrayPrototype.js: + (sort.stringComparator): + (sort.compactSparse): + (sort.compactSlow): + (sort.compact): + (sort.merge): + (sort.mergeSort): + (sort.bucketSort): + (sort.comparatorSort): + (sort.stringSort): + (sort): + +2018-08-08 Michael Saboff + + Yarr JIT should include annotations with dumpDisassembly=true + https://bugs.webkit.org/show_bug.cgi?id=188415 + + Reviewed by Yusuke Suzuki. + + Created a YarrDisassembler class that handles annotations similar to the baseline JIT. + Given that the Yarr creates matching code bu going through the YarrPattern ops forward and + then the backtracking code through the YarrPattern ops in reverse order, the disassembler + needs to do the same think. + + Restructured some of the logging code in YarrPattern to eliminate redundent code and factor + out simple methods for what was needed by the YarrDisassembler. + + Here is abbreviated sample output after this change. + + Generated JIT code for 8-bit regular expression /ab*c/: + Code at [0x469561c03720, 0x469561c03840): + 0x469561c03720: push %rbp + 0x469561c03721: mov %rsp, %rbp + ... + 0x469561c03762: sub $0x40, %rsp + == Matching == + 0:OpBodyAlternativeBegin minimum size 2 + 0x469561c03766: add $0x2, %esi + 0x469561c03769: cmp %edx, %esi + 0x469561c0376b: ja 0x469561c037fa + 1:OpTerm TypePatternCharacter 'a' + 0x469561c03771: movzx -0x2(%rdi,%rsi), %eax + 0x469561c03776: cmp $0x61, %eax + 0x469561c03779: jnz 0x469561c037e9 + 2:OpTerm TypePatternCharacter 'b' {0,...} greedy + 0x469561c0377f: xor %r9d, %r9d + 0x469561c03782: cmp %edx, %esi + 0x469561c03784: jz 0x469561c037a2 + ... + 0x469561c0379d: jmp 0x469561c03782 + 0x469561c037a2: mov %r9, 0x8(%rsp) + 3:OpTerm TypePatternCharacter 'c' + 0x469561c037a7: movzx -0x1(%rdi,%rsi), %eax + 0x469561c037ac: cmp $0x63, %eax + 0x469561c037af: jnz 0x469561c037d1 + 4:OpBodyAlternativeEnd + 0x469561c037b5: add $0x40, %rsp + ... 
+ 0x469561c037cf: pop %rbp + 0x469561c037d0: ret + == Backtracking == + 4:OpBodyAlternativeEnd + 3:OpTerm TypePatternCharacter 'c' + 2:OpTerm TypePatternCharacter 'b' {0,...} greedy + 0x469561c037d1: mov 0x8(%rsp), %r9 + ... + 0x469561c037e4: jmp 0x469561c037a2 + 1:OpTerm TypePatternCharacter 'a' + 0:OpBodyAlternativeBegin minimum size 2 + 0x469561c037e9: mov %rsi, %rax + ... + 0x469561c0382f: pop %rbp + 0x469561c03830: ret + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + * yarr/YarrDisassembler.cpp: Added. + (JSC::Yarr::YarrDisassembler::indentString): + (JSC::Yarr::YarrDisassembler::YarrDisassembler): + (JSC::Yarr::YarrDisassembler::~YarrDisassembler): + (JSC::Yarr::YarrDisassembler::dump): + (JSC::Yarr::YarrDisassembler::dumpHeader): + (JSC::Yarr::YarrDisassembler::dumpVectorForInstructions): + (JSC::Yarr::YarrDisassembler::dumpForInstructions): + (JSC::Yarr::YarrDisassembler::dumpDisassembly): + * yarr/YarrDisassembler.h: Added. 
+ (JSC::Yarr::YarrJITInfo::~YarrJITInfo): + (JSC::Yarr::YarrDisassembler::setStartOfCode): + (JSC::Yarr::YarrDisassembler::setForGenerate): + (JSC::Yarr::YarrDisassembler::setForBacktrack): + (JSC::Yarr::YarrDisassembler::setEndOfGenerate): + (JSC::Yarr::YarrDisassembler::setEndOfBacktrack): + (JSC::Yarr::YarrDisassembler::setEndOfCode): + (JSC::Yarr::YarrDisassembler::indentString): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generate): + (JSC::Yarr::YarrGenerator::backtrack): + (JSC::Yarr::YarrGenerator::YarrGenerator): + (JSC::Yarr::YarrGenerator::compile): + (JSC::Yarr::jitCompile): + * yarr/YarrJIT.h: + * yarr/YarrPattern.cpp: + (JSC::Yarr::dumpCharacterClass): + (JSC::Yarr::PatternTerm::dump): + (JSC::Yarr::YarrPattern::dumpPatternString): + (JSC::Yarr::YarrPattern::dumpPattern): + * yarr/YarrPattern.h: + +2018-08-05 Darin Adler + + [Cocoa] More tweaks and refactoring to prepare for ARC + https://bugs.webkit.org/show_bug.cgi?id=188245 + + Reviewed by Dan Bernstein. + + * API/JSValue.mm: Use __unsafe_unretained. + (JSContainerConvertor::convert): Use auto for compatibility with the above. + * API/JSWrapperMap.mm: + (allocateConstructorForCustomClass): Use CFTypeRef instead of Protocol *. + (-[JSWrapperMap initWithGlobalContextRef:]): Use __unsafe_unretained. + + * heap/Heap.cpp: Updated include for rename: FoundationSPI.h -> objcSPI.h. + +2018-08-07 Yusuke Suzuki + + Shrink size of PropertyCondition by packing UniquedStringImpl* and Kind + https://bugs.webkit.org/show_bug.cgi?id=188328 + + Reviewed by Saam Barati. + + Shrinking the size of PropertyCondition can improve memory consumption by a lot. + For example, cnn.com can show 7000 persistent StructureStubClearingWatchpoint + and 6000 LLIntPrototypeLoadAdaptiveStructureWatchpoint which have PropertyCondition + as a member field. + + This patch shrinks the size of PropertyCondition by packing UniquedStringImpl* and + PropertyCondition::Kind into uint64_t data in 64bit architecture. 
Since our address + are within 48bit, we can put PropertyCondition::Kind in this unused bits. + To make it easy, we add WTF::CompactPointerTuple, which automatically + folds a pointer and 1byte type into 64bit data. + + This change shrinks PropertyCondition from 24bytes to 16bytes. + + * bytecode/PropertyCondition.cpp: + (JSC::PropertyCondition::dumpInContext const): + (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): + (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const): + (JSC::PropertyCondition::isStillValid const): + (JSC::PropertyCondition::isWatchableWhenValid const): + * bytecode/PropertyCondition.h: + (JSC::PropertyCondition::PropertyCondition): + (JSC::PropertyCondition::presenceWithoutBarrier): + (JSC::PropertyCondition::absenceWithoutBarrier): + (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier): + (JSC::PropertyCondition::equivalenceWithoutBarrier): + (JSC::PropertyCondition::hasPrototypeWithoutBarrier): + (JSC::PropertyCondition::operator bool const): + (JSC::PropertyCondition::kind const): + (JSC::PropertyCondition::uid const): + (JSC::PropertyCondition::hasOffset const): + (JSC::PropertyCondition::hasAttributes const): + (JSC::PropertyCondition::hasPrototype const): + (JSC::PropertyCondition::hasRequiredValue const): + (JSC::PropertyCondition::hash const): + (JSC::PropertyCondition::operator== const): + (JSC::PropertyCondition::isHashTableDeletedValue const): + (JSC::PropertyCondition::watchingRequiresReplacementWatchpoint const): + +2018-08-07 Mark Lam + + Use a more specific PtrTag for PlatformRegisters PC and LR. + https://bugs.webkit.org/show_bug.cgi?id=188366 + + + Reviewed by Keith Miller. + + Also fixed a bug in linkRegister(), which was previously returning the PC instead + of LR. It now returns LR. 
+ + * runtime/JSCPtrTag.h: + * runtime/MachineContext.h: + (JSC::MachineContext::instructionPointer): + (JSC::MachineContext::linkRegister): + * runtime/VMTraps.cpp: + (JSC::SignalContext::SignalContext): + * tools/SigillCrashAnalyzer.cpp: + (JSC::SignalContext::SignalContext): + +2018-08-07 Karo Gyoker + + Hardcoded LFENCE instruction + https://bugs.webkit.org/show_bug.cgi?id=188145 + + Reviewed by Filip Pizlo. + + Remove lfence instruction because it is crashing systems without SSE2 and + this is not the way how WebKit mitigates Spectre. + + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + (JSC::JSLock::willReleaseLock): + +2018-08-04 David Kilzer + + REGRESSION (r208953): TemplateObjectDescriptor constructor calculates m_hash on use-after-move variable + + + Reviewed by Yusuke Suzuki. + + * runtime/TemplateObjectDescriptor.h: + (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor): + Use `m_rawstrings` instead of `rawStrings` to calculate hash. + +2018-08-03 Saam Barati + + Give the `jsc` shell the JIT entitlement + https://bugs.webkit.org/show_bug.cgi?id=188324 + + + Reviewed by Dan Bernstein. + + This should help us in ensuring the system jsc is able to JIT. + + * Configurations/JSC.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + * allow-jit-macOS.entitlements: Added. + +2018-08-03 Alex Christensen + + Fix spelling of "overridden" + https://bugs.webkit.org/show_bug.cgi?id=188315 + + Reviewed by Darin Adler. + + * API/JSExport.h: + * inspector/InjectedScriptSource.js: + +2018-08-02 Saam Barati + + Reading instructionPointer from PlatformRegisters may fail when using pointer profiling + https://bugs.webkit.org/show_bug.cgi?id=188271 + + + Reviewed by Michael Saboff. + + This patch defends against the instructionPointer containing garbage bits. + See radar for details. 
+ + * runtime/MachineContext.h: + (JSC::MachineContext::instructionPointer): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::takeSample): + * runtime/VMTraps.cpp: + (JSC::SignalContext::SignalContext): + (JSC::SignalContext::tryCreate): + * tools/CodeProfiling.cpp: + (JSC::profilingTimer): + * tools/SigillCrashAnalyzer.cpp: + (JSC::SignalContext::SignalContext): + (JSC::SignalContext::tryCreate): + (JSC::SignalContext::dump): + (JSC::installCrashHandler): + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + +2018-08-02 David Fenton + + Unreviewed, rolling out r234489. + + Caused 50+ crashes and 60+ API failures on iOS + + Reverted changeset: + + "[WTF] Rename String::format to String::deprecatedFormat" + https://bugs.webkit.org/show_bug.cgi?id=188191 + https://trac.webkit.org/changeset/234489 + +2018-08-01 Yusuke Suzuki + + Add self.queueMicrotask(f) on DOMWindow + https://bugs.webkit.org/show_bug.cgi?id=188212 + + Reviewed by Ryosuke Niwa. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/JSGlobalObject.cpp: + (JSC::enqueueJob): + * runtime/JSMicrotask.cpp: Renamed from Source/JavaScriptCore/runtime/JSJob.cpp. + (JSC::createJSMicrotask): + Export them to WebCore. + + (JSC::JSMicrotask::run): + * runtime/JSMicrotask.h: Renamed from Source/JavaScriptCore/runtime/JSJob.h. + Add another version of JSMicrotask which does not have arguments. + +2018-08-01 Tomas Popela + + [WTF] Rename String::format to String::deprecatedFormat + https://bugs.webkit.org/show_bug.cgi?id=188191 + + Reviewed by Darin Adler. + + It should be replaced with string concatenation. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::nameForRegister): + * inspector/InjectedScriptBase.cpp: + (Inspector::InjectedScriptBase::makeCall): + * inspector/InspectorBackendDispatcher.cpp: + (Inspector::BackendDispatcher::getPropertyValue): + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::stopTiming): + * jsc.cpp: + (FunctionJSCStackFunctor::operator() const): + * parser/Lexer.cpp: + (JSC::Lexer::invalidCharacterMessage const): + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + * runtime/IntlObject.cpp: + (JSC::canonicalizeLocaleList): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lex): + (JSC::LiteralParser::Lexer::lexStringSlow): + (JSC::LiteralParser::parse): + * runtime/LiteralParser.h: + (JSC::LiteralParser::getErrorMessage): + +2018-08-01 Andy VanWagoner + + [INTL] Allow "unknown" formatToParts types + https://bugs.webkit.org/show_bug.cgi?id=188176 + + Reviewed by Darin Adler. + + Originally extra unexpected field types were marked as "literal", since + the spec did not account for these. The ECMA 402 spec has since been updated + to specify "unknown" should be used in these cases. + + Currently there is no known way to reach these cases, so no tests can + account for them. Theoretically they shoudn't exist, but they are specified, + just to be safe. Marking them as "unknown" instead of "literal" hopefully + will make such cases easy to identify if they ever happen. + + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::partTypeString): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::partTypeString): + +2018-08-01 Andy VanWagoner + + [INTL] Implement hourCycle in DateTimeFormat + https://bugs.webkit.org/show_bug.cgi?id=188006 + + Reviewed by Darin Adler. + + Implemented hourCycle, updating both the skeleton and the final pattern. 
+ Changed resolveLocale to assume undefined options are not given and null + strings actually mean null, which removes the tag extension. + + * runtime/CommonIdentifiers.h: + * runtime/IntlCollator.cpp: + (JSC::IntlCollator::initializeCollator): + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDTFInternal::localeData): + (JSC::IntlDateTimeFormat::setFormatsFromPattern): + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + (JSC::IntlDateTimeFormat::resolvedOptions): + * runtime/IntlDateTimeFormat.h: + * runtime/IntlObject.cpp: + (JSC::resolveLocale): + +2018-08-01 Keith Miller + + JSArrayBuffer should have its own JSType + https://bugs.webkit.org/show_bug.cgi?id=188231 + + Reviewed by Saam Barati. + + * runtime/JSArrayBuffer.cpp: + (JSC::JSArrayBuffer::createStructure): + * runtime/JSCast.h: + * runtime/JSType.h: + +2018-07-31 Keith Miller + + Unreviewed 32-bit build fix... + + * dfg/DFGSpeculativeJIT32_64.cpp: + +2018-07-31 Keith Miller + + Long compiling JSC files should not be unified + https://bugs.webkit.org/show_bug.cgi?id=188205 + + Reviewed by Saam Barati. + + The DFGSpeculativeJIT and FTLLowerDFGToB3 files take a long time + to compile. Unifying them means touching anything in the same + bundle as those files takes a long time to incrementally build. + This patch separates those files so they build standalone. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * dfg/DFGSpeculativeJIT64.cpp: + +2018-07-31 Yusuke Suzuki + + [JSC] Remove unnecessary cellLock() in JSObject's GC marking if IndexingType is contiguous + https://bugs.webkit.org/show_bug.cgi?id=188201 + + Reviewed by Keith Miller. + + We do not reuse the existing butterfly with Contiguous shape for new ArrayStorage butterfly. + When converting the butterfly with Contiguous shape to ArrayStorage, we always allocate a + new one. So this cellLock() is unnecessary for contiguous shape since contigous shaped butterfly + never becomes broken state. 
This patch removes unnecessary locking. + + * runtime/JSObject.cpp: + (JSC::JSObject::visitButterflyImpl): + +2018-07-31 Guillaume Emont + + [JSC] Remove gcc warnings for 32-bit platforms + https://bugs.webkit.org/show_bug.cgi?id=187803 + + Reviewed by Yusuke Suzuki. + + * assembler/MacroAssemblerPrinter.cpp: + (JSC::Printer::printPCRegister): + (JSC::Printer::printRegisterID): + (JSC::Printer::printAddress): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculateNumber): + (JSC::DFG::SpeculativeJIT::speculateMisc): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::calculatePokeOffset): + * runtime/Options.cpp: + (JSC::parse): + +2018-07-30 Wenson Hsieh + + watchOS engineering build is broken after r234227 + https://bugs.webkit.org/show_bug.cgi?id=188180 + + Reviewed by Keith Miller. + + In the case where we're building with a `PLATFORM_NAME` of neither "macosx" nor "iphone*", + postprocess-headers.sh attempts to delete any usage of the JSC availability macros. However, + `JSC_MAC_VERSION_TBA` and `JSC_IOS_VERSION_TBA` still remain, and JSValue.h's usage of + `JSC_IOS_VERSION_TBA` causes engineering watchOS builds to fail. + + To fix this, simply allow the fallback path to remove these macros from JavaScriptCore headers + entirely, since there's no relevant version to replace them with. + + * postprocess-headers.sh: + +2018-07-30 Keith Miller + + Clarify conversion rules for JSValue property access API + https://bugs.webkit.org/show_bug.cgi?id=188179 + + Reviewed by Geoffrey Garen. + + * API/JSValue.h: + +2018-07-30 Keith Miller + + Rename some JSC API functions/types. + https://bugs.webkit.org/show_bug.cgi?id=188173 + + Reviewed by Saam Barati. + + * API/JSObjectRef.cpp: + (JSObjectHasPropertyForKey): + (JSObjectGetPropertyForKey): + (JSObjectSetPropertyForKey): + (JSObjectDeletePropertyForKey): + (JSObjectHasPropertyKey): Deleted. + (JSObjectGetPropertyKey): Deleted. + (JSObjectSetPropertyKey): Deleted. + (JSObjectDeletePropertyKey): Deleted. 
+ * API/JSObjectRef.h: + * API/JSValue.h: + * API/JSValue.mm: + (-[JSValue valueForProperty:]): + (-[JSValue setValue:forProperty:]): + (-[JSValue deleteProperty:]): + (-[JSValue hasProperty:]): + (-[JSValue defineProperty:descriptor:]): + * API/tests/testapi.cpp: + (TestAPI::run): + +2018-07-30 Mark Lam + + Add a debugging utility to dump the memory layout of a JSCell. + https://bugs.webkit.org/show_bug.cgi?id=188157 + + Reviewed by Yusuke Suzuki. + + This patch adds $vm.dumpCell() and VMInspector::dumpCellMemory() to allow us to + dump the memory contents of a cell and if present, its butterfly for debugging + purposes. + + Example usage for JS code when JSC_useDollarVM=true: + + $vm.dumpCell(obj); + + Example usage from C++ code or from lldb: + + (lldb) p JSC::VMInspector::dumpCellMemory(obj) + + Some examples of dumps: + + <0x104bc8260, Object> + [0] 0x104bc8260 : 0x010016000000016c header + structureID 364 0x16c structure 0x104b721b0 + indexingTypeAndMisc 0 0x0 NonArray + type 22 0x16 + flags 0 0x0 + cellState 1 + [1] 0x104bc8268 : 0x0000000000000000 butterfly + [2] 0x104bc8270 : 0xffff000000000007 + [3] 0x104bc8278 : 0xffff000000000008 + + <0x104bb4360, Array> + [0] 0x104bb4360 : 0x0108210b00000171 header + structureID 369 0x171 structure 0x104b723e0 + indexingTypeAndMisc 11 0xb ArrayWithArrayStorage + type 33 0x21 + flags 8 0x8 + cellState 1 + [1] 0x104bb4368 : 0x00000008000f4718 butterfly + base 0x8000f46e0 + hasIndexingHeader YES hasAnyArrayStorage YES + publicLength 4 vectorLength 7 indexBias 2 + preCapacity 2 propertyCapacity 4 + <--- preCapacity + [0] 0x8000f46e0 : 0x0000000000000000 + [1] 0x8000f46e8 : 0x0000000000000000 + <--- propertyCapacity + [2] 0x8000f46f0 : 0x0000000000000000 + [3] 0x8000f46f8 : 0x0000000000000000 + [4] 0x8000f4700 : 0xffff00000000000d + [5] 0x8000f4708 : 0xffff00000000000c + <--- indexingHeader + [6] 0x8000f4710 : 0x0000000700000004 + <--- butterfly + <--- arrayStorage + [7] 0x8000f4718 : 0x0000000000000000 + [8] 0x8000f4720 : 
0x0000000400000002 + <--- indexedProperties + [9] 0x8000f4728 : 0xffff000000000008 + [10] 0x8000f4730 : 0xffff000000000009 + [11] 0x8000f4738 : 0xffff000000000005 + [12] 0x8000f4740 : 0xffff000000000006 + [13] 0x8000f4748 : 0x0000000000000000 + [14] 0x8000f4750 : 0x0000000000000000 + [15] 0x8000f4758 : 0x0000000000000000 + <--- unallocated capacity + [16] 0x8000f4760 : 0x0000000000000000 + [17] 0x8000f4768 : 0x0000000000000000 + [18] 0x8000f4770 : 0x0000000000000000 + [19] 0x8000f4778 : 0x0000000000000000 + + * runtime/JSObject.h: + * tools/JSDollarVM.cpp: + (JSC::functionDumpCell): + (JSC::JSDollarVM::finishCreation): + * tools/VMInspector.cpp: + (JSC::VMInspector::dumpCellMemory): + (JSC::IndentationScope::IndentationScope): + (JSC::IndentationScope::~IndentationScope): + (JSC::VMInspector::dumpCellMemoryToStream): + * tools/VMInspector.h: + +2018-07-27 Mark Lam + + Add some crash info to Heap::checkConn() RELEASE_ASSERTs. + https://bugs.webkit.org/show_bug.cgi?id=188123 + + + Reviewed by Keith Miller. + + 1. Add VM::m_id and Heap::m_lastPhase fields. Both of these fit within existing + padding space in VM and Heap, and should not cost any measurable perf to + initialize and update. + + 2. Add some crash info to the RELEASE_ASSERTs in Heap::checkConn(): + + worldState tells us the value we failed the assertion on. + + m_lastPhase, m_currentPhase, and m_nextPhase tells us the GC phase transition + that led us here. + + VM::id(), and VM::numberOfIDs() tells us how many VMs may be in play. + + VM::isEntered() tells us if the current VM is currently executing JS code. + + Some of this data may be redundant, but the redundancy is intentional so that + we can double check what is really happening at the time of crash. 
+ + * heap/Heap.cpp: + (JSC::asInt): + (JSC::Heap::checkConn): + (JSC::Heap::changePhase): + * heap/Heap.h: + * runtime/VM.cpp: + (JSC::VM::nextID): + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::numberOfIDs): + (JSC::VM::id const): + (JSC::VM::isEntered const): + +2018-07-25 Yusuke Suzuki + + [JSC] Record CoW status in ArrayProfile correctly + https://bugs.webkit.org/show_bug.cgi?id=187949 + + Reviewed by Saam Barati. + + In this patch, we simplify asArrayModes: just shifting the value with IndexingMode. + This is important since our OSR exit compiler records m_observedArrayModes by calculating + ArrayModes with shifting. Since ArrayModes for CoW arrays are incorrectly calculated, + our OSR exit compiler records incorrect results in ArrayProfile. And it leads to + Array::Generic DFG nodes. + + * bytecode/ArrayProfile.h: + (JSC::asArrayModes): + (JSC::ArrayProfile::ArrayProfile): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * runtime/IndexingType.h: + +2018-07-26 Andy VanWagoner + + [INTL] Remove INTL sub-feature compile flags + https://bugs.webkit.org/show_bug.cgi?id=188081 + + Reviewed by Michael Catanzaro. + + Removed ENABLE_INTL_NUMBER_FORMAT_TO_PARTS and ENABLE_INTL_PLURAL_RULES flags. + The runtime flags are still present, and should be relied on instead. + The defines for ICU features have also been updated to match HAVE() style. + + * Configurations/FeatureDefines.xcconfig: + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::resolvedOptions): + (JSC::IntlPluralRules::select): + * runtime/IntlPluralRules.h: + * runtime/Options.h: + +2018-07-26 Yusuke Suzuki + + [JSC] Dump IndexingMode in Structure + https://bugs.webkit.org/show_bug.cgi?id=188085 + + Reviewed by Keith Miller. + + Dump IndexingMode instead of IndexingType. 
+ + * runtime/Structure.cpp: + (JSC::Structure::dump const): + +2018-07-26 Ross Kirsling + + String(View) should have a splitAllowingEmptyEntries function instead of a flag parameter + https://bugs.webkit.org/show_bug.cgi?id=187963 + + Reviewed by Alex Christensen. + + * inspector/InspectorBackendDispatcher.cpp: + (Inspector::BackendDispatcher::dispatch): + * jsc.cpp: + (ModuleName::ModuleName): + (resolvePath): + * runtime/IntlObject.cpp: + (JSC::canonicalizeLanguageTag): + (JSC::removeUnicodeLocaleExtension): + Update split/splitAllowingEmptyEntries usage. + +2018-07-26 Commit Queue + + Unreviewed, rolling out r234181 and r234189. + https://bugs.webkit.org/show_bug.cgi?id=188075 + + These are not needed right now (Requested by thorton on + #webkit). + + Reverted changesets: + + "Enable Web Content Filtering on watchOS" + https://bugs.webkit.org/show_bug.cgi?id=187979 + https://trac.webkit.org/changeset/234181 + + "HAVE(PARENTAL_CONTROLS) should be true on watchOS" + https://bugs.webkit.org/show_bug.cgi?id=187985 + https://trac.webkit.org/changeset/234189 + +2018-07-26 Mark Lam + + arrayProtoPrivateFuncConcatMemcpy() should handle copying from an Undecided type array. + https://bugs.webkit.org/show_bug.cgi?id=188065 + + + Reviewed by Saam Barati. + + * runtime/ArrayPrototype.cpp: + (JSC::clearElement): + (JSC::copyElements): + (JSC::arrayProtoPrivateFuncConcatMemcpy): + +2018-07-26 Andy VanWagoner + + JSC: Intl API should ignore encoding when parsing BCP 47 language tag from ISO 15897 locale string (passed via LANG) + https://bugs.webkit.org/show_bug.cgi?id=167991 + + Reviewed by Michael Catanzaro. + + Improved the conversion of ICU locales to BCP47 tags, using their preferred method. + Checked locale.isEmpty() before returning it from defaultLocale, so there should be + no more cases where you might have an invalid locale come back from resolveLocale. 
+ + * runtime/IntlObject.cpp: + (JSC::convertICULocaleToBCP47LanguageTag): + (JSC::defaultLocale): + (JSC::lookupMatcher): + * runtime/IntlObject.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::intlCollatorAvailableLocales): + (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales): + (JSC::JSGlobalObject::intlNumberFormatAvailableLocales): + (JSC::JSGlobalObject::intlPluralRulesAvailableLocales): + +2018-07-26 Fujii Hironori + + REGRESSION(r234248) [Win] testapi.c: nonstandard extension used: non-constant aggregate initializer + https://bugs.webkit.org/show_bug.cgi?id=188040 + + Unreviewed build fix for AppleWin port. + + * API/tests/testapi.c: Disabled warning C4204. + (testMarkingConstraintsAndHeapFinalizers): Added an explicit void* cast for weakRefs. + +2018-07-26 Fujii Hironori + + [JSC API] We should support the symbol type in our C/Obj-C API + https://bugs.webkit.org/show_bug.cgi?id=175836 + + Unreviewed build fix for Windows port. + + r234227 introduced a compilation error unresolved external symbol + "int __cdecl testCAPIViaCpp(void)" in testapi for Windows ports. + + Windows ports are compiling testapi.c as C++ by using /TP switch. + + * API/tests/testapi.c: + (main): Removed `::` prefix of ::SetErrorMode Windows API. + (dllLauncherEntryPoint): Converted into C style. + * shell/PlatformWin.cmake: Do not use /TP switch for testapi.c + +2018-07-25 Keith Miller + + [JSC API] We should support the symbol type in our C/Obj-C API + https://bugs.webkit.org/show_bug.cgi?id=175836 + + Reviewed by Filip Pizlo. + + This patch makes the following API additions: + 1) Test if a JSValue/JSValueRef is a symbol via any of the methods API are able to test for the types of other JSValues. + 2) Create a symbol on both APIs. + 3) Get/Set/Delete/Define property now take ids in the Obj-C API. + 4) Add Get/Set/Delete in the C API. + + We can do 3 because it is both binary and source compatable with + the existing API. 
I added (4) because the current property access + APIs only have the ability to get Strings. It was possible to + merge symbols into JSStringRef but that felt confusing and exposes + implementation details of our engine. The new functions match the + same meaning that they have in JS, thus should be forward + compatible with any future language extensions. + + Lastly, this patch adds the same availability preproccessing phase + in WebCore to JavaScriptCore, which enables TBA features for + testing on previous releases. + + * API/APICast.h: + * API/JSBasePrivate.h: + * API/JSContext.h: + * API/JSContextPrivate.h: + * API/JSContextRef.h: + * API/JSContextRefInternal.h: + * API/JSContextRefPrivate.h: + * API/JSManagedValue.h: + * API/JSObjectRef.cpp: + (JSObjectHasPropertyKey): + (JSObjectGetPropertyKey): + (JSObjectSetPropertyKey): + (JSObjectDeletePropertyKey): + * API/JSObjectRef.h: + * API/JSRemoteInspector.h: + * API/JSTypedArray.h: + * API/JSValue.h: + * API/JSValue.mm: + (+[JSValue valueWithNewSymbolFromDescription:inContext:]): + (performPropertyOperation): + (-[JSValue valueForProperty:valueForProperty:]): + (-[JSValue setValue:forProperty:setValue:forProperty:]): + (-[JSValue deleteProperty:deleteProperty:]): + (-[JSValue hasProperty:hasProperty:]): + (-[JSValue defineProperty:descriptor:defineProperty:descriptor:]): + (-[JSValue isSymbol]): + (-[JSValue objectForKeyedSubscript:]): + (-[JSValue setObject:forKeyedSubscript:]): + (-[JSValue valueForProperty:]): Deleted. + (-[JSValue setValue:forProperty:]): Deleted. + (-[JSValue deleteProperty:]): Deleted. + (-[JSValue hasProperty:]): Deleted. + (-[JSValue defineProperty:descriptor:]): Deleted. 
+ * API/JSValueRef.cpp: + (JSValueGetType): + (JSValueIsSymbol): + (JSValueMakeSymbol): + * API/JSValueRef.h: + * API/WebKitAvailability.h: + * API/tests/CurrentThisInsideBlockGetterTest.mm: + * API/tests/CustomGlobalObjectClassTest.c: + * API/tests/DateTests.mm: + * API/tests/JSExportTests.mm: + * API/tests/JSNode.c: + * API/tests/JSNodeList.c: + * API/tests/Node.c: + * API/tests/NodeList.c: + * API/tests/minidom.c: + * API/tests/testapi.c: + (main): + * API/tests/testapi.cpp: Added. + (APIString::APIString): + (APIString::~APIString): + (APIString::operator JSStringRef): + (APIContext::APIContext): + (APIContext::~APIContext): + (APIContext::operator JSGlobalContextRef): + (APIVector::APIVector): + (APIVector::~APIVector): + (APIVector::append): + (testCAPIViaCpp): + (TestAPI::evaluateScript): + (TestAPI::callFunction): + (TestAPI::functionReturnsTrue): + (TestAPI::check): + (TestAPI::checkJSAndAPIMatch): + (TestAPI::interestingObjects): + (TestAPI::interestingKeys): + (TestAPI::run): + * API/tests/testapi.mm: + (testObjectiveCAPIMain): + * JavaScriptCore.xcodeproj/project.pbxproj: + * config.h: + * postprocess-headers.sh: + * shell/CMakeLists.txt: + * testmem/testmem.mm: + +2018-07-25 Andy VanWagoner + + [INTL] Call Typed Array elements toLocaleString with locale and options + https://bugs.webkit.org/show_bug.cgi?id=185796 + + Reviewed by Keith Miller. + + Improve ECMA 402 compliance of typed array toLocaleString, passing along + the locale and options to element toLocaleString calls. + + * builtins/TypedArrayPrototype.js: + (toLocaleString): + +2018-07-25 Andy VanWagoner + + [INTL] Intl constructor lengths should be configurable + https://bugs.webkit.org/show_bug.cgi?id=187960 + + Reviewed by Saam Barati. + + Removed DontDelete from Intl constructor lengths. + Fixed DateTimeFormat formatToParts length. 
+ + * runtime/IntlCollatorConstructor.cpp: + (JSC::IntlCollatorConstructor::finishCreation): + * runtime/IntlDateTimeFormatConstructor.cpp: + (JSC::IntlDateTimeFormatConstructor::finishCreation): + * runtime/IntlDateTimeFormatPrototype.cpp: + (JSC::IntlDateTimeFormatPrototype::finishCreation): + * runtime/IntlNumberFormatConstructor.cpp: + (JSC::IntlNumberFormatConstructor::finishCreation): + * runtime/IntlPluralRulesConstructor.cpp: + (JSC::IntlPluralRulesConstructor::finishCreation): + +2018-07-24 Fujii Hironori + + runJITThreadLimitTests is failing + https://bugs.webkit.org/show_bug.cgi?id=187886 + + + Unreviewed build fix for MSVC. + + MSVC doen't support ternary operator without second operand. + + * dfg/DFGWorklist.cpp: + (JSC::DFG::getNumberOfDFGCompilerThreads): + (JSC::DFG::getNumberOfFTLCompilerThreads): + +2018-07-24 Commit Queue + + Unreviewed, rolling out r234183. + https://bugs.webkit.org/show_bug.cgi?id=187983 + + cause regression in Kraken gaussian blur and desaturate + (Requested by yusukesuzuki on #webkit). + + Reverted changeset: + + "[JSC] Record CoW status in ArrayProfile" + https://bugs.webkit.org/show_bug.cgi?id=187949 + https://trac.webkit.org/changeset/234183 + +2018-07-24 Yusuke Suzuki + + [JSC] Record CoW status in ArrayProfile + https://bugs.webkit.org/show_bug.cgi?id=187949 + + Reviewed by Saam Barati. + + Once CoW array is converted to non-CoW array, subsequent operations are done for this non-CoW array. + Even though these operations are performed onto both CoW and non-CoW arrays in the code, array profiles + in these code typically record only non-CoW arrays since array profiles hold only one StructureID recently + seen. This results emitting CheckStructure for non-CoW arrays in DFG, and it soon causes OSR exits due to + CoW arrays. + + In this patch, we record CoW status in ArrayProfile separately to construct more appropriate DFG::ArrayMode + speculation. To do so efficiently, we store union of seen IndexingMode in ArrayProfile. 
+ + This patch removes one of Kraken/stanford-crypto-aes's OSR exit reason, and improves the performance by 6-7%. + + baseline patched + + stanford-crypto-aes 60.893+-1.346 ^ 57.412+-1.298 ^ definitely 1.0606x faster + stanford-crypto-ccm 62.124+-1.992 58.921+-1.844 might be 1.0544x faster + + * bytecode/ArrayProfile.cpp: + (JSC::ArrayProfile::briefDescriptionWithoutUpdating): + * bytecode/ArrayProfile.h: + (JSC::asArrayModes): + We simplify asArrayModes instead of giving up Int8ArrayMode - Float64ArrayMode contiguous sequence. + + (JSC::ArrayProfile::ArrayProfile): + (JSC::ArrayProfile::addressOfObservedIndexingModes): + (JSC::ArrayProfile::observedIndexingModes const): + Currently, our macro assembler and offlineasm only support `or32` / `ori` operation onto addresses. + So storing the union of seen IndexingMode in `unsigned` instead. + + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::fromObserved): + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::withProfile const): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + * jit/JITInlines.h: + (JSC::JIT::emitArrayProfilingSiteWithCell): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2018-07-24 Tim Horton + + Enable Web Content Filtering on watchOS + https://bugs.webkit.org/show_bug.cgi?id=187979 + + + Reviewed by Wenson Hsieh. + + * Configurations/FeatureDefines.xcconfig: + +2018-07-24 Tadeu Zagallo + + Don't modify Options when setting JIT thread limits + https://bugs.webkit.org/show_bug.cgi?id=187886 + + Reviewed by Filip Pizlo. + + Previously, when setting the JIT thread limit prior to the worklist + initialization, it'd be set via Options, which didn't work if Options + hadn't been initialized yet. Change it to use a static variable in the + Worklist instead. 
+ + * API/JSVirtualMachine.mm: + (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]): + (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]): + * API/tests/testapi.mm: + (testObjectiveCAPIMain): + * dfg/DFGWorklist.cpp: + (JSC::DFG::getNumberOfDFGCompilerThreads): + (JSC::DFG::getNumberOfFTLCompilerThreads): + (JSC::DFG::setNumberOfDFGCompilerThreads): + (JSC::DFG::setNumberOfFTLCompilerThreads): + (JSC::DFG::ensureGlobalDFGWorklist): + (JSC::DFG::ensureGlobalFTLWorklist): + * dfg/DFGWorklist.h: + +2018-07-24 Mark Lam + + Refactoring: make DFG::Plan a class. + https://bugs.webkit.org/show_bug.cgi?id=187968 + + Reviewed by Saam Barati. + + This patch makes all the DFG::Plan fields private, and provide accessor methods + for them. This makes it easier to reason about how these fields are used and + modified. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::handleVarargsCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + (JSC::DFG::ByteCodeParser::handleDOMJITGetter): + (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + (JSC::DFG::ByteCodeParser::parse): + * dfg/DFGCFAPhase.cpp: + (JSC::DFG::CFAPhase::run): + (JSC::DFG::CFAPhase::injectOSR): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::notifyCompilingStructureTransition): + * dfg/DFGCommonData.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGFinalizer.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): 
+ (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::Graph): + (JSC::DFG::Graph::watchCondition): + (JSC::DFG::Graph::inferredTypeFor): + (JSC::DFG::Graph::requiredRegisterCountForExit): + (JSC::DFG::Graph::registerFrozenValues): + (JSC::DFG::Graph::registerStructure): + (JSC::DFG::Graph::registerAndWatchStructureTransition): + (JSC::DFG::Graph::assertIsRegistered): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::compilation): + (JSC::DFG::Graph::identifiers): + (JSC::DFG::Graph::watchpoints): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::JITCompiler): + (JSC::DFG::JITCompiler::link): + (JSC::DFG::JITCompiler::compile): + (JSC::DFG::JITCompiler::compileFunction): + (JSC::DFG::JITCompiler::disassemble): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::addWeakReference): + * dfg/DFGJITFinalizer.cpp: + (JSC::DFG::JITFinalizer::finalize): + (JSC::DFG::JITFinalizer::finalizeFunction): + (JSC::DFG::JITFinalizer::finalizeCommon): + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): + * dfg/DFGPhase.cpp: + (JSC::DFG::Phase::beginPhase): + * dfg/DFGPhase.h: + (JSC::DFG::runAndLog): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::Plan): + (JSC::DFG::Plan::computeCompileTimes const): + (JSC::DFG::Plan::reportCompileTimes const): + (JSC::DFG::Plan::compileInThread): + (JSC::DFG::Plan::compileInThreadImpl): + (JSC::DFG::Plan::isStillValid): + (JSC::DFG::Plan::reallyAdd): + (JSC::DFG::Plan::notifyCompiling): + (JSC::DFG::Plan::notifyReady): + (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): + (JSC::DFG::Plan::finalizeAndNotifyCallback): + (JSC::DFG::Plan::key): + (JSC::DFG::Plan::checkLivenessAndVisitChildren): + (JSC::DFG::Plan::finalizeInGC): + (JSC::DFG::Plan::isKnownToBeLiveDuringGC): + (JSC::DFG::Plan::cancel): + (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary): + * dfg/DFGPlan.h: + (JSC::DFG::Plan::canTierUpAndOSREnter const): + (JSC::DFG::Plan::vm const): + (JSC::DFG::Plan::codeBlock): + 
(JSC::DFG::Plan::mode const): + (JSC::DFG::Plan::osrEntryBytecodeIndex const): + (JSC::DFG::Plan::mustHandleValues const): + (JSC::DFG::Plan::threadData const): + (JSC::DFG::Plan::compilation const): + (JSC::DFG::Plan::finalizer const): + (JSC::DFG::Plan::setFinalizer): + (JSC::DFG::Plan::inlineCallFrames const): + (JSC::DFG::Plan::watchpoints): + (JSC::DFG::Plan::identifiers): + (JSC::DFG::Plan::weakReferences): + (JSC::DFG::Plan::transitions): + (JSC::DFG::Plan::recordedStatuses): + (JSC::DFG::Plan::willTryToTierUp const): + (JSC::DFG::Plan::setWillTryToTierUp): + (JSC::DFG::Plan::tierUpInLoopHierarchy): + (JSC::DFG::Plan::tierUpAndOSREnterBytecodes): + (JSC::DFG::Plan::stage const): + (JSC::DFG::Plan::callback const): + (JSC::DFG::Plan::setCallback): + * dfg/DFGPlanInlines.h: + (JSC::DFG::Plan::iterateCodeBlocksForGC): + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + * dfg/DFGPredictionInjectionPhase.cpp: + (JSC::DFG::PredictionInjectionPhase::run): + * dfg/DFGSafepoint.cpp: + (JSC::DFG::Safepoint::Safepoint): + (JSC::DFG::Safepoint::~Safepoint): + (JSC::DFG::Safepoint::begin): + * dfg/DFGSafepoint.h: + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer): + (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer): + * dfg/DFGStackLayoutPhase.cpp: + (JSC::DFG::StackLayoutPhase::run): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGTierUpCheckInjectionPhase.cpp: + (JSC::DFG::TierUpCheckInjectionPhase::run): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries): + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::isActiveForVM const): + (JSC::DFG::Worklist::compilationState): + (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady): + (JSC::DFG::Worklist::removeAllReadyPlansForVM): + (JSC::DFG::Worklist::completeAllReadyPlansForVM): + (JSC::DFG::Worklist::visitWeakReferences): + 
(JSC::DFG::Worklist::removeDeadPlans): + (JSC::DFG::Worklist::removeNonCompilingPlansForVM): + * dfg/DFGWorklistInlines.h: + (JSC::DFG::Worklist::iterateCodeBlocksForGC): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLFail.cpp: + (JSC::FTL::fail): + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeCommon): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset): + (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): + (JSC::FTL::DFG::LowerDFGToB3::addWeakReference): + * ftl/FTLState.cpp: + (JSC::FTL::State::State): + +2018-07-24 Saam Barati + + Make VM::canUseJIT an inlined function + https://bugs.webkit.org/show_bug.cgi?id=187583 + + Reviewed by Mark Lam. + + We know the answer to this query in initializeThreading after initializing + the executable allocator. This patch makes it so that we just hold this value + in a static variable and have an inlined function that just returns the value + of that static variable. + + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/VM.cpp: + (JSC::VM::computeCanUseJIT): + (JSC::VM::canUseJIT): Deleted. + * runtime/VM.h: + (JSC::VM::canUseJIT): + +2018-07-24 Mark Lam + + Placate exception check verification after recent changes. + https://bugs.webkit.org/show_bug.cgi?id=187961 + + + Reviewed by Saam Barati. + + * runtime/IntlObject.cpp: + (JSC::intlNumberOption): + +2018-07-23 Saam Barati + + need to didFoldClobberWorld when we constant fold GetByVal + https://bugs.webkit.org/show_bug.cgi?id=187917 + + + Reviewed by Yusuke Suzuki. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2018-07-23 Andy VanWagoner + + [INTL] Language tags are not canonicalized + https://bugs.webkit.org/show_bug.cgi?id=185836 + + Reviewed by Keith Miller. + + Canonicalize language tags, replacing deprecated tag parts with the + preferred values. 
Remove broken support for algorithmic numbering systems, + that can cause an error in icu, and are not supported in other engines. + + Generate the lookup functions from the language-subtag-registry. + + Also initialize the UNumberFormat in initializeNumberFormat so any + failures are thrown immediately instead of failing to format later. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/generateIntlCanonicalizeLanguage.py: Added. + * runtime/IntlDateTimeFormat.cpp: + (JSC::IntlDateTimeFormat::initializeDateTimeFormat): + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::initializeNumberFormat): + (JSC::IntlNumberFormat::formatNumber): + (JSC::IntlNumberFormat::formatToParts): + (JSC::IntlNumberFormat::createNumberFormat): Deleted. + * runtime/IntlNumberFormat.h: + * runtime/IntlObject.cpp: + (JSC::intlNumberOption): + (JSC::intlDefaultNumberOption): + (JSC::preferredLanguage): + (JSC::preferredRegion): + (JSC::canonicalLangTag): + (JSC::canonicalizeLanguageTag): + (JSC::defaultLocale): + (JSC::removeUnicodeLocaleExtension): + (JSC::numberingSystemsForLocale): + (JSC::grandfatheredLangTag): Deleted. + * runtime/IntlObject.h: + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::initializePluralRules): + * runtime/JSGlobalObject.cpp: + (JSC::addMissingScriptLocales): + (JSC::JSGlobalObject::intlCollatorAvailableLocales): + (JSC::JSGlobalObject::intlDateTimeFormatAvailableLocales): + (JSC::JSGlobalObject::intlNumberFormatAvailableLocales): + (JSC::JSGlobalObject::intlPluralRulesAvailableLocales): + * ucd/language-subtag-registry.txt: Added. + +2018-07-23 Mark Lam + + Add some asserts to help diagnose a crash. + https://bugs.webkit.org/show_bug.cgi?id=187915 + + + Reviewed by Michael Saboff. + + Add some asserts to verify that an CodeBlock alternative should always have a + non-null jitCode. 
Also change a RELEASE_ASSERT_NOT_REACHED() in + CodeBlock::setOptimizationThresholdBasedOnCompilationResult() to a RELEASE_ASSERT() + so that we'll retain the state of the variables that failed the assertion (again + to help with diagnosis). + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::setAlternative): + (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::Plan): + +2018-07-23 Filip Pizlo + + Unreviewed, fix no-JIT build. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeUnconditionally): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFor): + (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/InByIdStatus.cpp: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + +2018-07-22 Yusuke Suzuki + + [JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants + https://bugs.webkit.org/show_bug.cgi?id=187891 + + Reviewed by Saam Barati. + + When merging GetByIdVariant and InByIdVariant, we accidentally make merging failed if + two variants are mergeable but they have "Miss" status. We make merging failed if + the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable + if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL, + which patch have more chances to merge variants. + + This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant + is not related since it does not use this check in Transition case. + + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::attemptToMerge): + * bytecode/InByIdVariant.cpp: + (JSC::InByIdVariant::attemptToMerge): + +2018-07-22 Yusuke Suzuki + + [DFG] Fold GetByVal if the indexed value is non configurable and non writable + https://bugs.webkit.org/show_bug.cgi?id=186462 + + Reviewed by Saam Barati. 
+ + Non-special DontDelete | ReadOnly properties mean that it won't be changed. If DFG AI can retrieve this + property, AI can fold it into a constant. This type of property can be seen when we use ES6 tagged templates. + Tagged templates' callsite includes indexed properties whose attributes are DontDelete | ReadOnly. + + This patch attempts to fold such properties into constant in DFG AI. The challenge is that DFG AI runs + concurrently with the mutator thread. In this patch, we insert WTF::storeStoreFence between value setting + and attributes setting. The attributes must be set after the corresponding value is set. If the loaded + attributes (with WTF::loadLoadFence) include DontDelete | ReadOnly, it means the given value won't be + changed and we can safely use it. We arrange our existing code to use this protocol. + + Since GetByVal folding requires the correct Structure & Butterfly pairs, it is only enabled in x86 architecture + since it is TSO. So, our WTF::storeStoreFence in SparseArrayValueMap is also emitted only in x86. + + This patch improves SixSpeed/template_string_tag.es6. + + baseline patched + + template_string_tag.es6 237.0301+-4.8374 ^ 9.8779+-0.3628 ^ definitely 23.9960x faster + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * runtime/JSArray.cpp: + (JSC::JSArray::setLengthWithArrayStorage): + * runtime/JSObject.cpp: + (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): + (JSC::JSObject::deletePropertyByIndex): + (JSC::JSObject::getOwnPropertyNames): + (JSC::putIndexedDescriptor): + (JSC::JSObject::defineOwnIndexedProperty): + (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype): + (JSC::JSObject::putIndexedDescriptor): Deleted. 
+ * runtime/JSObject.h: + * runtime/SparseArrayValueMap.cpp: + (JSC::SparseArrayValueMap::SparseArrayValueMap): + (JSC::SparseArrayValueMap::add): + (JSC::SparseArrayValueMap::putDirect): + (JSC::SparseArrayValueMap::getConcurrently): + (JSC::SparseArrayEntry::get const): + (JSC::SparseArrayEntry::getConcurrently const): + (JSC::SparseArrayEntry::put): + (JSC::SparseArrayEntry::getNonSparseMode const): + (JSC::SparseArrayValueMap::visitChildren): + (JSC::SparseArrayValueMap::~SparseArrayValueMap): Deleted. + * runtime/SparseArrayValueMap.h: + (JSC::SparseArrayEntry::SparseArrayEntry): + (JSC::SparseArrayEntry::attributes const): + (JSC::SparseArrayEntry::forceSet): + (JSC::SparseArrayEntry::asValue): + +2018-06-02 Filip Pizlo + + We should support CreateThis in the FTL + https://bugs.webkit.org/show_bug.cgi?id=164904 + + Reviewed by Yusuke Suzuki. + + This started with Saam's patch to implement CreateThis in the FTL, but turned into a type + inference adventure. + + CreateThis in the FTL was a massive regression in raytrace because it disturbed that + benchmark's extremely perverse way of winning at type inference: + + - The benchmark wanted polyvariant devirtualization of an object construction helper. But, + the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the + benchmark was falling back to other mechanisms... + + - The construction helper could not tier up into the FTL. When the DFG compiled it, it would + see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a + GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now + that the helper was compiled by the DFG, the baseline get_by_id would not see those cases. + The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see + is larger than our polymorphic list limit (limit = 8, case count = 13, I think). 
+ + Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them + into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to + baseline, which then sees those cases. Luckily, the FTL was not compiling the construction + helper because it had a CreateThis. + + - Compilations that inlined the construction helper would have gotten super lucky with + parse-time constant folding, so they knew what structure the input to the get_by_id would + have at parse time. This is only profitable if the get_by_id parsing computed a + GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by + the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4 + cases, we would indeed get a finite number of cases. The parser would then prune those + cases to just one - based on its knowledge of the structure - and that would result in that + get_by_id being folded at parse time to a constant. + + - The subsequent op_call would inline based on parse-time knowledge of that constant. + + This patch comprehensively fixes these issues, as well as other issues that come up along the + way. The short version is that raytrace was revealing sloppiness in our use of profiling for + type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling, + i.e. the profiling that considers call context. I was encouraged to do this by the fact that + even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and + Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to + attack raytrace's problem as a shortcoming of polyvariant profiling. + + - Polyvariant profiling now consults every DFG or FTL code block that participated in any + subset of the inline stack that includes the IC we're profiling. 
For example, if we have + an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL + compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look + up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that + a DFG GetById cannot hide anything from the profiling of that get_by_id, since the + polyvariant profiling code will always consult it. Second, it enables raytrace to benefit + from polyvariant profling. Previously, the polyvariant profiler would only look at the + previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo + had inlined bar and then baz. It may not have done that, because those calls could have + required polyvariant profiling that was only available in the FTL. + + - A particularly interesting case is when some IC in foo-baseline is also available in + foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack. + In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via + the trivial case of no inline stack. This also means that if foo ever gets inlined, we will + find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now + merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations, + because it warns us of historical polymorphism. Historical polymorphism usually means + future polymorphism. IC status code already had some merging functionality, but I needed to + beef it up a lot to make this work right. + + - Inlining an inline cache now preserves as much information as profiling. One challenge of + polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have + inlined an inline cache based on polyvariant profiling. 
So, when the FTL compile for foo + (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will + say "I don't have such an IC". At this point the DFG compilation that included that IC that + gave us the information that we used to inline the IC is no longer alive. To keep us from + losing the information we learned about the IC, there is now a RecordedStatuses data + structure that preserves the statuses we use for inlining ICs. We also filter those + statuses according to things we learn from AI. This further reduces the risk of information + about an IC being forgotten. + + - Exit profiling now considers whether or not an exit happened from inline code. This + protects us in the case where the not-inlined version of an IC exited a lot because of + polymorphism that doesn't exist in the inlined version. So, when using polyvariant + profiling data, we consider only inlined exits. + + - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this + would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's + surprising that we've had this bug. + + Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in + microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%. + Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing + prototype access folding in the bytecode parser and constant folder. That would require some + significant new logic in GetByIdStatus. That would also require a new benchmark - we want to + have a test that captures raytrace's behavior in the case that the parser cannot fold the + get_by_id. + + This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than + recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a + compile time regression anytime we fill in FTL coverage. 
+ + This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue + speeds up and that raytrace slows down, but these changes balance out and don't affect the + overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups + or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~ + 0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't + see a significant difference. In all three cases the difference is <0.5% with a high p value, + with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being + an insignificant infinitesimal slow-down. + + Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an + eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control + flow in a polymorphic constructor while having a bad time, and we'll still compile it. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/ByValInfo.h: + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printGetByIdCacheStatus): + (JSC::BytecodeDumper::printPutByIdCacheStatus): + (JSC::BytecodeDumper::printInByIdCacheStatus): + (JSC::BytecodeDumper::dumpCallLinkStatus): + (JSC::BytecodeDumper::dumpCallLinkStatus): + (JSC::BytecodeDumper::printCallOp): + (JSC::BytecodeDumper::dumpBytecode): + (JSC::BytecodeDumper::dumpBlock): + * bytecode/BytecodeDumper.h: + * bytecode/CallLinkInfo.h: + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::computeExitSiteData): + (JSC::CallLinkStatus::computeFromCallLinkInfo): + (JSC::CallLinkStatus::accountForExits): + (JSC::CallLinkStatus::finalize): + (JSC::CallLinkStatus::filter): + (JSC::CallLinkStatus::computeDFGStatuses): Deleted. + * bytecode/CallLinkStatus.h: + (JSC::CallLinkStatus::operator bool const): + (JSC::CallLinkStatus::operator! const): Deleted. 
+ * bytecode/CallVariant.cpp: + (JSC::CallVariant::finalize): + (JSC::CallVariant::filter): + * bytecode/CallVariant.h: + (JSC::CallVariant::operator bool const): + (JSC::CallVariant::operator! const): Deleted. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::getICStatusMap): + (JSC::CodeBlock::resetJITData): + (JSC::CodeBlock::getStubInfoMap): Deleted. + (JSC::CodeBlock::getCallLinkInfoMap): Deleted. + (JSC::CodeBlock::getByValInfoMap): Deleted. + * bytecode/CodeBlock.h: + * bytecode/CodeOrigin.cpp: + (JSC::CodeOrigin::isApproximatelyEqualTo const): + (JSC::CodeOrigin::approximateHash const): + * bytecode/CodeOrigin.h: + (JSC::CodeOrigin::exitingInlineKind const): + * bytecode/DFGExitProfile.cpp: + (JSC::DFG::FrequentExitSite::dump const): + (JSC::DFG::ExitProfile::add): + * bytecode/DFGExitProfile.h: + (JSC::DFG::FrequentExitSite::FrequentExitSite): + (JSC::DFG::FrequentExitSite::operator== const): + (JSC::DFG::FrequentExitSite::subsumes const): + (JSC::DFG::FrequentExitSite::hash const): + (JSC::DFG::FrequentExitSite::inlineKind const): + (JSC::DFG::FrequentExitSite::withInlineKind const): + (JSC::DFG::QueryableExitProfile::hasExitSite const): + (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const): + (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const): + * bytecode/ExitFlag.cpp: Added. + (JSC::ExitFlag::dump const): + * bytecode/ExitFlag.h: Added. + (JSC::ExitFlag::ExitFlag): + (JSC::ExitFlag::operator| const): + (JSC::ExitFlag::operator|=): + (JSC::ExitFlag::operator& const): + (JSC::ExitFlag::operator&=): + (JSC::ExitFlag::operator bool const): + (JSC::ExitFlag::isSet const): + * bytecode/ExitingInlineKind.cpp: Added. + (WTF::printInternal): + * bytecode/ExitingInlineKind.h: Added. 
+ * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFor): + (JSC::GetByIdStatus::computeForStubInfo): + (JSC::GetByIdStatus::slowVersion const): + (JSC::GetByIdStatus::markIfCheap): + (JSC::GetByIdStatus::finalize): + (JSC::GetByIdStatus::hasExitSite): Deleted. + * bytecode/GetByIdStatus.h: + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::markIfCheap): + (JSC::GetByIdVariant::finalize): + * bytecode/GetByIdVariant.h: + * bytecode/ICStatusMap.cpp: Added. + (JSC::ICStatusContext::get const): + (JSC::ICStatusContext::isInlined const): + (JSC::ICStatusContext::inlineKind const): + * bytecode/ICStatusMap.h: Added. + * bytecode/ICStatusUtils.cpp: Added. + (JSC::hasBadCacheExitSite): + * bytecode/ICStatusUtils.h: + * bytecode/InstanceOfStatus.cpp: + (JSC::InstanceOfStatus::computeFor): + * bytecode/InstanceOfStatus.h: + * bytecode/PolyProtoAccessChain.h: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::hasExitSite): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::slowVersion const): + (JSC::PutByIdStatus::markIfCheap): + (JSC::PutByIdStatus::finalize): + (JSC::PutByIdStatus::filter): + * bytecode/PutByIdStatus.h: + * bytecode/PutByIdVariant.cpp: + (JSC::PutByIdVariant::markIfCheap): + (JSC::PutByIdVariant::finalize): + * bytecode/PutByIdVariant.h: + (JSC::PutByIdVariant::structureSet const): + * bytecode/RecordedStatuses.cpp: Added. + (JSC::RecordedStatuses::operator=): + (JSC::RecordedStatuses::RecordedStatuses): + (JSC::RecordedStatuses::addCallLinkStatus): + (JSC::RecordedStatuses::addGetByIdStatus): + (JSC::RecordedStatuses::addPutByIdStatus): + (JSC::RecordedStatuses::markIfCheap): + (JSC::RecordedStatuses::finalizeWithoutDeleting): + (JSC::RecordedStatuses::finalize): + (JSC::RecordedStatuses::shrinkToFit): + * bytecode/RecordedStatuses.h: Added. 
+ (JSC::RecordedStatuses::RecordedStatuses): + (JSC::RecordedStatuses::forEachVector): + * bytecode/StructureSet.cpp: + (JSC::StructureSet::markIfCheap const): + (JSC::StructureSet::isStillAlive const): + * bytecode/StructureSet.h: + * bytecode/TerminatedCodeOrigin.h: Added. + (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin): + (JSC::TerminatedCodeOriginHashTranslator::hash): + (JSC::TerminatedCodeOriginHashTranslator::equal): + * bytecode/Watchpoint.cpp: + (WTF::printInternal): + * bytecode/Watchpoint.h: + * dfg/DFGAbstractInterpreter.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::filterICStatus): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::handleVarargsCall): + (JSC::DFG::ByteCodeParser::handleDOMJITGetter): + (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry): + (JSC::DFG::ByteCodeParser::parse): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGCommonData.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDesiredWatchpoints.h: + (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasCallLinkStatus): + (JSC::DFG::Node::callLinkStatus): + (JSC::DFG::Node::hasGetByIdStatus): + (JSC::DFG::Node::getByIdStatus): + (JSC::DFG::Node::hasPutByIdStatus): + (JSC::DFG::Node::putByIdStatus): + * dfg/DFGNodeType.h: + * 
dfg/DFGOSRExitBase.cpp: + (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::reallyAdd): + (JSC::DFG::Plan::checkLivenessAndVisitChildren): + (JSC::DFG::Plan::finalizeInGC): + * dfg/DFGPlan.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::removeDeadPlans): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis): + (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus): + * jit/PolymorphicCallStubRoutine.cpp: + (JSC::PolymorphicCallStubRoutine::hasEdges const): + (JSC::PolymorphicCallStubRoutine::edges const): + * jit/PolymorphicCallStubRoutine.h: + * profiler/ProfilerBytecodeSequence.cpp: + (JSC::Profiler::BytecodeSequence::BytecodeSequence): + * runtime/FunctionRareData.cpp: + (JSC::FunctionRareData::initializeObjectAllocationProfile): + * runtime/Options.h: + +2018-07-21 Yusuke Suzuki + + [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function + https://bugs.webkit.org/show_bug.cgi?id=187472 + + Reviewed by Mark Lam. + + std::function allocates memory from standard malloc instead of bmalloc. Instead of + using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}. + + This patch attempts to replace std::function with the above WTF function types. + If the function's lifetime can be the same to the stack, we can use ScopedLambda, which + is really efficient. Otherwise, we should use WTF::Function. 
+ For recurring use cases, we can use RecursableLambda. + + * assembler/MacroAssembler.cpp: + (JSC::stdFunctionCallback): + (JSC::MacroAssembler::probe): + * assembler/MacroAssembler.h: + * b3/air/AirDisassembler.cpp: + (JSC::B3::Air::Disassembler::dump): + * b3/air/AirDisassembler.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack): + (JSC::BytecodeGenerator::emitEnumeration): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayNode::emitBytecode): + (JSC::ApplyFunctionCallDotNode::emitBytecode): + (JSC::ForOfNode::emitBytecode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda): + (JSC::DFG::SpeculativeJIT::compileMathIC): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::json): + * heap/HeapSnapshotBuilder.h: + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::Frame::dump const): + * interpreter/StackVisitor.h: + * runtime/PromiseDeferredTimer.h: + * runtime/VM.cpp: + (JSC::VM::whenIdle): + (JSC::enableProfilerWithRespectToCount): + (JSC::disableProfilerWithRespectToCount): + * runtime/VM.h: + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::addDidPopListener): + * runtime/VMEntryScope.h: + * tools/HeapVerifier.cpp: + (JSC::HeapVerifier::verifyCellList): + (JSC::HeapVerifier::validateCell): + (JSC::HeapVerifier::validateJSCell): + * tools/HeapVerifier.h: + +2018-07-20 Michael Saboff + + DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray + https://bugs.webkit.org/show_bug.cgi?id=187827 + rdar://problem/42146858 + + Reviewed by Saam Barati. 
+ + When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility + that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape). + We can't end up with other shapes, Int32, Double, etc because GenericArguments sets + InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a + putByIndex() path that doesn't change the shape. + + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): + +2018-07-20 Yusuke Suzuki + + [DFG] Fold GetByVal if Array is CoW + https://bugs.webkit.org/show_bug.cgi?id=186459 + + Reviewed by Saam Barati. + + CoW indexing type means that we now tracks the changes in CoW Array by structure. So DFG has a chance to + fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure + is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly. + + This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access + to these constant arrays can be folded into an actual constant by this patch. + + baseline patched + + template_string.es6 4993.9853+-147.5308 ^ 824.1685+-44.1839 ^ definitely 6.0594x faster + template_string_tag.es5 67.0822+-2.0100 ^ 9.3540+-0.5376 ^ definitely 7.1715x faster + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2018-07-20 Yusuke Suzuki + + [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage + https://bugs.webkit.org/show_bug.cgi?id=186602 + + Reviewed by Saam Barati. + + JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not + change the part of the butterfly, length etc. We prove that our procedure is safe, and + drop the cellLock() here. 
+ + * runtime/JSObject.cpp: + (JSC::JSObject::convertContiguousToArrayStorage): + +2018-07-20 Saam Barati + + CompareEq should be using KnownOtherUse instead of OtherUse + https://bugs.webkit.org/show_bug.cgi?id=186814 + + + Reviewed by Filip Pizlo. + + CompareEq in fixup phase was doing this: + insertCheck(child, OtherUse) + setUseKind(child, OtherUse) + And in the DFG/FTL backend, it would not emit a check for OtherUse. This could + lead to edge verification crashing because a phase may optimize the check out + by removing the node. However, AI may not be privy to that optimization, and + AI may think the incoming value may not be Other. AI is expecting the DFG/FTL + backend to actually emit a check here, but it does not. + + This exact pattern is why we have KnownXYZ use kinds. This patch introduces + KnownOtherUse and changes the above pattern to be: + insertCheck(child, OtherUse) + setUseKind(child, KnownOtherUse) + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::shouldNotHaveTypeCheck): + (JSC::DFG::checkMayCrashIfInputIsEmpty): + * dfg/DFGWatchpointCollectionPhase.cpp: + (JSC::DFG::WatchpointCollectionPhase::handle): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq): + (JSC::FTL::DFG::LowerDFGToB3::speculate): + +2018-07-20 Yusuke Suzuki + + [JSC] A bit performance improvement for Object.assign by cleaning up code + https://bugs.webkit.org/show_bug.cgi?id=187852 + + Reviewed by Saam Barati. + + We clean up Object.assign code a bit. + + 1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly. + 2. canDoFastPath is not necessary. 
Restructuring the code to clean up things. + + It improves the performance a bit. + + baseline patched + + object-assign.es6 237.7719+-5.5175 231.2856+-4.6907 might be 1.0280x faster + + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorAssign): + +2018-07-19 Carlos Garcia Campos + + [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given + https://bugs.webkit.org/show_bug.cgi?id=187798 + + Reviewed by Michael Catanzaro. + + Because a JSCClass is pretty much useless without an instance in this case. It should be similar to + jsc_value_new_object() because indeed we are creating a new object. This makes destroy function and vtable + functions to work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this + patch adds JSAPIWrapperGlobalObject or that. + + * API/glib/JSAPIWrapperGlobalObject.cpp: Added. + (jsAPIWrapperGlobalObjectHandleOwner): + (JSAPIWrapperGlobalObjectHandleOwner::finalize): + (JSC::JSCallbackObject::createStructure): + (JSC::JSCallbackObject::create): + (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject): + (JSC::JSAPIWrapperGlobalObject::finishCreation): + (JSC::JSAPIWrapperGlobalObject::visitChildren): + * API/glib/JSAPIWrapperGlobalObject.h: Added. + (JSC::JSAPIWrapperGlobalObject::wrappedObject const): + (JSC::JSAPIWrapperGlobalObject::setWrappedObject): + * API/glib/JSCClass.cpp: + (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject. + (wrappedObjectClass): Return the class of a wrapped object. + (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the + scope extension global object is used instead. + (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject. + (setProperty): Ditto. + (hasProperty): Ditto. + (deleteProperty): Ditto. + (getPropertyNames): Ditto. 
+ (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper(). + * API/glib/JSCClassPrivate.h: + * API/glib/JSCContext.cpp: + (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper(). + (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given. + * API/glib/JSCContext.h: + * API/glib/JSCContextPrivate.h: + * API/glib/JSCWrapperMap.cpp: + (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here + when a JSCClass is used to create the JSAPIWrapperGlobalObject. + (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject. + * API/glib/JSCWrapperMap.h: + * GLib.cmake: + +2018-07-19 Saam Barati + + Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash + https://bugs.webkit.org/show_bug.cgi?id=187836 + + + Reviewed by Mark Lam. + + We have crash reports that we're crashing on source->getDirect in Object.assign's + fast path. Mark investigated this and determined we end up with a nullptr for + butterfly. This is curious, because source's Structure indicated that it has + out of line properties. My leading hypothesis for this at the moment is a bit + handwavy, but it's essentially: + - We end up firing a watchpoint when assigning to the target (this can happen + if a watchpoint was set up for storing to that particular field) + - When we fire that watchpoint, we end up doing some kind work on the source, + perhaps causing it to flattenDictionaryStructure. Therefore, we end up + mutating source. + + I'm not super convinced this is what we're running into, but just by reading + the code, I think it needs to be something similar to this. Seeing if this change + fixes the crasher will give us good data to determine if something like this is + happening or if the bug is something else entirely. 
+ + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorAssign): + +2018-07-19 Commit Queue + + Unreviewed, rolling out r233998. + https://bugs.webkit.org/show_bug.cgi?id=187815 + + Not needed. (Requested by mlam|a on #webkit). + + Reverted changeset: + + "Temporarily mitigate a bug where a source provider is null + when it shouldn't be." + https://bugs.webkit.org/show_bug.cgi?id=187812 + https://trac.webkit.org/changeset/233998 + +2018-07-19 Mark Lam + + Temporarily mitigate a bug where a source provider is null when it shouldn't be. + https://bugs.webkit.org/show_bug.cgi?id=187812 + + + Reviewed by Michael Saboff. + + Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811. + + * runtime/Error.cpp: + (JSC::addErrorInfo): + +2018-07-19 Keith Rollin + + Adjust WEBCORE_EXPORT annotations for LTO + https://bugs.webkit.org/show_bug.cgi?id=187781 + + + Reviewed by Alex Christensen. + + Continuation of Bug 186944. This bug addresses issues not caught + during the first pass of adjustments. The initial work focussed on + macOS; this one addresses issues found when building for iOS. From + 186944: + + Adjust a number of places that result in WebKit's + 'check-for-weak-vtables-and-externals' script reporting weak external + symbols: + + ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore) + ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library. + ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file. + ... + + These cases are caused by inline methods being marked with WTF_EXPORT + (or related macro) or with an inline function being in a class marked + as such, and when enabling LTO builds. + + For the most part, address these by removing the WEBCORE_EXPORT + annotation from inline methods. 
In some cases, move the implementation + out-of-line because it's the class that has the WEBCORE_EXPORT on it + and removing the annotation from the class would be too disruptive. + Finally, in other cases, move the implementation out-of-line because + check-for-weak-vtables-and-externals still complains when keeping the + implementation inline and removing the annotation; this seems to + typically (but not always) happen with destructors. + + * inspector/remote/RemoteAutomationTarget.cpp: + (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget): + * inspector/remote/RemoteAutomationTarget.h: + * inspector/remote/RemoteInspector.cpp: + (Inspector::RemoteInspector::Client::~Client): + * inspector/remote/RemoteInspector.h: + +2018-07-19 Yusuke Suzuki + + Unreviewed, check scope after performing getPropertySlot in JSON.stringify + https://bugs.webkit.org/show_bug.cgi?id=187807 + + Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism + that we know that exception occurrence and handle it well. + + * runtime/JSONObject.cpp: + (JSC::Stringifier::Holder::appendNextProperty): + +2018-07-18 Yusuke Suzuki + + [JSC] Reduce size of AST nodes + https://bugs.webkit.org/show_bug.cgi?id=187689 + + Reviewed by Mark Lam. + + We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption + of ParserArena at peak state. + + 1. Annotate `final` to AST nodes to make them solid. And it allows the compiler to + devirtualize a call to the function which are implemented in a final class. + + 2. Use default member initializers more. + + 3. And use `nullptr` instead of `0`. + + 4. Arrange the layout of AST nodes to reduce the size. It includes changing the order + of classes in multiple inheritance. In particular, StatementNode is decreased from 48 + to 40. This decreases the sizes of all the derived Statement nodes. 
+ + * parser/NodeConstructors.h: + (JSC::Node::Node): + (JSC::StatementNode::StatementNode): + (JSC::ElementNode::ElementNode): + (JSC::ArrayNode::ArrayNode): + (JSC::PropertyListNode::PropertyListNode): + (JSC::ObjectLiteralNode::ObjectLiteralNode): + (JSC::ArgumentListNode::ArgumentListNode): + (JSC::ArgumentsNode::ArgumentsNode): + (JSC::NewExprNode::NewExprNode): + (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode): + (JSC::BinaryOpNode::BinaryOpNode): + (JSC::LogicalOpNode::LogicalOpNode): + (JSC::CommaNode::CommaNode): + (JSC::SourceElements::SourceElements): + (JSC::ClauseListNode::ClauseListNode): + * parser/Nodes.cpp: + (JSC::FunctionMetadataNode::FunctionMetadataNode): + (JSC::FunctionMetadataNode::operator== const): + (JSC::FunctionMetadataNode::dump const): + * parser/Nodes.h: + (JSC::BooleanNode::value): Deleted. + (JSC::StringNode::value): Deleted. + (JSC::TemplateExpressionListNode::value): Deleted. + (JSC::TemplateExpressionListNode::next): Deleted. + (JSC::TemplateStringNode::cooked): Deleted. + (JSC::TemplateStringNode::raw): Deleted. + (JSC::TemplateStringListNode::value): Deleted. + (JSC::TemplateStringListNode::next): Deleted. + (JSC::TemplateLiteralNode::templateStrings const): Deleted. + (JSC::TemplateLiteralNode::templateExpressions const): Deleted. + (JSC::TaggedTemplateNode::templateLiteral const): Deleted. + (JSC::ResolveNode::identifier const): Deleted. + (JSC::ElementNode::elision const): Deleted. + (JSC::ElementNode::value): Deleted. + (JSC::ElementNode::next): Deleted. + (JSC::ArrayNode::elements const): Deleted. + (JSC::PropertyNode::expressionName const): Deleted. + (JSC::PropertyNode::name const): Deleted. + (JSC::PropertyNode::type const): Deleted. + (JSC::PropertyNode::needsSuperBinding const): Deleted. + (JSC::PropertyNode::isClassProperty const): Deleted. + (JSC::PropertyNode::isStaticClassProperty const): Deleted. + (JSC::PropertyNode::isInstanceClassProperty const): Deleted. 
+ (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted. + (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted. + (JSC::PropertyNode::putType const): Deleted. + (JSC::BracketAccessorNode::base const): Deleted. + (JSC::BracketAccessorNode::subscript const): Deleted. + (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted. + (JSC::DotAccessorNode::base const): Deleted. + (JSC::DotAccessorNode::identifier const): Deleted. + (JSC::SpreadExpressionNode::expression const): Deleted. + (JSC::ObjectSpreadExpressionNode::expression const): Deleted. + (JSC::BytecodeIntrinsicNode::type const): Deleted. + (JSC::BytecodeIntrinsicNode::emitter const): Deleted. + (JSC::BytecodeIntrinsicNode::identifier const): Deleted. + (JSC::TypeOfResolveNode::identifier const): Deleted. + (JSC::BitwiseNotNode::expr): Deleted. + (JSC::BitwiseNotNode::expr const): Deleted. + (JSC::AssignResolveNode::identifier const): Deleted. + (JSC::ExprStatementNode::expr const): Deleted. + (JSC::ForOfNode::isForAwait const): Deleted. + (JSC::ReturnNode::value): Deleted. + (JSC::ProgramNode::startColumn const): Deleted. + (JSC::ProgramNode::endColumn const): Deleted. + (JSC::EvalNode::startColumn const): Deleted. + (JSC::EvalNode::endColumn const): Deleted. + (JSC::ModuleProgramNode::startColumn const): Deleted. + (JSC::ModuleProgramNode::endColumn const): Deleted. + (JSC::ModuleProgramNode::moduleScopeData): Deleted. + (JSC::ModuleNameNode::moduleName): Deleted. + (JSC::ImportSpecifierNode::importedName): Deleted. + (JSC::ImportSpecifierNode::localName): Deleted. + (JSC::ImportSpecifierListNode::specifiers const): Deleted. + (JSC::ImportSpecifierListNode::append): Deleted. + (JSC::ImportDeclarationNode::specifierList const): Deleted. + (JSC::ImportDeclarationNode::moduleName const): Deleted. + (JSC::ExportAllDeclarationNode::moduleName const): Deleted. + (JSC::ExportDefaultDeclarationNode::declaration const): Deleted. + (JSC::ExportDefaultDeclarationNode::localName const): Deleted. 
+ (JSC::ExportLocalDeclarationNode::declaration const): Deleted. + (JSC::ExportSpecifierNode::exportedName): Deleted. + (JSC::ExportSpecifierNode::localName): Deleted. + (JSC::ExportSpecifierListNode::specifiers const): Deleted. + (JSC::ExportSpecifierListNode::append): Deleted. + (JSC::ExportNamedDeclarationNode::specifierList const): Deleted. + (JSC::ExportNamedDeclarationNode::moduleName const): Deleted. + (JSC::ArrayPatternNode::appendIndex): Deleted. + (JSC::ObjectPatternNode::appendEntry): Deleted. + (JSC::ObjectPatternNode::setContainsRestElement): Deleted. + (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted. + (JSC::DestructuringAssignmentNode::bindings): Deleted. + (JSC::FunctionParameters::size const): Deleted. + (JSC::FunctionParameters::append): Deleted. + (JSC::FunctionParameters::isSimpleParameterList const): Deleted. + (JSC::FuncDeclNode::metadata): Deleted. + (JSC::CaseClauseNode::expr const): Deleted. + (JSC::CaseClauseNode::setStartOffset): Deleted. + (JSC::ClauseListNode::getClause const): Deleted. + (JSC::ClauseListNode::getNext const): Deleted. + * runtime/ExceptionHelpers.cpp: + * runtime/JSObject.cpp: + +2018-07-18 Yusuke Suzuki + + JSON.stringify should emit non own properties if second array argument includes + https://bugs.webkit.org/show_bug.cgi?id=187724 + + Reviewed by Mark Lam. + + According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]], + instead of [[GetOwnProperty]]. It means that we would look up a properties defined + in [[Prototype]] or upper objects in the prototype chain. While enumeration is done + by using EnumerableOwnPropertyNames typically, we can pass replacer array including + property names which does not reside in the own properties. Or we can modify the + own properties by deleting properties while JSON.stringify is calling a getter. So, + using [[Get]] instead of [[GetOwnProperty]] is user-visible. 
+ + This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec. + The performance of Kraken/json-stringify-tinderbox is neutral. + + [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty + + * runtime/JSONObject.cpp: + (JSC::Stringifier::toJSON): + (JSC::Stringifier::toJSONImpl): + (JSC::Stringifier::appendStringifiedValue): + (JSC::Stringifier::Holder::Holder): + (JSC::Stringifier::Holder::appendNextProperty): + +2018-07-18 Yusuke Suzuki + + [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks + https://bugs.webkit.org/show_bug.cgi?id=187755 + + Reviewed by Mark Lam. + + JSON.stringify used `inherits(vm)` to determine whether the given replacer is an array replacer. + But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference + makes one test262 test failed. + + This patch changes the code to using `isArray()`. And we reorder the evaluations of replacer check and ident space check + to align these checks to the spec's order. + + [1]: https://tc39.github.io/ecma262/#sec-json.stringify + + * runtime/JSONObject.cpp: + (JSC::Stringifier::Stringifier): + +2018-07-18 Yusuke Suzuki + + [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable + https://bugs.webkit.org/show_bug.cgi?id=187752 + + Reviewed by Mark Lam. + + JSON.stringify has an implicit root wrapper object since we would like to call replacer + with a wrapper object and a property name. While we always create this wrapper object, + it is unnecessary if the given replacer is not callable. + + This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary + allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox. 
+ + baseline patched + + json-stringify-tinderbox 39.730+-0.590 ^ 38.853+-0.266 ^ definitely 1.0226x faster + + * runtime/JSONObject.cpp: + (JSC::Stringifier::isCallableReplacer const): + (JSC::Stringifier::Stringifier): + (JSC::Stringifier::stringify): + (JSC::Stringifier::appendStringifiedValue): + +2018-07-18 Carlos Garcia Campos + + [GLIB] Add jsc_context_check_syntax() to GLib API + https://bugs.webkit.org/show_bug.cgi?id=187694 + + Reviewed by Yusuke Suzuki. + + A new function to be able to check for syntax errors without actually evaluating the code. + + * API/glib/JSCContext.cpp: + (jsc_context_check_syntax): + * API/glib/JSCContext.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-07-17 Keith Miller + + Revert r233630 since it broke internal wasm benchmarks + https://bugs.webkit.org/show_bug.cgi?id=187746 + + Unreviewed revert. + + This patch seems to have broken internal Wasm benchmarks. This + issue is likely due to an underlying bug but let's rollout while + we investigate. + + * bytecode/CodeType.h: + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::codeType const): + (JSC::UnlinkedCodeBlock::didOptimize const): + (JSC::UnlinkedCodeBlock::setDidOptimize): + * bytecode/VirtualRegister.h: + (JSC::VirtualRegister::VirtualRegister): + (): Deleted. + +2018-07-17 Mark Lam + + CodeBlock::baselineVersion() should account for executables with purged codeBlocks. + https://bugs.webkit.org/show_bug.cgi?id=187736 + + + Reviewed by Michael Saboff. + + CodeBlock::baselineVersion() currently checks for a null replacement but does not + account for the fact that that the replacement can also be null due to the + executable having being purged of its codeBlocks due to a memory event (see + ExecutableBase::clearCode()). This patch adds code to account for this. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::baselineVersion): + +2018-07-16 Yusuke Suzuki + + [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets + https://bugs.webkit.org/show_bug.cgi?id=187709 + + Reviewed by Mark Lam. + + UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking. + + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::shrinkToFit): + +2018-07-16 Yusuke Suzuki + + [JSC] Make SourceParseMode small + https://bugs.webkit.org/show_bug.cgi?id=187705 + + Reviewed by Mark Lam. + + Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style). + Originally, this is done to make SourceParseModeSet faster because it is critical in our parser. + But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode + within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280. + + * parser/ParserModes.h: + (JSC::SourceParseModeSet::SourceParseModeSet): + (JSC::SourceParseModeSet::contains): + (JSC::SourceParseModeSet::mergeSourceParseModes): + +2018-07-12 Yusuke Suzuki + + [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect + https://bugs.webkit.org/show_bug.cgi?id=187585 + + Reviewed by Darin Adler. + + This patch fixes Generator and AsyncGenerator's prototype issues. + + 1. Generator's default prototype is incorrect when `generator.prototype = null` is performed. + We fix this by changing JSFunction::prototypeForConstruction. + + 2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode + to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well + to fix `prototype` issues for AsyncGeneratorMethod. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields): + (JSC::BytecodeGenerator::emitNewFunction): + * bytecompiler/NodesCodegen.cpp: + (JSC::FunctionNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createFunctionMetadata): + * parser/Parser.cpp: + (JSC::getAsynFunctionBodyParseMode): + (JSC::Parser::parseInner): + (JSC::Parser::parseAsyncGeneratorFunctionSourceElements): + * parser/ParserModes.h: + (JSC::isAsyncGeneratorParseMode): + (JSC::isAsyncGeneratorWrapperParseMode): + (JSC::isAsyncGeneratorFunctionParseMode): Deleted. + * runtime/FunctionExecutable.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::prototypeForConstruction): + (JSC::JSFunction::getOwnPropertySlot): + +2018-07-16 Mark Lam + + jsc shell's noFTL utility test function should be more robust. + https://bugs.webkit.org/show_bug.cgi?id=187704 + + + Reviewed by Michael Saboff and Keith Miller. + + * jsc.cpp: + (functionNoFTL): + - only setNeverFTLOptimize() if the function is actually a JS function. + +2018-07-15 Carlos Garcia Campos + + [GLIB] Add API to evaluate code using a given object to store global symbols + https://bugs.webkit.org/show_bug.cgi?id=187639 + + Reviewed by Michael Catanzaro. + + Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the + evaluated script are added as properties to the new object instead of to the context global object. This is + similar to JS::Evaluate in spider monkey when a scopeChain parameter is passed, but JSC doesn't support using a + scope for assignments, so we have to create a new context and get its global object. This patch also updates + jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new + jsc_context_evaluate_in_object(). + + * API/glib/JSCContext.cpp: + (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri(). 
+ (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef. + (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext(). + (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension + scope of it. Evaluate the script in the new context and get its global object to be returned as parameter. + * API/glib/JSCContext.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-07-13 Yusuke Suzuki + + [32bit JSC tests] stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing + https://bugs.webkit.org/show_bug.cgi?id=187561 + + Reviewed by Darin Adler. + + This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code. + We clean up 32bit put_by_val code. + + 1. We remove inline out-of-bounds recording code since it is done in C operation code. This change + aligns 32bit implementation to 64bit implementation. + + 2. We add CoW array checking, which is done in 64bit implementation. + + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_put_by_val): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_by_val): + (JSC::JIT::emitSlow_op_put_by_val): + +2018-07-12 Mark Lam + + Need to handle CodeBlock::replacement() being null. + https://bugs.webkit.org/show_bug.cgi?id=187569 + + + Reviewed by Saam Barati. + + CodeBlock::replacement() may return a nullptr. Some of our code already checks + for this while others do not. We should add null checks in all the places that + need it. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::hasOptimizedReplacement): + (JSC::CodeBlock::jettison): + (JSC::CodeBlock::numberOfDFGCompiles): + (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): + * dfg/DFGOperations.cpp: + * dfg/DFGToFTLDeferredCompilationCallback.cpp: + (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): + (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete): + * jit/JITOperations.cpp: + +2018-07-12 Yusuke Suzuki + + [JSC] Thread VM& to JSCell::methodTable(VM&) + https://bugs.webkit.org/show_bug.cgi?id=187548 + + Reviewed by Saam Barati. + + This patch threads VM& to methodTable(VM&) and remove methodTable(). + We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations. + + * API/APICast.h: + (toJS): + * API/JSCallbackObject.h: + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::className): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::estimatedSize): + * bytecode/CodeBlock.h: + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::estimatedSize): + * bytecode/UnlinkedCodeBlock.h: + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::className): + * debugger/DebuggerScope.h: + * heap/Heap.cpp: + (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData): + (JSC::GatherHeapSnapshotData::operator() const): + (JSC::Heap::gatherExtraHeapSnapshotData): + * heap/HeapSnapshotBuilder.cpp: + (JSC::HeapSnapshotBuilder::json): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToString): + * runtime/ClassInfo.h: + * runtime/DirectArguments.cpp: + (JSC::DirectArguments::estimatedSize): + * runtime/DirectArguments.h: + * runtime/HashMapImpl.cpp: + (JSC::HashMapImpl::estimatedSize): + * runtime/HashMapImpl.h: + * runtime/JSArrayBuffer.cpp: + (JSC::JSArrayBuffer::estimatedSize): + * runtime/JSArrayBuffer.h: + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::estimatedSize): + * runtime/JSBigInt.h: + * runtime/JSCell.cpp: + (JSC::JSCell::dump const): + 
(JSC::JSCell::estimatedSizeInBytes const): + (JSC::JSCell::estimatedSize): + (JSC::JSCell::className): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::estimatedSize): + * runtime/JSObject.cpp: + (JSC::JSObject::estimatedSize): + (JSC::JSObject::className): + (JSC::JSObject::toStringName): + (JSC::JSObject::calculatedClassName): + * runtime/JSObject.h: + * runtime/JSProxy.cpp: + (JSC::JSProxy::className): + * runtime/JSProxy.h: + * runtime/JSString.cpp: + (JSC::JSString::estimatedSize): + * runtime/JSString.h: + * runtime/RegExp.cpp: + (JSC::RegExp::estimatedSize): + * runtime/RegExp.h: + * runtime/WeakMapImpl.cpp: + (JSC::WeakMapImpl::estimatedSize): + * runtime/WeakMapImpl.h: + +2018-07-11 Commit Queue + + Unreviewed, rolling out r233714. + https://bugs.webkit.org/show_bug.cgi?id=187579 + + it made tests time out (Requested by pizlo on #webkit). + + Reverted changeset: + + "Change the reoptimization backoff base to 1.3 from 2" + https://bugs.webkit.org/show_bug.cgi?id=187540 + https://trac.webkit.org/changeset/233714 + +2018-07-11 Carlos Garcia Campos + + [GLIB] Add API to allow creating variadic functions + https://bugs.webkit.org/show_bug.cgi?id=187517 + + Reviewed by Michael Catanzaro. + + Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and + jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue. + + * API/glib/JSCCallbackFunction.cpp: + (JSC::JSCCallbackFunction::create): Make the parameters optional. + (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto. + (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of + JSCValue for the arguments. + (JSC::JSCCallbackFunction::construct): Ditto. + * API/glib/JSCCallbackFunction.h: + * API/glib/JSCClass.cpp: + (jscClassCreateConstructor): Make the parameters optional. 
+ (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor. + (jscClassAddMethod): Make the parameters optional. + (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod. + * API/glib/JSCClass.h: + * API/glib/JSCValue.cpp: + (jsc_value_object_define_property_accessor): Update now that parameters are optional. + (jscValueFunctionCreate): Make the parameters optional. + (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate. + * API/glib/JSCValue.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-07-11 Carlos Garcia Campos + + [GLIB] Add jsc_context_get_global_object() to GLib API + https://bugs.webkit.org/show_bug.cgi?id=187515 + + Reviewed by Michael Catanzaro. + + This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global + object. However, getting the global object could be useful in some cases, for example to give it a well known + name like 'window' in browsers and GJS. + + * API/glib/JSCContext.cpp: + (jsc_context_get_global_object): + * API/glib/JSCContext.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-07-11 Carlos Garcia Campos + + [GLIB] Handle G_TYPE_STRV in glib API + https://bugs.webkit.org/show_bug.cgi?id=187512 + + Reviewed by Michael Catanzaro. + + Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters. + + * API/glib/JSCContext.cpp: + (jscContextGValueToJSValue): + (jscContextJSValueToGValue): + * API/glib/JSCValue.cpp: + (jsc_value_new_array_from_strv): + * API/glib/JSCValue.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-07-11 Yusuke Suzuki + + Iterator of Array.keys() returns object in wrong order + https://bugs.webkit.org/show_bug.cgi?id=185197 + + Reviewed by Keith Miller. 
+ + * builtins/ArrayIteratorPrototype.js: + (globalPrivate.arrayIteratorValueNext): + (globalPrivate.arrayIteratorKeyNext): + (globalPrivate.arrayIteratorKeyValueNext): + * builtins/AsyncFromSyncIteratorPrototype.js: + * builtins/AsyncGeneratorPrototype.js: + (globalPrivate.asyncGeneratorResolve): + * builtins/GeneratorPrototype.js: + (globalPrivate.generatorResume): + * builtins/MapIteratorPrototype.js: + (globalPrivate.mapIteratorNext): + * builtins/SetIteratorPrototype.js: + (globalPrivate.setIteratorNext): + * builtins/StringIteratorPrototype.js: + (next): + * runtime/IteratorOperations.cpp: + (JSC::createIteratorResultObjectStructure): + (JSC::createIteratorResultObject): + +2018-07-10 Mark Lam + + constructArray() should always allocate the requested length. + https://bugs.webkit.org/show_bug.cgi?id=187543 + + + Reviewed by Saam Barati. + + Currently, it does not when we're having a bad time. We fix this by switching + back to using tryCreateUninitializedRestricted() exclusively in constructArray(). + If we detect that a structure transition is possible before we can initialize + the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly. + We will introduce JSArray::eagerlyInitializeButterfly() to handle this. + + Also enhanced the DisallowScope and ObjectInitializationScope to support this + eager initialization when needed. + + * dfg/DFGOperations.cpp: + - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects + the array allocation to always succeed. Adding this RELEASE_ASSERT here makes + it clearer that we encountered an OutOfMemory condition instead of failing in FTL + generated code, which will appear as a generic null pointer dereference. + + * runtime/ArrayPrototype.cpp: + (JSC::concatAppendOne): + - the code here clearly wants to check for an allocation failure. Switched to + using JSArray::tryCreate() instead of JSArray::create(). 
+ + * runtime/DisallowScope.h: + (JSC::DisallowScope::disable): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + (JSC::JSArray::eagerlyInitializeButterfly): + (JSC::constructArray): + * runtime/JSArray.h: + * runtime/ObjectInitializationScope.cpp: + (JSC::ObjectInitializationScope::notifyInitialized): + * runtime/ObjectInitializationScope.h: + (JSC::ObjectInitializationScope::notifyInitialized): + +2018-07-05 Yusuke Suzuki + + [JSC] Remove getTypedArrayImpl + https://bugs.webkit.org/show_bug.cgi?id=187338 + + Reviewed by Mark Lam. + + getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes + are limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine. + This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView. + + * runtime/ClassInfo.h: + * runtime/GenericTypedArrayView.h: + (JSC::GenericTypedArrayView::data const): Deleted. + (JSC::GenericTypedArrayView::set): Deleted. + (JSC::GenericTypedArrayView::setRange): Deleted. + (JSC::GenericTypedArrayView::zeroRange): Deleted. + (JSC::GenericTypedArrayView::zeroFill): Deleted. + (JSC::GenericTypedArrayView::length const): Deleted. + (JSC::GenericTypedArrayView::item const): Deleted. + (JSC::GenericTypedArrayView::set const): Deleted. + (JSC::GenericTypedArrayView::setNative const): Deleted. + (JSC::GenericTypedArrayView::getRange): Deleted. + (JSC::GenericTypedArrayView::checkInboundData const): Deleted. + (JSC::GenericTypedArrayView::internalByteLength const): Deleted. + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::possiblySharedImpl): + * runtime/JSArrayBufferView.h: + * runtime/JSArrayBufferViewInlines.h: + (JSC::JSArrayBufferView::possiblySharedImpl): Deleted. + * runtime/JSCell.cpp: + (JSC::JSCell::getTypedArrayImpl): Deleted. + * runtime/JSCell.h: + * runtime/JSDataView.cpp: + (JSC::JSDataView::getTypedArrayImpl): Deleted. 
+ * runtime/JSDataView.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::getTypedArrayImpl): Deleted. + +2018-07-10 Keith Miller + + hasOwnProperty returns true for out of bounds property index on TypedArray + https://bugs.webkit.org/show_bug.cgi?id=187520 + + Reviewed by Saam Barati. + + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::getOwnPropertySlot): + +2018-07-10 Michael Saboff + + DFG JIT: compileMathIC produces incorrect machine code + https://bugs.webkit.org/show_bug.cgi?id=187537 + + Reviewed by Saam Barati. + + Added checks for constant multipliers in JITMulGenerator::generateInline(). If we have a constant multiplier, + fall back to the fast path generator which handles such cases. + + * jit/JITMulGenerator.cpp: + (JSC::JITMulGenerator::generateInline): + +2018-07-10 Filip Pizlo + + Change the reoptimization backoff base to 1.3 from 2 + https://bugs.webkit.org/show_bug.cgi?id=187540 + + Reviewed by Saam Barati. + + I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2. + + I also have data that hints that a backoff base of 1 might be even better, but I think that + we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::reoptimizationRetryCounter const): + (JSC::CodeBlock::countReoptimization): + (JSC::CodeBlock::adjustedCounterValue): + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/Options.h: + +2018-07-10 Mark Lam + + [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized. + https://bugs.webkit.org/show_bug.cgi?id=187362 + + + Reviewed by Saam Barati. + + On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid + value to use for initializing unused properties. 
Updated an assertion to account + for this. + + * runtime/ObjectInitializationScope.cpp: + (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized): + +2018-07-10 Michael Saboff + + YARR: . doesn't match non-BMP Unicode characters in some cases + https://bugs.webkit.org/show_bug.cgi?id=187248 + + Reviewed by Geoffrey Garen. + + The safety check in optimizeAlternative() for moving character classes that only consist of BMP + characters did not take into account that the character class is inverted. In this case, we + represent '.' as "not a newline" using the newline character class with an inverted check. + Clearly that includes non-BMP characters. + + The fix is to check that the character class doesn't have non-BMP characters AND it isn't an + inverted use of that character class. + + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::optimizeAlternative): + +2018-07-09 Mark Lam + + Add --traceLLIntExecution and --traceLLIntSlowPath options. + https://bugs.webkit.org/show_bug.cgi?id=187479 + + Reviewed by Yusuke Suzuki and Saam Barati. + + These options are only available if LLINT_TRACING is enabled in LLIntCommon.h. + + The details: + 1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING. + 2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath. + This makes it such that enabling LLINT_TRACING doesn't means that we'll + continually spammed with logging until we rebuild. + 3. Fixed slow path LLINT tracing to work with exception check validation. 
+ + * llint/LLIntCommon.h: + * llint/LLIntExceptions.cpp: + (JSC::LLInt::returnToThrow): + (JSC::LLInt::callToThrow): + * llint/LLIntOfflineAsmConfig.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::slowPathLog): + (JSC::LLInt::slowPathLn): + (JSC::LLInt::slowPathLogF): + (JSC::LLInt::slowPathLogLn): + (JSC::LLInt::llint_trace_operand): + (JSC::LLInt::llint_trace_value): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::traceFunctionPrologue): + (JSC::LLInt::handleHostCall): + (JSC::LLInt::setUpCall): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * runtime/CommonSlowPathsExceptions.cpp: + (JSC::CommonSlowPaths::interpreterThrowInCaller): + * runtime/Options.cpp: + (JSC::Options::isAvailable): + * runtime/Options.h: + +2018-07-09 Yusuke Suzuki + + [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock + https://bugs.webkit.org/show_bug.cgi?id=187477 + + Reviewed by Mark Lam. + + Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData. + However, it is not necessary since JSCells can be reside in a constant buffer. + This patch embeds RegExp* to a constant buffer in UnlinkedCodeBlock and CodeBlock. And remove RegExp + vector from RareData. + + We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream. + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + (JSC::BytecodeDumper::dumpBlock): + (JSC::regexpToSourceString): Deleted. + (JSC::regexpName): Deleted. + (JSC::BytecodeDumper::dumpRegExps): Deleted. + * bytecode/BytecodeDumper.h: + * bytecode/CodeBlock.h: + (JSC::CodeBlock::regexp const): Deleted. + (JSC::CodeBlock::numberOfRegExps const): Deleted. + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::visitChildren): + (JSC::UnlinkedCodeBlock::shrinkToFit): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::addRegExp): Deleted. + (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted. 
+ (JSC::UnlinkedCodeBlock::regexp const): Deleted. + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitNewRegExp): + (JSC::BytecodeGenerator::addRegExp): Deleted. + * bytecompiler/BytecodeGenerator.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_new_regexp): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpInContextAssumingStructure const): + * runtime/RegExp.cpp: + (JSC::regexpToSourceString): + (JSC::RegExp::dumpToStream): + * runtime/RegExp.h: + +2018-07-09 Brian Burg + + REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js + https://bugs.webkit.org/show_bug.cgi?id=187350 + + + Reviewed by Matt Baker. + + Add a new command that toggles whether or not to blackbox internal scripts. + If blackboxed, the scripts will not be shown to the frontend and the debugger will + not pause in source frames from blackboxed scripts. Sometimes we want to break into + those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code + that injects scripts. + + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts): + (Inspector::InspectorDebuggerAgent::didParseSource): + * inspector/agents/InspectorDebuggerAgent.h: + * inspector/protocol/Debugger.json: + +2018-07-09 Yusuke Suzuki + + [JSC] Make some data members of UnlinkedCodeBlock private + https://bugs.webkit.org/show_bug.cgi?id=187467 + + Reviewed by Mark Lam. + + This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private. + We also remove m_numCapturedVars since it is no longer used. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + * bytecode/CodeBlock.h: + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedCodeBlock.h: + +2018-07-09 Yusuke Suzuki + + [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase + https://bugs.webkit.org/show_bug.cgi?id=187465 + + Reviewed by Keith Miller. + + ProxyableAccessCase is allocated so frequently and it is persisted so long. Reducing the size + of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com. + + This patch uses a bit complicated layout to reduce ProxyableAccessCase. We add unused bool member + in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size + of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase + from 104 to 96 since it inherits ProxyableAccessCase. + + * bytecode/AccessCase.h: + (JSC::AccessCase::viaProxy const): + (JSC::AccessCase::AccessCase): + * bytecode/ProxyableAccessCase.cpp: + (JSC::ProxyableAccessCase::ProxyableAccessCase): + * bytecode/ProxyableAccessCase.h: + +2018-07-08 Yusuke Suzuki + + Unreviewed, build fix for debug builds after r233630 + https://bugs.webkit.org/show_bug.cgi?id=187441 + + * jit/JIT.cpp: + (JSC::JIT::frameRegisterCountFor): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::frameRegisterCountFor): + +2018-07-08 Yusuke Suzuki + + [JSC] Optimize layout of CodeBlock to reduce padding + https://bugs.webkit.org/show_bug.cgi?id=187441 + + Reviewed by Mark Lam. + + Arrange the order of members to reduce the size of CodeBlock from 552 to 544. + We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this, + Vector m_constantsSourceCodeRepresentation. + + We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock. 
+ + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBlock): + * bytecode/BytecodeUseDef.h: + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::numVars const): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::numVars const): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::ByteCodeParser): + (JSC::DFG::ByteCodeParser::flushForTerminalImpl): + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::forAllLocalsLiveInBytecode): + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): + * dfg/DFGVariableEventStream.cpp: + (JSC::DFG::VariableEventStream::reconstruct const): + * ftl/FTLOSREntry.cpp: + (JSC::FTL::prepareOSREntry): + * ftl/FTLState.cpp: + (JSC::FTL::State::State): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::dumpRegisters): + * jit/JIT.cpp: + (JSC::JIT::frameRegisterCountFor): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_enter): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_enter): + * jit/JITOperations.cpp: + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::frameRegisterCountFor): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::traceFunctionPrologue): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/JSCJSValue.h: + +2018-07-08 Yusuke Suzuki + + [JSC] Optimize padding of UnlinkedCodeBlock to shrink + https://bugs.webkit.org/show_bug.cgi?id=187448 + + Reviewed by Saam Barati. + + We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock. + These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288. 
+ + * bytecode/CodeType.h: + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::codeType const): + (JSC::UnlinkedCodeBlock::didOptimize const): + (JSC::UnlinkedCodeBlock::setDidOptimize): + * bytecode/VirtualRegister.h: + +2018-07-08 Yusuke Suzuki + + [JSC] Optimize padding of InferredTypeTable by using cellLock + https://bugs.webkit.org/show_bug.cgi?id=187447 + + Reviewed by Mark Lam. + + Use cellLock() in InferredTypeTable to guard changes of internal structures. + This is the same usage to SparseArrayValueMap. By using cellLock(), we can + reduce the size of InferredTypeTable from 40 to 32. + + * runtime/InferredTypeTable.cpp: + (JSC::InferredTypeTable::visitChildren): + (JSC::InferredTypeTable::get): + (JSC::InferredTypeTable::willStoreValue): + (JSC::InferredTypeTable::makeTop): + * runtime/InferredTypeTable.h: + Using enum class and using. And remove `isEmpty()` since it is not used. + + * runtime/Structure.h: + +2018-07-07 Yusuke Suzuki + + [JSC] Optimize layout of SourceProvider to reduce padding + https://bugs.webkit.org/show_bug.cgi?id=187440 + + Reviewed by Mark Lam. + + Arrange members of SourceProvider to reduce the size from 80 to 72. + + * parser/SourceProvider.cpp: + (JSC::SourceProvider::SourceProvider): + * parser/SourceProvider.h: + +2018-07-08 Mark Lam + + PropertyTable::skipDeletedEntries() should guard against iterating past the table end. + https://bugs.webkit.org/show_bug.cgi?id=187444 + + + Reviewed by Saam Barati. + + PropertyTable supports C++ iteration by offering begin() and end() methods, and + an iterator class. The begin() methods and the iterator operator++() method uses + PropertyTable::skipDeletedEntries() to skip over deleted entries in the table. + However, PropertyTable::skipDeletedEntries() does not prevent the iteration + pointer from being incremented past the end of the table. As a result, we can + iterate past the end of the table. 
Note that the C++ iteration protocol tests + for the iterator not being equal to the end() value. It does not do a <= test. + If the iterator ever shoots past end, the loop will effectively not terminate. + + This issue can manifest if and only if the last entry in the table is a deleted + one, and the key field of the PropertyMapEntry shaped space at the end of the + table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY) + value. + + No test because manifesting this issue requires uncontrollable happenstance where + memory just beyond the end of the table looks like a deleted entry. + + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::begin): + (JSC::PropertyTable::end): + (JSC::PropertyTable::begin const): + (JSC::PropertyTable::end const): + (JSC::PropertyTable::skipDeletedEntries): + +2018-07-07 Yusuke Suzuki + + [JSC] Optimize layout of SymbolTable to reduce padding + https://bugs.webkit.org/show_bug.cgi?id=187437 + + Reviewed by Mark Lam. + + Arrange the layout of SymbolTable to reduce the size from 88 to 72. + + * runtime/SymbolTable.h: + +2018-07-07 Yusuke Suzuki + + [JSC] Optimize layout of RegExp to reduce padding + https://bugs.webkit.org/show_bug.cgi?id=187438 + + Reviewed by Mark Lam. + + Reduce the size of RegExp from 168 to 144. + + * runtime/RegExp.cpp: + (JSC::RegExp::RegExp): + * runtime/RegExp.h: + * runtime/RegExpKey.h: + * yarr/YarrErrorCode.h: + +2018-07-07 Yusuke Suzuki + + [JSC] Optimize layout of ValueProfile to reduce padding + https://bugs.webkit.org/show_bug.cgi?id=187439 + + Reviewed by Mark Lam. + + Reduce the size of ValueProfile from 40 to 32 by reordering members. + + * bytecode/ValueProfile.h: + (JSC::ValueProfileBase::ValueProfileBase): + +2018-07-05 Saam Barati + + ProgramExecutable may be collected as we checkSyntax on it + https://bugs.webkit.org/show_bug.cgi?id=187359 + + + Reviewed by Mark Lam. 
+ + The bug was we were passing in a reference to the SourceCode field on ProgramExecutable as + the ProgramExecutable itself may be collected. The fix here is to make a copy + of the field instead of passing in a reference inside of ParserError::toErrorObject. + + No new tests here as this was already caught by our iOS JSC testers. + + * parser/ParserError.h: + (JSC::ParserError::toErrorObject): + +2018-07-04 Tim Horton + + Introduce PLATFORM(IOSMAC) + https://bugs.webkit.org/show_bug.cgi?id=187315 + + Reviewed by Dan Bernstein. + + * Configurations/Base.xcconfig: + * Configurations/FeatureDefines.xcconfig: + +2018-07-03 Mark Lam + + [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)). + https://bugs.webkit.org/show_bug.cgi?id=187255 + + + Reviewed by Saam Barati. + + The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties + too: basically, do what the 64-bit code is doing. At present, this change only + serves to pacify an assertion. It is not needed for correctness because the + concurrent GC is not used on 32-bit builds. + + This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js + test. + + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_create_this): + +2018-07-03 Yusuke Suzuki + + [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView + https://bugs.webkit.org/show_bug.cgi?id=187290 + + Reviewed by Saam Barati. + + slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited, + we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView + is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be + easily calculated from JSType. + This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView. 
+ + * runtime/ClassInfo.h: + * runtime/JSArrayBufferView.cpp: + (JSC::elementSize): + (JSC::JSArrayBufferView::slowDownAndWasteMemory): + * runtime/JSArrayBufferView.h: + * runtime/JSArrayBufferViewInlines.h: + (JSC::JSArrayBufferView::possiblySharedBuffer): + * runtime/JSCell.cpp: + (JSC::JSCell::slowDownAndWasteMemory): Deleted. + * runtime/JSCell.h: + * runtime/JSDataView.cpp: + (JSC::JSDataView::slowDownAndWasteMemory): Deleted. + * runtime/JSDataView.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory): Deleted. + +2018-07-02 Sukolsak Sakshuwong + + Regular expressions with ".?" expressions at the start and the end match the entire string + https://bugs.webkit.org/show_bug.cgi?id=119191 + + Reviewed by Michael Saboff. + + r90962 optimized regular expressions in the form of /.*abc.*/ by looking + for "abc" first and then processing the leading and trailing dot stars + to find the beginning and the end of the match. However, it erroneously + enabled this optimization for regular expressions whose leading or + trailing dots had quantifiers that were not of arbitrary length, e.g., + /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to + match the entire string when it shouldn't. This patch disables the + optimization for those cases. + + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions): + +2018-07-02 Sukolsak Sakshuwong + + RegExp.exec returns wrong value with a long integer quantifier + https://bugs.webkit.org/show_bug.cgi?id=187042 + + Reviewed by Saam Barati. + + Prior to this patch, the Yarr parser checked for integer overflow when + parsing quantifiers in regular expressions by adding one digit at a time + to a number and checking if the result got larger. 
This is wrong; + The parser would fail to detect overflow when parsing, for example, + 10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000. + + Another issue was that once it detected overflow, it stopped consuming + the remaining digits. Since it didn't find the closing bracket, it + parsed the quantifier as a normal string instead. + + This patch fixes these issues by reading all the digits and checking for + overflow with Checked. If it overflows, it + returns the largest possible value (quantifyInfinite in this case). This + matches Chrome [1], Firefox [2], and Edge [3]. + + [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042 + [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310 + [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149 + + * yarr/YarrParser.h: + (JSC::Yarr::Parser::consumeNumber): + +2018-07-02 Keith Miller + + InstanceOf IC should do generic if the prototype is not an object. + https://bugs.webkit.org/show_bug.cgi?id=187250 + + Reviewed by Mark Lam. + + The old code was wrong for two reasons. First, the AccessCase expected that + the prototype value would be non-null. Second, we would end up returning + false instead of throwing an exception. + + * jit/Repatch.cpp: + (JSC::tryCacheInstanceOf): + +2018-07-01 Mark Lam + + Builtins and host functions should get their own structures. + https://bugs.webkit.org/show_bug.cgi?id=187211 + + + Reviewed by Saam Barati. + + JSFunctions do lazy reification of properties, but ordinary functions applies + different rules of property reification than builtin and host functions. Hence, + we should give builtins and host functions their own structures. 
+ + * runtime/JSFunction.cpp: + (JSC::JSFunction::selectStructureForNewFuncExp): + (JSC::JSFunction::create): + (JSC::JSFunction::getOwnPropertySlot): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::hostFunctionStructure const): + (JSC::JSGlobalObject::arrowFunctionStructure const): + (JSC::JSGlobalObject::sloppyFunctionStructure const): + (JSC::JSGlobalObject::strictFunctionStructure const): + +2018-07-01 David Kilzer + + JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined + + + Reviewed by Mark Lam. + + * b3/air/AirEliminateDeadCode.cpp: + (JSC::B3::Air::eliminateDeadCode): Initialize `changed`. + * parser/ParserTokens.h: + (JSC::JSTextPosition::JSTextPosition): Add struct member + initialization. Simplify default constructor. + (JSC::JSTokenLocation::JSTokenData): Move largest struct in the + union to the beginning to make it easy to zero out all fields. + (JSC::JSTokenLocation::JSTokenLocation): Add struct member + initialization. Simplify default constructor. Note that + `endOffset` was not being initialized previously. + (JSC::JSTextPosition::JSToken): Add struct member initialization + where necessary. + * runtime/IntlObject.cpp: + (JSC::MatcherResult): Add struct member initialization. + +2018-06-23 Darin Adler + + [Cocoa] Improve ARC compatibility of more code in JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=186973 + + Reviewed by Dan Bernstein. + + * API/JSContext.mm: + (WeakContextRef::WeakContextRef): Deleted. + (WeakContextRef::~WeakContextRef): Deleted. + (WeakContextRef::get): Deleted. + (WeakContextRef::set): Deleted. + + * API/JSContextInternal.h: Removed unneeded header guards since this is + an Objective-C++ header. Removed unused WeakContextRef class. 
Removed declaration + of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap + since neither is used outside the class implementation. + + * API/JSManagedValue.mm: + (-[JSManagedValue initWithValue:]): Use a bridging cast. + (-[JSManagedValue dealloc]): Ditto. + (-[JSManagedValue didAddOwner:]): Ditto. + (-[JSManagedValue didRemoveOwner:]): Ditto. + (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto. + (JSManagedValueHandleOwner::finalize): Ditto. + * API/JSValue.mm: + (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto. + (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto. + (-[JSValue valueForProperty:]): Ditto. + (-[JSValue setValue:forProperty:]): Ditto. + (-[JSValue deleteProperty:]): Ditto. + (-[JSValue hasProperty:]): Ditto. + (-[JSValue invokeMethod:withArguments:]): Ditto. + (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names. + (valueToArray): Ditto. + (valueToDictionary): Ditto. + (objectToValueWithoutCopy): Ditto. + (objectToValue): Ditto. + * API/JSVirtualMachine.mm: + (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto. + (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto. + (-[JSVirtualMachine isOldExternalObject:]): Ditto. + (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto. + (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto. + (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto. + (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto. + (scanExternalObjectGraph): Ditto. + (scanExternalRememberedSet): Ditto. + * API/JSWrapperMap.mm: + (makeWrapper): Ditto. + (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto. + (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto. + (tryUnwrapObjcObject): Ditto. + * API/ObjCCallbackFunction.mm: + (blockSignatureContainsClass): Ditto. 
+ (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not + sure we will be keeping this the same way under ARC. + (objCCallbackFunctionForBlock): Use a bridging cast. + + * API/ObjcRuntimeExtras.h: + (protocolImplementsProtocol): Use a more specific type that includes the + explicit __unsafe_unretained for copied protocol lists. + (forEachProtocolImplementingProtocol): Ditto. + + * inspector/remote/cocoa/RemoteInspectorCocoa.mm: + (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro. + (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil. + + * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the + CFXPCBridge SPI to a header named CFXPCBridgeSPI.h. + (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF. + (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement. + (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast. + +2018-06-30 Adam Barth + + Port JavaScriptCore to OS(FUCHSIA) + https://bugs.webkit.org/show_bug.cgi?id=187223 + + Reviewed by Daniel Bates. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache. + * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc. + (JSC::MachineContext::stackPointerImpl): + (JSC::MachineContext::framePointerImpl): + (JSC::MachineContext::instructionPointerImpl): + (JSC::MachineContext::argumentPointer<1>): + (JSC::MachineContext::llintInstructionPointer): + +2018-06-30 David Kilzer + + Fix clang static analyzer warnings: Garbage return value + + + Reviewed by Eric Carlson. + + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset): + - Use brace initialization for local variables. + * debugger/DebuggerCallFrame.cpp: + (class JSC::LineAndColumnFunctor): + - Use class member initialization for member variables. + +2018-06-29 Saam Barati + + Unreviewed. 
Try to fix Windows build after r233377
+
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::createExecutable):
+
+2018-06-29 Saam Barati
+
+ Don't use tracePoints in JS/Wasm entry
+ https://bugs.webkit.org/show_bug.cgi?id=187196
+
+ Reviewed by Mark Lam.
+
+ This puts VM entry and Wasm entry tracePoints behind a runtime
+ option. This is a ~4x speedup on a soon to be released Wasm
+ benchmark. tracePoints should basically never run more than 50
+ times a second. Entering the VM and entering Wasm are user controlled,
+ and can happen hundreds of thousands of times in a second. Depending
+ on how the Wasm/JS code is structured, this can be disastrous for
+ performance.
+
+ * runtime/Options.h:
+ * runtime/VMEntryScope.cpp:
+ (JSC::VMEntryScope::VMEntryScope):
+ (JSC::VMEntryScope::~VMEntryScope):
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::compileFunctions):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::callWebAssemblyFunction):
+
+2018-06-29 Saam Barati
+
+ We shouldn't recurse into the parser when gathering metadata about various function offsets
+ https://bugs.webkit.org/show_bug.cgi?id=184074
+
+
+ Reviewed by Mark Lam.
+
+ Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
+ for that builtin. This required calling into the parser. However, the parser
+ may throw a stack overflow. We were not able to recover from that. The only
+ reason we called into the parser here is that we were gathering text offsets
+ and various metadata for things in the builtin function. This patch writes a
+ mini parser that figures this information out without calling into the full
+ parser. (I've also added a debug assert that verifies the mini parser stays in
+ sync with the full parser.) The result of this is that BuiltinExecutbles::createExecutable
+ always succeeds.
+
+ * builtins/AsyncFromSyncIteratorPrototype.js:
+ (globalPrivate.createAsyncFromSyncIterator):
+ (globalPrivate.AsyncFromSyncIteratorConstructor):
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::createExecutable):
+ * builtins/GlobalOperations.js:
+ (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
+ (globalPrivate.speciesConstructor):
+ (globalPrivate.copyDataProperties):
+ (globalPrivate.copyDataPropertiesNoExclusions):
+ * builtins/PromiseOperations.js:
+ (globalPrivate.newHandledRejectedPromise):
+ * builtins/RegExpPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForRegExpMatch):
+ (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+ * builtins/StringPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForStringReplace):
+ (globalPrivate.getDefaultCollator):
+ * parser/Nodes.cpp:
+ (JSC::FunctionMetadataNode::FunctionMetadataNode):
+ (JSC::FunctionMetadataNode::operator== const):
+ (JSC::FunctionMetadataNode::dump const):
+ * parser/Nodes.h:
+ * parser/Parser.h:
+ (JSC::parse):
+ * parser/ParserError.h:
+ (JSC::ParserError::type const):
+ * parser/ParserTokens.h:
+ (JSC::JSTextPosition::operator== const):
+ (JSC::JSTextPosition::operator!= const):
+ * parser/SourceCode.h:
+ (JSC::SourceCode::operator== const):
+ (JSC::SourceCode::operator!= const):
+ (JSC::SourceCode::subExpression const):
+ (JSC::SourceCode::subExpression): Deleted.
+
+2018-06-28 Michael Saboff
+
+ IsoCellSet::sweepToFreeList() not safe when Full GC in process
+ https://bugs.webkit.org/show_bug.cgi?id=187157
+
+ Reviewed by Mark Lam.
+
+ * heap/IsoCellSet.cpp:
+ (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
+ is in MarkedBlock::Handle::specializedSweep where it takes into account whether
+ or not we are in the process of marking during a full GC.
+ * heap/MarkedBlock.h:
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
+
+2018-06-27 Saam Barati
+
+ Add some more register state information when we crash in repatchPutById
+ https://bugs.webkit.org/show_bug.cgi?id=187112
+
+ Reviewed by Mark Lam.
+
+ This will help us gather info when we end up seeing a ObjectPropertyConditionSet
+ with an offset that is different than what the put tells us.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCachePutByID):
+
+2018-06-27 Mark Lam
+
+ Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
+ https://bugs.webkit.org/show_bug.cgi?id=187119
+
+ Reviewed by Keith Miller.
+
+ $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
+ should be checking for codeBlock instead of !codeBlock
+ before using the codeBlock.
+
+ I also renamed some other "print" functions to use "dump" instead
+ to match their underlying C++ code that they will call e.g.
+ CodeBlock::dumpSource().
+
+ * tools/JSDollarVM.cpp:
+ (WTF::JSDollarVMCallFrame::finishCreation):
+ (JSC::functionDumpSourceFor):
+ (JSC::functionDumpBytecodeFor):
+ (JSC::doPrint):
+ (JSC::functionDataLog):
+ (JSC::functionPrint):
+ (JSC::functionDumpCallFrame):
+ (JSC::functionDumpStack):
+ (JSC::JSDollarVM::finishCreation):
+ (JSC::functionPrintSourceFor): Deleted.
+ (JSC::functionPrintBytecodeFor): Deleted.
+ (JSC::doPrintln): Deleted.
+ (JSC::functionPrintln): Deleted.
+ (JSC::functionPrintCallFrame): Deleted.
+ (JSC::functionPrintStack): Deleted.
+ * tools/VMInspector.cpp:
+ (JSC::DumpFrameFunctor::DumpFrameFunctor):
+ (JSC::DumpFrameFunctor::operator() const):
+ (JSC::VMInspector::dumpCallFrame):
+ (JSC::VMInspector::dumpStack):
+ (JSC::VMInspector::dumpValue):
+ (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
+ (JSC::PrintFrameFunctor::operator() const): Deleted.
+ (JSC::VMInspector::printCallFrame): Deleted.
+ (JSC::VMInspector::printStack): Deleted.
+ (JSC::VMInspector::printValue): Deleted.
+ * tools/VMInspector.h:
+
+2018-06-27 Keith Miller
+
+ Add logging to try to diagnose where we get a null structure.
+ https://bugs.webkit.org/show_bug.cgi?id=187106
+
+ Reviewed by Mark Lam.
+
+ Add a logging to JSObject::toPrimitive to help diagnose a nullptr
+ structure crash.
+
+ This code should be removed when we fix
+
+ * runtime/JSObject.cpp:
+ (JSC::callToPrimitiveFunction):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getPropertySlot):
+
+2018-06-27 Mark Lam
+
+ DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
+ https://bugs.webkit.org/show_bug.cgi?id=187091
+
+
+ Reviewed by Yusuke Suzuki.
+
+ Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
+ take their slow paths, the slow path would jump back to the fast path right after
+ the emitted code which clears the unused property values. As a result, the
+ unused properties are not initialized. We've fixed this by adding the slow path
+ generators before we emit the code to clear the unused properties.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+
+2018-06-27 Yusuke Suzuki
+
+ [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
+ https://bugs.webkit.org/show_bug.cgi?id=185943
+
+ Reviewed by Mark Lam.
+
+ ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
+ the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
+ the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated.".
+ This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
+
+ ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
+ but it should be done in a separate patch since it would be performance sensitive.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayPatternNode::emitDirectBinding):
+
+2018-06-26 Yusuke Suzuki
+
+ [JSC] Pass VM& to functions more
+ https://bugs.webkit.org/show_bug.cgi?id=186241
+
+ Reviewed by Mark Lam.
+
+ This patch threads VM& to functions requiring VM& more.
+
+ * API/JSObjectRef.cpp:
+ (JSObjectIsConstructor):
+ * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
+ * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
+ * bytecode/CodeBlockJettisoningWatchpoint.cpp:
+ (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
+ * bytecode/CodeBlockJettisoningWatchpoint.h:
+ * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
+ (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
+ (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
+ * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
+ * bytecode/StructureStubClearingWatchpoint.cpp:
+ (JSC::StructureStubClearingWatchpoint::fireInternal):
+ * bytecode/StructureStubClearingWatchpoint.h:
+ * bytecode/Watchpoint.cpp:
+ (JSC::Watchpoint::fire):
+ (JSC::WatchpointSet::fireAllWatchpoints):
+ * bytecode/Watchpoint.h:
+ * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
+ (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
+ * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
+ * dfg/DFGAdaptiveStructureWatchpoint.cpp:
+ (JSC::DFG::AdaptiveStructureWatchpoint::install):
+ (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
+ * dfg/DFGAdaptiveStructureWatchpoint.h:
+ * dfg/DFGDesiredWatchpoints.cpp:
+ (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::setupGetByIdPrototypeCache):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
+ (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
+ * runtime/ECMAScriptSpecInternalFunctions.cpp:
+ (JSC::esSpecIsConstructor):
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
+ * runtime/FunctionRareData.h:
+ * runtime/InferredStructureWatchpoint.cpp:
+ (JSC::InferredStructureWatchpoint::fireInternal):
+ * runtime/InferredStructureWatchpoint.h:
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::createSubclassStructureSlow):
+ * runtime/InternalFunction.h:
+ (JSC::InternalFunction::createSubclassStructure):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::isConstructor const):
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::isConstructor):
+ (JSC::JSCell::methodTable const):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
+ (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
+ * runtime/ProxyObject.cpp:
+ (JSC::ProxyObject::finishCreation):
+ * runtime/ReflectObject.cpp:
+ (JSC::reflectObjectConstruct):
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::setObjectToStringValue):
+ (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
+ (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
+ (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
+
+2018-06-26 Mark Lam
+
+ eval() is wrong about the LiteralParser never throwing any exceptions.
+ https://bugs.webkit.org/show_bug.cgi?id=187074
+
+
+ Reviewed by Saam Barati.
+
+ Added the missing exception check, and removed an erroneous assertion.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+
+2018-06-26 Saam Barati
+
+ JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
+ https://bugs.webkit.org/show_bug.cgi?id=186878
+
+
+ Reviewed by Filip Pizlo.
+
+ This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
+ our stress GC bots. Before this patch, JSImmutableButterfly was allocated
+ with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
+ be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
+ called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
+ conservative scan knows to treat it like a butterfly in when we we may be
+ pointing into the middle of it.
+
+ The way we were crashing on the stress GC bots is that our conservative marking
+ won't do cell visiting for things that are Auxiliary. This meant that if the
+ stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
+ that JSImmutableButterfly would not be visited. This is now fixed.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayNode::emitBytecode):
+ * debugger/Debugger.cpp:
+ * heap/ConservativeRoots.cpp:
+ (JSC::ConservativeRoots::genericAddPointer):
+ * heap/Heap.cpp:
+ (JSC::GatherHeapSnapshotData::operator() const):
+ (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
+ (JSC::Heap::globalObjectCount):
+ (JSC::Heap::objectTypeCounts):
+ (JSC::Heap::deleteAllCodeBlocks):
+ * heap/HeapCell.cpp:
+ (WTF::printInternal):
+ * heap/HeapCell.h:
+ (JSC::isJSCellKind):
+ (JSC::hasInteriorPointers):
+ * heap/HeapUtil.h:
+ (JSC::HeapUtil::findGCObjectPointersForMarking):
+ (JSC::HeapUtil::isPointerGCObjectJSCell):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::didAddToDirectory):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::appendJSCellOrAuxiliary):
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSImmutableButterfly.h:
+ (JSC::JSImmutableButterfly::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * tools/CellProfile.h:
+ (JSC::CellProfile::CellProfile):
+ (JSC::CellProfile::isJSCell const):
+ * tools/HeapVerifier.cpp:
+ (JSC::HeapVerifier::validateCell):
+
+2018-06-26 Mark Lam
+
+ Skip some unnecessary work in Interpreter::getStackTrace().
+ https://bugs.webkit.org/show_bug.cgi?id=187070
+
+ Reviewed by Michael Saboff.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::getStackTrace):
+
+2018-06-26 Mark Lam
+
+ ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
+ https://bugs.webkit.org/show_bug.cgi?id=187060
+
+
+ Reviewed by Keith Miller.
+
+ JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
+ write conversion. Hence, we can return early after the conversion if the vector
+ length is already sufficient to cover the requested length.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::ensureLengthSlow):
+
+2018-06-26 Commit Queue
+
+ Unreviewed, rolling out r233184.
+ https://bugs.webkit.org/show_bug.cgi?id=187059
+
+ "It regressed JetStream between 5-8%" (Requested by saamyjoon
+ on #webkit).
+
+ Reverted changeset:
+
+ "JSImmutableButterfly can't be allocated from a subspace with
+ HeapCell::Kind::Auxiliary"
+ https://bugs.webkit.org/show_bug.cgi?id=186878
+ https://trac.webkit.org/changeset/233184
+
+2018-06-26 Carlos Alberto Lopez Perez
+
+ REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
+ https://bugs.webkit.org/show_bug.cgi?id=187051
+
+ Reviewed by Mark Lam.
+
+ Revert r233065 changes over UnlinkedCodeBlock.h to allow
+ clang-3.8 to be able to compile this back (with libstdc++5)
+
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
+
+2018-06-26 Tadeu Zagallo
+
+ Fix testapi build when DFG_JIT is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=187038
+
+ Reviewed by Mark Lam.
+
+ r233158 added a new API and tests for configuring the number of JIT threads, but
+ the API is only available when DFG_JIT is enabled and so should the tests.
+
+ * API/tests/testapi.mm:
+ (runJITThreadLimitTests):
+
+2018-06-25 Saam Barati
+
+ JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
+ https://bugs.webkit.org/show_bug.cgi?id=186878
+
+
+ Reviewed by Mark Lam.
+
+ This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
+ our stress GC bots. Before this patch, JSImmutableButterfly was allocated
+ with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
+ allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
+ bots is that our conservative marking won't do cell marking for things that
+ are Auxiliary. This means that if the stack is the only thing pointing to a
+ JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
+ not be visited. This patch fixes this bug. This patch also extends our conservative
+ marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayNode::emitBytecode):
+ * heap/HeapUtil.h:
+ (JSC::HeapUtil::findGCObjectPointersForMarking):
+ * runtime/JSImmutableButterfly.h:
+ (JSC::JSImmutableButterfly::subspaceFor):
+
+2018-06-25 Mark Lam
+
+ constructArray() should set m_numValuesInVector to the specified length.
+ https://bugs.webkit.org/show_bug.cgi?id=187010
+
+
+ Reviewed by Filip Pizlo.
+
+ Its client will fill in the storage vector with some values using initializeIndex()
+ and expects m_numValuesInVector to be set to the length i.e. the number of values
+ to be initialized.
+
+ * runtime/JSArray.cpp:
+ (JSC::constructArray):
+
+2018-06-25 Mark Lam
+
+ Add missing exception check in RegExpObjectInlines.h's collectMatches.
+ https://bugs.webkit.org/show_bug.cgi?id=187006
+
+
+ Reviewed by Keith Miller.
+
+ * runtime/RegExpObjectInlines.h:
+ (JSC::collectMatches):
+
+2018-06-25 Tadeu Zagallo
+
+ Add API for configuring the number of threads used by DFG and FTL
+ https://bugs.webkit.org/show_bug.cgi?id=186859
+
+
+ Reviewed by Filip Pizlo.
+
+ Add new private APIs for limiting the number of threads to be used by
+ the DFG and FTL compilers. It was already possible to configure the
+ limit through JSC Options, but now it can be changed at runtime, even
+ in the case when the VM is already running.
+
+ Add a test for both cases: when trying to configure the limit before
+ and after the Worklist has been created, but in order to simulate the
+ first scenario, we must guarantee that the test runs at the very
+ beginning, so I also added a check for that.
+
+ * API/JSVirtualMachine.mm:
+ (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
+ (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
+ * API/JSVirtualMachinePrivate.h:
+ * API/tests/testapi.mm:
+ (runJITThreadLimitTests):
+ (testObjectiveCAPIMain):
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::finishCreation):
+ (JSC::DFG::Worklist::createNewThread):
+ (JSC::DFG::Worklist::setNumberOfThreads):
+ * dfg/DFGWorklist.h:
+
+2018-06-25 Yusuke Suzuki
+
+ [JSC] Remove unnecessary PLATFORM guards
+ https://bugs.webkit.org/show_bug.cgi?id=186995
+
+ Reviewed by Mark Lam.
+
+ * assembler/AssemblerCommon.h:
+ (JSC::isIOS):
+ Add constexpr.
+
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
+ StackFrame works in all the platforms. If StackFrame::demangle failed,
+ it just returns std::nullopt. And it is correctly handled in this code.
+
+2018-06-23 Mark Lam
+
+ Add more debugging features to $vm.
+ https://bugs.webkit.org/show_bug.cgi?id=186947
+
+ Reviewed by Keith Miller.
+
+ Adding the following features:
+
+ // We now have println in addition to print.
+ // println automatically adds a '\n' at the end.
+ $vm.println("Hello");
+
+ // We can now capture some info about a stack frame.
+ var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
+ var callerCallerFrame = $vm.callFrame(2);
+
+ // We can inspect the following values associated with the frame:
+ if (currentFrame.valid) {
+ $vm.println("name is ", currentFrame.name));
+
+ // Note: For a WASM frame, all of these will be undefined.
+ $vm.println("callee is ", $vm.value(currentFrame.callee));
+ $vm.println("codeBlock is ", currentFrame.codeBlock);
+ $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
+ $vm.println("executable is ", currentFrame.executable);
+ }
+
+ // Note that callee is a JSObject. I printed its $vm.value() because I wanted
+ // to dataLog its JSValue instead of its toString() result.
+
+ // Note that $vm.println() (and $vm.print()) can now print internal JSCells
+ // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
+ // toString on a non-object.
+
+ // Does what it says about enabling/disabling debugger mode.
+ $vm.enableDebuggerModeWhenIdle();
+ $vm.disableDebuggerModeWhenIdle();
+
+ * tools/JSDollarVM.cpp:
+ (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
+ (WTF::JSDollarVMCallFrame::createStructure):
+ (WTF::JSDollarVMCallFrame::create):
+ (WTF::JSDollarVMCallFrame::finishCreation):
+ (WTF::JSDollarVMCallFrame::addProperty):
+ (JSC::functionCallFrame):
+ (JSC::functionCodeBlockForFrame):
+ (JSC::codeBlockFromArg):
+ (JSC::doPrintln):
+ (JSC::functionPrint):
+ (JSC::functionPrintln):
+ (JSC::changeDebuggerModeWhenIdle):
+ (JSC::functionEnableDebuggerModeWhenIdle):
+ (JSC::functionDisableDebuggerModeWhenIdle):
+ (JSC::JSDollarVM::finishCreation):
+
+2018-06-22 Keith Miller
+
+ We need to have a getDirectConcurrently for use in the compilers
+ https://bugs.webkit.org/show_bug.cgi?id=186954
+
+ Reviewed by Mark Lam.
+
+ It used to be that the propertyStorage of an object never shrunk
+ so if you called getDirect with some offset it would never be an
+ OOB read. However, this property storage can shrink when calling
+ flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
+ holds the Structure's ConcurrentJSLock while shrinking. This patch,
+ adds a getDirectConcurrently that will safely try to load from the
+ butterfly.
+
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
+ (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::tryGetConstantProperty):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getDirectConcurrently const):
+
+2018-06-22 Yusuke Suzuki
+
+ [WTF] Use Ref<> for the result type of non-failing factory functions
+ https://bugs.webkit.org/show_bug.cgi?id=186920
+
+ Reviewed by Darin Adler.
+
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::ThreadBody::ThreadBody):
+ (JSC::DFG::Worklist::finishCreation):
+ * dfg/DFGWorklist.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::Thread::Thread):
+ * heap/Heap.h:
+ * jit/JITWorklist.cpp:
+ (JSC::JITWorklist::Thread::Thread):
+ * jit/JITWorklist.h:
+ * runtime/VMTraps.cpp:
+ * runtime/VMTraps.h:
+ * wasm/WasmWorklist.cpp:
+ * wasm/WasmWorklist.h:
+
+2018-06-23 Yusuke Suzuki
+
+ [WTF] Add user-defined literal for ASCIILiteral
+ https://bugs.webkit.org/show_bug.cgi?id=186839
+
+ Reviewed by Darin Adler.
+
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject::staticFunctionGetter):
+ (JSC::JSCallbackObject::callbackGetter):
+ * API/JSObjectRef.cpp:
+ (JSObjectMakeFunctionWithCallback):
+ * API/JSTypedArray.cpp:
+ (JSObjectGetArrayBufferBytesPtr):
+ * API/JSValue.mm:
+ (valueToArray):
+ (valueToDictionary):
+ * API/ObjCCallbackFunction.mm:
+ (JSC::objCCallbackFunctionCallAsFunction):
+ (JSC::objCCallbackFunctionCallAsConstructor):
+ (JSC::ObjCCallbackFunctionImpl::call):
+ * API/glib/JSCCallbackFunction.cpp:
+ (JSC::JSCCallbackFunction::call):
+ (JSC::JSCCallbackFunction::construct):
+ * API/glib/JSCContext.cpp:
+ (jscContextJSValueToGValue):
+ * API/glib/JSCValue.cpp:
+ (jsc_value_object_define_property_accessor):
+ (jscValueFunctionCreate):
+ * builtins/BuiltinUtils.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::nameForRegister):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEnumeration):
+ (JSC::BytecodeGenerator::emitIteratorNext):
+ (JSC::BytecodeGenerator::emitIteratorClose):
+ (JSC::BytecodeGenerator::emitDelegateYield):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionCallValueNode::emitBytecode):
+ (JSC::PostfixNode::emitBytecode):
+ (JSC::PrefixNode::emitBytecode):
+ (JSC::AssignErrorNode::emitBytecode):
+ (JSC::ForInNode::emitBytecode):
+ (JSC::ForOfNode::emitBytecode):
+ (JSC::ClassExprNode::emitBytecode):
+ (JSC::ObjectPatternNode::bindValue const):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::newTypedArrayWithSize):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::ConsoleMessage::addToFrontend):
+ (Inspector::ConsoleMessage::clear):
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::InjectedScript):
+ (Inspector::InjectedScript::evaluate):
+ (Inspector::InjectedScript::callFunctionOn):
+ (Inspector::InjectedScript::evaluateOnCallFrame):
+ (Inspector::InjectedScript::getFunctionDetails):
+ (Inspector::InjectedScript::functionDetails):
+ (Inspector::InjectedScript::getPreview):
+ (Inspector::InjectedScript::getProperties):
+ (Inspector::InjectedScript::getDisplayableProperties):
+ (Inspector::InjectedScript::getInternalProperties):
+ (Inspector::InjectedScript::getCollectionEntries):
+ (Inspector::InjectedScript::saveResult):
+ (Inspector::InjectedScript::wrapCallFrames const):
+ (Inspector::InjectedScript::wrapObject const):
+ (Inspector::InjectedScript::wrapJSONString const):
+ (Inspector::InjectedScript::wrapTable const):
+ (Inspector::InjectedScript::previewValue const):
+ (Inspector::InjectedScript::setExceptionValue):
+ (Inspector::InjectedScript::clearExceptionValue):
+ (Inspector::InjectedScript::findObjectById const):
+ (Inspector::InjectedScript::inspectObject):
+ (Inspector::InjectedScript::releaseObject):
+ (Inspector::InjectedScript::releaseObjectGroup):
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::makeEvalCall):
+ * inspector/InjectedScriptManager.cpp:
+ (Inspector::InjectedScriptManager::injectedScriptForObjectId):
+ * inspector/InjectedScriptModule.cpp:
+ (Inspector::InjectedScriptModule::ensureInjected):
+ * inspector/InspectorBackendDispatcher.cpp:
+ (Inspector::BackendDispatcher::dispatch):
+ (Inspector::BackendDispatcher::sendResponse):
+ (Inspector::BackendDispatcher::sendPendingErrors):
+ * inspector/JSGlobalObjectConsoleClient.cpp:
+ (Inspector::JSGlobalObjectConsoleClient::profile):
+ (Inspector::JSGlobalObjectConsoleClient::profileEnd):
+ (Inspector::JSGlobalObjectConsoleClient::timeStamp):
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
+ (Inspector::JSInjectedScriptHost::subtype):
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ * inspector/JSJavaScriptCallFrame.cpp:
+ (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
+ (Inspector::JSJavaScriptCallFrame::type const):
+ * inspector/ScriptArguments.cpp:
+ (Inspector::ScriptArguments::getFirstArgumentAsString):
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::extractSourceInformationFromException):
+ * inspector/agents/InspectorAgent.cpp:
+ (Inspector::InspectorAgent::InspectorAgent):
+ * inspector/agents/InspectorConsoleAgent.cpp:
+ (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
+ (Inspector::InspectorConsoleAgent::clearMessages):
+ (Inspector::InspectorConsoleAgent::count):
+ (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
+ (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
+ (Inspector::buildObjectForBreakpointCookie):
+ (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
+ (Inspector::parseLocation):
+ (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
+ (Inspector::InspectorDebuggerAgent::setBreakpoint):
+ (Inspector::InspectorDebuggerAgent::continueToLocation):
+ (Inspector::InspectorDebuggerAgent::searchInContent):
+ (Inspector::InspectorDebuggerAgent::getScriptSource):
+ (Inspector::InspectorDebuggerAgent::getFunctionDetails):
+ (Inspector::InspectorDebuggerAgent::resume):
+ (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
+ (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
+ (Inspector::InspectorDebuggerAgent::didParseSource):
+ (Inspector::InspectorDebuggerAgent::assertPaused):
+ * inspector/agents/InspectorHeapAgent.cpp:
+ (Inspector::InspectorHeapAgent::InspectorHeapAgent):
+ (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
+ (Inspector::InspectorHeapAgent::getPreview):
+ (Inspector::InspectorHeapAgent::getRemoteObject):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
+ (Inspector::InspectorRuntimeAgent::callFunctionOn):
+ (Inspector::InspectorRuntimeAgent::getPreview):
+ (Inspector::InspectorRuntimeAgent::getProperties):
+ (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
+ (Inspector::InspectorRuntimeAgent::getCollectionEntries):
+ (Inspector::InspectorRuntimeAgent::saveResult):
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ (Inspector::InspectorRuntimeAgent::getBasicBlocks):
+ * inspector/agents/InspectorScriptProfilerAgent.cpp:
+ (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
+ * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
+ (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
+ * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
+ (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
+ * inspector/scripts/codegen/cpp_generator_templates.py:
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
+ (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
+ (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator):
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
+ (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
+ (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
+ * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
+ (ObjCFrontendDispatcherImplementationGenerator._generate_event):
+ (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
+ * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
+ (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
+ * inspector/scripts/codegen/objc_generator_templates.py:
+ * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/generic/expected/domain-availability.json-result:
+ * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/generic/expected/enum-values.json-result:
+ * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
+ * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
+ * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
+ * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
+ * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::friendlyFunctionName):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::Frame::functionName const):
+ (JSC::StackVisitor::Frame::sourceURL const):
+ * jit/JIT.cpp:
+ (JSC::JIT::doMainThreadPreparationBeforeCompile):
+ * jit/JITOperations.cpp:
+ * jsc.cpp:
+ (resolvePath):
+ (GlobalObject::moduleLoaderImportModule):
+ (GlobalObject::moduleLoaderResolve):
+ (functionDescribeArray):
+ (functionRun):
+ (functionLoad):
+ (functionCheckSyntax):
+ (functionDollarEvalScript):
+ (functionDollarAgentStart):
+ (functionDollarAgentReceiveBroadcast):
+ (functionDollarAgentBroadcast):
+ (functionTransferArrayBuffer):
+ (functionLoadModule):
+ (functionSamplingProfilerStackTraces):
+ (functionAsyncTestStart):
+ (functionWebAssemblyMemoryMode):
+ (runWithOptions):
+ * parser/Lexer.cpp:
+ (JSC::Lexer::invalidCharacterMessage const):
+ (JSC::Lexer::parseString):
+ (JSC::Lexer::parseComplexEscape):
+ (JSC::Lexer::parseStringSlowCase):
+ (JSC::Lexer::parseTemplateLiteral):
+ (JSC::Lexer::lex):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ * parser/Parser.h:
+ (JSC::Parser::setErrorMessage):
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::finishCreation):
+ * runtime/ArrayBuffer.cpp:
+ (JSC::errorMesasgeForTransfer):
+ * runtime/ArrayBufferSharingMode.h:
+ (JSC::arrayBufferSharingModeName):
+ * runtime/ArrayConstructor.cpp:
+ (JSC::constructArrayWithSizeQuirk):
+ (JSC::isArraySlowInline):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::setLength):
+ (JSC::shift):
+ (JSC::unshift):
+ (JSC::arrayProtoFuncPop):
+ (JSC::arrayProtoFuncReverse):
+ (JSC::arrayProtoFuncUnShift):
+ * runtime/AtomicsObject.cpp:
+ (JSC::atomicsFuncWait):
+ (JSC::atomicsFuncWake):
+ * runtime/BigIntConstructor.cpp:
+ (JSC::BigIntConstructor::finishCreation):
+ (JSC::toBigInt):
+ (JSC::callBigIntConstructor):
+ * runtime/BigIntObject.cpp:
+ (JSC::BigIntObject::toStringName):
+ * runtime/BigIntPrototype.cpp:
+ (JSC::bigIntProtoFuncToString):
+ (JSC::bigIntProtoFuncValueOf):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/ConsoleClient.cpp:
+ (JSC::ConsoleClient::printConsoleMessageWithArguments):
+ * runtime/ConsoleObject.cpp:
+ (JSC::valueOrDefaultLabelString):
+ (JSC::consoleProtoFuncTime):
+ (JSC::consoleProtoFuncTimeEnd):
+ * runtime/DatePrototype.cpp:
+ (JSC::formatLocaleDate):
+ (JSC::formateDateInstance):
+ (JSC::DatePrototype::finishCreation):
+ (JSC::dateProtoFuncToISOString):
+ (JSC::dateProtoFuncToJSON):
+ * runtime/Error.cpp:
+ (JSC::createNotEnoughArgumentsError):
+ (JSC::throwSyntaxError):
+ (JSC::createTypeError):
+ (JSC::createOutOfMemoryError):
+ * runtime/Error.h:
+ (JSC::throwVMError):
+ * runtime/ErrorConstructor.cpp:
+ (JSC::ErrorConstructor::finishCreation):
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::sanitizedToString):
+ * runtime/ErrorPrototype.cpp:
+ (JSC::ErrorPrototype::finishCreation):
+ (JSC::errorProtoFuncToString):
+ * runtime/ExceptionFuzz.cpp:
+ (JSC::doExceptionFuzzing):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::TerminatedExecutionError::defaultValue):
+ (JSC::createStackOverflowError):
+ (JSC::createNotAConstructorError):
+ (JSC::createNotAFunctionError):
+ (JSC::createNotAnObjectError):
+ * runtime/GetterSetter.cpp:
+ (JSC::callSetter):
+ * runtime/IntlCollator.cpp:
+ (JSC::sortLocaleData):
+ (JSC::searchLocaleData):
+ (JSC::IntlCollator::initializeCollator):
+ (JSC::IntlCollator::compareStrings):
+ (JSC::IntlCollator::usageString):
+ (JSC::IntlCollator::sensitivityString):
+ (JSC::IntlCollator::caseFirstString):
+ (JSC::IntlCollator::resolvedOptions):
+ * runtime/IntlCollator.h:
+ * runtime/IntlCollatorConstructor.cpp:
+ (JSC::IntlCollatorConstructor::finishCreation):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototypeGetterCompare):
+ (JSC::IntlCollatorPrototypeFuncResolvedOptions):
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::defaultTimeZone):
+ (JSC::canonicalizeTimeZoneName):
+ (JSC::IntlDTFInternal::localeData):
+ (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ (JSC::IntlDateTimeFormat::weekdayString):
+ (JSC::IntlDateTimeFormat::eraString):
+ (JSC::IntlDateTimeFormat::yearString):
+ (JSC::IntlDateTimeFormat::monthString):
+ (JSC::IntlDateTimeFormat::dayString):
+ (JSC::IntlDateTimeFormat::hourString):
+ (JSC::IntlDateTimeFormat::minuteString):
+ (JSC::IntlDateTimeFormat::secondString):
+ (JSC::IntlDateTimeFormat::timeZoneNameString):
+ (JSC::IntlDateTimeFormat::resolvedOptions):
+ (JSC::IntlDateTimeFormat::format):
+ (JSC::IntlDateTimeFormat::partTypeString):
+ (JSC::IntlDateTimeFormat::formatToParts):
+ * runtime/IntlDateTimeFormat.h:
+ * runtime/IntlDateTimeFormatConstructor.cpp:
+ (JSC::IntlDateTimeFormatConstructor::finishCreation):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototypeGetterFormat):
+ (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
+ (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+ (JSC::IntlNumberFormat::formatNumber):
+ (JSC::IntlNumberFormat::styleString):
+ (JSC::IntlNumberFormat::currencyDisplayString):
+ (JSC::IntlNumberFormat::resolvedOptions):
+ (JSC::IntlNumberFormat::partTypeString):
+ (JSC::IntlNumberFormat::formatToParts):
+ * runtime/IntlNumberFormat.h:
+ * runtime/IntlNumberFormatConstructor.cpp:
+ (JSC::IntlNumberFormatConstructor::finishCreation):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototypeGetterFormat):
+ (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
+ (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
+ * runtime/IntlObject.cpp: + (JSC::grandfatheredLangTag): + (JSC::canonicalizeLocaleList): + (JSC::resolveLocale): + (JSC::supportedLocales): + * runtime/IntlPluralRules.cpp: + (JSC::IntlPluralRules::initializePluralRules): + (JSC::IntlPluralRules::resolvedOptions): + (JSC::IntlPluralRules::select): + * runtime/IntlPluralRulesConstructor.cpp: + (JSC::IntlPluralRulesConstructor::finishCreation): + * runtime/IntlPluralRulesPrototype.cpp: + (JSC::IntlPluralRulesPrototypeFuncSelect): + (JSC::IntlPluralRulesPrototypeFuncResolvedOptions): + * runtime/IteratorOperations.cpp: + (JSC::iteratorNext): + (JSC::iteratorClose): + (JSC::hasIteratorMethod): + (JSC::iteratorMethod): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + (JSC::JSArray::defineOwnProperty): + (JSC::JSArray::put): + (JSC::JSArray::setLengthWithArrayStorage): + (JSC::JSArray::appendMemcpy): + (JSC::JSArray::pop): + * runtime/JSArray.h: + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSArrayBufferConstructor::finishCreation): + * runtime/JSArrayBufferPrototype.cpp: + (JSC::arrayBufferProtoFuncSlice): + (JSC::arrayBufferProtoGetterFuncByteLength): + (JSC::sharedArrayBufferProtoGetterFuncByteLength): + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::toStringName): + * runtime/JSArrayInlines.h: + (JSC::JSArray::pushInline): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::divide): + (JSC::JSBigInt::remainder): + (JSC::JSBigInt::toNumber const): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + (JSC::JSValue::putToPrimitiveByIndex): + (JSC::JSValue::toStringSlowCase const): + * runtime/JSCJSValueInlines.h: + (JSC::toPreferredPrimitiveType): + * runtime/JSDataView.cpp: + (JSC::JSDataView::create): + (JSC::JSDataView::put): + (JSC::JSDataView::defineOwnProperty): + * runtime/JSDataViewPrototype.cpp: + (JSC::getData): + (JSC::setData): + * runtime/JSFunction.cpp: + (JSC::JSFunction::callerGetter): + (JSC::JSFunction::put): + (JSC::JSFunction::defineOwnProperty): + 
* runtime/JSGenericTypedArrayView.h: + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::constructGenericTypedArrayViewWithArguments): + (JSC::constructGenericTypedArrayView): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::deleteProperty): + * runtime/JSGenericTypedArrayViewPrototypeFunctions.h: + (JSC::speciesConstruct): + (JSC::genericTypedArrayViewProtoFuncSet): + (JSC::genericTypedArrayViewProtoFuncIndexOf): + (JSC::genericTypedArrayViewProtoFuncLastIndexOf): + (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObjectDebuggable.cpp: + (JSC::JSGlobalObjectDebuggable::name const): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::encode): + (JSC::decode): + (JSC::globalFuncProtoSetter): + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSMap.cpp: + (JSC::JSMap::toStringName): + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::put): + * runtime/JSModuleNamespaceObject.cpp: + (JSC::JSModuleNamespaceObject::put): + (JSC::JSModuleNamespaceObject::putByIndex): + (JSC::JSModuleNamespaceObject::defineOwnProperty): + * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): + (JSC::JSONProtoFuncParse): + (JSC::JSONProtoFuncStringify): + * runtime/JSObject.cpp: + (JSC::getClassPropertyNames): + (JSC::JSObject::calculatedClassName): + (JSC::ordinarySetSlow): + (JSC::JSObject::putInlineSlow): + (JSC::JSObject::setPrototypeWithCycleCheck): + (JSC::callToPrimitiveFunction): + (JSC::JSObject::ordinaryToPrimitive const): + (JSC::JSObject::defaultHasInstance): + (JSC::JSObject::defineOwnIndexedProperty): + (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): + (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): + (JSC::validateAndApplyPropertyDescriptor): + * runtime/JSObject.h: + * runtime/JSObjectInlines.h: + (JSC::JSObject::putInlineForJSObject): + * runtime/JSPromiseConstructor.cpp: + 
(JSC::JSPromiseConstructor::finishCreation): + * runtime/JSSet.cpp: + (JSC::JSSet::toStringName): + * runtime/JSSymbolTableObject.h: + (JSC::symbolTablePut): + * runtime/JSTypedArrayViewConstructor.cpp: + (JSC::constructTypedArrayView): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::typedArrayViewPrivateFuncLength): + (JSC::typedArrayViewProtoFuncSet): + (JSC::typedArrayViewProtoFuncCopyWithin): + (JSC::typedArrayViewProtoFuncLastIndexOf): + (JSC::typedArrayViewProtoFuncIndexOf): + (JSC::typedArrayViewProtoFuncJoin): + (JSC::typedArrayViewProtoGetterFuncBuffer): + (JSC::typedArrayViewProtoGetterFuncLength): + (JSC::typedArrayViewProtoGetterFuncByteLength): + (JSC::typedArrayViewProtoGetterFuncByteOffset): + (JSC::typedArrayViewProtoFuncReverse): + (JSC::typedArrayViewPrivateFuncSubarrayCreate): + (JSC::typedArrayViewProtoFuncSlice): + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/JSWeakMap.cpp: + (JSC::JSWeakMap::toStringName): + * runtime/JSWeakSet.cpp: + (JSC::JSWeakSet::toStringName): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lex): + (JSC::LiteralParser::Lexer::lexStringSlow): + (JSC::LiteralParser::Lexer::lexNumber): + (JSC::LiteralParser::parse): + * runtime/LiteralParser.h: + (JSC::LiteralParser::getErrorMessage): + * runtime/Lookup.cpp: + (JSC::reifyStaticAccessor): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/MapPrototype.cpp: + (JSC::getMap): + * runtime/NullSetterFunction.cpp: + (JSC::NullSetterFunctionInternal::callReturnUndefined): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToExponential): + (JSC::numberProtoFuncToFixed): + (JSC::numberProtoFuncToPrecision): + (JSC::extractToStringRadixArgument): + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorSetPrototypeOf): + (JSC::objectConstructorAssign): + (JSC::objectConstructorValues): + (JSC::toPropertyDescriptor): + (JSC::objectConstructorDefineProperty): + (JSC::objectConstructorDefineProperties): + (JSC::objectConstructorCreate): + 
(JSC::objectConstructorSeal): + (JSC::objectConstructorFreeze): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + * runtime/Operations.cpp: + (JSC::jsAddSlowCase): + * runtime/Operations.h: + (JSC::jsSub): + (JSC::jsMul): + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/ProxyConstructor.cpp: + (JSC::makeRevocableProxy): + (JSC::proxyRevocableConstructorThrowError): + (JSC::ProxyConstructor::finishCreation): + (JSC::constructProxyObject): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::toStringName): + (JSC::ProxyObject::finishCreation): + (JSC::performProxyGet): + (JSC::ProxyObject::performInternalMethodGetOwnProperty): + (JSC::ProxyObject::performHasProperty): + (JSC::ProxyObject::performPut): + (JSC::performProxyCall): + (JSC::performProxyConstruct): + (JSC::ProxyObject::performDelete): + (JSC::ProxyObject::performPreventExtensions): + (JSC::ProxyObject::performIsExtensible): + (JSC::ProxyObject::performDefineOwnProperty): + (JSC::ProxyObject::performGetOwnPropertyNames): + (JSC::ProxyObject::performSetPrototype): + (JSC::ProxyObject::performGetPrototype): + * runtime/ReflectObject.cpp: + (JSC::reflectObjectConstruct): + (JSC::reflectObjectDefineProperty): + (JSC::reflectObjectGet): + (JSC::reflectObjectGetOwnPropertyDescriptor): + (JSC::reflectObjectGetPrototypeOf): + (JSC::reflectObjectIsExtensible): + (JSC::reflectObjectOwnKeys): + (JSC::reflectObjectPreventExtensions): + (JSC::reflectObjectSet): + (JSC::reflectObjectSetPrototypeOf): + * runtime/RegExpConstructor.cpp: + (JSC::RegExpConstructor::finishCreation): + (JSC::toFlags): + * runtime/RegExpObject.cpp: + (JSC::RegExpObject::defineOwnProperty): + * runtime/RegExpObject.h: + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncCompile): + (JSC::regExpProtoGetterGlobal): + (JSC::regExpProtoGetterIgnoreCase): + (JSC::regExpProtoGetterMultiline): + (JSC::regExpProtoGetterDotAll): + 
(JSC::regExpProtoGetterSticky): + (JSC::regExpProtoGetterUnicode): + (JSC::regExpProtoGetterFlags): + (JSC::regExpProtoGetterSourceInternal): + (JSC::regExpProtoGetterSource): + * runtime/RuntimeType.cpp: + (JSC::runtimeTypeAsString): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::StackFrame::displayName): + (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests): + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::prepareForExecutionImpl): + * runtime/SetPrototype.cpp: + (JSC::getSet): + * runtime/SparseArrayValueMap.cpp: + (JSC::SparseArrayValueMap::putEntry): + (JSC::SparseArrayValueMap::putDirect): + (JSC::SparseArrayEntry::put): + * runtime/StackFrame.cpp: + (JSC::StackFrame::sourceURL const): + (JSC::StackFrame::functionName const): + * runtime/StringConstructor.cpp: + (JSC::stringFromCodePoint): + * runtime/StringObject.cpp: + (JSC::StringObject::put): + (JSC::StringObject::putByIndex): + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + (JSC::toLocaleCase): + (JSC::stringProtoFuncNormalize): + * runtime/Symbol.cpp: + (JSC::Symbol::toNumber const): + * runtime/SymbolConstructor.cpp: + (JSC::symbolConstructorKeyFor): + * runtime/SymbolObject.cpp: + (JSC::SymbolObject::toStringName): + * runtime/SymbolPrototype.cpp: + (JSC::SymbolPrototype::finishCreation): + * runtime/TypeSet.cpp: + (JSC::TypeSet::dumpTypes const): + (JSC::TypeSet::displayName const): + (JSC::StructureShape::leastCommonAncestor): + * runtime/TypeSet.h: + (JSC::StructureShape::setConstructorName): + * runtime/VM.cpp: + (JSC::VM::dumpTypeProfilerData): + * runtime/WeakMapPrototype.cpp: + (JSC::getWeakMap): + (JSC::protoFuncWeakMapSet): + * runtime/WeakSetPrototype.cpp: + (JSC::getWeakSet): + (JSC::protoFuncWeakSetAdd): + * tools/JSDollarVM.cpp: + (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): + (WTF::DOMJITGetterComplex::customGetter): + (JSC::functionSetImpureGetterDelegate): + (JSC::functionCreateElement): + 
(JSC::functionGetHiddenValue): + (JSC::functionSetHiddenValue): + (JSC::functionFindTypeForExpression): + (JSC::functionReturnTypeFor): + (JSC::functionLoadGetterFromGetterSetter): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::fail const): + * wasm/WasmIndexOrName.cpp: + (JSC::Wasm::makeString): + * wasm/WasmParser.h: + (JSC::Wasm::FailureHelper::makeString): + (JSC::Wasm::Parser::fail const): + * wasm/WasmPlan.cpp: + (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::fail const): + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::toNonWrappingUint32): + (JSC::getWasmBufferFromValue): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyMemory.cpp: + (JSC::JSWebAssemblyMemory::grow): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + * wasm/js/WebAssemblyCompileErrorConstructor.cpp: + (JSC::WebAssemblyCompileErrorConstructor::finishCreation): + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + (JSC::WebAssemblyInstanceConstructor::finishCreation): + * wasm/js/WebAssemblyInstancePrototype.cpp: + (JSC::getInstance): + * wasm/js/WebAssemblyLinkErrorConstructor.cpp: + (JSC::WebAssemblyLinkErrorConstructor::finishCreation): + * wasm/js/WebAssemblyMemoryConstructor.cpp: + (JSC::constructJSWebAssemblyMemory): + (JSC::WebAssemblyMemoryConstructor::finishCreation): + * wasm/js/WebAssemblyMemoryPrototype.cpp: + (JSC::getMemory): + * wasm/js/WebAssemblyModuleConstructor.cpp: + (JSC::webAssemblyModuleCustomSections): + (JSC::webAssemblyModuleImports): + (JSC::webAssemblyModuleExports): + (JSC::WebAssemblyModuleConstructor::finishCreation): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + (JSC::dataSegmentFail): + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyPrototype.cpp: 
+ (JSC::resolve): + (JSC::webAssemblyInstantiateFunc): + (JSC::webAssemblyInstantiateStreamingInternal): + * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: + (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation): + * wasm/js/WebAssemblyTableConstructor.cpp: + (JSC::constructJSWebAssemblyTable): + (JSC::WebAssemblyTableConstructor::finishCreation): + * wasm/js/WebAssemblyTablePrototype.cpp: + (JSC::getTable): + (JSC::webAssemblyTableProtoFuncGrow): + (JSC::webAssemblyTableProtoFuncGet): + (JSC::webAssemblyTableProtoFuncSet): + +2018-06-22 Keith Miller + + unshift should zero unused property storage + https://bugs.webkit.org/show_bug.cgi?id=186960 + + Reviewed by Saam Barati. + + Also, this patch adds the zeroed unused property storage assertion + to one more place it was missing. + + * runtime/JSArray.cpp: + (JSC::JSArray::unshiftCountSlowCase): + * runtime/JSObjectInlines.h: + (JSC::JSObject::putDirectInternal): + +2018-06-22 Mark Lam + + PropertyCondition::isValidValueForAttributes() should also consider deleted values. + https://bugs.webkit.org/show_bug.cgi?id=186943 + + + Reviewed by Saam Barati. + + PropertyCondition::isValidValueForAttributes() should check if the passed in value + is a deleted one before it does a jsDynamicCast on it. + + * bytecode/PropertyCondition.cpp: + (JSC::PropertyCondition::isValidValueForAttributes): + * runtime/JSCJSValueInlines.h: + - removed an unnecessary #if. + +2018-06-22 Keith Miller + + performProxyCall should toThis the value passed to its handler + https://bugs.webkit.org/show_bug.cgi?id=186951 + + Reviewed by Mark Lam. + + * runtime/ProxyObject.cpp: + (JSC::performProxyCall): + +2018-06-22 Saam Barati + + ensureWritableX should only convert away from CoW when it will succeed + https://bugs.webkit.org/show_bug.cgi?id=186898 + + Reviewed by Keith Miller. + + Otherwise, when we OSR exit, we'll end up profiling the array after + it has been converted away from CoW. 
It's better for the ArrayProfile + to see the array as it's still in CoW mode. + + This patch also renames ensureWritableX to tryMakeWritableX since these + were never really "ensure" operations -- they may fail and return null. + + * dfg/DFGOperations.cpp: + * runtime/JSObject.cpp: + (JSC::JSObject::tryMakeWritableInt32Slow): + (JSC::JSObject::tryMakeWritableDoubleSlow): + (JSC::JSObject::tryMakeWritableContiguousSlow): + (JSC::JSObject::ensureWritableInt32Slow): Deleted. + (JSC::JSObject::ensureWritableDoubleSlow): Deleted. + (JSC::JSObject::ensureWritableContiguousSlow): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::tryMakeWritableInt32): + (JSC::JSObject::tryMakeWritableDouble): + (JSC::JSObject::tryMakeWritableContiguous): + (JSC::JSObject::ensureWritableInt32): Deleted. + (JSC::JSObject::ensureWritableDouble): Deleted. + (JSC::JSObject::ensureWritableContiguous): Deleted. + +2018-06-22 Keith Miller + + We should call visitChildren on Base not the exact typename + https://bugs.webkit.org/show_bug.cgi?id=186928 + + Reviewed by Mark Lam. + + A lot of places were not properly calling visitChildren on their + superclass. For most of them it didn't matter because they had + immortal structures. If code changed in the future this might + break things however. + + Also, block off more of the MethodTable for GetterSetter objects. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::visitChildren): + * bytecode/ExecutableToCodeBlockEdge.cpp: + (JSC::ExecutableToCodeBlockEdge::visitChildren): + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::visitChildren): + * runtime/EvalExecutable.cpp: + (JSC::EvalExecutable::visitChildren): + * runtime/FunctionExecutable.cpp: + (JSC::FunctionExecutable::visitChildren): + * runtime/FunctionRareData.cpp: + (JSC::FunctionRareData::visitChildren): + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::visitChildren): + * runtime/GetterSetter.cpp: + (JSC::GetterSetter::visitChildren): + * runtime/GetterSetter.h: + * runtime/InferredType.cpp: + (JSC::InferredType::visitChildren): + * runtime/InferredTypeTable.cpp: + (JSC::InferredTypeTable::visitChildren): + * runtime/InferredValue.cpp: + (JSC::InferredValue::visitChildren): + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::visitChildren): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::visitChildren): + * runtime/ModuleProgramExecutable.cpp: + (JSC::ModuleProgramExecutable::visitChildren): + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::visitChildren): + * runtime/ScopedArguments.cpp: + (JSC::ScopedArguments::visitChildren): + * runtime/ScopedArguments.h: + * runtime/Structure.cpp: + (JSC::Structure::visitChildren): + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::visitChildren): + * runtime/SymbolTable.cpp: + (JSC::SymbolTable::visitChildren): + +2018-06-20 Darin Adler + + [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity + https://bugs.webkit.org/show_bug.cgi?id=186875 + + Reviewed by Anders Carlsson. + + * API/tests/testapi.mm: + (testObjectiveCAPIMain): Use isDirectory:NO when creating a URL for a JavaScript file. 
+ +2018-06-22 Carlos Garcia Campos + + [GTK] WebDriver: use a dictionary for session capabilities in StartAutomationSession message + https://bugs.webkit.org/show_bug.cgi?id=186915 + + Reviewed by Žan Doberšek. + + Update StartAutomationSession message handling to receive a dictionary of session capabilities. + + * inspector/remote/glib/RemoteInspectorServer.cpp: + (Inspector::processSessionCapabilities): Helper method to process the session capabilities. + +2018-06-21 Mark Lam + + WebKit (JavaScriptCore) compilation error with Clang ≥ 6. + https://bugs.webkit.org/show_bug.cgi?id=185947 + + + Reviewed by Saam Barati. + + Newer Clang versions (due to C++17 support) is not happy with how I implemented + conversions between CodeLocation types. We'll fix this by adding a conversion + operator for converting between CodeLocation types. + + * assembler/CodeLocation.h: + (JSC::CodeLocationCommon::operator T): + +2018-06-21 Saam Barati + + Do some CoW cleanup + https://bugs.webkit.org/show_bug.cgi?id=186896 + + Reviewed by Mark Lam. + + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile): + We don't need to WTFMove() ints + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + remove a TODO. + + * runtime/JSObject.cpp: + (JSC::JSObject::putByIndex): + We were checking for isCopyOnWrite even after we converted away + from CoW in above code. + (JSC::JSObject::ensureWritableInt32Slow): + Model this in the same way the other ensureWritableXSlow are modeled. + +2018-06-20 Keith Miller + + flattenDictionaryStruture needs to zero inline storage. + https://bugs.webkit.org/show_bug.cgi?id=186869 + + Reviewed by Saam Barati. + + This patch also adds the assetion that unused property storage is + zero or JSValue() to putDirectInternal. Additionally, functions + have been added to $vm that flatten dictionary objects and return + the inline capacity of an object. 
+ + * runtime/JSObjectInlines.h: + (JSC::JSObject::putDirectInternal): + * runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + * tools/JSDollarVM.cpp: + (JSC::functionInlineCapacity): + (JSC::functionFlattenDictionaryObject): + (JSC::JSDollarVM::finishCreation): + +2018-06-21 Mark Lam + + Use IsoCellSets to track Executables with clearable code. + https://bugs.webkit.org/show_bug.cgi?id=186877 + + Reviewed by Filip Pizlo. + + Here’s an example of the results that this fix may yield: + 1. The workload: load cnn.com, wait for it to fully load, scroll down and up. + 2. Statistics on memory touched and memory freed by VM::deleteAllCode(): + + Visiting Executables: + Old New + Number of objects visited: 70897 14264 + Number of objects with deletable code: 14264 (20.1%) 14264 (100%) + Number of memory pages visited: 3224 1602 + Number of memory pages with deletable code: 1602 (49.7%) 1602 (100%) + + Visitng UnlinkedFunctionExecutables: + Old New + Number of objects visited: 105454 17231 + Number of objects with deletable code: 42319 (20.1%) 17231 (100%) ** + Number of memory pages visited: 4796 1349 + Number of memory pages with deletable code: 4013 (83.7%) 1349 (100%) + + ** The number of objects differ because the old code only visit unlinked + executables indirectly via linked executables, whereas the new behavior visit + all unlinked executables with deletable code directly. This means: + + a. we used to not visit unlinked executables that have not been linked yet + i.e. deleteAllCode() may not delete all code (especially code that is not + used). + b. we had to visit all linked executables to check if they of type + FunctionExecutable, before going on to visit their unlinked executable, and + this includes the ones that do not have deletable code. This means that we + would touch more memory in the process. + + Both of these these issues are now fixed with the new code. 
+ + This code was tested with manually inserted instrumentation to track the above + statistics. It is not feasible to write an automated test for this without + leaving a lot of invasive instrumentation in the code. + + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor): + * bytecode/UnlinkedFunctionExecutable.h: + * heap/CodeBlockSetInlines.h: + (JSC::CodeBlockSet::iterateViaSubspaces): + * heap/Heap.cpp: + (JSC::Heap::deleteAllCodeBlocks): + (JSC::Heap::deleteAllUnlinkedCodeBlocks): + (JSC::Heap::deleteUnmarkedCompiledCode): + (JSC::Heap::clearUnmarkedExecutables): Deleted. + (JSC::Heap::addExecutable): Deleted. + * heap/Heap.h: + * runtime/DirectEvalExecutable.h: + + * runtime/ExecutableBase.cpp: + (JSC::ExecutableBase::hasClearableCode const): + - this is written based on the implementation of ExecutableBase::clearCode(). + + * runtime/ExecutableBase.h: + * runtime/FunctionExecutable.h: + * runtime/IndirectEvalExecutable.h: + * runtime/ModuleProgramExecutable.h: + * runtime/ProgramExecutable.h: + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::clearCode): + (JSC::ScriptExecutable::installCode): + * runtime/ScriptExecutable.h: + (JSC::ScriptExecutable::finishCreation): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): + (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): + (JSC::VM::forEachScriptExecutableSpace): + (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): + (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): + +2018-06-21 Zan Dobersek + + [GTK] WebDriver: allow applying host-specific TLS certificates for automated sessions + https://bugs.webkit.org/show_bug.cgi?id=186884 + + Reviewed by Carlos Garcia Campos. 
+ + Add a tuple array input parameter to the StartAutomationSession DBus + message, representing a list of host-and-certificate pairs that have to + be allowed for a given session. This array is then unpacked and used to + fill out the certificates Vector object in the SessionCapabilities + struct. + + * inspector/remote/RemoteInspector.h: Add a GLib-specific Vector of + String pairs representing hosts and the certificate file paths. + * inspector/remote/glib/RemoteInspectorServer.cpp: + +2018-06-20 Keith Miller + + Expand concurrent GC assertion to accept JSValue() or 0 + https://bugs.webkit.org/show_bug.cgi?id=186855 + + Reviewed by Mark Lam. + + We tend to set unused property slots to either JSValue() or 0 + depending on the context. On 64-bit these are the same but on + 32-bit JSValue() has a NaN tag. This patch makes it so we + the accept either JSValue() or 0. + + * runtime/JSObjectInlines.h: + (JSC::JSObject::prepareToPutDirectWithoutTransition): + +2018-06-20 Guillaume Emont + + [Armv7] Linkbuffer: executableOffsetFor() fails for location 2 + https://bugs.webkit.org/show_bug.cgi?id=186765 + + Reviewed by Michael Saboff. + + This widens the check for 0 so that we handle that case more correctly. + + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::executableOffsetFor): + +2018-06-19 Keith Miller + + Fix broken assertion on 32-bit + https://bugs.webkit.org/show_bug.cgi?id=186830 + + Reviewed by Mark Lam. + + The assertion was intended to catch concurrent GC issues. We don't + run them on 32-bit so we don't need this assertion there. The + assertion was broken because zero is not JSValue() on 32-bit. + + * runtime/JSObjectInlines.h: + (JSC::JSObject::prepareToPutDirectWithoutTransition): + +2018-06-19 Keith Miller + + flattenDictionaryStructure needs to zero properties that have been compressed away + https://bugs.webkit.org/show_bug.cgi?id=186828 + + Reviewed by Mark Lam. + + This patch fixes a bunch of crashing Mozilla tests on the bots. 
+ + * runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + +2018-06-19 Saam Barati + + DirectArguments::create needs to initialize to undefined instead of the empty value + https://bugs.webkit.org/show_bug.cgi?id=186818 + + + Reviewed by Filip Pizlo. + + The bug here is that we will emit code that just loads from DirectArguments as + long as the index is within the known capacity of the arguments object (op_get_from_arguments). + The arguments object has at least enough capacity to hold the declared parameters. + When we materialized this object in OSR exit, we initialized up to to the capacity + with JSValue(). In OSR exit, though, we only filled up to the length of the + object with actual values. So we'd end up with a DirectArguments object with + capacity minus length slots of JSValue(). To fix this, we need initialize up to + capacity with jsUndefined during construction. The invariant of this object is + that the capacity minus length slots at the end are filled in with jsUndefined. + + * runtime/DirectArguments.cpp: + (JSC::DirectArguments::create): + +2018-06-19 Michael Saboff + + Crash in sanitizeStackForVMImpl sometimes when switching threads with same VM + https://bugs.webkit.org/show_bug.cgi?id=186827 + + Reviewed by Saam Barati. + + Need to set VM::lastStackTop before any possible calls to sanitizeStack(). + + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + +2018-06-19 Tadeu Zagallo + + ShadowChicken crashes with stack overflow in the LLInt + https://bugs.webkit.org/show_bug.cgi?id=186540 + + + Reviewed by Saam Barati. + + Stack overflows in the LLInt were crashing in ShadowChicken when compiling + with debug opcodes because it was accessing the scope of the incomplete top + frame, which hadn't been set yet. Check that we have moved past the first + opcode (enter) and that the scope is not undefined (enter will + initialize it to undefined). 
+ + * interpreter/ShadowChicken.cpp: + (JSC::ShadowChicken::update): + +2018-06-19 Keith Miller + + constructArray variants should take the slow path for subclasses of Array + https://bugs.webkit.org/show_bug.cgi?id=186812 + + Reviewed by Saam Barati and Mark Lam. + + This patch fixes a crashing test in ObjectInitializationScope where we would + allocate a new structure for an indexing type change while initializing + a subclass of Array. Since the new array hasn't been fully initialized + if the GC ran it would see garbage and we might crash. + + * runtime/JSArray.cpp: + (JSC::constructArray): + (JSC::constructArrayNegativeIndexed): + * runtime/JSArray.h: + (JSC::constructArray): Deleted. + (JSC::constructArrayNegativeIndexed): Deleted. + +2018-06-19 Saam Barati + + Wasm: Any function argument of type Void should be a validation error + https://bugs.webkit.org/show_bug.cgi?id=186794 + + + Reviewed by Keith Miller. + + * wasm/WasmModuleParser.cpp: + (JSC::Wasm::ModuleParser::parseType): + +2018-06-18 Keith Miller + + JSImmutableButterfly should assert m_header is adjacent to the data + https://bugs.webkit.org/show_bug.cgi?id=186795 + + Reviewed by Saam Barati. + + * runtime/JSImmutableButterfly.cpp: + * runtime/JSImmutableButterfly.h: + +2018-06-18 Keith Miller + + Unreviewed, fix the build... + + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + +2018-06-18 Keith Miller + + Unreviewed, remove bad assertion. + + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + +2018-06-18 Keith Miller + + Properly zero unused property storage offsets + https://bugs.webkit.org/show_bug.cgi?id=186692 + + Reviewed by Filip Pizlo. + + Since the concurrent GC might see a property slot before the mutator has actually + stored the value there, we need to ensure that slot doesn't have garbage in it. 
+ + Right now when calling constructConvertedArrayStorageWithoutCopyingElements + or creating a RegExp matches array, we never cleared the unused + property storage. ObjectIntializationScope has also been upgraded + to look for our invariants around property storage. Additionally, + a new assertion has been added to check for JSValue() when adding + a new property. + + We used to put undefined into deleted property offsets. To + make things simpler, this patch causes us to store JSValue() there + instead. + + Lastly, this patch fixes an issue where we would initialize the + array storage of RegExpMatchesArray twice. First with 0 and + secondly with the actual result. Now we only zero memory between + vector length and public length. + + * runtime/Butterfly.h: + (JSC::Butterfly::offsetOfVectorLength): + * runtime/ButterflyInlines.h: + (JSC::Butterfly::tryCreateUninitialized): + (JSC::Butterfly::createUninitialized): + (JSC::Butterfly::tryCreate): + (JSC::Butterfly::create): + (JSC::Butterfly::createOrGrowPropertyStorage): + (JSC::Butterfly::createOrGrowArrayRight): + (JSC::Butterfly::growArrayRight): + (JSC::Butterfly::resizeArray): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted. 
+ * runtime/JSArray.h: + (JSC::tryCreateArrayButterfly): + * runtime/JSObject.cpp: + (JSC::JSObject::createArrayStorageButterfly): + (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::shiftButterflyAfterFlattening): + * runtime/JSObject.h: + * runtime/JSObjectInlines.h: + (JSC::JSObject::prepareToPutDirectWithoutTransition): + * runtime/ObjectInitializationScope.cpp: + (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized): + * runtime/ObjectInitializationScope.h: + (JSC::ObjectInitializationScope::release): + * runtime/RegExpMatchesArray.h: + (JSC::tryCreateUninitializedRegExpMatchesArray): + (JSC::createRegExpMatchesArray): + + * runtime/Butterfly.h: + (JSC::Butterfly::offsetOfVectorLength): + * runtime/ButterflyInlines.h: + (JSC::Butterfly::tryCreateUninitialized): + (JSC::Butterfly::createUninitialized): + (JSC::Butterfly::tryCreate): + (JSC::Butterfly::create): + (JSC::Butterfly::createOrGrowPropertyStorage): + (JSC::Butterfly::createOrGrowArrayRight): + (JSC::Butterfly::growArrayRight): + (JSC::Butterfly::resizeArray): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + (JSC::createArrayButterflyInDictionaryIndexingMode): Deleted. 
+ * runtime/JSArray.h:
+ (JSC::tryCreateArrayButterfly):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::createArrayStorageButterfly):
+ (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::shiftButterflyAfterFlattening):
+ * runtime/JSObject.h:
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::prepareToPutDirectWithoutTransition):
+ * runtime/ObjectInitializationScope.cpp:
+ (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::createEmptyRegExpMatchesArray):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::tryCreateUninitializedRegExpMatchesArray):
+ (JSC::createRegExpMatchesArray):
+
+2018-06-18 Tadeu Zagallo
+
+ Share structure across instances of classes exported through the ObjC API
+ https://bugs.webkit.org/show_bug.cgi?id=186579
+
+
+ Reviewed by Saam Barati.
+
+ A new structure was being created for each instance of exported ObjC
+ classes due to setting the prototype in the structure for every object,
+ since prototype transitions are not cached by the structure. Cache the
+ Structure in the JSObjcClassInfo to avoid the transition.
+
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo wrapperForObject:inContext:]):
+ (-[JSObjCClassInfo structureInContext:]):
+ * API/tests/JSWrapperMapTests.h: Added.
+ * API/tests/JSWrapperMapTests.mm: Added.
+ (+[JSWrapperMapTests testStructureIdentity]):
+ (runJSWrapperMapTests):
+ * API/tests/testapi.mm:
+ (testObjectiveCAPIMain):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2018-06-18 Michael Saboff
+
+ Support Unicode 11 in RegExp
+ https://bugs.webkit.org/show_bug.cgi?id=186685
+
+ Reviewed by Mark Lam.
+
+ Updated the UCD tables used to generate RegExp property tables to version 11.0.
+
+ * Scripts/generateYarrUnicodePropertyTables.py:
+ * ucd/CaseFolding.txt:
+ * ucd/DerivedBinaryProperties.txt:
+ * ucd/DerivedCoreProperties.txt:
+ * ucd/DerivedNormalizationProps.txt:
+ * ucd/PropList.txt:
+ * ucd/PropertyAliases.txt:
+ * ucd/PropertyValueAliases.txt:
+ * ucd/ScriptExtensions.txt:
+ * ucd/Scripts.txt:
+ * ucd/UnicodeData.txt:
+ * ucd/emoji-data.txt:
+
+2018-06-18 Carlos Alberto Lopez Perez
+
+ [WTF] Remove workarounds needed to support libstdc++-4
+ https://bugs.webkit.org/show_bug.cgi?id=186762
+
+ Reviewed by Michael Catanzaro.
+
+ Revert r226299, r226300 r226301 and r226302.
+
+ * API/tests/TypedArrayCTest.cpp:
+ (assertEqualsAsNumber):
+
+2018-06-16 Michael Catanzaro
+
+ REGRESSION(r227717): Hardcoded page size causing JSC crashes on platforms with page size bigger than 16 KB
+ https://bugs.webkit.org/show_bug.cgi?id=182923
+
+ Reviewed by Mark Lam.
+
+ The blockSize used by MarkedBlock is incorrect on platforms with pages larger than 16 KB.
+ Upstream Fedora's patch to use a safer 64 KB default. This fixes PowerPC and s390x.
+
+ * heap/MarkedBlock.h:
+
+2018-06-16 Yusuke Suzuki
+
+ [JSC] Inline JSArray::pushInline and Structure::nonPropertyTransition
+ https://bugs.webkit.org/show_bug.cgi?id=186723
+
+ Reviewed by Mark Lam.
+
+ Now, CoW -> non-CoW transition is heavy path. We inline the part of Structure::nonPropertyTransition
+ to catch the major path. And we also inline JSArray::pushInline well to spread this in operationArrayPushMultiple.
+
+ This patch improves SixSpeed/spread-literal.es5.
+
+ baseline patched
+
+ spread-literal.es5 114.4140+-4.5146 ^ 104.5475+-3.6157 ^ definitely 1.0944x faster
+
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::pushInline):
+ * runtime/Structure.cpp:
+ (JSC::Structure::nonPropertyTransitionSlow):
+ (JSC::Structure::nonPropertyTransition): Deleted.
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::nonPropertyTransition):
+
+2018-06-16 Yusuke Suzuki
+
+ [DFG] Reduce OSRExit for Kraken/crypto-aes due to CoW array
+ https://bugs.webkit.org/show_bug.cgi?id=186721
+
+ Reviewed by Keith Miller.
+
+ We still have several other OSRExits, but this patch reduces that.
+
+ 1. While ArraySlice code accepts CoW arrays, it always emits CheckStructure without CoW Array structures.
+ So DFG emits ArraySlice onto CoW arrays, and always performs OSRExits.
+
+ 2. The CoW patch removed ArrayAllocationProfile updates. This makes allocated JSImmutableButterfly
+ non-appropriate.
+
+ These changes a bit fix Kraken/crypto-aes regression.
+
+ baseline patched
+
+ stanford-crypto-aes 63.718+-2.312 ^ 56.140+-0.966 ^ definitely 1.1350x faster
+
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+2018-06-15 Yusuke Suzuki
+
+ [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
+ https://bugs.webkit.org/show_bug.cgi?id=186460
+
+ Reviewed by Saam Barati.
+
+ Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
+ We should return JSFixedArray for Spread. This patch adds a code generating
+ a JSFixedArray from JSImmutableButterfly.
+
+ Merging JSFixedArray into JSImmutableButterfly is possible future extension.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
+ * runtime/JSFixedArray.h:
+
+2018-06-15 Saam Barati
+
+ Annotate shrinkFootprintWhenIdle with NS_AVAILABLE
+ https://bugs.webkit.org/show_bug.cgi?id=186687
+
+
+ Reviewed by Keith Miller.
+
+ * API/JSVirtualMachinePrivate.h:
+
+2018-06-15 Saam Barati
+
+ Make ForceOSRExit CFG pruning in bytecode parser more aggressive by making the original block to ignore be the plan's osrEntryBytecodeIndex
+ https://bugs.webkit.org/show_bug.cgi?id=186648
+
+ Reviewed by Michael Saboff.
+
+ This patch is neutral on SunSpider/bitops-bitwise-and. That test originally
+ regressed with my first version of ForceOSRExit CFG pruning. This patch makes
+ ForceOSRExit CFG pruning more aggressive by not ignoring everything that
+ can reach any loop_hint, but only ignoring blocks that can reach a loop_hint
+ if it's the plan's osr entry bytecode target. The goal is to get a speedometer
+ 2 speedup with this change on iOS.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parse):
+
+2018-06-15 Michael Catanzaro
+
+ Unreviewed, rolling out r232816.
+
+ Suggested by Caitlin:
+ "this patch clearly does get some things wrong, and it's not
+ easy to find what those things are"
+
+ Reverted changeset:
+
+ "[LLInt] use loadp consistently for
+ get_from_scope/put_to_scope"
+ https://bugs.webkit.org/show_bug.cgi?id=132333
+ https://trac.webkit.org/changeset/232816
+
+2018-06-14 Michael Saboff
+
+ REGRESSION(232741): Crash running ARES-6
+ https://bugs.webkit.org/show_bug.cgi?id=186630
+
+ Reviewed by Saam Barati.
+
+ The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
+ treated edges between identical predecessor->successor pairs independently.
+ This fixes the issue by handling such edges once, using the added intermediate
+ pad for all instances of the edges between the same pairs.
+
+ * dfg/DFGCriticalEdgeBreakingPhase.cpp:
+ (JSC::DFG::CriticalEdgeBreakingPhase::run):
+ (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
+
+2018-06-14 Carlos Garcia Campos
+
+ [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
+ https://bugs.webkit.org/show_bug.cgi?id=186560
+
+ Reviewed by Brian Burg.
+
+ Add SessionCapabilities struct to Client class and unify requestAutomationSession() methods into a single one
+ that always receives the session capabilities.
+
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/RemoteInspectorConstants.h:
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage): Move the parsing of mac capabilities from
+ WebKit here and fill the SessionCapabilities instead.
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::requestAutomationSession): Pass SessionCapabilities to the client.
+ * inspector/remote/glib/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::startAutomationSession): Process SessionCapabilities.
+ * inspector/remote/glib/RemoteInspectorServer.h:
+
+2018-06-13 Adrian Perez de Castro
+
+ [WPE] Trying to access the remote inspector hits an assertion in the UIProcess
+ https://bugs.webkit.org/show_bug.cgi?id=186588
+
+ Reviewed by Carlos Garcia Campos.
+
+ Make both the WPE and GTK+ ports use /org/webkit/inspector as base prefix
+ for resource paths, which avoids needing a switcheroo depending on the port.
+
+ * inspector/remote/glib/RemoteInspectorUtils.cpp:
+
+2018-06-13 Caitlin Potter
+
+ [LLInt] use loadp consistently for get_from_scope/put_to_scope
+ https://bugs.webkit.org/show_bug.cgi?id=132333
+
+ Reviewed by Mark Lam.
+
+ Using `loadis` for register indexes and `loadp` for constant scopes /
+ symboltables makes sense, but is problematic for big-endian
+ architectures.
+
+ Consistently treating the operand as a pointer simplifies determining
+ how to access the operand, and helps avoid bad accesses and crashes on
+ big-endian ports.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/Instruction.h:
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
+ (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
+
+2018-06-13 Keith Miller
+
+ AutomaticThread should have a way to provide a thread name
+ https://bugs.webkit.org/show_bug.cgi?id=186604
+
+ Reviewed by Filip Pizlo.
+
+ Add names for JSC's automatic threads.
+
+ * dfg/DFGWorklist.cpp:
+ * heap/Heap.cpp:
+ * jit/JITWorklist.cpp:
+ * runtime/VMTraps.cpp:
+ * wasm/WasmWorklist.cpp:
+
+2018-06-13 Saam Barati
+
+ CFGSimplificationPhase should de-dupe jettisonedBlocks
+ https://bugs.webkit.org/show_bug.cgi?id=186583
+
+ Reviewed by Filip Pizlo.
+
+ When making the predecessors list unique in r232741, it revealed a bug inside
+ of CFG simplification, where we try to remove the same predecessor more than
+ once from a blocks predecessors list. We built the list of blocks to remove
+ from the list of successors, which is not unique, causing us to try to remove
+ the same predecessor more than once. The solution here is to just add to this
+ list of blocks to remove only if the block is not already in the list.
+
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+
+2018-06-13 Yusuke Suzuki
+
+ [JSC] Always use Nuke & Set procedure for x86
+ https://bugs.webkit.org/show_bug.cgi?id=186592
+
+ Reviewed by Keith Miller.
+
+ We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86.
+ By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector
+ threads.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::convertContiguousToArrayStorage):
+
+2018-06-12 Saam Barati
+
+ Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle
+ https://bugs.webkit.org/show_bug.cgi?id=186071
+
+ Reviewed by Mark Lam.
+
+ * API/JSVirtualMachine.mm:
+ (-[JSVirtualMachine shrinkFootprint]): Deleted.
+ * API/JSVirtualMachinePrivate.h:
+
+2018-06-11 Saam Barati
+
+ Reduce graph size by replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable
+ https://bugs.webkit.org/show_bug.cgi?id=181409
+
+
+ Reviewed by Keith Miller.
+
+ This patch is me redoing r226655. This is a patch I wrote when
+ profiling Speedometer. Fil rolled this change out in r230928. He
+ showed this slowed down a sunspider tests by ~2x. This sunspider
+ regression revealed a real performance bug in the original change:
+ we would kill blocks that reached OSR entry targets, sometimes leading
+ us to not do OSR entry into the DFG, since we could end up deleting
+ entire loops from the CFG. The reason for this is that code that has run
+ ~once and that reaches loops often has ForceOSRExits inside of it. The
+ solution to this is to not perform this optimization on blocks that can
+ reach OSR entry targets.
+
+ The reason I'm redoing this patch is that it turns out Fil rolling
+ out the change was a Speedometer 2 regression.
+
+ This is a modified version of the original ChangeLog I wrote in r226655:
+
+ When I was looking at profiler data for Speedometer, I noticed that one of
+ the hottest functions in Speedometer is around 1100 bytecode operations long.
+ Only about 100 of those bytecode ops ever execute. However, we ended up
+ spending a lot of time compiling basic blocks that never executed. We often
+ plant ForceOSRExit nodes when we parse bytecodes that have a null value profile.
+ This is the case when such a node never executes.
+
+ This patch makes it so that anytime a block has a ForceOSRExit, and that block
+ can not reach an OSR entry target, we replace its terminal node with an Unreachable
+ node, and remove all nodes after the ForceOSRExit. This cuts down the graph
+ size since it removes control flow edges from the CFG. This allows us to get
+ rid of huge chunks of the CFG in certain programs. When doing this transformation,
+ we also insert Flushes/PhantomLocals to ensure we can recover values that are bytecode
+ live-in to the ForceOSRExit.
+
+ Using ForceOSRExit as the signal for this is a bit of a hack. It definitely
+ does not get rid of all the CFG that it could. If we decide it's worth
+ it, we could use additional inputs into this mechanism. For example, we could
+ profile if a basic block ever executes inside the LLInt/Baseline, and
+ remove parts of the CFG based on that.
+
+ When running Speedometer with the concurrent JIT turned off, this patch
+ improves DFG/FTL compile times by around 5%.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::addToGraph):
+ (JSC::DFG::ByteCodeParser::inlineCall):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::blocksInPostOrder):
+
+2018-06-11 Saam Barati
+
+ The NaturalLoops algorithm only works when the list of blocks in a loop is de-duplicated
+ https://bugs.webkit.org/show_bug.cgi?id=184829
+
+ Reviewed by Michael Saboff.
+
+ This patch codifies that a BasicBlock's list of predecessors is de-duplicated.
+ In B3/Air, this just meant writing a validation rule. In DFG, this meant
+ ensuring this property when building up the predecessors list, and also adding
+ a validation rule. The NaturalLoops algorithm relies on this property.
+
+ * b3/B3Validate.cpp:
+ * b3/air/AirValidate.cpp:
+ * b3/testb3.cpp:
+ (JSC::B3::testLoopWithMultipleHeaderEdges):
+ (JSC::B3::run):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::handleSuccessor):
+ * dfg/DFGValidate.cpp:
+
+2018-06-11 Keith Miller
+
+ Loading cnn.com in MiniBrowser hits Structure::dump() under DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire which churns 65KB of memory
+ https://bugs.webkit.org/show_bug.cgi?id=186467
+
+ Reviewed by Simon Fraser.
+
+ This patch adds a LazyFireDetail that wraps ScopedLambda so that
+ we don't actually malloc any strings for firing unless those
+ Strings are actually going to be printed.
+
+ * bytecode/Watchpoint.h:
+ (JSC::LazyFireDetail::LazyFireDetail):
+ * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
+ (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
+ * dfg/DFGAdaptiveStructureWatchpoint.cpp:
+ (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
+
+2018-06-11 Mark Lam
+
+ Add support for webkit-test-runner jscOptions in DumpRenderTree and WebKitTestRunner.
+ https://bugs.webkit.org/show_bug.cgi?id=186451
+
+
+ Reviewed by Tim Horton.
+
+ Enhance setOptions() to be able to take a comma separated options string in
+ addition to white space separated options strings.
+
+ * runtime/Options.cpp:
+ (JSC::isSeparator):
+ (JSC::Options::setOptions):
+
+2018-06-11 Michael Saboff
+
+ JavaScriptCore: Disable 32-bit JIT on Windows
+ https://bugs.webkit.org/show_bug.cgi?id=185989
+
+ Reviewed by Mark Lam.
+
+ Fixed the CLOOP so it can work when COMPUTED_GOTOs are not supported.
+
+ * llint/LLIntData.h:
+ (JSC::LLInt::getCodePtr): Used a reinterpret_cast since Opcode could be an int.
+ * llint/LowLevelInterpreter.cpp: Changed the definition of OFFLINE_ASM_GLOBAL_LABEL to not
+ have a case label because these aren't opcodes.
+ * runtime/Options.cpp: Made assembler related Windows conditional code also conditional
+ on the JIT being enabled.
+ (JSC::recomputeDependentOptions):
+
+2018-06-11 Michael Saboff
+
+ Test js/regexp-zero-length-alternatives.html fails when RegExpJIT is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=186477
+
+ Reviewed by Filip Pizlo.
+
+ Fixed bug where we were using the wrong frame size for TypeParenthesesSubpatternTerminalBegin
+ YARR interpreter nodes. This caused us to overwrite other frame information.
+
+ Added frame offset debugging code to YARR interpreter.
+
+ * yarr/YarrInterpreter.cpp:
+ (JSC::Yarr::ByteCompiler::emitDisjunction):
+ (JSC::Yarr::ByteCompiler::dumpDisjunction):
+
+2018-06-10 Yusuke Suzuki
+
+ [JSC] Array.prototype.sort should rejects null comparator
+ https://bugs.webkit.org/show_bug.cgi?id=186458
+
+ Reviewed by Keith Miller.
+
+ This relaxed behavior is once introduced in r216169 to fix some pages by aligning
+ the behavior to Chrome and Firefox.
+
+ However, now Chrome, Firefox and Edge reject a null comparator. So only JavaScriptCore
+ accepts it. This patch reverts r216169 to align JSC to the other engines and fix
+ the spec issue.
+
+ * builtins/ArrayPrototype.js:
+ (sort):
+
+2018-06-09 Dan Bernstein
+
+ [Xcode] Clean up and modernize some build setting definitions
+ https://bugs.webkit.org/show_bug.cgi?id=186463
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/Base.xcconfig: Removed definition for macOS 10.11. Simplified the
+ definition of WK_PRIVATE_FRAMEWORK_STUBS_DIR now that WK_XCODE_SUPPORTS_TEXT_BASED_STUBS
+ is true for all supported Xcode versions.
+ * Configurations/DebugRelease.xcconfig: Removed definition for macOS 10.11.
+ * Configurations/FeatureDefines.xcconfig: Simplified the definitions of ENABLE_APPLE_PAY and
+ ENABLE_VIDEO_PRESENTATION_MODE now macOS 10.12 is the earliest supported version.
+ * Configurations/Version.xcconfig: Removed definition for macOS 10.11.
+ * Configurations/WebKitTargetConditionals.xcconfig: Removed definitions for macOS 10.11.
+
+2018-06-09 Dan Bernstein
+
+ Added missing file references to the Configuration group.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2018-06-08 Darin Adler
+
+ [Cocoa] Remove all uses of NSAutoreleasePool as part of preparation for ARC
+ https://bugs.webkit.org/show_bug.cgi?id=186436
+
+ Reviewed by Anders Carlsson.
+
+ * heap/Heap.cpp: Include FoundationSPI.h rather than directly including
+ objc-internal.h and explicitly declaring the alternative.
+
+2018-06-08 Wenson Hsieh
+
+ [WebKit on watchOS] Upstream watchOS source additions to OpenSource (Part 1)
+ https://bugs.webkit.org/show_bug.cgi?id=186442
+
+
+ Reviewed by Tim Horton.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2018-06-08 Tadeu Zagallo
+
+ jumpTrueOrFalse only takes the fast path for boolean false on 64bit LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=186446
+
+
+ Reviewed by Mark Lam.
+
+ On 64bit LLInt, jumpTrueOrFalse did a mask check to take the fast path for
+ boolean literals, but it would only work for false. Change it so that it
+ takes the fast path for true, false, null and undefined.
+
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2018-06-08 Brian Burg
+
+ [Cocoa] Web Automation: include browser name and version in listing for automation targets
+ https://bugs.webkit.org/show_bug.cgi?id=186204
+
+
+ Reviewed by Darin Adler.
+
+ Ask the client what the reported browser name and version should be, then
+ send this as part of the listing for an automation target.
+
+ * inspector/remote/RemoteInspectorConstants.h:
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::listingForAutomationTarget const):
+
+2018-06-07 Chris Dumez
+
+ Add base class to get WeakPtrFactory member and avoid some boilerplate code
+ https://bugs.webkit.org/show_bug.cgi?id=186407
+
+ Reviewed by Brent Fulgham.
+
+ Add CanMakeWeakPtr base class to get WeakPtrFactory member and its getter, in
+ order to avoid some boilerplate code in every class needing a WeakPtrFactory.
+ This also gets rid of old-style createWeakPtr() methods in favor of the newer
+ makeWeakPtr().
+
+ * wasm/WasmInstance.h:
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::registerInstance):
+
+2018-06-07 Tadeu Zagallo
+
+ Don't try to allocate JIT memory if we don't have the JIT entitlement
+ https://bugs.webkit.org/show_bug.cgi?id=182605
+
+
+ Reviewed by Mark Lam.
+
+ Check that the current process has the correct entitlements before
+ trying to allocate JIT memory to silence warnings.
+
+ * jit/ExecutableAllocator.cpp:
+ (JSC::allowJIT): Helper that checks entitlements on iOS and returns true in other platforms
+ (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): check allowJIT before trying to allocate
+
+2018-06-07 Saam Barati
+
+ TierUpCheckInjectionPhase systematically never puts the outer-most loop in an inner loop's vector of outer loops
+ https://bugs.webkit.org/show_bug.cgi?id=186386
+
+ Reviewed by Filip Pizlo.
+
+ This looks like an 8% speedup on Kraken's imaging-gaussian-blur subtest.
+
+ * dfg/DFGTierUpCheckInjectionPhase.cpp:
+ (JSC::DFG::TierUpCheckInjectionPhase::run):
+
+2018-06-02 Filip Pizlo
+
+ FunctionRareData::m_objectAllocationProfileWatchpoint is racy
+ https://bugs.webkit.org/show_bug.cgi?id=186237
+
+ Reviewed by Saam Barati.
+
+ We initialize it blind and let it go into auto-watch mode once the DFG adds a watchpoint, but
+ that means that we never notice that it fired if it fires between when the DFG decides to
+ watch it and when it actually adds the watchpoint.
+
+ Most watchpoints are initialized watched for this purpose. This one had a somewhat good
+ reason for being initialized blind: that's how we knew to ignore changes to the prototype
+ before the first allocation.
However, that functionality also arose out of the fact that the
+ rare data is created lazily and usually won't exist until the first allocation.
+
+ The fix here is to make the watchpoint go into watched mode as soon as we initialize the
+ object allocation profile.
+
+ It's hard to repro this race, however it started causing spurious test failures for me after
+ bug 164904.
+
+ * runtime/FunctionRareData.cpp:
+ (JSC::FunctionRareData::FunctionRareData):
+ (JSC::FunctionRareData::initializeObjectAllocationProfile):
+
+2018-06-07 Saam Barati
+
+ Make DFG to FTL OSR entry code more sane by removing bad RELEASE_ASSERTS and making it trigger compiles in outer loops before inner ones
+ https://bugs.webkit.org/show_bug.cgi?id=186218
+
+
+ Reviewed by Filip Pizlo.
+
+ This patch makes tierUpCommon a tad bit more sane. There are a few things
+ that I did:
+ - There were a few release asserts that were crashing. Those release asserts
+ were incorrect. They were making assumptions about how the code and data
+ structures were ordered that were wrong. This patch removes them. The code
+ was using the loop hierarchy vector to make assumptions about which loop we
+ were currently executing in, which is incorrect. The only information that
+ can be used about where we're currently executing is the bytecode index we're
+ at.
+ - This makes it so that we go back to trying to compile outer loops before
+ inner loops. JF accidentally reverted this behavior that Ben implemented.
+ JF made it so that we just compiled the inner most loop. I make this
+ functionality work by first triggering a compile for the outer most loop
+ that the code is currently executing in and that can perform OSR entry.
+ However, some programs can get stuck in inner loops. The code works by
+ progressively asking inner loops to compile if program execution has not
+ yet reached an outer loop.
+
+ * dfg/DFGOperations.cpp:
+
+2018-06-06 Guillaume Emont
+
+ ArityFixup should adjust SP first on 32-bit platforms too
+ https://bugs.webkit.org/show_bug.cgi?id=186351
+
+ Reviewed by Yusuke Suzuki.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::arityFixupGenerator):
+
+2018-06-06 Yusuke Suzuki
+
+ [DFG] Compare operations do not respect negative zeros
+ https://bugs.webkit.org/show_bug.cgi?id=183729
+
+ Reviewed by Saam Barati.
+
+ Compare operations do not respect negative zeros. So propagating this can
+ reduce the size of the produced code for negative zero case. This pattern
+ can be seen in Kraken stanford-crypto-aes.
+
+ This also causes an existing bug which converts CompareEq(Int32Only, NonIntAsdouble) to false.
+ However, NonIntAsdouble includes negative zero, which can be equal to Int32 positive zero.
+ This issue is covered by fold-based-on-int32-proof-mul-branch.js, and we fix this.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
+ SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0.
+ To emphasize this, we use SpecAnyIntAsDouble | SpecNonIntAsDouble directly instead of
+ SpecDoubleReal.
+
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+
+2018-06-06 Saam Barati
+
+ generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
+ https://bugs.webkit.org/show_bug.cgi?id=186363
+
+ Rubber-stamped by Filip Pizlo.
+
+ The code was assuming that the object it was creating an OPC for always
+ had a non-poly-proto structure. However, this assumption was wrong. For
+ example, an object in the prototype chain could be poly proto. That type
+ of object graph would cause a crash in this code. This patch makes it so
+ that we fail to generate an ObjectPropertyConditionSet if we see a poly proto
+ object as we traverse the prototype chain.
+
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::generateConditionsForInstanceOf):
+
+2018-06-05 Brent Fulgham
+
+ Adjust compile and runtime flags to match shippable state of features
+ https://bugs.webkit.org/show_bug.cgi?id=186319
+
+
+ Reviewed by Maciej Stachowiak, Jon Lee, and others.
+
+ This patch revises the compile time and runtime state for various features to match their
+ suitability for end-user releases.
+
+ * Configurations/DebugRelease.xcconfig: Update to match WebKit definition of
+ WK_RELOCATABLE_FRAMEWORKS so that ENABLE(EXPERIMENTAL_FEATURES) is defined properly for
+ Cocoa builds.
+ * Configurations/FeatureDefines.xcconfig: Don't build ENABLE_INPUT_TYPE_COLOR
+ or ENABLE_INPUT_TYPE_COLOR_POPOVER.
+ * runtime/Options.h: Only enable INTL_NUMBER_FORMAT_TO_PARTS and INTL_PLURAL_RULES
+ at runtime for non-production builds.
+
+2018-06-05 Brent Fulgham
+
+ Revise DEFAULT_EXPERIMENTAL_FEATURES_ENABLED to work properly on Apple builds
+ https://bugs.webkit.org/show_bug.cgi?id=186286
+
+
+ Reviewed by Dan Bernstein.
+
+ Use the WK_RELOCATABLE_FRAMEWORKS flag (which is always defined for non-production builds)
+ to define ENABLE(EXPERIMENTAL_FEATURES) so that we do not need to manually
+ change this flag when preparing for a production release.
+
+ * Configurations/FeatureDefines.xcconfig: Use WK_RELOCATABLE_FRAMEWORKS to determine
+ whether experimental features should be enabled, and use it to properly define the
+ feature flag.
+
+2018-06-05 Darin Adler
+
+ [Cocoa] Update some JavaScriptCore code to be more ready for ARC
+ https://bugs.webkit.org/show_bug.cgi?id=186301
+
+ Reviewed by Anders Carlsson.
+
+ * API/JSContext.mm:
+ (-[JSContext evaluateScript:withSourceURL:]): Use __bridge for typecast.
+ (-[JSContext setName:]): Removed unnecessary call to copy, since the
+ JSStringCreateWithCFString function already reads the characters out
+ of the string and does not retain the string, so there is no need to
+ make an immutable copy.
And used __bridge for typecast.
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
+ Ditto.
+
+ * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
+ (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
+ Use CFBridgingRelease instead of autorelease for a CF dictionary that
+ we return as an NSDictionary.
+
+2018-06-04 Keith Miller
+
+ Remove missing files from JavaScriptCore Xcode project
+ https://bugs.webkit.org/show_bug.cgi?id=186297
+
+ Reviewed by Saam Barati.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2018-06-04 Keith Miller
+
+ Add test for CoW conversions in the DFG/FTL
+ https://bugs.webkit.org/show_bug.cgi?id=186295
+
+ Reviewed by Saam Barati.
+
+ Add a function to $vm that returns a JSString containing the
+ dataLog dump of the indexingMode of an Object.
+
+ * tools/JSDollarVM.cpp:
+ (JSC::functionIndexingMode):
+ (JSC::JSDollarVM::finishCreation):
+
+2018-06-04 Saam Barati
+
+ Set the activeLength of all ScratchBuffers to zero when exiting the VM
+ https://bugs.webkit.org/show_bug.cgi?id=186284
+
+
+ Reviewed by Keith Miller.
+
+ Simon recently found instances where we leak global objects from the
+ ScratchBuffer. Yusuke found that we forgot to set the active length
+ back to zero when doing catch OSR entry in the DFG/FTL. His solution
+ to this was adding a node that cleared the active length. This is
+ a good node to have, but it's not a complete solution: the DFG/FTL
+ could OSR exit before that node executes, which would cause us to leak
+ the data in it.
+
+ This patch makes it so that we set each scratch buffer's active length
+ to zero on VM exit. This helps prevent leaks for JS code that eventually
+ exits the VM (which is essentially all code on the web and all API users).
+
+ * runtime/VM.cpp:
+ (JSC::VM::clearScratchBuffers):
+ * runtime/VM.h:
+ * runtime/VMEntryScope.cpp:
+ (JSC::VMEntryScope::~VMEntryScope):
+
+2018-06-04 Keith Miller
+
+ JSLock should clear last exception when releasing the lock
+ https://bugs.webkit.org/show_bug.cgi?id=186277
+
+ Reviewed by Mark Lam.
+
+ If we don't clear the last exception we essentially leak the
+ object and everything referenced by it until another exception is
+ thrown.
+
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::willReleaseLock):
+
+2018-06-04 Yusuke Suzuki
+
+ Get rid of UnconditionalFinalizers and WeakReferenceHarvesters
+ https://bugs.webkit.org/show_bug.cgi?id=180248
+
+ Reviewed by Sam Weinig.
+
+ As a final step, this patch removes ListableHandler from JSC.
+ Nobody uses UnconditionalFinalizers and WeakReferenceHarvesters now.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/Heap.h:
+ * heap/ListableHandler.h: Removed.
+
+2018-06-03 Yusuke Suzuki
+
+ LayoutTests/fast/css/parsing-css-matches-7.html always abandons its Document (disabling JIT fixes it)
+ https://bugs.webkit.org/show_bug.cgi?id=186223
+
+ Reviewed by Keith Miller.
+
+ After preparing catchOSREntryBuffer, we do not clear the active length of this scratch buffer.
+ It makes this buffer conservative GC root, and allows it to hold GC objects unnecessarily long.
+
+ This patch introduces DFG ClearCatchLocals node, which clears catchOSREntryBuffer's active length.
+ We model ExtractCatchLocal and ClearCatchLocals appropriately in DFG clobberize too to make
+ this ClearCatchLocals valid.
+
+ The existing tests for ExtractCatchLocal just pass.
+
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareCatchOSREntry):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileClearCatchLocals):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileClearCatchLocals):
+
+2018-06-02 Darin Adler
+
+ [Cocoa] Update some code to be more ARC-compatible to prepare for future ARC adoption
+ https://bugs.webkit.org/show_bug.cgi?id=186227
+
+ Reviewed by Dan Bernstein.
+
+ * API/JSContext.mm:
+ (-[JSContext name]): Use CFBridgingRelease instead of autorelease.
+ * API/JSValue.mm:
+ (valueToObjectWithoutCopy): Use CFBridgingRelease instead of autorelease.
+ (containerValueToObject): Use adoptCF instead of autorelease. This is not only more
+ ARC-compatible, but more efficient.
+ (valueToString): Use CFBridgingRelease instead of autorelease.
+
+2018-06-02 Caio Lima
+
+ [ESNext][BigInt] Implement support for addition operations
+ https://bugs.webkit.org/show_bug.cgi?id=179002
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is implementing support to BigInt Operands into binary "+"
+ and binary "-" operators. Right now, we have limited support to DFG
+ and FTL JIT layers, but we plan to fix this support in future
+ patches.
+
+ * jit/JITOperations.cpp:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::parseInt):
+ (JSC::JSBigInt::stringToBigInt):
+ (JSC::JSBigInt::toString):
+ (JSC::JSBigInt::multiply):
+ (JSC::JSBigInt::divide):
+ (JSC::JSBigInt::remainder):
+ (JSC::JSBigInt::add):
+ (JSC::JSBigInt::sub):
+ (JSC::JSBigInt::absoluteAdd):
+ (JSC::JSBigInt::absoluteSub):
+ (JSC::JSBigInt::toStringGeneric):
+ (JSC::JSBigInt::allocateFor):
+ (JSC::JSBigInt::toNumber const):
+ (JSC::JSBigInt::getPrimitiveNumber const):
+ * runtime/JSBigInt.h:
+ * runtime/JSCJSValueInlines.h:
+ * runtime/Operations.cpp:
+ (JSC::jsAddSlowCase):
+ * runtime/Operations.h:
+ (JSC::jsSub):
+
+2018-06-02 Commit Queue
+
+ Unreviewed, rolling out r232439.
+ https://bugs.webkit.org/show_bug.cgi?id=186238
+
+ It breaks gtk-linux-32-release (Requested by caiolima on
+ #webkit).
+
+ Reverted changeset:
+
+ "[ESNext][BigInt] Implement support for addition operations"
+ https://bugs.webkit.org/show_bug.cgi?id=179002
+ https://trac.webkit.org/changeset/232439
+
+2018-06-01 Yusuke Suzuki
+
+ Baseline op_jtrue emits an insane amount of code
+ https://bugs.webkit.org/show_bug.cgi?id=185708
+
+ Reviewed by Filip Pizlo.
+
+ op_jtrue / op_jfalse bloats massive amount of code. This patch attempts to reduce the size of this code by,
+
+ 1. op_jtrue / op_jfalse immediately jumps if the condition met. We add AssemblyHelpers::branchIf{Truthy,Falsey}
+ to jump directly. This tightens the code.
+
+ 2. Align our emitConvertValueToBoolean implementation to FTL's boolify function. It emits less code.
+
+ This reduces the code size of op_jtrue in x64 from 220 bytes to 164 bytes.
+
+ [ 12] jtrue arg1, 6(->18)
+ 0x7f233170162c: mov 0x30(%rbp), %rax
+ 0x7f2331701630: mov %rax, %rsi
+ 0x7f2331701633: xor $0x6, %rsi
+ 0x7f2331701637: test $0xfffffffffffffffe, %rsi
+ 0x7f233170163e: jnz 0x7f2331701654
+ 0x7f2331701644: cmp $0x7, %eax
+ 0x7f2331701647: setz %sil
+ 0x7f233170164b: movzx %sil, %esi
+ 0x7f233170164f: jmp 0x7f2331701705
+ 0x7f2331701654: test %rax, %r14
+ 0x7f2331701657: jz 0x7f233170169c
+ 0x7f233170165d: cmp %r14, %rax
+ 0x7f2331701660: jb 0x7f2331701675
+ 0x7f2331701666: test %eax, %eax
+ 0x7f2331701668: setnz %sil
+ 0x7f233170166c: movzx %sil, %esi
+ 0x7f2331701670: jmp 0x7f2331701705
+ 0x7f2331701675: lea (%r14,%rax), %rsi
+ 0x7f2331701679: movq %rsi, %xmm0
+ 0x7f233170167e: xorps %xmm1, %xmm1
+ 0x7f2331701681: ucomisd %xmm1, %xmm0
+ 0x7f2331701685: jz 0x7f2331701695
+ 0x7f233170168b: mov $0x1, %esi
+ 0x7f2331701690: jmp 0x7f2331701705
+ 0x7f2331701695: xor %esi, %esi
+ 0x7f2331701697: jmp 0x7f2331701705
+ 0x7f233170169c: test %rax, %r15
+ 0x7f233170169f: jnz 0x7f2331701703
+ 0x7f23317016a5: cmp $0x1, 0x5(%rax)
+ 0x7f23317016a9: jnz 0x7f23317016c1
+ 0x7f23317016af: mov 0x8(%rax), %esi
+ 0x7f23317016b2: test %esi, %esi
+ 0x7f23317016b4: setnz %sil
+ 0x7f23317016b8: movzx %sil, %esi
+ 0x7f23317016bc: jmp 0x7f2331701705
+ 0x7f23317016c1: test $0x1, 0x6(%rax)
+ 0x7f23317016c5: jz 0x7f23317016f9
+ 0x7f23317016cb: mov (%rax), %esi
+ 0x7f23317016cd: mov $0x7f23315000c8, %rdx
+ 0x7f23317016d7: mov (%rdx), %rdx
+ 0x7f23317016da: mov (%rdx,%rsi,8), %rsi
+ 0x7f23317016de: mov $0x7f2330de0000, %rdx
+ 0x7f23317016e8: cmp %rdx, 0x18(%rsi)
+ 0x7f23317016ec: jnz 0x7f23317016f9
+ 0x7f23317016f2: xor %esi, %esi
+ 0x7f23317016f4: jmp 0x7f2331701705
+ 0x7f23317016f9: mov $0x1, %esi
+ 0x7f23317016fe: jmp 0x7f2331701705
+ 0x7f2331701703: xor %esi, %esi
+ 0x7f2331701705: test %esi, %esi
+ 0x7f2331701707: jnz 0x7f233170171b
+
+ [ 12] jtrue arg1, 6(->18)
+ 0x7f6c8710156c: mov 0x30(%rbp), %rax
+ 0x7f6c87101570: test %rax, %r15
+ 0x7f6c87101573: jnz 
0x7f6c871015c8
+ 0x7f6c87101579: cmp $0x1, 0x5(%rax)
+ 0x7f6c8710157d: jnz 0x7f6c87101592
+ 0x7f6c87101583: cmp $0x0, 0x8(%rax)
+ 0x7f6c87101587: jnz 0x7f6c87101623
+ 0x7f6c8710158d: jmp 0x7f6c87101615
+ 0x7f6c87101592: test $0x1, 0x6(%rax)
+ 0x7f6c87101596: jz 0x7f6c87101623
+ 0x7f6c8710159c: mov (%rax), %esi
+ 0x7f6c8710159e: mov $0x7f6c86f000e0, %rdx
+ 0x7f6c871015a8: mov (%rdx), %rdx
+ 0x7f6c871015ab: mov (%rdx,%rsi,8), %rsi
+ 0x7f6c871015af: mov $0x7f6c867e0000, %rdx
+ 0x7f6c871015b9: cmp %rdx, 0x18(%rsi)
+ 0x7f6c871015bd: jnz 0x7f6c87101623
+ 0x7f6c871015c3: jmp 0x7f6c87101615
+ 0x7f6c871015c8: cmp %r14, %rax
+ 0x7f6c871015cb: jb 0x7f6c871015de
+ 0x7f6c871015d1: test %eax, %eax
+ 0x7f6c871015d3: jnz 0x7f6c87101623
+ 0x7f6c871015d9: jmp 0x7f6c87101615
+ 0x7f6c871015de: test %rax, %r14
+ 0x7f6c871015e1: jz 0x7f6c87101602
+ 0x7f6c871015e7: lea (%r14,%rax), %rsi
+ 0x7f6c871015eb: movq %rsi, %xmm0
+ 0x7f6c871015f0: xorps %xmm1, %xmm1
+ 0x7f6c871015f3: ucomisd %xmm1, %xmm0
+ 0x7f6c871015f7: jz 0x7f6c87101615
+ 0x7f6c871015fd: jmp 0x7f6c87101623
+ 0x7f6c87101602: mov $0x7, %r11
+ 0x7f6c8710160c: cmp %r11, %rax
+ 0x7f6c8710160f: jz 0x7f6c87101623
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitConvertValueToBoolean):
+ (JSC::AssemblyHelpers::branchIfValue):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::branchIfTruthy):
+ (JSC::AssemblyHelpers::branchIfFalsey):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::addJump):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_jfalse):
+ (JSC::JIT::emit_op_jtrue):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_jfalse):
+ (JSC::JIT::emit_op_jtrue):
+
+2018-06-02 Yusuke Suzuki
+
+ [JSC] Remove WeakReferenceHarvester
+ https://bugs.webkit.org/show_bug.cgi?id=186102
+
+ Reviewed by Filip Pizlo.
+
+ After several cleanups, now JSWeakMap becomes the last user of WeakReferenceHarvester.
+ Since JSWeakMap is already managed in IsoSubspace, we can iterate marked JSWeakMap
+ by using output constraints & Subspace iteration.
+
+ This patch removes WeakReferenceHarvester. Instead of managing this linked-list, our
+ output constraint set iterates marked JSWeakMap by using Subspace.
+
+ And we also add locking for JSWeakMap's rehash and output constraint visiting.
+
+ Attached microbenchmark does not show any regression.
+
+ * API/JSAPIWrapperObject.h:
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/Heap.cpp:
+ (JSC::Heap::endMarking):
+ (JSC::Heap::addCoreConstraints):
+ * heap/Heap.h:
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::addWeakReferenceHarvester): Deleted.
+ * heap/SlotVisitor.h:
+ * heap/WeakReferenceHarvester.h: Removed.
+ * runtime/WeakMapImpl.cpp:
+ (JSC::WeakMapImpl::visitChildren):
+ (JSC::WeakMapImpl>::visitOutputConstraints):
+ (JSC::WeakMapImpl>::visitOutputConstraints):
+ (JSC::WeakMapImpl>::visitWeakReferences): Deleted.
+ (JSC::WeakMapImpl>::visitWeakReferences): Deleted.
+ * runtime/WeakMapImpl.h:
+ (JSC::WeakMapImpl::WeakMapImpl):
+ (JSC::WeakMapImpl::finishCreation):
+ (JSC::WeakMapImpl::rehash):
+ (JSC::WeakMapImpl::makeAndSetNewBuffer):
+ (JSC::WeakMapImpl::DeadKeyCleaner::target): Deleted.
+
+2018-06-02 Yusuke Suzuki
+
+ [JSC] Object.create should have intrinsic
+ https://bugs.webkit.org/show_bug.cgi?id=186200
+
+ Reviewed by Filip Pizlo.
+
+ Object.create is used in various JS code. `Object.create(null)` is particularly used
+ to create empty plain object with null [[Prototype]]. We can find `Object.create(null)`
+ call in ARES-6/Babylon code.
+
+ This patch adds ObjectCreateIntrinsic to JSC. DFG recognizes it and produces ObjectCreate
+ DFG node. DFG AI and constant folding attempt to convert it to NewObject when prototype
+ object is null. It offers significant performance boost for `Object.create(null)`.
+
+ baseline patched
+
+ object-create-null 53.7940+-1.5297 ^ 19.8846+-0.6584 ^ definitely 2.7053x faster
+ object-create-unknown-object-prototype 38.9977+-1.1364 ^ 37.2207+-0.6143 ^ definitely 1.0477x faster
+ object-create-untyped-prototype 22.5632+-0.6917 22.2539+-0.6876 might be 1.0139x faster
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToNewObject):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectCreate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileObjectCreate):
+ * runtime/Intrinsic.cpp:
+ (JSC::intrinsicName):
+ * runtime/Intrinsic.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::nullPrototypeObjectStructure const):
+ * runtime/ObjectConstructor.cpp:
+
+2018-06-02 Caio Lima
+
+ [ESNext][BigInt] Implement support for addition operations
+ https://bugs.webkit.org/show_bug.cgi?id=179002
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is implementing support to BigInt Operands into binary "+"
+ and binary "-" operators.
Right now, we have limited support to DFG
+ and FTL JIT layers, but we plan to fix this support in future
+ patches.
+
+ * jit/JITOperations.cpp:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::parseInt):
+ (JSC::JSBigInt::stringToBigInt):
+ (JSC::JSBigInt::toString):
+ (JSC::JSBigInt::multiply):
+ (JSC::JSBigInt::divide):
+ (JSC::JSBigInt::remainder):
+ (JSC::JSBigInt::add):
+ (JSC::JSBigInt::sub):
+ (JSC::JSBigInt::absoluteAdd):
+ (JSC::JSBigInt::absoluteSub):
+ (JSC::JSBigInt::toStringGeneric):
+ (JSC::JSBigInt::allocateFor):
+ (JSC::JSBigInt::toNumber const):
+ (JSC::JSBigInt::getPrimitiveNumber const):
+ * runtime/JSBigInt.h:
+ * runtime/JSCJSValueInlines.h:
+ * runtime/Operations.cpp:
+ (JSC::jsAddSlowCase):
+ * runtime/Operations.h:
+ (JSC::jsSub):
+
+2018-06-01 Wenson Hsieh
+
+ Fix the watchOS build after r232385
+ https://bugs.webkit.org/show_bug.cgi?id=186203
+
+ Reviewed by Keith Miller.
+
+ Add a missing header include for JSImmutableButterfly.
+
+ * runtime/ArrayPrototype.cpp:
+
+2018-05-29 Yusuke Suzuki
+
+ [JSC] Add Symbol.prototype.description getter
+ https://bugs.webkit.org/show_bug.cgi?id=186053
+
+ Reviewed by Keith Miller.
+
+ Symbol.prototype.description accessor is now stage 3[1].
+ This adds a getter to retrieve [[Description]] value from Symbol.
+ Previously, Symbol#toString() returns `Symbol(${description})` value.
+ So users need to extract `description` part if they want it.
+
+ [1]: https://tc39.github.io/proposal-Symbol-description/
+
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::description const):
+ * runtime/Symbol.h:
+ * runtime/SymbolPrototype.cpp:
+ (JSC::tryExtractSymbol):
+ (JSC::symbolProtoGetterDescription):
+ (JSC::symbolProtoFuncToString):
+ (JSC::symbolProtoFuncValueOf):
+
+2018-06-01 Yusuke Suzuki
+
+ [JSC] Correct values and members of JSBigInt appropriately
+ https://bugs.webkit.org/show_bug.cgi?id=186196
+
+ Reviewed by Darin Adler.
+
+ This patch cleans up a bit to select more appropriate values and members of JSBigInt.
+
+ 1. JSBigInt's structure should be StructureIsImmortal.
+ 2. JSBigInt::allocationSize should be annotated with `inline`.
+ 3. Remove JSBigInt::visitChildren since it is completely the same to JSCell::visitChildren.
+ 4. Remove JSBigInt::finishCreation since it is completely the same to JSCell::finishCreation.
+
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::allocationSize):
+ (JSC::JSBigInt::allocateFor):
+ (JSC::JSBigInt::compareToDouble):
+ (JSC::JSBigInt::visitChildren): Deleted.
+ (JSC::JSBigInt::finishCreation): Deleted.
+ * runtime/JSBigInt.h:
+
+2018-05-30 Yusuke Suzuki
+
+ [DFG] InById should be converted to MatchStructure
+ https://bugs.webkit.org/show_bug.cgi?id=185803
+
+ Reviewed by Keith Miller.
+
+ MatchStructure is introduced for instanceof optimization. But this node
+ is also useful for InById node. This patch converts InById to MatchStructure
+ node with CheckStructures if possible by using InByIdStatus.
+
+ Added microbenchmarks show improvements.
+
+ baseline patched
+
+ in-by-id-removed 18.1196+-0.8108 ^ 16.1702+-0.9773 ^ definitely 1.1206x faster
+ in-by-id-match 16.3912+-0.2608 ^ 15.2736+-0.8173 ^ definitely 1.0732x faster
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/InByIdStatus.cpp: Added.
+ (JSC::InByIdStatus::appendVariant):
+ (JSC::InByIdStatus::computeFor):
+ (JSC::InByIdStatus::hasExitSite):
+ (JSC::InByIdStatus::computeForStubInfo):
+ (JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
+ (JSC::InByIdStatus::filter):
+ (JSC::InByIdStatus::dump const):
+ * bytecode/InByIdStatus.h: Added.
+ (JSC::InByIdStatus::InByIdStatus):
+ (JSC::InByIdStatus::state const):
+ (JSC::InByIdStatus::isSet const):
+ (JSC::InByIdStatus::operator bool const):
+ (JSC::InByIdStatus::isSimple const):
+ (JSC::InByIdStatus::numVariants const):
+ (JSC::InByIdStatus::variants const):
+ (JSC::InByIdStatus::at const):
+ (JSC::InByIdStatus::operator[] const):
+ (JSC::InByIdStatus::takesSlowPath const):
+ * bytecode/InByIdVariant.cpp: Added.
+ (JSC::InByIdVariant::InByIdVariant):
+ (JSC::InByIdVariant::attemptToMerge):
+ (JSC::InByIdVariant::dump const):
+ (JSC::InByIdVariant::dumpInContext const):
+ * bytecode/InByIdVariant.h: Added.
+ (JSC::InByIdVariant::isSet const):
+ (JSC::InByIdVariant::operator bool const):
+ (JSC::InByIdVariant::structureSet const):
+ (JSC::InByIdVariant::structureSet):
+ (JSC::InByIdVariant::conditionSet const):
+ (JSC::InByIdVariant::offset const):
+ (JSC::InByIdVariant::isHit const):
+ * bytecode/PolyProtoAccessChain.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
+2018-06-01 Keith Miller
+
+ move should only emit the move if it's actually needed
+ https://bugs.webkit.org/show_bug.cgi?id=186123
+
+ Reviewed by Saam Barati.
+
+ This patch relpaces move with moveToDestinationIfNeeded. This
+ will prevent us from emiting moves to the same location. The old
+ move, has been renamed to emitMove and made private.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitMove):
+ (JSC::BytecodeGenerator::emitGetGlobalPrivate):
+ (JSC::BytecodeGenerator::emitGetAsyncIterator):
+ (JSC::BytecodeGenerator::move): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::move):
+ (JSC::BytecodeGenerator::moveToDestinationIfNeeded): Deleted.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ThisNode::emitBytecode):
+ (JSC::SuperNode::emitBytecode):
+ (JSC::NewTargetNode::emitBytecode):
+ (JSC::ResolveNode::emitBytecode):
+ (JSC::TaggedTemplateNode::emitBytecode):
+ (JSC::ArrayNode::emitBytecode):
+ (JSC::ObjectLiteralNode::emitBytecode):
+ (JSC::EvalFunctionCallNode::emitBytecode):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_toNumber):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isJSArray):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isProxyObject):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isRegExpObject):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isObject):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isDerivedArray):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isMap):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_isSet):
+ (JSC::CallFunctionCallDotNode::emitBytecode):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ (JSC::emitPostIncOrDec):
+ (JSC::PostfixNode::emitBracket):
+ (JSC::PostfixNode::emitDot):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::PrefixNode::emitBracket):
+ (JSC::PrefixNode::emitDot):
+ (JSC::LogicalOpNode::emitBytecode):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::AssignDotNode::emitBytecode):
+ (JSC::AssignBracketNode::emitBytecode):
+ (JSC::FunctionNode::emitBytecode):
+ (JSC::ClassExprNode::emitBytecode):
+ (JSC::DestructuringAssignmentNode::emitBytecode):
+ (JSC::ArrayPatternNode::emitDirectBinding):
+ (JSC::ObjectPatternNode::bindValue const):
+ (JSC::AssignmentElementNode::bindValue const):
+ 
(JSC::ObjectSpreadExpressionNode::emitBytecode):
+
+2018-05-31 Yusuke Suzuki
+
+ [Baseline] Store constant directly in emit_op_mov
+ https://bugs.webkit.org/show_bug.cgi?id=186182
+
+ Reviewed by Saam Barati.
+
+ In the old code, we first move a constant to a register and store it to the specified address.
+ But in 64bit JSC, we can directly store a constant to the specified address. This reduces the
+ generated code size. Since the old code was emitting a constant in a code anyway, this change
+ never increases the size of the generated code.
+
+ * jit/JITInlines.h:
+ (JSC::JIT::emitGetVirtualRegister):
+ We remove this obsolete comment. Our OSR relies on the fact that values are stored and loaded
+ from the stack. If we transfer values in registers without loading values from the stack, it
+ breaks this assumption.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_mov):
+
+2018-05-31 Caio Lima
+
+ [ESNext][BigInt] Implement support for "=<" and ">=" relational operation
+ https://bugs.webkit.org/show_bug.cgi?id=185929
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is introducing support to BigInt operands into ">=" and
+ "<=" operators.
+ Here we introduce ```bigIntCompareResult``` that is a helper function
+ to reuse code between "less than" and "less than or equal" operators.
+
+ * runtime/JSBigInt.h:
+ * runtime/Operations.h:
+ (JSC::bigIntCompareResult):
+ (JSC::bigIntCompare):
+ (JSC::jsLess):
+ (JSC::jsLessEq):
+ (JSC::bigIntCompareLess): Deleted.
+
+2018-05-31 Saam Barati
+
+ Cache toString results for CoW arrays
+ https://bugs.webkit.org/show_bug.cgi?id=186160
+
+ Reviewed by Keith Miller.
+
+ This patch makes it so that we cache the result of toString on
+ arrays with a CoW butterfly. This cache lives on Heap and is
+ cleared after every GC. We only cache the toString result when
+ the CoW butterfly doesn't have a hole (currently, all CoW arrays
+ have a hole, but this isn't an invariant we want to rely on). 
The
+ reason for this is that if there is a hole, the value may be loaded
+ from the prototype, and the cache may produce a stale result.
+
+ This is a ~4% speedup on the ML subtest in ARES. And is a ~1% overall
+ progression on ARES.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::finalize):
+ (JSC::Heap::addCoreConstraints):
+ * heap/Heap.h:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::canUseFastJoin):
+ (JSC::holesMustForwardToPrototype):
+ (JSC::isHole):
+ (JSC::containsHole):
+ (JSC::fastJoin):
+ (JSC::arrayProtoFuncToString):
+
+2018-05-31 Saam Barati
+
+ PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
+ https://bugs.webkit.org/show_bug.cgi?id=186169
+
+ Reviewed by Mark Lam.
+
+ If we don't do this, the CFA validation rule about StructureID being
+ clobbered but AI not clobbering or folding a clobber will cause us
+ to crash. Simon was running into this yesterday on arstechnica.com.
+ I couldn't come up with a test case for this, but it's obvious
+ what the issue is by looking at the IR dump at the time of the crash.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+
+2018-05-31 Saam Barati
+
+ JSImmutableButterfly should align its variable storage
+ https://bugs.webkit.org/show_bug.cgi?id=186159
+
+ Reviewed by Mark Lam.
+
+ I'm also making the use of reinterpret_cast and bitwise_cast consistent
+ inside of JSImmutableButterfly. I switched everything to use bitwise_cast.
+
+ * runtime/JSImmutableButterfly.h:
+ (JSC::JSImmutableButterfly::toButterfly const):
+ (JSC::JSImmutableButterfly::fromButterfly):
+ (JSC::JSImmutableButterfly::offsetOfData):
+ (JSC::JSImmutableButterfly::allocationSize):
+
+2018-05-31 Keith Miller
+
+ DFGArrayModes needs to know more about CoW arrays
+ https://bugs.webkit.org/show_bug.cgi?id=186162
+
+ Reviewed by Filip Pizlo.
+
+ This patch fixes two issues in DFGArrayMode.
+
+ 1) fromObserved was missing switch cases for when the only observed ArrayModes are CopyOnWrite.
+ 2) DFGArrayModes needs to track if the ArrayClass is an OriginalCopyOnWriteArray in order
+ to vend an accurate original structure.
+
+ Additionally, this patch fixes some places in Bytecode parsing where we told the array mode
+ we were doing a read but actually doing a write. Also, DFGArrayMode will now print the
+ action it is expecting when being dumped.
+
+ * bytecode/ArrayProfile.h:
+ (JSC::hasSeenWritableArray):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::fromObserved):
+ (JSC::DFG::ArrayMode::refine const):
+ (JSC::DFG::ArrayMode::originalArrayStructure const):
+ (JSC::DFG::arrayActionToString):
+ (JSC::DFG::arrayClassToString):
+ (JSC::DFG::ArrayMode::dump const):
+ (WTF::printInternal):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::withProfile const):
+ (JSC::DFG::ArrayMode::isJSArray const):
+ (JSC::DFG::ArrayMode::isJSArrayWithOriginalStructure const):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
+
+2018-05-30 Yusuke Suzuki
+
+ [JSC] Pass VM& parameter as much as possible
+ https://bugs.webkit.org/show_bug.cgi?id=186085
+
+ Reviewed by Saam Barati.
+
+ JSCell::vm() is slow compared to ExecState::vm(). That's why we have bunch of functions in JSCell/JSObject that take VM& as a parameter.
+ For example, we have JSCell::structure() and JSCell::structure(VM&), the former retrieves VM& from the cell and invokes structure(VM&).
+ If we can get VM& from ExecState* or the other place, it reduces the inlined code size.
+ This patch attempts to pass VM& parameter to such functions as much as possible.
+
+ * API/APICast.h:
+ (toJS):
+ (toJSForGC):
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject::getOwnPropertySlotByIndex):
+ (JSC::JSCallbackObject::deletePropertyByIndex):
+ (JSC::JSCallbackObject::staticFunctionGetter):
+ * API/JSObjectRef.cpp:
+ (JSObjectIsConstructor):
+ * API/JSTypedArray.cpp:
+ (JSObjectGetTypedArrayBuffer):
+ * API/JSValueRef.cpp:
+ (JSValueIsInstanceOfConstructor):
+ * bindings/ScriptFunctionCall.cpp:
+ (Deprecated::ScriptFunctionCall::call):
+ * bindings/ScriptValue.cpp:
+ (Inspector::jsToInspectorValue):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/ObjectAllocationProfileInlines.h:
+ (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::generateConditionsForInstanceOf):
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::isWatchableWhenValid const):
+ (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
+ * bytecode/StructureStubClearingWatchpoint.cpp:
+ (JSC::StructureStubClearingWatchpoint::fireInternal):
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::detach):
+ * debugger/DebuggerScope.cpp:
+ (JSC::DebuggerScope::create):
+ (JSC::DebuggerScope::put):
+ (JSC::DebuggerScope::deleteProperty):
+ (JSC::DebuggerScope::getOwnPropertyNames):
+ (JSC::DebuggerScope::defineOwnProperty):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::mergeOSREntryValue):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::refine const):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ 
(JSC::DFG::ByteCodeParser::check):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::tryGetConstantProperty):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationPopulateObjectInOSR):
+ * inspector/InjectedScriptManager.cpp:
+ (Inspector::InjectedScriptManager::createInjectedScript):
+ * inspector/JSJavaScriptCallFrame.cpp:
+ (Inspector::JSJavaScriptCallFrame::caller const):
+ (Inspector::JSJavaScriptCallFrame::scopeChain const):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::wasmAwareLexicalGlobalObject):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::executeProgram):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeModuleProgram):
+ * jit/JITOperations.cpp:
+ (JSC::getByVal):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheInByID):
+ * jsc.cpp:
+ (functionDollarAgentReceiveBroadcast):
+ (functionHasCustomProperties):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::setupGetByIdPrototypeCache):
+ (JSC::LLInt::getByVal):
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::llint_throw_stack_overflow_error):
+ * runtime/AbstractModuleRecord.cpp:
+ (JSC::AbstractModuleRecord::finishCreation):
+ * runtime/ArrayConstructor.cpp:
+ (JSC::constructArrayWithSizeQuirk):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::speciesWatchpointIsValid):
+ (JSC::arrayProtoFuncToString):
+ (JSC::arrayProtoFuncToLocaleString):
+ (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
+ * 
runtime/AsyncFunctionConstructor.cpp:
+ (JSC::callAsyncFunctionConstructor):
+ (JSC::constructAsyncFunctionConstructor):
+ * runtime/AsyncGeneratorFunctionConstructor.cpp:
+ (JSC::callAsyncGeneratorFunctionConstructor):
+ (JSC::constructAsyncGeneratorFunctionConstructor):
+ * runtime/BooleanConstructor.cpp:
+ (JSC::constructWithBooleanConstructor):
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::createEmpty):
+ (JSC::ClonedArguments::createWithInlineFrame):
+ (JSC::ClonedArguments::createWithMachineFrame):
+ (JSC::ClonedArguments::createByCopyingFrom):
+ (JSC::ClonedArguments::getOwnPropertySlot):
+ (JSC::ClonedArguments::materializeSpecials):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
+ (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
+ (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly):
+ * runtime/ConstructData.cpp:
+ (JSC::construct):
+ * runtime/DateConstructor.cpp:
+ (JSC::constructWithDateConstructor):
+ * runtime/DatePrototype.cpp:
+ (JSC::dateProtoFuncToJSON):
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::overrideThings):
+ * runtime/Error.cpp:
+ (JSC::getStackTrace):
+ * runtime/ErrorConstructor.cpp:
+ (JSC::Interpreter::constructWithErrorConstructor):
+ (JSC::Interpreter::callErrorConstructor):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructWithFunctionConstructor):
+ (JSC::callFunctionConstructor):
+ * runtime/GeneratorFunctionConstructor.cpp:
+ (JSC::callGeneratorFunctionConstructor):
+ (JSC::constructGeneratorFunctionConstructor):
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::getOwnPropertySlot):
+ * runtime/InferredStructureWatchpoint.cpp:
+ (JSC::InferredStructureWatchpoint::fireInternal):
+ * runtime/InferredType.cpp:
+ (JSC::InferredType::removeStructure):
+ * runtime/InferredType.h:
+ * runtime/InferredTypeInlines.h:
+ (JSC::InferredType::finalizeUnconditionally):
+ * runtime/IntlCollator.cpp:
+ 
(JSC::IntlCollator::initializeCollator):
+ * runtime/IntlCollatorConstructor.cpp:
+ (JSC::IntlCollatorConstructorFuncSupportedLocalesOf):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototypeGetterCompare):
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
+ (JSC::IntlDateTimeFormat::formatToParts):
+ * runtime/IntlDateTimeFormatConstructor.cpp:
+ (JSC::IntlDateTimeFormatConstructorFuncSupportedLocalesOf):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototypeGetterFormat):
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+ (JSC::IntlNumberFormat::formatToParts):
+ * runtime/IntlNumberFormatConstructor.cpp:
+ (JSC::IntlNumberFormatConstructorFuncSupportedLocalesOf):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototypeGetterFormat):
+ * runtime/IntlObject.cpp:
+ (JSC::canonicalizeLocaleList):
+ (JSC::defaultLocale):
+ (JSC::lookupSupportedLocales):
+ (JSC::intlObjectFuncGetCanonicalLocales):
+ * runtime/IntlPluralRules.cpp:
+ (JSC::IntlPluralRules::initializePluralRules):
+ (JSC::IntlPluralRules::resolvedOptions):
+ * runtime/IntlPluralRulesConstructor.cpp:
+ (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf):
+ * runtime/IteratorOperations.cpp:
+ (JSC::iteratorNext):
+ (JSC::iteratorClose):
+ (JSC::iteratorForIterable):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::unshiftCountWithArrayStorage):
+ (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
+ * runtime/JSArrayBufferConstructor.cpp:
+ (JSC::JSArrayBufferConstructor::finishCreation):
+ (JSC::constructArrayBuffer):
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::arrayBufferProtoFuncSlice):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::unsharedJSBuffer):
+ (JSC::JSArrayBufferView::possiblySharedJSBuffer):
+ * runtime/JSAsyncFunction.cpp:
+ (JSC::JSAsyncFunction::createImpl):
+ 
(JSC::JSAsyncFunction::create):
+ (JSC::JSAsyncFunction::createWithInvalidatedReallocationWatchpoint):
+ * runtime/JSAsyncGeneratorFunction.cpp:
+ (JSC::JSAsyncGeneratorFunction::createImpl):
+ (JSC::JSAsyncGeneratorFunction::create):
+ (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
+ * runtime/JSBoundFunction.cpp:
+ (JSC::boundThisNoArgsFunctionCall):
+ (JSC::boundFunctionCall):
+ (JSC::boundThisNoArgsFunctionConstruct):
+ (JSC::boundFunctionConstruct):
+ (JSC::getBoundFunctionStructure):
+ (JSC::JSBoundFunction::create):
+ (JSC::JSBoundFunction::boundArgsCopy):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitive):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::setStructure):
+ (JSC::JSCell::methodTable const):
+ (JSC::JSCell::toBoolean const):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::createImpl):
+ * runtime/JSGeneratorFunction.cpp:
+ (JSC::JSGeneratorFunction::createImpl):
+ (JSC::JSGeneratorFunction::create):
+ (JSC::JSGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayViewWithArguments):
+ (JSC::constructGenericTypedArrayView):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlotByIndex):
+ (JSC::JSGenericTypedArrayView::putByIndex):
+ (JSC::JSGenericTypedArrayView::deletePropertyByIndex):
+ (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory):
+ * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
+ (JSC::genericTypedArrayViewProtoFuncSlice):
+ (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::exposeDollarVM):
+ (JSC::JSGlobalObject::finishCreation):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncEval):
+ * runtime/JSInternalPromise.cpp:
+ (JSC::JSInternalPromise::then):
+ * runtime/JSInternalPromiseConstructor.cpp:
+ 
(JSC::constructPromise): + * runtime/JSJob.cpp: + (JSC::JSJobMicrotask::run): + * runtime/JSLexicalEnvironment.cpp: + (JSC::JSLexicalEnvironment::getOwnPropertySlot): + (JSC::JSLexicalEnvironment::put): + * runtime/JSMap.cpp: + (JSC::JSMap::isIteratorProtocolFastAndNonObservable): + * runtime/JSMapIterator.cpp: + (JSC::JSMapIterator::createPair): + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::provideFetch): + (JSC::JSModuleLoader::loadAndEvaluateModule): + (JSC::JSModuleLoader::loadModule): + (JSC::JSModuleLoader::linkAndEvaluateModule): + (JSC::JSModuleLoader::requestImportModule): + * runtime/JSONObject.cpp: + (JSC::JSONProtoFuncParse): + * runtime/JSObject.cpp: + (JSC::JSObject::putInlineSlow): + (JSC::JSObject::putByIndex): + (JSC::JSObject::notifyPresenceOfIndexedAccessors): + (JSC::JSObject::createInitialIndexedStorage): + (JSC::JSObject::createArrayStorage): + (JSC::JSObject::convertUndecidedToArrayStorage): + (JSC::JSObject::convertInt32ToArrayStorage): + (JSC::JSObject::convertDoubleToArrayStorage): + (JSC::JSObject::convertContiguousToArrayStorage): + (JSC::JSObject::convertFromCopyOnWrite): + (JSC::JSObject::ensureWritableInt32Slow): + (JSC::JSObject::ensureWritableDoubleSlow): + (JSC::JSObject::ensureWritableContiguousSlow): + (JSC::JSObject::ensureArrayStorageSlow): + (JSC::JSObject::setPrototypeDirect): + (JSC::JSObject::deleteProperty): + (JSC::callToPrimitiveFunction): + (JSC::JSObject::hasInstance): + (JSC::JSObject::getOwnNonIndexPropertyNames): + (JSC::JSObject::preventExtensions): + (JSC::JSObject::isExtensible): + (JSC::JSObject::reifyAllStaticProperties): + (JSC::JSObject::fillGetterPropertySlot): + (JSC::JSObject::defineOwnIndexedProperty): + (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): + (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): + (JSC::JSObject::putByIndexBeyondVectorLength): + (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): + 
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): + (JSC::JSObject::getNewVectorLength): + (JSC::JSObject::increaseVectorLength): + (JSC::JSObject::reallocateAndShrinkButterfly): + (JSC::JSObject::shiftButterflyAfterFlattening): + (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const): + (JSC::JSObject::prototypeChainMayInterceptStoreTo): + (JSC::JSObject::needsSlowPutIndexing const): + (JSC::JSObject::suggestedArrayStorageTransition const): + * runtime/JSObject.h: + (JSC::JSObject::mayInterceptIndexedAccesses): + (JSC::JSObject::hasIndexingHeader const): + (JSC::JSObject::hasCustomProperties): + (JSC::JSObject::hasGetterSetterProperties): + (JSC::JSObject::hasCustomGetterSetterProperties): + (JSC::JSObject::isExtensibleImpl): + (JSC::JSObject::isStructureExtensible): + (JSC::JSObject::indexingShouldBeSparse): + (JSC::JSObject::staticPropertiesReified): + (JSC::JSObject::globalObject const): + (JSC::JSObject::finishCreation): + (JSC::JSNonFinalObject::finishCreation): + (JSC::getCallData): + (JSC::getConstructData): + (JSC::JSObject::getOwnNonIndexPropertySlot): + (JSC::JSObject::putOwnDataProperty): + (JSC::JSObject::putOwnDataPropertyMayBeIndex): + (JSC::JSObject::butterflyPreCapacity): + (JSC::JSObject::butterflyTotalSize): + * runtime/JSObjectInlines.h: + (JSC::JSObject::putDirectInternal): + * runtime/JSPromise.cpp: + (JSC::JSPromise::initialize): + (JSC::JSPromise::resolve): + * runtime/JSPromiseConstructor.cpp: + (JSC::constructPromise): + * runtime/JSPromiseDeferred.cpp: + (JSC::newPromiseCapability): + (JSC::callFunction): + * runtime/JSScope.cpp: + (JSC::abstractAccess): + * runtime/JSScope.h: + (JSC::JSScope::globalObject): Deleted. + Remove this JSScope::globalObject function since it is completely the same to JSObject::globalObject(). 
+ + * runtime/JSSet.cpp: + (JSC::JSSet::isIteratorProtocolFastAndNonObservable): + * runtime/JSSetIterator.cpp: + (JSC::JSSetIterator::createPair): + * runtime/JSStringIterator.cpp: + (JSC::JSStringIterator::clone): + * runtime/Lookup.cpp: + (JSC::reifyStaticAccessor): + (JSC::setUpStaticFunctionSlot): + * runtime/Lookup.h: + (JSC::getStaticPropertySlotFromTable): + (JSC::replaceStaticPropertySlot): + (JSC::reifyStaticProperty): + * runtime/MapConstructor.cpp: + (JSC::constructMap): + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::finishCreation): + * runtime/ObjectConstructor.cpp: + (JSC::constructObject): + (JSC::objectConstructorAssign): + (JSC::toPropertyDescriptor): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + (JSC::objectProtoFuncToLocaleString): + * runtime/Operations.cpp: + (JSC::jsIsFunctionType): Deleted. + Replace it with JSValue::isFunction(VM&). + + * runtime/Operations.h: + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/RegExpConstructor.cpp: + (JSC::constructWithRegExpConstructor): + (JSC::callRegExpConstructor): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::processUnverifiedStackTraces): + (JSC::SamplingProfiler::StackFrame::nameFromCallee): + * runtime/ScopedArguments.cpp: + (JSC::ScopedArguments::overrideThings): + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::newCodeBlockFor): + (JSC::ScriptExecutable::prepareForExecutionImpl): + * runtime/SetConstructor.cpp: + (JSC::constructSet): + * runtime/SparseArrayValueMap.cpp: + (JSC::SparseArrayValueMap::putEntry): + (JSC::SparseArrayValueMap::putDirect): + * runtime/StringConstructor.cpp: + (JSC::constructWithStringConstructor): + * runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + (JSC::replaceUsingStringSearch): + (JSC::stringProtoFuncIterator): + * runtime/Structure.cpp: + (JSC::Structure::materializePropertyTable): + 
(JSC::Structure::willStoreValueSlow): + * runtime/StructureCache.cpp: + (JSC::StructureCache::emptyStructureForPrototypeFromBaseStructure): + * runtime/StructureInlines.h: + (JSC::Structure::get): + * runtime/WeakMapConstructor.cpp: + (JSC::constructWeakMap): + * runtime/WeakSetConstructor.cpp: + (JSC::constructWeakSet): + * tools/HeapVerifier.cpp: + (JSC::HeapVerifier::reportCell): + * tools/JSDollarVM.cpp: + (JSC::functionGlobalObjectForObject): + (JSC::JSDollarVM::finishCreation): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finalizeCreation): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJSException): + * wasm/js/WebAssemblyCompileErrorConstructor.cpp: + (JSC::constructJSWebAssemblyCompileError): + (JSC::callJSWebAssemblyCompileError): + * wasm/js/WebAssemblyLinkErrorConstructor.cpp: + (JSC::constructJSWebAssemblyLinkError): + (JSC::callJSWebAssemblyLinkError): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::instantiate): + * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp: + (JSC::constructJSWebAssemblyRuntimeError): + (JSC::callJSWebAssemblyRuntimeError): + * wasm/js/WebAssemblyToJSCallee.cpp: + (JSC::WebAssemblyToJSCallee::create): + +2018-05-30 Saam Barati + + DFG combined liveness needs to say that the machine CodeBlock's arguments are live + https://bugs.webkit.org/show_bug.cgi?id=186121 + + + Reviewed by Keith Miller. + + DFG's combined liveness was reporting that the machine CodeBlock's |this| + argument was dead at certain points in the program. However, a CodeBlock's + arguments are considered live for the entire function. This fixes a bug + where object allocation sinking phase skipped materializing an allocation + because it thought that the argument it was associated with, |this|, was dead. 
+ + * dfg/DFGCombinedLiveness.cpp: + (JSC::DFG::liveNodesAtHead): + +2018-05-30 Daniel Bates + + Web Inspector: Annotate Same-Site cookies + https://bugs.webkit.org/show_bug.cgi?id=184897 + + + Reviewed by Brian Burg. + + Update protocol to include cookie Same-Site policy. + + * inspector/protocol/Page.json: + +2018-05-29 Keith Miller + + Error instances should not strongly hold onto StackFrames + https://bugs.webkit.org/show_bug.cgi?id=185996 + + Reviewed by Mark Lam. + + Previously, we would hold onto all the StackFrames until the the user + looked at one of the properties on the Error object. This patch makes us + only weakly retain the StackFrames and collect all the information + if we are about to collect any frame. + + This patch also adds a method to $vm that returns the heaps count + of live global objects. + + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::stackTraceAsString): + * interpreter/Interpreter.h: + * runtime/Error.cpp: + (JSC::addErrorInfo): + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::finalizeUnconditionally): + (JSC::ErrorInstance::computeErrorInfo): + (JSC::ErrorInstance::materializeErrorInfoIfNeeded): + (JSC::ErrorInstance::visitChildren): Deleted. + * runtime/ErrorInstance.h: + (JSC::ErrorInstance::subspaceFor): + * runtime/JSFunction.cpp: + (JSC::getCalculatedDisplayName): + * runtime/StackFrame.h: + (JSC::StackFrame::isMarked const): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * tools/JSDollarVM.cpp: + (JSC::functionGlobalObjectCount): + (JSC::JSDollarVM::finishCreation): + +2018-05-30 Keith Miller + + LLInt get_by_id prototype caching doesn't properly handle changes + https://bugs.webkit.org/show_bug.cgi?id=186112 + + Reviewed by Filip Pizlo. + + The caching would sometimes fail to track that a prototype had changed + and wouldn't update its set of watchpoints. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeLLIntInlineCaches): + * bytecode/CodeBlock.h: + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: + (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::key const): + * bytecode/ObjectPropertyConditionSet.h: + (JSC::ObjectPropertyConditionSet::size const): + * bytecode/Watchpoint.h: + (JSC::Watchpoint::Watchpoint): Deleted. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setupGetByIdPrototypeCache): + +2018-05-30 Caio Lima + + [ESNext][BigInt] Implement support for "%" operation + https://bugs.webkit.org/show_bug.cgi?id=184327 + + Reviewed by Yusuke Suzuki. + + We are introducing the support of BigInt into remainder (a.k.a mod) + operation. + + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::remainder): + (JSC::JSBigInt::rightTrim): + * runtime/JSBigInt.h: + +2018-05-30 Saam Barati + + AI for Atomics.load() is too conservative in always clobbering world + https://bugs.webkit.org/show_bug.cgi?id=185738 + + + Reviewed by Yusuke Suzuki. + + It fails the assertion that Fil added for catching disagreements between + AI and clobberize. This patch fixes that. You'd run into this if you + manually enabled SAB in a build and ran any SAB tests. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2018-05-30 Michael Saboff + + REGRESSION(r232212): Broke Win32 Builds + https://bugs.webkit.org/show_bug.cgi?id=186061 + + Reviewed by Yusuke Suzuki. + + Changed Windows builds with the JIT disabled to generate and use LLIntAssembly.h + instead of LowLevelInterpreterWin.asm. + + * CMakeLists.txt: + +2018-05-30 Dominik Infuehr + + [MIPS] Fix build on MIPS32r1 + https://bugs.webkit.org/show_bug.cgi?id=185944 + + Reviewed by Yusuke Suzuki. + + Only use instructions on MIPS32r2 or later. mthc1 and mfhc1 are not supported + on MIPS32r1. 
+ + * offlineasm/mips.rb: + +2018-05-29 Saam Barati + + Add a version of JSVirtualMachine shrinkFootprint that runs when the VM goes idle + https://bugs.webkit.org/show_bug.cgi?id=186064 + + Reviewed by Mark Lam. + + shrinkFootprint was implemented as: + ``` + sanitizeStackForVM(this); + deleteAllCode(DeleteAllCodeIfNotCollecting); + heap.collectNow(Synchronousness::Sync); + WTF::releaseFastMallocFreeMemory(); + ``` + + However, for correctness reasons, deleteAllCode is implemented to do + work when the VM is idle: no JS is running on the stack. This means + that if shrinkFootprint is called when JS is running on the stack, it + ends up freeing less memory than it could have if it waited to run until + the VM goes idle. + + This patch makes it so we wait until idle before doing work. I'm seeing a + 10% footprint progression when testing this against a client of the JSC SPI. + + Because this is a semantic change in how the SPI works, this patch + adds new SPI named shrinkFootprintWhenIdle. The plan is to move + all clients of the shrinkFootprint SPI to shrinkFootprintWhenIdle. + Once that happens, we will delete shrinkFootprint. Until then, + we make shrinkFootprint do exactly what shrinkFootprintWhenIdle does. + + * API/JSVirtualMachine.mm: + (-[JSVirtualMachine shrinkFootprint]): + (-[JSVirtualMachine shrinkFootprintWhenIdle]): + * API/JSVirtualMachinePrivate.h: + * runtime/VM.cpp: + (JSC::VM::shrinkFootprintWhenIdle): + (JSC::VM::shrinkFootprint): Deleted. + * runtime/VM.h: + +2018-05-29 Saam Barati + + shrinkFootprint needs to request a full collection + https://bugs.webkit.org/show_bug.cgi?id=186069 + + Reviewed by Mark Lam. + + * runtime/VM.cpp: + (JSC::VM::shrinkFootprint): + +2018-05-29 Caio Lima + + [ESNext][BigInt] Implement support for "<" and ">" relational operation + https://bugs.webkit.org/show_bug.cgi?id=185379 + + Reviewed by Yusuke Suzuki. 
+ + This patch is changing the ``jsLess``` operation to follow the + semantics of Abstract Relational Comparison[1] that supports BigInt. + For that, we create 2 new helper functions ```bigIntCompareLess``` and + ```toPrimitiveNumeric``` that considers BigInt as a valid type to be + compared. + + [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-relational-comparison + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::unequalSign): + (JSC::JSBigInt::absoluteGreater): + (JSC::JSBigInt::absoluteLess): + (JSC::JSBigInt::compare): + (JSC::JSBigInt::absoluteCompare): + * runtime/JSBigInt.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isPrimitive const): + * runtime/Operations.h: + (JSC::bigIntCompareLess): + (JSC::toPrimitiveNumeric): + (JSC::jsLess): + +2018-05-29 Yusuke Suzuki + + [Baseline] Merge loading functionalities + https://bugs.webkit.org/show_bug.cgi?id=185907 + + Reviewed by Saam Barati. + + This patch unifies emitXXXLoad functions in 32bit and 64bit. + + * jit/JITInlines.h: + (JSC::JIT::emitDoubleGetByVal): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitDoubleLoad): + (JSC::JIT::emitContiguousLoad): + (JSC::JIT::emitArrayStorageLoad): + (JSC::JIT::emitIntTypedArrayGetByVal): + (JSC::JIT::emitFloatTypedArrayGetByVal): + Define register usage first, and share the same code in 32bit and 64bit. + + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_put_by_val): + Now C-stack is always enabled in JIT platform and temporary registers increases from 5 to 6 in x86. + We can remove this special handling. + + (JSC::JIT::emitContiguousLoad): Deleted. + (JSC::JIT::emitDoubleLoad): Deleted. + (JSC::JIT::emitArrayStorageLoad): Deleted. + +2018-05-29 Saam Barati + + JSC should put bmalloc's scavenger into mini mode + https://bugs.webkit.org/show_bug.cgi?id=185988 + + Reviewed by Michael Saboff. + + When we InitializeThreading, we'll now enable bmalloc's mini mode + if the VM is in mini mode. 
This is an 8-10% progression on the footprint + at end score in run-testmem, making it a 4-5% memory score progression. + It's between a 0-1% regression in its time score. + + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + +2018-05-29 Caitlin Potter + + [JSC] Fix Array.prototype.concat fast case when single argument is Proxy + https://bugs.webkit.org/show_bug.cgi?id=184267 + + Reviewed by Saam Barati. + + Before this patch, the fast case for Array.prototype.concat was taken if + there was a single argument passed to the function, which is either a + non-JSCell, or an ObjectType JSCell not marked as concat-spreadable. + This incorrectly prevented Proxy objects from being spread when + they were the only argument passed to A.prototype.concat(), violating ECMA-262. + + * builtins/ArrayPrototype.js: + (concat): + +2018-05-27 Yusuke Suzuki + + [JSC] JSBigInt::digitDiv has undefined behavior which causes test failures + https://bugs.webkit.org/show_bug.cgi?id=186022 + + Reviewed by Darin Adler. + + digitDiv performs Value64Bit >> 64 / Value32Bit >> 32, which is undefined behavior. And zero mask + creation has an issue (`s` should be casted to signed one before negating). They cause test failures + in non x86 / x86_64 environments. x86 and x86_64 work well since they have a fast path written + in asm. + + This patch fixes digitDiv by carefully avoiding undefined behaviors. We mask the left value of the + rshift with `digitBits - 1`, which makes `digitBits` 0 while it keeps 0 <= n < digitBits values. + This makes the target rshift well-defined in C++. While produced value by the rshift covers 0 <= `s` < 64 (32 + in 32bit envirnoment) cases, this rshift does not shift if `s` is 0. sZeroMask clears the value + if `s` is 0, so that `s == 0` case is also covered. Note that `s == 64` never happens since `divisor` + is never 0 here. We add assertion for that. We also fixes `sZeroMask` calculation. 
+ + This patch also fixes naming convention for constant values. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::digitMul): + (JSC::JSBigInt::digitDiv): + * runtime/JSBigInt.h: + +2018-05-27 Yusuke Suzuki + + [WTF] Add clz32 / clz64 for MSVC + https://bugs.webkit.org/show_bug.cgi?id=186023 + + Reviewed by Daniel Bates. + + Move clz32 and clz64 to WTF. + + * runtime/MathCommon.h: + (JSC::clz32): Deleted. + (JSC::clz64): Deleted. + +2018-05-27 Caio Lima + + [ESNext][BigInt] Implement "+" and "-" unary operation + https://bugs.webkit.org/show_bug.cgi?id=182214 + + Reviewed by Yusuke Suzuki. + + This Patch is implementing support to "-" unary operation on BigInt. + It is also changing the logic of ASTBuilder::makeNegateNode to + calculate BigInt literals with properly sign, avoiding + unecessary operation. It required a refactoring into + JSBigInt::parseInt to consider the sign as parameter. + + We are also introducing a new DFG Node called ValueNegate to handle BigInt negate + operations. With the introduction of BigInt, it is not true + that every negate operation returns a Number. As ArithNegate is a + node that considers its result is always a Number, like all other + Arith, we decided to keep this consistency and use ValueNegate when + speculation indicates that the operand is a BigInt. + This design is following the same distinction between ArithAdd and + ValueAdd. Also, this new node will make simpler the introduction of + optimizations when we create speculation paths for BigInt in future + patches. + + In the case of "+" unary operation on BigInt, the current semantic we already have + is correctly, since it needs to throw TypeError because of ToNumber call[1]. + In such case, we are adding tests to verify other edge cases. 
+ + [1] - https://tc39.github.io/proposal-bigint/#sec-unary-plus-operator + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::addBigIntConstant): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::BigIntNode::jsValue const): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::makeSafe): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::arithNodeFlags): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueNegate): + (JSC::DFG::SpeculativeJIT::compileArithNegate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): + (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate): + * jit/JITOperations.cpp: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createBigIntWithSign): + (JSC::ASTBuilder::createBigIntFromUnaryOperation): + (JSC::ASTBuilder::makeNegateNode): + * parser/NodeConstructors.h: + (JSC::BigIntNode::BigIntNode): + * parser/Nodes.h: + * runtime/CommonSlowPaths.cpp: + (JSC::updateArithProfileForUnaryArithOp): + (JSC::SLOW_PATH_DECL): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::parseInt): + * runtime/JSBigInt.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::strictEqualSlowCaseInline): + +2018-05-27 Dan Bernstein + + Tried to fix the 32-bit !ASSERT_DISABLED build after r232211. 
+ + * jit/JITOperations.cpp: + +2018-05-26 Yusuke Suzuki + + [JSC] Rename Array#flatten to flat + https://bugs.webkit.org/show_bug.cgi?id=186012 + + Reviewed by Saam Barati. + + Rename Array#flatten to Array#flat. This rename is done in TC39 since flatten + conflicts with the mootools' function name. + + * builtins/ArrayPrototype.js: + (globalPrivate.flatIntoArray): + (flat): + (globalPrivate.flatIntoArrayWithCallback): + (flatMap): + (globalPrivate.flattenIntoArray): Deleted. + (flatten): Deleted. + (globalPrivate.flattenIntoArrayWithCallback): Deleted. + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + +2018-05-25 Mark Lam + + for-in loops should preserve and restore the TDZ stack for each of its internal loops. + https://bugs.webkit.org/show_bug.cgi?id=185995 + + + Reviewed by Saam Barati. + + This is because there's no guarantee that any of the loop bodies will be + executed. Hence, there's no guarantee that the TDZ variables will have been + initialized after each loop body. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::preserveTDZStack): + (JSC::BytecodeGenerator::restoreTDZStack): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ForInNode::emitBytecode): + +2018-05-25 Mark Lam + + MachineContext's instructionPointer() should handle null PCs correctly. + https://bugs.webkit.org/show_bug.cgi?id=186004 + + + Reviewed by Saam Barati. + + instructionPointer() returns a MacroAssemblerCodePtr. However, + MacroAssemblerCodePtr's constructor does not accept a null pointer value and will + assert accordingly with a debug ASSERT. This is inconsequential for release + builds, but to avoid this assertion failure, we should check for a null PC and + return MacroAssemblerCodePtr(nullptr) instead (which uses the + MacroAssemblerCodePtr(std::nullptr_t) version of the constructor instead). 
+ + Alternatively, we can change all of MacroAssemblerCodePtr's constructors to check + for null pointers, but I rather not do that yet. In general, + MacroAssemblerCodePtrs are constructed with non-null pointers, and I prefer to + leave it that way for now. + + Note: this assertion failure only manifests when we have signal traps enabled, + and encounter a null pointer deref. + + * runtime/MachineContext.h: + (JSC::MachineContext::instructionPointer): + +2018-05-25 Mark Lam + + Enforce invariant that GetterSetter objects are invariant. + https://bugs.webkit.org/show_bug.cgi?id=185968 + + + Reviewed by Saam Barati. + + The code already assumes the invariant that GetterSetter objects are immutable. + For example, the use of @tryGetById in builtins expect this invariant to be true. + The existing code mostly enforces this except for one case: JSObject's + validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter + object. + + This patch enforces this invariant by removing the setGetter and setSetter methods + of GetterSetter, and requiring the getter/setter callback functions to be + specified at construction time. + + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/GetterSetter.cpp: + (JSC::GetterSetter::withGetter): Deleted. + (JSC::GetterSetter::withSetter): Deleted. 
+ * runtime/GetterSetter.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSObject.cpp: + (JSC::JSObject::putIndexedDescriptor): + (JSC::JSObject::putDirectNativeIntrinsicGetter): + (JSC::putDescriptor): + (JSC::validateAndApplyPropertyDescriptor): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/Lookup.cpp: + (JSC::reifyStaticAccessor): + * runtime/PropertyDescriptor.cpp: + (JSC::PropertyDescriptor::slowGetterSetter): + +2018-05-25 Saam Barati + + Make JSC have a mini mode that kicks in when the JIT is disabled + https://bugs.webkit.org/show_bug.cgi?id=185931 + + Reviewed by Mark Lam. + + This patch makes JSC have a mini VM mode. This currently only kicks in + when the process can't JIT. Mini VM now means a few things: + - We always use a 1.27x heap growth factor. This number was the best tradeoff + between memory use progression and time regression in run-testmem. We may + want to tune this more in the future as we make other mini VM changes. + - We always sweep synchronously. + - We disable generational GC. + + I'm going to continue to extend what mini VM mode means in future changes. + + This patch is a 50% memory progression and an ~8-9% time regression + on run-testmem when running in mini VM mode with the JIT disabled. + + * heap/Heap.cpp: + (JSC::Heap::collectNow): + (JSC::Heap::finalize): + (JSC::Heap::useGenerationalGC): + (JSC::Heap::shouldSweepSynchronously): + (JSC::Heap::shouldDoFullCollection): + * heap/Heap.h: + * runtime/Options.h: + * runtime/VM.cpp: + (JSC::VM::isInMiniMode): + * runtime/VM.h: + +2018-05-25 Saam Barati + + Have a memory test where we can validate JSCs mini memory mode + https://bugs.webkit.org/show_bug.cgi?id=185932 + + Reviewed by Mark Lam. + + This patch adds the testmem CLI. It takes as input a file to run + and the number of iterations to run it (by default it runs it + 20 times). Each iteration runs in a new JSContext. 
Each JSContext + belongs to a VM that is created once. When finished, the CLI dumps + out the peak memory usage of the process, the memory usage at the end + of running all the iterations of the process, and the total time it + took to run all the iterations. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * testmem: Added. + * testmem/testmem.mm: Added. + (description): + (Footprint::now): + (main): + +2018-05-25 David Kilzer + + Fix issues with -dealloc methods found by clang static analyzer + + + Reviewed by Joseph Pecoraro. + + * API/JSValue.mm: + (-[JSValue dealloc]): + (-[JSValue description]): + - Move method implementations from (Internal) category to the + main category since these are public API. This fixes the + false positive warning about a missing -dealloc method. + +2018-05-24 Yusuke Suzuki + + [Baseline] Remove a hack for DCE removal of NewFunction + https://bugs.webkit.org/show_bug.cgi?id=185945 + + Reviewed by Saam Barati. + + This `undefined` check in baseline is originally introduced in r177871. The problem was, + when NewFunction is removed in DFG DCE, its referencing scope DFG node is also removed. + While op_new_func_xxx want to have scope for function creation, DFG OSR exit cannot + retrieve this into the stack since the scope is not referenced from anywhere. + + In r177871, we fixed this by accepting `undefined` scope in the baseline op_new_func_xxx + implementation. But rather than that, just emitting `Phantom` for this scope is clean + and consistent to the other DFG nodes like GetClosureVar. + + This patch emits Phantom instead, and removes unnecessary `undefined` check in baseline. + While we emit Phantom, it is not testable since NewFunction is guarded by MovHint which + is not removed in DFG. And in FTL, NewFunction will be converted to PhantomNewFunction + if it is not referenced. And scope node is kept by PutHint. 
But emitting Phantom is nice + since it conservatively guards the scope, and it does not introduce any additional overhead + compared to the current status. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * jit/JITOpcodes.cpp: + (JSC::JIT::emitNewFuncExprCommon): + +2018-05-23 Keith Miller + + Expose $vm if window.internals is exposed + https://bugs.webkit.org/show_bug.cgi?id=185900 + + Reviewed by Mark Lam. + + This is useful for testing vm internals when running LayoutTests. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + (JSC::JSGlobalObject::exposeDollarVM): + * runtime/JSGlobalObject.h: + +2018-05-23 Keith Miller + + Define length on CoW array should properly convert to writable + https://bugs.webkit.org/show_bug.cgi?id=185927 + + Reviewed by Yusuke Suzuki. + + * runtime/JSArray.cpp: + (JSC::JSArray::setLength): + +2018-05-23 Keith Miller + + InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format + https://bugs.webkit.org/show_bug.cgi?id=185923 + + Reviewed by Saam Barati. + + Previously, we could confuse AI by overly broadening a type. This happens when a block in a + loop has a local mutated following a GetLocal but never SetLocaled to the stack. For example, + + Block 1: + @1: GetLocal(loc42, FlushedInt32); + @2: PutStructure(Check: Cell: @1); + @3: Jump(Block 1); + + Would cause us to claim that loc42 could be either an int32 or a some cell. However, + the type of an local cannot change without writing to it. + + This fixes a crash in destructuring-rest-element.js + + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::endBasicBlock): + +2018-05-23 Filip Pizlo + + Speed up JetStream/base64 + https://bugs.webkit.org/show_bug.cgi?id=185914 + + Reviewed by Michael Saboff. + + Make allocation fast paths ALWAYS_INLINE. + + This is a 1% speed-up on SunSpider, mostly because of base64. It also speeds up pdfjs by + ~6%. 
+ + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/AllocatorInlines.h: + (JSC::Allocator::allocate const): + * heap/CompleteSubspace.cpp: + (JSC::CompleteSubspace::allocateNonVirtual): Deleted. + * heap/CompleteSubspace.h: + * heap/CompleteSubspaceInlines.h: Added. + (JSC::CompleteSubspace::allocateNonVirtual): + * heap/FreeListInlines.h: + (JSC::FreeList::allocate): + * heap/IsoSubspace.cpp: + (JSC::IsoSubspace::allocateNonVirtual): Deleted. + * heap/IsoSubspace.h: + (JSC::IsoSubspace::allocatorForNonVirtual): + * heap/IsoSubspaceInlines.h: Added. + (JSC::IsoSubspace::allocateNonVirtual): + * runtime/JSCellInlines.h: + * runtime/VM.h: + +2018-05-23 Rick Waldron + + Conversion misspelled "Convertion" in error message string + https://bugs.webkit.org/show_bug.cgi?id=185436 + + Reviewed by Saam Barati, Michael Saboff + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::toNumber const): + +2018-05-22 Yusuke Suzuki + + [JSC] Clean up stringGetByValStubGenerator + https://bugs.webkit.org/show_bug.cgi?id=185864 + + Reviewed by Saam Barati. + + We clean up stringGetByValStubGenerator. + + 1. Unify 32bit and 64bit implementations. + 2. Rename stringGetByValStubGenerator to stringGetByValGenerator, move it to ThunkGenerators.cpp. + 3. Remove string type check since this code is invoked only when we know regT0 is JSString*. + 4. Do not tag Cell in stringGetByValGenerator side. 32bit code stores Cell with tag in JITPropertyAccess32_64 side. + 5. Fix invalid use of loadPtr for StringImpl::flags. Should use load32. + + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::stringGetByValStubGenerator): Deleted. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_val): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::stringGetByValStubGenerator): Deleted. 
+ * jit/ThunkGenerators.cpp: + (JSC::stringGetByValGenerator): + * jit/ThunkGenerators.h: + +2018-05-22 Yusuke Suzuki + + [JSC] Use branchIfString/branchIfNotString instead of structure checkings + https://bugs.webkit.org/show_bug.cgi?id=185810 + + Reviewed by Saam Barati. + + Let's use branchIfString/branchIfNotString helper functions instead of + checking structure with jsString's structure. It's easy to read. And + it emits less code since we do not need to embed string structure's + raw pointer in 32bit environment. + + * jit/JIT.h: + * jit/JITInlines.h: + (JSC::JIT::emitLoadCharacterString): + (JSC::JIT::checkStructure): Deleted. + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::compileOpEqJumpSlow): + (JSC::JIT::emitSlow_op_neq): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emitByValIdentifierCheck): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::emitSlow_op_get_by_val): + * jit/JSInterfaceJIT.h: + (JSC::ThunkHelpers::jsStringLengthOffset): Deleted. + (JSC::ThunkHelpers::jsStringValueOffset): Deleted. + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::loadJSStringArgument): + * jit/ThunkGenerators.cpp: + (JSC::stringCharLoad): + (JSC::charCodeAtThunkGenerator): + (JSC::charAtThunkGenerator): + * runtime/JSString.h: + +2018-05-22 Mark Lam + + BytecodeGeneratorification shouldn't add a ValueProfile if the JIT is disabled. + https://bugs.webkit.org/show_bug.cgi?id=185896 + + + Reviewed by Saam Barati. + + * bytecode/BytecodeGeneratorification.cpp: + (JSC::BytecodeGeneratorification::run): + +2018-05-22 Yusuke Suzuki + + [JSC] Fix CachedCall's argument count if RegExp has named captures + https://bugs.webkit.org/show_bug.cgi?id=185587 + + Reviewed by Mark Lam. + + If the given RegExp has named captures, the argument count of CachedCall in String#replace + should be increased by one. 
This causes crash with assertion in test262. This patch corrects + the argument count. + + This patch also unifies source.is8Bit()/!source.is8Bit() code since they are now completely + the same. + + * runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + +2018-05-22 Mark Lam + + StringImpl utf8 conversion should not fail silently. + https://bugs.webkit.org/show_bug.cgi?id=185888 + + + Reviewed by Filip Pizlo. + + * dfg/DFGLazyJSValue.cpp: + (JSC::DFG::LazyJSValue::dumpInContext const): + * runtime/DateConstructor.cpp: + (JSC::constructDate): + (JSC::dateParse): + * runtime/JSDateMath.cpp: + (JSC::parseDate): + * runtime/JSDateMath.h: + +2018-05-22 Keith Miller + + Remove the UnconditionalFinalizer class + https://bugs.webkit.org/show_bug.cgi?id=185881 + + Reviewed by Filip Pizlo. + + The only remaining user of this API is + JSWebAssemblyCodeBlock. This patch changes, JSWebAssemblyCodeBlock + to use the newer template based API and removes the old class. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.h: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * heap/Heap.h: + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted. + * heap/SlotVisitor.h: + * heap/UnconditionalFinalizer.h: Removed. + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + (JSC::JSWebAssemblyCodeBlock::visitChildren): + (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally): + (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted. + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyModule.h: + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.h: + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * heap/Heap.h: + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::addUnconditionalFinalizer): Deleted. + * heap/SlotVisitor.h: + * heap/UnconditionalFinalizer.h: Removed. 
+ * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + (JSC::JSWebAssemblyCodeBlock::visitChildren): + (JSC::JSWebAssemblyCodeBlock::finalizeUnconditionally): + (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted. + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyModule.h: + +2018-05-22 Keith Miller + + Unreviewed, fix internal build. + + * runtime/JSImmutableButterfly.cpp: + +2018-05-22 Saam Barati + + DFG::LICMPhase should attempt to hoist edge type checks if hoisting the whole node fails + https://bugs.webkit.org/show_bug.cgi?id=144525 + + Reviewed by Filip Pizlo. + + This patch teaches LICM to fall back to hoisting a node's type checks when + hoisting the entire node fails. + + This patch follow the same principles we use when deciding to hoist nodes in general: + - If the pre header is control equivalent to where the current check is, we + go ahead and hoist the check. + - Otherwise, if hoisting hasn't failed before, we go ahead and gamble and + hoist the check. If hoisting failed in the past, we will not hoist the check. + + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + * dfg/DFGUseKind.h: + (JSC::DFG::checkMayCrashIfInputIsEmpty): + +2018-05-21 Filip Pizlo + + Get rid of TLCs + https://bugs.webkit.org/show_bug.cgi?id=185846 + + Rubber stamped by Geoffrey Garen. + + This removes support for thread-local caches from the GC in order to speed up allocation a + bit. + + We added TLCs as part of Spectre mitigations, which we have since removed. + + We will want some kind of TLCs eventually, since they allow us to: + + - have a global GC, which may be a perf optimization at some point. + - allocate objects from JIT threads, which we've been wanting to do for a while. + + This change keeps the most interesting aspect of TLCs, which is the + LocalAllocator/BlockDirectory separation. 
This means that it ought to be easy to implement + TLCs again in the future if we wanted this feature. + + This change removes the part of TLCs that causes a perf regression, namely that Allocator is + an offset that requires a bounds check and lookup that makes the rest of the allocation fast + path dependent on the load of the TLC. Now, Allocator is really just a LocalAllocator*, so + you can directly use it to allocate. This removes two loads and a check from the allocation + fast path. In hindsight, I probably could have made that whole thing more efficient, had I + allowed us to have a statically known set of LocalAllocators. This would have removed the + bounds check (one load and one branch) and it would have made it possible to CSE the load of + the TLC data structure, since that would no longer resize. But that's a harder change that + this patch, and we don't need it right now. + + While reviewing the allocation hot paths, I found that CreateThis had an unnecessary branch + to check if the allocator is null. I removed that check. AssemblyHelpers::emitAllocate() does + that check already. Previously, the TLC bounds check doubled as this check. + + This is a 1% speed-up on Octane and a 2.3% speed-up on TailBench. However, the Octane + speed-up on my machine includes an 8% regexp speed-up. I've found that sometimes regexp + speeds up or slows down by 8% depending on which path I build JSC from. Without that 8%, this + is still an Octane speed-up due to 2-4% speed-ups in earley, boyer, raytrace, and splay. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfile::initializeProfile): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCreateThis): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): + (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): + (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): + (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): + (JSC::FTL::DFG::LowerDFGToB3::allocateObject): + (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): + * heap/Allocator.cpp: + (JSC::Allocator::cellSize const): + * heap/Allocator.h: + (JSC::Allocator::Allocator): + (JSC::Allocator::localAllocator const): + (JSC::Allocator::operator== const): + (JSC::Allocator::offset const): Deleted. + * heap/AllocatorInlines.h: + (JSC::Allocator::allocate const): + (JSC::Allocator::tryAllocate const): Deleted. + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::BlockDirectory): + (JSC::BlockDirectory::~BlockDirectory): + * heap/BlockDirectory.h: + (JSC::BlockDirectory::allocator const): Deleted. + * heap/CompleteSubspace.cpp: + (JSC::CompleteSubspace::allocateNonVirtual): + (JSC::CompleteSubspace::allocatorForSlow): + (JSC::CompleteSubspace::tryAllocateSlow): + * heap/CompleteSubspace.h: + * heap/Heap.cpp: + (JSC::Heap::Heap): + * heap/Heap.h: + (JSC::Heap::threadLocalCacheLayout): Deleted. + * heap/IsoSubspace.cpp: + (JSC::IsoSubspace::IsoSubspace): + (JSC::IsoSubspace::allocateNonVirtual): + * heap/IsoSubspace.h: + (JSC::IsoSubspace::allocatorForNonVirtual): + * heap/LocalAllocator.cpp: + (JSC::LocalAllocator::LocalAllocator): + (JSC::LocalAllocator::~LocalAllocator): + * heap/LocalAllocator.h: + (JSC::LocalAllocator::cellSize const): + (JSC::LocalAllocator::tlc const): Deleted. + * heap/ThreadLocalCache.cpp: Removed. + * heap/ThreadLocalCache.h: Removed. + * heap/ThreadLocalCacheInlines.h: Removed. 
+ * heap/ThreadLocalCacheLayout.cpp: Removed. + * heap/ThreadLocalCacheLayout.h: Removed. + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + (JSC::AssemblyHelpers::emitAllocate): + (JSC::AssemblyHelpers::emitAllocateVariableSized): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_create_this): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::~VM): + * runtime/VM.h: + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::~VMEntryScope): + * runtime/VMEntryScope.h: + +2018-05-22 Keith Miller + + We should have a CoW storage for NewArrayBuffer arrays. + https://bugs.webkit.org/show_bug.cgi?id=185003 + + Reviewed by Filip Pizlo. + + This patch adds copy on write storage for new array buffers. In + order to do this there needed to be significant changes to the + layout of IndexingType. The new indexing type has the following + shape: + + struct IndexingTypeAndMisc { + struct IndexingModeIncludingHistory { + struct IndexingMode { + struct IndexingType { + uint8_t isArray:1; // bit 0 + uint8_t shape:3; // bit 1 - 3 + }; + uint8_t copyOnWrite:1; // bit 4 + }; + uint8_t mayHaveIndexedAccessors:1; // bit 5 + }; + uint8_t cellLockBits:2; // bit 6 - 7 + }; + + For simplicity ArrayStorage shapes cannot be CoW. So the only + valid CoW indexing shapes are ArrayWithInt32, ArrayWithDouble, and + ArrayWithContiguous. + + The backing store for a CoW array is a new class + JSImmutableButterfly, which looks exactly the same as a normal + butterfly except that it has a JSCell header. Like other + butterflies, JSImmutableButterfies are allocated out of the + Auxiliary Gigacage and are pointed to by JSCells in the same + way. However, when marking JSImmutableButterflies they are marked + as if they were a property. 
+ + With CoW arrays, the new_array_buffer bytecode will reallocate the + shared JSImmutableButterfly if it sees from the allocation profile + that the last array it allocated has transitioned to a different + indexing type. From then on, all arrays created by that + new_array_buffer bytecode will have the promoted indexing + type. This is more or less the same as what we used to do. The + only difference is that we don't promote all the way to array + storage even if we have seen it before. + + Transitioning from a CoW indexing mode occurs whenever someone + tries to store to an element, grow the array, or add properties. + Storing or growing the array will call into code that does the + stupid thing of copying the butterfly then continue into the old + code. This doesn't end up costing us as future allocations will + use any upgraded indexing shape. We get adding properties for + free by just changing the indexing mode on transition (our C++ + code always updates the indexing mode). + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/ArrayAllocationProfile.cpp: + (JSC::ArrayAllocationProfile::updateProfile): + * bytecode/ArrayAllocationProfile.h: + (JSC::ArrayAllocationProfile::initializeIndexingMode): + * bytecode/ArrayProfile.cpp: + (JSC::dumpArrayModes): + (JSC::ArrayProfile::briefDescriptionWithoutUpdating): + * bytecode/ArrayProfile.h: + (JSC::asArrayModes): + (JSC::arrayModeFromStructure): + (JSC::arrayModesInclude): + (JSC::hasSeenCopyOnWriteArray): + * bytecode/BytecodeList.json: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/InlineAccess.cpp: + (JSC::InlineAccess::generateArrayLength): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::addArrayAllocationProfile): + (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::newArrayAllocationProfile): + (JSC::BytecodeGenerator::emitNewArrayBuffer): + 
(JSC::BytecodeGenerator::emitNewArray): + (JSC::BytecodeGenerator::emitNewArrayWithSize): + (JSC::BytecodeGenerator::emitExpectedFunctionSnippet): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayNode::emitBytecode): + (JSC::ArrayPatternNode::bindValue const): + (JSC::ArrayPatternNode::emitDirectBinding): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGArgumentsUtilities.cpp: + (JSC::DFG::emitCodeToGetArgumentsArrayLength): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::fromObserved): + (JSC::DFG::ArrayMode::refine const): + (JSC::DFG::ArrayMode::alreadyChecked const): + * dfg/DFGArrayMode.h: + (JSC::DFG::ArrayMode::ArrayMode): + (JSC::DFG::ArrayMode::action const): + (JSC::DFG::ArrayMode::withSpeculation const): + (JSC::DFG::ArrayMode::withArrayClass const): + (JSC::DFG::ArrayMode::withType const): + (JSC::DFG::ArrayMode::withConversion const): + (JSC::DFG::ArrayMode::withTypeAndConversion const): + (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const): + (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + (JSC::DFG::ByteCodeParser::handleIntrinsicGetter): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion): + (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGNode.h: + (JSC::DFG::Node::indexingType): + (JSC::DFG::Node::indexingMode): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileExit): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + 
(JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): + (JSC::DFG::SpeculativeJIT::arrayify): + (JSC::DFG::SpeculativeJIT::compileGetByValOnString): + (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): + (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): + (JSC::DFG::SpeculativeJIT::compileGetArrayLength): + (JSC::DFG::SpeculativeJIT::compileCreateRest): + (JSC::DFG::SpeculativeJIT::compileArraySlice): + (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePutStructure): + (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): + (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread): + (JSC::FTL::DFG::LowerDFGToB3::storeStructure): + (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + * generate-bytecode-files: + * interpreter/Interpreter.cpp: + (JSC::sizeOfVarargs): + (JSC::loadVarargs): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): + * jit/JITOperations.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_put_by_val): + (JSC::JIT::emitSlow_op_put_by_val): + * jit/Repatch.cpp: + (JSC::tryCachePutByID): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/Butterfly.h: + (JSC::ContiguousData::Data::Data): + (JSC::ContiguousData::Data::operator bool const): + 
(JSC::ContiguousData::Data::operator=): + (JSC::ContiguousData::Data::operator const T& const): + (JSC::ContiguousData::Data::set): + (JSC::ContiguousData::Data::setWithoutWriteBarrier): + (JSC::ContiguousData::Data::clear): + (JSC::ContiguousData::Data::get const): + (JSC::ContiguousData::atUnsafe): + (JSC::ContiguousData::at const): Deleted. + (JSC::ContiguousData::at): Deleted. + * runtime/ButterflyInlines.h: + (JSC::ContiguousData::at const): + (JSC::ContiguousData::at): + * runtime/ClonedArguments.cpp: + (JSC::ClonedArguments::createEmpty): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::allocateNewArrayBuffer): + * runtime/IndexingType.cpp: + (JSC::leastUpperBoundOfIndexingTypeAndType): + (JSC::leastUpperBoundOfIndexingTypeAndValue): + (JSC::dumpIndexingType): + * runtime/IndexingType.h: + (JSC::hasIndexedProperties): + (JSC::hasUndecided): + (JSC::hasInt32): + (JSC::hasDouble): + (JSC::hasContiguous): + (JSC::hasArrayStorage): + (JSC::hasAnyArrayStorage): + (JSC::hasSlowPutArrayStorage): + (JSC::shouldUseSlowPut): + (JSC::isCopyOnWrite): + (JSC::arrayIndexFromIndexingType): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + (JSC::JSArray::put): + (JSC::JSArray::appendMemcpy): + (JSC::JSArray::setLength): + (JSC::JSArray::pop): + (JSC::JSArray::fastSlice): + (JSC::JSArray::shiftCountWithAnyIndexingType): + (JSC::JSArray::unshiftCountWithAnyIndexingType): + (JSC::JSArray::fillArgList): + (JSC::JSArray::copyToArguments): + * runtime/JSArrayInlines.h: + (JSC::JSArray::pushInline): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::JSCell): + (JSC::JSCell::finishCreation): + (JSC::JSCell::indexingType const): + (JSC::JSCell::indexingMode const): + (JSC::JSCell::setStructure): + * runtime/JSFixedArray.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::haveABadTime): + (JSC::JSGlobalObject::visitChildren): + * 
runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::originalArrayStructureForIndexingType const): + (JSC::JSGlobalObject::arrayStructureForIndexingTypeDuringAllocation const): + (JSC::JSGlobalObject::isOriginalArrayStructure): + * runtime/JSImmutableButterfly.cpp: Added. + (JSC::JSImmutableButterfly::visitChildren): + (JSC::JSImmutableButterfly::copyToArguments): + * runtime/JSImmutableButterfly.h: Added. + (JSC::JSImmutableButterfly::createStructure): + (JSC::JSImmutableButterfly::tryCreate): + (JSC::JSImmutableButterfly::create): + (JSC::JSImmutableButterfly::publicLength const): + (JSC::JSImmutableButterfly::vectorLength const): + (JSC::JSImmutableButterfly::length const): + (JSC::JSImmutableButterfly::toButterfly const): + (JSC::JSImmutableButterfly::fromButterfly): + (JSC::JSImmutableButterfly::get const): + (JSC::JSImmutableButterfly::subspaceFor): + (JSC::JSImmutableButterfly::setIndex): + (JSC::JSImmutableButterfly::allocationSize): + (JSC::JSImmutableButterfly::JSImmutableButterfly): + * runtime/JSObject.cpp: + (JSC::JSObject::markAuxiliaryAndVisitOutOfLineProperties): + (JSC::JSObject::visitButterflyImpl): + (JSC::JSObject::getOwnPropertySlotByIndex): + (JSC::JSObject::putByIndex): + (JSC::JSObject::createInitialInt32): + (JSC::JSObject::createInitialDouble): + (JSC::JSObject::createInitialContiguous): + (JSC::JSObject::convertUndecidedToInt32): + (JSC::JSObject::convertUndecidedToDouble): + (JSC::JSObject::convertUndecidedToContiguous): + (JSC::JSObject::convertInt32ToDouble): + (JSC::JSObject::convertInt32ToArrayStorage): + (JSC::JSObject::convertDoubleToContiguous): + (JSC::JSObject::convertDoubleToArrayStorage): + (JSC::JSObject::convertContiguousToArrayStorage): + (JSC::JSObject::createInitialForValueAndSet): + (JSC::JSObject::convertInt32ForValue): + (JSC::JSObject::convertFromCopyOnWrite): + (JSC::JSObject::ensureWritableInt32Slow): + (JSC::JSObject::ensureWritableDoubleSlow): + (JSC::JSObject::ensureWritableContiguousSlow): + 
(JSC::JSObject::ensureArrayStorageSlow): + (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode): + (JSC::JSObject::switchToSlowPutArrayStorage): + (JSC::JSObject::deletePropertyByIndex): + (JSC::JSObject::getOwnPropertyNames): + (JSC::canDoFastPutDirectIndex): + (JSC::JSObject::defineOwnIndexedProperty): + (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): + (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage): + (JSC::JSObject::putByIndexBeyondVectorLength): + (JSC::JSObject::countElements): + (JSC::JSObject::ensureLengthSlow): + (JSC::JSObject::getEnumerableLength): + (JSC::JSObject::ensureInt32Slow): Deleted. + (JSC::JSObject::ensureDoubleSlow): Deleted. + (JSC::JSObject::ensureContiguousSlow): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::putDirectIndex): + (JSC::JSObject::canGetIndexQuickly): + (JSC::JSObject::getIndexQuickly): + (JSC::JSObject::tryGetIndexQuickly const): + (JSC::JSObject::canSetIndexQuickly): + (JSC::JSObject::setIndexQuickly): + (JSC::JSObject::initializeIndex): + (JSC::JSObject::initializeIndexWithoutBarrier): + (JSC::JSObject::ensureWritableInt32): + (JSC::JSObject::ensureWritableDouble): + (JSC::JSObject::ensureWritableContiguous): + (JSC::JSObject::ensureLength): + (JSC::JSObject::ensureInt32): Deleted. + (JSC::JSObject::ensureDouble): Deleted. + (JSC::JSObject::ensureContiguous): Deleted. 
+ * runtime/JSObjectInlines.h: + (JSC::JSObject::putDirectInternal): + * runtime/JSType.h: + * runtime/RegExpMatchesArray.h: + (JSC::tryCreateUninitializedRegExpMatchesArray): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::addNewPropertyTransition): + (JSC::Structure::nonPropertyTransition): + * runtime/Structure.h: + * runtime/StructureIDBlob.h: + (JSC::StructureIDBlob::StructureIDBlob): + (JSC::StructureIDBlob::indexingModeIncludingHistory const): + (JSC::StructureIDBlob::setIndexingModeIncludingHistory): + (JSC::StructureIDBlob::indexingModeIncludingHistoryOffset): + (JSC::StructureIDBlob::indexingTypeIncludingHistory const): Deleted. + (JSC::StructureIDBlob::setIndexingTypeIncludingHistory): Deleted. + (JSC::StructureIDBlob::indexingTypeIncludingHistoryOffset): Deleted. + * runtime/StructureTransitionTable.h: + (JSC::newIndexingType): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2018-05-22 Ryan Haddad + + Unreviewed, rolling out r232052. + + Breaks internal builds. + + Reverted changeset: + + "Use more C++17" + https://bugs.webkit.org/show_bug.cgi?id=185176 + https://trac.webkit.org/changeset/232052 + +2018-05-22 Alberto Garcia + + [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations + https://bugs.webkit.org/show_bug.cgi?id=182622 + + + Reviewed by Michael Catanzaro. + + We were linking JavaScriptCore against libatomic in MIPS because + in that architecture __atomic_fetch_add_8() is not a compiler + intrinsic and is provided by that library instead. However other + architectures (e.g armel) are in the same situation, so we need a + generic test. + + That test already exists in WebKit/CMakeLists.txt, so we just have + to move it to a common file (WebKitCompilerFlags.cmake) and use + its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here. + + * CMakeLists.txt: + +2018-05-22 Michael Catanzaro + + Unreviewed, rolling out r231843. 
+ + Broke cross build + + Reverted changeset: + + "[CMake] Properly detect compiler flags, needed libs, and + fallbacks for usage of 64-bit atomic operations" + https://bugs.webkit.org/show_bug.cgi?id=182622 + https://trac.webkit.org/changeset/231843 + +2018-05-21 Yusuke Suzuki + + Use more C++17 + https://bugs.webkit.org/show_bug.cgi?id=185176 + + Reviewed by JF Bastien. + + * Configurations/Base.xcconfig: + +2018-05-21 Yusuke Suzuki + + [JSC] Remove duplicate methods in JSInterfaceJIT + https://bugs.webkit.org/show_bug.cgi?id=185813 + + Reviewed by Saam Barati. + + Some methods of JSInterfaceJIT are duplicate with AssemblyHelpers' ones. + This patch removes these ones and use AssemblyHelpers' ones instead. + + This patch also a bit cleans up ThunkGenerators' unnecessary ifdefs. + + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::tagFor): + (JSC::AssemblyHelpers::payloadFor): + * jit/JIT.h: + * jit/JITArithmetic.cpp: + (JSC::JIT::emit_op_unsigned): + (JSC::JIT::emit_compareUnsigned): + (JSC::JIT::emit_op_inc): + (JSC::JIT::emit_op_dec): + (JSC::JIT::emit_op_mod): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + * jit/JITInlines.h: + (JSC::JIT::emitPutIntToCallFrameHeader): + (JSC::JIT::updateTopCallFrame): + (JSC::JIT::emitInitRegister): + (JSC::JIT::emitLoad): + (JSC::JIT::emitStore): + (JSC::JIT::emitStoreInt32): + (JSC::JIT::emitStoreCell): + (JSC::JIT::emitStoreBool): + (JSC::JIT::emitGetVirtualRegister): + (JSC::JIT::emitPutVirtualRegister): + (JSC::JIT::emitTagBool): Deleted. 
+ * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_overrides_has_instance): + (JSC::JIT::emit_op_is_empty): + (JSC::JIT::emit_op_is_undefined): + (JSC::JIT::emit_op_is_boolean): + (JSC::JIT::emit_op_is_number): + (JSC::JIT::emit_op_is_cell_with_type): + (JSC::JIT::emit_op_is_object): + (JSC::JIT::emit_op_eq): + (JSC::JIT::emit_op_neq): + (JSC::JIT::compileOpStrictEq): + (JSC::JIT::emit_op_eq_null): + (JSC::JIT::emit_op_neq_null): + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::emitSlow_op_neq): + (JSC::JIT::emitSlow_op_instanceof_custom): + (JSC::JIT::emitNewFuncExprCommon): + * jit/JSInterfaceJIT.h: + (JSC::JSInterfaceJIT::emitLoadInt32): + (JSC::JSInterfaceJIT::emitLoadDouble): + (JSC::JSInterfaceJIT::emitPutToCallFrameHeader): + (JSC::JSInterfaceJIT::emitPutCellToCallFrameHeader): + (JSC::JSInterfaceJIT::tagFor): Deleted. + (JSC::JSInterfaceJIT::payloadFor): Deleted. + (JSC::JSInterfaceJIT::intPayloadFor): Deleted. + (JSC::JSInterfaceJIT::intTagFor): Deleted. + (JSC::JSInterfaceJIT::emitTagInt): Deleted. + (JSC::JSInterfaceJIT::addressFor): Deleted. + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::returnDouble): + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): + (JSC::arityFixupGenerator): + +2018-05-21 Yusuke Suzuki + + Unreviewed, reland InById cache + https://bugs.webkit.org/show_bug.cgi?id=185682 + + Includes Dominik's 32bit fix. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::fromStructureStubInfo): + (JSC::AccessCase::generateWithGuard): + (JSC::AccessCase::generateImpl): + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printInByIdCacheStatus): + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeDumper.h: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/InlineAccess.cpp: + (JSC::InlineAccess::generateSelfInAccess): + * bytecode/InlineAccess.h: + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::initInByIdSelf): + (JSC::StructureStubInfo::deref): + (JSC::StructureStubInfo::aboutToDie): + (JSC::StructureStubInfo::reset): + (JSC::StructureStubInfo::visitWeakReferences): + (JSC::StructureStubInfo::propagateTransitions): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::patchableJump): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitInByVal): + (JSC::BytecodeGenerator::emitInById): + (JSC::BytecodeGenerator::emitIn): Deleted. + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::InNode::emitBytecode): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::addInById): + (JSC::DFG::InRecord::InRecord): Deleted. + (JSC::DFG::JITCompiler::addIn): Deleted. 
+ * dfg/DFGNode.h: + (JSC::DFG::Node::convertToInById): + (JSC::DFG::Node::hasIdentifier): + (JSC::DFG::Node::hasArrayMode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileInById): + (JSC::DFG::SpeculativeJIT::compileInByVal): + (JSC::DFG::SpeculativeJIT::compileIn): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileInByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileInById): + (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted. + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::boxBoolean): + * jit/ICStats.h: + * jit/JIT.cpp: + (JSC::JIT::JIT): + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + (JSC::JIT::link): + * jit/JIT.h: + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITInByIdGenerator::JITInByIdGenerator): + (JSC::JITInByIdGenerator::generateFastPath): + * jit/JITInlineCacheGenerator.h: + (JSC::JITInByIdGenerator::JITInByIdGenerator): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_in_by_id): + (JSC::JIT::emitSlow_op_in_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_in_by_id): + (JSC::JIT::emitSlow_op_in_by_id): + * jit/Repatch.cpp: + (JSC::tryCacheInByID): + (JSC::repatchInByID): + (JSC::resetInByID): + (JSC::tryCacheIn): Deleted. + (JSC::repatchIn): Deleted. + (JSC::resetIn): Deleted. 
+ * jit/Repatch.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * parser/NodeConstructors.h: + (JSC::InNode::InNode): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::opInByVal): + (JSC::CommonSlowPaths::opIn): Deleted. + +2018-05-21 Commit Queue + + Unreviewed, rolling out r231998 and r232017. + https://bugs.webkit.org/show_bug.cgi?id=185842 + + causes crashes on 32 JSC bot (Requested by realdawei on + #webkit). + + Reverted changesets: + + "[JSC] JSC should have consistent InById IC" + https://bugs.webkit.org/show_bug.cgi?id=185682 + https://trac.webkit.org/changeset/231998 + + "Unreviewed, fix 32bit and scope release" + https://bugs.webkit.org/show_bug.cgi?id=185682 + https://trac.webkit.org/changeset/232017 + +2018-05-21 Jer Noble + + Complete fix for enabling modern EME by default + https://bugs.webkit.org/show_bug.cgi?id=185770 + + + Reviewed by Eric Carlson. + + * Configurations/FeatureDefines.xcconfig: + +2018-05-21 Yusuke Suzuki + + Unreviewed, fix 32bit and scope release + https://bugs.webkit.org/show_bug.cgi?id=185682 + + * jit/JITOperations.cpp: + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_in_by_id): + +2018-05-20 Filip Pizlo + + Revert the B3 compiler pipeline's treatment of taildup + https://bugs.webkit.org/show_bug.cgi?id=185808 + + Reviewed by Yusuke Suzuki. + + While trying to implement path specialization (bug 185060), I reorganized the B3 pass pipeline. + But then path specialization turned out to be a negative result. This reverts the pipeline to the + way it was before that work. + + 1.5% progression on V8Spider-CompileTime. + + * b3/B3Generate.cpp: + (JSC::B3::generateToAir): + +2018-05-20 Yusuke Suzuki + + [DFG] CheckTypeInfoFlags should say `eliminated` if it is removed in constant folding phase + https://bugs.webkit.org/show_bug.cgi?id=185802 + + Reviewed by Saam Barati. 
+ + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + +2018-05-18 Filip Pizlo + + DFG should inline InstanceOf ICs + https://bugs.webkit.org/show_bug.cgi?id=185695 + + Reviewed by Yusuke Suzuki. + + This teaches the DFG how to inline InstanceOf ICs into a MatchStructure node. This can then + be folded to a CheckStructure + JSConstant. + + In the process of testing this, I found a bug where LICM was not hoisting things that + depended on ExtraOSREntryLocal because that might return SpecEmpty. I fixed that by teaching + LICM how to materialize CheckNotEmpty on demand whenever !HoistingFailed. + + This is a ~5% speed-up on boyer. + + ~2x speed-up on the instanceof-always-hit-one, instanceof-always-hit-two, and + instanceof-sometimes-hit microbenchmarks. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::appendVariant): + (JSC::GetByIdStatus::filter): + * bytecode/GetByIdStatus.h: + (JSC::GetByIdStatus::operator bool const): + (JSC::GetByIdStatus::operator! const): Deleted. + * bytecode/GetByIdVariant.h: + (JSC::GetByIdVariant::operator bool const): + (JSC::GetByIdVariant::operator! const): Deleted. + * bytecode/ICStatusUtils.h: Added. + (JSC::appendICStatusVariant): + (JSC::filterICStatusVariants): + * bytecode/InstanceOfStatus.cpp: Added. + (JSC::InstanceOfStatus::appendVariant): + (JSC::InstanceOfStatus::computeFor): + (JSC::InstanceOfStatus::computeForStubInfo): + (JSC::InstanceOfStatus::commonPrototype const): + (JSC::InstanceOfStatus::filter): + * bytecode/InstanceOfStatus.h: Added. 
+ (JSC::InstanceOfStatus::InstanceOfStatus):
+ (JSC::InstanceOfStatus::state const):
+ (JSC::InstanceOfStatus::isSet const):
+ (JSC::InstanceOfStatus::operator bool const):
+ (JSC::InstanceOfStatus::isSimple const):
+ (JSC::InstanceOfStatus::takesSlowPath const):
+ (JSC::InstanceOfStatus::numVariants const):
+ (JSC::InstanceOfStatus::variants const):
+ (JSC::InstanceOfStatus::at const):
+ (JSC::InstanceOfStatus::operator[] const):
+ * bytecode/InstanceOfVariant.cpp: Added.
+ (JSC::InstanceOfVariant::InstanceOfVariant):
+ (JSC::InstanceOfVariant::attemptToMerge):
+ (JSC::InstanceOfVariant::dump const):
+ (JSC::InstanceOfVariant::dumpInContext const):
+ * bytecode/InstanceOfVariant.h: Added.
+ (JSC::InstanceOfVariant::InstanceOfVariant):
+ (JSC::InstanceOfVariant::operator bool const):
+ (JSC::InstanceOfVariant::structureSet const):
+ (JSC::InstanceOfVariant::structureSet):
+ (JSC::InstanceOfVariant::conditionSet const):
+ (JSC::InstanceOfVariant::prototype const):
+ (JSC::InstanceOfVariant::isHit const):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::StructureStubInfo):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::considerCaching):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGGraph.h:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::remove):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasMatchStructureData):
+ (JSC::DFG::Node::matchStructureData):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMatchStructure):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMatchStructure):
+
+2018-05-19 Yusuke Suzuki
+
+ [JSC] JSC should have consistent InById IC
+ https://bugs.webkit.org/show_bug.cgi?id=185682
+
+ Reviewed by Filip Pizlo.
+
+ Current our op_in IC is adhoc: It is only emitted in DFG and FTL layers,
+ when we found that DFG::In's parameter is constant string. We should
+ align this IC to the other ById ICs to clean up and remove adhoc code
+ in DFG and FTL.
+
+ This patch cleans up our "In" IC by aligning it to the other ById ICs.
+ We split op_in bytecode to op_in_by_id and op_in_by_val. op_in_by_val
+ is the same to the original op_in. For op_in_by_id, we use JITInByIdGenerator
+ to emit InById IC code. In addition, our JITInByIdGenerator and op_in_by_id
+ has a inline access cache for own property case, which is the same to
+ JITGetByIdGenerator.
+
+ And we split DFG::In to DFG::InById and DFG::InByVal. InByVal is the same
+ to the original In DFG node. DFG AI attempts to lower InByVal to InById
+ if AI figured out that the property name is a constant string. And in
+ InById node, we use JITInByIdGenerator code.
+
+ This patch cleans up DFG and FTL's adhoc In IC code.
+
+ In a subsequent patch, we should introduce InByIdStatus to optimize
+ InById in DFG and FTL. We would like to have a new InByIdStatus instead of
+ reusing GetByIdStatus since GetByIdStatus becomes too complicated, and
+ AccessCase::Types are different from them (AccessCase::InHit / InMiss).
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::fromStructureStubInfo):
+ (JSC::AccessCase::generateWithGuard):
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::printInByIdCacheStatus):
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeDumper.h:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::generateSelfInAccess):
+ * bytecode/InlineAccess.h:
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::initInByIdSelf):
+ (JSC::StructureStubInfo::deref):
+ (JSC::StructureStubInfo::aboutToDie):
+ (JSC::StructureStubInfo::reset):
+ (JSC::StructureStubInfo::visitWeakReferences):
+ (JSC::StructureStubInfo::propagateTransitions):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::patchableJump):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitInByVal):
+ (JSC::BytecodeGenerator::emitInById):
+ (JSC::BytecodeGenerator::emitIn): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::InNode::emitBytecode):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::addInById):
+ (JSC::DFG::InRecord::InRecord): Deleted.
+ (JSC::DFG::JITCompiler::addIn): Deleted.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToInById):
+ (JSC::DFG::Node::hasIdentifier):
+ (JSC::DFG::Node::hasArrayMode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileInById):
+ (JSC::DFG::SpeculativeJIT::compileInByVal):
+ (JSC::DFG::SpeculativeJIT::compileIn): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInById):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIn): Deleted.
+ * jit/ICStats.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::JIT):
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::JIT::link):
+ * jit/JIT.h:
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITInByIdGenerator::JITInByIdGenerator):
+ (JSC::JITInByIdGenerator::generateFastPath):
+ * jit/JITInlineCacheGenerator.h:
+ (JSC::JITInByIdGenerator::JITInByIdGenerator):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_in_by_id):
+ (JSC::JIT::emitSlow_op_in_by_id):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_in_by_id):
+ (JSC::JIT::emitSlow_op_in_by_id):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheInByID):
+ (JSC::repatchInByID):
+ (JSC::resetInByID):
+ (JSC::tryCacheIn): Deleted.
+ (JSC::repatchIn): Deleted.
+ (JSC::resetIn): Deleted.
+ * jit/Repatch.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * parser/NodeConstructors.h:
+ (JSC::InNode::InNode):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::opInByVal):
+ (JSC::CommonSlowPaths::opIn): Deleted.
+
+2018-05-18 Commit Queue
+
+ Unreviewed, rolling out r231982.
+ https://bugs.webkit.org/show_bug.cgi?id=185793
+
+ Caused layout test failures (Requested by realdawei on
+ #webkit).
+
+ Reverted changeset:
+
+ "Complete fix for enabling modern EME by default"
+ https://bugs.webkit.org/show_bug.cgi?id=185770
+ https://trac.webkit.org/changeset/231982
+
+2018-05-18 Keith Miller
+
+ op_in should mark if it sees out of bounds accesses
+ https://bugs.webkit.org/show_bug.cgi?id=185792
+
+ Reviewed by Filip Pizlo.
+
+ This would used to cause us to OSR loop since we would always speculate
+ we were in bounds in HasIndexedProperty.
+
+ * bytecode/ArrayProfile.cpp:
+ (JSC::ArrayProfile::observeIndexedRead):
+ * bytecode/ArrayProfile.h:
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::opIn):
+
+2018-05-18 Mark Lam
+
+ Add missing exception check.
+ https://bugs.webkit.org/show_bug.cgi?id=185786
+
+
+ Reviewed by Michael Saboff.
+
+ * runtime/JSPropertyNameEnumerator.h:
+ (JSC::propertyNameEnumerator):
+
+2018-05-18 Jer Noble
+
+ Complete fix for enabling modern EME by default
+ https://bugs.webkit.org/show_bug.cgi?id=185770
+
+
+ Reviewed by Eric Carlson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2018-05-18 Yusuke Suzuki
+
+ Unreviewed, fix exception checking, part 2
+ https://bugs.webkit.org/show_bug.cgi?id=185350
+
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::putByValInternal):
+ * jit/JITOperations.cpp:
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::putDirectAccessorWithReify):
+
+2018-05-16 Filip Pizlo
+
+ JSC should have InstanceOf inline caching
+ https://bugs.webkit.org/show_bug.cgi?id=185652
+
+ Reviewed by Saam Barati.
+
+ This adds a polymorphic inline cache for instanceof. It caches hits and misses. It uses the
+ existing PolymorphicAccess IC machinery along with all of its heuristics. If we ever generate
+ too many cases, we emit the generic instanceof implementation instead.
+
+ All of the JIT tiers use the same InstanceOf IC. It uses the existing JITInlineCacheGenerator
+ abstraction.
+
+ This is a ~40% speed-up on instanceof microbenchmarks. It's a *tiny* (~1%) speed-up on
+ Octane/boyer. I think I can make that speed-up bigger by inlining the inline cache.
+
+ * API/tests/testapi.mm:
+ (testObjectiveCAPIMain):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * b3/B3Effects.h:
+ (JSC::B3::Effects::forReadOnlyCall):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::guardedByStructureCheck const):
+ (JSC::AccessCase::canReplace const):
+ (JSC::AccessCase::visitWeak const):
+ (JSC::AccessCase::generateWithGuard):
+ (JSC::AccessCase::generateImpl):
+ * bytecode/AccessCase.h:
+ * bytecode/InstanceOfAccessCase.cpp: Added.
+ (JSC::InstanceOfAccessCase::create):
+ (JSC::InstanceOfAccessCase::dumpImpl const):
+ (JSC::InstanceOfAccessCase::clone const):
+ (JSC::InstanceOfAccessCase::~InstanceOfAccessCase):
+ (JSC::InstanceOfAccessCase::InstanceOfAccessCase):
+ * bytecode/InstanceOfAccessCase.h: Added.
+ (JSC::InstanceOfAccessCase::prototype const):
+ * bytecode/ObjectPropertyCondition.h:
+ (JSC::ObjectPropertyCondition::hasPrototypeWithoutBarrier):
+ (JSC::ObjectPropertyCondition::hasPrototype):
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::generateConditionsForInstanceOf):
+ * bytecode/ObjectPropertyConditionSet.h:
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::addCases):
+ (JSC::PolymorphicAccess::regenerate):
+ (WTF::printInternal):
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::dumpInContext const):
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
+ (JSC::PropertyCondition::validityRequiresImpurePropertyWatchpoint const):
+ (WTF::printInternal):
+ * bytecode/PropertyCondition.h:
+ (JSC::PropertyCondition::absenceWithoutBarrier):
+ (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
+ (JSC::PropertyCondition::hasPrototypeWithoutBarrier):
+ (JSC::PropertyCondition::hasPrototype):
+ (JSC::PropertyCondition::hasPrototype const):
+ (JSC::PropertyCondition::prototype const):
+ (JSC::PropertyCondition::hash const):
+ (JSC::PropertyCondition::operator== const):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::StructureStubInfo):
+ (JSC::StructureStubInfo::reset):
+ * bytecode/StructureStubInfo.h:
+ (JSC::StructureStubInfo::considerCaching):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGInlineCacheWrapper.h:
+ * dfg/DFGInlineCacheWrapperInlines.h:
+ (JSC::DFG::InlineCacheWrapper::finalize):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::addInstanceOf):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::usedRegisters):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIn):
+ (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
+ (JSC::FTL::DFG::LowerDFGToB3::getById):
+ (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
+ * jit/ICStats.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::JIT::link):
+ * jit/JIT.h:
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
+ (JSC::JITInlineCacheGenerator::finalize):
+ (JSC::JITByIdGenerator::JITByIdGenerator):
+ (JSC::JITByIdGenerator::finalize):
+ (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
+ (JSC::JITInstanceOfGenerator::generateFastPath):
+ (JSC::JITInstanceOfGenerator::finalize):
+ * jit/JITInlineCacheGenerator.h:
+ (JSC::JITInlineCacheGenerator::reportSlowPathCall):
+ (JSC::JITInlineCacheGenerator::slowPathBegin const):
+ (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
+ (JSC::finalizeInlineCaches):
+ (JSC::JITByIdGenerator::reportSlowPathCall): Deleted.
+ (JSC::JITByIdGenerator::slowPathBegin const): Deleted.
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emitSlow_op_instanceof):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompileGetByValWithCachedId):
+ (JSC::JIT::privateCompilePutByValWithCachedId):
+ * jit/RegisterSet.cpp:
+ (JSC::RegisterSet::stubUnavailableRegisters):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheIn):
+ (JSC::tryCacheInstanceOf):
+ (JSC::repatchInstanceOf):
+ (JSC::resetPatchableJump):
+ (JSC::resetIn):
+ (JSC::resetInstanceOf):
+ * jit/Repatch.h:
+ * runtime/Options.h:
+ * runtime/Structure.h:
+
+2018-05-18 Yusuke Suzuki
+
+ Unreviewed, fix exception checking
+ https://bugs.webkit.org/show_bug.cgi?id=185350
+
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::putDirectWithReify):
+ (JSC::CommonSlowPaths::putDirectAccessorWithReify):
+
+2018-05-17 Michael Saboff
+
+ We don't throw SyntaxErrors for runtime generated regular expressions with errors
+ https://bugs.webkit.org/show_bug.cgi?id=185755
+
+ Reviewed by Keith Miller.
+
+ Added a new helper that creates the correct exception to throw for each type of error when
+ compiling a RegExp. Using that new helper, added missing checks for RegExp for the cases
+ where we create a new RegExp from an existing one. Also refactored other places that we
+ throw SyntaxErrors after a failed RegExp compile to use the new helper.
+
+ * runtime/RegExp.h:
+ * runtime/RegExpConstructor.cpp:
+ (JSC::regExpCreate):
+ (JSC::constructRegExp):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncCompile):
+ * yarr/YarrErrorCode.cpp:
+ (JSC::Yarr::errorToThrow):
+ * yarr/YarrErrorCode.h:
+
+2018-05-17 Saam Barati
+
+ Remove shrinkFootprint test from apitests since it's flaky
+ https://bugs.webkit.org/show_bug.cgi?id=185754
+
+ Reviewed by Mark Lam.
+
+ This test is flaky as it keeps failing on certain people's machines.
+ Having a test about OS footprint seems like it'll forever be doomed
+ to being flaky.
+
+ * API/tests/testapi.mm:
+ (testObjectiveCAPIMain):
+
+2018-05-17 Saam Barati
+
+ defaultConstructorSourceCode needs to makeSource every time it's called
+ https://bugs.webkit.org/show_bug.cgi?id=185753
+
+ Rubber-stamped by Mark Lam.
+
+ The bug here is multiple VMs can be running concurrently to one another
+ in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
+ if we copy a static SourceCode. instead, we create a new one each time
+ this function is called.
+
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::defaultConstructorSourceCode):
+
+2018-05-17 Yusuke Suzuki
+
+ [JSC] Use AssemblyHelpers' type checking functions as much as possible
+ https://bugs.webkit.org/show_bug.cgi?id=185730
+
+ Reviewed by Saam Barati.
+
+ Let's use AssemblyHelpers' type checking functions as much as possible. This hides the complex
+ bit and register operations for type tagging of JSValue. It is really useful when we would like
+ to tweak type tagging representation since the code is collected into AssemblyHelpers. And
+ the named function is more readable than some branching operations.
+
+ We also remove unnecessary branching functions in JIT / JSInterfaceJIT. Some of them are duplicate
+ to AssemblyHelpers' one.
+
+ We add several new type checking functions to AssemblyHelpers. Moreover, we add branchIfXXX(GPRReg)
+ functions even for 32bit environment. In 32bit environment, this function takes tag register. This
+ semantics is aligned to the existing branchIfCell / branchIfNotCell.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
+ (JSC::DFG::SpeculativeJIT::speculateCellType):
+ (JSC::DFG::SpeculativeJIT::speculateNumber):
+ (JSC::DFG::SpeculativeJIT::speculateMisc):
+ (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
+ (JSC::DFG::SpeculativeJIT::compileCreateThis):
+ (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
+ (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::convertAnyInt):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::branchIfInt32):
+ (JSC::AssemblyHelpers::branchIfNotInt32):
+ (JSC::AssemblyHelpers::branchIfNumber):
+ (JSC::AssemblyHelpers::branchIfNotNumber):
+ (JSC::AssemblyHelpers::branchIfBoolean):
+ (JSC::AssemblyHelpers::branchIfNotBoolean):
+ (JSC::AssemblyHelpers::branchIfEmpty):
+ (JSC::AssemblyHelpers::branchIfNotEmpty):
+ (JSC::AssemblyHelpers::branchIfUndefined):
+ (JSC::AssemblyHelpers::branchIfNotUndefined):
+ (JSC::AssemblyHelpers::branchIfNull):
+ (JSC::AssemblyHelpers::branchIfNotNull):
+ * jit/JIT.h:
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_compareAndJump):
+ (JSC::JIT::emit_compareAndJumpSlow):
+ * jit/JITArithmetic32_64.cpp:
+ (JSC::JIT::emit_compareAndJump):
+ (JSC::JIT::emit_op_unsigned):
+ (JSC::JIT::emit_op_inc):
+ (JSC::JIT::emit_op_dec):
+ (JSC::JIT::emitBinaryDoubleOp):
+ (JSC::JIT::emit_op_mod):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileCallEval):
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileCallEval):
+ (JSC::JIT::compileOpCall):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
+ (JSC::JIT::emitJumpIfBothJSCells):
+ (JSC::JIT::emitJumpSlowCaseIfJSCell):
+ (JSC::JIT::emitJumpIfNotInt):
+ (JSC::JIT::emitJumpSlowCaseIfNotInt):
+ (JSC::JIT::emitJumpSlowCaseIfNotNumber):
+ (JSC::JIT::emitJumpIfCellObject): Deleted.
+ (JSC::JIT::emitJumpIfCellNotObject): Deleted.
+ (JSC::JIT::emitJumpIfJSCell): Deleted.
+ (JSC::JIT::emitJumpIfInt): Deleted.
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_is_cell_with_type):
+ (JSC::JIT::emit_op_is_object):
+ (JSC::JIT::emit_op_to_primitive):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::compileOpStrictEq):
+ (JSC::JIT::compileOpStrictEqJump):
+ (JSC::JIT::emit_op_to_number):
+ (JSC::JIT::emit_op_to_string):
+ (JSC::JIT::emit_op_to_object):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ (JSC::JIT::emit_op_to_this):
+ (JSC::JIT::emit_op_create_this):
+ (JSC::JIT::emit_op_check_tdz):
+ (JSC::JIT::emitNewFuncExprCommon):
+ (JSC::JIT::emit_op_profile_type):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_is_cell_with_type):
+ (JSC::JIT::emit_op_is_object):
+ (JSC::JIT::emit_op_to_primitive):
+ (JSC::JIT::emit_op_not):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_jneq_ptr):
+ (JSC::JIT::emit_op_eq):
+ (JSC::JIT::emit_op_jeq):
+ (JSC::JIT::emit_op_neq):
+ (JSC::JIT::emit_op_jneq):
+ (JSC::JIT::compileOpStrictEq):
+ (JSC::JIT::compileOpStrictEqJump):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ (JSC::JIT::emit_op_to_number):
+ (JSC::JIT::emit_op_to_string):
+ (JSC::JIT::emit_op_to_object):
+ (JSC::JIT::emit_op_create_this):
+ (JSC::JIT::emit_op_to_this):
+ (JSC::JIT::emit_op_check_tdz):
+ (JSC::JIT::emit_op_profile_type):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitGetByValWithCachedId):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emit_op_put_to_scope):
+ (JSC::JIT::emitWriteBarrier):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ (JSC::JIT::emitGetByValWithCachedId):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emit_op_put_to_scope):
+ * jit/JSInterfaceJIT.h:
+ (JSC::JSInterfaceJIT::emitLoadJSCell):
+ (JSC::JSInterfaceJIT::emitLoadInt32):
+ (JSC::JSInterfaceJIT::emitLoadDouble):
+ (JSC::JSInterfaceJIT::emitJumpIfNumber): Deleted.
+ (JSC::JSInterfaceJIT::emitJumpIfNotNumber): Deleted.
+ (JSC::JSInterfaceJIT::emitJumpIfNotType): Deleted.
+ * jit/Repatch.cpp:
+ (JSC::linkPolymorphicCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::absThunkGenerator):
+ * tools/JSDollarVM.cpp:
+ (WTF::DOMJITNode::checkSubClassSnippet):
+ (WTF::DOMJITFunctionObject::checkSubClassSnippet):
+
+2018-05-17 Saam Barati
+
+ Unreviewed. Fix the build after my attempted build fix broke the build.
+
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::defaultConstructorSourceCode):
+ (JSC::BuiltinExecutables::createDefaultConstructor):
+ * builtins/BuiltinExecutables.h:
+
+2018-05-17 Yusuke Suzuki
+
+ [JSC] Remove reifyPropertyNameIfNeeded
+ https://bugs.webkit.org/show_bug.cgi?id=185350
+
+ Reviewed by Saam Barati.
+
+ reifyPropertyNameIfNeeded is in the middle of putDirectInternal, which is super critical path.
+ This is a virtual call, and it is only used by JSFunction right now. Since this causes too much
+ cost, we should remove this from the critical path.
+
+ This patch removes this function call from the critical path. And in our slow paths, we call
+ helper functions which calls reifyLazyPropertyIfNeeded if the given value is a JSFunction.
+ While putDirect is a bit raw API, our slow paths just call it. This helper wraps this calls
+ and care the edge cases. The other callsites of putDirect should know the type of the given
+ object and the name of the property (And avoid these edge cases).
+
+ This improves SixSpeed/object-assign.es6 by ~4% on MacBook Pro. And this patch does not cause
+ regressions of the existing tests.
+
+ baseline patched
+ Kraken:
+ json-parse-financial 35.522+-0.069 ^ 34.708+-0.097 ^ definitely 1.0234x faster
+
+ SixSpeed:
+ object-assign.es6 145.8779+-0.2838 ^ 140.1019+-0.8007 ^ definitely 1.0412x faster
+
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::putByValInternal):
+ (JSC::DFG::putByValCellInternal):
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/ClassInfo.h:
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::putDirectWithReify):
+ (JSC::CommonSlowPaths::putDirectAccessorWithReify):
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::reifyPropertyNameIfNeeded): Deleted.
+ * runtime/JSCell.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::reifyPropertyNameIfNeeded): Deleted.
+ * runtime/JSFunction.h:
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectAccessor):
+ (JSC::JSObject::putDirectNonIndexAccessor):
+ * runtime/JSObject.h:
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putDirectInternal):
+
+2018-05-17 Saam Barati
+
+ Unreviewed. Try to fix windows build.
+
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::defaultConstructorSourceCode):
+
+2018-05-16 Saam Barati
+
+ UnlinkedFunctionExecutable doesn't need a parent source override field since it's only used for default class constructors
+ https://bugs.webkit.org/show_bug.cgi?id=185637
+
+ Reviewed by Keith Miller.
+
+ We had this general mechanism for overriding an UnlinkedFunctionExecutable's parent
+ source code. However, we were only using this for default class constructors. There
+ are only two types of default class constructors. This patch makes it so that
+ we just store this information inside of a single bit, and ask for the source
+ code as needed instead of holding it in a nullable field that is 24 bytes in size.
+
+ This brings UnlinkedFunctionExecutable's size down from 184 bytes to 160 bytes.
+ This has the consequence of making it allocated out of a 160 byte size class
+ instead of a 224 byte size class. This should bring down its memory footprint
+ by ~40%.
+
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::defaultConstructorSourceCode):
+ (JSC::BuiltinExecutables::createDefaultConstructor):
+ (JSC::BuiltinExecutables::createExecutable):
+ * builtins/BuiltinExecutables.h:
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
+ (JSC::UnlinkedFunctionExecutable::link):
+ * bytecode/UnlinkedFunctionExecutable.h:
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
+
+2018-05-16 Saam Barati
+
+ VM::shrinkFootprint should call collectNow(Sync) instead of collectSync so it also eagerly sweeps
+ https://bugs.webkit.org/show_bug.cgi?id=185707
+
+ Reviewed by Mark Lam.
+
+ * runtime/VM.cpp:
+ (JSC::VM::shrinkFootprint):
+
+2018-05-16 Caio Lima
+
+ [ESNext][BigInt] Implement support for "/" operation
+ https://bugs.webkit.org/show_bug.cgi?id=183996
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is introducing the support for BigInt into divide
+ operation int LLInt and JIT layers.
+
+ * dfg/DFGOperations.cpp:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::divide):
+ (JSC::JSBigInt::copy):
+ (JSC::JSBigInt::unaryMinus):
+ (JSC::JSBigInt::absoluteCompare):
+ (JSC::JSBigInt::absoluteDivLarge):
+ (JSC::JSBigInt::productGreaterThan):
+ (JSC::JSBigInt::inplaceAdd):
+ (JSC::JSBigInt::inplaceSub):
+ (JSC::JSBigInt::inplaceRightShift):
+ (JSC::JSBigInt::specialLeftShift):
+ (JSC::JSBigInt::digit):
+ (JSC::JSBigInt::setDigit):
+ * runtime/JSBigInt.h:
+
+2018-05-16 Saam Barati
+
+ Constant fold CheckTypeInfoFlags on ImplementsDefaultHasInstance
+ https://bugs.webkit.org/show_bug.cgi?id=185670
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch makes it so that we constant fold CheckTypeInfoFlags for
+ ImplementsDefaultHasInstance inside of AI/constant folding. We constant
+ fold in three ways:
+ - When the incoming value is a constant, we just look at its inline type
+ flags. Since those flags never change after an object is created, this
+ is sound.
+ - Based on the incoming value having a finite structure set. We just iterate
+ all structures and ensure they have the bit set.
+ - Based on speculated type. To do this, I split up SpecFunction into two
+ subheaps where one is for functions that have the bit set, and one for
+ functions that don't have the bit set. The latter is currently only comprised
+ of JSBoundFunctions. To constant fold, we check that the incoming
+ value only has the SpecFunction type with ImplementsDefaultHasInstance set.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::speculationFromClassInfo):
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::assertTypeInfoFlagInvariants):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::assertTypeInfoFlagInvariants):
+ * runtime/JSFunctionInlines.h:
+ (JSC::JSFunction::JSFunction):
+
+2018-05-16 Devin Rousso
+
+ Web Inspector: create a navigation item for toggling the overlay rulers/guides
+ https://bugs.webkit.org/show_bug.cgi?id=185644
+
+ Reviewed by Matt Baker.
+
+ * inspector/protocol/OverlayTypes.json:
+ * inspector/protocol/Page.json:
+
+2018-05-16 Commit Queue
+
+ Unreviewed, rolling out r231845.
+ https://bugs.webkit.org/show_bug.cgi?id=185702
+
+ it is breaking Apple High Sierra 32-bit JSC bot (Requested by
+ caiolima on #webkit).
+
+ Reverted changeset:
+
+ "[ESNext][BigInt] Implement support for "/" operation"
+ https://bugs.webkit.org/show_bug.cgi?id=183996
+ https://trac.webkit.org/changeset/231845
+
+2018-05-16 Filip Pizlo
+
+ DFG models InstanceOf incorrectly
+ https://bugs.webkit.org/show_bug.cgi?id=185694
+
+ Reviewed by Keith Miller.
+
+ Proxies mean that InstanceOf can have effects. Exceptions mean that it's illegal to DCE it or
+ hoist it.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNodeType.h:
+
+2018-05-16 Andy VanWagoner
+
+ Add support for Intl NumberFormat formatToParts
+ https://bugs.webkit.org/show_bug.cgi?id=185375
+
+ Reviewed by Yusuke Suzuki.
+
+ Add flag for NumberFormat formatToParts. Implement formatToParts using
+ unum_formatDoubleForFields. Because the fields are nested and come back
+ in no guaranteed order, the simple algorithm to convert them to the
+ desired format is roughly O(n^2). However, even with Number.MAX_VALUE
+ it appears to perform well enough for the initial implementation. Another
+ issue has been created to improve this algorithm.
+
+ This requires ICU v59+ for unum_formatDoubleForFields, so it is disabled
+ on macOS, since only v57 is available.
+
+ * Configurations/FeatureDefines.xcconfig:
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::UFieldPositionIteratorDeleter::operator() const):
+ (JSC::IntlNumberFormat::partTypeString):
+ (JSC::IntlNumberFormat::formatToParts):
+ * runtime/IntlNumberFormat.h:
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototype::create):
+ (JSC::IntlNumberFormatPrototype::finishCreation):
+ (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
+ * runtime/IntlNumberFormatPrototype.h:
+ * runtime/Options.h:
+
+2018-05-16 Caio Lima
+
+ [ESNext][BigInt] Implement support for "/" operation
+ https://bugs.webkit.org/show_bug.cgi?id=183996
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is introducing the support for BigInt into divide
+ operation int LLInt and JIT layers.
+
+ * dfg/DFGOperations.cpp:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::divide):
+ (JSC::JSBigInt::copy):
+ (JSC::JSBigInt::unaryMinus):
+ (JSC::JSBigInt::absoluteCompare):
+ (JSC::JSBigInt::absoluteDivLarge):
+ (JSC::JSBigInt::productGreaterThan):
+ (JSC::JSBigInt::inplaceAdd):
+ (JSC::JSBigInt::inplaceSub):
+ (JSC::JSBigInt::inplaceRightShift):
+ (JSC::JSBigInt::specialLeftShift):
+ (JSC::JSBigInt::digit):
+ (JSC::JSBigInt::setDigit):
+ * runtime/JSBigInt.h:
+
+2018-05-16 Alberto Garcia
+
+ [CMake] Properly detect compiler flags, needed libs, and fallbacks for usage of 64-bit atomic operations
+ https://bugs.webkit.org/show_bug.cgi?id=182622
+
+ Reviewed by Michael Catanzaro.
+
+ We were linking JavaScriptCore against libatomic in MIPS because
+ in that architecture __atomic_fetch_add_8() is not a compiler
+ intrinsic and is provided by that library instead. However other
+ architectures (e.g armel) are in the same situation, so we need a
+ generic test.
+ + That test already exists in WebKit/CMakeLists.txt, so we just have + to move it to a common file (WebKitCompilerFlags.cmake) and use + its result (ATOMIC_INT64_REQUIRES_LIBATOMIC) here. + + * CMakeLists.txt: + +2018-05-15 Yusuke Suzuki + + [JSC] Check TypeInfo first before calling getCallData when we would like to check whether given object is a function + https://bugs.webkit.org/show_bug.cgi?id=185601 + + Reviewed by Saam Barati. + + Rename TypeOfShouldCallGetCallData to OverridesGetCallData. And check OverridesGetCallData + before calling getCallData when we would like to check whether a given object is callable + since getCallData is a virtual call. When we call the object anyway, directly calling getCallData + is fine. But if we would like to check whether the object is callable, we can have non + callable objects frequently. In that case, we should not call getCallData if we can avoid it. + + To do this cleanly, we refactor JSValue::{isFunction,isCallable}. We add JSCell::{isFunction,isCallable} + and JSValue ones call into these functions. Inside JSCell::{isFunction,isCallable}, we perform + OverridesGetCallData checking before calling getCallData. + + We found that this virtual call exists in JSON.stringify's critial path. Checking + OverridesGetCallData improves Kraken/json-stringify-tinderbox by 2-4%. + + baseline patched + + json-stringify-tinderbox 38.807+-0.350 ^ 37.216+-0.337 ^ definitely 1.0427x faster + + In addition to that, we also add OverridesGetCallData flag to JSFunction while we keep JSFunctionType checking fast path + since major cases are covered by this fast JSFunctionType checking. 
+ + * API/JSCallbackObject.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGOperations.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull): + (JSC::DFG::SpeculativeJIT::compileIsFunction): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::isExoticForTypeof): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitTypeOf): + * runtime/ExceptionHelpers.cpp: + (JSC::createError): + (JSC::createInvalidFunctionApplyParameterError): + * runtime/FunctionPrototype.cpp: + (JSC::functionProtoFuncToString): + * runtime/InternalFunction.h: + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isFunction const): + (JSC::JSValue::isCallable const): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isFunction): + ALWAYS_INLINE works well for my environment. + (JSC::JSCell::isCallable): + * runtime/JSFunction.h: + * runtime/JSONObject.cpp: + (JSC::Stringifier::toJSON): + (JSC::Stringifier::toJSONImpl): + (JSC::Stringifier::appendStringifiedValue): + * runtime/JSObjectInlines.h: + (JSC::createListFromArrayLike): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::overridesGetCallData const): + (JSC::TypeInfo::typeOfShouldCallGetCallData const): Deleted. 
+ * runtime/Operations.cpp: + (JSC::jsTypeStringForValue): + (JSC::jsIsObjectTypeOrNull): + * runtime/ProxyObject.h: + * runtime/RuntimeType.cpp: + (JSC::runtimeTypeForValue): + * runtime/RuntimeType.h: + * runtime/Structure.cpp: + (JSC::Structure::Structure): + * runtime/TypeProfilerLog.cpp: + (JSC::TypeProfilerLog::TypeProfilerLog): + (JSC::TypeProfilerLog::processLogEntries): + * runtime/TypeProfilerLog.h: + * runtime/VM.cpp: + (JSC::VM::enableTypeProfiler): + * tools/JSDollarVM.cpp: + (JSC::functionFindTypeForExpression): + (JSC::functionReturnTypeFor): + (JSC::functionHasBasicBlockExecuted): + (JSC::functionBasicBlockExecutionCount): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::getWasmBufferFromValue): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::create): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::webAssemblyInstantiateFunc): + (JSC::webAssemblyInstantiateStreamingInternal): + * wasm/js/WebAssemblyWrapperFunction.cpp: + (JSC::WebAssemblyWrapperFunction::finishCreation): + +2018-05-15 Devin Rousso + + Web Inspector: Add rulers and guides + https://bugs.webkit.org/show_bug.cgi?id=32263 + + + Reviewed by Matt Baker. + + * inspector/protocol/OverlayTypes.json: + +2018-05-14 Keith Miller + + Remove butterflyMask from DFGAbstractHeap + https://bugs.webkit.org/show_bug.cgi?id=185640 + + Reviewed by Saam Barati. + + We don't have a butterfly indexing mask anymore so we don't need + the abstract heap information for it anymore. + + * dfg/DFGAbstractHeap.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2018-05-14 Andy VanWagoner + + [INTL] Handle error in defineProperty for supported locales length + https://bugs.webkit.org/show_bug.cgi?id=185623 + + Reviewed by Saam Barati. 
+ + Adds the missing RETURN_IF_EXCEPTION after defineOwnProperty for the + length of the supported locales array. + + * runtime/IntlObject.cpp: + (JSC::supportedLocales): + +2018-05-14 Yusuke Suzuki + + [JSC] Tweak LiteralParser to improve lexing performance + https://bugs.webkit.org/show_bug.cgi?id=185541 + + Reviewed by Saam Barati. + + This patch attemps to improve LiteralParser performance. + + This patch improves Kraken/json-parse-financial by roughly ~10%. + baseline patched + + json-parse-financial 65.810+-1.591 ^ 59.943+-1.784 ^ definitely 1.0979x faster + + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + * runtime/ArgList.h: + (JSC::MarkedArgumentBuffer::takeLast): + Add takeLast() for idiomatic last() + removeLast() calls. + + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lex): + Do not have mode in its template parameter. While lex function is large, this mode is not used in a critical path. + We should not include this mode in its template parameter to reduce the code size. + And we do not use template parameter for a terminator since duplicating ' and " code for lexString is not good. + Also, we construct TokenType table to remove bunch of unnecessary switch cases. + + (JSC::LiteralParser::Lexer::next): + (JSC::isSafeStringCharacter): + Take mode in its template parameter. But do not take terminator character in its template parameter. + + (JSC::LiteralParser::Lexer::lexString): + (JSC::LiteralParser::Lexer::lexStringSlow): + Duplicate while statements manually since this is a critical path. + + (JSC::LiteralParser::parse): + Use takeLast(). + + * runtime/LiteralParser.h: + +2018-05-14 Dominik Infuehr + + [MIPS] Use btpz to compare against 0 instead of bpeq + https://bugs.webkit.org/show_bug.cgi?id=185607 + + Reviewed by Yusuke Suzuki. + + Fixes build on MIPS since MIPS doesn't have an instruction to + compare a register against an immediate. 
Since the immediate is just 0
+ in this case the simplest solution is just to use btpz instead of bpeq
+ to compare to 0.
+
+ * llint/LowLevelInterpreter.asm:
+
+2018-05-12 Filip Pizlo
+
+ CachedCall::call() should be faster
+ https://bugs.webkit.org/show_bug.cgi?id=185583
+
+ Reviewed by Yusuke Suzuki.
+
+ CachedCall is an optimization for String.prototype.replace(r, f) where f is a function.
+ Unfortunately, because of a combination of abstraction and assertions, this code path had a
+ lot of overhead. This patch reduces this overhead by:
+
+ - Turning off some assertions. These assertions don't look to have security value; they're
+ mostly for sanity. I turned off stack alignment checks and VM state checks having to do
+ with whether the JSLock is held. The JSLock checks are not relevant when doing a cached
+ call, considering that the caller would have already been strongly assuming that the JSLock
+ is held.
+
+ - Making more things inlineable.
+
+ This looks like a small (4% ish) speed-up on SunSpider/string-unpack-code.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * interpreter/CachedCall.h:
+ (JSC::CachedCall::call):
+ * interpreter/Interpreter.cpp:
+ (JSC::checkedReturn): Deleted.
+ * interpreter/Interpreter.h:
+ (JSC::Interpreter::checkedReturn):
+ * interpreter/InterpreterInlines.h:
+ (JSC::Interpreter::execute):
+ * jit/JITCode.cpp:
+ (JSC::JITCode::execute): Deleted.
+ * jit/JITCodeInlines.h: Added.
+ (JSC::JITCode::execute):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/StringPrototype.cpp:
+
+2018-05-13 Andy VanWagoner
+
+ [INTL] Improve spec & test262 compliance for Intl APIs
+ https://bugs.webkit.org/show_bug.cgi?id=185578
+
+ Reviewed by Yusuke Suzuki.
+
+ Use putDirectIndex over push for lists to arrays.
+ Update default options to construct with a null prototype.
+ Define constructor and toStringTag on prototypes.
+ Add proper time clipping.
+ Remove some outdated comment spec text, use url instead.
+
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::initializeCollator):
+ * runtime/IntlCollatorConstructor.cpp:
+ (JSC::IntlCollatorConstructor::finishCreation):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototype::finishCreation):
+ * runtime/IntlDateTimeFormatConstructor.cpp:
+ (JSC::IntlDateTimeFormatConstructor::finishCreation):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototype::finishCreation):
+ (JSC::IntlDateTimeFormatFuncFormatDateTime):
+ (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+ * runtime/IntlNumberFormatConstructor.cpp:
+ (JSC::IntlNumberFormatConstructor::finishCreation):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototype::finishCreation):
+ * runtime/IntlObject.cpp:
+ (JSC::lookupSupportedLocales):
+ (JSC::supportedLocales):
+ (JSC::intlObjectFuncGetCanonicalLocales):
+ * runtime/IntlPluralRules.cpp:
+ (JSC::IntlPluralRules::resolvedOptions):
+ * runtime/IntlPluralRulesConstructor.cpp:
+ (JSC::IntlPluralRulesConstructor::finishCreation):
+
+2018-05-11 Caio Lima
+
+ [ESNext][BigInt] Implement support for "*" operation
+ https://bugs.webkit.org/show_bug.cgi?id=183721
+
+ Reviewed by Yusuke Suzuki.
+
+ Added BigInt support into times binary operator into LLInt and on
+ JITOperations profiledMul and unprofiledMul. We are also replacing all
+ uses of int to unsigned when there is no negative values for
+ variables.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * jit/JITOperations.cpp:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::JSBigInt):
+ (JSC::JSBigInt::allocationSize):
+ (JSC::JSBigInt::createWithLength):
+ (JSC::JSBigInt::toString):
+ (JSC::JSBigInt::multiply):
+ (JSC::JSBigInt::digitDiv):
+ (JSC::JSBigInt::internalMultiplyAdd):
+ (JSC::JSBigInt::multiplyAccumulate):
+ (JSC::JSBigInt::equals):
+ (JSC::JSBigInt::absoluteDivSmall):
+ (JSC::JSBigInt::calculateMaximumCharactersRequired):
+ (JSC::JSBigInt::toStringGeneric):
+ (JSC::JSBigInt::rightTrim):
+ (JSC::JSBigInt::allocateFor):
+ (JSC::JSBigInt::parseInt):
+ (JSC::JSBigInt::digit):
+ (JSC::JSBigInt::setDigit):
+ * runtime/JSBigInt.h:
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::toNumeric const):
+ * runtime/Operations.h:
+ (JSC::jsMul):
+
+2018-05-11 Commit Queue
+
+ Unreviewed, rolling out r231316 and r231332.
+ https://bugs.webkit.org/show_bug.cgi?id=185564
+
+ Appears to be a Speedometer2/MotionMark regression (Requested
+ by keith_miller on #webkit).
+
+ Reverted changesets:
+
+ "Remove the prototype caching for get_by_id in the LLInt"
+ https://bugs.webkit.org/show_bug.cgi?id=185226
+ https://trac.webkit.org/changeset/231316
+
+ "Unreviewed, fix 32-bit profile offset for change in bytecode"
+ https://trac.webkit.org/changeset/231332
+
+2018-05-11 Michael Saboff
+
+ [DFG] Compiler uses incorrect output register for NumberIsInteger operation
+ https://bugs.webkit.org/show_bug.cgi?id=185328
+
+ Reviewed by Keith Miller.
+
+ Fixed a typo from when this code was added in r228968 where resultGPR
+ was assigned the input register instead of the result.gpr().
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2018-05-11 Saam Barati
+
+ Don't use inferred types when the JIT is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=185539
+
+ Reviewed by Yusuke Suzuki.
+
+ There are many JSC API clients that run with the JIT disabled. They were
+ all allocating and tracking inferred types for no benefit. Inferred types
+ only benefit programs when they make it to the DFG/FTL. I was seeing cases
+ where the inferred type machinery used ~0.5MB. This patch makes is so we
+ don't allocate that machinery when the JIT is disabled.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::willStoreValueSlow):
+ * runtime/Structure.h:
+
+2018-05-11 Saam Barati
+
+ Don't allocate value profiles when the JIT is disabled
+ https://bugs.webkit.org/show_bug.cgi?id=185525
+
+ Reviewed by Michael Saboff.
+
+ There are many JSC API clients that run with the JIT disabled. We were
+ still allocating a ton of value profiles in this use case even though
+ these clients get no benefit from doing value profiling. This patch makes
+ it so that we don't allocate value profiles or argument value profiles
+ when we're not using the JIT. We now just make all value profiles in
+ the instruction stream point to a global value profile that the VM owns.
+ And we make the argument value profile array have zero length and teach
+ the LLInt how to handle that. Heap clears the global value profile on each GC.
+
+ In an app that I'm testing this against, this saves ~1MB of memory.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::setNumParameters):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::numberOfArgumentValueProfiles):
+ (JSC::CodeBlock::valueProfileForArgument):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitProfiledOpcode):
+ * heap/Heap.cpp:
+ (JSC::Heap::runEndPhase):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2018-05-10 Carlos Garcia Campos
+
+ [JSC][GLIB] Add introspectable alternatives to functions using vargars
+ https://bugs.webkit.org/show_bug.cgi?id=185508
+
+ Reviewed by Michael Catanzaro.
+
+ * API/glib/JSCClass.cpp:
+ (jscClassCreateConstructor):
+ (jsc_class_add_constructor):
+ (jsc_class_add_constructorv):
+ (jscClassAddMethod):
+ (jsc_class_add_method):
+ (jsc_class_add_methodv):
+ * API/glib/JSCClass.h:
+ * API/glib/JSCValue.cpp:
+ (jsObjectCall):
+ (jscValueCallFunction):
+ (jsc_value_object_invoke_methodv):
+ (jscValueFunctionCreate):
+ (jsc_value_new_function):
+ (jsc_value_new_functionv):
+ (jsc_value_function_callv):
+ (jsc_value_constructor_callv):
+ * API/glib/JSCValue.h:
+ * API/glib/docs/jsc-glib-4.0-sections.txt:
+
+2018-05-10 Yusuke Suzuki
+
+ [JSC] Make return types of construction functions tight
+ https://bugs.webkit.org/show_bug.cgi?id=185509
+
+ Reviewed by Saam Barati.
+
+ Array and Object construction functions should return strict types instead of returning JSObject*/JSValue.
+
+ * runtime/ArrayConstructor.cpp:
+ (JSC::constructArrayWithSizeQuirk):
+ * runtime/ArrayConstructor.h:
+ * runtime/ObjectConstructor.h:
+ (JSC::constructEmptyObject):
+
+2018-05-09 Yusuke Suzuki
+
+ [JSC] Object.assign for final objects should be faster
+ https://bugs.webkit.org/show_bug.cgi?id=185348
+
+ Reviewed by Saam Barati.
+
+ Object.assign is so heavily used to clone an object. For example, speedometer react-redux can be significantly
+ improved if Object.assign becomes fast. It is worth adding a complex fast path to accelerate the major use cases.
+
+ If enumerating properties of source objects and putting properties to target object are non observable,
+ we can avoid hash table looking up of source object properties. We can enumerate object property entries,
+ and put them to target object. This patch adds this fast path to Object.assign implementation.
+
+ When enumerating properties, we need to ensure that the given |source| object does not include "__proto__"
+ property since we cannot perform fast [[Put]] for the |target| object. We add a new flag
+ "HasUnderscoreProtoPropertyExcludingOriginalProto" to Structure to track this state.
+
+ This improves object-assign.es6 by 1.85x.
+
+ baseline patched
+
+ object-assign.es6 368.6132+-8.3508 ^ 198.8775+-4.9042 ^ definitely 1.8535x faster
+
+ And Speedometer2.0 React-Redux-TodoMVC's total time is improved from 490ms to 431ms.
+
+ * runtime/JSObject.h:
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::canPerformFastPutInlineExcludingProto):
+ (JSC::JSObject::canPerformFastPutInline):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorAssign):
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::forEachProperty):
+ (JSC::Structure::add):
+
+2018-05-10 Filip Pizlo
+
+ DFG CFA should pick the right time to inject OSR entry data
+ https://bugs.webkit.org/show_bug.cgi?id=185530
+
+ Reviewed by Saam Barati.
+
+ Previously, we would do a bonus run of CFA to inject OSR entry data. This patch makes us inject
+ OSR entry data as part of the normal flow of CFA, which reduces the total number of CFA
+ reexecutions while minimizing the likelihood that we have CFA execute constants in paths that
+ would eventually LUB to non-constant.
+
+ This looks like almost a 1% speed-up on SunSpider-CompileTime. All of the logic for preventing
+ execution over constants is for V8Spider-CompileTime/regexp, which would otherwise do a lot of
+ useless regexp/string execution in the compiler.
+
+ * dfg/DFGBlockSet.h:
+ (JSC::DFG::BlockSet::remove):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run):
+ (JSC::DFG::CFAPhase::injectOSR):
+ (JSC::DFG::CFAPhase::performBlockCFA):
+
+2018-05-09 Filip Pizlo
+
+ InPlaceAbstractState::beginBasicBlock shouldn't copy all m_variables every time
+ https://bugs.webkit.org/show_bug.cgi?id=185452
+
+ Reviewed by Michael Saboff.
+
+ We were spending a lot of time in beginBasicBlock() just copying the state of all variables
+ from the block head to InPlaceAbstractState::m_variables. It is necessary for
+ InPlaceAbstractState to have its own copy since we need to mutate it separately from
+ block->valuesAtHead. But most variables are untouched by most basic blocks, so this was a lot
+ of superfluous work.
+
+ This change adds a bitvector called m_activeVariables that tracks which variables have been
+ copied. We lazily copy the variables on first use. Variables that were never copied also have
+ a simplified merging path, which just needs to consider if the variable got clobbered between
+ head and tail.
+
+ This is a 1.5% speed-up on SunSpider-CompileTime and a 1.7% speed-up on V8Spider-CompileTime.
+
+ * bytecode/Operands.h:
+ (JSC::Operands::argumentIndex const):
+ (JSC::Operands::localIndex const):
+ (JSC::Operands::argument):
+ (JSC::Operands::argument const):
+ (JSC::Operands::local):
+ (JSC::Operands::local const):
+ (JSC::Operands::operandIndex const):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::fastForwardFromTo):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::performForwardCFA):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
+ (JSC::DFG::InPlaceAbstractState::variablesForDebugging):
+ (JSC::DFG::InPlaceAbstractState::activateAllVariables):
+ (JSC::DFG::InPlaceAbstractState::endBasicBlock):
+ (JSC::DFG::InPlaceAbstractState::activateVariable):
+ (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): Deleted.
+ * dfg/DFGInPlaceAbstractState.h:
+ (JSC::DFG::InPlaceAbstractState::variableAt):
+ (JSC::DFG::InPlaceAbstractState::operand):
+ (JSC::DFG::InPlaceAbstractState::local):
+ (JSC::DFG::InPlaceAbstractState::argument):
+ (JSC::DFG::InPlaceAbstractState::activateVariableIfNecessary):
+ (JSC::DFG::InPlaceAbstractState::variablesForDebugging): Deleted.
+
+2018-05-09 Caio Lima
+
+ [ESNext][BigInt] Implement support for "==" operation
+ https://bugs.webkit.org/show_bug.cgi?id=184474
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is implementing support of BigInt for equals operator
+ following the spec semantics[1].
+
+ [1] - https://tc39.github.io/proposal-bigint/#sec-abstract-equality-comparison
+
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::parseInt):
+ (JSC::JSBigInt::stringToBigInt):
+ (JSC::JSBigInt::toString):
+ (JSC::JSBigInt::setDigit):
+ (JSC::JSBigInt::equalsToNumber):
+ (JSC::JSBigInt::compareToDouble):
+ * runtime/JSBigInt.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::equalSlowCaseInline):
+
+2018-05-09 Filip Pizlo
+
+ Speed up AbstractInterpreter::executeEdges
+ https://bugs.webkit.org/show_bug.cgi?id=185457
+
+ Reviewed by Saam Barati.
+
+ This patch started out with the desire to make executeEdges() faster by making filtering faster.
+ However, when I studied the disassembly, I found that there are many opportunities for
+ improvement and I implemented all of them:
+
+ - Filtering itself now has an inline fast path for when the filtering didn't change the value or
+ for non-cells.
+
+ - Edge execution doesn't fast-forward anything if the filtering fast path would have succeeded,
+ since fast-forwarding is only interesting for cells and only if we have a clobbered value.
+
+ - Similarly, edge verification doesn't need to fast-forward in the common case.
+
+ - A bunch of stuff related to Graph::doToChildren is now inlined properly.
+
+ - The edge doesn't even have to be considered for execution if it's UntypedUse.
+
+ That last bit was the trickiest. We had gotten into a bad habit of using SpecFullNumber in the
+ abstract interpreter. It's not correct to use SpecFullNumber in the abstract interpreter, because
+ it means proving that the value could either be formatted as a double (with impure NaN values),
+ or as any JSValue, or as an Int52. There is no value that could possibly hold all of those
+ states. This "worked" before because UntypedUse would filter this down to SpecBytecodeNumber. To
+ make it work again, I needed to fix all of those uses of SpecFullNumber. In the future, we need
+ to be careful about picking either SpecFullDouble (if returning a DoubleRep) or
+ SpecBytecodeNumber (if returning a JSValueRep).
+
+ But that fix revealed an amazing timeout in
+ stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js. We were getting
+ stuck in an OSR loop (baseline->DFG->FTL->baseline), all involving the same bytecode, without
+ ever realizing that we should jettison something. The problem was with how
+ triggerReoptimizationNow was getting the optimizedCodeBlock. It was trying to guess it by using
+ baselineCodeBlock->replacement(), but that's wrong for FTL-for-OSR-entry code blocks.
+
+ This is a 1% improvement in V8Spider-CompileTime.
+
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindMayJettison):
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
+ (JSC::DFG::AbstractInterpreter::filterByType): Deleted.
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::AbstractInterpreterExecuteEdgesFunc):
+ (JSC::DFG::AbstractInterpreterExecuteEdgesFunc::operator() const):
+ (JSC::DFG::AbstractInterpreter::executeEdges):
+ (JSC::DFG::AbstractInterpreter::filterByType):
+ (JSC::DFG::AbstractInterpreter::verifyEdge):
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ (JSC::DFG::AbstractInterpreter::executeDoubleUnaryOpEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::filterSlow):
+ (JSC::DFG::AbstractValue::fastForwardToAndFilterSlow):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::filter):
+ (JSC::DFG::AbstractValue::fastForwardToAndFilter):
+ (JSC::DFG::AbstractValue::fastForwardToAndFilterUnproven):
+ (JSC::DFG::AbstractValue::makeTop):
+ * dfg/DFGAtTailAbstractState.h:
+ (JSC::DFG::AtTailAbstractState::fastForward):
+ (JSC::DFG::AtTailAbstractState::forNodeWithoutFastForward):
+ (JSC::DFG::AtTailAbstractState::fastForwardAndFilterUnproven):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::doToChildren):
+ * dfg/DFGInPlaceAbstractState.h:
+ (JSC::DFG::InPlaceAbstractState::fastForward):
+ (JSC::DFG::InPlaceAbstractState::fastForwardAndFilterUnproven):
+ (JSC::DFG::InPlaceAbstractState::forNodeWithoutFastForward):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::executeOSRExit):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::handleExitCounts):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+
+2018-05-09 Saam Barati
+
+ Add JSVirtualMachine SPI to shrink the memory footprint of the VM
+ https://bugs.webkit.org/show_bug.cgi?id=185441
+
+
+ Reviewed by Keith Miller.
+
+ This patch adds JSVirtualMachine SPI to release as much memory as possible.
+ The SPI does:
+ - Deletes all code caches.
+ - Synchronous GC.
+ - Run the scavenger.
+
+ * API/JSVirtualMachine.mm:
+ (-[JSVirtualMachine shrinkFootprint]):
+ * API/JSVirtualMachinePrivate.h: Added.
+ * API/tests/testapi.mm:
+ (testObjectiveCAPIMain):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/VM.cpp:
+ (JSC::VM::shrinkFootprint):
+ * runtime/VM.h:
+
+2018-05-09 Leo Balter
+
+ [JSC] Fix ArraySpeciesCreate to return a new Array when the given object is not an array
+ Error found in the following Test262 tests:
+
+ - test/built-ins/Array/prototype/slice/create-non-array-invalid-len.js
+ - test/built-ins/Array/prototype/slice/create-proxied-array-invalid-len.js
+ - test/built-ins/Array/prototype/splice/create-species-undef-invalid-len.js
+
+ The ArraySpeciesCreate should throw a RangeError with non-Array custom objects
+ presenting a length > 2**32-1
+ https://bugs.webkit.org/show_bug.cgi?id=185476
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/ArrayPrototype.cpp:
+
+2018-05-09 Michael Catanzaro
+
+ [WPE] Build cleanly with GCC 8 and ICU 60
+ https://bugs.webkit.org/show_bug.cgi?id=185462
+
+ Reviewed by Carlos Alberto Lopez Perez.
+
+ * API/glib/JSCClass.cpp: Silence many -Wcast-function-type warnings.
+ (jsc_class_add_constructor):
+ (jsc_class_add_method):
+ * API/glib/JSCValue.cpp: Silence many -Wcast-function-type warnings.
+ (jsc_value_object_define_property_accessor):
+ (jsc_value_new_function):
+ * CMakeLists.txt: Build BuiltinNames.cpp with -fno-var-tracking-assignments. This was a
+ problem with GCC 7 too, but might as well fix it now.
+ * assembler/ProbeContext.h:
+ (JSC::Probe::CPUState::gpr const): Silence a -Wclass-memaccess warning.
+ (JSC::Probe::CPUState::spr const): Ditto. Assume std::remove_const is safe to clobber.
+ * b3/air/AirArg.h:
+ (JSC::B3::Air::Arg::isRepresentableAs): Silence -Wfallthrough warning.
+ * builtins/BuiltinNames.cpp:
+ (JSC::BuiltinNames::BuiltinNames): Moved from BuiltinNames.h so we can use a special flag.
+ * builtins/BuiltinNames.h:
+ (JSC::BuiltinNames::BuiltinNames): Moved to BuiltinNames.cpp.
+ * dfg/DFGDoubleFormatState.h:
+ (JSC::DFG::mergeDoubleFormatStates): Silence -Wfallthrough warnings.
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType): Silence -Wfallthrough warnings.
+ * runtime/ConfigFile.cpp:
+ (JSC::ConfigFile::canonicalizePaths): Here GCC found a genuine mistake, strncat is called
+ with the wrong length parameter and the result is not null-terminated. Also, silence a
+ -Wstringop-truncation warning as we intentionally truncate filenames that exceed PATH_MAX.
+ * runtime/IntlDateTimeFormat.cpp:
+ (JSC::IntlDateTimeFormat::partTypeString): Avoid an ICU deprecation warning.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init): We were unconditionally running some BigInt code by accident.
+ (JSC::JSGlobalObject::visitChildren): Probably a serious bug? Fixed.
+
+2018-05-09 Yusuke Suzuki
+
+ [ARMv7] Drop ARMv7 disassembler in favor of capstone
+ https://bugs.webkit.org/show_bug.cgi?id=185423
+
+ Reviewed by Michael Catanzaro.
+
+ This patch removes ARMv7Disassembler in our tree.
+ We already adopted Capstone, and it is already used in ARMv7 JIT environments.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * disassembler/ARMv7/ARMv7DOpcode.cpp: Removed.
+ * disassembler/ARMv7/ARMv7DOpcode.h: Removed.
+ * disassembler/ARMv7Disassembler.cpp: Removed.
+
+2018-05-09 Srdjan Lazarevic
+
+ [MIPS] Optimize generated JIT code using r2
+ https://bugs.webkit.org/show_bug.cgi?id=184584
+
+ Reviewed by Yusuke Suzuki.
+
+ EXT and MFHC1 instructions from MIPSR2 implemented and used where it is possible.
+ Also, done some code size optimizations that were discovered in meantime.
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::ext):
+ (JSC::MIPSAssembler::mfhc1):
+ * assembler/MacroAssemblerMIPS.cpp:
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::isPowerOf2):
+ (JSC::MacroAssemblerMIPS::bitPosition):
+ (JSC::MacroAssemblerMIPS::loadAddress):
+ (JSC::MacroAssemblerMIPS::getEffectiveAddress):
+ (JSC::MacroAssemblerMIPS::load8):
+ (JSC::MacroAssemblerMIPS::load8SignedExtendTo32):
+ (JSC::MacroAssemblerMIPS::load32):
+ (JSC::MacroAssemblerMIPS::load16Unaligned):
+ (JSC::MacroAssemblerMIPS::load32WithUnalignedHalfWords):
+ (JSC::MacroAssemblerMIPS::load16):
+ (JSC::MacroAssemblerMIPS::load16SignedExtendTo32):
+ (JSC::MacroAssemblerMIPS::store8):
+ (JSC::MacroAssemblerMIPS::store16):
+ (JSC::MacroAssemblerMIPS::store32):
+ (JSC::MacroAssemblerMIPS::branchTest32):
+ (JSC::MacroAssemblerMIPS::loadFloat):
+ (JSC::MacroAssemblerMIPS::loadDouble):
+ (JSC::MacroAssemblerMIPS::storeFloat):
+ (JSC::MacroAssemblerMIPS::storeDouble):
+
+2018-05-06 Yusuke Suzuki
+
+ [JSC][GTK][JSCONLY] Use capstone disassembler
+ https://bugs.webkit.org/show_bug.cgi?id=185283
+
+ Reviewed by Michael Catanzaro.
+
+ Instead of adding MIPS disassembler baked by ourselves, we import capstone disassembler.
+ And use capstone disassembler for MIPS, ARM, and ARMv7 in GTK, WPE, WinCairo and JSCOnly ports.
+ + And we remove ARM LLVM disassembler. + + Capstone is licensed under 3-clause BSD, which is acceptable in WebKit tree. + + * CMakeLists.txt: + * Sources.txt: + * disassembler/ARMLLVMDisassembler.cpp: Removed. + * disassembler/CapstoneDisassembler.cpp: Added. + (JSC::tryToDisassemble): + +2018-05-09 Dominik Infuehr + + [MIPS] Use mfhc1 and mthc1 to fix assembler error + https://bugs.webkit.org/show_bug.cgi?id=185464 + + Reviewed by Yusuke Suzuki. + + The binutils-assembler started to report failures for copying words between + GP and FP registers for odd FP register indices. Use mfhc1 and mthc1 instead + of mfc1 and mtc1 for conversion. + + * offlineasm/mips.rb: + +2018-05-08 Dominik Infuehr + + [MIPS] Collect callee-saved register using inline assembly + https://bugs.webkit.org/show_bug.cgi?id=185428 + + Reviewed by Yusuke Suzuki. + + MIPS used setjmp instead of collecting registers with inline assembly like + other architectures. + + * heap/RegisterState.h: + +2018-05-07 Yusuke Suzuki + + [BigInt] Simplifying JSBigInt by using bool addition + https://bugs.webkit.org/show_bug.cgi?id=185374 + + Reviewed by Alex Christensen. + + Since using TWO_DIGIT does not produce good code, we remove this part from digitAdd and digitSub. + Just adding overflow flag to carry/borrow produces setb + add in x86. + + Also we annotate small helper functions and accessors with `inline` not to call these functions + inside internalMultiplyAdd loop. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::isZero): + (JSC::JSBigInt::inplaceMultiplyAdd): + (JSC::JSBigInt::digitAdd): + (JSC::JSBigInt::digitSub): + (JSC::JSBigInt::digitMul): + (JSC::JSBigInt::digitPow): + (JSC::JSBigInt::digitDiv): + (JSC::JSBigInt::offsetOfData): + (JSC::JSBigInt::dataStorage): + (JSC::JSBigInt::digit): + (JSC::JSBigInt::setDigit): + +2018-05-08 Michael Saboff + + Replace multiple Watchpoint Set fireAll() methods with templates + https://bugs.webkit.org/show_bug.cgi?id=185456 + + Reviewed by Saam Barati. 
+
+ Refactored to minimize duplicate code.
+
+ * bytecode/Watchpoint.h:
+ (JSC::WatchpointSet::fireAll):
+ (JSC::InlineWatchpointSet::fireAll):
+
+2018-05-08 Filip Pizlo
+
+ DFG::FlowMap::resize() shouldn't resize the shadow map unless we're in SSA
+ https://bugs.webkit.org/show_bug.cgi?id=185453
+
+ Reviewed by Michael Saboff.
+
+ Tiny improvement for compile times.
+
+ * dfg/DFGFlowMap.h:
+ (JSC::DFG::FlowMap::resize): Remove one Vector::resize() when we're not in SSA.
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::beginBasicBlock): Record some data about how long we spend in different parts of this and add a FIXME linking bug 185452.
+
+2018-05-08 Michael Saboff
+
+ Deferred firing of structure transition watchpoints is racy
+ https://bugs.webkit.org/show_bug.cgi?id=185438
+
+ Reviewed by Saam Barati.
+
+ Changed DeferredStructureTransitionWatchpointFire to take the watchpoints to fire
+ and fire them in the destructor. When the watchpoints are taken from the
+ original WatchpointSet, that WatchpointSet if marked invalid.
+
+ * bytecode/Watchpoint.cpp:
+ (JSC::WatchpointSet::fireAllSlow):
+ (JSC::WatchpointSet::take):
+ (JSC::DeferredWatchpointFire::DeferredWatchpointFire):
+ (JSC::DeferredWatchpointFire::~DeferredWatchpointFire):
+ (JSC::DeferredWatchpointFire::fireAll):
+ (JSC::DeferredWatchpointFire::takeWatchpointsToFire):
+ * bytecode/Watchpoint.h:
+ (JSC::WatchpointSet::fireAll):
+ (JSC::InlineWatchpointSet::fireAll):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::setPrototypeDirect):
+ (JSC::JSObject::convertToDictionary):
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putDirectInternal):
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::DeferredStructureTransitionWatchpointFire::DeferredStructureTransitionWatchpointFire):
+ (JSC::DeferredStructureTransitionWatchpointFire::~DeferredStructureTransitionWatchpointFire):
+ (JSC::DeferredStructureTransitionWatchpointFire::dump const):
+ (JSC::Structure::didTransitionFromThisStructure const):
+ (JSC::DeferredStructureTransitionWatchpointFire::add): Deleted.
+ * runtime/Structure.h:
+ (JSC::DeferredStructureTransitionWatchpointFire::structure const):
+
+2018-05-08 Eric Carlson
+
+ Consecutive messages logged as JSON are coalesced
+ https://bugs.webkit.org/show_bug.cgi?id=185432
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::ConsoleMessage::isEqual const): Messages with JSON arguments are not equal.
+
+2018-05-06 Filip Pizlo
+
+ InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values
+ https://bugs.webkit.org/show_bug.cgi?id=185365
+
+ Reviewed by Saam Barati.
+
+ This patch does three things to improve compile times:
+
+ - Fixes some inlining goofs.
+
+ - Adds the ability to measure compile times with run-jsc-benchmarks.
+
+ - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the
+ code that clears abstract values. It turns out that on constant folding "needed" this, in the
+ sense that this was the only thing protecting it from loading the abstract value of a no-result
+ node and then concluding that because it had a non-empty m_value, it could be constant-folded.
+ Any node that produces a result will explicitly set its abstract value, so this problem can
+ also be guarded by just having constant folding check if the node it wants to fold returns any
+ result.
+
+ Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime.
+
+ Rolling back in after fixing cloop build.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::set):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::merge):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::doToChildrenWithNode):
+ (JSC::DFG::Graph::doToChildren):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
+ * jit/JIT.cpp:
+ (JSC::JIT::totalCompileTime):
+ * jit/JIT.h:
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionTotalCompileTime):
+
+2018-05-08 Ryan Haddad
+
+ Unreviewed, rolling out r231468.
+
+ Broke the CLoop build
+
+ Reverted changeset:
+
+ "InPlaceAbstractState::beginBasicBlock shouldn't have to clear
+ any abstract values"
+ https://bugs.webkit.org/show_bug.cgi?id=185365
+ https://trac.webkit.org/changeset/231468
+
+2018-05-07 Daniel Bates
+
+ Check X-Frame-Options and CSP frame-ancestors in network process
+ https://bugs.webkit.org/show_bug.cgi?id=185410
+
+
+ Reviewed by Ryosuke Niwa.
+
+ Add enum traits for MessageSource and MessageLevel so that we can encode and decode them for IPC.
+ + * runtime/ConsoleTypes.h: + +2018-05-07 Saam Barati + + Make a compact version of VariableEnvironment that UnlinkedFunctionExecutable stores and hash-cons these compact environments as we make them + https://bugs.webkit.org/show_bug.cgi?id=185329 + + + Reviewed by Michael Saboff. + + I was made aware of a memory goof inside of JSC where we would inefficiently + use space to represent an UnlinkedFunctionExecutable's parent TDZ variables. + + We did two things badly: + 1. We used a HashMap instead of a Vector to represent the environment. Having + a HashMap is useful when looking things up when generating bytecode, but it's + space inefficient. Because UnlinkedFunctionExecutables live a long time because + of the code cache, we should have them store this information efficiently + inside of a Vector. + + 2. We didn't hash-cons these environments together. If you think about how + some programs are structured, hash-consing these together is hugely profitable. + Consider some code like this: + ``` + const/let V_1 = ...; + const/let V_2 = ...; + ... + const/let V_n = ...; + + function f_1() { ... }; + function f_2() { ... }; + ... + function f_n() { ... }; + ``` + + Each f_i would store an identical hash map for its parent TDZ variables + consisting of {V_1, ..., V_n}. This was incredibly dumb. With hash-consing, + each f_i just holds onto a reference to the environment. + + I benchmarked this change against an app that made heavy use of the + above code pattern and it reduced its peak memory footprint from ~220MB + to ~160MB. 
+ + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::generateUnlinkedFunctionCodeBlock): + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * bytecode/UnlinkedFunctionExecutable.h: + * parser/VariableEnvironment.cpp: + (JSC::CompactVariableEnvironment::CompactVariableEnvironment): + (JSC::CompactVariableEnvironment::operator== const): + (JSC::CompactVariableEnvironment::toVariableEnvironment const): + (JSC::CompactVariableMap::get): + (JSC::CompactVariableMap::Handle::~Handle): + * parser/VariableEnvironment.h: + (JSC::VariableEnvironmentEntry::bits const): + (JSC::VariableEnvironmentEntry::operator== const): + (JSC::VariableEnvironment::isEverythingCaptured const): + (JSC::CompactVariableEnvironment::hash const): + (JSC::CompactVariableMapKey::CompactVariableMapKey): + (JSC::CompactVariableMapKey::hash): + (JSC::CompactVariableMapKey::equal): + (JSC::CompactVariableMapKey::makeDeletedValue): + (JSC::CompactVariableMapKey::isHashTableDeletedValue const): + (JSC::CompactVariableMapKey::isHashTableEmptyValue const): + (JSC::CompactVariableMapKey::environment): + (WTF::HashTraits::emptyValue): + (WTF::HashTraits::isEmptyValue): + (WTF::HashTraits::constructDeletedValue): + (WTF::HashTraits::isDeletedValue): + (JSC::CompactVariableMap::Handle::Handle): + (JSC::CompactVariableMap::Handle::environment const): + (JSC::VariableEnvironment::VariableEnvironment): Deleted. + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2018-05-06 Yusuke Suzuki + + [DFG][MIPS] Simplify DFG code by increasing MIPS temporary registers + https://bugs.webkit.org/show_bug.cgi?id=185371 + + Reviewed by Mark Lam. + + Since MIPS GPRInfo claims it has only 7 registers, some of DFG code exhausts registers. + As a result, we need to maintain separated code for MIPS. This increases DFG maintenance burden, + but actually MIPS have much more registers. + + This patch adds $a0 - $a3 to temporary registers. 
This is OK since our temporary registers can be overlapped with + argument registers (see ARM, X86 implementations). These registers are caller-save ones, so we do not need to + have extra mechanism. + + Then, we remove several unnecessary MIPS code in our JIT infrastructure. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/CCallHelpers.h: + * jit/GPRInfo.h: + (JSC::GPRInfo::toRegister): + (JSC::GPRInfo::toIndex): + * offlineasm/mips.rb: + +2018-05-05 Filip Pizlo + + DFG AI should have O(1) clobbering + https://bugs.webkit.org/show_bug.cgi?id=185287 + + Reviewed by Saam Barati. + + This fixes an old scalability probem in AI. Previously, if we did clobberWorld(), then we + would traverse all of the state available to the AI at that time and clobber it. + + This changes clobberWorld() to be O(1). It just does some math to a clobber epoch. + + This is a ~1% speed-up for compile times. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * dfg/DFGAbstractInterpreter.h: + (JSC::DFG::AbstractInterpreter::forNode): + (JSC::DFG::AbstractInterpreter::setForNode): + (JSC::DFG::AbstractInterpreter::clearForNode): + (JSC::DFG::AbstractInterpreter::variables): Deleted. + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::clobberWorld): + (JSC::DFG::AbstractInterpreter::forAllValues): + (JSC::DFG::AbstractInterpreter::clobberStructures): + (JSC::DFG::AbstractInterpreter::executeDoubleUnaryOpEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::fastForwardToSlow): + * dfg/DFGAbstractValue.h: + (JSC::DFG::AbstractValue::fastForwardTo): + (JSC::DFG::AbstractValue::clobberStructuresFor): Deleted. + (JSC::DFG::AbstractValue::observeInvalidationPoint): Deleted. 
+ (JSC::DFG::AbstractValue::observeInvalidationPointFor): Deleted. + * dfg/DFGAbstractValueClobberEpoch.cpp: Added. + (JSC::DFG::AbstractValueClobberEpoch::dump const): + * dfg/DFGAbstractValueClobberEpoch.h: Added. + (JSC::DFG::AbstractValueClobberEpoch::AbstractValueClobberEpoch): + (JSC::DFG::AbstractValueClobberEpoch::first): + (JSC::DFG::AbstractValueClobberEpoch::clobber): + (JSC::DFG::AbstractValueClobberEpoch::observeInvalidationPoint): + (JSC::DFG::AbstractValueClobberEpoch::operator== const): + (JSC::DFG::AbstractValueClobberEpoch::operator!= const): + (JSC::DFG::AbstractValueClobberEpoch::structureClobberState const): + (JSC::DFG::AbstractValueClobberEpoch::clobberEpoch const): + * dfg/DFGAtTailAbstractState.h: + (JSC::DFG::AtTailAbstractState::setForNode): + (JSC::DFG::AtTailAbstractState::clearForNode): + (JSC::DFG::AtTailAbstractState::numberOfArguments const): + (JSC::DFG::AtTailAbstractState::numberOfLocals const): + (JSC::DFG::AtTailAbstractState::operand): + (JSC::DFG::AtTailAbstractState::local): + (JSC::DFG::AtTailAbstractState::argument): + (JSC::DFG::AtTailAbstractState::clobberStructures): + (JSC::DFG::AtTailAbstractState::observeInvalidationPoint): + (JSC::DFG::AtTailAbstractState::variables): Deleted. 
+ * dfg/DFGCFAPhase.cpp: + (JSC::DFG::CFAPhase::performBlockCFA): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFlowMap.h: + (JSC::DFG::FlowMap::at): + (JSC::DFG::FlowMap::atShadow): + (JSC::DFG::FlowMap::at const): + (JSC::DFG::FlowMap::atShadow const): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::beginBasicBlock): + (JSC::DFG::InPlaceAbstractState::endBasicBlock): + * dfg/DFGInPlaceAbstractState.h: + (JSC::DFG::InPlaceAbstractState::forNode): + (JSC::DFG::InPlaceAbstractState::setForNode): + (JSC::DFG::InPlaceAbstractState::clearForNode): + (JSC::DFG::InPlaceAbstractState::variablesForDebugging): + (JSC::DFG::InPlaceAbstractState::numberOfArguments const): + (JSC::DFG::InPlaceAbstractState::numberOfLocals const): + (JSC::DFG::InPlaceAbstractState::operand): + (JSC::DFG::InPlaceAbstractState::local): + (JSC::DFG::InPlaceAbstractState::argument): + (JSC::DFG::InPlaceAbstractState::variableAt): + (JSC::DFG::InPlaceAbstractState::clobberStructures): + (JSC::DFG::InPlaceAbstractState::observeInvalidationPoint): + (JSC::DFG::InPlaceAbstractState::fastForward): + (JSC::DFG::InPlaceAbstractState::variables): Deleted. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetStack): + +2018-05-06 Filip Pizlo + + InPlaceAbstractState::beginBasicBlock shouldn't have to clear any abstract values + https://bugs.webkit.org/show_bug.cgi?id=185365 + + Reviewed by Saam Barati. + + This patch does three things to improve compile times: + + - Fixes some inlining goofs. + + - Adds the ability to measure compile times with run-jsc-benchmarks. + + - Dramatically improves the performance of InPlaceAbstractState::beginBasicBlock by removing the + code that clears abstract values. 
It turns out that on constant folding "needed" this, in the + sense that this was the only thing protecting it from loading the abstract value of a no-result + node and then concluding that because it had a non-empty m_value, it could be constant-folded. + Any node that produces a result will explicitly set its abstract value, so this problem can + also be guarded by just having constant folding check if the node it wants to fold returns any + result. + + Solid 0.96% compile time speed-up across SunSpider-CompileTime and V8Spider-CompileTime. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::set): + * dfg/DFGAbstractValue.h: + (JSC::DFG::AbstractValue::merge): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::doToChildrenWithNode): + (JSC::DFG::Graph::doToChildren): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::beginBasicBlock): + * jit/JIT.cpp: + (JSC::JIT::totalCompileTime): + * jit/JIT.h: + * jsc.cpp: + (GlobalObject::finishCreation): + (functionTotalCompileTime): + +2018-05-05 Filip Pizlo + + DFG AI doesn't need to merge valuesAtTail - it can just assign them + https://bugs.webkit.org/show_bug.cgi?id=185355 + + Reviewed by Mark Lam. + + This is a further attempt to improve compile times. Assigning AbstractValue ought to always + be faster than merging. There's no need to merge valuesAtTail. In most cases, assigning and + merging will get the same answer because the value computed this time will be either the same + as or more general than the value computed last time. If the value does change for some + reason, then valuesAtHead are already merged, which ensures monotonicity. Also, if the value + changes, then we have no reason to believe that this new value is less right than the last + one we computed. 
Finally, the one client of valuesAtTail (AtTailAbstractState) doesn't care + if it's getting the merged valuesAtTail or just some correct answer for valuesAtTail. + + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::endBasicBlock): + +2018-05-07 Andy VanWagoner + + Remove defunct email address + https://bugs.webkit.org/show_bug.cgi?id=185396 + + Reviewed by Mark Lam. + + The email address thetalecrafter@gmail.com is no longer valid, as the + associated google account has been closed. This updates the email + address so questions about these Intl contributions go to the right + place. + + * builtins/DatePrototype.js: + * builtins/NumberPrototype.js: + * builtins/StringPrototype.js: + * runtime/IntlCollator.cpp: + * runtime/IntlCollator.h: + * runtime/IntlCollatorConstructor.cpp: + * runtime/IntlCollatorConstructor.h: + * runtime/IntlCollatorPrototype.cpp: + * runtime/IntlCollatorPrototype.h: + * runtime/IntlDateTimeFormat.cpp: + * runtime/IntlDateTimeFormat.h: + * runtime/IntlDateTimeFormatConstructor.cpp: + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlDateTimeFormatPrototype.cpp: + * runtime/IntlDateTimeFormatPrototype.h: + * runtime/IntlNumberFormat.cpp: + * runtime/IntlNumberFormat.h: + * runtime/IntlNumberFormatConstructor.cpp: + * runtime/IntlNumberFormatConstructor.h: + * runtime/IntlNumberFormatPrototype.cpp: + * runtime/IntlNumberFormatPrototype.h: + * runtime/IntlObject.cpp: + * runtime/IntlObject.h: + * runtime/IntlPluralRules.cpp: + * runtime/IntlPluralRules.h: + * runtime/IntlPluralRulesConstructor.cpp: + * runtime/IntlPluralRulesConstructor.h: + * runtime/IntlPluralRulesPrototype.cpp: + * runtime/IntlPluralRulesPrototype.h: + +2018-05-06 Yusuke Suzuki + + [JSC] Remove "using namespace std;" from JSC, bmalloc, WTF + https://bugs.webkit.org/show_bug.cgi?id=185362 + + Reviewed by Sam Weinig. + + "namespace std" may include many names. 
It can conflict with names defined by our code, + and the other platform provided headers. For example, std::byte conflicts with Windows' + ::byte. + This patch removes "using namespace std;" from JSC and bmalloc. + + * API/JSClassRef.cpp: + (OpaqueJSClass::create): + * bytecode/Opcode.cpp: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::newRegister): + * heap/Heap.cpp: + (JSC::Heap::updateAllocationLimits): + * interpreter/Interpreter.cpp: + * jit/JIT.cpp: + * parser/Parser.cpp: + * runtime/JSArray.cpp: + * runtime/JSLexicalEnvironment.cpp: + * runtime/JSModuleEnvironment.cpp: + * runtime/Structure.cpp: + * shell/DLLLauncherMain.cpp: + (getStringValue): + (applePathFromRegistry): + (appleApplicationSupportDirectory): + (copyEnvironmentVariable): + (prependPath): + (fatalError): + (directoryExists): + (modifyPath): + (getLastErrorString): + (wWinMain): + +2018-05-05 Filip Pizlo + + DFG CFA phase should only do clobber asserts in debug + https://bugs.webkit.org/show_bug.cgi?id=185354 + + Reviewed by Saam Barati. + + Clobber asserts are responsible for 1% of compile time. That's too much. This disables them + unless asserts are enabled. + + * dfg/DFGCFAPhase.cpp: + (JSC::DFG::CFAPhase::performBlockCFA): + +2018-05-04 Keith Miller + + isCacheableArrayLength should return true for undecided arrays + https://bugs.webkit.org/show_bug.cgi?id=185309 + + Reviewed by Michael Saboff. + + Undecided arrays have butterflies so there is no reason why we + should not be able to cache their length. + + * bytecode/InlineAccess.cpp: + (JSC::InlineAccess::isCacheableArrayLength): + +2018-05-03 Yusuke Suzuki + + Remove std::random_shuffle + https://bugs.webkit.org/show_bug.cgi?id=185292 + + Reviewed by Darin Adler. + + std::random_shuffle is deprecated in C++14 and removed in C++17, + since std::random_shuffle relies on rand and srand. + Use std::shuffle instead. 
+ + * jit/BinarySwitch.cpp: + (JSC::RandomNumberGenerator::RandomNumberGenerator): + (JSC::RandomNumberGenerator::operator()): + (JSC::RandomNumberGenerator::min): + (JSC::RandomNumberGenerator::max): + (JSC::BinarySwitch::build): + +2018-05-03 Saam Barati + + Don't prevent CreateThis being folded to NewObject when the structure is poly proto + https://bugs.webkit.org/show_bug.cgi?id=185177 + + Reviewed by Filip Pizlo. + + This patch teaches the DFG/FTL how to constant fold CreateThis with + a known poly proto Structure to NewObject. We do it by emitting a NewObject + followed by a PutByOffset for the prototype value. + + We make it so that ObjectAllocationProfile holds the prototype value. + This is sound because JSFunction clears that profile when its 'prototype' + field changes. + + This patch also renames underscoreProtoPrivateName to polyProtoName since + that name was nonsensical: it was only used for poly proto. + + This is a 2x speedup on the get_callee_polymorphic microbenchmark. I had + regressed that benchmark when I first introduced poly proto. + + * builtins/BuiltinNames.cpp: + * builtins/BuiltinNames.h: + (JSC::BuiltinNames::BuiltinNames): + (JSC::BuiltinNames::polyProtoName const): + (JSC::BuiltinNames::underscoreProtoPrivateName const): Deleted. 
+ * bytecode/ObjectAllocationProfile.h: + (JSC::ObjectAllocationProfile::prototype): + (JSC::ObjectAllocationProfile::clear): + (JSC::ObjectAllocationProfile::visitAggregate): + * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfile::initializeProfile): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/FunctionRareData.h: + * runtime/Structure.cpp: + (JSC::Structure::create): + +2018-05-03 Michael Saboff + + OSR entry pruning of Program Bytecodes doesn't take into account try/catch + https://bugs.webkit.org/show_bug.cgi?id=185281 + + Reviewed by Saam Barati. + + When we compute bytecode block reachability, we need to take into account blocks + containing try/catch. + + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + +2018-05-03 Dominik Infuehr + + ARM: Wrong offset for operand rt in disassembler + https://bugs.webkit.org/show_bug.cgi?id=184083 + + Reviewed by Yusuke Suzuki. + + * disassembler/ARMv7/ARMv7DOpcode.h: + (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt): + (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt): + +2018-05-03 Dominik Infuehr + + ARM: Support vstr in disassembler + https://bugs.webkit.org/show_bug.cgi?id=184084 + + Reviewed by Yusuke Suzuki. + + * disassembler/ARMv7/ARMv7DOpcode.cpp: + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::format): + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format): Deleted. + * disassembler/ARMv7/ARMv7DOpcode.h: + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDRSTR::opName): + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition): Deleted. + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit): Deleted. + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn): Deleted. 
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd): Deleted. + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg): Deleted. + (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8): Deleted. + +2018-05-03 Dominik Infuehr + + Invoke ensureArrayStorage for all arguments + https://bugs.webkit.org/show_bug.cgi?id=185247 + + Reviewed by Yusuke Suzuki. + + ensureArrayStorage was only invoked for first argument in each loop iteration. + + * jsc.cpp: + (functionEnsureArrayStorage): + +2018-05-03 Filip Pizlo + + Make it easy to log compile times for all optimizing tiers + https://bugs.webkit.org/show_bug.cgi?id=185270 + + Reviewed by Keith Miller. + + This makes --logPhaseTimes=true enable logging of phase times for DFG and B3 using a common + helper class, CompilerTimingScope. This used to be called B3::TimingScope and only B3 used + it. + + This should help us reduce compile times by telling us where to look. So, far, it looks like + CFA is the worst. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * b3/B3Common.cpp: + (JSC::B3::shouldMeasurePhaseTiming): Deleted. + * b3/B3Common.h: + * b3/B3TimingScope.cpp: Removed. + * b3/B3TimingScope.h: + (JSC::B3::TimingScope::TimingScope): + * dfg/DFGPhase.h: + (JSC::DFG::runAndLog): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThread): + * tools/CompilerTimingScope.cpp: Added. + (JSC::CompilerTimingScope::CompilerTimingScope): + (JSC::CompilerTimingScope::~CompilerTimingScope): + * tools/CompilerTimingScope.h: Added. + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/Options.h: + +2018-05-03 Filip Pizlo + + Strings should not be allocated in a gigacage + https://bugs.webkit.org/show_bug.cgi?id=185218 + + Reviewed by Saam Barati. 
+ + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::toStringGeneric): + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeToAtomicString const): + (JSC::JSRopeString::resolveRope const): + * runtime/JSString.h: + (JSC::JSString::create): + (JSC::JSString::createHasOtherOwner): + * runtime/VM.h: + (JSC::VM::gigacageAuxiliarySpace): + +2018-05-03 Keith Miller + + Unreviewed, fix 32-bit profile offset for change in bytecode + length of the get_by_id and get_array_length opcodes. + + * llint/LowLevelInterpreter32_64.asm: + +2018-05-03 Michael Saboff + + WebContent crash loading page on seas.upenn.edu @ JavaScriptCore: vmEntryToJavaScript + https://bugs.webkit.org/show_bug.cgi?id=185231 + + Reviewed by Saam Barati. + + We weren't clearing the scratch register cache when switching back and forth between + allowing scratch register usage. We disallow scratch register usage when we are in + code that will freely allocate and use any register. Such usage can change the + contents of scratch registers. For ARM64, where we cache the contents of scratch + registers to reuse some or all of the contained values, we need to invalidate these + caches. We do this when re-enabling scratch register usage, that is when we transition + from disallow to allow scratch register usage. + + Added a new Air regression test. + + * assembler/AllowMacroScratchRegisterUsage.h: + (JSC::AllowMacroScratchRegisterUsage::AllowMacroScratchRegisterUsage): + * assembler/AllowMacroScratchRegisterUsageIf.h: + (JSC::AllowMacroScratchRegisterUsageIf::AllowMacroScratchRegisterUsageIf): + * assembler/DisallowMacroScratchRegisterUsage.h: + (JSC::DisallowMacroScratchRegisterUsage::~DisallowMacroScratchRegisterUsage): + * b3/air/testair.cpp: + +2018-05-03 Keith Miller + + Remove the prototype caching for get_by_id in the LLInt + https://bugs.webkit.org/show_bug.cgi?id=185226 + + Reviewed by Michael Saboff. + + There is no evidence that this is actually a speedup and we keep + getting bugs with it. 
At this point it seems like we should just + remove this code. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::printGetByIdOp): + (JSC::BytecodeDumper::printGetByIdCacheStatus): + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeLLIntInlineCaches): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted. + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed. + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed. + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitGetById): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::setupGetByIdPrototypeCache): Deleted. + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/Options.h: + +2018-05-03 Ryan Haddad + + Unreviewed, rolling out r231197. + + The test added with this change crashes on the 32-bit JSC bot. + + Reverted changeset: + + "Correctly detect string overflow when using the 'Function' + constructor" + https://bugs.webkit.org/show_bug.cgi?id=184883 + https://trac.webkit.org/changeset/231197 + +2018-05-03 Dominik Infuehr + + Disable usage of fused multiply-add instructions for JSC with compiler flag + https://bugs.webkit.org/show_bug.cgi?id=184909 + + Reviewed by Yusuke Suzuki. + + Adds -ffp-contract as compiler flag for building JSC. 
This ensures that functions + like parseInt() do not return slightly different results depending on whether the + compiler was able to use fused multiply-add instructions or not. + + * CMakeLists.txt: + +2018-05-02 Yusuke Suzuki + + Unreviewed, fix build failure in ARM, ARMv7 and MIPS + https://bugs.webkit.org/show_bug.cgi?id=185192 + + compareDouble relies on MacroAssembler::invert function. + + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::compareDouble): + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::compareDouble): Deleted. + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::compareDouble): Deleted. + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::compareDouble): Deleted. + +2018-05-02 Yusuke Suzuki + + [JSC] Add MacroAssembler::and16 and store16 + https://bugs.webkit.org/show_bug.cgi?id=185188 + + Reviewed by Mark Lam. + + r231129 requires and16(ImplicitAddress, RegisterID) and store16(RegisterID, ImplicitAddress) implementations. + This patch adds these methods for ARM. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::and16): + (JSC::MacroAssemblerARM::store16): + +2018-05-02 Yusuke Suzuki + + [DFG] Unify compare related code in 32bit and 64bit + https://bugs.webkit.org/show_bug.cgi?id=185189 + + Reviewed by Mark Lam. + + This patch unifies some part of compare related code in 32bit and 64bit + to reduce the size of 32bit specific DFG code. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileInt32Compare): + (JSC::DFG::SpeculativeJIT::compileDoubleCompare): + (JSC::DFG::SpeculativeJIT::compileObjectEquality): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted. + (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted. + (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted. + (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted. 
+ (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted. + +2018-05-02 Yusuke Suzuki + + [JSC] Add compareDouble and compareFloat for ARM64, X86, and X86_64 + https://bugs.webkit.org/show_bug.cgi?id=185192 + + Reviewed by Mark Lam. + + Now Object.is starts using compareDouble. So we would like to have + efficient implementation for compareDouble and compareFloat for + major architectures, ARM64, X86, and X86_64. + + This patch adds compareDouble and compareFloat implementations for + these architectures. And generic implementation is moved to each + architecture's MacroAssembler implementation. + + We also add tests for them in testmasm. To implement this test + easily, we also add loadFloat(TrustedImmPtr, FPRegisterID) for the + major architectures. + + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::compareDouble): Deleted. + (JSC::MacroAssembler::compareFloat): Deleted. + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::compareDouble): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::compareDouble): + (JSC::MacroAssemblerARM64::compareFloat): + (JSC::MacroAssemblerARM64::loadFloat): + (JSC::MacroAssemblerARM64::floatingPointCompare): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::compareDouble): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::compareDouble): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::loadFloat): + (JSC::MacroAssemblerX86Common::compareDouble): + (JSC::MacroAssemblerX86Common::compareFloat): + (JSC::MacroAssemblerX86Common::floatingPointCompare): + * assembler/X86Assembler.h: + (JSC::X86Assembler::movss_mr): + (JSC::X86Assembler::movss_rm): + * assembler/testmasm.cpp: + (JSC::floatOperands): + (JSC::testCompareFloat): + (JSC::run): + +2018-05-02 Yusuke Suzuki + + Unreviewed, fix 32bit DFG code + https://bugs.webkit.org/show_bug.cgi?id=185065 + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileSameValue): + +2018-05-02 Filip 
Pizlo + + JSC should know how to cache custom getter accesses on the prototype chain + https://bugs.webkit.org/show_bug.cgi?id=185213 + + Reviewed by Keith Miller. + + This was a simple fix after the work I did for bug 185174. >4x speed-up on the new get-custom-getter.js test. + + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + +2018-05-01 Filip Pizlo + + JSC should be able to cache custom setter calls on the prototype chain + https://bugs.webkit.org/show_bug.cgi?id=185174 + + Reviewed by Saam Barati. + + We broke custom-setter-on-the-prototype-chain caching when we fixed a bug involving the conditionSet.isEmpty() + condition being used to determine if we have an alternateBase. The fix in r222671 incorrectly tried to add + impossible-to-validate conditions to the conditionSet by calling generateConditionsForPrototypePropertyHit() instead + of generateConditionsForPrototypePropertyHitCustom(). The problem is that the former function will always fail for + custom accessors because it won't find the custom property in the structure. + + The fix is to add a virtual hasAlternateBase() function and use that instead of conditionSet.isEmpty(). + + This is a 4x speed-up on assign-custom-setter.js. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::hasAlternateBase const): + (JSC::AccessCase::alternateBase const): + (JSC::AccessCase::generateImpl): + * bytecode/AccessCase.h: + (JSC::AccessCase::alternateBase const): Deleted. 
+ * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::hasAlternateBase const): + (JSC::GetterSetterAccessCase::alternateBase const): + * bytecode/GetterSetterAccessCase.h: + * bytecode/ObjectPropertyConditionSet.cpp: + (JSC::generateConditionsForPrototypePropertyHitCustom): + * bytecode/ObjectPropertyConditionSet.h: + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryCachePutByID): + +2018-05-02 Dominik Infuehr + + [MIPS] Implement and16 and store16 for MacroAssemblerMIPS + https://bugs.webkit.org/show_bug.cgi?id=185195 + + Reviewed by Mark Lam. + + This implements the given function for MIPS, such that it builds again. + + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::and16): + (JSC::MacroAssemblerMIPS::store16): + +2018-05-02 Rick Waldron + + Expose "$262.agent.monotonicNow()" for use in testing Atomic operation timeouts + https://bugs.webkit.org/show_bug.cgi?id=185043 + + Reviewed by Filip Pizlo. + + * jsc.cpp: + (GlobalObject::finishCreation): + (functionDollarAgentMonotonicNow): + +2018-05-02 Dominik Infuehr + + [ARM] Implement and16 and store16 for MacroAssemblerARMv7 + https://bugs.webkit.org/show_bug.cgi?id=185196 + + Reviewed by Mark Lam. + + This implements and16 and store16 for MacroAssemblerARMv7 such that JSC builds again. + + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::and16): + (JSC::MacroAssemblerARMv7::store16): + +2018-05-02 Robin Morisset + + emitCodeToGetArgumentsArrayLength should not crash on PhantomNewArrayWithSpread + https://bugs.webkit.org/show_bug.cgi?id=183172 + + Reviewed by Filip Pizlo. + + DFGArgumentsEliminationPhase.cpp currently believes that allocations of NewArrayWithSpread can be deleted if they are only used by GetArrayLength, + but when it then calls emitCodeToGetArgumentsArrayLength, the latter has no idea what to do with GetArrayLength. + + I fix the problem by teaching emitCodeToGetArgumentsArrayLength how to deal with GetArrayLength. 
+ Because this requires emitting an Add that can overflow and thus exit, we also tell DFGArgumentsEliminationPhase to give up on eliminating + a NewArrayWithSpread when it is used by a GetArrayLength that is not allowed to exit. + + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGArgumentsUtilities.cpp: + (JSC::DFG::emitCodeToGetArgumentsArrayLength): + +2018-05-02 Yusuke Suzuki + + Unreviewed, stackPointer signature is different from declaration + https://bugs.webkit.org/show_bug.cgi?id=184790 + + * runtime/MachineContext.h: + (JSC::MachineContext::stackPointer): + +2018-05-01 Yusuke Suzuki + + [JSC] Add SameValue DFG node + https://bugs.webkit.org/show_bug.cgi?id=185065 + + Reviewed by Saam Barati. + + This patch adds Object.is handling in DFG and FTL. Object.is is converted to SameValue DFG node. + And DFG fixup phase attempts to convert SameValue node to CompareStrictEq with type filter edges + if possible. Since SameValue(Untyped, Untyped) and SameValue(Double, Double) have different semantics + from CompareStrictEq, we do not convert SameValue to CompareStrictEq for them. DFG and FTL have + implementations for these SameValue nodes. + + This old MacroAssemblerX86Common::compareDouble was dead code since the derived class, "MacroAssembler" + has a generalized compareDouble, which just uses branchDouble. Since this was not used, this function + was broken. This patch fixes issues and move compareDouble to MacroAssemblerX86Common, and remove a + generalized compareDouble for x86 arch to use this specialized efficient version instead. The fixes are + correctly using set32 to zero-extending the result, and setting the initial value of `dest` register + correctly for DoubleEqual and DoubleNotEqualOrUnordered cases. + + Added microbenchmark shows performance improvement. 
+ + object-is 651.0053+-38.8204 ^ 241.3467+-15.8753 ^ definitely 2.6974x faster + + * assembler/MacroAssembler.h: + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::compareDouble): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::compareDouble): Deleted. + * assembler/testmasm.cpp: + (JSC::doubleOperands): + (JSC::testCompareDouble): + (JSC::run): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileSameValue): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileSameValue): + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/ObjectConstructor.cpp: + +2018-04-30 Filip Pizlo + + B3::demoteValues should be able to handle patchpoint terminals + https://bugs.webkit.org/show_bug.cgi?id=185151 + + Reviewed by Saam Barati. + + If we try to demote a patchpoint terminal then prior to this change we would append a Set to + the basic block that the patchpoint terminated. 
That's wrong because then the terminal is no + longer the last thing in the block. + + Air encounters this problem in spilling and solves it by doing a fixup afterwards. We can't + really do that because demotion happens as a prerequisite to other transformations. + + One solution might have been to make demoteValues insert a basic block whenever it encounters + this problem. But that would break clients that do CFG analysis before demoteValues and use + the results of the CFG analysis after demoteValues. Taildup does this. Fortunately, taildup + also runs breakCriticalEdges. Probably anyone using demoteValues will use breakCriticalEdges, + so it's not bad to introduce that requirement. + + So, this patch solves the problem by ensuring that breakCriticalEdges treats any patchpoint + terminal as if it had multiple successors. This means that a patchpoint terminal's successors + will only have it as their predecessor. Then, demoteValues just prepends the Set to the + successors of the patchpoint terminal. + + This was probably asymptomatic. It's hard to write a JS test that triggers this, so I added + a unit test in testb3. + + * b3/B3BreakCriticalEdges.cpp: + (JSC::B3::breakCriticalEdges): + * b3/B3BreakCriticalEdges.h: + * b3/B3FixSSA.cpp: + (JSC::B3::demoteValues): + (JSC::B3::fixSSA): + * b3/B3FixSSA.h: + * b3/B3Value.cpp: + (JSC::B3::Value::foldIdentity const): + (JSC::B3::Value::performSubstitution): + * b3/B3Value.h: + * b3/testb3.cpp: + (JSC::B3::testDemotePatchpointTerminal): + (JSC::B3::run): + +2018-05-01 Robin Morisset + + Use CheckedArithmetic for length computation in JSArray::unshiftCountWithAnyIndexingType + https://bugs.webkit.org/show_bug.cgi?id=184772 + + + Reviewed by Filip Pizlo. + + Related to https://bugs.webkit.org/show_bug.cgi?id=183657 ( + + Correctly detect string overflow when using the 'Function' constructor + https://bugs.webkit.org/show_bug.cgi?id=184883 + + + Reviewed by Filip Pizlo. 
+ + The 'Function' constructor creates a string containing the source code of the new function through repeated string concatenation. + Because there was no way for the string concatenation routines in WTF to return an error, they just crashed in that case. + + I added new tryAppend methods alongside the old append methods, that return a boolean (true means success, false means an overflow happened). + In this way, it becomes possible for the Function constructor to just throw a proper JS exception when asked to create a string > 4GB. + I made new methods instead of just adapting the existing ones (and reverted such a change on appendQuotedJSONString) so that callers that rely on the old behaviour (a hard CRASH() on overflow) don't silently start failing. + + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): + +2018-05-01 Robin Morisset + + IntlObject.cpp::removeUnicodeLocaleExtension() should not touch locales that end in '-u' + https://bugs.webkit.org/show_bug.cgi?id=185162 + + Reviewed by Filip Pizlo. + + * runtime/IntlObject.cpp: + (JSC::removeUnicodeLocaleExtension): + +2018-05-01 Dominik Infuehr + + Add SetCallee as DFG-Operation + https://bugs.webkit.org/show_bug.cgi?id=184582 + + Reviewed by Filip Pizlo. + + For recursive tail calls not only the argument count can change but also the + callee. Add SetCallee to DFG that sets the callee slot in the current call frame. + Also update the callee when optimizing a recursive tail call. + Enable recursive tail call optimization also for closures. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + (JSC::DFG::ByteCodeParser::handleCallVariant): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGMayExit.cpp: + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileSetCallee): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileSetCallee): + +2018-05-01 Oleksandr Skachkov + + WebAssembly: add support for stream APIs - JavaScript API + https://bugs.webkit.org/show_bug.cgi?id=183442 + + Reviewed by Yusuke Suzuki and JF Bastien. + + Add WebAssembly stream API. Current patch only add functions + WebAssembly.compileStreaming and WebAssembly.instantiateStreaming but, + does not add streaming way of the implementation. So in current version it + only wait for load whole module, than start to parse. + + * CMakeLists.txt: + * Configurations/FeatureDefines.xcconfig: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinNames.h: + * builtins/WebAssemblyPrototype.js: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h. 
+ (compileStreaming): + (instantiateStreaming): + * jsc.cpp: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + * runtime/Options.h: + * runtime/PromiseDeferredTimer.cpp: + (JSC::PromiseDeferredTimer::hasPendingPromise): + (JSC::PromiseDeferredTimer::hasDependancyInPendingPromise): + * runtime/PromiseDeferredTimer.h: + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::webAssemblyModuleValidateAsyncInternal): + (JSC::webAssemblyCompileFunc): + (JSC::WebAssemblyPrototype::webAssemblyModuleValidateAsync): + (JSC::webAssemblyModuleInstantinateAsyncInternal): + (JSC::WebAssemblyPrototype::webAssemblyModuleInstantinateAsync): + (JSC::webAssemblyCompileStreamingInternal): + (JSC::webAssemblyInstantiateStreamingInternal): + (JSC::WebAssemblyPrototype::create): + (JSC::WebAssemblyPrototype::finishCreation): + * wasm/js/WebAssemblyPrototype.h: + +2018-04-30 Saam Barati + + ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit + https://bugs.webkit.org/show_bug.cgi?id=185149 + + + Reviewed by Filip Pizlo. + + The bug was that we were deleting checks that we shouldn't have deleted. + This patch makes a helper inside strength reduction that converts to + a LazyJSConstant while maintaining checks, and switches users of the + node API inside strength reduction to instead call the helper function. + + This patch also fixes a potential bug where StringReplace and + StringReplaceRegExp may not preserve all their checks. + + + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + (JSC::DFG::StrengthReductionPhase::convertToLazyJSValue): + +2018-04-29 Filip Pizlo + + LICM shouldn't hoist nodes if hoisted nodes exited in that code block + https://bugs.webkit.org/show_bug.cgi?id=185126 + + Reviewed by Saam Barati. + + This change is just restoring functionality that we've already had for a while. 
It had been + accidentally broken due to an unrelated CodeBlock refactoring. + + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + +2018-04-30 Mark Lam + + Apply PtrTags to the MetaAllocator and friends. + https://bugs.webkit.org/show_bug.cgi?id=185110 + + + Reviewed by Saam Barati. + + 1. LinkBuffer now takes a MacroAssemblerCodePtr instead of a void* pointer. + 2. Apply pointer tagging to the boundary pointers of the FixedExecutableMemoryPool, + and add a sanity check to verify that allocated code buffers are within those + bounds. + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl): + (JSC::LinkBuffer::copyCompactAndLinkCode): + (JSC::LinkBuffer::linkCode): + (JSC::LinkBuffer::allocate): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + (JSC::LinkBuffer::debugAddress): + (JSC::LinkBuffer::code): + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef): + * bytecode/InlineAccess.cpp: + (JSC::linkCodeInline): + (JSC::InlineAccess::rewireStubAsJump): + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::findPC): + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::findPC): + * jit/ExecutableAllocator.cpp: + (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): + (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator): + (JSC::ExecutableAllocator::allocate): + * jit/ExecutableAllocator.h: + (JSC::isJITPC): + (JSC::performJITMemcpy): + * jit/JIT.cpp: + (JSC::JIT::link): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + * runtime/JSCPtrTag.h: + * wasm/WasmCallee.cpp: + (JSC::Wasm::Callee::Callee): + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + +2018-04-30 Keith Miller + + Move the MayBePrototype JSCell header bit to InlineTypeFlags + https://bugs.webkit.org/show_bug.cgi?id=185143 + + Reviewed by Mark Lam. 
+ + * runtime/IndexingType.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::setStructure): + (JSC::JSCell::mayBePrototype const): + (JSC::JSCell::didBecomePrototype): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::mayBePrototype): + (JSC::TypeInfo::mergeInlineTypeFlags): + +2018-04-30 Keith Miller + + Remove unneeded exception check from String.fromCharCode + https://bugs.webkit.org/show_bug.cgi?id=185083 + + Reviewed by Mark Lam. + + * runtime/StringConstructor.cpp: + (JSC::stringFromCharCode): + +2018-04-30 Keith Miller + + Move StructureIsImmortal to out of line flags. + https://bugs.webkit.org/show_bug.cgi?id=185101 + + Reviewed by Saam Barati. + + This will free up a bit in the inline flags where we can move the + isPrototype bit to. This will, in turn, free a bit for use in + implementing copy on write butterflies. + + Also, this patch removes an assertion from Structure::typeInfo() + that inadvertently makes the function invalid to call while + cleaning up the vm. + + * heap/HeapCellType.cpp: + (JSC::DefaultDestroyFunc::operator() const): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::callDestructor): Deleted. + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::hasStaticPropertyTable): + (JSC::TypeInfo::structureIsImmortal const): + * runtime/Structure.h: + +2018-04-30 Yusuke Suzuki + + [JSC] Remove arity fixup check if the number of parameters is 1 + https://bugs.webkit.org/show_bug.cgi?id=183984 + + Reviewed by Mark Lam. + + If the number of parameters is one (|this|), we never hit arity fixup check. + We do not need to emit arity fixup check code. + + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compileFunction): + * dfg/DFGJITCompiler.h: + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + +2018-04-30 Yusuke Suzuki + + Use WordLock instead of std::mutex for Threading + https://bugs.webkit.org/show_bug.cgi?id=185121 + + Reviewed by Geoffrey Garen. 
+ + ThreadGroup starts using WordLock. + + * heap/MachineStackMarker.h: + (JSC::MachineThreads::getLock): + +2018-04-29 Filip Pizlo + + B3 should run tail duplication at the bitter end + https://bugs.webkit.org/show_bug.cgi?id=185123 + + Reviewed by Geoffrey Garen. + + Also added an option to disable taildup. This appears to be a 1% AsmBench speed-up. It's neutral + everywhere else. + + The goal of this change is to allow us to run path specialization after switch lowering but + before tail duplication. + + * b3/B3Generate.cpp: + (JSC::B3::generateToAir): + * runtime/Options.h: + +2018-04-29 Commit Queue + + Unreviewed, rolling out r231137. + https://bugs.webkit.org/show_bug.cgi?id=185118 + + It is breaking Test262 language/expressions/multiplication + /order-of-evaluation.js (Requested by caiolima on #webkit). + + Reverted changeset: + + "[ESNext][BigInt] Implement support for "*" operation" + https://bugs.webkit.org/show_bug.cgi?id=183721 + https://trac.webkit.org/changeset/231137 + +2018-04-28 Saam Barati + + We don't model regexp effects properly + https://bugs.webkit.org/show_bug.cgi?id=185059 + + + Reviewed by Filip Pizlo. + + RegExp exec/test can do arbitrary effects when toNumbering the lastIndex if + the regexp is global. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2018-04-28 Rick Waldron + + Token misspelled "tocken" in error message string + https://bugs.webkit.org/show_bug.cgi?id=185030 + + Reviewed by Saam Barati. 
+ + * parser/Parser.cpp: Fix typo "tocken" => "token" in SyntaxError message string + (JSC::Parser::Parser): + (JSC::Parser::didFinishParsing): + (JSC::Parser::parseSourceElements): + (JSC::Parser::parseAsyncGeneratorFunctionSourceElements): + (JSC::Parser::parseVariableDeclaration): + (JSC::Parser::parseWhileStatement): + (JSC::Parser::parseVariableDeclarationList): + (JSC::Parser::createBindingPattern): + (JSC::Parser::parseArrowFunctionSingleExpressionBodySourceElements): + (JSC::Parser::parseObjectRestElement): + (JSC::Parser::parseDestructuringPattern): + (JSC::Parser::parseForStatement): + (JSC::Parser::parseBreakStatement): + (JSC::Parser::parseContinueStatement): + (JSC::Parser::parseThrowStatement): + (JSC::Parser::parseWithStatement): + (JSC::Parser::parseSwitchStatement): + (JSC::Parser::parseSwitchClauses): + (JSC::Parser::parseTryStatement): + (JSC::Parser::parseBlockStatement): + (JSC::Parser::parseFormalParameters): + (JSC::Parser::parseFunctionParameters): + (JSC::Parser::parseFunctionInfo): + (JSC::Parser::parseExpressionOrLabelStatement): + (JSC::Parser::parseExpressionStatement): + (JSC::Parser::parseIfStatement): + (JSC::Parser::parseAssignmentExpression): + (JSC::Parser::parseConditionalExpression): + (JSC::Parser::parseBinaryExpression): + (JSC::Parser::parseObjectLiteral): + (JSC::Parser::parseStrictObjectLiteral): + (JSC::Parser::parseArrayLiteral): + (JSC::Parser::parseArguments): + (JSC::Parser::parseMemberExpression): + (JSC::operatorString): + (JSC::Parser::parseUnaryExpression): + (JSC::Parser::printUnexpectedTokenText): + +2018-04-28 Caio Lima + + [ESNext][BigInt] Implement support for "*" operation + https://bugs.webkit.org/show_bug.cgi?id=183721 + + Reviewed by Saam Barati. + + Added BigInt support into times binary operator into LLInt and on + JITOperations profiledMul and unprofiledMul. We are also replacing all + uses of int to unsigned when there is no negative values for + variables. 
+ + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * jit/JITOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::JSBigInt): + (JSC::JSBigInt::allocationSize): + (JSC::JSBigInt::createWithLength): + (JSC::JSBigInt::toString): + (JSC::JSBigInt::multiply): + (JSC::JSBigInt::digitDiv): + (JSC::JSBigInt::internalMultiplyAdd): + (JSC::JSBigInt::multiplyAccumulate): + (JSC::JSBigInt::equals): + (JSC::JSBigInt::absoluteDivSmall): + (JSC::JSBigInt::calculateMaximumCharactersRequired): + (JSC::JSBigInt::toStringGeneric): + (JSC::JSBigInt::rightTrim): + (JSC::JSBigInt::allocateFor): + (JSC::JSBigInt::parseInt): + (JSC::JSBigInt::digit): + (JSC::JSBigInt::setDigit): + * runtime/JSBigInt.h: + * runtime/Operations.h: + (JSC::jsMul): + +2018-04-28 Commit Queue + + Unreviewed, rolling out r231131. + https://bugs.webkit.org/show_bug.cgi?id=185112 + + It is breaking Debug build due to unchecked exception + (Requested by caiolima on #webkit). + + Reverted changeset: + + "[ESNext][BigInt] Implement support for "*" operation" + https://bugs.webkit.org/show_bug.cgi?id=183721 + https://trac.webkit.org/changeset/231131 + +2018-04-27 Caio Lima + + [ESNext][BigInt] Implement support for "*" operation + https://bugs.webkit.org/show_bug.cgi?id=183721 + + Reviewed by Saam Barati. + + Added BigInt support into times binary operator into LLInt and on + JITOperations profiledMul and unprofiledMul. We are also replacing all + uses of int to unsigned when there is no negative values for + variables. 
+ + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * jit/JITOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::JSBigInt): + (JSC::JSBigInt::allocationSize): + (JSC::JSBigInt::createWithLength): + (JSC::JSBigInt::toString): + (JSC::JSBigInt::multiply): + (JSC::JSBigInt::digitDiv): + (JSC::JSBigInt::internalMultiplyAdd): + (JSC::JSBigInt::multiplyAccumulate): + (JSC::JSBigInt::equals): + (JSC::JSBigInt::absoluteDivSmall): + (JSC::JSBigInt::calculateMaximumCharactersRequired): + (JSC::JSBigInt::toStringGeneric): + (JSC::JSBigInt::rightTrim): + (JSC::JSBigInt::allocateFor): + (JSC::JSBigInt::parseInt): + (JSC::JSBigInt::digit): + (JSC::JSBigInt::setDigit): + * runtime/JSBigInt.h: + * runtime/Operations.h: + (JSC::jsMul): + +2018-04-27 JF Bastien + + Make the first 64 bits of JSString look like a double JSValue + https://bugs.webkit.org/show_bug.cgi?id=185081 + + Reviewed by Filip Pizlo. + + We can be clever about how we lay out JSString so that, were it + reinterpreted as a JSValue, it would look like a double. + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::and16): + * assembler/X86Assembler.h: + (JSC::X86Assembler::andw_mr): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileMakeRope): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): + * ftl/FTLOutput.h: + (JSC::FTL::Output::store32As8): + (JSC::FTL::Output::store32As16): + * runtime/JSString.h: + (JSC::JSString::JSString): + +2018-04-27 Yusuke Suzuki + + [JSC][ARM64][Linux] Add collectCPUFeatures using auxiliary vector + https://bugs.webkit.org/show_bug.cgi?id=185055 + + Reviewed by JF Bastien. + + This patch is paving the way to emitting jscvt instruction if possible. + To do that, we need to determine jscvt instruction is supported in the + given CPU. 
+ + We add a function collectCPUFeatures, which is responsible to collect + CPU features if necessary. In Linux, we can use auxiliary vector to get + the information without parsing /proc/cpuinfo. + + Currently, nobody calls this function. It is later called when we emit + jscvt instruction. To make it possible, we also need to add disassembler + support too. + + * assembler/AbstractMacroAssembler.h: + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssemblerARM64::collectCPUFeatures): + * assembler/MacroAssemblerARM64.h: + * assembler/MacroAssemblerX86Common.h: + +2018-04-26 Filip Pizlo + + Also run foldPathConstants before mussing up SSA + https://bugs.webkit.org/show_bug.cgi?id=185069 + + Reviewed by Saam Barati. + + This isn't needed now, but will be once I implement the phase in bug 185060. + + This could be a speed-up, or a slow-down, independent of that phase. Most likely it's neutral. + Local testing seems to suggest that it's neutral. Anyway, whatever it ends up being, I want it to + be landed separately and measured separately from that phase. + + It's probably nice for sanity to have this and reduceStrength run before tail duplication and + another round of reduceStrength, since that make for something that is closer to a fixpoint. But + it will increase FTL compile times. So, there's no way to guess if this change is good, bad, or + neutral. It all depends on what programs typically look like. + + * b3/B3Generate.cpp: + (JSC::B3::generateToAir): + +2018-04-27 Ryan Haddad + + Unreviewed, rolling out r231086. + + Caused JSC test failures due to an unchecked exception. + + Reverted changeset: + + "[ESNext][BigInt] Implement support for "*" operation" + https://bugs.webkit.org/show_bug.cgi?id=183721 + https://trac.webkit.org/changeset/231086 + +2018-04-26 Caio Lima + + [ESNext][BigInt] Implement support for "*" operation + https://bugs.webkit.org/show_bug.cgi?id=183721 + + Reviewed by Saam Barati. 
+ + Added BigInt support into times binary operator into LLInt and on + JITOperations profiledMul and unprofiledMul. We are also replacing all + uses of int to unsigned when there is no negative values for + variables. + + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * jit/JITOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::JSBigInt): + (JSC::JSBigInt::allocationSize): + (JSC::JSBigInt::createWithLength): + (JSC::JSBigInt::toString): + (JSC::JSBigInt::multiply): + (JSC::JSBigInt::digitDiv): + (JSC::JSBigInt::internalMultiplyAdd): + (JSC::JSBigInt::multiplyAccumulate): + (JSC::JSBigInt::equals): + (JSC::JSBigInt::absoluteDivSmall): + (JSC::JSBigInt::calculateMaximumCharactersRequired): + (JSC::JSBigInt::toStringGeneric): + (JSC::JSBigInt::rightTrim): + (JSC::JSBigInt::allocateFor): + (JSC::JSBigInt::parseInt): + (JSC::JSBigInt::digit): + (JSC::JSBigInt::setDigit): + * runtime/JSBigInt.h: + * runtime/Operations.h: + (JSC::jsMul): + +2018-04-26 Mark Lam + + Gardening: Speculative build fix for Windows. + https://bugs.webkit.org/show_bug.cgi?id=184976 + + + Not reviewed. + + * runtime/JSCPtrTag.h: + +2018-04-26 Mark Lam + + Gardening: Windows build fix. + + Not reviewed. + + * runtime/Options.cpp: + +2018-04-26 Jer Noble + + WK_COCOA_TOUCH all the things. + https://bugs.webkit.org/show_bug.cgi?id=185006 + + + Reviewed by Tim Horton. + + * Configurations/Base.xcconfig: + +2018-04-26 Per Arne Vollan + + Disable content filtering in minimal simulator mode + https://bugs.webkit.org/show_bug.cgi?id=185027 + + + Reviewed by Jer Noble. + + * Configurations/FeatureDefines.xcconfig: + +2018-04-26 Andy VanWagoner + + [INTL] Implement Intl.PluralRules + https://bugs.webkit.org/show_bug.cgi?id=184312 + + Reviewed by JF Bastien. + + Use UNumberFormat to enforce formatting, and then UPluralRules to find + the correct plural rule for the given number. 
Relies on ICU v59+ for + resolvedOptions().pluralCategories and trailing 0 detection. + Behind the useIntlPluralRules option and INTL_PLURAL_RULES flag. + + * CMakeLists.txt: + * Configurations/FeatureDefines.xcconfig: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * builtins/BuiltinNames.h: + * runtime/BigIntObject.cpp: + (JSC::BigIntObject::create): Moved to ensure complete JSGlobalObject definition. + * runtime/BigIntObject.h: + * runtime/CommonIdentifiers.h: + * runtime/IntlObject.cpp: + (JSC::IntlObject::finishCreation): + * runtime/IntlObject.h: + * runtime/IntlPluralRules.cpp: Added. + (JSC::IntlPluralRules::UPluralRulesDeleter::operator() const): + (JSC::IntlPluralRules::UNumberFormatDeleter::operator() const): + (JSC::UEnumerationDeleter::operator() const): + (JSC::IntlPluralRules::create): + (JSC::IntlPluralRules::createStructure): + (JSC::IntlPluralRules::IntlPluralRules): + (JSC::IntlPluralRules::finishCreation): + (JSC::IntlPluralRules::destroy): + (JSC::IntlPluralRules::visitChildren): + (JSC::IntlPRInternal::localeData): + (JSC::IntlPluralRules::initializePluralRules): + (JSC::IntlPluralRules::resolvedOptions): + (JSC::IntlPluralRules::select): + * runtime/IntlPluralRules.h: Added. + * runtime/IntlPluralRulesConstructor.cpp: Added. + (JSC::IntlPluralRulesConstructor::create): + (JSC::IntlPluralRulesConstructor::createStructure): + (JSC::IntlPluralRulesConstructor::IntlPluralRulesConstructor): + (JSC::IntlPluralRulesConstructor::finishCreation): + (JSC::constructIntlPluralRules): + (JSC::callIntlPluralRules): + (JSC::IntlPluralRulesConstructorFuncSupportedLocalesOf): + (JSC::IntlPluralRulesConstructor::visitChildren): + * runtime/IntlPluralRulesConstructor.h: Added. + * runtime/IntlPluralRulesPrototype.cpp: Added. 
+ (JSC::IntlPluralRulesPrototype::create): + (JSC::IntlPluralRulesPrototype::createStructure): + (JSC::IntlPluralRulesPrototype::IntlPluralRulesPrototype): + (JSC::IntlPluralRulesPrototype::finishCreation): + (JSC::IntlPluralRulesPrototypeFuncSelect): + (JSC::IntlPluralRulesPrototypeFuncResolvedOptions): + * runtime/IntlPluralRulesPrototype.h: Added. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::intlPluralRulesAvailableLocales): + * runtime/JSGlobalObject.h: + * runtime/Options.h: + * runtime/RegExpPrototype.cpp: Added inlines header. + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2018-04-26 Dominik Infuehr + + [MIPS] Fix branch offsets in branchNeg32 + https://bugs.webkit.org/show_bug.cgi?id=185025 + + Reviewed by Yusuke Suzuki. + + Two nops were removed in branch(Not)Equal in #183130 but the offset wasn't adjusted. + + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::branchNeg32): + +2018-04-25 Robin Morisset + + In FTLLowerDFGToB3.cpp::compileCreateRest, always use a contiguous array as the indexing type when under isWatchingHavingABadTimeWatchpoint + https://bugs.webkit.org/show_bug.cgi?id=184773 + + + Reviewed by Filip Pizlo. + + We were calling restParameterStructure(), which returns arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous). + arrayStructureForIndexingTypeDuringAllocation uses m_arrayStructureForIndexingShapeDuringAllocation, which is set to SlowPutArrayStorage when we are 'having a bad time'. + This is problematic, because the structure is then passed to allocateUninitializedContiguousJSArray, which ASSERTs that the indexing type is contiguous (or int32). + We solve the problem by using originalArrayStructureForIndexingType which always returns a structure with the right indexing type (contiguous), even if we are having a bad time. + This is safe, as we are under isWatchingHavingABadTimeWatchpoint, so if we have a bad time, the code we generate will never be installed. 
+ + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCreateRest): + +2018-04-25 Mark Lam + + Push the definition of PtrTag down to the WTF layer. + https://bugs.webkit.org/show_bug.cgi?id=184976 + + + Reviewed by Saam Barati. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/ARM64Assembler.h: + * assembler/AbstractMacroAssembler.h: + * assembler/MacroAssemblerCodeRef.cpp: + * assembler/MacroAssemblerCodeRef.h: + * b3/B3MathExtras.cpp: + * bytecode/LLIntCallLinkInfo.h: + * disassembler/Disassembler.h: + * ftl/FTLJITCode.cpp: + * interpreter/InterpreterInlines.h: + * jit/ExecutableAllocator.h: + * jit/JITOperations.cpp: + * jit/ThunkGenerator.h: + * jit/ThunkGenerators.h: + * llint/LLIntOffsetsExtractor.cpp: + * llint/LLIntPCRanges.h: + * runtime/JSCPtrTag.h: Added. + * runtime/NativeFunction.h: + * runtime/PtrTag.h: Removed. + * runtime/VMTraps.cpp: + +2018-04-25 Keith Miller + + getUnlinkedGlobalFunctionExecutable should only save things to the code cache if the option is set + https://bugs.webkit.org/show_bug.cgi?id=184998 + + Reviewed by Saam Barati. + + * runtime/CodeCache.cpp: + (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): + +2018-04-25 Keith Miller + + Add missing scope release to functionProtoFuncToString + https://bugs.webkit.org/show_bug.cgi?id=184995 + + Reviewed by Saam Barati. + + * runtime/FunctionPrototype.cpp: + (JSC::functionProtoFuncToString): + +2018-04-25 Yusuke Suzuki + + REGRESSION(r230748) [GTK][ARM] no matching function for call to 'JSC::CCallHelpers::swap(JSC::ARMRegisters::FPRegisterID&, JSC::ARMRegisters::FPRegisterID&)' + https://bugs.webkit.org/show_bug.cgi?id=184730 + + Reviewed by Mark Lam. + + Add swap(FPRegisterID, FPRegisterID) implementation using ARMRegisters::SD0 (temporary register in MacroAssemblerARM). + And we now use dataTempRegister, addressTempRegister, and fpTempRegister instead of using S0, S1, and SD0. 
+ + We also change swap(RegisterID, RegisterID) implementation to use moves and temporaries simply. This is aligned to + ARMv7 implementation. + + * assembler/ARMAssembler.h: + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::add32): + (JSC::MacroAssemblerARM::and32): + (JSC::MacroAssemblerARM::lshift32): + (JSC::MacroAssemblerARM::mul32): + (JSC::MacroAssemblerARM::or32): + (JSC::MacroAssemblerARM::rshift32): + (JSC::MacroAssemblerARM::urshift32): + (JSC::MacroAssemblerARM::sub32): + (JSC::MacroAssemblerARM::xor32): + (JSC::MacroAssemblerARM::load8): + (JSC::MacroAssemblerARM::abortWithReason): + (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch): + (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch): + (JSC::MacroAssemblerARM::store8): + (JSC::MacroAssemblerARM::store32): + (JSC::MacroAssemblerARM::push): + (JSC::MacroAssemblerARM::swap): + (JSC::MacroAssemblerARM::branch8): + (JSC::MacroAssemblerARM::branchPtr): + (JSC::MacroAssemblerARM::branch32): + (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords): + (JSC::MacroAssemblerARM::branchTest8): + (JSC::MacroAssemblerARM::branchTest32): + (JSC::MacroAssemblerARM::jump): + (JSC::MacroAssemblerARM::branchAdd32): + (JSC::MacroAssemblerARM::mull32): + (JSC::MacroAssemblerARM::branchMul32): + (JSC::MacroAssemblerARM::patchableBranch32): + (JSC::MacroAssemblerARM::nearCall): + (JSC::MacroAssemblerARM::compare32): + (JSC::MacroAssemblerARM::compare8): + (JSC::MacroAssemblerARM::test32): + (JSC::MacroAssemblerARM::test8): + (JSC::MacroAssemblerARM::add64): + (JSC::MacroAssemblerARM::load32): + (JSC::MacroAssemblerARM::call): + (JSC::MacroAssemblerARM::branchPtrWithPatch): + (JSC::MacroAssemblerARM::branch32WithPatch): + (JSC::MacroAssemblerARM::storePtrWithPatch): + (JSC::MacroAssemblerARM::loadDouble): + (JSC::MacroAssemblerARM::storeDouble): + (JSC::MacroAssemblerARM::addDouble): + (JSC::MacroAssemblerARM::divDouble): + (JSC::MacroAssemblerARM::subDouble): + (JSC::MacroAssemblerARM::mulDouble): + 
(JSC::MacroAssemblerARM::convertInt32ToDouble): + (JSC::MacroAssemblerARM::branchDouble): + (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32): + (JSC::MacroAssemblerARM::truncateDoubleToInt32): + (JSC::MacroAssemblerARM::truncateDoubleToUint32): + (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): + (JSC::MacroAssemblerARM::branchDoubleNonZero): + (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN): + (JSC::MacroAssemblerARM::call32): + (JSC::MacroAssemblerARM::internalCompare32): + +2018-04-25 Ross Kirsling + + [WinCairo] Fix js/regexp-unicode.html crash. + https://bugs.webkit.org/show_bug.cgi?id=184891 + + Reviewed by Yusuke Suzuki. + + On Win64, register RDI is "considered nonvolatile and must be saved and restored by a function that uses [it]". + RDI is being used as a scratch register for JIT_UNICODE_EXPRESSIONS, not just YARR_JIT_ALL_PARENS_EXPRESSIONS. + + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generateEnter): + (JSC::Yarr::YarrGenerator::generateReturn): + Unconditionally save and restore RDI on 64-bit Windows. + +2018-04-25 Michael Catanzaro + + [GTK] Miscellaneous build cleanups + https://bugs.webkit.org/show_bug.cgi?id=184399 + + Reviewed by Žan Doberšek. + + * PlatformGTK.cmake: + +2018-04-24 Keith Miller + + fromCharCode is missing some exception checks + https://bugs.webkit.org/show_bug.cgi?id=184952 + + Reviewed by Saam Barati. + + I also removed the pointless slow path function and moved it into the + main function. + + * runtime/StringConstructor.cpp: + (JSC::stringFromCharCode): + (JSC::stringFromCharCodeSlowCase): Deleted. + +2018-04-24 Filip Pizlo + + MultiByOffset should emit one fewer branches in the case that the set of structures is proved already + https://bugs.webkit.org/show_bug.cgi?id=184923 + + Reviewed by Saam Barati. + + If we have a MultiGetByOffset or MultiPutByOffset over a structure set that we've already proved + (i.e. 
we know that the object has one of those structures), then previously we would still emit a + switch with a case per structure along with a default case. That would mean one extra redundant + branch to check that whatever structure we wound up with belongs to the set. In that case, we + were already making the default case be an Oops. + + One possible solution would be to say that the default case being Oops means that B3 doesn't need + to emit the extra branch. But that would require having B3 exploit the fact that Oops is known to + be unreachable. Although B3 IR semantics (webkit.org/docs/b3/intermediate-representation.html) + seem to allow this, I don't particularly like that style of optimization. I like Oops to mean + trap. + + So, this patch makes FTL lowering turn one of the cases into the default, explicitly removing the + extra branch. + + This is not a speed-up. But it makes the B3 IR for MultiByOffset a lot simpler, which should make + it easier to implement B3-level optimizations for MultiByOffset. It also makes the IR easier to + read. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMultiGetByOffset): + (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset): + (JSC::FTL::DFG::LowerDFGToB3::emitSwitchForMultiByOffset): + +2018-04-24 Filip Pizlo + + DFG CSE should know how to decay a MultiGetByOffset + https://bugs.webkit.org/show_bug.cgi?id=159859 + + Reviewed by Keith Miller. + + This teaches Node::remove() how to decay a MultiGetByOffset to a CheckStructure, so that + clobberize() can report a def() for MultiGetByOffset. + + This is a slight improvement to codegen in splay because splay is a heavy user of + MultiGetByOffset. It uses it redundantly in one of its hot functions (the function called + "splay_"). I don't see a net speed-up in the benchmark. However, this is just a first step to + removing MultiXByOffset-related redundancies, which by my estimates account for 16% of + splay's time. 
+ + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGNode.cpp: + (JSC::DFG::Node::remove): + (JSC::DFG::Node::removeWithoutChecks): + (JSC::DFG::Node::replaceWith): + (JSC::DFG::Node::replaceWithWithoutChecks): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToMultiGetByOffset): + (JSC::DFG::Node::replaceWith): Deleted. + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2018-04-24 Keith Miller + + Update API docs with information on which run loop the VM will use + https://bugs.webkit.org/show_bug.cgi?id=184900 + + + Reviewed by Mark Lam. + + * API/JSContextRef.h: + * API/JSVirtualMachine.h: + +2018-04-24 Filip Pizlo + + $vm.totalGCTime() should be a thing + https://bugs.webkit.org/show_bug.cgi?id=184916 + + Reviewed by Sam Weinig. + + When debugging regressions in tests that are GC heavy, it's nice to be able to query the total + time spent in GC to determine if the regression is because the GC got slower. + + This adds $vm.totalGCTime(), which tells you the total time spent in GC, in seconds. + + * heap/Heap.cpp: + (JSC::Heap::runEndPhase): + * heap/Heap.h: + (JSC::Heap::totalGCTime const): + * tools/JSDollarVM.cpp: + (JSC::functionTotalGCTime): + (JSC::JSDollarVM::finishCreation): + +2018-04-23 Zalan Bujtas + + [LayoutFormattingContext] Initial commit. + https://bugs.webkit.org/show_bug.cgi?id=184896 + + Reviewed by Antti Koivisto. + + * Configurations/FeatureDefines.xcconfig: + +2018-04-23 Filip Pizlo + + Unreviewed, revert accidental change to verbose flag. + + * dfg/DFGByteCodeParser.cpp: + +2018-04-23 Filip Pizlo + + Roll out r226655 because it broke OSR entry when the pre-header is inadequately profiled. + + Rubber stamped by Saam Barati. + + This is a >2x speed-up in SunSpider/bitops-bitwise-and. We don't really care about SunSpider + anymore, but r226655 didn't result in any benchmark wins and just regressed this test by a lot. + Seems sensible to just roll it out. 
+ + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::addToGraph): + (JSC::DFG::ByteCodeParser::parse): + +2018-04-22 Yusuke Suzuki + + [JSC] Remove ModuleLoaderPrototype + https://bugs.webkit.org/show_bug.cgi?id=184784 + + Reviewed by Mark Lam. + + When we introduce ModuleLoaderPrototype, ModuleLoader may be created by users and exposed to users. + However, the loader spec is abandoned. So we do not need to have ModuleLoaderPrototype and JSModuleLoader. + This patch merges ModuleLoaderPrototype's functionality into JSModuleLoader. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * builtins/ModuleLoader.js: Renamed from Source/JavaScriptCore/builtins/ModuleLoaderPrototype.js. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::proxyRevokeStructure const): + (JSC::JSGlobalObject::moduleLoaderStructure const): Deleted. + * runtime/JSModuleLoader.cpp: + (JSC::moduleLoaderParseModule): + (JSC::moduleLoaderRequestedModules): + (JSC::moduleLoaderModuleDeclarationInstantiation): + (JSC::moduleLoaderResolve): + (JSC::moduleLoaderResolveSync): + (JSC::moduleLoaderFetch): + (JSC::moduleLoaderGetModuleNamespaceObject): + (JSC::moduleLoaderEvaluate): + * runtime/JSModuleLoader.h: + * runtime/ModuleLoaderPrototype.cpp: Removed. + * runtime/ModuleLoaderPrototype.h: Removed. + +2018-04-20 Carlos Garcia Campos + + [GLIB] All API tests fail in debug builds + https://bugs.webkit.org/show_bug.cgi?id=184813 + + Reviewed by Mark Lam. + + This is because of a conflict of ExceptionHandler class used in tests and ExceptionHandler struct defined in + JSCContext.cpp. This patch renames the ExceptionHandler struct as JSCContextExceptionHandler. 
+ + * API/glib/JSCContext.cpp: + (JSCContextExceptionHandler::JSCContextExceptionHandler): + (JSCContextExceptionHandler::~JSCContextExceptionHandler): + (jscContextConstructed): + (ExceptionHandler::ExceptionHandler): Deleted. + (ExceptionHandler::~ExceptionHandler): Deleted. + +2018-04-20 Tim Horton + + Adjust geolocation feature flag + https://bugs.webkit.org/show_bug.cgi?id=184856 + + Reviewed by Wenson Hsieh. + + * Configurations/FeatureDefines.xcconfig: + +2018-04-20 Brian Burg + + Web Inspector: remove some dead code in IdentifiersFactory + https://bugs.webkit.org/show_bug.cgi?id=184839 + + Reviewed by Timothy Hatcher. + + This was never used on non-Chrome ports, so the identifier always has a + prefix of '0.'. We may change this in the future, but for now remove this. + Using a PID for this purpose is problematic anyway. + + * inspector/IdentifiersFactory.cpp: + (Inspector::addPrefixToIdentifier): + (Inspector::IdentifiersFactory::createIdentifier): + (Inspector::IdentifiersFactory::requestId): + (Inspector::IdentifiersFactory::addProcessIdPrefixTo): Deleted. + * inspector/IdentifiersFactory.h: + +2018-04-20 Mark Lam + + Add the ability to use a hash for setting PtrTag enum values. + https://bugs.webkit.org/show_bug.cgi?id=184852 + + + Reviewed by Saam Barati. + + * runtime/PtrTag.h: + +2018-04-20 Mark Lam + + Some JSEntryPtrTags should actually be JSInternalPtrTags. + https://bugs.webkit.org/show_bug.cgi?id=184712 + + + Reviewed by Michael Saboff. + + 1. Convert some uses of JSEntryPtrTag into JSInternalPtrTags. + 2. Tag all LLInt bytecodes consistently with BytecodePtrTag now and retag them + only when needed. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/ByValInfo.h: + (JSC::ByValInfo::ByValInfo): + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::callReturnLocation): + (JSC::CallLinkInfo::patchableJump): + (JSC::CallLinkInfo::hotPathBegin): + (JSC::CallLinkInfo::slowPathStart): + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::setCallLocations): + (JSC::CallLinkInfo::hotPathOther): + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::doneLocation): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * ftl/FTLLazySlowPath.cpp: + (JSC::FTL::LazySlowPath::initialize): + * ftl/FTLLazySlowPath.h: + (JSC::FTL::LazySlowPath::done const): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileIn): + (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): + * jit/JIT.cpp: + (JSC::JIT::link): + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::getCodePtr): + (JSC::LLInt::getExecutableAddress): Deleted. + * llint/LLIntExceptions.cpp: + (JSC::LLInt::callToThrow): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + +2018-04-18 Jer Noble + + Don't put build products into WK_ALTERNATE_WEBKIT_SDK_PATH for engineering builds + https://bugs.webkit.org/show_bug.cgi?id=184762 + + Reviewed by Dan Bernstein. 
+ + * Configurations/Base.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2018-04-20 Daniel Bates + + Remove code for compilers that did not support NSDMI for aggregates + https://bugs.webkit.org/show_bug.cgi?id=184599 + + Reviewed by Per Arne Vollan. + + Remove workaround for earlier Visual Studio versions that did not support non-static data + member initializers (NSDMI) for aggregates. We have since updated all the build.webkit.org + and EWS bots to a newer version that supports this feature. + + * domjit/DOMJITEffect.h: + (JSC::DOMJIT::Effect::Effect): Deleted. + * runtime/HasOwnPropertyCache.h: + (JSC::HasOwnPropertyCache::Entry::Entry): Deleted. + * wasm/WasmFormat.h: + (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): Deleted. + +2018-04-20 Mark Lam + + Build fix for internal builds after r230826. + https://bugs.webkit.org/show_bug.cgi?id=184790 + + + Not reviewed. + + * runtime/Options.cpp: + (JSC::overrideDefaults): + * tools/SigillCrashAnalyzer.cpp: + (JSC::SignalContext::dump): + +2018-04-19 Tadeu Zagallo + + REGRESSION(r227340): ArrayBuffers were not being serialized when sent via MessagePorts + https://bugs.webkit.org/show_bug.cgi?id=184254 + + + Reviewed by Daniel Bates. + + Expose an extra constructor of ArrayBufferContents in order to be able to decode SerializedScriptValues. + + * runtime/ArrayBuffer.h: + (JSC::ArrayBufferContents::ArrayBufferContents): + +2018-04-19 Mark Lam + + Apply pointer profiling to Signal pointers. + https://bugs.webkit.org/show_bug.cgi?id=184790 + + + Reviewed by Michael Saboff. + + 1. Change stackPointer, framePointer, and instructionPointer accessors to + be a pair of getter/setter functions. + 2. Add support for USE(PLATFORM_REGISTERS_WITH_PROFILE) to allow use of a + a pointer profiling variants of these accessors. + 3. Also add a linkRegister accessor only for ARM64 on OS(DARWIN). 
+ + * JavaScriptCorePrefix.h: + * runtime/MachineContext.h: + (JSC::MachineContext::stackPointerImpl): + (JSC::MachineContext::stackPointer): + (JSC::MachineContext::setStackPointer): + (JSC::MachineContext::framePointerImpl): + (JSC::MachineContext::framePointer): + (JSC::MachineContext::setFramePointer): + (JSC::MachineContext::instructionPointerImpl): + (JSC::MachineContext::instructionPointer): + (JSC::MachineContext::setInstructionPointer): + (JSC::MachineContext::linkRegisterImpl): + (JSC::MachineContext::linkRegister): + (JSC::MachineContext::setLinkRegister): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::takeSample): + * runtime/VMTraps.cpp: + (JSC::SignalContext::SignalContext): + (JSC::VMTraps::tryInstallTrapBreakpoints): + * tools/CodeProfiling.cpp: + (JSC::profilingTimer): + * tools/SigillCrashAnalyzer.cpp: + (JSC::SignalContext::dump): + (JSC::installCrashHandler): + (JSC::SigillCrashAnalyzer::analyze): + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + +2018-04-19 David Kilzer + + Enable Objective-C weak references + + + + Reviewed by Dan Bernstein. + + * Configurations/Base.xcconfig: + (CLANG_ENABLE_OBJC_WEAK): Enable. + * Configurations/ToolExecutable.xcconfig: + (CLANG_ENABLE_OBJC_ARC): Simplify. + +2018-04-17 Filip Pizlo + + The InternalFunction hierarchy should be in IsoSubspaces + https://bugs.webkit.org/show_bug.cgi?id=184721 + + Reviewed by Saam Barati. + + This moves InternalFunction into a IsoSubspace. It also moves all subclasses into IsoSubspaces, + but subclasses that are the same size as InternalFunction share its subspace. I did this + because the subclasses appear to just override methods, which are called dynamically via the + structure or class of the object. So, I don't see a type confusion risk if UAF is used to + allocate one kind of InternalFunction over another. 
+ + * API/JSBase.h: + * API/JSCallbackFunction.h: + * API/ObjCCallbackFunction.h: + (JSC::ObjCCallbackFunction::subspaceFor): + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/IsoSubspacePerVM.cpp: Added. + (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace): + (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::~AutoremovingIsoSubspace): + (JSC::IsoSubspacePerVM::IsoSubspacePerVM): + (JSC::IsoSubspacePerVM::~IsoSubspacePerVM): + (JSC::IsoSubspacePerVM::forVM): + * heap/IsoSubspacePerVM.h: Added. + (JSC::IsoSubspacePerVM::SubspaceParameters::SubspaceParameters): + * runtime/Error.h: + * runtime/ErrorConstructor.h: + * runtime/InternalFunction.h: + (JSC::InternalFunction::subspaceFor): + * runtime/IntlCollatorConstructor.h: + * runtime/IntlDateTimeFormatConstructor.h: + * runtime/IntlNumberFormatConstructor.h: + * runtime/JSArrayBufferConstructor.h: + * runtime/NativeErrorConstructor.h: + * runtime/ProxyRevoke.h: + * runtime/RegExpConstructor.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2018-04-19 Yusuke Suzuki + + Unreviewed, Fix jsc shell + https://bugs.webkit.org/show_bug.cgi?id=184600 + + WebAssembly module loading does not finish with drainMicrotasks(). + So JSNativeStdFunction's capturing variables become invalid. + This patch fixes this issue. + + * jsc.cpp: + (functionDollarAgentStart): + (runWithOptions): + (runJSC): + (jscmain): + +2018-04-18 Ross Kirsling + + REGRESSION(r230748) [WinCairo] 'JSC::JIT::appendCallWithSlowPathReturnType': function does not take 1 arguments + https://bugs.webkit.org/show_bug.cgi?id=184725 + + Reviewed by Mark Lam. + + * jit/JIT.h: + +2018-04-18 Yusuke Suzuki + + [WebAssembly][Modules] Import tables in wasm modules + https://bugs.webkit.org/show_bug.cgi?id=184738 + + Reviewed by JF Bastien. + + This patch simply allows wasm modules to import table from wasm modules / js re-exporting. 
+ Basically moving JSWebAssemblyInstance's table linking code to WebAssemblyModuleRecord::link + just works. + + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::create): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + +2018-04-18 Dominik Infuehr + + [ARM] Fix build error and crash after PtrTag change + https://bugs.webkit.org/show_bug.cgi?id=184732 + + Reviewed by Mark Lam. + + Do not pass NoPtrTag in callOperation and fix misspelled JSEntryPtrTag. Use + MacroAssemblerCodePtr::createFromExecutableAddress to avoid tagging a pointer + twice with ARM-Thumb2. + + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_put_by_val): + * jit/Repatch.cpp: + (JSC::linkPolymorphicCall): + +2018-04-18 Yusuke Suzuki + + [WebAssembly][Modules] Import globals from wasm modules + https://bugs.webkit.org/show_bug.cgi?id=184736 + + Reviewed by JF Bastien. + + This patch implements a feature importing globals to/from wasm modules. + Since we are not supporting mutable globals now, we can just copy the + global data when importing. Currently we do not support importing/exporting + i64 globals. This will be supported once (1) mutable global bindings are + specified and (2) BigInt based i64 importing/exporting is specified. + + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::create): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + +2018-04-18 Tomas Popela + + Unreviewed, fix build on ARM + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::readCallTarget): + +2018-04-18 Tomas Popela + + Unreviewed, fix build with GCC + + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::finalizeCodeWithDisassembly): + +2018-04-18 Yusuke Suzuki + + Unreviewed, reland r230697, r230720, and r230724. + https://bugs.webkit.org/show_bug.cgi?id=184600 + + With CatchScope check. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/ModuleLoaderPrototype.js: + (globalPrivate.newRegistryEntry): + (requestInstantiate): + (link): + * jsc.cpp: + (convertShebangToJSComment): + (fillBufferWithContentsOfFile): + (fetchModuleFromLocalFileSystem): + (GlobalObject::moduleLoaderFetch): + (functionDollarAgentStart): + (checkException): + (runWithOptions): + * parser/NodesAnalyzeModule.cpp: + (JSC::ImportDeclarationNode::analyzeModule): + * parser/SourceProvider.h: + (JSC::WebAssemblySourceProvider::create): + (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider): + * runtime/AbstractModuleRecord.cpp: + (JSC::AbstractModuleRecord::hostResolveImportedModule): + (JSC::AbstractModuleRecord::resolveImport): + (JSC::AbstractModuleRecord::link): + (JSC::AbstractModuleRecord::evaluate): + (JSC::identifierToJSValue): Deleted. + * runtime/AbstractModuleRecord.h: + (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull): + (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted. + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames): + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::evaluate): + * runtime/JSModuleRecord.cpp: + (JSC::JSModuleRecord::link): + (JSC::JSModuleRecord::instantiateDeclarations): + * runtime/JSModuleRecord.h: + * runtime/ModuleLoaderPrototype.cpp: + (JSC::moduleLoaderPrototypeParseModule): + (JSC::moduleLoaderPrototypeRequestedModules): + (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation): + * wasm/WasmCreationMode.h: Copied from Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.h. 
+ * wasm/js/JSWebAssemblyHelpers.h: + (JSC::getWasmBufferFromValue): + (JSC::createSourceBufferFromValue): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finalizeCreation): + (JSC::JSWebAssemblyInstance::createPrivateModuleKey): + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::prepareLink): + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyModuleRecord.h: + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::resolve): + (JSC::instantiate): + (JSC::compileAndInstantiate): + (JSC::WebAssemblyPrototype::instantiate): + (JSC::webAssemblyInstantiateFunc): + (JSC::webAssemblyValidateFunc): + * wasm/js/WebAssemblyPrototype.h: + +2018-04-17 Carlos Garcia Campos + + [GLIB] Make it possible to handle JSCClass external properties not added to the prototype + https://bugs.webkit.org/show_bug.cgi?id=184687 + + Reviewed by Michael Catanzaro. + + Add JSCClassVTable that can be optionally passed to jsc_context_register_class() to provide implmentations for + JSClassDefinition. This is required to implement dynamic properties that can't be added with + jsc_class_add_property() for example to implement something like imports object in seed/gjs. + + * API/glib/JSCClass.cpp: + (VTableExceptionHandler::VTableExceptionHandler): Helper class to handle the exceptions in vtable functions that + can throw exceptions. + (VTableExceptionHandler::~VTableExceptionHandler): + (getProperty): Iterate the class chain to call get_property function. + (setProperty): Iterate the class chain to call set_property function. + (hasProperty): Iterate the class chain to call has_property function. + (deleteProperty): Iterate the class chain to call delete_property function. + (getPropertyNames): Iterate the class chain to call enumerate_properties function. 
+ (jsc_class_class_init): Remove constructed implementation, since we need to initialize the JSClassDefinition in + jscClassCreate now. + (jscClassCreate): Receive an optional JSCClassVTable that is used to initialize the JSClassDefinition. + * API/glib/JSCClass.h: + * API/glib/JSCClassPrivate.h: + * API/glib/JSCContext.cpp: + (jscContextGetRegisteredClass): Helper to get the JSCClass for a given JSClassRef. + (jsc_context_register_class): Add JSCClassVTable parameter. + * API/glib/JSCContext.h: + * API/glib/JSCContextPrivate.h: + * API/glib/JSCWrapperMap.cpp: + (JSC::WrapperMap::registeredClass const): Get the JSCClass for a given JSClassRef. + * API/glib/JSCWrapperMap.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: Add new symbols. + +2018-04-17 Mark Lam + + Templatize CodePtr/Refs/FunctionPtrs with PtrTags. + https://bugs.webkit.org/show_bug.cgi?id=184702 + + + Reviewed by Filip Pizlo and Saam Barati. + + 1. Templatized MacroAssemblerCodePtr/Ref, FunctionPtr, and CodeLocation variants + to take a PtrTag template argument. + 2. Replaced some uses of raw pointers with the equivalent CodePtr / FunctionPtr. 
+ + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::differenceBetweenCodePtr): + (JSC::AbstractMacroAssembler::linkJump): + (JSC::AbstractMacroAssembler::linkPointer): + (JSC::AbstractMacroAssembler::getLinkerAddress): + (JSC::AbstractMacroAssembler::repatchJump): + (JSC::AbstractMacroAssembler::repatchJumpToNop): + (JSC::AbstractMacroAssembler::repatchNearCall): + (JSC::AbstractMacroAssembler::repatchCompact): + (JSC::AbstractMacroAssembler::repatchInt32): + (JSC::AbstractMacroAssembler::repatchPointer): + (JSC::AbstractMacroAssembler::readPointer): + (JSC::AbstractMacroAssembler::replaceWithLoad): + (JSC::AbstractMacroAssembler::replaceWithAddressComputation): + * assembler/CodeLocation.h: + (JSC::CodeLocationCommon:: const): + (JSC::CodeLocationCommon::CodeLocationCommon): + (JSC::CodeLocationInstruction::CodeLocationInstruction): + (JSC::CodeLocationLabel::CodeLocationLabel): + (JSC::CodeLocationLabel::retagged): + (JSC::CodeLocationLabel:: const): + (JSC::CodeLocationJump::CodeLocationJump): + (JSC::CodeLocationJump::retagged): + (JSC::CodeLocationCall::CodeLocationCall): + (JSC::CodeLocationCall::retagged): + (JSC::CodeLocationNearCall::CodeLocationNearCall): + (JSC::CodeLocationDataLabel32::CodeLocationDataLabel32): + (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact): + (JSC::CodeLocationDataLabelPtr::CodeLocationDataLabelPtr): + (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad): + (JSC::CodeLocationCommon::instructionAtOffset): + (JSC::CodeLocationCommon::labelAtOffset): + (JSC::CodeLocationCommon::jumpAtOffset): + (JSC::CodeLocationCommon::callAtOffset): + (JSC::CodeLocationCommon::nearCallAtOffset): + (JSC::CodeLocationCommon::dataLabelPtrAtOffset): + (JSC::CodeLocationCommon::dataLabel32AtOffset): + (JSC::CodeLocationCommon::dataLabelCompactAtOffset): + (JSC::CodeLocationCommon::convertibleLoadAtOffset): + (JSC::CodeLocationCommon::instructionAtOffset): Deleted. 
+ (JSC::CodeLocationCommon::labelAtOffset): Deleted. + (JSC::CodeLocationCommon::jumpAtOffset): Deleted. + (JSC::CodeLocationCommon::callAtOffset): Deleted. + (JSC::CodeLocationCommon::nearCallAtOffset): Deleted. + (JSC::CodeLocationCommon::dataLabelPtrAtOffset): Deleted. + (JSC::CodeLocationCommon::dataLabel32AtOffset): Deleted. + (JSC::CodeLocationCommon::dataLabelCompactAtOffset): Deleted. + (JSC::CodeLocationCommon::convertibleLoadAtOffset): Deleted. + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::finalizeCodeWithoutDisassemblyImpl): + (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl): + (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): Deleted. + (JSC::LinkBuffer::finalizeCodeWithDisassembly): Deleted. + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::link): + (JSC::LinkBuffer::patch): + (JSC::LinkBuffer::entrypoint): + (JSC::LinkBuffer::locationOf): + (JSC::LinkBuffer::locationOfNearCall): + (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): + (JSC::LinkBuffer::finalizeCodeWithDisassembly): + (JSC::LinkBuffer::trampolineAt): + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::readCallTarget): + (JSC::MacroAssemblerARM::replaceWithJump): + (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerARM::startOfPatchableBranchPtrWithPatchOnAddress): + (JSC::MacroAssemblerARM::startOfBranchPtrWithPatchOnRegister): + (JSC::MacroAssemblerARM::revertJumpReplacementToBranchPtrWithPatch): + (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): + (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): + (JSC::MacroAssemblerARM::repatchCall): + (JSC::MacroAssemblerARM::linkCall): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::readCallTarget): + (JSC::MacroAssemblerARM64::replaceWithVMHalt): + (JSC::MacroAssemblerARM64::replaceWithJump): + (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister): + 
(JSC::MacroAssemblerARM64::startOfPatchableBranchPtrWithPatchOnAddress): + (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch): + (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranchPtrWithPatch): + (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch): + (JSC::MacroAssemblerARM64::repatchCall): + (JSC::MacroAssemblerARM64::linkCall): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::replaceWithJump): + (JSC::MacroAssemblerARMv7::readCallTarget): + (JSC::MacroAssemblerARMv7::startOfBranchPtrWithPatchOnRegister): + (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch): + (JSC::MacroAssemblerARMv7::startOfPatchableBranchPtrWithPatchOnAddress): + (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranchPtrWithPatch): + (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch): + (JSC::MacroAssemblerARMv7::repatchCall): + (JSC::MacroAssemblerARMv7::linkCall): + * assembler/MacroAssemblerCodeRef.cpp: + (JSC::MacroAssemblerCodePtrBase::dumpWithName): + (JSC::MacroAssemblerCodeRefBase::tryToDisassemble): + (JSC::MacroAssemblerCodeRefBase::disassembly): + (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): Deleted. + (JSC::MacroAssemblerCodePtr::dumpWithName const): Deleted. + (JSC::MacroAssemblerCodePtr::dump const): Deleted. + (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): Deleted. + (JSC::MacroAssemblerCodeRef::tryToDisassemble const): Deleted. + (JSC::MacroAssemblerCodeRef::disassembly const): Deleted. + (JSC::MacroAssemblerCodeRef::dump const): Deleted. 
+ * assembler/MacroAssemblerCodeRef.h: + (JSC::FunctionPtr::FunctionPtr): + (JSC::FunctionPtr::retagged const): + (JSC::FunctionPtr::retaggedExecutableAddress const): + (JSC::FunctionPtr::operator== const): + (JSC::FunctionPtr::operator!= const): + (JSC::ReturnAddressPtr::ReturnAddressPtr): + (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): + (JSC::MacroAssemblerCodePtr::createFromExecutableAddress): + (JSC::MacroAssemblerCodePtr::retagged const): + (JSC::MacroAssemblerCodePtr:: const): + (JSC::MacroAssemblerCodePtr::dumpWithName const): + (JSC::MacroAssemblerCodePtr::dump const): + (JSC::MacroAssemblerCodePtrHash::hash): + (JSC::MacroAssemblerCodePtrHash::equal): + (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef): + (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef): + (JSC::MacroAssemblerCodeRef::code const): + (JSC::MacroAssemblerCodeRef::retaggedCode const): + (JSC::MacroAssemblerCodeRef::retagged const): + (JSC::MacroAssemblerCodeRef::tryToDisassemble const): + (JSC::MacroAssemblerCodeRef::disassembly const): + (JSC::MacroAssemblerCodeRef::dump const): + (JSC::FunctionPtr::FunctionPtr): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::readCallTarget): + (JSC::MacroAssemblerMIPS::replaceWithJump): + (JSC::MacroAssemblerMIPS::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerMIPS::startOfBranchPtrWithPatchOnRegister): + (JSC::MacroAssemblerMIPS::revertJumpReplacementToBranchPtrWithPatch): + (JSC::MacroAssemblerMIPS::startOfPatchableBranchPtrWithPatchOnAddress): + (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranch32WithPatch): + (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch): + (JSC::MacroAssemblerMIPS::repatchCall): + (JSC::MacroAssemblerMIPS::linkCall): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::readCallTarget): + (JSC::MacroAssemblerX86::startOfBranchPtrWithPatchOnRegister): + (JSC::MacroAssemblerX86::startOfPatchableBranchPtrWithPatchOnAddress): + 
(JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerX86::revertJumpReplacementToBranchPtrWithPatch): + (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranchPtrWithPatch): + (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch): + (JSC::MacroAssemblerX86::repatchCall): + (JSC::MacroAssemblerX86::linkCall): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::repatchCompact): + (JSC::MacroAssemblerX86Common::replaceWithVMHalt): + (JSC::MacroAssemblerX86Common::replaceWithJump): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::readCallTarget): + (JSC::MacroAssemblerX86_64::startOfBranchPtrWithPatchOnRegister): + (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister): + (JSC::MacroAssemblerX86_64::startOfPatchableBranchPtrWithPatchOnAddress): + (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranchPtrWithPatch): + (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch): + (JSC::MacroAssemblerX86_64::revertJumpReplacementToBranchPtrWithPatch): + (JSC::MacroAssemblerX86_64::repatchCall): + (JSC::MacroAssemblerX86_64::linkCall): + * assembler/testmasm.cpp: + (JSC::compile): + (JSC::invoke): + (JSC::testProbeModifiesProgramCounter): + * b3/B3Compilation.cpp: + (JSC::B3::Compilation::Compilation): + * b3/B3Compilation.h: + (JSC::B3::Compilation::code const): + (JSC::B3::Compilation::codeRef const): + * b3/B3Compile.cpp: + (JSC::B3::compile): + * b3/B3LowerMacros.cpp: + * b3/air/AirDisassembler.cpp: + (JSC::B3::Air::Disassembler::dump): + * b3/air/testair.cpp: + * b3/testb3.cpp: + (JSC::B3::invoke): + (JSC::B3::testInterpreter): + (JSC::B3::testEntrySwitchSimple): + (JSC::B3::testEntrySwitchNoEntrySwitch): + (JSC::B3::testEntrySwitchWithCommonPaths): + (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): + 
(JSC::B3::testEntrySwitchLoop): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/AccessCaseSnippetParams.cpp: + (JSC::SlowPathCallGeneratorWithArguments::generateImpl): + * bytecode/ByValInfo.h: + (JSC::ByValInfo::ByValInfo): + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::callReturnLocation): + (JSC::CallLinkInfo::patchableJump): + (JSC::CallLinkInfo::hotPathBegin): + (JSC::CallLinkInfo::slowPathStart): + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::setCallLocations): + (JSC::CallLinkInfo::hotPathOther): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::GetByIdVariant): + (JSC::GetByIdVariant::dumpInContext const): + * bytecode/GetByIdVariant.h: + (JSC::GetByIdVariant::customAccessorGetter const): + * bytecode/GetterSetterAccessCase.cpp: + (JSC::GetterSetterAccessCase::create): + (JSC::GetterSetterAccessCase::GetterSetterAccessCase): + (JSC::GetterSetterAccessCase::dumpImpl const): + * bytecode/GetterSetterAccessCase.h: + (JSC::GetterSetterAccessCase::customAccessor const): + (): Deleted. 
+ * bytecode/HandlerInfo.h: + (JSC::HandlerInfo::initialize): + * bytecode/InlineAccess.cpp: + (JSC::linkCodeInline): + (JSC::InlineAccess::rewireStubAsJump): + * bytecode/InlineAccess.h: + * bytecode/JumpTable.h: + (JSC::StringJumpTable::ctiForValue): + (JSC::SimpleJumpTable::ctiForValue): + * bytecode/LLIntCallLinkInfo.h: + (JSC::LLIntCallLinkInfo::unlink): + * bytecode/PolymorphicAccess.cpp: + (JSC::AccessGenerationState::emitExplicitExceptionHandler): + (JSC::PolymorphicAccess::regenerate): + * bytecode/PolymorphicAccess.h: + (JSC::AccessGenerationResult::AccessGenerationResult): + (JSC::AccessGenerationResult::code const): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::slowPathCallLocation): + (JSC::StructureStubInfo::doneLocation): + (JSC::StructureStubInfo::slowPathStartLocation): + (JSC::StructureStubInfo::patchableJumpForIn): + * dfg/DFGCommonData.h: + (JSC::DFG::CommonData::appendCatchEntrypoint): + * dfg/DFGDisassembler.cpp: + (JSC::DFG::Disassembler::dumpDisassembly): + * dfg/DFGDriver.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::linkOSRExits): + (JSC::DFG::JITCompiler::compileExceptionHandlers): + (JSC::DFG::JITCompiler::link): + (JSC::DFG::JITCompiler::compileFunction): + (JSC::DFG::JITCompiler::noticeCatchEntrypoint): + * dfg/DFGJITCompiler.h: + (JSC::DFG::CallLinkRecord::CallLinkRecord): + (JSC::DFG::JITCompiler::appendCall): + (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord): + (JSC::DFG::JITCompiler::JSDirectCallRecord::JSDirectCallRecord): + (JSC::DFG::JITCompiler::JSDirectTailCallRecord::JSDirectTailCallRecord): + * dfg/DFGJITFinalizer.cpp: + (JSC::DFG::JITFinalizer::JITFinalizer): + (JSC::DFG::JITFinalizer::finalize): + (JSC::DFG::JITFinalizer::finalizeFunction): + * dfg/DFGJITFinalizer.h: + * dfg/DFGJumpReplacement.h: + (JSC::DFG::JumpReplacement::JumpReplacement): + * dfg/DFGNode.h: + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + (JSC::DFG::prepareCatchOSREntry): + * dfg/DFGOSREntry.h: + 
(JSC::DFG::prepareOSREntry): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::executeOSRExit): + (JSC::DFG::reifyInlinedCallFrames): + (JSC::DFG::adjustAndJumpToTarget): + (JSC::DFG::OSRExit::codeLocationForRepatch const): + (JSC::DFG::OSRExit::emitRestoreArguments): + (JSC::DFG::OSRExit::compileOSRExit): + * dfg/DFGOSRExit.h: + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::handleExitCounts): + (JSC::DFG::reifyInlinedCallFrames): + (JSC::DFG::osrWriteBarrier): + (JSC::DFG::adjustAndJumpToTarget): + * dfg/DFGOperations.cpp: + * dfg/DFGSlowPathGenerator.h: + (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator): + (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate): + (JSC::DFG::slowPathCall): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileMathIC): + (JSC::DFG::SpeculativeJIT::compileCallDOM): + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): + (JSC::DFG::SpeculativeJIT::emitSwitchImm): + (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): + (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): + (JSC::DFG::SpeculativeJIT::compileGetDirectPname): + (JSC::DFG::SpeculativeJIT::cachedPutById): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + (JSC::DFG::SpeculativeJIT::appendCall): + (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException): + (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult): + (JSC::DFG::SpeculativeJIT::appendCallSetResult): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitThunkGenerator): + (JSC::DFG::osrExitGenerationThunkGenerator): + (JSC::DFG::osrEntryThunkGenerator): + * dfg/DFGThunks.h: + * disassembler/ARM64Disassembler.cpp: + (JSC::tryToDisassemble): + * 
disassembler/ARMv7Disassembler.cpp: + (JSC::tryToDisassemble): + * disassembler/Disassembler.cpp: + (JSC::disassemble): + (JSC::disassembleAsynchronously): + * disassembler/Disassembler.h: + (JSC::tryToDisassemble): + * disassembler/UDis86Disassembler.cpp: + (JSC::tryToDisassembleWithUDis86): + * disassembler/UDis86Disassembler.h: + (JSC::tryToDisassembleWithUDis86): + * disassembler/X86Disassembler.cpp: + (JSC::tryToDisassemble): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLExceptionTarget.cpp: + (JSC::FTL::ExceptionTarget::label): + (JSC::FTL::ExceptionTarget::jumps): + * ftl/FTLExceptionTarget.h: + * ftl/FTLGeneratedFunction.h: + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::initializeB3Code): + (JSC::FTL::JITCode::initializeAddressForCall): + (JSC::FTL::JITCode::initializeArityCheckEntrypoint): + (JSC::FTL::JITCode::addressForCall): + (JSC::FTL::JITCode::executableAddressAtOffset): + * ftl/FTLJITCode.h: + (JSC::FTL::JITCode::b3Code const): + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeCommon): + * ftl/FTLLazySlowPath.cpp: + (JSC::FTL::LazySlowPath::initialize): + (JSC::FTL::LazySlowPath::generate): + * ftl/FTLLazySlowPath.h: + (JSC::FTL::LazySlowPath::patchableJump const): + (JSC::FTL::LazySlowPath::done const): + (JSC::FTL::LazySlowPath::stub const): + * ftl/FTLLazySlowPathCall.h: + (JSC::FTL::createLazyCallGenerator): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + (JSC::FTL::DFG::LowerDFGToB3::compileInvalidationPoint): + (JSC::FTL::DFG::LowerDFGToB3::compileIn): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + 
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM): + (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter): + (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): + * ftl/FTLOSRExit.cpp: + (JSC::FTL::OSRExit::codeLocationForRepatch const): + * ftl/FTLOSRExit.h: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLOSRExitHandle.cpp: + (JSC::FTL::OSRExitHandle::emitExitThunk): + * ftl/FTLOperations.cpp: + (JSC::FTL::compileFTLLazySlowPath): + * ftl/FTLPatchpointExceptionHandle.cpp: + (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind): + * ftl/FTLSlowPathCall.cpp: + (JSC::FTL::SlowPathCallContext::keyWithTarget const): + (JSC::FTL::SlowPathCallContext::makeCall): + * ftl/FTLSlowPathCall.h: + (JSC::FTL::callOperation): + * ftl/FTLSlowPathCallKey.cpp: + (JSC::FTL::SlowPathCallKey::dump const): + * ftl/FTLSlowPathCallKey.h: + (JSC::FTL::SlowPathCallKey::SlowPathCallKey): + (JSC::FTL::SlowPathCallKey::callTarget const): + (JSC::FTL::SlowPathCallKey::withCallTarget): + (JSC::FTL::SlowPathCallKey::hash const): + (JSC::FTL::SlowPathCallKey::callPtrTag const): Deleted. 
+ * ftl/FTLState.cpp: + (JSC::FTL::State::State): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + (JSC::FTL::osrExitGenerationThunkGenerator): + (JSC::FTL::lazySlowPathGenerationThunkGenerator): + (JSC::FTL::slowPathCallThunkGenerator): + * ftl/FTLThunks.h: + (JSC::FTL::generateIfNecessary): + (JSC::FTL::keyForThunk): + (JSC::FTL::Thunks::getSlowPathCallThunk): + (JSC::FTL::Thunks::keyForSlowPathCallThunk): + * interpreter/InterpreterInlines.h: + (JSC::Interpreter::getOpcodeID): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::callExceptionFuzz): + (JSC::AssemblyHelpers::emitDumbVirtualCall): + (JSC::AssemblyHelpers::debugCall): + * jit/CCallHelpers.cpp: + (JSC::CCallHelpers::ensureShadowChickenPacket): + * jit/ExecutableAllocator.cpp: + (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps): + (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator): + * jit/ExecutableAllocator.h: + (JSC::performJITMemcpy): + * jit/GCAwareJITStubRoutine.cpp: + (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine): + (JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine): + (JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler): + (JSC::createJITStubRoutine): + * jit/GCAwareJITStubRoutine.h: + (JSC::createJITStubRoutine): + * jit/JIT.cpp: + (JSC::ctiPatchCallByReturnAddress): + (JSC::JIT::compileWithoutLinking): + (JSC::JIT::link): + (JSC::JIT::privateCompileExceptionHandlers): + * jit/JIT.h: + (JSC::CallRecord::CallRecord): + * jit/JITArithmetic.cpp: + (JSC::JIT::emitMathICFast): + (JSC::JIT::emitMathICSlow): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCallSlowCase): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCallSlowCase): + * jit/JITCode.cpp: + (JSC::JITCodeWithCodeRef::JITCodeWithCodeRef): + (JSC::JITCodeWithCodeRef::executableAddressAtOffset): + (JSC::DirectJITCode::DirectJITCode): + (JSC::DirectJITCode::initializeCodeRef): + (JSC::DirectJITCode::addressForCall): + 
(JSC::NativeJITCode::NativeJITCode): + (JSC::NativeJITCode::initializeCodeRef): + (JSC::NativeJITCode::addressForCall): + * jit/JITCode.h: + * jit/JITCodeMap.h: + (JSC::JITCodeMap::Entry::Entry): + (JSC::JITCodeMap::Entry::codeLocation): + (JSC::JITCodeMap::append): + (JSC::JITCodeMap::find const): + * jit/JITDisassembler.cpp: + (JSC::JITDisassembler::dumpDisassembly): + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITByIdGenerator::finalize): + * jit/JITInlines.h: + (JSC::JIT::emitNakedCall): + (JSC::JIT::emitNakedTailCall): + (JSC::JIT::appendCallWithExceptionCheck): + (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): + (JSC::JIT::appendCallWithCallFrameRollbackOnException): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + (JSC::JIT::emit_op_switch_string): + (JSC::JIT::privateCompileHasIndexedProperty): + (JSC::JIT::emitSlow_op_has_indexed_property): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITOperations.cpp: + (JSC::getByVal): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::emitGetByValWithCachedId): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emitSlow_op_try_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id_direct): + (JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_put_by_id): + (JSC::JIT::privateCompileGetByVal): + (JSC::JIT::privateCompileGetByValWithCachedId): + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::stringGetByValStubGenerator): + 
(JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emitSlow_op_put_by_val): + * jit/JITStubRoutine.h: + (JSC::JITStubRoutine::JITStubRoutine): + (JSC::JITStubRoutine::createSelfManagedRoutine): + (JSC::JITStubRoutine::code const): + (JSC::JITStubRoutine::asCodePtr): + * jit/JITThunks.cpp: + (JSC::JITThunks::ctiNativeCall): + (JSC::JITThunks::ctiNativeConstruct): + (JSC::JITThunks::ctiNativeTailCall): + (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags): + (JSC::JITThunks::ctiInternalFunctionCall): + (JSC::JITThunks::ctiInternalFunctionConstruct): + (JSC::JITThunks::ctiStub): + (JSC::JITThunks::existingCTIStub): + (JSC::JITThunks::hostFunctionStub): + * jit/JITThunks.h: + * jit/PCToCodeOriginMap.cpp: + (JSC::PCToCodeOriginMap::PCToCodeOriginMap): + * jit/PCToCodeOriginMap.h: + * jit/PolymorphicCallStubRoutine.cpp: + (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine): + * jit/PolymorphicCallStubRoutine.h: + * jit/Repatch.cpp: + (JSC::readPutICCallTarget): + (JSC::ftlThunkAwareRepatchCall): + (JSC::appropriateOptimizingGetByIdFunction): + (JSC::appropriateGetByIdFunction): + (JSC::tryCacheGetByID): + (JSC::repatchGetByID): + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + (JSC::tryCacheIn): + (JSC::repatchIn): + (JSC::linkSlowFor): + (JSC::linkFor): + (JSC::linkDirectFor): + (JSC::revertCall): + (JSC::unlinkFor): + (JSC::linkVirtualFor): + (JSC::linkPolymorphicCall): + (JSC::resetGetByID): + (JSC::resetPutByID): + * jit/Repatch.h: + * jit/SlowPathCall.h: + (JSC::JITSlowPathCall::call): + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::finalize): + (JSC::SpecializedThunkJIT::callDoubleToDouble): + (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn): + * jit/ThunkGenerator.h: + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromCallSlowPathGenerator): + (JSC::slowPathFor): + (JSC::linkCallThunkGenerator): + (JSC::linkPolymorphicCallThunkGenerator): + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + (JSC::nativeCallGenerator): + 
(JSC::nativeTailCallGenerator): + (JSC::nativeTailCallWithoutSavedTagsGenerator): + (JSC::nativeConstructGenerator): + (JSC::internalFunctionCallGenerator): + (JSC::internalFunctionConstructGenerator): + (JSC::arityFixupGenerator): + (JSC::unreachableGenerator): + (JSC::charCodeAtThunkGenerator): + (JSC::charAtThunkGenerator): + (JSC::fromCharCodeThunkGenerator): + (JSC::clz32ThunkGenerator): + (JSC::sqrtThunkGenerator): + (JSC::floorThunkGenerator): + (JSC::ceilThunkGenerator): + (JSC::truncThunkGenerator): + (JSC::roundThunkGenerator): + (JSC::expThunkGenerator): + (JSC::logThunkGenerator): + (JSC::absThunkGenerator): + (JSC::imulThunkGenerator): + (JSC::randomThunkGenerator): + (JSC::boundThisNoArgsFunctionCallGenerator): + * jit/ThunkGenerators.h: + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::getExecutableAddress): + (JSC::LLInt::getCodePtr): + (JSC::LLInt::getCodeRef): + (JSC::LLInt::getCodeFunctionPtr): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::setFunctionEntrypoint): + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + * llint/LLIntExceptions.cpp: + (JSC::LLInt::callToThrow): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::setUpCall): + * llint/LLIntThunks.cpp: + (JSC::vmEntryToWasm): + (JSC::LLInt::generateThunkWithJumpTo): + (JSC::LLInt::functionForCallEntryThunkGenerator): + (JSC::LLInt::functionForConstructEntryThunkGenerator): + (JSC::LLInt::functionForCallArityCheckThunkGenerator): + (JSC::LLInt::functionForConstructArityCheckThunkGenerator): + (JSC::LLInt::evalEntryThunkGenerator): + (JSC::LLInt::programEntryThunkGenerator): + (JSC::LLInt::moduleProgramEntryThunkGenerator): + * llint/LLIntThunks.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * profiler/ProfilerCompilation.cpp: + (JSC::Profiler::Compilation::addOSRExitSite): + * 
profiler/ProfilerCompilation.h: + * profiler/ProfilerOSRExitSite.cpp: + (JSC::Profiler::OSRExitSite::toJS const): + * profiler/ProfilerOSRExitSite.h: + (JSC::Profiler::OSRExitSite::OSRExitSite): + (JSC::Profiler::OSRExitSite::codeAddress const): + (JSC::Profiler::OSRExitSite:: const): Deleted. + * runtime/ExecutableBase.cpp: + (JSC::ExecutableBase::clearCode): + * runtime/ExecutableBase.h: + (JSC::ExecutableBase::entrypointFor): + * runtime/NativeExecutable.cpp: + (JSC::NativeExecutable::finishCreation): + * runtime/NativeFunction.h: + (JSC::TaggedNativeFunction::TaggedNativeFunction): + (JSC::TaggedNativeFunction::operator NativeFunction): + * runtime/PtrTag.h: + (JSC::tagCodePtr): + (JSC::untagCodePtr): + (JSC::retagCodePtr): + (JSC::tagCFunctionPtr): + (JSC::untagCFunctionPtr): + (JSC::nextPtrTagID): Deleted. + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::PutPropertySlot): + (JSC::PutPropertySlot::setCustomValue): + (JSC::PutPropertySlot::setCustomAccessor): + (JSC::PutPropertySlot::customSetter const): + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::installCode): + * runtime/VM.cpp: + (JSC::VM::getHostFunction): + (JSC::VM::getCTIInternalFunctionTrampolineFor): + * runtime/VM.h: + (JSC::VM::getCTIStub): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::emitExceptionCheck): + (JSC::Wasm::B3IRGenerator::emitTierUpCheck): + (JSC::Wasm::B3IRGenerator::addCall): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::prepare): + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmBBQPlan.h: + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmBinding.h: + * wasm/WasmCallee.h: + (JSC::Wasm::Callee::entrypoint const): + * wasm/WasmCallingConvention.h: + (JSC::Wasm::CallingConvention::setupFrameInPrologue const): + * wasm/WasmCodeBlock.h: + (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace): + * wasm/WasmFaultSignalHandler.cpp: + 
(JSC::Wasm::trapHandler): + * wasm/WasmFormat.h: + * wasm/WasmInstance.h: + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): + (JSC::Wasm::triggerOMGTierUpThunkGenerator): + (JSC::Wasm::Thunks::stub): + (JSC::Wasm::Thunks::existingStub): + * wasm/WasmThunks.h: + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * wasm/js/WasmToJS.h: + * wasm/js/WebAssemblyFunction.h: + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::loadFromFrameAndJump): + (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels): + (JSC::Yarr::YarrGenerator::compile): + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::set8BitCode): + (JSC::Yarr::YarrCodeBlock::set16BitCode): + (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly): + (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly): + (JSC::Yarr::YarrCodeBlock::execute): + (JSC::Yarr::YarrCodeBlock::clear): + +2018-04-17 Commit Queue + + Unreviewed, rolling out r230697, r230720, and r230724. + https://bugs.webkit.org/show_bug.cgi?id=184717 + + These caused multiple failures on the Test262 testers. + (Requested by mlewis13 on #webkit). 
+ + Reverted changesets: + + "[WebAssembly][Modules] Prototype wasm import" + https://bugs.webkit.org/show_bug.cgi?id=184600 + https://trac.webkit.org/changeset/230697 + + "[WebAssembly][Modules] Implement function import from wasm + modules" + https://bugs.webkit.org/show_bug.cgi?id=184689 + https://trac.webkit.org/changeset/230720 + + "[JSC] Rename runWebAssembly to runWebAssemblySuite" + https://bugs.webkit.org/show_bug.cgi?id=184703 + https://trac.webkit.org/changeset/230724 + +2018-04-17 JF Bastien + + A put is not an ExistingProperty put when we transition a structure because of an attributes change + https://bugs.webkit.org/show_bug.cgi?id=184706 + + + Reviewed by Saam Barati. + + When putting a property on a structure and the slot is a different + type, the slot can't be said to have already been existing. + + * runtime/JSObjectInlines.h: + (JSC::JSObject::putDirectInternal): + +2018-04-17 Filip Pizlo + + JSGenericTypedArrayView<>::visitChildren has a race condition reading m_mode and m_vector + https://bugs.webkit.org/show_bug.cgi?id=184705 + + Reviewed by Michael Saboff. + + My old multisocket Mac Pro is amazing at catching race conditions in the GC. Earlier today + while testing an unrelated patch, a concurrent GC thread crashed inside + JSGenericTypedArrayView<>::visitChildren() calling markAuxiliary(). I'm pretty sure it's + because a typed array became wasteful concurrently to the GC. So, visitChildren() read one + mode and another vector. + + The fix is to lock inside visitChildren and anyone who changes those fields. + + I'm not even going to try to write a test. I think it's super lucky that my Mac Pro caught + this. 
+ + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::neuter): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::visitChildren): + (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory): + +2018-04-16 Filip Pizlo + + PutStackSinkingPhase should know that KillStack means ConflictingFlush + https://bugs.webkit.org/show_bug.cgi?id=184672 + + Reviewed by Michael Saboff. + + We've had a long history of KillStack and PutStackSinkingPhase having problems. We kept changing the meaning of + KillStack, and at some point we removed reasoning about KillStack from PutStackSinkingPhase. I tried doing some + archeology - but I'm still not sure why that phase ignores KillStack entirely. Maybe it's an oversight or maybe it's + intentional - I don't know. + + Whatever the history, it's clear from the attached test case that ignoring KillStack is not correct. The outcome of + doing so is that we will sometimes sink a PutStack below a KillStack. That's wrong because then, OSR exit will use + the value from the PutStack instead of using the value from the MovHint that is associated with the KillStack. So, + KillStack must be seen as a special kind of clobber of the stack slot. OSRAvailabiity uses ConflictingFlush. I think + that's correct here, too. If we used DeadFlush and that was merged with another control flow path that had a + specific flush format, then we would think that we could sink the flush from that path. That's not right, since that + could still lead to sinking a PutStack past the KillStack in the sense that a PutStack will appear after the + KillStack along one path through the CFG. Also, the definition of DeadFlush and ConflictingFlush in the comment + inside PutStackSinkingPhase seems to suggest that KillStack is a ConflictingFlush, since DeadFlush means that we + have done some PutStack and their values are still valid. KillStack is not a PutStack and it means that previous + values are not valid. 
The definition of ConflictingFlush is that "we know, via forward flow, that there isn't any + value in the given local that anyone should have been relying on" - which exactly matches KillStack's definition. + + This also means that we cannot eliminate arguments allocations that are live over KillStacks, since if we eliminated + them then we would have a GetStack after a KillStack. One easy way to fix this is to say that KillStack writes to + its stack slot for the purpose of clobberize. + + * dfg/DFGClobberize.h: KillStack "writes" to its stack slot. + * dfg/DFGPutStackSinkingPhase.cpp: Fix the bug. + * ftl/FTLLowerDFGToB3.cpp: Add better assertion failure. + (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): + +2018-04-17 Filip Pizlo + + JSWebAssemblyCodeBlock should be in an IsoSubspace + https://bugs.webkit.org/show_bug.cgi?id=184704 + + Reviewed by Mark Lam. + + Previously it was in a CompleteSubspace, which is pretty good, but also quite wasteful. + CompleteSubspace means about 4KB of data to track the size-allocator mapping. IsoSubspace + shortcircuits this. Also, IsoSubspace uses the iso allocator, so it provides stronger UAF + protection. + + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * wasm/js/JSWebAssemblyCodeBlock.h: + +2018-04-17 Jer Noble + + Only enable useSeparatedWXHeap on ARM64. + https://bugs.webkit.org/show_bug.cgi?id=184697 + + Reviewed by Saam Barati. + + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + +2018-04-17 Yusuke Suzuki + + [WebAssembly][Modules] Implement function import from wasm modules + https://bugs.webkit.org/show_bug.cgi?id=184689 + + Reviewed by JF Bastien. + + This patch implements function import from wasm modules. We move function importing part + from JSWebAssemblyInstance's creation function to WebAssemblyModuleRecord::link. This + is because linking these functions requires that all the dependent modules are created. 
+ While we want to move all the linking functionality from JSWebAssemblyInstance to + WebAssemblyModuleRecord::link, we do not that in this patch. In this patch, we move only + function importing part because efficient compilation of WebAssembly needs to know + the type of WebAssemblyMemory (signaling or bound checking). This needs to know imported + or attached WebAssembly memory object. So we cannot defer this linking to + WebAssemblyModuleRecord::link now. + + The largest difference from JS module linking is that WebAssembly module linking links + function from the module by snapshotting. When you have a cyclic module graph like this, + + -> JS1 (export "fun") -> Wasm1 (import "fun from JS1) -+ + ^ | + +--------------------------------------------------+ + + we fail to link this since "fun" is not instantiated when Wasm1 is first linked. This behavior + is described in [1], and tested in this patch. + + [1]: https://github.com/WebAssembly/esm-integration/tree/master/proposals/esm-integration#js---wasm-cycle-where-js-is-higher-in-the-module-graph + + * JavaScriptCore.xcodeproj/project.pbxproj: + * jsc.cpp: + (functionDollarAgentStart): + (checkException): + (runWithOptions): + Small fixes for wasm module loading. + + * parser/NodesAnalyzeModule.cpp: + (JSC::ImportDeclarationNode::analyzeModule): + * runtime/AbstractModuleRecord.cpp: + (JSC::AbstractModuleRecord::resolveImport): + (JSC::AbstractModuleRecord::link): + * runtime/AbstractModuleRecord.h: + (JSC::AbstractModuleRecord::moduleEnvironmentMayBeNull): + (JSC::AbstractModuleRecord::ImportEntry::isNamespace const): Deleted. + Now, wasm modules can have import which is named "*". So this function does not work. + Since wasm modules never have namespace importing, we check this in JS's module analyzer. 
+ + * runtime/JSModuleEnvironment.cpp: + (JSC::JSModuleEnvironment::getOwnNonIndexPropertyNames): + * runtime/JSModuleRecord.cpp: + (JSC::JSModuleRecord::instantiateDeclarations): + * wasm/WasmCreationMode.h: Added. + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finalizeCreation): + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyModuleRecord.h: + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::resolve): + (JSC::instantiate): + (JSC::compileAndInstantiate): + (JSC::WebAssemblyPrototype::instantiate): + (JSC::webAssemblyInstantiateFunc): + +2018-04-17 Dominik Infuehr + + Implement setupArgumentsImpl for ARM and MIPS + https://bugs.webkit.org/show_bug.cgi?id=183786 + + Reviewed by Yusuke Suzuki. + + Implement setupArgumentsImpl for ARM (hardfp and softfp) and MIPS calling convention. Added + numCrossSources and extraGPRArgs to ArgCollection to keep track of extra + registers used for 64-bit values on 32-bit architectures. numCrossSources + keeps track of assignments from FPR to GPR registers as happens e.g. on MIPS. 
+ + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::moveDouble): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::moveDouble): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupStubCrossArgs): + (JSC::CCallHelpers::ArgCollection::ArgCollection): + (JSC::CCallHelpers::ArgCollection::pushRegArg): + (JSC::CCallHelpers::ArgCollection::pushExtraRegArg): + (JSC::CCallHelpers::ArgCollection::addGPRArg): + (JSC::CCallHelpers::ArgCollection::addGPRExtraArg): + (JSC::CCallHelpers::ArgCollection::addStackArg): + (JSC::CCallHelpers::ArgCollection::addPoke): + (JSC::CCallHelpers::ArgCollection::argCount): + (JSC::CCallHelpers::calculatePokeOffset): + (JSC::CCallHelpers::pokeForArgument): + (JSC::CCallHelpers::stackAligned): + (JSC::CCallHelpers::marshallArgumentRegister): + (JSC::CCallHelpers::setupArgumentsImpl): + (JSC::CCallHelpers::pokeArgumentsAligned): + (JSC::CCallHelpers::std::is_integral::value): + (JSC::CCallHelpers::std::is_pointer::value): + (JSC::CCallHelpers::setupArguments): + * jit/FPRInfo.h: + (JSC::FPRInfo::toArgumentRegister): + +2018-04-17 Saam Barati + + Add system trace points for process launch and for initializeWebProcess + https://bugs.webkit.org/show_bug.cgi?id=184669 + + Reviewed by Simon Fraser. + + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + (JSC::VMEntryScope::~VMEntryScope): + +2018-04-17 Jer Noble + + Fix duplicate symbol errors when building JavaScriptCore with non-empty WK_ALTERNATE_WEBKIT_SDK_PATH + https://bugs.webkit.org/show_bug.cgi?id=184602 + + Reviewed by Beth Dakin. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2018-04-17 Carlos Garcia Campos + + [GLIB] Add API to clear JSCContext uncaught exception + https://bugs.webkit.org/show_bug.cgi?id=184685 + + Reviewed by Žan Doberšek. + + Add jsc_context_clear_exception() to clear any possible uncaught exception in a JSCContext. 
+ + * API/glib/JSCContext.cpp: + (jsc_context_clear_exception): + * API/glib/JSCContext.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-04-17 Carlos Garcia Campos + + [GLIB] Add API to query, delete and enumerate properties + https://bugs.webkit.org/show_bug.cgi?id=184647 + + Reviewed by Michael Catanzaro. + + Add jsc_value_object_has_property(), jsc_value_object_delete_property() and jsc_value_object_enumerate_properties(). + + * API/glib/JSCValue.cpp: + (jsc_value_object_has_property): + (jsc_value_object_delete_property): + (jsc_value_object_enumerate_properties): + * API/glib/JSCValue.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-04-16 Yusuke Suzuki + + [WebAssembly][Modules] Prototype wasm import + https://bugs.webkit.org/show_bug.cgi?id=184600 + + Reviewed by JF Bastien. + + This patch is an initial attempt to implement Wasm loading in module pipeline. + Currently, + + 1. We only support Wasm loading in the JSC shell. Once loading mechanism is specified + in whatwg HTML, we should integrate this into WebCore. + + 2. We only support exporting values from Wasm. Wasm module cannot import anything from + the other modules now. + + When loading a file, JSC shell checks wasm magic. If the wasm magic is found, JSC shell + loads the file with WebAssemblySourceProvider. It is wrapped into JSSourceCode and + module loader pipeline just handles it as the same to JS. When parsing a module, we + checks the type of JSSourceCode. If the source code is Wasm source code, we create a + WebAssemblyModuleRecord instead of JSModuleRecord. Our module pipeline handles + AbstractModuleRecord and Wasm module is instantiated, linked, and evaluated. 
+ + * builtins/ModuleLoaderPrototype.js: + (globalPrivate.newRegistryEntry): + (requestInstantiate): + (link): + * jsc.cpp: + (convertShebangToJSComment): + (fillBufferWithContentsOfFile): + (fetchModuleFromLocalFileSystem): + (GlobalObject::moduleLoaderFetch): + * parser/SourceProvider.h: + (JSC::WebAssemblySourceProvider::create): + (JSC::WebAssemblySourceProvider::WebAssemblySourceProvider): + * runtime/AbstractModuleRecord.cpp: + (JSC::AbstractModuleRecord::hostResolveImportedModule): + (JSC::AbstractModuleRecord::link): + (JSC::AbstractModuleRecord::evaluate): + (JSC::identifierToJSValue): Deleted. + * runtime/AbstractModuleRecord.h: + * runtime/JSModuleLoader.cpp: + (JSC::JSModuleLoader::evaluate): + * runtime/JSModuleRecord.cpp: + (JSC::JSModuleRecord::link): + (JSC::JSModuleRecord::instantiateDeclarations): + * runtime/JSModuleRecord.h: + * runtime/ModuleLoaderPrototype.cpp: + (JSC::moduleLoaderPrototypeParseModule): + (JSC::moduleLoaderPrototypeRequestedModules): + (JSC::moduleLoaderPrototypeModuleDeclarationInstantiation): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::getWasmBufferFromValue): + (JSC::createSourceBufferFromValue): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finalizeCreation): + (JSC::JSWebAssemblyInstance::createPrivateModuleKey): + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/WebAssemblyInstanceConstructor.cpp: + (JSC::constructJSWebAssemblyInstance): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::prepareLink): + (JSC::WebAssemblyModuleRecord::link): + * wasm/js/WebAssemblyModuleRecord.h: + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::resolve): + (JSC::instantiate): + (JSC::compileAndInstantiate): + (JSC::WebAssemblyPrototype::instantiate): + (JSC::webAssemblyInstantiateFunc): + (JSC::webAssemblyValidateFunc): + * wasm/js/WebAssemblyPrototype.h: + +2018-04-14 Filip Pizlo + + Function.prototype.caller shouldn't return generator bodies + 
https://bugs.webkit.org/show_bug.cgi?id=184630 + + Reviewed by Yusuke Suzuki. + + Function.prototype.caller no longer returns generator bodies. Those are meant to be + private. + + Also added some builtin debugging tools so that it's easier to do the investigation that I + did. + + * builtins/BuiltinNames.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::callerGetter): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncBuiltinDescribe): + * runtime/JSGlobalObjectFunctions.h: + +2018-04-13 Yusuke Suzuki + + [DFG] Remove duplicate 32bit ProfileType implementation + https://bugs.webkit.org/show_bug.cgi?id=184536 + + Reviewed by Saam Barati. + + This patch removes duplicate 32bit ProfileType implementation by unifying 32/64 implementations. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileProfileType): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfUndefined): + (JSC::AssemblyHelpers::branchIfNull): + +2018-04-12 Mark Lam + + Consolidate some PtrTags. + https://bugs.webkit.org/show_bug.cgi?id=184552 + + + Reviewed by Filip Pizlo. + + Consolidate CodeEntryPtrTag and CodeEntryWithArityCheckPtrTag into CodePtrTag. + Consolidate NearCallPtrTag and NearJumpPtrTag into NearCodePtrTag. 
+ + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::repatchNearCall): + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::readCallTarget): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::readCallTarget): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::readCallTarget): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::readCallTarget): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::readCallTarget): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/InlineAccess.cpp: + (JSC::InlineAccess::rewireStubAsJump): + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::linkOSRExits): + (JSC::DFG::JITCompiler::link): + (JSC::DFG::JITCompiler::compileFunction): + * dfg/DFGJITFinalizer.cpp: + (JSC::DFG::JITFinalizer::finalize): + (JSC::DFG::JITFinalizer::finalizeFunction): + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::executeOSRExit): + (JSC::DFG::adjustAndJumpToTarget): + (JSC::DFG::OSRExit::compileOSRExit): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::adjustAndJumpToTarget): + * dfg/DFGOperations.cpp: + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::executableAddressAtOffset): + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeCommon): + * ftl/FTLLazySlowPath.cpp: + (JSC::FTL::LazySlowPath::generate): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLOSRExitHandle.cpp: + 
(JSC::FTL::OSRExitHandle::emitExitThunk): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitDumbVirtualCall): + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + (JSC::JIT::link): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCallSlowCase): + * jit/JITCode.cpp: + (JSC::JITCodeWithCodeRef::executableAddressAtOffset): + (JSC::NativeJITCode::addressForCall): + * jit/JITInlines.h: + (JSC::JIT::emitNakedCall): + (JSC::JIT::emitNakedTailCall): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + * jit/JITOpcodes.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITOperations.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::privateCompileGetByVal): + (JSC::JIT::privateCompileGetByValWithCachedId): + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/JITThunks.cpp: + (JSC::JITThunks::hostFunctionStub): + * jit/Repatch.cpp: + (JSC::linkSlowFor): + (JSC::linkFor): + (JSC::linkPolymorphicCall): + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::finalize): + * jit/ThunkGenerators.cpp: + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + (JSC::boundThisNoArgsFunctionCallGenerator): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::setUpCall): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + (JSC::LLInt::functionForCallEntryThunkGenerator): + (JSC::LLInt::functionForConstructEntryThunkGenerator): + (JSC::LLInt::functionForCallArityCheckThunkGenerator): + (JSC::LLInt::functionForConstructArityCheckThunkGenerator): + (JSC::LLInt::evalEntryThunkGenerator): + (JSC::LLInt::programEntryThunkGenerator): + (JSC::LLInt::moduleProgramEntryThunkGenerator): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: 
+ * runtime/NativeExecutable.cpp: + (JSC::NativeExecutable::finishCreation): + * runtime/NativeFunction.h: + (JSC::TaggedNativeFunction::TaggedNativeFunction): + (JSC::TaggedNativeFunction::operator NativeFunction): + * runtime/PtrTag.h: + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): + (JSC::Wasm::triggerOMGTierUpThunkGenerator): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyFunction.h: + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::compile): + +2018-04-12 Michael Catanzaro + + [WPE] Move libWPEWebInspectorResources.so to pkglibdir + https://bugs.webkit.org/show_bug.cgi?id=184379 + + Reviewed by Žan Doberšek. + + Load the module from the new location. + + * PlatformWPE.cmake: + * inspector/remote/glib/RemoteInspectorUtils.cpp: + (Inspector::backendCommands): + +2018-04-12 Yusuke Suzuki + + [DFG] Remove compileBigIntEquality in DFG 32bit + https://bugs.webkit.org/show_bug.cgi?id=184535 + + Reviewed by Saam Barati. + + We can have the unified implementation for compileBigIntEquality. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileBigIntEquality): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileBigIntEquality): Deleted. + +2018-04-12 Michael Catanzaro + + [WPE] Improve include hierarchy + https://bugs.webkit.org/show_bug.cgi?id=184376 + + Reviewed by Žan Doberšek. + + Install JSC headers under /usr/include/wpe-webkit-0.1/jsc instead of + /usr/include/wpe-0.1/WPE/jsc. + + * PlatformWPE.cmake: + +2018-04-11 Carlos Garcia Campos + + [GLIB] Handle strings containing null characters + https://bugs.webkit.org/show_bug.cgi?id=184450 + + Reviewed by Michael Catanzaro. 
+ + We should be able to evaluate scripts containing null characters and to handle strings that contains them + too. In JavaScript strings are not null-terminated, they can contain null characters. This patch adds a length + parameter to jsc_context_valuate() to pass the script length (or -1 if it's null terminated), and new functions + jsc_value_new_string_from_bytes() and jsc_value_to_string_as_bytes() using GBytes to store strings that might + contain null characters. + + * API/OpaqueJSString.cpp: + (OpaqueJSString::create): Add a create constructor that takes the String. + * API/OpaqueJSString.h: + (OpaqueJSString::OpaqueJSString): Add a constructor that takes the String. + * API/glib/JSCContext.cpp: + (jsc_context_evaluate): Add length parameter. + (jsc_context_evaluate_with_source_uri): Ditto. + * API/glib/JSCContext.h: + * API/glib/JSCValue.cpp: + (jsc_value_new_string_from_bytes): + (jsc_value_to_string): + (jsc_value_to_string_as_bytes): + (jsc_value_object_is_instance_of): Pass length to evaluate. + * API/glib/JSCValue.h: + * API/glib/docs/jsc-glib-4.0-sections.txt: + +2018-04-11 Yusuke Suzuki + + [JSC] Add CCallHelpers::CellValue to wrap JSCell GPR to convert it to EncodedJSValue + https://bugs.webkit.org/show_bug.cgi?id=184500 + + Reviewed by Mark Lam. + + Instead of passing JSValue::JSCellTag to callOperation meta-program to convert + JSCell GPR to EncodedJSValue in 32bit code, we add CallHelpers::CellValue. + It is a wrapper for GPRReg, like TrustedImmPtr for pointer value. When poking + CellValue, 32bit code emits JSValue::CellTag automatically. In 64bit, we just + poke held GPR. The benefit from this CellValue is that we can use the same code + for 32bit and 64bit. This patch removes several ifdefs. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + (JSC::DFG::SpeculativeJIT::compileGetDirectPname): + (JSC::DFG::SpeculativeJIT::cachedPutById): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::CellValue::CellValue): + (JSC::CCallHelpers::CellValue::gpr const): + (JSC::CCallHelpers::setupArgumentsImpl): + +2018-04-11 Mark Lam + + [Build fix] Replace CompactJITCodeMap with JITCodeMap. + https://bugs.webkit.org/show_bug.cgi?id=184512 + + + Not reviewed. + + * bytecode/CodeBlock.h: + * jit/JITCodeMap.h: + +2018-04-11 Mark Lam + + Replace CompactJITCodeMap with JITCodeMap. + https://bugs.webkit.org/show_bug.cgi?id=184512 + + + Reviewed by Filip Pizlo. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.h: + (JSC::CodeBlock::setJITCodeMap): + (JSC::CodeBlock::jitCodeMap const): + (JSC::CodeBlock::jitCodeMap): Deleted. + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::executeOSRExit): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::adjustAndJumpToTarget): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::decodedCodeMapFor): Deleted. + * jit/AssemblyHelpers.h: + * jit/CompactJITCodeMap.h: Removed. + * jit/JIT.cpp: + (JSC::JIT::link): + * jit/JITCodeMap.h: Added. + (JSC::JITCodeMap::Entry::Entry): + (JSC::JITCodeMap::Entry::bytecodeIndex const): + (JSC::JITCodeMap::Entry::codeLocation): + (JSC::JITCodeMap::append): + (JSC::JITCodeMap::finish): + (JSC::JITCodeMap::find const): + (JSC::JITCodeMap::operator bool const): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + +2018-04-11 Yusuke Suzuki + + [DFG] Remove CompareSlowPathGenerator + https://bugs.webkit.org/show_bug.cgi?id=184492 + + Reviewed by Mark Lam. + + Now CompareSlowPathGenerator is just calling a specified function. 
+ This can be altered with slowPathCall. This patch removes CompareSlowPathGenerator. + + We also remove some of unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) ifdefs by + introducing a new constructor for GPRTemporary. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGCompareSlowPathGenerator.h: Removed. + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::GPRTemporary::GPRTemporary): + (JSC::DFG::SpeculativeJIT::compileIsCellWithType): + (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView): + (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor): + (JSC::DFG::SpeculativeJIT::compileIsObject): + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::GPRTemporary::GPRTemporary): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): + +2018-04-11 Yusuke Suzuki + + Unreviewed, build fix for 32bit + https://bugs.webkit.org/show_bug.cgi?id=184236 + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetDirectPname): + +2018-04-11 Yusuke Suzuki + + [DFG] Remove duplicate 32bit code more + https://bugs.webkit.org/show_bug.cgi?id=184236 + + Reviewed by Mark Lam. + + Remove duplicate 32bit code more aggressively part 2. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGCompareSlowPathGenerator.h: Added. + (JSC::DFG::CompareSlowPathGenerator::CompareSlowPathGenerator): + Drop boxing part. Use unblessedBooleanResult in DFGSpeculativeJIT side instead. 
+ + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance): + (JSC::DFG::SpeculativeJIT::compileLoadVarargs): + (JSC::DFG::SpeculativeJIT::compileIsObject): + (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty): + (JSC::DFG::SpeculativeJIT::compilePutByIdFlush): + (JSC::DFG::SpeculativeJIT::compilePutById): + (JSC::DFG::SpeculativeJIT::compilePutByIdDirect): + (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize): + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): + (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): + (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): + (JSC::DFG::SpeculativeJIT::compileGetDirectPname): + (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): + (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare): Deleted. + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::selectScratchGPR): Deleted. + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted. + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted. + (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted. + (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal): Deleted. + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted. + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted. + (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted. + (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted. + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted. 
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted. + (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator): Deleted. + (): Deleted. + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare): Deleted. + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted. + (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted. + (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted. + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): + operationHasIndexedPropertyByInt starts returning unblessed boolean with size_t. + + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::loadValue): + (JSC::AssemblyHelpers::selectScratchGPR): + (JSC::AssemblyHelpers::constructRegisterSet): + * jit/RegisterSet.h: + (JSC::RegisterSet::setAny): + Clean up selectScratchGPR code to pass JSValueRegs. + +2018-04-10 Caio Lima + + [ESNext][BigInt] Add support for BigInt in SpeculatedType + https://bugs.webkit.org/show_bug.cgi?id=182470 + + Reviewed by Saam Barati. + + This patch introduces the SpecBigInt type to DFG to enable BigInt + speculation into DFG and FTL. + + With SpecBigInt introduction, we can then specialize "===" operations + to BigInts. As we are doing for some cells, we first check if operands + are pointing to the same JSCell, and if it is false, we + fallback to "operationCompareStrictEqCell". The idea in further + patches is to implement BigInt equality check directly in + assembly. + + We are also adding support for BigInt constant folding into + TypeOf operation. 
+ + * bytecode/SpeculatedType.cpp: + (JSC::dumpSpeculation): + (JSC::speculationFromClassInfo): + (JSC::speculationFromStructure): + (JSC::speculationFromJSType): + (JSC::speculationFromString): + * bytecode/SpeculatedType.h: + (JSC::isBigIntSpeculation): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::set): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupToThis): + (JSC::DFG::FixupPhase::observeUseKindOnNode): + * dfg/DFGInferredTypeCheck.cpp: + (JSC::DFG::insertInferredTypeCheck): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateBigInt): + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculateBigInt): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileBigIntEquality): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileBigIntEquality): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::isCell): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq): + (JSC::FTL::DFG::LowerDFGToB3::checkInferredType): + (JSC::FTL::DFG::LowerDFGToB3::speculate): + (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt): + (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::branchIfNotType): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfBigInt): + (JSC::AssemblyHelpers::branchIfNotBigInt): + * runtime/InferredType.cpp: + (JSC::InferredType::Descriptor::forValue): + 
(JSC::InferredType::Descriptor::putByIdFlags const): + (JSC::InferredType::Descriptor::merge): + (WTF::printInternal): + * runtime/InferredType.h: + * runtime/JSBigInt.h: + +2018-04-10 Filip Pizlo + + Unreviewed, fix cloop build. + + * dfg/DFGAbstractInterpreterClobberState.cpp: + +2018-04-10 Mark Lam + + Make the ASSERT in MarkedSpace::sizeClassToIndex() a RELEASE_ASSERT. + https://bugs.webkit.org/show_bug.cgi?id=184464 + + + Reviewed by Saam Barati. + + * heap/MarkedSpace.h: + (JSC::MarkedSpace::sizeClassToIndex): + +2018-04-09 Filip Pizlo + + DFG AI and clobberize should agree with each other + https://bugs.webkit.org/show_bug.cgi?id=184440 + + Reviewed by Saam Barati. + + One way to fix bugs involving underapproximation in AI or clobberize is to assert that they + agree with each other. That's what this patch does: it adds an assertion that AI's structure + state tracking must be equivalent to JSCell_structureID being clobbered. + + One subtlety is that AI sometimes folds away structure clobbering using information that + clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and + ObservedTransitions). + + This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of + clobberize missing a write(Heap). + + This also makes some cases more precise in order to appease the assertion. Making things more + precise might make things faster, but I didn't measure it because that wasn't the goal. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * dfg/DFGAbstractInterpreter.h: + * dfg/DFGAbstractInterpreterClobberState.cpp: Added. + (WTF::printInternal): + * dfg/DFGAbstractInterpreterClobberState.h: Added. 
+ (JSC::DFG::mergeClobberStates): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::startExecuting): + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::didFoldClobberWorld): + (JSC::DFG::AbstractInterpreter::clobberStructures): + (JSC::DFG::AbstractInterpreter::didFoldClobberStructures): + (JSC::DFG::AbstractInterpreter::observeTransition): + (JSC::DFG::AbstractInterpreter::observeTransitions): + (JSC::DFG::AbstractInterpreter::setDidClobber): Deleted. + * dfg/DFGAtTailAbstractState.h: + (JSC::DFG::AtTailAbstractState::setClobberState): + (JSC::DFG::AtTailAbstractState::mergeClobberState): + (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted. + * dfg/DFGCFAPhase.cpp: + (JSC::DFG::CFAPhase::performBlockCFA): + * dfg/DFGClobberSet.cpp: + (JSC::DFG::writeSet): + * dfg/DFGClobberSet.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGInPlaceAbstractState.h: + (JSC::DFG::InPlaceAbstractState::clobberState const): + (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const): + (JSC::DFG::InPlaceAbstractState::didClobber const): + (JSC::DFG::InPlaceAbstractState::setClobberState): + (JSC::DFG::InPlaceAbstractState::mergeClobberState): + (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted. + +2018-04-10 Filip Pizlo + + ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally() + https://bugs.webkit.org/show_bug.cgi?id=184460 + + + Reviewed by Mark Lam. + + * bytecode/ExecutableToCodeBlockEdge.cpp: + (JSC::ExecutableToCodeBlockEdge::visitChildren): + +2018-04-10 Filip Pizlo + + REGRESSION(r227341 and r227742): AI and clobberize should be precise and consistent about the effectfulness of CompareEq + https://bugs.webkit.org/show_bug.cgi?id=184455 + + Reviewed by Michael Saboff. 
+ + LICM is sort of an assertion that AI is as precise as clobberize about effects. If clobberize + says that something is not effectful, then LICM will try to hoist it. But LICM's AI hack + (AtTailAbstractState) cannot handle hoisting of things that have effects. So, if AI thinks that + the thing being hoisted does have effects, then we get a crash. + + In r227341, we incorrectly told AI that CompareEq(Untyped:, _) is effectful. In fact, only + ComapreEq(Untyped:, Untyped:) is effectful, and clobberize knew this already. As a result, LICM + would blow up if we hoisted CompareEq(Untyped:, Other:), which clobberize knew wasn't + effectful. + + Instead of fixing this by making AI precise, in r227742 we made matters worse by then breaking + clobberize to also think that CompareEq(Untyped:, _) is effectful. + + This fixes the whole situation by teaching both clobberize and AI that the only effectful form + of CompareEq is ComapreEq(Untyped:, Untyped:). + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2018-04-09 Filip Pizlo + + Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit + https://bugs.webkit.org/show_bug.cgi?id=184372 + + Reviewed by Saam Barati. + + We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we + have already proved, using techniques that are more precise than AI, that the edge has type + Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom, + because we have a bad habit of treating terminate/terminateSpeculativeExecution as something + other than a check - so we think we can call those just because we should have already + bailed. It's better to think of them as the result of folding a check. Therefore, we should + only do it if there had been a check to begin with. 
+ + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): + (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): + (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lowInt32): + (JSC::FTL::DFG::LowerDFGToB3::lowInt52): + (JSC::FTL::DFG::LowerDFGToB3::lowCell): + (JSC::FTL::DFG::LowerDFGToB3::lowBoolean): + (JSC::FTL::DFG::LowerDFGToB3::lowDouble): + (JSC::FTL::DFG::LowerDFGToB3::speculate): + (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther): + (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther): + +2018-04-08 Yusuke Suzuki + + [JSC] Introduce @putByIdDirectPrivate + https://bugs.webkit.org/show_bug.cgi?id=184400 + + Reviewed by Saam Barati. + + This patch adds @putByIdDirectPrivate() to use it for builtin JS. + @getByIdDirectPrivate and @putByIdDirectPrivate are pair of intrinsics + accessing to ECMAScript internal fields. + + This change removes accidental [[Put]] operation to an object whose [[Prototype]] + has internal fields (not direct properties). By using @getByIdDirectPrivate() and + @putByIdDirectPrivate(), we strongly keep the semantics of the ECMAScript internal + fields that accessing to the internal fields does not traverse prototype chains. 
+ + * builtins/ArrayIteratorPrototype.js: + (globalPrivate.arrayIteratorValueNext): + (globalPrivate.arrayIteratorKeyNext): + (globalPrivate.arrayIteratorKeyValueNext): + * builtins/ArrayPrototype.js: + (globalPrivate.createArrayIterator): + * builtins/AsyncFromSyncIteratorPrototype.js: + (globalPrivate.AsyncFromSyncIteratorConstructor): + * builtins/AsyncFunctionPrototype.js: + (globalPrivate.asyncFunctionResume): + * builtins/AsyncGeneratorPrototype.js: + (globalPrivate.asyncGeneratorQueueEnqueue): + (globalPrivate.asyncGeneratorQueueDequeue): + (asyncGeneratorYieldAwaited): + (globalPrivate.asyncGeneratorYield): + (globalPrivate.doAsyncGeneratorBodyCall): + (globalPrivate.asyncGeneratorResumeNext): + * builtins/GeneratorPrototype.js: + (globalPrivate.generatorResume): + * builtins/MapIteratorPrototype.js: + (globalPrivate.mapIteratorNext): + * builtins/MapPrototype.js: + (globalPrivate.createMapIterator): + * builtins/ModuleLoaderPrototype.js: + (forceFulfillPromise): + * builtins/PromiseOperations.js: + (globalPrivate.newHandledRejectedPromise): + (globalPrivate.rejectPromise): + (globalPrivate.fulfillPromise): + (globalPrivate.initializePromise): + * builtins/PromisePrototype.js: + (then): + * builtins/SetIteratorPrototype.js: + (globalPrivate.setIteratorNext): + * builtins/SetPrototype.js: + (globalPrivate.createSetIterator): + * builtins/StringIteratorPrototype.js: + (next): + * bytecode/BytecodeIntrinsicRegistry.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirect): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate): + +2018-04-09 Mark Lam + + Decorate method table entries to support pointer profiling. + https://bugs.webkit.org/show_bug.cgi?id=184430 + + + Reviewed by Saam Barati. + + * runtime/ClassInfo.h: + +2018-04-09 Michael Catanzaro + + [WPE] Don't install JSC C API headers + https://bugs.webkit.org/show_bug.cgi?id=184375 + + Reviewed by Žan Doberšek. 
+ + None of the functions declared in these headers are exported in WPE. Use the new jsc API + instead. + + * PlatformWPE.cmake: + +2018-04-08 Mark Lam + + Add pointer profiling to the FTL and supporting code. + https://bugs.webkit.org/show_bug.cgi?id=184395 + + + Reviewed by Michael Saboff and Filip Pizlo. + + * assembler/CodeLocation.h: + (JSC::CodeLocationLabel::retagged): + (JSC::CodeLocationJump::retagged): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::locationOf): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::linkOSRExits): + (JSC::DFG::JITCompiler::link): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLExceptionTarget.cpp: + (JSC::FTL::ExceptionTarget::label): + (JSC::FTL::ExceptionTarget::jumps): + * ftl/FTLExceptionTarget.h: + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::executableAddressAtOffset): + * ftl/FTLLazySlowPath.cpp: + (JSC::FTL::LazySlowPath::~LazySlowPath): + (JSC::FTL::LazySlowPath::initialize): + (JSC::FTL::LazySlowPath::generate): + (JSC::FTL::LazySlowPath::LazySlowPath): Deleted. 
+ * ftl/FTLLazySlowPath.h: + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLOSRExitHandle.cpp: + (JSC::FTL::OSRExitHandle::emitExitThunk): + * ftl/FTLOperations.cpp: + (JSC::FTL::compileFTLLazySlowPath): + * ftl/FTLOutput.h: + (JSC::FTL::Output::callWithoutSideEffects): + (JSC::FTL::Output::operation): + * ftl/FTLPatchpointExceptionHandle.cpp: + (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind): + * ftl/FTLSlowPathCall.cpp: + (JSC::FTL::SlowPathCallContext::makeCall): + * ftl/FTLSlowPathCallKey.h: + (JSC::FTL::SlowPathCallKey::withCallTarget): + (JSC::FTL::SlowPathCallKey::callPtrTag const): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + (JSC::FTL::osrExitGenerationThunkGenerator): + (JSC::FTL::lazySlowPathGenerationThunkGenerator): + (JSC::FTL::slowPathCallThunkGenerator): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + * jit/Repatch.cpp: + (JSC::readPutICCallTarget): + (JSC::ftlThunkAwareRepatchCall): + (JSC::tryCacheGetByID): + (JSC::repatchGetByID): + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + (JSC::repatchIn): + (JSC::resetGetByID): + (JSC::resetPutByID): + (JSC::readCallTarget): Deleted. 
+ * jit/Repatch.h:
+ * runtime/PtrTag.h:
+
+2018-04-08 Yusuke Suzuki
+
+ Unreviewed, attempt to fix Windows build
+ https://bugs.webkit.org/show_bug.cgi?id=183508
+
+ * jit/JIT.h:
+
+2018-04-08 Yusuke Suzuki
+
+ Unreviewed, build fix for Windows by suppressing padding warning for JIT
+ https://bugs.webkit.org/show_bug.cgi?id=183508
+
+ * jit/JIT.h:
+
+2018-04-08 Yusuke Suzuki
+
+ Use alignas instead of compiler-specific attributes
+ https://bugs.webkit.org/show_bug.cgi?id=183508
+
+ Reviewed by Mark Lam.
+
+ Use C++11 alignas specifier. It is portable compared to compiler-specific aligned attributes.
+
+ * heap/RegisterState.h:
+ * jit/JIT.h:
+ (JSC::JIT::compile): Deleted.
+ (JSC::JIT::compileGetByVal): Deleted.
+ (JSC::JIT::compileGetByValWithCachedId): Deleted.
+ (JSC::JIT::compilePutByVal): Deleted.
+ (JSC::JIT::compileDirectPutByVal): Deleted.
+ (JSC::JIT::compilePutByValWithCachedId): Deleted.
+ (JSC::JIT::compileHasIndexedProperty): Deleted.
+ (JSC::JIT::appendCall): Deleted.
+ (JSC::JIT::appendCallWithSlowPathReturnType): Deleted.
+ (JSC::JIT::exceptionCheck): Deleted.
+ (JSC::JIT::exceptionCheckWithCallFrameRollback): Deleted.
+ (JSC::JIT::emitInt32Load): Deleted.
+ (JSC::JIT::emitInt32GetByVal): Deleted.
+ (JSC::JIT::emitInt32PutByVal): Deleted.
+ (JSC::JIT::emitDoublePutByVal): Deleted.
+ (JSC::JIT::emitContiguousPutByVal): Deleted.
+ (JSC::JIT::emitStoreCell): Deleted.
+ (JSC::JIT::getSlowCase): Deleted.
+ (JSC::JIT::linkSlowCase): Deleted.
+ (JSC::JIT::linkDummySlowCase): Deleted.
+ (JSC::JIT::linkAllSlowCases): Deleted.
+ (JSC::JIT::callOperation): Deleted.
+ (JSC::JIT::callOperationWithProfile): Deleted.
+ (JSC::JIT::callOperationWithResult): Deleted.
+ (JSC::JIT::callOperationNoExceptionCheck): Deleted.
+ (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted.
+ (JSC::JIT::emitEnterOptimizationCheck): Deleted.
+ (JSC::JIT::sampleCodeBlock): Deleted.
+ (JSC::JIT::canBeOptimized): Deleted.
+ (JSC::JIT::canBeOptimizedOrInlined): Deleted.
+ (JSC::JIT::shouldEmitProfiling): Deleted.
+ * runtime/VM.h:
+
+2018-04-08 Yusuke Suzuki
+
+ Unreviewed, follow-up patch for DFG 32bit
+ https://bugs.webkit.org/show_bug.cgi?id=183970
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+
+2018-04-08 Yusuke Suzuki
+
+ [JSC] Fix incorrect assertion for VM's regexp buffer lock
+ https://bugs.webkit.org/show_bug.cgi?id=184398
+
+ Reviewed by Mark Lam.
+
+ isLocked check before taking a lock is incorrect.
+
+ * runtime/VM.cpp:
+ (JSC::VM::acquireRegExpPatternContexBuffer):
+
+2018-04-08 Yusuke Suzuki
+
+ [JSC] Introduce op_get_by_id_direct
+ https://bugs.webkit.org/show_bug.cgi?id=183970
+
+ Reviewed by Filip Pizlo.
+
+ This patch introduces op_get_by_id_direct bytecode. This is super similar to op_get_by_id.
+ But it just performs [[GetOwnProperty]] operation instead of [[Get]]. We support this
+ in all the tiers, so using this opcode does not lead to inefficiency.
+
+ Main purpose of this op_get_by_id_direct is using it for private properties. We are using
+ properties indexed with private symbols to implement ECMAScript internal fields. Before this
+ patch, we just use get and put operations. However, it is not the correct semantics: accessing
+ to the internal fields should not traverse prototype chain, which is specified in the spec.
+ We use op_get_by_id_direct to access to properties which are used internal fields, so that
+ prototype chains are not traversed.
+
+ To emit op_get_by_id_direct, we introduce a new bytecode intrinsic @getByIdDirectPrivate().
+ When you write `@getByIdDirectPrivate(object, "name")`, the bytecode generator emits the
+ bytecode `op_get_by_id_direct, object, @name`.
+
+ * builtins/ArrayIteratorPrototype.js:
+ (next):
+ (globalPrivate.arrayIteratorValueNext):
+ (globalPrivate.arrayIteratorKeyNext):
+ (globalPrivate.arrayIteratorKeyValueNext):
+ * builtins/AsyncFromSyncIteratorPrototype.js:
+ * builtins/AsyncFunctionPrototype.js:
+ (globalPrivate.asyncFunctionResume):
+ * builtins/AsyncGeneratorPrototype.js:
+ (globalPrivate.asyncGeneratorQueueIsEmpty):
+ (globalPrivate.asyncGeneratorQueueEnqueue):
+ (globalPrivate.asyncGeneratorQueueDequeue):
+ (globalPrivate.asyncGeneratorDequeue):
+ (globalPrivate.isExecutionState):
+ (globalPrivate.isSuspendYieldState):
+ (globalPrivate.asyncGeneratorReject):
+ (globalPrivate.asyncGeneratorResolve):
+ (globalPrivate.doAsyncGeneratorBodyCall):
+ (globalPrivate.asyncGeneratorEnqueue):
+ * builtins/GeneratorPrototype.js:
+ (globalPrivate.generatorResume):
+ (next):
+ (return):
+ (throw):
+ * builtins/MapIteratorPrototype.js:
+ (next):
+ * builtins/PromiseOperations.js:
+ (globalPrivate.isPromise):
+ (globalPrivate.rejectPromise):
+ (globalPrivate.fulfillPromise):
+ * builtins/PromisePrototype.js:
+ (then):
+ * builtins/SetIteratorPrototype.js:
+ (next):
+ * builtins/StringIteratorPrototype.js:
+ (next):
+ * builtins/TypedArrayConstructor.js:
+ (of):
+ (from):
+ * bytecode/BytecodeDumper.cpp:
+ (JSC::BytecodeDumper::dumpBytecode):
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::finalizeLLIntInlineCaches):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFromLLInt):
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::reset):
+ * bytecode/StructureStubInfo.h:
+ (JSC::appropriateOptimizingGetByIdFunction):
+ (JSC::appropriateGenericGetByIdFunction):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitDirectGetById):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirect):
+ (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToGetByOffset):
+ (JSC::DFG::Node::convertToMultiGetByOffset):
+ (JSC::DFG::Node::hasIdentifier):
+ (JSC::DFG::Node::hasHeapPrediction):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetById):
+ (JSC::DFG::SpeculativeJIT::compileGetByIdFlush):
+ (JSC::DFG::SpeculativeJIT::compileTryGetById): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetById):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
+ (JSC::FTL::DFG::LowerDFGToB3::getById):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_id_direct):
+ (JSC::JIT::emitSlow_op_get_by_id_direct):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_id_direct):
+ (JSC::JIT::emitSlow_op_get_by_id_direct):
+ * jit/Repatch.cpp:
+ (JSC::appropriateOptimizingGetByIdFunction):
+ (JSC::appropriateGetByIdFunction):
+ (JSC::tryCacheGetByID):
+ (JSC::repatchGetByID):
+ (JSC::appropriateGenericGetByIdFunction): Deleted.
+ * jit/Repatch.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::getOwnPropertySlot const):
+ * runtime/JSObject.h:
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::getOwnPropertySlotInline):
+
+2018-04-07 Yusuke Suzuki
+
+ [JSC] Remove several asXXX functions
+ https://bugs.webkit.org/show_bug.cgi?id=184355
+
+ Reviewed by JF Bastien.
+
+ Remove asActivation, asInternalFunction, and asGetterSetter.
+ Use jsCast<> / jsDynamicCast<> consistently.
+
+ * runtime/ArrayConstructor.cpp:
+ (JSC::constructArrayWithSizeQuirk):
+ * runtime/AsyncFunctionConstructor.cpp:
+ (JSC::callAsyncFunctionConstructor):
+ (JSC::constructAsyncFunctionConstructor):
+ * runtime/AsyncGeneratorFunctionConstructor.cpp:
+ (JSC::callAsyncGeneratorFunctionConstructor):
+ (JSC::constructAsyncGeneratorFunctionConstructor):
+ * runtime/BooleanConstructor.cpp:
+ (JSC::constructWithBooleanConstructor):
+ * runtime/DateConstructor.cpp:
+ (JSC::constructWithDateConstructor):
+ * runtime/ErrorConstructor.cpp:
+ (JSC::Interpreter::constructWithErrorConstructor):
+ (JSC::Interpreter::callErrorConstructor):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::constructWithFunctionConstructor):
+ (JSC::callFunctionConstructor):
+ * runtime/FunctionPrototype.cpp:
+ (JSC::functionProtoFuncToString):
+ * runtime/GeneratorFunctionConstructor.cpp:
+ (JSC::callGeneratorFunctionConstructor):
+ (JSC::constructGeneratorFunctionConstructor):
+ * runtime/GetterSetter.h:
+ (JSC::asGetterSetter): Deleted.
+ * runtime/InternalFunction.h:
+ (JSC::asInternalFunction): Deleted.
+ * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+ (JSC::constructGenericTypedArrayView):
+ * runtime/JSLexicalEnvironment.h:
+ (JSC::asActivation): Deleted.
+ * runtime/JSObject.cpp:
+ (JSC::validateAndApplyPropertyDescriptor):
+ * runtime/MapConstructor.cpp:
+ (JSC::constructMap):
+ * runtime/PropertyDescriptor.cpp:
+ (JSC::PropertyDescriptor::setDescriptor):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::constructWithRegExpConstructor):
+ (JSC::callRegExpConstructor):
+ * runtime/SetConstructor.cpp:
+ (JSC::constructSet):
+ * runtime/StringConstructor.cpp:
+ (JSC::constructWithStringConstructor):
+ * runtime/WeakMapConstructor.cpp:
+ (JSC::constructWeakMap):
+ * runtime/WeakSetConstructor.cpp:
+ (JSC::constructWeakSet):
+ * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
+ (JSC::constructJSWebAssemblyCompileError):
+ (JSC::callJSWebAssemblyCompileError):
+ * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
+ (JSC::constructJSWebAssemblyLinkError):
+ (JSC::callJSWebAssemblyLinkError):
+ * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
+ (JSC::constructJSWebAssemblyRuntimeError):
+ (JSC::callJSWebAssemblyRuntimeError):
+
+2018-04-05 Mark Lam
+
+ MacroAssemblerCodePtr::retagged() should not re-decorate the pointer on ARMv7.
+ https://bugs.webkit.org/show_bug.cgi?id=184347
+
+
+ Reviewed by Michael Saboff.
+
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+ (JSC::MacroAssemblerCodePtr::retagged const):
+
+2018-04-05 Stanislav Ocovaj
+
+ [MIPS] Optimize generated JIT code for branches
+ https://bugs.webkit.org/show_bug.cgi?id=183130
+
+ Reviewed by Yusuke Suzuki.
+
+ The patch https://bugs.webkit.org/show_bug.cgi?id=101328 added two nop instructions to
+ branchEqual() and branchNotEqual() in order to allow the code generated by branchPtrWithPatch()
+ to be reverted back to branchPtrWithPatch after replacing it with a 4-instruction jump.
+ However, this adds a significant overhead for all other types of branches. Since these nop's
+ protect the code that is generated by branchPtrWithPatch, this function seems like a better
+ place to add them.
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::repatchInt32):
+ (JSC::MIPSAssembler::revertJumpToMove):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::branchAdd32):
+ (JSC::MacroAssemblerMIPS::branchMul32):
+ (JSC::MacroAssemblerMIPS::branchSub32):
+ (JSC::MacroAssemblerMIPS::branchNeg32):
+ (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
+ (JSC::MacroAssemblerMIPS::branchEqual):
+ (JSC::MacroAssemblerMIPS::branchNotEqual):
+
+2018-04-05 Yusuke Suzuki
+
+ [WTF] Remove StaticLock
+ https://bugs.webkit.org/show_bug.cgi?id=184332
+
+ Reviewed by Mark Lam.
+
+ * API/JSValue.mm:
+ (handerForStructTag):
+ * API/JSVirtualMachine.mm:
+ (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
+ (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
+ * API/glib/JSCVirtualMachine.cpp:
+ (addWrapper):
+ (removeWrapper):
+ * assembler/testmasm.cpp:
+ * b3/air/testair.cpp:
+ * b3/testb3.cpp:
+ * bytecode/SuperSampler.cpp:
+ * dfg/DFGCommon.cpp:
+ * dfg/DFGCommonData.cpp:
+ * dynbench.cpp:
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::tryCopyOtherThreadStacks):
+ * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
+ (Inspector::RemoteTargetHandleRunSourceGlobal):
+ (Inspector::RemoteTargetQueueTaskOnGlobalQueue):
+ * interpreter/CLoopStack.cpp:
+ * parser/SourceProvider.cpp:
+ * profiler/ProfilerDatabase.cpp:
+ * profiler/ProfilerUID.cpp:
+ (JSC::Profiler::UID::create):
+ * runtime/IntlObject.cpp:
+ (JSC::numberingSystemsForLocale):
+ * runtime/JSLock.cpp:
+ * runtime/JSLock.h:
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::registerForReportAtExit):
+ * runtime/VM.cpp:
+ * wasm/WasmFaultSignalHandler.cpp:
+
+2018-04-04 Mark Lam
+
+ Add pointer profiling support to the DFG and supporting files.
+ https://bugs.webkit.org/show_bug.cgi?id=184316
+
+
+ Reviewed by Filip Pizlo.
+
+ 1. Profile lots of pointers with PtrTags.
+
+ 2. Remove PtrTag.cpp and make ptrTagName() into an inline function. It's only
+ used for debugging anyway, and not normally called in the code. Making it
+ an inline function prevents it from taking up code space in builds when not in
+ use.
+
+ 3. Change the call to the the arityFixupThunk in DFG code to be a near call.
+ It doesn't need to be a far call.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * assembler/testmasm.cpp:
+ (JSC::testProbeModifiesProgramCounter):
+ * b3/B3LowerMacros.cpp:
+ * b3/air/AirCCallSpecial.cpp:
+ (JSC::B3::Air::CCallSpecial::generate):
+ * b3/air/AirCCallSpecial.h:
+ * b3/testb3.cpp:
+ (JSC::B3::testInterpreter):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/HandlerInfo.h:
+ (JSC::HandlerInfo::initialize):
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::PolymorphicAccess::regenerate):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compileExceptionHandlers):
+ (JSC::DFG::JITCompiler::link):
+ (JSC::DFG::JITCompiler::compileFunction):
+ (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::appendCall):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::reifyInlinedCallFrames):
+ (JSC::DFG::adjustAndJumpToTarget):
+ (JSC::DFG::OSRExit::emitRestoreArguments):
+ (JSC::DFG::OSRExit::compileOSRExit):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::handleExitCounts):
+ (JSC::DFG::reifyInlinedCallFrames):
+ (JSC::DFG::osrWriteBarrier):
+ (JSC::DFG::adjustAndJumpToTarget):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::CallResultAndArgumentsSlowPathGenerator):
+ (JSC::DFG::CallResultAndArgumentsSlowPathGenerator::unpackAndGenerate):
+ (JSC::DFG::slowPathCall):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMathIC):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ (JSC::DFG::SpeculativeJIT::appendCall):
+ (JSC::DFG::SpeculativeJIT::appendCallSetResult):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrExitThunkGenerator):
+ (JSC::DFG::osrExitGenerationThunkGenerator):
+ (JSC::DFG::osrEntryThunkGenerator):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitDumbVirtualCall):
+ * jit/JIT.cpp:
+ (JSC::JIT::emitEnterOptimizationCheck):
+ (JSC::JIT::compileWithoutLinking):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCallSlowCase):
+ * jit/JITMathIC.h:
+ (JSC::isProfileEmpty):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_catch):
+ (JSC::JIT::emitSlow_op_loop_hint):
+ * jit/JITOperations.cpp:
+ * jit/Repatch.cpp:
+ (JSC::linkSlowFor):
+ (JSC::linkFor):
+ (JSC::revertCall):
+ (JSC::unlinkFor):
+ (JSC::linkVirtualFor):
+ (JSC::linkPolymorphicCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::throwExceptionFromCallSlowPathGenerator):
+ (JSC::linkCallThunkGenerator):
+ (JSC::linkPolymorphicCallThunkGenerator):
+ (JSC::virtualThunkFor):
+ (JSC::arityFixupGenerator):
+ (JSC::unreachableGenerator):
+ * runtime/PtrTag.cpp: Removed.
+ * runtime/PtrTag.h:
+ (JSC::ptrTagName):
+ * runtime/VMEntryScope.cpp:
+ * wasm/js/WasmToJS.cpp:
+ (JSC::Wasm::wasmToJS):
+
+2018-04-04 Filip Pizlo
+
+ REGRESSION(r222563): removed DoubleReal type check causes tons of crashes because CSE has never known how to handle SaneChain
+ https://bugs.webkit.org/show_bug.cgi?id=184319
+
+ Reviewed by Saam Barati.
+
+ In r222581, we replaced type checks about DoubleReal in ArrayPush in the DFG/FTL backends with
+ assertions. That's correct because FixupPhase was emitting those checks as Check(DoubleRealRep:) before
+ the ArrayPush.
+
+ But this revealed a longstanding CSE bug: CSE will happily match a SaneChain GetByVal with a InBounds
+ GetByVal. SaneChain can return NaN while InBounds cannot. This means that if we first use AI to
+ eliminate the Check(DoubleRealRep:) based on the input being a GetByVal(InBounds) but then replace that
+ with a GetByVal(SaneChain), then we will hit the assertion.
+
+ This teaches CSE to not replace GetByVal(InBounds) with GetByVal(SaneChain) and vice versa. That gets
+ tricky because PutByVal can match either. So, we use the fact that it's legal for a store to def() more
+ than once: PutByVal now defs() a HeapLocation for InBounds and a HeapLocation for SaneChain.
+
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArrayPush):
+
+2018-04-04 Filip Pizlo
+
+ Remove poisoning of typed array vector
+ https://bugs.webkit.org/show_bug.cgi?id=184313
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::checkArray):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/arm64.rb:
+ * offlineasm/x86.rb:
+ * runtime/CagedBarrierPtr.h:
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::JSArrayBufferView):
+ (JSC::JSArrayBufferView::finalize):
+ (JSC::JSArrayBufferView::neuter):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::vector const):
+ (JSC::JSArrayBufferView::offsetOfVector):
+ (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
+ (JSC::JSArrayBufferView::poisonFor): Deleted.
+ (JSC::JSArrayBufferView::Poison::key): Deleted.
+ * runtime/JSCPoison.cpp:
+ (JSC::initializePoison):
+ * runtime/JSCPoison.h:
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::estimatedSize):
+ (JSC::JSGenericTypedArrayView::visitChildren):
+ (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory):
+ * runtime/JSObject.h:
+
+2018-04-03 Filip Pizlo
+
+ Don't do index masking or poisoning for DirectArguments
+ https://bugs.webkit.org/show_bug.cgi?id=184280
+
+ Reviewed by Saam Barati.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
+ (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator):
+ * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Removed.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+ (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetFromArguments):
+ (JSC::DFG::SpeculativeJIT::compilePutToArguments):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
+ (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison):
+ (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType):
+ (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): Deleted.
+ * heap/SecurityKind.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_from_arguments):
+ (JSC::JIT::emit_op_put_to_arguments):
+ (JSC::JIT::emitDirectArgumentsGetByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_from_arguments):
+ (JSC::JIT::emit_op_put_to_arguments):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::DirectArguments):
+ (JSC::DirectArguments::createUninitialized):
+ (JSC::DirectArguments::create):
+ (JSC::DirectArguments::createByCopying):
+ (JSC::DirectArguments::estimatedSize):
+ (JSC::DirectArguments::visitChildren):
+ (JSC::DirectArguments::overrideThings):
+ (JSC::DirectArguments::copyToArguments):
+ (JSC::DirectArguments::mappedArgumentsSize):
+ * runtime/DirectArguments.h:
+ * runtime/JSCPoison.h:
+ * runtime/JSLexicalEnvironment.h:
+ * runtime/JSSymbolTableObject.h:
+
+2018-04-03 Filip Pizlo
+
+ JSArray::appendMemcpy seems to be missing a barrier
+ https://bugs.webkit.org/show_bug.cgi?id=184290
+
+ Reviewed by Mark Lam.
+
+ If you write to an array that may contain pointers and you didn't just allocate it, then you need to
+ barrier right after.
+
+ I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
+ obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::appendMemcpy):
+
+2018-04-03 Filip Pizlo
+
+ GC shouldn't do object distancing
+ https://bugs.webkit.org/show_bug.cgi?id=184195
+
+ Reviewed by Saam Barati.
+
+ This rolls out SecurityKind/SecurityOriginToken, but keeps the TLC infrastructure. It seems
+ to be a small speed-up.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * heap/BlockDirectory.cpp:
+ (JSC::BlockDirectory::findBlockForAllocation):
+ (JSC::BlockDirectory::addBlock):
+ * heap/BlockDirectory.h:
+ * heap/CellAttributes.cpp:
+ (JSC::CellAttributes::dump const):
+ * heap/CellAttributes.h:
+ (JSC::CellAttributes::CellAttributes):
+ * heap/LocalAllocator.cpp:
+ (JSC::LocalAllocator::allocateSlowCase):
+ (JSC::LocalAllocator::tryAllocateWithoutCollecting):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::didAddToDirectory):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::Handle::securityOriginToken const): Deleted.
+ * heap/SecurityKind.cpp: Removed.
+ * heap/SecurityKind.h: Removed.
+ * heap/SecurityOriginToken.cpp: Removed.
+ * heap/SecurityOriginToken.h: Removed.
+ * heap/ThreadLocalCache.cpp:
+ (JSC::ThreadLocalCache::create):
+ (JSC::ThreadLocalCache::ThreadLocalCache):
+ * heap/ThreadLocalCache.h:
+ (JSC::ThreadLocalCache::securityOriginToken const): Deleted.
+
+ * runtime/JSDestructibleObjectHeapCellType.cpp:
+ (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::threadLocalCache const): Deleted.
+ * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
+ (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
+ * runtime/JSStringHeapCellType.cpp:
+ (JSC::JSStringHeapCellType::JSStringHeapCellType):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * runtime/VMEntryScope.cpp:
+ (JSC::VMEntryScope::VMEntryScope):
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
+
+2018-04-02 Saam Barati
+
+ bmalloc should compute its own estimate of its footprint
+ https://bugs.webkit.org/show_bug.cgi?id=184121
+
+ Reviewed by Filip Pizlo.
+
+ * heap/IsoAlignedMemoryAllocator.cpp:
+ (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
+ (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
+ (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
+
+2018-04-02 Mark Lam
+
+ We should not trash the stack pointer on OSR entry.
+ https://bugs.webkit.org/show_bug.cgi?id=184243
+
+
+ Reviewed by Filip Pizlo.
+
+ In the DFG OSR entry path, we momentarily over-write the stack pointer with
+ returnValueGPR2. returnValueGPR2 contains a pointer to a side buffer we malloc'ed.
+ Hence, this assignment is wrong, and it turns out to be unnecessary as well.
+ The stack pointer does get corrected later in the thunk (generated by
+ osrEntryThunkGenerator()) that we jump to. This is why we don't see ill-effects
+ so far.
+
+ This bug only poses an issue if interrupts use the user stack for their stack
+ frame (e.g. linux), and when we do stack alignment tests during debugging.
+
+ The fix is simply to remove the assignment.
+
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrEntryThunkGenerator):
+ * jit/JIT.cpp:
+ (JSC::JIT::emitEnterOptimizationCheck):
+
+2018-04-02 Stanislav Ocovaj
+
+ [MIPS] Optimize JIT code generated by methods with TrustedImm32 operand
+ https://bugs.webkit.org/show_bug.cgi?id=183740
+
+ Reviewed by Yusuke Suzuki.
+
+ In many macro assembler methods with TrustedImm32 operand a move imm, immTemp (pseudo)instruction is
+ first generated and a register operand variant of the same method is called to generate the rest
+ of the code. If the immediate value can fit in 16 bits then we can skip the move instruction and
+ generate more efficient code using MIPS instructions with immediate operand.
+
+ * assembler/MIPSAssembler.h:
+ (JSC::MIPSAssembler::slti):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::lshift32):
+ (JSC::MacroAssemblerMIPS::xor32):
+ (JSC::MacroAssemblerMIPS::branch8):
+ (JSC::MacroAssemblerMIPS::compare8):
+ (JSC::MacroAssemblerMIPS::branch32):
+ (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
+ (JSC::MacroAssemblerMIPS::branchTest32):
+ (JSC::MacroAssemblerMIPS::mask8OnTest):
+ (JSC::MacroAssemblerMIPS::branchTest8):
+ (JSC::MacroAssemblerMIPS::branchAdd32):
+ (JSC::MacroAssemblerMIPS::branchNeg32):
+ (JSC::MacroAssemblerMIPS::compare32):
+ (JSC::MacroAssemblerMIPS::test8):
+
+2018-04-02 Yusuke Suzuki
+
+ [DFG] More aggressive removal of duplicate 32bit DFG code
+ https://bugs.webkit.org/show_bug.cgi?id=184089
+
+ Reviewed by Saam Barati.
+
+ This patch more aggressively removes duplicate 32bit DFG code
+ by leveraging JSValueRegs and meta-programmed callOperation.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValWithThis):
+ (JSC::DFG::SpeculativeJIT::compileArithMinMax):
+ (JSC::DFG::SpeculativeJIT::compileNewArray):
+ (JSC::DFG::SpeculativeJIT::compileCheckCell):
+ (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable):
+ (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable):
+ (JSC::DFG::SpeculativeJIT::compileGetClosureVar):
+ (JSC::DFG::SpeculativeJIT::compilePutClosureVar):
+ (JSC::DFG::SpeculativeJIT::compileGetByOffset):
+ (JSC::DFG::SpeculativeJIT::compilePutByOffset):
+ (JSC::DFG::SpeculativeJIT::compileGetExecutable):
+ (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
+ (JSC::DFG::SpeculativeJIT::compileToThis):
+ (JSC::DFG::SpeculativeJIT::compileIdentity):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2018-04-01 Filip Pizlo
+
+ Raise the for-call inlining threshold to 190 to fix JetStream/richards regression
+ https://bugs.webkit.org/show_bug.cgi?id=184228
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/Options.h:
+
+2018-03-31 Filip Pizlo
+
+ JSObject shouldn't do index masking
+ https://bugs.webkit.org/show_bug.cgi?id=184194
+
+ Reviewed by Yusuke Suzuki.
+
+ Remove index masking, because it's not the way we'll mitigate Spectre.
+
+ * API/tests/JSObjectGetProxyTargetTest.cpp:
+ (testJSObjectGetProxyTarget):
+ * b3/B3LowerToAir.cpp:
+ * b3/B3Validate.cpp:
+ * b3/B3WasmBoundsCheckValue.cpp:
+ (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue):
+ (JSC::B3::WasmBoundsCheckValue::dumpMeta const):
+ * b3/B3WasmBoundsCheckValue.h:
+ (JSC::B3::WasmBoundsCheckValue::bounds const):
+ (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): Deleted.
+ * b3/testb3.cpp:
+ (JSC::B3::testWasmBoundsCheck):
+ (JSC::B3::run):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+ (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ (JSC::DFG::SpeculativeJIT::compileCreateActivation):
+ (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ (JSC::DFG::SpeculativeJIT::compileNewRegexp):
+ (JSC::DFG::SpeculativeJIT::compileCreateThis):
+ (JSC::DFG::SpeculativeJIT::compileNewObject):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
+ (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
+ (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): Deleted.
+ (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask): Deleted.
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateJSObject):
+ (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+ (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
+ (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_object):
+ (JSC::JIT::emit_op_create_this):
+ * jit/JITOperations.cpp:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Butterfly.h:
+ (JSC::ContiguousData::at const):
+ (JSC::ContiguousData::at):
+ (JSC::Butterfly::computeIndexingMask const): Deleted.
+ * runtime/ButterflyInlines.h:
+ (JSC::ContiguousData::at const): Deleted.
+ (JSC::ContiguousData::at): Deleted.
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::createEmpty):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::tryCreateUninitializedRestricted):
+ (JSC::JSArray::appendMemcpy):
+ (JSC::JSArray::setLength):
+ (JSC::JSArray::pop):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::JSArrayBufferView):
+ * runtime/JSArrayInlines.h:
+ (JSC::JSArray::pushInline):
+ * runtime/JSFixedArray.h:
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::createInitialUndecided):
+ (JSC::JSObject::createInitialInt32):
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC::JSObject::createArrayStorage):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::convertUndecidedToArrayStorage):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+ (JSC::JSObject::convertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::createInitialForValueAndSet):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ (JSC::JSObject::countElements):
+ (JSC::JSObject::increaseVectorLength):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::reallocateAndShrinkButterfly):
+ (JSC::JSObject::getEnumerableLength):
+ * runtime/JSObject.h:
+ (JSC::JSObject::canGetIndexQuickly):
+ (JSC::JSObject::getIndexQuickly):
+ (JSC::JSObject::tryGetIndexQuickly const):
+ (JSC::JSObject::setIndexQuickly):
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::initializeIndexWithoutBarrier):
+ (JSC::JSObject::butterflyOffset):
+ (JSC::JSObject::setButterfly):
+ (JSC::JSObject::nukeStructureAndSetButterfly):
+ (JSC::JSObject::JSObject):
+ (JSC::JSObject::butterflyIndexingMaskOffset): Deleted.
+ (JSC::JSObject::butterflyIndexingMask const): Deleted.
+ (JSC::JSObject::setButterflyWithIndexingMask): Deleted.
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::prepareToPutDirectWithoutTransition):
+ (JSC::JSObject::putDirectInternal):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::tryCreateUninitializedRegExpMatchesArray):
+ * runtime/Structure.cpp:
+ (JSC::Structure::flattenDictionaryStructure):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+ (JSC::Wasm::B3IRGenerator::load):
+ (JSC::Wasm::B3IRGenerator::store):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::updateCachedMemory):
+ (JSC::Wasm::Instance::offsetOfCachedMemorySize):
+ (JSC::Wasm::Instance::offsetOfCachedIndexingMask): Deleted.
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::Memory):
+ (JSC::Wasm::Memory::grow):
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::size const):
+ (JSC::Wasm::Memory::offsetOfSize):
+ (JSC::Wasm::Memory::indexingMask): Deleted.
+ (JSC::Wasm::Memory::offsetOfIndexingMask): Deleted.
+ * wasm/WasmMemoryInformation.cpp:
+ (JSC::Wasm::PinnedRegisterInfo::get):
+ (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
+ * wasm/WasmMemoryInformation.h:
+ (JSC::Wasm::PinnedRegisterInfo::toSave const):
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+
+2018-03-31 Filip Pizlo
+
+ JSC crash in JIT code with for-of loop and Array/Set iterators
+ https://bugs.webkit.org/show_bug.cgi?id=183174
+
+ Reviewed by Saam Barati.
+ + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): Fix the bug by making GetByOffset and friends verify that they are getting the type proof they want at the desired hoisting site. + +2018-03-30 Filip Pizlo + + Strings and Vectors shouldn't do index masking + https://bugs.webkit.org/show_bug.cgi?id=184193 + + Reviewed by Mark Lam. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt): + (JSC::DFG::SpeculativeJIT::compileGetByValOnString): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt): + (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt): + * jit/ThunkGenerators.cpp: + (JSC::stringCharLoad): + +2018-03-30 Mark Lam + + Add pointer profiling support in baseline JIT and supporting files. + https://bugs.webkit.org/show_bug.cgi?id=184200 + + + Reviewed by Filip Pizlo. + + 1. To simplify pointer profiling support, vmEntryToJavaScript() now always enters + the code via the arity check entry. + 2. To accommodate (1), all JITCode must now populate their arity check entry code + pointers as well. For native code, programs, evals, and modules that don't + do arity check, we set the normal entry as the arity check entry (though with + the CodeEntryWithArityCheckPtrTag profile instead). 
+
+ * assembler/AbstractMacroAssembler.h:
+ * assembler/LinkBuffer.h:
+ (JSC::LinkBuffer::locationOfNearCall):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::readCallTarget):
+ (JSC::MacroAssemblerARM64::linkCall):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/AccessCaseSnippetParams.cpp:
+ (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::addJITAddIC):
+ (JSC::CodeBlock::addJITMulIC):
+ (JSC::CodeBlock::addJITSubIC):
+ (JSC::CodeBlock::addJITNegIC):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::addMathIC):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::rewireStubAsJump):
+ * bytecode/LLIntCallLinkInfo.h:
+ (JSC::LLIntCallLinkInfo::unlink):
+ (): Deleted.
+ * bytecode/PolymorphicAccess.cpp:
+ (JSC::AccessGenerationState::emitExplicitExceptionHandler):
+ (JSC::PolymorphicAccess::regenerate):
+ * dfg/DFGJITFinalizer.cpp:
+ (JSC::DFG::JITFinalizer::finalize):
+ (JSC::DFG::JITFinalizer::finalizeFunction):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ (JSC::DFG::SpeculativeJIT::compileArithNegate):
+ (JSC::DFG::SpeculativeJIT::compileArithMul):
+ (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
+ (JSC::DFG::SpeculativeJIT::emitSwitchImm):
+ (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
+ * disassembler/ARM64Disassembler.cpp:
+ (JSC::tryToDisassemble):
+ * ftl/FTLJITFinalizer.cpp:
+ (JSC::FTL::JITFinalizer::finalizeCommon):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
+ (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
+ (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
+ * heap/JITStubRoutineSet.h:
+ (JSC::JITStubRoutineSet::mark):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::callExceptionFuzz):
+ (JSC::AssemblyHelpers::debugCall):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitFunctionPrologue):
+ * jit/CCallHelpers.cpp:
+ (JSC::CCallHelpers::ensureShadowChickenPacket):
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::prepareForTailCallSlow):
+ * jit/CallFrameShuffler.cpp:
+ (JSC::CallFrameShuffler::prepareForTailCall):
+ * jit/ExecutableAllocator.cpp:
+ (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator):
+ * jit/ExecutableAllocator.h:
+ (JSC::performJITMemcpy):
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+ (JSC::JIT::link):
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_negate):
+ (JSC::JIT::emit_op_add):
+ (JSC::JIT::emitMathICFast):
+ (JSC::JIT::emitMathICSlow):
+ (JSC::JIT::emit_op_mul):
+ (JSC::JIT::emit_op_sub):
+ * jit/JITCode.cpp:
+ (JSC::JITCode::execute):
+ (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+ (JSC::DirectJITCode::DirectJITCode):
+ (JSC::DirectJITCode::initializeCodeRef):
+ (JSC::NativeJITCode::addressForCall):
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind):
+ * jit/JITMathIC.h:
+ (JSC::isProfileEmpty):
+ (JSC::JITBinaryMathIC::JITBinaryMathIC):
+ (JSC::JITUnaryMathIC::JITUnaryMathIC):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_switch_imm):
+ (JSC::JIT::emit_op_switch_char):
+ (JSC::JIT::emit_op_switch_string):
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ (JSC::JIT::emitSlow_op_has_indexed_property):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ * jit/JITOperations.cpp:
+ (JSC::getByVal):
+ (JSC::tryGetByValOptimize):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ (JSC::JIT::emitGetByValWithCachedId):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emitPutByValWithCachedId):
+ (JSC::JIT::emitSlow_op_put_by_val):
+ (JSC::JIT::emitSlow_op_try_get_by_id):
+ (JSC::JIT::emitSlow_op_get_by_id):
+ (JSC::JIT::emitSlow_op_get_by_id_with_this):
+ (JSC::JIT::emitSlow_op_put_by_id):
+ (JSC::JIT::privateCompileGetByVal):
+ (JSC::JIT::privateCompileGetByValWithCachedId):
+ (JSC::JIT::privateCompilePutByVal):
+ (JSC::JIT::privateCompilePutByValWithCachedId):
+ * jit/JITThunks.cpp:
+ (JSC::JITThunks::hostFunctionStub):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+ (JSC::repatchGetByID):
+ (JSC::appropriateOptimizingPutByIdFunction):
+ (JSC::tryCachePutByID):
+ (JSC::repatchPutByID):
+ (JSC::linkFor):
+ (JSC::revertCall):
+ (JSC::linkPolymorphicCall):
+ (JSC::resetGetByID):
+ (JSC::resetPutByID):
+ * jit/Repatch.h:
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::finalize):
+ (JSC::SpecializedThunkJIT::callDoubleToDouble):
+ * jit/ThunkGenerators.cpp:
+ (JSC::emitPointerValidation):
+ (JSC::throwExceptionFromCallSlowPathGenerator):
+ (JSC::slowPathFor):
+ (JSC::linkCallThunkGenerator): Deleted.
+ (JSC::linkPolymorphicCallThunkGenerator): Deleted.
+ (JSC::virtualThunkFor): Deleted.
+ (JSC::nativeForGenerator): Deleted.
+ (JSC::nativeCallGenerator): Deleted.
+ (JSC::nativeTailCallGenerator): Deleted.
+ (JSC::nativeTailCallWithoutSavedTagsGenerator): Deleted.
+ (JSC::nativeConstructGenerator): Deleted.
+ (JSC::internalFunctionCallGenerator): Deleted.
+ (JSC::internalFunctionConstructGenerator): Deleted.
+ (JSC::arityFixupGenerator): Deleted.
+ (JSC::unreachableGenerator): Deleted.
+ (JSC::stringCharLoad): Deleted.
+ (JSC::charToString): Deleted.
+ (JSC::charCodeAtThunkGenerator): Deleted.
+ (JSC::charAtThunkGenerator): Deleted.
+ (JSC::fromCharCodeThunkGenerator): Deleted.
+ (JSC::clz32ThunkGenerator): Deleted.
+ (JSC::sqrtThunkGenerator): Deleted.
+ (JSC::floorThunkGenerator): Deleted.
+ (JSC::ceilThunkGenerator): Deleted.
+ (JSC::truncThunkGenerator): Deleted.
+ (JSC::roundThunkGenerator): Deleted.
+ (JSC::expThunkGenerator): Deleted.
+ (JSC::logThunkGenerator): Deleted.
+ (JSC::absThunkGenerator): Deleted.
+ (JSC::imulThunkGenerator): Deleted.
+ (JSC::randomThunkGenerator): Deleted.
+ (JSC::boundThisNoArgsFunctionCallGenerator): Deleted. + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::getCodePtr): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/ExecutableBase.h: + * runtime/NativeExecutable.cpp: + (JSC::NativeExecutable::finishCreation): + * runtime/NativeFunction.h: + (JSC::TaggedNativeFunction::TaggedNativeFunction): + (JSC::TaggedNativeFunction::operator NativeFunction): + * runtime/PropertySlot.h: + (JSC::PropertySlot::setCustom): + (JSC::PropertySlot::setCacheableCustom): + * runtime/PtrTag.h: + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCustomValue): + (JSC::PutPropertySlot::setCustomAccessor): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::takeSample): + * runtime/VMTraps.cpp: + (JSC::SignalContext::SignalContext): + (JSC::VMTraps::tryInstallTrapBreakpoints): + * tools/SigillCrashAnalyzer.cpp: + (JSC::installCrashHandler): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper): + (JSC::Yarr::YarrGenerator::generateEnter): + +2018-03-30 Devin Rousso + + Web Inspector: tint all pixels drawn by shader program when hovering ShaderProgramTreeElement + https://bugs.webkit.org/show_bug.cgi?id=175223 + + Reviewed by Matt Baker. + + * inspector/protocol/Canvas.json: + Add `setShaderProgramHighlighted` command that will cause a blend to be applied to the + canvas if the given shader program is active immediately before `drawArrays` or `drawElements` + is called. The blend is removed and the previous value is applied once the draw is complete. 
+ +2018-03-30 JF Bastien + + WebAssembly: support DataView compilation + https://bugs.webkit.org/show_bug.cgi?id=183342 + + Reviewed by Mark Lam. + + Compiling a module from a DataView was incorrectly dealing with + DataView's offset. + + * wasm/WasmModuleParser.cpp: + (JSC::Wasm::ModuleParser::parse): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::getWasmBufferFromValue): + (JSC::createSourceBufferFromValue): + * wasm/js/WebAssemblyPrototype.cpp: + (JSC::webAssemblyValidateFunc): + +2018-03-30 Filip Pizlo + + Bytecode generator should not get_from_scope something that may be a hole into a variable that is already live + https://bugs.webkit.org/show_bug.cgi?id=184189 + + Reviewed by JF Bastien. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ResolveNode::emitBytecode): + +2018-03-30 Mark Lam + + Add pointer profiling support to Wasm. + https://bugs.webkit.org/show_bug.cgi?id=184175 + + + Reviewed by JF Bastien. + + * runtime/PtrTag.h: + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addGrowMemory): + (JSC::Wasm::B3IRGenerator::addCall): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + (JSC::Wasm::B3IRGenerator::addOp): + (JSC::Wasm::B3IRGenerator::addOp): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::prepare): + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmBinding.h: + * wasm/WasmFaultSignalHandler.cpp: + (JSC::Wasm::trapHandler): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): + (JSC::Wasm::triggerOMGTierUpThunkGenerator): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + * wasm/js/WebAssemblyFunction.h: + +2018-03-30 Ryan Haddad + + Unreviewed, rolling out r230102. + + Caused assertion failures on JSC bots. 
+ + Reverted changeset: + + "A stack overflow in the parsing of a builtin (called by + createExecutable) cause a crash instead of a catchable js + exception" + https://bugs.webkit.org/show_bug.cgi?id=184074 + https://trac.webkit.org/changeset/230102 + +2018-03-30 Robin Morisset + + Inlining of a function that ends in op_unreachable in a non-tail position triggers an ASSERT + https://bugs.webkit.org/show_bug.cgi?id=183812 + + Reviewed by Keith Miller. + + The fix I landed for https://bugs.webkit.org/show_bug.cgi?id=181027 was flawed: I tried setting the bytecodeIndex for the new block on line 1679 (at the end of inlineCall), but it is going to be reset on line 6612 (in parseCodeBlock). + The fix is simply to make the block untargetable by default, and let parseCodeBlock make it targetable afterwards if it is a jump target. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::allocateTargetableBlock): + (JSC::DFG::ByteCodeParser::inlineCall): + +2018-03-30 Robin Morisset + + A stack overflow in the parsing of a builtin (called by createExecutable) cause a crash instead of a catchable js exception + https://bugs.webkit.org/show_bug.cgi?id=184074 + + + Reviewed by Keith Miller. + + Fixing this requires getting the ParserError (with information about the failure) and an ExecState* (to throw an exception) in the same place. + It is surprisingly painful, with quite a long call stack between the last function with an access to an ExecState* and the first function with the ParserError. + Even worse, many of these functions are generated by macros, themselves generated by a maze of python scripts. + As a result, this patch is grotesquely large, while all it does is adding enough plumbing to throw a proper exception in this specific case. + + There are now bare calls to '.value()' on several paths that may crash. 
It is not a problem in my opinion, since we previously crashed in every case regardless of the path that took us to createExecutable when encountering a stack overflow. + If we ever find an example that can cause these calls to fail, it should be doable to throw a proper exception there too. + + Two other minor changes: + - I removed BuiltinExecutableCreator.{cpp, h} as it was nearly empty, and only used in one place. That place now includes BuiltinExecutables.h directly instead. + - I moved code from ParserError.h into a newly created ParserError.cpp, as I see no need to inline functions that are only used when encountering a parser error, and ParserError.h is now included in quite a few places. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Scripts/builtins/builtins_generate_combined_header.py: + (BuiltinsCombinedHeaderGenerator.generate_forward_declarations): + (ParserError): + (generate_section_for_object): Deleted. + (generate_externs_for_object): Deleted. + (generate_macros_for_object): Deleted. + (generate_section_for_code_table_macro): Deleted. + (generate_section_for_code_name_macro): Deleted. + (generate_section_for_global_private_code_name_macro): Deleted. + * Scripts/builtins/builtins_generate_separate_header.py: + (generate_secondary_header_includes): + * Scripts/builtins/builtins_templates.py: + * Sources.txt: + * builtins/BuiltinExecutableCreator.cpp: Removed. + * builtins/BuiltinExecutableCreator.h: Removed. + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createDefaultConstructor): + (JSC::BuiltinExecutables::createBuiltinExecutable): + (JSC::createBuiltinExecutable): + (JSC::BuiltinExecutables::createExecutableOrCrash): + (JSC::BuiltinExecutables::createExecutable): + * builtins/BuiltinExecutables.h: + * bytecompiler/BytecodeGenerator.h: + * parser/ParserError.cpp: Added. 
+ (JSC::ParserError::toErrorObject): + (JSC::ParserError::throwStackOverflowOrOutOfMemory): + (WTF::printInternal): + * parser/ParserError.h: + (JSC::ParserError::toErrorObject): Deleted. + (WTF::printInternal): Deleted. + * runtime/AsyncIteratorPrototype.cpp: + (JSC::AsyncIteratorPrototype::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSObject.cpp: + (JSC::JSObject::getOwnStaticPropertySlot): + (JSC::JSObject::reifyAllStaticProperties): + * runtime/JSObject.h: + (JSC::JSObject::getOwnNonIndexPropertySlot): + (JSC::JSObject::getOwnPropertySlot): + (JSC::JSObject::getPropertySlot): + * runtime/JSObjectInlines.h: + (JSC::JSObject::getNonIndexPropertySlot): + * runtime/JSTypedArrayViewPrototype.cpp: + (JSC::JSTypedArrayViewPrototype::finishCreation): + * runtime/Lookup.cpp: + (JSC::reifyStaticAccessor): + (JSC::setUpStaticFunctionSlot): + * runtime/Lookup.h: + (JSC::getStaticPropertySlotFromTable): + (JSC::reifyStaticProperty): + * runtime/MapPrototype.cpp: + (JSC::MapPrototype::finishCreation): + * runtime/SetPrototype.cpp: + (JSC::SetPrototype::finishCreation): + * tools/JSDollarVM.cpp: + (JSC::functionCreateBuiltin): + +2018-03-30 Robin Morisset + + Out-of-bounds accesses due to a missing check for MAX_STORAGE_VECTOR_LENGTH in unshiftCountForAnyIndexingType + https://bugs.webkit.org/show_bug.cgi?id=183657 + + + Reviewed by Keith Miller. + + There was just a missing check in unshiftCountForIndexingType. + I've also replaced 'return false' by 'return true' in the case of an 'out-of-memory' exception, because 'return false' means 'please continue to the slow path', + and the slow path has an assert that there is no unhandled exception (line 360 of ArrayPrototype.cpp). + Finally, I made the assert in ensureLength a release assert as it would have caught this bug and prevented it from being a security risk. 
+ + * runtime/ArrayPrototype.cpp: + (JSC::unshift): + * runtime/JSArray.cpp: + (JSC::JSArray::unshiftCountWithAnyIndexingType): + * runtime/JSObject.h: + (JSC::JSObject::ensureLength): + +2018-03-29 Mark Lam + + Add some pointer profiling support to B3 and Air. + https://bugs.webkit.org/show_bug.cgi?id=184165 + + + Reviewed by JF Bastien. + + * b3/B3LowerMacros.cpp: + * b3/B3LowerMacrosAfterOptimizations.cpp: + * b3/B3MathExtras.cpp: + * b3/B3ReduceStrength.cpp: + * b3/air/AirCCallSpecial.cpp: + (JSC::B3::Air::CCallSpecial::generate): + * b3/air/AirCCallSpecial.h: + * b3/testb3.cpp: + (JSC::B3::testCallSimple): + (JSC::B3::testCallRare): + (JSC::B3::testCallRareLive): + (JSC::B3::testCallSimplePure): + (JSC::B3::testCallFunctionWithHellaArguments): + (JSC::B3::testCallFunctionWithHellaArguments2): + (JSC::B3::testCallFunctionWithHellaArguments3): + (JSC::B3::testCallSimpleDouble): + (JSC::B3::testCallSimpleFloat): + (JSC::B3::testCallFunctionWithHellaDoubleArguments): + (JSC::B3::testCallFunctionWithHellaFloatArguments): + (JSC::B3::testLinearScanWithCalleeOnStack): + (JSC::B3::testInterpreter): + (JSC::B3::testLICMPure): + (JSC::B3::testLICMPureSideExits): + (JSC::B3::testLICMPureWritesPinned): + (JSC::B3::testLICMPureWrites): + (JSC::B3::testLICMReadsLocalState): + (JSC::B3::testLICMReadsPinned): + (JSC::B3::testLICMReads): + (JSC::B3::testLICMPureNotBackwardsDominant): + (JSC::B3::testLICMPureFoiledByChild): + (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild): + (JSC::B3::testLICMExitsSideways): + (JSC::B3::testLICMWritesLocalState): + (JSC::B3::testLICMWrites): + (JSC::B3::testLICMFence): + (JSC::B3::testLICMWritesPinned): + (JSC::B3::testLICMControlDependent): + (JSC::B3::testLICMControlDependentNotBackwardsDominant): + (JSC::B3::testLICMControlDependentSideExits): + (JSC::B3::testLICMReadsPinnedWritesPinned): + (JSC::B3::testLICMReadsWritesDifferentHeaps): + (JSC::B3::testLICMReadsWritesOverlappingHeaps): + (JSC::B3::testLICMDefaultCall): + 
(JSC::B3::testShuffleDoesntTrashCalleeSaves): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + * jit/GPRInfo.h: + * runtime/PtrTag.h: + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + +2018-03-29 JF Bastien + + Use Forward.h instead of forward-declaring WTF::String + https://bugs.webkit.org/show_bug.cgi?id=184172 + + + Reviewed by Yusuke Suzuki. + + As part of #184164 I'm changing WTF::String, and the forward + declarations are just wrong because I'm making it templated. We + should use Forward.h anyways, so do that instead. + + * runtime/DateConversion.h: + +2018-03-29 Mark Lam + + Use MacroAssemblerCodePtr in Wasm code for code pointers instead of void*. + https://bugs.webkit.org/show_bug.cgi?id=184163 + + + Reviewed by JF Bastien. + + With the use of MacroAssemblerCodePtr, we now get poisoning for Wasm code pointers. + + Also renamed some structs, methods, and variable names to be more accurate. + Previously, there is some confusion between a code pointer and the address of a + code pointer (sometimes referred to in the code as a "LoadLocation"). We now name + the LoadLocation variables appropriately to distinguish them from code pointers. + + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addCall): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmCodeBlock.cpp: + (JSC::Wasm::CodeBlock::CodeBlock): + * wasm/WasmCodeBlock.h: + (JSC::Wasm::CodeBlock::entrypointLoadLocationFromFunctionIndexSpace): + (JSC::Wasm::CodeBlock::wasmEntrypointLoadLocationFromFunctionIndexSpace): Deleted. + * wasm/WasmFormat.h: + (JSC::Wasm::WasmToWasmImportableFunction::WasmToWasmImportableFunction): + (JSC::Wasm::WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation): + (JSC::Wasm::CallableFunction::CallableFunction): Deleted. 
+ (JSC::Wasm::CallableFunction::offsetOfWasmEntrypointLoadLocation): Deleted. + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::offsetOfWasmEntrypointLoadLocation): + (JSC::Wasm::Instance::offsetOfWasmToEmbedderStub): + (JSC::Wasm::Instance::offsetOfWasmEntrypoint): Deleted. + (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted. + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::Table): + (JSC::Wasm::Table::grow): + (JSC::Wasm::Table::clearFunction): + (JSC::Wasm::Table::setFunction): + * wasm/WasmTable.h: + (JSC::Wasm::Table::offsetOfFunctions): + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::finalizeCreation): + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::setFunction): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::create): + (JSC::WebAssemblyFunction::WebAssemblyFunction): + * wasm/js/WebAssemblyFunction.h: + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyWrapperFunction.cpp: + (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction): + (JSC::WebAssemblyWrapperFunction::create): + * wasm/js/WebAssemblyWrapperFunction.h: + +2018-03-29 Yusuke Suzuki + + Remove WTF_EXPORTDATA and JS_EXPORTDATA + https://bugs.webkit.org/show_bug.cgi?id=184170 + + Reviewed by JF Bastien. + + Replace WTF_EXPORTDATA and JS_EXPORTDATA with + WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE respectively. 
+ + * heap/WriteBarrierSupport.h: + * jit/ExecutableAllocator.cpp: + * jit/ExecutableAllocator.h: + * runtime/JSCPoison.h: + * runtime/JSCell.h: + * runtime/JSExportMacros.h: + * runtime/JSGlobalObject.h: + * runtime/JSObject.h: + * runtime/Options.h: + * runtime/PropertyDescriptor.h: + * runtime/PropertyMapHashTable.h: + * runtime/SamplingCounter.h: + +2018-03-29 Ross Kirsling + + MSVC __forceinline slows down JSC release build fivefold after r229391 + https://bugs.webkit.org/show_bug.cgi?id=184062 + + Reviewed by Alex Christensen. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::marshallArgumentRegister): + Exempt MSVC from a single forced inline used within recursive templates. + +2018-03-29 Keith Miller + + ArrayMode should not try to get the DFG to think it can convert TypedArrays + https://bugs.webkit.org/show_bug.cgi?id=184137 + + Reviewed by Saam Barati. + + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::fromObserved): + +2018-03-29 Commit Queue + + Unreviewed, rolling out r230062. + https://bugs.webkit.org/show_bug.cgi?id=184128 + + Broke mac port. web content process crashes while loading any + web page (Requested by rniwa on #webkit). + + Reverted changeset: + + "MSVC __forceinline slows down JSC release build fivefold + after r229391" + https://bugs.webkit.org/show_bug.cgi?id=184062 + https://trac.webkit.org/changeset/230062 + +2018-03-28 Ross Kirsling + + MSVC __forceinline slows down JSC release build fivefold after r229391 + https://bugs.webkit.org/show_bug.cgi?id=184062 + + Reviewed by Alex Christensen. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::marshallArgumentRegister): + Exempt MSVC from a single forced inline used within recursive templates. + +2018-03-28 Mark Lam + + Enhance ARM64 probe to support pointer profiling. + https://bugs.webkit.org/show_bug.cgi?id=184069 + + + Reviewed by JF Bastien. 
+ + * assembler/MacroAssemblerARM64.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::popPair): + (JSC::MacroAssemblerX86Common::pushPair): + * assembler/testmasm.cpp: + (JSC::testProbeReadsArgumentRegisters): + (JSC::testProbeWritesArgumentRegisters): + * runtime/PtrTag.h: + (JSC::tagForPtr): + +2018-03-28 Robin Morisset + + appendQuotedJSONString stops on arithmetic overflow instead of propagating it upwards + https://bugs.webkit.org/show_bug.cgi?id=183894 + + Reviewed by Saam Barati. + + Use the return value of appendQuotedJSONString to fail more gracefully when given a string that is too large to handle. + + * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): + +2018-03-28 Carlos Garcia Campos + + [JSC] Move WeakValueRef class to its own file and use it from Objc and GLib + https://bugs.webkit.org/show_bug.cgi?id=184073 + + Reviewed by Yusuke Suzuki. + + We currently have duplicated code in Obj and GLib implementations. + + * API/JSManagedValue.mm: + (managedValueHandleOwner): + (-[JSManagedValue initWithValue:]): + * API/JSWeakValue.cpp: Added. + (JSC::JSWeakValue::~JSWeakValue): + (JSC::JSWeakValue::clear): + (JSC::JSWeakValue::isClear const): + (JSC::JSWeakValue::setPrimitive): + (JSC::JSWeakValue::setObject): + (JSC::JSWeakValue::setString): + * API/JSWeakValue.h: Added. + (JSC::JSWeakValue::isSet const): + (JSC::JSWeakValue::isPrimitive const): + (JSC::JSWeakValue::isObject const): + (JSC::JSWeakValue::isString const): + (JSC::JSWeakValue::object const): + (JSC::JSWeakValue::primitive const): + (JSC::JSWeakValue::string const): + * API/glib/JSCWeakValue.cpp: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + +2018-03-27 Carlos Garcia Campos + + [GLIB] Add JSCWeakValue to JavaScriptCore GLib API + https://bugs.webkit.org/show_bug.cgi?id=184041 + + Reviewed by Michael Catanzaro. 
+ + This allows to keep a reference to a JavaSCript value without protecting it, and without having a strong + reference of the context. When the value is cleared the JSCWeakValue::cleared signal is emitted and + jsc_weak_value_get_value() will always return nullptr. + + * API/glib/JSCWeakValue.cpp: Added. + (WeakValueRef::~WeakValueRef): + (WeakValueRef::clear): + (WeakValueRef::isClear const): + (WeakValueRef::isSet const): + (WeakValueRef::isPrimitive const): + (WeakValueRef::isObject const): + (WeakValueRef::isString const): + (WeakValueRef::setPrimitive): + (WeakValueRef::setObject): + (WeakValueRef::setString): + (WeakValueRef::object const): + (WeakValueRef::primitive const): + (WeakValueRef::string const): + (weakValueHandleOwner): + (jscWeakValueInitialize): + (jscWeakValueSetProperty): + (jscWeakValueDispose): + (jsc_weak_value_class_init): + (jsc_weak_value_new): + (jsc_weak_value_get_value): + * API/glib/JSCWeakValue.h: Added. + * API/glib/docs/jsc-glib-4.0-sections.txt: + * API/glib/docs/jsc-glib-docs.sgml: + * API/glib/jsc.h: + * GLib.cmake: + +2018-03-27 Yusuke Suzuki + + [DFG] Remove unnecessary USE(JSVALUE32_64) / USE(JSVALUE64) + https://bugs.webkit.org/show_bug.cgi?id=181292 + + Reviewed by Saam Barati. + + By using JSValueRegs abstraction, we can simplify DFGSpeculativeJIT.cpp code. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): + (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): + (JSC::DFG::SpeculativeJIT::compileCreateRest): + (JSC::DFG::SpeculativeJIT::compileArraySlice): + (JSC::DFG::SpeculativeJIT::emitSwitchImm): + (JSC::DFG::SpeculativeJIT::compilePutDynamicVar): + (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal): + +2018-03-27 Yusuke Suzuki + + Add Load16Z for B3 and use it in WebAssembly + https://bugs.webkit.org/show_bug.cgi?id=165884 + + Reviewed by JF Bastien. + + We already support Load16Z in B3. Use it for i32.load16_u / i64.load16_u in WebAssembly. 
+ spec-tests/memory.wast.js already covered this change. + + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::emitLoadOp): + +2018-03-24 Yusuke Suzuki + + [JSC] Remove repeated iteration of ElementNode + https://bugs.webkit.org/show_bug.cgi?id=183987 + + Reviewed by Keith Miller. + + BytecodeGenerator repeatedly iterates ElementNode to emit the efficient code. + While it is OK for small arrays, this repeated iteration takes much time + if the array is very large. For example, Kraken's initialization code includes + very large array with numeric literals. This makes bytecode compiling so long. + + This patch carefully removes unnecessary iteration when emitting arrays. + This reduces one of Kraken/imaging-darkroom's bytecode compiling from 13.169856 ms + to 9.988050 ms. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitNewArrayBuffer): + (JSC::BytecodeGenerator::emitNewArray): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayNode::emitBytecode): + (JSC::ArrayPatternNode::bindValue const): + (JSC::ArrayPatternNode::emitDirectBinding): + +2018-03-26 Ross Kirsling + + JIT callOperation() needs to support operations that return SlowPathReturnType differently on Windows. + https://bugs.webkit.org/show_bug.cgi?id=183655 + + Reviewed by Keith Miller. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::ArgCollection::argCount): + (JSC::CCallHelpers::marshallArgumentRegister): + (JSC::CCallHelpers::setupArgumentsImpl): + On Win64, ensure that argCount always includes GPRs and FPRs and that counting starts from 1 for SlowPathReturnType. + + * jit/JIT.h: + (JSC::JIT::callOperation): + (JSC::JIT::is64BitType): + (JSC::JIT::is64BitType): + On Win64, ensure special call is used for SlowPathReturnType. + + * jit/JITOperations.h: + Update changed type. + +2018-03-26 Yusuke Suzuki + + We should have SSE4 detection in the X86 MacroAssembler. + https://bugs.webkit.org/show_bug.cgi?id=165363 + + Reviewed by JF Bastien. 
+ + This patch adds popcnt support to WASM in x86_64 environment. + To use it, we refactor our CPUID feature detection in MacroAssemblerX86Common. + Our spec-tests already cover popcnt. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::supportsCountPopulation): + * assembler/MacroAssemblerX86Common.cpp: + (JSC::MacroAssemblerX86Common::getCPUID): + (JSC::MacroAssemblerX86Common::getCPUIDEx): + (JSC::MacroAssemblerX86Common::collectCPUFeatures): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::countPopulation32): + (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding): + (JSC::MacroAssemblerX86Common::supportsCountPopulation): + (JSC::MacroAssemblerX86Common::supportsAVX): + (JSC::MacroAssemblerX86Common::supportsLZCNT): + (JSC::MacroAssemblerX86Common::supportsBMI1): + (JSC::MacroAssemblerX86Common::isSSE2Present): + (JSC::MacroAssemblerX86Common::updateEax1EcxFlags): Deleted. + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::countPopulation64): + * assembler/X86Assembler.h: + (JSC::X86Assembler::popcnt_rr): + (JSC::X86Assembler::popcnt_mr): + (JSC::X86Assembler::popcntq_rr): + (JSC::X86Assembler::popcntq_mr): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addOp): + (JSC::Wasm::B3IRGenerator::addOp): + +2018-03-26 Filip Pizlo + + DFG should know that CreateThis can be effectful + https://bugs.webkit.org/show_bug.cgi?id=184013 + + Reviewed by Saam Barati. + + As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this + is a proxy. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2018-03-25 Saam Barati + + Fix typo in JSC option name + https://bugs.webkit.org/show_bug.cgi?id=184001 + + Reviewed by Mark Lam. + + enableJITDebugAssetions => enableJITDebugAssertions. 
+ + * assembler/MacroAssembler.cpp: + (JSC::MacroAssembler::jitAssert): + * runtime/Options.h: + +2018-03-25 Saam Barati + + r228149 accidentally removed code that resets m_emptyCursor at the end of a GC + https://bugs.webkit.org/show_bug.cgi?id=183995 + + Reviewed by Filip Pizlo. + + The removal of this line of code was unintended and happened during some + refactoring Fil was doing. The consequence of removing this line of code + is that the m_emptyCursor became a monotonically increasing integer, leading + the cursor to usually being out of bounds of the block range (depending on + what the program is doing). This made the functionality of finding an empty + block to steal almost always fail. + + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::prepareForAllocation): + +2018-03-22 Yusuke Suzuki + + [DFG] Introduces fused compare and jump + https://bugs.webkit.org/show_bug.cgi?id=177100 + + Reviewed by Mark Lam. + + This patch introduces op_jeq, op_jneq, op_jstricteq, and op_jnstricteq. + It offers 3 benefit. + + 1. They are introduced due to the similar purpose to op_jless etc. It aligns + op_eq families to op_jless families. + + 2. It reduces the size of bytecode to represent the typical code sequence. + + 3. It offers the way to fuse check and jump in DFG code generation. Since + we have MovHint between Branch and CompareEq/CompareStrictEq previously, + we cannot do this optimization. It reduces the machine code size in DFG too. + + It slightly improves Octane/boyer. 
+ + boyer 6.18038+-0.05002 ^ 6.06990+-0.04176 ^ definitely 1.0182x faster + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/Opcode.h: + (JSC::isBranch): + * bytecode/PreciseJumpTargetsInlines.h: + (JSC::extractStoredJumpTargetsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitJumpIfTrue): + (JSC::BytecodeGenerator::emitJumpIfFalse): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEq): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_jeq): + (JSC::JIT::emit_op_neq): + (JSC::JIT::emit_op_jneq): + (JSC::JIT::compileOpStrictEq): + (JSC::JIT::emit_op_stricteq): + (JSC::JIT::emit_op_nstricteq): + (JSC::JIT::compileOpStrictEqJump): + (JSC::JIT::emit_op_jstricteq): + (JSC::JIT::emit_op_jnstricteq): + (JSC::JIT::emitSlow_op_jstricteq): + (JSC::JIT::emitSlow_op_jnstricteq): + (JSC::JIT::emitSlow_op_jeq): + (JSC::JIT::emitSlow_op_jneq): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::emit_op_jeq): + (JSC::JIT::compileOpEqJumpSlow): + (JSC::JIT::emitSlow_op_jeq): + (JSC::JIT::emit_op_jneq): + (JSC::JIT::emitSlow_op_jneq): + (JSC::JIT::compileOpStrictEq): + (JSC::JIT::emit_op_stricteq): + (JSC::JIT::emit_op_nstricteq): + (JSC::JIT::compileOpStrictEqJump): + (JSC::JIT::emit_op_jstricteq): + (JSC::JIT::emit_op_jnstricteq): + (JSC::JIT::emitSlow_op_jstricteq): + (JSC::JIT::emitSlow_op_jnstricteq): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * 
llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2018-03-24 Yusuke Suzuki + + [JSC] Improve constants and add comments for CodeBlockHash + https://bugs.webkit.org/show_bug.cgi?id=183982 + + Rubber-stamped by Mark Lam. + + * bytecode/CodeBlockHash.cpp: + (JSC::CodeBlockHash::CodeBlockHash): + * bytecode/ParseHash.cpp: + (JSC::ParseHash::ParseHash): + +2018-03-24 Yusuke Suzuki + + [JSC] Add options to report parsing and bytecode compiling times + https://bugs.webkit.org/show_bug.cgi?id=183982 + + Reviewed by Mark Lam. + + This patch adds reportParseTimes and reportBytecodeCompileTimes options. + When they are enabled, JSC reports times consumed for parsing and bytecode + compiling. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/ParseHash.cpp: Added. + (JSC::ParseHash::ParseHash): + * bytecode/ParseHash.h: Added. + (JSC::ParseHash::hashForCall const): + (JSC::ParseHash::hashForConstruct const): + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::generateUnlinkedFunctionCodeBlock): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::generate): + * parser/Parser.h: + (JSC::parse): + * runtime/CodeCache.h: + (JSC::generateUnlinkedCodeBlock): + * runtime/Options.h: + +2018-03-24 Yusuke Suzuki + + [JIT] Drop ENABLE_JIT_VERBOSE flag + https://bugs.webkit.org/show_bug.cgi?id=183983 + + Reviewed by Mark Lam. + + Just use JITInternal::verbose value. + + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + (JSC::JIT::link): + +2018-03-23 Tim Horton + + Fix the build with no pasteboard + https://bugs.webkit.org/show_bug.cgi?id=183973 + + Reviewed by Dan Bernstein. + + * Configurations/FeatureDefines.xcconfig: + +2018-03-23 Mark Lam + + LLInt TypeArray pointer poisoning should not pick its poison dynamically. + https://bugs.webkit.org/show_bug.cgi?id=183942 + + + Reviewed by JF Bastien. + + 1. 
Move the LLInt TypedArray unpoisoning to just before the array access after + all the branches. + 2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code. + 3. Remove a useless instruction in the implementation of emitX86Lea for a global + label. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/x86.rb: + +2018-03-23 Mark Lam + + Add more support for pointer profiling. + https://bugs.webkit.org/show_bug.cgi?id=183943 + + + Reviewed by JF Bastien. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::linkJumpOrCall): + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::repatchNearCall): + (JSC::AbstractMacroAssembler::tagReturnAddress): + (JSC::AbstractMacroAssembler::untagReturnAddress): + +2018-03-23 Yusuke Suzuki + + [WTF] Add standard containers with FastAllocator specialization + https://bugs.webkit.org/show_bug.cgi?id=183789 + + Reviewed by Darin Adler. + + * b3/air/testair.cpp: + * b3/testb3.cpp: + (JSC::B3::testDoubleLiteralComparison): + (JSC::B3::testFloatEqualOrUnorderedFoldingNaN): + * dfg/DFGGraph.h: + * dfg/DFGIntegerCheckCombiningPhase.cpp: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow): + * runtime/FunctionHasExecutedCache.h: + * runtime/TypeLocationCache.h: + +2018-03-23 Yusuke Suzuki + + [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap + https://bugs.webkit.org/show_bug.cgi?id=182960 + + Reviewed by Saam Barati. + + This patch fixes ArrayPush(ArrayStorage)'s abstract heap. + It should always touch ArrayStorage_vector. To unify + vector setting code for the real ArrayStorage_vector and + ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to + annotate this. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): + +2018-03-23 Zan Dobersek + + Unreviewed build fix for GCC 4.9 builds. 
+ + * assembler/MacroAssemblerCodeRef.h: std::is_trivially_copyable<> isn't + supported in 4.9 libstdc++, so wrap the static assert using it in a + COMPILER_SUPPORTS() macro, and use __is_trivially_copyable() builtin, + as is done in bitwise_cast() in StdLibExtras.h. + +2018-03-22 Tim Horton + + Adopt WK_ALTERNATE_FRAMEWORKS_DIR in WebCore + https://bugs.webkit.org/show_bug.cgi?id=183930 + + + Reviewed by Dan Bernstein. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2018-03-22 Mark Lam + + Add placeholder call and jump MacroAssembler emitters that take PtrTag in a register. + https://bugs.webkit.org/show_bug.cgi?id=183914 + + + Reviewed by Saam Barati and JF Bastien. + + This is in preparation for supporting pointer profiling work. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::jump): + (JSC::MacroAssemblerARM::call): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::call): + (JSC::MacroAssemblerARM64::jump): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::jump): + (JSC::MacroAssemblerARMv7::call): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::jump): + (JSC::MacroAssemblerMIPS::call): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::call): + (JSC::MacroAssemblerX86::jump): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::jump): + (JSC::MacroAssemblerX86Common::call): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::call): + (JSC::MacroAssemblerX86_64::jump): + +2018-03-22 Tim Horton + + Improve readability of WebCore's OTHER_LDFLAGS + https://bugs.webkit.org/show_bug.cgi?id=183909 + + + Reviewed by Dan Bernstein. + + * Configurations/Base.xcconfig: + * Configurations/FeatureDefines.xcconfig: + +2018-03-22 Dominik Infuehr + + [ARM] Thumb: Do not decorate bottom bit twice + https://bugs.webkit.org/show_bug.cgi?id=183906 + + Reviewed by Mark Lam. 
+ + Use MacroAssemblerCodePtr::createFromExecutableAddress instead of + MacroAssemblerCodePtr(void*) to avoid decorating the pointer twice as + a thumb pointer. + + * jit/Repatch.cpp: + (JSC::linkPolymorphicCall): + +2018-03-22 Yusuke Suzuki + + [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix + https://bugs.webkit.org/show_bug.cgi?id=183559 + + Reviewed by Mark Lam. + + When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget + to clear NodeMustGenerate for this ToString. It should be since it does not have + any user-observable side effect. This patch clears NodeMustGenerate. + + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + +2018-03-22 Yusuke Suzuki + + [JSC] List up all candidates in DFGCapabilities and FTLCapabilities + https://bugs.webkit.org/show_bug.cgi?id=183897 + + Reviewed by Mark Lam. + + We should not use `default:` clause here since it accidentally catches + the opcode and DFG nodes which should be optimized. For example, + op_super_sampler_begin and op_super_sampler_end are not listed while + they have DFG and FTL backend. + + This patch lists up all candiates in DFGCapabilities and FTLCapabilities. + And we also clean up unnecessary checks in FTLCapabilities. Since we + already handles all the possible array types for these nodes (which can + be checked in DFG's code), we do not need to check array types. + + We also fix FTLLowerDFGToB3' PutByVal code to use modeForPut. + + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): + +2018-03-22 Yusuke Suzuki + + [JSC] Drop op_put_by_index + https://bugs.webkit.org/show_bug.cgi?id=183899 + + Reviewed by Mark Lam. + + This patch drops op_put_by_index. + + 1. This functionality can be just covered by direct put_by_val. + 2. put_by_index is not well optimized. 
It is just calling a C + function. And it does not have DFG handling. + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitPutByIndex): Deleted. + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayNode::emitBytecode): + (JSC::ArrayPatternNode::emitDirectBinding): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_put_by_index): Deleted. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_by_index): Deleted. + * llint/LLIntSlowPaths.cpp: + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + +2018-03-22 Michael Saboff + + Race Condition in arrayProtoFuncReverse() causes wrong results or crash + https://bugs.webkit.org/show_bug.cgi?id=183901 + + Reviewed by Keith Miller. + + Added write barriers to ensure the reversed contents are properly marked. + + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncReverse): + +2018-03-21 Filip Pizlo + + ScopedArguments should do poisoning and index masking + https://bugs.webkit.org/show_bug.cgi?id=183863 + + Reviewed by Mark Lam. + + This outlines the ScopedArguments overflow storage and adds poisoning. 
+ + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateWithGuard): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): + (JSC::DFG::SpeculativeJIT::compileGetArrayLength): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitScopedArgumentsGetByVal): + * runtime/JSCPoison.h: + * runtime/ScopedArguments.cpp: + (JSC::ScopedArguments::ScopedArguments): + (JSC::ScopedArguments::createUninitialized): + (JSC::ScopedArguments::visitChildren): + * runtime/ScopedArguments.h: + +2018-03-21 Mark Lam + + Refactor the PtrTag list as a macro so that we can auto-generate code that enumerates each PtrTag. + https://bugs.webkit.org/show_bug.cgi?id=183861 + + + Reviewed by Filip Pizlo. + + Also added ptrTagName() to aid debugging. ptrTagName() is implemented using this + new PtrTag macro list. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * runtime/PtrTag.cpp: Added. + (JSC::ptrTagName): + * runtime/PtrTag.h: + +2018-03-21 Mark Lam + + Use CodeBlock::instructions()[] and CodeBlock::bytecodeOffset() instead of doing own pointer math. + https://bugs.webkit.org/show_bug.cgi?id=183857 + + + Reviewed by JF Bastien. + + We should avoid doing pointer math with CodeBlock::instructions().begin(). + Instead, we should use the operator[] that comes with CodeBlock::instructions() + for computing an Instruction*, and use CodeBlock::bytecodeOffset() for computing + the bytecode offset of a given Instruction*. These methods will do assertions + which helps catch bugs sooner, plus they are more descriptive of the operation + we're trying to do. 
+ + * bytecode/BytecodeKills.h: + (JSC::BytecodeKills::operandIsKilled const): + (JSC::BytecodeKills::forEachOperandKilledAt const): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::arithProfileForBytecodeOffset): + (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * interpreter/CallFrame.cpp: + (JSC::CallFrame::callSiteBitsAsBytecodeOffset const): + (JSC::CallFrame::currentVPC const): + (JSC::CallFrame::setCurrentVPC): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + * jit/JITInlines.h: + (JSC::JIT::updateTopCallFrame): + (JSC::JIT::copiedInstruction): + * jit/JITOpcodes.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::privateCompileGetByVal): + (JSC::JIT::privateCompileGetByValWithCachedId): + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/SlowPathCall.h: + (JSC::JITSlowPathCall::call): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::llint_trace_operand): + (JSC::LLInt::llint_trace_value): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::setupGetByIdPrototypeCache): Deleted. + (JSC::LLInt::getByVal): Deleted. + (JSC::LLInt::handleHostCall): Deleted. + (JSC::LLInt::setUpCall): Deleted. + (JSC::LLInt::genericCall): Deleted. + (JSC::LLInt::varargsSetup): Deleted. + (JSC::LLInt::llint_throw_stack_overflow_error): Deleted. + (JSC::LLInt::llint_stack_check_at_vm_entry): Deleted. 
+ (JSC::LLInt::llint_write_barrier_slow): Deleted. + (JSC::LLInt::llint_crash): Deleted. + * runtime/SamplingProfiler.cpp: + (JSC::tryGetBytecodeIndex): + +2018-03-21 Keith Miller + + btjs should print the bytecode offset in the stack trace for JS frames + https://bugs.webkit.org/show_bug.cgi?id=183856 + + Reviewed by Filip Pizlo. + + * interpreter/CallFrame.cpp: + (JSC::CallFrame::bytecodeOffset): + (JSC::CallFrame::dump): + +2018-03-21 Carlos Garcia Campos + + Unreviewed. Fix GTK and WPE debug build after r229798. + + Fix a typo in an ASSERT. Also convert several RELEASE_ASSERT to ASSERT that I forgot to do before landing. + + * API/glib/JSCCallbackFunction.cpp: + (JSC::JSCCallbackFunction::JSCCallbackFunction): + * API/glib/JSCContext.cpp: + (jscContextSetVirtualMachine): + (jscContextGetJSContext): + (wrapperMap): + (jscContextHandleExceptionIfNeeded): + * API/glib/JSCValue.cpp: + (jscValueCallFunction): + * API/glib/JSCVirtualMachine.cpp: + (addWrapper): + (removeWrapper): + (jscVirtualMachineSetContextGroup): + (jscVirtualMachineAddContext): + (jscVirtualMachineRemoveContext): + * API/glib/JSCWrapperMap.cpp: + (JSC::WrapperMap::gobjectWrapper): + (JSC::WrapperMap::unwrap): + (JSC::WrapperMap::registerClass): + (JSC::WrapperMap::createJSWrappper): + (JSC::WrapperMap::wrappedObject const): + +2018-03-21 Carlos Garcia Campos + + [GTK][WPE] JSC bindings not introspectable + https://bugs.webkit.org/show_bug.cgi?id=136989 + + Reviewed by Michael Catanzaro. + + Make it possible to include individual headers when building WebKit layer. + + * API/glib/JSCAutocleanups.h: + * API/glib/JSCClass.h: + * API/glib/JSCContext.h: + * API/glib/JSCException.h: + * API/glib/JSCValue.h: + * API/glib/JSCVersion.h.in: + * API/glib/JSCVirtualMachine.h: + +2018-03-21 Carlos Garcia Campos + + [GTK][WPE] Initial implementation of JavaScriptCore glib bindings + https://bugs.webkit.org/show_bug.cgi?id=164061 + + Reviewed by Michael Catanzaro. + + Add initial GLib API for JavaScriptCore. 
+ + * API/JSAPIWrapperObject.h: + * API/glib/JSAPIWrapperObjectGLib.cpp: Added. + (jsAPIWrapperObjectHandleOwner): + (JSAPIWrapperObjectHandleOwner::finalize): + (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): + (JSC::JSCallbackObject::createStructure): + (JSC::JSAPIWrapperObject::JSAPIWrapperObject): + (JSC::JSAPIWrapperObject::finishCreation): + (JSC::JSAPIWrapperObject::setWrappedObject): + (JSC::JSAPIWrapperObject::visitChildren): + * API/glib/JSCAutocleanups.h: Added. + * API/glib/JSCCallbackFunction.cpp: Added. + (JSC::callAsFunction): + (JSC::callAsConstructor): + (JSC::JSCCallbackFunction::create): + (JSC::JSCCallbackFunction::JSCCallbackFunction): + (JSC::JSCCallbackFunction::call): + (JSC::JSCCallbackFunction::construct): + (JSC::JSCCallbackFunction::destroy): + * API/glib/JSCCallbackFunction.h: Added. + (JSC::JSCCallbackFunction::createStructure): + (JSC::JSCCallbackFunction::functionCallback): + (JSC::JSCCallbackFunction::constructCallback): + * API/glib/JSCClass.cpp: Added. + (jscClassGetProperty): + (jscClassSetProperty): + (jscClassDispose): + (jscClassConstructed): + (jsc_class_class_init): + (jscClassCreate): + (jscClassGetJSClass): + (jscClassGetOrCreateJSWrapper): + (jscClassInvalidate): + (jsc_class_get_name): + (jsc_class_get_parent): + (jsc_class_add_constructor): + (jsc_class_add_method): + (jsc_class_add_property): + * API/glib/JSCClass.h: Added. + * API/glib/JSCClassPrivate.h: Added. + * API/glib/JSCContext.cpp: Added. 
+ (ExceptionHandler::ExceptionHandler): + (ExceptionHandler::~ExceptionHandler): + (jscContextSetVirtualMachine): + (jscContextGetProperty): + (jscContextSetProperty): + (jscContextConstructed): + (jscContextDispose): + (jsc_context_class_init): + (jscContextGetOrCreate): + (jscContextGetJSContext): + (wrapperMap): + (jscContextGetOrCreateValue): + (jscContextValueDestroyed): + (jscContextGetJSWrapper): + (jscContextGetOrCreateJSWrapper): + (jscContextWrappedObject): + (jscContextPushCallback): + (jscContextPopCallback): + (jscContextGArrayToJSArray): + (jscContextJSArrayToGArray): + (jscContextGValueToJSValue): + (jscContextJSValueToGValue): + (jsc_context_new): + (jsc_context_new_with_virtual_machine): + (jsc_context_get_virtual_machine): + (jsc_context_get_exception): + (jsc_context_throw): + (jsc_context_throw_exception): + (jsc_context_push_exception_handler): + (jsc_context_pop_exception_handler): + (jscContextHandleExceptionIfNeeded): + (jsc_context_get_current): + (jsc_context_evaluate): + (jsc_context_evaluate_with_source_uri): + (jsc_context_set_value): + (jsc_context_get_value): + (jsc_context_register_class): + * API/glib/JSCContext.h: Added. + * API/glib/JSCContextPrivate.h: Added. + * API/glib/JSCDefines.h: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.h. + * API/glib/JSCException.cpp: Added. + (jscExceptionDispose): + (jsc_exception_class_init): + (jscExceptionCreate): + (jscExceptionGetJSValue): + (jscExceptionEnsureProperties): + (jsc_exception_new): + (jsc_exception_get_message): + (jsc_exception_get_line_number): + (jsc_exception_get_source_uri): + * API/glib/JSCException.h: Added. + * API/glib/JSCExceptionPrivate.h: Added. + * API/glib/JSCGLibWrapperObject.h: Added. + (JSC::JSCGLibWrapperObject::JSCGLibWrapperObject): + (JSC::JSCGLibWrapperObject::~JSCGLibWrapperObject): + (JSC::JSCGLibWrapperObject::object const): + * API/glib/JSCValue.cpp: Added. 
+ (jscValueGetProperty): + (jscValueSetProperty): + (jscValueDispose): + (jsc_value_class_init): + (jscValueGetJSValue): + (jscValueCreate): + (jsc_value_get_context): + (jsc_value_new_undefined): + (jsc_value_is_undefined): + (jsc_value_new_null): + (jsc_value_is_null): + (jsc_value_new_number): + (jsc_value_is_number): + (jsc_value_to_double): + (jsc_value_to_int32): + (jsc_value_new_boolean): + (jsc_value_is_boolean): + (jsc_value_to_boolean): + (jsc_value_new_string): + (jsc_value_is_string): + (jsc_value_to_string): + (jsc_value_new_array): + (jsc_value_new_array_from_garray): + (jsc_value_is_array): + (jsc_value_new_object): + (jsc_value_is_object): + (jsc_value_object_is_instance_of): + (jsc_value_object_set_property): + (jsc_value_object_get_property): + (jsc_value_object_set_property_at_index): + (jsc_value_object_get_property_at_index): + (jscValueCallFunction): + (jsc_value_object_invoke_method): + (jsc_value_object_define_property_data): + (jsc_value_object_define_property_accessor): + (jsc_value_new_function): + (jsc_value_is_function): + (jsc_value_function_call): + (jsc_value_is_constructor): + (jsc_value_constructor_call): + * API/glib/JSCValue.h: Added. + * API/glib/JSCValuePrivate.h: Added. + * API/glib/JSCVersion.cpp: Added. + (jsc_get_major_version): + (jsc_get_minor_version): + (jsc_get_micro_version): + * API/glib/JSCVersion.h.in: Added. + * API/glib/JSCVirtualMachine.cpp: Added. + (addWrapper): + (removeWrapper): + (jscVirtualMachineSetContextGroup): + (jscVirtualMachineEnsureContextGroup): + (jscVirtualMachineDispose): + (jsc_virtual_machine_class_init): + (jscVirtualMachineGetOrCreate): + (jscVirtualMachineGetContextGroup): + (jscVirtualMachineAddContext): + (jscVirtualMachineRemoveContext): + (jscVirtualMachineGetContext): + (jsc_virtual_machine_new): + * API/glib/JSCVirtualMachine.h: Added. + * API/glib/JSCVirtualMachinePrivate.h: Added. + * API/glib/JSCWrapperMap.cpp: Added. 
+ (JSC::WrapperMap::WrapperMap): + (JSC::WrapperMap::~WrapperMap): + (JSC::WrapperMap::gobjectWrapper): + (JSC::WrapperMap::unwrap): + (JSC::WrapperMap::registerClass): + (JSC::WrapperMap::createJSWrappper): + (JSC::WrapperMap::jsWrapper const): + (JSC::WrapperMap::wrappedObject const): + * API/glib/JSCWrapperMap.h: Added. + * API/glib/docs/jsc-glib-4.0-sections.txt: Added. + * API/glib/docs/jsc-glib-4.0.types: Added. + * API/glib/docs/jsc-glib-docs.sgml: Added. + * API/glib/jsc.h: Added. + * CMakeLists.txt: + * GLib.cmake: Added. + * JavaScriptCore.gir.in: Removed. + * PlatformGTK.cmake: + * PlatformWPE.cmake: + * heap/Heap.cpp: + (JSC::Heap::releaseDelayedReleasedObjects): + * heap/Heap.h: + * heap/HeapInlines.h: + (JSC::Heap::releaseSoon): + * javascriptcoregtk.pc.in: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + (JSC::JSGlobalObject::setWrapperMap): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::glibCallbackFunctionStructure const): + (JSC::JSGlobalObject::glibWrapperObjectStructure const): + (JSC::JSGlobalObject::wrapperMap const): + +2018-03-21 Christopher Reid + + Windows 64-bit build fix after r229767 + https://bugs.webkit.org/show_bug.cgi?id=183810 + + Reviewed by Mark Lam. + + Removing an extra parameter in the call to m_assember::call. + + * assembler/MacroAssemblerX86_64.h: + +2018-03-20 Dan Bernstein + + [Xcode] JSVALUE_MODEL is unused + https://bugs.webkit.org/show_bug.cgi?id=183809 + + Reviewed by Tim Horton. + + * Configurations/JavaScriptCore.xcconfig: Removed the unused definition. + +2018-03-20 Tim Horton + + Update the install name for JavaScriptCore when built with WK_ALTERNATE_FRAMEWORKS_DIR + https://bugs.webkit.org/show_bug.cgi?id=183808 + + + Reviewed by Dan Bernstein. 
+ + * Configurations/JavaScriptCore.xcconfig: + +2018-03-20 Tim Horton + + Enable the minimal simulator feature flag when appropriate + https://bugs.webkit.org/show_bug.cgi?id=183807 + + Reviewed by Dan Bernstein. + + * Configurations/FeatureDefines.xcconfig: + +2018-03-20 Saam Barati + + We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer + https://bugs.webkit.org/show_bug.cgi?id=183795 + + + Reviewed by JF Bastien. + + We were just assuming that the constants we were inserting were + always exitOK=true. However, this breaks validation. The exitOK + we emit for the constants in the NewArrayBuffer should respect + the current exit state of the IR we've emitted. This is just IR + bookkeeping since JSConstant is a non-exiting node. + + * dfg/DFGArgumentsEliminationPhase.cpp: + +2018-03-20 Guillaume Emont + + MIPS+Armv7 builds are broken since r229391 + https://bugs.webkit.org/show_bug.cgi?id=183474 + + Reviewed by Yusuke Suzuki. + + Add missing armv7 and mips operations and fix arguments to a call to + operationGetByValCell. This should fix compilation on MIPS and Armv7 + (though it does not implement the missing setupArguments stuff in + CCallHelpers). + + * assembler/MacroAssembler.h: + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::swap): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::swap): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/FPRInfo.h: + +2018-03-20 Tim Horton + + Add and adopt WK_PLATFORM_NAME and adjust default feature defines + https://bugs.webkit.org/show_bug.cgi?id=183758 + + + Reviewed by Dan Bernstein. + + * Configurations/FeatureDefines.xcconfig: + +2018-03-20 Mark Lam + + Improve FunctionPtr and use it in the JIT CallRecord. + https://bugs.webkit.org/show_bug.cgi?id=183756 + + + Reviewed by JF Bastien. + + 1. FunctionPtr hold a C/C++ function pointer by default. Change its default + PtrTag to reflect that. + + 2. 
Delete the FunctionPtr::value() method. It is effectively a duplicate of + executableAddress(). + + 3. Fix the FunctionPtr constructor that takes arbitrary pointers to be able to + take "any" pointer. "any" in this case means that the pointer may not be typed + as a C/C++ function to the C++ compiler (due to upstream casting or usage of + void* as a storage type), but it is still expected to be pointing to a C/C++ + function. + + 4. Added a FunctionPtr constructor that takes another FunctionPtr. This is a + convenience constructor that lets us retag the underlying pointer. The other + FunctionPtr is still expected to point to a C/C++ function. + + 5. Added PtrTag assertion placeholder functions to be implemented later. + + 6. Change the JIT CallRecord to embed a FunctionPtr callee instead of a void* to + pointer. This improves type safety, and assists in getting pointer tagging + right later. + + 7. Added versions of JIT callOperations methods that will take a PtrTag. + This is preparation for more more pointer tagging work later. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::linkCall): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::linkCall): + * assembler/MacroAssemblerCodeRef.h: + (JSC::FunctionPtr::FunctionPtr): + (JSC::FunctionPtr::operator bool const): + (JSC::FunctionPtr::operator! const): + (JSC::ReturnAddressPtr::ReturnAddressPtr): + (JSC::MacroAssemblerCodePtr::retagged const): + (JSC::MacroAssemblerCodeRef::retaggedCode const): + (JSC::FunctionPtr::value const): Deleted. 
+ * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::linkCall): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::linkCall): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): + (JSC::MacroAssemblerX86_64::linkCall): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * ftl/FTLSlowPathCall.cpp: + (JSC::FTL::SlowPathCallContext::makeCall): + * ftl/FTLSlowPathCall.h: + (JSC::FTL::callOperation): + * ftl/FTLThunks.cpp: + (JSC::FTL::osrExitGenerationThunkGenerator): + (JSC::FTL::lazySlowPathGenerationThunkGenerator): + (JSC::FTL::slowPathCallThunkGenerator): + * jit/JIT.cpp: + (JSC::JIT::link): + (JSC::JIT::privateCompileExceptionHandlers): + * jit/JIT.h: + (JSC::CallRecord::CallRecord): + (JSC::JIT::appendCall): + (JSC::JIT::appendCallWithSlowPathReturnType): + (JSC::JIT::callOperation): + (JSC::JIT::callOperationWithProfile): + (JSC::JIT::callOperationWithResult): + (JSC::JIT::callOperationNoExceptionCheck): + (JSC::JIT::callOperationWithCallFrameRollbackOnException): + * jit/JITArithmetic.cpp: + (JSC::JIT::emitMathICFast): + (JSC::JIT::emitMathICSlow): + * jit/JITInlines.h: + (JSC::JIT::emitNakedCall): + (JSC::JIT::emitNakedTailCall): + (JSC::JIT::appendCallWithExceptionCheck): + (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): + (JSC::JIT::appendCallWithCallFrameRollbackOnException): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::privateCompileGetByValWithCachedId): + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_put_by_val): + * jit/Repatch.cpp: + (JSC::linkPolymorphicCall): + * jit/SlowPathCall.h: + (JSC::JITSlowPathCall::JITSlowPathCall): + 
(JSC::JITSlowPathCall::call): + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): + * runtime/PtrTag.h: + (JSC::nextPtrTagID): + (JSC::assertIsCFunctionPtr): + (JSC::assertIsNullOrCFunctionPtr): + (JSC::assertIsNotTagged): + (JSC::assertIsTagged): + (JSC::assertIsNullOrTagged): + (JSC::assertIsTaggedWith): + (JSC::assertIsNullOrTaggedWith): + (JSC::uniquePtrTagID): Deleted. + +2018-03-20 Stanislav Ocovaj + + [MIPS] Optimize generated JIT code for loads/stores + https://bugs.webkit.org/show_bug.cgi?id=183243 + + Reviewed by Yusuke Suzuki. + + JIT generates three MIPS instructions for a load/store from/to an absolute address: + + lui adrTmpReg, address >> 16 + ori adrTmpReg, address & 0xffff + lw dataReg, 0(adrTmpReg) + + Since load/store instructions on MIPS have a 16-bit offset, lower 16 bits of the address can + be encoded into the load/store and ori instruction can be removed: + + lui adrTmpReg, (address + 0x8000) >> 16 + lw dataReg, (address & 0xffff)(adrTmpReg) + + Also, in loads/stores with BaseIndex address, the left shift can be omitted if address.scale is 0. + + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::add32): + (JSC::MacroAssemblerMIPS::add64): + (JSC::MacroAssemblerMIPS::or32): + (JSC::MacroAssemblerMIPS::sub32): + (JSC::MacroAssemblerMIPS::convertibleLoadPtr): + (JSC::MacroAssemblerMIPS::load8): + (JSC::MacroAssemblerMIPS::load8SignedExtendTo32): + (JSC::MacroAssemblerMIPS::load32): + (JSC::MacroAssemblerMIPS::store8): + (JSC::MacroAssemblerMIPS::store32): + (JSC::MacroAssemblerMIPS::branchTest8): + (JSC::MacroAssemblerMIPS::branchAdd32): + (JSC::MacroAssemblerMIPS::loadDouble): + (JSC::MacroAssemblerMIPS::storeDouble): + +2018-03-16 Yusuke Suzuki + + [DFG][FTL] Add vectorLengthHint for NewArray + https://bugs.webkit.org/show_bug.cgi?id=183694 + + Reviewed by Saam Barati. + + While the following code is a common, it is not so efficient. + + var array = []; + for (...) { + ... 
+ array.push(...); + } + + The array is always allocated with 0 vector length. And it is eventually grown. + + We have ArrayAllocationProfile, and it tells us that the vector length hint for + the allocated arrays. This hint is already used for NewArrayBuffer. This patch + extends this support for NewArray DFG node. + + This patch improves Kraken/stanford-crypto-aes 4%. + + baseline patched + + stanford-crypto-aes 64.069+-1.352 61.589+-1.274 might be 1.0403x faster + + NewArray can be optimized. + + baseline patched + + vector-length-hint-new-array 21.8157+-0.0882 ^ 13.1764+-0.0942 ^ definitely 1.6557x faster + vector-length-hint-array-constructor 21.9076+-0.0987 ? 22.1168+-0.4814 ? + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasVectorLengthHint): + (JSC::DFG::Node::vectorLengthHint): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewArray): + +2018-03-13 Yusuke Suzuki + + [DFG][FTL] Make ArraySlice(0) code tight + https://bugs.webkit.org/show_bug.cgi?id=183590 + + Reviewed by Saam Barati. + + This patch tightens ArraySlice code, in particular, startIndex = 0 case. + + 1. We support array.slice() call. This is a well-used way to clone array. + For example, underscore.js uses this technique. + + 2. We remove several checks if the given index value is a proven constant. + + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex): + (JSC::DFG::SpeculativeJIT::compileArraySlice): + We can skip some of checks if the given value is a proven constant. 
+ + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice): + Change below to belowOrEqual. It does not change meaning in the code. But it allows us + to fold BelowEqual(0, x) to true. + +2018-03-19 Yusuke Suzuki + + Drop s_exceptionInstructions static initializer + https://bugs.webkit.org/show_bug.cgi?id=183732 + + Reviewed by Darin Adler. + + Make Instruction constructor constexpr to drop the static constructor + of LLInt::Data::s_exceptionInstructions. + + * bytecode/Instruction.h: + (JSC::Instruction::Instruction): + +2018-03-19 Dan Bernstein + + Investigate why __cpu_indicator_init is used + https://bugs.webkit.org/show_bug.cgi?id=183736 + + Reviewed by Tim Horton. + + __cpu_indicator_init, which is a global initializer, was included in JavaScriptCore because + we were passing the -all_load option to the linker, causing it to bring in all members of + every static library being linked in, including the compiler runtime library. We only need + to load all members of WTF. The linker option for doing that is -force_load, and it requires + a path to the library. To support building against libWTF.a built locally as well as against + the copy that is in the SDK, we add a script build phase that palces a symbolic link to the + appropriate libWTF.a under the DerivedSources directory, and pass the path to that symlink + to the linker. Also, while cleaning up linker flags, make OTHER_LDFLAGS_HIDE_SYMBOLS less + verbose by eliminating every other -Wl, remove redundant -lobjc (libobjc is already listed + in the Link Binary With Libraries build phase), remove long-unsupported -Y,3, and stop + reexporting libobjc. + + * Configurations/JavaScriptCore.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2018-03-19 Jiewen Tan + + Unreviewed, another quick fix for r229699 + + Restricts ENABLE_WEB_AUTHN to only macOS and iOS. + + * Configurations/FeatureDefines.xcconfig: + +2018-03-19 Mark Lam + + FunctionPtr should be passed by value. 
+ https://bugs.webkit.org/show_bug.cgi?id=183746 + + + Reviewed by JF Bastien. + + It's meant to be an encapsulation of a C/C++ function pointer. There are cases + where we use it to pass JIT compiled code (e.g. the VM thunks/stubs), but they are + treated as if they are C/C++ functions. + + Regardless, there's no need to pass it by reference. + + * assembler/MacroAssemblerCodeRef.h: + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::appendCall): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::appendCall): + (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException): + (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult): + (JSC::DFG::SpeculativeJIT::appendCallSetResult): + * jit/JIT.h: + (JSC::JIT::appendCall): + (JSC::JIT::appendCallWithSlowPathReturnType): + * jit/JITInlines.h: + (JSC::JIT::appendCallWithExceptionCheck): + (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): + (JSC::JIT::appendCallWithCallFrameRollbackOnException): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult): + (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile): + +2018-03-15 Ross Kirsling + + Fix MSVC run-time check after r229391. + https://bugs.webkit.org/show_bug.cgi?id=183673 + + Reviewed by Keith Miller. + + Replaces attempted fix from r229424/r229432. + Apparently MSVC doesn't like it when a zero-length std::array is defined without explicit braces. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::clampArrayToSize): + +2018-03-15 Tim Horton + + Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in ANGLE + https://bugs.webkit.org/show_bug.cgi?id=183675 + + + Reviewed by Dan Bernstein. + + * JavaScriptCore.xcodeproj/project.pbxproj: + Don't install the JSC alias if we're installing to an alternate location. + This should have been a part of r229637. 
+ +2018-03-15 Tim Horton + + Add and adopt WK_ALTERNATE_FRAMEWORKS_DIR in JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=183649 + + + Reviewed by Dan Bernstein. + + * Configurations/Base.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + +2018-03-14 Mark Lam + + Enhance the MacroAssembler and LinkBuffer to support pointer profiling. + https://bugs.webkit.org/show_bug.cgi?id=183623 + + + Reviewed by Michael Saboff. + + 1. Added a PtrTag argument to indirect call() and indirect jump() MacroAssembler + emitters to support pointer profiling. + + 2. Also added tagPtr(), untagPtr(), and removePtrTag() placeholder methods. + + 3. Added a PtrTag to LinkBuffer finalizeCodeWithoutDisassembly() and clients. + + 4. Updated clients to pass a PtrTag. For the most part, I just apply NoPtrTag as + a placeholder until we have time to analyze what pointer profile each client + site has later. + + 5. Apply PtrTags to the YarrJIT. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::linkJumpOrCall): + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::getLinkerAddress): + (JSC::AbstractMacroAssembler::tagPtr): + (JSC::AbstractMacroAssembler::untagPtr): + (JSC::AbstractMacroAssembler::removePtrTag): + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::finalizeCodeWithoutDisassembly): + (JSC::LinkBuffer::finalizeCodeWithDisassembly): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::link): + (JSC::LinkBuffer::locationOfNearCall): + (JSC::LinkBuffer::locationOf): + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::jump): + (JSC::MacroAssemblerARM::call): + (JSC::MacroAssemblerARM::readCallTarget): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::call): + (JSC::MacroAssemblerARM64::jump): + (JSC::MacroAssemblerARM64::readCallTarget): + (JSC::MacroAssemblerARM64::linkCall): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::jump): + (JSC::MacroAssemblerARMv7::relativeTableJump): + 
(JSC::MacroAssemblerARMv7::call): + (JSC::MacroAssemblerARMv7::readCallTarget): + * assembler/MacroAssemblerCodeRef.cpp: + (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): + (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): + * assembler/MacroAssemblerCodeRef.h: + (JSC::FunctionPtr::FunctionPtr): + (JSC::FunctionPtr::value const): + (JSC::MacroAssemblerCodePtr:: const): + (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef): + (JSC::MacroAssemblerCodeRef::retaggedCode const): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::jump): + (JSC::MacroAssemblerMIPS::call): + (JSC::MacroAssemblerMIPS::readCallTarget): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::call): + (JSC::MacroAssemblerX86::jump): + (JSC::MacroAssemblerX86::readCallTarget): + * assembler/MacroAssemblerX86Common.cpp: + (JSC::MacroAssembler::probe): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::jump): + (JSC::MacroAssemblerX86Common::call): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::call): + (JSC::MacroAssemblerX86_64::jump): + (JSC::MacroAssemblerX86_64::readCallTarget): + * assembler/testmasm.cpp: + (JSC::compile): + (JSC::invoke): + * b3/B3Compile.cpp: + (JSC::B3::compile): + * b3/B3LowerMacros.cpp: + * b3/air/AirCCallSpecial.cpp: + (JSC::B3::Air::CCallSpecial::generate): + * b3/air/testair.cpp: + * b3/testb3.cpp: + (JSC::B3::invoke): + (JSC::B3::testInterpreter): + (JSC::B3::testEntrySwitchSimple): + (JSC::B3::testEntrySwitchNoEntrySwitch): + (JSC::B3::testEntrySwitchWithCommonPaths): + (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): + (JSC::B3::testEntrySwitchLoop): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/AccessCaseSnippetParams.cpp: + (JSC::SlowPathCallGeneratorWithArguments::generateImpl): + * bytecode/InlineAccess.cpp: + (JSC::linkCodeInline): + (JSC::InlineAccess::rewireStubAsJump): + * bytecode/PolymorphicAccess.cpp: + 
(JSC::AccessGenerationState::emitExplicitExceptionHandler): + (JSC::PolymorphicAccess::regenerate): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compileExceptionHandlers): + (JSC::DFG::JITCompiler::link): + (JSC::DFG::JITCompiler::compileFunction): + (JSC::DFG::JITCompiler::noticeCatchEntrypoint): + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::appendCall): + * dfg/DFGJITFinalizer.cpp: + (JSC::DFG::JITFinalizer::finalize): + (JSC::DFG::JITFinalizer::finalizeFunction): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::emitRestoreArguments): + (JSC::DFG::OSRExit::compileOSRExit): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::handleExitCounts): + (JSC::DFG::osrWriteBarrier): + (JSC::DFG::adjustAndJumpToTarget): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): + (JSC::DFG::SpeculativeJIT::emitSwitchImm): + (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitThunkGenerator): + (JSC::DFG::osrExitGenerationThunkGenerator): + (JSC::DFG::osrEntryThunkGenerator): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeCommon): + * ftl/FTLLazySlowPath.cpp: + (JSC::FTL::LazySlowPath::generate): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::lower): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLSlowPathCall.cpp: + (JSC::FTL::SlowPathCallContext::makeCall): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + (JSC::FTL::osrExitGenerationThunkGenerator): + (JSC::FTL::lazySlowPathGenerationThunkGenerator): + (JSC::FTL::slowPathCallThunkGenerator): + * 
jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::callExceptionFuzz): + (JSC::AssemblyHelpers::debugCall): + * jit/CCallHelpers.cpp: + (JSC::CCallHelpers::ensureShadowChickenPacket): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::jumpToExceptionHandler): + * jit/ExecutableAllocator.cpp: + (JSC::FixedVMPoolExecutableAllocator::jitWriteThunkGenerator): + * jit/JIT.cpp: + (JSC::JIT::emitEnterOptimizationCheck): + (JSC::JIT::link): + (JSC::JIT::privateCompileExceptionHandlers): + * jit/JIT.h: + (JSC::JIT::appendCall): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + (JSC::JIT::emit_op_switch_string): + (JSC::JIT::emitSlow_op_loop_hint): + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + (JSC::JIT::emit_op_switch_string): + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::privateCompileGetByVal): + (JSC::JIT::privateCompileGetByValWithCachedId): + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::stringGetByValStubGenerator): + * jit/JITStubRoutine.h: + * jit/Repatch.cpp: + (JSC::readCallTarget): + (JSC::appropriateOptimizingPutByIdFunction): + (JSC::linkPolymorphicCall): + (JSC::resetPutByID): + * jit/SlowPathCall.h: + (JSC::JITSlowPathCall::call): + * jit/SpecializedThunkJIT.h: + (JSC::SpecializedThunkJIT::finalize): + (JSC::SpecializedThunkJIT::callDoubleToDouble): + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromCallSlowPathGenerator): + (JSC::slowPathFor): + (JSC::linkCallThunkGenerator): + (JSC::linkPolymorphicCallThunkGenerator): + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + (JSC::arityFixupGenerator): + (JSC::unreachableGenerator): + 
(JSC::boundThisNoArgsFunctionCallGenerator): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + (JSC::LLInt::functionForCallEntryThunkGenerator): + (JSC::LLInt::functionForConstructEntryThunkGenerator): + (JSC::LLInt::functionForCallArityCheckThunkGenerator): + (JSC::LLInt::functionForConstructArityCheckThunkGenerator): + (JSC::LLInt::evalEntryThunkGenerator): + (JSC::LLInt::programEntryThunkGenerator): + (JSC::LLInt::moduleProgramEntryThunkGenerator): + * runtime/PtrTag.h: + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addCall): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): + (JSC::Wasm::triggerOMGTierUpThunkGenerator): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::loadFromFrameAndJump): + (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels): + (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper): + (JSC::Yarr::YarrGenerator::generateEnter): + (JSC::Yarr::YarrGenerator::YarrGenerator): + (JSC::Yarr::YarrGenerator::compile): + (JSC::Yarr::jitCompile): + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::execute): + +2018-03-14 Caitlin Potter + + [JSC] fix order of evaluation for ClassDefinitionEvaluation + https://bugs.webkit.org/show_bug.cgi?id=183523 + + Reviewed by Keith Miller. + + Computed property names need to be evaluated in source order during class + definition evaluation, as it's observable (and specified to work this way). + + This change improves compatibility with Chromium. 
+ + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitDefineClassElements): + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitBytecode): + (JSC::ClassExprNode::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createClassExpr): + (JSC::ASTBuilder::createGetterOrSetterProperty): + (JSC::ASTBuilder::createProperty): + * parser/NodeConstructors.h: + (JSC::PropertyNode::PropertyNode): + (JSC::ClassExprNode::ClassExprNode): + * parser/Nodes.cpp: + (JSC::PropertyListNode::hasStaticallyNamedProperty): + * parser/Nodes.h: + (JSC::PropertyNode::isClassProperty const): + (JSC::PropertyNode::isStaticClassProperty const): + (JSC::PropertyNode::isInstanceClassProperty const): + * parser/Parser.cpp: + (JSC::Parser::parseClass): + (JSC::Parser::parseProperty): + (JSC::Parser::parseGetterSetter): + * parser/Parser.h: + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createClassExpr): + (JSC::SyntaxChecker::createProperty): + (JSC::SyntaxChecker::createGetterOrSetterProperty): + +2018-03-14 Keith Miller + + Move jsc CLI breakpoint function to $vm + https://bugs.webkit.org/show_bug.cgi?id=183512 + + Reviewed by Yusuke Suzuki. + + * jsc.cpp: + (GlobalObject::finishCreation): + (functionBreakpoint): Deleted. + * tools/JSDollarVM.cpp: + (JSC::functionBreakpoint): + (JSC::JSDollarVM::finishCreation): + +2018-03-14 Tim Horton + + Fix the build after r229567 + + * Configurations/FeatureDefines.xcconfig: + +2018-03-12 Mark Lam + + Gardening: speculative build fix for WinCairo. + https://bugs.webkit.org/show_bug.cgi?id=183573 + + Not reviewed. + + * runtime/NativeFunction.h: + (JSC::TaggedNativeFunction::TaggedNativeFunction): + +2018-03-12 Yusuke Suzuki + + Unreviewed, fix obsolete ASSERT + https://bugs.webkit.org/show_bug.cgi?id=183310 + + Now NewObject can be conereted from CallObjectConstructor and CreateThis. 
+ + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToNewObject): + +2018-03-12 Tim Horton + + Stop using SDK conditionals to control feature definitions + https://bugs.webkit.org/show_bug.cgi?id=183430 + + + Reviewed by Dan Bernstein. + + * Configurations/FeatureDefines.xcconfig: + * Configurations/WebKitTargetConditionals.xcconfig: Renamed. + +2018-03-12 Yoav Weiss + + Runtime flag for link prefetch and remove link subresource. + https://bugs.webkit.org/show_bug.cgi?id=183540 + + Reviewed by Chris Dumez. + + Remove the LINK_PREFETCH build time flag. + + * Configurations/FeatureDefines.xcconfig: + +2018-03-12 Mark Lam + + Gardening: speculative build fix for Windows. + https://bugs.webkit.org/show_bug.cgi?id=183573 + + Not reviewed. + + * runtime/NativeFunction.h: + (JSC::TaggedNativeFunction::TaggedNativeFunction): + +2018-03-12 Mark Lam + + Add another PtrTag. + https://bugs.webkit.org/show_bug.cgi?id=183580 + + + Reviewed by Keith Miller. + + * runtime/PtrTag.h: + +2018-03-12 Mark Lam + + Make a NativeFunction into a class to support pointer profiling. + https://bugs.webkit.org/show_bug.cgi?id=183573 + + + Reviewed by Filip Pizlo. + + 1. NativeFunction is now a class, and introducing RawNativeFunction and + TaggedNativeFunction. + + RawNativeFunction is the raw pointer type (equivalent + to the old definition of NativeFunction). This is mainly used for underlying + storage inside the NativeFunction class, and also for global data tables that + cannot embed non-trivially constructed objects. + + NativeFunction's role is mainly to encapsulate a pointer to a C function that + we pass into the VM. + + TaggedNativeFunction encapsulates the tagged version of a pointer to a C + function that we track in the VM. + + 2. Added a convenience constructor for TrustedImmPtr so that we don't have to + cast function pointers to void* anymore when constructing a TrustedImmPtr. + + 3. Removed the unused CALL_RETURN macro in CommonSlowPaths.cpp. + + 4. 
Added more PtrTag utility functions. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr): + * create_hash_table: + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + * interpreter/InterpreterInlines.h: + (JSC::Interpreter::getOpcodeID): + * jit/JITThunks.cpp: + (JSC::JITThunks::hostFunctionStub): + * jit/JITThunks.h: + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + * llint/LowLevelInterpreter64.asm: + * offlineasm/ast.rb: + * runtime/CallData.h: + * runtime/CommonSlowPaths.cpp: + * runtime/ConstructData.h: + * runtime/InternalFunction.h: + (JSC::InternalFunction::nativeFunctionFor): + * runtime/JSCell.cpp: + (JSC::JSCell::getCallData): + (JSC::JSCell::getConstructData): + * runtime/JSFunction.h: + * runtime/JSFunctionInlines.h: + (JSC::JSFunction::nativeFunction): + (JSC::JSFunction::nativeConstructor): + (JSC::isHostFunction): + * runtime/Lookup.h: + (JSC::HashTableValue::function const): + (JSC::HashTableValue::accessorGetter const): + (JSC::HashTableValue::accessorSetter const): + (JSC::nonCachingStaticFunctionGetter): + * runtime/NativeExecutable.cpp: + (JSC::NativeExecutable::create): + (JSC::NativeExecutable::NativeExecutable): + * runtime/NativeExecutable.h: + * runtime/NativeFunction.h: Added. + (JSC::NativeFunction::NativeFunction): + (JSC::NativeFunction::operator intptr_t const): + (JSC::NativeFunction::operator bool const): + (JSC::NativeFunction::operator! 
const): + (JSC::NativeFunction::operator== const): + (JSC::NativeFunction::operator!= const): + (JSC::NativeFunction::operator()): + (JSC::NativeFunction::rawPointer const): + (JSC::NativeFunctionHash::hash): + (JSC::NativeFunctionHash::equal): + (JSC::TaggedNativeFunction::TaggedNativeFunction): + (JSC::TaggedNativeFunction::operator bool const): + (JSC::TaggedNativeFunction::operator! const): + (JSC::TaggedNativeFunction::operator== const): + (JSC::TaggedNativeFunction::operator!= const): + (JSC::TaggedNativeFunction::operator()): + (JSC::TaggedNativeFunction::operator NativeFunction): + (JSC::TaggedNativeFunction::rawPointer const): + (JSC::TaggedNativeFunctionHash::hash): + (JSC::TaggedNativeFunctionHash::equal): + * runtime/PtrTag.h: + (JSC::tagCFunctionPtr): + (JSC::untagCFunctionPtr): + * runtime/VM.h: + (JSC::VM::targetMachinePCForThrowOffset): Deleted. + +2018-03-12 Filip Pizlo + + Unreviewed, fix simple goof that was causing 32-bit DFG crashes. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): + +2018-03-11 Yusuke Suzuki + + [DFG] AI should convert CreateThis to NewObject if the prototype object is proved + https://bugs.webkit.org/show_bug.cgi?id=183310 + + Reviewed by Filip Pizlo. + + This patch implements CreateThis -> NewObject conversion in AI if the given function is constant. + This contributes to 6% win in Octane/raytrace. + + baseline patched + + raytrace x2 1.19915+-0.01862 ^ 1.13156+-0.01589 ^ definitely 1.0597x faster + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + +2018-03-11 Wenson Hsieh + + Disable Sigill crash analyzer on watchOS + https://bugs.webkit.org/show_bug.cgi?id=183548 + + + Reviewed by Mark Lam. + + Sigill is not supported on watchOS. 
+ + * runtime/Options.cpp: + (JSC::overrideDefaults): + +2018-03-09 Filip Pizlo + + Split DirectArguments into JSValueOOB and JSValueStrict parts + https://bugs.webkit.org/show_bug.cgi?id=183458 + + Reviewed by Yusuke Suzuki. + + Our Spectre plan for JSValue objects is to allow inline JSValue stores and loads guarded by + unmitigated structure checks. This works because objects reachable from JSValues (i.e. JSValue + objects, like String, Symbol, and any descendant of JSObject) will only contain fields that it's OK + to read and write within a Spectre mitigation window. Writes are important, because within the + window, a write could appear to be made speculatively and rolled out later. This means that: + + - JSValue objects cannot have lengths, masks, or anything else inline. + + - JSValue objects cannot have an inline type that is used as part of a Spectre mitigation for a type + check, unless that type is in the form of a poison key. + + This means that the dynamic poisoning that I previously landed for DirectArguments is wrong. It also + means that it's wrong for DirectArguments to have an inline length. + + This changes DirectArguments to use poisoning according to the universal formula: + + - The random accessed portions are out-of-line, pointed to by a poisoned pointer. + + - No inline length. + + Surprisingly, this is perf-neutral. It's probably perf-neutral because our compiler optimizations + amortize whatever cost there was. + + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateWithGuard): + * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h: + (JSC::DFG::CallCreateDirectArgumentsSlowPathGenerator::CallCreateDirectArgumentsSlowPathGenerator): + * dfg/DFGCallCreateDirectArgumentsWithKnownLengthSlowPathGenerator.h: Added. 
+ (JSC::DFG::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator::CallCreateDirectArgumentsWithKnownLengthSlowPathGenerator): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): + (JSC::DFG::SpeculativeJIT::compileGetArrayLength): + (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): + (JSC::DFG::SpeculativeJIT::compileGetFromArguments): + (JSC::DFG::SpeculativeJIT::compilePutToArguments): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments): + (JSC::FTL::DFG::LowerDFGToB3::compileGetFromArguments): + (JSC::FTL::DFG::LowerDFGToB3::compilePutToArguments): + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedHeapCell): + (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): Deleted. + (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): Deleted. 
+ * heap/SecurityKind.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_from_arguments): + (JSC::JIT::emit_op_put_to_arguments): + (JSC::JIT::emitDirectArgumentsGetByVal): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_from_arguments): + (JSC::JIT::emit_op_put_to_arguments): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/DirectArguments.cpp: + (JSC::DirectArguments::DirectArguments): + (JSC::DirectArguments::createUninitialized): + (JSC::DirectArguments::create): + (JSC::DirectArguments::createByCopying): + (JSC::DirectArguments::estimatedSize): + (JSC::DirectArguments::visitChildren): + (JSC::DirectArguments::overrideThings): + (JSC::DirectArguments::copyToArguments): + (JSC::DirectArguments::mappedArgumentsSize): + * runtime/DirectArguments.h: + * runtime/JSCPoison.h: + * runtime/JSLexicalEnvironment.h: + * runtime/JSSymbolTableObject.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2018-03-11 Yusuke Suzuki + + [B3] Above/Below should be strength-reduced for comparison with 0 + https://bugs.webkit.org/show_bug.cgi?id=183543 + + Reviewed by Filip Pizlo. + + Above(0, x) and BelowEqual(0, x) can be converted to constants false and true respectively. + This can be seen in ArraySlice(0) case: `Select(Above(0, length), length, 0)` this should + be converted to `0`. This patch adds such a folding to comparisons. + + We also fix B3ReduceStrength issue creating an orphan value. If a flipped value is folded to + a constant, we do not insert flipped value and make it an orphan. This issue causes JSC test + failure with this B3Const32/64Value change. With this patch, we create a flipped value only + when we fail to fold it to a constant. 
+ + * b3/B3Const32Value.cpp: + (JSC::B3::Const32Value::lessThanConstant const): + (JSC::B3::Const32Value::greaterThanConstant const): + (JSC::B3::Const32Value::lessEqualConstant const): + (JSC::B3::Const32Value::greaterEqualConstant const): + (JSC::B3::Const32Value::aboveConstant const): + (JSC::B3::Const32Value::belowConstant const): + (JSC::B3::Const32Value::aboveEqualConstant const): + (JSC::B3::Const32Value::belowEqualConstant const): + * b3/B3Const64Value.cpp: + (JSC::B3::Const64Value::lessThanConstant const): + (JSC::B3::Const64Value::greaterThanConstant const): + (JSC::B3::Const64Value::lessEqualConstant const): + (JSC::B3::Const64Value::greaterEqualConstant const): + (JSC::B3::Const64Value::aboveConstant const): + (JSC::B3::Const64Value::belowConstant const): + (JSC::B3::Const64Value::aboveEqualConstant const): + (JSC::B3::Const64Value::belowEqualConstant const): + * b3/B3ReduceStrength.cpp: + * b3/testb3.cpp: + (JSC::B3::int64Operands): + (JSC::B3::int32Operands): + +2018-03-10 Yusuke Suzuki + + [FTL] Drop NewRegexp for String.prototype.match with RegExp + global flag + https://bugs.webkit.org/show_bug.cgi?id=181848 + + Reviewed by Sam Weinig. + + In r181535, we support `string.match(/nonglobal/)` code. However, `string.match(/global/g)` is not + optimized since it sets `lastIndex` value before performing RegExp operation. + + This patch optimizes the above "with a global flag" case by emitting `SetRegExpObjectLastIndex` properly. + RegExpMatchFast is converted to SetRegExpObjectLastIndex and RegExpMatchFastGlobal. The latter node + just holds RegExp (not RegExpObject) cell so that it can offer a chance to make NewRegexp PhantomNewRegexp + in object allocation sinking phase. + + Added microbenchmarks shows that this patch makes NewRegexp PhantomNewRegexp even if the given RegExp + has a global flag. And it improves the performance. 
+
+ baseline patched
+
+ regexp-u-global-es5 44.1298+-4.6128 ^ 33.7920+-2.0110 ^ definitely 1.3059x faster
+ regexp-u-global-es6 182.3272+-2.2861 ^ 154.3414+-7.6769 ^ definitely 1.1813x faster
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::convertToRegExpMatchFastGlobal):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::hasCellOperand):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatchFastGlobal):
+ * runtime/RegExpObject.cpp:
+ (JSC::collectMatches): Deleted.
+ * runtime/RegExpObject.h:
+ * runtime/RegExpObjectInlines.h:
+ (JSC::RegExpObject::execInline):
+ (JSC::RegExpObject::matchInline):
+ (JSC::advanceStringUnicode):
+ (JSC::collectMatches):
+ (JSC::RegExpObject::advanceStringUnicode): Deleted.
+ * runtime/RegExpPrototype.cpp:
+ (JSC::advanceStringIndex):
+
+2018-03-10 Yusuke Suzuki
+
+ B3::reduceStrength should canonicalize integer comparisons
+ https://bugs.webkit.org/show_bug.cgi?id=150958
+
+ Reviewed by Filip Pizlo.
+
+ This patch sorts operands of comparisons by flipping opcode.
For example, `Above(0, @2)` is
+ converted to `Below(@2, 0)`. This sorting is the same to handleCommutativity rule. Since we
+ canonicalize comparisons to have constant value at least on the right hand side, we can
+ remove pattern matchings checking leftImm in B3LowerToAir.
+
+ Since this flipping changes the opcode of the value, to achieve safely, we just create a
+ new value which has flipped opcode and swapped operands. If we can fold it to a constant,
+ we replace m_value with this constant. If we fail to fold it to constant, we replace
+ m_value with the flipped one.
+
+ These comparisons are already handled in testb3.
+
+ * b3/B3LowerToAir.cpp:
+ * b3/B3ReduceStrength.cpp:
+
+2018-03-09 Mark Lam
+
+ offlineasm should reset the Assembler's working state before doing another pass for a new target.
+ https://bugs.webkit.org/show_bug.cgi?id=183538
+
+
+ Reviewed by Michael Saboff.
+
+ * llint/LowLevelInterpreter.cpp:
+ * offlineasm/asm.rb:
+ * offlineasm/cloop.rb:
+
+2018-03-09 Brian Burg
+
+ Web Inspector: there should only be one way for async backend commands to send failure
+ https://bugs.webkit.org/show_bug.cgi?id=183524
+
+ Reviewed by Timothy Hatcher.
+
+ If this is an async command, errors should be reported with BackendDispatcher::CallbackBase::sendFailure.
+ To avoid mixups, don't include the ErrorString out-parameter in generated async command signatures.
+ This change only affects interfaces generated for C++ backend dispatchers.
+
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
+ (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+
+2018-03-09 Mark Lam
+
+ Build fix after r229476.
+ https://bugs.webkit.org/show_bug.cgi?id=183488
+
+ Not reviewed.
+
+ * runtime/StackAlignment.h:
+
+2018-03-09 Mark Lam
+
+ [Re-landing] Add support for ARM64E.
+ https://bugs.webkit.org/show_bug.cgi?id=183398
+
+
+ Reviewed by Michael Saboff.
+
+ * assembler/MacroAssembler.h:
+ * llint/LLIntOfflineAsmConfig.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/backends.rb:
+
+2018-03-09 Mark Lam
+
+ [Re-landing] Prepare LLInt code to support pointer profiling.
+ https://bugs.webkit.org/show_bug.cgi?id=183387
+
+
+ Reviewed by JF Bastien.
+
+ 1. Introduced PtrTag enums for supporting pointer profiling later.
+
+ 2. Also introduced tagging, untagging, retagging, and tag removal placeholder
+ template functions for the same purpose.
+
+ 3. Prepare the offlineasm for supporting pointer profiling later.
+
+ 4. Tagged some pointers in LLInt asm code. Currently, these should have no
+ effect on behavior.
+
+ 5. Removed returnToThrowForThrownException() because it is not used anywhere.
+
+ 6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's
+ easier to view and edit these files in Xcode.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/LLIntCallLinkInfo.h:
+ (JSC::LLIntCallLinkInfo::unlink):
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::initialize):
+ * llint/LLIntData.h:
+ * llint/LLIntExceptions.cpp:
+ (JSC::LLInt::returnToThrowForThrownException): Deleted.
+ * llint/LLIntExceptions.h:
+ * llint/LLIntOfflineAsmConfig.h:
+ * llint/LLIntOffsetsExtractor.cpp:
+ * llint/LLIntPCRanges.h:
+ (JSC::LLInt::isLLIntPC):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::setUpCall):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/ast.rb:
+ * offlineasm/instructions.rb:
+ * offlineasm/risc.rb:
+ * runtime/PtrTag.h: Added.
+ (JSC::uniquePtrTagID):
+ (JSC::ptrTag):
+ (JSC::tagCodePtr):
+ (JSC::untagCodePtr):
+ (JSC::retagCodePtr):
+ (JSC::removeCodePtrTag):
+
+2018-03-09 Mark Lam
+
+ Remove unused LLINT_STATS feature.
+ https://bugs.webkit.org/show_bug.cgi?id=183522
+
+
+ Rubber-stamped by Keith Miller.
+
+ We haven't used this in a while, and it is one more option that makes offlineasm
+ build slower. We can always re-introduce this later if we need it.
+
+ * jsc.cpp:
+ * llint/LLIntCommon.h:
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::initialize):
+ (JSC::LLInt::Data::finalizeStats): Deleted.
+ (JSC::LLInt::compareStats): Deleted.
+ (JSC::LLInt::Data::dumpStats): Deleted.
+ (JSC::LLInt::Data::ensureStats): Deleted.
+ (JSC::LLInt::Data::loadStats): Deleted.
+ (JSC::LLInt::Data::resetStats): Deleted.
+ (JSC::LLInt::Data::saveStats): Deleted.
+ * llint/LLIntData.h:
+ (): Deleted.
+ (JSC::LLInt::Data::opcodeStats): Deleted.
+ * llint/LLIntOfflineAsmConfig.h:
+ * llint/LLIntSlowPaths.cpp:
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Options.cpp:
+ (JSC::Options::isAvailable):
+ (JSC::recomputeDependentOptions):
+ * runtime/Options.h:
+ * runtime/TestRunnerUtils.cpp:
+ (JSC::finalizeStatsAtEndOfTesting):
+
+2018-03-09 Michael Saboff
+
+ Relanding "testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64"
+ https://bugs.webkit.org/show_bug.cgi?id=183488
+
+ It applied and built just fine locally.
+
+ * assembler/testmasm.cpp:
+ (JSC::testBranchTruncateDoubleToInt32):
+
+2018-03-09 Yusuke Suzuki
+
+ Unreviewed, remove WebAssemblyFunctionType
+ https://bugs.webkit.org/show_bug.cgi?id=183429
+
+ Drop WebAssemblyFunctionType since it is no longer used. This breaks
+ JSCast assumption that all the derived classes of JSFunction use
+ JSFunctionType. We also add ASSERT for JSFunction::finishCreation.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::finishCreation):
+ * runtime/JSType.h:
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::createStructure):
+ * wasm/js/WebAssemblyFunction.h:
+
+2018-03-09 Ryan Haddad
+
+ Unreviewed, rolling out r229446.
+
+ This change relies on changes that have been rolled out.
+
+ Reverted changeset:
+
+ "testmasm crashes in testBranchTruncateDoubleToInt32() on
+ ARM64"
+ https://bugs.webkit.org/show_bug.cgi?id=183488
+ https://trac.webkit.org/changeset/229446
+
+2018-03-08 Chris Dumez
+
+ Safari not handling undefined global variables with same name as element Id correctly.
+ https://bugs.webkit.org/show_bug.cgi?id=183087
+
+
+ Reviewed by Ryosuke Niwa.
+
+ global variables (var foo;) should not be hidden by:
+ - Named properties
+ - Properties on the prototype chain
+
+ Therefore, we now have JSGlobalObject::addVar() call JSGlobalObject::addGlobalVar()
+ if !hasOwnProperty() instead of !hasProperty.
+
+ This aligns our behavior with Chrome and Firefox.
+
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::addVar):
+
+2018-03-08 Commit Queue
+
+ Unreviewed, rolling out r229354 and r229364.
+ https://bugs.webkit.org/show_bug.cgi?id=183492
+
+ Breaks internal builds (Requested by ryanhaddad on #webkit).
+
+ Reverted changesets:
+
+ "Prepare LLInt code to support pointer profiling."
+ https://bugs.webkit.org/show_bug.cgi?id=183387
+ https://trac.webkit.org/changeset/229354
+
+ "Add support for ARM64E."
+ https://bugs.webkit.org/show_bug.cgi?id=183398
+ https://trac.webkit.org/changeset/229364
+
+2018-03-08 Michael Saboff
+
+ testmasm crashes in testBranchTruncateDoubleToInt32() on ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=183488
+
+ Reviewed by Mark Lam.
+
+ Using stackAlignmentBytes() will keep the stack properly aligned.
+
+ * assembler/testmasm.cpp:
+ (JSC::testBranchTruncateDoubleToInt32):
+
+2018-03-08 Michael Saboff
+
+ Emit code to zero the stack frame on function entry
+ Nhttps://bugs.webkit.org/show_bug.cgi?id=183391
+
+ Reviewed by Mark Lam.
+
+ Added code to zero incoming stack frame behind a new JSC option, zeroStackFrame.
+ The default setting of the option is off.
+
+ Did some minor refactoring of the YarrJIT stack alignment code.
+
+ * b3/air/AirCode.cpp:
+ (JSC::B3::Air::defaultPrologueGenerator):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrEntryThunkGenerator):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::clearStackFrame):
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/Options.h:
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::ialignCallFrameSizeInBytesnitCallFrame):
+ (JSC::Yarr::YarrGenerator::initCallFrame):
+ (JSC::Yarr::YarrGenerator::removeCallFrame):
+
+2018-03-08 Keith Miller
+
+ Unreviewed, another attempt at fixing the Windows build.
+ I guess the pragma must be outside the function...
+
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::clampArrayToSize):
+
+2018-03-08 Keith Miller
+
+ Unreviewed, one last try at fixing the windows build before rollout.
+
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::clampArrayToSize):
+
+2018-03-08 Yusuke Suzuki
+
+ [JSC] Optimize inherits if T is final type
+ https://bugs.webkit.org/show_bug.cgi?id=183435
+
+ Reviewed by Mark Lam.
+
+ If the type T is a final type (`std::is_final::value == true`), there is no
+ classes which is derived from T. It means that `jsDynamicCast` only needs
+ to check the given cell's `classInfo(vm)` is `T::info()`.
+
+ This patch adds a new specialization for jsDynamicCast / inherits for a
+ final type. And we also add `final` annotations to JS cell types in JSC. This
+ offers,
+
+ 1. Readability. If the given class is annotated with `final`, we do not need to
+ consider about the derived classes of T.
+
+ 2. Static Checking. If your class is not intended to be used as a base class, attaching
+ `final` can ensure this invariant.
+
+ 3. Performance. jsDynamicCast and inherits can be optimized and the code size should
+ be smaller.
+
+ * API/JSCallbackConstructor.h:
+ (JSC::JSCallbackConstructor::create): Deleted.
+ (JSC::JSCallbackConstructor::classRef const): Deleted.
+ (JSC::JSCallbackConstructor::callback const): Deleted.
+ (JSC::JSCallbackConstructor::createStructure): Deleted.
+ (JSC::JSCallbackConstructor::constructCallback): Deleted.
+ * API/JSCallbackFunction.h:
+ (JSC::JSCallbackFunction::createStructure): Deleted.
+ (JSC::JSCallbackFunction::functionCallback): Deleted.
+ * API/JSCallbackObject.h:
+ (JSC::JSCallbackObject::create): Deleted.
+ (JSC::JSCallbackObject::destroy): Deleted.
+ (JSC::JSCallbackObject::classRef const): Deleted.
+ (JSC::JSCallbackObject::getPrivateProperty const): Deleted.
+ (JSC::JSCallbackObject::setPrivateProperty): Deleted.
+ (JSC::JSCallbackObject::deletePrivateProperty): Deleted.
+ (JSC::JSCallbackObject::visitChildren): Deleted.
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/ExecutableToCodeBlockEdge.h:
+ (JSC::ExecutableToCodeBlockEdge::subspaceFor): Deleted.
+ (JSC::ExecutableToCodeBlockEdge::codeBlock const): Deleted.
+ (JSC::ExecutableToCodeBlockEdge::unwrap): Deleted.
+ * bytecode/FunctionCodeBlock.h:
+ (JSC::FunctionCodeBlock::subspaceFor): Deleted.
+ (JSC::FunctionCodeBlock::create): Deleted.
+ (JSC::FunctionCodeBlock::createStructure): Deleted.
+ (JSC::FunctionCodeBlock::FunctionCodeBlock): Deleted.
+ * debugger/DebuggerScope.h:
+ (JSC::DebuggerScope::createStructure): Deleted.
+ (JSC::DebuggerScope::iterator::iterator): Deleted.
+ (JSC::DebuggerScope::iterator::get): Deleted.
+ (JSC::DebuggerScope::iterator::operator++): Deleted.
+ (JSC::DebuggerScope::iterator::operator== const): Deleted.
+ (JSC::DebuggerScope::iterator::operator!= const): Deleted.
+ (JSC::DebuggerScope::isValid const): Deleted.
+ (JSC::DebuggerScope::jsScope const): Deleted.
+ * inspector/JSInjectedScriptHost.h:
+ (Inspector::JSInjectedScriptHost::createStructure): Deleted.
+ (Inspector::JSInjectedScriptHost::create): Deleted.
+ (Inspector::JSInjectedScriptHost::impl const): Deleted.
+ * inspector/JSInjectedScriptHostPrototype.h:
+ (Inspector::JSInjectedScriptHostPrototype::create): Deleted.
+ (Inspector::JSInjectedScriptHostPrototype::createStructure): Deleted.
+ (Inspector::JSInjectedScriptHostPrototype::JSInjectedScriptHostPrototype): Deleted.
+ * inspector/JSJavaScriptCallFrame.h:
+ (Inspector::JSJavaScriptCallFrame::createStructure): Deleted.
+ (Inspector::JSJavaScriptCallFrame::create): Deleted.
+ (Inspector::JSJavaScriptCallFrame::impl const): Deleted.
+ * inspector/JSJavaScriptCallFramePrototype.h:
+ (Inspector::JSJavaScriptCallFramePrototype::create): Deleted.
+ (Inspector::JSJavaScriptCallFramePrototype::createStructure): Deleted.
+ (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype): Deleted.
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+ * runtime/ArrayConstructor.h:
+ (JSC::ArrayConstructor::create): Deleted.
+ (JSC::ArrayConstructor::createStructure): Deleted.
+ * runtime/ArrayIteratorPrototype.h:
+ (JSC::ArrayIteratorPrototype::create): Deleted.
+ (JSC::ArrayIteratorPrototype::createStructure): Deleted.
+ (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype): Deleted.
+ * runtime/ArrayPrototype.h:
+ (JSC::ArrayPrototype::createStructure): Deleted.
+ * runtime/AsyncFromSyncIteratorPrototype.h:
+ (JSC::AsyncFromSyncIteratorPrototype::createStructure): Deleted.
+ * runtime/AsyncFunctionConstructor.h:
+ (JSC::AsyncFunctionConstructor::create): Deleted.
+ (JSC::AsyncFunctionConstructor::createStructure): Deleted.
+ * runtime/AsyncFunctionPrototype.h:
+ (JSC::AsyncFunctionPrototype::create): Deleted.
+ (JSC::AsyncFunctionPrototype::createStructure): Deleted.
+ * runtime/AsyncGeneratorFunctionConstructor.h:
+ (JSC::AsyncGeneratorFunctionConstructor::create): Deleted.
+ (JSC::AsyncGeneratorFunctionConstructor::createStructure): Deleted.
+ * runtime/AsyncGeneratorFunctionPrototype.h:
+ (JSC::AsyncGeneratorFunctionPrototype::create): Deleted.
+ (JSC::AsyncGeneratorFunctionPrototype::createStructure): Deleted.
+ * runtime/AsyncGeneratorPrototype.h:
+ (JSC::AsyncGeneratorPrototype::create): Deleted.
+ (JSC::AsyncGeneratorPrototype::createStructure): Deleted.
+ (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype): Deleted.
+ * runtime/AsyncIteratorPrototype.h:
+ (JSC::AsyncIteratorPrototype::create): Deleted.
+ (JSC::AsyncIteratorPrototype::createStructure): Deleted.
+ (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype): Deleted.
+ * runtime/AtomicsObject.h:
+ * runtime/BigIntConstructor.h:
+ (JSC::BigIntConstructor::create): Deleted.
+ (JSC::BigIntConstructor::createStructure): Deleted.
+ * runtime/BigIntObject.h:
+ (JSC::BigIntObject::create): Deleted.
+ (JSC::BigIntObject::internalValue const): Deleted.
+ (JSC::BigIntObject::createStructure): Deleted.
+ * runtime/BigIntPrototype.h:
+ (JSC::BigIntPrototype::create): Deleted.
+ (JSC::BigIntPrototype::createStructure): Deleted.
+ * runtime/BooleanConstructor.h:
+ (JSC::BooleanConstructor::create): Deleted.
+ (JSC::BooleanConstructor::createStructure): Deleted.
+ * runtime/BooleanPrototype.h:
+ (JSC::BooleanPrototype::create): Deleted.
+ (JSC::BooleanPrototype::createStructure): Deleted.
+ * runtime/ConsoleObject.h:
+ (JSC::ConsoleObject::create): Deleted.
+ (JSC::ConsoleObject::createStructure): Deleted.
+ * runtime/DOMAttributeGetterSetter.h:
+ (JSC::isDOMAttributeGetterSetter): Deleted.
+ * runtime/DateConstructor.h:
+ (JSC::DateConstructor::create): Deleted.
+ (JSC::DateConstructor::createStructure): Deleted.
+ * runtime/DateInstance.h:
+ (JSC::DateInstance::create): Deleted.
+ (JSC::DateInstance::internalNumber const): Deleted.
+ (JSC::DateInstance::gregorianDateTime const): Deleted.
+ (JSC::DateInstance::gregorianDateTimeUTC const): Deleted.
+ (JSC::DateInstance::createStructure): Deleted.
+ * runtime/DatePrototype.h:
+ (JSC::DatePrototype::create): Deleted.
+ (JSC::DatePrototype::createStructure): Deleted.
+ * runtime/Error.h:
+ (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction): Deleted.
+ (JSC::StrictModeTypeErrorFunction::create): Deleted.
+ (JSC::StrictModeTypeErrorFunction::constructThrowTypeError): Deleted.
+ (JSC::StrictModeTypeErrorFunction::callThrowTypeError): Deleted.
+ (JSC::StrictModeTypeErrorFunction::createStructure): Deleted.
+ * runtime/ErrorConstructor.h:
+ (JSC::ErrorConstructor::create): Deleted.
+ (JSC::ErrorConstructor::createStructure): Deleted.
+ (JSC::ErrorConstructor::stackTraceLimit const): Deleted.
+ * runtime/Exception.h:
+ (JSC::Exception::valueOffset): Deleted.
+ (JSC::Exception::value const): Deleted.
+ (JSC::Exception::stack const): Deleted.
+ (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
+ (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
+ * runtime/FunctionConstructor.h:
+ (JSC::FunctionConstructor::create): Deleted.
+ (JSC::FunctionConstructor::createStructure): Deleted.
+ * runtime/FunctionPrototype.h:
+ (JSC::FunctionPrototype::create): Deleted.
+ (JSC::FunctionPrototype::createStructure): Deleted.
+ * runtime/FunctionRareData.h:
+ (JSC::FunctionRareData::offsetOfObjectAllocationProfile): Deleted.
+ (JSC::FunctionRareData::objectAllocationProfile): Deleted.
+ (JSC::FunctionRareData::objectAllocationStructure): Deleted.
+ (JSC::FunctionRareData::allocationProfileWatchpointSet): Deleted.
+ (JSC::FunctionRareData::isObjectAllocationProfileInitialized): Deleted.
+ (JSC::FunctionRareData::internalFunctionAllocationStructure): Deleted.
+ (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase): Deleted.
+ (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): Deleted.
+ (JSC::FunctionRareData::getBoundFunctionStructure): Deleted.
+ (JSC::FunctionRareData::setBoundFunctionStructure): Deleted.
+ (JSC::FunctionRareData::hasReifiedLength const): Deleted.
+ (JSC::FunctionRareData::setHasReifiedLength): Deleted.
+ (JSC::FunctionRareData::hasReifiedName const): Deleted.
+ (JSC::FunctionRareData::setHasReifiedName): Deleted.
+ (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const): Deleted.
+ (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint): Deleted.
+ (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint): Deleted.
+ * runtime/GeneratorFunctionConstructor.h:
+ (JSC::GeneratorFunctionConstructor::create): Deleted.
+ (JSC::GeneratorFunctionConstructor::createStructure): Deleted.
+ * runtime/GeneratorFunctionPrototype.h:
+ (JSC::GeneratorFunctionPrototype::create): Deleted.
+ (JSC::GeneratorFunctionPrototype::createStructure): Deleted.
+ * runtime/GeneratorPrototype.h:
+ (JSC::GeneratorPrototype::create): Deleted.
+ (JSC::GeneratorPrototype::createStructure): Deleted.
+ (JSC::GeneratorPrototype::GeneratorPrototype): Deleted.
+ * runtime/InferredValue.h:
+ (JSC::InferredValue::subspaceFor): Deleted.
+ (JSC::InferredValue::inferredValue): Deleted.
+ (JSC::InferredValue::state const): Deleted.
+ (JSC::InferredValue::isStillValid const): Deleted.
+ (JSC::InferredValue::hasBeenInvalidated const): Deleted.
+ (JSC::InferredValue::add): Deleted.
+ (JSC::InferredValue::notifyWrite): Deleted.
+ (JSC::InferredValue::invalidate): Deleted.
+ * runtime/InspectorInstrumentationObject.h:
+ (JSC::InspectorInstrumentationObject::create): Deleted.
+ (JSC::InspectorInstrumentationObject::createStructure): Deleted.
+ * runtime/IntlCollator.h:
+ (JSC::IntlCollator::boundCompare const): Deleted.
+ * runtime/IntlCollatorConstructor.h:
+ (JSC::IntlCollatorConstructor::collatorStructure const): Deleted.
+ * runtime/IntlCollatorPrototype.h:
+ * runtime/IntlDateTimeFormat.h:
+ (JSC::IntlDateTimeFormat::boundFormat const): Deleted.
+ * runtime/IntlDateTimeFormatConstructor.h:
+ (JSC::IntlDateTimeFormatConstructor::dateTimeFormatStructure const): Deleted.
+ * runtime/IntlDateTimeFormatPrototype.h:
+ * runtime/IntlNumberFormat.h:
+ (JSC::IntlNumberFormat::boundFormat const): Deleted.
+ * runtime/IntlNumberFormatConstructor.h:
+ (JSC::IntlNumberFormatConstructor::numberFormatStructure const): Deleted.
+ * runtime/IntlNumberFormatPrototype.h:
+ * runtime/IntlObject.h:
+ * runtime/IteratorPrototype.h:
+ (JSC::IteratorPrototype::create): Deleted.
+ (JSC::IteratorPrototype::createStructure): Deleted.
+ (JSC::IteratorPrototype::IteratorPrototype): Deleted.
+ * runtime/JSAPIValueWrapper.h:
+ (JSC::JSAPIValueWrapper::value const): Deleted.
+ (JSC::JSAPIValueWrapper::createStructure): Deleted.
+ (JSC::JSAPIValueWrapper::create): Deleted.
+ (JSC::JSAPIValueWrapper::finishCreation): Deleted.
+ (JSC::JSAPIValueWrapper::JSAPIValueWrapper): Deleted.
+ * runtime/JSArrayBufferConstructor.h:
+ (JSC::JSArrayBufferConstructor::sharingMode const): Deleted.
+ * runtime/JSArrayBufferPrototype.h:
+ * runtime/JSAsyncFunction.h:
+ (JSC::JSAsyncFunction::subspaceFor): Deleted.
+ (JSC::JSAsyncFunction::allocationSize): Deleted.
+ (JSC::JSAsyncFunction::createStructure): Deleted.
+ * runtime/JSAsyncGeneratorFunction.h:
+ (JSC::JSAsyncGeneratorFunction::subspaceFor): Deleted.
+ (JSC::JSAsyncGeneratorFunction::allocationSize): Deleted.
+ (JSC::JSAsyncGeneratorFunction::createStructure): Deleted.
+ * runtime/JSBigInt.h:
+ (JSC::JSBigInt::setSign): Deleted.
+ (JSC::JSBigInt::sign const): Deleted.
+ (JSC::JSBigInt::setLength): Deleted.
+ (JSC::JSBigInt::length const): Deleted.
+ * runtime/JSBoundFunction.h:
+ (JSC::JSBoundFunction::subspaceFor): Deleted.
+ (JSC::JSBoundFunction::targetFunction): Deleted.
+ (JSC::JSBoundFunction::boundThis): Deleted.
+ (JSC::JSBoundFunction::boundArgs): Deleted.
+ (JSC::JSBoundFunction::createStructure): Deleted.
+ (JSC::JSBoundFunction::offsetOfTargetFunction): Deleted.
+ (JSC::JSBoundFunction::offsetOfBoundThis): Deleted.
+ * runtime/JSCast.h:
+ (JSC::JSCastingHelpers::FinalTypeDispatcher::inheritsGeneric):
+ (JSC::JSCastingHelpers::inheritsJSTypeImpl):
+ (JSC::JSCastingHelpers::InheritsTraits::inherits):
+ (JSC::JSCastingHelpers::inheritsGenericImpl): Deleted.
+ * runtime/JSCustomGetterSetterFunction.cpp:
+ (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
+ * runtime/JSCustomGetterSetterFunction.h:
+ (JSC::JSCustomGetterSetterFunction::subspaceFor): Deleted.
+ (JSC::JSCustomGetterSetterFunction::createStructure): Deleted.
+ (JSC::JSCustomGetterSetterFunction::customGetterSetter const): Deleted.
+ (JSC::JSCustomGetterSetterFunction::isSetter const): Deleted.
+ (JSC::JSCustomGetterSetterFunction::propertyName const): Deleted.
+ * runtime/JSDataView.h:
+ (JSC::JSDataView::possiblySharedBuffer const): Deleted.
+ (JSC::JSDataView::unsharedBuffer const): Deleted.
+ * runtime/JSDataViewPrototype.h:
+ * runtime/JSFixedArray.h:
+ (JSC::JSFixedArray::createStructure): Deleted.
+ (JSC::JSFixedArray::tryCreate): Deleted.
+ (JSC::JSFixedArray::create): Deleted.
+ (JSC::JSFixedArray::createFromArray): Deleted.
+ (JSC::JSFixedArray::get const): Deleted.
+ (JSC::JSFixedArray::set): Deleted.
+ (JSC::JSFixedArray::buffer): Deleted.
+ (JSC::JSFixedArray::buffer const): Deleted.
+ (JSC::JSFixedArray::values const): Deleted.
+ (JSC::JSFixedArray::size const): Deleted.
+ (JSC::JSFixedArray::length const): Deleted.
+ (JSC::JSFixedArray::offsetOfSize): Deleted.
+ (JSC::JSFixedArray::offsetOfData): Deleted.
+ (JSC::JSFixedArray::JSFixedArray): Deleted.
+ (JSC::JSFixedArray::allocationSize): Deleted.
+ * runtime/JSGeneratorFunction.h:
+ (JSC::JSGeneratorFunction::subspaceFor): Deleted.
+ (JSC::JSGeneratorFunction::allocationSize): Deleted.
+ (JSC::JSGeneratorFunction::createStructure): Deleted.
+ * runtime/JSGenericTypedArrayView.h:
+ (JSC::JSGenericTypedArrayView::byteLength const): Deleted.
+ (JSC::JSGenericTypedArrayView::byteSize const): Deleted.
+ (JSC::JSGenericTypedArrayView::typedVector const): Deleted.
+ (JSC::JSGenericTypedArrayView::typedVector): Deleted.
+ (JSC::JSGenericTypedArrayView::canGetIndexQuickly): Deleted.
+ (JSC::JSGenericTypedArrayView::canSetIndexQuickly): Deleted.
+ (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue): Deleted.
+ (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble): Deleted.
+ (JSC::JSGenericTypedArrayView::getIndexQuickly): Deleted.
+ (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue): Deleted.
+ (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble): Deleted.
+ (JSC::JSGenericTypedArrayView::setIndexQuickly): Deleted.
+ (JSC::JSGenericTypedArrayView::setIndex): Deleted.
+ (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValue): Deleted.
+ (JSC::JSGenericTypedArrayView::toAdaptorNativeFromValueWithoutCoercion): Deleted.
+ (JSC::JSGenericTypedArrayView::sort): Deleted.
+ (JSC::JSGenericTypedArrayView::canAccessRangeQuickly): Deleted.
+ (JSC::JSGenericTypedArrayView::createStructure): Deleted.
+ (JSC::JSGenericTypedArrayView::info): Deleted.
+ (JSC::JSGenericTypedArrayView::purifyArray): Deleted.
+ (JSC::JSGenericTypedArrayView::sortComparison): Deleted.
+ (JSC::JSGenericTypedArrayView::sortFloat): Deleted.
+ * runtime/JSGenericTypedArrayViewConstructor.h:
+ * runtime/JSGenericTypedArrayViewPrototype.h:
+ * runtime/JSInternalPromise.h:
+ * runtime/JSInternalPromiseConstructor.h:
+ * runtime/JSInternalPromisePrototype.h:
+ * runtime/JSMapIterator.h:
+ (JSC::JSMapIterator::createStructure): Deleted.
+ (JSC::JSMapIterator::create): Deleted.
+ (JSC::JSMapIterator::advanceIter): Deleted.
+ (JSC::JSMapIterator::next): Deleted.
+ (JSC::JSMapIterator::nextKeyValue): Deleted.
+ (JSC::JSMapIterator::kind const): Deleted.
+ (JSC::JSMapIterator::iteratedValue const): Deleted.
+ (JSC::JSMapIterator::JSMapIterator): Deleted.
+ (JSC::JSMapIterator::setIterator): Deleted.
+ * runtime/JSModuleLoader.h:
+ (JSC::JSModuleLoader::create): Deleted.
+ (JSC::JSModuleLoader::createStructure): Deleted.
+ * runtime/JSModuleNamespaceObject.h:
+ (JSC::isJSModuleNamespaceObject): Deleted.
+ * runtime/JSModuleRecord.h:
+ (JSC::JSModuleRecord::sourceCode const): Deleted.
+ (JSC::JSModuleRecord::declaredVariables const): Deleted.
+ (JSC::JSModuleRecord::lexicalVariables const): Deleted.
+ * runtime/JSNativeStdFunction.h:
+ (JSC::JSNativeStdFunction::subspaceFor): Deleted.
+ (JSC::JSNativeStdFunction::createStructure): Deleted.
+ (JSC::JSNativeStdFunction::nativeStdFunctionCell): Deleted.
+ * runtime/JSONObject.h:
+ (JSC::JSONObject::create): Deleted.
+ (JSC::JSONObject::createStructure): Deleted.
+ * runtime/JSObject.h:
+ (JSC::JSObject::fillCustomGetterPropertySlot):
+ * runtime/JSScriptFetchParameters.h:
+ (JSC::JSScriptFetchParameters::createStructure): Deleted.
+ (JSC::JSScriptFetchParameters::create): Deleted.
+ (JSC::JSScriptFetchParameters::parameters const): Deleted.
+ (JSC::JSScriptFetchParameters::JSScriptFetchParameters): Deleted.
+ * runtime/JSScriptFetcher.h:
+ (JSC::JSScriptFetcher::createStructure): Deleted.
+ (JSC::JSScriptFetcher::create): Deleted.
+ (JSC::JSScriptFetcher::fetcher const): Deleted.
+ (JSC::JSScriptFetcher::JSScriptFetcher): Deleted.
+ * runtime/JSSetIterator.h:
+ (JSC::JSSetIterator::createStructure): Deleted.
+ (JSC::JSSetIterator::create): Deleted.
+ (JSC::JSSetIterator::advanceIter): Deleted.
+ (JSC::JSSetIterator::next): Deleted.
+ (JSC::JSSetIterator::kind const): Deleted.
+ (JSC::JSSetIterator::iteratedValue const): Deleted.
+ (JSC::JSSetIterator::JSSetIterator): Deleted.
+ (JSC::JSSetIterator::setIterator): Deleted.
+ * runtime/JSSourceCode.h:
+ (JSC::JSSourceCode::createStructure): Deleted.
+ (JSC::JSSourceCode::create): Deleted.
+ (JSC::JSSourceCode::sourceCode const): Deleted.
+ (JSC::JSSourceCode::JSSourceCode): Deleted.
+ * runtime/JSStringIterator.h:
+ (JSC::JSStringIterator::createStructure): Deleted.
+ (JSC::JSStringIterator::create): Deleted.
+ (JSC::JSStringIterator::JSStringIterator): Deleted.
+ * runtime/JSTemplateObjectDescriptor.h:
+ (JSC::isTemplateObjectDescriptor): Deleted.
+ * runtime/JSTypedArrayViewConstructor.h:
+ (JSC::JSTypedArrayViewConstructor::create): Deleted.
+ * runtime/JSTypedArrayViewPrototype.h:
+ * runtime/MapConstructor.h:
+ (JSC::MapConstructor::create): Deleted.
+ (JSC::MapConstructor::createStructure): Deleted.
+ * runtime/MapIteratorPrototype.h:
+ (JSC::MapIteratorPrototype::create): Deleted.
+ (JSC::MapIteratorPrototype::createStructure): Deleted.
+ (JSC::MapIteratorPrototype::MapIteratorPrototype): Deleted.
+ * runtime/MapPrototype.h:
+ (JSC::MapPrototype::create): Deleted.
+ (JSC::MapPrototype::createStructure): Deleted.
+ (JSC::MapPrototype::MapPrototype): Deleted.
+ * runtime/MathObject.h:
+ (JSC::MathObject::create): Deleted.
+ (JSC::MathObject::createStructure): Deleted.
+ * runtime/ModuleLoaderPrototype.h:
+ (JSC::ModuleLoaderPrototype::create): Deleted.
+ (JSC::ModuleLoaderPrototype::createStructure): Deleted.
+ * runtime/NativeErrorConstructor.h:
+ (JSC::NativeErrorConstructor::create): Deleted.
+ (JSC::NativeErrorConstructor::createStructure): Deleted.
+ (JSC::NativeErrorConstructor::errorStructure): Deleted.
+ * runtime/NativeErrorPrototype.h:
+ (JSC::NativeErrorPrototype::create): Deleted.
+ * runtime/NativeStdFunctionCell.h:
+ (JSC::NativeStdFunctionCell::createStructure): Deleted.
+ (JSC::NativeStdFunctionCell::function const): Deleted.
+ * runtime/NullGetterFunction.h:
+ (JSC::NullGetterFunction::create): Deleted.
+ (JSC::NullGetterFunction::createStructure): Deleted.
+ * runtime/NullSetterFunction.h:
+ (JSC::NullSetterFunction::create): Deleted.
+ (JSC::NullSetterFunction::createStructure): Deleted.
+ * runtime/NumberConstructor.h:
+ (JSC::NumberConstructor::create): Deleted.
+ (JSC::NumberConstructor::createStructure): Deleted.
+ (JSC::NumberConstructor::isIntegerImpl): Deleted.
+ * runtime/NumberPrototype.h:
+ (JSC::NumberPrototype::create): Deleted.
+ (JSC::NumberPrototype::createStructure): Deleted.
+ * runtime/ObjectConstructor.h:
+ (JSC::ObjectConstructor::create): Deleted.
+ (JSC::ObjectConstructor::createStructure): Deleted.
+ * runtime/ObjectPrototype.h:
+ (JSC::ObjectPrototype::createStructure): Deleted.
+ * runtime/ProxyConstructor.h:
+ (JSC::ProxyConstructor::createStructure): Deleted.
+ * runtime/ProxyRevoke.h:
+ (JSC::ProxyRevoke::createStructure): Deleted.
+ (JSC::ProxyRevoke::proxy): Deleted.
+ (JSC::ProxyRevoke::setProxyToNull): Deleted.
+ * runtime/ReflectObject.h:
+ (JSC::ReflectObject::create): Deleted.
+ (JSC::ReflectObject::createStructure): Deleted.
+ * runtime/RegExpConstructor.cpp:
+ (JSC::regExpConstructorDollar):
+ (JSC::regExpConstructorInput):
+ (JSC::regExpConstructorMultiline):
+ (JSC::regExpConstructorLastMatch):
+ (JSC::regExpConstructorLastParen):
+ (JSC::regExpConstructorLeftContext):
+ (JSC::regExpConstructorRightContext):
+ * runtime/RegExpConstructor.h:
+ (JSC::RegExpConstructor::create): Deleted.
+ (JSC::RegExpConstructor::createStructure): Deleted.
+ (JSC::RegExpConstructor::setMultiline): Deleted.
+ (JSC::RegExpConstructor::multiline const): Deleted.
+ (JSC::RegExpConstructor::setInput): Deleted.
+ (JSC::RegExpConstructor::input): Deleted.
+ (JSC::RegExpConstructor::offsetOfCachedResult): Deleted.
+ (JSC::asRegExpConstructor): Deleted.
+ * runtime/RegExpPrototype.h:
+ (JSC::RegExpPrototype::create): Deleted.
+ (JSC::RegExpPrototype::createStructure): Deleted.
+ (JSC::RegExpPrototype::emptyRegExp const): Deleted.
+ * runtime/SetConstructor.h:
+ (JSC::SetConstructor::create): Deleted.
+ (JSC::SetConstructor::createStructure): Deleted. + * runtime/SetIteratorPrototype.h: + (JSC::SetIteratorPrototype::create): Deleted. + (JSC::SetIteratorPrototype::createStructure): Deleted. + (JSC::SetIteratorPrototype::SetIteratorPrototype): Deleted. + * runtime/SetPrototype.h: + (JSC::SetPrototype::create): Deleted. + (JSC::SetPrototype::createStructure): Deleted. + (JSC::SetPrototype::SetPrototype): Deleted. + * runtime/StringConstructor.h: + (JSC::StringConstructor::create): Deleted. + (JSC::StringConstructor::createStructure): Deleted. + * runtime/StringIteratorPrototype.h: + (JSC::StringIteratorPrototype::create): Deleted. + (JSC::StringIteratorPrototype::createStructure): Deleted. + (JSC::StringIteratorPrototype::StringIteratorPrototype): Deleted. + * runtime/StringPrototype.h: + (JSC::StringPrototype::createStructure): Deleted. + * runtime/SymbolConstructor.h: + (JSC::SymbolConstructor::create): Deleted. + (JSC::SymbolConstructor::createStructure): Deleted. + * runtime/SymbolObject.h: + (JSC::SymbolObject::create): Deleted. + (JSC::SymbolObject::internalValue const): Deleted. + (JSC::SymbolObject::createStructure): Deleted. + * runtime/SymbolPrototype.h: + (JSC::SymbolPrototype::create): Deleted. + (JSC::SymbolPrototype::createStructure): Deleted. + * runtime/WeakMapConstructor.h: + (JSC::WeakMapConstructor::create): Deleted. + (JSC::WeakMapConstructor::createStructure): Deleted. + * runtime/WeakMapPrototype.h: + (JSC::WeakMapPrototype::create): Deleted. + (JSC::WeakMapPrototype::createStructure): Deleted. + (JSC::WeakMapPrototype::WeakMapPrototype): Deleted. + * runtime/WeakSetConstructor.h: + (JSC::WeakSetConstructor::create): Deleted. + (JSC::WeakSetConstructor::createStructure): Deleted. + * runtime/WeakSetPrototype.h: + (JSC::WeakSetPrototype::create): Deleted. + (JSC::WeakSetPrototype::createStructure): Deleted. + (JSC::WeakSetPrototype::WeakSetPrototype): Deleted. + * tools/JSDollarVM.h: + (JSC::JSDollarVM::createStructure): Deleted. 
+ (JSC::JSDollarVM::create): Deleted. + (JSC::JSDollarVM::JSDollarVM): Deleted. + * wasm/js/JSWebAssembly.h: + * wasm/js/JSWebAssemblyCompileError.h: + (JSC::JSWebAssemblyCompileError::create): Deleted. + * wasm/js/JSWebAssemblyInstance.h: + (JSC::JSWebAssemblyInstance::instance): Deleted. + (JSC::JSWebAssemblyInstance::moduleNamespaceObject): Deleted. + (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee): Deleted. + (JSC::JSWebAssemblyInstance::memory): Deleted. + (JSC::JSWebAssemblyInstance::setMemory): Deleted. + (JSC::JSWebAssemblyInstance::memoryMode): Deleted. + (JSC::JSWebAssemblyInstance::table): Deleted. + (JSC::JSWebAssemblyInstance::setTable): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): Deleted. + (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): Deleted. + (JSC::JSWebAssemblyInstance::module const): Deleted. + * wasm/js/JSWebAssemblyLinkError.h: + (JSC::JSWebAssemblyLinkError::create): Deleted. + * wasm/js/JSWebAssemblyMemory.h: + (JSC::JSWebAssemblyMemory::subspaceFor): Deleted. + (JSC::JSWebAssemblyMemory::memory): Deleted. + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/JSWebAssemblyRuntimeError.h: + (JSC::JSWebAssemblyRuntimeError::create): Deleted. + * wasm/js/JSWebAssemblyTable.h: + (JSC::JSWebAssemblyTable::isValidLength): Deleted. + (JSC::JSWebAssemblyTable::maximum const): Deleted. + (JSC::JSWebAssemblyTable::length const): Deleted. + (JSC::JSWebAssemblyTable::allocatedLength const): Deleted. + (JSC::JSWebAssemblyTable::table): Deleted. 
+ * wasm/js/WebAssemblyCompileErrorConstructor.h: + * wasm/js/WebAssemblyCompileErrorPrototype.h: + * wasm/js/WebAssemblyInstanceConstructor.h: + * wasm/js/WebAssemblyInstancePrototype.h: + * wasm/js/WebAssemblyLinkErrorConstructor.h: + * wasm/js/WebAssemblyLinkErrorPrototype.h: + * wasm/js/WebAssemblyMemoryConstructor.h: + * wasm/js/WebAssemblyMemoryPrototype.h: + * wasm/js/WebAssemblyModuleConstructor.h: + * wasm/js/WebAssemblyModulePrototype.h: + * wasm/js/WebAssemblyModuleRecord.h: + * wasm/js/WebAssemblyPrototype.h: + * wasm/js/WebAssemblyRuntimeErrorConstructor.h: + * wasm/js/WebAssemblyRuntimeErrorPrototype.h: + * wasm/js/WebAssemblyTableConstructor.h: + * wasm/js/WebAssemblyTablePrototype.h: + +2018-03-07 Filip Pizlo + + Make it possible to randomize register allocation + https://bugs.webkit.org/show_bug.cgi?id=183416 + + Reviewed by Keith Miller. + + This is disabled by default for now, because it reveals a regalloc bug in wasm. + + * b3/air/AirCode.cpp: + (JSC::B3::Air::Code::Code): + * b3/air/AirCode.h: + (JSC::B3::Air::Code::weakRandom): + * runtime/Options.h: + +2018-03-08 Yusuke Suzuki + + [JSC] Add inherits(VM&) leveraging JSCast fast path + https://bugs.webkit.org/show_bug.cgi?id=183429 + + Reviewed by Mark Lam. + + Add new member function, JSCell::inherits(VM&) and JSValue::inherits(VM&). + They depends on jsDynamicCast implementation and leverage JSType-based fast + paths defined in JSCast.h. We extract checking part as `JSCastingHelpers::inherit` + and construct jsDynamicCast and JSCell::inherits based on this. + + And we remove several unnecessary casting functions (asRegExpObject, asDateInstance etc.). + In addition, we add jsDynamicCast fast path for RegExpObject by using existing RegExpObjectType. + + We also fix the implementation of jsDynamicCast for JSObject since it uses LastJSCObjectType. + The embedder can add their extended object types after that. 
+ + * API/JSObjectRef.cpp: + (JSObjectGetPrivateProperty): + (JSObjectSetPrivateProperty): + (JSObjectDeletePrivateProperty): + * API/JSValue.mm: + (isDate): + (isArray): + * API/JSValueRef.cpp: + (JSValueIsArray): + (JSValueIsDate): + (JSValueIsObjectOfClass): + * API/JSWeakObjectMapRefPrivate.cpp: + * API/JSWrapperMap.mm: + (tryUnwrapObjcObject): + * API/ObjCCallbackFunction.mm: + (tryUnwrapConstructor): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGOperations.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): + (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::subtype): + (Inspector::JSInjectedScriptHost::functionDetails): + * inspector/agents/InspectorHeapAgent.cpp: + (Inspector::InspectorHeapAgent::getPreview): + * interpreter/Interpreter.cpp: + (JSC::notifyDebuggerOfUnwinding): + * interpreter/ShadowChicken.cpp: + (JSC::ShadowChicken::update): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JITOperations.cpp: + (JSC::operationNewFunctionCommon): + * jsc.cpp: + (checkException): + * runtime/BooleanObject.h: + (JSC::asBooleanObject): Deleted. + * runtime/BooleanPrototype.cpp: + (JSC::booleanProtoFuncToString): + (JSC::booleanProtoFuncValueOf): + * runtime/DateConstructor.cpp: + (JSC::constructDate): + * runtime/DateInstance.h: + (JSC::asDateInstance): Deleted. 
+ * runtime/DatePrototype.cpp: + (JSC::formateDateInstance): + (JSC::dateProtoFuncToISOString): + (JSC::dateProtoFuncToLocaleString): + (JSC::dateProtoFuncToLocaleDateString): + (JSC::dateProtoFuncToLocaleTimeString): + (JSC::dateProtoFuncGetTime): + (JSC::dateProtoFuncGetFullYear): + (JSC::dateProtoFuncGetUTCFullYear): + (JSC::dateProtoFuncGetMonth): + (JSC::dateProtoFuncGetUTCMonth): + (JSC::dateProtoFuncGetDate): + (JSC::dateProtoFuncGetUTCDate): + (JSC::dateProtoFuncGetDay): + (JSC::dateProtoFuncGetUTCDay): + (JSC::dateProtoFuncGetHours): + (JSC::dateProtoFuncGetUTCHours): + (JSC::dateProtoFuncGetMinutes): + (JSC::dateProtoFuncGetUTCMinutes): + (JSC::dateProtoFuncGetSeconds): + (JSC::dateProtoFuncGetUTCSeconds): + (JSC::dateProtoFuncGetMilliSeconds): + (JSC::dateProtoFuncGetUTCMilliseconds): + (JSC::dateProtoFuncGetTimezoneOffset): + (JSC::dateProtoFuncSetTime): + (JSC::setNewValueFromTimeArgs): + (JSC::setNewValueFromDateArgs): + (JSC::dateProtoFuncSetYear): + (JSC::dateProtoFuncGetYear): + * runtime/ExceptionHelpers.cpp: + (JSC::isTerminatedExecutionException): + * runtime/FunctionPrototype.cpp: + (JSC::functionProtoFuncToString): + * runtime/InternalFunction.h: + (JSC::asInternalFunction): + * runtime/JSArray.h: + (JSC::asArray): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpForBacktrace const): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::inherits const): + * runtime/JSCast.h: + (JSC::JSCastingHelpers::inheritsGenericImpl): + (JSC::JSCastingHelpers::inheritsJSTypeImpl): + (JSC::JSCastingHelpers::InheritsTraits::inherits): + (JSC::JSCastingHelpers::inherits): + (JSC::jsDynamicCast): + (JSC::JSCastingHelpers::jsDynamicCastGenericImpl): Deleted. + (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl): Deleted. + (JSC::JSCastingHelpers::JSDynamicCastTraits::cast): Deleted. 
+ * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::inherits const): + * runtime/JSFunction.cpp: + (JSC::RetrieveCallerFunctionFunctor::operator() const): + (JSC::JSFunction::callerGetter): + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::reifyLazyBoundNameIfNeeded): + * runtime/JSGlobalObject.cpp: + (JSC::enqueueJob): + * runtime/JSGlobalObject.h: + (JSC::asGlobalObject): Deleted. + * runtime/JSInternalPromiseDeferred.cpp: + (JSC::JSInternalPromiseDeferred::create): + * runtime/JSLexicalEnvironment.h: + (JSC::asActivation): + * runtime/JSONObject.cpp: + (JSC::unwrapBoxedPrimitive): + (JSC::Stringifier::Stringifier): + (JSC::Walker::walk): + * runtime/JSPromise.cpp: + (JSC::JSPromise::resolve): + * runtime/JSPromiseDeferred.cpp: + (JSC::JSPromiseDeferred::create): + * runtime/JSType.h: + * runtime/ProxyObject.h: + (JSC::ProxyObject::create): Deleted. + (JSC::ProxyObject::createStructure): Deleted. + (JSC::ProxyObject::target const): Deleted. + (JSC::ProxyObject::handler const): Deleted. + * runtime/RegExpConstructor.cpp: + (JSC::constructRegExp): + * runtime/RegExpConstructor.h: + (JSC::asRegExpConstructor): + (JSC::isRegExp): + * runtime/RegExpObject.cpp: + (JSC::RegExpObject::finishCreation): + (JSC::RegExpObject::getOwnPropertySlot): + (JSC::RegExpObject::defineOwnProperty): + (JSC::regExpObjectSetLastIndexStrict): + (JSC::regExpObjectSetLastIndexNonStrict): + (JSC::RegExpObject::put): + * runtime/RegExpObject.h: + (JSC::RegExpObject::create): Deleted. + (JSC::RegExpObject::setRegExp): Deleted. + (JSC::RegExpObject::regExp const): Deleted. + (JSC::RegExpObject::setLastIndex): Deleted. + (JSC::RegExpObject::getLastIndex const): Deleted. + (JSC::RegExpObject::test): Deleted. + (JSC::RegExpObject::testInline): Deleted. + (JSC::RegExpObject::createStructure): Deleted. + (JSC::RegExpObject::offsetOfRegExp): Deleted. + (JSC::RegExpObject::offsetOfLastIndex): Deleted. + (JSC::RegExpObject::offsetOfLastIndexIsWritable): Deleted. 
+ (JSC::RegExpObject::allocationSize): Deleted. + (JSC::asRegExpObject): Deleted. + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncTestFast): + (JSC::regExpProtoFuncExec): + (JSC::regExpProtoFuncMatchFast): + (JSC::regExpProtoFuncCompile): + (JSC::regExpProtoGetterGlobal): + (JSC::regExpProtoGetterIgnoreCase): + (JSC::regExpProtoGetterMultiline): + (JSC::regExpProtoGetterDotAll): + (JSC::regExpProtoGetterSticky): + (JSC::regExpProtoGetterUnicode): + (JSC::regExpProtoGetterSource): + (JSC::regExpProtoFuncSearchFast): + (JSC::regExpProtoFuncSplitFast): + * runtime/StringObject.h: + (JSC::asStringObject): Deleted. + * runtime/StringPrototype.cpp: + (JSC::replaceUsingRegExpSearch): + (JSC::replace): + (JSC::stringProtoFuncReplaceUsingRegExp): + (JSC::stringProtoFuncToString): + * runtime/SymbolPrototype.cpp: + (JSC::symbolProtoFuncToString): + (JSC::symbolProtoFuncValueOf): + * tools/JSDollarVM.cpp: + (WTF::customGetValue): + (WTF::customSetValue): + * wasm/js/JSWebAssemblyHelpers.h: + (JSC::isWebAssemblyHostFunction): + * wasm/js/WebAssemblyWrapperFunction.cpp: + (JSC::WebAssemblyWrapperFunction::create): + +2018-03-07 Tim Horton + + Sort and separate FeatureDefines.xcconfig + https://bugs.webkit.org/show_bug.cgi?id=183427 + + Reviewed by Dan Bernstein. + + * Configurations/FeatureDefines.xcconfig: + Sort and split FeatureDefines into paragraphs + (to make it easier to sort later). + +2018-03-07 Keith Miller + + Unreviewed, fix 32-bit build. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + +2018-03-07 Keith Miller + + Meta-program setupArguments and callOperation + https://bugs.webkit.org/show_bug.cgi?id=183263 + + Rubber-stamped by Filip Pizlo. + + This patch removes all the custom overrides of callOperation and setupArguments + throughout the JITs. In their place there is a new setupArguments that marshalls + the arguments into place based on the type of the operation's function pointer. 
+ There were a couple of design choices in the implementation of setupArguments: + + 1) We assume that no TrustedImm floating point values are passed. + 2) If ExecState* is the first argument the callFrameRegister should be marshalled implicitly. + 3) Types should not be implicitly converted (with the exception of DFG::RegisteredStructure -> Structure*) + + The new callOperation/setupArguments do their best to make sure + it's hard to call a function with the wrong parameters. They will + only try to pattern match if the types match up with the next + passed argument. Additionally, the base case should static_assert + of the number of inferred arguments does not match the arity of + the operation's function pointer. + + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr): + (JSC::AbstractMacroAssembler::TrustedImmPtr::asPtr): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::poke): + (JSC::MacroAssembler::move): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::swap): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::storeDouble): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::loadDouble): + (JSC::MacroAssemblerX86Common::swap): + (JSC::MacroAssemblerX86Common::move): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/AccessCaseSnippetParams.cpp: + (JSC::SlowPathCallGeneratorWithArguments::generateImpl): + * bytecode/PolymorphicAccess.cpp: + (JSC::AccessGenerationState::emitExplicitExceptionHandler): + * dfg/DFGCallArrayAllocatorSlowPathGenerator.h: + * dfg/DFGNode.h: + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::emitRestoreArguments): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::osrWriteBarrier): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSlowPathGenerator.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp): + (JSC::DFG::SpeculativeJIT::compileArithMod): + 
(JSC::DFG::SpeculativeJIT::compileArithRounding): + (JSC::DFG::SpeculativeJIT::compileArithSqrt): + (JSC::DFG::SpeculativeJIT::compileCreateActivation): + (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): + (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr): + (JSC::DFG::SpeculativeJIT::TrustedImmPtr::operator MacroAssembler::TrustedImm const): + (JSC::DFG::SpeculativeJIT::initConstantInfo): + (JSC::DFG::SpeculativeJIT::callOperation): + (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException): + (JSC::DFG::SpeculativeJIT::callCustomGetter): Deleted. + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLSlowPathCall.h: + (JSC::FTL::callOperation): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): + * jit/CCallHelpers.cpp: + (JSC::CCallHelpers::ensureShadowChickenPacket): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgument): + (JSC::CCallHelpers::setupStubArgs): + (JSC::CCallHelpers::ArgCollection::ArgCollection): + (JSC::CCallHelpers::ArgCollection::pushRegArg): + (JSC::CCallHelpers::ArgCollection::addGPRArg): + (JSC::CCallHelpers::ArgCollection::addStackArg): + (JSC::CCallHelpers::ArgCollection::addPoke): + (JSC::CCallHelpers::ArgCollection::argCount): + 
(JSC::CCallHelpers::clampArrayToSize): + (JSC::CCallHelpers::pokeForArgument): + (JSC::CCallHelpers::marshallArgumentRegister): + (JSC::CCallHelpers::setupArgumentsImpl): + (JSC::CCallHelpers::std::is_integral::value): + (JSC::CCallHelpers::std::is_pointer::value): + (JSC::CCallHelpers::setupArguments): + (JSC::CCallHelpers::prepareForTailCallSlow): + (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted. + (JSC::CCallHelpers::resetCallArguments): Deleted. + (JSC::CCallHelpers::addCallArgument): Deleted. + (JSC::CCallHelpers::setupArgumentsExecState): Deleted. + (JSC::CCallHelpers::setupTwoStubArgsGPR): Deleted. + (JSC::CCallHelpers::setupThreeStubArgsGPR): Deleted. + (JSC::CCallHelpers::setupFourStubArgsGPR): Deleted. + (JSC::CCallHelpers::setupFiveStubArgsGPR): Deleted. + (JSC::CCallHelpers::setupTwoStubArgsFPR): Deleted. + (JSC::CCallHelpers::setupStubArguments): Deleted. + (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Deleted. + (JSC::CCallHelpers::setupStubArguments134): Deleted. + (JSC::CCallHelpers::setupStubArgsGPR): Deleted. + * jit/FPRInfo.h: + (JSC::toInfoFromReg): + * jit/GPRInfo.h: + (JSC::JSValueRegs::JSValueRegs): + (JSC::toInfoFromReg): + * jit/JIT.h: + (JSC::JIT::callOperation): + (JSC::JIT::callOperationWithProfile): + (JSC::JIT::callOperationWithResult): + (JSC::JIT::callOperationNoExceptionCheck): + (JSC::JIT::callOperationWithCallFrameRollbackOnException): + * jit/JITArithmetic.cpp: + (JSC::JIT::emitMathICFast): + (JSC::JIT::emitMathICSlow): + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emit_compareAndJumpSlow): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileSetupVarargsFrame): + * jit/JITInlines.h: + (JSC::JIT::callOperation): Deleted. + (JSC::JIT::callOperationNoExceptionCheck): Deleted. + (JSC::JIT::callOperationWithCallFrameRollbackOnException): Deleted. 
+ * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_new_array_with_size): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emitSlow_op_instanceof): + (JSC::JIT::emitSlow_op_instanceof_custom): + (JSC::JIT::emit_op_set_function_name): + (JSC::JIT::emitSlow_op_eq): + (JSC::JIT::emitSlow_op_neq): + (JSC::JIT::emit_op_throw): + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + (JSC::JIT::emit_op_switch_string): + (JSC::JIT::emitSlow_op_has_indexed_property): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitGetByValWithCachedId): + (JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_get_from_scope): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_by_index): + (JSC::JIT::emit_op_put_setter_by_id): + (JSC::JIT::emit_op_put_getter_setter_by_id): + (JSC::JIT::emit_op_put_getter_by_val): + (JSC::JIT::emit_op_put_setter_by_val): + (JSC::JIT::emit_op_del_by_id): + (JSC::JIT::emit_op_del_by_val): + (JSC::JIT::emitGetByValWithCachedId): + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emitPutByValWithCachedId): + (JSC::JIT::emitSlow_op_put_by_val): + (JSC::JIT::emitSlow_op_try_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id): + (JSC::JIT::emitSlow_op_get_by_id_with_this): + (JSC::JIT::emitSlow_op_put_by_id): + (JSC::JIT::emitSlow_op_get_from_scope): + * jit/RegisterSet.h: + (JSC::RegisterSet::RegisterSet): + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromCallSlowPathGenerator): + (JSC::slowPathFor): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionBreakpoint): + * runtime/JSCJSValue.h: + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + +2018-03-07 Mark Lam + + Rename ProtoCallFrame::arityMissMatch to hasArityMismatch. + https://bugs.webkit.org/show_bug.cgi?id=183414 + + + Reviewed by Michael Saboff. 
+ + * interpreter/ProtoCallFrame.cpp: + (JSC::ProtoCallFrame::init): + * interpreter/ProtoCallFrame.h: + +2018-03-07 Mark Lam + + Simplify the variants of FunctionPtr constructors. + https://bugs.webkit.org/show_bug.cgi?id=183399 + + + Reviewed by Yusuke Suzuki. + + * assembler/MacroAssemblerCodeRef.h: + (JSC::FunctionPtr::FunctionPtr): + +2018-03-06 Filip Pizlo + + MarkedArgumentsBuffer should allocate from the JSValue Gigacage + https://bugs.webkit.org/show_bug.cgi?id=183377 + + Reviewed by Michael Saboff. + + That prevents it from being used to pivot UAF on malloc memory into corruption in the JS heap. + + * runtime/ArgList.cpp: + (JSC::MarkedArgumentBuffer::expandCapacity): + +2018-03-07 Mark Lam + + Add support for ARM64E. + https://bugs.webkit.org/show_bug.cgi?id=183398 + + + Reviewed by Michael Saboff. + + * assembler/MacroAssembler.h: + * llint/LLIntOfflineAsmConfig.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/backends.rb: + +2018-03-07 Yusuke Suzuki + + HTML `pattern` attribute should set `u` flag for regular expressions + https://bugs.webkit.org/show_bug.cgi?id=151598 + + Reviewed by Chris Dumez. + + Add UnicodeMode for JSC::Yarr::RegularExpression. + + * yarr/RegularExpression.cpp: + (JSC::Yarr::RegularExpression::Private::create): + (JSC::Yarr::RegularExpression::Private::Private): + (JSC::Yarr::RegularExpression::Private::compile): + (JSC::Yarr::RegularExpression::RegularExpression): + * yarr/RegularExpression.h: + +2018-03-07 Yusuke Suzuki + + [JSC] Add more JSType based fast path for jsDynamicCast + https://bugs.webkit.org/show_bug.cgi?id=183403 + + Reviewed by Mark Lam. + + We add more JSType based fast path for jsDynamicCast. Basically, we add miscellaneous JSTypes which + are used for jsDynamicCast in JSC, arguments types, and scope types. + + We also add ClassInfo to JSScope and JSSegmentedVariableObject since they are used with jsDynamicCast. 
+ + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * runtime/ClonedArguments.h: + (JSC::ClonedArguments::specialsMaterialized const): Deleted. + * runtime/DirectArguments.h: + (JSC::DirectArguments::subspaceFor): Deleted. + (JSC::DirectArguments::internalLength const): Deleted. + (JSC::DirectArguments::length const): Deleted. + (JSC::DirectArguments::isMappedArgument const): Deleted. + (JSC::DirectArguments::isMappedArgumentInDFG const): Deleted. + (JSC::DirectArguments::getIndexQuickly const): Deleted. + (JSC::DirectArguments::setIndexQuickly): Deleted. + (JSC::DirectArguments::callee): Deleted. + (JSC::DirectArguments::argument): Deleted. + (JSC::DirectArguments::overrodeThings const): Deleted. + (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted. + (JSC::DirectArguments::setModifiedArgumentDescriptor): Deleted. + (JSC::DirectArguments::isModifiedArgumentDescriptor): Deleted. + (JSC::DirectArguments::offsetOfCallee): Deleted. + (JSC::DirectArguments::offsetOfLength): Deleted. + (JSC::DirectArguments::offsetOfMinCapacity): Deleted. + (JSC::DirectArguments::offsetOfMappedArguments): Deleted. + (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor): Deleted. + (JSC::DirectArguments::storageOffset): Deleted. + (JSC::DirectArguments::offsetOfSlot): Deleted. + (JSC::DirectArguments::allocationSize): Deleted. + (JSC::DirectArguments::storage): Deleted. + * runtime/JSCast.h: + * runtime/JSGlobalLexicalEnvironment.h: + (JSC::JSGlobalLexicalEnvironment::create): Deleted. + (JSC::JSGlobalLexicalEnvironment::isEmpty const): Deleted. + (JSC::JSGlobalLexicalEnvironment::createStructure): Deleted. + (JSC::JSGlobalLexicalEnvironment::JSGlobalLexicalEnvironment): Deleted. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::finishCreation): + * runtime/JSMap.h: + (JSC::isJSMap): Deleted. + * runtime/JSModuleEnvironment.h: + (JSC::JSModuleEnvironment::create): Deleted. 
+ (JSC::JSModuleEnvironment::createStructure): Deleted. + (JSC::JSModuleEnvironment::offsetOfModuleRecord): Deleted. + (JSC::JSModuleEnvironment::allocationSize): Deleted. + (JSC::JSModuleEnvironment::moduleRecord): Deleted. + (JSC::JSModuleEnvironment::moduleRecordSlot): Deleted. + * runtime/JSObject.cpp: + (JSC::canDoFastPutDirectIndex): + (JSC::JSObject::defineOwnIndexedProperty): + (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): + * runtime/JSObject.h: + (JSC::JSFinalObject::allocationSize): Deleted. + (JSC::JSFinalObject::typeInfo): Deleted. + (JSC::JSFinalObject::defaultInlineCapacity): Deleted. + (JSC::JSFinalObject::maxInlineCapacity): Deleted. + (JSC::JSFinalObject::createStructure): Deleted. + (JSC::JSFinalObject::finishCreation): Deleted. + (JSC::JSFinalObject::JSFinalObject): Deleted. + (JSC::isJSFinalObject): Deleted. + * runtime/JSScope.cpp: + * runtime/JSScope.h: + * runtime/JSSegmentedVariableObject.cpp: + * runtime/JSSegmentedVariableObject.h: + * runtime/JSSet.h: + (JSC::isJSSet): Deleted. + * runtime/JSType.h: + * runtime/JSWeakMap.h: + (JSC::isJSWeakMap): Deleted. + * runtime/JSWeakSet.h: + (JSC::isJSWeakSet): Deleted. + * runtime/JSWithScope.h: + (JSC::JSWithScope::object): Deleted. 
+ * runtime/MapConstructor.cpp: + (JSC::constructMap): + (JSC::mapPrivateFuncMapBucketHead): + * runtime/MapPrototype.cpp: + (JSC::getMap): + * runtime/NumberObject.cpp: + (JSC::NumberObject::finishCreation): + * runtime/NumberPrototype.cpp: + (JSC::toThisNumber): + (JSC::numberProtoFuncToExponential): + (JSC::numberProtoFuncToFixed): + (JSC::numberProtoFuncToPrecision): + (JSC::numberProtoFuncToString): + (JSC::numberProtoFuncToLocaleString): + (JSC::numberProtoFuncValueOf): + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorSeal): + (JSC::objectConstructorFreeze): + (JSC::objectConstructorIsSealed): + (JSC::objectConstructorIsFrozen): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::finishCreation): + * runtime/ScopedArguments.h: + (JSC::ScopedArguments::subspaceFor): Deleted. + (JSC::ScopedArguments::internalLength const): Deleted. + (JSC::ScopedArguments::length const): Deleted. + (JSC::ScopedArguments::isMappedArgument const): Deleted. + (JSC::ScopedArguments::isMappedArgumentInDFG const): Deleted. + (JSC::ScopedArguments::getIndexQuickly const): Deleted. + (JSC::ScopedArguments::setIndexQuickly): Deleted. + (JSC::ScopedArguments::callee): Deleted. + (JSC::ScopedArguments::overrodeThings const): Deleted. + (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary): Deleted. + (JSC::ScopedArguments::setModifiedArgumentDescriptor): Deleted. + (JSC::ScopedArguments::isModifiedArgumentDescriptor): Deleted. + (JSC::ScopedArguments::offsetOfOverrodeThings): Deleted. + (JSC::ScopedArguments::offsetOfTotalLength): Deleted. + (JSC::ScopedArguments::offsetOfTable): Deleted. + (JSC::ScopedArguments::offsetOfScope): Deleted. + (JSC::ScopedArguments::overflowStorageOffset): Deleted. + (JSC::ScopedArguments::allocationSize): Deleted. + (JSC::ScopedArguments::overflowStorage const): Deleted. 
+ * runtime/SetConstructor.cpp: + (JSC::constructSet): + (JSC::setPrivateFuncSetBucketHead): + * runtime/SetPrototype.cpp: + (JSC::getSet): + * runtime/StrictEvalActivation.h: + (JSC::StrictEvalActivation::create): Deleted. + (JSC::StrictEvalActivation::createStructure): Deleted. + * runtime/WeakMapPrototype.cpp: + (JSC::getWeakMap): + * runtime/WeakSetPrototype.cpp: + (JSC::getWeakSet): + +2018-03-07 Dominik Infuehr + + [ARM] offlineasm: fix indentation in armOpcodeReversedOperands + https://bugs.webkit.org/show_bug.cgi?id=183400 + + Reviewed by Mark Lam. + + * offlineasm/arm.rb: + +2018-03-06 Mark Lam + + Prepare LLInt code to support pointer profiling. + https://bugs.webkit.org/show_bug.cgi?id=183387 + + + Reviewed by JF Bastien. + + 1. Introduced PtrTag enums for supporting pointer profiling later. + + 2. Also introduced tagging, untagging, retagging, and tag removal placeholder + template functions for the same purpose. + + 3. Prepare the offlineasm for supporting pointer profiling later. + + 4. Tagged some pointers in LLInt asm code. Currently, these should have no + effect on behavior. + + 5. Removed returnToThrowForThrownException() because it is not used anywhere. + + 6. Added the offlineasm folder to JavaScriptCore Xcode project so that it's + easier to view and edit these files in Xcode. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/LLIntCallLinkInfo.h: + (JSC::LLIntCallLinkInfo::unlink): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + * llint/LLIntExceptions.cpp: + (JSC::LLInt::returnToThrowForThrownException): Deleted. 
+ * llint/LLIntExceptions.h: + * llint/LLIntOfflineAsmConfig.h: + * llint/LLIntOffsetsExtractor.cpp: + * llint/LLIntPCRanges.h: + (JSC::LLInt::isLLIntPC): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::handleHostCall): + (JSC::LLInt::setUpCall): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/ast.rb: + * offlineasm/instructions.rb: + * offlineasm/risc.rb: + * runtime/PtrTag.h: Added. + (JSC::uniquePtrTagID): + (JSC::ptrTag): + (JSC::tagCodePtr): + (JSC::untagCodePtr): + (JSC::retagCodePtr): + (JSC::removeCodePtrTag): + +2018-03-06 Dominik Infuehr + + [ARM] Assembler warnings: "use of r13 is deprecated" + https://bugs.webkit.org/show_bug.cgi?id=183286 + + Reviewed by Mark Lam. + + Usage of sp/r13 as operand Rm is deprecated on ARM. offlineasm + sometimes generates assembly code that triggers this warning. Prevent + this by simply switching operands. + + * offlineasm/arm.rb: + +2018-03-06 Yusuke Suzuki + + Unreviewed, fix incorrect assertion after r229309 + https://bugs.webkit.org/show_bug.cgi?id=182975 + + * runtime/TypeProfilerLog.cpp: + (JSC::TypeProfilerLog::TypeProfilerLog): + +2018-03-05 Yusuke Suzuki + + Fix std::make_unique / new[] using system malloc + https://bugs.webkit.org/show_bug.cgi?id=182975 + + Reviewed by JF Bastien. + + Use Vector, FAST_ALLOCATED, or UniqueArray instead. 
+ + * API/JSStringRefCF.cpp: + (JSStringCreateWithCFString): + * bytecode/BytecodeKills.h: + * bytecode/BytecodeLivenessAnalysis.cpp: + (JSC::BytecodeLivenessAnalysis::computeKills): + * dfg/DFGDisassembler.cpp: + (JSC::DFG::Disassembler::dumpDisassembly): + * jit/PolymorphicCallStubRoutine.cpp: + (JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine): + * jit/PolymorphicCallStubRoutine.h: + * jit/Repatch.cpp: + (JSC::linkPolymorphicCall): + * jsc.cpp: + (currentWorkingDirectory): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + * runtime/ArgList.h: + * runtime/StructureChain.h: + * runtime/StructureIDTable.cpp: + (JSC::StructureIDTable::StructureIDTable): + (JSC::StructureIDTable::resize): + * runtime/StructureIDTable.h: + * runtime/TypeProfilerLog.cpp: + (JSC::TypeProfilerLog::TypeProfilerLog): + (JSC::TypeProfilerLog::initializeLog): Deleted. + * runtime/TypeProfilerLog.h: + (JSC::TypeProfilerLog::TypeProfilerLog): Deleted. + * runtime/VM.cpp: + (JSC::VM::~VM): + (JSC::VM::acquireRegExpPatternContexBuffer): + * runtime/VM.h: + * testRegExp.cpp: + (runFromFiles): + * tools/HeapVerifier.cpp: + (JSC::HeapVerifier::HeapVerifier): + * tools/HeapVerifier.h: + +2018-03-05 Mark Lam + + JITThunk functions should only be called when the JIT is enabled. + https://bugs.webkit.org/show_bug.cgi?id=183351 + + + Reviewed by Keith Miller. + + * jit/JITThunks.cpp: + (JSC::JITThunks::ctiNativeCall): + (JSC::JITThunks::ctiNativeConstruct): + (JSC::JITThunks::ctiInternalFunctionCall): + (JSC::JITThunks::ctiInternalFunctionConstruct): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::getCTIInternalFunctionTrampolineFor): + +2018-03-05 Mark Lam + + Gardening: build fix. + + Not reviewed. + + * interpreter/AbstractPC.h: + (JSC::AbstractPC::AbstractPC): + +2018-03-05 Yusuke Suzuki + + [JSC] Use WTF::ArithmeticOperations for CLoop overflow operations + https://bugs.webkit.org/show_bug.cgi?id=183324 + + Reviewed by JF Bastien. 
+ + We have WTF::ArithmeticOperations which has operations with overflow checking. + This is suitable for CLoop's overflow checking operations. This patch emits + WTF::ArithmeticOperations for CLoop's overflow checking operations. And it is + lowered to optimized code using CPU's overflow flag. + + * offlineasm/cloop.rb: + +2018-03-05 Don Olmstead + + [CMake] Split JSC header copying into public and private targets + https://bugs.webkit.org/show_bug.cgi?id=183251 + + Reviewed by Konstantin Tokarev. + + * CMakeLists.txt: + +2018-03-04 Yusuke Suzuki + + [WTF] Move currentCPUTime and sleep(Seconds) to CPUTime.h and Seconds.h respectively + https://bugs.webkit.org/show_bug.cgi?id=183312 + + Reviewed by Mark Lam. + + Remove wtf/CurrentTime.h include pragma. + + * API/tests/ExecutionTimeLimitTest.cpp: + (currentCPUTimeAsJSFunctionCallback): + (testExecutionTimeLimit): + * bytecode/SuperSampler.cpp: + * dfg/DFGPlan.cpp: + * heap/BlockDirectory.cpp: + * heap/Heap.cpp: + * heap/IncrementalSweeper.cpp: + * inspector/agents/InspectorConsoleAgent.cpp: + * inspector/agents/InspectorRuntimeAgent.cpp: + * profiler/ProfilerDatabase.cpp: + * runtime/CodeCache.h: + * runtime/JSDateMath.cpp: + * runtime/TypeProfilerLog.cpp: + * runtime/VM.cpp: + * runtime/Watchdog.cpp: + (JSC::Watchdog::shouldTerminate): + (JSC::Watchdog::startTimer): + * testRegExp.cpp: + * wasm/js/JSWebAssemblyCodeBlock.cpp: + +2018-03-04 Tim Horton + + Make !ENABLE(DATA_DETECTION) iOS build actually succeed + https://bugs.webkit.org/show_bug.cgi?id=183283 + + + Reviewed by Sam Weinig. + + * Configurations/FeatureDefines.xcconfig: + +2018-03-02 Mark Lam + + Make the LLInt probe work for ARM64. + https://bugs.webkit.org/show_bug.cgi?id=183298 + + + Reviewed by Filip Pizlo. + + * llint/LowLevelInterpreter.asm: + +2018-03-02 Yusuke Suzuki + + [JSC] Annotate more classes with WTF_MAKE_FAST_ALLOCATED + https://bugs.webkit.org/show_bug.cgi?id=183279 + + Reviewed by JF Bastien. 
+ + * bytecode/BytecodeIntrinsicRegistry.h: + * ftl/FTLThunks.h: + * heap/CodeBlockSet.h: + * heap/GCSegmentedArray.h: + * heap/MachineStackMarker.h: + * heap/MarkingConstraintSet.h: + +2018-03-01 Yusuke Suzuki + + Remove monotonicallyIncreasingTime + https://bugs.webkit.org/show_bug.cgi?id=182911 + + Reviewed by Michael Catanzaro. + + * debugger/Debugger.cpp: + (JSC::Debugger::willEvaluateScript): + (JSC::Debugger::didEvaluateScript): + * debugger/Debugger.h: + * debugger/ScriptProfilingScope.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::breakpointActionProbe): + * inspector/agents/InspectorHeapAgent.cpp: + (Inspector::InspectorHeapAgent::snapshot): + (Inspector::InspectorHeapAgent::didGarbageCollect): + (Inspector::InspectorHeapAgent::dispatchGarbageCollectedEvent): + * inspector/agents/InspectorHeapAgent.h: + * inspector/agents/InspectorScriptProfilerAgent.cpp: + (Inspector::InspectorScriptProfilerAgent::startTracking): + (Inspector::InspectorScriptProfilerAgent::willEvaluateScript): + (Inspector::InspectorScriptProfilerAgent::didEvaluateScript): + (Inspector::InspectorScriptProfilerAgent::addEvent): + (Inspector::buildSamples): + * inspector/agents/InspectorScriptProfilerAgent.h: + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::takeSample): + * runtime/SamplingProfiler.h: + +2018-03-01 Yusuke Suzuki + + ASSERTION FAILED: matchContextualKeyword(m_vm->propertyNames->async) + https://bugs.webkit.org/show_bug.cgi?id=183173 + + Reviewed by Saam Barati. + + Classifier could propagate an error which does not occur at the first token + of the given expression. We should check whether the given token is "async" + instead of assertion. + + * parser/Parser.cpp: + (JSC::Parser::parseAssignmentExpression): + +2018-03-01 Saam Barati + + We need to clear cached structures when having a bad time + https://bugs.webkit.org/show_bug.cgi?id=183256 + + + Reviewed by Mark Lam. 
+ + This patch makes both InternalFunctionAllocationProfile and the VM's + structure cache having-a-bad-time aware. For InternalFunctionAllocationProfile, + we clear them when they'd produce an object with a bad indexing type. + For the VM's Structure cache, we conservatively clear the entire cache + since it may be housing Structures with bad indexing types. + + * runtime/FunctionRareData.h: + (JSC::FunctionRareData::clearInternalFunctionAllocationProfile): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::haveABadTime): + * runtime/StructureCache.h: + (JSC::StructureCache::clear): + +2018-03-01 Yusuke Suzuki + + Unreviewed, fix exception check for ExceptionScope + https://bugs.webkit.org/show_bug.cgi?id=183175 + + * jsc.cpp: + (GlobalObject::moduleLoaderFetch): + +2018-02-28 Dominik Infuehr + + [ARM] Fix compile error in debug builds by invoking unpoisoned(). + + Reviewed by Mark Lam. + + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr): Fix compile error. + (JSC::MacroAssemblerCodePtr::createFromExecutableAddress()): Ditto. + (JSC::MacroAssemblerCodePtr::dataLocation()): Ditto. + * yarr/YarrInterpreter.cpp: + (JSC::Yarr::ByteCompiler::dumpDisjunction): use %zu for printf'ing size_t. + +2018-02-28 JF Bastien + + GC should sweep code block before deleting + https://bugs.webkit.org/show_bug.cgi?id=183229 + + + Reviewed by Saam Barati, Fil Pizlo. + + Stub routines shouldn't get deleted before codeblocks have been + swept, otherwise there's a small race window where the codeblock + thinks it's still reachable. + + * heap/Heap.cpp: + (JSC::Heap::deleteUnmarkedCompiledCode): + (JSC::Heap::sweepInFinalize): + +2018-02-28 Yusuke Suzuki + + JSC crash with `import("")` + https://bugs.webkit.org/show_bug.cgi?id=183175 + + Reviewed by Saam Barati. + + Add file existence and file type check for module loader implementation in jsc.cpp. 
+ This is not safe for TOCTOU, but it is OK since this functionality is used for the + JSC shell (jsc.cpp): testing purpose. + + * jsc.cpp: + (fillBufferWithContentsOfFile): + (fetchModuleFromLocalFileSystem): + +2018-02-27 Keith Miller + + Replace TrustedImmPtr(0) with TrustedImmPtr(nullptr) + https://bugs.webkit.org/show_bug.cgi?id=183195 + + Reviewed by Mark Lam. + + * assembler/AbstractMacroAssembler.h: + (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::patchableBranchPtr): + (JSC::MacroAssembler::patchableBranchPtrWithPatch): + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::branchPtrWithPatch): + (JSC::MacroAssemblerARM::storePtrWithPatch): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::call): + (JSC::MacroAssemblerARM64::tailRecursiveCall): + (JSC::MacroAssemblerARM64::branchPtrWithPatch): + (JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch): + (JSC::MacroAssemblerARM64::storePtrWithPatch): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::branchPtrWithPatch): + (JSC::MacroAssemblerARMv7::patchableBranchPtr): + (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch): + (JSC::MacroAssemblerARMv7::storePtrWithPatch): + * assembler/MacroAssemblerMIPS.h: + (JSC::MacroAssemblerMIPS::branchPtrWithPatch): + (JSC::MacroAssemblerMIPS::storePtrWithPatch): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::branchPtrWithPatch): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): + (JSC::MacroAssemblerX86_64::call): + (JSC::MacroAssemblerX86_64::tailRecursiveCall): + (JSC::MacroAssemblerX86_64::makeTailRecursiveCall): + (JSC::MacroAssemblerX86_64::branchPtrWithPatch): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + (JSC::DFG::SpeculativeJIT::compileToLowerCase): + 
(JSC::DFG::SpeculativeJIT::compileMakeRope): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): + (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): + (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): + (JSC::DFG::SpeculativeJIT::compileArraySlice): + (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitGenerationThunkGenerator): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct): + (JSC::FTL::DFG::LowerDFGToB3::compileTailCall): + (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::debugCall): + (JSC::AssemblyHelpers::sanitizeStackInline): + * jit/IntrinsicEmitter.cpp: + (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + * jit/ScratchRegisterAllocator.cpp: + (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::initParenContextFreeList): + (JSC::Yarr::YarrGenerator::storeToFrameWithPatch): + (JSC::Yarr::YarrGenerator::generate): + +2018-02-26 Mark Lam + + Modernize FINALIZE_CODE and peer macros to use __VA_ARGS__ arguments. 
+ https://bugs.webkit.org/show_bug.cgi?id=183159 + + + Reviewed by Keith Miller. + + * assembler/LinkBuffer.h: + * assembler/testmasm.cpp: + (JSC::compile): + * b3/B3Compile.cpp: + (JSC::B3::compile): + * b3/air/testair.cpp: + * b3/testb3.cpp: + (JSC::B3::testEntrySwitchSimple): + (JSC::B3::testEntrySwitchNoEntrySwitch): + (JSC::B3::testEntrySwitchWithCommonPaths): + (JSC::B3::testEntrySwitchWithCommonPathsAndNonTrivialEntrypoint): + (JSC::B3::testEntrySwitchLoop): + * bytecode/InlineAccess.cpp: + (JSC::linkCodeInline): + (JSC::InlineAccess::rewireStubAsJump): + * bytecode/PolymorphicAccess.cpp: + (JSC::PolymorphicAccess::regenerate): + * dfg/DFGJITFinalizer.cpp: + (JSC::DFG::JITFinalizer::finalize): + (JSC::DFG::JITFinalizer::finalizeFunction): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::compileOSRExit): + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitThunkGenerator): + (JSC::DFG::osrExitGenerationThunkGenerator): + (JSC::DFG::osrEntryThunkGenerator): + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeCommon): + * ftl/FTLLazySlowPath.cpp: + (JSC::FTL::LazySlowPath::generate): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + (JSC::FTL::slowPathCallThunkGenerator): + * jit/ExecutableAllocator.cpp: + * jit/JIT.cpp: + (JSC::JIT::link): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + * jit/JITOpcodes.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::privateCompileGetByVal): + (JSC::JIT::privateCompileGetByValWithCachedId): + (JSC::JIT::privateCompilePutByVal): + (JSC::JIT::privateCompilePutByValWithCachedId): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::stringGetByValStubGenerator): + * jit/JITStubRoutine.h: + * jit/Repatch.cpp: + (JSC::linkPolymorphicCall): + * jit/SpecializedThunkJIT.h: + 
(JSC::SpecializedThunkJIT::finalize): + * jit/ThunkGenerators.cpp: + (JSC::throwExceptionFromCallSlowPathGenerator): + (JSC::linkCallThunkGenerator): + (JSC::linkPolymorphicCallThunkGenerator): + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + (JSC::arityFixupGenerator): + (JSC::unreachableGenerator): + (JSC::boundThisNoArgsFunctionCallGenerator): + * llint/LLIntThunks.cpp: + (JSC::LLInt::generateThunkWithJumpTo): + * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::complete): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmOMGPlan.cpp: + (JSC::Wasm::OMGPlan::work): + * wasm/WasmThunks.cpp: + (JSC::Wasm::throwExceptionFromWasmThunkGenerator): + (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator): + (JSC::Wasm::triggerOMGTierUpThunkGenerator): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::compile): + +2018-02-25 Yusuke Suzuki + + [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage) + https://bugs.webkit.org/show_bug.cgi?id=182965 + + Reviewed by Saam Barati. + + This patch extends FTL coverage for PutByVal by adding ArrayStorage and SlwoPutArrayStorage support. + Basically large part of the patch is porting from DFG code. Since PutByVal already emits CheckInBounds + for InBounds case, we do not have OutOfBounds check for that case. + This is the last change for FTL to support all the types of DFG nodes except for CreateThis. + + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileDoublePutByVal): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal): + (JSC::FTL::DFG::LowerDFGToB3::contiguousPutByValOutOfBounds): + For consistency, we use operationPutByValXXX and operationPutByValDirectXXX. 
+ But except for SlowPutArrayStorage case, basically it is meaningless since + we do not have indexed accessors. + +2018-02-26 Saam Barati + + validateStackAccess should not validate if the offset is within the stack bounds + https://bugs.webkit.org/show_bug.cgi?id=183067 + + + Reviewed by Mark Lam. + + The validation rule was saying that any load from the stack must be + within the stack bounds of the frame. However, it's natural for a user + of B3 to emit code that may be outside of B3's stack bounds, but guard + such a load with a branch. The FTL does exactly this with GetMyArgumentByVal. + B3 is wrong to assert that this is a static property about all stack loads. + + * b3/B3Validate.cpp: + +2018-02-23 Saam Barati + + Make Number.isInteger an intrinsic + https://bugs.webkit.org/show_bug.cgi?id=183088 + + Reviewed by JF Bastien. + + When profiling the ML subtest in ARES, I noticed it was spending some + time in Number.isInteger. This patch makes that operation an intrinsic + in the DFG/FTL. It might be a speedup by 1% or so on that subtest, but + it's likely not an aggregate speedup on ARES. However, it is definitely + faster than calling into a builtin function, so we might as well have + it as an intrinsic. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileNumberIsInteger): + (JSC::FTL::DFG::LowerDFGToB3::unboxDouble): + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::finishCreation): + (JSC::numberConstructorFuncIsInteger): + * runtime/NumberConstructor.h: + (JSC::NumberConstructor::isIntegerImpl): + +2018-02-23 Oleksandr Skachkov + + WebAssembly: cache memory address / size on instance + https://bugs.webkit.org/show_bug.cgi?id=177305 + + Reviewed by JF Bastien. 
+ + Cache memory address/size in wasm:Instance to avoid load wasm:Memory + object during access to memory and memory size property in JiT + + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::addCurrentMemory): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::cachedMemory const): + (JSC::Wasm::Instance::cachedMemorySize const): + (JSC::Wasm::Instance::createWeakPtr): + (JSC::Wasm::Instance::setMemory): + (JSC::Wasm::Instance::updateCachedMemory): + (JSC::Wasm::Instance::offsetOfCachedMemory): + (JSC::Wasm::Instance::offsetOfCachedMemorySize): + (JSC::Wasm::Instance::offsetOfCachedIndexingMask): + (JSC::Wasm::Instance::allocationSize): + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::grow): + (JSC::Wasm::Memory::registerInstance): + * wasm/WasmMemory.h: + (JSC::Wasm::Memory::indexingMask): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + +2018-02-23 Saam Barati + + ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert + https://bugs.webkit.org/show_bug.cgi?id=182982 + + Reviewed by Yusuke Suzuki. + + I don't know why this check was not always an assert. When we see + a GetByOffset on an eliminated allocation, that allocation *must* + be a PhantomClonedArguments. If it weren't, the GetByOffset would + have escaped it. Because this transformation happens by visiting + blocks in pre-order, and by visiting nodes in a block starting from + index zero to index block->size() - 1, we're guaranteed that eliminated + allocations get transformed before users of it, since we visit nodes + in dominator order. 
+ + * dfg/DFGArgumentsEliminationPhase.cpp: + +2018-02-23 Yusuke Suzuki + + [JSC] Implement $vm.ftlTrue function for FTL testing + https://bugs.webkit.org/show_bug.cgi?id=183071 + + Reviewed by Mark Lam. + + Add $vm.ftlTrue, which becomes true if the caller is compiled in FTL. + This is useful for testing whether the caller function is compiled in FTL. + + We also remove duplicate DFGTrue function in jsc.cpp. We have $vm.dfgTrue. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionFalse1): + (functionFalse2): Deleted. + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * tools/JSDollarVM.cpp: + (JSC::functionFTLTrue): + (JSC::JSDollarVM::finishCreation): + +2018-02-22 Yusuke Suzuki + + [FTL] Support HasIndexedProperty for ArrayStorage and SlowPutArrayStorage + https://bugs.webkit.org/show_bug.cgi?id=182792 + + Reviewed by Mark Lam. + + This patch adds HasIndexedProperty for ArrayStorage and SlowPutArrayStorage in FTL. + HasIndexedProperty with ArrayStorage frequently causes FTL compilation failures + in web-tooling-benchmarks. + + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty): + +2018-02-22 Mark Lam + + Refactor MacroAssembler code to improve reuse and extensibility. + https://bugs.webkit.org/show_bug.cgi?id=183054 + + + Reviewed by Saam Barati. 
+ + * assembler/ARM64Assembler.h: + * assembler/MacroAssembler.cpp: + * assembler/MacroAssembler.h: + * assembler/MacroAssemblerARM.h: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::canCompact): + (JSC::MacroAssemblerARM64::computeJumpType): + (JSC::MacroAssemblerARM64::jumpSizeDelta): + (JSC::MacroAssemblerARM64::link): + (JSC::MacroAssemblerARM64::load64): + (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch): + (JSC::MacroAssemblerARM64::load32): + (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch): + (JSC::MacroAssemblerARM64::load16): + (JSC::MacroAssemblerARM64::load16SignedExtendTo32): + (JSC::MacroAssemblerARM64::load8): + (JSC::MacroAssemblerARM64::load8SignedExtendTo32): + (JSC::MacroAssemblerARM64::store64): + (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch): + (JSC::MacroAssemblerARM64::store32): + (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch): + (JSC::MacroAssemblerARM64::store16): + (JSC::MacroAssemblerARM64::store8): + (JSC::MacroAssemblerARM64::getEffectiveAddress): + (JSC::MacroAssemblerARM64::branchDoubleNonZero): + (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN): + (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32): + (JSC::MacroAssemblerARM64::loadDouble): + (JSC::MacroAssemblerARM64::loadFloat): + (JSC::MacroAssemblerARM64::moveConditionallyAfterFloatingPointCompare): + (JSC::MacroAssemblerARM64::moveDoubleConditionallyAfterFloatingPointCompare): + (JSC::MacroAssemblerARM64::storeDouble): + (JSC::MacroAssemblerARM64::storeFloat): + (JSC::MacroAssemblerARM64::call): + (JSC::MacroAssemblerARM64::jump): + (JSC::MacroAssemblerARM64::tailRecursiveCall): + (JSC::MacroAssemblerARM64::setCarry): + (JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch): + (JSC::MacroAssemblerARM64::isBreakpoint): + (JSC::MacroAssemblerARM64::invert): + (JSC::MacroAssemblerARM64::readCallTarget): + (JSC::MacroAssemblerARM64::replaceWithVMHalt): + (JSC::MacroAssemblerARM64::replaceWithJump): + 
(JSC::MacroAssemblerARM64::maxJumpReplacementSize): + (JSC::MacroAssemblerARM64::patchableJumpSize): + (JSC::MacroAssemblerARM64::repatchCall): + (JSC::MacroAssemblerARM64::makeBranch): + (JSC::MacroAssemblerARM64::makeCompareAndBranch): + (JSC::MacroAssemblerARM64::makeTestBitAndBranch): + (JSC::MacroAssemblerARM64::ARM64Condition): + (JSC::MacroAssemblerARM64::moveWithFixedWidth): + (JSC::MacroAssemblerARM64::load): + (JSC::MacroAssemblerARM64::store): + (JSC::MacroAssemblerARM64::tryLoadWithOffset): + (JSC::MacroAssemblerARM64::tryLoadSignedWithOffset): + (JSC::MacroAssemblerARM64::tryStoreWithOffset): + (JSC::MacroAssemblerARM64::jumpAfterFloatingPointCompare): + (JSC::MacroAssemblerARM64::linkCall): + * assembler/MacroAssemblerARMv7.h: + * assembler/MacroAssemblerMIPS.h: + * assembler/MacroAssemblerX86Common.h: + * assembler/ProbeStack.h: + - Removed a forward declaration of an obsolete class. + +2018-02-22 Yusuke Suzuki + + Remove sleep(double) and sleepMS(double) interfaces + https://bugs.webkit.org/show_bug.cgi?id=183038 + + Reviewed by Mark Lam. + + * bytecode/SuperSampler.cpp: + (JSC::initializeSuperSampler): + +2018-02-21 Don Olmstead + + [CMake] Split declaration of JSC headers into public and private + https://bugs.webkit.org/show_bug.cgi?id=182980 + + Reviewed by Michael Catanzaro. + + * CMakeLists.txt: + * PlatformGTK.cmake: + * PlatformMac.cmake: + * PlatformWPE.cmake: + * PlatformWin.cmake: + +2018-02-20 Saam Barati + + DFG::VarargsForwardingPhase should eliminate getting argument length + https://bugs.webkit.org/show_bug.cgi?id=182959 + + Reviewed by Keith Miller. + + This patch teaches the DFG VarargsForwardingPhase to not treat + length accesses on Cloned/Direct Arguments objects as escapes. + It teaches this phase to materialize the length in the same + way the ArgumentsEliminationPhase does. + + This is around a 0.5-1% speedup on ARES6 on my iMac. It speeds + up the ML subtest by 2-4%. 
+ + This patch also extends compileGetArgumentCountIncludingThis to take + a parameter that is the inline call frame to load from (in the case + where the inline call frame is a varargs frame). This allows the + the emitCodeToGetArgumentsArrayLength helper function to just emit + a GetArgumentCountIncludingThis node instead of a GetLocal. If we + emitted a GetLocal, we'd need to rerun CPS rethreading. + + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGArgumentsUtilities.cpp: + (JSC::DFG::emitCodeToGetArgumentsArrayLength): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::getArgumentCount): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGNode.h: + (JSC::DFG::Node::argumentsInlineCallFrame): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetArgumentCountIncludingThis): + +2018-02-14 Yusuke Suzuki + + [FTL] Support ArrayPush for ArrayStorage + https://bugs.webkit.org/show_bug.cgi?id=182782 + + Reviewed by Saam Barati. + + This patch adds support for ArrayPush(ArrayStorage). We just port ArrayPush(ArrayStorage) in DFG to FTL. + + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush): + +2018-02-14 Yusuke Suzuki + + [FTL] Support ArrayPop for ArrayStorage + https://bugs.webkit.org/show_bug.cgi?id=182783 + + Reviewed by Saam Barati. + + This patch adds ArrayPop(ArrayStorage) support to FTL. We port the implementation in DFG to FTL. + + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileArrayPop): + +2018-02-14 Yusuke Suzuki + + [FTL] Add Arrayify for ArrayStorage and SlowPutArrayStorage + https://bugs.webkit.org/show_bug.cgi?id=182731 + + Reviewed by Saam Barati. 
+ + This patch adds support for Arrayify(ArrayStorage/SlowPutArrayStorage) to FTL. + Due to ArrayifyToStructure and CheckArray changes, necessary changes for + supporting Arrayify in FTL are already done. Just allowing it in FTLCapabilities.cpp + is enough. + + We fix FTL's CheckArray logic. Previously, CheckArray(SlowPutArrayStorage) does not pass + ArrayStorage in FTL. But now it passes this as DFG does. Moreover, we fix DFG's CheckArray + where CheckArray(ArrayStorage+NonArray) can pass ArrayStorage+Array. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::silentFill): + (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): + * dfg/DFGSpeculativeJIT.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify): + +2018-02-19 Saam Barati + + Don't use JSFunction's allocation profile when getting the prototype can be effectful + https://bugs.webkit.org/show_bug.cgi?id=182942 + + + Reviewed by Mark Lam. + + Prior to this patch, the create_this implementation assumed that anything + that is a JSFunction can use the object allocation profile and go down the + fast path to allocate the |this| object. Implied by this approach is that + accessing the 'prototype' property of the incoming function is not an + effectful operation. This is inherent to the ObjectAllocationProfile + data structure: it caches the prototype field. However, getting the + 'prototype' property might be an effectful operation, e.g, it could + be a getter. Many variants of functions in JS have the 'prototype' property + as non-configurable. However, some functions, like bound functions, do not + have the 'prototype' field with these attributes. + + This patch adds the notion of 'canUseAllocationProfile' to JSFunction + and threads it through so that we only go down the fast path and use + the allocation profile when the prototype property is non-configurable. 
+ + * bytecompiler/NodesCodegen.cpp: + (JSC::ClassExprNode::emitBytecode): + * dfg/DFGOperations.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/JSFunction.cpp: + (JSC::JSFunction::prototypeForConstruction): + (JSC::JSFunction::allocateAndInitializeRareData): + (JSC::JSFunction::initializeRareData): + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::canUseAllocationProfileNonInline): + * runtime/JSFunction.h: + (JSC::JSFunction::ensureRareDataAndAllocationProfile): + * runtime/JSFunctionInlines.h: + (JSC::JSFunction::canUseAllocationProfile): + +2018-02-19 Saam Barati + + Don't mark an array profile out of bounds for the cases where the DFG will convert the access to SaneChain + https://bugs.webkit.org/show_bug.cgi?id=182912 + + + Reviewed by Keith Miller. + + In the baseline JIT and LLInt, when we loading a hole from an original array, + with the array prototype chain being normal, we end up marking the ArrayProfile + for that GetByVal as out of bounds. However, the DFG knows exactly how to + optimize this case by returning undefined when loading from a hole. Currently, + it only does this for Contiguous arrays (and sometimes Double arrays). + This patch just makes sure to not mark the ArrayProfile as out of bounds + in this scenario for Contiguous arrays, since the DFG will always optimize + this case. + + However, we should extend this by profiling when a GetByVal loads a hole. By + doing so, we can optimize this for Int32, ArrayStorage, and maybe even Double + arrays. That work will happen in: + https://bugs.webkit.org/show_bug.cgi?id=182940 + + This patch is a 30-50% speedup on JetStream's hash-map test. This patch + speeds up JetStream by 1% when testing on my iMac. + + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine const): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * jit/JITOperations.cpp: + (JSC::getByVal): + (JSC::canAccessArgumentIndexQuickly): Deleted. 
+ * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::getByVal): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::canAccessArgumentIndexQuickly): + +2018-02-17 Filip Pizlo + + GetArrayMask should support constant folding + https://bugs.webkit.org/show_bug.cgi?id=182907 + + Reviewed by Saam Barati. + + Implement constant folding for GetArrayMask. This revealed a bug in tryGetFoldableView, where it was + ignoring the result of a jsDynamicCast<>(). This wasn't a bug before because it would have been + impossible for that function to get called with a non-null value if the value was not an array view, + due to type filtering in CheckArray, the fact that CheckArray had to dominate GetArrayLength, and + the fact that the other tryGetFoldableView overload made sure that the array mode was some typed + array. + + This isn't a measurable progression, but it does save a register in the codegen for typed array + accesses. Hopefully these improvements add up. + + * assembler/AssemblerBuffer.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::tryGetFoldableView): + +2018-02-18 Dominik Inführ + + Offlineasm/MIPS: immediates need to be within 16-bit signed values + https://bugs.webkit.org/show_bug.cgi?id=182890 + + Reviewed by Michael Catanzaro. + + In Sequence.getModifiedListMIPS(), we allow immediate values within + the range -0xffff..0xffff for immediates (addresses and other + immediates), but then in Immediate.mipsOperand() and + Address.mipsOperand() we raise if immediate values are not within + -0x7fff..0x7fff. This is inconsistent, and broke compilation on mips + since r228552 made the VM structure bigger meaning we address values + with bigger offsets in llint. 
This change restricts the allowed range, + so that a separate load of the value is done for values outside of + that range. + + * offlineasm/mips.rb: + +2018-02-17 Darin Adler + + Web Inspector: get rid of remaining uses of OptOutput + https://bugs.webkit.org/show_bug.cgi?id=180607 + + Reviewed by Brian Burg. + + * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that + is inside the Inspector namespace already. Also use auto a bit. + * inspector/AsyncStackTrace.h: Ditto. + * inspector/ConsoleMessage.cpp: Ditto. + + * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ... + (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a + Vector instead of a unique_ptr. + (Inspector::ContentSearchUtilities::lineEndings): Ditto. + (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted. + (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of + a Vector for a fixed size array; also got rid of reinterpret_cast. + (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular + expression here since it's the only place it was used. + + * inspector/ContentSearchUtilities.h: Cut down on unneeded includes. + + * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that + is inside the Inspector namespace already. Also use auto a bit. + + * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions. + Removed base template for BindingTraits; we only need the specializations. + + * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that + is inside the Inspector namespace already. Also use auto a bit. + * inspector/ScriptCallFrame.h: Ditto. + * inspector/ScriptCallStack.cpp: Ditto. + * inspector/ScriptCallStack.h: Ditto. + * inspector/agents/InspectorConsoleAgent.cpp: Ditto. + * inspector/agents/InspectorConsoleAgent.h: Ditto. 
+
+ * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
+ (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
+ OptOutput* for out arguments.
+ * inspector/agents/InspectorDebuggerAgent.h: Ditto.
+
+ * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
+ (Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
+ for out arguments.
+ * inspector/agents/InspectorHeapAgent.h: Ditto.
+
+ * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
+ (Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
+ for out arguments.
+ (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
+ (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
+ (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
+ * inspector/agents/InspectorRuntimeAgent.h: Ditto.
+
+ * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
+ and removed some bogus const.
+ * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
+
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
+ (CppGenerator.cpp_type_for_type_with_name): Ditto.
+ (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
+ Inspector::Protocol::OptOutput*.
+ (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
+ (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
+ (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
+
+ * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
+ conditional around assertion code which will now compile to nothing if ASSERT is disabled.
+ Build strings more simply in a few cases.
+
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
+ Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
+ replace OptOutput here.
+ (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ Pass by reference instead of pointer now.
+
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
+ if ASSERT is disabled.
+
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
+ the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
+ (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
+
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
+ (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
+ more simply.
+
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
+ Rebaselined.
+
+2018-02-16 Matt Lewis
+
+ Unreviewed, rolling out r228318.
+
+ The patch that this attempted to fix was rolled out already.
+
+ Reverted changeset:
+
+ "Fix build on ARMv7 traditional JSCOnly bot after r228306"
+ https://bugs.webkit.org/show_bug.cgi?id=182563
+ https://trac.webkit.org/changeset/228318
+
+2018-02-16 Filip Pizlo
+
+ Unreviewed, roll out r228306 (custom memcpy/memset) because the bots say that it was not a
+ progression.
+
+ * assembler/AssemblerBuffer.h:
+ (JSC::AssemblerBuffer::append):
+ * heap/LargeAllocation.cpp:
+ (JSC::LargeAllocation::tryCreate):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::didAddToDirectory):
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::tryAllocate):
+ (JSC::ArrayBufferContents::copyTo):
+ (JSC::ArrayBuffer::createInternal):
+ * runtime/ArrayBufferView.h:
+ (JSC::ArrayBufferView::zeroRangeImpl):
+ * runtime/ArrayConventions.cpp:
+ (JSC::clearArrayMemset):
+ * runtime/ArrayConventions.h:
+ (JSC::clearArray):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::tryCreate):
+ (JSC::Butterfly::createOrGrowPropertyStorage):
+ (JSC::Butterfly::growArrayRight):
+ (JSC::Butterfly::resizeArray):
+ * runtime/GenericTypedArrayViewInlines.h:
+ (JSC::GenericTypedArrayView::create):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::appendMemcpy):
+ (JSC::JSArray::fastSlice):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::set):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+ (JSC::JSObject::shiftButterflyAfterFlattening):
+ * runtime/PropertyTable.cpp:
+ (JSC::PropertyTable::PropertyTable):
+
+2018-02-16 Saam Barati
+
+ Fix bugs from r228411
+ https://bugs.webkit.org/show_bug.cgi?id=182851
+
+
+ Reviewed by JF Bastien.
+
+ There was a bug from r228411 where inside the constant folding phase,
+ we used an insertCheck method that didn't handle varargs. This would
+ lead to a crash.
When thinking about the fix for that function, I realized
+ a made a couple of mistakes in r228411. One is probably a security bug, and
+ the other is a performance bug because it'll prevent CSE for certain flavors
+ of GetByVal nodes. Both blunders are similar in nature.
+
+ In r228411, I added code in LICM that inserted a CheckVarargs node with children
+ of another varargs node. However, to construct this new node's children,
+ I just copied the AdjacencyList. This does a shallow copy. What we needed
+ was a deep copy. We needed to create a new vararg AdjacencyList that points
+ to edges that are deep copies of the original varargs children. This patch
+ fixes this goof in LICM.
+
+ r228411 made it so that PureValue over a varargs node would just compare actual
+ AdjacencyLists structs. So, if you had two GetByVals that had equal santized
+ children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
+ have different firstChild values. Instead, we need to do a deep compare of their
+ adjacency lists. This patch teaches PureValue how to do that.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::copyVarargChildren):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::insertCheck):
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGPureValue.cpp:
+ (JSC::DFG::PureValue::dump const):
+ * dfg/DFGPureValue.h:
+ (JSC::DFG::PureValue::PureValue):
+ (JSC::DFG::PureValue::op const):
+ (JSC::DFG::PureValue::hash const):
+ (JSC::DFG::PureValue::operator== const):
+ (JSC::DFG::PureValue::isVarargs const):
+ (JSC::DFG::PureValue::children const): Deleted.
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
+
+2018-02-16 Matt Lewis
+
+ Unreviewed, rolling out r228546.
+
+ This caused a consistent crash on all macOS WK2 platforms.
+
+ Reverted changeset:
+
+ "Web Inspector: get rid of remaining uses of OptOutput"
+ https://bugs.webkit.org/show_bug.cgi?id=180607
+ https://trac.webkit.org/changeset/228546
+
+2018-02-16 Fujii Hironori
+
+ fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
+ https://bugs.webkit.org/show_bug.cgi?id=172952
+
+ Reviewed by Michael Catanzaro.
+
+ Null dereference of VM::topCallFrame happens in
+ Inspector::createScriptCallStackForConsole if the ExecState has no
+ call frames.
+
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStack): Do null check of topCallFrame.
+ (Inspector::createScriptCallStackForConsole): Ditto.
+
+2018-02-15 Filip Pizlo
+
+ Objects that contain dangerous things should be allocated far away from objects that can do OOB
+ https://bugs.webkit.org/show_bug.cgi?id=182843
+
+ Reviewed by Saam Barati.
+
+ To complete our object distancing plan, we need to put objects that can contain unpoisoned data
+ far away from objects that cannot. Objects referenceable from JSValues cannot contain
+ unpoisoned data, but auxiliary data can. This further divides auxiliary data that is meant for
+ storing mostly JSValues from data that is meant for storing anything.
+
+ This is achieved by having three SecurityKinds that are used for MarkedBlock selection and
+ zeroing sort of the same way SecurityOriginToken already was.
+
+ This change shouldn't make anything slower. If anything, it will be a small speed-up because it
+ removes some cases of MarkedBlock zeroing since we don't need to zero blocks used for two of
+ the SecurityKinds.
+
+ * Sources.txt:
+ * bytecode/ObjectAllocationProfileInlines.h:
+ (JSC::ObjectAllocationProfile::initializeProfile):
+ * heap/BlockDirectory.cpp:
+ (JSC::BlockDirectory::addBlock):
+ * heap/BlockDirectory.h:
+ * heap/CellAttributes.cpp:
+ (JSC::CellAttributes::dump const):
+ * heap/CellAttributes.h:
+ (JSC::CellAttributes::CellAttributes):
+ * heap/LocalAllocator.cpp:
+ (JSC::LocalAllocator::allocateSlowCase):
+ (JSC::LocalAllocator::tryAllocateWithoutCollecting):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::didAddToDirectory):
+ (JSC::MarkedBlock::Handle::associateWithOrigin): Deleted.
+ * heap/MarkedBlock.h:
+ * heap/SecurityKind.cpp: Added.
+ (WTF::printInternal):
+ * heap/SecurityKind.h: Added.
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::subspaceFor):
+ * runtime/JSDestructibleObjectHeapCellType.cpp:
+ (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
+ * runtime/JSObject.h:
+ (JSC::JSObject::subspaceFor):
+ * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
+ (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
+ * runtime/JSStringHeapCellType.cpp:
+ (JSC::JSStringHeapCellType::JSStringHeapCellType):
+ * runtime/Symbol.h:
+ (JSC::Symbol::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
+
+2018-02-15 Darin Adler
+
+ Web Inspector: get rid of remaining uses of OptOutput
+ https://bugs.webkit.org/show_bug.cgi?id=180607
+
+ Reviewed by Brian Burg.
+
+ * inspector/AsyncStackTrace.cpp: Removed explicit Inspector prefix from code that
+ is inside the Inspector namespace already. Also use auto a bit.
+ * inspector/AsyncStackTrace.h: Ditto.
+ * inspector/ConsoleMessage.cpp: Ditto.
+
+ * inspector/ContentSearchUtilities.cpp: More Inspector namespace removal and ...
+ (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Use a
+ Vector instead of a unique_ptr.
+ (Inspector::ContentSearchUtilities::lineEndings): Ditto.
+ (Inspector::ContentSearchUtilities::stylesheetCommentPattern): Deleted.
+ (Inspector::ContentSearchUtilities::findMagicComment): Use std::array instead of
+ a Vector for a fixed size array; also got rid of reinterpret_cast.
+ (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL): Moved the regular
+ expression here since it's the only place it was used.
+
+ * inspector/ContentSearchUtilities.h: Cut down on unneeded includes.
+
+ * inspector/InjectedScript.cpp: Removed explicit Inspector prefix from code that
+ is inside the Inspector namespace already. Also use auto a bit.
+
+ * inspector/InspectorProtocolTypes.h: Removed OptOutput. Simplified assertions.
+ Removed base template for BindingTraits; we only need the specializations.
+
+ * inspector/ScriptCallFrame.cpp: Removed explicit Inspector prefix from code that
+ is inside the Inspector namespace already. Also use auto a bit.
+ * inspector/ScriptCallFrame.h: Ditto.
+ * inspector/ScriptCallStack.cpp: Ditto.
+ * inspector/ScriptCallStack.h: Ditto.
+ * inspector/agents/InspectorConsoleAgent.cpp: Ditto.
+ * inspector/agents/InspectorConsoleAgent.h: Ditto.
+
+ * inspector/agents/InspectorDebuggerAgent.cpp: More Inspector namespace removal and ...
+ (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use std::optional& intead of
+ OptOutput* for out arguments.
+ * inspector/agents/InspectorDebuggerAgent.h: Ditto.
+
+ * inspector/agents/InspectorHeapAgent.cpp: More Inspector namespace removal and ...
+ (Inspector::InspectorHeapAgent::getPreview): Use std::optional& intead of OptOutput*
+ for out arguments.
+ * inspector/agents/InspectorHeapAgent.h: Ditto.
+
+ * inspector/agents/InspectorRuntimeAgent.cpp: More Inspector namespace removal and ...
+ (Inspector::InspectorRuntimeAgent::parse): Use std::optional& intead of OptOutput*
+ for out arguments.
+ (Inspector::InspectorRuntimeAgent::evaluate): Ditto.
+ (Inspector::InspectorRuntimeAgent::callFunctionOn): Ditto.
+ (Inspector::InspectorRuntimeAgent::saveResult): Ditto.
+ * inspector/agents/InspectorRuntimeAgent.h: Ditto.
+
+ * inspector/agents/InspectorScriptProfilerAgent.cpp: More Inspector namespace removal
+ and removed some bogus const.
+ * inspector/agents/InspectorScriptProfilerAgent.h: Ditto.
+
+ * inspector/scripts/codegen/cpp_generator.py:
+ (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Removed some bogus const.
+ (CppGenerator.cpp_type_for_type_with_name): Ditto.
+ (CppGenerator.cpp_type_for_formal_out_parameter): Use std::optional& instead of
+ Inspector::Protocol::OptOutput*.
+ (CppGenerator.cpp_type_for_formal_async_parameter): Ditto.
+ (CppGenerator.cpp_type_for_stack_in_parameter): Ditto.
+ (CppGenerator.cpp_type_for_stack_out_parameter): Ditto.
+
+ * inspector/scripts/codegen/cpp_generator_templates.py: Removed ASSERT_DISABLED
+ conditional around assertion code which will now compile to nothing if ASSERT is disabled.
+ Build strings more simply in a few cases.
+
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
+ Use has_value instead of isAssigned and * operator instead of getValue() since std::optional
+ replace OptOutput here.
+ (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ Pass by reference instead of pointer now.
+
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ Removed ASSERT_DISABLED conditional around assertion code which will now compile to nothing
+ if ASSERT is disabled.
+
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration): Generate
+ the assertion function unconditionally, but leave out the assertions if ASSERT_DISABLED is true.
+ (CppProtocolTypesImplementationGenerator): Use auto instead of writing out JSON::Object::iterator.
+
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
+ (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command): Build strings
+ more simply.
+
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
+ Rebaselined.
+
+2018-02-15 Filip Pizlo
+
+ Unreviewed, roll out r228366 since it did not progress anything.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::finalizeUnconditionalFinalizers):
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::visitChildren):
+ (JSC::ErrorInstance::finalizeUnconditionally): Deleted.
+ * runtime/ErrorInstance.h:
+ (JSC::ErrorInstance::stackTrace):
+ (JSC::ErrorInstance::subspaceFor): Deleted.
+ * runtime/Exception.cpp:
+ (JSC::Exception::visitChildren):
+ (JSC::Exception::finalizeUnconditionally): Deleted.
+ * runtime/Exception.h:
+ * runtime/StackFrame.cpp:
+ (JSC::StackFrame::visitChildren):
+ (JSC::StackFrame::isFinalizationCandidate): Deleted.
+ (JSC::StackFrame::finalizeUnconditionally): Deleted.
+ * runtime/StackFrame.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2018-02-15 Yusuke Suzuki
+
+ [JSC] Remove monotonicallyIncreasingTime and currentTime
+ https://bugs.webkit.org/show_bug.cgi?id=182793
+
+ Reviewed by Saam Barati.
+
+ We would like to drop monotonicallyIncreasingTime and currentTime from our tree by
+ replacing them with MonotonicTime and WallTime, which are well-typed alternatives,
+ compared to double.
+ This patch removes monotonicallyIncreasingTime and currentTime in JSC.
+
+ * b3/testb3.cpp:
+ (JSC::B3::testComplex):
+ * dfg/DFGPhase.h:
+ (JSC::DFG::runAndLog):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThread):
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPlan.h:
+ * dynbench.cpp:
+ (JSC::benchmarkImpl):
+ * heap/BlockDirectory.cpp:
+ (JSC::BlockDirectory::isPagedOut):
+ * heap/BlockDirectory.h:
+ * heap/FullGCActivityCallback.cpp:
+ (JSC::FullGCActivityCallback::doCollection):
+ * heap/Heap.cpp:
+ (JSC::Heap::isPagedOut):
+ (JSC::Heap::sweepSynchronously):
+ * heap/Heap.h:
+ * heap/MarkedSpace.cpp:
+ (JSC::MarkedSpace::isPagedOut):
+ * heap/MarkedSpace.h:
+ * inspector/agents/InspectorConsoleAgent.cpp:
+ (Inspector::InspectorConsoleAgent::startTiming):
+ (Inspector::InspectorConsoleAgent::stopTiming):
+ * inspector/agents/InspectorConsoleAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ * jit/JIT.cpp:
+ (JSC::JIT::compileWithoutLinking):
+ (JSC::JIT::compileTimeStats):
+ * jit/JIT.h:
+ * jsc.cpp:
+ (StopWatch::start):
+ (StopWatch::stop):
+ (StopWatch::getElapsedMS):
+ (functionPreciseTime):
+ (runJSC):
+ * profiler/ProfilerDatabase.cpp:
+ (JSC::Profiler::Database::logEvent):
+ * profiler/ProfilerEvent.cpp:
+ (JSC::Profiler::Event::toJS const):
+ * profiler/ProfilerEvent.h:
+ (JSC::Profiler::Event::Event):
+ (JSC::Profiler::Event::time const):
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCacheMap::pruneSlowCase):
+ * runtime/CodeCache.h:
+ (JSC::CodeCacheMap::CodeCacheMap):
+ (JSC::CodeCacheMap::prune):
+ * runtime/DateConstructor.cpp:
+ (JSC::callDate):
+ * runtime/TypeProfilerLog.cpp:
+ (JSC::TypeProfilerLog::processLogEntries):
+ * testRegExp.cpp:
+ (StopWatch::start):
+
(StopWatch::stop):
+ (StopWatch::getElapsedMS):
+
+2018-02-14 Keith Miller
+
+ We should be able to jsDynamicCast from JSType when possible
+ https://bugs.webkit.org/show_bug.cgi?id=182804
+
+ Reviewed by Filip Pizlo and Mark Lam.
+
+ This patch beefs up jsDynamicCast in some of the cases where we
+ can use the JSType to quickly determine if a cell is a subclass of
+ the desired type. Since all JSCells have a range of JSTypes they support,
+ if there is a range exclusive to a class and all subclasses we can use
+ that range to quickly determine if the cast should be successful.
+
+ Additionally, the JSValue versions of jsCast and jsDynamicCast now
+ call the JSCell version after checking the value is a cell.
+
+ Finally, the casting functions have been moved to a new header,
+ JSCast.h
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CallVariant.h:
+ * bytecode/CodeBlock.h:
+ * bytecode/ExecutableToCodeBlockEdge.h:
+ * bytecode/TrackedReferences.h:
+ * bytecode/UnlinkedCodeBlock.h:
+ * bytecode/UnlinkedFunctionExecutable.h:
+ * dfg/DFGAbstractValue.h:
+ * dfg/DFGCommonData.h:
+ * dfg/DFGFrozenValue.h:
+ * dfg/DFGStructureAbstractValue.h:
+ * heap/CellContainerInlines.h:
+ * heap/ConservativeRoots.cpp:
+ * heap/GCLogging.cpp:
+ * heap/HeapInlines.h:
+ * heap/HeapSnapshotBuilder.cpp:
+ * heap/MarkedBlock.cpp:
+ * heap/MarkedBlockInlines.h:
+ * heap/SubspaceInlines.h:
+ * heap/WeakInlines.h:
+ * jit/JITOpcodes.cpp:
+ * jit/JITOpcodes32_64.cpp:
+ * llint/LLIntOffsetsExtractor.cpp:
+ * runtime/ArrayBufferNeuteringWatchpoint.h:
+ * runtime/BigIntPrototype.cpp:
+ * runtime/ClassInfo.h:
+ * runtime/CustomGetterSetter.h:
+ * runtime/FunctionRareData.h:
+ * runtime/GetterSetter.h:
+ * runtime/InferredType.h:
+ * runtime/InferredTypeTable.h:
+ * runtime/InferredValue.h:
+ * runtime/InternalFunction.cpp:
+ (JSC::InternalFunction::finishCreation):
+ * runtime/JSAPIValueWrapper.h:
+ * runtime/JSArray.h:
+ (JSC::JSArray::finishCreation):
+ *
runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::finishCreation):
+ * runtime/JSCast.h: Added.
+ (JSC::jsCast):
+ (JSC::JSCastingHelpers::jsDynamicCastGenericImpl):
+ (JSC::JSCastingHelpers::jsDynamicCastJSTypeImpl):
+ (JSC::JSCastingHelpers::JSDynamicCastTraits::cast):
+ (JSC::jsDynamicCast):
+ * runtime/JSCell.cpp:
+ * runtime/JSCell.h:
+ (JSC::jsCast): Deleted.
+ (JSC::jsDynamicCast): Deleted.
+ * runtime/JSCellInlines.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::finishCreation):
+ * runtime/JSJob.h:
+ * runtime/JSObject.h:
+ (JSC::JSObject::finishCreation):
+ * runtime/JSPromiseDeferred.h:
+ * runtime/JSPropertyNameEnumerator.h:
+ * runtime/NativeStdFunctionCell.h:
+ * runtime/ScopedArgumentsTable.h:
+ * runtime/SparseArrayValueMap.h:
+ * runtime/Structure.h:
+ * runtime/StructureChain.h:
+ * runtime/StructureRareData.h:
+ * tools/CellProfile.h:
+ * wasm/js/JSWebAssemblyCodeBlock.h:
+
+2018-02-14 Michael Saboff
+
+ Crash: triggerOMGTierUpThunkGenerator() doesn't align the stack pointer before calling C++ code
+ https://bugs.webkit.org/show_bug.cgi?id=182808
+
+ Reviewed by Keith Miller.
+
+ Set up a proper frame with a prologue and epilogue to align the stack pointer for the rest of the
+ thunk.
+
+ * wasm/WasmThunks.cpp:
+ (JSC::Wasm::triggerOMGTierUpThunkGenerator):
+
+2018-02-14 Saam Barati
+
+ Setting a VMTrap shouldn't look at topCallFrame since that may imply we're in C code and holding the malloc lock
+ https://bugs.webkit.org/show_bug.cgi?id=182801
+
+ Reviewed by Keith Miller.
+
+ VMTraps would sometimes install traps when it paused the JS thread when it
+ was in C code. This is wrong, as installing traps mallocs, and the JS thread
+ may have been holding the malloc lock while in C code. This could lead to a
+ deadlock when C code was holding the malloc lock.
+
+ This patch makes it so that we only install traps when we've proven the PC
+ is in JIT or LLInt code.
If we're in JIT/LLInt code, we are guaranteed that + we're not holding the malloc lock. + + * jsc.cpp: + (GlobalObject::finishCreation): + (functionMallocInALoop): + * runtime/VMTraps.cpp: + (JSC::VMTraps::tryInstallTrapBreakpoints): + +2018-02-14 Michael Saboff + + REGRESSION(225695) : com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::RegExp::match + 630 :: stack overflow + https://bugs.webkit.org/show_bug.cgi?id=182705 + + Reviewed by Mark Lam. + + Moved the pattern context buffer used by YARR JIT'ed code from a stack local to a lazily allocated + buffer on the VM. Exposed when the buffer is needed to reduce likelihood that we'd allocated it. + Guarded use of the buffer with a lock since the DFG compiler may call into YARR JIT'ed code on a + compilation thread. + + * runtime/RegExpInlines.h: + (JSC::RegExp::matchInline): + * runtime/VM.cpp: + (JSC::VM::~VM): + (JSC::VM::acquireRegExpPatternContexBuffer): + (JSC::VM::releaseRegExpPatternContexBuffer): + * runtime/VM.h: + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generate): + (JSC::Yarr::YarrGenerator::backtrack): + (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): + (JSC::Yarr::YarrGenerator::generateEnter): + (JSC::Yarr::YarrGenerator::generateReturn): + (JSC::Yarr::YarrGenerator::YarrGenerator): + (JSC::Yarr::YarrGenerator::compile): + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::usesPatternContextBuffer): + (JSC::Yarr::YarrCodeBlock::setUsesPaternContextBuffer): + +2018-02-13 Saam Barati + + putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present + https://bugs.webkit.org/show_bug.cgi?id=182755 + + + Reviewed by Keith Miller. + + putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted + the object in question to a dictionary indexing mode when the index is less than + the vector length. This makes no sense. 
If we're defining a getter, setter, or read
+ only property, we must always enter the dictionary indexing mode irrespective
+ of the index in relation to the vector length.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+
+2018-02-13 Saam Barati
+
+ Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2018-02-13 Guillaume Emont
+
+ [YarrJIT][ARM] We need to save r8 as it is the initial start register
+ https://bugs.webkit.org/show_bug.cgi?id=182157
+
+ Reviewed by Saam Barati.
+
+ Register r8 is the initial start register since r224172, so we need to
+ save it. We still need to save r6 as well even though it is not the
+ initial start register any more, since it is used by the
+ MacroAssembler which we use (we get crashes in some situations if we
+ don't save r6). This issue was discovered because
+ stress/regress-174044.js crashes on a raspberry pi 2 when compiled in
+ -O2.
+
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generateEnter):
+ (JSC::Yarr::YarrGenerator::generateReturn):
+
+2018-02-13 Caitlin Potter
+
+ [JSC] cache TaggedTemplate arrays by callsite rather than by contents
+ https://bugs.webkit.org/show_bug.cgi?id=182717
+
+ Reviewed by Yusuke Suzuki.
+
+ https://github.com/tc39/ecma262/pull/890 imposes a change to template
+ literals, to allow template callsite arrays to be collected when the
+ code containing the tagged template call is collected. This spec change
+ has received concensus and been ratified.
+
+ This change eliminates the eternal map associating template contents
+ with arrays.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/DirectEvalCodeCache.cpp:
+ (JSC::DirectEvalCodeCache::setSlow):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addTemplateObjectConstant):
+ (JSC::BytecodeGenerator::emitGetTemplateObject):
+ (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ (JSC::Parser::parseMemberExpression):
+ * parser/Parser.h:
+ * parser/ParserModes.h:
+ * runtime/EvalExecutable.h:
+ (JSC::EvalExecutable::allowDirectEvalCache const):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::templateRegistry): Deleted.
+ * runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
+ (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
+ (JSC::JSTemplateObjectDescriptor::create):
+ (JSC::JSTemplateObjectDescriptor::destroy):
+ (JSC::JSTemplateObjectDescriptor::createTemplateObject):
+ * runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
+ (JSC::isTemplateObjectDescriptor):
+ * runtime/JSTemplateRegistryKey.cpp: Removed.
+ * runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
+ (JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
+ * runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
+ (JSC::TemplateObjectDescriptor::operator== const):
+ (JSC::TemplateObjectDescriptor::operator!= const):
+ (JSC::TemplateObjectDescriptor::Hasher::hash):
+ (JSC::TemplateObjectDescriptor::Hasher::equal):
+ (JSC::TemplateObjectDescriptor::create):
+ (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
+ (JSC::TemplateObjectDescriptor::calculateHash):
+ * runtime/TemplateRegistry.h: Removed.
+ * runtime/TemplateRegistryKeyTable.cpp: Removed.
+ * runtime/TemplateRegistryKeyTable.h: Removed.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ (JSC::VM::templateRegistryKeyTable): Deleted.
+ * runtime/VMEntryScope.cpp:
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/DirectEvalCodeCache.cpp:
+ (JSC::DirectEvalCodeCache::setSlow):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addTemplateObjectConstant):
+ (JSC::BytecodeGenerator::emitGetTemplateObject):
+ (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ (JSC::Parser::parseMemberExpression):
+ * parser/Parser.h:
+ * parser/ParserModes.h:
+ * runtime/EvalExecutable.h:
+ (JSC::EvalExecutable::allowDirectEvalCache const):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::templateRegistry): Deleted.
+ * runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
+ (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
+ (JSC::JSTemplateObjectDescriptor::create):
+ (JSC::JSTemplateObjectDescriptor::destroy):
+ (JSC::JSTemplateObjectDescriptor::createTemplateObject):
+ * runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
+ (JSC::isTemplateObjectDescriptor):
+ * runtime/JSTemplateRegistryKey.cpp: Removed.
+ * runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
+ (JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
+ * runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
+ (JSC::TemplateObjectDescriptor::operator== const):
+ (JSC::TemplateObjectDescriptor::operator!= const):
+ (JSC::TemplateObjectDescriptor::Hasher::hash):
+ (JSC::TemplateObjectDescriptor::Hasher::equal):
+ (JSC::TemplateObjectDescriptor::create):
+ (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
+ (JSC::TemplateObjectDescriptor::calculateHash):
+ * runtime/TemplateRegistry.h: Removed.
+ * runtime/TemplateRegistryKeyTable.cpp: Removed.
+ * runtime/TemplateRegistryKeyTable.h: Removed.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ (JSC::VM::templateRegistryKeyTable): Deleted.
+ * runtime/VMEntryScope.cpp:
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/DirectEvalCodeCache.cpp:
+ (JSC::DirectEvalCodeCache::setSlow):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::allowDirectEvalCache const):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addTemplateObjectConstant):
+ (JSC::BytecodeGenerator::emitGetTemplateObject):
+ (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ (JSC::Parser::parseMemberExpression):
+ * parser/Parser.h:
+ * parser/ParserModes.h:
+ * runtime/EvalExecutable.h:
+ (JSC::EvalExecutable::allowDirectEvalCache const):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::templateRegistry): Deleted.
+ * runtime/JSTemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistry.cpp.
+ (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
+ (JSC::JSTemplateObjectDescriptor::create):
+ (JSC::JSTemplateObjectDescriptor::destroy):
+ (JSC::JSTemplateObjectDescriptor::createTemplateObject):
+ * runtime/JSTemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/JSTemplateRegistryKey.h.
+ (JSC::isTemplateObjectDescriptor):
+ * runtime/JSTemplateRegistryKey.cpp: Removed.
+ * runtime/TemplateObjectDescriptor.cpp: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.cpp.
+ (JSC::TemplateObjectDescriptor::~TemplateObjectDescriptor):
+ * runtime/TemplateObjectDescriptor.h: Renamed from Source/JavaScriptCore/runtime/TemplateRegistryKey.h.
+ (JSC::TemplateObjectDescriptor::operator== const):
+ (JSC::TemplateObjectDescriptor::operator!= const):
+ (JSC::TemplateObjectDescriptor::Hasher::hash):
+ (JSC::TemplateObjectDescriptor::Hasher::equal):
+ (JSC::TemplateObjectDescriptor::create):
+ (JSC::TemplateObjectDescriptor::TemplateObjectDescriptor):
+ (JSC::TemplateObjectDescriptor::calculateHash):
+ * runtime/TemplateRegistry.h: Removed.
+ * runtime/TemplateRegistryKeyTable.cpp: Removed.
+ * runtime/TemplateRegistryKeyTable.h: Removed.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ (JSC::VM::templateRegistryKeyTable): Deleted.
+ * runtime/VMEntryScope.cpp:
+
+2018-02-13 Yusuke Suzuki
+
+ Support GetArrayLength on ArrayStorage in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=182625
+
+ Reviewed by Saam Barati.
+
+ This patch adds GetArrayLength and CheckArray + ArrayStorage & SlowPutArrayStorage support for FTL.
+ The implementation is trivial; just porting one in DFG to FTL.
+
+ This fixes several FTL compilation failures in web-tooling-benchmarks while we still need to support
+ ArrayPush, ArrayPop, Arrayify, and PutByVal.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
+
+2018-02-10 Filip Pizlo
+
+ Lock down JSFunction
+ https://bugs.webkit.org/show_bug.cgi?id=182652
+
+ Reviewed by Saam Barati.
+
+ This poisons pointers in JSFunction and puts all of the types in the JSFunction hierarchy in
+ isospaces.
+
+ This is so neutral on JetStream: 0.01% slower with p = 0.969211.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ (JSC::DFG::SpeculativeJIT::compileNewFunction):
+ (JSC::DFG::SpeculativeJIT::compileCreateThis):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::TrustedImmPtr::TrustedImmPtr):
+ (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPointer):
+ (JSC::DFG::SpeculativeJIT::TrustedImmPtr::weakPoisonedPointer):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetExecutable):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+ (JSC::FTL::DFG::LowerDFGToB3::weakPointer):
+ (JSC::FTL::DFG::LowerDFGToB3::weakPoisonedPointer):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::weakPointer):
+ (JSC::FTL::Output::weakPoisonedPointer):
+ * heap/MarkedSpace.cpp:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualThunkFor):
+ (JSC::nativeForGenerator):
+ (JSC::boundThisNoArgsFunctionCallGenerator):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSAsyncFunction.h:
+ (JSC::JSAsyncFunction::subspaceFor):
+ * runtime/JSAsyncGeneratorFunction.h:
+ (JSC::JSAsyncGeneratorFunction::subspaceFor):
+ * runtime/JSBoundFunction.h:
+ (JSC::JSBoundFunction::subspaceFor):
+ * runtime/JSCPoison.h:
+ * runtime/JSCustomGetterSetterFunction.h:
+ (JSC::JSCustomGetterSetterFunction::subspaceFor):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::subspaceFor):
+ * runtime/JSGeneratorFunction.h:
+ (JSC::JSGeneratorFunction::subspaceFor):
+ * runtime/JSNativeStdFunction.h:
+ (JSC::JSNativeStdFunction::subspaceFor):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/WebAssemblyFunction.h:
+ * wasm/js/WebAssemblyWrapperFunction.h:
+
+2018-02-12 Saam Barati
+
+ Add a GetIndexMask node and make it an input to GetByVal for array and typed array accesses in DFG SSA
+ https://bugs.webkit.org/show_bug.cgi?id=182633
+
+
+ Reviewed by Keith Miller.
+
+ This patch introduces a GetIndexMask node to DFG SSA. This is an input to
+ GetByVal for the GetByVal variants that do conservative index masking.
+ The reason I'm adding this node is I realized there were loads of
+ the butterfly index mask inside loops that B3 couldn't reason about
+ because B3 can't arbitrarily hoist loads out of loops if those loops
+ have side exits (because the side exit might be protecting the safety of the
+ load). However, for these loops I analyzed, the DFG would be able to hoist
+ these loads out of loops because it knows about JS semantics to correctly
+ reason about the safety of hoisting the load.
+
+ This is a 1% speedup on JetStream on Mac and iOS in my testing.
+
+ This patch also adds some infrastructure for eliminating and doing CSE on
+ varargs nodes. Because this patch makes GetByVal a varargs node, I ran into
+ issues we never had before. We never had a varargs node that could be CSEd or be
+ hoisted out of a loop until I made GetByVal varargs. To make it all work,
+ I added a CheckVarargs node. This is just like Check, but it's varargs.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAdjacencyList.h:
+ (JSC::DFG::AdjacencyList::AdjacencyList):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::replaceTerminal):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::findTerminal const):
+ * dfg/DFGBasicBlockInlines.h:
+ (JSC::DFG::BasicBlock::replaceTerminal):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGCleanUpPhase.cpp:
+ (JSC::DFG::CleanUpPhase::run):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ (JSC::DFG::DCEPhase::fixupBlock):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupChecksInBlock):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
+ * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGMayExit.cpp:
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::remove):
+ (JSC::DFG::Node::convertToIdentityOn):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::replaceWith):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGPureValue.cpp:
+ (JSC::DFG::PureValue::dump const):
+ * dfg/DFGPureValue.h:
+ (JSC::DFG::PureValue::PureValue):
+ * dfg/DFGPutStackSinkingPhase.cpp:
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
+ (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStoreBarrierClusteringPhase.cpp:
+ * dfg/DFGValidate.cpp:
+ * dfg/DFGVarargsForwardingPhase.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayMask):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
+ (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
+ (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
+
+2018-02-12 Mark Lam
+
+ Miscellaneous refactoring of offlineasm.
+ https://bugs.webkit.org/show_bug.cgi?id=182702
+
+
+ Reviewed by Filip Pizlo.
+
+ 1. Refactor out the emission of $asm.comment, $asm.codeOrigin, $asm.annotation,
+ and $asm.debugAnnotation into a recordMetaData method. This standardizes how
+ we emit this metadata and makes all backends do it the same way.
+
+ 2. Add the ability to include custom offlineasm scripts from WebKitAdditions in
+ the future.
+
+ * offlineasm/arm.rb:
+ * offlineasm/arm64.rb:
+ * offlineasm/ast.rb:
+ * offlineasm/backends.rb:
+ * offlineasm/cloop.rb:
+ * offlineasm/config.rb:
+ * offlineasm/mips.rb:
+ * offlineasm/risc.rb:
+ * offlineasm/x86.rb:
+
+2018-02-12 Saam Barati
+
+ DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
+ https://bugs.webkit.org/show_bug.cgi?id=182706
+
+
+ Reviewed by Filip Pizlo.
+
+ When we added support for PhantomNewArrayBuffer, we forgot to update
+ the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer.
+ This patch adds that support. It's trivial to generate the length for
+ a PhantomNewArrayBuffer node since it's a constant buffer, with a constant
+ length.
+
+ * dfg/DFGArgumentsUtilities.cpp:
+ (JSC::DFG::emitCodeToGetArgumentsArrayLength):
+
+2018-02-12 Mark Lam
+
+ Add more support for pointer preparations.
+ https://bugs.webkit.org/show_bug.cgi?id=182703
+
+
+ Reviewed by Saam Barati.
+
+ * llint/LLIntData.h:
+ (JSC::LLInt::getCodePtr):
+ * llint/LLIntPCRanges.h:
+ (JSC::LLInt::isLLIntPC):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+
+2018-02-12 Mark Lam
+
+ Fix missing exception check in RegExpObject::matchGlobal().
+ https://bugs.webkit.org/show_bug.cgi?id=182701
+
+
+ Reviewed by Michael Saboff.
+
+ This issue was discovered when running JSC tests on an asm LLInt build with
+ JSC_useJIT=false.
+
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::matchGlobal):
+
+2018-02-11 Guillaume Emont
+
+ [MIPS] JSC needs to be built with -latomic
+ https://bugs.webkit.org/show_bug.cgi?id=182610
+
+ Reviewed by Žan Doberšek.
+
+ Since r228149, on MIPS we need to link with -latomic, because
+ __atomic_fetch_add_8 is not available as a compiler intrinsic.
+
+ * CMakeLists.txt:
+
+2018-02-09 Filip Pizlo
+
+ Don't waste memory for error.stack
+ https://bugs.webkit.org/show_bug.cgi?id=182656
+
+ Reviewed by Saam Barati.
+
+ This makes the StackFrames in ErrorInstance and Exception weak. We simply forget their
+ contents if we GC.
+
+ This isn't going to happen under normal operation since your callees and code blocks will
+ still be alive when you ask for .stack.
+
+ Bug 182650 tracks improving this so that it's not lossy. For now, I think it's worth it,
+ since it is likely to recover 3-5 MB on membuster.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::finalizeUnconditionalFinalizers):
+ * runtime/ErrorInstance.cpp:
+ (JSC::ErrorInstance::visitChildren):
+ (JSC::ErrorInstance::finalizeUnconditionally):
+ * runtime/ErrorInstance.h:
+ (JSC::ErrorInstance::subspaceFor):
+ * runtime/Exception.cpp:
+ (JSC::Exception::visitChildren):
+ (JSC::Exception::finalizeUnconditionally):
+ * runtime/Exception.h:
+ (JSC::Exception::valueOffset): Deleted.
+ (JSC::Exception::value const): Deleted.
+ (JSC::Exception::stack const): Deleted.
+ (JSC::Exception::didNotifyInspectorOfThrow const): Deleted.
+ (JSC::Exception::setDidNotifyInspectorOfThrow): Deleted.
+ * runtime/StackFrame.cpp:
+ (JSC::StackFrame::isFinalizationCandidate):
+ (JSC::StackFrame::finalizeUnconditionally):
+ (JSC::StackFrame::visitChildren): Deleted.
+ * runtime/StackFrame.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2018-02-09 Carlos Alberto Lopez Perez
+
+ Fix build on ARMv7 traditional JSCOnly bot after r228306
+ https://bugs.webkit.org/show_bug.cgi?id=182563
+
+ Unreviewed build fix.
+
+ * assembler/AssemblerBuffer.h:
+
+2018-02-08 Filip Pizlo
+
+ Experiment with alternative implementation of memcpy/memset
+ https://bugs.webkit.org/show_bug.cgi?id=182563
+
+ Reviewed by Michael Saboff and Mark Lam.
+
+ This adopts new fastCopy/fastZeroFill calls for calls to memcpy/memset that do not take a
+ constant size argument.
+
+ * assembler/AssemblerBuffer.h:
+ (JSC::AssemblerBuffer::append):
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBufferContents::tryAllocate):
+ (JSC::ArrayBufferContents::copyTo):
+ (JSC::ArrayBuffer::createInternal):
+ * runtime/ArrayBufferView.h:
+ (JSC::ArrayBufferView::zeroRangeImpl):
+ * runtime/ArrayConventions.cpp:
+ * runtime/ArrayConventions.h:
+ (JSC::clearArray):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoPrivateFuncConcatMemcpy):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::tryCreate):
+ (JSC::Butterfly::createOrGrowPropertyStorage):
+ (JSC::Butterfly::growArrayRight):
+ (JSC::Butterfly::resizeArray):
+ * runtime/GenericTypedArrayViewInlines.h:
+ (JSC::GenericTypedArrayView::create):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::appendMemcpy):
+ (JSC::JSArray::fastSlice):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::set):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+ (JSC::JSObject::shiftButterflyAfterFlattening):
+ * runtime/PropertyTable.cpp:
+ (JSC::PropertyTable::PropertyTable):
+
+2018-02-08 Don Olmstead
+
+ Remove JavaScriptCore/ForwardingHeaders directory
+ https://bugs.webkit.org/show_bug.cgi?id=182594
+
+ Reviewed by Mark Lam.
+
+ * CMakeLists.txt:
+ * ForwardingHeaders/JavaScriptCore/APICast.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSBase.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSContextRef.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSObjectRef.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSObjectRefPrivate.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSRetainPtr.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSStringRef.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSStringRefCF.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSTypedArray.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JSValueRef.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JavaScript.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/JavaScriptCore.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/OpaqueJSString.h: Removed.
+ * ForwardingHeaders/JavaScriptCore/WebKitAvailability.h: Removed.
+
+2018-02-06 Yusuke Suzuki
+
+ [JSC] Implement Array.prototype.flatMap and Array.prototype.flatten
+ https://bugs.webkit.org/show_bug.cgi?id=182440
+
+ Reviewed by Darin Adler.
+
+ This patch implements Array.prototype.flatMap and Array.prototype.flatten
+ since they are now stage 3 [1].
+
+ [1]: https://tc39.github.io/proposal-flatMap/#sec-FlattenIntoArray
+
+ * builtins/ArrayPrototype.js:
+ (filter):
+ (map):
+ (globalPrivate.concatSlowPath):
+ (globalPrivate.arraySpeciesCreate):
+ (globalPrivate.flattenIntoArray):
+ (flatten):
+ (globalPrivate.flattenIntoArrayWithCallback):
+ We separate flattenIntoArray from flattenIntoArrayWithCallback due to performance reason.
+ We carefully keep both functions small to encourage inlining.
+
+ (flatMap):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+
+2018-01-13 Darin Adler
+
+ Event improvements
+ https://bugs.webkit.org/show_bug.cgi?id=179591
+
+ Reviewed by Chris Dumez.
+
+ Remove all uses of ScriptValue other than in the implementation of ScriptObject.
+
+ * bindings/ScriptFunctionCall.cpp: Removed include of ScriptValue.h.
+
+ * bindings/ScriptObject.cpp: Removed unused overload of ScriptObject constructor.
+ * bindings/ScriptObject.h: Ditto.
+
+ * bindings/ScriptValue.cpp:
+ (Deprecated::ScriptValue::~ScriptValue): Deleted.
+ (Deprecated::ScriptValue::getString const): Deleted.
+ (Deprecated::ScriptValue::toString const): Deleted.
+ (Deprecated::ScriptValue::isEqual const): Deleted.
+ (Deprecated::ScriptValue::isNull const): Deleted.
+ (Deprecated::ScriptValue::isUndefined const): Deleted.
+ (Deprecated::ScriptValue::isObject const): Deleted.
+ (Deprecated::ScriptValue::isFunction const): Deleted.
+ (Deprecated::ScriptValue::toInspectorValue const): Deleted.
+ * bindings/ScriptValue.h: Removed many unused functions. Made the rest
+ protected since this is now used only in ScriptObject.
+
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::ConsoleMessage::addToFrontend): Stop using ScriptValue.
+ (Inspector::ConsoleMessage::isEqual const): Updated for change to ScriptArguments::isEqual.
+
+ * inspector/ScriptArguments.cpp:
+ (Inspector::ScriptArguments::create): Take a Vector of JSC::Strong, not ScriptValue,
+ use rvalue reference with move instead of lvalue reference with swap, and take execution
+ state by reference instead of pointer.
+ (Inspector::ScriptArguments::createEmpty): Deleted. Can now use create instead.
+ (Inspector::ScriptArguments::ScriptArguments): Ditto.
+ (Inspector::ScriptArguments::~ScriptArguments): Deleted.
+ (Inspector::ScriptArguments::argumentAt const): Updated to use JSC::Strong.
+ (Inspector::ScriptArguments::getFirstArgumentAsString): Ditto.
+ (Inspector::ScriptArguments::isEqual const): Ditto. Also changed to use JS internals
+ instead of calling through the C API.
+ * inspector/ScriptArguments.h: Updated for the above.
+
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptArguments): Updated for changes to ScriptArguments.
+
+ * inspector/ScriptDebugServer.cpp: Removed include of ScriptValue.h.
+ * inspector/agents/InspectorAgent.cpp: Ditto.
+ * inspector/agents/InspectorDebuggerAgent.cpp: Ditto.
+ (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame): Use JSC::Strong instead
+ of ScriptValue.
+ (Inspector::InspectorDebuggerAgent::currentCallFrames): Ditto.
+ * inspector/agents/InspectorDebuggerAgent.h: Ditto.
+ * runtime/ConsoleClient.cpp:
+ (JSC::ConsoleClient::printConsoleMessageWithArguments): Ditto.
+ (JSC::ConsoleClient::clear): Use ScriptArguments::create and pass an empty vector
+ instead of calling a separate createEmpty function.
+
+ * runtime/VM.cpp:
+ (JSC::VM::createLeaked): Deleted.
+ * runtime/VM.h: Deleted createLeaked.
+
+2018-02-06 Brian Burg
+
+ Web Inspector: protocol generator should automatically deduce the correct include style to use
+ https://bugs.webkit.org/show_bug.cgi?id=182505
+
+ Reviewed by Timothy Hatcher.
+
+ Currently the generated imports use a mix of system header imports (powered by forwarding headers)
+ and framework-style includes. Since forwarding headers are going away, this patch stops
+ using system header includes for headers that are JavaScriptCore private headers. Instead,
+ use either a relative include or a framework include.
+
+ * inspector/scripts/codegen/generate_cpp_alternate_backend_dispatcher_header.py:
+ (CppAlternateBackendDispatcherHeaderGenerator.generate_output):
+ (CppAlternateBackendDispatcherHeaderGenerator):
+ (CppAlternateBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
+ (CppBackendDispatcherHeaderGenerator.generate_output):
+ (CppBackendDispatcherHeaderGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
+ (CppBackendDispatcherImplementationGenerator.generate_output):
+ (CppBackendDispatcherImplementationGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
+ (CppFrontendDispatcherHeaderGenerator.generate_output):
+ (CppFrontendDispatcherHeaderGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
+ (CppFrontendDispatcherImplementationGenerator.generate_output):
+ (CppFrontendDispatcherImplementationGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
+ (CppProtocolTypesHeaderGenerator.generate_output):
+ (CppProtocolTypesHeaderGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
+ (CppProtocolTypesImplementationGenerator.generate_output):
+ (CppProtocolTypesImplementationGenerator._generate_secondary_header_includes):
+ * inspector/scripts/codegen/generate_objc_backend_dispatcher_header.py:
+ (ObjCBackendDispatcherHeaderGenerator):
+ Convert existing header lists to the new entries format, which includes the
+ allowable target frameworks and the relative path to the header.
+
+ * inspector/scripts/codegen/generator.py:
+ (Generator.generate_includes_from_entries):
+ Copied from the same in the builtins code generator. It still works great.
+
+ * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/generic/expected/domain-availability.json-result:
+ * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/generic/expected/enum-values.json-result:
+ * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
+ * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
+ * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
+ * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
+ * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
+ * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
+ * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
+ Rebaseline.
+
+2018-02-06 Keith Miller
+
+ put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object
+ https://bugs.webkit.org/show_bug.cgi?id=182549
+
+
+ Reviewed by Saam Barati.
+
+ Previously, the llint/baseline caching for put_to_scope and
+ get_from_scope would cache lexical environments when the
+ varInjectionWatchpoint had been fired for global properties. Code
+ in the DFG does not follow this same assumption so we could
+ potentially return the wrong result. Additionally, the baseline
+ would write barrier the global object rather than the lexical
+ enviroment object. This patch makes it so that we do not cache
+ anything other than the global object for when the resolve type is
+ GlobalPropertyWithVarInjectionChecks or GlobalProperty.
+
+ * assembler/MacroAssembler.cpp:
+ (JSC::MacroAssembler::jitAssert):
+ * assembler/MacroAssembler.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emit_op_put_to_scope):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
+ (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal):
+ * runtime/Options.h:
+
+2018-01-28 Filip Pizlo
+
+ Global objects should be able to use TLCs to allocate from different blocks from each other
+ https://bugs.webkit.org/show_bug.cgi?id=182227
+
+ Reviewed by JF Bastien.
+
+ This uses TLCs to create at least `minimumDistanceBetweenCellsFromDifferenOrigins` bytes of
+ distance between objects from different origins, using the following combination of things. For
+ short lets refer to that constant as K.
+
+ - Since r227721, LargeAllocation puts K bytes padding at the end of each allocation.
+
+ - Since r227718, MarkedBlock puts at least K bytes in its footer.
+
+ - Since r227617, global objects can have their own TLCs, which make them allocate from a
+ different set of blocks than other global objects. The TLC of a global object comes into
+ effect when you enter the VM via that global object.
+
+ - With this change, TLCs and blocks both have security origins. A TLC will only use blocks that
+ share the same security origin or empty blocks (in which case we zero the block and change
+ its security origin).
+
+ WebCore determines the TLC-GlobalObject mapping. By default, global objects would simply use
+ the VM's default TLC. WebCore makes it so that DOM windows (but not worker global objects) get
+ a TLC based on their document's SecurityOrigin.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * heap/BlockDirectory.cpp:
+ (JSC::BlockDirectory::findBlockForAllocation):
+ (JSC::BlockDirectory::prepareForAllocation):
+ * heap/BlockDirectory.h:
+ * heap/LocalAllocator.cpp:
+ (JSC::LocalAllocator::LocalAllocator):
+ (JSC::LocalAllocator::reset):
+ (JSC::LocalAllocator::~LocalAllocator):
+ (JSC::LocalAllocator::allocateSlowCase):
+ (JSC::LocalAllocator::tryAllocateWithoutCollecting):
+ * heap/LocalAllocator.h:
+ (JSC::LocalAllocator::tlc const):
+ * heap/MarkStackMergingConstraint.cpp:
+ * heap/MarkStackMergingConstraint.h:
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::associateWithOrigin):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::Handle::securityOriginToken const):
+ * heap/SecurityOriginToken.cpp: Added.
+ (JSC::uniqueSecurityOriginToken):
+ * heap/SecurityOriginToken.h: Added.
+ * heap/ThreadLocalCache.cpp:
+ (JSC::ThreadLocalCache::create):
+ (JSC::ThreadLocalCache::ThreadLocalCache):
+ (JSC::ThreadLocalCache::allocateData):
+ (JSC::ThreadLocalCache::installSlow):
+ * heap/ThreadLocalCache.h:
+ (JSC::ThreadLocalCache::securityOriginToken const):
+ * heap/ThreadLocalCacheInlines.h:
+ (JSC::ThreadLocalCache::install):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ (JSC::JSGlobalObject::createThreadLocalCache):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::threadLocalCache):
+ (JSC::JSGlobalObject::threadLocalCache const): Deleted.
+ * runtime/VMEntryScope.cpp:
+ (JSC::VMEntryScope::VMEntryScope):
+ (JSC::VMEntryScope::~VMEntryScope):
+ * runtime/VMEntryScope.h:
+
+2018-02-05 Don Olmstead
+
+ JavaScriptCore files should not be included relatively
+ https://bugs.webkit.org/show_bug.cgi?id=182452
+
+ Reviewed by Keith Miller.
+
+ * API/JSCallbackConstructor.h:
+ * CMakeLists.txt:
+ * disassembler/ARM64Disassembler.cpp:
+ * disassembler/ARMv7Disassembler.cpp:
+ * heap/LockDuringMarking.h:
+ * inspector/InjectedScriptBase.h:
+ * inspector/InjectedScriptHost.h:
+ * inspector/JavaScriptCallFrame.h:
+ * inspector/ScriptArguments.h:
+ * inspector/ScriptDebugListener.h:
+ * inspector/ScriptDebugServer.h:
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorConsoleAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorHeapAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/agents/InspectorScriptProfilerAgent.h:
+ * runtime/RegExp.h:
+
+2018-02-05 Commit Queue
+
+ Unreviewed, rolling out r228012.
+ https://bugs.webkit.org/show_bug.cgi?id=182493
+
+ "It regressed ARES-6 by 2-4%" (Requested by saamyjoon on
+ #webkit).
+
+ Reverted changeset:
+
+ "[JSC] Clean up ArraySpeciesCreate"
+ https://bugs.webkit.org/show_bug.cgi?id=182434
+ https://trac.webkit.org/changeset/228012
+
+2018-02-02 Ryan Haddad
+
+ Rebaseline bindings generator tests after r228032.
+ https://bugs.webkit.org/show_bug.cgi?id=182445
+
+ Unreviewed test gardening.
+
+ * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
+
+2018-02-02 Saam Barati
+
+ Make various DFG_ASSERTs provide more data to WTFCrashWithInfo
+ https://bugs.webkit.org/show_bug.cgi?id=182453
+
+
+ Reviewed by JF Bastien and Mark Lam.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGArgumentsUtilities.cpp:
+ (JSC::DFG::emitCodeToGetArgumentsArrayLength):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupChecksInBlock):
+ * dfg/DFGFlowIndexing.h:
+ (JSC::DFG::FlowIndexing::shadowIndex const):
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGLoopPreHeaderCreationPhase.cpp:
+ (JSC::DFG::LoopPreHeaderCreationPhase::run):
+ * dfg/DFGPutStackSinkingPhase.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithAbs):
+ (JSC::DFG::SpeculativeJIT::compileArithRounding):
+ (JSC::DFG::SpeculativeJIT::compileToPrimitive):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStoreBarrierClusteringPhase.cpp:
+ * dfg/DFGStoreBarrierInsertionPhase.cpp:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithClz32):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithRound):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithFloor):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithCeil):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithTrunc):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutById):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+ (JSC::FTL::DFG::LowerDFGToB3::compileIn):
+ (JSC::FTL::DFG::LowerDFGToB3::compare):
+ (JSC::FTL::DFG::LowerDFGToB3::switchStringRecurse):
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
+ (JSC::FTL::DFG::LowerDFGToB3::lowCell):
+ (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
+ (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
+ (JSC::FTL::DFG::LowerDFGToB3::lowJSValue):
+
+2018-02-02 Don Olmstead
+
+ JS Builtins should include JavaScriptCore headers directly
+ https://bugs.webkit.org/show_bug.cgi?id=182445
+
+ Reviewed by Yusuke Suzuki.
+
+ * Scripts/builtins/builtins_generator.py:
+ * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
+
+2018-02-02 Saam Barati
+
+ When BytecodeParser inserts Unreachable after ForceOSRExit it needs to update ArgumentPositions for Flushes it inserts
+ https://bugs.webkit.org/show_bug.cgi?id=182368
+
+
+ Reviewed by Mark Lam.
+
+ When preserving liveness when inserting Unreachable nodes after ForceOSRExit,
+ we must add the VariableAccessData to the given argument position. Otherwise,
+ we may end up with a VariableAccessData that doesn't respect the shouldNeverUnbox bit.
+ If we end up with such a situation, it can lead to invalid IR after the
+ arguments elimination phase optimizes a GetByVal to a GetStack.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::flushImpl):
+ (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
+ (JSC::DFG::ByteCodeParser::flush):
+ (JSC::DFG::ByteCodeParser::flushForTerminal):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parse):
+
+2018-02-02 Mark Lam
+
+ More ARM64_32 fixes.
+ https://bugs.webkit.org/show_bug.cgi?id=182441
+
+
+ Reviewed by Dan Bernstein.
+
+ I also disabled more dynamicPoisoning code in ARM64_32. This code assumes a
+ 64-bit pointer which is not applicable here.
+
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitDynamicPoison):
+ (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType):
+ (JSC::AssemblyHelpers::emitDynamicPoisonOnType):
+
+2018-02-02 Saam Barati
+
+ MapHash should return true to doesGC in the DFG depending on useKind because it might resolve a rope
+ https://bugs.webkit.org/show_bug.cgi?id=182402
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+
+2018-02-02 Yusuke Suzuki
+
+ [JSC] Clean up ArraySpeciesCreate
+ https://bugs.webkit.org/show_bug.cgi?id=182434
+
+ Reviewed by Saam Barati.
+
+ We have duplicate code in filter, map, concatSlowPath.
+ This patch creates a new global private function @arraySpeciesCreate,
+ and use it.
+
+ * builtins/ArrayPrototype.js:
+ (globalPrivate.arraySpeciesCreate):
+ (filter):
+ (map):
+ (globalPrivate.concatSlowPath):
+
+2018-02-01 Mark Lam
+
+ Fix broken bounds check in FTL's compileGetMyArgumentByVal().
+ https://bugs.webkit.org/show_bug.cgi?id=182419
+
+
+ Reviewed by Saam Barati.
+
+ In compileGetMyArgumentByVal(), it computes:
+ limit = m_out.sub(limit, m_out.constInt32(m_node->numberOfArgumentsToSkip()));
+ ...
+ LValue isOutOfBounds = m_out.aboveOrEqual(originalIndex, limit); + + where the original "limit" is the number of arguments passed in by the caller. + If the original limit is less than numberOfArgumentsToSkip, the resultant limit + will be a large unsigned number. As a result, this will defeat the bounds check + that follows it. + + Note: later on in compileGetMyArgumentByVal(), we have to adjust adjust the index + value by adding numberOfArgumentsToSkip to it, in order to determine the actual + entry in the arguments array to get. + + The fix is to just add numberOfArgumentsToSkip to index upfront (instead of + subtracting it from limit), and doing an overflow speculation check on that + addition before doing the bounds check. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): + +2018-02-01 Keith Miller + + Fix crashes due to mishandling custom sections. + https://bugs.webkit.org/show_bug.cgi?id=182404 + + + Reviewed by Saam Barati. + + This also cleans up some of our validation code. We also + mistakenly, allowed unknown (different from custom sections with + id: 0) section ids. + + * wasm/WasmModuleParser.cpp: + (JSC::Wasm::ModuleParser::parse): + * wasm/WasmModuleParser.h: + * wasm/WasmSections.h: + (JSC::Wasm::isKnownSection): + (JSC::Wasm::decodeSection): + (JSC::Wasm::validateOrder): + (JSC::Wasm::makeString): + (JSC::Wasm::isValidSection): Deleted. + +2018-02-01 Michael Catanzaro + + -Wreturn-type warning in DFGObjectAllocationSinkingPhase.cpp + https://bugs.webkit.org/show_bug.cgi?id=182389 + + Reviewed by Yusuke Suzuki. + + Fix the warning. + + As a bonus, remove a couple unreachable breaks for good measure. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2018-02-01 Chris Dumez + + Queue a microtask when a waitUntil() promise is settled + https://bugs.webkit.org/show_bug.cgi?id=182372 + + + Reviewed by Mark Lam. + + Export a symbol so it can be used in WebCore. 
+ + * runtime/JSGlobalObject.h: + +2018-01-31 Don Olmstead + + [CMake] Make JavaScriptCore headers copies + https://bugs.webkit.org/show_bug.cgi?id=182303 + + Reviewed by Alex Christensen. + + * CMakeLists.txt: + * PlatformGTK.cmake: + * PlatformJSCOnly.cmake: + * PlatformMac.cmake: + * PlatformWPE.cmake: + * PlatformWin.cmake: + * shell/CMakeLists.txt: + * shell/PlatformWin.cmake: + +2018-01-31 Saam Barati + + Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm + https://bugs.webkit.org/show_bug.cgi?id=182064 + + + Reviewed by Geoffrey Garen. + + This patch switches WebAssembly Memory to always use bmalloc's + zeroed virtual allocation API. This makes it so that we don't + dirty the memory to zero it. It's a huge compile time speedup + on WasmBench on iOS. + + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::create): + (JSC::Wasm::Memory::~Memory): + (JSC::Wasm::Memory::addressIsInActiveFastMemory): + (JSC::Wasm::Memory::grow): + (JSC::Wasm::commitZeroPages): Deleted. + +2018-01-31 Mark Lam + + Build fix for CLoop after r227874. + https://bugs.webkit.org/show_bug.cgi?id=182155 + + + Not reviewed. + + Just needed support for lea of a LabelReference in cloop.rb (just like those + added for arm64.rb and x86.rb). + + * offlineasm/cloop.rb: + +2018-01-31 Keith Miller + + Canonicalize aquiring the JSCell lock. + https://bugs.webkit.org/show_bug.cgi?id=182320 + + Reviewed by Michael Saboff. + + It's currently kinda annoying to figure out where + we aquire the a JSCell's lock. This patch adds a + helper to make it easier to grep... 
+ + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::visitChildren): + (JSC::UnlinkedCodeBlock::setInstructions): + (JSC::UnlinkedCodeBlock::shrinkToFit): + * runtime/ErrorInstance.cpp: + (JSC::ErrorInstance::finishCreation): + (JSC::ErrorInstance::materializeErrorInfoIfNeeded): + (JSC::ErrorInstance::visitChildren): + * runtime/JSArray.cpp: + (JSC::JSArray::shiftCountWithArrayStorage): + (JSC::JSArray::unshiftCountWithArrayStorage): + * runtime/JSCell.h: + (JSC::JSCell::cellLock): + * runtime/JSObject.cpp: + (JSC::JSObject::visitButterflyImpl): + (JSC::JSObject::convertContiguousToArrayStorage): + * runtime/JSPropertyNameEnumerator.cpp: + (JSC::JSPropertyNameEnumerator::visitChildren): + * runtime/SparseArrayValueMap.cpp: + (JSC::SparseArrayValueMap::add): + (JSC::SparseArrayValueMap::remove): + (JSC::SparseArrayValueMap::visitChildren): + +2018-01-31 Saam Barati + + JSC incorrectly interpreting script, sets Global Property instead of Global Lexical variable (LiteralParser / JSONP path) + https://bugs.webkit.org/show_bug.cgi?id=182074 + + + Reviewed by Mark Lam. + + This patch teaches the JSONP evaluator about the global lexical environment. + Before, it was using the global object as the global scope, but that's wrong. + The global lexical environment is the first node in the global scope chain. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeProgram): + * jsc.cpp: + (GlobalObject::finishCreation): + (shellSupportsRichSourceInfo): + (functionDisableRichSourceInfo): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::tryJSONPParse): + * runtime/LiteralParser.h: + +2018-01-31 Saam Barati + + clean up pushToSaveImmediateWithoutTouchingRegisters a bit + https://bugs.webkit.org/show_bug.cgi?id=181774 + + Reviewed by JF Bastien. + + This function on ARM64 was considering what to do with the scratch + register. And conditionally invalidated what was in it. 
This is not + relevant though, since the function always recovers what was in that + register. This patch just switches it to using dataTempRegister + directly and updates the comment to describe why it can do so safely. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters): + +2018-01-30 Mark Lam + + Apply poisoning to TypedArray vector pointers. + https://bugs.webkit.org/show_bug.cgi?id=182155 + + + Reviewed by JF Bastien. + + The TypeArray's vector pointer is now poisoned. The poison value is chosen based + on a TypeArray's jsType. The JSType must be between FirstTypedArrayType and + LastTypedArrayType. At runtime, we enforce that the index is well-behaved by + masking it against TypedArrayPoisonIndexMask. TypedArrayPoisonIndexMask (16) is + the number of TypedArray types (10) rounded up to the next power of 2. + Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we + can use index masking on the index, and be guaranteed that the masked index will + be within bounds of the poisons array. + + 1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not + do any unnecessary work if the TypedArray vector is null. + + FTL's cagedMayBeNull() is no longer needed because it is only used by + compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning + in a TypedArray specific way. So, might as well do the work inline in + compileGetTypedArrayByteOffset() instead. + + 2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize() + because there's already a null check above it that ensures that sizeGPR is + never null. + + 3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the + loading of the vector for unpoisoning and uncaging. We don't need the vector + if the length is 0. + + Implementation notes on the need to null check the TypeArray vector: + + 1. 
DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a + m_poisonedVector null check because the function is a null check. + + 2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a + m_poisonedVector null check because it is followed by a call to + cageTypedArrayStorage() which assumes that storageReg cannot be null. + + 3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a + m_poisonedVector null check. + + 4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null + check because the poisoning code is preceded by a sizeGPR null check, which + ensures that the storageGPR (vector to be poisoned) is not null. + + 5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null + check because it is followed by a call to caged() which assumes that the + vector cannot be null. + + 6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check. + + 7. FTL's compileNewTypedArray() does not need a vector null check because the + poisoning code is preceded by a size null check, which ensures that the + storage (vector to be poisoned) is not null. + + 8. FTL's speculateTypedArrayIsNotNeutered() does not need a + m_poisonedVector null check because the function is a null check. + + 9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic + case needs a null check so that it does not try to unpoison a null vector. + + 10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because + we already do a length check even before loading the vector. + + 11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because + we already do a length check even before loading the vector. + + 12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because + we already do a length check even before loading the vector. + + 13. 
JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because + we already do a length check even before loading the vector. + + 14. LLInt's loadTypedArrayCaged() does not need a vector null check because its + client will do a TypedArray length check before calling it. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::checkArray): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasArrayMode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): + (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): + (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): + (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted. + * jit/IntrinsicEmitter.cpp: + (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitIntTypedArrayGetByVal): + (JSC::JIT::emitFloatTypedArrayGetByVal): + (JSC::JIT::emitIntTypedArrayPutByVal): + (JSC::JIT::emitFloatTypedArrayPutByVal): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/arm64.rb: + * offlineasm/x86.rb: + * runtime/CagedBarrierPtr.h: + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::JSArrayBufferView): + (JSC::JSArrayBufferView::finalize): + (JSC::JSArrayBufferView::neuter): + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::vector const): + (JSC::JSArrayBufferView::offsetOfPoisonedVector): + (JSC::JSArrayBufferView::poisonFor): + (JSC::JSArrayBufferView::Poison::key): + (JSC::JSArrayBufferView::offsetOfVector): Deleted. 
+ * runtime/JSCPoison.cpp: + (JSC::initializePoison): + * runtime/JSCPoison.h: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::estimatedSize): + (JSC::JSGenericTypedArrayView::visitChildren): + (JSC::JSGenericTypedArrayView::slowDownAndWasteMemory): + * runtime/JSObject.h: + +2018-01-30 Fujii Hironori + + [Win] Warning fix. + https://bugs.webkit.org/show_bug.cgi?id=177007 + + Reviewed by Yusuke Suzuki. + + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::Frame::dump const): + Changed the type of locationRawBits from unsigned to uintptr_t. + * runtime/IntlNumberFormat.cpp: + (JSC::IntlNumberFormat::createNumberFormat): + Initialize 'style' to avoid potentially uninitialized local variable warning. + +2018-01-29 Yusuke Suzuki + + [JSC] Implement trimStart and trimEnd + https://bugs.webkit.org/show_bug.cgi?id=182233 + + Reviewed by Mark Lam. + + String.prototype.{trimStart,trimEnd} are now stage 3[1]. + String.prototype.{trimLeft,trimRight} are alias to these functions. + + We rename these functions to trimStart and trimEnd, and put them as + trimLeft and trimRight too. + + [1]: https://tc39.github.io/proposal-string-left-right-trim/ + + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + (JSC::trimString): + (JSC::stringProtoFuncTrim): + (JSC::stringProtoFuncTrimStart): + (JSC::stringProtoFuncTrimEnd): + (JSC::stringProtoFuncTrimLeft): Deleted. + (JSC::stringProtoFuncTrimRight): Deleted. + +2018-01-29 Yusuke Suzuki + + [JSC] Relax line terminators in String to make JSON subset of JS + https://bugs.webkit.org/show_bug.cgi?id=182232 + + Reviewed by Keith Miller. + + "Subsume JSON" spec is now stage 3[1]. Before this spec change, + JSON can accept \u2028 / \u2029 in string while JS cannot do that. + It accidentally made JSON non subset of JS. + + Now we extend our JS string to accept \u2028 / \u2029 to make JSON + subset of JS in this spec change. 
+ + [1]: https://github.com/tc39/proposal-json-superset + + * parser/Lexer.cpp: + (JSC::Lexer::parseStringSlowCase): + +2018-01-29 Jiewen Tan + + [WebAuthN] Add a compile-time feature flag + https://bugs.webkit.org/show_bug.cgi?id=182211 + + + Reviewed by Brent Fulgham. + + * Configurations/FeatureDefines.xcconfig: + +2018-01-29 Michael Saboff + + REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode() + https://bugs.webkit.org/show_bug.cgi?id=182249 + + Reviewed by Keith Miller. + + Changed clobberize() handling of CompareEq, et al to properly handle comparisons between + Untyped and Object values when compared against built in types. Such comparisons can + invoke toNumber() or other methods. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2018-01-29 Matt Lewis + + Unreviewed, rolling out r227725. + + This caused internal failures. + + Reverted changeset: + + "JSC Sampling Profiler: Detect tester and testee when sampling + in RegExp JIT" + https://bugs.webkit.org/show_bug.cgi?id=152729 + https://trac.webkit.org/changeset/227725 + +2018-01-29 Yusuke Suzuki + + JSC Sampling Profiler: Detect tester and testee when sampling in RegExp JIT + https://bugs.webkit.org/show_bug.cgi?id=152729 + + Reviewed by Saam Barati. + + This patch extends SamplingProfiler to recognize JIT RegExp execution. We record + executing RegExp in VM so that SamplingProfiler can detect it. This is better + than the previous VM::isExecutingInRegExpJIT flag approach since + + 1. isExecutingInRegExpJIT is set after starting executing JIT RegExp code. Thus, + if we suspend the thread just before executing this flag, or just after clearing + this flag, SamplingProfiler gets invalid frame, and frame validation fails. We + should set such a flag before and after executing JIT RegExp code. + + 2. This removes VM dependency from YarrJIT which is not essential one. 
+ + We add ExecutionContext enum to RegExp::matchInline not to mark execution if it + is done in non JS thread. + + * bytecode/BytecodeDumper.cpp: + (JSC::regexpName): + (JSC::BytecodeDumper::dumpRegExps): + (JSC::regexpToSourceString): Deleted. + * heap/Heap.cpp: + (JSC::Heap::addCoreConstraints): + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + (JSC::RegExp::match): + (JSC::RegExp::matchConcurrently): + (JSC::RegExp::compileMatchOnly): + (JSC::RegExp::toSourceString const): + * runtime/RegExp.h: + * runtime/RegExpInlines.h: + (JSC::RegExp::matchInline): + * runtime/RegExpMatchesArray.h: + (JSC::createRegExpMatchesArray): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::SamplingProfiler): + (JSC::SamplingProfiler::timerLoop): + (JSC::SamplingProfiler::takeSample): + (JSC::SamplingProfiler::processUnverifiedStackTraces): + (JSC::SamplingProfiler::StackFrame::nameFromCallee): + (JSC::SamplingProfiler::StackFrame::displayName): + (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests): + (JSC::SamplingProfiler::StackFrame::functionStartLine): + (JSC::SamplingProfiler::StackFrame::functionStartColumn): + (JSC::SamplingProfiler::StackFrame::sourceID): + (JSC::SamplingProfiler::StackFrame::url): + (WTF::printInternal): + (JSC::SamplingProfiler::~SamplingProfiler): Deleted. + * runtime/SamplingProfiler.h: + * runtime/VM.h: + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generateEnter): + (JSC::Yarr::YarrGenerator::generateReturn): + (JSC::Yarr::YarrGenerator::YarrGenerator): + (JSC::Yarr::jitCompile): + * yarr/YarrJIT.h: + +2018-01-29 Yusuke Suzuki + + [DFG][FTL] WeakMap#set should have DFG node + https://bugs.webkit.org/show_bug.cgi?id=180015 + + Reviewed by Saam Barati. + + This patch adds WeakMapSet and WeakSetAdd DFG nodes to handle them efficiently in DFG and FTL. + We also define CSE rules for them. Now, WeakMapSet and WeakSetAdd can offer the results of + the subsequent WeakMapGet if CSE allows. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::addVarArgChild): + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + WeakMap operations do not cause GC. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileWeakSetAdd): + (JSC::DFG::SpeculativeJIT::compileWeakMapSet): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileWeakSetAdd): + (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapSet): + * jit/JITOperations.h: + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/WeakMapPrototype.cpp: + (JSC::WeakMapPrototype::finishCreation): + * runtime/WeakSetPrototype.cpp: + (JSC::WeakSetPrototype::finishCreation): + +2018-01-28 Filip Pizlo + + LargeAllocation should do the same distancing as MarkedBlock + https://bugs.webkit.org/show_bug.cgi?id=182226 + + Reviewed by Saam Barati. + + This makes LargeAllocation do the same exact distancing that MarkedBlock promises to do. + + To make that possible, this patch first makes MarkedBlock know exactly how much distancing it + is doing: + + - I've rationalized the payloadSize calculation. In particular, I made MarkedSpace use the + calculation done in MarkedBlock. MarkedSpace used to do the math a different way. 
This + keeps the old way just for a static_assert. + + - The promised amount of distancing is now codified in HeapCell.h as + minimumDistanceBetweenCellsFromDifferentOrigins. We assert that the footer size is at least + as big as this. I didn't want to just use footer size for this constant because then, if + you increased the size of the footer, you'd also add padding to every large allocation. + + Then this patch just adds minimumDistanceBetweenCellsFromDifferentOrigins to each large + allocation. It also zeroes that slice of memory to prevent any information leaks that way. + + This is perf neutral. Large allocations start out at ~8000 bytes. The amount of padding is + ~300 bytes. That's 3.75% space overhead for objects that are ~8000 bytes, zero overhead for + smaller objects, and diminishing overhead for larger objects. We allocate very few large + objects, so we shouldn't have any real space overhead from this. + + * heap/HeapCell.h: + * heap/LargeAllocation.cpp: + (JSC::LargeAllocation::tryCreate): + * heap/MarkedBlock.h: + * heap/MarkedSpace.h: + +2018-01-27 Filip Pizlo + + Make MarkedBlock::Footer bigger + https://bugs.webkit.org/show_bug.cgi?id=182220 + + Reviewed by JF Bastien. + + This makes the block footer larger by moving the newlyAllocated bits from the handle into + the footer. + + It used to be profitable to put anything we could into the handle because that would free up + payload space inside the block. But now that we want to use the footer for padding, it's + profitable to put GC state information - especially data that is used by the GC itself and so + is not useful for a Spectre attack - into the footer to increase object distancing. 
+ + * heap/CellContainer.cpp: + (JSC::CellContainer::isNewlyAllocated const): + * heap/IsoCellSet.cpp: + (JSC::IsoCellSet::sweepToFreeList): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::Handle): + (JSC::MarkedBlock::Footer::Footer): + (JSC::MarkedBlock::Handle::stopAllocating): + (JSC::MarkedBlock::Handle::lastChanceToFinalize): + (JSC::MarkedBlock::Handle::resumeAllocating): + (JSC::MarkedBlock::aboutToMarkSlow): + (JSC::MarkedBlock::resetAllocated): + (JSC::MarkedBlock::Handle::resetAllocated): Deleted. + * heap/MarkedBlock.h: + (JSC::MarkedBlock::newlyAllocatedVersion const): + (JSC::MarkedBlock::isNewlyAllocated): + (JSC::MarkedBlock::setNewlyAllocated): + (JSC::MarkedBlock::clearNewlyAllocated): + (JSC::MarkedBlock::newlyAllocated const): + (JSC::MarkedBlock::Handle::newlyAllocatedVersion const): Deleted. + (JSC::MarkedBlock::Handle::isNewlyAllocated): Deleted. + (JSC::MarkedBlock::Handle::setNewlyAllocated): Deleted. + (JSC::MarkedBlock::Handle::clearNewlyAllocated): Deleted. + (JSC::MarkedBlock::Handle::newlyAllocated const): Deleted. + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::isNewlyAllocatedStale const): + (JSC::MarkedBlock::hasAnyNewlyAllocated): + (JSC::MarkedBlock::Handle::isLive): + (JSC::MarkedBlock::Handle::specializedSweep): + (JSC::MarkedBlock::Handle::newlyAllocatedMode): + (JSC::MarkedBlock::Handle::isNewlyAllocatedStale const): Deleted. + (JSC::MarkedBlock::Handle::hasAnyNewlyAllocated): Deleted. + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::endMarking): + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::appendJSCellOrAuxiliary): + +2018-01-27 Filip Pizlo + + MarkedBlock should have a footer instead of a header + https://bugs.webkit.org/show_bug.cgi?id=182217 + + Reviewed by JF Bastien. + + This moves the MarkedBlock's meta-data from the header to the footer. This doesn't really + change anything except for some compile-time constants, so it should not affect performance. 
+ + This change is to help protect against Spectre attacks on structure checks, which allow for + small-offset out-of-bounds access. By putting the meta-data at the end of the block, small + OOBs will only get to other objects in the same block or the block footer. The block footer + is not super interesting. So, if we combine this with the TLC change (r227617), this means we + can use blocks as the mechanism of achieving distance between objects from different origins. + We just need to avoid ever putting objects from different origins in the same block. That's + what bug 181636 is about. + + * heap/BlockDirectory.cpp: + (JSC::blockHeaderSize): Deleted. + (JSC::BlockDirectory::blockSizeForBytes): Deleted. + * heap/BlockDirectory.h: + * heap/HeapUtil.h: + (JSC::HeapUtil::findGCObjectPointersForMarking): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::MarkedBlock): + (JSC::MarkedBlock::~MarkedBlock): + (JSC::MarkedBlock::Footer::Footer): + (JSC::MarkedBlock::Footer::~Footer): + (JSC::MarkedBlock::Handle::stopAllocating): + (JSC::MarkedBlock::Handle::lastChanceToFinalize): + (JSC::MarkedBlock::Handle::resumeAllocating): + (JSC::MarkedBlock::aboutToMarkSlow): + (JSC::MarkedBlock::resetMarks): + (JSC::MarkedBlock::assertMarksNotStale): + (JSC::MarkedBlock::Handle::didConsumeFreeList): + (JSC::MarkedBlock::markCount): + (JSC::MarkedBlock::clearHasAnyMarked): + (JSC::MarkedBlock::Handle::didAddToDirectory): + (JSC::MarkedBlock::Handle::didRemoveFromDirectory): + (JSC::MarkedBlock::Handle::sweep): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::markingVersion const): + (JSC::MarkedBlock::lock): + (JSC::MarkedBlock::subspace const): + (JSC::MarkedBlock::footer): + (JSC::MarkedBlock::footer const): + (JSC::MarkedBlock::handle): + (JSC::MarkedBlock::handle const): + (JSC::MarkedBlock::Handle::blockFooter): + (JSC::MarkedBlock::isAtomAligned): + (JSC::MarkedBlock::Handle::cellAlign): + (JSC::MarkedBlock::blockFor): + (JSC::MarkedBlock::vm const): + (JSC::MarkedBlock::weakSet): + 
(JSC::MarkedBlock::cellSize): + (JSC::MarkedBlock::attributes const): + (JSC::MarkedBlock::atomNumber): + (JSC::MarkedBlock::areMarksStale): + (JSC::MarkedBlock::aboutToMark): + (JSC::MarkedBlock::isMarkedRaw): + (JSC::MarkedBlock::isMarked): + (JSC::MarkedBlock::testAndSetMarked): + (JSC::MarkedBlock::marks const): + (JSC::MarkedBlock::isAtom): + (JSC::MarkedBlock::Handle::forEachCell): + (JSC::MarkedBlock::hasAnyMarked const): + (JSC::MarkedBlock::noteMarked): + (WTF::MarkedBlockHash::hash): + (JSC::MarkedBlock::firstAtom): Deleted. + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::marksConveyLivenessDuringMarking): + (JSC::MarkedBlock::Handle::isLive): + (JSC::MarkedBlock::Handle::specializedSweep): + (JSC::MarkedBlock::Handle::forEachLiveCell): + (JSC::MarkedBlock::Handle::forEachDeadCell): + (JSC::MarkedBlock::Handle::forEachMarkedCell): + * heap/MarkedSpace.cpp: + * heap/MarkedSpace.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2018-01-27 Yusuke Suzuki + + DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0' + https://bugs.webkit.org/show_bug.cgi?id=182213 + + Reviewed by Mark Lam. + + toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative. + As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses + this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string. + This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue. + + We also add a careful cast to avoid `-INT32_MIN`. It does not produce incorrect value in x86 in practice, + but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization. 
+ + * runtime/NumberPrototype.cpp: + (JSC::toStringWithRadixInternal): + +2018-01-26 Saam Barati + + Fix emitAllocateWithNonNullAllocator to work on arm + https://bugs.webkit.org/show_bug.cgi?id=182187 + + + Reviewed by Filip Pizlo. + + This patch unifies the x86 and ARM paths in emitAllocateWithNonNullAllocator + and makes it so that emitAllocateWithNonNullAllocator uses the macro scratch + register on ARM. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + +2018-01-26 Joseph Pecoraro + + Rebaselining builtin generator tests after r227685. + + Unreviewed. + + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result: + * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result: + * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result: + * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result: + It used to be that the builtins generator was minifying by default. That was an accident + and we now only minify on Release builds. 
The generator tests are now getting the + default unminified output behavior so they need to update their expectations + for some extra whitespace. + +2018-01-26 Mark Lam + + We should only append ParserArenaDeletable pointers to ParserArena::m_deletableObjects. + https://bugs.webkit.org/show_bug.cgi?id=182180 + + + Reviewed by Michael Saboff. + + Some parser Node subclasses extend ParserArenaDeletable via multiple inheritance, + but not as the Node's first base class. ParserArena::m_deletableObjects is + expecting pointers to objects of the shape of ParserArenaDeletable. We ensure + this by allocating the Node subclass, and casting it to ParserArenaDeletable to + get the correct pointer to append to ParserArena::m_deletableObjects. + + To simplify things, we introduce a JSC_MAKE_PARSER_ARENA_DELETABLE_ALLOCATED + (analogous to WTF_MAKE_FAST_ALLOCATED) for use in Node subclasses that extends + ParserArenaDeletable. + + * parser/NodeConstructors.h: + (JSC::ParserArenaDeletable::operator new): + * parser/Nodes.h: + * parser/ParserArena.h: + (JSC::ParserArena::allocateDeletable): + +2018-01-26 Joseph Pecoraro + + JavaScriptCore builtins should be partially minified in Release builds not Debug builds + https://bugs.webkit.org/show_bug.cgi?id=182165 + + Reviewed by Keith Miller. + + * Scripts/builtins/builtins_model.py: + (BuiltinFunction.fromString): + Apply minifications on Release builds instead of Debug builds. + Also eliminate leading whitespace. + +2018-01-26 Filip Pizlo + + Disable TLS-based TLCs + https://bugs.webkit.org/show_bug.cgi?id=182175 + + Reviewed by Saam Barati. + + Check for the new USE(FAST_TLS_FOR_TLC) flag instead of just ENABLE(FAST_TLS_JIT). 
+ + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::~BlockDirectory): + * heap/BlockDirectory.h: + * heap/ThreadLocalCache.cpp: + (JSC::ThreadLocalCache::installSlow): + (JSC::ThreadLocalCache::installData): + * heap/ThreadLocalCache.h: + * heap/ThreadLocalCacheInlines.h: + (JSC::ThreadLocalCache::getImpl): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + * runtime/VM.cpp: + (JSC::VM::~VM): + * runtime/VM.h: + +2018-01-25 Yusuke Suzuki + + imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/errorhandling.html crashes + https://bugs.webkit.org/show_bug.cgi?id=181980 + + Reviewed by Ryosuke Niwa. + + We accidentally failed to propagate errored promise in instantiate and satify phase if entry.{instantiate,satisfy} + promises are set. Since we just returned `entry`, it becomes succeeded promise even if the dependent fetch, instantiate, + and satisfy promises are failed. This patch fixes error propagation by returning `entry.instantiate` and `entry.satisfy` + correctly. + + * builtins/ModuleLoaderPrototype.js: + (requestInstantiate): + (requestSatisfy): + +2018-01-25 Mark Lam + + Gardening: fix 32-bit build after r227643. + https://bugs.webkit.org/show_bug.cgi?id=182086 + + Not reviewed. + + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): + +2018-01-24 Filip Pizlo + + DirectArguments should protect itself using dynamic poisoning and precise index masking + https://bugs.webkit.org/show_bug.cgi?id=182086 + + Reviewed by Saam Barati. + + This implements dynamic poisoning and precise index masking in DirectArguments, using the + helpers from and helpers in AssemblyHelpers and FTL::LowerDFGToB3. + + We use dynamic poisoning for DirectArguments since this object did not have any additional + indirection inside it that could have been poisoned. So, we use the xor of the expected type + and the actual type as an additional input into the pointer. 
+ + We use precise index masking for bounds checks, because it's not worth doing index masking + unless we know that precise index masking is too slow. + + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::lshiftPtr): + (JSC::MacroAssembler::rshiftPtr): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): + (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask64): + (JSC::FTL::DFG::LowerDFGToB3::preciseIndexMask32): + (JSC::FTL::DFG::LowerDFGToB3::dynamicPoison): + (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnLoadedType): + (JSC::FTL::DFG::LowerDFGToB3::dynamicPoisonOnType): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitPreciseIndexMask32): + (JSC::AssemblyHelpers::emitDynamicPoison): + (JSC::AssemblyHelpers::emitDynamicPoisonOnLoadedType): + (JSC::AssemblyHelpers::emitDynamicPoisonOnType): + * jit/AssemblyHelpers.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitDirectArgumentsGetByVal): + * runtime/DirectArguments.h: + (JSC::DirectArguments::getIndexQuickly const): + (JSC::DirectArguments::setIndexQuickly): + (JSC::DirectArguments::argument): + * runtime/GenericArgumentsInlines.h: + +2018-01-25 Mark Lam + + Rename some local vars from type to typedArrayType for greater clarity. + https://bugs.webkit.org/show_bug.cgi?id=182148 + + + Reviewed by Saam Barati. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + +2018-01-25 Filip Pizlo + + JSC GC should support TLCs (thread local caches) + https://bugs.webkit.org/show_bug.cgi?id=181559 + + Reviewed by Mark Lam and Saam Barati. + + This is a big step towards object distancing by site origin. This patch implements TLCs, or + thread-local caches, which allow each thread to allocate from its own free lists. 
It also + means that any given thread can context-switch TLCs. This will allow us to do separate + allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this + will allow us to have a hard distancing constraint between objects from different origins. + + In this new design, every "size class" is represented as a BlockDirectory (formerly known as + MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some + aligned memory allocator (which roughly represents which cage you came out of), and anyone + using the same allocator can share those blocks - but so long as they are in that + BlockDirectory, they will have the size and type of that directory. Previously, each + BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of + LocalAllocators, each of which has a FreeList. + + To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a + BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply + call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation + starts by figuring out what Allocator it wants (often we have this information at JIT time). + Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the + Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use + offsets as opposed to indices to make it easy to do the math on each allocation (if + LocalAllocator had a weird size then every allocation would have to do an imul). + + This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on + unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane + geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is + something there, but it's not significant according to our threshold). 
+ + Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That + function needs to be careful to avoid using the scratch register because the FTL will call it + in disallow-scratch-register mode. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * b3/B3LowerToAir.cpp: + * b3/B3PatchpointSpecial.cpp: + (JSC::B3::PatchpointSpecial::admitsStack): + * b3/B3StackmapSpecial.cpp: + (JSC::B3::StackmapSpecial::forEachArgImpl): + (JSC::B3::StackmapSpecial::isArgValidForRep): + * b3/B3StackmapValue.cpp: + (JSC::B3::StackmapValue::appendSomeRegisterWithClobber): + * b3/B3StackmapValue.h: + * b3/B3Validate.cpp: + * b3/B3ValueRep.cpp: + (JSC::B3::ValueRep::addUsedRegistersTo const): + (JSC::B3::ValueRep::dump const): + (WTF::printInternal): + * b3/B3ValueRep.h: + (JSC::B3::ValueRep::ValueRep): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/ObjectAllocationProfile.h: + (JSC::ObjectAllocationProfile::ObjectAllocationProfile): + (JSC::ObjectAllocationProfile::clear): + * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfile::initializeProfile): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + (JSC::DFG::SpeculativeJIT::compileMakeRope): + (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileCreateThis): + (JSC::DFG::SpeculativeJIT::compileNewObject): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): + (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): + (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): + (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): + (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): + (JSC::FTL::DFG::LowerDFGToB3::allocateObject): + 
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): + (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject): + (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell): + * heap/Allocator.cpp: Added. + (JSC::Allocator::cellSize const): + * heap/Allocator.h: Added. + (JSC::Allocator::Allocator): + (JSC::Allocator::offset const): + (JSC::Allocator::operator== const): + (JSC::Allocator::operator!= const): + (JSC::Allocator::operator bool const): + * heap/AllocatorInlines.h: Added. + (JSC::Allocator::allocate const): + (JSC::Allocator::tryAllocate const): + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::BlockDirectory): + (JSC::BlockDirectory::findBlockForAllocation): + (JSC::BlockDirectory::stopAllocating): + (JSC::BlockDirectory::prepareForAllocation): + (JSC::BlockDirectory::stopAllocatingForGood): + (JSC::BlockDirectory::resumeAllocating): + (JSC::BlockDirectory::endMarking): + (JSC::BlockDirectory::isFreeListedCell): + (JSC::BlockDirectory::didConsumeFreeList): Deleted. + (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted. + (JSC::BlockDirectory::allocateIn): Deleted. + (JSC::BlockDirectory::tryAllocateIn): Deleted. + (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted. + (JSC::BlockDirectory::allocateSlowCase): Deleted. + * heap/BlockDirectory.h: + (JSC::BlockDirectory::cellKind const): + (JSC::BlockDirectory::allocator const): + (JSC::BlockDirectory::freeList const): Deleted. + (JSC::BlockDirectory::offsetOfFreeList): Deleted. + (JSC::BlockDirectory::offsetOfCellSize): Deleted. + * heap/BlockDirectoryInlines.h: + (JSC::BlockDirectory::isFreeListedCell const): Deleted. + (JSC::BlockDirectory::allocate): Deleted. 
+ * heap/CompleteSubspace.cpp: + (JSC::CompleteSubspace::CompleteSubspace): + (JSC::CompleteSubspace::allocatorFor): + (JSC::CompleteSubspace::allocate): + (JSC::CompleteSubspace::allocateNonVirtual): + (JSC::CompleteSubspace::allocatorForSlow): + (JSC::CompleteSubspace::allocateSlow): + (JSC::CompleteSubspace::tryAllocateSlow): + * heap/CompleteSubspace.h: + (JSC::CompleteSubspace::allocatorForSizeStep): + (JSC::CompleteSubspace::allocatorForNonVirtual): + * heap/FreeList.h: + * heap/GCDeferralContext.h: + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::lastChanceToFinalize): + * heap/Heap.h: + (JSC::Heap::threadLocalCacheLayout): + * heap/IsoCellSet.h: + * heap/IsoSubspace.cpp: + (JSC::IsoSubspace::IsoSubspace): + (JSC::IsoSubspace::allocatorFor): + (JSC::IsoSubspace::allocate): + (JSC::IsoSubspace::allocateNonVirtual): + * heap/IsoSubspace.h: + (JSC::IsoSubspace::allocatorForNonVirtual): + * heap/LocalAllocator.cpp: Added. + (JSC::LocalAllocator::LocalAllocator): + (JSC::LocalAllocator::reset): + (JSC::LocalAllocator::~LocalAllocator): + (JSC::LocalAllocator::stopAllocating): + (JSC::LocalAllocator::resumeAllocating): + (JSC::LocalAllocator::prepareForAllocation): + (JSC::LocalAllocator::stopAllocatingForGood): + (JSC::LocalAllocator::allocateSlowCase): + (JSC::LocalAllocator::didConsumeFreeList): + (JSC::LocalAllocator::tryAllocateWithoutCollecting): + (JSC::LocalAllocator::allocateIn): + (JSC::LocalAllocator::tryAllocateIn): + (JSC::LocalAllocator::doTestCollectionsIfNeeded): + (JSC::LocalAllocator::isFreeListedCell const): + * heap/LocalAllocator.h: Added. + (JSC::LocalAllocator::offsetOfFreeList): + (JSC::LocalAllocator::offsetOfCellSize): + * heap/LocalAllocatorInlines.h: Added. + (JSC::LocalAllocator::allocate): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::stopAllocatingForGood): + * heap/MarkedSpace.h: + * heap/SlotVisitor.cpp: + * heap/SlotVisitor.h: + * heap/Subspace.h: + * heap/ThreadLocalCache.cpp: Added. 
+ (JSC::ThreadLocalCache::create): + (JSC::ThreadLocalCache::ThreadLocalCache): + (JSC::ThreadLocalCache::~ThreadLocalCache): + (JSC::ThreadLocalCache::allocateData): + (JSC::ThreadLocalCache::destroyData): + (JSC::ThreadLocalCache::installSlow): + (JSC::ThreadLocalCache::installData): + (JSC::ThreadLocalCache::allocatorSlow): + (JSC::ThreadLocalCache::destructor): + * heap/ThreadLocalCache.h: Added. + (JSC::ThreadLocalCache::offsetOfSize): + (JSC::ThreadLocalCache::offsetOfFirstAllocator): + * heap/ThreadLocalCacheInlines.h: Added. + (JSC::ThreadLocalCache::getImpl): + (JSC::ThreadLocalCache::get): + (JSC::ThreadLocalCache::install): + (JSC::ThreadLocalCache::allocator): + (JSC::ThreadLocalCache::tryGetAllocator): + * heap/ThreadLocalCacheLayout.cpp: Added. + (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout): + (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout): + (JSC::ThreadLocalCacheLayout::allocateOffset): + (JSC::ThreadLocalCacheLayout::snapshot): + (JSC::ThreadLocalCacheLayout::directory): + * heap/ThreadLocalCacheLayout.h: Added. + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + (JSC::AssemblyHelpers::emitAllocate): + (JSC::AssemblyHelpers::emitAllocateVariableSized): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::vm): + (JSC::AssemblyHelpers::emitAllocateJSCell): + (JSC::AssemblyHelpers::emitAllocateJSObject): + (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize): + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted. + (JSC::AssemblyHelpers::emitAllocate): Deleted. + (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted. 
+ * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_new_object): + (JSC::JIT::emit_op_create_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_new_object): + (JSC::JIT::emit_op_create_this): + * runtime/ButterflyInlines.h: + (JSC::Butterfly::createUninitialized): + (JSC::Butterfly::tryCreate): + (JSC::Butterfly::growArrayRight): + * runtime/DirectArguments.cpp: + (JSC::DirectArguments::overrideThings): + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::initModifiedArgumentsDescriptor): + * runtime/HashMapImpl.h: + (JSC::HashMapBuffer::create): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + (JSC::JSArray::unshiftCountSlowCase): + * runtime/JSArray.h: + (JSC::JSArray::tryCreate): + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): + * runtime/JSCellInlines.h: + (JSC::tryAllocateCellHelper): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::threadLocalCache const): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + * runtime/Options.h: + * runtime/RegExpMatchesArray.h: + (JSC::tryCreateUninitializedRegExpMatchesArray): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + +2018-01-25 Commit Queue + + Unreviewed, rolling out r227592. + https://bugs.webkit.org/show_bug.cgi?id=182110 + + it made ARM64 (Linux and iOS) crash (Requested by pizlo-mbp on + #webkit). + + Reverted changeset: + + "JSC GC should support TLCs (thread local caches)" + https://bugs.webkit.org/show_bug.cgi?id=181559 + https://trac.webkit.org/changeset/227592 + +2018-01-25 Alejandro G. Castro + + undefined reference to 'JSC::B3::BasicBlock::fallThrough() const + https://bugs.webkit.org/show_bug.cgi?id=180637 + + Reviewed by Michael Catanzaro. 
+ + We need to make sure the implementation of the inline functions is + compiled when we compile the code using the function, now that the + compilation is divided, or we could end up with undefined symbols + when the declaration is not inlined, at least with some compilers + and optimizations enabled -O2. + + * b3/B3SwitchValue.cpp: replace the include. + +2018-01-20 Filip Pizlo + + JSC GC should support TLCs (thread local caches) + https://bugs.webkit.org/show_bug.cgi?id=181559 + + Reviewed by Mark Lam and Saam Barati. + + This is a big step towards object distancing by site origin. This patch implements TLCs, or + thread-local caches, which allow each thread to allocate from its own free lists. It also + means that any given thread can context-switch TLCs. This will allow us to do separate + allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this + will allow us to have a hard distancing constraint between objects from different origins. + + In this new design, every "size class" is represented as a BlockDirectory (formerly known as + MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some + aligned memory allocator (which roughly represents which cage you came out of), and anyone + using the same allocator can share those blocks - but so long as they are in that + BlockDirectory, they will have the size and type of that directory. Previously, each + BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of + LocalAllocators, each of which has a FreeList. + + To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a + BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply + call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation + starts by figuring out what Allocator it wants (often we have this information at JIT time). 
+ Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the + Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use + offsets as opposed to indices to make it easy to do the math on each allocation (if + LocalAllocator had a weird size then every allocation would have to do an imul). + + This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on + unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane + geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is + something there, but it's not significant according to our threshold). + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * b3/B3LowerToAir.cpp: + * b3/B3PatchpointSpecial.cpp: + (JSC::B3::PatchpointSpecial::admitsStack): + * b3/B3StackmapSpecial.cpp: + (JSC::B3::StackmapSpecial::forEachArgImpl): + (JSC::B3::StackmapSpecial::isArgValidForRep): + * b3/B3StackmapValue.cpp: + (JSC::B3::StackmapValue::appendSomeRegisterWithClobber): + * b3/B3StackmapValue.h: + * b3/B3Validate.cpp: + * b3/B3ValueRep.cpp: + (JSC::B3::ValueRep::addUsedRegistersTo const): + (JSC::B3::ValueRep::dump const): + (WTF::printInternal): + * b3/B3ValueRep.h: + (JSC::B3::ValueRep::ValueRep): + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/ObjectAllocationProfile.h: + (JSC::ObjectAllocationProfile::ObjectAllocationProfile): + (JSC::ObjectAllocationProfile::clear): + * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfile::initializeProfile): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + (JSC::DFG::SpeculativeJIT::compileMakeRope): + (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileCreateThis): + (JSC::DFG::SpeculativeJIT::compileNewObject): + * 
dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): + (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): + (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): + (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): + (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): + (JSC::FTL::DFG::LowerDFGToB3::allocateObject): + (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): + (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject): + (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell): + * heap/Allocator.cpp: Added. + (JSC::Allocator::cellSize const): + * heap/Allocator.h: Added. + (JSC::Allocator::Allocator): + (JSC::Allocator::offset const): + (JSC::Allocator::operator== const): + (JSC::Allocator::operator!= const): + (JSC::Allocator::operator bool const): + * heap/AllocatorInlines.h: Added. + (JSC::Allocator::allocate const): + (JSC::Allocator::tryAllocate const): + * heap/BlockDirectory.cpp: + (JSC::BlockDirectory::BlockDirectory): + (JSC::BlockDirectory::findBlockForAllocation): + (JSC::BlockDirectory::stopAllocating): + (JSC::BlockDirectory::prepareForAllocation): + (JSC::BlockDirectory::stopAllocatingForGood): + (JSC::BlockDirectory::resumeAllocating): + (JSC::BlockDirectory::endMarking): + (JSC::BlockDirectory::isFreeListedCell): + (JSC::BlockDirectory::didConsumeFreeList): Deleted. + (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted. + (JSC::BlockDirectory::allocateIn): Deleted. + (JSC::BlockDirectory::tryAllocateIn): Deleted. + (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted. + (JSC::BlockDirectory::allocateSlowCase): Deleted. + * heap/BlockDirectory.h: + (JSC::BlockDirectory::cellKind const): + (JSC::BlockDirectory::allocator const): + (JSC::BlockDirectory::freeList const): Deleted. + (JSC::BlockDirectory::offsetOfFreeList): Deleted. 
+ (JSC::BlockDirectory::offsetOfCellSize): Deleted. + * heap/BlockDirectoryInlines.h: + (JSC::BlockDirectory::isFreeListedCell const): Deleted. + (JSC::BlockDirectory::allocate): Deleted. + * heap/CompleteSubspace.cpp: + (JSC::CompleteSubspace::CompleteSubspace): + (JSC::CompleteSubspace::allocatorFor): + (JSC::CompleteSubspace::allocate): + (JSC::CompleteSubspace::allocateNonVirtual): + (JSC::CompleteSubspace::allocatorForSlow): + (JSC::CompleteSubspace::allocateSlow): + (JSC::CompleteSubspace::tryAllocateSlow): + * heap/CompleteSubspace.h: + (JSC::CompleteSubspace::allocatorForSizeStep): + (JSC::CompleteSubspace::allocatorForNonVirtual): + * heap/FreeList.h: + * heap/GCDeferralContext.h: + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::lastChanceToFinalize): + * heap/Heap.h: + (JSC::Heap::threadLocalCacheLayout): + * heap/IsoCellSet.h: + * heap/IsoSubspace.cpp: + (JSC::IsoSubspace::IsoSubspace): + (JSC::IsoSubspace::allocatorFor): + (JSC::IsoSubspace::allocate): + (JSC::IsoSubspace::allocateNonVirtual): + * heap/IsoSubspace.h: + (JSC::IsoSubspace::allocatorForNonVirtual): + * heap/LocalAllocator.cpp: Added. + (JSC::LocalAllocator::LocalAllocator): + (JSC::LocalAllocator::reset): + (JSC::LocalAllocator::~LocalAllocator): + (JSC::LocalAllocator::stopAllocating): + (JSC::LocalAllocator::resumeAllocating): + (JSC::LocalAllocator::prepareForAllocation): + (JSC::LocalAllocator::stopAllocatingForGood): + (JSC::LocalAllocator::allocateSlowCase): + (JSC::LocalAllocator::didConsumeFreeList): + (JSC::LocalAllocator::tryAllocateWithoutCollecting): + (JSC::LocalAllocator::allocateIn): + (JSC::LocalAllocator::tryAllocateIn): + (JSC::LocalAllocator::doTestCollectionsIfNeeded): + (JSC::LocalAllocator::isFreeListedCell const): + * heap/LocalAllocator.h: Added. + (JSC::LocalAllocator::offsetOfFreeList): + (JSC::LocalAllocator::offsetOfCellSize): + * heap/LocalAllocatorInlines.h: Added. 
+ (JSC::LocalAllocator::allocate): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::stopAllocatingForGood): + * heap/MarkedSpace.h: + * heap/SlotVisitor.cpp: + * heap/SlotVisitor.h: + * heap/Subspace.h: + * heap/ThreadLocalCache.cpp: Added. + (JSC::ThreadLocalCache::create): + (JSC::ThreadLocalCache::ThreadLocalCache): + (JSC::ThreadLocalCache::~ThreadLocalCache): + (JSC::ThreadLocalCache::allocateData): + (JSC::ThreadLocalCache::destroyData): + (JSC::ThreadLocalCache::installSlow): + (JSC::ThreadLocalCache::installData): + (JSC::ThreadLocalCache::allocatorSlow): + (JSC::ThreadLocalCache::destructor): + * heap/ThreadLocalCache.h: Added. + (JSC::ThreadLocalCache::offsetOfSize): + (JSC::ThreadLocalCache::offsetOfFirstAllocator): + * heap/ThreadLocalCacheInlines.h: Added. + (JSC::ThreadLocalCache::getImpl): + (JSC::ThreadLocalCache::get): + (JSC::ThreadLocalCache::install): + (JSC::ThreadLocalCache::allocator): + (JSC::ThreadLocalCache::tryGetAllocator): + * heap/ThreadLocalCacheLayout.cpp: Added. + (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout): + (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout): + (JSC::ThreadLocalCacheLayout::allocateOffset): + (JSC::ThreadLocalCacheLayout::snapshot): + (JSC::ThreadLocalCacheLayout::directory): + * heap/ThreadLocalCacheLayout.h: Added. + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): + (JSC::AssemblyHelpers::emitAllocate): + (JSC::AssemblyHelpers::emitAllocateVariableSized): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::vm): + (JSC::AssemblyHelpers::emitAllocateJSCell): + (JSC::AssemblyHelpers::emitAllocateJSObject): + (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize): + (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted. + (JSC::AssemblyHelpers::emitAllocate): Deleted. + (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted. 
+ * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_new_object): + (JSC::JIT::emit_op_create_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_new_object): + (JSC::JIT::emit_op_create_this): + * runtime/ButterflyInlines.h: + (JSC::Butterfly::createUninitialized): + (JSC::Butterfly::tryCreate): + (JSC::Butterfly::growArrayRight): + * runtime/DirectArguments.cpp: + (JSC::DirectArguments::overrideThings): + * runtime/GenericArgumentsInlines.h: + (JSC::GenericArguments::initModifiedArgumentsDescriptor): + * runtime/HashMapImpl.h: + (JSC::HashMapBuffer::create): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + (JSC::JSArray::unshiftCountSlowCase): + * runtime/JSArray.h: + (JSC::JSArray::tryCreate): + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): + * runtime/JSCellInlines.h: + (JSC::tryAllocateCellHelper): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::threadLocalCache const): + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + * runtime/Options.h: + * runtime/RegExpMatchesArray.h: + (JSC::tryCreateUninitializedRegExpMatchesArray): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + +2018-01-24 Joseph Pecoraro + + Web Inspector: Simplify update-LegacyInspectorBackendCommands.rb + https://bugs.webkit.org/show_bug.cgi?id=182067 + + Reviewed by Brian Burg. + + * inspector/scripts/codegen/models.py: + (Framework.fromString): + (Frameworks): + * inspector/scripts/generate-inspector-protocol-bindings.py: + (generate_from_specification): + Allow framework WebInspectorUI to generate just the backend commands files. + +2018-01-23 Mark Lam + + Update Poisoned pointers to take a Poison class instead of a uintptr_t&. + https://bugs.webkit.org/show_bug.cgi?id=182017 + + + Reviewed by Filip Pizlo and JF Bastien. + + Removed the POISON() macro. 
Now that we have Poison types, we can just use the + the Poison type instead and make the code a bit nicer to read. + + * API/JSAPIWrapperObject.h: + * API/JSCallbackFunction.h: + * API/JSCallbackObject.h: + * b3/B3LowerMacros.cpp: + * b3/testb3.cpp: + (JSC::B3::testInterpreter): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::instructions): + (JSC::CodeBlock::instructions const): + * dfg/DFGOSRExitCompilerCommon.h: + (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCheckSubClass): + (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + * jit/JIT.h: + * jit/ThunkGenerators.cpp: + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + (JSC::boundThisNoArgsFunctionCallGenerator): + * parser/UnlinkedSourceCode.h: + * runtime/ArrayPrototype.h: + * runtime/CustomGetterSetter.h: + * runtime/DateInstance.h: + * runtime/InternalFunction.h: + * runtime/JSArrayBuffer.h: + * runtime/JSCPoison.cpp: + (JSC::initializePoison): + * runtime/JSCPoison.h: + * runtime/JSGlobalObject.h: + * runtime/JSScriptFetchParameters.h: + * runtime/JSScriptFetcher.h: + * runtime/NativeExecutable.h: + * runtime/StructureTransitionTable.h: + * runtime/WriteBarrier.h: + (JSC::WriteBarrier::poison): Deleted. 
+ * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyInstance.h: + (JSC::JSWebAssemblyInstance::poison): + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/JSWebAssemblyTable.h: + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyFunctionBase.h: + * wasm/js/WebAssemblyModuleRecord.h: + * wasm/js/WebAssemblyToJSCallee.h: + * wasm/js/WebAssemblyWrapperFunction.h: + +2018-01-23 Yusuke Suzuki + + Unreviewed, suppress GCC warnings + https://bugs.webkit.org/show_bug.cgi?id=181976 + + * runtime/TypedArrayType.h: + +2018-01-23 Yusuke Suzuki + + [YARR] Add diagnosis for YarrJIT failures + https://bugs.webkit.org/show_bug.cgi?id=181927 + + Reviewed by Sam Weinig. + + It is nice if we can see the reason why YarrJIT fails to compile a given pattern. + This patch introduces Yarr::JITFailureReason and dumps messages if Options::dumpCompiledRegExpPatterns is specified. + + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::generateTerm): + (JSC::Yarr::YarrGenerator::backtrackTerm): + (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern): + (JSC::Yarr::YarrGenerator::YarrGenerator): + (JSC::Yarr::YarrGenerator::compile): + (JSC::Yarr::dumpCompileFailure): + (JSC::Yarr::jitCompile): + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::setFallBack): + (JSC::Yarr::YarrCodeBlock::fallBack): + (JSC::Yarr::YarrCodeBlock::clear): + (JSC::Yarr::YarrCodeBlock::YarrCodeBlock): Deleted. + (JSC::Yarr::YarrCodeBlock::~YarrCodeBlock): Deleted. + (JSC::Yarr::YarrCodeBlock::isFallBack): Deleted. 
+ +2018-01-23 Alex Christensen + + Remove pre-Sierra-OS-specific code in WTF and JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=182028 + + Reviewed by Keith Miller. + + * inspector/remote/cocoa/RemoteInspectorXPCConnection.h: + * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: + (Inspector::RemoteInspectorXPCConnection::handleEvent): + +2018-01-23 Filip Pizlo + + Use precise index masking for FTL GetByArgumentByVal + https://bugs.webkit.org/show_bug.cgi?id=182006 + + Reviewed by Keith Miller. + + This protects speculative out-of-bounds on arguments[index]. + + Making this work right involved fixing a possible overflow situation with + numberOfArgumentsToSkip. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasNumberOfArgumentsToSkip): + (JSC::DFG::Node::numberOfArgumentsToSkip): + * dfg/DFGStackLayoutPhase.cpp: + (JSC::DFG::StackLayoutPhase::run): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): + +2018-01-23 David Kilzer + + Follow-up for: oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found + + + + Address feedback for this change. + + * CMakeLists.txt: Change "SYSTEM PUBLIC" to "SYSTEM PRIVATE" per + feedback from Konstantin Tokarev. + +2018-01-23 Robin Morisset + + Rollout r219636 + https://bugs.webkit.org/show_bug.cgi?id=181997 + + + Unreviewed, as it is a rollout. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + * runtime/JSArray.cpp: + (JSC::JSArray::tryCreateUninitializedRestricted): + * runtime/JSArray.h: + (JSC::JSArray::tryCreate): + * runtime/JSObject.cpp: + (JSC::JSObject::ensureLengthSlow): + +2018-01-23 Mark Lam + + Re-arrange TypedArray JSTypes to match the order of the TypedArrayType enum list. + https://bugs.webkit.org/show_bug.cgi?id=181976 + + + Reviewed by Filip Pizlo. + + 1. 
The order of TypedArray JSTypes now matches the order the TypedArrayType enum + list. I also added static asserts in TypedArrayType.h to enforce this. + + Also redefined FOR_EACH_TYPED_ARRAY_TYPE() in terms of + + 2. Define 4 new values: + a. FirstTypedArrayType + b. LastTypedArrayType + c. NumberOfTypedArrayTypesExcludingDataView + d. NumberOfTypedArrayTypes + + Use these everywhere where we iterate or bisect the TypedArray JSTypes. + + 3. Removed NUMBER_OF_TYPED_ARRAY_TYPES, and use NumberOfTypedArrayTypes instead. + + 4. Simplify the code that converts between TypedArrayType and JSType. + + Changed typedArrayTypeForType() to be the mirror image of typeForTypedArrayType(). + Previously, typedArrayTypeForType() converts DataViewType to NotTypedArray + instead of TypeDataView. Now, it converts to TypeDataView. + + This does not result in any change of behavior because typedArrayTypeForType() + is only called in Structure::hasIndexingHeader(), and its result is passed to + isTypedView(), which handles TypeDataView correctly. + + 5. Also fixed a bug in SpeculativeJIT::compileGetTypedArrayByteOffset(). + If the vector is null, we can skip the rest of the checks. While the current + code does not result in incorrect behavior, it is inefficient, and communicates + wrong information to the reader i.e. implying that there's something in the + dataGPR when there's not. The dataGPR should also be null in this case. 
+ + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView): + (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView): + * ftl/FTLOSRExit.cpp: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::visitChildren): + * runtime/JSType.h: + * runtime/TypedArrayType.cpp: + (JSC::typeForTypedArrayType): Deleted. + * runtime/TypedArrayType.h: + (JSC::typedArrayTypeForType): + (JSC::typeForTypedArrayType): + +2018-01-23 Filip Pizlo + + DFG should always flush `this` + https://bugs.webkit.org/show_bug.cgi?id=181999 + + Reviewed by Saam Barati and Mark Lam. + + This is going to make it possible to use precise index masking for arguments-on-the-stack + accesses with an index adjusted so that 0 is this. Without this change, we would have no way + of masking when the argument count is 0, unless we padded the argument area so that there was + always an argument slot after `this` and it was always initialized. + + This is neutral on all benchmarks. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::flushImpl): + (JSC::DFG::ByteCodeParser::flushForTerminalImpl): + (JSC::DFG::ByteCodeParser::flush): + (JSC::DFG::ByteCodeParser::flushForTerminal): + (JSC::DFG::ByteCodeParser::parse): + (JSC::DFG::flushImpl): Deleted. + (JSC::DFG::flushForTerminalImpl): Deleted. + * dfg/DFGPreciseLocalClobberize.h: + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + +2018-01-23 Filip Pizlo + + JSC should use a speculation fence on VM entry/exit + https://bugs.webkit.org/show_bug.cgi?id=181991 + + Reviewed by JF Bastien and Mark Lam. + + This adds a WTF::speculationFence on VM entry and exit. 
+ + For a microbenchmark that just calls a native function (supplied via an Objective-C block) in a + tight loop from JS is a 0% regression on x86 and a 11% regression on ARM64. + + * runtime/JSLock.cpp: + (JSC::JSLock::didAcquireLock): + (JSC::JSLock::willReleaseLock): + +2018-01-23 Yusuke Suzuki + + [JSC] JIT requires sizeof(bool) == 1 + https://bugs.webkit.org/show_bug.cgi?id=181150 + + Reviewed by Saam Barati. + + LLInt and JIT assumes that sizeof(bool) == 1. But it is implementation-dependent in C++ spec. + Since this is a mandatory requirement in JSC, we add a static_assert to ensure this. + + * runtime/InitializeThreading.cpp: + +2018-01-23 Robin Morisset + + Update the argument count in DFGByteCodeParser::handleRecursiveCall + https://bugs.webkit.org/show_bug.cgi?id=181739 + + + Reviewed by Saam Barati. + + When calling a function, its number of arguments is set on the stack. When we turn a recursive tail call + into a jump, we should update that stack slot as there is no guarantee that the function was originally + called with the same number of arguments. Forgetting to do this is observable through 'arguments.length'. + + It required adding a new DFG node: 'SetArgumentCountIncludingThis', that takes an unsigned int + as its first OpInfo field, and stores it to the stack at the right place. + + We must be a bit careful in where we put this new node, as it ClobbersExit. + We must also fix DFGArgumentsEliminationPhase and DFGPutStackSinkingPhase as they assumed that any node that writes to the stack must write to either an argument or a local. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleRecursiveTailCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::argumentCountIncludingThis): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGPutStackSinkingPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileSetArgumentCountIncludingThis): + +2018-01-22 Michael Saboff + + DFG abstract interpreter needs to properly model effects of some Math ops + https://bugs.webkit.org/show_bug.cgi?id=181886 + + Reviewed by Saam Barati. + + Reviewed the processing of the various ArithXXX and CompareXXX and found that + several nodes don't handle UntypedUse. Added clobberWorld() for those cases. + + * dfg/DFGAbstractInterpreter.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::executeDoubleUnaryOpEffects): + +2018-01-21 Wenson Hsieh + + Add a new feature flag for EXTRA_ZOOM_MODE and reintroduce AdditionalFeatureDefines.h + https://bugs.webkit.org/show_bug.cgi?id=181918 + + Reviewed by Tim Horton. + + Add EXTRA_ZOOM_MODE to FeatureDefines.xconfig (off by default). 
+ + * Configurations/FeatureDefines.xcconfig: + +2018-01-20 Caio Lima + + [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t + https://bugs.webkit.org/show_bug.cgi?id=181182 + + Reviewed by Darin Adler. + + Casting double to integer is undefined behavior when the truncation + results into a value that doesn't fit into integer size, + according C++ spec[1]. Thus, we are changing bigIntProtoFuncToString and + numberProtoFuncToString to remove these source of undefined + behavior. + + [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion + + * runtime/BigIntPrototype.cpp: + (JSC::bigIntProtoFuncToString): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToString): + (JSC::extractToStringRadixArgument): + (JSC::extractRadixFromArgs): Deleted. + * runtime/NumberPrototype.h: + +2018-01-19 Saam Barati + + Kill ArithNegate's ArithProfile assert inside BytecodeParser + https://bugs.webkit.org/show_bug.cgi?id=181877 + + + Reviewed by Mark Lam. + + Before this patch, we used to assert that op_negate's result ArithProfile + only produces number. It's logically true that negate only produces a number. + However, the DFG may incorrectly pick this ArithProfile when doing OSR exit + profiling. So we'll end up profiling something that's likely the input to + negate. This patch removes the assert. We cede to the fact that Graph::methodOfGettingAValueProfileFor + is entirely heuristic based, potentially leading to profiling results being imprecise. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::makeSafe): + +2018-01-19 David Kilzer + + oss-fuzz jsc build is broken: StringImpl.h:27:10: fatal error: 'unicode/ustring.h' file not found + + + Rubber-stamped by JF Bastien. + + * CMakeLists.txt: Add ICU header search path to + LLIntOffsetsExtractor target by reusing + JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES. 
+ +2018-01-19 Saam Barati + + Spread's effects are modeled incorrectly both in AI and in Clobberize + https://bugs.webkit.org/show_bug.cgi?id=181867 + + + Reviewed by Michael Saboff. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2018-01-19 Keith Miller + + HaveInternalSDK includes should be "#include?" + https://bugs.webkit.org/show_bug.cgi?id=179670 + + Reviewed by Dan Bernstein. + + * Configurations/Base.xcconfig: + +2018-01-18 JF Bastien + + Set the minimum executable allocator size properly + https://bugs.webkit.org/show_bug.cgi?id=181816 + + + Reviewed by Saam Barati. + + Executable allocator expects at least two page size's worth of + allocation in certain conditions, and that causes some tests to + now fail because they ask for less. Set that minimum correctly. We + were already rounding up to a page size, so having a minimum of 2 + page sizes is fine. + + * jit/ExecutableAllocator.cpp: + (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): + +2018-01-18 Michael Saboff + + Unreviewed build fix for Windows + + * interpreter/FrameTracers.h: + (JSC::assertStackPointerIsAligned): Can't use gcc style inlined assembly + on Windows. + +2018-01-18 Mark Lam + + Poisons should be initialized after Options are initialized. + https://bugs.webkit.org/show_bug.cgi?id=181807 + + + Reviewed by Keith Miller. + + This is because poison initialization may depend on options. + + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + +2018-01-18 Dan Bernstein + + [Xcode] Streamline and future-proof target-macOS-version-dependent build setting definitions + https://bugs.webkit.org/show_bug.cgi?id=181803 + + Reviewed by Tim Horton. + + * Configurations/Base.xcconfig: Updated. + * Configurations/DebugRelease.xcconfig: Ditto. + * Configurations/FeatureDefines.xcconfig: Adopted macOSTargetConditionals helpers. 
+ * Configurations/Version.xcconfig: Updated. + * Configurations/macOSTargetConditionals.xcconfig: Added. Defines helper build settings + useful for defining settings that depend on the target macOS version. + +2018-01-18 Michael Saboff + + REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions + https://bugs.webkit.org/show_bug.cgi?id=181802 + + Reviewed by Filip Pizlo. + + There where a few places where the stack isn't properly aligned for X86 when we call into C++ code. + Two places are where we call into exception handling code, the LLInt and from nativeForGenerator. + The other place was when we call into the operationOSRWriteBarrier(). + + Added an assert check that the stack is aligned on X86 platforms in the native call tracing code. + This helped find the other cases beyond the original problem. + + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::osrWriteBarrier): + * interpreter/FrameTracers.h: + (JSC::assertStackPointerIsAligned): + (JSC::NativeCallFrameTracer::NativeCallFrameTracer): + (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore): + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): + * llint/LowLevelInterpreter32_64.asm: + +2018-01-18 Commit Queue + + Unreviewed, rolling out r227096. + https://bugs.webkit.org/show_bug.cgi?id=181788 + + "it caused a 15% octane regression" (Requested by saamyjoon on + #webkit). + + Reverted changeset: + + "Support MultiGetByOffset in the DFG" + https://bugs.webkit.org/show_bug.cgi?id=181466 + https://trac.webkit.org/changeset/227096 + +2018-01-17 Yusuke Suzuki + + [DFG][FTL] Introduce PhantomNewRegexp and RegExpExecNonGlobalOrSticky + https://bugs.webkit.org/show_bug.cgi?id=181535 + + Reviewed by Saam Barati. + + When executing the code like `string.match(/regexp/)`, `/regexp/` object is created every time we execute this code. + However, user rarely cares about this `/regexp/` object. 
Typically, it is soon discarded even if it has `lastIndex` + information. So we should not create RegExpObject for this typical case. + + This patch introduces PhantomNewRegexp. We convert NewRegexp node to PhantomNewRegexp in Object Allocation Sinking (OAS) + phase. We should do this analysis in OAS phase since we track modifications to `lastIndex` in the OAS phase. Even if + `lastIndex` is modified, it may not be read by users. So we have a chance to drop this NewRegexp beacause we carefully model + SetRegExpObjectLastIndex and GetRegExpObjectLastIndex in OAS phase. + + This patch is a first attempt to drop NewRegexp. So we start optimizing it with the simple step: we first drop RegExp with + non-global and non-sticky one. We can later extend this optimization for RegExp with global flag. But this is not included + in this patch. + + We convert RegExpExec to RegExpExecNonGlobalOrSticky if we find that the given RegExpObject's RegExp is not global/sticky + flagged. Since we do not need to touch `lastIndex` property in this case, RegExpExecNonGlobalOrSticky just takes RegExp + instead of RegExpObject. This offers the chance to make NewRegExp unused. + + We also convert RegExpMatchFast to RegExpExecNonGlobalOrSticky if its RegExpObject's RegExp is non-global and non-sticky, + since they are the same behavior. + + The above optimization completely removes NewRegexp in SixSpeed's regexp-u.{es5,es6}. The resulted execution time is + somewhat pure execution time of our Yarr implementation. + + baseline patched + + regex-u.es5 34.8557+-0.5963 ^ 6.1507+-0.5526 ^ definitely 5.6670x faster + regex-u.es6 89.1919+-3.3851 ^ 32.0917+-0.4260 ^ definitely 2.7793x faster + + This patch does not change Octane/RegExp so much since it heavily uses String.prototype.replace, which is not handled in + this patch right now. We should support StringReplace node in subsequent patches. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGMayExit.cpp: + * dfg/DFGNode.cpp: + (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToPhantomNewRegexp): + (JSC::DFG::Node::convertToSetRegExpObjectLastIndex): + (JSC::DFG::Node::hasHeapPrediction): + (JSC::DFG::Node::hasCellOperand): + (JSC::DFG::Node::isPhantomAllocation): + (JSC::DFG::Node::hasIgnoreLastIndexIsWritable): + (JSC::DFG::Node::ignoreLastIndexIsWritable): + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGPromotedHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGPromotedHeapLocation.h: + (JSC::DFG::PromotedLocationDescriptor::neededForMaterialization const): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewRegexp): + (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex): + (JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + 
(JSC::FTL::DFG::LowerDFGToB3::compileRegExpExecNonGlobalOrSticky): + (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp): + (JSC::FTL::DFG::LowerDFGToB3::compileSetRegExpObjectLastIndex): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationPopulateObjectInOSR): + (JSC::FTL::operationMaterializeObjectInOSR): + * jit/JITOperations.h: + * runtime/RegExpObject.h: + (JSC::RegExpObject::create): + +2018-01-17 Yusuke Suzuki + + [FTL] Remove unused helper functions to convert node to PutHint + https://bugs.webkit.org/show_bug.cgi?id=181775 + + Reviewed by Saam Barati. + + We are using PromotedHeapLocation::createHint. So they are not necessary. + + * dfg/DFGNode.cpp: + (JSC::DFG::Node::convertToPutHint): Deleted. + (JSC::DFG::Node::convertToPutStructureHint): Deleted. + (JSC::DFG::Node::convertToPutByOffsetHint): Deleted. + (JSC::DFG::Node::convertToPutClosureVarHint): Deleted. + * dfg/DFGNode.h: + +2018-01-17 Yusuke Suzuki + + Unreviewed, suppress warnings on GCC + + Since `length` and `p` are always positive or zero, + static_cast() does what we want. + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::parseInt): + +2018-01-17 Saam Barati + + Disable Atomics when SharedArrayBuffer isn’t enabled + https://bugs.webkit.org/show_bug.cgi?id=181572 + + + Reviewed by Michael Saboff. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::createAtomicsProperty): Deleted. + +2018-01-17 Saam Barati + + Support MultiGetByOffset in the DFG + https://bugs.webkit.org/show_bug.cgi?id=181466 + + Reviewed by Keith Miller. + + This seems to benefit Speedometer in my local testing. It seems like this + might be around a 0.5% improvement. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleGetById): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::supportsMultiGetByOffset): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2018-01-17 Saam Barati + + DFG::Node::convertToConstant needs to clear the varargs flags + https://bugs.webkit.org/show_bug.cgi?id=181697 + + + Reviewed by Yusuke Suzuki. + + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToConstant): + +2018-01-16 JF Bastien + + Allow dangerous disabling of poison + https://bugs.webkit.org/show_bug.cgi?id=181685 + + + Reviewed by Keith Miller. + + Some tools such as leak detectors and such like to look at real + pointers, and poisoned ones confuse them. Add a JSC option to + disable poisoning, but log to the console when this is done. + + * runtime/JSCPoison.cpp: + (JSC::initializePoison): + * runtime/Options.h: + +2018-01-16 Ryan Haddad + + Unreviewed, rolling out r226937. + + Tests added with this change are failing due to a missing + exception check. + + Reverted changeset: + + "[JSC] NumberPrototype::extractRadixFromArgs incorrectly cast + double to int32_t" + https://bugs.webkit.org/show_bug.cgi?id=181182 + https://trac.webkit.org/changeset/226937 + +2018-01-16 Michael Catanzaro + + Test programs should only be built in developer mode + https://bugs.webkit.org/show_bug.cgi?id=181653 + + Reviewed by Carlos Garcia Campos. + + Build test programs only in developer mode, and fix code style. + + * shell/CMakeLists.txt: + +2018-01-15 Michael Catanzaro + + Improve use of ExportMacros + https://bugs.webkit.org/show_bug.cgi?id=181652 + + Reviewed by Konstantin Tokarev. + + * API/JSBase.h: Update a comment. + * inspector/InspectorBackendDispatcher.h: Use a better, yet equivalent, WTF macro. 
+ * runtime/JSExportMacros.h: Simplify the #defines in this file. + +2018-01-15 JF Bastien + + Remove makePoisonedUnique + https://bugs.webkit.org/show_bug.cgi?id=181630 + + + Reviewed by Mark Lam. + + I added a conversion from std::unique_ptr, so we can just use + std::make_unique and it'll auto-poison when converted. + + * bytecode/CodeBlock.h: + (JSC::CodeBlock::makePoisonedUnique): Deleted. + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::makePoisonedUnique): Deleted. + +2018-01-15 Michael Catanzaro + + REGRESSION(r226266): [GTK] RELEASE_ASSERT(reservedZoneSize >= minimumReservedZoneSize) in JSC::VM::updateStackLimits + https://bugs.webkit.org/show_bug.cgi?id=181438 + + + Reviewed by Carlos Garcia Campos. + + Roll out the functional changes of r226266. We'll keep the minor CMake library type setting + cleanup, but we have to switch back to building JSC only as a shared library, and we have to + get rid of the version script. + + * PlatformGTK.cmake: + * javascriptcoregtk-symbols.map: Removed. + +2018-01-14 Saam Barati + + Unreviewed. r226928 broke the CLOOP build. This patch fixes the CLOOP build. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + (JSC::CallLinkStatus::computeExitSiteData): + +2018-01-13 Mark Lam + + Replace all use of ConstExprPoisoned with Poisoned. + https://bugs.webkit.org/show_bug.cgi?id=181542 + + + Reviewed by JF Bastien. + + 1. All JSC poisons are now defined in JSCPoison.h. + + 2. Change all clients to use the new poison values via the POISON() macro. + + 3. The LLInt code has been updated to handle CodeBlock poison. Some of this code + uses the t5 temp register, which is not available on the Windows port. + Fortunately, we don't currently do poisoning on the Windows port yet. So, + it will just work for now. 
+ + When poisoning is enabled for the Windows port, this LLInt code will need a + Windows specific implementation to workaround its lack of a t5 register. + + * API/JSAPIWrapperObject.h: + * API/JSCallbackFunction.h: + * API/JSCallbackObject.h: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::emptyValue): + (JSC::MacroAssemblerCodePtr::deletedValue): + * b3/B3LowerMacros.cpp: + * b3/testb3.cpp: + (JSC::B3::testInterpreter): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::instructions): + (JSC::CodeBlock::instructions const): + (JSC::CodeBlock::makePoisonedUnique): + * dfg/DFGOSRExitCompilerCommon.h: + (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCheckSubClass): + (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): + * jit/JIT.h: + * jit/ThunkGenerators.cpp: + (JSC::virtualThunkFor): + (JSC::nativeForGenerator): + (JSC::boundThisNoArgsFunctionCallGenerator): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * parser/UnlinkedSourceCode.h: + * runtime/ArrayPrototype.h: + * runtime/CustomGetterSetter.h: + * runtime/DateInstance.h: + * runtime/InternalFunction.h: + * runtime/JSArrayBuffer.h: + * runtime/JSCPoison.cpp: Copied from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp. + (JSC::initializePoison): + * runtime/JSCPoison.h: + (): Deleted. + * runtime/JSCPoisonedPtr.cpp: Removed. + * runtime/JSCPoisonedPtr.h: Removed. 
+ * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::makePoisonedUnique): + * runtime/JSScriptFetchParameters.h: + * runtime/JSScriptFetcher.h: + * runtime/NativeExecutable.h: + * runtime/StructureTransitionTable.h: + (JSC::StructureTransitionTable::map const): + (JSC::StructureTransitionTable::weakImpl const): + * runtime/WriteBarrier.h: + (JSC::WriteBarrier::poison): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyInstance.h: + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/JSWebAssemblyTable.h: + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyFunctionBase.h: + * wasm/js/WebAssemblyModuleRecord.h: + * wasm/js/WebAssemblyToJSCallee.h: + * wasm/js/WebAssemblyWrapperFunction.h: + +2018-01-13 Caio Lima + + [JSC] NumberPrototype::extractRadixFromArgs incorrectly cast double to int32_t + https://bugs.webkit.org/show_bug.cgi?id=181182 + + Reviewed by Darin Adler. + + Casting double to integer is undefined behavior when the truncation + results into a value that doesn't fit into integer size, according C++ + spec[1]. Thus, we are changing bigIntProtoFuncToString and + numberProtoFuncToString to remove these source of undefined behavior. + + [1] - http://en.cppreference.com/w/cpp/language/implicit_conversion + + * runtime/BigIntPrototype.cpp: + (JSC::bigIntProtoFuncToString): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToString): + (JSC::extractRadixFromArgs): Deleted. + (JSC::extractToStringRadixArgument): Added. + +2018-01-12 Saam Barati + + Move ExitProfile to UnlinkedCodeBlock so it can be shared amongst CodeBlocks backed by the same UnlinkedCodeBlock + https://bugs.webkit.org/show_bug.cgi?id=181545 + + Reviewed by Michael Saboff. 
+ + This patch follows the theme of putting optimization profiling information on + UnlinkedCodeBlock. This allows the unlinked code cache to remember OSR exit data. + This often leads to the first compile of a CodeBlock, backed by an UnlinkedCodeBlock + pulled from the code cache, making better compilation decisions, usually + resulting in fewer exits, and fewer recompilations. + + This is a 1% Speedometer progression in my testing. + + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpProfilesForBytecodeOffset): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::computeExitSiteData): + (JSC::CallLinkStatus::computeDFGStatuses): + * bytecode/CallLinkStatus.h: + * bytecode/CodeBlock.h: + (JSC::CodeBlock::addFrequentExitSite): Deleted. + (JSC::CodeBlock::hasExitSite const): Deleted. + (JSC::CodeBlock::exitProfile): Deleted. + * bytecode/DFGExitProfile.cpp: + (JSC::DFG::ExitProfile::add): + (JSC::DFG::QueryableExitProfile::initialize): + * bytecode/DFGExitProfile.h: + (JSC::DFG::ExitProfile::hasExitSite const): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::hasExitSite): + (JSC::GetByIdStatus::computeFor): + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/GetByIdStatus.h: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::hasExitSite): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::computeForStubInfo): + * bytecode/PutByIdStatus.h: + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::livenessAnalysisSlow): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::hasExitSite const): + (JSC::UnlinkedCodeBlock::hasExitSite): + (JSC::UnlinkedCodeBlock::exitProfile): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::hasGlobalExitSite): + (JSC::DFG::Graph::hasExitSite): + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + * 
dfg/DFGOSRExitBase.cpp: + (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow): + +2018-01-12 JF Bastien + + PoisonedWriteBarrier + https://bugs.webkit.org/show_bug.cgi?id=181599 + + + Reviewed by Mark Lam. + + Allow poisoning of WriteBarrier objects, and use this for + WebAssembly because it is perf-neutral, at least on WasmBench on + my MBP. If it indeed is perf-neutral according to the bots, start + using it in more performance-sensitive places. + + * heap/HandleTypes.h: + * heap/SlotVisitor.h: + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::append): + (JSC::SlotVisitor::appendHidden): + * runtime/JSCJSValue.h: + * runtime/JSCPoison.h: + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::setPrototypeWithoutTransition): + (JSC::Structure::setGlobalObject): + (JSC::Structure::setPreviousID): + * runtime/WriteBarrier.h: + (JSC::WriteBarrierBase::copyFrom): + (JSC::WriteBarrierBase::get const): + (JSC::WriteBarrierBase::operator* const): + (JSC::WriteBarrierBase::operator-> const): + (JSC::WriteBarrierBase::clear): + (JSC::WriteBarrierBase::slot): + (JSC::WriteBarrierBase::operator bool const): + (JSC::WriteBarrierBase::setWithoutWriteBarrier): + (JSC::WriteBarrierBase::unvalidatedGet const): + (JSC::operator==): + * runtime/WriteBarrierInlines.h: + (JSC::Traits>::set): + (JSC::Traits>::setMayBeNull): + (JSC::Traits>::setEarlyValue): + (JSC::DumbValueTraits>::set): + * wasm/WasmInstance.h: + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): + (JSC::JSWebAssemblyInstance::finishCreation): + (JSC::JSWebAssemblyInstance::visitChildren): + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyInstance.h: + (JSC::JSWebAssemblyInstance::offsetOfPoisonedCallee): + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::JSWebAssemblyTable): + (JSC::JSWebAssemblyTable::grow): + 
(JSC::JSWebAssemblyTable::clearFunction): + * wasm/js/JSWebAssemblyTable.h: + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::materializeImportJSCell): + (JSC::Wasm::handleBadI64Use): + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyFunctionBase.h: + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyModuleRecord.h: + * wasm/js/WebAssemblyToJSCallee.h: + * wasm/js/WebAssemblyWrapperFunction.h: + +2018-01-12 Saam Barati + + CheckStructure can be incorrectly subsumed by CheckStructureOrEmpty + https://bugs.webkit.org/show_bug.cgi?id=181177 + + + Reviewed by Yusuke Suzuki. + + The semantics of CheckStructure are such that it does not allow the empty value to flow through it. + However, we may eliminate a CheckStructure if it's preceded by a CheckStructureOrEmpty. This doesn't + have semantic consequences when validation is turned off. However, with validation on, this trips up + our OSR exit machinery that says when an exit is allowed to happen. + + Consider the following IR: + + a: GetClosureVar // Or any other node that produces BytecodeTop + ... + c: CheckStructure(Cell:@a, {s2}) + d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) + + In the TypeCheckHoistingPhase, we may insert CheckStructureOrEmptys like this: + a: GetClosureVar + e: CheckStructureOrEmpty(@a, {s1}) + ... + f: CheckStructureOrEmpty(@a, {s2}) + c: CheckStructure(Cell:@a, {s2}) + d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) + + This will cause constant folding to change the IR to: + a: GetClosureVar + e: CheckStructureOrEmpty(@a, {s1}) + ... + f: CheckStructureOrEmpty(@a, {s2}) + d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) + + Our mayExit analysis determines that the PutByOffset should not exit. Note + that AI will determine the only value the PutByOffset can see in @a is + the empty value. 
Because KnownCell filters SpecCell and not SpecCellCheck, + when lowering the PutByOffset, we reach a contradiction in AI and emit + an OSR exit. However, because mayExit said we couldn't exit, we assert. + + Note that if we did not run the TypeCheckHoistingPhase on this IR, AI + would have determined we would OSR exit at the second CheckStructure. + + This patch makes it so constant folding produces the following IR: + a: GetClosureVar + e: CheckStructureOrEmpty(@a, {s1}) + g: AssertNotEmpty(@a) + ... + f: CheckStructureOrEmpty(@a, {s2}) + h: AssertNotEmpty(@a) + d: PutByOffset(KnownCell:@a, KnownCell:@a, @value) + + This modification will cause AI to know we will OSR exit before even reaching + the PutByOffset. Note that in the original IR, the GetClosureVar won't + actually produce the TDZ value. If it did, bytecode would have caused us + to emit a CheckNotEmpty before the CheckStructure/PutByOffset combo. That's + why this bug is about IR bookkeeping and not an actual error in IR analysis. + This patch introduces AssertNotEmpty instead of using CheckNotEmpty to be + more congruous with CheckStructure's semantics of crashing on the empty value + as input (on 64 bit platforms). 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty): + +2018-01-12 Joseph Pecoraro + + Web Inspector: Remove unnecessary raw pointer in InspectorConsoleAgent + https://bugs.webkit.org/show_bug.cgi?id=181579 + + + Reviewed by Brian Burg. + + * inspector/agents/InspectorConsoleAgent.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::clearMessages): + (Inspector::InspectorConsoleAgent::addConsoleMessage): + Switch from a raw pointer to m_consoleMessages.last(). + Also move the expiration check into the if block since it can only + happen inside here when the number of console messages changes. + + (Inspector::InspectorConsoleAgent::discardValues): + Also clear the expired message count when messages are cleared. + +2018-01-12 Yusuke Suzuki + + [JSC] Create parallel SlotVisitors apriori + https://bugs.webkit.org/show_bug.cgi?id=180907 + + Reviewed by Saam Barati. + + The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2. + If we create these SlotVisitors apropri, we do not need to create SlotVisitors dynamically. + Then we do not need to grab locks while iterating all the SlotVisitors. 
+ + In addition, we do not need to consider the case that the number of SlotVisitors increases + after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors + does not increase any more. + + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::runBeginPhase): + * heap/Heap.h: + * heap/HeapInlines.h: + (JSC::Heap::forEachSlotVisitor): + (JSC::Heap::numberOfSlotVisitors): Deleted. + * heap/MarkingConstraintSolver.cpp: + (JSC::MarkingConstraintSolver::didVisitSomething const): + +2018-01-12 Saam Barati + + Each variant of a polymorphic inlined call should be exitOK at the top of the block + https://bugs.webkit.org/show_bug.cgi?id=181562 + + + Reviewed by Yusuke Suzuki. + + Before this patch, the very first block in the switch for polymorphic call + inlining will have exitOK at the top. The others are not guaranteed to. + That was just a bug. They're all exitOK at the top. This will lead to crashes + in FixupPhase because we won't have a node in a block that has ExitOK, so + when we fixup various type checks, we assert out. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleInlining): + +2018-01-11 Keith Miller + + Rename ENABLE_ASYNC_ITERATION to ENABLE_JS_ASYNC_ITERATION + https://bugs.webkit.org/show_bug.cgi?id=181573 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: + * runtime/Options.h: + +2018-01-11 Michael Saboff + + REGRESSION(226788): AppStore Crashed @ JavaScriptCore: JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters + https://bugs.webkit.org/show_bug.cgi?id=181570 + + Reviewed by Keith Miller. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::abortWithReason): + Reverting these functions to use dataTempRegister and memoryTempRegister as they are + JIT release asserts that will crash the program. 
+ + (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters): + Changed this so that it invalidates any cached dataTmpRegister contents if temp register + caching is enabled. + +2018-01-11 Filip Pizlo + + Rename MarkedAllocator to BlockDirectory and AllocatorAttributes to CellAttributes + https://bugs.webkit.org/show_bug.cgi?id=181543 + + Rubber stamped by Michael Saboff. + + In a world that has thread-local caches, the thing we now call the "MarkedAllocator" doesn't + really have anything to do with allocation anymore. The allocation will be done by something + in the TLC. When you move the allocation logic out of MarkedAllocator, it becomes just a + place to find blocks (a "block directory"). + + Once we do that renaming, the term "allocator attributes" becomes weird. Those are really the + attributes of the HeapCellType. So let's call them CellAttributes. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/AccessCase.cpp: + (JSC::AccessCase::generateImpl): + * bytecode/ObjectAllocationProfile.h: + * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfile::initializeProfile): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + (JSC::DFG::SpeculativeJIT::compileMakeRope): + (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileNewObject): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): + (JSC::DFG::SpeculativeJIT::emitAllocateJSObject): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope): + (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): + (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): + (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell): + (JSC::FTL::DFG::LowerDFGToB3::allocateObject): + (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize): + * 
heap/AlignedMemoryAllocator.cpp: + (JSC::AlignedMemoryAllocator::registerDirectory): + (JSC::AlignedMemoryAllocator::registerAllocator): Deleted. + * heap/AlignedMemoryAllocator.h: + (JSC::AlignedMemoryAllocator::firstDirectory const): + (JSC::AlignedMemoryAllocator::firstAllocator const): Deleted. + * heap/AllocatorAttributes.cpp: Removed. + * heap/AllocatorAttributes.h: Removed. + * heap/BlockDirectory.cpp: Copied from Source/JavaScriptCore/heap/MarkedAllocator.cpp. + (JSC::BlockDirectory::BlockDirectory): + (JSC::BlockDirectory::setSubspace): + (JSC::BlockDirectory::isPagedOut): + (JSC::BlockDirectory::findEmptyBlockToSteal): + (JSC::BlockDirectory::didConsumeFreeList): + (JSC::BlockDirectory::tryAllocateWithoutCollecting): + (JSC::BlockDirectory::allocateIn): + (JSC::BlockDirectory::tryAllocateIn): + (JSC::BlockDirectory::doTestCollectionsIfNeeded): + (JSC::BlockDirectory::allocateSlowCase): + (JSC::BlockDirectory::blockSizeForBytes): + (JSC::BlockDirectory::tryAllocateBlock): + (JSC::BlockDirectory::addBlock): + (JSC::BlockDirectory::removeBlock): + (JSC::BlockDirectory::stopAllocating): + (JSC::BlockDirectory::prepareForAllocation): + (JSC::BlockDirectory::lastChanceToFinalize): + (JSC::BlockDirectory::resumeAllocating): + (JSC::BlockDirectory::beginMarkingForFullCollection): + (JSC::BlockDirectory::endMarking): + (JSC::BlockDirectory::snapshotUnsweptForEdenCollection): + (JSC::BlockDirectory::snapshotUnsweptForFullCollection): + (JSC::BlockDirectory::findBlockToSweep): + (JSC::BlockDirectory::sweep): + (JSC::BlockDirectory::shrink): + (JSC::BlockDirectory::assertNoUnswept): + (JSC::BlockDirectory::parallelNotEmptyBlockSource): + (JSC::BlockDirectory::dump const): + (JSC::BlockDirectory::dumpBits): + (JSC::BlockDirectory::markedSpace const): + (JSC::MarkedAllocator::MarkedAllocator): Deleted. + (JSC::MarkedAllocator::setSubspace): Deleted. + (JSC::MarkedAllocator::isPagedOut): Deleted. + (JSC::MarkedAllocator::findEmptyBlockToSteal): Deleted. 
+ (JSC::MarkedAllocator::didConsumeFreeList): Deleted.
+ (JSC::MarkedAllocator::tryAllocateWithoutCollecting): Deleted.
+ (JSC::MarkedAllocator::allocateIn): Deleted.
+ (JSC::MarkedAllocator::tryAllocateIn): Deleted.
+ (JSC::MarkedAllocator::doTestCollectionsIfNeeded): Deleted.
+ (JSC::MarkedAllocator::allocateSlowCase): Deleted.
+ (JSC::MarkedAllocator::blockSizeForBytes): Deleted.
+ (JSC::MarkedAllocator::tryAllocateBlock): Deleted.
+ (JSC::MarkedAllocator::addBlock): Deleted.
+ (JSC::MarkedAllocator::removeBlock): Deleted.
+ (JSC::MarkedAllocator::stopAllocating): Deleted.
+ (JSC::MarkedAllocator::prepareForAllocation): Deleted.
+ (JSC::MarkedAllocator::lastChanceToFinalize): Deleted.
+ (JSC::MarkedAllocator::resumeAllocating): Deleted.
+ (JSC::MarkedAllocator::beginMarkingForFullCollection): Deleted.
+ (JSC::MarkedAllocator::endMarking): Deleted.
+ (JSC::MarkedAllocator::snapshotUnsweptForEdenCollection): Deleted.
+ (JSC::MarkedAllocator::snapshotUnsweptForFullCollection): Deleted.
+ (JSC::MarkedAllocator::findBlockToSweep): Deleted.
+ (JSC::MarkedAllocator::sweep): Deleted.
+ (JSC::MarkedAllocator::shrink): Deleted.
+ (JSC::MarkedAllocator::assertNoUnswept): Deleted.
+ (JSC::MarkedAllocator::parallelNotEmptyBlockSource): Deleted.
+ (JSC::MarkedAllocator::dump const): Deleted.
+ (JSC::MarkedAllocator::dumpBits): Deleted.
+ (JSC::MarkedAllocator::markedSpace const): Deleted.
+ * heap/BlockDirectory.h: Copied from Source/JavaScriptCore/heap/MarkedAllocator.h.
+ (JSC::BlockDirectory::attributes const):
+ (JSC::BlockDirectory::forEachBitVector):
+ (JSC::BlockDirectory::forEachBitVectorWithName):
+ (JSC::BlockDirectory::nextDirectory const):
+ (JSC::BlockDirectory::nextDirectoryInSubspace const):
+ (JSC::BlockDirectory::nextDirectoryInAlignedMemoryAllocator const):
+ (JSC::BlockDirectory::setNextDirectory):
+ (JSC::BlockDirectory::setNextDirectoryInSubspace):
+ (JSC::BlockDirectory::setNextDirectoryInAlignedMemoryAllocator):
+ (JSC::BlockDirectory::offsetOfFreeList):
+ (JSC::BlockDirectory::offsetOfCellSize):
+ (JSC::MarkedAllocator::cellSize const): Deleted.
+ (JSC::MarkedAllocator::attributes const): Deleted.
+ (JSC::MarkedAllocator::needsDestruction const): Deleted.
+ (JSC::MarkedAllocator::destruction const): Deleted.
+ (JSC::MarkedAllocator::cellKind const): Deleted.
+ (JSC::MarkedAllocator::heap): Deleted.
+ (JSC::MarkedAllocator::bitvectorLock): Deleted.
+ (JSC::MarkedAllocator::forEachBitVector): Deleted.
+ (JSC::MarkedAllocator::forEachBitVectorWithName): Deleted.
+ (JSC::MarkedAllocator::nextAllocator const): Deleted.
+ (JSC::MarkedAllocator::nextAllocatorInSubspace const): Deleted.
+ (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const): Deleted.
+ (JSC::MarkedAllocator::setNextAllocator): Deleted.
+ (JSC::MarkedAllocator::setNextAllocatorInSubspace): Deleted.
+ (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator): Deleted.
+ (JSC::MarkedAllocator::subspace const): Deleted.
+ (JSC::MarkedAllocator::freeList const): Deleted.
+ (JSC::MarkedAllocator::offsetOfFreeList): Deleted.
+ (JSC::MarkedAllocator::offsetOfCellSize): Deleted.
+ * heap/BlockDirectoryInlines.h: Copied from Source/JavaScriptCore/heap/MarkedAllocatorInlines.h.
+ (JSC::BlockDirectory::isFreeListedCell const):
+ (JSC::BlockDirectory::allocate):
+ (JSC::BlockDirectory::forEachBlock):
+ (JSC::BlockDirectory::forEachNotEmptyBlock):
+ (JSC::MarkedAllocator::isFreeListedCell const): Deleted.
+ (JSC::MarkedAllocator::allocate): Deleted.
+ (JSC::MarkedAllocator::forEachBlock): Deleted.
+ (JSC::MarkedAllocator::forEachNotEmptyBlock): Deleted.
+ * heap/CellAttributes.cpp: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.cpp.
+ (JSC::CellAttributes::dump const):
+ (JSC::AllocatorAttributes::dump const): Deleted.
+ * heap/CellAttributes.h: Copied from Source/JavaScriptCore/heap/AllocatorAttributes.h.
+ (JSC::CellAttributes::CellAttributes):
+ (JSC::AllocatorAttributes::AllocatorAttributes): Deleted.
+ * heap/CompleteSubspace.cpp:
+ (JSC::CompleteSubspace::allocatorFor):
+ (JSC::CompleteSubspace::allocateNonVirtual):
+ (JSC::CompleteSubspace::allocatorForSlow):
+ (JSC::CompleteSubspace::tryAllocateSlow):
+ * heap/CompleteSubspace.h:
+ (JSC::CompleteSubspace::allocatorForSizeStep):
+ (JSC::CompleteSubspace::allocatorForNonVirtual):
+ * heap/GCDeferralContext.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::updateAllocationLimits):
+ * heap/Heap.h:
+ * heap/HeapCell.h:
+ * heap/HeapCellInlines.h:
+ (JSC::HeapCell::cellAttributes const):
+ (JSC::HeapCell::destructionMode const):
+ (JSC::HeapCell::cellKind const):
+ (JSC::HeapCell::allocatorAttributes const): Deleted.
+ * heap/HeapCellType.cpp:
+ (JSC::HeapCellType::HeapCellType):
+ * heap/HeapCellType.h:
+ (JSC::HeapCellType::attributes const):
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::IncrementalSweeper):
+ (JSC::IncrementalSweeper::sweepNextBlock):
+ (JSC::IncrementalSweeper::startSweeping):
+ (JSC::IncrementalSweeper::stopSweeping):
+ * heap/IncrementalSweeper.h:
+ * heap/IsoCellSet.cpp:
+ (JSC::IsoCellSet::IsoCellSet):
+ (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource):
+ (JSC::IsoCellSet::addSlow):
+ (JSC::IsoCellSet::didRemoveBlock):
+ (JSC::IsoCellSet::sweepToFreeList):
+ * heap/IsoCellSetInlines.h:
+ (JSC::IsoCellSet::forEachMarkedCell):
+ (JSC::IsoCellSet::forEachLiveCell):
+ * heap/IsoSubspace.cpp:
+ (JSC::IsoSubspace::IsoSubspace):
+ (JSC::IsoSubspace::allocatorFor):
+ (JSC::IsoSubspace::allocateNonVirtual):
+ * heap/IsoSubspace.h:
+ (JSC::IsoSubspace::allocatorForNonVirtual):
+ * heap/LargeAllocation.h:
+ (JSC::LargeAllocation::attributes const):
+ * heap/MarkedAllocator.cpp: Removed.
+ * heap/MarkedAllocator.h: Removed.
+ * heap/MarkedAllocatorInlines.h: Removed.
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::Handle::~Handle):
+ (JSC::MarkedBlock::Handle::setIsFreeListed):
+ (JSC::MarkedBlock::Handle::stopAllocating):
+ (JSC::MarkedBlock::Handle::lastChanceToFinalize):
+ (JSC::MarkedBlock::Handle::resumeAllocating):
+ (JSC::MarkedBlock::aboutToMarkSlow):
+ (JSC::MarkedBlock::Handle::didConsumeFreeList):
+ (JSC::MarkedBlock::noteMarkedSlow):
+ (JSC::MarkedBlock::Handle::removeFromDirectory):
+ (JSC::MarkedBlock::Handle::didAddToDirectory):
+ (JSC::MarkedBlock::Handle::didRemoveFromDirectory):
+ (JSC::MarkedBlock::Handle::dumpState):
+ (JSC::MarkedBlock::Handle::subspace const):
+ (JSC::MarkedBlock::Handle::sweep):
+ (JSC::MarkedBlock::Handle::isFreeListedCell const):
+ (JSC::MarkedBlock::Handle::removeFromAllocator): Deleted.
+ (JSC::MarkedBlock::Handle::didAddToAllocator): Deleted.
+ (JSC::MarkedBlock::Handle::didRemoveFromAllocator): Deleted.
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::Handle::directory const):
+ (JSC::MarkedBlock::Handle::attributes const):
+ (JSC::MarkedBlock::attributes const):
+ (JSC::MarkedBlock::Handle::allocator const): Deleted.
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::isAllocated):
+ (JSC::MarkedBlock::Handle::isLive):
+ (JSC::MarkedBlock::Handle::specializedSweep):
+ (JSC::MarkedBlock::Handle::isEmpty):
+ * heap/MarkedSpace.cpp:
+ (JSC::MarkedSpace::lastChanceToFinalize):
+ (JSC::MarkedSpace::sweep):
+ (JSC::MarkedSpace::stopAllocating):
+ (JSC::MarkedSpace::resumeAllocating):
+ (JSC::MarkedSpace::isPagedOut):
+ (JSC::MarkedSpace::freeBlock):
+ (JSC::MarkedSpace::shrink):
+ (JSC::MarkedSpace::beginMarking):
+ (JSC::MarkedSpace::endMarking):
+ (JSC::MarkedSpace::snapshotUnswept):
+ (JSC::MarkedSpace::assertNoUnswept):
+ (JSC::MarkedSpace::dumpBits):
+ (JSC::MarkedSpace::addBlockDirectory):
+ (JSC::MarkedSpace::addMarkedAllocator): Deleted.
+ * heap/MarkedSpace.h:
+ (JSC::MarkedSpace::firstDirectory const):
+ (JSC::MarkedSpace::directoryLock):
+ (JSC::MarkedSpace::forEachBlock):
+ (JSC::MarkedSpace::forEachDirectory):
+ (JSC::MarkedSpace::firstAllocator const): Deleted.
+ (JSC::MarkedSpace::allocatorLock): Deleted.
+ (JSC::MarkedSpace::forEachAllocator): Deleted.
+ * heap/MarkedSpaceInlines.h:
+ * heap/Subspace.cpp:
+ (JSC::Subspace::initialize):
+ (JSC::Subspace::prepareForAllocation):
+ (JSC::Subspace::findEmptyBlockToSteal):
+ (JSC::Subspace::parallelDirectorySource):
+ (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
+ (JSC::Subspace::sweep):
+ (JSC::Subspace::parallelAllocatorSource): Deleted.
+ * heap/Subspace.h:
+ (JSC::Subspace::attributes const):
+ (JSC::Subspace::didCreateFirstDirectory):
+ (JSC::Subspace::didCreateFirstAllocator): Deleted.
+ * heap/SubspaceInlines.h:
+ (JSC::Subspace::forEachDirectory):
+ (JSC::Subspace::forEachMarkedBlock):
+ (JSC::Subspace::forEachNotEmptyMarkedBlock):
+ (JSC::Subspace::forEachAllocator): Deleted.
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
+ (JSC::AssemblyHelpers::emitAllocate):
+ (JSC::AssemblyHelpers::emitAllocateJSCell):
+ (JSC::AssemblyHelpers::emitAllocateJSObject):
+ (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_new_object):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_new_object):
+ * runtime/JSDestructibleObjectHeapCellType.cpp:
+ (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
+ * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
+ (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
+ * runtime/JSStringHeapCellType.cpp:
+ (JSC::JSStringHeapCellType::JSStringHeapCellType):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
+ (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
+
+2018-01-11 Saam Barati
+
+ When inserting Unreachable in byte code parser we need to flush all the right things
+ https://bugs.webkit.org/show_bug.cgi?id=181509
+
+
+ Reviewed by Mark Lam.
+
+ I added code in r226655 that had its own mechanism for preserving liveness when
+ inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
+ liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
+ I got some of these values wrong, which was leading to a crash when recovering the
+ callee value from an inlined frame. Instead of making the same mistake and repeating
+ similar code again, this patch refactors this logic to be shared with the other
+ liveness preservation code in the DFG bytecode parser. This is what I should have
+ done in my initial patch.
+
+ * bytecode/InlineCallFrame.h:
+ (JSC::remapOperand):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::flushImpl):
+ (JSC::DFG::flushForTerminalImpl):
+ (JSC::DFG::ByteCodeParser::flush):
+ (JSC::DFG::ByteCodeParser::flushForTerminal):
+ (JSC::DFG::ByteCodeParser::parse):
+
+2018-01-11 Saam Barati
+
+ JITMathIC code in the FTL is wrong when code gets duplicated
+ https://bugs.webkit.org/show_bug.cgi?id=181525
+
+
+ Reviewed by Michael Saboff and Keith Miller.
+
+ B3/Air may duplicate code for various reasons. Patchpoint generators inside
+ FTLLower must be aware that they can be called multiple times because of this.
+ The patchpoint for math ICs was not aware of this, and shared state amongst
+ all invocations of the patchpoint's generator. This patch fixes this bug so
+ that each invocation of the patchpoint's generator gets a unique math IC.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::addMathIC):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
+ (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
+ (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithMul):
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
+ (JSC::FTL::DFG::LowerDFGToB3::compileMathIC): Deleted.
+ * jit/JITMathIC.h:
+ (JSC::isProfileEmpty):
+
+2018-01-11 Michael Saboff
+
+ Ensure there are no unsafe uses of MacroAssemblerARM64::dataTempRegister
+ https://bugs.webkit.org/show_bug.cgi?id=181512
+
+ Reviewed by Saam Barati.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::abortWithReason):
+ (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
+ All current uses of dataTempRegister in these functions are safe, but it makes sense to
+ fix them in case they might be used elsewhere.
+
+2018-01-04 Filip Pizlo
+
+ CodeBlocks should be in IsoSubspaces
+ https://bugs.webkit.org/show_bug.cgi?id=180884
+
+ Reviewed by Saam Barati.
+ + This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the + special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use + WeakReferenceHarvester or UnconditionalFinalizer. Instead: + + - Code block sweeping is now just eager sweeping. This means that it automatically takes + advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use + its eden set for. + + - Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable + marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what + we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no + longer has to clear the set of weakly visited code blocks. This also means that + determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning + CodeBlocks during GC are now the edge's job. The edge is also in an IsoSubspace and it + has IsoCellSets to tell us which edges have output constraints (what we used to call + CodeBlock's weak reference harvester) and which have unconditional finalizers. + + - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer. + + - CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to + handle requests from the sampler, debugger, and other facilities. They may want to ask + if some pointer corresponds to a CodeBlock during stages of execution during which the + GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread. + There is no way that the GC's isLive could tell us of a CodeBlock that had already been + allocated has now been full constructed. + + Rolling this back in because it was rolled out by mistake. There was a flaky crash that was + happening before and after this change, but we misread the revision numbers at first and + thought that this was the cause. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::finishCreationCommon): + (JSC::CodeBlock::~CodeBlock): + (JSC::CodeBlock::visitChildren): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::determineLiveness): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::stronglyVisitStrongReferences): + (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const): + (JSC::CodeBlock::installVMTrapBreakpoints): + (JSC::CodeBlock::dumpMathICStats): + (JSC::CodeBlock::visitWeakly): Deleted. + (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted. + (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted. + * bytecode/CodeBlock.h: + (JSC::CodeBlock::subspaceFor): + (JSC::CodeBlock::ownerEdge const): + (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted. + * bytecode/EvalCodeBlock.h: + (JSC::EvalCodeBlock::create): Deleted. + (JSC::EvalCodeBlock::createStructure): Deleted. + (JSC::EvalCodeBlock::variable): Deleted. + (JSC::EvalCodeBlock::numVariables): Deleted. + (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted. + (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted. + (JSC::EvalCodeBlock::EvalCodeBlock): Deleted. + (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted. + * bytecode/ExecutableToCodeBlockEdge.cpp: Added. 
+ (JSC::ExecutableToCodeBlockEdge::createStructure): + (JSC::ExecutableToCodeBlockEdge::create): + (JSC::ExecutableToCodeBlockEdge::visitChildren): + (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints): + (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally): + (JSC::ExecutableToCodeBlockEdge::activate): + (JSC::ExecutableToCodeBlockEdge::deactivate): + (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap): + (JSC::ExecutableToCodeBlockEdge::wrap): + (JSC::ExecutableToCodeBlockEdge::wrapAndActivate): + (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge): + (JSC::ExecutableToCodeBlockEdge::runConstraint): + * bytecode/ExecutableToCodeBlockEdge.h: Added. + (JSC::ExecutableToCodeBlockEdge::subspaceFor): + (JSC::ExecutableToCodeBlockEdge::codeBlock const): + (JSC::ExecutableToCodeBlockEdge::unwrap): + * bytecode/FunctionCodeBlock.h: + (JSC::FunctionCodeBlock::subspaceFor): + (JSC::FunctionCodeBlock::createStructure): + * bytecode/ModuleProgramCodeBlock.h: + (JSC::ModuleProgramCodeBlock::create): Deleted. + (JSC::ModuleProgramCodeBlock::createStructure): Deleted. + (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted. + * bytecode/ProgramCodeBlock.h: + (JSC::ProgramCodeBlock::create): Deleted. + (JSC::ProgramCodeBlock::createStructure): Deleted. + (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted. + * debugger/Debugger.cpp: + (JSC::Debugger::SetSteppingModeFunctor::operator() const): + (JSC::Debugger::ToggleBreakpointFunctor::operator() const): + (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const): + (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const): + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::contains): + (JSC::CodeBlockSet::dump const): + (JSC::CodeBlockSet::add): + (JSC::CodeBlockSet::remove): + (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted. + (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted. + (JSC::CodeBlockSet::lastChanceToFinalize): Deleted. 
+ (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted. + * heap/CodeBlockSet.h: + * heap/CodeBlockSetInlines.h: + (JSC::CodeBlockSet::iterate): + (JSC::CodeBlockSet::iterateViaSubspaces): + * heap/ConservativeRoots.cpp: + (JSC::ConservativeRoots::genericAddPointer): + (JSC::DummyMarkHook::markKnownJSCell): + (JSC::CompositeMarkHook::mark): + (JSC::CompositeMarkHook::markKnownJSCell): + * heap/ConservativeRoots.h: + * heap/Heap.cpp: + (JSC::Heap::lastChanceToFinalize): + (JSC::Heap::finalizeMarkedUnconditionalFinalizers): + (JSC::Heap::finalizeUnconditionalFinalizers): + (JSC::Heap::beginMarking): + (JSC::Heap::deleteUnmarkedCompiledCode): + (JSC::Heap::sweepInFinalize): + (JSC::Heap::forEachCodeBlockImpl): + (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl): + (JSC::Heap::addCoreConstraints): + (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted. + * heap/Heap.h: + * heap/HeapCell.h: + * heap/HeapCellInlines.h: + (JSC::HeapCell::subspace const): + * heap/HeapInlines.h: + (JSC::Heap::forEachCodeBlock): + (JSC::Heap::forEachCodeBlockIgnoringJITPlans): + * heap/HeapUtil.h: + (JSC::HeapUtil::findGCObjectPointersForMarking): + * heap/IsoCellSet.cpp: + (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource): + * heap/IsoCellSet.h: + * heap/IsoCellSetInlines.h: + (JSC::IsoCellSet::forEachMarkedCellInParallel): + (JSC::IsoCellSet::forEachLiveCell): + * heap/LargeAllocation.h: + (JSC::LargeAllocation::subspace const): + * heap/MarkStackMergingConstraint.cpp: + (JSC::MarkStackMergingConstraint::executeImpl): + * heap/MarkStackMergingConstraint.h: + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::parallelNotEmptyBlockSource): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::didAddToAllocator): + (JSC::MarkedBlock::Handle::didRemoveFromAllocator): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::subspace const): + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::forEachLiveCell): + * heap/MarkedSpaceInlines.h: + 
(JSC::MarkedSpace::forEachLiveCell): + * heap/MarkingConstraint.cpp: + (JSC::MarkingConstraint::execute): + (JSC::MarkingConstraint::doParallelWork): + (JSC::MarkingConstraint::finishParallelWork): Deleted. + (JSC::MarkingConstraint::doParallelWorkImpl): Deleted. + (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted. + * heap/MarkingConstraint.h: + * heap/MarkingConstraintSet.cpp: + (JSC::MarkingConstraintSet::add): + * heap/MarkingConstraintSet.h: + (JSC::MarkingConstraintSet::add): + * heap/MarkingConstraintSolver.cpp: + (JSC::MarkingConstraintSolver::execute): + (JSC::MarkingConstraintSolver::addParallelTask): + (JSC::MarkingConstraintSolver::runExecutionThread): + (JSC::MarkingConstraintSolver::didExecute): Deleted. + * heap/MarkingConstraintSolver.h: + (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint): + (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const): + * heap/SimpleMarkingConstraint.cpp: + (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint): + (JSC::SimpleMarkingConstraint::executeImpl): + * heap/SimpleMarkingConstraint.h: + (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint): + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::addParallelConstraintTask): + * heap/SlotVisitor.h: + * heap/Subspace.cpp: + (JSC::Subspace::sweep): + * heap/Subspace.h: + * heap/SubspaceInlines.h: + (JSC::Subspace::forEachLiveCell): + * llint/LowLevelInterpreter.asm: + * runtime/EvalExecutable.cpp: + (JSC::EvalExecutable::visitChildren): + * runtime/EvalExecutable.h: + (JSC::EvalExecutable::codeBlock): + * runtime/FunctionExecutable.cpp: + (JSC::FunctionExecutable::baselineCodeBlockFor): + (JSC::FunctionExecutable::visitChildren): + * runtime/FunctionExecutable.h: + * runtime/JSType.h: + * runtime/ModuleProgramExecutable.cpp: + (JSC::ModuleProgramExecutable::visitChildren): + * runtime/ModuleProgramExecutable.h: + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::visitChildren): + * runtime/ProgramExecutable.h: + * 
runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::installCode): + (JSC::ScriptExecutable::newReplacementCodeBlockFor): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): + (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): + (JSC::VM::forEachCodeBlockSpace): + * runtime/VMTraps.cpp: + (JSC::VMTraps::handleTraps): + * tools/VMInspector.cpp: + (JSC::VMInspector::codeBlockForMachinePC): + (JSC::VMInspector::isValidCodeBlock): + +2018-01-11 Michael Saboff + + Add a DOM gadget for Spectre testing + https://bugs.webkit.org/show_bug.cgi?id=181351 + + Reviewed by Ryosuke Niwa. + + * runtime/Options.h: + +2018-01-11 Yusuke Suzuki + + [DFG][FTL] regExpMatchFast should be handled + https://bugs.webkit.org/show_bug.cgi?id=180988 + + Reviewed by Mark Lam. + + RegExp.prototype.@@match has a fast path, @regExpMatchFast. This patch annotates this function + with RegExpMatchFastIntrinsic, and introduces RegExpMatch DFG node. This paves the way to + make NewRegexp PhantomNewRegexp if it is not used except for setting/getting its lastIndex property. + + To improve RegExp.prototype.@@match's performance more, we make this builtin function small by moving + slow path part to `@matchSlow()` private function. + + It improves SixSpeed regex-u.{es5,es6} largely since they stress String.prototype.match, which calls + this regExpMatchFast function. 
+ + baseline patched + + regex-u.es5 55.3835+-6.3002 ^ 36.2431+-2.0797 ^ definitely 1.5281x faster + regex-u.es6 110.4624+-6.2896 ^ 94.1012+-7.2433 ^ definitely 1.1739x faster + + * builtins/RegExpPrototype.js: + (globalPrivate.matchSlow): + (overriddenName.string_appeared_here.match): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsicCall): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileRegExpMatch): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileRegExpMatch): + * runtime/Intrinsic.cpp: + (JSC::intrinsicName): + * runtime/Intrinsic.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncMatchFast): + +2018-01-11 Saam Barati + + Our for-in caching is wrong when we add indexed properties on things in the prototype chain + https://bugs.webkit.org/show_bug.cgi?id=181508 + + Reviewed by Yusuke Suzuki. + + Our for-in caching would cache structure chains that had prototypes with + indexed properties. Clearly this is wrong. This caching breaks when a prototype + adds new indexed properties. 
We would continue to enumerate the old cached + state of properties, and not include the new indexed properties. + + The old code used to prevent caching only if the base structure had + indexed properties. This patch extends it to prevent caching if the + base, or any structure in the prototype chain, has indexed properties. + + * runtime/Structure.cpp: + (JSC::Structure::canCachePropertyNameEnumerator const): + +2018-01-10 JF Bastien + + Poison small JSObject derivatives which only contain pointers + https://bugs.webkit.org/show_bug.cgi?id=181483 + + + Reviewed by Mark Lam. + + I wrote a script that finds interesting things to poison or + generally harden. These stood out because they derive from + JSObject and only contain a few pointer or pointer-like fields, + and could therefore just be poisoned. This also requires some + template "improvements" to our poisoning machinery. Worth noting + is that I'm making PoisonedUniquePtr move-assignable and + move-constructible from unique_ptr, which makes it a better + drop-in replacement because we don't need to use + makePoisonedUniquePtr. This means function-locals can be + unique_ptr and get the nice RAII pattern, and once the function is + done you can just move to the class' PoisonedUniquePtr without + worrying. + + * API/JSAPIWrapperObject.h: + (JSC::JSAPIWrapperObject::wrappedObject): + * API/JSAPIWrapperObject.mm: + (JSC::JSAPIWrapperObject::JSAPIWrapperObject): + * API/JSCallbackObject.h: + * runtime/ArrayPrototype.h: + * runtime/DateInstance.h: + * runtime/JSArrayBuffer.cpp: + (JSC::JSArrayBuffer::finishCreation): + (JSC::JSArrayBuffer::isShared const): + (JSC::JSArrayBuffer::sharingMode const): + * runtime/JSArrayBuffer.h: + * runtime/JSCPoison.h: + +2018-01-10 Commit Queue + + Unreviewed, rolling out r226667 and r226673. + https://bugs.webkit.org/show_bug.cgi?id=181488 + + This caused a flaky crash. (Requested by mlewis13 on #webkit). 
+ + Reverted changesets: + + "CodeBlocks should be in IsoSubspaces" + https://bugs.webkit.org/show_bug.cgi?id=180884 + https://trac.webkit.org/changeset/226667 + + "REGRESSION (r226667): CodeBlocks should be in IsoSubspaces" + https://bugs.webkit.org/show_bug.cgi?id=180884 + https://trac.webkit.org/changeset/226673 + +2018-01-09 David Kilzer + + REGRESSION (r226667): CodeBlocks should be in IsoSubspaces + + + Fixes the following build error: + + heap/Heap.cpp:2708:10: error: lambda capture 'this' is not used [-Werror,-Wunused-lambda-capture] + + * heap/Heap.cpp: + (JSC::Heap::addCoreConstraints): Remove 'this' from lambda to + fix the build. + +2018-01-09 Keith Miller + + and32 with an Address source on ARM64 did not invalidate dataTempRegister + https://bugs.webkit.org/show_bug.cgi?id=181467 + + Reviewed by Michael Saboff. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::and32): + +2018-01-04 Filip Pizlo + + CodeBlocks should be in IsoSubspaces + https://bugs.webkit.org/show_bug.cgi?id=180884 + + Reviewed by Saam Barati. + + This moves CodeBlocks into IsoSubspaces. Doing so means that we no longer need to have the + special CodeBlockSet HashSets of new and old CodeBlocks. We also no longer use + WeakReferenceHarvester or UnconditionalFinalizer. Instead: + + - Code block sweeping is now just eager sweeping. This means that it automatically takes + advantage of our unswept set, which roughly corresponds to what CodeBlockSet used to use + its eden set for. + + - Those idea of Executable "weakly visiting" the CodeBlock is replaced by Executable + marking a ExecutableToCodeBlockEdge object. That object being marked corresponds to what + we used to call CodeBlock "having been weakly visited". This means that CodeBlockSet no + longer has to clear the set of weakly visited code blocks. This also means that + determining CodeBlock liveness, propagating CodeBlock transitions, and jettisoning + CodeBlocks during GC are now the edge's job. 
The edge is also in an IsoSubspace and it + has IsoCellSets to tell us which edges have output constraints (what we used to call + CodeBlock's weak reference harvester) and which have unconditional finalizers. + + - CodeBlock now uses an IsoCellSet to tell if it has an unconditional finalizer. + + - CodeBlockSet still exists! It has one unified HashSet of CodeBlocks that we use to + handle requests from the sampler, debugger, and other facilities. They may want to ask + if some pointer corresponds to a CodeBlock during stages of execution during which the + GC is unable to answer isLive() queries. The trickiest is the sampling profiler thread. + There is no way that the GC's isLive could tell us of a CodeBlock that had already been + allocated has now been full constructed. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::finishCreationCommon): + (JSC::CodeBlock::~CodeBlock): + (JSC::CodeBlock::visitChildren): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::determineLiveness): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::stronglyVisitStrongReferences): + (JSC::CodeBlock::hasInstalledVMTrapBreakpoints const): + (JSC::CodeBlock::installVMTrapBreakpoints): + (JSC::CodeBlock::dumpMathICStats): + (JSC::CodeBlock::visitWeakly): Deleted. + (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): Deleted. + (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): Deleted. + * bytecode/CodeBlock.h: + (JSC::CodeBlock::subspaceFor): + (JSC::CodeBlock::ownerEdge const): + (JSC::CodeBlock::clearVisitWeaklyHasBeenCalled): Deleted. + * bytecode/EvalCodeBlock.h: + (JSC::EvalCodeBlock::create): Deleted. + (JSC::EvalCodeBlock::createStructure): Deleted. + (JSC::EvalCodeBlock::variable): Deleted. + (JSC::EvalCodeBlock::numVariables): Deleted. + (JSC::EvalCodeBlock::functionHoistingCandidate): Deleted. 
+ (JSC::EvalCodeBlock::numFunctionHoistingCandidates): Deleted. + (JSC::EvalCodeBlock::EvalCodeBlock): Deleted. + (JSC::EvalCodeBlock::unlinkedEvalCodeBlock const): Deleted. + * bytecode/ExecutableToCodeBlockEdge.cpp: Added. + (JSC::ExecutableToCodeBlockEdge::createStructure): + (JSC::ExecutableToCodeBlockEdge::create): + (JSC::ExecutableToCodeBlockEdge::visitChildren): + (JSC::ExecutableToCodeBlockEdge::visitOutputConstraints): + (JSC::ExecutableToCodeBlockEdge::finalizeUnconditionally): + (JSC::ExecutableToCodeBlockEdge::activate): + (JSC::ExecutableToCodeBlockEdge::deactivate): + (JSC::ExecutableToCodeBlockEdge::deactivateAndUnwrap): + (JSC::ExecutableToCodeBlockEdge::wrap): + (JSC::ExecutableToCodeBlockEdge::wrapAndActivate): + (JSC::ExecutableToCodeBlockEdge::ExecutableToCodeBlockEdge): + (JSC::ExecutableToCodeBlockEdge::runConstraint): + * bytecode/ExecutableToCodeBlockEdge.h: Added. + (JSC::ExecutableToCodeBlockEdge::subspaceFor): + (JSC::ExecutableToCodeBlockEdge::codeBlock const): + (JSC::ExecutableToCodeBlockEdge::unwrap): + * bytecode/FunctionCodeBlock.h: + (JSC::FunctionCodeBlock::subspaceFor): + (JSC::FunctionCodeBlock::createStructure): + * bytecode/ModuleProgramCodeBlock.h: + (JSC::ModuleProgramCodeBlock::create): Deleted. + (JSC::ModuleProgramCodeBlock::createStructure): Deleted. + (JSC::ModuleProgramCodeBlock::ModuleProgramCodeBlock): Deleted. + * bytecode/ProgramCodeBlock.h: + (JSC::ProgramCodeBlock::create): Deleted. + (JSC::ProgramCodeBlock::createStructure): Deleted. + (JSC::ProgramCodeBlock::ProgramCodeBlock): Deleted. 
+ * debugger/Debugger.cpp: + (JSC::Debugger::SetSteppingModeFunctor::operator() const): + (JSC::Debugger::ToggleBreakpointFunctor::operator() const): + (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator() const): + (JSC::Debugger::ClearDebuggerRequestsFunctor::operator() const): + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::contains): + (JSC::CodeBlockSet::dump const): + (JSC::CodeBlockSet::add): + (JSC::CodeBlockSet::remove): + (JSC::CodeBlockSet::promoteYoungCodeBlocks): Deleted. + (JSC::CodeBlockSet::clearMarksForFullCollection): Deleted. + (JSC::CodeBlockSet::lastChanceToFinalize): Deleted. + (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Deleted. + * heap/CodeBlockSet.h: + * heap/CodeBlockSetInlines.h: + (JSC::CodeBlockSet::iterate): + (JSC::CodeBlockSet::iterateViaSubspaces): + * heap/ConservativeRoots.cpp: + (JSC::ConservativeRoots::genericAddPointer): + (JSC::DummyMarkHook::markKnownJSCell): + (JSC::CompositeMarkHook::mark): + (JSC::CompositeMarkHook::markKnownJSCell): + * heap/ConservativeRoots.h: + * heap/Heap.cpp: + (JSC::Heap::lastChanceToFinalize): + (JSC::Heap::finalizeMarkedUnconditionalFinalizers): + (JSC::Heap::finalizeUnconditionalFinalizers): + (JSC::Heap::beginMarking): + (JSC::Heap::deleteUnmarkedCompiledCode): + (JSC::Heap::sweepInFinalize): + (JSC::Heap::forEachCodeBlockImpl): + (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl): + (JSC::Heap::addCoreConstraints): + (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace): Deleted. 
+ * heap/Heap.h: + * heap/HeapCell.h: + * heap/HeapCellInlines.h: + (JSC::HeapCell::subspace const): + * heap/HeapInlines.h: + (JSC::Heap::forEachCodeBlock): + (JSC::Heap::forEachCodeBlockIgnoringJITPlans): + * heap/HeapUtil.h: + (JSC::HeapUtil::findGCObjectPointersForMarking): + * heap/IsoCellSet.cpp: + (JSC::IsoCellSet::parallelNotEmptyMarkedBlockSource): + * heap/IsoCellSet.h: + * heap/IsoCellSetInlines.h: + (JSC::IsoCellSet::forEachMarkedCellInParallel): + (JSC::IsoCellSet::forEachLiveCell): + * heap/LargeAllocation.h: + (JSC::LargeAllocation::subspace const): + * heap/MarkStackMergingConstraint.cpp: + (JSC::MarkStackMergingConstraint::executeImpl): + * heap/MarkStackMergingConstraint.h: + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::parallelNotEmptyBlockSource): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::Handle::didAddToAllocator): + (JSC::MarkedBlock::Handle::didRemoveFromAllocator): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::subspace const): + * heap/MarkedBlockInlines.h: + (JSC::MarkedBlock::Handle::forEachLiveCell): + * heap/MarkedSpaceInlines.h: + (JSC::MarkedSpace::forEachLiveCell): + * heap/MarkingConstraint.cpp: + (JSC::MarkingConstraint::execute): + (JSC::MarkingConstraint::doParallelWork): + (JSC::MarkingConstraint::finishParallelWork): Deleted. + (JSC::MarkingConstraint::doParallelWorkImpl): Deleted. + (JSC::MarkingConstraint::finishParallelWorkImpl): Deleted. + * heap/MarkingConstraint.h: + * heap/MarkingConstraintSet.cpp: + (JSC::MarkingConstraintSet::add): + * heap/MarkingConstraintSet.h: + (JSC::MarkingConstraintSet::add): + * heap/MarkingConstraintSolver.cpp: + (JSC::MarkingConstraintSolver::execute): + (JSC::MarkingConstraintSolver::addParallelTask): + (JSC::MarkingConstraintSolver::runExecutionThread): + (JSC::MarkingConstraintSolver::didExecute): Deleted. 
+ * heap/MarkingConstraintSolver.h: + (JSC::MarkingConstraintSolver::TaskWithConstraint::TaskWithConstraint): + (JSC::MarkingConstraintSolver::TaskWithConstraint::operator== const): + * heap/SimpleMarkingConstraint.cpp: + (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint): + (JSC::SimpleMarkingConstraint::executeImpl): + * heap/SimpleMarkingConstraint.h: + (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint): + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::addParallelConstraintTask): + * heap/SlotVisitor.h: + * heap/Subspace.cpp: + (JSC::Subspace::sweep): + * heap/Subspace.h: + * heap/SubspaceInlines.h: + (JSC::Subspace::forEachLiveCell): + * llint/LowLevelInterpreter.asm: + * runtime/EvalExecutable.cpp: + (JSC::EvalExecutable::visitChildren): + * runtime/EvalExecutable.h: + (JSC::EvalExecutable::codeBlock): + * runtime/FunctionExecutable.cpp: + (JSC::FunctionExecutable::baselineCodeBlockFor): + (JSC::FunctionExecutable::visitChildren): + * runtime/FunctionExecutable.h: + * runtime/JSType.h: + * runtime/ModuleProgramExecutable.cpp: + (JSC::ModuleProgramExecutable::visitChildren): + * runtime/ModuleProgramExecutable.h: + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::visitChildren): + * runtime/ProgramExecutable.h: + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::installCode): + (JSC::ScriptExecutable::newReplacementCodeBlockFor): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): + (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): + (JSC::VM::forEachCodeBlockSpace): + * runtime/VMTraps.cpp: + (JSC::VMTraps::handleTraps): + * tools/VMInspector.cpp: + (JSC::VMInspector::codeBlockForMachinePC): + (JSC::VMInspector::isValidCodeBlock): + +2018-01-09 Michael Saboff + + Unreviewed, rolling out r226600 and r226603 + https://bugs.webkit.org/show_bug.cgi?id=181351 + + Add a DOM gadget for Spectre testing + + * runtime/Options.h: + +2018-01-09 Saam Barati + + Reduce graph size by 
replacing terminal nodes in blocks that have a ForceOSRExit with Unreachable + https://bugs.webkit.org/show_bug.cgi?id=181409 + + Reviewed by Keith Miller. + + When I was looking at profiler data for Speedometer, I noticed that one of + the hottest functions in Speedometer is around 1100 bytecode operations long. + Only about 100 of those bytecode ops ever execute. However, we ended up + spending a lot of time compiling basic blocks that never executed. We often + plant ForceOSRExit nodes when we parse bytecodes that have a null value profile. + This is the case when such a node never executes. + + This patch makes it so that anytime a block has a ForceOSRExit, we replace its + terminal node with an Unreachable node (and remove all nodes after the + ForceOSRExit). This will cut down on graph size when such a block dominates + other blocks in the CFG. This allows us to get rid of huge chunks of the CFG + in certain programs. When doing this transformation, we also insert + Flushes/PhantomLocals to ensure we can recover values that are bytecode + live-in to the ForceOSRExit. + + Using ForceOSRExit as the signal for this is a bit of a hack. It definitely + does not get rid of all the CFG that it could. If we decide it's worth + it, we could use additional inputs into this mechanism. For example, we could + profile if a basic block ever executes inside the LLInt/Baseline, and + remove parts of the CFG based on that. + + When running Speedometer with the concurrent JIT turned off, this patch + improves DFG/FTL compile times by around 5%. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::addToGraph): + (JSC::DFG::ByteCodeParser::parse): + +2018-01-09 Mark Lam + + ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter + https://bugs.webkit.org/show_bug.cgi?id=181388 + + + Reviewed by Saam Barati. + + When there are duplicate setters or getters, we may end up overwriting a getter + with a setter, or vice versa. 
This patch adds tracking for getters/setters that + have been overwritten with duplicates and ignore them. + + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitBytecode): + * parser/NodeConstructors.h: + (JSC::PropertyNode::PropertyNode): + * parser/Nodes.h: + (JSC::PropertyNode::isOverriddenByDuplicate const): + (JSC::PropertyNode::setIsOverriddenByDuplicate): + +2018-01-08 Zan Dobersek + + REGRESSION(r225913): about 30 JSC test failures on ARMv7 + https://bugs.webkit.org/show_bug.cgi?id=181162 + + + Unreviewed follow-up to r226298. Enable the fast case in + DFG::SpeculativeJIT::compileArraySlice() for any 64-bit platform, + assuming in good faith that enough GP registers are available on any + such configuration. The accompanying comment is adjusted to describe + this assumption. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArraySlice): + +2018-01-08 JF Bastien + + WebAssembly: mask indexed accesses to Table + https://bugs.webkit.org/show_bug.cgi?id=181412 + + + Reviewed by Saam Barati. + + WebAssembly Table indexed accesses are user-controlled and + bounds-checked. Force allocations of Table data to be a + power-of-two, and explicitly mask accesses after bounds-check + branches. + + Rename misleading usage of "size" when "length" of a Table was + intended. + + Rename the Spectre option from "disable" to "enable". 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::SpeculativeJIT): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3): + * jit/JIT.cpp: + (JSC::JIT::JIT): + * runtime/Options.h: + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmTable.cpp: + (JSC::Wasm::Table::allocatedLength): + (JSC::Wasm::Table::setLength): + (JSC::Wasm::Table::create): + (JSC::Wasm::Table::Table): + (JSC::Wasm::Table::grow): + (JSC::Wasm::Table::clearFunction): + (JSC::Wasm::Table::setFunction): + * wasm/WasmTable.h: + (JSC::Wasm::Table::length const): + (JSC::Wasm::Table::offsetOfLength): + (JSC::Wasm::Table::offsetOfMask): + (JSC::Wasm::Table::mask const): + (JSC::Wasm::Table::isValidLength): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::create): + * wasm/js/JSWebAssemblyTable.cpp: + (JSC::JSWebAssemblyTable::JSWebAssemblyTable): + (JSC::JSWebAssemblyTable::visitChildren): + (JSC::JSWebAssemblyTable::grow): + (JSC::JSWebAssemblyTable::getFunction): + (JSC::JSWebAssemblyTable::clearFunction): + (JSC::JSWebAssemblyTable::setFunction): + * wasm/js/JSWebAssemblyTable.h: + (JSC::JSWebAssemblyTable::isValidLength): + (JSC::JSWebAssemblyTable::length const): + (JSC::JSWebAssemblyTable::allocatedLength const): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::evaluate): + * wasm/js/WebAssemblyTablePrototype.cpp: + (JSC::webAssemblyTableProtoFuncLength): + (JSC::webAssemblyTableProtoFuncGrow): + (JSC::webAssemblyTableProtoFuncGet): + (JSC::webAssemblyTableProtoFuncSet): + +2018-01-08 Michael Saboff + + Add a DOM gadget for Spectre testing + https://bugs.webkit.org/show_bug.cgi?id=181351 + + Reviewed by Michael Saboff. + + Added a new JSC::Option named enableSpectreGadgets to enable any gadgets added to test + Spectre mitigations. 
+ + * runtime/Options.h: + +2018-01-08 Mark Lam + + Rename CodeBlock::m_vm to CodeBlock::m_poisonedVM. + https://bugs.webkit.org/show_bug.cgi?id=181403 + + + Rubber-stamped by JF Bastien. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::~CodeBlock): + (JSC::CodeBlock::setConstantRegisters): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::finalizeLLIntInlineCaches): + (JSC::CodeBlock::jettison): + (JSC::CodeBlock::predictedMachineCodeSize): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::vm const): + (JSC::CodeBlock::addConstant): + (JSC::CodeBlock::heap const): + (JSC::CodeBlock::replaceConstant): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2018-01-07 Mark Lam + + Apply poisoning to more pointers in JSC. + https://bugs.webkit.org/show_bug.cgi?id=181096 + + + Reviewed by JF Bastien. + + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::xorPtr): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::xor64): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::xor64): + - Add xorPtr implementation. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::inferredName const): + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::~CodeBlock): + (JSC::CodeBlock::setConstantRegisters): + (JSC::CodeBlock::visitWeakly): + (JSC::CodeBlock::visitChildren): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::WeakReferenceHarvester::visitWeakReferences): + (JSC::CodeBlock::finalizeLLIntInlineCaches): + (JSC::CodeBlock::finalizeBaselineJITInlineCaches): + (JSC::CodeBlock::UnconditionalFinalizer::finalizeUnconditionally): + (JSC::CodeBlock::jettison): + (JSC::CodeBlock::predictedMachineCodeSize): + (JSC::CodeBlock::findPC): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::UnconditionalFinalizer::UnconditionalFinalizer): + (JSC::CodeBlock::WeakReferenceHarvester::WeakReferenceHarvester): + (JSC::CodeBlock::stubInfoBegin): + (JSC::CodeBlock::stubInfoEnd): + (JSC::CodeBlock::callLinkInfosBegin): + (JSC::CodeBlock::callLinkInfosEnd): + (JSC::CodeBlock::instructions): + (JSC::CodeBlock::instructions const): + (JSC::CodeBlock::vm const): + * dfg/DFGOSRExitCompilerCommon.h: + (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): + * jit/JIT.h: + * llint/LLIntOfflineAsmConfig.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter64.asm: + * parser/UnlinkedSourceCode.h: + * runtime/JSCPoison.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + * runtime/JSScriptFetchParameters.h: + * runtime/JSScriptFetcher.h: + * runtime/StructureTransitionTable.h: + * wasm/js/JSWebAssemblyCodeBlock.cpp: + (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock): + (JSC::JSWebAssemblyCodeBlock::visitChildren): + (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally): + * wasm/js/JSWebAssemblyCodeBlock.h: + +2018-01-06 Yusuke Suzuki + + Object.getOwnPropertyNames includes "arguments" and "caller" for bound functions + https://bugs.webkit.org/show_bug.cgi?id=181321 + + Reviewed by Saam 
Barati. + + According to ECMA262 16.2[1], functions created using the bind method must not have + "caller" and "arguments" own properties. + + [1]: https://tc39.github.io/ecma262/#sec-forbidden-extensions + + * runtime/JSBoundFunction.cpp: + (JSC::JSBoundFunction::finishCreation): + +2018-01-05 JF Bastien + + WebAssembly: poison JS object's secrets + https://bugs.webkit.org/show_bug.cgi?id=181339 + + + Reviewed by Mark Lam. + + Separating WebAssembly's JS objects from their non-JS + implementation means that all interesting information lives + outside of the JS object itself. This patch poisons each JS + object's pointer to non-JS implementation using the poisoning + mechanism and a unique key per JS object type origin. + + * runtime/JSCPoison.h: + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): JS -> wasm stores the JS + object in a stack slot when fast TLS is disabled. This requires + that we unpoison the Wasm::Instance. + * wasm/js/JSWebAssemblyCodeBlock.h: + * wasm/js/JSWebAssemblyInstance.h: + (JSC::JSWebAssemblyInstance::offsetOfPoisonedInstance): renamed to + be explicit that the pointer is poisoned. + * wasm/js/JSWebAssemblyMemory.h: + * wasm/js/JSWebAssemblyModule.h: + * wasm/js/JSWebAssemblyTable.h: + +2018-01-05 Michael Saboff + + Add ability to disable indexed property masking for testing + https://bugs.webkit.org/show_bug.cgi?id=181350 + + Reviewed by Keith Miller. + + Made the masking of indexed properties runtime controllable via a new JSC::Option + named disableSpectreMitigations. This is done to test the efficacy of that mitigation. + + The new option has a generic name as it will probably be used to disable future mitigations. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::SpeculativeJIT): + (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray): + (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3): + (JSC::FTL::DFG::LowerDFGToB3::maskedIndex): + (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray): + * jit/JIT.cpp: + (JSC::JIT::JIT): + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitDoubleLoad): + (JSC::JIT::emitContiguousLoad): + (JSC::JIT::emitArrayStorageLoad): + * runtime/Options.h: + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): + +2018-01-05 Michael Saboff + + Allow JSC Config Files to set Restricted Options + https://bugs.webkit.org/show_bug.cgi?id=181352 + + Reviewed by Mark Lam. + + * runtime/ConfigFile.cpp: + (JSC::ConfigFile::parse): + +2018-01-04 Keith Miller + + TypedArrays and Wasm should use index masking. + https://bugs.webkit.org/show_bug.cgi?id=181313 + + Reviewed by Michael Saboff. + + We should have index masking for our TypedArray code in the + DFG/FTL and for Wasm when doing bounds checking. Index masking for + Wasm is added to the WasmBoundsCheckValue. Since we don't CSE any + WasmBoundsCheckValues we don't need to worry about combining a + bounds check for a load and a store. I went with fusing the + pointer masking in the WasmBoundsCheckValue since it should reduce + additional compiler overhead. 
+ + * b3/B3LowerToAir.cpp: + * b3/B3Validate.cpp: + * b3/B3WasmBoundsCheckValue.cpp: + (JSC::B3::WasmBoundsCheckValue::WasmBoundsCheckValue): + (JSC::B3::WasmBoundsCheckValue::dumpMeta const): + * b3/B3WasmBoundsCheckValue.h: + (JSC::B3::WasmBoundsCheckValue::pinnedIndexingMask const): + * b3/air/AirCustom.h: + (JSC::B3::Air::WasmBoundsCheckCustom::generate): + * b3/testb3.cpp: + (JSC::B3::testWasmBoundsCheck): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): + (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray): + (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray): + (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): + (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite): + (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal): + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitIntTypedArrayGetByVal): + * runtime/Butterfly.h: + (JSC::Butterfly::computeIndexingMask const): + (JSC::Butterfly::computeIndexingMaskForVectorLength): Deleted. 
+ * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::JSArrayBufferView): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::B3IRGenerator): + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer): + (JSC::Wasm::B3IRGenerator::load): + (JSC::Wasm::B3IRGenerator::store): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::Memory): + (JSC::Wasm::Memory::grow): + * wasm/WasmMemory.h: + (JSC::Wasm::Memory::offsetOfIndexingMask): + * wasm/WasmMemoryInformation.cpp: + (JSC::Wasm::PinnedRegisterInfo::get): + (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo): + * wasm/WasmMemoryInformation.h: + (JSC::Wasm::PinnedRegisterInfo::toSave const): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + +2018-01-05 Commit Queue + + Unreviewed, rolling out r226434. + https://bugs.webkit.org/show_bug.cgi?id=181322 + + 32bit JSC failure in x86 (Requested by yusukesuzuki on + #webkit). + + Reverted changeset: + + "[DFG] Unify ToNumber implementation in 32bit and 64bit by + changing 32bit Int32Tag and LowestTag" + https://bugs.webkit.org/show_bug.cgi?id=181134 + https://trac.webkit.org/changeset/226434 + +2018-01-04 Devin Rousso + + Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic + https://bugs.webkit.org/show_bug.cgi?id=180770 + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Canvas.json: + +2018-01-04 Commit Queue + + Unreviewed, rolling out r226405. + https://bugs.webkit.org/show_bug.cgi?id=181318 + + Speculative rollout due to Octane/SplayLatency,Octane/Splay + regressions (Requested by yusukesuzuki on #webkit). 
+ + Reverted changeset: + + "[JSC] Create parallel SlotVisitors apriori" + https://bugs.webkit.org/show_bug.cgi?id=180907 + https://trac.webkit.org/changeset/226405 + +2018-01-04 Saam Barati + + Do value profiling in to_this + https://bugs.webkit.org/show_bug.cgi?id=181299 + + Reviewed by Filip Pizlo. + + This patch adds value profiling to to_this. We use the result of the value + profiling only for strict mode code when we don't predict that the input is + of a specific type. This helps when the input is SpecCellOther. Such cells + might implement a custom ToThis, which can produce an arbitrary result. Before + this patch, in prediction propagation, we were saying that a ToThis with a + SpecCellOther input also produced SpecCellOther. However, this is incorrect, + given that the input may implement ToThis that produces an arbitrary result. + This is seen inside Speedometer. This patch fixes an OSR exit loop in Speedometer. + + Interestingly, this patch only does value profiling on the slow path. The fast + path of to_this in the LLInt/baseline just perform a structure check. If it + passes, the result is the same as the input. Therefore, doing value profiling + from the fast path wouldn't actually produce new information for the ValueProfile. 
+ + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBytecode): + * bytecode/BytecodeList.json: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitToThis): + * bytecompiler/BytecodeGenerator.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + * dfg/DFGPredictionPropagationPhase.cpp: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + +2018-01-04 Yusuke Suzuki + + [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag + https://bugs.webkit.org/show_bug.cgi?id=181134 + + Reviewed by Mark Lam. + + We would like to unify DFG ToNumber implementation in 32bit and 64bit. One problem is that + branchIfNumber signature is different between 32bit and 64bit. 32bit implementation requires + an additional scratch register. We do not want to allocate an unnecessary register in 64bit + implementation. + + This patch removes the additional register in branchIfNumber/branchIfNotNumber in both 32bit + and 64bit implementation. To achieve this goal, we change Int32Tag and LowestTag order. By + setting Int32Tag as LowestTag, we can query whether the given tag is a number by checking + `<= LowestTag(Int32Tag)`. + + We also change the order of UndefinedTag, NullTag, and BooleanTag to keep `(UndefinedTag | 1) == NullTag`. + + We also clean up speculateMisc implementation by adding branchIfMisc/branchIfNotMisc. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueToInt32): + (JSC::DFG::SpeculativeJIT::compileDoubleRep): + (JSC::DFG::SpeculativeJIT::speculateNumber): + (JSC::DFG::SpeculativeJIT::speculateMisc): + (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): + (JSC::DFG::SpeculativeJIT::compileToNumber): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined): + (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): + (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::branchIfNotType): + (JSC::AssemblyHelpers::jitAssertIsJSNumber): + (JSC::AssemblyHelpers::emitConvertValueToBoolean): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfMisc): + (JSC::AssemblyHelpers::branchIfNotMisc): + (JSC::AssemblyHelpers::branchIfNumber): + (JSC::AssemblyHelpers::branchIfNotNumber): + (JSC::AssemblyHelpers::branchIfNotDoubleKnownNotInt32): + (JSC::AssemblyHelpers::emitTypeOf): + * jit/JITAddGenerator.cpp: + (JSC::JITAddGenerator::generateFastPath): + * jit/JITArithmetic32_64.cpp: + (JSC::JIT::emitBinaryDoubleOp): + * jit/JITDivGenerator.cpp: + (JSC::JITDivGenerator::loadOperand): + * jit/JITMulGenerator.cpp: + (JSC::JITMulGenerator::generateInline): + (JSC::JITMulGenerator::generateFastPath): + * jit/JITNegGenerator.cpp: + (JSC::JITNegGenerator::generateInline): + (JSC::JITNegGenerator::generateFastPath): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_is_number): + (JSC::JIT::emit_op_jeq_null): + (JSC::JIT::emit_op_jneq_null): + (JSC::JIT::emit_op_to_number): + (JSC::JIT::emit_op_profile_type): + * jit/JITRightShiftGenerator.cpp: + (JSC::JITRightShiftGenerator::generateFastPath): + * jit/JITSubGenerator.cpp: + 
(JSC::JITSubGenerator::generateInline): + (JSC::JITSubGenerator::generateFastPath): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * runtime/JSCJSValue.h: + +2018-01-04 JF Bastien + + Add assembler support for x86 lfence and sfence + https://bugs.webkit.org/show_bug.cgi?id=181311 + + + Reviewed by Michael Saboff. + + Useful for testing performance of serializing instructions (hint: + it's not good). + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::lfence): + (JSC::MacroAssemblerX86Common::sfence): + * assembler/X86Assembler.h: + (JSC::X86Assembler::lfence): + (JSC::X86Assembler::sfence): + +2018-01-04 Saam Barati + + Add a new pattern matching rule to Graph::methodOfGettingAValueProfileFor for SetLocal(@nodeWithHeapPrediction) + https://bugs.webkit.org/show_bug.cgi?id=181296 + + Reviewed by Filip Pizlo. + + Inside Speedometer's Ember test, there is a recompile loop like: + a: GetByVal(..., semanticOriginX) + b: SetLocal(Cell:@a, semanticOriginX) + + where the cell check always fails. For reasons I didn't investigate, the + baseline JIT's value profiling doesn't accurately capture the GetByVal's + result. + + However, when compiling this cell speculation check in the DFG, we get a null + MethodOfGettingAValueProfile inside Graph::methodOfGettingAValueProfileFor for + this IR pattern because both @a and @b have the same semantic origin. We + should not follow the same semantic origin heuristic when dealing with + SetLocal since SetLocal(@nodeWithHeapPrediction) is such a common IR pattern. + For patterns like this, we introduce a new heuristic: @NodeThatDoesNotProduceAValue(@nodeWithHeapPrediction). + For this IR pattern, we will update the value profile for the semantic origin + for @nodeWithHeapPrediction. So, for the Speedometer example above, we + will correctly update the GetByVal's value profile, which will prevent + an OSR exit loop. 
+ + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::methodOfGettingAValueProfileFor): + +2018-01-04 Keith Miller + + Array Storage operations sometimes did not update the indexing mask correctly. + https://bugs.webkit.org/show_bug.cgi?id=181301 + + Reviewed by Mark Lam. + + I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303 + + * runtime/JSArray.cpp: + (JSC::JSArray::shiftCountWithArrayStorage): + * runtime/JSObject.cpp: + (JSC::JSObject::increaseVectorLength): + +2018-01-04 Yusuke Suzuki + + [DFG] Define defs for MapSet/SetAdd to participate in CSE + https://bugs.webkit.org/show_bug.cgi?id=179911 + + Reviewed by Saam Barati. + + With this patch, our MapSet and SetAdd DFG nodes participate in CSE. + To handle a bit tricky DFG Map operation nodes, MapSet and SetAdd + produce added bucket as its result. Subsequent GetMapBucket will + be removed by CSE. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileSetAdd): + (JSC::DFG::SpeculativeJIT::compileMapSet): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd): + (JSC::FTL::DFG::LowerDFGToB3::compileMapSet): + * jit/JITOperations.h: + * runtime/HashMapImpl.h: + (JSC::HashMapImpl::addNormalized): + (JSC::HashMapImpl::addNormalizedInternal): + +2018-01-04 Yusuke Suzuki + + [JSC] Remove LocalScope + https://bugs.webkit.org/show_bug.cgi?id=181206 + + Reviewed by Geoffrey Garen. + + The last user of HandleStack and LocalScope is JSON. But MarkedArgumentBuffer is enough for their use. + This patch changes JSON parsing and stringifying to using MarkedArgumentBuffer. And remove HandleStack + and LocalScope. 
+ + We make Stringifier and Walker WTF_FORBID_HEAP_ALLOCATION to place them on the stack. So they can hold + JSObject* directly in their fields. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * heap/HandleStack.cpp: Removed. + * heap/HandleStack.h: Removed. + * heap/Heap.cpp: + (JSC::Heap::addCoreConstraints): + * heap/Heap.h: + (JSC::Heap::handleSet): + (JSC::Heap::handleStack): Deleted. + * heap/Local.h: Removed. + * heap/LocalScope.h: Removed. + * runtime/JSONObject.cpp: + (JSC::Stringifier::Holder::object const): + (JSC::gap): + (JSC::Stringifier::Stringifier): + (JSC::Stringifier::stringify): + (JSC::Stringifier::appendStringifiedValue): + (JSC::Stringifier::Holder::Holder): + (JSC::Stringifier::Holder::appendNextProperty): + (JSC::Walker::Walker): + (JSC::Walker::callReviver): + (JSC::Walker::walk): + (JSC::JSONProtoFuncParse): + (JSC::JSONProtoFuncStringify): + (JSC::JSONParse): + (JSC::JSONStringify): + +2018-01-04 Yusuke Suzuki + + [FTL] Optimize ObjectAllocationSinking mergePointerSets by using removeIf + https://bugs.webkit.org/show_bug.cgi?id=180238 + + Reviewed by Saam Barati. + + We can optimize ObjectAllocationSinking a bit by using removeIf. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + +2018-01-04 Yusuke Suzuki + + [JSC] Create parallel SlotVisitors apriori + https://bugs.webkit.org/show_bug.cgi?id=180907 + + Reviewed by Saam Barati. + + The number of SlotVisitors are capped with the number of HeapHelperPool's threads + 2. + If we create these SlotVisitors apriori, we do not need to create SlotVisitors dynamically. + Then we do not need to grab locks while iterating all the SlotVisitors. + + In addition, we do not need to consider the case that the number of SlotVisitors increases + after setting up VisitCounters in MarkingConstraintSolver since the number of SlotVisitors + does not increase any more. 
+
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC::Heap::runBeginPhase):
+ * heap/Heap.h:
+ * heap/HeapInlines.h:
+ (JSC::Heap::forEachSlotVisitor):
+ (JSC::Heap::numberOfSlotVisitors): Deleted.
+ * heap/MarkingConstraintSolver.cpp:
+ (JSC::MarkingConstraintSolver::didVisitSomething const):
+
+2018-01-03 Ting-Wei Lan
+
+ Replace hard-coded paths in shebangs with #!/usr/bin/env
+ https://bugs.webkit.org/show_bug.cgi?id=181040
+
+ Reviewed by Alex Christensen.
+
+ * Scripts/UpdateContents.py:
+ * Scripts/cssmin.py:
+ * Scripts/generate-combined-inspector-json.py:
+ * Scripts/xxd.pl:
+ * create_hash_table:
+ * generate-bytecode-files:
+ * wasm/generateWasm.py:
+ * wasm/generateWasmOpsHeader.py:
+ * yarr/generateYarrCanonicalizeUnicode:
+
+2018-01-03 Michael Saboff
+
+ Disable SharedArrayBuffers from Web API
+ https://bugs.webkit.org/show_bug.cgi?id=181266
+
+ Reviewed by Saam Barati.
+
+ Removed SharedArrayBuffer prototype and structure from GlobalObject creation
+ to disable.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::arrayBufferPrototype const):
+ (JSC::JSGlobalObject::arrayBufferStructure const):
+
+2018-01-03 Michael Saboff
+
+ Add "noInline" to $vm
+ https://bugs.webkit.org/show_bug.cgi?id=181265
+
+ Reviewed by Mark Lam.
+
+ This would be useful for web based tests.
+
+ * tools/JSDollarVM.cpp:
+ (JSC::getExecutableForFunction):
+ (JSC::functionNoInline):
+ (JSC::JSDollarVM::finishCreation):
+
+2018-01-03 Michael Saboff
+
+ Remove unnecessary flushing of Butterfly pointer in functionCpuClflush()
+ https://bugs.webkit.org/show_bug.cgi?id=181263
+
+ Reviewed by Mark Lam.
+
+ Flushing the butterfly pointer provides no benefit and slows this function.
+
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCpuClflush):
+
+2018-01-03 Saam Barati
+
+ Fix BytecodeParser op_catch assert to work with useProfiler=1
+ https://bugs.webkit.org/show_bug.cgi?id=181260
+
+ Reviewed by Keith Miller.
+
+ op_catch was asserting that the current block was empty. This is only true
+ if the profiler isn't enabled. When the profiler is enabled, we will
+ insert a CountExecution node before each bytecode. This patch fixes the
+ assert to work with the profiler.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
+2018-01-03 Per Arne Vollan
+
+ [Win][Debug] testapi link error.
+ https://bugs.webkit.org/show_bug.cgi?id=181247
+
+
+ Reviewed by Brent Fulgham.
+
+ Do not set the runtime library compile flag for C files, it is already set to the correct value.
+
+ * shell/PlatformWin.cmake:
+
+2018-01-03 Robin Morisset
+
+ Inlining of a function that ends in op_unreachable crashes
+ https://bugs.webkit.org/show_bug.cgi?id=181027
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
+ (JSC::DFG::ByteCodeParser::inlineCall):
+
+2018-01-02 Saam Barati
+
+ Incorrect assertion inside AccessCase
+ https://bugs.webkit.org/show_bug.cgi?id=181200
+
+
+ Reviewed by Yusuke Suzuki.
+
+ Consider a PutById compiled to a setter in a function like so:
+
+ ```
+ function foo(o) { o.f = o; }
+ ```
+
+ The DFG will often assign the same registers to the baseGPR (o in o.f) and the
+ valueRegsPayloadGPR (o in the RHS). The code totally works when these are assigned
+ to the same register. However, we're asserting that they're not the same register.
+ This patch just removes this invalid assertion.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+
+2018-01-02 Caio Lima
+
+ [ESNext][BigInt] Implement BigIntConstructor and BigIntPrototype
+ https://bugs.webkit.org/show_bug.cgi?id=175359
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch is implementing BigIntConstructor and BigIntPrototype
+ following spec[1, 2]. As addition, we are also implementing BigIntObject
+ warapper to handle ToObject(v) abstract operation when "v" is a BigInt
+ primitive. With these classes, now it's possible to syntetize
+ BigInt.prototype and then call "toString", "valueOf" and
+ "toLocaleString" when the primitive is a BigInt.
+ BigIntConstructor exposes an API to parse other primitives such as
+ Number, Boolean and String to BigInt.
+ We decided to skip parseInt implementation, since it was removed from
+ spec.
+
+ [1] - https://tc39.github.io/proposal-bigint/#sec-bigint-constructor
+ [2] - https://tc39.github.io/proposal-bigint/#sec-properties-of-the-bigint-prototype-object
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * jsc.cpp:
+ * runtime/BigIntConstructor.cpp: Added.
+ (JSC::BigIntConstructor::BigIntConstructor):
+ (JSC::BigIntConstructor::finishCreation):
+ (JSC::isSafeInteger):
+ (JSC::toBigInt):
+ (JSC::callBigIntConstructor):
+ (JSC::bigIntConstructorFuncAsUintN):
+ (JSC::bigIntConstructorFuncAsIntN):
+ * runtime/BigIntConstructor.h: Added.
+ (JSC::BigIntConstructor::create):
+ (JSC::BigIntConstructor::createStructure):
+ * runtime/BigIntObject.cpp: Added.
+ (JSC::BigIntObject::BigIntObject):
+ (JSC::BigIntObject::finishCreation):
+ (JSC::BigIntObject::toStringName):
+ (JSC::BigIntObject::defaultValue):
+ * runtime/BigIntObject.h: Added.
+ (JSC::BigIntObject::create):
+ (JSC::BigIntObject::internalValue const):
+ (JSC::BigIntObject::createStructure):
+ * runtime/BigIntPrototype.cpp: Added.
+ (JSC::BigIntPrototype::BigIntPrototype):
+ (JSC::BigIntPrototype::finishCreation):
+ (JSC::toThisBigIntValue):
+ (JSC::bigIntProtoFuncToString):
+ (JSC::bigIntProtoFuncToLocaleString):
+ (JSC::bigIntProtoFuncValueOf):
+ * runtime/BigIntPrototype.h: Added.
+ (JSC::BigIntPrototype::create):
+ (JSC::BigIntPrototype::createStructure):
+ * runtime/IntlCollator.cpp:
+ (JSC::IntlCollator::initializeCollator):
+ * runtime/IntlNumberFormat.cpp:
+ (JSC::IntlNumberFormat::initializeNumberFormat):
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::createFrom):
+ (JSC::JSBigInt::parseInt):
+ (JSC::JSBigInt::toObject const):
+ * runtime/JSBigInt.h:
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::synthesizePrototype const):
+ * runtime/JSCPoisonedPtr.cpp:
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::toObjectSlow const):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::bigIntPrototype const):
+ (JSC::JSGlobalObject::bigIntObjectStructure const):
+ * runtime/StructureCache.h:
+ * runtime/StructureInlines.h:
+ (JSC::prototypeForLookupPrimitiveImpl):
+
+2018-01-02 Tim Horton
+
+ Fix the MathCommon build with a recent compiler
+ https://bugs.webkit.org/show_bug.cgi?id=181216
+
+ Reviewed by Sam Weinig.
+
+ * runtime/MathCommon.cpp:
+ (JSC::fdlibmPow):
+ This cast drops the 'const' qualifier from the pointer to 'one',
+ but it doesn't have to, and it makes the compiler sad.
+
+== Rolled over to ChangeLog-2018-01-01 ==
diff --git a/ChangeLog-2019-06-05 b/ChangeLog-2019-06-05
new file mode 100644
index 0000000..9157c54
--- /dev/null
+++ b/ChangeLog-2019-06-05
@@ -0,0 +1,31902 @@ +2019-06-04 Michael Catanzaro + + Fix miscellaneous build warnings + https://bugs.webkit.org/show_bug.cgi?id=198544 + + Reviewed by Don Olmstead. + + Silence -Wclass-memaccess warning in this dangerous code. + + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + +2019-06-04 Yusuke Suzuki + + Unreviewed, update exception scope for putByIndexBeyondVectorLength + https://bugs.webkit.org/show_bug.cgi?id=198477 + + * runtime/JSObject.cpp: + (JSC::JSObject::putByIndexBeyondVectorLength): + +2019-06-04 Tadeu Zagallo + + Argument elimination should check transitive dependents for interference + https://bugs.webkit.org/show_bug.cgi?id=198520 + + + Reviewed by Filip Pizlo. + + Consider the following program: + + a: CreateRest + --> + b: CreateRest + <-- + c: Spread(@a) + d: Spread(@b) + e: NewArrayWithSpread(@a, @b) + f: KillStack(locX) + g: LoadVarargs(@e) + + Suppose @b reads locX, then we cannot transform @e to PhantomNewArraySpread, since that would + move the stack access from @b into @g, and that stack location is no longer valid at that point. + + We fix that by computing a set of all inline call frames that any argument elimination candidate + depends on and checking each of them for interference in `eliminateCandidatesThatInterfere`. + + * dfg/DFGArgumentsEliminationPhase.cpp: + +2019-06-04 Yusuke Suzuki + + [JSC] InferredValue should not be a JSCell + https://bugs.webkit.org/show_bug.cgi?id=198407 + + Reviewed by Filip Pizlo. + + Allocating InferredValue as a JSCell is too costly in terms of memory. Gmail has 90000 FunctionExecutables. And each gets + InferredValue, which takes 32 bytes. So it takes 2.7 MB memory footprint. + + In this patch, we introduce a new container InferredValue<>. Which is similar to WriteBarrier<> container, but it replaces + the existing InferredValue cells with one pointer size field. The implementation of InferredValue<> is similar to + InlineWatchpointSet. 
But we encode JSCell* too to the pointer data of InlineWatchpointSet. So sizeof(InferredValue<>) is one + pointer size while it keeps Watchpoint feature and JSCell holder feature. + + InferredValue<> needs validation in GC finalize phase. So this patch also makes SymbolTable Iso-allocated. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfileBase::initializeProfile): + * bytecode/Watchpoint.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::get): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGClobbersExitState.cpp: + (JSC::DFG::clobbersExitState): + * dfg/DFGDesiredWatchpoints.cpp: + (JSC::DFG::SymbolTableAdaptor::add): + (JSC::DFG::FunctionExecutableAdaptor::add): + (JSC::DFG::DesiredWatchpoints::addLazily): + (JSC::DFG::DesiredWatchpoints::reallyAdd): + (JSC::DFG::DesiredWatchpoints::areStillValid const): + (JSC::DFG::DesiredWatchpoints::dumpInContext const): + (JSC::DFG::InferredValueAdaptor::add): Deleted. + * dfg/DFGDesiredWatchpoints.h: + (JSC::DFG::SymbolTableAdaptor::hasBeenInvalidated): + (JSC::DFG::SymbolTableAdaptor::dumpInContext): + (JSC::DFG::FunctionExecutableAdaptor::hasBeenInvalidated): + (JSC::DFG::FunctionExecutableAdaptor::dumpInContext): + (JSC::DFG::DesiredWatchpoints::isWatched): + (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated): Deleted. + (JSC::DFG::InferredValueAdaptor::dumpInContext): Deleted. 
+ * dfg/DFGObjectAllocationSinkingPhase.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunction): + (JSC::DFG::SpeculativeJIT::compileCreateActivation): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation): + (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction): + * heap/Heap.cpp: + (JSC::Heap::finalizeUnconditionalFinalizers): + * runtime/FunctionExecutable.cpp: + (JSC::FunctionExecutable::FunctionExecutable): + (JSC::FunctionExecutable::finishCreation): + (JSC::FunctionExecutable::visitChildren): + * runtime/FunctionExecutable.h: + * runtime/FunctionExecutableInlines.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h. + (JSC::FunctionExecutable::finalizeUnconditionally): + * runtime/InferredValue.cpp: Removed. + * runtime/InferredValue.h: + (JSC::InferredValue::inferredValue): + (JSC::InferredValue::InferredValue): + (JSC::InferredValue::~InferredValue): + (JSC::InferredValue::stateOnJSThread const): + (JSC::InferredValue::state const): + (JSC::InferredValue::hasBeenInvalidated const): + (JSC::InferredValue::isStillValid const): + (JSC::InferredValue::invalidate): + (JSC::InferredValue::isBeingWatched const): + (JSC::InferredValue::notifyWrite): + (JSC::InferredValue::isThin): + (JSC::InferredValue::isFat): + (JSC::InferredValue::decodeState): + (JSC::InferredValue::encodeState): + (JSC::InferredValue::isThin const): + (JSC::InferredValue::isFat const): + (JSC::InferredValue::fat): + (JSC::InferredValue::fat const): + (JSC::InferredValue::inflate): + (JSC::InferredValue::InferredValueWatchpointSet::notifyWriteSlow): + (JSC::InferredValue::notifyWriteSlow): + (JSC::InferredValue::add): + (JSC::InferredValue::inflateSlow): + (JSC::InferredValue::freeFat): + * runtime/InferredValueInlines.h: + (JSC::InferredValue::finalizeUnconditionally): + (JSC::InferredValue::finalizeUnconditionally): Deleted. 
+ * runtime/JSFunctionInlines.h: + (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint): + * runtime/JSSymbolTableObject.h: + (JSC::JSSymbolTableObject::setSymbolTable): + * runtime/SymbolTable.cpp: + (JSC::SymbolTable::finishCreation): + (JSC::SymbolTable::visitChildren): + * runtime/SymbolTable.h: + * runtime/SymbolTableInlines.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h. + (JSC::SymbolTable::finalizeUnconditionally): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2019-06-04 Tadeu Zagallo + + Argument elimination should check for negative indices in GetByVal + https://bugs.webkit.org/show_bug.cgi?id=198302 + + + Reviewed by Filip Pizlo. + + In DFG::ArgumentEliminationPhase, the index is treated as unsigned, but there's no check + for overflow in the addition. In compileGetMyArgumentByVal, there's a check for overflow, + but the index is treated as signed, resulting in an index lower than numberOfArgumentsToSkip. + + * dfg/DFGArgumentsEliminationPhase.cpp: + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal): + +2019-06-04 Tadeu Zagallo + + JSScript should not keep bytecode cache in memory + https://bugs.webkit.org/show_bug.cgi?id=198482 + + Reviewed by Saam Barati. + + When JSScript writes to the cache, we keep the in-memory serialized bytecode alive. + Instead, we should only ever hold the memory mapped bytecode cache to avoid using + too much memory. + + * API/JSScript.mm: + (-[JSScript writeCache:]): + * API/tests/testapi.mm: + (testBytecodeCacheWithSyntaxError): + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * jsc.cpp: + * parser/SourceProvider.h: + * runtime/BytecodeCacheError.cpp: Added. 
+ (JSC::BytecodeCacheError::StandardError::isValid const): + (JSC::BytecodeCacheError::StandardError::message const): + (JSC::BytecodeCacheError::WriteError::isValid const): + (JSC::BytecodeCacheError::WriteError::message const): + (JSC::BytecodeCacheError::operator=): + (JSC::BytecodeCacheError::isValid const): + (JSC::BytecodeCacheError::message const): + * runtime/BytecodeCacheError.h: Added. + (JSC::BytecodeCacheError::StandardError::StandardError): + (JSC::BytecodeCacheError::WriteError::WriteError): + * runtime/CachedBytecode.h: + (JSC::CachedBytecode::create): + * runtime/CachedTypes.cpp: + (JSC::Encoder::Encoder): + (JSC::Encoder::release): + (JSC::Encoder::releaseMapped): + (JSC::encodeCodeBlock): + (JSC::encodeFunctionCodeBlock): + * runtime/CachedTypes.h: + * runtime/CodeCache.cpp: + (JSC::serializeBytecode): + * runtime/CodeCache.h: + * runtime/Completion.cpp: + (JSC::generateProgramBytecode): + (JSC::generateModuleBytecode): + * runtime/Completion.h: + +2019-06-03 Caio Lima + + [ESNext][BigInt] Implement support for "**" + https://bugs.webkit.org/show_bug.cgi?id=190799 + + Reviewed by Saam Barati. + + We are introducing support for BigInt into "**" operator. This Patch + also includes changes into DFG, introducing a new node "ValuePow" that + is responsible to handle UntypedUse and BigIntUse. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + + ValuePow(Untyped, Untyped) still can propagate constant if AI proves + it. We are doing so if AI proves rhs and lhs as numbers. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + + When compiling op_pow, we first verify if rhs and lhs can be any Int + or number. If this happen, we emit ArithPow, otherwise we fallback to + ValuePow and rely on fixup to convert it to ArithPow if possible. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + + We only clobberize world if ValuePow is UntypedUse. Otherwise, we can + properly support CSE. 
+ + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + + JSBigInt::exponentiate allocates JSBigInts to perform calculation and + it can trigger GC. ValuePow(UntypedUse) can trigger GC because it can + execute user code. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupArithPow): + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValuePow): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGValidate.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNode): + (JSC::FTL::DFG::LowerDFGToB3::compileValuePow): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + + We are adding proper support to BigInt on op_pow. The specification + defines that we can only apply pow when both operands have the same + type after calling ToNumeric(). + + * runtime/JSBigInt.cpp: + (JSC::JSBigInt::exponentiate): + * runtime/JSBigInt.h: + +2019-06-03 Yusuke Suzuki + + [JSC] JSObject::attemptToInterceptPutByIndexOnHole should use getPrototype instead of getPrototypeDirect + https://bugs.webkit.org/show_bug.cgi?id=198477 + + + Reviewed by Saam Barati. + + JSObject::attemptToInterceptPutByIndexOnHole uses getPrototypeDirect, but it should use getPrototype to + handle getPrototype methods in derived JSObject classes correctly. 
+ + * runtime/JSArrayInlines.h: + (JSC::JSArray::pushInline): + * runtime/JSObject.cpp: + (JSC::JSObject::putByIndex): + (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype): + (JSC::JSObject::attemptToInterceptPutByIndexOnHole): + (JSC::JSObject::putByIndexBeyondVectorLength): + +2019-06-03 Don Olmstead + + [CMake] Add WebKit::JavaScriptCore target + https://bugs.webkit.org/show_bug.cgi?id=198403 + + Reviewed by Konstantin Tokarev. + + Create the WebKit::JavaScriptCore target and use that to propagate headers. Use + WEBKIT_COPY_FILES instead of WEBKIT_MAKE_FORWARDING_HEADERS. + + * CMakeLists.txt: + * shell/CMakeLists.txt: + +2019-06-03 Commit Queue + + Unreviewed, rolling out r246022. + https://bugs.webkit.org/show_bug.cgi?id=198486 + + Causing Internal build failures and JSC test failures + (Requested by ShawnRoberts on #webkit). + + Reverted changeset: + + "Reenable Gigacage on ARM64." + https://bugs.webkit.org/show_bug.cgi?id=198453 + https://trac.webkit.org/changeset/246022 + +2019-06-03 Darin Adler + + Finish cleanup of String::number for floating point + https://bugs.webkit.org/show_bug.cgi?id=198471 + + Reviewed by Yusuke Suzuki. + + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): Use String::number instead of + String::numberToStringECMAScript, since that's now the default. + * parser/ParserArena.h: + (JSC::IdentifierArena::makeNumericIdentifier): Ditto. + * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): Use appendNumber instead of + builder.appendECMAScriptNumber, since that's now the default. + * runtime/NumberPrototype.cpp: + (JSC::toStringWithRadix): Use String::number instead of + String::numberToStringECMAScript, since that's now the default. + (JSC::numberProtoFuncToExponential): Ditto. + (JSC::numberProtoFuncToFixed): Ditto. + (JSC::numberProtoFuncToPrecision): Ditto. + (JSC::numberToStringInternal): Ditto. + * runtime/NumericStrings.h: + (JSC::NumericStrings::add): Ditto. 
+ * wasm/WasmBBQPlan.cpp: + (JSC::Wasm::BBQPlan::prepare): Ditto. + +2019-06-02 Yusuke Suzuki + + [JSC] Crash explicitly if StructureIDs are exhausted + https://bugs.webkit.org/show_bug.cgi?id=198467 + + Reviewed by Sam Weinig. + + When StructureIDTable::m_size reaches to s_maximumNumberOfStructures, newCapacity in resize function is also capped with s_maximumNumberOfStructures. + So m_size == newCapacity. In that case, the following code in resize function, `makeFreeListFromRange(m_size, m_capacity - 1);` starts executing the + wrong code. + + Currently, this is safe. We immediately execute the wrong code in makeFreeListFromRange, and crash with zero division. But we should not rely on + this crash, and instead we should explicitly crash because we exhaust StructureIDs. + + This patch inserts RELEASE_ASSERT for `m_size < newCapacity` status to ensure that resize is always extending the table. + + In practice, this crash does not happen in Safari because Safari has memory footprint limit. To exhaust StructureIDs, we need to allocate massive + amount of Structures, and it exceeds the memory footprint limit and the process will be killed. + + * runtime/StructureIDTable.cpp: + (JSC::StructureIDTable::resize): + +2019-06-02 Keith Miller + + Reenable Gigacage on ARM64. + https://bugs.webkit.org/show_bug.cgi?id=198453 + + Reviewed by Filip Pizlo. + + This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the + old Gigacage however, arm64e uses both Gigacaging and PAC. Since + Gigacaging would otherwise strip a PAC failed authenticate bit we + force a load of the pointer into some garbage register. 
+ + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): + (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): + (JSC::FTL::DFG::LowerDFGToB3::caged): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::cageConditionally): + * llint/LowLevelInterpreter64.asm: + +2019-06-02 Tadeu Zagallo + + CachedMetadataTable::decode leaks empty tables + https://bugs.webkit.org/show_bug.cgi?id=198465 + + + Reviewed by Yusuke Suzuki. + + CachedMetadataTable::decode creates the metadata and never calls finalize on it. + This leaks the underlying UnlinkedMetadataTable buffer when m_hasMetadata is false, + since the buffer would be freed in finalize instead of in the destructor. + + * bytecode/UnlinkedMetadataTable.h: + (JSC::UnlinkedMetadataTable::empty): + * bytecode/UnlinkedMetadataTableInlines.h: + (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable): + * runtime/CachedTypes.cpp: + (JSC::CachedMetadataTable::decode const): + +2019-05-31 Yusuke Suzuki + + Unreviewed, fix setEntryAddressCommon register usage in LLInt ASM Windows 64 + https://bugs.webkit.org/show_bug.cgi?id=197979 + + * llint/LowLevelInterpreter.asm: + * offlineasm/x86.rb: + +2019-05-31 Stephan Szabo + + [PlayStation] Support internal test runner for JSC tests + https://bugs.webkit.org/show_bug.cgi?id=198386 + + Reviewed by Alex Christensen. + + Support using our test runner with our wrapper library + to run multiple tests sequentially in one execution. With + default arguments, will run as normal, but with special + arguments will shift into this mode. + + * runtime/Options.h: + Export the default values of the JSC options similar + to the values for resetting the values between tests. + * shell/PlatformPlayStation.cmake: + * shell/playstation/TestShell.cpp: Added. 
+ (setupTestRun): Function to set up the system before starting the tests + (preTest): Function for setting up individual test + (runTest): Function to run a test execution + (postTest): Function for shutdown of individual test + (shutdownTestRun): Function for shutting down the system after test run completes. + +2019-05-31 Don Olmstead + + [CMake] Add WebKit::WTF target + https://bugs.webkit.org/show_bug.cgi?id=198400 + + Reviewed by Konstantin Tokarev. + + Use the WebKit::WTF target. + + * CMakeLists.txt: + * shell/CMakeLists.txt: + +2019-05-30 Devin Rousso + + Web Inspector: Audit: there should be a default test for WebInspectorAudit.Resources functionality + https://bugs.webkit.org/show_bug.cgi?id=196710 + + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Audit.json: + Increment Audit version. + +2019-05-30 Devin Rousso + + Web Inspector: Audit: tests are unable to get the current Audit version + https://bugs.webkit.org/show_bug.cgi?id=198270 + + Reviewed by Timothy Hatcher. + + Expose the Audit version number through the `WebInspectorObject` that's injected into tests + so that they can decide at runtime whether they're supported (e.g. the `unsupported` result). + + * inspector/agents/InspectorAuditAgent.h: + * inspector/agents/InspectorAuditAgent.cpp: + (Inspector::InspectorAuditAgent::populateAuditObject): + +2019-05-30 Tadeu Zagallo and Yusuke Suzuki + + [JSC] Implement op_wide16 / op_wide32 and introduce 16bit version bytecode + https://bugs.webkit.org/show_bug.cgi?id=197979 + + Reviewed by Filip Pizlo. + + This patch introduces 16bit bytecode size. Previously, we had two versions of bytecodes, 8bit and 32bit. However, + in Gmail, we found that a lot of bytecodes get 32bit because they do not fit in 8bit. 8bit is very small and large + function easily emits a lot of 32bit bytecodes because of large VirtualRegister number etc. But they almost always + fit in 16bit. 
If we can have 16bit version of bytecode, we can make most of the current 32bit bytecodes 16bit and + save memory. + + We rename rename op_wide to op_wide32 and introduce op_wide16. The mechanism is similar to old op_wide. When we + get op_wide16, the following bytecode data is 16bit, and we execute 16bit version of bytecode in LLInt. + + We also disable this op_wide16 feature in Windows CLoop, which is used in AppleWin port. When the code size of + CLoop::execute increases, MSVC starts generating CLoop::execute function with very large stack allocation + requirement. Even before introducing this 16bit bytecode, CLoop::execute in AppleWin takes almost 100KB stack + height. After introducing this, it becomes 160KB. While the semantics of the function is correctly compiled, + such a large stack allocation is not essentially necessary, and this leads to stack overflow errors quite easily, + and tests fail with AppleWin port because it starts throwing stack overflow range error in various places. + In this patch, for now, we just disable op_wide16 feature for AppleWin so that CLoop::execute takes 100KB + stack allocation because this patch is not focusing on fixing AppleWin's CLoop issue. We introduce a new backend + type for LLInt, "C_LOOP_WIN". "C_LOOP_WIN" do not generate wide16 version of code to reduce the code size of + CLoop::execute. In the future, we should investigate whether this MSVC issue is fixed in Visual Studio 2019. + Or we should consider always enabling ASM LLInt for Windows. + + This patch improves Gmail by 7MB at least. 
+ + * CMakeLists.txt: + * bytecode/BytecodeConventions.h: + * bytecode/BytecodeDumper.cpp: + (JSC::BytecodeDumper::dumpBlock): + * bytecode/BytecodeList.rb: + * bytecode/BytecodeRewriter.h: + (JSC::BytecodeRewriter::Fragment::align): + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::metadataTable const): + * bytecode/Fits.h: + * bytecode/Instruction.h: + (JSC::Instruction::opcodeID const): + (JSC::Instruction::isWide16 const): + (JSC::Instruction::isWide32 const): + (JSC::Instruction::hasMetadata const): + (JSC::Instruction::sizeShiftAmount const): + (JSC::Instruction::size const): + (JSC::Instruction::wide16 const): + (JSC::Instruction::wide32 const): + (JSC::Instruction::isWide const): Deleted. + (JSC::Instruction::wide const): Deleted. + * bytecode/InstructionStream.h: + (JSC::InstructionStreamWriter::write): + * bytecode/Opcode.h: + * bytecode/OpcodeSize.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::alignWideOpcode16): + (JSC::BytecodeGenerator::alignWideOpcode32): + (JSC::BytecodeGenerator::emitGetByVal): Previously, we always emit 32bit op_get_by_val for bytecodes in `for-in` context because + its operand can be replaced to the other VirtualRegister later. But if we know that replacing VirtualRegister can fit in 8bit / 16bit + a-priori, we should not emit 32bit version. We expose OpXXX::checkWithoutMetadataID to check whether we could potentially compact + the bytecode for the given operands. + + (JSC::BytecodeGenerator::emitYieldPoint): + (JSC::StructureForInContext::finalize): + (JSC::BytecodeGenerator::alignWideOpcode): Deleted. 
+ * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::write): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * generator/Argument.rb: + * generator/DSL.rb: + * generator/Metadata.rb: + * generator/Opcode.rb: A little bit weird but checkImpl's argument must be reference. We are relying on that BoundLabel is once modified in + this check phase, and the modified BoundLabel will be used when emitting the code. If checkImpl copies the passed BoundLabel, this modification + will be discarded in this checkImpl function and make the code generation broken. + + * generator/Section.rb: + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::opcodeMapWide16): + (JSC::LLInt::opcodeMapWide32): + (JSC::LLInt::getOpcodeWide16): + (JSC::LLInt::getOpcodeWide32): + (JSC::LLInt::getWide16CodePtr): + (JSC::LLInt::getWide32CodePtr): + (JSC::LLInt::opcodeMapWide): Deleted. + (JSC::LLInt::getOpcodeWide): Deleted. + (JSC::LLInt::getWideCodePtr): Deleted. + * llint/LLIntOfflineAsmConfig.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * offlineasm/arm.rb: + * offlineasm/arm64.rb: + * offlineasm/asm.rb: + * offlineasm/backends.rb: + * offlineasm/cloop.rb: + * offlineasm/instructions.rb: + * offlineasm/mips.rb: + * offlineasm/x86.rb: Load operation with sign extension should also have the extended size information. For example, loadbs should be + converted to loadbsi for 32bit sign extension (and loadbsq for 64bit sign extension). And use loadbsq / loadhsq for loading VirtualRegister + information in LowLevelInterpreter64 since they will be used for pointer arithmetic and they are using machine register width. 
+ + * parser/ResultType.h: + (JSC::OperandTypes::OperandTypes): + (JSC::OperandTypes::first const): + (JSC::OperandTypes::second const): + (JSC::OperandTypes::bits): + (JSC::OperandTypes::fromBits): + (): Deleted. + (JSC::OperandTypes::toInt): Deleted. + (JSC::OperandTypes::fromInt): Deleted. + We reduce sizeof(OperandTypes) from unsigned to uint16_t, which guarantees that OperandTypes always fit in 16bit bytecode. + +2019-05-30 Justin Michaud + + oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016) + https://bugs.webkit.org/show_bug.cgi?id=198355 + + Reviewed by Saam Barati. + + Fix missing anyref case in addLocal. + + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::addLocal): + +2019-05-29 Don Olmstead + + Remove ENABLE definitions from WebKit config files + https://bugs.webkit.org/show_bug.cgi?id=197858 + + Reviewed by Simon Fraser. + + Sync FeatureDefines.xcconfig. + + * Configurations/FeatureDefines.xcconfig: + +2019-05-28 Dean Jackson + + Implement Promise.allSettled + https://bugs.webkit.org/show_bug.cgi?id=197600 + + + Reviewed by Keith Miller. + + Implement Promise.allSettled + https://github.com/tc39/proposal-promise-allSettled/ + + Shipping in Firefox since version 68. + Shipping in V8 since https://chromium.googlesource.com/v8/v8.git/+/1f6d27e8df819b448712dface6ad367fb8de426b + + * builtins/PromiseConstructor.js: + (allSettled.newResolveRejectElements.resolveElement): + (allSettled.newResolveRejectElements.rejectElement): + (allSettled.newResolveRejectElements): + (allSettled): Added. + * runtime/JSPromiseConstructor.cpp: Add ref to allSettled. + +2019-05-28 Michael Saboff + + [YARR] Properly handle RegExp's that require large ParenContext space + https://bugs.webkit.org/show_bug.cgi?id=198065 + + Reviewed by Keith Miller. 
+ + Changed what happens when we exceed VM::patternContextBufferSize when compiling a RegExp + that needs ParenCOntextSpace to fail the RegExp JIT compilation and fall back to the YARR + interpreter. This can save large amounts of JIT memory for a + JIT'ed function that cannot ever succeed. + + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::initParenContextFreeList): + (JSC::Yarr::YarrGenerator::compile): + +2019-05-28 Tadeu Zagallo + + JITOperations putByVal should mark negative array indices as out-of-bounds + https://bugs.webkit.org/show_bug.cgi?id=198271 + + Reviewed by Saam Barati. + + Similar to what was done to getByVal in r245769, we should also mark put_by_val as out-of-bounds + when we exit from DFG for putting to a negative index. This avoids the same scenario where we keep + recompiling a CodeBlock with DFG and exiting at the same bytecode. + + This is a 3.7x improvement in the microbenchmark being added: put-by-val-negative-array-index.js. + + * jit/JITOperations.cpp: + +2019-05-28 Yusuke Suzuki + + Unreviewed, revert r242070 due to Membuster regression + https://bugs.webkit.org/show_bug.cgi?id=195013 + + Membuster shows ~0.3% regression. + + * heap/Heap.cpp: + (JSC::Heap::Heap): + (JSC::Heap::runBeginPhase): + * heap/Heap.h: + * heap/HeapInlines.h: + (JSC::Heap::forEachSlotVisitor): + (JSC::Heap::numberOfSlotVisitors): Deleted. + * heap/MarkingConstraintSolver.cpp: + (JSC::MarkingConstraintSolver::didVisitSomething const): + * heap/SlotVisitor.h: + +2019-05-27 Tadeu Zagallo + + Fix opensource build of testapi + https://bugs.webkit.org/show_bug.cgi?id=198256 + + Reviewed by Alexey Proskuryakov. + + In r245564, we added custom entitlements to testapi to allow caching + bytecode in data vaults, but we should only use the entitlements for + internal builds. Otherwises, testapi gets killed on launch. Also fix the + formatting for the errors added in the same patch, according to comments + in the bug after the patch had already landed. 
+ + * API/JSScript.mm: + (validateBytecodeCachePath): + * Configurations/ToolExecutable.xcconfig: + +2019-05-25 Tadeu Zagallo + + JITOperations getByVal should mark negative array indices as out-of-bounds + https://bugs.webkit.org/show_bug.cgi?id=198229 + + Reviewed by Saam Barati. + + get_by_val with an array or string as base value and a negative index causes DFG to OSR exit, + but baseline doesn't mark it as out-of-bounds, since it only considers positive indices. This + leads to discarding DFG code, recompiling it and exiting at the same bytecode. + + This is observed in the prepack-wtb subtest of JetStream2. In popContext#CdOhFJ, the last item + of the array popped and the new last value is accessed using `array[array.length - 1]`, which + is -1 when the array is empty. It shows a ~0.5% progression in JetStream2, but it's within the + noise. + + * jit/JITOperations.cpp: + (JSC::getByVal): + +2019-05-24 Justin Michaud + + [WASM-References] Support Anyref in globals + https://bugs.webkit.org/show_bug.cgi?id=198102 + + Reviewed by Saam Barati. + + Support anyref for globals, imports and exports. This adds code in B3 and Air to emit a write barrier + on the JSWebAssemblyWrapper whenever an anyref global is set. This also fixes a small bug in emitCCall + for air where it adds code to the wrong block. 
+ + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::emitCCall): + (JSC::Wasm::AirIRGenerator::moveOpForValueType): + (JSC::Wasm::AirIRGenerator::setGlobal): + (JSC::Wasm::AirIRGenerator::emitWriteBarrierForJSWrapper): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::setGlobal): + (JSC::Wasm::B3IRGenerator::emitWriteBarrierForJSWrapper): + * wasm/WasmInstance.cpp: + (JSC::Wasm::Instance::Instance): + (JSC::Wasm::Instance::setGlobal): + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::loadI32Global const): + (JSC::Wasm::Instance::loadI64Global const): + (JSC::Wasm::Instance::setGlobal): + (JSC::Wasm::Instance::shouldMarkGlobal): + (JSC::Wasm::Instance::numGlobals const): + * wasm/WasmSectionParser.cpp: + (JSC::Wasm::SectionParser::parseInitExpr): + * wasm/js/JSWebAssemblyInstance.cpp: + (JSC::JSWebAssemblyInstance::visitChildren): + * wasm/js/WebAssemblyModuleRecord.cpp: + (JSC::WebAssemblyModuleRecord::link): + +2019-05-23 Devin Rousso + + Web Inspector: Overlay: rulers/guides should be shown whenever element selection is enabled + https://bugs.webkit.org/show_bug.cgi?id=198088 + + Reviewed by Timothy Hatcher. + + When trying to "measure" the absolute position (to the viewport) or relative position (to + another element) of a given element, often the easiest way is to enable Element Selection + and Show Rulers at the same time. + + This can have the undesired "side-effect" of having the rulers be always present, even when + not highlighting any nodes. + + The ideal functionality is to allow the rulers/guides to be shown when element selection is + active and a node is hovered, regardless of whether "Show Rulers" is enabled. + + * inspector/protocol/DOM.json: + Add an optional `showRulers` parameter to `DOM.setInspectModeEnabled` that supersedes the + current value of `Page.setShowRulers` as to whether rulers/guides are shown. 
+ +2019-05-23 Ross Kirsling + + Socket-based RWI should be able to inspect a JSContext + https://bugs.webkit.org/show_bug.cgi?id=198197 + + Reviewed by Don Olmstead. + + * inspector/remote/socket/RemoteInspectorSocket.cpp: + (Inspector::RemoteInspector::listingForInspectionTarget const): + Just use the debuggableType strings that WebInspectorUI ultimately wants. + +2019-05-23 Tadeu Zagallo + + DFG::OSREntry should not perform arity check + https://bugs.webkit.org/show_bug.cgi?id=198189 + + Reviewed by Saam Barati. + + The check prevents OSR entering from hot loops inside functions that were called + with too few arguments. + + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + +2019-05-23 Ross Kirsling + + Lexer::parseDecimal ought to ASSERT isASCIIDigit + https://bugs.webkit.org/show_bug.cgi?id=198156 + + Reviewed by Keith Miller. + + * parser/Lexer.cpp: + (JSC::Lexer::parseDecimal): + Add ASSERT -- apparently the issue with doing so earlier was simply + that m_current can be anything at all when m_buffer8 is non-empty. + + (JSC::Lexer::lexWithoutClearingLineTerminator): + Clean up a few things in the vicinity of r245655: + - fix token enum values in a couple of error cases added in the last patch + - add UNLIKELY for existing error cases that forgot to use it + - simplify some control flow + +2019-05-23 Adrian Perez de Castro + + Fix a few missing header inclusions often masked by by unified sources + https://bugs.webkit.org/show_bug.cgi?id=198180 + + Reviewed by Eric Carlson. + + * assembler/PerfLog.cpp: Add missing header inclusion. + * wasm/WasmBinding.cpp: Add missing "WasmCallingConvention.h" inclusion. + +2019-05-23 Tadeu Zagallo + + createListFromArrayLike should throw if value is not an object + https://bugs.webkit.org/show_bug.cgi?id=198138 + + Reviewed by Yusuke Suzuki. + + According to the spec[1], createListFromArrayLike should throw a type error if the array-like value + passed in is not an object. 
+ [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-createlistfromarraylike + + * runtime/JSObjectInlines.h: + (JSC::createListFromArrayLike): + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performGetOwnPropertyNames): + * runtime/ReflectObject.cpp: + (JSC::reflectObjectConstruct): + +2019-05-22 Yusuke Suzuki + + [JSC] UnlinkedMetadataTable's offset table should be small + https://bugs.webkit.org/show_bug.cgi?id=197910 + + Reviewed by Saam Barati. + + In Gmail, we found that massive # of UnlinkedMetadataTable (21979 - 24727) exists. Each UnlinkedMetadataTable takes at least 204 bytes + because of large (unsinged) offset table. This patch reduces the size of offset table by introducing 16bit version offset table. + Previously our code for looking up Metadata is like this. + + offset = offsetTable32[opcode] + metadata = (SomeOp::Metadata*)table[offset] + id + + Instead, we introduce uint16_t offset table. The lookup code becomes like this. + + offset = offsetTable16[opcode] + if (!offset) + offset = offsetTable32[opcode] + metadata = (SomeOp::Metadata*)table[offset] + id + + We use 0 offset as a marker to indicate that we have 32bit offset table. This is OK since 0 offset does not appear since all the offsets + included in this table is larger than s_offset16TableSize. + + 32bit offset table is allocated only when the offset exceeds 16bit range. It means that this will be used only when Metadata table is larger + than almost 64KB. Even in Gmail, such MetadataTable is rare, and additional 32bit offset table size does not matter much in this case since + MetadataTable is already so large. + + Based on the # of UnlinkedMetadataTables, this optimization should improve Gmail steady state memory by 2MB. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/MetadataTable.cpp: + (JSC::MetadataTable::~MetadataTable): + (JSC::MetadataTable::destroy): + * bytecode/MetadataTable.h: + (JSC::MetadataTable::ref): + (JSC::MetadataTable::deref): + (JSC::MetadataTable::buffer): + (JSC::MetadataTable::is32Bit const): + (JSC::MetadataTable::offsetTable16 const): + (JSC::MetadataTable::offsetTable32 const): + (JSC::MetadataTable::totalSize const): + (JSC::MetadataTable::getOffset const): + (JSC::MetadataTable::getImpl): + (JSC::MetadataTable::ref const): Deleted. + (JSC::MetadataTable::deref const): Deleted. + * bytecode/Opcode.cpp: + * bytecode/UnlinkedMetadataTable.cpp: Added. + (JSC::UnlinkedMetadataTable::finalize): + * bytecode/UnlinkedMetadataTable.h: + (JSC::UnlinkedMetadataTable::create): + (JSC::UnlinkedMetadataTable::totalSize const): + (JSC::UnlinkedMetadataTable::offsetTableSize const): + (JSC::UnlinkedMetadataTable::preprocessBuffer const): + (JSC::UnlinkedMetadataTable::buffer const): + (JSC::UnlinkedMetadataTable::offsetTable16 const): + (JSC::UnlinkedMetadataTable::offsetTable32 const): + * bytecode/UnlinkedMetadataTableInlines.h: + (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable): + (JSC::UnlinkedMetadataTable::addEntry): + (JSC::UnlinkedMetadataTable::sizeInBytes): + (JSC::UnlinkedMetadataTable::link): + (JSC::UnlinkedMetadataTable::unlink): + (JSC::UnlinkedMetadataTable::finalize): Deleted. + * llint/LowLevelInterpreter.asm: + * runtime/CachedTypes.cpp: + (JSC::CachedMetadataTable::encode): + (JSC::CachedMetadataTable::decode const): + +2019-05-22 Yusuke Suzuki + + [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler + https://bugs.webkit.org/show_bug.cgi?id=197809 + + Reviewed by Michael Saboff. + + ArrayAllocationProfile assumes that Butterfly can be accessed concurrently. But this is not correct now + since LargeAllocation Butterfly can be realloced. 
In this patch, we switch profiling array allocations + only in the main thread. This allocation profiling is repeatedly called in the main thread's slow path, + and it is also called when updating the profiles in the main thread. + + We also rename updateAllPredictionsAndCountLiveness to updateAllValueProfilePredictionsAndCountLiveness + since it only cares ValueProfiles. + + * bytecode/ArrayAllocationProfile.cpp: + (JSC::ArrayAllocationProfile::updateProfile): + * bytecode/ArrayAllocationProfile.h: + (JSC::ArrayAllocationProfile::selectIndexingTypeConcurrently): + (JSC::ArrayAllocationProfile::selectIndexingType): + (JSC::ArrayAllocationProfile::vectorLengthHintConcurrently): + (JSC::ArrayAllocationProfile::vectorLengthHint): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness): + (JSC::CodeBlock::updateAllValueProfilePredictions): + (JSC::CodeBlock::shouldOptimizeNow): + (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted. + * bytecode/CodeBlock.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + +2019-05-22 Yusuke Suzuki + + [JSC] Shrink Metadata + https://bugs.webkit.org/show_bug.cgi?id=197940 + + Reviewed by Michael Saboff. + + We get Metadata related data in Gmail and it turns out the following things. + + 1. At peak, MetadataTable eats a lot of bytes (30 MB - 50 MB, sometimes 70 MB while total Gmail footprint is 400 - 500 MB). + 2. After full GC happens, most of Metadata is destroyed while some are kept. Still keeps 1 MB. But after the GC, # of MetadataTable eventually grows again. + + If we shrink Metadata, we can reduce the peak memory footprint in Gmail. + + This patch shrinks Metadata. This patch first focus on low hanging fruits: it does not include the change removing OSR exit JSValue in ValueProfile. + This patch uses fancy bit juggling & leverages nice data types to reduce Metadata, as follows. + + 1. ValueProfile is reduced from 32 to 24. 
It reduces Metadata using ValueProfile. + 2. ArrayProfile is reduced from 16 to 12. Ditto. + 3. OpCall::Metadata is reduced from 88 to 64. + 4. OpGetById::Metadata is reduced from 56 to 40. + 5. OpToThis::Metadata is reduced from 48 to 32. + 6. OpNewObject::Metadata is reduced from 32 to 16. + + According to the gathered data, it should reduce 1-2MB in steady state in Gmail, much more in peak memory, ~1 MB in the state just after full GC. + It also improves RAMification by 0.3% (6 runs). + + * bytecode/ArrayProfile.cpp: + * bytecode/ArrayProfile.h: + (JSC::ArrayProfile::ArrayProfile): + (JSC::ArrayProfile::bytecodeOffset const): Deleted. + (JSC::ArrayProfile::isValid const): Deleted. + * bytecode/BytecodeList.rb: + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::finalizeLLIntInlineCaches): + (JSC::CodeBlock::getArrayProfile): + (JSC::CodeBlock::updateAllPredictionsAndCountLiveness): + (JSC::CodeBlock::dumpValueProfiles): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::valueProfileForArgument): + * bytecode/CodeBlockInlines.h: + (JSC::CodeBlock::forEachValueProfile): + (JSC::CodeBlock::forEachArrayProfile): + * bytecode/GetByIdMetadata.h: + We use ProtoLoad's JSObject's high bits to embed hitCountForLLIntCaching and mode, since they + are always zero for ProtoLoad mode. + + (): Deleted. + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + * bytecode/LLIntCallLinkInfo.h: + (JSC::LLIntCallLinkInfo::isLinked const): + (JSC::LLIntCallLinkInfo::link): + (JSC::LLIntCallLinkInfo::unlink): + (JSC::LLIntCallLinkInfo::callee const): + (JSC::LLIntCallLinkInfo::lastSeenCallee const): + (JSC::LLIntCallLinkInfo::clearLastSeenCallee): + (JSC::LLIntCallLinkInfo::LLIntCallLinkInfo): Deleted. + (JSC::LLIntCallLinkInfo::isLinked): Deleted. + In LLIntCallLinkInfo, we always set the same value to lastSeenCallee and callee. But later, callee can be cleared. 
+ It means that we can represent them in one value + cleared flag. We encode this flag into the lowest bit of the callee cell so + that we can make them one pointer. We also use PackedRawSentinelNode to get some space, and embed ArrayProfile into this space + to get further memory reduction. + + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: + (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::clearLLIntGetByIdCache): + * bytecode/LazyOperandValueProfile.h: + (JSC::LazyOperandValueProfile::LazyOperandValueProfile): + (JSC::LazyOperandValueProfile::key const): + * bytecode/MetadataTable.h: + (JSC::MetadataTable::buffer): + * bytecode/ObjectAllocationProfile.h: + (JSC::ObjectAllocationProfileBase::offsetOfAllocator): + (JSC::ObjectAllocationProfileBase::offsetOfStructure): + (JSC::ObjectAllocationProfileBase::clear): + (JSC::ObjectAllocationProfileBase::visitAggregate): + (JSC::ObjectAllocationProfile::setPrototype): + (JSC::ObjectAllocationProfileWithPrototype::prototype): + (JSC::ObjectAllocationProfileWithPrototype::clear): + (JSC::ObjectAllocationProfileWithPrototype::visitAggregate): + (JSC::ObjectAllocationProfileWithPrototype::setPrototype): + (JSC::ObjectAllocationProfile::offsetOfAllocator): Deleted. + (JSC::ObjectAllocationProfile::offsetOfStructure): Deleted. + (JSC::ObjectAllocationProfile::offsetOfInlineCapacity): Deleted. + (JSC::ObjectAllocationProfile::ObjectAllocationProfile): Deleted. + (JSC::ObjectAllocationProfile::isNull): Deleted. + (JSC::ObjectAllocationProfile::structure): Deleted. + (JSC::ObjectAllocationProfile::prototype): Deleted. + (JSC::ObjectAllocationProfile::inlineCapacity): Deleted. + (JSC::ObjectAllocationProfile::clear): Deleted. + (JSC::ObjectAllocationProfile::visitAggregate): Deleted. 
+ * bytecode/ObjectAllocationProfileInlines.h: + (JSC::ObjectAllocationProfileBase::initializeProfile): + (JSC::ObjectAllocationProfileBase::possibleDefaultPropertyCount): + (JSC::ObjectAllocationProfile::initializeProfile): Deleted. + (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount): Deleted. + OpNewObject's ObjectAllocationProfile does not need to hold prototype. So we have two versions now, ObjectAllocationProfile and ObjectAllocationProfileWithPrototype + to cut one pointer. We also remove inline capacity since this can be retrieved from Structure. + + * bytecode/Opcode.h: + * bytecode/ValueProfile.h: + (JSC::ValueProfileBase::ValueProfileBase): + (JSC::ValueProfileBase::totalNumberOfSamples const): + (JSC::ValueProfileBase::isSampledBefore const): + (JSC::ValueProfileBase::dump): + (JSC::ValueProfileBase::computeUpdatedPrediction): + (JSC::MinimalValueProfile::MinimalValueProfile): + (JSC::ValueProfileWithLogNumberOfBuckets::ValueProfileWithLogNumberOfBuckets): + (JSC::ValueProfile::ValueProfile): + (JSC::getValueProfileBytecodeOffset): Deleted. + Bytecode offset is no longer used. And sample count is not used effectively. 
+ + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGOperations.cpp: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCreateThis): + * ftl/FTLAbstractHeapRepository.h: + * jit/JITCall.cpp: + (JSC::JIT::compileSetupFrame): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileSetupFrame): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_to_this): + (JSC::JIT::emit_op_create_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_catch): + (JSC::JIT::emit_op_create_this): + (JSC::JIT::emit_op_to_this): + * jit/JITOperations.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_id): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setupGetByIdPrototypeCache): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::setUpCall): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/FunctionRareData.h: + * tools/HeapVerifier.cpp: + (JSC::HeapVerifier::validateJSCell): + +2019-05-22 Ross Kirsling + + [ESNext] Implement support for Numeric Separators + https://bugs.webkit.org/show_bug.cgi?id=196351 + + Reviewed by Keith Miller. + + Implement the following proposal, which is now Stage 3: + https://github.com/tc39/proposal-numeric-separator + + Specifically, this allows `_` to be used as a separator in numeric literals. + It may be inserted arbitrarily without semantic effect, but it may not occur: + - multiple times in a row + - at the beginning or end of the literal + - adjacent to `0x`, `0b`, `0o`, `.`, `e`, or `n` + - after a leading zero (e.g. `0_123`), even in sloppy mode + + * parser/Lexer.cpp: + (JSC::isASCIIDigitOrSeparator): Added. + (JSC::isASCIIHexDigitOrSeparator): Added. + (JSC::isASCIIBinaryDigitOrSeparator): Added. + (JSC::isASCIIOctalDigitOrSeparator): Added. 
+ (JSC::Lexer::parseHex):
+ (JSC::Lexer::parseBinary):
+ (JSC::Lexer::parseOctal):
+ (JSC::Lexer::parseDecimal):
+ (JSC::Lexer::parseNumberAfterDecimalPoint):
+ (JSC::Lexer::parseNumberAfterExponentIndicator):
+ (JSC::Lexer::lexWithoutClearingLineTerminator):
+ * parser/Lexer.h:
+
+2019-05-22 Tadeu Zagallo
+
+ llint_slow_path_get_by_id needs to hold the CodeBlock's lock to update the metadata's mode
+ https://bugs.webkit.org/show_bug.cgi?id=198120
+
+
+ Reviewed by Michael Saboff.
+
+ There are two places in llint_slow_path_get_by_id where we change the
+ metadata's mode without holding the CodeBlock's lock. This is an issue
+ when switching to and from ArrayLength mode, since other places can
+ either get a pointer to an array profile that will be overwritten or
+ an array profile that hasn't yet been initialized.
+
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
+2019-05-22 Commit Queue
+
+ Unreviewed, rolling out r245634.
+ https://bugs.webkit.org/show_bug.cgi?id=198140
+
+ 'This patch makes JSC crash on launch in debug builds'
+ (Requested by tadeuzagallo on #webkit).
+
+ Reverted changeset:
+
+ "[ESNext] Implement support for Numeric Separators"
+ https://bugs.webkit.org/show_bug.cgi?id=196351
+ https://trac.webkit.org/changeset/245634
+
+2019-05-22 Zagallo
+
+ Fix validateExceptionChecks for CLoop
+ https://bugs.webkit.org/show_bug.cgi?id=191253
+
+ Reviewed by Keith Miller.
+
+ validateExceptionChecks relies on the stack position to determine if
+ an ExceptionScope was going to be handled by LLInt or JIT, but when
+ running with CLoop, it was comparing VM::topEntryFrame, which was an
+ address inside the CLoopStack to machine stack. This caused exceptions
+ to never be checked on x86 and always fail on ARM.
+ + * runtime/CatchScope.h: + * runtime/ExceptionScope.h: + * runtime/ThrowScope.h: + * runtime/VM.cpp: + (JSC::VM::currentCLoopStackPointer const): + * runtime/VM.h: + +2019-05-22 Tadeu Zagallo + + Stack-buffer-overflow in decodeURIComponent + https://bugs.webkit.org/show_bug.cgi?id=198109 + + + Reviewed by Michael Saboff. + + Since r244828 we started using U8_MAX_LENGTH to determine the size of the buffer and + U8_COUNT_TRAIL_BYTES when decoding UTF-8 sequences in JSC::decode. However, U8_MAX_LENGTH + is defined as 4 and in pre-60 ICU U8_COUNT_TRAIL_BYTES returns 0..5. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::decode): + +2019-05-22 Yusuke Suzuki + + Don't clear PropertyNameArray in Proxy code + https://bugs.webkit.org/show_bug.cgi?id=197691 + + Reviewed by Saam Barati. + + ProxyObject::performGetOwnPropertyNames clears the given PropertyNameArray to filter out non-enumerable keys. + But this does not assume that PropertyNameArray already contains the keys collected in the different objects. + We have an assumption that PropertyNameArray is always increasing, and JSPropertyNameEnumerator relies on this. + Since ProxyObject::performGetOwnPropertyNames clears the passed PropertyNameArray which contained the other + keys collected at some point of prototype hierarchy, this breaks JSPropertyNameEnumerator. Let's see the example. + + var object = { __proto__: someProxy, someKey: 42 }; + // Here, we first collect "someKey" in object. And using the same PropertyNameArray to add more keys from __proto__. + // But Proxy accidentally clears the passed PropertyNameArray, so "someKey" becomes missing. + for (var key in object); + + This patch fixes ProxyObject::performGetOwnPropertyNames. Using separate PropertyNameArray to collect keys, and + filtering and adding them to the passed PropertyNameArray later. We also remove PropertyNameArray::reset method + since this breaks JSPropertyNameEnumerator's assumption. 
+ + We also fix the issue by changing seenKeys' HashSet to HashSet>. + They can be deallocated if it is not added to trapResult later and it is toString-ed result from 'toPropertyKey()'. + + * runtime/PropertyNameArray.h: + (JSC::PropertyNameArray::reset): Deleted. + * runtime/ProxyObject.cpp: + (JSC::ProxyObject::performGetOwnPropertyNames): + +2019-05-22 Ross Kirsling + + [ESNext] Implement support for Numeric Separators + https://bugs.webkit.org/show_bug.cgi?id=196351 + + Reviewed by Keith Miller. + + Implement the following proposal, which is now Stage 3: + https://github.com/tc39/proposal-numeric-separator + + Specifically, this allows `_` to be used as a separator in numeric literals. + It may be inserted arbitrarily without semantic effect, but it may not occur: + - multiple times in a row + - at the beginning or end of the literal + - adjacent to `0x`, `0b`, `0o`, `.`, `e`, or `n` + - after a leading zero (e.g. `0_123`), even in sloppy mode + + * parser/Lexer.cpp: + (JSC::isASCIIDigitOrSeparator): Added. + (JSC::isASCIIHexDigitOrSeparator): Added. + (JSC::isASCIIBinaryDigitOrSeparator): Added. + (JSC::isASCIIOctalDigitOrSeparator): Added. + (JSC::Lexer::parseHex): + (JSC::Lexer::parseBinary): + (JSC::Lexer::parseOctal): + (JSC::Lexer::parseDecimal): + (JSC::Lexer::parseNumberAfterDecimalPoint): + (JSC::Lexer::parseNumberAfterExponentIndicator): + (JSC::Lexer::lexWithoutClearingLineTerminator): + * parser/Lexer.h: + +2019-05-22 Yusuke Suzuki + + [JSC] ArrayBufferContents::tryAllocate signs the pointer with allocation size and authenticates it with sizeInBytes + https://bugs.webkit.org/show_bug.cgi?id=198101 + + Reviewed by Michael Saboff. + + When we allocate 0-length ArrayBuffer, we allocate 1 byte storage instead because we would like to ensure that + non-neutered ArrayBuffer always have non nullptr. While we allocate a 1 byte storage, this ArrayBuffer says + sizeInBytes = 0. 
However, we accidentally configure the vector pointer with this 1 byte size in the constructor. + In ARM64E device, we sign the vector pointer with modifier = 1 (1 byte size), and later we authenticate this + pointer with modifier = 0 (sizeInBytes), and fail to authenticate the pointer. + + In this patch, we sign the pointer with sizeInBytes so that we correctly authenticate the 0 bytes vector pointer. + + * runtime/ArrayBuffer.cpp: + (JSC::ArrayBufferContents::tryAllocate): + +2019-05-21 Ross Kirsling + + [PlayStation] Don't call fcntl. + https://bugs.webkit.org/show_bug.cgi?id=197961 + + Reviewed by Fujii Hironori. + + * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: + (Inspector::Socket::setup): + Use WTF::setCloseOnExec and WTF::setNonBlock. + +2019-05-21 Stephan Szabo + + [PlayStation] Update initializer for changed port options + https://bugs.webkit.org/show_bug.cgi?id=198057 + + Reviewed by Ross Kirsling. + + * shell/playstation/Initializer.cpp: + (initializer): Remove loading of shared JavaScriptCore + library. + +2019-05-21 Tadeu Zagallo + + Fix production build after r245564 + https://bugs.webkit.org/show_bug.cgi?id=197898 + + Reviewed by Keith Miller. + + The production configuration should not set CODE_SIGN_IDENTITY. + + * Configurations/ToolExecutable.xcconfig: + +2019-05-21 Keith Miller + + Unreviewed, add mistakenly ommited initializer. + + * runtime/RegExpInlines.h: + +2019-05-21 Keith Miller + + Unreviewed build fix add UNUSED_PARAM. + + * runtime/RegExpInlines.h: + (JSC::PatternContextBufferHolder::PatternContextBufferHolder): + +2019-05-20 Keith Miller + + Cleanup Yarr regexp code around paren contexts. + https://bugs.webkit.org/show_bug.cgi?id=198063 + + Reviewed by Yusuke Suzuki. + + There are three refactoring changes around paren contexts: + 1. Make EncodedMatchResult the same type as MatchResult on X86_64 and arm64 and uint64_t elsewhere. + 2. 
All function pointer types for Yarr JIT generated code reserve space for paren contexts. + 3. initParenContextFreeList should bail based on VM::patternContextBufferSize as that's the buffer size anyway. + + * runtime/MatchResult.h: + (JSC::MatchResult::MatchResult): + * runtime/RegExpInlines.h: + (JSC::PatternContextBufferHolder::PatternContextBufferHolder): + (JSC::PatternContextBufferHolder::~PatternContextBufferHolder): + (JSC::PatternContextBufferHolder::size): + (JSC::RegExp::matchInline): + * runtime/VM.h: + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::initParenContextFreeList): + * yarr/YarrJIT.h: + (JSC::Yarr::YarrCodeBlock::execute): + +2019-05-20 Tadeu Zagallo + + Only cache bytecode for API clients in data vaults + https://bugs.webkit.org/show_bug.cgi?id=197898 + + + Reviewed by Keith Miller. + + Enforce that API clients only store cached bytecode in data vaults. This prevents + another process from compromising the current one by tampering with the bytecode. + + * API/JSScript.mm: + (validateBytecodeCachePath): + (+[JSScript scriptOfType:withSource:andSourceURL:andBytecodeCache:inVirtualMachine:error:]): + (+[JSScript scriptOfType:memoryMappedFromASCIIFile:withSourceURL:andBytecodeCache:inVirtualMachine:error:]): + * API/tests/testapi.mm: + (cacheFileInDataVault): + (testModuleBytecodeCache): + (testProgramBytecodeCache): + (testBytecodeCacheWithSyntaxError): + (testBytecodeCacheWithSameCacheFileAndDifferentScript): + (testCacheFileFailsWhenItsAlreadyCached): + (testCanCacheManyFilesWithTheSameVM): + (testIsUsingBytecodeCacheAccessor): + (testBytecodeCacheValidation): + (testObjectiveCAPI): + * Configurations/ToolExecutable.xcconfig: + * JavaScriptCore.xcodeproj/project.pbxproj: + * testapi.entitlements: Added. + +2019-05-20 Tadeu Zagallo + + Fix 32-bit btyecode cache crashes + https://bugs.webkit.org/show_bug.cgi?id=198035 + + + Reviewed by Michael Saboff. 
+ + There were 2 32-bit issues with the bytecode cache: + - UnlinkedFunctionExecutable::m_cachedCodeBlockForConstructOffset was not initialized. + The code was relying on the other member of the union, `m_unlinkedCodeBlockForConstruct`, + initializing both m_cachedCodeBlockForCallOffset and m_cachedCodeBlockForConstructOffset. + This is undefined behavior and is also incorrect in 32-bit. Since m_unlinkedCodeBlockForConstruct + is 32-bit, it only initializes the first member of the struct. + - Encoder::Page was not aligned at the end. This lead to unaligned allocations on subsequent + pages, since the start of the following page would not be aligned. + + * runtime/CachedTypes.cpp: + (JSC::Encoder::release): + (JSC::Encoder::Page::alignEnd): + (JSC::Encoder::allocateNewPage): + (JSC::VariableLengthObject::buffer const): + (JSC::VariableLengthObject::allocate): + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + +2019-05-20 Ross Kirsling + + [WinCairo] Implement Remote Web Inspector Client. + https://bugs.webkit.org/show_bug.cgi?id=197434 + + Reviewed by Don Olmstead. + + * inspector/remote/socket/RemoteInspectorConnectionClient.cpp: + (Inspector::RemoteInspectorConnectionClient::didAccept): Deleted. + * inspector/remote/socket/RemoteInspectorConnectionClient.h: + (Inspector::RemoteInspectorConnectionClient::didAccept): + * inspector/remote/socket/RemoteInspectorServer.cpp: + (Inspector::RemoteInspectorServer::dispatchMap): + +2019-05-20 Carlos Garcia Campos + + [GLIB] Crash when instantiating a js object registered with jsc_context_register_class on window object cleared + https://bugs.webkit.org/show_bug.cgi?id=198037 + + Reviewed by Michael Catanzaro. + + This happens because JSCClass is keeping a pointer to the JSCContext used when the class is registered, and the + context can be destroyed before the class. We can't a reference to the context, because we don't really want to + keep it alive. 
The life of the JSCClass is not attached to the JSCContext, but to its wrapped global context, so + we can keep a pointer to the JSGlobalContextRef instead and create a new JSCContext wrapping it when + needed. This patch is also making the context property of JSCClass non-readable, which was always the intention, + that's why there isn't a public getter in the API. + + * API/glib/JSCCallbackFunction.cpp: + (JSC::JSCCallbackFunction::construct): Pass the context to jscClassGetOrCreateJSWrapper(). + * API/glib/JSCClass.cpp: + (jscClassGetProperty): Remove the getter for context property. + (jscClassSetProperty): Get the JSGlobalContextRef from the given JSCContext. + (jsc_class_class_init): Make context writable only. + (jscClassCreate): Use the passed in context instead of the member. + (jscClassGetOrCreateJSWrapper): It receives now the context as parameter. + (jscClassCreateContextWithJSWrapper): Ditto. + (jscClassCreateConstructor): Get or create a JSCContext for our JSGlobalContextRef. + (jscClassAddMethod): Ditto. + (jsc_class_add_property): Ditto. + * API/glib/JSCClassPrivate.h: + * API/glib/JSCContext.cpp: + (jsc_context_evaluate_in_object): Pass the context to jscClassCreateContextWithJSWrapper(). + * API/glib/JSCValue.cpp: + (jsc_value_new_object): Pass the context to jscClassGetOrCreateJSWrapper(). + +2019-05-19 Tadeu Zagallo + + Add support for %pid in dumpJITMemoryPath + https://bugs.webkit.org/show_bug.cgi?id=198026 + + Reviewed by Saam Barati. + + This is necessary when using dumpJITMemory with Safari. Otherwise, multiple WebContent + processes will try to write to the same file at the same time, which will crash since + the file is open with exclusive locking. + + * jit/ExecutableAllocator.cpp: + (JSC::dumpJITMemory): + +2019-05-18 Tadeu Zagallo + + Add extra information to dumpJITMemory + https://bugs.webkit.org/show_bug.cgi?id=197998 + + Reviewed by Saam Barati. 
+ + Add ktrace events around the memory dump and mach_absolute_time to link the + events with the entries in the dump. Additionally, add a background queue + to flush on a configurable interval, since the atexit callback does not work + in every situation. + + * jit/ExecutableAllocator.cpp: + (JSC::dumpJITMemory): + * runtime/Options.h: + +2019-05-17 Justin Michaud + + [WASM-References] Add support for Anyref in parameters and return types, Ref.null and Ref.is_null for Anyref values. + https://bugs.webkit.org/show_bug.cgi?id=197969 + + Reviewed by Keith Miller. + + Add a new runtime option for wasm references. + Add support for Anyref as a value type. + Add support for Anyref in parameters and return types of Wasm functions. JSValues are marshalled into/out of wasm Anyrefs + as a black box, except null which becomes a Nullref value. Nullref is not expressible in the bytecode or in the js API. + Add Ref.null and Ref.is_null for Anyref values. Support for these functions with funcrefs is out of scope. 
+ + * runtime/Options.h: + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::tmpForType): + (JSC::Wasm::AirIRGenerator::AirIRGenerator): + (JSC::Wasm::AirIRGenerator::addConstant): + (JSC::Wasm::AirIRGenerator::addRefIsNull): + (JSC::Wasm::AirIRGenerator::addReturn): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::addRefIsNull): + * wasm/WasmCallingConvention.h: + (JSC::Wasm::CallingConventionAir::marshallArgument const): + (JSC::Wasm::CallingConventionAir::setupCall const): + * wasm/WasmFormat.h: + (JSC::Wasm::isValueType): + * wasm/WasmFunctionParser.h: + (JSC::Wasm::FunctionParser::FunctionParser): + (JSC::Wasm::FunctionParser::parseExpression): + (JSC::Wasm::FunctionParser::parseUnreachableExpression): + * wasm/WasmValidate.cpp: + (JSC::Wasm::Validate::addRefIsNull): + * wasm/generateWasmOpsHeader.py: + (bitSet): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WasmToJS.cpp: + (JSC::Wasm::wasmToJS): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::callWebAssemblyFunction): + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + * wasm/wasm.json: + +2019-05-17 Don Olmstead + + [CMake] Use builtin FindICU + https://bugs.webkit.org/show_bug.cgi?id=197934 + + Reviewed by Michael Catanzaro. + + Remove uses of ICU_INCLUDE_DIRS and ICU_LIBRARIES. + + * CMakeLists.txt: + * PlatformWin.cmake: + +2019-05-17 Keith Rollin + + Re-enable generate-xcfilelists + https://bugs.webkit.org/show_bug.cgi?id=197933 + + + Reviewed by Jonathan Bedard. + + The following two tasks have been completed, and we can re-enable + generate-xcfilelists: + + Bug 197619 Temporarily disable generate-xcfilelists (197619) + Bug 197622 Rewrite generate-xcfilelists in Python (197622) + + * Scripts/check-xcfilelists.sh: + +2019-05-16 Keith Miller + + Wasm should cage the memory base pointers in structs + https://bugs.webkit.org/show_bug.cgi?id=197620 + + Reviewed by Saam Barati. 
+ + Currently, we use cageConditionally; this only matters for API + users since the web content process cannot disable primitive + gigacage. This patch also adds a set helper for union/intersection + of RegisterSets. + + * assembler/CPU.h: + (JSC::isARM64E): + * jit/RegisterSet.h: + (JSC::RegisterSet::set): + * wasm/WasmAirIRGenerator.cpp: + (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::AirIRGenerator::addCallIndirect): + * wasm/WasmB3IRGenerator.cpp: + (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): + (JSC::Wasm::B3IRGenerator::addCallIndirect): + * wasm/WasmBinding.cpp: + (JSC::Wasm::wasmToWasm): + * wasm/WasmInstance.h: + (JSC::Wasm::Instance::cachedMemory const): + (JSC::Wasm::Instance::updateCachedMemory): + * wasm/WasmMemory.cpp: + (JSC::Wasm::Memory::grow): + * wasm/WasmMemory.h: + (JSC::Wasm::Memory::memory const): + * wasm/js/JSToWasm.cpp: + (JSC::Wasm::createJSToWasmWrapper): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2019-05-16 David Kilzer + + REGRESSION (r15133): Fix leak of JSStringRef in minidom + + + + Reviewed by Joseph Pecoraro. + + * API/tests/minidom.c: + (print): Call JSStringRelease() to fix the leak. + +2019-05-16 Ross Kirsling + + [JSC] Invalid AssignmentTargetType should be an early error. + https://bugs.webkit.org/show_bug.cgi?id=197603 + + Reviewed by Keith Miller. + + Since ES6, expressions like 0++, ++0, 0 = 0, and 0 += 0 are all specified as early errors: + https://tc39.github.io/ecma262/#sec-update-expressions-static-semantics-early-errors + https://tc39.github.io/ecma262/#sec-assignment-operators-static-semantics-early-errors + + We currently throw late ReferenceErrors for these -- let's turn them into early SyntaxErrors. + (This is based on the expectation that https://github.com/tc39/ecma262/pull/1527 will be accepted; + if that doesn't come to pass, we can subsequently introduce early ReferenceError and revise these.) 
+ + * bytecompiler/NodesCodegen.cpp: + (JSC::PostfixNode::emitBytecode): Add an assert for "function call LHS" case. + (JSC::PrefixNode::emitBytecode): Add an assert for "function call LHS" case. + + * parser/ASTBuilder.h: + (JSC::ASTBuilder::isLocation): Added. + (JSC::ASTBuilder::isAssignmentLocation): Fix misleading parameter name. + (JSC::ASTBuilder::isFunctionCall): Added. + (JSC::ASTBuilder::makeAssignNode): Add an assert for "function call LHS" case. + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::isLocation): Added. + (JSC::SyntaxChecker::isAssignmentLocation): Fix incorrect definition and align with ASTBuilder. + (JSC::SyntaxChecker::isFunctionCall): Added. + * parser/Nodes.h: + (JSC::ExpressionNode::isFunctionCall const): Added. + Ensure that the parser can check whether an expression node is a function call. + + * parser/Parser.cpp: + (JSC::Parser::isSimpleAssignmentTarget): Added. + (JSC::Parser::parseAssignmentExpression): + (JSC::Parser::parseUnaryExpression): See below. + * parser/Parser.h: + Throw SyntaxError whenever an assignment or update expression's target is invalid. + Unfortunately, it seems that web compatibility obliges us to exempt the "function call LHS" case in sloppy mode. + (https://github.com/tc39/ecma262/issues/257#issuecomment-195106880) + + Additional cleanup items: + - Make use of `semanticFailIfTrue` for `isMetaProperty` checks, as it's equivalent. + - Rename `requiresLExpr` to `hasPrefixUpdateOp` since it's now confusing, + and get rid of `modifiesExpr` since it refers to the exact same condition. + - Stop setting `lastOperator` near the end -- one case was incorrect and regardless neither is used. + +2019-05-15 Saam Barati + + Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled + https://bugs.webkit.org/show_bug.cgi?id=197855 + + + Reviewed by Michael Saboff. + + Maximal flush insertion phase assumes it can extend the live range of + variables. 
However, this is not true with SetArgumentMaybe nodes, because
+ they are not guaranteed to demarcate the birth of a variable in the way
+ that SetArgumentDefinitely does. This caused things to break in SSA conversion
+ when we wanted to use the result of a SetArgumentMaybe node. To obviate this,
+ when we're done inlining something with SetArgumentMaybes, we SetLocal(undefined)
+ to the same set of locals. This caps the live range of the SetArgumentMaybe
+ and makes it so that extending the live range of the SetLocal is valid.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+
+2019-05-14 Keith Miller
+
+ Fix issue with byteOffset on ARM64E
+ https://bugs.webkit.org/show_bug.cgi?id=197884
+
+ Reviewed by Saam Barati.
+
+ We forgot to remove the tag from the ArrayBuffer's data
+ pointer. This corrupted data when computing the offset. We didn't
+ catch this because we didn't run any with a non-zero byteOffset in
+ the JITs.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+ (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
+ (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+
+2019-05-14 Tadeu Zagallo
+
+ REGRESSION (r245249): ASSERTION FAILED: !m_needExceptionCheck seen with stress/proxy-delete.js and stress/proxy-property-descriptor.js
+ https://bugs.webkit.org/show_bug.cgi?id=197885
+
+
+ Reviewed by Yusuke Suzuki.
+
+ In r245249 we added a throw scope to JSObject::getOwnPropertyDescriptor and its
+ callers now need to check for exceptions.
+
+ * runtime/ProxyObject.cpp:
+ (JSC::performProxyGet):
+ (JSC::ProxyObject::performDelete):
+
+2019-05-14 Ross Kirsling
+
+ Unreviewed restoration of non-unified build.
+
+ * dfg/DFGMinifiedID.h:
+ * runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp:
+
+2019-05-14 Yusuke Suzuki
+
+ [JSC] Shrink sizeof(UnlinkedFunctionExecutable) more
+ https://bugs.webkit.org/show_bug.cgi?id=197833
+
+ Reviewed by Darin Adler.
+
+ It turns out that Gmail creates so many JSFunctions, FunctionExecutables, and UnlinkedFunctionExecutables.
+ So we should shrink size of them to save memory. As a first step, this patch reduces the sizeof(UnlinkedFunctionExecutable) more by 16 bytes.
+
+ 1. We reorder some fields to get 8 bytes. And we use 31 bits for xxx offset things since their maximum size should be within 31 bits due to
+ String's length & int32_t representation in our parser.
+
+ 2. We drop m_inferredName and prefer m_ecmaName. The inferred name is used to offer better function name when the function expression lacks
+ the name, but now ECMAScript has a specified semantics to name those functions with intuitive names. We should use ecmaName consistently,
+ and should not eat 8 bytes for inferred names in UnlinkedFunctionExecutable.
+
+ We also fix generator ecma name.
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::inferredName const): + * bytecode/InlineCallFrame.cpp: + (JSC::InlineCallFrame::inferredName const): + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * bytecode/UnlinkedFunctionExecutable.h: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createAssignResolve): + (JSC::ASTBuilder::createGeneratorFunctionBody): + (JSC::ASTBuilder::createGetterOrSetterProperty): + (JSC::ASTBuilder::createProperty): + (JSC::ASTBuilder::tryInferNameInPatternWithIdentifier): + (JSC::ASTBuilder::makeAssignNode): + * parser/Nodes.cpp: + (JSC::FunctionMetadataNode::operator== const): + (JSC::FunctionMetadataNode::dump const): + * parser/Nodes.h: + * runtime/CachedTypes.cpp: + (JSC::CachedFunctionExecutable::ecmaName const): + (JSC::CachedFunctionExecutable::encode): + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + (JSC::CachedFunctionExecutable::inferredName const): Deleted. + * runtime/FunctionExecutable.h: + * runtime/FunctionExecutableDump.cpp: + (JSC::FunctionExecutableDump::dump const): + * runtime/JSFunction.cpp: + (JSC::JSFunction::calculatedDisplayName): + (JSC::getCalculatedDisplayName): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::StackFrame::displayName): + (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests): + +2019-05-13 Yusuke Suzuki + + [JSC] Compress JIT related data more by using Packed<> + https://bugs.webkit.org/show_bug.cgi?id=197866 + + Reviewed by Saam Barati. + + This patch leverages Packed<> more to reduce JIT related data size. When we measure memory usage on Gmail, we found that a lot of memory is + consumed in DFG data. This patch attempts to reduce that size by using Packed<> to make various data structure's alignment 1. + + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::shrinkToFit): Add more shrinkToFit. + * dfg/DFGMinifiedID.h: Make alignment = 1. + (JSC::DFG::MinifiedID::operator! 
const): + (JSC::DFG::MinifiedID::operator== const): + (JSC::DFG::MinifiedID::operator!= const): + (JSC::DFG::MinifiedID::operator< const): + (JSC::DFG::MinifiedID::operator> const): + (JSC::DFG::MinifiedID::operator<= const): + (JSC::DFG::MinifiedID::operator>= const): + (JSC::DFG::MinifiedID::hash const): + (JSC::DFG::MinifiedID::dump const): + (JSC::DFG::MinifiedID::isHashTableDeletedValue const): + (JSC::DFG::MinifiedID::bits const): + * dfg/DFGMinifiedIDInlines.h: + (JSC::DFG::MinifiedID::MinifiedID): + * dfg/DFGMinifiedNode.cpp: + (JSC::DFG::MinifiedNode::fromNode): Make sizeof(MinifiedNode) from 16 to 13 with alignment = 1. + * dfg/DFGMinifiedNode.h: + (JSC::DFG::MinifiedNode::id const): + (JSC::DFG::MinifiedNode::hasConstant const): + (JSC::DFG::MinifiedNode::constant const): + (JSC::DFG::MinifiedNode::isPhantomDirectArguments const): + (JSC::DFG::MinifiedNode::isPhantomClonedArguments const): + (JSC::DFG::MinifiedNode::hasInlineCallFrame const): + (JSC::DFG::MinifiedNode::inlineCallFrame const): + (JSC::DFG::MinifiedNode::op const): Deleted. + (JSC::DFG::MinifiedNode::hasInlineCallFrame): Deleted. + * dfg/DFGVariableEvent.h: Make sizeof(VariableEvent) from 12 to 10 with alignment = 1. 
+ (JSC::DFG::VariableEvent::fillGPR): + (JSC::DFG::VariableEvent::fillPair): + (JSC::DFG::VariableEvent::fillFPR): + (JSC::DFG::VariableEvent::birth): + (JSC::DFG::VariableEvent::spill): + (JSC::DFG::VariableEvent::death): + (JSC::DFG::VariableEvent::setLocal): + (JSC::DFG::VariableEvent::movHint): + (JSC::DFG::VariableEvent::id const): + (JSC::DFG::VariableEvent::gpr const): + (JSC::DFG::VariableEvent::tagGPR const): + (JSC::DFG::VariableEvent::payloadGPR const): + (JSC::DFG::VariableEvent::fpr const): + (JSC::DFG::VariableEvent::spillRegister const): + (JSC::DFG::VariableEvent::bytecodeRegister const): + (JSC::DFG::VariableEvent::machineRegister const): + (JSC::DFG::VariableEvent::variableRepresentation const): + * dfg/DFGVariableEventStream.cpp: + (JSC::DFG::tryToSetConstantRecovery): + +2019-05-13 Yusuke Suzuki + + [WTF] Simplify GCThread and CompilationThread flags by adding them to WTF::Thread + https://bugs.webkit.org/show_bug.cgi?id=197146 + + Reviewed by Saam Barati. + + Rename Heap::Thread to Heap::HeapThread to remove conflict between WTF::Thread. + + * heap/AlignedMemoryAllocator.cpp: + (JSC::AlignedMemoryAllocator::registerDirectory): + * heap/Heap.cpp: + (JSC::Heap::HeapThread::HeapThread): + (JSC::Heap::Heap): + (JSC::Heap::runCurrentPhase): + (JSC::Heap::runBeginPhase): + (JSC::Heap::resumeThePeriphery): + (JSC::Heap::requestCollection): + (JSC::Heap::isCurrentThreadBusy): + (JSC::Heap::notifyIsSafeToCollect): + (JSC::Heap::Thread::Thread): Deleted. + * heap/Heap.h: + * heap/HeapInlines.h: + (JSC::Heap::incrementDeferralDepth): + (JSC::Heap::decrementDeferralDepth): + (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::prepareForAllocation): + +2019-05-13 Saam Barati + + macro assembler code-pointer tagging has its arguments backwards + https://bugs.webkit.org/show_bug.cgi?id=197677 + + Reviewed by Michael Saboff. 
+ + We had the destination as the leftmost instead of the rightmost argument, + which goes against the convention of how we order arguments in macro assembler + methods. + + * assembler/MacroAssemblerARM64E.h: + (JSC::MacroAssemblerARM64E::tagReturnAddress): + (JSC::MacroAssemblerARM64E::untagReturnAddress): + (JSC::MacroAssemblerARM64E::tagPtr): + (JSC::MacroAssemblerARM64E::untagPtr): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::prepareForTailCallSlow): + * jit/CallFrameShuffler.cpp: + (JSC::CallFrameShuffler::prepareForTailCall): + * jit/ThunkGenerators.cpp: + (JSC::emitPointerValidation): + (JSC::arityFixupGenerator): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2019-05-13 Tadeu Zagallo + + JSObject::getOwnPropertyDescriptor is missing an exception check + https://bugs.webkit.org/show_bug.cgi?id=197693 + + + Reviewed by Saam Barati. + + The method table call to getOwnPropertySlot might throw, and JSObject::getOwnPropertyDescriptor + must handle the exception before calling PropertySlot::getValue, which can also throw. + + * runtime/JSObject.cpp: + (JSC::JSObject::getOwnPropertyDescriptor): + +2019-05-13 Yusuke Suzuki + + [JSC] Compress miscelaneous JIT related data structures with Packed<> + https://bugs.webkit.org/show_bug.cgi?id=197830 + + Reviewed by Saam Barati. + + This patch leverages Packed<> to compress miscelaneous data structures related to JIT. + + 1. JIT IC data structures + + 2. ValueRecovery + + We use Packed<> for EncodedJSValue in ValueRecovery. This means that conservative GC cannot find + these values. But this is OK anyway since ValueRecovery's constant should be already registered + in DFG graph. From 16 (alignment 8) to 9 (alignment 1). + + 3. FTL::ExitValue + + We use Packed<> for EncodedJSValue in FTL::ExitValue. 
This is also OK since this constant should + be already registered by DFG/FTL graph. From 16 (alignment 8) to 9 (alignment 1). + + * assembler/CodeLocation.h: + * bytecode/ByValInfo.h: + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::CallLinkInfo): + (JSC::CallLinkInfo::callReturnLocation): + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::nearCallMode const): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::addJITAddIC): + (JSC::CodeBlock::addJITMulIC): + (JSC::CodeBlock::addJITSubIC): + (JSC::CodeBlock::addJITNegIC): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::addMathIC): + * bytecode/InlineCallFrame.h: + (JSC::InlineCallFrame::InlineCallFrame): + * bytecode/ValueRecovery.h: + (JSC::ValueRecovery::inGPR): + (JSC::ValueRecovery::inPair): + (JSC::ValueRecovery::inFPR): + (JSC::ValueRecovery::displacedInJSStack): + (JSC::ValueRecovery::constant): + (JSC::ValueRecovery::directArgumentsThatWereNotCreated): + (JSC::ValueRecovery::clonedArgumentsThatWereNotCreated): + (JSC::ValueRecovery::gpr const): + (JSC::ValueRecovery::tagGPR const): + (JSC::ValueRecovery::payloadGPR const): + (JSC::ValueRecovery::fpr const): + (JSC::ValueRecovery::virtualRegister const): + (JSC::ValueRecovery::withLocalsOffset const): + (JSC::ValueRecovery::constant const): + (JSC::ValueRecovery::nodeID const): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileValueAdd): + (JSC::DFG::SpeculativeJIT::compileValueSub): + (JSC::DFG::SpeculativeJIT::compileValueNegate): + (JSC::DFG::SpeculativeJIT::compileValueMul): + * ftl/FTLExitValue.cpp: + (JSC::FTL::ExitValue::materializeNewObject): + * ftl/FTLExitValue.h: + (JSC::FTL::ExitValue::inJSStack): + (JSC::FTL::ExitValue::inJSStackAsInt32): + (JSC::FTL::ExitValue::inJSStackAsInt52): + (JSC::FTL::ExitValue::inJSStackAsDouble): + (JSC::FTL::ExitValue::constant): + (JSC::FTL::ExitValue::exitArgument): + (JSC::FTL::ExitValue::exitArgument const): + (JSC::FTL::ExitValue::adjustStackmapLocationsIndexByOffset): + 
(JSC::FTL::ExitValue::constant const): + (JSC::FTL::ExitValue::virtualRegister const): + (JSC::FTL::ExitValue::objectMaterialization const): + (JSC::FTL::ExitValue::withVirtualRegister const): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileValueAdd): + (JSC::FTL::DFG::LowerDFGToB3::compileValueSub): + (JSC::FTL::DFG::LowerDFGToB3::compileValueMul): + (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC): + (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC): + (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub): + (JSC::FTL::DFG::LowerDFGToB3::compileValueNegate): + * jit/CachedRecovery.h: + * jit/CallFrameShuffleData.h: + * jit/JITArithmetic.cpp: + (JSC::JIT::emit_op_negate): + (JSC::JIT::emit_op_add): + (JSC::JIT::emit_op_mul): + (JSC::JIT::emit_op_sub): + * jit/JITMathIC.h: + (JSC::isProfileEmpty): + (JSC::JITBinaryMathIC::JITBinaryMathIC): + (JSC::JITUnaryMathIC::JITUnaryMathIC): + * jit/PolymorphicCallStubRoutine.h: + (JSC::PolymorphicCallNode::hasCallLinkInfo): + * jit/SnippetOperand.h: + (JSC::SnippetOperand::asRawBits const): + (JSC::SnippetOperand::asConstInt32 const): + (JSC::SnippetOperand::asConstDouble const): + (JSC::SnippetOperand::setConstInt32): + (JSC::SnippetOperand::setConstDouble): + +2019-05-12 Yusuke Suzuki + + [JSC] Compress Watchpoint size by using enum type and Packed<> data structure + https://bugs.webkit.org/show_bug.cgi?id=197730 + + Reviewed by Filip Pizlo. + + Watchpoint takes 5~ MB memory in Gmail (total memory starts with 400 - 500 MB), so 1~%. Since it is allocated massively, + reducing each size of Watchpoint reduces memory footprint significantly. + + As a first step, this patch uses Packed<> and enum to reduce the size of Watchpoint. + + 1. Watchpoint should have enum type and should not use vtable. vtable takes one pointer, and it is too costly for such a + memory sensitive objects. We perform downcast and dispatch the method of the derived classes based on this enum. 
Since + the # of derived Watchpoint classes are limited (Only 8), we can list up them easily. One unfortunate thing is that + we cannot do this for destructor so long as we use "delete" for deleting objects. If we dispatch the destructor of derived + class in the destructor of the base class, we call the destructor of the base class multiple times. delete operator override + does not help since custom delete operator is called after the destructor is called. While we can fix this issue by always + using custom deleter, currently we do not since all the watchpoints do not have members which have non trivial destructor. + Once it is strongly required, we can start using custom deleter, but for now, we do not need to do this. + + 2. We use Packed<> to compact pointers in Watchpoint. Since Watchpoint is a node of doubly linked list, each one has two + pointers for prev and next. This is also too costly. PackedPtr reduces the size and makes alignment 1.S + + 3. We use PackedCellPtr<> for JSCells in Watchpoint. This leverages alignment information and makes pointers smaller in + Darwin ARM64. One important thing to note here is that since this pointer is packed, it cannot be found by conservative + GC scan. It is OK for watchpoint since they are allocated in the heap anyway. + + We applied this change to Watchpoint and get the following memory reduction. The highlight is that CodeBlockJettisoningWatchpoint in + ARM64 only takes 2 pointers size. 
+ + ORIGINAL X86_64 ARM64 + WatchpointSet: 40 32 28 + CodeBlockJettisoningWatchpoint: 32 19 15 + StructureStubClearingWatchpoint: 56 48 40 + AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint: 24 13 11 + AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint: 24 13 11 + FunctionRareData::AllocationProfileClearingWatchpoint: 32 19 15 + ObjectToStringAdaptiveStructureWatchpoint: 56 48 40 + LLIntPrototypeLoadAdaptiveStructureWatchpoint: 64 48 48 + DFG::AdaptiveStructureWatchpoint: 56 48 40 + + While we will re-architect the mechanism of Watchpoint, anyway Packed<> mechanism and enum types will be used too. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * Sources.txt: + * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h: + * bytecode/CodeBlockJettisoningWatchpoint.h: + * bytecode/CodeOrigin.h: + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: + (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint): + (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal): + * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: + * bytecode/StructureStubClearingWatchpoint.cpp: + (JSC::StructureStubClearingWatchpoint::fireInternal): + * bytecode/StructureStubClearingWatchpoint.h: + * bytecode/Watchpoint.cpp: + (JSC::Watchpoint::fire): + * bytecode/Watchpoint.h: + (JSC::Watchpoint::Watchpoint): + * dfg/DFGAdaptiveStructureWatchpoint.cpp: + (JSC::DFG::AdaptiveStructureWatchpoint::AdaptiveStructureWatchpoint): + * dfg/DFGAdaptiveStructureWatchpoint.h: + * heap/PackedCellPtr.h: Added. + * runtime/FunctionRareData.h: + * runtime/ObjectToStringAdaptiveStructureWatchpoint.cpp: Added. + (JSC::ObjectToStringAdaptiveStructureWatchpoint::ObjectToStringAdaptiveStructureWatchpoint): + (JSC::ObjectToStringAdaptiveStructureWatchpoint::install): + (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal): + * runtime/ObjectToStringAdaptiveStructureWatchpoint.h: Added. 
+ * runtime/StructureRareData.cpp: + (JSC::StructureRareData::clearObjectToStringValue): + (JSC::ObjectToStringAdaptiveStructureWatchpoint::ObjectToStringAdaptiveStructureWatchpoint): Deleted. + (JSC::ObjectToStringAdaptiveStructureWatchpoint::install): Deleted. + (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal): Deleted. + * runtime/StructureRareData.h: + +2019-05-12 Yusuke Suzuki + + [JSC] Compact generator code's bytecode size + https://bugs.webkit.org/show_bug.cgi?id=197822 + + Reviewed by Michael Saboff. + + op_put_to_scope's symbolTableOrScopeDepth is represented as int. This was OK for the old bytecode format since + VirtualRegister / scope depth can be represented by int anyway. But it is problematic now since only int8_t range + will be represented in narrow bytecode. When this field is used for symbol table constant index, it is always + larger than FirstConstantRegisterIndex. So it always exceeds the range of int8_t, and results in wide bytecode. + It makes all generator's op_put_to_scope wide bytecode. + + In this patch, we introduce a new (logically) union type SymbolTableOrScopeDepth. It holds unsigned value, and we store the + SymbolTableConstantIndex - FirstConstantRegisterIndex in this unsigned value to make op_put_to_scope narrow bytecode. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/BytecodeGeneratorification.cpp: + (JSC::BytecodeGeneratorification::run): + * bytecode/BytecodeList.rb: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + * bytecode/Fits.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitProfileType): + (JSC::BytecodeGenerator::emitPutToScope): + (JSC::BytecodeGenerator::localScopeDepth const): + * bytecompiler/BytecodeGenerator.h: + * runtime/SymbolTableOrScopeDepth.h: Added. 
+ (JSC::SymbolTableOrScopeDepth::symbolTable): + (JSC::SymbolTableOrScopeDepth::scopeDepth): + (JSC::SymbolTableOrScopeDepth::raw): + (JSC::SymbolTableOrScopeDepth::symbolTable const): + (JSC::SymbolTableOrScopeDepth::scopeDepth const): + (JSC::SymbolTableOrScopeDepth::raw const): + (JSC::SymbolTableOrScopeDepth::dump const): + (JSC::SymbolTableOrScopeDepth::SymbolTableOrScopeDepth): + +2019-05-10 Saam barati + + Call to JSToWasmICCallee::createStructure passes in wrong prototype value + https://bugs.webkit.org/show_bug.cgi?id=197807 + + + Reviewed by Yusuke Suzuki. + + We were passing the empty value instead of null. However, the empty + value means the Structure is poly proto. That's definitely not the case + here. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + +2019-05-10 Yusuke Suzuki + + [JSC] String substring operation should return ropes consistently + https://bugs.webkit.org/show_bug.cgi?id=197765 + + + Reviewed by Michael Saboff. + + Currently we have different policies per string substring operation function. + + 1. String#slice returns the resolved non-rope string + 2. String#substring returns rope string + 3. String#substr returns rope string in runtime function, non-rope string in DFG and FTL + + Due to (3), we see large memory use in the tested web page[1]. Non rope substring have a problem. + First of all, that returned string seems not used immediately. It is possible that the resulted + string is used as a part of the other ropes (like, xxx.substring(...) + "Hello"). To avoid the + eager materialization of the string, we are using StringImpl::createSubstringSharingImpl for the + resulted non rope string. StringImpl::createSubstringSharingImpl is StringImpl's substring feature: the + substring is pointing the owner StringImpl. While this has memory saving benefit, it can retain owner + StringImpl so long, and it could keep very large owner StringImpl alive. 
+ + The problem we are attempting to solve with StringImpl::createSubstringSharingImpl can be solved by + the rope string simply. Rope string can share the underlying string. And good feature of the rope + string is that, when resolving rope string, the rope string always create a new StringImpl instead of + using StringImpl::createSubstringSharingImpl. So we allow the owner StringImpl to be destroyed. And this + resolving only happens when we actually want to use the content of the rope string. In addition, we recently + shrunk the sizeof(JSRopeString) from 48 to 32, so JSRopeString is cheap. + + In this patch, we change (2) and (3) to (1), using rope String as a result of substring operations. + + RAMification and JetStream2 are neutral. The web page[1] shows large memory footprint improvement from 776MB to 681MB. + + [1]: https://beta.observablehq.com/@ldgardner/assignment-4-visualizations-and-multiple-views + + * dfg/DFGOperations.cpp: + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncSlice): + * runtime/StringPrototypeInlines.h: + (JSC::stringSlice): + +2019-05-10 Robin Morisset + + testb3 failing with crash in JSC::B3::BasicBlock::appendNonTerminal + https://bugs.webkit.org/show_bug.cgi?id=197756 + + + Reviewed by Saam Barati. + + When I added https://bugs.webkit.org/show_bug.cgi?id=197265 I assumed that which block is the root does not change in the middle of strength reduction. + But specializeSelect can use splitForward, which uses a new block for the first half of the given block. + So if the block being split is the root block I must update m_root and erase the m_valueInConstant cache. + Erasing the cache cannot cause wrong results: at most it can make us miss some optimization opportunities in this iteration of the fixpoint. + + * b3/B3ReduceStrength.cpp: + +2019-05-09 Keith Miller + + Fix crashes related to pointer authentication for primitive gigacage + https://bugs.webkit.org/show_bug.cgi?id=197763 + + + Reviewed by Saam Barati. 
+ + This fixes two bugs related to PAC for caging. The first is that + we didn't clear the high bits of the size register going into the + patchpoint to tag the new buffer for NewArrayBuffer. The second is + that the GC needs to strip all stack pointers when considering + them as a conservative root. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): + * heap/ConservativeRoots.cpp: + (JSC::ConservativeRoots::genericAddPointer): + +2019-05-09 Keith Miller + + parseStatementListItem needs a stack overflow check + https://bugs.webkit.org/show_bug.cgi?id=197749 + + + Reviewed by Saam Barati. + + There currently exists a path in the parser where you can loop + arbibrarily many times without a stack overflow check. This patch + adds a check to parseStatementListItem to break that cycle. + + * parser/Parser.cpp: + (JSC::Parser::parseStatementListItem): + +2019-05-09 Keith Miller + + REGRESSION (r245064): ASSERTION FAILED: m_ptr seen with wasm.yaml/wasm/js-api/test_Data.js.wasm-slow-memory + https://bugs.webkit.org/show_bug.cgi?id=197740 + + Reviewed by Saam Barati. + + If a TypedArray constructor is called with just 0 as the first argument, we don't allocate a backing vector. + This means we need to handle null when calling vector() in ConstructionContext. + + * runtime/JSArrayBufferView.h: + (JSC::JSArrayBufferView::ConstructionContext::vector const): + +2019-05-09 Xan López + + [CMake] Detect SSE2 at compile time + https://bugs.webkit.org/show_bug.cgi?id=196488 + + Reviewed by Carlos Garcia Campos. + + * assembler/MacroAssemblerX86Common.cpp: Remove unnecessary (and + incorrect) static_assert. + (JSC::MacroAssemblerX86Common::collectCPUFeatures): + * assembler/MacroAssemblerX86Common.h: Remove SSE2 flags. 
+ +2019-05-08 Yusuke Suzuki + + Unreviewed, build fix after r245064 + https://bugs.webkit.org/show_bug.cgi?id=197110 + + * runtime/GenericTypedArrayView.h: + +2019-05-08 Saam barati + + AccessGenerationState::emitExplicitExceptionHandler can clobber an in use register + https://bugs.webkit.org/show_bug.cgi?id=197715 + + + Reviewed by Filip Pizlo. + + AccessGenerationState::emitExplicitExceptionHandler was always clobbering + x86's r9 without considering if that register was needed to be preserved + by the IC. This leads to bad things when the DFG/FTL need that register when + OSR exitting after an exception from a GetById call. + + * b3/air/AirCode.cpp: + (JSC::B3::Air::Code::Code): + * bytecode/PolymorphicAccess.cpp: + (JSC::AccessGenerationState::emitExplicitExceptionHandler): + * runtime/Options.h: + +2019-05-08 Ryan Haddad + + Unreviewed, rolling out r245068. + + Caused debug layout tests to exit early due to an assertion + failure. + + Reverted changeset: + + "All prototypes should call didBecomePrototype()" + https://bugs.webkit.org/show_bug.cgi?id=196315 + https://trac.webkit.org/changeset/245068 + +2019-05-08 Yusuke Suzuki + + Invalid DFG JIT genereation in high CPU usage state + https://bugs.webkit.org/show_bug.cgi?id=197453 + + Reviewed by Saam Barati. + + We have a DFG graph like this. + + a: JSConstant(rope JSString) + b: CheckStringIdent(Check:StringUse:@a) + ... AI think this is unreachable ... + + When executing StringUse edge filter onto @a, AbstractValue::filterValueByType clears AbstractValue and makes it None. + This is because @a constant produces SpecString (SpecStringVar | SpecStringIdent) while StringUse edge filter requires + SpecStringIdent. AbstractValue::filterValueByType has an assumption that the JS constant always produces the same + SpeculatedType. So it clears AbstractValue completely. + But this assumption is wrong. JSString can produce SpecStringIdent later if the string is resolved to AtomicStringImpl. 
+ AI think that we always fail. But once the string is resolved to AtomicStringImpl, we pass this check. So we execute + the breakpoint emitted by DFG since DFG think this is unreachable. + + In this patch, we just clear the `m_value` if AbstractValue type filter fails with the held constant, since the constant + may produce a narrower type which can meet the type filter later. + + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::filterValueByType): + +2019-05-08 Robin Morisset + + All prototypes should call didBecomePrototype() + https://bugs.webkit.org/show_bug.cgi?id=196315 + + Reviewed by Saam Barati. + + This changelog already landed, but the commit was missing the actual changes. + + Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor. + + I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't + create structures with invalid prototypes. + It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation(). + Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype. 
+
+ * runtime/BigIntPrototype.cpp:
+ (JSC::BigIntPrototype::finishCreation):
+ * runtime/BooleanPrototype.cpp:
+ (JSC::BooleanPrototype::finishCreation):
+ * runtime/DatePrototype.cpp:
+ (JSC::DatePrototype::finishCreation):
+ * runtime/ErrorConstructor.cpp:
+ (JSC::ErrorConstructor::finishCreation):
+ * runtime/ErrorPrototype.cpp:
+ (JSC::ErrorPrototype::finishCreation):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::FunctionConstructor::finishCreation):
+ * runtime/FunctionPrototype.cpp:
+ (JSC::FunctionPrototype::finishCreation):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototype::finishCreation):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototype::finishCreation):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototype::finishCreation):
+ * runtime/IntlPluralRulesPrototype.cpp:
+ (JSC::IntlPluralRulesPrototype::finishCreation):
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::JSArrayBufferPrototype::finishCreation):
+ * runtime/JSDataViewPrototype.cpp:
+ (JSC::JSDataViewPrototype::finishCreation):
+ * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
+ (JSC::JSGenericTypedArrayViewPrototype::finishCreation):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::createConsoleProperty):
+ * runtime/JSPromisePrototype.cpp:
+ (JSC::JSPromisePrototype::finishCreation):
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ (JSC::JSTypedArrayViewConstructor::finishCreation):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSTypedArrayViewPrototype::finishCreation):
+ * runtime/NumberPrototype.cpp:
+ (JSC::NumberPrototype::finishCreation):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::RegExpPrototype::finishCreation):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+ * runtime/Structure.cpp:
+ (JSC::Structure::isValidPrototype):
+ (JSC::Structure::changePrototypeTransition):
+ * runtime/Structure.h:
+ * runtime/SymbolPrototype.cpp:
+ (JSC::SymbolPrototype::finishCreation):
+ * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
+ (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyInstancePrototype.cpp:
+ (JSC::WebAssemblyInstancePrototype::finishCreation):
+ * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
+ (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::WebAssemblyMemoryPrototype::finishCreation):
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+ (JSC::WebAssemblyModulePrototype::finishCreation):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::WebAssemblyPrototype::finishCreation):
+ * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
+ (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::WebAssemblyTablePrototype::finishCreation):
+
+2019-05-08 Keith Miller
+
+ Remove Gigacage from arm64 and use PAC for arm64e instead
+ https://bugs.webkit.org/show_bug.cgi?id=197110
+
+ Reviewed by Saam Barati.
+
+ This patch makes a bunch of changes. I'll start with global changes then go over changes to each tier and finish with bug fixes.
+
+ Global Changes:
+ Change CagedBarrierPtr to work with PAC so constructors and accessors now expect to receive a length.
+ Update assembler helper methods to use do PAC when caging.
+
+ LLInt:
+ Add arm64e.rb backend as we missed that when originally open sourcing our arm64e code.
+ Add a new optional t6 temporary, which is only used currently on arm64e for GetByVal on a TypedArray.
+ Refactor caging into two helper macros for Primitive/JSValue cages.
+
+ Baseline/DFG:
+ Add authentication where needed for GetByVal and inline object construction.
+
+ FTL:
+ Add a new ValueRep that allows for a late register use. We want this for the authentication patchpoint since we use the length register at the same time as we are defing the authenticated pointer.
+
+ Wasm:
+ Use the TaggedArrayStoragePtr class for the memory base pointer. In theory we should be caging those pointers but I don't want to risk introducing a performance regression with the rest of this change. I've filed https://bugs.webkit.org/show_bug.cgi?id=197620 to do this later.
+ As we no longer have the Gigacage using most of our VA memory, we can enable fast memories on iOS.
+ Using fast memories leads to roughly a 2% JetStream2 speedup.
+
+ * assembler/MacroAssemblerARM64E.h:
+ (JSC::MacroAssemblerARM64E::tagArrayPtr):
+ (JSC::MacroAssemblerARM64E::untagArrayPtr):
+ (JSC::MacroAssemblerARM64E::removeArrayPtrTag):
+ * b3/B3LowerToAir.cpp:
+ * b3/B3PatchpointSpecial.cpp:
+ (JSC::B3::PatchpointSpecial::admitsStack):
+ * b3/B3StackmapSpecial.cpp:
+ (JSC::B3::StackmapSpecial::forEachArgImpl):
+ (JSC::B3::StackmapSpecial::isArgValidForRep):
+ * b3/B3Validate.cpp:
+ * b3/B3ValueRep.cpp:
+ (JSC::B3::ValueRep::addUsedRegistersTo const):
+ (JSC::B3::ValueRep::dump const):
+ (WTF::printInternal):
+ * b3/B3ValueRep.h:
+ (JSC::B3::ValueRep::ValueRep):
+ (JSC::B3::ValueRep::isReg const):
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::newTypedArrayWithSize):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
+ (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cageConditionally):
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDirectArgumentsGetByVal):
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/PolymorphicCallStubRoutine.cpp:
+ (JSC::PolymorphicCallNode::clearCallLinkInfo):
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/arm64.rb:
+ * offlineasm/arm64e.rb: Added.
+ * offlineasm/ast.rb:
+ * offlineasm/instructions.rb:
+ * offlineasm/registers.rb:
+ * offlineasm/x86.rb:
+ * runtime/ArrayBuffer.cpp:
+ (JSC::SharedArrayBufferContents::SharedArrayBufferContents):
+ (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
+ (JSC::ArrayBufferContents::ArrayBufferContents):
+ (JSC::ArrayBufferContents::destroy):
+ (JSC::ArrayBufferContents::tryAllocate):
+ (JSC::ArrayBufferContents::makeShared):
+ (JSC::ArrayBufferContents::copyTo):
+ * runtime/ArrayBuffer.h:
+ (JSC::SharedArrayBufferContents::data const):
+ (JSC::ArrayBufferContents::data const):
+ (JSC::ArrayBuffer::data):
+ (JSC::ArrayBuffer::data const):
+ (JSC::ArrayBuffer::byteLength const):
+ * runtime/ArrayBufferView.cpp:
+ (JSC::ArrayBufferView::ArrayBufferView):
+ * runtime/ArrayBufferView.h:
+ (JSC::ArrayBufferView::baseAddress const):
+ (JSC::ArrayBufferView::byteLength const):
+ (JSC::ArrayBufferView::setRangeImpl):
+ (JSC::ArrayBufferView::getRangeImpl):
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedScopedArgumentsTable::encode):
+ (JSC::CachedScopedArgumentsTable::decode const):
+ * runtime/CagedBarrierPtr.h:
+ (JSC::CagedBarrierPtr::CagedBarrierPtr):
+ (JSC::CagedBarrierPtr::set):
+ (JSC::CagedBarrierPtr::get const):
+ (JSC::CagedBarrierPtr::getMayBeNull const):
+ (JSC::CagedBarrierPtr::getUnsafe const):
+ (JSC::CagedBarrierPtr::at const):
+ (JSC::CagedBarrierPtr::operator== const):
+ (JSC::CagedBarrierPtr::operator bool const):
+ (JSC::CagedBarrierPtr::setWithoutBarrier):
+ (JSC::CagedBarrierPtr::operator* const): Deleted.
+ (JSC::CagedBarrierPtr::operator-> const): Deleted.
+ (JSC::CagedBarrierPtr::operator[] const): Deleted.
+ (): Deleted.
+ * runtime/DataView.cpp:
+ (JSC::DataView::DataView):
+ * runtime/DataView.h:
+ (JSC::DataView::get):
+ (JSC::DataView::set):
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::visitChildren):
+ (JSC::DirectArguments::overrideThings):
+ (JSC::DirectArguments::unmapArgument):
+ * runtime/DirectArguments.h:
+ * runtime/GenericArguments.h:
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::visitChildren):
+ (JSC::GenericArguments::initModifiedArgumentsDescriptor):
+ (JSC::GenericArguments::setModifiedArgumentDescriptor):
+ (JSC::GenericArguments::isModifiedArgumentDescriptor):
+ * runtime/GenericTypedArrayView.h:
+ * runtime/GenericTypedArrayViewInlines.h:
+ (JSC::GenericTypedArrayView::GenericTypedArrayView):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ (JSC::JSArrayBufferView::JSArrayBufferView):
+ (JSC::JSArrayBufferView::finalize):
+ (JSC::JSArrayBufferView::slowDownAndWasteMemory):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::ConstructionContext::vector const):
+ (JSC::JSArrayBufferView::isNeutered):
+ (JSC::JSArrayBufferView::hasVector const):
+ (JSC::JSArrayBufferView::vector const):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::createUninitialized):
+ (JSC::JSGenericTypedArrayView::estimatedSize):
+ (JSC::JSGenericTypedArrayView::visitChildren):
+ * runtime/Options.h:
+ * runtime/ScopedArgumentsTable.cpp:
+ (JSC::ScopedArgumentsTable::clone):
+ (JSC::ScopedArgumentsTable::setLength):
+ * runtime/ScopedArgumentsTable.h:
+ * runtime/SymbolTable.h:
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBBQPlan.cpp:
+ (JSC::Wasm::BBQPlan::complete):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::cachedMemory const):
+ (JSC::Wasm::Instance::updateCachedMemory):
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::Memory):
+ (JSC::Wasm::Memory::~Memory):
+ (JSC::Wasm::Memory::grow):
+ (JSC::Wasm::Memory::dump const):
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::memory const):
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
+2019-05-08 Caio Lima
+
+ [BigInt] Add ValueMod into DFG
+ https://bugs.webkit.org/show_bug.cgi?id=186174
+
+ Reviewed by Saam Barati.
+
+ This patch is introducing a new DFG node called ValueMod, that is
+ responsible to handle BigInt and Untyped specialization of op_mod.
+ With the introduction of BigInt, we think that cases with
+ ValueMod(Untyped, Untyped) can be more common and we introduced
+ support for such kind of node.
+
+ * dfg/DFGAbstractInterpreter.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::handleConstantDivOp):
+
+ We are abstracting the constant rules of division operations. It
+ includes ArithDiv, ValueDiv, ArithMod and ValueMod, since they perform
+ the same analysis.
+
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::makeSafe):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
+ Here we check if lhs and rhs have number result to emit ArithMod.
+ Otherwise, we need to fallback to ValueMod and let fixup replace this
+ operation when possible.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
+ ValueMod(BigIntUse) doesn't clobberize world because it only calls
+ `operationModBigInt`.
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+
+ ValueMod(BigIntUse) can trigger GC since it allocates intermediate
+ JSBigInt to perform calculation. ValueMod(UntypedUse) can trigger GC
+ because it can execute arbritary code from user.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupArithDivInt32):
+
+ Function created to simplify readability of ArithDiv/AirthMod fixup
+ operation.
+
+ (JSC::DFG::FixupPhase::fixupArithDiv):
+ (JSC::DFG::FixupPhase::fixupNode):
+
+ Following the same fixup rules of ArithDiv.
+
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::binaryOp):
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+
+ ValueMod follows the same prediction propagation rules of ArithMod and
+ the same rules for `doDoubleVoting`.
+
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueMod):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGValidate.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileValueMod):
+
+2019-05-07 Yusuke Suzuki
+
+ [JSC] DFG_ASSERT failed in lowInt52
+ https://bugs.webkit.org/show_bug.cgi?id=197569
+
+ Reviewed by Saam Barati.
+
+ GetStack with FlushedInt52 should load the flushed value in Int52 form and put the result in m_int52Values / m_strictInt52Values. Previously,
+ we load it in JSValue / Int32 form and lowInt52 fails to get appropriate one since GetStack does not put the result in m_int52Values / m_strictInt52Values.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
+
+2019-05-07 Yusuke Suzuki
+
+ [JSC] LLIntPrototypeLoadAdaptiveStructureWatchpoint does not require Bag<>
+ https://bugs.webkit.org/show_bug.cgi?id=197645
+
+ Reviewed by Saam Barati.
+
+ We are using HashMap, Bag> for LLIntPrototypeLoadAdaptiveStructureWatchpoint,
+ but this has several memory inefficiency.
+
+ 1. Structure* and Instruction* are too large. We can just use StructureID and bytecodeOffset (unsigned).
+ 2. While we are using Bag<>, we do not add a new LLIntPrototypeLoadAdaptiveStructureWatchpoint after constructing this Bag first. So we can
+ use Vector instead. We ensure that new entry won't be added to this Vector by making Watchpoint
+ non-movable.
+ 3. Instead of having OpGetById::Metadata&, we just hold `unsigned` bytecodeOffset, and get Metadata& from the owner CodeBlock when needed.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeLLIntInlineCaches):
+ * bytecode/CodeBlock.h:
+ * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
+ (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::LLIntPrototypeLoadAdaptiveStructureWatchpoint):
+ (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
+ * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
+ * bytecode/Watchpoint.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::setupGetByIdPrototypeCache):
+
+2019-05-07 Yusuke Suzuki
+
+ JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
+ https://bugs.webkit.org/show_bug.cgi?id=197479
+
+ Reviewed by Saam Barati.
+
+ Our peephole optimization in BytecodeGenerator is (1) rewinding the previous instruction and (2) emit optimized instruction instead.
+ If we have jump target between the previous instruction and the subsequent instruction, this peephole optimization breaks the jump target.
+ To prevent it, we had a mechanism disabling peephole optimization, setting m_lastOpcodeID = op_end and checking m_lastOpcodeID when performing
+ peephole optimization. However, BytecodeGenerator::emitEqualityOpImpl checks `m_lastInstruction->is` instead of `m_lastOpcodeID == op_typeof`,
+ and miss `op_end` case.
+
+ This patch makes the following changes.
+
+ 1. Add canDoPeepholeOptimization method to clarify the intent of `m_lastInstruction = op_end`.
+ 2. Check canDoPeepholeOptimization status before performing peephole optimization in emitJumpIfTrue, emitJumpIfFalse, and emitEqualityOpImpl.
+ 3. Add `ASSERT(canDoPeepholeOptimization())` in fuseCompareAndJump and fuseTestAndJmp to ensure that peephole optimization is allowed.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::fuseCompareAndJump):
+ (JSC::BytecodeGenerator::fuseTestAndJmp):
+ (JSC::BytecodeGenerator::emitJumpIfTrue):
+ (JSC::BytecodeGenerator::emitJumpIfFalse):
+ (JSC::BytecodeGenerator::emitEqualityOpImpl):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::canDoPeepholeOptimization const):
+
+2019-05-07 Yusuke Suzuki
+
+ TemplateObject passed to template literal tags are not always identical for the same source location.
+ https://bugs.webkit.org/show_bug.cgi?id=190756
+
+ Reviewed by Saam Barati.
+
+ Tagged template literal requires that the site object is allocated per source location. Previously, we create the site object
+ when linking CodeBlock and cache it in CodeBlock. But this is wrong because,
+
+ 1. CodeBlock can be jettisoned and regenerated. So every time CodeBlock is regenerated, we get the different site object.
+ 2. Call and Construct can have different CodeBlock. Even if the function is called in call-form or construct-form, we should return the same site object.
+
+ In this patch, we start caching these site objects in the top-level ScriptExecutable, this matches the spec's per source location since the only one top-level
+ ScriptExecutable is created for the given script code. Each ScriptExecutable of JSFunction can be created multiple times because CodeBlock creates it.
+ But the top-level one is not created by CodeBlock. This top-level ScriptExecutable is well-aligned to the Script itself. The top-level ScriptExecutable now has HashMap,
+ which maps source locations to cached site objects.
+
+ 1. This patch threads the top-level ScriptExecutable to each FunctionExecutable creation. Each FunctionExecutable has a reference to the top-level ScriptExecutable.
+ 2. We put TemplateObjectMap in ScriptExecutable, which manages cached template objects.
+ 3. We move FunctionExecutable::m_cachedPolyProtoStructure to the FunctionExecutable::RareDate to keep FunctionExecutable 128 bytes.
+ 4. TemplateObjectMap is indexed with endOffset of TaggedTemplate.
+
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
+ * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
+ * Scripts/wkbuiltins/builtins_templates.py:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/CodeBlock.h:
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ (JSC::UnlinkedFunctionExecutable::link):
+ * bytecode/UnlinkedFunctionExecutable.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addTemplateObjectConstant):
+ (JSC::BytecodeGenerator::emitGetTemplateObject):
+ * bytecompiler/BytecodeGenerator.h:
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createTaggedTemplate):
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedTemplateObjectDescriptor::encode):
+ (JSC::CachedTemplateObjectDescriptor::decode const):
+ (JSC::CachedJSValue::encode):
+ (JSC::CachedJSValue::decode const):
+ * runtime/EvalExecutable.cpp:
+ (JSC::EvalExecutable::ensureTemplateObjectMap):
+ (JSC::EvalExecutable::visitChildren):
+ * runtime/EvalExecutable.h:
+ * runtime/FunctionExecutable.cpp:
+ (JSC::FunctionExecutable::finishCreation):
+ (JSC::FunctionExecutable::visitChildren):
+ (JSC::FunctionExecutable::fromGlobalCode):
+ (JSC::FunctionExecutable::ensureRareDataSlow):
+ (JSC::FunctionExecutable::ensureTemplateObjectMap):
+ * runtime/FunctionExecutable.h:
+ * runtime/JSModuleRecord.cpp:
+ (JSC::JSModuleRecord::instantiateDeclarations):
+ * runtime/JSTemplateObjectDescriptor.cpp:
+ (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
+ (JSC::JSTemplateObjectDescriptor::create):
+ * runtime/JSTemplateObjectDescriptor.h:
+ * runtime/ModuleProgramExecutable.cpp:
+ (JSC::ModuleProgramExecutable::ensureTemplateObjectMap):
+ (JSC::ModuleProgramExecutable::visitChildren):
+ * runtime/ModuleProgramExecutable.h:
+ * runtime/ProgramExecutable.cpp:
+ (JSC::ProgramExecutable::ensureTemplateObjectMap):
+ (JSC::ProgramExecutable::visitChildren):
+ * runtime/ProgramExecutable.h:
+ * runtime/ScriptExecutable.cpp:
+ (JSC::ScriptExecutable::topLevelExecutable):
+ (JSC::ScriptExecutable::createTemplateObject):
+ (JSC::ScriptExecutable::ensureTemplateObjectMapImpl):
+ (JSC::ScriptExecutable::ensureTemplateObjectMap):
+ * runtime/ScriptExecutable.h:
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCreateBuiltin):
+ (JSC::functionDeleteAllCodeWhenIdle):
+ (JSC::JSDollarVM::finishCreation):
+
+2019-05-07 Robin Morisset
+
+ [B3] Constants should be hoisted to the root block until moveConstants
+ https://bugs.webkit.org/show_bug.cgi?id=197265
+
+ Reviewed by Saam Barati.
+
+ This patch does the following:
+ - B3ReduceStrength now hoists all constants to the root BB, and de-duplicates them along the way
+ - B3PureCSE no longer bothers with constants, since they are already de-duplicated by the time it gets to see them
+ - We now run eliminateDeadCode just after moveConstants, so that the Nops that moveConstants generates are freed instead of staying live throughout Air compilation, reducing memory pressure.
+ - I also took the opportunity to fix typos in comments in various parts of the code base.
+
+ Here are a few numbers to justify this patch:
+ - In JetStream2, about 27% of values at the beginning of B3 are constants
+ - In JetStream2, about 11% of values at the end of B3 are Nops
+ - In JetStream2, this patch increases the number of times that tail duplication happens from a bit less than 24k to a bit more than 25k (hoisting constants makes blocks smaller).
+
+ When I tried measuring the total effect on JetStream2 I got a tiny and almost certainly non-significant progression.
+
+ * b3/B3Generate.cpp:
+ (JSC::B3::generateToAir):
+ * b3/B3MoveConstants.cpp:
+ * b3/B3PureCSE.cpp:
+ (JSC::B3::PureCSE::process):
+ * b3/B3PureCSE.h:
+ * b3/B3ReduceStrength.cpp:
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.h:
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::executeOSRExit):
+
+2019-05-07 Robin Morisset
+
+ All prototypes should call didBecomePrototype()
+ https://bugs.webkit.org/show_bug.cgi?id=196315
+
+ Reviewed by Saam Barati.
+
+ Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor.
+
+ I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
+ create structures with invalid prototypes.
+ It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
+ Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.
+
+ * runtime/BigIntPrototype.cpp:
+ (JSC::BigIntPrototype::finishCreation):
+ * runtime/BooleanPrototype.cpp:
+ (JSC::BooleanPrototype::finishCreation):
+ * runtime/DatePrototype.cpp:
+ (JSC::DatePrototype::finishCreation):
+ * runtime/ErrorConstructor.cpp:
+ (JSC::ErrorConstructor::finishCreation):
+ * runtime/ErrorPrototype.cpp:
+ (JSC::ErrorPrototype::finishCreation):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::FunctionConstructor::finishCreation):
+ * runtime/FunctionPrototype.cpp:
+ (JSC::FunctionPrototype::finishCreation):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototype::finishCreation):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototype::finishCreation):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototype::finishCreation):
+ * runtime/IntlPluralRulesPrototype.cpp:
+ (JSC::IntlPluralRulesPrototype::finishCreation):
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::JSArrayBufferPrototype::finishCreation):
+ * runtime/JSDataViewPrototype.cpp:
+ (JSC::JSDataViewPrototype::finishCreation):
+ * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
+ (JSC::JSGenericTypedArrayViewPrototype::finishCreation):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::createConsoleProperty):
+ * runtime/JSPromisePrototype.cpp:
+ (JSC::JSPromisePrototype::finishCreation):
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ (JSC::JSTypedArrayViewConstructor::finishCreation):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSTypedArrayViewPrototype::finishCreation):
+ * runtime/NumberPrototype.cpp:
+ (JSC::NumberPrototype::finishCreation):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::RegExpPrototype::finishCreation):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+ * runtime/Structure.cpp:
+ (JSC::Structure::isValidPrototype):
+ (JSC::Structure::changePrototypeTransition):
+ * runtime/Structure.h:
+ * runtime/SymbolPrototype.cpp:
+ (JSC::SymbolPrototype::finishCreation):
+ * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
+ (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyInstancePrototype.cpp:
+ (JSC::WebAssemblyInstancePrototype::finishCreation):
+ * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
+ (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::WebAssemblyMemoryPrototype::finishCreation):
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+ (JSC::WebAssemblyModulePrototype::finishCreation):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::WebAssemblyPrototype::finishCreation):
+ * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
+ (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::WebAssemblyTablePrototype::finishCreation):
+
+2019-05-07 Robin Morisset
+
+ WTF::BitVector should have an isEmpty() method
+ https://bugs.webkit.org/show_bug.cgi?id=197637
+
+ Reviewed by Keith Miller.
+
+ Just replaces some comparison of bitCount() to 0 by calls to isEmpty()
+
+ * b3/air/AirAllocateRegistersByGraphColoring.cpp:
+
+2019-05-07 Commit Queue
+
+ Unreviewed, rolling out r244978.
+ https://bugs.webkit.org/show_bug.cgi?id=197671
+
+ TemplateObject map should use start/end offsets (Requested by
+ yusukesuzuki on #webkit).
+
+ Reverted changeset:
+
+ "TemplateObject passed to template literal tags are not always
+ identical for the same source location."
+ https://bugs.webkit.org/show_bug.cgi?id=190756
+ https://trac.webkit.org/changeset/244978
+
+2019-05-07 Tadeu Zagallo
+
+ tryCachePutByID should not crash if target offset changes
+ https://bugs.webkit.org/show_bug.cgi?id=197311
+
+
+ Reviewed by Filip Pizlo.
+
+ When tryCachePutID is called with a cacheable setter, if the target object where the setter was
+ found is still in the prototype chain and there's no poly protos in the chain, we use
+ generateConditionsForPrototypePropertyHit to validate that the target object remains the same.
+ It checks for the absence of the property in every object in the prototype chain from the base
+ down to the target object and checks that the property is still present in the target object. It
+ also bails if there are any uncacheable objects, proxies or dictionary objects in the prototype
+ chain. However, it does not consider two edge cases:
+ - It asserts that the property should still be at the same offset in the target object, but this
+ assertion does not hold if the setter deletes properties of the object and causes the structure
+ to be flattened after the deletion. Instead of asserting, we just use the updated offset.
+ - It does not check whether the new slot is also a setter, which leads to a crash in case it's not.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCachePutByID):
+
+2019-05-07 Saam Barati
+
+ Don't OSR enter into an FTL CodeBlock that has been jettisoned
+ https://bugs.webkit.org/show_bug.cgi?id=197531
+
+
+ Reviewed by Yusuke Suzuki.
+
+ Sometimes we make silly mistakes. This is one of those times. It's invalid to OSR
+ enter into an FTL OSR entry code block that has been jettisoned already.
+
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::clearOSREntryBlockAndResetThresholds):
+ * dfg/DFGJITCode.h:
+ (JSC::DFG::JITCode::clearOSREntryBlock): Deleted.
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ (JSC::DFG::prepareCatchOSREntry):
+ * dfg/DFGOperations.cpp:
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry):
+
+2019-05-06 Keith Miller
+
+ JSWrapperMap should check if existing prototype properties are wrappers when copying exported methods.
+ https://bugs.webkit.org/show_bug.cgi?id=197324
+
+
+ Reviewed by Saam Barati.
+
+ The current implementation prevents using JSExport to shadow a
+ method from a super class. This was because we would only add a
+ method if the prototype didn't already claim to have the
+ property. Normally this would only happen if an Objective-C super
+ class already exported a ObjCCallbackFunction for the method,
+ however, if the user exports a property that is already on
+ Object.prototype the overriden method won't be exported.
+
+ This patch fixes the object prototype issue by checking if the
+ property on the prototype chain is an ObjCCallbackFunction, if
+ it's not then it adds an override.
+
+ * API/JSWrapperMap.mm:
+ (copyMethodsToObject):
+ * API/tests/testapi.mm:
+ (-[ToStringClass toString]):
+ (-[ToStringClass other]):
+ (-[ToStringSubclass toString]):
+ (-[ToStringSubclassNoProtocol toString]):
+ (testToString):
+ (testObjectiveCAPI):
+
+2019-05-06 Yusuke Suzuki
+
+ [JSC] We should check OOM for description string of Symbol
+ https://bugs.webkit.org/show_bug.cgi?id=197634
+
+ Reviewed by Keith Miller.
+
+ When resoling JSString for description of Symbol, we should check OOM error.
+ We also change JSValueMakeSymbol(..., nullptr) to returning a symbol value
+ without description, (1) to simplify the code and (2) give a way for JSC API
+ to create a symbol value without description.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeSymbol):
+ * API/tests/testapi.cpp:
+ (TestAPI::symbolsTypeof):
+ (TestAPI::symbolsDescription):
+ (testCAPIViaCpp):
+ * dfg/DFGOperations.cpp:
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::createWithDescription):
+ * runtime/Symbol.h:
+ * runtime/SymbolConstructor.cpp:
+ (JSC::callSymbol):
+
+2019-05-06 Keith Rollin
+
+ Temporarily disable generate-xcfilelists
+ https://bugs.webkit.org/show_bug.cgi?id=197619
+
+
+ Reviewed by Alex Christensen.
+
+ We need to perform a significant update to the generate-xcfilelist
+ scripts. This work involves coordinated work with another facility. If
+ the work does not occur in tandem, the build will be broken. To avoid
+ this, disable the invoking of the scripts during the transition. The
+ checking will be restored once the new scripts are in place.
+
+ * Scripts/check-xcfilelists.sh:
+
+2019-05-06 Basuke Suzuki
+
+ [PlayStation] Fix build break since r244919
+ https://bugs.webkit.org/show_bug.cgi?id=197627
+
+ Reviewed by Ross Kirsling.
+
+ Bugfix for POSIX socket implementation and suppress warnings.
+
+ * inspector/remote/socket/RemoteInspectorConnectionClient.h:
+ (Inspector::RemoteInspectorConnectionClient::didAccept):
+ * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp:
+ (Inspector::Socket::getPort):
+
+2019-05-06 Yusuke Suzuki
+
+ TemplateObject passed to template literal tags are not always identical for the same source location.
+ https://bugs.webkit.org/show_bug.cgi?id=190756
+
+ Reviewed by Saam Barati.
+
+ Tagged template literal requires that the site object is allocated per source location. Previously, we create the site object
+ when linking CodeBlock and cache it in CodeBlock. But this is wrong because,
+
+ 1. CodeBlock can be jettisoned and regenerated. So every time CodeBlock is regenerated, we get the different site object.
+ 2. Call and Construct can have different CodeBlock. Even if the function is called in call-form or construct-form, we should return the same site object.
+
+ In this patch, we start caching these site objects in the top-level ScriptExecutable, this matches the spec's per source location since the only one top-level
+ ScriptExecutable is created for the given script code. Each ScriptExecutable of JSFunction can be created multiple times because CodeBlock creates it.
+ But the top-level one is not created by CodeBlock. This top-level ScriptExecutable is well-aligned to the Script itself. The top-level ScriptExecutable now has HashMap,
+ which maps source locations to cached site objects.
+
+ 1. This patch threads the top-level ScriptExecutable to each FunctionExecutable creation. Each FunctionExecutable has a reference to the top-level ScriptExecutable.
+ 2. We put TemplateObjectMap in ScriptExecutable, which manages cached template objects.
+ 3. We move FunctionExecutable::m_cachedPolyProtoStructure to the FunctionExecutable::RareDate to keep FunctionExecutable 128 bytes.
+
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
+ * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
+ * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
+ * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
+ * Scripts/wkbuiltins/builtins_templates.py:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finishCreation):
+ (JSC::CodeBlock::setConstantRegisters):
+ * bytecode/CodeBlock.h:
+ * bytecode/UnlinkedFunctionExecutable.cpp:
+ (JSC::UnlinkedFunctionExecutable::link):
+ * bytecode/UnlinkedFunctionExecutable.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::addTemplateObjectConstant):
+ (JSC::BytecodeGenerator::emitGetTemplateObject):
+ * bytecompiler/BytecodeGenerator.h:
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedTemplateObjectDescriptor::encode):
+ (JSC::CachedTemplateObjectDescriptor::decode const):
+ (JSC::CachedJSValue::encode):
+ (JSC::CachedJSValue::decode const):
+ * runtime/EvalExecutable.cpp:
+ (JSC::EvalExecutable::ensureTemplateObjectMap):
+ (JSC::EvalExecutable::visitChildren):
+ * runtime/EvalExecutable.h:
+ * runtime/FunctionExecutable.cpp:
+ (JSC::FunctionExecutable::finishCreation):
+ (JSC::FunctionExecutable::visitChildren):
+ (JSC::FunctionExecutable::fromGlobalCode):
+ (JSC::FunctionExecutable::ensureRareDataSlow):
+ (JSC::FunctionExecutable::ensureTemplateObjectMap):
+ * runtime/FunctionExecutable.h:
+ * runtime/JSModuleRecord.cpp:
+ (JSC::JSModuleRecord::instantiateDeclarations):
+ * runtime/JSTemplateObjectDescriptor.cpp:
+ (JSC::JSTemplateObjectDescriptor::JSTemplateObjectDescriptor):
+ (JSC::JSTemplateObjectDescriptor::create):
+ * runtime/JSTemplateObjectDescriptor.h:
+ * runtime/ModuleProgramExecutable.cpp:
+ (JSC::ModuleProgramExecutable::ensureTemplateObjectMap):
+ (JSC::ModuleProgramExecutable::visitChildren):
+ * runtime/ModuleProgramExecutable.h:
+ * runtime/ProgramExecutable.cpp:
+ (JSC::ProgramExecutable::ensureTemplateObjectMap):
+ (JSC::ProgramExecutable::visitChildren):
+ * runtime/ProgramExecutable.h:
+ * runtime/ScriptExecutable.cpp:
+ (JSC::ScriptExecutable::topLevelExecutable):
+ (JSC::ScriptExecutable::createTemplateObject):
+ (JSC::ScriptExecutable::ensureTemplateObjectMap):
+ * runtime/ScriptExecutable.h:
+ * tools/JSDollarVM.cpp:
+ (JSC::functionCreateBuiltin):
+ (JSC::functionDeleteAllCodeWhenIdle):
+ (JSC::JSDollarVM::finishCreation):
+
+2019-05-04 Tadeu Zagallo
+
+ TypedArrays should not store properties that are canonical numeric indices
+ https://bugs.webkit.org/show_bug.cgi?id=197228
+
+
+ Reviewed by Saam Barati.
+
+ According to the spec[1]:
+ - TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty if the index is a
+ CanonicalNumericIndexString, but invalid according to IntegerIndexedElementGet and similar
+ functions. I.e., there are a few properties that should not be set in a TypedArray, like NaN,
+ Infinity and -0.
+ - On DefineOwnProperty, the out-of-bounds check should be performed before validating the property
+ descriptor.
+ - On GetOwnProperty, the returned descriptor for numeric properties should have writable set to true.
+
+ [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlot):
+ (JSC::JSGenericTypedArrayView::put):
+ (JSC::JSGenericTypedArrayView::defineOwnProperty):
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlotByIndex):
+ (JSC::JSGenericTypedArrayView::putByIndex):
+ * runtime/PropertyName.h:
+ (JSC::isCanonicalNumericIndexString):
+
+2019-05-03 Yusuke Suzuki
+
+ [JSC] Need to emit SetLocal if we emit MovHint in DFGByteCodeParser
+ https://bugs.webkit.org/show_bug.cgi?id=197584
+
+ Reviewed by Saam Barati.
+
+ In r244864, we emit MovHint for adhocly created GetterCall/SetterCall frame locals in the callee side to make OSR availability analysis's pruning correct.
+ However, we just emit MovHint, and we do not emit SetLocal since we ensured that these locals are already flushed in the same place before. However, MovHint
+ and SetLocal are needed to be a pair in DFGByteCodeParser because we rely on this assumption in SSA conversion phase. SSA conversion phase always emit KillStack
+ just before MovHint's target location even if the MovHint's target is the same to the previously emitted MovHint and SetLocal.
+ This patch emits SetLocal too when emitting MovHint for GetterCall/SetterCall frame locals.
+
+ The example is like this.
+
+ a: SomeValueNode
+ : MovHint(@a, loc10)
+ b: SetLocal(@a, loc10)
+ ...
+ c: MovHint(@a, loc10)
+
+ Then, this will be converted to the style in SSA conversion.
+
+ a: SomeValueNode
+ : KillStack(loc10)
+ b: PutStack(@a, loc10)
+ ...
+ c: KillStack(loc10)
+
+ Then, @b will be removed later since @c kills it.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::inlineCall):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::MarkedBlock):
+ (JSC::MarkedBlock::Handle::stopAllocating):
+ (JSC::MarkedBlock::Handle::resumeAllocating):
+ (JSC::MarkedBlock::aboutToMarkSlow):
+ (JSC::MarkedBlock::Handle::didConsumeFreeList):
+
+2019-05-03 Devin Rousso
+
+ Web Inspector: DOM: rename "low power" to "display composited"
+ https://bugs.webkit.org/show_bug.cgi?id=197296
+
+ Reviewed by Joseph Pecoraro.
+
+ Removed specific ChangeLog entries since it is almost entirely mechanical changes.
+
+ * inspector/protocol/DOM.json:
+
+2019-05-03 Basuke Suzuki
+
+ [WinCairo] Implement and enable RemoteInspector Server.
+ https://bugs.webkit.org/show_bug.cgi?id=197432
+
+ Reviewed by Ross Kirsling.
+
+ Implement Windows implementation for Socket Backend of RemoteInspector and enable it on WinCairo
+ for experimental feature.
+
+ Also add listener interface for connection between RemoteInspector and RemoteInspectorServer
+ for flexible configuration.
+
+ * PlatformWin.cmake:
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/socket/RemoteInspectorConnectionClient.h:
+ (Inspector::RemoteInspectorConnectionClient::didAccept):
+ * inspector/remote/socket/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::connect):
+ (Inspector::RemoteInspectorServer::listenForTargets):
+ (Inspector::RemoteInspectorServer::didAccept):
+ (Inspector::RemoteInspectorServer::dispatchMap):
+ (Inspector::RemoteInspectorServer::start):
+ (Inspector::RemoteInspectorServer::addServerConnection): Deleted.
+ * inspector/remote/socket/RemoteInspectorServer.h: + (Inspector::RemoteInspectorServer::RemoteInspectorServer): + * inspector/remote/socket/RemoteInspectorSocket.cpp: + (Inspector::RemoteInspector::RemoteInspector): + (Inspector::RemoteInspector::dispatchMap): + (Inspector::RemoteInspector::start): + (Inspector::RemoteInspector::stopInternal): + (Inspector::RemoteInspector::setServerPort): + * inspector/remote/socket/RemoteInspectorSocket.h: + * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp: + (Inspector::RemoteInspectorSocketEndpoint::listenInet): + (Inspector::RemoteInspectorSocketEndpoint::getPort const): + (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled): + * inspector/remote/socket/RemoteInspectorSocketEndpoint.h: + * inspector/remote/socket/posix/RemoteInspectorSocketPOSIX.cpp: + (Inspector::Socket::init): Added. + (Inspector::Socket::listen): Signature changed. + (Inspector::Socket::getPort): Added. + * inspector/remote/socket/win/RemoteInspectorSocketWin.cpp: Added. 
+ (Inspector::Socket::init): + (Inspector::Socket::Socket::Socket): + (Inspector::Socket::Socket::~Socket): + (Inspector::Socket::Socket::close): + (Inspector::Socket::Socket::operator PlatformSocketType const): + (Inspector::Socket::Socket::operator bool const): + (Inspector::Socket::Socket::leak): + (Inspector::Socket::Socket::create): + (Inspector::Socket::setOpt): + (Inspector::Socket::setOptEnabled): + (Inspector::Socket::enableOpt): + (Inspector::Socket::connectTo): + (Inspector::Socket::bindAndListen): + (Inspector::Socket::connect): + (Inspector::Socket::listen): + (Inspector::Socket::accept): + (Inspector::Socket::createPair): + (Inspector::Socket::setup): + (Inspector::Socket::isValid): + (Inspector::Socket::isListening): + (Inspector::Socket::getPort): + (Inspector::Socket::read): + (Inspector::Socket::write): + (Inspector::Socket::close): + (Inspector::Socket::preparePolling): + (Inspector::Socket::poll): + (Inspector::Socket::isReadable): + (Inspector::Socket::isWritable): + (Inspector::Socket::markWaitingWritable): + (Inspector::Socket::clearWaitingWritable): + +2019-05-03 Yusuke Suzuki + + [JSC] Generator CodeBlock generation should be idempotent + https://bugs.webkit.org/show_bug.cgi?id=197552 + + Reviewed by Keith Miller. + + ES6 Generator saves and resumes the current execution state. Since ES6 generator can save the execution state at expression + granularity (not statement granularity), the saved state involves locals. But if the underlying CodeBlock is jettisoned and + recompiled with different code generation option (like, debugger, type profiler etc.), the generated instructions can be largely + different and it does not have the same state previously used. If we resume the previously created generator with the newly + generator function, resuming is messed up. + + function* gen () { ... } + var g = gen(); + g.next(); + + // CodeBlock is destroyed & Debugger is enabled. + + g.next(); + + In this patch, + + 1. 
In generatorification, we use index Identifier (localN => Identifier("N")) instead of private symbols to generate the same + instructions every time we regenerate the CodeBlock. + + 2. We decouple the options which can affect on the generated code (Debugger, TypeProfiler, ControlFlowProfiler) from the BytecodeGenerator, + and pass them as a parameter, OptionSet. + + 3. Generator ScriptExecutable remembers the previous CodeGeneratorMode and reuses this parameter to regenerate CodeBlock. It means that, + even if the debugger is enabled, previously created generators are not debuggable. But newly created generators are debuggable. + + * bytecode/BytecodeGeneratorification.cpp: + (JSC::BytecodeGeneratorification::storageForGeneratorLocal): + (JSC::BytecodeGeneratorification::run): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::setConstantRegisters): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::wasCompiledWithDebuggingOpcodes const): + (JSC::UnlinkedCodeBlock::wasCompiledWithTypeProfilerOpcodes const): + (JSC::UnlinkedCodeBlock::wasCompiledWithControlFlowProfilerOpcodes const): + (JSC::UnlinkedCodeBlock::codeGenerationMode const): + * bytecode/UnlinkedEvalCodeBlock.h: + * bytecode/UnlinkedFunctionCodeBlock.h: + * bytecode/UnlinkedFunctionExecutable.cpp: + (JSC::generateUnlinkedFunctionCodeBlock): + (JSC::UnlinkedFunctionExecutable::fromGlobalCode): + (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor): + * bytecode/UnlinkedFunctionExecutable.h: + * bytecode/UnlinkedGlobalCodeBlock.h: + (JSC::UnlinkedGlobalCodeBlock::UnlinkedGlobalCodeBlock): + * bytecode/UnlinkedModuleProgramCodeBlock.h: + * bytecode/UnlinkedProgramCodeBlock.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo): + (JSC::BytecodeGenerator::emitProfileType): + 
(JSC::BytecodeGenerator::emitProfileControlFlow): + (JSC::BytecodeGenerator::pushLexicalScopeInternal): + (JSC::BytecodeGenerator::popLexicalScopeInternal): + (JSC::BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration): + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitCallVarargs): + (JSC::BytecodeGenerator::emitLogShadowChickenPrologueIfNecessary): + (JSC::BytecodeGenerator::emitLogShadowChickenTailIfNecessary): + (JSC::BytecodeGenerator::emitDebugHook): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::shouldEmitDebugHooks const): + (JSC::BytecodeGenerator::shouldEmitTypeProfilerHooks const): + (JSC::BytecodeGenerator::shouldEmitControlFlowProfilerHooks const): + * bytecompiler/NodesCodegen.cpp: + (JSC::PrefixNode::emitResolve): + (JSC::EmptyVarExpression::emitBytecode): + (JSC::ReturnNode::emitBytecode): + (JSC::FunctionNode::emitBytecode): + * parser/ParserModes.h: + (): Deleted. + * parser/SourceCodeKey.h: + (JSC::SourceCodeFlags::SourceCodeFlags): + (JSC::SourceCodeKey::SourceCodeKey): + * runtime/CachedTypes.cpp: + (JSC::CachedCodeBlock::isClassContext const): + (JSC::CachedCodeBlock::codeGenerationMode const): + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + (JSC::CachedCodeBlock::encode): + (JSC::CachedCodeBlock::wasCompiledWithDebuggingOpcodes const): Deleted. 
+ * runtime/CodeCache.cpp: + (JSC::CodeCache::getUnlinkedGlobalCodeBlock): + (JSC::CodeCache::getUnlinkedProgramCodeBlock): + (JSC::CodeCache::getUnlinkedEvalCodeBlock): + (JSC::CodeCache::getUnlinkedModuleProgramCodeBlock): + (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable): + (JSC::generateUnlinkedCodeBlockForFunctions): + (JSC::sourceCodeKeyForSerializedBytecode): + (JSC::sourceCodeKeyForSerializedProgram): + (JSC::sourceCodeKeyForSerializedModule): + (JSC::serializeBytecode): + * runtime/CodeCache.h: + (JSC::generateUnlinkedCodeBlockImpl): + (JSC::generateUnlinkedCodeBlock): + * runtime/Completion.cpp: + (JSC::generateProgramBytecode): + (JSC::generateModuleBytecode): + * runtime/DirectEvalExecutable.cpp: + (JSC::DirectEvalExecutable::create): + * runtime/IndirectEvalExecutable.cpp: + (JSC::IndirectEvalExecutable::create): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::defaultCodeGenerationMode const): + * runtime/ModuleProgramExecutable.cpp: + (JSC::ModuleProgramExecutable::create): + * runtime/ProgramExecutable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/ScriptExecutable.cpp: + (JSC::ScriptExecutable::ScriptExecutable): + (JSC::ScriptExecutable::newCodeBlockFor): + * runtime/ScriptExecutable.h: + * tools/JSDollarVM.cpp: + (JSC::changeDebuggerModeWhenIdle): + (JSC::functionEnableDebuggerModeWhenIdle): + (JSC::functionDisableDebuggerModeWhenIdle): + +2019-05-03 Devin Rousso + + Web Inspector: Record actions performed on WebGL2RenderingContext + https://bugs.webkit.org/show_bug.cgi?id=176008 + + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/Recording.json: + * inspector/scripts/codegen/generator.py: + Add `canvas-webgl2` as a `Type`. + +2019-05-03 Commit Queue + + Unreviewed, rolling out r244881. + https://bugs.webkit.org/show_bug.cgi?id=197559 + + Breaks compilation of jsconly on linux, breaking compilation + for jsc-i386-ews, jsc-mips-ews and jsc-armv7-ews (Requested by + guijemont on #webkit). 
+ + Reverted changeset: + + "[CMake] Refactor WEBKIT_MAKE_FORWARDING_HEADERS into + WEBKIT_COPY_FILES" + https://bugs.webkit.org/show_bug.cgi?id=197174 + https://trac.webkit.org/changeset/244881 + +2019-05-02 Don Olmstead + + [CMake] Refactor WEBKIT_MAKE_FORWARDING_HEADERS into WEBKIT_COPY_FILES + https://bugs.webkit.org/show_bug.cgi?id=197174 + + Reviewed by Alex Christensen. + + Replace WEBKIT_MAKE_FORWARDING_HEADERS with WEBKIT_COPY_FILES and make dependencies + for framework headers explicit. + + * CMakeLists.txt: + +2019-05-02 Michael Saboff + + Unreviewed rollout of r244862. + + * runtime/JSObject.cpp: + (JSC::JSObject::getOwnPropertyDescriptor): + +2019-05-01 Saam barati + + Baseline JIT should do argument value profiling after checking for stack overflow + https://bugs.webkit.org/show_bug.cgi?id=197052 + + + Reviewed by Yusuke Suzuki. + + Otherwise, we may do value profiling without running a write barrier, which + is against the rules of how we do value profiling. + + * jit/JIT.cpp: + (JSC::JIT::compileWithoutLinking): + +2019-05-01 Yusuke Suzuki + + [JSC] Inlining Getter/Setter should care availability of ad-hocly constructed frame + https://bugs.webkit.org/show_bug.cgi?id=197405 + + Reviewed by Saam Barati. + + When inlining getter and setter calls, we setup a stack frame which does not appear in the bytecode. + Because Inlining can switch on executable, we could have a graph like this. + + BB#0 + ... + 30: GetSetter + 31: MovHint(loc10) + 32: SetLocal(loc10) + 33: MovHint(loc9) + 34: SetLocal(loc9) + ... + 37: GetExecutable(@30) + ... + 41: Switch(@37) + + BB#2 + 42: GetLocal(loc12, bc#7 of caller) + ... + --> callee: loc9 and loc10 are arguments of callee. + ... + + + When we prune OSR availability at the beginning of BB#2 (bc#7 in the caller), we prune loc9 and loc10's liveness because the caller does not actually have loc9 and loc10. 
+ However, when we begin executing the callee, we need OSR exit to be aware of where it can recover the arguments to the setter, loc9 and loc10. + + This patch inserts MovHint at the beginning of callee for a getter / setter stack frame to make arguments (loc9 and loc10 in the above example) recoverable from OSR exit. + We also move arity fixup DFG nodes from the caller to the callee, since moved arguments are not live in the caller too. + + Interestingly, this fix also reveals the existing issue in LiveCatchVariablePreservationPhase. We emitted Flush for |this| of InlineCallFrame blindly if we saw InlineCallFrame + inside a block which is covered by catch handler. But this is wrong because inlined function can finish its execution within the block, and |this| is completely unrelated to + the catch handler if the catch handler is in the outer callee. We already collect all the live locals at the catch handler. And this locals must include arguments too if the + catch handler is in inlined function. So, we should not emit Flush for each |this| of seen InlineCallFrame. This emitted Flush may connect unrelated locals in the catch handler + to the locals that is only defined and used in the inlined function, and it leads to the results like DFG says the local is live while the bytecode says the local is dead. + This results in reading and using garbage in OSR entry because DFG OSR entry needs to fill live DFG values from the stack. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGLiveCatchVariablePreservationPhase.cpp: + (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch): + +2019-05-01 Michael Saboff + + ASSERTION FAILED: !m_needExceptionCheck with --validateExceptionChecks=1; ProxyObject.getOwnPropertySlotCommon/JSFunction.callerGetter + https://bugs.webkit.org/show_bug.cgi?id=197485 + + Reviewed by Saam Barati. 
+ + Added an EXCEPTION_ASSERT after call to getOwnPropertySlot(). + + * runtime/JSObject.cpp: + (JSC::JSObject::getOwnPropertyDescriptor): + +2019-05-01 Ross Kirsling + + RemoteInspector::updateAutomaticInspectionCandidate should have a default implementation. + https://bugs.webkit.org/show_bug.cgi?id=197439 + + Reviewed by Devin Rousso. + + On non-Cocoa platforms, automatic inspection is not currently implemented, + so updateAutomaticInspectionCandidate falls back to the logic of updateTarget. + This logic already existed in three places, so refactor it into a common private method + and allow our websocket-based RWI implementation to make use of it too. + + * inspector/remote/RemoteInspector.cpp: + (Inspector::RemoteInspector::updateTarget): + (Inspector::RemoteInspector::updateTargetMap): + (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): + * inspector/remote/RemoteInspector.h: + * inspector/remote/cocoa/RemoteInspectorCocoa.mm: + (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): + * inspector/remote/glib/RemoteInspectorGlib.cpp: + (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): Deleted. + * inspector/remote/socket/RemoteInspectorSocket.cpp: + (Inspector::RemoteInspector::updateAutomaticInspectionCandidate): Deleted. + +2019-05-01 Darin Adler + + WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support + https://bugs.webkit.org/show_bug.cgi?id=195535 + + Reviewed by Alexey Proskuryakov. + + * API/JSClassRef.cpp: Removed uneeded include of UTF8Conversion.h. + + * API/JSStringRef.cpp: + (JSStringCreateWithUTF8CString): Updated for changes to convertUTF8ToUTF16. + (JSStringGetUTF8CString): Updated for changes to convertLatin1ToUTF8. + Removed unneeded "true" to get the strict version of convertUTF16ToUTF8, + since that is the default. Also updated for changes to CompletionResult. 
+ + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::decode): Stop using UTF8SequenceLength, and instead use U8_COUNT_TRAIL_BYTES + and U8_MAX_LENGTH. Instead of decodeUTF8Sequence, use U8_NEXT. Also use U_IS_BMP, + U_IS_SUPPLEMENTARY, U16_LEAD, U16_TRAIL, and U_IS_SURROGATE instead of our own + equivalents, since these macros from ICU are correct and efficient. + + * wasm/WasmParser.h: + (JSC::Wasm::Parser::consumeUTF8String): Updated for changes to + convertUTF8ToUTF16. + +2019-05-01 Shawn Roberts + + Unreviewed, rolling out r244821. + + Causing + + Reverted changeset: + + "WebKit has too much of its own UTF-8 code and should rely + more on ICU's UTF-8 support" + https://bugs.webkit.org/show_bug.cgi?id=195535 + https://trac.webkit.org/changeset/244821 + +2019-04-29 Darin Adler + + WebKit has too much of its own UTF-8 code and should rely more on ICU's UTF-8 support + https://bugs.webkit.org/show_bug.cgi?id=195535 + + Reviewed by Alexey Proskuryakov. + + * API/JSClassRef.cpp: Removed uneeded include of UTF8Conversion.h. + + * API/JSStringRef.cpp: + (JSStringCreateWithUTF8CString): Updated for changes to convertUTF8ToUTF16. + (JSStringGetUTF8CString): Updated for changes to convertLatin1ToUTF8. + Removed unneeded "true" to get the strict version of convertUTF16ToUTF8, + since that is the default. Also updated for changes to CompletionResult. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::decode): Stop using UTF8SequenceLength, and instead use U8_COUNT_TRAIL_BYTES + and U8_MAX_LENGTH. Instead of decodeUTF8Sequence, use U8_NEXT. Also use U_IS_BMP, + U_IS_SUPPLEMENTARY, U16_LEAD, U16_TRAIL, and U_IS_SURROGATE instead of our own + equivalents, since these macros from ICU are correct and efficient. + + * wasm/WasmParser.h: + (JSC::Wasm::Parser::consumeUTF8String): Updated for changes to + convertUTF8ToUTF16. + +2019-04-30 Commit Queue + + Unreviewed, rolling out r244806. 
+ https://bugs.webkit.org/show_bug.cgi?id=197446 + + Causing Test262 and JSC test failures on multiple builds + (Requested by ShawnRoberts on #webkit). + + Reverted changeset: + + "TypeArrays should not store properties that are canonical + numeric indices" + https://bugs.webkit.org/show_bug.cgi?id=197228 + https://trac.webkit.org/changeset/244806 + +2019-04-30 Saam barati + + CodeBlock::m_instructionCount is wrong + https://bugs.webkit.org/show_bug.cgi?id=197304 + + Reviewed by Yusuke Suzuki. + + What we were calling instructionCount() was wrong, as evidenced by + us using it incorrectly both in the sampling profiler and when we + dumped bytecode for a given CodeBlock. Prior to the bytecode rewrite, + instructionCount() was probably valid to do bounds checks against. + However, this is no longer the case. This patch renames what we called + instructionCount() to bytecodeCost(). It is now only used to make decisions + about inlining and tier up heuristics. I've also named options related to + this appropriately. + + This patch also introduces instructionsSize(). The result of this method + is valid to do bounds checks against. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpAssumingJITType const): + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finishCreation): + (JSC::CodeBlock::optimizationThresholdScalingFactor): + (JSC::CodeBlock::predictedMachineCodeSize): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::instructionsSize const): + (JSC::CodeBlock::bytecodeCost const): + (JSC::CodeBlock::instructionCount const): Deleted. 
+ * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::inliningCost): + (JSC::DFG::ByteCodeParser::getInliningBalance): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::mightCompileEval): + (JSC::DFG::mightCompileProgram): + (JSC::DFG::mightCompileFunctionForCall): + (JSC::DFG::mightCompileFunctionForConstruct): + (JSC::DFG::mightInlineFunctionForCall): + (JSC::DFG::mightInlineFunctionForClosureCall): + (JSC::DFG::mightInlineFunctionForConstruct): + * dfg/DFGCapabilities.h: + (JSC::DFG::isSmallEnoughToInlineCodeInto): + * dfg/DFGDisassembler.cpp: + (JSC::DFG::Disassembler::dumpHeader): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThread): + * dfg/DFGTierUpCheckInjectionPhase.cpp: + (JSC::DFG::TierUpCheckInjectionPhase::run): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * jit/JIT.cpp: + (JSC::JIT::link): + * jit/JITDisassembler.cpp: + (JSC::JITDisassembler::dumpHeader): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::shouldJIT): + * profiler/ProfilerBytecodes.cpp: + (JSC::Profiler::Bytecodes::Bytecodes): + * runtime/Options.h: + * runtime/SamplingProfiler.cpp: + (JSC::tryGetBytecodeIndex): + (JSC::SamplingProfiler::processUnverifiedStackTraces): + +2019-04-30 Tadeu Zagallo + + TypeArrays should not store properties that are canonical numeric indices + https://bugs.webkit.org/show_bug.cgi?id=197228 + + + Reviewed by Darin Adler. + + According to the spec[1], TypedArrays should not perform an ordinary GetOwnProperty/SetOwnProperty + if the index is a CanonicalNumericIndexString, but invalid according toIntegerIndexedElementGet + and similar functions. I.e., there are a few properties that should not be set in a TypedArray, + like NaN, Infinity and -0. 
+ + [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-integer-indexed-exotic-objects-defineownproperty-p-desc + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::getOwnPropertySlot): + (JSC::JSGenericTypedArrayView::put): + (JSC::JSGenericTypedArrayView::defineOwnProperty): + (JSC::JSGenericTypedArrayView::getOwnPropertySlotByIndex): + (JSC::JSGenericTypedArrayView::putByIndex): + * runtime/JSTypedArrays.cpp: + * runtime/PropertyName.h: + (JSC::canonicalNumericIndexString): + +2019-04-30 Brian Burg + + Web Automation: use a more informative key to indicate automation availability + https://bugs.webkit.org/show_bug.cgi?id=197377 + + + Reviewed by Devin Rousso. + + The existing WIRAutomationEnabledKey does not encode uncertainty. + Add a new key that provides an 'Unknown' state, and prefer to use it. + + Since an application's initial listing is sent from a background dispatch queue + on Cocoa platforms, this can race with main thread initialization that sets up + RemoteInspector::Client. Therefore, the initial listing may not properly represent + the client's capabilites because the client is not yet available. Allowing for + an "Unknown" state that is later upgraded to Available or Not Available makes it + possible to work around this potential race. + + * inspector/remote/RemoteInspectorConstants.h: + * inspector/remote/cocoa/RemoteInspectorCocoa.mm: + (Inspector::RemoteInspector::pushListingsNow): + +2019-04-30 Keith Miller + + Fix failing ARM64E wasm tests + https://bugs.webkit.org/show_bug.cgi?id=197420 + + Reviewed by Saam Barati. + + This patch fixes a bug in the slow path of our JS->Wasm IC bridge + where we wouldn't untag the link register before tail calling. + + Additionally, this patch fixes a broken assert when using setting + Options::useTailCalls=false. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCallForwardArgumentsInTailPosition): + * wasm/js/WebAssemblyFunction.cpp: + (JSC::WebAssemblyFunction::jsCallEntrypointSlow): + +2019-04-29 Saam Barati + + Make JITType an enum class + https://bugs.webkit.org/show_bug.cgi?id=197394 + + Reviewed by Yusuke Suzuki. + + This makes the code more easily searchable. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpAssumingJITType const): + (JSC::CodeBlock::specialOSREntryBlockOrNull): + (JSC::timeToLive): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::baselineAlternative): + (JSC::CodeBlock::baselineVersion): + (JSC::CodeBlock::hasOptimizedReplacement): + (JSC::CodeBlock::noticeIncomingCall): + (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): + (JSC::CodeBlock::tallyFrequentExitSites): + (JSC::CodeBlock::frameRegisterCount): + (JSC::CodeBlock::bytecodeOffsetFromCallSiteIndex): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::jitType const): + (JSC::CodeBlock::hasBaselineJITProfiling const): + * bytecode/CodeBlockWithJITType.h: + (JSC::CodeBlockWithJITType::CodeBlockWithJITType): + * bytecode/DeferredSourceDump.cpp: + (JSC::DeferredSourceDump::DeferredSourceDump): + * bytecode/DeferredSourceDump.h: + * bytecode/ExitingJITType.h: + (JSC::exitingJITTypeFor): + * bytecode/InlineCallFrame.h: + (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseCodeBlock): + * dfg/DFGDisassembler.cpp: + (JSC::DFG::Disassembler::dumpHeader): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGJITCode.cpp: + (JSC::DFG::JITCode::JITCode): + (JSC::DFG::JITCode::checkIfOptimizationThresholdReached): + (JSC::DFG::JITCode::optimizeNextInvocation): + (JSC::DFG::JITCode::dontOptimizeAnytimeSoon): + (JSC::DFG::JITCode::optimizeAfterWarmUp): + 
(JSC::DFG::JITCode::optimizeSoon): + (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently): + (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult): + * dfg/DFGJITFinalizer.cpp: + (JSC::DFG::JITFinalizer::finalize): + (JSC::DFG::JITFinalizer::finalizeFunction): + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + (JSC::DFG::prepareCatchOSREntry): + * dfg/DFGOSRExit.cpp: + (JSC::DFG::OSRExit::executeOSRExit): + (JSC::DFG::reifyInlinedCallFrames): + (JSC::DFG::OSRExit::compileOSRExit): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::handleExitCounts): + (JSC::DFG::reifyInlinedCallFrames): + (JSC::DFG::adjustAndJumpToTarget): + * dfg/DFGOSRExitCompilerCommon.h: + (JSC::DFG::adjustFrameAndStackInOSRExitCompilerThunk): + * dfg/DFGOperations.cpp: + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitGenerationThunkGenerator): + * dfg/DFGVariableEventStream.cpp: + (JSC::DFG::VariableEventStream::reconstruct const): + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLJITCode.cpp: + (JSC::FTL::JITCode::JITCode): + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeCommon): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLThunks.cpp: + (JSC::FTL::genericGenerationThunkGenerator): + * interpreter/CallFrame.cpp: + (JSC::CallFrame::callSiteBitsAreBytecodeOffset const): + (JSC::CallFrame::callSiteBitsAreCodeOriginIndex const): + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::Frame::dump const): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::AssemblyHelpers): + * jit/JIT.cpp: + (JSC::JIT::link): + * jit/JITCode.cpp: + (JSC::JITCode::typeName): + (WTF::printInternal): + * jit/JITCode.h: + (JSC::JITCode::bottomTierJIT): + (JSC::JITCode::topTierJIT): + (JSC::JITCode::nextTierJIT): + (JSC::JITCode::isExecutableScript): + (JSC::JITCode::couldBeInterpreted): + (JSC::JITCode::isJIT): + (JSC::JITCode::isOptimizingJIT): + (JSC::JITCode::isBaselineCode): + 
(JSC::JITCode::jitTypeFor): + * jit/JITDisassembler.cpp: + (JSC::JITDisassembler::dumpHeader): + * jit/JITOperations.cpp: + * jit/JITThunks.cpp: + (JSC::JITThunks::hostFunctionStub): + * jit/JITToDFGDeferredCompilationCallback.cpp: + (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously): + (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete): + * jit/JITWorklist.cpp: + (JSC::JITWorklist::compileLater): + (JSC::JITWorklist::compileNow): + * jit/Repatch.cpp: + (JSC::readPutICCallTarget): + (JSC::ftlThunkAwareRepatchCall): + * llint/LLIntEntrypoint.cpp: + (JSC::LLInt::setFunctionEntrypoint): + (JSC::LLInt::setEvalEntrypoint): + (JSC::LLInt::setProgramEntrypoint): + (JSC::LLInt::setModuleProgramEntrypoint): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::jitCompileAndSetHeuristics): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/SamplingProfiler.cpp: + (JSC::SamplingProfiler::processUnverifiedStackTraces): + * runtime/SamplingProfiler.h: + * runtime/VM.cpp: + (JSC::jitCodeForCallTrampoline): + (JSC::jitCodeForConstructTrampoline): + * tools/CodeProfile.cpp: + (JSC::CodeProfile::sample): + * tools/JSDollarVM.cpp: + (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor): + (JSC::CallerFrameJITTypeFunctor::jitType): + (JSC::functionLLintTrue): + (JSC::functionJITTrue): + +2019-04-29 Yusuke Suzuki + + Unreivewed, fix FTL implementation of r244760 + https://bugs.webkit.org/show_bug.cgi?id=197362 + + Reviewed by Saam Barati. + + Looked with Saam. ValueFromBlock from double case block was overridden by NaN thing now. + + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey): + +2019-04-29 Yusuke Suzuki + + normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same + https://bugs.webkit.org/show_bug.cgi?id=197362 + + Reviewed by Saam Barati. + + Our Map/Set's hash algorithm relies on the bit pattern of JSValue. 
So our Map/Set has + normalization of the key, which normalizes Int32 / Double etc. But we did not normalize + pure NaNs into one canonicalized pure NaN. So we end up having multiple different pure NaNs + in one Map/Set. This patch normalizes NaN into one jsNaN(), which uses PNaN for the representation. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): + * ftl/FTLLowerDFGToB3.cpp: + (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey): + * runtime/HashMapImpl.h: + (JSC::normalizeMapKey): + +2019-04-29 Alex Christensen + + Fix internal High Sierra build + https://bugs.webkit.org/show_bug.cgi?id=197388 + + * Configurations/Base.xcconfig: + +2019-04-29 Yusuke Suzuki + + JITStubRoutineSet wastes 180KB of HashTable capacity on can.com + https://bugs.webkit.org/show_bug.cgi?id=186732 + + Reviewed by Saam Barati. + + Our current mechanism of JITStubRoutineSet consumes more memory than needed. Basically we have HashMap and register + each executable address by 16 byte to this entry. So if your StubRoutine has 128bytes, it just adds 8 entries to this hash table. + In Gmail, we see a ~2MB table size. + + Instead, this patch uses Vector> and performs binary search onto this sorted vector. Before conservative + scanning, we sort this vector. And doing binary search with the sorted vector to find executing stub routines from the conservative roots. + This vector includes uintptr_t startAddress to make binary searching fast. + + Large amount of conservative scan should be filtered by range check, so I think binary search here is OK, but we can decide based on what the + performance bots say. 
+
+ * heap/Heap.cpp:
+ (JSC::Heap::addCoreConstraints):
+ * heap/JITStubRoutineSet.cpp:
+ (JSC::JITStubRoutineSet::~JITStubRoutineSet):
+ (JSC::JITStubRoutineSet::add):
+ (JSC::JITStubRoutineSet::prepareForConservativeScan):
+ (JSC::JITStubRoutineSet::clearMarks):
+ (JSC::JITStubRoutineSet::markSlow):
+ (JSC::JITStubRoutineSet::deleteUnmarkedJettisonedStubRoutines):
+ (JSC::JITStubRoutineSet::traceMarkedStubRoutines):
+ * heap/JITStubRoutineSet.h:
+ (JSC::JITStubRoutineSet::mark):
+ (JSC::JITStubRoutineSet::prepareForConservativeScan):
+ (JSC::JITStubRoutineSet::size const): Deleted.
+ (JSC::JITStubRoutineSet::at const): Deleted.
+
+2019-04-29 Basuke Suzuki
+
+ [Win] Add flag to enable version information stamping and disable by default.
+ https://bugs.webkit.org/show_bug.cgi?id=197249
+
+
+ Reviewed by Ross Kirsling.
+
+ This feature is only used in AppleWin port. Add flag for this task and make it OFF by default.
+ Then enable it by default on AppleWin.
+
+ * CMakeLists.txt:
+
+2019-04-26 Keith Rollin
+
+ Enable new build rule for post-processing headers when using XCBuild
+ https://bugs.webkit.org/show_bug.cgi?id=197340
+
+
+ Reviewed by Brent Fulgham.
+
+ In Bug 197116, we conditionally disabled the old method for
+ post-processing header files when we are using the new XCBuild build
+ system. This check-in conditionally enables the new post-processing
+ facility. Note that the old system is disabled and the new system
+ enabled only when the USE_NEW_BUILD_SYSTEM environment variable is set
+ to YES.
+
+ * Configurations/JavaScriptCore.xcconfig:
+
+2019-04-26 Jessie Berlin
+
+ Add new mac target numbers
+ https://bugs.webkit.org/show_bug.cgi?id=197313
+
+ Reviewed by Alex Christensen.
+
+ * Configurations/Version.xcconfig:
+ * Configurations/WebKitTargetConditionals.xcconfig:
+
+2019-04-26 Commit Queue
+
+ Unreviewed, rolling out r244708.
+ https://bugs.webkit.org/show_bug.cgi?id=197334
+
+ "Broke the debug build" (Requested by rmorisset on #webkit).
+
+ Reverted changeset:
+
+ "All prototypes should call didBecomePrototype()"
+ https://bugs.webkit.org/show_bug.cgi?id=196315
+ https://trac.webkit.org/changeset/244708
+
+2019-04-26 Don Olmstead
+
+ [CMake] Add WEBKIT_EXECUTABLE macro
+ https://bugs.webkit.org/show_bug.cgi?id=197206
+
+ Reviewed by Konstantin Tokarev.
+
+ Migrate to WEBKIT_EXECUTABLE for the jsc and test targets.
+
+ * b3/air/testair.cpp:
+ * b3/testb3.cpp:
+ * dfg/testdfg.cpp:
+ * shell/CMakeLists.txt:
+ * shell/PlatformGTK.cmake:
+ * shell/PlatformJSCOnly.cmake: Removed.
+ * shell/PlatformMac.cmake:
+ * shell/PlatformPlayStation.cmake:
+ * shell/PlatformWPE.cmake:
+ * shell/PlatformWin.cmake:
+
+2019-04-25 Yusuke Suzuki
+
+ [JSC] linkPolymorphicCall now does GC
+ https://bugs.webkit.org/show_bug.cgi?id=197306
+
+ Reviewed by Saam Barati.
+
+ Previously, we assumed that linkPolymorphicCall does not perform allocations. So we put CallVariant into a Vector<>.
+ But now, WebAssemblyFunction's entrypoint generation can allocate JSToWasmICCallee and cause GC. Since CallLinkInfo
+ does not hold these cells, they can be collected, and we will see dead cells in the middle of linkPolymorphicCall.
+ We should defer GC for a while in linkPolymorphicCall. We use DeferGCForAWhile instead of DeferGC because the
+ caller "operationLinkPolymorphicCall" assumes that this function does not cause GC.
+
+ * jit/Repatch.cpp:
+ (JSC::linkPolymorphicCall):
+
+2019-04-26 Robin Morisset
+
+ All prototypes should call didBecomePrototype()
+ https://bugs.webkit.org/show_bug.cgi?id=196315
+
+ Reviewed by Saam Barati.
+
+ Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor.
+
+ I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
+ create structures with invalid prototypes.
+ It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
+ Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.
+
+ * runtime/BigIntPrototype.cpp:
+ (JSC::BigIntPrototype::finishCreation):
+ * runtime/BooleanPrototype.cpp:
+ (JSC::BooleanPrototype::finishCreation):
+ * runtime/DatePrototype.cpp:
+ (JSC::DatePrototype::finishCreation):
+ * runtime/ErrorConstructor.cpp:
+ (JSC::ErrorConstructor::finishCreation):
+ * runtime/ErrorPrototype.cpp:
+ (JSC::ErrorPrototype::finishCreation):
+ * runtime/FunctionConstructor.cpp:
+ (JSC::FunctionConstructor::finishCreation):
+ * runtime/FunctionPrototype.cpp:
+ (JSC::FunctionPrototype::finishCreation):
+ * runtime/IntlCollatorPrototype.cpp:
+ (JSC::IntlCollatorPrototype::finishCreation):
+ * runtime/IntlDateTimeFormatPrototype.cpp:
+ (JSC::IntlDateTimeFormatPrototype::finishCreation):
+ * runtime/IntlNumberFormatPrototype.cpp:
+ (JSC::IntlNumberFormatPrototype::finishCreation):
+ * runtime/IntlPluralRulesPrototype.cpp:
+ (JSC::IntlPluralRulesPrototype::finishCreation):
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::JSArrayBufferPrototype::finishCreation):
+ * runtime/JSDataViewPrototype.cpp:
+ (JSC::JSDataViewPrototype::finishCreation):
+ * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
+ (JSC::JSGenericTypedArrayViewPrototype::finishCreation):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::createConsoleProperty):
+ * runtime/JSPromisePrototype.cpp:
+ (JSC::JSPromisePrototype::finishCreation):
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ (JSC::JSTypedArrayViewConstructor::finishCreation):
+ * runtime/JSTypedArrayViewPrototype.cpp:
+ (JSC::JSTypedArrayViewPrototype::finishCreation):
+ * runtime/NumberPrototype.cpp:
+ (JSC::NumberPrototype::finishCreation):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::RegExpPrototype::finishCreation):
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+ * runtime/Structure.cpp:
+ (JSC::Structure::isValidPrototype):
+ (JSC::Structure::changePrototypeTransition):
+ * runtime/Structure.h:
+ * runtime/SymbolPrototype.cpp:
+ (JSC::SymbolPrototype::finishCreation):
+ * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
+ (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyInstancePrototype.cpp:
+ (JSC::WebAssemblyInstancePrototype::finishCreation):
+ * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
+ (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyMemoryPrototype.cpp:
+ (JSC::WebAssemblyMemoryPrototype::finishCreation):
+ * wasm/js/WebAssemblyModulePrototype.cpp:
+ (JSC::WebAssemblyModulePrototype::finishCreation):
+ * wasm/js/WebAssemblyPrototype.cpp:
+ (JSC::WebAssemblyPrototype::finishCreation):
+ * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
+ (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
+ * wasm/js/WebAssemblyTablePrototype.cpp:
+ (JSC::WebAssemblyTablePrototype::finishCreation):
+
+2019-04-26 Don Olmstead
+
+ Add WTF::findIgnoringASCIICaseWithoutLength to replace strcasestr
+ https://bugs.webkit.org/show_bug.cgi?id=197291
+
+ Reviewed by Konstantin Tokarev.
+
+ Replace uses of strcasestr with WTF::findIgnoringASCIICaseWithoutLength.
+
+ * API/tests/testapi.cpp:
+ * assembler/testmasm.cpp:
+ * b3/air/testair.cpp:
+ * b3/testb3.cpp:
+ * dfg/testdfg.cpp:
+ * dynbench.cpp:
+
+2019-04-25 Fujii Hironori
+
+ Unreviewed, rolling out r244669.
+
+ Windows ports can't clean build.
+
+ Reverted changeset:
+
+ "[Win] Add flag to enable version information stamping and
+ disable by default."
+ https://bugs.webkit.org/show_bug.cgi?id=197249
+ https://trac.webkit.org/changeset/244669
+
+2019-04-25 Basuke Suzuki
+
+ [Win] Add flag to enable version information stamping and disable by default.
+ https://bugs.webkit.org/show_bug.cgi?id=197249
+
+ Reviewed by Ross Kirsling.
+
+ This feature is only used in AppleWin port. Add flag for this task and make it OFF by default.
+ Then enable it by default on AppleWin.
+
+ * CMakeLists.txt:
+
+2019-04-25 Timothy Hatcher
+
+ Disable date and time inputs on iOSMac.
+ https://bugs.webkit.org/show_bug.cgi?id=197287
+ rdar://problem/46794376
+
+ Reviewed by Wenson Hsieh.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2019-04-25 Alex Christensen
+
+ Fix more builds after r244653
+ https://bugs.webkit.org/show_bug.cgi?id=197131
+
+ * b3/B3Value.h:
+ There is an older system with libc++ headers that don't have std::conjunction. Just use constexpr and && instead for the one use of it in WebKit.
+
+2019-04-25 Basuke Suzuki
+
+ [RemoteInspector] Fix connection and target identifier types.
+ https://bugs.webkit.org/show_bug.cgi?id=197243
+
+ Reviewed by Ross Kirsling.
+
+ Give dedicated type for RemoteControllableTarget's identifier as Inspector::TargetID.
+
+ Also rename ClientID type used in Socket backend to ConnectionID because this is the identifier
+ socket endpoint assign to the newly created connection. The size was changed to uint32_t.
+ Enough size for managing connections.
+
+ * inspector/remote/RemoteConnectionToTarget.cpp:
+ (Inspector::RemoteConnectionToTarget::setup):
+ (Inspector::RemoteConnectionToTarget::close):
+ (Inspector::RemoteConnectionToTarget::targetIdentifier const):
+ * inspector/remote/RemoteConnectionToTarget.h:
+ * inspector/remote/RemoteControllableTarget.h:
+ * inspector/remote/RemoteInspector.cpp:
+ (Inspector::RemoteInspector::nextAvailableTargetIdentifier):
+ (Inspector::RemoteInspector::registerTarget):
+ (Inspector::RemoteInspector::unregisterTarget):
+ (Inspector::RemoteInspector::updateTarget):
+ (Inspector::RemoteInspector::setupFailed):
+ (Inspector::RemoteInspector::setupCompleted):
+ (Inspector::RemoteInspector::waitingForAutomaticInspection):
+ (Inspector::RemoteInspector::updateTargetListing):
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
+ (Inspector::RemoteConnectionToTarget::targetIdentifier const):
+ (Inspector::RemoteConnectionToTarget::setup):
+ (Inspector::RemoteConnectionToTarget::close):
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
+ (Inspector::RemoteInspector::sendMessageToRemote):
+ (Inspector::RemoteInspector::receivedSetupMessage):
+ (Inspector::RemoteInspector::receivedDataMessage):
+ (Inspector::RemoteInspector::receivedDidCloseMessage):
+ (Inspector::RemoteInspector::receivedIndicateMessage):
+ (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
+ * inspector/remote/glib/RemoteInspectorGlib.cpp:
+ (Inspector::RemoteInspector::updateAutomaticInspectionCandidate):
+ (Inspector::RemoteInspector::sendMessageToRemote):
+ (Inspector::RemoteInspector::receivedSetupMessage):
+ (Inspector::RemoteInspector::receivedDataMessage):
+ (Inspector::RemoteInspector::receivedCloseMessage):
+ (Inspector::RemoteInspector::setup):
+ (Inspector::RemoteInspector::sendMessageToTarget):
+ * inspector/remote/socket/RemoteInspectorConnectionClient.cpp:
+ (Inspector::RemoteInspectorConnectionClient::didReceiveWebInspectorEvent):
+ * inspector/remote/socket/RemoteInspectorConnectionClient.h:
+ (Inspector::RemoteInspectorConnectionClient::didAccept):
+ * inspector/remote/socket/RemoteInspectorMessageParser.cpp:
+ (Inspector::MessageParser::MessageParser):
+ (Inspector::MessageParser::parse):
+ * inspector/remote/socket/RemoteInspectorMessageParser.h:
+ (Inspector::MessageParser::setDidParseMessageListener):
+ * inspector/remote/socket/RemoteInspectorServer.cpp:
+ (Inspector::RemoteInspectorServer::didAccept):
+ (Inspector::RemoteInspectorServer::didClose):
+ (Inspector::RemoteInspectorServer::dispatchMap):
+ (Inspector::RemoteInspectorServer::sendWebInspectorEvent):
+ (Inspector::RemoteInspectorServer::sendCloseEvent):
+ (Inspector::RemoteInspectorServer::connectionClosed):
+ * inspector/remote/socket/RemoteInspectorServer.h:
+ * inspector/remote/socket/RemoteInspectorSocket.cpp:
+ (Inspector::RemoteInspector::didClose):
+ (Inspector::RemoteInspector::sendMessageToRemote):
+ (Inspector::RemoteInspector::setup):
+ (Inspector::RemoteInspector::sendMessageToTarget):
+ * inspector/remote/socket/RemoteInspectorSocket.h:
+ * inspector/remote/socket/RemoteInspectorSocketEndpoint.cpp:
+ (Inspector::RemoteInspectorSocketEndpoint::connectInet):
+ (Inspector::RemoteInspectorSocketEndpoint::isListening):
+ (Inspector::RemoteInspectorSocketEndpoint::workerThread):
+ (Inspector::RemoteInspectorSocketEndpoint::createClient):
+ (Inspector::RemoteInspectorSocketEndpoint::recvIfEnabled):
+ (Inspector::RemoteInspectorSocketEndpoint::sendIfEnabled):
+ (Inspector::RemoteInspectorSocketEndpoint::send):
+ (Inspector::RemoteInspectorSocketEndpoint::acceptInetSocketIfEnabled):
+ * inspector/remote/socket/RemoteInspectorSocketEndpoint.h:
+
+2019-04-25 Alex Christensen
+
+ Start using C++17
+ https://bugs.webkit.org/show_bug.cgi?id=197131
+
+ Reviewed by Darin Alder.
+
+ * Configurations/Base.xcconfig:
+
+2019-04-25 Alex Christensen
+
+ Remove DeprecatedOptional
+ https://bugs.webkit.org/show_bug.cgi?id=197161
+
+ Reviewed by Darin Adler.
+
+ We need to keep a symbol exported from JavaScriptCore for binary compatibility with iOS12.
+ We need this symbol to be in a file that doesn't include anything because libcxx's implementation of
+ std::optional is actually std::__1::optional, which has a different mangled name. This change will
+ prevent protocol errors from being reported if you are running the iOS12 simulator with a custom build of WebKit
+ and using the web inspector with it, but it's necessary to allow us to start using C++17 in WebKit.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * inspector/InspectorBackendDispatcher.cpp:
+ * inspector/InspectorBackendDispatcher.h:
+ * inspector/InspectorBackendDispatcherCompatibility.cpp: Added.
+ (Inspector::BackendDispatcher::reportProtocolError):
+ * inspector/InspectorBackendDispatcherCompatibility.h: Added.
+
+2019-04-24 Saam Barati
+
+ Add SPI callbacks for before and after module execution
+ https://bugs.webkit.org/show_bug.cgi?id=197244
+
+
+ Reviewed by Yusuke Suzuki.
+
+ This is helpful for clients that want to profile execution of modules
+ in some way. E.g, if they want to time module execution time.
+
+ * API/JSAPIGlobalObject.h:
+ * API/JSAPIGlobalObject.mm:
+ (JSC::JSAPIGlobalObject::moduleLoaderEvaluate):
+ * API/JSContextPrivate.h:
+ * API/tests/testapi.mm:
+ (+[JSContextFetchDelegate contextWithBlockForFetch:]):
+ (-[JSContextFetchDelegate willEvaluateModule:]):
+ (-[JSContextFetchDelegate didEvaluateModule:]):
+ (testFetch):
+ (testFetchWithTwoCycle):
+ (testFetchWithThreeCycle):
+ (testLoaderResolvesAbsoluteScriptURL):
+ (testLoaderRejectsNilScriptURL):
+ * runtime/JSModuleLoader.cpp:
+ (JSC::JSModuleLoader::evaluate):
+ (JSC::JSModuleLoader::evaluateNonVirtual):
+ * runtime/JSModuleLoader.h:
+
+2019-04-23 Yusuke Suzuki
+
+ [JSC] Shrink DFG::MinifiedNode
+ https://bugs.webkit.org/show_bug.cgi?id=197224
+
+ Reviewed by Filip Pizlo.
+
+ Since it is kept alive with compiled DFG code, we should shrink it to save memory.
+ If it is effective, we should consider minimizing these OSR exit data more aggressively.
+
+ * dfg/DFGMinifiedNode.h:
+
+2019-04-23 Saam Barati
+
+ LICM incorrectly assumes it'll never insert a node which provably OSR exits
+ https://bugs.webkit.org/show_bug.cgi?id=196721
+
+
+ Reviewed by Filip Pizlo.
+
+ Previously, we assumed LICM could never hoist code that caused us
+ to provably OSR exit. This is a bad assumption, as we may very well
+ hoist such code. Obviously hoisting such code is not ideal. We shouldn't
+ hoist something we provably know will OSR exit. However, this is super rare,
+ and the phase is written in such a way where it's easier to gracefully
+ handle this case than to prevent us from hoisting such code.
+
+ If we wanted to ensure we never hoisted code that would provably exit, we'd
+ have to teach the phase to know when it inserted code that provably exits. I
+ saw two ways to do that:
+ 1: Save and restore the AI state before actually hoisting.
+ 2: Write an analysis that can determine if such a node would exit.
+
+ (1) is bad because it costs in memory and compile time. (2) will inevitably
+ have bugs as running into this condition is rare.
+
+ So instead of (1) or (2), I opted to have LICM gracefully handle when
+ it causes a provable exit. When we encounter this, we mark all blocks
+ in the loop as !cfaHasVisited and !cfaDidFinish.
+
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::attemptHoist):
+
+2019-04-23 Yusuke Suzuki
+
+ [JSC] Use node index as DFG::MinifiedID
+ https://bugs.webkit.org/show_bug.cgi?id=197186
+
+ Reviewed by Saam Barati.
+
+ DFG Nodes can be identified with index if the graph is given. We should use unsigned index as a DFG::MinifiedID's underlying
+ source instead of Node* to reduce the size of VariableEvent from 16 to 12. Vector is the main data in DFG's OSR
+ tracking. It is kept after DFG compilation is done to make OSR work. We saw that this is allocated with large size in GMail.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/DataFormat.h:
+ * bytecode/ValueRecovery.h:
+ * dfg/DFGGenerationInfo.h:
+ * dfg/DFGMinifiedID.h:
+ (JSC::DFG::MinifiedID::MinifiedID):
+ (JSC::DFG::MinifiedID::operator! const):
+ (JSC::DFG::MinifiedID::operator== const):
+ (JSC::DFG::MinifiedID::operator!= const):
+ (JSC::DFG::MinifiedID::operator< const):
+ (JSC::DFG::MinifiedID::operator> const):
+ (JSC::DFG::MinifiedID::operator<= const):
+ (JSC::DFG::MinifiedID::operator>= const):
+ (JSC::DFG::MinifiedID::hash const):
+ (JSC::DFG::MinifiedID::dump const):
+ (JSC::DFG::MinifiedID::isHashTableDeletedValue const):
+ (JSC::DFG::MinifiedID::fromBits):
+ (JSC::DFG::MinifiedID::bits const):
+ (JSC::DFG::MinifiedID::invalidIndex):
+ (JSC::DFG::MinifiedID::otherInvalidIndex):
+ (JSC::DFG::MinifiedID::node const): Deleted.
+ (JSC::DFG::MinifiedID::invalidID): Deleted.
+ (JSC::DFG::MinifiedID::otherInvalidID): Deleted.
+ * dfg/DFGMinifiedIDInlines.h: Copied from Source/JavaScriptCore/dfg/DFGMinifiedNode.cpp.
+ (JSC::DFG::MinifiedID::MinifiedID):
+ * dfg/DFGMinifiedNode.cpp:
+ * dfg/DFGValueSource.h:
+ (JSC::DFG::ValueSource::ValueSource):
+ * dfg/DFGVariableEvent.h:
+ (JSC::DFG::VariableEvent::dataFormat const):
+
+2019-04-23 Keith Rollin
+
+ Add Xcode version check for Header post-processing scripts
+ https://bugs.webkit.org/show_bug.cgi?id=197116
+
+
+ Reviewed by Brent Fulgham.
+
+ There are several places in our Xcode projects that post-process
+ header files after they've been exported. Because of XCBuild, we're
+ moving to a model where the post-processing is performed at the same
+ time the header files are exported, rather than as a distinct
+ post-processing step. This patch disables the distinct step when the
+ inline processing is available.
+
+ In practice, this means prefixing appropriate post-processing Custom
+ Build phases with:
+
+ if [ "${XCODE_VERSION_MAJOR}" -ge "1100" -a "${USE_NEW_BUILD_SYSTEM}" = "YES" ]; then
+ # In this configuration, post-processing is performed at the same time as copying in the postprocess-header-rule script, so there's no need for this separate step.
+ exit 0
+ fi
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2019-04-23 Commit Queue
+
+ Unreviewed, rolling out r244558.
+ https://bugs.webkit.org/show_bug.cgi?id=197219
+
+ Causing crashes on iOS Sim Release and Debug (Requested by
+ ShawnRoberts on #webkit).
+
+ Reverted changeset:
+
+ "Remove DeprecatedOptional"
+ https://bugs.webkit.org/show_bug.cgi?id=197161
+ https://trac.webkit.org/changeset/244558
+
+2019-04-23 Devin Rousso
+
+ Web Inspector: Uncaught Exception: null is not an object (evaluating 'this.ownerDocument.frameIdentifier')
+ https://bugs.webkit.org/show_bug.cgi?id=196420
+
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/protocol/DOM.json:
+ Modify the existing `frameId` to represent the owner frame of the node, rather than the
+ frame it holds (in the case of an `