[JSC] Shrink UnlinkedFunctionExecutable
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comment of a non-typical function's source code (Program,
        Eval code, and Global function from function constructor etc.), and the tricky thing is that
        SourceProvider's directives are updated by Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1)
        UnlinkedFunctionExecutable is for non-typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separate
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is a super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
        one of the size classes.

        This patch adds RareData to UnlinkedFunctionExecutable and moves some rare data into RareData.
        It also kills one MarkedBlock allocation in the JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans them up.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating a MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, the "empty RegExp". This patch lazily creates it and drops
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because the concurrent compiler can touch NumberPrototype etc. when traversing an object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drops some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in-bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

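The kind of in-bounds check the entry above describes, as an added illustration that is not part of the WebKit change or of YarrJIT: in Unicode mode a lead surrogate needs the following UTF-16 unit to form a code point, so the decoder must confirm `index + 1 < length` before touching it. The names `decodeUnicodeCharAt` and `decodeAll` and the sample input are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed example (not JSC code): decode one code point from a UTF-16
// buffer without ever reading past `length`.
struct Decoded {
    uint32_t codePoint;
    size_t unitsConsumed; // 1 for a BMP unit or an unpaired surrogate, 2 for a valid pair
};

static bool isLeadSurrogate(uint16_t u) { return (u & 0xFC00) == 0xD800; }
static bool isTrailSurrogate(uint16_t u) { return (u & 0xFC00) == 0xDC00; }

// Precondition: index < length. units[index + 1] is only dereferenced after
// the explicit bounds check, which is the check the entry adds to the
// pattern generators that lacked it.
Decoded decodeUnicodeCharAt(const uint16_t* units, size_t length, size_t index)
{
    uint16_t lead = units[index];
    if (isLeadSurrogate(lead) && index + 1 < length) { // in-bounds check before reading the next unit
        uint16_t trail = units[index + 1];
        if (isTrailSurrogate(trail)) {
            uint32_t cp = 0x10000
                + ((static_cast<uint32_t>(lead) - 0xD800) << 10)
                + (static_cast<uint32_t>(trail) - 0xDC00);
            return { cp, 2 };
        }
    }
    return { lead, 1 }; // BMP character, or an unpaired surrogate kept as-is
}

// Walks a whole buffer; a lone lead surrogate at the very end must not cause
// a read at units[length].
std::vector<uint32_t> decodeAll(const std::vector<uint16_t>& units)
{
    std::vector<uint32_t> out;
    for (size_t i = 0; i < units.size();) {
        Decoded d = decodeUnicodeCharAt(units.data(), units.size(), i);
        out.push_back(d.codePoint);
        i += d.unitsConsumed;
    }
    return out;
}

int main()
{
    // Constructed input: 'A', U+1F600 as a surrogate pair, then a dangling lead surrogate.
    std::vector<uint16_t> subject { 0x0041, 0xD83D, 0xDE00, 0xD83D };
    for (uint32_t cp : decodeAll(subject))
        std::printf("U+%04X\n", cp);
    return 0;
}
```

Running it under a bounds-checking allocator (the GuardMalloc runs mentioned elsewhere in this log are the WebKit equivalent) is how a missing check of this kind surfaces as a crash instead of a silent over-read.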
2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. We should not allocate extra memory for them.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

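What "should escape strings" means in practice, as an added example that is not the SamplingProfiler's or TypeSet's own code: function names and source URLs in a profile come from the page being profiled, so any quote, backslash or control character in them has to be escaped before the text is spliced into a JSON document, otherwise the consumer parses page-chosen structure instead of data. The helpers `escapeJSONString` and `frameToJSON` and the sample values are constructed for this example.

```cpp
#include <cstdio>
#include <string>

// Constructed example: escape `in` so it can sit inside a JSON string literal.
// Covers the characters JSON requires to be escaped: '"', '\\' and every
// control character below U+0020 (short forms where JSON defines them,
// \u00XX otherwise). Bytes >= 0x20, including UTF-8 sequences, pass through.
std::string escapeJSONString(const std::string& in)
{
    std::string out;
    out.reserve(in.size() + 2);
    for (unsigned char c : in) {
        switch (c) {
        case '"':  out += "\\\""; break;
        case '\\': out += "\\\\"; break;
        case '\b': out += "\\b";  break;
        case '\f': out += "\\f";  break;
        case '\n': out += "\\n";  break;
        case '\r': out += "\\r";  break;
        case '\t': out += "\\t";  break;
        default:
            if (c < 0x20) { // remaining control characters must be \u-escaped
                char buf[7];
                std::snprintf(buf, sizeof(buf), "\\u%04x", c);
                out += buf;
            } else
                out += static_cast<char>(c);
        }
    }
    return out;
}

// Emits one profiler stack-frame record. Only the untrusted string fields go
// through the escaper; the integer is formatted directly.
std::string frameToJSON(const std::string& name, const std::string& url, int line)
{
    return "{\"name\":\"" + escapeJSONString(name)
        + "\",\"url\":\"" + escapeJSONString(url)
        + "\",\"line\":" + std::to_string(line) + "}";
}

int main()
{
    // Constructed frame whose name contains a quote and a newline, as a page could produce.
    std::printf("%s\n", frameToJSON("f\"},{\"injected\":\n", "http://example.test/a.js", 3).c_str());
    return 0;
}
```

The same rule applies to any other serializer that builds JSON by string concatenation: every value that can originate from the page goes through the escaper, never only the ones that "usually" look harmless.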
2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using the DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts a store-store fence just before putting a pointer into a global variable.
        This fence is executed only three times at most, for the DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

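The publication pattern the entry above fixes, as an added example that is not WebKit's DFGWorklist or WasmWorklist code: a lazily created process-wide object is made reachable through a global pointer, and a thread that reads that pointer without taking the creation lock must never observe it before the object's constructor writes are visible. In standard C++ terms the store-store fence on the publishing side is a release store, and the lock-free reader needs the matching acquire load. The types `Worklist`, `ensureGlobalWorklist` and `existingGlobalWorklistOrNull` are constructed stand-ins for the functions named in the entry.

```cpp
#include <atomic>
#include <cstdio>
#include <mutex>

// Constructed example (not WebKit code): the shared object being published.
struct Worklist {
    int capacity;
    explicit Worklist(int c) : capacity(c) { }
};

namespace {
std::mutex g_creationLock;
std::atomic<Worklist*> g_worklist { nullptr }; // the global pointer other threads read directly
}

// Creator path (double-checked locking). The object is constructed completely
// and only then stored with release ordering: every write made by the
// constructor is ordered before the pointer becomes visible. A plain
// non-atomic `g_worklist = new Worklist(64)` would let the compiler or CPU
// make the pointer visible while `capacity` is still unwritten, which is the
// "half-baked worklist" of the entry.
Worklist& ensureGlobalWorklist()
{
    if (Worklist* existing = g_worklist.load(std::memory_order_acquire))
        return *existing;
    std::lock_guard<std::mutex> locker(g_creationLock);
    if (Worklist* existing = g_worklist.load(std::memory_order_acquire))
        return *existing; // another thread finished creation while we waited
    Worklist* created = new Worklist(64);
    g_worklist.store(created, std::memory_order_release); // the store-store fence + publish
    return *created;
}

// Reader path for code that must not block or create (the destructor in the
// entry's scenario). Returns nullptr when nothing exists yet; a non-null
// result is fully constructed because the acquire load pairs with the
// release store above.
Worklist* existingGlobalWorklistOrNull()
{
    return g_worklist.load(std::memory_order_acquire);
}

int main()
{
    std::printf("before: %p\n", static_cast<void*>(existingGlobalWorklistOrNull()));
    Worklist& w = ensureGlobalWorklist();
    std::printf("after:  %p (capacity %d)\n", static_cast<void*>(&w), w.capacity);
    return 0;
}
```

The cost matches the entry's observation: the release store runs once per worklist at creation, while every later `ensureGlobalWorklist` call takes the lock-free fast path.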
2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in a JIT environment.

        1. We add a VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove the DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under non-JIT mode (BTW, the # of scratch buffers is always zero in non-JIT mode).
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non-trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).

        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
        https://bugs.webkit.org/show_bug.cgi?id=194659

        Reviewed by Mark Lam.

        Non-JIT entrypoints create NativeJITCode every time they are called. But it is meaningless since these entry point codes are identical.
        We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
        And we use NativeJITCode instead of DirectJITCode if there is no difference between the usual entrypoint and the arity check entrypoint.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::initializeCodeRefForDFG):
        (JSC::DirectJITCode::initializeCodeRef): Deleted.
        (JSC::NativeJITCode::initializeCodeRef): Deleted.
        * jit/JITCode.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.

2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Should have default NativeJITCode
        https://bugs.webkit.org/show_bug.cgi?id=194634

        Reviewed by Mark Lam.

        In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
        This is meaningless since we do not modify NativeJITCode after the creation. This patch adds a singleton used as a default one.
        Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it at the whole-process level. This removes 446 NativeJITCode
        allocations, which take 14KB.

        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        (JSC::VM::getHostFunction):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
        https://bugs.webkit.org/show_bug.cgi?id=194576

        Reviewed by Saam Barati.

        Extract a new function, `linkedSourceCode`, from UnlinkedFunctionExecutable::link
        and use it in `generateUnlinkedCodeBlockForFunctions` instead.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        CachedBitVector's size must be converted from bits to bytes
        https://bugs.webkit.org/show_bug.cgi?id=194441

        Reviewed by Saam Barati.

        CachedBitVector used its size in bits for memcpy. That didn't cause any
        issues when encoding, since the size in bits was also used in the allocation,
        but would overflow the actual BitVector buffer when decoding.

        * runtime/CachedTypes.cpp:
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):

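The unit mix-up the entry above describes, as an added example that is not JSC's CachedTypes code: a bit vector stored as 64-bit words is serialized as a bit count followed by the words, and the decoder must derive the byte length from the bit count rather than copy "numBits" bytes. The example also checks the serialized payload against the header before copying, so a truncated or tampered cache file fails cleanly instead of overflowing the freshly allocated vector. The names `BitVector`, `encode`, `decode`, `bytesForBits` and the sample data are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed example (not JSC code). Layout on disk: [uint64 numBits][words...].
using Word = uint64_t;
constexpr size_t kBitsPerWord = 64;

size_t wordsForBits(size_t numBits) { return (numBits + kBitsPerWord - 1) / kBitsPerWord; }
size_t bytesForBits(size_t numBits) { return wordsForBits(numBits) * sizeof(Word); }

struct BitVector {
    size_t numBits = 0;
    std::vector<Word> words;
    explicit BitVector(size_t n = 0) : numBits(n), words(wordsForBits(n), 0) { }
    void set(size_t i) { words[i / kBitsPerWord] |= Word(1) << (i % kBitsPerWord); }
    bool get(size_t i) const { return (words[i / kBitsPerWord] >> (i % kBitsPerWord)) & 1; }
};

std::vector<uint8_t> encode(const BitVector& bv)
{
    size_t payloadBytes = bytesForBits(bv.numBits); // bytes, not bits
    std::vector<uint8_t> out(sizeof(uint64_t) + payloadBytes);
    uint64_t n = bv.numBits;
    std::memcpy(out.data(), &n, sizeof(n));
    if (payloadBytes)
        std::memcpy(out.data() + sizeof(n), bv.words.data(), payloadBytes);
    return out;
}

// The defective form the entry fixes would be memcpy(..., numBits): on encode
// it only "worked" because the same wrong length sized the allocation; on
// decode it writes numBits bytes into a buffer that holds bytesForBits(numBits).
bool decode(const std::vector<uint8_t>& in, BitVector& out)
{
    if (in.size() < sizeof(uint64_t))
        return false;
    uint64_t n;
    std::memcpy(&n, in.data(), sizeof(n));
    if (n > SIZE_MAX - kBitsPerWord) // keep wordsForBits() from wrapping on a hostile header
        return false;
    size_t payloadBytes = bytesForBits(static_cast<size_t>(n));
    if (in.size() - sizeof(n) < payloadBytes) // header claims more than the file contains
        return false;
    out = BitVector(static_cast<size_t>(n));
    if (payloadBytes)
        std::memcpy(out.words.data(), in.data() + sizeof(n), payloadBytes); // exactly the buffer's size
    return true;
}
```

Any reader of an on-disk cache format should treat the header's sizes as untrusted input: compute the destination size from the header, bound it, and compare it against the bytes actually present before the copy.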
2019-02-13  Brian Burg  <bburg@apple.com>

        Web Inspector: don't include accessibility role in DOM.Node object payloads
        https://bugs.webkit.org/show_bug.cgi?id=194623
        <rdar://problem/36384037>

        Reviewed by Devin Rousso.

        Remove the property of DOM.Node that is no longer being sent.

        * inspector/protocol/DOM.json:

2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Mark Lam.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        The important change from the previous one is that we do not apply
        the above rule to JSRopeStrings generated by JSStrings. If we convert
        it to JSString, the comparison of memory consumption becomes the following,
        because JSRopeString does not have a StringImpl until it is resolved.

            sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content

        Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
        resolving eagerly increases the memory footprint. The point is that we need to
        account for the newly created JSString and JSRopeString from the operands. This is the
        reason why this patch adds different thresholds for each jsString function.

        This patch also avoids concatenation for ropes conservatively. Many ropes are
        temporary cells. So we do not resolve eagerly if one of the operands is already a
        rope.

        In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up, averaged over the latter 5).

            Before: 159.3778
            After:  160.72340000000003

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        (JSC::JSString::isRope const):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAddNonNumber):
        (JSC::jsAdd):

2019-02-13  Saam Barati  <sbarati@apple.com>

        AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=194610

        Reviewed by Michael Saboff.

        BinarySwitch might use the scratch register. We must model the
        effects of that properly. This is already caught by our br-table
        tests on arm64.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-13  Mark Lam  <mark.lam@apple.com>

        Create a randomized free list for new StructureIDs on StructureIDTable resize.
        https://bugs.webkit.org/show_bug.cgi?id=194566
        <rdar://problem/47975502>

        Reviewed by Michael Saboff.

        Also isolate the 32-bit implementation of StructureIDTable out more so the 64-bit
        implementation is a little easier to read.

        This patch appears to be perf neutral on JetStream2 (as run from the command line).

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::makeFreeListFromRange):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):
        (JSC::StructureIDTable::deallocateID):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::flushOldTables):

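What a "randomized free list" for a freshly grown ID range looks like, as an added example that is not JSC's StructureIDTable: the new IDs are linked into an intrusive free list in shuffled order, so that successive allocations hand out IDs in an order that is not predictable from the allocation count. The entry does not state its motivation; making freshly assigned identifiers unpredictable is a standard hardening measure, and this example only shows the mechanism. The names `IDFreeList`, `makeFreeListFromRange`, `allocateID`, `deallocateID` and `drain` are constructed for this example (the first three mirror the function names listed in the entry), as is the seeded generator.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <random>
#include <vector>

// Constructed example (not WebKit code). The free list is intrusive:
// next[id] holds the id that follows `id`; kNone terminates the list.
constexpr uint32_t kNone = UINT32_MAX;

struct IDFreeList {
    std::vector<uint32_t> next; // indexed by id
    uint32_t head = kNone;
    std::mt19937 rng;           // seeded here for reproducibility; a real table would use a CSPRNG
    explicit IDFreeList(uint32_t seed) : rng(seed) { }

    // Called on resize: links every id in [first, last) into the free list in a
    // random permutation, pushed in front of whatever free ids already exist.
    void makeFreeListFromRange(uint32_t first, uint32_t last)
    {
        if (next.size() < last)
            next.resize(last, kNone);
        std::vector<uint32_t> ids(last - first);
        std::iota(ids.begin(), ids.end(), first);
        std::shuffle(ids.begin(), ids.end(), rng);
        for (uint32_t id : ids) {
            next[id] = head;
            head = id;
        }
    }

    // Pops the list head; kNone signals exhaustion (a real table would resize and retry).
    uint32_t allocateID()
    {
        if (head == kNone)
            return kNone;
        uint32_t id = head;
        head = next[id];
        next[id] = kNone;
        return id;
    }

    void deallocateID(uint32_t id)
    {
        next[id] = head;
        head = id;
    }
};

// Allocates until the list is empty and returns the ids in allocation order.
std::vector<uint32_t> drain(IDFreeList& list)
{
    std::vector<uint32_t> out;
    for (uint32_t id = list.allocateID(); id != kNone; id = list.allocateID())
        out.push_back(id);
    return out;
}

int main()
{
    IDFreeList list(12345u);
    list.makeFreeListFromRange(1, 17); // id 0 reserved, as a table often does
    for (uint32_t id : drain(list))
        std::printf("%u ", id);
    std::printf("\n");
    return 0;
}
```

The invariant worth testing is that randomization changes only the order: every id in the range is handed out exactly once, and a deallocated id is reusable.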
668 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
669
670         VariableLengthObject::allocate<T> should initialize objects
671         https://bugs.webkit.org/show_bug.cgi?id=194534
672
673         Reviewed by Michael Saboff.
674
675         `buffer()` should not be called for empty VariableLengthObjects, but
676         these cases were not being caught due to the objects not being properly
677         initialized. Fix it so that allocate calls the constructor and fix the
678         assertion failures.
679
680         * runtime/CachedTypes.cpp:
681         (JSC::CachedObject::operator new):
682         (JSC::VariableLengthObject::allocate):
683         (JSC::CachedVector::encode):
684         (JSC::CachedVector::decode const):
685         (JSC::CachedUniquedStringImpl::decode const):
686         (JSC::CachedBitVector::encode):
687         (JSC::CachedBitVector::decode const):
688         (JSC::CachedArray::encode):
689         (JSC::CachedArray::decode const):
690         (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
691         (JSC::CachedBigInt::decode const):
692
693 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
694
695         CodeBlocks read from disk should not be re-written
696         https://bugs.webkit.org/show_bug.cgi?id=194535
697
698         Reviewed by Michael Saboff.
699
700         Keep track of which CodeBlocks have been read from disk or have already
701         been serialized in CodeCache.
702
703         * runtime/CodeCache.cpp:
704         (JSC::CodeCache::write):
705         * runtime/CodeCache.h:
706         (JSC::SourceCodeValue::SourceCodeValue):
707         (JSC::CodeCacheMap::fetchFromDiskImpl):
708
709 2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>
710
711         SourceCode should be copied when generating bytecode for functions
712         https://bugs.webkit.org/show_bug.cgi?id=194536
713
714         Reviewed by Saam Barati.
715
716         The FunctionExecutable might be collected while generating the bytecode
717         for nested functions, in which case the SourceCode reference would no
718         longer be valid.
719
720         * runtime/CodeCache.cpp:
721         (JSC::generateUnlinkedCodeBlockForFunctions):
722
723 2019-02-12  Saam barati  <sbarati@apple.com>
724
725         JSScript needs to retain its cache path NSURL*
726         https://bugs.webkit.org/show_bug.cgi?id=194577
727
728         Reviewed by Tim Horton.
729
730         * API/JSScript.mm:
731         (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
732         (-[JSScript dealloc]):
733
734 2019-02-12  Robin Morisset  <rmorisset@apple.com>
735
736         Make B3Value::returnsBool() more precise
737         https://bugs.webkit.org/show_bug.cgi?id=194457
738
739         Reviewed by Saam Barati.
740
741         It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
742         It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
743         No new tests added as this should be indirectly tested by the already existing tests.
744
745         * b3/B3Value.cpp:
746         (JSC::B3::Value::returnsBool const):
747
748 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
749
750         Unreviewed, fix -Wimplicit-fallthrough warning after r241140
751         https://bugs.webkit.org/show_bug.cgi?id=194399
752         <rdar://problem/47889777>
753
754         * dfg/DFGDoesGC.cpp:
755         (JSC::DFG::doesGC):
756
757 2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>
758
759         [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
760         https://bugs.webkit.org/show_bug.cgi?id=194370
761
762         Reviewed by Darin Adler.
763
764         Change a couple of WTFLogAlways to use g_warning, for good measure. Of course this isn't
765         necessary, but it will make errors more visible.
766
767         * inspector/remote/glib/RemoteInspectorGlib.cpp:
768         (Inspector::RemoteInspector::start):
769         (Inspector::dbusConnectionCallAsyncReadyCallback):
770         * inspector/remote/glib/RemoteInspectorServer.cpp:
771         (Inspector::RemoteInspectorServer::start):
772
773 2019-02-12  Andy Estes  <aestes@apple.com>
774
775         [iOSMac] Enable Parental Controls Content Filtering
776         https://bugs.webkit.org/show_bug.cgi?id=194521
777         <rdar://39732376>
778
779         Reviewed by Tim Horton.
780
781         * Configurations/FeatureDefines.xcconfig:
782
783 2019-02-11  Mark Lam  <mark.lam@apple.com>
784
785         Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
786         https://bugs.webkit.org/show_bug.cgi?id=194512
787         <rdar://problem/47975465>
788
789         Reviewed by Yusuke Suzuki.
790
791         * runtime/StructureIDTable.cpp:
792         (JSC::StructureIDTable::StructureIDTable):
793         (JSC::StructureIDTable::allocateID):
794         (JSC::StructureIDTable::deallocateID):
795         * runtime/StructureIDTable.h:
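
The two StructureIDTable entries above (2019-02-11, randomizing where a deallocated StructureID goes in the free list; 2019-02-13, building a randomized free list for the IDs added by a resize) describe the change but not its shape. The following is an added illustration, not JSC's StructureIDTable code: a toy table with hypothetical names (ToyStructureIDTable, with a makeFreeListFromRange modelled on the function named in the entry) that shuffles the IDs a resize adds before appending them to the free list, and inserts a deallocated ID at a random position rather than at the head. The effect is that neither a freshly grown table nor a just-freed ID yields a predictable next StructureID, while uniqueness and the ID-to-structure mapping are unchanged.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <random>
#include <set>
#include <vector>

// Toy model of a StructureID table: a dense array indexed by ID plus a
// free list of unused IDs. Hypothetical names; this is not JSC's class.
class ToyStructureIDTable {
public:
    using StructureID = uint32_t;
    static constexpr StructureID invalidID = 0; // slot 0 is reserved

    explicit ToyStructureIDTable(size_t initialCapacity = 8, uint64_t seed = 0x5eed)
        : m_table(1, nullptr) // holds only the reserved invalid ID at first
        , m_rng(seed)
    {
        resize(initialCapacity);
    }

    StructureID allocateID(const void* structure)
    {
        if (m_freeList.empty())
            resize(m_table.size() * 2);
        StructureID id = m_freeList.back();
        m_freeList.pop_back();
        m_table[id] = structure;
        return id;
    }

    void deallocateID(StructureID id)
    {
        m_table[id] = nullptr;
        // Insert at a random position instead of pushing onto the head, so
        // the most recently freed ID is not necessarily the next one handed out.
        std::uniform_int_distribution<size_t> where(0, m_freeList.size());
        m_freeList.insert(m_freeList.begin() + where(m_rng), id);
    }

    const void* get(StructureID id) const { return m_table.at(id); }
    size_t capacity() const { return m_table.size(); }
    size_t freeCount() const { return m_freeList.size(); }

private:
    void resize(size_t newCapacity)
    {
        StructureID first = static_cast<StructureID>(m_table.size());
        m_table.resize(newCapacity, nullptr);
        makeFreeListFromRange(first, static_cast<StructureID>(newCapacity - 1));
    }

    // Put the fresh IDs [first, last] on the free list in shuffled order, so
    // the IDs handed out after a resize are not simply ascending.
    void makeFreeListFromRange(StructureID first, StructureID last)
    {
        std::vector<StructureID> fresh;
        for (StructureID id = first; id <= last; ++id)
            fresh.push_back(id);
        std::shuffle(fresh.begin(), fresh.end(), m_rng);
        m_freeList.insert(m_freeList.end(), fresh.begin(), fresh.end());
    }

    std::vector<const void*> m_table;
    std::vector<StructureID> m_freeList;
    std::mt19937_64 m_rng;
};

// Allocate n IDs and check what the randomization must preserve: every ID
// is unique, non-zero, and resolves back to the structure it was given.
bool allocationsAreConsistent(size_t n)
{
    ToyStructureIDTable table;
    std::vector<int> structures(n);
    std::set<ToyStructureIDTable::StructureID> seen;
    for (size_t i = 0; i < n; ++i) {
        ToyStructureIDTable::StructureID id = table.allocateID(&structures[i]);
        if (id == ToyStructureIDTable::invalidID || !seen.insert(id).second)
            return false;
        if (table.get(id) != &structures[i])
            return false;
    }
    return seen.size() == n;
}

// Capacity 8 gives 7 usable IDs; the 8th allocation must grow to 16 slots.
size_t capacityAfterAllocating(size_t n)
{
    ToyStructureIDTable table;
    int dummy = 0;
    for (size_t i = 0; i < n; ++i)
        table.allocateID(&dummy);
    return table.capacity();
}
```

The randomness source here is a seeded std::mt19937_64 so the example is reproducible; an engine doing this for real needs a source an attacker cannot recover, since a predictable seed gives back exactly the predictability the shuffle removes. The invariants worth pinning down in a test are the ones that must survive the shuffle: IDs stay unique and non-zero, every allocated ID maps back to its structure, and a resize only ever adds fresh IDs.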
796
797 2019-02-10  Mark Lam  <mark.lam@apple.com>
798
799         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
800         https://bugs.webkit.org/show_bug.cgi?id=194493
801         <rdar://problem/36380852>
802
803         Reviewed by Yusuke Suzuki.
804
805         Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
806         however not good for performance and memory usage.  As such, a debug ASSERT will
807         do.  We'll also do an audit of the clients of BinarySwitch to see if it's
808         possible to be instantiated with duplicate cases in
809         https://bugs.webkit.org/show_bug.cgi?id=194492 later.
810
811         Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
812         see duplicate cases.
813
814         * jit/BinarySwitch.cpp:
815         (JSC::BinarySwitch::BinarySwitch):
816
817 2019-02-10  Darin Adler  <darin@apple.com>
818
819         Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
820         https://bugs.webkit.org/show_bug.cgi?id=194485
821
822         Reviewed by Daniel Bates.
823
824         * heap/HeapSnapshotBuilder.cpp:
825         (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
826         reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".
827
828         * runtime/JSGlobalObjectFunctions.cpp:
829         (JSC::encode): Removed some unneeded casts in StringBuilder code,
830         including one in a call to appendByteAsHex.
831         (JSC::globalFuncEscape): Ditto.
832
833 2019-02-10  Commit Queue  <commit-queue@webkit.org>
834
835         Unreviewed, rolling out r241230.
836         https://bugs.webkit.org/show_bug.cgi?id=194488
837
838         "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
839         #webkit).
840
841         Reverted changeset:
842
843         "We should only make rope strings when concatenating strings
844         long enough."
845         https://bugs.webkit.org/show_bug.cgi?id=194465
846         https://trac.webkit.org/changeset/241230
847
848 2019-02-10  Saam barati  <sbarati@apple.com>
849
850         BBQ-Air: Emit better code for switch
851         https://bugs.webkit.org/show_bug.cgi?id=194053
852
853         Reviewed by Yusuke Suzuki.
854
855         Instead of emitting a linear set of jumps for Switch, this patch
856         makes the BBQ-Air backend emit a binary switch.
857
858         * wasm/WasmAirIRGenerator.cpp:
859         (JSC::Wasm::AirIRGenerator::addSwitch):
860
861 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
862
863         Unreviewed, Lexer should use isLatin1 implementation in WTF
864         https://bugs.webkit.org/show_bug.cgi?id=194466
865
866         Follow-up after r241233 pointed by Darin.
867
868         * parser/Lexer.cpp:
869         (JSC::isLatin1): Deleted.
870
871 2019-02-09  Darin Adler  <darin@apple.com>
872
873         Eliminate unnecessary String temporaries by using StringConcatenateNumbers
874         https://bugs.webkit.org/show_bug.cgi?id=194021
875
876         Reviewed by Geoffrey Garen.
877
878         * inspector/agents/InspectorConsoleAgent.cpp:
879         (Inspector::InspectorConsoleAgent::count): Remove String::number and let
880         makeString do the conversion without allocating/destroying a String.
881         * inspector/agents/InspectorDebuggerAgent.cpp:
882         (Inspector::objectGroupForBreakpointAction): Ditto.
883         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
884         (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
885         * runtime/JSGenericTypedArrayViewInlines.h:
886         (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
887         * runtime/NumberPrototype.cpp:
888         (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
889         of calling numberToFixedWidthString to do the same thing.
890         (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
891         numberToFixedPrecisionString to do the same thing.
892         * runtime/SamplingProfiler.cpp:
893         (JSC::SamplingProfiler::reportTopFunctions): Ditto.
894
895 2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>
896
897         Unreviewed, rolling in r241237 again
898         https://bugs.webkit.org/show_bug.cgi?id=194469
899
900         * runtime/JSString.h:
901         (JSC::jsSubstring):
902
903 2019-02-09  Commit Queue  <commit-queue@webkit.org>
904
905         Unreviewed, rolling out r241237.
906         https://bugs.webkit.org/show_bug.cgi?id=194474
907
908         Shows significant memory increase in WSL (Requested by
909         yusukesuzuki on #webkit).
910
911         Reverted changeset:
912
913         "[WTF] Use BufferInternal StringImpl if substring StringImpl
914         takes more memory"
915         https://bugs.webkit.org/show_bug.cgi?id=194469
916         https://trac.webkit.org/changeset/241237
917
918 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
919
920         [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
921         https://bugs.webkit.org/show_bug.cgi?id=194469
922
923         Reviewed by Geoffrey Garen.
924
925         * runtime/JSString.h:
926         (JSC::jsSubstring):
927
928 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
929
930         [JSC] CachedTypes should use jsString instead of JSString::create
931         https://bugs.webkit.org/show_bug.cgi?id=194471
932
933         Reviewed by Mark Lam.
934
935         Use jsString() here because JSString::create is a bit of a low-level API and it requires some invariants like "length is not zero".
936
937         * runtime/CachedTypes.cpp:
938         (JSC::CachedJSValue::decode const):
939
940 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
941
942         [JSC] Increase StructureIDTable initial capacity
943         https://bugs.webkit.org/show_bug.cgi?id=194468
944
945         Reviewed by Mark Lam.
946
947         Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
948         JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
949         unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
950         more memory dirty. We also remove some structures that are no longer used.
951
952         * runtime/JSGlobalObject.h:
953         (JSC::JSGlobalObject::callbackObjectStructure const):
954         (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
955         * runtime/StructureIDTable.h:
956         * runtime/VM.h:
957
958 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
959
960         [JSC] String.fromCharCode's slow path always generates 16bit string
961         https://bugs.webkit.org/show_bug.cgi?id=194466
962
963         Reviewed by Keith Miller.
964
965         String.fromCharCode(a1) has a fast path and is the most frequently used. String.fromCharCode(a1, a2, ...)
966         goes to the slow path. However, in the slow path, we always create a 16bit string. A 16bit string takes 2x memory,
967         and even worse, taints ropes 16bit if a 16bit string is included in the given rope. We find that acorn-wtb
968         creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
969         16bit strings. However, only a few strings are actually 16bit strings. This patch attempts to make 8bit strings
970         as much as possible.
971
972         It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.
973
974         * runtime/StringConstructor.cpp:
975         (JSC::stringFromCharCode):
976
977 2019-02-08  Keith Miller  <keith_miller@apple.com>
978
979         We should only make rope strings when concatenating strings long enough.
980         https://bugs.webkit.org/show_bug.cgi?id=194465
981
982         Reviewed by Saam Barati.
983
984         This patch stops us from allocating a rope string if the resulting
985         rope would be smaller than the size of the JSRopeString object we
986         would need to allocate.
987
988         This patch also adds paths so that we don't unnecessarily allocate
989         JSString cells for primitives we are going to concatenate with a
990         string anyway.
991
992         * dfg/DFGOperations.cpp:
993         * runtime/CommonSlowPaths.cpp:
994         (JSC::SLOW_PATH_DECL):
995         * runtime/JSString.h:
996         * runtime/Operations.cpp:
997         (JSC::jsAddSlowCase):
998         * runtime/Operations.h:
999         (JSC::jsString):
1000         (JSC::jsAdd):
1001
1002 2019-02-08  Saam barati  <sbarati@apple.com>
1003
1004         Nodes that rely on being dominated by CheckInBounds should have a child edge to it
1005         https://bugs.webkit.org/show_bug.cgi?id=194334
1006         <rdar://problem/47844327>
1007
1008         Reviewed by Mark Lam.
1009
1010         * dfg/DFGAbstractInterpreterInlines.h:
1011         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1012         * dfg/DFGArgumentsEliminationPhase.cpp:
1013         * dfg/DFGByteCodeParser.cpp:
1014         (JSC::DFG::ByteCodeParser::parseBlock):
1015         * dfg/DFGClobberize.h:
1016         (JSC::DFG::clobberize):
1017         * dfg/DFGConstantFoldingPhase.cpp:
1018         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1019         * dfg/DFGFixupPhase.cpp:
1020         (JSC::DFG::FixupPhase::fixupNode):
1021         (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
1022         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1023         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
1024         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
1025         * dfg/DFGNodeType.h:
1026         * dfg/DFGSSALoweringPhase.cpp:
1027         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
1028         * dfg/DFGSpeculativeJIT.cpp:
1029         (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
1030         * ftl/FTLLowerDFGToB3.cpp:
1031         (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
1032         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1033
1034 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1035
1036         [JSC] Shrink sizeof(CodeBlock) more
1037         https://bugs.webkit.org/show_bug.cgi?id=194419
1038
1039         Reviewed by Mark Lam.
1040
1041         This patch further shrinks the size of CodeBlock, from 352 to 296 (304).
1042
1043         1. CodeBlock copies so much data from ScriptExecutable even if ScriptExecutable
1044         has the same information. This data is not touched in CodeBlock::~CodeBlock,
1045         so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.
1046
1047         2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
1048         And we do not touch it in CodeBlock::~CodeBlock.
1049
1050         3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
1051         cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
1052         singleton to `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.
1053
1054         4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.
1055
1056         5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.
1057
1058         * bytecode/CodeBlock.cpp:
1059         (JSC::CodeBlock::hash const):
1060         (JSC::CodeBlock::sourceCodeForTools const):
1061         (JSC::CodeBlock::dumpAssumingJITType const):
1062         (JSC::CodeBlock::dumpSource):
1063         (JSC::CodeBlock::CodeBlock):
1064         (JSC::CodeBlock::finishCreation):
1065         (JSC::CodeBlock::propagateTransitions):
1066         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1067         (JSC::CodeBlock::setCalleeSaveRegisters):
1068         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
1069         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1070         (JSC::CodeBlock::lineNumberForBytecodeOffset):
1071         (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
1072         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1073         (JSC::CodeBlock::newReplacement):
1074         (JSC::CodeBlock::replacement):
1075         (JSC::CodeBlock::computeCapabilityLevel):
1076         (JSC::CodeBlock::jettison):
1077         (JSC::CodeBlock::calleeSaveRegisters const):
1078         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1079         (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
1080         (JSC::CodeBlock::getArrayProfile):
1081         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1082         (JSC::CodeBlock::notifyLexicalBindingUpdate):
1083         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1084         (JSC::CodeBlock::validate):
1085         (JSC::CodeBlock::outOfLineJumpTarget):
1086         (JSC::CodeBlock::arithProfileForBytecodeOffset):
1087         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1088         * bytecode/CodeBlock.h:
1089         (JSC::CodeBlock::specializationKind const):
1090         (JSC::CodeBlock::isStrictMode const):
1091         (JSC::CodeBlock::isConstructor const):
1092         (JSC::CodeBlock::codeType const):
1093         (JSC::CodeBlock::isKnownNotImmediate):
1094         (JSC::CodeBlock::instructions const):
1095         (JSC::CodeBlock::ownerExecutable const):
1096         (JSC::CodeBlock::thisRegister const):
1097         (JSC::CodeBlock::source const):
1098         (JSC::CodeBlock::sourceOffset const):
1099         (JSC::CodeBlock::firstLineColumnOffset const):
1100         (JSC::CodeBlock::createRareDataIfNecessary):
1101         (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
1102         (JSC::CodeBlock::setThisRegister): Deleted.
1103         (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
1104         * bytecode/EvalCodeBlock.h:
1105         * bytecode/FunctionCodeBlock.h:
1106         * bytecode/GlobalCodeBlock.h:
1107         (JSC::GlobalCodeBlock::GlobalCodeBlock):
1108         * bytecode/ModuleProgramCodeBlock.h:
1109         * bytecode/ProgramCodeBlock.h:
1110         * debugger/Debugger.cpp:
1111         (JSC::Debugger::toggleBreakpoint):
1112         * debugger/DebuggerCallFrame.cpp:
1113         (JSC::DebuggerCallFrame::sourceID const):
1114         (JSC::DebuggerCallFrame::sourceIDForCallFrame):
1115         * debugger/DebuggerScope.cpp:
1116         (JSC::DebuggerScope::location const):
1117         * dfg/DFGByteCodeParser.cpp:
1118         (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
1119         (JSC::DFG::ByteCodeParser::inliningCost):
1120         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1121         * dfg/DFGCapabilities.cpp:
1122         (JSC::DFG::isSupportedForInlining):
1123         (JSC::DFG::mightCompileEval):
1124         (JSC::DFG::mightCompileProgram):
1125         (JSC::DFG::mightCompileFunctionForCall):
1126         (JSC::DFG::mightCompileFunctionForConstruct):
1127         (JSC::DFG::canUseOSRExitFuzzing):
1128         * dfg/DFGGraph.h:
1129         (JSC::DFG::Graph::executableFor):
1130         * dfg/DFGJITCompiler.cpp:
1131         (JSC::DFG::JITCompiler::compileFunction):
1132         * dfg/DFGOSREntry.cpp:
1133         (JSC::DFG::prepareOSREntry):
1134         * dfg/DFGOSRExit.cpp:
1135         (JSC::DFG::restoreCalleeSavesFor):
1136         (JSC::DFG::saveCalleeSavesFor):
1137         (JSC::DFG::saveOrCopyCalleeSavesFor):
1138         * dfg/DFGOSRExitCompilerCommon.cpp:
1139         (JSC::DFG::handleExitCounts):
1140         * dfg/DFGOperations.cpp:
1141         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1142         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1143         * ftl/FTLCapabilities.cpp:
1144         (JSC::FTL::canCompile):
1145         * ftl/FTLLink.cpp:
1146         (JSC::FTL::link):
1147         * ftl/FTLOSRExitCompiler.cpp:
1148         (JSC::FTL::compileStub):
1149         * interpreter/CallFrame.cpp:
1150         (JSC::CallFrame::callerSourceOrigin):
1151         * interpreter/Interpreter.cpp:
1152         (JSC::eval):
1153         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1154         * interpreter/StackVisitor.cpp:
1155         (JSC::StackVisitor::Frame::calleeSaveRegisters):
1156         (JSC::StackVisitor::Frame::sourceURL const):
1157         (JSC::StackVisitor::Frame::sourceID):
1158         (JSC::StackVisitor::Frame::computeLineAndColumn const):
1159         * interpreter/StackVisitor.h:
1160         * jit/AssemblyHelpers.h:
1161         (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
1162         (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
1163         (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
1164         * jit/CallFrameShuffleData.cpp:
1165         (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
1166         * jit/JIT.cpp:
1167         (JSC::JIT::compileWithoutLinking):
1168         * jit/JITToDFGDeferredCompilationCallback.cpp:
1169         (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
1170         * jit/JITWorklist.cpp:
1171         (JSC::JITWorklist::Plan::finalize):
1172         (JSC::JITWorklist::compileNow):
1173         * jit/RegisterAtOffsetList.cpp:
1174         (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
1175         * jit/RegisterAtOffsetList.h:
1176         (JSC::RegisterAtOffsetList::at const):
1177         * runtime/ErrorInstance.cpp:
1178         (JSC::appendSourceToError):
1179         * runtime/ScriptExecutable.cpp:
1180         (JSC::ScriptExecutable::newCodeBlockFor):
1181         * runtime/StackFrame.cpp:
1182         (JSC::StackFrame::sourceID const):
1183         (JSC::StackFrame::sourceURL const):
1184         (JSC::StackFrame::computeLineAndColumn const):
1185
1186 2019-02-08  Robin Morisset  <rmorisset@apple.com>
1187
1188         B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
1189         https://bugs.webkit.org/show_bug.cgi?id=194460
1190
1191         Reviewed by Mark Lam.
1192
1193         Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.
1194
1195         * b3/B3LowerMacros.cpp:
1196
1197 2019-02-08  Mark Lam  <mark.lam@apple.com>
1198
1199         Use maxSingleCharacterString in comparisons instead of literal constants.
1200         https://bugs.webkit.org/show_bug.cgi?id=194452
1201
1202         Reviewed by Yusuke Suzuki.
1203
1204         This way, if we ever change maxSingleCharacterString, it won't break all this code
1205         that relies on it being 0xff implicitly.
1206
1207         * dfg/DFGSpeculativeJIT.cpp:
1208         (JSC::DFG::SpeculativeJIT::compileStringSlice):
1209         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1210         * ftl/FTLLowerDFGToB3.cpp:
1211         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1212         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1213         * jit/ThunkGenerators.cpp:
1214         (JSC::stringGetByValGenerator):
1215         (JSC::charToString):
1216
1217 2019-02-08  Mark Lam  <mark.lam@apple.com>
1218
1219         Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
1220         https://bugs.webkit.org/show_bug.cgi?id=194446
1221         <rdar://problem/47926792>
1222
1223         Reviewed by Saam Barati.
1224
1225         Fix doesGC() for the following nodes:
1226
1227             CheckTierUpAtReturn:
1228                 Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
1229                 which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1230
1231             CheckTierUpInLoop:
1232                 Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
1233                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1234
1235             CheckTierUpAndOSREnter:
1236                 Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
1237                 Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
1238
1239             GetByVal:
1240                 case Array::String calls operationSingleCharacterString(), which calls
1241                 jsSingleCharacterString(), which can allocate a string.
1242
1243             PutByValDirect:
1244             PutByVal:
1245             PutByValAlias:
1246                 For the DFG only, the integer TypeArrays calls compilePutByValForIntTypedArray(),
1247                 which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
1248                 operationPutByValStrict(), or operationPutByValNonStrict().  All of these
1249                 slow paths call putByValInternal(), which may create exception objects, or
1250                 call the generic JSValue::put() which may execute arbitrary code.
1251
1252             StringCharAt:
1253                 Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
1254                 which can allocate a string.
1255
1256         Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
1257         to use the maxSingleCharacterString constant instead of a literal constant.
1258
1259         * dfg/DFGDoesGC.cpp:
1260         (JSC::DFG::doesGC):
1261         * dfg/DFGSpeculativeJIT.cpp:
1262         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
1263         * dfg/DFGSpeculativeJIT64.cpp:
1264         (JSC::DFG::SpeculativeJIT::compile):
1265         * ftl/FTLLowerDFGToB3.cpp:
1266         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1267         (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
1268         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1269
1270 2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
1271
1272         [JSC] SourceProviderCacheItem should be small
1273         https://bugs.webkit.org/show_bug.cgi?id=194432
1274
1275         Reviewed by Saam Barati.
1276
1277         Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
1278         While they are removed when full-GC happens, it significantly increases the peak memory usage.
1279         This patch reduces the size of SourceProviderCacheItem from 56 to 32.
1280
1281         * parser/Parser.cpp:
1282         (JSC::Parser<LexerType>::parseFunctionInfo):
1283         * parser/ParserModes.h:
1284         * parser/ParserTokens.h:
1285         * parser/SourceProviderCacheItem.h:
1286         (JSC::SourceProviderCacheItem::endFunctionToken const):
1287         (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
1288
1289 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1290
1291         Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
1292         https://bugs.webkit.org/show_bug.cgi?id=194420
1293
1294         Reviewed by Saam Barati.
1295
1296         In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
1297         But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
1298         This trivial patch fixes both.
1299
1300         * b3/B3ReduceStrength.cpp:
1301         * b3/testb3.cpp:
1302         (JSC::B3::testAbsNegArg):
1303
1304 2019-02-07  Keith Miller  <keith_miller@apple.com>
1305
1306         Better error messages for module loader SPI
1307         https://bugs.webkit.org/show_bug.cgi?id=194421
1308
1309         Reviewed by Saam Barati.
1310
1311         * API/JSAPIGlobalObject.mm:
1312         (JSC::JSAPIGlobalObject::moduleLoaderImportModule):
1313
1314 2019-02-07  Mark Lam  <mark.lam@apple.com>
1315
1316         Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
1317         https://bugs.webkit.org/show_bug.cgi?id=194399
1318         <rdar://problem/47889777>
1319
1320         Reviewed by Yusuke Suzuki.
1321
1322         Fix doesGC() for the following nodes:
1323
1324             CheckTraps:
1325                 We normally will not emit this node because Options::usePollingTraps() is
1326                 false by default.  However, as it is implemented now, CheckTraps can GC
1327                 because it can allocate a TerminatedExecutionException.  If we make the
1328                 TerminatedExecutionException a singleton allocated at initialization time,
1329                 doesGC() can return false for CheckTraps.
1330                 https://bugs.webkit.org/show_bug.cgi?id=194323
1331
1332             GetMapBucket:
1333                 Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
1334                 which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
1335                 can resolve a rope.
1336
1337             Switch:
1338                 If switchData kind is SwitchChar, can call operationResolveRope().
1339                 If switchData kind is SwitchString and the child use kind is not StringIdentUse,
1340                     can call operationSwitchString() which resolves ropes.
1341
1342             DirectTailCall:
1343             ForceOSRExit:
1344             Return:
1345             TailCallForwardVarargs:
1346             TailCallVarargs:
1347             Throw:
1348                 These are terminal nodes.  It shouldn't really matter what doesGC() returns
1349                 for them, but following our conservative practice, unless we have a good
1350                 reason for doesGC() to return false, we should just return true.
1351
1352         * dfg/DFGDoesGC.cpp:
1353         (JSC::DFG::doesGC):
1354
1355 2019-02-07  Robin Morisset  <rmorisset@apple.com>
1356
1357         B3ReduceStrength: missing peephole optimizations for Neg and Sub
1358         https://bugs.webkit.org/show_bug.cgi?id=194250
1359
1360         Reviewed by Saam Barati.
1361
1362         Adds the following optimizations for integers:
1363         - Sub(x, x) => 0
1364             Already covered by the test testSubArg
1365         - Sub(x1, Neg(x2)) => Add (x1, x2)
1366             Added test: testSubNeg
1367         - Neg(Sub(x1, x2)) => Sub(x2, x1)
1368             Added test: testNegSub
1369         - Add(Neg(x1), x2) => Sub(x2, x1)
1370             Added test: testAddNeg1
1371         - Add(x1, Neg(x2)) => Sub(x1, x2)
1372             Added test: testAddNeg2
1373         Adds the following optimization for floating point values:
1374         - Abs(Neg(x)) => Abs(x)
1375             Added test: testAbsNegArg
1376             Adds the following optimization:
1377
1378         Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value>(..))
1379
1380         * b3/B3ReduceStrength.cpp:
1381         * b3/testb3.cpp:
1382         (JSC::B3::testAddNeg1):
1383         (JSC::B3::testAddNeg2):
1384         (JSC::B3::testSubNeg):
1385         (JSC::B3::testNegSub):
1386         (JSC::B3::testAbsAbsArg):
1387         (JSC::B3::testAbsNegArg):
1388         (JSC::B3::run):
1389
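        The rewrite rules listed above, as an added worked example (illustrative code written for this
        page, not B3's own code and not part of the original entry): a mini expression IR in C++ with the
        five integer peepholes and the floating-point Abs(Neg(x)) rule, plus an evaluator that checks each
        integer rewrite against its unreduced form under Int32 wraparound, INT32_MIN included. The Node,
        Proc and reduce names are this example's own. It also shows why the Neg/Sub/Add rules are applied
        to integers only: for doubles, -(x - x) is -0.0 while x - x is +0.0, and NaN - NaN is not 0, so a
        strength-reduction pass that applied them to doubles would miscompile.

```cpp
#include <cmath>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Added illustration, not B3's own code: a mini expression IR with the Neg/Sub/Add/Abs peephole
// rules from the entry above, and an evaluator that checks the integer rewrites under wraparound.
enum class Op { Const, Arg, Neg, Sub, Add, Abs };
enum class Type { Int32, Double };

struct Node {
    Op op; Type type;
    int32_t intConst = 0; int argIndex = 0;          // Op::Const / Op::Arg payloads
    Node* child0 = nullptr; Node* child1 = nullptr;
};

struct Proc { // owns every node, like B3::Procedure
    std::vector<std::unique_ptr<Node>> nodes;
    Node* mk(Op op, Type t, Node* a = nullptr, Node* b = nullptr) {
        nodes.push_back(std::make_unique<Node>(Node{op, t, 0, 0, a, b})); return nodes.back().get();
    }
    Node* intConst(int32_t v) { Node* n = mk(Op::Const, Type::Int32); n->intConst = v; return n; }
    Node* arg(int i, Type t) { Node* n = mk(Op::Arg, t); n->argIndex = i; return n; }
    Node* neg(Node* a) { return mk(Op::Neg, a->type, a); }
    Node* abs(Node* a) { return mk(Op::Abs, Type::Double, a); }
    Node* sub(Node* a, Node* b) { return mk(Op::Sub, a->type, a, b); }
    Node* add(Node* a, Node* b) { return mk(Op::Add, a->type, a, b); }
};

// Reduce children first so rewrites can chain, then apply one rule at the root. Only Abs(Neg(x))
// is applied to doubles; the others rely on Int32 two's-complement wraparound.
Node* reduce(Proc& p, Node* n) {
    if (n->child0) n->child0 = reduce(p, n->child0);
    if (n->child1) n->child1 = reduce(p, n->child1);
    Node* a = n->child0; Node* b = n->child1;
    bool isInt = n->type == Type::Int32;
    if (n->op == Op::Sub && isInt && a == b) return p.intConst(0);                         // Sub(x, x) => 0
    if (n->op == Op::Sub && isInt && b->op == Op::Neg) return p.add(a, b->child0);         // Sub(x1, Neg(x2)) => Add(x1, x2)
    if (n->op == Op::Neg && isInt && a->op == Op::Sub) return p.sub(a->child1, a->child0); // Neg(Sub(x1, x2)) => Sub(x2, x1)
    if (n->op == Op::Add && isInt && a->op == Op::Neg) return p.sub(b, a->child0);         // Add(Neg(x1), x2) => Sub(x2, x1)
    if (n->op == Op::Add && isInt && b->op == Op::Neg) return p.sub(a, b->child0);         // Add(x1, Neg(x2)) => Sub(x1, x2)
    if (n->op == Op::Abs && a->op == Op::Neg) return p.abs(a->child0);                     // Abs(Neg(x)) => Abs(x)
    return n;
}

std::string dump(const Node* n) {
    static const char* names[] = { "Const", "Arg", "Neg", "Sub", "Add", "Abs" };
    if (n->op == Op::Const) return "Const(" + std::to_string(n->intConst) + ")";
    if (n->op == Op::Arg) return "Arg" + std::to_string(n->argIndex);
    std::string s = std::string(names[(int)n->op]) + "(" + dump(n->child0);
    return s + (n->child1 ? ", " + dump(n->child1) : std::string()) + ")";
}

// Int32 evaluation in uint32_t so Neg/Sub/Add wrap, which is exactly what makes the identities exact.
uint32_t evalInt(const Node* n, uint32_t x0, uint32_t x1) {
    switch (n->op) {
    case Op::Const: return (uint32_t)n->intConst;
    case Op::Arg: return n->argIndex == 0 ? x0 : x1;
    case Op::Neg: return 0u - evalInt(n->child0, x0, x1);
    case Op::Sub: return evalInt(n->child0, x0, x1) - evalInt(n->child1, x0, x1);
    default: return evalInt(n->child0, x0, x1) + evalInt(n->child1, x0, x1); // Op::Add (Abs never appears in Int32 trees)
    }
}

using Builder = Node* (*)(Proc&, Node*, Node*);
static const Builder patterns[] = { // the six shapes listed in the entry, in the same order
    [](Proc& p, Node* a, Node*) { return p.sub(a, a); },
    [](Proc& p, Node* a, Node* b) { return p.sub(a, p.neg(b)); },
    [](Proc& p, Node* a, Node* b) { return p.neg(p.sub(a, b)); },
    [](Proc& p, Node* a, Node* b) { return p.add(p.neg(a), b); },
    [](Proc& p, Node* a, Node* b) { return p.add(a, p.neg(b)); },
    [](Proc& p, Node* a, Node*) { return p.abs(p.neg(a)); },
};

// Builds pattern i over arguments of type t, reduces it, and returns the result's shape.
std::string reducedPattern(int i, Type t) {
    Proc p;
    return dump(reduce(p, patterns[i](p, p.arg(0, t), p.arg(1, t))));
}

// Integer rewrites must agree with the unreduced tree on edge inputs, including INT32_MIN (whose Neg wraps).
bool intRulesSound() {
    const uint32_t samples[] = { 0x80000000u, 0x80000001u, 0xFFFFFFFFu, 0u, 1u, 0x7FFFFFFFu };
    for (int i = 0; i < 5; ++i) {
        Proc p;
        Node* a = p.arg(0, Type::Int32); Node* b = p.arg(1, Type::Int32);
        Node* before = patterns[i](p, a, b);
        Node* after = reduce(p, patterns[i](p, a, b)); // a second tree, so `before` keeps its shape
        for (uint32_t x : samples) for (uint32_t y : samples)
            if (evalInt(before, x, y) != evalInt(after, x, y)) return false;
    }
    return true;
}

// Why the Neg/Sub/Add rules stay integer-only: the sign of zero is observable for doubles.
bool negSubRuleBreaksDoubles() {
    double negOfSub = -(0.0 - 0.0), subSwapped = 0.0 - 0.0; // Neg(Sub(x, x)) vs Sub(x, x)
    return std::signbit(negOfSub) && !std::signbit(subSwapped);
}
```

        reducedPattern(2, Type::Int32) yields Sub(Arg1, Arg0), while the same tree over doubles is left
        untouched; intRulesSound() exercises every integer rule at the wraparound boundaries.
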
1390 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1391
1392         [JSC] Use BufferInternal single character StringImpl for SmallStrings
1393         https://bugs.webkit.org/show_bug.cgi?id=194374
1394
1395         Reviewed by Geoffrey Garen.
1396
1397         Currently, we first create a large StringImpl, and create a bunch of substrings with length = 1.
1398         But a pointer is larger than a single character. A BufferInternal StringImpl with a single character
1399         is more memory efficient.
1400
1401         * runtime/SmallStrings.cpp:
1402         (JSC::SmallStringsStorage::SmallStringsStorage):
1403         (JSC::SmallStrings::SmallStrings):
1404         * runtime/SmallStrings.h:
1405
1406 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1407
1408         [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
1409         https://bugs.webkit.org/show_bug.cgi?id=194369
1410         <rdar://problem/47813087>
1411
1412         Reviewed by Saam Barati.
1413
1414         InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this can actually be
1415         JSEmpty if it is in TDZ. This incorrectly proven type information removes the necessary CheckNotEmpty in the
1416         constant folding phase.
1417
1418         * dfg/DFGAbstractInterpreterInlines.h:
1419         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1420
1421 2019-02-06  Devin Rousso  <drousso@apple.com>
1422
1423         Web Inspector: DOM: don't send the entire function string with each event listener
1424         https://bugs.webkit.org/show_bug.cgi?id=194293
1425         <rdar://problem/47822809>
1426
1427         Reviewed by Joseph Pecoraro.
1428
1429         * inspector/protocol/DOM.json:
1430
1431         * runtime/JSFunction.h:
1432         Export `calculatedDisplayName`.
1433
1434 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1435
1436         [JSC] PrivateName to PublicName hash table is wasteful
1437         https://bugs.webkit.org/show_bug.cgi?id=194277
1438
1439         Reviewed by Michael Saboff.
1440
1441         PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames has Identifier fields corresponding to these PrivateNames,
1442         which makes sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
1443         each of which takes 16KB of memory. While the "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and getting a private
1444         name for "xxx"), "PrivateName to PublicName" is rarely used. Holding a 16KB hash table for a rarely used feature is costly.
1445
1446         In this patch, we add some rules to remove "PrivateName to PublicName" hash table.
1447
1448         1. A PrivateName's content should be the same as its PublicName.
1449         2. If a PrivateName is not actually a private name (we introduced a hacky mapping like "@iteratorSymbol" => Symbol.iterator),
1450            the public name should be easily crafted from the given PrivateName.
1451
1452         We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
1453         is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.
1454
1455         We also remove unused identifiers from CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if they are only used in
1456         WebCore.
1457
1458         * builtins/BuiltinNames.cpp:
1459         (JSC::BuiltinNames::BuiltinNames):
1460         * builtins/BuiltinNames.h:
1461         (JSC::BuiltinNames::lookUpPrivateName const):
1462         (JSC::BuiltinNames::getPublicName const):
1463         (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
1464         (JSC::BuiltinNames::appendExternalName):
1465         (JSC::BuiltinNames::lookUpPublicName const): Deleted.
1466         * builtins/BuiltinUtils.h:
1467         * bytecode/BytecodeDumper.cpp:
1468         (JSC::BytecodeDumper<Block>::dumpIdentifiers):
1469         * bytecompiler/NodesCodegen.cpp:
1470         (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
1471         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
1472         * parser/Lexer.cpp:
1473         (JSC::Lexer<LChar>::parseIdentifier):
1474         (JSC::Lexer<UChar>::parseIdentifier):
1475         * parser/Parser.cpp:
1476         (JSC::Parser<LexerType>::createGeneratorParameters):
1477         (JSC::Parser<LexerType>::parseFunctionDeclaration):
1478         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1479         (JSC::Parser<LexerType>::parseClassDeclaration):
1480         (JSC::Parser<LexerType>::parseExportDeclaration):
1481         (JSC::Parser<LexerType>::parseMemberExpression):
1482         * parser/ParserArena.h:
1483         (JSC::IdentifierArena::makeIdentifier):
1484         * runtime/CachedTypes.cpp:
1485         (JSC::CachedUniquedStringImpl::encode):
1486         (JSC::CachedUniquedStringImpl::decode const):
1487         * runtime/CommonIdentifiers.cpp:
1488         (JSC::CommonIdentifiers::CommonIdentifiers):
1489         (JSC::CommonIdentifiers::lookUpPrivateName const):
1490         (JSC::CommonIdentifiers::getPublicName const):
1491         (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
1492         * runtime/CommonIdentifiers.h:
1493         * runtime/ExceptionHelpers.cpp:
1494         (JSC::createUndefinedVariableError):
1495         * runtime/Identifier.cpp:
1496         (JSC::Identifier::dump const):
1497         * runtime/Identifier.h:
1498         * runtime/IdentifierInlines.h:
1499         (JSC::Identifier::fromUid):
1500         * runtime/JSTypedArrayViewPrototype.cpp:
1501         (JSC::JSTypedArrayViewPrototype::finishCreation):
1502         * tools/JSDollarVM.cpp:
1503         (JSC::functionGetPrivateProperty):
1504
1505 2019-02-06  Keith Rollin  <krollin@apple.com>
1506
1507         Really enable the automatic checking and regenerations of .xcfilelists during builds
1508         https://bugs.webkit.org/show_bug.cgi?id=194357
1509         <rdar://problem/47861231>
1510
1511         Reviewed by Chris Dumez.
1512
1513         Bug 194124 was supposed to enable the automatic checking and
1514         regenerating of .xcfilelist files during the build. While related
1515         changes were included in that patch, the change to actually enable the
1516         operation somehow was omitted. This patch actually enables the
1517         operation. The check-xcfilelist.sh scripts now check
1518         WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opt the developer out
1519         of the checking.
1520
1521         * Scripts/check-xcfilelists.sh:
1522
1523 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1524
1525         [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
1526         https://bugs.webkit.org/show_bug.cgi?id=194339
1527
1528         Reviewed by Michael Saboff.
1529
1530         DirectEvalExecutable and IndirectEvalExecutable have exactly the same memory layout.
1531         They even have the same structure. This patch unifies the subspaces for them.
1532
1533         * runtime/DirectEvalExecutable.h:
1534         * runtime/EvalExecutable.h:
1535         (JSC::EvalExecutable::subspaceFor):
1536         * runtime/IndirectEvalExecutable.h:
1537         * runtime/VM.cpp:
1538         * runtime/VM.h:
1539         (JSC::VM::forEachScriptExecutableSpace):
1540
1541 2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>
1542
1543         [JSC] NativeExecutable should be smaller
1544         https://bugs.webkit.org/show_bug.cgi?id=194331
1545
1546         Reviewed by Michael Saboff.
1547
1548         NativeExecutable takes 88 bytes now. Since our GC rounds sizes up to a multiple of 16, it actually takes 96 bytes in IsoSubspaces.
1549         Since a lot of NativeExecutables are allocated, we already have two MarkedBlocks even just after JSGlobalObject initialization.
1550         This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
1551         only takes one MarkedBlock for NativeExecutable.
1552
1553         To make NativeExecutable smaller,
1554
1555         1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
1556            they are not touched from the JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.
1557
1558         2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
1559            always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
1560            NativeJITCode, and is instantiated only when a DOMJIT::Signature* is given.
1561
1562         3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some padding to put things in, we can leverage this to put
1563            the Intrinsic for NativeExecutable.
1564
1565         We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.
1566
1567         * CMakeLists.txt:
1568         * JavaScriptCore.xcodeproj/project.pbxproj:
1569         * bytecode/CallVariant.h:
1570         * interpreter/Interpreter.cpp:
1571         * jit/JITCode.cpp:
1572         (JSC::DirectJITCode::DirectJITCode):
1573         (JSC::NativeJITCode::NativeJITCode):
1574         (JSC::NativeDOMJITCode::NativeDOMJITCode):
1575         * jit/JITCode.h:
1576         (JSC::JITCode::signature const):
1577         (JSC::JITCode::intrinsic):
1578         * jit/JITOperations.cpp:
1579         * jit/JITThunks.cpp:
1580         (JSC::JITThunks::hostFunctionStub):
1581         * jit/Repatch.cpp:
1582         * llint/LLIntSlowPaths.cpp:
1583         * runtime/ExecutableBase.cpp:
1584         (JSC::ExecutableBase::dump const):
1585         (JSC::ExecutableBase::hashFor const):
1586         (JSC::ExecutableBase::hasClearableCode const): Deleted.
1587         (JSC::ExecutableBase::clearCode): Deleted.
1588         * runtime/ExecutableBase.h:
1589         (JSC::ExecutableBase::ExecutableBase):
1590         (JSC::ExecutableBase::isModuleProgramExecutable):
1591         (JSC::ExecutableBase::isHostFunction const):
1592         (JSC::ExecutableBase::generatedJITCodeForCall const):
1593         (JSC::ExecutableBase::generatedJITCodeForConstruct const):
1594         (JSC::ExecutableBase::generatedJITCodeFor const):
1595         (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
1596         (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
1597         (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
1598         (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
1599         (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
1600         (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
1601         (JSC::ExecutableBase::intrinsic const): Deleted.
1602         * runtime/ExecutableBaseInlines.h: Added.
1603         (JSC::ExecutableBase::intrinsic const):
1604         (JSC::ExecutableBase::hasJITCodeForCall const):
1605         (JSC::ExecutableBase::hasJITCodeForConstruct const):
1606         * runtime/JSBoundFunction.cpp:
1607         * runtime/JSType.cpp:
1608         (WTF::printInternal):
1609         * runtime/JSType.h:
1610         * runtime/NativeExecutable.cpp:
1611         (JSC::NativeExecutable::create):
1612         (JSC::NativeExecutable::createStructure):
1613         (JSC::NativeExecutable::NativeExecutable):
1614         (JSC::NativeExecutable::signatureFor const):
1615         (JSC::NativeExecutable::intrinsic const):
1616         * runtime/NativeExecutable.h:
1617         * runtime/ScriptExecutable.cpp:
1618         (JSC::ScriptExecutable::ScriptExecutable):
1619         (JSC::ScriptExecutable::clearCode):
1620         (JSC::ScriptExecutable::installCode):
1621         (JSC::ScriptExecutable::hasClearableCode const):
1622         * runtime/ScriptExecutable.h:
1623         (JSC::ScriptExecutable::intrinsic const):
1624         (JSC::ScriptExecutable::hasJITCodeForCall const):
1625         (JSC::ScriptExecutable::hasJITCodeForConstruct const):
1626         * runtime/VM.cpp:
1627         (JSC::VM::getHostFunction):
1628
1629 2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>
1630
1631         Build failure after r240431
1632         https://bugs.webkit.org/show_bug.cgi?id=194330
1633
1634         Reviewed by Žan Doberšek.
1635
1636         * API/glib/JSCOptions.cpp:
1637
1638 2019-02-05  Mark Lam  <mark.lam@apple.com>
1639
1640         Fix DFG's doesGC() for a few more nodes.
1641         https://bugs.webkit.org/show_bug.cgi?id=194307
1642         <rdar://problem/47832956>
1643
1644         Reviewed by Yusuke Suzuki.
1645
1646         Fix doesGC() for the following nodes:
1647
1648             NumberToStringWithValidRadixConstant:
1649                 Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
1650                 which can allocate a string.
1651                 Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
1652                 which can allocate a string.
1653                 Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
1654                 which can allocate a string.
1655
1656             RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
1657                 memory for all kinds of objects.
1658             RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
1659                 RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
1660                 these allocates memory for the match result.
1661             RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
1662                 calls RegExpObject's collectMatches(), which allocates an array amongst
1663                 other objects.
1664
1665             StringFromCharCode:
1666                 If the uint32 code to convert is greater than maxSingleCharacterString,
1667                 we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
1668                 which allocates a new string if the code is greater than maxSingleCharacterString.
1669
1670         Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
1671         to use maxSingleCharacterString instead of a literal constant.
1672
1673         * dfg/DFGDoesGC.cpp:
1674         (JSC::DFG::doesGC):
1675         * dfg/DFGSpeculativeJIT.cpp:
1676         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
1677         * ftl/FTLLowerDFGToB3.cpp:
1678         (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
1679
1680 2019-02-05  Keith Rollin  <krollin@apple.com>
1681
1682         Enable the automatic checking and regenerations of .xcfilelists during builds
1683         https://bugs.webkit.org/show_bug.cgi?id=194124
1684         <rdar://problem/47721277>
1685
1686         Reviewed by Tim Horton.
1687
1688         Bug 193790 added a facility for checking -- during build time -- that
1689         any needed .xcfilelist files are up-to-date and for updating them if
1690         they are not. This facility was initially opt-in by setting
1691         WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
1692         the process seemed robust. It's now time to enable this facility and
1693         make it opt-out. If there is a need to disable this facility, set and
1694         export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
1695         running `make` or `build-webkit`, or before running Xcode from the
1696         command line.
1697
1698         Additionally, remove the step that generates a list of source files
1699         going into the UnifiedSources build step. It's only necessary to
1700         specify Sources.txt and SourcesCocoa.txt as inputs.
1701
1702         * JavaScriptCore.xcodeproj/project.pbxproj:
1703         * UnifiedSources-input.xcfilelist: Removed.
1704
1705 2019-02-05  Keith Rollin  <krollin@apple.com>
1706
1707         Update .xcfilelist files
1708         https://bugs.webkit.org/show_bug.cgi?id=194121
1709         <rdar://problem/47720863>
1710
1711         Reviewed by Tim Horton.
1712
1713         Preparatory to enabling the facility for automatically updating the
1714         .xcfilelist files, check in a freshly-updated set so that not everyone
1715         runs up against having to regenerate them themselves.
1716
1717         * DerivedSources-input.xcfilelist:
1718         * DerivedSources-output.xcfilelist:
1719
1720 2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>
1721
1722         [INTL] improve efficiency of Intl.NumberFormat formatToParts
1723         https://bugs.webkit.org/show_bug.cgi?id=185557
1724
1725         Reviewed by Mark Lam.
1726
1727         Since field nesting depth is minimal, this algorithm should be effectively O(n),
1728         where n is the number of characters in the formatted string.
1729         It may be less memory efficient than the previous impl, since the intermediate Vector
1730         is the length of the string, instead of the count of the fields.
1731
1732         * runtime/IntlNumberFormat.cpp:
1733         (JSC::IntlNumberFormat::formatToParts):
1734         * runtime/IntlNumberFormat.h:
1735
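        The per-character algorithm described above, as an added C++ example (written for this page, not
        JSC's IntlNumberFormat::formatToParts implementation). The Field and Part types, the field ranges
        and the sample strings are constructed for the illustration; the part names follow
        Intl.NumberFormat.prototype.formatToParts. Each character receives the index of the narrowest
        field covering it, so a grouping separator nested inside the integer field wins, and a single
        left-to-right sweep turns maximal runs into parts. Field ranges are clamped to the string before
        they are used as indices, since they come from a foreign library (ICU) in the real code.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Added illustration, not JSC's implementation: the per-character approach described in the
// entry above. Field ranges are shaped like those ICU's FieldPositionIterator yields; the
// sample strings and ranges below are constructed for this example.
struct Field { size_t begin; size_t end; std::string type; }; // half-open [begin, end)
struct Part { std::string type; std::string value; };

std::vector<Part> formatToParts(const std::string& formatted, std::vector<Field> fields) {
    const size_t n = formatted.size();
    const size_t kLiteral = fields.size(); // sentinel: "covered by no field"
    // One slot per character holding the index of the narrowest field covering it. This is the
    // O(length) intermediate the entry mentions, in place of one entry per field.
    std::vector<size_t> owner(n, kLiteral);
    for (size_t i = 0; i < fields.size(); ++i) {
        Field& f = fields[i];
        f.end = std::min(f.end, n);       // clamp before using the range as an index
        f.begin = std::min(f.begin, f.end);
        for (size_t pos = f.begin; pos < f.end; ++pos) {
            size_t cur = owner[pos];
            // A nested field (grouping separator inside the integer) is shorter, so it wins.
            if (cur == kLiteral || f.end - f.begin < fields[cur].end - fields[cur].begin)
                owner[pos] = i;
        }
    }
    // One left-to-right sweep: every maximal run with a single owner becomes one part, so the
    // integer digits on either side of a grouping separator come out as separate parts.
    std::vector<Part> parts;
    for (size_t pos = 0; pos < n;) {
        size_t runEnd = pos + 1;
        while (runEnd < n && owner[runEnd] == owner[pos]) ++runEnd;
        std::string type = owner[pos] == kLiteral ? std::string("literal") : fields[owner[pos]].type;
        parts.push_back({ type, formatted.substr(pos, runEnd - pos) });
        pos = runEnd;
    }
    return parts;
}

// Renders parts as "type:value|type:value" for checking.
std::string joinParts(const std::vector<Part>& parts) {
    std::string out;
    for (const Part& p : parts) out += (out.empty() ? "" : "|") + p.type + ":" + p.value;
    return out;
}

// Constructed sample: en-US currency formatting of 1234.56, with the integer field spanning the
// grouping separator that is nested inside it (the way ICU reports them).
std::vector<Part> sampleUsdParts() {
    return formatToParts("$1,234.56", {
        { 0, 1, "currency" }, { 1, 6, "integer" }, { 2, 3, "group" },
        { 6, 7, "decimal" }, { 7, 9, "fraction" },
    });
}

// Constructed sample with an uncovered space (becomes a literal part) and a field whose end
// runs past the string, which the clamp turns into a harmless in-bounds range.
std::vector<Part> sampleClampedParts() {
    return formatToParts("12 kg", { { 0, 2, "integer" }, { 3, 99, "unit" } });
}
```

        sampleUsdParts() produces currency "$", integer "1", group ",", integer "234", decimal ".",
        fraction "56"; the fill loop costs the sum of the field lengths, which is O(n) times the nesting
        depth, and the sweep is a single pass over the string.
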
1736 2019-02-05  Mark Lam  <mark.lam@apple.com>
1737
1738         Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
1739         https://bugs.webkit.org/show_bug.cgi?id=194298
1740         <rdar://problem/47827555>
1741
1742         Reviewed by Saam Barati.
1743
1744         We do this for 3 reasons:
1745         1. It's clearer when reading doesGC()'s code that these nodes will return true.
1746         2. If things change in the future where clobberize() no longer reports these nodes
1747            as write(Heap), each node should be vetted first to make sure that it can never
1748            GC before being moved back to the doesGC() list that returns false.
1749         3. This reduces the list of nodes that we need to audit to make sure doesGC() is
1750            correct in its claims about the nodes' GCing possibility.
1751
1752         The list of nodes moved are:
1753
1754             ArrayPush
1755             ArrayPop
1756             Call
1757             CallEval
1758             CallForwardVarargs
1759             CallVarargs
1760             Construct
1761             ConstructForwardVarargs
1762             ConstructVarargs
1763             DefineDataProperty
1764             DefineAccessorProperty
1765             DeleteById
1766             DeleteByVal
1767             DirectCall
1768             DirectConstruct
1769             DirectTailCallInlinedCaller
1770             GetById
1771             GetByIdDirect
1772             GetByIdDirectFlush
1773             GetByIdFlush
1774             GetByIdWithThis
1775             GetByValWithThis
1776             GetDirectPname
1777             GetDynamicVar
1778             HasGenericProperty
1779             HasOwnProperty
1780             HasStructureProperty
1781             InById
1782             InByVal
1783             InstanceOf
1784             InstanceOfCustom
1785             LoadVarargs
1786             NumberToStringWithRadix
1787             PutById
1788             PutByIdDirect
1789             PutByIdFlush
1790             PutByIdWithThis
1791             PutByOffset
1792             PutByValWithThis
1793             PutDynamicVar
1794             PutGetterById
1795             PutGetterByVal
1796             PutGetterSetterById
1797             PutSetterById
1798             PutSetterByVal
1799             PutStack
1800             PutToArguments
1801             RegExpExec
1802             RegExpTest
1803             ResolveScope
1804             ResolveScopeForHoistingFuncDeclInEval
1805             TailCall
1806             TailCallForwardVarargsInlinedCaller
1807             TailCallInlinedCaller
1808             TailCallVarargsInlinedCaller
1809             ToNumber
1810             ToPrimitive
1811             ValueNegate
1812
1813         * dfg/DFGDoesGC.cpp:
1814         (JSC::DFG::doesGC):
1815
1816 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
1817
1818         [JSC] Shrink sizeof(UnlinkedCodeBlock)
1819         https://bugs.webkit.org/show_bug.cgi?id=194281
1820
1821         Reviewed by Michael Saboff.
1822
1823         This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simple way: reordering members, removing an unused member, and
1824         moving rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.
1825
1826         Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Turning more Vectors into RefCountedArrays can be done with some restructuring
1827         of the generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
1828         they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we leave them as future work.
1829
1830         * bytecode/CodeBlock.cpp:
1831         (JSC::CodeBlock::finishCreation):
1832         * bytecode/CodeBlock.h:
1833         (JSC::CodeBlock::bitVectors const): Deleted.
1834         * bytecode/CodeType.h:
1835         * bytecode/UnlinkedCodeBlock.cpp:
1836         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1837         (JSC::UnlinkedCodeBlock::shrinkToFit):
1838         * bytecode/UnlinkedCodeBlock.h:
1839         (JSC::UnlinkedCodeBlock::bitVector):
1840         (JSC::UnlinkedCodeBlock::addBitVector):
1841         (JSC::UnlinkedCodeBlock::addSetConstant):
1842         (JSC::UnlinkedCodeBlock::constantRegisters):
1843         (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
1844         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1845         (JSC::UnlinkedCodeBlock::codeType const):
1846         (JSC::UnlinkedCodeBlock::didOptimize const):
1847         (JSC::UnlinkedCodeBlock::setDidOptimize):
1848         (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
1849         (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
1850         (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
1851         (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
1852         * bytecompiler/BytecodeGenerator.cpp:
1853         (JSC::BytecodeGenerator::emitLoad):
1854         (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
1855         * bytecompiler/BytecodeGenerator.h:
1856         * runtime/CachedTypes.cpp:
1857         (JSC::CachedCodeBlockRareData::encode):
1858         (JSC::CachedCodeBlockRareData::decode const):
1859         (JSC::CachedCodeBlock::scopeRegister const):
1860         (JSC::CachedCodeBlock::codeType const):
1861         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1862         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
1863         (JSC::CachedCodeBlock<CodeBlockType>::encode):
1864         (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.
1865
1866 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1867
1868         Unreviewed, add missing exception checks after r240637
1869         https://bugs.webkit.org/show_bug.cgi?id=193546
1870
1871         * tools/JSDollarVM.cpp:
1872         (JSC::functionShadowChickenFunctionsOnStack):
1873
1874 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
1875
1876         [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
1877         https://bugs.webkit.org/show_bug.cgi?id=193993
1878
1879         Reviewed by Keith Miller.
1880
1881         JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM very large.
1882         And some of them are rarely used. We should allocate them lazily.
1883
1884         In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
1885         functions which allocate IsoSubspaces lazily. These functions are used by subspaceFor<> in each class.
1886         And we also add a subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
1887         returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes a second template
1888         parameter which tells the function whether subspaceFor is done concurrently. If the IsoSubspace is
1889         lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
1890         by using WTF::storeStoreFence when lazily allocating it.
1891
1892         In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
1893         existence of the space before touching it. This is not racy because the main thread is stopped when
1894         the constraint solving is working.
1895
1896         This changes sizeof(VM) from 64736 to 56472.
1897
1898         Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
1899         `Subspace::initialize`. This is a really dangerous API since it easily causes a dead-lock between the
1900         collector and the mutator if an IsoSubspace is dynamically created. We do want to make IsoSubspaces
1901         dynamically-created ones since the requirement of pre-allocation poses a scalability problem
1902         for IsoSubspace adoption because IsoSubspace is large. A registered Subspace is only touched in the
1903         EndPhase, and the peripheries should be stopped when running the EndPhase. Thus, as long as the main thread
1904         can run this IsoSubspace code, the collector is never in the EndPhase. So this is safe.
1905
1906         * API/JSCallbackFunction.h:
1907         * API/ObjCCallbackFunction.h:
1908         (JSC::ObjCCallbackFunction::subspaceFor):
1909         * API/glib/JSCCallbackFunction.h:
1910         * CMakeLists.txt:
1911         * JavaScriptCore.xcodeproj/project.pbxproj:
1912         * bytecode/CodeBlock.cpp:
1913         (JSC::CodeBlock::visitChildren):
1914         (JSC::CodeBlock::finalizeUnconditionally):
1915         * bytecode/CodeBlock.h:
1916         * bytecode/EvalCodeBlock.h:
1917         * bytecode/ExecutableToCodeBlockEdge.h:
1918         * bytecode/FunctionCodeBlock.h:
1919         * bytecode/ModuleProgramCodeBlock.h:
1920         * bytecode/ProgramCodeBlock.h:
1921         * bytecode/UnlinkedFunctionExecutable.cpp:
1922         (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
1923         * bytecode/UnlinkedFunctionExecutable.h:
1924         * dfg/DFGSpeculativeJIT.cpp:
1925         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1926         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1927         (JSC::DFG::SpeculativeJIT::compileNewObject):
1928         * ftl/FTLLowerDFGToB3.cpp:
1929         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1930         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1931         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1932         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1933         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
1934         * heap/Heap.cpp:
1935         (JSC::Heap::finalizeUnconditionalFinalizers):
1936         (JSC::Heap::deleteAllCodeBlocks):
1937         (JSC::Heap::deleteAllUnlinkedCodeBlocks):
1938         (JSC::Heap::addCoreConstraints):
1939         * heap/Subspace.cpp:
1940         (JSC::Subspace::initialize):
1941         * jit/AssemblyHelpers.h:
1942         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1943         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1944         * jit/JITOpcodes.cpp:
1945         (JSC::JIT::emit_op_new_object):
1946         * jit/JITOpcodes32_64.cpp:
1947         (JSC::JIT::emit_op_new_object):
1948         * runtime/DirectArguments.h:
1949         * runtime/DirectEvalExecutable.h:
1950         * runtime/ErrorInstance.h:
1951         (JSC::ErrorInstance::subspaceFor):
1952         * runtime/ExecutableBase.h:
1953         * runtime/FunctionExecutable.h:
1954         * runtime/IndirectEvalExecutable.h:
1955         * runtime/InferredValue.cpp:
1956         (JSC::InferredValue::visitChildren):
1957         * runtime/InferredValue.h:
1958         * runtime/InferredValueInlines.h:
1959         (JSC::InferredValue::finalizeUnconditionally):
1960         * runtime/InternalFunction.h:
1961         * runtime/JSAsyncFunction.h:
1962         * runtime/JSAsyncGeneratorFunction.h:
1963         * runtime/JSBoundFunction.h:
1964         * runtime/JSCell.h:
1965         (JSC::subspaceFor):
1966         (JSC::subspaceForConcurrently):
1967         * runtime/JSCellInlines.h:
1968         (JSC::allocatorForNonVirtualConcurrently):
1969         * runtime/JSCustomGetterSetterFunction.h:
1970         * runtime/JSDestructibleObject.h:
1971         * runtime/JSFunction.h:
1972         * runtime/JSGeneratorFunction.h:
1973         * runtime/JSImmutableButterfly.h:
1974         * runtime/JSLexicalEnvironment.h:
1975         (JSC::JSLexicalEnvironment::subspaceFor):
1976         * runtime/JSNativeStdFunction.h:
1977         * runtime/JSSegmentedVariableObject.h:
1978         * runtime/JSString.h:
1979         * runtime/ModuleProgramExecutable.h:
1980         * runtime/NativeExecutable.h:
1981         * runtime/ProgramExecutable.h:
1982         * runtime/PropertyMapHashTable.h:
1983         * runtime/ProxyRevoke.h:
1984         * runtime/ScopedArguments.h:
1985         * runtime/ScriptExecutable.cpp:
1986         (JSC::ScriptExecutable::clearCode):
1987         (JSC::ScriptExecutable::installCode):
1988         * runtime/Structure.h:
1989         * runtime/StructureRareData.h:
1990         * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
1991         * runtime/VM.cpp:
1992         (JSC::VM::VM):
1993         * runtime/VM.h:
1994         (JSC::VM::SpaceAndSet::SpaceAndSet):
1995         (JSC::VM::SpaceAndSet::setFor):
1996         (JSC::VM::forEachScriptExecutableSpace):
1997         (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
1998         (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
1999         (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
2000         (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2001         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
2002         (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
2003         * runtime/WeakMapImpl.h:
2004         (JSC::WeakMapImpl::subspaceFor):
2005         * wasm/js/JSWebAssemblyCodeBlock.h:
2006         * wasm/js/JSWebAssemblyMemory.h:
2007         * wasm/js/WebAssemblyFunction.h:
2008         * wasm/js/WebAssemblyWrapperFunction.h:
2009
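        The lazy-allocation scheme described in the entry above, as an added C++ example (illustrative
        code written for this page, not JSC's own; Subspace, LazySpace, VMLike, SubspaceAccess and the
        cell sizes are placeholders chosen here). A std::atomic release store publishes the pointer where
        JSC uses WTF::storeStoreFence and a dependent pointer load; allocation stays on the mutator-only
        ensure() path; concurrent callers get an accessor that never allocates and may return nullptr,
        which they must handle as a slow path; and the GC-side iteration skips spaces that do not exist
        yet. The template parameter on get<>() mirrors the second template parameter added to
        JSCell::subspaceFor.

```cpp
#include <atomic>
#include <cstddef>
#include <initializer_list>
#include <memory>
#include <vector>

// Added illustration, not JSC's own code: lazily allocated subspaces with a mutator-only
// ensure() path and a concurrent accessor that may return nullptr. Names and cell sizes are
// placeholders for this example.
struct Subspace {
    size_t cellSize;
    std::vector<void*> blocks; // stands in for the MarkedBlocks a real IsoSubspace owns
    explicit Subspace(size_t size) : cellSize(size) {}
};

enum class SubspaceAccess { OnMainThread, Concurrently };

class LazySpace {
public:
    explicit LazySpace(size_t cellSize) : m_cellSize(cellSize) {}

    // Mutator only. The release store publishes the fully constructed Subspace (the role
    // WTF::storeStoreFence plays in JSC): a thread that observes the non-null pointer also
    // observes every field the constructor wrote.
    Subspace& ensure() {
        if (Subspace* space = m_space.load(std::memory_order_acquire)) return *space;
        m_storage = std::make_unique<Subspace>(m_cellSize);
        m_space.store(m_storage.get(), std::memory_order_release);
        return *m_storage;
    }

    // For concurrent JIT tiers and GC constraint solving: never allocates and may return
    // nullptr, which callers must treat as "take the slow path" or "nothing to visit".
    Subspace* getConcurrently() const { return m_space.load(std::memory_order_acquire); }

    // Mirrors subspaceFor<T, access>: the template parameter says which path is legal here.
    template<SubspaceAccess access> Subspace* get() {
        if (access == SubspaceAccess::Concurrently) return getConcurrently();
        return &ensure();
    }

private:
    size_t m_cellSize;
    std::unique_ptr<Subspace> m_storage;        // owner
    std::atomic<Subspace*> m_space { nullptr }; // published view
};

struct VMLike {
    LazySpace errorInstanceSpace { 48 }; // cell sizes are made up for the example
    LazySpace weakMapSpace { 64 };
    LazySpace proxyRevokeSpace { 32 };

    // What a GC constraint does: touch only the spaces that exist. This is not racy because the
    // mutator, the only thread that creates spaces, is stopped while constraints run.
    template<typename F> size_t forEachAllocatedSpace(F f) {
        size_t visited = 0;
        for (LazySpace* s : { &errorInstanceSpace, &weakMapSpace, &proxyRevokeSpace })
            if (Subspace* space = s->getConcurrently()) { f(*space); ++visited; }
        return visited;
    }
};

// Nothing is allocated until the mutator asks, and a second ensure() returns the same space.
bool allocationIsLazyAndIdempotent() {
    VMLike vm;
    if (vm.weakMapSpace.getConcurrently()) return false;
    Subspace& first = vm.weakMapSpace.ensure();
    Subspace& second = vm.weakMapSpace.ensure();
    return &first == &second && first.cellSize == 64 && vm.weakMapSpace.getConcurrently() == &first;
}

// A JIT tier asking before the mutator has used the type gets nullptr, and asking does not
// create the space; only the main-thread path does.
bool concurrentAccessNeverAllocates() {
    VMLike vm;
    bool slowPath = vm.proxyRevokeSpace.get<SubspaceAccess::Concurrently>() == nullptr;
    bool stillNull = vm.proxyRevokeSpace.getConcurrently() == nullptr;
    Subspace* space = vm.proxyRevokeSpace.get<SubspaceAccess::OnMainThread>();
    return slowPath && stillNull && space && space->cellSize == 32;
}

// GC-side iteration sees exactly the spaces the mutator has touched so far.
size_t spacesVisitedAfterTouching(int howMany) {
    VMLike vm;
    LazySpace* all[] = { &vm.errorInstanceSpace, &vm.weakMapSpace, &vm.proxyRevokeSpace };
    for (int i = 0; i < howMany && i < 3; ++i) all[i]->ensure();
    return vm.forEachAllocatedSpace([](Subspace&) {});
}
```

        The inline allocation fast path a JIT tier emits has to cope with the nullptr case by falling
        back to its slow path, and the GC-side visitor never creates a space, which is why no
        PreventCollectionScope is needed around lazy creation.
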
2010 2019-02-04  Keith Miller  <keith_miller@apple.com>
2011
2012         Change llint operand macros to inline functions
2013         https://bugs.webkit.org/show_bug.cgi?id=194248
2014
2015         Reviewed by Mark Lam.
2016
2017         * llint/LLIntSlowPaths.cpp:
2018         (JSC::LLInt::getNonConstantOperand):
2019         (JSC::LLInt::getOperand):
2020         (JSC::LLInt::llint_trace_value):
2021         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2022         (JSC::LLInt::getByVal):
2023         (JSC::LLInt::genericCall):
2024         (JSC::LLInt::varargsSetup):
2025         (JSC::LLInt::commonCallEval):
2026
2027 2019-02-04  Robin Morisset  <rmorisset@apple.com>
2028
2029         when lowering AssertNotEmpty, create the value before creating the patchpoint
2030         https://bugs.webkit.org/show_bug.cgi?id=194231
2031
2032         Reviewed by Saam Barati.
2033
2034         This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
2035         AssertNotEmpty was generating some such IR; it probably slipped through until now because it is a rather rare and tricky instruction to generate.
2036
2037         * ftl/FTLLowerDFGToB3.cpp:
2038         (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
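
An added example, not code from the patch or from B3 itself: a toy straight-line IR together with the def-before-use check that the invariant stated above calls for. The Opcode and Value types and the function names are invented for this illustration. The first block mirrors the shape the entry describes (a patchpoint appended before the value it reads); the second has the value created first.

```cpp
#include <cstddef>
#include <vector>

// Illustration only, not B3 code: a straight-line IR where each instruction
// is a Value with an id and the ids of the values it reads.
enum class Opcode { Const, Add, Patchpoint };

struct Value {
    int id;                    // identity, independent of position
    Opcode opcode;
    std::vector<int> operands; // ids of values this instruction reads
};

// Returns the ids that are used before (or without) a definition, in
// instruction order. An empty result means every use follows its def.
std::vector<int> validateDefBeforeUse(const std::vector<Value>& block)
{
    std::vector<int> violations;
    std::vector<bool> defined; // indexed by value id
    for (const Value& value : block) {
        for (int operand : value.operands) {
            bool seen = operand >= 0
                && static_cast<size_t>(operand) < defined.size()
                && defined[operand];
            if (!seen)
                violations.push_back(operand);
        }
        if (value.id >= 0) {
            if (static_cast<size_t>(value.id) >= defined.size())
                defined.resize(static_cast<size_t>(value.id) + 1, false);
            defined[static_cast<size_t>(value.id)] = true;
        }
    }
    return violations;
}

// The shape the entry above fixes: the patchpoint is appended first and
// reads a value (id 1) that is only appended afterwards.
std::vector<Value> patchpointBeforeItsOperand()
{
    return {
        { 0, Opcode::Const, {} },
        { 2, Opcode::Patchpoint, { 1 } }, // use of id 1 before its def
        { 1, Opcode::Add, { 0, 0 } },
    };
}

// The corrected order: create the value, then the patchpoint that uses it.
std::vector<Value> operandBeforePatchpoint()
{
    return {
        { 0, Opcode::Const, {} },
        { 1, Opcode::Add, { 0, 0 } },
        { 2, Opcode::Patchpoint, { 1 } },
    };
}
```

The check walks a single basic block in order, which is all this entry's invariant needs; a validator for a full CFG would also have to follow values across block boundaries.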
2039
2040 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2041
2042         [JSC] ExecutableToCodeBlockEdge should be smaller
2043         https://bugs.webkit.org/show_bug.cgi?id=194244
2044
2045         Reviewed by Michael Saboff.
2046
2047         ExecutableToCodeBlockEdge is allocated so many times. However, its memory layout is not efficient.
2048         sizeof(ExecutableToCodeBlockEdge) is 24 bytes, but it discards 7 bytes due to one bool m_isActive flag.
2049         Because our size classes are rounded to 16 bytes, ExecutableToCodeBlockEdge takes 32 bytes. So, half of
2050         it is wasted. We should fit it into 16 bytes so that we can efficiently allocate it.
2051
2052         In this patch, we leverage the TypeInfoMayBePrototype bit in JSTypeInfo. It is a somewhat special TypeInfo bit
2053         since it is a per-cell bit. We rename this to TypeInfoPerCellBit, and use it as the `m_isActive` mark in
2054         ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as the MayBePrototype flag.
2055
2056         Since this flag is not changed in CAS style, we must not change it in concurrent threads. This is OK
2057         for ExecutableToCodeBlockEdge's m_isActive flag since it is touched on the main thread (ScriptExecutable::installCode
2058         does not touch it if it is called on non-main threads).
2059
2060         * bytecode/ExecutableToCodeBlockEdge.cpp:
2061         (JSC::ExecutableToCodeBlockEdge::finishCreation):
2062         (JSC::ExecutableToCodeBlockEdge::visitChildren):
2063         (JSC::ExecutableToCodeBlockEdge::activate):
2064         (JSC::ExecutableToCodeBlockEdge::deactivate):
2065         (JSC::ExecutableToCodeBlockEdge::isActive const):
2066         * bytecode/ExecutableToCodeBlockEdge.h:
2067         * runtime/JSCell.h:
2068         * runtime/JSCellInlines.h:
2069         (JSC::JSCell::perCellBit const):
2070         (JSC::JSCell::setPerCellBit):
2071         (JSC::JSCell::mayBePrototype const): Deleted.
2072         (JSC::JSCell::didBecomePrototype): Deleted.
2073         * runtime/JSObject.cpp:
2074         (JSC::JSObject::setPrototypeDirect):
2075         * runtime/JSObject.h:
2076         * runtime/JSObjectInlines.h:
2077         (JSC::JSObject::mayBePrototype const):
2078         (JSC::JSObject::didBecomePrototype):
2079         * runtime/JSTypeInfo.h:
2080         (JSC::TypeInfo::perCellBit):
2081         (JSC::TypeInfo::mergeInlineTypeFlags):
2082         (JSC::TypeInfo::mayBePrototype): Deleted.
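
An added example, not code from the patch or from JSC: it reproduces the arithmetic in the entry above with an 8-byte cell header laid out like JSCell's (StructureID, IndexingType, JSType, inline TypeInfo flags, CellState), shows the 24-byte layout that a separate bool forces and the 16-byte layout once the flag is packed into a spare header bit, and rounds both up to 16-byte size classes. The struct names, the bit chosen for the per-cell flag, and the round-trip helper are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>

// Illustration only: an 8-byte header shaped like JSCell's header.
struct CellHeader {
    uint32_t structureID;
    uint8_t indexingType;
    uint8_t type;
    uint8_t typeInfoFlags; // inline TypeInfo flags; one bit is per-cell
    uint8_t cellState;
};
static_assert(sizeof(CellHeader) == 8, "header must stay 8 bytes");

// Stand-in for TypeInfoPerCellBit; which bit is used is an assumption here.
constexpr uint8_t kPerCellBit = 1u << 7;

// Before: header (8) + pointer (8) + bool (1) = 17, padded to 24 so the
// pointer stays 8-byte aligned in arrays.
struct EdgeWithBool {
    CellHeader header;
    void* codeBlock;
    bool isActive;
};

// After: the flag lives in the header's spare TypeInfo bit, so the cell is
// exactly header + pointer.
struct EdgeWithPackedBit {
    CellHeader header;
    void* codeBlock;

    bool isActive() const { return (header.typeInfoFlags & kPerCellBit) != 0; }

    // Plain read-modify-write on a shared byte, not a CAS: only the thread
    // that owns the cell (the main thread, in the patch's case) may call it.
    void setActive(bool active)
    {
        if (active)
            header.typeInfoFlags |= kPerCellBit;
        else
            header.typeInfoFlags &= static_cast<uint8_t>(~kPerCellBit);
    }
};

// Size classes in 16-byte steps: bytes a cell of the given size consumes.
constexpr size_t sizeClassFor(size_t bytes)
{
    return (bytes + 15) & ~static_cast<size_t>(15);
}

constexpr size_t wastedBytes(size_t bytes)
{
    return sizeClassFor(bytes) - bytes;
}

static_assert(sizeof(EdgeWithBool) == 24, "the bool forces a 24-byte object");
static_assert(sizeClassFor(sizeof(EdgeWithBool)) == 32, "which rounds up to 32");
static_assert(sizeof(EdgeWithPackedBit) == 16, "the packed flag fits in 16");
static_assert(sizeClassFor(sizeof(EdgeWithPackedBit)) == 16, "with no rounding waste");

// Sets and clears the packed flag and checks that the other TypeInfo bits
// in the same byte are left untouched. Returns true when every check holds.
bool packedFlagRoundTrips()
{
    EdgeWithPackedBit edge{};
    edge.header.typeInfoFlags = 0x05; // unrelated flags that must survive
    edge.setActive(true);
    bool ok = edge.isActive() && (edge.header.typeInfoFlags & 0x7f) == 0x05;
    edge.setActive(false);
    ok = ok && !edge.isActive() && edge.header.typeInfoFlags == 0x05;
    return ok;
}
```

The static_asserts reproduce the 24-to-32 and 16-to-16 figures from the entry on an LP64 target; the round-trip helper is there because the hazard of sharing a flag byte is exactly the one the entry names, a non-atomic read-modify-write that must stay on one thread.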
2083
2084 2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>
2085
2086         [JSC] Shrink size of FunctionExecutable
2087         https://bugs.webkit.org/show_bug.cgi?id=194191
2088
2089         Reviewed by Michael Saboff.
2090
2091         This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
2092         improves the allocation efficiency.
2093
2094         1. ScriptExecutable (base class of FunctionExecutable) has several members that are meaningful only in FunctionExecutable.
2095            We remove them from ScriptExecutable and move them to FunctionExecutable.
2096
2097         2. FunctionExecutable has several pieces of data which are rarely used: one is for the FunctionOverrides functionality, which is typically
2098            used for JSC debugging purposes, and another is the TypeSet and offsets for the type profiler. We move them to RareData and reduce
2099            the size of FunctionExecutable in the common case.
2100
2101         This patch changes the size of FunctionExecutable from 176 to 144.
2102
2103         * bytecode/CodeBlock.cpp:
2104         (JSC::CodeBlock::dumpSource):
2105         (JSC::CodeBlock::finishCreation):
2106         * dfg/DFGNode.h:
2107         (JSC::DFG::Node::OpInfoWrapper::as const):
2108         * interpreter/StackVisitor.cpp:
2109         (JSC::StackVisitor::Frame::computeLineAndColumn const):
2110         * runtime/ExecutableBase.h:
2111         * runtime/FunctionExecutable.cpp:
2112         (JSC::FunctionExecutable::FunctionExecutable):
2113         (JSC::FunctionExecutable::ensureRareDataSlow):
2114         * runtime/FunctionExecutable.h:
2115         * runtime/Intrinsic.h:
2116         * runtime/ModuleProgramExecutable.cpp:
2117         (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
2118         * runtime/ProgramExecutable.cpp:
2119         (JSC::ProgramExecutable::ProgramExecutable):
2120         * runtime/ScriptExecutable.cpp:
2121         (JSC::ScriptExecutable::ScriptExecutable):
2122         (JSC::ScriptExecutable::overrideLineNumber const):
2123         (JSC::ScriptExecutable::typeProfilingStartOffset const):
2124         (JSC::ScriptExecutable::typeProfilingEndOffset const):
2125         * runtime/ScriptExecutable.h:
2126         (JSC::ScriptExecutable::firstLine const):
2127         (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
2128         (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
2129         (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
2130         (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
2131         (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
2132         * runtime/StackFrame.cpp:
2133         (JSC::StackFrame::computeLineAndColumn const):
2134         * tools/JSDollarVM.cpp:
2135         (JSC::functionReturnTypeFor):
2136
2137 2019-02-04  Mark Lam  <mark.lam@apple.com>
2138
2139         DFG's doesGC() is incorrect about the SameValue node's behavior.
2140         https://bugs.webkit.org/show_bug.cgi?id=194211
2141         <rdar://problem/47608913>
2142
2143         Reviewed by Saam Barati.
2144
2145         Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
2146         it calls operationSameValue() which may allocate memory for resolving ropes.
2147
2148         * dfg/DFGDoesGC.cpp:
2149         (JSC::DFG::doesGC):
2150
2151 2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
2152
2153         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
2154         https://bugs.webkit.org/show_bug.cgi?id=194031
2155
2156         Reviewed by Saam Barati.
2157
2158         UnlinkedMetadataTable assumes that the MetadataTable linked against this UnlinkedMetadataTable is already destroyed when the UnlinkedMetadataTable is destroyed.
2159         This means that the UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since the GC's finalizer
2160         sweeps objects without considering the dependencies among swept objects. The UnlinkedMetadataTable can be destroyed even before the linked MetadataTable is
2161         destroyed if the UnlinkedCodeBlock is destroyed before the linked CodeBlock is destroyed.
2162
2163         To make the above assumption valid, we make UnlinkedMetadataTable a RefCounted object, and make MetadataTable hold a strong ref to UnlinkedMetadataTable.
2164         This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.
2165
2166         * bytecode/MetadataTable.cpp:
2167         (JSC::MetadataTable::MetadataTable):
2168         (JSC::MetadataTable::~MetadataTable):
2169         * bytecode/UnlinkedCodeBlock.cpp:
2170         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2171         (JSC::UnlinkedCodeBlock::visitChildren):
2172         (JSC::UnlinkedCodeBlock::estimatedSize):
2173         (JSC::UnlinkedCodeBlock::setInstructions):
2174         * bytecode/UnlinkedCodeBlock.h:
2175         (JSC::UnlinkedCodeBlock::metadata):
2176         (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
2177         * bytecode/UnlinkedMetadataTable.h:
2178         (JSC::UnlinkedMetadataTable::create):
2179         * bytecode/UnlinkedMetadataTableInlines.h:
2180         (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
2181         * runtime/CachedTypes.cpp:
2182         (JSC::CachedMetadataTable::decode const):
2183         (JSC::CachedCodeBlock::metadata const):
2184         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2185         (JSC::CachedCodeBlock<CodeBlockType>::decode const):
2186         (JSC::CachedCodeBlock<CodeBlockType>::encode):
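
An added example, not code from the patch or from JSC: a model of the lifetime hazard in the entry above. One unlinked table is shared by several linked tables, a sweeper destroys cells in whatever order it is given, and the linked table either keeps only a raw pointer (the pre-patch assumption that the unlinked table outlives it) or a strong reference (the fix; std::shared_ptr stands in for RefPtr here). The type names, the LiveCounts bookkeeping and the sweep orders are constructed for the illustration; the destructor records whether its dependency is still alive instead of dereferencing a possibly dangling pointer.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Illustration only: bookkeeping so a test can observe destruction order.
struct LiveCounts {
    int unlinked = 0;
    int linked = 0;
    // Set if a linked table is destroyed after the unlinked table it depends
    // on has already been freed: the use-after-free window.
    bool dependencyBroken = false;
};

struct UnlinkedTable {
    explicit UnlinkedTable(LiveCounts& c) : counts(c) { ++counts.unlinked; }
    ~UnlinkedTable() { --counts.unlinked; }
    LiveCounts& counts;
};

enum class Ownership { RawPointer, StrongRef };
enum class SweepOrder { UnlinkedCellFirst, LinkedCellsFirst };

struct LinkedTable {
    LinkedTable(Ownership ownership, const std::shared_ptr<UnlinkedTable>& u, LiveCounts& c)
        : counts(c)
    {
        if (ownership == Ownership::StrongRef)
            strong = u;    // the fix: a strong ref keeps the unlinked table alive
        else
            raw = u.get(); // the old assumption: "it will outlive me"
        ++counts.linked;
    }
    ~LinkedTable()
    {
        // The real destructor hands storage back to the unlinked table. Here
        // we only record whether that table still exists at this point.
        if (counts.unlinked == 0)
            counts.dependencyBroken = true;
        --counts.linked;
    }
    std::shared_ptr<UnlinkedTable> strong;
    UnlinkedTable* raw = nullptr;
    LiveCounts& counts;
};

// Heap cells: the sweeper destroys each one in the order it visits them,
// without looking at what the cell depends on.
struct Cell { virtual ~Cell() = default; };
struct UnlinkedCell : Cell { std::shared_ptr<UnlinkedTable> table; };
struct LinkedCell : Cell { std::unique_ptr<LinkedTable> table; };

// Builds one unlinked cell plus `linkedCount` linked cells sharing its table,
// sweeps them in the requested order, and returns what the destructors saw.
LiveCounts sweep(Ownership ownership, SweepOrder order, int linkedCount)
{
    LiveCounts counts;
    auto unlinkedCell = std::make_unique<UnlinkedCell>();
    unlinkedCell->table = std::make_shared<UnlinkedTable>(counts);

    std::vector<std::unique_ptr<Cell>> heap;
    for (int i = 0; i < linkedCount; ++i) {
        auto cell = std::make_unique<LinkedCell>();
        cell->table = std::make_unique<LinkedTable>(ownership, unlinkedCell->table, counts);
        heap.push_back(std::move(cell));
    }
    if (order == SweepOrder::UnlinkedCellFirst)
        heap.insert(heap.begin(), std::move(unlinkedCell));
    else
        heap.push_back(std::move(unlinkedCell));

    for (auto& cell : heap)
        cell.reset(); // sweep this cell regardless of its dependencies
    return counts;
}
```

With RawPointer ownership the outcome depends on sweep order, which is the bug; with StrongRef the unlinked table is released by whichever linked table dies last, so the order no longer matters.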
2187
2188 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2189
2190         [JSC] Decouple JIT related data from CodeBlock
2191         https://bugs.webkit.org/show_bug.cgi?id=194187
2192
2193         Reviewed by Saam Barati.
2194
2195         CodeBlock holds a bunch of data which is only used after the JIT starts compiling it.
2196         We have three types of data in CodeBlock.
2197
2198         1. The data which is always used. CodeBlock needs to hold it.
2199         2. The data which is touched even in LLInt, but is only meaningful in JIT tiers. An example is profiling.
2200         3. The data which is used after the JIT compiler starts running for the given CodeBlock.
2201
2202         This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have a bunch of CodeBlocks, only a small
2203         number of them get JIT compiled. Always allocating the (3) data enlarges the size of CodeBlock, leading to
2204         memory waste. Potentially we can decouple (2) into another data structure, but we first do (3) since (3) is beneficial
2205         in both non-JIT and *JIT* modes.
2206
2207         JITData is created only when the JIT compiler wants to use it. Since it can be concurrently created and used, it is guarded
2208         by the lock of CodeBlock.
2209
2210         The size of CodeBlock is reduced from 512 to 352.
2211
2212         This patch improves memory footprint and gets 1.1% improvement in RAMification.
2213
2214             Footprint geomean: 36696503 (34.997 MB)
2215             Peak Footprint geomean: 38595988 (36.808 MB)
2216             Score: 37634263 (35.891 MB)
2217
2218             Footprint geomean: 37172768 (35.451 MB)
2219             Peak Footprint geomean: 38978288 (37.173 MB)
2220             Score: 38064824 (36.301 MB)
2221
2222         * bytecode/CodeBlock.cpp:
2223         (JSC::CodeBlock::~CodeBlock):
2224         (JSC::CodeBlock::propagateTransitions):
2225         (JSC::CodeBlock::ensureJITDataSlow):
2226         (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
2227         (JSC::CodeBlock::getICStatusMap):
2228         (JSC::CodeBlock::addStubInfo):
2229         (JSC::CodeBlock::addJITAddIC):
2230         (JSC::CodeBlock::addJITMulIC):
2231         (JSC::CodeBlock::addJITSubIC):
2232         (JSC::CodeBlock::addJITNegIC):
2233         (JSC::CodeBlock::findStubInfo):
2234         (JSC::CodeBlock::addByValInfo):
2235         (JSC::CodeBlock::addCallLinkInfo):
2236         (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
2237         (JSC::CodeBlock::addRareCaseProfile):
2238         (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
2239         (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
2240         (JSC::CodeBlock::resetJITData):
2241         (JSC::CodeBlock::stronglyVisitStrongReferences):
2242         (JSC::CodeBlock::shrinkToFit):
2243         (JSC::CodeBlock::linkIncomingCall):
2244         (JSC::CodeBlock::linkIncomingPolymorphicCall):
2245         (JSC::CodeBlock::unlinkIncomingCalls):
2246         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2247         (JSC::CodeBlock::dumpValueProfiles):
2248         (JSC::CodeBlock::setPCToCodeOriginMap):
2249         (JSC::CodeBlock::findPC):
2250         (JSC::CodeBlock::dumpMathICStats):
2251         * bytecode/CodeBlock.h:
2252         (JSC::CodeBlock::ensureJITData):
2253         (JSC::CodeBlock::setJITCodeMap):
2254         (JSC::CodeBlock::jitCodeMap):
2255         (JSC::CodeBlock::likelyToTakeSlowCase):
2256         (JSC::CodeBlock::couldTakeSlowCase):
2257         (JSC::CodeBlock::lazyOperandValueProfiles):
2258         (JSC::CodeBlock::stubInfoBegin): Deleted.
2259         (JSC::CodeBlock::stubInfoEnd): Deleted.
2260         (JSC::CodeBlock::callLinkInfosBegin): Deleted.
2261         (JSC::CodeBlock::callLinkInfosEnd): Deleted.
2262         (JSC::CodeBlock::jitCodeMap const): Deleted.
2263         (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
2264         * bytecode/MethodOfGettingAValueProfile.cpp:
2265         (JSC::MethodOfGettingAValueProfile::emitReportValue const):
2266         (JSC::MethodOfGettingAValueProfile::reportValue):
2267         * dfg/DFGByteCodeParser.cpp:
2268         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2269         * jit/JIT.h:
2270         * jit/JITOperations.cpp:
2271         (JSC::tryGetByValOptimize):
2272         * jit/JITPropertyAccess.cpp:
2273         (JSC::JIT::privateCompileGetByVal):
2274         (JSC::JIT::privateCompilePutByVal):
2275
2276 2018-12-16  Darin Adler  <darin@apple.com>
2277
2278         Convert additional String::format clients to alternative approaches
2279         https://bugs.webkit.org/show_bug.cgi?id=192746
2280
2281         Reviewed by Alexey Proskuryakov.
2282
2283         * inspector/agents/InspectorConsoleAgent.cpp:
2284         (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
2285         and FormattedNumber::fixedWidth.
2286
2287 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2288
2289         [JSC] Remove some of IsoSubspaces for JSFunction subclasses
2290         https://bugs.webkit.org/show_bug.cgi?id=194177
2291
2292         Reviewed by Saam Barati.
2293
2294         JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
2295         We can share the IsoSubspace for JSFunction.
2296
2297         * runtime/JSAsyncFunction.h:
2298         * runtime/JSAsyncGeneratorFunction.h:
2299         * runtime/JSGeneratorFunction.h:
2300         * runtime/VM.cpp:
2301         (JSC::VM::VM):
2302         * runtime/VM.h:
2303
2304 2019-02-01  Mark Lam  <mark.lam@apple.com>
2305
2306         Remove invalid assertion in DFG's compileDoubleRep().
2307         https://bugs.webkit.org/show_bug.cgi?id=194130
2308         <rdar://problem/47699474>
2309
2310         Reviewed by Saam Barati.
2311
2312         * dfg/DFGSpeculativeJIT.cpp:
2313         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2314
2315 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2316
2317         [JSC] Unify CodeBlock IsoSubspaces
2318         https://bugs.webkit.org/show_bug.cgi?id=194167
2319
2320         Reviewed by Saam Barati.
2321
2322         When we moved CodeBlock into its IsoSubspace, we created IsoSubspaces for each subclass of CodeBlock.
2323         But this is not necessary since:
2324
2325         1. They do not override the classInfo methods.
2326         2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock), since the subclasses add no additional fields.
2327
2328         Creating an IsoSubspace for each subclass is costly in terms of memory, especially the IsoSubspace for
2329         ProgramCodeBlock. We typically create only one ProgramCodeBlock, which means the rest of the
2330         MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.
2331
2332         This patch unifies these IsoSubspaces into one.
2333
2334         * bytecode/CodeBlock.cpp:
2335         (JSC::CodeBlock::destroy):
2336         * bytecode/CodeBlock.h:
2337         * bytecode/EvalCodeBlock.cpp:
2338         (JSC::EvalCodeBlock::destroy): Deleted.
2339         * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
2340         * bytecode/FunctionCodeBlock.cpp:
2341         (JSC::FunctionCodeBlock::destroy): Deleted.
2342         * bytecode/FunctionCodeBlock.h:
2343         * bytecode/GlobalCodeBlock.h:
2344         * bytecode/ModuleProgramCodeBlock.cpp:
2345         (JSC::ModuleProgramCodeBlock::destroy): Deleted.
2346         * bytecode/ModuleProgramCodeBlock.h:
2347         * bytecode/ProgramCodeBlock.cpp:
2348         (JSC::ProgramCodeBlock::destroy): Deleted.
2349         * bytecode/ProgramCodeBlock.h:
2350         * interpreter/Interpreter.cpp:
2351         (JSC::Interpreter::execute):
2352         * runtime/VM.cpp:
2353         (JSC::VM::VM):
2354         * runtime/VM.h:
2355         (JSC::VM::forEachCodeBlockSpace):
2356
2357 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2358
2359         Unreviewed, follow-up after r240859
2360         https://bugs.webkit.org/show_bug.cgi?id=194145
2361
2362         Replace OOB HeapCellType with cellHeapCellType since they are completely the same,
2363         and rename cellDangerousBitsSpace back to cellSpace.
2364
2365         * runtime/JSCellInlines.h:
2366         (JSC::JSCell::subspaceFor):
2367         * runtime/VM.cpp:
2368         (JSC::VM::VM):
2369         * runtime/VM.h:
2370
2371 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
2372
2373         [JSC] Remove cellJSValueOOBSpace
2374         https://bugs.webkit.org/show_bug.cgi?id=194145
2375
2376         Reviewed by Mark Lam.
2377
2378         * runtime/JSObject.h:
2379         (JSC::JSObject::subspaceFor): Deleted.
2380         * runtime/VM.cpp:
2381         (JSC::VM::VM):
2382         * runtime/VM.h:
2383
2384 2019-01-31  Mark Lam  <mark.lam@apple.com>
2385
2386         Remove poisoning from CodeBlock and LLInt code.
2387         https://bugs.webkit.org/show_bug.cgi?id=194113
2388
2389         Reviewed by Yusuke Suzuki.
2390
2391         * bytecode/CodeBlock.cpp:
2392         (JSC::CodeBlock::CodeBlock):
2393         (JSC::CodeBlock::~CodeBlock):
2394         (JSC::CodeBlock::setConstantRegisters):
2395         (JSC::CodeBlock::propagateTransitions):
2396         (JSC::CodeBlock::finalizeLLIntInlineCaches):
2397         (JSC::CodeBlock::jettison):
2398         (JSC::CodeBlock::predictedMachineCodeSize):
2399         * bytecode/CodeBlock.h:
2400         (JSC::CodeBlock::vm const):
2401         (JSC::CodeBlock::addConstant):
2402         (JSC::CodeBlock::heap const):
2403         (JSC::CodeBlock::replaceConstant):
2404         * llint/LLIntOfflineAsmConfig.h:
2405         * llint/LLIntSlowPaths.cpp:
2406         (JSC::LLInt::handleHostCall):
2407         (JSC::LLInt::setUpCall):
2408         * llint/LowLevelInterpreter.asm:
2409         * llint/LowLevelInterpreter32_64.asm:
2410         * llint/LowLevelInterpreter64.asm:
2411
2412 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2413
2414         [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
2415         https://bugs.webkit.org/show_bug.cgi?id=194107
2416
2417         Reviewed by Saam Barati.
2418
2419         AsyncFromSyncIteratorPrototype uses a finalizer, but it is not necessary since it does not hold any objects which require destruction.
2420         We drop this finalizer, and we also make the methods of AsyncFromSyncIteratorPrototype lazily allocated.
2421
2422         * CMakeLists.txt:
2423         * DerivedSources.make:
2424         * JavaScriptCore.xcodeproj/project.pbxproj:
2425         * runtime/AsyncFromSyncIteratorPrototype.cpp:
2426         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2427         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2428         (JSC::AsyncFromSyncIteratorPrototype::create):
2429         * runtime/AsyncFromSyncIteratorPrototype.h:
2430
2431 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2432
2433         Fix `runJITThreadLimitTests` in testapi
2434         https://bugs.webkit.org/show_bug.cgi?id=194064
2435         <rdar://problem/46139147>
2436
2437         Reviewed by Mark Lam.
2438
2439         Fix typo where `targetNumberOfThreads` was not being used.
2440
2441         * API/tests/testapi.mm:
2442         (runJITThreadLimitTests):
2443
2444 2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>
2445
2446         testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
2447         https://bugs.webkit.org/show_bug.cgi?id=194112
2448
2449         Reviewed by Mark Lam.
2450
2451         `testBytecodeCache` does not populate the bytecode cache for the global
2452         CodeBlock, so it should only enable `forceDiskCache` after its execution.
2453
2454         * API/tests/testapi.mm:
2455         (testBytecodeCache):
2456
2457 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2458
2459         Unreviewed, follow-up after r240796
2460
2461         Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, the GC can see the broken one
2462         when allocating the InferredValue in FunctionExecutable::finishCreation.
2463
2464         * runtime/FunctionExecutable.cpp:
2465         (JSC::FunctionExecutable::FunctionExecutable):
2466         (JSC::FunctionExecutable::finishCreation):
2467
2468 2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>
2469
2470         [JSC] Do not use InferredValue in non-JIT configuration
2471         https://bugs.webkit.org/show_bug.cgi?id=194084
2472
2473         Reviewed by Saam Barati.
2474
2475         InferredValue is not meaningful if our VM is in a non-JIT configuration. InferredValue is used to watch the instantiation of the FunctionExecutable's
2476         JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
2477         put a watchpoint and fold it into this constant. But if the JIT is disabled, we do not need to care about it.
2478         Even in a non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is a preferable
2479         target for poly proto. If the JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, a poly proto Structure
2480         seems appropriate for objects created by this JSFunction. But at that time, the only thing we would like to know is whether the JSFunction for this
2481         FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue; WatchpointState is enough.
2482         To summarize, since nobody uses the InferredValue feature in a non-JIT configuration, we should not create it.
2483
2484         * bytecode/ObjectAllocationProfileInlines.h:
2485         (JSC::ObjectAllocationProfile::initializeProfile):
2486         * runtime/FunctionExecutable.cpp:
2487         (JSC::FunctionExecutable::finishCreation):
2488         (JSC::FunctionExecutable::visitChildren):
2489         * runtime/FunctionExecutable.h:
2490         * runtime/InferredValue.cpp:
2491         (JSC::InferredValue::create):
2492         * runtime/JSAsyncFunction.cpp:
2493         (JSC::JSAsyncFunction::create):
2494         * runtime/JSAsyncGeneratorFunction.cpp:
2495         (JSC::JSAsyncGeneratorFunction::create):
2496         * runtime/JSFunction.cpp:
2497         (JSC::JSFunction::create):
2498         * runtime/JSFunctionInlines.h:
2499         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
2500         * runtime/JSGeneratorFunction.cpp:
2501         (JSC::JSGeneratorFunction::create):
2502         * runtime/JSSymbolTableObject.h:
2503         (JSC::JSSymbolTableObject::setSymbolTable):
2504         * runtime/SymbolTable.cpp:
2505         (JSC::SymbolTable::finishCreation):
2506         * runtime/VM.cpp:
2507         (JSC::VM::VM):
2508
2509 2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>
2510
2511         [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
2512         https://bugs.webkit.org/show_bug.cgi?id=194085
2513
2514         Reviewed by Yusuke Suzuki.
2515
2516         r240730 changed ud_itab.py and caused incremental build failures
2517         for Ninja builds.
2518
2519         * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.
2520
2521 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2522
2523         [JSC] Symbol should be in destructibleCellSpace
2524         https://bugs.webkit.org/show_bug.cgi?id=194082
2525
2526         Reviewed by Saam Barati.
2527
2528         Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
2529         to cellJSValueOOBSpace. But the problem is that cellJSValueOOBSpace is a space for cells which are not
2530         destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
2531         Symbol's space destructibleCellSpace so that the destructor is called appropriately.
2532
2533         * runtime/Symbol.h:
2534
2535 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2536
2537         Unreviewed, rolling out r240755.
2538
2539         This was not correct
2540
2541         Reverted changeset:
2542
2543         "Unreviewed, fix GCC build after r240730"
2544         https://bugs.webkit.org/show_bug.cgi?id=194041
2545         https://trac.webkit.org/changeset/240755
2546
2547 2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2548
2549         Unreviewed, fix GCC build after r240730
2550         https://bugs.webkit.org/show_bug.cgi?id=194041
2551         <rdar://problem/47680981>
2552
2553         * disassembler/udis86/ud_itab.py:
2554         (UdItabGenerator.genOpcodeTablesLookupIndex):
2555
2556 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2557
2558         testapi's `testBytecodeCache` does not need to run the code twice
2559         https://bugs.webkit.org/show_bug.cgi?id=194046
2560
2561         Reviewed by Mark Lam.
2562
2563         Since we populate the cache eagerly (unlike the stress tests) we don't
2564         need to run the code twice.
2565
2566         * API/tests/testapi.mm:
2567         (testBytecodeCache):
2568
2569 2019-01-30  Saam barati  <sbarati@apple.com>
2570
2571         [WebAssembly] Change BBQ to generate Air IR
2572         https://bugs.webkit.org/show_bug.cgi?id=191802
2573         <rdar://problem/47651718>
2574
2575         Reviewed by Keith Miller.
2576
2577         This patch adds a new Wasm compiler for the BBQ tier. Instead
2578         of compiling using B3-O1, we now generate Air code directly.
2579         The goal of doing this was to speed up compile times for Wasm
2580         programs.
2581         
2582         This patch provides us with a 20-30% compile time speedup. However, I
2583         have ideas on how to improve compile times even further. For example,
2584         we should probably implement a faster running register allocator:
2585         https://bugs.webkit.org/show_bug.cgi?id=194036
2586         
2587         We can also improve on the code we generate.
2588         We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
2589         And we should do better instruction selection in various
2590         areas: https://bugs.webkit.org/show_bug.cgi?id=193999
2591
2592         * JavaScriptCore.xcodeproj/project.pbxproj:
2593         * Sources.txt:
2594         * b3/B3LowerToAir.cpp:
2595         * b3/B3StackmapSpecial.h:
2596         * b3/air/AirCode.cpp:
2597         (JSC::B3::Air::Code::emitDefaultPrologue):
2598         * b3/air/AirCode.h:
2599         * b3/air/AirTmp.h:
2600         (JSC::B3::Air::Tmp::Tmp):
2601         * runtime/Options.h:
2602         * wasm/WasmAirIRGenerator.cpp: Added.
2603         (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
2604         (JSC::Wasm::TypedTmp::TypedTmp):
2605         (JSC::Wasm::TypedTmp::operator== const):
2606         (JSC::Wasm::TypedTmp::operator!= const):
2607         (JSC::Wasm::TypedTmp::operator bool const):
2608         (JSC::Wasm::TypedTmp::operator Tmp const):
2609         (JSC::Wasm::TypedTmp::operator Arg const):
2610         (JSC::Wasm::TypedTmp::tmp const):
2611         (JSC::Wasm::TypedTmp::type const):
2612         (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
2613         (JSC::Wasm::AirIRGenerator::ControlData::dump const):
2614         (JSC::Wasm::AirIRGenerator::ControlData::type const):
2615         (JSC::Wasm::AirIRGenerator::ControlData::signature const):
2616         (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
2617         (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
2618         (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
2619         (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
2620         (JSC::Wasm::AirIRGenerator::emptyExpression):
2621         (JSC::Wasm::AirIRGenerator::fail const):
2622         (JSC::Wasm::AirIRGenerator::setParser):
2623         (JSC::Wasm::AirIRGenerator::toTmpVector):
2624         (JSC::Wasm::AirIRGenerator::validateInst):
2625         (JSC::Wasm::AirIRGenerator::extractArg):
2626         (JSC::Wasm::AirIRGenerator::append):
2627         (JSC::Wasm::AirIRGenerator::appendEffectful):
2628         (JSC::Wasm::AirIRGenerator::newTmp):
2629         (JSC::Wasm::AirIRGenerator::g32):
2630         (JSC::Wasm::AirIRGenerator::g64):
2631         (JSC::Wasm::AirIRGenerator::f32):
2632         (JSC::Wasm::AirIRGenerator::f64):
2633         (JSC::Wasm::AirIRGenerator::tmpForType):
2634         (JSC::Wasm::AirIRGenerator::addPatchpoint):
2635         (JSC::Wasm::AirIRGenerator::emitPatchpoint):
2636         (JSC::Wasm::AirIRGenerator::emitCheck):
2637         (JSC::Wasm::AirIRGenerator::emitCCall):
2638         (JSC::Wasm::AirIRGenerator::moveOpForValueType):
2639         (JSC::Wasm::AirIRGenerator::instanceValue):
2640         (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
2641         (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
2642         (JSC::Wasm::AirIRGenerator::AirIRGenerator):
2643         (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
2644         (JSC::Wasm::AirIRGenerator::emitThrowException):
2645         (JSC::Wasm::AirIRGenerator::addLocal):
2646         (JSC::Wasm::AirIRGenerator::addConstant):
2647         (JSC::Wasm::AirIRGenerator::addArguments):
2648         (JSC::Wasm::AirIRGenerator::getLocal):
2649         (JSC::Wasm::AirIRGenerator::addUnreachable):
2650         (JSC::Wasm::AirIRGenerator::addGrowMemory):
2651         (JSC::Wasm::AirIRGenerator::addCurrentMemory):
2652         (JSC::Wasm::AirIRGenerator::setLocal):
2653         (JSC::Wasm::AirIRGenerator::getGlobal):
2654         (JSC::Wasm::AirIRGenerator::setGlobal):
2655         (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
2656         (JSC::Wasm::sizeOfLoadOp):
2657         (JSC::Wasm::AirIRGenerator::emitLoadOp):
2658         (JSC::Wasm::AirIRGenerator::load):
2659         (JSC::Wasm::sizeOfStoreOp):
2660         (JSC::Wasm::AirIRGenerator::emitStoreOp):
2661         (JSC::Wasm::AirIRGenerator::store):
2662         (JSC::Wasm::AirIRGenerator::addSelect):
2663         (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
2664         (JSC::Wasm::AirIRGenerator::addLoop):
2665         (JSC::Wasm::AirIRGenerator::addTopLevel):
2666         (JSC::Wasm::AirIRGenerator::addBlock):
2667         (JSC::Wasm::AirIRGenerator::addIf):
2668         (JSC::Wasm::AirIRGenerator::addElse):
2669         (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
2670         (JSC::Wasm::AirIRGenerator::addReturn):
2671         (JSC::Wasm::AirIRGenerator::addBranch):
2672         (JSC::Wasm::AirIRGenerator::addSwitch):
2673         (JSC::Wasm::AirIRGenerator::endBlock):
2674         (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
2675         (JSC::Wasm::AirIRGenerator::addCall):
2676         (JSC::Wasm::AirIRGenerator::addCallIndirect):
2677         (JSC::Wasm::AirIRGenerator::unify):
2678         (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
2679         (JSC::Wasm::AirIRGenerator::dump):
2680         (JSC::Wasm::AirIRGenerator::origin):
2681         (JSC::Wasm::parseAndCompileAir):
2682         (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
2683         (JSC::Wasm::AirIRGenerator::emitModOrDiv):
2684         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
2685         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
2686         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
2687         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
2688         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
2689         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
2690         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
2691         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
2692         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
2693         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
2694         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
2695         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
2696         (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
2697         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
2698         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
2699         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
2700         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
2701         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
2702         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
2703         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
2704         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
2705         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
2706         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
2707         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
2708         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
2709         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
2710         (JSC::Wasm::AirIRGenerator::addShift):
2711         (JSC::Wasm::AirIRGenerator::addIntegerSub):
2712         (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
2713         (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
2714         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
2715         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
2716         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
2717         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
2718         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
2719         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
2720         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
2721         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
2722         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
2723         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
2724         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
2725         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
2726         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
2727         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
2728         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
2729         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
2730         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
2731         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
2732         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
2733         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
2734         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
2735         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
2736         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
2737         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
2738         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
2739         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
2740         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
2741         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
2742         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
2743         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
2744         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
2745         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
2746         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
2747         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
2748         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
2749         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
2750         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
2751         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
2752         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
2753         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
2754         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
2755         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
2756         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
2757         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
2758         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
2759         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
2760         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
2761         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
2762         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
2763         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
2764         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
2765         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
2766         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
2767         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
2768         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
2769         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
2770         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
2771         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
2772         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
2773         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
2774         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
2775         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
2776         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
2777         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
2778         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
2779         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
2780         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
2781         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
2782         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
2783         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
2784         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
2785         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
2786         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
2787         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
2788         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
2789         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
2790         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
2791         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
2792         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
2793         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
2794         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
2795         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
2796         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
2797         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
2798         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
2799         (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
2800         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
2801         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
2802         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
2803         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
2804         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
2805         (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
2806         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
2807         (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
2808         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
2809         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
2810         (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
2811         * wasm/WasmAirIRGenerator.h: Added.
2812         * wasm/WasmB3IRGenerator.cpp:
2813         (JSC::Wasm::B3IRGenerator::emptyExpression):
2814         * wasm/WasmBBQPlan.cpp:
2815         (JSC::Wasm::BBQPlan::compileFunctions):
2816         * wasm/WasmCallingConvention.cpp:
2817         (JSC::Wasm::jscCallingConventionAir):
2818         (JSC::Wasm::wasmCallingConventionAir):
2819         * wasm/WasmCallingConvention.h:
2820         (JSC::Wasm::CallingConvention::CallingConvention):
2821         (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
2822         (JSC::Wasm::CallingConvention::marshallArgument const):
2823         (JSC::Wasm::CallingConventionAir::CallingConventionAir):
2824         (JSC::Wasm::CallingConventionAir::prologueScratch const):
2825         (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
2826         (JSC::Wasm::CallingConventionAir::marshallArgument const):
2827         (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
2828         (JSC::Wasm::CallingConventionAir::loadArguments const):
2829         (JSC::Wasm::CallingConventionAir::setupCall const):
2830         (JSC::Wasm::nextJSCOffset):
2831         * wasm/WasmFunctionParser.h:
2832         (JSC::Wasm::FunctionParser<Context>::parseExpression):
2833         * wasm/WasmValidate.cpp:
2834         (JSC::Wasm::Validate::emptyExpression):
2835
2836 2019-01-30  Robin Morisset  <rmorisset@apple.com>
2837
2838         Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
2839         https://bugs.webkit.org/show_bug.cgi?id=194050
2840         <rdar://problem/47595592>
2841
2842         Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
2843         It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.
2844
2845         Reviewed by Yusuke Suzuki.
2846
2847         * ftl/FTLOperations.cpp:
2848         (JSC::FTL::operationMaterializeObjectInOSR):
2849
2850 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2851
2852         Remove assertion that CachedSymbolTables should have no RareData
2853         https://bugs.webkit.org/show_bug.cgi?id=194037
2854
2855         Reviewed by Mark Lam.
2856
2857         It turns out that we don't need to cache the SymbolTableRareData and
2858         we should not assert that it's empty.
2859
2860         * runtime/CachedTypes.cpp:
2861         (JSC::CachedSymbolTable::encode):
2862
2863 2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>
2864
2865         CachedBytecode's move constructor should not call `freeDataIfOwned`
2866         https://bugs.webkit.org/show_bug.cgi?id=194045
2867
2868         Reviewed by Mark Lam.
2869
2870         That might result in freeing a garbage value.
2871
2872         * parser/SourceProvider.h:
2873         (JSC::CachedBytecode::CachedBytecode):
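
The hazard this entry fixes, shown as an added example (a constructed illustration, not JSC's CachedBytecode): in a move constructor the members of the object under construction have not been initialised yet, so a helper such as `freeDataIfOwned()` that decides what to free from the current member values reads indeterminate memory and can hand garbage to free(). Only the name freeDataIfOwned comes from the entry; the class, member and helper names below (OwnedBuffer, m_data, m_owned, adopt, freeCount) are assumptions made for the example.

```cpp
// Added example, not JSC's CachedBytecode: a constructed owning buffer that
// shows why a move constructor must not call a "free what I own" helper.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <utility>

// Counts calls into the deallocator so a caller can check that a moved
// buffer is released exactly once.
static int s_freeCount = 0;
int freeCount() { return s_freeCount; }

class OwnedBuffer {
public:
    OwnedBuffer() = default;

    // Takes ownership of a malloc'd block.
    static OwnedBuffer adopt(void* data, size_t size)
    {
        OwnedBuffer buffer;
        buffer.m_data = data;
        buffer.m_size = size;
        buffer.m_owned = true;
        return buffer;
    }

    // Move constructor: *this is being created, so there is nothing of ours to
    // free yet. A version that began with freeDataIfOwned() would read m_owned
    // and m_data before they had ever been written and could free whatever
    // the uninitialised slot happened to contain.
    OwnedBuffer(OwnedBuffer&& other) noexcept
        : m_data(std::exchange(other.m_data, nullptr))
        , m_size(std::exchange(other.m_size, 0))
        , m_owned(std::exchange(other.m_owned, false))
    {
    }

    // Move assignment is where releasing the current contents is correct:
    // *this is fully constructed, so m_owned and m_data are meaningful.
    OwnedBuffer& operator=(OwnedBuffer&& other) noexcept
    {
        if (this != &other) {
            freeDataIfOwned();
            m_data = std::exchange(other.m_data, nullptr);
            m_size = std::exchange(other.m_size, 0);
            m_owned = std::exchange(other.m_owned, false);
        }
        return *this;
    }

    OwnedBuffer(const OwnedBuffer&) = delete;
    OwnedBuffer& operator=(const OwnedBuffer&) = delete;

    ~OwnedBuffer() { freeDataIfOwned(); }

    const void* data() const { return m_data; }
    size_t size() const { return m_size; }
    bool owned() const { return m_owned; }

private:
    void freeDataIfOwned()
    {
        if (m_owned) {
            std::free(m_data);
            ++s_freeCount;
        }
        m_data = nullptr;
        m_size = 0;
        m_owned = false;
    }

    void* m_data { nullptr };
    size_t m_size { 0 };
    bool m_owned { false };
};

// Moves an owned buffer once and move-assigns it over another. Returns true
// when ownership ended up in exactly one place each time and the sources were
// left empty. The surviving block is freed when `other` goes out of scope.
bool moveSemanticsAreSound()
{
    void* raw = std::malloc(16);
    if (!raw)
        return false;
    std::memset(raw, 0xAB, 16);
    OwnedBuffer source = OwnedBuffer::adopt(raw, 16);
    OwnedBuffer destination(std::move(source));
    bool constructedOk = destination.data() == raw && destination.size() == 16 && destination.owned()
        && !source.data() && !source.size() && !source.owned();

    OwnedBuffer other = OwnedBuffer::adopt(std::malloc(8), 8);
    other = std::move(destination); // releases other's original 8-byte block
    bool assignedOk = other.data() == raw && other.owned() && !destination.owned();
    return constructedOk && assignedOk;
}

int main()
{
    std::printf("%s, frees=%d\n", moveSemanticsAreSound() ? "ok" : "BROKEN", freeCount());
}
```

Default member initialisers (`m_data { nullptr }` and friends) are a second line of defence: with them, even a mistaken free-before-init would see a null, unowned state. The structural rule still stands, because a class without such initialisers gets no such protection.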
2874
2875 2019-01-30  Keith Miller  <keith_miller@apple.com>
2876
2877         mul32 should convert powers of 2 to an lshift
2878         https://bugs.webkit.org/show_bug.cgi?id=193957
2879
2880         Reviewed by Yusuke Suzuki.
2881
2882         * assembler/MacroAssembler.h:
2883         (JSC::MacroAssembler::mul32):
2884         * assembler/testmasm.cpp:
2885         (JSC::int32Operands):
2886         (JSC::testMul32WithImmediates):
2887         (JSC::run):
2888
2889 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2890
2891         [JSC] Make disassembler data structures constant read-only data
2892         https://bugs.webkit.org/show_bug.cgi?id=194041
2893
2894         Reviewed by Mark Lam.
2895
2896         A bunch of disassembler data structures are not marked "const", which prevents the loader from putting them in a read-only region.
2897         This patch makes them "const".
2898
2899         * disassembler/ARM64/A64DOpcode.cpp:
2900         * disassembler/udis86/ud_itab.py:
2901         (UdItabGenerator.genOpcodeTablesLookupIndex):
2902         (UdItabGenerator.genInsnTable):
2903         (UdItabGenerator.genMnemonicsList):
2904         (genItabH):
2905         * disassembler/udis86/udis86_decode.h:
2906         * disassembler/udis86/udis86_syn.c:
2907         * disassembler/udis86/udis86_syn.h:
2908         * disassembler/udis86/udis86_types.h:
2909
2910 2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>
2911
2912         Unreviewed, update the builtin test results
2913         https://bugs.webkit.org/show_bug.cgi?id=194015
2914
2915         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
2916         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
2917         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
2918         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
2919         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
2920         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
2921         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
2922         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
2923         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
2924         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
2925         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
2926         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
2927         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
2928
2929 2019-01-30  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
2930
2931         [JSC] Make global static variables "const" as much as possible
2932         https://bugs.webkit.org/show_bug.cgi?id=194015
2933
2934         Reviewed by Mark Lam.
2935
2936         Some global static variables are not "const". For example, `static const char* name = ...`
2937         is not a constant variable. We should make it `static const char* const name = ...`.
2938
2939         * Scripts/wkbuiltins/builtins_generate_combined_header.py:
2940         (generate_externs_for_object):
2941         * Scripts/wkbuiltins/builtins_generate_separate_header.py:
2942         (generate_externs_for_object):
2943         * Scripts/wkbuiltins/builtins_generator.py:
2944         (BuiltinsGenerator.generate_embedded_code_string_section_for_data):
2945         * assembler/MacroAssembler.h:
2946         (JSC::MacroAssembler::additionBlindedConstant):
2947         * b3/air/AirFormTable.h:
2948         * b3/air/opcode_generator.rb:
2949         * runtime/JSObject.cpp:
2950         (JSC::JSObject::visitButterfly):
2951         * tools/CodeProfile.cpp:
2952         * tools/CodeProfile.h:
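
For this entry and the one above that makes the disassembler tables const (2019-01-30, bug 194041), here is an added C++ example, not code from JSC, of the distinction the text draws: `const char*` makes the characters read-only but leaves the pointer itself a writable global, while `const char* const` also fixes the pointer, which is what lets the loader place the table in read-only memory. The mnemonic table names and contents are constructed for the example.

```cpp
// Added example, not JSC's code: a pointer-to-const global versus a const
// pointer-to-const global, and what each means for read-only placement.
#include <cstdio>
#include <cstring>
#include <type_traits>

// `const char*`: the characters are read-only, but each pointer is an ordinary
// writable global. A table of these lives in writable data (.data) and can be
// re-pointed at runtime, deliberately or by a stray write.
static const char* kMnemonicsWritable[] = { "add", "sub", "mul" };

// `const char* const`: the pointer itself is immutable too, so nothing in the
// table can change after link time and the loader may place it in read-only
// memory (.rodata), where a wild write faults instead of silently redirecting.
static const char* const kMnemonicsReadOnly[] = { "add", "sub", "mul" };

// Reports whether a table's entries (the pointers, not the characters they
// point at) are const. Instantiate on decltype(table).
template <typename Table>
constexpr bool tableEntriesAreConst()
{
    return std::is_const<typename std::remove_extent<Table>::type>::value;
}

// The writable table accepts a new pointer at runtime; returns what index 0
// holds afterwards. The same store into kMnemonicsReadOnly does not compile.
const char* repointWritableTable(const char* replacement)
{
    kMnemonicsWritable[0] = replacement;
    // kMnemonicsReadOnly[0] = replacement; // error: assignment of read-only location
    return kMnemonicsWritable[0];
}

// Bounds-checked read from the read-only table; "" for an index past the end.
const char* readOnlyMnemonic(unsigned index)
{
    const unsigned count = sizeof(kMnemonicsReadOnly) / sizeof(kMnemonicsReadOnly[0]);
    return index < count ? kMnemonicsReadOnly[index] : "";
}

// Compile-time confirmation of the two declarations' constness.
static_assert(!tableEntriesAreConst<decltype(kMnemonicsWritable)>(),
    "pointer-to-const entries are themselves mutable");
static_assert(tableEntriesAreConst<decltype(kMnemonicsReadOnly)>(),
    "const pointer-to-const entries are immutable");

int main()
{
    std::printf("writable table after repoint: %s\n", repointWritableTable("nop"));
    std::printf("read-only table entry 0:      %s\n", readOnlyMnemonic(0));
}
```

On ELF and Mach-O toolchains the second table ends up in a read-only section; inspecting the built binary's section for the symbol is the quickest way to confirm the change had the intended effect.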
2953
2954 2019-01-29  Keith Miller  <keith_miller@apple.com>
2955
2956         Remove default constructor from LLIntPrototypeLoadAdaptiveStructureWatchpoint
2957         https://bugs.webkit.org/show_bug.cgi?id=194000
2958         <rdar://problem/47642894>
2959
2960         Reviewed by Mark Lam.
2961
2962         The default constructor is unused, and
2963         LLIntPrototypeLoadAdaptiveStructureWatchpoint has a reference
2964         data member, which causes sadness.
2965
2966         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2967
2968 2019-01-29  Ross Kirsling  <ross.kirsling@sony.com>
2969
2970         Remove FIXME for Annex B.3.5's "for-of var" subcase.
2971
2972         Rubber-stamped by Yusuke Suzuki.
2973
2974         This subcase is removed from the spec in https://github.com/tc39/ecma262/pull/1393.
2975
2976         * parser/Parser.h:
2977         (JSC::Parser::declareHoistedVariable):
2978
2979 2019-01-29  Mark Lam  <mark.lam@apple.com>
2980
2981         Remove unneeded CPU(BIG_ENDIAN) handling in LLInt after new bytecode format.
2982         https://bugs.webkit.org/show_bug.cgi?id=132333
2983
2984         Reviewed by Yusuke Suzuki.
2985
2986         * bytecode/InstructionStream.h:
2987         (JSC::InstructionStreamWriter::write):
2988         - The 32-bit write() function need not invert the order of the bytes written to
2989           the bytecode stream for CPU(BIG_ENDIAN) because the incoming uint32_t value to
2990           be written is already in big endian order for CPU(BIG_ENDIAN) platforms.
2991
2992         * llint/LLIntOfflineAsmConfig.h:
2993         - OFFLINE_ASM_BIG_ENDIAN is no longer needed nor used after the new bytecode format.
2994
2995 2019-01-29  Mark Lam  <mark.lam@apple.com>
2996
2997         ValueRecovery::recover() should purify NaN values it recovers.
2998         https://bugs.webkit.org/show_bug.cgi?id=193978
2999         <rdar://problem/47625488>
3000
3001         Reviewed by Saam Barati.
3002
3003         According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
3004         recovered DoubleDisplacedInJSStack values need to be purified.
3005         ValueRecovery::recover() should do the same.
3006
3007         * bytecode/ValueRecovery.cpp:
3008         (JSC::ValueRecovery::recover const):
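
An added example, not JSC's own code: the purification step the entry refers to, re-implemented in plain C++ with the same shape as WTF's purifyNaN() (return the canonical quiet NaN for any NaN, otherwise the value unchanged), run over a constructed set of 64-bit stack-slot patterns. It matters because JSC's 64-bit JSValue encoding is NaN-boxed: a single canonical NaN bit pattern stands for "a double that is NaN", and a NaN carrying arbitrary payload bits can fall into ranges used for other encodings, so any path that hands raw stack bits back as a double has to canonicalise them first. The slot patterns and the helper names (bitsOf, recoverPurified, countImpureNaNs) are assumptions made for the example.

```cpp
// Added example, not JSC's code. Mirrors the shape of WTF's purifyNaN() and
// applies it to constructed stack-slot bit patterns, the kind of raw data a
// DoubleDisplacedInJSStack recovery reads back.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

std::uint64_t bitsOf(double value)
{
    std::uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    return bits;
}

double doubleFromBits(std::uint64_t bits)
{
    double value;
    std::memcpy(&value, &bits, sizeof value);
    return value;
}

// The one NaN bit pattern treated as "a double that is NaN".
std::uint64_t canonicalNaNBits()
{
    return bitsOf(std::numeric_limits<double>::quiet_NaN());
}

// Any NaN, whatever its sign or payload, becomes the canonical NaN; every
// other value (including -0.0) passes through untouched.
double purifyNaN(double value)
{
    if (std::isnan(value))
        return std::numeric_limits<double>::quiet_NaN();
    return value;
}

bool isCanonicalNaN(double value)
{
    return bitsOf(value) == canonicalNaNBits();
}

// Constructed stack image: a plain double, -0.0, the canonical NaN, a NaN with
// an arbitrary payload, and a NaN with the sign bit set.
std::vector<std::uint64_t> sampleSlots()
{
    return { bitsOf(1.5), bitsOf(-0.0), canonicalNaNBits(),
        0x7FF8DEADBEEF1234ull, 0xFFF8000000000001ull };
}

// Raw reinterpretation, as a recovery that forgot to purify would do it.
std::vector<double> recoverUnpurified(const std::vector<std::uint64_t>& slots)
{
    std::vector<double> out;
    for (std::uint64_t raw : slots)
        out.push_back(doubleFromBits(raw));
    return out;
}

// Recovery with purification: what recover() is expected to produce.
std::vector<double> recoverPurified(const std::vector<std::uint64_t>& slots)
{
    std::vector<double> out;
    for (std::uint64_t raw : slots)
        out.push_back(purifyNaN(doubleFromBits(raw)));
    return out;
}

// Number of NaNs in a recovered set whose bit pattern is not the canonical
// one. Under NaN-boxing these are the values whose payload bits could be
// confused with a non-double encoding.
std::size_t countImpureNaNs(const std::vector<double>& values)
{
    std::size_t count = 0;
    for (double value : values) {
        if (std::isnan(value) && !isCanonicalNaN(value))
            ++count;
    }
    return count;
}

int main()
{
    std::printf("impure NaNs before purification: %zu, after: %zu\n",
        countImpureNaNs(recoverUnpurified(sampleSlots())),
        countImpureNaNs(recoverPurified(sampleSlots())));
}
```

The check to keep in mind when reviewing a recovery path is the one countImpureNaNs() performs: after recovery, every NaN must compare bit-for-bit equal to the canonical one, while non-NaN values, -0.0 included, must be untouched.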
3009
3010 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
3011
3012         [JSC] FTL should handle LocalAllocator*
3013         https://bugs.webkit.org/show_bug.cgi?id=193980
3014
3015         Reviewed by Saam Barati.
3016
3017         At some point, Allocator started holding a LocalAllocator* instead of a 32-bit integer. In the FTL allocation path, we fail to use this constant LocalAllocator*
3018         because the FTL still uses the incoming value as a 32-bit integer there.
3019
3020         * ftl/FTLLowerDFGToB3.cpp:
3021         (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
3022
3023 2019-01-29  Keith Rollin  <krollin@apple.com>
3024
3025         Add .xcfilelists to Run Script build phases
3026         https://bugs.webkit.org/show_bug.cgi?id=193792
3027         <rdar://problem/47201785>
3028
3029         Reviewed by Alex Christensen.
3030
3031         As part of supporting XCBuild, update the necessary Run Script build
3032         phases in their Xcode projects to refer to their associated
3033         .xcfilelist files.
3034
3035         Note that the addition of these files bumps the Xcode project version
3036         number to something that's Xcode 10 compatible. This change means that
3037         older versions of the Xcode IDE can't read these projects. Nor can they
3038         fully load workspaces that refer to these projects (the updated
3039         projects are shown as non-expandable placeholders). `xcodebuild` can
3040         still build these projects; it's just that the IDE can't open them.
3041
3042         * JavaScriptCore.xcodeproj/project.pbxproj:
3043
3044 2019-01-29  Dominik Infuehr  <dinfuehr@igalia.com>
3045
3046         [ARM] Check for negative zero instead of just zero
3047         https://bugs.webkit.org/show_bug.cgi?id=193689
3048
3049         Reviewed by Mark Lam.
3050
3051         ARM now performs a negative zero check in branchConvertDoubleToInt32 instead
3052         of just bailing out for zero.
3053
3054         * assembler/MacroAssemblerARMv7.h:
3055         (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
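
The decision this entry describes, written out as an added C++ example rather than JSC's MacroAssemblerARMv7 code: a double can stay on the int32 fast path only if converting the integer back reproduces the original value exactly, and -0.0 is the case where "compares equal" is not "identical", since int32 has no sign of zero and JS can observe it (1 / -0 is -Infinity). A flag selects between the older behaviour the entry mentions (bail out on any zero result) and the new one (bail out only on -0.0). The names Outcome, Conversion and convertDoubleToInt32 are assumptions made for the example.

```cpp
// Added example, not JSC's assembler code: the checks behind a
// double-to-int32 conversion that must preserve JS semantics.
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

enum class Outcome {
    Converted,        // representable as int32, the fast path continues
    BailNotANumber,   // NaN
    BailOutOfRange,   // outside [INT32_MIN, INT32_MAX], including infinities
    BailNotIntegral,  // has a fractional part
    BailZero,         // older ARM behaviour: any zero result takes the slow path
    BailNegativeZero  // new behaviour: only -0.0 takes the slow path
};

struct Conversion {
    Outcome outcome;
    int32_t value; // meaningful only when outcome == Outcome::Converted
};

// bailOnAnyZero = true selects the pessimistic zero check; false selects the
// sign-bit check the entry above describes.
Conversion convertDoubleToInt32(double value, bool bailOnAnyZero)
{
    if (std::isnan(value))
        return { Outcome::BailNotANumber, 0 };
    if (value < -2147483648.0 || value > 2147483647.0)
        return { Outcome::BailOutOfRange, 0 };

    int32_t truncated = static_cast<int32_t>(value); // in range, so well defined
    if (static_cast<double>(truncated) != value)
        return { Outcome::BailNotIntegral, 0 };

    // 0.0 == -0.0, so the comparison above accepted -0.0. An int32 cannot
    // carry the sign of zero, and JS can observe it, so -0.0 must remain a
    // double. Bailing on every zero is also correct but sends +0 down the
    // slow path for no reason.
    if (truncated == 0) {
        if (bailOnAnyZero)
            return { Outcome::BailZero, 0 };
        if (std::signbit(value))
            return { Outcome::BailNegativeZero, 0 };
    }
    return { Outcome::Converted, truncated };
}

// The observable difference the check protects: dividing by -0 and by +0
// yields infinities of opposite sign.
bool signedZerosAreObservable()
{
    double negativeZero = -0.0;
    double positiveZero = 0.0;
    return std::isinf(1.0 / negativeZero) && std::isinf(1.0 / positiveZero)
        && (1.0 / negativeZero) != (1.0 / positiveZero);
}

int main()
{
    const double samples[] = { 42.0, 0.0, -0.0, 1.5, 4294967296.0 };
    for (double sample : samples) {
        Conversion precise = convertDoubleToInt32(sample, false);
        Conversion pessimistic = convertDoubleToInt32(sample, true);
        std::printf("%g: precise=%d pessimistic=%d\n", sample,
            static_cast<int>(precise.outcome), static_cast<int>(pessimistic.outcome));
    }
    std::printf("signed zeros observable: %s\n", signedZerosAreObservable() ? "yes" : "no");
}
```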
3056
3057 2019-01-28  Devin Rousso  <drousso@apple.com>
3058
3059         Web Inspector: provide a way to edit page WebRTC settings on a remote target
3060         https://bugs.webkit.org/show_bug.cgi?id=193863
3061         <rdar://problem/47572764>
3062
3063         Reviewed by Joseph Pecoraro.
3064
3065         * inspector/protocol/Page.json:
3066         Add more values to the `Setting` enum type:
3067          - `ICECandidateFilteringEnabled`
3068          - `MediaCaptureRequiresSecureConnection`
3069          - `MockCaptureDevicesEnabled`
3070
3071 2019-01-28  Ross Kirsling  <ross.kirsling@sony.com>
3072
3073         Remove unnecessary `using namespace WTF`s (or at least restrict their scope).
3074         https://bugs.webkit.org/show_bug.cgi?id=193941
3075
3076         Reviewed by Alex Christensen.
3077
3078         * API/JSWeakObjectMapRefPrivate.cpp:
3079         * bytecompiler/NodesCodegen.cpp:
3080         * heap/MachineStackMarker.cpp:
3081         * jit/ExecutableAllocator.cpp:
3082         * jsc.cpp:
3083         * parser/Nodes.cpp:
3084         * runtime/DateConstructor.cpp:
3085         * runtime/DateConversion.cpp:
3086         * runtime/DateInstance.cpp:
3087         * runtime/DatePrototype.cpp:
3088         * runtime/InitializeThreading.cpp:
3089         * runtime/IteratorOperations.cpp:
3090         * runtime/JSDateMath.cpp:
3091         * runtime/JSGlobalObjectFunctions.cpp:
3092         * runtime/StringPrototype.cpp:
3093         * runtime/VM.cpp:
3094         * testRegExp.cpp:
3095         * tools/JSDollarVM.cpp:
3096         * yarr/YarrInterpreter.cpp:
3097         * yarr/YarrJIT.cpp:
3098         * yarr/YarrPattern.cpp:
3099         * yarr/YarrUnicodeProperties.cpp:
3100
3101 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3102
3103         [JSC] Reduce size of memory used for ShadowChicken
3104         https://bugs.webkit.org/show_bug.cgi?id=193546
3105
3106         Reviewed by Mark Lam.
3107
3108         This patch lazily instantiates ShadowChicken. We do not need it until we start logging ShadowChicken packets.
3109         The removal of ShadowChicken saves 55KB memory.
3110
3111         * debugger/DebuggerCallFrame.cpp:
3112         (JSC::DebuggerCallFrame::create):
3113         * ftl/FTLLowerDFGToB3.cpp:
3114         (JSC::FTL::DFG::LowerDFGToB3::ensureShadowChickenPacket):
3115         * heap/Heap.cpp:
3116         (JSC::Heap::stopThePeriphery):
3117         (JSC::Heap::addCoreConstraints):
3118         * jit/CCallHelpers.cpp:
3119         (JSC::CCallHelpers::ensureShadowChickenPacket):
3120         * jit/JITExceptions.cpp:
3121         (JSC::genericUnwind):
3122         * jit/JITOpcodes.cpp:
3123         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3124         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3125         * jit/JITOpcodes32_64.cpp:
3126         (JSC::JIT::emit_op_log_shadow_chicken_prologue):
3127         (JSC::JIT::emit_op_log_shadow_chicken_tail):
3128         * jit/JITOperations.cpp:
3129         * llint/LLIntSlowPaths.cpp:
3130         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3131         * runtime/JSGlobalObject.cpp:
3132         (JSC::JSGlobalObject::setDebugger):
3133         * runtime/JSGlobalObject.h:
3134         (JSC::JSGlobalObject::setDebugger): Deleted.
3135         * runtime/VM.cpp:
3136         (JSC::VM::VM):
3137         (JSC::VM::ensureShadowChicken):
3138         * runtime/VM.h:
3139         (JSC::VM::shadowChicken):
3140         * tools/JSDollarVM.cpp:
3141         (JSC::functionShadowChickenFunctionsOnStack):
3142         (JSC::changeDebuggerModeWhenIdle):
3143
3144 2019-01-28  Andy Estes  <aestes@apple.com>
3145
3146         [watchOS] Enable Parental Controls content filtering
3147         https://bugs.webkit.org/show_bug.cgi?id=193939
3148         <rdar://problem/46641912>
3149
3150         Reviewed by Ryosuke Niwa.
3151
3152         * Configurations/FeatureDefines.xcconfig:
3153
3154 2019-01-28  Mark Lam  <mark.lam@apple.com>
3155
3156         ToString node actually does GC.
3157         https://bugs.webkit.org/show_bug.cgi?id=193920
3158         <rdar://problem/46695900>
3159
3160         Reviewed by Yusuke Suzuki.
3161
3162         Other than for StringObjectUse and StringOrStringObjectUse, ToString and
3163         CallStringConstructor can allocate new JSStrings, and hence, can GC.
3164
3165         * dfg/DFGDoesGC.cpp:
3166         (JSC::DFG::doesGC):
3167
3168 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
3169
3170         [JSC] RegExpConstructor should not have own IsoSubspace
3171         https://bugs.webkit.org/show_bug.cgi?id=193801
3172
3173         Reviewed by Mark Lam.
3174
3175         This patch finally moves RegExpConstructor's cached data to JSGlobalObject and removes the IsoSubspace for RegExpConstructor.
3176         sizeof(RegExpConstructor) != sizeof(InternalFunction), so we have 16KB of memory just for RegExpConstructor. But the cached
3177         regexp matching data (e.g. `RegExp.$1`) is per-JSGlobalObject, so we can move this data to JSGlobalObject and remove
3178         it from RegExpConstructor members.
3179
3180         We introduce RegExpGlobalData, which holds the per-global RegExp matching data. And we perform `performMatch` etc. with
3181         JSGlobalObject instead of RegExpConstructor. This change requires small changes in DFG / FTL's RecordRegExpCachedResult
3182         node since its 1st argument is changed from RegExpConstructor to JSGlobalObject.
3183
3184         We also move emptyRegExp from RegExpPrototype to VM's RegExpCache because it is a more natural place to put it.
3185
3186         * CMakeLists.txt:
3187         * JavaScriptCore.xcodeproj/project.pbxproj:
3188         * Sources.txt:
3189         * dfg/DFGOperations.cpp:
3190         * dfg/DFGSpeculativeJIT.cpp:
3191         (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult):
3192         * dfg/DFGStrengthReductionPhase.cpp:
3193         (JSC::DFG::StrengthReductionPhase::handleNode):
3194         * ftl/FTLAbstractHeapRepository.cpp:
3195         * ftl/FTLAbstractHeapRepository.h:
3196         * ftl/FTLLowerDFGToB3.cpp:
3197         (JSC::FTL::DFG::LowerDFGToB3::compileRecordRegExpCachedResult):
3198         * runtime/JSGlobalObject.cpp:
3199         (JSC::JSGlobalObject::init):
3200         (JSC::JSGlobalObject::visitChildren):
3201         * runtime/JSGlobalObject.h:
3202         (JSC::JSGlobalObject::regExpGlobalData):
3203         (JSC::JSGlobalObject::regExpGlobalDataOffset):
3204         (JSC::JSGlobalObject::regExpConstructor const): Deleted.
3205         * runtime/RegExpCache.cpp:
3206         (JSC::RegExpCache::initialize):
3207         * runtime/RegExpCache.h:
3208         (JSC::RegExpCache::emptyRegExp const):
3209         * runtime/RegExpCachedResult.cpp:
3210         (JSC::RegExpCachedResult::visitAggregate):
3211         (JSC::RegExpCachedResult::visitChildren): Deleted.
3212         * runtime/RegExpCachedResult.h:
3213         (JSC::RegExpCachedResult::RegExpCachedResult): Deleted.
3214         * runtime/RegExpConstructor.cpp:
3215         (JSC::RegExpConstructor::RegExpConstructor):
3216         (JSC::regExpConstructorDollar):
3217         (JSC::regExpConstructorInput):
3218         (JSC::regExpConstructorMultiline):
3219         (JSC::regExpConstructorLastMatch):
3220         (JSC::regExpConstructorLastParen):
3221         (JSC::regExpConstructorLeftContext):
3222         (JSC::regExpConstructorRightContext):
3223         (JSC::setRegExpConstructorInput):
3224         (JSC::setRegExpConstructorMultiline):
3225         (JSC::RegExpConstructor::destroy): Deleted.
3226         (JSC::RegExpConstructor::visitChildren): Deleted.
3227         (JSC::RegExpConstructor::getBackref): Deleted.
3228         (JSC::RegExpConstructor::getLastParen): Deleted.
3229         (JSC::RegExpConstructor::getLeftContext): Deleted.
3230         (JSC::RegExpConstructor::getRightContext): Deleted.
3231         * runtime/RegExpConstructor.h:
3232         (JSC::RegExpConstructor::performMatch): Deleted.
3233         (JSC::RegExpConstructor::recordMatch): Deleted.
3234         * runtime/RegExpGlobalData.cpp: Added.
3235         (JSC::RegExpGlobalData::visitAggregate):
3236         (JSC::RegExpGlobalData::getBackref):
3237         (JSC::RegExpGlobalData::getLastParen):
3238         (JSC::RegExpGlobalData::getLeftContext):
3239         (JSC::RegExpGlobalData::getRightContext):
3240         * runtime/RegExpGlobalData.h: Added.
3241         (JSC::RegExpGlobalData::cachedResult):
3242         (JSC::RegExpGlobalData::setMultiline):
3243         (JSC::RegExpGlobalData::multiline const):
3244         (JSC::RegExpGlobalData::input):
3245         (JSC::RegExpGlobalData::offsetOfCachedResult):
3246         * runtime/RegExpGlobalDataInlines.h: Added.
3247         (JSC::RegExpGlobalData::setInput):
3248         (JSC::RegExpGlobalData::performMatch):
3249         (JSC::RegExpGlobalData::recordMatch):
3250         * runtime/RegExpObject.cpp:
3251         (JSC::RegExpObject::matchGlobal):
3252         * runtime/RegExpObjectInlines.h:
3253         (JSC::RegExpObject::execInline):
3254         (JSC::RegExpObject::matchInline):
3255         (JSC::collectMatches):
3256         * runtime/RegExpPrototype.cpp:
3257         (JSC::RegExpPrototype::finishCreation):
3258         (JSC::regExpProtoFuncSearchFast):
3259         (JSC::RegExpPrototype::visitChildren): Deleted.
3260         * runtime/RegExpPrototype.h:
3261         * runtime/StringPrototype.cpp:
3262         (JSC::removeUsingRegExpSearch):
3263         (JSC::replaceUsingRegExpSearch):
3264         * runtime/VM.cpp:
3265         (JSC::VM::VM):
3266         * runtime/VM.h:
3267
3268 2018-12-15  Darin Adler  <darin@apple.com>
3269
3270         Replace many uses of String::format with more type-safe alternatives
3271         https://bugs.webkit.org/show_bug.cgi?id=192742
3272
3273         Reviewed by Mark Lam.
3274
3275         * inspector/InjectedScriptBase.cpp:
3276         (Inspector::InjectedScriptBase::makeCall): Use makeString.
3277         (Inspector::InjectedScriptBase::makeAsyncCall): Ditto.
3278         * inspector/InspectorBackendDispatcher.cpp:
3279         (Inspector::BackendDispatcher::getPropertyValue): Ditto.
3280         * inspector/agents/InspectorConsoleAgent.cpp:
3281         (Inspector::InspectorConsoleAgent::enable): Ditto.
3282         * jsc.cpp:
3283         (FunctionJSCStackFunctor::operator() const): Ditto.
3284
3285         * runtime/CodeCache.cpp:
3286         (JSC::writeCodeBlock): Use makeString's numeric capabilities instead of
3287         using String::number.
3288
3289         * runtime/IntlDateTimeFormat.cpp:
3290         (JSC::IntlDateTimeFormat::initializeDateTimeFormat): Use string concatenation.
3291         * runtime/IntlObject.cpp:
3292         (JSC::canonicalizeLocaleList): Ditto.
3293
3294 2019-01-27  Chris Fleizach  <cfleizach@apple.com>
3295
3296         AX: Introduce a static accessibility tree
3297         https://bugs.webkit.org/show_bug.cgi?id=193348
3298         <rdar://problem/47203295>
3299
3300         Reviewed by Ryosuke Niwa.
3301
3302         * Configurations/FeatureDefines.xcconfig:
3303
3304 2019-01-26  Devin Rousso  <drousso@apple.com>
3305
3306         Web Inspector: provide a way to edit the user agent of a remote target
3307         https://bugs.webkit.org/show_bug.cgi?id=193862
3308         <rdar://problem/47359292>
3309
3310         Reviewed by Joseph Pecoraro.
3311
3312         * inspector/protocol/Page.json:
3313         Add `overrideUserAgent` command.
3314
3315 2019-01-25  Yusuke Suzuki  <ysuzuki@apple.com>
3316
3317         [JSC] NativeErrorConstructor should not have own IsoSubspace
3318         https://bugs.webkit.org/show_bug.cgi?id=193713
3319
3320         Reviewed by Saam Barati.
3321
3322         This removes an additional member in NativeErrorConstructor, and makes sizeof(NativeErrorConstructor) == sizeof(InternalFunction).
3323         We also make error constructors lazily allocated by using LazyClassStructure. Since error structures are not accessed from DFG / FTL
3324         threads, this is OK. While the TypeError constructor is eagerly allocated because it is touched from our builtin JS as @TypeError, we should
3325         offer some function instead of exposing the TypeError constructor in the future, and remove this @TypeError reference. This change removes
3326         the IsoSubspace for NativeErrorConstructor in VM. We also remove the @Error and @RangeError references for builtins since they are no longer
3327         referenced.
3328
3329         * CMakeLists.txt:
3330         * JavaScriptCore.xcodeproj/project.pbxproj:
3331         * Sources.txt:
3332         * builtins/BuiltinNames.h:
3333         * interpreter/Interpreter.h:
3334         * runtime/Error.cpp:
3335         (JSC::createEvalError):
3336         (JSC::createRangeError):
3337         (JSC::createReferenceError):
3338         (JSC::createSyntaxError):
3339         (JSC::createTypeError):
3340         (JSC::createURIError):
3341         (WTF::printInternal): Deleted.
3342         * runtime/Error.h:
3343         * runtime/ErrorPrototype.cpp:
3344         (JSC::ErrorPrototype::create):
3345         (JSC::ErrorPrototype::finishCreation):
3346         * runtime/ErrorPrototype.h:
3347         (JSC::ErrorPrototype::create): Deleted.
3348         * runtime/ErrorType.cpp: Added.
3349         (JSC::errorTypeName):
3350         (WTF::printInternal):
3351         * runtime/ErrorType.h: Added.
3352         * runtime/JSGlobalObject.cpp:
3353         (JSC::JSGlobalObject::initializeErrorConstructor):
3354         (JSC::JSGlobalObject::init):
3355         (JSC::JSGlobalObject::visitChildren):
3356         * runtime/JSGlobalObject.h:
3357         (JSC::JSGlobalObject::internalPromiseConstructor const):
3358         (JSC::JSGlobalObject::errorStructure const):
3359         (JSC::JSGlobalObject::evalErrorConstructor const): Deleted.
3360         (JSC::JSGlobalObject::rangeErrorConstructor const): Deleted.
3361         (JSC::JSGlobalObject::referenceErrorConstructor const): Deleted.
3362         (JSC::JSGlobalObject::syntaxErrorConstructor const): Deleted.
3363         (JSC::JSGlobalObject::typeErrorConstructor const): Deleted.