Unreviewed, rolling out r241784.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2019-02-19  Truitt Savell  <tsavell@apple.com>

        Unreviewed, rolling out r241784.

        Broke all OpenSource builds.

        Reverted changeset:

        "Web Inspector: Improve ES6 Class instances in Heap Snapshot
        instances view"
        https://bugs.webkit.org/show_bug.cgi?id=172848
        https://trac.webkit.org/changeset/241784

2019-02-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
        https://bugs.webkit.org/show_bug.cgi?id=172848
        <rdar://problem/25709212>

        Reviewed by Mark Lam.

        * heap/HeapSnapshotBuilder.h:
        * heap/HeapSnapshotBuilder.cpp:
        Update the snapshot version. Change the node's 0 | 1 internal value
        to be a 32bit bit flag. This is nice in that it is both compatible
        with the previous snapshot version and the same size. We can use more
        flags in the future.

        (JSC::HeapSnapshotBuilder::json):
        In cases where the classInfo gives us "Object" check for a better
        class name by checking (o).__proto__.constructor.name. We avoid this
        check in cases where (o).hasOwnProperty("constructor") which is the
        case for most Foo.prototype objects. Otherwise this would get the
        name of the Foo superclass for the Foo.prototype object.

        * runtime/JSObject.cpp:
        (JSC::JSObject::calculatedClassName):
        Handle some possible edge cases that were not handled before, such as
        a JSObject without a GlobalObject or an object which doesn't
        have a default getPrototype. Try to make the code a little clearer.

2019-02-19  Robin Morisset  <rmorisset@apple.com>

        B3-O2 incorrectly optimizes this subtest
        https://bugs.webkit.org/show_bug.cgi?id=194625

        Reviewed by Saam Barati.

        Trivial fix. Instead of doing
            if (!cond) foo else bar => if (cond) bar else foo
        B3LowerToAir was doing
            if (x^C) foo else bar => if (cond) bar else foo whenever C&1, even if C was for example 3.

        * b3/B3LowerToAir.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testBitNotOnBooleanAndBranch32):
        (JSC::B3::testNotOnBooleanAndBranch32): Added.

2019-02-19  Robin Morisset  <rmorisset@apple.com>

        CachedCall should not consider it UNLIKELY that it will not stack overflow
        https://bugs.webkit.org/show_bug.cgi?id=194831

        Reviewed by Mark Lam.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):

2019-02-19  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for TryGetById and ProfileType nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194821
        <rdar://problem/48206690>

        Reviewed by Saam Barati.

        Fix doesGC() for the following nodes:

            ProfileType:
                calls operationProcessTypeProfilerLogDFG(), which can calculatedClassName(),
                which can call JSString::tryGetValue(), which can resolve a rope.

            TryGetById:
                calls operationTryGetByIdOptimize(), which can startWatchingPropertyForReplacements()
                on a structure, which can allocate StructureRareData.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Introduce JSNonDestructibleProxy for JavaScriptCore.framework's GlobalThis
        https://bugs.webkit.org/show_bug.cgi?id=194799

        Reviewed by Saam Barati.

        JSProxy is destructible one because we have JSWindowProxy which has ref counted object.
        However, JavaScriptCore.framework's JSProxy for GlobalThis does not need to be destructible.
        This is important since we need to separate Heap subspaces between destructible and non-destructible objects.
        If we can put more and more objects in non-destructible status, we can get rid of low-usage MarkedBlock.
        This patch adds JSNonDestructibleProxy, which is not destructible JSProxy. While it inherits JSDestructibleObject,
        we can make the subclass still non-destructible thanks to Subspace mechanism. This drops one more low-usage MarkedBlock.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resetPrototype):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSNonDestructibleProxy.cpp: Added.
        * runtime/JSNonDestructibleProxy.h: Added.
        (JSC::JSNonDestructibleProxy::subspaceFor):
        (JSC::JSNonDestructibleProxy::create):
        (JSC::JSNonDestructibleProxy::createStructure):
        (JSC::JSNonDestructibleProxy::JSNonDestructibleProxy):
        * runtime/JSProxy.h:
        (JSC::JSProxy::JSProxy):

2019-02-19  Robin Morisset  <rmorisset@apple.com>

        B3ReduceStrength::simplifyCFG() could do a lot more on each iteration
        https://bugs.webkit.org/show_bug.cgi?id=194475

        Reviewed by Saam Barati.

        B3ReduceStrength::simplifyCFG() does three optimizations (which I will call A, B and C):
        - A makes any terminal that points to a block that is empty except for a jump point to that jump's target instead.
        - B transforms any branch or switch that points to a single block into a jump
        - C finds blocks ending with jumps, whose successor has a single predecessor, and inline that successor block in place of the jump

        It currently is limited in the following way:
        - A and C can only fire once per block per iteration
        - B can create jumps that would trigger A, but they may not be seen until the next iteration

        Both problems are mitigated by going through the blocks in post-order, so that when a block is optimized most of its successors have already been optimized.
        In a sense it is the symmetric of the peephole optimizer that goes in pre-order so that when an instruction is optimized most of its children have already been optimized.

        On JetStream2 it reduces the average number of iterations from 3.35 to 3.24.

        * b3/B3ReduceStrength.cpp:

2019-02-19  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        The code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache. The logic now lives in ShellSourceProvider,
        which overrides the a virtual method in SourceProvider, `cacheBytecode`,
        in order to write the cache to disk.

        * jsc.cpp:
        (ShellSourceProvider::create):
        (ShellSourceProvider::~ShellSourceProvider):
        (ShellSourceProvider::cachePath const):
        (ShellSourceProvider::loadBytecode):
        (ShellSourceProvider::ShellSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-18  Dominik Infuehr  <dinfuehr@igalia.com>

        [ARM] Fix crash with sampling profiler
        https://bugs.webkit.org/show_bug.cgi?id=194772

        Reviewed by Mark Lam.

        sampling-profiler-richards.js was crashing with an enabled sampling profiler. add32
        did not update the stack pointer in a single instruction. The src register was first
        moved into the stack pointer, the immediate imm was added in a subsequent instruction.

        This was problematic when a signal handler was invoked before applying the immediate,
        when the stack pointer is still set to the temporary value. Avoid this by calculating src+imm in
        a temporary register and then move it in one go into the stack pointer.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):

2019-02-18  Mark Lam  <mark.lam@apple.com>

        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194800
        <rdar://problem/48183773>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CompareEq:
            CompareLess:
            CompareLessEq:
            CompareGreater:
            CompareGreaterEq:
            CompareStrictEq:
                Only return false (i.e. does not GC) for child node use kinds that have
                been vetted to not do anything that can GC.  For all other use kinds
                (including StringUse and BigIntUse), we return true (i.e. does GC).

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-16  Darin Adler  <darin@apple.com>

        Continue reducing use of String::format, now focusing on hex: "%p", "%x", etc.
        https://bugs.webkit.org/show_bug.cgi?id=194752

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Added back the "0x" that was removed when changing
        this file to use appendUnsignedAsHex instead of "%p". The intent at that time was to
        keep behavior the same, so let's do that.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage const): Use makeString and hex instead of
        String::format and "%04x".

2019-02-18  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Add LazyClassStructure::getInitializedOnMainThread
        https://bugs.webkit.org/show_bug.cgi?id=194784
        <rdar://problem/48154820>

        Reviewed by Mark Lam.

        LazyClassStructure::get and LazyProperty::get functions do not allow compiler threads to call them. But for booleanPrototype, numberPrototype and symbolPrototype cases,
        we would like to call them from compiler threads. We eagerly initialize them if VM::canUseJIT() is true, so that compiler threads can safely call LazyClassStructure::get
        and LazyProperty::get for booleanPrototype, numberPrototype and symbolPrototype. But still assertion hits because the assertion requires that these functions need to be
        called in non compiler threads. Calling `getConcurrently()` is not possible since symbolPrototype() function is called from both the main thread and compiler threads,
        and we would like to lazily initialize SymbolPrototype object if it is called from the main thread, which can happen with non-JIT configuration.

        This patch adds `getInitializedOnMainThread()`. Compiler threads can call it only when we know that the value is already initialized on the main thread. The main thread
        can call it at anytime and this function lazily initializes the value. This is useful to make some of prototypes lazy with non-JIT configuration: With non-JIT configuration,
        this function is always called from the main thread and it initializes the value lazily. Non-JIT configuration does not care about compiler threads since they do not exist.
        With JIT configuration, we eagerly initialize them in JSGlobalObject::init so that `getInitializedOnMainThread()` always succeeds.

        Basically, `getInitializedOnMainThread()` is `get` with different assertion location: While `get` always crashes if it is called from compiler threads, `getInitializedOnMainThread()`
        crashes only when actual initialization happens on compiler threads. We do not merge them since `get` is still useful to find accidental initialization from compiler threads.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        * runtime/LazyClassStructure.h:
        (JSC::LazyClassStructure::getInitializedOnMainThread const):
        (JSC::LazyClassStructure::prototypeInitializedOnMainThread const):
        (JSC::LazyClassStructure::constructorInitializedOnMainThread const):
        * runtime/LazyProperty.h:
        (JSC::LazyProperty::get const):
        (JSC::LazyProperty::getInitializedOnMainThread const):

2019-02-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better categorize CPU usage per-thread / worker
        https://bugs.webkit.org/show_bug.cgi?id=194564

        Reviewed by Devin Rousso.

        * inspector/protocol/CPUProfiler.json:
        Add additional properties per-Event, and new per-Thread object info.

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Bytecode cache should a have a boot-specific validation
        https://bugs.webkit.org/show_bug.cgi?id=194769
        <rdar://problem/48149509>

        Reviewed by Keith Miller.

        Add the boot UUID to the cached bytecode to enforce that it is not reused
        across reboots.

        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::GenericCacheEntry::tag const):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::encodeCodeBlock):

2019-02-18  Eric Carlson  <eric.carlson@apple.com>

        Add MSE logging configuration
        https://bugs.webkit.org/show_bug.cgi?id=194719
        <rdar://problem/48122151>

        Reviewed by Joseph Pecoraro.

        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        * inspector/protocol/Console.json:
        * inspector/scripts/codegen/generator.py:
        * runtime/ConsoleTypes.h:

2019-02-18  Tadeu Zagallo  <tzagallo@apple.com>

        Add version number to cached bytecode
        https://bugs.webkit.org/show_bug.cgi?id=194768
        <rdar://problem/48147968>

        Reviewed by Saam Barati.

        Add a version number to the bytecode cache that should be unique per build.

        * CMakeLists.txt:
        * DerivedSources-output.xcfilelist:
        * DerivedSources.make:
        * runtime/CachedTypes.cpp:
        (JSC::Encoder::malloc):
        (JSC::GenericCacheEntry::GenericCacheEntry):
        (JSC::CacheEntry::CacheEntry):
        (JSC::CacheEntry::encode):
        (JSC::CacheEntry::decode const):
        (JSC::GenericCacheEntry::decode const):
        (JSC::decodeCodeBlockImpl):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-17  Saam Barati  <sbarati@apple.com>

        WasmB3IRGenerator models some effects incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=194038

        Reviewed by Keith Miller.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        These two functions were using global state instead of the
        arguments passed into the function.

        (JSC::Wasm::B3IRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::B3IRGenerator::addOp<OpType::I64TruncUF32>):
        Any patchpoint that allows scratch register usage must
        also say that it clobbers the scratch registers.

2019-02-17  Saam Barati  <sbarati@apple.com>

        Deadlock when adding a Structure property transition and then doing incremental marking
        https://bugs.webkit.org/show_bug.cgi?id=194767

        Reviewed by Mark Lam.

        This can happen in the following scenario:
        
        You have a Structure S. S is on the mark stack. Then:
        1. S grabs its lock
        2. S adds a new property transition
        3. We find out we need to do some incremental marking
        4. We mark S
        5. visitChildren on S will try to grab its lock
        6. We are now in a deadlock

        * heap/Heap.cpp:
        (JSC::Heap::performIncrement):
        * runtime/Structure.cpp:
        (JSC::Structure::addNewPropertyTransition):

2019-02-17  David Kilzer  <ddkilzer@apple.com>

        Unreviewed, rolling out r241620.

        "Causes use-after-free crashes running layout tests with ASan and GuardMalloc."
        (Requested by ddkilzer on #webkit.)

        Reverted changeset:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241620

2019-02-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241612.
        https://bugs.webkit.org/show_bug.cgi?id=194762

        "It regressed JetStream2 parsing tests by ~40%" (Requested by
        saamyjoon on #webkit).

        Reverted changeset:

        "Move bytecode cache-related filesystem code out of CodeCache"
        https://bugs.webkit.org/show_bug.cgi?id=194675
        https://trac.webkit.org/changeset/241612

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] JSWrapperObject should not be destructible
        https://bugs.webkit.org/show_bug.cgi?id=194743

        Reviewed by Saam Barati.

        JSWrapperObject should be just a wrapper object for JSValue, thus, it should not be a JSDestructibleObject.
        Currently it is destructible object because DateInstance uses it. This patch changes Base of DateInstance from
        JSWrapperObject to JSDestructibleObject, and makes JSWrapperObject non-destructible.

        * runtime/BigIntObject.cpp:
        (JSC::BigIntObject::BigIntObject):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        * runtime/JSCPoison.h:
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::internalValue const):
        * runtime/SymbolObject.cpp:
        (JSC::SymbolObject::SymbolObject):
        * runtime/SymbolObject.h:

2019-02-16  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink UnlinkedFunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194733

        Reviewed by Mark Lam.

        UnlinkedFunctionExecutable has sourceURLDirective and sourceMappingURLDirective. These
        directives can be found in the comment of non typical function's source code (Program,
        Eval code, and Global function from function constructor etc.), and tricky thing is that
        SourceProvider's directives are updated by Parser. The reason why we have these fields in
        UnlinkedFunctionExecutable is that we need to update the SourceProvider's directives even
        if we skip parsing by using CodeCache. These fields are effective only if (1)
        UnlinkedFunctionExecutable is for non typical function things, and (2) it has sourceURLDirective
        or sourceMappingURLDirective. This is rare enough to purge them to a separated
        UnlinkedFunctionExecutable::RareData to make UnlinkedFunctionExecutable small.
        sizeof(UnlinkedFunctionExecutable) is very important since it is super frequently allocated
        cell. Furthermore, the current JSC allocates two MarkedBlocks for UnlinkedFunctionExecutable
        in JSGlobalObject initialization, but the usage of the second MarkedBlock is quite low (8%).
        If we can reduce the size of UnlinkedFunctionExecutable, we can make them one MarkedBlock.
        Since UnlinkedFunctionExecutable is allocated from IsoSubspace, we do not need to fit it to
        one of size class.

        This patch adds RareData to UnlinkedFunctionExecutable and move some rare datas into RareData.
        And kill one MarkedBlock allocation in JSC initialization phase.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::ensureRareDataSlow):
        * bytecode/UnlinkedFunctionExecutable.h:
        * debugger/DebuggerLocation.cpp:
        (JSC::DebuggerLocation::DebuggerLocation):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchDidParseSource):
        * parser/Lexer.h:
        (JSC::Lexer::sourceURLDirective const):
        (JSC::Lexer::sourceMappingURLDirective const):
        (JSC::Lexer::sourceURL const): Deleted.
        (JSC::Lexer::sourceMappingURL const): Deleted.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::sourceURLDirective const):
        (JSC::SourceProvider::sourceMappingURLDirective const):
        (JSC::SourceProvider::setSourceURLDirective):
        (JSC::SourceProvider::setSourceMappingURLDirective):
        (JSC::SourceProvider::sourceURL const): Deleted. We rename it from sourceURL to sourceURLDirective
        since it is the correct name.
        (JSC::SourceProvider::sourceMappingURL const): Deleted. We rename it from sourceMappingURL to
        sourceMappingURLDirective since it is the correct name.
        * runtime/CachedTypes.cpp:
        (JSC::CachedSourceProviderShape::encode):
        (JSC::CachedFunctionExecutableRareData::encode):
        (JSC::CachedFunctionExecutableRareData::decode const): CachedFunctionExecutable did not have
        sourceMappingURL to sourceMappingURLDirective. So this patch keeps the same logic.
        (JSC::CachedFunctionExecutable::rareData const):
        (JSC::CachedFunctionExecutable::encode):
        (JSC::CachedFunctionExecutable::decode const):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalCodeBlock):
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):
        * runtime/CodeCache.h:
        (JSC::generateUnlinkedCodeBlockImpl):
        * runtime/FunctionExecutable.h:
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::StackFrame::url):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove unused global private variables
        https://bugs.webkit.org/show_bug.cgi?id=194741

        Reviewed by Joseph Pecoraro.

        There are some private functions and constants that are no longer referenced from builtin JS code.
        This patch cleans up them.

        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Lazily create empty RegExp
        https://bugs.webkit.org/show_bug.cgi?id=194735

        Reviewed by Keith Miller.

        Some scripts do not have any RegExp. In that case, allocating MarkedBlock for RegExp is costly.
        Previously, there was always one RegExp, "empty RegExp". This patch lazily creates it and drop
        one MarkedBlock.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::ensureEmptyRegExpSlow):
        (JSC::RegExpCache::initialize): Deleted.
        * runtime/RegExpCache.h:
        (JSC::RegExpCache::ensureEmptyRegExp):
        (JSC::RegExpCache::emptyRegExp const): Deleted.
        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::lastResult):
        * runtime/RegExpCachedResult.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make builtin objects more lazily initialized under non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194727

        Reviewed by Saam Barati.

        Boolean, Symbol, and Number constructors and prototypes are initialized eagerly, but this is largely
        because concurrent compiler can touch NumberPrototype etc. when traversing object's prototypes. This
        means that eager initialization is not necessary under non-JIT mode. While we can investigate all the
        accesses to these prototypes from the concurrent compiler threads, this "lazily initialize under non-JIT"
        is safe and beneficial to non-JIT mode. This patch lazily initializes them under non-JIT mode, and
        drop some @Number references to avoid eager initialization. This removes some object allocations and 1
        MarkedBlock allocation just for Symbols.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::numberToStringWatchpoint):
        (JSC::JSGlobalObject::booleanPrototype const):
        (JSC::JSGlobalObject::numberPrototype const):
        (JSC::JSGlobalObject::symbolPrototype const):
        (JSC::JSGlobalObject::booleanObjectStructure const):
        (JSC::JSGlobalObject::symbolObjectStructure const):
        (JSC::JSGlobalObject::numberObjectStructure const):
        (JSC::JSGlobalObject::stringObjectStructure const):

2019-02-15  Michael Saboff  <msaboff@apple.com>

        RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
        https://bugs.webkit.org/show_bug.cgi?id=194558

        Reviewed by Saam Barati.

        Added an in bounds check before the read of the next character for Unicode regular expressions
        for pattern generation that didn't already have such checks.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2019-02-15  Dean Jackson  <dino@apple.com>

        Allow emulation of user gestures from Web Inspector console
        https://bugs.webkit.org/show_bug.cgi?id=194725
        <rdar://problem/48126604>

        Reviewed by Joseph Pecoraro and Devin Rousso.

        * inspector/agents/InspectorRuntimeAgent.cpp: Add a new optional parameter, emulateUserGesture,
        to the evaluate function, and mark the function as override so that PageRuntimeAgent
        can change the behaviour.
        (Inspector::InspectorRuntimeAgent::evaluate):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not initialize Wasm related data if Wasm is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=194728

        Reviewed by Mark Lam.

        Under non-JIT mode, these data structures are unnecessary. Should not allocate extra memory for that.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2019-02-15  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-15  Mark Lam  <mark.lam@apple.com>

        SamplingProfiler::stackTracesAsJSON() should escape strings.
        https://bugs.webkit.org/show_bug.cgi?id=194649
        <rdar://problem/48072386>

        Reviewed by Saam Barati.

        Ditto for TypeSet::toJSONString() and TypeSet::toJSONString().

        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::stackTracesAsJSON):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString const):
        (JSC::StructureShape::toJSONString const):

2019-02-15  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::jettison should clear related watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=194544

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::clearWatchpoints): Added.
        * dfg/CommonData.cpp:
        (JSC::DFG::CommonData::clearWatchpoints): Added.

2019-02-15  Tadeu Zagallo  <tzagallo@apple.com>

        Move bytecode cache-related filesystem code out of CodeCache
        https://bugs.webkit.org/show_bug.cgi?id=194675

        Reviewed by Saam Barati.

        That code is only used for the bytecode-cache tests, so it should live in
        jsc.cpp rather than in the CodeCache.

        * jsc.cpp:
        (CliSourceProvider::create):
        (CliSourceProvider::~CliSourceProvider):
        (CliSourceProvider::cachePath const):
        (CliSourceProvider::loadBytecode):
        (CliSourceProvider::CliSourceProvider):
        (jscSource):
        (GlobalObject::moduleLoaderFetch):
        (functionDollarEvalScript):
        (runWithOptions):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::cacheBytecode const):
        * runtime/CodeCache.cpp:
        (JSC::writeCodeBlock):
        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
        https://bugs.webkit.org/show_bug.cgi?id=194714

        Reviewed by Mark Lam.

        Let's consider about the following extreme case.

        1. VM (A) is created.
        2. Another VM (B) is created on a different thread.
        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
        6. (A) sees the half-baked worklist, which may be in the middle of creation.

        This patch puts store-store fence just before putting a pointer to a global variable.
        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * wasm/WasmWorklist.cpp:
        (JSC::Wasm::ensureWorklist):

2019-02-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241559 and r241566.
        https://bugs.webkit.org/show_bug.cgi?id=194710

        Causes layout test crashes under GuardMalloc (Requested by
        ryanhaddad on #webkit).

        Reverted changesets:

        "[WTF] Add environment variable helpers"
        https://bugs.webkit.org/show_bug.cgi?id=192405
        https://trac.webkit.org/changeset/241559

        "Unreviewed build fix for WinCairo Debug after r241559."
        https://trac.webkit.org/changeset/241566

2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not even allocate JIT worklists in non-JIT mode
        https://bugs.webkit.org/show_bug.cgi?id=194693

        Reviewed by Mark Lam.

        Heap always allocates JIT worklists for Baseline, DFG, and FTL. While they do not have actual threads, Worklist itself already allocates some memory.
        And we do not perform any GC operations that are only meaningful in JIT environment.

        1. We add VM::canUseJIT() check in Heap's ensureXXXWorklist things to prevent them from being allocated.
        2. We remove DFG marking constraint in non-JIT mode.
        3. We do not gather conservative roots from scratch buffers under the non-JIT mode (BTW, # of scratch buffers are always zero in non-JIT mode)
        4. We do not visit JITStubRoutineSet.
        5. Align JITWorklist function names to the other worklists.

        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::markCodeBlocks): Deleted.
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::completeAllJITPlans):
        (JSC::Heap::iterateExecutingAndCompilingCodeBlocks):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        (JSC::Heap::addCoreConstraints):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::existingGlobalWorklistOrNull):
        (JSC::JITWorklist::ensureGlobalWorklist):
        (JSC::JITWorklist::instance): Deleted.
        * jit/JITWorklist.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::gatherScratchBufferRoots):
        (JSC::VM::gatherConservativeRoots): Deleted.
        * runtime/VM.h:

2019-02-15  Saam barati  <sbarati@apple.com>

        [WebAssembly] Write a new register allocator for Air O0 and make BBQ use it
        https://bugs.webkit.org/show_bug.cgi?id=194036

        Reviewed by Yusuke Suzuki.

        This patch adds a new Air-O0 backend. Air-O0 runs fewer passes and doesn't
        use linear scan for register allocation. Instead of linear scan, Air-O0 does
        mostly block-local register allocation, and it does this as it's emitting
        code directly. The register allocator uses liveness analysis to reduce
        the number of spills. Doing register allocation as we're emitting code
        allows us to skip editing the IR to insert spills, which saves a non trivial
        amount of compile time. For stack allocation, we give each Tmp its own slot.
        This is less than ideal. We probably want to do some trivial live range analysis
        in the future. The reason this isn't a deal breaker for Wasm is that this patch
        makes it so that we reuse Tmps as we're generating Air IR in the AirIRGenerator.
        Because Wasm is a stack machine, we trivially know when we kill a stack value (its last use).
        
        This patch is another 25% Wasm startup time speedup. It seems to be worth
        another 1% on JetStream2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.cpp: Added.
        (JSC::B3::Air::GenerateAndAllocateRegisters::GenerateAndAllocateRegisters):
        (JSC::B3::Air::GenerateAndAllocateRegisters::buildLiveRanges):
        (JSC::B3::Air::GenerateAndAllocateRegisters::insertBlocksForFlushAfterTerminalPatchpoints):
        (JSC::B3::Air::callFrameAddr):
        (JSC::B3::Air::GenerateAndAllocateRegisters::flush):
        (JSC::B3::Air::GenerateAndAllocateRegisters::spill):
        (JSC::B3::Air::GenerateAndAllocateRegisters::alloc):
        (JSC::B3::Air::GenerateAndAllocateRegisters::freeDeadTmpsIfNeeded):
        (JSC::B3::Air::GenerateAndAllocateRegisters::assignTmp):
        (JSC::B3::Air::GenerateAndAllocateRegisters::isDisallowedRegister):
        (JSC::B3::Air::GenerateAndAllocateRegisters::prepareForGeneration):
        (JSC::B3::Air::GenerateAndAllocateRegisters::generate):
        * b3/air/AirAllocateRegistersAndStackAndGenerateCode.h: Added.
        * b3/air/AirCode.cpp:
        * b3/air/AirCode.h:
        * b3/air/AirGenerate.cpp:
        (JSC::B3::Air::prepareForGeneration):
        (JSC::B3::Air::generateWithAlreadyAllocatedRegisters):
        (JSC::B3::Air::generate):
        * b3/air/AirHandleCalleeSaves.cpp:
        (JSC::B3::Air::handleCalleeSaves):
        * b3/air/AirHandleCalleeSaves.h:
        * b3/air/AirTmpMap.h:
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::didKill):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        * wasm/WasmAirIRGenerator.h:
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::didKill):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseBody):
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::didKill):

2019-02-14  Saam barati  <sbarati@apple.com>

        lowerStackArgs should lower Lea32/64 on ARM64 to Add
        https://bugs.webkit.org/show_bug.cgi?id=194656

        Reviewed by Yusuke Suzuki.

        On arm64, Lea is just implemented as an add. However, Air treats it as an
        address with a given width. Because of this width, we were incorrectly
        computing whether or not this immediate could fit into the instruction itself
        or it needed to be explicitly put into a register. This patch makes
        AirLowerStackArgs lower Lea to Add on arm64.

        * b3/air/AirLowerStackArgs.cpp:
        (JSC::B3::Air::lowerStackArgs):
        * b3/air/AirOpcode.opcodes:
        * b3/air/testair.cpp:

2019-02-14  Saam Barati  <sbarati@apple.com>

        Cache the results of BytecodeGenerator::getVariablesUnderTDZ
        https://bugs.webkit.org/show_bug.cgi?id=194583
        <rdar://problem/48028140>

        Reviewed by Yusuke Suzuki.

        This patch makes it so that getVariablesUnderTDZ caches a result of
        CompactVariableMap::Handle. getVariablesUnderTDZ is costly when
        it's called in an environment where there are a lot of variables.
        This patch makes it so we cache its results. This is profitable when
        getVariablesUnderTDZ is called repeatedly with the same environment
        state. This is common since we call this every time we encounter a
        function definition/expression node.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createExecutable):
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::popLexicalScopeInternal):
        (JSC::BytecodeGenerator::liftTDZCheckIfPossible):
        (JSC::BytecodeGenerator::pushTDZVariables):
        (JSC::BytecodeGenerator::getVariablesUnderTDZ):
        (JSC::BytecodeGenerator::restoreTDZStack):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/VariableEnvironment.cpp:
        (JSC::CompactVariableMap::Handle::Handle):
        (JSC::CompactVariableMap::Handle::operator=):
        * parser/VariableEnvironment.h:
        (JSC::CompactVariableMap::Handle::operator bool const):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getUnlinkedGlobalFunctionExecutable):

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Non-JIT entrypoints should share NativeJITCode per entrypoint type
        https://bugs.webkit.org/show_bug.cgi?id=194659

        Reviewed by Mark Lam.

        Non-JIT entrypoints create NativeJITCode every time it is called. But it is meaningless since these entry point code are identical.
        We should create one per entrypoint type (for function, we should have CodeForCall and CodeForConstruct) and continue to use them.
        And we use NativeJITCode instead of DirectJITCode if it does not have difference between usual entrypoint and arity check entrypoint.

        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::initializeCodeRefForDFG):
        (JSC::DirectJITCode::initializeCodeRef): Deleted.
        (JSC::NativeJITCode::initializeCodeRef): Deleted.
        * jit/JITCode.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setModuleProgramEntrypoint): Retagged is removed since the tag is the same.

2019-02-14  Ross Kirsling  <ross.kirsling@sony.com>

        [WTF] Add environment variable helpers
        https://bugs.webkit.org/show_bug.cgi?id=192405

        Reviewed by Michael Catanzaro.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        (JSC::Options::overrideAliasedOptionWithHeuristic):
        (JSC::Options::initialize):
        * runtime/VM.cpp:
        (JSC::enableAssembler):
        (JSC::VM::VM):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):
        Utilize WTF::Environment where possible.

2019-02-14  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Should have default NativeJITCode
        https://bugs.webkit.org/show_bug.cgi?id=194634

        Reviewed by Mark Lam.

        In JSC_useJIT=false mode, we always create identical NativeJITCode for call and construct when we create NativeExecutable.
        This is meaningless since we do not modify NativeJITCode after the creation. This patch adds singleton used as a default one.
        Since NativeJITCode (& JITCode) is ThreadSafeRefCounted, we can just share it in a whole process level. This removes 446 NativeJITCode
        allocations, which takes 14KB.

        * runtime/VM.cpp:
        (JSC::jitCodeForCallTrampoline):
        (JSC::jitCodeForConstructTrampoline):
        (JSC::VM::getHostFunction):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        generateUnlinkedCodeBlockForFunctions shouldn't need to create a FunctionExecutable just to get its source code
        https://bugs.webkit.org/show_bug.cgi?id=194576

        Reviewed by Saam Barati.

        Extract a new function, `linkedSourceCode` from UnlinkedFunctionExecutable::link
        and use it in `generateUnlinkedCodeBlockForFunctions` instead.

        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::linkedSourceCode const):
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedFunctionExecutable.h:
        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-14  Tadeu Zagallo  <tzagallo@apple.com>

        CachedBitVector's size must be converted from bits to bytes
        https://bugs.webkit.org/show_bug.cgi?id=194441

        Reviewed by Saam Barati.

        CachedBitVector used its size in bits for memcpy. That didn't cause any
        issues when encoding, since the size in bits was also used in the allocation,
        but would overflow the actual BitVector buffer when decoding.

        * runtime/CachedTypes.cpp:
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):

2019-02-13  Brian Burg  <bburg@apple.com>

        Web Inspector: don't include accessibility role in DOM.Node object payloads
        https://bugs.webkit.org/show_bug.cgi?id=194623
        <rdar://problem/36384037>

        Reviewed by Devin Rousso.

        Remove property of DOM.Node that is no longer being sent.

        * inspector/protocol/DOM.json:

2019-02-13  Keith Miller  <keith_miller@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Mark Lam.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        The important change from the previous one is that we do not apply
        the above rule to JSRopeStrings generated by JSStrings. If we convert
        it to JSString, comparison of memory consumption becomes the following,
        because JSRopeString does not have StringImpl until it is resolved.

            sizeof(JSRopeString) v.s. sizeof(JSString) + sizeof(StringImpl) + content

        Since sizeof(JSString) + sizeof(StringImpl) is larger than sizeof(JSRopeString),
        resolving eagerly increases memory footprint. The point is that we need to
        account newly created JSString and JSRopeString from the operands. This is the
        reason why this patch adds different thresholds for each jsString functions.

        This patch also avoids concatenation for ropes conservatively. Many ropes are
        temporary cells. So we do not resolve eagerly if one of operands is already a
        rope.

        In CLI execution, this change is performance neutral in JetStream2 (run 6 times, 1 for warming up and average in latter 5.).

            Before: 159.3778
            After:  160.72340000000003

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        (JSC::JSString::isRope const):
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAddNonNumber):
        (JSC::jsAdd):

2019-02-13  Saam Barati  <sbarati@apple.com>

        AirIRGenerator::addSwitch switch patchpoint needs to model clobbering the scratch register
        https://bugs.webkit.org/show_bug.cgi?id=194610

        Reviewed by Michael Saboff.

        BinarySwitch might use the scratch register. We must model the
        effects of that properly. This is already caught by our br-table
        tests on arm64.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-13  Mark Lam  <mark.lam@apple.com>

        Create a randomized free list for new StructureIDs on StructureIDTable resize.
        https://bugs.webkit.org/show_bug.cgi?id=194566
        <rdar://problem/47975502>

        Reviewed by Michael Saboff.

        Also isolate 32-bit implementation of StructureIDTable out more so the 64-bit
        implementation is a little easier to read.

        This patch appears to be perf neutral on JetStream2 (as run from the command line).

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::makeFreeListFromRange):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):
        (JSC::StructureIDTable::deallocateID):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::flushOldTables):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        VariableLengthObject::allocate<T> should initialize objects
        https://bugs.webkit.org/show_bug.cgi?id=194534

        Reviewed by Michael Saboff.

        `buffer()` should not be called for empty VariableLengthObjects, but
        these cases were not being caught due to the objects not being properly
        initialized. Fix it so that allocate calls the constructor and fix the
        assertion failues.

        * runtime/CachedTypes.cpp:
        (JSC::CachedObject::operator new):
        (JSC::VariableLengthObject::allocate):
        (JSC::CachedVector::encode):
        (JSC::CachedVector::decode const):
        (JSC::CachedUniquedStringImpl::decode const):
        (JSC::CachedBitVector::encode):
        (JSC::CachedBitVector::decode const):
        (JSC::CachedArray::encode):
        (JSC::CachedArray::decode const):
        (JSC::CachedImmutableButterfly::CachedImmutableButterfly):
        (JSC::CachedBigInt::decode const):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        CodeBlocks read from disk should not be re-written
        https://bugs.webkit.org/show_bug.cgi?id=194535

        Reviewed by Michael Saboff.

        Keep track of which CodeBlocks have been read from disk or have already
        been serialized in CodeCache.

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::write):
        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (JSC::CodeCacheMap::fetchFromDiskImpl):

2019-02-13  Tadeu Zagallo  <tzagallo@apple.com>

        SourceCode should be copied when generating bytecode for functions
        https://bugs.webkit.org/show_bug.cgi?id=194536

        Reviewed by Saam Barati.

        The FunctionExecutable might be collected while generating the bytecode
        for nested functions, in which case the SourceCode reference would no
        longer be valid.

        * runtime/CodeCache.cpp:
        (JSC::generateUnlinkedCodeBlockForFunctions):

2019-02-12  Saam barati  <sbarati@apple.com>

        JSScript needs to retain its cache path NSURL*
        https://bugs.webkit.org/show_bug.cgi?id=194577

        Reviewed by Tim Horton.

        * API/JSScript.mm:
        (+[JSScript scriptFromASCIIFile:inVirtualMachine:withCodeSigning:andBytecodeCache:]):
        (-[JSScript dealloc]):

2019-02-12  Robin Morisset  <rmorisset@apple.com>

        Make B3Value::returnsBool() more precise
        https://bugs.webkit.org/show_bug.cgi?id=194457

        Reviewed by Saam Barati.

        It is currently used repeatedly in B3ReduceStrength, as well as once in B3LowerToAir.
        It has a needlessly complex rule for BitAnd, and has no rule for other easy cases such as BitOr or Select.
        No new tests added as this should be indirectly tested by the already existing tests.

        * b3/B3Value.cpp:
        (JSC::B3::Value::returnsBool const):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix -Wimplicit-fallthrough warning after r241140
        https://bugs.webkit.org/show_bug.cgi?id=194399
        <rdar://problem/47889777>

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-12  Michael Catanzaro  <mcatanzaro@igalia.com>

        [WPE][GTK] Unsafe g_unsetenv() use in WebProcessPool::platformInitialize
        https://bugs.webkit.org/show_bug.cgi?id=194370

        Reviewed by Darin Adler.

        Change a couple WTFLogAlways to use g_warning, for good measure. Of course this isn't
        necessary, but it will make errors more visible.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::start):
        (Inspector::dbusConnectionCallAsyncReadyCallback):
        * inspector/remote/glib/RemoteInspectorServer.cpp:
        (Inspector::RemoteInspectorServer::start):

2019-02-12  Andy Estes  <aestes@apple.com>

        [iOSMac] Enable Parental Controls Content Filtering
        https://bugs.webkit.org/show_bug.cgi?id=194521
        <rdar://39732376>

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2019-02-11  Mark Lam  <mark.lam@apple.com>

        Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
        https://bugs.webkit.org/show_bug.cgi?id=194512
        <rdar://problem/47975465>

        Reviewed by Yusuke Suzuki.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:

2019-02-10  Mark Lam  <mark.lam@apple.com>

        Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.
        https://bugs.webkit.org/show_bug.cgi?id=194493
        <rdar://problem/36380852>

        Reviewed by Yusuke Suzuki.

        Having duplicate cases in the BinarySwitch is not a correctness issue.  It is
        however not good for performance and memory usage.  As such, a debug ASSERT will
        do.  We'll also do an audit of the clients of BinarySwitch to see if it's
        possible to be instantiated with duplicate cases in
        https://bugs.webkit.org/show_bug.cgi?id=194492 later.

        Also added some value dumps to the RELEASE_ASSERT to help debug the issue when we
        see duplicate cases.

        * jit/BinarySwitch.cpp:
        (JSC::BinarySwitch::BinarySwitch):

2019-02-10  Darin Adler  <darin@apple.com>

        Switch uses of StringBuilder with String::format for hex numbers to use HexNumber.h instead
        https://bugs.webkit.org/show_bug.cgi?id=194485

        Reviewed by Daniel Bates.

        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json): Use appendUnsignedAsHex along with
        reinterpret_cast<uintptr_t> to replace uses of String::format with "%p".

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Removed some unneeded casts in StringBuilder code,
        including one in a call to appendByteAsHex.
        (JSC::globalFuncEscape): Ditto.

2019-02-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241230.
        https://bugs.webkit.org/show_bug.cgi?id=194488

        "It regressed JetStream2 by ~6%" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "We should only make rope strings when concatenating strings
        long enough."
        https://bugs.webkit.org/show_bug.cgi?id=194465
        https://trac.webkit.org/changeset/241230

2019-02-10  Saam barati  <sbarati@apple.com>

        BBQ-Air: Emit better code for switch
        https://bugs.webkit.org/show_bug.cgi?id=194053

        Reviewed by Yusuke Suzuki.

        Instead of emitting a linear set of jumps for Switch, this patch
        makes the BBQ-Air backend emit a binary switch.

        * wasm/WasmAirIRGenerator.cpp:
        (JSC::Wasm::AirIRGenerator::addSwitch):

2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, Lexer should use isLatin1 implementation in WTF
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Follow-up after r241233 pointed by Darin.

        * parser/Lexer.cpp:
        (JSC::isLatin1): Deleted.

2019-02-09  Darin Adler  <darin@apple.com>

        Eliminate unnecessary String temporaries by using StringConcatenateNumbers
        https://bugs.webkit.org/show_bug.cgi?id=194021

        Reviewed by Geoffrey Garen.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::count): Remove String::number and let
        makeString do the conversion without allocating/destroying a String.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction): Ditto.
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): Ditto.
        (Inspector::InspectorDebuggerAgent::setBreakpoint): Ditto.
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty): Ditto.
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToFixed): Use String::numberToStringFixedWidth instead
        of calling numberToFixedWidthString to do the same thing.
        (JSC::numberProtoFuncToPrecision): Use String::number instead of calling
        numberToFixedPrecisionString to do the same thing.
        * runtime/SamplingProfiler.cpp:
        (JSC::SamplingProfiler::reportTopFunctions): Ditto.

2019-02-09  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, rolling in r241237 again
        https://bugs.webkit.org/show_bug.cgi?id=194469

        * runtime/JSString.h:
        (JSC::jsSubstring):

2019-02-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r241237.
        https://bugs.webkit.org/show_bug.cgi?id=194474

        Shows significant memory increase in WSL (Requested by
        yusukesuzuki on #webkit).

        Reverted changeset:

        "[WTF] Use BufferInternal StringImpl if substring StringImpl
        takes more memory"
        https://bugs.webkit.org/show_bug.cgi?id=194469
        https://trac.webkit.org/changeset/241237

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [WTF] Use BufferInternal StringImpl if substring StringImpl takes more memory
        https://bugs.webkit.org/show_bug.cgi?id=194469

        Reviewed by Geoffrey Garen.

        * runtime/JSString.h:
        (JSC::jsSubstring):

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] CachedTypes should use jsString instead of JSString::create
        https://bugs.webkit.org/show_bug.cgi?id=194471

        Reviewed by Mark Lam.

        Use jsString() here because JSString::create is a bit low-level API and it requires some invariant like "length is not zero".

        * runtime/CachedTypes.cpp:
        (JSC::CachedJSValue::decode const):

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Increase StructureIDTable initial capacity
        https://bugs.webkit.org/show_bug.cgi?id=194468

        Reviewed by Mark Lam.

        Currently, # of structures just after initializing JSGlobalObject (precisely, initializing GlobalObject in
        JSC shell), 281, already exceeds the current initial value 256. We should increase the capacity since
        unnecessary resizing requires more operations, keeps old StructureID array until GC happens, and makes
        more memory dirty. We also remove some structures that are no longer used.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::callbackObjectStructure const):
        (JSC::JSGlobalObject::propertyNameIteratorStructure const): Deleted.
        * runtime/StructureIDTable.h:
        * runtime/VM.h:

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] String.fromCharCode's slow path always generates 16bit string
        https://bugs.webkit.org/show_bug.cgi?id=194466

        Reviewed by Keith Miller.

        String.fromCharCode(a1) has a fast path and the most frequently used. And String.fromCharCode(a1, a2, ...)
        goes to the slow path. However, in the slow path, we always create 16bit string. 16bit string takes 2x memory,
        and even worse, taints ropes 16bit if 16bit string is included in the given rope. We find that acorn-wtb
        creates very large strings multiple times with String.fromCharCode, and String.fromCharCode always produces
        16bit string. However, only few strings are actually 16bit strings. This patch attempts to make 8bit string
        as much as possible.

        It improves non JIT acorn-wtb's peak and current memory footprint by 6% and 3% respectively.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCode):

2019-02-08  Keith Miller  <keith_miller@apple.com>

        We should only make rope strings when concatenating strings long enough.
        https://bugs.webkit.org/show_bug.cgi?id=194465

        Reviewed by Saam Barati.

        This patch stops us from allocating a rope string if the resulting
        rope would be smaller than the size of the JSRopeString object we
        would need to allocate.

        This patch also adds paths so that we don't unnecessarily allocate
        JSString cells for primitives we are going to concatenate with a
        string anyway.

        * dfg/DFGOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSString.h:
        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsAdd):

2019-02-08  Saam barati  <sbarati@apple.com>

        Nodes that rely on being dominated by CheckInBounds should have a child edge to it
        https://bugs.webkit.org/show_bug.cgi?id=194334
        <rdar://problem/47844327>

        Reviewed by Mark Lam.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink sizeof(CodeBlock) more
        https://bugs.webkit.org/show_bug.cgi?id=194419

        Reviewed by Mark Lam.

        This patch further shrinks the size of CodeBlock, from 352 to 296 (304).

        1. CodeBlock copies so many data from ScriptExecutable even if ScriptExecutable
        has the same information. These data is not touched in CodeBlock::~CodeBlock,
        so we can just use the data in ScriptExecutable instead of holding it in CodeBlock.

        2. We remove m_instructions pointer since the ownership is managed by UnlinkedCodeBlock.
        And we do not touch it in CodeBlock::~CodeBlock.

        3. We move m_calleeSaveRegisters from CodeBlock to CodeBlock::JITData. For baseline and LLInt
        cases, this patch offers RegisterAtOffsetList::llintBaselineCalleeSaveRegisters() which returns
        singleton to `const RegisterAtOffsetList*` usable for LLInt and Baseline JIT CodeBlocks.

        4. Move m_catchProfiles to RareData and materialize only when op_catch's slow path is called.

        5. Drop ownerScriptExecutable. ownerExecutable() returns ScriptExecutable*.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hash const):
        (JSC::CodeBlock::sourceCodeForTools const):
        (JSC::CodeBlock::dumpAssumingJITType const):
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::setCalleeSaveRegisters):
        (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
        (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::expressionRangeForBytecodeOffset const):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::newReplacement):
        (JSC::CodeBlock::replacement):
        (JSC::CodeBlock::computeCapabilityLevel):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::calleeSaveRegisters const):
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
        (JSC::CodeBlock::updateOSRExitCounterAndCheckIfNeedToReoptimize):
        (JSC::CodeBlock::getArrayProfile):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::notifyLexicalBindingUpdate):
        (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::outOfLineJumpTarget):
        (JSC::CodeBlock::arithProfileForBytecodeOffset):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::specializationKind const):
        (JSC::CodeBlock::isStrictMode const):
        (JSC::CodeBlock::isConstructor const):
        (JSC::CodeBlock::codeType const):
        (JSC::CodeBlock::isKnownNotImmediate):
        (JSC::CodeBlock::instructions const):
        (JSC::CodeBlock::ownerExecutable const):
        (JSC::CodeBlock::thisRegister const):
        (JSC::CodeBlock::source const):
        (JSC::CodeBlock::sourceOffset const):
        (JSC::CodeBlock::firstLineColumnOffset const):
        (JSC::CodeBlock::createRareDataIfNecessary):
        (JSC::CodeBlock::ownerScriptExecutable const): Deleted.
        (JSC::CodeBlock::setThisRegister): Deleted.
        (JSC::CodeBlock::calleeSaveRegisters const): Deleted.
        * bytecode/EvalCodeBlock.h:
        * bytecode/FunctionCodeBlock.h:
        * bytecode/GlobalCodeBlock.h:
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        * bytecode/ModuleProgramCodeBlock.h:
        * bytecode/ProgramCodeBlock.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceID const):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::location const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupportedForInlining):
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::canUseOSRExitFuzzing):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::executableFor):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::restoreCalleeSavesFor):
        (JSC::DFG::saveCalleeSavesFor):
        (JSC::DFG::saveOrCopyCalleeSavesFor):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerSourceOrigin):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::calleeSaveRegisters):
        (JSC::StackVisitor::Frame::sourceURL const):
        (JSC::StackVisitor::Frame::sourceID):
        (JSC::StackVisitor::Frame::computeLineAndColumn const):
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
        (JSC::AssemblyHelpers::emitSaveOrCopyCalleeSavesFor):
        (JSC::AssemblyHelpers::emitRestoreCalleeSavesFor):
        * jit/CallFrameShuffleData.cpp:
        (JSC::CallFrameShuffleData::setupCalleeSaveRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Plan::finalize):
        (JSC::JITWorklist::compileNow):
        * jit/RegisterAtOffsetList.cpp:
        (JSC::RegisterAtOffsetList::llintBaselineCalleeSaveRegisters):
        * jit/RegisterAtOffsetList.h:
        (JSC::RegisterAtOffsetList::at const):
        * runtime/ErrorInstance.cpp:
        (JSC::appendSourceToError):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::sourceID const):
        (JSC::StackFrame::sourceURL const):
        (JSC::StackFrame::computeLineAndColumn const):

2019-02-08  Robin Morisset  <rmorisset@apple.com>

        B3LowerMacros wrongly sets m_changed to true in the case of AtomicWeakCAS on x86
        https://bugs.webkit.org/show_bug.cgi?id=194460

        Reviewed by Mark Lam.

        Trivial fix, should already be covered by testAtomicWeakCAS in testb3.cpp.

        * b3/B3LowerMacros.cpp:

2019-02-08  Mark Lam  <mark.lam@apple.com>

        Use maxSingleCharacterString in comparisons instead of literal constants.
        https://bugs.webkit.org/show_bug.cgi?id=194452

        Reviewed by Yusuke Suzuki.

        This way, if we ever change maxSingleCharacterString, it won't break all this code
        that relies on it being 0xff implicitly.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStringSlice):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
        * jit/ThunkGenerators.cpp:
        (JSC::stringGetByValGenerator):
        (JSC::charToString):

2019-02-08  Mark Lam  <mark.lam@apple.com>

        Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194446
        <rdar://problem/47926792>

        Reviewed by Saam Barati.

        Fix doesGC() for the following nodes:

            CheckTierUpAtReturn:
                Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
                which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

            CheckTierUpInLoop:
                Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
                Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

            CheckTierUpAndOSREnter:
                Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
                Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

            GetByVal:
                case Array::String calls operationSingleCharacterString(), which calls
                jsSingleCharacterString(), which can allocate a string.

            PutByValDirect:
            PutByVal:
            PutByValAlias:
                For the DFG only, the integer TypeArrays calls compilePutByValForIntTypedArray(),
                which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
                operationPutByValStrict(), or operationPutByValNonStrict().  All of these
                slow paths call putByValInternal(), which may create exception objects, or
                call the generic JSValue::put() which may execute arbitrary code.

            StringCharAt:
                Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
                which can allocate a string.

        Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
        to use the maxSingleCharacterString constant instead of a literal constant.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] SourceProviderCacheItem should be small
        https://bugs.webkit.org/show_bug.cgi?id=194432

        Reviewed by Saam Barati.

        Some JetStream2 tests stress the JS parser. At that time, so many SourceProviderCacheItems are created.
        While they are removed when full-GC happens, it significantly increases the peak memory usage.
        This patch reduces the size of SourceProviderCacheItem from 56 to 32.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::endFunctionToken const):
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):

2019-02-07  Robin Morisset  <rmorisset@apple.com>

        Fix Abs(Neg(x)) -> Abs(x) optimization in B3ReduceStrength
        https://bugs.webkit.org/show_bug.cgi?id=194420

        Reviewed by Saam Barati.

        In https://bugs.webkit.org/show_bug.cgi?id=194250, I added an optimization: Abs(Neg(x)) -> Abs(x).
        But I introduced two bugs, one is that I actually implemented Abs(Neg(x)) -> x, and the other is that the test is looking at Abs(Abs(x)) instead (both were stupid copy-paste mistakes).
        This trivial patch fixes both.

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testAbsNegArg):

2019-02-07  Keith Miller  <keith_miller@apple.com>

        Better error messages for module loader SPI
        https://bugs.webkit.org/show_bug.cgi?id=194421

        Reviewed by Saam Barati.

        * API/JSAPIGlobalObject.mm:
        (JSC::JSAPIGlobalObject::moduleLoaderImportModule):

2019-02-07  Mark Lam  <mark.lam@apple.com>

        Fix more doesGC() for CheckTraps, GetMapBucket, and Switch nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194399
        <rdar://problem/47889777>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            CheckTraps:
                We normally will not emit this node because Options::usePollingTraps() is
                false by default.  However, as it is implemented now, CheckTraps can GC
                because it can allocate a TerminatedExecutionException.  If we make the
                TerminatedExecutionException a singleton allocated at initialization time,
                doesGC() can return false for CheckTraps.
                https://bugs.webkit.org/show_bug.cgi?id=194323

            GetMapBucket:
                Can call operationJSMapFindBucket() or operationJSSetFindBucket(),
                which calls HashMapImpl::findBucket(), which calls jsMapHash(), which
                can resolve a rope.

            Switch:
                If switchData kind is SwitchChar, can call operationResolveRope() .
                If switchData kind is SwitchString and the child use kind is not StringIdentUse,
                    can call operationSwitchString() which resolves ropes.

            DirectTailCall:
            ForceOSRExit:
            Return:
            TailCallForwardVarargs:
            TailCallVarargs:
            Throw:
                These are terminal nodes.  It shouldn't really matter what doesGC() returns
                for them, but following our conservative practice, unless we have a good
                reason for doesGC() to return false, we should just return true.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-07  Robin Morisset  <rmorisset@apple.com>

        B3ReduceStrength: missing peephole optimizations for Neg and Sub
        https://bugs.webkit.org/show_bug.cgi?id=194250

        Reviewed by Saam Barati.

        Adds the following optimizations for integers:
        - Sub(x, x) => 0
            Already covered by the test testSubArg
        - Sub(x1, Neg(x2)) => Add (x1, x2)
            Added test: testSubNeg
        - Neg(Sub(x1, x2)) => Sub(x2, x1)
            Added test: testNegSub
        - Add(Neg(x1), x2) => Sub(x2, x1)
            Added test: testAddNeg1
        - Add(x1, Neg(x2)) => Sub(x1, x2)
            Added test: testAddNeg2
        Adds the following optimization for floating point values:
        - Abs(Neg(x)) => Abs(x)
            Added test: testAbsNegArg
            Adds the following optimization:

        Also did some trivial refactoring, using m_value->isInteger() everywhere instead of isInt(m_value->type()), and using replaceWithNew<Value> instead of replaceWithNewValue(m_proc.add<Value(..))

        * b3/B3ReduceStrength.cpp:
        * b3/testb3.cpp:
        (JSC::B3::testAddNeg1):
        (JSC::B3::testAddNeg2):
        (JSC::B3::testSubNeg):
        (JSC::B3::testNegSub):
        (JSC::B3::testAbsAbsArg):
        (JSC::B3::testAbsNegArg):
        (JSC::B3::run):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Use BufferInternal single character StringImpl for SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=194374

        Reviewed by Geoffrey Garen.

        Currently, we first create a large StringImpl, and create bunch of substrings with length = 1.
        But pointer is larger than single character. BufferInternal StringImpl with single character
        is more memory efficient.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):
        * runtime/SmallStrings.h:

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
        https://bugs.webkit.org/show_bug.cgi?id=194369
        <rdar://problem/47813087>

        Reviewed by Saam Barati.

        InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
        JSEmpty if it is TDZ. This incorrectly proved type information removes necessary CheckNotEmpty in
        constant folding phase.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2019-02-06  Devin Rousso  <drousso@apple.com>

        Web Inspector: DOM: don't send the entire function string with each event listener
        https://bugs.webkit.org/show_bug.cgi?id=194293
        <rdar://problem/47822809>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:

        * runtime/JSFunction.h:
        Export `calculatedDisplayName`.

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] PrivateName to PublicName hash table is wasteful
        https://bugs.webkit.org/show_bug.cgi?id=194277

        Reviewed by Michael Saboff.

        PrivateNames account for a lot of memory in the initial JSC footprint. BuiltinNames have Identifier fields corresponding to these PrivateNames
        which makes the sizeof(BuiltinNames) about 6KB. It also maintains hash tables for "PublicName to PrivateName" and "PrivateName to PublicName",
        each of which takes 16KB memory. While "PublicName to PrivateName" functionality is used in builtin JS (parsing "@xxx" and get a private
        name for "xxx"), "PrivateName to PublicName" is rarely used. Holding 16KB hash table for rarely used feature is costly.

        In this patch, we add some rules to remove "PrivateName to PublicName" hash table.

        1. PrivateName's content should be the same to PublicName.
        2. If PrivateName is not actually a private name (we introduced hacky mapping like "@iteratorSymbol" => Symbol.iterator),
           the public name should be easily crafted from the given PrivateName.

        We modify the content of private names to ensure (1). And for (2), we can meet this requirement by ensuring that the "@xxxSymbol"
        is converted to "Symbol.xxx". (1) and (2) allow us to convert a private name to a public name without a large hash table.

        We also remove unused identifiers in CommonIdentifiers. And we also move some of them to WebCore's WebCoreBuiltinNames if it is only used in
        WebCore.

        * builtins/BuiltinNames.cpp:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::lookUpPrivateName const):
        (JSC::BuiltinNames::getPublicName const):
        (JSC::BuiltinNames::checkPublicToPrivateMapConsistency):
        (JSC::BuiltinNames::appendExternalName):
        (JSC::BuiltinNames::lookUpPublicName const): Deleted.
        * builtins/BuiltinUtils.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpIdentifiers):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_getByIdDirectPrivate):
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByIdDirectPrivate):
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createGeneratorParameters):
        (JSC::Parser<LexerType>::parseFunctionDeclaration):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClassDeclaration):
        (JSC::Parser<LexerType>::parseExportDeclaration):
        (JSC::Parser<LexerType>::parseMemberExpression):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        * runtime/CachedTypes.cpp:
        (JSC::CachedUniquedStringImpl::encode):
        (JSC::CachedUniquedStringImpl::decode const):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        (JSC::CommonIdentifiers::lookUpPrivateName const):
        (JSC::CommonIdentifiers::getPublicName const):
        (JSC::CommonIdentifiers::lookUpPublicName const): Deleted.
        * runtime/CommonIdentifiers.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Identifier.cpp:
        (JSC::Identifier::dump const):
        * runtime/Identifier.h:
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::fromUid):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * tools/JSDollarVM.cpp:
        (JSC::functionGetPrivateProperty):

2019-02-06  Keith Rollin  <krollin@apple.com>

        Really enable the automatic checking and regenerations of .xcfilelists during builds
        https://bugs.webkit.org/show_bug.cgi?id=194357
        <rdar://problem/47861231>

        Reviewed by Chris Dumez.

        Bug 194124 was supposed to enable the automatic checking and
        regenerating of .xcfilelist files during the build. While related
        changes were included in that patch, the change to actually enable the
        operation somehow was omitted. This patch actually enables the
        operation. The check-xcfilelist.sh scripts now check
        WK_DISABLE_CHECK_XCFILELISTS, and if it's "1", opts-out the developer
        from the checking.

        * Scripts/check-xcfilelists.sh:

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Unify indirectEvalExecutableSpace and directEvalExecutableSpace
        https://bugs.webkit.org/show_bug.cgi?id=194339

        Reviewed by Michael Saboff.

        DirectEvalExecutable and IndirectEvalExecutable have completely same memory layout.
        They have even the same structure. This patch unifies the subspaces for them.

        * runtime/DirectEvalExecutable.h:
        * runtime/EvalExecutable.h:
        (JSC::EvalExecutable::subspaceFor):
        * runtime/IndirectEvalExecutable.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        (JSC::VM::forEachScriptExecutableSpace):

2019-02-06  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] NativeExecutable should be smaller
        https://bugs.webkit.org/show_bug.cgi?id=194331

        Reviewed by Michael Saboff.

        NativeExecutable takes 88 bytes now. Since our GC rounds the size with 16, it actually takes 96 bytes in IsoSubspaces.
        Since a lot of NativeExecutable are allocated, we already has two MarkedBlocks even just after JSGlobalObject initialization.
        This patch makes sizeof(NativeExecutable) 64 bytes, which is 32 bytes smaller than 96 bytes. Now our JSGlobalObject initialization
        only takes one MarkedBlock for NativeExecutable.

        To make NativeExecutable smaller,

        1. m_numParametersForCall and m_numParametersForConstruct in ExecutableBase are only meaningful in ScriptExecutable subclasses. Since
           they are not touched from JIT, we can remove them from ExecutableBase and move them to ScriptExecutable.

        2. DOMJIT::Signature* is rarely used. Rather than having it in NativeExecutable, we should put it in NativeJITCode. Since NativeExecutable
           always has JITCode, we can safely query the value from NativeExecutable. This patch creates NativeDOMJITCode, which is a subclass of
           NativeJITCode, and instantiated only when DOMJIT::Signature* is given.

        3. Move Intrinsic to a member of ScriptExecutable or JITCode. Since JITCode has some paddings to put things, we can leverage this to put
           Intrinsic for NativeExecutable.

        We also move "clearCode" code from ExecutableBase to ScriptExecutable since it is only valid for ScriptExecutable subclasses.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallVariant.h:
        * interpreter/Interpreter.cpp:
        * jit/JITCode.cpp:
        (JSC::DirectJITCode::DirectJITCode):
        (JSC::NativeJITCode::NativeJITCode):
        (JSC::NativeDOMJITCode::NativeDOMJITCode):
        * jit/JITCode.h:
        (JSC::JITCode::signature const):
        (JSC::JITCode::intrinsic):
        * jit/JITOperations.cpp:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/Repatch.cpp:
        * llint/LLIntSlowPaths.cpp:
        * runtime/ExecutableBase.cpp:
        (JSC::ExecutableBase::dump const):
        (JSC::ExecutableBase::hashFor const):
        (JSC::ExecutableBase::hasClearableCode const): Deleted.
        (JSC::ExecutableBase::clearCode): Deleted.
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::isModuleProgramExecutable):
        (JSC::ExecutableBase::isHostFunction const):
        (JSC::ExecutableBase::generatedJITCodeForCall const):
        (JSC::ExecutableBase::generatedJITCodeForConstruct const):
        (JSC::ExecutableBase::generatedJITCodeFor const):
        (JSC::ExecutableBase::generatedJITCodeForCall): Deleted.
        (JSC::ExecutableBase::generatedJITCodeForConstruct): Deleted.
        (JSC::ExecutableBase::generatedJITCodeFor): Deleted.
        (JSC::ExecutableBase::offsetOfNumParametersFor): Deleted.
        (JSC::ExecutableBase::hasJITCodeForCall const): Deleted.
        (JSC::ExecutableBase::hasJITCodeForConstruct const): Deleted.
        (JSC::ExecutableBase::intrinsic const): Deleted.
        * runtime/ExecutableBaseInlines.h: Added.
        (JSC::ExecutableBase::intrinsic const):
        (JSC::ExecutableBase::hasJITCodeForCall const):
        (JSC::ExecutableBase::hasJITCodeForConstruct const):
        * runtime/JSBoundFunction.cpp:
        * runtime/JSType.cpp:
        (WTF::printInternal):
        * runtime/JSType.h:
        * runtime/NativeExecutable.cpp:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::createStructure):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::NativeExecutable::signatureFor const):
        (JSC::NativeExecutable::intrinsic const):
        * runtime/NativeExecutable.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::clearCode):
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::hasClearableCode const):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::intrinsic const):
        (JSC::ScriptExecutable::hasJITCodeForCall const):
        (JSC::ScriptExecutable::hasJITCodeForConstruct const):
        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):

2019-02-06  Pablo Saavedra  <psaavedra@igalia.com>

        Build failure after r240431
        https://bugs.webkit.org/show_bug.cgi?id=194330

        Reviewed by Žan Doberšek.

        * API/glib/JSCOptions.cpp:

2019-02-05  Mark Lam  <mark.lam@apple.com>

        Fix DFG's doesGC() for a few more nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194307
        <rdar://problem/47832956>

        Reviewed by Yusuke Suzuki.

        Fix doesGC() for the following nodes:

            NumberToStringWithValidRadixConstant:
                Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
                which can allocate a string.
                Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
                which can allocate a string.
                Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
                which can allocate a string.

            RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
                memory for all kinds of objects.
            RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
                RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
                these allocates memory for the match result.
            RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
                calls RegExpObject's collectMatches(), which allocates an array amongst
                other objects.

            StringFromCharCode:
                If the uint32 code to convert is greater than maxSingleCharacterString,
                we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
                which allocates a new string if the code is greater than maxSingleCharacterString.

        Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
        to use maxSingleCharacterString instead of a literal constant.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):

2019-02-05  Keith Rollin  <krollin@apple.com>

        Enable the automatic checking and regenerations of .xcfilelists during builds
        https://bugs.webkit.org/show_bug.cgi?id=194124
        <rdar://problem/47721277>

        Reviewed by Tim Horton.

        Bug 193790 add a facility for checking -- during build time -- that
        any needed .xcfilelist files are up-to-date and for updating them if
        they are not. This facility was initially opt-in by setting
        WK_ENABLE_CHECK_XCFILELISTS until other pieces were in place and until
        the process seemed robust. Its now time to enable this facility and
        make it opt-out. If there is a need to disable this facility, set and
        export WK_DISABLE_CHECK_XCFILELISTS=1 in your environment before
        running `make` or `build-webkit`, or before running Xcode from the
        command line.

        Additionally, remove the step that generates a list of source files
        going into the UnifiedSources build step. It's only necessarily to
        specify Sources.txt and SourcesCocoa.txt as inputs.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * UnifiedSources-input.xcfilelist: Removed.

2019-02-05  Keith Rollin  <krollin@apple.com>

        Update .xcfilelist files
        https://bugs.webkit.org/show_bug.cgi?id=194121
        <rdar://problem/47720863>

        Reviewed by Tim Horton.

        Preparatory to enabling the facility for automatically updating the
        .xcfilelist files, check in a freshly-updated set so that not everyone
        runs up against having to regenerate them themselves.

        * DerivedSources-input.xcfilelist:
        * DerivedSources-output.xcfilelist:

2019-02-05  Andy VanWagoner  <andy@vanwagoner.family>

        [INTL] improve efficiency of Intl.NumberFormat formatToParts
        https://bugs.webkit.org/show_bug.cgi?id=185557

        Reviewed by Mark Lam.

        Since field nesting depth is minimal, this algorithm should be effectively O(n),
        where n is the number of characters in the formatted string.
        It may be less memory efficient than the previous impl, since the intermediate Vector
        is the length of the string, instead of the count of the fields.

        * runtime/IntlNumberFormat.cpp:
        (JSC::IntlNumberFormat::formatToParts):
        * runtime/IntlNumberFormat.h:

2019-02-05  Mark Lam  <mark.lam@apple.com>

        Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
        https://bugs.webkit.org/show_bug.cgi?id=194298
        <rdar://problem/47827555>

        Reviewed by Saam Barati.

        We do this for 3 reasons:
        1. It's clearer when reading doesGC()'s code that these nodes will return true.
        2. If things change in the future where clobberize() no longer reports these nodes
           as write(Heap), each node should be vetted first to make sure that it can never
           GC before being moved back to the doesGC() list that returns false.
        3. This reduces the list of nodes that we need to audit to make sure doesGC() is
           correct in its claims about the nodes' GCing possibility.

        The list of nodes moved are:

            ArrayPush
            ArrayPop
            Call
            CallEval
            CallForwardVarargs
            CallVarargs
            Construct
            ConstructForwardVarargs
            ConstructVarargs
            DefineDataProperty
            DefineAccessorProperty
            DeleteById
            DeleteByVal
            DirectCall
            DirectConstruct
            DirectTailCallInlinedCaller
            GetById
            GetByIdDirect
            GetByIdDirectFlush
            GetByIdFlush
            GetByIdWithThis
            GetByValWithThis
            GetDirectPname
            GetDynamicVar
            HasGenericProperty
            HasOwnProperty
            HasStructureProperty
            InById
            InByVal
            InstanceOf
            InstanceOfCustom
            LoadVarargs
            NumberToStringWithRadix
            PutById
            PutByIdDirect
            PutByIdFlush
            PutByIdWithThis
            PutByOffset
            PutByValWithThis
            PutDynamicVar
            PutGetterById
            PutGetterByVal
            PutGetterSetterById
            PutSetterById
            PutSetterByVal
            PutStack
            PutToArguments
            RegExpExec
            RegExpTest
            ResolveScope
            ResolveScopeForHoistingFuncDeclInEval
            TailCall
            TailCallForwardVarargsInlinedCaller
            TailCallInlinedCaller
            TailCallVarargsInlinedCaller
            ToNumber
            ToPrimitive
            ValueNegate

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink sizeof(UnlinkedCodeBlock)
        https://bugs.webkit.org/show_bug.cgi?id=194281

        Reviewed by Michael Saboff.

        This patch first attempts to reduce the size of UnlinkedCodeBlock in a relatively simpler way. Reordering members, remove unused member, and
        move rarely used members to RareData. This changes sizeof(UnlinkedCodeBlock) from 312 to 256.

        Still we have several chances to reduce sizeof(UnlinkedCodeBlock). Making more Vectors to RefCountedArrays can be done with some restructuring
        of generatorification phase. It would be possible to remove m_sourceURLDirective and m_sourceMappingURLDirective from UnlinkedCodeBlock since
        they should be in SourceProvider and that should be enough. These changes require some intrusive modifications and we make them as a future work.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bitVectors const): Deleted.
        * bytecode/CodeType.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::bitVector):
        (JSC::UnlinkedCodeBlock::addBitVector):
        (JSC::UnlinkedCodeBlock::addSetConstant):
        (JSC::UnlinkedCodeBlock::constantRegisters):
        (JSC::UnlinkedCodeBlock::numberOfConstantIdentifierSets const):
        (JSC::UnlinkedCodeBlock::constantIdentifierSets):
        (JSC::UnlinkedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::didOptimize const):
        (JSC::UnlinkedCodeBlock::setDidOptimize):
        (JSC::UnlinkedCodeBlock::usesGlobalObject const): Deleted.
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister): Deleted.
        (JSC::UnlinkedCodeBlock::globalObjectRegister const): Deleted.
        (JSC::UnlinkedCodeBlock::bitVectors const): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::emitLoadGlobalObject): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * runtime/CachedTypes.cpp:
        (JSC::CachedCodeBlockRareData::encode):
        (JSC::CachedCodeBlockRareData::decode const):
        (JSC::CachedCodeBlock::scopeRegister const):
        (JSC::CachedCodeBlock::codeType const):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::CachedCodeBlock<CodeBlockType>::decode const):
        (JSC::CachedCodeBlock<CodeBlockType>::encode):
        (JSC::CachedCodeBlock::globalObjectRegister const): Deleted.

2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, add missing exception checks after r240637
        https://bugs.webkit.org/show_bug.cgi?id=193546

        * tools/JSDollarVM.cpp:
        (JSC::functionShadowChickenFunctionsOnStack):

2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink size of VM by lazily allocating IsoSubspaces for non-common types
        https://bugs.webkit.org/show_bug.cgi?id=193993

        Reviewed by Keith Miller.

        JSC::VM has a lot of IsoSubspaces, and each takes 504B. This unnecessarily makes VM so large.
        And some of them are rarely used. We should allocate it lazily.

        In this patch, we make some `IsoSubspaces` `std::unique_ptr<IsoSubspace>`. And we add ensureXXXSpace
        functions which allocate IsoSubspaces lazily. This function is used by subspaceFor<> in each class.
        And we also add subspaceForConcurrently<> function, which is called from concurrent JIT tiers. This
        returns nullptr if the subspace is not allocated yet. JSCell::subspaceFor now takes second template
        parameter which tells the function whether subspaceFor is concurrently done. If the IsoSubspace is
        lazily created, we may return nullptr for the concurrent access. We ensure the space's initialization
        by using WTF::storeStoreFence when lazily allocating it.

        In GC's constraint solving, we may touch these lazily allocated spaces. At that time, we check the
        existence of the space before touching this. This is not racy because the main thread is stopped when
        the constraint solving is working.

        This changes sizeof(VM) from 64736 to 56472.

        Another interesting thing is that we removed `PreventCollectionScope preventCollectionScope(heap);` in
        `Subspace::initialize`. This is really dangerous API since it easily causes dead-lock between the
        collector and the mutator if IsoSubspace is dynamically created. We do want to make IsoSubspaces
        dynamically-created ones since the requirement of the pre-allocation poses a scalability problem
        of IsoSubspace adoption because IsoSubspace is large. Registered Subspace is only touched in the
        EndPhase, and the peripheries should be stopped when running EndPhase. Thus, as long as the main thread
        can run this IsoSubspace code, the collector is never EndPhase. So this is safe.

        * API/JSCallbackFunction.h:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::subspaceFor):
        * API/glib/JSCCallbackFunction.h:
        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitChildren):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeBlock.h:
        * bytecode/ExecutableToCodeBlockEdge.h:
        * bytecode/FunctionCodeBlock.h:
        * bytecode/ModuleProgramCodeBlock.h:
        * bytecode/ProgramCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.cpp:
        (JSC::UnlinkedFunctionExecutable::unlinkedCodeBlockFor):
        * bytecode/UnlinkedFunctionExecutable.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileNewObject):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::deleteAllCodeBlocks):
        (JSC::Heap::deleteAllUnlinkedCodeBlocks):
        (JSC::Heap::addCoreConstraints):
        * heap/Subspace.cpp:
        (JSC::Subspace::initialize):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/DirectArguments.h:
        * runtime/DirectEvalExecutable.h:
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::subspaceFor):
        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.h:
        * runtime/IndirectEvalExecutable.h:
        * runtime/InferredValue.cpp:
        (JSC::InferredValue::visitChildren):
        * runtime/InferredValue.h:
        * runtime/InferredValueInlines.h:
        (JSC::InferredValue::finalizeUnconditionally):
        * runtime/InternalFunction.h:
        * runtime/JSAsyncFunction.h:
        * runtime/JSAsyncGeneratorFunction.h:
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.h:
        (JSC::subspaceFor):
        (JSC::subspaceForConcurrently):
        * runtime/JSCellInlines.h:
        (JSC::allocatorForNonVirtualConcurrently):
        * runtime/JSCustomGetterSetterFunction.h:
        * runtime/JSDestructibleObject.h:
        * runtime/JSFunction.h:
        * runtime/JSGeneratorFunction.h:
        * runtime/JSImmutableButterfly.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSNativeStdFunction.h:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSString.h:
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/ProxyRevoke.h:
        * runtime/ScopedArguments.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::clearCode):
        (JSC::ScriptExecutable::installCode):
        * runtime/Structure.h:
        * runtime/StructureRareData.h:
        * runtime/SubspaceAccess.h: Copied from Source/JavaScriptCore/runtime/InferredValueInlines.h.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::SpaceAndSet::SpaceAndSet):
        (JSC::VM::SpaceAndSet::setFor):
        (JSC::VM::forEachScriptExecutableSpace):
        (JSC::VM::SpaceAndFinalizerSet::SpaceAndFinalizerSet): Deleted.
        (JSC::VM::SpaceAndFinalizerSet::finalizerSetFor): Deleted.
        (JSC::VM::ScriptExecutableSpaceAndSet::ScriptExecutableSpaceAndSet): Deleted.
        (JSC::VM::ScriptExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::UnlinkedFunctionExecutableSpaceAndSet): Deleted.
        (JSC::VM::UnlinkedFunctionExecutableSpaceAndSet::clearableCodeSetFor): Deleted.
        * runtime/WeakMapImpl.h:
        (JSC::WeakMapImpl::subspaceFor):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/WebAssemblyFunction.h:
        * wasm/js/WebAssemblyWrapperFunction.h:

2019-02-04  Keith Miller  <keith_miller@apple.com>

        Change llint operand macros to inline functions
        https://bugs.webkit.org/show_bug.cgi?id=194248

        Reviewed by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getNonConstantOperand):
        (JSC::LLInt::getOperand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::genericCall):
        (JSC::LLInt::varargsSetup):
        (JSC::LLInt::commonCallEval):

2019-02-04  Robin Morisset  <rmorisset@apple.com>

        when lowering AssertNotEmpty, create the value before creating the patchpoint
        https://bugs.webkit.org/show_bug.cgi?id=194231

        Reviewed by Saam Barati.

        This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
        AssertNotEmpty was generating some such IR, it probably slipped through until now because it is a rather rare and tricky instruction to generate.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):

2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] ExecutableToCodeBlockEdge should be smaller
        https://bugs.webkit.org/show_bug.cgi?id=194244

        Reviewed by Michael Saboff.

        ExecutableToCodeBlockEdge is allocated so many times. However its memory layout is not efficient.
        sizeof(ExecutableToCodeBlockEdge) is 24bytes, but it discards 7bytes due to one bool m_isActive flag.
        Because our size classes are rounded by 16bytes, ExecutableToCodeBlockEdge takes 32bytes. So, half of
        it is wasted. We should fit it into 16bytes so that we can efficiently allocate it.

        In this patch, we leverages TypeInfoMayBePrototype bit in JSTypeInfo. It is a bit special TypeInfo bit
        since this is per-cell bit. We rename this to TypeInfoPerCellBit, and use it as a `m_isActive` mark in
        ExecutableToCodeBlockEdge. In JSObject subclasses, we use it as MayBePrototype flag.

        Since this flag is not changed in CAS style, we must not change this in concurrent threads. This is OK
        for ExecutableToCodeBlockEdge's m_isActive flag since this is touched on the main thread (ScriptExecutable::installCode
        does not touch it if it is called in non-main threads).

        * bytecode/ExecutableToCodeBlockEdge.cpp:
        (JSC::ExecutableToCodeBlockEdge::finishCreation):
        (JSC::ExecutableToCodeBlockEdge::visitChildren):
        (JSC::ExecutableToCodeBlockEdge::activate):
        (JSC::ExecutableToCodeBlockEdge::deactivate):
        (JSC::ExecutableToCodeBlockEdge::isActive const):
        * bytecode/ExecutableToCodeBlockEdge.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::perCellBit const):
        (JSC::JSCell::setPerCellBit):
        (JSC::JSCell::mayBePrototype const): Deleted.
        (JSC::JSCell::didBecomePrototype): Deleted.
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeDirect):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::mayBePrototype const):
        (JSC::JSObject::didBecomePrototype):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::perCellBit):
        (JSC::TypeInfo::mergeInlineTypeFlags):
        (JSC::TypeInfo::mayBePrototype): Deleted.

2019-02-04  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Shrink size of FunctionExecutable
        https://bugs.webkit.org/show_bug.cgi?id=194191

        Reviewed by Michael Saboff.

        This patch reduces the size of FunctionExecutable. Since it is allocated in IsoSubspace, reducing the size directly
        improves the allocation efficiency.

        1. ScriptExecutable (base class of FunctionExecutable) has several members, but it is meaningful only in FunctionExecutable.
           We remove this from ScriptExecutable, and move it to FunctionExecutable.

        2. FunctionExecutable has several data which are rarely used. One for FunctionOverrides functionality, which is typically
           used for JSC debugging purpose, and another is TypeSet and offsets for type profiler. We move them to RareData and reduce
           the size of FunctionExecutable in the common case.

        This patch changes the size of FunctionExecutable from 176 to 144.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpSource):
        (JSC::CodeBlock::finishCreation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::OpInfoWrapper::as const):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::computeLineAndColumn const):
        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::ensureRareDataSlow):
        * runtime/FunctionExecutable.h:
        * runtime/Intrinsic.h:
        * runtime/ModuleProgramExecutable.cpp:
        (JSC::ModuleProgramExecutable::ModuleProgramExecutable):
        * runtime/ProgramExecutable.cpp:
        (JSC::ProgramExecutable::ProgramExecutable):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::overrideLineNumber const):
        (JSC::ScriptExecutable::typeProfilingStartOffset const):
        (JSC::ScriptExecutable::typeProfilingEndOffset const):
        * runtime/ScriptExecutable.h:
        (JSC::ScriptExecutable::firstLine const):
        (JSC::ScriptExecutable::setOverrideLineNumber): Deleted.
        (JSC::ScriptExecutable::hasOverrideLineNumber const): Deleted.
        (JSC::ScriptExecutable::overrideLineNumber const): Deleted.
        (JSC::ScriptExecutable::typeProfilingStartOffset const): Deleted.
        (JSC::ScriptExecutable::typeProfilingEndOffset const): Deleted.
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::computeLineAndColumn const):
        * tools/JSDollarVM.cpp:
        (JSC::functionReturnTypeFor):

2019-02-04  Mark Lam  <mark.lam@apple.com>

        DFG's doesGC() is incorrect about the SameValue node's behavior.
        https://bugs.webkit.org/show_bug.cgi?id=194211
        <rdar://problem/47608913>

        Reviewed by Saam Barati.

        Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
        it calls operationSameValue() which may allocate memory for resolving ropes.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
        https://bugs.webkit.org/show_bug.cgi?id=194031

        Reviewed by Saam Barati.

        UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
        This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
        sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
        destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.

        To make the above assumption valid, we make UnlinkedMetadataTable RefCounted object, and make MetadataTable hold the strong ref to UnlinkedMetadataTable.
        This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.

        * bytecode/MetadataTable.cpp:
        (JSC::MetadataTable::MetadataTable):
        (JSC::MetadataTable::~MetadataTable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedCodeBlock::estimatedSize):
        (JSC::UnlinkedCodeBlock::setInstructions):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::metadata):
        (JSC::UnlinkedCodeBlock::metadataSizeInBytes):
        * bytecode/UnlinkedMetadataTable.h:
        (JSC::UnlinkedMetadataTable::create):
        * bytecode/UnlinkedMetadataTableInlines.h:
        (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
        * runtime/CachedTypes.cpp:
        (JSC::CachedMetadataTable::decode const):
        (JSC::CachedCodeBlock::metadata const):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        (JSC::CachedCodeBlock<CodeBlockType>::decode const):
        (JSC::CachedCodeBlock<CodeBlockType>::encode):

2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Decouple JIT related data from CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=194187

        Reviewed by Saam Barati.

        CodeBlock holds bunch of data which is only used after JIT starts compiling it.
        We have three types of data in CodeBlock.

        1. The data which is always used. CodeBlock needs to hold it.
        2. The data which is touched even in LLInt, but it is only meaningful in JIT tiers. The example is profiling.
        3. The data which is used after the JIT compiler starts running for the given CodeBlock.

        This patch decouples (3) from CodeBlock as CodeBlock::JITData. Even if we have bunch of CodeBlocks, only small
        number of them gets JIT compilation. Always allocating (3) data enlarges the size of CodeBlock, leading to the
        memory waste. Potentially we can decouple (2) in another data structure, but we first do (3) since (3) is beneficial
        in both non-JIT and *JIT* modes.

        JITData is created only when JIT compiler wants to use it. So it can be concurrently created and used, so it is guarded
        by the lock of CodeBlock.

        The size of CodeBlock is reduced from 512 to 352.

        This patch improves memory footprint and gets 1.1% improvement in RAMification.

            Footprint geomean: 36696503 (34.997 MB)
            Peak Footprint geomean: 38595988 (36.808 MB)
            Score: 37634263 (35.891 MB)

            Footprint geomean: 37172768 (35.451 MB)
            Peak Footprint geomean: 38978288 (37.173 MB)
            Score: 38064824 (36.301 MB)

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::ensureJITDataSlow):
        (JSC::CodeBlock::finalizeBaselineJITInlineCaches):
        (JSC::CodeBlock::getICStatusMap):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::addJITAddIC):
        (JSC::CodeBlock::addJITMulIC):
        (JSC::CodeBlock::addJITSubIC):
        (JSC::CodeBlock::addJITNegIC):
        (JSC::CodeBlock::findStubInfo):
        (JSC::CodeBlock::addByValInfo):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addRareCaseProfile):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        (JSC::CodeBlock::rareCaseProfileCountForBytecodeOffset):
        (JSC::CodeBlock::resetJITData):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::linkIncomingPolymorphicCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::dumpValueProfiles):
        (JSC::CodeBlock::setPCToCodeOriginMap):
        (JSC::CodeBlock::findPC):
        (JSC::CodeBlock::dumpMathICStats):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ensureJITData):
        (JSC::CodeBlock::setJITCodeMap):
        (JSC::CodeBlock::jitCodeMap):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::lazyOperandValueProfiles):
        (JSC::CodeBlock::stubInfoBegin): Deleted.
        (JSC::CodeBlock::stubInfoEnd): Deleted.
        (JSC::CodeBlock::callLinkInfosBegin): Deleted.
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.
        (JSC::CodeBlock::jitCodeMap const): Deleted.
        (JSC::CodeBlock::numberOfRareCaseProfiles): Deleted.
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::emitReportValue const):
        (JSC::MethodOfGettingAValueProfile::reportValue):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * jit/JIT.h:
        * jit/JITOperations.cpp:
        (JSC::tryGetByValOptimize):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):

2018-12-16  Darin Adler  <darin@apple.com>

        Convert additional String::format clients to alternative approaches
        https://bugs.webkit.org/show_bug.cgi?id=192746

        Reviewed by Alexey Proskuryakov.

        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::stopTiming): Use makeString
        and FormattedNumber::fixedWidth.

2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove some of IsoSubspaces for JSFunction subclasses
        https://bugs.webkit.org/show_bug.cgi?id=194177

        Reviewed by Saam Barati.

        JSGeneratorFunction, JSAsyncFunction, and JSAsyncGeneratorFunction do not add any fields / classInfo methods.
        We can share the IsoSubspace for JSFunction.

        * runtime/JSAsyncFunction.h:
        * runtime/JSAsyncGeneratorFunction.h:
        * runtime/JSGeneratorFunction.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-02-01  Mark Lam  <mark.lam@apple.com>

        Remove invalid assertion in DFG's compileDoubleRep().
        https://bugs.webkit.org/show_bug.cgi?id=194130
        <rdar://problem/47699474>

        Reviewed by Saam Barati.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):

2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Unify CodeBlock IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=194167

        Reviewed by Saam Barati.

        When we move CodeBlock into its IsoSubspace, we create IsoSubspaces for each subclass of CodeBlock.
        But this is not necessary since,

        1. They do not override the classInfo methods.
        2. sizeof(ProgramCodeBlock etc.) == sizeof(CodeBlock) since subclasses adds no additional fields.

        Creating IsoSubspace for each subclass is costly in terms of memory. Especially, IsoSubspace for
        ProgramCodeBlock is. We typically create only one ProgramCodeBlock, and it means the rest of the
        MarkedBlock (16KB - sizeof(footer) - sizeof(ProgramCodeBlock)) is just wasted.

        This patch unifies these IsoSubspaces into one.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::destroy):
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeBlock.cpp:
        (JSC::EvalCodeBlock::destroy): Deleted.
        * bytecode/EvalCodeBlock.h: We drop some utility functions in EvalCodeBlock and use UnlinkedEvalCodeBlock's one directly.
        * bytecode/FunctionCodeBlock.cpp:
        (JSC::FunctionCodeBlock::destroy): Deleted.
        * bytecode/FunctionCodeBlock.h:
        * bytecode/GlobalCodeBlock.h:
        * bytecode/ModuleProgramCodeBlock.cpp:
        (JSC::ModuleProgramCodeBlock::destroy): Deleted.
        * bytecode/ModuleProgramCodeBlock.h:
        * bytecode/ProgramCodeBlock.cpp:
        (JSC::ProgramCodeBlock::destroy): Deleted.
        * bytecode/ProgramCodeBlock.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::forEachCodeBlockSpace):

2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up after r240859
        https://bugs.webkit.org/show_bug.cgi?id=194145

        Replace OOB HeapCellType with cellHeapCellType since they are completely the same.
        And rename cellDangerousBitsSpace back to cellSpace.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove cellJSValueOOBSpace
        https://bugs.webkit.org/show_bug.cgi?id=194145

        Reviewed by Mark Lam.

        * runtime/JSObject.h:
        (JSC::JSObject::subspaceFor): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2019-01-31  Mark Lam  <mark.lam@apple.com>

        Remove poisoning from CodeBlock and LLInt code.
        https://bugs.webkit.org/show_bug.cgi?id=194113

        Reviewed by Yusuke Suzuki.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::setConstantRegisters):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::predictedMachineCodeSize):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::vm const):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::heap const):
        (JSC::CodeBlock::replaceConstant):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Remove finalizer in AsyncFromSyncIteratorPrototype
        https://bugs.webkit.org/show_bug.cgi?id=194107

        Reviewed by Saam Barati.

        AsyncFromSyncIteratorPrototype uses the finalizer, but it is not necessary since it does not hold any objects which require destruction.
        We drop this finalizer. And we also make methods of AsyncFromSyncIteratorPrototype lazily allocated.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/AsyncFromSyncIteratorPrototype.cpp:
        (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
        (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
        (JSC::AsyncFromSyncIteratorPrototype::create):
        * runtime/AsyncFromSyncIteratorPrototype.h:

2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>

        Fix `runJITThreadLimitTests` in testapi
        https://bugs.webkit.org/show_bug.cgi?id=194064
        <rdar://problem/46139147>

        Reviewed by Mark Lam.

        Fix typo where `targetNumberOfThreads` was not being used.

        * API/tests/testapi.mm:
        (runJITThreadLimitTests):

2019-01-31  Tadeu Zagallo  <tzagallo@apple.com>

        testapi fails RELEASE_ASSERT(codeBlock) in fetchFromDisk() of CodeCache.h
        https://bugs.webkit.org/show_bug.cgi?id=194112

        Reviewed by Mark Lam.

        `testBytecodeCache` does not populate the bytecode cache for the global
        CodeBlock, so it should only enable `forceDiskCache` after its execution.

        * API/tests/testapi.mm:
        (testBytecodeCache):

2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, follow-up after r240796

        Initialize WriteBarrier<InferredValue> in the constructor. Otherwise, GC can see the broken one
        when allocating InferredValue in FunctionExecutable::finishCreation.

        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finishCreation):

2019-01-31  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Do not use InferredValue in non-JIT configuration
        https://bugs.webkit.org/show_bug.cgi?id=194084

        Reviewed by Saam Barati.

        InferredValue is not meaningful if our VM is non-JIT configuration. InferredValue is used to watch the instantiation of the  FunctionExecutable's
        JSFunction and SymbolTable's JSScope to explore the chance of folding them into constants in DFG and FTL. If it is instantiated only once, we can
        put a watchpoint and fold it into this constant. But if JIT is disabled, we do not need to care it.
        Even in non-JIT configuration, we still use InferredValue for FunctionExecutable to determine whether the given FunctionExecutable is preferable
        target for poly proto. If JSFunction for the FunctionExecutable is used as a constructor and instantiated more than once, poly proto Structure
        seems appropriate for objects created by this JSFunction. But at that time, only thing we would like to know is that whether JSFunction for this
        FunctionExecutable is instantiated multiple times. This does not require the full feature of InferredValue, WatchpointState is enough.
        To summarize, since nobody uses InferredValue feature in non-JIT configuration, we should not create it.

        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * runtime/FunctionExecutable.cpp:
        (JSC::FunctionExecutable::finishCreation):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/FunctionExecutable.h:
        * runtime/InferredValue.cpp:
        (JSC::InferredValue::create):
        * runtime/JSAsyncFunction.cpp:
        (JSC::JSAsyncFunction::create):
        * runtime/JSAsyncGeneratorFunction.cpp:
        (JSC::JSAsyncGeneratorFunction::create):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGeneratorFunction.cpp:
        (JSC::JSGeneratorFunction::create):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::setSymbolTable):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::finishCreation):
        * runtime/VM.cpp:
        (JSC::VM::VM):

2019-01-31  Fujii Hironori  <Hironori.Fujii@sony.com>

        [CMake][JSC] Changing ud_opcode.py should trigger invoking ud_opcode.py
        https://bugs.webkit.org/show_bug.cgi?id=194085

        Reviewed by Yusuke Suzuki.

        r240730 changed ud_itab.py and caused incremental build failures
        for Ninja builds.

        * CMakeLists.txt: Added ud_itab.py and optable.xml to UDIS_GEN_DEP.

2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Symbol should be in destructibleCellSpace
        https://bugs.webkit.org/show_bug.cgi?id=194082

        Reviewed by Saam Barati.

        Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
        to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
        destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
        Symbol's space destructibleCellSpace to appropriately call the destructor.

        * runtime/Symbol.h:

2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, rolling out r240755.

        This was not correct

        Reverted changeset:

        "Unreviewed, fix GCC build after r240730"
        https://bugs.webkit.org/show_bug.cgi?id=194041
        https://trac.webkit.org/changeset/240755

2019-01-30  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix GCC build after r240730
        https://bugs.webkit.org/show_bug.cgi?id=194041
        <rdar://problem/47680981>

        * disassembler/udis86/ud_itab.py:
        (UdItabGenerator.genOpcodeTablesLookupIndex):

2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>

        testapi's `testBytecodeCache` does not need to run the code twice
        https://bugs.webkit.org/show_bug.cgi?id=194046

        Reviewed by Mark Lam.

        Since we populate the cache eagerly (unlike the stress tests) we don't
        need to run the code twice.

        * API/tests/testapi.mm:
        (testBytecodeCache):

2019-01-30  Saam barati  <sbarati@apple.com>

        [WebAssembly] Change BBQ to generate Air IR
        https://bugs.webkit.org/show_bug.cgi?id=191802
        <rdar://problem/47651718>

        Reviewed by Keith Miller.

        This patch adds a new Wasm compiler for the BBQ tier. Instead
        of compiling using  B3-01, we now generate Air code directly.
        The goal of doing this was to speed up compile times for Wasm
        programs.
        
        This patch provides us with a 20-30% compile time speedup. However, I
        have ideas on how to improve compile times even further. For example,
        we should probably implement a faster running register allocator:
        https://bugs.webkit.org/show_bug.cgi?id=194036
        
        We can also improve on the code we generate.
        We should emit better code for Switch: https://bugs.webkit.org/show_bug.cgi?id=194053
        And we should do better instruction selection in various
        areas: https://bugs.webkit.org/show_bug.cgi?id=193999

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * b3/B3LowerToAir.cpp:
        * b3/B3StackmapSpecial.h:
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::emitDefaultPrologue):
        * b3/air/AirCode.h:
        * b3/air/AirTmp.h:
        (JSC::B3::Air::Tmp::Tmp):
        * runtime/Options.h:
        * wasm/WasmAirIRGenerator.cpp: Added.
        (JSC::Wasm::ConstrainedTmp::ConstrainedTmp):
        (JSC::Wasm::TypedTmp::TypedTmp):
        (JSC::Wasm::TypedTmp::operator== const):
        (JSC::Wasm::TypedTmp::operator!= const):
        (JSC::Wasm::TypedTmp::operator bool const):
        (JSC::Wasm::TypedTmp::operator Tmp const):
        (JSC::Wasm::TypedTmp::operator Arg const):
        (JSC::Wasm::TypedTmp::tmp const):
        (JSC::Wasm::TypedTmp::type const):
        (JSC::Wasm::AirIRGenerator::ControlData::ControlData):
        (JSC::Wasm::AirIRGenerator::ControlData::dump const):
        (JSC::Wasm::AirIRGenerator::ControlData::type const):
        (JSC::Wasm::AirIRGenerator::ControlData::signature const):
        (JSC::Wasm::AirIRGenerator::ControlData::hasNonVoidSignature const):
        (JSC::Wasm::AirIRGenerator::ControlData::targetBlockForBranch):
        (JSC::Wasm::AirIRGenerator::ControlData::convertIfToBlock):
        (JSC::Wasm::AirIRGenerator::ControlData::resultForBranch const):
        (JSC::Wasm::AirIRGenerator::emptyExpression):
        (JSC::Wasm::AirIRGenerator::fail const):
        (JSC::Wasm::AirIRGenerator::setParser):
        (JSC::Wasm::AirIRGenerator::toTmpVector):
        (JSC::Wasm::AirIRGenerator::validateInst):
        (JSC::Wasm::AirIRGenerator::extractArg):
        (JSC::Wasm::AirIRGenerator::append):
        (JSC::Wasm::AirIRGenerator::appendEffectful):
        (JSC::Wasm::AirIRGenerator::newTmp):
        (JSC::Wasm::AirIRGenerator::g32):
        (JSC::Wasm::AirIRGenerator::g64):
        (JSC::Wasm::AirIRGenerator::f32):
        (JSC::Wasm::AirIRGenerator::f64):
        (JSC::Wasm::AirIRGenerator::tmpForType):
        (JSC::Wasm::AirIRGenerator::addPatchpoint):
        (JSC::Wasm::AirIRGenerator::emitPatchpoint):
        (JSC::Wasm::AirIRGenerator::emitCheck):
        (JSC::Wasm::AirIRGenerator::emitCCall):
        (JSC::Wasm::AirIRGenerator::moveOpForValueType):
        (JSC::Wasm::AirIRGenerator::instanceValue):
        (JSC::Wasm::AirIRGenerator::fixupPointerPlusOffset):
        (JSC::Wasm::AirIRGenerator::restoreWasmContextInstance):
        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::AirIRGenerator::emitThrowException):
        (JSC::Wasm::AirIRGenerator::addLocal):
        (JSC::Wasm::AirIRGenerator::addConstant):
        (JSC::Wasm::AirIRGenerator::addArguments):
        (JSC::Wasm::AirIRGenerator::getLocal):
        (JSC::Wasm::AirIRGenerator::addUnreachable):
        (JSC::Wasm::AirIRGenerator::addGrowMemory):
        (JSC::Wasm::AirIRGenerator::addCurrentMemory):
        (JSC::Wasm::AirIRGenerator::setLocal):
        (JSC::Wasm::AirIRGenerator::getGlobal):
        (JSC::Wasm::AirIRGenerator::setGlobal):
        (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
        (JSC::Wasm::sizeOfLoadOp):
        (JSC::Wasm::AirIRGenerator::emitLoadOp):
        (JSC::Wasm::AirIRGenerator::load):
        (JSC::Wasm::sizeOfStoreOp):
        (JSC::Wasm::AirIRGenerator::emitStoreOp):
        (JSC::Wasm::AirIRGenerator::store):
        (JSC::Wasm::AirIRGenerator::addSelect):
        (JSC::Wasm::AirIRGenerator::emitTierUpCheck):
        (JSC::Wasm::AirIRGenerator::addLoop):
        (JSC::Wasm::AirIRGenerator::addTopLevel):
        (JSC::Wasm::AirIRGenerator::addBlock):
        (JSC::Wasm::AirIRGenerator::addIf):
        (JSC::Wasm::AirIRGenerator::addElse):
        (JSC::Wasm::AirIRGenerator::addElseToUnreachable):
        (JSC::Wasm::AirIRGenerator::addReturn):
        (JSC::Wasm::AirIRGenerator::addBranch):
        (JSC::Wasm::AirIRGenerator::addSwitch):
        (JSC::Wasm::AirIRGenerator::endBlock):
        (JSC::Wasm::AirIRGenerator::addEndToUnreachable):
        (JSC::Wasm::AirIRGenerator::addCall):
        (JSC::Wasm::AirIRGenerator::addCallIndirect):
        (JSC::Wasm::AirIRGenerator::unify):
        (JSC::Wasm::AirIRGenerator::unifyValuesWithBlock):
        (JSC::Wasm::AirIRGenerator::dump):
        (JSC::Wasm::AirIRGenerator::origin):
        (JSC::Wasm::parseAndCompileAir):
        (JSC::Wasm::AirIRGenerator::emitChecksForModOrDiv):
        (JSC::Wasm::AirIRGenerator::emitModOrDiv):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32DivU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32RemU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64DivU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64RemU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ctz>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ctz>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Popcnt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Popcnt>):
        (JSC::Wasm::AirIRGenerator::addOp<F64ConvertUI64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Nearest>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Nearest>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Trunc>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Trunc>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncSF32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32TruncUF32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncSF32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64TruncUF32>):
        (JSC::Wasm::AirIRGenerator::addShift):
        (JSC::Wasm::AirIRGenerator::addIntegerSub):
        (JSC::Wasm::AirIRGenerator::addFloatingPointAbs):
        (JSC::Wasm::AirIRGenerator::addFloatingPointBinOp):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ceil>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Mul>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Sub>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Le>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32DemoteF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Min>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ne>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Lt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Max>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Mul>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Div>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Clz>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Copysign>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertUI32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ReinterpretI32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64And>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ne>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Gt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sqrt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ge>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GtU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eqz>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Div>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Add>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Or>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LeS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Ne>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Clz>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Neg>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32And>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotr>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Abs>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32LtS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eq>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Copysign>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Rotl>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Lt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Eq>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Le>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Ge>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertUI32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ShrS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Ceil>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GeS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Shl>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Floor>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Xor>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Abs>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Min>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Mul>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Sub>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32ReinterpretF32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Add>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sub>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Or>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LtS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ConvertSI64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Xor>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Mul>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Sub>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64PromoteF32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Add>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64GeS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendUI32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Ne>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64ReinterpretI64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Eq>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Eq>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Floor>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32ConvertSI32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Eqz>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ReinterpretF64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ShrU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Sqrt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Shl>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F32Gt>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32WrapI64>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotl>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32Rotr>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64ExtendSI32>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I32GtS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Neg>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::F64Max>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeU>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64LeS>):
        (JSC::Wasm::AirIRGenerator::addOp<OpType::I64Add>):
        * wasm/WasmAirIRGenerator.h: Added.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emptyExpression):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::compileFunctions):
        * wasm/WasmCallingConvention.cpp:
        (JSC::Wasm::jscCallingConventionAir):
        (JSC::Wasm::wasmCallingConventionAir):
        * wasm/WasmCallingConvention.h:
        (JSC::Wasm::CallingConvention::CallingConvention):
        (JSC::Wasm::CallingConvention::marshallArgumentImpl const):
        (JSC::Wasm::CallingConvention::marshallArgument const):
        (JSC::Wasm::CallingConventionAir::CallingConventionAir):
        (JSC::Wasm::CallingConventionAir::prologueScratch const):
        (JSC::Wasm::CallingConventionAir::marshallArgumentImpl const):
        (JSC::Wasm::CallingConventionAir::marshallArgument const):
        (JSC::Wasm::CallingConventionAir::headerSizeInBytes):
        (JSC::Wasm::CallingConventionAir::loadArguments const):
        (JSC::Wasm::CallingConventionAir::setupCall const):
        (JSC::Wasm::nextJSCOffset):
        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseExpression):
        * wasm/WasmValidate.cpp:
        (JSC::Wasm::Validate::emptyExpression):

2019-01-30  Robin Morisset  <rmorisset@apple.com>

        Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
        https://bugs.webkit.org/show_bug.cgi?id=194050
        <rdar://problem/47595592>

        Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
        It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.

        Reviewed by Yusuke Suzuki.

        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):

2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>

        Remove assertion that CachedSymbolTables should have no RareData
        https://bugs.webkit.org/show_bug.cgi?id=194037

        Reviewed by Mark Lam.

        It turns out that we don't need to cache the SymbolTableRareData and
        we should not assert that it's empty.

        * runtime/CachedTypes.cpp:
        (JSC::CachedSymbolTable::encode):

2019-01-30  Tadeu Zagallo  <tzagallo@apple.com>

        CachedBytecode's move constructor should not call `freeDataIfOwned`
        https://bugs.webkit.org/show_bug.cgi?id=194045

        Reviewed by Mark Lam.

        That might result in freeing a garbage value

        * parser/SourceProvider.h:
        (JSC::CachedBytecode::CachedBytecode):

2019-01-30  Keith Miller  <keith_miller@apple.com>

        mul32 should convert powers of 2 to an lshift
        https://bugs.webkit.org/show_bug.cgi?id=193957

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::mul32):
        * assembler/testmasm.cpp:
        (JSC::int32Operands):
        (JSC::testMul32WithImmediates):
        (JSC::run):

2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>

        [JSC] Make disassembler data structures constant read-only data
        https://bugs.webkit.org/show_bug.cgi?id=194041

        Reviewed by Mark Lam.

        Bunch of disassembler data structures are not marked "const", which prevents the loader to put them in read-only region.
        This patch makes them "const".

        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/udis86/ud_itab.py:
        (UdItabGenerator.genOpcodeTablesLookupIndex):
        (UdItabGenerator.genInsnTable):
        (UdItabGenerator.genMnemonicsList):
        (genItabH):
        * disassembler/udis86/udis86_decode.h:
        * disassembler/udis86/udis86_syn.c:
        * disassembler/udis86/udis86_syn.h:
        * disassembler/udis86/udis86_types.h:

2019-01-30  Yusuke Suzuki  <ysuzuki@apple.com>

        Unreviewed, update the builtin test results
        https://bugs.webkit.org/show_bug.cgi?id=194015